Security of Block Ciphers Beyond Blackbox Model
1 CRYPTACUS Action Meeting, November 6, 2016. Security of Block Ciphers Beyond Blackbox Model. Takanori Isobe, Sony Corporation.
2 About Me. Researcher/Engineer at Sony Corporation since 2008. As a researcher: cryptanalysis of symmetric-key primitives: first attack on full GOST (@FSE 2011), plaintext recovery attack on RC4 (@FSE 2013) and Spritz (@FSE 2016), and more. Design of block ciphers: lightweight block cipher Piccolo (@CHES 2011), low-energy block cipher Midori (@ASIACRYPT 2015), whitebox-secure block cipher SPACE/SPNbox (@ACM CCS 2015/ASIACRYPT 2016). As an engineer: design/evaluation of the security system of our product/network game (PS Vita/PS4), camera, TV and more; write crypto code for products.
3 Today's Talk: Security beyond Blackbox Model. As engineers, we often face this problem: untrusted environments; software-only solution; advanced attacks on system/device: reverse engineering (cold boot attack), malware, APT; software vulnerabilities: buffer overflow, Heartbleed, Dirty COW. This talk shows our approaches to address these issues.
4 Background: Symmetric-key Cryptography (DES, AES, CMAC, HMAC, GCM). [Diagram: Plaintext -> Encryption (key) -> Ciphertext -> Decryption (key) -> Plaintext.] Fundamental primitives for security => deployed in almost all our products.
5 Background: Symmetric-key Cryptography (DES, AES, CMAC, HMAC, GCM). Designed to be secure in the black-box model: the adversary has access to input and output; internal state: invisible. [Diagram: adversary observing Plaintext/Ciphertext into and Ciphertext/Plaintext out of keyed Encryption/Decryption.]
6 Crypto is Everywhere. The black-box model fails to reflect the reality.
7 Beyond Blackbox. Cold boot attacks: read the remaining memory contents in the seconds to minutes after power-off. Software attacks: binary analysis, reverse engineering; ex. overwrite binary (e.g., S-box) to get the key. Trojans, malware, or software vulnerabilities (e.g. Heartbleed, buffer overflow) leak a part of the secret key or internal state. Unauthorized access to server: hacking, cracking, privilege escalation. Internal states in memory often leak in the real world.
9 Our Questions. 1. How much memory leakage is enough to break a system, e.g. extract the secret key? -> Security of AES under (joint work with Andrey Bogdanov). 2. What are efficient countermeasures against leakage attacks?
10 Motivation: How secure is AES under memory leakage? Weakest memory leakage model: only one bit leaks in each execution; the location of the leaked bit is unknown => limited control of the platform. [Diagram: P -> AES-128 (Key) -> C, leaking 1 bit of information at an unknown location.]
11 Two Leakage Models. Fixed location: the location of the leaked bit is fixed in each execution. Random location: the location of the leaked bit is random in each execution => timing/space randomization (software protection). [Diagram: position of the leaked bit within rounds 1 to 10 between P and C, shown for both models.]
17 Differential Bias Attack. Regard the leaked bits as a bit-stream Z_0, Z_1, Z_2, ..., Z_{Ns-1}, where Z_i is the leaked bit of the i-th execution. Borrow techniques from the stream cipher domain. Guess 32 bits of the key. Use a pair of plaintexts P and P' having a special difference Δ, which results in a biased (differential) stream only for the correct key. Only if the key is correct, Pr(Z_i XOR Z_j = 0) for all i and j is biased. If Z_i and Z_j are random, Pr(Z_i XOR Z_j = 0) = 0.5.
18 Truncated Differential over 3 Rounds. [Figure: propagation of the plaintext difference through SB, SR, MC for the correct key and for a wrong key; legend: probability-one non-zero difference, probability-one zero difference, unknown difference.] Exploit this gap! Correct key: 21, 27. Wrong key: 0, 12.
19 Bitwise Bias from Truncated Differential. Positive bitwise bias toward zero: in a probability-one zero truncated difference, if Z_i and Z_j are a pair of the same position, P(Z_i XOR Z_j = 0) = 1. Negative bitwise bias toward zero: in a probability-one non-zero truncated difference, if Z_i and Z_j are a pair of the same position, P(Z_i XOR Z_j = 0) = ½ ( ) (experimental value 1/2( )). Pr(Z_i XOR Z_j = 0) = ½ ( ): strong bias for the correct key.
20 Evaluation. Attack cost to obtain a full 128-bit key: Time 2^33, Data 2^33. Even under the weakest leakage assumption (1-bit leakage at a random unknown location), a practical attack is possible! [Diagram: Key, P, rounds 1 to 10, C.]
21 Extensions. Noisy leakage setting: possible, but noise makes it time-consuming work. Known-plaintext attack: possible for the differential bias attack. Bytewise leakage: somewhat improves attack complexity. Other granularities: not only the state after the round function, but also the states after SubBytes, MixColumns, etc. can be used to mount differential bias attacks. AES-192/256 and some other ciphers: the same attacks are directly applicable. See the paper.
23 Question from Real World. 1. How much information of memory is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES). 2. What are efficient countermeasures against leakage attacks? -> Whitebox-Secure Block Cipher (ACM CCS 2015), joint work with Andrey Bogdanov.
24 Whitebox Cryptography. Implementations of cryptographic algorithms that are secure in the whitebox model. [Diagram: key, software, adversary.]
25 Whitebox Model. The adversary has full access to the crypto algorithm and full control over its execution environment. Internal values: fully accessible (read/write). [Diagram: the adversary can modify internal values and the algorithm, and read any memory, of the keyed Encryption/Decryption.]
26 Applications: DRM. Protected contents (e.g. movies and music) are decrypted on the user's (adversary's) device. The adversary may control the platform on which the media player application is executed, and aims to extract a content key. [Diagram: cloud service provider.]
27 Applications: HCE (Host Card Emulation). Technology that emulates a payment card on a mobile device using only software; a secure element is not necessary. Android 4.4 supports host card emulation (HCE). Google Wallet, VISA, MasterCard. [Diagram: issuer, cloud server, credential, payment processor, NFC reader, whitebox crypto.]
28 Applications: Memory Leakage. Software attacks (binary analysis). Trojans, malware. Software vulnerabilities (e.g. Heartbleed, buffer overflow). Unauthorized access to server.
31 History of Whitebox Cryptography. Academic level: in 2002, Cloakware (Irdeto) published a paper presenting the first scheme of whitebox AES. However, all published whitebox AES schemes were practically broken by the BGE attack. Industrial level: WBC is widely deployed in many applications; details are kept secret; protected with additional countermeasures. Differential Computational 2016: the details of implementations are not required; additional countermeasures do not make sense. No secure whitebox cipher in the public domain.
32 New Whitebox-friendly Encryption Scheme. 128-bit block cipher called SPACE (CCS 2015). Secure in the whitebox model: security against key extraction reduces to the key recovery problem of AES in the black-box model. Space hardness: compression of the code is infeasible; mitigates code lifting attacks. High performance: much faster than whitebox AES. Whitebox AES (published by Cloakware): 0.4 MB/s; SPACE: MB/s. Others: not AES functionality, but the interfaces are the same as AES; SPACE can be considered a mode of operation for AES.
33 SPACE Block Cipher. Target-heavy Feistel construction. The 128-bit plaintext is divided into x words of n_a bits each, p_0, p_1, ..., p_{x-1}. F function: n_a bits to (128 - n_a) bits. In the white box, the F function becomes a table. [Diagram: plaintext words p_0, p_1, ..., p_{x-1}; tables F_0, F_1; ciphertext.]
34 F-function (Whitebox Table). The table is created by AES-128: it constrains the plaintext from 128 bits to n_a bits and truncates the ciphertext from 128 bits to 128 - n_a bits. [Diagram: input x (n_a bits) together with a constant (n - n_a bits) is encrypted under K; n - n_a bits of the output form y and the remaining n_a bits are disregarded.]
35 Security in WhiteBox. The WB attacker has access to the input/output of the table. [Diagram: WB adversary with full access.]
37 Security in WhiteBox. The WB attacker has access to the input/output of the table. What the WB adversary can do is the same as what the BB adversary can do for AES (WB adversary = BB adversary). Security of key extraction in the whitebox model reduces to the key recovery problem of AES-128 in the black-box model.
38 Space Hardness. In the whitebox implementation, the key is expanded to a large table: 128 bits -> large key of a few KB to GB. Space hardness: computationally infeasible / difficult to find any compact representation (incompressibility). Table decomposition is as hard as AES key recovery.
39 Whitebox Cryptography: Mitigate Code Lifting Attack. Requires a large space to be isolated from execution environments to copy functionality: time-consuming work if the network is narrow; easy to detect copying by monitoring traffic. Discourages the adversary from illegally distributing the code due to its large size. [Diagram: execution environment holding T, adversary holding T/4; labels "hard to get" and "hard to distribute".] Ex. SPACE-16, T/4 = 230 MB.
40 Summary. Space-hard block cipher: SPACE. Security against key extraction/table decomposition: white-box security is based on black-box security (AES key-recovery problem in the black-box model). Security against code lifting: space hardness; infeasible to find a compact implementation. High performance: much faster than whitebox AES. Whitebox AES (published by Cloakware): 0.4 MB/s; SPACE: MB/s. More efficient WB block cipher: times faster than SPACE.
41 Conclusion. 1. How much information of memory is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES). 2. What are efficient countermeasures against leakage attacks? SPACE is a first whitebox-friendly cipher.
42 Thank you for your attention
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationDifferential Computation Analysis Hiding your White-Box Designs is Not Enough. Joppe W. Bos
Differential Computation Analysis Hiding your White-Box Designs is Not Enough Joppe W. Bos 1. Who am I Finished PhD@laboratory for cryptologic algorithms at EPFL, Lausanne, Switzerland under supervision
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationRecent Meet-in-the-Middle Attacks on Block Ciphers
ASK 2012 Nagoya, Japan Recent Meet-in-the-Middle Attacks on Block Ciphers Takanori Isobe Sony Corporation (Joint work with Kyoji Shibutani) Outline 1. Meet-in-the-Middle (MitM) attacks on Block ciphers
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationCryptanalysis. Ed Crowley
Cryptanalysis Ed Crowley 1 Topics Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types 2 Cryptanalysis Science of cracking ciphers and codes, decoding secrets,
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationEnhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)
Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany
More informationCryptography ThreeB. Ed Crowley. Fall 08
Cryptography ThreeB Ed Crowley Fall 08 Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types Cryptanalysis. Science of cracking ciphers and codes, decoding secrets,
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More informationWhite-box attack resistant cryptography
White-box attack resistant cryptography Hiding cryptographic keys against the powerful attacker Dušan Klinec, Petr Švenda {xklinec, svenda}@fi.muni.cz Outline CEF&CED, fully homomorphic encryption Whitebox
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More information