RNGs for Resource-Constrained Devices
|
|
- Spencer Osborne
- 6 years ago
- Views:
Transcription
1 RNGs for Resource-Constrained Devices Werner Schindler Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany Bochum, November 6, 2017
2 Outline Crypto for IoT: some general thoughts RNGs on resource-constrained devices (focus on evaluation and design) Physical RNGs Deterministic RNGs Conclusions Schindler November 6, 2017 Slide 2
3 Crypto for IoT IoT devices are often resource-constrained. Cryptographic implementations then should save resources (area, memory, energy). The saving may be limited by requirements on the execution time. This goal may be supported by the use of lightweight algorithms. Note: AES implementations, for instance, can be lightweight, too. Schindler November 6, 2017 Slide 3
4 Crypto for IoT: General Challenges The designer / developer should assess the impact of successful attacks and their benefit for potential attackers determine an appropriate security level identify the relevant attack classes (mathematical cryptanalysis, side-channel attacks, fault attacks, ) prevent undesired side effects (attacks on weakly secured devices shall not allow the control of more security critical components) Schindler November 6, 2017 Slide 4
5 Crypto for IoT: General Challenges (II) In particular, the designer / developer should select appropriate cryptographic algorithms at least for (complex) long-term systems: enable key change crypto agility Schindler November 6, 2017 Slide 5
6 RNGs in real world devices High-end smart cards and general purpose hardware (PC, server etc.) normally use RNGs, which allow the broadest possible range of applications. Usually, smart cards utilize physical RNGs (PTRNGs) or deterministic RNG (DRNGs) PCs, server etc. utilize non-physical nondeterministic RNGs (NTRNGs) Example: /dev/random (Linux) Schindler November 6, 2017 Slide 6
7 AIS 20 and AIS 31 In the German certification scheme (Common Criteria) the evaluation guidance documents AIS 20: Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators AIS 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators have been effective since 1999, resp. since 2001 (mathematical-technical reference updated in 2011) Schindler November 6, 2017 Slide 7
8 AIS 20 + AIS 31 Functionality classes Increasing requirements DRG.4 DRG.3 DRG.2 DRG.1 Increasing requirements PTG.3 PTG.2 PTG.1 Highest class: strong physical noise source with cryptographic postprocessing Pure PTRNGs NTG.1 DRNGs PTRNGs NTRNGs Schindler November 6, 2017 Slide 8
9 RNGs for IoT devices Principally, supporting a broad range of applications is a positive feature but general purpose RNGs may require substantial resources. Question: Is it possible to tailor RNGs on resourceconstrained devices to the needs of the applications? What would this mean for the design and the security evaluation of RNGs? Schindler November 6, 2017 Slide 9
10 Security evaluation of PTRNGs Primary Goal: Estimate the entropy per random bit Entropy is a property of random variables but not of random numbers. Unfortunately, general entropy estimators do not exist. Main task: Develop, verify and analyse a stochastic model ( entropy estimate) Schindler November 6, 2017 Slide 10
11 Security evaluation of PTRNGs (II) A trustworthy security evaluation should verify the suitability of the RNG design the online test, the tot test and the start-up test. online test: shall detect non-tolerable weaknesses of the random numbers. tot test (total failure test): shall consider all realistic scenarios of total failures. Schindler November 6, 2017 Slide 11
12 PTRNGs on low-cost devices Can the evaluation tasks be simplified / be reduced for low-cost devices? The answer is: no! Reason: The keys of (e.g.) lightweight algorithms may be shorter than keys of normal cryptographic algorithms but the entropy per key bit should not be smaller. The lower bound for the entropy per random bit cannot be scaled down in a natural way. Schindler November 6, 2017 Slide 12
13 PTRNGs on low-cost devices (II) At the cost of the output rate resource-efficient PTRNG designs might be utilized if the application permits. Can the online test and the tot test be dropped? Principally yes, but only at the risk of the unnoticed use of (very) weak random numbers! ( risk analysis; worst case: constant random numbers! ) Schindler November 6, 2017 Slide 13
14 Security evaluations of DRNGs The state transition function and the output function are usually composed of cryptographic primitives. A security evaluation of a DRNG shall verify that the seed entropy is sufficiently large that the random numbers have appropriate statistical properties. which of the following security properties are fulfilled forward secrecy backward secrecy enhanced backward secrecy Schindler November 6, 2017 Slide 14
15 Security evaluations of DRNGs (II) The security properties forward secrecy, backward secrecy enhanced backward secrecy are deduced from the security properties of the cryptographic primitives. Schindler November 6, 2017 Slide 15
16 Example 1 Enc: block cipher (AES, Triple-DES etc.), full OFB k: key (to be kept secret) (r n,k) r n (random number) (Enc(r n,k), k) internal state: s n = (r n,k) s n+1 = (Enc (r n, k), k) =: (r n+1,k) Schindler November 6, 2017 Slide 16
17 Example 1: a typical security proof Assumption: The attacker knows r i,r i+1,,r i+j Task: Find r i+j+1 = Enc(r i+j,k): Note that r i+1 = Enc(r i,k),, r i+j = Enc(r i+j-1,k) specific chosen-plaintext attack on Enc(,k) (for AES, for instance forward secrecy) Task: Find r i-1 = Dec(r i,k) = Enc -1 (r i,k): Note that r i+j-1 = Dec(r i+j,k),, r i = Dec(r i+1,k) specific chosen-plaintext attack on Dec(,k) (for AES, for instance backward secrecy) Schindler November 6, 2017 Slide 17
18 DRNGs for resource-constrained devices Natural approach: take a general purpose DRNG replace its cryptographic primitives by corresponding lightweight primitives (e.g., AES by Present). This may reduce the security level of the DRNG. This should not be critical until the security level of the DRNG is still the security level of the application, which uses the random numbers. Schindler November 6, 2017 Slide 18
19 DRNGs for resource-constrained devices (II) This approach allows to save resources without affecting the security level of the consuming lightweight cipher. However, the reduced design may still be (too) costly. Are further savings possible? Enhanced backward secrecy guarantees the secrecy of prior random numbers even if the internal state has been compromised. Its implementation yet might be (too) costly ( requires a one-way function). Schindler November 6, 2017 Slide 19
20 If further savings are necessary the designer might analyse carefully whether the enhanced backward secrecy is actually needed by the application ( threat model). Schindler November 6, 2017 Slide 20
21 Conclusion The selection of cryptographic mechanisms and their implementation on IoT devices should be based on a careful analysis. The evaluation methodology for RNGs does not become easier for resource-constraint devices. PTRNGs: The entropy requirements can not be relaxed. Instead, resources may be saved at the cost of performance. DRNGs: may be scaled down by substituting the cryptographic primitives by suitable lightweight primitives. Schindler November 6, 2017 Slide 21
22 Contact Bundesamt für Sicherheit in der Informationstechnik (BSI) Werner Schindler Godesberger Allee Bonn, Germany Tel: +49 (0) Fax: +49 (0) Schindler November 6, 2017 Slide 22
Update of German Guidance for RNG Evaluation. Wolfgang Killmann T-Systems
Update of German Guidance for RNG Evaluation Wolfgang Killmann T-Systems Motivation Why random number generators? Randomness The outcome of random experiments are unpredictable. Outcomes of ideal random
More informationDeveloper evidence for the evaluation of a deterministic random number generator
Developer evidence for the evaluation of a deterministic random number generator Version: Date: Evaluation Procedure: [Version] [Datum] [BSI-DSZ-CC-xxxx] Author: Qualitätssicherung: [Name(n)] [Name(n)]
More informationEvaluation Report as part of the Evaluation Technical Report, Part B ETR-Part Deterministic Random Number Generator
##Classification Evaluation Report as part of the Evaluation Technical Report, Part B ETR-Part Deterministic Random Number Generator Evaluation Assurance Level ##EAL 1-7 Version: Version 0.10 Date: 28.02.13
More informationWorking with the EU Directive High common level of network and information security. Martin Apel, SANS ICS Summit, Munich und
Working with the EU Directive High common level of network and information security Martin Apel, SANS ICS Summit, Munich und 18.06.2018 Outline 1. Overview over NIS-Directive 2. Who is an operator of essential
More informationAssurance Continuity Maintenance Report
IFX_CCI_000003h, IFX_CCI_000005h, IFX_CCI_000008h, IFX_CCI_00000Ch, IFX_CCI_000013h, IFX_CCI_000014h, IFX_CCI_000015h, IFX_CCI_00001Ch and IFX_CCI_00001Dh design step H13 including optional software libraries
More informationPredictive Assurance
Predictive Assurance Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) 9 ICCC Jeju, Korea September 2008 Irmela Ruhrmann Head of Division Certification,
More informationDeveloper evidence for the evaluation of a physical true random number generator
Developer evidence for the evaluation of a physical true random number generator Version: Date: Evaluation Procedure: [Version] [Datum] [BSI-DSZ-CC-xxxx] Author: Quality Assurance: [Name(n)] [Name(n)]
More informationTwo Aspects of Exercising Cyber Incidents
Two Aspects of Exercising Cyber Incidents Susanne Jantsch Federal Office for Information Security Situation Centre and CERT-Bund ENISA's 1 st International Conference on Cyber Exercises Paris, 27 June
More informationDesign and evaluation of random number generators
Journal of Applied Mathematics & Bioinformatics, vol.5, no.3, 2015, 155-176 ISSN: 1792-6602 (print), 1792-6939 (online) Scienpress Ltd, 2015 Design and evaluation of random number generators George Marinakis
More informationDocumentation and Analysis of the Linux Random Number Generator. Version: 2.3
Documentation and Analysis of the Linux Random Number Generator Version: 2.3 Document history Version Date Editor Description 0.1 2017-01-26 Stephan Müller Chapters 2 and 3 completed 0.2 2017-04-01 Stephan
More informationLegal Regulations and Vulnerability Analysis
Legal Regulations and Vulnerability Analysis Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) Germany Introduction of the BSI National Authority for Information
More informationBSI-CC-PP for. FIDO Universal Second Factor (U2F) Authenticator, Version 1.0. developed by. Federal Office for Information Security
for FIDO Universal Second Factor (U2F) Authenticator, Version 1.0 developed by Federal Office for Information Security Federal Office for Information Security (BSI), Postfach 20 03 63, 53133 Bonn, Germany
More informationBSI ADV Transition Guide. from CC V2.3 to CC V3.1. Miriam Serowy. Bundesamt für Sicherheit in der Informationstechnik /
BSI ADV Transition Guide from CC V2.3 to CC V3.1 Miriam Serowy Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security 8 th ICCC Rome / September 2007 Agenda General
More informationBSI-CC-PP for
for Protection Profile for the Security Module of a Smart Meter Mini-HSM (Mini-HSM Security Module PP) - Schutzprofil für das Sicherheitsmodul des Smart Meter Mini-HSM, V1.0 developed by Federal Office
More informationBSI-CC-PP for. Java Card Protection Profile - Open Configuration, Version December developed by. Oracle Corporation
BSI-CC-PP-0099-2017 for Java Card Protection Profile - Open Configuration, Version 3.0.5 December 2017 developed by Oracle Corporation Federal Office for Information Security (BSI), Postfach 20 03 63,
More informationECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.
Building Secure Hardware ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria Stefan Mangard Infineon Technologies, Munich, Germany Stefan.Mangard@infineon.com Outline Assets and Requirements
More informationEvaluating memory protection of smartcards and similar devices. Wolfgang Killmann, T-Systems GEI GmbH
Evaluating memory protection of smartcards and similar devices Wolfgang Killmann, T-Systems GEI GmbH Motivation of the talk Confidentiality of stored data is a core security feature but memory may be physically
More informationThe German IT Security Certification Scheme. Joachim Weber
The German IT Security Certification Scheme Joachim Weber The German IT Security Certification Scheme 1. The role of the BSI 2. The German IT Certificate Scheme 3. Certification procedures in detail 4.
More informationBSI-CC-PP-0088-V for
BSI-CC-PP-0088-V2-2017 for Base Protection Profile for Database Management Systems (DBMS PP) Version 2.12 and DBMS PP Extended Package - Access History (DBMS PP_EP_AH) Version 1.02 developed by DBMS Working
More informationKey Lifecycle Security Requirements. Version 1.0.2
Key Lifecycle Security Requirements Version 1.0.2 Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail: eid@bsi.bund.de Internet: https://www.bsi.bund.de
More informationProtection Profile for the Gateway of a Smart Metering System Combining privacy protection with security for the grid
Protection Profile for the Gateway of a Smart Metering System Combining privacy protection with security for the grid Dr. Helge (BSI) 12th ICC, 29.9.2011 A Possible Smart Grid 2 Introduction Smart Meter
More informationBSI-PP for. Protection Profile Waste Bin Identification Systems (WBIS-PP) Version developed by. Deutscher Städte- und Gemeindenbund
Bundesamt für Sicherheit in der Informationstechnik BSI-PP-0010-2004 for Protection Profile Waste Bin Identification Systems (WBIS-PP) Version 1.04 developed by Deutscher Städte- und Gemeindenbund - Bundesamt
More informationGermany and The Netherlands Certification of cryptographic modules
Germany and The Netherlands Certification of cryptographic modules Leo Kool (Msc), Brightsight 18 May 2016, kool@brightsight.com Outline CC and Schemes Evaluation Process and Reporting forms (NSCIB, BSI)
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCryptographic Mechanisms: Recommendations and Key Lengths
Technical Guideline TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths Part 4 Use of Secure Shell (SSH) (Version 2018-01) Federal Office for Information Security P.O.B. 20 03 63 D-53133
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationB) Symmetric Ciphers. B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers
1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers B.a) Fundamentals 2 B.1 Definition 3 A mapping Enc: P K C for which ϕ k := Enc(,k): P C is bijective for each k K is called
More informationEC500. Design of Secure and Reliable Hardware. Lecture 1 & 2
EC500 Design of Secure and Reliable Hardware Lecture 1 & 2 Mark Karpovsky January 17 th, 2013 1 Security Errors injected by the attacker (active attacks) Reliability Errors injected by random sources e.g.
More informationBSI-CC-PP for
for Common Criteria PP Configuration Machine Readable Electronic Documents - Optionales Nachladen (Optional Post-Emission Updates) [MR.ED-ON-PP] developed by Federal Office for Information Security Federal
More informationInternet Engineering Task Force (IETF) Category: Informational ISSN: October 2013
Internet Engineering Task Force (IETF) J. Merkle Request for Comments: 7027 secunet Security Networks Updates: 4492 M. Lochter Category: Informational BSI ISSN: 2070-1721 October 2013 Abstract Elliptic
More informationNational Cyber Security Strategy 2016
National Cyber Security Strategy 2016 26th of April 2017, Athens Samuel Rothenpieler, International Relations Advisor, Federal Office for Information Security (BSI) Mission Statement of the German Federal
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationSecuring Network Communications
Securing Network Communications Demonstration: Securing network access with Whitenoise Labs identity management, one-time-pad dynamic authentication, and onetime-pad authenticated encryption. Use of Whitenoise
More informationBSI-PP for. Protection Profile Secure Signature-Creation Device Type 3, Version developed by
BSI-PP-0006-2002 for Protection Profile Secure Signature-Creation Device Type 3, Version 1.05 developed by CEN/ISSS Information Society Standardization System, Workshop on Electronic Signatures - Bundesamt
More informationeidas compliant Trust Services with Utimaco HSMs
eidas compliant Trust Services with Utimaco HSMs March 15, 2018 Dieter Bong Product Manager Utimaco HSM Business Unit Aachen, Germany 2018 eidas-compliant Trust Services with Utimaco HSMs Page 1 eidas
More informationTrue Random Number Generation TRNG Master SETI
True Random Number Generation Master SETI Jean-Luc Danger Jean-Luc Danger Outline overview architecture post-processing and tests Conclusions, Questions 2 Jean-Luc Danger RNG Applications Cryptography
More informationJuniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0. Juniper Networks, Inc.
Juniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0 Juniper Networks, Inc. September 10, 2009 Copyright Juniper Networks, Inc. 2009. May be reproduced only in
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationCryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers
Cryptography Dr. Michael Schneider michael.schneider@h-da.de Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Random and Pseudorandom
More informationBSI-CC-PP for. Remote-Controlled Browsers Systems (ReCoBS) Version 1.0. from. Bundesamt für Sicherheit in der Informationstechnik
BSI-CC-PP-0040-2008 for Remote-Controlled Browsers Systems (ReCoBS) Version 1.0 from Bundesamt für Sicherheit in der Informationstechnik BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms
More informationG13. Resistance to attackers with HIGH attack potential. Author: Hans-Ulrich Buchmüller. Revision: 0.3
Common Criteria v3.1 EAL6 augmented / EAL6+ IFX_CCI_000007h IFX_CCI_000009h IFX_CCI_00000Ah IFX_CCI_00000Bh IFX_CCI_000016h IFX_CCI_000017h IFX_CCI_000018h G13 Resistance to attackers with HIGH attack
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 32 Outline 1 Historical Ciphers 2 Probability Review 3 Security Definitions: Perfect Secrecy 4 One Time Pad (OTP) 2
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17
More informationConnecting Securely to the Cloud
Connecting Securely to the Cloud Security Primer Presented by Enrico Gregoratto Andrew Marsh Agenda 2 Presentation Speaker Trusting The Connection Transport Layer Security Connecting to the Cloud Enrico
More informationSTS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4
STS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4 Inter-4 A Division of Sierra Nevada Corporation December 10, 2008 Copyright Sierra Nevada Corporation 2008. May be reproduced
More informationSpanish Information Technology Security Evaluation and Certification Scheme
Spanish Information Technology Security Evaluation and Certification Scheme IT-009 Remote Qualified Electronic Signature Creation Device Evaluation Methodology Version 1.0 January 2017 Documento del Esquema
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationA Closer Look at Security in Random Number Generators Design
A Closer Look at Security in Random Number Generators Design Viktor Fischer To cite this version: Viktor Fischer. A Closer Look at Security in Random Number Generators Design. Werner Schindler; Sorin Huss.
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationStream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13
Stream Ciphers Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu Koç (http://cs.ucsb.edu/~koc) ucsb ccs 130h explore crypto fall 2014 1 / 13 Block Ciphers Plaintext: M i with M i = n, where n is the
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More information2nd ENISA Workshop German CERT-Activities. 5 th October, 2006 Brussels
2nd ENISA Workshop German CERT-Activities 5 th October, 2006 Brussels Overview Hosting Organisation CERT-Bund Background Projects CERT Services German CERT Activities International Cooperation Lessons
More informationAssurance Continuity Maintenance Report
Infineon Smart Card IC (Security Controller) SLE88CFX4000P/M8830-b17, SLE88CFX4002P/M8834-b17, SLE88CFX3520P/M8847-b17, SLE88CFX2920P/M8849-b17, SLE88CF4000P/M8845-b17, SLE88CF4002P/M8846-b17, SLE88CF3520P/M8848-b17,
More informationPassword Management. Eugene Davis UAH Information Security Club January 10, 2013
Password Management Eugene Davis UAH Information Security Club January 10, 2013 Password Basics Passwords perform service across a broad range of applications Can act as a way to authenticate a user to
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationBSI-CC-PP for. Biometric Verification Mechanisms Protection Profile Version 1.3. from. Bundesamt für Sicherheit in der Informationstechnik
for Biometric Verification Mechanisms Protection Profile Version 1.3 from Bundesamt für Sicherheit in der Informationstechnik BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63,
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationLECTURE NOTES ON COMPUTER AND DATA SECURITY
Department of Software The University of Babylon LECTURE NOTES ON COMPUTER AND DATA SECURITY By College of Information Technology, University of Babylon, Iraq Samaher@itnet.uobabylon.edu.iq Computer an
More informationMisuse-resistant crypto for JOSE/JWT
Misuse-resistant crypto for JOSE/JWT Neil Madden OAuth Security Workshop, 2018 1 JOSE Content Encryption Methods Provide authenticated encryption AES-CBC with HMAC-SHA2 Requires random 128-bit IV Must
More informationSecurity. Communication security. System Security
Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 3 Week of February 5, 2018: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric
More informationComposite Evaluation for Smart Cards and Similar Devices
Composite Evaluation for Smart Cards and Similar Devices ISCI-WG1 and T-Systems GEI GmbH Composite EAL Certificate 25th-27th September, 2007, page 1. What are we speaking about? Motivation Terminology
More informationTechnological foundation
Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards
More informationBSI C5 Status Quo. Dr. Clemens Doubrava, BSI,
BSI C5 Status Quo Dr. Clemens Doubrava, BSI, 11.12.2017 Expectations Cloud Service Provider Customers, more customers, An Everything-is-secure -Certification Preferably including data protection (GDPR)
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationCryptography. Summer Term 2010
Cryptography Summer Term 2010 Harald Baier Chapter 3: Pseudo Random Bit Generators and Stream Ciphers Contents Random bits and pseudo random bits Stream ciphers Harald Baier Cryptography h_da, Summer Term
More informationPrivacy and Security in Smart Grids
Faculty of Computer Science, Institute of Systems Architecture, Chair for Privacy and Data Security Privacy and Security in Smart Grids The German Approach Sebastian Clauß, Stefan Köpsell Dresden, 19.10.2012
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationFIPS Security Policy
Motorola Mobility Linux Kernel Software Cryptographic Module FIPS 140-2 Security Policy Module Version 1.0 Document version 1.13 March 11, 2015 This document may be freely copied and distributed provided
More informationStream Ciphers. Çetin Kaya Koç Winter / 13
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 13 Block Ciphers Cryptography Plaintext: M i with M i = n, where n is the block length (in bits) Ciphertext: C i with C i = m, where m n, however,
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationn-bit Output Feedback
n-bit Output Feedback Cryptography IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 1 Properties of Output Feedback Mode No error propagation Active attacker can
More informationSUCCESS STORY INFORMATION SECURITY
SUCCESS STORY Landis+Gyr cares for security in Smart Metering Safety modules for Smart-Meter Gateways according to Common Criteria The fabrication of intelligent power meters, the so called Smart Meters,
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationSecurity Policy Document Version 3.3. Tropos Networks
Tropos Control Element Management System Security Policy Document Version 3.3 Tropos Networks October 1 st, 2009 Copyright 2009 Tropos Networks. This document may be freely reproduced whole and intact
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationCryptography III: Symmetric Ciphers
Cryptography III: Symmetric Ciphers Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 14th February 2008 Outline Stream ciphers Block ciphers DES and Rijndael Summary
More informationDMT-CBS-CE3D3 Family (DMT-CBS-CE3D3/CC080/CC048) Dual interface smart card chip with HAL library, version 2.0
DMT-CBS-CE3D3 Family (DMT-CBS-CE3D3/CC080/CC048) Dual interface smart card chip with HAL library, version 2.0 Security Target Lite 13 December 2016 Version 0.3 1 DATANG DATANG MICROELECTRONICS MICROELECTRONICS
More informationSecurity Target Lite of. CIU9872B_01 C12 Secure Chip
Lite CIU9872B_01 C12 Security Target Security Target Lite of CIU9872B_01 C12 Secure Chip Version 1.2 Date 2017-10-11 CEC Huada Electronic Design Co., Ltd. REVISION HISTORY 1.0 2017.09.29: Generated the
More informationAcronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector
Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationBSI-DSZ-CC for. NXP Secure Smart Card Controller N7021 VA including IC Dedicated Software. from. NXP Semiconductors Germany GmbH
BSI-DSZ-CC-0977-2017 for NXP Secure Smart Card Controller N7021 VA including IC Dedicated Software from NXP Semiconductors Germany GmbH BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach
More informationFIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module
FIPS 140-2 Security Policy for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module Hardware Version: 88i8925, 88i8922, 88i8945, and 88i8946 Firmware Version: Solaris2-FIPS-FW-V1.0 Document Version:
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More informationSecurity Requirements for Crypto Devices
Security Requirements for Crypto Devices Version 1.0 02 May 2018 Controller of Certifying Authorities Ministry of Electronics and Information Technology 1 Document Control Document Name Security Requirements
More informationRSA BSAFE Crypto-C Micro Edition Security Policy
Security Policy 15.11.12 RSA BSAFE Crypto-C Micro Edition 3.0.0.16 Security Policy This document is a non-proprietary security policy for RSA BSAFE Crypto-C Micro Edition 3.0.0.16 (Crypto-C ME) security
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationBSI-DSZ-CC for. S3CC9LC 16-Bit RISC Microcontroller for Smart Card Version 2. from. Samsung Electronics Co., Ltd.
BSI-DSZ-CC-0452-2007 for S3CC9LC 16-Bit RISC Microcontroller for Smart Card Version 2 from Samsung Electronics Co., Ltd. BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133
More informationTest Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,
Test Conditions Closed book, closed notes, no calculator, no laptop just brains 75 minutes Steven M. Bellovin October 19, 2005 1 Form 8 questions I m not asking you to write programs or even pseudo-code
More informationBSI-DSZ-CC-0957-V for. TCOS Smart Meter Security Module Version 1.0 Release 2/P60C144PVE. from. T-Systems International GmbH
BSI-DSZ-CC-0957-V2-2016 for TCOS Smart Meter Security Module Version 1.0 Release 2/P60C144PVE from T-Systems International GmbH BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03
More informationJoint Interpretation Library. Management of. Code Disclosure and Software IP Reuse
Management of Code Disclosure and Software IP Reuse CARRYING OUT IMPACT AND VULNERABILITY ANALYSIS IN CASE OF REUSE OF SOFTWARE IP DISCLOSURE OF SOFTWARE AND FIRMWARE Version 1.2 November 2017 Management
More informationElectronic Health Card Terminal (ehct)
Common Criteria Protection Profile Electronic Health Card Terminal (ehct) BSI-CC-PP-0032 Approved by the Federal Ministry of Health Foreword This Protection Profile - Protection Profile electronic Health
More informationDataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.
Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based
More informationCSc 466/566. Computer Security. 6 : Cryptography Symmetric Key
1/56 CSc 466/566 Computer Security 6 : Cryptography Symmetric Key Version: 2012/02/22 16:14:16 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More information