Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
|
|
- Homer Bailey
- 5 years ago
- Views:
Transcription
1 Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Christina Garman Kenny Paterson Thyla van der Merwe Johns Hopkins University Royal Holloway, University of London 12 August 2015 Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 1/ 19
2 Motivation Despite AlFardan-Bernstein-Paterson-Poettering-Schuldt (USENIX 2013), RC4 usage stood at 35% of TLS connections ICSI$Notary$Sta+s+cs$[Dec.,$2014]$ h9p://notary.icsi.berkeley.edu/$ Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 2/ 19
3 Motivation Despite AlFardan-Bernstein-Paterson-Poettering-Schuldt (USENIX 2013), RC4 usage stood at 35% of TLS connections Can we strengthen these attacks? Passwords are widely used for authentication and the fact that they are not uniformly distributed may give us a boost Get RC4 closer to the point where it needs to be abandoned! Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 2/ 19
4 RC4 in TLS h:p tcp Applica7on Transport Internet Data Link TLS C S ClientHello(,[RC4, ]) Handshake protocol ServerHello(,RC4) K u, K d... K u, K d ClientFinshed C r = P r Z r. ServerFinshed Record protocol (encrypted with RC4, keys K u and K d ) Integrity, HMAC- SHA1 36 protected FINISHED bytes applica7on data... Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 3/ 19
5 RC4 Biases 255 INFILE using 1:2:(max(min( *$3,1.0),-1.0)) Byte value, Position 2 [ ] Byte value, Position 1 [ ] -1 Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 4/ 19
6 Attack Setting First described by Mantin and Shamir in 2001 A fixed plaintext, P, is encrypted multiple times under independent RC4 keys, K i P,#K 1# P,#K S# Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 5/ 19
7 Plaintext Recovery via Bayesian Analysis We want to maximize (for a position in the plaintext stream r): Pr(X = x C = c) X is the random variable corresponding to a plaintext byte, x C is the random variable corresponding to a vector of ciphertext bytes Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 6/ 19
8 Plaintext Recovery via Bayesian Analysis Using Bayes Theorem: Pr(X = x C = c) = = Pr(C = c X = x) Pr(X = x) Pr(C = c) Pr(C = c X = x) Pr(X = x) x X Pr(C = c X = x ) Pr(X = x ) Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 6/ 19
9 Plaintext Recovery via Bayesian Analysis So we actually want to maximize this: Pr(C = c X = x) Pr(X = x) However, and it suffices to maximize: Pr(C = c X = x) = Pr(Z = z) Pr(X = x) Pr(Z = z) Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 6/ 19
10 Plaintext Recovery via Bayesian Analysis C1( C2( encryp7ons(of(fixed(byte(( under(different(keys( r"" byte(candidate(( (x(" x" x" yields(induced(distribu7on(on( keystream(bytes(z r" combine(with(known(distribu7on( C3( x" CS(...(( x"...(( Combine(with(a"priori"plaintext( distribu7on(( Recovery(algorithm:(( Compute(most(likely(byte(by(( considering(all(byte(possibili7es( ( a"posteriori"likelihood(of(x(being(( correct(byte( Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 7/ 19
11 Attacking Cookies [ABPPS13] C1( C2( encryp7ons(of(fixed(byte(( under(different(keys( r"" byte(candidate(( (x(" x" x" yields(induced(distribu7on(on( keystream(bytes(z r" combine(with(known(distribu7on( C3( x" CS(...(( x"...(( assume(a"priori"plaintext( distribu7on(uniform( Recovery(algorithm:(( Compute(most(likely(byte(by(( considering(all(byte(possibili7es( ( Repeat(for(all(bytes(of(the(cookie( a"posteriori"likelihood(of(x(being(( correct(byte( ((256(posi7ons,(2 34 (encryp7ons,(2000(hrs!( Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 8/ 19
12 Attacking Passwords Widely used for authentication on the web, NOT uniformly distributed RockYou leak of 32 million passwords in 2009, about 14 million unique, most popular Have a priori information from leaked datasets Multiple bytes, not just one... Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 9/ 19
13 Attacking Passwords For n bytes we want to maximize Pr(X = x) Pr(Z = z) where X is the random variable corresponding to a vector of plaintext bytes, x = (x 0, x 1,..., x n 1 ) Z is the random variable corresponding to the matrix of keystream bytes?? Pr(Z = z)?? Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 10/ 19
14 Attacking Passwords For n bytes we want to maximize Pr(X = x) Pr(Z = z) where X is the random variable corresponding to a vector of plaintext bytes, x = (x 0, x 1,..., x n 1 ) Z is the random variable corresponding to the matrix of keystream bytes?? Pr(Z = z)?? Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 10/ 19
15 Approximations Pr(Z%=%z)%% A"ack&1:&& Assume&keystream&bytes&behave& independently& &use&single6byte&probabili8es& (product&distribu8on)& A"ack&2:&& Assume&keystream&byte&is&influenced&only&by& byte&directly&adjacent&to&it& &use&double6&and& single6byte&probabili8es& (Picture of the double-byte biases, 2 44 keystreams, 4800 core-days) Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 11/ 19
16 Approximations Pr(Z%=%z)%% A"ack&1:&& Assume&keystream&bytes&behave& independently& &use&single6byte&probabili8es& (product&distribu8on)& A"ack&2:&& Assume&keystream&byte&is&influenced&only&by& byte&directly&adjacent&to&it& &use&double6&and& single6byte&probabili8es& (Picture of the double-byte biases, 2 44 keystreams, 4800 core-days) Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 11/ 19
17 Approximations encryp8ons(of(fixed(password(( under(different(keys( r,"r+1,,"r+n11" password(candidate(( (x(=(x 0",x 1",,"x n " yields(induced(distribu8on(on( keystream(bytes(z r,z r+1,,z r+n11"" C1( C2( x 0,"x 1,","x n " x 0,"x 1,","x n " combine(with(known(distribu8on( C3( x 0,"x 1,","x n " CS(...(( x 0,"x 1,","x n "...(( approximate!using!known!! distribu:on! combine(with(a"priori"password( distribu8on(!recovery!algorithm:!( (Compute(most(likely(password(from(((( (dic8onary(of(n(passwords( a"posteriori"likelihood(of(x(being(( correct(password( Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 12/ 19
18 What s different? n bytes instead of one T attempts before lockout dictionary of size N single-byte vs double-byte estimator Base64 or ASCII r starting position S ciphertexts guessing attacks Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 13/ 19
19 Simulation Results Use a dictionary built from RockYou leak dataset to attack Singles.org dataset More realistic but limits our success rate Default parameters, n = 6, T = 5, S = 2 20, 2 22,..., 2 28 Success rate based on 256 experiments Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 14/ 19
20 Simulation Results Single-byte vs double-byte, n = 6, T = 5 Success Rate db, 2 20 db, 2 22 db, 2 24 db, 2 26 db, 2 28 sb, 2 20 sb, 2 22 sb, 2 24 sb, 2 26 sb, Starting Position Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 15/ 19
21 Simulation Results T vs success rate, n = 6, r = double-byte and guessing log 2 (T) optimal guessing Recovery Rate Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 16/ 19
22 Practical Validation Applicable to BasicAuth and IMAP We need multiple, independent encryptions of the password We need the password to be encrypted at a favourable position Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 17/ 19
23 Practical Validation r = 133! PW! PW = ! TLS channel! Resumption latency of 250ms, 2 26, 6 parallel connections, 776 hours (at 100ms, 312 hours) Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 18/ 19
24 Closing Remarks Made use of a generally applicable Bayesian inference technique Strengthened the results of AlFardan et al., good recovery rates at 2 26 vs ciphertexts and an attack time of 312 vs hours ICSI$Notary$Sta+s+cs$[Jul./Aug.,$2015]$ h=p://notary.icsi.berkeley.edu/$ 12.8% of TLS connections make use of RC4 Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 19/ 19
25 Closing Remarks Made use of a generally applicable Bayesian inference technique Strengthened the results of AlFardan et al., good recovery rates at 2 26 vs ciphertexts and an attack time of 312 vs hours DEC$ 2015$ FEB$ MAR$ JULY$ NOW$ Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 19/ 19
26 Closing Remarks Made use of a generally applicable Bayesian inference technique Strengthened the results of AlFardan et al., good recovery rates at 2 26 vs ciphertexts and an attack time of 312 vs hours DEC$ 2015$ FEB$ MAR$ JULY$ NOW$ We need to stop using RC4! Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS Thyla van der Merwe 19/ 19
Private-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 32 Outline 1 Historical Ciphers 2 Probability Review 3 Security Definitions: Perfect Secrecy 4 One Time Pad (OTP) 2
More informationPlaintext Recovery Attacks Against WPA/TKIP
Plaintext Recovery Attacks Against WPA/TKIP Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London! The 21st International Workshop on Fast Software Encryption March 4th,
More informationBig Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases
Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Overview RC4 Attacking RC4 in TLS Big bias
More informationTLS Security Where Do We Stand? Kenny Paterson
TLS Security Where Do We Stand? Kenny Paterson (based on joint work with Nadhem AlFardan, Dan Bernstein, Bertram Poettering, Jacob Schuldt) Information Security Group Outline TLS and the TLS Record Protocol
More informationAll Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS
All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015 RC4 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And
More informationCryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers
Cryptography Dr. Michael Schneider michael.schneider@h-da.de Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Random and Pseudorandom
More informationPlaintext-Recovery Attacks Against Datagram TLS
Information Security Group Royal Holloway, University of London 6th Feb 2012 Contents 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6 Results
More informationFull Plaintext Recovery Attack on Broadcast RC4
11 March, 2013 FSE 2013 @ Singapore Full Plaintext Recovery Attack on Broadcast RC4 Takanori Isobe () Toshihiro Ohigashi (Hiroshima University) Yuhei Watanabe () Masakatu Morii () Target Broadcast setting
More informationAttacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016
Attacks on SSL/TLS Applied Cryptography Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016 Timeline of attacks on SSL/TLS 2/41 SSLstrip 2010 2011 2012 2013 2014 2015 2016 BEAST POODLE
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationCNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationCHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f
CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS53 is 512. Λ This demonstrates the contribution to the security of RC4 made by the simple swapping of S table entries in the memory update function.
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationStream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16
Stream Ciphers - RC4 F. Sozzani, G. Bertoni, L. Breveglieri Foundations of Cryptography - RC4 pp. 1 / 16 Overview RC4 is a stream cipher using a symmetric key it was developed in 1987 by Ronald Rivest
More informationNetwork Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014
Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8
More informationImplementing Cryptography: Good Theory vs. Bad Practice
Implementing Cryptography: Good Theory vs. Bad Practice Viet Pham Information Security Group, Department of Mathematics Royal Holloway, University of London Outline News report What is cryptography? Why
More informationNetwork Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017
Network Security Security in local-area networks Radboud University, The Netherlands Spring 2017 A two-slide intro to networking I Command on tyrion: netcat -lp 51966 Command on arya: echo "Hi tyrion"
More informationCryptography. Summer Term 2010
Cryptography Summer Term 2010 Harald Baier Chapter 3: Pseudo Random Bit Generators and Stream Ciphers Contents Random bits and pseudo random bits Stream ciphers Harald Baier Cryptography h_da, Summer Term
More informationA Surfeit of SSH Cipher Suites
A Surfeit of SSH Cipher Suites Jean Paul Degabriele Information Security Group www.isg.rhul.ac.uk/~psai074 Based in part on slides by Kenny Paterson Outline of this talk Overview of SSH and related work
More informationLucky Microseconds: A Timing Attack on Amazon s s2n Implementation of TLS
Lucky Microseconds: A Timing Attack on Amazon s s2n Implementation of TLS Martin R. Albrecht and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, Egham, Surrey TW20
More informationRC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step
RC4 RC4 1 RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationSymmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu
Symmetric encrypbon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Symmetric encrypbon Block ciphers Modes of operabon
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More informationScienceDirect. Efficient FPGA Implementation of the RC4 Stream Cipher using Block RAM and Pipelining
Available online at www.sciencedirect.com ScienceDirect Procedia Computer Science 63 (2015 ) 8 15 The 6th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2015) Efficient
More informationInformation Security CS526
Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers 1 Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days
More informationRelease note Tornaborate
Release note 1.2.6 Tornaborate 2015-09-10 Contents 1 Summary 4 2 Additional important information about this release 5 3 Upgrade 6 3.1 Prerequisites................................... 6 3.2 How to apply
More informationL5: Basic Grammar Based Probabilistic Password Cracking
L5: Basic Grammar Based Probabilistic Password Cracking Sudhir Aggarwal and Shiva Houshmand and Matt Weir Florida State University Department of Computer Science E-Crime Investigative Technologies Lab
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More informationHTTPS is Fast and Hassle-free with Cloudflare
HTTPS is Fast and Hassle-free with Cloudflare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their
More informationNetwork Security. Security in local-area networks. Radboud University Nijmegen, The Netherlands. Autumn 2014
Network Security Security in local-area networks Radboud University Nijmegen, The Netherlands Autumn 2014 Announcement Exercise class (werkcollege) time and room changed: Friday, 15:30-17:30, in LIN 8
More informationKey Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationThe Salsa20 Family of Stream Ciphers
The Salsa20 Family of Stream Ciphers Based on [Bernstein, 2008] Erin Hales, Gregor Matl, Simon-Philipp Merz Introduction to Cryptology November 13, 2017 From a security perspective, if you re connected,
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationCryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationStream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91
Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCipher Suite Configuration Mode Commands
The Cipher Suite Configuration Mode is used to configure the building blocks for SSL cipher suites, including the encryption algorithm, hash function, and key exchange. Important The commands or keywords/variables
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationTLS (TRANSPORT LAYER SECURITY) PROTOCOL
TLS ATTACKS CHRISTA PHILIPPOU PROFESOR: ELIAS AHANASOPOULOS UNIVERSITY OF CYPRUS EPL 682 ADVANCED SECURITY TOPICS Ø ON THE EFFECTIVE PREVENTION OF TLS MAN-IN-THE-MIDDLE ATTACKS IN WEB APPLICATIONS. USENIX
More informationCourse Business. Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday
Course Business Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday Final Exam on Monday, May 1 st (in this classroom) Adib will proctor I am traveling
More informationScanned by CamScanner
Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Symmetric-Key Cryptography CS 161: Computer Security
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationInitial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)
- 2 - Despite the short history, Multipath TCP(MPTCP) prevails drastically As MPTCP was deployed, security concerns increase There have been multiple attempts at verifications to security of MPTCP Initial
More informationCOPACOBANA: RECONFIGURABLE COMPUTING IN CRYPTANALYSIS. Ben Johnstone
COPACOBANA: RECONFIGURABLE COMPUTING IN CRYPTANALYSIS Ben Johnstone Overview Goals Architecture DES Performance Conclusion What is COPACOBANA? Cost Optimized Parallel Code Breaker History Developed at
More informationWireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities
Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent
More informationAnalyzing Wireless Security in Columbia, Missouri
Analyzing Wireless Security in Columbia, Missouri Matthew Chittum Clayton Harper John Mixon Johnathan Walton Abstract The current state of wireless security in most areas can be estimated based on trends
More informationSecurity Models: Proofs, Protocols and Certification
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble
More informationImplementing Practical leakage-resilient symmetric cryptography. University of Illinois at Chicago, Technische Universiteit Eindhoven
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationSymmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu
Symmetric and Password- based encrypdon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Symmetric encrypdon key generadon
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More information05 - WLAN Encryption and Data Integrity Protocols
05 - WLAN Encryption and Data Integrity Protocols Introduction 802.11i adds new encryption and data integrity methods. includes encryption algorithms to protect the data, cryptographic integrity checks
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationCS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL
CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships?
More informationOverview of Security
Overview of 802.11 Security Bingdong Li Present for CPE 601 2/9/2011 Sources: 1 Jesse Walker (Intel) & 2. WinLab 1 Agenda Introduction 802.11 Basic Security Mechanisms What s Wrong? Major Risks Recommendations
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationPhoenix: Rebirth of a Cryptographic Password-Hardening Service
Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W.F. Lai 1,2 Christoph Egger 1 Dominique Schro der 1 Sherman S.M. Chow 2 1 Friedrich-Alexander-Universita t Erlangen-Nu rnberg University
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationCache Timing Analysis of LFSR-based Stream Ciphers
Cache Timing Analysis of LFSR-based Stream Ciphers Gregor Leander, Erik Zenner and Philip Hawkes Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Cirencester, Dec. 17, 2009
More informationThis Security Policy describes how this module complies with the eleven sections of the Standard:
Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationCrypto: Passwords and RNGs. CS 642 Guest Lecturer: Adam Everspaugh
Crypto: Passwords and RNGs CS 642 Guest Lecturer: Adam Everspaugh http://pages.cs.wisc.edu/~ace Topics! Password-based Crypto!! Random Number Generators Symmetric Key Encryption key generation R k Gen
More informationIntroduction and Overview. Why CSCI 454/554?
Introduction and Overview CSCI 454/554 Why CSCI 454/554? Get Credits and Graduate Security is important More job opportunities More research funds 1 Workload Five homework assignments Two exams (open book
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationSet Up with Microsoft Outlook 2013 using POP3
Page 1 of 14 Help Center Set Up E-mail with Microsoft Outlook 2013 using POP3 Learn how to configure Microsoft Outlook 2013 for use with your 1&1 e-mail account using the POP3 Protocol. Before you begin,
More informationBlock Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)
Block Ciphers Tutorial c Eli Biham - May 3, 2005 146 Block Ciphers Tutorial (5) A Known Plaintext Attack on 1-Round DES After removing the permutations IP and FP we get: L R 48 K=? F L R c Eli Biham -
More informationNew attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],
New attacks on the MacDES MAC Algorithm Don Coppersmith IBM Research T. J. Watson Research Center Yorktown Heights, NY 10598, USA copper@watson.ibm.com Chris J. Mitchell Information Security Group Royal
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationPresentation_ID. 2001, Cisco Systems, Inc. All rights reserved.
1 Session Number Denver Tech Days 2002 WLAN Security Mike Morrato System Engineer Cisco Systems April 10, 2002 2 Agenda Past security methods in Wireless LANs The problem with 802.11 - Wireless Insecurity
More informationDistributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011
Distributed Key Management and Cryptographic Agility Tolga Acar 24 Feb. 2011 1 Overview Distributed Key Lifecycle Problem statement and status quo Distributed Key Manager Typical application scenario and
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationTLS connection management & application support. Giuseppe Bianchi
TLS connection management & application support Alert Protocol TLS defines special messages to convey alert information between the involved fields Alert Protocol messages encapsulated into TLS Records
More informationA Protocol for Secure Public Instant Messaging
Financial Cryptography - Feb 27, 2006 A Protocol for Secure Public Instant Messaging Mohammad Mannan and Paul C. van Oorschot Digital Security Group Carleton University, Canada Mohammad Mannan Feb 27,
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More information06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security
1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security Dr. L. Christofi 1 0. Overview As the knowledge of computer networking and protocols has become more widespread, so the threat of
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationCS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis
CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE
More informationMaximizing the speed of time based SQL injection data retrieval
Maximizing the speed of time based SQL injection data retrieval 30c3, Hamburg, 29.12.2013 Arnim' ; DROP TABLE students;-- ) Introduction SQL injection SQLi is #1 of OWASP Top 10 Web vulnerabilities Sample
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:
C 646 Lecture 7 Modes of Operation of Block Ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van Oorschot,
More informationTel Aviv University. The Iby and Aladar Fleischman Faculty of Engineering
Tel Aviv University The Iby and Aladar Fleischman Faculty of Engineering The Zandman-Slaner School of Graduate Studies Estimating Closeness to the Uniform Distribution on RC4 Keystream Bytes using Property
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013
Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013 Digital Signatures Diagram illustrating how to sign a message Why do we use a one-way hash? How does a collision
More informationEnhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher
Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Nishith Sinha Mallika Chawda Kishore Bhamidipati Assistant Professor ABSTRACT RC4 is one of the most widely used stream
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More information