Side-Channel Cryptanalysis. Joseph Bonneau Security Group
|
|
- Kelly Foster
- 6 years ago
- Views:
Transcription
1 Side-Channel Cryptanalysis Joseph Bonneau Security Group
2 Rule 0: Attackers will always cheat xkcd #538
3 What is side channel cryptanalysis?
4 Side Channels: whatever the designers ignored Key c=me mod N Plaintext Encryption Cipher Ciphertext T0 = K0 P0
5 Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher Ciphertext
6 Side Channels: whatever the designers ignored Key Plaintext Time Power Encryption Cipher Noise Heat EM radiation Ciphertext
7 Side Channels: whatever the designers ignored Key Plaintext Time Power Encryption Cipher Noise Heat EM radiation Ciphertext
8 Definition Side-channel cryptanalysis is any attack on a cryptosystem requiring information emitted as a byproduct of the physical implementation.
9 Related attacks
10 White box cryptanalysis: nothing is hidden Key Plaintext Debugger Encryption Cipher int k[] = {0x1e,...} Static analysis Memory dumps Ciphertext
11 TEMPEST: EM signals containing full secrets Key Plaintext Encryption Cipher Ciphertext
12 Fault injection: inducing a telling error Key Plaintext Encryption Cipher Ciphertext
13 Hardware attacks: breaking the box open Key Plaintext Encryption Cipher Ciphertext
14 Covert channels: attack code running from within Key Plaintext Encryption Cipher Ciphertext
15 The grandmother of all timing attacks
16 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); }
17 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); } int strcmp(char *s1, char *s2){ while (*s1!= '\0' && *s1 == *s2) { s1++; s2++; } return ((s1 < s2)? -1 : (s1 > s2)); }
18 Insecure password checking routine int check_password(char * test, char * correct){ return (strcmp(test, correct) == 0); } int strcmp(char *s1, char *s2){ n A queries && *s1 == *s2) { while (*s1!= '\0' s1++; s2++; } return ((s1 < s2)? -1 : (s1 > s2)); }
19 MAC timing attack against Xbox 360 C:\Documents and Settings\Administrator\Desktop\360\DGTool>DGTool.exe 1 Infectus _5759#4_1888_build2.bin Pairing Data 0x6DF3B8 01 Turn on your Xbox, press any key when the RRoD starts H[0 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[0 01XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -3 : 0 NEXT H[0 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT... H[0 1AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 12 : 11 RPT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 11 : 0 HIT! H[1 1B00XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[1 1B01XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -1 : 0 NEXT... H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 14 : 8 RPT H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 9 : 0 HIT! H[2 1BFD00XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 1 : 0 NEXT H[2 1BFD01XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 4 : 0 NEXT... H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 15 : 11 RPT H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 10 : 0 HIT!... H[15 1BFDF0625C214F67CD94DCA3FC47CA55] M A D 16 : 0 HIT! Correct hash: 1BFDF0625C214F67CD94DCA3FC47CA55 Result: BOOT
20 MAC timing attack against Xbox 360 C:\Documents and Settings\Administrator\Desktop\360\DGTool>DGTool.exe 1 Infectus _5759#4_1888_build2.bin Pairing Data 0x6DF3B8 01 Turn on your Xbox, press any key when the RRoD starts H[0 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[0 01XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -3 : 0 NEXT H[0 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT... H[0 1AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 3 : 0 NEXT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 12 : 11 RPT H[0 1BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 11 : 0 HIT! H[1 1B00XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 0 : 0 NEXT H[1 1B01XXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D -1 : 0 NEXT... H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 14 : 8 RPT H[1 1BFDXXXXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 9 : 0 HIT! H[2 1BFD00XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 1 : 0 NEXT H[2 1BFD01XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 4 : 0 NEXT... H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 15 : 11 RPT H[2 1BFDF0XXXXXXXXXXXXXXXXXXXXXXXXXX] M A D 10 : 0 HIT!... H[15 1BFDF0625C214F67CD94DCA3FC47CA55] M A D 16 : 0 HIT! 2,048 queries Correct hash: 1BFDF0625C214F67CD94DCA3FC47CA55 Result: BOOT
21 Attacks against RSA
22 RSA: The original public key algorithm
23 RSA: The original public key algorithm Private Key: p, q (random primes) d e-1 (mod φ(n)) (exponent) Public Key: N = p q e Encryption: Verification: c = me (mod N) m = cd (mod N) Signing: Verification: s = md (mod N) m = se (mod N) (modulus) (exponent)
24 RSA is implemented via square-and-multiply b65553 b0x10011 b( ) b b65536 b16 b1 (mod N) (mod N) (mod N) (mod N) n digit exponentiation requires log n squares, up to log n multiplications
25 RSA is implemented via square-and-multiply def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result
26 Simple power analysis of RSA (Paul Kocher et. al 1999)
27 Simple power analysis setup Key Plaintext Encryption Cipher Ciphertext
28 What does power consumption reveal? Trace courtesy of Cryptography Research, Inc.
29 Each set exponent bit inserts a multiplication def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result
30 Multiplies can often be visually detected Trace courtesy of Cryptography Research, Inc.
31 Multiplies can often be visually detected Trace courtesy of Cryptography Research, Inc.
32 Secret exponent can be easily read out Trace courtesy of Cryptography Research, Inc.
33 Secret exponent can be easily read out 1 encryption Trace courtesy of Cryptography Research, Inc.
34 Algorithmic patch: square and always multiply def power(b, e, N): result = 1 b = mult(b, r, N) for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) else: result = mult(result, r, N) return mult(result, r_inverse, N)
35 Timing attack against RSA (Paul Kocher 1996)
36 Timing attack setup Key Plaintext Encryption Cipher Ciphertext
37 Timing leaks Hamming weight of exponent def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result
38 Timing of individual multiplies varies significantly Kocher 1996
39 Need a model relating multiplication inputs to time Example: (mod 9997) Multiply: = Reduce: = =11770 =11770 =
40 Attack exponent one bit at a time def power(b, e, N): result = 1 for i in range(len(e)- 1, -1): result = square(result, N) if bit_set(e, i): result = mult(result, b, N) return result
41 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-1: always 1
42 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-2: Is T(power(r,e,N)) M(mult(1,r,N)) + M(square(r,N)) + M(mult(r,r,N)) + M(square(r,N))? 2 3
43 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-2: Is T(power(r,e,N)) M(mult(1,r,N)) + M(square(r,N)) + M(mult(r,r,N)) + M(square(r,N))? 2 3
44 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-3: Is T(power(r,e,N)) M(mult(1,r,N)) e[n-1] + M(square(r,N)) + M(mult(r,r,N)) e[n-2] + M(square(r,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-1] e [n-1:n-2] 2 e [n-1:n-2] e [n-1:n-2] 1
45 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-3: Is T(power(r,e,N)) M(mult(1,r,N)) e[n-1] + M(square(r,N)) + M(mult(r,r,N)) e[n-2] + M(square(r,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-1] e [n-1:n-2] 2 e [n-1:n-2] e [n-1:n-2] 1
46 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-i: Is T(power(r,e,N)) M(mult(r,r,N)) + M(square(r,N))? 2 e [n-1:n-i] e [n-1:n-i] 1
47 Attack exponent one bit at a time T = observed timing of entire algorithm M = model for time of one multiplication Bit n-i: Is T(power(r,e,N)) M(mult(r,r,N)) + 2,500 encryptions M(square(r,N))? 2 e [n-1:n-i] e [n-1:n-i] 1
48 More complicated attacks work across a LAN Boneh and Brumley, 2003
49 More complicated attacks work across a LAN 1,000,000 encryptions Boneh and Brumley, 2003
50 Blinded RSA provides generic defense Private Key: p, q (random primes) d e-1 (mod φ(n)) (exponent) Public Key: N = p q e Signing: s = md (mod N) Blind Signing: r1 = r0e (mod N) (modulus) (exponent) s = r0-1 (r1 m)d (mod N)
51 Attacks against AES (Rijndael)
52 AES is cryptography's standard block cipher
53 AES is very complicated Jeff Moser
54 AES is very complicated Wikipedia
55 AES is very complicated Wikipedia
56 AES is very complicated Wikipedia
57 AES is very complicated Wikipedia
58 AES is designed for very efficient implementation t0 = t1 = t2 = t3 = Te0[(s0 Te1[(s1 Te2[(s2 Te3[(s3 rk[0]; Te0[(s1 Te1[(s2 Te2[(s3 Te3[(s0 rk[1]; Te0[(s2 Te1[(s3 Te2[(s0 Te3[(s1 rk[2]; Te0[(s3 Te1[(s0 Te2[(s1 Te3[(s2 rk[3]; >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^
59 AES utilises large pre-computed lookup tables static const u32 Te0[256] = { 0xc66363a5U, 0xf87c7c84U, 0xfff2f20dU, 0xd66b6bbdU, 0x U, 0x U, 0xe7fefe19U, 0xb5d7d762U,... 0x824141c3U, 0x299999b0U, 0x7bb0b0cbU, 0xa85454fcU, }; 0xee777799U, 0xde6f6fb1U, 0xce6767a9U, 0x4dababe6U, 0xf67b7b8dU, 0x91c5c554U, 0x562b2b7dU, 0xec76769aU, 0x5a2d2d77U, 0x1e0f0f11U, 0x6dbbbbd6U, 0x2c16163aU,
60 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup Mix Key XOR Mix Lookup Key XOR Ciphertext
61 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup Mix Key XOR Mix Lookup Key XOR Ciphertext First round: T[Pi Ki]
62 Lookups into shared cache are vulnerable Plaintext Key XOR Lookup First round: T[Pi Ki] Mix Key XOR Mix Final round: T[T [Ci Ki]] -1 Lookup Key XOR Ciphertext
63 Simple power analysis of AES (Bertoni et. Al, 2005; Bonneau 2006)
64 Cache hit/miss is very obvious in power trace Bertoni et. al, 2005
65 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 K0 P1 K1 Hit? P0 K0 P1 K1
66 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 K0 P1 K1 P0 P1 K0 K1 Hit? P0 K0 P1 K1 P0 P1 K0 K1
67 Every miss yields many constraints Plaintext Key XOR Lookup Miss? P0 P2 K0 K2 P1 P2 K1 K2
68 Table of possible key byte differences refined K0 K1 K2... K15 K0 K1 K2... K15 00 {27,e0} {35} {23,70,c 4} {65} 00 {32,45,8 9} {5f,f3} {0a,db} 00 {86} {17,64,9 c} 00 {42,d5} 00
69 Table of possible key byte differences refined K0 K1 K2... K15 K0 K1 K2... K15 00 {27,e0} {35} {23,70,c 4} {65} 10000encryptions {32,45,8 {5f,f3} 9} 00 {0a,db} {86} {17,64,9 c} 00 {42,d5} 00
70 Cache observation attack (Osvik et. al, 2006)
71 1) Attacker primes the cache with known data AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++;
72 1) Attacker primes the cache with known data AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++;
73 2) Attacker triggers AES encryption AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p());
74 3) AES loads some cache lines AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p());
75 4) Attacker can test which lines were touched AES Attacker RAM void * p = malloc(cache_size); Cache while(i < CACHE_SIZE) p[i++]++; aes_encrypt(random_p()); while(i < CACHE_SIZE) t[i++] = timed_read(p, i);
76 5) All untouched lines yield constraints Plaintext Key XOR Lookup P0 K0 {Untouched lines}
77 5) All untouched lines yield constraints Plaintext Key XOR Lookup K0 {Untouched lines P0}
78 5) All untouched lines yield constraints Plaintext Key XOR Lookup 300 encryptions K0 {Untouched lines P0}
79 Cache timing attack (Bonneau and Mironov, 2006)
80 Observation: self-collisions lower encryption time Plaintext Key XOR Lookup Pi Ki Pj Kj
81 Observation: self-collisions lower encryption time Plaintext Key XOR Lookup Pi Ki Pj Kj Pi Pj Ki Kj
82 Internal collisions cause most timing variation Timing deviation (cycles) # of cache collisions
83 Key byte differences ranked by average time K0 K0 K1 K2... K15 K1 K2... K15
84 Key byte differences ranked by average time K0 K1 K0 K1 K2... K15 0) 1) 2) 3) 255) f2 37 7a 26 a K2... K15
85 Key byte differences ranked by average time K0 K1 K2... K0 K1 K2... K15 0) 1) 2) 3) 255) f2 37 7a 26 a ) 1) 2) 3) ) 5d dc K15
86 Key byte differences ranked by average time K0 K1 K2... K0 K1 K ,000 encryptions K15 0) 1) 2) 3) 255) f2 37 7a 26 a ) 1) 2) 3) ) 5d dc K15
87 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y Ci Ki = Cj Kj Ci Cj = Ki Kj Lookup Key XOR Ciphertext
88 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y 32,000 encryptions C K =C K i i j j Ci Cj = Ki Kj Lookup Key XOR Ciphertext
89 Hardware countermeasures on the way /* AES-128 encryption sequence. The data block is in xmm15. Registers xmm0 xmm10 hold the round keys(from 0 to 10 in this order). In the end, xmm15 holds the encryption result. */ pxor xmm15, xmm0 // Input whitening aesenc xmm15, xmm1 // Round 1 aesenc xmm15, xmm2 // Round 2 aesenc xmm15, xmm3 // Round 3 aesenc xmm15, xmm4 // Round 4 aesenc xmm15, xmm5 // Round 5 aesenc xmm15, xmm6 // Round 6 aesenc xmm15, xmm7 // Round 7 aesenc xmm15, xmm8 // Round 8 aesenc xmm15, xmm9 // Round 9 aesenclast xmm15, xmm10 // Round 10 Courtesy of Intel
90 Differential power analysis (Kocher et. al, 1999)
91 Simple power analysis ineffective Trace courtesy of Cryptography Research, Inc.
92 Hardware implementations don't use cache Plaintext Key XOR Lookup Mix
93 Hardware implementations don't use cache Plaintext Key XOR Lookup Mix S[P0 K0]
94 Partition traces by some predicted intermediate bit Guessing K0 = 00, traces where high bit of S[P0 K0] is set
95 Partition traces by some predicted intermediate bit Guessing K0 = 01, traces where high bit of S[P0 K0] is set
96 Partition traces by some predicted intermediate bit Guessing K0 = 02, traces where high bit of S[P0 K0] is set
97 Partition traces by some predicted intermediate bit 10,000 encryptions Guessing K0 = 02, traces where high bit of S[P0 K0] is set
98 Perfect countermeasures are very difficult
99 Even further down the rabbit hole...
100 CPU Noise ƒ PC (Recording Station) ADC (Sound Card) Bandpass Filter Amplifiers Collects sounds which emanates from CPU Capacitor emits sound from its foils due to fast pulse charging n discharging Adi Purwono, 2008
101 Photon emissions Sergei Skorobogatov, 2009
102 Lessons
103 Don't design or implement your own crypto Jeff Moser
104 Do break whatever you can Algorithms: Elliptic curve DSS/DH Pairing-based algorithms AES-GCM authentication SHA-3 candidates Side-channels: Motherboard sensors CPU debug registers Killer target: Cross-VM key compromise
105 Thank you
106 Complication: cache lines
107 Complication: cache lines table lookup
108 Complication: cache lines table lookup cache
109 Complication: Table families t0 = t1 = t2 = t3 = Te0[(s0 Te1[(s1 Te2[(s2 Te3[(s3 rk[0]; Te0[(s1 Te1[(s2 Te2[(s3 Te3[(s0 rk[1]; Te0[(s2 Te1[(s3 Te2[(s0 Te3[(s1 rk[2]; Te0[(s3 Te1[(s0 Te2[(s1 Te3[(s2 rk[3]; >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^ >> 24) ] >> 16) & 0xff] >> 8) & 0xff] ) & 0xff] ^ ^ ^ ^
110 Final round is much better to attack Lookup Key XOR Ciphertext
111 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] Lookup Key XOR Ciphertext
112 Final round is much better to attack Ci Ki =S[X] Cj Kj =S[Y] X=Y Ci Ki = Cj Kj Ci Cj = Ki Kj Lookup Key XOR Ciphertext
FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data
: Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data Jin Hyung Park and Dong Hoon Lee Center for Information Security Technologies, Korea University Introduction 1 IV(Counter)
More informationSide-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck What is RSA? As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography.
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationFault-Based Attack of RSA Authentication
Fault-Based Attack of RSA Authentication, Valeria Bertacco and Todd Austin 1 Cryptography: Applications 2 Value of Cryptography $2.1 billions 1,300 employees $1.5 billions 4,000 employees $8.7 billions
More informationSecurity against Timing Analysis Attack
International Journal of Electrical and Computer Engineering (IJECE) Vol. 5, No. 4, August 2015, pp. 759~764 ISSN: 2088-8708 759 Security against Timing Analysis Attack Deevi Radha Rani 1, S. Venkateswarlu
More informationHOST Differential Power Attacks ECE 525
Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately, cryptographic
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Attacking Cryptographic Schemes Cryptanalysis Find mathematical weaknesses in constructions
More informationMicro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
More informationImplementing AES : performance and security challenges
Implementing AES 2000-2010: performance and security challenges Emilia Käsper Katholieke Universiteit Leuven SPEED-CC Berlin, October 2009 Emilia Käsper Implementing AES 2000-2010 1/ 31 1 The AES Performance
More informationHOW CRYPTOSYSTEMS ARE REALLY BROKEN. Adi Shamir Computer Science The Weizmann Institute Israel
HOW CRYPTOSYSTEMS ARE REALLY BROKEN Adi Shamir Computer Science The Weizmann Institute Israel What is a cryptosystem? Sending a plaintext securely from Alice to Bob: K K plaintext good morning Encryption
More informationCryptographic Systems
CPSC 426/526 Cryptographic Systems Ennan Zhai Computer Science Department Yale University Recall: Lec-10 In lec-10, we learned: - Consistency models - Two-phase commit - Consensus - Paxos Lecture Roadmap
More informationWhite-Box Cryptography State of the Art. Paul Gorissen
White-Box Cryptography State of the Art Paul Gorissen paul.gorissen@philips.com Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationWhoamI. Attacking WBC Implementations No con Name 2017
Attacking WBC Implementations No con Name 2017 1 WHO I AM EDUCATION: Computer Science MSc in IT security COMPANY & ROLES: HCE Security Evaluator R&D Engineer WBC project Responsible of Android security
More informationBlind Differential Cryptanalysis for Enhanced Power Attacks
Blind Differential Cryptanalysis for Enhanced Power Attacks Bart Preneel COSIC K.U.Leuven - Belgium bart.preneel(at)esat.kuleuven.be Joint work with Helena Handschuh Concept Differential cryptanalysis
More informationPASSWORDS & ENCRYPTION
PASSWORDS & ENCRYPTION Villanova University Department of Computing Sciences D. Justin Price Fall 2014 CRYPTOGRAPHY Hiding the meaning of a message from unintended recipients. Open source algorithms are
More informationIntroduction to Software Countermeasures For Embedded Cryptography
Introduction to Software Countermeasures For Embedded Cryptography David Vigilant UMPC Master, 1 st December, 2017 Outline 1 Context and Motivations 2 Basic Rules and Countermeasures Examples Regarding
More informationINTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)
INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 ISSN 0976 6464(Print)
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms
More informationApplying TVLA to Public Key Cryptographic Algorithms. Michael Tunstall Gilbert Goodwill
Applying TVLA to Public Key Cryptographic Algorithms Michael Tunstall Gilbert Goodwill Introduction Test Vector Leakage Assessment (TVLA) was proposed in 2012 Efficient in evaluating the presence of leakage
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationSome Stuff About Crypto
Some Stuff About Crypto Adrian Frith Laboratory of Foundational Aspects of Computer Science Department of Mathematics and Applied Mathematics University of Cape Town This work is licensed under a Creative
More informationPower Analysis Attacks
Power Analysis Attacks Elisabeth Oswald Computer Science Department Crypto Group eoswald@cs.bris.ac.uk Elisabeth.Oswald@iaik.tugraz.at Outline Working principle of power analysis attacks DPA Attacks on
More informationThe Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab
The Davies-Murphy Power Attack Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab Introduction Two approaches for attacking crypto devices traditional cryptanalysis Side Channel Attacks
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationIntroduction to Cryptography. Vasil Slavov William Jewell College
Introduction to Cryptography Vasil Slavov William Jewell College Crypto definitions Cryptography studies how to keep messages secure Cryptanalysis studies how to break ciphertext Cryptology branch of mathematics,
More informationOther Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)
Cryptanalysis of Die-Hellman, RSA, DSS, and Other Systems Using Timing Attacks Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995) Since many existing security systems can be broken with timing attacks,
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationOnce upon a time... A first-order chosen-plaintext DPA attack on the third round of DES
A first-order chosen-plaintext DPA attack on the third round of DES Oscar Reparaz, Benedikt Gierlichs KU Leuven, imec - COSIC CARDIS 2017 Once upon a time... 14 November 2017 Benedikt Gierlichs - DPA on
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationPublic Key Cryptography and RSA
Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange
More informationTrace-Driven Cache Attacks on AES
Trace-Driven Cache Attacks on AES Onur Acıiçmez 1 and Çetin Kaya Koç 1,2 1 Oregon State University, School of EECS Corvallis, OR 97331, USA 2 Information Security Research Center, Istanbul Commerce University
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationPROTECTING CONVERSATIONS
PROTECTING CONVERSATIONS Basics of Encrypted Network Communications Naïve Conversations Captured messages could be read by anyone Cannot be sure who sent the message you are reading Basic Definitions Authentication
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationPower Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18
Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn 4/12/18 Contents Side-Channel Attack Power Analysis Simple Power Analysis (SPA) Differential Power Analysis (DPA)
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More information1.264 Lecture 28. Cryptography: Asymmetric keys
1.264 Lecture 28 Cryptography: Asymmetric keys Next class: Anderson chapters 20. Exercise due before class (Reading doesn t cover same topics as lecture) 1 Asymmetric or public key encryption Receiver
More informationSynthesis of Fault-Attack Countermeasures for Cryptographic Circuits
Synthesis of Fault-Attack Countermeasures for Cryptographic Circuits Hassan Eldib, Meng Wu, and Chao Wang CAV, July 23, 2016 Cryptographic Algorithm: an example Plaintext Chip Ciphertext 0110 1001 1011
More informationSIMON and SPECK. Ciphers for Constrained Platforms. Louis Wingers National Security Agency Trusted Systems Research Group
SIMON and SPECK Ciphers for Constrained Platforms Louis Wingers National Security Agency Trusted Systems Research Group RAIN RFID Alliance Meeting June 24-25, 2015 Ciphers and Technology Encryption algorithms
More informationCountermeasures against Bernstein s Remote Cache Timing Attack
Countermeasures against Bernstein s Remote Cache Timing Attack Janaka Alawatugoda, Darshana Jayasinghe, and Roshan Ragel, Member, IEEE Abstract- Cache timing attack is a type of side channel attack where
More informationParallelizing Cryptography. Gordon Werner Samantha Kenyon
Parallelizing Cryptography Gordon Werner Samantha Kenyon Outline Security requirements Cryptographic Primitives Block Cipher Parallelization of current Standards AES RSA Elliptic Curve Cryptographic Attacks
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More information: Practical Cryptographic Systems March 25, Midterm
650.445: Practical Cryptographic Systems March 25, 2010 Instructor: Matthew Green Midterm Name: As with any exam, please do not collaborate or otherwise share information with any other person. You are
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Goals of authenticated encryption Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven More details, credits: competitions.cr.yp.to /features.html Encryption sender
More informationSecure Design Methodology and The Tree of Trust
Secure Design Methodology and The Tree of Trust Secure Embedded Systems Group ECE Department Virginia Tech The new Cool: Reverse Engineering... Microsoft Zune (http://bunniestudios.com) Under the Hood
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationElliptic Curve Public Key Cryptography
Why? Elliptic Curve Public Key Cryptography ECC offers greater security for a given key size. Why? Elliptic Curve Public Key Cryptography ECC offers greater security for a given key size. The smaller key
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationTuesday, January 17, 17. Crypto - mini lecture 1
Crypto - mini lecture 1 Cryptography Symmetric key cryptography (secret key crypto): sender and receiver keys identical Asymmetric key cryptography (public key crypto): encryption key public, decryption
More informationHigh-Performance Cryptography in Software
High-Performance Cryptography in Software Peter Schwabe Research Center for Information Technology Innovation Academia Sinica September 3, 2012 ECRYPT Summer School: Challenges in Security Engineering
More informationCS Paul Krzyzanowski
Question 1 Explain why hypervisor rootkits are more difficult to detect than user-mode or kernel-mode rootkits. Computer Security 2018 Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2018 The
More informationComputer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 2018 Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2018 April 16, 2018 CS 419 2018 Paul Krzyzanowski 1 Question 1 Explain why hypervisor rootkits are more difficult to detect
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationSecurity. Communication security. System Security
Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security
More informationIntroduction to Side-Channel Analysis: Basic Concepts and Techniques
Introduction to Side-Channel Analysis: Basic Concepts and Techniques Hardware security, Spring 2018 Lejla Batina March 8, 2018 Institute for Computing and Information Sciences Radboud University 1 Outline
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationCS Side-Channel Attacks. Vitaly Shmatikov
CS 6431 Side-Channel Attacks Vitaly Shmatikov Acoustic Information in Typing Different keystrokes make different sounds Different locations on the supporting plate Each key is slightly different Frequency
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationWorkshop Challenges Startup code in PyCharm Projects
INTRODUCTION TO CRYPTOGRAPHIC ATTACKS EXERCISE LOGISTICS Workshop Challenges Startup code in PyCharm Projects BLOCK CIPHERS Fixed sized input Random looking output for each message and key Block Cipher
More informationPower Analysis Attacks of Modular Exponentiation in Smartcards
Power Analysis Attacks of Modular Exponentiation in Smartcards Thomas S. Messerges 1, Ezzy A. Dabbish 1, Robert H. Sloan 2,3 1 Motorola Labs, Motorola 1301 E. Algonquin Road, Room 2712, Schaumburg, IL
More informationCan randomized mapping secure instruction caches from side-channel attacks?
Can randomized mapping secure instruction caches from side-channel attacks? Fangfei Liu, Hao Wu and Ruby B. Lee Princeton University June 14, 2015 Outline Motivation and Background Data cache attacks and
More informationECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.
Building Secure Hardware ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria Stefan Mangard Infineon Technologies, Munich, Germany Stefan.Mangard@infineon.com Outline Assets and Requirements
More informationPublic Key Cryptography
graphy CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L07, Steve/Courses/2011/S2/CSS322/Lectures/rsa.tex,
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationA New Attack with Side Channel Leakage during Exponent Recoding Computations
A New Attack with Side Channel Leakage during Exponent Recoding Computations Yasuyuki Sakai 1 and Kouichi Sakurai 2 1 Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan ysakai@iss.isl.melco.co.jp
More informationEEC-484/584 Computer Networks
EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationCryptography Research, Inc. http:
Di erential Power Analysis Paul Kocher, Joshua Ja e, and Benjamin Jun Cryptography Research, Inc. 870 Market Street, Suite 1088 San Francisco, CA 94102, USA. http: www.cryptography.com E-mail: fpaul,josh,beng@cryptography.com.
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationKey Separation in Twofish
Twofish Technical Report #7 Key Separation in Twofish John Kelsey April 7, 2000 Abstract In [Mur00], Murphy raises questions about key separation in Twofish. We discuss this property of the Twofish key
More informationHow many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?
Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationPublic Key Encryption
Public Key Encryption A case study THE RSA CRYPTOSYSTEM Public 31/05/14 Key Encryption 2 Rivest Shamir Adleman (1978) Key generation 1. Generate two large, distinct primes p, q (100 200 decimal digits)
More informationRSA (algorithm) History
RSA (algorithm) RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard
More informationCrypto tidbits: misuse, side channels. Slides from Dave Levin 414-spring2016
Crypto tidbits: misuse, side channels Slides from Dave Levin 414-spring2016 A paper from 2013 that looked at how Android apps use crypto, as a function of 6 rules that reflect the bare minimum a secure
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationCache Timing Attacks in Cryptography
Cache Timing Attacks in Cryptography Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk DTU, Oct. 10, 2007 Erik Zenner (DTU-MAT) Cache Timing Attacks in Cryptography
More information