COMP043 Cryptography. Cryptographic Attacks

Ciphertext Attacks
Types of attacks on a cipher, mostly designed to discover the key:
- ciphertext-only: the cryptanalyst has only the ciphertext
- known-plaintext: the cryptanalyst knows both the ciphertext and its plaintext
- chosen-plaintext: the cryptanalyst selects the plaintext used to create the ciphertext

Ciphertext Attacks (cont.)
- adaptive chosen-plaintext: each plaintext is selected based on previous plaintext-ciphertext pairs (as opposed to batch CPA)
- chosen-ciphertext: the cryptanalyst selects the ciphertext and obtains the corresponding plaintext
- adaptive chosen-ciphertext: like adaptive chosen-plaintext, but each ciphertext is chosen based on earlier results

Infrastructure and Other Attacks
- Brick attacks: physical coercion to obtain the key
- Infrastructure attacks: attack the PKI, steal private keys
- Software bugs and poor design: exploit implementation errors
- Side channel attacks
- MITM attacks

Ciphertext Only
- More common in classical cryptography
- Manual ciphers were subject to frequency analysis
- Modern ciphers are mostly immune to ciphertext-only attacks

Ciphertext Only
- Considered successful if any information about the plaintext is determined
- E.g. detecting null messages inserted in a stream to defeat traffic flow analysis
- Microsoft PPTP VPN was vulnerable due to reuse of the RC4 key (actually a related-key attack)

Related-Key Attack
- Several different keys whose values are initially unknown, but with some mathematical relationship between them
- WEP encryption uses the RC4 stream cipher
- The RC4 key for each packet is an IV concatenated with the WEP key
- IVs repeat (only 24 bits), hence keys repeat

WEP Attack
- A 24-bit IV allows around 16 million values
- Due to the birthday paradox it is likely there is a duplicate key in any set of 4000 packets
- This makes attacks possible
- Some weak RC4 keys allowed recovery of the WEP key

Birthday Paradox
- Two people have a 1/365 chance of sharing a birthday
- With three people, ~3/365
- With four, ~6/365
- In a group of 23 people the chance is > 50%
- With 57, > 99%

Birthday Paradox
- Not really a paradox, just surprising
- Lots of crypto attacks are based on the birthday paradox, often called birthday attacks
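The figures on the two Birthday Paradox slides and the 4000-packet WEP claim, checked with the exact calculation. This is an added example, not part of the course slides; the function names are chosen here, and the same formula is also applied to the 16-bit DNS transaction ID space mentioned on the next slide.

```go
package main

import "fmt"

// CollisionProbability is the exact chance that at least two of n values drawn
// uniformly from d possibilities coincide: 1 - prod_{i=0}^{n-1} (d-i)/d.
func CollisionProbability(n int, d float64) float64 {
	noCollision := 1.0
	for i := 0; i < n; i++ {
		noCollision *= (d - float64(i)) / d
	}
	return 1 - noCollision
}

// PairApproximation is the slides' rule of thumb: each of the n(n-1)/2 pairs has
// a 1/d chance of matching, giving 1/365, 3/365 and 6/365 for 2, 3 and 4 people.
func PairApproximation(n int, d float64) float64 {
	return float64(n*(n-1)/2) / d
}

// SampleSizeFor returns the smallest n whose collision probability exceeds target.
func SampleSizeFor(target, d float64) int {
	noCollision := 1.0
	for n := 0; ; n++ {
		if 1-noCollision > target {
			return n
		}
		noCollision *= (d - float64(n)) / d
	}
}

func main() {
	const wepIVs = float64(1 << 24) // 24-bit IV space from the WEP slide
	const dnsIDs = float64(1 << 16) // 16-bit transaction ID space from the DNS slide
	fmt.Printf("23 people: %.1f%%, 57 people: %.1f%%\n",
		100*CollisionProbability(23, 365), 100*CollisionProbability(57, 365))
	fmt.Printf("4000 WEP packets: %.1f%% chance of a repeated IV\n", 100*CollisionProbability(4000, wepIVs))
	fmt.Printf("packets for a >50%% chance: %d; DNS IDs for a >50%% chance: %d\n",
		SampleSizeFor(0.5, wepIVs), SampleSizeFor(0.5, dnsIDs))
}
```

Computed exactly, 4000 packets give a repeated IV about 38% of the time; the 50% mark is passed at roughly 4820 packets.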

DNS Birthday Cache Poisoning Attack
- Spoofed replies are sent to a DNS request that a caching server made to an authoritative server in response to a query you sent to the caching server
- A reply must have the same port number and transaction ID as the request
- The ID is only 16 bits
- Send lots of queries to the cache and lots of replies
- There is a good chance one of the replies will match a request generated by one of the queries

Known Plaintext Attack
- Common in classical cryptography: German weather reports in the Second World War
- Can be used to crack encrypted zip archives if you have the plaintext of one file
- Note: CBC mode will defeat this attack

CBC Mode (diagram)

Known Plaintext Attack on GSM
- GSM phones encrypt and sign using a symmetric key (shared secret) stored on the SIM card, with a copy retained by the network
- Some still use 56-bit DES keys
- A malformed Class 2 SMS message (sent to the SIM) will be rejected by the SIM card with a predictable signed message
- The attacker pre-calculates the encrypted message hash for all possible keys (rainbow table)
- Looks up the message signature to reveal the key

Chosen Plaintext Attack
- The attacker can choose arbitrary plaintext and get the ciphertext
- The goal is to determine the key
- Public key systems have to resist this form of attack

Chosen Plaintext Attack
- A version of the dictionary attack can be used by pre-encrypting likely messages, then using the ciphertext as the lookup key
- Need some randomiser in the key to resist: a salt
- Note that our public key applications seldom encrypt real data

Adaptive Chosen Plaintext Attack
- As opposed to batch
- The attacker chooses plaintext based on the progress of the attack
- Differential cryptanalysis is a form of ACPA

Differential Cryptanalysis
- Discovered by Adi Shamir (the S in RSA) in the late '80s
- Each plaintext has a carefully crafted difference from another plaintext
- Designed to reveal statistical failings in the algorithm
- DES was found to be remarkably and specifically resistant
- Later revealed that IBM (and the NSA) had known about the attack since 1974

Chosen Ciphertext Attack
- El Gamal can be trivially defeated by CCA
- RSA is vulnerable: E(P1) x E(P2) = E(P1 x P2)
- Using some complex math, an attacker who obtains the decryption of a carefully constructed related ciphertext can recover the target plaintext
- Usually some complex padding is inserted to make this fail
- Early SSL systems did this wrong
- PKCS#1 has a padding scheme that avoided this problem
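The multiplicative property E(P1) x E(P2) = E(P1 x P2) worked through with Go's standard library, beside the padded form in which the same product is rejected. This is an added example, not from the slides; DemoKey, TextbookProduct and OAEPProductRejected are names chosen here, and the key is a throwaway 2048-bit key generated at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// DemoKey generates a throwaway 2048-bit key for the demonstration.
func DemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// rawEncrypt and rawDecrypt are textbook RSA with no padding: c = m^e mod n, m = c^d mod n.
func rawEncrypt(pub *rsa.PublicKey, m *big.Int) *big.Int {
	return new(big.Int).Exp(m, big.NewInt(int64(pub.E)), pub.N)
}

func rawDecrypt(priv *rsa.PrivateKey, c *big.Int) *big.Int {
	return new(big.Int).Exp(c, priv.D, priv.N)
}

// TextbookProduct multiplies the raw ciphertexts of p1 and p2 modulo n and
// decrypts the result; with no padding it comes back as p1 * p2, so the
// decryption of a crafted ciphertext leaks information about another one.
func TextbookProduct(priv *rsa.PrivateKey, p1, p2 *big.Int) *big.Int {
	c1 := rawEncrypt(&priv.PublicKey, p1)
	c2 := rawEncrypt(&priv.PublicKey, p2)
	product := new(big.Int).Mod(new(big.Int).Mul(c1, c2), priv.N)
	return rawDecrypt(priv, product)
}

// OAEPProductRejected repeats the experiment with OAEP padding (PKCS#1 v2):
// the product of two valid ciphertexts does not decrypt to a validly padded
// message, so DecryptOAEP returns an error rather than a plaintext.
func OAEPProductRejected(priv *rsa.PrivateKey) bool {
	pub := &priv.PublicKey
	c1, err1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte("constructed message one"), nil)
	c2, err2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte("constructed message two"), nil)
	if err1 != nil || err2 != nil {
		panic("OAEP encryption failed")
	}
	product := new(big.Int).Mul(new(big.Int).SetBytes(c1), new(big.Int).SetBytes(c2))
	product.Mod(product, priv.N)
	forged := product.FillBytes(make([]byte, priv.Size())) // back to a k-byte ciphertext
	_, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, forged, nil)
	return err != nil
}

func main() {
	key := DemoKey()
	fmt.Println("textbook RSA: D(E(6) * E(7)) =", TextbookProduct(key, big.NewInt(6), big.NewInt(7)))
	fmt.Println("OAEP rejects the product:", OAEPProductRejected(key))
}
```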

Adaptive Chosen Ciphertext Attack
- PKCS#1 proved susceptible to an adaptive chosen ciphertext attack in 1998, which resulted in the exposure of session keys
- A new scheme, Optimal Asymmetric Encryption Padding (OAEP), was developed to thwart this attack
- As were new versions of PKCS#1 from RSA Labs

Lunchtime Attacks
- Attack types are interesting as theoretical measures of a cryptosystem's strength
- All systems must resist ciphertext-only
- Should resist known plaintext
- Resistance to chosen plaintext implies resistance to known plaintext
- Chosen ciphertext is a pretty strong condition

Lunchtime Attacks
- Lunchtime attacks suppose a limited number of chosen ciphertexts
- As if the attacker had access to the cryptosystem while the user was at lunch

Infrastructure Attacks
- The NSA is believed to have stolen private keys from CAs and other large X.509 users to compromise SSL/TLS and IPsec
- Luxury car key codes were compromised by reverse engineering the Windows software used to program dongles that use a secret crypto algorithm

Software Bugs: Heartbleed
- Stupid idea in the first place: why have a heartbeat?
- Stupid design: why allow variable-length messages?
- Flawed implementation: no bounds checking
- Poor oversight

Poor Design: Android Apps
- Signature and software are stored in a Java Beans file, which is a form of zip archive
- Zip archives can be updated with new versions of the files contained in them
- Unzip extracts the latest version of each file
- But the signature checker compares the signature to the oldest version
- A malicious replacement version appears to have the correct signature

Poor Design: SSH Brute Force
- The ssh command allows config file options on the command line, for flexibility (rigidity is more secure)
- The KbdInteractiveDevices option can specify a list of authentication methods, but you can specify the same option many times (bounds checking!)
- Specifying pam many times defeats the limit on failed logins, allowing password brute force attempts
- ssh -okbdinteractivedevices=`perl -e 'print "pam," x 10000'`

Side Channel Attacks
- Insecure channel: plaintext (the internet)
- Secure channel: ciphertext (VPN, SSL)
- Side channel: any other source of information

Types of Side Channel Attacks
- Timing attack
- Power monitoring attack
- TEMPEST (actually a defence)
- Differential fault analysis
- Message size attacks

Timing Attack
- Some key values and plaintext values will take longer to compute
- With lots of chosen plaintext, attackers can use timing attacks to determine key values one bit at a time
- Diffie-Hellman and RSA are vulnerable due to the complex math involved

Power Monitoring Attack
- Like a timing attack, but this time watch power consumption
- Smart cards are vulnerable because power can be carefully monitored
- Sometimes DES internals are vulnerable
- Differential PMA collects many power consumption records and compares them statistically
- DPMA is harder to defend against

Laptop Power Monitoring Attack
- Researchers monitoring fluctuations in the ground potential of laptops determined what instructions were executed
- Wire to the chassis, monitor the ground cable in a USB or CAT5 cable, or touch the chassis
- Can determine 4096-bit RSA keys while encrypting or signing
- Have achieved the same result listening to generated noise

TPM Attacks
- Power monitoring attacks have been used to retrieve keys from TPM modules
- Rumours are that the CIA has developed an attack of this sort that defeats BitLocker

TEMPEST
- TEMPEST is a military standard for shielding against compromising emanations (CE)
- Variations include electrical, mechanical and acoustical

Compromising Emanations
- Electrical: printers, monitors, keyboards; in 1985 CE from monitors were intercepted from hundreds of meters away using a TV and $15 of equipment; LEDs on routers
- Mechanical: lasers on window panes
- Acoustical: in the Cold War, the Soviets would bug IBM Selectric typewriters

Message Size
- Reveals information in TLS-encrypted web services
- Web 2.0 basically uses AJAX code rather than static HTML pages: many small encrypted interactions with the server
- But the address of the page is known, and with message size information an attacker can determine what menu and other choices were made

Message Size Example
- Google search query completion
- With the first letter typed, the server returns a completion list
- The size of the list determines the letter typed
- Subsequent letters evoke new completion lists

Fault Analysis
- Analyse the behaviour of a cryptosystem under duress: power glitches, high temperature etc.
- Certain areas of the computation are more likely to fail
- For DES, around 200 single flipped bits will reveal the secret key

MITM
- The attacker (Eve) intercepts communications between two endpoints (Bob and Alice) to monitor or modify communications
- Effective against Diffie-Hellman if the endpoints aren't authenticated
- An interesting MITM attack has been devised to defeat PIN-and-chip credit cards

Why Does Eve Want to Intercept Bob and Alice's Messages?

MITM vs PIN and Chip
- The smartcard communicates with the terminal
- The attack sits between the card and the terminal
- The terminal communicates with the bank
- Three steps: card authentication, cardholder authentication, transaction authentication

Chip and PIN MITM (diagram: Bank, Terminal, MITM, Card)

Cardholder Authentication
- The card asks the terminal if it supports PIN (some don't)
- The MITM modifies the terminal's reply to tell the card that the terminal doesn't want a PIN
- But tells the terminal to get the PIN, then drops it
- The card is now happy that a signature will be captured
- But the terminal thinks the cardholder was authenticated by PIN

Transaction Authentication
- Now the terminal thinks a PIN-authenticated transaction is taking place
- It gets the card to supply cryptographic authentication for the transaction using the keys on the card
- The bank thinks a PIN-authenticated transaction took place
- But the cardholder was not authenticated at all

FDE Attacks: The Elephant in the Room

FDE Attacks: Cold Boot
- The computer is powered on with the decryption keys in memory, but locked
- Reboot quickly to an OS on a portable device: the decryption keys are still readable in memory
- Or use a USB device that can read memory with malicious drivers

FDE Attacks: Evil Maid
- The maid can compromise the computer, then return to collect data
- Installs a malicious bootloader that will collect and store the password at boot time
- The maid returns the next day to collect the password
- TPM can try to defend but...

FDE Attacks: Stoned Boot
- Malware is incorporated into the boot software (MBR)
- Gets loaded before anti-malware
- Gets loaded before software signature checking
- TPM can protect against this, but...

TPM Protection: PCR Extend
- The TPM has several Platform Configuration Registers (PCRs)
- Set to zero on power-up
- The extend function is the only way to modify them
- The function passes a value to the TPM and identifies a PCR
- The TPM hashes the value with the current PCR value to create the new PCR value
- The only way to replicate a PCR value is to execute the same sequence of extend functions

TPM Protection: Seal Function
- The seal function of the TPM can encrypt a value, such as a decryption key, in relation to some PCR values
- The ciphertext can be decrypted by the TPM, but only if the PCRs have the same value as when the key was sealed

TPM Protection: Boot Attacks
- TPM protection against boot attacks uses the PCRs and the seal function
- Boot code, and maybe the unencrypted boot partition, is used during boot to extend the PCRs
- The seal function encrypts the decryption key with reference to these PCRs
- Any corruption in the boot sequence will prevent decryption
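A model of the PCR extend and seal functions from the three TPM Protection slides, showing that a changed or reordered boot stage leaves the PCR at a different value and the sealed key unreleased. This is an added example, not from the slides or any TPM specification; PCR, MeasureBoot, Seal and Unseal are names chosen here, the boot stages and volume key are constructed, and the seal models only the release policy (a real TPM also encrypts the sealed value).

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// PCR models one Platform Configuration Register: all zero at power-up, and the
// only way to change it is Extend, which folds a new measurement into the old value.
type PCR [sha256.Size]byte

// Extend returns H(old PCR || measurement); the old value can be neither recovered nor set directly.
func (p PCR) Extend(measurement []byte) PCR {
	h := sha256.New()
	h.Write(p[:])
	h.Write(measurement)
	var next PCR
	copy(next[:], h.Sum(nil))
	return next
}

// MeasureBoot replays a boot from a zeroed PCR: each stage is hashed and
// extended before it runs, so the result depends on every stage and their order.
func MeasureBoot(stages [][]byte) PCR {
	var pcr PCR
	for _, code := range stages {
		digest := sha256.Sum256(code)
		pcr = pcr.Extend(digest[:])
	}
	return pcr
}

// Sealed models a key sealed to a PCR value; only the release policy is modelled.
type Sealed struct{ policy PCR; key []byte }

func Seal(key []byte, policy PCR) Sealed { return Sealed{policy: policy, key: key} }

// Unseal releases the key only when the current PCR equals the value recorded at seal time.
func (s Sealed) Unseal(current PCR) ([]byte, bool) {
	if current != s.policy {
		return nil, false
	}
	return s.key, true
}

// Constructed boot stages and volume key for the demonstration.
var (
	trustedBoot = [][]byte{[]byte("firmware v1 (constructed)"), []byte("bootloader v1 (constructed)"), []byte("kernel v1 (constructed)")}
	volumeKey   = []byte("constructed-volume-key-32-bytes!")
)

func main() {
	sealed := Seal(volumeKey, MeasureBoot(trustedBoot))
	_, ok := sealed.Unseal(MeasureBoot(trustedBoot))
	fmt.Printf("trusted boot releases key: %v (PCR %x...)\n", ok, sealed.policy[:4])
	_, ok = sealed.Unseal(MeasureBoot([][]byte{trustedBoot[0], []byte("bootloader v1 (modified)"), trustedBoot[2]}))
	fmt.Println("modified bootloader releases key:", ok)
}
```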

TPM Protection: Evil Maid Attack
- Even with all this, an evil maid can install a corrupted bootloader that:
  - captures and stores credentials
  - restores the original uncompromised boot path
  - reboots

FDE Ciphertext Attacks
- FDE does not employ MACs to authenticate the ciphertext: there is no place to store them, or IVs
- So encrypted sectors can be modified without detection
- The effect of a ciphertext bit flip on the decrypted plaintext is to randomise one block but flip just one bit in another
- The attacker knows lots of plaintext and can maybe corrupt it with appropriate ciphertext changes

CBC Mode (diagram)

Decrypting CBC Mode with Corrupted Ciphertext (diagram)
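The corrupted-ciphertext effect from the FDE Ciphertext Attacks slide, reproduced with AES-CBC from Go's standard library: one flipped ciphertext bit randomises one decrypted block and flips exactly that bit in the next, and with no MAC nothing notices. This is an added example, not from the slides; the key, IV and sector contents are constructed, and FlipCiphertextBit and TamperResult are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed key, IV and a 64-byte "sector" of four AES blocks (real FDE derives the IV from the sector number).
var (
	demoKey   = []byte("0123456789abcdef")
	demoIV    = []byte("fedcba9876543210")
	demoPlain = []byte("SECTOR-00-AAAAAASECTOR-01-BBBBBBSECTOR-02-CCCCCCSECTOR-03-DDDDDD")
)

func cbc(encrypt bool, in []byte) []byte {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, demoIV).CryptBlocks(out, in)
	}
	return out
}

type TamperResult struct{ Garbled, BitFlipped, Untouched []int }

// FlipCiphertextBit flips one bit of ciphertext block blk, decrypts with no MAC check and classifies each plaintext block.
func FlipCiphertextBit(blk, byteIdx int, bit uint) TamperResult {
	ct := cbc(true, demoPlain)
	ct[blk*aes.BlockSize+byteIdx] ^= 1 << bit
	pt := cbc(false, ct)
	var r TamperResult
	for i := 0; i < len(pt)/aes.BlockSize; i++ {
		changed, exactBit := 0, true
		for j := 0; j < aes.BlockSize; j++ {
			d := pt[i*aes.BlockSize+j] ^ demoPlain[i*aes.BlockSize+j]
			changed += bits.OnesCount8(d)
			exactBit = exactBit && ((j == byteIdx && d == 1<<bit) || (j != byteIdx && d == 0))
		}
		switch {
		case changed == 0:
			r.Untouched = append(r.Untouched, i)
		case exactBit:
			r.BitFlipped = append(r.BitFlipped, i)
		default:
			r.Garbled = append(r.Garbled, i)
		}
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", FlipCiphertextBit(1, 0, 0))
}
```

Flipping a bit in the last block garbles only that block, since no block follows it to receive the flipped bit.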

Another Thing: CBC = ECB?
- Because of the lack of a MAC and no stored IV, CBC mode for FDE is like a symmetric cipher in ECB mode with block size = sector size
- So we could evaluate the cryptosystem in that light
- Considerations like diffusion could be applied to the system as a whole

Diffusion
- Good ciphers have good diffusion, meaning that a one-bit change in the plaintext changes every bit of the ciphertext with 50% probability
- The same applies to decryption
- This diffusion applies only to the small blocks encrypted by the basic AES or other symmetric key cipher
- But in FDE we might like to see diffusion apply to an entire sector, not just a block
- It is then harder to make small changes to the plaintext through small changes to the ciphertext

Elephant Diffuser
- The BitLocker developers wanted diffusion to apply to entire sectors
- Looked at some encryption algorithms that did this using block size = sector size
- Bear and Lion: too slow
- Beast: too slow and poor diffusion
- So they added a diffuser called the Elephant diffuser

End of the Elephant
- Despite lots of high praise, the Elephant was dropped with Windows 8
- Replaced with AES in XTS mode
- Full sector diffusion really not needed: just need to avoid the one-bit flip
- The diffuser was overkill
- Did it weaken the system? The developers said it couldn't be weaker than AES + CBC on its own, but...
- Not standards compliant (FIPS)

XTS Decryption with Corrupted Ciphertext (diagram)

Today's Lab
- Encrypting a container with BitLocker
- Next week is the lab test
- The following week is the written test