Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Similar documents
Lecture 1 Applied Cryptography (Part 1)

CSE 127: Computer Security Cryptography. Kirill Levchenko

Permutation-based Authenticated Encryption

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Permutation-based symmetric cryptography

COMP4109 : Applied Cryptography

Computer Security CS 526

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Cryptography [Symmetric Encryption]

CIS 4360 Secure Computer Systems Symmetric Cryptography

Symmetric Crypto MAC. Pierre-Alain Fouque

Message authentication codes

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

symmetric cryptography s642 computer security adam everspaugh

Unit 8 Review. Secure your network! CS144, Stanford University

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Introduction to Cryptography. Lecture 6

Summary on Crypto Primitives and Protocols

Cryptography: Symmetric Encryption [continued]

Lecture 4: Authentication and Hashing

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Symmetric Cryptography

Some Aspects of Block Ciphers

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

symmetric cryptography s642 computer security adam everspaugh

Processing with Block Ciphers

Chapter 3 Block Ciphers and the Data Encryption Standard

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

7. Symmetric encryption. symmetric cryptography 1

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Goals of Modern Cryptography

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

BCA III Network security and Cryptography Examination-2016 Model Paper 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptographic Hash Functions

CPSC 467b: Cryptography and Computer Security

IKEv2-SCSI (06-449) Update

Solutions to exam in Cryptography December 17, 2013

Feedback Week 4 - Problem Set

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Modes of Operation. Raj Jain. Washington University in St. Louis

CSCE 715: Network Systems Security

Cryptography. Andreas Hülsing. 6 September 2016

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

CSC574: Computer & Network Security

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptography 2017 Lecture 3

CSC 474/574 Information Systems Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

NIST Cryptographic Toolkit

How to Use Your Block Cipher? Palash Sarkar

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Stream Ciphers An Overview

Key-Evolution Schemes Resilient to Space Bounded Leakage

1 Achieving IND-CPA security

La Science du Secret sans Secrets

Cryptography. Summer Term 2010

CS408 Cryptography & Internet Security

Information Security CS526

The Rectangle Attack

Content of this part

Cryptography (cont.)

Message Authentication Codes and Cryptographic Hash Functions

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Cipher Suite Configuration Mode Commands

Security with VA Smalltalk

Multiple forgery attacks against Message Authentication Codes

Study Guide to Mideterm Exam

Message Authentication and Hash function 2

Symmetric Cryptography

CS 495 Cryptography Lecture 6

Symmetric Encryption. Thierry Sans

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Introduction to cryptology (GBIN8U16)

Spring 2010: CS419 Computer Security

Introduction to Cryptography. Lecture 3

Summary. Final Week. CNT-4403: 21.April

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Security. Communication security. System Security

Introduction to Cryptography. Lecture 3

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Elastic Block Ciphers: Method, Security and Instantiations

Block Cipher Operation. CS 6313 Fall ASU

Symmetric-Key Cryptography

Transcription:

Midgame Attacks (and their consequences) Donghoon Chang 1 and Moti Yung 2 1 IIIT-Delhi, India 2 Google Inc. & Columbia U., USA

Crypto is a Technical Science As technology moves, so should crypto designs and constructions! As technology moves new attack vectors become feasible or practical. We have to constantly be aware of and also be prepared for changes in technologies and in related attack scenarios. This is one reason why cryptographers do not sleep well but also why they get jobs!

Midgame Attacks At some point in the middle of computation with a secret key (midgame), and after some secure work (typically initial work), the powerful adversary sees the entire internal state and attempts key recovery/ forgery/ decrypting. For cloud delegated work, hide long term key from provider (after performing small work): E.g., HMAC when the first & second key hashing is applied @user while the rest of the heavy (bulk) hashing work can be performed @cloud starting from an intermediate state.

Motivation Cloud Computing Secure Delegation No need to give away keys to the cloud, just a midgame state (i.e., local rather than global crypto-work delegation). better privacy! There is no perfect Security Guarantee even in Cryptographic Modules (assume attack at some point in the computation, and assume full leakage at time of attack). [in other areas: forward secrecy, key insulated mitigation was considered but not in basic designs!]

Midgame vs. Side-channel Attacks Side-channel Attacks Non-invasive & Passive Attacks Power Analysis Midgame Attacks Invasive Attacks Memory Dump Attack (as cold boot attack but 100% disclosure; goal is to compartmentalize the damage)

Midgame vs. Leakage Attacks Leakage Attacks Partial Information is leaked Gives leakage-resilient Cryptographic Models Midgame Attacks Total leakage at some point Note that once a partial information is leaked, then usually it brings total leakage by the divide-andconquer attack strategy on a symmetric key. So, the total leakage assumption at some point is practicallyjustified while partial leakage assumption has been criticized by some practitioners.

Summary Concrete Midgame Attacks: many known block-cipher encryption schemes and modes are not secure. six ECRYPT stream ciphers, except Rabbit, are not secure. HMAC-Keccak, unlike other four SHA-3 finalists, is not secure; first security gap among the 5. Overall: This is more about new issues/ notions/ revised design rules & not about technicalities of the relatively simple but demonstrative attacks.

Midgame Attacks on Block Cipher-based Encryption Schemes ECB, CBC, OFB, CFB, CTR Modes of Operation (approved by NIST) and many other encryption modes CCM, GCM (approved by NIST), OCB, and many other authenticatedencryption modes During the entire process of encryption, the secret key is fixed for every block cipher call, so the key-recovery attack is possible in the midgame attacks.

Midgame Attacks on Six ECRYPT Stream Ciphers There are Seven ECRYPT Stream ciphers. Except Rabbit, all the other six stream ciphers are not secure against midgame attacks. Except Rabbit, all the internal computations are invertible. Once a midgame attacker knows any internal state, then he can generate all the previous key stream of the Six stream ciphers.

Midgame Attacks on HMAC based on the SHA-3 Finalists There are Five SHA-3 Finalists. Except Keccak, all the other four SHA-3 final candidates provide better security against midgame attacks. Keccak uses a simple domain extension, called Sponge construction, which is based on an invertible permutation, so it is easy to compute the key of HMAC once any internal state is leaked.

HMAC-Keccak (for one-block K) K ipad M 1 M t Z 1 0 r 0 c f f f K opad Z 1 10*1 MAC value 0 r 0 c f f

HMAC-Keccak (for one-block K) K ipad M 1 M t Z 1 0 r 0 c f f f K opad Z 1 10*1 MAC value 0 r 0 c f f If we know any internal state, we can compute the key K because f is efficiently invertible.

Conclusions Typical cryptographic schemes were designed without considering midgame security (since the notion is new!! Cloud-motivated). Designing new schemes, secure against midgame attacks [under new design rules] is a new direction (we have some designs). This includes formalizing security.. Midgame analysis can be applied to numerous other areas such as public-key cryptography. Intuitively: For strong midgame security, locally-one-way & locally-pseudorandom operations should be considered which are fast for efficiency (just being fast is not enough).

Therefore remember: end of crypto reported on Monday s invited talk.. but!! Crypto is a Phoenix

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback