Practical Aspects of Modern Cryptography
Josh Benaloh, Tolga Acar
Fall 2016
October 25, 2016
The wiretap channel
[Diagram: Alice encrypts plaintext (P) under key (K1); the ciphertext crosses a noisy, insecure channel watched by an eavesdropper; Bob decrypts under key (K2) to recover plaintext (P)]
Message sent is: C = E_K1(P)
Decrypted as: P = D_K2(C)
Symmetric key: K1 = K2
Public key: K1 ≠ K2; K1 is publicly known, K2 is Bob's secret
Adversaries
Cryptography is computing in the presence of an adversary
What do you want to protect?
Against whom?
Under what circumstances?
An adversary is characterized by:
Talent
Access to information
Probable plaintext attacks
Known plaintext/ciphertext attacks
Chosen plaintext attacks
Adaptive interactive chosen plaintext attacks (oracle model)
Computational resources
Cryptographic Algorithm Requirements
WW II
Universally available (simple, light instrumentation) – interoperability.
Compact, rugged: easy for people (soldiers) to use
Kerckhoffs's principle: security in the key only. We assume that the attacker knows the complete details of the cryptographic algorithm and implementation
Adversary has access to some corresponding plaintext and ciphertext
Now
Adversary has access to unlimited ciphertext and lots of chosen text
Implementation in digital devices (power/speed) paramount
Easy for computers to use
Resistant to ridiculous amounts of computing power
Computational strength of adversary
Infinite - Perfect Security
Information Theoretic
Doesn’t depend on computing resources or time available
Polynomial
Asymptotic measure of computing power
Indicative but not dispositive
Realistic
The actual computing resources under known or suspected attacks
This is us
Practical attacks
Exhaustive search of theoretical key space
Exhaustive search of actual key space as restricted by poor practice
Exploiting bad key management or storage
Stealing keys
Exploiting encryption errors
Spoofing (ATM PIN)
Leaking due to size, position, language choice, frequency, inter-symbol transitions, timing differences, side channels
What can go wrong
Key space is too small
, all linear in key bits
Linear transformation
Easy to solve the resulting linear equations
decomposable into transformations with independent key bits
should look like a PRP ([Pseudo] Random Permutation) and the effect of should look like it picks the random permutations unpredictably
DES Attacks: Exhaustive Search
Symmetry
Suppose we know a plaintext/ciphertext pair (p, c)

    /* DES(k, p) denotes DES encryption of p under key k; the key space is 2^56 */
    uint64_t k;
    for (k = 0; k < (1ULL << 56); k++) {
        if (DES(k, p) == c) {
            printf("Key is %llx\n", (unsigned long long)k);
            break;
        }
    }

Expected number of trials (if k was chosen at random) before success: 2^55
DES: Weak Keys
DES has:
Four weak keys k for which E_k(E_k(m)) = m
Twelve semi-weak keys which come in pairs k1 and k2 and are such that E_k1(E_k2(m)) = m
Weak keys are due to the key schedule algorithm
How they arise:
A 28-bit quantity has potential symmetries of period 1, 2, 4, 7, and 14
Suppose each of C0 and D0 has a symmetry of period 1
For example C0 = 0x0000000, D0 = 0x1111111
Easy to figure out a master key (K) that produces such a C0 and D0
Random Mappings
Let
all functions from a finite domain to a finite co-domain
Every mapping
is equally likely to be chosen,
The probability of choosing a particular mapping is
Example: f : {1, 2, …, 13} → {1, 2, …, 13}
Graphic by Maithili Narasimha
Time-memory trade-off
Table
Pre-compute a table of
for a fixed
Given
, look up the key in
time
Time
Try random keys takes
time
, usually
, the number of possible keys
Balanced “memory” and “time” resources?
Not a 50-50 proposition
Hellman showed we could cut the search time to
by pre-computing and storing
values
Sophisticated attacks
Exhaustive search
Differential cryptanalysis
Differentials
Linear Cryptanalysis
Linear approximations
Meet In The Middle: 2DES
Double DES:
Get in the middle:
Find the key when
Diagram: m → c' = E(K2, m) → c = E(K1, c')
Meet In The Middle: 2DES
Attack with
Build table
, with
entries
Sort on
, which maps
to
For each
, test
Found
Meet In The Middle: 2DES
Double DES:
Space:
Time
Similar attack for 3DES
Time:
Space:
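Added example, not from the slides: the meet-in-the-middle search of the 2DES slides (tabulate E(K2, m) for every K2 and sort; for each K1 decrypt c and look up the middle value; confirm on a second known pair) written in C against a constructed toy cipher, a 16-bit Feistel network with 8-bit keys that stands in for DES. The cipher, the secret keys 0xA7/0x3C and the plaintexts are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Toy 16-bit Feistel cipher with an 8-bit key: a constructed stand-in for DES. */
static uint8_t f(uint8_t r, uint8_t k) { uint8_t x = (uint8_t)(r ^ k); return (uint8_t)((x * 7 + 3) ^ (x >> 4) ^ (x << 3)); }
static uint8_t rk(uint8_t key, int i) { return (uint8_t)(((key << i) | (key >> (8 - i))) ^ (0x5B * i)); } /* i = 1..4 */
static uint16_t toy_enc(uint8_t key, uint16_t m) {
    uint8_t l = (uint8_t)(m >> 8), r = (uint8_t)m;
    for (int i = 1; i <= 4; i++) { uint8_t t = r; r = (uint8_t)(l ^ f(r, rk(key, i))); l = t; }
    return (uint16_t)(l << 8 | r);
}
static uint16_t toy_dec(uint8_t key, uint16_t c) {
    uint8_t l = (uint8_t)(c >> 8), r = (uint8_t)c;
    for (int i = 4; i >= 1; i--) { uint8_t t = l; l = (uint8_t)(r ^ f(l, rk(key, i))); r = t; }
    return (uint16_t)(l << 8 | r);
}
typedef struct { uint16_t mid; uint8_t k2; } entry_t;          /* E(k2, m0) and the k2 that made it */
static int cmp_mid(const void *a, const void *b) {
    uint16_t x = ((const entry_t *)a)->mid, y = ((const entry_t *)b)->mid; return (x > y) - (x < y);
}
/* Meet in the middle on c = E(k1, E(k2, m)): tabulate E(k2, m0) for all k2 and sort;
   for each k1 look up D(k1, c0). Cost is 2 * 2^8 cipher operations instead of the 2^16
   of exhaustive search; a second known pair screens out chance matches in the middle. */
static int mitm_2toy(uint16_t m0, uint16_t c0, uint16_t m1, uint16_t c1, uint8_t *k1, uint8_t *k2) {
    entry_t tab[256];
    for (int k = 0; k < 256; k++) { tab[k].mid = toy_enc((uint8_t)k, m0); tab[k].k2 = (uint8_t)k; }
    qsort(tab, 256, sizeof tab[0], cmp_mid);
    for (int k = 0; k < 256; k++) {
        entry_t probe = { toy_dec((uint8_t)k, c0), 0 };
        entry_t *e = bsearch(&probe, tab, 256, sizeof tab[0], cmp_mid);
        if (!e) continue;
        size_t i = (size_t)(e - tab);
        while (i > 0 && tab[i - 1].mid == probe.mid) i--;        /* several k2 may share a middle value */
        for (; i < 256 && tab[i].mid == probe.mid; i++)
            if (toy_enc((uint8_t)k, toy_enc(tab[i].k2, m1)) == c1) { *k1 = (uint8_t)k; *k2 = tab[i].k2; return 1; }
    }
    return 0;
}
/* Demo with constructed secret keys 0xA7, 0x3C and two known plaintexts; returns 1 when the
   recovered pair reproduces both ciphertexts. */
static int mitm_demo(void) {
    uint16_t m0 = 0x1234, m1 = 0xBEEF;
    uint16_t c0 = toy_enc(0xA7, toy_enc(0x3C, m0)), c1 = toy_enc(0xA7, toy_enc(0x3C, m1));
    uint8_t k1, k2;
    if (!mitm_2toy(m0, c0, m1, c1, &k1, &k2)) return 0;
    printf("recovered k1=%02x k2=%02x\n", k1, k2);
    return toy_enc(k1, toy_enc(k2, m0)) == c0 && toy_enc(k1, toy_enc(k2, m1)) == c1;
}
int main(void) { return mitm_demo() ? 0 : 1; }
```

For 2DES the same table has 2^56 entries, so the attack needs about 2^56 memory and 2^57 DES operations rather than the 2^112 of exhaustive search over both keys.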
Faulty PRNG
DSA-1571-1 openssl -- predictable random number generator, May 2008

    MD_Update(&m, buf, j);
    [ .. ]
    MD_Update(&m, buf, j); /* purify complains */

Purify complained about uninitialized data, so the lines were removed
The random seed was no longer mixed in: only the process ID
Max pid is 32,768
Bug was introduced in 2006
Padding Oracles
Many padding oracle attacks
Example: CBC mode of operation with block ciphers
PKCS#7 padding of the last block
Value of added byte is the number of bytes
01
02 02
03 03 03
04 04 04 04
05 05 05 05 05
Decryption:
Change last byte of
changes last byte of
Padding Oracles: CBC w/ PKCS#7
Decryption:
Changes in
bytes change corresponding byte of
padded
, attack here
Decryption checks the last byte after decrypting
Padding Oracles: CBC w/ PKCS#7
padded
, attack here
Attack for the last byte of
Guess
: last byte of
Change
, last byte of
If correct, byte of
becomes
no error
Repeat 255 times
Similarly for other bytes of
Side-Channel Attacks
Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door – especially on embedded cryptographic devices such as SmartCards and RFIDs
Side-Channel Attacks
Some attack vectors …
Fault Attacks
Timing Attacks
Cache Attacks
Power Analysis
Electromagnetic Emissions
Acoustic Emissions
Information Disclosure
… others?
Fault Attacks
Faults may be unintentional or induced by …
Heat
Cold
Supply voltage deviations (low, high, …)
Overclocking
Focused ion beams and other radiation
Microwaves
Malicious input
…
Review: AES Round
Each round has 4 transformations:
ByteSub: nonlinearity
ShiftRow: inter-column diffusion
MixColumn: inter-byte diffusion
Round key addition (XOR)
First round key is the key
[Diagram: Plaintext → Key Addition → Round (Byte Substitution → Shift Rows → Mix Columns → Key Addition) → More Rounds → Ciphertext]
AES Fault Attack
Change a single bit after the first key addition
Objective: Reset a single bit in the internal state S0
Observe: if the ciphertext has changed
Solve: If the ciphertext is changed OR the fault is detected, the correct bit value is 1, otherwise 0
Altered bit is one bit of
Recover the key one bit at a time
Infeasible in practice … so far
RSA Fault Attack
Recall
,
where
Recover modulus factorization
Recover secret exponent
Decrypt ciphertext
without
RSA Fault Attack: Bellcore
Factor modulus
by introducing errors in exponentiation and CRT (Chinese Remainder Theorem)
Signature
, or
, or
Attack: corrupt only one of the two exponentiations
RSA Attack: Bellcore
Attack: corrupt only one of the two exponentiations
Assume
is corrupted by fault injection:
Compute
Observe
shares the factor
with
Compute
Knowing message
to sign,
A correct signature
is not required
RSA Attack: Square & Multiply
Assumptions
Attacker can submit ciphertexts to decrypt
Unlimited number of fault injection attacks
Restriction: Non-destructive attacks (e.g. SmartCards)
Recover: Private exponent
Cause a single bit flip in
in signature computation
Skip if multiply with base
(left-to-right square & multiply)
Corruption:
, or
The single bit at position
flipped up or down
RSA Attack: Square & Multiply
Corruption:
, or
Corrupt the bit at position
in
Recall signature:
For
, either
Hint: Precompute
on a table of size
Multiple bit flips are similar with a larger table of size
RSA Attack: root
Find a way to extract the e-th root of mod N by knowing another power of the same message
Obtain
and
via fault injection
Extract the
e-th root of
, for
, by
Recall
, and it is possible to satisfy
Attacker knows
, and computes
Countermeasures: RSA
Challenging without performance impact
Larger circuits, higher latency, higher cost
Randomization in CRT
Fault injection, timing, power
Generate a random number
,
Output
only if
Still vulnerable to
Bellcore
: use two random numbers
Countermeasures: RSA
Generic approach: Validate the output
Verify the signature
Small
, cost is low
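Added example, not from the slides, covering both the Bellcore attack slides and the "validate the output / verify the signature" countermeasure: CRT signing with toy RSA parameters (N = 61·53, e = 17, d = 2753, all constructed), a simulated bit flip in the mod-q half, the gcd that then exposes p, and the verify-before-output check that keeps the faulty signature from leaving the device.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy RSA parameters, constructed for illustration: N = 61 * 53, e * d = 1 mod lcm(60, 52). */
static const uint64_t P = 61, Q = 53, N = 3233, E = 17, D = 2753;
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m) if (e & 1) r = r * b % m;
    return r;
}
static uint64_t gcd(uint64_t a, uint64_t b) { while (b) { uint64_t t = a % b; a = b; b = t; } return a; }
/* CRT signing: two half-size exponentiations recombined with Garner's formula.
   fault_q != 0 simulates a fault that flips one bit of the mod-q half result. */
static uint64_t sign_crt(uint64_t m, int fault_q) {
    uint64_t sp = modpow(m % P, D % (P - 1), P);
    uint64_t sq = modpow(m % Q, D % (Q - 1), Q);
    if (fault_q) sq ^= 1;
    uint64_t qinv = modpow(Q, P - 2, P);                  /* q^-1 mod p (Fermat, p prime) */
    uint64_t h = qinv * ((sp + P - sq % P) % P) % P;
    return (sq + h * Q) % N;
}
/* Countermeasure from the slides: validate the output by verifying the signature
   before it is released; a faulty signature must never leave the device. */
static int rsa_verify(uint64_t m, uint64_t s) { return modpow(s, E, N) == m % N; }
/* Bellcore observation: when only the mod-q half is wrong, S'^e - m is 0 mod p but
   not mod q, so gcd(S'^e - m, N) = p. Only the message m is needed, not a correct S. */
static uint64_t factor_from_faulty_sig(uint64_t m, uint64_t s_faulty) {
    return gcd((modpow(s_faulty, E, N) + N - m % N) % N, N);
}
int main(void) {
    uint64_t m = 65, s = sign_crt(m, 0), s_bad = sign_crt(m, 1);
    printf("correct signature verifies: %d\n", rsa_verify(m, s));
    printf("faulty signature verifies: %d\n", rsa_verify(m, s_bad));
    printf("factor leaked by the faulty signature: %llu\n", (unsigned long long)factor_from_faulty_sig(m, s_bad));
    return 0;
}
```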
Timing Attacks
How long does it take to perform a decryption?
The answer may be data-dependent.
For instance…
Watch decryption times for
where
and where
.
If there is a minute difference,
can be determined with binary search.
Cache Attacks
If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.
Decryption times may vary in a key-dependent manner based upon which lines have been flushed.
Cache Timing Attacks: AES
Not easy to write constant-time AES software
Easy to write inefficient constant-time AES
Problem: Load an array entry in time independent of the index
Recall AES with two 256-byte SBOX tables
and
These are expanded into four 1024-byte tables:
Cache-Timing Attacks: AES
Consider
with plaintext
and key
Variable-time table lookup due to cache
Assume the attacker
Observes the time to handle many
s
Adds up the time it takes for each possible
Observes the overall AES time is max when
is some value
Attacker observes, with known keys
, overall AES time is max when
is another value
Attacker computes
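Added example, not from the slides: the "load an array entry in time independent of the index" problem from the cache-timing slides, in C. The table is a constructed byte permutation standing in for an AES S-box; lookup_leaky is the data-dependent access the attack above exploits, lookup_ct the masked full-table scan that removes the dependence on the index.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for an AES S-box (any byte permutation); the real 256-byte
   table would be used the same way and is omitted for brevity. */
static void build_demo_sbox(uint8_t t[256]) {
    for (uint32_t i = 0; i < 256; i++) t[i] = (uint8_t)(i * 7 + 3);
}
/* Leaky lookup: the address touched depends on idx, so which cache line is loaded,
   and how long the load takes, carries information about idx (and so about the key). */
static uint8_t lookup_leaky(const uint8_t t[256], uint8_t idx) { return t[idx]; }
/* 0xFF if a == b else 0x00, without a data-dependent branch (requires a, b < 2^31). */
static uint8_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                          /* zero exactly when a == b */
    return (uint8_t)(0u - ((x - 1) >> 31));      /* (x - 1) >> 31 is 1 only for x == 0 */
}
/* Constant-time lookup: read every entry and keep only the selected one through a
   mask, so the sequence of memory accesses is identical for every idx. */
static uint8_t lookup_ct(const uint8_t t[256], uint8_t idx) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) out |= t[i] & ct_eq_mask(i, idx);
    return out;
}
/* 1 if lookup_ct agrees with the direct lookup on every index of the demo table. */
static int lookup_ct_selfcheck(void) {
    uint8_t t[256];
    build_demo_sbox(t);
    for (uint32_t i = 0; i < 256; i++)
        if (lookup_ct(t, (uint8_t)i) != lookup_leaky(t, (uint8_t)i)) return 0;
    return 1;
}
int main(void) {
    printf("constant-time lookup matches direct lookup: %s\n", lookup_ct_selfcheck() ? "yes" : "no");
    return 0;
}
```

A compiler may still rewrite the mask into a branch, so production constant-time code checks the generated assembly or uses compiler barriers.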
Power Analysis
Power usage of a device may vary in a key-dependent manner.
Careful measurement and analysis of power consumption can be used to determine the key.
Power Analysis
Goal: Extract secret key
SPA: Simple Power Analysis
Power traces or graphs over time
Variations in power consumption for different operations
Example: Number of rounds, square, multiply
DPA: Differential Power Analysis
Statistical analysis of multiple operations
Measure power consumption per input/output data
Partition measurements into subsets
Statistical differences between subsets indicate leakage
Electromagnetic Emissions
One can record electromagnetic emissions of a device – often at a distance.
Careful analysis of the emissions may reveal a secret key.
Acoustic Emissions
Modular exponentiation is usually done with repeated squaring and conditional "side" multiplications.
It can actually be possible to hear whether or not these conditional multiplications are performed.
Acoustic Cryptanalysis
There is a history of acoustic attacks
More recently
Ultrasonic noise emanating from capacitors and inductors in a computer motherboard
Cooling fan
Small movements of current change capacitor diameter, and piezoelectric size changes
Countermeasures: Generate sound to jam
Same spectrum sound
White noise
Information Disclosures
(N.B. Bleichenbacher Attack)
A protocol may respond differently to properly and improperly formed data.
Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.
Cryptosystem Security Definitions
Cryptographers like inscrutable TLAs
Probabilistic Polynomial-Time (PPT) adversaries
Probabilistic randomized algorithm that gives the correct answer with > ½ probability.
Random Oracle Model (RO or ROM)
Black box with a stateful uniform random response
Random Oracle (on query x):
  y ← {0, 1}*
  If (x in A): y ← Fetch(A, x)
  Else: Store(x, y) in A
  Return y
Attack Game
Encryption scheme security definitions
IND-R: Indistinguishability from Random
IND-CPA: Indistinguishability under Chosen Plaintext Attack (a.k.a. semantic security)
IND-CCA: Indistinguishability under Chosen Ciphertext Attack
IND-CPA ⊂ IND-CCA
IND-CPA Game (Left-Right Oracle):
  Adversary sends m0, m1
  Oracle: b ← {0, 1}; C = Enc(K, m_b); Return C
  Adversary receives C: Guess b?
Ciphertext Attacks
IND-CCA2: Indistinguishability under adaptive chosen ciphertext attack
Decryption Oracle access (non-trivial)
Non-adaptive
Query the decryption oracle till the challenge ciphertext is received
Adaptive
Continuous queries to the oracle (max q queries)
IND-CPA ⊂ IND-CCA ⊂ IND-CCA2
IND-CCA/CCA2 Game
Encrypt oracle: query m, response C = Enc(K, m)
Decrypt oracle: query C, response m = Dec(K, C)
Left-Right Oracle (Challenge): adversary sends m0, m1; b ← {0, 1}; C = Enc(K, m_b); return C
Adversary: queries {m, C}, responses {C, m}; Guess b?
Adaptive (CCA2) Adversary: free oracle access
Bleichenbacher Attack
Sign with RSA signatures using PKCS#1 v1.5
Input message
, hash function
Pad
:
encoding for
DigestInfo
, hash of the message
to sign
A is a fixed set of bytes
Bleichenbacher Attack
Verification
Decrypt
to obtain
Peel off padding to extract
from
Compare computed hash
to the decrypted hash
How to parse
from
?
is some other junk data
Bleichenbacher Attack
Assume: padding is not properly validated
Assume:
Calculate the cube root of
(non-integer)
Round the number, use for forgery. When cubed
. But, broken implementations won’t check
For
, more bytes at the end to compensate for larger errors
Design Charrette
How would you design a transit fare card system?
Fare Card System Elements
An RFID card for each rider
Readers on each vehicle and/or transit station (Internet connected?)
Card purchase/payment machines
A web portal for riders to manage and/or enrich their cards