Presentation is loading. Please wait.

Presentation is loading. Please wait.

"The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory.

Published byBrianna Cliff Modified over 9 years ago

Similar presentations

Presentation on theme: ""The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory."— Presentation transcript:

1 "The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory

2 n (modulus) = product of secret primes p and q e (public key) = relatively prime to (p-1)(q-1) d (private key) = e -1 mod ((p-1)(q-1))) Encrypt c=m e mod n Decrypt m=c d mod n Eve gets ciphertext message c from Alice, wants to read it i.e., she wants to find m = c d Choose random r < n, and use Alice’s public key e x=r e mod n y=xc mod n t=r -1 mod n Note if x=r e mod n, then r=x d mod n ! Eve tricks Alice into encrypting (signing) y with her d Alice sends Eve u=y d mod n Eve then calculates tu mod n = r -1 y d mod n = r -1 x d c d mod n = c d mod n = m 2 Chosen ciphertext attack against RSA -Schneier

3 ECRYPT 2012 Key Length Advice 3 See www.keylength.com/en/3

4 Captured One-Time Pads

5 Russian One-Time Pad captured by MI5 5

6 Don’t reuse those one-time pads! If C1=P1  K1 C2=P2  K1 C3=P3  K1 Then try C1  C2 => P1  K1  P2  K1 => P1  P2 C1  C3 => P1  K1  P3  K1 => P1  P3 C2  C3 => P2  K1  P3  K1 => P2  P3 and (P1  P2)  (P1  P3) => (P2  P3) (P1  P2)  (P2  P3) => (P1  P3) … 6

7 7 + + +    From Rick Smith: http://cryptosmith.com/archives/70 Don’t reuse those one-time pads!

8 Key? What Key? Alice encrypts: P  K=>C Bob knows the key and decrypts: C  K=>P They agree on a dummy plaintext D and if they’re ever captured, they will give up the key K’=C  D If the authorities decrypt C  K’ => D 8

9 Case study: Heartbleed SSL Bug http://xkcd.com/1353/ struct { HeartbeatMessageType type; uint16 payload_length; uchar payload [HeartbeatMessage.payload_length]; uchar padding[padding_length]; } HeartbeatMessage; 9

10 10

11 Power Analysis 11

12 Simple Power Analysis: `DES Parity Check DES-CheckParity(byte Key[8]) for i = 8 down to 1 parity=0; for j = 8 down to 1 if (bit j of Key[i] is set) // CONDITIONAL parity = parity+1 // OPERATION endif endfor if (parity is even) parity_error(); endfor end DES-CheckParity 12

13 SPA Attack on DES-Parity 13

14 EM History Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org. http://www.cryptome.org Published work – EM Leakages from Peripherals, E.g., Monitors: Van Eck, Anderson & Kuhn. – EM Leakage from smart-cards during Computation. J.-J. Quisquater & David Samyde, E-smart 2001, Gemplus Team [GMO ’01], CHES ’01. – SEMA/DEMA attacks. Best results require "decapsulation" of chip packaging and/or precise micro-antennas positioning on chip surface

15 Rao et.al.’s Work` Deeper understanding of the EM leakages. – Similar to declassified TEMPEST literature. Key Insights/Results – Plenty of EM signals are available, provided you know what to look for and where. Superior signals and attacks possible without micro- antennas or decapsulation. Some attacks possible from a distance. – EM side-channel(s) >> Power side-channel EM can break DPA-resistant implementations.

16 EM Emanations Background Origin/Types of EM Emanations – Direct emanations from intended currents. Maxwell’s equations, Ampere’s and Faraday’s laws. – Unintentional emanations from coupling effects. Depend on physical factors, e.g., circuit geometry. Most couplings ignored by circuit designers. Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in device. – AM or Angle (FM/Phase) Modulation. Compromising signals available via demodulation. Propagation of EM – Radiation, Conduction, Combination of both. E.g., Faint EM signals riding on power line.

17 EM Capturing Equipment Antennas (Far-field) and Near-field probes Current probes. Analog processing: Filters/Amplifiers, Tunable wideband receiver or equivalent $$ Digital sampling hardware.

18 ICOM wideband radio receiver with IF output

19 MAKE YOUR OWN

20 EM vs. Power Sometimes, EM is the only side-channel available. – Filtered power supplies, restricted access… – E.g. Crypto Tokens, SSL Accelerators,...

21 Time (10ns) Amplitude EM Signal from SSL Accelerator S at 15 feet

22 EM vs. Power Is EM useful in the presence of power? Yes, several EM carriers: Generated, Ambient, Introduced… – Experimentally verified: Different carriers carry different information. Some EM leakages substantially different from Power leakages.

23 Bad Instructions Instructions where some EM leakage >> Power leakage. Typically CPU intensive rather than bus intensive. All architectures have BAD Instructions. Example: Bit-test on several 6805 based systems leaks tested bit.

24 EM Attack Example 2 signals, different data, same exp & modulus 24

25 O TESTED BIT = 0 IN BOTH TRACES

26 O TESTED BIT DIFFERENT

27 Countermeasures Require sound vulnerability assessment. Countermeasures include: – Circuit redesign to reduce unintentional emanations. – Reducing S/N ratio EM Shielding Noise introduction Physically secure zones. – Randomization based software countermeasures similar to DPA countermeasures.

28 28

29 29 Xkcd http://xkcd.com/221/

30 Netscape 1.1 Seeding Process 30 RNG_CreateContext() { (seconds, microseconds) = time of day; /* Time elapsed since 1970 */ pid = process ID; ppid = parent process ID; a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid << 12)); seed = MD5(a, b); /* seed is a global variable */ } mklcpr(x) { /* not cryptographically significant; shown for completeness */ return ((0xDEECE66D * x + 0x2BBB62DC) >> 1); } From Goldberg and Wagner, “Randomness and the Netscape Browser”, Dr. Dobb’s, January 1996.

31 Netscape 1.1 Key Generation 31 From Goldberg and Wagner, “Randomness and the Netscape Browser”, Dr. Dobb’s, January 1996. RNG_GenerateRandomBytes() { x = MD5(seed); seed = seed + 1; return x; } global variable challenge, secret_key; create_key() { RNG_CreateContext(); tmp = RNG_GenerateRandomBytes(); challenge = RNG_GenerateRandomBytes(); secret_key = RNG_GenerateRandomBytes(); }

32 Jone’s RNG Rules 1.Don’t use system generators 2.Use a known good RNG you implemented 3.Properly seed the RNG 32

33 KISS Generator (G. Marsaglia) static unsigned int /* Seed variables */ x = 123456789, y = 362436000, z = 521288629, c = 7654321; unsigned int KISS() { unsigned long long t, a = 698769069ULL; x = 69069*x+12345; // y never == 0! */ y ^= (y >17); y ^= (y >32); // Also avoid setting z=c=0! return x+y+(z=t); } 33

Download ppt ""The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory."

Similar presentations

RSA.

RSA.
Tempest Emanations Jacklyn Truong University of Tulsa April 16, 2013.

Tempest Emanations Jacklyn Truong University of Tulsa April 16, 2013.
Power, EM and all that: Is your crypto device really secure? Pankaj Rohatgi Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R Rao IBM T.J. Watson.

Power, EM and all that: Is your crypto device really secure? Pankaj Rohatgi Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R Rao IBM T.J. Watson.
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 # Public/Private Keys = 2 n.

A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 # Public/Private Keys = 2 n.
1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.

1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.
95-712 OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.

OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Similar presentations

Ads by Google