Download presentation

Presentation is loading. Please wait.

Published byEloise Willingham Modified over 2 years ago

1
© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice Jean-Jacques Quisquater jjq@dice.ucl.ac.bejjq@dice.ucl.ac.be Research Director CNRS, France and Université catholique de Louvain, Louvain-la-Neuve, Belgium UCL Crypto Group http://uclcrypto.orghttp://uclcrypto.org Part of this work done while visiting scientist at MIT-CSAIL

2
© UCL Crypto group DIMACS talk - 2004 2 bCONTENTSCONTENTS Introduction Smart cards IBC Remote integrity Using bad primitives Conclusion Introduction Smart cards IBC Remote integrity Using bad primitives Conclusion

3
© UCL Crypto group DIMACS talk - 2004 3 Goal of the talk Show by examples that thinking with tamperproof and doing crypto with constrained objects is interesting for theoretical and practical purposes.

4
© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice Smart Theory Meets Smartcard Practice Short Story of Smart Cards René Barjavel (1966) « La nuit des temps » (Gondas) several inventors in USA (IBM - 1968), Japan, Germany, France Roland Moreno (F) pushed the right version (1974) Michel Ugon and Louis Guillou were the technical inventors (~ 1977) SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France first DES: 1985 (TRASEC, Belgium,TB100 -> Proton) first RSA: CORSAIR (Philips): 1989 (coprocessor)... in some sense smart angel-in-the-box (Shai Halevi, yesterday).

5
© UCL Crypto group DIMACS talk - 2004 5 Ring by Moreno (1974) and first smart card (1980)

6
© UCL Crypto group DIMACS talk - 2004 6 The chip (IC) ROM EEPROM flash memory EEPROM flash memory CPU I/O coprocessor DES – RSA -ECC coprocessor DES – RSA -ECC security logic security logic RAM sensors firewall Reset Ground Volt Clock

7
© UCL Crypto group DIMACS talk - 2004 7 A complete computer

8
© UCL Crypto group DIMACS talk - 2004 8 Passive attacks ChipChip CLK GRD VCC RST I/O 2. SPA-DPA 1. timing 3. probing 4. measures of radiations 4. measures of radiations

9
© UCL Crypto group DIMACS talk - 2004 9 Active fault attacks (Bellcore attack) Key=1010110...

10
© UCL Crypto group DIMACS talk - 2004 10

11
© UCL Crypto group DIMACS talk - 2004 SENDER k (Alice) E(m) SENDER k (Alice) E(m) RECEIVER k (Bob) D(E(m))=m RECEIVER k (Bob) D(E(m))=m encrypted message E(m)=10010100111 Tamperproof model

12
© UCL Crypto group DIMACS talk - 2004 SENDER k (Alice) E(m) SENDER k (Alice) E(m) RECEIVER k (Bob) D(E(m))=m RECEIVER k (Bob) D(E(m))=m E(m)=10010100111 Tamperproof model => asymmetric crypto (DH-RSA – 1980 public) Tamperproof model => asymmetric crypto (DH-RSA – 1980 public) Only able to encrypt Only able to decrypt

13
© UCL Crypto group DIMACS talk - 2004 Identification with identity-based crypto (Shamir 1984 Guillou 1984 Fiat-Shamir 1986) PROVER k Id E(r) = R PROVER k Id E(r) = R VERIFIER K E(Id) = k E(r) = ? R VERIFIER K E(Id) = k E(r) = ? R Id Surprise r Response R Authority K E(Id) = k Authority K E(Id) = k Id k k

14
© UCL Crypto group DIMACS talk - 2004 14 Identity-Based Encryption Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984: 47-53. Yvo Desmedt, Q.: Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?). CRYPTO 1986: 111-117. Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001: 213-229. Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues Source LNCS, Proc. of the 8th IMA Intern. Conf. on Cryptography and Coding 2001: 360-363.

15
© UCL Crypto group DIMACS talk - 2004 15 Hierarchical IBC? Was done also in 1984 The easy way: you iterate the process with cards being mother, daughter, granddaughter, aso.

16
© UCL Crypto group DIMACS talk - 2004 16 Tamperproof model useful? Sometimes proof of concept Sometimes useful to simulate public- key crypto in closed systems Yes, but we don’t know how to translate tamperproof into trapdoor in a crypto function.

17
© UCL Crypto group DIMACS talk - 2004 17 First smart card (1980)

18
© UCL Crypto group DIMACS talk - 2004 18 Security with two chips or with a unsecure server? One chip is tamperproof but slow, The other one is a unsecure memory or a fast unsecure processor, … Philippe Béguin, Q.: Secure Acceleration of DSS Signatures Using Insecure Server. ASIACRYPT 1994: 249-259 Possible for El gamal signatures with small memory RSA? See Philippe Béguin, Q.: Fast Server-Aided RSA Signatures Secure Against Active Attacks. CRYPTO 1995: 57-69 but parameters need to be changed due to an attack by Nguyen–Stern (Asiacrypt 1998). Better? Work in progress

19
© UCL Crypto group DIMACS talk - 2004 New problem: “remote integrity” (better than Tripwire®?) IICIS 2003: Deswarte,Q, Saïdane PROVER Smart card Id M (secret) PROVER Smart card Id M (secret) VERIFIER r! A! h(M) f(r,h(M))=R? VERIFIER r! A! h(M) f(r,h(M))=R? Id Surprise A Response R A lot of smart cards

20
© UCL Crypto group DIMACS talk - 2004 20 Protocol for remote integrity GENERAL INIT: Let M = (content of the file), integer n = pq (RSA modulus, 1024 bits) public: factorisation is secret a = a random number, 1
{
"@context": "http://schema.org",
"@type": "ImageObject",
"contentUrl": "http://images.slideplayer.com/13/3877806/slides/slide_20.jpg",
"name": "© UCL Crypto group DIMACS talk - 2004 20 Protocol for remote integrity GENERAL INIT: Let M = (content of the file), integer n = pq (RSA modulus, 1024 bits) public: factorisation is secret a = a random number, 1

21
© UCL Crypto group DIMACS talk - 2004 Using bad primitives? PROVER k h(), r1! E(r1+r2) = R PROVER k h(), r1! E(r1+r2) = R VERIFIER k E(r1+r2) = R ? VERIFIER k E(r1+r2) = R ? h(r1) (weak commitment) r2 Response R, r1 Bad random generator Breakable hash function h() E : resists to linear crypto, E : bad for differential crypto Bad random generator Breakable hash function h() E : resists to linear crypto, E : bad for differential crypto

22
© UCL Crypto group DIMACS talk - 2004 22 General conclusion Thinking theoretically with strongly constrained objects set interesting problems with practical results. Many open problems. UCL ©

Similar presentations

OK

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on tcp ip protocol architecture definition Download ppt on air powered cars Ppt on line drawing algorithm in computer graphics Ppt on importance of sports and games Ppt on limits and derivatives ppt Ppt on abo blood grouping Ppt on environmental chemistry class 11 Ppt on c-programming basics Ppt on holographic technology Ppt on ms word 2003