Published by Eloise Willingham
© UCL Crypto group – October 2004 – DIMACS
Smart Theory Meets Smartcard Practice
Jean-Jacques Quisquater, email@example.com@dice.ucl.ac.be
Research Director CNRS, France and Université catholique de Louvain, Louvain-la-Neuve, Belgium
UCL Crypto Group, http://uclcrypto.org
Part of this work done while visiting scientist at MIT-CSAIL

© UCL Crypto group DIMACS talk - 2004
Contents
Introduction
Smart cards
IBC
Remote integrity
Using bad primitives
Conclusion

Goal of the talk
Show by examples that thinking in terms of tamperproof devices and doing crypto with constrained objects is interesting for both theoretical and practical purposes.

Short Story of Smart Cards
René Barjavel (1966), « La nuit des temps » (Gondas)
Several inventors in USA (IBM - 1968), Japan, Germany, France
Roland Moreno (F) pushed the right version (1974)
Michel Ugon and Louis Guillou were the technical inventors (~ 1977)
SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
First DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
First RSA: CORSAIR (Philips): 1989 (coprocessor)
... in some sense smart angel-in-the-box (Shai Halevi, yesterday).

[Figure: Ring by Moreno (1974) and first smart card (1980)]

The chip (IC)
Blocks: ROM, EEPROM / flash memory, CPU, I/O, coprocessor (DES – RSA – ECC), security logic, RAM, sensors, firewall
Contacts: Reset, Ground, Volt, Clock

A complete computer

Passive attacks
Chip contacts: CLK, GRD, VCC, RST, I/O
1. timing
2. SPA-DPA
3. probing
4. measures of radiations

Active fault attacks (Bellcore attack)
Key=1010110...

Tamperproof model
SENDER (Alice): k, E(m)
Encrypted message: E(m)=10010100111
RECEIVER (Bob): k, D(E(m))=m

Tamperproof model => asymmetric crypto (DH-RSA – 1980 public)
SENDER (Alice): k, E(m), only able to encrypt
Message: E(m)=10010100111
RECEIVER (Bob): k, D(E(m))=m, only able to decrypt

Identification with identity-based crypto (Shamir 1984, Guillou 1984, Fiat-Shamir 1986)
Authority: K, E(Id) = k
PROVER: k, Id, E(r) = R
VERIFIER: K, E(Id) = k, E(r) = ? R
Diagram labels: Id, Surprise r, Response R; Id, k, k

Identity-Based Encryption
Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984: 47-53.
Yvo Desmedt, Q.: Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?). CRYPTO 1986: 111-117.
Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001: 213-229.
Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues. LNCS, Proc. of the 8th IMA Intern. Conf. on Cryptography and Coding 2001: 360-363.

Hierarchical IBC?
Was done also in 1984.
The easy way: you iterate the process with cards being mother, daughter, granddaughter, and so on.

Tamperproof model useful?
Sometimes proof of concept
Sometimes useful to simulate public-key crypto in closed systems
Yes, but we don’t know how to translate tamperproof into trapdoor in a crypto function.

[Figure: First smart card (1980)]

Security with two chips or with an unsecure server?
One chip is tamperproof but slow; the other one is an unsecure memory or a fast unsecure processor, …
Philippe Béguin, Q.: Secure Acceleration of DSS Signatures Using Insecure Server. ASIACRYPT 1994: 249-259
Possible for ElGamal signatures with small memory
RSA? See Philippe Béguin, Q.: Fast Server-Aided RSA Signatures Secure Against Active Attacks. CRYPTO 1995: 57-69, but parameters need to be changed due to an attack by Nguyen–Stern (Asiacrypt 1998).
Better? Work in progress

New problem: “remote integrity” (better than Tripwire®?)
IICIS 2003: Deswarte, Q., Saïdane
PROVER (smart card): Id, M (secret)
VERIFIER: r!, A!, h(M), f(r,h(M))=R?
Diagram labels: Id, Surprise A, Response R
A lot of smart cards

Protocol for remote integrity
GENERAL INIT:
Let M = (content of the file), integer
n = pq (RSA modulus, 1024 bits) public: factorisation is secret
a = a random number, 1
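
The slide text breaks off after the choice of a, so the following is an added example, not code from the talk. It assumes the instantiation h(M) = a^M mod n, A = a^r mod n and f(r, h(M)) = h(M)^r mod n, so that the prover answers R = A^M mod n; the function names, the toy modulus and the sample file are constructed for illustration.

```python
import secrets

# Toy modulus (constructed): product of the Mersenne primes 2^61-1 and 2^89-1.
# The slide calls for a 1024-bit RSA modulus whose factorisation stays secret.
N = (2**61 - 1) * (2**89 - 1)


def as_int(data: bytes) -> int:
    """Interpret the file content M as one big integer."""
    return int.from_bytes(data, "big")


def verifier_init(data: bytes):
    """Run once while the file is known good: keep (a, h(M)), not the file."""
    a = secrets.randbelow(N - 3) + 2          # 1 < a < n - 1
    return a, pow(a, as_int(data), N)         # assumed h(M) = a^M mod n


def verifier_challenge(a: int):
    """Fresh secret r per check; only A = a^r mod n goes to the prover."""
    r = secrets.randbelow(N - 2) + 1
    return r, pow(a, r, N)


def prover_response(A: int, current_data: bytes) -> int:
    """The prover has to process the whole current file: R = A^M mod n."""
    return pow(A, as_int(current_data), N)


def verifier_check(r: int, h_m: int, R: int) -> bool:
    """Assumed f(r, h(M)) = h(M)^r mod n, which must equal R."""
    return pow(h_m, r, N) == R


def run_check(stored: bytes, served: bytes) -> bool:
    """One full round: init on `stored`, prover answers from `served`."""
    a, h_m = verifier_init(stored)
    r, A = verifier_challenge(a)
    return verifier_check(r, h_m, prover_response(A, served))


if __name__ == "__main__":
    good = b"ListenAddress 127.0.0.1\nPort 8080\n"   # constructed sample file
    print(run_check(good, good))                     # unmodified file
    print(run_check(good, good + b"Port 9999\n"))    # modified file
```

Because r is fresh for every check, a response recorded from an earlier round does not satisfy a later challenge, and the verifier only has to store a and h(M).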

Using bad primitives?
PROVER: k, h(), r1!, E(r1+r2) = R
VERIFIER: k, E(r1+r2) = R ?
Diagram labels: h(r1) (weak commitment); r2; Response R, r1
Bad random generator
Breakable hash function h()
E: resists linear crypto
E: bad for differential crypto

General conclusion
Thinking theoretically with strongly constrained objects sets interesting problems with practical results.
Many open problems.