© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice

Presentation transcript:

1 © UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice
Jean-Jacques Quisquater, jjq@dice.ucl.ac.be
Research Director CNRS, France and Université catholique de Louvain, Louvain-la-Neuve, Belgium
UCL Crypto Group, http://uclcrypto.org
Part of this work done while visiting scientist at MIT-CSAIL

2 CONTENTS
- Introduction
- Smart cards
- IBC
- Remote integrity
- Using bad primitives
- Conclusion

3 Goal of the talk: Show by examples that thinking with tamperproof and doing crypto with constrained objects is interesting for theoretical and practical purposes.

4 Short Story of Smart Cards
- René Barjavel (1966) « La nuit des temps » (Gondas)
- several inventors in USA (IBM - 1968), Japan, Germany, France
- Roland Moreno (F) pushed the right version (1974)
- Michel Ugon and Louis Guillou were the technical inventors (~ 1977)
- SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
- first DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
- first RSA: CORSAIR (Philips): 1989 (coprocessor)
- ... in some sense smart angel-in-the-box (Shai Halevi, yesterday).

5 Ring by Moreno (1974) and first smart card (1980)

6 The chip (IC) [figure labels: ROM; EEPROM flash memory; CPU; I/O; coprocessor DES – RSA – ECC; security logic; RAM; sensors; firewall; Reset; Ground; Volt; Clock]

7 A complete computer

8 Passive attacks [figure: chip with contacts CLK, GRD, VCC, RST, I/O]
1. timing
2. SPA-DPA
3. probing
4. measurements of radiation

9 Active fault attacks (Bellcore attack) Key=1010110...

11 Tamperproof model
- SENDER k (Alice): E(m)
- encrypted message: E(m)=10010100111
- RECEIVER k (Bob): D(E(m))=m

12 Tamperproof model => asymmetric crypto (DH-RSA – 1980 public)
- SENDER k (Alice): E(m); only able to encrypt
- E(m)=10010100111
- RECEIVER k (Bob): D(E(m))=m; only able to decrypt

13 Identification with identity-based crypto (Shamir 1984, Guillou 1984, Fiat-Shamir 1986)
- Authority (K): Id in, k out, with E(Id) = k
- PROVER (k, Id): E(r) = R
- VERIFIER (K): E(Id) = k, then E(r) = ? R
- Messages: Id (prover to verifier), Surprise r (verifier to prover), Response R (prover to verifier)

14 Identity-Based Encryption
- Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984: 47-53.
- Yvo Desmedt, Q.: Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?). CRYPTO 1986: 111-117.
- Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001: 213-229.
- Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues. LNCS, Proc. of the 8th IMA Intern. Conf. on Cryptography and Coding 2001: 360-363.

15 Hierarchical IBC? Was also done in 1984. The easy way: you iterate the process with cards being mother, daughter, granddaughter, and so on.
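
The identification exchange of slide 13 and the mother/daughter iteration of slide 15, as an added example that is not from the talk. It assumes HMAC-SHA256 as the keyed function E and a "/"-separated identity path; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

def E(key: bytes, data: bytes) -> bytes:
    # Stand-in for the slide's E: HMAC-SHA256 (assumption, not from the talk).
    return hmac.new(key, data, hashlib.sha256).digest()

def _name_ok(name: bytes) -> bytes:
    if not name or b"/" in name:
        raise ValueError("identity parts must be non-empty and contain no '/'")
    return name

class Card:
    """Prover: tamperproof card holding Id and k; k never leaves the card."""
    def __init__(self, identity: bytes, k: bytes):
        self.identity, self._k = identity, k

    def respond(self, r: bytes) -> bytes:
        return E(self._k, r)                          # R = E_k(r)

    def issue_child(self, name: bytes) -> "Card":
        # Iterated process: mother card derives the daughter's key from its own.
        return Card(self.identity + b"/" + _name_ok(name), E(self._k, name))

class Verifier:
    """Tamperproof verifier holding K; stores no per-card state."""
    def __init__(self, K: bytes):
        self._K = K

    def identify(self, card: Card) -> bool:
        k = self._K
        for part in card.identity.split(b"/"):        # k = E(...E(E_K(Id1), Id2)...)
            k = E(k, part)
        r = secrets.token_bytes(16)                   # surprise r, fresh per run
        return hmac.compare_digest(E(k, r), card.respond(r))

class Authority:
    """Holds master key K; personalises cards and verifiers."""
    def __init__(self):
        self._K = secrets.token_bytes(32)

    def issue_card(self, name: bytes) -> Card:
        return Card(_name_ok(name), E(self._K, name))

    def issue_verifier(self) -> Verifier:
        return Verifier(self._K)
```

The verifier can rebuild any card's key from the claimed Id alone, which is why it must be as tamperproof as the authority: extracting K from one verifier lets every card in the closed system be cloned.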

16 Tamperproof model useful?
- Sometimes proof of concept
- Sometimes useful to simulate public-key crypto in closed systems
- Yes, but we don’t know how to translate tamperproof into trapdoor in a crypto function.

17 First smart card (1980)

18 Security with two chips or with an unsecure server?
- One chip is tamperproof but slow; the other one is an unsecure memory or a fast unsecure processor, …
- Philippe Béguin, Q.: Secure Acceleration of DSS Signatures Using Insecure Server. ASIACRYPT 1994: 249-259
- Possible for ElGamal signatures with small memory
- RSA? See Philippe Béguin, Q.: Fast Server-Aided RSA Signatures Secure Against Active Attacks. CRYPTO 1995: 57-69, but parameters need to be changed due to an attack by Nguyen–Stern (Asiacrypt 1998).
- Better? Work in progress

19 New problem: “remote integrity” (better than Tripwire®?) IICIS 2003: Deswarte, Q, Saïdane
- PROVER (smart card): Id, M (secret)
- VERIFIER: r!, A!, h(M); f(r,h(M))=R?
- Messages: Id (prover to verifier), Surprise A (verifier to prover), Response R (prover to verifier)
- A lot of smart cards

20 Protocol for remote integrity
GENERAL INIT: Let M = (content of the file), integer n = pq (RSA modulus, 1024 bits) public: factorisation is secret, a = a random number, 1
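
One way to instantiate the challenge-response check f(r, h(M)) = R of slide 19 with the setup of slide 20, as an added example that is not from the talk. The slide text is cut off after the setup, so the choices h(M) = a^M mod n, A = a^r mod n and R = A^M mod n are assumptions, as are the demo modulus and all names.

```python
import secrets

# Constructed demo modulus from two Mersenne primes (trivially factorable).
# The slide calls for a 1024-bit n = pq whose factorisation stays secret.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q

def file_to_int(data: bytes) -> int:
    # Prefix 0x01 so that leading zero bytes in the file still change M.
    return int.from_bytes(b"\x01" + data, "big")

class Verifier:
    """Keeps only a and h(M) = a^M mod n; the reference file is not stored."""
    def __init__(self, reference: bytes, n: int = N):
        self.n = n
        self._a = secrets.randbelow(n - 3) + 2        # assumed range 1 < a < n-1
        self._hM = pow(self._a, file_to_int(reference), n)
        self._r = None

    def challenge(self) -> int:
        self._r = secrets.randbelow(self.n - 2) + 1   # fresh secret r
        return pow(self._a, self._r, self.n)          # surprise A = a^r mod n

    def check(self, R: int) -> bool:
        if self._r is None:
            return False                              # no challenge outstanding
        r, self._r = self._r, None                    # each r is used once
        return pow(self._hM, r, self.n) == R          # f(r, h(M)) = h(M)^r mod n

def prover_response(A: int, current: bytes, n: int = N) -> int:
    """The prover must process the whole current file: R = A^M mod n."""
    return pow(A, file_to_int(current), n)

def audit(verifier: Verifier, current: bytes) -> bool:
    # One full run: surprise A out, response R back, verdict.
    return verifier.check(prover_response(verifier.challenge(), current))
```

Because r changes on every run, a response recorded before the file was modified does not answer a later challenge, and the verifier's storage stays constant whatever the file size.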

21 Using bad primitives?
- PROVER (k, h()): r1!, E(r1+r2) = R
- VERIFIER (k): E(r1+r2) = R ?
- Messages: h(r1) (weak commitment) (prover to verifier), r2 (verifier to prover), Response R, r1 (prover to verifier)
- Bad random generator
- Breakable hash function h()
- E: resists linear cryptanalysis; E: bad against differential cryptanalysis

22 General conclusion: Thinking theoretically with strongly constrained objects sets interesting problems with practical results. Many open problems.

