
1
© UCL Crypto group – October 2004 – DIMACS
Smart Theory Meets Smartcard Practice
Jean-Jacques Quisquater, Research Director CNRS, France, and Université catholique de Louvain, Louvain-la-Neuve, Belgium (UCL Crypto Group)
Part of this work was done while a visiting scientist at MIT-CSAIL.

2
© UCL Crypto group DIMACS talk
CONTENTS
- Introduction
- Smart cards
- IBC
- Remote integrity
- Using bad primitives
- Conclusion

3
© UCL Crypto group DIMACS talk
Goal of the talk: show by examples that thinking with tamperproof devices and doing crypto with constrained objects is interesting for both theoretical and practical purposes.

4
© UCL Crypto group – October 2004 – DIMACS - Smart Theory Meets Smartcard Practice
Short Story of Smart Cards
- René Barjavel (1966), « La nuit des temps » (Gondas)
- Several inventors in USA (IBM), Japan, Germany, France
- Roland Moreno (F) pushed the right version (1974)
- Michel Ugon and Louis Guillou were the technical inventors (~1977)
- SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
- First DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
- First RSA: CORSAIR (Philips): 1989 (coprocessor)
- ... in some sense a smart angel-in-the-box (Shai Halevi, yesterday)

5
© UCL Crypto group DIMACS talk Ring by Moreno (1974) and first smart card (1980)

6
© UCL Crypto group DIMACS talk
The chip (IC): ROM, EEPROM / flash memory, CPU, I/O, coprocessor (DES – RSA – ECC), security logic, RAM, sensors, firewall
Contacts: Reset, Ground, Volt, Clock

7
© UCL Crypto group DIMACS talk A complete computer

8
© UCL Crypto group DIMACS talk
Passive attacks (on the chip through its contacts CLK, GRD, VCC, RST, I/O):
1. timing
2. SPA-DPA
3. probing
4. measures of radiations

9
© UCL Crypto group DIMACS talk Active fault attacks (Bellcore attack) Key=

10
© UCL Crypto group DIMACS talk

11
© UCL Crypto group DIMACS talk
Tamperproof model
SENDER k (Alice): E(m)
RECEIVER k (Bob): D(E(m)) = m
encrypted message E(m)

12
© UCL Crypto group DIMACS talk
Tamperproof model => asymmetric crypto (DH-RSA – 1980 public)
SENDER k (Alice): E(m), only able to encrypt
RECEIVER k (Bob): D(E(m)) = m, only able to decrypt

13
© UCL Crypto group DIMACS talk
Identification with identity-based crypto (Shamir 1984, Guillou 1984, Fiat-Shamir 1986)
Authority (K): computes E(Id) = k under K and loads Id and k into the card
PROVER (k, Id): sends Id, receives the surprise r, answers with the response R = E(r) under k
VERIFIER (K): recomputes E(Id) = k under K and checks E(r) =? R

14
© UCL Crypto group DIMACS talk
Identity-Based Encryption
- Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984
- Yvo Desmedt, Q.: Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?). CRYPTO 1986
- Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001
- Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues. LNCS, Proc. of the 8th IMA Intern. Conf. on Cryptography and Coding, 2001

15
© UCL Crypto group DIMACS talk
Hierarchical IBC? Was done also in 1984. The easy way: you iterate the process with cards being mother, daughter, granddaughter, and so on.
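The identification exchange of slide 13, extended to the iterated (hierarchical) derivation of slide 15, as an added example that is not code from the talk. It assumes HMAC-SHA256 as the keyed primitive E, byte-string identities and a 16-byte surprise r; all key and identity values are constructed.

```python
import hashlib
import hmac
import secrets

# Stand-in for the slide's keyed primitive E: E_key(x) = HMAC-SHA256(key, x).
# This is an assumption of the example; the talk leaves E as a generic cipher.
def E(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_card_key(master: bytes, path: list) -> bytes:
    """Authority step k = E_K(Id), iterated along a chain of identities.
    A one-element path is the flat scheme of slide 13; a longer path is the
    hierarchical scheme of slide 15 (mother, daughter, granddaughter, ...),
    each card deriving its child's key from its own key."""
    key = master
    for identity in path:
        key = E(key, identity)
    return key

def prover_response(card_key: bytes, challenge: bytes) -> bytes:
    """Card step: R = E_k(r) for the verifier's surprise r."""
    return E(card_key, challenge)

def verify(master: bytes, path: list, challenge: bytes, response: bytes) -> bool:
    """Verifier step: recompute k from the claimed identity chain under the
    master key K (so the verifier must itself be tamperproof) and compare
    E_k(r) with the received R."""
    expected = prover_response(derive_card_key(master, path), challenge)
    return hmac.compare_digest(expected, response)

def run_session(master: bytes, claimed_path: list, card_key: bytes) -> bool:
    """Full exchange: card sends its Id chain, verifier sends surprise r,
    card answers R = E_k(r), verifier checks. Returns the verifier's verdict."""
    r = secrets.token_bytes(16)                  # the verifier's surprise
    R = prover_response(card_key, r)             # computed inside the card
    return verify(master, claimed_path, r, R)

if __name__ == "__main__":
    # Constructed sample values: a master key and a two-level card hierarchy.
    K = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    mother = derive_card_key(K, [b"issuer"])
    daughter = derive_card_key(K, [b"issuer", b"card-0042"])
    print("mother accepted:   ", run_session(K, [b"issuer"], mother))
    print("daughter accepted: ", run_session(K, [b"issuer", b"card-0042"], daughter))
    print("wrong Id rejected: ", not run_session(K, [b"issuer", b"card-0043"], daughter))
```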

16
© UCL Crypto group DIMACS talk
Tamperproof model useful? Sometimes a proof of concept; sometimes useful to simulate public-key crypto in closed systems. Yes, but we don’t know how to translate tamperproof into a trapdoor in a crypto function.

17
© UCL Crypto group DIMACS talk First smart card (1980)

18
© UCL Crypto group DIMACS talk
Security with two chips or with an unsecure server?
- One chip is tamperproof but slow; the other one is an unsecure memory or a fast unsecure processor, …
- Philippe Béguin, Q.: Secure Acceleration of DSS Signatures Using Insecure Server. ASIACRYPT 1994: possible for ElGamal signatures with small memory
- RSA? See Philippe Béguin, Q.: Fast Server-Aided RSA Signatures Secure Against Active Attacks. CRYPTO 1995: but parameters need to be changed due to an attack by Nguyen–Stern (Asiacrypt 1998).
- Better? Work in progress

19
© UCL Crypto group DIMACS talk
New problem: “remote integrity” (better than Tripwire®?) IICIS 2003: Deswarte, Q., Saïdane
PROVER (smart card: Id, M secret): sends Id, receives the surprise A, returns the response R
VERIFIER (r!, A!, h(M)): checks f(r, h(M)) = R?
A lot of smart cards

20
© UCL Crypto group DIMACS talk
Protocol for remote integrity
GENERAL INIT: Let M = (content of the file), integer n = pq (RSA modulus, 1024 bits) public; factorisation is secret; a = a random number, 1

21
© UCL Crypto group DIMACS talk
Using bad primitives?
PROVER (k, h(), r1!): sends h(r1) (weak commitment), receives r2, sends the response R = E(r1+r2) together with r1
VERIFIER (k): checks E(r1+r2) = R?
Assumed primitives: bad random generator; breakable hash function h(); E resists linear cryptanalysis but is bad for differential cryptanalysis
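The commit-then-challenge exchange of slide 21, as an added example rather than code from the talk. It assumes SHA-256 for h, HMAC-SHA256 for E, XOR as the "+" on 16-byte r1 and r2, and lets the prover's random source be swapped for a poor one, so both verifier checks (r1 opens the earlier commitment, R is correct under k) can be exercised with good and degraded inputs.

```python
import hashlib
import hmac
import secrets

# Stand-ins, all assumptions of this example: the slide's E is HMAC-SHA256 under
# the shared key k, h is SHA-256, and "r1+r2" is the XOR of two 16-byte strings.
def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def E(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()

def add(r1: bytes, r2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(r1, r2))

class Prover:
    """Holds k and its own random source, which may be poor as the slide assumes."""
    def __init__(self, k: bytes, rng=secrets.token_bytes):
        self.k, self.rng, self.r1 = k, rng, None

    def commit(self) -> bytes:
        self.r1 = self.rng(16)
        return h(self.r1)                    # weak commitment h(r1), sent first

    def respond(self, r2: bytes):
        return E(self.k, add(self.r1, r2)), self.r1   # response R and the opened r1

class Verifier:
    def __init__(self, k: bytes):
        self.k, self.commitment, self.r2 = k, None, None

    def challenge(self, commitment: bytes) -> bytes:
        self.commitment = commitment
        self.r2 = secrets.token_bytes(16)    # verifier's share of the randomness
        return self.r2

    def check(self, R: bytes, r1: bytes) -> bool:
        # r1 must be the value committed to before r2 was revealed ...
        if not hmac.compare_digest(h(r1), self.commitment):
            return False
        # ... and R must equal E_k(r1 + r2) under the shared key.
        return hmac.compare_digest(E(self.k, add(r1, self.r2)), R)

def run(k: bytes, prover_rng=secrets.token_bytes) -> bool:
    """One full exchange: h(r1) -> verifier, r2 -> prover, (R, r1) -> verifier."""
    p, v = Prover(k, prover_rng), Verifier(k)
    r2 = v.challenge(p.commit())
    R, r1 = p.respond(r2)
    return v.check(R, r1)
```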

22
© UCL Crypto group DIMACS talk
General conclusion: thinking theoretically with strongly constrained objects sets interesting problems with practical results. Many open problems.
