Use or disclosure of the contents of this page is restricted by the terms on the notice page Intel Strategy for Post Quantum Crypto Ernie Brickell Presentation.

Slides:



Advertisements
Similar presentations
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Chapter 14
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Bob can sign a message using a digital signature generation algorithm
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Chapter 10: Authentication Guide to Computer Network Security.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Storage & Revoking.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 3: VPN and Encryption Technology.
The Cryptographic Sensor FTO Libor Dostálek, Václav Novák.
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
Chapter 21 Public-Key Cryptography and Message Authentication.
Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Wireless and Mobile Security
Cryptography and Network Security Chapter 14
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Manu Drijvers, Joint work with Jan Camenisch, Anja Lehmann. March 9 th, 2016 Universally Composable Direct Anonymous Attestation.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Hardware-rooted Trust for Secure Key Management & Transient Trust
Trusted Computing and the Trusted Platform Module
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
Trusted Computing and the Trusted Platform Module
Tutorial on Creating Certificates SSH Kerberos
Information Security message M one-way hash fingerprint f = H(M)
ICS 454 Principles of Cryptography
Information Security message M one-way hash fingerprint f = H(M)
ICS 454 Principles of Cryptography
Aimee Coughlin, Greg Cusack, Jack Wampler, Eric Keller, Eric Wustrow
SPIRAL: Security Protocols for Cerberus
Presentation transcript:

Use or disclosure of the contents of this page is restricted by the terms on the notice page Intel Strategy for Post Quantum Crypto Ernie Brickell Presentation to PQCrypto 2016 © 2016 Intel Corporation

Intel Labs Research – Not Intel product plans 2 Goal: Intel products must survive quantum computers Problem: Quantum computers may come into existence sometime between 2030 and Intel products currently use crypto that would be broken by quantum computers Goal: Intel products produced in the early 2020’s would survive if quantum computing came into existence during their lifetime.

Intel Labs Research – Not Intel product plans 3 Disclaimer & Request This presentation contains information about certain research efforts by Intel Labs. Currently, there is no product plan to implement these research efforts, which is subject to change without notice. Motivation for presentation: Motivate priorities for standards and research for Post Quantum Crypto Request: Feedback on the current proposals

Intel Labs Research – Not Intel product plans 4 Use of Crypto inside Intel products Verified Boot, including FW load FW update Sealed Secrets Memory Encryption Attestation Secure Key communication between factory and Secure Servers DRM

Intel Labs Research – Not Intel product plans 5 Cryptographic Assumptions Must have a symmetric encryption algorithm and a hash function Easy part of strategy: Replace all use of symmetric crypto with AES-256 Replace all use of cryptographic hash with SHA2 or SHA Security Goal: Minimize need for any other crypto assumptions AlgorithmAttackOps on Classical Computer Ops on Quantum Computer AES – 256 bit keyCryptanalysis SHA2 or SHA3 – 384 bit hash Find Pre-image Find Collision with RAM For all Intel uses of crypto that cannot be modified in the field, are these minimal crypto assumptions sufficient?

Intel Labs Research – Not Intel product plans 6 Likely Implementation Assumption Hash based signatures are great. Digital Signatures where only cryptographic assumption is security of hash algorithm. However, implementation risk for signer due to managing state MUST use each key at most once. MUST maintain state for which keys were used. Stateless hash based signatures exist, but are very inefficient. Implementation Assumption: For the uses of hash based signatures for non-modifiable usages, the signer will manage state robustly.

Intel Labs Research – Not Intel product plans 7 Standards Risks to Intel: We implement something before standards evolve, and standards go a different direction. Standards are not optimal for our usages We implement a standard and the standard changes. We would like world wide standards. We would like standards soon. Uncertainty: Will the stateful hash based signatures be approved by standards bodies due to the risk of implementation error?

Intel Labs Research – Not Intel product plans 8 Verified Boot Verified boot is validating a signature on FW and or SW during the boot of a platform. Algorithm requirements Multiple components to verify during boot Time to verify is critical Updates to boot components are rare Time to sign is not critical Small number of signatures in lifetime of platform Verified boot algorithm is not field upgradable Conclusion: Stateless Hash based signatures are not an option because of the lengthy verification time. Stateful hash based signatures with limits on number of signatures is a good option. Concern: Implementation errors in maintaining state. Most efficient option is local conversion of a signature to a unique keyed MAC in a local isolated execution environment.

Intel Labs Research – Not Intel product plans 9 Isolated Execution Environment Typical attack surface HW – CPU, Chipset, Devices FW – BIOS, Chipset, Devices VMM OS App Provides execution of code that is protected from some of the SW, FW, HW on the platform ACM – Authenticated Code Module Available only to Intel HW – CPU App ME / CSE – Converged Security Engine Available only to Intel HW –Chipset RTOS on CSE App Intel® Software Guard Extensions (Intel® SGX). Available to others HW – CPU App - Intel implementations Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

Intel Labs Research – Not Intel product plans 10 Conversion of signature to local MAC Properties: Have a “Boot Key,” a unique symmetric key on processor, not known outside the processor. At boot time: During boot, the processor uses the Boot Key to produce and check a MAC to verify code for execution. Conversion to MAC: Have a “Conversion App” in an Isolated Execution Environment with the rights to access the Boot Key. When the platform gets an updated signed boot code segment, the platform launches the Conversion App, which Attempts to verify the signature. If verified, creates a MAC of this boot code using the Boot Key. Conclusion: With this method, the signature verification time is much less relevant The stateless hash based signatures would thus be a possibility for many devices Could verify multiple signatures in the Conversion App.

Intel Labs Research – Not Intel product plans 11 Attestation keys Keys on processor used to Prove that the processor is an Intel processor Used to sign properties of some software environment on the platform Could be entire BIOS and VMM and OS. Could be the code in an Isolated Execution Environment Could be the hash of the software, or a public key that was used to verify a signature of the software. There could be privacy properties in the signature scheme. Requirement for attestation: Intel must certify the public key used to verify attestation signatures.

Intel Labs Research – Not Intel product plans 12 Attestation public key certification requirement Currently met using a secure communication between an Intel Secure Facility and each manufacturing site. Different methods Keys generated at Intel Secure Facility and shipped to factory Shared secret generated at Intel Secure Facility and shipped to factory for later use to authenticate device for provisioning of attestation keys.

Intel Labs Research – Not Intel product plans 13 Key Exchange for secure communication from factory floor to Intel server Risks Use multiple couriersHuman compromise of all couriers PQC key exchange – optimized for security – perhaps McEliece or MDPC Additional Crypto assumption Quantum crypto key exchangePotential implementation vulnerability, Key exchange between quantum crypto termination and factory floor Alternate solution: Remove need for secure communication, and thus additional crypto assumption. Perhaps cryptographic combo of first two of the above methods.

Intel Labs Research – Not Intel product plans 14 Removing need for secure communication to factories Fundamental idea: Generate public private key pair on the part during manufacturing Sign the public key on the manufacturing floor and send to Intel secure facility Cost reality: Time powering a individual part in manufacturing is really expensive Easy theoretical solution today: Generate an RSA key pair on the part Not a practical solution: Generating an RSA key pair takes too long Random time per part on manufacturing floor is craziness More practical solution: Generate a DSA or ECDSA key pair on the part Not PQ secure PQ Secure solution: Generate a Hash Based Signature key pair on the part Limited in number of signatures

Intel Labs Research – Not Intel product plans 15 Removing need for secure communication to factories in Post Quantum Computing World (Joint work with Rachid ElBansarkhani) Method 1: 1.Generate a one time (or several time) hash based signature on manufacturing floor. 2.Export public key and sign on manufacturing floor 3.Send to Intel Secure Facility 4.Later, generate a multi-time public key 5.Sign the multi-time public key with the one time key for certification. 6.With a several time hash based signature in step 1, could repeat steps 4 and 5 several times. Method 2: 1.Generate a random secret and one way function of secret on the manufacturing floor. 2.Export output and sign output on manufacturing floor 3.Send to Intel Secure Facility 4.Later, generate a multi-time public key 5.Authenticate the multi-time public key with the knowledge of the pre-image of the OWF 6.With an iterated OWF in step 1, i.e. C 0 = Rand, C k = OWF(C k-1 ), could repeat steps 4 and 5 several times.

Intel Labs Research – Not Intel product plans 16 Attestation and Privacy: Review of Digital Anonymous Attestation (DAA) (B, Camenisch, Chen) and Intel® Enhanced Privacy ID (Intel® EPID) (B, Li) DAA / EPID is a digital signature scheme with privacy properties Join protocol allows a member to obtain a private key which the issuer does not know Anonymous: Even Issuer cannot open a signature and identify the signer DAA/ EPID pub-key pvt-key 1 Sign Message DAA / EPID Signature Verify Message, DAA / EPID Signature True / False pvt-key n pvt-key 2 … Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

Intel Labs Research – Not Intel product plans 17 Privacy Features and Revocation DAA/EPID During a sign process, the Device generates a pseudonym, a pair (b, b f ), that is cryptographically tied to the signature. f is a component of the private key of the signer Modes of EPID signatures Random base: b is chosen at random by the device. –Signatures are unlinkable Name Base: – b is chosen by the verifier –Signatures using same name base are linkable, as pseudonym (b, b f ) is the same if b and f are both the same. –Signatures still unlinkable with different names. Revocation Known Private key revocation (DAA and EPID) Verifier blacklisting using name base (DAA and EPID) Signature based revocation (EPID only) When signing, signer proofs that his f was not the one used in a revoked pseudonym

Intel Labs Research – Not Intel product plans 18 Importance of EPID to Intel We use EPID for providing attestation for our Isolated Execution Environments: CSE and SGX. We have announced that we will be promoting EPID as an industry wide standard for providing security and privacy in IoT.

Intel Labs Research – Not Intel product plans 19 Attestation with Privacy – Post Quantum Current EPID / DAA algorithms based on RSA, Discrete logs, or ECC We have found no PQC method to replace EPID or DAA. Options: Digital signature without privacy – Lattices or hash based Two options for privacy Trusted Third Party Group signatures where issuer can open any signature Lattice based group signatures are not efficient with large groups Hash based group signature scheme is efficient, but stateful. New result from Rachid ElBansarkhani and Rafael Misoczki

Intel Labs Research – Not Intel product plans 20 Attestation keys - Summary Create few (k) time authentication key for authenticating to Intel Timing – During Manufacturing Algorithm – Not field updateable Key – Not field updateable Create many time signature key for authenticating to Intel Timing – After Manufacturing Algorithm – Not field updateable Key – Field updateable k times Create anonymous signature key for general attestation Timing – After Manufacturing Algorithm – Field updateable Key – Field updateable many times Authenticate

Intel Labs Research – Not Intel product plans 21 Use of Crypto inside Intel products Verified Boot, including FW load Hash based signatures and MAC FW update Hash based signatures Sealed Secrets AES Memory Encryption AES Attestation Hash based signatures and Hashes for non updateable portion Looking for better solution for updateable portion Secure Key communication between factory and Secure Servers Removed this requirement DRM Uses attestation, then updateable algorithms provided by DRM industry For all Intel uses of crypto that cannot be modified in the field, are these minimal crypto assumptions sufficient? Yes!

Intel Labs Research – Not Intel product plans 22 Additional Intel requirements Want standards for crypto for wireless and internet protocols that minimize resources, especially power and memory.

Intel Labs Research – Not Intel product plans 23 Request for standards and research Would like to see standards produced that are appropriate for: Stateful hash based signatures used for verified boot Stateless hash based signatures used for conversion to local MAC for verified boot Key exchange where long term security is imperative and efficiency doesn’t matter to use between factory and secure facility Maintaining security of internet using algorithms efficient in hardware and small devices Would like research to solve the following: PQC alternatives to EPID Reduce risk of vulnerabilities in implementation of PQC algorithms Convincing evidence that we can trust PQC algorithms other than hash and symmetric, especially RLWE Intel is sponsoring PQC research at TU Darmstadt, U. Sao Paulo, and previously at National Taiwan University

Intel Labs Research – Not Intel product plans 24 Questions? Comments?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.