The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009.

Slides:



Advertisements
Similar presentations
Chapter 3 Public Key Cryptography and Message authentication.
Advertisements

CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
White-Box Cryptography
Interlock Protocol - Akanksha Srivastava 2002A7PS589.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Copyright Justin Klein Keane InfoSec Training Encryption.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Full AES key extraction in 65 milliseconds using cache attacks
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN /09/2010 Sapienza University of Rome.
Computer Security CS 426 Lecture 3
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
By Jyh-haw Yeh Boise State University ICIKM 2013.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on “A Tutorial on Linear and Differential Cryptanalysis” by Howard Heys.] Modern block ciphers.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Class 7 Practical Considerations CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
BASIC CRYPTOGRAPHIC CONCEPTS. Public Key Cryptography  Uses two keys for every simplex logical communication link.  Public key  Private key  The use.
Honey Encryption: Security Beyond the Brute-Force Bound
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
An Offloaded Dynamic Taint Analysis Approach for Privacy Leakage Detection on Android Hui Xu 1.
1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.
Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
Lecture 2: Introduction to Cryptography
Chapter 11 Message Authentication and Hash Functions.
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
Chapter 9 Public Key Cryptography and RSA. Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender.
Prepared by Dr. Lamiaa Elshenawy
PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9 PUBLIC-KEY CRYPTOGRAPHY AND RSA – Chapter 9 Principles Applications Requirements RSA Algorithm Description.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
Linear Cryptanalysis of DES
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
Lecture 5 Page 1 CS 236 Online Key Management Choosing long, random keys doesn’t do you any good if your clerk is selling them for $10 a pop at the back.
Cryptography Against Physical Attacks Dana Dachman-Soled University of Maryland
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Computer Security Lecture 5 Ch.9 Public-Key Cryptography And RSA Prepared by Dr. Lamiaa Elshenawy.
Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
RSA Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
A plausible approach to computer-aided cryptographic proofs (a collection of thoughts) Shai Halevi – May 2005.
Cryptography and Network Security Chapter 13
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
Efficient Leakage Resilient Circuit Compilers
e-Health Platform End 2 End encryption
Semantic Security and Indistinguishability in the Quantum World
Cryptography Lecture 4.
The “Taint” Leakage Model
Presentation transcript:

The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009

Taint Common term in software security Any external input is tainted. A computation with a tainted input produces tainted output. Think tainted = “controllable” by adversary Untainted values are private inputs, random values you generate, and functions of untainted values. E.g. what values in browser depend on user input?

Proposed “Taint Leakage Model” Only computations with tainted inputs leak information. Adversary learns output and all inputs (even untainted ones) of a computation with a tainted input. Define a valued as spoiled if it is untainted but input to a computation with a tainted input. Examples: tainted values in red, spoiled values in purple clean values in black (untainted and unspoiled) – z = f(x,y)No leakage; clean inputs gives clean outputs – z = f(x,y) x tainted so z tainted & y spoiled – z = f(x,y) x clean & y spoiled so z clean Leakable iff tainted or spoiled Adversary can learn all tainted and spoiled values. Leakage may be unbounded or bounded. x y z f x y z f x y z f

Motivating Sample What attacks motivate this model? Various forms of chosen-input attacks, such as timing attacks or differential attacks. C = E K (M) Here K is spoiled, and thus leakable; this models timing attacks on K using adversary- controlled probes via control of M.

Model useful in building systems Clean zone Tainted zone adversary Zones can be implemented separately -- e.g. untainted on a TPM (or remote!) -- clean zone may include a random source, and can do computations (e.g. keygen) -- output could even be stored when independent of adversarial input (ref Dodis talk in this workshop) Private inputs Spoiled zone

Example Encrypting (tainted) message M with key K : – C = E K (M) K is spoiled and thus leaks (since M is tainted) – C = (R, S) where S = M xor Y and Y = E K (R)) K is not tainted or spoiled, thus protected S is tainted (since M is tainted) R is spoiled (since paired with tainted S ) (but known anyway) Y is spoiled (since M is tainted) Protect long-term keys by using random ephemeral working keys. (Can do similarly for signatures) Taint model more-or-less distinguishes between chosen- plaintext and known-plaintext attacks. Related to “on-line/off-line” primitives…

Relation to other models Incomparable… Adversary is weaker with taint model than with computational leakage, since values not depending on adversarial input don’t leak. Adversary is stronger than with bounded leakage models, since it is OK to leak all inputs and output of computation with tainted input. Taint model doesn’t capture all attacks (e.g. power-analysis, memory remanence attacks, …)

Discussion Contribution here is probably mostly terminology; model presumably implicit (or explicit?) in prior work. Results in taint leakage model may be easy in some cases (e.g. using empheral keys). (ref Dodis talk in this workshop) Goals typically should be that leakage does at most temporary damage…. What can be done securely in this model?

The End

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.