Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Collision resistance Timing attacks on MAC verification Online Cryptography Course Dan Boneh.

Published byGiles Conley Modified over 8 years ago

Similar presentations

Presentation on theme: "Dan Boneh Collision resistance Timing attacks on MAC verification Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Collision resistance Timing attacks on MAC verification Online Cryptography Course Dan Boneh

2 Dan Boneh Warning: verification timing attacks [L’09] Example: Keyczar crypto library (Python) [simplified] def Verify(key, msg, sig_bytes): return HMAC(key, msg) == sig_bytes The problem: ‘==‘ implemented as a byte-by-byte comparison Comparator returns false when first inequality found

3 Dan Boneh Warning: verification timing attacks [L’09] Timing attack: to compute tag for target message m do: Step 1: Query server with random tag Step 2: Loop over all possible first bytes and query server. stop when verification takes a little longer than in step 1 Step 3: repeat for all tag bytes until valid tag found m, tag k accept or reject target msg m

4 Dan Boneh Defense #1 Make string comparator always take same time (Python) : return false if sig_bytes has wrong length result = 0 for x, y in zip( HMAC(key,msg), sig_bytes): result |= ord(x) ^ ord(y) return result == 0 Can be difficult to ensure due to optimizing compiler.

5 Dan Boneh Defense #2 Make string comparator always take same time (Python) : def Verify(key, msg, sig_bytes): mac = HMAC(key, msg) return HMAC(key, mac) == HMAC(key, sig_bytes) Attacker doesn’t know values being compared

6 Dan Boneh Lesson Don’t implement crypto yourself !

7 Dan Boneh End of Segment

Download ppt "Dan Boneh Collision resistance Timing attacks on MAC verification Online Cryptography Course Dan Boneh."

Similar presentations

Secure Pre-Shared Key Authentication for IKE

Secure Pre-Shared Key Authentication for IKE
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Python Mini-Course University of Oklahoma Department of Psychology Day 2 – Lesson 8 Fruitful Functions 05/02/09 Python Mini-Course: Day 2 - Lesson 8 1.

Python Mini-Course University of Oklahoma Department of Psychology Day 2 – Lesson 8 Fruitful Functions 05/02/09 Python Mini-Course: Day 2 - Lesson 8 1.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Python Mini-Course University of Oklahoma Department of Psychology Day 4 – Lesson 15 Tuples 5/02/09 Python Mini-Course: Day 4 – Lesson 15 1.

Python Mini-Course University of Oklahoma Department of Psychology Day 4 – Lesson 15 Tuples 5/02/09 Python Mini-Course: Day 4 – Lesson 15 1.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Cryptography for Backup Navigation

Cryptography for Backup Navigation
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance Generic birthday attack Online Cryptography Course Dan Boneh.

Dan Boneh Collision resistance Generic birthday attack Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.
Dan Boneh Introduction What is cryptography? Online Cryptography Course Dan Boneh.

Dan Boneh Introduction What is cryptography? Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Intro. Number Theory Intractable problems Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Intractable problems Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google