Presentation is loading. Please wait.

Presentation is loading. Please wait.

J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories."— Presentation transcript:

1 J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories Certco

2 Captured by Germans, along with radio and three message/ciphertext pairs Lauwers worked as radio operator for SOE, British underground during WW II Germans sought to mount “Funkspiel”, i.e., pass false messages to SOE Lauwers SOE made use of a kind of MAC

3 Subverting the Funkspiel u Germans demanded to know “MAC” u Lauwers had been instructed to introduce an error into 16th letter of every message as “MAC” u Lauwers made clever observation about his three messages: …………....stop….. Message 1: Message 2: …………....stop….. Message 3: ………….……..….. o o u e u Claimed that “MAC” involved corruption of ‘o’ in stop 16th letter

4 Subverting the Funkspiel u Germans were deceived u Allies were deceived

5 Modern cryptographer’s view Alice Bob Eve (Enemy)

6 Funkspiel scheme Alice Bob Eve

7 Step 1: Alice sends messages to Bob Alice Bob Eve message 1, MAC (message 1 ) message 2, MAC (message 2 ) message 3, MAC (message 3 )

8 Step 2: Alice changes key (maybe) Alice

9 Step 3: Eve steals Alice’s key Alice

10 Step 4: Eve impersonates Alice Bob Eve “I love you”, MAC (“I love you”)

11 Step 5: Bob determines whether Alice changed key MAC (“I love you”) She loves me? She loves me not?

12 What do we want? u Eve can’t tell whether Alice changed key –Even though Eve has seen MAC(message 1 ), MAC(message 2 ),... u Bob can tell whether Alice changed key

13 Related work u Forward-secure signature schemes –Attacker knows that key evolves u Distress PIN –No security against eavesdropper u Deniable encryption

14 A funkspiel scheme MAC key 0: MAC key 1: 01101010001110 01111100011 Problems: We need one bit for every MAC; Eve can cheat with small probability ???

15 Another funkspiel scheme (simplified) Problem: What if Eve sees Bob’s keying material? She can forge a MAC hh ??? ??

16 Asymmetric funkspiel scheme PK A SK A PK B SK B E PK_B (Sig SK_A [message]) PK A SK A ???

17 Asymmetric funkspiel scheme u Semantically secure encryption (e.g., El Gamal) ensures that Eve can’t test signature against SK u Key swap for Alice under El Gamal is efficient, e.g., she can randomize last 100 bits u If Eve sees Bob’s keys, she still can’t forge MAC u Scheme is less efficient than symmetric ones

18 Real-world funkspiel u Alice changes key when she senses Eve is attempting to break in (no coin flipping) u Bob tries to determine whether Alice sent “distress signal”, i.e., changed key

19 What this good for? u Tamper resistant hardware –Currently uses “zeroization” –Funkspiel schemes permit detection and tracing –Funkspiel schemes can give false sense of security or success to attacker –E.g., cash card

20 What this good for? u A honeypot with more sting Honeypot

21 Open issues u Power consumption –Many devices have only external power –What about DPA attacks? u How about, e.g., firewalls?

22 Questions? She loves me? She loves me not?

Download ppt "J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories."

Similar presentations

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.
Simple and Practical Anonymous Digital Coin Tracing

Simple and Practical Anonymous Digital Coin Tracing
Public Key Cryptosystem

Public Key Cryptosystem
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google