Presentation is loading. Please wait.

Presentation is loading. Please wait.

"The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory.

Published byAnis Houston Modified over 9 years ago

Similar presentations

Presentation on theme: ""The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory."— Presentation transcript:

1 "The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory

2 n (modulus) = product of secret primes p and q e (public key) = relatively prime to (p-1)(q-1) d (private key) = e -1 mod ((p-1)(q-1))) Encrypt c=m e mod n Decrypt m=c d mod n Eve gets ciphertext message c from Alice, wants to read it i.e., she wants to find m = c d mod n Choose random r < n, and use Alice’s public key e x=r e mod n y=xc mod n t=r -1 mod n Note if x=r e mod n, then r=x d mod n ! Eve tricks Alice into encrypting (signing) y with her d Alice sends Eve u=y d mod n Eve then calculates tu mod n = r -1 y d mod n = r -1 x d c d mod n = c d mod n = m 2 Chosen ciphertext attack against RSA -Schneier

3 ECRYPT 2012 Key Length Advice 3 See www.keylength.com/en/3

4 Captured One-Time Pads

5 Russian One-Time Pad captured by MI5 5

6 Don’t reuse those one-time pads! If C1=P1  K1 C2=P2  K1 C3=P3  K1 Then try C1  C2 => P1  K1  P2  K1 => P1  P2 C1  C3 => P1  K1  P3  K1 => P1  P3 C2  C3 => P2  K1  P3  K1 => P2  P3 and (P1  P2)  (P1  P3) => (P2  P3) (P1  P2)  (P2  P3) => (P1  P3) … 6

7 7 + + +    From Rick Smith: http://cryptosmith.com/archives/70 Don’t reuse those one-time pads!

8 Key? What Key? Alice encrypts: P  K=>C Bob knows the key and decrypts: C  K=>P They agree on a dummy plaintext D and if they’re ever captured, they will give up the key K’=C  D If the authorities decrypt C  K’ => D 8

9 Case study: Heartbleed SSL Bug http://xkcd.com/1353/ struct { HeartbeatMessageType type; uint16 payload_length; uchar payload [HeartbeatMessage.payload_length]; uchar padding[padding_length]; } HeartbeatMessage; 9

10 10

11 Power Analysis 11

12 Simple Power Analysis: `DES Parity Check DES-CheckParity(byte Key[8]) for i = 8 down to 1 parity=0; for j = 8 down to 1 if (bit j of Key[i] is set) // CONDITIONAL parity = parity+1 // OPERATION endif endfor if (parity is even) parity_error(); endfor end DES-CheckParity 12

13 SPA Attack on DES-Parity 13

14 EM History Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org. http://www.cryptome.org Published work – EM Leakages from Peripherals, E.g., Monitors: Van Eck, Anderson & Kuhn. – EM Leakage from smart-cards during Computation. J.-J. Quisquater & David Samyde, E-smart 2001, Gemplus Team [GMO ’01], CHES ’01. – SEMA/DEMA attacks. Best results require "decapsulation" of chip packaging and/or precise micro-antennas positioning on chip surface

15 Rao et.al.’s Work` Deeper understanding of the EM leakages. – Similar to declassified TEMPEST literature. Key Insights/Results – Plenty of EM signals are available, provided you know what to look for and where. Superior signals and attacks possible without micro- antennas or decapsulation. Some attacks possible from a distance. – EM side-channel(s) >> Power side-channel EM can break DPA-resistant implementations.

16 EM Emanations Background Origin/Types of EM Emanations – Direct emanations from intended currents. Maxwell’s equations, Ampere’s and Faraday’s laws. – Unintentional emanations from coupling effects. Depend on physical factors, e.g., circuit geometry. Most couplings ignored by circuit designers. Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in device. – AM or Angle (FM/Phase) Modulation. Compromising signals available via demodulation. Propagation of EM – Radiation, Conduction, Combination of both. E.g., Faint EM signals riding on power line.

17 EM Capturing Equipment Antennas (Far-field) and Near-field probes Current probes. Analog processing: Filters/Amplifiers, Tunable wideband receiver or equivalent $$ Digital sampling hardware.

18 ICOM wideband radio receiver with IF output

19 MAKE YOUR OWN

20 EM vs. Power Sometimes, EM is the only side-channel available. – Filtered power supplies, restricted access… – E.g. Crypto Tokens, SSL Accelerators,...

21 Time (10ns) Amplitude EM Signal from SSL Accelerator S at 15 feet

22 EM vs. Power Is EM useful in the presence of power? Yes, several EM carriers: Generated, Ambient, Introduced… – Experimentally verified: Different carriers carry different information. Some EM leakages substantially different from Power leakages.

23 Bad Instructions Instructions where some EM leakage >> Power leakage. Typically CPU intensive rather than bus intensive. All architectures have BAD Instructions. Example: Bit-test on several 6805 based systems leaks tested bit.

24 EM Attack Example 2 signals, different data, same exp & modulus 24

25 O TESTED BIT = 0 IN BOTH TRACES

26 O TESTED BIT DIFFERENT

27 Countermeasures Require sound vulnerability assessment. Countermeasures include: – Circuit redesign to reduce unintentional emanations. – Reducing S/N ratio EM Shielding Noise introduction Physically secure zones. – Randomization based software countermeasures similar to DPA countermeasures.

Download ppt ""The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory."

Similar presentations

The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory.

"The generation of random numbers is too important to be left to chance.” 1 -- Robert R. Coveyou Oak Ridge National Laboratory.
Power, EM and all that: Is your crypto device really secure? Pankaj Rohatgi Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R Rao IBM T.J. Watson.

Power, EM and all that: Is your crypto device really secure? Pankaj Rohatgi Dakshi Agrawal, Bruce Archambeault, Suresh Chari, Josyula R Rao IBM T.J. Watson.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.

CPS 290 Computer Security Heartbleed Bug Key Exchange RSA Analysis RSA Performance CPS 290Page 1.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 # Public/Private Keys = 2 n.

A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 # Public/Private Keys = 2 n.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.

Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Quantum Cryptography Marshall Roth March 9, 2007.

Quantum Cryptography Marshall Roth March 9, 2007.
Public Key Cryptography

Public Key Cryptography
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Similar presentations

Ads by Google