
Future Cryptography: Standards Are Not Enough Tomáš Rosa Decros-ICZ, CTU FEE



2 Future Cryptography: Standards Are Not Enough
Tomáš Rosa, Decros-ICZ, CTU FEE, tomas.rosa@decros.cz

3 Abstract Description Versus the Reality
(Diagram: the attacker faces a cryptographic device holding keys and other sensitive values; the device takes input data and produces output data; inside it sits the inner cryptosystem.)

4 Abstract Description Versus the Reality
(Same diagram as slide 3, now with side channels drawn from the device to the attacker in addition to the planned input and output.)

5 Side Channels
Definition (side channel)
- An unplanned channel through which a cryptographic device exchanges information with its surroundings.

6 Side Channels
Analysis of the side channel
- The process of extracting useful information from a particular side channel.
Attack based on the side channel
- The process of using the analysis of a particular side channel against a given cryptographic device.

7 Side Channels
Types of side channels (SC)
- Time SC
- Power SC
- Electromagnetic SC
- Fault SC
- Kleptographic SC

8 Side Channels
The effectiveness of attacks based on side channels usually comes from the "cooperation paradox":
- Cryptologists know that information coming from the side channel would be dangerous, but they never expected that such a side channel would exist.
- Technical designers know that such a side channel exists, but they never expected that its existence would be dangerous.

9 Oracle Based Analysis (OBA)
It is important to discuss this technique, because:
- It underlies all major types of power and time analysis.
- It allows us to develop the OBA Fundamental Hypothesis, which can be used to derive useful general countermeasures.

10 Oracle Based Analysis (OBA)
Proposition 1. Let I be the input set and let S be the particular side channel, giving for each input message n-dimensional real information, S: I → R^n.
Definition 2. The oracle is represented by the transformation O: I → B, where B = {0, 1}.

11 Oracle Based Analysis (OBA)
Proposition 2. Let I_m ⊆ I be a subset such that for each x ∈ I_m we know the corresponding value of S(x).

12 Oracle Based Analysis (OBA)
Proposition 3. The value of the oracle O splits the set I_m into two disjoint subsets I_1, I_2, such that for each x ∈ I_m we have: x ∈ I_1 iff O(x) = 1 and x ∈ I_2 iff O(x) = 0.
Next we define the transformations S_1, S_2 such that S_1: I_1 → R^n, S_2: I_2 → R^n, S_1(x) = S(x), S_2(x) = S(x).
By S_1 or S_2 we also mean the random variables taking values in R^n (the side-channel information restricted to I_1 and I_2 respectively).

13 Oracle Based Analysis (OBA)
Proposition 3 (cont.).
- (cond = false): d(S_1, S_2) ≤ ε
- (cond = true): d(S_1, S_2) ≫ ε,
for some ε ∈ R, ε ≥ 0. Here d(S_1, S_2) is shorthand for the distance between the selected characteristics of S_1 and S_2: the characteristic maps an n-dimensional random variable to a point of R^n (for example its mean vector), and d denotes an appropriate metric on R^n (d: R^n → R).

14 OBA Fundamental Hypothesis
The possibility of an OBA-based attack implies the existence of some intermediate variable whose value:
- is a function of the input data and the secret key;
- can be predicted (from the knowledge of the input data and some part of the key).

15 OBA Fundamental Hypothesis
Sketch of the proof
- The oracle itself can represent such a variable.
Corollary
- Avoiding the existence of such a variable is an efficient countermeasure against OBA-based attacks.
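The following is an added example (not part of the original talk) that runs Propositions 1 to 3 and the Corollary on a simulated device. The device, the leakage model and the secret are all constructed for the demonstration: it computes y = SBOX[x XOR k] with the 4-bit PRESENT S-box and leaks the Hamming weight of y plus Gaussian noise (that is S: I → R with n = 1). The oracle O(x) answers 1 when the intermediate value predicted from a key guess has high Hamming weight; the characteristic is the mean and the metric is the absolute difference. With the correct guess the two groups separate (cond = true); with a wrong guess they do not. The second device masks the intermediate value with a fresh random nibble each time, so the variable the oracle predicts no longer exists and the distance collapses for every guess, which is the Corollary's countermeasure.

```python
"""Oracle-based analysis against a simulated 4-bit S-box device.

Constructed toy model (added example, not the paper's code). Assumptions:
the device computes y = SBOX[x ^ SECRET_KEY] and leaks HW(y) + noise;
the masked variant only ever touches y ^ r for a fresh random r.
"""
import random

# PRESENT S-box (a published 4-bit S-box, used only as a small nonlinear map)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SECRET_KEY = 0xB      # constructed secret nibble
N_TRACES = 16000      # size of I_m (inputs with known S(x))
NOISE_SIGMA = 0.8     # constructed measurement noise


def hw(v):
    """Hamming weight of a small integer."""
    return bin(v).count("1")


def leak(value, rng):
    """Side channel S: one real number per input (HW plus Gaussian noise)."""
    return hw(value) + rng.gauss(0.0, NOISE_SIGMA)


def collect(masked, seed=1):
    """Simulate the device on random inputs; return [(x, S(x)), ...]."""
    rng = random.Random(seed)
    traces = []
    for _ in range(N_TRACES):
        x = rng.randrange(16)
        y = SBOX[x ^ SECRET_KEY]
        if masked:
            y ^= rng.randrange(16)   # fresh mask: y itself never appears
        traces.append((x, leak(y, rng)))
    return traces


def oracle(x, key_guess):
    """O: I -> {0,1}. 1 when the predicted intermediate has HW >= 3."""
    return 1 if hw(SBOX[x ^ key_guess]) >= 3 else 0


def distance(traces, key_guess):
    """d(mean(S_1), mean(S_2)) for the split induced by the oracle."""
    s1 = [s for x, s in traces if oracle(x, key_guess) == 1]
    s2 = [s for x, s in traces if oracle(x, key_guess) == 0]
    if not s1 or not s2:
        return 0.0
    return abs(sum(s1) / len(s1) - sum(s2) / len(s2))


def best_guess(traces):
    """Return (key guess with the largest distance, all distances)."""
    dists = {k: distance(traces, k) for k in range(16)}
    return max(dists, key=dists.get), dists


if __name__ == "__main__":
    key, dists = best_guess(collect(masked=False))
    print("unmasked device: best guess %#x, distance %.2f" % (key, dists[key]))
    key_m, dists_m = best_guess(collect(masked=True))
    print("masked device:   largest distance %.2f" % max(dists_m.values()))
```

On the unmasked device the correct guess gives a distance of about 1.7 (the expected gap between the two predicted groups) while wrong guesses stay below about 1.5; on the masked device every guess stays near zero, since the leaking value is independent of the predicted one.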

16 Fault Analysis
- A message sent from the attacker to the device opens up a side channel from the device back to the attacker.
- The most dangerous techniques are often based on simple (but smart) mathematical observations.
- A discussion of particular FA-based attacks on RSA follows.

17 Fault Analysis RSA
Lemma 1. Let x, y, n ∈ Z, where n = p·q with p, q both primes, x ≡ y (mod p) and x ≢ y (mod q). Then p is easy to compute as p = gcd(x − y, n).
- The question remains: how to find such a pair (x, y)?
- The computation of an RSA signature based on the Chinese Remainder Theorem (CRT) is a good place to look for inspiration…

18 Fault Analysis RSA
Let the quintuple (p, q, d_p, d_q, pInv) be the RSA private key (pInv = p^(−1) mod q) and let m be the formatted message to sign, m ∈ Z_n. Then the signature s can be computed in the following steps:
1. s_p = m^(d_p) mod p
2. s_q = m^(d_q) mod q
3. h = pInv · (s_q − s_p) mod q
4. s = s_p + p·h

19 Fault Analysis RSA
By disturbing the computation of a particular signature, we can obtain a faulty value s_faulty such that:
- s_faulty ≡ m^d (mod p)
- s_faulty ≢ m^d (mod q)

20 Fault Analysis RSA
Now we can do:
- Signature-Signature attack: we exploit the known value of the correct signature s_good. It holds that s_faulty ≡ s_good (mod p) and s_faulty ≢ s_good (mod q).
- Known Message-Signature attack: if we know the value of m, we can use the easily derived congruences s_faulty^e ≡ m (mod p) and s_faulty^e ≢ m (mod q).

21 Fault Analysis RSA
Importance of checking the integrity of private keys
- FA-based attacks can be carried out easily when the attacker is able to force the device to work with a corrupted private key or corrupted public parameters.
- Recent results (including similar attacks on DSA): attack on the OpenPGP format and compatible applications ([2]).

22 Side Channels Basic Countermeasures
- Blinding the data being processed
- Randomizing the cryptographic transformation
- Checking the integrity of keys
- Checking the outputs for faults
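The following is an added example (not the talk's own code) that carries slides 17 to 20 through on a constructed toy key and then applies the last countermeasure of slide 22. It implements the four CRT signing steps, injects a one-bit error into step 2 to obtain s_faulty, applies Lemma 1 in both the Signature-Signature and the Known Message-Signature form, and finally shows the output check (re-verify s^e ≡ m (mod n) before releasing s) that withholds the faulty value so that no such pair ever leaves the device. The primes, the message and the fault location are all constructed for the demonstration and far too small for real use; `pow(x, -1, m)` needs Python 3.8 or later.

```python
"""RSA-CRT signing, a simulated computational fault, Lemma 1, and the
output-verification countermeasure (added example, not the paper's code)."""
from math import gcd

# Constructed toy key: 20-bit primes, only for illustration.
p, q = 1000003, 1000033
n = p * q
e = 65537
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
d_p, d_q = d % (p - 1), d % (q - 1)  # CRT exponents
p_inv = pow(p, -1, q)                # pInv = p^-1 mod q


def sign_crt(m, fault_in_q=False):
    """Steps 1-4 of slide 18; optionally corrupt the mod-q half (step 2)."""
    s_p = pow(m, d_p, p)
    s_q = pow(m, d_q, q)
    if fault_in_q:
        s_q ^= 1            # simulated one-bit error in an intermediate value
    h = (p_inv * (s_q - s_p)) % q
    return s_p + p * h


def verify(m, s):
    """Public-key check s^e == m (mod n)."""
    return pow(s, e, n) == m


def factor_from_pair(s_good, s_faulty):
    """Lemma 1 with x = s_good, y = s_faulty (Signature-Signature case)."""
    return gcd(abs(s_good - s_faulty), n)


def factor_from_message(m, s_faulty):
    """Lemma 1 with x = s_faulty^e mod n, y = m (Known Message-Signature case)."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def sign_checked(m, fault_in_q=False):
    """Countermeasure: never release a signature that fails verification."""
    s = sign_crt(m, fault_in_q)
    if not verify(m, s):
        return None         # fault detected; the faulty value stays inside
    return s


if __name__ == "__main__":
    m = 123456789           # constructed formatted message, m in Z_n
    s_good = sign_crt(m)
    s_bad = sign_crt(m, fault_in_q=True)
    print("correct signature verifies:", verify(m, s_good))
    print("faulty signature verifies: ", verify(m, s_bad))
    print("gcd(s_good - s_faulty, n) == p:", factor_from_pair(s_good, s_bad) == p)
    print("gcd(s_faulty^e - m, n) == p:   ", factor_from_message(m, s_bad) == p)
    print("checked signer releases faulty value:", sign_checked(m, True) is not None)
```

The check costs one public-exponent exponentiation per signature, which is cheap next to the private operation; note that it only guards the output and does nothing against the key-integrity problem of slide 21, which needs the separate "checking the integrity of keys" countermeasure.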

23 Side Channels Future Trends
Technicians shall
- try to minimize the power of the signal leaking from each side channel;
- inform cryptologists about all remaining side channels.
Cryptologists shall
- design their cryptosystems with respect to the known side channels.
Given the current state of technology, the defence against attacks based on the various side channels is mainly a cryptological problem.

24 References
[1] Rosa, T.: Future Cryptography: Standards Are Not Enough, in Proc. of CATE 2001, 2001.
[2] Klíma, V. and Rosa, T.: Attack on Private Signature Keys of the OpenPGP Format, PGP(tm) Programs and Other Applications Compatible with OpenPGP, ICZ Technical Report, 2001, available at http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf.

