How to Abuse and Fix Authenticated Encryption Without Key Commitment
https://eprint.iacr.org/2020/1456 [eprint.iacr.org]
2020-12-13 06:03
tags:
crypto
format
paper
security
Authenticated encryption (AE) is used in a wide variety of applications, potentially in settings for which it was not originally designed. Recent research tries to understand what happens when AE is not used as prescribed by its designers. A question given relatively little attention is whether an AE scheme guarantees “key commitment’’: ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext. As key commitment is not part of AE’s design goal, AE schemes in general do not satisfy it. Nevertheless, one would not expect this seemingly obscure property to have much impact on the security of actual products. In reality, however, products do rely on key commitment. We discuss three recent applications where missing key commitment is exploitable in practice. We provide proof-of-concept attacks via a tool that constructs AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM. Finally we discuss two solutions to add key commitment to AE schemes which have not been analyzed in the literature: one is a generic approach that adds an explicit key commitment scheme to the AE scheme, and the other is a simple fix which works for AE schemes like AES-GCM and ChaCha20Poly1305, but requires separate analysis for each scheme.
source: white
Too Much Crypto
https://eprint.iacr.org/2019/1492 [eprint.iacr.org]
2019-12-31 02:29
tags:
crypto
paper
pdf
perf
security
We show that many symmetric cryptography primitives would not be less safe with significantly fewer rounds. To support this claim, we review the cryptanalysis progress in the last 20 years, examine the reasons behind the current number of rounds, and analyze the risk of doing fewer rounds. Advocating a rational and scientific approach to round numbers selection, we propose revised number of rounds for AES, BLAKE2, ChaCha, and SHA-3, which offer more consistent security margins across primitives and make them much faster, without increasing the security risk.
source: L
Cryptography During the French and American Wars in Vietnam
https://eprint.iacr.org/2016/1136 [eprint.iacr.org]
2019-03-30 02:53
tags:
crypto
history
opsec
paper
pdf
security
After Vietnam’s Declaration of Independence on 2 September 1945, the country had to suffer through two long, brutal wars, first against the French and then against the Americans, before finally in 1975 becoming a unified country free of colonial domination. Our purpose is to examine the role of cryptography in those two wars. Despite the far greater technological resources of their opponents, the communications intelligence specialists of the Viet Minh, the National Liberation Front, and the Democratic Republic of Vietnam had considerable success in both protecting Vietnamese communications and acquiring tactical and strategic secrets from the enemy. Perhaps surprisingly, in both wars there was a balance between the sides. Generally speaking, cryptographic knowledge and protocol design were at a high level at the central commands, but deployment for tactical communications in the field was difficult, and there were many failures on all sides.
source: grugq
Fast Message Franking: From Invisible Salamanders to Encryptment
https://eprint.iacr.org/2019/016 [eprint.iacr.org]
2019-01-10 00:12
tags:
crypto
paper
pdf
security
social
Message franking enables cryptographically verifiable reporting of abusive content in end-to-end encrypted messaging. Grubbs, Lu, and Ristenpart recently formalized the needed underlying primitive, what they call compactly committing authenticated encryption (AE), and analyzed the security of a number of approaches. But all known secure schemes are still slow compared to the fastest standard AE schemes. For this reason Facebook Messenger uses AES-GCM for franking of attachments such as images or videos. We show how to break Facebook’s attachment franking scheme: a malicious user can send an objectionable image to a recipient but that recipient cannot report it as abuse. The core problem stems from use of fast but non-committing AE, and so we build the fastest compactly committing AE schemes to date. To do so we introduce a new primitive, called encryptment, which captures the essential properties needed. We prove that, unfortunately, schemes with performance profile similar to AES-GCM won’t work. Instead, we show how to efficiently transform Merkle-Damgård-style hash functions into secure encryptments, and how to efficiently build compactly committing AE from encryptment. Ultimately our main construction allows franking using just a single computation of SHA-256 or SHA-3. Encryptment proves useful for a variety of other applications, such as remotely keyed AE and concealments, and our results imply the first single-pass schemes in these settings as well.
source: green
Prime and Prejudice: Primality Testing Under Adversarial Conditions
https://eprint.iacr.org/2018/749 [eprint.iacr.org]
2018-10-31 03:40
tags:
crypto
dupe
math
paper
security
This work provides a systematic analysis of primality testing under adversarial conditions, where the numbers being tested for primality are not generated randomly, but instead provided by a possibly malicious party. Such a situation can arise in secure messaging protocols where a server supplies Diffie-Hellman parameters to the peers, or in a secure communications protocol like TLS where a developer can insert such a number to be able to later passively spy on client-server data.
Note: Updated to include details on vulnerabilities in Apple crypto libraries.
Prime and Prejudice: Primality Testing Under Adversarial Conditions
https://eprint.iacr.org/2018/749 [eprint.iacr.org]
2018-08-20 01:12
tags:
crypto
library
math
paper
pdf
security
This work provides a systematic analysis of primality testing under adversarial conditions, where the numbers being tested for primality are not generated randomly, but instead provided by a possibly malicious party. Such a situation can arise in secure messaging protocols where a server supplies Diffie-Hellman parameters to the peers, or in a secure communications protocol like TLS where a developer can insert such a number to be able to later passively spy on client-server data. We study a broad range of cryptographic libraries and assess their performance in this adversarial setting. As examples of our findings, we are able to construct 2048-bit composites that are declared prime with probability 1/16 by OpenSSL’s primality testing in its default configuration; the advertised performance is 2^-80. We can also construct 1024-bit composites that always pass the primality testing routine in GNU GMP when configured with the recommended minimum number of rounds. And, for a number of libraries (Cryptlib, LibTomCrypt, JavaScript Big Number, WolfSSL), we can construct composites that always pass the supplied primality tests. We explore the implications of these security failures in applications, focusing on the construction of malicious Diffie-Hellman parameters. We show that, unless careful primality testing is performed, an adversary can supply parameters (p,q,g) which on the surface look secure, but where the discrete logarithm problem in the subgroup of order q generated by g is easy. We close by making recommendations for users and developers. In particular, we promote the Baillie-PSW primality test which is both efficient and conjectured to be robust even in the adversarial setting for numbers up to a few thousand bits.
source: solar
Start your ENGINEs: dynamically loadable contemporary crypto
https://eprint.iacr.org/2018/354 [eprint.iacr.org]
2018-05-10 16:20
tags:
crypto
library
paper
pdf
security
In this paper, focusing on OpenSSL as a de-facto standard, we analyze these limits, their impact on the security of modern systems, and their significance for researchers.
We propose the OpenSSL ENGINE API as a tool in a framework to overcome these limits, describing how it fits in the OpenSSL architecture, its features, and a technical review of its internals.
I don’t know that more OpenSSL API is the solution to any problem, but here it is.
source: green
A Cryptographic Analysis of the WireGuard Protocol
https://eprint.iacr.org/2018/080 [eprint.iacr.org]
2018-01-24 16:08
tags:
crypto
networking
paper
pdf
security
WireGuard (Donenfeld, NDSS 2017) is a recently proposed secure network tunnel operating at layer 3. WireGuard aims to replace existing tunnelling solutions like IPsec and OpenVPN, while requiring less code, being more secure, more performant, and easier to use. The cryptographic design of WireGuard is based on the Noise framework. It makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys). This is followed by the use of the established keys in an AEAD construction to encapsulate IP packets in UDP. To date, WireGuard has received no rigorous security analysis. In this paper, we rectify this.
source: green
Scalable, transparent, and post-quantum secure computational integrity
https://eprint.iacr.org/2018/046 [eprint.iacr.org]
2018-01-12 06:53
tags:
blockchain
compsci
crypto
paper
pdf
security
Here we report the first realization of a transparent ZK system (ZK-STARK) in which verification scales exponentially faster than database size, and moreover, this exponential speedup in verification is observed concretely for meaningful and sequential computations, described next. Our system uses several recent advances on interactive oracle proofs (IOP), such as a “fast” (linear time) IOP system for error correcting codes.
source: green
On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees
https://eprint.iacr.org/2017/666 [eprint.iacr.org]
2018-01-09 21:14
tags:
crypto
networking
paper
pdf
security
social
One reason for this discrepancy in security guarantees is that most existing group messaging protocols are fundamentally synchronous, and thus cannot be used in the asynchronous world of mobile communications. In this paper we show that this is not necessary, presenting a design for a tree-based group key exchange protocol in which no two parties ever need to be online at the same time, which we call Asynchronous Ratcheting Tree (ART). ART achieves strong security guarantees, in particular including post-compromise security.
source: green
May the Fourth Be With You: A Microarchitectural Side Channel Attack on Several Real-World Applications of Curve25519
https://eprint.iacr.org/2017/806 [eprint.iacr.org]
2017-08-30 03:05
tags:
crypto
paper
pdf
security
sidechannel
In today’s edition of shared computers are shared.
Cryptanalysis of 22 1/2 rounds of Gimli
https://eprint.iacr.org/2017/743 [eprint.iacr.org]
2017-08-12 04:18
tags:
crypto
paper
pdf
random
security
Bernstein et al. have proposed a new permutation, Gimli, which aims to provide simple and performant implementations on a wide variety of platforms. One of the tricks used to make Gimli performant is that it processes data mostly in 96-bit columns, only occasionally swapping 32-bit words between them.
Here we show that this trick is dangerous by presenting a distinguisher for reduced-round Gimli. Our distinguisher takes the form of an attack on a simple and practical PRF that should be nearly 192-bit secure.
Sliding right into disaster: Left-to-right sliding windows leak
https://eprint.iacr.org/2017/627 [eprint.iacr.org]
2017-06-30 20:24
tags:
crypto
math
paper
pdf
security
sidechannel
It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA.
In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters
source: green
Notes on the design and analysis of SIMON and SPECK
https://eprint.iacr.org/2017/560 [eprint.iacr.org]
2017-06-09 13:39
tags:
crypto
development
paper
pdf
security
We discuss the design rationale and analysis of the SIMON and SPECK lightweight block ciphers.
Pretty easy reading paper, how one goes about making and tuning a new cipher.
source: green
Side-Channel Attacks on BLISS Lattice-Based Signatures
http://eprint.iacr.org/2017/505 [eprint.iacr.org]
2017-06-06 00:45
tags:
crypto
paper
pdf
quantum
security
sidechannel
In this paper, we investigate the security of the BLISS lattice-based signature scheme, one of the most promising candidates for post-quantum-secure signatures, against side-channel attacks.
We also show that other parts of the BLISS signing algorithm can leak secrets not just for a subset of secret keys, but for 100% of them. The BLISS Gaussian sampling algorithm in strongSwan is intrinsically variable time. This would be hard to exploit using a noisy source of leakage like EMA, but branch tracing allows recovering the entire randomness and hence the key: we show that a single execution of the strongSwan signature algorithm is actually sufficient for full key recovery.
0-RTT Key Exchange with Full Forward Secrecy
https://eprint.iacr.org/2017/223 [eprint.iacr.org]
2017-03-07 06:48
tags:
crypto
networking
paper
pdf
perf
security
According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a non-ephemeral secret of the receiver. If this secret is later leaked to an attacker, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session. In this paper we show that this belief is actually false. We construct the first 0-RTT key exchange protocol which provides full forward secrecy for all transmitted payload messages and is automatically resilient to replay attacks.
Shove it into overdrive. Highway to the danger zone.
source: green
What Else is Revealed by Order-Revealing Encryption?
https://eprint.iacr.org/2016/786 [eprint.iacr.org]
2017-01-09 16:59
tags:
crypto
paper
pdf
security
This work shows that more plaintext information can be extracted from ORE ciphertexts than was previously thought.
Never used ORE, and I think I won’t.
Constant-Time Callees with Variable-Time Callers
https://eprint.iacr.org/2016/1195 [eprint.iacr.org]
2017-01-03 05:26
tags:
crypto
exploit
math
paper
pdf
security
To mitigate remote timing and cache-timing attacks, many ubiquitous cryptography software libraries feature constant-time implementations of cryptographic primitives. In this work, we disclose a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library featuring both constant-time curve operations and modular inversion with microarchitecture attack mitigations. Exploiting this defect, we target the errant modular inversion code path with a cache-timing and improved performance degradation attack, recovering the inversion state sequence.
See also: http://seclists.org/oss-sec/2017/q1/52
A Salad of Block Ciphers
http://eprint.iacr.org/2016/1171 [eprint.iacr.org]
2016-12-28 23:17
tags:
book
crypto
math
pdf
reference
security
This book is a survey on the state of the art in block cipher design and analysis.
This is quite thorough.
Antikernel: A Decentralized Secure Hardware-Software Operating System Architecture
https://eprint.iacr.org/2016/550 [eprint.iacr.org]
2016-11-30 20:21
tags:
compsci
cpu
hardware
networking
paper
pdf
security
systems
Writing an operating system is too easy these days? Why not write your own hardware too?
This work presents Antikernel, a novel operating system architecture consisting of both hardware and software components and designed to be fundamentally more secure than the state of the art.
Plus efforts at proving correctness.
Code and more: https://github.com/azonenberg/antikernel