DOC PREVIEW
UW CSEP 590 - Lecture Notes

This preview shows page 1-2-20-21 out of 21 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 21 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Practical Aspects of Modern CryptographyAttacksSide Channel AttacksTiming AttacksProtocol AttacksSlide 6Slide 7Slide 8Slide 9Slide 10Slide 11Direct AttacksSlide 13Slide 14Slide 15Slide 16Slide 17Slide 18FactoringLessonsSlide 21Practical Aspects of Modern CryptographyJosh BenalohBrian LaMacchiaJohn ManferdelliJanuary 14, 2019 Practical Aspects of Modern CryptographyAttacksHow are cryptosystems typically broken?–Back doors–Side doors–Side windows–Crawl spaces–…January 14, 2019 Practical Aspects of Modern CryptographySide Channel AttacksInformation about a secret key can often be divined by careful observation of a device using the key.TimingPower AnalysisAcoustic EmissionsCache Usageetc.January 14, 2019 Practical Aspects of Modern CryptographyTiming AttacksRSA–Each bit of the decryption exponent indicates whether or not to perform a “side multiply”.–“Chinese remaindering” time varies as the argument crosses from slightly below p to slightly above p.AES–Selective flushing of cache lines can cause access times to vary depending on key bits.January 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksHastad Attack on RSAGivenE1(x) = x3 mod n1E2(x) = x3 mod n2E3(x) = x3 mod n3one can easily compute x.January 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksBleichenbacher Attack on RSA PKCS#1PKCS#1 Message Format:00 01 XX XX ... XX 00 YY YY ... YYrandomnon-zerobytesmessageJanuary 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksIf two plaintexts are ever encrypted with the same stream cipher and keyC1 = K  P1C2 = K  P2an attacker can easily computeC1  C2 = P1  P2from which P1 and P2 can be easily teased apart.January 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksIt is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.January 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksIt is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.January 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksElectronic Code Book (ECB) EncryptionBlockCipherBlockCipherBlockCipherBlockCipherPlaintextCiphertextJanuary 14, 2019 Practical Aspects of Modern CryptographyProtocol AttacksCipher Block Chaining (CBC) Encryption:BlockCipherBlockCipherBlockCipherBlockCipherPlaintextCiphertextIVJanuary 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksHash FunctionsFind a “low-Hamming-weight differential” Δ (a vector of almost all zeros) such that for messages M, the probability that h(MΔ) = h(M) is larger than it should be.January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksBest differential probabilities to dateMD4: ¼MD5: 1/240SHA-1: 1/263January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksLow RSA decryption exponentIt turns out that if the RSA decryption exponent is less than n¼, then n can be trivially factored given only the encryption exponent.January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksFactoringIf n=pq – the product of distinct odd primes, then every square modulo n, has four distinct square roots.If y=x2 mod n, then x and –x are both square roots of y.If y=x2 mod n, then y=x2 mod p and y=x2 mod q.There are four ways to “Chinese remainder” ±x mod p with ±x mod q.January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksFactoringSuppose I have x1 ≠ ±x2 such that x12 = x22 mod n.Then x1 ≠ x2 mod p and x1 ≠ –x2 mod q (or vice-versa).GCD(x1 – x2, n) will therefore produce a non-trivial factor of n.January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksFactoringHow can I get two distinct values that have the same square modulo n?Try, x≈√n, x≈√2n , x≈√3n , …If I get, say, x2 mod n = 49, I’m really happy.January 14, 2019 Practical Aspects of Modern CryptographyDirect AttacksFactoringIf I get, x12 mod n = 12 and x22 mod n = 3, I’m happy too because (x1x2)2 mod n = 36. In general, look for lots of values x such that x2 mod n is “small” and try to combine the small values to get a square.January 14, 2019 Practical Aspects of Modern CryptographyFactoring2 3 5 7 11 13x121 1x222 1x321 2x422 1 1 1x521 1x622 1Note that (x1x3x5x6)2 = 223254112= (235211)2.January 14, 2019 Practical Aspects of Modern CryptographyLessonsNew attacks must be recognized as a fact of cryptography.This makes cryptographic code unique in that a carefully-built, closed system that works perfectly today may become vulnerable tomorrow.Cryptographic constructs must be built with agility in mind so that they can be easily updated if and when it becomes necessary.January 14, 2019 Practical Aspects of Modern


View Full Document

UW CSEP 590 - Lecture Notes

Documents in this Course
Sequitur

Sequitur

56 pages

Sequitur

Sequitur

56 pages

Protocols

Protocols

106 pages

Spyware

Spyware

31 pages

Sequitur

Sequitur

10 pages

Load more
Download Lecture Notes
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Lecture Notes and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Lecture Notes 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?