Cryptanalysis vs. Reality
Jean-Philippe Aumasson, http://131002.net, @aumasson
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information without access to the secret information that is normally required to do so. (Wikipedia)
The fundamental goal of a cryptanalyst is to violate one or several security notions for algorithms that claim, implicitly or explicitly, to satisfy these security notions. (Antoine Joux, Algorithmic Cryptanalysis)
Reality, noun (pl. realities)
1. the state of things as they actually exist, as opposed to an idealistic or notional idea of them.
2. a thing that is actually experienced or seen.
3. the quality of being lifelike.
4. the state or quality of having existence or substance.
(Compact Oxford English Dictionary)
Cryptanalysis relies on an ATTACKER MODEL = assumptions on what the attacker can and cannot do
All models are in simulacra, that is, simplified reflections of reality, but, despite their inherent falsity, they are nevertheless extremely useful. (G. Box, N. Draper, Empirical Model-Building and Response Surfaces)
Cryptanalysis usually excludes methods of attack that do not primarily target weaknesses in the actual cryptography, such as bribery, physical coercion, burglary, keystroke logging, and social engineering, although these types of attack are an important concern and are often more effective. (Wikipedia)
Cryptanalysis used to be tightly connected to reality
Times have changed
Broken in a model does not imply broken in reality!
Models’ language overlaps with real-world language: “attacks”, “broken” have different meanings
Have we lost connection with reality?
Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis. (...) Usually there are much simpler ways of penetrating the security system. (Adi Shamir, Turing Award lecture, 2002)
Is cryptanalysis relevant at all?
Part 1: Physical attacks
- Bypass and misuse
- Side-channel attacks
- Leakage-resilient crypto

Part 2: Algorithmic attacks
- State-of-the-ciphers
- Why attacks aren’t attacks
- Cognitive biases
- An attack that works
- What about AES?
Part 1: Physical attacks
- Bypass and misuse
- Side-channel attacks
- Leakage-resilient crypto
HTTPS server authentication with 2048-bit RSA ≈ 100-bit security [http://www.keylength.com/]
≈ $2^{100}$ ≈ $10^{30}$ ops to break RSA by factorization
≈ $2^{33}$ using a quantum computer implementing Shor’s algorithm
≈ 0 by compromising a trusted CA...
ECDSA signing with a constant instead of a random number, to find SONY PS3’s private key
RC4 stream cipher with part of the key public and predictable, in WiFi’s WEP protection
TEA block cipher in hashing mode to perform boot code authentication. Equivalent keys = collisions = break
Remote side-channel attacks
Breaking the “secure” AES of OpenSSL 0.9.8n:
Breaking AES on ARM9:
- Power analysis (SPA/DPA)
- Electromagnetic analysis
- Glitches (clock, power supply, data corruption)
- Laser cutting and fault injection
- Focused ion beam surgery, etc.
Leakage resilient?
Leakage-resilient cryptography
New research field developed by Pietrzak et al. (2008+)
Definition of schemes more resistant to side channels
Leakage modeled by a leakage function that is independent of the type of attack
(a 2-minute tutorial: http://www.youtube.com/watch?v=89K3j_Rsbco)
Examples of models (leakage functions)
Exposure-resilience
- Aims to model cold boot attacks (say)
- Leakage = F(memory)

Private circuits
- Aims to model probing attacks
- Leakage = values of any t circuit wires
Bounded leakage
- Aims to model leakage of computation
- Leakage = F(input, secret, randomness), $F : \{0,1\}^* \to \{0,1\}^\lambda$

Bounded retrieval
- Aims to model malware attacks
- Complete control of software and hardware
- Limited bandwidth available
Should we care?
- Big gap between models and reality
- A leakage-resilient mode was broken... by DPA

OTOH:
- It may be the “best effort” on the algorithm side
- Co-design algorithm/implementation necessary
Part 2: Algorithmic attacks
- State-of-the-ciphers
- Why attacks aren’t attacks
- Cognitive biases
- An attack that works
- What about AES?
ALGORITHMIC ATTACKS = attacks targeting a cryptographic function seen as an algorithm and described as algorithms rather than as physical procedures
Independent of the implementation!
Focus on symmetric cryptographic functions:
- Block ciphers
- Stream ciphers
- Hash functions
- PRNGs
- MACs
Low-impact attacks
Block ciphers:
- AES
- GOST (Russian standard, 1970’s!)
- IDEA (1991)
- KASUMI (3GPP)

Hash functions:
- SHA-1
- Whirlpool (ISO)
Medium- to high-impact attacks
Block cipher:
- DES (56-bit key): practical break by... bruteforce

Stream cipher:
- A5/1 (GSM): attacks on GSM, commercial “interceptors”

Hash function:
- MD5: rogue certificate attack PoC
Unattacked primitives
Block ciphers:
- CAST5 (default cipher in OpenPGP)
- IDEA NXT (a/k/a FOX)
- Serpent, Twofish (AES finalists)

Stream ciphers:
- Grain128a (for hardware)
- Salsa20 (for software)

Hash functions:
- SHA-2 (SHA-256, ..., SHA-512)
- RIPEMD-160 (ISO std)
Hundreds of researchers develop new attacks, improve previous ones, yet “breaks” almost never happen: why?
#1: Insanely high time complexities
Example: preimage attack on MD5 with time complexity $2^{123}$ (against $2^{128}$ ideally)
MD5 can no longer claim 128-bit security...
How (more) practical is a $2^{123}$ complexity?
Back-to-reality interlude
2 GHz CPU ⇒ 1 sec = $2 \cdot 10^9 \approx 2^{33}$ clocks
- 1 year: $2^{58}$ clocks
- 1000 years: $2^{68}$ clocks
- since the Big-Bang: $2^{116}$ clocks
The difference between 80 bits and 128 bits of keysearch is like the difference between a mission to Mars and a mission to Alpha Centauri. As far as I can see, there is *no* meaningful difference between 192-bit and 256-bit keys in terms of practical brute force attacks; impossible is impossible. (John Kelsey, NIST hash-forum list)
#2: Building blocks
Example: $2^{96}$ collision attack on the compression function of the SHA-3 candidate LANE
- Did not lead to an attack on the hash
- Invalidates a security proof (not the result!)
- Disqualified LANE from the SHA-3 competition

How to interpret such attacks?
1. We attacked something ⇒ it must be weak!
2. We failed to attack the function ⇒ it must be strong!
#3: Strong models, like “related-keys”
Attackers learn encryptions with a derived key $K' = f(K)$
Actually an old trick: when Enigma operators set rotors incorrectly, they sent again with the correct key...
Modern version introduced by Knudsen/Biham in 1992
Practical on weak key-exchange protocols (EMV, 3GPP?) but unrealistic in any decent protocols
Related-key attack example
Key-recovery on AES-256 with time complexity $2^{99}$ against $2^{256}$ ideally
Needs 4 related subkeys!
The attacks are still mainly of theoretical interest and do not present a threat to practical applications using AES. (the authors, Khovratovich / Biryukov)
Real-world model: pay-TV encryption
MPEG stream encrypted with CSA = Common Scrambling Algorithm, 48-bit key
Useful break of CSA needs
- Unknown-fixed-key attacks
- Ciphertext-only, partially-known plaintext (no TMTO)
- Key recovery in <10 seconds (“cryptoperiod”)
#4: Memory matters
Back to our previous examples:
- MD5: time $2^{123.4}$ and $2^{50}$ B memory (1024 TiB)
- LANE: time $2^{96}$ and $2^{93}$ B memory ($2^{53}$ TiB)
- AES-256: time $2^{119}$ and $2^{77}$ B memory ($2^{37}$ TiB)

Memory is not free! ($$$, infrastructure, latency)
New attacks should be compared to generic attacks with a similar budget
See Bernstein’s Understanding bruteforce, http://cr.yp.to/papers.html#bruteforce
#5: Banana attacks
#5: Distinguishing attacks
Used to be statistical biases, now:
- Known- or chosen-key attacks (!)
- Sets of input/output’s satisfying some relation
- Anything “unexpected”

You-know-what-I-mean attacks (Daemen)
Example: zero-sum attacks on a block cipher $E_K$:
- Find inputs $X_1, X_2, \dots, X_n$ such that $X_1 \oplus X_2 \oplus \cdots \oplus X_n = E_K(X_1) \oplus E_K(X_2) \oplus \cdots \oplus E_K(X_n) = 0$
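The zero-sum property above, shown on a toy cipher as an added example (not code from the talk): a reduced-round 16-bit cipher of algebraic degree at most 9 yields a zero-sum of $2^{10}$ inputs for any key, while a zero-sum of $2^{16}$ inputs exists for every 16-bit permutation and so says nothing about the cipher. The cipher, its bit permutation, the keys and all function names are constructed for the illustration; only the S-box is borrowed from PRESENT.

```python
from functools import reduce

# 4-bit S-box of the PRESENT block cipher (algebraic degree 3).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox_layer(x):
    """Apply the S-box to each of the four nibbles of a 16-bit word."""
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def bit_perm(x):
    """Constructed linear layer: bit i moves to 4*i mod 15, bit 15 stays."""
    y = 0
    for i in range(16):
        j = 15 if i == 15 else (4 * i) % 15
        y |= ((x >> i) & 1) << j
    return y


def toy_encrypt(x, round_keys):
    """Toy E_K: key addition, S-box layer, bit permutation per round key.

    Each round multiplies the algebraic degree by at most 3, so r rounds
    have degree at most min(3**r, 15).
    """
    for k in round_keys:
        x = bit_perm(sbox_layer(x ^ k))
    return x


def affine_subspace(base, free_bits):
    """All 2^d inputs obtained from `base` by toggling the d listed bits."""
    points = []
    for mask in range(1 << len(free_bits)):
        x = base
        for n, bit in enumerate(free_bits):
            if (mask >> n) & 1:
                x ^= 1 << bit
        points.append(x)
    return points


def xor_all(values):
    """XOR of all values in an iterable (0 for an empty one)."""
    return reduce(lambda a, b: a ^ b, values, 0)


def zero_sum_check(round_keys, base, free_bits):
    """Return (XOR of inputs, XOR of outputs) over the affine subspace.

    A result of (0, 0) means the inputs form a zero-sum for this key.
    """
    xs = affine_subspace(base, free_bits)
    return xor_all(xs), xor_all(toy_encrypt(x, round_keys) for x in xs)


if __name__ == "__main__":
    two_rounds = [0x1234, 0xBEEF]                   # constructed keys
    four_rounds = [0x1234, 0xBEEF, 0x0F0F, 0xC0DE]  # constructed keys
    dim10 = list(range(10))
    # Degree <= 9 after two rounds: any 10-dimensional subspace sums to zero.
    print("2 rounds, 2^10 inputs:", zero_sum_check(two_rounds, 0xA400, dim10))
    # Degree bound no longer below 10: the sum is not forced to zero.
    print("4 rounds, 2^10 inputs:", zero_sum_check(four_rounds, 0xA400, dim10))
    # Generic zero-sum: the whole input space works for any permutation.
    print("4 rounds, 2^16 inputs:",
          zero_sum_check(four_rounds, 0, list(range(16))))
```
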
Attacks vs. Reality
2 interpretations of theoretical attacks:
1. Vulnerability that may be exploited
2. Evidence of no effective attack
Why can we be biased?
Cryptographic Numerology
The basic concept is that as long as your encryption keys are at least “this big”, you’re fine, even if none of the surrounding infrastructure benefits from that size or even works at all. (Ian Grigg, Peter Gutmann, IEEE Security & Privacy 9(3), 2011)
Choosing a key size is fantastically easy, whereas making the crypto work effectively is really hard. (Ibid.)
Zero-risk bias
Preference for reducing a small risk to zero over a greater reduction in a larger risk
Example: reduce risk from 1% to 0% whereas another risk could be reduced from 50% to 30% at the same cost
Cryptographic numerology (examples)
- 1% = scary-new attack threat
- Move from 1024- to 2048-bit (or 4096-bit!) RSA
- Cascade-encryption with AES + Serpent + Twofish

+ Unintended consequences: Crypto is slower ⇒ less deployed ⇒ less security
A selection bias: We will find the average height of Americans based on a sample of NBA players
Survivorship bias
= another selection bias
We only see the unbroken ciphers
We don’t see all the experimental designs broken in the course of the evaluation process
Example: 56 SHA-3 submissions published
- 14 implemented attacks (e.g. example of collision)
- 3 close-to-practical attacks ($\approx 2^{60}$)
- 14 high-complexity attacks
⇒ Attacks kill ciphers before they are deployed
An attack that works in reality
Cube attack
By Dinur and Shamir (2008)
- Refined high-order differential attack
- Black-box attack (fixed secret key)
- Precomputation + online stage

Complexity is practical and experimentally verified
The attack relies on empirical observations:
- Algebraic degree of implicit equations
- Structure of derivative equations
Groundbreaking attack!
How badly is AES broken?
The facts:
- AES-128: 2^126 complexity, 2^88 plaintext/ciphertext against 2^128 and 2^0 for bruteforce
- AES-256: 2^254 complexity, 2^40 plaintext/ciphertext against 2^256 and 2^1 for bruteforce
See Bogdanov, Khovratovich, Rechberger: http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
Reactions heard (e.g. from customers):
- AES is insecure, let’s do at least 50 rounds!
- AES is always secure, because it’s the standard!
Conclusion
Real threats are physical/implementation/OPSEC attacks
- Bad implementation, misuse, side channels, passwords, etc.
Leakage-resilient crypto of little help so far
Algorithmic attacks break ciphers before we use them, thus are not a significant threat
We don’t break the codes, we try to analyze how secure they are
– Orr Dunkelman, panel on security, 2011
When deploying crypto, beware cognitive biases!
AES is fine, weak implementations are the biggest threat
The encryption doesn’t even have to be very strong to be useful, it just must be stronger than the other weak links in the system. Using any standard commercial risk management model, cryptosystem failure is orders of magnitude below any other risk.
Ian Grigg, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
If you think like an attacker, then you’re a fool to worry about the crypto. Go buy a few zero days.
Jon Callas, randombit.net cryptography list, 2011