The devil is in the (implementation) details
Transcript of The devil is in the (implementation) details
The devil is in the (implementation) details
how NOT to do security
05/06/2013 - Università degli Studi di Bergamo Enrico Bacis
Side Channel Attacks
A parity problem
[Figure: number line 0 to 14 for n = 15 (p = 3, q = 5); the decryption check is run on successive multiples of the ciphertext: enc(m) ok, enc(2·m) ok, enc(4·m) err, enc(8·m) ok]
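The parity oracle from the slide, as an added Python example (not part of the original deck): it uses the slide's n = 15 (p = 3, q = 5) with a constructed exponent pair e = d = 3, a constructed plaintext m = 4, and the assumption that "ok"/"err" means the decryptor accepts even plaintexts and rejects odd ones. With those assumptions the trace reproduces the slide's ok, ok, err, ok, and the multiplicative property turns the one-bit leak into full recovery of m in bit_length(n) queries.

```python
from fractions import Fraction
from math import ceil

# Toy RSA key: n = 15 from the slide; e = d = 3 are constructed
# (phi(n) = 8 and 3 * 3 = 9 = 1 mod 8).
N, E, D = 15, 3, 3


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


def parity_oracle(c: int) -> bool:
    """Constructed leak: 'ok' (True) when the decrypted value is even,
    'err' (False) when it is odd. Any decryption path whose success depends
    on the plaintext's low bit behaves exactly like this."""
    return decrypt(c) % 2 == 0


def multiply_ciphertext(c: int, k: int) -> int:
    """Multiplicative property of RSA: enc(m) * enc(k) = enc(k * m) mod n."""
    return (c * encrypt(k)) % N


def oracle_trace(m: int) -> list:
    """Oracle answers for enc(m), enc(2m), enc(4m), enc(8m), as on the slide."""
    c = encrypt(m)
    return [parity_oracle(multiply_ciphertext(c, 2 ** i)) for i in range(4)]


def recover_with_parity_oracle(c: int) -> int:
    """Binary search on m. After each doubling the plaintext 2^i*m mod n is
    odd exactly when the doubling wrapped past the (odd) modulus, i.e. when
    m lies in the upper half of the current interval [lo, hi)."""
    lo, hi = Fraction(0), Fraction(N)
    for _ in range(N.bit_length()):  # interval width ends below 1
        c = multiply_ciphertext(c, 2)
        mid = (lo + hi) / 2
        if parity_oracle(c):  # even: no wrap, m < mid
            hi = mid
        else:                 # odd: wrapped once, m >= mid
            lo = mid
    return ceil(lo)  # the only integer left in [lo, hi)


# Mitigation is to make accept/reject independent of plaintext content
# (padding such as RSA-OAEP checked in constant time), which removes the leak.
if __name__ == "__main__":
    print(oracle_trace(4), recover_with_parity_oracle(encrypt(4)))
```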
Multiplicative Property of RSA
Can we only hack farms?
PKCS#1 v1.5
00 02 | RANDOM PAD | 00 | MESSAGE
Broken by Bleichenbacher Attack (1998)
Electronic Codebook (ECB) vs Cipher Block Chaining (CBC)
Padding Oracle Attack
Timing Attack
"Never ever implement your own cryptosystem" (Dan Boneh)
Android and Mobile Vulnerabilities
Sniffing
Man In The Middle Attack
Why Eve and Mallory Love Android
1074 of 13500 (8%) apps
● Trusting all Certificates
● Allowing all Hostnames
39.5 to 185 million users
SSL/TLS issues
Thank you