DOCSLIB.ORG

(12) United States Patent (10) Patent No.: US 9,514,285 B2 Durham Et Al

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
(12) United States Patent (10) Patent No.: US 9,514,285 B2 Durham Et Al USO09514285B2 (12) United States Patent (10) Patent No.: US 9,514,285 B2 Durham et al. (45) Date of Patent: Dec. 6, 2016 (54) CREATING STACK POSITION DEPENDENT (56) References Cited CRYPTOGRAPHC RETURN ADDRESS TO MTGATE RETURN ORIENTED U.S. PATENT DOCUMENTS PROGRAMMING ATTACKS 7.853,803 B2 * 12/2010 Milliken ................. GO6F 21/52 713, 176 (71) Applicant: Intel Corporation, Santa Clara, CA 2014/0173293 A1* 6/2014 Kaplan ................... G06F 21.54 (US) T13, 190 (72) Inventors: David M. Durham, Beaverton, OR OTHER PUBLICATIONS (US); Baiju V. Patel, Portland, OR “Disk encryption theory,” available at http://en.wikipedia.org/wiki/ (US) XEX-TCB-CTS, accessed Dec. 29, 2014, 6 pages. “The Heartbleed bug, available at http://heartbleed.com/, accessed (73) Assignee: Intel Corporation, Santa Clara, CA Dec. 29, 2014, 7 pages. (US) “OpenSSL.” available at http://en.wikipedia.org/wiki/OpenSSL, accessed Dec. 29, 2014, 13 pages. (*) Notice: Subject to any disclaimer, the term of this “Return-oriented programming,' available at http://en.wikipedia. patent is extended or adjusted under 35 org/wiki/Return-oriented programming, accessed Dec. 29, 2014, 4 pageS. U.S.C. 154(b) by 0 days. “Buffer overflow,” available at http://en.wikipedia.org/wiki/Buf (21) Appl. No.: 14/498,521 fer overflow, accessed Dec. 29, 2014, 12 pages. (22) Filed: Sep. 26, 2014 * cited by examiner Primary Examiner — Jacob Lipman (65) Prior Publication Data (74) Attorney, Agent, or Firm — Barnes & Thornburg US 2016/0094.552 A1 Mar. 31, 2016 LLP (51) Int. C. (57) ABSTRACT G6F 2/54 (2013.01) A computing device includes technologies for securing G06F2L/00 (2013.01) return addresses that are used by a processor to control the (52) U.S. C. flow of execution of a program. The computing device uses CPC ..................................... G06F 21/00 (2013.01) a cryptographic algorithm to provide security for a return (58) Field of Classification Search address in a manner that binds the return address to a CPC ............................. H04L 63/0876; G06F 21/54 location in a stack. USPC .................................................. 713/171, 190 See application file for complete search history. 23 Claims, 7 Drawing Sheets COMPUTING DEWICE 100 USER SPACE APPLICATION 134 SUBROUTINE rTURNRCM RETURN FROM CALL 202 SUBROUTINE 210 SUROUTINE RFAULT216 prwileged system CoMomeNT 142 RETURN ADDRESS FAULTHANDLER MODULE 48 SECURE CONTROL TRANSFER NON-CANONICAL NSTRUCTIONS 104 FAULTING ARSS 24 SECURE CALL SECURE RETURN LOGIC 108 LOGIC 108 RTURN RETURN MODIFIED MODIFIED ADDRESS ADDRESS RETURN RTURN CESCRAMBLER 24 ADDRESS208 ARESS 206 LOGIC 110 MODIFIED MODIFIED RETURN AddRSS2O6 RTUN RTURN ARSS 206 ARESS 204 CALL STACK218 RETURNADRESS SECURITY LOGC 138 STACKPOSITIONIDENTIFIER(S) 114 scrTKY 16 U.S. Patent Dec. 6, 2016 Sheet 1 of 7 US 9,514,285 B2 COMPUTING DEVICE 100 PROCESSOR 102 SECURE CONTROL TRANSFER INSTRUCTIONS 104 SECURE CALL LOGIC 106 RETURN ADDRESS SECURITY LOGIC 136 SECURE RETURN LOGIC 108 CRYPTOGRAPHC LOGIC 138 RETURN ADDRESS ADDRESSPECATION DESCRAMBLINGLOGIC 110 REGISTERS 112 STACKPOSITION IDENTIFIER 114 SECRET KEY 1 16 fC) SUBSYSTEM 124 MEMORY 122 PRIWILEGED SYSTEM COMPONENT 142 DATA STORAGE DEVICE 126 MEMORY MANAGER DISPLAY DEVICE 128 MODULE 144 KEY CREATIONMODULE 146 USUBSYSTEM 130 RETURN ADDRESS FAULT COMM SUBSYSTEM 132 HANDLERMODULE 148 INTERRUPT HANDLER USER SPACE APPLICATION 134 MODULE 150 FIG. 1 U.S. Patent Dec. 6, 2016 Sheet 2 of 7 US 9,514,285 B2 200 COMPUTING DEVICE 100 USER SPACE APPLICATION 134 SUBROUTINE CALL 202 RETURN FROM RETURN FROM SUBROUTINE 210 SUBROUTINE ORFAULT216 PRIVILEGED SYSTEM COMPONENT 142 RETURN ADDRESS FAULTHANDLER MODULE 148 SECURE CONTROL TRANSFER NON-CANONICAL INSTRUCTIONS 104 FAULTING ADDRESS 214 SECURE CALL SECURE RETURN LOGIC 106 LOGIC 108 RETURN RETURN MODIFIED MODIFIED ADDRESS ADDRESS RETURN RETURN DESCRAMBLER 204 ADDRESS 206 ADDRESS 206 LOGIC 110 MODIFIED MODIFIED RETURN RETURN ADDRESS 206 ADDRESS 206 RETURN ADDRESS 204 CALL STACK218 RETURN ADDRESS SECURITY LOGIC 136 STACK POSITION IDENTIFIER(S) 114 SECRET KEY 1 16 FIG. 2 U.S. Patent Dec. 6, 2016 Sheet 3 of 7 US 9,514,285 B2 300 FFFFFFFF t FFFFFFFF USED/CANONICAL ADDRESSESl (SYSTEM SPACE) 310 FFFF 80000 OOOOOOOO MODIFIED RETURN ADDRESS 206 UNUSED/NON-CANONICAL ADDRESSES 312 0000 7FFFF FFFFFFFF USED/CANONICAL ADDRESSESl (USER SPACE) 314 OOOOOOOO OOOOOOOO FIG. 3 U.S. Patent Dec. 6, 2016 Sheet 4 of 7 US 9,514,285 B2 M 400 410 CONTROL TRANSFER INSTRW RTN ADDRESS PRE-PROCESS THE RETURN ADDRESS 412 AS NEEDED BY ENCRYPTIONALGORITHM 414 ENCRYPT THE RETURN ADDRESS USING SECRET KEY AND STACK POSITION IDENTIFIER AS A TWEAK 416 MANIPULATE THE ENCRYPTED RETURN ADDRESS TO FALL WITHIN AN UNUSED NON-CANONICAL ADDRESS RANGE 418 STORE THE MODIFIED RETURN ADDRESS ON THE CALL STACK 420 READ THE NEXT INSTRUCTION FIG. 4 U.S. Patent Dec. 6, 2016 Sheet S of 7 US 9,514,285 B2 M 500 - -TRANSFER INSTR THAT USES RTN ADDRESSP 512 OBTAIN MODIFIED RETURN ADDRESS FROM CALL STACK 514 DOES RTN ADDRESS FALL WITHIN AN UNUSED NON-CANONICAL TO FIG. 6 RANGEP YES 516 DECRYPT THE RETURN ADDRESS USING STACK POSITION IDENTIFIER AS A TWEAK 518 RESTORE THE DECRYPTED RETURN ADDRESS TO ORIGINAL FORM 520 JUMP TO RETURN ADDRESS FIG. 5 U.S. Patent Dec. 6, 2016 Sheet 6 of 7 US 9,514,285 B2 M 600 614 SFAULTING ADDRESS NON-CANONICAL TREAT ASFAULT YES 616 DECRYPT THE RETURN ADDRESS USING STACK POSITION IDENTIFIER AS A TWEAK 618 VERIFY DECRYPTED RETURN ADDRESS AND/OR CALLING CODE 620 TRANSFER CONTROL TO RETURN ADDRESS F.G. 6 U.S. Patent Dec. 6, 2016 Sheet 7 Of 7 US 9,514,285 B2 710 - - - - - - - - - - - - - - - - - - - - - - - - - - 4- - - - - - - - - LOOP - COUNTER MODE 712 716 | PARALLEL EXECUTION 718 - 4- - - - - LOOP - NORMAL 720 PROCESSOR PIPELINE CONTROL TRANSFER INSTRW RTN ADDRESS YES 722 OBTAIN CURRENT ENCRYPTED STACK POSITION IDENTIFIER 724 COMBINE CURRENT ENCRYPTED STACK POSITION IDNETFER WITH RETURN ADDRESS TO CREATE MODIFIED RETURN ADDRESS 726 STORE THE MODIFIED RETURN ADDRESS ON THE CALL STACK US 9,514,285 B2 1. 2 CREATING STACK POSITION DEPENDENT figures. For simplicity and clarity of illustration, elements CRYPTOGRAPHC RETURN ADDRESS TO illustrated in the figures are not necessarily drawn to scale. MTIGATE RETURN ORIENTED Where considered appropriate, reference labels have been PROGRAMMING ATTACKS repeated among the figures to indicate corresponding or analogous elements. BACKGROUND FIG. 1 is a simplified block diagram of at least one When a software application runs on a computing device, embodiment of a computing device configured with secure a processor executes machine-level instructions into which control transfer instructions as disclosed herein; high level programming code of the application has been FIG. 2 is a simplified environment diagram of the com translated (e.g., by a compiler and/or an interpreter, etc.). 10 puting device of FIG. 1, illustrating an application of the The pre-defined set of machine-level instructions that a secure control transfer instructions of FIG. 1; particular processor can execute is the processors instruc FIG. 3 is a simplified schematic diagram of a range of tion set. The processor typically fetches from memory, memory addresses including used and unused addresses; sequentially, the machine-level instructions corresponding FIG. 4 is a simplified flow diagram of at least one to the functionality of a Software application, and then 15 embodiment of a method for providing security for a control executes the instructions sequentially. transfer instruction as disclosed herein, which may be However, the processor may encounter an instruction that executed by the computing device of FIG. 1; transfers control of the program execution to another FIG. 5 is a simplified flow diagram of at least one instruction or set of instructions stored in another memory embodiment of a method for providing security for another location. For example, a call instruction causes the processor control transfer instruction as disclosed herein, which may to transfer control of the program execution to a Subroutine, be executed by the computing device of FIG. 1; Such as a function or a procedure. In this case, the called FIG. 6 is a simplified flow diagram of at least one Subroutine will have among its instructions at least one embodiment of a method for verifying a previously secured return (“ret') instruction. The return instruction causes the control transfer instruction as disclosed herein, which may processor to return control back to the instruction that 25 immediately follows the call instruction in the normal be executed by the computing device of FIG. 1; and sequence of instructions. The memory location of the FIG. 7 is a simplified flow diagram of at least one instruction to which control should return after a call instruc embodiment of another method for providing security for a tion may be referred to as the return address. Some examples control transfer instruction as disclosed herein, which may of control transfer instructions include call, jump (imp”), be executed by the computing device of FIG. 1. interrupt (“int”), and return from interrupt (“iret'). 30 The processor uses a call stack data structure to keep track DETAILED DESCRIPTION OF THE DRAWINGS of the program control flow when a call instruction is encountered. To do this, the call instruction pushes the return While the concepts of the present disclosure are suscep address onto the top of the stack. A stack pointer is used to tible to various modifications and alternative forms, specific keep track of the memory location of the top of the stack. 35 embodiments thereof have been shown by way of example The stack pointer is stored in a processor register. The return in the drawings and will be described herein in detail. It instruction uses the stack pointer to retrieve the return should be understood, however, that there is no intent to address from the top of the stack. The return instruction limit the concepts of the present disclosure to the particular transfers control to the instruction found at the memory forms disclosed, but on the contrary, the intention is to cover location of the return address.
Load more

Recommended publications
  • Horizontal PDF Slides
    1 2 Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: “I have a problem where I need to make some University of Illinois at Chicago; cryptography faster, and I’m Ruhr University Bochum setting up a $1000 competition funded from my own pocket for Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 1 2 3 Speed, speed, speed $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)). D. J. Bernstein Crowley: “I have a problem where I need to make some Note that H needs only “TCR”, University of Illinois at Chicago; cryptography faster, and I’m not full collision resistance. Ruhr University Bochum setting up a $1000 competition Does this allow faster H design? funded from my own pocket for TCR breaks how many rounds? Reporting some recent work towards the solution.” symmetric-speed discussions, Not fast enough: Signing H(M), especially from RWC 2020. where M is a long message. Not included in this talk: “[On a] 900MHz Cortex-A7 NISTLWC. • [SHA-256] takes 28.86 cpb ::: Short inputs. • BLAKE2b is nearly twice as FHE/MPC ciphers. • fast ::: However, this is still a lot slower than I’m happy with.” 1 2 3 Speed, speed, speed $1000 TCR hashing competition Instead choose random R and sign (R; H(R; M)).
    [Show full text]
  • Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives
    Self-encrypting deception: weaknesses in the encryption of solid state drives Carlo Meijer Bernard van Gastel Institute for Computing and Information Sciences School of Computer Science Radboud University Nijmegen Open University of the Netherlands [email protected] and Institute for Computing and Information Sciences Radboud University Nijmegen Bernard.vanGastel@{ou.nl,ru.nl} Abstract—We have analyzed the hardware full-disk encryption full-disk encryption. Full-disk encryption software, especially of several solid state drives (SSDs) by reverse engineering their those integrated in modern operating systems, may decide to firmware. These drives were produced by three manufacturers rely solely on hardware encryption in case it detects support between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form by the storage device. In case the decision is made to rely on factor) and external models using the USB interface. hardware encryption, typically software encryption is disabled. In theory, the security guarantees offered by hardware encryp- As a primary example, BitLocker, the full-disk encryption tion are similar to or better than software implementations. In software built into Microsoft Windows, switches off software reality, we found that many models using hardware encryption encryption and completely relies on hardware encryption by have critical security weaknesses due to specification, design, and implementation issues. For many models, these security default if the drive advertises support. weaknesses allow for complete recovery of the data without Contribution. This paper evaluates both internal and external knowledge of any secret (such as the password).
    [Show full text]
  • Analysis of an Encrypted HDD
    Analysis of an encrypted HDD J. Czarny, R. Rigo May 11, 2015 Abstract The idea of this presentation is to debunk the myth that analyzing the security of hardware is difficult. From the perspective of a software reverse engineer we present the process of studying a hardware-encrypted, PIN secured, external hard drive: the Zalman VE-400. While the end result of the analysis and attack is not a full success as it was not possible to recover an encrypted drive, it shows that the drive is nevertheless vulnerable by design. 1 Introduction 1.1 The target Analysing the security of hardware products seems to scare software reversers and hackers. It used to scare us. But, fortunately, today there is no need to know much about electronics, as most products are just System on Chip (SoC), a single integrated circuit with IO and a CPU or microcontroller. All that is needed is a bit of soldering ability, a multimeter, some useful pieces of hardware and a brain. The subject here is not embedded systems in the now common sense of “small hardware running Linux” but smaller systems using one or two chips. Most interesting for software hackers are encrypted HDD/USB keys: their functionnality is conceptually simple and they provide an interesting target. We will focus on the Zalman VE-400 encrypted drive, a consumer enclosure for 2.5" SATA hard drives which supports hardware encryption. It also supports advanced features like mounting ISO files as virtual optical drives. To do so, the user must choose between the ExFAT and NTFS filesystem support, by reflashing the correct firmware.
    [Show full text]
  • Nouveau Mode Opératoire Pour La Cryptographie *
    Nouveau Mode Opératoire pour la Cryptographie * Naima Hadj-Said*, Adda Ali-Pacha, Mohamed Sadek Ali-Pacha – Aek Haouas *Laboratoire SIMPA (Signal-Image-Parole) Université des Sciences et de la Technologie d’Oran USTO , BP 1505 El M’Naouer Oran 31036 Algerie [email protected] Résumé : Un mode opératoire consiste en la description détaillée des actions nécessaires à l'obtention d'un résultat. Il décrit généralement le déroulement détaillé des opérations effectuées sur un poste fixe, mais il peut également décrire l'enchaînement des opérations de poste à poste. Un mode opératoire décrivant les enchaînements opératoires de poste à poste permet de définir : -l'ensemble des postes de travail concernés par la réalisation d'un produit, d'une pièce élémentaire, - les temps de passage prévus (alloués) à chaque poste, -l'ordre logique d'intervention de chaque poste (machine, ou poste manuel), -les conditions d'enchaînement, de déclenchement, des opérations successives, -les moyens de transfert de poste à poste. En cryptographie, un mode d'opération est la manière de traiter les blocs de texte clairs et chiffrés au sein d'un algorithme de chiffrement par bloc ou bien c’est la présentation d’une méthode de chaînage des blocs dans un chiffrement par blocs. Plusieurs modes existent possédant leur propre atout, certains sont plus vulnérables que d'autres et certains modes combinent les concepts d'authentification et sécurité. Dans ce travail on essaie de faire la synthèse des modes opératoires des systèmes cryptographique et de proposer une bonne alternative pour faire le bon choix du vecteur d'initialisation de ces modes, avec la suggestion d’un nouveau mode opératoire qu’on a appelé : mode Autonome Secure blocK (ASK).
    [Show full text]
  • Enclave Security and Address-Based Side Channels
    Graz University of Technology Faculty of Computer Science Institute of Applied Information Processing and Communications IAIK Enclave Security and Address-based Side Channels Assessors: A PhD Thesis Presented to the Prof. Stefan Mangard Faculty of Computer Science in Prof. Thomas Eisenbarth Fulfillment of the Requirements for the PhD Degree by June 2020 Samuel Weiser Samuel Weiser Enclave Security and Address-based Side Channels DOCTORAL THESIS to achieve the university degree of Doctor of Technical Sciences; Dr. techn. submitted to Graz University of Technology Assessors Prof. Stefan Mangard Institute of Applied Information Processing and Communications Graz University of Technology Prof. Thomas Eisenbarth Institute for IT Security Universit¨atzu L¨ubeck Graz, June 2020 SSS AFFIDAVIT I declare that I have authored this thesis independently, that I have not used other than the declared sources/resources, and that I have explicitly indicated all material which has been quoted either literally or by content from the sources used. The text document uploaded to TUGRAZonline is identical to the present doctoral thesis. Date, Signature SSS Prologue Everyone has the right to life, liberty and security of person. Universal Declaration of Human Rights, Article 3 Our life turned digital, and so did we. Not long ago, the globalized commu- nication that we enjoy today on an everyday basis was the privilege of a few. Nowadays, artificial intelligence in the cloud, smartified handhelds, low-power Internet-of-Things gadgets, and self-maneuvering objects in the physical world are promising us unthinkable freedom in shaping our personal lives as well as society as a whole. Sadly, our collective excitement about the \new", the \better", the \more", the \instant", has overruled our sense of security and privacy.
    [Show full text]
  • Format Preserving Encryption
    – Figure 1: Cover picture Format Preserving Encryption Bachelor Thesis Degree programme: Bachelor of Science in Computer Science Author: Matthias Liechti, Rizja Schmid Thesis advisor: Prof. Dr. Reto Koenig Expert: Stefan Berner Date: 12.06.2015 Berner Fachhochschule | Haute école spécialisée bernoise | Bern University of Applied Sciences Management Summary This thesis aims to give a theoretical as well as practical overview of an emerging issue in the field of IT security named Format Preserving Encryption (FPE). Although FPE is not new, it is relatively unknown. It is used in the full-disk encryption and some other areas. Nevertheless, it is to this day even unknown to many cryptographers. Another issue that is on everyone's lips is the Internet of Things (IoT). IoT offers a whole new scope for FPE and could give it possibly a further boost. Format Preserving Encryption is - as the name says - an encryption in which the format of the encrypted data is maintained. When a plaintext is encrypted with FPE, the ciphertext then has the same format again. As illustrated for example on the cover page: If we encrypt the owner and the number of a credit card with AES we get an unrecognizable string. If we use FPE instead, we might get for example Paul Miller and the number 4000 0838 7507 2846. The advantage is that for man and/or machine nothing changes. The encryption is therefore not noticed without analysis of the data. The advantage can also become a disadvantage. An attacker has with the format of the ciphertext already information about the plaintext.
    [Show full text]
  • Trusted Platform Module Library Part 1: Architecture TCG Public Review
    Trusted Platform Module Library Part 1: Architecture Family “2.0” Level 00 Revision 01.50 September 18, 2018 Committee Draft Contact: [email protected] Work in Progress This document is an intermediate draft for comment only and is subject to change without notice. Readers should not design products based on this document. TCG Public Review Copyright © TCG 2006-2019 TCG Trusted Platform Module Library Part 1: Architecture Licenses and Notices Copyright Licenses: Trusted Computing Group (TCG) grants to the user of the source code in this specification (the “Source Code”) a worldwide, irrevocable, nonexclusive, royalty free, copyright license to reproduce, create derivative works, distribute, display and perform the Source Code and derivative works thereof, and to grant others the rights granted herein. The TCG grants to the user of the other parts of the specification (other than the Source Code) the rights to reproduce, distribute, display, and perform the specification solely for the purpose of developing products based on such documents. Source Code Distribution Conditions: Redistributions of Source Code must retain the above copyright licenses, this list of conditions and the following disclaimers. Redistributions in binary form must reproduce the above copyright licenses, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. Disclaimers: THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. Contact TCG Administration ([email protected]) for information on specification licensing rights available through TCG membership agreements.
    [Show full text]
  • Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings December 2003
    Risk Management Series Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings December 2003 FEMA FEMA 426 FEMA 426 / December 2003 RISK MANAGEMENT SERIES Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings PROVIDING PROTECTION TO PEOPLE AND BUILDINGS www.fema.gov Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of FEMA. Additionally, neither FEMA or any of its employees makes any warrantee, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process included in this publication. Users of information from this publication assume all liability arising from such use. he creation of the Department of Homeland Security (DHS) is one of the most significant transformations in the Federal Government in decades, establishing a department T whose first priority is to protect the nation against terrorist attacks. Within the DHS, the Directorate of Emergency Preparedness and Response (EP&R) is focused on ensuring that our nation is prepared for catastrophes, including both natural disasters and terrorist assaults. Central to this mission is the protection of people and the critical infrastructure of the built environment. This Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings provides guidance to the building science community of architects and engineers, to reduce physical damage to buildings, related infrastructure, and people caused by terrorist assaults. The comprehensive approach to understanding how to improve security in high occupancy buildings will better protect the nation from potential threats by identifying key actions and design criteria to strengthen our buildings from the forces that might be anticipated in a terrorist assault.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption
    Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption Robert Granger1, Philipp Jovanovic2, Bart Mennink3, and Samuel Neves4 1 Laboratory for Cryptologic Algorithms, École polytechnique fédérale de Lausanne, Switzerland, [email protected] 2 Decentralized and Distributed Systems Lab, École polytechnique fédérale de Lausanne, Switzerland, [email protected] 3 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium, [email protected] 4 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal, [email protected] Abstract. A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function combines the advantages of word-oriented LFSR- and powering-up-based methods. We show in particular how recent advancements in computing discrete logarithms over finite fields of characteristic 2 can be exploited in a constructive way to realize highly efficient, constant-time masking functions. If the masking satisfies a set of simple conditions, then MEM is a secure tweakable blockcipher up to the birthday bound. The strengths of MEM are exhibited by the design of fully parallelizable authenticated encryption schemes OPP (nonce-respecting) and MRO (misuse-resistant). If instantiated with a reduced-round BLAKE2b permutation, OPP and MRO achieve speeds up to 0.55 and 1.06 cycles per byte on the Intel Haswell microarchitecture, and are able to significantly outperform their closest competitors.
    [Show full text]
  • Secure Content Distribution from Insecure Cloud Computing Systems
    Secure Content Distribution from Insecure Cloud Computing Systems A Thesis submitted to the designated by the Assembly of the Department of Computer Science and Engineering Examination Committee by Evangelos Dimoulis in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN DATA AND COMPUTER SYSTEMS ENGINEERING WITH SPECIALIZATION IN ADVANCED COMPUTER SYSTEMS University of Ioannina School of Engineering Ioannina August 2021 Examining Committee: • Stergios Anastasiadis, Associate Professor, Department of Computer Science and Engineering, University of Ioannina (Advisor) • Evaggelia Pitoura, Professor, Department of Computer Science and Engineer- ing, University of Ioannina • Evangelos Papapetrou, Assistant Professor, Department of Computer Science and Engineering, University of Ioannina ACKNOWLEDGEMENTS First and foremost, I would like to express my sincere gratitude to my research advisor Prof. Stergios Anastasiadis for his invaluable assistance and guidance throughout this thesis. With his deep knowledge on the field of computer systems, he taught methe process of conducting research, how to understand, design and implement systems software. He was always available for long and creative brainstorming sessions, and it was a great privilege to work under his guidance. I would also like to thank my friends who helped relax and clear my mind after many demanding working hours required to complete this research. Especially, Anargyros Katsoulieris with whom we worked together at the Computer Systems Lab, for the many hours of brainstorming sessions in the field of computer systems security, and his funny jokes that helped making time at the office even better. Above all, however, I am grateful to my family for their support, love, care and for encouraging me to pursue and accomplish my goals.
    [Show full text]
  • Android 7 File Based Encryption and the Attacks Against It
    Android 7 File Based Encryption and the Attacks Against It Ronan Loftus Marwin Baumann [email protected] [email protected] Research Project 1 Supervised by: Rick Van Galen Ruben De Vries January 2017 Abstract Android users have been provided with some level of disk encryption since Android 3.0 \Honeycomb". This is marketed as `Full Disk' encryption (FDE). FDE allows users to encrypt their /data partition. The major problem with FDE is that after rebooting, multiple critical functions of the device are unusable without user interaction. File Based encryption (FBE) was introduced to overcome this issue as part of the release of Android 7.0 \Nougat" in August 2016. FBE allows different files to be encrypted with different keys that can be unlocked independently. This fixes the shortcoming of FDE and also allows for more fine grained control of what's encrypted. The security of FDE has been researched quite extensively. Due to its recent release FBE has not been studied. In this paper we elucidate the workings of FBE. We then catalogue some of the known attacks against Android FDE. For each attack we introduce how they function along with the Android specific mechanisms they use. Then we either reason about or practically apply these attacks to the most recent Android version. Over half of the attacks we test are still applicable for Android 7. Finally we provide some recommendations for how these attacks can be rendered obsolete. 1 Contents 1 Introduction 3 1.1 Research question . .3 2 Related Work 4 2.1 Contribution . .4 3 Methodology 5 4 Android Disk Encryption 6 4.1 `Full Disk' .
    [Show full text]