DOCSLIB.ORG

Finding Address-Based Side-Channels in Binaries

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Finding Address-Based Side-Channels in Binaries DATA – Differential Address Trace Analysis: Finding Address-based Side-Channels in Binaries Samuel Weiser, Graz University of Technology; Andreas Zankl, Fraunhofer AISEC; Raphael Spreitzer, Graz University of Technology; Katja Miller, Fraunhofer AISEC; Stefan Mangard, Graz University of Technology; Georg Sigl, Fraunhofer AISEC; Technical University of Munich https://www.usenix.org/conference/usenixsecurity18/presentation/weiser This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. DATA – Differential Address Trace Analysis: Finding Address-based Side-Channels in Binaries Samuel Weiser1, Andreas Zankl2, Raphael Spreitzer1, Katja Miller2, Stefan Mangard1, and Georg Sigl2,3 1Graz University of Technology, 2Fraunhofer AISEC, 3Technical University of Munich Abstract target for various side-channel attacks [11, 45, 77], as a successful attack undermines cryptographic security Cryptographic implementations are a valuable target for guarantees. Especially software-based microarchitec- address-based side-channel attacks and should, thus, be tural attacks (e.g., cache attacks, DRAM attacks, branch- protected against them. Countermeasures, however, are prediction attacks, and controlled-channel attacks) are often incorrectly deployed or completely omitted in prac- particularly dangerous since they can be launched from tice. Moreover, existing tools that identify information software and, thus, without the need for physical access. leaks in programs either suffer from imprecise abstrac- Many of these software-based attacks exploit address- tion or only cover a subset of possible leaks. We sys- based information leakage to recover cryptographic keys tematically address these limitations and propose a new of symmetric [6, 36] or asymmetric [28, 87] primitives. methodology to test software for information leaks. Various countermeasures against address-based infor- In this work, we present DATA, a differential address mation leakage have been proposed on an architectural trace analysis framework that detects address-based side- level [52, 62, 81]. However, these require changing the channel leaks in program binaries. This accounts for at- hardware, which prohibits fast and wide adoption. A tacks exploiting caches, DRAM, branch prediction, con- more promising line of defense are software countermea- trolled channels, and likewise. DATA works in three sures, which remove address-based information leaks by phases. First, the program under test is executed to eliminating key-dependent memory accesses to data and record several address traces. These traces are analyzed code memory. For example, data leakage can be thwarted using a novel algorithm that dynamically re-aligns traces by means of bit-slicing [43, 47, 66], and control-flow to increase detection accuracy. Second, a generic leakage leakage by unifying the control flow [21]. Even though test filters differences caused by statistically independent software countermeasures are already well studied, in program behavior, e.g., randomization, and reveals true practice their adoption to crypto libraries is often par- information leaks. The third phase classifies these leaks tial, error-prone, or non-transparent, as demonstrated by according to the information that can be obtained from recent attacks on OpenSSL [27, 28, 88]. them. This provides further insight to security analysts about the risk they pose in practice. To address these issues, leakage detection tools have We use DATA to analyze OpenSSL and PyCrypto in been developed that allow developers and security ana- a fully automated way. Among several expected leaks in lysts to identify address-based side-channel vulnerabil- symmetric ciphers, DATA also reveals known and pre- ities. Most of these tools, however, primarily focus on viously unknown leaks in asymmetric primitives (RSA, cache attacks and can be classified into static and dy- DSA, ECDSA), and DATA identifies erroneous bug fixes namic approaches. Many static analysis methods use ab- of supposedly fixed constant-time vulnerabilities. stract interpretation [24,25,48,57] to give upper leakage bounds, ideally proving the absence of information leaks in already secured implementations, e.g., the evaluation 1 Introduction of Salsa20 [24]. However, these approaches struggle to accurately describe and pinpoint information leaks due Side-channel attacks infer sensitive information, such to over-approximation [24, page 443], rendering leakage as cryptographic keys or private user data, by moni- bounds meaningless in the worst case. Moreover, their toring inadvertent information leaks of computing de- approximations of the program’s data plane fundamen- vices. Cryptographic implementations are a valuable tally prohibit the analysis of interpreted code. USENIX Association 27th USENIX Security Symposium 603 In contrast, dynamic approaches [41, 84, 89] focus tifies in a program is potentially exposed to side-channel on concrete program executions to reduce false posi- attacks. DATA works in three phases. tives. Contrary to static analysis, dynamic analysis can- Difference Detection: The first phase generates noise- not prove the absence of leakage without exhaustive in- less address traces by executing the target program with put search, which is infeasible for large input spaces. binary instrumentation. It identifies differences in these However, in case of cryptographic algorithms, testing a traces on a byte-address granularity. This accounts for subset of inputs is enough to encounter information leaks all address-based side-channel attacks such as cache at- with a high probability, because crypto primitives heav- tacks [61,64,87], DRAM attacks [65], branch-prediction ily diffuse the secret input during processing. Thus, there attacks [1], controlled-channel attacks [86], and many is a fundamental trade-off between static analysis (mini- blackbox timing attacks [11]. mizing false negatives) and dynamic analysis (minimiz- Leakage Detection: The second phase tests data and ing false positives). control-flow differences for dependencies on the secret We aim for a pragmatic approach towards minimiz- input. A generic leakage test compares the address traces ing false positives, allowing developers to identify infor- of (i) a fixed secret input and (ii) random secret inputs. If mation leaks in real-world applications. Thus, we fo- the traces differ significantly, the corresponding data or cus on dynamic analysis and tackle the limitations of ex- control-flow differences are labeled as secret-dependent isting tools. In particular, existing tools either focus on leaks. This minimizes false positives and explicitly ad- control-flow leaks or data leaks, but not both at the same dresses non-deterministic program behavior introduced time [80,89]; they consider the strongest adversary to ob- by blinding or probabilistic encryption, for example. serve cache-line accesses only [41], which is too coarse- Leakage Classification: The third phase classifies grained in light of recent attacks (CacheBleed [88]); the information leakage of secret-dependent data and many of them lack the capability to properly filter pro- control-flow differences. This is achieved with specific gram activity that is statistically independent of secret leakage tests that find linear and non-linear relations be- input [50, 80, 84]; and most do not provide any means tween the secret input and the address traces. These leak- to further assess the severity of information leaks, i.e., age tests are a valuable tool for security analysts to de- the risk they bring and the urgency with which they termine the severity and exploitability of a leak. must be fixed. Based on these shortcomings, we argue We implement DATA in a fully automated evaluation that tools designed to identify address-based information tool that allows analyzing large software stacks, includ- leaks must tackle the following four challenges: ing initialization operations, such as key loading and 1. Leakage origin: Detect the exact location of data parsing, as well as cryptographic operations. We use and control-flow leaks in programs on byte-address DATA to analyze OpenSSL and PyCrypto, confirming granularity instead of cache-line granularity. existing and identifying new vulnerabilities. Among sev- 2. Detection accuracy: Minimize false positives, e.g., eral expected leaks in symmetric ciphers (AES, Blow- caused by non-determinism that is statistically inde- fish, Camellia, CAST, Triple DES, ARC4), DATA also pendent of the secret input, and provide reasonable reveals known and previously unknown leaks in asym- strategies to also reduce false negatives. metric primitives (RSA, DSA, ECDSA) and identifies er- 3. Leakage classification: Provide means to classify roneous bug fixes of supposedly resolved vulnerabilities. leaks with respect to the information gained by an Outline. The remainder of this paper is organized as fol- adversary. lows. In Section 2, we discuss background information 4. Practicality: Report information leaks (i) fully au- and related work. In Section 3, we present DATA on a tomated, i.e., without requiring manual interven- high level. In Sections 4–6 we describe the three phases tion, (ii) using only the program binary, i.e., with- of DATA. In Section 7, we give implementation details. out requiring the source code, and (iii) efficiently in In Section 8, we evaluate DATA on OpenSSL and Py- terms
Load more

Recommended publications
  • Models and Algorithms for Physical Cryptanalysis
    MODELS AND ALGORITHMS FOR PHYSICAL CRYPTANALYSIS Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨at fur¨ Elektrotechnik und Informationstechnik an der Ruhr-Universit¨at Bochum von Kerstin Lemke-Rust Bochum, Januar 2007 ii Thesis Advisor: Prof. Dr.-Ing. Christof Paar, Ruhr University Bochum, Germany External Referee: Prof. Dr. David Naccache, Ecole´ Normale Sup´erieure, Paris, France Author contact information: [email protected] iii Abstract This thesis is dedicated to models and algorithms for the use in physical cryptanalysis which is a new evolving discipline in implementation se- curity of information systems. It is based on physically observable and manipulable properties of a cryptographic implementation. Physical observables, such as the power consumption or electromag- netic emanation of a cryptographic device are so-called `side channels'. They contain exploitable information about internal states of an imple- mentation at runtime. Physical effects can also be used for the injec- tion of faults. Fault injection is successful if it recovers internal states by examining the effects of an erroneous state propagating through the computation. This thesis provides a unified framework for side channel and fault cryptanalysis. Its objective is to improve the understanding of physi- cally enabled cryptanalysis and to provide new models and algorithms. A major motivation for this work is that methodical improvements for physical cryptanalysis can also help in developing efficient countermea- sures for securing cryptographic implementations. This work examines differential side channel analysis of boolean and arithmetic operations which are typical primitives in cryptographic algo- rithms. Different characteristics of these operations can support a side channel analysis, even of unknown ciphers.
    [Show full text]
  • Branch-Directed and Pointer-Based Data Cache Prefetching
    Branch-directed and Pointer-based Data Cache Prefetching Yue Liu Mona Dimitri David R. Kaeli Department of Electrical and Computer Engineering Northeastern University Boston, MA Abstract The design of the on-chip cache memory and branch prediction logic has become an integral part of a microprocessor implementation. Branch predictors reduce the effects of control hazards on pipeline performance. Branch prediction implementations have been proposed which eliminate a majority of the pipeline stalls associated with branches. Caches are commonly used to reduce the performance gap between microprocessor and memory technology. Caches can only provide this benefit if the requested address is in the cache when requested. To increase the probability that addresses are present when requested, prefetching can be employed. Prefetching attempts to prime the cache with instructions and data which will be accessed in the near future. The work presented here describes two new prefetching algorithms. The first ties data cache prefetching to branches in the instruction stream. History of the data stream is incorporated into a Branch Target Buffer (BTB). Since branch behavior determines program control flow, data access patterns are also dependent upon this behavior. Results indicate that combining this strategy with tagged prefetching can significantly improve cache hit ratios. While improving cache hit rates is important, the resulting memory bus traffic introduced can be an issue. Our prefetching technique can also significantly reduce the overall memory bus traffic. The second prefetching scheme dynamically identifies pointer-based data references in the data stream, and records these references in order to successfully prime the cache with the next element in the linked data structure in advance of its access.
    [Show full text]
  • Non-Sequential Instruction Cache Prefetching for Multiple--Issue Processors
    Non-Sequential Instruction Cache Prefetching for Multiple--Issue Processors Alexander V. Veidenbaum Qingbo Zhao Abduhl Shameer Dept. of Information and DSET Inc. Microsoft Inc. Computer Science University of California Irvine 1 [email protected] Abstract This paper presents a novel instruction cache prefetching mechanism for multiple-issue processors. Such processors at high clock rates often have to use a small instruction cache which can have significant miss rates. Prefetching from secondary cache or even memory can hide the instruction cache miss penalties, but only if initiated sufficiently far ahead of the current program counter. Existing instruction cache prefetching methods are strictly sequential and do not prefetch past conditional branches which may occur almost every clock cycle in wide-issue processors. In this study, multi-level branch prediction is used to overcome this limitation. By keeping branch history and target addresses, two methods are defined to predict a future PC several branches past the current branch. A prefetching architecture using such a mechanism is defined and evaluated with respect to its accuracy, the impact of the instruction prefetching on performance, and its interaction with sequential prefetching. Both PC-based and history- based predictors are used to perform a single-lookup prediction. Targeting an on-chip L2 cache with low latency, prediction for 3 branch levels is evaluated for a 4-issue processor and cache architecture patterned after the DEC Alpha-21164. It is shown that history-based predictor is more accurate, but both predictors are effective. The prefetching unit using them can be effective and succeeds when the sequential prefetcher fails.
    [Show full text]
  • Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A
    Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 9-13-2012 Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation Eric A. Koziel Follow this and additional works at: https://scholar.afit.edu/etd Part of the Computer and Systems Architecture Commons, and the Information Security Commons Recommended Citation Koziel, Eric A., "Effects of Architecture on Information Leakage of a Hardware Advanced Encryption Standard Implementation" (2012). Theses and Dissertations. 1127. https://scholar.afit.edu/etd/1127 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Eric A. Koziel AFIT/GCO/ENG/12-25 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT/GCO/ENG/12-25 EFFECTS OF ARCHITECTURE ON INFORMATION LEAKAGE OF A HARDWARE ADVANCED ENCRYPTION STANDARD IMPLEMENTATION THESIS Presented to the Faculty Department of Electrical & Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Operations Eric A.
    [Show full text]
  • Denial-Of-Service Attacks on Shared Cache in Multicore: Analysis and Prevention
    Denial-of-Service Attacks on Shared Cache in Multicore: Analysis and Prevention Michael G. Bechtel, Heechul Yun University of Kansas, USA. fmbechtel, [email protected] Abstract—In this paper we investigate the feasibility of denial- of the cores can access the cache until it is unblocked, which of-service (DoS) attacks on shared caches in multicore platforms. can take a long time (e.g., hundreds of CPU cycles) as it may With carefully engineered attacker tasks, we are able to cause need to access slow main memory. Therefore, if an attacker more than 300X execution time increases on a victim task running on a dedicated core on a popular embedded multicore platform, can intentionally induce shared cache blocking, it can cause regardless of whether we partition its shared cache or not. Based significant timing impacts to other tasks on different cores. on careful experimentation on real and simulated multicore This is because every shared cache hit access, which would platforms, we identify an internal hardware structure of a non- normally take a few cycles, would instead take a few hundreds blocking cache, namely the cache writeback buffer, as a potential cycles until the cache is unblocked. target of shared cache DoS attacks. We propose an OS-level solution to prevent such DoS attacks by extending a state-of-the- While most prior works on cache isolation focused on art memory bandwidth regulation mechanism. We implement the cache space partitioning, either in software or in hardware [9], proposed mechanism in Linux on a real multicore platform and [16]–[19], [25], [27], [37], [43], [44], these cache partitioning show its effectiveness in protecting against cache DoS attacks.
    [Show full text]
  • Fetch Directed Instruction Prefetching
    In Proceedings of the 32nd Annual International Symposium on Microarchitecture (MICRO-32), November 1999. Fetch Directed Instruction Prefetching y z Glenn Reinmany Brad Calder Todd Austin y Department of Computer Science and Engineering, University of California, San Diego z Electrical Engineering and Computer Science Department, University of Michigan Abstract consumed by the instruction cache. This decoupling allows Instruction supply is a crucial component of processor the branch predictor to run ahead of the instruction fetch. performance. Instruction prefetching has been proposed as This can be beneficial when the instruction cache has a miss, a mechanism to help reduce instruction cache misses, which or when the execution core backs up, thereby filling up the in turn can help increase instruction supply to the processor. connecting buffers and causing the instruction cache to stall. In this paper we examine a new instruction prefetch ar- This second case can occur because of data cache misses or chitecture called Fetch Directed Prefetching, and compare long latency instructions in the pipeline. In this paper we it to the performance of next-line prefetching and streaming examine using the fetch block addresses in the FTQ to pro- buffers. This architecture uses a decoupled branch predic- vide Fetch Directed Prefetching (FDP) for the instruction tor and instruction cache, so the branch predictor can run cache. We use the fetch block addresses stored in the FTQ ahead of the instruction cache fetch. In addition, we ex- to guide instruction prefetching, masking stall cycles due to amine marking fetch blocks in the branch predictor that are instruction cache misses.
    [Show full text]
  • Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander
    Some Words on Cryptanalysis of Stream Ciphers Maximov, Alexander 2006 Link to publication Citation for published version (APA): Maximov, A. (2006). Some Words on Cryptanalysis of Stream Ciphers. Department of Information Technology, Lund Univeristy. Total number of authors: 1 General rights Unless other specific re-use rights are stated the following general rights apply: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal Read more about Creative commons licenses: https://creativecommons.org/licenses/ Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. LUND UNIVERSITY PO Box 117 221 00 Lund +46 46-222 00 00 Some Words on Cryptanalysis of Stream Ciphers Alexander Maximov Ph.D. Thesis, June 16, 2006 Alexander Maximov Department of Information Technology Lund University Box 118 S-221 00 Lund, Sweden e-mail: [email protected] http://www.it.lth.se/ ISBN: 91-7167-039-4 ISRN: LUTEDX/TEIT-06/1035-SE c Alexander Maximov, 2006 Abstract n the world of cryptography, stream ciphers are known as primitives used Ito ensure privacy over a communication channel.
    [Show full text]
  • Cryptography Weekly Independent Teaching Activities Teaching Credits Hours 4 6
    COURSE OUTLINE (1) GENERAL SCHOOL SCHOOL OF SCIENCES ACADEMIC UNIT DEPARTMENT OF MATHEMATICS LEVEL OF STUDIES UNDERGRADUATE PROGRAM COURSE CODE 311-2003 SEMESTER F COURSE TITLE CRYPTOGRAPHY WEEKLY INDEPENDENT TEACHING ACTIVITIES TEACHING CREDITS HOURS 4 6 COURSE TYPE Special background PREREQUISITE COURSES: NO LANGUAGE OF INSTRUCTION and GREEK EXAMINATIONS: IS THE COURSE OFFERED TO YES ERASMUS STUDENTS COURSE WEBSITE (URL) http://www.math.aegean.gr/index.php/en/academics/undergraduate- programs (2) LEARNING OUTCOMES Learning outcomes In this course the students are introduced to the basic complexity theory and how computational difficulty in solving problems can be exploited to build secure cryptographic protocols. The lectures are, then, focused on some elementary cryptographic schemes like Caesar’s cipher, general substitution ciphers, polyalphabetic ciphers and how they can be broken efficiently. Then the students are introduced to Shannon’s cryptographic principles of confusion and diffusion and how they lead to the Feistel-based block ciphers. Then, as case studies, the block ciphers DES, CAST-128 and AES are presented along with analysis of their security properties. In the middle of the course, the students are introduced to public key cryptography and the RSA, ElGamal scheme and the foundations of Elliptic Curve Cryptography as well as the state of the art in the cryptanalysis of RSA and ECC. The aim of this course is mainly to introduce the students into the basic concepts of cryptography and cryptanalysis. At the end of the course, they could develop and analyse certain cryptographic systems and they could be ready to use and modify certain cryptanalysis techniques.
    [Show full text]
  • Dynamic Eviction Set Algorithms and Their Applicability to Cache Characterisation
    UPTEC IT 20036 Examensarbete 30 hp September 2020 Dynamic Eviction Set Algorithms and Their Applicability to Cache Characterisation Maria Lindqvist Institutionen för informationsteknologi Department of Information Technology Abstract Dynamic Eviction Set Algorithms and Their Applicability to Cache Characterisation Maria Lindqvist Teknisk- naturvetenskaplig fakultet UTH-enheten Eviction sets are groups of memory addresses that map to the same cache set. They can be used to perform efficient information-leaking attacks Besöksadress: against the cache memory, so-called cache side channel attacks. In Ångströmlaboratoriet Lägerhyddsvägen 1 this project, two different algorithms that find such sets are implemented Hus 4, Plan 0 and compared. The second of the algorithms improves on the first by using a concept called group testing. It is also evaluated if these algorithms can Postadress: be used to analyse or reverse engineer the cache characteristics, which is a Box 536 751 21 Uppsala new area of application for this type of algorithms. The results show that the optimised algorithm performs significantly better than the previous Telefon: state-of-the-art algorithm. This means that countermeasures developed 018 – 471 30 03 against this type of attacks need to be designed with the possibility of Telefax: faster attacks in mind. The results also shows, as a proof-of-concept, that 018 – 471 30 00 it is possible to use these algorithms to create a tool for cache analysis. Hemsida: http://www.teknat.uu.se/student Handledare: Christos Sakalis Ämnesgranskare: Stefanos Kaxiras Examinator: Lars-Åke Nordén UPTEC IT 20036 Tryckt av: Reprocentralen ITC Acknowledgements I would like to thank my supervisor Christos Sakalis for all the guidance, dis- cussions and feedback during this thesis.
    [Show full text]
  • In Using the GNU Compiler Collection (GCC)
    Using the GNU Compiler Collection For gcc version 6.1.0 (GCC) Richard M. Stallman and the GCC Developer Community Published by: GNU Press Website: http://www.gnupress.org a division of the General: [email protected] Free Software Foundation Orders: [email protected] 51 Franklin Street, Fifth Floor Tel 617-542-5942 Boston, MA 02110-1301 USA Fax 617-542-2652 Last printed October 2003 for GCC 3.3.1. Printed copies are available for $45 each. Copyright c 1988-2016 Free Software Foundation, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being \Funding Free Software", the Front-Cover Texts being (a) (see below), and with the Back-Cover Texts being (b) (see below). A copy of the license is included in the section entitled \GNU Free Documentation License". (a) The FSF's Front-Cover Text is: A GNU Manual (b) The FSF's Back-Cover Text is: You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development. i Short Contents Introduction ::::::::::::::::::::::::::::::::::::::::::::: 1 1 Programming Languages Supported by GCC ::::::::::::::: 3 2 Language Standards Supported by GCC :::::::::::::::::: 5 3 GCC Command Options ::::::::::::::::::::::::::::::: 9 4 C Implementation-Defined Behavior :::::::::::::::::::: 373 5 C++ Implementation-Defined Behavior ::::::::::::::::: 381 6 Extensions to
    [Show full text]
  • CE441: Data and Network Security Cryptography — Symmetric
    CE441: Data and Network Security Cryptography — Symmetric Behnam Momeni, PhD Department of Computer Engineering Sharif University of Technology Fall 2019 . B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 1 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Outline 1 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Cryptography: Definition and Models Classic Cryptography Cryptanalysis: A Glimpse 2 Confidentiality-Providing Schemes 3 Integrity-Providing Schemes 4 Full Fledged Schemes . B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 2 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Security Goals Availability CIA Triad Confidentiality Integrity . B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 3 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Definition Defining an scheme has two main parts Syntax: specifies operations which can be performed by honest participants of the scheme e.g. The symmetric encryption scheme, SE = (K; E; D), contains a key generation function K, an encryption function E, and a decryption function D k K : 8m : Dk (Ek (m)) = m The scheme is modeled here Semantic: specifies conditions which must be met by a secure scheme The security definition is formalized here . B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 4 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Game-based Definition Model the scheme operations normally Then, devise a game between an adversary and a challenger Adversary tries to break the security definition Challenger wants to demonstrate inability of the adversary Adversary is trying to obtain some advantage e.g.
    [Show full text]
  • Security System on Data Encryption & Decryption
    International Research Journal of Engineering and Technology (IRJET)e-ISSN: 2395-0056 Volume: 07 Issue: 04 | Apr 2020 www.irjet.net p-ISSN: 2395-0072 Security System on Data Encryption & Decryption Mr. Mukul Aggarwal1, Mr. Deepak Kumar Yadav2, Dr. Himanshu Arora3 and Mr. Sudhanshu Vashistha4 1B. Tech Student, Department of CSE, Arya College of Engineering and Research Center, Jaipur 2B. Tech Student, Department of CSE, Arya College of Engineering and Research Center, Jaipur 3Professor, Department of CSE, Arya College of Engineering and Research Center, Jaipur 4Assistant Professor, Department of CSE, Arya College of Engineering and Research Center, Jaipur ---------------------------------------------------------------------- ***--------------------------------------------------------- Abstract— Now’s a day’s security is a feature or factor which is most services attack. It is the attack in which third- person important about any sector which ensures the protection of data. It directly access the server. prevents unauthorized persons, thieves, hackers, etc. In this field, Access Control: It is the process in which only authorized there are three main feature which is essential for data security i.e. person can only access the data resources confidentiality, integrity, availability, these three main features which prevent from unauthorized any other third person. Confidentiality TABLE I basically if we send the data from one person to another person then FONT SIZES FOR PAPERS only authorized person can access & integrity if we transfer the information from one to another then no one can change. The availability of the resources should be available 24/7 hour or data should be available on demand. Process of communication using Encryption and Decryption over data. To convert the plain text into ciphertext is Encryption and convert the ciphertext into plain text is Decryption and both methods called as a Cryptology.
    [Show full text]