New Developments in March 2012

Outline

New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public- Infrastructure principles Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2012 • 6. Cryptography best practices

© Bart Preneel. All rights reserved 1 2

Outline Block P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block • Modes of operation and authenticated cipher cipher • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits •memoryless • Concluding remarks • repeat simple operation (round) many times 3

3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule

Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key

1 23

1 New Developments in Cryptography March 2012 Bart Preneel

AES variants (2001) AES implementations:

• AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html

round round. round [‘05]

dule • HW: 43 Gbit/s in 130 nm CMOS ) . ule le

8 . e . . . round . round • Intel: new AES instruction: 0.75 cycles/byte [’09-’10] Key (12 Key . round round (192) Key . • SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced Key (256) Key

Key Sch Key . . . [Käsper-Schwabe’09] Key Sched Key round . Key Schedu Key round • HW: most compact: 3600 gates Light weight , in particular for the 256-bit version – KATAN: 1054, PRESENT: 1570

AES: security AES-256 security • Exhaustive key search on AES-256 takes 2256 : no attack has been found that can –264: 10 minutes with $ 5M exploit this structure (in spite of the algebraic –280: 2 year with $ 5M “attack” [Courtois’02]) –2120 : 1 billion years with $ 5B • [Biryukov-Khovratovich’09] related key attack on AES-256 • implementation level attack – requires 2119 encryptions with 4 related ke ys , – data & time complexity 2119 << 2256 – cache attack precluded by bitsliced implementations • Why does it work? Very lightweight key schedule or by special hardware support – fault attack requires special countermeasures • Is AES-256 broken? No, only an academic “weakness” that is easy to fix • No implications on security of AES-128 for encryption • Do not use AES-256 in a hash function construction

What is a related key attack? Should I worry about a related key attack? • Attacker chooses and key difference C • Very hard in practice (except some old US banking • Attacker gets schemes and IBM control vectors) • Task: find the key C • If you are vulnerable to a related key attack, you are making very bad implementation mistakes plaintext1 plaintext2 plaintext1 • This is a very powerful attack

round round model: if an opponent can round zeroize 96 key bits of his round round round choice (rather than adding a round round round value), he can find the key in h Key (256) Key . . Key (256) Key Key (256) Key . . . . . a few seconds . Key Schedule Key . Schedule Key Key Schedule Key round round round • If you are worried, hashing the key is an easy fix ciphertext1 ciphertext2 ciphertext1

2 New Developments in Cryptography March 2012 Bart Preneel

Related key attacks on AES-256 and KASUMI KASUMI (2002)

Security level in bits Exhaustive search AES [Biryukov- • Widely used in all 3G phones 300 Khovratovich’09] 4 related keys • Present in 40% of GSM phones but not 250 data & time yet used 200 comppylexity Exh aus tive search KASUMI 2119 << 2256 150

100 • Good news: related key attacks do not Practical [Dunkelman- 50 Keller-Shamir’10] apply in in the GSM or 3G context Related key 0 attack: 4 keys, 0 58 1014 15 226 data & 232 rounds time << 2128

KASUMI New announcement: August 2011 [Dunkelman-Keller-Shamir’09] [Bogdanov-Khovratovich-Rechberger] • Practical related key attack announced in • No related keys (attack in 2005) December 2009 on the KASUMI used in 3GPP • For AES-128: with 288 plaintext/ pairs, – 4 rel ltdkated keys, 2 26 dtdata, 2 30 btbytes of memory, and the effective can be reduced by 2 bits 232 time (AES-126) • It is not possible to carry out this attack in 3G • For AES-192: only 280 plaintext/ciphertext pairs (as related keys are not available) • For AES-256: only 240 plaintext/ciphertext pairs

Very minor impact on security and very hard to extend

Synchronous (SSC) Stream ciphers

IV state IV state init init • historically very important (compact) – LFSR-based: A5/1, A5/2, – practical attacks K next K next known state state – software-oriented: RC4 – serious weaknesses function function – block cipher in CTR or OFB (slower) • today: output output – many broken schemes function “looks” function random – exception: SNOW2.0, MUGI P C P – lack of standards and open solutions

18

3 New Developments in Cryptography March 2012 Bart Preneel

GSM GSM • A5/1 weak • growing number of open source tools to intercept: – [Barkan+03] requires seconds (software not available so requires math) GnuRAdio, Airprobe, OpenBTS – [Nohl10]: Kraken = 2 Terabyte of Rainbow tables • but needs more work (1-2 years?) http://reflextor.com/trac/a51 • A5/2 trivially weak (milliseconds) – withdrawn in 2007 (took 8 years) • A5/3 (= Kasumi) seems ok but slow adoption (even if in 1.2 billion out of 3 billion handsets)

• Simpler attacks on GSM – eavesdrop after base station (always cleartext) – switch off encryption (can be detected) – SMS of death

GSM International • China: • be careful when rolling out 2-factor – ZUC as 3rd algorithm in LTE (also SMII, SMIII) – National Cryptography Industry Standards Technical Committee via SMS established on 19/10/2011 • war texting hacks on car systems and mod 231 − 1 215 217 221 220 12+ 8

S S S S S S S S S S S S S S S S SCADA systems [Black Hat, Aug’11] 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

X X X 0 X1 2 3

R1 R2 Every algorithm used in

L L 1 2 China needs to be designed in China intercepting mobile phone traffic is illegal • US: NIST is very active in standardization

Open competition for stream ciphers The eSTREAM Portfolio http://www.ecrypt.eu.org Apr. 2008 (Rev1 Sept. 2008)

(in alphabetical order) • run by ECRYPT – high performance in software (32/64-bit): 128-bit key Software Hardware – low-gate count hardware (< 1000 gates): 80-bit key – variants: authenticated encryption HC-128 F-FCSR-H • April 2005: 33 submissions v1 • many broken in first year • April 2008: end of competition /12 MICKEY v2 Sosemanuk

3-10 cycles per byte 1500..3000 gates

23 24

4 New Developments in Cryptography March 2012 Bart Preneel

Performance reference data Rogue CA attack (Pentium M 1.70GHz Model 6/9/5) [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] request user cert; by special encryption speed (cycles/byte) Self-signed collision this results in a fake CA root key 120 cert (need to predict serial number 100 + validity period) 80 CA1 CA2 Rogue CA 60 key setup (cycles) 40 35000 impact: rogue CA that User1 User2 User x 20 30000 can issue certs that are 25000 0 trusted by all RC4 HC-128 DES 3-DES AES 20000 15000 browsers 10000 5000 0 6 CAs have issued certificates signed with MD5 in 2008: RC4 HC- DES 3-DES AES 128 Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), 26 26 25 TC TrustCenter AG, RSA Data Security, Verisign.co.jp

Low cost hw: throughput versus area Hash functions [Bogdanov+08,Sugawara+08] (100 KHz , technology in multiples of 10 nm) 900 Protect short hash value rather • collision resistance GRAIN[8] (13) Trivium[8](13) than long text • preimage resistance

) 800 Enocoro-80[8](18) nd 700 •2 preimage resistance

Kbps 600 ( mCRYPTON-96/128 (13) t

u 500 CLEFIA (9) This is an input to a crypto-

hp 400 graphic hash function. The input

g PRESENT-128 (18) 300 is a very long string, that is PICCOLO-128 reduced by the hash function to a HIGHT (25) TDEA (9) string of fixed length. There are 200 1A3FD4128A198FB3CA345932 GOST (18) (13)Trivium(13) additional security conditions: it h Throu GRAIN 100 SEA (13) AES (13) should be very hard to find an KATAN (18) (18) AES (35) input hashing to a given value (a KTANTAN (18) TEA MISTY1 (18) preimage) or to find two colliding 0 PRESENT-80 (18) inputs (a collision). PRINTcipher-960 1000 2000 3000 4000 5000 6000 (18) LED-128 (18) Gate equivalents 27

The complexity of collision attacks SHA-1 • SHA designed by NIST (NSA) in ‘93 Brute force: 4 million PCs or US$ 100K hardware (1 year) • redesign after 2 years (’95) to SHA-1 90 90 80 80 [Wang+’05] 70 MD4 70 [Mendel+’08] 60 [Manuel+’09] MD5 60 [Wang+’04] 50 SHA-0 50 40 [McDonald+’09] SHA-1 SHA-1 40 30 30 20 Brute force 20 10 Largely unpublished/withdrawn 10 0 0 92 94 96 00 02 06 10 19 1992 19 19 1998 20 20 2004 20 2008 20 2003 2004 2005 2006 2007 2008 2009 2010 Prediction: collision for SHA-1 in the next 12-18 months

5 New Developments in Cryptography March 2012 Bart Preneel

NIST AHS competition (SHA-3) Round 2 Candidates • SHA-3: 224, 256, 384, and 512-bit message digests • (similar to SHA-2) Call: 02/11/07 Deadline (64): 31/10/08 Round 1 (51): 9/12/08 80 Round 2 (14): 24/7/09 64 Final (5): 10/12/10 51 60 Standard: Q4/12 40 20 14 5 1 0 Q4/08 Q3/09 Q4/10 Q4/12

round 1 round 2 final

Slide credit: Christophe De Cannière

Performance of hash functions - Bernstein (cycles/byte) Intel Intel Core 2 Quad Q9550; 4 x 2833MHz MAC algorithms 35 2001 • EMAC based on AES 30 • HMAC based on MD5/SHA-1 25 •GMAC 20 •UMAC

15 • NIST: 2 standards for 10 – CCM: CTR + CMAC [NIST SP 800-38C] 5 – GCM: CTR + GMAC [NIST SP 800-38C]

0 MD4 MD5 SHA-1 RMD- DES SHA- SHA- WhirlpWhirl AES- AES 160 (estimated) 256 512 -pool hash 34

HMAC based on MDx, SHA GMAC: polynomial MAC (NIST x K2 SP 800-38D ‘07 + 3GSM)

• Widely used in SSL/TLS/IPsec f2 128 •keys K1, K2 ∈ GF(2 ) K 128 • Attacks not yet dramatic 1 • input x: x1, x2, . . . , xt, with xi ∈ GF(2 ) f t i • NMAC weaker than HMAC 1 • g(x) = K1+ Σi=1 xi • (K2) • in practice: compute K1 = AESK(n) (CTR mode)

Rounds in f1 Rounds in f2 Data complexity • properties: MD4 48 48 288 CP & 295 time – fast in software and hardware (support from Intel) MD5 64 33 of 64 2126 CP MD5 64 64 251 CP & 2100 time (RK) – not very robust w.r.t. nonce reuse, truncation, MAC SHA(-0) 80 80 2109 CP verifications, due to reuse of K2 (not in 3GSM!) SHA-1 80 43 of 80 2154.9 CP – versions over GF(p) (e.g. -AES) seem more robust

36 35

6 New Developments in Cryptography March 2012 Bart Preneel

UMAC RFC 4418 (2006) How to use cryptographic algorithms

32 •key K, k1, k2 .., k256 ∈ GF(2 ) (1024 bytes) 32 • Modes of operation • input x: x1, x2, . . . , x256, with xi ∈ GF(2 ) • g(x) = prfK(h(x)) • and error messages 512 • h(x) = ( Σ (x + k ) mod 232 . (x + k ) mod 232 )mod 264 i=1 2i-1 2i-1 2i 2i • Authenticated encryption • properties – software performance: 1-2 cycles/byte • How to encrypt with RSA – forgery probability: 1/230 (provable lower bound) – [Handschuh-Preneel08] full key recovery with 240 verification queries

37 38

How NOT to use a block cipher: ECB mode An example plaintext

P1 P2 P3

block block block cipher cipher cipher

C1 C2 C3

39 40

Encrypted with substitution and Encrypted with AES in ECB and CBC mode

41 42

7 New Developments in Cryptography March 2012 Bart Preneel

How to use a block cipher: CBC mode CBC mode decryption

P1 P2 P3 P1 P2 P3 IV IV

AES AES AES AES-1 AES-1 AES-1

C1 C2 C3 C1 C2 C3

43 44

Reaction attack What if IV is constant?

P1 P2’ P3’ Eve What would the IV plaintext be?

AES AES AES

C1 C2’ C3’ Alice Bob Repetition in P results in repetition in C: ⇒ Meet me tonight at 20:00 information leakage need random and secret IV 45 at the Oude Markt 46

Reaction attack Reaction attack (attempt 1)

Eve Eve Let’s modify the ciphertext Sorry, you message is malformed

error

Alice Bob Alice Bob ldl ldl 47 48

8 New Developments in Cryptography March 2012 Bart Preneel

Reaction attack (attempt 2) Reaction attack (attempt 3)

Modify ciphertext Eve in a different way Eve

Sorry, you Sorry, you message is Fast forwardmessage is malformed malformed

error error

Alice Bob Alice Bob ldl ldl 49 50

Reaction attack (attempt 973) Reaction attacks: well known but… Meet me tonight at 20:00 at the Oude Markt Eve • [Bleichenbacher98] PKCS #1v1.5 – 1 million chosen ciphertexts; improved by [Klima-Pokorny-Rosa03] Great! Now I know • [Manger01] OAEP PKCS #1v2 – a few 1000 chosen the plaintext ciphertexts • [Bellare-Kohno-Namprempre 02]: SSH • [Vaudenay’02] SSL, IPsec, WTLS... ok • [Canvel-Hiltgen-Vaudenay-Vuagnoux03]: SSL/TLS • 2010: ASP.NET ok • 2011 XML encryption • Solutions: – don’t send error messages (bad engineering practice) Alice Bob – authenticated encryption

51 – MAC the ciphertexts and do not decrypt if MAC is incorrect52

CBC with incomplete plaintext (1) CBC with incomplete plaintext (2) Plaintext length Plaintext length in 1 byte in bytes bytes + 1100110011||0000….000 P1 P2 P3|| 1000..0 P1 P2 P3|| 0000..0 IV IV

AES-1 AES-1 AES-1 AES AES AES

C1 C2 C3 C1 C2 C3 53 + 1100110011||0000….000 54

9 New Developments in Cryptography March 2012 Bart Preneel

CBC with incomplete plaintext (3) XML Encryption attack Plaintext length in bytes • Reaction attack: chosen plaintext (decryption queries) + 1100110011||0000….000 and observe error message P1 P2 P3|| 1000..0 • XML decryption checks validity of plaintext (specific character encoding) • If the first 10 bits of P3 are equal to 1100110011 • [Jager-Somorovsky11] decrypt 160 bytes using 2000 then after the modification P3’ will be equal to 0 decryp tion quer ies (100 secon ds ) • The decryption will then produce an error message because the plaintext length field is incorrect • Countermeasure: • Conclusion: information on 1 byte of P3 can be – unified error message obtained using on average 128 chosen ciphertexts – changing mode – authenticated encryption: non-trivial • Protection: a careful implementation of random padding or authenticated encryption 55

Modes of Operation Authenticated encryption • CTR mode allows for pipelining • needed for network security, but only fully understood by crypto community around 2000 (too late) – Better area/speed trade-off • dump CBC mode!! • authentication: E-MAC and CMAC • standards: – E-MAC is CBC-MAC with extra encryption in last – CCM: CTR + CBC-MAC [NIST SP 800-38C] block –GCM: CTR + GMAC [NIST SP 800-38D] • bhboth are sub opti mal lb but patent f ree – NIST prefers CMAC (was OMAC) •IAPM • authenticated encryption: • properties •XECB – most applications need this primitive (ssh, TLS, – associated data •OCB IPsec, …) – parallelizable – on-line – for security against chosen ciphertext this is essential – “provable” security – NIST solution: GCM (very fast but lacks robustness) patented 57

Example: CCM: CTR + CBC-MAC Outline

SN || 0 || Length CBC IV CBC-MAC CBC-MAC "result" E E E ...E E ... E • Block ciphers/stream ciphers

Truncate T1 T2 P1 P2 Pn • Hash functions/MAC algorithms Cleartext data Plaintext covered by MAC • Modes of operation and authenticated

SN || 1 SN || 2 SN || n SN || n+1 encryption

Counter E E ... E E Mode • How to encrypt/sign using RSA • Multi-party computation C1 C2 Cn Cn+1 Ciphertext • Concluding remarks SN = packet sequence number (WEP "IV") 59 61

10 New Developments in Cryptography March 2012 Bart Preneel

RSA (‘78) Public-Key Cryptology • choose 2 “large” prime numbers p and • modulus n = p.q • new factorization record in January 2010: 768 bits • compute λ(n) = lcm(p-1,q-1) • upgrade your RSA-1024 keys (should have been doen in 2010) • choose e relatively prime w.r.t. λ(n) • compute d = e-1 mod λ(n) The security of RSA is • increased “acceptance” of ECC based on the “fact” that it is easy to generate two – example NSA Suite B in USA • public key = (e,n) large primes, but that it is – Certicom challenge: ECC2K-130: 1 year with 60 • private key = d of (p,q) hard to factor their KEURO (a large effort is underway) product – limited commercial deployment outside government • encryption: c = me mod n • progress on pairings leading to more efficient • decryption: m = cd mod n try to factor protocols 2419 62

Key lengths for confidentiality Generation of key pairs “Ron was wrong, Whit is right” http://www.ecrypt.eu.org http://print.iacr.org/2012/064.pdf duration symmetric RSA ECC • 11.7 million openly accessible public keys • 6.4 million distinct RSA moduli days/hours 50 512 100 • rest: ElGamal/DSA (50/50) and 1 ECDSA

5 years 73 1024 146 • 1. 1% of RSA keys occur in >1 certificate • 0.2% (12934 moduli) are easy to factor, because they form pairs 10-20 years 103 2048 206 like: n = p.q and n’ = p’.q so gcd(n,n’)=q • 40% of these have valid certs 30-50 years 141 4096 282 • reason: only 40-bit randomness in key generation combined with the birthday paradox • less of a problem for ElGamal/DSA: need to know how Assumptions: no quantum computers; randomness is produced and complexity is 240 key generations no breakthroughs; limited budget • ethical problem: how to report this?

If a large quantum computer can Quantum computers? be built...

• exponential parallelism n coupled quantum bits • All schemes based on factoring (such as RSA) will be insecure n 2 degrees of freedom ! • Same for discrete log (ECC) •Syyymmetric key sizes: x2 • Shor 1994: perfect for factoring • Hash sizes: x1.5 (?) • But: can a quantum computer be built? • Alternatives: McEliece, NTRU,… • So far it seems very hard to match performance of current systems while keeping the against conventional attacks

11 New Developments in Cryptography March 2012 Bart Preneel

Quantum computers • Size of quantum computer does not (yet) matter! • no solution for entity authentication problem Photon machine gun, 7 New scientist, Sept. 09 (bootstrapping needed with secret keys) 6 5 • no solution (yet) for multicast 4 3 •depppyppendent on physical properties of 2 communication channel 1 0 •cost 1995 1997 1999 2001 2003 2005 2007 2009 • implementation weaknesses (side channels) • More important is to keep a few qubits with high reliability for a sufficiently long time (decoherence)

Quantum hacking Quantum cryptography http://www.iet.ntnu.no/groups/optics/qcr/ •Security based – on the assumption that the laws of quantum physics are correct – rather than on the assumption that certain mathematical problems are hard

How to encrypt with RSA? How (not) to encrypt with RSA?

• Non-hybrid schemes • Assume that the RSA problem is hard – RSA-PKCS-1v1_5 (RSA Laboratories, 1993) • … so a fortiori we assume that factoring is hard – RSA-OAEP (Bellare-Rogaway, 1994) – RSA-OAEP+ (Shoup, 2000) – RSA-SAEP (Johnson et al., 2001) • How to encrypt with RSA? – RSA-SAEP+ (Boneh, 2001) – Hint: ensure that the plaintext is mapped to a •Hybrid schemes random element of [0,n-1] and then apply the RSA – RSA-KEM (Zheng-Seberry, 1992) Encryption Permutation (RSAEP) • RSA-KEM-DEM (Shoup, 2001) • RSA-REACT (Okamoto-Pointcheval, 2001) – RSA-GEM (Coron et al., 2002) 72 73

12 New Developments in Cryptography March 2012 Bart Preneel

RSA-PKCS-1v1_5 Diagram RSA PKCS-1v1_5 Random message nonzero bytes • Introduced in 1993 in PKCS #1 v1.5 padding • De facto standard for RSA encryption and keyyp transport – Appears in protocols such as TLS, S/MIME, ... 0002 00

EM Source: 75 RSA Labs Public Key RSAEP C 74

RSA-PKCS-1v1_5 Cryptanalysis Bleichenbacher’s attack

• Low-exponent RSA when very long messages are • Goal: decrypt c encrypted [Coppersmith+ ‘96/Coron ‘00] – choose random s, 0 < s < n – large parts of a plaintext is known or similar – computer c’ = c se mod n messages are encrypted with the same public – ask for decryption of c’: m’ key – compute m as m’/s mod n • Chosen ciphertext attack [Bleichenbacher ’98] • but m’ does not have the right format! – decryption oracle: ciphertext valid or not? • idea: try many random choices for s: – 1024-bit modulus: 1 million decryption queries – if no error message is received, we know that • These attacks are precluded by fixes in TLS 2B < (m s mod n) < 3B 8(k-2) 76 – with B = 2 (k length in bytes of the modulus)77

RSA-OAEP Diagram RSA-OAEP DB = pHash 00 ... 01 message

• designers: Bellare and Rogaway 1993 RNG • enhancements by Johnson and Matyas in 1996 (“encoding parameters”) MGF • already widely adopted in standards 00 – IEEE P1363 draft – ANSI X9.44 draft MGF – PKCS #1 v2.0 (PKCS #1 v2.1 draft) – ISO 18033-2 working draft 2000 EM Source: 79 Public Key RSAEP C 78 RSA Labs

13 New Developments in Cryptography March 2012 Bart Preneel

RSA OAEP - security RSA OAEP - security

[BR’93] RSA-OAEP is IND-CCA2 secure under • Improved chosen ciphertext attack [Manger, Crypto ‘01] RSA assumption in ROM • requires a few thousand queries (1.1 log2n) • opponent needs oracle that tells whether there is an error ithitin the integer-to-by te conversi on or i n th e OAEP Shoup ‘00: the proof is wrong decoding [FOPS 01] RSA-OAEP is IND-CCA2 secure under • overall conclusion: RSA Inc. is no longer recommending partial domain one-wayness RSA assumption in ROM the use of RSA-OAEP for RSA: partial domain one-wayness⇔ one-wayness if it’s provable secure, it probably isn’t Reduction is very weak ROM assumption is questionable80 81

How to encrypt with RSA How to sign with RSA? • public key: (n,e) •RSA-KEM • private key: d – encrypt 2 session keys with RSA •s = td mod n = t 1/e mod n – encrypt and MAC data with these 2 keys

• Recommended in NESSIE report • But (http://www.cryptonessie.org) and included in ISO – message M is often larger than modulus n 18033 – RSA(x*y) = RSA(x)*RSA(y) – RSA(0) = 0, RSA(1) = 1,… • Similar problems for signatures: ISO 9796-1 broken, PKCS#1 v1.0 questionable • Solution: hash and add redundancy –PKCS #1 82 – RSA-PSS 83

How (not) to sign with RSA: RSA Signatures: PKCS #1 v1.5 [source: RSA Labs] an attack on ISO 9796-2 [Coron+’09] M • History: public key: (n,e) – ISO 9796-1 (1991) was broken and withdrawn in 2001 Hash private key: d – ISO 9796-2 was repaired in 2002 after a first attack in 1999

• New forgery attack on 9796-2 that works for very t = 00 01 ff ff ff ff ff … ff ff ff 00 HashID H long RSA moduli (2048 bits) Generation of RSA signature on M: s = t d mod n = t 1/e mod n – any160-bit hash function: 800$ on Amazon cloud – the specific EMV variant: 45K$ Verification of RSA signature s on M Compute t = se mod n and check that t has the required format • Not a practical threat to 750 million EMV cards since the attack requires a large number of chosen texts Problem: most signature verification software would (600,000) accept a signature on M of the following form: 85 00 01 ff … ff 00 HashID H Magic

14 New Developments in Cryptography March 2012 Bart Preneel

Attack on PKCS #1 v1.5 implementations (1) [Bleichenbacher06] Fix of Bleichenbacher’s attack 00 01 ff… ff 00 HashID H Magic • Write proper verification (but the signer cannot • consider RSA with public exponent e = 3 know which code the verifier will use) • for any hash value H, it is easy to compute a string “Magic” such that the above string is a perfect cube • Use a public exponent that is at least 32 bits of 3072 bits • example of a perfect cube 1728 = 123 • Upgrade – finally – to RSA-PSS • consequence: – one can sign any message (H) without knowing the private key – this signature works for any public key that is longer than 3072 bits • vulnerable: OpenSSL, Mozilla NSS, GnuTLS 86 87

Secure implementations of Secure Computation cryptography • Error messages and APIs (cf. supra) • Side channels – Timing attacks – Power attacks – Acoustic attacks • PKI • Banking Multi-party computation – Electromagnetic attacks • Credit card • Fault attacks • Google “you can trust it because you •… don’t have to”

88

Multi-party computation becomes Fully homomorphic encryption “truly practical” • From E(x) and E(y), you can compute E(x+y), E(c.x) and E(x.y) without decrypting • Similar to first public key libraries 20 years ago • Many cool applications including cloud computing • [Gentry’09] ideal lattices = breakthrough – EU: CACE project (Computer Aided Cryptography Engineering), www.cace-project.eu • First implementations require only seconds [Vercauteren-Smart’10], [Gentry-Halevi’10]…. – US: Brown Univ. + UCSD (()Usenix 2010) – but to ciphertext for 1 bit is 3 million bits and public key is •Examples several Mbyte • Substantial improvements if restricted operations – efficient zero-knowledge proofs – 2-party computation of AES (Bristol) – secure auction of beetroots in Denmark (BRICS) lattice lettuce – oblivious transfer for road pricing (COSIC)

15 New Developments in Cryptography March 2012 Bart Preneel

Cryptographic algorithm selection Cryptographic standards

• Standards? • Algorithms historically sensitive (e.g., GSM) • Public domain versus proprietary • Choices with little technical motivation (e.g., RC2 and MD2) • Upgrades • Little or no coordination effort (even within IETF) • Technically difficult

A.S. Tanenbaum: “The nice thing about 92 standards is there's so many to choose from” 93

Major Standardization Bodies in Cryptography Independent evaluation efforts • International – ISO and ISO/IEC International Organization for Standardization • NIST (US) (1997-2001): block cipher AES for – ITU: International Telecommunications Union FIPS 197 (http://csrc.nist.gov/CryptoToolkit/aes/) – IETF: Internet Engineering Task Force • CRYPTREC (Japan) (2000-2003 and 2009-2012): – IEEE: Institute of Electrical and Electronic Engineers • National cryptographic algorithms and protocols for – ANSI: American National Standards Institute government use in Japan –NISilifSdddhlST: National Institute of Standards and Technology (http:// www.i pa.go.j p/ securit y) • European • EU-funded IST-NESSIE Project (2000-2003): new – CEN: Comité Européen de Normalisation – ETSI: European Telecommunications Standards Institute cryptographic primitives based on an open evaluation • Industry procedure (http://www.cryptonessie.org) – PKCS, SECG • ECRYPT eSTREAM (2004-2007): stream cipher – W3C, OASIS, Liberty Alliance, Wi-Fi Alliance, BioAPI, WS-Security, TCG competition – GP, PC/SC, Open Card Framework, Multos • NIST (US) (2007-2012): hash function SHA-3 for 94 FIPS 197 (http://csrc.nist.gov/CryptoToolkit/aes/) 95

Proprietary/secret algorithms Many insecure algorithms in use

• No “free” public • Fewer problems with • Do it yourself (snake oil) evaluations rumors and “New York • Export controls Times” attacks • Risk of snake oil • Increased computational power for attacks (64-bit • Cost of (re)-evaluation • Extra reaction time if keys are no longer adequate) problems very high • Cryptanalysis progress - including errors in proofs • Fewer problems with • No economy of scale in • Upgrading is often too hard by design implementation attacks implementations – cost issue • Can use crypto for IPR • Reverse engineering – backward compatibility and licensing – version roll-back attacks

96 97

16 New Developments in Cryptography March 2012 Bart Preneel

Upgrade problem And the good news

• GSM: A5/3 takes a • Negotiable algorithms • Many secure and free solutions available long time in SSH, TLS, IPsec,… today: AES, RSA,… • Bluetooth: E0 • With some reasonable confidence in secure hardwired • But even then these • TCG: chip with fixed protocols have • Cost of strong crypto decreasing except for algorithms problems getting rid of “niche applications” (ambient intelligence) • MD5 and SHA-1 MD5/SHA-1 widely used In spite of all the problems, cryptography is Make sure that you do not use the same key with a weak certainly not the weakest link in our security chain and a strong variant (e.g. GSM A5/2 and A5/3) 98 99

What to use (generic solutions) Challenges for crypto security for 50-100 years • Authenticated encryption mode (OCB, CWC, authenticated encryption of Terabit/s networks CCM, or even GCM) with 3-key 3-DES or -low power/footprint AES • Hash functions: RIPEMD -160, SHA -256, performance SHA-512 or Whirlpool secure software and • Public key encryption: RSA-KEM or ECIES hardware • Digital signatures: RSA-PSS or ECDSA implementations • Protocols: TLS 1.2, SSH, IKE(v2) algorithm agility cost security

100

Conclusions: cryptography Conclusions (2): cryptography

• Can only move and simplify your problems • Leave it to the experts • Solid results, but still relying on a large • Do not do this at home number of unproven assumptions and beliefs • Make sure you can upgrade • Not the bottleneck or problem in most • IlImplementi iing it correctl lihdy is hard security systems • Secure computation very challenging and • To paraphrase Laotse, you cannot create promising: reduce trust in individual building trust with cryptography, no matter how much blocks cryptography you use -- Jon Callas.

102 103

17 New Developments in Cryptography March 2012 Bart Preneel

Selected books on cryptology • D. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd Ed., 2005. Solid introduction, but only for the mathematically inclined. • A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. The bible of modern cryptography. Thorough and complete reference work – not suited as a first text book. Freely available at http://www.cacr.math.uwaterloo.ca/hac • N. Smart, Cryptography, An Introduction: 3rd Ed., 2008. Solid and up to date but on the mathematical side. Freely available at http://www.cs.bris.ac.uk/~nigel/Crypto_Book/ • B. Schneier, Applied Cryptography, Wiley, 1996. Widely popular and very accessible – make sure you get the errata, online • Other authors: Johannes Buchmann, 104

18