DOCSLIB.ORG

An Analysis of the Transport Layer Security Protocol

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

An Analysis of the Transport Layer Security Protocol Thyla van der Merwe Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group School of Mathematics and Information Security Royal Holloway, University of London 2018 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson. The work presented in this thesis is the result of original research I conducted, in collabo- ration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Thyla van der Merwe March, 2018 2 Dedication To my niece, Emma. May you always believe in your abilities, no matter what anybody tells you, and may you draw on the strength of our family for support, as I have done (especially your Gogo, she’s one tough lady). “If you’re going through hell, keep going.” Winston Churchill 3 Abstract The Transport Layer Security (TLS) protocol is the de facto means for securing commu- nications on the World Wide Web. Originally developed by Netscape Communications, the protocol came under the auspices of the Internet Engineering Task Force (IETF) in the mid 1990s and today serves millions, if not billions, of users on a daily basis. The ubiquitous nature of the protocol has, especially in recent years, made the protocol an attractive target for security researchers. Since the release of TLS 1.2 in 2008, the protocol has suffered many high-profile, and increasingly practical, attacks. Coupled with pressure to improve the protocol’s efficiency, this deluge of identified weaknesses prompted the IETF to develop a new version of the protocol, namely TLS 1.3. In the development of the new version of the protocol, the IETF TLS Working Group has adopted an “analysis-prior-to-deployment” design philosophy. This is in sharp contrast to all previous versions of the protocol. We present an account of the TLS standardisation narrative, commenting on the differences between the reactive development process for TLS 1.2 and below, and the more proactive design process for TLS 1.3. As part of this account, we present work that falls on both sides of this design transition. We contribute to the large body of work highlighting weaknesses in TLS 1.2 and below by presenting two classes of attacks against the RC4 stream cipher when used in TLS. Our attacks exploit statistical biases in the RC4 keystream to recover TLS-protected user passwords and cookies. Next we present a symbolic analysis of the TLS 1.3 draft specification, using the Tamarin prover, to show that TLS 1.3 meets the desired goals of authenticated key exchange, thus contributing to a concerted effort by the TLS community to ensure the protocol’s robustness prior to its official release. 4 Contents Publications 9 Acknowledgements 10 I Motivation and Background 12 1 Introduction 13 1.1 Motivation . 13 1.2 Thesis Structure . 16 2 Preliminaries 19 2.1 The TLS Protocol . 19 2.2 TLS 1.2 and Below . 21 2.2.1 The Handshake Protocol . 21 2.2.2 The Record Protocol . 24 2.2.3 Security Properties . 24 2.3 TLS 1.3 . 26 2.4 TLS 1.3 draft-10 ................................ 28 2.4.1 The Handshake Protocol . 28 2.4.2 The Record Protocol . 32 2.4.3 Security Properties . 32 2.5 TLS 1.3 draft-21 ................................ 34 2.5.1 The Handshake Protocol . 34 2.5.2 The Record Protocol . 38 2.5.3 Post-Handshake Mechanisms . 38 2.5.4 Security Properties . 39 3 Reactive and Proactive Standardisation of TLS 42 3.1 Post-Deployment Analysis . 42 5 CONTENTS 3.1.1 Design, Release, Break, Patch . 43 3.1.2 Fixes, Constraints and Time Lags . 46 3.1.3 Impact and Incentives . 49 3.2 Pre-Deployment Analysis . 49 3.2.1 Design, Break, Fix, Release . 49 3.2.2 Available Tools . 54 3.2.3 Impact and Incentives . 56 II Attacking TLS 1.2 and Below 58 4 Password Recovery Attacks Against RC4 59 4.1 Introduction . 59 4.2 Preliminaries . 64 4.2.1 Bayes’ Theorem . 65 4.2.2 The RC4 Algorithm . 65 4.2.3 Single-byte Biases in the RC4 Keystream . 66 4.2.4 Double-byte Biases in the RC4 Keystream . 67 4.2.5 RC4 and the TLS Record Protocol . 71 4.2.6 Passwords . 73 4.3 Plaintext Recovery via Bayesian Analysis . 74 4.3.1 Formal Bayesian Analysis . 74 4.3.2 Using a Product Distribution . 77 4.3.3 Double-byte-based Approximation . 79 4.4 Simulation Results . 82 4.4.1 Methodology . 82 4.4.2 Results . 84 4.5 Practical Validation . 94 4.5.1 The BasicAuth Protocol . 95 4.5.2 Attacking BasicAuth . 95 4.6 Conclusion . 98 5 Analysing and Exploiting the Mantin Biases in RC4 100 5.1 Introduction . 101 5.2 Preliminaries . 104 5.2.1 Inferential Form of Bayes’ Theorem . 104 6 CONTENTS 5.2.2 Order Statistics . 105 5.2.3 The Mantin Biases . 106 5.2.4 Dynamic Programming Algorithms . 106 5.3 Plaintext Recovery using the Mantin Biases . 107 5.3.1 Maximum Likelihood Estimation . 107 5.3.2 Plaintext Recovery Attack . 110 5.3.3 Distribution of the Maximum Likelihood Statistic and Attack Per- formance . 111 5.3.4 Incorporating Prior Information about Plaintext Bytes . 116 5.4 Recovering Multiple Plaintext Bytes . 119 5.4.1 A Likelihood Analysis for Multiple Plaintext Bytes . 120 5.4.2 Algorithms for Recovering Multiple Plaintext Bytes . 121 5.5 Simulation Results . 123 5.5.1 Methodology . 123 5.5.2 Results . 124 5.6 Conclusion . 126 III Verifying TLS 1.3 130 6 Automated Analysis and Verification of draft-10 131 6.1 Introduction . 131 6.2 Preliminaries . 135 6.2.1 Symbolic Analysis . 135 6.2.2 Tamarin Fundamentals . 136 6.3 draft-10 Analysis . 150 6.3.1 Building the Model . 153 6.3.2 Encoding Security Properties . 158 6.3.3 Analysis and Results . 162 6.3.4 Attacking Post-handshake Client Authentication . 165 6.4 Conclusion . 169 7 Automated Analysis and Verification of draft-21 171 7.1 Introduction . 171 7.2 Preliminaries . 174 7.3 draft-21 Analysis . 174 7 CONTENTS 7.3.1 Building the Model . 178 7.3.2 Encoding Security Properties . 186 7.3.3 Analysis and Results . 194 7.4 Conclusion . 198 IV Concluding Remarks 200 8 Conclusion 201 Bibliography 202 A STS .spthy File 221 8 Publications This thesis is based on the following five publications, to which each author contributed equally: 1. Christina Garman, Kenneth G. Paterson, and Thyla van der Merwe. Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS. In 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015., pages 113-128, 2015. 2. Cas Cremers, Marko Horvat, Sam Scott, and Thyla van der Merwe. Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016., pages 470-485, 2016. 3. Kenneth G. Paterson and Thyla van der Merwe. Reactive and Proactive Standardis- ation of TLS. In Security Standardisation Research - Third International Conference, SSR 2016, Gaithersburg, MD, USA, December 5-6, 2016., pages 160-186, 2016. 4. Cas Cremers, Marko Horvat, Jonathan Hoyland, Sam Scott, and Thyla van der Merwe. A Comprehensive Symbolic Analysis of TLS 1.3. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, pages 1773-1788, 2017. 5. Remi Bricout, Kenneth G. Paterson, Sean Murphy, and Thyla van der Merwe. Analysing and Exploiting the Mantin Biases in RC4. Designs, Codes and Cryptogra- phy, 86(4):743-770, April 2018. 9 Acknowledgements I would like to thank my supervisor, Kenny Paterson, for his guidance and support over the course of my Ph.D., and for facilitating a number of excellent research opportunities. Thank you for always making time for my work. I would also like to thank Cas Cremers for being an incredible mentor, collaborator, and friend. Your constant encouragement has meant the world to me. Thanks go to Eric Rescorla for hosting me at Mozilla as an intern (twice!), and for teaching me a great deal about the protocol upon which this thesis is based, TLS. Your advice, and help, over the years have been instrumental in dictating the direction of my research. I also thank Christine Swart for sparking my interest in cryptography many moons ago. Sam Scott and Jonathan Hoyland, I will never forget our Tamarin adventures, and I thank you for your patience and good humour. Sam, I can’t believe that we ventured down the Tamarin rabbit hole more than once! Thank you for teaching me so much about the tool, and for introducing me to dulce de leche during our time in California. I have been fortunate to have worked with a host of impressive and inspiring collaborators, I thank you all. Sheila Cobourne, I thank you for helping me to start the Women In the Security Domain and/Or Mathematics (WISDOM) group, and for instilling in me a love of cake. I also thank Thalia Laing for her calming influence on the group. I thank my Ph.D. office mates for creating a lively working environment, and my friends, James Hourston, Jayni Shah, Marc Nimmerrichter, Sarah Frewen and Marianne Jonassen for making me laugh when the journey seemed long, dark, and arduous.
Recommended publications
  • Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

    Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

    Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget and Juraj Somorovsky, Ruhr University Bochum; Nimrod Aviram, Tel Aviv University; Craig Young, Tripwire VERT; Janis Fliegenschmidt and Jörg Schwenk, Ruhr University Bochum; Yuval Shavitt, Tel Aviv University https://www.usenix.org/conference/usenixsecurity19/presentation/merget This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities Robert Merget1, Juraj Somorovsky1, Nimrod Aviram2, Craig Young3, Janis Fliegenschmidt1, Jörg Schwenk1, and Yuval Shavitt2 1Ruhr University Bochum 2Department of Electrical Engineering, Tel Aviv University 3Tripwire VERT Abstract the encryption key. The attack requires a server that decrypts a message and responds with 1 or 0 based on the message va- The TLS protocol provides encryption, data integrity, and lidity. This behavior essentially provides the attacker with a authentication on the modern Internet. Despite the protocol’s cryptographic oracle which can be used to mount an adaptive importance, currently-deployed TLS versions use obsolete chosen-ciphertext attack. The attacker exploits this behavior cryptographic algorithms which have been broken using var- to decrypt messages by executing adaptive queries.Vaudenay ious attacks. One prominent class of such attacks is CBC exploited a specific form of vulnerable behavior, where im- padding oracle attacks. These attacks allow an adversary to plementations validate the CBC padding structure and re- decrypt TLS traffic by observing different server behaviors spond with 1 or 0 accordingly.
  • On the NIST Lightweight Cryptography Standardization

    On the NIST Lightweight Cryptography Standardization

    On the NIST Lightweight Cryptography Standardization Meltem S¨onmez Turan NIST Lightweight Cryptography Team ECC 2019: 23rd Workshop on Elliptic Curve Cryptography December 2, 2019 Outline • NIST's Cryptography Standards • Overview - Lightweight Cryptography • NIST Lightweight Cryptography Standardization Process • Announcements 1 NIST's Cryptography Standards National Institute of Standards and Technology • Non-regulatory federal agency within U.S. Department of Commerce. • Founded in 1901, known as the National Bureau of Standards (NBS) prior to 1988. • Headquarters in Gaithersburg, Maryland, and laboratories in Boulder, Colorado. • Employs around 6,000 employees and associates. NIST's Mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 2 NIST Organization Chart Laboratory Programs Computer Security Division • Center for Nanoscale Science and • Cryptographic Technology Technology • Secure Systems and Applications • Communications Technology Lab. • Security Outreach and Integration • Engineering Lab. • Security Components and Mechanisms • Information Technology Lab. • Security Test, Validation and • Material Measurement Lab. Measurements • NIST Center for Neutron Research • Physical Measurement Lab. Information Technology Lab. • Advanced Network Technologies • Applied and Computational Mathematics • Applied Cybersecurity • Computer Security • Information Access • Software and Systems • Statistical
  • Secure Shell- Its Significance in Networking (Ssh)

    Secure Shell- Its Significance in Networking (Ssh)

    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
  • TS 102 176-1 V2.1.1 (2011-07) Technical Specification

    TS 102 176-1 V2.1.1 (2011-07) Technical Specification

    ETSI TS 102 176-1 V2.1.1 (2011-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms 2 ETSI TS 102 176-1 V2.1.1 (2011-07) Reference RTS/ESI-000080-1 Keywords e-commerce, electronic signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
  • Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Arxiv:1911.09312V2 [Cs.CR] 12 Dec 2019

    Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1.
  • A Security Analysis of the WPA-TKIP and TLS Security Protocols

    A Security Analysis of the WPA-TKIP and TLS Security Protocols

    ARENBERG DOCTORAL SCHOOL Faculty of Engineering Science A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy Vanhoef Supervisor: Dissertation presented in partial Prof. dr. ir. F. Piessens fulfillment of the requirements for the degree of Doctor in Engineering Science: Computer Science July 2016 A Security Analysis of the WPA-TKIP and TLS Security Protocols Mathy VANHOEF Examination committee: Dissertation presented in partial Prof. dr. ir. P. Van Houtte, chair fulfillment of the requirements for Prof. dr. ir. F. Piessens, supervisor the degree of Doctor in Engineering Prof. dr. ir. C. Huygens Science: Computer Science Prof. dr. D. Hughes Prof. dr. ir. B. Preneel Prof. dr. K. Paterson (Royal Holloway, University of London) July 2016 © 2016 KU Leuven – Faculty of Engineering Science Uitgegeven in eigen beheer, Mathy Vanhoef, Celestijnenlaan 200A box 2402, B-3001 Leuven (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotokopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm, electronic or any other means without written permission from the publisher. Preface When I started my PhD four years ago, I thought people were exaggerating when they said that doing a PhD was a unique and special experience. Turns out I was wrong: it is indeed quite the journey! It was a roller coaster of exciting and sometimes no so exciting research results, late-night deadline races, moments of doubt, enriching and rewarding travels, grueling dilemmas, facing your own limitations,.
  • Guidelines on Cryptographic Algorithms Usage and Key Management

    Guidelines on Cryptographic Algorithms Usage and Key Management

    EPC342-08 Version 7.0 4 November 2017 [X] Public – [ ] Internal Use – [ ] Confidential – [ ] Strictest Confidence Distribution: Publicly available GUIDELINES ON CRYPTOGRAPHIC ALGORITHMS USAGE AND KEY MANAGEMENT Abstract This document defines guidelines on cryptographic algorithms usage and key management. Document Reference EPC342-08 Issue Version 7.0 Date of Issue 22 November 2017 Reason for Issue Maintenance of document Produced by EPC Authorised by EPC Document History This document was first produced by ECBS as TR 406, with its latest ECBS version published in September 2005. The document has been handed over to the EPC which is responsible for its yearly maintenance. DISCLAIMER: Whilst the European Payments Council (EPC) has used its best endeavours to make sure that all the information, data, documentation (including references) and other material in the present document are accurate and complete, it does not accept liability for any errors or omissions. EPC will not be liable for any claims or losses of any nature arising directly or indirectly from use of the information, data, documentation or other material in the present document. Conseil Européen des Paiements AISBL– Cours Saint-Michel 30A – B 1040 Brussels Tel: +32 2 733 35 33 – Fax: +32 2 736 49 88 Enterprise N° 0873.268.927 – www.epc-cep.eu – [email protected] © 2016 Copyright European Payments Council (EPC) AISBL: Reproduction for non-commercial purposes is authorised, with acknowledgement of the source Table of Content MANAGEMENT SUMMARY ............................................................. 5 1 INTRODUCTION .................................................................... 7 1.1 Scope of the document ...................................................... 7 1.2 Document structure .......................................................... 7 1.3 Recommendations ............................................................ 8 1.4 Implementation best practices .........................................
  • BIP Note 18 Binding Implementation Practice (BIP) Note

    BIP Note 18 Binding Implementation Practice (BIP) Note

    Superannuation Transaction Network BIP Note 18 Binding Implementation Practice (BIP) Note Title: TLS Configuration and Cryptography Date: 10 Nov 201 5 Standards Version: 1.0 Scope [ x ] transport layer Status: [ ] Draft [ ] message payload [x ] Ratified [ x ] security Live Date: 25 February 2016 On this date this BIP note will be binding on all participants 1. Change This document sets requirements for SSL/TLS configuration within the STN. 2. Reason for Change Secure message exchange within the STN is fully dependent on HTTPS protocol (HTTP over TLS). SSL 3.0 has existed for at least 15 years. It was superseded by TLS 1.0 which was in turn replaced by TLS 1.1 and TLS 1.2. Cryptography standards used in SSL and early versions of TLS are now deprecated and do not provide sufficient level of security. Clause 6.6(a) of Superannuation Data and Gateway Services Standards for Gateway Operators transaction within the Superannuation Transaction Network document requires STN gateways to use “a minimum level of protection of Transport Layer Security (TLS) of version 1.1 or above”. Majority of the STN gateways supports TLS versions 1.0 through 1.2 at the server side (some gateways still support SSL 3.0). However, only a few gateways support modern TLS versions at the client side resulting majority of transactions within the STN being sent through TLS 1.0 channel. In order to eliminate vulnerabilities of the obsolete SSL/TLS protocols, SSL 3.0 and TLS 1.0 must be completely disabled. Mozilla Foundation recommends not to include TLS 1.0 into “Modern” configuration set for web- servers and limits its usage only for backward-compatibility purposes (given that STN is P2P network with a limited number of participants, backward-compatibility issue is not relevant).
  • Cs 255 (Introduction to Cryptography)

    Cs 255 (Introduction to Cryptography)

    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
  • Study on the Use of Cryptographic Techniques in Europe

    Study on the Use of Cryptographic Techniques in Europe

    Study on the use of cryptographic techniques in Europe [Deliverable – 2011-12-19] Updated on 2012-04-20 II Study on the use of cryptographic techniques in Europe Contributors to this report Authors: Edward Hamilton and Mischa Kriens of Analysys Mason Ltd Rodica Tirtea of ENISA Supervisor of the project: Rodica Tirtea of ENISA ENISA staff involved in the project: Demosthenes Ikonomou, Stefan Schiffner Agreements or Acknowledgements ENISA would like to thank the contributors and reviewers of this study. Study on the use of cryptographic techniques in Europe III About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU leg- islation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact details For contacting ENISA or for general enquiries on cryptography, please use the following de- tails: E-mail: [email protected] Internet: http://www.enisa.europa.eu Legal notice Notice must be taken that this publication represents the views and interpretations of the au- thors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011.
  • On the Security of the PKCS#1 V1.5 Signature Scheme

    On the Security of the PKCS#1 V1.5 Signature Scheme

    On the Security of the PKCS#1 v1.5 Signature Scheme Tibor Jager1 Saqib A. Kakvi1 Alexander May2 September 10, 2018 1Department of Computer Science, Universitat¨ Paderborn ftibor.jager,[email protected] 2Hortz Gortz¨ Institute, Ruhr Universitat¨ Bochum [email protected] Abstract The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends a replacement the more complex and less efficient scheme RSA-PSS, as it is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes standard proof techniques not applicable. We introduce a new technique that enables the first security proof for RSA-PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model and the parameters deviate slightly from the standard use, because we require a larger output length of the hash function. However, we also show how RSA-PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply.
  • You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries Jenny Blessing Michael A. Specter Daniel J. Weitzner MIT MIT MIT Abstract A common aphorism in applied cryptography is that cryp- The security of the Internet rests on a small number of open- tographic code is inherently difficult to secure due to its com- source cryptographic libraries: a vulnerability in any one of plexity; that one should not “roll your own crypto.” In par- them threatens to compromise a significant percentage of web ticular, the maxim that complexity is the enemy of security traffic. Despite this potential for security impact, the character- is a common refrain within the security community. Since istics and causes of vulnerabilities in cryptographic software the phrase was first popularized in 1999 [52], it has been in- are not well understood. In this work, we conduct the first voked in general discussions about software security [32] and comprehensive analysis of cryptographic libraries and the vul- cited repeatedly as part of the encryption debate [26]. Conven- nerabilities affecting them. We collect data from the National tional wisdom holds that the greater the number of features Vulnerability Database, individual project repositories and in a system, the greater the risk that these features and their mailing lists, and other relevant sources for eight widely used interactions with other components contain vulnerabilities. cryptographic libraries. Unfortunately, the security community lacks empirical ev- Among our most interesting findings is that only 27.2% of idence supporting the “complexity is the enemy of security” vulnerabilities in cryptographic libraries are cryptographic argument with respect to cryptographic software.