DOCSLIB.ORG

Side Channel Analyses of CBC Mode Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Side Channel Analyses of CBC Mode Encryption Side Channel Analyses of CBC Mode Encryption Arnold K. L. Yau Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2009 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson and Professor Chris J. Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathematics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Arnold K. L. Yau 2 Acknowledgements It was my great fortune to have met my supervisor Kenny Paterson during my undergrad- uate studies, who introduced to me the fascinating world of cryptography and security, and who subsequently encouraged me to pursue a doctorate in the subject. Over the course of my studies, his guidance, patience and encouragement have been invaluable and indeed indispensable. His uncompromising pursuit of conducting quality and thorough research has not only helped me to develop as a researcher, but has also taken the result of our research much further than I had anticipated. His depth and breath of knowledge in information security has been inspirational and influential for my career development. I wish to express my deepest gratitude to Kenny. I am also grateful to my academic advisor Chris Mitchell whose knowledge and expe- rience in international standards have given me a level of access to the standardisation process that would otherwise have been unavailable. Credits are also due to him for pro- viding the concept for an attack that has become a published paper and the basis of one of the thesis chapters. Special thanks to Nessim Kisserli for his help with the laboratory set-up. I wish him success in all his future endeavours. Thanks also to the UK's Engineering and Physical Sciences Research Council (EPSRC) and Hewlett-Packard Laboratories for their financial support, which smoothed the way to fulfilling my commitment to the requisite academic studies for a doctorate. Many thanks to the group of fellow researchers at Royal Holloway, with whom I have shared many a fond memory. In a variation to the Enigma Variations (and with apologies to Sir Edward Elgar), they are, in no particular order: F.Y.S., Y.P.W., &.G., Sergio, L.H.W., O.Z., H.S.L., Dao, P.J., S.A-R., T.Q., S.X., A.P., A.M., S.B., N.B., C.S.J., and J.F.D.I.. Finally, I must thank my parents who provided me with the ability, opportunity and freedom to pursue my interests. 3 Abstract A block cipher encrypts data one block at a time. For bulk data encryption, a block cipher is usually used in a mode of operation. Cipher Block Chaining (CBC) mode encryption is one of the most commonly used modes of operation. The security properties of CBC mode encryption have been studied extensively. One well-known attack against CBC mode encryption allows an attacker, with some restric- tions, to flip abitrary bits in the plaintext. In this thesis we present attacks using the bit flipping technique, in the presence of a side channel, to recover plaintext with varying degrees of efficiency. A side channel is a means by which confidential information about the plaintext is inadvertently leaked to an attacker, who then exploits the information to further his attacks. Error reporting is a common type of side channel in real cryptographic systems. We first examine the use of CBC mode encryption with some padding methods speci- fied by ISO standards, and analyse the security of those combinations in the presence of a padding oracle as a side channel. A padding oracle, first introduced in a paper by Vaude- nay, is a type of error oracle that reveals padding correctness information to an attacker. We show that, in a relaxed attack model in which initialisation vectors (IVs) are public, we can exploit a padding oracle to efficiently extract plaintext bits. We then show that in a stricter attack model (secret and random IVs), the padding schemes are still vulnerable to padding oracle attacks and therefore still weak. Putting theory into practice, we go on to investigate the applicability of error oracle attacks to IPsec, a suite of protocols commonly used to implement Virtual Private Net- works (VPNs) to secure the exchange of IP datagrams at the network layer. When IPsec is configured not to use integrity protection, a usage mode supported by IPsec standards, we show that a variety of efficient attacks are available for an attacker to recover plaintext datagrams, sometimes highly efficiently. By carefully manipulating encrypted IP data- grams, the attacker triggers the generation of Internet Control Message Protocol (ICMP) messages which he then intercepts. The ICMP messages, providing an error reporting side channel, contain plaintext information which can then be used to reconstruct plaintext datagrams in full. Finally, we present our view on the future of CBC mode encryption in the light of our attacks, and conclude with reflections on our experience of cryptography in theory and practice. 4 Contents 1 Introduction 14 1.1 Motivation and Contributions.......................... 14 1.2 Thesis Structure................................. 14 1.3 Publications.................................... 15 2 Preliminaries 16 2.1 Introduction.................................... 16 2.2 A High-Level Classification of Encryption Algorithms............ 16 2.2.1 Symmetric and Asymmetric Key Encryption Algorithms....... 16 2.2.2 Block Ciphers............................... 17 2.2.3 Stream Ciphers.............................. 17 2.2.4 Distinction between Block Ciphers and Stream Ciphers....... 18 2.3 Modes of Operation............................... 19 2.3.1 ECB Mode................................ 19 2.3.2 CBC Mode................................ 20 2.3.3 Other modes............................... 22 2.4 Integrity Protection and Authentication.................... 23 2.4.1 Hash Functions.............................. 24 2.4.2 Message Authentication Codes..................... 24 2.5 Attacks...................................... 25 2.6 Combined Modes of Operation......................... 26 2.7 Side channel Attacks............................... 27 2.7.1 Error Messages.............................. 28 2.7.2 Timing.................................. 31 2.7.3 Power Analysis.............................. 33 2.7.4 Electromagnetic Emanation Analysis.................. 34 2.7.5 Further Research............................. 36 2.8 Chapter Summary................................ 37 3 Padding Oracle Attacks on Proposed ISO/IEC 10116-1 38 3.1 Introduction.................................... 38 3.1.1 Padding Oracle Attacks......................... 38 3.1.2 ISO standards on Modes of Operation................. 39 3.1.3 Overview of Attacks........................... 39 5 CONTENTS 3.2 Attacking the Padding Methods of ISO/IEC 9797-1............. 40 3.2.1 The standard.............................. 40 3.2.2 Padding Method 1............................ 40 3.2.3 Padding Method 2............................ 41 3.2.4 Padding method 3............................ 41 3.3 Attacking the Padding Methods of ISO/IEC 10118-1............. 47 3.3.1 The standard............................... 47 3.3.2 Padding method 3............................ 47 3.4 Recommendations................................ 55 3.5 Chapter Summary................................ 56 4 Further Attacks on Proposed ISO/IEC 10116 57 4.1 Introduction.................................... 57 4.2 Overview..................................... 57 4.2.1 Attack Models.............................. 58 4.3 Analysis of Padding Method 3 of ISO/IEC 9797-1.............. 59 4.3.1 Review of Padding Method and Previous Attack........... 59 4.3.2 An Attack with Secret and Random IVs................ 60 4.3.3 Complexity and Impact......................... 62 4.3.4 Limitations................................ 63 4.3.5 Comparison................................ 63 4.4 Analysis of Padding Method 3 of ISO/IEC 10118-1.............. 64 4.4.1 Review of Padding Method and Previous Attacks........... 64 4.4.2 Attacking an Arbitrary Ciphertext Block............... 65 4.4.3 Attacking the Last Block(s)....................... 69 4.5 Dealing with Multiple IVs............................ 75 4.6 The Published ISO/IEC 10116:2006 Standard................. 77 4.6.1 Our Assessment of the Draft Standard................. 77 4.6.2 The Published Standard......................... 77 4.7 Chapter Summary................................ 78 4.8 Conclusions.................................... 78 5 Attacks in Theory and Practice: IPsec 80 5.1 Introduction.................................... 80 5.2 Internet Protocol................................. 80 5.2.1 IP Datagram Header........................... 81 5.2.2 ICMP................................... 83 5.3 IP Security.................................... 84 5.3.1 IPsec Architecture............................ 86 5.3.2 ESP.................................... 88 5.3.3 Evolution of ESP............................. 91 5.3.4 AH..................................... 93 6 CONTENTS 5.3.5 Internet Key Exchange Protocols: IKE and IKEv2.......... 94 5.3.6 Other IPsec Features........................... 96 5.3.7 Common Configurations......................... 98 5.3.8 IPsec Implementations.......................... 99 5.3.9 Critique and Attacks on IPsec....................
Load more

Recommended publications
  • Cache-Timing Attack Against Aes Crypto System - Countermeasures Review
    Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Cache-timing attack against aes crypto system - countermeasures review Yaseen H. Taha University of Khartoum Settana M. Abdulh University of Khartoum Naila A. Sadalla University of Khartoum Huwaida Elshoush University of Khartoum Follow this and additional works at: https://ro.ecu.edu.au/ism Part of the Information Security Commons DOI: 10.4225/75/57b65fd1343d3 12th Australian Information Security Management Conference. Held on the 1-3 December, 2014 at Edith Cowan University, Joondalup Campus, Perth, Western Australia. This Conference Proceeding is posted at Research Online. https://ro.ecu.edu.au/ism/166 CACHE-TIMING ATTACK AGAINST AES CRYPTO SYSTEM - COUNTERMEASURES REVIEW Yaseen.H.Taha, Settana.M.Abdulh, Naila.A.Sadalla, Huwaida Elshoush University of Khartoum, Sudan [email protected], [email protected], [email protected], [email protected] Abstract Side channel attacks are based on side channel information, which is information that is leaked from encryption systems. Implementing side channel attacks is possible if and only if an attacker has access to a cryptosystem (victim) or can interact with cryptosystem remotely to compute time statistics of information that collected from targeted system. Cache timing attack is a special type of side channel attack. Here, timing information caused by cache effect is collected and analyzed by an attacker to guess sensitive information such as encryption key or plaintext. Cache timing attack against AES was known theoretically until Bernstein carry out a real implementation of the attack. Fortunately, this attack can be a success only by exploiting bad implementation in software or hardware, not for algorithm structure weaknesses, and that means attack could be prevented if proper implementation has been used.
    [Show full text]
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Authenticated Encryption for Memory Constrained Devices
    Authenticated Encryption for Memory Constrained Devices By Megha Agrawal A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy in Computer Science & Engineering to the Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi) Supervisors: Dr. Donghoon Chang (IIIT Delhi) Dr. Somitra Sanadhya (IIT Jodhpur) September 2020 Certificate This is to certify that the thesis titled - \Authenticated Encryption for Memory Constrained Devices" being submitted by Megha Agrawal to Indraprastha Institute of Information Technology, Delhi, for the award of the degree of Doctor of Philosophy, is an original research work carried out by her under our supervision. In our opinion, the thesis has reached the standards fulfilling the requirements of the regulations relating to the degree. The results contained in this thesis have not been submitted in part or full to any other university or institute for the award of any degree/diploma. Dr. Donghoon Chang September, 2020 Department of Computer Science Indraprastha Institute of Information Technology, Delhi New Delhi, 110020 ii To my family Acknowledgments Firstly, I would like to express my sincere gratitude to my advisor Dr. Donghoon Chang for the continuous support of my Ph.D study and related research, for his patience, motivation, and immense knowledge. His guidance helped me in all the time of research and writing of this thesis. I could not have imagined having a better advisor and mentor for my Ph.D study. I also express my sincere gratitude to my esteemed co-advisor, Dr. Somitra Sanadhya, who has helped me immensely throughout my Ph.D. life. I thank my fellow labmates for the stimulating discussions, and for all the fun we have had in during these years.
    [Show full text]
  • Nshield CONNECT Hsms
    Product Sheet /EN nSHIELD CONNECT nSHIELD CONNECT HSMs Certified appliances that deliver cryptographic key services across networks nShield Connect HSMs are FIPS-certified nSHIELD CONNECT appliances that deliver cryptographic services to applications across the network. • Maximizes performance and availability with high cryptographic transaction These tamper-resistant platforms perform rates and flexible scaling such functions as encryption, digital signing and key generation and protection • Supports a wide variety of applications over an extensive range of applications, including certificate authorities, code including certificate authorities, code signing and more signing, custom software and more. The nShield Connect series includes • nShield CodeSafe protects your nShield Connect+ and the new, high- applications within nShield’s secure performance nShield Connect XC. execution environment HIGHLY FLEXIBLE ARCHITECTURE • nShield Remote Administration helps nCipher unique Security World architecture you cut costs and reduce travel lets you combine nShield HSM models to build a mixed estate that delivers flexible scalability and seamless failover and load balancing. nSHIELD CONNECT PROCESS MORE DATA FASTER – now also available from Nexus! nShield Connect HSMs support high transaction rates, making them ideal for enterprise, retail, IoT and other environments where throughput is critical. Available Models and Performance nShield Connect Models 500+ XC Base 1500+ 6000+ XC Mid XC High PROTECT YOUR PROPRIETARY RSA Signing Performance (tps) for NIST Recommended Key Lengths APPLICATIONS 2048 bit 150 430 450 3,000 3,500 8,600 4096 bit 80 100 190 500 850 2,025 The CodeSafe option provides a secure ECC Prime Curve Signing Performance (tps) for NIST Recommended Key Lengths environment for running sensitive 256 bit 540 680 1,260 2,400 5,500 14,400 Client Licenses applications within nShield boundaries.
    [Show full text]
  • The EAX Mode of Operation
    A preliminary version of this papers appears in Fast Software Encryption ’04, Lecture Notes in Computer Science, vol. ?? , R. Bimal and W. Meier ed., Springer-Verlag, 2004. This is the full version. The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency) ∗ † ‡ M. BELLARE P. ROGAWAY D. WAGNER January 18, 2004 Abstract We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2|M|/n + |H|/n + |N|/n block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity.
    [Show full text]
  • Security Policy: Informacast Java Crypto Library
    FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library FIPS 140-2 Non-Proprietary Security Policy InformaCast Java Crypto Library Software Version 3.0 Document Version 1.2 June 26, 2017 Prepared For: Prepared By: Singlewire Software SafeLogic Inc. 1002 Deming Way 530 Lytton Ave, Suite 200 Madison, WI 53717 Palo Alto, CA 94301 www.singlewire.com www.safelogic.com Document Version 1.2 © Singlewire Software Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for InformaCast Java Crypto Library. Document Version 1.2 © Singlewire Software Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Table of Contents 1 Introduction .................................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document.................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .........................................................................................................................................................
    [Show full text]
  • Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family
    Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family Dmitry Khovratovich1 and Christian Rechberger2 and Alexandra Savelieva3 1Microsoft Research Redmond, USA 2DTU MAT, Denmark 3National Research University Higher School of Economics, Russia Abstract. We present the new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions. The new tool has proved to be widely applicable by inspiring many authors to publish new re- sults of the full versions of AES, KASUMI, IDEA, and Square. In this paper, we demonstrate how our concept results in the first cryptanalysis of the Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before. Keywords: SHA-2, SHA-256, SHA-512, Skein, SHA-3, hash function, meet-in-the-middle attack, splice-and-cut, preimage attack, initial structure, biclique. 1 Introduction The last years saw an exciting progress in preimage attacks on hash functions. In contrast to collision search [29, 26], where differential cryptanalysis has been in use since 90s, there had been no similarly powerful tool for preimages. The situation changed dramatically in 2008, when the so-called splice-and-cut framework has been applied to MD4 and MD5 [2, 24], and later to SHA-0/1/2 [1, 3], Tiger [10], and other primitives. Despite amazing results on MD5, the applications to SHA-x primitives seemed to be limited by the internal properties of the message schedule procedures. The only promising element, the so-called initial structure tool, remained very informal and complicated.
    [Show full text]
  • Some Comments on the First Round AES Evaluation Of
    Some Comments on the First Round AES Evaluation of RC6 1 2 1 Scott Contini , Ronald L. Rivest , M.J.B. Robshaw , 1 and Yiqun Lisa Yin 1 RSA Lab oratories, 2955 Campus Drive, San Mateo, CA 94403, USA fscontini,matt,yiqung@rsa. com 2 M.I.T. Lab oratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA [email protected] 1 Intro duction The rst round of the AES pro cess is coming to an end. Since August of 1998, the cryptographic community has had the opp ortunity to consider each of the fteen prop osed AES candidates. In this note, we take the opp ortunity to answer some of the questions and to resp ond to some of the issues that have b een raised ab out the suitabilityofRC6 as an AES candidate. 2 Encryption/Decryption Performance of RC6 Since the publication of RC6 a variety of researchers and implementors have examined RC6 and considered its p erformance in a wide range of environments. 2.1 32-bit architectures RC6 is one of the fastest AES prop osals on 32-bit architectures, particularly so on the NIST reference platform of a 200 MHz Pentium Pro. It is argued by many that the most reasonable way to assess the p erformance of an algorithm is to consider its sp eed in an assembly language implementation. We agree that this is the case. However it is also interesting to consider how the p erformance of RC6 compares when using di erent compilers. It is imp ortant to note that to take advantage of compiler-sp eci c optimizations the source co de provided to the compiler might need to b e changed.
    [Show full text]
  • An Adaptive-Ciphertext Attack Against I XOR C Block Cipher Modes With
    A A-C A “I ⊕ C” B C M W O Jon Passki Tom Ritter [email protected] [email protected] May 24, 2012 Abstract Certain block cipher confidentiality modes are susceptible to an adaptive chosen-ciphertext attack against the underlying format of the plaintext. When the application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values resulting in an oracle. In this paper we describe how to recognize and exploit such an oracle to decrypt ciphertext and control the decryption to result in arbitrary plaintext. We also discuss ways to mitigate and remedy the issue. 1 I Quoting from [1]: Adaptive chosen-ciphertext attacks on cryptographic protocols allow an attacker to decrypt a cipher- text C, getting the plaintext M, by submitting a series of chosen-ciphertexts C0= 6 C to an oracle which returns information on the decryption. The ciphertexts can be adaptively chosen so that information on previous decryptions is available before the next chosen ciphertext is submitted. Adaptive chosen-ciphertext attacks against different confidentiality modes are not novel. The CBC confidentiality mode can suffer from a side channel attack against padding verification [2], popularized by [3]. A variant of the Cipher Feedback (CFB) confidentiality mode has been attacked in different encryption mail protocols by [4, 5, 1], and the padding schemes of asymmetric ciphers are another source of such attacks [6, 7]. In some form, they rely on the use of an oracle that leaks or communicates information back to attackers. We examine four different confidentiality modes encrypting plaintext that is separated by a delimiter, and the absence or inclusion of that delimiter generates an oracle by the application.
    [Show full text]
  • Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode Of
    Efficient & secure cipher scheme with dynamic key-dependent mode of operation Hassan Noura, Ali Chehab, Raphael Couturier To cite this version: Hassan Noura, Ali Chehab, Raphael Couturier. Efficient & secure cipher scheme with dynamic key- dependent mode of operation. Signal Processing: Image Communication, Elsevier, 2019, 78, pp.448 - 464. hal-02366798 HAL Id: hal-02366798 https://hal.archives-ouvertes.fr/hal-02366798 Submitted on 16 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode of Operation Hassan N. Nouraa, Ali Chehaba, Rapha¨elCouturierb a Electrical and Computer Engineering American University of Beirut (AUB) Beirut, Lebanon bUniv. Bourgogne Franche-Comt´e(UBFC), FEMTO-ST Institute, CNRS, Belfort, France Abstract Security attacks are constantly on the rise leading to drastic consequences. Several secu- rity services are required more than ever to prevent both passive and active attacks such as Data Confidentiality (DC). A DC security service is typically based on a strong symmetric cipher algorithm. However, some of today's applications, such as real-time applications and those running on constrained devices, require efficient lightweight cipher schemes that can achieve a good balance between the security level and system performance.
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Side-Channel Attacks
    Side-Channel Attacks Aleksei Ivanov 26th November 2005 1 Introduction and patches the result with all 0's.This results in small, constant time when compared to complete Side-channel attacks are described in [5] as follows. multiplication. Timing side channel information Side-channel attacks are attacks that are based on can be obtained either by precisely measuring the side channel information. Side channel Information time taken by one encryption or by averaging the that can be retrieved from the encryption device time taken over several encryptions [4]. that is neither plain text to be encrypted nor the cipher text resulting from the encryption process. There are several kind of side-channel attacks, in 2.2 Power Consumption Attacks the [2] timing attack is referred to as the most Devices consume power and the power dissipated common one. Then There is one kind of informa- by a device is an other side channel. Dierential tion leakage referred to in [1] as power consumption power analysis (DPA) is a power consumption side leakage, that is a big help to the timing attacks. It channel attack that divides the encryption into a is even harder to protect a system against the power number of time slots and measures power in each consumption attacks when attacker has direct ac- slot for dierent plain text input. A small number cess to the encryption device. of the power measurements correlate with each bit The purpose of this paper is to get an overview of the interval stage during encryption [4]. of attacks on encryption systems where an attacker This attack requires little knowledge of the device is using other ways to obtain the encryption key and is dicult to hide the channel information if than breaking the mathematical algorithm.
    [Show full text]