
Some More Attacks on Symmetric Crypto

More crypto attacks

Symmetric

● Ciphertext only – e.g., frequency analysis or brute force

● Known plaintext – e.g., linear cryptanalysis

● Chosen plaintext – e.g., differential cryptanalysis

Frequency analysis

● “But I don’t want to go among mad people," Alice remarked. "Oh, you can’t help that," said the Cat: "we’re all mad here. I’m mad. You’re mad." "How do you know I’m mad?" said Alice. "You must be," said the Cat, "or you wouldn’t have come here.”

● 19 e's, 19 a's, 17 o's, 13 t's, 12 d's, etc.

● Remember the difference between ECB and CBC

Brute force

● Just try every possible key

● E.g., for key = 0 to 255:

By GaborPete - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6420152

Linear cryptanalysis (known plaintext)

● Block ciphers are made up of a limited variety of operations
  – XOR
    ● addition modulo 2
  – Permutation
  – Substitution
    ● Hard, need piling up lemma

Differential cryptanalysis (chosen plaintext)

● Choose plaintexts that differ in one bit, e.g., 00110101 and 00100101

● Block ciphers are made up of a limited variety of operations
  – XOR
    ● Bit difference is maintained
  – Permutation
    ● Bit difference is maintained
  – Substitution
    ● Hard

Attacks on secure hash functions

– Produce a message that has a specific hash value

– Produce two messages with the same hash value

● Collision attack: hash(m1) == hash(m2)
  – MD5 attack takes seconds on regular PC

● Chosen-prefix collision attack, given p1 and p2: hash(p1 || m1) = hash(p2 || m2)
  – MD5 attack takes hours on a regular PC

Note: SHA-1 is now also not safe to use in practice

Other attacks

● Birthday attacks

● Meet-in-the-middle attacks
  – “The difference between the birthday attack and the meet-in-the-middle attack is that in a birthday attack, you wait for a single value to occur twice within the same set of elements. In a meet-in-the-middle attack, you have two sets, and wait for an overlap between the two sets.” [Cryptography Engineering]

● Side channel attacks

Side channels

http://www.daemonology.net/papers/htt.pdf

Fault injection attacks

http://www.t4f.org/wp-content/uploads/2014/02/Glitch-Tutorial-setup.jpg

iPhone

● Read: http://searchmobilecomputing.techtarget.com/tip/How-iOS-encryption-and-data-protection-work

● Gist: Apple's security is based on a key hidden in the hardware that protects the code that limits guess attempts
  – Security through obscurity
  – Information is inherently physical

Random number generation

Entropy needed for...

● Symmetric keys

● Asymmetric keys

● Initialization vectors

● Nonces

● Etc.

Entropy pool

● /dev/random vs. /dev/urandom
  – Former blocks on read, latter doesn't
  – Entropy sources
    ● Hardware support
    ● Keyboard timings
    ● Mouse activity
    ● Hard drive activity

Some real goofs

Cryptocat

● Array of random integers
  – {60278, 44571, 56801, 34115, 38861, 6386, 13716}

● As an escaped string
  – “\xeb\x76\xae\x1b”

● The above string in hex
  – 5c7865625c7837365c7861655c783162

See https://tobtu.com/decryptocat-old.php
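
The three Cryptocat representations above, reproduced as an added example (not Cryptocat's code and not from the slides): the escaped string is the first two integers packed big-endian, and the hex value is the hex of that escape text, so it fills 16 bytes while carrying only 32 bits. The slide does not say which conversion the application got wrong; `max_entropy_bits` and `check_key_material` are hypothetical helpers.

```python
import re
import struct

# Values copied from the slide above.
SLIDE_INTS = [60278, 44571, 56801, 34115, 38861, 6386, 13716]
SLIDE_ESCAPED = r"\xeb\x76\xae\x1b"
SLIDE_HEX = "5c7865625c7837365c7861655c783162"

# A buffer consisting only of literal \xHH groups (escape text, not raw bytes).
ESCAPED_RE = re.compile(rb"(?:\\x[0-9a-fA-F]{2})+")


def ints_to_bytes(ints):
    """Pack 16-bit integers big-endian: the real random material."""
    return struct.pack(f">{len(ints)}H", *ints)


def escape_text(raw):
    r"""Spell bytes the way source code writes them: '\xeb\x76...'."""
    return "".join(f"\\x{b:02x}" for b in raw)


def max_entropy_bits(buf):
    """Upper bound on the entropy a buffer can hold.

    Escape text spends four characters (backslash, 'x', two hex digits)
    on each real byte, so only 8 of every 32 bits can vary.
    """
    if ESCAPED_RE.fullmatch(buf):
        return len(buf) // 4 * 8
    return len(buf) * 8


def check_key_material(buf, want_bits):
    """Hypothetical guard: refuse buffers that cannot hold want_bits."""
    have = max_entropy_bits(buf)
    if have < want_bits:
        raise ValueError(f"{len(buf)}-byte buffer holds at most {have} bits")
    return buf


if __name__ == "__main__":
    raw = ints_to_bytes(SLIDE_INTS)[:4]   # first two integers from the slide
    text = escape_text(raw)               # same as SLIDE_ESCAPED
    wrong = text.encode("ascii")          # 16 bytes of escape text
    print(raw.hex(), text, wrong.hex(), max_entropy_bits(wrong))
```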

TomSkype (http://firstmonday.org/ojs/index.php/fm/article/view/4628/3727)

Baidu (recent report by Jeffrey Knockel, Sarah McKune, and Adam Senft) (https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/)

● Lots of custom stuff
  – Base64 substitution
  – Modified CBC

● ASCII encoded keys
  – E.g., “vb%,J^d@2B1l’Abn”

● Other questionable decisions
  – TEA

Telegram (http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest)

WordPress password hashes

● MD5(password)

● Don't Google this if you're offended by the f-word: “596a96cc7bf9108cd896f33c44aedc8a”

● How to do authentication properly is something we'll talk about later this semester (salts would fix the above problem)

References

● [Cryptography Engineering] Cryptography Engineering: Design Principles and Practical Applications, by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Wiley Publishing, 2010.

● Lots of images and info plagiarized from Wikipedia