Some More Attacks on Symmetric Crypto
More crypto attacks
Symmetric cryptanalysis
● Ciphertext only – e.g., frequency analysis or brute force
● Known plaintext – e.g., linear cryptanalysis
● Chosen plaintext – e.g., differential cryptanalysis
Frequency analysis
● “But I don’t want to go among mad people,” Alice remarked. “Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.” “How do you know I’m mad?” said Alice. “You must be,” said the Cat, “or you wouldn’t have come here.”
● 19 e's, 19 a's, 17 o's, 13 t's, 12 d's, etc.
● Remember the difference between ECB and CBC
Brute force
● Just try every possible key
● E.g., for key = 0 to 255:
Image: by GaborPete - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6420152
Linear cryptanalysis (known plaintext)
● Block ciphers are made up of a limited variety of operations
  – XOR
    ● addition modulo 2
  – Permutation
  – Substitution
● Hard, need piling-up lemma
Differential cryptanalysis (chosen plaintext)
● Choose plaintexts that differ in one bit, e.g., 00110101 and 00100101
● Block ciphers are made up of a limited variety of operations
  – XOR
    ● Bit difference is maintained
  – Permutation
    ● Bit difference is maintained
  – Substitution
● Hard
Attacks on secure hash functions
● Preimage attack
  – Produce a message that has a specific hash value
● Collision attack
  – Produce two messages with the same hash value
● Collision attack: hash(m1) == hash(m2)
  – MD5 attack takes seconds on a regular PC
● Chosen-prefix collision attack, given p1 and p2: hash(p1 || m1) == hash(p2 || m2)
  – MD5 attack takes hours on a regular PC
Note: SHA-1 is now also not safe to use in practice
Other attacks
● Birthday attacks
● Meet-in-the-middle attacks
  – “The difference between the birthday attack and the meet-in-the-middle attack is that in a birthday attack, you wait for a single value to occur twice within the same set of elements. In a meet-in-the-middle attack, you have two sets, and wait for an overlap between the two sets.” [Cryptography Engineering]
● Side channel attacks
Side channels
http://www.daemonology.net/papers/htt.pdf
Fault injection attacks
http://www.t4f.org/wp-content/uploads/2014/02/Glitch-Tutorial-setup.jpg
iPhone
● Read: http://searchmobilecomputing.techtarget.com/tip/How-iOS-encryption-and-data-protection-work
● Gist: Apple's security is based on a key hidden in the hardware that protects the code that limits guess attempts
  – Security through obscurity
  – Information is inherently physical
Random number generation
Entropy needed for...
● Symmetric keys
● Asymmetric keys
● Initialization vectors
● Nonces
● Etc.
Entropy pool
● /dev/random vs. /dev/urandom
  – Former blocks on read, latter doesn't
  – Entropy sources
    ● Hardware support
    ● Keyboard timings
    ● Mouse activity
    ● Hard drive activity
Some real goofs
Cryptocat
● Array of random integers
  – {60278, 44571, 56801, 34115, 38861, 6386, 13716}
● As an escaped string
  – “\xeb\x76\xae\x1b”
● The above string in hex
  – 5c7865625c7837365c7861655c783162
See https://tobtu.com/decryptocat-old.php
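As an added illustration (not code from the slides or from Cryptocat itself), the following Python reproduces the three representations above from the seven integers and quantifies what hex-encoding the escaped text, rather than the bytes, does to the key material. Big-endian packing of the integers and a 16-byte (128-bit) key are assumptions made for the illustration.

```python
import struct

# Constructed from the seven integers on the slide, read as 16-bit values
# (60278 = 0xEB76, 44571 = 0xAE1B, ...) such as a CSPRNG-filled Uint16Array.
SLIDE_INTS = [60278, 44571, 56801, 34115, 38861, 6386, 13716]


def ints_to_bytes(values):
    """Pack 16-bit integers big-endian (assumed byte order): 60278 -> eb 76."""
    return struct.pack(">%dH" % len(values), *values)


def escape_bytes(raw):
    """Render bytes as the literal text \\xeb\\x76... (4 characters per byte)."""
    return "".join("\\x%02x" % b for b in raw)


def correct_hex_key(values):
    """Hex of the random bytes themselves: 'eb76ae1b...'."""
    return ints_to_bytes(values).hex()


def buggy_hex_key(values):
    """The chain on the slide: integers -> escaped text -> hex of that text.
    Each byte becomes the four characters '\\xhh', so the constant backslash
    (0x5c) and 'x' (0x78) end up as key bytes alongside two hex digits."""
    return escape_bytes(ints_to_bytes(values)).encode("ascii").hex()


def rng_bits_in_key(hex_key, key_len, buggy):
    """RNG bits behind the first key_len bytes of bytes.fromhex(hex_key).
    Correct path: every key byte is a random byte (8 bits). Buggy path: a
    4-byte '\\xhh' group carries one random byte, so 8 bits per 4 key bytes."""
    key = bytes.fromhex(hex_key)[:key_len]
    if not buggy:
        return 8 * len(key)
    text = key.decode("ascii")
    groups = [text[i:i + 4] for i in range(0, len(text) - 3, 4)]
    assert all(g.startswith("\\x") for g in groups), "not escape-text form"
    return 8 * len(groups)


if __name__ == "__main__":
    good, bad = correct_hex_key(SLIDE_INTS), buggy_hex_key(SLIDE_INTS)
    print("bytes   :", good)
    print("escaped :", escape_bytes(ints_to_bytes(SLIDE_INTS))[:16], "...")
    print("buggy   :", bad[:32], "...")  # matches the slide's hex line
    print("correct:", rng_bits_in_key(good, 14, False), "RNG bits in 14 key bytes")
    print("buggy  :", rng_bits_in_key(bad, 16, True), "RNG bits in a 16-byte (128-bit) key")
```

A 128-bit key cut from the buggy chain is determined by eight hex digits, so it has only 32 bits of randomness, and three quarters of its bytes are predictable constants.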
TomSkype (http://firstmonday.org/ojs/index.php/fm/article/view/4628/3727)
Baidu (recent report by Jeffrey Knockel, Sarah McKune, and Adam Senft) (https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/)
● Lots of custom stuff
  – Base64 substitution
  – Modified CBC
● ASCII encoded keys
  – E.g., “vb%,J^d@2B1l’Abn”
● Other questionable decisions
  – TEA
Telegram (http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest)
WordPress password hashes
● MD5(password)
● Don't Google this if you're offended by the f-word: “596a96cc7bf9108cd896f33c44aedc8a”
● How to do authentication properly is something we'll talk about later this semester (salts would fix the above problem)
References
● [Cryptography Engineering] Cryptography Engineering: Design Principles and Applications, by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Wiley Publishing, 2010.
● Lots of images and info plagiarized from Wikipedia