New Developments in Cryptology Outline Outline Block Ciphers AES

Home , AES implementations, Fugue (hash function)

New Developments in Cryptology March 2013 Bart Preneel

Outline

New developments in cryptology • 1. Cryptology: concepts and algorithms Prof. Bart Preneel • 2. Cryptology: protocols COSIC • 3. Public-Key Infrastructure fundamentals Bart.Preneel(at)esatDOTkuleuven.be • 4. Networking protocols http://homes.esat.kuleuven.be/~preneel • 5. New developments in cryptology March 2013 • 6. Cryptography best practices

Outline Block ciphers P1 P2 P3 • Block ciphers/stream ciphers • Hash functions/MAC algorithms block block block •Modes of operati on an d a uth entic ated cipher cipher cipher encryption • How to encrypt/sign using RSA C1 C2 C3 • Multi-party computation • larger data units: 64…128 bits • memoryless • Concluding remarks • repeat simple operation (round) many times 3

3-DES: NIST Spec. Pub. 800-67 AES (2001) (May 2004) S S S S S S S S S S S S S S S S • Single DES abandoned round • two-key triple DES: until 2009 (80 bit security) • three-key triple DES: until 2030 (100 bit security) round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S hedule

Highly vulnerable to a c round • Block length: 128 bits related key attack • Key length: 128-192-256 . Key S Key . bits round A $ 10M machine that cracks a DES Clear DES DES-1 DES %^C& key in 1 second would take 149 trillion text @&^( years to crack a 128-bit key

1 23

1 New Developments in Cryptology March 2013 Bart Preneel

AES variants (2001) AES implementations: • AES-128 • AES-192 • AES-256 efficient/compact • 10 rounds • 12 rounds • 14 rounds • sensitive • classified • secret and top • NIST validation list: 1953 implementations (2008: 879) secret plaintext plaintext plaintext http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html

round round. round [‘05] dule ) . • HW: 43 Gbit/s in 130 nm CMOS ule le

8 . e . . . round . round • Intel: new AES instruction: 0.75 cycles/byte [’09-’10] Key (12 Key . round round (192) Key . • SW: 7.6 cycles/byte on Core 2 or 110 Mbyte/s bitsliced Key (256) Key

Key Sch Key . . . [Käsper-Schwabe’09] Key Sched Key round . Key Schedu Key round • HW: most compact: 3600 gates Light weight key schedule, in particular for the 256-bit version – KATAN: 1054, PRESENT: 1570

AES: security AES-256 security • Exhaustive key search on AES-256 takes 2256 encryptions • cryptanalysis: no attack has been found that can –264: 10 minutes with $ 5M exploit this structure (in spite of the algebraic –280: 2 year with $ 5M “attack” [Courtois’02]) –2120 : 1 billion years with $ 5B • [Biryukov-Khovratovich’09] related key attack on AES-256 119 • implementation level attack – requires 2 encryptions with 4 related ke ys , – data & time complexity 2119  2256 – cache attack precluded by bitsliced implementations • Why does it work? Very lightweight key schedule or by special hardware support – fault attack requires special countermeasures • Is AES-256 broken? No, only an academic “weakness” that is easy to fix • No implications on security of AES-128 for encryption • Do not use AES-256 in a hash function construction

What is a related key attack? Should I worry about a related key attack? • Attacker chooses plaintexts and key difference C • Very hard in practice (except some old US banking • Attacker gets ciphertexts schemes and IBM control vectors) • Task: find the key C • If you are vulnerable to a related key attack, you are making very bad implementation mistakes plaintext1 plaintext2 plaintext1 • This is a very powerful attack

round round model: if an opponent can round zeroize 96 key bits of his round round round choice (rather than adding a round round round value), he can find the key in h Key (256) Key . . Key (256) Key Key (256) Key . . . . . a few seconds . Key Schedule Key . Schedule Key Key Schedule Key round round round • If you are worried, hashing the key is an easy fix ciphertext1 ciphertext2 ciphertext1

2 New Developments in Cryptology March 2013 Bart Preneel

Related key attacks on AES-256 and KASUMI KASUMI (2002)

Security level in bits Exhaustive search AES [Biryukov- • Widely used in all 3G phones 300 Khovratovich’09] 4 related keys • Present in 40% of GSM phones but not 250 data & time yet used 200 comppylexity Exh aus tive search KASUMI 2119  2256 150

100 • Good news: related key attacks do not Practical [Dunkelman- 50 Keller-Shamir’10] apply in in the GSM or 3G context Related key 0 attack: 4 keys, 0 58 1014 15 226 data & 232 rounds time  2128

KASUMI New announcement: August 2011 [Dunkelman-Keller-Shamir’09] [Bogdanov-Khovratovich-Rechberger] • Practical related key attack announced in • No related keys (attack in 2005) December 2009 on the block cipher KASUMI used in 3GPP • For AES-128: with 288 plaintext/ciphertext pairs, – 4 re ltdklated keys, 2 26 dtdata, 2 30 btbytes of memory, and the effective key size can be reduced by 2 bits 232 time (AES-126) • It is not possible to carry out this attack in 3G • For AES-192: only 280 plaintext/ciphertext pairs (as related keys are not available) • For AES-256: only 240 plaintext/ciphertext pairs

Very minor impact on security and very hard to extend

Synchronous Stream Cipher (SSC) Stream ciphers

IV state IV state init init • historically very important (compact) – LFSR-based: A5/1, A5/2, E0 – practical attacks K next K next known state state – software-oriented: RC4 – serious weaknesses function function – block cipher in CTR or OFB (slower) • today: output output – many broken schemes function “looks” function random – exception: SNOW2.0, MUGI P C P – lack of standards and open solutions

3 New Developments in Cryptology March 2013 Bart Preneel

GSM GSM • A5/1 weak • growing number of open source tools to intercept: – [Barkan+03] requires seconds (software not available so requires GnuRAdio, Airprobe, OpenBTS math) • but needs more work (1-2 years?) – [Nohl10]: Kraken = 2 Terabyte of Rainbow tables http://reflextor.com/trac/a51 • A5/2 trivially weak (milliseconds) – withdrawn in 2007 (took 8 years) • A5/3 (= Kasumi) seems ok but slow adoption (even if in 1.2 billion out of 3 billion handsets)

• Simpler attacks on GSM – eavesdrop after base station (always cleartext) – switch off encryption (can be detected) – SMS of death

GSM International • China: • be careful when rolling out 2-factor – ZUC as 3rd algorithm in LTE (also SMII, SMIII) – National Cryptography Industry Standards Technical Committee authentication via SMS established on 19/10/2011 • war texting hacks on car systems and mod 231  1 215 217 221 220 12 8

S S S S S S S S S S S S S S S S SCADA systems [Black Hat, Aug’11] 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

X X X 0 X1 2 3

R1 R2 Every algorithm used in

L L 1 2 China needs to be designed in China intercepting mobile phone traffic is illegal • US: NIST is very active in standardization

Open competition for stream ciphers The eSTREAM Portfolio http://www.ecrypt.eu.org Apr. 2008 (Rev1 Sept. 2008)

(in alphabetical order) • run by ECRYPT – high performance in software (32/64-bit): 128-bit key Software Hardware – low-gate count hardware (< 1000 gates): 80-bit key – variants: authenticated encryption HC-128 F-FCSR-H • April 2005: 33 submissions Rabbit Grain v1 • many broken in first year • April 2008: end of competition Salsa20/12 MICKEY v2 Sosemanuk Trivium

3-10 cycles per byte 1500..3000 gates

23 24

4 New Developments in Cryptology March 2013 Bart Preneel

Performance reference data Rogue CA attack (Pentium M 1.70GHz Model 6/9/5) [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] request user cert; by special encryption speed (cycles/byte) Self-signed collision this results in a fake CA root key 120 cert (need to predict serial number 100 + validity period) 80 CA1 CA2 Rogue CA 60 key setup (cycles) 40 35000 impact: rogue CA that User1 User2 User x 20 30000 can issue certs that are 25000 0 trusted by all RC4 HC-128 DES 3-DES AES 20000 15000 browsers 10000 5000 0 6 CAs have issued certificates signed with MD5 in 2008: RC4 HC- DES 3-DES AES 128 Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), 26 26 25 TC TrustCenter AG, RSA Data Security, Verisign.co.jp

Flame (successor of Stuxnet/Duqu) Malicious certificates • discovered in May 2012 by Cert in Iran • Aug’ 11 Diginotar: target Iranian opposition • targeted cyber espionage in Middle Eastern • May ‘12 Flame countries – June ’12: Microsoft no longer supports RSA keys shorter • vectors: LAN, USB, Bluetooth than 1024 bits (except if signed before 1/1/2010) • record audio, screenshots, keyboard activity and – NIST’s deadline is 31/12/2013 network t raffi c (i ncl udi ng Skype ) • Sept. ‘12: Adobe problem • kill command to wipe out its traces (used on June 8 2012) TLS • advanced MD5 collision attack built-in to create fake certificate for Microsoft Enforced Licensing Intermediate PCA (Windows Update) • similar to but independent from rogue CA attack Ceci n’est pas un HSM Microsoft hired in 2004 the “MD5 removal person”

Low cost hw: throughput versus area Hash functions [Bogdanov+08,Sugawara+08] (100 KHz clock, technology in multiples of 10 nm) 900 Protect short hash value rather • collision resistance GRAIN[8] (13) Trivium[8](13) than long text • preimage resistance

) 800 Enocoro-80[8](18) nd 700 •2 preimage resistance

Kbps 600 ( mCRYPTON-96/128 (13) t

u 500 CLEFIA (9) This is an input to a crypto-

hp 400 graphic hash function. The input

g PRESENT-128 (18) 300 is a very long string, that is PICCOLO-128 reduced by the hash function to a HIGHT (25) TDEA (9) string of fixed length. There are 200 1A3FD4128A198FB3CA345932 GOST (18) (13)Trivium(13) additional security conditions: it h

Throu GRAIN 100 SEA (13) AES (13) should be very hard to find an KATAN (18) (18) AES (35) input hashing to a given value (a KTANTAN (18) TEA MISTY1 (18) preimage) or to find two colliding 0 PRESENT-80 (18) inputs (a collision). PRINTcipher-960 1000 2000 3000 4000 5000 6000 (18) LED-128 (18) Gate equivalents 29

5 New Developments in Cryptology March 2013 Bart Preneel

The complexity of collision attacks SHA-1 • SHA designed by NIST (NSA) in ‘93 Brute force: 4 million PCs or US$ 100K hardware (1 year) • redesign after 2 years (’95) to SHA-1 90 90 80 80 [Wang+’05] 70 MD4 70 [Mendel+’08] 60 [Manuel+’09] MD5 60 [Wang+’04] 50 SHA-0 50 40 [McDonald+’09] SHA-1 SHA-1 40 30 30 20 Brute force 20 10 Largely unpublished/withdrawn 10 0 0 2 2 0 2 4 6 8 0 0 0 99 99 00 00 00 1 1 1994 1996 1998 20 20 2 2 2 201 2003 2004 2005 2006 2007 2008 2009 2010 Prediction: collision for SHA-1 in the next 12-18 months

NIST AHS competition (SHA-3) Round 2 Candidates • SHA-3: 224, 256, 384, and 512-bit message digests • (similar to SHA-2) Call: 02/11/07 Deadline (64): 31/10/08 Round 1 (51): 9/12/08 80 Round 2 (14): 24/7/09 64 Final (5): 10/12/10 51 60 Standard: Q4/12 40 20 14 5 1 0 Q4/08 Q3/09 Q4/10 Q4/12

round 1 round 2 final

Slide credit: Christophe De Cannière

Software performance - eBash [Bernstein-Lange11] Hardware: post-place & route results for ASIC 130nm [Guo-Huang-Nazhandali-Schaumont’10] logarithmic scale Throughput (Gbps) 20 slower SHA256 Keccak Blake BMW 16 CubeHash ECHO Fugue 12 Grostl Grøstl Hamsi JH 8 Keccak Luffa Blake Shabal SHAvite 4 JH SIMD Skein Skein 0 Area 0 40,000 80,000 120,000 160,000 200,000 (GateEqv) 36 factor 4 in cycles/byte Slide credit: Patrick Schaumont, Virginia Tech

6 New Developments in Cryptology March 2013 Bart Preneel

Performance of hash functions - Bernstein Keccak (cycles/byte) Intel Intel Core 2 Quad Q9550; 4 x 2833MHz 35 2001 30

permutation: 25, 50, 100, 200, 400, 800, 1600 5 nominal version: • 5x5 array of 64 bits 0 MD4 MD5 SHA-1 RMD- DES SHA- SHA- WhirlpWhirl AES- AES • 18 rounds of 5 steps 160 (estimated) 256 512 -pool hash

HMAC based on MDx, SHA MAC algorithms x K2

• EMAC based on AES • Widely used in SSL/TLS/IPsec f2 K • HMAC based on MD5/SHA-1 • Attacks not yet dramatic 1 • GMAC • NMAC weaker than HMAC f1 •UMAC

Rounds in f1 Rounds in f2 Data complexity • NIST: 2 standards for authenticated encryption MD4 48 48 288 CP & 295 time – CCM: CTR + CMAC [NIST SP 800-38C] MD5 64 33 of 64 2126 CP – GCM: CTR + GMAC [NIST SP 800-38C] MD5 64 64 251 CP & 2100 time (RK) SHA(-0) 80 80 2109 CP SHA-1 80 43 of 80 2154.9 CP

39 40

GMAC: polynomial MAC (NIST UMAC RFC 4418 (2006) SP 800-38D ‘07 + 3GSM)

128 •key K, k , k .., k  GF(232) (1024 bytes) •keys K1, K2  GF(2 ) 1 2 256 128 • input x: x , x , . . . , x , with x  GF(232) • input x: x1, x2, . . . , xt, with xi  GF(2 ) 1 2 256 i t i • g(x) = prfK(h(x)) • g(x) = K1+ Σi=1 xi • (K2) 512 32 . 32 64 • h(x) = ( Σi=1 (x2i-1 + k2i-1) mod 2 (x2i + k2i) mod 2 )mod 2 • in practice: compute K1 = AESK(n) (CTR mode) • properties • properties: – software performance: 1-2 cycles/byte – fast in software and hardware (support from Intel) – forgery probability: 1/230 (provable lower bound) – not very robust w.r.t. nonce reuse, truncation, MAC – [Handschuh-Preneel08] full key recovery with 240 verifications, due to reuse of K2 (not in 3GSM!) verification queries – versions over GF(p) (e.g. Poly1305-AES) seem more robust

41 42

7 New Developments in Cryptology March 2013 Bart Preneel

How NOT to use a block cipher: How to use cryptographic algorithms ECB mode

• Modes of operation • Padding and error messages P1 P2 P3 • Authenticated encryption block block block cipher • How to encrypt with RSA cipher cipher

C1 C2 C3

43 44

An example plaintext Encrypted with substitution and transposition cipher

45 46

Encrypted with AES in ECB and CBC mode How to use a block cipher: CBC mode

P1 P2 P3 IV

AES AES AES

C1 C2 C3

47 48

8 New Developments in Cryptology March 2013 Bart Preneel

CBC mode decryption What if IV is constant? P1 P2’ P3’ P1 P2 P3 IV IV

AES AES AES AES-1 AES-1 AES-1

C1 C2’ C3’ C1 C2 C3 Repetition in P results in repetition in C:  49 information leakage need random and secret IV 50

Reaction attack Reaction attack

Eve Eve What would the Let’s modify plaintext be? the ciphertext

Alice Bob Alice Bob Meet me tonight at 20:00   at the Oude Markt 51 52

Reaction attack (attempt 1) Reaction attack (attempt 2)

Modify ciphertext Eve Eve in a different way

Sorry, you Sorry, you message is message is malformed malformed

error error

Alice Bob Alice Bob     53 54

9 New Developments in Cryptology March 2013 Bart Preneel

Reaction attack (attempt 3) Reaction attack (attempt 973) Meet me tonight at 20:00 at the Oude Markt Eve Eve Great! Now I know the plaintext Sorry, you Fast forwardmessage is malformed ok

error ok

Alice Bob Alice Bob   55 56

Reaction attacks: well known but… CBC with incomplete plaintext (1) Plaintext length • [Bleichenbacher98] PKCS #1v1.5 – 1 million chosen 1 byte ciphertexts; improved by [Klima-Pokorny-Rosa03] in bytes • [Manger01] OAEP PKCS #1v2 – a few 1000 chosen ciphertexts P1 P2 P3|| 0000..0 • [Bellare-Kohno-Namprempre 02]: SSH • [Vaudenay’02] SSL, IPsec, WTLS... IV • [Canvel-Hiltgen-Vaudenay-Vuagnoux03]: SSL/TLS • 2010: ASP.NET • 2011 XML encryption • Solutions: AES AES AES – don’t send error messages (bad engineering practice) – authenticated encryption – MAC the ciphertexts and do not decrypt if MAC is incorrect 57 C1 C2 C3 58

CBC with incomplete plaintext (2) CBC with incomplete plaintext (3) Plaintext length in Plaintext length in bytes + 1100110011||0000….000 bytes + 1100110011||0000….000 P1 P2 P3|| 1000..0 P1 P2 P3|| 1000..0

IV • If the first 10 bits of P3 are equal to 1100110011 then after the modification P3’ will be equal to 0 • The decryption will then produce an error message because the plaintext length field is incorrect -1 -1 -1 AES AES AES • Conclusion: information on 1 byte of P3 can be obtained using on average 128 chosen ciphertexts • Protection: a careful implementation of random C1 C2 C3 padding or authenticated encryption + 1100110011||0000….000 59 60

10 New Developments in Cryptology March 2013 Bart Preneel

XML Encryption attack Modes of Operation

• Reaction attack: chosen plaintext (decryption queries) • CTR mode allows for pipelining and observe error message – Better area/speed trade-off • XML decryption checks validity of plaintext (specific • authentication: E-MAC and CMAC character encoding) – E-MAC is CBC-MAC with extra encryption in last • [Jager-Somorovsky11] decrypt 160 bytes using 2000 block decryp tion quer ies (100 secon ds ) – NIST prefers CMAC (was OMAC)

• Countermeasure: • authenticated encryption: – unified error message – most applications need this primitive (ssh, TLS, – changing mode IPsec, …) – authenticated encryption: non-trivial – for security against chosen ciphertext this is essential – NIST solution: GCM (very fast but lacks robustness) 62

Authenticated encryption Example: CCM: CTR + CBC-MAC

• needed for network security, but only fully understood by SN || 0 || Length CBC IV crypto community around 2000 (too late) CBC-MAC CBC-MAC "result" • dump CBC mode!! E E E ...E E ... E • standards: T T P P P Truncate – CCM: CTR + CBC-MAC [NIST SP 800-38C] 1 2 1 2 n Cleartext data Plaintext –GCM: CTR + GMAC [NIST SP 800-38D] covered by MAC • bhboth are sub opti mal lb but patent f ree

•IAPM SN || 1 SN || 2 SN || n SN || n+1

• properties •XECB Counter E E ... E E – associated data •OCB Mode – parallelizable C C C C – on-line 1 2 n n+1 – “provable” security Ciphertext patented SN = packet sequence number (WEP "IV") 64

Outline RSA (‘78) • choose 2 “large” prime numbers p and q • modulus n = p.q • Block ciphers/stream ciphers • compute (n) = lcm(p-1,q-1) • Hash functions/MAC algorithms • choose e relatively prime w.r.t. (n) • compute d = e-1 mod (n) •Modes of operati on an d a uth entic ated The security of RSA is based on the “fact” that it is encryption easy to generate two large • public key = (e,n) primes, but that it is hard to • How to encrypt/sign using RSA • private key = d of (p,q) factor their product • Multi-party computation • encryption: c = me mod n • Concluding remarks • decryption: m = cd mod n try to factor 2419 66 67

11 New Developments in Cryptology March 2013 Bart Preneel

Key lengths for confidentiality Public-Key Cryptology http://www.ecrypt.eu.org • new factorization record in January 2010: 768 bits duration symmetric RSA ECC • upgrade your RSA-1024 keys (should have been doen in 2010) days/hours 50 512 100

• increased “acceptance” of ECC 5 years 73 1024 146 – example NSA Suite B in USA – Certicom challenge: ECC2K-130: 1 year with 60 10-20 years 103 2048 206 KEURO (a large effort is underway) – limited commercial deployment outside government 30-50 years 141 4096 282 • progress on pairings leading to more efficient protocols Assumptions: no quantum computers; no breakthroughs; limited budget

Generation of key pairs “Ron was wrong, Whit is right” Quantum computers? http://print.iacr.org/2012/064.pdf • 11.7 million openly accessible public keys • exponential parallelism n coupled quantum bits • 6.4 million distinct RSA moduli • rest: ElGamal/DSA (50/50) and 1 ECDSA 2n degrees of freedom !

• 1.1% of RSA keys occur in >1 certificate • 0.2% (12934 moduli) are easy to factor, because they form pairs • Shor 1994: perfect for factoring like: n = p.q and n’ = p’.q so gcd(n,n’)=q • 40% of these have valid certs • But: can a quantum computer • reason: only 40-bit randomness in key generation combined be built? with the birthday paradox • less of a problem for ElGamal/DSA: need to know how randomness is produced and complexity is 240 key generations • ethical problem: how to report this?

If a large quantum computer can Quantum computers be built... • Size of quantum computer does not (yet) matter! • All schemes based on factoring (such as RSA) will Photon machine gun, 7 New scientist, Sept. 09 be insecure 6 • Same for discrete log (ECC) 5 4 • Symmetric ke y sizes: x2 3 • Hash sizes: x1.5 (?) 2 1 0 1995 1997 1999 2001 2003 2005 2007 2009 • Alternatives: McEliece, NTRU,… • More important is to keep • So far it seems very hard to match performance of a few qubits with high current systems while keeping the security level reliability for a against conventional attacks sufficiently long time (decoherence)

12 New Developments in Cryptology March 2013 Bart Preneel

Quantum cryptography Quantum cryptography

• no solution for entity authentication problem •Security based (bootstrapping needed with secret keys) – on the assumption that the laws of quantum physics are correct • no solution (yet) for multicast – rather than on the assumption that certain mathematical •depppyppendent on physical properties of problems are hard communication channel • cost • implementation weaknesses (side channels)

Quantum hacking http://www.iet.ntnu.no/groups/optics/qcr/ How to encrypt with RSA?

• Assume that the RSA problem is hard • … so a fortiori we assume that factoring is hard

• How to encrypt with RSA? – Hint: ensure that the plaintext is mapped to a random element of [0,n-1] and then apply the RSA Encryption Permutation (RSAEP)

How (not) to encrypt with RSA? RSA PKCS-1v1_5

• Non-hybrid schemes – RSA-PKCS-1v1_5 (RSA Laboratories, 1993) • Introduced in 1993 in PKCS #1 v1.5 – RSA-OAEP (Bellare-Rogaway, 1994) • De facto standard for RSA encryption and – RSA-OAEP+ (Shoup, 2000) keyyp transport – RSA-SAEP (Johnson et al., 2001) – Appears in protocols such as TLS, S/MIME, ... – RSA-SAEP+ (Boneh, 2001) • Hybrid schemes – RSA-KEM (Zheng-Seberry, 1992) • RSA-KEM-DEM (Shoup, 2001) • RSA-REACT (Okamoto-Pointcheval, 2001) – RSA-GEM (Coron et al., 2002) 78 79

13 New Developments in Cryptology March 2013 Bart Preneel

RSA-PKCS-1v1_5 Diagram RSA-PKCS-1v1_5 Cryptanalysis

Random message nonzero • Low-exponent RSA when very long messages are bytes encrypted [Coppersmith+ ‘96/Coron ‘00] padding – large parts of a plaintext is known or similar messages are encrypted with the same public key 0002 00 • Chosen ciphertext attack [Bleichenbacher ’98] – decryption oracle: ciphertext valid or not? EM – 1024-bit modulus: 1 million decryption queries Source: • These attacks are precluded by fixes in TLS 80 RSA Labs Public Key RSAEP C 81

“Efficient padding oracle attacks on Bleichenbacher’s attack cryptographic hardware” (PKCS#11 devices) • Goal: decrypt c [Bardou+ 12] most attacks take less than 100 milliseconds – choose random s, 0 < s < n Device PKCS#1v1.5 CBC pad – computer c’ = c se mod n token session token session – ask for decryption of c’: m’ Aladdin eTokenPro XXXX – compute m as m’/s mod n Feitian ePass 2000 OK OK N/A N/A Feitian ePass 3003 OK OK N/A N/A • but m’ does not have the right format! Gemalto Cyberflex X N/A N/A N/A • idea: try many random choices for s: RSA Securid 800 X N/A N/A N/A Safenet iKey 2032 XXN/A N/A – if no error message is received, we know that SATA dKey OK OK OK OK 2B < (m s mod n) < 3B Siemens CardOS X X N/A N/A 8(k-2) (89 secs) – with B = 2 (k length in bytes of the modulus)82

RSA-OAEP Diagram RSA-OAEP DB = pHash 00 ... 01 message

• designers: Bellare and Rogaway 1993 RNG seed • enhancements by Johnson and Matyas in 1996 (“encoding parameters”) MGF • already widely adopted in standards 00 – IEEE P1363 draft – ANSI X9.44 draft MGF – PKCS #1 v2.0 (PKCS #1 v2.1 draft) – ISO 18033-2 working draft 2000 EM Source: 85 Public Key RSAEP C 84 RSA Labs

14 New Developments in Cryptology March 2013 Bart Preneel

RSA OAEP - security RSA OAEP - security

[BR’93] RSA-OAEP is IND-CCA2 secure under • Improved chosen ciphertext attack [Manger, Crypto ‘01] RSA assumption in ROM • requires a few thousand queries (1.1 log2n) • opponent needs oracle that tells whether there is an error ithitin the integer-to-by te conversi on or i n th e OAEP Shoup ‘00: the proof is wrong decoding [FOPS 01] RSA-OAEP is IND-CCA2 secure under • overall conclusion: RSA Inc. is no longer recommending partial domain one-wayness RSA assumption in ROM the use of RSA-OAEP for RSA: partial domain one-wayness one-wayness if it’s provable secure, it probably isn’t Reduction is very weak ROM assumption is questionable86 87

How to encrypt with RSA How to sign with RSA? • public key: (n,e) • RSA-KEM • private key: d – encrypt 2 session keys with RSA •s = td mod n = t 1/e mod n – encrypt and MAC data with these 2 keys • But • Recommended in NESSIE report – message M is often larger than modulus n (http://www.cryptonessie.org) and included in ISO – RSA(x*y) = RSA(x)*RSA(y) 18033 – RSA(0) = 0, RSA(1) = 1,…

• Similar problems for signatures: • Solution: hash and add redundancy ISO 9796-1 broken, PKCS#1 v1.0 questionable –PKCS #1 88 – RSA-PSS 89

How (not) to sign with RSA: RSA Signatures: PKCS #1 v1.5 [source: RSA Labs] an attack on ISO 9796-2 [Coron+’09] M • History: public key: (n,e) – ISO 9796-1 (1991) was broken and withdrawn in 2001 Hash private key: d – ISO 9796-2 was repaired in 2002 after a first attack in 1999

• New forgery attack on 9796-2 that works for very t = 00 01 ff ff ff ff ff … ff ff ff 00 HashID H long RSA moduli (2048 bits) Generation of RSA signature on M: s = t d mod n = t 1/e mod n – any160-bit hash function: 800$ on Amazon cloud – the specific EMV variant: 45K$ Verification of RSA signature s on M Compute t = se mod n and check that t has the required format • Not a practical threat to 750 million EMV cards since the attack requires a large number of chosen texts Problem: most signature verification software would (600,000) accept a signature on M of the following form: 91 00 01 ff … ff 00 HashID H Magic

15 New Developments in Cryptology March 2013 Bart Preneel

Attack on PKCS #1 v1.5 implementations (1) [Bleichenbacher06] Fix of Bleichenbacher’s attack 00 01 ff… ff 00 HashID H Magic • Write proper verification code (but the signer cannot • consider RSA with public exponent e = 3 know which code the verifier will use) • for any hash value H, it is easy to compute a string “Magic” such that the above string is a perfect cube • Use a public exponent that is at least 32 bits of 3072 bits • example of a perfect cube 1728 = 123 • Upgrade – finally – to RSA-PSS • consequence: – one can sign any message (H) without knowing the private key – this signature works for any public key that is longer than 3072 bits • vulnerable: OpenSSL, Mozilla NSS, GnuTLS 92 93

Secure implementations of Secure Computation cryptography • Error messages and APIs (cf. supra) • Side channels – Timing attacks – Power attacks – Acoustic attacks • PKI • Banking Multi-party computation – Electromagnetic attacks • Credit card • Fault attacks • Google “you can trust it because you •… don’t have to”

Multi-party computation becomes Fully homomorphic encryption “truly practical” • From E(x) and E(y), you can compute E(x+y), E(c.x) and E(x.y) without decrypting • Similar to first public key libraries 20 years ago • Many cool applications including cloud computing • [Gentry’09] ideal lattices = breakthrough – EU: CACE project (Computer Aided Cryptography Engineering), www.cace-project.eu • First implementations require only seconds [Vercauteren-Smart’10], [Gentry-Halevi’10]…. – US: Brown Univ. + UCSD (()Usenix 2010) – but to ciphertext for 1 bit is 3 million bits and public key is • Examples several Mbyte • Substantial improvements if restricted operations – efficient zero-knowledge proofs – 2-party computation of AES (Bristol) – secure auction of beetroots in Denmark (BRICS) lattice lettuce – oblivious transfer for road pricing (COSIC)

16 New Developments in Cryptology March 2013 Bart Preneel

Cryptographic algorithm selection Cryptographic standards

• Standards? • Algorithms historically sensitive (e.g., GSM) • Public domain versus proprietary • Choices with little technical motivation (e.g., RC2 and MD2) • Upgrades • Little or no coordination effort (even within IETF) • Technically difficult

A.S. Tanenbaum: “The nice thing about 98 standards is there's so many to choose from” 99

Major Standardization Bodies in Cryptography Independent evaluation efforts • International – ISO and ISO/IEC International Organization for Standardization • NIST (US) (1997-2001): block cipher AES for – ITU: International Telecommunications Union FIPS 197 (http://csrc.nist.gov/CryptoToolkit/aes/) – IETF: Internet Engineering Task Force • CRYPTREC (Japan) (2000-2003 and 2009-2012): – IEEE: Institute of Electrical and Electronic Engineers • National cryptographic algorithms and protocols for – ANSI: American National Standards Institute government use in Japan – NIST: Natilional Insti tute of Stand dddards and Tech hlnology (http:// www.i pa.go.j p/ securit y) • European • EU-funded IST-NESSIE Project (2000-2003): new – CEN: Comité Européen de Normalisation – ETSI: European Telecommunications Standards Institute cryptographic primitives based on an open evaluation • Industry procedure (http://www.cryptonessie.org) – PKCS, SECG • ECRYPT eSTREAM (2004-2007): stream cipher – W3C, OASIS, Liberty Alliance, Wi-Fi Alliance, BioAPI, WS-Security, TCG competition – GP, PC/SC, Open Card Framework, Multos • NIST (US) (2007-2012): hash function SHA-3 for 100 FIPS 197 (http://csrc.nist.gov/CryptoToolkit/aes/) 101

Proprietary/secret algorithms Many insecure algorithms in use

• No “free” public • Fewer problems with • Do it yourself (snake oil) evaluations rumors and “New York • Export controls Times” attacks • Risk of snake oil • Increased computational power for attacks (64-bit • Cost of (re) -evaluation • Extra reaction time if keys are no longer adequate) problems very high • Cryptanalysis progress - including errors in proofs • Fewer problems with • No economy of scale in • Upgrading is often too hard by design implementation attacks implementations – cost issue • Can use crypto for IPR • Reverse engineering – backward compatibility and licensing – version roll-back attacks

102 103

17 New Developments in Cryptology March 2013 Bart Preneel

Upgrade problem And the good news

• GSM: A5/3 takes a • Negotiable algorithms • Many secure and free solutions available long time in SSH, TLS, IPsec,… today: AES, RSA,… • Bluetooth: E0 • With some reasonable confidence in secure hardwired • But even then these • TCG: chip with fixed protocols have • Cost of strong crypto decreasing except for algorithms problems getting rid of “niche applications” (ambient intelligence) • MD5 and SHA-1 MD5/SHA-1 widely used In spite of all the problems, cryptography is Make sure that you do not use the same key with a weak certainly not the weakest link in our security chain and a strong variant (e.g. GSM A5/2 and A5/3) 104 105

What to use (generic solutions) Challenges for crypto security for 50-100 years • Authenticated encryption mode (OCB, CWC, authenticated encryption of Terabit/s networks CCM, or even GCM) with 3-key 3-DES or ultra-low power/footprint AES • Hash functions: RIPEMD-160, SHA-256, performance SHA-512 or Whirlpool secure software and • Public key encryption: RSA-KEM or ECIES hardware • Digital signatures: RSA-PSS or ECDSA implementations • Protocols: TLS 1.2, SSH, IKE(v2) algorithm agility cost security

106

Conclusions: cryptography Conclusions (2): cryptography

• Can only move and simplify your problems • Leave it to the experts • Solid results, but still relying on a large • Do not do this at home number of unproven assumptions and beliefs • Make sure you can upgrade • Not the bottleneck or problem in most • IlImplementi iing it correctl lihdy is hard security systems • Secure computation very challenging and • To paraphrase Laotse, you cannot create promising: reduce trust in individual building trust with cryptography, no matter how much blocks cryptography you use -- Jon Callas.

108 109