Scream: a Software-Efficient Stream Cipher
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng
Breaking Crypto Without Keys: Analyzing Data in Web Applications Chris Eng 1 Introduction – Chris Eng _ Director of Security Services, Veracode _ Former occupations . 2000-2006: Senior Consulting Services Technical Lead with Symantec Professional Services (@stake up until October 2004) . 1998-2000: US Department of Defense _ Primary areas of expertise . Web Application Penetration Testing . Network Penetration Testing . Product (COTS) Penetration Testing . Exploit Development (well, a long time ago...) _ Lead developer for @stake’s now-extinct WebProxy tool 2 Assumptions _ This talk is aimed primarily at penetration testers but should also be useful for developers to understand how your application might be vulnerable _ Assumes basic understanding of cryptographic terms but requires no understanding of the underlying math, etc. 3 Agenda 1 Problem Statement 2 Crypto Refresher 3 Analysis Techniques 4 Case Studies 5 Q & A 4 Problem Statement 5 Problem Statement _ What do you do when you encounter unknown data in web applications? . Cookies . Hidden fields . GET/POST parameters _ How can you tell if something is encrypted or trivially encoded? _ How much do I really have to know about cryptography in order to exploit implementation weaknesses? 6 Goals _ Understand some basic techniques for analyzing and breaking down unknown data _ Understand and recognize characteristics of bad crypto implementations _ Apply techniques to real-world penetration tests 7 Crypto Refresher 8 Types of Ciphers _ Block Cipher . Operates on fixed-length groups of bits, called blocks . Block sizes vary depending on the algorithm (most algorithms support several different block sizes) . Several different modes of operation for encrypting messages longer than the basic block size . -
SGX Secure Enclaves in Practice Security and Crypto Review
SGX Secure Enclaves in Practice Security and Crypto Review JP Aumasson, Luis Merino This talk ● First SGX review from real hardware and SDK ● Revealing undocumented parts of SGX ● Tool and application releases Props Victor Costan (MIT) Shay Gueron (Intel) Simon Johnson (Intel) Samuel Neves (Uni Coimbra) Joanna Rutkowska (Invisible Things Lab) Arrigo Triulzi Dan Zimmerman (Intel) Kudelski Security for supporting this research Agenda .theory What's SGX, how secure is it? .practice Developing for SGX on Windows and Linux .theory Cryptography schemes and implementations .practice Our projects: reencryption, metadata extraction What's SGX, how secure is it? New instruction set in Skylake Intel CPUs since autumn 2015 SGX as a reverse sandbox Protects enclaves of code/data from ● Operating System, or hypervisor ● BIOS, firmware, drivers ● System Management Mode (SMM) ○ aka ring -2 ○ Software “between BIOS and OS” ● Intel Management Engine (ME) ○ aka ring -3 ○ “CPU in the CPU” ● By extension, any remote attack = reverse sandbox Simplified workflow 1. Write enclave program (no secrets) 2. Get it attested (signed, bound to a CPU) 3. Provision secrets, from a remote client 4. Run enclave program in the CPU 5. Get the result, and a proof that it's the result of the intended computation Example: make reverse engineer impossible 1. Enclave generates a key pair a. Seals the private key b. Shares the public key with the authenticated client 2. Client sends code encrypted with the enclave's public key 3. CPU decrypts the code and executes it A trusted -
On the Security of IV Dependent Stream Ciphers
On the Security of IV Dependent Stream Ciphers Côme Berbain and Henri Gilbert France Telecom R&D {[email protected]} research & development Stream Ciphers IV-less IV-dependent key K key K IV (initial value) number ? generator keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext e.g. RC4, Shrinking Generator e.g. SNOW, Scream, eSTREAM ciphers well founded theory [S81,Y82,BM84] less unanimously agreed theory practical limitations: prior work [RC94, HN01, Z06] - no reuse of K numerous chosen IV attacks - synchronisation - key and IV setup not well understood IV setup – H. Gilbert (2) research & developement Orange Group Outline security requirements on IV-dependent stream ciphers whole cipher key and IV setup key and IV setup constructions satisfying these requirements blockcipher based tree based application example: QUAD incorporate key and IV setup in QUAD's provable security argument IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion m K∈R{0,1} number truly random VS generator g generator g g(K) ∈{0,1}L L OR Z ∈R{0,1} 1 input A 0 or 1 PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1] PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A)) PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1 IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK} gK(IV) q oracle queries • A 0 or 1 PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1] PRF PRF Adv G (t, q) = max A (Adv G (A)) PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1 IV setup – H. -
9/11 Report”), July 2, 2004, Pp
Final FM.1pp 7/17/04 5:25 PM Page i THE 9/11 COMMISSION REPORT Final FM.1pp 7/17/04 5:25 PM Page v CONTENTS List of Illustrations and Tables ix Member List xi Staff List xiii–xiv Preface xv 1. “WE HAVE SOME PLANES” 1 1.1 Inside the Four Flights 1 1.2 Improvising a Homeland Defense 14 1.3 National Crisis Management 35 2. THE FOUNDATION OF THE NEW TERRORISM 47 2.1 A Declaration of War 47 2.2 Bin Ladin’s Appeal in the Islamic World 48 2.3 The Rise of Bin Ladin and al Qaeda (1988–1992) 55 2.4 Building an Organization, Declaring War on the United States (1992–1996) 59 2.5 Al Qaeda’s Renewal in Afghanistan (1996–1998) 63 3. COUNTERTERRORISM EVOLVES 71 3.1 From the Old Terrorism to the New: The First World Trade Center Bombing 71 3.2 Adaptation—and Nonadaptation— ...in the Law Enforcement Community 73 3.3 . and in the Federal Aviation Administration 82 3.4 . and in the Intelligence Community 86 v Final FM.1pp 7/17/04 5:25 PM Page vi 3.5 . and in the State Department and the Defense Department 93 3.6 . and in the White House 98 3.7 . and in the Congress 102 4. RESPONSES TO AL QAEDA’S INITIAL ASSAULTS 108 4.1 Before the Bombings in Kenya and Tanzania 108 4.2 Crisis:August 1998 115 4.3 Diplomacy 121 4.4 Covert Action 126 4.5 Searching for Fresh Options 134 5. -
Bias in the LEVIATHAN Stream Cipher
Bias in the LEVIATHAN Stream Cipher Paul Crowley1? and Stefan Lucks2?? 1 cryptolabs Amsterdam [email protected] 2 University of Mannheim [email protected] Abstract. We show two methods of distinguishing the LEVIATHAN stream cipher from a random stream using 236 bytes of output and pro- portional effort; both arise from compression within the cipher. The first models the cipher as two random functions in sequence, and shows that the probability of a collision in 64-bit output blocks is doubled as a re- sult; the second shows artifacts where the same inputs are presented to the key-dependent S-boxes in the final stage of the cipher for two suc- cessive outputs. Both distinguishers are demonstrated with experiments on a reduced variant of the cipher. 1 Introduction LEVIATHAN [5] is a stream cipher proposed by David McGrew and Scott Fluhrer for the NESSIE project [6]. Like most stream ciphers, it maps a key onto a pseudorandom keystream that can be XORed with the plaintext to generate the ciphertext. But it is unusual in that the keystream need not be generated in strict order from byte 0 onwards; arbitrary ranges of the keystream may be generated efficiently without the cost of generating and discarding all prior val- ues. In other words, the keystream is “seekable”. This property allows data from any part of a large encrypted file to be retrieved efficiently, without decrypting the whole file prior to the desired point; it is also useful for applications such as IPsec [2]. Other stream ciphers with this property include block ciphers in CTR mode [3]. -
RC4-2S: RC4 Stream Cipher with Two State Tables
RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K. -
Ascon (A Submission to CAESAR)
Ascon (A Submission to CAESAR) Ch. Dobraunig1, M. Eichlseder1, F. Mendel1, M. Schl¨affer2 1IAIK, Graz University of Technology, Austria 2Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of Ascon Security analysis Implementations 1 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 Generic compositions MAC-then-Encrypt (MtE) e.g. in SSL/TLS MAC M security depends on E and MAC E ∗ C T k Encrypt-and-MAC (E&M) ∗ e.g. in SSH E C M security depends on E and MAC MAC T Encrypt-then-MAC (EtM) ∗ IPSec, ISO/IEC 19772:2009 M E C provably secure MAC T 3 / 20 Tags for M = IV (N 1), M = IV (N 2), . ⊕ k ⊕ k are the key stream to read M1, M2,... (Keys for) E ∗ and MAC must be independent! Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? 4 / 20 Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? Tags for M = IV (N 1), M = IV (N 2), . -
Stream Cipher Designs: a Review
SCIENCE CHINA Information Sciences March 2020, Vol. 63 131101:1–131101:25 . REVIEW . https://doi.org/10.1007/s11432-018-9929-x Stream cipher designs: a review Lin JIAO1*, Yonglin HAO1 & Dengguo FENG1,2* 1 State Key Laboratory of Cryptology, Beijing 100878, China; 2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China Received 13 August 2018/Accepted 30 June 2019/Published online 10 February 2020 Abstract Stream cipher is an important branch of symmetric cryptosystems, which takes obvious advan- tages in speed and scale of hardware implementation. It is suitable for using in the cases of massive data transfer or resource constraints, and has always been a hot and central research topic in cryptography. With the rapid development of network and communication technology, cipher algorithms play more and more crucial role in information security. Simultaneously, the application environment of cipher algorithms is in- creasingly complex, which challenges the existing cipher algorithms and calls for novel suitable designs. To accommodate new strict requirements and provide systematic scientific basis for future designs, this paper reviews the development history of stream ciphers, classifies and summarizes the design principles of typical stream ciphers in groups, briefly discusses the advantages and weakness of various stream ciphers in terms of security and implementation. Finally, it tries to foresee the prospective design directions of stream ciphers. Keywords stream cipher, survey, lightweight, authenticated encryption, homomorphic encryption Citation Jiao L, Hao Y L, Feng D G. Stream cipher designs: a review. Sci China Inf Sci, 2020, 63(3): 131101, https://doi.org/10.1007/s11432-018-9929-x 1 Introduction The widely applied e-commerce, e-government, along with the fast developing cloud computing, big data, have triggered high demands in both efficiency and security of information processing. -
2013 Summer Challenge Book List TM
2013 Summer Challenge Book List TM www.scholastic.com/summer Ages 3-5 (By Title, Author and Illustrator) F ABC Drive, Naomi Howland F Corduroy, Don Freeman F Happy Birthday, Hamster, Cynthia Lord & Derek Anderson F ABC I Like Me!, Nancy Carlson F A Den is a Bed for a Bear, Becky Baines F Harold and the Purple Crayon, Crockett Johnson F The ABCs of Thanks and Please, Diane C. Ohanesian F Dolphin Baby!, Nicola Davies F Here Come the Girl Scouts!, Shana Corey & Hadley Hooper F Abuela, Arthur Dorros & Elisa Kleven F Don’t Worry, Douglas!, David Melling F Homer, Shelley Rotner & Diane Detroit F Alexander and the Terrible, Horrible, No Good, F The Dot, Peter H. Reynolds Very Bad Day, Judith Viorst & Ray Cruz F The House that George Built, Suzanne Slade F Exclamation Mark, Amy Krouse Rosenthal & Tom Lichtenheld F Alice the Fairy, David Shannon F A House is a House for Me, Family Pictures, Carmen Lomas Garza F Mary Ann Hoberman & Betty Fraser F Alphabet Under Construction, Denise Fleming F First the Egg, Laura Vaccaro Seeger F How Do Dinosaurs Say Happy Birthday?, F All Kinds of Families!, Mary Ann Hoberman F Five Little Monkeys Reading in Bed, Eileen Christelow Jane Yolen & Mark Teague F The Are You Ready for Kindergarten? F How Does Your Salad Grow?, Francie Alexander workbook series, Kumon Publishing F The Frog & Toad Are Friends, Arnold Lobel F How Georgie Radboum Saved Baseball, David Shannon F Baby Bear Sees Blue, Ashley Wolff F The Froggy books, Jonathan London & Frank Remkiewicz F Huck Runs Amuck, Sean F Bailey, Harry Bliss F The Geronimo Stilton series, Geronimo Stilton F I Am Small, Emma Dodd F Bats at the Beach, Brian Lies F Gilbert Goldfish Wants a Pet, Kelly DiPucchio & Bob Shea F I Read Signs, Ana Hoban F Bird, Butterfly, Eel, James Prosek F The Giving Tree, Shel Silverstein F If Rocks Could Sing, Leslie McGuirk F Brown Bear, Brown Bear, What Do You See?, F Gone with the Wand, Margie Palatini Bill Martin Jr. -
D-DOG: Securing Sensitive Data in Distributed Storage Space by Data Division and Out-Of-Order Keystream Generation †Jun Feng, †Yu Chen*, ‡Wei-Shinn Ku, §Zhou Su †Dept
D-DOG: Securing Sensitive Data in Distributed Storage Space by Data Division and Out-of-order keystream Generation †Jun Feng, †Yu Chen*, ‡Wei-Shinn Ku, §Zhou Su †Dept. of Electrical & Computer Engineering, SUNY - Binghamton, Binghamton, NY 13902 ‡Dept. of Computer Science & Software Engineering, Auburn University, Auburn, AL 36849 §Dept. of Computer Science, Waseda University, Ohkubo 3-4-1, Shinjyuku, Tokyo 169-8555, Japan {jfeng3, ychen }@binghamton.edu, [email protected], [email protected] ∗ Abstract - Migrating from server-attached storage to system against the attacks/intrusion from outsiders. The distributed storage brings new vulnerabilities in creating a confidentiality and integrity of data are mostly achieved secure data storage and access facility. Particularly it is a using robust cryptograph schemes. challenge on top of insecure networks or unreliable storage However, such a security system is not robust enough to service providers. For example, in applications such as cloud protect the data in distributed storage applications at the computing where data storage is transparent to the owner. It is level of wide area networks. The recent progress of network even harder to protect the data stored in unreliable hosts. technology enables global-scale collaboration over More robust security scheme is desired to prevent adversaries heterogeneous networks under different authorities. For from obtaining sensitive information when the data is in their hands. Meanwhile, the performance gap between the execution instance, in the environment of peer-to-peer (P2P) file speed of security software and the amount of data to be sharing or the distributed storage in cloud computing processed is ever widening. A common solution to close the environment, it enables the concrete data storage to be even performance gap is through hardware implementation. -
Scream on MSP430 07282015
Implementation of the SCREAM Tweakable Block Cipher in MSP430 Assembly Language William Diehl George Mason University, Fairfax VA 22033, USA [email protected] Abstract. The encryption mode of the Tweakable Block Cipher (TBC) of the SCREAM Authenticated Cipher is implemented in the MSP430 microcontroller. Assembly language versions of the TBC are prepared using both precomputed tweak keys and tweak keys computed “on-the-fly.” Both versions are compared against published results for the assembly language version of SCREAM on the ATMEL AVR microcontroller, and against the C reference implementation in terms of performance and size. The assembly language version using precomputed tweak keys achieves a speedup of 1.7 and memory savings of 9 percent over the reported SCREAM implementation in the ATMEL AVR. The assembly language version using tweak keys computed “on-the-fly” achieves a speedup of 1.6 over the ATMEL AVR version while reducing memory usage by 15 percent. Keywords: Cryptography, encryption, MSP430, assembly, speed, efficiency 1 Introduction Authenticated ciphers combine the functionality of confidentiality and integrity into one algorithm. In 2014 the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) called for submission of authenticated cipher candidates [1]. CAESAR candidates are evaluated in terms of security, size, robustness, flexibility, and performance. Software reference implementations written in C code are required as part of Rounds One and Two submissions. Many of the Round One submissions contained the authors’ evaluations in both hardware and software. Additionally, several Round One submissions investigated the software performance of the authors’ algorithms on various types of platforms, including high-end CPU and resource-constrained microcontrollers suitable for embedded applications. -
THE COLLECTED POEMS of HENRIK IBSEN Translated by John Northam
1 THE COLLECTED POEMS OF HENRIK IBSEN Translated by John Northam 2 PREFACE With the exception of a relatively small number of pieces, Ibsen’s copious output as a poet has been little regarded, even in Norway. The English-reading public has been denied access to the whole corpus. That is regrettable, because in it can be traced interesting developments, in style, material and ideas related to the later prose works, and there are several poems, witty, moving, thought provoking, that are attractive in their own right. The earliest poems, written in Grimstad, where Ibsen worked as an assistant to the local apothecary, are what one would expect of a novice. Resignation, Doubt and Hope, Moonlight Voyage on the Sea are, as their titles suggest, exercises in the conventional, introverted melancholy of the unrecognised young poet. Moonlight Mood, To the Star express a yearning for the typically ethereal, unattainable beloved. In The Giant Oak and To Hungary Ibsen exhorts Norway and Hungary to resist the actual and immediate threat of Prussian aggression, but does so in the entirely conventional imagery of the heroic Viking past. From early on, however, signs begin to appear of a more personal and immediate engagement with real life. There is, for instance, a telling juxtaposition of two poems, each of them inspired by a female visitation. It is Over is undeviatingly an exercise in romantic glamour: the poet, wandering by moonlight mid the ruins of a great palace, is visited by the wraith of the noble lady once its occupant; whereupon the ruins are restored to their old splendour.