Fast Message Franking: from Invisible Salamanders to Encryptment
Total Page:16
File Type:pdf, Size:1020Kb

Load more
Recommended publications
-
FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS
FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS Cryptographic Module FIPS 140-2 Level 1 Validation Software Version: R7-4.0.0 Date: January 22nd, 2020 Document Version 2.3 © Oracle Corporation This document may be reproduced whole and intact including the Copyright notice. Title: Oracle Linux 7 NSS Cryptographic Module Security Policy Date: January 22nd, 2020 Author: Oracle Security Evaluations – Global Product Security Contributing Authors: Oracle Linux Engineering Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 7 NSS Cryptographic Module Security Policy i TABLE OF CONTENTS Section Title -
Nshield CONNECT Hsms
Product Sheet /EN nSHIELD CONNECT nSHIELD CONNECT HSMs Certified appliances that deliver cryptographic key services across networks nShield Connect HSMs are FIPS-certified nSHIELD CONNECT appliances that deliver cryptographic services to applications across the network. • Maximizes performance and availability with high cryptographic transaction These tamper-resistant platforms perform rates and flexible scaling such functions as encryption, digital signing and key generation and protection • Supports a wide variety of applications over an extensive range of applications, including certificate authorities, code including certificate authorities, code signing and more signing, custom software and more. The nShield Connect series includes • nShield CodeSafe protects your nShield Connect+ and the new, high- applications within nShield’s secure performance nShield Connect XC. execution environment HIGHLY FLEXIBLE ARCHITECTURE • nShield Remote Administration helps nCipher unique Security World architecture you cut costs and reduce travel lets you combine nShield HSM models to build a mixed estate that delivers flexible scalability and seamless failover and load balancing. nSHIELD CONNECT PROCESS MORE DATA FASTER – now also available from Nexus! nShield Connect HSMs support high transaction rates, making them ideal for enterprise, retail, IoT and other environments where throughput is critical. Available Models and Performance nShield Connect Models 500+ XC Base 1500+ 6000+ XC Mid XC High PROTECT YOUR PROPRIETARY RSA Signing Performance (tps) for NIST Recommended Key Lengths APPLICATIONS 2048 bit 150 430 450 3,000 3,500 8,600 4096 bit 80 100 190 500 850 2,025 The CodeSafe option provides a secure ECC Prime Curve Signing Performance (tps) for NIST Recommended Key Lengths environment for running sensitive 256 bit 540 680 1,260 2,400 5,500 14,400 Client Licenses applications within nShield boundaries. -
Security Policy: Informacast Java Crypto Library
FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library FIPS 140-2 Non-Proprietary Security Policy InformaCast Java Crypto Library Software Version 3.0 Document Version 1.2 June 26, 2017 Prepared For: Prepared By: Singlewire Software SafeLogic Inc. 1002 Deming Way 530 Lytton Ave, Suite 200 Madison, WI 53717 Palo Alto, CA 94301 www.singlewire.com www.safelogic.com Document Version 1.2 © Singlewire Software Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for InformaCast Java Crypto Library. Document Version 1.2 © Singlewire Software Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Table of Contents 1 Introduction .................................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document.................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices ......................................................................................................................................................... -
Extending NIST's CAVP Testing of Cryptographic Hash Function
Extending NIST’s CAVP Testing of Cryptographic Hash Function Implementations Nicky Mouha and Christopher Celi National Institute of Standards and Technology, Gaithersburg, MD, USA [email protected],[email protected] Abstract. This paper describes a vulnerability in Apple’s CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authen- tication Code (HMAC) and the Ed25519 signature scheme. The vulnera- bility is present in each of Apple’s CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about 232 bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash func- tions for inputs larger than 65 535 bits. To overcome this limitation of NIST’s CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2. Keywords: CVE-2019-8741, FIPS, CAVP, ACVP, Apple, CoreCrypto, hash function, vulnerability. 1 Introduction The security of cryptography in practice relies not only on the resistance of the algorithms against cryptanalytical attacks, but also on the correctness and robustness of their implementations. Software implementations are vulnerable to software faults, also known as bugs. -
Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family
Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family Dmitry Khovratovich1 and Christian Rechberger2 and Alexandra Savelieva3 1Microsoft Research Redmond, USA 2DTU MAT, Denmark 3National Research University Higher School of Economics, Russia Abstract. We present the new concept of biclique as a tool for preimage attacks, which employs many powerful techniques from differential cryptanalysis of block ciphers and hash functions. The new tool has proved to be widely applicable by inspiring many authors to publish new re- sults of the full versions of AES, KASUMI, IDEA, and Square. In this paper, we demonstrate how our concept results in the first cryptanalysis of the Skein hash function, and describe an attack on the SHA-2 hash function with more rounds than before. Keywords: SHA-2, SHA-256, SHA-512, Skein, SHA-3, hash function, meet-in-the-middle attack, splice-and-cut, preimage attack, initial structure, biclique. 1 Introduction The last years saw an exciting progress in preimage attacks on hash functions. In contrast to collision search [29, 26], where differential cryptanalysis has been in use since 90s, there had been no similarly powerful tool for preimages. The situation changed dramatically in 2008, when the so-called splice-and-cut framework has been applied to MD4 and MD5 [2, 24], and later to SHA-0/1/2 [1, 3], Tiger [10], and other primitives. Despite amazing results on MD5, the applications to SHA-x primitives seemed to be limited by the internal properties of the message schedule procedures. The only promising element, the so-called initial structure tool, remained very informal and complicated. -
A (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria [email protected] Abstract. In this article, we analyze the security of the GOST hash function with respect to (second) preimage resistance. The GOST hash function, defined in the Russian standard GOST-R 34.11-94, is an iter- ated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterated structure, a check- sum computed over all input message blocks. This checksum is then part of the final hash value computation. For this hash function, we show how to construct second preimages and preimages with a complexity of about 2225 compression function evaluations and a memory requirement of about 238 bytes. First, we show how to construct a pseudo-preimage for the compression function of GOST based on its structural properties. Second, this pseudo- preimage attack on the compression function is extended to a (second) preimage attack on the GOST hash function. The extension is possible by combining a multicollision attack and a meet-in-the-middle attack on the checksum. Keywords: cryptanalysis, hash functions, preimage attack 1 Introduction A cryptographic hash function H maps a message M of arbitrary length to a fixed-length hash value h. A cryptographic hash function has to fulfill the following security requirements: – Collision resistance: it is practically infeasible to find two messages M and M ∗, with M ∗ 6= M, such that H(M) = H(M ∗). -
Advanced Meet-In-The-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2
Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2 Jian Guo1, San Ling1, Christian Rechberger2, and Huaxiong Wang1 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 2 Dept. of Electrical Engineering ESAT/COSIC, K.U.Leuven, and Interdisciplinary Institute for BroadBand Technology (IBBT), Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium. [email protected] Abstract. We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks runs in time 2188.8 for finding preimages, and 2188.2 for second-preimages. Both have memory requirement of order 28, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 278.4 and 269.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity. -
Certicom Security Builder GSE Datasheet
Security Builder® GSE™ FIPS 140-2 VALIDATED CRYPTOGRAPHIC MODULE Build trusted, government-approved security into your products. Security Builder® GSE™ enables developers to quickly build client and server-side applications that require a FIPS 140-2 level 1 validation for the cryptographic module. Security Builder GSE acts as a software cryptographic provider within the Certicom® Security Architecture™ – a comprehensive, portable and modular solution designed to allow developers to quickly and cost-effectively embed security across multiple families and generations of devices and applications. MEETS GOVERNMENT SECURITY REQUIREMENTS REDUCES TIME TO MARKET A number of government regulations mandate the use of FIPS By building on Security Builder GSE, you can avoid the lengthy validated modules for the protection of data, especially in a and expensive FIPS validation process and get your product to wireless setting. FIPS also helps demonstrate adherence to market more quickly. Re-validation and re-branding options security best practices. In the US, for instance, compliance are also available if you wish for your product to be listed on with FIPS 140-2 can help manufacturers of network- the NIST Cryptographic Module Validation Program active connected devices and application software demonstrate best validation list. By using a pre-validated module you can meet practice encryption capabilities for protecting patient and user security requirements without diverting valuable resources and data. keep your developers focused on your core application. Security Builder GSE has been validated on a wide variety COMPREHENSIVE SECURITY SOLUTION of high-level and embedded operating systems, including QNX With support for leading client and server-side operating real-time OS, Android and iOS. -
Cryptographic Hash Workshop (2005)
SHA-160: A Truncation Mode for SHA256 (and most other hashes) John Kelsey, NIST Halloween Hash Bash 2005 1 What’s a Truncation Mode? • Rule for chopping bits off a hash output • We have a big hash fn we trust, Like SHA256 • We need a smaller hash output Like 160 bits • We need to specify how this is done – Interoperability and security reasons 2 Why Do We Need One? • Need drop in replacement for SHA1 (MD5?) • Have unBroken hashes of wrong size – ECDSA/DSA key sizes – File and protocol formats • OBvious approach: Truncate SHA256/SHA512 • This has Been done Before: Snefru, Tiger, SHA384, SHA224 3 Our Proposal in a Nutshell H(X,M) = hash M from initial value X • Start with different IV for each truncation length n: n has fixed-length representation T IV n = H(IV xor 0xccc…c,n) • Run bigger hash normally T T H n(m) = truncate(H(IV n, m),n) • Generic: Any n, many big hashes – (Rivest comment to SHA224) 4 Intuition: Why should this be okay? • If hash “good”, seems like truncation should be good, too. – Fits our intuition about hash functions – Easy proof in Random Oracle Model – Prior art suggests other people agree • So, is intuition correct here? 5 Security Considerations • Issue #1: Related hash outputs T – H n(X) ! H(X’) • Issue #2: Can we safely truncate? – No reduction proof – “Near collisions” 6 Issue #1: Related Outputs T Why we need IV n!IV T What if IV n =IV? Then we get collision before truncation: T H 160(M) = ABCDE T H 192(M) = ABCDEF 7 Does This Matter? A Common KDF • KDF(S,P,n): – T = “” – for j = 1 to n: T = T || hash(S||P||j) • Two people use different truncations: – Result: Two closely related keys “AAAABBBBCCCCDDDD” “AAABBBCCCDDD” • Very unintuitive property! – Related key attack? Protocol problem? 8 Broader Issue: Related Outputs T T H n(m) = truncate(H(IV n, m),n) T • What if H n(m) ! H(m’)? – Broader property: can’t prove it won’t happen – Narrow property: collision before truncation 9 Does Our Scheme Prevent This? We prevent collision before truncation: T • Can’t choose M’ -> IV n (preimage) • Can’t cause intermediate collision (DM constr. -
Implementation of Hash Function for Cryptography (Rsa Security)
International Journal For Technological Research In Engineering Volume 4, Issue 6, February-2017 ISSN (Online): 2347 - 4718 IMPLEMENTATION OF HASH FUNCTION FOR CRYPTOGRAPHY (RSA SECURITY) Syed Fateh Reza1, Mr. Prasun Das2 1M.Tech. (ECE), 2Assistant Professor (ECE), Bitm,Bolpur ABSTRACT: In this thesis, a new method for expected to have a unique hash code and it should be implementing cryptographic hash functions is proposed. generally difficult for an attacker to find two messages with This method seeks to improve the speed of the hash the same hash code. function particularly when a large set of messages with Mathematically, a hash function (H) is defined as follows: similar blocks such as documents with common Headers H: {0, 1}* → {0, 1}n are to be hashed. The method utilizes the peculiar run-time In this notation, {0, 1}* refers to the set of binary elements configurability Feature of FPGA. Essentially, when a block of any length including the empty string while {0, 1}n refers of message that is commonly hashed is identified, the hash to the set of binary elements of length n. Thus, the hash value is stored in memory so that in subsequent occurrences function maps a set of binary elements of arbitrary length to of The message block, the hash value does not need to be a set of binary elements of fixed length. Similarly, the recomputed; rather it is Simply retrieved from memory, thus properties of a hash function are defined as follows: giving a significant increase in speed. The System is self- x {0, 1}*; y {0,1}n learning and able to dynamically build on its knowledge of Pre-image resistance: given y= H(x), it should be difficult to frequently Occurring message blocks without intervention find x. -
Tiger Hash Attribute Encryption for Secured Cloud Service Provisioning
Middle-East Journal of Scientific Research 25 (1): 181-191, 2017 ISSN 1990-9233 © IDOSI Publications, 2017 DOI: 10.5829/idosi.mejsr.2017.181.191 Tiger Hash Attribute Encryption for Secured Cloud Service Provisioning 12P. Muthusamy and V. Murali Bhaskaran 1Department of Computer Science & Engg, Anna University, Chennai - 600 025, Tamil Nadu, India 2Principal, Dhirajlal Gandhi College of Technology, Salem - 636 309, Tamil Nadu, India Abstract: Cloud Computing facilitates organization to share various operation services in a high secure manner. In cloud based communication, the confidentiality of the systemis the major concern. Hence, the secured message communication is to prevent unauthorized access of confidential information. Several encryption approacheshave been developed for cloud service provisioning. But, cloud users still have major security and confidentiality about their outsourced data due to unauthorized access within the service providers. In order to improve the confidentiality in cloud service provisioning, Tiger Cryptographic Hash Function based Attribute Encryption and Decryption (TCHF-AED) technique is introduced. Tiger is a cryptographic hash function for achieving higher confidentiality rate in cloud service provisioning. Initially, the attribute cloud request is sent from the users to cloud server. Next, Tiger Cryptographic Hash Function is used to achieve cloud data confidentiality based on output of hash value.TheAttribute Encryption is performed for converting actual message into cipher textand the hash value of each encrypted message is calculated. The encrypted message with hash value is stored in cloud server. Whenever the cloud user accesses the data from cloud server, the hash value is recomputed to achieve the correctness of the message. If the correctness is achieved the decryption is performed to attain the confidentiality. -
Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.