DOCSLIB.ORG

Provable Security in Practice: Analysis of SSH and CBC Mode with Padding

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Provable Security in Practice: Analysis of SSH and CBC Mode with Padding Provable Security in Practice: Analysis of SSH and CBC mode with Padding Gaven James Watson Technical Report RHUL{MA{2011{2 21 February 2011 Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports Provable Security in Practice: Analysis of SSH and CBC mode with Padding Gaven James Watson Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2010 Declaration These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathe- matics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Gaven James Watson June, 2010 2 Acknowledgements When I first started my PhD, I did not know where it would take me or even how much it was possible for me to achieve. I have been incredibly lucky to have worked on some interesting problems which have given birth to significant results. This has all been possible due to the excellent supervision of Prof. Kenny Paterson. His advice, constructive criticism and the odd amusing analogy have helped me, not only to develop as a researcher but have taught me a great deal about writing and presenting my work. What I have learnt will be invaluable in my future career, what- ever that may be. I also extend my gratitude to my advisor Dr. Steven Galbraith, whom I met during my Masters at Royal Holloway and without whom I would not have met Kenny. I am grateful to the EPSRC and BT whose financial support has kept me well fed and watered throughout the course of my PhD. Whilst working on SSH I had the good fortune to work with Martin Albrecht. His speedy implementation of our attacks on SSH and the new insight he brought to our research can be summed up in one word: awesome! During my time at Royal Holloway I have been lucky to meet and become friends with a vast array of people. There have been many great times shared in the office, on the tennis court or at home in the “Houses of Crypto”. Thanks to everyone who has made my time at Royal Holloway so enjoyable. A special thanks goes to Liz Quaglia and Sriram Srinivasan. Liz for being like a third sister to me and giving me somewhere to stay when I was homeless. Sriram for sharing his philosophies on life and being an education to live with. Finally I would like to thank my family: My sisters for setting the standards I’ve had to live up to, my nephews and niece for always being able to put a smile on my face and my parents for their unwavering support and guidance. 3 Abstract This thesis illustrates and examines the gap that exists between theoretical and practical cryptography. Provable security is a useful tool which allows cryptogra- phers to perform formal security analyses within a strict mathematical framework. Unfortunately, the formal modelling of provable security sometimes fails to match how particular schemes or protocols are implemented in real life. We examine how certain types of attack are not covered by the current techniques and show how this can be remedied by expanding existing security models to capture a much wider array of attacks. We begin by studying padding oracle attacks, a powerful class of side-channel, plaintext-recovering attacks introduced by Vaudenay. These attacks have been shown to work in practice against CBC mode when it is implemented in certain ways. In particular, padding oracle attacks have been demonstrated for certain im- plementations of SSL/TLS and IPsec. We develop new security models and proofs of security for CBC mode (with padding). These models show how to select padding schemes and in what order to combine CBC mode encryption, padding and authen- tication to provably provide a strong notion of security incorporating padding oracle attacks. Next we study the secure network protocol SSH. The first formal security analysis of the SSH Binary Packet Protocol (BPP) was performed by Bellare, Kohno and Namprempre. We present new plaintext-recovery attacks against the SSH BPP which partially invalidate this work. By examining why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, we are able to determine what features are missing from Bellare et al.’s original provable security analysis for SSH. Using this knowledge we define new security models that accurately capture the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Our new models then give us the ability to prove that SSH using counter mode encryption is secure against a much wider array of attacks, including our plaintext-recovery attacks. We conclude with further discussion of why the gap between theory and practice exists and suggest other ways of narrowing the gap. 4 Contents 1 Introduction 9 1.1 Motivation ................................ 9 1.2 Contribution ............................... 11 1.3 Publications................................ 12 1.4 OrganisationofThesis .......................... 12 2 Theoretical Preliminaries 15 2.1 CryptographicPrimitives . 15 2.1.1 BlockCiphers........................... 16 2.1.2 Encryption Schemes and Modes of Operation . 17 2.1.3 Message Authentication Codes . 23 2.1.4 EncodingSchemes ........................ 24 2.1.5 Authenticated Encryption with Associated Data . 25 2.2 ProvableSecurity............................. 26 2.2.1 AShortHistory ......................... 26 2.2.2 Practice-OrientedProvableSecurity . 27 2.2.3 Functions and Permutations . 28 2.2.4 Security Models for Symmetric Encryption . 31 2.2.5 Results for Generic Compositions . 44 3 Practical Preliminaries 48 3.1 NetworkProtocols ............................ 48 3.1.1 SSL/TLS ............................. 49 3.1.2 SSH ................................ 50 3.1.3 IPsec................................ 53 3.2 Side-ChannelAnalysis . 54 3.3 A Short History of Padding Oracle Attacks . 55 4 Formal Security Models for Padding Oracle Attacks 60 4.1 Introduction................................ 60 4.2 PaddingSchemes............................. 61 4.3 SecurityModels.............................. 62 4.3.1 One-waySecurity......................... 63 4.3.2 Left-or-Right Indistinguishability . 64 4.3.3 Real-or-Random Indistinguishability . 66 4.3.4 Find-then-Guess Security . 68 4.4 RelationsBetweenModels . 70 4.5 Summary ................................. 77 5 CONTENTS 5 Formal Security Analysis of CBC Mode Against Padding Oracle Attacks 78 5.1 Introduction................................ 79 5.2 FurtherDefinitions ............................ 80 5.2.1 Some Padding Schemes . 80 5.2.2 ArbitraryLengthCBCMode . 82 5.3 Padding Methods for Chosen-Plaintext Security . 83 5.3.1 Padding Methods With Invalid Paddings . 83 5.3.2 Padding Methods With No Invalid Paddings . 87 5.4 Constructions Achieving Chosen-Ciphertext Security . ....... 88 5.4.1 Encrypt-&-Authenticate . 91 5.4.2 Encrypt-then-Authenticate . 91 5.4.3 Authenticate-then-Encrypt . 95 5.5 Conclusion ................................ 101 6 Attacking SSH 104 6.1 Introduction................................ 104 6.1.1 OverviewofourAttack . 105 6.1.2 PreviousAttacksonSSH . 108 6.2 TheSSHBinaryPacketProtocol . 109 6.2.1 The OpenSSH Implementation of the BPP . 111 6.3 AttackingOpenSSH ........................... 113 6.3.1 Recovering14PlaintextBits . 113 6.3.2 Recovering32PlaintextBits . 114 6.3.3 IteratingtheAttack . 115 6.4 ExperimentalValidation . 117 6.5 Countermeasures ............................. 120 6.5.1 BPPRedesign .......................... 122 6.6 Conclusion ................................ 123 7 Formal Security Analysis of SSH 124 7.1 Introduction................................ 125 7.2 Existing Formal Security Analysis of SSH . 126 7.2.1 SSH-NPC and SSH-$NPC . 127 7.2.2 Further Provably Secure Variants . 129 7.3 ImprovingtheAnalysis . 129 7.3.1 OnlineEncryption . 130 7.4 ModellingtheSSHBPPanditsSecurity. 131 7.5 FurtherDefinitions ............................ 133 7.5.1 BuildingBlocks. 134 7.5.2 Encode-then-Encrypt-&-MAC. 137 7.6 SecurityModels.............................. 141 7.6.1 Chosen-PlaintextSecurity . 141 7.6.2 Chosen-CiphertextSecurity . 144 7.6.3 IntegrityofCiphertexts . 148 7.6.4 Security of Message Authentication Schemes . 150 7.7 SecurityAnalysis ............................. 151 6 CONTENTS 7.8 Conclusion ................................ 168 8 Conclusion 170 8.1 TheGapBetweenTheoryandPractice . 170 8.2 ClosingtheGap ............................. 171 Bibliography 173 7 Notation We denote here some of the notation that we shall use throughout this thesis. l,L The blocksize in bits/bytes respectively. xky The concatenation of the bit strings x and y. xy Shorthand for xky. xi The concatenation of the bit string x with itself i times. x[i] The i-th block of the string x. x[i...j] The concatenation of blocks i up to j of the bit string x. {0, 1}n All bit strings of length n bits. {0, 1}∗ All bit strings. x ⊕ y The bit-wise exclusive-or (XOR) of x and y. |x| The size of x in bits. 8x8 The size of x in bytes. 8j hiij The j-byte representation of integer i, where 0 ≤ i< 2 . x ←r X Denotes x being chosen uniformly at random from the set X. Exp An experiment. Adv An advantage
Load more

Recommended publications
  • Critical Perspectives on Provable Security: Fifteen Years of “Another Look” Papers
    Advances in Mathematics of Communications doi:10.3934/amc.2019034 Volume 13, No. 4, 2019, 517{558 CRITICAL PERSPECTIVES ON PROVABLE SECURITY: FIFTEEN YEARS OF \ANOTHER LOOK" PAPERS Neal Koblitz Department of Mathematics University of Washington, USA Alfred Menezes Department of Combinatorics & Optimization University of Waterloo, Canada Abstract. We give an overview of our critiques of \proofs" of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata. 1. Introduction What does \provable security" mean? If \proof" is understood in the strict mathematical sense | as in \proof of the Pythagorean Theorem" or \proof of Fermat's Last Theorem" | then there's a simple answer: There is no such thing. \Provable security" is an oxymoron. As Benjamin Franklin said 230 years ago, \in this world nothing can be said to be certain, except death and taxes." About communications security there can be no certainty. But it is wrong to reject proofs in cryptography just because in general they do not measure up to the standards of pure mathematics. To take such an inflexible position would be, as Jonathan Katz pointed out, \snobbery at its purest" [200]. Proofs can be useful in several ways. They enforce a kind of discipline on authors so that they strive for precision, systematic approaches, and completeness. They rule out certain categories of attacks or attacks on certain parts of the protocol so that testing can focus on other types of attacks and on the assumptions made in the provable security theorem.
    [Show full text]
  • Security Protocols in a Nutshell
    Security Protocols in a Nutshell Mohsen Toorani Department of Informatics University of Bergen, Norway [email protected] Abstract Security protocols are building blocks in secure communications. They deploy some security mechanisms to provide certain security services. Security protocols are considered abstract when analyzed, but they can have extra vulnerabilities when implemented. This manuscript provides a holistic study on security protocols. It reviews foundations of security protocols, taxonomy of attacks on security protocols and their implementations, and different methods and models for security analysis of protocols. Specifically, it clarifies differences between information-theoretic and computational security, and computational and symbolic models. Furthermore, a survey on computational security models for authenticated key exchange (AKE) and password-authenticated key exchange (PAKE) protocols, as the most impor- tant and well-studied type of security protocols, is provided. Keywords: Cryptographic protocols, Authenticated key exchange, Computational security, Provable security, Security models. arXiv:1605.09771v2 [cs.CR] 2 Jun 2016 Copyright c 2015 Mohsen Toorani. All Rights Reserved. Contents 1 Introduction 1 1.1 Security attacks . 2 1.2 Security services . 2 1.3 Security mechanisms . 3 2 Taxonomy of attacks 3 2.1 Attacks on security protocols . 3 2.2 Attacks on encryption schemes . 8 2.3 Attacks on implementations . 11 3 Security models 14 3.1 Information-theoretic vs computational security . 15 3.2 Idealized models in computational security . 16 3.3 Formal security models . 18 3.4 Security proofs in reality . 19 4 Security models for cryptographic protocols 20 4.1 AKE protocols . 22 4.1.1 Security models for AKE protocols . 23 4.1.2 PAKE protocols .
    [Show full text]
  • Securing Hardware, Software and Data (SHSD) • Frank Siebenlist, Argonne National Laboratory • Len Napolitano, Sandia National Laboratories
    Report of the Cyber Security Research Needs for Open Science Workshop July 23-24, 2007 Sponsored by the DOE Office of Science in Cooperation with the Office of Electricity Delivery and Energy Reliability PNNL-16971 Report of the Cyber Security Research Needs for Open Science Workshop July 23-24, 2007 Sponsored by the DOE Office of Science in Cooperation with the Office of Electricity Delivery and Energy Reliability i Acknowledgements The workshop chairs wish to thank Joree O’Neal and Rachel Smith for all their help and support with organizing the logistics and registration activities for this workshop; Sue Chin, Ted Tanasse, Barbara Wilson, and Stacy Larsen for their expert help with the assembly, text editing, and graphics for this report; and Lance Baatz for his masterful job as webmaster for this project. Finally, we wish to thank the Pacific Northwest National Laboratory for supporting the development and assembly of the final report. iii EXECUTIVE SUMMARY Protecting systems and users, while maintaining ease of access, represents the “perfect storm” of challenges in the area of cyber security. A fundamental tenet of every scientific investigation is the search for truth. Trust and integrity are immutable values that are fundamental to all research endeavors. By extension, the absolute integrity of information, encompassing systems, networks, and file systems is a critical requirement essential for promoting and facilitating discovery. These qualities are equally important for our nation’s critical energy infrastructure. To determine the cyber security research needs for open science and energy control systems, the U.S. Department of Energy’s (DOE) Office of Science (SC), in cooperation with the Office of Electricity Delivery and Energy Reliability (OE), organized a two-day workshop held July 23 and 24, 2007, at the Bethesda North Marriott Hotel in Bethesda, Maryland.
    [Show full text]
  • Security Notions and Definitions
    Security Notions and Definitions Nicolas T. Courtois - University College of London Security Notions Part 0 Some Vocabulary Revision 2 Nicolas T. Courtois, 2006-2010 Security Notions What is Cryptography ? • Classical notions (cf. dictionaries). – Cryptography: “the art keeping messages secure”. Classically - mostly about secure communication… – Cryptanalysis: the art/science of breaking codes and ciphers . – Cryptology: Cryptography+Cryptanalysis. • These definitions are very much outdated…. 3 Nicolas T. Courtois, 2006-2010 Security Notions My Own Definitions (1): Cryptography: The art and practical techniques for achieving “data security goals” … Cryptology: The science of achieving “data security goals” … 4 Nicolas T. Courtois, 2006-2010 Security Notions Cryptanalysis from the Greek • kryptós, "hidden“ • analýein , "to loosen" or "to untie“ = Breaking (secret) codes Term coined in 1920 by William F. Friedman. 5 Nicolas T. Courtois, 2006-2010 Security Notions More Modern Approach: Cryptanalysis = evaluation of existing weak points: Challenging the security goals by attacks and showing that the security is lower than expected (does not have to recover the key in practice, just show that some claims are not justified). 6 Nicolas T. Courtois, 2006-2010 Security Notions My Own Definitions (3): Cryptology: The science that allows to justify / undermine cryptographic security. Science: establishing facts and proving theorems. Modern Cryptology: Prove the “data security goals” are achieved, while minimising the number of, and maximizing the
    [Show full text]
  • Introduction to Provable Security
    Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian´opolis October 17, 2013 1/77 Introduction to Cryptography Part I Introduction 2/77 What Cryptography is about Introduction to Cryptography Classic Goals 1 Introduction to Cryptography What Cryptography is about Classic Goals 3/77 What Cryptography is about Introduction to Cryptography Classic Goals What Cryptography is about Cryptography is the discipline that studies systems (schemes, protocols) that preserve their functionality (their goal) even under the presence of an active disrupter. 4/77 What Cryptography is about Introduction to Cryptography Classic Goals What Cryptography is about Cryptography is the discipline that studies systems (schemes, protocols) that preserve their functionality (their goal) even under the presence of an active disrupter. 4/77 What Cryptography is about Introduction to Cryptography Classic Goals Classic Problems/Goals Integrity: Messages have not been altered Authenticity: Message comes from sender Secrecy: Message not known to anybody else 5/77 What Cryptography is about Introduction to Cryptography Classic Goals Integrity Alice wants to be sure that a message has not been modified. Analogy with mail We want to know that the envelope has not been opened 6/77 What Cryptography is about Introduction to Cryptography Classic Goals Authenticity There are two types: Case 1: Bob wants to interactively prove his identity to Alice. (eg. talking by phone) Case 2: Bob wants to prove his identity non-interactively to Alice. If the proof can convice a third party (judge), it's a signature. 7/77 What Cryptography is about Introduction to Cryptography Classic Goals Secrecy We want to 1 Store a document 2 Send a message We want..
    [Show full text]
  • Provable Security"
    Another Look at \Provable Security" Neal Koblitz Dept. of Mathematics, Box 354350 Univ. of Washington, Seattle, WA 98195 U.S.A. [email protected] Alfred J. Menezes Dept. of Combinatorics & Optimization Univ. of Waterloo, Waterloo, Ontario N2L 3G1 Canada [email protected] July 4, 2004¤ Abstract We give an informal analysis and critique of several typical \provable security" results. In some cases there are intuitive but convincing argu- ments for rejecting the conclusions suggested by the formal terminology and \proofs," whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathemat- ically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and mis- leading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible. Key words. Cryptography, Public Key, Provable Security AMS subject classi¯cations. 94A60, 68P25, 11T71 1 Introduction Suppose that someone is using public-key cryptography to protect credit card numbers during online purchases, maintain con¯dentiality of medical records, or safeguard national security information. How can she be sure that the system is secure? What type of evidence could convince her that a malicious adversary could not somehow break into the system and learn her secret? At ¯rst glance it seems that this question has a straightforward answer. At the heart of any public-key cryptosystem is a \one-way function" | a function ¤updated on July 16, 2004; October 25, 2004; March 31, 2005; and May 4, 2005 1 y = f(x) that is easy to evaluate but for which it is computationally infeasible to ¯nd the inverse x = f ¡1(y).
    [Show full text]
  • Introduction to Provable Security in Public-Key Cryptography Contents
    Introduction to Provable Security in Public-Key Cryptography Damien Vergnaud (Mathematical Foundations of Asymmetric Cryptography) Sorbonne Universit´e– CNRS – IUF Aussois, Mar. 18 2019 Provable Security in PKC Damien Vergnaud 1 / 64 Contents 1 Introduction 2 Public-Key Encryption Definitions Security Notions for Public-Key Encryption 3 Discrete-log based encryption schemes ElGamal encryption scheme Random Oracle Model and Variants of ElGamal 4 Digital signatures Definitions Security Notions for Digital Signatures 5 Discrete-log based digital signatures One-time signatures Fiat-Shamir heuristic and Schnorr Signatures Aussois, Mar. 18 2019 Provable Security in PKC Damien Vergnaud 2 / 64 Cryptography Goal: enable “secure” communication in the presence of adversaries internet, phone line, ... eavesdrops Alice Bob Eve Aussois, Mar. 18 2019 Provable Security in PKC Damien Vergnaud 3 / 64 Encryption Alice sends a ciphertext to Bob Only Bob can recover the plaintext Confidentiality To recover the plaintext Which means can be used ? to find the whole plaintext ? just the ciphertext ? to get some information some extra information ? about it ? Aussois, Mar. 18 2019 Provable Security in PKC Damien Vergnaud 4 / 64 Why “Provable Security” ? Once a cryptosystem is described, how can we prove its security? by trying to exhibit an attack by proving that no attack exists attack found under some assumptions V system insecure! attack found attack not found V false assumption V ? ”Textbook” cryptosystems cannot be used as such Pratictioners need formatting rules to ensure operability. Paddings are used in practice : heuristic security Provable security is needed in upcoming systems. This is no longer just theory. Provable security is fun! :-) Aussois, Mar.
    [Show full text]
  • On Provable Security for Complex Systems
    On Provable Security for Complex Systems zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften der KIT-Fakult¨atf¨urInformatik des Karlsruher Instituts f¨urTechnologie (KIT) genehmigte Dissertation von Dirk Achenbach aus Villingen-Schwenningen Tag der m¨undlichenPr¨ufung: 29. Januar 2016 Erster Gutachter: Prof. Dr. J¨ornM¨uller-Quade Zweiter Gutachter: Prof. Dr. Ralf Reussner Abstract Computers are ubiquitous. They are critical for a multitude of operations in business, government, and society. Simultaneously they become ever more complex. Consequently, while they gain in importance, it is increasingly difficult to guarantee their security. Because security is a non-functional property, it can neither be tested for, nor can a system be made secure in an ad-hoc fashion. Security can only be included as an inherent property of a system by design. We investigate the contribution of cryptographic proofs of security to a systematic security engineering process. To this end we study how to model and prove security for concrete applications in three practical domains: computer networks, data outsourcing, and electronic voting. In the first domain, computer networks, we investigate the security of a network component irrespective of the surrounding network. As a concrete application, we study how to combine several candidate firewalls to yield one provably-secure firewall, even if one candidate is compromised. Our modeling of a firewall network allows us to define security independent of a firewall's functionality. We show that a concatenation of firewalls is not secure, while a majority decision is. Second, we develop a framework for the privacy of outsourced data. Specifically, we consider privacy in the presence of queries.
    [Show full text]
  • Provable Security of Cryptographic Hash Functions
    ARENBERG DOCTORAL SCHOOL Faculty of Engineering Science Provable Security of Cryptographic Hash Functions Bart Mennink Jury: Dissertation presented in partial Prof. dr. ir. Pierre Verbaeten, chairman fulfillment of the requirements Prof. dr. ir. Bart Preneel, promotor for the degree of Doctor in Prof. dr. ir. Vincent Rijmen, promotor Engineering Prof. dr. Marc Fischlin (Darmstadt University of Technology, Germany) Prof. dr. ir. Frank Piessens Dr. ir. Martijn Stam (University of Bristol, UK) Prof. dr. ir. Joos Vandewalle May 2013 Provable Security of Cryptographic Hash Functions Bart Mennink Jury: Dissertation presented in partial Prof. dr. ir. Pierre Verbaeten, chairman fulfillment of the requirements Prof. dr. ir. Bart Preneel, promotor for the degree of Doctor in Prof. dr. ir. Vincent Rijmen, promotor Engineering Prof. dr. Marc Fischlin (Darmstadt University of Technology, Germany) Prof. dr. ir. Frank Piessens Dr. ir. Martijn Stam (University of Bristol, UK) Prof. dr. ir. Joos Vandewalle May 2013 \Alle grote ontdekkingen komen voort uit onzinnige intu¨ıties.” Harry Mulisch, De Procedure c Katholieke Universiteit Leuven { Faculty of Engineering Science Arenbergkasteel, B-3001 Heverlee (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotocopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher. D/2013/7515/46 ISBN 978-94-6018-660-8 Preface After months of thesis writing, it is time to start with the hardest but most important chapter of this thesis.
    [Show full text]
  • NIST Cryptographic Standards and Guidelines Development Process
    NIST Cryptographic Standards and Guidelines Development Process Report and Recommendations of the Visiting Committee on Advanced Technology of the National Institute of Standards and Technology July 2014 Preface This report from Visiting Committee on Advanced Technology (VCAT) of the National Institute of Standards and Technology (NIST) to the NIST Director contains the VCAT’s recommendations on how NIST can improve the cryptographic standards and guidelines development process. The report is based on the report from the VCAT Subcommittee on Cybersecurity to the VCAT. The Subcommittee based its recommendations on inputs received from a distinguished panel of experts, the Committee of Visitors (CoV), that was established with the specific tasks of reviewing NIST cryptographic processes and of providing the Subcommittee their individual assessments. The report is organized as follows. Section 1 contains a summary, in chronological order, of the events and meetings that occurred between February and June 2014 with detailed meeting minutes placed in appendices. Section 2 briefly discusses the individual CoV assessments and recommendations, with the original versions placed in appendices. Finally, Section 3 contains the VCAT observations and recommendations. ii Table of Contents Preface ...................................................................................................................................................... ii Table of Contents .................................................................................................................................
    [Show full text]
  • Practice-Oriented Provable Security and the Social Construction of Cryptography
    Practice-Oriented Provable Security and the Social Construction of Cryptography Phillip Rogaway∗ May 22, 2009† Abstract Traditionally, “provable security” was tied in the minds cryptographers to public-key cryptography, asymptotic analyses, number-theoretic primitives, and proof-of-concept designs. In this essay I survey some of the work that I have done (much of it joint with Mihir Bellare) that has helped to erode these associations. I will use the story of practice-oriented provable security as the backdrop with which to make the case for what might be called a “social constructionist” view of our field. This view entails the claim that the body of work our community has produced is less the inevitable consequence of what we aim to study than the contingent consequence of sensibilities and assumptions within our disciplinary culture. 1 Introduction This essay was written to accompany an invited talk at Eurocrypt 2009. This is not a traditional academic paper; it is only an essay. The plan. My aim is to accomplish a couple of things. First, I have never provided a general exposition of the research program that I initiated some 15+ years ago with Mihir Bellare, what we rather un-creatively termed practice-oriented provable security. So I’d like to do just that. I see practice-oriented provable security as a distinct and recognizable branch of contemporary cryptology, derived from, yet different from, classical provable-security cryptography. But I have no idea if others conceptualize this line of work as such, or if they even associate it to Mihir and me. So telling this story is the first thing I want to do.
    [Show full text]
  • NSTAC REPORT to the PRESIDENT on Communications Resiliency May 6, 2021 Table of Contents
    THE PRESIDENT’S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE NSTAC REPORT TO THE PRESIDENT on Communications Resiliency May 6, 2021 Table of Contents Executive Summary .......................................................................................................ES-1 Introduction ........................................................................................................................1 Scoping and Charge.............................................................................................................2 Subcommittee Process ........................................................................................................3 Summary of Report Structure ...............................................................................................3 The Future State of ICT .......................................................................................................4 ICT Vision ...........................................................................................................................4 Wireline Segment ............................................................................................................5 Satellite Segment............................................................................................................6 Wireless 5G/6G ..............................................................................................................7 Public Safety Communications ..........................................................................................8
    [Show full text]