DOCSLIB.ORG

Cryptϵ: Crypto-Assisted Differential Privacy on Untrusted Servers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptϵ: Crypto-Assisted Differential Privacy on Untrusted Servers Cryptϵ: Crypto-Assisted Differential Privacy on Untrusted Servers Amrita Roy Chowdhury Chenghong Wang Xi He University of Wisconsin-Madison Duke University University of Waterloo [email protected] [email protected] [email protected] Ashwin Machanavajjhala Somesh Jha Duke University University of Wisconsin-Madison [email protected] [email protected] ABSTRACT optimizations leveraging the fact that the output is noisy. Differential privacy (DP) is currently the de-facto standard We demonstrate Cryptϵ’s practical feasibility with extensive for achieving privacy in data analysis, which is typically im- empirical evaluations on real world datasets. plemented either in the “central” or “local” model. The local ACM Reference Format: model has been more popular for commercial deployments Amrita Roy Chowdhury, Chenghong Wang, Xi He, Ashwin Machanava- as it does not require a trusted data collector. This increased jjhala, and Somesh Jha. 2020. Cryptϵ: Crypto-Assisted Differen- privacy, however, comes at the cost of utility and algorithmic tial Privacy on Untrusted Servers. In 2020 ACM SIGMOD Inter- expressibility as compared to the central model. national Conference on Management of Data (SIGMOD’20), June In this work, we propose, Cryptϵ, a system and program- 14–19, 2020, Portland, OR, USA. ACM, New York, NY, USA, 24 pages. ming framework that (1) achieves the accuracy guarantees https://doi.org/10.1145/3318464.3380596 and algorithmic expressibility of the central model (2) with- out any trusted data collector like in the local model. Cryptϵ 1 INTRODUCTION achieves the “best of both worlds” by employing two non- Differential privacy (DP) is a rigorous privacy definition that colluding untrusted servers that run DP programs on en- is currently the gold standard for data privacy. It is typically crypted data from the data owners. In theory, straightforward implemented in one of two models – centralized differential implementations of DP programs using off-the-shelf secure privacy (CDP) and local differential privacy (LDP). In CDP, multi-party computation tools can achieve the above goal. data from individuals are collected and stored in the clear However, in practice, they are beset with many challenges in a trusted centralized data curator which then executes like poor performance and tricky security proofs. To this end, DP programs on the sensitive data and releases outputs to Cryptϵ allows data analysts to author logical DP programs an untrusted data analyst. In LDP, there is no trusted data that are automatically translated to secure protocols that curator. Rather, each individual perturbs his/her own data work on encrypted data. These protocols ensure that the using a (local) DP algorithm. The data analyst uses these untrusted servers learn nothing more than the noisy outputs, noisy data to infer aggregate statistics of the datasets. In thereby guaranteeing DP (for computationally bounded ad- practice, CDP’s assumption of a trusted server is ill-suited versaries) for all Cryptϵ programs. Cryptϵ supports a rich for many applications as it constitutes a single point of fail- class of DP programs that can be expressed via a small set ure for data breaches, and saddles the trusted curator with of transformation and measurement operators followed by arXiv:1902.07756v5 [cs.CR] 10 Mar 2020 legal and ethical obligations to uphold data privacy. Hence, arbitrary post-processing. Further, we propose performance recent commercial deployments of DP [42, 51] have preferred LDP over CDP. However, LDP’s attractive privacy properties Permission to make digital or hard copies of all or part of this work for comes at a cost. Under the CDP model, the expected additive personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear error for a aggregate count over a dataset of size n is at most this notice and the full citation on the first page. Copyrights for components Θ¹1/ϵº top achieve ϵ-DP. In contrast, under the LDP model, at of this work owned by others than ACM must be honored. Abstracting with least Ω¹ n/ϵº additive expected error must be incurred by credit is permitted. To copy otherwise, or republish, to post on servers or to any ϵ-DP program [16, 28, 36], owing to the randomness of redistribute to lists, requires prior specific permission and/or a fee. Request each data owner. The LDP model in fact imposes additional permissions from [email protected]. penalties on the algorithmic expressibility; the power of LDP SIGMOD ’20, June 14–19, 2020, Portland, OR, USA © 2020 Association for Computing Machinery. is equivalent to that of the statistical query model [66] and ACM ISBN 978-1-4503-6735-6/20/06...$15.00 there exists an exponential separation between the accuracy https://doi.org/10.1145/3318464.3380596 and sample complexity of LDP and CDP algorithms [64]. In this paper, we strive to bridge the gap between LDP Data Owners Analytics Server ˜ Data Analyst D<latexit sha1_base64="v3Y0RkvdhbRMvYyOhK2FEjLB1TI=">AAACAXicbVDLSsNAFJ3UV62vqBvBzWARXJVEBF0WdeGygq2FJoTJZNIOncyEmYlQQtz4K25cKOLWv3Dn3zhps9DWA8MczrmXe+8JU0aVdpxvq7a0vLK6Vl9vbGxube/Yu3s9JTKJSRcLJmQ/RIowyklXU81IP5UEJSEj9+H4qvTvH4hUVPA7PUmJn6AhpzHFSBspsA+8ULBITRLz5Z6mLCL5dRG4RWA3nZYzBVwkbkWaoEInsL+8SOAsIVxjhpQauE6q/RxJTTEjRcPLFEkRHqMhGRjKUUKUn08vKOCxUSIYC2ke13Cq/u7IUaLKJU1lgvRIzXul+J83yHR84eeUp5kmHM8GxRmDWsAyDhhRSbBmE0MQltTsCvEISYS1Ca1hQnDnT14kvdOW67Tc27Nm+7KKow4OwRE4AS44B21wAzqgCzB4BM/gFbxZT9aL9W59zEprVtWzD/7A+vwBPXaXYA==</latexit> 1 3.Program Executor Crypt� and CDP. We propose, Cryptϵ, a system and a programming 2.Aggregator Program . ˜ framework for executing DP programs that: . <latexit sha1_base64="DzF3TBl0yOsNreO2IIUvqlLJDv8=">AAACCXicbVDLSsNAFJ3UV62vqEs3g0VwVRIRdFnUhcsK9gFNKJPJbTt0MgkzE6GEbN34K25cKOLWP3Dn3zhps9DWC8MczrmXe+4JEs6Udpxvq7Kyura+Ud2sbW3v7O7Z+wcdFaeSQpvGPJa9gCjgTEBbM82hl0ggUcChG0yuC737AFKxWNzraQJ+REaCDRkl2lADG3ua8RAyL4h5qKaR+TIvInpMCc9u8jwf2HWn4cwKLwO3BHVUVmtgf3lhTNMIhKacKNV3nUT7GZGaUQ55zUsVJIROyAj6BgoSgfKz2SU5PjFMiIexNE9oPGN/T2QkUoVL01mYVItaQf6n9VM9vPQzJpJUg6DzRcOUYx3jIhYcMglU86kBhEpmvGI6JpJQbcKrmRDcxZOXQees4ToN9+683rwq46iiI3SMTpGLLlAT3aIWaiOKHtEzekVv1pP1Yr1bH/PWilXOHKI/ZX3+AD5Gm04=</latexit> . D Program3.Program translateD Executor to • underlying secure never stores or computes on sensitive data in the clear computation protocols Differentially Private Output • achieves the accuracy guarantees and algorithmic express- Data Collection Phase Program Execution Phase ibility of the CDP model 1.Key 4.Privacy 5. Data Crypt� Manager Engine Decryption Program sk Key✏<latexit sha1_base64="i/UdiyKbp2jVEah3BP9sL5RnkFY=">AAACAHicbVDLSsNAFJ3UV62vqAsXbgaL4KokIuiy1I3LCvYBTSiTyU07dDIJMxOhhGz8FTcuFHHrZ7jzb5y2WWjrgWEO59zLvfcEKWdKO863VVlb39jcqm7Xdnb39g/sw6OuSjJJoUMTnsh+QBRwJqCjmebQTyWQOODQCya3M7/3CFKxRDzoaQp+TEaCRYwSbaShfeIFCQ/VNDZf7kGqGDdyqxjadafhzIFXiVuSOirRHtpfXpjQLAahKSdKDVwn1X5OpGaUQ1HzMgUpoRMygoGhgsSg/Hx+QIHPjRLiKJHmCY3n6u+OnMRqtqOpjIkeq2VvJv7nDTId3fg5E2mmQdDFoCjjWCd4lgYOmQSq+dQQQiUzu2I6JpJQbTKrmRDc5ZNXSfey4ToN9/6q3myVcVTRKTpDF8hF16iJ7lAbdRBFBXpGr+jNerJerHfrY1FascqeY/QH1ucPqXyXEw==</latexit> ManagerB Cryptϵ employs a pair of untrusted but non-colluding servers pk – Analytics Server (AS) and Cryptographic Service Provider Cryptographic Service ProviDer (CSP). The AS executes DP programs (like the data curator in CDP) but on encrypted data records. The CSP initializes Figure 1: Cryptϵ System and manages the cryptographic primitives, and collaborates with the AS to generate the program outputs. Under the as- order of magnitude. A novel contribution of this work is a sumption that the AS and the CSP are semi-honest and do DP indexing optimization that leverages the fact that noisy not collude (a common assumption in cryptographic systems intermediate statistics about the data can be revealed. [45, 46, 48, 67, 80, 83, 84]), Cryptϵ ensures ϵ-DP guarantee for • Practical for Real World Usage: For the same tasks, its programs via two cryptographic primitives – linear homo- Cryptϵ programs achieve accuracy comparable to CDP morphic encryption (LHE) and garbled circuits. One caveat and 50× more than LDP for a dataset of size ≈ 30K. Cryptϵ here is that due to the usage of cryptographic primitives, the runs within 3:6 hours for a large class of programs on a DP guarantee obtained in Cryptϵ is that of computational dataset with 1 million rows and 4 attributes. differential privacy or SIM-CDP [79] (details in Section 7). • Generalized Multiplication Using LHE: Our implemen- Cryptϵ provides a data analyst with a programming frame- tation uses an efficient way for performing n-way multipli- work to author logical DP programs just like in CDP. Like cations using LHE which maybe of independent interest. in prior work [40, 77, 106], access to the sensitive data is restricted via a set of predefined transformations operators 2 CRYPTϵ OVERVIEW (inspired by relational algebra) and DP measurement oper- ators (Laplace mechanism and Noisy-Max [38]). Thus, any 2.1 System Architecture program that can be expressed as a composition of the above Figure 1 shows Cryptϵ’s system architecture. Cryptϵ has operators automatically satisfies ϵ-DP (in the CDP model) two servers: Analytics server (AS) and Cryptographic Ser- giving the analyst a proof of privacy for free. Cryptϵ pro- vice Provider (CSP). At the very outset, the CSP records grams support constructs like looping, conditionals, and can the total privacy budget, ϵB (provided by the data owners), arbitrarily post-process outputs of measurement operators. and generates
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
    [Show full text]
  • Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami
    Speeding Up Linux Disk Encryption Ignat Korchagin @ignatkn $ whoami ● Performance and security at Cloudflare ● Passionate about security and crypto ● Enjoy low level programming @ignatkn Encrypting data at rest The storage stack applications @ignatkn The storage stack applications filesystems @ignatkn The storage stack applications filesystems block subsystem @ignatkn The storage stack applications filesystems block subsystem storage hardware @ignatkn Encryption at rest layers applications filesystems block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers DBMS, PGP, OpenSSL, Themis applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers Cons: ● no visibility into the implementation ● no auditability ● sometimes poor security https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071 @ignatkn Block
    [Show full text]
  • Forgery and Key Recovery Attacks for Calico
    Forgery and Key Recovery Attacks for Calico Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schl¨affer Institute for Applied Information Processing and Communications Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria April 1, 2014 1 Calico v8 Calico [3] is an authenticated encryption design submitted to the CAESAR competition by Christopher Taylor. In Calico v8 in reference mode, ChaCha-14 and SipHash-2-4 work together in an Encrypt-then-MAC scheme. For this purpose, the key is split into a Cipher Key KC and a MAC Key KM . The plaintext is encrypted with ChaCha under the Cipher Key to a ciphertext with the same length as the plaintext. Then, the tag is calculated as the SipHash MAC of the concatenated ciphertext and associated data. The key used for SipHash is generated by xoring the nonce to the (lower, least significant part of the) MAC Key: (C; T ) = EncCalico(KC k KM ; N; A; P ); where k is concatenation, and with ⊕ denoting xor, the ciphertext and tag are calculated vi C = EncChaCha-14(KC ; N; P ) T = MACSipHash-2-4(KM ⊕ N; C k A): Here, A; P; C denote associated data, plaintext and ciphertext, respectively, all of arbitrary length. T is the 64-bit tag, N the 64-bit nonce, and the 384-bit key K is split into a 256-bit encryption and 128-bit authentication part, K = KC k KM . 2 Missing Domain Separation As shown above, the tag is calculated over the concatenation C k A of ciphertext and asso- ciated data. Due to the missing domain separation between ciphertext and associated data in the generation of the tag, the following attack is feasible.
    [Show full text]
  • How to Handle Rainbow Tables with External Memory
    How to Handle Rainbow Tables with External Memory Gildas Avoine1;2;5, Xavier Carpent3, Barbara Kordy1;5, and Florent Tardif4;5 1 INSA Rennes, France 2 Institut Universitaire de France, France 3 University of California, Irvine, USA 4 University of Rennes 1, France 5 IRISA, UMR 6074, France [email protected] Abstract. A cryptanalytic time-memory trade-off is a technique that aims to reduce the time needed to perform an exhaustive search. Such a technique requires large-scale precomputation that is performed once for all and whose result is stored in a fast-access internal memory. When the considered cryptographic problem is overwhelmingly-sized, using an ex- ternal memory is eventually needed, though. In this paper, we consider the rainbow tables { the most widely spread version of time-memory trade-offs. The objective of our work is to analyze the relevance of storing the precomputed data on an external memory (SSD and HDD) possibly mingled with an internal one (RAM). We provide an analytical evalua- tion of the performance, followed by an experimental validation, and we state that using SSD or HDD is fully suited to practical cases, which are identified. Keywords: time memory trade-off, rainbow tables, external memory 1 Introduction A cryptanalytic time-memory trade-off (TMTO) is a technique introduced by Martin Hellman in 1980 [14] to reduce the time needed to perform an exhaustive search. The key-point of the technique resides in the precomputation of tables that are then used to speed up the attack itself. Given that the precomputation phase is much more expensive than an exhaustive search, a TMTO makes sense in a few scenarios, e.g., when the adversary has plenty of time for preparing the attack while she has a very little time to perform it, the adversary must repeat the attack many times, or the adversary is not powerful enough to carry out an exhaustive search but she can download precomputed tables.
    [Show full text]
  • Securing Audio Using AES-Based Authenticated Encryption with Python
    Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 9 August 2021 doi:10.20944/preprints202108.0185.v1 Article Securing Audio Using AES-based Authenticated Encryption with Python Jessy Ayala 1 1 New York University, Tandon School of Engineering; [email protected] Featured Application: Securing communication of audio files utilizing symmetric authenticated encryption. Abstract: The focus of this research is to analyze the results of encrypting audio using various au- thenticated encryption algorithms implemented in the Python cryptography library for ensuring authenticity and confidentiality of the original contents. The Advanced Encryption Standard (AES) is used as the underlying cryptographic primitive in conjunction with various modes including Gal- ois Counter Mode (GCM), Counter with Cipher Block Chaining Message Authentication Code (CCM), and Cipher Block Chaining (CBC) with Keyed-Hashing for encrypting a relatively small audio file. The resulting encrypted audio shows similarity in the variance when encrypting using AES-GCM and AES-CCM. There is a noticeable reduction in variance of the performed encodings and an increase in the amount of time it takes to encrypt and decrypt the same audio file using AES- CBC with Keyed-Hashing. In addition, the corresponding encrypted using this mode audio spans a longer duration. As a result, AES should either have GCM or CCM for an efficient and reliable authenticated encryption integration within a workflow. Keywords: AES; Audio analysis; Authenticated encryption; Cryptography; Python 1. Introduction Cryptography is used worldwide for adhering to the security CIA triad: confidenti- ality, integrity, and availability. In an environment where mobile devices have become ubiquitous, voice messages are more common than one may think.
    [Show full text]
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms
    66 Int'l Conf. Wireless Networks | ICWN'16 | Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
    [Show full text]
  • Optimizing Authenticated Encryption Algorithms
    Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáček Advisor: Ing. Milan Brož i Acknowledgement I would like to thank my advisor, Milan Brož, for his guidance, pa- tience, and helpful feedback and advice. Also, I would like to thank my girlfriend Ludmila, my family, and my friends for their support and kind words of encouragement. If I had more time, I would have written a shorter letter. — Blaise Pascal iii Abstract In this thesis, we look at authenticated encryption with associated data (AEAD), which is a cryptographic scheme that provides both confidentiality and integrity of messages within a single operation. We look at various existing and proposed AEAD algorithms and compare them both in terms of security and performance. We take a closer look at three selected candidate families of algorithms from the CAESAR competition. Then we discuss common facilities provided by the two most com- mon CPU architectures – x86 and ARM – that can be used to implement cryptographic algorithms efficiently.
    [Show full text]
  • Optimizing Dm-Crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-Processors
    Optimizing dm-crypt for XTS-AES: Getting the Best of Atmel Cryptographic Co-processors Levent Demir1;2, Mathieu Thiery1;2, Vincent Roca1, Jean-Michel Tenkes2 and Jean-Louis Roch3 1Incas ITSec, France 2Univ. Grenoble Alpes, Inria, France 3Univ. Grenoble Alpes, Grenoble INP, LIG, France Keywords: Full Disk Encryption, XTS-AES, Linux dm-crypt Module, Cryptographic Co-processor, Atmel Board. Abstract: Linux implementation of Full Disk Encryption (FDE) relies on the dm-crypt kernel module, and is based on the XTS-AES encryption mode. However, XTS-AES is complex and can quickly become a performance bot- tleneck. Therefore we explore the use of cryptographic co-processors to efficiently implement the XTS-AES mode in Linux. We consider two Atmel boards that feature different cryptographic co-processors: the XTS- AES mode is completely integrated on the recent SAMA5D2 board but not on the SAMA5D3 board. We first analyze three XTS-AES implementations: a pure software implementation, an implementation that leverages the XTS-AES co-processor, and an intermediate solution. This work leads us to propose an optimization of dm-crypt, the extended request mode, that enables to encrypt/decrypt a full 4kB page at once instead of issu- ing eight consecutive 512 bytes requests as in the current implementation. We show that major performance gains are possible with this optimization, a SAMA5D3 board reaching the performance of a SAMA5D2 board where XTS-AES operations are totally offloaded to the dedicated cryptographic co-processor, while remaining fully compatible with the standard. Finally, we explain why bad design choices prevent this optimization to be applied to the new SAMA5D2 board and derive recommendations for future co-processor designs.
    [Show full text]
  • Breaking the Crypt
    2012 Breaking the Crypt Sudeep Singh 5/21/2012 Table of Contents Preface .......................................................................................................................................................... 3 Advanced Hash Cracking ............................................................................................................................... 4 Cryptographic Hash Properties ..................................................................................................................... 5 Hash to the Stash .......................................................................................................................................... 6 Oclhashcat – An insight ............................................................................................................................... 13 The need for Stronger Hashes .................................................................................................................... 19 Fast vs Slow Hashes .................................................................................................................................... 20 How much Salt? .......................................................................................................................................... 21 How Many Iterations?................................................................................................................................. 25 John The Ripper (JTR) – Tweak That Attack! ..............................................................................................
    [Show full text]
  • Just in Time Hashing
    Just in Time Hashing Benjamin Harsha Jeremiah Blocki Purdue University Purdue University West Lafayette, Indiana West Lafayette, Indiana Email: [email protected] Email: [email protected] Abstract—In the past few years billions of user passwords prove and as many users continue to select low-entropy have been exposed to the threat of offline cracking attempts. passwords, finding it too difficult to memorize multiple Such brute-force cracking attempts are increasingly dangerous strong passwords for each of their accounts. Key stretching as password cracking hardware continues to improve and as serves as a last line of defense for users after a password users continue to select low entropy passwords. Key-stretching breach. The basic idea is to increase guessing costs for the techniques such as hash iteration and memory hard functions attacker by performing hash iteration (e.g., BCRYPT[75] can help to mitigate the risk, but increased key-stretching effort or PBKDF2 [59]) or by intentionally using a password necessarily increases authentication delay so this defense is hash function that is memory hard (e.g., SCRYPT [74, 74], fundamentally constrained by usability concerns. We intro- Argon2 [12]). duce Just in Time Hashing (JIT), a client side key-stretching Unfortunately, there is an inherent security/usability algorithm to protect user passwords against offline brute-force trade-off when adopting traditional key-stretching algo- cracking attempts without increasing delay for the user. The rithms such as PBKDF2, SCRYPT or Argon2. If the key- basic idea is to exploit idle time while the user is typing in stretching algorithm cannot be computed quickly then we their password to perform extra key-stretching.
    [Show full text]
  • The Mathematics of Cryptology
    The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/∼gunnells April 27, 2004 What is Cryptology? • Cryptography is the process of writing using various methods (“ciphers”) to keep messages secret. • Cryptanalysis is the science of attacking ciphers, finding weaknesses, or even proving that a cipher is secure. • Cryptology covers both; it’s the complete science of secure communication. 1 Basic terminology/notation • P is the plaintext. This is the original readable message (written in some standard language, like English, French, Cantonese, Hindi, Icelandic, . ). • C is the ciphertext. This is the output of some encryption scheme, and is not readable by humans. • E is the encryption function. We write, for example, E(P ) = C to mean that applying the encryption process E to the plaintext P produces the ciphertext C. • D is the decryption function, i.e. D(C) = P. Note D(E(P )) = P and E(D(C)) = C. 2 Basic terminology/notation (cont’d.) • The encryption key is piece of data that allows the computation of E. Similarly we have the decryption key. These may or may not be the same. They also may not be secret, as we’ll see later on. • To attack a cipher is to attempt unauthorized reading of plaintext, or to attempt unauthorized transmission of ciphertext. 3 Shift (aka Cæsar) cipher • Encode letters by numbers: A 7→ 0,B 7→ 1,C 7→ 2,...,Z 7→ 25. • Choose a key t, which is a number between 0 and 25 (for Cæsar, t was always 3).
    [Show full text]