Some More Attacks on Symmetric Crypto

More crypto attacks

Symmetric cryptanalysis
● Ciphertext only
  – e.g., frequency analysis or brute force
● Known plaintext
  – e.g., linear cryptanalysis
● Chosen plaintext
  – e.g., differential cryptanalysis

Frequency analysis
● “But I don’t want to go among mad people," Alice remarked. "Oh, you can’t help that," said the Cat: "we’re all mad here. I’m mad. You’re mad." "How do you know I’m mad?" said Alice. "You must be," said the Cat, "or you wouldn’t have come here.”
● 19 e's, 19 a's, 17 o's, 13 t's, 12 d's, etc.
● Remember the difference between ECB and CBC

Brute force
● Just try every possible key
● E.g., for key = 0 to 255:

By GaborPete - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6420152

Linear cryptanalysis (known plaintext)
● Block ciphers are made up of a limited variety of operations
  – XOR
    ● addition modulo 2
  – Permutation
  – Substitution
    ● Hard, need piling up lemma

Differential cryptanalysis (chosen plaintext)
● Choose plaintexts that differ in one bit, e.g., 00110101 and 00100101
● Block ciphers are made up of a limited variety of operations
  – XOR
    ● Bit difference is maintained
  – Permutation
    ● Bit difference is maintained
  – Substitution
    ● Hard

Attacks on secure hash functions
● Preimage attack
  – Produce a message that has a specific hash value
● Collision attack
  – Produce two messages with the same hash value

● Collision attack: hash(m1) == hash(m2)
  – MD5 attack takes seconds on regular PC
● Chosen-prefix collision attack, given p1 and p2: hash(p1 || m1) = hash(p2 || m2)
  – MD5 attack takes hours on a regular PC

Note: SHA-1 is now also not safe to use in practice

Other attacks
● Birthday attacks
● Meet-in-the-middle attacks
  – “The difference between the birthday attack and the meet-in-the-middle attack is that in a birthday attack, you wait for a single value to occur twice within the same set of elements. In a meet-in-the-middle attack, you have two sets, and wait for an overlap between the two sets.” [Cryptography Engineering]
● Side channel attacks

Side channels
http://www.daemonology.net/papers/htt.pdf

Fault injection attacks
http://www.t4f.org/wp-content/uploads/2014/02/Glitch-Tutorial-setup.jpg

iPhone
● Read: http://searchmobilecomputing.techtarget.com/tip/How-iOS-encryption-and-data-protection-work
● Gist: Apple's security is based on a key hidden in the hardware that protects the code that limits guess attempts
  – Security through obscurity
  – Information is inherently physical

Random number generation

Entropy needed for...
● Symmetric keys
● Asymmetric keys
● Initialization vectors
● Nonces
● Etc.

Entropy pool
● /dev/random vs. /dev/urandom
  – Former blocks on read, latter doesn't
  – Entropy sources
    ● Hardware support
    ● Keyboard timings
    ● Mouse activity
    ● Hard drive activity

Some real goofs

Cryptocat
● Array of random integers
  – {60278, 44571, 56801, 34115, 38861, 6386, 13716}
● As an escaped string
  – “\xeb\x76\xae\x1b”
● The above string in hex
  – 5c7865625c7837365c7861655c783162
See https://tobtu.com/decryptocat-old.php

TomSkype
(http://firstmonday.org/ojs/index.php/fm/article/view/4628/3727)

Baidu (recent report by Jeffrey Knockel, Sarah McKune, and Adam Senft)
(https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/)
● Lots of custom stuff
  – Base64 substitution
  – Modified CBC
● ASCII encoded keys
  – E.g., “vb%,J^d@2B1l’Abn”
● Other questionable decisions
  – TEA

Telegram
(http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest)

WordPress password hashes
● MD5(password)
● Don't Google this if you're offended by the f-word: “596a96cc7bf9108cd896f33c44aedc8a”
● How to do authentication properly is something we'll talk about later this semester (salts would fix the above problem)

References
● [Cryptography Engineering] Cryptography Engineering: Design Principles and Applications, by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Wiley Publishing, 2010.
● Lots of images and info plagiarized from Wikipedia.
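
The WordPress slide stores MD5(password) and remarks that salts would fix the problem. The following is an added example, not part of the original slides: it shows why a bare MD5 hash can be looked up in a precomputed table and how a per-user salt defeats that lookup. The user names, passwords and table are constructed sample data, and PBKDF2-HMAC-SHA256 with 200,000 rounds is an assumed choice of slow hash that goes beyond what the slide specifies.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share one password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "S3parate!pw"}
# Constructed stand-in for a public table of precomputed MD5(password) values.
COMMON = ["123456", "password", "letmein", "qwerty"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

PBKDF2_ROUNDS = 200_000  # assumed work factor for this demo


def md5_record(password: str) -> str:
    """The scheme on the slide: the stored value is a bare MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def audit_unsalted(db: dict[str, str]) -> dict[str, str]:
    """Return the accounts whose stored hash appears in the precomputed table."""
    return {user: LOOKUP[h] for user, h in db.items() if h in LOOKUP}


if __name__ == "__main__":
    md5_db = {u: md5_record(p) for u, p in USERS.items()}
    salted_db = {u: salted_record(p) for u, p in USERS.items()}
    print("unsalted, alice == bob:", md5_db["alice"] == md5_db["bob"])
    print("found by table lookup:", audit_unsalted(md5_db))
    print("salted, alice == bob:", salted_db["alice"] == salted_db["bob"])
    print("verify alice:", verify("letmein", salted_db["alice"]))
```

With the unsalted scheme, identical passwords produce identical stored values and one table serves every account; with a random salt, each record has to be attacked separately and at the cost of the slow hash.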
