Download - Hash Days 11 Slides
-
8/3/2019 Hash Days 11 Slides
1/66
Cryptanalysis vs. Reality
Jean-Philippe Aumasson
1/54
-
8/3/2019 Hash Days 11 Slides
2/66
2/54
Cryptanalysis is the study of methods forobtaining the meaning of encrypted informationwithout access to the secret information that is normallyrequired to do so. Wikipedia
-
8/3/2019 Hash Days 11 Slides
3/66
3/54
Cryptanalysis is the study of methods forobtaining the meaning of encrypted informationwithout access to the secret information that is normallyrequired to do so. Wikipedia
-
8/3/2019 Hash Days 11 Slides
4/664/54
The fundamental goal of a cryptanalyst is toviolate one or several security notionsfor algorithms that claim, implicitly or explicitly,to satisfy these security notions.
Antoine Joux, Algorithmic Cryptanalysis
-
8/3/2019 Hash Days 11 Slides
5/665/54
Reality noun (pl. realities)1. the state of things as they actuallyexist, as opposed to an idealistic or
notional idea of them.2. a thing that is actually experiencedor seen.3. the quality of being lifelike.4. the state or quality of having exis-tence or substance.Compact Oxford English Dictionary
-
8/3/2019 Hash Days 11 Slides
6/66
Cryptanalysis relies on an ATTACKER MODEL= assumptions on what the attacker can and cannot do
All models are in simulacra , that is, simplied reections
of reality, but, despite their inherent falsity, they arenevertheless extremely useful G. Box, N. Draper, Empirical Model-Building and Response Surfaces
6/54
-
8/3/2019 Hash Days 11 Slides
7/66
Cryptanalysis usually excludes methods of attack that donot primarily target weaknesses in the actualcryptography, such as bribery, physical coercion,
burglary, keystroke logging, and socialengineering , although these types of attack are animportant concern and are often more effectiveWikipedia
7/54
-
8/3/2019 Hash Days 11 Slides
8/668/54
Cryptanalysis used to be tightly connected to reality
-
8/3/2019 Hash Days 11 Slides
9/66
But times have changed
9/54
-
8/3/2019 Hash Days 11 Slides
10/6610/54
-
8/3/2019 Hash Days 11 Slides
11/6611/54
-
8/3/2019 Hash Days 11 Slides
12/6612/54
Broken in a model does not
imply broken in reality!
-
8/3/2019 Hash Days 11 Slides
13/6613/54
Models language overlaps with real-world language:attacks, broken have multiple meanings
Has cryptanalysis lost connection with reality?
-
8/3/2019 Hash Days 11 Slides
14/66
Cryptography is usually bypassed. I am notaware of any major world-class security systememploying cryptography in which the hackers penetratedthe system by actually going through the cryptanalysis.(. . . ) Usually there are much simpler ways of penetratingthe security system.Adi Shamir, Turing Award lecture, 2002
14/54
-
8/3/2019 Hash Days 11 Slides
15/66
15/54
Is cryptanalysis relevant at all??
-
8/3/2019 Hash Days 11 Slides
16/66
16/54
Remainder of this talk
PART 1: PHYSICAL ATTACKSBypass and misuseSide channels
PART 2: ALGORITHMIC ATTACKSState-of-the-ciphersWhy attacks arent attacksCognitive biases
What about AES?
CONCLUSIONS + REFERENCES
-
8/3/2019 Hash Days 11 Slides
17/66
17/54
PART 1: PHYSICAL ATTACKSBypass and misuse
Side channels
-
8/3/2019 Hash Days 11 Slides
18/66
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
100-bit security (see http://www.keylength.com/ ) 2100 ops to break RSA by factoring the modulus
18/54
http://www.keylength.com/http://www.keylength.com/http://www.keylength.com/ -
8/3/2019 Hash Days 11 Slides
19/66
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
100-bit security (see http://www.keylength.com/ ) 2100 ops to break RSA by factoring the modulus
Or 233 using a quantum computerimplementing Shors algorithm
18/54
http://www.keylength.com/http://www.keylength.com/http://www.keylength.com/ -
8/3/2019 Hash Days 11 Slides
20/66
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
100-bit security (see http://www.keylength.com/ ) 2100 ops to break RSA by factoring the modulus
Or 233 using a quantum computerimplementing Shors algorithm
Or 20 by compromising a CA. . .
18/54
http://www.keylength.com/http://www.keylength.com/http://www.keylength.com/ -
8/3/2019 Hash Days 11 Slides
21/66
19/54
-
8/3/2019 Hash Days 11 Slides
22/66
AES-256 provides 256-bit security (does it really?)
FIPS 140-2 is supposed to inspire condence. . .
Yet secure USB drives by Kingston, SanDisk, Verbatimwere easily broken
The aw: password validation on host PC+ static unlock code
20/54
-
8/3/2019 Hash Days 11 Slides
23/66
How NOT to use decent cryptographic primitives:
21/54
-
8/3/2019 Hash Days 11 Slides
24/66
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto nd SONY PS3s private key
21/54
-
8/3/2019 Hash Days 11 Slides
25/66
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto nd SONY PS3s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi protection)
21/54
-
8/3/2019 Hash Days 11 Slides
26/66
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto nd SONY PS3s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi protection)
TEA block cipher in hashing mode
to perform boot code authenticationEquivalent keys lead to collisions
21/54
S f id h l k
-
8/3/2019 Hash Days 11 Slides
27/66
Software side-channel attacksPractical attacks exploiting non-constant-time AES implementations
Breaking the secure AES of OpenSSL 0.9.8n :
Breaking AES on ARM9 :
22/54
-
8/3/2019 Hash Days 11 Slides
28/66
23/54
H d id h l k
-
8/3/2019 Hash Days 11 Slides
29/66
Hardware side-channel attacksPower analysis (SPA/DPA)Electromagnetic analysisGlitches (clock, power supply, data corruption)MicroprobingLaser cutting and fault injection
Focused ion beam surgery, etc.
24/54
-
8/3/2019 Hash Days 11 Slides
30/66
25/54
PART 2: ALGORITHMIC ATTACKSState-of-the-ciphersWhy attacks arent attacks
What about AES?Cognitive biases
-
8/3/2019 Hash Days 11 Slides
31/66
ALGORITHMIC ATTACKS = attacks targetting acryptographic function seen as an algorithm anddescribed as algorithms rather than physicalprocedures
ALGORITHMIC ATTACKS are thus independent of theimplementation of the function attacked
26/54
-
8/3/2019 Hash Days 11 Slides
32/66
Well focus on symmetric cryptographic primitives:Block ciphersStream ciphersHash functions
PRNGsMACs
Though thered be a lot to say about public-key encryption/signatures,authentication protocols, etc.
27/54
Null- to low-impact attacks (examples)
-
8/3/2019 Hash Days 11 Slides
33/66
Null- to low-impact attacks (examples)
Block ciphers:AESGOST (Russian standard, 1970s!)
KASUMI(3GPP)
Triple DESHash functions:
SHA-1
Whirlpool (ISO)
28/54
Medium- to high-impact attacks (examples)
-
8/3/2019 Hash Days 11 Slides
34/66
Medium to high impact attacks (examples)
Block cipher:DES (56-bit key): practical break by. . . bruteforce
Stream cipher:A5/1 (GSM): attacks on GSM facilitated
Hash function:MD5 : famous rogue certicate attack PoC
29/54
Unattacked primitives (examples)
-
8/3/2019 Hash Days 11 Slides
35/66
Unattacked primitives (examples)Block ciphers
CAST5 (default cipher in OpenPGP)IDEA (1991!)IDEA-NXT (aka FOX)Serpent (AES nalist)
Twosh (AES nalist)Stream ciphers:
Grain128a (for hardware)Salsa20 (for software)
Hash functions:SHA-2 (SHA-256, . . . , SHA-512)RIPEMD-160 (ISO)
30/54
-
8/3/2019 Hash Days 11 Slides
36/66
31/54
Despite the large amount of research andnew techniques, breaks almost never happen:Why?
High-complexity attacks
-
8/3/2019 Hash Days 11 Slides
37/66
High complexity attacks
Example: preimage attack on MD5 with time complexity
2123 . 4
against 2 128 ideally
High-complexity attacks do not matter as long asthe effort is obviously unfeasible, or
overwhelms the cost of other attacksYet MD5 can no longer be sold as 128-bit security hash
32/54
-
8/3/2019 Hash Days 11 Slides
38/66
-
8/3/2019 Hash Days 11 Slides
39/66
Back-to-reality interlude
2 GHz CPU1 sec = 2 10 9 233 clocks
1 year 2 58 clocks1000 years 2 68 clockssince the Big-Bang 2 116 clocks
34/54
-
8/3/2019 Hash Days 11 Slides
40/66
The encryption doesnt even have to be very strong to beuseful, it just must be stronger than the otherweak links in the system. Using any standardcommercial risk management model, cryptosystem failureis orders of magnitude below any other risk.Ian Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
35/54
Attacks on building blocks
-
8/3/2019 Hash Days 11 Slides
41/66
g
Example: 296 collision attack on the compressionfunction of the SHA-3 candidate LANE
Did not lead to an attack on the hashInvalidates the security reduction compression hashDisqualied LANE from the SHA-3 competition!
36/54
Attacks on building blocks
-
8/3/2019 Hash Days 11 Slides
42/66
g
Example: 296 collision attack on the compressionfunction of the SHA-3 candidate LANE
Did not lead to an attack on the hashInvalidates the security reduction compression hashDisqualied LANE from the SHA-3 competition!
How to interprete those attacks?1. We attacked something
crypto must be weak!2. We failed to attack the full function
crypto must be strong!
36/54
Strong models: ex of related-key attacks
-
8/3/2019 Hash Days 11 Slides
43/66
g y
Attackers learn encryptions with a derived keyK = f (K )
One of the rst attacks: when Enigma operators set rotorsincorrectly, they sent again with the correct key. . .
Modern version introduced by Knudsen/Biham in 1992
Practical on weak key-exchange protocols (EMV, 3GPP?),but unrealistic in most decent protocols
37/54
Related-key attacks example
-
8/3/2019 Hash Days 11 Slides
44/66
y
Key-recovery on AES-256 with time complexity
2119
against 2256
ideally!
Needs 4 related keys . . . actually, related sub keys !attacks are still mainly of theoretical interest and do notpresent a threat to practical applications using AESthe authors (Khovratovich / Biryukov)
38/54
Model from reality: pay-TV encryption
-
8/3/2019 Hash Days 11 Slides
45/66
MPEG stream encrypted with CSACommon Scrambling Algorithm , 48b or 64b key
Useful break of CSA needs
Unknown- xed-key attacksCiphertext-only , partially-known plaintext (no TMTO)Key recovery in < 10 seconds (cryptoperiod)
39/54
Theres not only time!
-
8/3/2019 Hash Days 11 Slides
46/66
Back to our previous examples:
MD5 : time 2123.4 and 2 50 B memory (1024 TiB)
LANE : time 296 and 2 93 B memory (2 53 TiB)AES-256 : time 2119 and 2 77 B memory (2 37 TiB)
Memory is not free! ($$$, infrastructure, latency)
Practical cost of access to memory neglected
New attacks should be compared to genericattacks with a same budget
See cracking machines in Understanding bruteforce http://cr.yp.to/papers.html#bruteforce
40/54
http://cr.yp.to/papers.html#bruteforcehttp://cr.yp.to/papers.html#bruteforce -
8/3/2019 Hash Days 11 Slides
47/66
Distinguishing attacks
-
8/3/2019 Hash Days 11 Slides
48/66
aka distinguishers
Used to be statistical biases
Now distinguishers areKnown- or chosen-key attacks
Sets of input/outputs satisfying some relationExample: differential q -multicollision distinguisher on AES
E K 1 (P 1) E K 1 (P 1 ) = E K 2 (P 2) E K 2 (P 2 )
= E K 3 (P 3) E K 3 (P 3 ) = . . .
NO IMPACT ON SECURITY in a large majority of cases
41/54
-
8/3/2019 Hash Days 11 Slides
49/66
42/54
Attacks (high-complexity, strong model, high-memory,distinguishers, etc.) vs. Reality
2 general interpretations:1. This little thing is a sign of bigger things!2. This little thing is a sign of no big things!
Why are we biased? (towards 1. or 2.)
-
8/3/2019 Hash Days 11 Slides
50/66
43/54
-
8/3/2019 Hash Days 11 Slides
51/66
44/54
Cryptographic Num3rol0gy
The basic concept is that as long as your encryption keysare at least this big, youre ne, even if none of thesurrounding infrastructure benets from that size or evenworks at allIan Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
-
8/3/2019 Hash Days 11 Slides
52/66
45/54
Cryptographic Num3rol0gy
The basic concept is that as long as your encryption keysare at least this big, youre ne, even if none of thesurrounding infrastructure benets from that size or evenworks at allIan Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
Choosing a key size if fantastically easy, whereas making
the crypto work effectively is really hardIbid
-
8/3/2019 Hash Days 11 Slides
53/66
Zero-risk bias
-
8/3/2019 Hash Days 11 Slides
54/66
= Preference for reducing a small risk to zeroover a greater reduction in a larger riskExample: reduce risk from 1% to 0% whereas anotherrisk could be reduced from 50% to 30% at the same cost
Cryptographic numerology (examples)1% = scary-new attack threatMove from 1024- to 2048-bit (or 4096-bit!) RSACascade-encryption with AES + Serpent + Twosh
+ Unintended consequences :Crypto is slower less deployed less security
46/54
Survivorship bias
-
8/3/2019 Hash Days 11 Slides
55/66
We only remember/see the unbroken , deployedand/or standardized, algorithms
Not the numerous experimental designs broken
47/54
Survivorship bias
-
8/3/2019 Hash Days 11 Slides
56/66
We only remember/see the unbroken , deployedand/or standardized, algorithms
Not the numerous experimental designs broken
Example: of the 56 SHA-3 submissions published14 implemented attacks (e.g. example of collision)3 close-to-practical attacks ( 260 )14 high-complexity attacks
Practical attacks kill ciphers before they areused and known to the public
47/54
What about AES?
-
8/3/2019 Hash Days 11 Slides
57/66
48/54
What about AES?
-
8/3/2019 Hash Days 11 Slides
58/66
Groundbreaking attack bogeyman!
49/54
What about AES?
-
8/3/2019 Hash Days 11 Slides
59/66
The facts :
AES-128 : 2126 complexity, 2 88 plaintext/ciphertextagainst 2128 and 20 for bruteforce AES-256 : 2254 complexity, 2 40 plaintext/ciphertextagainst 2256 and 21 for bruteforce
See Bogdanov, Khovratovich, Rechberger:http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
50/54
http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdfhttp://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdfhttp://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdfhttp://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf -
8/3/2019 Hash Days 11 Slides
60/66
-
8/3/2019 Hash Days 11 Slides
61/66
51/54
CONCLUSIONS + REFERENCES
Conclusions
-
8/3/2019 Hash Days 11 Slides
62/66
Algorithmic attacks on deployed schemes are (almost)never a threat to security , due toHigh complexities, unrealistic models, etc.Weak ciphers are broken earlier and forgotten
We dont break ciphers, we evaluate their securityOrr Dunkelman
52/54
Conclusions
-
8/3/2019 Hash Days 11 Slides
63/66
Algorithmic attacks on deployed schemes are (almost)never a threat to security , due toHigh complexities, unrealistic models, etc.Weak ciphers are broken earlier and forgotten
We dont break ciphers, we evaluate their securityOrr Dunkelman
Beware cryptographic numerology!
52/54
Conclusions
-
8/3/2019 Hash Days 11 Slides
64/66
Algorithmic attacks on deployed schemes are (almost)never a threat to security , due toHigh complexities, unrealistic models, etc.Weak ciphers are broken earlier and forgotten
We dont break ciphers, we evaluate their securityOrr Dunkelman
Beware cryptographic numerology!
AES is ne, weak implementations are the biggest threat
52/54
Related works
-
8/3/2019 Hash Days 11 Slides
65/66
Leakage-resilience vs. RealityLeakage Resilient Cryptography in Practice Standaert et al. http://eprint.iacr.org/2009/341
Bruteforce vs. RealityUsing the Cloud to Determine Key Strengths Kleinjung et al. http://eprint.iacr.org/2011/254
Crypto libs vs. RealityOpen-Source Cryptographic Libraries and Embedded Platforms Junod http://crypto.junod.info/hashdays10_talk.pdf
53/54
Thank you for your attention
http://eprint.iacr.org/2009/341http://eprint.iacr.org/2011/254http://crypto.junod.info/hashdays10_talk.pdfhttp://crypto.junod.info/hashdays10_talk.pdfhttp://eprint.iacr.org/2011/254http://eprint.iacr.org/2009/341 -
8/3/2019 Hash Days 11 Slides
66/66
54/54