2,436 research outputs found
On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name
Most modern web browsers today sacrifice optimal TLS security for backward
compatibility. They apply coarse-grained TLS configurations that support (by
default) legacy versions of the protocol that have known design weaknesses, and
weak ciphersuites that provide fewer security guarantees (e.g. non Forward
Secrecy), and silently fall back to them if the server selects to. This
introduces various risks including downgrade attacks such as the POODLE attack
[15] that exploits the browsers silent fallback mechanism to downgrade the
protocol version in order to exploit the legacy version flaws. To achieve a
better balance between security and backward compatibility, we propose a
mechanism for fine-grained TLS configurations in web browsers based on the
sensitivity of the domain name in the HTTPS request using a whitelisting
technique. That is, the browser enforces optimal TLS configurations for
connections going to sensitive domains while enforcing default configurations
for the rest of the connections. We demonstrate the feasibility of our proposal
by implementing a proof-of-concept as a Firefox browser extension. We envision
this mechanism as a built-in security feature in web browsers, e.g. a button
similar to the \quotes{Bookmark} button in Firefox browsers and as a
standardised HTTP header, to augment browsers security
Fault Analysis Study of the Block Cipher FOX64
FOX is a family of symmetric block ciphers from MediaCrypt AG that helps to secure digital media, communications, and storage. The high-level structure of FOX is the so-called (extended) Lai-Massey scheme. This paper presents a detailed fault analysis of the block cipher FOX64, the 64-bit version of FOX, based on a differential property of tworound Lai-Massey scheme in a fault model. Previous fault attack on FOX64 shows that each round-key (resp. whole round-keys) could be recovered through 11.45 (resp. 183.20) faults on average. Our proposed fault attack, however, can deduce any round-key (except the first one) through 4.25 faults on average (4 in the best case), and retrieve the whole round-keys through 43.31 faults on average (38 in the best case). This implies that the number of needed faults in the fault attack on FOX64 can be significantly reduced. Furthermore, the technique introduced in this paper can be extended to other series of the block cipher family FOX
Fault Analysis of the KTANTAN Family of Block Ciphers: A Revisited Work of Fault Analysis of the KATAN Family of Block Ciphers
This paper investigates the security of the
KTANTAN block cipher against differential fault analysis. This
attack is considered to be first side channel analysis of
KTANTAN in the literature. KTANTAN is a relative to the
KATAN block cipher. Therefore, the previous fault analysis on
KATAN family of block cipher is revisited. Similar to KATAN,
KTANTAN has three variants namely KTANTAN32,
KTANTAN48 and KTANTAN64. The inner structure of
KTANTAN is similar to KATAN except the key schedule
algorithms. KATAN has been practically broken by using fault
analysis, employing a transient single-bit fault model, with the
assumption is that the attacker is able to inject faults randomly
into the internal state of the cipher. The attack is empowerd by
extended cube method similarly as applied on KATAN. The
complexity of this attack is for KTANTAN32 and for both
KTANTAN48 and KTANTAN64. Furthermore, based on the
obtained results, this paper concludes that KTANTAN is more
robust against fault analysis compared to KATAN
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of
symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks
on cryptographic circuits which belong to the field of active implementation
attacks and aim to retrieve secret keys stored on such chips. Our main focus
lies on the cryptanalytic aspects of those attacks. In particular, we target
block ciphers with a lightweight and (often) non-bijective key schedule where
the derived subkeys are (almost) independent from each other. An attacker who is
able to reconstruct one of the subkeys is thus not necessarily able to directly
retrieve other subkeys or even the secret master key by simply reversing the key
schedule. We introduce a framework based on differential fault analysis that
allows to attack block ciphers with an arbitrary number of independent subkeys
and which rely on a substitution-permutation network. These methods are then
applied to the lightweight block ciphers LED and PRINCE and we show in both
cases how to recover the secret master key requiring only a small number of
fault injections. Moreover, we investigate approaches that utilize algebraic
instead of differential techniques for the fault analysis and discuss advantages
and drawbacks. At the end of the first part of the dissertation, we explore
fault-based attacks on the block cipher Bel-T which also has a lightweight key
schedule but is not based on a substitution-permutation network but instead on
the so-called Lai-Massey scheme. The framework mentioned above is thus not
usable against Bel-T. Nevertheless, we also present techniques for the case of
Bel-T that enable full recovery of the secret key in a very efficient way using
differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption
schemes. While regular ciphers only protect privacy of processed data,
authenticated encryption schemes also secure its authenticity and integrity.
Many of these ciphers are additionally able to protect authenticity and
integrity of so-called associated data. This type of data is transmitted
unencrypted but nevertheless must be protected from being tampered with during
transmission. Authenticated encryption is nowadays the standard technique to
protect in-transit data. However, most of the currently deployed schemes have
deficits and there are many leverage points for improvements. With NORX we
introduce a novel authenticated encryption scheme supporting associated data.
This algorithm was designed with high security, efficiency in both hardware and
software, simplicity, and robustness against side-channel attacks in mind. Next
to its specification, we present special features, security goals,
implementation details, extensive performance measurements and discuss
advantages over currently deployed standards. Finally, we describe our
preliminary security analysis where we investigate differential and rotational
properties of NORX. Noteworthy are in particular the newly developed
techniques for differential cryptanalysis of NORX which exploit the power of
SAT- and SMT-solvers and have the potential to be easily adaptable to other
encryption schemes as well.Diese Doktorarbeit beschäftigt sich mit der Analyse und dem Entwurf von
symmetrischen kryptographischen Algorithmen.
Im ersten Teil der Dissertation befassen wir uns mit fehlerbasierten Angriffen
auf kryptographische Schaltungen, welche dem Gebiet der aktiven
Seitenkanalangriffe zugeordnet werden und auf die Rekonstruktion geheimer
Schlüssel abzielen, die auf diesen Chips gespeichert sind. Unser Hauptaugenmerk
liegt dabei auf den kryptoanalytischen Aspekten dieser Angriffe. Insbesondere
beschäftigen wir uns dabei mit Blockchiffren, die leichtgewichtige und eine
(oft) nicht-bijektive Schlüsselexpansion besitzen, bei denen die erzeugten
Teilschlüssel voneinander (nahezu) unabhängig sind. Ein Angreifer, dem es
gelingt einen Teilschlüssel zu rekonstruieren, ist dadurch nicht in der Lage
direkt weitere Teilschlüssel oder sogar den Hauptschlüssel abzuleiten indem er
einfach die Schlüsselexpansion umkehrt. Wir stellen Techniken basierend auf
differenzieller Fehleranalyse vor, die es ermöglichen Blockchiffren zu
analysieren, welche eine beliebige Anzahl unabhängiger Teilschlüssel einsetzen
und auf Substitutions-Permutations Netzwerken basieren. Diese Methoden werden im
Anschluss auf die leichtgewichtigen Blockchiffren LED und PRINCE angewandt und
wir zeigen in beiden Fällen wie der komplette geheime Schlüssel mit einigen
wenigen Fehlerinjektionen rekonstruiert werden kann. Darüber hinaus untersuchen
wir Methoden, die algebraische statt differenzielle Techniken der Fehleranalyse
einsetzen und diskutieren deren Vor- und Nachteile. Am Ende des ersten Teils der
Dissertation befassen wir uns mit fehlerbasierten Angriffen auf die Blockchiffre
Bel-T, welche ebenfalls eine leichtgewichtige Schlüsselexpansion besitzt jedoch
nicht auf einem Substitutions-Permutations Netzwerk sondern auf dem sogenannten
Lai-Massey Schema basiert. Die oben genannten Techniken können daher bei Bel-T
nicht angewandt werden. Nichtsdestotrotz werden wir auch für den Fall von Bel-T
Verfahren vorstellen, die in der Lage sind den vollständigen geheimen Schlüssel
sehr effizient mit Hilfe von differenzieller Fehleranalyse zu rekonstruieren.
Im zweiten Teil der Doktorarbeit beschäftigen wir uns mit authentifizierenden
Verschlüsselungsverfahren. Während gewöhnliche Chiffren nur die Vertraulichkeit
der verarbeiteten Daten sicherstellen, gewährleisten authentifizierende
Verschlüsselungsverfahren auch deren Authentizität und Integrität. Viele dieser
Chiffren sind darüber hinaus in der Lage auch die Authentizität und Integrität
von sogenannten assoziierten Daten zu gewährleisten. Daten dieses Typs werden in
nicht-verschlüsselter Form übertragen, müssen aber dennoch gegen unbefugte
Veränderungen auf dem Transportweg geschützt sein. Authentifizierende
Verschlüsselungsverfahren bilden heutzutage die Standardtechnologie um Daten
während der Übertragung zu beschützen. Aktuell eingesetzte Verfahren weisen
jedoch oftmals Defizite auf und es existieren vielfältige Ansatzpunkte für
Verbesserungen. Mit NORX stellen wir ein neuartiges authentifizierendes
Verschlüsselungsverfahren vor, welches assoziierte Daten unterstützt. Dieser
Algorithmus wurde vor allem im Hinblick auf Einsatzgebiete mit hohen
Sicherheitsanforderungen, Effizienz in Hardware und Software, Einfachheit, und
Robustheit gegenüber Seitenkanalangriffen entwickelt. Neben der Spezifikation
präsentieren wir besondere Eigenschaften, angestrebte Sicherheitsziele, Details
zur Implementierung, umfassende Performanz-Messungen und diskutieren Vorteile
gegenüber aktuellen Standards. Schließlich stellen wir Ergebnisse unserer
vorläufigen Sicherheitsanalyse vor, bei der wir uns vor allem auf differenzielle
Merkmale und Rotationseigenschaften von NORX konzentrieren. Erwähnenswert sind
dabei vor allem die für die differenzielle Kryptoanalyse von NORX entwickelten
Techniken, die auf die Effizienz von SAT- und SMT-Solvern zurückgreifen und das
Potential besitzen relativ einfach auch auf andere Verschlüsselungsverfahren
übertragen werden zu können
Quantum Attacks on Lai-Massey Structure
Aaram Yun et al. considered that Lai-Massey structure has the same security as Feistel structure. However, Luo et al. showed that 3-round Lai-Massey structure can resist quantum attacks of Simon\u27s algorithm, which is different from Feistel structure. We give quantum attacks against a typical Lai-Massey structure. The result shows that there exists a quantum CPA distinguisher against 3-round Lai-Massey structure and a quantum CCA distinguisher against 4-round Lai-Massey Structure, which is the same as Feistel structure. We extend the attack on Lai-Massey structure to quasi-Feistel structure. We show that if the combiner of quasi-Feistel structure is linear, there exists a quantum CPA distinguisher against 3-round balanced quasi-Feistel structure and a quantum CCA distinguisher against 4-round balanced quasi-Feistel Structure
Statistical cryptanalysis of block ciphers
Since the development of cryptology in the industrial and academic worlds in the seventies, public knowledge and expertise have grown in a tremendous way, notably because of the increasing, nowadays almost ubiquitous, presence of electronic communication means in our lives. Block ciphers are inevitable building blocks of the security of various electronic systems. Recently, many advances have been published in the field of public-key cryptography, being in the understanding of involved security models or in the mathematical security proofs applied to precise cryptosystems. Unfortunately, this is still not the case in the world of symmetric-key cryptography and the current state of knowledge is far from reaching such a goal. However, block and stream ciphers tend to counterbalance this lack of "provable security" by other advantages, like high data throughput and ease of implementation. In the first part of this thesis, we would like to add a (small) stone to the wall of provable security of block ciphers with the (theoretical and experimental) statistical analysis of the mechanisms behind Matsui's linear cryptanalysis as well as more abstract models of attacks. For this purpose, we consider the underlying problem as a statistical hypothesis testing problem and we make a heavy use of the Neyman-Pearson paradigm. Then, we generalize the concept of linear distinguisher and we discuss the power of such a generalization. Furthermore, we introduce the concept of sequential distinguisher, based on sequential sampling, and of aggregate distinguishers, which allows to build sub-optimal but efficient distinguishers. Finally, we propose new attacks against reduced-round version of the block cipher IDEA. In the second part, we propose the design of a new family of block ciphers named FOX. First, we study the efficiency of optimal diffusive components when implemented on low-cost architectures, and we present several new constructions of MDS matrices; then, we precisely describe FOX and we discuss its security regarding linear and differential cryptanalysis, integral attacks, and algebraic attacks. Finally, various implementation issues are considered
F-HASH: Securing Hash Functions Using Feistel Chaining
The Feistel structure is well-known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0, and by discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called F-Hash, which is immune to recent attack styles. In this paper, a more precise evaluation method, based upon conditional probability, is given
- …