1,235 research outputs found
Bad Directions in Cryptographic Hash Functions
A 25-gigabyte "point obfuscation" challenge "using security parameter 60" was announced at the Crypto 2015 rump session; "point obfuscation" is another name for password hashing. This paper shows that the particular matrix-multiplication hash function used in the challenge is much less secure than previous password-hashing functions are believed to be. This paper's attack algorithm broke the challenge in just 19 minutes using a cluster of 21 PCs. Keywords: symmetric cryptography, hash functions, password hashing, point obfuscation, matrix multiplication, meet-in-the-middle attacks, meet-in-many-middles attack
GOTCHA Password Hackers!
We introduce GOTCHAs (Generating panOptic Turing Tests to Tell Computers and
Humans Apart) as a way of preventing automated offline dictionary attacks
against user selected passwords. A GOTCHA is a randomized puzzle generation
protocol, which involves interaction between a computer and a human.
Informally, a GOTCHA should satisfy two key properties: (1) The puzzles are
easy for the human to solve. (2) The puzzles are hard for a computer to solve
even if it has the random bits used by the computer to generate the final
puzzle --- unlike a CAPTCHA. Our main theorem demonstrates that GOTCHAs can be
used to mitigate the threat of offline dictionary attacks against passwords by
ensuring that a password cracker must receive constant feedback from a human
being while mounting an attack. Finally, we provide a candidate construction of
GOTCHAs based on Inkblot images. Our construction relies on the usability
assumption that users can recognize the phrases that they originally used to
describe each Inkblot image --- a much weaker usability assumption than
previous password systems based on Inkblots which required users to recall
their phrase exactly. We conduct a user study to evaluate the usability of our
GOTCHA construction. We also generate a GOTCHA challenge where we encourage
artificial intelligence and security researchers to try to crack several
passwords protected with our scheme.Comment: 2013 ACM Workshop on Artificial Intelligence and Security (AISec
To Share or Not to Share in Client-Side Encrypted Clouds
With the advent of cloud computing, a number of cloud providers have arisen
to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and
business organizations. SaaS (different than Software-as-a-Service in this
context) refers to an architectural model in which a cloud provider provides
digital storage on their own infrastructure. Three models exist amongst SaaS
providers for protecting the confidentiality data stored in the cloud: 1) no
encryption (data is stored in plain text), 2) server-side encryption (data is
encrypted once uploaded), and 3) client-side encryption (data is encrypted
prior to upload). This paper seeks to identify weaknesses in the third model,
as it claims to offer 100% user data confidentiality throughout all data
transactions (e.g., upload, download, sharing) through a combination of Network
Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The
weaknesses we uncovered primarily center around the fact that the cloud
providers we evaluated were each operating in a Certificate Authority capacity
to facilitate data sharing. In this capacity, they assume the role of both
certificate issuer and certificate authorizer as denoted in a Public-Key
Infrastructure (PKI) scheme - which gives them the ability to view user data
contradicting their claims of 100% data confidentiality. We have collated our
analysis and findings in this paper and explore some potential solutions to
address these weaknesses in these sharing methods. The solutions proposed are a
combination of best practices associated with the use of PKI and other
cryptographic primitives generally accepted for protecting the confidentiality
of shared information
Some Novice methods for Software Protection with Obfuscation
Previously software is distributed to the users by using devices like CD.S and floppies and in the form of bytes. Due to the high usage of internet and in order to perform the tasks rapidly without wasting time on depending physical devices, software is supplied through internet in the form of source code itself. Since source code is available to the end users there is a possibility of changing the source code by malicious users in order to gain their personnel benefits which automatically leads to malfunctioning of the software. The method proposed in this thesis is based on the concept of using hardware to protect the software. We will obfuscate the relation between variables and statements in the software programs so that the attacker can not find the direct relation between them. The method combines software security with code obfuscation techniques, uses the concepts of cryptography like hashing functions and random number generators
Partial-indistinguishability obfuscation using braids
An obfuscator is an algorithm that translates circuits into
functionally-equivalent similarly-sized circuits that are hard to understand.
Efficient obfuscators would have many applications in cryptography. Until
recently, theoretical progress has mainly been limited to no-go results. Recent
works have proposed the first efficient obfuscation algorithms for classical
logic circuits, based on a notion of indistinguishability against
polynomial-time adversaries. In this work, we propose a new notion of
obfuscation, which we call partial-indistinguishability. This notion is based
on computationally universal groups with efficiently computable normal forms,
and appears to be incomparable with existing definitions. We describe universal
gate sets for both classical and quantum computation, in which our definition
of obfuscation can be met by polynomial-time algorithms. We also discuss some
potential applications to testing quantum computers. We stress that the
cryptographic security of these obfuscators, especially when composed with
translation from other gate sets, remains an open question.Comment: 21 pages,Proceedings of TQC 201
Trojans in Early Design Steps—An Emerging Threat
Hardware Trojans inserted by malicious foundries
during integrated circuit manufacturing have received substantial
attention in recent years. In this paper, we focus on a different
type of hardware Trojan threats: attacks in the early steps of
design process. We show that third-party intellectual property
cores and CAD tools constitute realistic attack surfaces and that
even system specification can be targeted by adversaries. We
discuss the devastating damage potential of such attacks, the
applicable countermeasures against them and their deficiencies
- …