Optimization of the ROCA (CVE-2017-15361) Attack
In 2017, Czech researchers found the vulnerability CVE-2017-15361 (the ROCA attack) in Infineon's proprietary RSA key generation algorithm. The researchers found that a 2048-bit RSA key generated by this algorithm can be factored in only 140.8 CPU-years in the worst case. The algorithm turned out to have been used to generate the keys of 750 000 Estonian ID-cards. In this thesis, we implemented the ROCA attack and, based on the properties observed in the keys generated by the affected smartcards, found further optimizations that improve the original attack from 140.8 CPU-years to 35.2 CPU-years for 90% of the keys and 70.4 CPU-years for the remaining 10% of the keys. As an additional contribution, we provide a parallelized version of the attack that can be executed on an HPC cluster.
Dynamic block encryption with self-authenticating key exchange
One of the greatest challenges facing cryptographers is the mechanism used for key exchange. When secret data is transmitted, the chances are that there may be an attacker who will try to intercept and decrypt the message. Having done so, he/she might just gain an advantage from the information obtained, or attempt to tamper with the message, thus misleading the recipient. Both cases are equally fatal and may cause great harm as a consequence.

In cryptography, there are two commonly used methods of exchanging secret keys between parties. In the first method, symmetric cryptography, the key is sent in advance, over some secure channel, which only the intended recipient can read. The second method of key sharing is by using a public key exchange method, where each party has a private and a public key; the public key is shared and the private key is kept locally. In both cases, keys are exchanged between two parties.

In this thesis, we propose a method whereby the risk of exchanging keys is minimised. The key is embedded in the encrypted text using a process that we call 'chirp coding', and recovered by the recipient using a process that is based on correlation. The 'chirp coding parameters' are exchanged between users by employing a USB flash memory retained by each user. If the keys are compromised they are still not usable, because an attacker can only have access to part of the key. Alternatively, the software can be configured to operate in a one-time parameter mode, in which the parameters are agreed upon in advance. There is then no parameter exchange during file transmission, except, of course, the key embedded in the ciphertext.

The thesis also introduces a method of encryption which utilises dynamic blocks, where the block size is different for each block. Prime numbers are used to drive two random number generators: a Linear Congruential Generator (LCG), which takes in the seed and initialises the system, and a Blum-Blum-Shub (BBS) generator, which is used to generate random streams to encrypt messages, images or video clips, for example. In each case, the key created is text dependent and therefore will change as each message is sent.

The scheme presented in this research is composed of five basic modules. The first module is the key generation module, where the key to be generated is message dependent. The second module, the encryption module, performs data encryption. The third module, the key exchange module, embeds the key into the encrypted text. Once this is done, the message is transmitted and the recipient uses the key extraction module to retrieve the key; finally the decryption module is executed to decrypt the message and authenticate it. In addition, the message may be compressed before encryption and decompressed by the recipient after decryption using standard compression tools.
Threshold cryptography based on Asmuth–Bloom secret sharing
In this paper, we investigate how threshold cryptography can be conducted with the Asmuth-Bloom secret sharing scheme and present three novel function sharing schemes for the RSA, ElGamal and Paillier cryptosystems. To the best of our knowledge, these are the first provably secure threshold cryptosystems realized using Asmuth-Bloom secret sharing. The proposed schemes are comparable in performance to earlier proposals in threshold cryptography. (c) 2007 Elsevier Inc. All rights reserved.
Cold Boot Attacks in the Discrete Logarithm Setting
In a cold boot attack a cryptosystem is compromised by analysing a noisy version of its internal state. For instance, if a computer is rebooted the memory contents are rarely fully reset; instead, after the reboot an adversary might recover a noisy image of the old memory contents and use it as a stepping stone for reconstructing secret keys. While such attacks have been known for a long time, they recently experienced a revival in the academic literature. Here, typically either RSA-based schemes or block ciphers are targeted.
We observe that essentially no work on cold boot attacks on schemes defined in the discrete logarithm setting (DL), and particularly on elliptic curve cryptography (ECC), has been conducted. In this paper we hence consider cold boot attacks on selected widespread implementations of DL-based cryptography. We first introduce a generic framework to analyse cold boot settings and construct corresponding key-recovery algorithms. We then study common in-memory encodings of secret keys (in particular those of the wNAF-based and comb-based ECC implementations used in OpenSSL and PolarSSL, respectively), identify how redundancies can be exploited to make cold boot attacks effective, and develop efficient dedicated key-recovery algorithms. We complete our work by providing theoretical bounds for the success probability of our attacks.
Security in serverless network environments
As portable computing devices grow in popularity, so does the need for secure communications. Lacking tethers, these devices are ideal for forming small proximal groups in an ad-hoc fashion in environments where no server or permanent services are available. Members of these groups communicate over a broadcast or multicast network interconnect, and rely upon each other to form a cohesive group. While generally small in size and short in lifetime, security is a critical aspect of these groups that has received much academic attention in recent years. Much of the research focuses upon generating a common, group-wide private key suitable for encryption. This group key agreement utilizes keying technology that is very costly for small, limited-lifetime devices. Furthermore, key agreement provides no constructs for message authentication or integrity. Traditional systems require two keypairs to address both aspects of the secure group: one for encryption, the other for message validation. This work investigates the appropriateness of using a shared keypair for both contributory group key agreement and message quality guarantees. A JCE-compliant key agreement and digital signature framework has been implemented and is presented and discussed. Using elliptic curve-based keys, this is possible at no loss in security, and these keys are easily and quickly computable on smaller devices. Algorithms that are known for their cryptographic strength are leveraged in both encryption and digital signature applications. This technique provides a computationally efficient key agreement scheme and digital signature framework, and a network-efficient key and signature distribution system. Perfect forward and backward security is maintained, and all members retain a current view of the group from a cryptographic perspective. This thesis is the culmination of several quarters of research and work, all conducted at the Rochester Institute of Technology under the supervision of Dr. Hans-Peter Bischof between December 2002 and January 2004. This thesis is completed as partial fulfillment of the requirements for a Master's degree in Computer Science from the Rochester Institute of Technology.
Applications of Algebraic Coding Theory to Cryptography
Whether it is online commerce, international relations, or simply email communication, the encryption and decryption of data is essential to the inner workings of everyday life. To encrypt and decrypt efficiently, it is important that there is some structure behind the process rather than just a random procedure. The purpose of this research is to analyze different encryption schemes and their structure, with a focus on schemes that apply algebraic coding theory to cryptography. Cryptosystems based on algebraic coding theory are particularly important to the future of cryptography, as they are resistant to attacks by quantum computers, unlike many currently employed cryptosystems. Specifically, we examine the McEliece cryptosystem and its variations, in particular the use of Reed-Solomon codes. The goal is to understand the algebraic structure underlying the McEliece cryptosystem as well as its shortcomings and the variations that may strengthen it. The current results show that the original Goppa codes used in McEliece systems are stronger and more secure than the proposed Reed-Solomon code alternative.