32 research outputs found

    General Cataloguing Rules for In-house E-Books (Allgemeine Katalogisierungsregeln für eigene E-Books)

    Revision of the "Praxisanweisung zur Erfassung von E-Books und Digitalisaten" (practical guidance on recording e-books and digitised items) of the AG Kooperative Neukatalogisierun

    On the Linear Transformation in White-box Cryptography

    Linear transformations are applied to the white-box cryptographic implementation for the diffusion effect to prevent key-dependent intermediate values from being analyzed. However, it has been shown that there still exists a correlation before and after the linear transformation, and thus this is not enough to protect the key against statistical analysis. So far, the Hamming weight of rows in the invertible matrix has been considered the main cause of the key leakage from the linear transformation. In this study, we present an in-depth analysis of the distribution of intermediate values and the characteristics of block invertible binary matrices. Our mathematical analysis and experimental results show that the balanced distribution of the key-dependent intermediate value is the main cause of the key leakage

    On Selecting the Nonce Length in Distance-Bounding Protocols

    Distance-bounding protocols form a family of challenge-response authentication protocols that have been introduced to thwart relay attacks. They enable a verifier to authenticate and to establish an upper bound on the physical distance to an untrusted prover. We provide a detailed security analysis of a family of such protocols. More precisely, we show that the secret key shared between the verifier and the prover can be leaked after a number of nonce repetitions. The leakage probability, while exponentially decreasing with the nonce length, is only weakly dependent on the key length. Our main contribution is a high probability bound on the number of sessions required for the attacker to discover the secret, and an experimental analysis of the attack under noisy conditions. Both of these show that the attack's success probability mainly depends on the length of the used nonces rather than the length of the shared secret key. The theoretical bound could be used by practitioners to appropriately select their security parameters. While longer nonces can guard against this type of attack, we provide a possible countermeasure which successfully combats these attacks even when short nonces are use

    White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels

    Implementations of white-box cryptography aim to protect a secret key in a white-box environment in which an adversary has full control over the execution process and the entire environment. Its fundamental principle is the mapping of the cryptographic architecture, including the secret key, to a number of encoded tables that shall resist inspection and decomposition by an attacker. In a gray-box scenario, however, the property of hiding required implementation details from the attacker could be used as a promising mitigation strategy against side-channel attacks (SCA). In this work, we present a first white-box implementation of AES on reconfigurable hardware for which we evaluate this approach assuming a gray-box attacker. We show that, unfortunately, such an implementation does not provide sufficient protection against an SCA attacker. We continue our evaluations by a thorough analysis of the source of the observed leakage, and present additional results which can be used to build stronger white-box designs

    Improvement on a Masked White-box Cryptographic Implementation

    White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation has been suggested. However, each byte of the round output was not masked and just permuted by byte encodings. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptographic implementation in such a way as to protect against DCA variants by obfuscating the round output with random masks. Specifically, we implement a white-box AES implementation applying masking techniques to the key-dependent intermediate value and the several outer-round outputs. Our analysis and experimental results show that the proposed method can protect against DCA variants including DCA with a 2-byte key guess, collision and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES implementation

    On selecting the nonce length in distance bounding protocols

    Distance-bounding protocols form a family of challenge–response authentication protocols that have been introduced to thwart relay attacks. They enable a verifier to authenticate and to establish an upper bound on the physical distance to an untrusted prover. We provide a detailed security analysis of a family of such protocols. More precisely, we show that the secret key shared between the verifier and the prover can be leaked after a number of nonce repetitions. The leakage probability, while exponentially decreasing with the nonce length, is only weakly dependent on the key length. Our main contribution is a high probability bound on the number of sessions required for the attacker to discover the secret, and an experimental analysis of the attack under noisy conditions. Both of these show that the attack's success probability mainly depends on the length of the used nonces rather than the length of the shared secret key. The theoretical bound could be used by practitioners to appropriately select their security parameters. While longer nonces can guard against this type of attack, we provide a possible countermeasure which successfully combats these attacks even when short nonces are use

    CENC is Optimally Secure

    At FSE 2006, Iwata introduced the CENC encryption mode and proved its security up to 2^{2n/3} plaintext blocks processed in total. He conjectured optimal security up to a constant. In this brief note, we confirm this conjecture. Rather than proving it ourselves, we point out that the conjecture's proof follows as a corollary of Patarin's "Theorem P_i xor P_j for any xi_max" from 2010. This connection appears to have remained unnoticed, and the sole purpose of this brief note is to make the connection explicit

    A TLS Downgrade Attack Exploiting Spatial Differences in Security Configurations

    Thesis (Master's) -- Seoul National University Graduate School: College of Engineering, Department of Computer Science and Engineering, February 2021. Advisor: Kwon Taekyoung.
    To provide secure content delivery, Transport Layer Security (TLS) has become a de facto standard over a couple of decades. However, TLS has a long history of security weaknesses and drawbacks. Thus the security of TLS has been enhanced by addressing security problems through continuous version upgrades. Meanwhile, to provide fast content delivery globally, websites need to administer many machines in globally distributed environments. They often delegate the management of machines to web hosting services or Content Delivery Networks (CDNs), where the security configurations on distributed servers may vary depending on the managing entities or locations. By leveraging these spatial differences in TLS security, we present a new TLS downgrade attack, called a Teleport attack. In our attack model, an adversary collects the information of (web) domains that exhibit different TLS versions and cryptographic options depending on clients' locations. Then the adversary redirects TLS handshake messages to weak TLS servers, and downgrades TLS sessions, which both the server and the client may not be aware of. We measure how many domains in the wild are vulnerable to the Teleport attack, and seek to better understand the root causes of the spatial differences in TLS security configurations. We also measure the redirection delay in various locations over the world to demonstrate the feasibility of the Teleport attack.
    Korean abstract (translated): Over the past several decades, TLS (Transport Layer Security) has established itself as the de facto standard for the secure delivery of web content. However, TLS has continually exposed vulnerabilities over a long period, and its security has therefore been maintained by resolving security problems through continuous version upgrades. Meanwhile, to deliver web content quickly to users around the world, web service providers have needed to maintain many servers in geographically distributed environments. As a result, they increasingly delegate their web content to web hosting or CDN (Content Delivery Network) providers; the security configurations of the distributed servers are delegated along with it and may differ depending on the managing entity or the service region. Exploiting these spatial differences in TLS security configurations, we present a new TLS downgrade attack, the so-called Teleport attack. In this attack model, the adversary collects information on domains that offer different TLS versions and cryptographic options depending on the client's geographic location. The adversary then redirects the client's TLS connection messages to a weak server in another region and downgrades the TLS session without either the server or the client noticing. We measure how many domains in the wild are vulnerable to the Teleport attack and analyse the root causes of the spatial differences in TLS security configurations. We also measure the delay caused by session redirection in several regions to demonstrate the feasibility of the Teleport attack.
    Contents:
    Chapter 1. Introduction
    Chapter 2. Background: 2.1 TLS Handshakes and Downgrade Attacks; 2.2 CDN Redirection
    Chapter 3. Teleport Attack: 3.1 Threat Model; 3.2 Populating Target Database; 3.3 TLS Handshake Redirection; 3.4 Downgraded Session Exploitation; 3.5 Summary
    Chapter 4. Effect of the Teleport Attack: 4.1 Data Collection; 4.2 Vulnerable Domains; 4.3 Cases of Spatial Differences; 4.4 How Web Servers Are Managed; 4.5 Classification Results
    Chapter 5. Feasibility of the Teleport Attack
    Chapter 6. Discussions: 6.1 Mitigation; 6.2 Limitations
    Chapter 7. Related Work
    Chapter 8. Conclusion
    Maste

    A Masked White-box Cryptographic Implementation for Protecting against Differential Computation Analysis

    Recently, gray-box attacks on white-box cryptographic implementations have succeeded. These attacks are more efficient than white-box attacks because they can be performed without detailed knowledge of the target implementation. The success of the gray-box attack is reportedly due to the unbalanced encoding used to generate the white-box lookup table. In this paper, we propose a method to protect white-box implementations against the gray-box attack. The basic idea is to apply the masking technique before encoding intermediate values during the white-box lookup table generation. Because we do not require any random source at runtime, it is possible to perform efficient encryption and decryption using our method. The security and performance analysis shows that the proposed method can be a reliable and efficient countermeasure

    Not so Difficult in the End: Breaking the ASCADv2 Dataset

    The ASCADv2 dataset ranks among the most secure publicly available datasets today. Two layers of countermeasures protect it: affine masking and shuffling, and the current attack approaches rely on strong assumptions. Specifically, besides having access to the source code, an adversary also requires prior knowledge of random shares. This paper forgoes reliance on such knowledge and proposes two attack approaches based on the vulnerabilities of the affine mask implementation. As a result, the first attack can retrieve all secret keys' reliance in less than a minute. Although the second attack is not entirely successful in recovering all keys, we believe more traces would help make such an attack fully functional