
    Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)

    Diffie-Hellman key exchange (DHKE) is a widely adopted method for exchanging cryptographic key material in real-world protocols like TLS-DH(E). Past attacks on TLS-DH(E) focused on weak parameter choices or missing parameter validation. The confidentiality of the computed DH share, the premaster secret, was never questioned; DHKE is used as a generic method to avoid the security pitfalls of TLS-RSA. We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary. Our main result is a novel side-channel attack, named the Raccoon attack, which exploits a timing vulnerability in TLS-DH(E), leaking the most significant bits of the shared Diffie-Hellman secret. The root cause of this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem. The Raccoon attack takes advantage of uncommon DH modulus sizes, which depend on the properties of the hash functions used. We describe a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus. Fortunately, such moduli are not commonly used on the Internet. Furthermore, with our large-scale scans we have identified implementation-level issues in production-grade TLS implementations that allow for executing the same attack by directly observing the contents of server responses, without resorting to timing measurements.

    Systemization of Pluggable Transports for Censorship Resistance

    An increasing number of countries implement Internet censorship at different scales and for a variety of reasons. In particular, the link between the censored client and the entry point to the uncensored network is a frequent target of censorship due to the ease with which a nation-state censor can control it. A number of censorship resistance systems have been developed thus far to help circumvent blocking on this link, which we refer to as link circumvention systems (LCs). The variety and profusion of attack vectors available to a censor has led to an arms race, leading to a dramatic speed of evolution of LCs. Despite their inherent complexity and the breadth of work in this area, there is no systematic way to evaluate link circumvention systems and compare them against each other. In this paper, we (i) sketch an attack model to comprehensively explore a censor's capabilities, (ii) present an abstract model of an LC, a system that helps a censored client communicate with a server over the Internet while resisting censorship, (iii) describe an evaluation stack that underscores a layered approach to evaluating LCs, and (iv) systemize and evaluate existing censorship resistance systems that provide link circumvention. We highlight open challenges in the evaluation and development of LCs and discuss possible mitigations.
    Comment: Content from this paper was published in Proceedings on Privacy Enhancing Technologies (PoPETS), Volume 2016, Issue 4 (July 2016) as "SoK: Making Sense of Censorship Resistance Systems" by Sheharbano Khattak, Tariq Elahi, Laurent Simon, Colleen M. Swanson, Steven J. Murdoch and Ian Goldberg (DOI 10.1515/popets-2016-0028).

    Pitfalls in blood pressure measurement in daily practice

    Background. Accurate blood pressure (BP) readings and correct interpretation of the obtained values are of great importance. However, there is considerable variation in the BP measuring methods suggested in guidelines and used in hypertension trials. Objective. To compare the different methods used to measure BP: measuring once, the method used for a large study such as the UKPDS, and the methods recommended by various BP guidelines. Methods. In 223 patients with type 2 diabetes from five family practices, BP was measured according to a protocol to obtain the following data: A = first reading, B = mean of two initial readings, C = at least four readings and the mean of the last three readings with less than 15% coefficient of variation difference, D = mean of the first two consecutive readings with a maximum of 5 mm Hg difference. The main outcome measure is the mean difference between the BP measuring methods in mm Hg. Results. Significant differences in systolic/diastolic BP were found between A and B [mean difference (MD) systolic BP 1.6 mm Hg, P < 0.001], B and C (MD 5.7/2.8 mm Hg, P < 0.001), B and D (MD 6.2/2.8 mm Hg, P < 0.001), A and C (MD 7.3/3.3 mm Hg), and A and D (MD 7.9/3.0 mm Hg, P < 0.001). Conclusion. Different methods of assessing BP during one visit in the same patient lead to significantly different BP readings and can lead to overestimation of the mean BP. These differences are clinically relevant and show a gap between the methods used in trials, guidelines and daily practice.

    Experimental realization of a highly secure chaos communication under strong channel noise

    A one-way coupled spatiotemporally chaotic map lattice is used to construct a cryptosystem. By combining chaotic computations with conventional algebraic operations, our system has cryptographic properties much better than those obtained by applying known chaotic and conventional methods separately. We have carried out experiments in duplex secure voice communication over a realistic wired Public Switched Telephone Network, applying our chaotic system and the Advanced Encryption Standard (AES), respectively, for cryptography. Our system can work stably against strong channel noise where AES fails to work.
    Comment: 15 pages, 5 figures