29 research outputs found

    Optimal Forgeries Against Polynomial-Based MACs and GCM

    Get PDF
    Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice. Due to their importance, a significant amount of attention has been given to understanding and improving both proofs and attacks against such schemes. At EUROCRYPT 2005, Bernstein published the best known analysis of the schemes when instantiated with PRPs, thereby establishing the most lenient limits on the amount of data the schemes can process per key. A long line of work, initiated by Handschuh and Preneel at CRYPTO 2008, finds the best known attacks, advancing our understanding of the fragility of the schemes. Yet surprisingly, no known attacks perform as well as the predicted worst-case attacks allowed by Bernstein\u27s analysis, nor has there been any advancement in proofs improving Bernstein\u27s bounds, and the gap between attacks and analysis is significant. We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein\u27s bound, and our attacks, are optimal

    Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

    Get PDF
    We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions, and a credit card company. We present a proof of concept of our attack allowing to violate the authenticity of affected HTTPS connections which in turn can be utilized to inject seemingly valid content into encrypted sessions. Furthermore we discovered over 70,000 HTTPS servers using random nonces, which puts them at risk of nonce reuse if a large amount of data is sent over the same connection

    MEGA: Malleable Encryption Goes Awry

    Get PDF
    MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway. Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models

    Attacking Deterministic Signature Schemes using Fault Attacks

    Get PDF
    Many digital signature schemes rely on random numbers that are unique and non-predictable per signature. Failures of random number generators may have catastrophic effects such as compromising private signature keys. In recent years, many widely-used cryptographic technologies adopted deterministic signature schemes because they are presumed to be safer to implement. In this paper, we analyze the security of deterministic ECDSA and EdDSA signature schemes and show that the elimination of random number generators in these schemes enables new kinds of fault attacks. We formalize these attacks and introduce practical attack scenarios against EdDSA using the Rowhammer fault attack. EdDSA is used in many widely used protocols such as TLS, SSH and IPSec, and we show that these protocols are not vulnerable to our attack. We formalize the necessary requirements of protocols using these deterministic signature schemes to be vulnerable, and discuss mitigation strategies and their effect on fault attacks against deterministic signature schemes

    Design and Analysis of Symmetric Primitives

    Get PDF

    Cybersecurity and Quantum Computing: friends or foes?

    Get PDF
    L'abstract è presente nell'allegato / the abstract is in the attachmen

    Security in automotive microcontrollers of next generation

    Get PDF
    Information technology – we define broadly as being systems based on digital hardware and software – has gained central importance for many new automotive applications and services.On the production side we observe that the cost for electronics and IT is approaching the 50% threshold of all manufacturing costs.One aspect of modern IT systems has hardly been addressed in the context of automotive applications: IT security. Security is concerned with protection against the manipulation of IT systems by humans. After a brief review of the evolution in the last five years of the IT security in the automotive environment, we will see the state of art of the security features of the automotive microcontrollers.laslty it will be presented an hardware module that ensure the privacy aspect, of the IT security, in a bus communication in an automotive environment

    SoK: Computer-Aided Cryptography

    Get PDF
    Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency,and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography—how it can help and what the caveats are—in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy,scope, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography community’s involvement in the TLS 1.3 standardization effort.Finally, we conclude with recommendations to paper authors,tool developers, and standardization bodies moving forward

    Another Look at TLS Ecosystems in Networked Devices vs. Web Servers

    Get PDF
    High-speed IPv4 scanners, such as ZMap, now enable rapid and timely collection of TLS certificates and other security-sensitive parameters. Such large datasets led to the development of the Censys search interface, facilitating comprehensive analysis of TLS deployments in the wild. Several recent studies analyzed TLS certificates as deployed in web servers. Beyond public web servers, TLS is deployed in many other Internet-connected devices, at home and enterprise environments, cyber physical systems, and at network backbones. In Apr. 2017, we reported the results of a preliminary analysis based on measurement data of TLS deployments in such devices (e.g., routers, modems, NAS, printers, SCADA, and IoT devices in general) collected in Oct. 2016 using Censys. We also compared certificates and TLS connection parameters from a security perspective, as found in common devices against top Alexa sites. Censys has evolved since then and its data volume has increased with the addition of several new device types. In this paper, we perform a similar but more comprehensive measurement study to assess TLS vulnerabilities in devices, and compare our current results with our 2016 findings, showing how such systems have evolved in the last one and half year. Indeed, there are noticeable improvements in the TLS ecosystem for devices, especially in terms of adoption of TLS itself (from 29.4% in 2016 to 73.7% in 2018) and stronger cryptographic primitives. However, we also note the continuity of significant weaknesses in devices for which immediate remediation is warranted (e.g., the use of known private keys, SSLv3, MD5-RSA, and RC4). We have also contacted the top manufacturers of vulnerable devices to convey our findings. Most of them blamed users for not updating their devices with latest firmware images that apparently would mitigate the reported findings
    corecore