    A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System

    The HIVE hidden volume encryption system was proposed by Blass et al. at ACM-CCS 2014. Even though HIVE has a security proof, this paper demonstrates an attack on its implementation that breaks the main security property claimed for the system by its authors, namely plausible hiding against arbitrary-access adversaries. Our attack is possible because of the HIVE implementation's reliance on the RC4 stream cipher to fill unused blocks with pseudorandom data. While the attack can be easily eliminated by using a better pseudorandom generator, it serves as an example of why RC4 should be avoided in all new applications and a reminder that one has to be careful when instantiating primitives.

    Invisible Adaptive Attacks

    We introduce the concept of an \emph{invisible adaptive attack} (IAA) against cryptographic protocols. Or rather, it is a class of attacks, where the protocol itself is the attack, and where this cannot be seen by the security model. As an example, assume that we have some cryptographic security \emph{model} $M$ and assume that we have a current setting of the \emph{real world} with some cryptographic infrastructure in place, like a PKI. Select some object from this real world infrastructure, like the public key, $pk_0$, of some root certificate authority (CA). Now design a protocol $\pi$, which is secure in $M$. Then massage it into $\hat{\pi}$, which runs exactly like $\pi$, except that if the public key $pk$ of the root CA happens to be $pk_0$, then it will be completely insecure. Of course $\hat{\pi}$ should be considered insecure. However, in current security models existing infrastructure is modelled by generating it at random in the experiment defining security. Therefore, \emph{in the model}, the root CA will have a fresh, random public key $pk$. Hence $pk \ne pk_0$, except with negligible probability, and thus $M$ will typically deem $\hat{\pi}$ secure. The problem is that to notice the above attack in a security model, we need to properly model the correlation between $\hat{\pi}$ and $pk$. However, this correlation was made by the \emph{adversary} and it is naïve to believe that he will report this correlation correctly to the security model. It is the protocol itself and how to model it which is the attack. Furthermore, since a model cannot see a real world object, like the current infrastructure, the correlation is invisible to the model when not reported by the adversary.
    Besides introducing the new concept of an invisible adaptive attack, we have the following contributions:
    \begin{enumerate}
    \item We show that a popular security model, the generalized universal composability (GUC) model introduced by Canetti, Dodis, Pass and Walfish in 2007 \cite{CDPW07GUC}, allows an IAA, along the lines of the attack sketched above. This is not a problem specific to the GUC model, but it is more interesting to demonstrate this for the GUC model, as it was exactly developed to model security for protocols running with a common infrastructure which has been set up once and for all before the protocols are run.
    \item We show how to modify the GUC model to catch invisible adaptive attacks relative to existing infrastructure, introducing the \emph{strong externalized universal composability (SEUC)} model. Conceptually, when given a protocol to analyse, we will assume the \emph{worst case correlation} to the existing infrastructure, and we will deem it secure if it is secure in the presence of this worst case correlation. I.e., a protocol is deemed insecure if there could \emph{exist} an IAA which is using the given protocol. We consider this new way to define security a main conceptual contribution of the paper. Properly modelling this conceptual idea is technically challenging and requires completely novel ideas. We consider this the main technical contribution of the paper. We prove that the new model has secure modular composition, as the UC and the GUC model do.
    \item We show that in the SEUC model any well-formed ideal functionality can be realised securely under standard computational assumptions and using an infrastructure, or setup assumption, known as an augmented common reference string. We do that by slightly modifying a protocol from \cite{CDPW07GUC} and reproving its security in the SEUC model.
    \end{enumerate}
    Our techniques seem specific to modelling IAAs relative to \emph{existing infrastructure}. One can, however, imagine more general IAAs, relative, for instance, to values being dynamically generated by secure protocols currently running in practice, like a broadcast service or a cloud service. We do not know how to model IAAs in general and hence open up a new avenue of investigation.

    Broadcast Encryption with Traitor Tracing (Diffusion chiffrée avec traçage de traîtres)

    In this thesis, we look at definitions and black-box constructions with efficient instantiations for broadcast encryption and traitor tracing. We begin by looking at the security notions for broadcast encryption found in the literature. Since there is no easy way to compare these existing notions, we propose a framework of security notions for which we establish relationships. We then show where existing notions fit within this framework. Second, we present a black-box construction of a decentralized dynamic broadcast encryption scheme. This scheme does not rely on any trusted authorities, and new users can join at any time. It achieves the strongest security notion based on the security of its components and has an efficient instantiation that is fully secure under the DDH assumption in the standard model. Finally, we give a black-box construction of a message-based traitor tracing scheme, which allows tracing not only based on pirate decoders but also based on watermarks contained in a message. Our scheme is the first one to obtain the optimal ciphertext rate of 1 asymptotically. We then show that at today's data rates, the scheme is already practical for standard choices of values.

    Security Notions for Broadcast Encryption -- ACNS ’11 Best Student Paper Award

    This paper clarifies the relationships between security notions for broadcast encryption. In the past, each new scheme came with its own definition of security, which makes them hard to compare. We thus define a set of notions, as done for signature and encryption, for which we prove implications and separations, and relate the existing notions to the ones in our framework. We find some interesting relationships between the various notions, especially in the way they define the receiver set of the challenge message. In addition, we define a security notion that is stronger than all previous ones, and give an example of a scheme that fulfills this notion.

    Adaptive CCA Broadcast Encryption with Constant-Size Secret Keys and Ciphertexts

    We consider designing broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our proposed scheme has constant-size secret keys and ciphertexts and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally, we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie-Hellman exponent and the knowledge of exponent assumptions. We prove both of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time.

    On the Joint Security of Encryption and Signature in EMV

    We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single key-pair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single key-pair setting, and shown to be secure.

    Cybersecurity Research: Challenges and Course of Action

    The European society faces numerous disruptive changes due to the progressing digitalisation. These changes have the potential to lead to a fair digitalised world if they are based on the ideal of digital sovereignty as a guiding principle at the citizen, economic and state levels. Research in cybersecurity creates the technological prerequisites for addressing the challenges of digitalisation in this spirit. Researchers in academia and industry from all over Europe met in Darmstadt and Berlin to identify the main challenges of cybersecurity research. Irrespective of their scientific backgrounds, all authors agreed that effective security and privacy measures require a systematic and holistic approach which considers security and privacy from the ground up. They stressed that in addition to the proposed research agenda, it is necessary to improve education across the board. During the discussions, it also became clear that various important scientific questions remain open, and that only long-term research across all disciplines can solve these problems. In the first chapter, we outline the major challenges in the fundamental research of the IT security fields in computer and engineering sciences. In the second chapter, we look at the cybersecurity challenges from the perspective of economic, legal and social sciences. In the last chapter, we analyse various examples of applications and technologies which combine the different research areas. Each section of the roadmap is dedicated to a specific challenge. The order of the sections is not intended to reflect their relative importance. For each challenge, we propose concrete next steps based on the state of the art in the scientific and industrial research landscape. We hope to reach out to all interested parties who endeavour to strengthen cybersecurity and enhance digital sovereignty in Europe.