Extending SAT solvers to cryptographic problems

Abstract. Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver's input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 2 6 times faster than was previously possible

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards

MiFare Crypto 1 is a lightweight stream cipher used in London\u27s Oyster card, Netherland\u27s OV-Chipcard, US Boston\u27s CharlieCard, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering. We have examined MiFare from the point of view of the so called algebraic attacks . We can recover the full 48-bit key of MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption). The security of this cipher is therefore close to zero. This is particularly shocking, given the fact that, according to the Dutch press, 1 billion of MiFare Classic chips are used worldwide, including in many governmental security systems

A game of “Cut and Mouse”:bypassing antivirus by simulating user inputs

To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AVs' protection is a full-time task and AVs are engaged in a cat-and-mouse game where malware, e.g., through obfuscation and polymorphism, denial of service attacks and malformed packets and parameters, try to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-act, for instance by using adversarial inputs to avoid detection, et cetera. This paper investigates two novel moves for the malware side. The first one consists in simulating mouse events to control AVs, namely to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse

Privacy through Noise: A Design Space for Private Identification

To protect privacy in large systems, users should be able to authenticate against a central server without disclosing their identity to others. Private identification protocols based on public key cryptography are computationally expensive and cannot be implemented on small devices like RFID tags. Symmetric key protocols, on the other hand, provide only modest levels of privacy, but can be efficiently executed on servers and cheaply implemented on devices. The privacy of symmetric-key privacy protocols derives from the fact that an attacker only ever knows a small fraction of the keys in a system while the legitimate reader knows all keys. We propose to amplify this gap in the ability to distinguish users by adding noise to user responses. We focus on scenarios where an attacker is not able to acquire multiple different reads known to be from the same device, and justify this threat model by proposing a simple modification to RFID tag designs. In such scenarios, we can use noise to blur the borders between groups of users that the attacker would otherwise be able to distinguish. We evaluate the effectiveness and cost of this randomization and find that the information leakage from the tree protocol can be decreased to two thousandths of its original value with 150 times the number of server-side cryptographic operations and minimal cost to the tag. Degrees of privacy up to those achieved by public key protocols can be reached while staying well below the cost of public key cryptography