a more cautious approach to security against mass
play

A More Cautious Approach to Security Against Mass Surveillance Jean - PowerPoint PPT Presentation

Jan 19, 2024 •32 likes •292 views

Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results A More Cautious Approach to Security Against Mass Surveillance Jean Paul Degabriele , Pooya Farshim, and Bertram Poettering Royal Holloway, Queens University

  1. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results A More Cautious Approach to Security Against Mass Surveillance Jean Paul Degabriele , Pooya Farshim, and Bertram Poettering Royal Holloway, Queen’s University Belfast, Ruhr University Bochum FSE - 11th March 2015 Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 1/21

  2. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Outline of this Talk 1 Motivation 2 Algorithm Substitution Attacks 3 The BPR14 Model 4 Analysis & Results Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 2/21

  3. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results The Snowden Revelations Since June 2013 Edward Snowden has been disclosing classified documents about mass surveillance programs carried by the NSA and GCHQ. Until now, there has been no indication that these agencies are capable of breaking any of the main cryptographic primitives/assumptions which we believe to be secure/hard. Instead these agencies have resorted to more devious means: - Manoeuver standardisation bodies to advance the backdoored EC DRBG and the TLS Ext Random. - Secretly pay RSA to make the EC DRBG the default option in their cryptographic library. - Forcing vendors and service providers (through secret courts) to provide user data, secret keys, access to infrastructure, etc. - Intercept postal shipping to replace networking hardware. - Inject malware in network data carrying executable files. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 3/21

  4. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Guarding Against Surveillance In light of these events it is natural to ask what other means could be employed by such entities. Following the Snowden revelations, a first step in this direction is the recent work of Bellare, Paterson and Rogaway from CRYPTO 2014 [BPR14]. The focus of their study is Algorithm Substitution Attacks (ASA) with respect to symmetric encryption. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 4/21

  5. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Algorithm Substitution Attacks Consider some type of closed-source software that makes use of a standard symmetric encryption scheme. In an ASA the code of the standard encryption scheme is replaced with that of an alternative scheme that the attacker has authored. Following the terminology of [BPR14] we call this latter scheme a subversion and we refer to the attacker as big brother . If the code is obfuscated can we protect against this? Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 5/21

  6. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Algorithm Substitution Attacks Consider some type of closed-source software that makes use of a standard symmetric encryption scheme. In an ASA the code of the standard encryption scheme is replaced with that of an alternative scheme that the attacker has authored. Following the terminology of [BPR14] we call this latter scheme a subversion and we refer to the attacker as big brother . If the code is obfuscated can we protect against this? Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 5/21

  7. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Algorithm Substitution Attacks Note that ASAs are di ff erent from backdoors, as in the case of the Dual EC DRBG. The focus here is whether an implementation of the scheme o ff ers the claimed security. The original scheme is assumed to be secure and free from backdoors. ASAs have been considered in the past in the works of Young and Yung, and others, under the name of Kleptography. In addition ASAs often rely on constructing subliminal channels. However [BPR14] is the first to provide a formal treatment of ASAs and also provides a more general analysis. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 6/21

  8. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Algorithm Substitution Attacks Note that ASAs are di ff erent from backdoors, as in the case of the Dual EC DRBG. The focus here is whether an implementation of the scheme o ff ers the claimed security. The original scheme is assumed to be secure and free from backdoors. ASAs have been considered in the past in the works of Young and Yung, and others, under the name of Kleptography. In addition ASAs often rely on constructing subliminal channels. However [BPR14] is the first to provide a formal treatment of ASAs and also provides a more general analysis. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 6/21

  9. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Subversions For a symmetric encryption scheme Π = ( K , E , D ) its subversion is a pair e Π = ( e K , e E ). In an ASA the attacker samples a subversion key e K and substitutes E with e K , where e E takes the same inputs as E together with e E e K . Since the code is assumed to be obfuscated, the subversion key e K is inaccessible to the user. This gives big brother much more power to reach his goal. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 7/21

  10. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Main Results From BPR14 Propose two complementary security definitions: - A notion of surveillance resilience to prove positive results. - A notion of undetectability to prove negative results. The biased ciphertext attack , consisting of an undetectable subversion, applicable to any probabilistic scheme, which allows the attacker to recover the user’s key. Identify a property of symmetric encryption schemes, called unique ciphertexts , that is su ffi cient to guarantee surveillance resilience. They show that most nonce-based schemes can be used to build schemes with unique ciphertexts. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 8/21

  11. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Surveillance Resilience [BPR14] Game SURV B Π , e Π K , b 0 B Key , Enc ( e b $ { 0 , 1 } , e K $ e K ) return ( b = b 0 ) Key ( i ) if K i = ? then K i $ K , σ i ε return ε Enc ( M , A , i ) if K i = ? then return ? if b = 1 then ( C , σ i ) E ( K i , M , A , σ i ) else ( C , σ i ) e E ( e K , K i , M , A , σ i , i ) return C h i Adv srv SURV B Π ( B ) := 2 · Pr � 1 Π , e Π , e Π Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 9/21

  12. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Undetectability [BPR14] Game DETECT U Π , e Π K , b 0 U Key , Enc b $ { 0 , 1 } , e K $ e return ( b = b 0 ) Key ( i ) if K i = ? then K i $ K , σ i ε return K i Enc ( M , A , i ) if K i = ? then return ? if b = 1 then ( C , σ i ) E ( K i , M , A , σ i ) else ( C , σ i ) e E ( e K , K i , M , A , σ i , i ) return C h i Adv det DETECT U Π ( U ) := 2 · Pr � 1 Π , e Π , e Π Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 10/21

  13. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results The Decryptability Condition Whithout additional restrictions it is always possible to find a subversion e Π such that B can win the SURV game with probability one. Accordingly BPR require the following ‘minimal’ condition of undetectability that every subversion must satisfy. Definition (Decryptability) A subversion e Π = ( e K , e E ) is said to satisfy decryptability with respect to the scheme Π = ( K , E , D ) if the encryption scheme ( e K ⇥ K , e E , D 0 ) is perfectly correct, where D 0 (( e K , K ) , C , A , % ) = D ( K , C , A , % ). Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 11/21

  14. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Analysis of The BPR Model The first thing to note is that: Undetectability 6 = ) Decryptability Undetectability allows U a small success probability but the same is not true for Decryptability. This is overly restrictive on B . There is no reason why B would only consider subversions that have zero probability of being detected. Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 12/21

  15. Motivation Algorithm Substitution Attacks The BPR14 Model Analysis & Results Analysis of The BPR Model The first thing to note is that: Undetectability 6 = ) Decryptability Undetectability allows U a small success probability but the same is not true for Decryptability. This is overly restrictive on B . There is no reason why B would only consider subversions that have zero probability of being detected. So why not relax the decryptability condition by allowing a small probability of error? Degabriele, Farshim, Poettering A More Cautious Approach to Security Against Mass Surveillance 12/21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Overly Cautious Risk Assessment Methods Overstate Risk from PCBs in Indoor Air Presenter:

How Overly Cautious Risk Assessment Methods Overstate Risk from PCBs in Indoor Air Presenter:

OReilly, Talbot, and Okun [ A S S O C I A T E S ] How Overly Cautious

496 views • 36 slides
Low-mass dileptons at HADES and CBM in a transport approach Janus Weil FIAS with H. van Hees,

Low-mass dileptons at HADES and CBM in a transport approach Janus Weil FIAS with H. van Hees,

Low-mass dileptons at HADES and CBM in a transport approach Janus Weil FIAS with H. van Hees, U. Mosel, S. Endres, M. Bleicher CBM Collab. Meeting, 9. April 2014 Janus Weil Low-mass dileptons at HADES and CBM Outline questions & topics

338 views • 21 slides
Cautious label-wise ranking with constraint satisfaction Sbastien Destercke, Yonatan Carlos

Cautious label-wise ranking with constraint satisfaction Sbastien Destercke, Yonatan Carlos

Cautious label-wise ranking with constraint satisfaction Sbastien Destercke, Yonatan Carlos Carranza Alarcon DA2PL 2018 S. Destercke, Y. Alarcon Cautious label ranking DA2PL 2018 1 / 26 Some announcements: SUM 2019 When: 16-18 december

509 views • 23 slides
Cautious Adaptation For RL in Safety-Critical Settings International Conference on Machine

Cautious Adaptation For RL in Safety-Critical Settings International Conference on Machine

3 1 2 Cautious Adaptation For RL in Safety-Critical Settings International Conference on Machine Learning 2020 Jesse Zhang 1 , Brian Cheung 1 , Chelsea Finn 2 , Sergey Levine 1 , Dinesh Jayaraman 3 1 Outline Short overview (4 Minutes)

697 views • 26 slides
SOLVENT MASS BALANCE APPROACH FOR ESTI MATI NG VOC EMI SSI ONS FROM ELEVEN NONPOI NT

SOLVENT MASS BALANCE APPROACH FOR ESTI MATI NG VOC EMI SSI ONS FROM ELEVEN NONPOI NT

SOLVENT MASS BALANCE APPROACH FOR ESTI MATI NG VOC EMI SSI ONS FROM ELEVEN NONPOI NT SOLVENT SOURCE CATEGORI ES By: Donna Lee Jones, Steve Fudge, and Bill Battye EC/R, Inc., Chapel Hill, North Carolina EPA Contract Officer

913 views • 44 slides
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP

Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP

Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those processes Security is

577 views • 34 slides
Cautious R Regret M Minimization: Online O Optimization w with L Long-Term B Budg udget Co

Cautious R Regret M Minimization: Online O Optimization w with L Long-Term B Budg udget Co

Cautious R Regret M Minimization: Online O Optimization w with L Long-Term B Budg udget Co Constraints Nikolaos Liakopoulos 1,2,3 , Apostolos Destounis 1 , Georgios S. Paschos 1 , Thrasyvoulos Spyropoulos 2 , Panayotis Mertikopoulos 4 1

315 views • 13 slides
Republic of the Philippines The Philippine Economy: Cautious Optimism 22 February 2019 Deputy

Republic of the Philippines The Philippine Economy: Cautious Optimism 22 February 2019 Deputy

Republic of the Philippines The Philippine Economy: Cautious Optimism 22 February 2019 Deputy Governor Diwa C. Guinigundo Bangko Sentral ng Pilipinas 1 Outline I. The Operating Environment: Three Key Challenges II. The Philippine Case: A

413 views • 22 slides
Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th

Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th

Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th International Conference on Parallel Processing (ICPP) 2020 Ahmed M. Abdelmoniem, Hengky Susanto, and Brahim Bensaou Outline Introduction and background

498 views • 31 slides
Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An

Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An

Governor Mike Rounds FY2010 Budget Address Budget Highlights A Very Cautious Budget An Uncertain Economy Running out of Reserves Funding only Our Basic Needs Taking Care of People Protecting the Public

704 views • 42 slides
Information Security A Fresh Approach [Based on material from Kevin Day's book: Inside the

Information Security A Fresh Approach [Based on material from Kevin Day's book: Inside the

Information Security A Fresh Approach [Based on material from Kevin Day's book: Inside the Security Mind: Making the Tough Decisions , Prentice-Hall, 2003, ISBN: 0-13-111829-3] Why? Why concentrate on Information Security (or IT Security) when

152 views • 11 slides
A Dynamic Programming Approach to De Novo Peptide Sequencing via Tandem Mass Spectrometry Ting

A Dynamic Programming Approach to De Novo Peptide Sequencing via Tandem Mass Spectrometry Ting

Journal of Computational Biology, 8(3): 325-337, 2001 A Dynamic Programming Approach to De Novo Peptide Sequencing via Tandem Mass Spectrometry Ting Chen Department of Genetics Harvard Medical School Boston, MA 02115, USA Ming-Yang Kao

236 views • 13 slides
A Holistic Approach to Cyber Security Reduce the gap between your tools and your strategy. July

A Holistic Approach to Cyber Security Reduce the gap between your tools and your strategy. July

A Holistic Approach to Cyber Security Reduce the gap between your tools and your strategy. July 23,2019 Todays Presenters - A Holistic Approach to Cyber Security Frank Yako Steve Roesing CIO, Director of Strategic Initiatives, ASMGi

310 views • 27 slides
So basically same as a lot of us here: Wants to do cool InfoSec stuff, Wants to Stay out of Jail

So basically same as a lot of us here: Wants to do cool InfoSec stuff, Wants to Stay out of Jail

Changing Legal Landscape for Infosec Who I am: Elissa Shevinsky CEO of Jekudo Privacy Company @ElissaBeth and @Jekudo_Cat on Twitter Writer/Journalist Cautious Security Researcher So basically same as a lot of us here: Wants to do cool

472 views • 17 slides
Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background NTU / NIE is corporatized in April 2006 (Not requires to comply with IM8) Mission - To provide effective ICT resources, services and

841 views • 6 slides
A virtualized approach to Mass Storage System Dorin Lobontu, Jos van Wezel and Martin Beitzinger

A virtualized approach to Mass Storage System Dorin Lobontu, Jos van Wezel and Martin Beitzinger

A virtualized approach to Mass Storage System Dorin Lobontu, Jos van Wezel and Martin Beitzinger STEINBUCH CENTRE FOR COMPUTING KIT University of the State of Baden-Wuerttemberg and www.kit.edu National Research Center of the Helmholtz

554 views • 19 slides
Security Specification and Implementation for Mobile e-Health Services Ramon Mart, Jaime

Security Specification and Implementation for Mobile e-Health Services Ramon Mart, Jaime

Security Specification and Implementation for Mobile e-Health Services Ramon Mart, Jaime Delgado, Xavier Perramon Universitat Pompeu Fabra (UPF), Barcelona, Spain {ramon.marti, jaime.delgado, xavier.perramon}@upf.edu personal health data to be

137 views • 9 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond,

Extending Security Protocol Analysis : New Challenges Mike Bond, Jolyon Clulow {Mike.Bond, Jolyon.Clulow}@cl.cam.ac.uk Workshop on Automated Reasoning for Security Protocols Analysis (ARSPA 2004) 4 th July 2004 Outline An introduction to

764 views • 31 slides
ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving

ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving

Zurich Research Laboratory ZISC Information Security Colloquium June 15, 2004 Direct Anonymous Attestation: Achieving Privacy in Remote Authentication Jan Camenisch IBM Zurich Research Laboratory jca@zurich.ibm.com Joint work with Ernie

353 views • 24 slides
A CSCW System for Distributed Search/Collection Tasks using Wearable Computers 6 th IEEE Workshop

A CSCW System for Distributed Search/Collection Tasks using Wearable Computers 6 th IEEE Workshop

A CSCW System for Distributed Search/Collection Tasks using Wearable Computers 6 th IEEE Workshop on Mobile Computing Systems & Applications Dec 2 nd 3 rd , 2004 English Lake District, UK Tetsuo Sumiya , Akifumi Inoue , Sadayuki

387 views • 23 slides
Toward a Pattern Language for CSCW THOMAS John, IBM Research 2011 March 19 Potential Forms of

Toward a Pattern Language for CSCW THOMAS John, IBM Research 2011 March 19 Potential Forms of

Toward a Pattern Language for CSCW THOMAS John, IBM Research 2011 March 19 Potential Forms of Knowledge Known, Predictable, Unchanging, Simple Algorithms, Formulae, Programs, Machines Patterns Heuristics, Principles, Properties Case Studies

507 views • 26 slides
Perspectives on CSCW 2017 Courtney Williams Opening Keynote Conversational Intelligence: Bots

Perspectives on CSCW 2017 Courtney Williams Opening Keynote Conversational Intelligence: Bots

Perspectives on CSCW 2017 Courtney Williams Opening Keynote Conversational Intelligence: Bots and Lessons Learned Lili Cheng (Microsoft Research) Xiaoice (China), Tay (US) Advanced conversational bots Bots for work, bots for

569 views • 11 slides

More recommend