a perfect memory key compromise in an efficiency centric
play

A Perfect Memory: Key Compromise in an Efficiency-centric World - PowerPoint PPT Presentation

Feb 10, 2023 •831 likes •1.04k views

A Perfect Memory: Key Compromise in an Efficiency-centric World Britta Hale NTNU, Norwegian University of Science and Technology A Perfect Memory.... Britta Hale | Crypto vs. Mass Surveillance Workshop Facebook Google Lule, Sweden Britta

  1. A Perfect Memory: Key Compromise in an Efficiency-centric World Britta Hale NTNU, Norwegian University of Science and Technology

  2. A Perfect Memory.... Britta Hale | Crypto vs. Mass Surveillance Workshop

  3. Facebook Google Luleå, Sweden Britta Hale | Crypto vs. Mass Surveillance Workshop

  4. Threat Landscape: Always present adversary Long-term adversary Learn Master K sk 1 sk 2 sk 3 sk 4 sk 5 Are past session keys secure? Britta Hale | Crypto vs. Mass Surveillance Workshop

  5. Perfect Forward Secrecy: Long-term key compromised Past session keys remain secure Learn Master K sk 1 sk 2 sk 3 sk 4 sk 5 *Günther, C. G. Eurocrypt ’89 Britta Hale | Crypto vs. Mass Surveillance Workshop

  6. forward secrecy in practice • TLS... ? • DHE-RSA / ECDHE-RSA / ... • TLS 1.2 vs. TLS 1.3 • TLS 1.3 0-RTT ... What? Britta Hale | Crypto vs. Mass Surveillance Workshop

  7. Client Server Client Hello Server Hello Certificate Server Hello Done Client Key Exchange Change Cipher Spec. Client Finished Change Cipher Spec. Server Finished Application Data Application Data Simplified TLS Handshake Protocol Britta Hale | Crypto vs. Mass Surveillance Workshop

  8. The story of low-latency / 0-RTT protocols... Data is sent encrypted immediately Britta Hale | Crypto vs. Mass Surveillance Workshop

  9. • QUIC by ... (Quick UDP Internet Connections) Britta Hale | Crypto vs. Mass Surveillance Workshop

  10. low-latency key exchange Server cnf [ m ] temp . sk Cache: Server cnf Client Server . . . [ m ] sk Britta Hale | Crypto vs. Mass Surveillance Workshop

  11. Client Server (previous communication) Sign K ( g s ) 0-RTT key exchange: g x temp . sk ← g xs temp . sk ← g xs [0-RTT data] temp . sk g y sk ← g xy sk ← g xy [further data] sk Britta Hale | Crypto vs. Mass Surveillance Workshop

  12. • QUIC • Presented in 2013 • Encrypted data can be sent in the first flow • To be replaced by TLS 1.3 • TLS 1.3 draft (version 18): 0-RTT variant • based on a pre-shared key • new forward secrecy concerns Britta Hale | Crypto vs. Mass Surveillance Workshop

  13. Client Server (previous communication) (previous communication) temp . sk temp . sk 0-RTT key exchange: “ temp . sk identity”, *Client key share [0-RTT data] temp . sk “ temp . sk identity”, *Server key share Derive sk Derive sk [further data] sk “This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.” – TLS 1.3 Draft Britta Hale | Crypto vs. Mass Surveillance Workshop

  14. 0-rtt folklore For 0-RTT, there is an “upper bound on the forward security of the connection” – QUIC Crypto Specification Forward secrecy “can’t be done in 0-RTT” – TLS 1.3 mailing list Britta Hale | Crypto vs. Mass Surveillance Workshop

  15. 0-RTT Key Exchange with Full Forward Secrecy Felix Günther 1 Britta Hale 2 Tibor Jager 3 Sebastian Lauer 3 1 TU Darmstadt 2 NTNU, Trondheim 3 Ruhr-University Bochum • Server has public/secret key pair ( PK, SK ) , where SK is updated • Puncturable FS Key Encapsulation Mechanism (PFS-KEM) • Built from a HIBKEM and One-Time Signatures Britta Hale | Crypto vs. Mass Surveillance Workshop

  16. final comments • Forward secrecy is a serious problem in a world with indefinitely stored data • 0-RTT encrypted data is a growing demand : traffic increase, IoT, ... • Current 0-RTT solutions do not address forward secrecy, or have simply changed the context • Forward secrecy is possible for 0-RTT data, despite all previous claims Britta Hale | Crypto vs. Mass Surveillance Workshop

  17. Questions Britta Hale | Crypto vs. Mass Surveillance Workshop

  18. Britta Hale | Crypto vs. Mass Surveillance Workshop

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

400 views • 11 slides
Learning From Data Lecture 17 Memory and Efficiency in Nearest Neighbor Memory Efficiency M.

Learning From Data Lecture 17 Memory and Efficiency in Nearest Neighbor Memory Efficiency M.

Learning From Data Lecture 17 Memory and Efficiency in Nearest Neighbor Memory Efficiency M. Magdon-Ismail CSCI 4100/6100 recap: Similarity and Nearest Neighbor Similarity 1. Simple. | x x | d ( x , x ) = | | 2. No training.

546 views • 25 slides
No Compromise Using Unified Memory for High Resolution Medical Image AI Joe Yeh, M.D., CEO

No Compromise Using Unified Memory for High Resolution Medical Image AI Joe Yeh, M.D., CEO

No Compromise Using Unified Memory for High Resolution Medical Image AI Joe Yeh, M.D., CEO Outline Dimension problem with medical image AI Ways to overcome dimension problems Using unified memory for CNN training

617 views • 42 slides
Mnemo: Boosting Memory Cost Efficiency in Hybrid Memory Systems Thaleia Dimitra Doudali Ada

Mnemo: Boosting Memory Cost Efficiency in Hybrid Memory Systems Thaleia Dimitra Doudali Ada

Mnemo: Boosting Memory Cost Efficiency in Hybrid Memory Systems Thaleia Dimitra Doudali Ada Gavrilovska Problem Space Cost of memory dominates in the cloud. 60% - 85% of the hourly VM cost! Big Data Analytics Volatile Memory (DRAM)

535 views • 18 slides
User centric Cost based Flight Efficiency and Equity indicators . Dr. Javier Lpez

User centric Cost based Flight Efficiency and Equity indicators . Dr. Javier Lpez

User centric Cost based Flight Efficiency and Equity indicators . Dr. Javier Lpez Leons (Boeing Research & Technology Europe) Marcos Sanz Bravo (CRIDA A.I.E.) Belgrade, 30 of November 2017 Authors JAVIER LOPEZ LEONES , MANUEL

591 views • 58 slides
Computational Logic Efficiency Issues in Prolog 1 Efficiency In general, efficiency

Computational Logic Efficiency Issues in Prolog 1 Efficiency In general, efficiency

Computational Logic Efficiency Issues in Prolog 1 Efficiency In general, efficiency savings: Not only time (number of unifications, reduction steps, LIPS, etc.) Also memory General advice: Use the best algorithms Use

196 views • 19 slides
The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI Techmedia The Java Memory Model p. 1/30 Overview Part I : Motivation for weak memory models: Compromise between standard optimisations and

813 views • 46 slides
Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra

Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra

Twizzler: A Data-Centric OS for Persistent Memory Daniel Bittman Peter Alvaro Pankaj Mehra Darrell Long Ethan Miller Center for Research in Storage Systems University of California, Santa Cruz 1 Hardware Trends sys_read ~100-300 ns

196 views • 17 slides
Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory, internal and external fragmentation Paging and segmentation Address translation, efficiency Hardware support (e.g., TLB) Page

513 views • 13 slides
Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

798 views • 49 slides
Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar

Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar

Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar WS2015 Memory Bandwidth Technology BW GB/s DDR3-1333 2GB 10,66 DDR4-2667 4GB 21,34 Hennessy, Patterson, Computer Architecture, A quantitative

445 views • 21 slides
IRS & FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS & FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your

IRS & FTB Offers in Compromise December 12, 2012 Thank you for attending this seminar. Your work on behalf of ALRP clients can reduce, or eliminate, the financial burdens that result from having tax problems. FEDERAL OFFERS IN COMPROMISE

403 views • 8 slides
Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the

Missouri Compromise, 1820 Firebell in the Night The Missouri Compromise, 1820 Divides the Louisiana Purchase into Free and Slave territory along 36 30 Admits Missouri as a Slave state and Maine as a Free state Keeps Equal Political Power

378 views • 24 slides
Value Types Objectives Discuss concept of value types efficiency memory management

Value Types Objectives Discuss concept of value types efficiency memory management

Value Types Objectives Discuss concept of value types efficiency memory management value semantics boxing unboxing simple types Introduce struct value type definition use advantages

615 views • 26 slides
The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333,

The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333,

The Worlds First LED Human Centric Fluorescent Tube by Human Centric Optics Inc. 333, 10654-82 Ave NW Edmonton, Alberta info@hcolab.com www.hcolab.com Human Centric LED Medical science discovers a third receptor in our eyes This

714 views • 13 slides
Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No

Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No

EXHIBIT/P-00155 Cougar Helicopters Presentation Offshore Helicopter Safety Inquiry 1 No Compromise No operation or business opportunity, either new or ongoing, should ever compromise safety or unduly affect our accepted levels of risk

838 views • 83 slides
r t rts r

r t rts r

r t rts r t str rtr tt P

1.21k views • 76 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

26. DECUS Symposium Bonn Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation Overview Product information What is the secure sockets layer (SSL)? Overview of SSL/OpenSSL/SSL on OpenVMS

657 views • 26 slides
Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure applications: Applicaz. (SHTTP) PGP, SHTTP, SFTP, or SSL/TLS Security down in the TCP protocol stack -SSL between TCP IPSEC and applic. layer

723 views • 59 slides
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

1.45k views • 32 slides
Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17, 2014 Recap & outline Security is hard Cryptography is not security No "security through obscurity" Today:

924 views • 39 slides
MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One

MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One Year Later http://www.cs.stanford.edu/~iliano CS Department, UMBC

679 views • 29 slides
Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf Steinmetz TU Darmstadt - Darmstadt University of Technology, Dept. of Electrical Engineering and Information Technology, Dept. of Computer Science KOM -

2.54k views • 46 slides

More recommend