bit attacks d j bernstein university of illinois at
play

Bit attacks D. J. Bernstein University of Illinois at Chicago - PDF document

Oct 18, 2023 •257 likes •394 views

Bit attacks D. J. Bernstein University of Illinois at Chicago From: andr...@ise... Date: 11 Feb 2009 14:48 Subject: Question Running CubeHash8/1 with 64 bit output over 2 different datasets give me the same hash under Visual Studio. Using

  1. Bit attacks D. J. Bernstein University of Illinois at Chicago

  2. From: andr...@ise... Date: 11 Feb 2009 14:48 Subject: Question Running CubeHash8/1 with 64 bit output over 2 different datasets give me the same hash under Visual Studio. Using the code from simple.c and call it the following way:

  3. memcpy(data, "AAAAAAAABBBB\0\0\0\0" ,16); Hash(64,data,16,hash); for(i = 0; i < 8; i++) printf("%02x",0xff&hash[i]); printf("\n"); memcpy(data, "AAAAAAAACBBB\0\0\0\0" ,16); Hash(64,data,16,hash); for(i = 0; i < 8; i++) printf("%02x",0xff&hash[i]); printf("\n");

  4. As you can see, there is a minor difference in the dataset (first "B" replaced with a "C". Running it produces: 379ec80069d7a71b 379ec80069d7a71b Is this the winner of the final CubeHash prize?

  5. Let’s look at what happened. Programmer wants to hash a string s with n bytes. Classic MD5 API: “ input has inputlen bytes.” Okay: input = s ; inputlen = n

  6. Let’s look at what happened. Programmer wants to hash a string s with n bytes. Classic MD5 API: “ input has inputlen bytes.” Okay: input = s ; inputlen = n NIST SHA-3 API: “ data has databitlen bits.” Okay: data = s ; � n databitlen = 8

  7. e.g. databitlen = 128 to hash 16 bytes: AAAAAAAABBBB0000 AAAAAAAACBBB0000

  8. e.g. databitlen = 128 to hash 16 bytes: AAAAAAAABBBB0000 AAAAAAAACBBB0000 What if the programmer forgets to multiply by 8? databitlen = 16: AA AAAAAABBBB0000 AA AAAAAACBBB0000

  9. From: andr...@ise... Date: 11 Feb 2009 15:40 Subject: RE: Question Responding to my own message here. Found the bug and it was my mistake. I call Hash with the number of bytes for datalength, instead of the number of bits.

  10. What fraction of programmers will forget to multiply by 8? =F . Let’s say fraction is 1 Surely SHA-3 will be used in > 1000 network protocols. > 1000 =F cases Expect of server programmer forgetting to multiply by 8. Will this bug be caught by interoperability tests?

  11. Standardizing a protocol requires an independent client implementation. > 1000 =F 2 cases Still expect of client programmer and independent server programmer forgetting to multiply by 8.

  12. Standardizing a protocol requires an independent client implementation. > 1000 =F 2 cases Still expect of client programmer and independent server programmer forgetting to multiply by 8. Typical tests will be passed. Protocol will be deployable. = 8th of message Last 7 will be trivially modifiable. Security disaster!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise: How big is the dig +dnssec -t any se response packet? @a.ns.se How big was the query packet? Some general questions Why doesnt the Internet

1.43k views • 86 slides
Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System

Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System

Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System cert.org wants to see http://www.lsec.be . Browser at cert.org The web server www.lsec.be has IP address

813 views • 55 slides
Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of Illinois at Chicago Motivation A hashing structure proposed by Bellare/Micciancio, 1996: f 1 ; f 2 ; : : : Standardize functions from, e.g.,

297 views • 17 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers

NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers

1 2 NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers Preneel RIPEMD-160: University of Illinois at Chicago &amp; a strengthened version of Technische Universiteit Eindhoven RIPEMD: It is

1.93k views • 149 slides
Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University of Illinois at Chicago http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 1996: qmail 0.70. 1997: qmail 1.00.

1.04k views • 69 slides
Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Certificates Make use of trusted Certificate Authorities (CA) This public

472 views • 29 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS9600083 NSF DMS9970409 NSF DMS0140542 Alfred P. Sloan Foundation NSF ITR0716498 T as the time Define n . used by NFS to factor T depends on

433 views • 31 slides
Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Christiane Peters University of Illinois at Chicago Context: speed What is

500 views • 36 slides
Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836)

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836)

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836) NIST (60NANB10D263) Cisco (University Research Program) Interpolation Fix coprime 1 Z 0 . Remainder repn

1.19k views • 70 slides
ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 New EECM web site: http://eecm.cr.yp.to Joint work with: 1 2 3 Tanja Lange 1 Peter Birkner 1 Christiane Peters 2 3 Chen-Mou Cheng 2 3

470 views • 29 slides
Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement:

Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement:

Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement: Special-purpose hardware for attacking cryptographic systems, Lausanne, 2009.09.0910; http://sharcs.org . 1993.11 Galvin: The DNS Security design

1.05k views • 65 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Paul Vixie, 1995, on DNSSEC: This sounds simple but it has deep reaching consequences in both the protocol and the

2.05k views • 180 slides
Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve

Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve

Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve been talking about predicting future correctness But what if you forget it tomorrow? Another way to look at knowledge is how long will you

404 views • 15 slides
1 Optimization in decision graphs Unfolding to decision tree Only option until Shachter

1 Optimization in decision graphs Unfolding to decision tree Only option until Shachter

Decision graphs II Influence Diagrams Advanced Herd Management Anders Ringgaard Kristensen Slide 1 Outline Optimization methods Decision tree Strong junction tree Single Policy Updating Decision node ordering Advantages and

467 views • 10 slides
Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research

Concise Preservation by combining Managed Forgetting and Contextualized Remembering Research Talk, May 9, 2014 University of Twente, Enschede Speaker: Nattiya Kanhabua L3S Research Center / University of Hannover ForgetIT Project Consortium

640 views • 35 slides
Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan

Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Riemannian Walk for Incremental Learning: Understanding Forgetting and Intransigence Arslan Chaudhry et al. Presented by Milo Prgr Pattern Recognition and

653 views • 39 slides
The Price of Forgetting in Parallel Routing Jonatha Anselmi &amp; Bruno Gaujal INRIA Aussois

The Price of Forgetting in Parallel Routing Jonatha Anselmi &amp; Bruno Gaujal INRIA Aussois

The Price of Forgetting in Parallel Routing Jonatha Anselmi &amp; Bruno Gaujal INRIA Aussois June, 2011 (INRIA ) 1 / 21 Introduction Goal of my talk : explore different types of routing policies (selfish/social, with/without memory) in a

312 views • 28 slides
Questionnaire Design II Department of Political Science and Government Aarhus University October

Questionnaire Design II Department of Political Science and Government Aarhus University October

Construct Validity Recall-type Questions Sensitive Topics Preview of Next Time Questionnaire Design II Department of Political Science and Government Aarhus University October 6, 2014 Construct Validity Recall-type Questions Sensitive

638 views • 38 slides
Not that I have already obtained this or am already perfect, but I press on to make it my own,

Not that I have already obtained this or am already perfect, but I press on to make it my own,

Philippians 3:12-16 (ESV) Not that I have already obtained this or am already perfect, but I press on to make it my own, because Christ Jesus has made me his own. 13 Brothers, I do not consider that I have made it my own. But one thing I do:

299 views • 11 slides
A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang,

A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang,

A Personalized Interest-Forgetting Markov Model for Recommendations Jun Chen , Chaokun Wang, Jianmin Wang Tsinghua University, China chenjun14@mails.tsinghua.edu.cn, {chaokun, jimwang}@tsinghua.edu.cn AAAI-15 28-Jan-15 1 Review on

366 views • 19 slides

More recommend