boring crypto some recent tls failures daniel j bernstein
play

Boring crypto Some recent TLS failures Daniel J. Bernstein - PowerPoint PPT Presentation

Oct 03, 2023 •18 likes •1.3k views

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University of Illinois at Chicago & BEAST CBC attack. Technische Universiteit Eindhoven Trustwave HTTPS interception. CRIME compression attack. Lucky 13

  1. The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. 1987: Ron Rivest designs RC4. Does not publish it. New York Times: “Widespread dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of Software Publishers Association. system : : : [RC4] has become “NSA allows encryption : : : the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. : : : ‘I have been told cryptographers. of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  2. The RC4 stream cipher 1994: Someone anonymously posts RC4 source code. 1987: Ron Rivest designs RC4. Does not publish it. New York Times: “Widespread dissemination could compromise 1992: NSA makes a deal with the long-term effectiveness of the Software Publishers Association. system : : : [RC4] has become “NSA allows encryption : : : the de facto coding standard The U.S. Department of State for many popular software will grant export permission programs including Microsoft to any program that uses the Windows, Apple’s Macintosh RC2 or RC4 data-encryption operating system and Lotus algorithm with a key size Notes. : : : ‘I have been told it of less than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  3. RC4 stream cipher 1994: Someone anonymously 1994: Netscap posts RC4 source code. SSL (“Secure Ron Rivest designs RC4. web browser not publish it. New York Times: “Widespread RSA Data dissemination could compromise NSA makes a deal with the long-term effectiveness of the SSL supp re Publishers Association. system : : : [RC4] has become RC4 is fastest allows encryption : : : the de facto coding standard U.S. Department of State for many popular software grant export permission programs including Microsoft program that uses the Windows, Apple’s Macintosh r RC4 data-encryption operating system and Lotus rithm with a key size Notes. : : : ‘I have been told it than 40 bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  4. cipher 1994: Someone anonymously 1994: Netscape intro posts RC4 source code. SSL (“Secure Sock Rivest designs RC4. web browser and server it. New York Times: “Widespread RSA Data Security dissemination could compromise es a deal with the long-term effectiveness of the SSL supports many Publishers Association. system : : : [RC4] has become RC4 is fastest cipher encryption : : : the de facto coding standard rtment of State for many popular software permission programs including Microsoft that uses the Windows, Apple’s Macintosh data-encryption operating system and Lotus key size Notes. : : : ‘I have been told it bits.” was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  5. 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) RC4. web browser and server “based New York Times: “Widespread RSA Data Security technology”. dissemination could compromise with the long-term effectiveness of the SSL supports many options. ciation. system : : : [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard : State for many popular software ermission programs including Microsoft the Windows, Apple’s Macintosh data-encryption operating system and Lotus Notes. : : : ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  6. 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system : : : [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard for many popular software programs including Microsoft Windows, Apple’s Macintosh operating system and Lotus Notes. : : : ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  7. 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system : : : [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Notes. : : : ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  8. 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system : : : [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Fix: RC4-128? Notes. : : : ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.”

  9. 1994: Someone anonymously 1994: Netscape introduces posts RC4 source code. SSL (“Secure Sockets Layer”) web browser and server “based on New York Times: “Widespread RSA Data Security technology”. dissemination could compromise the long-term effectiveness of the SSL supports many options. system : : : [RC4] has become RC4 is fastest cipher in SSL. the de facto coding standard 1995: Finney posts some for many popular software examples of SSL ciphertexts. programs including Microsoft Back–Byers–Young, Doligez, Windows, Apple’s Macintosh Back–Brooks extract plaintexts. operating system and Lotus Fix: RC4-128? Unacceptable: Notes. : : : ‘I have been told it 1995 Roos shows that RC4 fails a was part of this deal that RC4 basic definition of cipher security. be kept confidential,’ Jim Bidzos, president of RSA, said.”

  10. Someone anonymously 1994: Netscape introduces So the crypto RC4 source code. SSL (“Secure Sockets Layer”) throws a web browser and server “based on And thro ork Times: “Widespread RSA Data Security technology”. dissemination could compromise long-term effectiveness of the SSL supports many options. : : : [RC4] has become RC4 is fastest cipher in SSL. facto coding standard 1995: Finney posts some any popular software examples of SSL ciphertexts. rograms including Microsoft Back–Byers–Young, Doligez, ws, Apple’s Macintosh Back–Brooks extract plaintexts. erating system and Lotus Fix: RC4-128? Unacceptable: : : : ‘I have been told it 1995 Roos shows that RC4 fails a rt of this deal that RC4 basic definition of cipher security. ept confidential,’ Jim Bidzos, resident of RSA, said.”

  11. anonymously 1994: Netscape introduces So the crypto communit e code. SSL (“Secure Sockets Layer”) throws away 40-bit web browser and server “based on And throws away RC4? : “Widespread RSA Data Security technology”. could compromise effectiveness of the SSL supports many options. [RC4] has become RC4 is fastest cipher in SSL. ding standard 1995: Finney posts some r software examples of SSL ciphertexts. ding Microsoft Back–Byers–Young, Doligez, Apple’s Macintosh Back–Brooks extract plaintexts. and Lotus Fix: RC4-128? Unacceptable: have been told it 1995 Roos shows that RC4 fails a deal that RC4 basic definition of cipher security. confidential,’ Jim Bidzos, RSA, said.”

  12. anonymously 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? “Widespread RSA Data Security technology”. romise tiveness of the SSL supports many options. ecome RC4 is fastest cipher in SSL. rd 1995: Finney posts some examples of SSL ciphertexts. Microsoft Back–Byers–Young, Doligez, Macintosh Back–Brooks extract plaintexts. Lotus Fix: RC4-128? Unacceptable: told it 1995 Roos shows that RC4 fails a RC4 basic definition of cipher security. Bidzos,

  13. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security.

  14. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security.

  15. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. (“Wired Equivalent Privacy”) 1995: Finney posts some for 802.11 wireless networks. examples of SSL ciphertexts. WEP uses RC4 for encryption. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security.

  16. 1994: Netscape introduces So the crypto community SSL (“Secure Sockets Layer”) throws away 40-bit keys? web browser and server “based on And throws away RC4? RSA Data Security technology”. Here’s what actually happens. SSL supports many options. 1997: IEEE standardizes WEP RC4 is fastest cipher in SSL. (“Wired Equivalent Privacy”) 1995: Finney posts some for 802.11 wireless networks. examples of SSL ciphertexts. WEP uses RC4 for encryption. Back–Byers–Young, Doligez, 1999: TLS (“Transport Layer Back–Brooks extract plaintexts. Security”), new version of SSL. Fix: RC4-128? Unacceptable: RC4 is fastest cipher in TLS. 1995 Roos shows that RC4 fails a TLS still supports “export keys”. basic definition of cipher security.

  17. Netscape introduces So the crypto community More RC4 Secure Sockets Layer”) throws away 40-bit keys? 1995 Wagner, rowser and server “based on And throws away RC4? 1997 Golic, Data Security technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– supports many options. Rijmen–V 1997: IEEE standardizes WEP fastest cipher in SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, Finney posts some for 802.11 wireless networks. 2001 Mantin–Shamir, examples of SSL ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, Back–Byers–Young, Doligez, 2001 Stubblefield–Ioannidis– 1999: TLS (“Transport Layer Back–Brooks extract plaintexts. Rubin. Security”), new version of SSL. RC4-128? Unacceptable: RC4 key-output RC4 is fastest cipher in TLS. Roos shows that RC4 fails a ⇒ practical TLS still supports “export keys”. definition of cipher security.

  18. introduces So the crypto community More RC4 cryptanalysis: ckets Layer”) throws away 40-bit keys? 1995 Wagner, server “based on And throws away RC4? 1997 Golic, Security technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– any options. Rijmen–Verdo 1997: IEEE standardizes WEP cipher in SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, osts some for 802.11 wireless networks. 2001 Mantin–Shamir, ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, oung, Doligez, 2001 Stubblefield–Ioannidis– 1999: TLS (“Transport Layer extract plaintexts. Rubin. Security”), new version of SSL. Unacceptable: RC4 key-output co RC4 is fastest cipher in TLS. ws that RC4 fails a ⇒ practical attacks TLS still supports “export keys”. of cipher security.

  19. duces So the crypto community More RC4 cryptanalysis: er”) throws away 40-bit keys? 1995 Wagner, “based on And throws away RC4? 1997 Golic, technology”. Here’s what actually happens. 1998 Knudsen–Meier–Preneel– options. Rijmen–Verdoolaege, 1997: IEEE standardizes WEP SSL. 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, for 802.11 wireless networks. 2001 Mantin–Shamir, ciphertexts. WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, Doligez, 2001 Stubblefield–Ioannidis– 1999: TLS (“Transport Layer plaintexts. Rubin. Security”), new version of SSL. Unacceptable: RC4 key-output correlations RC4 is fastest cipher in TLS. RC4 fails a ⇒ practical attacks on WEP TLS still supports “export keys”. security.

  20. So the crypto community More RC4 cryptanalysis: throws away 40-bit keys? 1995 Wagner, And throws away RC4? 1997 Golic, Here’s what actually happens. 1998 Knudsen–Meier–Preneel– Rijmen–Verdoolaege, 1997: IEEE standardizes WEP 2000 Golic, (“Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, for 802.11 wireless networks. 2001 Mantin–Shamir, WEP uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, 2001 Stubblefield–Ioannidis– 1999: TLS (“Transport Layer Rubin. Security”), new version of SSL. RC4 key-output correlations RC4 is fastest cipher in TLS. ⇒ practical attacks on WEP. TLS still supports “export keys”.

  21. crypto community More RC4 cryptanalysis: 2001 Rivest away 40-bit keys? 1995 Wagner, “Applications throws away RC4? 1997 Golic, the encryption what actually happens. 1998 Knudsen–Meier–Preneel– using hashing Rijmen–Verdoolaege, discard th IEEE standardizes WEP 2000 Golic, pseudo-random Wired Equivalent Privacy”) 2000 Fluhrer–McGrew, be considered 2.11 wireless networks. 2001 Mantin–Shamir, proposed uses RC4 for encryption. 2001 Fluhrer–Mantin–Shamir, of RC4 is 2001 Stubblefield–Ioannidis– and extremely TLS (“Transport Layer Rubin. random generato Security”), new version of SSL. likely to RC4 key-output correlations fastest cipher in TLS. choice fo ⇒ practical attacks on WEP. still supports “export keys”. embedded

  22. community More RC4 cryptanalysis: 2001 Rivest response 40-bit keys? 1995 Wagner, “Applications which y RC4? 1997 Golic, the encryption key actually happens. 1998 Knudsen–Meier–Preneel– using hashing and/o Rijmen–Verdoolaege, discard the first 256 standardizes WEP 2000 Golic, pseudo-random output Equivalent Privacy”) 2000 Fluhrer–McGrew, be considered secure wireless networks. 2001 Mantin–Shamir, proposed attacks. : for encryption. 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally 2001 Stubblefield–Ioannidis– and extremely efficient ransport Layer Rubin. random generator. version of SSL. likely to remain the RC4 key-output correlations cipher in TLS. choice for many applications ⇒ practical attacks on WEP. rts “export keys”. embedded systems.”

  23. More RC4 cryptanalysis: 2001 Rivest response: TLS is 1995 Wagner, “Applications which pre-process 1997 Golic, the encryption key and IV by ens. 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of WEP 2000 Golic, pseudo-random output should Privacy”) 2000 Fluhrer–McGrew, be considered secure from the rks. 2001 Mantin–Shamir, proposed attacks. : : : The ‘hea tion. 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- yer Rubin. random generator. : : : RC4 is SSL. likely to remain the algorithm RC4 key-output correlations TLS. choice for many applications ⇒ practical attacks on WEP. keys”. embedded systems.”

  24. More RC4 cryptanalysis: 2001 Rivest response: TLS is ok. 1995 Wagner, “Applications which pre-process 1997 Golic, the encryption key and IV by 1998 Knudsen–Meier–Preneel– using hashing and/or which Rijmen–Verdoolaege, discard the first 256 bytes of 2000 Golic, pseudo-random output should 2000 Fluhrer–McGrew, be considered secure from the 2001 Mantin–Shamir, proposed attacks. : : : The ‘heart’ 2001 Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2001 Stubblefield–Ioannidis– and extremely efficient pseudo- Rubin. random generator. : : : RC4 is likely to remain the algorithm of RC4 key-output correlations choice for many applications and ⇒ practical attacks on WEP. embedded systems.”

  25. RC4 cryptanalysis: 2001 Rivest response: TLS is ok. Even mo agner, “Applications which pre-process 2002 Hulton, Golic, the encryption key and IV by 2002 Mironov, Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, Rijmen–Verdoolaege, discard the first 256 bytes of 2003 Bittau, Golic, pseudo-random output should 2003 Pudovkina, Fluhrer–McGrew, be considered secure from the 2004 Paul–Preneel, Mantin–Shamir, proposed attacks. : : : The ‘heart’ 2004 Ko Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, Rubin. random generator. : : : RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otrepp ey-output correlations choice for many applications and 2006 Klein, ractical attacks on WEP. embedded systems.” 2006 Do 2006 Chaab

  26. cryptanalysis: 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: “Applications which pre-process 2002 Hulton, the encryption key and IV by 2002 Mironov, Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, erdoolaege, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, Fluhrer–McGrew, be considered secure from the 2004 Paul–Preneel, Mantin–Shamir, proposed attacks. : : : The ‘heart’ 2004 KoreK, Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, random generator. : : : RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, correlations choice for many applications and 2006 Klein, attacks on WEP. embedded systems.” 2006 Doroshenko–R 2006 Chaabouni.

  27. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: “Applications which pre-process 2002 Hulton, the encryption key and IV by 2002 Mironov, Knudsen–Meier–Preneel– using hashing and/or which 2002 Pudovkina, olaege, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. : : : The ‘heart’ 2004 KoreK, Fluhrer–Mantin–Shamir, of RC4 is its exceptionally simple 2004 Devine, Stubblefield–Ioannidis– and extremely efficient pseudo- 2005 Maximov, random generator. : : : RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, rrelations choice for many applications and 2006 Klein, WEP. embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  28. 2001 Rivest response: TLS is ok. Even more RC4 cryptanalysis: “Applications which pre-process 2002 Hulton, the encryption key and IV by 2002 Mironov, using hashing and/or which 2002 Pudovkina, discard the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, be considered secure from the 2004 Paul–Preneel, proposed attacks. : : : The ‘heart’ 2004 KoreK, of RC4 is its exceptionally simple 2004 Devine, and extremely efficient pseudo- 2005 Maximov, random generator. : : : RC4 is 2005 Mantin, likely to remain the algorithm of 2005 d’Otreppe, choice for many applications and 2006 Klein, embedded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  29. Rivest response: TLS is ok. Even more RC4 cryptanalysis: WEP blamed million credit-ca “Applications which pre-process 2002 Hulton, T. J. Maxx. encryption key and IV by 2002 Mironov, settled fo hashing and/or which 2002 Pudovkina, the first 256 bytes of 2003 Bittau, pseudo-random output should 2003 Pudovkina, considered secure from the 2004 Paul–Preneel, osed attacks. : : : The ‘heart’ 2004 KoreK, is its exceptionally simple 2004 Devine, extremely efficient pseudo- 2005 Maximov, generator. : : : RC4 is 2005 Mantin, to remain the algorithm of 2005 d’Otreppe, for many applications and 2006 Klein, edded systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  30. onse: TLS is ok. Even more RC4 cryptanalysis: WEP blamed for 2007 million credit-card which pre-process 2002 Hulton, T. J. Maxx. Subse ey and IV by 2002 Mironov, settled for $40900000 and/or which 2002 Pudovkina, 256 bytes of 2003 Bittau, output should 2003 Pudovkina, ecure from the 2004 Paul–Preneel, attacks. : : : The ‘heart’ 2004 KoreK, exceptionally simple 2004 Devine, efficient pseudo- 2005 Maximov, r. : : : RC4 is 2005 Mantin, the algorithm of 2005 d’Otreppe, applications and 2006 Klein, systems.” 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  31. TLS is ok. Even more RC4 cryptanalysis: WEP blamed for 2007 theft million credit-card numbers from rocess 2002 Hulton, T. J. Maxx. Subsequent lawsuit by 2002 Mironov, settled for $40900000. which 2002 Pudovkina, of 2003 Bittau, should 2003 Pudovkina, the 2004 Paul–Preneel, ‘heart’ 2004 KoreK, simple 2004 Devine, pseudo- 2005 Maximov, RC4 is 2005 Mantin, rithm of 2005 d’Otreppe, applications and 2006 Klein, 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  32. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from 2002 Hulton, T. J. Maxx. Subsequent lawsuit 2002 Mironov, settled for $40900000. 2002 Pudovkina, 2003 Bittau, 2003 Pudovkina, 2004 Paul–Preneel, 2004 KoreK, 2004 Devine, 2005 Maximov, 2005 Mantin, 2005 d’Otreppe, 2006 Klein, 2006 Doroshenko–Ryabko, 2006 Chaabouni.

  33. Even more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 million credit-card numbers from 2002 Hulton, T. J. Maxx. Subsequent lawsuit 2002 Mironov, settled for $40900000. 2002 Pudovkina, 2003 Bittau, Cryptanalysis continues: 2003 Pudovkina, 2007 Paul–Maitra–Srivastava, 2004 Paul–Preneel, 2007 Paul–Rathi–Maitra, 2004 KoreK, 2007 Paul–Maitra, 2004 Devine, 2007 Vaudenay–Vuagnoux, 2005 Maximov, 2007 Tews–Weinmann–Pyshkin, 2005 Mantin, 2007 Tomasevic–Bojanic– 2005 d’Otreppe, Nieto-Taladriz, 2006 Klein, 2007 Maitra–Paul, 2006 Doroshenko–Ryabko, 2008 Basu–Ganguly–Maitra–Paul. 2006 Chaabouni.

  34. more RC4 cryptanalysis: WEP blamed for 2007 theft of 45 And mor million credit-card numbers from Hulton, 2008 Biham–Ca T. J. Maxx. Subsequent lawsuit Mironov, 2008 Golic–Mo settled for $40900000. Pudovkina, 2008 Maximov–Khovratovich, Bittau, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, Pudovkina, 2008 Maitra–P 2007 Paul–Maitra–Srivastava, aul–Preneel, 2008 Beck–T 2007 Paul–Rathi–Maitra, KoreK, 2009 Basu–Maitra–P 2007 Paul–Maitra, Devine, 2010 Sep 2007 Vaudenay–Vuagnoux, Maximov, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, Mantin, 2010 Vua 2007 Tomasevic–Bojanic– d’Otreppe, 2011 Maitra–P Nieto-Taladriz, Klein, 2011 Sen 2007 Maitra–Paul, Doroshenko–Ryabko, Sark 2008 Basu–Ganguly–Maitra–Paul. Chaabouni. 2011 Pau

  35. cryptanalysis: WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2008 Golic–Morgari, settled for $40900000. Pudovkina, 2008 Maximov–Khovratovich, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, Pudovkina, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, aul–Preneel, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2009 Basu–Maitra–P 2007 Paul–Maitra, 2010 Sepehrdad–V 2007 Vaudenay–Vuagnoux, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2011 Maitra–Paul–Sen Nieto-Taladriz, 2011 Sen Gupta–Maitra–P 2007 Maitra–Paul, o–Ryabko, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. ouni. 2011 Paul–Maitra

  36. cryptanalysis: WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2008 Golic–Morgari, settled for $40900000. 2008 Maximov–Khovratovich, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2009 Basu–Maitra–Paul–Talukda 2007 Paul–Maitra, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, o, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2011 Paul–Maitra book.

  37. WEP blamed for 2007 theft of 45 And more: million credit-card numbers from 2008 Biham–Carmeli, T. J. Maxx. Subsequent lawsuit 2008 Golic–Morgari, settled for $40900000. 2008 Maximov–Khovratovich, Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, 2008 Maitra–Paul. 2007 Paul–Maitra–Srivastava, 2008 Beck–Tews, 2007 Paul–Rathi–Maitra, 2009 Basu–Maitra–Paul–Talukdar, 2007 Paul–Maitra, 2010 Sepehrdad–Vaudenay– 2007 Vaudenay–Vuagnoux, Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2010 Vuagnoux, 2007 Tomasevic–Bojanic– 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, 2011 Sen Gupta–Maitra–Paul– 2007 Maitra–Paul, Sarkar, 2008 Basu–Ganguly–Maitra–Paul. 2011 Paul–Maitra book.

  38. blamed for 2007 theft of 45 And more: 2012 Aka credit-card numbers from “Up to 75% 2008 Biham–Carmeli, Maxx. Subsequent lawsuit web sites 2008 Golic–Morgari, for $40900000. BEAST] 2008 Maximov–Khovratovich, is the current Cryptanalysis continues: 2008 Akgun–Kavak–Demirci, use and 2008 Maitra–Paul. aul–Maitra–Srivastava, v1.0. : : : 2008 Beck–Tews, aul–Rathi–Maitra, prefer th 2009 Basu–Maitra–Paul–Talukdar, aul–Maitra, TLS v1.0 2010 Sepehrdad–Vaudenay– audenay–Vuagnoux, 128 is faster Vuagnoux, ews–Weinmann–Pyshkin, processor 2010 Vuagnoux, omasevic–Bojanic– 15% of SSL/T 2011 Maitra–Paul–Sen Gupta, Nieto-Taladriz, on the Ak 2011 Sen Gupta–Maitra–Paul– Maitra–Paul, RC4 : : : Sarkar, Basu–Ganguly–Maitra–Paul. support the 2011 Paul–Maitra book.

  39. r 2007 theft of 45 And more: 2012 Akamai blog rd numbers from “Up to 75% of SSL-enabled 2008 Biham–Carmeli, bsequent lawsuit web sites are vulne 2008 Golic–Morgari, $40900000. BEAST] : : : OpenSSL 2008 Maximov–Khovratovich, is the current version continues: 2008 Akgun–Kavak–Demirci, use and it only supp 2008 Maitra–Paul. aul–Maitra–Srivastava, v1.0. : : : the interim 2008 Beck–Tews, thi–Maitra, prefer the RC4-128 2009 Basu–Maitra–Paul–Talukdar, aul–Maitra, TLS v1.0 and SSL 2010 Sepehrdad–Vaudenay– y–Vuagnoux, 128 is faster and cheap Vuagnoux, einmann–Pyshkin, processor time : : : 2010 Vuagnoux, omasevic–Bojanic– 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, aladriz, on the Akamai platfo 2011 Sen Gupta–Maitra–Paul– aul, RC4 : : : most browsers Sarkar, Basu–Ganguly–Maitra–Paul. support the RC4 fix 2011 Paul–Maitra book.

  40. theft of 45 And more: 2012 Akamai blog entry: ers from “Up to 75% of SSL-enabled 2008 Biham–Carmeli, lawsuit web sites are vulnerable [to 2008 Golic–Morgari, BEAST] : : : OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. aul–Maitra–Srivastava, v1.0. : : : the interim fix is to 2008 Beck–Tews, prefer the RC4-128 cipher fo 2009 Basu–Maitra–Paul–Talukdar, TLS v1.0 and SSL v3. : : : RC4- 2010 Sepehrdad–Vaudenay– agnoux, 128 is faster and cheaper in Vuagnoux, einmann–Pyshkin, processor time : : : approximately 2010 Vuagnoux, 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– RC4 : : : most browsers can Sarkar, Basu–Ganguly–Maitra–Paul. support the RC4 fix for BEAST.” 2011 Paul–Maitra book.

  41. And more: 2012 Akamai blog entry: “Up to 75% of SSL-enabled 2008 Biham–Carmeli, web sites are vulnerable [to 2008 Golic–Morgari, BEAST] : : : OpenSSL v0.9.8w 2008 Maximov–Khovratovich, is the current version in broad 2008 Akgun–Kavak–Demirci, use and it only supports TLS 2008 Maitra–Paul. v1.0. : : : the interim fix is to 2008 Beck–Tews, prefer the RC4-128 cipher for 2009 Basu–Maitra–Paul–Talukdar, TLS v1.0 and SSL v3. : : : RC4- 2010 Sepehrdad–Vaudenay– 128 is faster and cheaper in Vuagnoux, processor time : : : approximately 2010 Vuagnoux, 15% of SSL/TLS negotiations 2011 Maitra–Paul–Sen Gupta, on the Akamai platform use 2011 Sen Gupta–Maitra–Paul– RC4 : : : most browsers can Sarkar, support the RC4 fix for BEAST.” 2011 Paul–Maitra book.

  42. more: 2012 Akamai blog entry: RC4 cryptanalysis “Up to 75% of SSL-enabled Biham–Carmeli, 2013 Lv–Zhang–Lin, web sites are vulnerable [to Golic–Morgari, 2013 Lv–Lin, BEAST] : : : OpenSSL v0.9.8w Maximov–Khovratovich, 2013 Sen is the current version in broad Akgun–Kavak–Demirci, Paul–Sa use and it only supports TLS Maitra–Paul. 2013 Sark v1.0. : : : the interim fix is to Beck–Tews, Maitra, prefer the RC4-128 cipher for Basu–Maitra–Paul–Talukdar, 2013 Isob TLS v1.0 and SSL v3. : : : RC4- Sepehrdad–Vaudenay– Mo 128 is faster and cheaper in uagnoux, 2013 AlF processor time : : : approximately uagnoux, Paterson–P 15% of SSL/TLS negotiations Maitra–Paul–Sen Gupta, Schuldt, on the Akamai platform use Sen Gupta–Maitra–Paul– 2014 Paterson–Strefler, RC4 : : : most browsers can Sarkar, 2015 Sep support the RC4 fix for BEAST.” aul–Maitra book. Vuagnoux.

  43. 2012 Akamai blog entry: RC4 cryptanalysis “Up to 75% of SSL-enabled rmeli, 2013 Lv–Zhang–Lin, web sites are vulnerable [to rgari, 2013 Lv–Lin, BEAST] : : : OpenSSL v0.9.8w Maximov–Khovratovich, 2013 Sen Gupta–Maitra–Meier– is the current version in broad Akgun–Kavak–Demirci, Paul–Sarkar, use and it only supports TLS aul. 2013 Sarkar–Sen Gupta–P v1.0. : : : the interim fix is to ews, Maitra, prefer the RC4-128 cipher for Basu–Maitra–Paul–Talukdar, 2013 Isobe–Ohigashi–W TLS v1.0 and SSL v3. : : : RC4- ehrdad–Vaudenay– Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time : : : approximately Paterson–Poettering– 15% of SSL/TLS negotiations aul–Sen Gupta, Schuldt, on the Akamai platform use Gupta–Maitra–Paul– 2014 Paterson–Strefler, RC4 : : : most browsers can 2015 Sepehrdad–Su support the RC4 fix for BEAST.” l–Maitra book. Vuagnoux.

  44. 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2013 Lv–Lin, BEAST] : : : OpenSSL v0.9.8w Maximov–Khovratovich, 2013 Sen Gupta–Maitra–Meier– is the current version in broad Akgun–Kavak–Demirci, Paul–Sarkar, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– v1.0. : : : the interim fix is to Maitra, prefer the RC4-128 cipher for alukdar, 2013 Isobe–Ohigashi–Watanab TLS v1.0 and SSL v3. : : : RC4- y– Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time : : : approximately Paterson–Poettering– 15% of SSL/TLS negotiations Gupta, Schuldt, on the Akamai platform use aul– 2014 Paterson–Strefler, RC4 : : : most browsers can 2015 Sepehrdad–Suˇ sil–Vaudena support the RC4 fix for BEAST.” Vuagnoux.

  45. 2012 Akamai blog entry: RC4 cryptanalysis continues: “Up to 75% of SSL-enabled 2013 Lv–Zhang–Lin, web sites are vulnerable [to 2013 Lv–Lin, BEAST] : : : OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– is the current version in broad Paul–Sarkar, use and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– v1.0. : : : the interim fix is to Maitra, prefer the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– TLS v1.0 and SSL v3. : : : RC4- Morii, 128 is faster and cheaper in 2013 AlFardan–Bernstein– processor time : : : approximately Paterson–Poettering– 15% of SSL/TLS negotiations Schuldt, on the Akamai platform use 2014 Paterson–Strefler, RC4 : : : most browsers can 2015 Sepehrdad–Suˇ sil–Vaudenay– support the RC4 fix for BEAST.” Vuagnoux.

  46. Akamai blog entry: RC4 cryptanalysis continues: Maybe the 75% of SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin sites are vulnerable [to 2013 Lv–Lin, 2015 Garman–P BEAST] : : : OpenSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– van current version in broad Paul–Sarkar, “RC4 and it only supports TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanho : : the interim fix is to Maitra, “RC4 the RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– v1.0 and SSL v3. : : : RC4- Morii, faster and cheaper in 2013 AlFardan–Bernstein– cessor time : : : approximately Paterson–Poettering– of SSL/TLS negotiations Schuldt, Akamai platform use 2014 Paterson–Strefler, : : most browsers can 2015 Sepehrdad–Suˇ sil–Vaudenay– rt the RC4 fix for BEAST.” Vuagnoux.

  47. blog entry: RC4 cryptanalysis continues: Maybe the final stra SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin “Bar vulnerable [to 2013 Lv–Lin, 2015 Garman–Paterson– enSSL v0.9.8w 2013 Sen Gupta–Maitra–Meier– van der Merw version in broad Paul–Sarkar, “RC4 must die”, supports TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens interim fix is to Maitra, “RC4 no more”. RC4-128 cipher for 2013 Isobe–Ohigashi–Watanabe– SSL v3. : : : RC4- Morii, cheaper in 2013 AlFardan–Bernstein– : : approximately Paterson–Poettering– LS negotiations Schuldt, platform use 2014 Paterson–Strefler, rowsers can 2015 Sepehrdad–Suˇ sil–Vaudenay– fix for BEAST.” Vuagnoux.

  48. RC4 cryptanalysis continues: Maybe the final straws: SSL-enabled 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, [to 2013 Lv–Lin, 2015 Garman–Paterson– v0.9.8w 2013 Sen Gupta–Maitra–Meier– van der Merwe road Paul–Sarkar, “RC4 must die”, TLS 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens to Maitra, “RC4 no more”. for 2013 Isobe–Ohigashi–Watanabe– RC4- Morii, in 2013 AlFardan–Bernstein– ximately Paterson–Poettering– negotiations Schuldt, use 2014 Paterson–Strefler, can 2015 Sepehrdad–Suˇ sil–Vaudenay– BEAST.” Vuagnoux.

  49. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Morii, 2013 AlFardan–Bernstein– Paterson–Poettering– Schuldt, 2014 Paterson–Strefler, 2015 Sepehrdad–Suˇ sil–Vaudenay– Vuagnoux.

  50. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– Schuldt, 2014 Paterson–Strefler, 2015 Sepehrdad–Suˇ sil–Vaudenay– Vuagnoux.

  51. RC4 cryptanalysis continues: Maybe the final straws: 2013 Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2013 Lv–Lin, 2015 Garman–Paterson– 2013 Sen Gupta–Maitra–Meier– van der Merwe Paul–Sarkar, “RC4 must die”, 2013 Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens Maitra, “RC4 no more”. 2013 Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), 2013 AlFardan–Bernstein– prohibiting RC4 in TLS. Paterson–Poettering– 2015.09.01: Google, Microsoft, Schuldt, Mozilla say that in 2016 their 2014 Paterson–Strefler, browsers will no longer allow RC4. 2015 Sepehrdad–Suˇ sil–Vaudenay– Vuagnoux.

  52. cryptanalysis continues: Maybe the final straws: Another Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: Lv–Lin, 2015 Garman–Paterson– 65ms to Sen Gupta–Maitra–Meier– van der Merwe used for aul–Sarkar, “RC4 must die”, Attack p Sarkar–Sen Gupta–Paul– 2015 Vanhoef–Piessens but without Maitra, “RC4 no more”. Isobe–Ohigashi–Watanabe– Meanwhile IETF publishes Morii, RFC 7465 (“RC4 die die die”), AlFardan–Bernstein– prohibiting RC4 in TLS. aterson–Poettering– 2015.09.01: Google, Microsoft, Schuldt, Mozilla say that in 2016 their aterson–Strefler, browsers will no longer allow RC4. Sepehrdad–Suˇ sil–Vaudenay– uagnoux.

  53. cryptanalysis continues: Maybe the final straws: Another example: Lv–Zhang–Lin, 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux Gupta–Maitra–Meier– van der Merwe used for hard-disk r, “RC4 must die”, Attack process on Gupta–Paul– 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. e–Ohigashi–Watanabe– Meanwhile IETF publishes RFC 7465 (“RC4 die die die”), rdan–Bernstein– prohibiting RC4 in TLS. oettering– 2015.09.01: Google, Microsoft, Mozilla say that in 2016 their aterson–Strefler, browsers will no longer allow RC4. ehrdad–Suˇ sil–Vaudenay–

  54. continues: Maybe the final straws: Another example: timing attacks 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux AES key Gupta–Maitra–Meier– van der Merwe used for hard-disk encryption. “RC4 must die”, Attack process on same CPU aul– 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. atanabe– Meanwhile IETF publishes RFC 7465 (“RC4 die die die”), prohibiting RC4 in TLS. ettering– 2015.09.01: Google, Microsoft, Mozilla say that in 2016 their browsers will no longer allow RC4. audenay–

  55. Maybe the final straws: Another example: timing attacks 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux AES key van der Merwe used for hard-disk encryption. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Meanwhile IETF publishes RFC 7465 (“RC4 die die die”), prohibiting RC4 in TLS. 2015.09.01: Google, Microsoft, Mozilla say that in 2016 their browsers will no longer allow RC4.

  56. Maybe the final straws: Another example: timing attacks 2015 Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: 2015 Garman–Paterson– 65ms to steal Linux AES key van der Merwe used for hard-disk encryption. “RC4 must die”, Attack process on same CPU 2015 Vanhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. RFC 7465 (“RC4 die die die”), Kernel’s secret AES key prohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. browsers will no longer allow RC4. 65ms: compute key from timings.

  57. the final straws: Another example: timing attacks 2011 Brumley–T minutes Mantin “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s Garman–Paterson– 65ms to steal Linux AES key Secret branch van der Merwe used for hard-disk encryption. influence “RC4 must die”, Attack process on same CPU anhoef–Piessens but without privileges. “RC4 no more”. Almost all AES implementations Meanwhile IETF publishes use fast lookup tables. 7465 (“RC4 die die die”), Kernel’s secret AES key rohibiting RC4 in TLS. influences table-load addresses, influencing CPU cache state, 2015.09.01: Google, Microsoft, influencing measurable timings Mozilla say that in 2016 their of the attack process. rs will no longer allow RC4. 65ms: compute key from timings.

  58. straws: Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another “Bar Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL aterson– 65ms to steal Linux AES key Secret branch conditions Merwe used for hard-disk encryption. influence timings. must die”, Attack process on same CPU ef–Piessens but without privileges. more”. Almost all AES implementations publishes use fast lookup tables. (“RC4 die die die”), Kernel’s secret AES key in TLS. influences table-load addresses, influencing CPU cache state, ogle, Microsoft, influencing measurable timings in 2016 their of the attack process. longer allow RC4. 65ms: compute key from timings.

  59. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another Mitzvah”, 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Almost all AES implementations use fast lookup tables. die”), Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, Microsoft, influencing measurable timings their of the attack process. allow RC4. 65ms: compute key from timings.

  60. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Almost all AES implementations use fast lookup tables. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms: compute key from timings.

  61. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Most cryptographic software has many more small-scale Almost all AES implementations variations in timing: use fast lookup tables. e.g., memcmp for IPsec MACs. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms: compute key from timings.

  62. Another example: timing attacks 2011 Brumley–Tuveri: minutes to steal another 2005 Tromer–Osvik–Shamir: machine’s OpenSSL ECDSA key. 65ms to steal Linux AES key Secret branch conditions used for hard-disk encryption. influence timings. Attack process on same CPU but without privileges. Most cryptographic software has many more small-scale Almost all AES implementations variations in timing: use fast lookup tables. e.g., memcmp for IPsec MACs. Kernel’s secret AES key influences table-load addresses, Many more timing attacks: e.g. influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted Bitcoin secret keys of the attack process. from 25 OpenSSL signatures. 65ms: compute key from timings.

  63. Another example: timing attacks 2011 Brumley–Tuveri: 2008 RF minutes to steal another Layer Securit romer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: to steal Linux AES key Secret branch conditions small timing for hard-disk encryption. influence timings. performance process on same CPU extent on without privileges. Most cryptographic software fragment, has many more small-scale Almost all AES implementations be large variations in timing: fast lookup tables. due to the e.g., memcmp for IPsec MACs. Kernel’s secret AES key existing MA influences table-load addresses, Many more timing attacks: e.g. of the timing influencing CPU cache state, 2014 van de Pol–Smart–Yarom influencing measurable timings extracted Bitcoin secret keys attack process. from 25 OpenSSL signatures. compute key from timings.

  64. example: timing attacks 2011 Brumley–Tuveri: 2008 RFC 5246 “The minutes to steal another Layer Security (TLS) romer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: “This Linux AES key Secret branch conditions small timing channel, rd-disk encryption. influence timings. performance depends on same CPU extent on the size rivileges. Most cryptographic software fragment, but it is has many more small-scale implementations be large enough to variations in timing: tables. due to the large blo e.g., memcmp for IPsec MACs. AES key existing MACs and table-load addresses, Many more timing attacks: e.g. of the timing signal.” cache state, 2014 van de Pol–Smart–Yarom measurable timings extracted Bitcoin secret keys cess. from 25 OpenSSL signatures. key from timings.

  65. attacks 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transp minutes to steal another Layer Security (TLS) Protocol, romer–Osvik–Shamir: machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a ey Secret branch conditions small timing channel, since MA encryption. influence timings. performance depends to some CPU extent on the size of the data Most cryptographic software fragment, but it is not believed has many more small-scale implementations be large enough to be exploitable variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small addresses, Many more timing attacks: e.g. of the timing signal.” state, 2014 van de Pol–Smart–Yarom timings extracted Bitcoin secret keys from 25 OpenSSL signatures. timings.

  66. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom extracted Bitcoin secret keys from 25 OpenSSL signatures.

  67. 2011 Brumley–Tuveri: 2008 RFC 5246 “The Transport minutes to steal another Layer Security (TLS) Protocol, machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a Secret branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data Most cryptographic software fragment, but it is not believed to has many more small-scale be large enough to be exploitable, variations in timing: due to the large block size of e.g., memcmp for IPsec MACs. existing MACs and the small size Many more timing attacks: e.g. of the timing signal.” 2014 van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and from 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext.

  68. Brumley–Tuveri: 2008 RFC 5246 “The Transport Interesting minutes to steal another Layer Security (TLS) Protocol, All of this machine’s OpenSSL ECDSA key. Version 1.2”: “This leaves a wonderful branch conditions small timing channel, since MAC influence timings. performance depends to some extent on the size of the data cryptographic software fragment, but it is not believed to many more small-scale be large enough to be exploitable, riations in timing: due to the large block size of memcmp for IPsec MACs. existing MACs and the small size more timing attacks: e.g. of the timing signal.” van de Pol–Smart–Yarom 2013 AlFardan–Paterson “Lucky extracted Bitcoin secret keys Thirteen: breaking the TLS and 25 OpenSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext.

  69. uveri: 2008 RFC 5246 “The Transport Interesting vs. boring another Layer Security (TLS) Protocol, All of this excitement enSSL ECDSA key. Version 1.2”: “This leaves a wonderful for crypto conditions small timing channel, since MAC timings. performance depends to some extent on the size of the data cryptographic software fragment, but it is not believed to small-scale be large enough to be exploitable, timing: due to the large block size of IPsec MACs. existing MACs and the small size timing attacks: e.g. of the timing signal.” ol–Smart–Yarom 2013 AlFardan–Paterson “Lucky Bitcoin secret keys Thirteen: breaking the TLS and enSSL signatures. DTLS record protocols”: exploit these timings; steal plaintext.

  70. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is ECDSA key. Version 1.2”: “This leaves a wonderful for crypto researchers small timing channel, since MAC performance depends to some extent on the size of the data re fragment, but it is not believed to be large enough to be exploitable, due to the large block size of Cs. existing MACs and the small size attacks: e.g. of the timing signal.” arom 2013 AlFardan–Paterson “Lucky eys Thirteen: breaking the TLS and signatures. DTLS record protocols”: exploit these timings; steal plaintext.

  71. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers . small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.” 2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  72. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers . small timing channel, since MAC The only people suffering performance depends to some are the crypto users : extent on the size of the data continually forced to panic, fragment, but it is not believed to vulnerable to attacks, be large enough to be exploitable, uncertain what to do next. due to the large block size of existing MACs and the small size of the timing signal.” 2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  73. 2008 RFC 5246 “The Transport Interesting vs. boring crypto Layer Security (TLS) Protocol, All of this excitement is Version 1.2”: “This leaves a wonderful for crypto researchers . small timing channel, since MAC The only people suffering performance depends to some are the crypto users : extent on the size of the data continually forced to panic, fragment, but it is not believed to vulnerable to attacks, be large enough to be exploitable, uncertain what to do next. due to the large block size of existing MACs and the small size The crypto users’ fantasy of the timing signal.” is boring crypto : crypto that simply works, 2013 AlFardan–Paterson “Lucky solidly resists attacks, Thirteen: breaking the TLS and never needs any upgrades. DTLS record protocols”: exploit these timings; steal plaintext.

  74. RFC 5246 “The Transport Interesting vs. boring crypto What will Security (TLS) Protocol, the crypto All of this excitement is ersion 1.2”: “This leaves a some crypto wonderful for crypto researchers . timing channel, since MAC actually The only people suffering rmance depends to some are the crypto users : on the size of the data continually forced to panic, fragment, but it is not believed to vulnerable to attacks, rge enough to be exploitable, uncertain what to do next. the large block size of existing MACs and the small size The crypto users’ fantasy timing signal.” is boring crypto : crypto that simply works, AlFardan–Paterson “Lucky solidly resists attacks, Thirteen: breaking the TLS and never needs any upgrades. record protocols”: exploit timings; steal plaintext.

  75. “The Transport Interesting vs. boring crypto What will happen (TLS) Protocol, the crypto users convince All of this excitement is his leaves a some crypto researchers wonderful for crypto researchers . channel, since MAC actually create boring The only people suffering ends to some are the crypto users : size of the data continually forced to panic, is not believed to vulnerable to attacks, to be exploitable, uncertain what to do next. block size of and the small size The crypto users’ fantasy signal.” is boring crypto : crypto that simply works, rdan–Paterson “Lucky solidly resists attacks, reaking the TLS and never needs any upgrades. rotocols”: exploit steal plaintext.

  76. ransport Interesting vs. boring crypto What will happen if Protocol, the crypto users convince All of this excitement is a some crypto researchers to wonderful for crypto researchers . since MAC actually create boring crypto? The only people suffering some are the crypto users : data continually forced to panic, elieved to vulnerable to attacks, exploitable, uncertain what to do next. of all size The crypto users’ fantasy is boring crypto : crypto that simply works, “Lucky solidly resists attacks, TLS and never needs any upgrades. exploit plaintext.

  77. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers . actually create boring crypto? The only people suffering are the crypto users : continually forced to panic, vulnerable to attacks, uncertain what to do next. The crypto users’ fantasy is boring crypto : crypto that simply works, solidly resists attacks, never needs any upgrades.

  78. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers . actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users : No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy is boring crypto : crypto that simply works, solidly resists attacks, never needs any upgrades.

  79. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers . actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users : No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto : against future crypto research. crypto that simply works, solidly resists attacks, never needs any upgrades.

  80. Interesting vs. boring crypto What will happen if the crypto users convince All of this excitement is some crypto researchers to wonderful for crypto researchers . actually create boring crypto? The only people suffering No more real-world attacks. are the crypto users : No more emergency upgrades. continually forced to panic, Limited audience for any vulnerable to attacks, minor attack improvements uncertain what to do next. and for replacement crypto. The crypto users’ fantasy This is an existential threat is boring crypto : against future crypto research. crypto that simply works, solidly resists attacks, Is this the real life? never needs any upgrades. Is this just fantasy?

  81. Interesting vs. boring crypto What will happen if Crypto can the crypto users convince this excitement is Again consider some crypto researchers to onderful for crypto researchers . Many interesting actually create boring crypto? only people suffering How do No more real-world attacks. the crypto users : How can No more emergency upgrades. continually forced to panic, How can Limited audience for any vulnerable to attacks, to influence minor attack improvements uncertain what to do next. affect timings? and for replacement crypto. crypto users’ fantasy This is an existential threat ring crypto : against future crypto research. that simply works, resists attacks, Is this the real life? needs any upgrades. Is this just fantasy?

  82. oring crypto What will happen if Crypto can be boring the crypto users convince excitement is Again consider timing some crypto researchers to crypto researchers . Many interesting questions: actually create boring crypto? suffering How do secrets affect No more real-world attacks. users : How can attacker No more emergency upgrades. rced to panic, How can attacker Limited audience for any attacks, to influence how secrets minor attack improvements to do next. affect timings? Et and for replacement crypto. users’ fantasy This is an existential threat : against future crypto research. simply works, attacks, Is this the real life? upgrades. Is this just fantasy?

  83. crypto What will happen if Crypto can be boring the crypto users convince Again consider timing leaks. some crypto researchers to rchers . Many interesting questions: actually create boring crypto? How do secrets affect timings? No more real-world attacks. How can attacker see timings? No more emergency upgrades. panic, How can attacker choose inpu Limited audience for any to influence how secrets minor attack improvements next. affect timings? Et cetera. and for replacement crypto. This is an existential threat against future crypto research. Is this the real life? Is this just fantasy?

  84. What will happen if Crypto can be boring the crypto users convince Again consider timing leaks. some crypto researchers to Many interesting questions: actually create boring crypto? How do secrets affect timings? No more real-world attacks. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. This is an existential threat against future crypto research. Is this the real life? Is this just fantasy?

  85. What will happen if Crypto can be boring the crypto users convince Again consider timing leaks. some crypto researchers to Many interesting questions: actually create boring crypto? How do secrets affect timings? No more real-world attacks. How can attacker see timings? No more emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets minor attack improvements affect timings? Et cetera. and for replacement crypto. The boring-crypto alternative: This is an existential threat crypto software is built from against future crypto research. instructions that have no data Is this the real life? flow from inputs to timings. Is this just fantasy? Obviously constant time.

  86. will happen if Crypto can be boring Another “2 80 securit crypto users convince Again consider timing leaks. crypto researchers to 2 80 mults Many interesting questions: actually create boring crypto? about 2 22 How do secrets affect timings? re real-world attacks. Bluffdale: How can attacker see timings? re emergency upgrades. How can attacker choose inputs Limited audience for any to influence how secrets attack improvements affect timings? Et cetera. r replacement crypto. The boring-crypto alternative: an existential threat crypto software is built from against future crypto research. instructions that have no data the real life? flow from inputs to timings. just fantasy? Obviously constant time.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische

Boring crypto Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Ancient Chinese curse: May you live in interesting times, so that you have many papers to write. Related mailing list:

871 views • 57 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo

Crypto developments A bit about me Daniel J. Bernstein Designer of: qmail , used by Yahoo Research Professor, to handle Internet mail; University of Illinois at Chicago tinydns , used by Facebook Hoogleraar, to publish server

625 views • 43 slides
Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.

1.74k views • 140 slides
Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago &

Making sure crypto stays insecure Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.

739 views • 54 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago

Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago

Crypto developments Daniel J. Bernstein Research Professor, University of Illinois at Chicago Hoogleraar, Cryptographic Implementations, Technische Universiteit Eindhoven A bit about me Designer of: qmail , used by Yahoo to handle

753 views • 26 slides
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 BushingMarcanSegher University of Illinois at Chicago & Sven failOverflow demolition Technische Universiteit Eindhoven of Sony PS3 security

1.08k views • 69 slides
Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the (prime-field) NIST curves I Presented by NIST in 1999 Curve names: P-192, P-224, P-256, P-384, P-521 Curve is defined over F p where p has

250 views • 22 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
The Year in Crypto Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

The Year in Crypto Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

The Year in Crypto Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger University of Pennsylvania Tanja Lange Technische Universiteit Eindhoven Candidate Indistinguishability Obfuscation

1.18k views • 78 slides
The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has

1.29k views • 94 slides
Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago &

Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago &

1 Standardization for the black hat Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1 bada55.cr.yp.to BADA55 Crypto including How to manipulate curve standards: a white paper for the

879 views • 45 slides
Evaluation of the Impacts of Geographically-Correlated Failures on Power Grids Andrey Bernstein

Evaluation of the Impacts of Geographically-Correlated Failures on Power Grids Andrey Bernstein

Evaluation of the Impacts of Geographically-Correlated Failures on Power Grids Andrey Bernstein 1,2 , Daniel Bienstock 3 , David Hay 4 , Meric Uzunoglu 1 , Gil Zussman 1 1 Electrical Engineering, Columbia University 2 Electrical Engineering,

944 views • 44 slides
Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of

Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of

1 Benchmarking benchmarking, and optimizing optimization Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2 Bit operations per bit of plaintext (assuming precomputed subkeys), as listed in recent

1.07k views • 46 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

1.15k views • 86 slides
Higgs and Flavor Physics supplementary slides First Joint ICTP - T rieste/ICTP - SAIFR School on

Higgs and Flavor Physics supplementary slides First Joint ICTP - T rieste/ICTP - SAIFR School on

Higgs and Flavor Physics supplementary slides First Joint ICTP - T rieste/ICTP - SAIFR School on Particle Physics 2018 Benjamn Grinstein Problem 1: Winter?? in So Paulo 2 Problem 2: Schedule of lectures? 3 Fat Skinny For many like

178 views • 13 slides
Scikit-Learn in particle physics Gilles Louppe CERN, Switzerland November 18, 2014 1 / 13 High

Scikit-Learn in particle physics Gilles Louppe CERN, Switzerland November 18, 2014 1 / 13 High

Scikit-Learn in particle physics Gilles Louppe CERN, Switzerland November 18, 2014 1 / 13 High Energy Physics (HEP) c CERN 2 / 13 High Energy Physics (HEP) c CERN Study the nature of the constituents of matter 2 / 13 High Energy

516 views • 17 slides
Lecture II: Neutrino Mass Models in Context M.J. Ramsey-Musolf U Mass Amherst

Lecture II: Neutrino Mass Models in Context M.J. Ramsey-Musolf U Mass Amherst

Lecture II: Neutrino Mass Models in Context M.J. Ramsey-Musolf U Mass Amherst http://www.physics.umass.edu/acfi/ ACFI NLDBD School 10/31-11/3 2017 1 Lecture II Goals Provide broader BSM context for 0 decay Provide a simple

1.17k views • 89 slides
MP466 Particle Physics Lecturer: Jon-Ivar Skullerud, jonivar@thphys.nuim.ie Room 1.7c, Science

MP466 Particle Physics Lecturer: Jon-Ivar Skullerud, jonivar@thphys.nuim.ie Room 1.7c, Science

MP466 Particle Physics Lecturer: Jon-Ivar Skullerud, jonivar@thphys.nuim.ie Room 1.7c, Science Bldg Lectures: Wed 910, Hall C, Arts Bldg Fri 1112, Hall B, Arts Bldg Tutorials: Mon 1415, Hall B, Arts Bldg (TBC) Outline of course Basic

294 views • 8 slides
Today Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to

Today Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to

Today Profit maximization. To pea or not to pea. 4$ for peas. 2$ bushel of carrots. x 1 - to pea! x 2 to carrot ? Money 4 x 1 + 2 x 2 maximize max4 x 1 + 2 x 2 . Carrots take 2 unit of water/bushel. Plant Carrots or Peas? Peas take 3 units of

536 views • 5 slides
Learning in Macroeconomic Models Wouter J. Den Haan London School of Economics 2011 by Wouter

Learning in Macroeconomic Models Wouter J. Den Haan London School of Economics 2011 by Wouter

Learning in Macroeconomic Models Wouter J. Den Haan London School of Economics 2011 by Wouter J. Den Haan c August 28, 2011 Intro Simple No Feedback Recursive LS With Feedback Topics Overview A bit of history of economic thought

1.23k views • 94 slides
PEA Microgrid Prachya Laochoo Engineer Smart Grid Planning Division, PEA, Thailand PEA Thailand

PEA Microgrid Prachya Laochoo Engineer Smart Grid Planning Division, PEA, Thailand PEA Thailand

PEA Microgrid Prachya Laochoo Engineer Smart Grid Planning Division, PEA, Thailand PEA Thailand 1 Microgrid IEC TS 62898-2-2018: group of interconnected loads and distributed energy resources with defined electrical boundaries that acts as a

506 views • 22 slides
A Search Theory of the Peacocks Tail Balzs Szentes May 5, 2012 Literature 1. Costly

A Search Theory of the Peacocks Tail Balzs Szentes May 5, 2012 Literature 1. Costly

A Search Theory of the Peacocks Tail Balzs Szentes May 5, 2012 Literature 1. Costly Signaling 2. Social Assets Postlewaite and Mailath (2006) Model males differ in a binary attribute { a, d } females differ in endowment E U

486 views • 22 slides

More recommend