crypto horror stories
play

Crypto horror stories Daniel J. Bernstein University of Illinois at - PowerPoint PPT Presentation

Nov 15, 2022 •182 likes •799 views

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

  1. Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein

  2. Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein

  3. RC4 stream cipher: The beginning 1987: Ron Rivest designs RC4. Does not publish it. Crypto horror stories Daniel J. Bernstein

  4. RC4 stream cipher: The beginning 1987: Ron Rivest designs RC4. Does not publish it. 1992: U.S. National Security Agency (NSA) makes a deal with Software Publishers Association. “NSA allows encryption . . . The U.S. Department of State will grant export permission to any program that uses the RC2 or RC4 data-encryption algorithm with a key size of less than 40 bits.” Crypto horror stories Daniel J. Bernstein

  6. RC4 stream cipher: The leak 1994: Someone anonymously posts RC4 source code. New York Times: “Widespread dissemination could compromise the long-term effectiveness of the system . . . [RC4] has become the de facto coding standard for many popular software programs including Microsoft Windows, Apple’s Macintosh operating system and Lotus Notes. . . . ‘I have been told it was part of this deal that RC4 be kept confidential,’ Jim Bidzos, president of RSA, said.” Crypto horror stories Daniel J. Bernstein

  7. RC4 stream cipher: Used in SSL 1994: Netscape introduces SSL (“Secure Sockets Layer”) web browser and server “based on RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. Crypto horror stories Daniel J. Bernstein

  8. RC4 stream cipher: Used in SSL, and broken 1994: Netscape introduces SSL (“Secure Sockets Layer”) web browser and server “based on RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Crypto horror stories Daniel J. Bernstein

  9. RC4 stream cipher: Used in SSL, and broken 1994: Netscape introduces SSL (“Secure Sockets Layer”) web browser and server “based on RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Fix: RC4-128? Crypto horror stories Daniel J. Bernstein

  10. RC4 stream cipher: Used in SSL, and broken 1994: Netscape introduces SSL (“Secure Sockets Layer”) web browser and server “based on RSA Data Security technology”. SSL supports many options. RC4 is fastest cipher in SSL. 1995: Finney posts some examples of SSL ciphertexts. Back–Byers–Young, Doligez, Back–Brooks extract plaintexts. Fix: RC4-128? Unacceptable: 1995 Roos shows that RC4 fails a basic definition of cipher security. Crypto horror stories Daniel J. Bernstein

  11. RC4 stream cipher: The end? So the crypto community throws away 40-bit keys? And throws away RC4? Crypto horror stories Daniel J. Bernstein

  12. RC4 stream cipher: The end? So the crypto community throws away 40-bit keys? And throws away RC4? Here’s what actually happens. Crypto horror stories Daniel J. Bernstein

  13. RC4 stream cipher: The end? So the crypto community throws away 40-bit keys? And throws away RC4? Here’s what actually happens. 1997: IEEE standardizes WEP (“Wired Equivalent Privacy”) for 802.11 wireless networks. WEP uses RC4 for encryption. Crypto horror stories Daniel J. Bernstein

  14. RC4 stream cipher: The end? So the crypto community throws away 40-bit keys? And throws away RC4? Here’s what actually happens. 1997: IEEE standardizes WEP (“Wired Equivalent Privacy”) for 802.11 wireless networks. WEP uses RC4 for encryption. 1999: TLS (“Transport Layer Security”), new version of SSL. RC4 is fastest cipher in TLS. TLS still supports “export keys”. Crypto horror stories Daniel J. Bernstein

  15. RC4 stream cipher: Great, we can write papers More RC4 cryptanalysis: 1995 Wagner, 1997 Golic, 1998 Knudsen–Meier–Preneel–Rijmen–Verdoolaege, 2000 Golic, 2000 Fluhrer–McGrew, 2001 Mantin–Shamir, 2001 Fluhrer–Mantin–Shamir, 2001 Stubblefield–Ioannidis–Rubin. Example of real-world damage: RC4 key-output correlations ⇒ practical attacks on WEP. Crypto horror stories Daniel J. Bernstein

  16. RC4 stream cipher: Not dead yet! 2001 Rivest response: RC4 is safe in TLS. “Applications which pre-process the encryption key and IV by using hashing and/or which discard the first 256 bytes of pseudo-random output should be considered secure from the proposed attacks. . . . The ‘heart’ of RC4 is its exceptionally simple and extremely efficient pseudo-random generator. . . . RC4 is likely to remain the algorithm of choice for many applications and embedded systems.” Crypto horror stories Daniel J. Bernstein

  17. RC4 stream cipher: More papers; more damage 2002 Hulton, 2002 Mironov, 2002 Pudovkina, 2003 Bittau, 2003 Pudovkina, 2004 Paul–Preneel, 2004 KoreK, 2004 Devine, 2005 Maximov, 2005 Mantin, 2005 d’Otreppe, 2006 Klein, 2006 Doroshenko–Ryabko, 2006 Chaabouni. Crypto horror stories Daniel J. Bernstein

  18. RC4 stream cipher: More papers; more damage 2002 Hulton, 2002 Mironov, 2002 Pudovkina, 2003 Bittau, 2003 Pudovkina, 2004 Paul–Preneel, 2004 KoreK, 2004 Devine, 2005 Maximov, 2005 Mantin, 2005 d’Otreppe, 2006 Klein, 2006 Doroshenko–Ryabko, 2006 Chaabouni. WEP blamed for 2007 theft of 45 million credit-card numbers from T. J. Maxx. Subsequent lawsuit settled for $40900000. Crypto horror stories Daniel J. Bernstein

  19. RC4 stream cipher: Even more papers 2007 Paul–Maitra–Srivastava, 2007 Paul–Rathi–Maitra, 2007 Paul–Maitra, 2007 Vaudenay–Vuagnoux, 2007 Tews–Weinmann–Pyshkin, 2007 Tomasevic–Bojanic–Nieto-Taladriz, 2007 Maitra–Paul, 2008 Basu–Ganguly–Maitra–Paul, 2008 Biham–Carmeli, 2008 Golic–Morgari, 2008 Maximov–Khovratovich, 2008 Akgun–Kavak–Demirci, 2008 Maitra–Paul. 2008 Beck–Tews, 2009 Basu–Maitra–Paul–Talukdar, 2010 Sepehrdad–Vaudenay–Vuagnoux, 2010 Vuagnoux, 2011 Maitra–Paul–Sen Gupta, 2011 Sen Gupta–Maitra–Paul–Sarkar, 2011 Paul–Maitra book. Crypto horror stories Daniel J. Bernstein

  20. RC4 stream cipher: Resurgence in popularity 2012 Akamai blog entry: “Up to 75% of SSL-enabled web sites are vulnerable [to BEAST] . . . OpenSSL v0.9.8w is the current version in broad use and it only supports TLS v1.0. . . . the interim fix is to prefer the RC4-128 cipher for TLS v1.0 and SSL v3. . . . RC4-128 is faster and cheaper in processor time . . . approximately 15% of SSL/TLS negotiations on the Akamai platform use RC4 . . . most browsers can support the RC4 fix for BEAST.” Crypto horror stories Daniel J. Bernstein

  22. RC4 stream cipher: How to kill a zombie 2013 Lv–Zhang–Lin, 2013 Lv–Lin, 2013 Sen Gupta–Maitra–Meier–Paul–Sarkar, 2013 Sarkar–Sen Gupta–Paul–Maitra, 2013 Isobe–Ohigashi–Watanabe–Morii, 2013 AlFardan–Bernstein–Paterson–Poettering–Schuldt, 2014 Paterson–Strefler, 2015 Sepherdad–Suˇ sil–Vaudenay–Vuagnoux, 2015 Mantin “Bar Mitzvah”, 2015 Garman–Paterson–van der Merwe “RC4 must die”, 2015 Vanhoef–Piessens “RC4 no more”. Crypto horror stories Daniel J. Bernstein

  23. RC4 stream cipher: How to kill a zombie 2013 Lv–Zhang–Lin, 2013 Lv–Lin, 2013 Sen Gupta–Maitra–Meier–Paul–Sarkar, 2013 Sarkar–Sen Gupta–Paul–Maitra, 2013 Isobe–Ohigashi–Watanabe–Morii, 2013 AlFardan–Bernstein–Paterson–Poettering–Schuldt, 2014 Paterson–Strefler, 2015 Sepherdad–Suˇ sil–Vaudenay–Vuagnoux, 2015 Mantin “Bar Mitzvah”, 2015 Garman–Paterson–van der Merwe “RC4 must die”, 2015 Vanhoef–Piessens “RC4 no more”. IETF RFC 7465 (“RC4 die die die”) prohibits RC4 in TLS. Crypto horror stories Daniel J. Bernstein

  24. RC4 stream cipher: How to kill a zombie 2013 Lv–Zhang–Lin, 2013 Lv–Lin, 2013 Sen Gupta–Maitra–Meier–Paul–Sarkar, 2013 Sarkar–Sen Gupta–Paul–Maitra, 2013 Isobe–Ohigashi–Watanabe–Morii, 2013 AlFardan–Bernstein–Paterson–Poettering–Schuldt, 2014 Paterson–Strefler, 2015 Sepherdad–Suˇ sil–Vaudenay–Vuagnoux, 2015 Mantin “Bar Mitzvah”, 2015 Garman–Paterson–van der Merwe “RC4 must die”, 2015 Vanhoef–Piessens “RC4 no more”. IETF RFC 7465 (“RC4 die die die”) prohibits RC4 in TLS. 2015.09: Google, Microsoft, Mozilla announce agreement to turn off RC4 in subsequent browser updates. Crypto horror stories Daniel J. Bernstein

  25. It’s not just RC4 Some ongoing problems illustrated by this story: ◮ Incompetent risk management. Crypto horror stories Daniel J. Bernstein

  26. It’s not just RC4 Some ongoing problems illustrated by this story: ◮ Incompetent risk management. ◮ Security being damaged by the pursuit of performance. Crypto horror stories Daniel J. Bernstein

  27. It’s not just RC4 Some ongoing problems illustrated by this story: ◮ Incompetent risk management. ◮ Security being damaged by the pursuit of performance. ◮ Security being damaged by algorithm “agility”. Crypto horror stories Daniel J. Bernstein

  28. It’s not just RC4 Some ongoing problems illustrated by this story: ◮ Incompetent risk management. ◮ Security being damaged by the pursuit of performance. ◮ Security being damaged by algorithm “agility”. ◮ Security being damaged intentionally by NSA. Crypto horror stories Daniel J. Bernstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Time machines, horror stories, and the future of dev tools Shea Newton @shnewto on GitHub and

Time machines, horror stories, and the future of dev tools Shea Newton @shnewto on GitHub and

Time machines, horror stories, and the future of dev tools Shea Newton @shnewto on GitHub and Twitter Horror Stories... ...did you hear that? Youre so quirky! Tales of Developer Horror... Thank you! Photo Credit:

513 views • 18 slides
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 BushingMarcanSegher University of Illinois at Chicago & Sven failOverflow demolition Technische Universiteit Eindhoven of Sony PS3 security

1.08k views • 69 slides
POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN 07-07-2017 Put

POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN 07-07-2017 Put

Please write title, subtitle Please write title, subtitle and speaker name in all and speaker name in all capital letters capital letters POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN 07-07-2017 Put images

678 views • 54 slides
L-102.00 1 Building Outline Map L-102.00 SCALE: 1" = 10' Date: 7/17/2017 Date:

L-102.00 1 Building Outline Map L-102.00 SCALE: 1" = 10' Date: 7/17/2017 Date:

92ND STREET 7 4 4 4 4 Stories Stories Stories Stories Stories 7 Stories 15 5 4 4 4 4 4 Stories Stories Stories Stories Stories Stories Stories 4 Stories 3 Historic Photo A 2 Historic Photo A L-102.00 L-102.00 SCALE:

477 views • 5 slides
POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN PGConf.EU 2017,

POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN PGConf.EU 2017,

Please write title, subtitle Please write title, subtitle and speaker name in all and speaker name in all capital letters capital letters POSTGRESQL ON AWS: TIPS & TRICKS (AND HORROR STORIES) ALEXANDER KUKUSHKIN PGConf.EU 2017, Warsaw

825 views • 56 slides
Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a Hacking combus in a Paradox security system Paradox security system Hackfest Decade Quebec, Canada Author Lead researcher at Possible

517 views • 36 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1 Three Stories How Dual EC

Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1 Three Stories How Dual EC

Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1 Three Stories How Dual EC got into our standard What we did when we realized what had happened What we're doing now 2 What's the Issue? NIST and NSA coauthored a

388 views • 36 slides
Rosalind Dibley: Digital Stories and Me Sharing stories Information about how to tell stories is

Rosalind Dibley: Digital Stories and Me Sharing stories Information about how to tell stories is

Rosalind Dibley: Digital Stories and Me Sharing stories Information about how to tell stories is everywhere!!!!!!!!!! ! www.storycenter.org Stories that come from official sources, such as ne news me ws media dia co corpo poratio

489 views • 22 slides
West 108th Street Development West Side Federation for Senior & Supportive Housing Dattner

West 108th Street Development West Side Federation for Senior & Supportive Housing Dattner

WEST 109TH STREET COLUMBUS AVE. AMSTERDAM AVE. ANABIL AVILES PLAYGROUND 6 Stories PLAYGROUND 11 Stories 11 Stories TOILETS 9 Stories 7 Stories 7 Stories WEST 108TH STREET BUILDING 1 BUILDING 2 BOOKER T. WASHINGTON M.S. 54

310 views • 5 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
History The Rocky Horror Show , wri+en by Richard O'Brien.

History The Rocky Horror Show , wri+en by Richard O'Brien.

History The Rocky Horror Show , wri+en by Richard O'Brien. Jun 16, 1973: Premiere as a stage play off West End in London. Original Title:

425 views • 40 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall:

Symmetric Key Encryp.on 9/9/2009 598MAN Applied Cryptography 1 Outline Recall: defini.ons of encryp.on Perfect secrecy CPA security CCA security Today Prac.cal construc.ons 9/9/2009 598MAN Applied Cryptography

490 views • 28 slides
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian

749 views • 30 slides
Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology

Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009 In this presentation we talk about A colliding key pair of RC4

359 views • 15 slides
Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob

Hybrid Heterogeneous Electric Vehicle Routing Problem with Time Windows and recharging stations Gerhard Hiermann 1 , Thibaut Vidal 2 , Jakob Puchinger 1 , Richard Hartl 3 1 AIT Austrian Institute of Technology 2 PUC-Rio Pontifical Catholic

701 views • 44 slides
Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

Summary We present a new stream cipher Spritz (generating a pseudo-random stream of

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

603 views • 37 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile

Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile

Wi Wi-Fi Security Fi Security FEUP>MIEIC>Mobile Communications FEUP>MIEIC>Mobile Communications Jaime Dias <jaime.dias@fe.up.pt> Jaime Dias <jaime.dias@fe.up.pt> Symmetric cryptography Symmetric cryptography Ex:

548 views • 30 slides
WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1

WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1

WEP Weak IVs Revisited Kazukuni Kobara and Hideki Imai IIS, Univ. of Tokyo RCIS, AIST 1 Outline Available options for securing WLAN access WEP and its key recovery attack Condition to recover the WEP key Good and bad strategies

378 views • 24 slides

More recommend