error prone cryptographic designs crypto horror story 1
play

Error-prone cryptographic designs Crypto horror story #1 Daniel J. - PowerPoint PPT Presentation

Aug 23, 2023 •373 likes •1.08k views

Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 BushingMarcanSegher University of Illinois at Chicago & Sven failOverflow demolition Technische Universiteit Eindhoven of Sony PS3 security

  1. Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, commenting on nonce generation inside Digital Signature Algorithm (1991 proposal by NIST, 1992 credited to NSA, 1994 standardized by NIST)

  2. Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm (1991 proposal by NIST, 1992 credited to NSA, 1994 standardized by NIST)

  3. Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm Rivest’s response: Blame DSA. (1991 proposal by NIST, Blame the crypto designer. 1992 credited to NSA, 1994 standardized by NIST)

  4. Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm Rivest’s response: Blame DSA. (1991 proposal by NIST, Blame the crypto designer. 1992 credited to NSA, Change DSA to avoid this pitfall! 1994 standardized by NIST)

  5. rone cryptographic designs Crypto horror story #1 Crypto ho J. Bernstein 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–T University of Illinois at Chicago & Sven “failOverflow” demolition 65ms to echnische Universiteit Eindhoven of Sony PS3 security system: used for Sony had ignored requirement Attack p to generate new random nonce but without poor user is for each ECDSA signature. enough rope with which Almost all ⇒ Sony’s signatures leaked hang himself—something use fast Sony’s secret code-signing key. standard should not do. ” Kernel’s —1992 Rivest, Traditional response: Blame Sony. influences commenting on nonce generation influencing Blame the crypto implementor. Digital Signature Algorithm influencing Rivest’s response: Blame DSA. proposal by NIST, of the attack Blame the crypto designer. credited to NSA, 65ms to Change DSA to avoid this pitfall! standardized by NIST)

  6. cryptographic designs Crypto horror story #1 Crypto horror story Bernstein 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–T Illinois at Chicago & Sven “failOverflow” demolition 65ms to steal Linux Universiteit Eindhoven of Sony PS3 security system: used for hard-disk Sony had ignored requirement Attack process on to generate new random nonce but without privileges. is for each ECDSA signature. rope with which Almost all AES implementations ⇒ Sony’s signatures leaked himself—something use fast lookup tables. Sony’s secret code-signing key. should not do. ” Kernel’s secret AES Traditional response: Blame Sony. influences table-load nonce generation influencing CPU cache Blame the crypto implementor. Signature Algorithm influencing measurable Rivest’s response: Blame DSA. y NIST, of the attack process. Blame the crypto designer. NSA, 65ms to compute influence Change DSA to avoid this pitfall! rdized by NIST)

  7. designs Crypto horror story #1 Crypto horror story #2 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: Chicago & Sven “failOverflow” demolition 65ms to steal Linux AES key Eindhoven of Sony PS3 security system: used for hard-disk encryption. Sony had ignored requirement Attack process on same CPU to generate new random nonce but without privileges. for each ECDSA signature. which Almost all AES implementations ⇒ Sony’s signatures leaked himself—something use fast lookup tables. Sony’s secret code-signing key. ” Kernel’s secret AES key Traditional response: Blame Sony. influences table-load addresses, generation influencing CPU cache state, Blame the crypto implementor. Algorithm influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − Change DSA to avoid this pitfall! NIST)

  8. Crypto horror story #1 Crypto horror story #2 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: Sven “failOverflow” demolition 65ms to steal Linux AES key of Sony PS3 security system: used for hard-disk encryption. Sony had ignored requirement Attack process on same CPU to generate new random nonce but without privileges. for each ECDSA signature. Almost all AES implementations ⇒ Sony’s signatures leaked use fast lookup tables. Sony’s secret code-signing key. Kernel’s secret AES key Traditional response: Blame Sony. influences table-load addresses, influencing CPU cache state, Blame the crypto implementor. influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − 1 . Change DSA to avoid this pitfall!

  9. horror story #1 Crypto horror story #2 2012 Mo Shacham: Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache “failOverflow” demolition 65ms to steal Linux AES key x86 processo Sony PS3 security system: used for hard-disk encryption. somehow had ignored requirement Attack process on same CPU physical generate new random nonce but without privileges. memory h ECDSA signature. Almost all AES implementations programs Sony’s signatures leaked use fast lookup tables. secret code-signing key. Kernel’s secret AES key raditional response: Blame Sony. influences table-load addresses, influencing CPU cache state, Blame the crypto implementor. influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − 1 . Change DSA to avoid this pitfall!

  10. story #1 Crypto horror story #2 2012 Mowery–Keelveedhi– Shacham: “We posit Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache timing “failOverflow” demolition 65ms to steal Linux AES key x86 processors that security system: used for hard-disk encryption. somehow subvert the red requirement Attack process on same CPU physical indexing, random nonce but without privileges. memory requirements signature. Almost all AES implementations programs is doomed signatures leaked use fast lookup tables. de-signing key. Kernel’s secret AES key onse: Blame Sony. influences table-load addresses, influencing CPU cache state, crypto implementor. influencing measurable timings onse: Blame DSA. of the attack process. crypto designer. 65ms to compute influence − 1 . avoid this pitfall!

  11. Crypto horror story #2 2012 Mowery–Keelveedhi– Shacham: “We posit that any rcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache timing attack against demolition 65ms to steal Linux AES key x86 processors that does not m: used for hard-disk encryption. somehow subvert the prefetcher, requirement Attack process on same CPU physical indexing, and massive nonce but without privileges. memory requirements of modern signature. Almost all AES implementations programs is doomed to fail.” ed use fast lookup tables. key. Kernel’s secret AES key Blame Sony. influences table-load addresses, influencing CPU cache state, implementor. influencing measurable timings DSA. of the attack process. designer. 65ms to compute influence − 1 . pitfall!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago &

Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago &

Error-prone cryptographic designs Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven The poor user is given enough rope with which to hang himselfsomething a standard should not do. 1992

597 views • 34 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto

Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto

Why you shouldn't write cryptographic algorithms yourself Experience why writing your own crypto is harder than it seems at frst. Simo Sorce Sr. Principal Sw. Engineer RHEL Crypto Team 2019-01-26 Everyone tells you that you shouldnt

348 views • 30 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Baby steps in a short-text classification with python My personal horror story Alisa Dammer me:

Baby steps in a short-text classification with python My personal horror story Alisa Dammer me:

Baby steps in a short-text classification with python My personal horror story Alisa Dammer me: alisadammer.com @FedorinoGore 90 July 12, 2017 Structure Initial information collection Award winning model Going live Did I learn anything?

563 views • 19 slides
Payor-Provider Contract Management: How to Avoid Becoming a Horror Story September 23, 2013

Payor-Provider Contract Management: How to Avoid Becoming a Horror Story September 23, 2013

Payor-Provider Contract Management: How to Avoid Becoming a Horror Story September 23, 2013 The Princeton Club New York City 39 Offices in 19 Countries Speakers John M. Kirsner, Columbus john.kirsner@squiresanders.com, +1 614.365.2722

631 views • 36 slides
Issues: Routing in Ad-hoc Networks Mobility Bandwidth constraint Error-prone and

Issues: Routing in Ad-hoc Networks Mobility Bandwidth constraint Error-prone and

Issues: Routing in Ad-hoc Networks Mobility Bandwidth constraint Error-prone and shared channel Location-dependent contention Other resource constraints TDDD36: Routing Issues: Multicas routing ... Robustness Efficiency

1.36k views • 81 slides
EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu, and Abdallah Khreishah Center for Networked Computing http://www.cnc.temple.edu Agenda 2 Introduction Motivation Setting Proposed

555 views • 21 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case

case Statement Nesting if past two levels is error prone and possibly inefficient. case excels when many tests are performed on the same expression. case works well for muxes, decoders, and next state logic. SVerilog case has implied

279 views • 15 slides
Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key distribution and PKI Introduction to Computer Security HW1 debrief Day 17: PKI and S protocols Stephen McCamant SSH University of Minnesota,

460 views • 11 slides
@tsmith @tsmith But I like Java! We're stuck in a Java purgatory Error prone Code (no

@tsmith @tsmith But I like Java! We're stuck in a Java purgatory Error prone Code (no

@tsmith @tsmith But I like Java! We're stuck in a Java purgatory Error prone Code (no non-capturing anonymous inner classes) General Java language restrictions @tsmith How about Groovy? Groovy is dynamic Harder for IDEs

624 views • 59 slides
Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team recently released for possible future additions to Go, specifically about two areas: improved error handling and parametric polymorphism (AKA generics),

411 views • 29 slides
5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch

5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch

5/30/2014 Yielding Positions Prone positioning improves VQ To Prone or Not to mismatch Prone? Prone positioning improves arterial oxygenation John H. Turnbull, MD Assistant Professor of Anesthesia and Perioperative Medicine

89 views • 6 slides
Intuitive Generosity and Error Prone Inference from Response Time Mara P. Recalde 1 Arno Riedl 2

Intuitive Generosity and Error Prone Inference from Response Time Mara P. Recalde 1 Arno Riedl 2

Intuitive Generosity and Error Prone Inference from Response Time Mara P. Recalde 1 Arno Riedl 2 Lise Vesterlund 1 1 University of Pittsburgh 2 Maastricht University October 18, 2013 Motivation When called upon to help others, is our

746 views • 28 slides
About Who is talking to you? Christian SoundFlow founder workflow platform sound designer

About Who is talking to you? Christian SoundFlow founder workflow platform sound designer

About Who is talking to you? Christian SoundFlow founder workflow platform sound designer shortcuts developer automation film composer be more creative entrepreneur be more productive 2 www.soundflow.org Overview About me, SoundFlow

451 views • 28 slides
Christs Prophesies of the Part 3 Facilitators : Ed Foley, Leigh Kelleher Readers: Carole Hoy,

Christs Prophesies of the Part 3 Facilitators : Ed Foley, Leigh Kelleher Readers: Carole Hoy,

Christs Prophesies of the Part 3 Facilitators : Ed Foley, Leigh Kelleher Readers: Carole Hoy, Kevin Kelleher Created & Sponsored By The Willowdale Small Group Leadership Team 1 Review: Several Groupings of Events in 7 Year Period 7

606 views • 32 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 6:03 pm) I E S

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 6:03 pm) I E S

Principles of VLSI Design Representations CMSC 491B/711 Circuit and System Representations IC design is hard because designers must juggle several different problems: Multiple levels of abstraction: IC designs requires refining an idea

231 views • 11 slides
DEEP CHURCH Week 2 The Genuine Article Session 1 How do we tell T ruth from Error?

DEEP CHURCH Week 2 The Genuine Article Session 1 How do we tell T ruth from Error?

DEEP CHURCH Week 2 The Genuine Article Session 1 How do we tell T ruth from Error? If it sounds too good to be true, then it probably is Real or fake? Before and after Before and after What is truth? John 18:33-38 Greek:

941 views • 64 slides
1 Thessalonians 3:1 9 Therefore when we could bear it no longer, we decided to be left alone

1 Thessalonians 3:1 9 Therefore when we could bear it no longer, we decided to be left alone

1 Thessalonians 3:1 9 Therefore when we could bear it no longer, we decided to be left alone in Athens; and we sent Timothy, our brother and co-worker for God in proclaiming the gospel of Christ, to strengthen and encourage you for the sake

443 views • 19 slides
Passing the Baton 2 Timothy 3:14-17, 4:1-8 Passing the Baton 30 th April 2017 Joseph Lam

Passing the Baton 2 Timothy 3:14-17, 4:1-8 Passing the Baton 30 th April 2017 Joseph Lam

Passing the Baton 2 Timothy 3:14-17, 4:1-8 Passing the Baton 30 th April 2017 Joseph Lam Introduction: The Relay Run - A team of 4 runners - Running a pre-set distance carrying a baton and passing it onto the next runner. - 4 x 100m/4 x

766 views • 19 slides
Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April

Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April

Tutorial on SMT Solvers Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell April 23, 2019 SMT Solvers SMT solvers take as input a (quantifier-free) first-order logic formula F over a background theory T , and return: sat (+

207 views • 10 slides
Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,) Armando)Solar@Lezama 2 ,)and)Jeffrey)S.)Foster 1) ) 1.)University)of)Maryland,)College)Park) 2.)MIT)CSAIL ) Syntax@guided)Synthesis) bit[32]

310 views • 27 slides

More recommend