key reuse theory and practice
play

Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, - PowerPoint PPT Presentation

Dec 12, 2022 •234 likes •819 views

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on joint work

  1. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on joint work with Jean Paul Degabriele, Tibor Jager, Anja Lehmann, Jacob C.N. Schudlt, Nigel P . Smart, Juraj Somorovsky, Martijn Stam, Mario Strefler, Susan Thomson Workshop on Real-World Cryptography Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 1/29

  2. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Outline 1 Key Separation, Key Reuse, and Cryptographic Agility 2 Joint Security 3 Key Reuse in EMV Cryptographic Agility 4 BC Attacks 5 Concluding Remarks 6 Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 2/29

  3. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Motivation for Key Reuse Reusing an asymmetric key-pair in different primitives can reduce: Storage requirements for certificates and keys; Costs of key certification; Net certificate verification time; Footprint of cryptographic code and development effort. . . . but breaks the key separation principle of using different keys for different purposes. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29

  4. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Motivation for Key Reuse Reusing an asymmetric key-pair in different primitives can reduce: Storage requirements for certificates and keys; Costs of key certification; Net certificate verification time; Footprint of cryptographic code and development effort. . . . but breaks the key separation principle of using different keys for different purposes. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 3/29

  5. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Scope of Reuse Reuse is not restricted to “encryption + signatures”, nor to the asymmetric setting: Could be, for example, “signature + static DH value” in a more complex protocol. We may wish to reuse a key in the symmetric setting, e.g. CCM mode (CTR + CBC-MAC). We may wish to use the same key in two different algorithms for the same primitive, e.g. RSA-OAEP and RSA-PKCS#1v1.5, or AES-CBC and AES-GCM. – As in the most recent edition of the XML standards. – Related to the concept of cryptographic agility . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 4/29

  6. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse and Certificate Standards X.509: Certificate contains algorithm identifiers for the signing algorithm used to create the certificate itself. But not necessarily any information about for which purposes the certified public key can be used. Nor in which specific algorithms the certified public key can be used. X.509 extensions define Key Usage and Subject Public Key Info fields, but plenty of flexibility . . . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 5/29

  7. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Usage Extension RFC 5280 (X.509v3): The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 6/29

  8. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Usage Extension RFC 5280 (X.509v3): KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } RFC 5280 (X.509v3): This profile does not restrict the combinations of bits that may be set in an instantiation of the keyUsage extension. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 7/29

  9. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Main Question Given that key reuse in all its forms is common in practice, what can we say about its security? Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 8/29

  10. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Haber and Pinkas, Securely Combining Public-Key Cryptosystems, CCS’01: First formal security models for joint security. Secure combinations for some schemes in the random oracle model. Only partial solutions in the standard model. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 9/29

  11. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02: Signature padding scheme PSS also gives IND-CCA secure encryption. Resulting encryption and signature schemes can securely use same RSA key-pair. Proof of joint security in ROM. Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03: Consider OAEP+ and REACT encodings, also in ROM. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29

  12. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption Coron, Joye, Naccache and Paillier, Universal Padding Schemes for RSA, CRYPTO’02: Signature padding scheme PSS also gives IND-CCA secure encryption. Resulting encryption and signature schemes can securely use same RSA key-pair. Proof of joint security in ROM. Komano and Ohta, Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation, CRYPTO’03: Consider OAEP+ and REACT encodings, also in ROM. Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 10/29

  13. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11: Target: to find new constructions for jointly secure combined schemes in the standard model . Main contributions: A trivial Cartesian product construction for benchmarking. A generic construction from IBE: Naor trick + CHK transform + domain separation. An efficient, specific construction using pairings. (Applications to signcryption.) Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29

  14. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Joint Security of Signature and Encryption P., Schuldt, Stam and Thomson, On the Joint Security of Encryption and Signature, Revisited, ASIACRYPT’11: Target: to find new constructions for jointly secure combined schemes in the standard model . Main contributions: A trivial Cartesian product construction for benchmarking. A generic construction from IBE: Naor trick + CHK transform + domain separation. An efficient, specific construction using pairings. (Applications to signcryption.) Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 11/29

  15. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks The EMV Specification EMV is the de facto global standard for IC credit/debit cards – Chip & PIN . As of Q2 2012, there were 1.55 billion EMV cards in use worldwide. Coming to the US real soon now. The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs) . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29

  16. Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks The EMV Specification EMV is the de facto global standard for IC credit/debit cards – Chip & PIN . As of Q2 2012, there were 1.55 billion EMV cards in use worldwide. Coming to the US real soon now. The specification defines the inter-operation of IC cards with Point-of-Sale (PoS) terminals and Automated Teller Machines (ATMs) . Kenny Paterson Royal Holloway, University of London | Key Reuse: Theory and Practice 12/29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Looking Ahead to 2020 Key Reuse: Theory, Practice, and Future Kenny Paterson Royal Holloway, University of London based on

869 views • 76 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

1 Infrastructure Requirements Limit Reuse Planned Indirect Potable Reuse (Purple pipe may be a

Overview of Presentation DIRECT POTABLE REUSE: A PATH FORWARD: Take Home Message Reuse Opportunities De Facto and Planned Indirect Potable Reuse 2012 WATER REUSE CONFERENCE Proposed Direct Potable Reuse Strategies Boise, ID

599 views • 8 slides
practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no internal normative content practice theory for understanding social change well demonstrated as enabling distinctive insight into change

536 views • 24 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no difference between theory and practice, but We can time different methods, but how to compare timings? not in practice Different on different

450 views • 7 slides
Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The

Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The

Dependence: Theory and Practice Introduction to loop dependence and loop transformation 1 The Big Picture What are our goals? Find independent operations to evaluate in parallel Find operations that reuse the same data What we will

528 views • 15 slides
The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International House, Rome April 17-18, 2010 Leo van Lier Monterey Institute of International Studies lvanlier@miis.edu 1 1 The ecology has spoken! 2 2 All

421 views • 29 slides
XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web

XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web

XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web in Web in Practice Practice Sihem Amer-Yahia Mariano Consens Yahoo! Research University of Toronto In collaboration with: Ricardo Baeza-Yates

1.06k views • 59 slides
Software Reuse From informal reuse (scavenging) to systematic reuse Management and technical

Software Reuse From informal reuse (scavenging) to systematic reuse Management and technical

Software Reuse From informal reuse (scavenging) to systematic reuse Management and technical issues Michal Young, SERC 05/19/99 1 Merry-Go-Round of Sequential Development Conventional view of development: Requirements Common theme -

238 views • 13 slides
One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in

One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in

One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in practice Disclaimer Experiences with Gigascope. A practitioners perspective. Will be using my own implementations, rather than

849 views • 46 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or

162 views • 15 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or {

560 views • 15 slides
Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004

Compression: Information Theory Greg Plaxton Theory in Programming Practice, Spring 2004 Department of Computer Science University of Texas at Austin Coding Theory Encoder Input: a message over some finite alphabet such as { 0 , 1 } or

579 views • 15 slides
How can practice theory inform interventions into the domestic nexus? Dr. Daniel Welch

How can practice theory inform interventions into the domestic nexus? Dr. Daniel Welch

How can practice theory inform interventions into the domestic nexus? Dr. Daniel Welch Sustainable Consumption Institute, University of Manchester Three contributions of contemporary practice theory A way of understanding the organisation

451 views • 15 slides
Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed

Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed

Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed Computing www.disco.ethz.ch Theory Meets Practice SenSys OSDI HotNets Multimedia Ubicomp PODC STOC Mobicom FOCS SIGCOMM ICALP SPAA SODA EC

950 views • 67 slides
Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors NIST , Gaithersburg, MD February 6, 2013 1 / 60 Outline 1 2 3 4 5 6 The beginning The sponge

908 views • 71 slides
Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP

Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP

Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP Services Final Rule CMS 2249-F and CMS 2296-F Published in the Federal Register on January 16, 2014 Title: Medicaid Program; State Plan Home and

709 views • 59 slides
Clinical Quality Management Program Bal4more City Health Department

Clinical Quality Management Program Bal4more City Health Department

Clinical Quality Management Program Bal4more City Health Department Ryan White Office 410-396-1408 Categories Reviewed in 2010 OAHS Primary Medical

331 views • 17 slides
The Trouble with Types Martin Odersky EPFL and Typesafe

The Trouble with Types Martin Odersky EPFL and Typesafe

The Trouble with Types Martin Odersky EPFL and Typesafe Types Everyone has an opinion on them Industry: Used to be the norm (C/C++,

710 views • 48 slides
http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

CS224W: Social and Information Network Analysis Jure Leskovec Stanford University Jure Leskovec, Stanford University http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups Network communities: Sets of

351 views • 34 slides
Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper,

Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper,

Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper, ResDAC Director of Assistance Work performed under CMS Contract #HHSM-500-2013-00166C About ResDAC Centers for Medicare and Medicaid (CMS)

507 views • 27 slides
(FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be

(FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be

7/22/2016 FAMILY AND D COMMUNIT MUNITY Y ENGAGEME GEMENT NT PROGRAM ROGRAM A New ew York rk State e My (FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be postmarked by 8/26/16 IMPORTANT DATES

680 views • 15 slides
Requirements March 8, 2016 Developmental Disabilities Division Overview New regulations

Requirements March 8, 2016 Developmental Disabilities Division Overview New regulations

OSP Instructions & CMS Final Rule PCSP Requirements March 8, 2016 Developmental Disabilities Division Overview New regulations established by CMS Home & Community Based Services (aka waiver) Effective March 17, 2014

329 views • 21 slides

More recommend