midterm recap misuse of crypto and future work clipper
play

Midterm Recap Misuse of Crypto and Future Work Clipper chip A - PowerPoint PPT Presentation

Apr 04, 2024 •49 likes •639 views

Midterm Recap Misuse of Crypto and Future Work Clipper chip A lesson in poorly designed protocols Clipper Clipper Goal: Support encrypted communication Confidentiality between devices Goal: Permit law enforcement

  1. 
 
 Midterm Recap 
 Misuse of Crypto 
 and Future Work

  2. Clipper chip A lesson in poorly designed protocols Clipper Clipper Goal: 
 Support encrypted communication 
 Confidentiality between devices Goal: 
 Permit law enforcement to obtain 
 Key escrow “session keys” with a warrant

  3. Clipper chip: Design Tamper-proof hardware Hardware that is difficult to introspect (e.g., extract keys), Skipjack 
 alter (change the algorithms), or impersonate encryption algorithm Skipjack Keys 
 Unit key 
 Global family key Diffie-Hellman 
 key exchange LEAF generation & validation

  4. 
 Clipper chip: Design Tamper-proof hardware Skipjack 
 Block cipher designed by the 
 encryption algorithm NSA, originally classified 
 SECRET. Skipjack Keys 
 (Violates Kirchhoff’s principle) Unit key 
 Global family key Broken within one day of declassification. Diffie-Hellman 
 key exchange 80-bit key; similar algorithm to DES (also broken) LEAF generation & validation

  5. Clipper chip: Design Tamper-proof hardware Skipjack 
 Assigned when the hardware 
 encryption algorithm is manufactured. Unit key is unique to this unit 
 Skipjack Keys 
 in particular (each Clipper chip 
 Unit key 
 also has a unit ID ). Global family key Global family key is the same 
 Diffie-Hellman 
 across many units. key exchange LEAF generation & validation

  6. Clipper chip: Design Tamper-proof hardware Skipjack 
 Used for establishing a 
 encryption algorithm (symmetric) session key Session keys are ephemeral Skipjack Keys 
 (e.g., last only for a given Unit key 
 connection, transaction, etc.) Global family key General properties about Diffie-Hellman 
 session keys: key exchange • Compromising one session key 
 does not compromise others • Compromising a long-term key 
 LEAF generation should not compromise past 
 & validation session keys ( forward secrecy )

  7. Clipper chip: Design Tamper-proof hardware LEAF 
 Skipjack 
 (Law Enforcement Access Field) encryption algorithm To permit wiretapping, law 
 enforcement needs to be able 
 Skipjack Keys 
 to extract session keys, but 
 Unit key 
 only has access to what is sent 
 Global family key during communication Diffie-Hellman 
 key exchange Idea : send data that has enough 
 info to allow law enforcement 
 to extract keys (but not any 
 LEAF generation other eavesdropper). & validation

  8. LEAF protocol design 1. DH key exchange 2. Each send LEAF packet Clipper Clipper 3. Send data encrypted 
 with the session key The Clipper chips will not decrypt until 
 it has received a valid LEAF packet Law enforcement sees all packets. • Cannot infer key from DH key exchange • Can infer it from the LEAF packet

  9. LEAF message structure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF

  10. LEAF message structure Session key 80 bits Other 
 variables The other Clipper chip also has the Global Family key Unit Key Skipjack Hash algorithm => Can decrypt the LEAF to obtain this triple 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF

  11. LEAF message structure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm 16 bits The other Clipper chip “verifies” the LEAF by making sure that 
 Unit ID Encrypted session key Hash the hash is correct Global family key Skipjack LEAF

  12. LEAF message structure Session key 80 bits Other 
 variables Law enforcement also has the Global Family Key Unit Key Skipjack Hash algorithm => Can decrypt the LEAF to obtain this triple 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF

  13. LEAF message structure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm 16 bits Unit ID Encrypted session key Hash Law enforcement does not have direct access 
 Global family key Skipjack to all unit keys; needs a warrant to get them Unit keys are split across two locations LEAF (one location gets a OTP, the other gets the XOR)

  14. LEAF: failure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm To verify the LEAF, 
 the otherClipper chip 
 16 bits only checks the hash Unit ID Encrypted session key Hash Clipper chips also allow you to 
 test a LEAF locally Global family key Skipjack LEAF

  15. LEAF: failure Session key 80 bits Other 
 variables Unit Key Skipjack Hash algorithm 16 bits Generate a random LEAF => 
 Unit ID Encrypted session key Hash 1/2 16 chance of a valid hash Unit ID Encrypted session key Hash Global family key Skipjack Validates at the other 
 But law enforcement will just 
 Clipper chip (so it will 
 see random ID & key LEAF decrypt messages)

  16. Misusing crypto Avoid shooting yourself in the foot: • Do not roll your own cryptographic mechanisms • Takes peer review • Apply Kerkhoff’s principle • Do not misuse existing crypto • Do not even implement the underlying crypto

  17. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know:

  18. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period.

  19. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period. 2. Do not use a non-random IV for CBC encryption.

  20. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period. 2. Do not use a non-random IV for CBC encryption. 3. Do not use constant encryption keys .

  21. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period. 2. Do not use a non-random IV for CBC encryption. 3. Do not use constant encryption keys . 4. (see paper)

  22. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period. 2. Do not use a non-random IV for CBC encryption. 3. Do not use constant encryption keys . 4. (see paper) 5. (see paper)

  23. A paper from 2013 that looked at how Android 
 apps use crypto, as a function of 6 “rules” that reflect 
 the bare minimum a secure programmer should know: 1. Do not use ECB mode for encryption. Period. 2. Do not use a non-random IV for CBC encryption. 3. Do not use constant encryption keys . 4. (see paper) 5. (see paper) 6. Do not use static seeds to seed SecureRandom(.)

  24. Crypto misuse in Android apps 15,134 apps from Google play used crypto; Analyzed 11,748 of them

  25. Crypto misuse in Android apps 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  26. Crypto misuse in Android apps 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  27. 
 BouncyCastle defaults • BouncyCastle is a library that conforms to Java’s Cipher interface: Cipher c = 
 Cipher.getInstance(“AES/CBC/PKCS5Padding”); // Ultimately end up wrapping a ByteArrayOutputStream 
 // in a CipherOutputStream • Java documentation specifies:

  30. Crypto misuse in Android apps 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12%

  31. Crypto misuse in Android apps 15,134 apps from Google play used crypto; Analyzed 11,748 of them 48% 31% 17% 16% 14% 12% A failure of the programmers to know the tools they use A failure of library writers to provide safe defaults

  32. Misusing crypto Avoid shooting yourself in the foot: • Do not roll your own cryptographic mechanisms • Takes peer review • Apply Kerkhoff’s principle • Do not misuse existing crypto • Do not even implement the underlying crypto

  33. Why not implement AES/RSA/etc. yourself? • Not talking about creating a brand new crypto scheme, just implementing one that’s already widely accepted and used. • Kerkhoff’s principle: these are all open standards; should be implementable. • Potentially buggy/incorrect code, but so might be others’ implementations (viz. OpenSSL bugs, poor defaults in Bouncy castles, etc.) • So why not implement it yourself?

  34. Side-channel attacks • Cryptography concerns the theoretical difficulty in breaking a cipher Input 
 Output 
 Cryptographic processing 
 message message (Encrypt/decrypt/sign/etc.) Secret keys

  35. Side-channel attacks • Cryptography concerns the theoretical difficulty in breaking a cipher Input 
 Output 
 Cryptographic processing 
 message message (Encrypt/decrypt/sign/etc.) Secret keys • But what about the information that a particular implementation could leak? • Attacks based on these are “ side-channel attacks ”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

61A Lecture 11 Friday, September 21 Midterm 1 Recap 2 Midterm 1 Recap The exam was more

61A Lecture 11 Friday, September 21 Midterm 1 Recap 2 Midterm 1 Recap The exam was more

61A Lecture 11 Friday, September 21 Midterm 1 Recap 2 Midterm 1 Recap The exam was more difficult than the Fall 2011 Midterm 1 2 Midterm 1 Recap The exam was more difficult than the Fall 2011 Midterm 1 Typically, more than 75% of students

1.22k views • 72 slides
CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday!

CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday!

CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday! 5:10 pm 6:10 pm Closed book but Ill provide a similar level of basic info as in the last page of previous midterms Assignment

1.18k views • 91 slides
CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday!

CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday!

CSE 158 Lecture 10 Web Mining and Recommender Systems Midterm recap Midterm on Wednesday! 5:10 pm 6:10 pm Closed book but Ill provide a similar level of basic info as in the last page of previous midterms Assignment

1.16k views • 90 slides
Midterm Presentation 3/25/2010 Progress to Date Future Work Functionality

Midterm Presentation 3/25/2010 Progress to Date Future Work Functionality

Midterm Presentation 3/25/2010 Progress to Date Future Work Functionality Screenshots Discussed with Alex what he was looking for in the system. Broke the tasks down into Student and TA sides, and then further into phases.

402 views • 18 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
Foyle Maritime e Festival & Clipper Race & Clipper Race e Presentation 26 6 May 2016

Foyle Maritime e Festival & Clipper Race & Clipper Race e Presentation 26 6 May 2016

Foyle Maritime e Festival & Clipper Race & Clipper Race e Presentation 26 6 May 2016 Background Derry City & Strabane Dist trict Council is in final year of 4 year/2 race spon nsorship and is currently a boat sponsor in

188 views • 14 slides
CS 744: CLIPPER Shivaram Venkataraman Fall 2019 ADMINISTRIVIA - Assignment 2 grading -

CS 744: CLIPPER Shivaram Venkataraman Fall 2019 ADMINISTRIVIA - Assignment 2 grading -

CS 744: CLIPPER Shivaram Venkataraman Fall 2019 ADMINISTRIVIA - Assignment 2 grading - Midterm details - Course Project template MACHINE LEARNING So FAR MACHINE LEARNING: INFERENCE GOALS - Interactive latencies (tail latency <

401 views • 19 slides
Clipper A Low-Latency Online Prediction Serving System Dan Crankshaw crankshaw@cs.berkeley.edu

Clipper A Low-Latency Online Prediction Serving System Dan Crankshaw crankshaw@cs.berkeley.edu

Clipper A Low-Latency Online Prediction Serving System Dan Crankshaw crankshaw@cs.berkeley.edu http://clipper.ai https://github.com/ucbrise/clipper December 8, 2017 Serving Training Query Big Training Data Decision Model Application

720 views • 19 slides
HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING

HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING

HOW CRYPTO FAILS IN PRACTICE GRAD SEC OCT 31 2017 TODAYS PAPERS POOR PROGRAMING CryptoLint tool to perform static analysis on Android apps to detect how they are using crypto libraries CRYPTO MISUSE IN ANDROID APPS 15,134 apps

1.6k views • 133 slides
HOW CRYPTO FAILS IN PRACTICE CMSC 414 APR 3 2018 POOR PROGRAMING CryptoLint tool to perform

HOW CRYPTO FAILS IN PRACTICE CMSC 414 APR 3 2018 POOR PROGRAMING CryptoLint tool to perform

HOW CRYPTO FAILS IN PRACTICE CMSC 414 APR 3 2018 POOR PROGRAMING CryptoLint tool to perform static analysis on Android apps to detect how they are using crypto libraries CRYPTO MISUSE IN ANDROID APPS 15,134 apps from Google play

841 views • 47 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
The Future of Crypto Crime and the Threat it Poses to Organizational Security CHARLES STOCKWELL

The Future of Crypto Crime and the Threat it Poses to Organizational Security CHARLES STOCKWELL

The Future of Crypto Crime and the Threat it Poses to Organizational Security CHARLES STOCKWELL | THE SECURITY STRONGHOLD CRYPTO CRIME IS STARING US IN THE FACE...and its just a child CRYPTO CRIME EXPEDITION FUTURE PAST PRESENT (my

611 views • 49 slides
New inventions: telegraph, RRs, clipper ships, steam engines, building of factories.

New inventions: telegraph, RRs, clipper ships, steam engines, building of factories.

Growth of Industry-Life in the North New inventions: telegraph, RRs, clipper ships, steam engines, building of factories. Immigrants come to find work. (Mostly Germans and Irish) No need for slavery with this type of economy.

657 views • 37 slides
Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2

Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2

Clipper Breathing Life into Cultural Collections and Archives John Casey 1 , Trevor Collins 2 Gill Hamilton 3 and Will Gregory 4 Clipper 20/04/2016 An online media analysis and collaboration tool for digital researchers 1. City of Glasgow

784 views • 14 slides
Midterm Review Prof. Usagi Recap: Logic Design?

Midterm Review Prof. Usagi Recap: Logic Design?

Midterm Review Prof. Usagi Recap: Logic Design? https://www.britannica.com/technology/logic-design 2 Analog v.s. digital signals 0.5? 0.4? 0.45? 0.445? 0.4445? or 0.4444444444459? Infinite possible values! 1 0 sampling cycle 3 Analog

1.61k views • 139 slides
Working with Families where there is Parental Substance Misuse Families First Is a multi

Working with Families where there is Parental Substance Misuse Families First Is a multi

Working with Families where there is Parental Substance Misuse Families First Is a multi agency team, set up in 1999 to work with the children of families who are negatively affected by their parents / carers substance misuse Is a

518 views • 23 slides
C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m

C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m

C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m M r z P r i n c i p a l S W E n g i n e e r , R e d H a t 1 A G E N D A W h a t w e l l b

963 views • 41 slides
Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n

1.48k views • 118 slides
BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things

BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things

BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things IoT Device Wallet Protect valuable data from the source Blockchain By 2025, thea global data volume will reach 175ZB , among which IoT device data

102 views • 7 slides
White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud

White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud

White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud & Implementation Paris, June 27-28 2017 Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box

543 views • 29 slides
PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 27 December 2015 D-Wave quantum computer isnt universal . . .

789 views • 65 slides
Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Cryptography : how to talk in a secret language in public You broke ! my heart Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock box Only Alice Bob slams knows the the door combination

81 views • 7 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c

Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c

Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c o w m o p r u l t d e r WEB3 Not a silver bullet Vitalik Buterin: Cryptoeconomic Protocols In the Context of Wider

1.01k views • 83 slides

More recommend