owcm one way counter mode
play

OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska - PowerPoint PPT Presentation

Aug 12, 2023 •637 likes •1.1k views

1 OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and

  1. 1 OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Håkon Jacobsen Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and TechnologyTechnology - NTNU, NORWAY DIAC 2013, OWCM: One-Way Counter Mode

  2. 2 In this talk I will present the material from our two submissions to DIAC 2013 (as agreed with the organizer) DIAC 2013, OWCM: One-Way Counter Mode

  3. 3 In this talk I will present the material from our two submissions to DIAC 2013 (as agreed with the organizer) • Should MAC's retain • OWCM: One-Way hash properties Counter Mode when the key is (initial design) known in the next AEAD? Introductory advertisement for DIAC 2013, OWCM: One-Way Counter Mode

  4. 4 Let t us us sta tart w with th the fol ollowing story from a des esign meet eeting ng in n In our BIG organization we want to on one or organizati tion … introduce a new feature in our huge huge BIG DATABASE: Authenticated Encryption with Emails Social Chats Associated Data networks Financial BIG Video secrets surveillance DATA Telephone conversations Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  5. 5 Emails Social Chats networks Financial BIG Video We should use a software secrets surveillance library that implements NSA DATA Suit B Cryptography. Telephone conversations Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  6. 6 Emails Social Chats networks Financial BIG Video secrets surveillance DATA Or we can use some open source crypto library such Telephone conversations as: OpenSSL, Crypto++, … Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  7. 7 Emails Social Chats networks Financial BIG Video Yeah, OpenSSL and secrets surveillance Crypto++ have CCM and DATA GCM mode implemented. Telephone conversations And these modes are Industrial SMS provable secure. secrets DIAC 2013, OWCM: One-Way Counter Mode

  8. 8 Emails Social Chats networks Financial BIG Video secrets surveillance DATA Telephone conversations Maybe we can use OCB mode, Industrial SMS it is much faster than GCM secrets mode (but it is patented)  DIAC 2013, OWCM: One-Way Counter Mode

  9. 9 But sometimes files are realy big (like hundreds of gigabytes). We can not transfer them every time when we need just a sanity check that Emails Social Chats the data is not corrupted. networks Financial BIG Video secrets surveillance DATA Telephone conversations Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  10. 10 All software libraries that perform AEAD, have functions that give us back only the authentication tag. We will communicate that tag in a secure way, so no need to transfer ALL DATA … Emails Social Chats networks Financial BIG Video secrets surveillance DATA Telephone conversations Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  11. 11 Yeah, we solved the problem, we will use NSA approved set of cryptographic functions that are mathematically proved that they are secure. WHAT COULD POSIBLY GO WRONG? Emails Social Chats networks Financial BIG Video secrets surveillance DATA Telephone conversations Industrial SMS secrets DIAC 2013, OWCM: One-Way Counter Mode

  12. 12 Emails Social Chats networks Financial BIG Video secrets surveillance DATA What about insider Telephone conversations attacks and Industrial SMS abuses? secrets DIAC 2013, OWCM: One-Way Counter Mode

  13. 13 What about insider attacks and abuses? DIAC 2013, OWCM: One-Way Counter Mode

  14. 14 DIAC 2013, OWCM: One-Way Counter Mode

  15. 15 DIAC 2013, OWCM: One-Way Counter Mode

  16. 16 What about insider attacks and abuses? • An insider attack is intentional misuse by individuals who are authorized to use computers and networks. • An insider attack is more dangerous than outsider attack from financial and safety and security losses point of view. • In the same time detecting and preventing insider attacks is much more difficult than defending from external attacks DIAC 2013, OWCM: One-Way Counter Mode

  17. 17 We need new thinking for a new era. … and meanwhile technology has given governments, including our own, unprecedented capability to monitor communications. Press conference Aug 9 th , 2013 DIAC 2013, OWCM: One-Way Counter Mode

  18. 18 And the other thing that's happening is, is that as technology develops further, technology itself may provide us some additional Press conference safeguards. Aug 9 th , 2013 DIAC 2013, OWCM: One-Way Counter Mode

  19. 19 … I mean, there may be some technological fixes that provide another layer of assurance. … But it is absolutely true that with Press conference the expansion of technology, this Aug 9 th , 2013 is an area that's moving very quickly -- with the revelations that have depleted public trust, that if there are some additional things that we can do to build that trust back up, then we should do them. DIAC 2013, OWCM: One-Way Counter Mode

  20. 20 CAESAR call for submissions, draft 3 • Submission requirements – Security goals: A table quantifying, for each of the recommended parameter sets, the intended number of bits of security (i.e., the logarithm base 2 of the attack cost) in each of the following Can CAESAR competition categories: – confidentiality for the plaintext; provide an additional safeguard – confidentiality for the secret message number (omit if the secret message number has length 0); against insider abuses? – integrity for the plaintext; – integrity for the associated data; – integrity for the secret message number (omit if the secret message number has length 0); – integrity for the public message number (omit if the public message number has length 0); and – any additional security goals and robustness goals that the submitters wish to point out. DIAC 2013, OWCM: One-Way Counter Mode

  21. 21 CAESAR call for submissions, draft 3 • Submission requirements – Security goals: A table quantifying, for each of the recommended parameter sets, the intended number of bits of security (i.e., the logarithm base 2 of the attack cost) in each of the following categories: – confidentiality for the plaintext; – confidentiality for the secret message number (omit if the secret message number has length 0); – integrity for the plaintext; – integrity for the associated data; – integrity for the secret message number (omit if the secret message number has length 0); – integrity for the public message number (omit if the public message number has length 0); and – any additional security goals and robustness goals that the submitters wish to point out. DIAC 2013, OWCM: One-Way Counter Mode

  22. 22 CAESAR call for submissions, draft 3 • Submission requirements – Security goals: A table quantifying, for each of the recommended parameter sets, the intended number of bits of security (i.e., the logarithm base 2 of the attack cost) in each of the following What about the robustness categories: – confidentiality for the plaintext; against insider attacks and – confidentiality for the secret message number (omit if the secret message number has length 0); insider abuses? – integrity for the plaintext; – integrity for the associated data; – integrity for the secret message number (omit if the secret message number has length 0); – integrity for the public message number (omit if the public message number has length 0); and – any additional security goals and robustness goals that the submitters wish to point out. DIAC 2013, OWCM: One-Way Counter Mode

  23. 23 Easy exercise 1: Find two colliding massages for CCM when key K is known DIAC 2013, OWCM: One-Way Counter Mode

  24. 24 Easy exercise 2: Find two colliding massages for GCM when key K is known DIAC 2013, OWCM: One-Way Counter Mode

  25. 25 DIAC 2013, OWCM: One-Way Counter Mode

  26. 26 Easiest exercise 3: Find two colliding massages for OCB when key K is known DIAC 2013, OWCM: One-Way Counter Mode

  27. 27 DIAC 2013, OWCM: One-Way Counter Mode

  28. 28 Exploit 1 in "Secure audit logs" • Adaptation of Bellare-Yee scenario of "Secure audit logs". • An attacker is breaking into a machine that keeps activity logs that are encrypted by an AEAD scheme. • He/she has obtained the encryption key by some other means (physical force, stealing, ...). • In order to protect against such accidental revelation of encryption keys, the authentication tags are kept in a separate and write protected area. • This way the existing encrypted logs are protected from being overwritten with other fake logs. • However, if the AEAD scheme was implemented by CCM, GCM or OCB, the attacker can erase his/her previous (unsuccessful) attempts to break-in by simply producing a log file that has the same authentication tag as the originally encrypted log. DIAC 2013, OWCM: One-Way Counter Mode

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

917 views • 70 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent, Ferdinand Sibleyras Inria, quipe SECRET EUROCRYPT 2018 1 /

856 views • 56 slides
8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim (cj@coe.psu.ac.th) 8051 Timer/Counter Two internal Timers/Counters 16-bit timer/counter Timer uses system clock as source of input pulses Counter uses external

273 views • 8 slides
Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford University Joint work with: Yi Lu, Andrea Montanari , Sarang Dharmapurikar and Abdul Kabbani Overview Counter Braids Background: current

601 views • 30 slides
Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C

Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C

C.1 C.2 Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C Timers and Counters Can count at some rate up to a value, generate an interrupt and start over counting from 0. Useful for performing

402 views • 5 slides
Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do

Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do

Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do We Know if Counters are Working? Three common failures: Wrong counter (PAPI, Kernel, User) Counter works but gives wrong values Counter

376 views • 36 slides
LETS PLAY! 100 99 98 97 96 O o p s , S o Salty just got a little u r P s u s

LETS PLAY! 100 99 98 97 96 O o p s , S o Salty just got a little u r P s u s

How to play: Each player puts their counter on the space that says 'START'. Take it in turns to roll the dice. Move your counter forward the number of spaces shown on the dice. If your counter lands at the bottom of a ladder, you can move up to

390 views • 5 slides
For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit

For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit

For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit int fireworkCount = 0; while (fireworkCount < NUM_IN_FINALE) { new Firework (...); Repeating Task fireworkCount++; } Increment counter

527 views • 4 slides
Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What is Org Mode? Emacs mode for note taking task management tables and spreadsheets producing L A T EX documents and web pages literate

212 views • 7 slides
Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri

Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri

Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri demri@lsv.ens-cachan.fr LSV, ENS Cachan, CNRS, INRIA ESSLLI 2010, Copenhagen, August 2010 What is in the course? Analysis of Counter Systems

778 views • 65 slides
Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining

Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining

Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining momentum in 2017 Named after Its developers Steven Franke (K9AN) Joe Taylor (K1JT) Mode uses an 8-frequency shift keying format Signals occupy 50 Hz

472 views • 21 slides
Decidability and complexity issues for subclasses of counter systems Lecture 4 Counter automata

Decidability and complexity issues for subclasses of counter systems Lecture 4 Counter automata

Decidability and complexity issues for subclasses of counter systems Lecture 4 Counter automata with finite monoid property and flatness St ephane Demri demri@lsv.ens-cachan.fr LSV, ENS Cachan, CNRS, INRIA Course 2.9 MPRI

921 views • 56 slides
Selection of Mode of Presentation Selection of the mode of presentation online does not confirm

Selection of Mode of Presentation Selection of the mode of presentation online does not confirm

Selection of Mode of Presentation Selection of the mode of presentation online does not confirm your choice. The Dental Students Scientific Committee reserves the right to determine the mode of selection for each group. However, your preferred

263 views • 3 slides
8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim (cj@coe.psu.ac.th) 8051 Serial Port Serial communications High speed CMOS signal levels Full duplex No modem status/control signals Registers SBUF Two

661 views • 7 slides
HST Two-Gyro Mode Ken Sembach 26-October-2005 Two-Gyro Science Mode Website

HST Two-Gyro Mode Ken Sembach 26-October-2005 Two-Gyro Science Mode Website

HST Two-Gyro Mode Ken Sembach 26-October-2005 Two-Gyro Science Mode Website http://www.stsci.edu/hst/hst_overview/TwoGyroMode (includes links to ISRs) 1 STScI Two-Gyro Mode Team Effort David Adler Harry Ferguson Jennifer Mack Susan Rose

438 views • 20 slides
M. Liebhaber E-mail: martin.liebhaber@helmholtz-berlin.de Helmholtz Center Berlin Institue for

M. Liebhaber E-mail: martin.liebhaber@helmholtz-berlin.de Helmholtz Center Berlin Institue for

High efficiency silicon heterojunction solar cells: From conventional concepts to a 3 rd generation bi-triplet exciton generating hybrid device M. Liebhaber E-mail: martin.liebhaber@helmholtz-berlin.de Helmholtz Center Berlin Institue for

569 views • 37 slides
Networks: An FFT-Based Architecture Jiaqi Gu, Zheng Zhao, Chenghao Feng, Mingjie Liu, Ray T.

Networks: An FFT-Based Architecture Jiaqi Gu, Zheng Zhao, Chenghao Feng, Mingjie Liu, Ray T.

Towards Area-Efficient Optical Neural Networks: An FFT-Based Architecture Jiaqi Gu, Zheng Zhao, Chenghao Feng, Mingjie Liu, Ray T. Chen, David Z. Pan ECE Department, The University of Texas at Austin This work is supported in part by MURI AI

387 views • 20 slides
Understanding the ultrafast TeV variability of blazars Dimitrios Giannios Princeton, Department

Understanding the ultrafast TeV variability of blazars Dimitrios Giannios Princeton, Department

Understanding the ultrafast TeV variability of blazars Dimitrios Giannios Princeton, Department for Astrophysical Sciences With D. Uzdensky, M. C. Begelman, K. Nalewajko, M. Sikora TeVPA, Paris, 21/7/2010 Relativistic jets in GRBs,

889 views • 27 slides
Role of cardiac CT in LAA closure Dr J-L. SABLAYROLLES, Dr I. TIMOFEEVA, Dr L. MACRON, Dr J.

Role of cardiac CT in LAA closure Dr J-L. SABLAYROLLES, Dr I. TIMOFEEVA, Dr L. MACRON, Dr J.

Role of cardiac CT in LAA closure Dr J-L. SABLAYROLLES, Dr I. TIMOFEEVA, Dr L. MACRON, Dr J. FEIGNOUX Centre Cardiologique du Nord (CCN). Saint-Denis. France CTA : >18 years of experience CCN 2000 2004 2013 2014 2010 2003 2000 2010

386 views • 23 slides
Developments in Particle Therapy using Nuclear Science and Technology Helsinki, NUSPRASEN

Developments in Particle Therapy using Nuclear Science and Technology Helsinki, NUSPRASEN

WIR SCHAFFEN WISSEN HEUTE FR MORGEN Marco Schippers, Paul Scherrer Institut, Villigen Developments in Particle Therapy using Nuclear Science and Technology Helsinki, NUSPRASEN workshop, November 26, 2019 Helsinki, Nov 2019 1

335 views • 29 slides
Nanoclusters Nanoparticle vs. Nanocluster 2-3 nm Nanoclusters Nanoparticles No surface plasmon

Nanoclusters Nanoparticle vs. Nanocluster 2-3 nm Nanoclusters Nanoparticles No surface plasmon

Nanoclusters Nanoparticle vs. Nanocluster 2-3 nm Nanoclusters Nanoparticles No surface plasmon resonance Prominent SPR http://www.sigmaaldrich.com/materials- science/nanomaterials/gold-nanoparticles.html

302 views • 15 slides
L ECTURE IV: C OMPUTATION T REE L OGIC (CTL) Alessandro Artale Faculty of Computer Science

L ECTURE IV: C OMPUTATION T REE L OGIC (CTL) Alessandro Artale Faculty of Computer Science

F ORMAL M ETHODS L ECTURE IV: C OMPUTATION T REE L OGIC (CTL) Alessandro Artale Faculty of Computer Science Free University of Bolzano artale@inf.unibz.it http://www.inf.unibz.it/ artale/ Some material (text, figures) displayed in these

782 views • 41 slides
Advanced Logic Linear Temporal Logic Computation Tree Logic Daniel Gebler VU University

Advanced Logic Linear Temporal Logic Computation Tree Logic Daniel Gebler VU University

Advanced Logic Linear Temporal Logic Computation Tree Logic Daniel Gebler VU University Amsterdam March 11, 2013 Overview Linear temporal logic (LTL): describes properties of paths (individual executions) no modalities to

1.26k views • 107 slides

More recommend