Some Observations on Reusing One-Time Pads within Dice Codings



SLIDE 1

Sebastian Pape, Databases and Interactive Systems Research Group

Sebastian Pape

Some Observations on Reusing One-Time Pads within Dice Codings

  • 10. Kryptotag
SLIDE 2

Overview

  • Dice Codings
  • Invalid Keys
  • Attacking the Key Pad
  • Countermeasures
SLIDE 3

Introduction / Scenario

  • Scope: Online-Banking
  • Computer is controlled by attacker
  • Visual Cryptography
  • Key-transparencies are used in conjunction with monitor

SLIDE 4

Introduction / Visual Coding

  • Digits:
  • Not complete:

From [DD08] From [DD08]

SLIDE 5

Dice Codings

  • Identity / NOT XOR

From [DD08] From [DD08]

SLIDE 6

Dice Codings Example

From [DD08]

SLIDE 7

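Invalid Keys (10 dice)

  • Number of points per segment: 9
  • Keysize for 10 segments: $2^{90} \approx 1{,}23 \cdot 10^{27}$
  • Valid keys: $\binom{9}{0} \cdot \binom{9}{1} \cdots \binom{9}{9} \cdot 10! \approx 4{,}26 \cdot 10^{19}$ (about $2^{66}$)
  • Quotient: $\frac{\text{valid keys}}{\text{number of keys}} \approx 3 \cdot 10^{-8}$

From [DD08]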

SLIDE 8

Invalid Keys (2 dice)

  • Number of points per segment: 9
  • Keysize for 2 segments: $2^{18}$
  • Invalid keys per Ciphertext: $\binom{9}{0}^2 + \binom{9}{1}^2 + \dots + \binom{9}{9}^2 = \sum_{i=0}^{9} \binom{9}{i}^2 = 48.620$
  • Quotient: $\frac{\text{invalid keys}}{\text{number of keys}} = \frac{48.620}{262.144} \approx 18{,}5\%$

SLIDE 9

Questions

  • Is it possible to extract the OTP / key-transparency? ⇒ almost

  • d(Cipher, key) →
  • d(Cipher, inverse(key)) →
  • So, how many ciphertexts do we need?
SLIDE 10

Algorithm's Idea

  • Keep track of invalid keys
    – Binary Decision Tree with half of all possible keys
    – Delete invalid keys
    – Until only one key is left
  • Result: Secret Key or its inverse
  • Runtime: Several times $2^{17} = 131.072$
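
The elimination idea on this slide, simulated as an added example (not code from the talk). It assumes the "NOT XOR" overlay from the Dice Codings slide and that a candidate key is invalid when it decodes both segments of a cipher to the same digit; the names `overlay`, `encrypt_pair` and `eliminate`, the sample key and the plain list used in place of a decision tree are hypothetical.

```python
import random

N = 9                               # points per segment, as on the slides
MASK = (1 << N) - 1
POP = [bin(v).count("1") for v in range(1 << N)]   # point count per pattern

def overlay(cipher, key):
    """Assumed 'NOT XOR' rule: a point shows where cipher and key agree."""
    return ~(cipher ^ key) & MASK

def inverse(key):
    """Key with every point flipped in both segments."""
    return tuple(k ^ MASK for k in key)

def encrypt_pair(key, rng):
    """Constructed sample: two segments that show two different digits."""
    digits = rng.sample(range(N + 1), 2)
    plain = [sum(1 << b for b in rng.sample(range(N), d)) for d in digits]
    # NOT XOR is its own inverse, so the same overlay also encrypts.
    return tuple(overlay(p, k) for p, k in zip(plain, key))

def eliminate(key, seed=1, max_ciphers=5000):
    """Drop every candidate that decodes a cipher to two equal digits."""
    rng = random.Random(seed)
    # Half of all keys (2^17): fixing one bit removes the key/inverse twin.
    candidates = [(k1, k2) for k1 in range(0, 1 << N, 2)
                  for k2 in range(1 << N)]
    used = 0
    while len(candidates) > 1 and used < max_ciphers:
        c1, c2 = encrypt_pair(key, rng)
        used += 1
        candidates = [(k1, k2) for k1, k2 in candidates
                      if POP[overlay(c1, k1)] != POP[overlay(c2, k2)]]
    return candidates, used

if __name__ == "__main__":
    secret = (0b101100111, 0b010011010)     # constructed key pad
    left, used = eliminate(secret)
    print(used, "ciphers;", "key or inverse:", left[0] in (secret, inverse(secret)))
```

The true key and its inverse never decode a valid cipher to two equal digits, so neither can be deleted; that is why the result is only determined up to inversion.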

SLIDE 11

Test Data (Ciphers)

  • 20.000 runs
  • 70 ciphers >= 60%
  • 90 ciphers >= 95%

SLIDE 12

Test Data (CPU time(s))

  • 20.000 runs
  • 1 Core 3.00GHz (Intel E8400)
  • Feasible
  • Victim's CPU can be used

SLIDE 13

Global View

  • Easy Implementation: Run Algorithm 5 times (pairs: 0+1, 2+3, ..., 8+9)
  • But: we have 45 pairs and as soon as parts of the key are recovered additional information is gained

  • Not tested in practice
  • Complete key or its inverse is recovered
SLIDE 14

Countermeasures

  • More points on the dice (0 to n)
  • More dice (lower restrictions)
  • Similar procedure to iTAN (lower restrictions)

SLIDE 15

Number of Points

  • Number of points per segment: n
  • Keysize for 2 segments: $2^{2n}$
  • Invalid keys per Ciphertext: $\sum_{i=0}^{n} \binom{n}{i}^2 = \frac{(2n)!}{n!\,n!}$ (using Vandermonde's identity), and $\frac{(2n)!}{n!\,n!} \approx \frac{1}{\sqrt{\pi n}} \, 2^{2n}$ (using Stirling's formula)
  • Quotient: $\frac{\text{invalid keys}}{\text{number of keys}} \approx \frac{1}{\sqrt{\pi n}}$
  • Bad impact on UI

SLIDE 16

Number of Dice

  • 0 additional dice:
    – 18,5% invalid keys, keysize: $2^{18}$
  • 1 additional die (1 doubled die allowed):
    – 3,9% invalid keys, keysize: $2^{27}$
  • 2 additional dice (1 triple die allowed):
    – <1% invalid keys, keysize: $2^{36}$
  • Impact on UI

$\binom{9}{0}^{2+a} + \binom{9}{1}^{2+a} + \dots + \binom{9}{9}^{2+a} = \sum_{i=0}^{9} \binom{9}{i}^{2+a}$
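
The invalid-key counts from the "Invalid Keys (2 dice)", "Number of Points" and "Number of Dice" slides, recomputed and cross-checked by enumeration as an added example (not code from the talk). It assumes the exponent on this slide is 2 + a for a additional dice and that a key is invalid when every segment decodes to the same number of points; the function names and the sample ciphertext in the test are hypothetical.

```python
from itertools import product
from math import comb, pi, sqrt

def invalid_keys(n, extra=0):
    """Sum over i of C(n, i)^(2+extra): keys ruled out by one ciphertext."""
    return sum(comb(n, i) ** (2 + extra) for i in range(n + 1))

def invalid_fraction(n, extra=0):
    """Invalid keys divided by the key space 2^(n*(2+extra))."""
    return invalid_keys(n, extra) / 2 ** (n * (2 + extra))

def stirling_fraction(n):
    """Two-segment approximation 1/sqrt(pi*n)."""
    return 1 / sqrt(pi * n)

def brute_force_invalid(n, extra, cipher):
    """Enumerate all keys for one constructed ciphertext (small n only).

    Assumption: a key is invalid when every segment decodes, under the
    NOT XOR overlay, to the same number of points.
    """
    mask = (1 << n) - 1
    count = 0
    for key in product(range(1 << n), repeat=2 + extra):
        points = {bin(~(c ^ k) & mask).count("1") for c, k in zip(cipher, key)}
        count += len(points) == 1
    return count

def table(points=(9, 12, 16), extras=(0, 1, 2)):
    """(points, extra dice, key bits, invalid fraction) per configuration."""
    return [(n, a, n * (2 + a), invalid_fraction(n, a))
            for n in points for a in extras]

if __name__ == "__main__":
    for n, a, bits, frac in table():
        print(f"n={n:2d} extra={a} keysize=2^{bits:<2d} invalid={frac:.2%}")
```

The enumeration returns the same count for every ciphertext, which is why the slides can state the number of invalid keys per ciphertext without reference to a particular cipher.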

SLIDE 17

Similar to iTAN

  • Ask for a specific TAN
  • Allows adding more redundancy
  • Only 4 (6) Digits have to be contained
  • Worst case: $3{,}76 \cdot 10^{24}$ (digits: 0189)
  • Versus: $2^{90} \approx 1{,}23 \cdot 10^{27}$
  • But now any combination can be possible
  • Statistical attacks? / digits 0,9 expose key

SLIDE 18

Conclusions

  • It is possible to attack Dice Codings if the key-transparency is used multiple times
  • With improvements, the attack can be countered
  • A procedure similar to iTAN may solve this and is probably acceptable to users
  • Statistical attack may be possible
  • User manipulation not regarded here
    – Influence User (0,9) to leak parts of the key

SLIDE 19

Thank you for your attention

SLIDE 20

References

  • [DD08] Denise Doberitz, Complete Codings for Visual Cryptography, 9. Kryptotag, Gelsenkirchen