the impact of security proofs two troublesome case
play

The impact of security proofs: two troublesome case studies D. J. - PowerPoint PPT Presentation

Feb 19, 2023 •330 likes •566 views

The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published. The impact of

  1. The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published.

  2. The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published. 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof.

  3. The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published. 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  4. The impact of security proofs: 2014 Wikip two troublesome case studies is used in (MACsec) D. J. Bernstein 802.11ad University of Illinois at Chicago & ANSI (INCITS) Technische Universiteit Eindhoven Security P1619.1 standards, 2004: GCM is published AES-GCM with security proof. NSA Suite 2004: XCBv1 is published. ✿ ✿ ✿ 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  5. The impact of security proofs: 2014 Wikipedia: “GCM two troublesome case studies is used in the IEEE (MACsec) Ethernet D. J. Bernstein 802.11ad (also kno University of Illinois at Chicago & ANSI (INCITS) Fib Technische Universiteit Eindhoven Security Protocols P1619.1 tape storage, standards, SSH and 2004: GCM is published AES-GCM is included with security proof. NSA Suite B Cryptography ✿ ✿ ✿ 2004: XCBv1 is published. 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  6. The impact of security proofs: 2014 Wikipedia: “GCM mode two troublesome case studies is used in the IEEE 802.1AE (MACsec) Ethernet security, D. J. Bernstein 802.11ad (also known as WiGig), University of Illinois at Chicago & ANSI (INCITS) Fibre Channel Technische Universiteit Eindhoven Security Protocols (FC-SP), P1619.1 tape storage, IETF standards, SSH and TLS 1.2. 2004: GCM is published AES-GCM is included into the with security proof. NSA Suite B Cryptography. ✿ ✿ ✿ 2004: XCBv1 is published. 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  7. The impact of security proofs: 2014 Wikipedia: “GCM mode two troublesome case studies is used in the IEEE 802.1AE (MACsec) Ethernet security, IEEE D. J. Bernstein 802.11ad (also known as WiGig), University of Illinois at Chicago & ANSI (INCITS) Fibre Channel Technische Universiteit Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. 2004: GCM is published AES-GCM is included into the with security proof. NSA Suite B Cryptography. ✿ ✿ ✿ 2004: XCBv1 is published. 2007: NIST standardizes GCM. 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  8. The impact of security proofs: 2014 Wikipedia: “GCM mode two troublesome case studies is used in the IEEE 802.1AE (MACsec) Ethernet security, IEEE D. J. Bernstein 802.11ad (also known as WiGig), University of Illinois at Chicago & ANSI (INCITS) Fibre Channel Technische Universiteit Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. 2004: GCM is published AES-GCM is included into the with security proof. NSA Suite B Cryptography. ✿ ✿ ✿ 2004: XCBv1 is published. GCM has been proven secure in 2007: NIST standardizes GCM. the concrete security model .” 2007: XCBv2 is published with security proof. 2010: IEEE standardizes XCBv2.

  9. The impact of security proofs: 2014 Wikipedia: “GCM mode two troublesome case studies is used in the IEEE 802.1AE (MACsec) Ethernet security, IEEE D. J. Bernstein 802.11ad (also known as WiGig), University of Illinois at Chicago & ANSI (INCITS) Fibre Channel Technische Universiteit Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. 2004: GCM is published AES-GCM is included into the with security proof. NSA Suite B Cryptography. ✿ ✿ ✿ 2004: XCBv1 is published. GCM has been proven secure in 2007: NIST standardizes GCM. the concrete security model .” 2007: XCBv2 is published XCB also widely used? Maybe. with security proof. 2010: IEEE standardizes XCBv2.

  10. impact of security proofs: 2014 Wikipedia: “GCM mode 2012 Iwata–Oha troublesome case studies is used in the IEEE 802.1AE Original (MACsec) Ethernet security, IEEE New attack Bernstein 802.11ad (also known as WiGig), main part University of Illinois at Chicago & ANSI (INCITS) Fibre Channel New pro echnische Universiteit Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. GCM is published AES-GCM is included into the security proof. NSA Suite B Cryptography. ✿ ✿ ✿ XCBv1 is published. GCM has been proven secure in NIST standardizes GCM. the concrete security model .” XCBv2 is published XCB also widely used? Maybe. security proof. IEEE standardizes XCBv2.

  11. security proofs: 2014 Wikipedia: “GCM mode 2012 Iwata–Ohashi–Minem case studies is used in the IEEE 802.1AE Original GCM proof (MACsec) Ethernet security, IEEE New attack “invalidates 802.11ad (also known as WiGig), main part of the p Illinois at Chicago & ANSI (INCITS) Fibre Channel New proof, lower Universiteit Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. published AES-GCM is included into the of. NSA Suite B Cryptography. ✿ ✿ ✿ published. GCM has been proven secure in standardizes GCM. the concrete security model .” published XCB also widely used? Maybe. of. standardizes XCBv2.

  12. ofs: 2014 Wikipedia: “GCM mode 2012 Iwata–Ohashi–Minema studies is used in the IEEE 802.1AE Original GCM proof was wrong. (MACsec) Ethernet security, IEEE New attack “invalidates the 802.11ad (also known as WiGig), main part of the privacy proof Chicago & ANSI (INCITS) Fibre Channel New proof, lower security level Eindhoven Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. AES-GCM is included into the NSA Suite B Cryptography. ✿ ✿ ✿ published. GCM has been proven secure in GCM. the concrete security model .” XCB also widely used? Maybe. CBv2.

  13. 2014 Wikipedia: “GCM mode 2012 Iwata–Ohashi–Minematsu: is used in the IEEE 802.1AE Original GCM proof was wrong. (MACsec) Ethernet security, IEEE New attack “invalidates the 802.11ad (also known as WiGig), main part of the privacy proof”. ANSI (INCITS) Fibre Channel New proof, lower security level . Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. AES-GCM is included into the NSA Suite B Cryptography. ✿ ✿ ✿ GCM has been proven secure in the concrete security model .” XCB also widely used? Maybe.

  14. 2014 Wikipedia: “GCM mode 2012 Iwata–Ohashi–Minematsu: is used in the IEEE 802.1AE Original GCM proof was wrong. (MACsec) Ethernet security, IEEE New attack “invalidates the 802.11ad (also known as WiGig), main part of the privacy proof”. ANSI (INCITS) Fibre Channel New proof, lower security level . Security Protocols (FC-SP), IEEE 2013 Chakraborty–Hernandez- P1619.1 tape storage, IETF IPsec Jimenez–Sarkar: Original XCBv2 standards, SSH and TLS 1.2. proof was wrong. New proof for AES-GCM is included into the some message lengths, but the NSA Suite B Cryptography. ✿ ✿ ✿ “resulting bound that can be GCM has been proven secure in proved is much worse than what the concrete security model .” has been claimed by the authors.” XCB also widely used? Maybe.

  15. 2014 Wikipedia: “GCM mode 2012 Iwata–Ohashi–Minematsu: is used in the IEEE 802.1AE Original GCM proof was wrong. (MACsec) Ethernet security, IEEE New attack “invalidates the 802.11ad (also known as WiGig), main part of the privacy proof”. ANSI (INCITS) Fibre Channel New proof, lower security level . Security Protocols (FC-SP), IEEE 2013 Chakraborty–Hernandez- P1619.1 tape storage, IETF IPsec Jimenez–Sarkar: Original XCBv2 standards, SSH and TLS 1.2. proof was wrong. New proof for AES-GCM is included into the some message lengths, but the NSA Suite B Cryptography. ✿ ✿ ✿ “resulting bound that can be GCM has been proven secure in proved is much worse than what the concrete security model .” has been claimed by the authors.” XCB also widely used? Maybe. New efficient attack on XCBv2 for other message lengths.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Cryptography Game-based Proofs Assumptions BF IB-Encryption Conclusion Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs Introduction Provable Security David Pointcheval 2 Game-based Methodology

722 views • 10 slides
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic

413 views • 39 slides
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides
Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction to protocol security The context (I) credit cards contactless cards telephones online transactions cars, fridges,... Internet of

680 views • 11 slides
Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Cryptography Game-based Proofs Assumptions BLS Signature BF IB-Encryption Conclusion Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable Security Game-based Methodology 2 Game-based Approach

345 views • 12 slides
Overwhelmed & Overdue: Addressing Troublesome Debt in Black Communities August 16, 2018 |

Overwhelmed & Overdue: Addressing Troublesome Debt in Black Communities August 16, 2018 |

Overwhelmed & Overdue: Addressing Troublesome Debt in Black Communities August 16, 2018 | 2:30-4:00 ET Welcome Carmen Shorter Senior Manager for Learning Prosperity Now Housekeeping This webinar is being recorded and will be shared

704 views • 51 slides
The troublesome reflection rule Andrej Bauer University of Ljubljana TYPES 2015 Tallinn, May

The troublesome reflection rule Andrej Bauer University of Ljubljana TYPES 2015 Tallinn, May

I thank you very much for the invitation. I am a bit worried about talking about type theory at TYPES since I do not consider myself to be a true type theorist. The troublesome reflection rule Andrej Bauer University of Ljubljana TYPES

441 views • 16 slides
iFCP - A Protocol for Internet Fibre Channel Storage Networking draft-monia-ips-ifcp-00.txt

iFCP - A Protocol for Internet Fibre Channel Storage Networking draft-monia-ips-ifcp-00.txt

iFCP - A Protocol for Internet Fibre Channel Storage Networking draft-monia-ips-ifcp-00.txt Charles Monia Senior Technology Consultant Nishan Systems cmonia@nishansystems.com iFCP and FCIP Comparison iFCP An IP gateway protocol for

216 views • 6 slides
Augmented Hilbert series of numerical semigroups Christopher ONeill University of California

Augmented Hilbert series of numerical semigroups Christopher ONeill University of California

Augmented Hilbert series of numerical semigroups Christopher ONeill University of California Davis coneill@math.ucdavis.edu Joint with *Jeske Glenn, Vadim Ponomarenko, and *Benjamin Sepanski. * = undergraduate student January 12, 2018

1.26k views • 115 slides
Lab 4 Feedback We need some work on func@ons Follow examples and instruc@ons Feb 13, 2018

Lab 4 Feedback We need some work on func@ons Follow examples and instruc@ons Feb 13, 2018

Lab 4 Feedback We need some work on func@ons Follow examples and instruc@ons Feb 13, 2018 Sprenkle - CSCI111 1 Refactoring: Displaying Fibonacci Sequence What part of this code needs to go into the func@on? What is the input to the

517 views • 32 slides
Dynami mic Programmi mming Jeevani Goone*llake University of Colombo

Dynami mic Programmi mming Jeevani Goone*llake University of Colombo

Dynami mic Programmi mming Jeevani Goone*llake University of Colombo School of Compu*ng Sri Lanka Jeevani Goone*llake (University of Colombo - Sri Lanka)

470 views • 31 slides
4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design Replication, TMR Distributed Systems Fully fault tolerant system will offer non-stop availability Clusters You cant achieve this! Problem:

458 views • 11 slides
Introduction to PC- Cluster Hardware (II) Russian-German School on High Performance Computer

Introduction to PC- Cluster Hardware (II) Russian-German School on High Performance Computer

Introduction to PC- Cluster Hardware (II) Russian-German School on High Performance Computer Systems, June, 27 th until July, 6 th 2005, Novosibirsk 1. Day, 27 th of June, 2005 HLRS, University of Stuttgart High Performance Computing Center

865 views • 37 slides
Physical Database Design Basic considerations: Data independence: The user should be insulated

Physical Database Design Basic considerations: Data independence: The user should be insulated

Physical Database Design Basic considerations: Data independence: The user should be insulated from physical database design. It is perhaps acceptable (desirable) to allow the user to make suggestions for things such as which attributes

952 views • 72 slides
Next Generation Network - - a PIONIER example Maciej Stroi ski, Artur Binczewski, Micha

Next Generation Network - - a PIONIER example Maciej Stroi ski, Artur Binczewski, Micha

Next Generation Network - - a PIONIER example Maciej Stroi ski, Artur Binczewski, Micha Przybylski Pozna Supercomputing and Networking Center TNC, Zagreb 19-22 May 2003 T E R E N A 2 0 0 3 2 0 0 3 Z a g r e b Z a g r e b, ,

889 views • 22 slides

More recommend