SLIDE 1–9 (one slide built up incrementally; final build shown)
The impact of security proofs: two troublesome case studies
Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven

2004: GCM is published with security proof.
2004: XCBv1 is published.
2007: NIST standardizes GCM.
2007: XCBv2 is published with security proof.
2010: IEEE standardizes XCBv2.
2014 Wikipedia: “GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security, IEEE 802.11ad (also known as WiGig), ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards, SSH and TLS 1.2. AES-GCM is included into the NSA Suite B Cryptography. ✿ ✿ ✿ GCM has been proven secure in the concrete security model.”
XCB also widely used? Maybe.
SLIDE 10–15 (built up incrementally; the timeline and Wikipedia quote remain on screen; new text shown)
2012 Iwata–Ohashi–Minematsu: Original GCM proof was wrong. New attack “invalidates the main part of the privacy proof”. New proof, lower security level.
2013 Chakraborty–Hernandez-Jimenez–Sarkar: Original XCBv2 proof was wrong. New proof for some message lengths, but the “resulting bound that can be proved is much worse than what has been claimed by the authors.” New efficient attack on XCBv2 for other message lengths.
SLIDE 16–22 (built up incrementally; the 2012 and 2013 items remain on screen; new text shown)
What does this mean?
Modern “provable security” is fragile and untrustworthy.
Do we have a strategy to eliminate these failures?
Do security proofs actually reduce risk compared to thorough cryptanalysis?
Did the security proofs encourage standardization without thorough cryptanalysis?
Did the security proofs deter cryptanalysis?