the legacy of export grade cryptography in the 21st
play

The legacy of export-grade cryptography in the 21st century Nadia - PowerPoint PPT Presentation

Nov 10, 2023 •316 likes •1.8k views

The legacy of export-grade cryptography in the 21st century Nadia Heninger and J. Alex Halderman University of Pennsylvania University of Michigan June 9, 2016 International Traffic in Arms Regulations April 1, 1992 version Category

  1. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512

  2. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512

  3. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  4. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  5. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  6. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k mc (dialog) k m c , k m s , k e

  7. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (modified dialog) k m c , k m s , k e

  8. FREAK: MITM downgrade attack to export RSA Implementation flaw: Most major browsers accept unexpected server key exchange messages. [BDFKPSZZ 2015] client hello: random [. . . RSA . . . ] [RSA EXPORT] server hello: random, [RSA EXPORT] [RSA] certificate = RSA pubkey k 2048 + CA signatures server key exchange: RSA pubkey k 512 client key exchange: RSAenc k 512 ( pms ) KDF( pms , KDF( pms , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (modified dialog) k m c , k m s , k e Enc k e (request)

  9. FREAK vulnerability in practice ◮ Implementation flaw affected OpenSSL, Microsoft SChannel, IBM JSSE, Safari, Android, Chrome, BlackBerry, Opera, IE

  10. FREAK vulnerability in practice ◮ Implementation flaw affected OpenSSL, Microsoft SChannel, IBM JSSE, Safari, Android, Chrome, BlackBerry, Opera, IE ◮ Attack outline: 1. MITM attacker downgrades connection to export, learns server’s ephemeral 512-bit RSA export key. 2. Attacker factors 512-bit modulus to obtain server private key. 3. Attacker uses private key to forge client/server authentication for successful downgrade.

  11. FREAK vulnerability in practice ◮ Implementation flaw affected OpenSSL, Microsoft SChannel, IBM JSSE, Safari, Android, Chrome, BlackBerry, Opera, IE ◮ Attack outline: 1. MITM attacker downgrades connection to export, learns server’s ephemeral 512-bit RSA export key. 2. Attacker factors 512-bit modulus to obtain server private key. 3. Attacker uses private key to forge client/server authentication for successful downgrade. ◮ Attacker challenge: Need to know 512-bit private key before connection times out ◮ Implementation shortcut: “Ephemeral” 512-bit RSA server keys generated only on application start; last for hours, days, weeks, months.

  12. Factoring with the number field sieve [Pollard], [Pomerance], [Lenstra,Lenstra] linear polynomial square sieving algebra selection root p N Algorithm Motivation: Find a , b with a 2 ≡ b 2 mod N and gcd( a + b , N ) or gcd( a − b , N ) nontrivial. 1. Polynomial selection Find a good choice of number field K . 2. Relation finding Factor elements over O K and over Z . 3. Linear algebra Find a square in O K and a square in Z . 4. Square roots Take square roots, map into Z , and hope we find a factor.

  13. How long does it take to factor integers? linear polynomial square sieving algebra selection root p N Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  14. How long does it take to factor integers? linear polynomial square sieving algebra selection root p N Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 ) Answer 2: ◮ In 1999, 512-bit RSA in 7 months and hundreds of computers. [Cavallar et al.] ◮ In 2009, 768-bit RSA in 2.5 calendar years. [Kleinjung et al.]

  15. Factoring 512-bit RSA with CADO-NFS linear polynomial square sieving algebra selection root p N Answer 3: polysel sieving linalg sqrt 2400 cores 36 cores 36 cores RSA-512 10 mins 2.3 hours 3 hours 10 mins

  16. Factoring 512-bit RSA with CADO-NFS Answer 4: (256,64) 160 lbp 28; td 120 (128,64) Cost (USD) 120 lbp 29; td 120 (128,64) (128,16) lbp 29; td 70 80 (128,4) (64,4) (32,16) (32,4) (16,4) (8,4) (8,1) (4,1) (2,1) (1,1) 40 2 0 2 1 2 2 2 3 2 4 2 5 2 6 Linalg + sieve time (hrs) Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, and Nadia Heninger. FC 2016. seclab.upenn.edu/projects/faas/

  17. FREAK mitigation ◮ All major browsers pushed bug fixes. ◮ Server operators encouraged to disable export cipher suites. 100 RSA Export Support (Percent) 10 1 0.1 03/15 05/15 07/15 09/15 11/15 01/16 03/16 Date But still enabled for about 2% of trusted sites today.

  18. The Logjam attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom´ e, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-B´ eguelin, Paul Zimmermann CCS 2015 weakdh.org

  19. Textbook (Finite-Field) Diffie-Hellman [Diffie Hellman 1976] Public Parameters p a prime (so F ∗ p is a cyclic group) g < p group generator (often 2 or 5) Key Exchange g a mod p g b mod p g ab mod p g ab mod p

  20. Diffie-Hellman cryptanalysis and computational problems Discrete Log Problem: Given g a , compute a . ◮ Solving this problem permits attacker to compute shared key by computing a and raising ( g b ) a . ◮ Discrete log is in NP and coNP → not NP-complete (unless P=NP or similar). Diffie-Hellman problem Problem: Given g a , g b , compute g ab . ◮ Exactly problem of computing shared key from public information. ◮ Reduces to discrete log in some cases: ◮ (Computational) Diffie-Hellman assumption: This problem is hard in general.

  21. “Perfect Forward Secrecy” “Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party.” “With Perfect Forward Secrecy, anyone possessing the private key and a wiretap of Internet activity can decrypt nothing.” “Ideally the DH group would match or exceed the RSA key size but 1024-bit DHE is arguably better than straight 2048-bit RSA so you can get away with that if you want to.” “But in practical terms the risk of private key theft, for a non-ephemeral key, dwarfs out any cryptanalytic risk for any RSA or DH of 1024 bits or more; in that sense, PFS is a must-have and DHE with a 1024-bit DH key is much safer than RSA-based cipher suites, regardless of the RSA key size.”

  22. TLS Diffie-Hellman Key Exchange client hello: client random [. . . DHE . . . ]

  23. TLS Diffie-Hellman Key Exchange client hello: client random [. . . DHE . . . ] server hello: server random, [DHE] certificate = public RSA key + CA signatures server kex: p , g , g a , Sign RSAkey ( p , g , g a )

  24. TLS Diffie-Hellman Key Exchange client hello: client random [. . . DHE . . . ] server hello: server random, [DHE] certificate = public RSA key + CA signatures server kex: p , g , g a , Sign RSAkey ( p , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  25. TLS Diffie-Hellman Key Exchange client hello: client random [. . . DHE . . . ] server hello: server random, [DHE] certificate = public RSA key + CA signatures server kex: p , g , g a , Sign RSAkey ( p , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e

  26. TLS Diffie-Hellman Key Exchange client hello: client random [. . . DHE . . . ] server hello: server random, [DHE] certificate = public RSA key + CA signatures server kex: p , g , g a , Sign RSAkey ( p , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  27. Question: How do you selectively weaken a protocol based on Diffie-Hellman?

  28. Question: How do you selectively weaken a protocol based on Diffie-Hellman? Export answer: Optionally use a smaller prime.

  29. TLS Diffie-Hellman Export Key Exchange client hello: client random [. . . DHE EXPORT . . . ]

  30. TLS Diffie-Hellman Export Key Exchange client hello: client random [. . . DHE EXPORT . . . ] server hello: server random, [DHE EXPORT] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a )

  31. TLS Diffie-Hellman Export Key Exchange client hello: client random [. . . DHE EXPORT . . . ] server hello: server random, [DHE EXPORT] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  32. TLS Diffie-Hellman Export Key Exchange client hello: client random [. . . DHE EXPORT . . . ] server hello: server random, [DHE EXPORT] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e

  33. TLS Diffie-Hellman Export Key Exchange client hello: client random [. . . DHE EXPORT . . . ] server hello: server random, [DHE EXPORT] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  34. Diffie-Hellman export cipher suites in TLS TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5 TLS_DH_Anon_EXPORT_WITH_DES40_CBC_SHA April 2015: 8.4% of Alexa top 1M HTTPS support DHE EXPORT . Totally insecure, but no modern client would negotiate export ciphers. ... right?

  35. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ]

  36. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT]

  37. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a )

  38. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a )

  39. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  40. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  41. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k mc (dialog) k m c , k m s , k e

  42. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (modified dialog) k m c , k m s , k e

  43. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. client hello: random [. . . DHE . . . ] [DHE EXPORT] server hello: random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures server kex: p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) client kex: g b KDF( g ab , KDF( g ab , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (modified dialog) k m c , k m s , k e Enc k e (request)

  44. Carrying out the Diffie-Hellman export downgrade attack 1. Attacker man-in-the-middles connection, changing messages as necessary. 2. Attacker computes discrete log of g a or g b to learn session keys. 3. Attacker uses session keys to forge client, server finished messages. ◮ Attacker challenge: compute client or server ephemeral Diffie-Hellman secrets before connection times out ◮ For export Diffie-Hellman, most servers actually generate per-connection secrets.

  45. Number field sieve discrete log algorithm [Gordon], [Joux, Lercier], [Semaev] linear polynomial sieving descent y , g selection algebra p log db a 1. Polynomial selection : Find a good choice of number field K . 2. Relation collection : Factor elements over O K and over Z . 3. Linear algebra Once there are enough relations, solve for logs of small elements. 4. Individual log “Descent” Try to write target t as sum of logs in known database.

  46. How long does it take to compute discrete logs? polynomial linear sieving descent y , g algebra selection p a log db Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  47. How long does it take to compute discrete logs? linear polynomial sieving descent y , g selection algebra p log db a precomputation individual log Answer 1: L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  48. How long does it take to compute discrete logs? linear polynomial sieving descent y , g selection algebra p log db a precomputation individual log Answer 1: L (1 / 3 , 1 . 232) L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 )

  49. How long does it take to compute discrete logs? linear polynomial sieving descent y , g selection algebra p log db a precomputation individual log Answer 1: L (1 / 3 , 1 . 232) L (1 / 3 , 1 . 923) = exp(1 . 923(log N ) 1 / 3 (log log N ) 2 / 3 ) Answer 2: In 2005, 431-bit discrete log in 3 weeks. [Joux, Lercier] In 2007, 530-bit discrete log. [Kleinjung] In 2014, 596-bit discrete log. [Bouvier et al.]

  50. How long does it take to compute discrete logs? linear polynomial sieving descent y , g selection algebra p log db a precomputation individual log Answer 3: polysel sieving linalg descent 2000-3000 cores 288 cores 36 cores DH-512 3 hours 15 hours 120 hours 70 seconds Precomputation can be done once and reused for many individual logs!

  51. Implementing Logjam Parameters hard-coded in implementations or built into standards. 97% of DHE EXPORT hosts choose one of three 512-bit primes. Hosts Source Year Bits 80% Apache 2.2 2005 512 13% mod ssl 2.3.0 1999 512 4% JDK 2003 512 ◮ Carried out precomputation for common primes. ◮ After 1 week precomputation, median individual log time 70s. ◮ Logjam and our precomputations can be used to break connections to 8% of the HTTPS top 1M sites!

  53. g = 2 apache: 9fdb8b8a004544f0045f1737d0ba2e0b274cdf1a9f588218fb43 5316a16e374171fd19d8d8f37c39bf863fd60e3e300680a3030c 6e4c3757d08f70e6aa871033 openssl: da583c16d9852289d0e4af756f4cca92dd4be533b804fb0fed94e f9c8a4403ed574650d36999db29d776276ba2d3d412e218f4dd1e 084cf6d8003e7c4774e833 mod_ssl: d4bcd52406f69b35994b88de5db89682c8157f62d8f33633ee577 2f11f05ab22d6b5145b9f241e5acc31ff090a4bc71148976f7679 5094e71e7903529f5a824b

  59. Logjam mitigation ◮ Server operators encouraged to disable export cipher suites. 100 RSA Export DHE Export Support (Percent) 10 1 0.1 03/15 05/15 07/15 09/15 11/15 01/16 03/16 Date ◮ Major browsers have raised minimum DH lengths: IE, Chrome, Firefox to 1024 bits; Safari to 768. ◮ TLS 1.3 draft includes anti-downgrade flag in client random.

  60. The legacy of export-grade cryptography in the 21st century Nadia Heninger and J. Alex Halderman University of Pennsylvania University of Michigan June 9, 2016

  61. Review of Part 1 ◮ 1990s: U.S. cryptography regulations limit strength of RSA, Diffie-Hellman, and symmetric ciphers in exported products. ◮ 1990s: Netscape develops SSL, complies with regulations by supporting weakened export-grade cryptography. . . . 20 years later . . . ◮ March 2015: FREAK attack Modern, full-strength TLS connections can be downgraded to 512-bit export-grade RSA; attacker can factor to decrypt session data. 10% of popular HTTPS sites vulnerable. ◮ May 2015: Logjam attack Modern, full-strength TLS connections can be downgraded to 512-bit export-grade Diffie-Hellman; attacker can take discrete log to decrypt session data. 8% of popular HTTPS sites vulnerable.

  62. First, a digression. . . Things we learned about Diffie-Hellman in practice Logjam attack: Anyone can use backdoors from ’90s crypto war to attack modern browsers.

  63. First, a digression. . . Things we learned about Diffie-Hellman in practice Logjam attack: Anyone can use backdoors from ’90s crypto war to attack modern browsers. Mass surveillance: Governments can exploit 1024-bit discrete log for wide-scale passive decryption.

  64. Is breaking 1024-bit Diffie-Hellman within reach of governments? Sieving Linear Algebra Descent core-years rows core-years core-time I lpb RSA-512 14 29 0.5 4.3M 0.33 DH-512 15 27 2.5 2.1M 7.7 10 mins RSA-768 16 37 800 250M 100 DH-768 17 35 8,000 150M 28,500 2 days RSA-1024 18 42 1,000,000 8.7B 120,000 DH-1024 19 40 10,000,000 5.2B 35,000,000 30 days

  65. Is breaking 1024-bit Diffie-Hellman within reach of governments? Sieving Linear Algebra Descent core-years rows core-years core-time I lpb RSA-512 14 29 0.5 4.3M 0.33 DH-512 15 27 2.5 2.1M 7.7 10 mins RSA-768 16 37 800 250M 100 DH-768 17 35 8,000 150M 28,500 2 days RSA-1024 18 42 1,000,000 8.7B 120,000 DH-1024 19 40 10,000,000 5.2B 35,000,000 30 days ◮ Special-purpose hardware →≈ 80 × speedup. (Research problem: Make rigorous!) ◮ ≈ $ 100Ms machine precomputes for one 1024-bit p every year ◮ Then, individual logs can be computed in close to real time

  66. James Bamford, 2012, Wired According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.” [...] The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. “Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it,” he says. The reason? “They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”

  67. 2013 NSA “Black Budget” “Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.” *numbers in thousands

  68. Parameter reuse for 1024-bit Diffie-Hellman ◮ Precomputation for a single 1024-bit prime allows passive decryption of connections to 66% of VPN servers and 26% of SSH servers. (Oakley Group 2) ◮ Precomputation for a second common 1024-bit prime allows passive decryption for 18% of top 1M HTTPS domains. (Apache 2.2)

  71. IKE Key Exchange for IPsec VPNs IKE chooses Diffie-Hellman parameters from standardized set. cipher suite negotiation g a g b KDF ( g ab , PSK) KDF ( g ab , PSK) PSK PSK

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of

The legacy of export-grade cryptography in the 21st century Nadia Heninger University of Pennsylvania October 6, 2016 International Traffic in Arms Regulations April 1, 1992 version Category XIII--Auxiliary Military Equipment ... (b)

1.05k views • 79 slides
From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy for Africa

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy for Africa

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy for Africa Joseph E. Stiglitz African Export-Import Bank October 15, 2017 Export-led growth model behind 20 th century growth miracles Unprecedented growth in

879 views • 33 slides
From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the

From Manufacturing Led Export Growth to a 21st Century Inclusive Growth Strategy: Explaining the Demise of a Successful Growth Model and What to Do About It Joseph E. Stiglitz WIDER Conference September 2018 I. Export-led growth model behind

460 views • 42 slides
MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in Children v. 13-16 Legacy in Eternity v. 17-31 LEGACY IN MARRIAGE 2 Schools of thought 1. Rabbi Sammai- Strict interpretation. Divorce only

775 views • 9 slides
2019 COLORADO CJP CONVENTION LEGACY CITATION 500 JT15D / PW500 ENGINES LE-DO VU SENIOR MANAGER

2019 COLORADO CJP CONVENTION LEGACY CITATION 500 JT15D / PW500 ENGINES LE-DO VU SENIOR MANAGER

2019 COLORADO CJP CONVENTION LEGACY CITATION 500 JT15D / PW500 ENGINES LE-DO VU SENIOR MANAGER PW615F/JT15D/PW500 PROGRAM EXPORT CLASSIFICATION Check this box if presentation Summarize the export classifications of all slides OR contains

356 views • 20 slides
Coventry Middle School Spring Band Concert Wednesday, May 21st 2014 6th Grade Band Don't Stop

Coventry Middle School Spring Band Concert Wednesday, May 21st 2014 6th Grade Band Don't Stop

Coventry Middle School Spring Band Concert Wednesday, May 21st 2014 6th Grade Band Don't Stop Believin' Words and Music by Jonathan Cain, Neal Schon, and Steve Perry arr. Michael Story Roller Coaster Ride Dan Adams African Folk Trilogy arr.

381 views • 9 slides
Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy and the spirit of Truc Lam Yen Zen Buddhism, the Legacy Yen Tu is an inspiring journey into the past. It offers travelers a stay filled with storied

688 views • 32 slides
How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we

How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we

How to export Image and Animation 1. When we finished our design, we need export it. Sometimes we need export a picture, sometimes we need export to video, GIF or SWF, sometimes we need the transparent background, sometimes we dont. So, we

207 views • 3 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar

Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar

Local Enterprise Office Kildare Export Success Seminar Kilian Duignan Export Success Seminar Export Success Seminar Export Success Seminar Export Success Seminar Jan 13 th 2019 Dyson to move company HQ to Singapore CEO says plan is more

493 views • 20 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L M E E T I N G 1 WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal is to create

1.18k views • 56 slides
L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G

L E G A C Y R E S I D E N T S A S S O C I A T I O N A N N U A L G E N E R A L M E E T I N G WELCOME The Legacy Residents Association was created for the homeowners of Legacy, with the intent of augmenting the lifestyle in Legacy. The goal

412 views • 40 slides
LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM

LEAVE A LEGACY Qubec And your legacy! What will it be? Action Plan 2010 LEAVE A LEGACY TM Qubec , is comprised of 163 charitable organizations that support its mission which is to encourage the population of Quebec to make a planned

312 views • 18 slides
Mrs. Tucker Mrs. Thompson Mrs. Doe Mrs. Gutierrez Mrs. Gutierrez Fun Facts: This is my 21st

Mrs. Tucker Mrs. Thompson Mrs. Doe Mrs. Gutierrez Mrs. Gutierrez Fun Facts: This is my 21st

Mrs. Tucker Mrs. Thompson Mrs. Doe Mrs. Gutierrez Mrs. Gutierrez Fun Facts: This is my 21st year of teaching at Natoma Station. Born and raised in Sacramento, I I have taught 3rd grade, 2nd received my BA in Child Development

422 views • 28 slides
Congratulations October Buc of the Month Recipients! 12 th Grade 9 th Grade 10 th Grade 11 th

Congratulations October Buc of the Month Recipients! 12 th Grade 9 th Grade 10 th Grade 11 th

Congratulations October Buc of the Month Recipients! 12 th Grade 9 th Grade 10 th Grade 11 th Grade 7 th Grade 8 th Grade Alaina Holguin Simaranjeet Kaur Ashley Garcia Jael Jacobo Julina Rodriguez John Kinchen Yitzel Castellanos Sana

304 views • 3 slides
Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com

Migrating Legacy.com Migrating a top 50 most visited site in the U.S. onto Drupal - Legacy.com Case Study Migrating Legacy.com Jordan Ryan Product Owner Ankur Gupta Lead Developer Bassam Ismail Front-end Lakshmi Narasimhan RESTful

458 views • 45 slides
States, borders, and security: export controls in physical space and cyberspace Samuel A. Evans

States, borders, and security: export controls in physical space and cyberspace Samuel A. Evans

States, borders, and security: export controls in physical space and cyberspace Samuel A. Evans 10 January 2011 Stanford University Presentation to the Stanford STS Program in conjunction with CISAC 1 Export Control Primer National

625 views • 25 slides
Res estricted ed P Par arty y Screen eening Visu sual Compli liance Dav avid W. Sundval

Res estricted ed P Par arty y Screen eening Visu sual Compli liance Dav avid W. Sundval

Res estricted ed P Par arty y Screen eening Visu sual Compli liance Dav avid W. Sundval all, Senior Manager, Risk and Export April 20 2019 Why UCA UCAR Co Conducts R RPS Various U.S. government agencies maintain lists of

341 views • 16 slides
INFORMATION SESSION WEDNESDAY FEBRUARY 20 TH THURSDAY MARCH 14 TH FRIDAY MARCH 15 TH MCGILL ISRAEL

INFORMATION SESSION WEDNESDAY FEBRUARY 20 TH THURSDAY MARCH 14 TH FRIDAY MARCH 15 TH MCGILL ISRAEL

3/15/2019 AUGUST 8-30 MCGILL ISRAEL 2019 Entrepreneurship through the Lens of Fintech STUDY TRIP INFORMATION SESSION WEDNESDAY FEBRUARY 20 TH THURSDAY MARCH 14 TH FRIDAY MARCH 15 TH MCGILL ISRAEL A SHORT INTRODUCTION ABOUT THE ISRAEL TRIP

437 views • 9 slides
Webinar on Notifications of Substances in Articles Notification of substances in articles -

Webinar on Notifications of Substances in Articles Notification of substances in articles -

Webinar on Notifications of Substances in Articles Notification of substances in articles - Introduction 19 May 2011 Lisa Anflt Risk Management Identification ECHA Contents General concept of REACH and Candidate List Substances

611 views • 13 slides
U.S. EXPORT CONTROL REFORM: New Regulations go into Effect October 15, 2013 Michigan Economic

U.S. EXPORT CONTROL REFORM: New Regulations go into Effect October 15, 2013 Michigan Economic

6/26/2013 U.S. EXPORT CONTROL REFORM: New Regulations go into Effect October 15, 2013 Michigan Economic Development Corporation Webinar Series June 26, 2013 Jean G. Schtokal, Shareholder Foster Swift Collins &amp; Smith, P.C. Michigan Economic

502 views • 13 slides
Sl ayi ng Sl ayi ng Uni x Ve ndor Uni x Ve ndor M M yt hs yt hs M i ke O Connor m j

Sl ayi ng Sl ayi ng Uni x Ve ndor Uni x Ve ndor M M yt hs yt hs M i ke O Connor m j

Slaying Unix Vendor Myths Sl ayi ng Sl ayi ng Uni x Ve ndor Uni x Ve ndor M M yt hs yt hs M i ke O Connor m j o@ doj o. m i . or g Si l i con Gr aphi cs a. k. a. SGI Over 20 year s caus i ng Havoc i n t he I ndus t r y Top

90 views • 5 slides
Credit Constraints, Technology Choice and Exports: A Firm Level Study for Latin American

Credit Constraints, Technology Choice and Exports: A Firm Level Study for Latin American

Credit Constraints, Technology Choice and Exports: A Firm Level Study for Latin American Countries Syed Hasan and Ian Sheldon The Ohio State University Presentation delivered at the 2013 Annual Meeting of the International Agricultural

644 views • 35 slides
January 2017 Stellwagen Capital Whats the Mission? Provide Innovative Financing

January 2017 Stellwagen Capital Whats the Mission? Provide Innovative Financing

Airline Economics Growth Frontiers - Dublin January 2017 Stellwagen Capital Whats the Mission? Provide Innovative Financing Solutions to our Customers and become the Largest and Most Profitable Aviation Fund in the World Pillars of

186 views • 16 slides

More recommend