
The security impact of a new cryptographic library

D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven
Tanja Lange, T. U. Eindhoven

AES-128, RSA-2048, etc. are widely accepted standards. Obviously infeasible to break by best attacks in literature.


Most of the Internet is cryptographically unprotected. Primary goal of NaCl: Fix this.

Main task: public-key authenticated encryption. Alice has a message m for Bob. Uses Bob’s public key and Alice’s secret key to compute authenticated ciphertext c. Sends c to Bob. Bob uses Alice’s public key and Bob’s secret key to verify and recover m.

Alice using a typical cryptographic library:
Generate random AES key.
Use AES key to encrypt packet.
Hash encrypted packet.
Read RSA key from wire format.
Use key to sign hash.
Read Bob’s key from wire format.
Use key to encrypt signature etc.
Convert to wire format.
Plus more code: allocate storage, handle errors, etc.

Alice using NaCl:
c = crypto_box(m,n,pk,sk)
32-byte secret key sk. 32-byte public key pk. 24-byte nonce n. c is 16 bytes longer than m.
All objects are C++ std::string variables represented in wire format, ready for storage/transmission.
C NaCl: similar, using pointers; no memory allocation, no failures.

Bob verifying, decrypting:
m = crypto_box_open(c,n,pk,sk)

Initial key generation:
pk = crypto_box_keypair(&sk)

Can instead use signatures for public messages:
pk = crypto_sign_keypair(&sk)
64-byte secret key, 32-byte public key.
sm = crypto_sign(m,sk)
64 bytes overhead.
m = crypto_sign_open(sm,pk)

“This sounds too simple! Don’t applications need more?”

Examples of applications using NaCl’s crypto_box:
DNSCurve and DNSCrypt, high-security authenticated encryption for DNS queries; deployed by OpenDNS.
QUIC, Google’s TLS replacement.
MinimaLT in Ethos OS, faster TLS replacement.
Threema, encrypted-chat app.

No secret load addresses

2005 Osvik–Shamir–Tromer: 65ms to steal Linux AES key used for hard-disk encryption. Attack process on same CPU but without privileges.
Almost all AES implementations use fast lookup tables. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms to compute influence⁻¹.

Most cryptographic libraries still use secret load addresses but add “countermeasures” intended to obscure influence upon the CPU cache state. Not confidence-inspiring; likely to be breakable.

NaCl systematically avoids all loads from addresses that depend on secret data. Eliminates this type of disaster. 2010 Langley ctgrind: verify this automatically.

No secret branch conditions

2011 Brumley–Tuveri: minutes to steal another machine’s OpenSSL ECDSA key. Secret branch conditions influence timings.
Most cryptographic software has many more small-scale variations in timing: e.g., memcmp for IPsec MACs.

NaCl systematically avoids all branch conditions that depend on secret data. Eliminates this type of disaster.
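An added example, not code from the slides or from NaCl, illustrating the two slides above (no secret load addresses, no secret branch conditions): a secret-indexed table lookup and a memcmp-style tag comparison, each beside a secret-independent version. The table contents, tag bytes and step counters are constructed for the demonstration; verify_ct reuses the arithmetic of NaCl’s crypto_verify_16.

```c
/* Added example (not code from the slides or from NaCl): the two timing leaks
 * described above next to their secret-independent replacements. Step
 * counters stand in for a clock so the difference shows without measuring. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_BYTES 16

/* ---- Secret load addresses ------------------------------------------- */

/* Leaky: the address loaded depends on the secret index, so the cache line
 * touched, and with it the timing, depends on the secret (T-table AES shape). */
static uint8_t lookup_leaky(const uint8_t *table, uint8_t idx)
{
    return table[idx];
}

/* Secret-independent: load every entry in fixed order and keep the wanted one
 * with a mask; the address sequence no longer depends on idx. Needs n <= 256. */
static uint8_t lookup_ct(const uint8_t *table, size_t n, uint8_t idx)
{
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t d = (uint32_t)i ^ idx;           /* 0 exactly when i == idx */
        uint8_t mask = (uint8_t)((d - 1) >> 8);   /* 0xff if d == 0, else 0 */
        result |= table[i] & mask;
    }
    return result;
}

/* 1 if both lookups agree on every index of a constructed 256-entry table. */
int lookups_agree(void)
{
    uint8_t table[256];
    for (int i = 0; i < 256; i++) table[i] = (uint8_t)(i * 167 + 13);
    for (int i = 0; i < 256; i++)
        if (lookup_leaky(table, (uint8_t)i) != lookup_ct(table, 256, (uint8_t)i))
            return 0;
    return 1;
}

/* ---- Secret branch conditions ---------------------------------------- */

/* Leaky: memcmp-style early exit. The iteration count, hence the running
 * time, tells whoever submitted the tag how long a correct prefix it had. */
static int verify_leaky(const uint8_t *x, const uint8_t *y, size_t *steps)
{
    for (size_t i = 0; i < TAG_BYTES; i++) {
        (*steps)++;
        if (x[i] != y[i]) return -1;
    }
    return 0;
}

/* Secret-independent, using the arithmetic of NaCl's crypto_verify_16: OR all
 * byte differences together, then map zero/nonzero to 0/-1 without a branch. */
static int verify_ct(const uint8_t *x, const uint8_t *y, size_t *steps)
{
    uint32_t differentbits = 0;
    for (size_t i = 0; i < TAG_BYTES; i++) {
        (*steps)++;
        differentbits |= (uint32_t)(x[i] ^ y[i]);
    }
    /* differentbits is 0..255, so (differentbits - 1) >> 8 has bit 0 set only
     * when differentbits == 0: result is 0 on a match, -1 otherwise. */
    return (int)(1 & ((differentbits - 1) >> 8)) - 1;
}

/* Constructed 16-byte tag plus a forgery that agrees with it on the first
 * good_prefix bytes (good_prefix == TAG_BYTES gives the genuine tag), run
 * through one verifier; returns its verdict and stores its step count. */
static int run_verifier(int (*verify)(const uint8_t *, const uint8_t *, size_t *),
                        size_t good_prefix, size_t *steps)
{
    uint8_t tag[TAG_BYTES], forgery[TAG_BYTES];
    for (size_t i = 0; i < TAG_BYTES; i++) tag[i] = (uint8_t)(0xa5 ^ (i * 29));
    memcpy(forgery, tag, TAG_BYTES);
    if (good_prefix < TAG_BYTES) forgery[good_prefix] ^= 0x01;
    *steps = 0;
    return verify(tag, forgery, steps);
}

/* Steps the leaky verifier spends: grows with the correct prefix (the leak). */
size_t leaky_steps(size_t p) { size_t s; run_verifier(verify_leaky, p, &s); return s; }

/* Steps the constant-time verifier spends: always TAG_BYTES. */
size_t ct_steps(size_t p) { size_t s; run_verifier(verify_ct, p, &s); return s; }

/* Verdict of the constant-time verifier: 0 for the genuine tag, -1 otherwise. */
int ct_verdict(size_t p) { size_t s; return run_verifier(verify_ct, p, &s); }
```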

No padding oracles

1998 Bleichenbacher: Decrypt SSL RSA ciphertext by observing server responses to ≈ 10⁶ variants of ciphertext.
SSL first inverts RSA, then checks for “PKCS padding” (which many forgeries have). Subsequent processing applies more serious integrity checks. Server responses reveal pattern of PKCS forgeries; pattern reveals plaintext.

Typical defense strategy: try to hide differences between padding checks and subsequent integrity checks. But hard to get this right: see BEAST, Lucky 13, POODLE, etc.

NaCl does not decrypt unless message is authenticated. Verification procedure rejects all forgeries in constant time. Attacks are further constrained by per-nonce key separation and standard nonce handling.

Centralizing randomness

2008 Bello: Debian/Ubuntu OpenSSL keys for 1.5 years had only 15 bits of entropy. Debian developer had removed a subtle line of OpenSSL randomness-generating code.

NaCl uses /dev/urandom, the OS random-number generator. Reviewing this kernel code is much more tractable than reviewing separate RNG code in every security library.

Centralization allows OS to merge many entropy sources into pool feeding many applications. Merging is deterministic and auditable. Can survive many bad/failing/malicious sources if there is one good source.

Huge step backwards: Intel’s RDRAND in applications. Single entropy source; no backup; likely to be poorly cloned; backdoorable (CHES 2013); non-auditable. Not used in NaCl.
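What “NaCl uses /dev/urandom” amounts to in code, as an added example rather than NaCl’s own randombytes.c: fill a buffer from the OS generator while handling the two cases a one-shot read() gets wrong, short reads and EINTR. The function name and the 32-byte draw (the crypto_box secret-key size from the slides) are this example’s own choices.

```c
/* Added example, not NaCl's own randombytes.c: fill buf with len bytes from
 * /dev/urandom, the OS generator the slide refers to. A single read() may
 * return fewer bytes than asked or fail with EINTR, so loop until done.
 * Returns 0 on success, -1 on failure (buf must then not be used as a key). */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

int randombytes_urandom(unsigned char *buf, size_t len)
{
    int fd;
    do {
        fd = open("/dev/urandom", O_RDONLY);
    } while (fd == -1 && errno == EINTR);
    if (fd == -1) return -1;

    size_t done = 0;
    while (done < len) {
        ssize_t r = read(fd, buf + done, len - done);
        if (r < 0) {
            if (errno == EINTR) continue;      /* interrupted by a signal: retry */
            close(fd);
            return -1;
        }
        if (r == 0) { close(fd); return -1; }  /* EOF is never expected here */
        done += (size_t)r;                     /* short read: ask for the rest */
    }
    close(fd);
    return 0;
}

/* Draw two 32-byte values (the crypto_box secret-key size) and report whether
 * both draws succeeded and differ; equal outputs would indicate a broken pool.
 * memcmp is fine here: neither value is a secret being checked against input. */
int two_keys_differ(void)
{
    unsigned char a[32], b[32];
    if (randombytes_urandom(a, sizeof a) != 0) return 0;
    if (randombytes_urandom(b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```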

  50. Avoiding unnecessary randomness

      2010 Bushing–Marcan–Segher–Sven: Sony ignored ECDSA requirement of new randomness for each signature. ⇒ Signatures leaked PS3 code-signing key.

      NaCl has deterministic crypto_box and crypto_sign. Randomness only for keypair. Eliminates this type of disaster.

      Also simplifies testing. NaCl uses automated test battery from eBACS (ECRYPT Benchmarking of Cryptographic Systems).
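The deterministic-nonce idea behind crypto_sign, shown as an added example (not code from the talk or from NaCl): a toy Schnorr signature whose nonce is k = H(prefix || message), with the prefix derived from the key seed the way Ed25519 does it, so the only call to the OS random-number generator is in keypair(). The group is constructed at import time for illustration only and the hash-to-scalar, group search, and find_reused_nonces audit check are assumptions of this example, not NaCl APIs.

```python
"""Toy Schnorr signatures with Ed25519-style deterministic nonces.

Added example, not from the talk or from NaCl.  The group is built at
import time for illustration and offers no real security; the point is
the nonce derivation, which keeps randomness out of sign().
"""
import hashlib
import secrets

Q = 2**89 - 1  # Mersenne prime: order of the toy signing subgroup


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for building a demo group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group():
    """Find p = k*Q + 1 prime and a generator g of the order-Q subgroup."""
    k = 2
    while not _is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    for h in range(2, 1000):
        g = pow(h, k, p)
        if g != 1:
            return p, g
    raise RuntimeError("no generator found")


P, G = _make_group()


def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "big")


def keypair():
    """The only place randomness enters: a 32-byte seed, as in crypto_sign_keypair."""
    seed = secrets.token_bytes(32)
    digest = hashlib.sha512(seed).digest()
    a = int.from_bytes(digest[:32], "big") % Q   # secret scalar
    prefix = digest[32:]                          # secret used only for nonces
    A = pow(G, a, P)
    return A, (a, prefix)


def sign(sk, msg):
    """Same key + same message always gives the same signature (no RNG)."""
    a, prefix = sk
    k = _h(prefix, msg) % Q                       # deterministic nonce
    R = pow(G, k, P)
    A = pow(G, a, P)
    e = _h(R.to_bytes(32, "big"), A.to_bytes(32, "big"), msg) % Q
    return R, (k + e * a) % Q


def verify(A, msg, sig):
    R, s = sig
    if not (0 < R < P and 0 <= s < Q):
        return False
    e = _h(R.to_bytes(32, "big"), A.to_bytes(32, "big"), msg) % Q
    return pow(G, s, P) == R * pow(A, e, P) % P


def find_reused_nonces(records):
    """Audit check over (pubkey, message, signature) triples: flag the same R
    under one key for two different messages, the pattern of the PS3 failure."""
    seen, hits = {}, []
    for A, msg, (R, _s) in records:
        if seen.setdefault((A, R), msg) != msg:
            hits.append((A, R))
    return hits
```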

  55. Avoiding pure crypto failures

      2008 Stevens–Sotirov–Appelbaum–Lenstra–Molnar–Osvik–de Weger exploited MD5 ⇒ rogue CA cert.

      2012 Flame: new MD5 attack.

      Fact: By 1996, a few years after the introduction of MD5, Preneel and Dobbertin were calling for MD5 to be scrapped.

      NaCl pays attention to cryptanalysis and makes very conservative choices of cryptographic primitives.

  61. Speed

      Crypto performance problems often lead users to reduce cryptographic security levels or give up on cryptography.

      Example 1: Google SSL used RSA-1024 until 2013. Security note: Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir–Tromer estimated 1 year, ≈ 10^7 USD. RSA Labs and NIST response: Move to RSA-2048 by 2010.

      Example 2: Tor used RSA-1024 until 2013 switch to Curve25519.

      Example 3: DNSSEC uses RSA-1024: "tradeoff between the risk of key compromise and performance ..."

      Example 4: OpenSSL continues to use secret AES load addresses.

      Example 5: https://sourceforge.net/account is protected by SSL but https://sourceforge.net/develop turns off crypto: redirects to http://sourceforge.net/develop.

  69. NaCl has no low-security options.

      e.g. crypto_box always encrypts and authenticates. e.g. no RSA-1024; not even RSA-2048.

      Remaining risk: Users find NaCl too slow ⇒ switch to low-security libraries or disable crypto entirely.

      How NaCl avoids this risk: NaCl is exceptionally fast. Much faster than other libraries. Keeps up with the network.

  75. NaCl operations per second for any common packet size, using AMD Phenom II X6 1100T CPU ($190 in 2011):

      crypto_box: > 80000. crypto_box_open: > 80000. crypto_sign_open: > 70000. crypto_sign: > 180000.

      Handles arbitrary packet floods up to ≈ 30 Mbps per CPU, depending on protocol details.

  80. But wait, it's even faster!

      1. Pure secret-key crypto for any packet size: 80000 1500-byte packets/second fill up a 1 Gbps link.

      2. Pure secret-key crypto for many packets from same public key, if application splits crypto_box into crypto_box_beforenm and crypto_box_afternm.

      3. Very fast rejection of forged packets under known public keys: no time spent on decryption. (This doesn't help much for forgeries under new keys, but flooded server can continue providing fast service to known keys.)

      4. Fast batch verification, doubling speed of crypto_sign_open for valid signatures.
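Points 2 and 3 above, as an added example that is not NaCl's code: the beforenm/afternm split does the public-key work once per peer and then handles every packet with secret-key operations only, and open_afternm checks the authenticator before it touches the cipher, so forged packets under a known key cost no decryption at all. The toy Diffie-Hellman group, the HMAC-SHA256 stream cipher and MAC, and the DECRYPT_CALLS counter are stand-ins assumed for this example (NaCl uses Curve25519 and XSalsa20-Poly1305) and give no real security.

```python
"""Precomputed shared key plus authenticate-before-decrypt, stdlib only.

Added example, not NaCl's code.  Mirrors the crypto_box_beforenm /
crypto_box_afternm API shape with toy primitives: a tiny DH group and an
HMAC-SHA256 based stream cipher and tag.  Illustration only, no security.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1                # toy DH modulus (prime); far too small for real use
G = 3
NONCE_LEN, TAG_LEN = 24, 16   # the sizes NaCl's crypto_box uses
DECRYPT_CALLS = {"count": 0}  # instrumentation: how often the cipher actually ran


def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def beforenm(peer_pk, my_sk):
    """Expensive part, once per peer: DH agreement plus key derivation."""
    shared = pow(peer_pk, my_sk, P).to_bytes(16, "big")
    enc_key = hashlib.sha256(b"toy-box enc" + shared).digest()
    mac_key = hashlib.sha256(b"toy-box mac" + shared).digest()
    return enc_key, mac_key


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def afternm(m, nonce, k):
    """Cheap per-packet part: encrypt, then tag nonce||ciphertext (tag first)."""
    enc_key, mac_key = k
    assert len(nonce) == NONCE_LEN
    c = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, nonce, len(m))))
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()[:TAG_LEN]
    return tag + c


def open_afternm(box, nonce, k):
    """Verify the tag first (constant-time compare); only then decrypt."""
    enc_key, mac_key = k
    if len(box) < TAG_LEN or len(nonce) != NONCE_LEN:
        return None
    tag, c = box[:TAG_LEN], box[TAG_LEN:]
    expect = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None                       # forgery rejected, cipher never ran
    DECRYPT_CALLS["count"] += 1
    return bytes(a ^ b for a, b in zip(c, _keystream(enc_key, nonce, len(c))))


def box(m, nonce, peer_pk, my_sk):
    """The unsplit form: redoes the DH on every packet, which is the cost point 2 avoids."""
    return afternm(m, nonce, beforenm(peer_pk, my_sk))


def process_packets(k, packets):
    """Receiver loop over (nonce, box) pairs under one precomputed key.
    Returns (accepted, decryptions_performed)."""
    before = DECRYPT_CALLS["count"]
    accepted = sum(1 for nonce, b in packets if open_afternm(b, nonce, k) is not None)
    return accepted, DECRYPT_CALLS["count"] - before
```

With a flood of forged packets mixed into genuine traffic, process_packets reports exactly as many decryptions as genuine packets: the forgeries are dropped at the tag check.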
