Further Results and Considerations on Side Channel Attacks on RSA

The research presented in this chapter contains three parts. In the first part, we present a new side channel attack on a plaintext encrypted by EME-OAEP (PKCS#1 v2.1). In contrast with the recent, well-known Manger's attack [61], we attack directly that part of the plaintext which is shielded by the OAEP method. In the second part, we recall that Bleichenbacher's [16] and Manger's attacks on the RSA encryption schemes of PKCS#1 v1.5 and EME-OAEP (PKCS#1 v2.1) can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). In the third part, we deploy a general idea of fault-based attacks (we introduce the notion of a confirmation oracle) on the RSA-KEM [92] scheme, which was suggested as a possible solution to implementation attacks (e.g. side channel attacks), which seem to be constant problems of the PKCS#1 schemes. We present two particular attacks as examples to show that this solution is clearly not a definitive one. The result of these attacks is the private key instead of the plaintext, as with the attacks on PKCS#1 v1.5 and v2.1.
The success of the attack was practically verified and demonstrated on a version of the PGP(TM) program with a combination of the AES [34] and DH/DSS algorithms. As the private signature key is the basic information of the whole system which is kept secret, it is encrypted using a strong cipher. However, we show that this protection is weak, as the attacker has to attack neither this cipher nor the user's secret passphrase. A modification of the private key file in a certain manner and the subsequent capture of one signed message is sufficient for a successful attack. A vulnerability coming from insufficient protection of the integrity of the public as well as private parts of signature keys in the OpenPGP format is analyzed. On the basis of this, a procedure of attacks is shown on both DSA and RSA private signature keys. The attacks apply to all lengths of parameters (moduli, keys) of RSA and DSA. Cryptographic countermeasures for the correction of the OpenPGP format as well as the PGP(TM) format are proposed.

(Footnote: PGP is a registered trademark of Network Associates, Inc. All other registered and unregistered trademarks listed in this document are owned by their respective owners.)
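The countermeasure the abstract refers to (protecting the integrity of both the public and the private parts of a signature key) can be illustrated from the signer's side. The following Python is an added example, not code from the thesis or from any OpenPGP implementation: before a DSA key is used to sign, its public parameters are checked against each other and against the private value, so that a key file whose parameters have been altered is refused instead of being used to produce a signature. The toy-sized parameters (p = 23, q = 11, g = 4, x = 7, y = 8), the tampered copy, and the helper names are constructed for illustration; the same checks apply unchanged to full-size keys, and the RSA case mentioned in the abstract is not covered here.

```python
# Added example (not from the thesis): self-consistency checks on a DSA
# private key before signing. A key file whose public parameters have been
# altered should be refused by the signer; these checks catch such changes.
# Toy-sized constructed parameters are used so the example runs instantly.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; sufficient for a key self-check."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dsa_key(p: int, q: int, g: int, x: int, y: int) -> list:
    """Return the list of detected problems; an empty list means the public
    part (p, q, g, y) is consistent with the private value x."""
    problems = []
    if p < 3 or not is_probable_prime(p):
        problems.append("p is not prime")
    if q < 2 or not is_probable_prime(q):
        problems.append("q is not prime")
    if q < 2 or (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    if not 0 < x < q:
        problems.append("x out of range")
    # The public value must really belong to the private one; a replaced
    # p, q or g in the key file breaks this relation.
    if p < 2 or x < 0 or pow(g, x, p) != y:
        problems.append("y != g^x mod p")
    return problems


def key_is_safe_to_sign(key: dict) -> bool:
    """Gate for the signing routine: sign only with a self-consistent key."""
    return not check_dsa_key(**key)


# Constructed toy key: p = 23, q = 11 divides p - 1 = 22, g = 4 has order 11,
# x = 7 and y = 4^7 mod 23 = 8.
GOOD_KEY = {"p": 23, "q": 11, "g": 4, "x": 7, "y": 8}
# Constructed tampered copy: g replaced by 2 (also of order 11), y untouched.
TAMPERED_KEY = dict(GOOD_KEY, g=2)

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("tampered", TAMPERED_KEY)):
        print(name, "->", "sign" if key_is_safe_to_sign(key) else
              "refuse: " + "; ".join(check_dsa_key(**key)))
```

The signer runs check_dsa_key before every signature, not only at key generation, because the attack described above alters the stored key file after the key was created; a one-time check at generation would not notice the change.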
Practically, side channels are often represented as physical magnitudes which are in some way related to the activity of the cryptographic module being examined (the amount of time it takes to perform some operation, the power trace, the electromagnetic emanation, etc.). This overview chapter presents various general aspects of the theory of side channel cryptanalysis. It introduces the particular types of side channels known up to now and sketches how these side channels can be used for cryptanalytic purposes. It also proposes a general classification methodology which allows practically useful distinguishing between various channels and their analyses. Furthermore, it separates the terms channel, signal, analysis, and information, which should also be practically beneficial.

Attack on Private Signature Keys of the OpenPGP Format, PGP(TM) Programs and Other Applications Compatible with OpenPGP

In this chapter, we describe an attack on the OpenPGP format [87] which leads to the disclosure of private signature keys of DSA [33] and RSA. The OpenPGP format is used in a number of applications including PGP, GNU Privacy Guard and other programs specified on the publicly available list of products compatible with OpenPGP. Therefore all these applications shall undergo the same revision as the actual PGP program.
The relevant information on how and where the particular papers were published is included as footnotes at their respective starting pages. Short abstracts of each chapter, showing the main results obtained by the author, follow.

Side Channel Cryptanalysis: An Overview

The growing theory of side channel cryptanalysis shows the necessity of building and using general models of cryptographic modules when their security has to be examined. The traditional approach, used before, was to examine these modules as abstract mathematical functions without their connection to objective physical reality. It turns out that particular physical properties can prominently enlarge the set of vulnerabilities and available cryptanalytic techniques, and from here follows their impact on security. The information available due to particular physical properties is referred to as side information. The means by which the side information is transmitted are then referred to as side channels.
The main focus is on the area of side channel cryptanalysis, which is a highly promising and rapidly growing part of contemporary cryptanalysis. To design and/or suggest effective countermeasures against the discovered attacks. To contribute to a general theory of side channel cryptanalysis. Since this kind of cryptanalysis is the main tool used in the thesis, and since it is still rapidly growing, it would be desirable to try to independently generalize certain new ideas which were discovered for the purpose of the attacks presented. We note that this goal is mainly achieved in the overview part of the thesis (cf. Organization of the Thesis below), where a practical enhancement of the classification methodology is proposed. Certain general results and observations are also pointed out in the detailed descriptions of particular attacks.

Organization of the Thesis and Results Summary

The thesis consists of extended versions of papers which reflect the author's results obtained during his PhD research. Each paper represents one chapter of the thesis, indexed by letters A, B, and so on.
Furthermore, we did not have to solve any of those well-hard problems (here namely the discrete logarithm problem) to carry out our attack. What we actually did was to exploit a property of these schemes which tends to be constantly overlooked by many researchers. Certain evidence that answering the above mentioned questions is of crucial importance can be seen if we look carefully at the attacks studied and presented at various conferences in the past and nowadays. The attacks discussed in the past were almost solely focused on the cryptanalysis of intercepted cryptograms, while the ones presented nowadays somehow involve playing an interactive game between an attacker and her victim. This naturally reflects the way in which cryptosystems are implemented in practical applications. Being in the role of the attacker, we no longer have to rely solely on randomly intercepted cryptograms.
Playing the interactive game with our victim, we can adjust the conditions of our attack so as to end up with as easy a mathematical problem to solve as possible. Although it can perhaps be a bit disgusting for a beautiful mathematical mind, this subject must be studied and understood properly to tightly grasp what contemporary cryptology is all about, which is then necessary to be able to fight modern attackers. The author's opinion here is that even in this area of the so-called theory of applied cryptography, one can find very interesting problems for any taste of mathematical complexity and/or engineering practice. This is the main motto behind the papers written and completed in this thesis.

Goals of the Doctoral Thesis

The main goals of the dissertation are: to investigate several selected security standards which are widely used in contemporary security modules in order to see whether they are designed properly according to the particular key issues of modern cryptology (cf. Section 1.2); to propose, elaborate, and describe possible practical attacks based on the vulnerabilities found in these standards.
We may really say that it was a revolution in contemporary cryptology which, hopefully, changed the way of viewing and modeling cryptographic modules. However, it will probably take some time until this theory also becomes practice. At the time of completing the thesis (spring-summer of 2004), side channel attacks are still very dangerous and very few modules can be regarded as reasonably protected against them. Therefore, most of the papers included in this thesis are focused on side channel attacks, to illustrate their nature in depth together with some techniques to defeat them. The second key question is: What is the easiest problem an attacker has to solve to break the module in some way? As security architects, we should answer this question once we have the accurate threat model constructed in the previous step.
It is important to note that, for example, identifying potential side channels would be of no benefit if we underestimated the way they would help an attacker to break into the system. The core of the matter is that traditional theoretical cryptanalysis tends to be focused on well-known, well-hard problems (such as factorization, the discrete logarithm, etc.) [64, 103], while the particular problems an attacker has to solve in practice to be able to say that she broke the system are often essentially easier. The consequences of overlooking this aspect can again be easily seen from the unusually good results obtained by side channel attacks. However, side channels are not the only area where we can see that. As an example, we have also included in chapter G (see the organization notes below) a new kind of attack on the well-known signature schemes DSA and ECDSA [33, 64, 103]. This is not a side channel attack, but it can also introduce serious weaknesses in certain systems based on the growing phenomenon of electronic signatures.
The vulnerability is then defined as a set of conditions which allow the particular threat to harm the system (here, it could be a security hole in an authentication module, etc.). Since the set of concrete threats together with their characteristics is given mainly by the concrete environment in which the designed module will be used, it is absolutely necessary to answer the first question mentioned above and to make up an accurate threat model. In such a model, we must then carefully examine as many properties of the module as we can to verify whether the module will really remove all those vulnerabilities or not. Moreover, we must also check whether some new vulnerabilities would be introduced by applying this module. Otherwise, it may happen that the designed module will have a property that would turn out to be a serious vulnerability allowing a disastrous threat to occur. Although it may seem to be nothing more than repeating the basics of best design practice, reality shows that most devastating attacks are possible mainly because this code of best practice is constantly underestimated and overlooked. For instance, ignoring the physical properties of cryptographic modules (i.e. the environment which surrounds every physical device) motivated the development of a brand new, rapidly developing area of cryptanalytic techniques called side channel cryptanalysis. Roughly speaking, the introduction of this theory (by Paul Kocher around 1996 [56]) was the time when devastating attacks returned to the papers presented at conferences on cryptology.
Unfortunately, it does not. The main focus of the thesis is to draw attention to several topics in the area of applied cryptography which are very often neglected by many security architects. These topics will be demonstrated mainly on practically feasible attacks which were or would be possible because the architects of security modules or even standards did not pay appropriate attention to certain key aspects of applied cryptography. It turns out that, despite the surviving belief of various experts, following even highly trusted security standards is simply not enough to build a really secure security module. These standards can be used as useful hints of what we shall (not) do, but the definitive responsibility for checking potential vulnerabilities of a particular security module remains with its architects.

1.2 Main Issues of Modern Cryptology

There are two basic questions which seem to be so important for identifying and resolving potential vulnerabilities that even a highly skilled security architect should not regret paying appropriate attention to them. The first question is: What environment shall the designed module be used in? The main aim of every security module is to defeat certain vulnerabilities of a target system (for example an online banking application) in order to lower the risks coming from potential threats. For this purpose, a threat is defined as an event which could cause a certain loss to the subjects involved in using the particular application (here, it could be the threat of stealing access to somebody's banking account, etc.).
In the area of the theory of applied cryptography (as an integral part of modern cryptology), we will briefly show what this subject represents together with its current state of the art. The mainstream of applied cryptography can be seen in the development and implementation of various cryptographic and security standards. Standards such as AES [34], SHA-1 [32], DSA [33], ECDSA [33, 45], RSA [89], or standards such as PKCS [76, 77, 78, 79], etc., are good examples of that. These standards are kept up-to-date and made public. However, does this mean that anyone with a basic knowledge of computer architecture and discrete mathematics can simply build a secure cryptographic module by following these standards? Also, does this tell us that all cryptographic modules using the same cryptographic standard have the same level of security?
Chairman of the committee for the defence of the dissertation in the study field Informatics and Computer Engineering, Department of Computer Science, Faculty of Electrical Engineering, ČVUT v Praze, Karlovo náměstí 13, Praha 2

Contents:
State of the art
Main issues of modern cryptology
Goals of the doctoral thesis
Organization of the thesis and results summary
Chapter: Side channel cryptanalysis: an overview
Chapter: Attack on private signature keys of the OpenPGP format, PGP(TM) programs and other applications compatible with OpenPGP
Chapter: Further results and considerations on side channel attacks on RSA
Chapter: Strengthened encryption in the CBC mode
Chapter: Side channel attacks on CBC encrypted messages in the PKCS#7 format
Chapter: Attacking RSA-based sessions in SSL/TLS
Chapter: Key-collisions in (EC)DSA: attacking non-repudiation
Czech Technical University in Prague (ČVUT v Praze), Faculty of Electrical Engineering, Department of Computer Science. Dissertation theses. Ing. Tomáš Rosa: Modern Cryptology: Standards Are Not Enough. Doctoral study programme: Electrical Engineering and Informatics. Study field: 2612V025 - Informatics and Computer Engineering. Dissertation theses for obtaining the academic degree of Doctor. Prague, July 2004. The dissertation was prepared within the full-time form of doctoral study at the Department of Computer Science, Faculty of Electrical Engineering, ČVUT v Praze. Tomáš Rosa, Department of Computer Science, Faculty of Electrical Engineering, ČVUT v Praze, Karlovo náměstí 13, Praha 2. Supervisor: Doc. (name not preserved), Department of Computer Science, Faculty of Electrical Engineering, ČVUT v Praze, Karlovo náměstí 13, Praha 2. Opponents: (not preserved). The theses were distributed on (date not preserved). The defence of the dissertation takes place on (date not preserved) in the meeting room (not preserved) of the Faculty of Electrical Engineering, ČVUT v Praze, before the committee for the defence of the dissertation in the study field 2612V025 - Informatics and Computer Engineering. The dissertation is available at the Dean's Office of the Faculty of Electrical Engineering, ČVUT v Praze, at the Department for Science and Research, Technická 2, Praha 6 Dejvice.