

Some Challenges in Information Security (TRUST 2008)
Bart Preneel

Some Challenges in Information Security
Prof. Bart Preneel
COSIC, K.U.Leuven, Belgium
Bart.Preneel(at)
March 2008

Information processing
  • manual processing (10^2)
  • mechanical processing (10^4)
  • mainframe (10^5)
  • PCs and LANs (10^7)
  • Internet and mobile (10^9)
  • the Internet of things, ubiquitous computing, pervasive computing, ambient intelligence (10^12)

Exponential growth (Ray Kurzweil)
  • Human brain: 10^14 … 10^15 ops and 10^13 bits memory
  • 2025: 1 computer can perform 10^16 ops (2^53)
  • 2013: 10^13 RAM bits (1 Terabyte) cost 1000$

Context

  Era     Cryptology research                              Implementations and deployment
  70      DES, RSA, DH, CBC-MAC                            HARDWARE; limited (govt+financial sector)
  80      Provable security (PKC), ZK, ElGamal, ECC,       DES, 3DES
          stream ciphers
  90      MD4, MD5, Provable security (SKC), Key escrow,   SOFTWARE: GSM, PGP, C libraries (RSA, DH),
          How to use RSA?, Alternatives to RSA, PKI        SSL/TLS, IPsec, SSH, S/MIME, Java crypto
                                                           libraries, WLAN
  2000s   AES, ID-Based Crypto                             EVERYWHERE: Trusted computing, DRM, 3GPP,
                                                           RFID, sensor nodes

Implementations in embedded systems (slide credit: Prof. Ingrid Verbauwhede)
  • Protocol: Wireless authentication protocol
  • Algorithm: Embedded fingerprint matching algorithms, crypto algorithms
  • Architecture: Co-design, HW/SW, SOC
  • Micro-Architecture: co-processor design
  • Circuit: Circuit techniques to combat side channel analysis attacks
  [Figure: design-stack diagram with the labels Confidentiality, Integrity, SIM, Cipher Design, Java, JCA, Crypto, MEM, Vcc, D]
  Technology aware solutions?


cryptography ≠ security
  • crypto is only a tiny piece of the security puzzle
      – but an important one
  • most systems break elsewhere
      – incorrect requirements or specifications
      – implementation errors
      – application level
      – social engineering

Outline
  • Complexity
  • Evaluation
  • Human factor
  • Economics
  • Privacy
  • Cryptology
  • [Adi Shamir] We are winning yesterday's information security battles, but we are losing the war. Security gets worse by a factor of 2 every year

Complexity
  • Billions of devices
  • EMV specifications: thousands of pages
  • O/S: 50-100 millions of lines of code
  • Virtual machines
  • Middleware
  • Application software
  • Smart cards: used to be simple ☺
  • TPM: 125 commands and hundreds of pages of
  Have we learned how to manage complexity?

Evaluation
  • Conformance testing
  • Security evaluation: FIPS and CC
      – a step forward but are we stuck with this approach for the next 20 years?
  • How to check a hardware random number generator?
  • Is protection profile correct?
  • What about new threats and attacks?
  • What about upgrades?
  • How open is the procedure?
  • Evaluators have incentive for product to pass
  • Is every lab reliable? (mutual recognition)
  Research on security evaluation?

Privacy breaches
  • Lost control of sensitive data concerning millions of victims in total:
      – payroll handler PayMaxx, Bank of America, San Jose Medical Group, California State University at Chico, Boston College, University of California at Berkeley, and a large shoe retailer called DSW, ChoicePoint, LexisNexis
  • US Citizens: complaints received by FTC for identity theft/fraud in general
      – 2005: 255,000/431,000
      – 2007: 246,000/674,000
      – total numbers are claimed to be 10 million +
  • UK (Nov 2007): 25 million records lost on a CD in the mail

Privacy and technology
  • search engines
  • XML
  • biometry
  • location (GSM, GPS)
  • printers
  • DRM
  • spyware and cookies
  • huge databases
  • data mining
  • video cameras
  • RFID
  PET: Privacy Enhancing Technologies
  • proxies
  • pseudonyms
  • cryptology
  • mixes
  • credentials


The privacy debate
  • user: convenience and improved service
  • businesses:
      – protect company assets (email, DRM)
      – price discrimination
  • law enforcement: fraud, theft, stalking, counterfeiting
  • national security

Balancing the rights of
  • privacy is essential for a democracy
  • legislation
  • technology
  privacy versus security: a false trade-off?

Challenges: human factors

Human factors
  • unusable security
  • passwords
  • phishing
      – growing problem: more than 25.000 reports per month
      – even by legitimate companies
      – even experts can't tell

Password lengths
  [Figure: bar chart of password strength in bits (y-axis from 0, with 20 marked) for passwords of 5, 6, 7, 8, 9 and 10 characters, for the character sets lower case, lower case + digits, mixed case + digits, and keyboard; annotation: … law: lose 1 bit every 18 months]
  • Users can no longer remember passwords that are resistant against exhaustive search
      – Things can be improved with very slow password hashing
  • Need to make sure that number of guessing attempts is limited; in that case 30-bit security is sufficient
  • Need to make sure that passwords are not intercepted in networks or on end systems (including phishing)

Economics of security
  • systems are often insecure because no investment is made in security
      – entity benefiting from investment is not the entity paying for it (the Tragedy of the Commons)
  • examples:
      – software (no liability)
      – DDOS
      – credit cards
      – …
  • See: Ross Anderson: Why Information Security is Hard. An Economic Perspective
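The password slide makes three quantitative points: strength in bits grows linearly with length and with the logarithm of the character-set size, exhaustive search erodes that strength by one bit every 18 months, and a password only needs about 30 bits when the number of guesses is limited. The following Python script, added here as an illustration and not part of the original slides, recomputes the chart's numbers and the two mitigations (slow hashing and guess limiting). The character-set sizes (26, 36, 62, 95) and the 2^17 slow-hash cost used in the demo are assumptions chosen for the example.

```python
import math

# Character-class sizes for the four categories in the chart. These sizes are
# assumptions made for this example: 26 lower-case letters, 10 digits, 52
# letters in mixed case, and 95 printable characters on a US keyboard.
CHARSETS = {
    "lower case": 26,
    "lower case + digits": 36,
    "mixed case + digits": 62,
    "keyboard": 95,
}
LENGTHS = range(5, 11)   # 5 ... 10 characters, the bars of the chart


def password_bits(charset_size, length):
    """Strength in bits of a uniformly random password: log2(charset^length)."""
    return length * math.log2(charset_size)


def strength_table():
    """The chart as numbers: bits for every (character set, length) pair."""
    return {name: {n: round(password_bits(size, n), 1) for n in LENGTHS}
            for name, size in CHARSETS.items()}


def bits_after_years(bits, years):
    """Strength against exhaustive search after the attacker's hardware has
    improved for `years`: one bit is lost every 18 months."""
    return bits - years / 1.5


def min_length_for(target_bits, charset_size):
    """Shortest random password from this character set reaching target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def effective_bits_with_slow_hash(bits, hash_cost_bits):
    """Slow password hashing that costs 2^hash_cost_bits primitive calls per
    guess multiplies the attacker's work by the same factor, which is the
    same as adding hash_cost_bits to the password's strength."""
    return bits + hash_cost_bits


def online_guess_success(bits, allowed_guesses):
    """Probability that an attacker limited to allowed_guesses attempts hits a
    uniformly random password of the given strength (union bound, capped at 1).
    This is why 30 bits suffice when the guess count is enforced."""
    return min(1.0, allowed_guesses / 2 ** bits)


if __name__ == "__main__":
    for name, row in strength_table().items():
        print(f"{name:22s}", " ".join(f"{row[n]:5.1f}" for n in LENGTHS))
    eight_lower = password_bits(26, 8)
    print("8 lower-case chars today:", round(eight_lower, 1), "bits")
    print("the same password 15 years later:", round(bits_after_years(eight_lower, 15), 1), "bits")
    print("with a 2^17-cost slow hash:", round(effective_bits_with_slow_hash(eight_lower, 17), 1), "bits")
    print("30-bit password, 1000 online guesses allowed:",
          f"{online_guess_success(30, 1000):.2e} success probability")
    print("lower-case length needed for 30 bits:", min_length_for(30, 26))
```

The two mitigations do different jobs: slow hashing raises the cost of each offline guess once a password database has leaked, while the guess limit is what makes 30 bits enough against online attempts; neither helps against a password captured by phishing, which is the slide's third point.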


Challenges for crypto
  • security for 50-100 years
  • authenticated encryption of Terabit/s
  • ultra-low power/footprint
  • secure software and hardware
  • Algorithm agility
  [Figure: trade-off triangle with the vertices Performance, Cost and Security]

Outline
  • Block ciphers
  • Hash functions
  • Public-key cryptology
  • Protocols
  • Implementations issues
  • Research challenges

Block cipher
  [Figure: plaintext blocks P1, P2, P3 each pass through the block cipher and yield ciphertext blocks C1, C2, C3]
  • larger data units: 64…128 bits
  • memoryless
  • repeat simple operation (round) many times

Block ciphers
  • 3-DES (112-168)
  • AES (128-192-256)
  • KASUMI (128 in 3G, 64 in 2G)
  • IDEA (128)
  Symmetric key lengths (bits): 0 to 50: insecure; 50 to 80: ?; 80 to 128: secure

DES (1977)
  • 56-bit key length is too short
  • 25/10/99: DES reaffirmed for the 4th time as FIPS 46-3
  • 2007: $1 million search machine: 20 seconds
      – cost per key: less than $0.50
  • 2007: 500 PCs at night: 1 month
      – Cost per key: essentially 0 (+ some patience)

Federal Register, July 24, 2004
  DEPARTMENT OF COMMERCE
  National Institute of Standards and Technology
  [Docket No. 040602169–4169–01]
  Announcing Proposed Withdrawal of Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) and Request for Comments
  AGENCY: National Institute of Standards and Technology (NIST), Commerce.
  ACTION: Notice; request for comments.
  SUMMARY: The Data Encryption Standard (DES), currently specified in Federal Information Processing Standard (FIPS) 46–3, was evaluated pursuant to its scheduled review. At the conclusion of this review, NIST determined that the strength of the DES algorithm is no longer sufficient to adequately protect Federal government information. As a result, NIST proposes to withdraw FIPS 46–3, and the associated FIPS 74 and FIPS 81. Future use of DES by Federal agencies is to be permitted only as a component function of the Triple Data Encryption Algorithm (TDEA).


3-DES: NIST Spec. Pub. 800-67 (May 2004)
  • two-key triple DES: until 2009
  • three-key triple DES: until 2030
  [Figure: clear text → DES (key 1) → DES^-1 (key 2) → DES (key 3) → ciphertext "%^C&@&^("]
  Financial sector will not be ready with upgrade to 3-key 3-DES in 2010

AES (2001)
  • open competition: 1997-2000
  • FIPS 197 published on December 2001
  • mandatory for sensitive US govt. information
  • fast adoption in the market
      – > 1000 products
      – October 2007: 650 AES product certifications by NIST
      – standardization: ISO, IETF, IEEE 802.11,…
  • slower adoption in financial sector
  • mid 2003: AES-128 also for classified information and AES-192/-256 for secret and top secret information!
  AES may well be the last block cipher

AES/Rijndael
  [Figure: round structure with the Key Schedule feeding each round; a round applies 16 S-boxes (S) followed by MixColumns on each of the four columns, repeated over the rounds]
  • Key length: 16/24/32 bytes
  • Block length: 16 bytes
  A machine that cracks a DES key in 1 second would take 149 trillion years to crack a 128-bit key

AES: rich mathematical structure
  • very compact/efficient implementations
      – SW: 14 cycles per byte or 1-2 Gbit/s on high end PCs
      – HW: most compact: 3600 gates
      – HW: fastest up to 43 Gbit/s in 130nm CMOS
  • security
      – No attack has been found that can exploit this structure (in spite of earlier claims)
      – main threat is implementation level attack (cache timing, fault attacks): requires special countermeasures

Modes of Operation for AES
  • encryption: ECB/CBC/CFB/OFB; new CTR mode allows for pipelining (Dec '01)
  • data authentication: CMAC (May '05, was OMAC), EMAC
  • applications need authenticated encryption:
      – GCM Galois Counter Mode (final draft: July 07)
  Issues:
  • associated data
  • parallelizable
  • on-line
  • provable security
  Schemes: IAPM, XECB, OCB, GCM, EAX, CCM

Hash functions
  • MDC (manipulation detection code)
  • Protect short hash value rather than long text
  • collision resistance
  • preimage resistance
  • 2nd preimage
  [Figure: the input text "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)." passes through h and yields 1A3FD4128A198FB3CA345932]


Security requirements (n-bit result)
  • preimage: given h(x), find x                              2^n
  • 2nd preimage: given x, find x' ≠ x with h(x) = h(x')      2^n
  • collision: find x ≠ x' with h(x) = h(x')                  2^(n/2)
  > 90% of all designs for collision resistant hash functions are broken

MDx-type hash function history
  90: MD4, Ext. MD4
  91: MD5
  92: HAVAL, RIPEMD
  93: SHA
  94: SHA-1
  later: SHA-256
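The generic costs on the security-requirements slide (2^n for a preimage or second preimage, 2^(n/2) for a collision because of the birthday paradox) can be observed directly on a hash small enough to search. The script below is an added illustration, not part of the slides: it truncates SHA-256 to n bits as a stand-in for an ideal n-bit hash (a construction chosen for this example) and runs the three generic attacks, reporting how many evaluations each needed against the expected 2^n or 2^(n/2). The `pre:`, `2nd:` and `col:` prefixes are arbitrary namespaces so the searches draw from different inputs.

```python
import hashlib
from itertools import count


def h(x: bytes, n_bits: int) -> int:
    """Toy n-bit hash for this example: SHA-256 truncated to its n most
    significant bits. Truncation keeps the generic attacks visible at sizes a
    laptop can search; the real 256-bit function is out of reach."""
    digest = hashlib.sha256(x).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def generic_attack_cost(n_bits: int) -> dict:
    """Expected work of the generic attacks on an ideal n-bit hash (the table
    on the slide)."""
    return {"preimage": 2 ** n_bits,
            "2nd preimage": 2 ** n_bits,
            "collision": 2 ** (n_bits // 2)}


def find_preimage(target: int, n_bits: int, max_trials: int):
    """Brute-force preimage: each candidate matches with probability 2^-n,
    so about 2^n trials are expected. Returns (x, trials) or (None, max_trials)."""
    for i in range(max_trials):
        x = b"pre:" + i.to_bytes(8, "big")
        if h(x, n_bits) == target:
            return x, i + 1
    return None, max_trials


def find_second_preimage(x: bytes, n_bits: int, max_trials: int):
    """Second preimage: the same 2^n search, but the answer must differ from x."""
    target = h(x, n_bits)
    for i in range(max_trials):
        cand = b"2nd:" + i.to_bytes(8, "big")
        if cand != x and h(cand, n_bits) == target:
            return cand, i + 1
    return None, max_trials


def find_collision(n_bits: int):
    """Birthday search: remember every hash value seen; the first repeat is a
    collision between two distinct inputs. After k trials there are about
    k^2/2 candidate pairs, so a repeat is expected once k is near 2^(n/2).
    Returns (x1, x2, trials)."""
    seen = {}
    for i in count():
        x = b"col:" + i.to_bytes(8, "big")
        v = h(x, n_bits)
        if v in seen:
            return seen[v], x, i + 1
        seen[v] = x


if __name__ == "__main__":
    n = 32
    x1, x2, trials = find_collision(n)
    print(f"{n}-bit collision after {trials} evaluations "
          f"(expected about {generic_attack_cost(n)['collision']}): "
          f"{x1!r} and {x2!r} both hash to {h(x1, n):08x}")
    n = 16   # 2^16 expected trials; 2^32 would take far longer
    target = h(b"hello", n)
    x, trials = find_preimage(target, n, 2 ** 20)
    print(f"{n}-bit preimage after {trials} evaluations "
          f"(expected about {generic_attack_cost(n)['preimage']})")
    y, trials = find_second_preimage(b"hello", n, 2 ** 20)
    print(f"{n}-bit second preimage after {trials} evaluations")
```

Doubling n doubles the work of the collision search only by a factor of 2^(1/2) per extra bit, which is why a 128-bit hash offers only 64-bit collision resistance; the birthday search also needs memory for every value seen, whereas the preimage searches run in constant memory.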

MD5
  • Advice (RIPE since '92, RSA since '96): stop using MD5
  • Largely ignored by industry (click on a cert...)
  • Collisions for MD5 are within range of a brute force attack anyway (2^64): with 100.000$ a few days
  • [Wang+'04] collision in 15 minutes on a PC
  • 2007: collisions in seconds

SHA-1
  • SHA designed by NIST (NSA) in '93
  • redesign after 2 years ('95) to SHA-1
  • Collisions found for SHA-0 in 2^51 [Joux+'04]
  • Reduced to 2^39 [Wang+'05] and 2^32 [Rechberger+'07]
  • Collisions for SHA-1 in 2^63 [Wang+'05]
  • Collisions for SHA-1 found for 70 out of 80 rounds [De Cannière-Mendel-Rechberger'07] in 2^44
  • Prediction: collision for SHA-1 in 2008; complexity estimate is 2^60 [Rechberger+'07]

From: "Cryptography Simplified in Microsoft .NET", Paul D. Sheriff ( [Nov. 2003]

  How to Choose an Algorithm
  • For example, SHA1 uses a 160-bit encryption key, whereas MD5 uses a 128-bit encryption key; thus, SHA1 is more secure than MD5.
  • Another point to consider about hashing algorithms is whether or not there are practical or theoretical possibilities of collisions. Collisions are bad since two different words could produce the same hash. SHA1, for example, has no practical or theoretical possibilities of collision. MD5 has the possibility of theoretical collisions, but no practical possibilities.

  In March 2008 this information is still available on MSDN


Hash function attacks: impact
• collisions problematic for the future
  – digital signatures for non-repudiation (cf. traffic tickets in Australia?)
• 2nd preimage only a problem for MD4
• HMAC-MD4 broken, HMAC-MD5 questionable for the long term
• RIPEMD-160 seems more secure than SHA-1 ☺
• use more recent standards (slower)
  – SHA-256, SHA-512
  – Whirlpool
• upgrading MD5 and SHA-1 in Internet protocols:
  – it doesn’t work: algorithm flexibility is much harder than expected
• NIST will run an open competition from 2008 to 2012

Lightweight crypto
• SQUASH [Shamir07] – Crypto rump session
  – MAC algorithm for authentication in RFID chips
  – only 500 gates
  – security is related to modular squaring (Rabin cryptosystem)
• PRESENT [Bogdanov07] – CHES 2007
  – 64-bit block cipher for RFID chips
  – only 1750 gates (compare to 3600 for AES)
• Stream ciphers: because of time-memory trade-offs, 80-bit security needs a 160-bit internal state, and that state alone costs about 1000 gates

Outline
• Context
• Block ciphers
• Hash functions
• Public-key cryptology
• Protocols
• Implementation issues
• Research challenges

RSA: factorisation records
[Chart: factoring effort (log scale) and record size in digits (1 digit ~ 3.3 bits) versus year, 1964 to 2004; the 512-bit and 663-bit (200-digit) records are marked]

Factorisation
• New record in May 2005: 663 bits (or 200 digits) using NFS
• New record in May 2007: 2^1039 - 1 (313 digits) using SNFS
• hardware factoring machine: TWIRL [TS’03] (The Weizmann Institute Relation Locator)
  – initial R&D cost of ~$20M
  – 512-bit RSA keys can be factored with a device costing $5K in about 10 minutes
  – 1024-bit RSA keys can be factored with a device costing $10M in about 6 weeks
• ECRYPT statement on key lengths and parameters
  – 768-bit factorization in 2008 and 896-bit factorization in 2010

Key lengths for confidentiality (key sizes in bits)

  duration        symmetric    RSA    ECC
  days/hours          50        512   100
  5 years             73       1024   146
  10-20 years        103       2048   206
  30-50 years        141       4096   282

Assumptions: no quantum computers; no breakthroughs; limited budget


RSA Signatures: PKCS #1 v1.5                                   [source: RSA Labs]
M → Hash → H; the encoded message that is signed is
  00 01 ff ff ff ff ff … ff ff ff 00 HashID H
Most signature verification software would accept a signature on M of the following form:
  00 01 ff … ff 00 HashID H Magic

Attack on PKCS #1 v1.5 implementations
• Consider RSA with public exponent 3
• For any hash value H, it is easy to compute a string “Magic” such that the above string is a perfect cube of 3072 bits
• Consequence:
  – one can sign any message (H) without knowing the private key
  – this signature works for any public key that is longer than 3072 bits
• Vulnerable: OpenSSL, Mozilla NSS, GnuTLS
• Fix:
  – write proper verification code (but the signer cannot know which code the verifier will use)
  – use a public exponent that is at least 32 bits long
  – upgrade – finally – to RSA-PSS
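Worked example of the e = 3 forgery above, added here; it is not code from the talk or from any of the libraries named on the slide. It assumes SHA-1 as the hash (its 15-byte DigestInfo prefix plays the role of the slide’s “HashID”), a stand-in 3072-bit modulus that is just a random odd number (the forgery never uses the factorisation, only that n exceeds the cube), and two verifiers written for the example: a lenient one that parses 00 01 ff…ff 00 HashID H and ignores whatever follows, and a strict one that rebuilds the entire encoded message and compares it byte for byte. Function names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-1 (the "HashID" of the slide)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def icbrt(n: int) -> int:
    """Floor of the integer cube root of n (Newton iteration from above)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def digest_info(message: bytes) -> bytes:
    return SHA1_DIGESTINFO + hashlib.sha1(message).digest()


def lenient_verify(n: int, e: int, sig: int, message: bytes) -> bool:
    """Parse-and-compare verifier of the kind the slide describes: it walks
    00 01 ff..ff 00 HashID H and never looks at the bytes after H ("Magic")."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t      # BUG: trailing bytes unchecked


def strict_verify(n: int, e: int, sig: int, message: bytes) -> bool:
    """Proper PKCS #1 v1.5 verification: rebuild the whole k-byte encoded
    message and compare it in full, so nothing can be smuggled after H."""
    k = (n.bit_length() + 7) // 8
    t = digest_info(message)
    if k < len(t) + 11:                        # room for 00 01, >= 8 ff, 00
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    em = pow(sig, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, expected)


def forge_signature(message: bytes, modulus_bits: int) -> int:
    """e = 3 forgery: take the shortest legal padding (8 ff bytes), append
    zeros up to the key length, and use the ceiling of the cube root. Cubing
    it reproduces the prefix exactly; the rounding error lands in the low
    zero bytes and becomes "Magic". No private key is involved."""
    k = modulus_bits // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return icbrt(target) + 1


def make_demo_modulus(bits: int) -> int:
    """Stand-in public modulus (constructed for the example): a random odd
    integer of exactly `bits` bits, not a product of two primes. The forgery
    only needs n to be larger than the cube, so that is irrelevant here."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def demo(modulus_bits: int = 3072):
    """Return (lenient accepts?, strict accepts?) for a forged signature."""
    n, e = make_demo_modulus(modulus_bits), 3
    msg = b"pay 1000 EUR to Mallory"            # constructed sample message
    sig = forge_signature(msg, modulus_bits)
    return lenient_verify(n, e, sig, msg), strict_verify(n, e, sig, msg)


if __name__ == "__main__":
    print("3072-bit key, (lenient, strict):", demo(3072))   # (True, False)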

Protocols (1)
• key transport (email)
• authenticated key agreement (TLS, SSH, GSM, UMTS)
• time-stamping
• notarisation
• credentials (TPM)
• anonymous communication
• e-cash
• voting
• auctions
• threshold cryptography
• robust networking

Protocols (2)
• multi-party computation
• threshold crypto
• privacy protecting data mining
• social and group crypto
• decryption based on location and context
• distance bounding
“you can trust it because you don’t have to”

Models and reality
[Slide consists of a figure; no text recovered]

Implementations: side channel attacks
[Figures: RSA; first round of DES (expansion)]


Implementation attacks
Sun Tzu, The Art of War: “In war, avoid what is strong and attack what is weak”
• measure: time, power, electromagnetic radiation, sound
• introduce faults (even in CPUs)
• combine with statistical analysis and cryptanalysis
• software: API attacks
• major impact on implementation cost
L.R. Knudsen: “It is not cryptanalysis, it is vandalism”

Challenges for long term security
• cryptanalysis improves:
  – mathematical attacks: A5/1, E0, MD5, SHA-1
  – implementation attacks
• computational power increases:
  – Moore’s law
  – exponential progress with quantum computers?
• environment changes – new assumptions:
  – packet switched networking
  – open networks
  – dynamic networks
  – untrusted nodes
  – ratio of CPU power to memory size

New computational models: quantum computers?
• exponential parallelism: n coupled quantum bits give 2^n degrees of freedom!
• Shor 1994: perfect for factoring
• But: can a quantum computer be built?

If a large quantum computer can be built...
• All schemes based on factoring (such as RSA) will be insecure
• Same for discrete log (ECC)
• Symmetric key sizes: x2
• Hash sizes: x1.5
• Alternatives: McEliece, HFE, NTRU, …
• So far it seems very hard to match the performance of current systems while keeping the security level against conventional attacks

[Photo, 2001: 4-channel Varian with an 11.7 T Oxford magnet; picture of the room-temperature bore; 15 = 5 x 3; “grad students in sunny California...”]

News on 13 Sept. 2007
• “Two independent teams (led by Andrew White at the University of Queensland in Brisbane, Australia, and the other by Chao-Yang Lu of the University of Science and Technology of China, in Hefei) have implemented Shor’s algorithm using rudimentary laser-based quantum computers”
• Both teams have managed to factor 15, again using special properties of the number
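Shor’s algorithm is classical except for one step: finding the order r of a base a modulo N. The Python example below is added here (it is not from the talk) and replaces that quantum step with brute-force order finding, so it only scales to toy moduli; what it shows is the reduction the factoring-15 experiments above rely on, namely that a correct order for N = 15 gives the factors 3 and 5 through two gcd computations. The base-selection loop and the function names are assumptions of the example.

```python
from math import gcd


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), found by brute force.
    This is the step Shor's period-finding routine does on a quantum
    computer; classically it costs up to n steps, which is exactly what
    makes factoring hard for large n."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """Shor's classical reduction: with r the order of a mod n, if r is even
    and a^(r/2) != -1 (mod n) then gcd(a^(r/2) - 1, n) and gcd(a^(r/2) + 1, n)
    are non-trivial factors. Returns the sorted factor pair, or None when a
    is a bad base (odd order or a^(r/2) = -1)."""
    g = gcd(a, n)
    if g not in (1, n):
        return tuple(sorted((g, n // g)))        # a already shares a factor
    r = multiplicative_order(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for f in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < f < n:
            return tuple(sorted((f, n // f)))
    return None


def shor_factor(n: int):
    """Try bases a = 2, 3, ... until the reduction yields factors.
    Returns ((p, q), a). For n = 15 the first base a = 2 already works:
    order 4, 2^2 = 4, gcd(3, 15) = 3 and gcd(5, 15) = 5."""
    for a in range(2, n):
        result = factor_from_order(n, a)
        if result:
            return result, a
    return None, None


if __name__ == "__main__":
    for n in (15, 21, 35):
        print(n, "=", "x".join(map(str, shor_factor(n)[0])),
              "(base", shor_factor(n)[1], ")")
```

Bases such as a = 14 for N = 15 fail because 14 has order 2 and 14 = -1 (mod 15); Shor’s analysis shows a random base succeeds with probability at least 1/2, which is why the loop over bases terminates quickly. Replacing multiplicative_order with the quantum period-finding step is what turns this into a polynomial-time factoring algorithm.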


Layers
[Diagram: applications / primitives / algorithms / assumptions]
Proofs: link security at different levels in a quantitative way
L.R. Knudsen: “If it is provably secure, it is probably not”

Assumptions
• research on hard problems?
  James L. Massey: “A hard problem is one that nobody works on”
• good lower bounds
• average vs worst case
• find new hard problems

Challenges for crypto
• security for 50-100 years
• authenticated encryption at Terabit/s
• ultra-low power/footprint
• secure software and hardware implementations
• algorithm agility
[Diagram: the trade-off triangle Performance – Cost – Security]

The power challenge: AES-128 speed/power for various platforms (Gb/Joule)
[Chart: for each platform (CMOS, FPGA, PIII, C on embedded Sparc, Java on embedded Sparc) the speed (1 Kbit/s to 1 Gbit/s), the power (mWatt to Watt) and the speed/power ratio (1 to 10^6)]

Demand in applications versus maturity
[Chart: demand in applications (low to high) against maturity (low to high). Hash functions, public key operations and block ciphers sit at high demand and high maturity; stream ciphers and simple protocols somewhat lower; protocols at low maturity]

Life cycle of a cryptographic algorithm
idea → mathematical analysis → publication → public evaluation → OK (or RIP) → hw/sw implementation → standardization → industrial products $$$ → take out of service


Challenges for advanced crypto
• privacy enhancing technologies
• linking crypto with the physical world
  – biometrics, physically uncloneable functions
• distributed secure execution
• whitebox cryptography
• cryptography in the encrypted domain
  – searching in encrypted databases – data mining on health care data
  – zero knowledge watermarking – intelligent media sharing
• perceptual hashing
• crypto for nanotechnology

• The “security problem” is not solved
  – Many challenging problems ahead…
  – Make sure that you can upgrade your crypto algorithm and protocol
  – Bring advanced cryptographic protocols to implementations
When will the IACR hold its elections on-line?
When will everyone pay with e-cash?
Can we reconcile privacy, DRM and data mining?

     The end

                                                     Thank you for
                                                     your attention

