Security Can Only Be Measured by Attacks Feng BAO Principal Scientist - PowerPoint PPT Presentation

1
Security Can Only Be Measured by Attacks
Feng BAO, Principal Scientist, Dept Head, Cryptography & Security Department
2
Department Staff Profile
  • 42 staff in total
  • 40% PhD, 60% Masters
  • International: Singapore, Australia, China,
    Greece, India, Indonesia, Korea, Malaysia, UK,
    USA (10 countries)

3
Department's Thrusts and Projects
Thrusts:
  • Applied Cryptography
  • Network System Security
  • Digit Management Security
Projects:
  • Symmetric Key Cryptosystems
  • Public Key Cryptosystems and Protocols
  • Personal DRM, Enterprise DRM
  • Defending Malware
  • RFID Security
  • Mobile/Sensor Network Security
  • ACAR
4
Projects completed in the past
  • NetProtect: Secure virtual private network
  • Sento: Secure ExtraNet on Trusted OS
  • Secure XML: Secure XML document access (IP)
  • CopyProtect: Digital copy protection (IP)
  • KentSafe: Web based secure digital safe (IP)
  • FX: Fair exchange of digital valuables (IP)
  • UbiCash: A practical e-payment scheme (IP)
  • EPKI: Enterprise public key infrastructure
  • KentCert: Compact PKI, toward handheld devices
  • Advanced PKI: New PKI scheme without RCL (IP)
  • SECKIT: Secure efficient crypto kit (IP)
  • CAP: Crypto acceleration cards
  • C-One: Internet CashCard
  • Secure VoIP: Secret key establishment by voice (IP)
  • RCrypto: Resilient public key server (IP)
  • 8 technology transfers from the above

Areas: VPN, DocS, e-commerce, PKI, Crypto, authentication
5
Research Achievements
  • 500 publications in international journals/conferences
  • 40 patents granted and filed
  • Broke 60 cryptosystems/secure protocols:
    encryption algorithms, digital signature schemes,
    security protocols, watermarking schemes, DRM
    schemes.
  • e.g., Bluetooth encryption, DRM of MS Media
    Player, NTRU's PASS, Micali's contract signing
    protocol US5666420 (PODC 2003), MS Office
    Encryption, etc.

6
(No Transcript)
7
Activities in International Security Community
  • Hosted 8 international conferences: ACM CCS, ICICS,
    ISPEC, ISC, IWAP, MADNESS, ACNS, PKC. 7
    international journal editorships. 50
    person-times/year as PC member for the following
    conferences:
  • Eurocrypt, Asiacrypt, PKC, ACNS, Indocrypt, Mycrypt,
    DRMTICS, VieCrypt, CHES, IEEE S&P, ACM CCS, GlobeCom,
    IFIP TrustBus, IEEE ICC, SecureCom, UsenixSec, WWW,
    ICICS, ISC, ACISP, WISA, ICISC, ISPEC, IWAP, ASIACCS,
    ESORICS

8
International Standard Involvement
  • ISO/IEC JTC 1/SC 29/WG 1: Flexible
    authentication and access control for JPEG2000
    image code-streams, 5 proposals incorporated in
    ISO/IEC 15444-8, Apr. 15, 2007.
  • IETF/WG Mobopts: Mobile IPv6 Location Privacy
    Solution, status WG document (RFC soon)
    http://www.ietf.org/internet-drafts/draft-irtf-mobopts-location-privacy-solutions-04.txt
  • eSTREAM-ECRYPT: HC selected in the software
    implementation group

9
Other Activities
  • Security Technologies for Ministry of Defense
  • National Information Technology Standard
    Committee of Singapore (e.g., SC27/ISO, Chairman
    of PKI WG under NITSC, IDA)
  • Technical Advisers for local industry
  • Manpower training for local industry
  • Member of Asiacrypt Steering Committee
    representing Singapore
  • Research collaborations (Kyushu Uni, EU, EADS,
    DSTA, SMU, etc.)

10
(No Transcript)
11
(No Transcript)
12
Security can only be measured by attacks
  • What is security?
  • You can defeat all the attacks
  • You hold the advantage over all your enemies
  • Ignorance or oversight of attacks causes most of
    the insecurity.
  • Vulnerabilities vs attacks
  • Economics of information security
  • The difference between security and reliability

13
The list of selected 30 of our attacks (1)
  • a1: break a cellular automata cryptosystem, IEEE Trans. Computers
  • a2: break a provably secure encryption with homomorphism (Wagner late)
  • a3: break three oblivious transfer protocols
  • a4: propose a new attack method on block ciphers, CANS
  • a5: break a hash function design principle
  • a6: break a fast encryption algorithm for multimedia, FEA-M from NTU
  • a7: break a chaos system cipher from IEEE Trans.
  • a8: break a group signature scheme from ICICS 02
  • a9: break a group signature scheme from ACM CCS 01
  • a10: break a password authenticated key exchange protocol, ISC 03
  • a11: break Lancaster, an access control protocol
  • a12: break Stanford, an authentication protocol
  • a13: break Micali's fair contract signing protocol, ACISP 04
  • a14: break an anonymous buyer-seller watermarking protocol
  • a15: break a PAKE protocol from ACISP 03
14
The list of selected 30 of our attacks (2)
  • a16: break AMP, a contribution to IEEE standard P1363
  • a17: break MS Office encryption scheme
  • a18: break Whitenoise, a stream cipher product of Tinnitus
  • a19: break a tele-conference scheme with dynamic participation
  • a20: break an untraceable fair network payment protocol
  • a21: break two fair exchange of digital signature schemes
  • a22: break COSvd, a stream cipher for Ecrypt
  • a23: break a signcryption scheme from ICICS 03
  • a24: break a signcryption scheme from ACNS 03
  • a25: break a (t,n) threshold proxy signature scheme
  • a26: break a multi-key secure video proxy scheme from ACM MM
  • a27: break two EEPROM key protection schemes from IEEE S&P
  • a28: break a forward secure blind signature scheme from ICICS 03
  • a29: attack and construct a designated-verifier signature scheme, ICALP
  • a30: break a nominative signature scheme from ICICS
15
Distribution of our attacks
16
Lessons from the Attacks
  • 1. A formal security proof does not necessarily
    guarantee security.
  • What is a security proof?
  • A security proof is made by humans, and humans make
    mistakes.
  • The assumption/model may not be complete.
  • Many provably secure schemes turned out to be
    insecure. Our attacks a2, a9, a15, a20, a28 are
    all against schemes with security proofs.
  • Our experience: a security proof depends much on
    the prover's level. Attacking experience
    plays a very important role in security proofs.

17
Lessons from the Attacks
  • 2. We should not blindly trust the randomness or
    pseudo-randomness brought by mathematical
    systems.
  • Cryptosystems based on some fancy mathematical
    systems: it is dangerous to entrust the security
    to the complexity and randomness of the
    underlying systems without detailed
    cryptanalysis.
  • Try to develop as many different attacks as
    possible.
  • Our attacking work a1, a6, a18 and a7 are good
    instances of failed design. We broke
    cryptosystems based on cellular automata, chaos
    systems, matrix computations and Whitenoise, etc.

18
Lessons from the Attacks
3. The more complicated the systems are and the
more features the systems have, the more
difficult it is for the systems to be secure. When a
system is too complicated and has too many
functions, there are many places where
flaws could exist. The lesson we can learn from a3,
a9, a11, a12, a20 falls under this principle. Among
them a20 is a particularly good example.
19
Lessons from the Attacks
4. We should be open minded in imagining attacks.
New attacks may turn secure systems into
insecure ones. It is unlikely for the designer to
think about all the possible attacks. A
new technology or breakthrough could bring
something we cannot imagine today. So it is more
prudent not to believe that your assumed attack model
can cover everything. Many of our attacks
succeed from this aspect. We broke many security
schemes because the designers failed to think
about the attack we developed. Analogy: constructing
a secure house.
20
Lessons from the Attacks
5. Security is a fragile attribute. A secure
system could be totally insecure if you change a
very tiny component of the system. The attack
job a21 is a good example. Engineers who
implement the systems may not fully understand
everything in the design. Hence it is very
important to educate the engineers to follow the
full instructions.
21
Lessons from the Attacks
6. Security is not the same as cryptography, and
good cryptographic algorithms do not
automatically guarantee the security of
application systems. Every component being secure
does not necessarily mean that the whole system
is secure. It takes a long time and big effort
before being able to make any assertion.
22
What the potential can be if all possible attacks
come together
  • Rapid growth of the connectedness of the world
  • IT security is becoming more and more important to real
    life: finance, healthcare, business, smart home,
    etc.
  • 46% of wireless network users never use encryption,
    let alone that WEP is insecure. An IA Google is possible.
  • What potential can the aggregated attacks have,
    to maximum scope, to maximum degree of damage?
    Capability vs reality.

23
Questions
  • Systematic approach? Does it help? Does it exist? Can we make
    security research more beautiful?
  • Simple rules may not help (like a game, more art
    than science). Always case by case?
  • What could be the next breakthrough in
    cryptanalysis?

24
Thank you! Q & A
25
Privacy Homomorphism (PH)
  • PH concept: Rivest, Adleman and Dertouzos, 1978
  • Property: En(x + y) = En(x) + En(y)
    En(x · y) = En(x) · En(y)

Definition: De(En(x) + En(y)) = x + y
De(En(x) · En(y)) = x · y
26
Previous Work on PH
  • Rivest, Adleman and Dertouzos scheme (1978):
    broken by Brickell and Yacobi (87) with a known
    plaintext attack.
  • All PHs are subject to chosen plaintext attack (87)
  • Security requirement: against known plaintext
    attack
  • Previous schemes: some broken, some remain
    unbroken
  • New one: J. Domingo-Ferrer, ISC 2002, LNCS
    2433, pp. 471-483.
  • Novelty: better efficiency and provable security

27
Description of the Scheme
  • Public parameters: d (d > 2), M (M > 10^200)
  • Secret key: r (co-prime with M), m (m | M)
  • Encryption key (r, m), plaintext a ∈ Z_m
  • a = a_1 + a_2 + ... + a_d mod m, a_i ∈ Z_M (random split of a)
  • En(a, key) = (c_1, c_2, ..., c_d), c_i = a_i r^i mod M
  • Decryption: c_1/r + c_2/r^2 + ... + c_d/r^d mod m

28
Homomorphism
a = a_1 + a_2 + ... + a_d mod m, b = b_1 + b_2 + ... + b_d mod m
a → (c_1, c_2, ..., c_d), c_i = a_i r^i mod M
b → (e_1, e_2, ..., e_d), e_i = b_i r^i mod M
(c_1, c_2, ..., c_d) + (e_1, e_2, ..., e_d) = (..., c_i + e_i, ...)
(c_1, c_2, ..., c_d) × (e_1, e_2, ..., e_d) = (..., Σ_{i+j=h} c_i e_j, ...)
all computations mod M
29
M has many small factors. The criterion for
choosing M implies that M is easily factorized. The
security proof is not based on the hardness of
factorization.
  • Factorize M
  • Find out whether a factor p of M is also a factor
    of m
  • Try all the factors of M one by one; m is
    determined
  • Find R = r mod m
  • (R, m) can decrypt

30
Observation: a = a_1 + a_2 + ... + a_d mod m, a → (c_1, c_2, ..., c_d), c_i = a_i r^i mod M
Hence a = c_1/r + c_2/r^2 + ... + c_d/r^d mod m
If p | m, a = c_1/r + c_2/r^2 + ... + c_d/r^d mod p
If not, Prob[a = c_1/r + c_2/r^2 + ... + c_d/r^d mod p] = 1/p
31
Suppose we have N plaintext-ciphertext pairs:
A_1 = C_{1,1} x + C_{2,1} x^2 + ... + C_{d,1} x^d mod p
A_2 = C_{1,2} x + C_{2,2} x^2 + ... + C_{d,2} x^d mod p
...
A_N = C_{1,N} x + C_{2,N} x^2 + ... + C_{d,N} x^d mod p
Find out if there exists a solution x.
1. Try all x from Z_p if p is small
2. Compute the gcd of the above polynomials
3. Solve linear equation groups
32
Number of Pairs (N) Required
The attack success probability (probability over
the random split). End
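The Domingo-Ferrer scheme of slides 27-28 and the factor-by-factor known-plaintext attack of slides 29-31, worked through as an added example (not code from the presentation): the toy parameters (M a square-free product of eight small primes, d = 3, m = 7·13·19, r = 29) and the fixed random seed are assumptions, chosen so that every prime of M is small enough to try all x in Z_p as in step 1 of slide 31.

```python
import random
from math import prod
# Toy parameters, constructed for illustration (the real scheme uses M > 10^200, d > 2).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]   # public M is a product of many small primes
M, d = prod(PRIMES), 3                    # d = number of ciphertext components
m, r = 7 * 13 * 19, 29                    # secret key: m | M, r co-prime with M

def encrypt(a, rng=random):
    """Random split a = a_1 + .. + a_d (mod m); component c[i] = a_i * r^i mod M (c[0] unused)."""
    parts = [rng.randrange(M) for _ in range(d - 1)]
    parts.append((a - sum(parts)) % m)
    return [0] + [(ai * pow(r, i, M)) % M for i, ai in enumerate(parts, start=1)]

def decrypt(c, key):
    """sum_i c[i] * r^-i (mod m): the r^i cancel and the parts add back up to a mod m."""
    rm, mm = key
    x = pow(rm, -1, mm)
    return sum(ci * pow(x, i, mm) for i, ci in enumerate(c)) % mm

def add(c, e):                             # component-wise sum mod M decrypts to a + b
    return [(ci + ei) % M for ci, ei in zip(c, e)]

def mul(c, e):                             # polynomial product mod M decrypts to a * b
    out = [0] * (len(c) + len(e) - 1)
    for i, ci in enumerate(c):
        for j, ej in enumerate(e):
            out[i + j] = (out[i + j] + ci * ej) % M
    return out

def recover_key(pairs):
    """Slides 29-31: p | m iff some x in Z_p (namely x = r^-1 mod p) satisfies sum_i C[i] x^i = A
    (mod p) for every known pair; for p not dividing m each pair holds only with probability 1/p."""
    found = {}
    for p in PRIMES:
        for x in range(p):
            if all(sum(ci * pow(x, i, p) for i, ci in enumerate(c)) % p == a % p
                   for a, c in pairs):
                found[p] = x
                break
    mm = prod(found)                       # m = product of the primes that passed
    xm = 0                                 # CRT: combine r^-1 mod p into r^-1 mod m
    for p, x in found.items():
        q = mm // p
        xm = (xm + x * q * pow(q, -1, p)) % mm
    return pow(xm, -1, mm), mm             # (R = r mod m, m) is enough to decrypt

def run_attack(n_pairs=20, seed=7):
    rng = random.Random(seed)              # fixed seed: reproducible known-plaintext sample
    pairs = [(a, encrypt(a, rng)) for a in [rng.randrange(m) for _ in range(n_pairs)]]
    return recover_key(pairs)
```

With 20 pairs the chance that a prime not dividing m survives the test is about p^(1-20), so the recovered (R, m) equals the true (29, 1729) and decrypts sums and products alike.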
33
Untraceable Fair Network Payment
Protocol (Asiacrypt 03)
  • Account opening
  • Withdrawal
  • Payment
  • Disputes
  • Deposit

34
Untraceable Fair Network Payment Protocol
The main building block: RCSS (Restrictive
confirmation signature scheme). A signature signed
by S can be confirmed by C, and C can convince
only some specified verifier V that the signature
is valid and truly signed by S. Sign_RCSS(S, C,
V, m)
35
Untraceable Fair Network Payment Protocol
(Figure: parties Bank, TTP, Merchant and Buyer; flows: open account,
withdraw, digital cash, pseudo-cash + RCSS, digital goods; properties:
untraceability, unlinkability.)
36
Untraceable Fair Network Payment Protocol
(Figure: parties TTP, Merchant, Buyer and a fake buyer; flows: digital cash,
pseudo-cash + RCSS, digital goods.)
37
About the Security
The protocol is secure if the system contains
only one buyer. It is not secure if there are
multiple buyers, especially when a merchant
colludes with some buyer. Not secure in the sense
that untraceability, unlinkability and fairness
cannot be satisfied simultaneously. End
38
6 fair exchange of digital signature schemes,
ACM CCS 99
  • Two of them are not secure (fairness can be
    breached)
  • The attacks share the same principle
  • Key point: Ver(m, X, Y, PK) = 1
  • Normal security definition: difficult to find
    (X, Y), or X, or Y.
  • X, m → Y, PK: not necessarily hard

39
Schnorr signature: y = g^x mod p, where y is PK and
x is SK. A signature (s, e) on m under y
satisfies e = H(m, g^s y^{-e}). It is hard to find such
(s, e) without x. But we can find e' and y'
different from e and y such that e' = H(m, g^s y'^{-e'}).
For random t, set e' = H(m, g^s g^t), x' = -t/e', y' = g^{x'}.
40
ElGamal signature: y = g^x mod p, where y is PK and
x is SK. A signature (s, r) on m under y
satisfies g^s = r^{H(m)} y^r. It is hard to find such (s, r)
without x. But we can find r' and y' different
from r and y such that g^s = r'^{H(m)} y'^{r'}. For random
t, set r' = g^{(s-t)/H(m)}, x' = t/r', y' = g^{x'}.
41
For some signature schemes, given a signature
sign under a public key PK, it is easy to generate
a public key PK' and a signature sign' such that
sign' shares a component with sign.
42
(Figure: the exchange between A and B with the TTP. Messages: X; S_B;
Y, m, E_TTP(X), Proof; and A's signature S_A(X, Y) under PK_A.)
43
Colluding Attack
This attack needs A to submit his public key
later, hence is less serious. But it could happen.
(Figure: the colluding attack with B, A, a second A and the TTP. Messages: X;
S_B; Proof; Y, m, E_TTP(X); and the public key PK_A.)
44
Remarks
  • If m already includes the ID of A (or A's PK),
    the attack doesn't work. But the TTP must check the
    semantics of m, which is unlikely to be possible.
  • A simple remedy is to include A or A's public key
    in the Proof: Proof = EQ_DLOG(m, g^x, g'^x, g, g')
    becomes Proof = EQ_DLOG(PK_A, m, g^x, g'^x, g, g')
  • Security is very sensitive and can be affected by a
    small change. The engineers implementing a secure
    protocol should be educated. End
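The Schnorr key substitution of slide 39 and the remedy of slide 44 (bind the signer's public key into what is proved), worked through as an added example that is not code from the presentation: the toy group p = 2039, q = 1019, g = 4 and SHA-256 as H are assumptions, and the key-prefixed variant is the analogue of the slide's fix for plain Schnorr, not the presentation's EQ_DLOG proof.

```python
import hashlib, random

# Toy Schnorr group, constructed for illustration: p = 2q + 1 with q prime, g of order q.
p, q, g = 2039, 1019, 4

def H(m, R):
    """e = H(m, R) as an integer mod q (SHA-256 over the message and the commitment)."""
    return int.from_bytes(hashlib.sha256(m.encode() + R.to_bytes(2, "big")).digest(), "big") % q

def keygen(rng=random):
    x = rng.randrange(1, q)                 # SK x, PK y = g^x mod p
    return x, pow(g, x, p)

def sign(m, x, rng=random):
    k = rng.randrange(1, q)
    e = H(m, pow(g, k, p))
    return ((k + x * e) % q, e)             # (s, e) with g^s * y^-e = g^k

def verify(m, sig, y):
    s, e = sig
    R = pow(g, s, p) * pow(y, -e, p) % p    # a negative exponent inverts y mod p
    return e == H(m, R)

def substitute_key(m, sig, rng=random):
    """Slide 39: from (s, e) under y, build (s, e') valid under a fresh y' = g^x'
    that shares the component s: e' = H(m, g^s g^t), x' = -t / e' mod q."""
    s, _ = sig
    while True:
        t = rng.randrange(1, q)
        e2 = H(m, pow(g, s + t, p))
        if e2:                               # e' must be invertible mod q
            x2 = (-t * pow(e2, -1, q)) % q
            return (s, e2), x2, pow(g, x2, p)

def sign_key_prefixed(m, x, rng=random):
    """Analogue of the slide 44 remedy: bind the signer's public key into the hash."""
    k = rng.randrange(1, q)
    y = pow(g, x, p)
    e = H(f"{y}|{m}", pow(g, k, p))
    return ((k + x * e) % q, e)

def verify_key_prefixed(m, sig, y):
    s, e = sig
    return e == H(f"{y}|{m}", pow(g, s, p) * pow(y, -e, p) % p)
```

Under the key-prefixed verifier the substitution no longer goes through, because e' would have to be computed from a y' that itself depends on e'.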