Title: Security Can Only Be Measured by Attacks
Feng BAO, Principal Scientist and Dept Head, Cryptography & Security Department
Slide 2: Department Staff Profile
- 42 staff in total
- 40% PhD, 60% Masters
- International: Singapore, Australia, China, Greece, India, Indonesia, Korea, Malaysia, UK, USA (10 countries)
Slide 3: Department Thrusts and Projects
Thrusts:
- Applied Cryptography
- Network System Security
- Digital Management Security
Projects:
- Symmetric Key Cryptosystems
- Personal DRM, Enterprise DRM
- Defending Malware
- RFID Security
- Public Key Cryptosystems and Protocols
- Mobile/Sensor Network Security
- ACAR
Slide 4: Projects completed in the past ([IP] marks items flagged IP on the slide)
- NetProtect: secure virtual private network
- Sento: secure ExtraNet on Trusted OS
- Secure XML: secure XML document access
- [IP] CopyProtect: digital copy protection
- [IP] KentSafe: web based secure digital safe
- [IP] FX: fair exchange of digital valuables
- [IP] UbiCash: a practical e-payment scheme
- [IP] EPKI: enterprise public key infrastructure
- KentCert: compact PKI, toward handheld devices
- Advanced PKI: new PKI scheme without RCL
- [IP] SECKIT: secure efficient crypto kit
- [IP] CAP: crypto acceleration cards
- C-One: Internet CashCard
- Secure VoIP: secret key establishment by voice
- [IP] RCrypto: resilient public key server [IP]
- 8 technology transfers from the above
Areas: VPN, DocS, e-commerce, PKI, Crypto, authentication
Slide 5: Research Achievements
- 500 publications in international journals/conferences
- 40 patents granted and filed
- Broke 60 cryptosystems/secure protocols: encryption algorithms, digital signature schemes, security protocols, watermarking schemes, DRM schemes. E.g., Bluetooth encryption, DRM of MS Media Player, NTRU's PASS, Micali's contract signing protocol US5666420 (PODC 2003), MS Office encryption, etc.
Slide 7: Activities in International Security Community
- Hosted 8 international conferences: ACM CCS, ICICS, ISPEC, ISC, IWAP, MADNESS, ACNS, PKC.
- Having 7 international journal editors.
- 50 person-times/year as PC members for the following conferences: Eurocrypt, IEEE SP, ICICS, Asiacrypt, ACM CCS, ISC, PKC, GlobeCom, ACISP, ACNS, IFIP TrustBus, WISA, Indocrypt, IEEE ICC, ICISC, Mycrypt, SecureCom, ISPEC, DRMTICS, UsenixSec, IWAP, VieCrypt, WWW, ASIACCS, CHES, GlobeCom, ESORICS
Slide 8: International Standard Involvement
- ISO/IEC JTC 1/SC 29/WG 1: flexible authentication and access control for JPEG2000 image code-streams; 5 proposals incorporated into ISO/IEC 15444-8, Apr. 15, 2007.
- IETF/WG Mobopts: Mobile IPv6 location privacy solution, status WG document (RFC soon), http://www.ietf.org/internet-drafts/draft-irtf-mobopts-location-privacy-solutions-04.txt
- eSTREAM-ECRYPT: HC selected in the software implementation group
Slide 9: Other Activities
- Security technologies for Ministry of Defense
- National Information Technology Standard Committee of Singapore (e.g., SC27/ISO, Chairman of PKI WG under NITSC, IDA)
- Technical advisers for local industry
- Manpower training for local industry
- Member of Asiacrypt Steering Committee representing Singapore
- Research collaborations (Kyushu Uni, EU, EADS, DSTA, SMU, etc.)
Slide 12: Security can only be measured by attacks
- What is security?
  - You can defeat all the attacks.
  - You have the advantage over all your enemies.
- Ignorance or oversight of attacks causes most of the insecurity.
- Vulnerabilities vs attacks
- Economics of information security
- The difference between security and reliability
Slide 13: The list of selected 30 of our attacks (1)
- a1: break a cellular automata cryptosystem, IEEE Trans. Computers
- a2: break a provably secure encryption with homomorphism (Wagner late)
- a3: break three oblivious transfer protocols
- a4: propose a new attack method against block ciphers, CANS
- a5: break a hash function design principle
- a6: break a fast encryption algorithm for multimedia, FEA-M from NTU
- a7: break a chaos system cipher from IEEE Trans.
- a8: break a group signature scheme from ICICS02
- a9: break a group signature scheme from ACM CCS01
- a10: break a password authenticated key exchange protocol, ISC03
- a11: break Lancaster, an access control protocol
- a12: break Stanford, an authentication protocol
- a13: break Micali's fair contract signing protocol, ACISP04
- a14: break an anonymous buyer-seller watermarking protocol
- a15: break a PAKE protocol from ACISP03
Slide 14: The list of selected 30 of our attacks (2)
- a16: break AMP, a contribution to IEEE standard P1363
- a17: break MS Office encryption scheme
- a18: break Whitenoise, a stream cipher product of Tinnitus
- a19: break a tele-conference scheme with dynamic participation
- a20: break an untraceable fair network payment protocol
- a21: break two fair exchange of digital signature schemes
- a22: break COSvd, a stream cipher for Ecrypt
- a23: break a signcryption scheme from ICICS03
- a24: break a signcryption scheme from ACNS03
- a25: break a (t,n) threshold proxy signature scheme
- a26: break a multi-key secure video proxy scheme from ACM MM
- a27: break two EEPROM key protection schemes from IEEE SP
- a28: break a forward secure blind signature scheme from ICICS03
- a29: attack and construct a designated-verifier signature scheme, ICALP
- a30: break a nominative signature scheme from ICICS
Slide 15: Distribution of our attacks
Slide 16: Lessons from the Attacks
1. A formal security proof does not necessarily guarantee security.
- What is a security proof?
- Security proofs are made by humans, and humans make mistakes.
- The assumption/model may not be complete.
- Many schemes proved secure turned out to be insecure. Our attacks a2, a9, a15, a20 and a28 are all against schemes with security proofs.
- Our experience: the value of a security proof depends much on the prover's level. Attacking experience plays a very important role in security proofs.
Slide 17: Lessons from the Attacks
2. We should not blindly trust the randomness or pseudo-randomness brought by mathematical systems.
- Cryptosystems based on some fancy mathematical systems: it is dangerous to entrust the security to the complexity and randomness of the underlying systems without detailed cryptanalysis.
- Try to develop as many different attacks as possible.
- Our attacks a1, a6, a18 and a7 are good instances of failed designs. We broke cryptosystems based on cellular automata, chaos systems, matrix computations and Whitenoise, etc.
Slide 18: Lessons from the Attacks
3. The more complicated the systems are and the more features the systems have, the harder it is for the systems to be secure. When a system is too complicated and has too many functions, there are many places where flaws can exist. The lesson we can learn from a3, a9, a11, a12 and a20 falls under this principle. Among them a20 is a particularly good example.
Slide 19: Lessons from the Attacks
4. We should be open-minded in imagining attacks. New attacks may turn secure systems insecure. It is unlikely that the designer thinks about all the possible attacks. New technology or a breakthrough could bring something we cannot imagine today. So it is more cautious not to believe that your assumed attack model can cover everything. Many of our attacks succeed from this aspect: we broke many security schemes because the designers failed to think about the attack we developed. Analogy: constructing a secure house.
Slide 20: Lessons from the Attacks
5. Security is a fragile attribute. A secure system could become totally insecure if you change a very tiny component of the system. The attack a21 is a good example. Engineers who implement the systems may not fully understand everything in the design. Hence it is very important to educate the engineers to follow the full instructions.
Slide 21: Lessons from the Attacks
6. Security does not equal cryptography, and good cryptographic algorithms do not automatically guarantee the security of application systems. Every component being secure does not necessarily mean that the whole system is secure. It takes a long time and a big effort before one is able to make any assertion.
Slide 22: What potential can be if all possible attacks come together
- Rapid growth of the connectivity of the world
- IT security is becoming more and more weighty to real life: finance, healthcare, business, smart home, etc.
- 46% of wireless network users never use encryption, let alone that WEP is insecure. An IA google is possible.
- What potential can the aggregated attacks have, to maximum scope, to maximum degree of damage? Capability vs reality.
Slide 23: Questions
- Systematic approach? Helps? Exists? Can we make security research more beautiful?
- Simple rules may not help (like a game, more art than science). Always case by case?
- What could be the next breakthrough in cryptanalysis?
Slide 24: Thank you! Q & A
Slide 25: Privacy Homomorphism (PH)
- PH concept: Rivest, Adleman and Dertouzos, 1978
- Property: En(x + y) = En(x) + En(y), En(x · y) = En(x) · En(y)
- Definition: De(En(x) + En(y)) = x + y, De(En(x) · En(y)) = x · y
Slide 26: Previous Work on PH
- Rivest, Adleman and Dertouzos scheme (1978) broken by Brickell and Yacobi (87) with a known plaintext attack.
- All PHs are subject to chosen plaintext attack (87).
- Security requirement: against known plaintext attack.
- Previous schemes: some broken, some remain unbroken.
- New one: J. Domingo-Ferrer, ISC 2002, LNCS 2433, pp. 471-483.
- Novelty: better efficiency and provable security.
Slide 27: Description of the Scheme
- Public parameters: d (d > 2), M (M > 10^200)
- Secret key: r (co-prime with M), m (m | M)
- Encryption key (r, m), plaintext a ∈ Z_m
- a = a1 + a2 + ... + ad mod m, ai ∈ Z_M (random split of a)
- En(a, key) = (c1, c2, ..., cd), ci = ai r^i mod M
- Decryption: c1/r + c2/r^2 + ... + cd/r^d mod m
28Homomorphism
aa1a2ad mod m, bb1b2bd mod m a?(c1,
c2, , cd) ciairi mod M b?(e1, e2, , ed)
eibiri mod M (c1, c2, , cd) (e1, e2, , ed)
(, ci ei ) (c1, c2, , cd) (e1, e2, ,
ed)(, ? ciej ,)
ijh all computations mod M
Slide 29: M has many small factors. The criterion for choosing M implies that M is easily factorized. The security proof is not based on the hardness of factorization.
- Factorize M
- Find out whether a factor p of M is also a factor of m
- Try all the factors of M one by one; m is determined
- Find R = r mod m
- (R, m) can decrypt
Slide 30: Observation
a = a1 + a2 + ... + ad mod m, a → (c1, c2, ..., cd), ci = ai r^i mod M
Hence a = c1/r + c2/r^2 + ... + cd/r^d mod m
If p | m: a = c1/r + c2/r^2 + ... + cd/r^d mod p
If not: Prob[a = c1/r + c2/r^2 + ... + cd/r^d mod p] = 1/p
Slide 31: Suppose we have N plaintext-ciphertext pairs (x stands for 1/r mod p)
A1 = C1,1 x + C2,1 x^2 + ... + Cd,1 x^d mod p
A2 = C1,2 x + C2,2 x^2 + ... + Cd,2 x^d mod p
...
AN = C1,N x + C2,N x^2 + ... + Cd,N x^d mod p
Find out if there exists a solution x:
1. Try all x from Z_p if p is small
2. Compute the gcd of the above polynomials
3. Solve linear equation systems
Slide 32: Number of Pairs (N) Required
(Chart: attack success probability, taken over the random split, as a function of N)
End
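Slides 27 to 31 in working form, as an added example that is not part of the original talk: a toy instance of the Domingo-Ferrer scheme with the additive and multiplicative homomorphism of slide 28, and the known-plaintext key recovery of slides 29 to 31 using the first of slide 31's three options (try every x in Z_p for each small prime factor p of M). All parameters, names and sample plaintexts are constructed for this example; it assumes the secret m divides M, as slide 27 states.

```python
import random
from itertools import zip_longest
from math import prod
# Toy instance of the Domingo-Ferrer privacy homomorphism; all parameters are
# constructed and far too small for real use. Public: d and M, where M has many
# small prime factors. Secret: m (a divisor of M) and r coprime with M.
PRIMES_OF_M = [2, 3, 5, 7, 11, 13, 17]
d, M = 3, prod(PRIMES_OF_M)          # M = 510510
m, r = 3 * 17, 1013                   # gcd(r, M) == 1
rng = random.Random(2003)

def encrypt(a):
    """Split a into d random shares with a1 + ... + ad = a (mod m); c_i = a_i r^i mod M.
    A ciphertext is the coefficient list of a polynomial in r; index h holds the r^h term."""
    parts = [rng.randrange(M) for _ in range(d - 1)]
    parts.append((a - sum(parts)) % m)
    return [0] + [(ai * pow(r, i + 1, M)) % M for i, ai in enumerate(parts)]

def decrypt(c, m2=m, R=None):
    """Sum c_h R^h mod m2 with R = r^-1; reducing mod m directly equals mod M then mod m since m | M."""
    R = pow(r, -1, m2) if R is None else R
    return sum(ch * pow(R, h, m2) for h, ch in enumerate(c)) % m2

def add(c, e):
    """Homomorphic addition: component-wise sum mod M."""
    return [(u + v) % M for u, v in zip_longest(c, e, fillvalue=0)]

def mul(c, e):
    """Homomorphic multiplication: the r^h coefficient is the sum of c_i e_j with i + j = h."""
    out = [0] * (len(c) + len(e) - 1)
    for i, ci in enumerate(c):
        for j, ej in enumerate(e):
            out[i + j] = (out[i + j] + ci * ej) % M
    return out

def recover_key(pairs):
    """Known-plaintext attack from the slides. For each prime p | M, x = r^-1 mod p
    satisfies a = sum c_h x^h (mod p) for every pair iff p | m; a prime not dividing m
    passes only with probability about 1/p per pair. Returns (m', R = r^-1 mod m')."""
    found = {}
    for p in PRIMES_OF_M:
        for x in range(p):
            if all(sum(ch * pow(x, h, p) for h, ch in enumerate(c)) % p == a % p
                   for a, c in pairs):
                found[p] = x
                break
    m2 = prod(found)
    R = next(x for x in range(m2) if all(x % p == xp for p, xp in found.items()))  # CRT by search
    return m2, R
```

The recovered (m', R) decrypts fresh ciphertexts without ever touching r itself, which is what slide 29's last step claims.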
Slide 33: Untraceable Fair Network Payment Protocol, Asiacrypt03
- Account opening
- Withdrawal
- Payment
- Disputes
- Deposit
Slide 34: Untraceable Fair Network Payment Protocol
The main building block: RCSS (restrictive confirmation signature scheme). A signature signed by S can be confirmed by C, and C can convince only some specified verifier V that the signature is valid and truly signed by S. SignRCSS(S, C, V, m)
Slide 35: Untraceable Fair Network Payment Protocol
(Diagram: parties Bank, TTP, Merchant, Buyer; labels: open account, withdraw, digital cash, digital goods, pseudo-cash + RCSS; properties: untraceability, unlinkability)

Slide 36: Untraceable Fair Network Payment Protocol
(Diagram: parties TTP, Merchant, Buyer, Fake buyer; labels: digital goods, digital cash, RCSS, pseudo-cash, pseudo-cash + RCSS)
Slide 37: About the Security
The protocol is secure if the system contains only one buyer. It is not secure if there are multiple buyers, especially when a merchant colludes with some buyer. Not secure in the sense that untraceability, unlinkability and fairness cannot be satisfied simultaneously.
End
Slide 38: 6 fair exchange of digital signature schemes, ACM CCS99
- Two of them are not secure (fairness can be breached)
- The attacks share the same principle
- Key point: Vef(m, X, Y, PK) = 1
- Normal security definition: difficult to find X, Y or X or Y.
- Given X and m, finding Y', PK' is not necessarily hard
Slide 39: Schnorr signature
y = g^x mod p, where y is PK and x is SK. A signature (s, e) on m under y satisfies e = H(m || g^s y^-e). It is hard to find such (s, e) without x. But we can find e' and y' different from e and y such that e' = H(m || g^s y'^-e'): for random t, set e' = H(m || g^s g^t), x' = -t/e', y' = g^x'.
Slide 40: ElGamal signature
y = g^x mod p, where y is PK and x is SK. A signature (s, r) on m under y satisfies g^s = r^H(m) y^r. It is hard to find such (s, r) without x. But we can find r' and y' different from r and y such that g^s = r'^H(m) y'^r': for random t, set r' = g^((s-t)/H(m)), x' = t/r', y' = g^x'.
Slide 41: For some signature schemes, given a signature sign under a public key PK, it is easy to generate a public key PK' and a signature sign' such that sign' shares a component with sign.
Slide 42: (Diagram: parties A, B, TTP; labels: X; S_B(Y, m, E_TTP(X), Proof); S_A(X, Y) under PK_A)
Slide 43: Colluding Attack
This attack needs A to submit his public key later, hence is less serious. But it could happen.
(Diagram: parties TTP, B, A and a second A; labels: X; Proof; S_B(Y, m, E_TTP(X)); S_B(Y, m, E_TTP(X), Proof); PK_A)
Slide 44: Remarks
- If m already includes the ID of A (or A's PK), the attack doesn't work. But the TTP must check the semantics of m, which is unlikely to be possible.
- A simple remedy is to include A or A's public key in the Proof: Proof = EQ_DLOG(m, gx, gx g, g) becomes Proof = EQ_DLOG(PKA, m, gx, gx g, g).
- Security is very sensitive and can be affected by a small change. The engineers implementing a secure protocol should be educated.
End
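Slide 39's key-substitution construction in working form, together with the remedy of slide 44 applied at the signature level, as an added example that is not part of the original talk. The toy group (p = 2039, q = 1019, g = 4) and the hash-to-Z_q function H are this example's own choices, and "key-prefixing" (hashing the signer's public key into e, the signature-level analogue of putting A's PK into m or the Proof) is the mitigation the verifier checks.

```python
import hashlib

# Constructed toy group, far too small for real use: p = 2q + 1 with q prime,
# g = 4 generates the subgroup of prime order q.
p, q, g = 2039, 1019, 4

def H(*parts):
    """Hash of the concatenated parts reduced mod q (this example's choice of H)."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def challenge(y, msg, R, bind_key):
    """e = H(m || R) as on the slide, or key-prefixed e = H(y || m || R) (the remedy)."""
    return H(y, msg, R) if bind_key else H(msg, R)

def keygen(x):
    return x % q, pow(g, x, p)                  # secret x, public y = g^x

def sign(x, msg, k, bind_key=False):
    """Schnorr: R = g^k, e = challenge(R), s = k + x e; verification recomputes R as g^s y^-e."""
    e = challenge(pow(g, x, p), msg, pow(g, k, p), bind_key)
    return (k + x * e) % q, e

def verify(y, msg, sig, bind_key=False):
    s, e = sig
    return e == challenge(y, msg, pow(g, s, p) * pow(y, -e, p) % p, bind_key)

def substitute_key(sig, msg, t):
    """Slide 39's construction against the un-prefixed scheme: for random t set
    e' = H(m || g^s g^t), x' = -t/e', y' = g^x'. Then g^s y'^-e' = g^(s+t), so
    (s, e') verifies under y' and shares the component s with the original."""
    s, _ = sig
    while True:
        e2 = H(msg, pow(g, s + t, p))
        if e2:                                  # e' must be invertible mod q
            break
        t += 1
    x2 = (-t * pow(e2, -1, q)) % q
    return x2, pow(g, x2, p), (s, e2)
```

Under the key-prefixed variant the same construction produces a pair that fails verification, because e' was computed without y' and the recomputed challenge now depends on it.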