220 likes | 368 Views
Funkspiel Schemes: An Alternative to Conventional Tamper Resistance. Royal Inst. of Technology, Stockholm RSA Laboratories RSA Laboratories Certco. J. Håstad J. Jakobsson A. Juels M. Yung. Lauwers. Lauwers worked as radio operator for SOE, British underground during WW II.
E N D
Funkspiel Schemes:An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories RSA Laboratories Certco J. Håstad J. Jakobsson A. Juels M. Yung
Lauwers Lauwers worked as radio operator for SOE, British underground during WW II Captured by Germans, along with radio and three message/ciphertext pairs Germans sought to mount “Funkspiel”, i.e., pass false messages to SOE SOE made use of a kind of MAC
16th letter o u o e Subverting the Funkspiel • Germans demanded to know “MAC” • Lauwers had been instructed to introduce an error into 16th letter of every message as “MAC” • Lauwers made clever observation about his three messages: Message 1: …………....stop….. …………....stop….. Message 2: ………….……..….. Message 3: • Claimed that “MAC” involved corruption of ‘o’ in stop
Subverting the Funkspiel • Germans were deceived • Allies were deceived
Alice Bob Eve (Enemy) Modern cryptographer’s view
Alice Bob Eve Funkspiel scheme
message1, message2, message3, MAC (message1) MAC (message2) MAC (message3) Alice Bob Eve Step 1: Alice sends messages to Bob
Alice Step 2: Alice changes key (maybe)
Alice Step 3: Eve steals Alice’s key
“I love you”, MAC (“I love you”) Bob Eve Step 4: Eve impersonates Alice
She loves me? She loves me not? MAC (“I love you”) Step 5: Bob determines whether Alice changed key
What do we want? • Eve can’t tell whether Alice changed key • Even though Eve has seen MAC(message1), MAC(message2),... • Bob can tell whether Alice changed key
Related work • Forward-secure signature schemes • Attacker knows that key evolves • Distress PIN • No security against eavesdropper • Deniable encryption
??? 1 1 0 0 1 1 1 0 0 1 1 A funkspiel scheme MAC key 0: 0 1 1 0 1 0 1 0 0 0 1 1 1 0 MAC key 1: Problems: We need one bit for every MAC; Eve can cheat with small probability
h h ??? ?? Another funkspiel scheme (simplified) Problem: What if Eve sees Bob’s keying material? She can forge a MAC
EPK_B(SigSK_A[message]) PKA PKB PKA SKA SKB SKA ??? Asymmetric funkspiel scheme
Asymmetric funkspiel scheme • Semantically secure encryption (e.g., El Gamal) ensures that Eve can’t test signature against SK • Key swap for Alice under El Gamal is efficient, e.g., she can randomize last 100 bits • If Eve sees Bob’s keys, she still can’t forge MAC • Scheme is less efficient than symmetric ones
Real-world funkspiel • Alice changes key when she senses Eve is attempting to break in (no coin flipping) • Bob tries to determine whether Alice sent “distress signal”, i.e., changed key
What this good for? • Tamper resistant hardware • Currently uses “zeroization” • Funkspiel schemes permit detection and tracing • Funkspiel schemes can give false sense of security or success to attacker • E.g., cash card
Honeypot What this good for? • A honeypot with more sting
Open issues • Power consumption • Many devices have only external power • What about DPA attacks? • How about, e.g., firewalls?
She loves me? She loves me not? Questions?