Various Attacks on Cryptosystems
slides (c) 2012 by Richard Newman
Cryptosystem Basics
Symmetric vs. asymmetric (Public Key)
• Symmetric – any party with the key can encrypt/decrypt/"sign" (MAC)
• Requires the key to verify the authenticator, so no non-repudiation
• Key distribution is the main issue
• Usually requires an IV (initialization vector)
• Asymmetric – public and private keys are not the same
• Can verify a signature without being able to forge one
• Can encrypt without being able to decrypt
• Implementation details are always an issue
Block vs. Stream
• Block ciphers need padding (and a mode of operation); padding handling is an attack surface
• A stream cipher's keystream is a one-time pad – reusing a key/IV pair is fatal (C1 xor C2 = P1 xor P2)
• Rotate keys and use a unique IV per message
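The "reuse is fatal" bullet, worked through as an added example (not from the original slides): two messages encrypted under the same key and the same IV of a toy counter-style stream cipher, and what an attacker can do with nothing but the two ciphertexts. The cipher, key, IV and messages are all constructed for illustration; the keystream construction is an assumption standing in for any stream cipher, and the attack never uses its internals.

```python
import hashlib
from itertools import count


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-style keystream derived from a hash. Toy construction (assumption: stands in
    for any stream cipher); only its determinism in (key, iv) matters for the attack."""
    out = b""
    for ctr in count():
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    return xor(pt, toy_keystream(key, iv, len(pt)))


# Constructed sample: two messages sent under the same key AND the same IV.
KEY = hashlib.sha256(b"demo key").digest()
IV = bytes(8)
P1 = b"Transfer $100 to account 4417 now"
P2 = b"Transfer $900 to account 9001 now"
C1 = stream_encrypt(KEY, IV, P1)
C2 = stream_encrypt(KEY, IV, P2)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Same keystream on both sides cancels out: C1 xor C2 == P1 xor P2. No key needed."""
    return xor(c1, c2)


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """If the attacker knows (or guesses) that `crib` sits at `offset` in P2,
    the corresponding bytes of P1 drop out directly."""
    return xor(xor_of_plaintexts(c1, c2)[offset:offset + len(crib)], crib)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p2: bytes) -> bytes:
    """Full known-plaintext case: one message known, the other falls out entirely."""
    return xor(xor_of_plaintexts(c1, c2), p2)


def leaks_xor_with_unique_ivs(key: bytes, p1: bytes, p2: bytes) -> bool:
    """The fix the slide names: a fresh IV per message gives an unrelated keystream,
    so C1 xor C2 no longer equals P1 xor P2 (returns False)."""
    c1 = stream_encrypt(key, bytes(8), p1)
    c2 = stream_encrypt(key, bytes([1]) * 8, p2)
    return xor(c1, c2) == xor(p1, p2)
```

Crib dragging is the usual practical form: slide a guessed fragment ("Transfer", a date, a protocol header) along the XOR of the two ciphertexts and see where the other side turns into readable text.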
Cryptosystem Attacks
Goal is to obtain the key, or at least decipher (or sign) a message
What the attacker gets
• Ciphertext only
• Ciphertext and its plaintext
• Chosen ciphertext and its plaintext
• Chosen plaintext and its ciphertext
Protocol
• Actual use of the cipher suite in the system
• May provide clues or even access to the attacker
Implementation
• Improper generation of "random" numbers
• Insufficient key rotation
• Distinguishable feedback (different responses to different failures)
• Reduction of key strength
Message semantics and confusion, guess verification, oracles (continued on next slide)
Cryptosystem Attacks (continued)
Message semantics and confusion
• Replay of an authentic message taken to mean something else
• Application of the wrong cipher suite to an authentic message
Guess verification
• On-line (each guess needs the victim's system) vs. off-line (attacker checks guesses locally)
• Speed of a brute force attack
System attack
• Differential resource usage (timing, power)
• Fault injection
Oracles
• Differential responses to different types of errors in the protocol
• Silent failure (one uniform error, no hint which check failed) is usually safest
RSA DES Challenge
Brute force attack on a 56-bit DES key
• Recognizable plaintext (ASCII) – each byte's MSB is 0
• Off-line, ciphertext-only attack
• Partition the keyspace for a massively parallel attack
• Each unit tests its range of the keyspace on the first block
• If all 8 MSBs are 0 in the 8-character block, the key is viable
• Viable keys are then tested against the second block, etc.
• A wrong key passes each additional block by chance with probability 1/256
• Loading a key is often much slower than decrypting a block, so test many blocks per key load
• Special hardware: the EFF machine (Deep Crack, 1998) cracked a key in a few days (56 hours) for about $250K
• A botnet can be used to do the same
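The search structure of the slide above, as an added example that is not from the original slides: keyspace partitioned into per-worker ranges, the per-key setup paid once, and the ASCII-MSB filter applied block by block with early exit. Since Python's standard library has no DES, the block cipher is a toy XOR-with-hash-mask under a 16-bit key (an assumption standing in for DES and its 56-bit key); the ciphertext, key and plaintext are constructed. The filter, the 1/256 survival rate per block and the partitioning are the real technique; only the cipher is a stand-in.

```python
import hashlib

BLOCK = 8
KEY_BITS = 16                 # toy keyspace of 2^16 keys in place of DES's 2^56


def key_schedule(key: int) -> bytes:
    """Stand-in for the expensive per-key setup (DES key loading/schedule). Done once per key."""
    return hashlib.sha256(b"toy-schedule" + key.to_bytes(2, "big")).digest()


def decrypt_block(schedule: bytes, index: int, ct: bytes) -> bytes:
    """Toy 'block cipher': XOR with a per-key, per-block mask (assumption, not DES).
    Encryption is the same operation. Only the search structure around it matters."""
    mask = hashlib.sha256(schedule + index.to_bytes(4, "big")).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(ct, mask))


def encrypt_message(key: int, pt: bytes) -> bytes:
    sched = key_schedule(key)
    return b"".join(decrypt_block(sched, idx, pt[off:off + BLOCK])
                    for idx, off in enumerate(range(0, len(pt), BLOCK)))


def looks_like_ascii(block: bytes) -> bool:
    """Viability filter from the slide: every byte has its MSB clear.
    A block decrypted under a wrong key passes by chance with probability 2^-8."""
    return all(b < 0x80 for b in block)


def search_range(ct: bytes, lo: int, hi: int) -> list:
    """One worker's share of the keyspace. Returns the keys whose decryption passes
    the filter on every block; wrong keys are rejected early, usually on block 1."""
    survivors = []
    for k in range(lo, hi):
        sched = key_schedule(k)                       # paid once per key, not once per block
        for idx, off in enumerate(range(0, len(ct), BLOCK)):
            if not looks_like_ascii(decrypt_block(sched, idx, ct[off:off + BLOCK])):
                break
        else:
            survivors.append(k)
    return survivors


def crack(ct: bytes, workers: int = 4) -> list:
    """Partition the keyspace into disjoint ranges, one per worker (run sequentially here)."""
    span = (1 << KEY_BITS) // workers
    found = []
    for w in range(workers):
        found += search_range(ct, w * span, (w + 1) * span)
    return found


def survivors_per_block(ct: bytes) -> list:
    """Number of keys still viable after checking 1, 2, ... blocks; expect roughly a
    256-fold drop per extra block until only the true key remains."""
    return [len(search_range(ct[:n], 0, 1 << KEY_BITS))
            for n in range(BLOCK, len(ct) + 1, BLOCK)]


# Constructed sample: 32 bytes of ASCII under a key the attacker does not know.
TRUE_KEY = 0xBEEF
CT = encrypt_message(TRUE_KEY, b"Attack at dawn; bring the keys!!")
```

With 2^16 keys, about 2^16/256 = 256 keys survive the first block, roughly one or two survive the second, and the third leaves the true key alone; scale the same arithmetic to 2^56 and the filter is why the real attack needed only a few blocks of ciphertext per key.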
SSL Attacks
Improper random number generation
• Depended on the implementation
• "Random" session keys generated from a hash of the time of day, process IDs, etc. (the 1995 break of Netscape's SSL implementation)
• The resulting (relatively) small keyspace can be brute-forced
Vaudenay attack on CBC with n-n padding (n bytes, each of value n)
• Padding-error oracle – see next slide
BEAST attack
• Browser-driven chosen-plaintext attack on CBC in SSL 3.0/TLS 1.0, where the IV of the next record is the last ciphertext block of the previous one (predictable IV)
Vaudenay Attack on CBC
• Implementations responded differently to a padding error than to other failures
• Padding: the last n bytes (0 < n <= 8) all have the value n
• For a target CBC block, send a chosen "previous block" (as IV) in front of it and see whether a pad error comes back
• If not, chances are really good the last decrypted byte is a 1 (confirm by altering the next-to-last IV byte: a lone 01 still passes, a 02 02 tail does not)
• Modify the last byte of the "IV" until no padding error is reported
• Then modify the last byte to make it decrypt to 2, and work on the next-to-last byte
• Continue until all bytes are known from how the IV had to be changed
• Max of 256 tries per byte, times 8 bytes, is about 2K tries per block
• The attacker never learns the key, only the plaintext
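The procedure on this slide, end to end, as an added example (not from the original slides): a server that leaks only "padding valid / padding invalid", and an attacker that recovers a whole CBC message from that single bit, including the 01-versus-02-02 ambiguity on the last byte. The block cipher is a toy 4-round Feistel with a hash round function (an assumption standing in for DES/AES; the attack never looks inside it), and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 64-bit block cipher (assumption: a 4-round Feistel with a hash round function,
# standing in for DES/AES; the attack below never looks inside it).
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return r + l


def toy_decrypt_block(key: bytes, blk: bytes) -> bytes:
    r, l = blk[:4], blk[4:]
    for i in reversed(range(4)):
        r, l = l, xor(r, _round(key, i, l))
    return l + r


# CBC with the slide's "n bytes of value n" padding.
def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(msg: bytes) -> bytes:
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class PaddingOracle:
    """The server side: all it leaks is whether the padding was valid (a distinguishable error)."""
    def __init__(self, key: bytes):
        self.key, self.queries = key, 0

    def valid(self, iv: bytes, block: bytes) -> bool:
        self.queries += 1
        try:
            unpad(cbc_decrypt(self.key, iv, block))
            return True
        except ValueError:
            return False


def attack_block(oracle: PaddingOracle, prev: bytes, target: bytes) -> bytes:
    """Recover P = D_k(target) xor prev using only the oracle, one byte at a time from the end."""
    inter = bytearray(BLOCK)                     # D_k(target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos                    # want the decrypted tail to read pad_val ... pad_val
        iv = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):          # bytes already known: force them to pad_val
            iv[j] = inter[j] ^ pad_val
        for guess in range(256):
            iv[pos] = guess
            if not oracle.valid(bytes(iv), target):
                continue
            if pos == BLOCK - 1:
                # A "valid" answer here might be a 02 02 (or 03 03 03 ...) tail, not a lone 01.
                # Disturb the byte before it: a lone 01 stays valid, a longer pad breaks.
                probe = bytearray(iv)
                probe[pos - 1] ^= 0xFF
                if not oracle.valid(bytes(probe), target):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted; not a padding oracle?")
    return xor(bytes(inter), prev)


def attack_message(oracle: PaddingOracle, iv: bytes, ct: bytes) -> bytes:
    """Walk the ciphertext: each block's 'previous block' is the IV or the prior ciphertext block."""
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += attack_block(oracle, prev, ct[i:i + BLOCK])
        prev = ct[i:i + BLOCK]
    return unpad(pt)


# Constructed sample: the attacker sees IV and CT, never KEY.
KEY = b"toy-key!"
IV = bytes(range(8))
CT = cbc_encrypt(KEY, IV, pad(b"Attack at dawn"))
```

The query count stays within the slide's bound of 256 tries per byte (plus one confirmation query per accepted last byte). The defence is the "silent failure" point from the Cryptosystem Attacks slide: verify a MAC over the ciphertext before decrypting, and return one uniform error for any failure so the padding check never becomes an oracle.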