Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, commenting on nonce generation inside Digital Signature Algorithm (1991 proposal by NIST, 1992 credited to NSA, 1994 standardized by NIST)
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm (1991 proposal by NIST, 1992 credited to NSA, 1994 standardized by NIST)
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm Rivest’s response: Blame DSA. (1991 proposal by NIST, Blame the crypto designer. 1992 credited to NSA, 1994 standardized by NIST)
Error-prone cryptographic designs Crypto horror story #1 Daniel J. Bernstein 2010 Bushing–Marcan–Segher– University of Illinois at Chicago & Sven “failOverflow” demolition Technische Universiteit Eindhoven of Sony PS3 security system: Sony had ignored requirement to generate new random nonce “ The poor user is for each ECDSA signature. given enough rope with which ⇒ Sony’s signatures leaked to hang himself—something Sony’s secret code-signing key. a standard should not do. ” —1992 Rivest, Traditional response: Blame Sony. commenting on nonce generation Blame the crypto implementor. inside Digital Signature Algorithm Rivest’s response: Blame DSA. (1991 proposal by NIST, Blame the crypto designer. 1992 credited to NSA, Change DSA to avoid this pitfall! 1994 standardized by NIST)
rone cryptographic designs Crypto horror story #1 Crypto ho J. Bernstein 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–T University of Illinois at Chicago & Sven “failOverflow” demolition 65ms to echnische Universiteit Eindhoven of Sony PS3 security system: used for Sony had ignored requirement Attack p to generate new random nonce but without poor user is for each ECDSA signature. enough rope with which Almost all ⇒ Sony’s signatures leaked hang himself—something use fast Sony’s secret code-signing key. standard should not do. ” Kernel’s —1992 Rivest, Traditional response: Blame Sony. influences commenting on nonce generation influencing Blame the crypto implementor. Digital Signature Algorithm influencing Rivest’s response: Blame DSA. proposal by NIST, of the attack Blame the crypto designer. credited to NSA, 65ms to Change DSA to avoid this pitfall! standardized by NIST)
cryptographic designs Crypto horror story #1 Crypto horror story Bernstein 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–T Illinois at Chicago & Sven “failOverflow” demolition 65ms to steal Linux Universiteit Eindhoven of Sony PS3 security system: used for hard-disk Sony had ignored requirement Attack process on to generate new random nonce but without privileges. is for each ECDSA signature. rope with which Almost all AES implementations ⇒ Sony’s signatures leaked himself—something use fast lookup tables. Sony’s secret code-signing key. should not do. ” Kernel’s secret AES Traditional response: Blame Sony. influences table-load nonce generation influencing CPU cache Blame the crypto implementor. Signature Algorithm influencing measurable Rivest’s response: Blame DSA. y NIST, of the attack process. Blame the crypto designer. NSA, 65ms to compute influence Change DSA to avoid this pitfall! rdized by NIST)
designs Crypto horror story #1 Crypto horror story #2 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: Chicago & Sven “failOverflow” demolition 65ms to steal Linux AES key Eindhoven of Sony PS3 security system: used for hard-disk encryption. Sony had ignored requirement Attack process on same CPU to generate new random nonce but without privileges. for each ECDSA signature. which Almost all AES implementations ⇒ Sony’s signatures leaked himself—something use fast lookup tables. Sony’s secret code-signing key. ” Kernel’s secret AES key Traditional response: Blame Sony. influences table-load addresses, generation influencing CPU cache state, Blame the crypto implementor. Algorithm influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − Change DSA to avoid this pitfall! NIST)
Crypto horror story #1 Crypto horror story #2 2010 Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: Sven “failOverflow” demolition 65ms to steal Linux AES key of Sony PS3 security system: used for hard-disk encryption. Sony had ignored requirement Attack process on same CPU to generate new random nonce but without privileges. for each ECDSA signature. Almost all AES implementations ⇒ Sony’s signatures leaked use fast lookup tables. Sony’s secret code-signing key. Kernel’s secret AES key Traditional response: Blame Sony. influences table-load addresses, influencing CPU cache state, Blame the crypto implementor. influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − 1 . Change DSA to avoid this pitfall!
horror story #1 Crypto horror story #2 2012 Mo Shacham: Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache “failOverflow” demolition 65ms to steal Linux AES key x86 processo Sony PS3 security system: used for hard-disk encryption. somehow had ignored requirement Attack process on same CPU physical generate new random nonce but without privileges. memory h ECDSA signature. Almost all AES implementations programs Sony’s signatures leaked use fast lookup tables. secret code-signing key. Kernel’s secret AES key raditional response: Blame Sony. influences table-load addresses, influencing CPU cache state, Blame the crypto implementor. influencing measurable timings Rivest’s response: Blame DSA. of the attack process. Blame the crypto designer. 65ms to compute influence − 1 . Change DSA to avoid this pitfall!
story #1 Crypto horror story #2 2012 Mowery–Keelveedhi– Shacham: “We posit Bushing–Marcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache timing “failOverflow” demolition 65ms to steal Linux AES key x86 processors that security system: used for hard-disk encryption. somehow subvert the red requirement Attack process on same CPU physical indexing, random nonce but without privileges. memory requirements signature. Almost all AES implementations programs is doomed signatures leaked use fast lookup tables. de-signing key. Kernel’s secret AES key onse: Blame Sony. influences table-load addresses, influencing CPU cache state, crypto implementor. influencing measurable timings onse: Blame DSA. of the attack process. crypto designer. 65ms to compute influence − 1 . avoid this pitfall!
Crypto horror story #2 2012 Mowery–Keelveedhi– Shacham: “We posit that any rcan–Segher– 2005 Osvik–Shamir–Tromer: data-cache timing attack against demolition 65ms to steal Linux AES key x86 processors that does not m: used for hard-disk encryption. somehow subvert the prefetcher, requirement Attack process on same CPU physical indexing, and massive nonce but without privileges. memory requirements of modern signature. Almost all AES implementations programs is doomed to fail.” ed use fast lookup tables. key. Kernel’s secret AES key Blame Sony. influences table-load addresses, influencing CPU cache state, implementor. influencing measurable timings DSA. of the attack process. designer. 65ms to compute influence − 1 . pitfall!
Recommend
More recommend