
Making sure crypto stays insecure
Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven
Terrorist in Hong Kong prepares to throw deadly weapon at Chinese government workers. Image credit: Reuters.


Other useful strategies, not covered in this talk:
Manipulate software ecosystem so that software stays insecure.
Break into computers; access hundreds of millions of disks, screens, microphones, cameras.
Add back doors to hardware. e.g. 2012 U.S. government report says that Chinese-manufactured routers provide “Chinese intelligence services access to telecommunication networks”.

Some important clarifications:
1. “We” doesn’t include me. I want secure crypto.
2. Their actions violate fundamental human rights.
3. I don’t know how much of today’s crypto ecosystem was deliberately manipulated.
This talk is actually a thought experiment: how could an attacker manipulate the ecosystem for insecurity?

Timing attacks
2005 Osvik–Shamir–Tromer: 65ms to steal Linux AES key used for hard-disk encryption. Attack process on same CPU but without privileges.
Almost all AES implementations use fast lookup tables. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms: compute key from timings.

2011 Brumley–Tuveri: minutes to steal another machine’s OpenSSL ECDSA key. Secret branch conditions influence timings.
Most cryptographic software has many more small-scale variations in timing: e.g., memcmp for IPsec MACs.
Many more timing attacks: e.g. 2014 van de Pol–Smart–Yarom extracted Bitcoin secret keys from 25 OpenSSL signatures.

Manufacture public denials that such attacks exist. Maybe terrorists Alice and Bob won’t try to stop the attacks.
2001 NIST “Report on the development of the Advanced Encryption Standard (AES)”: “A general defense against timing attacks is to ensure that each encryption and decryption operation runs in the same amount of time. ... Table lookup: not vulnerable to timing attacks.”

2008 RFC 5246 “The Transport Layer Security (TLS) Protocol, Version 1.2”: “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.”
2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

Some instructions have no data flow from their inputs to CPU timings: e.g., logic instructions, constant-distance shifts, multiply (on most CPUs), add, subtract.
What if Alice and Bob use crypto software built solely from these instructions? Yikes: we won’t see anything from timings!
Try to scare implementors away from constant-time software. e.g. “It will be too slow.” “It’s too hard to write.”
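Added illustration, not code from the talk or from any of the papers it cites: the memcmp-style MAC check from the IPsec slide next to constant-time equality, conditional select and table lookup built only from the logic, shift, add and subtract instructions listed above. All function names and sample values are constructed for this example; it assumes a CPU on which those instructions really are constant-time, as the slide says most are.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data (hypothetical): a 16-byte MAC a receiver holds,
 * and two attacker guesses that differ in the first and in the last byte. */
static const uint8_t sample_mac[16] =
    {0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e};
static const uint8_t guess_wrong_first[16] =
    {0x00,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e};
static const uint8_t guess_wrong_last[16] =
    {0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x00};

/* Variable-time comparison in the style of memcmp(): stops at the first
 * mismatch, so its running time depends on how many leading bytes of the
 * guess agree with the secret MAC. */
static int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])          /* secret-dependent branch */
            return 0;
    return 1;
}

/* The quantity that leaks through timing: how many bytes the early-exit
 * loop above examines before it stops. */
static size_t leaky_bytes_examined(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Constant-time equality: every byte is read, differences are OR-ed into
 * an accumulator, and the 0/1 result comes from subtract and shift only. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= a[i] ^ b[i];
    /* (acc - 1) has its top bit set exactly when acc == 0 */
    return (int)((((uint32_t)acc - 1u) >> 31) & 1u);
}

/* All-ones mask for bit == 1, all-zeros for bit == 0, without a branch. */
static uint32_t ct_mask(uint32_t bit)
{
    return 0u - (bit & 1u);
}

/* 1 if x == y else 0, using XOR, subtract, AND-NOT and a constant shift. */
static uint32_t ct_eq32(uint32_t x, uint32_t y)
{
    uint32_t d = x ^ y;
    return (~d & (d - 1u)) >> 31;
}

/* Return a if bit == 1, b otherwise; replaces a secret-dependent branch. */
static uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b)
{
    uint32_t m = ct_mask(bit);
    return (a & m) | (b & ~m);
}

/* Constant-time table lookup: every entry is loaded and all but the wanted
 * one are masked to zero, so the addresses touched (and hence the cache
 * state an unprivileged neighbour can observe) do not depend on the index. */
static uint32_t ct_lookup(const uint32_t *table, size_t len, uint32_t secret_idx)
{
    uint32_t out = 0;
    for (size_t i = 0; i < len; i++)
        out |= table[i] & ct_mask(ct_eq32((uint32_t)i, secret_idx));
    return out;
}

/* Constructed sample table: the first eight entries of the AES S-box. */
static const uint32_t sample_table[8] = {0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5};

int main(void)
{
    printf("leaky: wrong-first examines %zu byte(s), wrong-last examines %zu\n",
           leaky_bytes_examined(sample_mac, guess_wrong_first, 16),
           leaky_bytes_examined(sample_mac, guess_wrong_last, 16));
    printf("ct_memeq: match=%d, wrong-last=%d\n",
           ct_memeq(sample_mac, sample_mac, 16),
           ct_memeq(sample_mac, guess_wrong_last, 16));
    printf("ct_lookup(3) = 0x%02x, ct_select(0, 7, 9) = %u\n",
           ct_lookup(sample_table, 8, 3), ct_select(0, 7, 9));
    return 0;
}
```

The leaky loop examines 1 byte for the wrong-first guess and all 16 for the wrong-last guess, which is the per-byte signal the IPsec memcmp issue gives away; the ct_ functions do the same amount of work for every input.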

Fund variable-time software, maybe with “countermeasures” that make the timings difficult for researchers to analyze but that are still breakable with our computer resources.
Continue expressing skepticism that constant time is needed. e.g. 2012 Mowery–Keelveedhi–Shacham “Are AES x86 cache timing attacks still feasible?”, unfortunately shredded by 2014 Irazoqui–Inci–Eisenbarth–Sunar “Wait a minute! A fast, cross-VM attack on AES”.

What if terrorists Alice and Bob use a different cipher for which constant-time implementations are simple and fast? Yikes!
Don’t standardize that cipher. e.g. choose Rijndael as AES, not higher-security Serpent. Watch out for any subsequent standardization efforts.
Discourage use of the cipher. Pretend that standardization is a guarantee of security while anything non-standard has questionable security.

  42. What if terrorists Alice and Bob use a different cipher for which constant-time implementations are simple and fast? Yikes! Don’t standardize that cipher. e.g. choose Rijndael as AES, not higher-security Serpent. Watch out for any subsequent standardization efforts. Discourage use of the cipher. Pretend that standardization is a guarantee of security while anything non-standard has questionable security.

      Padding oracles. 1998 Bleichenbacher: Decrypt SSL RSA ciphertext by observing server responses to ≈ 10^6 variants of ciphertext. SSL first inverts RSA, then checks for “PKCS padding” (which many forgeries have). Subsequent processing applies more serious integrity checks. Server responses reveal pattern of PKCS forgeries; pattern reveals plaintext.
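The slide describes the server-side behaviour that makes the Bleichenbacher oracle possible: the RSA result is checked for PKCS#1 v1.5 structure first, and the outcome of that check is visible to the peer. The following is an added example, not code from the talk. It works on the decrypted block (what the server sees after inverting RSA; the RSA step itself is left out), constructs the padded block itself, and contrasts a naive unwrapper that exits early with a distinct error per condition against a branch-free unwrapper in the style of the RFC 5246 section 7.4.7.1 countermeasure, which substitutes a random pre-master secret on any failure so the peer sees one uniform outcome. The 1024-bit modulus size and the `leaky_outcome` / `uniform_unwrap` names are this example's own choices.

```python
import os

PMS_LEN = 48   # TLS pre-master secret length
K = 128        # RSA modulus size in bytes (1024-bit); constructed for the demo


def pkcs1_v15_pad(secret: bytes, k: int = K) -> bytes:
    """Build an EME-PKCS1-v1_5 type-2 block: 00 02 <nonzero PS> 00 <secret>.
    Constructed stand-in for what the client would RSA-encrypt."""
    ps_len = k - 3 - len(secret)
    assert ps_len >= 8
    ps = b""
    while len(ps) < ps_len:                         # padding bytes must be nonzero
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + secret


class BadPadding(Exception):
    pass


class BadVersion(Exception):
    pass


def leaky_unwrap(block: bytes, client_version: bytes) -> bytes:
    """Naive server: returns early with a distinct error per condition.
    Each distinguishable outcome (alert type, or timing) is the oracle that
    a forged ciphertext queries."""
    if block[0] != 0 or block[1] != 2:
        raise BadPadding("not a type-2 block")
    sep = block.find(b"\x00", 2)
    if sep < 10:                                    # PS shorter than 8 bytes, or no separator
        raise BadPadding("separator missing or too early")
    secret = block[sep + 1:]
    if len(secret) != PMS_LEN:
        raise BadPadding("wrong secret length")
    if secret[:2] != client_version:
        raise BadVersion("version mismatch")
    return secret


def leaky_outcome(block: bytes, client_version: bytes) -> str:
    """What the peer can observe from the naive server: three distinct outcomes."""
    try:
        leaky_unwrap(block, client_version)
        return "ok"
    except BadPadding:
        return "bad_padding"
    except BadVersion:
        return "bad_version"


def uniform_unwrap(block: bytes, client_version: bytes) -> bytes:
    """Hardened server, following the idea of RFC 5246 section 7.4.7.1:
    evaluate every condition without early exit, and on ANY failure carry
    on with a random pre-master secret, so the handshake fails later in a
    way that does not depend on the padding.  (CPython cannot promise
    constant time; the point is the branch-free structure.)"""
    k = len(block)
    sep = k - PMS_LEN - 1                          # separator position is fixed by PMS_LEN
    ok = int(block[0] == 0) & int(block[1] == 2)
    for i in range(2, sep):
        ok &= int(block[i] != 0)
    ok &= int(block[sep] == 0)
    ok &= int(block[sep + 1] == client_version[0])
    ok &= int(block[sep + 2] == client_version[1])
    candidate = block[sep + 1:]
    fallback = os.urandom(PMS_LEN)
    mask = (-ok) & 0xFF                            # 0xFF if every check passed, else 0x00
    return bytes((c & mask) | (f & (mask ^ 0xFF)) for c, f in zip(candidate, fallback))
```

With `leaky_outcome` a tampered block yields `bad_padding` or `bad_version` depending on which check it trips, which is exactly the per-query bit the slide's ≈ 10^6 variants extract; `uniform_unwrap` returns 48 bytes in every case, and a forged block simply leads to a Finished-message mismatch later.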

  46. Design cryptographic systems so that forgeries are sent through as much processing as possible. e.g. Design SSL to decrypt and check padding before checking a serious MAC. Broken by padding-oracle attacks such as BEAST and POODLE. e.g. Design “encrypt-only” IPsec options. Broken by 2006 Paterson–Yau for Linux and 2007 Degabriele–Paterson for RFCs.
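The slide's design rule is about ordering: if a forgery is decrypted and unpadded before its MAC is checked, the padding check becomes an oracle. The following is an added example, not code from the talk, that makes the two layouts concrete. So that it runs on the standard library alone, the block cipher is a constructed XOR-with-derived-key stand-in for AES (a permutation, but not secure); CBC, PKCS#7 padding and HMAC-SHA256 are real. `mte_open` (MAC-then-encrypt, the SSL/TLS CBC layout) reports two different failures; `etm_open` (encrypt-then-MAC) rejects every forgery with the same failure before `cbc_decrypt` is ever called, which the `DECRYPT_CALLS` counter makes visible.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _block_key(key: bytes) -> bytes:
    return hashlib.sha256(b"toy-block-key" + key).digest()[:BLOCK]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Placeholder for AES: XOR with a key-derived mask.  NOT secure."""
    return bytes(a ^ b for a, b in zip(block, _block_key(key)))


toy_decrypt_block = toy_encrypt_block    # XOR is its own inverse


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(toy_decrypt_block(key, blk), prev)))
        prev = blk
    return b"".join(out)


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# MAC-then-encrypt, SSL/TLS CBC style: pad(msg || tag) is what gets encrypted.
def mte_seal(ek: bytes, mk: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ek, iv, pad(msg + mac(mk, msg)))


def mte_open(ek: bytes, mk: bytes, blob: bytes):
    """Returns (msg, 'ok') or (None, reason).  Two distinct failure reasons,
    reachable only after decryption: that pair is the padding oracle."""
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    try:
        pt = unpad(cbc_decrypt(ek, iv, ct))
    except ValueError:
        return None, "bad_padding"
    msg, tag = pt[:-32], pt[-32:]
    if not hmac.compare_digest(tag, mac(mk, msg)):
        return None, "bad_mac"
    return msg, "ok"


# Encrypt-then-MAC: the tag covers iv || ciphertext, so a forgery is rejected
# before any decryption or padding logic runs.
DECRYPT_CALLS = {"etm": 0}


def etm_seal(ek: bytes, mk: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(ek, iv, pad(msg))
    return body + mac(mk, body)


def etm_open(ek: bytes, mk: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(mk, body)):
        return None, "bad_mac"            # the only failure a forger can ever see
    DECRYPT_CALLS["etm"] += 1
    return unpad(cbc_decrypt(ek, body[:BLOCK], body[BLOCK:])), "ok"


def flip(blob: bytes, index: int, delta: int = 0x01) -> bytes:
    """Constructed forgery: one bit flipped in the blob at the given index."""
    b = bytearray(blob)
    b[index] ^= delta
    return bytes(b)
```

With a 16-byte message the MAC-then-encrypt plaintext is exactly three blocks plus a full padding block, so flipping the last ciphertext byte changes the padding length to 17 and trips `bad_padding`, while flipping an IV byte leaves padding intact and trips `bad_mac`; the same two forgeries against `etm_open` are indistinguishable.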

  50. Randomness. 1995 Goldberg–Wagner: Netscape SSL keys had < 50 bits of entropy. 2008 Bello: Debian/Ubuntu OpenSSL keys for years had < 20 bits of entropy. 2012 Lenstra–Hughes–Augier–Bos–Kleinjung–Wachter and 2012 Heninger–Durumeric–Wustrow–Halderman broke the RSA public keys for 0.5% of all SSL servers. The primes had so little randomness that they collided.

  54. Make randomness-generation code extremely difficult to audit. Have each application maintain its own RNG “for speed”. Maintain separate RNG code for each application. “For simplicity” build this RNG in ad-hoc ways from the inputs conveniently available to that application. Pay people to use backdoored RNGs such as Dual EC. Claim “provable security”.

  59. What if the terrorists merge all available inputs into a central entropy pool? This pool can survive many bad/failing/malicious inputs if there is one good input. Merging process is auditable. Yikes! Claim performance problems in writing to a central pool, reading from a central pool. Modify pool to make it unusable (random) or scary (urandom).
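The three slides above tie together: ad-hoc per-application seeding (slide 54) leaves so little entropy that primes collide across hosts (slide 50), whereas a central pool survives bad inputs as long as one input is good (slide 59). The following is an added example, not code from the talk, that simulates both key-generation styles and runs the audit that Lenstra et al. and Heninger et al. applied to real SSL keys: a GCD between every pair of moduli. Everything here is a toy: 48-bit primes, an 8-bit "process id" as the only seed of the ad-hoc RNG, and a pairwise O(n^2) GCD instead of the batch-GCD those papers used at Internet scale. The `adhoc_keygen`, `pooled_keygen` and `shared_factor_audit` names are this example's own.

```python
import hashlib
import math
import os
import random


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; plenty for the 48-bit toy primes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)       # witness choice need not be secret
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(rng: random.Random, bits: int = 48) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def adhoc_keygen(pid: int) -> int:
    """Per-application RNG seeded from whatever was handy at startup (only a
    small pid here).  p is drawn before any real entropy arrives; some
    entropy trickles in before q, as Heninger et al. observed at boot."""
    rng = random.Random(pid)
    p = next_prime(rng)
    rng.seed(os.urandom(16))
    q = next_prime(rng)
    return p * q


class EntropyPool:
    """Central pool: every input is hashed into the state.  Output stays
    unpredictable as long as at least one mixed-in input was unpredictable."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32

    def mix(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()

    def rng(self) -> random.Random:
        return random.Random(int.from_bytes(self.state, "big"))


def pooled_keygen(pid: int) -> int:
    pool = EntropyPool()
    pool.mix(pid.to_bytes(2, "big"))          # weak input
    pool.mix(b"boot-time: same on every host")  # failing input
    pool.mix(os.urandom(32))                  # the one good input
    rng = pool.rng()
    p = next_prime(rng)
    q = next_prime(rng)
    while q == p:
        q = next_prime(rng)
    return p * q


def shared_factor_audit(moduli):
    """Return {(i, j): g} for every pair of moduli with gcd g > 1.  A shared
    prime factors both keys; g == n means two hosts hold the same key."""
    found = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if g != 1:
                found[(i, j)] = g
    return found


def survey(keygen, hosts: int = 300, pid_bits: int = 8):
    """One key per host, each host seeding from a pid of pid_bits bits."""
    moduli = [keygen(random.getrandbits(pid_bits)) for _ in range(hosts)]
    return moduli, shared_factor_audit(moduli)
```

With 300 hosts and only 256 possible seeds, the ad-hoc survey is guaranteed to contain hosts that drew the same p, and the audit recovers that p from the public moduli alone; the pooled survey, whose primes are drawn from a 2^42-sized space, comes back clean. The same audit is worth running on any fleet's TLS or SSH host keys.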

  63. What if the terrorists realize that RNG speed isn’t an issue? Make it an issue! Design crypto to use randomness as often as possible. This also complicates tests, encouraging bugs. e.g. DSA and ECDSA use a new random number k to sign m; could have replaced k with H(s; m). 1992 Rivest: “the poor user is given enough rope with which to hang himself”. 2010 Bushing–Marcan–Segher–Sven “PS3 epic fail”: PS3 forgeries.
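The slide's "could have replaced k with H(s; m)" is the design now standardized as RFC 6979 for DSA/ECDSA. The following is an added example, not code from the talk, that shows the idea on a toy Schnorr signature over a tiny constructed group (p = 2039, q = 1019, g = 4; chosen so the arithmetic is readable, with no security): the per-signature value k is derived from the private key and the message, so signing consumes no randomness and is fully testable. `key_from_reused_nonce` carries the algebra of the PS3 failure the slide cites, in the toy group, to show what the deterministic derivation prevents. The nonce derivation is a simplified stand-in for RFC 6979, not the RFC's exact procedure.

```python
import hashlib
import hmac

# Constructed toy parameters: p = 2q + 1 with q prime, g a generator of order q.
P, Q, G = 2039, 1019, 4


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def deterministic_nonce(x: int, msg: bytes) -> int:
    """k = H(s, m): a function of the private key and the message, so the
    signer needs no RNG and cannot reuse k across distinct messages.
    Simplified stand-in for RFC 6979 (which also rejects k == 0)."""
    k = int.from_bytes(hmac.new(x.to_bytes(4, "big"), msg, hashlib.sha256).digest(), "big") % Q
    return k or 1


def sign(x: int, msg: bytes, k=None):
    """Schnorr signature (e, s) with r = g^k, e = H(r, m), s = k - x*e mod q.
    k defaults to the deterministic nonce; an explicit k is only for the demo."""
    if k is None:
        k = deterministic_nonce(x, msg)
    r = pow(G, k, P)
    e = H(r.to_bytes(2, "big"), msg) % Q
    s = (k - x * e) % Q
    return e, s


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P          # g^s * y^e = g^(k - xe) * g^(xe) = g^k
    return H(r.to_bytes(2, "big"), msg) % Q == e


def key_from_reused_nonce(sig1, sig2) -> int:
    """Two signatures on different messages with the same k (the PS3 bug):
    s1 - s2 = -x(e1 - e2) mod q, so x = (s2 - s1) / (e1 - e2) mod q.
    With k = H(s, m) this situation cannot arise for distinct messages."""
    (e1, s1), (e2, s2) = sig1, sig2
    return (s2 - s1) * pow((e1 - e2) % Q, -1, Q) % Q
```

A useful property for code review follows directly: `sign(x, msg)` is a pure function of its inputs, so a unit test can pin its output to a known vector, which is impossible for a signer that draws k from an RNG.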

  70. Pure crypto failures. 2008 Stevens–Sotirov–Appelbaum–Lenstra–Molnar–Osvik–de Weger exploited MD5 ⇒ rogue CA for TLS. 2012 Flame: new MD5 attack. Fact: By 1996, a few years after the introduction of MD5, Preneel and Dobbertin were calling for MD5 to be scrapped. We managed to keep MD5. How? Speed; standards; compatibility.

  72. 2014: DNSSEC uses … to “secure” IP addresses. e.g. dnssec-deployment.org address is signed b…
