Dieses Semester wird das Seminar vom Lehrstuhl für Kryptologie & IT-Sicherheit organisiert. Untenstehend finden Sie eine Liste der geplanten Termine und Vorträge für das ganze Semester. Falls nicht anders angekündigt, finden alle Vorträge um 11.00 Uhr s.t. statt.
|27. Oktober 2011||Colin Boyd||Queensland University of Technology||On Forward Secrecy in One-Round Key Exchange||ID 04/653||11.00 Uhr|
|02. November 2011||Andrey Bogdanov||Katholieke Universiteit Leuven||Biclique Analysis of Full AES||ID 04/653||11.00 Uhr|
|10. November 2011||Chen-Mou Cheng||National Taiwan University||Solving polynomial systems over GF2 using GPU||ID 04/653||11.00 Uhr|
|17. November 2011||Benno Lomb||Ruhr-Universität Bochum||Decrypting HDCP-Protected Video Streams using Reconfigurable Hardware||ID 04/653||11.00 Uhr|
|24. November 2011||Alexander Meurer||Ruhr-Universität Bochum||Improved Information Set Decoding||ID 04/653||11.00 Uhr|
|08. Dezember 2011||Sebastian Uellenbeck||Ruhr-Universität Bochum||Invisible Guard for Mobile Devices||ID 04/653||11.00 Uhr|
|15. Dezember 2011||Ralph Holz||Technische Universität München||The SSL Landscape - Analysis and discussion of the X.509 PKI for SSL/TLS||ID 04/653||11.00 Uhr|
|21. Dezember 2011||Martin Novotny||Tschechische Technische Universität, Prag||Breaking Hitag2 with COPACOBANA||ID 03/653||11:00 Uhr|
|12. Januar 2012||Pooya Farshim||Technische Universität Darmstadt||Delegatable Homomorphic Encryption with Applications to Secure Outsourcing of Computation||ID 04/653||11.00 Uhr|
|26. Januar 2012||Mario Heiderich||Ruhr Universität Bochum||Got your Nose! How to Steal Your Precious Data Without Using Scripts||ID 04/653||11.00 Uhr|
|02. Februar 2012||Benedikt Driessen und Ralf Hund||Ruhr Universität Bochum||Don't Trust Satellite Phones||ID 04/653||11.00 Uhr|
On Forward Secrecy in One-Round Key Exchange
Most one-round key exchange protocols provide only weak forward secrecy at best. Furthermore, one-round protocols with strong forward secrecy often break badly when faced with an adversary who can obtain ephemeral keys. We provide a characterisation of how strong forward secrecy can be achieved in one-round key exchange. Moreover, we show that protocols exist which provide strong forward secrecy and remain secure with weak forward secrecy even when the adversary is allowed to obtain ephemeral keys. We provide a compiler to achieve this for any existing secure protocol with weak forward secrecy. This is joint work with Juan Gonzalez Nieto.
Biclique Analysis of Full AES
Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key version or upon 8-round attacks on the 192/256-bit key versions has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade.
We present a novel technique of block cipher cryptanalysis with bicliques, which leads to the first cryptanalysis of all three full AES versions in the classical adversary model with a single secret key. No related keys are required. As our key recovery is of high computational complexity, it does not threaten the practical use of AES in any way.
This is a joint work with Dmitry Khovratovich and Christian Rechberger.
Solving polynomial systems over GF2 using GPU
We analyze how fast we can solve general systems of multivariate equations of various low degrees over GF2; this is a well known hard problem which is important both in itself and as part of many types of algebraic cryptanalysis. Compared to the standard exhaustive-search technique, our improved approach is more efficient both asymptotically and practically.
We implemented several optimized versions of our techniques on CPUs and GPUs. Modern graphic cards allows our technique to run more than 10 times faster than the most powerful CPU available. Today, we can solve 48+ quadratic equations in 48 binary variables using just one NVIDIA GTX 295 video card costing about 500 USD in 21 minutes. With this level of performance, solving systems of equations supposed to ensure a security level of 64 bits turns out to be feasible in practice with a modest budget. This is a clear demonstration of the power of GPUs in solving many types of combinatorial and cryptanalytic problems.
Decrypting HDCP-Protected Video Streams using Reconfigurable Hardware
High-bandwidth Digital Content Protection (HDCP) was established in 1999 as standard to protect digital video content against unauthorized replication. In this work, we demonstrate how an attacker can efficiently implement all its cryptographic mechanisms and the required video processing in reconfigurable hardware to successfully circumvent the HDCP protection. Our demonstration set-up uses a low-cost Xilinx Spartan-6 LX45 FPGA available on Digilent’s Atlys Development Board which also provides all required connectors for video input and output. Using this set-up for less than US$ 250, we show that we can (a) successfully connect any non-compliant monitor to a HDCPprotected video source, (b) extract all secret session keys established during authentication and (c) decrypt single-link video streams with a resolution of 720p or 1080i in real-time.
Improved Information Set Decoding
Today, generic decoding algorithms still give the most efficient attacks on code-based cryptosystems. Such algorithms get as input a (n-k) x n - dimensional parity check matrix and a syndrome s together with a target weight w and compute an n-dimensional error vector e of weight w matching the syndrome s, i.e. H*e=s. The most efficient generic decoding algorithms belong to the class of so-called Information Set Decoding (ISD) algorithms.
For a long time, the asymptotically fastest ISD algorithm was Stern's variant from 1989. Very recently, Bernstein, Lange and Peters proposed a new technique called "Ball-collision decoding" which offers a slight exponential speed-up over Stern's algorithm.
In this talk, we present another new ISD algorithm inspired by a neat representation technique due to Howgrave-Graham and Joux in the context of subset sum algorithms which asymptotically outperforms all known ISD algorithms.
This is joint work with Alexander May and Enrico Thomae and will appear at Asiacrypt 2011.
Invisible Guard for Mobile Devices
Smartphones are mobile devices that combine the restricted features of cellphones with the sophisticated possibilities of mobile computers. In contrast to desktop computers, they are limited by processor speed, memory size, and battery power. They are in wide use for common tasks like reading email, managing contacts, surfing the web, and taking photos, to name only a few. As a result, they contain a lot of private data that needs to be protected from attackers like walk-in-thieves as well as well-resourced attackers. Due to the previously mentioned limitations, desktop solutions like intrusion detection systems that have proven themselves in practice can not be transferred to smartphones. However, they include---in contrast to desktop computers---sensors that might be used to detect biometric data to distinguish between friend and enemy.
In this talk, we start with a broad overview about possibilities to enhance smartphones defence mechanisms. As a second step, we describe a biometric detection tool---currently developed and evaluated---that is based on the users keystroke behaviour.
The SSL Landscape - Analysis and discussion of the X.509 PKI for SSL/TLS
The SSL and TLS infrastructure used in important protocols like HTTPs and IMAPs is built on an X.509 public key infrastructure (PKI). Certificates are used to authenticate services like online banking, shopping, e-mail, etc. However, it always has been felt that the certification processes of this PKI may not be conducted with enough rigor, resulting in a possibly insecure deployment.
In this talk, we present a comprehensive analysis of X.509 certificates used in the wild. We begin with an overview of critical incidents in the past 2 years and highlight the current shortcomings of PKI deployment. Then, we turn to the results of our own 1.5-year study of the X.509 PKI, which we have presented at IMC 2011.
We conducted HTTPs scans of a large number of popular HTTPs servers, including scans from nine locations distributed over the globe. Furthermore, we monitored live SSL/TLS traffic on a 10 Gbps uplink of the Munich Research Network. A third-party scan of the entire IPv4 space complements our own data sets. Our analyses reveal that the quality of certification lacks in stringency, due to a number of reasons among which invalid certification chains and certificate subjects give the most cause for concern. Our findings confirm that the X.509 PKI that we use so often in our everyday's lives is in a sorry state.
Towards the end of the talk, we discuss some proposals made by EFF, Moxie Marlinspike and others to reinforce or replace the current PKI.
Breaking Hitag2 with COPACOBANA
The Hitag2 stream cipher is used in many real-world applications, such as car immobilizers and door opening systems, as well as for the access control of buildings. The short length of the 48-bit secret key employed makes the cipher vulnerable to a brute-force attack, i.e., exhaustive key search. In this presentation we introduce the first hardware architecture for the cryptanalysis of Hitag2 by means of exhaustive key search. Our implementation on the Cost-Optimized Parallel Code-Breaker COPACOBANA is able to reveal the secret key of a Hitag2 transponder in less than 2 hours (103.5 minutes) in the worst case. The speed of our approach outperforms all previously proposed attacks and requires only 2 sniffed communications between a car and a tag. Our findings thus define a new lower limit for the cloning of car keys in practice. Moreover, the attack is arbitrarily parallelizable and could thus be run on multiple COPACOBANAs to decrease the time to find the secret key.
Delegatable Homomorphic Encryption with Applications to Secure Outsourcing of Computation
In this talk, we propose a new cryptographic primitive called Delegatable Homomorphic Encryption (DHE). This allows a Trusted Authority to control/delegate the evaluation of circuits over encrypted data to untrusted workers/evaluators by issuing tokens. This primitive can be both seen as a public-key counterpart to Verifiable Computation, where input generation and output verification are performed by different entities, or as a generalisation of Fully Homomorphic Encryption enabling control over computations on encrypted data. Our primitive comes with a series of extra features: 1) there is a one-time setup procedure for all circuits; 2) senders do not need to be aware of the functions which will be evaluated on the encrypted data, nor do they need to register keys; 3) tokens are independent of senders and receiver; and 4) receivers are able to verify the correctness of computation given short auxiliary information on the input data and the function, independently of the complexity of the computed circuit. We give a modular construction of such a DHE scheme from three components: Fully Homomorphic Encryption (FHE), Functional Encryption (FE), and a (customised) MAC. As a stepping stone, we first define Verifiable Functional Encryption (VFE), and then show how one can build a secure DHE scheme from a VFE and an FHE scheme. We also show how to build the required VFE from a standard FE together with a MAC scheme. All our results hold in the standard model. Finally, we show how one can build a verifiable computation (VC) scheme generically from a DHE. As a corollary, we get the first VC scheme which remains verifiable even if the attacker can observe verification results.
Got your Nose! How to Steal Your Precious Data Without Using Scripts
But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data right before you know it? What about attacks, so sneaky and sophisticated or just simple, even your best Anti-XSS solution won’t prevent them, since they don’t use any scripting but fierce markup tricks from outer space?
Don't Trust Satellite Phones
Benedikt Driessen und Ralf Hund
There is a rich body of work related to the security aspects of cellular mobile phones, in particular with respect to the GSM and UMTS systems. To the best of our knowledge, however, there has been no investigation of the security of satellite phones (abbr. satphones). Even though a niche market compared to the G2 and G3 mobile systems, there are several 100,000 satphone subscribers worldwide. Given the sensitive nature of some of their application domains (e.g., natural disaster areas or military campaigns), security plays a particularly important role for satphones. In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for satphones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 ciphertext-only attacks to the GMR- 1 algorithm with an average case complexity of 2^(32) steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50?65 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-of- the-art in symmetric cryptography.