The Crypto Year in Review
Bart Preneel, COSIC KU Leuven and imec, Belgium
Bart.Preneel(at)esat.kuleuven.be
November 2017
© KU Leuven COSIC, Bart Preneel
Crypto = Cryptocurrencies = bitcoin?
Myths about Bitcoin
• It will keep going up
• Transactions are expensive
• People do many transactions
• We understand why it works
• Anarchy works to manage a global currency system
• There will be no hard forks after Bitcoin Cash
• It is (not) a pyramid scheme
• Ethereum is much better
• My next ICO is even better
Outline
• Cool hacks: Infineon RSAlib, KRACK, Intel ME
• Hash functions
• TLS
• Postquantum crypto
• Cryptowars returning
• Conclusions
The Infineon Library: RSAlib [Nemec, Sýs, Švenda, Klinec, Matyáš '17]
RSA keys: product of two large primes: N = p.q. How do I generate p and q?
Pick a random number x and test for primality
Improvement 1: pick a random odd number x and test
– Note: x = 1 mod 2
Improvement 2: pick a random odd number x not divisible by 3 and test for primality
– Note: x = 1 mod 6 or x = 5 mod 6
Improvement 3: pick a random odd number x not divisible by 3 and 5 and test for primality
– Note: x mod 30 is one of 1, 7, 11, 13, 17, 19, 23, 29 (the residues coprime to 30)
Idea: control the value of candidates x modulo the product of the first n primes
The Infineon Library: RSAlib
RSAlib generates prime candidates x as follows
– M_n = product of the first n primes
– x = k . M_n + (65537^a mod M_n), for random k and a
Unfortunately this can be detected easily: N = p.q = 65537^c mod M_n for some c, a condition only a tiny fraction of random moduli satisfy
And M_n was chosen too large, so k and a are small and can be recovered easily (Coppersmith's method), leading to factorization:
– 1024-bit keys: < 3 CPU months on a single core
– 2048-bit keys: 100 CPU-years
Improvements by 25%: [Bernstein-Lange]
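The candidate structure and the fingerprint described above, as an added toy example (not code from the paper, from the CROCS detector or from Infineon). Assumptions: 64-bit primes and M_n = product of the first 12 primes, chosen so it runs in well under a second; the real library used a far larger M_n, and the published detector uses a tuned prime set and lookup masks rather than this direct subgroup check.

```python
"""Toy reconstruction of the RSAlib prime structure and of the fingerprint
that detects it. Added example; parameters (64-bit primes, M_n = product of
the first 12 primes) are assumptions chosen for speed."""
import random

FIRST_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
G = 65537  # the generator whose powers RSAlib used (also the usual public exponent)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in FIRST_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def primorial(n_primes: int) -> int:
    m = 1
    for p in FIRST_PRIMES[:n_primes]:
        m *= p
    return m


def rsalib_prime(bits: int, n_primes: int, rng: random.Random) -> int:
    """Candidate x = k*M + (65537^a mod M) is automatically coprime to M, which
    makes primality testing cheaper; the price is that x mod M is confined to
    the small subgroup generated by 65537."""
    m = primorial(n_primes)
    lo, hi = (1 << (bits - 1)) // m + 1, (1 << bits) // m
    while True:
        a = rng.randrange(m)
        k = rng.randrange(lo, hi)
        x = k * m + pow(G, a, m)
        if is_probable_prime(x):
            return x


def random_prime(bits: int, rng: random.Random) -> int:
    """Textbook generation: random odd candidate of the right size, then test."""
    while True:
        x = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(x):
            return x


def subgroup(g: int, p: int) -> set:
    """The cyclic subgroup <g> of Z_p^*."""
    s, e = set(), 1
    while e not in s:
        s.add(e)
        e = e * g % p
    return s


def looks_like_rsalib(n: int, n_primes: int) -> bool:
    """Fingerprint: for every small prime p dividing M, N mod p must lie in
    <65537 mod p>. Every RSAlib-style modulus passes, since
    N = p*q = 65537^(a+b) mod M; a random modulus fails with high probability
    (for p = 11 the subgroup is {1, 10}, for p = 37 it has only 3 elements)."""
    return all(n % p in subgroup(G % p, p) for p in FIRST_PRIMES[:n_primes])


def demo(n_primes: int = 12, bits: int = 64, seed: int = 1):
    """Returns (fingerprint of a weak modulus, fingerprint of a normal one)."""
    rng = random.Random(seed)
    weak = rsalib_prime(bits, n_primes, rng) * rsalib_prime(bits, n_primes, rng)
    normal = random_prime(bits, rng) * random_prime(bits, rng)
    return looks_like_rsalib(weak, n_primes), looks_like_rsalib(normal, n_primes)


if __name__ == "__main__":
    print("weak modulus flagged: %s, normal modulus flagged: %s" % demo())
```

The check needs only the public modulus, which is why the weak keys could be found at scale in TPM attestation keys, TLS certificates and GitHub SSH keys; the factorization step (recovering the small k and a) is the expensive part that this example leaves out.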
The Infineon Library: RSAlib https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Aug. 2016: non-randomness of Infineon keys detected
Jan. 2017: vulnerability found
Feb. 2017: Infineon warned
16 Oct. 2017: results announced (without details)
31 Oct. 2017: paper released
3 Nov. 2017: Estonia blocks Infineon keys (more than 750,000 ID cards)
Other problems: TPMs, TLS, GitHub, ...
RSAlib was certified by BSI based on tests by TÜV Informationstechnik GmbH
KRACK (Key Reinstallation Attack) [Vanhoef-Piessens '17] https://www.krackattacks.com/
Target: the 4-way handshake of Wi-Fi Protected Access II (WPA2)
• the attacker blocks message 4, so the access point retransmits message 3; the client accepts the replay and reinstalls the key it is already using, which resets the packet number (nonce) and the replay counter, so keystream is reused and frames can be decrypted or replayed
• affects all major software platforms: Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD
• wpa_supplicant (open-source, used in Linux and Android) is especially susceptible: it can be manipulated to install an all-0 encryption key
• the protocol had a formal security proof (the proof models the handshake, not the implementation's state machine that installs the key)
• responses have been interesting
• note that there are even worse attacks on Wi-Fi: evil twin
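The reinstallation bug as a small state-machine model, added here as an example (not code from Vanhoef and Piessens or from any Wi-Fi stack). Assumptions: the keystream is SHA-256(key || packet number || block counter), a stand-in for CCMP's AES-CTR keystream; the handshake is reduced to message 3; the two frames are constructed. It shows that replaying message 3 makes an unpatched client reinstall the same PTK and reset its packet number, so two frames share (key, nonce) and the XOR of their ciphertexts equals the XOR of their plaintexts. The wpa_supplicant all-zero-key variant is not modelled.

```python
"""Model of the KRACK key-reinstallation bug on the client (supplicant) side.
Added example; keystream function and frames are constructed stand-ins."""
import hashlib

FRAME1 = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed; attacker can guess it
FRAME2 = b"POST /login HTTP/1.1\r\nuser=alice&password=hunter2"  # constructed; the secret one


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP's counter-mode keystream: depends only on (key, nonce)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Just the state that KRACK abuses: the installed key and its packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0          # CCMP packet number, the per-key nonce; must never repeat
        self.installed = False

    def on_message3(self, ptk: bytes) -> None:
        # The AP retransmits message 3 whenever the attacker drops message 4.
        if self.installed and self.patched:
            return           # fix: acknowledge, but never reinstall a key that is in use
        self.ptk = ptk
        self.pn = 0          # (re)installation resets the nonce: the bug
        self.installed = True

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def attack(patched: bool):
    """Returns (nonce reused?, plaintext bytes the attacker recovers from FRAME2)."""
    ptk = bytes(range(16))   # constructed session key; the attacker never learns it
    client = Supplicant(patched)
    client.on_message3(ptk)                 # genuine message 3
    pn1, ct1 = client.send(FRAME1)
    client.on_message3(ptk)                 # replayed message 3
    pn2, ct2 = client.send(FRAME2)
    if pn1 != pn2:
        return False, b""
    # same key, same nonce: ct1 XOR ct2 = FRAME1 XOR FRAME2 over the common length
    return True, xor(xor(ct1, ct2), FRAME1)


if __name__ == "__main__":
    reused, leaked = attack(patched=False)
    print("unpatched: nonce reused=%s, recovered=%r" % (reused, leaked))
    print("patched:   nonce reused=%s" % attack(patched=True)[0])
```

The fix is not a change to the handshake but to the state machine: a key that is already installed is never installed again, so a replayed message 3 cannot move the nonce backwards.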
Intel's ME
Intel's Management Engine is in every Intel platform; recent versions run MINIX
Often described as "ring -3": underneath and out of sight of whatever OS, hypervisor or antivirus is installed
– hosts the firmware TPM
– media DRM
May 2017: a remote unprivileged attacker in AMT (Active Management Technology) could "gain system privileges to provisioned [chips]"
Nov 2017: compromised via the USB port by Russian researchers https://mobile.twitter.com/h0t_max/status/928269320064450560
A Bad Year for the NSA Crypto Team
Simon and Speck: two lightweight block ciphers designed by the NSA (2013)
September 2017: ISO/IEC JTC 1 refuses to standardize Simon and Speck (all versions)
Answer of the NSA: we will be back (but only with the larger versions)
And SHA-1?
Hash functions
This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).
Example output: 1A3FD4128A198FB3CA345932h
Designs over time: X.509 Annex D, MDC-2, MD2, MD4, MD5, SHA-1, RIPEMD-160, SHA-256, SHA-512, SHA-3
ISSE 2016 prediction: collision for SHA-1 in the next 6 months
[Figure: log2 complexity of collision attacks on SHA-1 over time: [Wang+'04], [Wang+'05], [Sugita+'06], [Mendel+'08], [McDonald+'09], [Manuel+'09], [Stevens'12]; most attacks unpublished/withdrawn]
SHA-1: designed by NSA in '94
Collision for 75 of 80 steps takes 2^57.7 [Grechnikov-Adinetz'11]
Collision for full SHA-1 in Feb. 2017: https://shattered.io/ [Stevens+17]
Collisions for SHA-1 [Stevens-Bursztein-Karpman-Albertini-Markov '17]
2^63.1 SHA-1 computations = 6,500 years of single-CPU computations or 110 years of single-GPU computations
about 100,000 times faster than the generic birthday attack at 2^80
browser industry (Chrome, Edge, IE) started preparing in 2015
WoSign caught backdating SHA-1 certificates in 2016!
Firefox still had to scramble last minute in 2017
problems for GitHub
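The two generic attacks from the definition above, run against a truncated SHA-1 so that they finish in seconds; an added example, not from the talk. The truncation and the message formats are this example's constructions. It shows the cost gap the slides rely on: a collision search needs about 2^(n/2) hash evaluations (the birthday bound, 2^80 for 160-bit SHA-1), a preimage search about 2^n, which is why SHAttered's 2^63.1 counts as a break.

```python
"""Generic attacks on a hash function, demonstrated on a truncated SHA-1.
Added example; 'truncated SHA-1' is this example's toy n-bit hash."""
import hashlib
from itertools import count


def truncated_sha1(data: bytes, bits: int) -> int:
    """The first `bits` bits of SHA-1(data), as an integer: a toy n-bit hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits: int):
    """Remember every output seen; the first repeat is a collision.
    Expected cost about sqrt(pi/2) * 2^(bits/2) evaluations, with memory of
    the same order (a real attack would use distinguished points instead)."""
    seen = {}
    for i in count():
        msg = b"collide-%d" % i
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1      # (first message, second message, evaluations)
        seen[h] = msg


def preimage(target: int, bits: int):
    """Try messages until one hashes to `target`: expected about 2^bits evaluations."""
    for i in count():
        msg = b"preimage-%d" % i
        if truncated_sha1(msg, bits) == target:
            return msg, i + 1


def compare(bits: int):
    """Evaluations spent on a collision versus a preimage at the same output size."""
    _, _, collision_cost = birthday_collision(bits)
    _, preimage_cost = preimage(truncated_sha1(b"target", bits), bits)
    return collision_cost, preimage_cost


if __name__ == "__main__":
    a, b, n = birthday_collision(32)
    print("32-bit collision after %d evaluations: %r vs %r" % (n, a, b))
    print("20-bit: collision %d evaluations, preimage %d evaluations" % compare(20))
```

At 32 output bits the collision turns up after tens of thousands of evaluations while a preimage would need billions; scale the exponents to 160 bits and the same ratio separates the 2^80 generic bound from the 2^160 preimage cost, which is why a collision break alone does not let an attacker forge a given existing certificate, but does let them prepare two colliding ones.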
Upgrades
RIPEMD-160 is a good drop-in replacement for SHA-1 (same 160-bit length, no known collision), but 160 bits still caps collision resistance at 2^80; SHA-256/SHA-3 are the long-term choice
TLS uses MD5 || SHA-1 to protect algorithm negotiation (up to v1.1)
upgrading the negotiation algorithm is even harder: need to upgrade TLS 1.1 ('06) to TLS 1.2 ('08)
– progress in November 2013 (Google, Microsoft)
– but TLS 1.2 allows negotiating MD5-only signatures!! SLOTH attack [Bhargavan-Leurent, late 2015]
TLS 1.3 expected late 2017
SSL/TLS: most successful end-to-end security technology
12 million servers after 23 years; Let's Encrypt: 45 million active certs in 2 years; billions of clients
Versions: SSLv2 ('94), SSLv3 ('96), TLS 1.0 ('99), TLS 1.1 ('06), TLS 1.2 ('08), TLS 1.3 ('17)
broken in many ways: RFC 7457, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)," February 2015
TLS overview [Stebila'14]
– Crypto primitives: RSA, DSA, ECDSA; DH, EC-DH; HMAC; MD5, SHA-1, SHA-2; DES, 3DES, RC4, AES
– Ciphersuite details: data structures, key derivation, encryption modes and IVs, padding, compression
– Protocol "framework": alerts and errors, certification/revocation, (re-)negotiation, session resumption, key reuse
– Libraries: OpenSSL, GnuTLS, SChannel, Java JSSE
– Applications: web browsers, web servers, application SDKs, certificates
– Theoretical analysis cuts across all of these layers
TLS attack overview [Stebila'14], updated November 2017: DROWN, improved RC4 biases, FREAK, Logjam, SLOTH, POODLE, DH parameter validation, sweet32, Lucky Microseconds
TLS 1.3 coming soon (really)
Clean up and simplify
• remove renegotiation and compression
Increase security
• RSA for key transport removed: only (EC) Diffie-Hellman, so every session has forward secrecy
• only authenticated encryption with associated data (AEAD)
Increase privacy
• start encrypting earlier (the handshake is encrypted from the key exchange onwards)
Reduce latency: a 1-RTT full handshake, and 0-RTT when resuming a previous connection (0-RTT data is replayable, so it needs care)
More details: Eric Rescorla, TLS 1.3, Real World Crypto 2016
Good news: miTLS high assurance implementation [INRIA+Microsoft]
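What the attack list and the TLS 1.3 design choices mean for a client configuration today, as an added example with Python's standard ssl module (not code from the talk): the permissive configuration next to the hardened one, plus an audit that reads back what a context will actually offer. The cipher string and the version floor are this example's choices, driven by RC4 biases, SLOTH, POODLE, sweet32, FREAK/Logjam and CRIME, and by what TLS 1.3 enforces by design (forward secrecy, AEAD only).

```python
"""Hardened versus legacy TLS client configuration, with an audit of each.
Added example; standard library only."""
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """What a lot of 2017 code still did: accept old versions and whatever the library offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1      # TLS 1.0/1.1: CBC-only, MD5||SHA-1 PRF
    ctx.set_ciphers("DEFAULT")                      # includes RSA key transport and CBC suites
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # drops SSLv3/TLS 1.0/1.1 (POODLE, BEAST, no AEAD)
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME
    # forward-secret AEAD suites only; no RC4, no 3DES (sweet32), no MD5, no anonymous/NULL suites
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.load_default_certs()
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Findings a practitioner cares about, derived from the context itself."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    for c in ctx.get_ciphers():                     # every suite this context would offer
        name = c["name"]
        if not c["aead"]:
            findings.append("non-AEAD suite: " + name)
        # OpenSSL names: (EC)DHE- prefix = ephemeral key exchange; TLS_ prefix = TLS 1.3 (always ephemeral)
        if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append("no forward secrecy: " + name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()), ("hardened", hardened_client_context())):
        print(label, audit(ctx) or "no findings")
```

The audit deliberately asks the context rather than trusting the cipher string: what a given OpenSSL build actually enables is the only thing that matters on the wire, and the same check can be pointed at a context handed in by a framework.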
If a large quantum computer can be built... (idea: Yuri Manin 1980 and Richard Feynman 1981)
• all schemes based on factoring (RSA) and discrete logarithms are insecure [Shor'94], including elliptic curve cryptography
• symmetric key sizes: x2 [Grover] (quadratic speedup of exhaustive key search)
When to switch to quantum resistant cryptography?
Q = #years until the first large quantum computer
x = #years it takes to switch (3-10 years)
y = #years data needs to stay confidential (10 years)
Need to start switching in the year 2017 + Q – x – y; if x + y > Q, data encrypted today can be recorded now and read once the machine exists
e.g. Q = 14, x = 5, y = 10: 2016, i.e. last year!
For data and entity authentication: y = small (and defense-in-depth)
[Figure: State of the art in coherent qubit control in 2001: number of qubits (1-7) against number of gates and gate network, for Stanford/IBM NMR (main players), other NMR and non-NMR groups (NIST, NEC, Oxford, MIT, Cambridge, LANL, Frankfurt, Caltech, Saclay*), results dated 1995-2002; milestones: Grover search, order finding, Shor 15=3x5, "cooling" spins, liquid crystals, error detection, Deutsch-Jozsa, error correction, 7-spin coherence, 280 2-bit gates; * unpublished]
It is getting serious
2011: D-Wave: 128 qubits "QC" (but a restricted topology: a quantum annealer, not a gate-model machine)
Jan. 2014: NSA 85 M$ for research to build a QC
2013: D-Wave: 512 qubits "QC"
2015: D-Wave 2X: a 1000+ qubit "QC" (15 M$)
2015: Intel invests US$50 million with QuTech (Delft)
– 2017: test chip with 17 qubits delivered
March 2017: Rigetti has raised nearly $70 million and has built an 8-qubit QC
May 2017: IBM announced a 16-qubit QC based on superconducting qubits
Oct 2017: Google/UCSB: plan for a 49-qubit QC based on superconducting qubits
Microsoft: will build a QC on topological qubits
Nov 2017: IBM announces a 50-qubit QC
Predictions
Criticism
• interconnect/architecture?
• algorithms depend on architecture
• number of qubits needed may grow quadratically with bit size for ECC
M. Mosca, April 2015: "With probability 1/7 we will have a large quantum computer available by 2025; the probability will increase to close to 1 by 2035"
August 19 2015, NSA: do not switch to Suite B
"IAD will initiate a transition to quantum resistant algorithms in the not too distant future [...]
For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition [...]"
For now: ECC P-384 / RSA-3072 / Diffie-Hellman 3072
Post-Quantum public key crypto
PQCrypto: http://pqcrypto.eu.org/
• Digital signatures
– Hash-based: secure but large signatures (about 40 Kbyte)
– Lattice based: BLISS
• Public key encryption/key establishment
– NTRU
– Lattice based (Ring Learning With Errors): BGV/BV
– Code-based crypto
– Isogenies
Open competitions (timeline): DES (1975-1977), RIPE (1988-1992), AES (1997), NESSIE (2000), CRYPTREC (2000), eSTREAM (2005), SHA-3 (2012), CRYPTREC (2012), CAESAR (2014), POSTQUANTUM (2016), Lightweight (2018)
Post-Quantum Standardization
NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html
– Fall 2016: formal call for proposals
– Nov 2017: deadline for submissions
– Early 2018: workshop with submitters' presentations
– 3-5 years: analysis phase; NIST will report findings, with 1-2 workshops during this phase
– 2 years later: draft standards ready
As predicted at ISSE 2015and discussed at ISSE 2016
The crypto war returns
2014: We are going dark
US citizens have protections based on 4th Amendment but Europeans don’t
NSA and GCHQ claim that they perform targeted surveillance while they run mass surveillance programs (Tempora and XKeyScore Deep Dive)
It's the metadata, stupid
NSA: "Collect it all, know it all, exploit it all" (source: www.wired.com)
(Part of) government seems to prefer offense over defense
How many 0-days do the NSA, FBI and CIA have? Are they revealed to vendors? If so, when?
New 0-days
0-days stolen by the Shadow Brokers from the Equation Group resulted in WannaCry and (Not)Petya
EU COM(2017)608: towards an effective and genuine Security Union
– encryption will not be "prohibited, limited or weakened"
– "measures should not have an impact on a larger or indiscriminate number of people"
– more collaboration: 96 extra people for Europol
– encourages the countries to collaborate in developing a toolbox with alternative investigation techniques: key search machines? 0-days? malware?
ECRYPT-CSA D5.2, Algorithms, Key Size and Protocols report: http://www.ecrypt.eu.org/csa/documents/D5.2-AlgKeySizeProt-1.0.pdf
We need a Digital Geneva Convention
Microsoft President Brad Smith: "Nation states are hacking civilians in peace time"
[Figure: Encryption to protect industry, ~18.3B in total, bar chart on a log10 scale with bars of 6.2B, 6B, 3B, 2.4B, 250M, 200M, 200M and 37M; category labels not recoverable. © Bart Preneel]
[Figure: Encryption to protect user data, ~12.5B (not metadata), bar chart on a log10 scale (0-12); categories: Mobile, Browsers (https://, i.e. HTTP over SSL/TLS in the browser), Android, iOS, WhatsApp, iMessage, Skype, Harddisk, SSL/TLS, IPsec; values between 20-50M and 6.3B; annotations: "not end to end", "backup in cloud?", "meta data", "backdoors?", "??". © Bart Preneel]
Architecture is politics [Mitch Kapor '93]
Control: avoid a single point of trust that becomes a single point of failure
Stop massive data collection: big data yields big breaches (think pollution); this is both a privacy and a security problem (think OPM)
Governance and Architectures
Back to principles: minimum disclosure
– stop collecting massive amounts of data
• local secure computation
– if we do collect data: encrypt with a key outside the control of the host
• with crypto, still useful operations on the encrypted data
Bring "cryptomagic" to use without overselling
– zero-knowledge, oblivious transfer, functional encryption
– road pricing, smart metering, health care
Don't call anything "privacy/security by design" just for GDPR compliance
From Big Data to Small Local Data: data stays with users
From Big Data to Big Encrypted Data: encrypted data, keys stay with users, can still compute on the data
Open (Source) Solutions
• effective governance
• transparency for service providers
• EU Free and Open Source Software Auditing
Conclusions
• Crypto problems are definitely not solved, but we are making some progress
• Crypto wars are not over
• Ongoing pervasive surveillance needs pervasive collection and active attacks, with massive collateral damage on our ICT infrastructure
• Better protected end systems: open systems with better governance
Bart Preneel, imec-COSIC KU Leuven
ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL: Bart.Preneel(at)esat.kuleuven.be
TWITTER: @CosicBe
TEL: +32 16 321148
ECRYPT CSA: http://www.ecrypt.eu.org