Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
Abstract

Cited by 15 (6 self)
RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread. We find that 0.75 % of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70 % come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50 % of TLS hosts and 0.03 % of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03 % of SSH hosts, because of insufficient signature randomness. We cluster and investigate the vulnerable hosts, finding that the vast majority appear to be headless or embedded devices. In experiments with three software components commonly used by these devices, we are able to reproduce the vulnerabilities and identify specific software behaviors that induce them, including a boot-time entropy hole in the Linux random number generator. Finally, we suggest defenses and draw lessons for developers, users, and the security community.
Accountable Virtual Machines
Abstract

Cited by 13 (3 self)
In this paper, we introduce accountable virtual machines (AVMs). Like ordinary virtual machines, AVMs can execute binary software images in a virtualized copy of a computer system; in addition, they can record nonrepudiable information that allows auditors to subsequently check whether the software behaved as intended. AVMs provide strong accountability, which is important, for instance, in distributed systems where different hosts and organizations do not necessarily trust each other, or where software is hosted on third-party operated platforms. AVMs can provide accountability for unmodified binary images and do not require trusted hardware. To demonstrate that AVMs are practical, we have designed and implemented a prototype AVM monitor based on VMware Workstation, and used it to detect several existing cheats in Counterstrike, a popular online multiplayer game.
The SSL Landscape – A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements
Abstract

Cited by 12 (2 self)
The SSL and TLS infrastructure used in important protocols like HTTPs and IMAPs is built on an X.509 public key infrastructure (PKI). X.509 certificates are thus used to authenticate services like online banking, shopping, email, etc. However, it has always been felt that the certification processes of this PKI may not be conducted with enough rigor, resulting in a deployment where many certificates do not meet the requirements of a secure PKI. This paper presents a comprehensive analysis of X.509 certificates in the wild. To shed more light on the state of the deployed and actually used X.509 PKI, we obtained and evaluated data from many different sources. We conducted HTTPs scans of a large number of popular HTTPs servers over a 1.5-year time span, including scans from nine locations distributed over the globe. To compare certification properties of highly ranked hosts with the
Breaking pairing-based cryptosystems using η_T pairing over GF(3^97)
Abstract

Cited by 4 (0 self)
Abstract. There are many useful cryptographic schemes, such as ID-based encryption, short signature, keyword searchable encryption, attribute-based encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairing-based cryptosystems in cryptography. The most essential number-theoretic problem in pairing-based cryptosystems is the discrete logarithm problem (DLP) because pairing-based cryptosystems are no longer secure once the underlying DLP is broken. One efficient bilinear pairing is the η_T pairing defined over a supersingular elliptic curve E on the finite field GF(3^n) for a positive integer n. The embedding degree of the η_T pairing is 6; thus, we can reduce the DLP over E on GF(3^n) to that over the finite field GF(3^(6n)). In this paper, for breaking the η_T pairing over GF(3^n), we discuss solving the DLP over GF(3^(6n)) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristic. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the η_T pairing, and the order (923-bit) of GF(3^(6·97)) is substantially larger than the previous world record (676-bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06-FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06-FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF(3^(6·97)). The entire computation of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairing-based cryptosystems with the η_T pairing.
The Set of Solutions of Random XORSAT Formulae
, 2011
Abstract

Cited by 3 (0 self)
The XOR-satisfiability (XORSAT) problem requires finding an assignment of n Boolean variables that satisfies m exclusive-OR (XOR) clauses, whereby each clause constrains a subset of the variables. We consider random XORSAT instances, drawn uniformly at random from the ensemble of formulae containing n variables and m clauses of size k. This model presents several structural similarities to other ensembles of constraint satisfaction problems, such as k-satisfiability (k-SAT). For many of these ensembles, as the number of constraints per variable grows, the set of solutions shatters into an exponential number of well-separated components. This phenomenon appears to be related to the difficulty of solving random instances of such problems. We prove a complete characterization of this clustering phase transition for random k-XORSAT. In particular we prove that the clustering threshold is sharp and determine its exact location. We prove that the set of solutions has large conductance below this threshold and that each of the clusters has large conductance above the same threshold. Our proof constructs a very sparse basis for the set of solutions (or the subset within a cluster). This construction is achieved through a low complexity iterative algorithm.
Cryptanalysis of the RSA subgroup assumption from TCC 2005
In Public Key Cryptography – Proc. PKC 2011, volume 6571 of Lecture Notes in Computer Science
, 2011
Abstract

Cited by 1 (0 self)
Abstract. At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size 2^(2ℓ) had a complexity of O(2^ℓ). Accordingly, ℓ = 100 bits was suggested as a concrete parameter. This paper exhibits an attack with a complexity of roughly 2^(ℓ/2) operations, suggesting that Groth’s original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues. Keywords: RSA moduli, hidden order, subgroup, cryptanalysis.
Fully Automated Analysis of Padding-Based Encryption in the Computational Model
, 2013
Abstract

Cited by 1 (1 self)
Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption
Formal Certification of Game-Based Cryptographic Proofs (French title fragment: “Basées sur les Séquences de Jeux”, i.e. “Based on Game Sequences”)
Abstract
to obtain the degree of Doctor awarded by the École nationale supérieure des mines de Paris, specialty “Real-time computing, robotics and automation”, presented and publicly defended by