Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
Cited by 17 (6 self)

Abstract
RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread. We find that 0.75% of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70% come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03% of SSH hosts, because of insufficient signature randomness. We cluster and investigate the vulnerable hosts, finding that the vast majority appear to be headless or embedded devices. In experiments with three software components commonly used by these devices, we are able to reproduce the vulnerabilities and identify specific software behaviors that induce them, including a boot-time entropy hole in the Linux random number generator. Finally, we suggest defenses and draw lessons for developers, users, and the security community.
Accountable Virtual Machines
Cited by 16 (3 self)

Abstract
In this paper, we introduce accountable virtual machines (AVMs). Like ordinary virtual machines, AVMs can execute binary software images in a virtualized copy of a computer system; in addition, they can record non-repudiable information that allows auditors to subsequently check whether the software behaved as intended. AVMs provide strong accountability, which is important, for instance, in distributed systems where different hosts and organizations do not necessarily trust each other, or where software is hosted on third-party operated platforms. AVMs can provide accountability for unmodified binary images and do not require trusted hardware. To demonstrate that AVMs are practical, we have designed and implemented a prototype AVM monitor based on VMware Workstation, and used it to detect several existing cheats in Counterstrike, a popular online multiplayer game.
The SSL Landscape – A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements
Cited by 13 (2 self)

Abstract
The SSL and TLS infrastructure used in important protocols like HTTPS and IMAPS is built on an X.509 public key infrastructure (PKI). X.509 certificates are thus used to authenticate services like online banking, shopping, email, etc. However, it has always been felt that the certification processes of this PKI may not be conducted with enough rigor, resulting in a deployment where many certificates do not meet the requirements of a secure PKI. This paper presents a comprehensive analysis of X.509 certificates in the wild. To shed more light on the state of the deployed and actually used X.509 PKI, we obtained and evaluated data from many different sources. We conducted HTTPS scans of a large number of popular HTTPS servers over a 1.5-year time span, including scans from nine locations distributed over the globe. To compare certification properties of highly ranked hosts with the
Breaking pairing-based cryptosystems using η_T pairing over GF(3^97)
Cited by 5 (0 self)

Abstract
There are many useful cryptographic schemes, such as ID-based encryption, short signature, keyword searchable encryption, attribute-based encryption, and functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairing-based cryptosystems in cryptography. The most essential number-theoretic problem in pairing-based cryptosystems is the discrete logarithm problem (DLP), because pairing-based cryptosystems are no longer secure once the underlying DLP is broken. One efficient bilinear pairing is the η_T pairing defined over a supersingular elliptic curve E on the finite field GF(3^n) for a positive integer n. The embedding degree of the η_T pairing is 6; thus, we can reduce the DLP over E on GF(3^n) to that over the finite field GF(3^(6n)). In this paper, for breaking the η_T pairing over GF(3^n), we discuss solving the DLP over GF(3^(6n)) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristic. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the η_T pairing, and the order (923-bit) of GF(3^(6·97)) is substantially larger than the previous world record (676-bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06-FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06-FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF(3^(6·97)). The entire computation of our improved FFS took about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairing-based cryptosystems with the η_T pairing.
The Set of Solutions of Random XORSAT Formulae
, 2011
Cited by 4 (0 self)

Abstract
The XOR-satisfiability (XORSAT) problem requires finding an assignment of n Boolean variables that satisfy m exclusive-OR (XOR) clauses, whereby each clause constrains a subset of the variables. We consider random XORSAT instances, drawn uniformly at random from the ensemble of formulae containing n variables and m clauses of size k. This model presents several structural similarities to other ensembles of constraint satisfaction problems, such as k-satisfiability (k-SAT). For many of these ensembles, as the number of constraints per variable grows, the set of solutions shatters into an exponential number of well-separated components. This phenomenon appears to be related to the difficulty of solving random instances of such problems. We prove a complete characterization of this clustering phase transition for random k-XORSAT. In particular, we prove that the clustering threshold is sharp and determine its exact location. We prove that the set of solutions has large conductance below this threshold and that each of the clusters has large conductance above the same threshold. Our proof constructs a very sparse basis for the set of solutions (or the subset within a cluster). This construction is achieved through a low complexity iterative algorithm.
Cryptanalysis of the RSA Subgroup Assumption from TCC 2005
In Public Key Cryptography – Proc. PKC 2011, volume 6571 of Lecture Notes in Computer Science
, 2011
Cited by 1 (0 self)

Abstract
At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size 2^(2ℓ) had a complexity of O(2^ℓ). Accordingly, ℓ = 100 bits was suggested as a concrete parameter. This paper exhibits an attack with a complexity of roughly 2^(ℓ/2) operations, suggesting that Groth's original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues. Keywords: RSA moduli, hidden order, subgroup, cryptanalysis.
Ron was wrong, Whit is right
, 2012
Cited by 1 (0 self)

Abstract
We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for "multiple-secrets" cryptosystems such as RSA is significantly riskier than for "single-secret" ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.
Using the Cloud to Determine Key Strengths
In Progress in Cryptology – INDOCRYPT 2012, Springer LNCS 7669
Cited by 1 (0 self)

Abstract
We develop a new methodology to assess cryptographic key strength using cloud computing, by calculating the true economic cost of (symmetric or private) key retrieval for the most common cryptographic primitives. Although the present paper gives both the current (2012) and last year's (2011) costs, more importantly it provides the tools and infrastructure to derive new data points at any time in the future, while allowing for improvements such as new algorithmic approaches. Over time the resulting data points will provide valuable insight into the selection of cryptographic key sizes.
Fully Automated Analysis of Padding-Based Encryption in the Computational Model
, 2013
Cited by 1 (1 self)

Abstract
Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption
The Challenges of Web Security: Numbers rather than Padlocks (I)
, 2012
Abstract
1. How secure is the communication: can a third party eavesdrop on what is being shared?
2. Is the "end" really who my device thinks it is, or am I the victim of a "man-in-the-middle" attack?
3. Is the "end" my device is talking to the entity I intend my device to be talking to?

The first two are essentially technical problems, but the third is definitely socio-technical.

James H. Davenport. The Challenges of Web Security: Internet and Security. We don't normally shout our PIN numbers out in crowded supermarkets, so why should we broadcast them on wireless networks? It's not only James Bond who wants cryptography?