Plaintext recovery attacks against SSH
In IEEE Symposium on Security and Privacy, 2009
Abstract

Cited by 44 (9 self)
This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability 2^-14 and 32 bits of plaintext from an arbitrary block of ciphertext with probability 2^-18. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.
A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL
SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, Setúbal, 2006
Abstract

Cited by 21 (1 self)
This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which enables recovery of low-entropy strings such as can be guessed from a likely set of 21000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message, and is therefore known to the adversary. The one
Vulnerability of SSL to Chosen-Plaintext Attack
2004
Abstract

Cited by 16 (1 self)
The Secure Sockets Layer (SSL) protocol is widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL standard mandates the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the initial IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message. We show that this introduces a vulnerability in SSL which (potentially) enables easy recovery of low-entropy strings such as passwords or PINs that have been encrypted. Moreover, we argue that the open nature of web browsers provides a feasible "point of entry" for this attack via a corrupted plugin; thus, implementing the attack is likely to be much easier than, say, installing a Trojan Horse for "keyboard sniffing". Finally, we suggest a number of modifications to the SSL standard which will prevent this attack.
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003, 2003
Abstract

Cited by 10 (2 self)
We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
Online Ciphers from Tweakable Blockciphers
Abstract

Cited by 9 (1 self)
Online ciphers are deterministic length-preserving permutations E_K: ({0,1}^n)^+ → ({0,1}^n)^+ where the i-th block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen, and Namprempre. We simplify and generalize their work, showing that online ciphers are rather trivially constructed from tweakable blockciphers, a notion of Liskov, Rivest, and Wagner. We go on to show how to define and achieve online ciphers for settings in which messages need not be a multiple of n bits. Key words: Online ciphers, modes of operation, provable security, symmetric encryption, tweakable blockciphers.
Blockwise Adversarial Model for Online Ciphers and Symmetric Encryption Schemes
In Selected Areas in Cryptography ’04, LNCS, 2004
Abstract

Cited by 6 (0 self)
This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow one to encrypt messages even if the whole message is not known at the beginning of the encryption. The newly introduced adversaries better capture the online properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages block-by-block to the encryption machine and receive the corresponding ciphertext blocks on-the-fly. This kind of attacker is called a blockwise adversary and is stronger than the standard one, which treats messages as atomic objects. In this paper, we compare the two adversarial models for online encryption schemes. For probabilistic encryption schemes, we show that security is not preserved, contrary to the case of deterministic schemes. We prove in the appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover, in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion.
The Security of Ciphertext Stealing
Abstract

Cited by 5 (3 self)
We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosen-plaintext attacks, indistinguishability from random bits (ind$-security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$-security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwise-adaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas’s well-known book (1982) is not secure.
Elastic Block Ciphers in Practice: Constructions and Modes of Encryption
In Proceedings of the European Conference on Computer Network Defense (EC2ND), 2007
Abstract

Cited by 1 (1 self)
We demonstrate the general applicability of the elastic block cipher method by constructing examples from existing block ciphers: AES, Camellia, MISTY1 and RC6. An elastic block cipher is a variable-length block cipher created from an existing fixed-length block cipher. The elastic version supports any block size between one and two times that of the original block size. We compare the performance of the elastic versions to that of the original versions and evaluate the elastic versions using statistical tests measuring the randomness of the ciphertext. The benefit, in terms of an increased rate of encryption, of using an elastic block cipher varies based on the specific block cipher and implementation. In most cases, there is an advantage to using an elastic block cipher to encrypt blocks that are a few bytes longer than the original block length. The statistical test results indicate no obvious flaws in the method for constructing elastic block ciphers. We also use our examples to demonstrate the concept of a generic key schedule for block ciphers. In addition, we present ideas for new modes of encryption using the elastic block cipher construction.
Authenticated Streamwise Online Encryption
2009
Abstract

Cited by 1 (0 self)
In Blockwise Online Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixed-sized blocks), and thus significantly reduces message expansion and end-to-end latency. Also, ASOE provides data authenticity as an option. ASOE can therefore be used to efficiently secure resource-constrained communications with real-time requirements such as those in the electric power grid and wireless sensor networks. We investigate and formalize ASOE’s strongest achievable notion of security, and present a construction that is secure under that notion. An instantiation of our construction incurs zero end-to-end latency due to buffering and only 48 bytes of message expansion, regardless of the
On the Impossibility of Strong Encryption over ...
Abstract
We give two impossibility results regarding strong encryption over an infinite enumerable domain. The first one relates to statistically secure one-time encryption. The second one relates to computationally secure encryption resisting adaptive chosen ciphertext attacks in streaming mode with bounded resources: memory, time delay or output length. Curiously, both impossibility results can be achieved with either finite or continuous domains. The latter result explains why known CCA-secure cryptosystem constructions require at least two passes to decrypt a message with bounded resources.