Solving linear equations modulo divisors: On factoring given any bits
In Advances in Cryptology – Asiacrypt 2008, volume 5350 of LNCS, 2008
Cited by 25 (0 self)
Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is well known that this problem is polynomial-time solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm’s running time is, however, exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log log N) blocks.
Attacking the IPsec standards in encryption-only configurations
In IEEE Symposium on Security and Privacy (SP ’07), 2007
Cited by 17 (4 self)
We describe new attacks which break any RFC-compliant implementation of IPsec making use of encryption-only ESP in tunnel mode. The new attacks are both efficient and realistic: they are ciphertext-only and need only the capability to eavesdrop on ESP-encrypted traffic and to inject traffic into the network. We report on our experiences in applying the attacks to a variety of implementations of IPsec.
Cryptography in Theory and Practice: The Case of Encryption in IPsec
In Advances in Cryptology – EUROCRYPT 2006, LNCS, 2006
Cited by 16 (5 self)
Abstract. This paper studies the gaps that exist between cryptography as studied in theory, as defined in standards, as implemented by software engineers, and as actually consumed by users. Our focus is on IPsec, an important and widely used suite of protocols providing security at the IP layer of network communications. Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards currently mandate its support. We present evidence that such “encryption-only” configurations are in fact still often selected by users in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher-layer protocol, and in some cases even when it is supplied by IPsec itself. Finally in this paper, we reflect on the reasons why this unsatisfactory situation persists, and make some recommendations for the future development of IPsec and cryptographic software in general. Keywords: IPsec, integrity, encryption, ESP.
Experimenting with Faults, Lattices and the DSA
In Public Key Cryptography, 2005
Cited by 8 (2 self)
Abstract. We present an attack on DSA smartcards which combines physical fault injection and lattice reduction techniques. This seems to be the first (publicly reported) physical experiment that concretely pulls DSA keys out of smartcards. We employ a particular type of fault attack known as a glitch attack, which will be used to actively modify the DSA nonce k used for generating the signature: k will be tampered with so that a number of its least significant bytes will flip to zero. Then we apply well-known lattice attacks on ElGamal-type signatures which can recover the private key, given sufficiently many signatures such that a few bits of each corresponding k are known. In practice, when one byte of each k is zeroed, 27 signatures are sufficient to disclose the private key. The more bytes of k we can reset, the fewer signatures will be required. This paper presents the theory, methodology and results of the attack as well as possible countermeasures.
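A toy end-to-end reproduction of the attack the abstract describes, added here as an illustration (it is not code from the paper): a DSA signer whose nonce k has its least significant byte forced to zero, standing in for the glitch, followed by the hidden-number-problem lattice that recovers the private key from a handful of such signatures. Everything in it is constructed: the group parameters are generated at toy size (32-bit q, so a textbook LLL in plain Python finishes in seconds), the "message hashes" are random values mod q, and the seed is fixed so the run is deterministic. The lattice is the standard Boneh–Venkatesan style embedding rather than necessarily the exact variant the paper used, and 16 signatures are used here because the toy q is far smaller than a real 160-bit one; at real sizes the same construction with a real lattice library is what needs roughly the 27 signatures the abstract reports.

```python
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; adequate for generating toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params(rng, qbits=32):
    """Toy DSA group (q of qbits, p = c*q + 1, g of order q); far too small for real use."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        c = rng.getrandbits(24) << 1          # even cofactor keeps p odd
        p = c * q + 1
        if c and is_probable_prime(p, rng):
            g = pow(rng.randrange(2, p - 1), c, p)
            if g != 1:
                return p, q, g


def dsa_sign(p, q, g, x, h, k):
    """Textbook DSA on a hash value h already reduced mod q, with nonce k."""
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (h + x * r) % q


def lll_reduce(basis, delta=0.99):
    """Textbook LLL: integer basis kept exact, Gram-Schmidt data in floats (fine at this size)."""
    b = [list(row) for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, mu = [], [[0.0] * n for _ in range(n)]
        for i in range(n):
            v, mu[i][i] = [float(c) for c in b[i]], 1.0
            for j in range(i):
                mu[i][j] = sum(float(c) * d for c, d in zip(b[i], bstar[j])) / sum(d * d for d in bstar[j])
                v = [vc - mu[i][j] * d for vc, d in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):        # size-reduce b_k; b*_k is unchanged, only mu row k moves
            m = round(mu[k][j])
            if m:
                b[k] = [ck - m * cj for ck, cj in zip(b[k], b[j])]
                for l in range(j + 1):
                    mu[k][l] -= m * mu[j][l]
        if sum(c * c for c in bstar[k]) >= (delta - mu[k][k - 1] ** 2) * sum(c * c for c in bstar[k - 1]):
            k += 1                            # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def recover_private_key(p, q, g, y, sigs, zeroed_bits):
    """Hidden number problem: k = 2^L * k' with k' < q/2^L gives t*x + u = k' (mod q) per signature."""
    K = 1 << zeroed_bits
    Kinv, bound = pow(K, -1, q), q >> zeroed_bits
    ts, us = [], []
    for h, r, s in sigs:
        sinv = pow(s, -1, q)
        ts.append(Kinv * sinv * r % q)
        us.append((Kinv * sinv * h - bound // 2) % q)   # centre k' on 0, so |t*x + u mod q| <= bound/2
    n = len(sigs)
    rows = [[K * q if j == i else 0 for j in range(n + 2)] for i in range(n)]
    rows.append([K * t for t in ts] + [1, 0])
    rows.append([K * u for u in us] + [0, q])
    # x*row_t + row_u - sum(c_i*row_i) = (K*e_1, ..., K*e_n, x, q) with |e_i| <= bound/2: unusually short.
    for row in lll_reduce(rows):
        if abs(row[-1]) == q:
            cand = (row[-2] if row[-1] == q else -row[-2]) % q
            if pow(g, cand, p) == y:          # confirm against the public key
                return cand
    return None


def run_attack(num_sigs=16, zeroed_bytes=1, seed=2005):
    """Generate a toy key, sign with glitched nonces, recover the key. Returns (recovered, actual)."""
    rng = random.Random(seed)                 # fixed seed: the whole run is deterministic
    p, q, g = toy_dsa_params(rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    L = 8 * zeroed_bytes
    sigs = []
    while len(sigs) < num_sigs:
        k = (rng.randrange(1, q) >> L) << L   # the glitch: the nonce's low bytes read as zero
        h = rng.randrange(1, q)               # constructed "message hash", already mod q
        if k:
            r, s = dsa_sign(p, q, g, x, h, k)
            if r and s:
                sigs.append((h, r, s))
    return recover_private_key(p, q, g, y, sigs, L), x


if __name__ == "__main__":
    recovered, actual = run_attack()
    print("recovered" if recovered == actual else "failed", hex(actual))
```

The lattice rows scale the first n coordinates by K = 2^L so that the unknown small parts k' of the nonces, the private key x and the fixed last coordinate q all end up of comparable size in the target vector; the rows with last coordinate ±q are the only ones that can carry x, and the public key y is used to confirm the candidate, as an attacker with access to the card's certificate could. Zeroing more bytes (run_attack(zeroed_bytes=2)) shrinks the bound on k' and, as the abstract says, fewer signatures then suffice.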
Malicious Cryptography: Kleptographic Aspects
Cited by 2 (0 self)
Abstract. In the last few years we have concentrated our research efforts on new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryptography. At some point during our investigation we ended up asking ourselves the following question: what if the malware (i.e., Trojan horse) resides within a cryptographic system itself? This led us to realize that in certain scenarios of black box cryptography (namely, when the code is inaccessible to scrutiny as in the case of tamper proof cryptosystems or when no one cares enough to scrutinize the code) there are attacks that employ cryptography itself against cryptographic systems in such a way that the attack possesses unique properties (i.e., special advantages that attackers have such as granting the attacker exclusive access to crucial information where the exclusive access privilege holds even if the Trojan is reverse-engineered). We called the art of designing this set of attacks “kleptography.” In this paper we demonstrate the power of kleptography by illustrating a carefully designed attack against RSA key generation.
Authenticated Broadcast with a Partially Compromised Public-Key Infrastructure
Cited by 1 (0 self)
Abstract. Given a public-key infrastructure (PKI) and digital signatures, it is possible to construct broadcast protocols tolerating any number of corrupted parties. Almost all existing protocols, however, do not distinguish between corrupted parties (who do not follow the protocol), and honest parties whose secret (signing) keys have been compromised (but who continue to behave honestly). We explore conditions under which it is possible to construct broadcast protocols that still provide the usual guarantees (i.e., validity/agreement) to the latter. Consider a network of n parties, where an adversary has compromised the secret keys of up to tc honest parties and, in addition, fully controls the behavior of up to ta other parties. We show that for any fixed tc > 0, and any fixed ta, there exists an efficient protocol for broadcast if and only if 2ta + min(ta, tc) < n. (When tc = 0, standard results imply feasibility.) We also show that if tc, ta are not fixed, but are only guaranteed to satisfy the bound above, then broadcast is impossible to achieve except for a few specific values of n; for these “exceptional” values of n, we demonstrate a broadcast protocol. Taken together, our results give a complete characterization of this problem.
Cryptosystems and LLL
Since the late 1970s, several public key cryptographic algorithms have been proposed. Diffie and Hellman [4] first came up with this concept in 1976. Since that time, several other public key cryptosystems have been invented, such as the well-known RSA [22], ElGamal [5] or Rabin [21] cryptosystems. Roughly, the scope of these algorithms is to allow the secure exchange of a
Open Source Is Not Enough: Attacking the EC-Package of BouncyCastle Version 1.x_132
Abstract. BouncyCastle is an open source crypto provider written in Java which supplies classes for Elliptic Curve Cryptography (ECC). We have found a flaw in the class ECPoint resulting from an unhappy interaction of elementary algorithms. We show how to exploit this flaw in a real-world attack, e.g., on the encryption scheme ECIES. BouncyCastle has since fixed this flaw (version 1.x_133 and higher) but all older versions remain highly vulnerable to an active attacker, and the attack shows a certain vulnerability of the involved validation algorithms.