2003
Security conference
V. Klíma: Slabiny v protokolech SSL/TLS [Weaknesses in the SSL/TLS protocols], Network Security conference, Hotel Diplomat, Prague, 11-12 November 2003, more info.
V. Klíma: Nešifrovaný e-mail je jako výkladní skříň [Unencrypted e-mail is like a shop window], Právo, FIRMA supplement, p. 8, 31 October 2003.
V. Klíma, T. Rosa: Protokoly SSL/TLS pod palbou roku 2003 [The SSL/TLS protocols under fire in 2003], DSM no. 5/2003, pp. 26-29.
International cryptology conference
Klíma, V., Pokorný, O., Rosa, T.: Attacking RSA-based Sessions in SSL/TLS, presented at CHES 2003, pp. 426-440, Springer-Verlag, 2003. Preliminary version: IACR Cryptology ePrint Archive, report 2003/052.
Media coverage of the paper: CZ, ENG.
Abstract:
In this paper we present a practically feasible attack on RSA-based sessions in
SSL/TLS protocols. We show that incorporating a version number check over
PKCS#1 plaintext used in the SSL/TLS creates a side channel that allows an
attacker to invert the RSA encryption. The attacker can then either recover the
premaster-secret or sign a message on behalf of the server. Practical tests
showed that two thirds of randomly chosen Internet SSL/TLS servers were
vulnerable. The attack is an extension of Bleichenbacher’s attack on PKCS#1 (v.
1.5). We introduce the concept of a bad-version oracle (BVO) that covers the
side channel leakage, and present several methods that speed up the original
algorithm. Our attack was successfully tested in practice and the results of
complexity measurements are presented in the paper.
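The bad-version oracle described in the abstract can be exercised end to end against a toy server. What follows is an added example, not code from the paper or from any SSL/TLS implementation: it builds a deliberately tiny 128-bit RSA key, a server that masks PKCS#1 decoding failures with a random premaster secret but reacts observably to a wrong version number (the BVO), and Bleichenbacher's original interval search driven by that oracle. Assumptions beyond the abstract: the premaster secret is shortened to 2 version bytes plus 3 random bytes so that it fits the toy modulus; the toy decoder validates only the 0x00 0x02 block-type bytes before reading the version that follows the 0x00 separator (a real decoder also requires at least eight non-zero padding bytes, which makes conforming plaintexts rarer and the search longer, but leaves the interval arithmetic unchanged); and none of the paper's speed-ups are included. All names (CLIENT_VERSION, ToyServer, bleichenbacher_bvo, ...) are invented for this example.

```python
import math
import secrets

CLIENT_VERSION = b"\x03\x01"   # version bytes the toy server expects at the start of the premaster secret

def is_probable_prime(x, rounds=16):
    """Miller-Rabin; used only to build the toy key."""
    if x < 2 or any(x % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return x in (2, 3, 5, 7, 11, 13)
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        y = pow(secrets.randbelow(x - 3) + 2, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True

def toy_keypair(bits=128, e=65537):
    """Deliberately tiny RSA key so that the toy server answers quickly."""
    half = bits // 2
    while True:
        p, q = (secrets.randbits(half) | 1 << (half - 1) | 1 for _ in range(2))
        if p != q and is_probable_prime(p) and is_probable_prime(q) and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_type2_pad(payload, k):
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(payload)))
    return b"\x00\x02" + pad + b"\x00" + payload

class ToyServer:
    """Masks a PKCS#1 failure with a random premaster secret, but reports a wrong version."""

    def __init__(self, n, d, k):
        self.n, self.d, self.k, self.queries = n, d, k, 0

    def bad_version_oracle(self, c):
        """True iff the attacker observes the version-mismatch alert."""
        self.queries += 1
        m = pow(c, self.d, self.n).to_bytes(self.k, "big")
        if m[:2] != b"\x00\x02":          # simplification: only the block-type bytes are validated
            return False                  # silent path (random premaster secret): nothing observable
        sep = m.find(b"\x00", 2)
        premaster = m[sep + 1:] if sep != -1 else b""
        return premaster[:2] != CLIENT_VERSION

ceil_div = lambda a, b: -(-a // b)

def bleichenbacher_bvo(c, n, e, k, oracle):
    """Bleichenbacher's interval search with the BVO standing in for the conforming
    oracle; returns m = c^d mod n without ever learning d."""
    B = 1 << (8 * (k - 2))
    conforms = lambda s: oracle(c * pow(s, e, n) % n)
    # c came from a real handshake, so it is conforming although the BVO says False
    # for it: take s0 = 1 and skip the blinding step.
    M = {(2 * B, 3 * B - 1)}
    s = ceil_div(n, 3 * B)                                          # step 2a
    while not conforms(s):
        s += 1
    while True:
        new = set()                                                  # step 3: narrow the intervals
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.add((lo, hi))
        M = new
        if len(M) > 1:                                              # step 2b: several intervals left
            s += 1
            while not conforms(s):
                s += 1
            continue
        a, b = next(iter(M))
        if a == b:
            return a.to_bytes(k, "big")
        r = ceil_div(2 * (b * s - 2 * B), n)                        # step 2c: one interval, halve it
        while True:
            s = next((t for t in range(ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1) if conforms(t)), None)
            if s is not None:
                break
            r += 1

def demo():
    """Encrypt a constructed premaster secret, then recover it through the BVO alone."""
    n, e, d = toy_keypair()
    k = (n.bit_length() + 7) // 8
    server = ToyServer(n, d, k)
    premaster = CLIENT_VERSION + secrets.token_bytes(3)             # constructed premaster secret
    c = pow(int.from_bytes(pkcs1_type2_pad(premaster, k), "big"), e, n)
    m = bleichenbacher_bvo(c, n, e, k, server.bad_version_oracle)
    return m[m.index(b"\x00", 2) + 1:] == premaster, server.queries
```

Because the genuine ClientKeyExchange carries the correct version, the BVO answers False for the captured ciphertext itself; the attacker nevertheless knows it is conforming and starts from s0 = 1. A stricter oracle (a real decoder's padding and length checks) only lowers the probability that a random query is accepted, so the query count grows, which is exactly what the paper's speed-ups address. For the 128-bit toy key expect roughly 10^5 oracle calls and a few seconds of run time.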
International cryptology conference
Klíma, V., Rosa, T.: Side Channel Attacks - Highly Promising Directions in Modern Cryptanalysis, TATRACRYPT '03, The 3rd Central European Conference on Cryptology, June 26-28, 2003, Bratislava, Slovakia.
Abstract:
Traditional cryptanalysis tends to examine cryptosystems as purely abstract
mathematical functions without any direct connection to objective physical
reality. The theory and practice of side channels is completely changing this
understanding of cryptanalysis. In the short time since they were introduced
(in 1996 by Dr. Paul Kocher), side channels have brought us fascinating results
which would be very hard to achieve when viewing cryptanalysis in the
traditional way. In the talk, we briefly introduce the theory of side channel
cryptanalysis and point out several interesting thoughts behind side channel
attacks.
NATO international conference
V. Klíma, T. Rosa: Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format, NATO PfP/PWP - 2nd International Scientific Conference Security and Protection of Information, Brno, Czech Republic, 28-30 April 2003; IACR Cryptology ePrint Archive, report 2003/098; press release.
Abstract:
Vaudenay has shown in [5] that a CBC encryption mode ([2], [9]) combined with
the PKCS#5 padding [3] scheme allows an attacker to invert the underlying block
cipher, provided she has access to a valid-padding oracle which for each input
ciphertext tells her whether the corresponding plaintext has a valid padding or
not. Bearing in mind the countermeasures against this attack, different padding
schemes have been studied in [1]. The best one is referred to as the ABYT-PAD.
It is designed for byte-oriented messages. It removes the valid-padding oracle,
thereby defeating Vaudenay's attack, since all deciphered plaintexts are valid
in this padding scheme. In this paper, we try to combine the well-known
cryptographic message syntax standard PKCS#7 [8] with the use of ABYT-PAD
instead of PKCS#5. Let us assume that we have access to a PKCS#7CONF oracle
that tells us for a given ciphertext (encapsulated in the PKCS#7 structure)
whether the deciphered plaintext is correct or not according to the PKCS#7
(v1.6) syntax. This is probably a very natural assumption, because applications
usually have to reflect this situation in their behavior. It could be a message
for the user, an API error message, an entry in the log file, different timing
behavior, etc. We show that access to such an oracle again enables an attacker
to invert the underlying block cipher. The attack requires a single captured
ciphertext and approximately 128 oracle calls per one ciphertext byte. It shows
that we cannot hope to fully solve problems with side channel attacks on the
CBC encryption mode by using a "magic" padding method or an obscure
message-encoding format. Strong cryptographic integrity checks of ciphertexts
should be incorporated instead.
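To see what the PKCS#7CONF oracle generalises, here is Vaudenay's valid-padding oracle attack on CBC with PKCS#5 padding, placed next to the encrypt-then-MAC construction that implements the abstract's closing recommendation of a strong integrity check on the ciphertext. This is an added example, not code from the paper or from any PKCS#7 implementation, and it does not reproduce the paper's own ABYT-PAD/PKCS#7 attack. The 16-byte block cipher is a constructed four-round Feistel network built from SHA-256 (it stands in for any real block cipher; the attack never looks inside it), the plaintext SAMPLE_MSG is constructed, and all function names are invented for this example.

```python
import hashlib
import hmac
import secrets

BS = 16
SAMPLE_MSG = b"constructed sample: premaster-secret-ish payload 42"   # constructed plaintext

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):                      # round function of the constructed Feistel cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    """Constructed 4-round Feistel network on 16-byte blocks; stands in for any block cipher."""
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, _xor(L, _f(key, i, R))
    return L + R

def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for i in reversed(range(4)):
        L, R = _xor(R, _f(key, i, L)), L
    return L + R

def cbc_encrypt(key, iv, msg):
    n = BS - len(msg) % BS
    data, out, prev = msg + bytes([n]) * n, b"", iv        # PKCS#5 padding
    for i in range(0, len(data), BS):
        prev = block_encrypt(key, _xor(data[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += _xor(block_decrypt(key, ct[i:i + BS]), prev)
        prev = ct[i:i + BS]
    n = out[-1] if out else 0
    if not 1 <= n <= BS or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")                    # the event the oracle leaks
    return out[:-n]

def open_sealed(key, mac_key, iv, ct, tag):
    """Hardened form (encrypt-then-MAC): forgeries stop here, padding is never examined."""
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return cbc_decrypt(key, iv, ct)

def padding_oracle(decrypt):
    """The receiver as the attacker sees it: accepted or rejected, nothing more."""
    def oracle(iv, ct):
        oracle.calls += 1
        try:
            decrypt(iv, ct)
            return True
        except ValueError:
            return False
    oracle.calls = 0
    return oracle

def padding_oracle_attack(oracle, iv, ct):
    """Vaudenay's attack: recover D_K(block) byte by byte from the end, then XOR with the
    previous block.  Returns None when the oracle never accepts (no side channel)."""
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BS)
        for pos in range(BS - 1, -1, -1):
            padv = BS - pos
            forged = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BS))
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BS - 1:                  # rule out a lucky 02 02 / 03 03 03 ... ending
                    forged[pos - 1] ^= 1
                    still_valid = oracle(bytes(forged), cur)
                    forged[pos - 1] ^= 1
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                return None
        plain += _xor(inter, prev)
    return plain[:-plain[-1]]

def demo():
    key, mac_key, iv = secrets.token_bytes(16), secrets.token_bytes(32), secrets.token_bytes(BS)
    ct = cbc_encrypt(key, iv, SAMPLE_MSG)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    leaky = padding_oracle(lambda i, c: cbc_decrypt(key, i, c))
    sealed = padding_oracle(lambda i, c: open_sealed(key, mac_key, i, c, tag))   # replays the one tag it has
    recovered = padding_oracle_attack(leaky, iv, ct)
    blocked = padding_oracle_attack(sealed, iv, ct) is None
    return recovered, leaky.calls, blocked
```

The leaky receiver gives up the plaintext at about 128 queries per byte on average, the same order as the figure the abstract reports for its own attack. The hardened receiver rejects every forged ciphertext for one and the same reason, a bad tag, before the padding check ever runs, so the attacker's oracle is constant and padding_oracle_attack returns None after its first 256 guesses.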
Openweekend conference
V. Klíma, T. Rosa: Na kanálu se pracuje aneb O revolučním objevu v kryptoanalýze [Channel under construction, or On a revolutionary discovery in cryptanalysis], 16 March 2003, Openweekend, ČVUT, more info.
Lectures at MFF UK
V. Klíma: Aplikovaná (počítačová) kryptologie [Applied (computer) cryptology], MFF UK, 12 March 2003, given within the lecture series of the "Matematické metody informační bezpečnosti" [Mathematical Methods of Information Security] study programme, more info.
Seminar at the Military Academy
V. Klíma: Symetrická kryptografie [Symmetric cryptography], seminar on applied cryptography, computer network security and biometrics, Vojenská akademie (Military Academy), Brno, 8-9 January 2003.
Sdělovací technika
V. Klíma, T. Rosa: Kryptologie pro praxi (7) - tipy a triky [Cryptology for practice (7): tips and tricks], Sdělovací technika, 12/2003, pp. 18-19, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (6) - nejpoužívanější šifry [Cryptology for practice (6): the most widely used ciphers], Sdělovací technika, 11/2003, pp. 17-18, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (5) - formátování a bezpečnost [Cryptology for practice (5): formatting and security], Sdělovací technika, 10/2003, pp. 14-15, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (4) - operační mód [Cryptology for practice (4): mode of operation], Sdělovací technika, 9/2003, p. 16, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (3) - asymetrické metody [Cryptology for practice (3): asymmetric methods], Sdělovací technika, 8/2003, p. 22, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (2) - symetrická a asymetrická kryptografie [Cryptology for practice (2): symmetric and asymmetric cryptography], Sdělovací technika, 7/2003, p. 16, pdf.
V. Klíma, T. Rosa: Kryptologie pro praxi (1) - úvod k seriálu o aplikované kryptologii [Cryptology for practice (1): introduction to the series on applied cryptology], Sdělovací technika, 6/2003, p. 19, pdf.
V. Klíma, T. Rosa: Vybrané aspekty moderní kryptoanalýzy [Selected aspects of modern cryptanalysis], Sdělovací technika, 3/2003, pp. 3-7, pdf.