The Dangers of Key Reuse: Practical Attacks on IPsec IKE

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE (Internet Key Exchange) protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options. In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE. We found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). All vendors published fixes or removed the particular authentication method from their devices' firmwares in response to our reports.

Reminder that tempest is still a thing...

Practical Accountability of Secret Processes

Jonathan Frankle and Sunoo Park and Daniel Shaar and Shafi Goldwasser and Daniel J. Weitzner

Abstract: The US federal court system is exploring ways to improve the accountability of electronic surveillance, an opaque process often involving cases sealed from public view and tech companies subject to gag orders against informing surveilled users. One judge has proposed publicly releasing some metadata about each case on a paper cover sheet as a way to balance the competing goals of (1) secrecy, so the target of an investigation does not discover and sabotage it, and (2) accountability, to assure the public that surveillance powers are not misused or abused.

Inspired by the courts' accountability challenge, we illustrate how accountability and secrecy are simultaneously achievable when modern cryptography is brought to bear. Our system improves configurability while preserving secrecy, offering new tradeoffs potentially more palatable to the risk-averse court system. Judges, law enforcement, and companies publish commitments to surveillance actions, argue in zero-knowledge that their behavior is consistent, and compute aggregate surveillance statistics by multi-party computation (MPC). We demonstrate that these primitives perform efficiently at the scale of the federal judiciary. To do so, we implement a hierarchical form of MPC that mirrors the hierarchy of the court system. We also develop statements in succinct zero-knowledge (SNARKs) whose specificity can be tuned to calibrate the amount of information released. All told, our proposal not only offers the court system a flexible range of options for enhancing accountability in the face of necessary secrecy, but also yields a general framework for accountability in a broader class of "secret information processes."

Efficient Logistic Regression on Large Encrypted Data

Kyoohyung Han and Seungwan Hong and Jung Hee Cheon and Daejun Park

Abstract: Machine learning on encrypted data is a cryptographic method for analyzing private and/or sensitive data while keeping privacy. In the training phase, it takes as input encrypted training data and outputs an encrypted model without using the decryption key. In the prediction phase, it uses the encrypted model to predict results on new encrypted data. In each phase, no decryption key is needed, and thus the privacy of the data is guaranteed as long as the underlying encryption is secure. It has many applications in various areas such as finance, education, genomics, and the medical field that have sensitive private data. While several studies have been reported on the prediction phase, few studies have been conducted on the training phase due to the inefficiency of homomorphic encryption (HE), leaving machine learning training on encrypted data only as a long-term goal.

In this paper, we propose an efficient algorithm for logistic regression on encrypted data, and evaluate our algorithm on real financial data consisting of 422,108 samples over 200 features. Our experiment shows that an encrypted model with a sufficient Kolmogorov-Smirnov statistic value can be obtained in ∼17 hours on a single machine. We also evaluate our algorithm on the public MNIST dataset, and it takes ∼2 hours to learn an encrypted model with 96.4% accuracy. Considering the inefficiency of HEs, our result is encouraging and demonstrates the practical feasibility of logistic regression training on large encrypted data, for the first time to the best of our knowledge.

Category / Keywords: applications / implementation, machine learning, homomorphic encryption

A couple of years back, the North Korean Red Star OS was described at the Chaos Computer Club conference. Among other things, they described the watermarking mechanism used by the OS to keep track of media files.

Along with the OS, three kernel modules were identified that appeared to contain homemade encryption algorithms specific to Red Star OS. We will name them after their kernel module names—Jipsam1, Jipsam2, and Pilsung. The former two are present in Red Star OS 2.0, whereas Pilsung is present only in Red Star OS 3.0. We are going to take a look at these, and comment on possible rationales for their design. We will only analyze the algorithms in isolation, as there is not a lot of information on how (or if) they are used. To our knowledge, this is the first time these algorithms are described.

Not cryptography, but security related:

Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks

Deep neural networks (DNNs) provide excellent performance across a wide range of classification tasks, but their training requires high computational resources and is often outsourced to third parties. Recent work has shown that outsourced training introduces the risk that a malicious trainer will return a backdoored DNN that behaves normally on most inputs but causes targeted misclassifications or degrades the accuracy of the network when a trigger known only to the attacker is present. In this paper, we provide the first effective defenses against backdoor attacks on DNNs. We implement three backdoor attacks from prior work and use them to investigate two promising defenses, pruning and fine-tuning. We show that neither, by itself, is sufficient to defend against sophisticated attackers. We then evaluate fine-pruning, a combination of pruning and fine-tuning, and show that it successfully weakens or even eliminates the backdoors, i.e., in some cases reducing the attack success rate to 0% with only a 0.4% drop in accuracy for clean (non-triggering) inputs. Our work provides the first step toward defenses against backdoor attacks in deep neural networks.

Review of the NIST DUAL-EC Random Number standard.

OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks

Stanislaw Jarecki and Hugo Krawczyk and Jiayu Xu

Abstract: Password-Authenticated Key Exchange (PAKE) protocols allow two parties that only share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords. Unfortunately, current aPAKE protocols (that dispense with the use of servers' public keys) allow for pre-computation attacks that lead to the instantaneous compromise of user passwords upon server compromise, thus forgoing much of the intended aPAKE security. Indeed, these protocols use - in essential ways - deterministic password mappings or use random "salt" transmitted in the clear from servers to users, and thus are vulnerable to pre-computation attacks.

We initiate the study of "Strong aPAKE" protocols that are secure as aPAKEs but are also secure against pre-computation attacks. We formalize this notion in the Universally Composable (UC) setting and present two modular constructions using an Oblivious PRF as a main tool. The first builds a Strong aPAKE from any aPAKE (which in turn can be constructed from any PAKE) while the second builds a Strong aPAKE from any authenticated key-exchange protocol secure against reverse impersonation (a.k.a. KCI). Using the latter transformation, we show a practical instantiation of a UC-secure Strong aPAKE in the Random Oracle model. The protocol ("OPAQUE") consists of 2 messages (3 with mutual authentication), requires 3 and 4 exponentiations for server and client, respectively (2 to 4 of which can be fixed-base depending on optimizations), provides forward secrecy, is PKI-free, supports user-side hash iterations, has a built-in facility for password-based storage and retrieval of secrets and credentials, and accommodates a user-transparent server-side threshold implementation.

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. The attack has a large surface, since for each encrypted email sent to n recipients, there are n+1 mail clients that are susceptible to our attack.

We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.