The Crypto Year in Review - EEMA · graphic hash function. The input is a very long string, that is...


Page 1

The Crypto Year in Review

Bart Preneel, COSIC KU Leuven and imec, Belgium

Bart.Preneel(at)esat.kuleuven.be

November 2017

© KU Leuven COSIC, Bart Preneel

Page 2

Crypto = Cryptocurrencies = bitcoin?

Page 3

Crypto = Cryptocurrencies = bitcoin?

Page 4

Myths about Bitcoin

• It will keep going up
• Transactions are expensive
• People do many transactions
• We understand why it works
• Anarchy works to manage a global currency system
• There will be no hard forks after Bitcoin Cash
• It is (not) a pyramid scheme
• Ethereum is much better
• My next ICO is even better

Page 5

Outline

• Cool hacks: Infineon, KRACK, Intel ME
• Hash functions
• TLS
• Postquantum crypto
• Cryptowars returning
• Conclusions

Page 6

The Infineon Library: RSAlib [Nemec, Sýs, Švenda, Klinec, Matyáš ‘17]

RSA keys: product of two large primes: N = p·q

How do I generate p and q? Pick a random number x and test for primality

Improvement 1: pick a random odd number x and test for primality
– Note: x = 1 mod 2

Improvement 2: pick a random odd number x not divisible by 3 and test for primality
– Note: x = 1 mod 6 or x = 5 mod 6

Improvement 3: pick a random odd number x not divisible by 3 and 5 and test for primality
– Note: x = 1, 7, 11, 13 mod 15

Idea: control the value of the candidates x modulo the product of the first n primes

Page 7

The Infineon Library: RSAlib

RSAlib: generate prime candidates x as follows
– M_n = product of the first n primes
– x = k · M_n + (65537^a mod M_n)

Unfortunately this can be detected easily: N = 65537^c mod M_n

And M_n was chosen too large, so k and a are small and can be recovered easily, leading to factorization:
– 1024-bit keys: < 3 CPU months on a single core
– 2048-bit keys: 100 CPU-years

Improvements by 25%: [Bernstein-Lange]
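As an added example (not code from the talk, from Infineon's RSAlib or from the paper), the following Python script turns the detection observation on the two RSAlib slides above into a check a defender can run on a public modulus: for every small prime p dividing M_n, N mod p must be a power of 65537 mod p, because each RSAlib prime is congruent to some 65537^a modulo M_n. It also contains a toy generator that reproduces the candidate form x = k·M_n + (65537^a mod M_n) purely to produce a test key; the choice n = 39 for 256-bit primes, the random seed and the Miller-Rabin test are assumptions made for the demonstration, and no factorization step is included.

```python
"""Fingerprint test for the RSAlib key structure, from the public modulus alone.

Added example (not code from the talk, the RSAlib or the paper).  It relies
only on what the slides state: every RSAlib prime candidate has the form
    x = k * M_n + (65537^a mod M_n),  M_n = product of the first n primes,
so for every prime p dividing M_n the residue N mod p is a power of 65537.
Assumption: n = 39 (M_39 = product of the primes up to 167) is used for the
256-bit primes of a 512-bit toy key; the primality test and the toy key
generator below are constructed for this demonstration only.
"""
import random


def first_primes(n):
    """The first n primes by trial division (n is small here)."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def primorial(n):
    """M_n: product of the first n primes."""
    m = 1
    for p in first_primes(n):
        m *= p
    return m


def powers_of_65537_mod(p):
    """The cyclic subgroup {65537^c mod p} of Z_p^*; small for many small p."""
    members = set()
    g = 1
    while g not in members:
        members.add(g)
        g = (g * 65537) % p
    return members


def has_rsalib_fingerprint(N, n=39):
    """True iff N mod p is a power of 65537 for every one of the first n primes.

    A random modulus passes all n tests only with negligible probability, so
    a hit is a strong indicator that the key came from the RSAlib generator.
    """
    return all(N % p in powers_of_65537_mod(p) for p in first_primes(n))


def is_probable_prime(x, rng, rounds=32):
    """Miller-Rabin; adequate for a constructed example."""
    if x < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if x % p == 0:
            return x == p
    d, r = x - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, x - 1)
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def toy_rsalib_prime(bits, M, rng):
    """Mimic the RSAlib candidate form, then test for primality (toy only).

    k fills the bits above M.  Because 65537 is coprime to M, every candidate
    is automatically coprime to all primes dividing M, which is the sieve the
    slide describes and the reason the construction looked attractive.
    """
    k_bits = bits - M.bit_length()
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        a = rng.randrange(1, M)
        x = k * M + pow(65537, a, M)
        if is_probable_prime(x, rng):
            return x


def random_prime(bits, rng):
    """An ordinary prime: random odd candidate of the right size, then test."""
    while True:
        x = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(x, rng):
            return x


def demo(seed=2017):
    """Build one RSAlib-style and one ordinary 512-bit modulus (constructed
    inputs) and return the detector's verdict on each: (True, False)."""
    rng = random.Random(seed)
    M = primorial(39)
    weak = toy_rsalib_prime(256, M, rng) * toy_rsalib_prime(256, M, rng)
    normal = random_prime(256, rng) * random_prime(256, rng)
    return has_rsalib_fingerprint(weak), has_rsalib_fingerprint(normal)


if __name__ == "__main__":
    print(demo())
```

Running it prints (True, False): the constructed RSAlib-style modulus matches the fingerprint, the ordinary one does not. In an audit, has_rsalib_fingerprint would be run over the moduli extracted from certificates, smart cards or TPM-generated keys; the sieve size n used by the library depends on the key size, so the parameter must follow the key length being checked.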

Page 8

The Infineon Library: RSAlib
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Aug. 2016: non-randomness of Infineon keys detected
Jan. 2017: vulnerability found
Feb. 2017: Infineon warned
16 Oct. 2017: results announced (without details)
31 Oct. 2017: paper released
3 Nov. 2017: Estonia blocks Infineon keys (more than 750,000 ID cards)
Other problems: TPMs, TLS, Github, …

RSAlib was certified by BSI based on tests by TÜV Informationstechnik GmbH

Page 9

KRACK (Key Reinstallation Attack) [Vanhoef-Piessens ‘17] https://www.krackattacks.com/

4-way handshake of Wi-Fi Protected Access II (WPA2)

The 3rd message can be resent in a replay attack, causing key reinstallation

Affects all major software platforms:
– Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD

wpa_supplicant (open source, used in Linux and Android): especially susceptible, as it can be manipulated to install an all-0 encryption key

The protocol had a formal security proof
Responses have been interesting
Note that there are even worse attacks on Wi-Fi: evil twin
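To make the key-reinstallation mechanism concrete, here is an added Python model (not wpa_supplicant code, no real Wi-Fi frames; the message objects are constructed inline) of how a supplicant handles message 3 of the 4-way handshake. It assumes the PTK was already derived from messages 1 and 2 and that CCMP's nonce is the per-key packet counter, reset whenever a key is installed; the wpa_supplicant variant from the slide is modelled as clearing the PTK from memory after the first install. The patched variant applies the fix of installing the key only once per handshake.

```python
"""Model of a WPA2 supplicant handling message 3 of the 4-way handshake.

Added example: not wpa_supplicant code, no real Wi-Fi frames.  The messages
are small dicts constructed inline.  Assumptions: the PTK was derived from
messages 1/2 already; CCMP uses the per-key packet number as its nonce and
resets it to 0 whenever a key is installed; the wpa_supplicant variant from
the slide is modelled by zeroing the PTK in memory after the first install.
"""


class Supplicant:
    def __init__(self, ptk, clears_key_after_install=False, patched=False):
        self.ptk = ptk                          # from messages 1/2
        self.installed_key = None
        self.packet_number = None               # CCMP nonce counter
        self.clears_key_after_install = clears_key_after_install
        self.patched = patched
        self.installed_this_handshake = False

    def receive_message3(self, msg):
        """Handle message 3, including a retransmitted copy of it."""
        if msg.get("type") != "msg3":
            return None
        if self.patched and self.installed_this_handshake:
            # Fix: still reply, but never reinstall an already-installed key,
            # so the nonce counter keeps advancing.
            return "msg4"
        key = self.ptk
        self.installed_key = key
        self.packet_number = 0                  # nonce reset on (re)install
        self.installed_this_handshake = True
        if self.clears_key_after_install:
            # wpa_supplicant behaviour on the slide: the PTK is zeroed after
            # install, so a reinstall puts an all-zero key in place.
            self.ptk = b"\x00" * len(key)
        return "msg4"

    def send_frames(self, n):
        """Send n data frames; return the nonce the last one was encrypted with."""
        for _ in range(n):
            self.packet_number += 1
        return self.packet_number


def replay_scenario(**kwargs):
    """Deliver message 3, send 5 frames, replay message 3, send 1 more frame.
    Returns (installed key, nonce of the last frame).  A nonce of 1 after the
    replay means the keystream for nonce 1 is reused; 6 means it is not."""
    msg3 = {"type": "msg3"}                     # constructed stand-in for EAPOL msg 3
    s = Supplicant(ptk=b"\x11" * 16, **kwargs)
    s.receive_message3(msg3)
    s.send_frames(5)
    s.receive_message3(msg3)                    # retransmitted / replayed message 3
    return s.installed_key, s.send_frames(1)


if __name__ == "__main__":
    print("vulnerable     :", replay_scenario())
    print("wpa_supplicant :", replay_scenario(clears_key_after_install=True))
    print("patched        :", replay_scenario(patched=True))
```

The vulnerable model ends up encrypting with nonce 1 twice under the same key, the wpa_supplicant model does so under an all-zero key, and the patched model continues at nonce 6. On the monitoring side the same property is the detection signal: a peer whose CCMP packet number goes backwards while its key has not changed.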

Page 10

Intel’s ME
Intel’s Management Engine is in every CPU and runs Minix
Ring -5: underneath and out of sight of whatever OS, hypervisor or antivirus is installed
– TPM
– Media DRM

May 2017: a remote unprivileged attacker in AMT [Active Management Technology] can "gain system privileges to provisioned [chips]"

Nov 2017: compromised via the USB port by Russian researchers https://mobile.twitter.com/h0t_max/status/928269320064450560

Page 11

Outline

• Cool hacks
• Hash functions
• TLS
• Postquantum crypto
• Cryptowars returning
• Conclusions

Page 12

A Bad Year for the NSA Crypto Team

Simon and Speck: two lightweight block ciphers designed by the NSA (2013)

September 2017: ISO/IEC JTC1 refuses to standardize all versions of Simon and Speck

Answer of the NSA: we will be back (but only with the larger versions)

And SHA-1?

Page 13

Hash functions

[Figure: hash function families: X.509 Annex D, MDC-2, MD2, MD4, MD5, SHA-1; RIPEMD-160, SHA-256, SHA-512; SHA-3. The text below is shown being hashed to the fixed-length value 1A3FD4128A198FB3CA345932h.]

This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

ISSE 2016 prediction: collision for SHA-1 in the next 6 months

Page 14

[Figure: log2 complexity of SHA-1 collision attacks over time: [Wang+’04], [Wang+’05], [Sugita+’06], [Mendel+’08], [McDonald+’09], [Manuel+’09], [Stevens’12]; most attacks unpublished/withdrawn.]

SHA-1
SHA-1 designed by NSA in ‘94
75/80 steps takes 2^57.7 [Grechnikov-Adinetz’11]
collision for full SHA-1 in Feb. 2017 https://shattered.io/ [Stevens+17]

Page 15

Collisions for SHA-1 [Stevens-Bursztein-Karpman-Albertini-Markov’17]

2^63.1 = 6,500 years of single-CPU computations and 110 years of single-GPU computations

= 100,000 times faster than a brute force collision (2^80)

browser industry (Chrome, Edge, IE) started preparing in 2015
WoSign caught backdating 2016 SHA-1 certificates!
Firefox still had to scramble last minute in 2017
problems for Github
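The definition of collision resistance on the hash functions slide and the 2^80 brute-force figure on this slide both come from the birthday bound. The added Python below (example code, not from the talk) runs a generic birthday collision search against SHA-256 truncated to 32 bits, an assumption chosen so the search completes in a fraction of a second, and computes the expected cost sqrt(pi/2 · 2^n) for any output length n, which gives about 2^80 for SHA-1's 160-bit output.

```python
"""Birthday-bound collision search on a truncated SHA-256.

Added example, not from the talk.  A generic collision for an n-bit hash costs
about 2^(n/2) evaluations: 2^80 for SHA-1, against the 2^63.1 of the shattered
attack.  Truncating SHA-256 to 32 bits is an assumption made so the search
finishes quickly; the messages are constructed inline.
"""
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(msg) as an integer (a stand-in n-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic birthday search: hash distinct messages until a value repeats.

    Returns (m1, m2, number_of_hashes_computed) with m1 != m2 and equal
    truncated digests.  Memory grows with the number of hashes, which is
    why real attacks use cycle finding instead of a table.
    """
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def expected_birthday_work(bits: int) -> float:
    """sqrt(pi/2 * 2^n): mean number of hashes before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    m1, m2, count = find_collision(32)
    print(m1, m2, count, "expected", round(expected_birthday_work(32)))
    print("SHA-1 generic collision: 2^%.1f" % math.log2(expected_birthday_work(160)))
```

For 32 bits the search needs roughly 82,000 hashes and a few tens of megabytes of table; every doubling of the output length quadruples the work, which is why the generic 2^80 bound for SHA-1 is out of reach and the 2^63.1 shortcut through the compression function mattered.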

Page 16

Upgrades
RIPEMD-160 is a good replacement for SHA-1

TLS uses MD5 || SHA-1 to protect algorithm negotiation (up to v1.1)

upgrading the negotiation algorithm is even harder: need to upgrade TLS 1.1 (‘06) to TLS 1.2 (‘08)
– progress in November 2013 (Google, Microsoft)
– but TLS 1.2 allows MD5 only!! SLOTH attack [late 2015]

TLS 1.3 expected late 2017

Page 17

SSL/TLS: most successful end-to-end security technology

12 million servers after 23 years
Let’s Encrypt: 45 million active certs in 2 years
billions of clients

Version timeline: SSLv2 (’94), SSLv3 (’96), TLS 1.0 (’99), TLS 1.1 (’06), TLS 1.2 (’08), TLS 1.3 (’17)

broken in many ways: RFC 7457: “Summarizing known attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS),” February 2015

Page 18

TLS overview [Stebila’14]

Crypto primitives: RSA, DSA, ECDSA; DH, EC-DH; HMAC; MD5, SHA-1, SHA-2; DES, 3DES, RC4, AES

Ciphersuite details: data structures; key derivation; encryption modes and IVs; padding; compression

Protocol “Framework”: alerts and errors; certification/revocation; (re-)negotiation; session resumption; key reuse

Libraries: OpenSSL, GnuTLS, SChannel, Java JSSE

Applications: web browsers, web servers, application SDKs, certificates

Theoretical analysis

Page 19

TLS attack overview [Stebila’14] updated November 2017

Attacks shown: DROWN, improved RC4 biases, FREAK, Logjam, SLOTH, POODLE, DH parameter validation, sweet32, Lucky Microseconds

Page 20

TLS 1.3 coming soon (really)

Clean up and simplify
• remove renegotiation and compression

Increase security
• RSA for key transport removed: only Diffie-Hellman (forward secrecy)
• only authenticated encryption with associated data (AEAD)

Increase privacy
• start encrypting earlier

Reduce latency (if previously connected): 0-RTT and 1-RTT

More details: Eric Rescorla, TLS 1.3, Real World Crypto 2016

Good news: miTLS high assurance implementation [INRIA+Microsoft]
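One way to apply the TLS 1.3 clean-up list above to a TLS 1.2 client today, as an added example written against Python's standard ssl module (not code from the talk or from any TLS library): drop compression and renegotiation, require TLS 1.2 or newer, and allow only forward-secret AEAD cipher suites. The audit function reports what a context still permits, and the DEFAULT-cipher context is there for comparison. The example assumes Python 3.7+ on OpenSSL 1.1.0h or newer; OP_NO_RENEGOTIATION is treated as optional because older builds lack it.

```python
"""Hardened TLS client configuration with Python's standard `ssl` module.

Added example (not from the talk, not from any TLS library's documentation).
It applies the TLS 1.3 clean-up list to a TLS 1.2-capable client: no
compression, no renegotiation, TLS 1.2 minimum, forward-secret AEAD suites
only.  Assumes Python 3.7+ on OpenSSL 1.1.0h or newer; OP_NO_RENEGOTIATION is
looked up with getattr because older builds do not define it.
"""
import ssl

# TLS 1.2 suites: authenticated ephemeral (EC)DH and AEAD only.  The TLS 1.3
# suites OpenSSL enables by default are all AEAD and forward secret already.
FS_AEAD_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL"


def hardened_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # certificate verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS 1.3 removed compression
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # ... and renegotiation
    ctx.set_ciphers(FS_AEAD_SUITES)
    return ctx


def weak_context() -> ssl.SSLContext:
    """Same kind of client with OpenSSL's DEFAULT cipher list, for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT")
    return ctx


def legacy_features(ctx: ssl.SSLContext) -> list:
    """Audit a context against the slide's checklist; an empty list is clean."""
    findings = []
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression allowed")
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if no_reneg and not ctx.options & no_reneg:
        findings.append("renegotiation allowed")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    for suite in ctx.get_ciphers():               # dicts describing enabled suites
        if not suite["aead"]:
            findings.append("non-AEAD suite: " + suite["name"])
        elif suite["protocol"] != "TLSv1.3" and "DHE" not in suite["name"]:
            findings.append("no forward secrecy: " + suite["name"])
    return findings


if __name__ == "__main__":
    print("hardened:", legacy_features(hardened_context()))
    print("default :", legacy_features(weak_context()))
```

The DEFAULT list still carries CBC-mode suites with HMAC, which is exactly the class the TLS attack overview above draws on (POODLE, Lucky Microseconds), so the audit lists them as non-AEAD; the hardened context comes back clean.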

Page 21

Outline

• Cool hacks
• Hash functions
• TLS
• Postquantum crypto
• Cryptowars returning
• Conclusions

Page 22

If a large quantum computer can be built... (Yuri Manin 1980 and Richard Feynman 1981)

all schemes based on factoring (RSA) and DLOG are insecure [Shor’94]
• including elliptic curve cryptography

symmetric key sizes: ×2 [Grover]

Page 23

When to switch to quantum resistant cryptography?

Q = #years until first large quantum computer
x = #years it takes to switch (3-10 years)
y = #years data needs to be confidential (10 years)

Need to start switching in the year 2017 + Q – x – y
e.g. Q = 14, x = 5, y = 10: last year!

For data and entity authentication: y = small (and defense-in-depth)

Page 24

State of the art in coherent qubit control: 2001

[Figure: number of gates and gate network against number of qubits (1 to 7), for Stanford/IBM NMR (main players), other NMR and non-NMR groups; data points 1995–2002 from NIST, Caltech, Oxford, Cambridge, LANL, MIT, NEC, Frankfurt and Saclay (* unpublished). Milestones marked: Grover search, 280 2-bit gates, order finding, Shor 15 = 3×5, “cooling” spins, liquid crystals, error detection, Deutsch-Jozsa, error correction, 7-spin coherence.]

Page 25

It is getting serious
2011: D-Wave: 128 qubits “QC” but topology
Jan. 2014: NSA 85 M$ for research to build a QC
2013: D-Wave: 512 qubits “QC”
2015: D-Wave 2X: a 1000+ qubit “QC” (15M$)
2015: Intel invests US$50 million with QuTech (Delft)
– 2017: test chip with 17 qubits delivered
March 2017: Rigetti has raised nearly $70 million and has built an 8-qubit QC
May 2017: IBM announced 16-qubit QC based on superconductivity
Oct 2017: Google/UCSB: plan for 49-qubit QC based on superconductivity
Microsoft: will build QC on topological qubits
Nov 2017: IBM announces a 50-qubit QC

Page 26

Predictions

Criticism
• interconnect/architecture?
• algorithms depend on architecture
• number of qubits needed may grow quadratically with bit size for ECC

M. Mosca, April 2015: “With probability 1/7 we will have a large quantum computer available by 2025; the probability will increase to close to 1 by 2035”

Page 27

August 19 2015: do not switch to Suite B

IAD will initiate a transition to quantum resistant algorithms in the not too distant future[…]

For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition[…]

For now: ECC P-384/RSA-3072/Diffie-Hellman 3072

Page 28

Post-Quantum public key crypto
PQCrypto: http://pqcrypto.eu.org/

• Digital signatures
– Hash-based: secure but large signatures (40 Kbyte) and keys
– Lattice based: BLISS

• Public key encryption/key establishment
– NTRU
– Lattice based (Ring Learning With Errors): BGV/BV
– Code-based crypto
– Isogenies
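Why hash-based signatures are “secure but large”, as an added example (not from the talk and not a standardized scheme): a Lamport one-time signature over SHA-256. Its security rests only on the hash being preimage resistant, which is why the approach survives a quantum computer, but every bit of the 256-bit digest needs two 32-byte secrets, so the public key is 16 KiB and a signature 8 KiB; the many-time schemes behind the slide's 40 Kbyte figure stack Merkle trees on top of this one-time primitive. The 256-bit digest and the use of os.urandom for the secrets are assumptions of the example.

```python
"""Lamport one-time signature over SHA-256.

Added example, not code from the talk and not a standardized scheme.  It shows
the two properties the slide names: security reduces to the hash being
preimage resistant, and keys and signatures are large.  Assumptions: 256-bit
message digest, 32-byte secrets drawn from os.urandom.
"""
import hashlib
import os

H = hashlib.sha256
N = 256  # digest bits; each bit gets its own pair of 32-byte secrets


def keygen():
    """Private key: 2*N random values; public key: their SHA-256 images."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N)]
    pk = [[H(s0).digest(), H(s1).digest()] for s0, s1 in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    """The N bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the secret behind that bit's public value.

    One-time: signing a second message with the same key reveals both secrets
    of every bit where the digests differ, letting anyone forge mixtures.
    """
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the selected public half."""
    if len(sig) != N:
        return False
    bits = _digest_bits(msg)
    return all(H(s).digest() == pk[i][bits[i]] for i, s in enumerate(sig))


def sizes(pk, sig):
    """(public key bytes, signature bytes): 16384 and 8192 for N = 256."""
    return sum(len(a) + len(b) for a, b in pk), sum(len(s) for s in sig)


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"ISSE 2017")
    print(verify(pk, b"ISSE 2017", sig), verify(pk, b"ISSE 2018", sig), sizes(pk, sig))
```

Forging a signature for a new message requires a preimage for at least one public value, so the scheme inherits exactly the preimage resistance defined on the hash functions slide, with Grover's square-root speed-up the only quantum gain.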

Page 29

Open competitions

[Figure: timeline of open crypto competitions. Past: DES, RIPE, AES, NESSIE, CRYPTREC, eSTREAM, SHA-3 (years shown: 1975-1977, 1988-2002, 1997, 2000, 2000, 2005, 2012). Current and upcoming, on a 2014–2024 axis: CAESAR, POSTQUANTUM, Lightweight.]

Page 30

Post-Quantum Standardization

NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html

Fall 2016 Formal Call for Proposals

Nov 2017 Deadline for submissions

Early 2018 Workshop - Submitter's Presentations

3-5 years: Analysis Phase - NIST will report findings; 1-2 workshops during this phase

2 years later Draft Standards ready

Page 31

As predicted at ISSE 2015 and discussed at ISSE 2016

Page 32

The crypto war returns

Page 33

2014: We are going dark

Page 34

9 Nov. 2017

Page 35

US citizens have protections based on 4th Amendment but Europeans don’t

NSA and GCHQ claim that they perform targeted surveillance while they run mass surveillance programs (Tempora and XKeyScore Deep Dive)

Page 36

It’s the metadata, stupid

Page 37

www.wired.com

NSA: “Collect it all, know it all, exploit it all”

Page 38

(Part of) government seems to prefer offense over defense

How many 0-days do the NSA, FBI and CIA have? Are they revealed to vendors? If so, when?

New 0-days

0-days stolen by the Shadow Brokers from the Equation Group, resulting in WannaCry and Petya

Page 39

Page 40

EU COM(2017)608 towards an effective and genuine Security Union

encryption will not be “prohibited, limited or weakened”

“measures should not have an impact on a larger or indiscriminate number of people”.

more collaboration
96 extra people for Europol

encourages the countries to collaborate in developing a toolbox with alternative investigation techniques
Key search machines? 0-days? Malware?

Page 41

http://www.ecrypt.eu.org/csa/documents/D5.2-AlgKeySizeProt-1.0.pdf

Page 42

We need a Digital Geneva Convention
Microsoft President Brad Smith: “Nation states are hacking civilians in peace time”

Page 43

Encryption to protect industry ~18.3B

[Figure: bar chart on a log10 scale of the number of protected systems per category; values shown: 6.2B, 6B, 250M, 37M, 200M, 3B, 2.4B, 200M. © Bart Preneel]

Page 44

Encryption to protect user data ~12.5B (not meta data)

[Figure: bar chart on a log10 scale (0 to 12) with categories Mobile, Browsers, Android, iOS, WhatsApp, iMessage, Skype, Harddisk, SSL/TLS, IPsec; values shown: 6.3B, 3.5B, 500M, 1B, 500M, 20-50M?, 50M, 700M, 1B, 500M, ??; annotations: “Not end to end”, “Meta data”, “Backup in cloud?”, “Backdoors?”; inset of the browser HTTPS stack: https:// vs http://, Browser, HTTP over SSL, SSL, Transport, System. © Bart Preneel]

Page 45

Architecture is politics [Mitch Kapor ’93]

Control: avoid a single point of trust that becomes a single point of failure

Stop massive data collection
big data yields big breaches (think pollution)
this is both a privacy and a security problem (think OPM)

Page 46

Page 47

Governance and Architectures

Back to principles: minimum disclosure
– stop collecting massive amounts of data
• local secure computation
– if we do collect data: encrypt with key outside control of host
• with crypto still useful operations

Bring “cryptomagic” to use without overselling
– zero-knowledge, oblivious transfer, functional encryption
– road pricing, smart metering, health care

Don’t call anything “privacy/security by design” for GDPR compliance

Page 48

From Big Data to Small Local Data

Data stays with users

Page 49

From Big Data to Big Encrypted Data

Encrypted data

Keys stay with users

Can still compute on the data

Page 50

Open (Source) Solutions

Effective governance

Transparency for service providers

EU Free and Open Source Software Auditing

Page 51

Conclusions
• Crypto problems are definitely not solved but we are making some progress
• Crypto wars are not over
• Ongoing pervasive surveillance needs pervasive collection and active attacks with massive collateral damage on our ICT infrastructure
• Better protected end systems: open systems with better governance

Page 52

Bart Preneel, imec-COSIC KU Leuven

ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL: [email protected]
TWITTER: @CosicBe
TEL: +32 16 321148

ECRYPT CSA http://www.ecrypt.eu.org