Papers by Vlastimil Klima

Lecture Notes in Computer Science, 2003
In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. These protocols incorporate the PKCS#1 (v. 1.5) encoding method for the RSA encryption of a premaster-secret value. The premaster-secret is the only secret value that is used for deriving all the particular session keys. Therefore, an attacker who can recover the premaster-secret can decrypt the whole captured SSL/TLS session. We show that incorporating a version number check over the PKCS#1 plaintext used in SSL/TLS creates a side channel that allows the attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher's attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper. Against a testing server (2x Pentium III/1.4 GHz, 1 GB RAM, 100 Mb/s Ethernet, OS RedHat 7.2, Apache 1.3.27), it was possible to achieve a speed of 67.7 BVO calls per second for a 1024-bit RSA key. The median time for a whole attack on the premaster-secret could then be estimated as 54 hours and 42 minutes. We also propose and discuss countermeasures, which are both cryptographically acceptable and practically feasible.

IACR Cryptology ePrint Archive, 2009
The BLUE MIDNIGHT WISH hash function is the fastest among the 14 algorithms in the second round of the SHA-3 competition [1]. At the beginning of this round the authors were invited to add some tweaks before September 15th, 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the AXR type, since it uses only the operations ADD (SUB), XOR and ROT (shift). If we substitute the operation ADD with the operation XOR, we get BMW_lin, which is an affine transformation. In this paper we consider only the BMW_lin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of the main blocks of BMW_lin have full rank, or a rank very close to full rank. The structure of the matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We also show matrices for different values of the security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness, as was intended by the designers. These observations hold for both BMW256_lin and BMW512_lin. In this analysis we did not find any useful property which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.
Springer eBooks, 2010
The Blue Midnight Wish hash function is one of the 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different. It is a well-known fact that the design principles of the SHA-2 family of hash functions are still kept as classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper we first give an observation on the properties of the SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.
Practical Consequences of the Aberration of Narrow-Pipe Hash Designs from Ideal Random Functions
Communications in computer and information science, 2011

Lecture Notes in Computer Science, 2003
This paper contains three parts. In the first part we present a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack the part of the plaintext which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attacks on the RSA encryption schemes PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as examples. The result is the private key, rather than the plaintext as with the attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to the problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.

International Workshop on Security, May 20, 2009
This is the supporting documentation that describes in detail the tweaked cryptographic hash function BLUE MIDNIGHT WISH, which is submitted as a candidate for the second round of the SHA-3 hash competition organized by the National Institute of Standards and Technology (NIST), according to the public call [1]. BLUE MIDNIGHT WISH is a cryptographic hash function with an output size of n bits, where n = 224, 256, 384 or 512. Its conjectured cryptographic security is: O(2^(n/2)) hash computations for finding collisions, O(2^n) hash computations for finding preimages, and O(2^(n−k)) hash computations for finding second preimages for messages shorter than 2^k bits. Additionally, it is resistant against length-extension attacks, and it is resistant against multicollision attacks. BLUE MIDNIGHT WISH has been designed to be much more efficient than the SHA-2 cryptographic hash functions, while at the same time offering the same or better security. The speed of the optimized 32-bit version on the defined reference platform using Intel(R) C++ 11.0.072 is 7.76 cycles/byte for n = 224, 256 and 13.20 cycles/byte for n = 384, 512. The speed of the optimized 64-bit version on the defined reference platform using Intel(R) C++ 11.0.072 is 7.50 cycles/byte for n = 224, 256 and 3.90 cycles/byte for n = 384, 512.
Cryptographic hash function Edon-R′
International Workshop on Security, May 20, 2009
Cryptographic Hash Function EDON-R′. Danilo Gligoroski, Rune Steinsmo Ødegård, Marija Mihova, Svein Johan Knapskog, Aleš Drápal, Vlastimil Klima, Jørn Amundsen, Mohamed El-Hadedy. Department of Telematics ...
Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition [1]. In this paper we present a decomposition of the Blue Midnight Wish core functions, which gives a deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We used this decomposition to better understand the internals of the Blue Midnight Wish functions and to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue Midnight Wish, as the quickest candidate in the second round. Keywords: hash, SHA-3, Blue Midnight Wish.

In the last 7-8 months Klima and I have discovered several deficiencies of narrow-pipe cryptographic hash designs. It all started with a note to the hash-forum list that narrow-pipe hash functions give outputs that are quite different from the output we would expect from a random oracle mapping messages of arbitrary length to hash values of n bits. Then, together with Klima, we investigated the consequences of that aberration for some practical protocols for key derivation that use iterative and repetitive calls to a hash function. Finally, during the third SHA-3 conference I showed that narrow-pipe hash functions cannot offer n bits of security against the length-extension attack (a requirement that NIST has put as one of the conditions for the SHA-3 competition). In this paper we collect in one place and explain in detail all these problems with narrow-pipe hash designs, and we explain why wide-pipe hash functions such as Blue Midnight Wish do not suffer from the mentioned deficiencies.

Footnote 1: The infinite domain {0, 1}^* in all practical implementations of cryptographic hash functions such as SHA-1 or SHA-2 or the next SHA-3 is replaced by some huge, practically defined finite domain such as the domain D = ∪_{i=0}^{maxbitlength} {0, 1}^i, where maxbitlength = 2^64 − 1 or maxbitlength = 2^128 − 1.

This is version 02 of the supporting documentation that describes in detail the cryptographic hash function EDON-R, which was submitted as a candidate for the SHA-3 hash competition organized by the National Institute of Standards and Technology (NIST), according to the public call [1]. The difference between version 01 and version 02 of the documentation is in the produced test vectors for HMAC. That is due to the fact that there was a mismatch between the rotation values defined in the documentation and the implemented C code. Accordingly, the C source code (on the accompanying CD) has been changed to the correct rotation values. So, in this documentation we do not change anything in the originally submitted algorithm, but just give the correct HMAC test values. In this version a minor change in the performance has been measured with Microsoft Visual Studio 2005, but we add new measurements performed with Intel C++ v 11.0.066 (that are slightly better than those obtained by Microsoft Visual Studio 2...
CipherCAD is a graphical programming tool that can be used to model and explore cryptographic functions, protocols, etc. In this paper we present an application of CipherCAD to model and explore the five finalists of the NIST SHA-3 competition. In this limited space we show some of the myriad possibilities of using CipherCAD for the cryptanalysis of cryptographic functions and their evaluation. We also present cryptographic design tools and options on the example of the Skein-512 hash function. Furthermore, a comparative analysis is shown on the example of an avalanche test for all five SHA-3 finalists: BLAKE, Grøstl, JH, KECCAK and Skein.
This article follows up on the contribution in issue 1 of Crypto-World 2010, with which it shares almost the entire introductory page and several figures. It also loosely follows the articles on BMW in issues 3/2009, 78/2009 and 12/2009. In issue 1 we dealt with finding a preimage (task one); now we will deal with finding a collision (task two). We want to stimulate analyses of and attacks on BMW and to present open problems. These could become the subject of student theses. Why? A great advantage over other topics is that such analyses are currently in high demand, whether with a negative or a positive result. If the problem is solved, or conversely it is shown to be hard, in both cases it is a very publishable result.
cryptography.hyperlink.cz
This paper provides an overview of current cryptographic techniques, targeting management and focussing on the applicability of cryptographic tools and on the level of their security. The paper shows real-life examples and the latest developments in the area. It also offers recommendations that should help managers to understand the necessary basics, what is really important, and how to manage cryptology.

Communications in Computer and Information Science, 2011
In a recent note to the NIST hash-forum list, the following observation was presented: narrow-pipe hash functions differ significantly from ideal random functions H : {0, 1}^N → {0, 1}^n that map bit strings from a big domain, where N = n + m, m ≥ n (n = 256 or n = 512). Namely, for an ideal random function with a big domain space {0, 1}^N and a finite co-domain space Y = {0, 1}^n, for every element y ∈ Y the probability Pr{H^(−1)(y) = ∅} ≈ e^(−2^m) ≈ 0, where H^(−1)(y) ⊆ {0, 1}^N and H^(−1)(y) = {x | H(x) = y} (in words: the probability that elements of Y are "unreachable" is negligible). However, for the narrow-pipe hash functions, for certain values of N (the values that cause the last padded block processed by the compression function of these functions to have no message bits), there exists a huge non-empty subset Y∅ ⊆ Y with a volume |Y∅| ≈ e^(−1)|Y| ≈ 0.36|Y| for which it is true that for every y ∈ Y∅, H^(−1)(y) = ∅. In this paper we extend the same finding to SHA-2 and show the consequences of this aberration when narrow-pipe hash functions are employed in HMAC and in two widely used protocols: 1. the pseudorandom function defined in SSL/TLS 1.2 and 2. the Password-based Key Derivation Function No. 1, i.e. PBKDF1.

Footnote fragment: ... practically defined finite domain such as the domain D = ∪_{i=0}^{maxbitlength} {0, 1}^i, where maxbitlength = 2^64 − 1 or maxbitlength = 2^128 − 1.
Cryptographic hash function EDON-R
Submission to …, 2008
... Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: Cryptanalysis of Edon-R. Available online, 2008. ...

Kryptologie pro praxi - Jak Diffie zaspal (Cryptology in Practice: How Diffie Overslept)