From strong mathematics to weak cryptography
acns2015.cs.columbia.edu/Matthew_Green_ACNS15.pdf · 2015-06-11
TRANSCRIPT

From strong mathematics to weak cryptography
Matthew Green, Johns Hopkins University
for ACNS 2015

Why this presentation?
These people are wrong

Algorithms
Protocol Design
Implementation
Library API design
Deployment & Correct Usage
(Diagram of the layers above. Algorithms is labelled "solved problem"; the other layers are labelled Unsolved.)

Why does this matter?
This talk
• We know how to build strong cryptosystems
• And yet we continue to deploy weak ones
• What's going on here? How are we allowing this to happen?
• Perhaps it has something to do with the way we do business.
• Main case studies: SSL/TLS, Apple iMessage

Case study 1: SSL/TLS
SSL/TLS
• Most important security protocol on the Internet
• Allows secure connections between clients & servers
• Current version: TLS 1.2 (but browsers still support SSL 3, TLS 1.0/1.1), plus 1.3 coming soon!
• Not just web browsing!

A brief history
• SSLv1 born at Netscape. Never released. (~1994)
• SSLv2 released one year later
• SSLv3 (1996)
• TLS 1.0 (1998). Still widely deployed.
• TLS 1.1 (2006)
• TLS 1.2 (2008)

How secure is TLS?
• Many active attacks and implementation vulnerabilities
• Heartbleed, Lucky13, FREAK, CRIME, BEAST, RC4
In practice: most of these require substantial resources and can't be deployed at scale

How secure is TLS?
But not all attacks…

What’s wrong with TLS?
Quite a bit
• Many problems result from TLS's use of "pre-historic cryptography" (Eric Rescorla)
• CBC with MAC-then-Encrypt, bad use of IVs
• RSA-PKCS#1v1.5 encryption padding
• RC4
• DH parameter generation
• Horrifying backwards compatibility requirements
Many of these flaws were 'known' at design time, but exploited by researchers only afterwards.

MAC-then-pad-then-Encrypt
• TLS MACs the record, then pads (in CBC), then enciphers
• Obvious problem: padding oracles
• Countermeasure(s):
  1. Do not distinguish padding/MAC failure
  2. "Constant-time" decryption
(Lucky13 showed that countermeasure 1 on its own is not enough: even with a single error message, the time taken to compute the MAC over the unpadded data still leaks the padding length, which is why 2 is needed.)

BEAST
• Serious bug in TLS 1.0
• Allows complete decryption of CBC ciphertexts
• Use of predictable Initialization Vector (CBC residue bug): the IV of each record is the last ciphertext block of the previous record, so an attacker who can inject chosen plaintext knows the next IV before choosing it
• Known since 2002, attack described by Bard in 2005 (Bard was advised to focus on more interesting problems.)
• Nobody cared or noticed until someone implemented it
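The CBC residue bug in action, as an added example that is not from the slides. The block cipher is a stand-in (an HMAC-based Feistel permutation, so the script needs only the standard library; it is not AES and not secure), MAC and padding are left out, and the 16-byte secret, the victim's send routine and the attacker's two oracles (a fully chosen record, and a record with an attacker-chosen prefix in front of the secret, as in BEAST's URL-path-before-Cookie trick) are all constructed here. Against the TLS 1.0 record layer the attacker recovers the whole block one byte at a time, 256 guesses per byte; against the TLS 1.1 per-record random IV the same attacker recovers nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Stand-in for AES (assumption, so the example needs only the stdlib): a
    4-round Feistel network whose round function is HMAC-SHA256. It is an
    invertible permutation on 16-byte blocks, which is all CBC needs. It is
    NOT a secure cipher and it is not what TLS uses."""

    def __init__(self, key: bytes):
        self.round_keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(4)]

    def _rounds(self, block: bytes, keys) -> bytes:
        left, right = block[:8], block[8:]
        for k in keys:
            left, right = right, xor(left, hmac.new(k, right, hashlib.sha256).digest()[:8])
        return right + left  # undo the final swap

    def encrypt_block(self, block: bytes) -> bytes:
        return self._rounds(block, self.round_keys)

    def decrypt_block(self, block: bytes) -> bytes:
        return self._rounds(block, self.round_keys[::-1])


class Tls10CbcSender:
    """TLS 1.0 record layer, CBC part only (MAC and padding omitted; records are
    zero-padded to a block multiple). The IV of each record is the last
    ciphertext block of the previous record: the 'CBC residue'."""

    def __init__(self, key: bytes, iv: bytes):
        self.cipher = ToyBlockCipher(key)
        self.chain = iv  # in real TLS 1.0 the first IV comes from the key block

    def send(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)
        out = bytearray()
        for i in range(0, len(plaintext), BLOCK):
            self.chain = self.cipher.encrypt_block(xor(self.chain, plaintext[i:i + BLOCK]))
            out += self.chain
        return bytes(out)


class Tls11CbcSender(Tls10CbcSender):
    """TLS 1.1+ fix: a fresh random IV per record, sent explicitly in front of
    the ciphertext, so the attacker cannot know it before choosing plaintext."""

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        self.chain = iv
        return iv + super().send(plaintext)


def beast_recover_block(send_chosen, request_with_prefix) -> bytes:
    """Attacker side. send_chosen(p): the victim encrypts an attacker-chosen
    record p (BEAST used a script in the browser). request_with_prefix(prefix):
    the victim sends a record whose plaintext is prefix + secret, e.g. an
    attacker-chosen URL path followed by the Cookie header. The attacker sees
    every ciphertext on the wire and predicts the next IV as the last block seen."""
    residue = send_chosen(b"\x00" * BLOCK)[-BLOCK:]  # learn the current chaining block
    known = b""
    for i in range(BLOCK):
        # Shift the block boundary so block 0 holds 15 known bytes and 1 unknown byte.
        prefix = b"A" * (BLOCK - 1 - i)
        record = request_with_prefix(prefix)
        c_prev, c_target = residue, record[:BLOCK]
        residue = record[-BLOCK:]
        for b in range(256):
            guess = prefix + known + bytes([b])
            # Pick plaintext so the cipher input is c_prev XOR guess: the same input
            # that produced c_target if, and only if, the guess is right.
            probe = send_chosen(xor(xor(guess, c_prev), residue))
            residue = probe[-BLOCK:]
            if probe[:BLOCK] == c_target:
                known += bytes([b])
                break
        else:
            return known  # no candidate matched: the IV prediction was wrong
    return known


SECRET = b"Cookie: SID=8f3a"  # constructed 16-byte secret; the attacker never reads it directly


def run_beast(sender_class) -> bytes:
    """What the attacker recovers against the given record layer."""
    sender = sender_class(os.urandom(16), os.urandom(16))
    return beast_recover_block(
        send_chosen=sender.send,
        request_with_prefix=lambda prefix: sender.send(prefix + SECRET),
    )


if __name__ == "__main__":
    print("TLS 1.0 (chained IV):", run_beast(Tls10CbcSender))
    print("TLS 1.1 (random IV): ", run_beast(Tls11CbcSender))
```

The attacker never touches the key: the only property used is that a block cipher is deterministic, so two identical cipher inputs give identical ciphertext blocks, and with a chained IV the attacker can steer the next input to any value it likes. A random IV the attacker sees only after committing to its plaintext removes that control, which is the whole of the TLS 1.1 fix.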
Solution in practice: RC4
:-(
(When RC4 is your solution, you need a better problem)
Compression (CRIME)
• Can't really blame the TLS designers for including it...
• Blame cryptographers for not noticing it's still in use?
• Blame cryptographers for pretending it would go away.
• We need a model for compression+encryption
• Clearly this can't be semantically secure: ciphertext length depends on how well the plaintext compresses, so an attacker who controls part of the plaintext learns whether it matches the rest (this is CRIME)
• But how much weaker? Can we quantify?

Protocol Design
Example: Negotiation
Each TLS handshake begins with a cipher suite negotiation that determines which key agreement protocol (etc.) will be used.
(Handshake phases in the diagram: Negotiate; Key Exchange; Confirm handshake messages)

Ciphersuite Negotiation
Client: I support: RSA, DHE, ECDHE, RSA_EXPORT
Server: I choose: ECDHE
Key exchange
Confirm handshake messages

MITM Negotiation
Client: I support: RSA, DHE, ECDHE, RSA_EXPORT
I choose: RSA_EXPORT (the attacker steers the negotiation to the export suite)
Attacker can break RSA export key (512-bit RSA)
… and forge confirmation messages
As of Mar '15, 30+% of TLS hosts supported export suites!
Solution: Modern clients won't offer broken cipher suites like RSA_EXPORT (unless they're wget or curl!)

Question
Is it sufficient for the client to support only "strong" ciphersuites, even if the server supports weak ones?
• Let A be the set of KA protocols supported by Client
• Let B be the set of KA protocols supported by Server
• If each KA protocol in A ∩ B is a secure KA protocol, is the TLS handshake secure?

TLS for cryptographers
• In CRYPTO 2012 (!) we saw the first paper to successfully analyze TLS-DHE [Jager et al.]
• In CRYPTO 2013 a random-oracle analysis of the TLS-RSA handshake [Krawczyk et al.]
• In CRYPTO 2014 an automated analysis of the full handshake, under a new security model [Bhargavan et al.]

Theorem
• Bhargavan et al. theorem statement:
Let A be the set of KA protocols supported by Client. Let B be the set of KA protocols supported by Server. If each KA protocol in A ∪ B is a secure KA protocol & there exist PRFs, then the TLS handshake is a secure KA protocol.
TLS design/deployment assumes this would be A ∩ B! (i.e. that a weak suite the client never offers cannot hurt it; the next two examples show that it can)

Example 2: Negotiation
Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash, Cryptographic Agility and its Relation to Circular Encryption, in EUROCRYPT 2010
Client: I support: RSA, DHE, ECDHE
Server: I support: RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE
MITM: RSA_EXPORT
FREAK [Bhargavan et al.]: Due to a bug in SecureTransport, OpenSSL, SChannel, the client accepts an export-grade RSA key (it does not reject a ServerKeyExchange carrying a temporary 512-bit RSA key even though it negotiated a non-export RSA suite)

Example 2: Negotiation
Solution: Fix implementations
Patch OpenSSL, SecureTransport, SChannel so they will recognize an RSA export key exchange message in a non-export handshake, barf
(patches rolled out March 2015)

Example 3: Negotiation
Client: I support: RSA, DHE, ECDHE
Server: I support: RSA, DHE, DHE_EXPORT, RSA_EXPORT, ECDHE
MITM: DHE_EXPORT
Logjam [Adrian et al.]: Due to a bug in the TLS protocol the client accepts an export-grade DHE key: the server's signature on the ServerKeyExchange covers only the two nonces and the DH parameters, not the negotiated cipher suite, so a signed 512-bit DHE_EXPORT group looks exactly like a signed DHE group to the client

TLS design/deployment assumptions were wrong, and we knew this for years, but failed to properly communicate to the community.
The community made terrible assumptions and didn't ask us what we thought of them. Then they got mired in backwards compatibility issues and only responded to attacks.

Exploiting Logjam
• To exploit the downgrade attack, requires solving a 512-bit DL in real time
• Initially this seems challenging, but the NFS algorithm can be heavily optimized for pre-computation using only the prime (p)
• "Oversieving" increases cost of sieving and storage, but reduces cost of linear algebra step & final "descent"
• 92% of DHE_EXPORT servers use one of two hard-coded primes (p) (mod_ssl, Apache)
• Sieving/Linear Alg: 1 week (wall clock) for each p, done once
• Descent on (g, h): done per connection, for the specific g^y seen in the handshake (the Logjam paper reports this takes on the order of a minute)

Example 3: Negotiation
Short term (hack) solution:
Fix OpenSSL, SecureTransport, SChannel so they refuse DHE keys < 768 bits
patched in NSS, SChannel, BoringSSL, LibreSSL, SecureTransport
(Took months to accomplish this, since it breaks ~1% of the Internet to make this fix)

Example 3: Negotiation
Long(er) term solutions:
Eliminate 1024-bit DHE (but Java).
Stop using common DHE primes.
Use EUF-CMA signatures to validate the protocol transcript. Then you can achieve the security the TLS designers originally set out to achieve: the handshake is only as weak as the suites in A ∩ B, the ones both sides actually agree on.
(TLS 1.3 adds such a message, provisionally.)
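The negotiation question, the Logjam downgrade, the short-term group-size check and the transcript-signature fix, as one added example that is not from the slides. Everything in it is a simplification built for illustration: an HMAC under a constructed key stands in for the server's RSA signature (the client is handed the same key so it can verify; a real client would hold only the public key), the DH parameters are reduced to the size of p, only the two finite-field suites DHE and DHE_EXPORT are modelled, and the server simply takes the first offered suite it supports. What is faithful is what the signature covers: TLS 1.2's ServerKeyExchange signs nonces plus parameters, TLS 1.3's CertificateVerify signs the whole transcript including the cipher suites.

```python
import hashlib
import hmac
import secrets

# Strength of each finite-field suite, as the size of the DH modulus p in bits.
DH_BITS = {"DHE": 2048, "DHE_EXPORT": 512}

# Constructed: the server's long-term signing key. HMAC under it stands in for the
# server's RSA signature (assumption: the client is given the same key to verify).
SERVER_SIGNING_KEY = b"constructed-server-signing-key"


def sign(message: bytes) -> bytes:
    return hmac.new(SERVER_SIGNING_KEY, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(message), signature)


def encode(*fields) -> bytes:
    """Length-prefixed serialisation of handshake fields, so signing is unambiguous."""
    out = b""
    for f in fields:
        f = f if isinstance(f, bytes) else str(f).encode()
        out += len(f).to_bytes(2, "big") + f
    return out


def signed_body(client_random, offered, server_random, suite, params, transcript_signature):
    """What the server's signature covers.
    TLS 1.2 ServerKeyExchange: the two nonces and the DH parameters only; the
    cipher suite from ClientHello/ServerHello is NOT covered (the Logjam flaw).
    TLS 1.3 CertificateVerify: the whole transcript, suites included."""
    if transcript_signature:
        return encode(client_random, ",".join(offered), server_random, suite, params)
    return encode(client_random, server_random, params)


class Server:
    def __init__(self, supported):  # B: the KA protocols the server supports
        self.supported = supported

    def respond(self, client_random, offered, transcript_signature):
        suite = next(s for s in offered if s in self.supported)
        server_random = secrets.token_bytes(32)
        params = f"dh-p-bits={DH_BITS[suite]}"  # stand-in for (p, g, g^y); only |p| matters here
        body = signed_body(client_random, offered, server_random, suite, params, transcript_signature)
        return {"server_random": server_random, "suite": suite, "params": params, "sig": sign(body)}


class Client:
    def __init__(self, offered, min_dh_bits=0):  # A: the KA protocols the client offers
        self.offered = offered
        self.min_dh_bits = min_dh_bits  # the short-term Logjam fix: refuse small groups
        self.client_random = secrets.token_bytes(32)

    def finish(self, msg, transcript_signature):
        """Returns (accepted, suite the client believes it negotiated, DH modulus bits)."""
        dh_bits = int(msg["params"].split("=")[1])
        if msg["suite"] not in self.offered:
            return (False, msg["suite"], dh_bits)
        body = signed_body(self.client_random, self.offered, msg["server_random"],
                           msg["suite"], msg["params"], transcript_signature)
        if not verify(body, msg["sig"]):
            return (False, msg["suite"], dh_bits)
        if dh_bits < self.min_dh_bits:
            return (False, msg["suite"], dh_bits)
        return (True, msg["suite"], dh_bits)


def honest_handshake(client, server, transcript_signature):
    msg = server.respond(client.client_random, client.offered, transcript_signature)
    return client.finish(msg, transcript_signature)


def logjam_handshake(client, server, transcript_signature):
    """Man in the middle: rewrites ClientHello to offer only DHE_EXPORT, then
    relabels the server's reply as plain DHE on its way back to the client."""
    msg = server.respond(client.client_random, ["DHE_EXPORT"], transcript_signature)
    forged = dict(msg, suite="DHE")
    return client.finish(forged, transcript_signature)


def outcomes():
    """A = {DHE} (client), B = {DHE, DHE_EXPORT} (server): A ∩ B is strong, A ∪ B is not."""
    server = Server({"DHE", "DHE_EXPORT"})
    return {
        "honest_tls12": honest_handshake(Client(["DHE"]), server, False),
        "logjam_tls12": logjam_handshake(Client(["DHE"]), server, False),
        "logjam_tls12_min1024": logjam_handshake(Client(["DHE"], min_dh_bits=1024), server, False),
        "logjam_transcript_signed": logjam_handshake(Client(["DHE"]), server, True),
    }


if __name__ == "__main__":
    for name, (ok, suite, bits) in outcomes().items():
        print(f"{name:26} accepted={ok!s:5} suite={suite:10} dh_bits={bits}")
```

The second outcome is the one the theorem warns about: the client never offered DHE_EXPORT, every signature verifies, and it still ends up doing a 512-bit exchange while believing it negotiated DHE, because the server's weak suite (in B but not in A) was reachable through a signature that did not commit to the suite. The group-size check stops this particular attack but not the general pattern; signing the transcript does, which is why the only change that makes security depend on A ∩ B is the last line of the table.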
• What's going on here?
This picture again
This is just a fancy SSL terminator
This is where the magic happens
![Page 67](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/67.jpg)
What is LONGHAUL?
• Hypothesis 1: LONGHAUL is a database of stolen RSA secret keys (the NSA is stealing RSA secret keys)
• This works really well, but it's boring
• Easy to solve: switch to PFS cipher suites (DHE/ECDHE)
![Page 70](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/70.jpg)
Problem
• LONGHAUL also purports to decrypt IPSec/IKE
• IKE does not use RSA to establish keys
• It runs a Diffie-Hellman exchange for each connection.
![Page 71](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/71.jpg)
What is LONGHAUL?
• Hypothesis 2: The NSA is breaking 1024-bit DHE
• This sounds completely insane
• Maybe it's not
![Page 74](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/74.jpg)
Breaking DHE at scale
• Breaking DHE == solving the Discrete Logarithm problem
• In theory, this is too expensive for groups of 768 bits or more
• However there is a wrinkle…
![Page 75](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/75.jpg)
Breaking DHE at scale
• A large percentage of Apache/Java/IIS servers use fixed, hardcoded parameters for DHE
• IPSec/IKE is even worse: nearly 50% of servers will choose Oakley groups 1 and 2 (768/1024-bit), generated in 1998
• The Number Field Sieve (NFS) can be heavily optimized for precomputation that depends only on the prime, not on any particular key exchange
• With prime-specific precomputation ($10s-100s of millions / 1 year?) an attacker might be able to break 30-50% of DHE connections with academic levels of computing
• Approximately 30 core-days for the final descent (the per-connection step)
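The precomputation bullet is the whole economic argument, so here is an added example (mine, not from the talk) that makes its shape concrete with baby-step giant-step on a toy 31-bit prime: the table costs about sqrt(p) work, depends only on (p, g), and is then reused to recover the secret of every connection that used that group, each for at most about sqrt(p) multiplications. The real attack on 1024-bit groups uses the Number Field Sieve, whose precomputation is vastly larger and whose per-target descent is comparatively tiny; only the amortization structure is the same. The prime 2^31-1 and generator 7 are a constructed toy group.

```python
import math
import secrets

# Added example (not from the talk): a toy 31-bit group.  The real targets are
# 1024-bit primes attacked with the Number Field Sieve; only the economics
# (one big table per group, cheap work per key) are being modelled here.
P = 2**31 - 1   # prime; 7 generates the multiplicative group mod P
G = 7


class GroupPrecomputation:
    """Baby-step giant-step with the expensive table built once per (p, g).

    Everything that costs about sqrt(p) work happens in __init__ and depends only
    on the group parameters, never on a particular key exchange.  That is the
    same shape as the NFS attack: sieving and linear algebra are done once per
    prime, and the per-connection 'descent' is comparatively cheap.
    """

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1           # ceil(sqrt(group order))
        self.baby = {}
        acc = 1
        for j in range(self.m):                  # table: g^j -> j
            self.baby[acc] = j
            acc = acc * g % p
        self.giant_step = pow(g, p - 1 - self.m, p)   # g^(-m) mod p
        self.precompute_ops = self.m

    def individual_log(self, h):
        """Return x with g^x == h (mod p), using at most m+1 group operations."""
        gamma = h % self.p
        for i in range(self.m + 1):
            j = self.baby.get(gamma)
            if j is not None:
                return (i * self.m + j) % (self.p - 1)
            gamma = gamma * self.giant_step % self.p
        raise ValueError("h is not a power of g")


def dh_exchange(p, g):
    """One honest connection: the two public values an eavesdropper sees, plus
    the shared secret the eavesdropper is not supposed to learn."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def passive_break(pre, A, B):
    """Eavesdropper recovers the shared secret from the public values alone."""
    a = pre.individual_log(A)
    return pow(B, a, pre.p)


def break_many(pre, n_connections):
    """Reuse one table against many connections in the same group.
    Returns True if every one of them falls."""
    return all(passive_break(pre, A, B) == s
               for A, B, s in (dh_exchange(pre.p, pre.g) for _ in range(n_connections)))


if __name__ == "__main__":
    pre = GroupPrecomputation(P, G)
    print(f"table of {pre.m} entries built once; each connection then costs "
          f"at most {pre.m + 1} multiplications")
    print("all 20 connections in the shared group broken:", break_many(pre, 20))
```

A server that generates its own prime forces the attacker to rebuild the table from scratch for that one host, which is why "stop using common primes" belongs on the fix list: with the toy parameters the rebuild is instant, with a 1024-bit prime it is the year-long, hundreds-of-millions-of-dollars item.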
![Page 76](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/76.jpg)
How do we fix this?
• Eliminate 1024-bit DH
  • This is challenging in TLS, since many clients (Java 7) fail the handshake on longer parameters
  • D. Gillmor, new extension to negotiate FF-DHE groups (a draft at the time; published as RFC 7919)
• Eliminate DHE altogether
  • Move to ECDHE, which is currently not 100% supported
  • Downgrade to RSA (!)
• Eliminate common primes
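To see why the negotiation attack from Example 3 works and how two of the fixes listed here (a client-side minimum group size, and a signature over the full transcript) stop it, here is an added simulation; it is mine, not code from the talk or from any TLS stack. It models only the DHE and DHE_EXPORT suites, represents the server's group by its bit length instead of running real Diffie-Hellman, and uses an HMAC under a constructed key the attacker does not hold as a stand-in for the server's certificate signature, which is the only property of the signature the argument needs.

```python
import hashlib
import hmac
import json

# Added example, not code from the talk.  Constructed stand-ins:
SERVER_KEY = b"stand-in for the server's certificate private key"
GROUP_BITS = {"DHE": 1024, "DHE_EXPORT": 512}   # size of the prime each suite makes the server send
SERVER_SUITES = ["DHE", "DHE_EXPORT"]           # the server still has the export suite enabled


def sign(*parts):
    # HMAC under a key the attacker lacks stands in for the server's EU-CMA signature.
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def verify(sig, *parts):
    return hmac.compare_digest(sig, sign(*parts))


def server_respond(hello, mode):
    """Choose the first offered suite the server supports and sign the key exchange."""
    chosen = next(s for s in hello["suites"] if s in SERVER_SUITES)
    params = f"p_bits={GROUP_BITS[chosen]}"        # ServerDHParams; the suite name is not in here
    if mode == "tls12":
        # TLS 1.2 ServerKeyExchange: the signature covers only the randoms and the DH parameters.
        sig = sign(hello["random"], "server-random", params)
    else:
        # Transcript signature (what the slide asks for): sign the ClientHello *as the server
        # saw it* and the suite it chose, so any edit on the wire changes what was signed.
        sig = sign(json.dumps(hello, sort_keys=True), chosen, params)
    return {"chosen": chosen, "params": params, "sig": sig}


def client_finish(hello_sent, server_hello, mode, min_bits):
    """Client-side checks.  min_bits is the post-Logjam policy (browsers moved to >= 1024)."""
    sig, params, chosen = server_hello["sig"], server_hello["params"], server_hello["chosen"]
    if mode == "tls12":
        ok = verify(sig, hello_sent["random"], "server-random", params)
    else:
        ok = verify(sig, json.dumps(hello_sent, sort_keys=True), chosen, params)
    if not ok:
        return "abort: signature does not match the transcript the client sent"
    bits = int(params.split("=")[1])
    if bits < min_bits:
        return f"abort: {bits}-bit group below policy minimum of {min_bits}"
    return f"ok: {chosen} with {bits}-bit group"


def run_handshake(mode="tls12", min_bits=0, attacker=False):
    """Run one handshake; with attacker=True a man in the middle edits both Hello messages."""
    hello = {"suites": ["DHE", "RSA"], "random": "client-random"}
    as_seen_by_server = dict(hello, suites=["DHE_EXPORT"]) if attacker else hello
    server_hello = server_respond(as_seen_by_server, mode)
    if attacker:
        # Rewrite the ServerHello so the client believes it negotiated ordinary DHE;
        # the 512-bit params and their signature are forwarded untouched.
        server_hello = dict(server_hello, chosen="DHE")
    return client_finish(hello, server_hello, mode, min_bits)


if __name__ == "__main__":
    for mode, min_bits in (("tls12", 0), ("tls12", 1024), ("transcript", 0)):
        print(f"{mode:10} min_bits={min_bits:<5} attacker -> {run_handshake(mode, min_bits, True)}")
```

In TLS 1.2 the man in the middle's edits survive because the signed ServerKeyExchange never says which suite was negotiated; the client verifies a perfectly valid signature over 512-bit parameters it believes belong to ordinary DHE. The model omits the Finished messages: in the real attack the attacker must still solve the 512-bit discrete log before the handshake completes (or stall the client) in order to forge them, which is exactly what the per-prime precomputation makes fast.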
![Page 77](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/77.jpg)
Surely this is all the IETF’s fault
![Page 78](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/78.jpg)
Case study: Apple iMessage
• Not the most important security protocol on the Internet
• But pretty important to real people
• Once you have messaging, you can build inter-device communications…
![Page 79](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/79.jpg)
iMessage: Encryption
(Diagram: each message is sent as three parts)
RSA encryption of k
Message, AES-CTR encrypted with k
ECDSA signature by sender
![Page 82](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/82.jpg)
iMessage: Encryption
Original envelope: RSA encryption of k | Message, AES-CTR encrypted with k | ECDSA signature by sender
Attacker's envelope: RSA encryption of k | Message, AES-CTR encrypted with k | ECDSA signature by attacker
Malleable?
Concern: CTR mode is malleable, so it may be vulnerable to a Vaudenay-style decryption-oracle attack (in the spirit of the 'padding oracle attacks') if the attacker can observe decryption errors.
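To make the "Malleable?" question concrete, here is an added example (mine, not Apple's code and not part of the talk) of the construction drawn on the slides: a message encrypted in CTR mode under a per-message key k and signed by the sender, with the recipient willing to accept a signature from any registered sender. AES-CTR is replaced by a CTR keystream from HMAC-SHA256, since bit-flipping malleability is a property of the CTR construction and not of the block cipher; the per-sender ECDSA keys are replaced by HMAC keys in a constructed registry; the RSA encryption of k to the recipient is left out because it plays no part in the malleability. The second half shows the standard fix: authenticate the ciphertext under a key derived from k (an AEAD mode in practice).

```python
import hashlib
import hmac
import secrets

# Added example, not Apple's code.  Constructed stand-ins for the per-sender ECDSA
# keys: the recipient accepts an envelope signed by any registered sender.
SENDER_KEYS = {"alice": b"alice signing key", "mallory": b"mallory signing key"}


def kdf(k, label):
    """Derive a purpose-specific subkey from the per-message key k (HMAC-based, stdlib only)."""
    return hmac.new(k, label, hashlib.sha256).digest()


def ctr_crypt(k, nonce, data):
    """CTR mode over an HMAC-SHA256 keystream, standing in for AES-CTR.

    One call both encrypts and decrypts.  Ciphertext byte i is plaintext byte i XOR
    keystream byte i, so flipping a ciphertext bit flips the same plaintext bit.
    """
    key = kdf(k, b"enc")
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(4, "big")
        stream = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(c ^ s for c, s in zip(data[off:off + 32], stream))
    return bytes(out)


def sign_envelope(sender, nonce, ct):
    return hmac.new(SENDER_KEYS[sender], nonce + ct, hashlib.sha256).digest()


def send_as_on_slide(k, sender, message):
    """The construction drawn on the slide: CTR ciphertext plus the sender's signature over it."""
    nonce = secrets.token_bytes(12)
    ct = ctr_crypt(k, nonce, message)
    return {"nonce": nonce, "ct": ct, "sender": sender, "sig": sign_envelope(sender, nonce, ct)}


def receive_as_on_slide(k, env):
    """Recipient: check the signature of whoever claims to have sent it, then decrypt."""
    if not hmac.compare_digest(env["sig"], sign_envelope(env["sender"], env["nonce"], env["ct"])):
        raise ValueError("bad signature")
    return env["sender"], ctr_crypt(k, env["nonce"], env["ct"])


def mallory_rewrites(env, offset, old, new):
    """Attacker who knows (or guesses) plaintext[offset:offset+len(old)] == old but not k:
    XOR (old ^ new) into the ciphertext and re-sign the result with her own key."""
    assert len(old) == len(new)
    ct = bytearray(env["ct"])
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    ct = bytes(ct)
    # Anything else in the envelope (e.g. a MAC tag) is forwarded unchanged.
    return dict(env, ct=ct, sender="mallory", sig=sign_envelope("mallory", env["nonce"], ct))


def send_with_mac(k, sender, message):
    """Fix: authenticate the ciphertext under a key derived from k, which the attacker lacks
    (in practice an AEAD mode such as AES-GCM instead of raw CTR)."""
    env = send_as_on_slide(k, sender, message)
    env["tag"] = hmac.new(kdf(k, b"mac"), env["nonce"] + env["ct"], hashlib.sha256).digest()
    return env


def receive_with_mac(k, env):
    """Reject any modified ciphertext before decrypting; no decryption-error oracle remains."""
    expected = hmac.new(kdf(k, b"mac"), env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(env.get("tag", b""), expected):
        raise ValueError("ciphertext was modified")
    return receive_as_on_slide(k, env)


def tamper_detected(k, env):
    try:
        receive_with_mac(k, env)
    except ValueError:
        return True
    return False
```

Mallory's edit succeeds against the slide's design because the only integrity check binds the ciphertext to whoever signed it last, and she can sign. With a MAC keyed from k she cannot produce a valid tag for her modified ciphertext, so the recipient rejects it before decrypting, which also removes the decryption-error oracle the previous slide worries about.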
![Page 85](https://reader036.vdocuments.us/reader036/viewer/2022081407/5f21be49d44a6670b0789e54/html5/thumbnails/85.jpg)
Conclusion
• Cryptography is challenging!
• We fail to push best practices down to the engineering community
• They fail to pull best practices from the literature, even years after vulnerabilities are known
• Cryptosystems continue to become more complex and vulnerable
• This process is not really tolerable anymore