The Crypto Year in Review
Bart Preneel
COSIC KU Leuven and imec, Belgium
Bart.Preneel(at)esat.kuleuven.be
November 2017
© KU Leuven COSIC, Bart Preneel
Crypto = Cryptocurrencies = bitcoin?

Myths about Bitcoin
• It will keep going up
• Transactions are expensive
• People do many transactions
• We understand why it works
• Anarchy works to manage a global currency system
• There will be no hard forks after Bitcoin Cash
• It is (not) a pyramid scheme
• Ethereum is much better
• My next ICO is even better

Outline
• Cool hacks: Infineon, KRACK, MME
• Hash functions
• TLS
• Postquantum crypto
• Cryptowars returning
• Conclusions

The Infineon Library: RSAlib [Nemec, Sýs, Švenda, Klinec, Matyáš ‘17]
RSA keys: product of two large primes: N = p.q
How do I generate p and q?
Pick a random number x and test for primality
Improvement 1: pick a random odd number x and test
– Note: x = 1 mod 2
Improvement 2: pick a random odd number x not divisible by 3 and test for primality
– Note: x = 1 mod 6 or x = 5 mod 6
Improvement 3: pick a random odd number x not divisible by 3 and 5 and test for primality
– Note: x = 1,7,11,13 mod 15
Idea: control the value of candidates x modulo the product of the first n primes

The Infineon Library: RSAlib
RSAlib: generate prime candidates x as follows
– Mn = product of first n primes
– x = k . Mn + (65537^a mod Mn)
Unfortunately this can be detected easily: N = 65537^c mod Mn
And Mn was chosen too large so k and a are small and can be recovered easily leading to factorization:
– 1024-bit keys: < 3 CPU months on a single core
– 2048-bit keys: 100 CPU-years
Improvements by 25%: [Bernstein-Lange]
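
The detection described on this slide, as a runnable check for key inventories (an added example, not code from the talk or from the cited paper). It tests the necessary condition one small prime at a time instead of solving for c; `N_PRIMES = 16`, the function names and all key material are toy assumptions constructed for the illustration.

```python
"""Fingerprint check for RSA moduli built from RSAlib-style primes.
Toy parameters and keys are constructed for this example."""
from math import prod

GEN = 65537
N_PRIMES = 16  # assumption: toy n; the slide only says "first n primes"


def first_primes(n):
    """First n primes by trial division (n is small)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


SMALL_PRIMES = first_primes(N_PRIMES)
M = prod(SMALL_PRIMES)  # Mn on the slide


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (adequate for a demo)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def structured_prime(a, k_start):
    """Toy generator: smallest prime k*M + (65537^a mod M) with k >= k_start."""
    g = pow(GEN, a, M)
    k = k_start
    while not is_probable_prime(k * M + g):
        k += 1
    return k * M + g


def subgroup(r):
    """All residues 65537^c mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GEN % r
    return seen


def has_rsalib_fingerprint(n):
    """True if n mod r is a power of 65537 for every small prime r | M.

    A modulus whose two primes have the structured form always passes,
    because N = p*q = 65537^(a+b) mod M. An unrelated modulus passes
    only if it lands in the subgroup for every r by chance.
    """
    return all(n % r in subgroup(r) for r in SMALL_PRIMES)


def demo():
    # Constructed toy key with the structured primes (a and k arbitrary).
    p = structured_prime(a=12345, k_start=40000)
    q = structured_prime(a=67890, k_start=50000)
    # Constructed control: product of the Mersenne primes 2^61-1 and 2^89-1.
    control = (2**61 - 1) * (2**89 - 1)
    return has_rsalib_fingerprint(p * q), has_rsalib_fingerprint(control)


if __name__ == "__main__":
    print(demo())
```

The check needs only the public modulus, so it can be run over certificates, SSH keys or TPM-backed keys without touching private material.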

The Infineon Library: RSAlib
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
Aug. 2016: non-randomness of Infineon keys detected
Jan. 2017: vulnerability found
Feb. 2017: Infineon warned
16 Oct. 2017: results announced (without details)
31 Oct. 2017: paper released
3 Nov. 2017: Estonia blocks Infineon keys (more than 750,000 ID cards)
Other problems: TPMs, TLS, Github,…
RSAlib was certified by BSI based on tests by TÜV Informationstechnik GmbH

KRACK (Key Reinstallation Attack) [Vanhoef-Piessens ‘17] https://www.krackattacks.com/
4-way handshake of the Wi-Fi Protected Access II (WPA2)
Can resend 3rd message in replay attack
affects all major software platforms:
– Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD
wpa_supplicant (open-source, used in Linux and Android): especially susceptible as it can be manipulated to install an all-0 encryption key
Protocol had formal security proof
Responses have been interesting
Note that there are even worse attacks on Wi-Fi: evil twin

Intel’s MME
Intel’s Management engine in every CPU
Runs Minix
Ring -5: underneath and out of sight of whatever OS, hypervisor or antivirus is installed
– TPM
– Media DRM
May 2017: remote unprivileged attacker in AMT [Active Management Technology] to "gain system privileges to provisioned [chips]"
Nov 2017: compromised via the USB port by Russian researchers https://mobile.twitter.com/h0t_max/status/928269320064450560

A Bad Year for the NSA Crypto Team
Simon and Speck: two lightweight block ciphers designed by the NSA (2013)
September 2017: ISO/IEC JTC1 refuses to standardize all versions of Simon and Speck
Answer of the NSA: we will be back (but only with the larger versions)
And SHA-1?

Hash functions
This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).
Example output: 1A3FD4128A198FB3CA345932h
• X.509 Annex D
• MDC-2
• MD2, MD4, MD5
• SHA-1
• RIPEMD-160
• SHA-256
• SHA-512
• SHA-3
ISSE 2016 prediction: collision for SHA-1 in the next 6 months

SHA-1
SHA-1 designed by NSA in ‘94
75/80 steps takes 2^57.7 [Grechnikov-Adinetz’11]
collision full SHA-1 in Feb. 2017 https://shattered.io/ [Stevens+17]
[Figure: log2 complexity of attacks on SHA-1; labelled points: [Wang+’04], [Wang+’05], [Sugita+’06], [Mendel+’08], [McDonald+’09], [Manuel+’09], [Stevens’12]; note: most attacks unpublished/withdrawn]

Collisions for SHA-1 [Stevens-Bursztein-Karpman-Albertini-Markov’17]
2^63.1 = 6,500 years of single-CPU computations and 110 years of single-GPU computations.
= 100,000 times faster than brute force collision 2^80
browser industry (Chrome, Edge, IE) started preparing in 2015
WoSign caught backdating 2016 SHA-1 certificates!
Firefox still had to scramble last minute in 2017
problems for Github

Upgrades
RIPEMD-160 is good replacement for SHA-1
TLS uses MD5 || SHA-1 to protect algorithm negotiation (up to v1.1)
upgrading negotiation algorithm is even harder: need to upgrade TLS 1.1 (‘06) to TLS 1.2 (‘08)
– progress in November 2013 (Google, Microsoft)
– but TLS 1.2 allows MD5 only!! SLOTH attack [late 2015]
TLS 1.3 expected late 2017

SSL/TLS
most successful end-to-end security technology
12 million servers after 23 years
Let’s Encrypt: 45 million active certs in 2 years
billions of clients
Versions: SSLv2 (‘94), SSLv3 (‘96), TLS 1.0 (‘99), TLS 1.1 (‘06), TLS 1.2 (‘08), TLS 1.3 (‘17)
broken in many ways: RFC 7457: “Summarizing known attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS),” February 2015

TLS overview [Stebila’14]
• Crypto primitives: RSA, DSA, ECDSA; DH, EC-DH; HMAC; MD5, SHA-1, SHA-2; DES, 3DES, RC4, AES
• Ciphersuite details: data structures; key derivation; encryption modes and IVs; padding
• Protocol “Framework”: compression; alerts and errors; certification/revocation; (re-)negotiation; session resumption; key reuse
• Libraries: OpenSSL; GnuTLS; SChannel; Java JSSE
• Applications: web browsers; web servers; application SDKs; certificates
Theoretical analysis

TLS attack overview [Stebila’14] updated November 2017
[Figure: attacks placed on the TLS overview diagram: DROWN, improved RC4 biases, FREAK, Logjam, SLOTH, POODLE, DH parameter validation, Sweet32, Lucky Microseconds]

TLS 1.3 coming soon (really)
Clean up and simplify
• remove renegotiation and compression
Increase security
• RSA for key transport removed: only Diffie-Hellman (forward secrecy)
• only authenticated encryption with associated data (AEAD)
Increase privacy
• start encrypting earlier
Reduce latency (if previously connected): 0-RTT and 1-RTT
More details: Eric Rescorla, TLS 1.3, Real World Crypto 2016
Good news: miTLS high assurance implementation [INRIA+Microsoft]

If a large quantum computer can be built...
Yuri Manin 1980 and Richard Feynman 1981
all schemes based on factoring (RSA) and DLOG are insecure [Shor’94]
• including elliptic curve cryptography
symmetric key sizes: x2 [Grover]

When to switch to quantum resistant cryptography?
Q = #years until first large quantum computer
x = #years it takes to switch (3-10 years)
y = #years data needs to be confidential (10 years)
Need to start switching in the year 2017 + Q – x – y
e.g. Q = 14, x=5, y=10: last year!
For data and entity authentication: y = small (and defense-in-depth)

State of the art in coherent qubit control: 2001
[Figure: # gates and gate network versus # qubits (1 to 7), with results by lab and year (1995 to 2002); legend: Stanford/IBM, NMR main players, other NMR, non-NMR; * unpublished; annotated milestones: Grover search, order finding, Shor 15=3x5, “cooling” spins, liquid crystals, error detection, Deutsch-Jozsa, error correction, 7-spin coherence]

It is getting serious
2011: D-Wave: 128 qubits “QC” but topology
Jan. 2014: NSA 85 M$ for research to build a QC
2013: D-Wave: 512 qubits “QC”
2015: D-Wave 2X: a 1000+ qubit “QC” (15M$)
2015: Intel invests US$50 million with QuTech (Delft)
– 2017: test chip with 17 qubits delivered
March 2017: Rigetti has raised nearly $70 million and has built an 8-qubit QC
May 2017: IBM announced 16-qubit QC based on superconductivity
Oct 2017: Google/UCSB: plan for 49-bit QC based on superconductivity
Microsoft: will build QC on topological qubits
Nov 2017: IBM announces a 50-qubit QC

Predictions
M. Mosca, April 2015: “With probability 1/7 we will have a large quantum computer available by 2025; the probability will increase to close to 1 by 2035”
Criticism
• interconnect/architecture?
• algorithms depend on architecture
• number of qubits needed may grow quadratically with bit size for ECC

August 19 2015: do not switch to Suite B
IAD will initiate a transition to quantum resistant algorithms in the not too distant future […]
For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition […]
For now: ECC P-384/RSA-3072/Diffie-Hellman 3072

Post-Quantum public key crypto
PQCrypto: http://pqcrypto.eu.org/
• Digital signatures
– Hash-based: secure but large signatures (40 Kbyte) and keys
– Lattice based: BLISS
• Public key encryption/key establishment
– NTRU
– Lattice based (Ring Learning With Errors): BGV/BV
– Code-based crypto
– Isogenies

Open competitions
[Timeline figure: DES, RIPE, AES, NESSIE, CRYPTREC, eSTREAM, SHA-3 (years marked: 1975-1977, 1988-2002, 1997, 2000, 2000, 2005, 2012); CAESAR, POSTQUANTUM, Lightweight (axis 2014 to 2024)]

Post-Quantum Standardization
NIST Internal Report (NISTIR) 8105: Report on Post-Quantum Cryptography http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html
Fall 2016: Formal Call for Proposals
Nov 2017: Deadline for submissions
Early 2018: Workshop - Submitter's Presentations
3-5 years: Analysis Phase - NIST will report findings; 1-2 workshops during this phase
2 years later: Draft Standards ready

As predicted at ISSE 2015 and discussed at ISSE 2016
The crypto war returns
2014: We are going dark
9 Nov. 2017
US citizens have protections based on 4th Amendment but Europeans don’t
NSA and GCHQ claim that they perform targeted surveillance while they run mass surveillance programs (Tempora and XKeyScore Deep Dive)

It’s the metadata stupid

NSA: “Collect it all, know it all, exploit it all”
(www.wired.com)

(Part of) government seems to prefer offense over defense
How many 0-days do the NSA, FBI and CIA have?
Are they revealed to vendors?
If so when?
New 0-days
0-days stolen by Shadow brokers from Equation Group resulting in Wannacry and Petya

EU COM(2017)608 towards an effective and genuine Security Union
encryption will not be “prohibited, limited or weakened”
“measures should not have an impact on a larger or indiscriminate number of people”.
more collaboration
96 extra people for Europol
encourages the countries to collaborate in developing a toolbox with alternative investigation techniques
Key search machines? 0-days? Malware
http://www.ecrypt.eu.org/csa/documents/D5.2-AlgKeySizeProt-1.0.pdf

We need a Digital Geneva Convention
Microsoft President Brad Smith: “Nation states are hacking civilians in peace time”

Encryption to protect industry ~18.3B
[Figure: bar chart on a log10 scale; bar labels not recoverable; values shown: 6.2B, 6B, 250M, 37M, 200M, 3B, 2.4B, 200M]

Encryption to protect user data ~12.5B (not meta data)
[Figure: bar chart on a log10 scale (0 to 12) over Mobile, Browsers, Android, iOS, WhatsApp, iMessage, Skype, Harddisk, SSL/TLS, IPsec; values shown: 6.3B, 3.5B, 500M, 1B, 500M, 20-50M?, 50M, 700M, 1B, 500M; annotations: “Not end to end”, “Meta data”, “Backup in cloud?”, “Backdoors?”; inset: https:// versus http://, Browser, HTTP over SSL, SSL, Transport System]

Architecture is politics [Mitch Kapor’93]
Control:
avoid single point of trust that becomes single point of failure
Stop massive data collection
big data yields big breaches (think pollution)
this is both a privacy and a security problem (think OPM)

Governance and Architectures
Back to principles: minimum disclosure
– stop collecting massive amounts of data
  • local secure computation
– if we do collect data: encrypt with key outside control of host
  • with crypto still useful operations
Bring “cryptomagic” to use without overselling
– zero-knowledge, oblivious transfer, functional encryption
– road pricing, smart metering, health care
Don’t call anything “privacy/security by design” for GDPR compliance
From Big Data to Small Local Data
Data stays with users

From Big Data to Big Encrypted Data
Encrypted data
Keys stay with users
Can still compute on the data
Open (Source) Solutions
Effective governance
Transparency for service providers
EU Free and Open Source Software Auditing

Conclusions
• Crypto problems are definitely not solved but we are making some progress
• Crypto wars are not over
• Ongoing pervasive surveillance needs pervasive collection and active attacks with massive collateral damage on our ICT infrastructure
• Better protected end systems: open systems with better governance

Bart Preneel, imec-COSIC KU Leuven
ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL:
TWITTER: @CosicBe
TEL: +32 16 321148
ECRYPT CSA: http://www.ecrypt.eu.org