WIRED Security (20 October 2016) is a new one-day event, which...
by Andrzej Chmielowiec
We will explain the methods of attacking this popular public-key algorithm. Its 35-year history showed that RSA provides sufficient security only when it is implemented in accordance with the latest norms and standards. It has been the object of extensive cryptanalytic research. The attempts at cracking RSA led to the development of much faster factorization methods. Moreover, the strong desire to break the RSA algorithm was fundamental to many interesting publications on the number theory.
Practical Padding Oracle Attacks on RSA
by Riccardo Focardi
We revise attacks on the RSA cipher based on side-channels that leak partial information about the plaintext. We show how to compute a plaintext when only its parity is leaked. We then describe PKCS#1 v1.5 padding for RSA and we show that the simple leakage of padding errors is enough to recover the whole plaintext, even when it is unpadded or padded under another scheme. This vulnerability is well-known since 1998 but the flawed PKCS#1 v1.5 padding is still broadly in use. We discuss recent optimizations of this padding oracle attack that make it effective on commercially available cryptographic devices.
Differential Power Analysis
by David Gueguen and Paul Benard
In the present article we will give a brief history of Side Channel Attacks, then try to give a general overview of one of its most famous representative Differential Power Analysis. Then we’ll try to y illustrate the fact that because of the side channel threat the implementation of a cryptosystem can be far away from its mathematical design even if this one is taking into account all the known countermeasures to resist to classical cryptanalysis.
Timing Attacks: the developer’s perspective
by L.A.R. Lopez
The goal of this article is to present aspects of timing-attacks, and mainly to discuss what countermeasures and best practices have been successful against them. We present these patterns strictly from the developer’s perspective, referencing cases, code snippets, and tools. More philosophical gibberish is further discussed after the more serious part.
Cache Timing Attacks on AES
by Anthony Tonge and Zsolt Nemeth
A particular side-channel attack involves monitoring the movement of data into and out of cache. Recent advances in cache behaviour analysis have shown that software implementations of AES are particularly vulnerable to cache attacks. Bernstein’s recent attack in particular has remotely extracted an entire AES key from a server. This paper discusses the advances in cache attacks, focusing in particular on Bernstein’s attack, with an investigation into implementing this attack.
Quantum Cryptography review
by Vladimir Frolov
Using these quantum phenomena, it is possible to develop a communication system, which can always detect eavesdropping. This is ensured by the fact that an attempt to measure some related parameters in a quantum system makes it destroying the original signals and hence the level of noise in the channel can give (to legitimate users) degree of assurance on interception.
A Method for Finding Large Prime Numbers
by Chuck Easttom
Prime numbers are essential in many public key cryptographic algorithms. For example the RSA algorithm is based on the difficulty of factoring large numbers into their prime factors (Rizvi1 & Wadhwa, 2010). However, as of this writing, there is no full proof method of generating prime numbers. And in fact algorithms such as RSA require two prime numbers, preferably of similar size.
Bad randomness – vulnerability of DSA signatures
by Avradip Mandal
Digital Signature is probably the most well known cryptographic primitive used in our everyday life. From certificate based authentication (e.g. SSL) to validating whether an application is genuine in smartphone marketplace, digital signatures are present everywhere. The most popular digital signature scheme is probably Digital Signature Algorithm (DSA), the standard set by National Institute of Standard and Technologies (NIST) in the USA. Similar to many other cryptographic schemes, the security of DSA crucially depends on the quality of the random number generator used in the implementation.
by Christopher M. Frenz
Email address harvesting by SPAM bots has led to the widespread adoption of email address obfuscation measures such as email address munging and email address obfuscation to make the collection of email addresses more difficult to automate. These techniques often entail the use of client side scripting designed to reconstruct the email address in the browser for a legitimate user. The techniques, however, attempt to make the address unrecognizable to an email harvesting program that processes the HTML that comprises the Web page containing the email address of interest.
Using advanced PKI features for authentication and authorization
by Valentin Necoara
Nowadays, security is a must have for IT systems. You cannot have a reliable informational system without adequate security implemented. The main processes in a security-oriented system are: authentication, authorization and accounting. This article will help to better understand these processes combined with the power of Public Key Infrastructures. Another important aspect which must be taken more and more into consideration is mobility. Smartphones, tablets, laptops are widespread and used almost by any corporation as a terminal for accessing the company systems. Blackberry came up with e-mail access for all devices. Smartphones went a little bit further allowing to access virtually any web server/service thus allowing even the concept of “working from your mobile phone”.
Polarisation Encoded QKD in Fibre
by Abdul Mirza and Sharmini Pillay
With the advent of the electronic age, the security of data transmissions has become vastly important to the knowledge-based society that presides today. Modern communication systems, that are the cornerstone of information technology, have introduced new dynamics to information security. Data interception, or eavesdropping, is now a realistic threat within current communication networks due to the nature of the technology. Infrastructure such as electronic banking and e-voting are significant advances in technology but both rely heavily on a secure transmission between the transmitter and the intended recipient. To protect sensitive data on the move and prevent the unauthorised removal of the intelligible information, various cryptographic systems (cryptosystems) have been devised.
Designing a Java Cryptography Header
by James H. Wong
When a file is encrypted, digitally signed or both, a Cryptographic header is placed in front of the resulting file and has the following structure. The structure consists of two sections, the header and the encrypted/plain file contents. The header structure contains information required to reverse the encryption process and decrypt the contents of the file or verify the digital signature. The header contains the total length, an ID, version, and two sections containing encryption and digital signature information. Using Java, you can write out the contents of header within a byte stream as well as read it back in