Observability Analysis - Detecting When Improved Cryptosystems Fail
In this paper we show that, paradoxically, what looks like a "universal improvement" or a "straightforward improvement", one that enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous "improvements". This implies that careful consideration should be given to the fact that an implemented cryptosystem exists within a particular operational environment, which may enable certain types of tampering and other observable information channels via faults, side-channel attacks or the behavior of system operators. We use our case studies to draw conclusions about the investigations required when studying implementations and suggested improvements of cryptosystems, looking at them in the context of their operating environments (combined with their potential adversarial settings). We call these investigations observability analysis.
Keywords: Security analysis, observability, cryptanalysis, implementations, side-channel attacks, fault analysis, robustness, cryptosystems