The summer of OAEP
These are some of the papers to be presented at Crypto 2001 in August[1]:

A Chosen Ciphertext Attack On RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized In PKCS #1
James Manger

OAEP Reconsidered
Victor Shoup

RSA--OAEP is Secure Under the RSA Assumption
Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval and Jacques Stern

Simplified OAEP for the RSA and Rabin Functions
Dan Boneh

Shoup's abstract[2] reads:

The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way.

This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure.

The paper also presents a new scheme OAEP+ along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction.

It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out - essentially by accident, rather than by design - that RSA-OAEP is secure in the random oracle model; however this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
The Fujisaki, et al abstract[3] reads:

Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.

[1] http://www.iacr.org/conferences/c2001/accept.html
[2] http://shoup.net/papers/oaep.ps.Z
[3] http://cgi.di.ens.fr/cgi-bin/pointche/papers.html?FuOkPoSt00

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
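All four papers above are about the OAEP padding layer, and Manger's title points at the PKCS #1 standardization of it in particular. As an added example (not from the post or from any of the papers), here is the EME-OAEP padding layer written out in Python along the lines of PKCS#1 v2.1 (RFC 3447, section 7.1). SHA-256 and MGF1 are assumed parameter choices, and the RSA primitive that would wrap the encoded block is left out so the code runs stand-alone. The decoder folds every check (leading byte, label hash, separator) into one flag and scans the whole data block without an early exit, so a caller sees a single "decoding error" result rather than learning which check failed.

```python
"""EME-OAEP padding (PKCS#1 v2.1 / RFC 3447 sec. 7.1), padding layer only.

Assumptions (not taken from the page): SHA-256 as the hash, MGF1 as the mask
generation function, and no RSA primitive around the encoded block.
"""
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 3447, B.2.1): concatenate hash(seed || counter) blocks, truncate."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def max_message_len(k: int) -> int:
    """Largest message (in bytes) that fits in a k-byte modulus with this hash."""
    return k - 2 * H_LEN - 2


def oaep_encode(message: bytes, k: int, label: bytes = b"",
                seed: Optional[bytes] = None) -> bytes:
    """Return the k-byte encoded block EM = 0x00 || maskedSeed || maskedDB.

    `seed` is normally H_LEN fresh random bytes; passing one explicitly exists
    only for reproducible tests (OAEP needs a fresh seed for every encryption).
    """
    if len(message) > max_message_len(k):
        raise ValueError("message too long for this modulus size")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (max_message_len(k) - len(message))
    db = l_hash + ps + b"\x01" + message  # DB = lHash || PS || 0x01 || M
    if seed is None:
        seed = os.urandom(H_LEN)
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> Optional[bytes]:
    """Recover M from EM, or return None on any failure.

    All checks are accumulated into one flag and the data block is scanned
    without early exit, so the caller cannot tell which check failed. (That
    removes the distinguishable error paths; it does not make the Python
    loop itself constant-time.)
    """
    if len(em) != k or k < 2 * H_LEN + 2:
        return None
    l_hash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    bad = (y != 0) | (not hmac.compare_digest(db[:H_LEN], l_hash))
    rest = db[H_LEN:]
    found = False
    sep = 0
    for i, b in enumerate(rest):
        if not found and b != 0:  # first non-zero byte must be the 0x01 separator
            found, sep = True, i
            bad |= (b != 1)
    bad |= not found
    return None if bad else rest[sep + 1:]


if __name__ == "__main__":
    K = 128  # byte length of a 1024-bit modulus (constructed example size)
    block = oaep_encode(b"attack at dawn", K)
    print(len(block), oaep_decode(block, K))
    print(oaep_decode(block, K, label=b"wrong label"))  # None: single failure value
```

In a real deployment the encoded block is fed to the RSA primitive as an integer, and the decryptor runs `oaep_decode` on the result; the point to carry over is that the decoder's only externally visible outcomes are "message" and "error".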
Re: WAS: Thermal Imaging Decision Applicable to TEMPEST?
David Koontz wrote:

>Is the average person susceptible to TEMPEST attacks?

[And more on TEMPEST techniques.]

Probably most people are not subject to TEMPEST attacks in the same way they are not in need of crypto. And as crypto protection gets built in to consumer products as understanding for the need increases, it is probable that similar protection against TEMPEST will be built into common devices -- as David noted, this will likely come through regulations of EMI, with lucrative add-ons for "mil-grade" protection.

In the meantime, again as with crypto, those at highest risk are most definitely seeking TEMPEST protection as they learn of the capability of intelligence agencies and their commercial emulators to pry into a wide range of confidential affairs. So say TEMPEST protection marketers.

Well-to-do persons are buying TEMPEST protection products after being advised by financial and security consultants to do so, and they want "mil-grade" stuff to protect against the justice and tax investigators chasing them from country to country, often helped by intel, even mil-intel, snoops. Drug kingpins are not the only buyers.

Sellers of TEMPEST products and services claim there is a huge market, domestic and foreign, for their offerings, which is hampered by export regs, again like crypto. Export approvals go through processes similar to those of crypto a few years back -- submit your product/service, and wait for an answer, but not receive precise requirements beforehand. NSA does the crucial review. Some suspect that analysis of weaknesses of the products is being done for future application. TEMPEST customers ask about this possibility and what could be done about it. And if not satisfied they go looking to other countries for products.
Global persons are especially fearful of TEMPEST by their own countries as well as the US -- whom they suspect of cooperating with law and tax agencies worldwide through burgeoning law enforcement and intelligence-sharing treaties along with export control regimes.

I also notice that more gov/mil advertisements for security services and products now list TEMPEST requirements right alongside encryption. Once the TEMPEST requirements were confidential, as were those for encryption.

The TEMPEST industry is booming, relatively speaking, and looks hungrily at the crypto liberation model. The dribs and drabs we get out of NSA are lapped up as if myrrh, not for what they reveal but for what they portend could be coming. Snake-oilers are rushing to reshape promo materials to fit what is being FOIA-ed.

Now, what's coming next in secret comsec technology as the defense industry goes after mass markets, scaring customers, selling them salvation?
WAS: Thermal Imaging Decision Applicable to TEMPEST?
Is the average person susceptible to TEMPEST attacks?

"Arnold G. Reinhold" wrote:
>
> TEMPEST is not shut down by any means. This decision applies to homes
> and places where there is a reasonable expectation of privacy (like
> a phone booth). The status of computers in offices, cars, and public
> places is less clear. Your data stored on someone else's computer
> outside your home is apparently not protected (they got Kyllo's
> electric bills legally without a warrant). In any event, the NSA can
> still use TEMPEST against foreign nationals and overseas, the FBI can
> use it against US nationals with a warrant, and the government can,
> de facto, use it secretly, as many people believe they now use
> wiretapping, to develop information that leads to other evidence that
> is admissible.
>

TEMPEST is the control of compromising emanations - the prevention of secrets leaking out. Contrast this with FCC or EN regulations for EMI, and the difference is separating secret from not-secret information - RED/BLACK separation.

Not having looked at any of the NACS*M documents on John Young's site, and not having seen them for almost 30 years otherwise, one emphasis you see is on frequency content of emissions. The FCC specs start at a frequency where you could interfere with CB radios. Changes in the last decade or so, driven by the Europeans to eliminate such things as power factor flicker on lights caused by the motor in your laser printer, have greatly added to how well protected the equipment is that we buy today. The major concerns are low frequency stuff, meeting EMI integrity in installation (actually using properly shielded cables and the like), and maintaining RED/BLACK separation.

One could hypothesize that so much of TEMPEST has been declassified because it is essentially covered by FCC and EN regulations. If you look at modern military grade crypto gear designed for office use, it appears to be similar in design to COTS electronics.
Looking through some of the more recent Air Force manuals on John Young's site you see an emphasis on controlling accidental emissions - decoupled phones when on hook, no transmitters or devices that could generate RF in secure facilities, and the like. There is a specification on his site that originates from the CIA (which controls security compartmentalized information) that essentially relaxes physical EMI protections. You can build a SCIF without copper mesh in the walls today. An important element is physical separation (distance) between any attacker and equipment that can radiate (at mandated reduced levels).

That's not to say that the average computer user can't run up against (knowingly or unknowingly) a problem they can't cure. How would the average guy deal with coupling between an ethernet cable and a phone line? Guess what, if you adhere to what you read in the manuals you can be more likely to be immune from monitoring than not - the difference is that unless you do it, no one is going to do an RF sweep of your home or office.

(I recall getting a trouble call while in the Air Force from a civilian contractor at a classified location. Seems their Gold phone (a secure phone system with link encryption to a small central switch) was receiving radio station AM 610 whenever the handset was offhook. Something very embarrassing, to say the least, for a phone intended for SCI. Turns out there was a ground loop on an audio cable to the phone set, and a cold solder joint acting as a rectifier - an accidental crystal radio. We cured this by rote examination of the installation against guidelines (at least to find the ground loop). Several years later I happened across the same phenomenon in a video game while working for a video arcade game company - same radio station, too.)

Today I design digital equipment that operates in the gigahertz and up range - as will most computers in the next year or two.
There is an additional barrier to monitoring digital microwave rate signals. The equipment is terribly expensive, and out of budgetary range of all but private corporations and national governments.

--
remove "no_spam_" from Reply-to address
Re: tapping undersea fibers?
At 12:55 PM 06/04/2001 -0400, Lenny Foner wrote:
>So we now have at least two people who've confirmed my expectation,
>namely that one can feasibly encrypt the entire cable. (After all,
>I know what's involved in making fast, special-purpose chips to do
>various sorts of digital operations, and this isn't any different.)

I'm not particularly convinced of this - there's OC12 hardware available now (622Mbps, aka 12 T3s plus overhead), but most telco fibers run at multiples of OC48 or OC192 (48 or 192 T3s, aka 2.4 or 10 Gbps). Some cables run small numbers of wavelengths - often 8-16 of one of those two speeds, but some of the newer fiber technology can run 80 or 160 wavelengths if you want to buy the electronics to put on the ends.

As a telco, your end users may be able to encrypt their data streams fast enough, if they care, but you're not going to. It costs way too much, and there's no demand. And as Lenny mentions - politicians, intelligence agencies, etc., aren't stopped by telco-provided encryption, because what a telco can encrypt, a bureaucrat can tell them to decrypt.
Re: secure phone (was Re: Starium...)
At 07:51 AM 6/7/01 +0800, Enzo Michelangeli wrote:
>If you do that, you inherit the drawbacks of TCP for real time
>communications: a single packet lost may disrupt the communication for a

I've looked at PGPfone source, it uses UDP, as it should.
Re: Thermal Imaging Decision Applicable to TEMPEST?
>"Is thermal imaging more like going through your garbage (which courts
>have allowed) or more like looking into your window with a high-powered
>telescope (for which courts generally require a warrant)?"

off the top of my head, i'd have to say that anyone *intelligent* would be able to see that this is simply "different equipment for seeing things that are in a different part of the electromagnetic spectrum". telescopes are for seeing visual light through things that permit it (windows and doors). thermal imaging equipment is for seeing "heat" through things that permit it (walls, etc). no?

--
|-< "CODE WARRIOR" >-|
[EMAIL PROTECTED] * "ah! i see you have the internet
[EMAIL PROTECTED] (Andrew Brown)                that goes *ping*!"
[EMAIL PROTECTED] * "information is power -- share the wealth."
Re: Thermal Imaging Decision Applicable to TEMPEST?
At 8:57 AM -0700 6/12/2001, John Young wrote:
>The Supreme Court's decision against thermal imaging appears
>to be applicable to TEMPEST emissions from electronic devices.
>And is it not a first against this most threatening vulnerability
>in the digital age? And long overdue.
>
>Remote acquisition of electronic emissions, say from outside a
>home, are not currently prohibited by law as far as I know. And
>the language of the thermal imaging decision makes it applicable
>to any technology not commonly in use.
>
>...

This decision (Kyllo v. US) is important and very welcome, but I am not sure you are right about the prior status of TEMPEST. There was an earlier decision (Katz v. US, 1967), cited in the Kyllo decision, that "involved eavesdropping by means of an electronic listening device placed on the outside of a phone booth." The court held back then that doing this without a warrant violated the Fourth Amendment. I can't see how this would fail to apply to TEMPEST.

TEMPEST is not shut down by any means. This decision applies to homes and places where there is a reasonable expectation of privacy (like a phone booth). The status of computers in offices, cars, and public places is less clear. Your data stored on someone else's computer outside your home is apparently not protected (they got Kyllo's electric bills legally without a warrant). In any event, the NSA can still use TEMPEST against foreign nationals and overseas, the FBI can use it against US nationals with a warrant, and the government can, de facto, use it secretly, as many people believe they now use wiretapping, to develop information that leads to other evidence that is admissible.

The other interesting thing about Kyllo is that the Court clearly needed the help of a good physicist. If you read the oral arguments,

http://www.supremecourtus.gov/oral_arguments/argument_transcripts/99-8508.pdf

you'll see that no one in the court had a basic understanding of the science.
The case involved a bust for growing marijuana. The police had obtained Kyllo's electric bills (no warrant required) and found he used a lot of power. Since power usage varies a lot among houses, this was not considered sufficient to get a search warrant. They then used the thermal imager. The government claimed they only used the imager to verify that a lot of heat was being produced in the house. No one pointed out that, except for highly unlikely circumstances (e.g. someone running a lighthouse or charging a LOT of batteries in the basement), essentially all the electricity consumed by a house is converted to heat. Discovering that the house radiated a lot of heat added no new information to what the utility bills said. The defense claimed it was the presence of specific hot spots in the image that made the warrant issuable and that these revealed what was happening inside the house.

There is also some physically unrealistic stuff in the dissenting opinion. Justice Stevens suggests that "the rare homeowner who wishes to engage in uncommon activities that produce a large amount of heat [can] make sure that the surrounding area is well insulated." Unless the homeowner is planning to set her house on fire, that won't work. The heat has to escape somewhere. A system that spread the heat so evenly that a thermal imager couldn't detect the source is far beyond the abilities of a homeowner to construct.

This is a great science and law case.

Arnold Reinhold