J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories RSA Laboratories Certco
J. Håstad J. Jakobsson A. Juels M. Yung Funkspiel Schemes: An Alternative to Conventional Tamper Resistance Royal Inst. of Technology, Stockholm RSA Laboratories.
Dec 20, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
J. HåstadJ. JakobssonA. JuelsM. Yung
Funkspiel Schemes:An Alternative to Conventional Tamper
Resistance
Royal Inst. of Technology, Stockholm RSA LaboratoriesRSA LaboratoriesCertco
Captured by Germans, along with radio and three message/ciphertext pairs
Lauwers worked as radio operator for SOE, British underground during WW II
Germans sought to mount “Funkspiel”, i.e., pass false messages to SOE
Lauwers
SOE made use of a kind of MAC
Subverting the Funkspiel Germans demanded to know “MAC” Lauwers had been instructed to introduce an error into 16th letter
of every message as “MAC” Lauwers made clever observation about his three messages:
…………....stop…..Message 1:
Message 2: …………....stop…..
Message 3: ………….……..…..
o
o
u
e
Claimed that “MAC” involved corruption of ‘o’ in stop
16th letter
Subverting the Funkspiel
Germans were deceived Allies were deceived
Modern cryptographer’s view
Alice Bob
Eve (Enemy)
Funkspiel scheme
Alice Bob
Eve
Step 1: Alice sends messages to Bob
Alice Bob
Eve
message1, MAC (message1)message2, MAC (message2)message3, MAC (message3)
Step 2: Alice changes key (maybe)
Alice
Step 3: Eve steals Alice’s key
Alice
Step 4: Eve impersonates Alice
BobEve
“I love you”, MAC (“I love you”)
Step 5: Bob determines whether Alice changed key
MAC (“I love you”)
She loves me?
She loves me not?
What do we want?
Eve can’t tell whether Alice changed key– Even though Eve has seen MAC(message1),
MAC(message2),...
Bob can tell whether Alice changed key
Related work
Forward-secure signature schemes– Attacker knows that key evolves
Distress PIN– No security against eavesdropper
Deniable encryption
A funkspiel scheme
MAC key 0:
MAC key 1:
0 1 1 0 1 0 1 0 0 0 1 1 1 00 1 1 11 1 0 0 0 1 1
Problems: We need one bit for every MAC;
Eve can cheat with small probability
???
Another funkspiel scheme (simplified)
Problem: What if Eve sees Bob’s keying material?
She can forge a MAC
h h
???
??
Asymmetric funkspiel scheme
PKA
SKA
PKB
SKB
EPK_B(SigSK_A[message])PKA
SKA
???
Asymmetric funkspiel scheme
Semantically secure encryption (e.g., El Gamal) ensures that Eve can’t test signature against SK
Key swap for Alice under El Gamal is efficient, e.g., she can randomize last 100 bits
If Eve sees Bob’s keys, she still can’t forge MAC
Scheme is less efficient than symmetric ones
Real-world funkspiel
Alice changes key when she senses Eve is attempting to break in (no coin flipping)
Bob tries to determine whether Alice sent “distress signal”, i.e., changed key
What this good for? Tamper resistant hardware
– Currently uses “zeroization”
– Funkspiel schemes permit detection and tracing – Funkspiel schemes can give false sense of
security or success to attacker– E.g., cash card
What this good for? A honeypot with more sting
Honeypot
Open issues
Power consumption– Many devices have only external power– What about DPA attacks?
How about, e.g., firewalls?
Questions?
She loves me?
She loves me not?
Related Documents
![1 Tight Hardness Results for Some Approximation Problems [mostly Håstad] Adi Akavia Dana Moshkovitz S. Safra.](https://static.cupdf.com/doc/110x72/56649d5e5503460f94a3d717/1-tight-hardness-results-for-some-approximation-problems-mostly-hastad-adi.jpg)
![1 Tight Hardness Results for Some Approximation Problems [Raz,Håstad,...] Adi Akavia Dana Moshkovitz & Ricky Rosen S. Safra.](https://static.cupdf.com/doc/110x72/56649d3e5503460f94a16776/1-tight-hardness-results-for-some-approximation-problems-razhastad.jpg)
