Table of contents

  • This session has been presented December 03, 2021.

Description

  • Speaker

    Daniel De Almeida Braga - Université Rennes 1

Protocols for password-based authenticated key exchange (PAKE) allow two users sharing only a short, low-entropy password to establish a secure session with a cryptographically strong key. The challenge in designing such protocols is that they must resist offline dictionary attacks in which an attacker exhaustively enumerates the dictionary of likely passwords in an attempt to match the used password. In this paper, we study the resilience of one particular PAKE against these attacks. Indeed, we focus on the Secure Remote Password (SRP) protocol that was designed by T. Wu in 1998. Despite its lack of formal security proof, SRP has become a de-facto standard. For more than 20 years, many projects have turned towards SRP for their authentication solution, thanks to the availability of open-source implementations with no restrictive licenses. Of particular interest, we mention the Stanford reference implementation (in C and Java) and the OpenSSL one (in C).<br/> In this work, we analyze the security of the SRP implementation inside the OpenSSL library. In particular, we identify that this implementation is vulnerable to offline dictionary attacks. Indeed, we exploit a call for a function computing modular exponentiation of big numbers in OpenSSL. In the SRP protocol, this function leads to the call of a non-constant time function, thereby leaking some information about the used password when leveraging cache-based Flush+Reload timing attack. Then, we show that our attack is practical, since it only requires one single trace, despite the noise of cache measurements. In addition, the attack is quite efficient as the reduction of some common dictionaries is very fast using modern resources at negligible cost. We also prove that the scope of our vulnerability is not only limited to OpenSSL, since many other projects, including Stanford's, ProtonMail and Apple Homekit, rely on OpenSSL, which makes them vulnerable. We find that our flaw might also impact projects written in Python, Erlang, JavaScript and Ruby, as long as they load the OpenSSL dynamic library for their big number operations. We disclosed our attack to OpenSSL who acknowledged the attack and timely fixed the vulnerability.<br/> lien: https://univ-rennes1-fr.zoom.us/j/97066341266?pwd=RUthOFV5cm1uT0ZCQVh6QUcrb1drQT09

Next sessions

  • Efficient zero-knowledge proofs and arguments in the CL framework

    • March 07, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Agathe Beaugrand - Institut de Mathématiques de Bordeaux

    The CL encryption scheme, proposed in 2015 by Castagnos and Laguillaumie, is a linearly homomorphic encryption scheme, based on class groups of imaginary quadratic fields. The specificity of these groups is that their order is hard to compute, which means it can be considered unknown. This particularity, while being key in the security of the scheme, brings technical challenges in working with CL,[…]

  • Constant-time lattice reduction for SQIsign

    • March 14, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Sina Schaeffler - IBM Research

    SQIsign is an isogeny-based signature scheme which has recently advanced to round 2 of NIST's call for additional post-quantum signatures. A central operation in SQIsign is lattice reduction of special full-rank lattices in dimension 4. As these input lattices are secret, this computation must be protected against side-channel attacks. However, known lattice reduction algorithms like the famous[…]

  • Circuit optimisation problems in the context of homomorphic encryption

    • March 21, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Sergiu Carpov - Arcium

    Fully homomorphic encryption (FHE) is an encryption scheme that enables the direct execution of arbitrary computations on encrypted data. The first generation of FHE schemes began with Gentry's groundbreaking work in 2019. It relies on a technique called bootstrapping, which reduces noise in FHE ciphertexts. This construction theoretically enables the execution of any arithmetic circuit, but[…]

  • Cycles of pairing-friendly abelian varieties

    • March 28, 2025 (13:45 - 14:45)

    • Salle Guernesey, ISTIC

    Speaker : Maria Corte-Real Santos - ENS Lyon

    A promising avenue for realising scalable proof systems relies on the existence of 2-cycles of pairing-friendly elliptic curves. More specifically, such a cycle consists of two elliptic curves E/Fp and E’/Fq that both have a low embedding degree and also satisfy q = #E(Fp) and p = #E’(Fq). These constraints turn out to be rather restrictive; in the decade that has passed since 2-cycles were first[…]

    • Cryptography

  • Journées C2

    • April 04, 2025 (00:00 - 18:00)

    • Pornichet

Show previous sessions
Page top