Cryptography in Theory and Practice: The Case of Encryption in IPsec

Paterson, Kenneth G.; Yau, Arnold K. L.

doi:10.1007/11761679_2

Cited by 33 publications

(28 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, problems relating to IPsec support for encryption-only modes of the Encapsulating Security Payload (ESP) protocol seems conceptually similar; a comprehensive overview and resulting attack is given by Paterson and Yau [29]. One can conjecture that the motivation for encryption-only ESP, like ephemeral-static ECDH, is efficiency.…”

Section: Discussionmentioning

confidence: 99%

Practical Realisation and Elimination of an ECC-Related Software Bug Attack

Brumley

Barbosa

Page

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We analyse and exploit implementation features in OpenSSL version 0.9.8g which permit an attack against ECDH-based functionality. The attack, although more general, can recover the entire (static) private key from an associated SSL server via 633 adaptive queries when the NIST curve P-256 is used. One can view it as a software-oriented analogue of the bug attack concept due to Biham et al. and, consequently, as the first bug attack to be successfully applied against a real-world system. In addition to the attack and a posteriori countermeasures, we show that formal verification, while rarely used at present, is a viable means of detecting the features which the attack hinges on. Based on the security implications of the attack and the extra justification posed by the possibility of intentionally incorrect implementations in collaborative software development, we conclude that applying and extending the coverage of formal verification to augment existing test strategies for OpenSSL-like software should be deemed a worthwhile, long-term challenge.

show abstract

Section: Discussionmentioning

confidence: 99%

Practical Realisation and Elimination of an ECC-Related Software Bug Attack

Brumley

Barbosa

Page

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…An interesting case is that of encryption-only-mode of IPsec, for which Paterson and Yau [5] exploited CBC mode of encryption. Their attacks work if an implementation does not follow the standard strictly.…”

Section: Related Workmentioning

confidence: 99%

“…In Setup-(a), I obtains the term {iv 2 For instance, in an attack on IPsec [5] that is based on address rewriting, the first phase of the attack succeeds with a probability of 2 −17 , due to a specific block alignment of IPsec. This means that an attacker may have to repeat the first phase 2 17 times in order to succeed.…”

Section: Nssk With Cbc Mode Of Encryptionmentioning

confidence: 99%

See 1 more Smart Citation

Towards Symbolic Encryption Schemes

Ahmed¹,

Jensen²,

Zenner

2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Symbolic encryption, in the style of Dolev-Yao models, is ubiquitous in formal security models. In its common use, encryption on a whole message is specified as a single monolithic block. From a cryptographic perspective, however, this may require a resource-intensive cryptographic algorithm, namely an authenticated encryption scheme that is secure under chosen ciphertext attack. Therefore, many reasonable encryption schemes, such as AES in the CBC or CFB mode 1 , are not among the implementation options.In this paper, we report new attacks on CBC and CFB based implementations of the well-known Needham-Schroeder and Denning-Sacco protocols. To avoid such problems, we advocate the use of refined notions of symbolic encryption that have natural correspondence to standard cryptographic encryption schemes.

show abstract

“…Some other padding schemes leading to decryption attacks have been identified (see e.g. [2,5,7,11]). …”

Section: Introductionmentioning

confidence: 99%

On Hiding a Plaintext Length by Preencryption

Tezcan

Vaudenay

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. It is a well known fact that encryption schemes cannot hide a plaintext length when it is unbounded. We thus admit that an approximation of it may leak and we focus on hiding its precise value. Some standards such as TLS or SSH offer to do it by applying some pad-then-encrypt techniques. In this study, we investigate the information leakage when these techniques are used. We define the notion of padding scheme and its associated security. We show that when a padding length is uniformly distributed, the scheme is nearly optimal. We also show that the insecurity degrades linearly with the padding length.

show abstract

Cryptography in Theory and Practice: The Case of Encryption in IPsec

Cited by 33 publications

References 26 publications

Practical Realisation and Elimination of an ECC-Related Software Bug Attack

Practical Realisation and Elimination of an ECC-Related Software Bug Attack

Towards Symbolic Encryption Schemes

On Hiding a Plaintext Length by Preencryption

Contact Info

Product

Resources

About