PKCS - PowerPoint PPT Presentation

About This Presentation

Title: PKCS

Provided by: sunsiteCn

Slides: 19

Transcript and Presenter's Notes

1
PKCS #14 Status of Work
Pseudo Random Number Generation
Jan-Ove Larsson, RSA Laboratories Europe, jlarsson@rsasecurity.com
PKCS Workshop '99, Sep 29 - Oct 1, Stockholm, Sweden
2
Outline
  • Motivation for PRNG Standard
  • Design Criteria
  • Building Blocks
  • Set of Operations for PRNG
  • Model for PRNG
  • Basic Security Properties
  • Attacks on PRNGs
  • Algo Proposals

3
Motivation for PRNG Standard
  • Increases Security
  • Complements Other Standards
  • Support to Developers
    - strength, correctness via test vectors
  • Legal Aspects
    - liability in cases of fraud
  • Public Trust
    - home-banking
    - e-commerce
    - other services

4
Design Criteria
  • Build On
    - proven security properties if possible
    - well-studied algorithms and primitives
  • Be Conservative
  • Promote Simplicity
    - better performance, easier to analyse

5
Building Blocks
  • In Accordance With Our Design Criteria We Build the PRNG Using Well-Studied Algorithms and Primitives.
  • There Are Several Possibilities Including
    - Block Ciphers (CBC-MACs)
    - Stream Ciphers
    - Modular Exponentiation Based
    - Cryptographic Hash Functions (HMACs, NMACs)


6
Set of Operations for PRNG
  • State Update from New Seed
  • State Advance after Output Generation
  • Output Generation
  • Save / Restore State
  • Self-Test

7
Model for PRNG
[Block diagram: seed input I, seed blocks X, state update H, internal state S, state advance F, output generation G, output bytes Y]
Variables:
  • I, Input to Seed Array
  • X, Array of Blocks of Seed Bytes
  • Y, Array of Output Bytes
  • S, Internal State
Functions:
  • H, State Update From Seed
  • F, State Advance After Output
  • G, Generation of Output Bytes
8
Basic Security Properties
  • Use Large Seed Blocks
  • Knowledge of Part of Seed Shall Be of No Help For an Adversary
  • Good Seed Usage: Make the State Depend on All Previous Seed
  • Large, Unbiased Internal State
  • Output Shall Pass Randomness Tests
  • Output Shall Be Unpredictable

9
Attacks on PRNGs 1
  • Guessing of Seed
    - Entropy of X_i Needs to Be Large to Prevent an Exhaustive Search Attack.
  • Chosen Seed Input / State Cycle Shortening

[Figure: X_i and Old State enter H, which produces New State]
10
Attacks on PRNGs 2
  • Timing Attacks on State Advance Function
    - Ensure That the Advance Function Takes Constant Time.
    - If That Is Not Possible, Random Delays? Gives Worse Performance!

11
Attacks on PRNGs 3
  • Direct Cryptanalytic Attacks on Output Generation Function
    - Strong Cipher or Preimage Resistant Hash
    - Truncate Output From Output Generation Function

12
Attacks on PRNGs 4
  • Attacks After a Compromise of State
    - Backward Tracking: After a Compromise of State, Try to Determine Previous Outputs.
    - Forward Tracking: After a Compromise of State, Try to Determine Future Outputs.

13
Algo Proposals (due to Bob Baldwin) 1
Cipher Based Single Width Algorithm
  S = Counter Value, C = Counter Increment, K = Encryption Key
  State Update From Seed:
    K = Hash(K || X_i), applied to the K set at initialization
    S = C = Odd(Enc(K, 0))   (K determines the state)
  State Advance after Output:
    S = S + C (mod 2^|S|)
  Output Generation:
    Y_j = Enc(K, S)
14
Algo Proposals 2
Digest Based Single Width Algorithm
  S = Counter Value, C = Counter Increment, K = Secret State
  State Update From Seed:
    K = Hash(K || X_i), applied to the K set at initialization
    S = C = Odd(Hash(K, 0))   (K determines the state)
  State Advance after Output:
    S = S + C (mod 2^|S|)
  Output Generation:
    Y_j = Hash(K || S)
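The single-width digest proposal above, run as code, together with the seed-guessing attack of slide 9 and the backward / forward tracking attacks of slide 12 applied to it. This is an added example written for this page, not code from the slides or from RSA Laboratories. The slides do not fix the hash, the initial K, the encoding of the "0" argument or the counter width; the example assumes SHA-256, an all-zero initial K, a BL-byte zero block, and counter arithmetic modulo 2^(8·BL). The cipher-based variant of slide 13 has the same structure with Enc(K, ·) in place of Hash(K || ·).

```python
# Added example for this page (not code from the PKCS #14 slides or from RSA
# Laboratories): a runnable model of the digest-based single-width proposal
# (slides 13/14) plus the seed-guessing attack of slide 9 and the backward /
# forward tracking attacks of slide 12 run against it.
# Assumptions not fixed by the slides: Hash is SHA-256, "||" is byte
# concatenation, K starts as BL zero bytes, the "0" in Hash(K, 0) is a
# BL-byte zero block, and the counter S is BL bytes wide (mod 2^(8*BL)).
import hashlib

HASH = hashlib.sha256
BL = HASH().digest_size        # hash output length in bytes (32 for SHA-256)
MOD = 1 << (8 * BL)            # counter arithmetic modulo the width of S


def H(*parts: bytes) -> bytes:
    """Hash of the concatenation of its arguments, i.e. Hash(a || b || ...)."""
    return HASH(b"".join(parts)).digest()


def odd(block: bytes) -> int:
    """Odd(): the block as an integer with its low bit forced to 1. An odd
    increment is coprime to 2^n, so S = S + C (mod 2^n) has full period."""
    return int.from_bytes(block, "big") | 1


class SingleWidthDigestPRNG:
    """State (K, S, C): secret K, counter S, counter increment C."""

    def __init__(self):
        self.K = bytes(BL)    # assumption: K is all zero before the first seed
        self.S = 0
        self.C = 1

    def update_from_seed(self, x_i: bytes) -> None:
        """State update from seed: K = Hash(K || X_i); S = C = Odd(Hash(K, 0))."""
        self.K = H(self.K, x_i)
        self.S = self.C = odd(H(self.K, bytes(BL)))

    def advance(self) -> None:
        """State advance after output: S = S + C (mod 2^|S|)."""
        self.S = (self.S + self.C) % MOD

    def output(self) -> bytes:
        """Output generation: Y_j = Hash(K || S), followed by the state advance."""
        y = H(self.K, self.S.to_bytes(BL, "big"))
        self.advance()
        return y


def guess_seed(first_output: bytes, candidates):
    """Slide 9: if X_i is drawn from a small space, replay the seeding for each
    candidate and compare the first output. Returns the matching seed or None."""
    for cand in candidates:
        p = SingleWidthDigestPRNG()
        p.update_from_seed(cand)
        if p.output() == first_output:
            return cand
    return None


def backward_track(K: bytes, S: int, C: int, n: int):
    """Slide 12, backward tracking: from a leaked (K, S, C) the counter step is
    reversed (S - C) and the n previous outputs are recomputed, oldest first."""
    outs = []
    for _ in range(n):
        S = (S - C) % MOD
        outs.append(H(K, S.to_bytes(BL, "big")))
    return outs[::-1]


def forward_track(K: bytes, S: int, C: int, n: int):
    """Slide 12, forward tracking: from a leaked (K, S, C) predict the next n outputs."""
    outs = []
    for _ in range(n):
        outs.append(H(K, S.to_bytes(BL, "big")))
        S = (S + C) % MOD
    return outs


def tracking_demo():
    """Leak the full state after four outputs (constructed scenario) and report
    (past outputs recovered?, next outputs predicted?, prediction survives a reseed?)."""
    prng = SingleWidthDigestPRNG()
    prng.update_from_seed(b"constructed seed block 0")   # constructed sample seed
    past = [prng.output() for _ in range(4)]
    K, S, C = prng.K, prng.S, prng.C                     # attacker obtains the state here
    recovered = backward_track(K, S, C, 4)
    predicted = forward_track(K, S, C, 8)
    actual_next = [prng.output() for _ in range(2)]
    prng.update_from_seed(b"fresh seed after the leak")  # H folds new entropy into K
    after_reseed = prng.output()
    return recovered == past, predicted[:2] == actual_next, after_reseed in predicted
```

tracking_demo() returns (True, True, False): because the state advance S + C is invertible, a leaked (K, S, C) gives every earlier and later output of the same seeding epoch; only the next state update through H, with a seed block the attacker cannot guess, breaks the chain. That is why slide 8 asks for large seed blocks and slide 9 for high entropy in X_i: guess_seed() shows that a small candidate space is recovered from a single output.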
15
Algo Proposals 3
Cipher Based Double Width Algorithm
  KL = Cipher Key Length, BL = Cipher Block Length
  0x20 = Block of BL bytes, each equal to 0x20
  Dmac(K1, K2, S) = Enc(K1, CbcMac(K2, S))
  H2(x) = Dmac(0x20, 0x20, x) || Dmac(0x21, 0x21, x)
16
Algo Proposals 4
Cipher Based Double Width Algorithm (Contd)
  Secret State is (K1, K2)
  State Update From Seed:
    K1 || K2 = H2(K1 || K2 || X_i), applied to the K1 || K2 set at init
    C1 = DMac(K1, K2, 2BL-zeros)
    S = C1 || BL-zeros
    C2 = DMac(K1, K2, S)
    C = S = C1 || C2
    C = Odd(C)
  State Advance after Output:
    S = S + C (mod 2^BL)
  Output Generation:
    Y_j = DMac(K1, K2, S)
17
Algo Proposals 5
Digest Based Double Width Algorithm
  BL = Output Block Length For Digest
  ML = Input Block Length For the Digest Compression Fcn
  H(x) = Digest of x
  Ext(x) = ML-byte value, x padded to the right with 0-bytes
  NMac(K1, K2, S) = H(Ext(K1) || H(Ext(K2) || S))
  H2(K1, K2, x) = Nmac(K1, K2, x) || Nmac(K2, K1, x)
18
Algo Proposals 6
Digest Based Double Width Algorithm (Contd)
  Secret State is (K1, K2)
  State Update From Seed:
    K1 || K2 = H2(K1, K2, X_i), applied to the K1 || K2 set at init
    C1 = NMac(K1, K2, 2BL-zeros)
    S = C1 || BL-zeros
    C2 = NMac(K1, K2, S)
    C = S = C1 || C2
    C = Odd(C)
  State Advance after Output:
    S = S + C (mod 2^BL)
  Output Generation:
    Y_j = NMac(K1, K2, S)
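The digest-based double-width proposal of slides 17 and 18, run as code, with the save / restore operations listed on slide 6. This is an added example written for this page, not code from the slides or from RSA Laboratories. The slides leave the digest, the initial K1 || K2 and the counter width open; the example assumes SHA-256 (BL = 32, ML = 64), initial keys of BL bytes 0x20 and 0x21 (constants borrowed from the cipher variant on slide 15, chosen because with K1 == K2 the two NMac halves of H2 would be identical), and a counter as wide as the 2·BL-byte state.

```python
# Added example for this page (not code from the PKCS #14 slides or from RSA
# Laboratories): a runnable model of the digest-based double-width proposal on
# slides 17/18, with the save / restore operations of slide 6.
# Assumptions not fixed by the slides: the digest is SHA-256 (BL = 32, ML = 64);
# K1 and K2 start as BL bytes of 0x20 and 0x21 (constants borrowed from the
# cipher variant on slide 15; with K1 == K2 the two halves of H2 would be
# identical); and the counter S is 2*BL bytes wide, so the state advance is
# taken modulo 2^(8*2*BL).
import hashlib

HASH = hashlib.sha256
BL = HASH().digest_size      # output block length of the digest
ML = HASH().block_size       # input block length of the compression function
MOD = 1 << (8 * 2 * BL)      # assumption: counter width equals the 2*BL-byte state


def H(x: bytes) -> bytes:
    """H(x): digest of x."""
    return HASH(x).digest()


def ext(x: bytes) -> bytes:
    """Ext(x): x padded to the right with 0-bytes to an ML-byte value."""
    if len(x) > ML:
        raise ValueError("Ext() input exceeds the compression-function block")
    return x + bytes(ML - len(x))


def nmac(k1: bytes, k2: bytes, s: bytes) -> bytes:
    """NMac(K1, K2, S) = H(Ext(K1) || H(Ext(K2) || S))."""
    return H(ext(k1) + H(ext(k2) + s))


def h2(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """H2(K1, K2, x) = NMac(K1, K2, x) || NMac(K2, K1, x): a 2*BL-byte value."""
    return nmac(k1, k2, x) + nmac(k2, k1, x)


def odd(block: bytes) -> int:
    """Odd(): the block as an integer with its low bit forced to 1."""
    return int.from_bytes(block, "big") | 1


class DoubleWidthDigestPRNG:
    """Secret state (K1, K2); counter S and increment C are derived from it."""

    def __init__(self):
        self.K1 = bytes([0x20]) * BL   # assumption: initial K1
        self.K2 = bytes([0x21]) * BL   # assumption: initial K2
        self.S = 0
        self.C = 1

    def update_from_seed(self, x_i: bytes) -> None:
        """State update from seed, step by step as on slide 18."""
        k = h2(self.K1, self.K2, x_i)                # K1 || K2 = H2(K1, K2, X_i)
        self.K1, self.K2 = k[:BL], k[BL:]
        c1 = nmac(self.K1, self.K2, bytes(2 * BL))   # C1 = NMac(K1, K2, 2BL-zeros)
        s = c1 + bytes(BL)                           # S  = C1 || BL-zeros
        c2 = nmac(self.K1, self.K2, s)               # C2 = NMac(K1, K2, S)
        c = c1 + c2                                  # C = S = C1 || C2
        self.S = int.from_bytes(c, "big")
        self.C = odd(c)                              # C = Odd(C)

    def advance(self) -> None:
        """State advance after output: S = S + C modulo the counter width."""
        self.S = (self.S + self.C) % MOD

    def output(self) -> bytes:
        """Output generation: Y_j = NMac(K1, K2, S), then advance."""
        y = nmac(self.K1, self.K2, self.S.to_bytes(2 * BL, "big"))
        self.advance()
        return y

    def save_state(self) -> dict:
        """Save state (slide 6): everything needed to resume the same sequence."""
        return {"K1": self.K1, "K2": self.K2, "S": self.S, "C": self.C}

    @classmethod
    def restore_state(cls, saved: dict) -> "DoubleWidthDigestPRNG":
        """Restore state (slide 6) from a dict produced by save_state()."""
        p = cls()
        p.K1, p.K2, p.S, p.C = saved["K1"], saved["K2"], saved["S"], saved["C"]
        return p
```

A restored state continues the exact output sequence of the instance it was saved from, which is the point of the operation and also the caveat: a saved state is as sensitive as the secret (K1, K2), and restoring it twice, or without a fresh seed update, replays outputs.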