This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE’19) and AEAD schemes (IMACC’19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme for symmetric encryption and public key encryption, or the verification algorithm for an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We consider practical considerations and specific conditions that apply for particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.
相似文献 |
|||||||
|
|||||||
|
共查询到20条相似文献,搜索用时 31 毫秒
1.
Armour Marcel Poettering Bertram 《International Journal of Information Security》2022,21(5):1027-1050
2.
In hybrid public key encryption (PKE), first a key encapsulation mechanism (KEM) is used to fix a random session key that is then fed into a highly efficient data encapsulation mechanism (DEM) to encrypt the actual message. A well-known composition theorem states that if both the KEM and the DEM have a high enough level of security (i.e., security against chosen-ciphertext attacks), then so does the hybrid PKE scheme. It is not known if these strong security requirements on the KEM and DEM are also necessary, nor if such general composition theorems exist for weaker levels of security.Using six different security notions for KEMs, 10 for DEMs, and six for PKE schemes, we completely characterize in this work which combinations lead to a secure hybrid PKE scheme (by proving a composition theorem) and which do not (by providing counterexamples). Furthermore, as an independent result, we revisit and extend prior work on the relations among security notions for KEMs and DEMs. 相似文献
3.
安全高效的公钥加密算法是信息系统安全的重要保障技术,文中利用陷门承诺函数的思想实现对密文完整性的保护,由此在标准模型下给出一个可证明适应性选择密文攻击安全的公钥加密算法.新算法与著名的CS98公钥加密算法相比公钥参数数量减少20%,私钥参数减少80%;与BMW05公钥加密算法比较,公、私钥参数数量大为减少且安全规约效率... 相似文献
4.
主要研究标准模型下基于证书的加密方案(certificate-based encryption,简称CBE)的通用构造,并给出了两个实现方案.首先,以IND-CCA2安全的公钥加密方案、IND-ID-CCA安全的基于身份的加密方案以及强一次性签名方案这3种密码学原型为组件提出了第一个CBE方案的通用构造,并在标准模型下证明了其安全性;其次,针对强一次性签名方案存在的一些问题,以强一次性消息认证码代替一次性签名方案,提出了另一个通用构造.与前者相比,第二个通用构造的性能得到了明显的优化. 相似文献
5.
带关键字搜索的公钥加密(PEKS)是一种有用的加密原语,它允许用户将在加密数据上搜索的功能委托给不可信的第三方服务器,而不影响原始数据的安全性和隐私性。但是,由于缺乏对于数据的加密以及解密能力,PEKS方案不能单独进行使用,必须与标准的公钥加密方案(PKE)相结合。因此,Baek等人在2006年引入了一种新的加密原语,称为结合PKE和PEKS的加密方案(PKE+PEKS),它同时提供了PKE和PEKS的功能。目前,已有文献提出了几种PKE+PEKS方案。然而,他们都没有考虑关键字猜测攻击的问题。本文提出一个新的高效且能够抵抗关键字猜测攻击的PKE+PEKS方案,与已有方案相比,该方案在性能上有很大的提升,并且在生成关键字和数据密文时,不需要使用双线性对,极大地降低了计算和存储成本。安全性分析表明,本文中所提出的方案能够满足密文隐私安全性、陷门不可区分性和抗关键字猜测攻击的安全性。效率分析表明,本分提出的方案更加高效。 相似文献
6.
We present a new primitive of randomized message-locked encryption (MLE) in this paper and define a new security model for it. The new primitive, named message-locked encryption3 (hereafter referred as MLE3), is actually a variant of randomized message-locked encryption (Bellare et al. Eurocrypt’13). In order to prevent trivial attacks, our primitive admits a semi-trusted server, which is allowed to hold a secret key of public key encryption (PKE), to verify the correctness of a tag. The new security notion, called privacy chosen-distribution attacks3 (PRV-CDA3), requires that a ciphertext generated by encrypting an unpredictable message and another ciphertext (possible invalid) chosen randomly from a ciphertext space are indistinguishable. Compared with the priori proposed security notion, privacy chosen-distribution attacks (PRV-CDA) (Bellare et al. Eurocrypt’13), which requires that two ciphertexts generated by encrypting two unpredictable messages are indistinguishable, the security notion we propose is much stronger. Based on the new primitive, under the blackbox reductions, we put forward a novel construction which achieves both privacy chosen-distribution attacks3 (PRV-CDA3) and strong tag consistency (STC) securities in the standard model via universal computational extractors (UCEs) (Bellare et al. Crypto’13). In addition, our scheme also provides the validity-testing for ciphertext. 相似文献
7.
Xiao-yuan Yang Li-qiang Wu Min-qing Zhang Xiao-Feng Chen 《Computers & Mathematics with Applications》2013,65(9):1254-1263
We first construct an efficient IND-sID-CPA secure IBE cryptosystem from ideal lattices, and proceed with its security proof under the standard model in detail. Then with an asymptotically efficient strongly unforgeable one-time signature, we propose a new CCA secure public key encryption (PKE) scheme over ideal lattices by universal paradigm of IBE transformation. Performance of the resulting PKE system is very close to the underlying IBE scheme and its security can be tightly reduced to decisional R-LWE hardness assumption. Compared with known CCA secure PKE schemes from standard lattices, our new scheme is simpler and more efficient. 相似文献
8.
9.
以Shamir的门限秘密共享方案和对称密码算法为基础,基于椭圆曲线上的双线性变换提出了一个具有多个解密者的单方加密-多方解密公钥加密方案.在该方案中,消息发送者具有一个唯一的加密密钥,而每个消息接收者都具有不同的解密密钥.使用加密密钥所加密的密文可以被任意解密密钥所解密,得到同样的明文信息.分析发现,该加密方案不仅安全有效,同时,它还具备前向保密性,即使加密者的主密钥泄露,也不会影响之前加密信息的安全性.文中方案具有非常重要的应用价值,尤其可以用来实现安全广播/组播和会议密钥的安全分发. 相似文献
10.
闫浩 《单片机与嵌入式系统应用》2011,11(3):65-68
市场上车门无钥匙进入(Passive Keyless Entry,PKE)系统成本高、种类少、应用灵活度低,大部分汽车无法配备.本文在AES加密算法的基础上,提出了一种类似于滚动加密算法(KEELOQ)的通信安全协议,并应用于无钥匙进入系统,既降低了成本,又保证了通信安全,且更具灵活性. 相似文献
11.
12.
13.
在分簇的无线传感器网络中,簇内节点经常进行组播,为保证报文和节点信息的安全性,设计一种高效的组密钥管理方案。该方案采用改进的基于身份的广播加密算法,计算初始组密钥与更新节点退出时的组密钥,减少广播报文的长度,降低传输能耗。利用能耗较小的对称加密算法,加入新节点与更新密钥生命期结束时的组密钥。该方案可以抵抗同谋攻击、仿冒攻击。安全性分析结果表明,在相同的安全标准下,与EGKAS方案相比,该方案占用存储空间更小,能耗更低,且节点存储及组密钥更新开销与群组大小无关,具有良好的扩展性。 相似文献
14.
陈志明 《计算机应用与软件》2005,22(2):82-84,144
本文提出了Elgamal加密算法的一种改进算法,这种改进算法的特点是可以实现成泉序列密码一样逐比特地进行加解密,被加密消息可以任意比特长;本文还通过改进算法和原Elgamal算法的对比分析,讨论了改进算法的安全性,加解密速度、密文扩展、消息块长度的灵活性,同时对Elgamal加密算法及改进算法的随机数的位数对安全性的影响作了讨论,提出了算法中对随机数选取的安全性要求。 相似文献
15.
基于MD5的迭代冗余加密算法 总被引:7,自引:0,他引:7
MD5报文摘要算法是一种非常流行的加密方案,是对任意长度的消息提取数字指纹或消息摘要的算法,但是,在计算上难以提供两个具有相同数字指纹的不同消息,并难以由给定的数字指纹推算出相应的消息.基于MD5的迭代冗余加密算法对MD5算法进行了扩展,利用了MD5算法的强大安全性,实现了文件加密、解密和数据完整性保护的功能. 相似文献
16.
17.
宁多彪 《计算机工程与应用》2016,52(17):107-111
如何设计标准模型下满足适应性选择密文安全(IND-CCA2)的高效加密方案,是公钥密码学领域的一个重要研究课题。基于判定型双线性Diffie-Hellman问题,提出了一个高效、短公/私钥长度、强安全的,基于对称加密算法、消息认证码算法、密钥分割算法等基础算法的一次一密型混合加密方案,分析了方案的安全性和效率。方案在标准模型下被证明具有IND-CCA2安全性,支持公开的密文完整性验证,与同类方案相比计算效率高。 相似文献
18.
为了提高RSA公钥算法在消息加密过程中的安全性,在深入分析传统RSA算法的基础上,对其进行一些改进性研究,提出了一种比传统RSA算法更加有效的方法优化其安全性。在将传统RSA改进为四素数RSA的基础上,再运用数学变换进行参数替换,消除了在公钥中对传输两个随机素数的乘积n的需要,引入了一个新的参数x代替原参数n。针对改进后的算法在运算效率方面的不足,采用中国剩余定理( Chinese remainder theorem,CRT)优化大数模幂运算。实验结果证实了改进算法的可行性,为通过公钥加密消息发送和接收提供了更安全的路径;同时,对改进算法与传统RSA 和四素数RSA算法的解密(签名)时间进行比较分析。实验结果表明改进后的算法对消息发送方和接收方之间签名效率也有一定程度的优化。 相似文献
19.
随着“坚强智能电网”、“泛在电力物联网”等战略的部署和发展建设,大量的电力采集设备、机器人、监控摄像头应用在配网作业场景中。因此,针对配网终端数量多和配网作业环境复杂多样化等因素,如何设计合适的通信架构对于保证配网数据的安全稳定传输尤为重要。首先,本文基于当前流行的物联网平台通信协议MQTT、CoAP和HTTP,从多个方面进行对比分析,并设计了一种新颖的配电物联网通信架构。进一步,针对安全性要求,我们基于国密SM4提出MQTT- SM4掩码辅助加密算法对配电物联网信息进行加密传输,通过会话密钥协商获取所需的掩码密钥和消息密钥,并协同计算出轮密钥用于加密。通过对MQTT- SM4掩码辅助加密算法进行加密测试和安全分析,仿真结果表明,本文设计方案能够有效提高配电物联网通信安全性和稳定性。 相似文献
20.
Chung Ki Li 《Information Sciences》2010,180(4):549-4050
We propose a new generic construction for signcryption and show that it is secure under the security models which are comparable to the security against adaptive chosen ciphertext attacks for public key encryption and the existential unforgeability against chosen message attacks for signature. In particular, the security models also capture the notion of insider security. The generic construction relies on the existence of a special class of efficient public key encryption schemes which allow the encryption randomness to be recovered during decryption. We also propose two efficient instantiations for the generic construction and show that one of them has less message expansion and yields smaller ciphertext when compared with all the existing signcryption schemes. 相似文献
|
| 设为首页 | 免责声明 | 关于勤云 | 加入收藏 |
|
Copyright©北京勤云科技发展有限公司 京ICP备09084417号 |