Category Archives: Cryptography

Study on the lifecycle of cryptographic algorithms 2017

This year we have ordered and will publish cryptographic algorithms life cycle report in parts. The first part is now available.

The first and the most important chapter gives overview of the current state of algorithms.

The second chapter writes about the cryptographic side of the last fall ID card crisis. The report describes what happened, what was done and how on the cryptographic side the new solution (elliptic curves) for ID cards works.

The third chapter gives overview of block-chain technologies and in addition provides Estonian-language terminology for block-chain related English terms.

The report has been ordered by RIA and written by Cybernetica researchers Ahto Buldas, Jan Willemson and Arne Ansper.

Links:
https://blog.ria.ee/ria-kruptouuring-id-kaart-ja-plokiahelad/
https://www.ria.ee/public/RIA/kruptograafiliste_algoritmide_elutsukli_uuring_2017.pdf
https://geenius.ee/uudis/nsa-usub-et-eesti-id-kaart-peaks-vastu-pidama-ka-kvantarvuti-runnakule/

Estonian cryptographer rejects claims of being Bitcoin’s creator

Los Angeles lawyer Justin Sobaje is convinced that Helger Lipmaa, senior researcher of the University of Tartu’s computer science institute, is Satoshi Nakamoto – the creator of bitcoin, and says he has analyses and studies that prove it.

Sobaje writes that he is convinced – based on an article in which Nakamoto first describes the nature of bitcoin – that the author or authors of the piece had to have been experts of timestamping technology and hash trees. That is the focus of Helger Lipmaa’s doctoral thesis and scientific papers published in the late 1990s. Lipmaa has cited another two articles the original creator of the bitcoin also cites on his homepage. Conclusion: Lipmaa knows five out of eight articles.

Sobaje continues: “Satoshi was an experienced C++ programmer. Lipmaa created timestamping software while working at Cybernetica.” He lists the years Lipmaa spent working for the company until two years before the birth of bitcoin. How was the name Satoshi Nakamoto created? Sobaje has found three Japanese cryptographers mentioned on Lipmaa’s website – Satoshi Obana, Junko Nakajima, Takeshi Okamoto – and concludes that the name of the world’s most wanted man is a combination of the three.

Helger Lipmaa, commenting on the matter to Postimees, rejects the idea. “I’m certainly not Satoshi and I don’t understand how he got to my name of all things,” he said, adding that bitcoin’s original creator wasn’t a cryptographer.

Professor of software science at the Tallinn University of Technology Ahto Buldas, who worked with Lipmaa on timestamping technology in the late 1990s, laughs out loud when told an American lawyer believes Lipmaa to be Nakamoto. “The number of scientists that worked on it at the time was not great, while there are other candidates for Nakamoto. I don’t want to say that Lipmaa is not Satoshi Nakamoto; even though I don’t really believe it, it cannot be ruled out either,” he says. “We could all have been Nakamotos.

This could be a potential topic for BSc/MSc thesis, to use open source intelligence to verify if there is some correlation between public activities of Satoshi and Helger/Ahto.

Links:
https://news.err.ee/652328/estonian-cryptographer-rejects-claims-alleging-he-created-bitcoin
https://news.postimees.ee/4365547/hunt-for-the-world-s-most-wanted-man-reaches-estonia
http://novaator.err.ee/648962/tartu-ulikooli-vorguteenused-sattusid-pahatahtliku-runnaku-alla

 

Smart-ID paper: Server-Supported RSA Signatures for Mobile Devices

Abstract
We propose a new method for shared RSA signing between the user and the server so that: (a) the server alone is unable to create valid signatures; (b) having the client’s share, it is not possible to create a signature without the server; (c) the server detects cloned client’s shares and blocks the service; (d) having the password-encrypted client’s share, the dictionary attacks cannot be performed without alerting the server; (e) the composite RSA signature “looks like” an ordinary RSA signature and verifies with standard crypto-libraries. We use a modification of the four-prime RSA scheme of Damgård, Mikkelsen and Skeltved from 2015, where the client and the server have independent RSA private keys. As their scheme is vulnerable to dictionary attacks, in our scheme, the client’s RSA private exponent is additively shared between server and client. Our scheme has been deployed and has over 200,000 users.

The paper was published in proceedings of the conference ESORICS 2017, Oslo, Norway, September 11-15, 2017.

The paper contains several pages of cryptographic proofs. The RSA key generation involves “l-safe” primes, which is not a standard practice in generating RSA primes. This is worrisome, especially after it became known that the flaw in ID card was caused by other instance of nonstandard RSA prime generation.

Links:
https://link.springer.com/chapter/10.1007/978-3-319-66402-6_19

RSA 2048-bit keys in Estonian ID cards issued after October 2014 are factorizable

On September 5, 2017, Estonian Information System Authority (RIA) informed about a security risk in ID cards:

On 30 August, an international team of researchers informed the Information System Authority (RIA) of a security risk affecting ID-cards issued in Estonia since October 2014 (including cards issued to e-residents), i.e. about 750,000 cards altogether. ID-cards issued before 16 October 2014 have a different chip and are not affected by this risk.

Now we have more details:

The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation. [..] To boost performance, the Infineon library constructs the keys’ underlying prime numbers in a way that makes the keys prone to a process known as factorization. When generated properly, an RSA key with 2048 bits should require several quadrillion years—or hundreds of thousands of times the age of the universe—to be factorized with a general-purpose computer. Factorizing a 2048-bit RSA key generated with the faulty Infineon library, by contrast, takes [..] no more than 17 days and $40,300 using a 1,000-instance machine on Amazon Web Service. On average, it would require half the cost and time to factorize the affected keys. All that’s required is passing the public key through an extension of what’s known as Coppersmith’s Attack.

The researchers examined keys used in electronic identity cards issued by four countries and quickly found two—Estonia and Slovakia—were issuing documents with fingerprinted keys, both of which were 2048 bits in length, making them practically factorizable.[..] While it has closed its public key database, Estonian government officials have also announced plans to rotate all keys to a format that’s not vulnerable, starting in November.

Details from Infineon:

Due to application-specific requirements, it is common practice to employ acceleration algorithms in order to generate key pairs, especially if time resources are sparse. Infineon also utilizes such an acceleration algorithm in time-restricted cases, called “Fast Prime”. [..] The foundations of “Fast Prime” date back to the year 2000. Its use started around ten years later after thorough reviews. [..] this software function was certified by the BSI (Federal Office for Information Security) in Germany. No mathematical weaknesses were known, nor have been discovered during the certification processes. Recently, a research team from the of the Masaryk University, Czech Republic, developed advanced mathematical methods to analyze and exploit weaknesses in acceleration algorithms for prime number selection.

In a way these findings are a blessing for the practical security of Estonian eID. Up to now, at least publicly the chip of Estonian ID card was presumed infallible, and if someone approached these issues in the risk analysis, it was considered a heresy.

There are several lessons to be learned on different levels of management. The current practice of the plain hope that the vendor of the unauditable chip will get it right, may not be a sustainable approach for the state which so heavily relies on the secrecy of the private keys held therein.

Links:
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
https://www.ria.ee/en/possible-security-vulnerability-detected-in-the-estonian-id-card-chip.html
https://www.ria.ee/en/id-cards-affected-by-the-security-risk-can-be-renewed-from-november.html
http://news.postimees.ee/4258645/e-scare-cure-found-in-weeks
http://news.err.ee/634222/cracking-of-one-id-card-would-require-estonia-to-deactivate-750-000-cards
http://news.err.ee/619703/ria-recommends-state-officials-use-mobile-id-to-minimize-security-risks
http://news.err.ee/616732/potential-security-risk-could-affect-750-000-estonian-id-cards
http://news.err.ee/634560/estonia-to-provide-670-000-in-support-for-mobile-id-access-development
http://tehnika.postimees.ee/4243153/id-kaardi-tootja-oleme-eesti-vastu-kohtus-aga-teeme-turvariski-parast-koostood
https://geenius.ee/uudis/id-kaardi-vea-avastanud-teadlane-geeniusele-meid-ullatas-kui-tosiselt-eestis-seda-voeti/
http://www.err.ee/631731/hanso-id-kaardi-turvaprobleemid-saavad-uueks-aastaks-lahendatud

University of Tartu is looking for professor of cryptography

Vacancy: UT, Institute of Computer Science, Professor of Cryptography
Duties and responsibilities: Development of curricula and courses in Cryptography. Teaching subjects related to Cryptography. Supervision of PhD and Master students. Successful application for research grants, administration of them and performing the research required under the grants. See also job description.
Required qualifications: PhD or an equivalent qualification in the relevant field See also requirements for teaching and research staff.
Required experience: Teaching experience at the university level, experience in supervising Master and PhD students. Administrative and research competence needed to provide the leadership in organising research.
Required language skills: Excellent command of English. Knowledge of Estonian is desirable but not essential.
Workload 1,00; and the classroom teaching load at least 128 academic hours per calendar year
Salary According to UT salary rules, depending on the candidate’s qualification and the level of experience. See also UT salary rules.
Starting at 01.01.2018
Deadline: 03.08.2017

Position fields can be interpreted rather broadly. Cryptography classic and quantum, post-quantum; privacy preserving data mining; privacy and security; new technologies like blockchain; from theoretical to more applied backgrounds. It is important to have a broad view of the field in order to be able to help our curriculum development goals as well as lead research in broad spectrum with many smaller more independent groups. Cryptography has been one of University of Tartu and Estonian ICT sector strongholds, many opportunities for local collaborations exist and could be developed.

Appointments will be for indefinite contracts, i.e. at immediately “tenured” level, with standard performance reviews every 5 years. Since university rules are flexible, internationally competitive levels can be negotiated dependent on ability to attract funding, international collaborations, visibility, etc.

Links:
http://www.ut.ee/en/welcome/job-offer/professor-cryptography

Estonian delegation answers to EU encryption questionnaire

Council of the European Union has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings. These are the answers from the Estonian delegation obtained by a public information request:

1. How often do you encounter encryption in your operational activities and while gathering
electronic evidence/evidence in cyber space in the course of criminal procedures?
o often (in many cases)

2. What are the main types of encryption mostly encountered during criminal investigations
in cyberspace?
o HTTPS, TOR, P2P / I2P, e-communications (through applications such as Skype, WhatsApp, Facebook, etc.)
o offline encryption – encrypted digital devices (mobile phone / tablet /computer), encrypting applications (TrueCrypt / VeraCrypt / DiskCryptor, etc)

3. Under your national law, is there an obligation for the suspects or accused, or persons who
are in possession of a device/e-data relevant for the criminal proceedings, or any other person to provide law enforcement authorities with encryption keys/passwords?
o No. Pursuant to Article 215 of the Criminal Procedure Code, investigative authorities and prosecutor’s offices can order the production of data from any person. Suspect and accused person do not have to disclose encyption keys/passwords.

5. Under your national law, is it possible to intercept/monitor encrypted data flow to obtain
decrypted data for the purposes of criminal proceedings? If so, is a judicial order (from a
prosecutor or a judge) required?
o Yes. §126.7. Wire-tapping or covert observation of information.

8. Do you consider that your current national law allows sufficiently effective securing of e-evidence when encrypted?
o Yes. Current legislation to gather evidence can be considered sufficient. The challenges related to encryption as more or less of technical nature.

10. In your view, will measures in this regard need to be adopted at EU level in the future?
o practical (e. g. development of practical tools for police and judicial authorities)
o improve exchange of information and best practices between police and judicial authorities
o create conditions for improving technical expertise at EU level

Basically, Estonian delegation answer can be read as “not interested in EU-level crypto backdoors”. Which is good, but could have been said more explicitly.

There are positive signs on EU-level for opposing legislation for backdoors:

Andrus Ansip, the Commission vice president in charge of the EU’s technology policies, has said he opposes laws that force companies to create backdoors to weaken encryption.

Europol, the EU law enforcement agency, and ENISA, the agency in charge of cybersecurity, signed an agreement in May opposing laws that strongarm firms into providing backdoors.

Links:
https://www.asktheeu.org/en/request/3347/response/11727/attach/5/Encryption%20questionnaire%20ESTONIA.pdf
https://www.techdirt.com/articles/20161127/18352736140/encryption-survey-indicates-law-enforcement-feels-behind-tech-curve-is-willing-to-create-backdoors-to-catch-up.shtml
http://www.euractiv.com/section/social-europe-jobs/news/five-member-states-want-eu-wide-laws-on-encryption/

PhD thesis: “Efficient non-interactive zero-knowledge protocols in the CRS model”

Prastudy Mungkas Fauzi PhD thesis: “Efficient non-interactive zero-knowledge protocols in the CRS model”
Defense date: 17.02.2017 – 14:15 (J. Liivi 2-405, Tartu, Estonia)

Thesis supervisor: Lead Research Fellow Helger Lipmaa (Institute of Computer Science, UT)

Opponents:
Associate Professor Ivan Visconti (University of Salerno, Italy);
Dr Carla Ràfols Salvador (University of Pompeu Fabra, Barcelona, Spain)

Summary:
In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting. In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model.

Links:
http://www.ut.ee/en/events/prastudy-mungkas-fauzi-efficient-non-interactive-zero-knowledge-protocols-crs-model

The head of SMIT’s security department Tiit Hallas gives public lecture on cryptography

tiit-hallas

The public lecture will be held in the building of the IT College, Raja 4C, auditorium 314, Tuesday, October 18, at 13:00. The public lecture will also be broadcast live on the website of the IT College.

The main purpose of Tiit Hallas public lecture is to answer various question on the topic. Tiit will talk about cryptography related terms, describe the overall level of how cryptography works and the need for cryptography to ensure the security. Tiit has promised to bring sophisticated content to listeners as simply
and understandably as possible.

Tiit Hallas has worked in information security for over eight years in both public and private sector and has gained plenty of practical as well as theoretical experience in the field. He has a BA in Information System Development from IT College and an MSc in Cyber Security from Tallinn University of Technology. As well as delivering lectures and talks on the subject, Tiit is involved with Information Security in his daily work as the Head of Information Security at the IT and Development Centre of the Ministry of the Interior, where he not only manages staff but is also engaged with finding solutions to practical information security issues.

The lecture will be in Estonian.

Links:
http://www.itcollege.ee/blog/2016/10/12/smiti-infoturbeosakonna-juhataja-tiit-hallas-peab-kuberturvalisuse-kuu-raames-it-kolledzis-avaliku-loengu-kruptograafiast/
https://www.youtube.com/watch?v=KLhbaSRjz2s

Study on the lifecycle of cryptographic algorithms 2016

cybernetica_ria_crypto_algorithms_report

This study is a natural continuation of three previous studies conducted in 2011, 2013 and 2015. The fourth version of cryptographic algorithms life cycle study published on June 9, has more than 10 authors and has 163 reference source. The 2016 report is the first one in its sequence to be written in English, because the study is unique on a global scale, and the previous versions has been of great international interest.

The foreword of the report has been written by Anto Veldre:

The Dutch DigiNotar case in 2011 demonstrated the hard choices a country faces if a PKI supporting its government’s IT systems is compromised. [..] Therefore, it was decided in 2011 to assemble a scientific task force to analyse the problems and risks that reliance on cryptography is posing on the sustainable functioning of our society.

Among the usual topics in cryptography, there is quite revealing section “Cryptographic protocols over radio connection”. For example, there the authors find that Estonian public transportation cards are vulnerable to various kinds of Denial of Service and cloning attacks:

The transportation cards in Tallinn are built on MIFARE Classic, whereas in Tartu MIFARE Ultralight C cards are used. However, even though both of the cards support cryptographic authentication, this functionality is not used. In both cases, the protocol running between the card and the reader is essentially the same, consisting of transmitting the card’s unique ID and a signature. [..] While this measure prevents unauthorised parties from issuing new cards, it does not stop the card cloning attack. [..] Cloning a card that carries a monthly ticket causes direct financial loss to the transportation service provider and must hence be urgently addressed.

Even though the ID fields of transportation cards are not writeable, other fields may be. This is for example the case with Tartu bus cards that allow e.g. the signature field to be overwritten by a standard app working on a regular NFC-capable smartphone. As a result, the card will become invalid, giving us a potential Denial of Service attack.

The report analyzes different radio frequency card technologies used for physical access control.  There are many problems – transparency issues, use of weak cryptography or no cryptography at all. The authors have also interviewed Hardmeier and G4S to study deployment issues. Some of the deployment issues revealed are quite disturbing:

Interview with a company installing NFC-based access control systems revealed that it is common practice to use same keys also in several installations, making e.g. door keys of one company work at the door of another company, too.

Links:
https://www.ria.ee/public/RIA/Cryptographic_Algorithms_Lifecycle_Report_2016.pdf
https://www.ria.ee/ee/eriik-2018-valmis-2016-aasta-kruptograafiliste-algoritmide-elutsukli-uuring.html
https://blog.ria.ee/ria-aastakonverentsi-i-sessiooni-otseblogi/

Cybersecurity related bachelor’s and master’s theses in University of Tartu 2015/2016

university_of_tartu_logo

Defense committee: Dominique Unruh (chairman), Siim Karus, Vitaly Skachek, Dirk Oliver Theis, Raimundas Matulevicius.

A Cost-Effective Approach to Key Management in Online Voting Scenarios
Abstract: Since smart cards both offer reasonable prices and expose an API for development, this document evaluates different approaches to implement threshold encryption over smart cards to support an electoral process.
Student: Sergio Andrés Figueroa Santos
Curriculum: NordSecMob (MSc)
Supervisor: Sven Heiberg, Helger Lipmaa, Tuomas Aura
Reviewer: Ivo Kubjas
Defense: 02.06.2016, 09:00, Liivi 2-405

Revision of Security Risk-oriented Patterns for Distributed Systems
Abstract: In this thesis, we target the secure system development problem by suggesting application of security risk-oriented patterns. The applicability of these security risk-oriented patterns is validated on business processes from aviation turnaround system.
Student: Silver Samarütel
Curriculum: Software Engineering (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Alexander Horst Norta
Defense: 02.06.2016, 09:00, Liivi 2-405

Role Based Access Control as SecureUML Model in Web Applications Development with Spring Security
Abstract: In order to support and simplify the model-driven approach for a web application development with Spring platform, realization of a concept plugin for Eclipse IDE is proposed. This plugin supports the recognition of Spring Security notations with capability to visualize the RBAC model on top of them.
Student: Andrey Sergeev
Curriculum: Cyber Security (MSc)
Supervisor: Raimundas Matulevicius
Reviewer: Henri Lakk
Defense: 02.06.2016, 09:00, Liivi 2-405

Secure and Efficient Mix-Nets
Abstract: This thesis studies a zero-knowledge shuffle argument proposed by J. Furukawa in 2005. Firstly, we provide a more detailed and easily readable description of the shuffle and shuffle-decryption zero-knowledge protocols than in the original paper. Secondly, we provide two new characterizations of a permutation matrix and two simple modifications of the shuffle protocol that reduce the computational complexity.
Student: Janno Siim
Curriculum: Computer Science (MSc)
Supervisor: Helger Lipmaa
Reviewer: Sven Laur
Defense: 02.06.2016, 09:00, Liivi 2-405

A Comprehensive Protocol Suite for Secure Two-Party Computation
Abstract: In some scenarios, a two-party model is a better fit when no natural third party is involved in the application. In this work, we design and implement a full protocol suite for two-party computations on Sharemind, providing an alternative and viable solution in such cases.
Student: Sander Siim
Curriculum: Computer Science (MSc)
Supervisor: Dan Bogdanov, Pille Pullonen
Reviewer: Dominique Unruh
Defense: 06.06.2016, 09:00, Liivi 2-405

An improved type system for a privacy-aware programming language and its practical applications
Abstract: he goal of this thesis is to make it easier to add protection domain kinds to the SecreC language by allowing the programmer to define the protection domain kind data types, arithmetic operations and type conversions in the SecreC language without changing the compiler.
Student: Ville Sokk
Curriculum: Computer Science (MSc)
Supervisor: Dan Bogdanov, Jaak Randmets
Reviewer: Vesal Vojdani
Defense: 06.06.2016, 09:00, Liivi 2-405

Energy Harvesting in Cooperative Communications
Abstract: Energy harvesting (EH) is a crucial technology for a variety of wireless systems that have limited access to a reliable electricity supply or recharging sources. In this thesis, the design of a multiple access relay system (MARS) using EH is considered.
Student: Akashkumar Rajaram
Curriculum: Cyber Security (MSc)
Supervisor: Nalin Jayakody, Vitaly Skachek
Reviewer: Bin Chen
Defense: 06.06.2016, 09:00, Liivi 2-405

Security of Eduroam Passwords
Abstract: The University of Tartu has decided that the university’s eduroam accounts will share the same user credentials as the rest of the university’s services. This could potentially be abused by exploiting weaknesses in wireless security in order to gain access to a user’s university account. The aim of this research was to uncover any such weaknesses.
Student: Raul-Martin Rebane
Curriculum: Computer Science (BSc)
Supervisor: Dominique Unruh
Reviewer: Meelis Roos
Defense: 06.06.2016, 09:00, Liivi 2-405

Applying a Security Testing Methodology: a Case Study
Abstract: This thesis aims to describe and apply a process necessary to verify the security of a web application. A checklist of security requirements was gathered combining OWASP ASVS web application security standard and OWASP Top Ten project.
Student: Karin Klooster
Curriculum: Computer Science (BSc)
Supervisor: Meelis Roos, Margus Freudenthal
Reviewer: Kritjan Krips
Defense: 08.06.2016

Word frequency based log analysis
Abstract: The purpose of this bachelor thesis is to explore if you can use word frequency based analysis for log files and find interesting events without knowing the log structure.
Student: Karl Lääts
Curriculum: Computer Science (BSc)
Supervisor: Meelis Roos
Reviewer: Artjom Lind
Defense: 08.06.2016

Randomly Distributed PIN Code Input Layout
Abstract: This thesis examines the possibility of reducing the visual security breach of PIN code input by randomising the input field.
Student: Rain Tõugjas
Curriculum: Computer Science (BSc)
Supervisor: Tauno Palts, Kristjan Krips
Reviewer:
Defense: 08.2016

Smart Home Hacking
Abstract: This work investigates the security and privacy issues found at an emerging smart home technology such as the CoSSMic platform.
Student: Suela Kodra
Curriculum: NordSecMob (MSc)
Supervisor: Danilo Gligoroski, Marie Moe, Dominique Unruh
Reviewer: Raimundas Matulevičius
Defense: 18.08.2016, 09:30, Liivi 2-403

Cache-Timing Techniques: Exploiting the DSA Algorithm
Abstract: This work explains some of the cache-timing techniques commonly used to exploit vulnerable software. Using a particular combination of techniques and exploiting a vulnerability found in the implementation of the DSA signature scheme in the OpenSSL shared library, a cache-timing attack is performed against the DSA’s sliding window exponentiation algorithm.
Student: Cesar Pereida Garcia
Curriculum: NordSecMob (MSc)
Supervisor: Billy Bob Brumley, Dominique Unruh, N. Asokan
Reviewer: Arnis Paršovs
Defense: 26.08.2016, 11:00, Liivi 2-403

Links:
https://comserv.cs.ut.ee/ati_thesis/index.php?year=2016
http://www.cs.ut.ee/sites/default/files/2016/loput88d/Kaitsmiste%20ajakava.pdf