On October 2000, the National Institute of Standards and Technology
has announced that Rijndael is going to be the Advanced Encryption
Standard. Its fast implementation, its suitability to wide range
of platforms, and its design criteria seemed to ensure that
Rijndael as the AES is the last cipher we will ever need.
Up until recently all cryptanalytic attempts at AES were far
from worrying. Namely, the best known attacks on AES could not
even convincibly break reduced-round version of AES (even given
amazingly high and improbable data/time/memory complexities).
However, since the beginning of 2009, a series of attacks on
the full AES-256 and AES-192 were shown. These attacks can not
only find the key used in AES-256 and AES-192, but also pose
a security threat to the case where AES-256 is used as the building
block of a compression function. Along with the practical-complexity
attacks (2^45 data and time) on reduced-round AES-256, there
is some uncertainty concerning AES' security.
In this talk we shall cover the recent results on AES, and concentrate
on the recent practical-complexity attacks, as well as the implications
of these results on the everyday user.
דר' כרמית חזאי, מכון ויצמן למדע והמרכז הבינתחומי
On Compression of Data Encrypted with Block Ciphers
Traditionally in communication systems, data from a source is
first compressed and then encrypted before it is transmitted
over a channel to the receiver. While in many cases this approach
is befitting, there exist scenarios where there is a need to
reverse the order in which data encryption and compression are
performed. Still, it was long believed that encrypted data is
In a surprising result, Johnson et al. broke this paradigm and
show that the problem of compressing one-time pad encrypted
data translates to the problem of compressing correlated sources,
which was solved by Slepian and Wolf. Specifically, compression
is practically achievable due to a simple symbol-wise correlation
between the key (one-time pad) and the encrypted message.
However, when such correlation is more complex, as is the case
with block ciphers, the approach to Slepian-Wolf coding utilized
by Jonson et al. is not directly applicable.
We investigate the problem of compression encrypted data where
the encryption procedure utilizes block ciphers such as the
Advanced Encryption Standard (AES) and Data Encryption Standard
(DES). We show that such data can be feasibly compressed without
knowledge of the secret key. We consider block ciphers operating
in various chaining modes and show how compression can be achieved
without compromising the security of the encryption scheme.
Furthermore, we show that there exists a fundamental limitation
to the practical compressibility of block ciphers when no chaining
is used between blocks.
Joint work with Demijan Klinc, Ashish Jagmohan, Hugo Krawczyk,
and Tal Rabin.
דר' אלון רוזן, המרכז הבינתחומי
Cryptographic Elections - Challenges and Opportunities
Advances in computer technology have created the illusion that
electronic means would bring us closer to achieving improved
voting systems. However, if not designed properly, electronic
elections carry more risk than reward. The core of the problem
is that computers cannot be trusted, both because of malicious
software, and because code verification is effectively infeasible.
Needless to say that this reduces the trust in the result of
the election, and may have disastrous consequences.
In this talk I will survey the saga of electronic elections
in the United States, and use it to motivate the concept of
"software independence" (Rivest and Wack '06). I will then report
on the status of electronic elections in Israel, and conclude
by describing how modern cryptographic techniques can be harnessed
in order to implement election mechanisms that enable both public
verifiability and ballot secrecy. This is a combination that
is not known to be achievable by other means.
דר' דן צפריר, הטכניון
Portably Preventing File Race Attacks with User-Mode Path Resolution
The filesystem API of contemporary systems exposes programs to TOCTTOU (time of check to time of use) race-condition vulnerabilities, which occur between pairs of check/use system calls that involve a name of a file. Existing solutions either help programmers to detect such races (by pinpointing their location) or prevent them altogether (by altering the operating system). But the latter alternative is not prevalent and the former is just the first step: programmers must still address TOCTTOU flaws within the limits of the existing API with which several important tasks can not be safely accomplished in a portable straightforward manner. Recent attacks further worsen the problem by allowing adversaries to deterministically win races and thereby refuting the common perception that the risk is small. In the face of this threat, we develop a new algorithm that allows programmers to effectively aggregate a vulnerable pair of distinct system calls into a single operation that is executed "atomically".
This is achieved by emulating one basic kernel functionality in user mode: the filepath resolution. The surprisingly simple resulting algorithm constitutes a portable, deterministic solution to a large class of TOCTTOU vulnerabilities, without requiring modifications to the underlying operating system.
Program obfuscation is the art of writing programs in a way
that renders the code unintelligible even to parties that can
run it. Long the exclusive domain of heuristics and "programming
tricks", program obfuscation has recently become the focus of
more rigorous and comprehensive study. On the one hand, the
study points to new and exciting applications of program obfuscation,
such as secure cloud computing, trustworthy implementation of
economic mechanisms, and privacy preserving public databases.
On the other hand, some strong impossiblity results come about.
Above all, however, program obfuscation emerges as an intriguing
and mostly uncharted research territory.
פרופ' אבישי וול, אוניברסיטת תל-אביב
RFID-Based Electronic Voting: What Could Possibly Go Wrong?
When Israel's Ministry of Internal Affairs decided to move to electronic voting, it chose to replace the traditional paper ballot with secure contactless smartcards. The system was designed around HF RFID technology to make voting stations easier to use and less prone to mechanical faults. However, in doing so the system was exposed to a powerful class of hardware-based attacks called relay attacks, which can extend the interrogation range of HF RFID tags far beyond the nominal range of 5 centimeters. We show how a low-budget adversary armed with a relay device can read out all votes already cast into the ballot box, suppress the votes of one or several voters, rewrite votes at will and even completely disqualify all votes in a single voting station.
Our attacks are easy to mount, very difficult to detect, and compromise both the confidentiality and the integrity of the election system.