Engineering Cryptographic Applications

Day 4:
Cryptographic
Future
David Evans
University of Virginia
www.cs.virginia.edu...
Cryptographic Future

Published on October 25, 2013

Day 4 (of 4) of mini-course on Engineering Cryptographic Applications held at AMC Theater Tyson's Corner for Microstrategy, Inc. See http://www.mightbeevil.com/crypto for details.

Published in: Technology, Education
  • Circuit structure is small and can be reused; each GT can be used only once. Significance: 1) allows GC to easily scale to arbitrary problem size; 2) indirectly improves time efficiency.
  • People have done this before. What’s new here is achieving the performance and scalability needed for realistic problems.
  • Cryptographic Future

    1. Engineering Cryptographic Applications. Day 4: Cryptographic Future. David Evans, University of Virginia, www.cs.virginia.edu/evans. Microstrategy Course, 25 October 2013.
    2. Story So Far. Day 1: Symmetric Ciphers (diagram: Plaintext → Encrypt → Ciphertext across an Insecure Channel → Decrypt → Plaintext, with the same Key at both ends): Kerckhoffs’ Principle, Cryptanalysis, AES. Day 2: Using Symmetric Encryption: Generating Keys (Dual-EC PRNG), Cipher Modes (CTR), Storing Passwords (diagram: Nonce || Counter values 00000000 and 00000001 pass through AES under key k to produce block 1 and block 2). [Slide footer, repeated on every slide and omitted below: evans@virginia.edu, Engineering Crypto Applications, slide number.]
    3. Day 3: Public Key Protocols. Asymmetric Ciphers: RSA, ECC. Key Agreement. Digital Signatures (diagram: Message → H → E under KR_B gives the Signed Message; the verifier applies D under KU_B and checks that the result equals H(Message)). Certificates. TLS/SSL. petitions.gov.
    4. Recap. Day 1: Symmetric Ciphers: AES; Sending Secret Messages. Day 2: Using Symmetric Encryption: PRNG, CTR; Encrypting Long Messages. Day 3: Public-Key Protocols: D-H, RSA, ECC; Key Agreement, Signatures; TLS/SSL; Establishing Secure Connections. Things everyone in the developed and semi-developed world is using hundreds of times a day!
    5. Today: Glimpses Into “Future”. Biometrics. Secure Multi-Party Computation. Automated Protocol Testing. Things that are only starting to be used outside of research labs (other than biometrics).
    6. Biometrics.
    7. Appeal of Biometrics. Convenient and Easy: nothing to remember or lose. Humans like to feel unique. Seems cool and futuristic.
    8. “iPhone 5s introduces Touch ID, an innovative way to simply and securely unlock your iPhone with just the touch of a finger. Built into the home button, Touch ID uses a laser cut sapphire crystal, together with the capacitive touch sensor, to take a high-resolution image of your fingerprint and intelligently analyze it to provide accurate readings from any angle.”
    9. (Repeats the Touch ID quote from slide 8.)
    10. (Image slide.)
    11. (Image slide.)
    12. Voiceprints?
    13. “My Voice is My Passport”
    14. Meaningful Security Requires Secrets. Biometrics may be okay for identification: “Touch ID” (not “Touch Password”). Biometrics cannot be secret (and may not even be that unique).
    15. “Secure-Against-Your-Spouse” Security. (Three authentication methods compared side by side; captions: “Breakable by anyone in seconds” and “Breakable by sophisticated adversary in a few hours”.)
    16. “Secure-Against-Your-Spouse” Security (continued). Biometrics are fine for identification and security against weak, unmotivated adversaries. Danger is that they give users a false sense of security.
    17. Private Biometrics. (Photo: flickr cc: didbygraham.)
    18. (Image slide.)
    19. (De)Motivating Application: “Genetic Dating”. Alice and Bob run a Genome Compatibility Protocol; each side is shown either “Your offspring will have good immune systems!” or “WARNING! Don’t Reproduce”.
    20. Link.
    21. (Image slide.)
    22. Cost to sequence human genome (chart, log scale from $100,000,000 down to $1,000, Aug 2001 to Feb 2013) compared with the Moore’s Law prediction (halve every 18 months); the Ion Torrent Personal Genome Machine is marked near the bottom of the curve.
    23. Human Genome Sequencing Using Unchained Base Reads on Self-Assembling DNA Nanoarrays. Radoje Drmanac, Andrew B. Sparks, Matthew J. Callow, Aaron L. Halpern, Norman L. Burns, Bahram G. Kermani, Paolo Carnevali, Igor Nazarenko, Geoffrey B. Nilsen, George Yeung, Fredrik Dahl, Andres Fernandez, Bryan Staker, Krishna P. Pant, Jonathan Baccash, Adam P. Borcherding, Anushka Brownley, Ryan Cedeno, Linsu Chen, Dan Chernikoff, Alex Cheung, Razvan Chirita, Benjamin Curson, Jessica C. Ebert, Coleen R. Hacker, Robert Hartlage, Brian Hauser, Steve Huang, Yuan Jiang, Vitali Karpinchyk, Mark Koenig, Calvin Kong, Tom Landers, Catherine Le, Jia Liu, Celeste E. McBride, Matt Morenzoni, Robert E. Morey, Karl Mutch, Helena Perazich, Kimberly Perry, Brock A. Peters, Joe Peterson, Charit L. Pethiyagoda, Kaliprasad Pothuraju, Claudia Richter, Abraham M. Rosenbaum, Shaunak Roy, Jay Shafto, Uladzislau Sharanhovich, Karen W. Shannon, Conrad G. Sheppy, Michel Sun, Joseph V. Thakuria, Anne Tran, Dylan Vu, Alexander Wait Zaranek, Xiaodi Wu, Snezana Drmanac, Arnold R. Oliphant, William C. Banyai, Bruce Martin, Dennis G. Ballinger, George M. Church, Clifford A. Reid. Science, January 2010.
    24. Dystopia. Personalized Medicine.
    25. Secure Multi-Party Computation.
    26. Secure Two-Party Computation. Bob’s Genome: ACTG…, Markers (~1000): [0, 1, …, 0]. Alice’s Genome: ACTG…, Markers (~1000): [0, 0, …, 1]. Can Alice and Bob compute a function on their private data, without exposing anything besides the result?
    27. Secure Function Evaluation. Alice (circuit generator), Bob (circuit evaluator). Garbled Circuit Protocol, Andrew Yao, 1980s.
    28. Regular Logic. AND gate truth table with inputs a, b and output x: (0, 0) → 0; (0, 1) → 0; (1, 0) → 0; (1, 1) → 1.
    29. Computing with Meaningless Values? The same table with every value replaced by a label: (a0, b0) → x0; (a0, b1) → x0; (a1, b0) → x0; (a1, b1) → x1. ai, bi, xi are random values, chosen by the circuit generator but meaningless to the circuit evaluator. The AND gate now takes a0 or a1 and b0 or b1 and outputs x0 or x1.
    30. Computing with Garbled Tables. Garbled And Gate: Enc_{a0,b0}(x0), Enc_{a0,b1}(x0), Enc_{a1,b0}(x0), Enc_{a1,b1}(x1), stored in a random permutation (e.g. Enc_{a0,b1}(x0), Enc_{a1,b1}(x1), Enc_{a1,b0}(x0), Enc_{a0,b0}(x0)). Bob can only decrypt one of these!
    31. Garbled Circuit Protocol. Alice (circuit generator) sends Bob (circuit evaluator) the garbled gate: Enc_{a0,b1}(x0), Enc_{a1,b1}(x1), Enc_{a1,b0}(x0), Enc_{a0,b0}(x0). She sends ai to Bob based on her input value. How does Bob learn his own input wires?
    32. Primitive: Oblivious Transfer. Alice and Bob run an Oblivious Transfer Protocol. Oblivious: Alice doesn’t learn which secret Bob obtains. Transfer: Bob learns one of Alice’s secrets. Rabin, 1981; Even, Goldreich, and Lempel, 1985; many subsequent papers.
    33. Chaining Garbled Circuits. And Gate 1 (input wires a1, b1; output wire x1): Enc_{a1_0,b1_1}(x1_0), Enc_{a1_1,b1_1}(x1_1), Enc_{a1_1,b1_0}(x1_0), Enc_{a1_0,b1_0}(x1_0). Or Gate 2 (input wires x0, x1; output wire x2): Enc_{x0_0,x1_1}(x2_1), Enc_{x0_1,x1_1}(x2_1), Enc_{x0_1,x1_0}(x2_1), Enc_{x0_0,x1_0}(x2_0). … We can do any computation privately this way!
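As an added worked example (not from the slides and not the authors' code), the Python below implements the ideas of slides 28 through 33 in toy form: each gate is garbled by encrypting the output label under the pair of input labels, the four rows are randomly permuted, Bob's input labels are delivered by a 1-out-of-2 oblivious transfer so that Alice never learns his bits, and two gates are chained by reusing gate 1's output labels as gate 2's input labels. The hash-based "encryption", the zero-byte check tag used to recognise the one row that opens, and the tiny RSA modulus for the transfer are all assumptions made for readability; none of this is a secure implementation.

```python
"""Toy garbled gates, chaining and oblivious transfer (constructed example, not the slides' code)."""
import hashlib
import secrets

LABEL_BYTES = 16
RNG = secrets.SystemRandom()


def pad_for(label_a, label_b):
    """Derive a 32-byte one-time pad from a pair of input-wire labels.
    Assumption: SHA-256 over the two labels behaves like a random oracle for this toy."""
    return hashlib.sha256(b"garbled-gate|" + label_a + label_b).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def garble_gate(truth_table, label_a=None, label_b=None):
    """Generator side. truth_table maps (a, b) -> x for a two-input gate. Input-wire
    labels may be supplied so a gate can be chained onto an earlier gate's output wire.
    Returns (wires, rows): wires maps 'a', 'b', 'x' to (label for 0, label for 1) and
    stays with the generator; rows is the garbled table sent to the evaluator."""
    fresh = lambda: (secrets.token_bytes(LABEL_BYTES), secrets.token_bytes(LABEL_BYTES))
    wires = {"a": label_a or fresh(), "b": label_b or fresh(), "x": fresh()}
    rows = []
    for (a, b), x in truth_table.items():
        # The output label is followed by LABEL_BYTES zero bytes as a check tag so the
        # evaluator can recognise the single row its label pair opens (a trial-decryption
        # variant; production systems use point-and-permute instead).
        plaintext = wires["x"][x] + bytes(LABEL_BYTES)
        rows.append(xor(plaintext, pad_for(wires["a"][a], wires["b"][b])))
    RNG.shuffle(rows)  # random permutation: row position reveals nothing about the inputs
    return wires, rows


def evaluate_gate(rows, label_a, label_b):
    """Evaluator side: holding one label per input wire, exactly one row decrypts."""
    pad = pad_for(label_a, label_b)
    opened = [xor(r, pad)[:LABEL_BYTES] for r in rows
              if xor(r, pad)[LABEL_BYTES:] == bytes(LABEL_BYTES)]
    if len(opened) != 1:
        raise ValueError("expected exactly one row to open, got %d" % len(opened))
    return opened[0]


AND_TABLE = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
OR_TABLE = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 1}

# 1-out-of-2 oblivious transfer in the style of Even, Goldreich and Lempel over textbook
# RSA. The primes are constructed for illustration and are far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def oblivious_transfer(labels, choice):
    """Alice (sender) holds labels[0] and labels[1]; Bob (receiver) learns only
    labels[choice], and Alice never sees choice. Both roles are simulated here."""
    x0, x1 = RNG.randrange(N), RNG.randrange(N)          # Alice -> Bob: two random values
    k = RNG.randrange(1, N)                                # Bob's secret blinding value
    v = ((x0, x1)[choice] + pow(k, E, N)) % N              # Bob -> Alice: blinded choice
    k0 = pow((v - x0) % N, D, N)                           # Alice: one of k0, k1 equals k,
    k1 = pow((v - x1) % N, D, N)                           # but she cannot tell which
    mask = lambda label, ki: xor(label, hashlib.sha256(str(ki).encode()).digest())
    c0, c1 = mask(labels[0], k0), mask(labels[1], k1)      # Alice -> Bob: both masked labels
    return mask((c0, c1)[choice], k)                       # Bob unmasks only the chosen one


def run_protocol(a, b, c):
    """Compute (a AND b) OR c where Alice holds a and Bob holds b and c.
    Alice garbles, Bob evaluates; returns the bit Bob learns."""
    wires1, rows1 = garble_gate(AND_TABLE)                      # gate 1: a AND b -> x1
    wires2, rows2 = garble_gate(OR_TABLE, label_a=wires1["x"])  # gate 2: x1 OR c -> x2
    alice_label = wires1["a"][a]                                # Alice sends her own label
    bob_label_b = oblivious_transfer(wires1["b"], b)            # Bob's labels arrive via OT
    bob_label_c = oblivious_transfer(wires2["b"], c)
    x1_label = evaluate_gate(rows1, alice_label, bob_label_b)
    x2_label = evaluate_gate(rows2, x1_label, bob_label_c)
    # Alice reveals only the decoding of the final output wire
    return {wires2["x"][0]: 0, wires2["x"][1]: 1}[x2_label]


if __name__ == "__main__":
    for bits in [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]:
        print(bits, "->", run_protocol(*bits))
```

Running the module prints the eight input combinations with the bit Bob ends up with. The point to notice is what each side never sees: Bob holds one label per wire and can open exactly one row per gate, so the intermediate value x1 stays hidden behind a label he cannot interpret, and Alice learns nothing about b or c because the transfer step only ever shows her the blinded value v.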
    34. Building Computing Systems. Digital Electronic Circuits vs. Garbled Circuits: operate on known data vs. operate on encrypted wire labels; a one-bit logical operation requires moving a few electrons a few nanometers (hundreds of billions per second) vs. performing (up to) 4 encryption operations (very slow execution); reuse is great vs. reuse is not allowed for privacy (huge circuits needed).
    35. Faster Circuit Execution. Pipelined Execution. Optimized Circuit Library. Partial Evaluation. Yan Huang (UVa PhD 2012). Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
    36. Pipelined Execution. (Diagram: the Circuit-Level Application feeds the Circuit Structure to the GC Framework (Generator), which streams garbled tables one gate at a time to the GC Framework (Evaluator), which holds the same Circuit Structure.) Saves memory: never need to keep the whole circuit in memory.
    37. Pipelining. (Timeline: without pipelining, Circuit Generation, then Circuit Transmission, then Circuit Evaluation run one after another, with the evaluator Waiting and the generator Idling in between; with pipelining the three overlap.) Saves time: reduces latency and improves throughput.
    38. Results. (Two bar charts comparing Fairplay [PSSW09], TASTY [HEKM11], and this work: Scalability in billions of gates, and Performance in 10,000x non-free gates per second.)
    39. Passive Threat Model. (Diagram: Alice encrypts Plaintext to Ciphertext, sent over an Insecure Channel to Bob, who decrypts it back to Plaintext; Eve is a passive attacker on the channel.)
    40. “Semi-Honest” Threat Model. (Diagram: Alice, the Generator, generates the circuits; Bob evaluates them; Output.) Both parties follow the rules, but may try to learn more from the execution transcript!
    41. Active Attacker. (Same encrypt/decrypt diagram over an Insecure Channel (e.g., the Internet), with Mallory as an active attacker.)
    42. Active Threat Model. (Same Generate / Evaluate / Output diagram.) Either party may do whatever they want.
    43. Garbled Circuits Are Half-Way! Privacy: nothing is revealed other than the output. Correctness: the output of the protocol is indeed f(x,y). (Diagram shows Generator and Evaluator.) As long as the evaluator doesn’t send the result back, privacy for the evaluator is guaranteed. How can we get both correctness, and maintain privacy while giving both parties the result?
    44. Dual Execution Protocols. Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. IEEE Security and Privacy (Oakland) 2012.
    45. Dual Execution Protocol. First round execution (semi-honest): Alice is generator, Bob is evaluator, and Bob obtains z = f(x, y) plus the learned output wire labels. Second round execution (semi-honest): Bob is generator, Alice is evaluator, and Alice obtains z' = f(x, y) plus the learned output wire labels. Then a fully-secure, authenticated equality test [Mohassel and Franklin, PKC’06]: pass if z = z’ and the wire labels are correct.
    46. Security Properties. Correctness: guaranteed by the authenticated, secure equality test. Privacy: leaks one (extra) bit on average; an adversarial circuit generator provides a circuit that fails on ½ of inputs. A malicious generator can decrease the likelihood of being caught, and increase the information leaked when caught (but this decreases the average information leaked): at the extreme, the circuit fails on just one input.
    47. 1-bit Leak. (Diagram: cheating detected.)
    48. Proving Security: Malicious. Show equivalence between the Ideal World (A and B hand x' and y' to a Trusted Party; the adversary receives f(x‘, y‘)) and the Real World (A and B run the Secure Computation Protocol on x' and y'; the corrupted party behaves arbitrarily). Standard Active Security Model: can’t prove this for Dual Execution.
    49. Proof of Security: One-Bit Leakage. Ideal World: A (controlled by the malicious adversary) and B hand x' and y' to the Trusted Party; the adversary receives f(x‘, y') and g(x‘, y‘), where g is an arbitrary Boolean function (values in {0, 1}) selected by the adversary. Can prove equivalence to this for Dual Execution protocols.
    50. Implementation. (Same two-round diagram as slide 45.) Recall: work to generate is 3x the work to evaluate!
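The two-round structure of slides 45, 46 and 50, together with the one-bit leak of slide 49, can be simulated without any real garbling. The added Python model below (not the paper's implementation) stands in for each garbled circuit with a plain function plus a pair of random output wire labels, runs the protocol once with Alice as generator and once with Bob as generator, and applies the equality test to the (output bit, output wire label) pairs. A malicious generator is modelled as supplying a circuit that is wrong exactly where an adversary-chosen predicate g holds; the code then measures how often the cheat is detected and how many bits the detection event itself leaks. The function f, the predicates, the 4-bit input size and the trusted comparison standing in for the authenticated equality test are constructed for the example.

```python
"""Dual-execution simulation with a cheating generator (constructed example, not the paper's code)."""
import math
import secrets
from itertools import product

N_BITS = 4  # each party's input is a 4-bit integer (constructed)


def f(x, y):
    """The function both parties want to compute: is x greater than y? (constructed)"""
    return int(x > y)


def semi_honest_round(circuit, x, y):
    """One semi-honest execution, abstracted: the generator's circuit is evaluated and the
    evaluator learns the output bit together with the generator's random label for that
    output wire. Returns (generator's label pair, output bit, label the evaluator learned)."""
    labels = (secrets.token_bytes(16), secrets.token_bytes(16))
    z = circuit(x, y)
    return labels, z, labels[z]


def dual_execution(alice_circuit, bob_circuit, x, y):
    """Run both rounds and the equality test. Returns (passed, z from round 1, z' from round 2).
    alice_circuit is what Alice garbles (honest: f); bob_circuit is what Bob garbles."""
    # Round 1: Alice generates, Bob evaluates and learns z plus Alice's label for z
    alice_labels, z_bob, bob_learned = semi_honest_round(alice_circuit, x, y)
    # Round 2: Bob generates, Alice evaluates and learns z' plus Bob's label for z'
    bob_labels, z_alice, alice_learned = semi_honest_round(bob_circuit, x, y)
    # Authenticated equality test, modelled as a trusted comparison: each party submits the
    # bit and label it learned as evaluator, and the test checks that label against the label
    # the other party (as generator) assigned to that bit. Passing therefore needs z == z' and
    # both learned labels to be genuine, so a party cannot simply claim the right answer.
    passed = (z_bob == z_alice
              and bob_learned == alice_labels[z_alice]
              and alice_learned == bob_labels[z_bob])
    return passed, z_bob, z_alice


def cheating_circuit(g):
    """A malicious generator's circuit: correct except where the predicate g(x, y) holds."""
    return lambda x, y: f(x, y) ^ g(x, y)


def leakage_bits(g):
    """Alice cheats with predicate g while Bob is honest. Over all input pairs, return
    (fraction of runs in which the cheat is detected, entropy in bits of that detection
    event). The detection event is the one thing the cheating generator observes."""
    total = detected = 0
    for x, y in product(range(2 ** N_BITS), repeat=2):
        passed, _, _ = dual_execution(cheating_circuit(g), f, x, y)
        total += 1
        detected += not passed
    p = detected / total
    # Alice sees a single bit (caught or not); its information content is the binary entropy of p
    h = 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return p, h


if __name__ == "__main__":
    print("honest run:", dual_execution(f, f, 5, 3))
    print("circuit wrong on half of Bob's inputs:", leakage_bits(lambda x, y: y & 1))
    print("circuit wrong on one of Bob's inputs:", leakage_bits(lambda x, y: int(y == 7)))
```

With g = "y is odd" the cheat is caught on exactly half of the runs and the detection bit carries 1 bit of information about y, which is the average case slide 46 describes; with g = "y == 7" the cheat is caught on 1/16 of the runs, the detection bit carries only about 0.34 bits on average, but when it does fire it pins down y completely, which is the trade-off the same slide makes between likelihood of being caught and information leaked when caught.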
    51. (Chart: cost of a 10k*10k alignment, log scale from $100,000,000 down to $1,000, Aug 2001 to Apr 2013, marking FairPlay (2004), Free XOR, HEKM, and Schneider & Zohner 2013.)
    52. (Chart on the same time axis, $100,000,000,000 down to $1,000: Active Security, Semi-Honest, and 1-bit leak lines, marking KSS 2011 and HKE 2013.)
    53. Opportunities for Encrypted Computation. Secure Multi-Party Computation: practical (or nearly practical) today for some applications…and improving rapidly! Verifiable Computation and Outsourced Computation (e.g., AdWords auctions) (Homomorphic Encryption): these applications are 10-1Mx away from being practical…but improving very rapidly!
    54. Yuchen Zhou (UVa Computer Engineering PhD Student).
    55. Single Sign-On.
    56. Will developers who follow the directions end up building a secure application? Facebook documentation example: “The requested response type, one of code or token. Defaults to code…”
    57. Modeling SSO System. (Diagram: Mallory, Client SDK, MalAppC, FooAppC, FooAppS, Service SDK, Client runtime, Service runtime, Identity Provider (IdP).) Reason about all possible applications that can be built using the SDK.
    58. Credential Misuse Vulnerability. (Diagram: the Foo App Client obtains an access_token from the Facebook back end and passes it to the Foo App Server, which answers “Welcome, Alice!”.)
    59. Credential Misuse Vulnerability. (Same diagram, but now a Malicious App Client passes the access_token to the Foo App Server, which still answers “Welcome, Alice!”.)
    60. Credential Leakage Vulnerability. OAuth Credentials.
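Slides 58 and 59 show the credential misuse pattern: the Foo App server accepts whatever access_token a client hands it and greets the user the token belongs to. A token that Alice granted to some other application is still Alice's token, so a malicious client that holds one can present it to Foo's server and be greeted as Alice. The added Python below (not SSOScan's code and not Facebook's API) models the identity provider's token introspection as an in-memory table and puts a vulnerable login handler beside one that checks the token was issued to this application before trusting the user id carried with it. The token strings, application ids and the introspect function are constructed for the example.

```python
"""Credential-misuse check for SSO access tokens (constructed example, not SSOScan or Facebook code)."""

# Constructed stand-in for the identity provider's token-introspection endpoint: for a token it
# reports which user granted it, which application it was issued to, and whether it is still live.
ISSUED_TOKENS = {
    "tok-foo-alice": {"user_id": "alice", "app_id": "foo-app", "valid": True},
    "tok-mal-alice": {"user_id": "alice", "app_id": "mal-app", "valid": True},  # granted to another app
    "tok-foo-expired": {"user_id": "bob", "app_id": "foo-app", "valid": False},
}


def introspect(token):
    """Ask the identity provider what it knows about a token (None if it is unknown)."""
    return ISSUED_TOKENS.get(token)


class FooAppServer:
    APP_ID = "foo-app"

    def login_vulnerable(self, access_token):
        """Credential misuse as on slide 59: any live token for Alice logs the caller in as
        Alice, including a token Alice granted to a different application."""
        info = introspect(access_token)
        if info is None or not info["valid"]:
            return None
        return "Welcome, %s!" % info["user_id"]

    def login_hardened(self, access_token):
        """Trust the user id only when the provider confirms the token was issued to this app."""
        info = introspect(access_token)
        if info is None or not info["valid"]:
            return None
        if info["app_id"] != self.APP_ID:
            # Token belongs to another application: refuse it and treat it as attempted misuse
            return None
        return "Welcome, %s!" % info["user_id"]


def misuse_detected(server, token):
    """True when the vulnerable handler would accept a token that the hardened one rejects."""
    return server.login_vulnerable(token) is not None and server.login_hardened(token) is None


if __name__ == "__main__":
    server = FooAppServer()
    for token in ISSUED_TOKENS:
        print(token, "vulnerable:", server.login_vulnerable(token),
              "hardened:", server.login_hardened(token), "misuse:", misuse_detected(server, token))
```

The rule the hardened handler follows is the general OAuth one: a bearer token is evidence of a grant to one specific client, so a server must verify that the token's application (its audience) is its own before mapping the token to a local session. Facebook's Graph API exposes this information through its debug_token call, whose response includes the token's app_id and user_id; the example keeps the lookup local so that it runs offline.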
    61. How Common Are These Vulnerabilities?
    62. Simulating Users.
    63. Enrolling Test Accounts.
    64. Oracle. Automatically test if a site is vulnerable by looking at visual clues and traffic.
    65. Dataset. Test the top-ranked 20,000 websites (from quantcast.com) for 5 vulnerabilities; 3 machines for 3 days. (google.com, youtube.com, facebook.com, msn.com, amazon.com, twitter.com, ebay.com, pinterest.com, yahoo.com, bing.com, microsoft.com, …)
    66. (Chart: % supporting FB SSO against site rank percentile (20K), from Top-Ranked Sites to the 20,000th-ranked site, y axis 0% to 45%.) 1700 of top-20000 sites use Facebook SSO.
    67. (Chart: Percent of Sites Vulnerable against rank, y axis 0% to 30%, from Top-Ranked Sites to the 20,000th-ranked site; a group of 50 sites is marked.) 20% of sites (in top 20,000) that integrate Facebook SSO have at least one serious vulnerability detected by SSOScan.
    68. Responses from Sites. 20 vendors contacted normally: 12: no response; 6: auto-generated response; 2: manual responses; 0: fixed.
    69. ssoscan.org
    70. Next Friday’s Talk! Rice Hall, 85 Engineer’s Way, University of Virginia, Charlottesville, Va.
    71. Home of Famous Cryptographer!
    72. evans@virginia.edu, MightBeEvil.com/crypto
    73. (Closing slide.)
    74. (Closing slide.)
