After the widespread critique of AES-GCM mode yesterday, the first talk by Shay Gueron today redressed the balance. A number of very impressive performance improvements over the usual AES-CBC+HMAC-SHA1 suite for TLS were given. An interesting mathematical aside was the interpretation of the multiplication step used in GCM mode as a Montgomery multiplication with the field defining polynomial reversed Despite all the optimizations presented for AES-GCM the hash still takes 68% of the computation still.
We then progressed to the "Royal Holloway Hour". Kenny discussed the EMV protocol, and presented details on our Bleichenbacher signing attack on the EMV protocol from last years CT-RSA. An interesting thing was noticed that the attack would be more efficient if one extracted the PIN rather than just obtain the signature on a message. Kenny then went on to discuss the issue of XML and JSON security, where the new standards still use very bad legacy algorithms (PKCS#1v1.5 for public key encryption and AES-CBC mode with no integrity protection for symmetric key encryption). He said how to use a PKCS#1v1.5 decryption oracle to decrypt RSA-OAEP ciphertexts and to breaking AES-CBC allows one to break AES-GCM mode. Thus the presence of the weak algorithms in the standard allows one to break the stronger algorithms. These attacks have been applied to XML Encryption and XML signatures, and awell as JSON encryption and signature algorithms.
The second talk in the Holloway Hour was given by Bertram Poettering. Bertram's aim was to replace certificates (which bind identities to public keys) in such as way as to still maintain a non-interactive verification, but for which a misbehaving CA is penalised by having a fatal failure imposed on it. The proposed technique uses a tagged one-time signature scheme (or TOSS). This is a scheme to sign tag/message pairs. Since the signature is one-time, if a double signature is produced then security is lost.(say by outputing the key, or allowing one to forge other messages). So if the CA issues two certificates on a single ID with different public keys, then the CAs secret key can be extracted. Thus a cheating CA when it cheats has a fatal security breach. So clearly a CA which uses such a scheme is essentially "Giving a TOSS" every time it issues a certificate. It was however unclear how practical this solution would be, and whether the additional cost is worth the limited extra benefit.
The talk by Markus Jakobsson of PayPal discussed various user experiments in the area of security. I will discuss two of the issues presented:
- User communication is a big issue. As a bad example of mis-communication, in an experiment making a lock icon bigger made users trust the site more; so simply displaying something can fool a user into thinking they are secure. What we really want, is a user interacting with two IDENTICAL looking web sites should be OK for the legitimate web site and produce an abort for the bad website. A proposed solution (for a phone/tablet etc) is that the user before entering a password (say) into a site has to press an interupt button (say the power button on an iPad); the OS then does a check to say whether the web page is on a white list; if not on a white-list the OS will kill the app. The OS also stops people interacting with the web site without pressing the interupt button. The problem is that the system does not work for "good" web sites which are not on the whitelist (i.e. part of the system).
- The second example was about confronting users who are doing something wrong and then lying about it. The experiments were all related to buying items; but they immediately made me feel about how lecturers confront students re plagarism. The basic recommendations from the talk, applied to plagarism, were;
- First confront the person with evidence. Do not allow them to commit to a lie first. e.g. Say "This work is very similar to some other work we have found. Have a look".
- Make sure the innocent person is given some way of not feeling being accused. e.g. Say "How do you think this has happened? Did you give your work to someone else to help them?"
- Give the guilty person a clean simple way out. e.g. Say "We know people make mistakes under pressure; as its the first time this has happened if you admit it then we wont take it further. But make sure it does not happen again".
Dan Boneh talked about the breakthrough result from late last year; namely k-linear maps. Using these maps he showed that one can construct broadcast encryption schemes (such as the ones used in satellite broadcast systems) which have constant size ciphertexts and public key sizes which are logarithmic in the number of recipients in the system. This has been a long standing open problem. The solution was basically to take the old BGW system based on bilinear maps and replace the q-elements in the public key by (log q) elements, and then construct the q-elements back using the binary representations of the associated indexes.
Overall the workshop has been really interesting, with great interaction between academia and industry. The venue of being in Silicon Valley helped ensure that there was a large number of industrial people who were working at the cutting edge.
In the next few days the slides will be made online on the conference website
In addition people might be interested in following the conference feed from Twitter