A few open problems in computer security David Wagner University of California, Berkeley.
-
date post
19-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of A few open problems in computer security David Wagner University of California, Berkeley.
![Page 1: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/1.jpg)
A few open problemsin computer security
David Wagner
University of California, Berkeley
![Page 2: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/2.jpg)
Overview of the field
Communication security through cryptography Endpoint security through systems techniques
insecure channel
insecure endpoint
![Page 3: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/3.jpg)
Background
Goals: Confidentiality Integrity Availability
… even in the presence of a malicious adversary!
Problems: Today’s systems often
fail to meet these goals Security is often an
afterthought
![Page 4: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/4.jpg)
Part 1: Critical Infrastructure
![Page 5: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/5.jpg)
Infrastructure protection
Critical infrastructures e.g., power, water, oil, gas,
telecom, banking, … Evolving legacy systems Increasingly reliant on I.T. Very large scale Tightly interdependent
Security is a challenge!
![Page 6: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/6.jpg)
The electric power grid
Elements Loads (users) Distribution (local area) Transmission (long-distance) Generators (adapt slowly) Control centers Bidding & coordination Communication networks
![Page 7: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/7.jpg)
Cascading failures
March 1989: Solar storms cause outages in Quebec, trips interlocks throughout the US
August 1996: Two faults in Oregon cause oscillations that lead to blackouts in 13 states
Generation capacity margin at only 12% (down from 25% in 1980) Will get worse over next decade:
demand grows 20%, transmission capacity grows 3% (projected)
![Page 8: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/8.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
80Kv
80Kv20Kv
20Kv
40Kv
60Kv
60Kv
capacity 75Kv
![Page 9: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/9.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
80Kv
80Kv20Kv
20Kv
40Kv
60Kv
60Kv
Line failure!
capacity 75Kv
![Page 10: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/10.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
73Kv
87Kv29Kv
0Kv
29Kv
58Kv
73Kv
capacity 75Kv
![Page 11: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/11.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
73Kv
87Kv29Kv
0Kv
29Kv
58Kv
73Kv
Overload!
capacity 75Kv
![Page 12: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/12.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
73Kv
87Kv29Kv
0Kv
29Kv
58Kv
73Kv
Overload!
capacity 75Kv
![Page 13: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/13.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
80Kv
80Kv0Kv
0Kv
0Kv
80Kv
80Kv
capacity 75Kv
![Page 14: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/14.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
80Kv
80Kv0Kv
0Kv
0Kv
80Kv
80Kv
capacity 75Kv
Overload!
Overload!
![Page 15: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/15.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
80Kv
80Kv0Kv
0Kv
0Kv
80Kv
80Kv
capacity 75Kv
Overload!
Overload!
![Page 16: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/16.jpg)
Transmission: An example?
capacity 100Kvcapacity 25Kv
0Kv
0Kv0Kv
0Kv
0Kv
0Kv
0Kv
capacity 75Kv
![Page 17: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/17.jpg)
Possible research problems
Modelling an infrastructural system Can we construct a useful predictive model? Given a model, can we efficiently measure its security
against malicious attack?
Structural properties of such systems What key parameters determine their properties? Are there local control rules that ensure global stability? How can we design inherently self-stabilizing systems?
![Page 18: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/18.jpg)
Part 2: Algebraic Crypto
![Page 19: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/19.jpg)
x
Ek(x)
k
What’s a block cipher?
Ek : X → X bijective for all k
![Page 20: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/20.jpg)
When is a block cipher secure?
x
(x)randompermutation
k E
x
Ek(x)
blockcipher
Answer: when these two black boxes are indistinguishable.
![Page 21: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/21.jpg)
Example: The AES
S S S S S S SS S S S S S S SS
4×4 matrix 4×4 matrix 4×4 matrix4×4 matrix
byte re-ordering
One
round
S(x) = l(x-1) in GF(28), where l is GF(2)-linearand the MDS matrix and byte re-ordering are GF(28)-linear
![Page 22: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/22.jpg)
Interpolation attacks
Express cipher as a polynomial in the message & key:
id
id
X
X
Ek
X
X
p
Write Ek(x) = p(x), then interpolate from known texts Or, p’(Ek(x)) = p(x)
Generalization: probabilistic interpolation attacks Noisy polynomial
reconstruction, decoding Reed-Muller codes
![Page 23: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/23.jpg)
Rational interpolation attacks
Express the cipher as a rational polynomial:
id
id
X
X
Ek
X
X
p/q
If Ek(x) = p(x)/q(x), then:
Write Ek(x)×q(x) = p(x), and apply linear algebra
Note: rational poly’s are closed under composition
Are probabilistic rational interpolation attacks feasible?
![Page 24: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/24.jpg)
Resultants
A unifying view: bivariate polynomials:
The small diagrams commute ifpi(x, fi(x)) = 0 for all x
Small diagrams can be composed to obtain q(x, f2(f1(x))) = 0, where q(x,z) = resy(p1(x,y), p2(y,z))
Some details not worked out...
X
X
f1 Xp1
Xp2
X
f2
![Page 25: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/25.jpg)
Public-key encryption
Let S(x) = x3 in GF(28). Define f = L’ ◦ S ◦ L.Private key: L, L’, a pair of GF(28)-linear mapsPublic key: f, given explicitly by listing its coefficients
S S S S S S SS S S S S S S SS
L’
L
![Page 26: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/26.jpg)
The MP problem
Find semi-efficient algorithms for the following: Let f1, ..., fm be multivariate polynomials in n unknowns
over a finite field K, and consider the system of equationsf1(x1, ..., xn) = 0...fm(x1, ..., xn) = 0
Often: fi are sparse, low degree, and K = GF(2q) for q 8 Also, the case m n is of special interest in crypto
![Page 27: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/27.jpg)
What’s known about MP?
For quadratic equations (degree 2): m n2/2: polynomial time via linearization m εn2: polynomial time via re-linearization, XL m n2 + c: conjectured subexponential time via XL m = n: hard? (NP-complete worst-case)
Why not existing Groebner base algorithms? - exponential running time (n 15 is infeasible)
- not optimized for small fields
![Page 28: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/28.jpg)
Summary
Critical infrastructure protection An important area, and A source of intellectually satisfying problems
Algebraic cryptosystems of growing importance Collaboration between cryptographic and mathematical
communities might prove fruitful here
![Page 29: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/29.jpg)
Backup Slides
![Page 30: A few open problems in computer security David Wagner University of California, Berkeley.](https://reader031.fdocuments.in/reader031/viewer/2022032309/56649d3a5503460f94a14f85/html5/thumbnails/30.jpg)
Power grid security
Eligible Receiver (Nov 97): NSA hackers take down part of power grid, E911 in simulated attack using off-the-shelf software
Zenith Star (Oct 99): little improvement Vulnerability assessments: control systems
connected to Internet, dialup modems with poor passwords, using weak software