Cryptographic Reverse Firewalls

Mironov, Ilya; Stephens-Davidowitz, Noah

doi:10.1007/978-3-662-46803-6_22

Cited by 90 publications

(64 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Russell, Tang, Yung and Zhou [43] consider ASAs on one-way and trapdoor one-way functions. Cryptographic reverse firewalls [33,17] represent an architecture to counter ASAs via trusted code in network perimeter filters. Dodis, Ganesh, Golovnev, Juels and Ristenpart [16] provide a formal treatment of backdooring of PRGs, another form of subversion.…”

mentioning

confidence: 99%

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

140

208

View full text Add to dashboard Cite

Abstract. Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of "big brother" is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.

show abstract

mentioning

confidence: 99%

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

140

208

View full text Add to dashboard Cite

show abstract

“…Using a reverse firewall. In Section 6, we show that security against arbitrary tampering with the computation can be achieved, by making the additional assumption of an un-tamperable cryptographic reverse firewall (RF) [MS15,DMS16]. Roughly, a RF takes as input a message/signature pair, and is allowed to "sanitize" the input signature using only public information.…”

Section: Our Results and Techniquesmentioning

confidence: 99%

“…As our third positive result, we provide a way to achieve the ambitious goal of protecting signature schemes against arbitrary SAs, relying on a cryptographic reverse firewall. The latter primitive was introduced in [MS15] (see also [DMS16]) to model security of arbitrary two-party protocols run on machines possibly corrupted by a virus. On a high level, a RF for a signature scheme is an algorithm taking as input a message/signature pair (m, σ), some public state, and outputting a "patched" signature (m, σ ); the initial state of the firewall is typically a function of the verification key vk .…”

Section: Our Results and Techniquesmentioning

confidence: 99%

Subversion-resilient signatures: Definitions, constructions and applications

Ateniese

Magri

Venturi

2020

Theoretical Computer Science

View full text Add to dashboard Cite

We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions-e.g., the notion of security against algorithmsubstitution attacks introduced by Bellare et al. (CRYPTO '14) for symmetric encryptionwere non-adaptive and non-continuous. In this vein, we show both positive and negative results for the goal of constructing subversion-resilient signature schemes. Negative results. We show that a broad class of randomized signature schemes is insecure against stateful SAs, even if using just a single bit of randomness. On the other hand, we establish that signature schemes with enough min-entropy are insecure against stateless SAs. The attacks we design are undetectable to the end-users (even if they know the signing key). Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available. As our second positive result, we show how to construct subversion-resilient identification schemes from subversion-resilient signature schemes. We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design allows us to successfully protect so-called re-randomizable signature schemes (which include unique signatures as a special case). As an additional contribution, we extend our model to consider multiple users and show implications and separations among the various notions we introduced. While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.

show abstract

“…Cryptographic reverse firewalls [87] are a general technique for defending against backdoored implementations of interactive cryptographic protocols. A reverse firewall sits between a potentially backdoored implementation and the outside world, modifying messages in such a way that (a) preserves the security of the original protocol and (b) prevents the malicious implementation from leaking information to the outside world.…”

Section: Related Workmentioning

confidence: 99%

True2F: Backdoor-Resistant Authentication Tokens

Dauterman

Corrigan-Gibbs

Mazières

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin tokenfingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today's U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.

show abstract

Cryptographic Reverse Firewalls

Cited by 90 publications

References 20 publications

Security of Symmetric Encryption against Mass Surveillance

Security of Symmetric Encryption against Mass Surveillance

Subversion-resilient signatures: Definitions, constructions and applications

True2F: Backdoor-Resistant Authentication Tokens

Contact Info

Product

Resources

About