Bundesamt für Sicherheit in der Informationstechnik BSI

Bonn, Germany


Schindler W., Bundesamt für Sicherheit in der Informationstechnik BSI | Itoh K., Fujitsu Limited
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2011

Exponent blinding is known as a secure countermeasure against side-channel attacks. If single power traces reveal some exponent bits, an attack by Fouque et al. applies that recovers the exponent. However, this attack becomes infeasible if some of the guessed bits are incorrect. Thus, the attack was not assumed to be a realistic threat. In this paper we present two variants of a novel generic attack, which works for considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient. We confirmed experimentally that our attack permits up to 28% (RSA case) or 23% (ECC case) error bits. © 2011 Springer-Verlag Berlin Heidelberg.


Bender J., Bundesamt für Sicherheit in der Informationstechnik BSI | Dagdelen O., TU Darmstadt | Fischlin M., TU Darmstadt | Kügler D., Bundesamt für Sicherheit in der Informationstechnik BSI
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

The restricted identification protocol for the new German identity card basically provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (not even malicious ones). The protocol can be augmented to allow also for signatures under the pseudonyms. In this paper, we thus view (and define) this idea more abstractly as a new cryptographic signature primitive with some form of anonymity, and use the term domain-specific pseudonymous signatures. We then analyze the restricted identification solutions in terms of the formal security requirements. © 2012 Springer-Verlag.


Bender J., Bundesamt für Sicherheit in der Informationstechnik BSI | Dagdelen O., TU Darmstadt | Fischlin M., TU Darmstadt | Kügler D., Bundesamt für Sicherheit in der Informationstechnik BSI
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

We discuss an efficient combination of the cryptographic protocols adopted by the International Civil Aviation Organization (ICAO) for securing the communication of machine readable travel documents and readers. Roughly, in the original protocol the parties first run the Password-Authenticated Connection Establishment (PACE) protocol to establish a shared key and then the reader (optionally) invokes the Active Authentication (AA) protocol to verify the passport's validity. Here we show that by carefully re-using some of the secret data of the PACE protocol for the AA protocol one can save one exponentiation on the passport's side. We call this the PACE|AA protocol. We then formally prove that this more efficient combination not only preserves the desirable security properties of the two individual protocols but also increases privacy by preventing misuse of the challenge in the Active Authentication protocol. We finally discuss a solution which allows deniable authentication in the sense that the interaction cannot be used as a proof towards third parties. © 2012 Springer-Verlag.


Heuser A., TU Darmstadt | Kasper M., Fraunhofer Institute for Secure Information Technology | Schindler W., Bundesamt für Sicherheit in der Informationstechnik BSI | Stöttinger M., TU Darmstadt
Proceedings - 2011 14th Euromicro Conference on Digital System Design: Architectures, Methods and Tools, DSD 2011 | Year: 2011

Side-channel analysis has become an important field of research for the semiconductor industry and for the academic sector as well. Of particular interest is constructive side-channel analysis as it supports a target-oriented associated design process. The main goal is to increase the side-channel resistance of cryptographic implementations within the design phase by a combination of advanced stochastic methods with design methods, tools, and countermeasures. In this contribution we present a new enhanced tool that utilizes symmetry properties to assist the side-channel evaluation of cryptographic implementations. This technique applies a symmetry metric, which is introduced as an engineering tool to verify the suitability of the leakage model in the evaluation phase of security-sensitive designs. Additionally, this approach also supports the designer in the selection of appropriate time instants. © 2011 IEEE.


Bender J., Bundesamt für Sicherheit in der Informationstechnik BSI | Fischlin M., TU Darmstadt | Kügler D., Bundesamt für Sicherheit in der Informationstechnik BSI
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

The International Civil Aviation Organization (ICAO) has adopted the password-based connection establishment protocol (PACE) for securing the contactless communication between the machine-readable travel documents and the readers at border controls. This Diffie-Hellman based protocol achieves impersonation resistance at password strength. To reinforce authentication of the travel documents beyond this low-entropy security, the challenge-response based active authentication protocol could be executed afterwards. However, this optional protocol is often omitted for efficiency reasons. In order to salvage strong security we investigate the possibility to provide active authentication almost "for free" with the PACE|CA protocol, by re-using some of the randomness from the PACE protocol for authentication. © 2013 Springer International Publishing.


Schindler W., Bundesamt für Sicherheit in der Informationstechnik BSI
Journal of Cryptographic Engineering | Year: 2016

In this paper we treat a timing attack on RSA implementations, which apply the Chinese remainder theorem and Montgomery’s multiplication algorithm and are protected by exponent blinding. Our attack is applicable to square & multiply exponentiation and to table-based exponentiation algorithms, extending known timing attacks on unprotected implementations. Simulation experiments are conducted, which confirm the theoretical results. Interestingly, increasing the blinding length does not counteract our attack. Our attack can be adjusted to fulfil mild format restrictions. Effective countermeasures exist. This article extends a conference paper by new results. © 2016, Springer-Verlag Berlin Heidelberg.


Klein D., Bundesamt für Sicherheit in der Informationstechnik BSI
Communications in Computer and Information Science | Year: 2015

The ICAO-standardized Password Authenticated Connection Establishment (PACE) protocol is used all over the world to secure access to electronic passports. Key-secrecy of PACE is proven by first modeling it as an Observational Transition System (OTS) in CafeOBJ, and then proving invariant properties by induction. © Springer International Publishing Switzerland 2015.


Schindler W., Bundesamt für Sicherheit in der Informationstechnik BSI | Wiemers A., Bundesamt für Sicherheit in der Informationstechnik BSI
Journal of Cryptographic Engineering | Year: 2014

Exponent blinding has been known as an effective countermeasure against side-channel attacks on RSA. However, if single power traces reveal some exponent bits with certainty, an attack by Fouque et al. (Power attack on small RSA public exponent. Springer, Berlin, pp 339–353, 2006) applies that recovers the exponent. Since this attack becomes infeasible if some of these assumed exponent bits are incorrect, it has not been assumed to be a realistic threat in the context of side-channel attacks. In this paper we present three generic attack variants (basic attack, enhanced attack, alternate attack), which work in the presence of considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient to protect SPA-resistant implementations against any type of power attacks. Simulation experiments confirm that for small blinding factors the basic attack permits error rates of more than 25%. The enhanced attack allows smaller error rates but requires many fewer power traces and computations. Unlike the basic attack and the enhanced attack, the alternate attack (against ECC and RSA without CRT) cannot effectively be prevented by simply enlarging the blinding factor. This paper extends (Schindler and Itoh, Exponent blinding does not always lift (Partial) SPA resistance to higher-level security. Springer, Berlin, pp 73–90, 2011) by many new results. © 2014, Springer-Verlag Berlin Heidelberg.


Schindler W., Bundesamt für Sicherheit in der Informationstechnik BSI
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

The references [1, 3, 9] treat timing attacks on RSA with CRT and Montgomery's multiplication algorithm in unprotected implementations. It has been widely believed that exponent blinding would prevent any timing attack on RSA. At the cost of significantly more timing measurements, this paper extends the aforementioned attacks to RSA with CRT when Montgomery's multiplication algorithm and exponent blinding are applied. Simulation experiments are conducted, which confirm the theoretical results. Effective countermeasures exist. In particular, the attack efficiency is higher than in the previous version [12], while large parts of both papers coincide. © International Association for Cryptologic Research 2015.


Honecker H., Bundesamt für Sicherheit in der Informationstechnik BSI
VGB PowerTech | Year: 2010

Complex physical process architectures are nowadays only conceivable with the aid of suitable automation, instrumentation and control systems. The corresponding system architectures contain both the process-specific hardware components and a large proportion of components which either emulate those of classical information technology or are even directly taken from it. As a result, process control systems are also vulnerable to threats and hazards from classical information technology. These vulnerabilities can in principle be handled by consistent implementation of IT security, for example according to BSI standards 100-1 to 100-4, or the ISO 27000 series. In comparison with classical information technology, however, the weighting of the protection objectives is strongly shifted towards uninterrupted availability in continuous operation with specific requirements such as guaranteed short response times and full integrity of process data. Consequently, many of the standard measures adopted for classical IT security cannot be applied to the power plant field, or need major adaptations. Among other measures, an extremely strict separation of the process control systems and networks, even from the plant's own office network, is essential for suitable process control security in power plants. Furthermore, indispensable safety functionality must not be dependent on process control networks, nor must it be possible for these to endanger such functionality.
