    Security Analysis of NIST CTR-DRBG

    We study the security of CTR-DRBG, one of NIST's recommended Pseudorandom Number Generator (PRNG) designs. Recently, Woodage and Shumow (Eurocrypt '19), and then Cohney et al. (S&P '20), pointed out potential vulnerabilities in both the NIST specification and common implementations of CTR-DRBG. While these researchers do suggest counter-measures, the security of the patched CTR-DRBG remained an open question. Our work fills this gap, proving that CTR-DRBG satisfies the robustness notion of Dodis et al. (CCS '13), the standard security goal for PRNGs.

    Validation of Abstract Side-Channel Models for Computer Architectures

    Observational models make the analysis of information flow properties tractable by providing an abstraction of side channels. We introduce a methodology and a tool, Scam-V, to validate observational models for modern computer architectures. We combine symbolic execution, relational analysis, and different program generation techniques to generate experiments and validate the models. An experiment consists of a randomly generated program together with two inputs that are observationally equivalent according to the model under test. Validation is done by checking the indistinguishability of the two inputs on real hardware, by executing the program and analyzing the side channel. We have evaluated our framework by validating models that abstract the data-cache side channel of a Raspberry Pi 3 board with a processor implementing the ARMv8-A architecture. Our results show that Scam-V can identify bugs in the implementation of the models and generate test programs that invalidate the models due to hidden microarchitectural behavior.

    Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks

    We present the Balloon password-hashing algorithm. This is the first practical cryptographic hash function that: (i) has proven memory-hardness properties in the random-oracle model, (ii) uses a password-independent access pattern, and (iii) meets or exceeds the performance of the best heuristically secure password-hashing algorithms. Memory-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the cost of offline dictionary attacks. In this work, we leverage a previously unstudied property of a certain class of graphs (“random sandwich graphs”) to analyze the memory-hardness of the Balloon algorithm. The techniques we develop are general: we also use them to give a proof of security of the scrypt and Argon2i password-hashing functions in the random-oracle model. Our security analysis uses a sequential model of computation, which essentially captures attacks that run on single-core machines. Recent work shows how to use massively parallel special-purpose machines (e.g., with hundreds of cores) to attack Balloon and other memory-hard functions. We discuss these important attacks, which are outside of our adversary model, and propose practical defenses against them. To motivate the need for security proofs in the area of password hashing, we demonstrate and implement a practical attack against Argon2i that successfully evaluates the function with less space than was previously claimed possible. Finally, we use experimental results to compare the performance of the Balloon hashing algorithm to other memory-hard functions.

    Mechanisms of action of systemic antibiotics used in periodontal treatment and mechanisms of bacterial resistance to these drugs

    Antibiotics are important adjuncts in the treatment of infectious diseases, including periodontitis. The most severe criticisms of the indiscriminate use of these drugs are their side effects and, especially, the development of bacterial resistance. Knowledge of the biological mechanisms involved in antibiotic use would help the medical and dental communities to overcome these two problems. Therefore, the aim of this manuscript was to review the mechanisms of action of the antibiotics most commonly used in periodontal treatment (i.e. penicillin, tetracycline, macrolide and metronidazole) and the main mechanisms of bacterial resistance to these drugs. Antimicrobial resistance can be classified into three groups: intrinsic, mutational and acquired. Penicillin, tetracycline and erythromycin are broad-spectrum drugs, effective against gram-positive and gram-negative microorganisms. Bacterial resistance to penicillin may occur due to diminished permeability of the bacterial cell to the antibiotic, alteration of the penicillin-binding proteins, or production of β-lactamases. However, a very small proportion of the subgingival microbiota is resistant to penicillins. Bacteria become resistant to tetracyclines or macrolides by limiting their access to the cell, by altering the ribosome in order to prevent effective binding of the drug, or by producing tetracycline/macrolide-inactivating enzymes. Periodontal pathogens may become resistant to these drugs. Finally, metronidazole can be considered a prodrug in the sense that it requires metabolic activation by strictly anaerobic microorganisms. Acquired resistance to this drug has rarely been reported. Due to these low rates of resistance and to its high activity against gram-negative anaerobic bacterial species, metronidazole is a promising drug for treating periodontal infections.

    Creosote contamination in Trøndelag. Environmental effects in Hommelvika, Stjørdalsfjorden, Gudå and Mostadmarka

    Earlier discharges from NSB's wood-impregnation plant in Hommelvik have caused heavy contamination with polycyclic aromatic hydrocarbons (PAHs) in the sediments within an area of 13 km². In recent years there has been a partial natural covering by uncontaminated sediments. The soft-bottom fauna was slightly to moderately affected by the contamination. At one station near the source of contamination, the PAH concentration in blue mussels was 500 times higher than what is normal in Norwegian fjords, but the concentrations decreased rapidly with increasing distance from the source. In cod and dab, PAH concentrations were moderate or low and did not contain known potentially carcinogenic components. No significant contamination from the land deposits was detected, either in groundwater, water or fish.

    Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate.

    We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 2^49 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 2^16 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction, of which an example is given.

    Eliminating cache-based timing attacks with instruction-based scheduling

    Information flow control (IFC) allows untrusted code to access sensitive and trustworthy information without leaking this information. However, the presence of covert channels subverts this security mechanism, allowing processes to communicate information in violation of IFC policies. In this paper, we show that concurrent deterministic IFC systems that use time-based scheduling are vulnerable to a cache-based internal timing channel. We demonstrate this vulnerability with a concrete attack on Hails, one particular IFC web framework. To eliminate this internal timing channel, we implement instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses. We show this scheduler is secure against cache-based internal timing attacks for applications using a single CPU. To show the feasibility of instruction-based scheduling, we have implemented a version of Hails that uses the CPU retired-instruction counters available on commodity Intel and AMD hardware. We show that instruction-based scheduling does not impose significant performance penalties. Additionally, we formally prove that our modifications to Hails' underlying IFC system preserve non-interference in the presence of caches.