权益分类	功能权益	普通用户	{{item.name}}会员
{{category.name}}	{{benefitItem.name}}

SaTC: CORE: Small: Foundations of Applied Cryptography

SaTC：核心：小：应用密码学的基础

基本信息

批准号：
1717640
负责人：
Mihir Bellare
金额：
$ 32.65万
依托单位：
University of California-San Diego
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2017
资助国家：
美国
起止时间：
2017-10-01 至 2021-09-30
项目状态：
已结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=1717640&HistoricalAwards=false
关键词：
SaTC CORE Small Foundations Applied

项目摘要

Currently, on an almost weekly basis there are reports on security breaches which expose private information such as passwords or credit card numbers to cyber criminals. In order to address this problem, this project develops theoretical foundations and cryptographic approaches, and analyzes these new mechanisms. This project focuses on three areas of great practical interest: (1) the recovery of a cryptographic key by an adversary; (2) delegatable format-preserving encryption which, for example, allows the in-place encryption of credit-card numbers while limiting the damage in case of a compromise, and (3) user authentication on the Internet. The broader impact of this work is in that the team will develop a software library PlayCrypt with the goal to make cryptography more accessible to a larger population. Key-recovery attacks discussed in the literature lack precise models and rigorous estimates of success probability. To address this shortcoming, this project defines metrics for key-recovery security in order to enable rigorous claims about attacks and to be able to prove hedging theorems that complement moderately good security bounds under strong metrics with better bounds under these newly-developed key-recovery metrics. This is of great interest and value as key-recovery attacks are considered much more damaging in practice than violations of semantic security. Furthermore, this project defines security metrics for delegatable format-preserving encryption (FPE). FPE is widely used for in-place encryption of credit-card numbers, and delegation allows the damage from physical compromise of terminals to remain local. The project is also geared to inform current standardization efforts. As a third direction, this project considers client-to-server authentication over the Internet. Today's paradigm of passing the password to the server over a server-authenticated TLS (Transport Layer Security) channel exhibits many vulnerabilities. This project formalizes the notion of piggy-backed authentication which allows the client to convince the server of its identity without handing it its password yet designing this mechanism in such a fashion that allows its implementation within the current TLS-based web-security architecture in order to maximize the impact of this work in practice.

目前，几乎每周都有关于安全漏洞的报告，这些漏洞将密码或信用卡号码等私人信息暴露给网络犯罪分子。为了解决这个问题，本项目开发了理论基础和加密方法，并分析了这些新机制。该项目侧重于三个具有重大实际意义的领域：（1）由对手恢复加密密钥;（2）可委托的格式保留加密，例如，允许对信用卡号码进行就地加密，同时限制在妥协情况下的损害;以及（3）互联网上的用户身份验证。这项工作的更广泛的影响在于，该团队将开发一个软件库PlayCrypt，目标是使更多的人更容易使用密码学。文献中讨论的密钥恢复攻击缺乏精确的模型和严格的成功概率估计。为了解决这一缺点，该项目定义了密钥恢复安全性的指标，以使严格的索赔攻击，并能够证明对冲定理，补充适度良好的安全界限下的强指标，更好的界限下，这些新开发的密钥恢复指标。这是非常有趣和有价值的，因为密钥恢复攻击在实践中被认为比违反语义安全更具破坏性。此外，该项目定义了可委托格式保留加密（FPE）的安全度量。FPE被广泛用于信用卡号码的就地加密，并且委托允许终端的物理危害所造成的损害保持在本地。该项目还旨在为当前的标准化工作提供信息。作为第三个方向，该项目考虑通过Internet进行客户端到服务器的身份验证。目前，通过服务器认证的TLS（传输层安全）通道将密码传递给服务器的模式存在许多漏洞。这个项目正式的概念，背驮式身份验证，允许客户端说服服务器的身份，而不交给它的密码，但设计这种机制，使其实现在当前的TLS为基础的网络安全架构，以最大限度地发挥这项工作在实践中的影响。