Jump to Content
Emilia Kasper

Emilia Kasper

Emilia joined Google in 2011 and is currently part of the Information Security Engineering team where she focuses on secure API design. She is a co-author of Google's Certificate Transparency proposal and a member of the OpenSSL development team. She has published papers on high-speed cryptography and holds a PhD from KU Leuven, Belgium.
Authored Publications
Google Publications
Other Publications
Sort By
  • Title
  • Title, desc
  • Year
  • Year, desc
    DROWN: Breaking TLS using SSLv2
    Christoph Paar
    David Adrian
    J. Alex Halderman
    Jens Steube
    Juraj Somorovsky
    Luke Valenta
    Maik Dankel
    Nadia Heninger
    Nimrod Aviram
    Sebastian Schinzel
    Shaanan Cohney
    Susanne Engels
    Viktor Dukhovni
    Yuval Shavitt
    25th USENIX Security Symposium (2016)
    Preview abstract We present DROWN, a novel cross-protocol attack that can decrypt passively collected TLS sessions from upto-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle. We present two versions of the attack. The more general form exploits a combination of thus-far unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher attack. A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 2 50 offline work to decrypt a 2048-bit RSA TLS ciphertext. (The victim client never initiates SSLv2 connections.) We implemented the attack and can decrypt a TLS 1.2 handshake using 2048- bit RSA in under 8 hours using Amazon EC2, at a cost of $440. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack, due to widespread key and certificate reuse. For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. 26% of HTTPS servers are vulnerable to this attack. We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 225 SSLv2 connections and 265 offline work. We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem. View details
    The Dangers of Composing Anonymous Channels
    George Danezis
    Information Hiding - 14th International Conference, IH 2012, Revised Selected Papers, Springer, Lecture notes in Computer Science (2013), pp. 191-206
    Preview abstract We present traffic analyses of two anonymous communications schemes that build on the classic Crowds/Hordes protocols. The AJSS10 [1] scheme combines multiple Crowds-like forward channels with a Hordes reply channel in an attempt to offer robustness in a mobile environment. We show that the resulting scheme fails to guarantee the claimed k-anonymity, and is in fact more vulnerable to malicious peers than Hordes, while suffering from higher latency. Similarly, the RWS11 [15] scheme invokes multiple instances of Crowds to provide receiver anonymity. We demonstrate that the sender anonymity of the scheme is susceptible to a variant of the predecessor attack [21], while receiver anonymity is fully compromised with an active attack. We conclude that the heuristic security claims of AJSS10 and RWS11 do not hold, and argue that composition of multiple anonymity channels can in fact weaken overall security. In contrast, we provide a rigorous security analysis of Hordes under the same threat model, and reflect on design principles for future anonymous channels to make them amenable to such security analysis. View details
    Fast Elliptic Curve Cryptography in OpenSSL
    Financial Cryptography and Data Security: FC 2011 Workshops, RLCPS and WECSR, Springer
    Preview abstract We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224. Our implementation is fully integrated into OpenSSL 1.0.1: full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. In addition, our implementation is immune to timing attacks - most notably, we show how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation. To put our results in context, we also discuss the various security performance trade-offs available to TLS applications. View details
    No Results Found