Symmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Transcription

1 Symmetric and Password- based encrypdon CS642: Computer Security Professor Ristenpart h9p:// rist at cs dot wisc dot edu University of Wisconsin CS 642

2 Symmetric encrypdon key generadon R k Kg Handled in TLS key exchange OpDonal K R M Enc C C Dec M or error C is a ciphertext Correctness: D( K, E(K,M,R) ) = M with probability 1 over randomness used

3 In TLS symmetric encrypdon underlies the Record Layer h9p://amazon.com K K R M Enc C C Dec M or error What security properdes do we need from symmetric encrypdon? 1) ConfidenDality: should not learn any informadon about M 2) AuthenDcity: should not be able to forge messages O\en referred to as AuthenDcated EncrypDon security

4 AcDve security of CBC mode IV M1 M2 M3 E K E K E K C0 C1 C2 C3 What about forging a message? Pick any C0, C1 IV M1 D K Be9er yet for any D: IV M1 D D K C0 C1 C0 D C1

5 Hash funcdons and message authendcadon Hash funcdon H maps arbitrary bit string to fixed length string of size m M H H(M) MD5: m = 128 bits SHA- 1: m = 160 bits SHA- 256: m = 256 bits Some security goals: - collision resistance: can t find M!= M such that H(M) = H(M ) - preimage resistance: given H(M), can t find M - second- preimage resistance: given H(M), can t find M s.t. H(M ) = H(M)

6 Hash funcdon applicadon example Password hashing. Choose random salt and store (salt,h) where: salt pw H h The idea: A9acker, given (salt,h), should not be able to recover pw Or can they? For each guess pw : If H(salt pw ) = h then Ret pw Rainbow tables speed this up in pracdce by way of precompudon. Large salts make rainbow tables impracdcal

7 Message authendcadon key generadon OpDonal. If no randomness, then called a Message AuthenDcaDon Code (MAC) R k Kg K R M Tag T M T Ver 0 or 1 Correctness: Ver( K, Tag(K,M,R) ) = 1 with probability 1 over randomness used Unforgeability: A9acker can t find M,T such that V(K,M,T) = 1

8 Recall PRF security F: {0,1} k x {0,1} * - > {0,1} n Security goal: F(K,M) is indisdnguishable from random n- bit string for anyone without K For M 1, M 2,, M q chosen by adversary and disdnct F(K,M 1 ), F(K,M 2 ),, F(K,M q ) U i is fresh n- bit uniform string U 1, U 2,, U q Adversary that adapdvely chooses messages but is limited to reasonable q (e.g., q = 2 40 ) can t disdnguish between two vectors This means outputs of F are unpredictable: Given F(K,M 1 ), F(K,M 2 ),, F(K,M q- 1 ) no a9acker can predict F(K,M q ) with probability 1 / 2 n + negligible

9 Any PRF is a good MAC OpDonal. If no randomness, then called a Message AuthenDcaDon Code (MAC) R k Kg K R M Tag T M T Ver 0 or 1 Correctness: Ver( K, Tag(K,M,R) ) = 1 with probability 1 over randomness used Unforgeability: A9acker can t find M,T such that V(K,M,T) = 1

10 Any PRF is a good MAC R k Kg key generadon picks uniform key for F K M M F(K,M) T F(K,M) = T? T 0 or 1 How do we instandate F?

11 Message authendcadon with HMAC Use a hash funcdon H to build a MAC. Kg outputs uniform bit string K Tag(K,M) = HMAC(K,M) defined by: K ipad M H ipad!= opad are constants K opad h H T To verify a M,T pair, check if HMAC(K,M) = T Unforgeability holds if H is a secure PRF when so- keyed

12 Build a new scheme from CBC and HMAC Kg outputs CBC key K1 and HMAC key K2 Several ways to combine: (1) encrypt- then- mac (2) mac- then- encrypt (3) encrypt- and- mac (1) M K1 CBC HMAC K2 C T (3) M (2) M T M K1 CBC HMAC K2 K1 CBC HMAC K2 C T C

13 Build a new scheme from CBC and HMAC Kg outputs CBC key K1 and HMAC key K2 Several ways to combine: (1) encrypt- then- mac (2) mac- then- encrypt (3) encrypt- and- mac (1) M K1 CBC HMAC K2 C T Thm. If encrypdon scheme provides confidendality against passive a9ackers and MAC provides unforgeability, then Encrypt- then- MAC provides secure authendcated encrypdon

14 TLS record protocol: MAC- Encode- Encrypt (MEE) SQN + comp method MAC Payload Padding is not MAC d. ImplementaDons must handle padding checks very carefully. Payload MAC tag Padding Encrypt Header Ciphertext MAC Encrypt HMAC- MD5, HMAC- SHA1, HMAC- SHA256 CBC- AES128, CBC- AES256, CBC- 3DES, RC4-128

15 Dedicated authendcated encrypdon schemes A"ack Inventors Notes OCB (Offset Codebook) GCM (Galios Counter Mode) Rogaway McGrew, Viega One- pass CTR mode plus specialized MAC CWC Kohno, Viega, WhiDng CTR mode plus Carter- Wegman MAC CCM EAX Housley, Ferguson, WhiDng Wagner, Bellare, Rogaway CTR mode plus CBC- MAC CTR mode plus OMAC

16 Symmetric EncrypDon Advice Never use CTR mode or CBC mode by themselves Passive security is almost never good enough!! Encrypt- then- MAC be9er than MAC- then- Encrypt, Encrypt and MAC Dedicated modes that have been analyzed thoroughly are also good

17 Password- based symmetric encrypdon OpDonal pw R M Enc C C Dec M or error C is a ciphertext Correctness: D( pw, E(pw,M,R) ) = M with probability 1 over randomness used

18 Encrypt- then- MAC with CBC and HMAC IV M1 M2 M3 E K1 E K1 E K1 C0 C1 C2 C3 K2 ipad C H K2 opad h H T Ciphertext is C,T How do we use with a pw?

19 Password- based Key DeriviaDon (PBKDF) PBKDF(pw,salt): Truncate if needed pw salt 1 H H H K1 pw salt 2 H H H K2 repeat c Dmes

20 PBKDF + Symmetric encrypdon yields PW- based encrypdon Enc(pw,M,R): salt R = R K = PBKDF(pw,salt) C = Enc (K,M,R ) Return (salt,c) Dec(pw,C): salt C = C K = PBKDF(pw,salt) M = Enc (K,C ) Return M Here Enc is a normal symmetric encrypdon scheme (CBC+HMAC) A9acks?

21 Rank Password Number of Users with Password (absolute) Password iloveyou princess rockyou abc Rank Password Number of Users with Password (absolute) 11 Nicole Daniel babygirl monkey Jessica Lovely michael Ashley Qwerty From an Imperva study of released RockMe.com password database 2010

22 Brute- force a9acks Given known plaintext, ciphertext pair: M and C = Enc(pw,M) Enumerate a dicdonary D of possible passwords, in order of likelihood BruteForce1(M,C): R C = C foreach pw* in D do C* = Enc(pw*,M,R) If C* = C then Return pw* R is salt IV in CBC- based modes Both are public: C = salt IV C1 IV C0 M1 E K1 C1

23 Brute- force a9acks Given known plaintext, ciphertext pair: M and C = Enc(pw,M) Enumerate a dicdonary D of possible passwords, in order of likelihood BruteForce1(M,C): R C = C foreach pw* in D do C* = Enc(pw*,M,R) If C* = C then Return pw* BruteForce2(C): foreach pw* in D do M* = Dec(pw*,C) If M* looks right then Return (pw*,m*)

24 PBKDF design a9empts to slow down brute- force a9acks Truncate if needed pw salt 1 H H H K1 IteraDng c Dmes should slow down a9acks by factor of c Salts: Different derived keys, even if same password Slows down a9acks against muldple users Prevents precomputadon a9acks, if salts chosen correctly

25 Say c = Generous back of envelope* suggests that in 1 second, can test 252 passwords and so a naïve brute- force: 6 numerical digits 10 6 = 1,000,000 6 lower case alphanumeric digits 8 alphanumeric + 10 special symbols 36 6 = 2,176,782, = 722,204,136,308,736 ~ 3968 seconds ~ 99 days ~ 33million days * I did the arithmedc

26 WPA passwords AP PMK = PBKDF( pw, ssid ssidlength ) with c = 4096 PTK = H( PMK ANonce SNonce AP MAC address STA MAC address ) MIC = HMAC- MD5(PTK, 2 nd message) So a\er sniffing one handshake by another party, we can mount offline brute force a9ack

27 WPA passwords AP PMK = PBKDF( pw, ssid ssidlength ) with c = 4096 PTK = H( PMK ANonce SNonce AP MAC address STA MAC address ) MIC = HMAC- MD5(PTK, 2 nd message) BruteForce(MIC,ANonce,SNonce,2 nd message): foreach pw* in D do PMK* = PBKDF(pw*,ssid ssidlength) PTK* = H(PMK* ANonce ) MIC* = HMAC- MD5(PTK*, 2 nd message) If MIC* = MIC then Return pw*

28 We can also use precomputadon for common SSID s PMK = F(pw,ssid) MIC = G(PMK,data) PMK = PBKDF( pw, ssid ssidlength ) with c = 4096 PTK = H( PMK ANonce SNonce AP MAC address STA MAC address ) MIC = HMAC- MD5(PTK, 2 nd message) Offline(D,SsidList): foreach pw* in D do foreach ssid* in Ssidlist do PMK* = F(pw*,ssid*) T[PMK*] = pw* Add PMK* to P[ssid*] Return P,T Online(P,T,MIC,ANonce, ): foreach PMK* in P[ssid] do MIC* = G(PMK*,data) If MIC* = MIC then Return T[PMK*] Time- space trade- off

29 Password recap Short passwords can be cracked easily See also: JohnTheRipper, aircrack, tools SalDng and iteradon are helpful and needed Salts must be sufficiently large and unpredictable SDll possible to crack in some cases From xkcd.com