Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Transcription

1 Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key Encryption Encryption RSA ElGamal Public Key Encryption Message Authentication Codes Message Authentication Authentication Digital Signature Entity Authentication Based on slides from Dan Boneh COMP 7/ Kan Yang 1 COMP 7/ Kan Yang 2 Learning Objectives Semantic Security for many time key (Chosen Plaintext Attack) How to use Block Cipher (many time key) Cipher Block Chaining (CBC) Model Counter (CTR) Model How to use PRPs (Block Ciphers)? Goal: build secure encryption from a secure PRP (e.g. AES). one-time keys (semantic security) 1. Adversary s power: Adv sees only one ciphertext (one-time key) 2. Adversary s goal: Learn info about PT from CT (semantic security) many-time keys (chosen-plaintext security) COMP 7/ Kan Yang 3 COMP 7/ Kan Yang 4 1

2 ECB is not Semantically Secure ECB is not semantically secure for messages that contain more than one block. bî{0,1} Two blocks m 0 = Hello World A m 1 = Hello Hello (c 1,c 2 ) E(k, m b ) Det. Counter Mode Deterministic counter mode from a PRF F: K 0, 1 ) 0,1 ) E DETCTR (k, m) = Å m[0] m[1] m[l] F(k,0) F(k,1) F(k,L) c[0] c[1] c[l] Then Adv SS [A, ECB] = 1 If c 1 =c 2 output 0, else output 1 COMP 7/ Kan Yang 5 Stream cipher built from a PRF (e.g. AES, 3DES) COMP 7/ Kan Yang 6 Semantic Security for many-time key Key used more than once adv. sees many CTs with same key How to use PRPs (Block Ciphers) with many time key? Adversary s power: chosen-plaintext attack (CPA) Can obtain the encryption of arbitrary messages of his choice (conservative modeling of real life) Adversary s goal: Break semantic security COMP 7/ Kan Yang 7 COMP 7/ Kan Yang 8 2

3 Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b m 1,0, m 1,1 Î M : m 1,0 = m 1,1 b m 2,0, m 2,1 Î M : m 2,0 = m 2,1 c 1 E(k, m 1,b ) c 2 E(k, m 2,b ) COMP 7/ Kan Yang 9 COMP 7/ Kan Yang 10 b Semantic Security for many-time key (CPA security) E = (E,D) a cipher defined over (K,M,C). for i=1,,q: m i,0, m i,1 Î M : m i,0 = m i,1 c i E(k, m i,b ) For b=0,1 define EXP(b) as: if adv. wants c = E(k, m) it queries with m j,0 = m j,1 =m Def: E is sem. sec. under CPA if for all efficient A: Adv CPA [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. b Î {0,1} Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: m 0, m 0 Î M c 0 E(k, m 0 ) m 0, m 1 Î M c E(k, m b ) output 0 if c = c 0 So what? an attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc. Leads to significant attacks when message space M is small COMP 7/ Kan Yang 11 COMP 7/ Kan Yang 12 3

4 Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: m 0, m 0 Î M c 0 E(k, m 0 ) m 0, m 1 Î M c E(k, m b ) output 0 if c = c 0 If secret key is to be used multiple times Þ given the same plaintext message twice, encryption must produce different outputs. Solution 1: randomized encryption E(k,m) is a randomized algorithm: m 0 enc dec m 0 m 1 m 1 encrypting same msg twice gives different ciphertexts (w.h.p) ciphertext must be longer than plaintext Roughly speaking: CT-size = PT-size + # random bits COMP 7/ Kan Yang 13 COMP 7/ Kan Yang 14 Let F: K R M be a secure PRF. R For m M define E(k,m) = [ r R, output (r, F(k,r) m) ] Is E semantically secure under CPA? Yes, whenever F is a secure PRF No, there is always a CPA attack on this system Yes, but only if R is large enough so r never repeats (w.h.p) It depends on what F is used COMP 7/ Kan Yang 15 Solution 2: nonce-based Encryption nonce n: a value that changes from msg to msg. nonce Alice m, n E(k,m,n)=c E k (k,n) pair never used more than once method 1: nonce is a counter (e.g. packet counter) used when encryptor keeps state from msg to msg if decryptor has same state, need not send nonce with CT Bob method 2: encryptor chooses a random nonce, n N c, n D(k,c,n)=m D COMP 7/ Kan Yang 16 k 4

5 b CPA security for nonce-based encryption System should be secure when nonces are chosen adversarially. for i=1,,q: n i and m i,0, m i,1 : m i,0 = m i,1 c E(k, m i,b, n i ) b Î {0,1} All nonces {n 1,, n q } must be distinct. Def: nonce-based E is sem. sec. under CPA if for all efficient A: Adv ncpa [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. Let F: K R M be a secure PRF. Let r = 0 initially. For m M define E(k,m) = [ r++, output (r, F(k, r) m) ] Is E CPA secure nonce-based encryption? Yes, whenever F is a secure PRF No, there is always a nonce-based CPA attack on this system Yes, but only if R is large enough so r never repeats It depends on what F is used COMP 7/ Kan Yang 17 COMP 7/ Kan Yang 18 How to use Block Cipher (many time key) How to use Block Cipher (many time key) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. Operation Models: Cipher Block Chaining (CBC) Model Counter (CTR) Model COMP 7/ Kan Yang 19 COMP 7/ Kan Yang 20 5

6 Construction 1: Random CBC (with random ) Decryption circuit Let (E,D) be a PRP. E CBC (k,m): choose random X and do: In symbols: c[0] = E(k, m[0] ) m[0] = D(k, c[0]) m[0] m[1] m[2] m[3] Å Å Å Å c[0] c[1] c[2] c[3] E(k, ) E(k, ) E(k, ) E(k, ) D(k, ) D(k, ) D(k, ) D(k, ) c[0] c[1] c[2] c[3] ciphertext COMP 7/ Kan Yang 21 Å Å Å Å m[0] m[1] m[2] m[3] COMP 7/ Kan Yang 22 CBC: CPA Analysis An example CBC Theorem: For any L>0, If E is a secure PRP over (K,X) then E CBC is a sem. sec. under CPA over (K, X L, X L+1 ). In particular, for a q-query adversary A attacking E CBC there exists a PRP adversary B s.t.: Adv CPA [A, E CBC ] 2 Adv PRP [B, E] + 2 q 2 L 2 / X q = # messages encrypted with k, L = length of max message Adv CPA [A, E CBC ] 2 PRP Adv[B, E] + 2 q 2 L 2 / X Suppose we want Adv CPA [A, E CBC ] 1/2 32 q 2 L 2 / X < 1/ 2 32 AES: X = q L < 2 48 So, after 2 48 AES blocks, must change key Note: CBC is only secure as long as q 2 L 2 << X 3DES: X = 2 64 q L < 2 16 COMP 7/ Kan Yang 23 COMP 7/ Kan Yang 24 6

7 Warning: an attack on CBC with rand. CBC where attacker can predict the is not CPA-secure!! Suppose given c E CBC (k,m) can predict for next message 0 Î X c 1 [ 1, E(k, 0 1 ) ] m 0 = 1, m 1 m 0 c [, E(k, 1 ) ] or c [, E(k, m 1 ) ] predict output 0 if c[1] = c 1 [1] Bug in SSL/TLS 1.0: for record #i is last CT block of record #(i-1) COMP 7/ Kan Yang 25 Construction 1 : nonce-based CBC Cipher block chaining with unique nonce: key = (k,k 1 ) unique nonce means: (key, n) pair is used for only one message nonce m[0] m[1] m[2] m[3] Å Å Å Å E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) nonce c[0] c[1] c[2] c[3] included only if unknown to decryptor ciphertext COMP 7/ Kan Yang 26 An example Crypto API (OpenSSL) A CBC technicality: padding void AES_cbc_encrypt( const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, user supplies AES_ENCRYPT or AES_DECRYPT); E(k 1, ) ʹ m[0] m[1] m[2] m[3] ll pad Å Å Å Å E(k, ) E(k, ) E(k, ) E(k, ) c[0] c[1] c[2] c[3] When nonce is non random need to encrypt it before use COMP 7/ Kan Yang 27 TLS: for n>0, n byte pad is n n if no pad needed, add a dummy block n n removed during decryption COMP 7/ Kan Yang 28 7

8 How to use Block Cipher (many time key) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. Operation Models: Cipher Block Chaining (CBC) Model Counter (CTR) Model Construction 2: rand ctr-mode Let F: K {0,1} n {0,1} n be a secure PRF. E(k,m): choose a random Î {0,1} n and do: msg m[0] m[1] m[l] F(k,) F(k,+1) F(k,+L) c[0] c[1] c[l] ciphertext Å COMP 7/ Kan Yang 29 note: parallelizable (unlike CBC) COMP 7/ Kan Yang 30 Construction 2 : nonce ctr-mode msg m[0] m[1] F(k,) F(k,+1) m[l] F(k,+L) c[0] c[1] c[l] 128 bits ciphertext To ensure F(k,x) is never used more than once, choose as: : Å nonce counter starts at 0 64 bits 64 bits for every msg COMP 7/ Kan Yang 31 rand ctr-mode (rand. ): CPA analysis Counter-mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E CTR is a sem. sec. under CPA over (K,X L,X L+1 ). In particular, for a q-query adversary A attacking E CTR there exists a PRF adversary B s.t.: Adv CPA [A, E CTR ] 2 Adv PRF [B, F] + 2 q 2 L / X Note: ctr-mode only secure as long as q 2 L << X. Better than CBC! COMP 7/ Kan Yang 32 8

9 An example q = # messages encrypted with k, L = length of max message Adv CPA [A, E CTR ] 2 Adv PRF [B, E] + 2 q 2 L / X Suppose we want Adv CPA [A, E CTR ] 1/2 32 q 2 L / X < 1/ 2 32 AES: X = q L 1/2 < 2 48 So, after 2 32 CTs each of len 2 32, must change key (total of 2 64 AES blocks) Comparison: ctr vs. CBC CBC ctr mode uses PRP PRF parallel processing No Yes Security of rand. enc. q^2 L^2 << X q^2 L << X dummy padding block Yes No 1 byte msgs (nonce-based) 16x expansion no expansion (for CBC, dummy padding block can be solved using ciphertext stealing) COMP 7/ Kan Yang 33 COMP 7/ Kan Yang 34 Summary PRPs and PRFs: a useful abstraction of block ciphers. We examined two security notions: (security against eavesdropping) 1. Semantic security against one-time CPA. 2. Semantic security against many-time CPA. Note: neither mode ensures data integrity. Further reading A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997 Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004 Stated security results summarized in the following table: Power one-time key Many-time key (CPA) Goal Sem. Sec. steam-ciphers det. ctr-mode rand CBC rand ctr-mode CPA and integrity later COMP 7/ Kan Yang 35 COMP 7/ Kan Yang 36 9