Authenticated Encryption

Similar documents
Authenticated Encryption

Ac,ve a4acks on CPA- secure encryp,on

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Feedback Week 4 - Problem Set

CS155. Cryptography Overview

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CS155. Cryptography Overview

Cryptography Overview

Cryptography Overview

Symmetric Crypto MAC. Pierre-Alain Fouque

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Message authentication codes

Public key encryption: definitions and security

Cryptographic hash functions and MACs

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Cryptography 2017 Lecture 3

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Information Security CS526

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

COMP4109 : Applied Cryptography

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Online Cryptography Course. Basic key exchange. Trusted 3 rd par7es. Dan Boneh

symmetric cryptography s642 computer security adam everspaugh

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Authenticated encryption

Lecture 8 - Message Authentication Codes

The OCB Authenticated-Encryption Algorithm

symmetric cryptography s642 computer security adam everspaugh

Block ciphers, stream ciphers

Symmetric Encryption 2: Integrity

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

CS 495 Cryptography Lecture 6

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

ECE 646 Lecture 8. Modes of operation of block ciphers

The ElGamal Public- key System

Cryptography. Andreas Hülsing. 6 September 2016

Symmetric Cryptography

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Lecture 9 Authenticated Encryption

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Message Authentication ( 消息认证 )

The case for ubiquitous transport-level encryption

Unit 8 Review. Secure your network! CS144, Stanford University

Katz, Lindell Introduction to Modern Cryptrography

Scanned by CamScanner

Homework 3: Solution

Misuse-resistant crypto for JOSE/JWT

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

1 Achieving IND-CPA security

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Symmetric-Key Cryptography

The Secure Shell (SSH) Protocol

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

CS Computer Networks 1: Authentication

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Public key encryp4on: defini4ons and security

SSL/TLS. How to send your credit card number securely over the internet

COSC4377. Chapter 8 roadmap

Encryption. INST 346, Section 0201 April 3, 2018

Auth. Key Exchange. Dan Boneh

Summary on Crypto Primitives and Protocols

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

IP Security IK2218/EP2120

Goals of Modern Cryptography

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Cryptology complementary. Symmetric modes of operation

OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

Refresher: Applied Cryptography

Introduc)on to Cryptography. Credits: Slide credits to David Brumley, Dan Boneh (ß has a MOOC)

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Advanced Cryptography 1st Semester Symmetric Encryption

Introduction to Cryptography. Lecture 3

Pipelineable On-Line Encryption (POE)

On Symmetric Encryption with Distinguishable Decryption Failures

Storage encryption... what about data integrity?

Data Integrity & Authentication. Message Authentication Codes (MACs)

Randomness Extractors. Secure Communication in Practice. Lecture 17

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Uses of Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptography: Symmetric Encryption [continued]

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Kurose & Ross, Chapters (5 th ed.)

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Computer Security CS 526

Content of this part

: Practical Cryptographic Systems March 25, Midterm

Cryptography (cont.)

CLOC: Authenticated Encryption

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CSC 4900 Computer Networks: Security Protocols (2)

Computer Communication Networks Network Security

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Transcription:

18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption

Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption

Recap: the story so far Confidentiality: semantic security against a CPA attack Encryption secure against eavesdropping only Integrity: Existential unforgeability under a chosen message attack CBC-MAC, HMAC, PMAC, CW-MAC This module: encryption secure against tampering Ensuring both confidentiality and integrity

Sample tampering attacks TCP/IP: (highly abstracted) dest = 80 packet data WWW port = 80 source machine TCP/IP stack destination machine Bob port = 25

Sample tampering attacks IPsec: (highly abstracted) packet TCP/IP stack WWW port = 80 dest = 80 data k dest = 25 stuff packets encrypted using key k k Bob port = 25

Reading someone else s data Note: attacker obtains decryption of any ciphertext beginning with dest=25 IV, dest = 80 data WWW port = 80 k IV, Bob: dest = 25 data Easy to do for CBC with rand. IV k Bob port = 25 (only IV is changed)

IV, dest = 80 data IV, dest = 25 data Encryption is done with CBC with a random IV. What should IV be? m[0] = D(k, c[0]) IV = dest=80 IV = IV ( 25 ) IV = IV ( 80 ) IV = IV ( 80 ) ( 25 ) It can t be done

An attack using only network access Remote terminal app.: each keystroke encrypted with CTR mode TCP/IP packet IP hdr TCP hdr T D k k for all t, s send: 16 bit TCP checksum 1 byte keystroke IP hdr TCP hdr t s ACK if valid checksum, nothing otherwise { checksum(hdr, D) = t checksum(hdr, D s) } can find D

The lesson CPA security cannot guarantee secrecy under active attacks. Only use one of two modes: If message needs integrity but no confidentiality: use a MAC If message needs both integrity and confidentiality: use authenticated encryption modes (this module)

End of Segment

Online Cryptography Course Authenticated Encryption Definitions

Goals An authenticated encryption system (E,D) is a cipher where As usual: but E: K M N C D: K C N M { } Security: the system must provide sem. security under a CPA attack, and ciphertext is rejected ciphertext integrity: attacker cannot create new ciphertexts that decrypt properly

Ciphertext integrity Let (E,D) be a cipher with message space M. Chal. k K m 1 M c 1 E(k,m 1 ) m 2 c 2,, m q,, c q Adv. b c b=1 if D(k,c) and c { c 1,, c q } b=0 otherwise Def: (E,D) has ciphertext integrity if for all efficient A: Adv CI [A,E] = Pr[Chal. outputs 1] is negligible.

Authenticated encryption Def: cipher (E,D) provides authenticated encryption (AE) if it is (1) semantically secure under CPA, and (2) has ciphertext integrity Bad example: CBC with rand. IV does not provide AE D(k, ) never outputs, hence adv. easily wins CI game

Implication 1: authenticity Attacker cannot fool Bob into thinking a message was sent from Alice Alice k m 1,, m q c i = E(k, m i ) c Cannot create valid c { c 1,, c q } Bob k if D(k,c) Bob knows message is from someone who knows k (but message could be a replay)

Implication 2 Authenticated encryption Security against chosen ciphertext attacks (next segment)

End of Segment

Online Cryptography Course Authenticated Encryption Chosen ciphertext attacks

Example chosen ciphertext attacks Adversary has ciphertext c that it wants to decrypt Often, adv. can fool server into decrypting certain ciphertexts (not c) dest = 25 data data Often, adversary can learn partial information about plaintext TCP/IP packet ACK if valid checksum

Chosen ciphertext security Adversary s power: both CPA and CCA Can obtain the encryption of arbitrary messages of his choice Can decrypt any ciphertext of his choice, other than challenge (conservative modeling of real life) Adversary s goal: Break semantic security

Chosen ciphertext security: definition E = (E,D) cipher defined over (K,M,C). For b=0,1 define EXP(b): b Chal. k K for i=1,,q: (1) CPA query: m i,0, m i,1 M : m i,0 = m i,1 Adv. c i E(k, m i,b ) (2) CCA query: c i C : c i {c 1,, c i-1 } m i D(k, c i ) b {0,1}

Chosen ciphertext security: definition E is CCA secure if for all efficient A: Adv CCA [A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible. Example: CBC with rand. IV is not CCA-secure b Chal. k K m 0, m 1 : m 0 = m 1 =1 c E(k, m b ) = (IV, c[0]) c = (IV 1, c[0]) D(k, c ) = m b 1 Adv. b

Authenticated enc. CCA security Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure! In particular, for any q-query eff. A there exist eff. B 1, B 2 s.t. Adv CCA [A,E] 2q Adv CI [B 1,E] + Adv CPA [B 2,E]

Proof by pictures Chal. CPA query: m i,0, m i,1 Adv. Chal. CPA query: m i,0, m i,1 Adv. k K c i =E(k,m i, 0 ) CCA query: c i D(k,c i ) p p, CI c i =E(k,m i, 0 k K ) CCA query: c i p, CPA Chal. CPA query: m i,0, m i,1 Adv. Chal. CPA query: m i,0, m i,1 Adv. k K c i =E(k,m i, 1 ) p,ci k K c i =E(k,m i, 1 ) CCA query: c i CCA query: c i D(k,c i )

So what? Authenticated encryption: ensures confidentiality against an active adversary that can decrypt some ciphertexts Limitations: does not prevent replay attacks does not account for side channels (timing)

End of Segment

Online Cryptography Course Authenticated Encryption Constructions from ciphers and MACs

but first, some history Authenticated Encryption (AE): introduced in 2000 [KY 00, BN 00] Crypto APIs before then: (e.g. MS-CAPI) Provide API for CPA-secure encryption (e.g. CBC with rand. IV) Provide API for MAC (e.g. HMAC) Every project had to combine the two itself without a well defined goal Not all combinations provide AE

Combining MAC and ENC (CCA) Encryption key k E. MAC key = k I Option 1: (SSL) S(k I, m) msg m msg m tag E(k E, mlltag) Option 2: (IPsec) always correct msg m E(k E, m) S(k I, c) tag Option 3: (SSH) msg m E(k E, m) S(k I, m) tag

A.E. Theorems Let (E,D) be CPA secure cipher and (S,V) secure MAC. Then: 1. Encrypt-then-MAC: always provides A.E. 2. MAC-then-encrypt: may be insecure against CCA attacks however: when (E,D) is rand-ctr mode or rand-cbc M-then-E provides A.E. for rand-ctr mode, one-time MAC is sufficient

Standards (at a high level) GCM: CTR mode encryption then CW-MAC (accelerated via Intel s PCLMULQDQ instruction) CCM: CBC-MAC then CTR mode encryption (802.11i) EAX: CTR mode encryption then CMAC All support AEAD: (auth. enc. with associated data). All are nonce-based. encrypted associated data authenticated encrypted data

MAC Security -- an explanation Recall: MAC security implies (m, t) (m, t ) Why? Suppose not: (m, t) (m, t ) Then Encrypt-then-MAC would not have Ciphertext Integrity!! b Chal. k K m 0, m 1 c E(k, m b ) = (c 0, t) c = (c 0, t ) c Adv. (c 0, t) (c 0, t ) b D(k, c ) = m b

OCB: a direct construction from a PRP More efficient authenticated encryption: one E() op. per block. m[0] m[1] m[2] m[3] P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) E(k, ) E(k, ) E(k, ) E(k, ) P(N,k,0) checksum E(k, ) P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) auth c[0] c[1] c[2] c[3] c[4]

Performance: Crypto++ 5.6.0 [ Wei Dai ] AMD Opteron, 2.2 GHz ( Linux) Cipher code Speed size (MB/sec) AES/GCM large ** 108 AES/CTR 139 AES/CCM smaller 61 AES/CBC 109 AES/EAX smaller 61 AES/CMAC 109 AES/OCB 129 * HMAC/SHA1 147 * extrapolated from Ted Kravitz s results ** non-intel machines

End of Segment

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback