Lecture 9 Authenticated Encryption

COSC-260 Codes and Ciphers, Adam O'Neill. Adapted from http://cseweb.ucsd.edu/~mihir/cse107/

Setting the Stage

We have previously studied the goals of privacy and authenticity in isolation.
Privacy: symmetric-key encryption and IND-CPA security.
Authenticity: message authentication codes and UF-CMA security.
But many (most) applications require both.

Medical Example

Privacy: nobody but Alice can read her medical record.
Authenticity: Alice is assured that only her doctor modified it.

Authenticated Encryption (AE)

Syntactically, an authenticated encryption scheme is just a symmetric encryption scheme AE = (K, E, D) where
K is a key generation algorithm that outputs a key K;
E is an encryption algorithm that on input a key K and a message M outputs a ciphertext C;
D is a decryption algorithm that on input a key K and a ciphertext C outputs either a message M or ⊥ (reject).
Correctness: D_K(E_K(M)) = M for every key K and message M.

Privacy of AE

Just the standard IND-CPA definition.

Integrity of AE (INT-CTXT, integrity of ciphertexts)

Let AE = (K, E, D) be a symmetric encryption scheme and A an adversary.

Game INT-CTXT_AE
  procedure Initialize
    K ←$ K ; S ← ∅
  procedure Enc(M)
    C ←$ E_K(M) ; S ← S ∪ {C}
    return C
  procedure Finalize(C)
    M ← D_K(C)
    if (C ∉ S and M ≠ ⊥) then return true
    else return false

The int-ctxt advantage of A is Adv^int-ctxt_AE(A) = Pr[INT-CTXT^A_AE ⇒ true]. That is, A wins if it outputs a ciphertext that was never returned by Enc yet decrypts to a message rather than ⊥.

Our Goal

We are interested in constructing symmetric-key encryption schemes that are both
IND-CPA (to provide privacy), and
INT-CTXT (to provide integrity).

Plain Encryption Doesn't Work

CBC$ encryption with a block cipher E: {0,1}^k × {0,1}^n → {0,1}^n:

Alg E_K(M)
  C[0] ←$ {0,1}^n
  for i = 1, ..., m do
    C[i] ← E_K(C[i-1] ⊕ M[i])
  return C

Alg D_K(C)
  for i = 1, ..., m do
    M[i] ← E_K^{-1}(C[i]) ⊕ C[i-1]
  return M

Question: Is CBC$ encryption INT-CTXT secure?
No! Decryption never returns ⊥: every sequence of blocks C[0]C[1]...C[m] is a valid ciphertext.

The Attack

Adversary A: pick any C = C[0]C[1] ←$ {0,1}^{2n} and return it to Finalize, without making any Enc query. Then S is empty, so C ∉ S, and D_K(C) returns a message rather than ⊥. A wins with Adv^int-ctxt_AE(A) = 1.

Encryption with Redundancy

(Figure: the CBC chain C[0] → M[1] ⊕ → E_K → C[1] → M[2] ⊕ → E_K → C[2] → ... → M[m] ⊕ → E_K → C[m] → h(M) ⊕ → E_K → C[m+1].)

Let E: {0,1}^k × {0,1}^n → {0,1}^n be our block cipher and h: {0,1}^* → {0,1}^n a redundancy function. Let SE = (K, E', D') be CBC$ encryption and define the encryption-with-redundancy scheme AE = (K, E, D) via

Alg E_K(M)
  M[1]...M[m] ← M
  M[m+1] ← h(M)
  C ←$ E'_K(M[1]...M[m]M[m+1])
  return C

Alg D_K(C)
  M[1]...M[m]M[m+1] ← D'_K(C)
  if (M[m+1] = h(M[1]...M[m])) then return M[1]...M[m]
  else return ⊥

The Attack

Adversary A
  let M = M[1]...M[m] be an arbitrary m-block message
  C[0]C[1]...C[m+1]C[m+2] ←$ Enc(M || h(M))
  return C[0]C[1]...C[m+1]

Why it works: the Enc query encrypts the (m+1)-block message M || h(M) followed by its own redundancy block h(M || h(M)). In CBC$, dropping the last ciphertext block leaves a valid CBC$ encryption of the prefix, so C[0]...C[m+1] decrypts to M[1]...M[m] h(M), the check M[m+1] = h(M[1]...M[m]) passes, and D_K returns M. This ciphertext was never returned by Enc, so A wins with advantage 1. The attack does not depend on the choice of h: no redundancy function rescues this scheme.

WEP Attack

In around 2000 the 802.11 wireless protocol WEP was attacked for exactly this reason: it used encryption with redundancy, with a particular CRC (a linear checksum) as the redundancy function.
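The INT-CTXT game and the two attacks above (the trivial forgery against plain CBC$ and the ciphertext-truncation forgery against encryption with redundancy), as an added, runnable example that is not part of the lecture. Assumptions: a toy 32-byte Feistel cipher built from HMAC-SHA256 stands in for the block cipher E_K (the attacks do not depend on the cipher), SHA-256 is used as the redundancy function h, and the sample message is constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 32    # toy block size in bytes: two 16-byte Feistel halves
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:16]


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_K (assumption: stands in for a real block cipher)."""
    l, r = block[:16], block[16:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def prp_decrypt(key: bytes, block: bytes) -> bytes:
    """E_K^{-1}: undo the Feistel rounds in reverse order."""
    l, r = block[:16], block[16:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, m: list) -> list:
    """CBC$: random IV C[0], then C[i] = E_K(C[i-1] xor M[i])."""
    c = [os.urandom(BLOCK)]
    for mi in m:
        c.append(prp_encrypt(key, xor(c[-1], mi)))
    return c


def cbc_decrypt(key: bytes, c: list) -> list:
    """Plain CBC$ decryption never returns bottom: any block sequence decrypts."""
    return [xor(prp_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c))]


def redundancy(m: list) -> bytes:
    """h(M): the one-block redundancy value appended before encryption."""
    return hashlib.sha256(b"".join(m)).digest()


def ewr_encrypt(key: bytes, m: list) -> list:
    return cbc_encrypt(key, m + [redundancy(m)])


def ewr_decrypt(key: bytes, c: list):
    """Returns M if the last recovered block equals h(M), else None (bottom)."""
    p = cbc_decrypt(key, c)
    if not p:
        return None
    body, tag = p[:-1], p[-1]
    return body if hmac.compare_digest(tag, redundancy(body)) else None


def int_ctxt_game(key_gen, enc, dec, adversary) -> bool:
    """The INT-CTXT game: Initialize picks K and S = {}, Enc records every
    ciphertext it returns, Finalize accepts C iff C not in S and D_K(C) != bottom."""
    key = key_gen()
    seen = []

    def enc_oracle(m):
        c = enc(key, m)
        seen.append(c)
        return c

    c = adversary(enc_oracle)
    return c not in seen and dec(key, c) is not None


def attack_plain_cbc(enc_oracle) -> list:
    """Against plain CBC$: any fresh ciphertext works, decryption never rejects."""
    return [os.urandom(BLOCK), os.urandom(BLOCK)]


def attack_redundancy(enc_oracle) -> list:
    """Against encryption with redundancy: query Enc(M || h(M)) to get C[0..m+2];
    the prefix C[0..m+1] is a CBC$ encryption of M || h(M) and passes the check."""
    m = [b"A" * BLOCK, b"B" * BLOCK]     # constructed sample message, m = 2 blocks
    c = enc_oracle(m + [redundancy(m)])
    return c[:-1]


def keygen() -> bytes:
    return os.urandom(16)


def run() -> tuple:
    """Returns (plain CBC$ forged?, encryption-with-redundancy forged?)."""
    plain_cbc_broken = int_ctxt_game(keygen, cbc_encrypt, cbc_decrypt, attack_plain_cbc)
    redundancy_broken = int_ctxt_game(keygen, ewr_encrypt, ewr_decrypt, attack_redundancy)
    return plain_cbc_broken, redundancy_broken
```

Both games return True: the adversary's output is accepted by the decryptor although Enc never produced it. The redundancy forgery needs exactly one encryption query and works for any h, which is why the fix must bind the tag to the ciphertext (or use a proper MAC) rather than append a checksum to the plaintext.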

Generic Composition

Build an authenticated encryption scheme AE = (K, E, D) by combining
a given IND-CPA symmetric encryption scheme SE = (K', E', D'), and
a given PRF F: {0,1}^k × {0,1}^* → {0,1}^n.

A key K = K_e || K_m for AE always consists of a key K_e for SE and a key K_m for F:

Alg K
  K_e ←$ K' ; K_m ←$ {0,1}^k
  return K_e || K_m

Possibilities

The order in which the primitives are applied is important. We consider:

Method                    Usage
Encrypt-and-MAC (E&M)     SSH
MAC-then-encrypt (MtE)    SSL/TLS
Encrypt-then-MAC (EtM)    IPsec

Encrypt-and-MAC

AE = (K, E, D) is defined by

Alg E_{K_e||K_m}(M)
  C' ←$ E'_{K_e}(M)
  T ← F_{K_m}(M)
  return C' || T

Alg D_{K_e||K_m}(C' || T)
  M ← D'_{K_e}(C')
  if (T = F_{K_m}(M)) then return M
  else return ⊥

Security Analysis (E&M)

IND-CPA: insecure. The tag T = F_{K_m}(M) is a deterministic function of the plaintext, so it reveals whether two ciphertexts encrypt the same message.

Adversary A
  let M_1, M_2 be distinct messages
  C_1 || T_1 ←$ LR(M_1, M_2)
  C_2 || T_2 ←$ LR(M_1, M_1)
  if (T_1 = T_2) then return 0
  else return 1

In the left world both queries yield T = F_{K_m}(M_1), so A returns 0; in the right world T_1 = F_{K_m}(M_2) ≠ F_{K_m}(M_1) = T_2 except with negligible probability, so A returns 1. A's IND-CPA advantage is close to 1.

MAC-then-Encrypt

AE = (K, E, D) is defined by

Alg E_{K_e||K_m}(M)
  T ← F_{K_m}(M)
  C ←$ E'_{K_e}(M || T)
  return C

Alg D_{K_e||K_m}(C)
  M || T ← D'_{K_e}(C)
  if (T = F_{K_m}(M)) then return M
  else return ⊥

Security Analysis (MtE)

IND-CPA: secure, since the ciphertext is just an E' encryption of M || T.
INT-CTXT: insecure in general. Idea: let SE' = (K', E', D') be any IND-CPA secure symmetric encryption scheme and F: {0,1}^k × {0,1}^* → {0,1}^n any PRF. We construct from SE' an IND-CPA secure symmetric encryption scheme SE = (K, E, D) such that MAC-then-encrypt built from F and SE is not INT-CTXT secure. (The standard construction: E appends one extra bit to the E' ciphertext and D ignores it. Flipping that bit turns any legitimate ciphertext into a new one that still decrypts, and the tag check passes because the plaintext is unchanged.)

Encrypt-then-MAC

AE = (K, E, D) is defined by

Alg E_{K_e||K_m}(M)
  C' ←$ E'_{K_e}(M)
  T ← F_{K_m}(C')
  return C' || T

Alg D_{K_e||K_m}(C' || T)
  M ← D'_{K_e}(C')
  if (T = F_{K_m}(C')) then return M
  else return ⊥

Security Analysis (EtM)

One can prove that Encrypt-then-MAC yields an IND-CPA + INT-CTXT secure authenticated encryption scheme given any IND-CPA secure symmetric encryption scheme and any secure PRF (MAC). Intuitively, producing a new C' || T that passes the check requires forging F on a new input, and because T is computed on the ciphertext it reveals nothing about M beyond what C' already does. In practice the decryptor should verify T before decrypting C', so that a forged ciphertext triggers no plaintext-dependent computation.
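The three compositions side by side, as an added example that is not part of the lecture: it instantiates the given IND-CPA scheme SE' with a counter-style keystream derived from HMAC-SHA256 under a random IV, the PRF F with HMAC-SHA256, and then reproduces the three analyses above: the E&M tag leak (same message, same tag), the MtE counterexample over a scheme SE that appends a byte which decryption ignores (an assumption: this is the standard counterexample construction, not something the slides spell out), and EtM rejecting every single-bit change. Keys and messages are constructed inline.

```python
import hashlib
import hmac
import os

TAG = 32   # HMAC-SHA256 output length


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(ke: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hmac.new(ke, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def se_encrypt(ke: bytes, m: bytes) -> bytes:
    """The given IND-CPA scheme SE': keystream under a fresh random 16-byte IV."""
    iv = os.urandom(16)
    return iv + xor(m, _keystream(ke, iv, len(m)))


def se_decrypt(ke: bytes, c: bytes) -> bytes:
    iv, body = c[:16], c[16:]
    return xor(body, _keystream(ke, iv, len(body)))


def F(km: bytes, x: bytes) -> bytes:
    """The given PRF F, instantiated with HMAC-SHA256."""
    return hmac.new(km, x, hashlib.sha256).digest()


def tag_ok(km: bytes, x: bytes, t: bytes) -> bool:
    return hmac.compare_digest(F(km, x), t)


# Encrypt-and-MAC: C' <- E'_{Ke}(M); T <- F_{Km}(M); output C' || T
def eam_encrypt(ke, km, m):
    return se_encrypt(ke, m) + F(km, m)


def eam_decrypt(ke, km, c):
    m = se_decrypt(ke, c[:-TAG])
    return m if tag_ok(km, m, c[-TAG:]) else None


# MAC-then-encrypt: T <- F_{Km}(M); C <- E'_{Ke}(M || T). The enc/dec parameters
# let the same code run over the counterexample scheme SE below.
def mte_encrypt(ke, km, m, enc=se_encrypt):
    return enc(ke, m + F(km, m))


def mte_decrypt(ke, km, c, dec=se_decrypt):
    p = dec(ke, c)
    if len(p) < TAG:
        return None
    m, t = p[:-TAG], p[-TAG:]
    return m if tag_ok(km, m, t) else None


# Encrypt-then-MAC: C' <- E'_{Ke}(M); T <- F_{Km}(C'); output C' || T
def etm_encrypt(ke, km, m):
    c = se_encrypt(ke, m)
    return c + F(km, c)


def etm_decrypt(ke, km, c):
    body, t = c[:-TAG], c[-TAG:]
    # Verify first, decrypt only on success.
    return se_decrypt(ke, body) if tag_ok(km, body, t) else None


def eam_tag_leaks(ke, km, m) -> bool:
    """E&M is not IND-CPA: F is deterministic, so two encryptions of M share a tag.
    This is what the LR(M1,M2) / LR(M1,M1) adversary detects."""
    return eam_encrypt(ke, km, m)[-TAG:] == eam_encrypt(ke, km, m)[-TAG:]


# Counterexample scheme SE (assumption): IND-CPA, but appends a byte decryption ignores.
def se2_encrypt(ke, m):
    return se_encrypt(ke, m) + b"\x00"


def se2_decrypt(ke, c):
    return se_decrypt(ke, c[:-1])


def mte_forgery(ke, km, m) -> bool:
    """MtE over SE: flipping the ignored byte gives a never-seen ciphertext that decrypts to M."""
    c = mte_encrypt(ke, km, m, se2_encrypt)
    forged = c[:-1] + bytes([c[-1] ^ 0x01])
    return forged != c and mte_decrypt(ke, km, forged, se2_decrypt) == m


def mte_plain_rejects_body_flip(ke, km, m) -> bool:
    """MtE over this particular SE' does reject a flipped plaintext byte: 'insecure in general'
    means some IND-CPA scheme breaks it, not every one."""
    c = mte_encrypt(ke, km, m)
    flipped = c[:16] + bytes([c[16] ^ 0x01]) + c[17:]
    return mte_decrypt(ke, km, flipped) is None


def etm_rejects_all_flips(ke, km, m) -> bool:
    """EtM: the tag covers the entire ciphertext, so any single-bit change is rejected."""
    c = etm_encrypt(ke, km, m)
    return all(etm_decrypt(ke, km, c[:i] + bytes([c[i] ^ 0x01]) + c[i + 1:]) is None
               for i in range(len(c)))
```

The distinguishing property is where the tag is computed: on M (E&M, leaks plaintext equality), inside the encryption (MtE, integrity depends on E' having no malleable slack), or on the ciphertext (EtM, integrity holds for any IND-CPA E').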

Generic Composition in Practice

AE in            is based on   which in general is   and in this case is
SSH              E&M           insecure              insecure
SSH + RFC 4344   E&M           insecure              secure
SSL              MtE           insecure              secure
IPsec            EtM           secure                secure
WinZip           EtM           secure                insecure

Why the gaps between the general result and the specific case? Encodings; the specific E and M schemes used; and, for WinZip, the disparity between how the scheme is used and the security model.

AE in SSH

(Figure: M → Encode → len(M) || len(pad) || M || pad; the encoded packet is encrypted under K_e to give C and, together with a packet counter, MAC'd under K_m to give T.)

SSH2 encryption uses inter-packet chaining, which is insecure [D, BKN]. RFC 4344 [BKN] proposed fixes that render SSH provably IND-CPA + INT-CTXT secure. The fixes were recommended by the Secure Shell Working Group and included in OpenSSH since 2003, and in PuTTY since 2008.

AE in SSL

SSL uses MtE: E_{K_e||K_m}(M) = E'_{K_e}(M || F_{K_m}(M)), which we saw is not INT-CTXT-secure in general. But E' is CBC$ in SSL, and in this case the scheme does achieve INT-CTXT [K]. F in SSL is HMAC. Sometimes SSL uses RC4 for encryption.

AEAD

The goal has evolved into Authenticated Encryption with Associated Data (AEAD) [Ro].
Associated data (AD) is authenticated but not encrypted.
Schemes are nonce-based (and deterministic).

Sender: C ← E_K(N, AD, M); send (N, AD, C).
Receiver: receive (N, AD, C); M ← D_K(N, AD, C).

The sender must never reuse a nonce. But when attacking integrity, the adversary may use any nonce it likes.
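The AEAD interface above, as an added example that is not part of the lecture: a minimal deterministic nonce-based scheme in Encrypt-then-MAC style (keystream derived from HMAC-SHA256 under the nonce, tag over (N, AD, C) under a second key; these are assumptions for illustration, not a standardized AEAD), showing that AD is authenticated without being encrypted, that encryption is deterministic in (N, AD, M), and what goes wrong when the sender reuses a nonce. Keys, nonces and messages are constructed inline.

```python
import hashlib
import hmac

TAG = 32
NONCE_LEN = 12   # fixed nonce length keeps the tag input unambiguous


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def _tag_input(nonce: bytes, ad: bytes, c: bytes) -> bytes:
    # Length-prefix AD so the (AD, C) boundary cannot be shifted by an attacker.
    return nonce + len(ad).to_bytes(4, "big") + ad + c


def aead_encrypt(key: bytes, nonce: bytes, ad: bytes, m: bytes) -> bytes:
    """C <- E_K(N, AD, M): keystream encryption of M, tag over (N, AD, C). Deterministic."""
    assert len(key) == 32 and len(nonce) == NONCE_LEN
    ke, km = key[:16], key[16:]
    c = xor(m, _keystream(ke, nonce, len(m)))
    return c + hmac.new(km, _tag_input(nonce, ad, c), hashlib.sha256).digest()


def aead_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes):
    """M <- D_K(N, AD, C); returns None (bottom) if the tag does not verify for this (N, AD, C)."""
    assert len(key) == 32 and len(nonce) == NONCE_LEN
    ke, km = key[:16], key[16:]
    if len(ct) < TAG:
        return None
    c, t = ct[:-TAG], ct[-TAG:]
    expected = hmac.new(km, _tag_input(nonce, ad, c), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    return xor(c, _keystream(ke, nonce, len(c)))


def ad_is_authenticated_not_encrypted(key, nonce, ad, m) -> bool:
    """AD travels in the clear with (N, AD, C), yet changing AD or N makes the receiver reject."""
    ct = aead_encrypt(key, nonce, ad, m)
    other_nonce = nonce[:-1] + bytes([nonce[-1] ^ 0x01])
    return (aead_decrypt(key, nonce, ad, ct) == m
            and aead_decrypt(key, nonce, ad + b"!", ct) is None
            and aead_decrypt(key, other_nonce, ad, ct) is None)


def is_deterministic(key, nonce, ad, m) -> bool:
    """Same (N, AD, M) gives the same ciphertext: all randomness lives in the nonce."""
    return aead_encrypt(key, nonce, ad, m) == aead_encrypt(key, nonce, ad, m)


def nonce_reuse_leak(key, nonce, m1, m2) -> bytes:
    """Reusing N for two messages: both get the same keystream, so C1 xor C2 = M1 xor M2,
    which leaks the plaintext relationship even though each ciphertext is authenticated."""
    c1 = aead_encrypt(key, nonce, b"", m1)[:-TAG]
    c2 = aead_encrypt(key, nonce, b"", m2)[:-TAG]
    return xor(c1, c2)
```

Determinism is what makes nonce uniqueness a hard requirement on the sender: the scheme contributes no randomness of its own. The receiver, by contrast, accepts any nonce the sender (or an attacker) supplies, which is why the integrity game lets the adversary choose N freely.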

Schemes

Generic composition: E&M, MtE, EtM extend to AEAD, and again EtM is the best, but the others work too under appropriate conditions [NRS14].
1-pass schemes: IAPM [J], XCBC/XEBC [GD], OCB [RBBK, R]
2-pass schemes: CCM [FHW], EAX [BRW], CWC [KVW], GCM [MV]
Stream-cipher based: Helix [FWSKLK], SOBER-128 [HR]

1-pass schemes are fast. 2-pass schemes are patent-free. Stream-cipher based schemes are fast.
