Lecture 9: Authenticated Encryption
COSC260 Codes and Ciphers, Adam O'Neill
Adapted from http://cseweb.ucsd.edu/~mihir/cse107/
Setting the Stage
We have previously studied the goals of privacy and authenticity in isolation.
Privacy: symmetric-key encryption and IND-CPA security.
Authenticity: message authentication codes and UF-CMA security.
But many (most) applications require both.
Medical Example
Privacy: nobody but Alice can read her medical record.
Authenticity: Alice is assured that only her doctor modified it.
Authenticated Encryption (AE)
Syntactically, an authenticated encryption scheme is just a symmetric encryption scheme AE = (K, E, D) where
K is a key generation algorithm that outputs a key K;
E is an encryption algorithm that on input a key K and a message M outputs a ciphertext C;
D is a decryption algorithm that on input a key K and a ciphertext C outputs a message M or ⊥.
Correctness: D_K(E_K(M)) = M for every key K and message M.
Privacy of AE: just the standard IND-CPA definition.
Integrity of AE (INT-CTXT: integrity of ciphertexts)
Let AE = (K, E, D) be a symmetric encryption scheme and A an adversary.
Game INT-CTXT_AE
procedure Initialize: K ←$ K; S ← ∅
procedure Enc(M): C ←$ E_K(M); S ← S ∪ {C}; Return C
procedure Finalize(C): M ← D_K(C); if (C ∉ S and M ≠ ⊥) then return true else return false
The int-ctxt advantage of A is Adv^{int-ctxt}_{AE}(A) = Pr[INT-CTXT_AE^A ⇒ true].
Our Goal
We are interested in constructing symmetric-key encryption schemes that are both
IND-CPA (to provide privacy), and
INT-CTXT (to provide integrity).
Plain Encryption Doesn't Work
CBC$ encryption with block cipher E: {0,1}^k × {0,1}^n → {0,1}^n:
Alg E_K(M): C[0] ←$ {0,1}^n; For i = 1, ..., m do C[i] ← E_K(C[i-1] ⊕ M[i]); Return C
Alg D_K(C): For i = 1, ..., m do M[i] ← E_K^{-1}(C[i]) ⊕ C[i-1]; Return M
Question: Is CBC$ encryption INT-CTXT secure?
No! Decryption never returns ⊥: every sequence of n-bit blocks is a valid ciphertext.
The Attack
Adversary A: return any C = C[0]C[1] ∈ {0,1}^{2n} without querying Enc.
Then C ∉ S and D_K(C) ≠ ⊥, so the game returns true and Adv^{int-ctxt}_{CBC$}(A) = 1.
Encryption with Redundancy
[Diagram: CBC$ encryption of the blocks M[1], ..., M[m] followed by the redundancy block h(M), giving C[0], C[1], ..., C[m], C[m+1].]
Let E: {0,1}^k × {0,1}^n → {0,1}^n be our block cipher and h: {0,1}* → {0,1}^n a redundancy function. Let SE' = (K, E', D') be CBC$ encryption and define the encryption-with-redundancy scheme AE = (K, E, D) via
Alg E_K(M): M[1]...M[m] ← M; M[m+1] ← h(M); C ←$ E'_K(M[1]...M[m]M[m+1]); Return C
Alg D_K(C): M[1]...M[m]M[m+1] ← D'_K(C); if (M[m+1] = h(M[1]...M[m])) then return M[1]...M[m] else return ⊥
The Attack
Adversary A: let M = M[1]...M[m] be arbitrary; C[0]C[1]...C[m+2] ←$ Enc(M ‖ h(M)); return C[0]C[1]...C[m+1]
The returned ciphertext is a truncation of a ciphertext of the (m+1)-block message M ‖ h(M), so D'_K decrypts it to M[1]...M[m] ‖ h(M), the redundancy check passes, and D_K returns M ≠ ⊥. Since C[0]...C[m+1] was never output by Enc, A wins with advantage 1.
WEP Attack
In around 2000 the 802.11 protocol WEP was attacked for exactly this reason: it used a particular CRC as the redundancy.
Generic Composition
Build an authenticated encryption scheme AE = (K, E, D) by combining
a given IND-CPA symmetric encryption scheme SE' = (K', E', D'), and
a given PRF F: {0,1}^k × {0,1}* → {0,1}^n.
A key K = Ke ‖ Km for AE always consists of a key Ke for SE' and a key Km for F:
Alg K: Ke ←$ K'; Km ←$ {0,1}^k; Return Ke ‖ Km
Possibilities
The order in which the primitives are applied is important. Can consider:
Method | Usage
Encrypt-and-MAC (E&M) | SSH
MAC-then-encrypt (MtE) | SSL/TLS
Encrypt-then-MAC (EtM) | IPSec
Encrypt-and-MAC
AE = (K, E, D) is defined by
Alg E_{Ke‖Km}(M): C' ←$ E'_{Ke}(M); T ← F_{Km}(M); Return C' ‖ T
Alg D_{Ke‖Km}(C' ‖ T): M ← D'_{Ke}(C'); If (T = F_{Km}(M)) then return M else return ⊥
Security Analysis
IND-CPA: not in general. The tag T = F_{Km}(M) is deterministic, so it reveals whether two encrypted messages are equal.
Adversary A: let M1 ≠ M2 be arbitrary messages; C1 ‖ T1 ←$ LR(M1, M2); C2 ‖ T2 ←$ LR(M1, M1); if T1 = T2 then return 0 else return 1
In the left world both queries encrypt M1, so T1 = T2; in the right world T1 = F_{Km}(M2) and T2 = F_{Km}(M1) differ except with negligible probability. So A has advantage close to 1.
MAC-then-encrypt
AE = (K, E, D) is defined by
Alg E_{Ke‖Km}(M): T ← F_{Km}(M); C ←$ E'_{Ke}(M ‖ T); Return C
Alg D_{Ke‖Km}(C): M ‖ T ← D'_{Ke}(C); If (T = F_{Km}(M)) then return M else return ⊥
Security Analysis
IND-CPA: yes, the IND-CPA security of SE' carries over.
INT-CTXT: not in general. Idea: let SE' = (K', E', D') be any IND-CPA secure encryption scheme and F: {0,1}^k × {0,1}* → {0,1}^n a secure PRF. From F and SE' we construct a symmetric encryption scheme SE'' = (K', E'', D'') that is still IND-CPA secure but such that MAC-then-encrypt built from SE'' and F is not INT-CTXT. (The standard counterexample: E'' appends one extra bit to the output of E' and D'' ignores that bit, so flipping it turns a ciphertext obtained from Enc into a ciphertext never output by Enc that still decrypts to a valid message.)
Encrypt-then-MAC
AE = (K, E, D) is defined by
Alg E_{Ke‖Km}(M): C' ←$ E'_{Ke}(M); T ← F_{Km}(C'); Return C' ‖ T
Alg D_{Ke‖Km}(C' ‖ T): M ← D'_{Ke}(C'); If (T = F_{Km}(C')) then return M else return ⊥
Security Analysis
One can prove that Encrypt-then-MAC yields an IND-CPA + INT-CTXT secure authenticated encryption scheme for any IND-CPA secure symmetric encryption scheme SE' and any secure PRF F used as the MAC.
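To make the compositions concrete, here is an added example in Python (not from the lecture or from the course it is adapted from). It assumes HMAC-SHA256 as the PRF F, builds SE' as a randomized counter mode whose keystream comes from F, and uses the same F as the MAC; it runs the E&M tag-equality distinguisher from the security analysis above and checks that Encrypt-then-MAC decryption returns ⊥ on any modified ciphertext.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output; HMAC plays the PRF F: {0,1}^k x {0,1}* -> {0,1}^n

def keygen():
    # Alg K of the slides: independent keys Ke for SE' and Km for F (256-bit each, constructed here)
    return secrets.token_bytes(32), secrets.token_bytes(32)

def prf(key, data):
    # Assumption: HMAC-SHA256 is a secure PRF
    return hmac.new(key, data, hashlib.sha256).digest()

def ctr_xor(ke, nonce, data):
    # Keystream block i = F_Ke(nonce || i); XOR is its own inverse, so this serves as both E' and D'
    blocks = len(data) // TAG_LEN + 1
    stream = b"".join(prf(ke, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def se_encrypt(ke, m):
    # SE': randomized counter mode with a fresh 16-byte nonce per message (IND-CPA given a PRF)
    nonce = secrets.token_bytes(16)
    return nonce + ctr_xor(ke, nonce, m)

def encrypt_and_mac(ke, km, m):
    # E&M: C' <- E'_Ke(M), T <- F_Km(M), output C' || T
    return se_encrypt(ke, m) + prf(km, m)

def encrypt_then_mac(ke, km, m):
    # EtM: C' <- E'_Ke(M), T <- F_Km(C'), output C' || T
    c = se_encrypt(ke, m)
    return c + prf(km, c)

def etm_decrypt(ke, km, ct):
    # Check the tag over C' before decrypting; None stands for the slides' bottom symbol
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if len(c) < 16 or not hmac.compare_digest(t, prf(km, c)):
        return None
    return ctr_xor(ke, c[:16], c[16:])

def eam_tags_collide(ke, km, m1, m2):
    # E&M IND-CPA distinguisher: F_Km(M) is deterministic, so equal messages give equal tags
    return encrypt_and_mac(ke, km, m1)[-TAG_LEN:] == encrypt_and_mac(ke, km, m2)[-TAG_LEN:]

def etm_rejects_modified(ke, km, m, pos):
    # INT-CTXT check: a ciphertext differing in one bit from every Enc output must decrypt to bottom
    ct = bytearray(encrypt_then_mac(ke, km, m))
    ct[pos % len(ct)] ^= 0x01
    return etm_decrypt(ke, km, bytes(ct)) is None
```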
Generic Composition in Practice
AE in | is based on | which in general is | and in this case is
SSH | E&M | insecure | insecure
SSH + RFC 4344 | E&M | insecure | secure
SSL | MtE | insecure | secure
IPSec | EtM | secure | secure
WinZip | EtM | secure | insecure
Why? Encodings; the specific E and M schemes used; for WinZip, a disparity between usage and the security model.
AE in SSH
[Diagram: M is encoded, together with a counter, as len(m) ‖ len(pad) ‖ m ‖ pad; the encoding is encrypted under Ke to give C and MACed under Km to give T.]
SSH2 encryption uses inter-packet chaining, which is insecure [D, BKN]. RFC 4344 [BKN] proposed fixes that render SSH provably IND-CPA + INT-CTXT secure. Fixes recommended by the Secure Shell Working Group and included in OpenSSH since 2003. Fixes included in PuTTY since 2008.
AE in SSL
SSL uses MtE: E_{Ke‖Km}(M) = E'_{Ke}(M ‖ F_{Km}(M)), which we saw is not INT-CTXT secure in general. But E' is CBC$ in SSL, and in this case the scheme does achieve INT-CTXT [K]. F in SSL is HMAC. Sometimes SSL uses RC4 for encryption.
AEAD
The goal has evolved into Authenticated Encryption with Associated Data (AEAD) [Ro].
Associated data (AD) is authenticated but not encrypted.
Schemes are nonce-based (and deterministic).
Sender: C ← E_K(N, AD, M); send (N, AD, C).
Receiver: receive (N, AD, C); M ← D_K(N, AD, C).
The sender must never reuse a nonce. But when attacking integrity, the adversary may use any nonce it likes.
Schemes
Generic composition: E&M, MtE, EtM extend, and again EtM is the best, but the others work too under appropriate conditions [NRS14].
1-pass schemes: IAPM [J], XCBC/XEBC [GD], OCB [RBBK, R]
2-pass schemes: CCM [FHW], EAX [BRW], CWC [KVW], GCM [MV]
Stream-cipher based: Helix [FWSKLK], SOBER-128 [HR]
1-pass schemes are fast. 2-pass schemes are patent-free. Stream-cipher based schemes are fast.