On Symmetric Encryption with Distinguishable Decryption Failures

Similar documents
Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Marc Fischlin, Giorgia Azzurra Marson, and Kenneth G.

A Surfeit of SSH Cipher Suites

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Advanced security notions for the SSH secure channel: theory and practice

Lecture 8 - Message Authentication Codes

Message authentication codes

Pipelineable On-Line Encryption (POE)

Lecture 18 - Chosen Ciphertext Security

: Practical Cryptographic Systems March 25, Midterm

Proofs for Key Establishment Protocols

Concrete Security of Symmetric-Key Encryption

Information Security

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

Refining Computationally Sound Mech. Proofs for Kerberos

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

How to Securely Release Unverified Plaintext in Authenticated Encryption

1 Achieving IND-CPA security

Authenticated encryption

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Security of Cryptosystems

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Computationally Sound Mechanized Proof of PKINIT for Kerberos

Information Security CS526

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Authenticated Encryption

Block ciphers, stream ciphers

Security & Indistinguishability in the Presence of Traffic Analysis

Inductive Trace Properties for Computational Security

Computer Security CS 526

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

If we define science as an objective approach to

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Cryptology complementary. Symmetric modes of operation

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

CS408 Cryptography & Internet Security

IND-CCA2 secure cryptosystems, Dan Bogdanov

Code-Based Cryptography McEliece Cryptosystem

The OCB Authenticated-Encryption Algorithm

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

symmetric cryptography s642 computer security adam everspaugh

Message Authentication ( 消息认证 )

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Stateful Key Encapsulation Mechanism

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Katz, Lindell Introduction to Modern Cryptrography

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Authenticated Encryption

Homework 3: Solution

Security Analysis of a Design Variant of Randomized Hashing

Random Oracles - OAEP

Security of Message Authentication Codes in the Presence of Key-Dependent Messages

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptanalysis of GlobalPlatform Secure Channel Protocols

Lecture 9 Authenticated Encryption

Authenticated Encryption in the Face of Protocol and Side-Channel Leakage

Symmetric Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

Goals of Modern Cryptography

Concrete cryptographic security in F*

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Interactive Encryption and Message Authentication

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Inductive Trace Properties for Computational Security

OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea

Practical Attacks on Implementations

1 Defining Message authentication

OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Encrypted databases. Tom Ristenpart CS 6431

2 Secure Communication in Private Key Setting

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

On Re-keying Mechanisms for Extending The Lifetime of Symmetric Keys draft-smyshlyaev-re-keying

Introduction to Cryptography. Lecture 3

Lectures 4+5: The (In)Security of Encrypted Search

Practical Symmetric On-line Encryption

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

CS 495 Cryptography Lecture 6

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Applied Cryptography and Computer Security CSE 664 Spring 2018

On the Security of Group-based Proxy Re-encryption Scheme

From Crypto to Code. Greg Morrisett

Authenticated Encryption in TLS

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Permutation-based Authenticated Encryption

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Chaum s Designated Confirmer Signature Revisited

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Randomness Extractors. Secure Communication in Practice. Lecture 17

A Closer Look at Anonymity and Robustness in Encryption Schemes

Transcription:

On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013

Outline Distinguishable Decryption Failures The Multiple-Error Setting Conclusion

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures Sender Receiver Channel Adversary

Attacks Based on Decryption Failures The classic examples are Bleichenbacher s attack on RSA and Vaudenay s padding oracle attack on CBC encryption. These attacks motivated us to require IND-CCA security, but does IND-CCA always guard against such attacks?

Attacks Based on Decryption Failures The classic examples are Bleichenbacher s attack on RSA and Vaudenay s padding oracle attack on CBC encryption. These attacks motivated us to require IND-CCA security, but does IND-CCA always guard against such attacks? The decryption algorithm can have multiple checks that may cause it to fail. Knowledge of which check failed may convey more information to the adversary. Distinguishable decryption failures enabled attacks against TLS [CHVV 03], DTLS [AP 12], and IPsec [DP 10].

Attacks Based on Decryption Failures The classic examples are Bleichenbacher s attack on RSA and Vaudenay s padding oracle attack on CBC encryption. These attacks motivated us to require IND-CCA security, but does IND-CCA always guard against such attacks? The decryption algorithm can have multiple checks that may cause it to fail. Knowledge of which check failed may convey more information to the adversary. Distinguishable decryption failures enabled attacks against TLS [CHVV 03], DTLS [AP 12], and IPsec [DP 10]. GAP: In IND-CCA the adversary only learns whether a ciphetext is valid or not (distinct decryption failures always return ).

A Common Response "This is a flaw in the implementation. It can be easily fixed by ensuring that errors are not distinguishable." But errors are useful for troubleshooting; moreover side-channels due to timing or interaction with other protocols (e.g. IPsec) are hard to prevent.

A Common Response "This is a flaw in the implementation. It can be easily fixed by ensuring that errors are not distinguishable." But errors are useful for troubleshooting; moreover side-channels due to timing or interaction with other protocols (e.g. IPsec) are hard to prevent. On the other hand it is easy to model distinguishable decryption failures multiple-error schemes. where S = { 1, 2,..., n } D : K C M S How does this affect the theory of symmetric encryption?

Revisiting Classic Relations The following relation is attributed to Bellare and Namprempre [BN00], and to Katz and Yung [KY00]. IND-CPA INT-CTXT IND-CCA

Revisiting Classic Relations The following relation is attributed to Bellare and Namprempre [BN00], and to Katz and Yung [KY00]. IND-CPA INT-CTXT IND-CCA This relation provides a simple technique for realizing IND-CCA secure schemes in the symmetric setting. Furthermore INT-CTXT + IND-CPA has become the target security notion for authenticated encryption, since INT-CTXT INT-PTXT.

Revisiting Classic Relations In their work on SSH, Bellare, Kohno, and Namprempre [BKN04] extended this relation to the stateful setting. IND-CPA INT-sfCTXT IND-sfCCA INT-sfCTXT and IND-sfCCA are strengthened variations, which additionally capture replay and reordering attacks. Any encryption scheme which satisfies these notions must be stateful hence the name.

Classic Relations in the Multiple-Error Setting

Classic Relations in the Multiple-Error Setting Theorem If pseudorandom functions exist, then there exists a multiple-error encryption scheme that is both IND-CPA and INT-CTXT secure, but not IND-CCA secure. IND-CPA INT-CTXT IND-CCA

Classic Relations in the Multiple-Error Setting Theorem If pseudorandom functions exist, then there exists a multiple-error encryption scheme that is both IND-CPA and INT-CTXT secure, but not IND-CCA secure. IND-CPA INT-CTXT IND-CCA A similar separation holds for the stateful setting: IND-CPA INT-sfCTXT IND-sfCCA As we shall see, it is possible to define ciphertext integrity in two ways, both separations allow the stronger variant.

New Relations in the Multiple-Error Setting Given the utility of these relations, an obvious question is whether we can obtain something similar in the multiple-error setting.

New Relations in the Multiple-Error Setting Given the utility of these relations, an obvious question is whether we can obtain something similar in the multiple-error setting. IND-CVA INT-CTXT IND-CCA

New Relations in the Multiple-Error Setting Given the utility of these relations, an obvious question is whether we can obtain something similar in the multiple-error setting. IND-CVA INT-CTXT IND-CCA Informally, IND-CVA is described as the IND-CPA game with additional access to a ciphertext validity oracle which returns decryption errors but no plaintext. The stronger variant of ciphertext integrity is required. Similar relations can be obtained for IND-sfCCA, IND$-CCA, and IND$-sfCCA.

Defining Ciphertext Integrity INT-CTXT* (weaker variant): Exp int-ctxt SE (A) K K C, win 0 A Enc( ),Try ( ) return win Enc(m) c E K (m) C C c return c Try (c) m D K (c) if c C and m M then win true if m M then m valid else m invalid return m Try queries reveal only whether a ciphertext is valid or not.

Defining Ciphertext Integrity INT-CTXT (stronger variant): Exp int-ctxt SE (A) K K C, win 0 A Enc( ),Try( ) return win Enc(m) c E K (m) C C c return c Try(c) m D K (c) if c C and m M then win true if m M then m valid return m Try queries reveal either that a ciphertext is valid or the error that it generates.

Ciphertext Integrity Obviously INT-CTXT INT-CTXT*, but is the converse true? The new relations required strong ciphertext integrity, is this necessary or is it just an artefact of the proof?

Ciphertext Integrity Obviously INT-CTXT INT-CTXT*, but is the converse true? The new relations required strong ciphertext integrity, is this necessary or is it just an artefact of the proof? Both questions are settled through the following non-trivial separation.

Ciphertext Integrity Obviously INT-CTXT INT-CTXT*, but is the converse true? NO The new relations required strong ciphertext integrity, is this necessary or is it just an artefact of the proof? NECESSARY Both questions are settled through the following non-trivial separation. Theorem Given a scheme with a sufficiently large message space that is both IND-CVA and INT-CTXT*, we can construct a multiple-error scheme that is both IND-CVA and INT-CTXT* but not IND-CCA. IND-CVA INT-CTXT* IND-CCA

IND-CCA3 Rogaway and Shrimpton [RS06] introduced a notion that captures concisely the goal for authenticated encryption: IND-CCA3 IND-CPA INT-CTXT.

IND-CCA3 Rogaway and Shrimpton [RS06] introduced a notion that captures concisely the goal for authenticated encryption: IND-CCA3 IND-CPA INT-CTXT. For all adversaries A : Pr [ A E K ( ),D K ( ) = 1 ] [ ] Pr A E K ($ ), ( ) = 1 ɛ.

IND-CCA3 Rogaway and Shrimpton [RS06] introduced a notion that captures concisely the goal for authenticated encryption: IND-CCA3 IND-CPA INT-CTXT. For all adversaries A : Pr [ A E K ( ),D K ( ) = 1 ] [ ] Pr A E K ($ ), ( ) = 1 ɛ. Can we extend this notion to the multiple-error setting? What security would it guarantee?

IND-CCA3 in the Multiple-Error Setting There exists a 0 S such that for all adversaries A : [ ] [ ] Pr A E K ( ),D K ( ) = 1 Pr A E K ($ ), 0 ( ) = 1 ɛ.

IND-CCA3 in the Multiple-Error Setting There exists a 0 S such that for all adversaries A : [ ] [ ] Pr A E K ( ),D K ( ) = 1 Pr A E K ($ ), 0 ( ) = 1 ɛ. IND-CCA3 provides the following security guarantees: IND-CCA3 IND-CPA INT-CTXT* INV-ERR. Informally INV-ERR says that all invalid ciphertexts that an adversary can come up with, will generate the same error.

IND-CCA3 in the Multiple-Error Setting There exists a 0 S such that for all adversaries A : [ ] [ ] Pr A E K ( ),D K ( ) = 1 Pr A E K ($ ), 0 ( ) = 1 ɛ. IND-CCA3 provides the following security guarantees: IND-CCA3 IND-CPA INT-CTXT* INV-ERR. Informally INV-ERR says that all invalid ciphertexts that an adversary can come up with, will generate the same error. It can further be shown that: IND-CCA3 IND-CVA INT-CTXT IND-CCA. Hence IND-CCA3 still constitutes a good notion for authenticated encryption, albeit perhaps it is too strong.

Authenticated Encryption Through Generic Composition In [BN00] Encrypt-then-MAC emerges as the preferred generic composition for realizing authenticated encryption. Krawczyk [Kra01] however, showed that MAC-then-Encrypt is also IND-CCA secure when encryption is instantiated with CBC mode or CTR mode.

Authenticated Encryption Through Generic Composition In [BN00] Encrypt-then-MAC emerges as the preferred generic composition for realizing authenticated encryption. Krawczyk [Kra01] however, showed that MAC-then-Encrypt is also IND-CCA secure when encryption is instantiated with CBC mode or CTR mode. Hence, when encryption is instantiated with CBC mode or CTR mode, the question as to which generic composition is better remains open. Nonetheless practical cryptosystems (using CBC and CTR) based on EtM have proved to be less vulnerable to attack than ones based on MtE.

Re-examining Generic Compositions Re-examining generic compositions in the light of distinguishable decryption failures, provides new formal evidence to support this observation. We consider an Encode-then-Encrypt-then-MAC (EEM) composition to account for the pre-processing that is common in practical schemes.

Re-examining Generic Compositions Re-examining generic compositions in the light of distinguishable decryption failures, provides new formal evidence to support this observation. We consider an Encode-then-Encrypt-then-MAC (EEM) composition to account for the pre-processing that is common in practical schemes. Theorem For any multiple-error encoding scheme, any IND-CPA multiple-error encryption scheme, and any UF-CMA MAC, the EEM composition yields an IND-CCA3 secure scheme.

Re-examining Generic Compositions This theorem says that EEM is a robust composition, since security holds even when decryption failures are distinguishable, and without assuming anything about the error behaviour of the encoding or encryption components.

Re-examining Generic Compositions This theorem says that EEM is a robust composition, since security holds even when decryption failures are distinguishable, and without assuming anything about the error behaviour of the encoding or encryption components. Attacks on SSL/TLS [CHVV03], IPsec [DP10], and DTLS [AP12] serve as counterexamples that similar general statements cannot be made about MAC-then-Encode-then-Encrypt.

Re-examining Generic Compositions This theorem says that EEM is a robust composition, since security holds even when decryption failures are distinguishable, and without assuming anything about the error behaviour of the encoding or encryption components. Attacks on SSL/TLS [CHVV03], IPsec [DP10], and DTLS [AP12] serve as counterexamples that similar general statements cannot be made about MAC-then-Encode-then-Encrypt. It may seem unfair that we do not consider multiple-error MACs. This is justified as follows: - Most MACs verify the tag by recomputing the tag and comparing only one test condition. - When this is implemented badly (the keyczar library example) it results in the MAC itself not being secure.

Conclusion We propose the multiple-error setting in order to obtain security guarantees that are more relevant to practice.

Conclusion We propose the multiple-error setting in order to obtain security guarantees that are more relevant to practice. Preventive Approach: Assign distinct error messages to the distinct checks made during decryption achieve security that is less implementation-dependent.

Conclusion We propose the multiple-error setting in order to obtain security guarantees that are more relevant to practice. Preventive Approach: Assign distinct error messages to the distinct checks made during decryption achieve security that is less implementation-dependent. A Posteriori Analysis: Alternatively the multiple-error setting can be used to model realizations of cryptographic protocols and analyze the security of the implementation.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback