Misuse-resistant crypto for JOSE/JWT

Similar documents
Block Cipher Modes of Operation

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Message authentication codes

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Block Cipher Modes of Operation

Workshop Challenges Startup code in PyCharm Projects

Lecture 1 Applied Cryptography (Part 1)

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Authenticated Encryption

Summary on Crypto Primitives and Protocols

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Multiple forgery attacks against Message Authentication Codes

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Cryptographic Algorithm Validation Program:

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

CIS 4360 Secure Computer Systems Symmetric Cryptography

Symmetric Crypto MAC. Pierre-Alain Fouque

Authenticated Encryption

Intended status: Standards Track January 13, 2015 Expires: July 17, 2015

Permutation-based Authenticated Encryption

ECE 646 Lecture 8. Modes of operation of block ciphers

Internet Engineering Task Force (IETF) Request for Comments: 7518 Category: Standards Track May 2015 ISSN:

History of message integrity techniques

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Storage encryption... what about data integrity?

Understanding how to prevent. Sensitive Data Exposure. Dr Simon Greatrix

Refresher: Applied Cryptography

Updates on CLOC and SILC Version 3

05 - WLAN Encryption and Data Integrity Protocols

COMP4109 : Applied Cryptography

CS155. Cryptography Overview

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

PKCS #11 Message-Based Encryption and Decryption

Feedback Week 4 - Problem Set

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

PKCS #11 Message-Based Encryption and Decryption

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

The OCB Authenticated-Encryption Algorithm

Winter 2011 Josh Benaloh Brian LaMacchia

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Computer Security CS 526

symmetric cryptography s642 computer security adam everspaugh

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Symmetric Encryption. Thierry Sans

CLOC: Authenticated Encryption

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptographic hash functions and MACs

MTAT Applied Cryptography

CSE484 Final Study Guide

CSCE 715: Network Systems Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Data Integrity. Modified by: Dr. Ramzi Saifan

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

L13. Reviews. Rocky K. C. Chang, April 10, 2015

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

A Surfeit of SSH Cipher Suites

Permutation-based symmetric cryptography

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Content of this part

Uses of Cryptography

Chapter 3 Block Ciphers and the Data Encryption Standard

Solutions to exam in Cryptography December 17, 2013

ryptograi "ГС for Tom St Denis, Elliptic Semiconductor Inc. Simon Johnson and Author of the LibTom Project

Information Security CS526

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Computer Security: Principles and Practice

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Block Cipher Operation

symmetric cryptography s642 computer security adam everspaugh

Block Cipher Operation. CS 6313 Fall ASU

Data Integrity & Authentication. Message Authentication Codes (MACs)

NIST Cryptographic Toolkit

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CS155. Cryptography Overview

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

n-bit Output Feedback

Stream Ciphers. Stream Ciphers 1

Advanced security notions for the SSH secure channel: theory and practice

1 Defining Message authentication

CS255. Programming Assignment #1

Network Security Essentials Chapter 2

What is JOSE. Jim Schaad Co-chair JOSE August Cellars. Friday, March 15, 13

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Unit 8 Review. Secure your network! CS144, Stanford University

Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1

Elaine Barker and Allen Roginsky NIST June 29, 2010

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

IKEv2-SCSI (06-449) Update

Transcription:

Misuse-resistant crypto for JOSE/JWT Neil Madden OAuth Security Workshop, 2018 1

JOSE Content Encryption Methods Provide authenticated encryption AES-CBC with HMAC-SHA2 Requires random 128-bit IV Must be unpredictable AES-GCM Requires 96-bit nonce Nonce can be a simple counter Most modern textbooks would recommend GCM: fast, dedicated AEAD mode, parallel

GCM Galois Counter Mode CTR-mode for privacy GHASH for authentication Simple! :-) By NIST (http://en.wikipedia.org/wiki/file:gcm.png) [Public domain], via Wikimedia Commons

What happens if you reuse a nonce? NIST SP-800-38D on GCM: An important caution to the use of GCM is that a breach of the requirement in Sec. 8 for the uniqueness of the initialization strings may compromise the security assurance almost entirely In practice, this requirement is almost as important as the secrecy of the key.

Nonce reuse attacks on GCM If a nonce is reused for the same key just once, results are catastrophic: Recover information about encrypted plaintexts Recover authentication sub-key Produce arbitrary forgeries of associated data Can often produce forgeries of encrypted ciphertext too: { sub : peter, } { sub : admin, }

Nonce reuse in reality KRACK attacks against WPA2 Forced nonce reuse by weaknesses in protocol If the victim uses [ ] GCMP encryption protocol, instead of AES- CCMP, the impact is especially catastrophic. Against these encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. (krackattacks.com)

How to avoid? NIST recommends either: 1. Use random IV 2. Use deterministic counter Both can be problematic Failures of RNG, e.g. SSH keys generated too soon on first boot, Android SecureRandom failures leading to BitCoin wallet compromise, IoT devices Counters are hard to synchronise across servers Only 96-bit IV

Is CBC/HMAC better? Yes and no CBC has its own problems: Padding oracle attacks If IV is predictable then plaintext can be recovered (BEAST) Worse security bounds than CTR mode Unpredictable IV is a more strict requirement than non-repeating nonce HMAC prevents some of these attacks, but not necessarily all e.g., if attacker can inject plaintext via logon username

A safer alternative Misuse Resistant Authenticated Encryption (MRAE) Developed by Rogaway & Shrimpton while analysing AES KeyWrap When unique nonce used then has same properties as GCM, CBC+HMAC, etc: authenticated encryption If nonce is reused then loses a minimum amount of security: Authenticity is not compromised at all Privacy only (slightly) compromised if the the same message is encrypted with same key, nonce, and associated data.

Synthetic IV (SIV) Achieves MRAE Basic idea: use MAC of associated data (header) and plaintext as the IV for encryption AES-SIV: MAC is AES- CMAC, encryption is AES- CTR RFC 5297 H 1...... * CMAC K1 H m IV M CTR K2 C From http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf

Advantages Simple and provably secure scheme Original AES-SIV only uses AES in encrypt direction: efficient on constrained devices (similar to AES-CCM) Can substitute other MACs and ciphers (with some caveats) For instance, HMAC, PMAC (parallel), Blake2 etc Other (stream) ciphers, e.g. XSalsa20/XChaCha20 About to be published by IRTF (CFRG): AES-GCM-SIV Versatile: content encryption, key-wrapping, deterministic encrypt Subjective: Well-respected mode amongst cryptographers

Disadvantages Must make two passes over the input Cannot be streamed If no unique value in header then completely deterministic Not great for low-entropy inputs (e.g., passwords) On the other hand: Many JOSE inputs are small (JWTs) Decryption cannot (safely) be streamed in any case Few encryption schemes are secure for passwords

Proposed new modes enc A128SIV A128SIV-HS256 A192SIV-HS384 A256SIV-HS512 alg A128SIVKW A128SIVKW-HS256 A192SIVKW-HS384 A256SIVKW-HS512 JWE IV should be a random 128-bit value Fixed IV for -KW variants

Code (Java + Bouncy Castle) byte[] iv = securerandombytes(16); Mac cmac = Mac.getInstance( AESCMAC ); cmac.init(mackey); cmac.update(ascii(b64url(header) +.. + b64url(iv) +. )); byte[] siv = cmac.dofinal(plaintext); Cipher aes = Cipher.getInstance( AES/CTR/NoPadding ); aes.init(cipher.encrypt_mode, enckey, new IvParameterSpec(siv)); byte[] ciphertext = aes.dofinal(plaintext);

Code - Key Wrap byte[] iv = securerandombytes(16); Mac cmac = Mac.getInstance( AESCMAC ); cmac.init(mackey); cmac.update(ascii( A128SIV...")); byte[] siv = cmac.dofinal(cek); Cipher aes = Cipher.getInstance( AES/CTR/NoPadding ); aes.init(cipher.encrypt_mode, enckey, new IvParameterSpec(siv)); byte[] ciphertext = aes.dofinal(cek);

Misuse of other JOSE algorithms? Signatures mostly ok apart from ES ones Nonce reuse for NIST ECDSA led to Playstation 3 hack, Bitcoin theft, etc. Use RFC 6979 or EdDSA Public key encryption Less of a problem? Hedged PKE Password-based encryption can be hedged by increasing rounds (maybe consider memory-hard hash algorithms: Scrypt, Argon2)

Internet Draft https://tools.ietf.org/html/draft-madden-jose-siv-mode-02 03 coming soon What variants to support? Just AES-SIV? HMAC variants? AES-GCM-SIV? A non-aes alternative (e.g., XChaCha20-HS384-SIV)? Would OAUTH WG adopt this?

Thank You 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback