Authenticated Encryption

Authenticated Encryption
Yan Huang
Credit: Dan Boneh (Stanford, Crypto I)

Story So Far
Confidentiality: secure encryption (CPA-secure)
- Single-block messages
- Multi-block messages
Integrity: message authentication code
- Using a secure block cipher
- Using collision-resistant hashing
Can we achieve confidentiality and integrity at the same time?

Sample tampering attacks
TCP/IP (highly abstracted): the source machine sends a packet [dest = 80 | data]. The destination machine's TCP/IP stack delivers it by port: dest = 80 goes to the WWW process (port = 80), while Bob listens on port = 25.

Sample tampering attacks
IPsec (highly abstracted): packets are encrypted using key k. The source sends [dest = 80 | data] encrypted under k; the attacker alters the ciphertext so that the destination's TCP/IP stack decrypts it to [dest = 25 | stuff] and hands the data to Bob on port = 25.

Reading someone else's data
Note: the attacker obtains the decryption of any ciphertext beginning with dest = 25.
The encrypted packet [IV, dest = 80 | data] under k is meant for the WWW process (port = 80); the attacker turns it into [IV', dest = 25 | data] under k, so Bob (port = 25) receives the data. Easy to do for CBC with random IV (only the IV is changed).

The lesson
CPA security cannot guarantee secrecy under active attacks.
Only use one of two modes:
- If the message needs integrity but no confidentiality: use a MAC
- If the message needs both integrity and confidentiality: use authenticated encryption modes

The Idea
An authenticated encryption system (E, D):
As usual E: K × M → C, but D: K × C → M ∪ {⊥}, where ⊥ means the ciphertext is rejected.
Security: the system must provide
- semantic security, and
- ciphertext integrity: the attacker cannot create new ciphertexts that decrypt properly.

Ciphertext integrity
Let (E, D) be a cipher with message space M. The challenger picks k ← K. The adversary A sends m_1 ∈ M and receives c_1 ← E(k, m_1), then m_2 and c_2, ..., m_q and c_q. Finally A outputs a ciphertext c.
The challenger outputs b = 1 if D(k, c) ≠ ⊥ and c ∉ {c_1, ..., c_q}, and b = 0 otherwise.
Def: (E, D) has ciphertext integrity if for all efficient A: Adv_CI[A, E] = Pr[Chal. outputs 1] is negligible.

Authenticated Encryption
Def: a cipher (E, D) provides authenticated encryption (AE) if it is (1) semantically secure under CPA, and (2) has ciphertext integrity.
Bad example: CBC with random IV does not provide AE. D(k, ·) never outputs ⊥, hence the adversary
easily wins the CI game.

Implication 1: authenticity
The attacker cannot fool Bob into thinking a message was sent from Alice.
Alice (key k) sends c_i = E(k, m_i) for m_1, ..., m_q. The attacker cannot create a valid c ∉ {c_1, ..., c_q}. Bob (key k): if D(k, c) ≠ ⊥, Bob knows the message is from someone who knows k (but the message could be a replay).

Implication 2
Authenticated encryption ⇒ security against chosen ciphertext attacks.

Chosen Ciphertext security -- Definition
For b = 0, 1 define EXP(b): the challenger picks k ← K; for i = 1, ..., q the adversary A makes either
(1) a CPA query: m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}|; the challenger answers c_i ← E(k, m_{i,b}); or
(2) a CCA query: c_i ∈ C with c_i ∉ {c_1, ..., c_{i-1}}; the challenger answers m_i = D(k, c_i).
Finally A outputs b' ∈ {0, 1}.
E is CCA secure if for all efficient A: Adv_CCA[A, E] = |Pr[EXP(0) = 1] - Pr[EXP(1) = 1]| is negligible.

Combining MAC and Enc (CCA)
Encryption key k_E. MAC key = k_I.
- Option 1 (SSL): tag = Mac(k_I, m); send E(k_E, m ll tag)
- Option 2 (IPsec): c = E(k_E, m); tag = Mac(k_I, c); send c ll tag. Always correct.
- Option 3 (SSH): c = E(k_E, m); tag = Mac(k_I, m); send c ll tag

Standards (at a high level)
- GCM: CTR mode encryption then CW-MAC (accelerated via Intel's PCLMULQDQ instruction)
- CCM (802.11i): CBC-MAC then CTR mode encryption
- EAX: CTR mode encryption then CMAC
All support AEAD (auth. enc. with associated data). All are nonce-based.
Packet layout: [associated data | encrypted data]; only the encrypted data is encrypted, but both parts are authenticated.

An example API (OpenSSL)
  int AES_GCM_Init(AES_GCM_CTX *ain, unsigned char *nonce, unsigned long noncelen, unsigned char *key, unsigned int klen)
  int AES_GCM_EncryptUpdate(AES_GCM_CTX *a, unsigned char *aad, unsigned long aadlen, unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen)

OCB: a direct construction from a PRP
More efficient authenticated encryption: one E() op. per block.
Diagram: each message block m[i] (i = 0..3) is XORed with an offset P(N,k,i), encrypted with E(k,·), and XORed with P(N,k,i) again to give c[i]; the checksum of the message blocks is XORed with P(N,k,0), encrypted with E(k,·), and XORed with P(N,k,0) to give the auth tag c[4].
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption [RBBK01, CCS]; IETF RFC 7253.

802.11b WEP: how not to do it
WEP: ciphertext = (m ll CRC(m)) ⊕ PRG(IV ll k), sent as [IV | ciphertext] under key k.
Previously discussed problems: two-time pad and related PRG seeds.
Active attacks
Fact: CRC is linear, i.e. for all m, p: CRC(m ⊕ p) = CRC(m) ⊕ F(p).
WEP ciphertext: [IV | dest-port = 80 | data | CRC]. The attacker XORs [XX | 0000 | F(XX)] into it, giving [IV | dest-port = 25 | data | CRC].
Upon decryption: the CRC is valid, but the ciphertext is changed!!
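Added example (Python, standard library only), not code from the slides. It plays one round of the ciphertext-integrity game defined above against two schemes: a WEP-style stream cipher whose only integrity check is CRC-32, and Option 2 from the "Combining MAC and Enc" slide (encrypt-then-MAC with HMAC-SHA256). A SHA-256 counter keystream is an assumed stand-in for WEP's PRG and for AES-CTR, since the standard library has no AES; keys, IVs, nonces and the sample packet are constructed. crc_is_linear checks the slide's fact CRC(m ⊕ p) = CRC(m) ⊕ F(p) for concrete CRC-32 (where F(p) = CRC(p) ⊕ CRC(0...0), because the init value and final XOR of CRC-32 make it affine), and demo shows the CRC-checked scheme accepting a one-bit forgery while the MAC-checked scheme returns ⊥ (None).

```python
import hashlib
import hmac
import struct
import zlib

# Added example, not from the slides. A SHA-256 counter keystream stands in
# for WEP's PRG and for AES-CTR (the standard library has no AES); keys,
# nonces and messages below are constructed for the demo.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRG: SHA-256 over (key || nonce || counter), truncated to `length`."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(m: bytes) -> bytes:
    return struct.pack(">I", zlib.crc32(m))

def F(p: bytes) -> bytes:
    """The slide's F: CRC(m xor p) = CRC(m) xor F(p) for |m| = |p|.
    CRC-32's init value and final XOR make it affine rather than purely
    linear, so F(p) = CRC(p) xor CRC(0...0) with len(p) zero bytes."""
    return xor(crc(p), crc(bytes(len(p))))

def crc_is_linear(m: bytes, p: bytes) -> bool:
    return crc(xor(m, p)) == xor(crc(m), F(p))

# WEP-style: (m || CRC(m)) xor PRG(IV || k). The only integrity check is the CRC.
IV_LEN = 3      # WEP uses a 24-bit IV

def wep_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    body = m + crc(m)
    return iv + xor(body, keystream(k, iv, len(body)))

def wep_decrypt(k: bytes, ct: bytes):
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    plain = xor(body, keystream(k, iv, len(body)))
    m, tag = plain[:-4], plain[-4:]
    return m if tag == crc(m) else None      # None plays the role of "bottom"

# Option 2 (IPsec, encrypt-then-MAC): c = E(k_E, m); tag = MAC(k_I, nonce || c).
NONCE_LEN, TAG_LEN = 16, 32

def etm_encrypt(k_e: bytes, k_i: bytes, nonce: bytes, m: bytes) -> bytes:
    c = xor(m, keystream(k_e, nonce, len(m)))
    tag = hmac.new(k_i, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag

def etm_decrypt(k_e: bytes, k_i: bytes, ct: bytes):
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, tag = ct[:NONCE_LEN], ct[NONCE_LEN:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(k_i, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None                              # ciphertext rejected
    return xor(c, keystream(k_e, nonce, len(c)))

def ci_game(decrypt, ct: bytes, delta: bytes):
    """One round of the ciphertext-integrity game: the adversary saw `ct`,
    outputs ct xor delta (a new ciphertext), and wins if D accepts it.
    Returns D's output (None = rejected = adversary loses)."""
    forged = xor(ct, delta)
    assert forged != ct
    return decrypt(forged)

def demo():
    """Flip one bit of the first plaintext byte in both schemes without
    knowing the plaintext. The CRC-protected scheme accepts the forgery
    (the linear CRC is patched with F); encrypt-then-MAC rejects it."""
    m = b"dest-port=80|hello"                 # constructed sample packet
    p = b"\x01" + bytes(len(m) - 1)          # the slide's XX pattern, one bit
    k = b"K" * 16
    wep_ct = wep_encrypt(k, b"\x00\x01\x02", m)
    wep_out = ci_game(lambda c: wep_decrypt(k, c), wep_ct,
                      bytes(IV_LEN) + p + F(p))
    k_e, k_i = b"E" * 32, b"I" * 32
    etm_ct = etm_encrypt(k_e, k_i, bytes(NONCE_LEN), m)
    etm_out = ci_game(lambda c: etm_decrypt(k_e, k_i, c), etm_ct,
                      bytes(NONCE_LEN) + p + bytes(TAG_LEN))
    return wep_out, etm_out

if __name__ == "__main__":
    w, e = demo()
    print("WEP-style forgery accepted, decrypts to:", w)
    print("Encrypt-then-MAC forgery accepted:", e is not None)
```

Running the file prints the two outcomes. The contrast is exactly the CI definition on the slides: the WEP-style D(k, ·), like CBC with random IV, accepts every syntactically valid ciphertext whose checksum matches, and a linear checksum can be matched without the key, so any forgery wins; with encrypt-then-MAC the tag covers the nonce and the ciphertext, so producing a new accepted ciphertext requires k_I.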