Authenticated encryption

Transcription

1 Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida October 16th, 2013

2 Active attacks on CPA-secure encryption

3 Summary confidentiality encryption secure against eavesdropping only integrity MAC secure against forging of messages this module encryption secure against tampering encrypt provides both confidentiality and integrity

4 Sample tampering attacks TCP/IP: dest=80 data data WWW port=80 source machine TCP/IP stack Eve port=25

5 Sample tampering attacks TCP/IP: dest=80 data TCP/IP stack data WWW port=80 key k dest=25 stuff stuff key k Eve port=25

6 Reading someone else s data IV dest=80 data decrypts to dest=80 data goal: attacker seeks to change IV to IV such that key k IV dest=80 data IV dest=80 data decrypts to dest=25 data TCP/IP stack key k data such modification is easy to do for CBC with random IV WWW port=80 Eve port=25

7 Modification encryption is done with CBC with a random IV IV dest=80 data decrypts to dest=80 data how should the attacker choose IV so that: IV dest=80 data decrypts to dest=25 data

8 An attack using only network access remote terminal application: each key stroke encrypted with CTR mode IP hdr TCP hdr T D T: 16 bit TCP checksum D: 1 byte keystroke for all t, s, attacker sends IP hdr TCP hdr t s and receives ACK if valid checksum and nothing otherwise checksum(hdr,d)=t checksum(hdr,d s) can find D

9 The lesson CPA security cannot guarantee secrecy under active attacks use only one of the two modes message integrity required, but confidentiality not necessary use a message authentication code (MAC) both integrity and confidentiality required use authenticated encryption modes

10 Definitions

11 Definition of authenticated encryption an authenticated encryption system (E, D) is a cipher where as usual: new: E : K M C D : K M C { } means that ciphertext is rejected security requirements: the system must ensure semantic security under a CPA attack ciphertext integrity attacker cannot create new ciphertexts that decrypt properly

12 Cipher integrity let (E, D) be a cipher with message space M m 0,..., m q 1 M Chal Adv c 0 = E(k, m 0 ),..., c q 1 = E(k, m q 1 ) k K b c b = 1 if D(k, c) c {c 0,..., c q 1 } b = 0 otherwise definition: (E, D) has ciphertext integrity if for all efficient A: Adv CI (A, E) = Pr(b = 1) is negligible

13 Authenticated encryption definition: a cipher (E, D) provides authenticated encryption (AE) if it is 1. semantically secure under CPA 2. has ciphertext integrity bad example: CBC with random IV does not provide AE D(k, ) never outputs and so adversary always wins CI game

14 Implication 1: authenticity attacker cannot fool Bob into thinking message was sent from Alice m 0,..., m q 1 Alice c 0,..., c q 1 Bob attacker cannot create valid c {c 0,..., c q 1 } if D(k, c) Bob knows message must be from someone who knows k but message could be a replay

15 Implication 2 authenticated encryption security against chosen ciphertext attacks

16 Chosen ciphertext attacks

17 Examples of chosen ciphertext attacks often, adversary can fool server into decrypting certain ciphertexts dest = 25 data data often, adversary can learn partial information about plaintext TCP/IP packet ACK if valid checksum

18 Chosen ciphertext security adversary s power: both CPA and CCA can obtain the encryption of arbitrary messages of his choice can decrypt any ciphertext of his choice that is not equal to the challenge conservative modeling of real-life situation adversary s goal: break semantic security

19 Definition of ciphertext security let (E, D) be a cipher defined over (K, M, K) for i = 0,..., q (1) CPA query challenger k K m 0,i, m 1,i M c i = E(k, m b,i ) (2) CCA query c i C \ {c 0,..., c i 1 } m i = D(k, c i ) adversary

20 Definition of chosen ciphertext security (E, D) is CCA-secure if for all efficient A Adv CCA (A, E) is negligible CBC with random IV is not CCA-secure 1. adversary submits the messages m 0 and m 1 to challenger for encryption and obtains c = E(k, m b ) = (IV, c 0 ) where b is unknown 2. adversary submits the ciphertext c = (IV 1, c 0 ) to challenger for decryption and obtains D(k, c ) = m b 1

21 Authenticated encryption CCA security Theorem: let (E, D) be a cipher that provides AE (E, D) is CCA-secure in particular, for any q-query efficient algorithm, there exist B 1 and B 2 such that Adv CCA (A, E) 2q Adv CI (B 1, E) + Adv CPA (B 2, E)Adv CCA (A, E)

22 Why is this important? authenticated encryption: ensure confidentiality against active attackers that can decrypt some ciphertexts limitations of AE: does not prevent replay attacks does not account for side channels such as timing

23 Construction from ciphers and MACs

24 Combining MAC and ENC encryption key k E, MAC key k I 1. (SSL) m m t = m S(k I, m) E(k E, m t) 2. (IPSec) m c = E(k E, m) c t = c S(k I, c) 3. (SSH) m c = E(k E, m) c t = c S(k I, m)

25 Authenticated encryption theorems let (E, D) be a CPA secure cipher and (S, V ) a secure MAC 1. encrypt-then-mac: always provides AE 2. MAC-then-encrypt: may be insecure against CCA attacks however: (E, D) is rand-ctr mode or rand-cbc mode M-then-E provides AE for rand-ctr mode, one-time MAC is sufficient

26 Explanation of MAC security recall: MAC security requires that (m, t) (m, t ) why is this important? suppose that (m, t) (m, t ) encrypt-then-mac would not have ciphertext integrity 1. attacker submits m 0, m 1 for encryption and receives c = E(k, m b ) = (c 0, t) where b is unknown to attacker 2. attacker computes alternative tag t, submits c = (c 0, t ) for decryption, and obtains D(k, c ) = m b

27 OCB: a direct construction from a PRP more efficient authenticated encryption scheme: only one encryption per block parallelizable m 0 m 1 m 2 m 3 checksum P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) P(n, k, 4) E(k, ) E(k, ) E(k, ) E(k, ) E(k, ) P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) auth c 0 c 1 c 2 c 3 c 4

28 Standards GCM: CTR mode encryption then CW-MAC CCM: CBC-MAC then CTR encryption (802.11i) EAX: CTR mode encryption then CMAC