Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Similar documents
Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

How To Understand And Understand The History Of Cryptography

Authenticated encryption

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

Chapter 6 CDMA/802.11i

CS 758: Cryptography / Network Security

Client Server Registration Protocol

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Overview of Symmetric Encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

The Misuse of RC4 in Microsoft Word and Excel

CIS433/533 - Computer and Network Security Cryptography

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

IPsec Details 1 / 43. IPsec Details

Cryptography and Network Security Chapter 12

Network Security Technology Network Management

CS155. Cryptography Overview

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

MAC. SKE in Practice. Lecture 5

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Chapter 17. Transport-Level Security

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Three attacks in SSL protocol and their solutions

Fundamentals of Computer Security

Talk announcement please consider attending!

Authentication and Encryption: How to order them? Motivation

CPSC 467b: Cryptography and Computer Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security - ISA 656 Introduction to Cryptography

Kerberos. Login via Password. Keys in Kerberos

The application of prime numbers to RSA encryption

Lecture 9: Application of Cryptography

Message Authentication Code

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Provable-Security Analysis of Authenticated Encryption in Kerberos

Lecture 9 - Message Authentication Codes

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Solutions to Problem Set 1

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Symmetric Crypto MAC. Pierre-Alain Fouque

Cryptography Overview

IT Networks & Security CERT Luncheon Series: Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Savitribai Phule Pune University

NEW HORIZON COLLEGE OF ENGINEERING, BANGALORE CLOUD COMPUTING ASSIGNMENT Explain any six benefits of Software as Service in Cloud computing?

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

Chapter 10. Network Security

Wireless Networks. Welcome to Wireless

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Security in IEEE WLANs

SSL A discussion of the Secure Socket Layer

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Paillier Threshold Encryption Toolbox

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Authentication in WLAN

Lecture 13: Message Authentication Codes

Cyber Security Workshop Encryption Reference Manual

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Network Security. HIT Shimrit Tzur-David

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Tutorial 3. June 8, 2015

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Overview/Questions. What is Cryptography? The Caesar Shift Cipher. CS101 Lecture 21: Overview of Cryptography

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Secure Sockets Layer

Cryptography and Network Security: Summary

Introduction to Encryption

Message Authentication Codes

Hill s Cipher: Linear Algebra in Cryptography

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Encrypting Network Traffic

First Semester Examinations 2011/12 INTERNET PRINCIPLES

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

Computer Networks - CS132/EECS148 - Spring

Overview of Public-Key Cryptography

SSL/TLS: The Ugly Truth

Chapter 8. Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Properties of Secure Network Communication

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Introduction To Security and Privacy Einführung in die IT-Sicherheit I

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Modes of Operation of Block Ciphers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Transcription:

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues

Outline In the course we have yet only seen catastrophic weaknesses where a stream cipher or a stream cipher mode was used. Goal We want to show that this can also happen with block cipher modes. This also helps to understand common recommendations for CTR mode. More on the order of MAC and encryption Goal Give reasons why current research prefers the variant Encrypt-then-MAC. What does a Principle of mean? How to understand? Follow? Goal Encourage critical thinking Network Security, WS 2012/13, Chapter 13 2

Attacks we have seen that utilize stream cipher properties Attacks we have seen that utilize stream cipher properties Network Security, WS 2012/13, Chapter 13 3

Failures we have seen using stream ciphers/ modes Re-use of Initialization Vector (IV), e.g. in WEP or chapter 3 IV k P1 = 1 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 0 1 xor 0 0 1 0 0 0 1 0 1 0 1 1 0 1 0 1 0 1 0 C1 = 1 0 0 1 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 Then some time later the same IV is used again: IV k P2 = 1 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 0 1 xor 1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 C2 = 0 1 1 1 0 0 0 1 0 1 0 0 0 1 1 1 1 1 0 Network Security, WS 2012/13, Chapter 13 4

Failures we have seen using stream ciphers/ modes Re-use of Initialization Vector (IV) continued C1 = 1 0 0 1 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 C2 = 0 1 1 1 0 0 0 1 0 1 0 0 0 1 1 1 1 1 0 C1+C2 = 1 1 1 0 0 0 1 0 1 0 1 0 1 0 1 0 0 0 1 = = = = = = = = = = = = P1+P2 = 1 1 1 0 0 0 1 0 1 0 1 0 1 0 1 0 0 0 1 P1 = 0 0 1 0 0 0 1 0 1 0 1 1 0 1 0 1 0 1 0 P2 = 1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 1 1 P1+P2=C1+C2 As we see from the example, the attacker can computer C1+C2 because he observes C1 and C2, but that means he knows also P1+P2. Known Plaintext (e.g. P1) attacker can compute other plaintext Statistical properties of plaintext can be used if plaintext is not random-looking. That means if entropy of P1+P2 is low. Network Security, WS 2012/13, Chapter 13 5

Failures we have seen using stream ciphers/ modes No integrity check or weak integrity check, e.g. CRC in WEP To simplify example, we use the last bit as parity bit to check integrity. IV k P = 1 0 1 1 0 0 0 1 0 1 0 1 1 0 0 0 1 0 1 xor 0 0 1 0 0 0 1 0 1 0 1 1 0 1 0 1 0 1 0 8 1 s 0 C = 1 0 0 1 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 = 1 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 C = 0 1 0 1 0 0 1 1 1 0 1 0 1 1 0 1 1 1 0 P = 1 1 1 0 0 0 1 0 1 1 1 1 0 1 0 1 0 1 1 Attacker can target individual bits, plaintext and checksum are linear in ciphertext. Thus, checksum can be overcome and targeted edits in a text could be done (e.g. change price information). 11 1 s 1 ok Network Security, WS 2012/13, Chapter 13 6

Block cipher Modes The attacks from the previous slides would not have worked that way against a block cipher mode like CBC. The re-use of an IV can give hints about identical first blocks, but plaintext cannot be calculated from it. The plaintext is not linear in the ciphertext. Thus, such trivial attacks won t work. Weak checksums cannot be attacked directly, since single individual bits cannot be controlled by an attacker modifying the cipher text, again due to the fact that the plaintext is sent through the encrpytion algorithm. However, the attacks resulted from severe usage errors and not from proper use. Moreover, integrity is not the goal of encryption and, thus, the weak checksum algorithm should be blamed. Block cipher modes can also fail when used badly. Network Security, WS 2012/13, Chapter 13 7

MAC-then-Enc/Enc-then-MAC design guidelines? MAC-then-Enc/Enc-then-MAC what do design guidelines / principle of say? Network Security, WS 2012/13, Chapter 13 8

Kerckhoff s Principle (a good guideline) Kerckhoff s Principle (short version): A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Now, is this a true fact? No, it is a guideline for good design, but not a universal truth. The assumption is that you gain more from making the system design public and publicly scrutinized than from hiding a system design where flaws at first may be unknown to attackers, but overlooked by designers. Kerckhoff s principle is widely accepted in cryptography. Does all security technology follow this principle? Well, it is about cryptography. But philosophically, does a. obey it? Firewall? NAT? IDS? Some technologies are more an arms race between defender and attacker. Network Security, WS 2012/13, Chapter 13 9

Horton Principle (is it a good guideline?) Horton principle: Authenticate what you mean, not what you say Typical conclusion: this means that the plaintext should be authenticated and not the ciphertext. So, in our secure channel, we should do MAC-then-Encrypt Because then the MAC protects the plaintext Now, state-of-art in cryptography suggests that Encrypt-then-MAC is better. Security proofs for Encrypt-then-MAC can be shown in more security models (~ succeed against a slightly stronger attacker) Attacks (later) So, this guideline misleads us when we talk about the secure channel for data transmission. Network Security, WS 2012/13, Chapter 13 10

Horton Principle (philosophic) Horton principle: Authenticate what you mean, not what you say But what is the meaning of a data transport channel? Isn t it naive to think of the plaintext as what you mean? When we say the meaning is the data unit of the higher layer protocol, then it is the plaintext. When we say the meaning is the transport of bits, then we might also be able to think of the ciphertext as the meaning. Logically it is not forbidden by the sentence that meaning and saying is the same. Whatever you might think about the philosophic question above, the main message is that the mechanisms of one layer are not about meanings of other layers. Transport Layer has no semantics for application-specific data. Network Security, WS 2012/13, Chapter 13 11

Prerequisites for attacking CBC and MAC-then-Enc Prerequisites for attacking CBC and MAC-then-Enc Network Security, WS 2012/13, Chapter 13 12

Guessing a secret (revisited) Passwords N: size of alphabet (number of different characters) L: length of password in characters Complexity of guessing a randomly-generated password / secret The assumption is, we generate a password and then we test it. O(N^L) Complexity of guessing a randomly-generated password character by character The assumption is that we can check each character individually for correctness. For each character it is N/2 (avg) and N (worst case) So, overall L*N/2 (avg) In the subsequent slides we will show an attack that reduces the decryption of a blockcipher in CBC mode to byte-wise decryption (under special assumptions). Network Security, WS 2012/13, Chapter 13 13

MAC-then-Encrypt Issues P MAC Ciphertext Operation P and MAC are encrypted and hidden in the ciphertext. Receiver Decrypts P Decrypts MAC Computes and checks MAC MAC error or success Consequence MAC does not protect the ciphertext. Integrity check can only be done once everything is decrypted. As a consequence, receiver will detect malicious messages at the end of the secure channel processing and not earlier. But is that more than a performance issue? Well, yes. Network Security, WS 2012/13, Chapter 13 14

MAC-then-Encode-then-Encrypt If we use a block cipher, we have to ensure that the message encoding fits to the blocksize of the cipher. Encode-then-MAC-then-Encrypt: Format P so that with the MAC added the encryption sees the right size. Needs that we know the size of the MAC and blocksize of cipher when generating P Padding. MAC-then-Encode-then-Encrypt Used in TLS/SSL Here, we add the MAC first and then pad the P MAC to the correct size. How do we know what is padding and what not? Padding in TLS/SSL: If size of padding is 1 byte, the padding is 1. If size of padding is 2 bytes, the padding is 2 2. If size of padding is 3 bytes, the padding is 3 3 3.. P P Pad Ciphertext MAC Ciphertext MAC Pad Network Security, WS 2012/13, Chapter 13 15

Padding Oracle Attack against CBC and MAC-then- Enc Padding Oracle Attack against CBC mode and MACthen-Enc Network Security, WS 2012/13, Chapter 13 16

Concept of Padding Oracle Attack (against CBC) Attacker sees unknown ciphertext C = that was sent from Alice to Bob P MAC Ciphertext Pad To decrypt the ciphertext, the attacker modifies C and sends it to Bob. P MAC Ciphertext Pad It is unlikely that the MAC and padding are correct. So, Bob will send an error back to Alice (and the attacker). In earlier versions of TLS, Bob sent back different error messages for padding errors and for MAC errors. Network Security, WS 2012/13, Chapter 13 17

Padding Oracle Attack CBC mode decryption (revisited) Encryption and Decryption in CBC mode CBC Time = 1 Time = 2... Time = n P 1 P 2 P n IV + + C n-1 + Encrypt K Encrypt K Encrypt... K Encrypt C 1 C 2 C n C 1 C 2 C n Decrypt K Decrypt K Decrypt... K Decrypt IV + + C n-1 + P 1 P 2 P n Network Security, WS 2012/13, Chapter 13 18

Padding Oracle Attack against CBC We have n blocks and N bytes per block. The attacker first wants to decrypt the last block C n. In order to do so, he starts with the last byte C n-1,n of the block C n-1. If he changes this byte (blue bytes are changed bytes) C n-1 C n-1,n C n K Decrypt K Decrypt + + P n,n P n-1 the MAC will most likely be invalid (chance 1 in 2^m for MAC length m) the padding will be invalid unless C n-1,n xor P n,n = 1 (chance 1 in 256) After testing the 256 values for C n-1,n all of them produced padding errors except for one that matches C n-1,n xor P n,n = 1. We know P n,n. P n Network Security, WS 2012/13, Chapter 13 19

Padding Oracle Attack against CBC (2) Now, the byte P n,n-1. For that we produce a padding of length 2. Since we know P n,n we can calculate C n-1,n so that C n-1,n xor P n,n = 2 Now, we have to find the C n-1,n-1 that satisfies C n-1,n-1 xor P n,n-1 = 2 C n-1 C n-1,n C n K Decrypt K Decrypt + + P n,n P n-1 P n With the same argument as before, we need to try up to 256 values, all values except for the correct one will generate a padding error. The correct one will produce a MAC errror. We know P n,n-1. Network Security, WS 2012/13, Chapter 13 20

Padding Oracle Attack against CBC (3) To completely decrypt C n we have to repeat the procedure until all bytes of the block are decrypted. In the figure with 8 bytes per block, the last padding we generate is 8 8 8 8 8 8 8 8. To decrypt C n-1 we can cut off C n and repeat the same procedure with C n-1 as last block. For decrypting C 1 we can use the IV as ciphertext for the attack modifications. C n-2 C n-2,n C n-1 IV IV n C 1 K Decrypt K Decrypt K Decrypt + + P n-1,n + P 1,N P n-2 P n-1 P 1 Network Security, WS 2012/13, Chapter 13 21

Padding Oracle Attack against CBC (4) We have seen a severe known-ciphertext attack against block ciphers in CBC mode. Complexity is in the order of the length of message. Due to that attack, TLS/SSL stopped to differentiate between these two kinds of errors. However, timing can still be an issue in case of local attackers as the padding error occurs a bit earlier (order of 1 ms earlier according to literature). Limitations: Alice and Bob might also start a rekeying due to these attack messages and then the oracle attack would not be possible as the key changed. The attack would not have been possible with (Encode-then-)Encyptthen-MAC as the MAC is checked first. Protecting the ciphertext stops known-ciphertext attacks, which protecting the plaintext does not. Network Security, WS 2012/13, Chapter 13 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information