Authentication and Encryption: How to order them? Motivation



Similar documents
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Message Authentication Codes 133

Authenticated encryption

MACs Message authentication and integrity. Table of contents

Lecture 9 - Message Authentication Codes

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Message Authentication Code

Lecture 13: Message Authentication Codes

Talk announcement please consider attending!

1 Construction of CCA-secure encryption

Digital Signatures. What are Signature Schemes?

MAC. SKE in Practice. Lecture 5

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Ciphertext verification security of symmetric encryption schemes

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Provable-Security Analysis of Authenticated Encryption in Kerberos

Cryptographic Hash Functions Message Authentication Digital Signatures

CS155. Cryptography Overview

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

1 Message Authentication

Message authentication

Message Authentication Codes. Lecture Outline

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

CS 758: Cryptography / Network Security

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

Chapter 17. Transport-Level Security

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CryptoVerif Tutorial

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Chosen-Ciphertext Security from Identity-Based Encryption

Overview of Symmetric Encryption

Cryptography and Network Security: Summary

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Symmetric Crypto MAC. Pierre-Alain Fouque


Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Modes of Operation of Block Ciphers

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Chapter 23. Database Security. Security Issues. Database Security

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Cryptography Overview

CPSC 467b: Cryptography and Computer Security

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Chapter 7. Message Authentication. 7.1 The setting

Network Security Technology Network Management

Reconsidering Generic Composition

Chapter 3. Network Domain Security

Savitribai Phule Pune University

EXAM questions for the course TTM Information Security May Part 1

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

Computational Soundness of Symbolic Security and Implicit Complexity

Post-Quantum Cryptography #4

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Sample or Random Security A Security Model for Segment-Based Visual Cryptography

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Lecture 15 - Digital Signatures

CIS 5371 Cryptography. 8. Encryption --

Lecture 5 - CPA security, Pseudorandom functions

CSCE 465 Computer & Network Security

Lecture 3: One-Way Encryption, RSA Example

Introduction. Digital Signature

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Properties of Secure Network Communication

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Cryptography. Lecture Notes from CS276, Spring Luca Trevisan Stanford University

Network Security Protocols

One-Way Encryption and Message Authentication

Computer Networks - CS132/EECS148 - Spring

Communication Systems SSL

Message authentication and. digital signatures

Message Authentication Codes

Chapter 6 CDMA/802.11i

3-6 Toward Realizing Privacy-Preserving IP-Traceback

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

IT Networks & Security CERT Luncheon Series: Cryptography

On the Security of CTR + CBC-MAC

Chapter 10. Network Security

Introduction to Cryptography CS 355

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network Security - ISA 656 Introduction to Cryptography

Digital Signatures. Prof. Zeph Grunschlag

Paillier Threshold Encryption Toolbox

Transcription:

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in two stages: first call a ey establishment protocol for establishing a secret ey, then use this to authenticate and encrypt the transmitted information. Common protocols which follow them are SSL, IPSEC, SSH 1

3 Approaches Interestingly 3 different approaches are used by these: SSL: a=auth(x), C=Enc(x,a), transmit C Authenticate Then Encrypt (AtE) IPSEC: C=Enc(x), a=auth(c), transmit (C,a) Encrypt Then Authenticate SSH: C=Enc(x), a=auth(x), transmit(c,a) Encrypt and Authenticate (E&A) Question Q: Are all of them equivalent, or is there any good way and bad way? Assumptions: We assume that the underlying primitives are strong and developed separately: Enc is secured in the CPA sense MAC is secured in the chosen message sense. Requirement is for an all-or-nothing approach. ie. we will be satisfied when any combination of a good Enc and a good MAC provides both privacy and integrity. 2

Encrypt-and-Authenticate Independent encryptions and authentication steps: Given a plaintext m, the sender transmits a pair (c,t) where, c=enc 1 (m), and t=mac 2 (m) Receiver decrypts c and obtains m. But it outputs, m only when Vrfy 2 (m,t)=1, otherwise it outputs a NULL. Authenticate then Encrypt Here a MAC tag is first computed, then the message tag and the message are encrypted together: t=mac 2 (m), c=enc 1 (m t). transmit(c) The receiver decrypts c and then verifies the tag t on m. It outputs m if Vrfy 2 (m,t)=1, else NULL. 3

Encrypt then Authenticate Message is first encrypted and then the tag is computed: c=enc 1 (m), t=mac 2 (c) Receiver verifies the tag, t and then decrypts c. Security Definitions What is a secure communication channel? 1. The ey-generation algorithm Gen taes input n, runs Gen ( n) and Gen (n) to obtain eys and. E 1 2 M 1 2 2. The message transmission algorithm EncMac taes as input the eys (, ) and a message m, and outputs a value c, that is derived by some combination of Enc (.) and Mac (.). 1 2 3. The decryption algorithm Dec taes as input the eys (, ), and a transmitted value c, and applies some combination of Dec (.) and Vrfy (.). The output of Dec is either a plaintext 1 2 m or NULL (if verification fails). 1 2 4

Correctness Dec, (, ( )) EncMac m m 1 2 1 2 Secure Message Transmission Experiment Secure Message Transmission Experiment Auth A, ( n) : 1. A random ey ( 1, 2) is generated by running Gen(n). 2. The adversary A is given input n and oracle access to the message transmission algorithm EncMac (.). The adversary eventually outputs c. Let Q denote the set of all queries that A ased to its oracle. 3. Let m Dec ( c). The output of the experiment is defined to be 1 if and only if 1)m NULL, and 2)m Q 5

Definition of Security A message transmission scheme achieves authenticated communication if for all probabilistic polynomial time adversaries A, there exists a negligible function negl, st: Pr[Auth ( n) 1] negl( n). A, The definition shows that the adversary s job is slightly easier, since the adversary does not need to now the message m to which its output c corresponds. Encrypt and Authenticate c Enc ( m), t Mac ( m) 1 2 The combination is not necessarily secret. A secure MAC does not necessarily imply privacy. In particular, if (Gen M,Mac,Vrfy) is a secure MAC, the scheme (m,mac (m)) is also secure MAC. But there is no privacy. 6

What about CBC-MAC If the MAC is more practical, lie CBC- MAC, does the scheme provide secrecy? Authenticate-then-encrypt t Mac ( m), c Enc ( m t) 2 1 The plaintext is often transformed with encodings. This hides various information to the attacer, lie length, side channel information etc. Let Transform(m) be as follows: 0 00 1 01 or 10 (arbitrarily) The inverse transform thus parses the strings as pairs of bits, and then maps 00 to 0, and 01 or 10 as 1. However, since a 11 can never occur, the result is. 1 1 Thus, Transform (0110) 11, but Transformm (1100). 7

The Encryption function Define, Enc ( m) Enc( Transform( m)), where Enc represents a counter mode encryption. The discussion holds for any encryption scheme which generates a pesudorandom pad to xor with the message data. The Enc is a CPA-secure scheme. Insecurity of the scheme We show that this scheme is not secure. The attac wors as long as the attacer can chec whether a given ciphertext is valid (note an entire decryption is not even needed). Consider, a challenge ciphertext, c Enc ( Transform( m Mac ( m))), the attacer simply flips the first two bits of the second bloc of c. Note : The first bloc is the counter value. Then verifies whether the new ciphertext is valid. Note, if the first bit of the message is 1, then flipping eeps the ciphertext valid. However, if the first bit was 0, the flipped bits mae the ciphertext invalid. The attac can be performed on each bit maing the scheme lea the entire message. 2 8

Authenticate-then-encrypt Thus, in general Authenticate-then-encrypt is not secured. However certain specific constructs used in SSL are secured. uses CBC mode of encryption OTP for encryption Encrypt then Authenticate The message is first encrypted, and then authenticated. Let Let E M c Enc ( m), t Mac ( c). 1 2 be a CPA-secure private ey encryption scheme. be a secure message authentication code with unique tags. Then the combination (Gen,EncMac,Dec) derived by applying the encrypt-then-authenticate approach to, is a secure message transmission scheme. Proof: CCA-security has been discussed in the last class. Proof of authentication is left as an exercise. E M 9

Secure Message Transmission and CCA-Security Secure Message Transmission implies CCA security. The opposite is not necessarily true. Need for independent eys Different security goals should always use different eys. Thus, if both authentication and privacy are needed we should use different eys. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information