Authenticated encryption

Similar documents
Symmetric Crypto MAC. Pierre-Alain Fouque

Authentication and Encryption: How to order them? Motivation

MAC. SKE in Practice. Lecture 5

Message Authentication Code

CS155. Cryptography Overview

Talk announcement please consider attending!

Lecture 13: Message Authentication Codes

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Lecture 9 - Message Authentication Codes

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Cryptography Overview

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Chapter 17. Transport-Level Security

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

1 Construction of CCA-secure encryption

Message Authentication Codes. Lecture Outline

Ciphertext verification security of symmetric encryption schemes

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Chapter 10. Network Security

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Security Protocols/Standards

1 Message Authentication

Provable-Security Analysis of Authenticated Encryption in Kerberos

Message Authentication Codes

Message Authentication Codes 133

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CPSC 467b: Cryptography and Computer Security

Lecture 9 - Network Security TDTS (ht1)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Chapter 3. Network Domain Security

Computer and Network Security. Alberto Marchetti Spaccamela

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 6 CDMA/802.11i

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Overview of Symmetric Encryption

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Compter Networks Chapter 9: Network Security

Client Server Registration Protocol

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Transport Level Security

Cryptography and Network Security Chapter 12

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Virtual Private Networks

Chapter 7 Transport-Level Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Cryptographic Hash Functions Message Authentication Digital Signatures

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Cryptography and Network Security: Summary

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Practice Questions. CS161 Computer Security, Fall 2008

Protocol Security Where?

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

VPN Lesson 2: VPN Implementation. Summary

On the Security of CTR + CBC-MAC

CS 758: Cryptography / Network Security

TELE 301 Network Management. Lecture 16: Remote Terminal Services

CIS 5371 Cryptography. 8. Encryption --

Solution of Exercise Sheet 5

How To Secure My Data

DataTrust Backup Software. Whitepaper Data Security. Version 6.8

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Netzwerksicherheit: Anwendungen

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Introduction to Cryptography CS 355

MACs Message authentication and integrity. Table of contents

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Message authentication

KeyStone Architecture Security Accelerator (SA) User Guide

Overview of Public-Key Cryptography

TLS and SRTP for Skype Connect. Technical Datasheet

Wireless Networks. Welcome to Wireless

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

Einführung in SSL mit Wireshark

CryptoVerif Tutorial

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

EXAM questions for the course TTM Information Security May Part 1

SECURITY IN NETWORKS

Authenticity of Public Keys

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Computer Networks. Secure Systems

Transcription:

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013

Active attacks on CPA-secure encryption

Summary confidentiality encryption secure against eavesdropping only integrity MAC secure against forging of messages this module encryption secure against tampering encrypt provides both confidentiality and integrity

Sample tampering attacks TCP/IP: dest=80 data data WWW port=80 source machine TCP/IP stack Eve port=25

Sample tampering attacks TCP/IP: dest=80 data TCP/IP stack data WWW port=80 key k dest=25 stuff stuff key k Eve port=25

Reading someone else s data IV dest=80 data decrypts to dest=80 data goal: attacker seeks to change IV to IV such that key k IV dest=80 data IV dest=80 data decrypts to dest=25 data TCP/IP stack key k data such modification is easy to do for CBC with random IV WWW port=80 Eve port=25

Modification encryption is done with CBC with a random IV IV dest=80 data decrypts to dest=80 data how should the attacker choose IV so that: IV dest=80 data decrypts to dest=25 data

An attack using only network access remote terminal application: each key stroke encrypted with CTR mode IP hdr TCP hdr T D T: 16 bit TCP checksum D: 1 byte keystroke for all t, s, attacker sends IP hdr TCP hdr t s and receives ACK if valid checksum and nothing otherwise checksum(hdr,d)=t checksum(hdr,d s) can find D

The lesson CPA security cannot guarantee secrecy under active attacks use only one of the two modes message integrity required, but confidentiality not necessary use a message authentication code (MAC) both integrity and confidentiality required use authenticated encryption modes

Definitions

Definition of authenticated encryption an authenticated encryption system (E, D) is a cipher where as usual: new: E : K M C D : K M C { } means that ciphertext is rejected security requirements: the system must ensure semantic security under a CPA attack ciphertext integrity attacker cannot create new ciphertexts that decrypt properly

Cipher integrity let (E, D) be a cipher with message space M m 0,..., m q 1 M Chal Adv c 0 = E(k, m 0 ),..., c q 1 = E(k, m q 1 ) k K b c b = 1 if D(k, c) c {c 0,..., c q 1 } b = 0 otherwise definition: (E, D) has ciphertext integrity if for all efficient A: Adv CI (A, E) = Pr(b = 1) is negligible

Authenticated encryption definition: a cipher (E, D) provides authenticated encryption (AE) if it is 1. semantically secure under CPA 2. has ciphertext integrity bad example: CBC with random IV does not provide AE D(k, ) never outputs and so adversary always wins CI game

Implication 1: authenticity attacker cannot fool Bob into thinking message was sent from Alice m 0,..., m q 1 Alice c 0,..., c q 1 Bob attacker cannot create valid c {c 0,..., c q 1 } if D(k, c) Bob knows message must be from someone who knows k but message could be a replay

Implication 2 authenticated encryption security against chosen ciphertext attacks

Chosen ciphertext attacks

Examples of chosen ciphertext attacks often, adversary can fool server into decrypting certain ciphertexts dest = 25 data data often, adversary can learn partial information about plaintext TCP/IP packet ACK if valid checksum

Chosen ciphertext security adversary s power: both CPA and CCA can obtain the encryption of arbitrary messages of his choice can decrypt any ciphertext of his choice that is not equal to the challenge conservative modeling of real-life situation adversary s goal: break semantic security

Definition of ciphertext security let (E, D) be a cipher defined over (K, M, K) for i = 0,..., q (1) CPA query challenger k K m 0,i, m 1,i M c i = E(k, m b,i ) (2) CCA query c i C \ {c 0,..., c i 1 } m i = D(k, c i ) adversary

Definition of chosen ciphertext security (E, D) is CCA-secure if for all efficient A Adv CCA (A, E) is negligible CBC with random IV is not CCA-secure 1. adversary submits the messages m 0 and m 1 to challenger for encryption and obtains c = E(k, m b ) = (IV, c 0 ) where b is unknown 2. adversary submits the ciphertext c = (IV 1, c 0 ) to challenger for decryption and obtains D(k, c ) = m b 1

Authenticated encryption CCA security Theorem: let (E, D) be a cipher that provides AE (E, D) is CCA-secure in particular, for any q-query efficient algorithm, there exist B 1 and B 2 such that Adv CCA (A, E) 2q Adv CI (B 1, E) + Adv CPA (B 2, E)Adv CCA (A, E)

Why is this important? authenticated encryption: ensure confidentiality against active attackers that can decrypt some ciphertexts limitations of AE: does not prevent replay attacks does not account for side channels such as timing

Construction from ciphers and MACs

Combining MAC and ENC encryption key k E, MAC key k I 1. (SSL) m m t = m S(k I, m) E(k E, m t) 2. (IPSec) m c = E(k E, m) c t = c S(k I, c) 3. (SSH) m c = E(k E, m) c t = c S(k I, m)

Authenticated encryption theorems let (E, D) be a CPA secure cipher and (S, V ) a secure MAC 1. encrypt-then-mac: always provides AE 2. MAC-then-encrypt: may be insecure against CCA attacks however: (E, D) is rand-ctr mode or rand-cbc mode M-then-E provides AE for rand-ctr mode, one-time MAC is sufficient

Explanation of MAC security recall: MAC security requires that (m, t) (m, t ) why is this important? suppose that (m, t) (m, t ) encrypt-then-mac would not have ciphertext integrity 1. attacker submits m 0, m 1 for encryption and receives c = E(k, m b ) = (c 0, t) where b is unknown to attacker 2. attacker computes alternative tag t, submits c = (c 0, t ) for decryption, and obtains D(k, c ) = m b

OCB: a direct construction from a PRP more efficient authenticated encryption scheme: only one encryption per block parallelizable m 0 m 1 m 2 m 3 checksum P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) P(n, k, 4) E(k, ) E(k, ) E(k, ) E(k, ) E(k, ) P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) auth c 0 c 1 c 2 c 3 c 4

Standards GCM: CTR mode encryption then CW-MAC CCM: CBC-MAC then CTR encryption (802.11i) EAX: CTR mode encryption then CMAC

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information