Some Comments on OCB and CCM
Phil Rogaway, UC Davis and Chiang Mai Univ.
doc.: IEEE 802.11-02/156ar0, Submission, March 2002


Slide 1. Some Comments on OCB and CCM
Phil Rogaway, UC Davis and Chiang Mai Univ.
* This talk corresponds to the contribution “Some Comments on WHF Mode”, doc.: IEEE 802.11-02/156r0.

Slide 2. Why is Phil here?
I came in July 2001 to describe OCB. At that time, OCB was quite new.
– The paper had not even appeared!
Since then, OCB (and auth enc in general) has continued to do well.
– The papers have appeared. Nice follow-on work. Lots of implementations. Lots of interest.
But I’m told that OCB is in jeopardy in 802.11i. So I’ve come to clarify cryptographic questions and address whatever else has given people pause.

Slide 3. What is OCB?
Auth enc mode by Bellare, Black, Krovetz, Rogaway. Appears in ACM CCS 01 + a proposal to NIST. Follow-on work to an early version of [Jutla01].
Uses any block cipher (e.g., AES).
Uses ⌈|M|/n⌉ + 2 block cipher calls to encrypt+authenticate M (n = block length). About half of what alternatives use.
Provably secure: if you break OCB-E (OCB instantiated with block cipher E) privacy/authenticity with advantage > 1.5 m^2 / 2^n then you break E with the “excess” advantage (m = # ciphertext blocks you get hold of).
Adopted for the draft 802.11i standard.

Slide 4. Why the move away from OCB?
Some specious technical issues.
– [FHW01] non-issues: size of SW implementation, size of HW implementation, power consumption, HW speed, crypto confidence, … Only valid issue: plaintext integrity coverage; addressed.
– [Fe02] non-issue: the m^2 / 2^n security bound.
Main issue for [FHW01, Fe02] appears to be patent avoidance.

Slide 5. What is this Ferguson attack?
[Fe02] points out: if you have m blocks of ciphertext (and its plaintext) you can forge with probability about m^2 / 2^n.
– Right. This is obvious, well-known to the OCB authors, and the same as for other popular modes. A non-issue for 802.11.
– In general, when security upper bounds are available (as with OCB), you should always use them, and not attacks, to assess security.
– Numerical example: bytes of encrypted data (max possible) gives < chance of forgery. So gathering data at 1 Gbit/sec for one million years will give chance of forgery < 1 in 4 million.
– Has nothing to do with tag length.
The m^2 / 2^n security degradation is perhaps more significant for privacy than for authenticity, but still of no practical importance when n = 128.

Slide 6. The “Real” Issue: Patents
From [FHW01]
– “IEEE 802 has long history with patents—Bottom line: Avoid patents when there are viable unencumbered alternatives”
– “Fair, non-discriminatory, and non-onerous are subjective (especially after standard is done)”
From [Fe02]
– “OCB mode has been patented. This last reason has been the main reason for the author … not to spend any time on OCB. Spending time on OCB will only help the patent-holders sell their licenses without any further compensation to the cryptanalyst… Given that OCB’s computational advantage over the patent-free modes is at most a factor of 2, … [we] expect OCB only to be used in niche applications”
From the Chief Scientist at RSA
– Lovely algorithm, but RSA just cannot support this because of the patents… (my paraphrase)

Slide 7. Why the Patent Bashing?
Take your pick.
– Dislike of crypto patents; uncomfortable with a non-corporate patent holder; possibility of more than one party to deal with; fear of my/Virgil/IBM avarice; fear of my/Virgil licensing inexperience; …
Phil doesn’t exactly understand.
– Phil, IBM, and VDG have all sent in their letters of assurance.
– Already licensed under very simple & inexpensive terms.
– All owners of auth enc IP are focused on auth enc succeeding beyond 802.11; none of us have any interest in this being costly or difficult.

Slide 8. CCM Mode
An OCB alternative by [WHF02]. New, unpublished, still evolving. Invented specifically for 802.11.
Twice the # of block cipher calls.
Positioned as generic composition, but it is not.
A new writeup, [Jo02], abstracts out the mode (does an excellent job of this) and drafts a proof.
Generic composition (with encrypt-then-mac taken over proven primitives) would be safer.

Slide 9. More on Generic Composition
Studied by [BN00].
– encrypt-then-mac: always achieves the desired security property (“auth of ciphertexts” [BR00, KY00]) under the customary assumptions.
– mac-then-encrypt, encrypt-and-mac: doesn’t.
No known results establish that one gets a better bound (in special cases) with mac-then-encrypt. Landscape unchanged by [Kr01].
Known results become inapplicable if one uses a common key.
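The encrypt-then-mac composition from [BN00] that the slide prefers, written out as an added example in Go. This is not code from the slides, from OCB, or from CCM: AES-CTR for E and HMAC-SHA256 for the MAC are my choice of primitives, keyed with two independent keys as the [BN00] result assumes, and the keys, nonce and payload below are constructed demo values. The receiver checks the tag over nonce || ciphertext before it decrypts anything, and the ctrOnly helper shows what a single flipped ciphertext bit does when no MAC is present at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	nonceLen = aes.BlockSize // CTR IV; must never repeat under one encKey
	tagLen   = sha256.Size
)

// etmKeys holds two INDEPENDENT keys. The [BN00] encrypt-then-mac result
// assumes E and the MAC are keyed separately; reusing one key for both,
// as a single-key mode does, steps outside what that result proves.
type etmKeys struct {
	encKey []byte // 16 bytes: AES-128 key for CTR-mode encryption
	macKey []byte // 32 bytes: HMAC-SHA256 key
}

// etmSeal implements encrypt-then-mac: CTR-encrypt, then MAC the nonce and
// the ciphertext (never the plaintext). Output: nonce || ciphertext || tag.
func etmSeal(k etmKeys, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != nonceLen {
		return nil, errors.New("nonce must be one block long")
	}
	blk, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(blk, nonce).XORKeyStream(ct, plaintext)

	mac := hmac.New(sha256.New, k.macKey)
	mac.Write(nonce)
	mac.Write(ct)
	out := make([]byte, 0, nonceLen+len(ct)+tagLen)
	out = append(out, nonce...)
	out = append(out, ct...)
	return mac.Sum(out), nil // Sum appends the tag to out
}

// etmOpen verifies the tag over nonce || ciphertext BEFORE decrypting, so a
// forged or modified ciphertext is rejected without ever being decrypted
// ("authenticity of ciphertexts"). hmac.Equal is a constant-time compare.
func etmOpen(k etmKeys, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceLen+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	nonce := sealed[:nonceLen]
	ct := sealed[nonceLen : len(sealed)-tagLen]
	tag := sealed[len(sealed)-tagLen:]

	mac := hmac.New(sha256.New, k.macKey)
	mac.Write(nonce)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	blk, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(blk, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

// ctrOnly is CTR mode with no MAC: it is malleable, so flipping a ciphertext
// bit flips the same plaintext bit and nothing on the receiving side notices.
func ctrOnly(key, nonce, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, data)
	return out
}

func main() {
	// Constructed demo keys/nonce. Real code derives keys from a KDF or RNG
	// and never reuses a nonce under the same key.
	k := etmKeys{encKey: []byte("0123456789abcdef"), macKey: []byte("0123456789abcdef0123456789abcdef")}
	nonce := make([]byte, nonceLen)
	msg := []byte("frame payload: 802.11 demo")

	sealed, _ := etmSeal(k, nonce, msg)
	pt, err := etmOpen(k, sealed)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(pt, msg), err)

	tampered := append([]byte{}, sealed...)
	tampered[nonceLen] ^= 0x01 // flip one ciphertext bit
	_, err = etmOpen(k, tampered)
	fmt.Println("tampered EtM ciphertext rejected:", err != nil)

	ct := ctrOnly(k.encKey, nonce, msg)
	ct[0] ^= 0x01
	fmt.Printf("CTR alone: flipped bit lands in plaintext: %q\n", ctrOnly(k.encKey, nonce, ct)[:1])
}
```

The order inside etmOpen is the whole point: the MAC is checked over the ciphertext, so nothing derived from the plaintext is ever released for a message that fails authentication.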

Slide 10. More on the MAC within CCM
CCM uses a kind of length-prepend CBC MAC.
– [BKR94] suggested an approach for analyzing the length-prepend CBC MAC.
– [PR97] claimed a more general result, for prefix-free message spaces, but gave no proof (they referred to [BKR94] instead).
The single key of CCM means that one cannot appeal to the [PR00] claim even if one regards it as proven.
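To show why the message space matters for the CBC MAC, here is an added Go example of my own (not the slides' code and not CCM): a raw zero-IV CBC MAC over AES, a length-prepended variant in the spirit of the one the slide attributes to CCM (the leading block here carries only the byte length; CCM's actual first block, with its flags, nonce and counters, is not reproduced), and the classic splice forgery that succeeds against the raw MAC on variable-length messages and fails once the length block is prepended. The key and messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes for AES

// rawCBCMAC is the plain CBC MAC with a zero IV over a whole number of
// blocks: C_i = E_K(C_{i-1} XOR M_i), tag = C_last. The [BKR94] analysis
// covers fixed-length messages (more generally, prefix-free spaces); with
// variable lengths the splice below forges a tag.
func rawCBCMAC(key, msg []byte) []byte {
	if len(msg)%bs != 0 {
		panic("message length must be a multiple of the block size")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	x := make([]byte, bs) // zero IV
	for i := 0; i < len(msg); i += bs {
		for j := 0; j < bs; j++ {
			x[j] ^= msg[i+j]
		}
		c.Encrypt(x, x)
	}
	return x
}

// lengthPrependCBCMAC puts |M| into a leading block and CBC-MACs len || M.
// Prepending the length makes the encoded message space prefix-free.
func lengthPrependCBCMAC(key, msg []byte) []byte {
	hdr := make([]byte, bs)
	binary.BigEndian.PutUint64(hdr[bs-8:], uint64(len(msg)))
	return rawCBCMAC(key, append(hdr, msg...))
}

// splice is the extension forgery: from (m1, t1) and (m2, t2) under one key,
// build m1 || (m2[0:bs] XOR t1) || m2[bs:]. In raw CBC-MAC the chaining
// value after m1 is exactly t1, which cancels the XOR, so the remaining
// computation is the MAC of m2 and the tag of the forged message is t2.
func splice(m1, t1, m2 []byte) []byte {
	forged := append([]byte{}, m1...)
	for j := 0; j < bs; j++ {
		forged = append(forged, m2[j]^t1[j])
	}
	return append(forged, m2[bs:]...)
}

// rawForgeryWorks reports whether the splice yields t2 under raw CBC-MAC.
func rawForgeryWorks(key, m1, m2 []byte) bool {
	t1 := rawCBCMAC(key, m1)
	t2 := rawCBCMAC(key, m2)
	return bytes.Equal(rawCBCMAC(key, splice(m1, t1, m2)), t2)
}

// lengthPrependForgeryWorks repeats the attack against the length-prepended
// MAC, using the tags an attacker would actually observe. The length block
// enters every chaining value, so the cancellation no longer happens.
func lengthPrependForgeryWorks(key, m1, m2 []byte) bool {
	t1 := lengthPrependCBCMAC(key, m1)
	t2 := lengthPrependCBCMAC(key, m2)
	return bytes.Equal(lengthPrependCBCMAC(key, splice(m1, t1, m2)), t2)
}

func main() {
	key := []byte("0123456789abcdef")               // constructed demo key
	m1 := []byte("block-one-of-m1.")                // 16 bytes: one block
	m2 := []byte("m2 first block..m2 second block.") // 32 bytes: two blocks
	fmt.Println("raw CBC-MAC splice forgery succeeds:   ", rawForgeryWorks(key, m1, m2))
	fmt.Println("length-prepend splice forgery succeeds:", lengthPrependForgeryWorks(key, m1, m2))
}
```

The forged message is three blocks long and was never submitted to the MAC, yet its raw CBC-MAC tag is known in advance; with the length block in front the attacker's known tag no longer matches any chaining value, and the same splice is rejected.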

Slide 11. Is CCM more secure than OCB (wrt authenticity)?
Currently there is no published or independently verified proof of CCM.
[Fe02, Jo02] suggest that CCM might have better Adv^auth than m^2 / 2^n. Who knows!
One should focus on security bounds, not attacks. Statements like:
– “[CCM] can be used for any amount of data up to 2^64 blocks” [Fe02]
– “[CCM] is secure against attackers limited to steps of operation if the key K is 256 bits” [WHF02]
have no basis in results.
Overall, an interesting academic question, but of limited practical significance.

Slide 12. OCB vs. CCM

Assurance
  OCB: Published, peer-reviewed work from an experienced team of cryptographers. Proof under a standard complexity assumption, getting standard bounds. Stable algorithm.
  CCM: Unpublished algorithm. Still evolving. Designed specifically for 802.11. Does not follow the well-understood enc-then-mac generic composition paradigm. Unlikely to be used outside of 802.11.

HW/SW size, HW speed, Power use, Ciphertext expansion, ...
  Not significantly differentiated for 802.11 purposes: differences are overly assumption-dependent and likely “in the noise”.

SW speed
  OCB: ⌈|M|/n⌉ + 2 block cipher calls
  CCM: 2⌈|M|/n⌉ + 2 block cipher calls

Patents
  OCB: Yes. Letters of assurance on file.
  CCM: None known.