Integrity via Encryption with Redundancy  Question: Encryption is not ideal for authentication. But, can we gain security advantages if we add recognizable.

Slides:



Advertisements
Similar presentations
ECE454/CS594 Computer and Network Security
Advertisements

Off-the-Record Communication, or, Why Not To Use PGP
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
Security Definitions in Computational Cryptography
CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 CIS 5371 Cryptography 4. Collision Resistant Hash Functions B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
Cryptography The science of writing in secret code.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 456 Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Dr Alejandra Flores-Mosri Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
CIS 5371 Cryptography Introduction.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Class 2 Cryptography Refresher CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.
Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur.
CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.
A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall A: Foundations of Security and Privacy.
TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
Lecture 2: Introduction to Cryptography
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Tae-Joon Kim Jong yun Jun
1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 
Cryptography Lecture 9 Arpita Patra © Arpita Patra.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.
- Richard Bhuleskar “At the end of the day, the goals are simple: safety and security” – Jodi Rell.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 12.
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016.
Symmetric Cryptography
Cryptographic Hash Function
Authenticated encryption
Topic 11: Authenticated Encryption + CCA-Security
Semantic Security and Indistinguishability in the Quantum World
Cryptography Lecture 12.
Cryptography Basics and Symmetric Cryptography
Workshop on algorithms and parameters for Electronic Signatures draft ETSI TS V ( ) November 25, Brussels.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Cryptography Lecture 11.
Cryptography Lecture 12.
Topic 13: Message Authentication Code
Cryptography Lecture 11.
Secret-Key Encryption
Presentation transcript:

Integrity via Encryption with Redundancy  Question: Encryption is not ideal for authentication. But, can we gain security advantages if we add recognizable redundancy to the plaintext (e.g., counters), or plaintext has some structure?  Answer is NO, given by Jee Hean and Mihir Bellare [2].  UF-NMA (Unforgeable Non-malleable Message Attack) 1

Integrity via Encryption with Redundancy (Cont’)  Integrity only with encryption is impossible with public redundancy Any code known by adversary such as message structure and counter This is valid even with strongest IND-CCA definition  If encryption mechanism is IND-CPA, even with secret redundancy (e.g., a random number only know by parties), integrity via enc. is impossible  Traditional encryption modes (as are) only achieve IND-CPA, and therefore they cannot achieve integrity with encryption even with secret redundancy  Modified encryption modes such as NCBC [2] can achieve the integrity with only secret redundancy, where NCBC uses two distinct private key set and redundancy code is AXU (almost XOR Universal).  This is as costly as using a separate MAC mechanism 2

Conclusion on the integrity via encryption with redundancy  Traditional encryption modes cannot provide integrity via redundancy. This is valid even if redundancy code is kept secret  Modified encryption modes achieving NM-CPA, which is equivalent to IND-CCA, can achieve integrity via redundancy, provided that redundancy function relies on a private key and it is AXU  The computational/storage efficiency of using a MAC in addition to the encryption is close to the above NM-CPA type methods  Overall, authentication and integrity must be provided by traditional MACs, which are much better understood than the above alternatives 3

The order of encryption and authentication  We concluded that integrity and authentication must be provided with MACs for symmetric encryption. But, what is the correct order? Three most common approaches are as follows:  k is private key, m is the message  Authenticate-then-encrypt (AtE): t=MAC(k,m), c=Enc(k,m||t), transmit c This is used in some modes of SSL  Encrypt-then-authenticate (EtA): c=Enc(k,m), t=MAC(k,c), transmit (c,t) This is used in IPSec  Encrypt-and-Authenticate(E&A): c=Enc(k,m), t=MAC(k,m), transmit (c,t) This is used in some modes of SSH  Hugo Krawczky analyzed these constructions in [4] and provided definitive results. 4

The order of encryption and authentication (Cont’)  Given that MAC is EU-CMA secure and Enc is IND-CPA secure:  The generic AtE constructions are insecure: This result is important and directly affects any SSL implementation in this form. The result is still valid even a perfect MAC (stronger than EU-CMA) is used. Some special cases of AtE (with special encryption modes) can be secure. That is, AtE with CBC in SSL is shown to be secure. But, still, this is not a preferred way.  The generic A&E constructions are insecure: This result applies some implementations of SSH. The principles behind of the attacks are similar to the case of AtE.  The generic EtA (Encrypt-then-authenticate) constructions are secure: Any secure channels protocol designed to work with any combination of IND- CPA symmetric cipher and EU-CMA MAC must use EtA method [4]. 5

References  [1] Power point slides # 7 and # 9 from Anumap Datta, CMU: 18739A, Foundations of Security and Privacy, Fall  [2] An, J.H., Bellare, M.: Does Encryption with Redundancy Provide Authenticity? In: Pfitzmann, B. (ed.) EUROCRYPT LNCS, vol. 2045, pp. 512–528. Springer, Heidelberg (2001)  [3] Introduction to Modern Cryptography, Jonathan Katz and Yehuda Lindell,  [4] Hugo Krawczyk: The order of encryption and authentication for protecting communications (Or: How to secure SSL?), Eurocrypt