Authenticated Encryption


1 Authenticated Encryption
Instructor: Mohammad Sadeq Dousti

2 Copyright Notice This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as: they credit the original author(s); their work is used non-commercially; they license their work under CC BY-NC-SA 4.0. For further information, please consult: sa/4.0/legalcode

3 Outline Definitions Generic Constructions Modes of Operations Dedicated to AE Secure Communication Systems

4 Definitions

5 Introduction It is best practice to always ensure secrecy and integrity by default in the private-key setting. Indeed, in many applications where secrecy is required it turns out that integrity is essential also. A lack of integrity can sometimes lead to a breach of secrecy. We will define an encryption scheme that provides both secrecy and integrity. This is called an “authenticated encryption” (AE) scheme.

6 Definitional options
Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a private-key encryption scheme. In order for Π to satisfy the requirements of an AE scheme, it should be: IND-CCA2 secure. We are explicitly considering an active adversary who can modify the data sent from one honest party to the other. (Recall malleability!) UF-CMA secure. Since Π does not satisfy the syntax of a MAC, we introduce a definition specific to this case (next slide).

7 Unforgeable encryption
A private-key encryption scheme Π is unforgeable if for every efficient 𝒜, there is a negligible function negl such that: $\Pr[\mathrm{Enc\text{-}Forge}^{\mathrm{cma}}_{\mathcal{A},\Pi}(n) = 1] \le \mathrm{negl}(n)$.

8 IND-CCA2 security vs. unforgeability
We know that IND-CCA2 security is equivalent to non-malleability. Non-malleability: informally, given an encryption E(m) of some unknown message m, it should be hard to transform this ciphertext into some encryption E(m′) of a related message m′. Isn’t this the same requirement as unforgeability?! No! Example: recall that if F is a strong PRP, then $\mathrm{Enc}_K(m) = F_K(m \,\|\, r)$ is IND-CCA2 secure. But, obviously, it is not unforgeable!

9 Generic Constructions

10 Naively combining encryption and MAC
It may be tempting to think that any reasonable combination of a secure encryption scheme and a secure MAC should result in an AE scheme. However, this is not the case! This demonstrates that even secure cryptographic tools can be combined in such a way that the result is insecure, and highlights once again the importance of definitions and proofs of security. On the positive side, we show how encryption and message authentication can be combined properly to achieve joint secrecy and integrity.

11 Setup
Let $\Pi_E = (\mathrm{Enc}, \mathrm{Dec})$ be an IND-CPA secure encryption scheme. Let $\Pi_M = (\mathrm{Mac}, \mathrm{Vrfy})$ denote a UF-CMA secure MAC. In both cases, $\mathrm{Gen}(1^n)$ simply outputs a uniform n-bit key: $k_E$ for $\Pi_E$ and $k_M$ for $\Pi_M$. We assume that $k_E$ and $k_M$ are generated independently. Independent cryptographic keys should always be used when different schemes are combined. We return to this point later.

12 Three natural ways to combine $\Pi_E$ and $\Pi_M$
Encrypt-and-authenticate (E&A): Enc and Mac are both applied to m (used in SSH). Authenticate-then-encrypt (AtE): Mac is applied to m, then Enc to m ∥ t (used in SSL). Encrypt-then-authenticate (EtA): Enc is applied to m, then Mac to the ciphertext c (used in IPsec). [Diagram of the three compositions not reproduced in this transcript.]

13 Encrypt-and-authenticate (E&A)
In this method, encryption and message authentication are computed independently in parallel. That is, given a plaintext message m, the sender transmits the ciphertext ⟨c, t⟩ where $c \leftarrow \mathrm{Enc}_{K_E}(m)$ and $t \leftarrow \mathrm{Mac}_{K_M}(m)$. The receiver decrypts c to recover m. Assuming no decryption error occurred, it then verifies the tag t. If $\mathrm{Vrfy}_{K_M}(m, t) = 1$, the receiver outputs m; otherwise, it outputs an error.

14 Authenticate-then-encrypt (AtE)
Here a MAC tag t is first computed, and then the message and tag are encrypted together. That is, given a message m, the sender transmits the ciphertext c computed as: $t \leftarrow \mathrm{Mac}_{K_M}(m)$ and $c \leftarrow \mathrm{Enc}_{K_E}(m \,\|\, t)$. The receiver decrypts c to obtain m ∥ t. Assuming no decryption error occurs, it then verifies the tag t. As before, if $\mathrm{Vrfy}_{K_M}(m, t) = 1$, the receiver outputs m; otherwise, it outputs an error.

15 Encrypt-then-authenticate (EtA)
In this case, the message m is first encrypted and then a MAC tag is computed over the result. That is, the ciphertext is the pair ⟨c, t⟩ where $c \leftarrow \mathrm{Enc}_{K_E}(m)$ and $t \leftarrow \mathrm{Mac}_{K_M}(c)$. If $\mathrm{Vrfy}_{K_M}(c, t) = 1$, then the receiver decrypts c and outputs the result; otherwise, it outputs an error.

16 Analysis approach We analyze each of the above approaches when they are instantiated with “generic” secure components. That is, an arbitrary CPA-secure encryption scheme and an arbitrary (strongly) secure MAC. We want an approach that provides joint secrecy and integrity when using any (secure) components, and we will therefore reject as “unsafe” any approach for which there exists even a single counterexample of a secure encryption scheme/MAC for which the combination is insecure. This “all-or-nothing” approach reduces the likelihood of implementation flaws.

17 Analysis of E&A
$c \leftarrow \mathrm{Enc}_{K_E}(m)$ and $t \leftarrow \mathrm{Mac}_{K_M}(m)$. This is the least secure approach. In general, $\mathrm{Mac}_K(m)$ can reveal some information about m. We can even construct a MAC where the tag reveals m in its entirety: $\mathrm{Mac}'_K(m) = m \,\|\, \mathrm{Mac}_K(m)$. Furthermore, if $\mathrm{Mac}_K(\cdot)$ is deterministic, the combination is not even IND-CPA secure: 𝓐 requests the encryption of m0 and receives ⟨c, t⟩. 𝓐 outputs m0 and m1 and receives the challenge ⟨c*, t*⟩. 𝓐 outputs 0 if t* = t, and outputs 1 otherwise.

18 Analysis of AtE
$t \leftarrow \mathrm{Mac}_{K_M}(m)$ and $c \leftarrow \mathrm{Enc}_{K_E}(m \,\|\, t)$. This combination also does not necessarily yield an authenticated encryption scheme. However, proving insecurity is much more subtle. Examples of practical attacks include: padding oracle attacks; recent (2010–2012) attacks on several web frameworks, including JavaServer Faces, Ruby on Rails and ASP.NET; the POODLE attack on TLS (2014). For further information, see: POODLE: Padding Oracle On Downgraded Legacy Encryption. On the other hand, AtE can be proven secure for specific constructions. Examples: when E is CBC-mode encryption; when E is CTR-mode encryption (in this case, a one-time MAC suffices).

19 Analysis of EtA
$c \leftarrow \mathrm{Enc}_{K_E}(m)$ and $t \leftarrow \mathrm{Mac}_{K_M}(c)$. This approach is sound, as long as the MAC is strongly secure. That is, the adversary against the MAC scheme has access to both $\mathrm{Mac}_K(\cdot)$ and $\mathrm{Vrfy}_K(\cdot)$. Strong UF-CMA security of the MAC ensures that an adversary will be unable to generate any valid ciphertext that it did not receive from its encryption oracle. This immediately implies that the combination is unforgeable.

20 Analysis of EtA (Cont’d)
As for CCA-security, the MAC computed over the ciphertext has the effect of rendering the decryption oracle useless. This is because for every ciphertext ⟨c, t⟩ the adversary submits to its decryption oracle, it: either already knows the decryption (if it received ⟨c, t⟩ from its own encryption oracle), or else can expect the result to be an error (since the adversary cannot generate any new, valid ciphertexts). This intuition can be proven formally; see the corresponding theorem in [KL14, p. 136].

21 The need for independent keys
While the EtA combination is secure when $K_E$ and $K_M$ are independent, it can be totally insecure if they are dependent. Example: let $K_E = K_M = K$, where K is a uniform n-bit key. Let F be a strong PRP. Define $\mathrm{Enc}_K(m) = F_K(m \,\|\, r)$, which is IND-CCA2 secure. Define $\mathrm{Mac}_K(c) = F_K^{-1}(c)$, which is UF-CMA secure. Applying the EtA combination, the tag becomes $t = F_K^{-1}(F_K(m \,\|\, r)) = m \,\|\, r$, so we see that it sends m in the clear!

22 Modes of Operations Dedicated to AE

23 Standards (at a high level)
GCM: CTR-mode encryption then CW-MAC (EtA); accelerated via Intel’s PCLMULQDQ instruction. CCM: CBC-MAC then CTR-mode encryption (AtE); used in IEEE 802.11i. EAX: CTR-mode encryption then CMAC (EtA). All are nonce-based. All support AEAD (AE with Associated Data): the associated data is authenticated but not encrypted, while the payload data is both encrypted and authenticated.

24 An example API (OpenSSL)
int AES_GCM_Init(AES_GCM_CTX *ain, unsigned char *nonce, unsigned long noncelen, unsigned char *key, unsigned int klen)
int AES_GCM_EncryptUpdate(AES_GCM_CTX *a, unsigned char *aad, unsigned long aadlen, unsigned char *data, unsigned long datalen, unsigned char *out, unsigned long *outlen)
Moral: Don’t reinvent the wheel!

25 OCB: a direct construction from a PRP
More efficient AE: Only one PRP per block. Unfortunately, not in wide use due to patent issues.

26 Performance Benchmark figures taken from Crypto++ 5.6.0 [Wei Dai]; the table is not reproduced in this transcript.

27 Secure Communication Systems

28 Introduction We briefly describe the application of AE to the setting of two parties who wish to communicate “securely”— namely, with joint secrecy and integrity—over the course of a communication session. A communication session is simply a period of time during which the communicating parties maintain state. In our treatment here we are deliberately informal. A formal definition is quite involved, and this topic arguably lies more in the area of network security than cryptography.

29 Setup
Let $\Pi = (\mathrm{Enc}, \mathrm{Dec})$ be an AE scheme. Consider two parties A and B who share a key k and wish to use this key to secure their communication over the course of a session. The obvious thing to do here is to use Π: whenever, say, A wants to transmit a message m to B, it computes $c \leftarrow \mathrm{Enc}_k(m)$ and sends c to B. In turn, B decrypts c to recover the result (ignoring the result if decryption returns ⊥). Likewise, the same procedure is followed when B wants to send a message to A. This simple approach, however, does not suffice, as there are various potential attacks.

30 Potential attacks (1)
Re-ordering attack: An attacker can swap the order of messages. For example: A transmits c1 (an encryption of m1) and subsequently transmits c2 (an encryption of m2). An attacker who has some control over the network can deliver c2 before c1 and thus cause B to output the messages in the wrong order. This causes a mismatch between the two parties’ views of their communication session.

31 Potential attacks (2) Replay attack: An attacker can replay a (valid) ciphertext c sent previously by one of the parties. Again, this causes a mismatch between what is sent by one party and received by the other. Reflection attack: An attacker can take a ciphertext c sent from A to B and send it back to A. This again can cause a mismatch between the two parties’ transcripts of their communication session. A may output a message m, even though B never sent such a message.

32 Preventing the attacks
Fortunately, the above attacks are easy to prevent using counters to address the first two and a directionality bit to prevent the third. In practice, the issue of directionality is often solved by simply having separate keys for each direction: the parties use a key $k_A$ for messages sent from A to B, and a different key $k_B$ for messages sent from B to A.

33 Preventing the attacks (Cont’d)
Each party maintains two counters: $\mathrm{ctr}_{A,B}$ keeps track of the number of messages sent from A to B during the session; $\mathrm{ctr}_{B,A}$ is defined similarly for messages sent from B to A during the session. These counters are initialized to 0 and incremented each time a party sends or receives a (valid) message. The parties also agree on a bit $b_{A,B}$, and define $b_{B,A}$ to be its complement. One way to do this is to set $b_{A,B} = 0$ iff the identity of A is lexicographically smaller than the identity of B.

34 Preventing the attacks (Cont’d)
When A wants to transmit a message m to B, he computes the ciphertext $c \leftarrow \mathrm{Enc}_K(b_{A,B} \,\|\, \mathrm{ctr}_{A,B} \,\|\, m)$ and sends c. He then increments $\mathrm{ctr}_{A,B}$. Upon receiving c, party B decrypts; if the result is ⊥, he immediately rejects. Otherwise, B parses the decrypted message as $b \,\|\, \mathrm{ctr} \,\|\, m$. If $b = b_{A,B}$ and $\mathrm{ctr} = \mathrm{ctr}_{A,B}$, then B outputs m and increments $\mathrm{ctr}_{A,B}$. Otherwise, B rejects. The above steps, with the necessary changes, are applied when B sends a message to A. Since the parties are anyway maintaining state (namely, the counters), they could easily use a stateful AE scheme Π.
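The EtA construction of slides 15 and 19–20 and the stateful session of slides 33–34, carried through as an added Python example (not code from the slides or from [KL14]). Assumptions: HMAC-SHA256 stands in for the block cipher both as the PRF driving CTR mode and as the MAC, with independent keys K_E and K_M; the Party class and run_attacks are names chosen here, and the messages are constructed samples.

```python
import hashlib, hmac, os, struct

def _keystream(k_e, nonce, n):
    # CTR mode with HMAC-SHA256 as the PRF F: F_K(nonce||0) || F_K(nonce||1) || ...
    blocks = (hmac.new(k_e, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(k_e, k_m, m):
    # EtA: c <- Enc_{K_E}(m), then t <- Mac_{K_M}(c); the ciphertext is <c, t>
    nonce = os.urandom(16)
    c = nonce + bytes(x ^ y for x, y in zip(m, _keystream(k_e, nonce, len(m))))
    return c + hmac.new(k_m, c, hashlib.sha256).digest()

def dec(k_e, k_m, ct):
    # Verify the tag over c first; decrypt only if Vrfy_{K_M}(c, t) = 1, else return None (bottom)
    c, t = ct[:-32], ct[-32:]
    if len(c) < 16 or not hmac.compare_digest(hmac.new(k_m, c, hashlib.sha256).digest(), t):
        return None
    return bytes(x ^ y for x, y in zip(c[16:], _keystream(k_e, c[:16], len(c) - 16)))

class Party:  # session state of slides 33-34: direction bit b_{A,B} and the two counters
    def __init__(self, name, peer, k_e, k_m):
        self.k_e, self.k_m = k_e, k_m
        self.b_send = 0 if name < peer else 1  # b_{A,B} = 0 iff A is lexicographically smaller
        self.ctr_send, self.ctr_recv = 0, 0
    def send(self, m):
        # c <- Enc_K(b || ctr || m), then increment the send counter
        header = bytes([self.b_send]) + struct.pack(">Q", self.ctr_send)
        self.ctr_send += 1
        return enc(self.k_e, self.k_m, header + m)
    def recv(self, ct):
        pt = dec(self.k_e, self.k_m, ct)
        if pt is None or len(pt) < 9:
            return None
        b, ctr, m = pt[0], struct.unpack(">Q", pt[1:9])[0], pt[9:]
        if b != 1 - self.b_send or ctr != self.ctr_recv:  # wrong direction or counter: reject
            return None
        self.ctr_recv += 1
        return m

def run_attacks(k_e, k_m):
    # Returns (honest delivery ok, re-ordering, replay, reflection and tampering all rejected)
    alice, bob = Party("alice", "bob", k_e, k_m), Party("bob", "alice", k_e, k_m)
    c1, c2 = alice.send(b"m1"), alice.send(b"m2")            # constructed sample messages
    reorder = bob.recv(c2) is None                            # c2 delivered before c1
    ok = bob.recv(c1) == b"m1" and bob.recv(c2) == b"m2"      # honest in-order delivery
    replay, reflect = bob.recv(c1) is None, alice.recv(c1) is None  # c1 again; c1 sent back to A
    tamper = dec(k_e, k_m, c1[:16] + bytes([c1[16] ^ 1]) + c1[17:]) is None  # one bit flipped
    return ok, reorder, replay, reflect, tamper
```

Because the tag is checked before any decryption, a modified ciphertext never reaches the CTR layer, which is exactly why the EtA decryption oracle is useless to an IND-CCA2 adversary.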

35 References Section 4.5 of [KL14].
[KL14] J. Katz & Y. Lindell. “Introduction to Modern Cryptography: Principles and Protocols,” 2nd Edition, CRC Press, 2014. [Bon12] D. Boneh. “Authenticated Encryption,” Online Cryptography Course. Available from university.s3.amazonaws.com/stanford-crypto/slides/07-authenc-v2-annotated.pdf.
