Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Published byQuinn Matlock Modified over 10 years ago

Similar presentations

Presentation on theme: "Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University."— Presentation transcript:

1 Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University

2 Some Straw Men 2

3 TCP/IP (highly abstracted) packet Destination Machine TCP/IP Stack Webserver (port = 80) dest=80data Bob (port = 25) 3 Source

4 Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a Bob (port = 25) msg b k k IV 1, dest=25msg b IV 2, 4 Source

5 Example Tampering Attack Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a Eve (port = 25) msg b k IV 1, dest=25msg a IV 2, Eve can change destination (easy with CBC and rand IV) 5 k Source

6 Example Tampering Attack Encrypted with CBC and random IV encrypted packets with key k Destination Machine Webserver (port = 80) dest=80msg a Eve (port = 25) msg b k IV 1, dest=1026msg a IV 2, Active Attacker Eve can change destination (easy with CBC and rand IV) 6 k Source

7 How? 7 dest=80msg a IV 1, dest=1026msg a IV 2, CBC encryption: D(k, c[0]) ⨁ IV 1 = “dest=80” Attack: IV 2 = IV 1 ⨁ 000...80 ⨁ 000...1026 xor out “80” and xor in “1026” Eve

8 An Attack Using Only Network Access 8 Example: Remote terminal app where each keystroke encrypted with CTR mode IP HdrTCP Hdrcd Alice Bob 16 bit checksum keystroke ack if valid checksum, else nothing Answer: Homework Problem

9 The Story So Far Confidentiality: semantic security against a CPA attack – Examples: Using CBC with a PRP, AES Integrity: security against existential forgery – Examples: CBC-MAC, NMAC, PMAC, HMAC Now: security against tampering – Integrity + Confidentiality! 9

10 The lesson CPA security cannot guarantee security under active attacks. Integrity Only ✓ Secure MAC Integrity + Secrecy ✗ Secure MAC + Secure Cipher Integrity + Secrecy ✓ Authenticated Encryption 10

11 Motivating Question: Which is Best? E(k E, m||tag) S(k I, m) m Encryption Key = k E ; MAC key = k I Option 1: SSL (MAC-then-encrypt) mtagm S(k I, c)E(k E, m) m Option 2: IPsec (Encrypt-then-MAC) mmtag S(k I, m)E(k E, m) m Option 3: SSH (Encrypt-and-MAC) mmtag 11

12 Authenticated Encryption 12

13 An authenticated encryption system (E,D) is a cipher where As usual: E: K × M × N ⟶ C but D: K × C × N ⟶ M ∪{ ⊥ } Security: the system must provide – Semantic security under CPA attack, and – ciphertext integrity. The attacker cannot create a new ciphertext that decrypts properly. reject ciphertext as invalid 13

14 Chal.Adv A. kKkK c m 1  M c 1  E(k,m 1 ) b=1 if D(k,c) ≠ ⊥ and c  { c 1, …, c q } b=0 otherwise b m2m2, …, m q c2c2, …, c q Def: (E,D) has ciphertext integrity iff for all “ efficient ” A: Adv CI [A,I] = Pr [Chal. outputs 1] < ε 14 Ciphertext Integrity For b ={0,1}, define EXP(0) and EXP(1) as:

15 Authenticated Encryption Def: cipher (E,D) provides authenticated encryption (AE) if it is (1) semantically secure under CPA, and (2) has ciphertext integrity Counter-example: CBC with rand. IV does not provide AE – D(k, ⋅ ) never outputs ⊥, hence adv. always wins ciphertext integrity game 15

16 Implication 1: Authenticity Attacker cannot fool Bob into thinking a message was sent from Alice AliceBob k k m 1, …, m q c i = E(k, m i ) c Cannot create valid c ∉ { c 1, …, c q } ⇒ if D(k,c) ≠ ⊥ Bob guaranteed message is from someone who knows k (but could be a replay) Eve 16

17 Implication 2 Authenticated encryption ⇒ Security against chosen ciphertext attack 17

18 Chosen Ciphertext Attacks 18

19 Chosen Ciphertext Attacks Def: A CCA adversary has the capability to get ciphertexts of their choosing decrypted. 19 AliceBob k Eve k VPN c = E(k,m) m Eve sees c and m c’ m’ Don’t want them to learn m’... or even just whether an ACK occurred.

20 The Lunchtime CCA Attack 20 Alice’s Computer Encryption Program k Encrypted File 1 It’s Lunchtime! Encrypted File 2

21 The Lunchtime CCA Attack 21 Alice’s Computer Encryption Program k Eve’s Encrypted File 1 Eve’s Encrypted File 2 Encrypted File 1 Encrypted File 2 Eve

22 802.11b WEP: how not to do it k k m CRC(m) PRG( IV || k ) ciphertext IV 22 Answer: Homework

23 Chosen Ciphertext Security Adversaries Power: both CPA and CCA – Can obtain the encryption of arbitrary messages – Can decrypt ciphertexts of his choice Adversaries Goal: break semantic security 23

24 CCA Game Definition 24 Let ENC = (E,D) over (K,M,C). For b = {0,1}, define EXP(0) and EXP(1) b Chal. k  K Adv. b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i ) (2) CCA query: Ex: could query a changed c i

25 CCA Game Definition 25 Let ENC = (E,D) over (K,M,C). For b = {0,1}, define EXP(0) and EXP(1) b Chal. k  K Adv. b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i ) (2) CCA query: ENC = (E,D) is CCA secure iff the Adversary does not do statistically better than guessing.

26 Example: CBC is not CCA Secure 26 Chal. k  K b Adv. m 0, m 1 : |m 0 | = |m 1 |=1 c  E(k, m b ) = (IV, c[0]) c’ = (IV⨁1, c[0]) D(k, c’) = m b ⨁1 b learns b

27 Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure. 27 AE implies CCA security!

28 So What? Authenticated encryption assures security against: – A passive adversary (CPA security) – An active adversary that can even decrypt some ciphertexts (CCA security) Limitations: – Does not protect against replay – Assumes no other information other than message/ciphertext pairs can be learned. Timing attacks out of scope Power attacks out of scope... 28

29 AE Constructions Cipher + MAC = security 29

30 History Pre 2000: Crypto API’s provide separate MAC and encrypt primitives – Example: Microsoft Cryptographic Application Programming Interface (MS-CAPI) provided HMAC and CBC + IV – Every project had to combine primitives in their own way 2000: Authenticated Encryption – Bellare and Namprempre in Crypto, 2000 – Katz and Yung in FSE, 2000 30

31 Motivating Question: Which is Best? Encryption Key = k E ; MAC key = k I E(k E, m||tag) S(k I, m) m Option 1: SSL (MAC-then-encrypt) mtagm S(k I, c)E(k E, m) m Option 2: IPsec (Encrypt-then-MAC) mmtag S(k I, m)E(k E, m) m Option 3: SSH (Encrypt-and-MAC) mmtag ✓ Always Correct 31

32 Theorems Let (E,D) by a CPA secure cipher and (S,V) a MAC secure against existential forgery. Then: 1.Encrypt-then-MAC always provides authenticated encryption 2.MAC-then-encrypt may be insecure against CCA attacks – however, when (E,D) is rand-CTR mode or rand- CBC, MAC-then-encrypt provides authenticated encryption 32

33 Standards GCM:CTR mode encryption then CW-MAC CCM:CBC-MAC then CTR mode (802.11i) EAX:CTR mode encryption then CMAC All are nonce-based. All support Authenticated Encryption with Associated Data (AEAD). 33 Associated Data Encrypted Data Authenticated

34 An example API (OpenSSL) int AES_GCM_Init(AES_GCM_CTX *ain, unsigned char * nonce, unsigned long noncelen, unsigned char * key, unsigned int klen ) int AES_GCM_EncryptUpdate(AES_GCM_CTX *a, unsigned char * aad, unsigned long aadlen, unsigned char * data, unsigned long datalen, unsigned char * out, unsigned long *outlen) 34

35 MAC Security -- an explanation Recall: MAC security required an attacker given (m, t) couldn’t find a different t’ such that (m,t’) is a valid MAC Why? Suppose not: (m, t) ⟶ (m, t’) Then Encrypt-then-MAC would not have Ciphertext Integrity !! Chal. k  K b Adv. m 0, m 1 c  E(k, m b ) = (c 0, t) c’ = (c 0, t’ ) ≠ c D(k, c’ ) = m b b (c 0, t) (c 0, t’) 35

36 Performance AE CipherCode SizeSpeed (MB/sec) Raw CipherRaw Speed AES/GCMLarge108AES/CTR139 AES/CCMsmaller61AES/CBC109 AES/EAXsmaller61AES/CMAC109 AES/OCB*small129HMAC/SHA1147 36 * OCB mode may have patent issues. Speed extrapolated from Ted Kravitz’s results. From Crypto++ 5.6.0 [Wei Dai]

37 Summary Encrypt-then-MAC Provides integrity of CT Plaintext integrity If cipher is malleable, we detect invalid CT MAC provides no information about PT since it’s over the encryption MAC-then-Encrypt No integrity of CT Plaintext integrity If cipher is malleable, can change message w/o detection MAC provides no information on PT since encrypted 37 Encrypt-and-MAC No integrity on CT Integrity of PT can be verified If cipher is malleable, contents of CT can be altered; should detect at PT level May reveal info about PT in the MAC (e.g., MAC of same messages are the same)

38 Wrapup Authenticated Encryption – Chosen Ciphertext Attack (CCA) and CCA-secure ciphers – AE game = CCA + CPA secure Encrypt-then-MAC always right – Don’t roll your own 38

Download ppt "Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.

Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Similar presentations

Ads by Google