Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 1 OCB Mode Phillip Rogaway Department of Computer Science UC Davis + CMU

Published byMelinda Dean Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 1 OCB Mode Phillip Rogaway Department of Computer Science UC Davis + CMU"— Presentation transcript:

1 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 1 OCB Mode Phillip Rogaway Department of Computer Science UC Davis + CMU rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/~rogaway +66 1 530 7620 +1 530 753 0987 802.11 Presentation – Security (TG i) - Portland, Oregon

2 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 2 What am I? A cryptographer (MIT  IBM  UCD) Practice-oriented provable security – 1993  present. Research program jointly envisioned with M. Bellare Approach applied to many cryptographic problems Work picked up in various standards & draft standards: (OEAP, DHIES, PSS, PSS-R) by (ANSI, IEEE, ISO, PKCS, SECG) What am I not ? An expert in networking A businessman An attorney

3 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 3 Two Cryptographic Goals Privacy What the Adversary sees tells her nothing of significance about the underlying message M that the Sender sent Authenticity The Receiver is sure that the string he receives was sent (in exactly this form) by the Sender Authenticated Encryption Achieves both privacy and authenticity

4 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 4 You may or may not care about privacy, but you almost certainly care about authenticity: without it, an adversary can completely disrupt the operation of the network. The authenticity risk is higher in a wireless environment, as the adversary can easily inject her own packets. Standard privacy methods do not provide authenticity, and simple ways to modify them (eg, “add redundancy then encrypt”) don't work. Authenticity is Essential

5 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 5 Generic Composition Usually called a Message Authentication Code ( MAC ) Glue together an Encryption scheme + Message Integrity Code (MIC) Traditional approach to authenticated encryption Folklore approach. See [Bellare, Namprempre] and [Krawczyk] for analysis.

6 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 6 Generically Compose What? Encryption MIC RC4 CBC-AES CTR-AES CBCMAC-AES A new MMH- or NMH- based MIC UMAC-AES

7 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 7 Characteristics of these Algorithms RC4 + Good SW speed (on a reliable transport). Existing HW support - PRG: Applicable only over a reliable transport (how is this in WAP?) Serious attacks by [Fluhrer, McGrew], [Mantin, Shamir], [Fluhrer, Mantin, Shamir] CBC-AES, CTR-AES + Well-known modes. Provable security (if careful) - Possible concern about the newness of AES. Often misused CBCMAC-AES + Well-known mode. Provable security. OK in SW/HW - Same speed as CBC-AES, CTR-AES. Often misused. UMAC-AES+ Amazing SW speed on SIMD processors - Complex. Bad for dedicated HW. Slow key setup Several parameters. Proof of final version unpublished new MMH/NMH MIC + Good SW speed. Simpler than UMAC possible - Slow key setup. Major design undertaking

8 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 8 Generic Composition: Conclusion At this point in time, in this application domain, CBC-AES / CTR-AES + CBCMAC-AES is the natural approach for generic composition Cost of the above, in SW P3: about: 16 cpb + 16 cpb = 32 cpb Eg: 54 Mb/s, 1GHz processor  22 % of processor People hate paying 2  the cost to encrypt

9 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 9 Trying to do Better Numerous attempts to make privacy + authenticity cheaper. One approach: stick with generic composition, but find cheaper privacy algorithm and cheaper authenticity algorithms. Make authenticity an “incidental” adjunct to privacy within a conventional-looking mode. CBC-with-various-checksums (wrong) PCBC in Kerberos (wrong) [Gligor, Donescu 99] (wrong) [Jutla - Aug 00] First correct solution Jutla described two modes, IACBC and IAPM. A lovely start, but major improvements possible. OCB: IAPM after an enormous amount of “re-engineering” to get more desirable characteristics.

10 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 10 What is OCB? Authenticated-encryption: privacy + authenticity in one shot Uses any block cipher (you’d use AES) Computational cost  cost of CBC Good in SW or HW (since AES is) Lots of nice characteristics designed in:  |M| / 128  + 2 block-cipher calls to encrypt M Uses any nonce (needn’t be unpredictable) Works on messages of any length Creates minimum length ciphertext Uses only a single AES key, each AES keyed with it Quick key setup – suitable for single-message sessions Essentially endian-neutral Fully parallelizable Provably secure: if you break OCB-AES you’ve broken AES

11 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 11 Diagram of OCB

12 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 12 Pseudocode for OCB-AES algorithm OCB-Encrypt K (Nonce, M) L(0) = AES K (0) L(-1) = lsb(L(0))? (L(0) >> 1)  Const43 : (L(0) >>1) for i = 1 to 7 do L(i) = msb(L(i-1))? (L(i) << 1)  Const87 : (L(i-1) <<1) Partition M into M[1]... M[m] // each 128 bits, except M[m] may be shorter Offset = AES K (Nonce  L(0)) for i=1 to m-1 do Offset = Offset  L(ntz(i)) C[i] = AES K (M[i]  Offset)  Offset Offset = Offset  L(ntz(m)) Pad = AES K (len(M[m])  Offset  L(-1)) C[m] = M[m]  (first | M[m] | bits of Pad) Checksum = M[1] ...  M[m-1]  C[m]0*  Pad Tag = first t bits of AES K (Checksum  Offset) return C[1]... C[m] || Tag

13 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 13 Why I like OCB Ease-of-correct-use. Reasons: all-in-one approach; any type of nonce; parameterization limited to block cipher and tag length Aggressively optimized:  optimal in many dimensions: key length, ciphertext length, key setup time, encryption time, decryption time, available parallelism; SW characteristics; HW characteristics; … Simple but sophisticated Ideal setting for practice-oriented provable security

14 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 14 More on Provable Security Provable security begins with [Goldwasser, Micali 82]. Despite the name, one doesn’t really prove security Instead, one gives reductions: theorems of the form If a certain primitive is secure then the scheme based on it is secure For us: If AES is a secure block cipher then OCB-AES is a secure authenticated-encryption scheme Equivalently: If some adversary A does a good job at breaking OCB-AES then some comparably efficient B does a good job to break AES Actual theorems quantitative: they measure how much security is “lost” across the reduction.

15 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 15 OCB Theorem Suppose there is an adversary A that breaks the privacy or the authenticity of OCB-E (where E is an n-bit block cipher) with: time = t total-number-of-blocks =  advantage =  Then there is an adversary B that breaks block cipher E with: time  t number-of-queries   advantage   – 1.5  2 / 2 n (Informal version) Breaking the privacy of OCB-E: The ability to distinguish OCB-E encrypted strings from random strings.. Breaking the authenticity of OCB-E: The ability to produce a forged ciphertext. Breaking the block cipher E: The ability to distinguish E K,E K -1 from ,  -1

16 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 16 Assembly Speed Data from Helger Lipmaa www.tcs.hut.fi/~helger helger@tcs.hut.fi OCB 16.9 cpb (271 cycles) CBC 15.9 cpb (255 cycles) CBCMAC 15.5 cpb (248 cycles) 6.5 % slower The above data is for 1 Kbyte messages. Code is pure Pentium 3 assembly. The block cipher is AES-128. Overhead so small that AES with a C-code CBC wrapper is slightly more expensive that AES with an assembly OCB wrapper. // Best Pentium AES code known. Helger’s code is for sale, btw.

17 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 17 C-Language Speed Data courtesy of Jesse Walker, Intel

18 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 18 Do I have a Patent? Yes, I did file patent applications covering OCB (12 Oct 00, 9 Feb 01) I will license the resulting patent(s) under fair and reasonable terms Letter of Assurance provided to the IEEE (3 May 01). If you want something more or different in the letter, just let me know. My commitment goes well beyond the IEEE policy: - Public pricing, public license agreement - One-time fee (paid-in-full license) - I’d be happy to provide you a letter to that effect - I am committed to making this simple and easy for everyone - For further info, see the “Licensing” on the OCB web page

19 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 19 At present: No. In the future: No way to know. Do keep in mind the proviso from slide 2: I’m not a lawyer! Jutla / IBM Has patent filing before me, including IAPM IAPM does resemble OCB. But there are major differences which might have made it difficult to make claims for IAPM that read against OCB. Asked if they have pending claims that would touch on OCB, IBM answers that can not answer such a question. My conclusion: IBM could come to hold a relevant patent, if their attorneys were lucky or insightful. Does Any Else Have a Patent OCB Would Infringe Upon?

20 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 20 Does Anyone Else Have a Patent, cont Gligor/VDG Has patent filings before me and IBM. [GD, Aug 00] has an authenticated-encryption scheme, XCBC, but it does not resemble OCB. Subsequent versions incorporated ideas apparently from [J] and me. No reason to suspect that Gligor knew such methods before. I know of no idea from [GD] that I used in OCB. My conclusion: I consider it unlikely that Gligor/VDG will come to hold a valid patent that reads against OCB. My overall conclusion A company would be behaving with appropriate diligence to license from me - and no one else - at this time. The IEEE would be behaving with appropriate diligence to request patent-assurance letters from IBM and VDG, just in case.

21 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 21 Risks People Worry About Dealing with three parties - This committee: easy, request two more letters. Companies: possibility of future IP claimants not new, not too threatening here. Dealing with an individual - But I’m easy to reach, often rational, and obviously not too motivated by $ or I wouldn’t be a university professor! Scheme has changed, could change again - Oct 16 snapshot clearly marked “Preliminary”. Actual OCB (Apr 1) has not and will not change. Good schemes last forever. Scheme is new, scheme is buggy - Obviated by provable security. Definition certainly OK. Buggy proof? Has gotten a lot of scrutiny, currently getting more. Scheme ok but something else goes haywire - Application domain makes very unlikely. OCB easier to correctly use than generic composition. First on the block, publicity-attack - If comfortable with correctness, probably not a concern. 802.11 Not trying to innovate, not considering ad hoc methods. NIST does something else - I believe that if NIST standardizes an auth enc scheme it will be OCB. But they might do nothing. If you care, mail them: EncryptionModes@nist.gov

22 doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 22 For More Information OCB web page  www.cs.ucdavis.edu/~rogaway Contains a FAQ, papers, reference code, IP letter, … My email address and phone numbers on cover slide & web page Upcoming talks: - NIST modes-of-operation workshop (Aug 24, Santa Barbara) - MIT TOC/Security seminar (Oct ??, Cambridge) - ACM CCS conference (Nov 5-8, Philadelphia) Grab me now or at CRYPTO (Aug 20-23) Anything Else ???

Download ppt "Doc.: IEEE 802.11-01/378 Submission July 2001 Phillip RogawaySlide 1 OCB Mode Phillip Rogaway Department of Computer Science UC Davis + CMU"

Similar presentations

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California,

A Block-Cipher Mode of Operation for Parallelizable Message Authentication John Black University of Nevada, Reno, USA Phillip Rogaway University of California,
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Slide 1 OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis

Slide 1 OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Similar presentations

Ads by Google