Integrity via Encryption with Redundancy  Question: Encryption is not ideal for authentication. But, can we gain security advantages if we add recognizable.


1 Integrity via Encryption with Redundancy
- Question: Encryption is not ideal for authentication. But can we gain security advantages if we add recognizable redundancy to the plaintext (e.g., counters), or if the plaintext has some structure?
- The answer is NO, as shown by Jee Hea An and Mihir Bellare [2].
- UF-NMA (Unforgeable Non-malleable Message Attack)

2 Integrity via Encryption with Redundancy (Cont'd)
- Integrity with encryption alone is impossible with public redundancy
  - Public redundancy is any code known by the adversary, such as message structure or a counter
  - This is valid even with the strongest definition, IND-CCA
- If the encryption mechanism is IND-CPA, integrity via encryption is impossible even with secret redundancy (e.g., a random number known only by the parties)
- Traditional encryption modes (as they are) only achieve IND-CPA, and therefore they cannot achieve integrity via encryption even with secret redundancy
- Modified encryption modes such as NCBC [2] can achieve integrity with only secret redundancy, where NCBC uses two distinct private keys and the redundancy code is AXU (almost XOR universal)
  - This is as costly as using a separate MAC mechanism

3 Conclusion on integrity via encryption with redundancy
- Traditional encryption modes cannot provide integrity via redundancy. This is valid even if the redundancy code is kept secret
- Modified encryption modes achieving NM-CPA, which is equivalent to IND-CCA, can achieve integrity via redundancy, provided that the redundancy function relies on a private key and is AXU
- The computational/storage efficiency of using a MAC in addition to the encryption is close to that of the above NM-CPA type methods
- Overall, authentication and integrity must be provided by traditional MACs, which are much better understood than the above alternatives

4 The order of encryption and authentication
- We concluded that integrity and authentication must be provided with MACs for symmetric encryption. But what is the correct order? The three most common approaches are as follows:
- k is the private key, m is the message
- Authenticate-then-encrypt (AtE): t=MAC(k,m), c=Enc(k,m||t), transmit c
  - This is used in some modes of SSL
- Encrypt-then-authenticate (EtA): c=Enc(k,m), t=MAC(k,c), transmit (c,t)
  - This is used in IPSec
- Encrypt-and-authenticate (E&A): c=Enc(k,m), t=MAC(k,m), transmit (c,t)
  - This is used in some modes of SSH
- Hugo Krawczyk analyzed these constructions in [4] and provided definitive results.

5 The order of encryption and authentication (Cont'd)
- Given that the MAC is EU-CMA secure and Enc is IND-CPA secure:
- The generic AtE constructions are insecure:
  - This result is important and directly affects any SSL implementation in this form.
  - The result is still valid even if a perfect MAC (stronger than EU-CMA) is used.
  - Some special cases of AtE (with special encryption modes) can be secure. That is, AtE with CBC in SSL is shown to be secure. But, still, this is not a preferred way.
- The generic E&A constructions are insecure:
  - This result applies to some implementations of SSH.
  - The principles behind the attacks are similar to the case of AtE.
- The generic EtA (Encrypt-then-authenticate) constructions are secure:
  - Any secure channel protocol designed to work with any combination of IND-CPA symmetric cipher and EU-CMA MAC must use the EtA method [4].
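Added example (not part of the original slides): the two receivers discussed above, one that trusts public redundancy inside the plaintext and one that uses EtA, are given the same one-byte in-transit change to a ciphertext. Assumptions: HMAC-SHA256 is the MAC, a toy stream cipher built from HMAC-SHA256 in counter mode stands in for an IND-CPA cipher, independent keys `k_enc` and `k_mac` are used where the slide writes a single k, and the message and redundancy values are constructed.

```python
import hashlib, hmac, os

REDUNDANCY = b"\x00\x00\x00\x2a"  # constructed public redundancy (a known counter value)

def _stream(key, nonce, n):
    # Stand-in IND-CPA cipher (assumption): HMAC-SHA256 as a PRF in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(key, m):
    nonce = os.urandom(16)  # fresh nonce per message
    return nonce + bytes(a ^ b for a, b in zip(m, _stream(key, nonce, len(m))))

def dec(key, c):
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def redundancy_open(key, c):
    # Encryption-with-redundancy receiver: accept iff the trailer matches.
    p = dec(key, c)
    return p[:-4] if p[-4:] == REDUNDANCY else None

def eta_seal(k_enc, k_mac, m):
    # EtA from the slide: c = Enc(k, m), t = MAC(k, c), transmit (c, t).
    c = enc(k_enc, m)
    return c, hmac.new(k_mac, c, hashlib.sha256).digest()

def eta_open(k_enc, k_mac, c, t):
    # Verify the tag over the ciphertext first; decrypt only if it checks out.
    if not hmac.compare_digest(hmac.new(k_mac, c, hashlib.sha256).digest(), t):
        return None
    return dec(k_enc, c)

def alter(c, index, mask):
    # Model an in-transit change to one ciphertext byte (index is past the nonce).
    b = bytearray(c)
    b[16 + index] ^= mask
    return bytes(b)

def demo():
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    m = b"PAY 0100 USD"  # constructed sample message
    c_red = enc(k_enc, m + REDUNDANCY)
    c_eta, tag = eta_seal(k_enc, k_mac, m)
    return (redundancy_open(k_enc, alter(c_red, 4, 0x01)),  # accepted, but altered
            eta_open(k_enc, k_mac, alter(c_eta, 4, 0x01), tag),  # rejected
            eta_open(k_enc, k_mac, c_eta, tag))  # genuine message accepted

if __name__ == "__main__":
    print(demo())
```

The redundancy receiver returns a plaintext that differs from what was sent because the trailer bytes were untouched, while the EtA receiver rejects the altered ciphertext before decrypting it.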

6 References
- [1] PowerPoint slides #7 and #9 from Anupam Datta, CMU: 18739A, Foundations of Security and Privacy, Fall 2009.
- [2] An, J.H., Bellare, M.: Does Encryption with Redundancy Provide Authenticity? In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 512–528. Springer, Heidelberg (2001)
- [3] Jonathan Katz and Yehuda Lindell: Introduction to Modern Cryptography, 2008.
- [4] Hugo Krawczyk: The order of encryption and authentication for protecting communications (Or: How to secure SSL?), Eurocrypt 2001.

