Authenticated encryption

Authenticated encryption

Dr. Enigma

Department of Electrical Engineering & Computer Science University of Central Florida

[email protected]

October 16th, 2013

Active attacks on CPA-secure

encryption

Summary

I confidentiality

encryption secure againsteavesdropping only

I integrity

MAC secure againstforging of messages

I this module

encryption secure against tampering

encrypt provides both confidentiality and integrity

Sample tampering attacks

TCP/IP:

source

machine TCP/IP

stack

Eve port=25 WWW port=80

dest=80 | data

data

Sample tampering attacks

TCP/IP:

key k

TCP/IP stack

key k

Eve port=25 WWW port=80

dest=80 | data dest=25 | stuff

data

stuff

Reading someone else’s data

IV dest=80 | data decrypts to

−−−−−−−−−−−−→ dest=80 | data goal: attacker seeks to change IV to IV’ such that

IV’ dest=80 | data decrypts to

−−−−−−−−−−−−→ dest=25 | data

⇓

key k

TCP/IP stack

key k

Eve port=25 WWW port=80 IV’ dest=80 | data

data

such modification is easy to do for CBC with random IV

Modification

encryption is done with CBC with a random IV IV dest=80 | data decrypts to

−−−−−−−−−−−−→ dest=80 | data how should the attacker choose IV’ so that:

IV’ dest=80 | data decrypts to

−−−−−−−−−−−−→ dest=25 | data

An attack using only network access

remote terminal application: each key stroke encrypted with CTR mode

IP hdr | TCP hdr | T | D T: 16 bit TCP checksum D: 1 byte keystroke for all t, s, attacker sends

IP hdr | TCP hdr | ⊕t | ⊕s

and receives ACK if valid checksum and nothing otherwise checksum(hdr,D)=t⊕checksum(hdr,D ⊕ s) ⇒ can find D

The lesson

I CPA security cannot guarantee secrecy under active attacks

I use only one of the two modes

I message integrity required, but confidentiality not necessary ⇒ use a message authentication code (MAC)

I both integrity and confidentiality required ⇒ use authenticated encryption modes

Definitions

Definition of authenticated encryption

I an authenticated encryption system (E , D) is a cipher where as usual: E : K × M → C

new: D : K × M → C ∪ {⊥}

⊥ means that ciphertext is rejected

I security requirements: the system must ensure

I semantic security under a CPA attack

I ciphertext integrity

attacker cannot create new ciphertexts that decrypt properly

Cipher integrity

I let (E , D) be a cipher with message space M m₀, . . . , m_q−1∈ M

Chal ←−−−−−−−−−−−−−−−−−−−−−−−−−−−− Adv c₀= E (k, m₀), . . . , c_q−1 = E (k, m_q−1) k ← K −−−−−−−−−−−−−−−−−−−−−−−−−−−−→

c

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−

↓ b

b = 1 if D(k, c) 6=⊥ ∧c 6∈ {c0, . . . , cq−1} b = 0 otherwise

I definition: (E , D) has ciphertext integrityif for all efficient A:

AdvCI(A, E ) = Pr(b = 1) is negligible

Authenticated encryption

I definition: a cipher (E , D) provides authenticated encryption (AE) if it is

1. semantically secure under CPA 2. has ciphertext integrity

I bad example: CBC with random IV does not provide AE D(k, ·) never outputs ⊥ and so adversary always wins CI game

Implication 1: authenticity

attacker cannot fool Bob into thinking message was sent from Alice

Alice

m₀, . . . , m_q−1

←−−−−−−−−−−−−−−

c0, . . . , cq−1

−−−−−−−−−−−−−−→

−−−−−−−−−−−−−−→ Bob

attacker cannot create valid c 6∈ {c₀, . . . , c_q−1}

if D(k, c) 6=⊥ Bob knows message must be from someone who knows k

but message could be a replay

Implication 2

authenticated encryption ⇒ security against chosen ciphertext attacks

Chosen ciphertext attacks

Examples of chosen ciphertext attacks

I often, adversary can fool server into decrypting certain ciphertexts

dest = 25 | data data

I often, adversary can learn partial information about plaintext

TCP/IP packet ACK

if valid checksum

Chosen ciphertext security

adversary’s power: both CPA and CCA

I can obtain the encryption of arbitrary messages of his choice

I can decrypt any ciphertext of his choice that is not equal to the challenge

conservative modeling of real-life situation adversary’s goal: break semantic security

Definition of ciphertext security

let (E , D) be a cipher defined over (K, M, K)

challenger k ← K

for i = 0, . . . , q (1) CPA query m0,i, m1,i ∈ M

←−−−−−−−−−−−−−−−−−−

−−−−−−−−−−−−−−−−−−→

ci = E (k, m_b,i) (2) CCA query c_i ∈ C \ {c₀, . . . , c_{i −1}}

←−−−−−−−−−−−−−−−−−−

−−−−−−−−−−−−−−−−−−→

m_i = D(k, c_i)

adversary

Definition of chosen ciphertext security

I (E , D) is CCA-secure if for all efficient A AdvCCA(A, E ) is negligible

I CBC with random IV is not CCA-secure

1. adversary submits the messages m0 and m1to challenger for encryption and obtains

c = E (k, mb) = (IV , c0) where b is unknown 2. adversary submits the ciphertext c⁰= (IV ⊕ 1, c0) to

challenger for decryption and obtains D(k, c⁰) = mb⊕ 1

Authenticated encryption ⇒ CCA security

I Theorem:

let (E , D) be a cipher that provides AE ⇒ (E , D) is CCA-secure

in particular, for any q-query efficient algorithm, there exist B₁ and B₂ such that

Adv_CCA(A, E )

≤ 2q · AdvCI(B1, E ) + AdvCPA(B2, E )AdvCCA(A, E )

Why is this important?

authenticated encryption:

I ensure confidentiality against active attackers that can decrypt some ciphertexts

limitations of AE:

I does not prevent replay attacks

I does not account for side channels such as timing

Construction from ciphers and

MACs

Combining MAC and ENC

encryption key k_E, MAC key k_I 1. (SSL)

m ⇒ mkt = mkS (k_I, m) ⇒ E (k_E, mkt)

2. (IPSec)

m ⇒ c = E (k_E, m) ⇒ ckt = ckS (k_I, c)

3. (SSH)

m ⇒ c = E (kE, m) ⇒ ckt = ckS (kI, m)

Authenticated encryption theorems

let (E , D) be a CPA secure cipher and (S , V ) a secure MAC ⇒ 1. encrypt-then-MAC: always provides AE

2. MAC-then-encrypt: may be insecure against CCA attacks however: (E , D) is rand-CTR mode or rand-CBC mode ⇒ M-then-E provides AE

for rand-CTR mode, one-time MAC is sufficient

Explanation of MAC security

recall: MAC security requires that (m, t) 6⇒ (m, t⁰) why is this important?

suppose that (m, t) 6⇒ (m, t⁰) ⇒

encrypt-then-MAC would not have ciphertext integrity 1. attacker submits m0, m1 for encryption and receives

c = E (k, mb) = (c0, t) where b is unknown to attacker

2. attacker computes alternative tag t⁰, submits c⁰ = (c0, t⁰) for decryption, and obtains

D(k, c⁰) = m_b

OCB: a direct construction from a PRP

more efficient authenticated encryption scheme:

I only one encryption per block

I parallelizable

m0 m1 m2 m3 checksum

⊕ ⊕ ⊕ ⊕ ⊕

P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) P(n, k, 4)

E (k, ·) E (k, ·) E (k, ·) E (k, ·) E (k, ·)

⊕ ⊕ ⊕ ⊕ ⊕

P(n, k, 0) P(n, k, 1) P(n, k, 2) P(n, k, 3) auth

c0 c1 c2 c3 c4

Standards

I GCM: CTR mode encryption then CW-MAC

I CCM: CBC-MAC then CTR encryption (802.11i)

I EAX: CTR mode encryption then CMAC