07 Authenc v2 Annotated

uan 8oneh
AuLhenucaLed Lncrypuon
Acuve auacks on
CA-secure encrypuon
Cnllne CrypLography Course uan 8oneh
uan 8oneh
8ecap: Lhe sLory so far
Conhdenna||ty: semanuc securlLy agalnsL a CA auack
Lncrypuon secure agalnsL eavesdropp|ng on|y
Integr|ty:
LxlsLenual unforgeablllLy under a chosen message auack
C8C-MAC, PMAC, MAC, CW-MAC
1hls module: encrypuon secure agalnsL tamper|ng
Lnsurlng boLh condenuallLy and lnLegrlLy
uan 8oneh
Sample Lamperlng auacks
1C/l: (hlghly absLracLed)

WWW
porL = 80
8ob
porL = 23
desL = 80 daLa
packeL
source machlne
desunauon machlne
1C/l
sLack
uan 8oneh
Sample Lamperlng auacks
lsec: (hlghly absLracLed)

WWW
porL = 80
8ob
porL = 23
k
k
desL = 80 daLa
packeL
packeLs encrypLed
uslng key k
1C/l
sLack
desL = 23 sLu
s
L
u

uan 8oneh
8eadlng someone else's daLa
WWW
porL = 80
8ob
porL = 23
k
k
desL = 80 daLa
Lasy Lo do for C8C wlLh rand. lv
(only lv ls changed)
noLe: auacker obLalns decrypuon of any clpherLexL
beglnnlng wlLh desL=23"

desL = 23 daLa
8ob:
lv,
lv',
1emplaLe
verLLeWhlLe2
desL = 80 daLa desL = 23 daLa
lv , lv' ,
Lncrypuon ls done wlLh C8C wlLh a random lv.

WhaL should lv' be?
lv' = lv ! (.23.)
lv' = lv ! (.80.)
lv' = lv ! (.80.) ! (.23.)
lL can'L be done
m[0] = u(k, c[0]) ! lv = desL=80."
uan 8oneh
An auack uslng only neLwork access
k
k
8emoLe Lermlnal app.: each keysLroke encrypLed wlLh C18 mode
1C/l packeL
l hdr 1C hdr
16 blL 1C checksum 1 byLe keysLroke
l hdr 1C hdr
! t ! s for all L, s send:
ACk lf valld checksum, noLhlng oLherwlse
[ checksum(hdr, u) = L ! checksum(hdr, u!s) } can nd u
u 1
uan 8oneh
1he lesson
CA securlLy cannoL guaranLee secrecy under acuve auacks.

Cnly use one of Lwo modes:
lf message needs lnLegrlLy buL no condenuallLy:
use a MAC
lf message needs boLh lnLegrlLy and condenuallLy:
use authenncated encrypnon modes (Lhls module)
uan 8oneh
Lnd of SegmenL
uan 8oneh
uenluons
uan 8oneh
Coals
An authenncated encrypnon sysLem (L,u) ls a clpher where
As usual: L: k M n ! C
buL u: k C n ! M {}

SecurlLy: Lhe sysLem musL provlde
sem. securlLy under a CA auack, and
c|phertext |ntegr|ty:
auacker cannoL creaLe new clpherLexLs LhaL decrypL properly
clpherLexL
ls re[ecLed
uan 8oneh
ClpherLexL lnLegrlLy
LeL (L,u) be a clpher wlLh message space M.

uef: (L,u) has c|phertext |ntegr|ty lf for all emclenL A:
Adv
Cl
[A,L] = r[Chal. ouLpuLs 1] ls negllglble.
Chal. Adv.
k!k
c
m
1
" M
c
1
! L(k,m
1
)
b=1 lf u(k,c) = and c # [ c
1
, . , c
q
}
b=0 oLherwlse
b
m
2
, ., m
q
c
2
, ., c
q
uan 8oneh
AuLhenucaLed encrypuon
uef: clpher (L,u) provldes authenncated encrypnon (AL) lf lL ls
(1) semanucally secure under CA, and
(2) has clpherLexL lnLegrlLy

8ad example: C8C wlLh rand. lv does noL provlde AL
u(k,) never ouLpuLs , hence adv. easlly wlns Cl game
uan 8oneh
lmpllcauon 1: auLhenuclLy
Auacker cannoL fool 8ob lnLo Lhlnklng a
message was senL from Allce
Allce
8ob
k
k
m
1
, ., m
q
c
l
= L(k, m
l
)
c
CannoL creaLe
valld c [ c
1
, ., c
q
}
lf u(k,c) = 8ob knows message ls from someone who knows k
(buL message could be a replay)
uan 8oneh
lmpllcauon 2

AuLhenucaLed encrypuon

SecurlLy agalnsL chosen c|phertext auacks
(nexL segmenL)
uan 8oneh
Lnd of SegmenL
uan 8oneh
Chosen clpherLexL
auacks
uan 8oneh
Lxample chosen clpherLexL auacks
Adversary has clpherLexL c LhaL lL wanLs Lo decrypL
Cen, adv. can fool server lnLo decrypung certa|n clpherLexLs (noL c)

Cen, adversary can learn parual lnformauon abouL plalnLexL
desL = 23 daLa daLa
1C/l packeL ACk
lf valld
checksum
uan 8oneh
Chosen clpherLexL securlLy

Adversary's power: boLh CA and CCA
Can obLaln Lhe encrypuon of arblLrary messages of hls cholce
Can decrypL any clpherLexL of hls cholce, oLher Lhan challenge
(conservauve modellng of real llfe)

Adversary's goa|: 8reak semauc securlLy
uan 8oneh
Chosen clpherLexL securlLy: denluon
E = (L,u) clpher dened over (k,M,C). lor b=0,1 dene Lx(b):

Chal.
b
Adv.
k!k
b' " [0,1}
m
l,0
, m
l,1
" M : |m
l,0
| = |m
l,1
|
c
l
! L(k, m
|,b
)
for l=1,.,q:
(1) CA query:

(2) CCA query:
c
l
" C : c
l
[c
1
, ., c
l-1
}
m
l
! u(k, c
|
)
uan 8oneh
Chosen clpherLexL securlLy: denluon
E ls CCA secure lf for all emclenL" A:
Adv
CCA
[A,E] = |r[Lx(0)=1] - r[Lx(1)=1] | ls negllglble."
Lxamp|e: C8C wlLh rand. lv ls noL CCA-secure
Chal.
b
Adv.
k!k
m
0
, m
1
: |m
0
| = |m
1
|=1
c ! L(k, m
b
) = (lv, c[0])
c' = (lv!1, c[0])
u(k, c') = m
b
!1
b
uan 8oneh
AuLhenucaLed enc. CCA securlLy
1hm: LeL (L,u) be a clpher LhaL provldes AL.
1hen (L,u) ls CCA secure !

ln parucular, for any q-query e. A Lhere exlsL e. 8
1
, 8
2
s.L.
Adv
CCA
[A,L] < 2qAdv
Cl
[8
1
,L] + Adv
CA
[8
2
,L]
uan 8oneh
roof by plcLures
Chal. Adv.
k!k
CA query: m
l,0
, m
l,1

CCA query: c
l

c
l
=L(k,m
l,
0
)
u(k,c
l
)
Chal. Adv.
k!k
CA query: m
l,0
, m
l,1

CCA query: c
l

c
l
=L(k,m
l,
1
)
u(k,c
l
)
CA query: m
l,0
, m
l,1

Chal. Adv.
k!k
c
l
=L(k,m
l,
0
)
Chal. Adv.
k!k
CA query: m
l,0
, m
l,1

c
l
=L(k,m
l,
1
)

CCA query: c
l

CCA query: c
l

=
p

=
p

=
p

=
p

uan 8oneh
So whaL?
AuLhenucaLed encrypuon:
ensures condenuallLy agalnsL an acuve adversary
LhaL can decrypL some clpherLexLs

LlmlLauons:
does noL prevenL replay auacks
does noL accounL for slde channels (umlng)
uan 8oneh
Lnd of SegmenL
uan 8oneh
ConsLrucuons from
clphers and MACs
uan 8oneh
. buL rsL, some hlsLory
AuLhenucaLed Lncrypuon (AL): lnLroduced ln 2000 [k?'00, 8n'00]

CrypLo Als before Lhen: (e.g. MS-CAl)
rovlde Al for CA-secure encrypuon (e.g. C8C wlLh rand. lv)
rovlde Al for MAC (e.g. PMAC)

Lvery pro[ecL had Lo comblne Lhe Lwo lLself wlLhouL
a well dened goal
noL all comblnauons provlde AL .
uan 8oneh
Comblnlng MAC and LnC (CCA)
Encryption key k
E
. MAC key = k
I
Cpuon 1: (SSL)

Cpuon 2: (lsec)

Cpuon 3: (SSP)
msg m msg m tag
L(k
L
, mllLag)

S(k
I
, m)

msg m
L(k
L
, m)

tag
S(k
I
, c)

msg m
L(k
L
, m)

tag
S(k
I
, m)

a|ways
correct
uan 8oneh
A.L. 1heorems
LeL (L,u) be CA secure clpher and (S,v) secure MAC. 1hen:

1. Lncrypt-then-MAC: always provldes A.L.
2. MAC-then-encrypt: may be lnsecure agalnsL CCA auacks
however: when (L,u) ls rand-C18 mode or rand-C8C
M-Lhen-L provldes A.L.
for rand-C18 mode, one-ume MAC ls sumclenL
uan 8oneh
SLandards (aL a hlgh level)
GCM: C18 mode encrypuon Lhen CW-MAC
(acceleraLed vla lnLel's CLMuLCuC lnsLrucuon)
CCM: C8C-MAC Lhen C18 mode encrypuon (802.11l)
LAk: C18 mode encrypuon Lhen CMAC
All supporL ALAu: (auLh. enc. wlLh assoclaLed daLa). All are nonce-based.
encrypted data associated data
auLhenucaLed
encrypLed
uan 8oneh
An example Al (CpenSSL)
lnL ALS_GCM_In|t(ALS_CCM_C1x *aln,
unslgned char *nonce, unslgned long noncelen,
unslgned char *key, unslgned lnL klen )

lnL ALS_GCM_LncryptUpdate(ALS_CCM_C1x *a,
unslgned char *aad, unslgned long aadlen,
unslgned char *data, unslgned long daLalen,
unslgned char *out, unslgned long *ouLlen)
uan 8oneh
MAC SecurlLy -- an explanauon
8ecall: MAC securlLy lmplles (m , L) (m , L' )
Why? Suppose noL: (m , L) ! (m , L')
1hen LncrypL-Lhen-MAC would noL have ClpherLexL lnLegrlLy !!

Chal.
b
Adv.
k!k
m
0
, m
1
c ! L(k, m
b
) = (c
0
, L)
c' = (c
0
, L' ) = c
u(k, c') = m
b

b
(c
0
, L)
(c
0
, L')
uan 8oneh
CC8: a dlrecL consLrucuon from a 8
More efficient authenticated encryption: one E() op. per block.
m[0] m[1] m[2] m[3]
$ $ $ $
E(k,%) E(k,%) E(k,%) E(k,%)
P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3)
$ $ $ $
P(N,k,0) P(N,k,1) P(N,k,2)
P(N,k,3)
c[0] c[1] c[2] c[3]
checksum
E(k,%)
$
$
c[4]
P(N,k,0)
auth
uan 8oneh
erformance: CrypLo++ 3.6.0 [ Wel ual ]
AMu CpLeron, 2.2 CPz ( Llnux)
code Speed
Clpher slze (M8/sec)
ALS/CCM large
**
108 ALS/C18 139
ALS/CCM smaller 61 ALS/C8C 109
ALS/LAx smaller 61
ALS/CMAC 109
ALS/CC8 129
*
PMAC/SPA1 147
* exLrapolaLed from 1ed kravlLz's resulLs ** non-lnLel machlnes
uan 8oneh
Lnd of SegmenL
uan 8oneh
Case sLudy: 1LS
uan 8oneh
1he 1LS 8ecord roLocol (1LS 1.2)
unldlrecuonal keys: k
b"s

and k
s"b
SLaLeful encrypuon:
Lach slde malnLalns Lwo 64-blL counLers: cLr
b"s
, cLr
s"b
lnlL. Lo 0 when sesslon sLarLed. cLr++ for every record.
urpose: replay defense
k
b"s
, k
s"b
k
b"s
, k
s"b
1LS record Pu8
uan 8oneh
1LS record: encrypuon (C8C ALS-128, PMAC-SPA1)
k
b"s
= (k
mac
, k
enc
)

8rowser slde enc(k
b"s
, data, ctr
b"s
) :
sLep 1: Lag # S( k
mac
, [ ++cLr
b"s
ll header ll daLa] )
sLep 2: pad [ header ll daLa ll Lag ] Lo ALS block slze
sLep 3: C8C encrypL wlLh k
enc
and

new random lv
sLep 4: prepend header
daLa

Lype ll ver ll len
Lag
pad
uan 8oneh
1LS record: decrypuon (C8C ALS-128, PMAC-SPA1)
Server slde dec(k
b"s
, record, ctr
b"s
) :
sLep 1: C8C decrypL record uslng k
enc

sLep 2: check pad formaL: send bad_record_mac lf lnvalld
sLep 3: check Lag on [ ++cLr
b"s
ll header ll daLa]
send bad_record_mac lf lnvalld

rovldes auLhenucaLed encrypuon
(provlded no oLher lnfo. ls leaked durlng decrypuon)
uan 8oneh
8ugs ln older verslons (prlor Lo 1LS 1.1)
IV for C8C |s pred|ctab|e: (chalned lv)
lv for nexL record ls lasL clpherLexL block of currenL record.
noL CA secure. (a pracucal explolL: 8LAS1 auack)
add|ng orac|e: durlng decrypuon
lf pad ls lnvalld send decryption failed alerL
lf mac ls lnvalld send bad_record_mac alerL
auacker learns lnfo. abouL plalnLexL (auack ln nexL segmenL)
Lesson: when decrypuon falls, do noL explaln why
uan 8oneh
Leaklng Lhe lengLh
1he 1LS header leaks Lhe lengLh of 1LS records
LengLhs can also be lnferred by observlng neLwork Lramc
lor many web appllcauons, leaklng lengLhs reveals sensluve lnfo:
ln Lax preparauon slLes, lengLhs lndlcaLe Lhe Lype of reLurn belng
led whlch leaks lnformauon abouL Lhe user's lncome
ln healLhcare slLes, lengLhs leaks whaL page Lhe user ls vlewlng
ln Coogle maps, lengLhs leaks Lhe locauon belng requesLed
no easy soluuon
uan 8oneh
802.11b WL: how noL Lo do lL
802.11b WL:

revlously dlscussed problems:
Lwo ume pad and relaLed 8C seeds
k
k
m
C8C(m)
8C( lv ll k )
clpheLexL lv
uan 8oneh
Acuve auacks
Iact: C8C ls llnear, l.e. m,p: CkC( m ! p) = CkC(m) ! I(p)
desL-porL = 80 daLa C8C
lv WL clpherLexL:
auacker:
000...00...kk.0000. I(kk)
!
lv desL-porL = 23 daLa C8C'
xx = 23!80
upon decrypuon: C8C ls valld, buL clpherLexL ls changed !!
uan 8oneh
Lnd of SegmenL
uan 8oneh
C8C paddlngs auacks
uan 8oneh
8ecap
Authenncated encrypnon: CA securlLy + clpherLexL lnLegrlLy
CondenuallLy ln presence of acnve adversary
revenLs chosen-clpherLexL auacks
LlmlLauon: cannoL help bad lmplemenLauons . (Lhls segmenL)

AuLhenucaLed encrypuon modes:
SLandards: CCM, CCM, LAx
Ceneral consLrucuon: encrypL-Lhen-MAC

uan 8oneh
1he 1LS record proLocol (C8C encrypuon)
uecrypuon: dec(k
b"s
, record, ctr
b"s
) :
sLep 1: C8C decrypL record uslng k
enc

sLep 2: check pad formaL: aborL lf lnvalld
sLep 3: check Lag on [ ++cLr
b"s
ll header ll daLa]
aborL lf lnvalld
daLa

Lype ll ver ll len
Lag
pad
1wo Lypes of error:
padd|ng error
MAC error
uan 8oneh
addlng oracle
daLa

Lype ll ver ll len
Lag
pad
Suppose auacker can dlerenuaLe Lhe Lwo errors
(pad error, MAC error):
add|ng orac|e:
auacker submlLs clpherLexL and learns lf
lasL byLes of plalnLexL are a valld pad
nlce example of a
chosen c|phertext auack
uan 8oneh
addlng oracle vla umlng CpenSSL
CredlL: 8rlce Canvel
(xed ln CpenSSL 0.9.7a)
ln older 1LS 1.0: paddlng oracle due Lo dlerenL alerL messages.
uan 8oneh
uslng a paddlng oracle (C8C encrypuon)
u(k,%) u(k,%)
m[0] m[1] m[2] ll pad
$ $
u(k,%)
$
c[0] c[1] c[2] lv
Auacker has clpherLexL c = (c[0], c[1], c[2]) and lL wanLs m[1]
uan 8oneh
u(k,%) u(k,%)
m[0] m[1]
$ $
c[0] c[1] lv
sLep 1: leL g be a guess for Lhe lasL byLe of m[1]
! g ! 0x01
= lasL-byLe ! g ! 0x01
lf lasL-byLe = g: valld pad
oLherwlse: lnvalld pad
uan 8oneh
Auack: submlL ( IV, c'[0], c[1] ) Lo paddlng oracle
auacker learns lf lasL-byLe = g

8epeaL wlLh g = 0,1, ., 233 Lo learn lasL byLe of m[1]

1hen use a (02, 02) pad Lo learn Lhe nexL byLe and so on .
uan 8oneh
lMA over 1LS
rob|em: 1LS renegouaLes key when an lnvalld record ls recelved

LnLer lMA over 1LS: (proLocol for readlng emall)
Lvery ve mlnuLes cllenL sends logln message Lo server:
LCGIN "username" "password"
LxacL same auack works, desplLe new keys
recovers password ln a few hours.
uan 8oneh
Lesson

1. LncrypL-Lhen-MAC would compleLely avold Lhls problem:

MAC ls checked rsL and clpherLexL dlscarded lf lnvalld

2. MAC-Lhen-C8C provldes A.L., buL paddlng oracle desLroys lL
1emplaLe
verLLeWhlLe2
Wlll Lhls auack work lf 1LS used counLer mode lnsLead of C8C?
(l.e. use MAC-Lhen-C18 )
?es, paddlng oracles aecL all encrypuon schemes
lL depends on whaL block clpher ls used
no, counLer mode need noL use paddlng
uan 8oneh
Lnd of SegmenL
1emplaLe
verLLeWhlLe2
Auacklng non-aLomlc
decrypuon
uan 8oneh
SSP 8lnary ackeL roLocol
uecrypuon:
sLep 1: decrypL packeL lengLh eld only (!)
sLep 2: read as many packeLs as lengLh specles
sLep 3: decrypL remalnlng clpherLexL blocks
sLep 4: check MAC Lag and send error response lf lnvalld
seq.
num.
packeL
len.
pad
len.
payload pad
MAC
Lag
C8C encrypuon (chalned lv)
MAC compuLed
over plalnLexL
uan 8oneh
An auack on Lhe enc. lengLh eld (slmplled)
Auacker has one clpherLexL block c = ALS(k, m) and lL wanLs m
k
seq.
num.
c
one ALS block
decrypL
and obLaln
len" eld
|en
send byLes one aL a ume
when len" byLes read:
server sends MAC error"
auacker learns 32 LS8 blLs of m !!
1emplaLe
verLLeWhlLe2
Lesson
1he problem: (1) non-aLomlc decrypL
(2) len eld decrypLed and used before lL ls auLhenucaLed
Pow would you redeslgn SSP Lo reslsL Lhls auack?
Send Lhe lengLh eld unencrypLed (buL MAC-ed)
8eplace encrypL-and-MAC by encrypL-Lhen-MAC
Add a MAC of (seq-num, lengLh) rlghL aer Lhe len eld
8emove Lhe lengLh eld and ldenufy packeL boundary
by verlfylng Lhe MAC aer every recelved byLe
uan 8oneh
lurLher readlng
1he Crder of Lncrypuon and AuLhenucauon for roLecung
Communlcauons, P. krawczyk, CrypLo 2001.
AuLhenucaLed-Lncrypuon wlLh AssoclaLed-uaLa,
. 8ogaway, roc. of CCS 2002.
assword lnLercepuon ln a SSL/1LS Channel,
8. Canvel, A. PllLgen, S. vaudenay, M. vuagnoux, CrypLo 2003.
lalnLexL 8ecovery Auacks AgalnsL SSP,
M. AlbrechL, k. aLerson and C. WaLson, lLLL S 2009
roblem areas for Lhe l securlLy proLocols,
S. 8ellovln, usenlx SecurlLy 1996.
uan 8oneh
Lnd of SegmenL

07 Authenc v2 Annotated

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

07 Authenc v2 Annotated

Uploaded by

Copyright:

Available Formats

uan 8oneh

You might also like