Authenticated Encryption – lecture slides from TU Graz


Maria Eichlseder

Applied Cryptography – WT 2017/18

www.iaik.tugraz.at

you almost certainly don’t want it modified!

Confidentiality: as provided by block cipher modes

Authenticity, integrity: as provided by message authentication codes

“… with secure MACs and still get insecure authenticated encryption schemes”

1 / 43

Outline

Authenticated Encryption
  Requirements
  Generic compositions
  Pitfalls
  Dedicated modes
CAESAR
  The competition
  The candidates

2 / 43

Notation cheatsheet

$C$: ciphertext, protected version of the plaintext $M$

$K$: shared secret key of Alice and Bob

$N$: nonce (number used once), a unique initial value (IV)

$E^*_K$: block cipher mode, $E^*_K : \mathbb{F}_2^* \to \mathbb{F}_2^*$

$\mathrm{MAC}_K$: message authentication code, $\mathrm{MAC}_K : \mathbb{F}_2^* \to \mathbb{F}_2^b$

$h$: hash function, $h : \mathbb{F}_2^* \to \mathbb{F}_2^b$

$\oplus$: XOR of bitstrings

$\|$: concatenation of bitstrings

$\times$: multiplication in a binary finite field

3 / 43

Block cipher modes as $E^*_K$ (diagram; only its labels survived extraction):

Generic $E^*_K$: a chained mode with IV $N \in \mathbb{F}_2^b$ turning the message $M = M_1 \| M_2 \| \cdots \| M_\ell \in \mathbb{F}_2^*$ into the ciphertext $C = C_1 \| C_2 \| \cdots \| C_\ell \in \mathbb{F}_2^*$ with one $E_K$ call per block.

Counter (CTR): $C_i = M_i \oplus E_K(N \| i)$ for $i = 1, \ldots, \ell$; the keystream blocks $E_K(N\|1), E_K(N\|2), \ldots, E_K(N\|\ell)$ do not depend on $M$.

4 / 43

Malleability of unauthenticated encryption (original $M, C$ on the left, forgery $M', C'$ on the right):

Streaming modes (OFB, CTR): arbitrary modifications, not detectable
  M  ...000100...    M' ...011100...
  C  ...110011...    C' ...101011...

Arbitrary modifications, delayed detection (part of $M'$ turns into garbage, shown as ??)
  M  ...000100...    M' ...0111??...
  C  ...110011...    C' ...101011...

Any mode: random modification of low-redundancy data
  M  ...000100...    M' ...??????...
  C  ...110011...    C' ...101011...

5 / 43

Redundancy-only integrity does not help: encrypting $M \| h(M)$ with a streaming mode $E^*_K$ is still forgeable, because $h$ is a public function and the mode is linear in the plaintext.

Intercepts $C' = E^*_K(M' \| h(M'))$ for a known $M'$, then
forges $C = E^*_K(M \| h(M)) = C' \oplus \big( (M \oplus M') \| (h(M) \oplus h(M')) \big)$

Intercepts $C' = E^*_K(M \| h(M) \| x \| h(M'))$ (the sent message is $M' = M \| h(M) \| x$), then
forges $C = E^*_K(M \| h(M))$ by truncating the end of $C'$

6 / 43
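The first forgery of slide 6 in runnable form, as an added example that is not part of the original slides. HMAC-SHA256 over $N \| i$ stands in for the block cipher $E_K$ of a CTR-style keystream (an assumption: any PRF-based streaming mode is linear in the same way), the two messages are constructed, and `forge` computes $C = C' \oplus ((M \oplus M') \| (h(M) \oplus h(M')))$ without ever seeing the key.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes of keystream per PRF call (HMAC-SHA256 output size)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = PRF_K(N || i). HMAC-SHA256 stands in for
    the block cipher E_K of the slides (assumption: any PRF gives a streaming
    mode E*_K with exactly the malleability discussed on slide 5)."""
    blocks = (length + BLOCK - 1) // BLOCK
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return ks[:length]


def encrypt_with_hash(key: bytes, nonce: bytes, m: bytes) -> bytes:
    """Redundancy-only integrity: C = E*_K(M || h(M)) with h = SHA-256."""
    payload = m + hashlib.sha256(m).digest()
    return xor(payload, keystream(key, nonce, len(payload)))


def decrypt_with_hash(key: bytes, nonce: bytes, c: bytes):
    """Returns M if the embedded hash matches, None (the slides' bottom symbol) otherwise."""
    payload = xor(c, keystream(key, nonce, len(c)))
    m, digest = payload[:-32], payload[-32:]
    if not hmac.compare_digest(hashlib.sha256(m).digest(), digest):
        return None
    return m


def forge(c_prime: bytes, m_prime: bytes, m: bytes) -> bytes:
    """Slide 6, without the key: C = C' xor ((M xor M') || (h(M) xor h(M'))).
    Needs a ciphertext C' = E*_K(M' || h(M')) whose plaintext M' is known and
    a target M of the same length; XOR-ing the difference re-targets both the
    message and its hash because the streaming mode is linear."""
    delta = xor(m, m_prime) + xor(hashlib.sha256(m).digest(), hashlib.sha256(m_prime).digest())
    return xor(c_prime, delta)


def demo():
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    m_prime = b"PAY 00100 EUR TO ALICE"   # constructed known plaintext
    m = b"PAY 99999 EUR TO MALLO"         # attacker's target, same length
    c_prime = encrypt_with_hash(key, nonce, m_prime)
    assert decrypt_with_hash(key, nonce, c_prime) == m_prime
    forged = forge(c_prime, m_prime, m)   # no key involved
    return decrypt_with_hash(key, nonce, forged)


if __name__ == "__main__":
    print(demo())   # the recipient accepts the attacker's message as authentic
```

Flipping a single ciphertext bit without adjusting the hash part is still rejected, which is what makes the scheme look safe in casual testing; the attacker simply adjusts the hash part as well, since $h$ needs no key. Only a keyed MAC (and, as the following slides show, the right composition) closes this.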

Message authentication codes $\mathrm{MAC}_K$ (diagrams; reconstructed from their labels):

CBC-MAC: CBC with IV $0$ over $M = M_1 \| \cdots \| M_\ell \in \mathbb{F}_2^*$, keeping only the last block as the tag,
$T = E_K(M_\ell \oplus E_K(\cdots E_K(M_2 \oplus E_K(M_1 \oplus 0)) \cdots)) \in \mathbb{F}_2^b$

HMAC: two nested hash calls with the key padded by constants,
$T = h\big((K \oplus \texttt{0x5c5c..}) \| h((K \oplus \texttt{0x3636..}) \| M_1 \cdots M_\ell)\big) \in \mathbb{F}_2^b$

7 / 43

Authenticated encryption produces a ciphertext $C \in \mathbb{F}_2^*$ and a tag $T \in \mathbb{F}_2^b$.

8 / 43

Authenticated Encryption $\mathcal{E}$
Output: ciphertext $C$, tag $T$

Verified Decryption $\mathcal{D}$
Output: plaintext $M$ or $\bot$ if invalid

9 / 43

Generic compositions

How to combine an encryption scheme $E^*$ (producing $C$) and a MAC (producing $T$) from the message $M$? Three ways follow.

10 / 43

Generic compositions

Encrypt-and-MAC (E&M): $C = E^*(M)$, $T = \mathrm{MAC}(M)$

Encrypt-then-MAC (EtM): $C = E^*(M)$, $T = \mathrm{MAC}(C)$

MAC-then-Encrypt (MtE): $C \| T = E^*(M \| \mathrm{MAC}(M))$

11 / 43


Generic compositions

Encrypt-and-MAC (E&M)

e.g., in SSH

security depends on E ∗ and MAC details

Encrypt-then-MAC (EtM)

e.g., in IPSec; standard ISO/IEC 19772:2009

provably secure

MAC-then-Encrypt (MtE)

e.g., in SSL/TLS

security depends on E ∗ and MAC details

12 / 43

Pitfall: dependent keys. CBC encryption (IV $N$) and CBC-MAC (IV $N$) with the same key $K$:

$C_i = E_K(M_i \oplus C_{i-1})$ with $C_0 = N$; the CBC-MAC chain is the very same computation, so $T = C_\ell$.

What happens when $T$ is appended to $M$ and encrypted along with it?

$C_{\ell+1} = E_K(T \oplus C_\ell) = E_K(0)$, a constant independent of $M$: no authenticity!

13 / 43

Pitfall: dependent keys. CTR encryption (counter blocks $N\|1, N\|2, \ldots, N\|\ell$) and CBC-MAC (IV $0$) with the same key $K$:

$C_i = M_i \oplus E_K(N \| i)$; the CBC-MAC tag of the one-block message $N \| i$ is $E_K(N \| i \oplus 0) = E_K(N \| i)$, exactly the keystream block.

Query tags for the messages $N\|1, N\|2, \ldots$ to read $M$.

14 / 43
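Both key-reuse pitfalls (slides 13 and 14) executed end to end, as an added example that is not part of the original slides. A 4-round Feistel network with an HMAC round function is used as a toy 128-bit block cipher in place of AES (an assumption; the attacks rely only on $E_K$ being a keyed permutation, not on its strength), and the message and nonces are constructed.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def E(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: 4-round Feistel network with an HMAC round
    function. Assumption: it stands in for AES; the key-reuse attacks below
    depend only on E_K being a permutation, not on its strength."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def cbc_mac(key: bytes, iv: bytes, msg: bytes) -> bytes:
    x = iv
    for i in range(0, len(msg), 16):
        x = E(key, xor(msg[i:i + 16], x))
    return x


# Slide 13: CBC encryption of M || T, with T = CBC-MAC over M, same key K, same IV N.
def cbc_encrypt_with_cbcmac(key: bytes, n: bytes, msg: bytes) -> bytes:
    payload = msg + cbc_mac(key, n, msg)
    out, prev = b"", n
    for i in range(0, len(payload), 16):
        prev = E(key, xor(payload[i:i + 16], prev))
        out += prev
    return out


def cbc_decrypt_with_cbcmac(key: bytes, n: bytes, ct: bytes):
    pt, prev = b"", n
    for i in range(0, len(ct), 16):
        pt += xor(D(key, ct[i:i + 16]), prev)
        prev = ct[i:i + 16]
    msg, t = pt[:-16], pt[-16:]
    return msg if hmac.compare_digest(t, cbc_mac(key, n, msg)) else None


def forge_cbc(honest_ct: bytes, chosen_blocks: bytes) -> bytes:
    """T equals C_l, so the last block is always E_K(T xor C_l) = E_K(0): copy it
    from any honest ciphertext and prepend arbitrary blocks."""
    return chosen_blocks + honest_ct[-16:]


# Slide 14: CTR encryption with counter blocks N || i, CBC-MAC with IV 0, same key K.
def ctr_encrypt(key: bytes, n12: bytes, msg: bytes) -> bytes:
    out = b""
    for i in range(0, len(msg), 16):
        out += xor(msg[i:i + 16], E(key, n12 + (i // 16 + 1).to_bytes(4, "big")))
    return out


def read_via_mac_oracle(tag_oracle, n12: bytes, ct: bytes) -> bytes:
    """The CBC-MAC (IV 0) of the one-block message N || i is E_K(N || i), which is
    exactly the keystream block, so a tag oracle hands out the plaintext."""
    pt = b""
    for i in range(0, len(ct), 16):
        pt += xor(ct[i:i + 16], tag_oracle(n12 + (i // 16 + 1).to_bytes(4, "big")))
    return pt


def demo():
    key = secrets.token_bytes(32)
    msg = b"transfer 10 EUR to bob, ref 4711"        # constructed, exactly 2 blocks
    n = secrets.token_bytes(16)
    ct = cbc_encrypt_with_cbcmac(key, n, msg)
    assert cbc_decrypt_with_cbcmac(key, n, ct) == msg
    forged = forge_cbc(ct, secrets.token_bytes(32))   # random "ciphertext" blocks
    forgery_accepted = cbc_decrypt_with_cbcmac(key, n, forged) is not None

    n12 = secrets.token_bytes(12)
    ct2 = ctr_encrypt(key, n12, msg)
    oracle = lambda one_block: cbc_mac(key, bytes(16), one_block)
    return forgery_accepted, read_via_mac_oracle(oracle, n12, ct2) == msg
```

The forgery in the first half verifies under any IV, not just the one the honest ciphertext used, because the decrypted tag block always equals the last ciphertext block and the recomputed CBC-MAC reproduces it. The fix in both cases is the same: derive independent keys for encryption and authentication (or use a dedicated mode that does so internally).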

Pitfall: MtE can be insecure even with a SUF MAC and an IND-CPA cipher. Construct $E^*_K$ as follows:

1. Encode $M$ to $M'$: expand each bit $0$ to $00$ and each bit $1$ to $01$ or $10$
2. Apply $E^*_{K'}$ (a streaming mode, so that bit $j$ of $C$ corresponds to bit $j$ of $M'$) to $M'$

The MAC is still 1. SUF and the encryption is still 2. IND-CPA . . . more in a moment

15 / 43

Attack on this MtE scheme (the attacker only learns whether the recipient accepts or rejects):

1. Toggle bits $2i$ and $2i+1$ of $C$ (= of $M'$)
2. Send this modified $\tilde{C}^{(i)}$ to the recipient
3. If rejected: bit $i$ was $0$ (the pair $00$ became the invalid $11$), else $1$ (the pair $01$ or $10$ still decodes to $1$, so the MAC verifies)

Many similar examples in the real world!

MtE is secure for some specific $E^*$ (e.g., CBC) – but not in general!

16 / 43
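The encoding counterexample of slides 15 and 16 as working code, added here and not part of the original slides. The encryption $E^*_{K'}$ is XOR with a SHAKE-256 keystream (an assumption standing in for CTR/OFB; the attack only needs bit $j$ of $C$ to map to bit $j$ of $M'$), the MAC is HMAC-SHA256 (strongly unforgeable), and the secret message is constructed. The recipient's accept/reject answer is the only thing `recover_message` consumes.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(m: bytes) -> bytes:
    """Slide 15: expand every bit, 0 -> 00, 1 -> 01 or 10 (chosen at random)."""
    pairs = []
    for byte in m:
        for k in range(7, -1, -1):
            pairs.append("00" if (byte >> k) & 1 == 0 else secrets.choice(("01", "10")))
    bits = "".join(pairs)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def decode(mp: bytes):
    """Inverse of encode; the pair 11 is not a valid encoding and yields None."""
    bits = bin(int.from_bytes(mp, "big"))[2:].zfill(len(mp) * 8)
    value = 0
    for j in range(0, len(bits), 2):
        pair = bits[j:j + 2]
        if pair == "11":
            return None
        value = (value << 1) | (0 if pair == "00" else 1)
    return value.to_bytes(len(mp) // 2, "big")


def stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """IND-CPA streaming encryption E*_{K'}: XOR with a SHAKE-256(K'||N) keystream
    (assumption: stands in for CTR/OFB; all the attack needs is that bit j of C
    corresponds to bit j of M')."""
    return hashlib.shake_256(key + nonce).digest(n)


def mte_encrypt(k_enc: bytes, k_mac: bytes, nonce: bytes, m: bytes) -> bytes:
    t = hmac.new(k_mac, m, hashlib.sha256).digest()          # SUF-CMA MAC over M
    mp = encode(m + t)                                        # M' = encode(M || T)
    return xor(mp, stream(k_enc, nonce, len(mp)))


def mte_decrypt(k_enc: bytes, k_mac: bytes, nonce: bytes, c: bytes):
    mt = decode(xor(c, stream(k_enc, nonce, len(c))))
    if mt is None:
        return None
    m, t = mt[:-32], mt[-32:]
    return m if hmac.compare_digest(hmac.new(k_mac, m, hashlib.sha256).digest(), t) else None


def recover_bit(accepts, c: bytes, i: int) -> int:
    """Slide 16: toggle bits 2i and 2i+1 of C. Bit i of M was 0 iff the receiver
    rejects (00 -> 11 is invalid); 01 <-> 10 still decodes to 1, M is unchanged
    and the MAC on M still verifies, so the modified ciphertext is accepted."""
    c2 = bytearray(c)
    for b in (2 * i, 2 * i + 1):
        c2[b // 8] ^= 0x80 >> (b % 8)
    return 1 if accepts(bytes(c2)) else 0


def recover_message(accepts, c: bytes, nbytes: int) -> bytes:
    bits = "".join(str(recover_bit(accepts, c, i)) for i in range(nbytes * 8))
    return int(bits, 2).to_bytes(nbytes, "big")


def demo():
    k_enc, k_mac = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    m = b"pin:4831"                      # constructed secret
    c = mte_encrypt(k_enc, k_mac, nonce, m)
    assert mte_decrypt(k_enc, k_mac, nonce, c) == m
    # The attacker only sees accept/reject from the recipient, nothing else.
    accepts = lambda c2: mte_decrypt(k_enc, k_mac, nonce, c2) is not None
    return recover_message(accepts, c, len(m))
```

Every accepted $\tilde{C}^{(i)}$ decrypts to the original $M$, so the scheme keeps INT-PTXT and the MAC is never forged; what breaks is INT-CTXT, and with it IND-CCA, which is exactly why the table on slide 21 marks MtE as insecure in those two columns.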

Confidentiality

IND-CPA: infeasible for an attacker to find out which message $M$ or $M'$ was encrypted to $C$, even if he can query encryptions of any chosen messages (including $M$, $M'$!).

IND-CCA2: like IND-CPA, but the attacker can additionally query the decryption of any ciphertext except $C$.

17 / 43

CBC is IND-CPA but not IND-CCA2. With $C_i = E_K(M_i \oplus C_{i-1})$ and $C_0 = N$, the attacker asks for the decryption of

$C$ with a modified IV $N \oplus \Delta$ (the result is $M_1 \oplus \Delta$), or . . .

$C$ with a modified $C_1 \oplus \Delta$ (the result has $M_2 \oplus \Delta$ in the second block), or . . .

and reads off $M$ from the answer, which is allowed because the queried ciphertext differs from $C$.

18 / 43

Authenticity/integrity

WUF-CMA (weak unforgeability): infeasible for an attacker to find a tag $T$ for any new message $M$, even if he can request tags for any chosen messages $M' \neq M$.

SUF-CMA (strong unforgeability): like WUF-CMA, but even a new $T'$ for a previously queried $M$ counts.

19 / 43

Confidentiality

IND-CPA and IND-CCA2, as before

Authenticity/integrity

INT-PTXT (integrity of plaintext): infeasible for an attacker to construct a ciphertext $C$ (with $T$) for any new message $M$, even if he can query encryptions of chosen messages $M' \neq M$.

INT-CTXT (integrity of ciphertext): like INT-PTXT, but even a new ciphertext $C' \neq C$ for a previously queried $M$ counts.

20 / 43

Security of the generic compositions (with an IND-CPA $E^*$ and a WUF MAC):

          IND-CPA   IND-CCA   INT-PTXT   INT-CTXT
  E&M     ×         ×         ✓          ×
  MtE     ✓         ×         ✓          ×
  EtM     ✓         ×/✓*      ✓          ×/✓*

  × insecure   ✓ secure   ×/✓* secure only for SUF MACs

21 / 43
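Two cells of the table above, and the compositions of slides 11 and 12 they belong to, exercised in code; this is an added example, not part of the original slides. The encryption is XOR with a SHAKE-256 keystream (an assumption standing in for CTR mode), `StrongMAC` is HMAC-SHA256, and `WeakMAC` is a constructed MAC that is WUF-CMA but not SUF-CMA because one tag byte is random and never checked. The message is constructed.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """E*_K: IND-CPA streaming encryption (XOR with a SHAKE-256(K||N) keystream;
    assumption: stands in for CTR mode)."""
    return xor(data, hashlib.shake_256(key + nonce).digest(len(data)))


class StrongMAC:
    """SUF-CMA: HMAC-SHA256 with the full tag compared."""
    @staticmethod
    def tag(k, m):
        return hmac.new(k, m, hashlib.sha256).digest()

    @staticmethod
    def verify(k, m, t):
        return hmac.compare_digest(StrongMAC.tag(k, m), t)


class WeakMAC:
    """WUF-CMA but not SUF-CMA (constructed): the 17th tag byte is random and
    never checked, so every valid (M, T) gives 255 further valid tags T' != T."""
    @staticmethod
    def tag(k, m):
        return hmac.new(k, m, hashlib.sha256).digest()[:16] + secrets.token_bytes(1)

    @staticmethod
    def verify(k, m, t):
        return hmac.compare_digest(hmac.new(k, m, hashlib.sha256).digest()[:16], t[:16])


def encrypt_and_mac(ke, km, nonce, m, mac=StrongMAC):
    """E&M: C = E*(M), T = MAC(M)."""
    return stream_xor(ke, nonce, m), mac.tag(km, m)


def encrypt_then_mac(ke, km, nonce, m, mac=StrongMAC):
    """EtM: C = E*(M), T = MAC(N || C)."""
    c = stream_xor(ke, nonce, m)
    return c, mac.tag(km, nonce + c)


def decrypt_etm(ke, km, nonce, c, t, mac=StrongMAC):
    return stream_xor(ke, nonce, c) if mac.verify(km, nonce + c, t) else None


def em_leaks_equality(ke, km, m) -> bool:
    """E&M is not IND-CPA: a deterministic MAC over M repeats whenever M repeats,
    even though the ciphertexts (fresh nonces) differ."""
    _, t1 = encrypt_and_mac(ke, km, secrets.token_bytes(12), m)
    _, t2 = encrypt_and_mac(ke, km, secrets.token_bytes(12), m)
    return t1 == t2


def etm_accepts_new_tag(ke, km, nonce, m, mac) -> bool:
    """INT-CTXT probe: resubmit (C, T') with only the last tag byte changed.
    Acceptance is an INT-CTXT break and also a valid IND-CCA decryption query
    ('any ciphertext except the challenge')."""
    c, t = encrypt_then_mac(ke, km, nonce, m, mac)
    t2 = t[:-1] + bytes([t[-1] ^ 0x01])
    return decrypt_etm(ke, km, nonce, c, t2, mac) == m


def etm_accepts_changed_ciphertext(ke, km, nonce, m, mac) -> bool:
    """INT-PTXT probe: a changed C never verifies, for either MAC."""
    c, t = encrypt_then_mac(ke, km, nonce, m, mac)
    c2 = bytes([c[0] ^ 0x01]) + c[1:]
    return decrypt_etm(ke, km, nonce, c2, t, mac) is not None


def demo():
    ke, km, n = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(12)
    m = b"approve wire 4711"   # constructed
    return {
        "E&M leaks plaintext equality": em_leaks_equality(ke, km, m),
        "EtM+SUF accepts new tag": etm_accepts_new_tag(ke, km, n, m, StrongMAC),
        "EtM+WUF accepts new tag": etm_accepts_new_tag(ke, km, n, m, WeakMAC),
        "EtM+SUF accepts changed C": etm_accepts_changed_ciphertext(ke, km, n, m, StrongMAC),
        "EtM+WUF accepts changed C": etm_accepts_changed_ciphertext(ke, km, n, m, WeakMAC),
    }
```

Including the nonce under the MAC in EtM matters in practice: without it an attacker could replay a ciphertext under a different nonce, which the table's column definitions do not cover but any deployment must.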


Adding explicit inputs N, A makes the situation more complicated

AEAD: Authenticated Encryption with Associated Data

We also need a suitable, concise security notion

22 / 43

AEAD security game: the adversary talks to either the real world or an ideal world and has to tell which.

Real world: implements the scheme; $\mathcal{D}$ executes the scheme with $K$.

Ideal world: behaves like an ideal AEAD; $\mathcal{D}$ always returns $\bot$ (* except where consistency with previous queries requires otherwise).

She can send queries $(N, A, M)$ to $\mathcal{E}$ and $(N, A, C, T)$ to $\mathcal{D}$.

She is not allowed to cheat (reuse a nonce, . . . ).

23 / 43


AES-CCM

OCB 3.0 (very fast)

SIV (nonce-misuse resistance)

ChaCha20-Poly1305 (not based on AES)

...

(all proven secure assuming an ideal block cipher and nonce-respecting adversaries)

24 / 43

CCM (diagram; reconstructed from its labels): MtE with CBC-MAC and CTR under one key. CBC-MAC with $E_K$ over a first block formed from $N$ and the length ($N \| 16 \cdot \ell$ in the diagram), then $A_1 \cdots A_s$ and $M_1 \cdots M_\ell$, gives $T$; CTR with $E_K$ then produces $C_1 \cdots C_\ell$ and a final block $C_{\ell+1}$ carrying the encrypted tag.

25 / 43


CCM – Properties

+ Needs no DK (decryption)

26 / 43

GCM (diagram; reconstructed from its labels): EtM with CTR and a Carter-Wegman MAC, the polynomial hash GHASH in the "Galois field" $\mathbb{F}_{2^{128}}$. One $E_K$ call yields the hash key $H$; CTR with $E_K$ turns $M_1 \cdots M_\ell$ into $C_1 \cdots C_\ell$; the blocks $A_1 \cdots A_s$, $C_1 \cdots C_\ell$ and the length block $\ell \| s$ are absorbed by a chain of $\oplus$ and $\times H$ steps (Horner's rule), and the result is masked with one more $E_K$ output to give $T$.

27 / 43


GCM – Properties

+ Fast

$E_K$ calls parallelizable

one block cipher call per block

28 / 43
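GHASH and the tag computation of slide 27, written out as an added example that is not part of the original slides. It implements multiplication in $\mathbb{F}_{2^{128}}$ with GCM's bit ordering and checks the result against test case 2 of the GCM specification (AES-128, all-zero key, 96-bit zero IV, one zero plaintext block); the values $H = E_K(0)$ and $E_K(J_0)$ are copied from that published vector rather than computed, so no AES implementation is needed and nothing else is assumed.

```python
from binascii import unhexlify

R = 0xE1 << 120   # reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit order


def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128) as specified for GCM (NIST SP 800-38D, Algorithm 1).
    Blocks are 128-bit integers read big-endian; GCM's 'bit 0' is the most
    significant bit, so the multiplicative identity is 1 << 127."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH_H(A, C): Horner evaluation of the polynomial whose coefficients are
    the zero-padded blocks of A, then of C, then len(A) || len(C) in bits:
    the chain of 'xor, then x H' steps of slide 27."""
    y = 0
    for blk in _blocks(a):
        y = gf_mul(y ^ blk, h)
    for blk in _blocks(c):
        y = gf_mul(y ^ blk, h)
    length_block = ((len(a) * 8) << 64) | (len(c) * 8)
    return gf_mul(y ^ length_block, h)


def gcm_tag(h: int, ek_j0: int, a: bytes, c: bytes) -> bytes:
    """T = GHASH_H(A, C) xor E_K(J0): the Carter-Wegman MAC, masked by one
    extra block cipher output (the right-most E_K on slide 27)."""
    return (ghash(h, a, c) ^ ek_j0).to_bytes(16, "big")


# Known-answer values from test case 2 of the GCM specification (AES-128, zero key,
# zero 96-bit IV, one zero plaintext block). H and E_K(J0) are copied, not computed.
H = int("66e94bd4ef8a2c3b884cfa59ca342b2e", 16)
EK_J0 = int("58e2fccefa7e3061367f1d57a4e7455a", 16)
C = unhexlify("0388dace60b6a392f328c2b971b2fe78")
EXPECTED_TAG = unhexlify("ab6e47d42cec13bdf53a67b21257bddf")


def known_answer_ok() -> bool:
    return gcm_tag(H, EK_J0, b"", C) == EXPECTED_TAG


def flip_changes_tag() -> bool:
    """Unlike plain CTR (slide 5), a one-bit change to C is caught: GHASH changes."""
    c2 = bytes([C[0] ^ 0x01]) + C[1:]
    return gcm_tag(H, EK_J0, b"", c2) != EXPECTED_TAG


if __name__ == "__main__":
    print(known_answer_ok(), flip_changes_tag())
```

The bit-by-bit loop is the reference form, not the table-driven one real implementations use, but it makes the field arithmetic visible. A caveat that follows directly from the structure: if a nonce is reused, $E_K(J_0)$ is the same for both messages and the two tags XOR to a difference of two GHASH polynomials in $H$, which leaks the hash key; GCM's authenticity rests entirely on nonce-respecting use.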

OCB (diagram; reconstructed from its labels):

$\Delta_0 \leftarrow \mathrm{init}_K(N)$, with per-block offsets $\Delta_1, \Delta_2, \ldots, \Delta_\ell$ and a final offset $\Delta_\$$

$C_i = E_K(M_i \oplus \Delta_i) \oplus \Delta_i$ for $1 \le i \le \ell$ (all blocks independently)

$T = E_K\Big(\bigoplus_{1 \le i \le \ell} M_i \oplus \Delta_\$\Big) \oplus \bigoplus_{1 \le i \le s} E_K(A_i \oplus \tilde{\Delta}_i)$

29 / 43


OCB – Properties

Patented!

Can be used under some conditions, but. . . complicated.

30 / 43

SIV (nonce-misuse resistance):

$T = \mathrm{MAC}_K(A, M)$

use $T$ as IV for $C = E^*_{K'}(M)$

send $T \| C$

for other strong properties

31 / 43
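The SIV construction of slide 31 in code, as an added example that is not part of the original slides. HMAC-SHA256 over a length-prefixed $(A, M)$ replaces the S2V/CMAC function of the real SIV specification and a SHAKE-256 keystream keyed by the synthetic IV replaces CTR mode (both assumptions); the header, message and nonce are constructed. The decryption order is the point: $M$ must be recovered first and released only after the recomputed $T$ matches.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def siv_mac(k_mac: bytes, a: bytes, m: bytes) -> bytes:
    """MAC_K(A, M) with a length prefix so distinct (A, M) pairs cannot collide.
    Assumption: HMAC-SHA256 truncated to 128 bits in place of S2V/CMAC (RFC 5297)."""
    return hmac.new(k_mac, len(a).to_bytes(8, "big") + a + m, hashlib.sha256).digest()[:16]


def stream(k_enc: bytes, iv: bytes, n: int) -> bytes:
    """E*_{K'} driven by the synthetic IV T (assumption: SHAKE-256 keystream as a CTR stand-in)."""
    return hashlib.shake_256(k_enc + iv).digest(n)


def siv_encrypt(k_mac: bytes, k_enc: bytes, a: bytes, m: bytes) -> bytes:
    t = siv_mac(k_mac, a, m)                          # T = MAC_K(A, M), used as IV
    return t + xor(m, stream(k_enc, t, len(m)))       # send T || C


def siv_decrypt(k_mac: bytes, k_enc: bytes, a: bytes, tc: bytes):
    """Decrypt first, then recompute the MAC over the recovered M; M is never
    released before the comparison succeeds."""
    t, c = tc[:16], tc[16:]
    m = xor(c, stream(k_enc, t, len(c)))
    return m if hmac.compare_digest(siv_mac(k_mac, a, m), t) else None


def demo():
    km, ke = secrets.token_bytes(32), secrets.token_bytes(32)
    a, m = b"hdr v1", b"the same message, sent twice"      # constructed
    tc1 = siv_encrypt(km, ke, a, m)
    tc2 = siv_encrypt(km, ke, a, m)
    # With a fresh nonce carried inside A the two encryptions differ, as they should.
    tc3 = siv_encrypt(km, ke, a + secrets.token_bytes(12), m)
    tampered_c = tc1[:16] + bytes([tc1[16] ^ 0x01]) + tc1[17:]
    tampered_t = bytes([tc1[0] ^ 0x01]) + tc1[1:]
    return {
        "roundtrip": siv_decrypt(km, ke, a, tc1) == m,
        "nonce misuse leaks only equality": tc1 == tc2,
        "fresh nonce in A": tc3 != tc1,
        "changed C rejected": siv_decrypt(km, ke, a, tampered_c) is None,
        "changed T rejected": siv_decrypt(km, ke, a, tampered_t) is None,
        "changed A rejected": siv_decrypt(km, ke, b"hdr v2", tc1) is None,
    }
```

Without a nonce SIV is deterministic, so repeating $(A, M)$ reveals only that a repeat happened; a nonce placed in $A$ restores ordinary IND-CPA while a repeated nonce degrades gracefully instead of breaking authenticity, which is the contrast with the GCM caveat. The price is two passes over $M$, so SIV is not an online mode.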

Sponge/duplex-based AE (diagram; reconstructed from its labels): the state is split into a rate part of $r$ bits and a capacity part of $c$ bits that is never output. It is initialised from $K \| N$ (capacity part $0$); the permutation $p$ is applied between absorbing $A_1 \cdots A_s$ and each message block $M_i$, whose XOR with the rate part is output as $C_i$; the tag $T$ is squeezed from the final state.

32 / 43


Release under unverified plaintext

Parallelizable

Fewer block cipher calls per block

Key size = security level

Online, single-pass

Inverse-free

Hardware/software optimization

Lightweight

Cheaper security against side-channel/fault attacks

Simplicity

...

33 / 43

CAESAR – Competition for Authenticated Encryption: Security, Applicability, and Robustness

Co-funded by NIST

Goal: a portfolio of great AEAD designs

Currently ongoing (as of WT 2017/18)

34 / 43


CAESAR – Timeline

35 / 43


CAESAR – Submissions

ACORN ++AE AEGIS AES-CMCC

AES-COBRA AES-COPA AES-CPFB AES-JAMBU

AES-OTR AEZ Artemia Ascon

AVALANCHE Calico CBA CBEAM

CLOC Deoxys ELmD Enchilada

FASER HKC HS1-SIV ICEPOLE

iFeed[AES] Joltik Julius Ketje

Keyak KIASU LAC Marble

McMambo Minalpher MORUS NORX

OCB OMD PAEQ PAES

PANDA π-Cipher POET POLAWIS

PRIMATEs Prøst Raviyoyla Sablier

SCREAM SHELL SILC Silver

STRIBOB Tiaoxin TriviA-ck Wheesht

YAES

36 / 43


Slide 39 shows the candidate list of slide 36 again, now with CLOC and SILC listed jointly as CLOC/SILC.

39 / 43

Slide 41 shows the candidate list once more, with CLOC/SILC listed jointly and COLM in place of AES-COPA.

41 / 43


Summary

42 / 43


Questions

Which are secure? What can go wrong?

(redundancy-only integrity, dependent keys, . . . )

43 / 43
