Attacks only get better: The case of OCB2 (Tetsu Iwata, Nagoya University), presentation slides
  1. Attacks only get better: The case of OCB2
     Tetsu Iwata, Nagoya University
     Real World Crypto 2020, New York, USA, January 8–10, 2020

  2. This talk is based on
     • Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, and Bertram Poettering
     • Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality, CRYPTO 2019
     • Cryptology ePrint Archive: Report 2019/311

  3. [Figure: the Tux penguin image] Image: Larry Ewing, lewing@isc.tamu.edu, created with the GIMP. https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

  4. ECB (Electronic Code Book)
     [Figure: each block M[1], M[2], ..., M[m] is passed through E_K independently, giving C[1], C[2], ..., C[m]]
     • E_K: a block cipher with n-bit blocks
     • M = (M[1], ..., M[m])
     • C = (C[1], ..., C[m])

  5. The ECB Penguin
     [Figure: the Tux image encrypted block by block in ECB mode, with the outline still visible] Image: Larry Ewing, lewing@isc.tamu.edu, created with the GIMP. https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

  6. Issues with ECB
     • M[i] = M[j] ⇒ C[i] = C[j]
     • M = M′ ⇒ C = C′
     • does not provide authenticity, “authenticated encryption”

  7. AE (Authenticated Encryption)
     • Symmetric-key primitive for privacy and authenticity
     • Nonce-based AE [Rog02] (this talk will not consider associated data)
       – nonce: data that is changed for each encryption (counter)
     • Encryption: (K, N, M) ↦ (C, T)
     • Decryption: (K, N, C, T) ↦ M or (K, N, C, T) ↦ ⊥ (authentication error, reject)
     [Figure: the sender computes (C, T) ← Enc_K(N, M) and transmits (N, C, T); the receiver computes M/⊥ ← Dec_K(N, C, T). K: key, N: nonce, M: message, C: ciphertext, T: tag]
     [Rog02] Rogaway. Authenticated-encryption with associated-data. CCS 2002

  8. Examples of AE
     • GCM and CCM (NIST recommendations)
     • 6 schemes in ISO/IEC 19772
     • IETF RFCs include GCM, ChaCha20-Poly1305, ...
     • 6 schemes in the CAESAR final portfolio
     • many schemes in the ongoing NIST lightweight cryptography standardization project

  9. OCB (Offset Code Book)
     • 3 versions, built on a block cipher (e.g., AES, with n = 128)
       – OCB1 by Rogaway et al. at CCS 2001 [RBBK01]
       – OCB2 by Rogaway at ASIACRYPT 2004 [Rog04]
       – OCB3 by Krovetz and Rogaway at FSE 2011 [KR11]
     • Nonce-based AE (with AD) with strong features:
       – fully parallelizable
       – 1 block cipher call to process each n-bit block (rate-1, same as CTR and ECB modes)
       – provable security
     [RBBK01] Rogaway, Bellare, Black, Krovetz. OCB: A block-cipher mode of operation for efficient authenticated encryption. CCS 2001
     [Rog04] Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. ASIACRYPT 2004
     [KR11] Krovetz, Rogaway. The software performance of authenticated-encryption modes. FSE 2011

  10–12. Security Evaluation of OCB
     All versions have been extensively studied:
     • Security proofs for all versions of OCB by Rogaway et al. [RBBK01, Rog04, KR11]
     • Tightness of the security bounds: Ferguson [Fer02], Sun et al. [SWZ12]
     • (Nonce) misuse attacks: Andreeva et al. [ABLMMY14], Ashur et al. [ADL17]
     • Necessity of SPRP: Aoki and Yasuda [AY13]
     • Bound improvement (for OCB3): Bhaumik and Nandi [BN17]
     No weakness known, the security is very well understood?
     [Fer02] Ferguson. Collision attacks on OCB. Comments to NIST, 2002
     [SWZ12] Sun, Wang, Zhang. Collision attacks on variant of OCB mode and its series. Inscrypt 2012
     [ABLMMY14] Andreeva, Bogdanov, Luykx, Mennink, Mouha, Yasuda. How to securely release unverified plaintext in authenticated encryption. ASIACRYPT 2014
     [ADL17] Ashur, Dunkelman, Luykx. Boosting authenticated encryption robustness with minimal modifications. CRYPTO 2017
     [AY13] Aoki, Yasuda. The security of the OCB mode of operation without the SPRP assumption. ProvSec 2013
     [BN17] Bhaumik, Nandi. Improved security for OCB3. ASIACRYPT 2017

  13. Our Results
     Structural weakness of OCB2
     • Independent of the underlying block cipher (and its block size)
     • has been overlooked for about 15 years
     Attacks
     • Authenticity attacks (existential and universal forgeries)
     • Privacy attacks (distinguishing attack and plaintext recovery)
     • All attacks have very small complexity & the success probability is (almost) one

  14. Practical Impacts
     • OCB2 was one of the six algorithms in ISO/IEC 19772
       – ISO/IEC declared a plan for removal of OCB2 from the international standard
     • SJCL JavaScript crypto library implements OCB2
       – Users may be affected, though it is hard to see the real impact
       – Fixing crypto is not easy, time-consuming
     • Joplin, a multi-platform application for taking notes
       – uses OCB2 through SJCL
       – decided to wait for the decision by the SJCL team
     http://bitwiseshiftleft.github.io/sjcl/
     https://joplinapp.org/
     https://github.com/laurent22/joplin/issues/943

  15–17. Technical Details of OCB2
     • Encryption: (N, M) ↦ (C, T), ECB mode with masks generated from L = E_K(N)
       – 2a is doubling of a over GF(2^n), 3a = 2a ⊕ a
       – M[m] is encrypted in CTR mode
       – len(X) is an n-bit encoding of |X|
     • The checksum is Σ = M[1] ⊕ ··· ⊕ M[m]
     [Figure: OCB2 encryption. L = E_K(N); blocks M[1], M[2], ..., M[m−1] pass through E_K with the masks 2L, 2^2 L, ..., 2^(m−1) L XORed on both input and output, giving C[1], ..., C[m−1]; the last block is C[m] = M[m] ⊕ E_K(len(M[m]) ⊕ 2^m L); the tag is T = E_K(Σ ⊕ 2^m·3L)]

  18. Technical Details of OCB2
     • Decryption: (N, C, T) ↦ M/⊥
     [Figure: OCB2 decryption. L = E_K(N); C[1], ..., C[m−1] pass through E_K^(−1) with the masks 2L, 2^2 L, ..., 2^(m−1) L on input and output; M[m] = C[m] ⊕ E_K(len(C[m]) ⊕ 2^m L); T* = E_K(Σ ⊕ 2^m·3L) is compared with T, and M is output only if T* = T]
     • Theorem [Rog04]
       – (C, T) ≈ random string (privacy)
       – forgery is not possible (authenticity)
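The encryption and decryption of slides 15–18, as an added Python example that is not code from the talk or the paper: it shows the GF(2^128) doubling that produces the masks 2L, 2^2 L, ..., 2^m L and 2^m·3L, the masked-ECB processing of M[1..m−1], the CTR-style last block, the checksum Σ and the tag check. It assumes full-block messages with m ≥ 1 and, because the slides stress that the structure is independent of the block cipher, stands in a toy Feistel permutation for AES as E_K (an assumption, not part of OCB2).

```python
import hashlib, hmac

MASK128 = (1 << 128) - 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def double(a: bytes) -> bytes:  # 2a: multiply by x in GF(2^128), polynomial x^128+x^7+x^2+x+1
    v = int.from_bytes(a, "big") << 1
    return ((v & MASK128) ^ (0x87 if v >> 128 else 0)).to_bytes(16, "big")

def times3(a: bytes) -> bytes:  # 3a = 2a ⊕ a
    return xor(double(a), a)

def length_block(x: bytes) -> bytes:  # len(X): n-bit encoding of |X| in bits
    return (8 * len(x)).to_bytes(16, "big")

# Toy 128-bit keyed Feistel permutation standing in for E_K (assumed placeholder, not a real cipher)
def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def E(key, block): return _feistel(key, block, range(4))          # E_K
def D(key, block): return _feistel(key, block, range(3, -1, -1))  # E_K^(-1)

def ocb2_encrypt(key: bytes, nonce: bytes, msg: bytes):
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)]  # M[1..m], full blocks only
    delta, checksum, ct = E(key, nonce), bytes(16), []        # L = E_K(N)
    for i, mb in enumerate(blocks, 1):
        delta = double(delta)                                 # 2^i L
        checksum = xor(checksum, mb)                          # Σ = M[1] ⊕ ... ⊕ M[m]
        if i < len(blocks):
            ct.append(xor(E(key, xor(mb, delta)), delta))     # ECB with masks on input and output
        else:
            ct.append(xor(mb, E(key, xor(length_block(mb), delta))))  # M[m] in CTR mode
    return b"".join(ct), E(key, xor(checksum, times3(delta)))  # T = E_K(Σ ⊕ 2^m·3L)

def ocb2_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    delta, checksum, pt = E(key, nonce), bytes(16), []
    for i, cb in enumerate(blocks, 1):
        delta = double(delta)
        if i < len(blocks):
            mb = xor(D(key, xor(cb, delta)), delta)            # E_K^(-1) with masks
        else:
            mb = xor(cb, E(key, xor(length_block(cb), delta)))  # last block: same pad as encryption
        checksum, pt = xor(checksum, mb), pt + [mb]
    if not hmac.compare_digest(E(key, xor(checksum, times3(delta))), tag):
        return None                                           # ⊥: T* ≠ T, reject
    return b"".join(pt)
```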

  19–20. Minimal Forgery [IM18] (Existential Forgery)
     [Figure: the adversary obtains (C, T) ← Enc_K(N, M) for a chosen M, then submits (N, C′, T′), which is accepted and decrypts to M′ = 2L ⊕ len(0^n)]
     [IM18] Inoue, Minematsu. Cryptanalysis of OCB2. IACR ePrint 2018/1040

  21. Minimal Forgery [IM18] (For Experts)
     • Encrypt (N, M) to obtain (C[1], C[2], T), where M = (len(0^n), M[2]) and |M[2]| = n
     [Figure: the two-block OCB2 encryption with M[1] = len(0^n) and len(M[2]) = len(0^n); L = E_K(N), mask 2L on the first block, 2^2 L on the length block, and 2^2·3L on the input to the tag computation]
