cipher techniques
play

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 - PowerPoint PPT Presentation

Feb 02, 2024 •484 likes •1.79k views

Cipher Techniques Chapter 12 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-1 Overview Problems What can go wrong if you naively use ciphers Cipher types Stream or block ciphers? Networks Link vs

  1. Block Ciphers • Encipher, decipher multiple bits at once • Each block enciphered independently • Problem: identical plaintext blocks produce identical ciphertext blocks • Plaintext image: • Ciphertext image: Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-26

  2. Solutions • Insert information about block’s position into the plaintext block, then encipher • Cipher block chaining : • Exclusive-or current plaintext block with previous ciphertext block: • c 0 = E k ( m 0 Å I ) • c i = E k ( m i Å c i –1 ) for i > 0 where I is the initialization vector • Example encipherment of image on previous slide: Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-27

  3. Multiple Encryption • Double encipherment: c = E k ¢ ( E k ( m )) • Effective key length is 2 n , if k , k ¢ are length n • Problem: breaking it requires 2 n +1 encryptions, not 2 2 n encryptions • Triple encipherment: • EDE (Encrypt-Decrypt-Encrypt) mode: c = E k ( D k ¢ ( E k ( m )) • Problem: chosen plaintext attack takes O(2 n ) time using 2 n ciphertexts • Triple encryption mode: c = E k ( E k ¢ ( E k ¢¢ ( m )) • Best attack (p chosen plaintexts) requires O(2 n+1 p + 2 h+b +1 /p ) time, O(2 n /p) memory Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-28

  4. Authenticated Encryption • Transforms message providing confidentiality, integrity, authentication simultaneously • May be associated data that is not to be encrypted • Called Authenticated Encryption with Associated Data (AEAD) • Two examples: • Counter with CBC-MAC (CCM) • Galois Counter Mode (GCM) • message is part to be encrypted; associated data is part not to be encrypted • Both are authenticated and integrity-checked; if omitted, treat as having length 0 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-29

  5. Counter with CBC-MAC Mode (CCM) • Defined for block ciphers with block size 1287 (like AES) • Parameters: • L A size of authentication field (may be 4,6,8,10,12,14,16 octets) • L M size of message length (may take up between 2 and 8 octets) • nonce of 15 – L M octets • Notation: k key, n nonce, M message, A associated data • Three phases Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-30

  6. CCM Phase 1 • Compute authentication field T • Prepend set of blocks B i to message; first block B 0 has message info: • Octet 0 has flags • Bits 0-2: L M – 1 • Bits 3-5: ( L A – 2) / 2 • Bit 6: 1 if there is associated data, 0 otherwise • Bit 7: reserved, set to 0 • Octets 1 . . . 15 – L M : nonce • Octets 16 – L M . . . 15: length of message in octets Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-31

  7. CCM Phase 1 • Next octets contain information about length L A : • 0 < L A < 2 16 – 2 8 : first 2 octets contain L A • 2 16 – 2 8 ≤ L A < 2 32 : first 2 octets 0xff , 0xfe , next 4 octets contain L A • 2 32 ≤ L A < 2 64 : first 2 octets both 0xff, next 6 octets contain L A • Block B 0 , these octets prepended to associated data A; split this into 16-octet blocks, with 0 padding if needed • Append message, split into 16-octet blocks, with 0 padding if needed • This gives B 0 . . . B m Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-32

  8. CCM Phase 1 • Compute CBC-MAC of B 0 . . . B m x 1 = E k ( B 0 ) x i +1 = E k ( x i ⊕ B i ) for i = 1, . . ., m • Authentication field T is first L A blocks of x m +1 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-33

  9. CCM Phase 2 • This enciphers the message using counter mode • A i block with the following: • Octet 0 contains flags • Bits 0-2: contains L M – 1 • Bits 3-7: set to 0 • Octets 1 . . . 15 – L M : contain nonce • Octets 16 – L M . . . 15: contain i th counter’s value • Key blocks S i = E k ( A i ) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-34

  10. CCM Phases 2 and 3 Phase 2: • Encrypt message with blocks M 1 . . . M z : for i = 1, . . . , z , C i = M i ⊕ S i • Let s A be first L A bytes of S0 • Compute authentication value U = T ⊕ s A Phase 3: • Sender constructs C = C 1 . . . C z and sends C || U Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-35

  11. CCM Decryption • Decryption and validation: simply reverse process • Important requirement: if validation fails, recipient must only reveal that computed T is incorrect • Must not reveal the incorrect value, or any part of decrypted message Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-36

  12. Galois Counter Mode (GCM) • Can be implemented efficiently in hardware • If encrypted, authenticated message is changed, new authentication value can be computed with cost proportional to number of changed bits • Allows nonce (initialization vector) of any length • Parameters • nonce IV up to 2 64 bits; 96 bits recommended for efficiency reasons • message M up to 2 39 – 2 8 bits long; ciphertext C same length • associated data A up to 2 64 bits long Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-37

  13. GCM Notation • Authentication value T is t bits long • M = M 0 . . . M n , each block 128 bits long • M n may not be complete block; call its length u bits • C = C 0 . . . C n , each block 128 bits long; C is L C bits long • Number of bits in C is the same as number of bits in M • A = A 0 . . . A m , each block 128 bits long; A is L A bits long • A m may not be complete block; call its length v bits • 0 x , 1 y mean x bits of 0 and y bits of 1, respectively Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-38

  14. Multiplication in GF(2 128 ) • This is written Z = X · Y /* multiply X and Y to produce Z in GF (2128 ) */ • Y i is i th leftmost bit of function GFmultiply(X, Y: integer ) Y , so Y 127 is the begin rightmost bit of Y Z := 0 • rightshift( V , 1) means V := X; to shift V right 1 bit, for i := 0 to 127 do begin and bring in 0 from = 1 then Z := Z ⊕ V; if Y i the left V = rightshift(V, 1); • R is bits 11100001 if V 127 = 1 then V := V ⊕ R; followed by 120 0 bits end return Z; end Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-39

  15. GCM Hash Function GHASH( H , A , C ) computed as follows: 1. X 0 = 0 2. for i = 1, . . ., m –1, X i = ( X i –1 ⊕ A i ) · H 3. X m = ( X m –1 ⊕ A m ) · H • A m is right-padded with 0s if not a complete block 4. for i = m +1, . . ., m + n –1, X i = ( X i –1 ⊕ C i ) · H 5. X m + n = ( X m + n –1 ⊕ C n ) · H • C n is right-padded with 0s if not a complete block 6. X m + n +1 = ( X m + n ⊕ ( L A || L C )) · H • L A , L C left-padded with 0 bits to form 64 bits each Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-40

  16. GCM Authenticated Encryption This computes C and T : 1. H = E k (0 128 ) 2. If IV is 96 bits, Y 0 = IV || 0 31 1; otherwise, Y 0 = GHASH( H , ! , IV ) • ! empty string 3. for i = 1, . . . n , I i = I i -1 + 1 mod 2 32 ; set Y i = L i -1 || I i • I i -1 right part of Y i -1 ; treat it as unsigned 32 bit integer; L i -1 left part of Y i -1 4. for i = 1, . . . n –1, C i = M i + E k ( Y i ) 5. C n = M n + MSB u ( E k ( Y n )) • MSB u ( X ) is u most significant (leftmost) bits of X 6. T = MSB t (GHASH( H , A , C ) + E k ( Y 0 )) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-41

  17. GCM Transmission and Decryption • Send C , T • To verify, perform steps 1, 2, 6, 3, 4, 5 • When authentication value is computed, compare to sent value • Note this is done before decrypting the message • If they do not match, return failure and discard messages Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-42

  18. GCM Analysis Strength depends on certain properties • If IV (nonce) reused, part of H can be obtained • If length of authentication value too short, forgeries can occur and from that, H can be determined (enabling undetectable forgeries) • Under study is whether particular values of H make forging messages easier • Restricting length of IV to 96 bits produces a stronger AEAD cipher than when the length is not restricted Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-43

  19. Networks and Cryptography • ISO/OSI model • Conceptually, each host communicates with peer at each layer Application Application Presentation Presentation Session Session Transport Transport Network Network Network Data Link Data Link Data Link Physical Physical Physical Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 12-44

  20. Link and End-to-End Protocols Link Protocol End-to-End (or E2E) Protocol Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-45

  21. Encryption • Link encryption • Each host enciphers message so host at “next hop” can read it • Message can be read at intermediate hosts • End-to-end encryption • Host enciphers message so host at other end of communication can read it • Message cannot be read at intermediate hosts Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-46

  22. Examples • SSH protocol • Messages between client, server are enciphered, and encipherment, decipherment occur only at these hosts • End-to-end protocol • PPP Encryption Control Protocol • Host gets message, deciphers it • Figures out where to forward it • Enciphers it in appropriate key and forwards it • Link protocol Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-47

  23. Cryptographic Considerations • Link encryption • Each host shares key with neighbor • Can be set on per-host or per-host-pair basis • Windsor, stripe, seaview each have own keys • One key for (windsor, stripe); one for (stripe, seaview); one for (windsor, seaview) • End-to-end • Each host shares key with destination • Can be set on per-host or per-host-pair basis • Message cannot be read at intermediate nodes Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-48

  24. Traffic Analysis • Link encryption • Can protect headers of packets • Possible to hide source and destination • Note: may be able to deduce this from traffic flows • End-to-end encryption • Cannot hide packet headers • Intermediate nodes need to route packet • Attacker can read source, destination Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-49

  25. Example Protocols • Securing Electronic Mail (OpenPGP, PEM) • Applications layer protocol • Start with PEM as goals, design described in detail; then lool at OpenPGP • Securing Instant Messaging (Signal) • Applications layer protocol • Secure Socket Layer (TLS) • Transport layer protocol • IP Security (IPSec) • Network layer protocol Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-50

  26. How Email Works User UA UA UA Agents Message MTA MTA MTA Transfer Agents Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-51

  27. Goals of PEM 1. Confidentiality Only sender and recipient(s) can read message • 2. Origin authentication Identify the sender precisely • 3. Data integrity Any changes in message are easy to detect • 4. Non-repudiation of origin Whenever possible … • Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-52

  28. Design Principles • Do not change related existing protocols • Cannot alter SMTP • Do not change existing software • Need compatibility with existing software • Make use of PEM optional • Available if desired, but email still works without them • Some recipients may use it, others not • Enable communication without prearrangement • Out-of-bands authentication, key exchange problematic Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-53

  29. Basic Design: Keys • Two keys • Interchange keys tied to sender, recipients and is static (for some set of messages) • Like a public/private key pair (indeed, may be a public/private key pair) • Must be available before messages sent • Data exchange keys generated for each message • Like a session key, session being the message Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-54

  30. Basic Design: Sending Confidentiality • m message • k s data exchange key • k B Bob’s interchange key { m } k s || { k s } k B Alice Bob Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-55

  31. Basic Design: Integrity Integrity and authentication: • m message • h ( m ) hash of message m —Message Integrity Check (MIC) • k A Alice’s interchange key m { h ( m ) } k A Alice Bob Non-repudiation: if k A is Alice’s private key, this establishes that Alice’s private key was used to sign the message Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-56

  32. Basic Design: Everything Confidentiality, integrity, authentication: • Notations as in previous slides • If k A is Alice’s private key, get non-repudiation too { m } k s || { h ( m ) } k A || { k s } k B Alice Bob Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-57

  33. Practical Considerations • Limits of SMTP • Only ASCII characters, limited length lines • Use encoding procedure 1. Map local char representation into canonical format – Format meets SMTP requirements 2. Compute and encipher MIC over the canonical format; encipher message if needed 3. Map each 6 bits of result into a character; insert newline after every 64th character 4. Add delimiters around this ASCII message Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-58

  34. Problem • Recipient without PEM-compliant software cannot read it • If only integrity and authentication used, should be able to read it • Mode MIC-CLEAR allows this • Skip step 3 in encoding procedure • Problem: some MTAs add blank lines, delete trailing white space, or change end of line character • Result: PEM-compliant software reports integrity failure Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-59

  35. PEM vs. OpenPGP • Use different ciphers • PGP allows several ciphers • Public key: RSA, El Gamal, DSA, Diffie-Hellman, Elliptic curve • Symmetric key: IDEA, Triple DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish-256 • Hash algorithms: MD5, SHA-1, RIPE-MD/160, SHA256, SHA384, SHA512, SHA224 • PEM allows RSA as public key algorithm, DES in CBC mode to encipher messages, MD2, MD5 as hash functions • Use different certificate models • PGP uses general “web of trust” • PEM uses hierarchical certification structure • Handle end of line differently • PGP remaps end of line if message tagged “text”, but leaves them alone if message tagged “binary” • PEM always remaps end of line Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-60

  36. Signal: Instant Messaging • Provides confidentiality, authentication, integrity, perfect forward secrecy • Three steps: • Client registers with messaging server • Two clients set up a session • They exchange messages Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-61

  37. Client Keys • Long-term identity key pair IK • Curve25519 key generated when client program is installed • Medium-term signed pre-key pair SPK • Also a Curve25519 key generated when client program is installed • Change periodically • Ephemeral one-time pre-key pair OPK • Also a Curve25519 key selected from a list generated when client program is installed; when the list is used up, another list is generated Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-62

  38. Session Keys • message key : 80-byte key used to encrypt messages • 32-byte key for AES-256 encryption • 32-byte key for HMAC-SHA256 cryptographic checksum • 16-byte initialization vector • chain key : 32-byte value used to generate message keys • root key : 32-byte value used to generate chain keys Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-63

  39. Cryptographic Functions Symmetric key generation: • Use HMAC-SHA256 • Use a 2-stage HMAC-based key derivation function First stage: • s a non-secret salt; if omitted, use 0; x is other material, k is key: k = HMAC_SHA256( s , x ) Second stage: • info string of characters like “WhisperGroup”, L number of octets to produce • T (0) = “” (empty string), T ( i ) = HMAC_SHA256( k , T ( i – 1) || info || i ) • Compute to L octets HDKF_Extend( k , info ) = T (1) || T (2) || . . . • First L octets are the result, HDKF( s , x ) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-64

  40. Notation • W is signal message server • k pub ,A is A’s public key, k priv ,A is A’s private key • ECDH is elliptic curve Diffie-Hellman • Alice wishes to communicate with Bob Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-65

  41. Registration Step • Alice signs her public key SPK pub ,Alice : SSPK Alice = { SPK pub ,Alice } IK priv ,Alice • She sends her pre-key bundle : { IK pub ,Alice || SPK pub ,Alice || SSPK Alice || OPK pub ,Alice,1 || Alice W OPK pub ,Alice,2 || . . . } where OPK pub ,Alice,1 , OPK pub ,Alice,2 , . . . are the ephemeral one-time pre-key public keys • Bob also must register Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-66

  42. Session Setup and Initial Message • Alice requests Bob’s pre-key bundle from W • W sends it; note only 1 ephemeral one-time pre-key public key is included • If Bob’s one-time pre-keys are all used, no such keys included message requesting Bob’s pre-key bundle Alice W { IK pub ,Bob || SPK pub ,Bob || SSPK Bob || OPK pub ,Bob, I } Alice W Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-67

  43. Session Setup and Initial Message • Alice verifies SSPK Bob is the signature for SPK pub ,Bob • If it isn’t, setup stops • Alice generates another ephemeral key pair EK • It’s another Curve25519 key pair • Alice now computes a master secret ms : ms = ECDH( IK priv ,Alice , SPK pub ,Bob ) || ECDH( EK priv ,Alice , IK pub ,Bob ) || ECDH( EK priv ,Alice , SPK pub ,Bob ) || ECDH( EK priv ,Alice , OPK pub ,Bob ,i ) • If OPK pub ,Bob ,i not sent, omit last encryption • Alice deletes EK priv ,Alice , all intermediate values used to compute ms Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-68

  44. Session Setup and Initial Message • Alice computes HDKF( c 0 , c 1 || ms ) • c 0 is 256 0 bits and c 1 is 256 1 bits • First 32 bits are root key k r , next 32 bits are first chain key k c ,1 • Alice creates associated data A = IK pub ,Alice || IK pub ,Bob • May also append additional information Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-69

  45. Sending Messages • Alice creates message key k m = HMAC_SHA256( k c ,1 , 1) • Alice encrypts message using AEAD scheme with AES-256 in CBC mode for encryption and HMAC_SHA256 for authentication • Call result C { IK pub ,Alice || EK pub ,Alice || pre-key indicator || C } Alice Bob • EK pub ,Alice is a new ephemeral Curve25519 public key • pre-key indicator indicates to Bob which of his ephemeral one-time pre-keys was used Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-70

  46. Sending Messages • Bob receives message • Bob computes master secret ms analogously to Alice, but using his private keys and Alice’s public keys • After, Bob deletes ( OPK pub ,Bob, I , OPK priv ,Bob, i ) • Bob computes the root and chain keys • All information to do this is in what Alice sent him, so can do it offline • Now they begin to exchange messages Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-71

  47. Sending Messages • When Alice sends messages before receiving Bob’s reply to any, uses a hash ratchet to change message key for each message: k m , i +1 = HMAC_SHA256( k c , i , 1) k c , i +1 = HMAC_SHA256( k c , i , 2) • When Alice receives a reply from Bob, she computes new chain, root key: x = HKDF( k r , ECDH( EK pub ,Bob , EK priv ,Alice )) where EK pub ,Bob in received message, EK priv ,Alice private key associated with EK pub ,Alice that Alice sent in message Bob is replying to • First 32 octets are new chain key, next 32 octets new root key Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-72

  48. Signal Protocol Use • Much of the manipulation is to provide perfect forward secrecy • So previously sent messages remain secret if current keys are discovered • Signal widely used in instant messaging services like Signal and WhatsApp Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-73

  49. Transport Layer Security • Internet protocol: TLS • Provides confidentiality, integrity, authentication of endpoints • Focus on version 1.2 • Old Internet protocol: SSL • Developed by Netscape for WWW browsers and servers • Use is deprecated Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-74

  50. TLS Session • Association between two peers • May have many associated connections • Information related to session for each peer: • Unique session identifier • Peer’s X.509v3 certificate, if needed • Compression method • Cipher spec for cipher and MAC • “Master secret” of 48 bits shared with peer • Flag indicating whether this session can be used to start new conncetion Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-75

  51. TLS Connection • Describes how data exchanged with peer • Information for each connection • Whether a server or client • Random data for server and client • Write keys (used to encipher data) • Write MAC key (used to compute MAC) • Initialization vectors for ciphers, if needed • Sequence numbers for server, client Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-76

  52. Structure of TLS TLS Alert TLS Application TLS Heartbeat Protocol Data Protocol Extension TLS Handshake TLS Change Cipher Protocol Spec Protocol TLS Record Protocol Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-77

  53. Supporting Cryptogrphy • All parts of TLS use them • Initial phase: public key system exchanges keys • Messages enciphered using classical ciphers, checksummed using cryptographic checksums • Only certain combinations allowed • Depends on algorithm for interchange cipher • Interchange algorithms: RSA, Diffie-Hellman Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-78

  54. Diffie-Hellman: Types • Diffie-Hellman: certificate contains D-H parameters, signed by a CA • DSS or RSA algorithms used to sign • Ephemeral Diffie-Hellman: DSS or RSA certificate used to sign D-H parameters • Parameters not reused, so not in certificate • Anonymous Diffie-Hellman: D-H with neither party authenticated • Use is “strongly discouraged” as it is vulnerable to attacks • Elliptic curve Diffie-Hellman supports Diffie-Hellman and ephemeral Diffie-Hellman • But not anonymous Diffie-Hellman Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-79

  55. Derivation of Master Secret • master_secret = PRF ( premaster , “master secret”, r 1 || r 2 ) • premaster set by client, ˚sent to server during setup • r 1 , r 2 random numbers from client, server respectively • PRF ( secret , label , seed ) = P_ hash ( secret , label || seed ) • P_ hash ( secret , seed ) = HMAC_ hash ( secret || A (1) || seed ) || HMAC_ hash ( secret || A (2) || seed ) || HMAC_ hash ( secret || A (3) || seed ) || … • Use first 48 bits of output to set PRF • A (0) = seed , A ( i ) = HMAC_ hash ( secret , A ( i -1)) for i > 0 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-80

  56. Derivation of Keys • key_block = PRF( master , “key expansion”, r 1 || r 2 ) • r 1 , r 2 as before • Break it into blocks of 48 bits • First two are client, server keys for computing MACs • Next two are client, server keys used to encipher messages • Next two are client, server initialization vectors • Omitted if cipher does not use initialization vector Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-81

  57. MAC for Block hash ( MAC_ws , seq || TLS_comp || TLS_vers || TLS_len || block ) • MAC_ws : MAC write key • seq : sequence number of block • TLS_comp : message type • TLS_vers : TLS version • TLS_len : length of block • block : block being sent Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-82

  58. SSL Record Layer Message Compressed blocks MAC Compressed blocks, enciphered, with MAC Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-83

  59. Record Protocol Overview • Lowest layer, taking messages from higher • Max block size 2 14 = 16,384 bytes • Bigger messages split into multiple blocks • Construction • Block b compressed; call it b c • MAC computed for b c • If MAC key not selected, no MAC computed • b c , MAC enciphered • If enciphering key not selected, no enciphering done • TLS record header prepended Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-84

  60. TLS Handshake Protocol • Used to initiate connection • Sets up parameters for record protocol • 4 rounds • Upper layer protocol • Invokes Record Protocol • Note: what follows assumes client, server using RSA as interchange cryptosystem Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-85

  61. Overview of Rounds 1. Create TLS connection between client, server 2. Server authenticates itself 3. Client validates server, begins key exchange 4. Acknowledgments all around Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-86

  62. Handshake Round 1 { v C || r 1 || s 1 || ciphers || comps || ext C } Server 1. Client { v || r 2 || s 2 || cipher || comp || ext } Server 2. Client v C Client’s version of SSL v Highest version of SSL that client, server both understand r 1 , r 2 nonces (timestamp and 28 random bytes) s 1 Current session id (empty if new session) s 2 Current session id (if s 1 empty, new session id) ciphers Ciphers that client understands comps Compression algorithms that client understand cipher Cipher to be used comp Compression algorithm to be used ext C List of extensions client supports ext List of extensions server supports (subset of ext C ) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-87

  63. Handshake Round 2 { certificate chain } Server 3. Client { p || g || K S || { h ( r 1 || r 2 || p || g || K S ) } k S } 4. Client Server { ctype || sigalgs || gca } Server 5. Client { server_hello_done } Server 6. Client If server not going to authenticate itself, only last message sent Second step is for Diffie-Hellman with RSA certificate Third step omitted if server does not need client certificate K S , k S Server’s Diffie-Hellman public, private keys ctype Certificate type accepted (by cryptosystem) sigalgs List of hash, signature algorithm pairs server can use gca Acceptable certification authorities Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-88

  64. Handshake Round 3 { client_certificate } Server 7. Client { pre } K S Server 8. Client { hash ( all previous messages ) } k C Server 9. Client pre Premaster secret K S Server’s public key k C Client’s private key Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-89

  65. Handshake Round 4 change_cipher_spec Server 10. Client { PRF ( master || “client finished” || hash ( all previous messages ) } Server 11. Client change_cipher_spec Server 12. Client { PRF ( master || “server finished” || hash ( all previous messages ) } Server 13. Client change_cipher_spec Begin using cipher specified Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-90

  66. TLS Change Cipher Spec Protocol • Send single byte • In handshake, new parameters considered “pending” until this byte received • Old parameters in use, so cannot just switch to new ones Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-91

  67. TLS Alert Protocol • Closure alert • Sender will send no more messages • Pending data delivered; new messages ignored • Error alerts • Warning: connection remains open • Fatal error: connection torn down as soon as sent or received Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-92

  68. TLS Heartbeat Extension • Message has 4 fields • Value indicating message is request • Length of data in message • Data of given length • Random data • Message sent to peer; peer replies with similar message • If second field is too large (> 214 bytes), ignore message • Reply message has same data peer sent, new random data • When peer sends this for the first time, it sends nothing more until a response is received Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-93

  69. TLS Application Data Protocol • Passes data from application to TLS Record Protocol layer Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-94

  70. Differences Between TLSv2 and SSLv3 • Master secret computed differently master = MD5( premaster || SHA(‘A’ || premaster || r 1 || r 2 ) || MD5( premaster || SHA(‘BB’ || premaster || r 1 || r 2 ) || MD5( premaster || SHA(‘CCC’ || premaster || r 1 || r 2 ) • Key block also computed differently key_block = MD5( master || SHA(‘A’ || master || r 1 || r 2 ) || MD5( master || SHA(‘BB’ || master || r 1 || r 2 ) || MD5( master || SHA(‘CCC’ || master || r 1 || r 2 ) || . . . Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-95

  71. Differences Between TLSv2 and SSLv3 MAC for each block computed differently: hash ( MAC_ws || opad || hash( MAC_ws || ipad || seq || SSL_comp || SSL_len || block )) • hash : hash function used • MAC__ws , seq , SSL_comp , SSL_len , block : as for TLS (with obvious changes) • ipad, opad : as for HMAC Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-96

  72. Differences Between TLSv2 and SSLv3 • Verification message (9, above) is different: { hash ( master || opad || hash ( all previous messages || master || ipad )) } 9’. Client Server • Messages after change cipher spec (11, 13 above) are also different: { hash ( master || opad || hash ( all previous messages || 0x434C4E54 || master || ipad )) } 11’. Client Server { hash ( master || opad || hash ( all previous messages || 0x53525652 || master || ipad )) } 13’. Client Server Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-97

  73. Differences Between TLSv2 and SSLv3 • Different sets of ciphers • SSL allows use of RC4, but its use is deprecated • SSL allows set of ciphers for the Fortezza cryptographic token used by the U.S. Department of Defense Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-98

  74. Problems with SSL • POODLE attack focuses on padding of messages • In SSL, all but the last byte of the padding are random and so cannot be checked • How padding works (assume block size of b ): • Message ends in a full block: add additional block of padding, and last byte is the number of bytes of random padding ( b – 1) • Message ends in part of a block: add random bytes out to last byte, set that to number of random bytes (so if block is b – 1 bytes, one padding byte added and it is 0) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-99

  75. The POODLE Attack • Peer receives incoming ciphertext message c 1 , …, c n • Peer decrypts it to m 1 , …, m n : m i = D k ( c i ) ⊕ c i –1 , where c 0 is initialization vector • Validates by removing padding, computes and checks MAC over remaining bytes • Attacker replaces c n with some earlier block, say c j , j ≠ n • If last byte of c j is same as c n , message accepted as valid; otherwise, rejected • So attacker arranges for HTTP messages to end with known number of padding bytes • Then server should accept changed message in at least 1 out of 256 tries Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 12-100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I &amp; II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user

Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user

Instance Variables The JOptionPane Class The JOptionPane Class displays a dialog for user information and interaction... ... it is part of the javax.swing package and must be imported before you can use it. import

1.12k views • 76 slides
Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen

Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen

Shared Portable Moodle Taking online learning offline to support disadvantaged students Stephen Grono, School of Education sgrono2@une.edu.au University of New England, Armidale @calvinbal Shared Portable Moodle Taking online learning

343 views • 22 slides
polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In

polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In

COMP 250 Lecture 33 type conversion polymorphism (intro only) Class class Nov. 24, 2017 1 Primitive Type Conversion double In COMP 273, you will non-integers learn details of how float number representations long are related to each

823 views • 37 slides
TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier

TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier

TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS Olivier Levillain, Baptiste Gourdin, Herv Debar ANSSI, Sekoia, Tlcom SudParis ASIACCS 2015 Levillain, Gourdin, Debar (ASIACCS) TLS Record Protocol

793 views • 62 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block &amp; stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2

Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2

Top 10 Vulnerabilities in past 5 years. #10 - DROWN Vulnerability in downgrading to SSLv2 Can break encryption of TLS in ~8 hours Requires MITM March 2016 #9 - POODLE Vulnerability in downgrading to SSLv3 Decipher cipher

419 views • 20 slides
Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic

Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic

Representing Knowledge Using Rules Procedural Versus Declarative Knowledge Logic Programming Forward versus Backward Reasoning Matching Control Knowledge Chapter 6

518 views • 10 slides
What is REASONABLE? Discussing the Accommodation Process within the College Environment By:

What is REASONABLE? Discussing the Accommodation Process within the College Environment By:

9/2/2017 What is REASONABLE? Discussing the Accommodation Process within the College Environment By: Tessa DiPerri &amp; Crystal Tenan 1 About Us Tessa DiPerri Tessa DiPerri, is a higher educational professional with experience in

223 views • 11 slides

More recommend