Fast Message Franking: From Invisible Salamanders to Encryptment - PowerPoint PPT Presentation

Fast Message Franking: From Invisible Salamanders to Encryptment Yevgeniy Dodis, Paul Grubbs , Thomas Ristenpart, Joanne Woodage

End-to-end encrypted messaging Message Message Authenticated Authenticated Encryption Encryption Service provider [Frosch et al. 2014] [Frosch et al. 2014] End-to-end security: End-to-end security: [Cohn-Gordon et al. 2016] Provider cannot read or [Cohn-Gordon, Cremers, Garratt 2016] modify messages [Bellare et al. 2017] [Jaeger and Stepanovs 2018] 2

Providers want to help users with abuse !%$#! !%$#! Authenticated Authenticated He said !%$#! Encryption Encryption Service provider End-to-end security: cannot verify “ !%$#! ” cannot verify “ !%$#! ” [Facebook 2016]: was sent • Provide cryptographic proof of message contents when reporting abuse • Called technique message franking [G., Lu, Ristenpart 2017]: • Formalized compactly committing authenticated encryption (ccAE): primitive needed for message franking. 3 • Proved part of FB’s protocol secure

Our contributions Show vulnerability in Facebook’s scheme: invisible salamanders Lower bound on efficiency of ccAE New symmetric-key primitive: encryptment. New symmetric-key primitive: encryptment. Hash-Function-Chaining (HFC): single-pass encryptment construction Generic, fast transform: encryptment + compression function=ccAE 4

Facebook’s message franking protocol C B , T FB C B K B , !%$#! K B , !%$#! Service provider Sender cryptographically commits to message: C = HMAC(K ,M) Sender cryptographically commits to message: C B = HMAC(K B ,M) Encrypt-then-HMAC message along with K B (called the opening) Provider signs C B using HMAC to generate tag T FB (fast because C B short) Receiver decrypts, retrieves K B , and verifies C B 5

Facebook’s message franking protocol C B , T FB C B K B , !%$#! K B , !%$#! K B , !%$#! , C B , T FB Service provider To report abuse, send message as well as K , C , T To report abuse, send message as well as K B , C B , T FB Provider can verify C B , T FB ,convinced that message was “ !%$#! ” Attachments (images, videos) handled differently Is Facebook’s approach secure? [ G LR17]: without attachments, yes This work: with attachments, no! 6

Security goals for message franking C B , T FB C B K B , !%$#! K B , !%$#! K B , !%$#! , C B , T FB Service provider 1) Receiver binding : receiver can’t open a message not sent 2) Sender binding : can’t send a message that can’t be reported 3) End-to-end confidentiality/authenticity for messages not reported 7

Facebook’s attachment franking protocol C B , T FB C B K B , K file K B , K file file file Service provider Sender cryptographically commits to attachment encryption key: C B = HMAC(K B , K file ) Encrypt-then-HMAC file encryption key K file along with K B AES-GCM encrypt attachment: AES-GCM( K file , file ) Receiver decrypts as before to get K file and then decrypts attachment 8

Facebook’s attachment franking protocol C B , T FB C B K B , K file K B , K file file file Service C2 B K B2 , K file2 C2 B ,T2 FB provider K B2 , K file2 file2 file2 file2 file2 K B , K file , C B , T FB K B2 , K file2 , C2 B , T2 FB To report abuse, receiver opens K file and other recent messages Facebook checks openings & decrypts all unique AES-GCM ciphertexts to add them to abuse report 9

Our attack exploits AES-GCM C B , T FB C B K B , K file K B , K file file file Service C2 B K B2 , K file2 C2 B ,T2 FB provider K B2 , K file2 file file file file 3. 3. receiver sees K B , K file , C B , T FB 2. Send ciphertext both K B2 , K file2 , C2 B , T2 FB twice - K file ,K file2 4. Only the innocuous 1. Craft special AES-GCM ciphertext: • Decrypts under K file to innocuous image image appears in report! • (Violates sender binding) Decrypts under K file2 to abuse image 10

Our attack exploits AES-GCM Craft special AES-GCM ciphertext: 1) Decrypts under K file to innocuous image 2) Decrypts under K file2 to abuse image But isn’t AES-GCM a secure authenticated encryption scheme? Yes, but ... this type of attack is not standard attacker gets to choose K file and K file2 GCM uses a universal-hash-based MAC not collision resistant (CR) Our attack violates robustness : can find ciphertext that decrypts under two keys (First robustness attack against real system) [Abdalla, Bellare, Neven 2010] [Farshim et al. 2013] [Farshim et al. 2017] 11

Abusive JPEG seen by receiver, Innocuous BMP but not in abuse report in abuse report Disclosed to Facebook Thanks to Jon Millican for answering questions! Thanks to Jon Millican for answering questions! They fixed by changing report generation logic Awarded us a bug bounty 12

Recall Facebook’s message franking C B , T FB C B K B , !%$#! K B , !%$#! K B , !%$#! , C B , T FB Service provider Commitment + authenticated encryption (AE): Commitment + authenticated encryption (AE): [ G LR] proved secure as ccAE Didn’t use for attachments because too slow • Signal uses AES-CBC then HMAC for AE • Total of 3 passes ( HMAC-Encrypt-HMAC ) Can we make faster ccAE schemes? 13

How do we build faster ccAE? Scheme ccAE? # passes Ideally: ~1 blockcipher call per msg block. Can any secure scheme achieve this? AES-GCM No 1 No! OCB No 1 Thm. Secure ccAE => CR hashing. Encrypt-then-HMAC Encrypt-then-HMAC No 2 Leverage prior impossibility results for CR (distinct keys) hashing from fixed-key blockciphers Encrypt-then-HMAC [Black, Cochran, Shrimpton 2005] Yes 2 (one key) [Rogaway, Steinberger 2008] Facebook HMAC- Yes 3 Encrypt-HMAC No similar ccAE scheme can be secure!

How do we build faster ccAE? New primitive: encryptment Step 1 Hash-Function-Chaining (HFC) scheme “ one-time” ccAE + Encryptment-to-ccAE transform from Simple transforms from Step 2 compression function encryptment to ccAE ccAE in one SHA-256 call

Encryptment: syntax, semantics, security Should be short: e.g. 256 bits EC(K, M) = C 1 , C B encrypts and commits to M DO(K, C 1 ,C B ) = M/ decrypts (C 1 , C B ) and opens to M EVer(M, K , C B ) = 0/1 EVer(M, K , C B ) = 0/1 verifies commitment C B of M verifies commitment C B of M 1. Confidentiality: can’t distinguish ciphertexts from random bits 2. Second-ciphertext unforgeability: can’t forge ciphertexts in particular way 3. Receiver binding: can’t generate K,M pairs that verify for same C B 4. Sender binding: can’t decrypt ciphertext that doesn’t verify properly

The hash-function chaining (HFC) scheme Recall Merkle-Damgard style hash functions (e.g., SHA-256) built in two steps: 1) Specify a compression function f: {0,1} n x {0,1} d -> {0,1} n 2) Iterate f to hash long message (after some suitable padding) M M 1 M M 2 M M 3 M M 4 IV F(M) Constant bit string called initialization vector 17

The hash-function chaining (HFC) scheme The HFC scheme EC (K, M): 1) Prepend message with a block of zeros, XOR key into each block 2) Use chaining variables as encryption pad to compute C 1 3) MD output is the binding tag C B M M 1 M M 2 M M 3 M M 4 IV F(M) 18

The hash-function chaining (HFC) scheme The HFC scheme EC (K, M): 1) Prepend message with a block of zeros, XOR key into each block 2) Use chaining variables as encryption pad to compute C 1 3) MD output is the binding tag C B K ⨁ M K ⨁ M 1 K ⨁ M K ⨁ M 2 K ⨁ M K ⨁ M 3 K K IV F(M) 19

The hash-function chaining (HFC) scheme The HFC scheme EC (K, M): 1) Prepend message with a block of zeros, XOR key into each block 2) Use chaining variables as encryption pad to compute C 1 3) MD output is the binding tag C B K ⨁ M 1 K ⨁ M K ⨁ M K ⨁ M 2 K ⨁ M K ⨁ M 3 K K IV F(M) M 1 M 2 M 3 C a C b C c 20

The hash-function chaining (HFC) scheme The HFC scheme EC (K, M): 1) Prepend message with a block of zeros, XOR key into each block 2) Use chaining variables as encryption pad to compute C 1 3) MD output is the binding tag C B Similar to AE from DO (K, C 1 , C B ) runs MD, recovers message blocks, checks C B [Cogliani et al. ‘10] EVer (K, M, C B ) recomputes, checks C B [Bertoni et al. ‘11] [Bertoni et al. ‘11] K ⨁ M 1 K ⨁ M K ⨁ M K ⨁ M 2 K ⨁ M K ⨁ M 3 K K IV C B M 1 M 2 M 3 EC/DO/EVer require EC/DO/EVer require just one pass of hash C a C b C c function function 21 21

(Fast) Encryptment => (Fast) ccAE Construct fast ccAE from fast encryptment: 2 additional compression function calls 1. Use long-term key K lt K lt 2. Derive encryptment key via 3. MAC the binding tag C B R R K ⨁ M K ⨁ M 1 K ⨁ M K ⨁ M 2 K ⨁ M K ⨁ M 3 K K K K lt IV C B T M 1 M 2 M 3 C a C b C c 22

(Fast) Encryptment => (Fast) ccAE Construct fast ccAE from fast encryptment: 2 additional compression function calls Thm . If EC is a secure encryptment scheme and compression function is PRF, this construction is ccAE Encryptment is useful elsewhere, gives single-pass: - concealments [DH03] - remotely-keyed AE [BFN98] - robust AE [FOR17] See paper for details 23

Conclusion Show vulnerability in Facebook’s scheme: invisible salamanders Lower bound on efficiency of ccAE New symmetric-key primitive: encryptment. New symmetric-key primitive: encryptment. Hash-Function-Chaining (HFC): single-pass encryptment construction Generic, fast transform: encryptment + compression function=ccAE Thanks for listening! Any questions? 24