revisiting mac forgeries weak keys and provable security
play

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo - PowerPoint PPT Presentation

Nov 11, 2023 •383 likes •957 views

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

  1. Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  2. Galois/Counter Mode (GCM) ◮ One design of AEAD by McGrew and Viega in 2005 ◮ Counter Mode (CM) for encryption ◮ Galois MAC (GMAC) for authentication ◮ Polynomial-based MAC ◮ Features ◮ Parallelizable computation ◮ Intel CPU hardware instructions (around 1 cycle/byte) ◮ IEEE 802.1AE, IPsec, and TLS v1.2 ◮ To replace RC4 and AES-CBC in TLS 2 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  3. Galois/Counter Mode (GCM) ◮ One design of AEAD by McGrew and Viega in 2005 ◮ Counter Mode (CM) for encryption ◮ Galois MAC (GMAC) for authentication ◮ Polynomial-based MAC ◮ Features ◮ Parallelizable computation ◮ Intel CPU hardware instructions (around 1 cycle/byte) ◮ IEEE 802.1AE, IPsec, and TLS v1.2 ◮ To replace RC4 and AES-CBC in TLS ◮ Recent attacks ◮ A flaw found in GCM’s security proofs in Crypto’12 ◮ Forgery attacks in FSE’12 and FSE’13 2 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  4. Outline Introduction to Galois/Counter Mode (GCM) All subsets with ≥ 2 authentication keys are weak Turning forgeries into birthday attacks Repairing security bounds and proofs of GCM Attacking MAC-then-Enc GCM Summary 3 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  5. Outline Introduction to Galois/Counter Mode (GCM) All subsets with ≥ 2 authentication keys are weak Turning forgeries into birthday attacks Repairing security bounds and proofs of GCM Attacking MAC-then-Enc GCM Summary 4 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  6. Authentication by Galois MAC (GMAC) Additions and multiplications in GF (2 128 ) ◮ Authentication key: H = E K (0) The image is from Procter and Cid’s slides in FSE’13. 5 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  7. Polynomial Based GHASH ◮ GMAC = GHASH H ( A , C ) + E K ( N ) ◮ N : non-repeating nonce ◮ GHASH-like, polynomial based (keyed) hash m M i × H i = g M ( H ) � h H ( M ) = i =1 ◮ Note: constant term is zero 6 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  8. Encryption in Counter Mode (CM) The image is from Saarinen’s paper in FSE’12. ◮ Initial counter ◮ If len ( N ) = 96, Y 0 = N || 0 32 ◮ If len ( N ) � = 96, Y 0 = GHASH H ( N ) ◮ Consecutive counters Y r +1 = msb 96 ( Y r ) || lsb 32 ( Y r ) ⊞ 1 7 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  9. Outline Introduction to Galois/Counter Mode (GCM) All subsets with ≥ 2 authentication keys are weak Turning forgeries into birthday attacks Repairing security bounds and proofs of GCM Attacking MAC-then-Enc GCM Summary 8 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  10. Forgery Attacks on Polynomial-based MACs ◮ General forgeries by Procter and Cid in FSE’13 ◮ Based on the work by Saarinen in FSE’12 ◮ Attacking the polynomial-based hash functions m M i × H i = g M ( H ) � h H ( M ) = i =1 9 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  11. Forgery Attacks on Polynomial-based MACs ◮ General forgeries by Procter and Cid in FSE’13 ◮ Based on the work by Saarinen in FSE’12 ◮ Attacking the polynomial-based hash functions m M i × H i = g M ( H ) � h H ( M ) = i =1 ◮ If we can find a polynomial f ( x ) ∈ F [ x ] ◮ Constant term is zero ◮ f ( H ) = 0 9 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  12. Forgery Attacks on Polynomial-based MACs ◮ General forgeries by Procter and Cid in FSE’13 ◮ Based on the work by Saarinen in FSE’12 ◮ Attacking the polynomial-based hash functions m M i × H i = g M ( H ) � h H ( M ) = i =1 ◮ If we can find a polynomial f ( x ) ∈ F [ x ] ◮ Constant term is zero ◮ f ( H ) = 0 then h H ( M ⊕ F ) = g M ⊕ F ( H ) = g M ( H ) ⊕ g F ( H ) = g M ( H ) = h H ( M ) 9 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  13. Our Generalized Forgery Attack on GCM-like Modes For GMAC-like MACs, the MAC tag is computed as T = h H ( M ) ⊕ E K ( N ) 10 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  14. Our Generalized Forgery Attack on GCM-like Modes For GMAC-like MACs, the MAC tag is computed as T = h H ( M ) ⊕ E K ( N ) If we find a polynomial q ( x ) = q ∗ ( x ) ⊕ Q 0 ∈ F [ x ] such that ◮ q ( H ) = 0 ◮ Note: constant term Q 0 does NOT need to be zero 10 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  15. Our Generalized Forgery Attack on GCM-like Modes For GMAC-like MACs, the MAC tag is computed as T = h H ( M ) ⊕ E K ( N ) If we find a polynomial q ( x ) = q ∗ ( x ) ⊕ Q 0 ∈ F [ x ] such that ◮ q ( H ) = 0 ◮ Note: constant term Q 0 does NOT need to be zero then T = h H ( M ) ⊕ E k ( N ) ⊕ q ( H ) , 10 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  16. Our Generalized Forgery Attack on GCM-like Modes For GMAC-like MACs, the MAC tag is computed as T = h H ( M ) ⊕ E K ( N ) If we find a polynomial q ( x ) = q ∗ ( x ) ⊕ Q 0 ∈ F [ x ] such that ◮ q ( H ) = 0 ◮ Note: constant term Q 0 does NOT need to be zero then T = h H ( M ) ⊕ E k ( N ) ⊕ q ( H ) , which implies E k ( N ) ⊕ h H ( M ) ⊕ q ∗ ( H ) T ⊕ Q 0 = E k ( N ) ⊕ g M ( H ) ⊕ q ∗ ( H ) = = E k ( N ) ⊕ g M ⊕ Q ∗ ( H ) . So ( N , M ⊕ Q ∗ , T ⊕ Q 0 ) is a successful forgery. 10 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  17. All Subsets with ≥ 2 Auth Keys are Weak ◮ Definition of weak key classes by Handschuh and Preneel ◮ Members of the key class make the algorithm behaves in an unexpected way ◮ e.g., high probability for MAC forgeries ◮ Easy to detect whether a key belongs to the class ◮ e.g., less #queries than #elements of the class 11 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  18. All Subsets with ≥ 2 Auth Keys are Weak ◮ Definition of weak key classes by Handschuh and Preneel ◮ Members of the key class make the algorithm behaves in an unexpected way ◮ e.g., high probability for MAC forgeries ◮ Easy to detect whether a key belongs to the class ◮ e.g., less #queries than #elements of the class ◮ For any subset of authentication keys, we can determine if the used key is in the subset ◮ Try to make a forgery by n � q ( x ) = ( x ⊕ H i ) i =1 and query the verification oracle once 11 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  19. All Subsets with ≥ 2 Auth Keys are Weak ◮ Definition of weak key classes by Handschuh and Preneel ◮ Members of the key class make the algorithm behaves in an unexpected way ◮ e.g., high probability for MAC forgeries ◮ Easy to detect whether a key belongs to the class ◮ e.g., less #queries than #elements of the class ◮ For any subset of authentication keys, we can determine if the used key is in the subset ◮ Try to make a forgery by n � q ( x ) = ( x ⊕ H i ) i =1 and query the verification oracle once ◮ For comparison, the original forgery attack by Procter and Cid ◮ Cannot get rid of 0 by only one query ◮ For | S | ≥ 3, use two queries ◮ For | S | ≥ 2 and 0 ∈ S , use one query 11 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  20. Outline Introduction to Galois/Counter Mode (GCM) All subsets with ≥ 2 authentication keys are weak Turning forgeries into birthday attacks Repairing security bounds and proofs of GCM Attacking MAC-then-Enc GCM Summary 12 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  21. Birthday-bound based Forgery Attacks ◮ Previously mentioned forgery attacks are all trial-and-error ◮ (Perhaps randomly) choose a q ( x ) ◮ Forge a tuple ( N , M , T ) and send it to verification oracle ◮ If fails, try another q ( x ) 13 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  22. Birthday-bound based Forgery Attacks ◮ Previously mentioned forgery attacks are all trial-and-error ◮ (Perhaps randomly) choose a q ( x ) ◮ Forge a tuple ( N , M , T ) and send it to verification oracle ◮ If fails, try another q ( x ) ◮ GCM’s special structure can amplify this probability ◮ GHASH is reused to compute the initial counter number if len ( N ) � = 96. ◮ Previous forgeries also work for this GHASH 13 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  23. Birthday-bound based Forgery Attacks ◮ Previously mentioned forgery attacks are all trial-and-error ◮ (Perhaps randomly) choose a q ( x ) ◮ Forge a tuple ( N , M , T ) and send it to verification oracle ◮ If fails, try another q ( x ) ◮ GCM’s special structure can amplify this probability ◮ GHASH is reused to compute the initial counter number if len ( N ) � = 96. ◮ Previous forgeries also work for this GHASH ◮ New forgery attack 1. Obtain a valid tuple ( N , P , C ) 2. Apply q ( x ) to N , and feed ( N ′ , P ) to the encryption oracle 3. Collect P ⊕ C to a set for collisions 13 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

653 views • 36 slides
On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos

On Weak Keys and Forgery Attacks Against Polynomial-based MAC Schemes Gordon Procter and Carlos Cid Information Security Group, Royal Holloway, University of London Our Contributions 1 Study the underlying algebraic structure of

409 views • 24 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger

Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger

Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, Nadia Heninger University of Pennsylvania Motivation [Mining Your Ps & Qs: Detection of Widespread Weak Keys in Network Devices: Heninger Durumeric Wustrow

358 views • 22 slides
Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to

Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to

Overview Weak entity sets and keys Design principles CS 235: Examples Introduction to Databases Svetlozar Nestorov Lecture Notes #3 CS 235: Intro to DB; S. Nestorov 12 Example: Email Addresses Weak Entity Sets Sometimes an

522 views • 3 slides
Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC

Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC

Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC San Diego Microsoft Research New England Zakir Durumeric Eric Wustrow Alex Halderman University of Michigan January 10, 2012 or

490 views • 46 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Log2fs or how to achieve 150.000 IO/s J orn Engel Lazybastard.org September 24, 2010 J

Log2fs or how to achieve 150.000 IO/s J orn Engel Lazybastard.org September 24, 2010 J

Hardware Compression costs Log2 Advanced Credit Log2fs or how to achieve 150.000 IO/s J orn Engel Lazybastard.org September 24, 2010 J orn Engel Log2fs or how to achieve 150.000 IO/s Hardware Compression costs Log2 Advanced Credit

959 views • 38 slides
Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an

Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an

Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an and Jean-Pierre Hubaux July 2009 Lausanne Preface The problems hereafter have been generated by students participating in the course Security and

480 views • 15 slides
Structural Attacks on Two SHA-3 Candidates: Blender- n and DCH- n Mario Lamberger and Florian

Structural Attacks on Two SHA-3 Candidates: Blender- n and DCH- n Mario Lamberger and Florian

Institute for Applied Information Processing and Communications (IAIK) - Krypto Structural Attacks on Two SHA-3 Candidates: Blender- n and DCH- n Mario Lamberger and Florian Mendel Institute for Applied Information Processing and Communications

623 views • 37 slides
A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and Nicolas Sendrier Part I General Facts about Hash Functions The Merkle-Damg ard construction D Padding + length n n n o o o i i i s s

393 views • 25 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
The Grindahl hash functions Sren S. Thomsen joint work with Lars R. Knudsen Christian

The Grindahl hash functions Sren S. Thomsen joint work with Lars R. Knudsen Christian

Outline Introduction Grindahl Design considerations Concluding remarks The Grindahl hash functions Sren S. Thomsen joint work with Lars R. Knudsen Christian Rechberger Fast Software Encryption March 2628, 2007 Luxembourg 1 / 17

630 views • 26 slides
Ion Neutralization at Metal Surface vac When a ionized atom is projected onto a solid surface,

Ion Neutralization at Metal Surface vac When a ionized atom is projected onto a solid surface,

Ion Neutralization at Metal Surface vac When a ionized atom is projected onto a solid surface, an excited solid-atom system is formed. Conduction band ~ 4.5 eV The Ion-Neutralization process is a process by which the F excited solid-atom

331 views • 5 slides
Counting and sampling algorithms at low temperature New frontiers in approximate counting STOC

Counting and sampling algorithms at low temperature New frontiers in approximate counting STOC

Counting and sampling algorithms at low temperature New frontiers in approximate counting STOC 2020 Will Perkins (UIC) Algorithms and phase transitions When are phase transitions barriers to e ffi cient algorithms? What algorithmic

497 views • 30 slides

More recommend