Section 4: Lab 1 Tips, Modular Arithmetic, & CBC-MAC (CSE 484 / CSE M 584)



slide-1
SLIDE 1

Section 4: Lab 1 Tips, Modular Arithmetic, & CBC-MAC

CSE 484 / CSE M 584

slide-2
SLIDE 2

Administrivia

Final deadline for Lab 1 is next Friday @ 11:59pm

  • Run the md5sum command on sploits 4-7
  • Put the result strings in <netid>_<netid>_<netid>.txt
  • Submit on Canvas

Office hours are available

  • Friday (12:30-2:30pm)
  • Monday (11:30am-12:30pm)
  • Tuesday (11:30am-12:30pm)
  • Wednesday (3:30-4:30pm)

New!

slide-3
SLIDE 3

Lab 1 Notes / Hints

  • Sploit 5: see tfree from last section
  • Make sure the free bit is set!
  • The 2nd four bytes of Q will be overwritten
  • How can you move past this?
  • Point to an assembly instruction?
  • Hardcode an instruction code?
  • The movement does not have to be precise!

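[Figure: chunk diagram with chunks P and Q, their L and R pointers (P.L, P.R, next), two bits set to 1, and candidate targets marked &buf? and &ret?]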

slide-4
SLIDE 4

Lab 1 Notes / Hints

  • Sploit 6: snprintf to a location
  • Overwrite ret with %n (will need > 1)
  • Pad with %u or %d to get the value to write
  • %u and %n both expect an argument
  • Internal pointer begins after (char *) arg

[Figure: stack diagram with labels Arguments, RET, SFP, buf[296], arg, sizeof(buf), buf, RET, SFP, etc. Blue: foo’s stack frame. Green: snprintf’s stack frame. Printf’s internal pointer is marked.]

Additional arguments to snprintf would (normally) be after arg.

slide-5
SLIDE 5

Lab 1 Notes / Hints

  • Sploit 7: similar to sploit 2
  • However, can’t use EIP since foo calls _exit
  • Where can you take over execution?
  • Hint: think about *p = a
  • Look into _exit

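[Figure: stack diagram with labels Arguments, RET, SFP, p, a. Blue: foo’s stack frame. Green: bar’s stack frame. A "1 byte overwrite" is marked.]

Program expects stack to look like foo when returning from bar.

[Figure: expected frame layout with labels Arguments, RET, SFP, Local vars.]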

slide-6
SLIDE 6

MODULAR ARITHMETIC!

Will be used in class Friday when talking about the Diffie-Hellman Protocol (1976)

slide-7
SLIDE 7

Shortcut

(a * b) mod p = ((a mod p) * (b mod p)) mod p

slide-8
SLIDE 8

Activity Time!

slide-9
SLIDE 9

Let p = 11. Let g = 10. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

Hint: (a * b) mod p = ((a mod p) * (b mod p)) mod p

slide-10
SLIDE 10

Q1 Solution

Let p = 11. Let g = 10. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

slide-11
SLIDE 11

Let p = 11. Let g = 7. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

Hint: (a * b) mod p = ((a mod p) * (b mod p)) mod p

slide-12
SLIDE 12

Q2 Solution

Let p = 11. Let g = 7. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

slide-13
SLIDE 13

Let p = 11. Let g = 7. Compute g^400 mod p, without using a calculator.

Hint: (a * b) mod p = ((a mod p) * (b mod p)) mod p

slide-14
SLIDE 14

Q3 Solution

Let p = 11. Let g = 7. Compute g^400 mod p, without using a calculator.
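
The three activities worked in code, as an added example that is not part of the original slides: the shortcut is applied at every multiplication, the powers of g are listed until they cycle back to 1, and a large exponent is reduced using the cycle length. The function names are hypothetical, and `power_cycle` assumes p is prime and g is not a multiple of p.

```python
def mod_pow(g: int, e: int, p: int) -> int:
    """Square-and-multiply: reduce mod p after every multiplication,
    which is valid because (a*b) mod p = ((a mod p)*(b mod p)) mod p."""
    result, base = 1, g % p
    while e > 0:
        if e & 1:
            result = (result * base) % p
        base = (base * base) % p
        e >>= 1
    return result


def power_cycle(g: int, p: int) -> list[int]:
    """Return g^1, g^2, ... mod p up to and including the first power equal to 1.
    Assumes p is prime and g is not a multiple of p, so the loop terminates."""
    seq, x = [], 1
    while True:
        x = (x * (g % p)) % p
        seq.append(x)
        if x == 1:
            return seq


def mod_pow_via_cycle(g: int, e: int, p: int) -> int:
    """Compute g^e mod p (e >= 1) by hand-style reasoning: the powers repeat
    with period len(cycle), so only e modulo that period matters."""
    cycle = power_cycle(g, p)
    return cycle[(e - 1) % len(cycle)]


if __name__ == "__main__":
    print("powers of 10 mod 11 repeat as:", power_cycle(10, 11))
    print("powers of 7 mod 11 repeat as: ", power_cycle(7, 11))
    print("7^400 mod 11 via the cycle:   ", mod_pow_via_cycle(7, 400, 11))
    print("7^400 mod 11 via mod_pow:     ", mod_pow(7, 400, 11))
```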

slide-15
SLIDE 15

CBC-MAC: Encrypt the message in CBC mode, use the last block as the MAC

k = secret key

Last block of ciphertext used as MAC

Initialization vector is 0

How do we create a MAC?

slide-16
SLIDE 16

Exercise: CBC-MAC vulnerability

Suppose a and b are both one block long, and suppose the sender MACs a, b, and a || b with CBC-MAC. An attacker who intercepts the MAC tags for these messages can now forge the MAC for the message b || (MK(b) ⊕ MK(a) ⊕ b), which the sender never sent. The forged tag for this message is equal to MK(a || b), the tag for a || b. Justify mathematically why this is true.

(Ferguson, Schneier, & Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing 2010. Exercise 6.3 p. 97)

Notation: a || b: a and b concatenated. MK(a): MAC for message a. EK(a): ciphertext for message a.

[Figure: CBC-MAC of a || b. Blocks a and b each pass through EK; the final output is TAG.]

slide-17
SLIDE 17

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 1: Figure out what MK(a), MK(b), and MK(a || b) are in terms of the encryption key. Annotate sketch with the sender’s messages and MACs.

[Figure: CBC-MAC of a || b. Blocks a and b each pass through EK to give TAG; three values are marked ???.]

slide-18
SLIDE 18

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 1: Figure out what MK(a), MK(b), and MK(a || b) are in terms of the encryption key. Annotate sketch with the sender’s messages and MACs.

MK(a) = EK(a)
MK(b) = EK(b) (not shown)
MK(a || b) = EK(EK(a) ⊕ b)

[Figure: CBC-MAC of a || b, annotated. a passes through EK to give EK(a); EK(a) ⊕ b passes through EK to give the tag EK(EK(a) ⊕ b).]

slide-19
SLIDE 19

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 2: Figure out MK(b || (MK(b) ⊕ MK(a) ⊕ b)). For the MAC of the attacker’s message b || (MK(b) ⊕ MK(a) ⊕ b), what are the values of the ???’s?

[Figure: CBC-MAC of the attacker’s message. Blocks b and MK(b) ⊕ MK(a) ⊕ b each pass through EK; the resulting values are marked ???.]

slide-20
SLIDE 20

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 2: Figure out MK(b || (MK(b) ⊕ MK(a) ⊕ b)).

[Figure: CBC-MAC of the attacker’s message. Blocks b and MK(b) ⊕ MK(a) ⊕ b each pass through EK; the output is labelled MK(b || (MK(b) ⊕ MK(a) ⊕ b)) and the remaining values are marked ???.]

slide-21
SLIDE 21

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 2: Figure out MK(b || (MK(b) ⊕ MK(a) ⊕ b)).

MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(b || (EK(b) ⊕ EK(a) ⊕ b))

[Figure: CBC-MAC of the attacker’s message with the tags rewritten. Blocks b and EK(b) ⊕ EK(a) ⊕ b each pass through EK; the resulting values are marked ???.]

slide-22
SLIDE 22

Exercise: CBC-MAC vulnerability

Prove: MK(b || (MK(b) ⊕ MK(a) ⊕ b)) = MK(a || b)

Step 2: Figure out MK(b || (MK(b) ⊕ MK(a) ⊕ b)).

MK(b || (MK(b) ⊕ MK(a) ⊕ b))
  = MK(b || (EK(b) ⊕ EK(a) ⊕ b))
  = EK(EK(b) ⊕ EK(b) ⊕ EK(a) ⊕ b)    (the two EK(b) terms cancel out)
  = EK(EK(a) ⊕ b)

This is the same as MK(a || b)!

[Figure: CBC-MAC of the attacker’s message, annotated. b passes through EK to give EK(b); the input to the second EK is EK(a) ⊕ b, giving the tag EK(EK(a) ⊕ b).]

slide-23
SLIDE 23

So what?

  • We can prove, just using the specification of CBC-MAC, that the messages b || (M(b) ⊕ M(a) ⊕ b) and a || b share the same tag. This approach is a common method used in cryptanalysis.
  • We broke the theoretical guarantee that no two different messages will ever share a tag.
  • If you were to use CBC-MAC in a protocol, it provides information about specific weaknesses and how not to use it.

slide-24
SLIDE 24

Safer CBC-MAC for variable length messages

For a message m of length l:

1. Construct s by prepending the length of m to the message: s = concat(l, m)
2. Pad s until the length is a multiple of the block size
3. Apply CBC-MAC to the padded string s.
4. Output the last ciphertext block, or a part of it. Don’t output intermediates.

  • Warning: Appending to end is just as broken as what we showed!
  • Or encrypt output with another block cipher under a different key (CMAC). Or use HMAC, UMAC, GMAC.
  • Follow latest guidance very carefully!

[Figure: CBC-MAC chain with blocks labelled l + pad, b1, ..., bl, each passing through EK, ending in TAG.]
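
The identity proved in the exercise and the length-prepending construction above, checked in code as an added example that is not part of the original slides. `E` is a toy Feistel permutation built from SHA-256 that stands in for EK (an assumption; it is not a real block cipher), and the 8-byte length encoding, zero padding, key, and messages are likewise assumptions constructed for the demonstration.

```python
import hashlib

BLOCK = 16  # block size in bytes (assumption for this example)

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for E_K. Not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC as on the slides: IV = 0, tag = last ciphertext block."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of BLOCK")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state

def cbc_mac_len_prepended(key: bytes, msg: bytes) -> bytes:
    """Slide 24 variant: s = concat(l, m), pad to a block multiple, CBC-MAC.
    The 8-byte big-endian length and zero padding are assumptions."""
    s = len(msg).to_bytes(8, "big") + msg
    s += bytes(-len(s) % BLOCK)
    return cbc_mac(key, s)

def spliced_message(a: bytes, b: bytes, tag_a: bytes, tag_b: bytes) -> bytes:
    """b || (M(b) xor M(a) xor b), the message from the exercise."""
    return b + xor(xor(tag_b, tag_a), b)

def tags_collide(mac, key: bytes, a: bytes, b: bytes) -> bool:
    """True if the exercise's message gets the same tag as a || b under `mac`."""
    other = spliced_message(a, b, mac(key, a), mac(key, b))
    return other != a + b and mac(key, other) == mac(key, a + b)

KEY = b"constructed demo key"     # constructed sample values
A, B = b"a" * BLOCK, b"b" * BLOCK

if __name__ == "__main__":
    print("raw CBC-MAC collides:     ", tags_collide(cbc_mac, KEY, A, B))
    print("length-prepended collides:", tags_collide(cbc_mac_len_prepended, KEY, A, B))
```

The raw construction collides for any key and any distinct one-block a and b, because the cancellation in the proof does not depend on what EK is; with the length in the first block, the two CBC chains start from different inputs and the cancellation no longer lines up.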

slide-25
SLIDE 25

Good luck with the rest of Lab 1!