Authenticated encryption: combining encryption and MAC (Eike Ritter, Cryptography 2013/14, slides 113-122) - PowerPoint PPT Presentation



So far: had cryptographic algorithms to achieve
Privacy: use encryption
Integrity: use MAC
Want both privacy and integrity
Achieve this by combining encryption and MAC in an appropriate way

Eike Ritter Cryptography 2013/14 113

Several possibilities for combination:
Encrypt-then-MAC: encrypt the message, then compute the MAC of the ciphertext; send the ciphertext together with the tag.
MAC-then-encrypt: first compute the MAC of the message, then encrypt the message-MAC pair.
Encrypt-and-MAC: encrypt the message and, independently, compute the MAC of the message. Result is the pair of ciphertext and MAC.


Does this provide both privacy and integrity if the encryption is IND-CPA secure and the MAC cannot be forged?
Encrypt-then-MAC: Yes, provided the MAC is strongly unforgeable. The receiver verifies the tag before decrypting anything, so a modified ciphertext is never decrypted.
MAC-then-encrypt: Not in general, but works in specific instances (e.g. if the encryption is CBC or Counter mode with a random initialisation vector). Even then the receiver's decoding step must not leak anything: the padding oracle attack below shows what goes wrong when it does.
Encrypt-and-MAC: Not in general, but works in specific instances (SSH). Note that the MAC is computed over the plaintext and sent in the clear, so a deterministic MAC reveals whether two messages are equal.


Definition An authenticated encryption system is given by a pair (E, D), where E : K × M → C is the encryption function and D : K × C → M ∪ {⊥} is the decryption function, such that D(k, E(k, m)) = m for all k ∈ K and m ∈ M. The output ⊥ means that the ciphertext is rejected.



Definition We define the authenticated encryption game (ciphertext integrity) between challenger and attacker as follows: The challenger picks an encryption key k at random. The attacker does some computations and may send messages m1, . . . , mn to the challenger. The challenger responds with the ciphertexts c1, . . . , cn, where ci = E(k, mi). The attacker does some more computations and submits a putative ciphertext c to the challenger. The challenger outputs 1 if c ≠ ci for all i and D(k, c) ≠ ⊥, i.e. the attacker has produced a new ciphertext that the receiver accepts. The attacker wins this game if the challenger outputs 1.


Definition An authenticated encryption scheme (E, D) is secure if the following conditions are satisfied:
it satisfies IND-CPA;
any attacker wins the authenticated encryption game with only negligible probability.


Examples

First example: TLS 1.2 (CBC cipher suites)
Have two separate keys KA→B and KB→A for communication in the two directions.
Have also two counters ctrA→B and ctrB→A (record sequence numbers), designed to prevent replay attacks.
Form the MAC (HMAC-SHA1) of counter||header||data.
Apply padding to data||tag so that its length is a multiple of the block size (the header is not encrypted).
Now apply CBC-AES with a new random IV, which is sent along with the ciphertext.
Prepend the header.


Important details

On the receiving side there are two kinds of possible errors: MAC failures and invalid padding. Must produce the same error message in both cases (and ideally take the same time); otherwise the attacker has a padding oracle and the attack on the next slide applies.



Padding Oracle Attack

Assume have CBC-encryption

[Figure: CBC decryption diagram. Source: Wikipedia]

Assume we want the last byte of m[2], the block recovered from c[2] (in CBC, m[2] = D(k, c[2]) ⊕ c[1], so flipping a bit of c[1] flips the same bit of m[2]). Perform the following operations:
guess g for the last byte of m[2];
ask for decryption of the record in which c[1] is replaced by c[1] ⊕ g ⊕ 0x01 (the XOR applied to the last byte);
the last byte of the decrypted m[2] is then equal to lastByte ⊕ g ⊕ 0x01;
if lastByte = g, the block ends in 0x01 and has a valid pad (0x01 is always valid); otherwise the pad is most likely invalid. (A longer pad such as 0x02 0x02 can be valid by chance; repeating the query with the second-to-last byte of c[1] also changed rules this out.)
Hence, if we can distinguish MAC failures from padding failures, we obtain g with at most 256 attempts. Repeating the procedure with pad values 0x02, 0x03, ... recovers the remaining bytes of the block.

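The following is an added example, not part of the lecture slides: a self-contained model of the MAC-then-encrypt record layer from the TLS 1.2 slide, a receiver that either reports padding failures and MAC failures separately (the bug of the "Important details" slide) or reports one uniform error, and the padding oracle attack of the last slide run against both. It goes beyond the slide by recovering the whole block (pad values 0x02 .. 0x10 after 0x01) and includes the extra query that rules out a chance longer pad. Assumptions, all the example's own: a toy Feistel block cipher stands in for AES, PKCS#7-style padding (n bytes of value n) for TLS padding, HMAC-SHA256 for HMAC-SHA1, and the record body is a constructed sample; the function and class names are not from TLS or from the slides.

```python
import hashlib
import hmac
import os

BLOCK = 16

class DecryptError(Exception): pass     # careful receiver: one error for every failure
class PaddingError(DecryptError): pass  # leaky receiver: "invalid padding"
class MacError(DecryptError): pass      # leaky receiver: "MAC failure"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_cipher(key, blk, decrypt=False):
    # Assumption: a toy 4-round Feistel network (HMAC-SHA256 round function) stands in for AES
    left, right = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = xor(right, _round(key, rnd, left)), left
        else:
            left, right = right, xor(left, _round(key, rnd, right))
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_cipher(key, xor(prev, pt[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_cipher(key, c, True), p) for p, c in zip([iv] + blocks, blocks))

def pad(b):  # PKCS#7 style: n bytes of value n, so a trailing 0x01 is always a valid pad
    n = BLOCK - len(b) % BLOCK
    return b + bytes([n]) * n

def unpad(b):
    n = b[-1] if b else 0
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise PaddingError
    return b[:-n]

def mte_encrypt(k_enc, k_mac, seq, data):
    # TLS 1.2 style MAC-then-encrypt: HMAC over seq||data, pad data||tag, CBC under a fresh IV
    tag = hmac.new(k_mac, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(k_enc, iv, pad(data + tag))

def mte_decrypt(k_enc, k_mac, seq, record, leaky):
    # leaky=True tells the peer which check failed (the bug); leaky=False reports one error
    try:
        body = unpad(cbc_decrypt(k_enc, record[:BLOCK], record[BLOCK:]))
        data, tag = body[:-32], body[-32:]
        expect = hmac.new(k_mac, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise MacError
    except DecryptError:
        if leaky:
            raise
        raise DecryptError from None
    return data

def padding_ok(decrypt):
    def oracle(record):  # attacker's view: did the receiver admit that the padding was fine?
        try:
            decrypt(record)
            return True
        except DecryptError as e:
            return isinstance(e, MacError)  # the uniform DecryptError leaks nothing -> False
    return oracle

def recover_block(oracle, prev, target):
    # Send prev' || target with prev'[pos] = prev[pos] ^ g ^ padval: the receiver then sees
    # P[pos] ^ g ^ padval at that position, which is the right pad byte exactly when g == P[pos].
    known = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos  # 0x01 for the last byte, 0x02 for the one before, ...
        for g in range(256):
            forged = bytearray(prev)
            forged[pos] ^= g ^ padval
            for i in range(pos + 1, BLOCK):  # force the already-recovered tail to padval
                forged[i] ^= known[i] ^ padval
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:  # 0x01 is always valid, but 0x02 0x02 (etc.) may also be
                forged[pos - 1] ^= 0xFF  # valid by chance: the byte before it must not matter
                if not oracle(bytes(forged) + target):
                    continue
            known[pos] = g
            break
        else:
            return None  # the oracle never reported valid padding: nothing leaked
    return bytes(known)

def demo():
    k_enc, k_mac, seq = os.urandom(16), os.urandom(16), 7
    data = b"GET /secret HTTP/1.1 cookie=s3cr3t"  # constructed sample record body
    record = mte_encrypt(k_enc, k_mac, seq, data)  # iv || c[1] || c[2] || ... || c[5]
    c1, c2 = record[BLOCK:2 * BLOCK], record[2 * BLOCK:3 * BLOCK]
    leaky = padding_ok(lambda r: mte_decrypt(k_enc, k_mac, seq, r, leaky=True))
    uniform = padding_ok(lambda r: mte_decrypt(k_enc, k_mac, seq, r, leaky=False))
    recovered = recover_block(leaky, c1, c2)  # m[2] == data[16:32], one byte per 256 queries
    defeated = recover_block(uniform, c1, c2) is None  # uniform errors: nothing to learn
    return recovered, data[BLOCK:2 * BLOCK], defeated
```

`demo()` returns the recovered block, the true m[2], and whether the attack failed against the uniform-error receiver; the two blocks are equal and the flag is True. The attacker never needs the keys: `recover_block` only sends two-block records (a forged c[1] acting as IV, followed by c[2]) and reads the yes/no verdict, so with at most 16 × 256 queries it learns one plaintext block. Against the receiver that maps both failures to one `DecryptError`, every query looks the same and the byte-at-a-time loop finds no valid guess.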