So far: had cryptographic algorithms to achieve Privacy (PowerPoint presentation: Eike Ritter, Cryptography 2014/15, slides 39-50)


SLIDE 1

So far: had cryptographic algorithms to achieve
• Privacy: use encryption
• Integrity: use MAC
Want both privacy and integrity. Achieve this by combining encryption and MAC in an appropriate way.

Eike Ritter Cryptography 2014/15 39

SLIDE 2

Several possibilities for combination:
• Encrypt-then-MAC: encrypt the message, then compute the MAC of the ciphertext; send the ciphertext together with the tag.
• MAC-then-encrypt: first compute the MAC of the message, then encrypt the message-MAC pair.
• Encrypt-and-MAC: encrypt the message and, independently, compute the MAC of the (plain) message; the result is the pair of ciphertext and MAC.


SLIDE 3

Does this provide both privacy and integrity if the encryption is IND-CPA secure and the MAC cannot be forged?
• Encrypt-then-MAC: Yes.
• MAC-then-encrypt: Not in general, but works in specific instances (e.g. if the encryption is CBC or Counter mode with a random initialisation vector). Note that the receiver has to decrypt before it can check the MAC, so the decryption step itself must not leak anything about the plaintext (e.g. through distinguishable padding errors).
• Encrypt-and-MAC: Not in general (a MAC need not hide the message it authenticates), but works in specific instances (SSH).


SLIDE 4

Definition. An authenticated encryption system is given by a pair (E, D), where E : K × M → C is the encryption function and D : K × C → M ∪ {⊥} is the decryption function, such that D(k, E(k, m)) = m for all k ∈ K and m ∈ M. The special output ⊥ means that the ciphertext is rejected as invalid and no plaintext is released.


SLIDE 5

Definition. We define the authenticated encryption game between challenger and attacker as follows:
• The challenger picks an encryption key k at random.
• The attacker does some computations and may send messages m1, . . . , mn to the challenger.
• The challenger responds with the ciphertexts c1, . . . , cn, where ci = E(k, mi).
• The attacker does some more computations and submits a putative ciphertext c to the challenger.
• The challenger outputs 1 if c ≠ ci for all i and D(k, c) ≠ ⊥, i.e. if c is a fresh ciphertext that the decryption function accepts.
The attacker wins this game if the challenger outputs 1.


SLIDE 6

Definition. An authenticated encryption scheme (E, D) is secure if the following conditions are satisfied:
• it satisfies IND-CPA
• any attacker wins the authenticated encryption game with only negligible probability


SLIDE 7

Theorem. If (E, D) is an IND-CPA secure encryption scheme and MAC a secure (unforgeable) MAC, the authenticated encryption system obtained by first encrypting and then applying the MAC to the ciphertext (encrypt-then-MAC, with independent keys for E and MAC) is a secure authenticated encryption system.


SLIDE 8

The proof uses two lemmata:
Lemma. If (E, D) is an IND-CPA secure encryption scheme and MAC a secure MAC, the authenticated encryption system obtained by first encrypting and then applying the MAC satisfies IND-CPA.
Lemma. If (E, D) is an IND-CPA secure encryption scheme and MAC a secure MAC, the probability of the attacker winning the game for the authenticated encryption system obtained by first encrypting and then applying the MAC is negligible.
Intuition: the tag is computed over the ciphertext only, so it reveals nothing about the message beyond what the ciphertext already does (first lemma); and any fresh ciphertext that decrypts to something other than ⊥ carries a valid tag on a string the challenger never tagged, i.e. a MAC forgery (second lemma).
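The composition of the theorem, with the attacker's move from the game of slide 5 played against it, as an added example (not code from the lecture slides): Go's standard library provides AES-128 in counter mode as the IND-CPA scheme and HMAC-SHA256 as the MAC, the two keys are drawn independently, the tag is checked in constant time before anything is decrypted, and ErrInvalid stands in for ⊥. The names (EtMKey, PlayForgeryGame) and the sample message are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrInvalid plays the role of ⊥: the ciphertext is rejected and no plaintext is released.
var ErrInvalid = errors.New("authenticated encryption: invalid ciphertext")

// EtMKey is the key of the composed scheme: two independent keys, one for the IND-CPA
// encryption (AES-128 in counter mode) and one for the MAC (HMAC-SHA256).
type EtMKey struct {
	block cipher.Block
	mac   [32]byte
}

func NewEtMKey() (*EtMKey, error) {
	var seed [48]byte // 16 bytes of AES key || 32 bytes of HMAC key, drawn independently
	if _, err := io.ReadFull(rand.Reader, seed[:]); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(seed[:16])
	if err != nil {
		return nil, err
	}
	k := &EtMKey{block: block}
	copy(k.mac[:], seed[16:])
	return k, nil
}

// Encrypt is E of the composed scheme: c = IV || CTR(m), t = HMAC(c), output c || t.
// The MAC covers the IV too, so swapping IVs is a forgery like any other.
func (k *EtMKey) Encrypt(m []byte) ([]byte, error) {
	c := make([]byte, aes.BlockSize+len(m))
	if _, err := io.ReadFull(rand.Reader, c[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(k.block, c[:aes.BlockSize]).XORKeyStream(c[aes.BlockSize:], m)
	h := hmac.New(sha256.New, k.mac[:])
	h.Write(c)
	return h.Sum(c), nil // Sum appends the tag to c
}

// Decrypt is D of the composed scheme: the tag is verified first, in constant time, and
// only a ciphertext that passes is decrypted; everything else maps to ⊥ (ErrInvalid).
func (k *EtMKey) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize+sha256.Size {
		return nil, ErrInvalid
	}
	c, tag := ct[:len(ct)-sha256.Size], ct[len(ct)-sha256.Size:]
	h := hmac.New(sha256.New, k.mac[:])
	h.Write(c)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, ErrInvalid
	}
	m := make([]byte, len(c)-aes.BlockSize)
	cipher.NewCTR(k.block, c[:aes.BlockSize]).XORKeyStream(m, c[aes.BlockSize:])
	return m, nil
}

// PlayForgeryGame is the attacker's move in the game of slide 5: it obtains one honest
// ciphertext for m and then submits modified versions of it. It returns nil when the honest
// ciphertext decrypts to m and every modified one (IV, body, tag, truncation) is rejected.
func PlayForgeryGame(k *EtMKey, m []byte) error {
	ct, err := k.Encrypt(m)
	if err != nil {
		return err
	}
	if got, err := k.Decrypt(ct); err != nil || !bytes.Equal(got, m) {
		return errors.New("honest ciphertext did not decrypt to m")
	}
	for _, i := range []int{0, aes.BlockSize, len(ct) - 1} { // IV byte, first body byte, last tag byte
		forged := append([]byte(nil), ct...)
		forged[i] ^= 0x80
		if _, err := k.Decrypt(forged); err != ErrInvalid {
			return fmt.Errorf("forgery at byte %d was accepted", i)
		}
	}
	if _, err := k.Decrypt(ct[:len(ct)-1]); err != ErrInvalid {
		return errors.New("truncated ciphertext was accepted")
	}
	return nil
}

func main() {
	k, err := NewEtMKey()
	if err != nil {
		panic(err)
	}
	if err := PlayForgeryGame(k, []byte("transfer 100 EUR to account 42")); err != nil { // constructed message
		panic(err)
	}
	fmt.Println("round trip ok, every forgery rejected")
}
```

The order inside Decrypt is the whole point of the construction: because the tag is checked first, the block cipher is never run on attacker-chosen input, so there is no decryption-side behaviour (padding errors, timing) for an attacker to observe.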


SLIDE 9

Examples

First example: TLS 1.2 with a CBC cipher suite (a MAC-then-encrypt construction)
• Have two separate keys KA→B and KB→A for communication in both directions (each direction has its own MAC key and its own encryption key).
• Have also two counters ctrA→B and ctrB→A, designed to prevent replay attacks; the counter is included in the MAC but never transmitted.
• Form the MAC (HMAC-SHA1) of counter||header||data.
• Apply padding to data||tag so that its length is a multiple of the block size.
• Now apply CBC-AES with a new random IV (the IV is sent along with the record).
• Prepend the header, which is sent in the clear.


SLIDE 10

Important details

Have two kinds of possible errors:
• MAC failures
• invalid padding
Must produce the same error message in both cases (and, in practice, report it after the same amount of time), otherwise have an attack: the padding oracle attack on the following slides.


SLIDE 11

Padding Oracle Attack

Assume we have CBC encryption (the slide shows the CBC decryption diagram: each plaintext block m[i] is the block-cipher decryption of c[i] XORed with the previous ciphertext block c[i-1], so flipping a bit in c[i-1] flips the same bit in m[i]).

Source: Wikipedia

SLIDE 12

Assume we want the last byte of m[2], the block that CBC decryption computes as D(c[2]) ⊕ c[1]. Perform the following operations:
• guess g for the last byte of m[2]
• ask for decryption of the ciphertext in which the last byte of c[1] is replaced by (last byte of c[1]) ⊕ g ⊕ 0x01, with c[2] unchanged
• the last byte of the resulting m[2] is then equal to lastByte ⊕ g ⊕ 0x01, where lastByte is the true last byte of m[2]
• if lastByte = g, the block ends in 0x01 and we have a valid pad (0x01 is always a valid pad); otherwise the pad is most likely invalid
Hence if we can distinguish MAC failures from padding failures, we obtain g (= lastByte) with at most 256 attempts.
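The MAC-then-encrypt record of slide 9 and the attack of slides 10 to 12, carried through in one added example that is not code from the lecture: a TLS-1.2-style sender, a deliberately leaky receiver that reports padding failures and MAC failures differently, and an attacker that uses only that distinction to recover a whole plaintext block. The slide stops at the last byte; the loop goes further, aiming for the pads 0x02 0x02, 0x03 0x03 0x03, ... with the bytes already recovered. The names (Seal, Open, RecoverBlock), the constructed keys, the record header bytes and the sample cookie are the example's own assumptions; the padding is n bytes of value n as the slide assumes (real TLS writes n-1 in each byte, which changes nothing about the attack), and the sequence counter is modelled as a package variable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// The two failures of slide 10; a receiver that lets the attacker tell them apart is a padding oracle.
var ErrPadding, ErrMAC = errors.New("invalid padding"), errors.New("MAC failure")
const hdrLen = 5 // record header type || version(2) || length(2): sent in clear, covered by the MAC

// One direction (A→B) of the connection: constructed demo keys (TLS derives them in the handshake) and its counter.
var (
	encKey   = []byte("0123456789abcdef")     // AES-128, used in CBC mode
	macKey   = []byte("constructed HMAC key") // independent HMAC-SHA1 key
	seq      uint64                           // ctr: MACed but never sent, so a replayed record fails the MAC
	block, _ = aes.NewCipher(encKey)          // a 16-byte key cannot fail
)

// tag = HMAC-SHA1(seq || header || data), as on slide 9.
func tag(header, data []byte) []byte {
	h := hmac.New(sha1.New, macKey)
	h.Write(append(append(binary.BigEndian.AppendUint64(nil, seq), header...), data...))
	return h.Sum(nil)
}

// Seal is the MAC-then-encrypt sender: pad data||tag (n bytes of value n, as slide 12 assumes), CBC-encrypt under a fresh random IV, prepend the cleartext header.
func Seal(header, data []byte) ([]byte, error) {
	pt := append(append([]byte{}, data...), tag(header, data)...)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	rec := make([]byte, hdrLen+aes.BlockSize+len(pt))
	copy(rec, header)
	if _, err := rand.Read(rec[hdrLen : hdrLen+aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, rec[hdrLen:hdrLen+aes.BlockSize]).CryptBlocks(rec[hdrLen+aes.BlockSize:], pt)
	return rec, nil
}

// Open is the leaky receiver: the pad is checked before the MAC and reported differently, exactly what slide 10 forbids.
func Open(rec []byte) ([]byte, error) {
	if len(rec) < hdrLen+2*aes.BlockSize || (len(rec)-hdrLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	pt := make([]byte, len(rec)-hdrLen-aes.BlockSize)
	cipher.NewCBCDecrypter(block, rec[hdrLen:hdrLen+aes.BlockSize]).CryptBlocks(pt, rec[hdrLen+aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	pt = pt[:len(pt)-n]
	if len(pt) < sha1.Size || !hmac.Equal(pt[len(pt)-sha1.Size:], tag(rec[:hdrLen], pt[:len(pt)-sha1.Size])) {
		return nil, ErrMAC
	}
	return pt[:len(pt)-sha1.Size], nil
}

// RecoverBlock carries slide 12 through for all 16 bytes of plaintext block i (the IV is block 0; block i is decrypted with block i-1 as chaining value), using only the oracle's padding-vs-MAC distinction.
func RecoverBlock(oracle func([]byte) error, rec []byte, i int) []byte {
	prev, cur := rec[hdrLen+(i-1)*aes.BlockSize:hdrLen+i*aes.BlockSize], rec[hdrLen+i*aes.BlockSize:hdrLen+(i+1)*aes.BlockSize]
	m := make([]byte, aes.BlockSize)
	for pos := aes.BlockSize - 1; pos >= 0; pos-- {
		pad := byte(aes.BlockSize - pos) // 0x01 for the last byte, then 0x02, ...
		for g := 0; g < 256; g++ { // about 256 oracle calls per byte
			probe := append(append(append([]byte(nil), rec[:hdrLen]...), prev...), cur...)
			for j := pos + 1; j < aes.BlockSize; j++ {
				probe[hdrLen+j] ^= m[j] ^ pad // already-known bytes are steered to the pad value
			}
			probe[hdrLen+pos] ^= byte(g) ^ pad // the slide's c[1] ⊕ g ⊕ 0x01: pad valid iff g == m[pos]
			if oracle(probe) == ErrPadding {
				continue
			}
			if pos == aes.BlockSize-1 { // rule out an accidental 0x02 0x02 (the slide's "most likely")
				probe[hdrLen+pos-1] ^= 0xff
				if oracle(probe) == ErrPadding {
					continue
				}
			}
			m[pos] = byte(g)
			break
		}
	}
	return m
}

func main() {
	rec, err := Seal([]byte{23, 3, 3, 0, 0}, []byte("Cookie: session=4f3a9c2b7e; user=alice")) // constructed record
	if err != nil {
		panic(err)
	}
	fmt.Printf("block 1 = %q\n", RecoverBlock(func(r []byte) error { _, err := Open(r); return err }, rec, 1))
}
```

The attacker never sees a plaintext byte: every probe is a two-block record (forged chaining block || target block) whose only observable outcome is which error Open returns. With a receiver that returns one uniform error for both failures, oracle(probe) == ErrPadding is never true and the loop has nothing to key on; hiding the timing difference as well is what slide 10 asks for.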
