stronger security guarantees for authenticated encryption
play

Stronger Security Guarantees for Authenticated Encryption Schemes - PowerPoint PPT Presentation

Feb 18, 2023 •392 likes •889 views

Ciphertext Fragmentation Distinguishable Decryption Failures Stronger Security Guarantees for Authenticated Encryption Schemes Alexandra Boldyreva, Jean Paul Degabriele , Kenny Paterson, and Martijn Stam DIAC Workshop - 5th July 2012 Boldyreva,

  1. Ciphertext Fragmentation Distinguishable Decryption Failures Stronger Security Guarantees for Authenticated Encryption Schemes Alexandra Boldyreva, Jean Paul Degabriele , Kenny Paterson, and Martijn Stam DIAC Workshop - 5th July 2012 Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 1/22

  2. Ciphertext Fragmentation Distinguishable Decryption Failures Scope of This Talk Arguably the best way we have of assessing the security of an Authenticated Encryption (AE) scheme is through its security proof. There are various criteria for assessing security proofs: security notion, tightness and quantitative bounds, assumptions, etc. but most importantly we want security to hold in in practice! This relates to how well our theoretic framework captures real-world scenarios. In this talk we consider two aspects that that current cryptographic theory fails to address. We here outline recent and upcoming work of ours to address these, and propose new design criteria for AE schemes. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 2/22

  3. Ciphertext Fragmentation Distinguishable Decryption Failures Outline Ciphertext Fragmentation 1 Distinguishable Decryption Failures 2 Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 3/22

  4. Ciphertext Fragmentation Distinguishable Decryption Failures Outline Ciphertext Fragmentation 1 Distinguishable Decryption Failures 2 Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 4/22

  5. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 5/22

  6. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 5/22

  7. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 5/22

  8. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 5/22

  9. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 5/22

  10. Ciphertext Fragmentation Distinguishable Decryption Failures Why is it a Problem? This setting emerges in practice, one such instance is that of secure network protocols . AE schemes are NOT designed to operate in this setting, and it is left to the protocol designer to adapt the scheme into one that supports ciphertext fragmentation (hoping that security is preserved). However as the following two examples show, security in the usual ‘atomic’ setting does not guarantee security in the fragmented setting. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 6/22

  11. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 7/22

  12. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 7/22

  13. Ciphertext Fragmentation Distinguishable Decryption Failures Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 7/22

  14. Ciphertext Fragmentation Distinguishable Decryption Failures The Case of SSH SSH encrypts messages in the following format: 4 bytes 4 bytes 1 byte > 4 bytes Sequence Packet Padding Payload Padding Number Length Length ENCRYPT MAC Ciphertext MAC tag Message Ciphertext Packet SSH commonly uses CBC mode for encryption. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 8/22

  15. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  16. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  17. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption c ∗ i Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  18. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  19. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  20. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  21. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? L ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  22. Ciphertext Fragmentation Distinguishable Decryption Failures The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i L L ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 9/22

  23. Ciphertext Fragmentation Distinguishable Decryption Failures Our Treatment of Fragmentation From EUROCRYPT 12 We define a syntax and a correctness requirement for encryption in the fragmented setting. We introduce indistinguishability under chosen-fragment attacks . We identify and formalise two other security goals that arise in relation to ciphertext fragmentation. We construct a scheme, InterMAC , that meets all three of our security notions. Boldyreva, Degabriele , Paterson, and Stam | Stronger Security Guarantees for Authenticated Encryption Schemes 10/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog; www.isg.rhul.ac.uk/~kp Overview (both lectures) Secure channels and their properties AEAD (revision) AEAD secure channel the [APW09] attack

1.63k views • 72 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Authenticated Encryption in TLS Same modelling Poor TLS track record & verification

Authenticated Encryption in TLS Same modelling Poor TLS track record & verification

Authenticated Encryption in TLS Same modelling Poor TLS track record & verification approach - Many implementation flaws - Attacks on weak cryptography concrete security: each lossy step (MD5, SHA1, ) documented by a game and a

514 views • 27 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
Authenticated Encryption in TLS Kenny Paterson DIAC 2013 Information Security Group Outline

Authenticated Encryption in TLS Kenny Paterson DIAC 2013 Information Security Group Outline

Authenticated Encryption in TLS Kenny Paterson DIAC 2013 Information Security Group Outline TLS and the TLS Record Protocol Theory for TLS Attacks: The BEAST Padding oracles Lucky 13 (More theory for TLS) RC4 attack

909 views • 70 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
Decision Procedures for Flat Array Properties F. Alberti 1 , 3 , S. Ghilardi 2 , N. Sharygina 1 1

Decision Procedures for Flat Array Properties F. Alberti 1 , 3 , S. Ghilardi 2 , N. Sharygina 1 1

Decision Procedures for Flat Array Properties F. Alberti 1 , 3 , S. Ghilardi 2 , N. Sharygina 1 1 University of Lugano, Switzerland 2 University of Milan, Italy 3 Verimag, Grenoble, France SMT July 17, 2014 Talk based on the paper published at

924 views • 50 slides
Splat/Mesh Blending, Perspective Rasterization and Transparency for Point-Based Rendering Gal

Splat/Mesh Blending, Perspective Rasterization and Transparency for Point-Based Rendering Gal

Splat/Mesh Blending, Perspective Rasterization and Transparency for Point-Based Rendering Gal Guennebaud Loc Barthe, Mathias Paulin IRIT UPS CNRS TOULOUSE FRANCE http://www.irit.fr/~Gael.Guennebaud/ Gal Guennebaud IRIT

453 views • 32 slides
FDE-Modalities and Weak Definability . Odintsov 1 Sergei P 1 Sobolev Institute of Mathematics

FDE-Modalities and Weak Definability . Odintsov 1 Sergei P 1 Sobolev Institute of Mathematics

FDE-Modalities and Weak Definability . Odintsov 1 Sergei P 1 Sobolev Institute of Mathematics (Novosibirsk, Russia) odintsov@math.nsc.ru (joint work with Heinrich Wansing) Wormshop, 1520.10.2017 Sergei P . Odintsov FDE-Modalities Logic R

754 views • 64 slides
Beagle - A Hierarchic Superposition Theorem Prover Peter Baumgartner Uwe Waldmann Joshua Bax

Beagle - A Hierarchic Superposition Theorem Prover Peter Baumgartner Uwe Waldmann Joshua Bax

Beagle - A Hierarchic Superposition Theorem Prover Peter Baumgartner Uwe Waldmann Joshua Bax Introduction Goal Automated deduction in hierarchic combinations of speci fi cations Previous work: calculus Hierarchic superposition

189 views • 17 slides
Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1.

Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1.

Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1. Probabilistic regular expressions on infinite words Motivation In this talk LATA 2014 Probabilistic -Regular Expressions Thomas Weidner (Universitt

646 views • 31 slides
CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic compiler structure Figure 1.6, page 5 of text Example L = { 0, 1, 00, 11, 000, 111, 0000, 1111, } G = ( {0,1}, {S, ZeroList, OneList}, {S

654 views • 29 slides
Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham

Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham

Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham * Grothendieck: "A topos is a generalized topological space" * ... it's represented by its category of sheaves * but that depends on

474 views • 36 slides
Metabolic flux estimation So far in this course we have examined techniques that help us

Metabolic flux estimation So far in this course we have examined techniques that help us

Metabolic flux estimation So far in this course we have examined techniques that help us understanding the cells capabilities: Given genome, what kind of metabolic network (Metabolic reconstruction) Given metabolic network, what

347 views • 34 slides

More recommend