the low call diet authenticated encryption for call
play

The low-call diet: Authenticated Encryption for call counting HSM - PowerPoint PPT Presentation

Sep 02, 2022 •178 likes •1.23k views

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson University of Bristol Joint work with: Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB) Real World Cryptography

  1. Encryption with redundancy Encryption with redundancy Studied formally by An and Bellare. Two types of redundancy function; secret key and public key. IND-CPA encryption scheme + secret/public redundancy function �⇒ AE. An and Bellare define a scheme with a secret key redundancy function, Nested CBC (NCBC). NCBC uses a different key to encrypt the last block. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 11 / 40

  2. Encryption with redundancy Relating to our scheme Our scheme uses secret redundancy, M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 12 / 40

  3. Encryption with redundancy Relating to our scheme Our scheme uses secret redundancy, where the redundancy function uses a different “key” each time. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 12 / 40

  4. Encryption with redundancy Relating to our scheme Our scheme uses secret redundancy, where the redundancy function uses a different “key” each time. In general any IND-CPA scheme plus one time redundancy function �⇒ AE. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 12 / 40

  5. Managed Encryption Format Background 1 Motivation 2 Encryption with redundancy 3 Managed Encryption Format 4 Analysis 5 Summary 6 Something different... 7 M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 13 / 40

  6. Managed Encryption Format API call The API call is CBC-mode M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  7. Managed Encryption Format API call The API call is CBC-mode with all-zero IV. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  8. Managed Encryption Format API call The API call is CBC-mode with all-zero IV. Need randomness for security. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  9. Managed Encryption Format API call The API call is CBC-mode with all-zero IV. Need randomness for security. Use HSMs ability to generate random numbers. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  10. Managed Encryption Format API call The API call is CBC-mode with all-zero IV. Need randomness for security. Use HSMs ability to generate random numbers. Implementation note – to avoid making an extra HSM call for every encryption, we maintain a cache of randomness. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  11. Managed Encryption Format API call The API call is CBC-mode with all-zero IV. Need randomness for security. Use HSMs ability to generate random numbers. Implementation note – to avoid making an extra HSM call for every encryption, we maintain a cache of randomness. We assume this cache to be secure. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 14 / 40

  12. Managed Encryption Format Managed Encryption Format A M [1] M [2] M [ n ] R hash hash ( R, A, M ) F K F K F K F K F K C [0] = F K ( R ) C [1] C [2] C [3] C [ n + 1] M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 15 / 40

  13. Managed Encryption Format Encrypt( K , A , M ) Decrypt( K , A , C ) R � H � M ′ ← D-CBC[ F ]( K , C ) r ← { 0 , 1 } l R M ← dpad( M ′ ) H ← hash( R , A , M ) if M � = ⊥ then C ← E-CBC[ F ]( K , R � H � pad( M )) h ← hash( R , A , M ) return C if h � = h then M = ⊥ return M M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 16 / 40

  14. Managed Encryption Format Encrypt( K , A , M ) Decrypt( K , A , C ) R � H � M ′ ← D-CBC[ F ]( K , C ) r ← { 0 , 1 } l R M ← dpad( M ′ ) H ← hash( R , A , M ) if M � = ⊥ then C ← E-CBC[ F ]( K , R � H � pad( M )) h ← hash( R , A , M ) return C if h � = h then M = ⊥ return M Points to note: Padding (uniform error reporting) “MAC-then-encrypt” IV M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 16 / 40

  15. Analysis Background 1 Motivation 2 Encryption with redundancy 3 Managed Encryption Format 4 Analysis 5 Summary 6 Something different... 7 M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 17 / 40

  16. Analysis Security model – Privacy Let Π = (KeyGen , Encrypt , Decrypt) be a symmetric encryption scheme. Enc ( A , M 0 , M 1 ) C 0 ← Encrypt( K , A , M 0 ) C 1 ← Encrypt( K , A , M 1 ) ∪ C ← C b return C b PRIV A (Π) r K ← KeyGen; b ← { 0 , 1 } b ′ ← A Enc return ( b ′ = b ) Adv priv ( A ) = 2 Pr[ PRIV A (Π) ⇒ true] − 1 , Π M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 18 / 40

  17. Analysis PRIV This can be proved by relating to the security of CBC mode proved by Bellare et al. [BDJR]. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 19 / 40

  18. Analysis PRIV This can be proved by relating to the security of CBC mode proved by Bellare et al. [BDJR]. R hash ( R, A, M ) M [1] F K F K F K C [0] = F K ( R ) C [1] C [2] M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 19 / 40

  19. Analysis Privacy Let F = { F K : K ∈ { 0 , 1 } k } be a permutation family. Let Π[ F ] be the managed encryption format using permutation family F . Let A be an adversary against Privacy which runs in time t ; making q e encryption queries totalling at most µ e bits. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 20 / 40

  20. Analysis Privacy Let F = { F K : K ∈ { 0 , 1 } k } be a permutation family. Let Π[ F ] be the managed encryption format using permutation family F . Let A be an adversary against Privacy which runs in time t ; making q e encryption queries totalling at most µ e bits. Then there exists adversary B such that: ( B ) + q 2 �� µ e �� 2 l + 1 � 2 � µ e Adv PRIV Π[ F ] ( A ) ≤ 2 Adv prp f l + 2 q e − l + 2 q e F 2 l where B runs in time t + O ( µ e ) asking at most q f = µ e l + 2 q e queries. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 20 / 40

  21. Analysis Security model – AUTH Let Π = (KeyGen , Encrypt , Decrypt) be a symmetric encryption scheme. Test ( A ∗ , C ∗ ) Enc ( A , M ) M ∗ ← Decrypt( K , A ∗ , C ∗ ) C ← Encrypt( K , A , M ) if M ∗ � = ⊥ and ( A ∗ , C ∗ ) �∈ C then ∪ C ← ( A , C ) win ← true return C return ( M ∗ � = ⊥ ) AUTH A (Π) K ← KeyGen win ← false ( A ∗ , C ∗ ) ← A Enc , Test return win ( A ) = Pr[ AUTH A (Π) ⇒ true] Adv auth Π M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 21 / 40

  22. Analysis AUTH A M [1] M [2] M [ n ] R hash hash ( R, A, M ) F K F K F K F K F K C [0] = F K ( R ) C [1] C [2] C [3] C [ n + 1] To forge a ciphertext the adversary must forge the hash. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 22 / 40

  23. Analysis Case 1: Hash not queried ← Perm ] ≤ q t r Pr[(hash( R ∗ , A ∗ , M ∗ ) = h ∗ ) ∧ (( R ∗ , A ∗ , M ∗ , h ∗ ) / ∈ H ) | π 2 l Not previously queried. Random chance on verification. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 23 / 40

  24. Analysis Case 2: Hash already queried ← Perm ] ≤ q h µ e r Pr[(hash( R ∗ , A ∗ , M ∗ ) = h ∗ ) ∧ (( R ∗ , A ∗ , M ∗ , h ∗ ) ∈ H ) | π l 2 l . Previous call to random oracle. If call made by encryption query then invalid forgery. So independent call to hash. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 24 / 40

  25. Analysis Case 2: Hash already queried ← Perm ] ≤ q h µ e r Pr[(hash( R ∗ , A ∗ , M ∗ ) = h ∗ ) ∧ (( R ∗ , A ∗ , M ∗ , h ∗ ) ∈ H ) | π l 2 l . Previous call to random oracle. If call made by encryption query then invalid forgery. So independent call to hash. Analysis is then based on the collision event that for some i , j , C i [ j ] ⊕ M i [ j ] = h ∗ ⊕ π ( R ∗ ) . M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 24 / 40

  26. Analysis AUTH Let F = { F K : K ∈ { 0 , 1 } k } be a permutation family. Let Π[ F ] be the managed encryption format using permutation family F . Let A be an adversary against the AUTH security which runs in time t ; making q e encryption queries totalling at most µ e bits, q t test queries totalling at must µ t bits and q h random oracle queries. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 25 / 40

  27. Analysis AUTH Let F = { F K : K ∈ { 0 , 1 } k } be a permutation family. Let Π[ F ] be the managed encryption format using permutation family F . Let A be an adversary against the AUTH security which runs in time t ; making q e encryption queries totalling at most µ e bits, q t test queries totalling at must µ t bits and q h random oracle queries. Then there exists adversary B such that: ( B ) + q t 2 l + q h µ e Adv AUTH ( A ) ≤ Adv sprp Π[ F ] F l 2 l where B makes q f = µ e l + 2 q e + µ t l queries and runs in time t + O ( µ e + µ t ). M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 25 / 40

  28. Summary Background 1 Motivation 2 Encryption with redundancy 3 Managed Encryption Format 4 Analysis 5 Summary 6 Something different... 7 M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 26 / 40

  29. Summary Summary We have discussed the Managed Encryption Format M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 27 / 40

  30. Summary Summary We have discussed the Managed Encryption Format Despite its limitation we were still able to prove it secure. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 27 / 40

  31. Summary Summary We have discussed the Managed Encryption Format Despite its limitation we were still able to prove it secure. With several important implementation caveats. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 27 / 40

  32. Summary Summary We have discussed the Managed Encryption Format Despite its limitation we were still able to prove it secure. With several important implementation caveats. Care needs to be taken with implementation to ensure security. M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 27 / 40

  33. Something different... Background 1 Motivation 2 Encryption with redundancy 3 Managed Encryption Format 4 Analysis 5 Summary 6 Something different... 7 M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 28 / 40

  34. Something different... And now for something completely different.... M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 29 / 40

  35. Something different... Analysis of the new EMV key agreement protocol Christina Brzuska 1 Nigel P. Smart 2 Bogdan Warinschi 2 Gaven J. Watson 2 1 School of Computer Science, Tel Aviv University, Israel. 2 Dept. Computer Science, University of Bristol, UK. Real World Cryptography Workshop, Stanford – January 10th 2012 C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 30 / 40

  36. Something different... Scheme Card (C) Terminal (T) secret key: d ∈ F q “public” key: Q C = dP cert C = (sig sk ( Q C ) , Q C ) C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 31 / 40

  37. Something different... Scheme Card (C) Terminal (T) secret key: d ∈ F q “public” key: Q C = dP cert C = (sig sk ( Q C ) , Q C ) A = aQ C r ← { 0 , 1 } l a − − − − − − − − − − − − − − − → E = eP r ← − − − − − − − − − − − − − − − e ← F q C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 31 / 40

  38. Something different... Scheme Card (C) Terminal (T) secret key: d ∈ F q “public” key: Q C = dP cert C = (sig sk ( Q C ) , Q C ) A = aQ C r ← { 0 , 1 } l a − − − − − − − − − − − − − − − → E = eP r ← − − − − − − − − − − − − − − − e ← F q ( κ 1 , κ 2 ) = H ( daE ) ( κ 1 , κ 2 ) = H ( eA ) C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 31 / 40

  39. Something different... Scheme Card (C) Terminal (T) secret key: d ∈ F q “public” key: Q C = dP cert C = (sig sk ( Q C ) , Q C ) A = aQ C r ← { 0 , 1 } l a − − − − − − − − − − − − − − − → E = eP r ← − − − − − − − − − − − − − − − e ← F q ( κ 1 , κ 2 ) = H ( daE ) ( κ 1 , κ 2 ) = H ( eA ) ct =enc κ 1 ( cert C , Q C , a ) − − − − − − − − − − − − − − − → ( cert C , Q C , a ) = dec κ 1 ( ct ) ? Check: aQ C = A ? ver pk ( cert C , Q C ) = true C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 31 / 40

  40. Something different... Scheme Card (C) Terminal (T) secret key: d ∈ F q “public” key: Q C = dP cert C = (sig sk ( Q C ) , Q C ) A = aQ C r ← { 0 , 1 } l a − − − − − − − − − − − − − − − → E = eP r ← − − − − − − − − − − − − − − − e ← F q ( κ 1 , κ 2 ) = H ( daE ) ( κ 1 , κ 2 ) = H ( eA ) ct =enc κ 1 ( cert C , Q C , a ) − − − − − − − − − − − − − − − → ( cert C , Q C , a ) = dec κ 1 ( ct ) ? Check: aQ C = A ? ver pk ( cert C , Q C ) = true ct i =enc κ 1 ( m i ) − − − − − − − − − − − − − − − → ct j =enc κ 2 ( m j ) ← − − − − − − − − − − − − − − − C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 31 / 40

  41. Something different... What is the correct security model? Authenticated key exchange security model – Bellare and Rogaway 1993. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 32 / 40

  42. Something different... What is the correct security model? Authenticated key exchange security model – Bellare and Rogaway 1993. Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. At some point A makes Test query which returns either real or random session key. A must distinguish cases. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 32 / 40

  43. Something different... What is the correct security model? Authenticated key exchange security model – Bellare and Rogaway 1993. Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. At some point A makes Test query which returns either real or random session key. A must distinguish cases. Schemes with a key confirmation step cannot be secure. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 32 / 40

  44. Something different... What is the correct security model? Authenticated key exchange security model – Bellare and Rogaway 1993. Model in a nutshell: A is permitted NewSession, Send, Reveal and Corrupt queries. At some point A makes Test query which returns either real or random session key. A must distinguish cases. Schemes with a key confirmation step cannot be secure. (Decrypt the last message and check.) C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 32 / 40

  45. Something different... ACCE Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE). C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 33 / 40

  46. Something different... ACCE Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE). ACCE = AKE + sLHAE. Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 33 / 40

  47. Something different... ACCE Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE). ACCE = AKE + sLHAE. Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt Challenge – For each session the challenger chooses a random bit b . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 33 / 40

  48. Something different... ACCE Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE). ACCE = AKE + sLHAE. Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt Challenge – For each session the challenger chooses a random bit b . Encrypt takes as input two messages m 0 , m 1 and returns encryption of m b . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 33 / 40

  49. Something different... ACCE Jager et al. propose Authenticated and Confidential Channel Establishment (ACCE). ACCE = AKE + sLHAE. Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt Challenge – For each session the challenger chooses a random bit b . Encrypt takes as input two messages m 0 , m 1 and returns encryption of m b . A must guess b for one particular session. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 33 / 40

  50. Something different... ACCE issues Permitted Decryptions: C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  51. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  52. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  53. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . As stated model checks i does not returned decrypt messages encrypted by itself. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  54. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . As stated model checks i does not returned decrypt messages encrypted by itself. Reveal Queries: C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  55. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . As stated model checks i does not returned decrypt messages encrypted by itself. Reveal Queries: Consider both EMV and TLS. Last operation by card is to send an encrypted message. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  56. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . As stated model checks i does not returned decrypt messages encrypted by itself. Reveal Queries: Consider both EMV and TLS. Last operation by card is to send an encrypted message. Immediately after message is sent A can reveal the key and re-encrypt message with new randomness. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  57. Something different... ACCE issues Permitted Decryptions: Consider partners i and j . Different keys for each direction. j encrypts messages for i to decrypt. A should not see decryption by i of encryption output by j . As stated model checks i does not returned decrypt messages encrypted by itself. Reveal Queries: Consider both EMV and TLS. Last operation by card is to send an encrypted message. Immediately after message is sent A can reveal the key and re-encrypt message with new randomness. The other participant will accept but matching conversations will not hold. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 34 / 40

  58. Something different... Our model EAMAP Model: A permitted queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 35 / 40

  59. Something different... Our model EAMAP Model: A permitted queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations. Security in three parts: Entity Authentication, Message Authentication and Message Privacy. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 35 / 40

  60. Something different... Our model EAMAP Model: A permitted queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations. Security in three parts: Entity Authentication, Message Authentication and Message Privacy. Fixing reveal query issue – entity authentication w.r.t. matching conversations on the plaintext . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 35 / 40

  61. Something different... Our model EAMAP Model: A permitted queries NewSession, Send, Reveal and Corrupt. Send controls all key-exchange, encrypt and decrypt operations. Security in three parts: Entity Authentication, Message Authentication and Message Privacy. Fixing reveal query issue – entity authentication w.r.t. matching conversations on the plaintext . One-sided authentication. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 35 / 40

  62. Something different... Security Entity Authentication – Matching plaintext conversations – Forge certificates. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 36 / 40

  63. Something different... Security Entity Authentication – Matching plaintext conversations – Forge certificates. Message Authentication – Gap-DH Matching plaintext conversations – certificate forgery AUTH of encryption scheme (stateful) C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 36 / 40

  64. Something different... Security Entity Authentication – Matching plaintext conversations – Forge certificates. Message Authentication – Gap-DH Matching plaintext conversations – certificate forgery AUTH of encryption scheme (stateful) Message Privacy – Gap-DH Matching plaintext conversations – certificate forgery PRIV of encryption scheme (stateful) C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 36 / 40

  65. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

  66. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. Model in a nutshell: A permitted NewSession, Send, Reveal and Corrupt queries. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

  67. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. Model in a nutshell: A permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i 0 and i 1 . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

  68. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. Model in a nutshell: A permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i 0 and i 1 . Challenger chooses random bit b and creates a session based on i b . C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

  69. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. Model in a nutshell: A permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i 0 and i 1 . Challenger chooses random bit b and creates a session based on i b . A makes further queries, C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

  70. Something different... Unlinkability – Model We have the additional requirement of unlinkability of card session. Model in a nutshell: A permitted NewSession, Send, Reveal and Corrupt queries. A outputs two identities i 0 and i 1 . Challenger chooses random bit b and creates a session based on i b . A makes further queries, including Send queries to challenge session. C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 37 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

534 views • 17 slides
The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

532 views • 17 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu What is an indirect call? 2 Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void

934 views • 56 slides
Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward

Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward

Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward Looking Statements: Delek US Holdings, Inc. (Delek US) and Delek Logistics Partners, LP (Delek Logistics; and collectively with Delek US,

448 views • 12 slides
Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange

Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange

Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange Performance, Deployment & Modeling & Reliability, & Tech Field Experience Analysis Advancement Each session will have three parts:

89 views • 7 slides
Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year

Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year

Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Financial Results Financial Results June 9, 2011 1 Forward Looking Statements Certain statements included in this management presentation

622 views • 17 slides
AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the

AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the

AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the throughout The recording audio through our meeting; and slides will be the computer or please test it posted on the on the phone: now with a

316 views • 19 slides
How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron

How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron

How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron Director, Technology Innovation Agenda Introduction 1 Challenges 2 Use Case 3 Project Milestones 4 Whats Next 5 2 ABOUT ME @taldor oron

619 views • 47 slides
WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U

WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U

WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U B L I C H E A L T H N U T R I T I O N I S T S Updates Update from Funded States AR, MA, NV Project Updates/Timeline Virtual Options

88 views • 6 slides
VIA : Improving Internet Telephony Quality VIA Using Predictive Relay Selection Junchen Jiang ,

VIA : Improving Internet Telephony Quality VIA Using Predictive Relay Selection Junchen Jiang ,

VIA : Improving Internet Telephony Quality VIA Using Predictive Relay Selection Junchen Jiang , Rajdeep Das, Ganesh Ananthanarayanan, Philip A. Chou, Venkata N. Padmanabhan, Vyas Sekar, Esbjorn Dominique, Marcin Goliszewski, Dalibor Kukoleca,

488 views • 22 slides

More recommend