Authenticated Encryption
Atul Luykx
COSIC, ESAT, KU Leuven, Belgium
July 15, 2016

Modeling Attacks
[Diagram: Encryption (key K), Adversary, Decryption (key K)]

Ciphertext-Only
Plaintext unknown, adversary receives only ciphertext
[Diagram: m_1, m_2, m_3, m_4 → E_K → c_1, c_2, c_3, c_4]

Ciphertext-Only Attacks In Practice

Known Plaintext Attacks

KPA: Brute Force
[Diagram: m_1 → E_K → c_1]

Cipher    Block size    Key size
DES       64            56
AES       128           128, 192, 256
KATAN     32, 48, 64    80

1. Key recovery
   ◮ Determines how long the data must be protected
   ◮ Properly designed block cipher: brute force
   ◮ 80 bit key: long-term protection against small organizations, very short-term protection against agencies [1]
   ◮ Guessing one key out of many is much easier

[1] ECRYPT II 2012 key size recommendation

Chosen-Plaintext Attacks
1. Diplomatic messaging
2. ATMs and PINs
3. Locks, sensors, cameras
4. JavaScript code in browsers

CPA: BEAST
[Diagrams: two chained encryptions of m_1, m_2, m_3, m_4 with IV ⊕ m_1 entering the first E_K and outputs c_1, c_2, c_3, c_4, one labelled "Secure:" and one labelled "Insecure:"]

CPA: BEAST
[Diagram: m_1, m_2 encrypted under IV_1 give c_1, c_2; c_2 = IV_2 for the next message m'_1, m'_2, which gives c'_1, c'_2]
m'_1 = IV_1 ⊕ IV_2 ⊕ Guess
Inject zero padding in m_1

Chosen-Ciphertext Attacks
1. Devices all connected to internet: easy access to decryption
2. TLS padding oracle attack: decryption algorithm leaks validity of padding
3. Data Authenticity?

Necessary Security Level
Chosen-ciphertext Confidentiality and Authenticity
⇒ Authenticated Encryption

Authenticated Encryption
[Diagram: AEnc_K and ADec_K, both keyed with K; ADec_K can output ⊥]

Authenticated Encryption Security
AE security = Confidentiality + Authenticity
Simultaneous vs Separate Treatment

Authenticity: Intuition
[Diagram: AEnc_K and ADec_K, both keyed with K; ADec_K can output ⊥]

Authenticity: Formalization
[Diagram: (N, M) → AEnc_K → (N, C); (N, C') → ADec_K → ⊥ ?]

Authenticity: Adversarial Power
[Diagram: (N, M) → AEnc_K → (N, C)]
Plaintext Control:
   ◮ Ciphertext-only: Random
   ◮ Known Plaintext: M_1, M_2, ..., M_q
   ◮ Chosen Plaintext
Nonce Control:
   ◮ Force Uniqueness
   ◮ Allow “Abuse”

Non-Example: One-time pad
[Diagram: sender with K and N_2 computes C_1 = pad + M_1 and C_2 = pad + M_2; receiver with K and N_2 computes M_2 from C_2]
[Diagram: receiver with K and N_2 is handed some C and computes M_2 from it. Valid?]
[Diagram: sender encrypts M ‖ M to C; receiver decrypts C and compares the two halves. If equal, valid. The diagram also shows M' ‖ M' on the sender side.]

Using a Block Cipher
[Diagram: M ‖ M → E_K → C; C → E_K^{-1} → M ‖ M ?]
[Diagram: N ‖ M → E_K → C; C → E_K^{-1} → N ‖ M ?]

Authenticity Only
Confidentiality does not imply Authenticity
[Diagram: the AEnc_K / ADec_K pair (output ⊥ ?) is replaced by Tag_K / Verify_K (output ⊥ ?)]

Example: Authentication With Block Cipher
[Diagram: Tag_K: M → E_K → T. Verify_K: takes M' and T*, computes T' with E_K and checks equality (=?)]
Inputs to E_K shown in successive builds of the slide:
   ◮ M
   ◮ M_1 ⊕ M_2
   ◮ E_L(M_1) ⊕ E_L(M_2)
   ◮ E_L(N) ⊕ E_L(M_1) ⊕ E_L(M_2)

Authentication Algorithm Design
[Diagram: (N, M) → PRF_K → T; compare T' =? T; output 1 or 0]

Pseudorandom Functions
[Diagram: (N, M) → PRF_K → T, side by side with (N, M) → Random → T]

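Added example (not part of the original slides): the M ‖ M check from the "Non-Example: One-time pad" slide accepts a ciphertext whose two halves were shifted by the same XOR difference, while the PRF-based tag check from "Authentication Algorithm Design" rejects it. Assumptions: SHAKE-256 stands in for the pad, HMAC-SHA256 for PRF_K, the tag is computed over the ciphertext, and all function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumption: SHAKE-256(key || nonce) stands in for the slide's pad.
    return hashlib.shake_256(key + nonce).digest(n)

def otp_enc(key: bytes, nonce: bytes, m: bytes) -> bytes:
    # The slide's non-example: encrypt the redundant encoding M || M.
    mm = m + m
    return xor(mm, pad(key, nonce, len(mm)))

def otp_dec(key: bytes, nonce: bytes, c: bytes):
    # "If equal, valid": accept only when both halves match; None plays ⊥.
    mm = xor(c, pad(key, nonce, len(c)))
    left, right = mm[:len(mm) // 2], mm[len(mm) // 2:]
    return left if left == right else None

def shift_both_halves(c: bytes, delta: bytes) -> bytes:
    # XOR is linear: the same delta applied to both halves keeps them equal.
    return xor(c, delta + delta)

def tag(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # T = PRF_K(N, data); HMAC-SHA256 is the assumed PRF. The nonce is
    # length-prefixed so that (N, data) encodes unambiguously.
    msg = len(nonce).to_bytes(2, "big") + nonce + data
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, nonce: bytes, data: bytes, t: bytes) -> bool:
    # Recompute T' and compare with T in constant time.
    return hmac.compare_digest(tag(key, nonce, data), t)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    m, m_other = b"PAY 0100 TO BOB", b"PAY 9900 TO EVE"  # constructed samples
    c = otp_enc(enc_key, nonce, m)
    t = tag(mac_key, nonce, c)  # assumption: the tag covers the ciphertext
    c_mod = shift_both_halves(c, xor(m, m_other))
    return (otp_dec(enc_key, nonce, c), otp_dec(enc_key, nonce, c_mod),
            verify(mac_key, nonce, c, t), verify(mac_key, nonce, c_mod, t))

if __name__ == "__main__":
    print(demo())
```

The redundancy check only rejects changes that hit one half and not the other; the tag check rejects any change to the nonce or ciphertext.
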
Modes of Operation
[Diagram: PRF_K; single block m_1 → E_K → c_1; blocks m_1, m_2, m_3, m_4 chained through + and E_K to produce T]

Overview
1. Block cipher
   [Diagram: m_1 → E_K → c_1]
2. Mode of operation
   [Diagram: m_1, m_2, m_3, m_4 chained through + and E_K to produce T]