AUTHENTICATED ENCRYPTION
So Far ...
We have looked at methods to provide privacy and integrity/authenticity separately:

Goal                          Primitive              Security notions
Data privacy                  symmetric encryption   IND-CPA, IND-CCA
Data integrity/authenticity   MA scheme/MAC          UF-CMA, SUF-CMA
Authenticated Encryption
In practice we often want both privacy and integrity/authenticity.
Example: A doctor wishes to send medical information M about Alice to the medical database. Then
• We want data privacy to ensure Alice's medical records remain confidential.
• We want integrity/authenticity to ensure the person sending the information is really the doctor and the information was not modified in transit.
We refer to this as authenticated encryption.
Authenticated Encryption Schemes
Syntactically, an authenticated encryption scheme is just a symmetric encryption scheme AE = (K, E, D) where
Privacy of Authenticated Encryption Schemes
The notions of privacy for symmetric encryption carry over:
• IND-CPA
• IND-CCA
Integrity of Authenticated Encryption Schemes
Adversary's goal is to get the receiver to accept a "non-authentic" ciphertext C. Two possible interpretations of "non-authentic":
• Integrity of plaintexts: M = D_K(C) was never encrypted by the sender
• Integrity of ciphertexts: C was never transmitted by the sender
INT-PTXT
Let AE = (K, E, D) be a symmetric encryption scheme and A an adversary.

Game INTPTXT_AE
procedure Initialize
  K ←$ K; S ← ∅
procedure Enc(M)
  C ←$ E_K(M)
  S ← S ∪ {M}
  return C
procedure Dec(C)
  M ← D_K(C)
  if (M ∉ S ∧ M ≠ ⊥) then win ← true
  return win
procedure Finalize
  return win

The int-ptxt advantage of A is $\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{AE}(A) = \Pr[\mathrm{INTPTXT}^{A}_{AE} \Rightarrow \mathsf{true}]$.
INT-CTXT
Let AE = (K, E, D) be a symmetric encryption scheme and A an adversary.

Game INTCTXT_AE
procedure Initialize
  K ←$ K; S ← ∅
procedure Enc(M)
  C ←$ E_K(M)
  S ← S ∪ {C}
  return C
procedure Dec(C)
  M ← D_K(C)
  if (C ∉ S ∧ M ≠ ⊥) then win ← true
  return win
procedure Finalize
  return win

The int-ctxt advantage of A is $\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{AE}(A) = \Pr[\mathrm{INTCTXT}^{A}_{AE} \Rightarrow \mathsf{true}]$.
INT-CTXT ⇒ INT-PTXT
If AE = (K, E, D) is INT-CTXT secure then it is also INT-PTXT secure.
Why? Suppose A makes Enc queries M_1, ..., M_q resulting in ciphertexts C_1 ←$ E_K(M_1), ..., C_q ←$ E_K(M_q), and suppose A then makes query Dec(C). Let M = D_K(C).
Fact: M ∉ {M_1, ..., M_q} ⇒ C ∉ {C_1, ..., C_q}
(Contrapositive: if C = C_i for some i, then by decryption correctness M = D_K(C_i) = M_i, so M is in the set.)
So if A wins INTPTXT_AE it also wins INTCTXT_AE.
Theorem: For any adversary A, $\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{AE}(A) \le \mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{AE}(A)$.
INT-PTXT ⇏ INT-CTXT
Counterexample: Construct AE = (K, E, D) which is
• not INT-CTXT secure, but
• is INT-PTXT secure
Approach: Start from some INT-PTXT secure AE′ = (K′, E′, D′) and modify it to AE so that:
• There is an attack showing AE is not INT-CTXT secure
• There is a proof by reduction showing AE inherits the INT-PTXT security of AE′.
INT-PTXT ⇏ INT-CTXT
Given AE′ = (K′, E′, D′), let AE = (K′, E, D) where

Alg E_K(M)
  C′ ←$ E′_K(M); C ← 0 || C′
  Return C
Alg D_K(C)
  b || C′ ← C; M ← D′_K(C′)
  Return M

Observe: If C = 0 || C′ ←$ E_K(M) then
• 1 || C′ ≠ 0 || C′, but
• D_K(1 || C′) = D_K(0 || C′)

adversary A
  Let M be any message
  0 || C′ ←$ Enc(M); x ← Dec(1 || C′)

Then $\mathbf{Adv}^{\mathrm{int\text{-}ctxt}}_{AE}(A) = 1$.
Note: This does not compromise INT-PTXT security because x = M.
INT-PTXT ⇏ INT-CTXT
Claim: If AE′ is INT-PTXT secure, then so is the scheme AE = (K′, E, D) defined above.
Why? An attack on AE can be turned into one on AE′: an adversary B against AE′ runs A, answers A's Enc(M) queries by querying its own Enc oracle and prepending the bit 0, and answers A's Dec(b || C′) queries by querying its own Dec oracle on C′. Since D_K(b || C′) = D′_K(C′), any plaintext that A gets AE to accept without it having been encrypted is a plaintext that B gets AE′ to accept without it having been encrypted. A formal proof is by reduction.
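The following is an added example, not code from the slides: it implements the INTPTXT and INTCTXT games above as a single function, instantiates AE′ with a toy Encrypt-then-MAC scheme (SHAKE256 keystream plus HMAC-SHA256 tag; key, nonce and tag sizes are my own choices), builds AE by prepending a discarded byte in place of the slide's bit, and runs the prefix-flipping adversary of the counterexample against both games. The point it makes concrete is that 1 || C′ is a ciphertext forgery but not a plaintext forgery.

```python
import hashlib
import hmac
import os

# Toy key, nonce and tag sizes (assumptions for this example, not from the slides).
KEYLEN, NONCELEN, TAGLEN = 32, 16, 32


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    # K' = (K_e, K_m): an encryption key and a MAC key.
    return os.urandom(KEYLEN), os.urandom(KEYLEN)


def enc_prime(key, m):
    """E'_K(M): Encrypt-then-MAC. Randomized keystream encryption (SHAKE256 keyed by
    prefix, fresh random nonce) followed by an HMAC-SHA256 tag over nonce || body."""
    ke, km = key
    nonce = os.urandom(NONCELEN)
    body = nonce + xor(m, hashlib.shake_256(ke + nonce).digest(len(m)))
    return body + hmac.new(km, body, hashlib.sha256).digest()


def dec_prime(key, c):
    """D'_K(C): returns None (the slides' ⊥) unless the tag verifies."""
    ke, km = key
    if len(c) < NONCELEN + TAGLEN:
        return None
    body, tag = c[:-TAGLEN], c[-TAGLEN:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        return None
    nonce, ct = body[:NONCELEN], body[NONCELEN:]
    return xor(ct, hashlib.shake_256(ke + nonce).digest(len(ct)))


# The modified scheme AE = (K', E, D) of the slide: E prepends a 0 (here a whole
# 0x00 byte rather than a bit) and D discards whatever prefix it finds.
def enc(key, m):
    return b"\x00" + enc_prime(key, m)


def dec(key, c):
    return dec_prime(key, c[1:]) if c else None


def int_game(keygen, enc, dec, adversary, mode):
    """The INTPTXT (mode='ptxt') and INTCTXT (mode='ctxt') games of the slides.
    S collects encrypted messages or returned ciphertexts respectively; the
    adversary wins if Dec accepts (returns a non-⊥ value for) something not in S."""
    key = keygen()
    S, state = set(), {"win": False}

    def Enc(m):
        c = enc(key, m)
        S.add(m if mode == "ptxt" else c)
        return c

    def Dec(c):
        m = dec(key, c)
        if m is not None and (m if mode == "ptxt" else c) not in S:
            state["win"] = True
        return m

    adversary(Enc, Dec)
    return state["win"]


def adversary_flip_prefix(Enc, Dec):
    # The slide's adversary: obtain 0||C' and submit 1||C'.
    c = Enc(b"attack at dawn")
    Dec(b"\x01" + c[1:])


def adversary_flip_tag(Enc, Dec):
    # Control: damaging the tag instead is rejected, so this wins neither game.
    c = Enc(b"attack at dawn")
    Dec(c[:-1] + bytes([c[-1] ^ 0x01]))


def run():
    """(AE int-ctxt win, AE int-ptxt win, AE' int-ctxt win) for the prefix flipper."""
    return (
        int_game(keygen, enc, dec, adversary_flip_prefix, "ctxt"),
        int_game(keygen, enc, dec, adversary_flip_prefix, "ptxt"),
        int_game(keygen, enc_prime, dec_prime, adversary_flip_prefix, "ctxt"),
    )


if __name__ == "__main__":
    print(run())
```

The third entry is the control from the reduction: against AE′ itself the same adversary alters the authenticated nonce, the tag fails, and there is no forgery of either kind.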
Integrity with privacy
The goal of authenticated encryption is to provide both integrity and privacy. We will be interested in:
• IND-CPA + INT-PTXT
• IND-CPA + INT-CTXT
Relations
A → B: Any A-secure scheme is B-secure
A ↛ B: There is an A-secure scheme that is not B-secure
Plain Encryption Does Not Provide Integrity
CBC$ encryption with block cipher E: {0,1}^k × {0,1}^n → {0,1}^n:

Alg E_K(M)
  C[0] ←$ {0,1}^n
  For i = 1, ..., m do
    C[i] ← E_K(C[i−1] ⊕ M[i])
  Return C
Alg D_K(C)
  For i = 1, ..., m do
    M[i] ← E_K^{−1}(C[i]) ⊕ C[i−1]
  Return M

Question: Is CBC$ encryption INT-PTXT or INT-CTXT secure?
Answer: No, because any string C[0] C[1] ... C[m] has a valid decryption.
Plain Encryption Does Not Provide Integrity
Against CBC$ as above:

adversary A
  C[0] C[1] C[2] ←$ {0,1}^{3n}
  M[1] M[2] ← Dec(C[0] C[1] C[2])

Then $\mathbf{Adv}^{\mathrm{int\text{-}ptxt}}_{SE}(A) = 1$.
This violates INT-PTXT. A scheme whose decryption algorithm never outputs ⊥ cannot provide integrity!
A Better Attack on CBC$
Suppose A has the CBC$ encryption C[0] C[1] of a 1-block known message M. Then it can create an encryption C′[0] C′[1] of any (1-block) message M′ of its choice via
  C′[0] ← C[0] ⊕ M ⊕ M′
  C′[1] ← C[1]
[Figure: the two CBC$ chains side by side. With IV C[0] the block cipher input is C[0] ⊕ M; with IV C[0] ⊕ M ⊕ M′ the input is C[0] ⊕ M ⊕ M′ ⊕ M′ = C[0] ⊕ M again, so both chains output C[1].]
Encryption with Redundancy
Here E: {0,1}^k × {0,1}^n → {0,1}^n is our block cipher and h: {0,1}* → {0,1}^n is a "redundancy" function, for example
• h(M[1] ... M[m]) = 0^n
• h(M[1] ... M[m]) = M[1] ⊕ ··· ⊕ M[m]
• A CRC
• h(M[1] ... M[m]) is the first n bits of SHA1(M[1] ... M[m]).
The redundancy is verified upon decryption.
Encryption with Redundancy
Let E: {0,1}^k × {0,1}^n → {0,1}^n be our block cipher and h: {0,1}* → {0,1}^n a redundancy function. Let SE = (K, E′, D′) be CBC$ encryption and define the encryption with redundancy scheme AE = (K, E, D) via

Alg E_K(M)
  M[1] ... M[m] ← M
  M[m+1] ← h(M)
  C ←$ E′_K(M[1] ... M[m] M[m+1])
  return C
Alg D_K(C)
  M[1] ... M[m] M[m+1] ← D′_K(C)
  if (M[m+1] = h(M[1] ... M[m])) then return M[1] ... M[m]
  else return ⊥
Arguments in Favor of Encryption with Redundancy
The adversary will have a hard time producing the last enciphered block of a new message.
Encryption with Redundancy Fails

adversary A
  M[1] ←$ {0,1}^n; M[2] ← h(M[1])
  C[0] C[1] C[2] C[3] ←$ Enc(M[1] M[2])
  M[1] ← Dec(C[0] C[1] C[2])

[Figure: CBC$ encryption of the three blocks M[1], M[2] = h(M[1]) and h(M[1] M[2]) produces C[0] C[1] C[2] C[3].]
Dropping C[3] leaves C[0] C[1] C[2], which CBC$-decrypts to M[1] M[2] = M[1] h(M[1]); the redundancy check passes and Dec returns M[1], a message the sender never encrypted on its own. This attack succeeds for any (not secret-key dependent) redundancy function h.
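The following is an added example, not code from the slides: it runs the three CBC$ attacks of the preceding slides (decryption never rejects, the one-block known-plaintext forgery, and the truncation attack on encryption with redundancy) against a toy instantiation. The block cipher is a 64-bit 4-round Feistel network with HMAC-SHA256 round functions, and the redundancy function is h(M[1] ... M[m]) = M[1] ⊕ ··· ⊕ M[m] from the list above; both choices, and the 32-byte key, are mine. Messages are assumed to be whole blocks.

```python
import hashlib
import hmac
import os

BLOCK = 8  # n = 64-bit blocks for the toy cipher (an assumption for this example)
HALF = BLOCK // 2


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _f(key, i, half):
    # Round function: HMAC-SHA256 of (round index, half block), truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def E(key, x):
    """Toy block cipher E_K: a 4-round Feistel network over 64-bit blocks."""
    L, R = x[:HALF], x[HALF:]
    for i in range(4):
        L, R = R, xor(L, _f(key, i, R))
    return L + R


def E_inv(key, y):
    """E_K^{-1}: undo the rounds in reverse order."""
    L, R = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        L, R = xor(R, _f(key, i, L)), L
    return L + R


def cbc_enc(key, m):
    """CBC$: C[0] random, C[i] = E_K(C[i-1] XOR M[i])."""
    c = [os.urandom(BLOCK)]
    for mi in blocks(m):
        c.append(E(key, xor(c[-1], mi)))
    return b"".join(c)


def cbc_dec(key, c):
    """CBC$ decryption never outputs ⊥: every string of blocks decrypts to something."""
    cb = blocks(c)
    return b"".join(xor(E_inv(key, cb[i]), cb[i - 1]) for i in range(1, len(cb)))


def forge_one_block(c, m, m_new):
    """The 'better attack': from C[0]C[1] encrypting known M, build C'[0]C'[1]
    encrypting M' by setting C'[0] = C[0] XOR M XOR M' and keeping C'[1] = C[1]."""
    c0, c1 = c[:BLOCK], c[BLOCK:2 * BLOCK]
    return xor(xor(c0, m), m_new) + c1


# Encryption with redundancy on top of CBC$, with h = XOR of the message blocks.
def h(m):
    out = bytes(BLOCK)
    for b in blocks(m):
        out = xor(out, b)
    return out


def enc_red(key, m):
    return cbc_enc(key, m + h(m))


def dec_red(key, c):
    p = cbc_dec(key, c)
    if len(p) < BLOCK:
        return None
    m, tag = p[:-BLOCK], p[-BLOCK:]
    return m if tag == h(m) else None  # None plays the role of ⊥


def redundancy_attack(key):
    """The slide's adversary: encrypt M[1] M[2] with M[2] = h(M[1]), then drop the
    last ciphertext block. Returns (accepted plaintext, set S of encrypted messages)."""
    m1 = os.urandom(BLOCK)
    m2 = h(m1)
    S = {m1 + m2}
    c = enc_red(key, m1 + m2)      # C[0] C[1] C[2] C[3]
    forged = c[:3 * BLOCK]         # C[0] C[1] C[2]
    return dec_red(key, forged), S  # accepted plaintext M[1], which is not in S


if __name__ == "__main__":
    k = os.urandom(32)
    m, m_new = b"PAY $100", b"PAY $999"
    print(cbc_dec(k, forge_one_block(cbc_enc(k, m), m, m_new)) == m_new)
    forged, S = redundancy_attack(k)
    print(forged is not None and forged not in S)
```

With h = XOR the first chosen block satisfies M[2] = h(M[1]) = M[1], but the adversary only ever needs to compute h itself, which is why the truncation works for any key-independent redundancy function.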
WEP Attack
A "real-life" rendition of this attack broke the 802.11 WEP protocol, which instantiated h as CRC and used a stream cipher for encryption [BGW]. What makes the attack easy to see is having a clear, strong and formal security model.
Generic Composition
Build an authenticated encryption scheme AE = (K, E, D) by combining
• a given IND-CPA symmetric encryption scheme SE = (K′, E′, D′) (e.g. CBC$-AES, CTRC-AES, ...)
• a given SUF-CMA MAC MA[F] where F: {0,1}^k × {0,1}* → {0,1}^n (e.g. HMAC-SHA1, CMAC, PMAC, UMAC, ...)
Generic Composition
A key K = K_e || K_m for AE always consists of a key K_e for SE and a key K_m for F:

Alg K
  K_e ←$ K′; K_m ←$ {0,1}^k
  Return K_e || K_m
Generic Composition Methods
The order in which the primitives are applied is important. Can consider

Method                   Usage
Encrypt-and-MAC (E&M)    SSH
MAC-then-encrypt (MtE)   SSL/TLS
Encrypt-then-MAC (EtM)   IPSec

We study these following [BN].
Encrypt-and-MAC
AE = (K, E, D) is defined by

Alg E_{K_e || K_m}(M)
  C′ ←$ E′_{K_e}(M)
  T ← F_{K_m}(M)
  Return C′ || T
Alg D_{K_e || K_m}(C′ || T)
  M ← D′_{K_e}(C′)
  If (T = F_{K_m}(M)) then return M
  Else return ⊥

Security Achieved?
IND-CPA    NO
INT-PTXT
INT-CTXT
Why? T = F_{K_m}(M) is a deterministic function of M and allows detection of repeats.
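The following is an added example, not code from the slides: it builds Encrypt-and-MAC from a toy IND-CPA scheme (random nonce plus SHAKE256 keystream, my choice) and HMAC-SHA256 as F, implements the IND-CPA left-or-right game, and runs the repeat-detecting adversary the slide describes. For contrast it also runs the same adversary against Encrypt-then-MAC from the methods table, where the tag covers the randomized C′ rather than M; the claim made for EtM is only that this particular adversary gains nothing.

```python
import hashlib
import hmac
import os

TAGLEN = 32  # HMAC-SHA256 output; key and nonce sizes below are also assumptions


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    # K = K_e || K_m: encryption key for SE and MAC key for F.
    return os.urandom(32), os.urandom(32)


def se_enc(ke, m):
    """E'_{K_e}: randomized keystream encryption, nonce || (M XOR SHAKE256(K_e || nonce))."""
    nonce = os.urandom(16)
    return nonce + xor(m, hashlib.shake_256(ke + nonce).digest(len(m)))


def se_dec(ke, c):
    nonce, body = c[:16], c[16:]
    return xor(body, hashlib.shake_256(ke + nonce).digest(len(body)))


def F(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()


def eam_enc(key, m):
    """Encrypt-and-MAC: C' || T with T = F_{K_m}(M), a deterministic function of M."""
    ke, km = key
    return se_enc(ke, m) + F(km, m)


def eam_dec(key, c):
    ke, km = key
    c_prime, t = c[:-TAGLEN], c[-TAGLEN:]
    m = se_dec(ke, c_prime)
    return m if hmac.compare_digest(t, F(km, m)) else None  # None plays the role of ⊥


def etm_enc(key, m):
    """Encrypt-then-MAC, for contrast: the tag covers the randomized C' instead of M."""
    ke, km = key
    c_prime = se_enc(ke, m)
    return c_prime + F(km, c_prime)


def ind_cpa_game(enc, adversary, b):
    """IND-CPA left-or-right game: LR(M0, M1) returns an encryption of M_b."""
    key = keygen()

    def LR(m0, m1):
        if len(m0) != len(m1):
            raise ValueError("LR queries must have equal length")
        return enc(key, m1 if b else m0)

    return adversary(LR)


def repeat_detector(LR):
    """Queries LR(M0, M0) then LR(M0, M1). Under E&M the two tags are equal iff b = 0."""
    m0, m1 = b"YES", b"NO!"
    c1 = LR(m0, m0)
    c2 = LR(m0, m1)
    return 0 if c1[-TAGLEN:] == c2[-TAGLEN:] else 1


def advantage(enc, adversary, trials=16):
    """Adv^ind-cpa(A) = Pr[A outputs 1 | b = 1] - Pr[A outputs 1 | b = 0], estimated over trials."""
    p1 = sum(ind_cpa_game(enc, adversary, 1) for _ in range(trials)) / trials
    p0 = sum(ind_cpa_game(enc, adversary, 0) for _ in range(trials)) / trials
    return p1 - p0


if __name__ == "__main__":
    print("E&M advantage:", advantage(eam_enc, repeat_detector))
    print("EtM advantage:", advantage(etm_enc, repeat_detector))
```

The adversary never touches C′, so it does not matter how good SE is: the tag alone leaks whether the two left messages (or the two right messages) were equal.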