1 OWCM: One-Way Counter Mode
Danilo Gligoroski, Hristina Mihajloska and Håkon Jacobsen
Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of Science and Technology - NTNU, NORWAY
DIAC 2013, OWCM: One-Way Counter Mode
2 In this talk I will present the material from our two submissions to DIAC 2013 (as agreed with the organizer)
3 In this talk I will present the material from our two submissions to DIAC 2013 (as agreed with the organizer)
• Should MACs retain hash properties when the key is known in the next AEAD?
• OWCM: One-Way Counter Mode (initial design, introductory advertisement)
4 Let us start with the following story from a design meeting in one organization …
"In our BIG organization we want to introduce a new feature in our huge BIG DATABASE: Authenticated Encryption with Associated Data."
[Figure: the BIG DATA cloud: emails, social networks, chats, financial secrets, video surveillance, telephone conversations, SMS, industrial secrets]
5 "We should use a software library that implements NSA Suite B Cryptography."
6 "Or we can use some open source crypto library such as: OpenSSL, Crypto++, …"
7 "Yeah, OpenSSL and Crypto++ have CCM and GCM mode implemented. And these modes are provably secure."
8 "Maybe we can use OCB mode, it is much faster than GCM mode (but it is patented)."
9 "But sometimes files are really big (like hundreds of gigabytes). We cannot transfer them every time we need just a sanity check that the data is not corrupted."
10 "All software libraries that perform AEAD have functions that give us back only the authentication tag. We will communicate that tag in a secure way, so there is no need to transfer ALL DATA …"
11 "Yeah, we solved the problem: we will use the NSA-approved set of cryptographic functions that are mathematically proved to be secure. WHAT COULD POSSIBLY GO WRONG?"
12 "What about insider attacks and abuses?"
13 What about insider attacks and abuses?
16 What about insider attacks and abuses?
• An insider attack is intentional misuse by individuals who are authorized to use computers and networks.
• An insider attack is more dangerous than an outsider attack from the point of view of financial, safety and security losses.
• At the same time, detecting and preventing insider attacks is much more difficult than defending against external attacks.
17 "We need new thinking for a new era. … and meanwhile technology has given governments, including our own, unprecedented capability to monitor communications."
Press conference, Aug 9th, 2013
18 "And the other thing that's happening is, is that as technology develops further, technology itself may provide us some additional safeguards."
Press conference, Aug 9th, 2013
19 "… I mean, there may be some technological fixes that provide another layer of assurance. … But it is absolutely true that with the expansion of technology, this is an area that's moving very quickly -- with the revelations that have depleted public trust, that if there are some additional things that we can do to build that trust back up, then we should do them."
Press conference, Aug 9th, 2013
20 CAESAR call for submissions, draft 3
Can the CAESAR competition provide an additional safeguard against insider abuses?
• Submission requirements
– Security goals: A table quantifying, for each of the recommended parameter sets, the intended number of bits of security (i.e., the logarithm base 2 of the attack cost) in each of the following categories:
– confidentiality for the plaintext;
– confidentiality for the secret message number (omit if the secret message number has length 0);
– integrity for the plaintext;
– integrity for the associated data;
– integrity for the secret message number (omit if the secret message number has length 0);
– integrity for the public message number (omit if the public message number has length 0); and
– any additional security goals and robustness goals that the submitters wish to point out.
21 CAESAR call for submissions, draft 3 (same excerpt of the submission requirements as on slide 20)
22 CAESAR call for submissions, draft 3 (same excerpt of the submission requirements as on slide 20)
What about the robustness against insider attacks and insider abuses?
23 Easy exercise 1: Find two colliding messages for CCM when the key K is known
24 Easy exercise 2: Find two colliding messages for GCM when the key K is known
26 Easiest exercise 3: Find two colliding messages for OCB when the key K is known
28 Exploit 1 in "Secure audit logs"
• Adaptation of the Bellare-Yee scenario of "Secure audit logs".
• An attacker is breaking into a machine that keeps activity logs that are encrypted by an AEAD scheme.
• He/she has obtained the encryption key by some other means (physical force, stealing, ...).
• In order to protect against such accidental revelation of encryption keys, the authentication tags are kept in a separate and write-protected area.
• This way the existing encrypted logs are protected from being overwritten with other fake logs.
• However, if the AEAD scheme was implemented by CCM, GCM or OCB, the attacker can erase his/her previous (unsuccessful) attempts to break in by simply producing a log file that has the same authentication tag as the originally encrypted log.
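The following is an added worked example, written for this page and not part of the slides or of the authors' OWCM design, that makes the point of exercises 1-3 and of the audit-log scenario concrete from the defender's side. It replaces CCM/GCM/OCB with a constructed toy: a Wegman-Carter style polynomial MAC over a 61-bit prime field, which shares only the algebraic shape of GHASH (linear in the message once the key is known), so that a key holder can produce a second log with the same tag without any cryptanalysis. It then shows the check a secure audit log should perform instead: the write-protected area stores, next to the tag, an unkeyed one-way digest of the authenticated bytes, which knowledge of the MAC key does not help to collide. All names (`toy_mac`, `same_tag_variant`, `seal`, `verify_tag_only`, `verify_hardened`, `demo`), the field parameters and the log content are assumptions constructed for the example; the hardened record is a generic mitigation, not the OWCM construction, which these slides do not describe.

```python
import hashlib
import secrets

# Constructed toy field: a 61-bit Mersenne prime. Real GCM works in GF(2^128)
# and Poly1305 mod 2^130-5; only the polynomial-evaluation shape is shared.
P = (1 << 61) - 1


def keygen() -> tuple[int, int]:
    """Toy key: evaluation point r (never 0) and one-time mask s
    (s plays the role that E_K(J0) plays in a GCM tag)."""
    return (secrets.randbelow(P - 1) + 1, secrets.randbelow(P))


def toy_mac(key: tuple[int, int], blocks: list[int]) -> int:
    """Polynomial MAC: tag = s + sum(m_i * r^(n-i)) mod P.
    Linear in the message blocks once r is known, as GHASH is."""
    r, s = key
    acc = 0
    for m in blocks:
        acc = (acc * r + m) % P
    return (acc + s) % P


def same_tag_variant(key: tuple[int, int], blocks: list[int]) -> list[int]:
    """The slides' 'easy exercise' on the toy: a key holder shifts the
    second-to-last block by one (adding r to the sum) and subtracts r from the
    last block, so the tag is unchanged. The key alone suffices, which is why
    the tag is not a one-way commitment to the log (needs >= 2 blocks)."""
    r, _ = key
    out = list(blocks)
    out[-2] = (out[-2] + 1) % P
    out[-1] = (out[-1] - r) % P
    return out


def blocks_of(data: bytes) -> list[int]:
    """Split bytes into 7-byte chunks; each is an integer below 2^56 < P."""
    return [int.from_bytes(data[i:i + 7], "big") for i in range(0, len(data), 7)]


def encode(blocks: list[int]) -> bytes:
    """Serialise field elements (all < 2^61) as 8-byte big-endian words."""
    return b"".join(m.to_bytes(8, "big") for m in blocks)


def seal(key: tuple[int, int], blocks: list[int]) -> dict:
    """Record placed in the write-protected area. The weak design of the
    slides keeps only 'tag'; the hardened record adds an unkeyed SHA-256
    digest of the authenticated bytes, for which holding r and s gives no
    shortcut to a collision."""
    return {
        "tag": toy_mac(key, blocks),
        "digest": hashlib.sha256(encode(blocks)).hexdigest(),
    }


def verify_tag_only(key: tuple[int, int], blocks: list[int], record: dict) -> bool:
    """The check the slides' audit-log system performs: tag match only."""
    return toy_mac(key, blocks) == record["tag"]


def verify_hardened(key: tuple[int, int], blocks: list[int], record: dict) -> bool:
    """Tag match AND digest match; a same-tag substitute fails the digest."""
    return (verify_tag_only(key, blocks, record)
            and hashlib.sha256(encode(blocks)).hexdigest() == record["digest"])


def demo() -> dict:
    """Run the audit-log scenario on constructed log content."""
    key = keygen()
    log = blocks_of(b"login ok; failed su #1; failed su #2; su root ok")  # constructed
    record = seal(key, log)               # stored write-protected when sealed
    forged = same_tag_variant(key, log)   # insider's rewritten log, same tag
    return {
        "same_tag": toy_mac(key, log) == toy_mac(key, forged),
        "weak_check_accepts_forgery": verify_tag_only(key, forged, record),
        "hardened_check_accepts_forgery": verify_hardened(key, forged, record),
        "hardened_check_accepts_original": verify_hardened(key, log, record),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak check accepting the rewritten log and the hardened check rejecting it while still accepting the original. The design point is that the write-protected area must hold something collision-resistant without a secret; a keyed tag alone is only as strong as the secrecy of the key, which the insider scenario assumes is lost.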