  1. Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM
  Bo Zhu, Yin Tan and Guang Gong
  University of Waterloo, Canada
  CANS 2013, Nov 20, 2013
  1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM

  2. Galois/Counter Mode (GCM)
  ◮ One design of AEAD by McGrew and Viega in 2005
      ◮ Counter Mode (CM) for encryption
      ◮ Galois MAC (GMAC) for authentication: a polynomial-based MAC
  ◮ Features
      ◮ Parallelizable computation
      ◮ Intel CPU hardware instructions (around 1 cycle/byte)
      ◮ Used in IEEE 802.1AE, IPsec, and TLS v1.2
      ◮ Proposed to replace RC4 and AES-CBC in TLS
  ◮ Recent attacks
      ◮ A flaw found in GCM's security proofs in Crypto'12
      ◮ Forgery attacks in FSE'12 and FSE'13

  3. Outline
  ◮ Introduction to Galois/Counter Mode (GCM)
  ◮ All subsets with ≥ 2 authentication keys are weak
  ◮ Turning forgeries into birthday attacks
  ◮ Repairing security bounds and proofs of GCM
  ◮ Attacking MAC-then-Enc GCM
  ◮ Summary

  4. Outline (section: Introduction to Galois/Counter Mode (GCM))

  5. Authentication by Galois MAC (GMAC)
  Additions and multiplications in $\mathrm{GF}(2^{128})$
  ◮ Authentication key: $H = E_K(0)$
  [Figure: GMAC authentication; the image is from Procter and Cid's slides in FSE'13.]

  6. Polynomial Based GHASH
  ◮ $\mathrm{GMAC} = \mathrm{GHASH}_H(A, C) \oplus E_K(N)$
      ◮ $N$: non-repeating nonce
  ◮ GHASH-like, polynomial based (keyed) hash
      $h_H(M) = \sum_{i=1}^{m} M_i \cdot H^i = g_M(H)$
  ◮ Note: the constant term is zero

  7. Encryption in Counter Mode (CM)
  [Figure: counter-mode encryption; the image is from Saarinen's paper in FSE'12.]
  ◮ Initial counter
      ◮ If $\mathrm{len}(N) = 96$: $Y_0 = N \,\|\, 0^{31}1$
      ◮ If $\mathrm{len}(N) \neq 96$: $Y_0 = \mathrm{GHASH}_H(N)$
  ◮ Consecutive counters: $Y_{r+1} = \mathrm{msb}_{96}(Y_r) \,\|\, (\mathrm{lsb}_{32}(Y_r) \boxplus 1)$, where $\boxplus$ is addition modulo $2^{32}$
  ◮ The tag mask written $E_K(N)$ on the previous slide is $E_K(Y_0)$; the keystream blocks are $E_K(Y_1), E_K(Y_2), \dots$

  8. Outline (section: All subsets with ≥ 2 authentication keys are weak)

  9. Forgery Attacks on Polynomial-based MACs
  ◮ General forgeries by Procter and Cid in FSE'13
  ◮ Based on the work by Saarinen in FSE'12
  ◮ Attacking the polynomial-based hash functions
      $h_H(M) = \sum_{i=1}^{m} M_i \cdot H^i = g_M(H)$
  ◮ If we can find a polynomial $f(x) \in \mathbb{F}[x]$ such that
      ◮ its constant term is zero, and
      ◮ $f(H) = 0$,
    then, writing $F$ for the block sequence of the coefficients of $f$ (so that $g_F(H) = f(H)$),
      $h_H(M \oplus F) = g_{M \oplus F}(H) = g_M(H) \oplus g_F(H) = g_M(H) = h_H(M)$

  10. Our Generalized Forgery Attack on GCM-like Modes
  For GMAC-like MACs, the MAC tag is computed as $T = h_H(M) \oplus E_K(N)$.
  If we find a polynomial $q(x) = q^*(x) \oplus Q_0 \in \mathbb{F}[x]$ such that
  ◮ $q(H) = 0$
  ◮ Note: the constant term $Q_0$ does NOT need to be zero
  then $T = h_H(M) \oplus E_K(N) \oplus q(H)$, which implies (with $Q^*$ the block sequence of the coefficients of $q^*$, so $g_{Q^*}(H) = q^*(H)$)
      $T \oplus Q_0 = E_K(N) \oplus h_H(M) \oplus q^*(H) = E_K(N) \oplus g_M(H) \oplus g_{Q^*}(H) = E_K(N) \oplus g_{M \oplus Q^*}(H)$.
  So $(N, M \oplus Q^*, T \oplus Q_0)$ is a successful forgery.

  11. All Subsets with ≥ 2 Auth Keys are Weak
  ◮ Definition of weak key classes by Handschuh and Preneel
      ◮ Members of the key class make the algorithm behave in an unexpected way, e.g., a high probability of MAC forgeries
      ◮ It is easy to detect whether a key belongs to the class, e.g., with fewer queries than the number of elements of the class
  ◮ For any subset $S = \{H_1, \dots, H_n\}$ of authentication keys, we can determine whether the key in use is in the subset:
      try to make a forgery with
      $q(x) = \prod_{i=1}^{n} (x \oplus H_i)$
      and query the verification oracle once ($q(H) = 0$ exactly when $H \in S$, so the forgery verifies exactly when $H \in S$)
  ◮ For comparison, the original forgery attack by Procter and Cid
      ◮ needs a zero constant term, which $\prod_{i=1}^{n} (x \oplus H_i)$ only has when $0 \in S$, so it cannot get rid of the constant term with only one query
      ◮ For $|S| \geq 3$, use two queries
      ◮ For $|S| \geq 2$ and $0 \in S$, use one query

  12. Outline (section: Turning forgeries into birthday attacks)

  13. Birthday-bound based Forgery Attacks
  ◮ Previously mentioned forgery attacks are all trial-and-error
      ◮ (Perhaps randomly) choose a $q(x)$
      ◮ Forge a tuple $(N, M, T)$ and send it to the verification oracle
      ◮ If it fails, try another $q(x)$
  ◮ GCM's special structure can amplify this probability
      ◮ GHASH is reused to compute the initial counter $Y_0$ if $\mathrm{len}(N) \neq 96$
      ◮ Previous forgeries also work for this GHASH: a $q$ with $q(H) = 0$ applied to $N$ leaves $Y_0$, and hence the whole keystream, unchanged
  ◮ New forgery attack
      1. Obtain a valid tuple $(N, P, C)$
      2. Apply $q(x)$ to $N$, and feed $(N', P)$ to the encryption oracle
      3. Collect $P \oplus C$ (the keystream) into a set and look for collisions
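Worked example, added by the editor (it is not part of the slides and not the authors' code): the generalized forgery of slide 10, the one-query subset test of slide 11, and the nonce step of the birthday attack above, in Python. $E_K$ is a keyed-SHA-256 stand-in for AES (the GHASH algebra does not depend on which block cipher is used), messages and nonces are lists of 128-bit blocks indexed as on the slides (block $i$ multiplies $H^i$), and the key, nonce, message and candidate subsets are constructed values.

```python
# Added example by the editor, not code from the slides or their authors. It models the
# slides' MAC h_H(M) = sum_{i=1}^{m} M_i * H^i over GF(2^128) (GCM bit ordering) and shows
# (1) the generalized forgery (N, M + Q*, T + Q_0) with Q_0 != 0, (2) the one-query test
# "is H in subset S?" with q(x) = prod (x + H_i), and (3) for len(N) != 96, a nonce N' with
# GHASH_H(N') = GHASH_H(N), hence the same Y_0 and keystream (birthday attack, step 2).
# Assumptions: E_K is a keyed-SHA-256 stand-in for AES_K; messages and nonces are lists of
# 128-bit blocks indexed as on the slides (block i multiplies H^i).
import hashlib
ONE = 1 << 127          # field element 1 in GCM's bit-reflected encoding
R = 0xE1 << 120         # reduction constant for x^128 + x^7 + x^2 + x + 1
MASK32 = (1 << 32) - 1

def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) as in NIST SP 800-38D, Algorithm 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def poly_eval(coeffs: list[int], h: int) -> int:
    """q(h) for q(x) = sum_i coeffs[i] * x^i, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, h) ^ c
    return acc

def poly_mul(a: list[int], b: list[int]) -> list[int]:
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] ^= gf_mul(ai, bj)
    return out

def vanishing_poly(subset: list[int]) -> list[int]:
    """q(x) = prod_{H_i in S} (x + H_i); q(H) = 0 exactly when H is in S."""
    q = [ONE]
    for h_i in subset:
        q = poly_mul(q, [h_i, ONE])
    return q

def ghash(h: int, blocks: list[int]) -> int:
    """h_H(M) = sum_{i=1}^{m} M_i * H^i: a polynomial in H with zero constant term."""
    return poly_eval([0] + blocks, h)

def E(key: bytes, block: int) -> int:
    """Stand-in block cipher (assumption, not AES): keyed SHA-256 truncated to 128 bits."""
    return int.from_bytes(hashlib.sha256(key + block.to_bytes(16, "big")).digest()[:16], "big")

def tag(key: bytes, nonce: int, blocks: list[int]) -> int:
    """T = h_H(M) + E_K(N) with authentication key H = E_K(0)."""
    return ghash(E(key, 0), blocks) ^ E(key, nonce)

def apply_poly(blocks: list[int], q: list[int]) -> list[int]:
    """M + Q*: XOR the non-constant coefficients of q into the blocks (block i gets Q_i)."""
    assert len(blocks) >= len(q) - 1, "need one block per non-constant coefficient"
    out = list(blocks)
    for j, c in enumerate(q[1:]):
        out[j] ^= c
    return out

def forge(nonce: int, blocks: list[int], t: int, q: list[int]):
    """Slide 10: (N, M + Q*, T + Q_0) verifies whenever q(H) = 0, Q_0 zero or not."""
    return nonce, apply_poly(blocks, q), t ^ q[0]

def key_in_subset(verify, nonce: int, blocks: list[int], t: int, subset: list[int]) -> bool:
    """Slide 11: one verification query decides whether the unknown H lies in `subset`."""
    return verify(*forge(nonce, blocks, t, vanishing_poly(subset)))

def keystream(key: bytes, y0: int, nblocks: int) -> list[int]:
    """E_K(Y_1), E_K(Y_2), ... with Y_{r+1} = msb_96(Y_r) || (lsb_32(Y_r) + 1 mod 2^32)."""
    out, y = [], y0
    for _ in range(nblocks):
        y = (y & ~MASK32) | ((y + 1) & MASK32)
        out.append(E(key, y))
    return out

def long_nonce_keystream_collides(key: bytes, nonce_blocks: list[int], subset: list[int]) -> bool:
    """len(N) != 96, so Y_0 = GHASH_H(N). q is multiplied by x^2 so that neither the constant
    term nor block 1 (the length block in real GCM) is touched; N' shares Y_0 iff H is in S."""
    h, n_prime = E(key, 0), apply_poly(nonce_blocks, [0, 0] + vanishing_poly(subset))
    return keystream(key, ghash(h, nonce_blocks), 2) == keystream(key, ghash(h, n_prime), 2)

def demo() -> dict:
    """Constructed key, nonce and message (not real data); returns the outcome of each check."""
    key, nonce = b"\x01" * 16, int.from_bytes(b"nonce-0123456789", "big")
    msg = [(i + 1) * 0x0123456789ABCDEF for i in range(6)]   # six 128-bit blocks
    h, t = E(key, 0), tag(key, nonce, msg)
    verify = lambda n, m, tt: tag(key, n, m) == tt            # the verification oracle
    with_h, without_h = [0x1111, h, 0x2222], [0x1111, 0x3333, 0x2222]
    return {
        "subset_with_H_forges": key_in_subset(verify, nonce, msg, t, with_h),
        "subset_without_H_forges": key_in_subset(verify, nonce, msg, t, without_h),
        "zero_constant_term_keeps_ghash": ghash(h, apply_poly(msg, [0] + vanishing_poly(with_h))) == ghash(h, msg),
        "long_nonce_collides_with_H": long_nonce_keystream_collides(key, msg[:5], with_h),
        "long_nonce_collides_without_H": long_nonce_keystream_collides(key, msg[:5], without_h),
    }
```

`demo()` puts the real $H$ into one candidate subset only to exhibit the positive case; the attacker never needs $H$, only the subset. The subset test answers exactly, not probabilistically, because the forged tag is off by $q(H)$, which is zero precisely when $H \in S$. The `zero_constant_term_keeps_ghash` entry is slide 9's Procter-Cid form, $f(x) = x \cdot q(x)$, where the tag is left untouched. Caveat for real GCM: the $H^1$ term of GHASH is the length block that the verifier derives from $\mathrm{len}(A)$ and $\mathrm{len}(C)$, and the same holds for the GHASH of a long nonce; the model above treats block 1 as a free block for tags and pins it (via the $x^2$ factor) only for nonces, so a forgery against real GCM must additionally keep that coefficient consistent with the lengths it presents.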
