
Section 4: Lab 1 Tips, Modular Arithmetic, & CBC-MAC CSE 484 / - PowerPoint PPT Presentation



  1. Section 4: Lab 1 Tips, Modular Arithmetic, & CBC-MAC CSE 484 / CSE M 584

  2. Administrivia
     Final deadline for Lab 1 is next Friday @ 11:59pm
     New!
     • Run the md5sum command on sploits 4-7
     • Put the result strings in <netid>_<netid>_<netid>.txt
     • Submit on Canvas
     Office hours are available
     • Friday (12:30-2:30pm)
     • Monday (11:30am-12:30pm)
     • Tuesday (11:30am-12:30pm)
     • Wednesday (3:30-4:30pm)

  3. Lab 1 Notes / Hints
     ◦ Sploit 5: see tfree from last section
     ◦ Make sure the free bit is set!
     ◦ The 2nd four bytes of Q will be overwritten
     ◦ How can you move past this?
     ◦ Point to an assembly instruction?
     ◦ Hardcode an instruction code?
     ◦ The movement does not have to be precise!
     [Diagram: chunks P and Q with their L / R / next fields; labels q, &ret?, P.R, Q (P.L), P, &buf?]

  4. Lab 1 Notes / Hints
     ◦ Sploit 6: snprintf to a location
     ◦ Overwrite ret with %n (will need > 1)
     ◦ Pad with %u or %d to get the value to write
     ◦ %u and %n both expect an argument
     ◦ Internal pointer begins after (char *) arg
     [Diagram: stack layout. Blue: foo's stack frame. Green: snprintf's stack frame. Labels: Arguments, RET, SFP, buf[296], printf's internal arg pointer, arg, sizeof(buf), buf, RET, SFP, etc.]
     Additional arguments to snprintf would (normally) be after arg.

  5. Lab 1 Notes / Hints
     ◦ Sploit 7: similar to sploit 2
     ◦ However, can't use EIP since foo calls _exit
     ◦ Where can you take over execution?
     ◦ Hint: think about *p = a
     ◦ Look into _exit
     [Diagram: stack layout. Blue: foo's stack frame (Arguments, RET, SFP, p, a). Green: bar's stack frame (Arguments, RET, SFP with a 1 byte overwrite, Local vars).]
     Program expects stack to look like foo when returning from bar.

  6. MODULAR ARITHMETIC! Will be used in class Friday when talking about the Diffie-Hellman Protocol (1976)

  7. Shortcut: a * b mod p = ((a mod p) * (b mod p)) mod p

  8. Activity Time!

  9. Let p = 11. Let g = 10. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p. Hint: a * b mod p = ((a mod p) * (b mod p)) mod p

  10. Q1 Solution: Let p = 11. Let g = 10. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

  11. Let p = 11. Let g = 7. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p. Hint: a * b mod p = ((a mod p) * (b mod p)) mod p

  12. Q2 Solution: Let p = 11. Let g = 7. Compute g^1 mod p, g^2 mod p, g^3 mod p, …, g^100 mod p.

  13. Let p = 11. Let g = 7. Compute g^400 mod p, without using a calculator. Hint: a * b mod p = ((a mod p) * (b mod p)) mod p

  14. Q3 Solution: Let p = 11. Let g = 7. Compute g^400 mod p, without using a calculator.

  15. How do we create a MAC?
      CBC-MAC: Encrypt the message in CBC mode, use the last block as the MAC
      ◦ Initialization vector is 0
      ◦ k = secret key
      ◦ Last block of ciphertext used as MAC

  16. Exercise: CBC-MAC vulnerability
      Notation: a || b : a and b concatenated. M_K(a) : MAC for message a. E_K(a) : ciphertext for message a.
      Suppose a and b are both one block long, and suppose the sender MACs a, b, and a || b with CBC-MAC. An attacker who intercepts the MAC tags for these messages can now forge the MAC for the message b || (M_K(b) ⊕ M_K(a) ⊕ b), which the sender never sent. The forged tag for this message is equal to M_K(a || b), the tag for a || b.
      Justify mathematically why this is true.
      [Diagram: two-block CBC-MAC with inputs a and b, each passing through E_K, producing TAG]
      (Ferguson, Schneier, & Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing 2010. Exercise 6.3 p. 97)

  17. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 1: Figure out what M_K(a), M_K(b), and M_K(a || b) are in terms of the encryption key. Annotate sketch with the sender's messages and MACs.
      [Diagram: two-block CBC-MAC with inputs a and b; the values after each E_K and the TAG are marked ???]

  18. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 1: Figure out what M_K(a), M_K(b), and M_K(a || b) are in terms of the encryption key. Annotate sketch with the sender's messages and MACs.
      M_K(a) = E_K(a)
      M_K(b) = E_K(b) (not shown)
      M_K(a || b) = E_K(E_K(a) ⊕ b)
      [Diagram: two-block CBC-MAC with inputs a and b, annotated with E_K(a), E_K(a) ⊕ b, and E_K(E_K(a) ⊕ b)]

  19. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 2: Figure out M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)). For the MAC of the attacker's message b || (M_K(b) ⊕ M_K(a) ⊕ b), what are the values of the ???'s?
      [Diagram: two-block CBC-MAC with inputs b and M_K(b) ⊕ M_K(a) ⊕ b; the values after each E_K are marked ???]

  20. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 2: Figure out M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)).
      M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b))
      [Diagram: two-block CBC-MAC with inputs b and M_K(b) ⊕ M_K(a) ⊕ b; the values after each E_K are marked ???]

  21. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 2: Figure out M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)).
      M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b))
      = M_K(b || (E_K(b) ⊕ E_K(a) ⊕ b))
      [Diagram: two-block CBC-MAC with inputs b and E_K(b) ⊕ E_K(a) ⊕ b; the values after each E_K are marked ???]

  22. Exercise: CBC-MAC vulnerability
      Prove: M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)) = M_K(a || b)
      Step 2: Figure out M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b)).
      M_K(b || (M_K(b) ⊕ M_K(a) ⊕ b))
      = M_K(b || (E_K(b) ⊕ E_K(a) ⊕ b))
      = E_K(E_K(b) ⊕ E_K(b) ⊕ E_K(a) ⊕ b)   (the two E_K(b) terms cancel out)
      = E_K(E_K(a) ⊕ b)
      This is the same as M_K(a || b)!
      [Diagram: two-block CBC-MAC with inputs b and E_K(b) ⊕ E_K(a) ⊕ b, annotated with E_K(b), E_K(a) ⊕ b, and E_K(E_K(a) ⊕ b)]

  23. So what?
      ● We can prove, just using the specification of CBC-MAC, that the messages b || (M(b) ⊕ M(a) ⊕ b) and a || b share the same tag. This approach is a common method used in cryptanalysis.
      ● We broke the theoretical guarantee that no two different messages will ever share a tag.
      ● If you were to use CBC-MAC in a protocol, it provides information about specific weaknesses and how not to use it.

  24. Safer CBC-MAC for variable length messages
      For a message m of length l:
      1. Construct s by prepending the length of m to the message: s = concat(l, m)
      2. Pad s until the length is a multiple of the block size.
      3. Apply CBC-MAC to the padded string s.
      4. Output the last ciphertext block, or a part of it. Don't output intermediates.
      ● Warning: Appending to end is just as broken as what we showed!
      ● Or encrypt output with another block cipher under a different key (CMAC).
      ● Or use HMAC, UMAC, GMAC. Follow latest guidance very carefully!
      [Diagram: CBC-MAC chain of E_K blocks producing TAG; input labels: l, b_1, ..., b_l, pad]

  25. Good luck with the rest of Lab 1!
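
The exercise on slides 16-22 and the length-prepending fix on slide 24, checked in code as an added example that is not part of the original slides. Assumptions: E_K is replaced by a small Feistel permutation built from HMAC-SHA256 so the block runs on the standard library alone, the length l is encoded as one 16-byte big-endian block, and padding is zero bytes; all names and sample values are constructed for this illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumed for this demo)

def xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def E(key, block):
    """Stand-in for E_K: a 4-round Feistel permutation keyed via HMAC-SHA256.
    Constructed for this demo; the algebra is the same for any block cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_mac(key, msg):
    """Plain CBC-MAC as on slide 15: IV = 0, tag = last ciphertext block."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of BLOCK")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(key, xor(state, msg[i:i + BLOCK]))
    return state

def cbc_mac_len(key, msg):
    """Slide 24: s = concat(l, m), padded, then CBC-MAC.
    Assumptions: l is a 16-byte big-endian byte count; padding is zero bytes."""
    s = len(msg).to_bytes(BLOCK, "big") + msg
    s += bytes(-len(s) % BLOCK)
    return cbc_mac(key, s)

def forged_message(b, tag_a, tag_b):
    """b || (M_K(b) xor M_K(a) xor b), built from intercepted tags only."""
    return b + xor(xor(tag_b, tag_a), b)

def demo(mac):
    key = b"constructed demo key"  # constructed sample values
    a, b = b"A" * BLOCK, b"B" * BLOCK
    forged = forged_message(b, mac(key, a), mac(key, b))
    # True means the never-sent message verifies under the tag of a || b.
    return forged != a + b and mac(key, forged) == mac(key, a + b)

if __name__ == "__main__":
    print("plain CBC-MAC tag collides:    ", demo(cbc_mac))
    print("length-prepended tag collides: ", demo(cbc_mac_len))
```

A verifier that accepts plain CBC-MAC tags on variable-length messages would accept the forged message; with the length block in front, the first chaining value differs between one-block and two-block messages and the cancellation from slide 22 no longer happens.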
