So far: had cryptographic algorithms to achieve
- Privacy: use encryption
- Integrity: use MAC
Want both privacy and integrity
Achieve this by combining encryption and MAC in appropriate way

Eike Ritter Cryptography 2013/14 113

Several possibilities for combination:
- Encrypt-then-MAC: encrypt message, then compute MAC of ciphertext.
- MAC-then-encrypt: first compute MAC, and then encrypt the message-MAC pair.
- Encrypt-and-MAC: result is pair of ciphertext and MAC.

Does this provide both privacy and integrity if encryption is IND-CPA secure and MAC cannot be forged?
- Encrypt-then-MAC: Yes.
- MAC-then-encrypt: Not in general, but works in specific instances (e.g. if encryption is CBC or Counter mode with random initialisation vector).
- Encrypt-and-MAC: Not in general, but works in specific instances (SSH).

Definition
An authenticated encryption system is given by a pair (E, D), where E : K × M → C is the encryption function and D : K × C → M ∪ {⊥} such that D(k, E(k, m)) = m for all m ∈ M.
Definition
We define the authenticated encryption game between challenger and attacker as follows:
- The challenger picks an encryption key k at random.
- The attacker does some computations and may send messages m_1, ..., m_n to the challenger.
- The challenger responds with the ciphertexts c_1, ..., c_n.
- The attacker does some more computations and submits a putative ciphertext c to the challenger.
- The challenger outputs 1 if c ≠ c_i for all i and D(k, c) ≠ ⊥.
The attacker wins this game if the challenger outputs 1.

Definition
An authenticated encryption scheme (E, D) is secure if the following conditions are satisfied:
- it satisfies IND-CPA
- any attacker wins the authenticated encryption game with only negligible probability

Examples
First example: TLS 1.2
- Have two separate keys K_{A→B} and K_{B→A} for communication in both directions
- Have also two counters ctr_{A→B} and ctr_{B→A}, designed to prevent replay attacks
- Form MAC (HMAC-SHA1) of counter || header || data
- Apply padding to header || data || tag
- Now apply CBC-AES with new random IV, prepend header

Important details
Have two kinds of possible errors:
- MAC failures
- Invalid padding
Must produce same error messages in both cases, otherwise have attack
Padding Oracle Attack
Assume have CBC-encryption (figure; Source: Wikipedia)

Assume we want m[1]. Perform following operations:
- guess g: last byte of m[2]
- ask for decryption of c[1] ⊕ g ⊕ 0x01
- last byte of m[2] is equal to lastByte ⊕ g ⊕ 0x01
- if lastByte = g, have valid pad (0x01 always valid), otherwise most likely invalid pad
Hence if we can distinguish MAC failures from padding failures, obtain g with at most 256 attempts