So far we had cryptographic algorithms to achieve
- Privacy: use encryption
- Integrity: use a MAC
We want both privacy and integrity, and achieve this by combining encryption and a MAC in an appropriate way.
Eike Ritter Cryptography 2014/15 39
Several possibilities for the combination:
- Encrypt-then-MAC: encrypt the message, then compute the MAC of the ciphertext.
- MAC-then-encrypt: first compute the MAC of the message, then encrypt the message-MAC pair.
- Encrypt-and-MAC: the result is the pair (ciphertext, MAC), with the MAC computed over the message.
Does this provide both privacy and integrity if the encryption is IND-CPA secure and the MAC cannot be forged?
- Encrypt-then-MAC: yes.
- MAC-then-encrypt: not in general, but it works in specific instances (e.g. if the encryption is CBC or counter mode with a random initialisation vector).
- Encrypt-and-MAC: not in general, but it works in specific instances (SSH).
Definition. An authenticated encryption system is given by a pair (E, D), where E : K × M → C is the encryption function and D : K × C → M ∪ {⊥} is the decryption function, such that D(k, E(k, m)) = m for all k ∈ K and m ∈ M.
Definition. We define the authenticated encryption game between challenger and attacker as follows:
- The challenger picks an encryption key k at random.
- The attacker does some computations and may send messages m_1, ..., m_n to the challenger.
- The challenger responds with the ciphertexts c_1, ..., c_n.
- The attacker does some more computations and submits a putative ciphertext c to the challenger.
- The challenger outputs 1 if c ≠ c_i for all i and D(k, c) ≠ ⊥.
The attacker wins this game if the challenger outputs 1.
Definition. An authenticated encryption scheme (E, D) is secure if the following conditions are satisfied:
- it satisfies IND-CPA;
- any attacker wins the authenticated encryption game with only negligible probability.
Theorem. If (E, D) is an IND-CPA secure encryption scheme and MAC is a secure MAC, then the authenticated encryption system obtained by first encrypting and then applying the MAC is a secure authenticated encryption system.
The proof uses two lemmata:
Lemma. If (E, D) is an IND-CPA secure encryption scheme and MAC is a secure MAC, the authenticated encryption system obtained by first encrypting and then applying the MAC satisfies IND-CPA.
Lemma. If (E, D) is an IND-CPA secure encryption scheme and MAC is a secure MAC, the probability of the attacker winning the game for the authenticated encryption system obtained by first encrypting and then applying the MAC is negligible.
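As an added example, not code from the lecture notes, here is the Encrypt-then-MAC construction of the theorem in Python. The cipher is counter mode built from HMAC-SHA256 used as a PRF, an assumed stand-in for AES-CTR (the standard library has no AES); the MAC is HMAC-SHA256 under an independent key over IV || ciphertext, decryption returns None for ⊥, and the last function plays the challenger's check from the authenticated encryption game against every single-byte modification of a ciphertext.

```python
import hmac, hashlib, os

IV_LEN, TAG_LEN, PRF_OUT = 16, 32, 32  # SHA-256 output is 32 bytes

def keystream(k_enc: bytes, iv: bytes, n: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF (assumed stand-in for AES-CTR):
    # block i of the keystream is PRF(k_enc, iv || i).
    out = b""
    for ctr in range((n + PRF_OUT - 1) // PRF_OUT):
        out += hmac.new(k_enc, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_then_mac(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    # Encrypt first with a fresh random IV, then MAC the ciphertext (IV included),
    # using a key independent of the encryption key.
    iv = os.urandom(IV_LEN)
    c = bytes(a ^ b for a, b in zip(m, keystream(k_enc, iv, len(m))))
    tag = hmac.new(k_mac, iv + c, hashlib.sha256).digest()
    return iv + c + tag

def decrypt(k_enc: bytes, k_mac: bytes, ct: bytes):
    # D(k, c): verify the tag before touching the ciphertext; None plays the role of bottom.
    if len(ct) < IV_LEN + TAG_LEN:
        return None
    iv, c, tag = ct[:IV_LEN], ct[IV_LEN:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(k_mac, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None                               # one uniform failure, nothing else leaks
    return bytes(a ^ b for a, b in zip(c, keystream(k_enc, iv, len(c))))

def all_single_byte_forgeries_rejected(k_enc: bytes, k_mac: bytes, ct: bytes) -> bool:
    # The challenger's check from the game: the attacker wins with some c' != ct
    # only if D(k, c') != bottom. Here every one-byte change to IV, ciphertext or tag is tried.
    for i in range(len(ct)):
        for delta in (0x01, 0x80):
            forged = ct[:i] + bytes([ct[i] ^ delta]) + ct[i + 1:]
            if decrypt(k_enc, k_mac, forged) is not None:
                return False
    return True
```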
Examples
First example: TLS 1.2
- Have two separate keys K_{A→B} and K_{B→A} for communication in the two directions.
- Have also two counters ctr_{A→B} and ctr_{B→A}, designed to prevent replay attacks.
- Form the MAC (HMAC-SHA1) of counter || header || data.
- Apply padding to header || data || tag.
- Now apply CBC-AES with a new random IV.
- Prepend the header.
Important details
There are two kinds of possible errors:
- MAC failures
- invalid padding information
The implementation must produce the same error message in both cases; otherwise there is an attack.
Padding Oracle Attack
Assume we have CBC encryption. (Figure: CBC decryption diagram; source: Wikipedia.)
Assume we want m[1]. Perform the following operations:
- guess g for the last byte of m[2];
- ask for the decryption of c[1] ⊕ g ⊕ 0x01 (the XOR applied to the last byte of c[1]);
- since CBC decryption XORs each decrypted block with the previous ciphertext block, the last byte of m[2] now equals lastByte ⊕ g ⊕ 0x01.
If lastByte = g, we have a valid pad (0x01 is always valid); otherwise the pad is most likely invalid. Hence if we can distinguish MAC failures from padding failures, we obtain g with at most 256 attempts.