Cryptography And Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London 05/22/09 | Cryp-203 What is a secure channel? Why ad hoc approaches to building secure channels may be dangerous Why the order of encryption and integrity protection matters
Information Security Group Royal Holloway, University of London
05/22/09 | Cryp-203
Secure channels are usually constructed as follows:
In this talk, we will:
Encrypted inner packet
Encrypted inner packetESP in Tunnel Mode
Original IP packet
“ESP allows encryption-only … because this may offer considerably better performance and still provide adequate security, e.g., when higher layer authentication/integrity protection is offered independently.”
From the IPsec Tunnel Implementation administrator's guide of a well-known vendor (until very recently):
“If you require data confidentiality only in your IPSec tunnel implementation, you should use ESP without authentication. By leaving off the authentication service, you gain some performance speed but lose the authentication service.”
Flipping bits here
And randomised block here
Leads to bit flips here
Paterson and Yau (Eurocrypt 2006):
Encrypted inner packet
Flip bits here
To change protocol field and source address here
Correction of checksum via further IV bit flips
Some reactions to the Linux ESP attacks:
Degabriele and Paterson (IEEE S&P 2007):
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for TELNET and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
PiCBC Mode in SSH
Ci* = eK(Ci-1*Pi*), i.e. Pi* = Ci-1* dK(Ci*)
P0’ = IVdK(Ci*).
P0’ = IV dK(Ci*).
Pi* = Ci-1* dK(Ci*) = Ci-1* IV P0’
From Bellare, Kohno and Namprempre:
“…in the modern era of strong cryptography it would seem counterintuitive to voluntarily use a protocol with low security when it is possible to fix the security of SSH at low cost.”
SSL/TLS Record Protocol provides:
MAC tagSSL/TLS Record Protocol (Simplified)
Major open problem:
How to model and reason about the security of secure channels in a way that captures all significant cryptographic attacks?
How do we even know what system features should be included in a security model?
A (mis)quote from Eugene Spafford:
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”