Authencryption: Privacy with Almost Free Integrity Support “An Essence of Integrity”

Advisor: Tzonelih Hwang. Presenter: Prosanta Gope. Quantum Information and Network Security Lab, NCKU, 2013.


Presentation Transcript


  1. Authencryption: Privacy with Almost Free Integrity Support “An Essence of Integrity”

    Advisor: Tzonelih Hwang. Presenter: Prosanta Gope. Quantum Information and Network Security Lab, NCKU, 2013
  2. Privacy and Integrity Revisited
  3. Privacy. Alice sends C to Bob; an adversary interferes with the transmission (intercepts the message and tries to figure out M from C). Encrypt: C = Decrypt: M =
  4. Integrity. Alice sends M to Bob; an adversary interferes with the transmission (modifies the message, or inserts a new one). How can Bob be sure that M really comes from Alice, or that M has not been modified?
  5. Sometimes more important than secrecy! Alice sends "transfer 1000 $ to Bob" to the bank; the bank receives "transfer 1000 $ to Eve". Of course, usually we want both secrecy and integrity.
  6. Presentation Road Map: (1) Objective, (2) Modes of Operation, (3) Message Authentication Code (MAC), (4) Authenticated Encryption, (5) Authencryption and its Application
  7. Our Objective: to figure out the weaknesses in the conventional modes of operation (ECB, CBC, CTR, etc.); to ensure privacy and integrity support in a single pass with minimal cost; to add integrity support to the conventional modes of operation (CTR, CBC, ECB, OFB, CFB); to provide privacy and integrity in block ciphers, stream ciphers, and even in real-time environments with almost free additional computational support.
  8. Presentation Road Map: (1) Objective, (2) Modes of Operation, (3) Message Authentication Code (MAC), (4) Authenticated Encryption, (5) Authencryption and its Application
  9. What do we do if the message size is shorter or larger than the block size? Say, message size = 224 bits and the block cipher supported = 64-bit DES.
  10. Modes of Operation. Why do we need modes of operation? To adapt a cryptographic algorithm to applications; to increase the strength of a cryptographic algorithm. It is necessary to divide a bigger plaintext into fixed-size blocks so that the cipher can work on it (e.g. DES, 64 bits), i.e. apply the block cipher to a sequence of data blocks or a data stream. (Diagram: each packet is passed through DES.)
  11. Modes of Operation. Big plaintext = packet, packet, packet, …; each packet is encrypted into an encrypted packet (e.g. ECB mode).
  12. Conventional Modes of Operation: Electronic Codebook Mode (ECB), Cipher Block Chaining Mode (CBC), Cipher Feedback Mode (CFB), Output Feedback Mode (OFB), Counter Mode (CTR)
  13. ECB: Electronic Codebook
  14. Notations. – encryption key shared between two entities - mathematical XOR Let P be the message to be encrypted, which is divided into {…} Let C be the message to be encrypted, which is divided into {…},
  15. Electronic Codebook (ECB)
  16. Electronic Codebook (ECB): the message is broken into independent blocks which are encrypted; each block is a value which is substituted, like a codebook, hence the name; each block is encoded independently of the other blocks; C_i = E_K(P_i); uses: secure transmission of single values.
  17. Electronic Codebook (ECB) Mode. The simplest mode of operation is called the electronic codebook (ECB) mode. Figure: Electronic codebook (ECB) mode
  18. Advantages and Limitations of ECB: message repetitions may show in the ciphertext if aligned with the message block, particularly with data such as graphics or with messages that change very little, which become a code-book analysis problem; the weakness is due to the encrypted message blocks being independent; main use is sending a few blocks of data.
  19. Electronic Codebook (ECB): does not hide data patterns, so it is unsuitable for long messages (Wiki example: a pixel map encrypted using ECB, shown as plain text, ECB mode, and other modes). Susceptible to replay attacks (example: a wire transfer transaction can be replayed by resending the original message).
  20. Cipher Block Chaining (CBC): the message is broken into blocks that are linked together in the encryption operation; each previous ciphertext block is chained with the current plaintext block, hence the name; an Initial Vector (IV) is used to start the process; C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV; uses: bulk data encryption, authentication.
  21. Cipher Block Chaining (CBC)
  22. Advantages and Limitations of CBC: a ciphertext block depends on all blocks before it; any change to a block affects all following ciphertext blocks; needs an Initialization Vector (IV) which must be known to sender and receiver; if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate, hence the IV must either be a fixed value or must be sent encrypted in ECB mode before the rest of the message.
  23. Cipher Block Chaining (CBC) Mode. In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted. Figure: Cipher block chaining (CBC) mode
  24. Stream Modes of Operation: block modes encrypt an entire block; we may need to operate on smaller units (real-time data); convert the block cipher into a stream cipher: cipher feedback (CFB) mode, output feedback (OFB) mode, counter (CTR) mode; use the block cipher as some form of pseudo-random number generator.
  25. Cipher FeedBack (CFB): the message is treated as a stream of bits, added to the output of the block cipher; the result is fed back for the next stage (hence the name); the standard allows any number of bits (1, 8, 64 or 128, etc.) to be fed back, denoted CFB-1, CFB-8, CFB-64, CFB-128, etc.; it is most efficient to use all bits in the block (64 or 128); C_i = P_i XOR E_K(C_{i-1}), C_{-1} = IV; uses: stream data encryption, authentication.
  26. s-bitCipher FeedBack (CFB-s)
  27. Advantages and Limitations of CFB: appropriate when data arrives in bits/bytes; most common stream mode; the limitation is the need to stall while doing a block encryption after every n bits; note that the block cipher is used in encryption mode at both ends; errors propagate for several blocks after the error.
  28. Output FeedBack (OFB): the message is treated as a stream of bits; the output of the cipher is added to the message; the output is then fed back (hence the name); the feedback is independent of the message and can be computed in advance; O_i = E_K(O_{i-1}), C_i = P_i XOR O_i, O_{-1} = IV; uses: stream encryption on noisy channels.
  29. Output FeedBack (OFB)
  30. Advantages and Limitations of OFB: needs an IV which is unique for each use; if it is ever reused, an attacker can recover outputs; bit errors do not propagate; more vulnerable to message stream modification; sender and receiver must remain in sync; only use with full block feedback; subsequent research has shown that only full block feedback (i.e. CFB-64 or CFB-128) should ever be used.
  31. Counter (CTR): a “new” mode, though proposed early on; similar to OFB but encrypts a counter value rather than any feedback value; must have a different key and counter value for every plaintext block (never reused); O_i = E_K(i), C_i = P_i XOR O_i; uses: high-speed network encryption.
  32. Counter (CTR)
  33. Advantages and Limitations of CTR: efficiency (can do parallel encryptions in hardware or software, can preprocess in advance of need, good for bursty high-speed links); random access to encrypted data blocks; provable security (as good as the other modes); but must ensure key/counter values are never reused, otherwise it could be broken (cf. OFB).
  34. Presentation Road Map: (1) Objective, (2) Modes of Operation, (3) Message Authentication Code (MAC), (4) Authenticated Encryption, (5) Authencryption and its Application
  35. Message Authentication Code A common solution for achieving message authenticity and integrity is to use a message authentication code (MAC). A MAC can be viewed as a cryptographically secure checksum of a message.
  36. Message Authentication Code (cont.). Computing a MAC requires authorized senders and receivers to share a secret key, and this key is part of the input to a MAC computation. The sender computes a MAC over the packet with the secret key and includes the MAC with the packet. A receiver sharing the same secret key recomputes the MAC and compares it with the received MAC value.
  37. Message Authentication. Integrity: Alice sends M to Bob; an adversary interferes with the transmission (modifies the message, or inserts a new one). How can Bob be sure that M really comes from Alice?
  38. Sometimes more important than secrecy! Alice sends "transfer 1000 $ to Bob" to the bank; the bank receives "transfer 1000 $ to Eve". Of course, usually we want both secrecy and integrity.
  39. Does encryption guarantee message integrity? Idea: Alice encrypts m and sends c = Enc(k, m) to Bob. Bob computes Dec(k, c), and if it “makes sense” accepts it. Intuition: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad. The plaintext "transfer 1000 $ to Bob" XOR the key K gives the ciphertext C; XORing “Eve” xor “Bob” into C turns it into a ciphertext of "transfer 1000 $ to Eve".
  40. Message Authentication Codes, the idea: Alice and Bob share a key k, chosen randomly from some set T. For m ∈ {0,1}*, Alice sends (m, t = Tag_k(m)) and Bob computes Vrfy_k(m) ∈ {yes, no}.
  41. Warning: MACs do not offer protection against “replay attacks”. (Diagram: the same (m, t) sent by Alice is delivered to Bob repeatedly.) Since Vrfy has no state (or “memory”) there is no way to detect that (m, t) is not fresh! This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).
  42. Construction 1: encrypted CBC-MAC. (Diagram, raw CBC: the message blocks m[0], m[1], m[3], m[4] are XORed in turn into a chain of F(k, ·) evaluations, and a final F(k1, ·) outputs the tag.)
  43. Construction 2: NMAC (nested MAC). (Diagram, cascade: starting from k, F is applied in turn to m[0], m[1], m[3], m[4] to produce t; then F is applied under k1 to t ∥ fpad to output the tag.)
  44. Presentation Road Map: (1) Objective, (2) Modes of Operation, (3) Message Authentication Code (MAC), (4) Authenticated Encryption, (5) Authencryption and its Application
  45. .
  46. Generic Composition
  47. State of the Art AE Schemes: IAPM, OCB
  48. IAPM
  49. OCB
  50. Presentation Road Map: (1) Objective, (2) Modes of Operation, (3) Message Authentication Code (MAC), (4) Authenticated Encryption, (5) Authencryption and its Application
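
An added example (not part of the presentation) for the ECB and CBC slides (16 to 23): it encrypts a message with repeated 64-bit blocks under both modes and counts duplicate ciphertext blocks, the pattern leak described on slide 18. The block cipher `E` is an assumption: a toy 4-round Feistel built from HMAC-SHA256 stands in for DES so the code runs with the standard library only; the key, IV and message are constructed, and the message length is a multiple of the block size, so no padding is shown.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, the DES block size used on the slides

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: truncated HMAC-SHA256 (toy stand-in, not DES)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def E(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation playing the role of E_K."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # C_i = E_K(P_i): every block is encrypted independently
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                      # C_{-1} = IV
    for p in blocks(pt):
        prev = E(key, xor(p, prev))         # C_i = E_K(P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block."""
    bl = blocks(ct)
    return len(bl) - len(set(bl))

# Constructed sample: three identical 8-byte blocks, then a different one.
KEY = b"constructed demo key"
IV = bytes.fromhex("0011223344556677")
PT = b"PAY 1000" * 3 + b"TO ALICE"

if __name__ == "__main__":
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(KEY, PT)))
    print("CBC duplicate blocks:", repeated_blocks(cbc_encrypt(KEY, IV, PT)))
```

Counting duplicate blocks in this way is also a quick check for spotting ECB use in captured ciphertext.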
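
An added example (not part of the presentation) for slide 39: with a one-time pad, XORing “Eve” xor “Bob” into the ciphertext changes the decrypted payee, and a receiver that checks a MAC over the ciphertext before decrypting rejects the change. Encrypt-then-MAC with HMAC-SHA256 is the composition chosen for this example, not one named on the slides; the function names and keys are constructed.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def otp(pad: bytes, data: bytes) -> bytes:
    """One-time pad: the same XOR encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return xor(pad, data)

def substitute(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The slide's '"Eve" xor "Bob"': XOR (old ^ new) into the ciphertext."""
    delta = xor(old, new)
    end = offset + len(delta)
    return c[:offset] + xor(c[offset:end], delta) + c[end:]

def seal(pad: bytes, mac_key: bytes, m: bytes):
    """Encrypt, then tag the ciphertext with an independent MAC key."""
    c = otp(pad, m)
    return c, hmac.new(mac_key, c, hashlib.sha256).digest()

def open_sealed(pad: bytes, mac_key: bytes, c: bytes, tag: bytes):
    """Verify the tag before decrypting; return None on any mismatch."""
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp(pad, c)

def demo() -> dict:
    m = b"transfer 1000 $ to Bob"            # message from slide 39
    pad = secrets.token_bytes(len(m))        # constructed keys
    mac_key = secrets.token_bytes(32)
    c, tag = seal(pad, mac_key, m)
    modified = substitute(c, m.index(b"Bob"), b"Bob", b"Eve")
    return {
        "decrypt_without_check": otp(pad, modified),  # accepted blindly
        "sealed_modified": open_sealed(pad, mac_key, modified, tag),
        "sealed_original": open_sealed(pad, mac_key, c, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```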
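
An added example (not part of the presentation) for slides 40 and 41: a stateless Vrfy accepts the same (m, t) every time it is delivered, while a receiver that keeps the sequence-number state the slide mentions rejects the second copy. HMAC-SHA256 as Tag, the 64-bit sequence prefix, the `Receiver` class and the key are assumptions made for the example.

```python
import hashlib
import hmac
import struct

def tag(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()      # t = Tag_k(m)

def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(k, m), t)            # stateless Vrfy_k

def send(k: bytes, seq: int, m: bytes):
    """Bind a 64-bit sequence number into the data covered by the MAC."""
    body = struct.pack(">Q", seq) + m
    return body, tag(k, body)

class Receiver:
    """Stateful wrapper: remembers the highest sequence number accepted."""

    def __init__(self, k: bytes):
        self.k = k
        self.last_seq = -1

    def accept(self, body: bytes, t: bytes):
        if len(body) < 8 or not vrfy(self.k, body, t):
            return None                                  # bad or missing tag
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return None                                  # replayed or stale
        self.last_seq = seq
        return body[8:]

KEY = b"constructed-demo-key-32-bytes!!!"  # constructed sample key

def demo() -> dict:
    body, t = send(KEY, 1, b"transfer 1000 $ to Bob")
    rx = Receiver(KEY)
    return {
        "vrfy_first": vrfy(KEY, body, t),
        "vrfy_replayed": vrfy(KEY, body, t),   # still True: no freshness
        "rx_first": rx.accept(body, t),
        "rx_replayed": rx.accept(body, t),     # None: sequence already seen
    }

if __name__ == "__main__":
    print(demo())
```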