2. Authenticated encryption
Definition
“Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications”
4. Why?
MAC
Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed
Authentication: only the user who has the secret key can authenticate the message
Symmetric encryption
Confidentiality: data are encrypted
Authentication: only if exactly 2 users share the secret key
5. A non-computer example
A letter from a lover by ordinary mail:
Envelope: confidentiality and integrity
Signature: authentication
6. Sender AE black box
Input
A plaintext message
A key
Possibly a nonce
Output
The encrypted message (ciphertext)
An authentication tag
7. Recipient AE black box
Input
An encrypted message
A tag
The nonce, if used
The key
Output
If the tag is verified: the plaintext
else: FAIL
8. AE security
Privacy
An attacker can sniff the ciphertext and the nonce,
but must not be able to recover the plaintext
The ciphertext should look like random bits
Authentication
An attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid.
Protection from replay attacks
9. AE implementations
Usually with “modes”
A mode is a sequence of operations applied to a
block cipher, like DES or AES
Examples: CBC, ECB, CTR, …
CCM and GCM provide authenticated encryption
10. Generic composition
Immediate solution
PRO: easy, secure, no need to develop specific apps
CON: not optimized, 2 keys needed for best security
3 ways
MtE: MAC then Encrypt
EtM: Encrypt then MAC
E&M: Encrypt and MAC
EtM is the best
11. Single-pass combined mode
2000: IBM developed IAPM
Comparison with generic composition
Split the plaintext into m parts
Generic composition: 2m calls of the block cipher
Single-pass: about m invocations
Many followed: XCBC, XECB, OCB, …
There is only one problem…
12. Oh no, intellectual property!!
Single-pass modes were all patented
IAPM: by IBM
XCBC: by Gligor and Donescu
XECB: by Gligor and Donescu
OCB: by Rogaway, Bellare, Black and Krovetz
13. As a result …
Probably some of the patents are interrelated
Nobody has gone to court to prove it (yet…)
The possible users of these technologies have been scared off by the legal implications
The researchers have moved in other directions
No single-pass combined mode is used by anybody, even though they are the best solution
14. Two-pass combined mode
Not that different from generic composition
Some advantages
Use of only one key
Patent free
Better performance than generic composition
CCM, EAX, CWC, GCM
16. What is CCM
Counter with CBC-MAC
An authenticated encryption solution
Encryption
Use of the block cipher AES-128
Counter (CTR) mode
Authentication
MAC computed with CBC (Cipher Block Chaining)
17. Main features
Symmetric key
Designed for AES-128
Used in packet environments (no stream data)
Arbitrary length MAC
Only one key for authentication and encryption
No intellectual property restrictions
19. How does it work? (cont’d)
Decryption-verification
20. Generation-encryption
1. The MAC (Message Authentication Code) is computed by applying CBC to the formatted input data: (N, P, A) → m1, m2, …, mx
21. Generation-encryption (cont’d)
2. Counter mode is applied to encrypt the data and the MAC
23. Decryption-verification
Counter mode decryption
Computation of the MAC with CBC-MAC over (N, A, P’)
Verification of authenticity
Output: Payload / INVALID
24. Hardware implementation
CCM cannot be parallelized
Operations to be implemented:
Encryption: hw implementation of AES cipher
XOR
Counter increment
Formatting function
25. Security
Recommendations
Keys must be secret and “fresh”
IV: 0 for CBC-MAC
Never use the same nonce twice
Max number of nonces with the same key: 2^61
Choose an appropriate MAC length
Replay attacks: use timestamps / packet numbers
26. A possible attack
“be conservative in what you send, and liberal in what you accept”
[Figure: the sender uses a 16-byte MAC; the liberal recipient accepts 16-, 12-, 8- and 4-byte MACs]
27. A possible attack (cont’d)
Here comes the bad guy!!
[Figure: the attacker sends a 4-byte MAC to the same recipient, which still accepts 16-, 12-, 8- and 4-byte MACs]
28. A possible attack (cont’d)
232 4-byte MAC computed
At least one valid ciphertext
!!!
29. Countermeasures
Fix the tag length parameter
During key negotiation
Never change it during the current session
31. What is GCM - GMAC
An authenticated encryption solution
Encryption
Use of the block cipher AES
Mode of operation similar to CTR
Authentication
The MAC provided is a sort of keyed digest
Can provide authentication only → GMAC
32. Main features
Extremely fast, more than 10 Gbps
Easy to implement in software and hardware
Can be used for authentication only, if desired
Designed for AES, optimized for 128 bits
Arbitrary length IV, optimized for 96 bits
Only one key for authentication and encryption
No intellectual property restrictions
34. Version for human beings
1. The hash sub-key H is computed and stored
[Figure: a block of 128 zero bits → Enc_K → H, i.e. H is the encryption of the all-zero block under the key K]
35. Version for human beings
2. The IV length is checked
If it is 96 bits, it is padded to 128 bits
If it is different, a 128-bit IV is computed using a special function (GHASH)
The IV is the starting value of the counter
38. Hardware implementation
The only way to manage more than 10 Gbps
GCM can be parallelized
Operations to be implemented:
Encryption: hw implementation of AES cipher
XOR
Increment of the counter
Multiplication within GF(2^128)
40. The multiplication in GF(2^q)
Different approaches
Parallel
Serial: super serial, bit serial, etc.
Serial solutions
Time and area linear in q
Parallel solution
Time: 1 clock cycle
Area: quadratic in q, but only 30% of the AES cipher
GO PARALLEL, BOYS!
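As an added example (not the authors' code), the GF(2^128) multiplication and GHASH of slides 34, 38 and 40 in pure Python: the bit-serial multiply of SP 800-38D, the keyed digest over (A, C), and the two-block identity X1·H² ⊕ X2·H that is what makes the parallel implementation possible. The demo values are the GCM specification's test case 2 (all-zero AES-128 key and IV).

```python
"""GHASH from GCM: multiplication in GF(2^128) and the keyed digest over (A, C)."""

# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1, in GCM's bit convention:
# bit 0 of a block is the most significant bit of byte 0.
R = 0xE1 << 120
ONE = 1 << 127  # the multiplicative identity in this convention


def gf_mul(x: int, y: int) -> int:
    """Bit-serial product in GF(2^128) (SP 800-38D, Algorithm 1): 128 shift-and-XOR
    steps, which is why a serial circuit costs time linear in the field size."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # bit i of x, most significant first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1  # v <- v * x modulo the polynomial
    return z


def ghash(h_key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): zero-pad A and C to full blocks, append len(A) and len(C) in
    bits as 64-bit integers, then fold every block through Y <- (Y ^ X) * H."""
    h = int.from_bytes(h_key, "big")
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    data = (pad(aad) + pad(ciphertext)
            + (8 * len(aad)).to_bytes(8, "big")
            + (8 * len(ciphertext)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y.to_bytes(16, "big")


def ghash_two_blocks_parallel(h_key: bytes, x1: bytes, x2: bytes) -> bytes:
    """The two-block GHASH as X1*H^2 ^ X2*H with both products formed independently:
    the algebra that lets hardware process several blocks per clock."""
    h = int.from_bytes(h_key, "big")
    a = gf_mul(int.from_bytes(x1, "big"), gf_mul(h, h))
    b = gf_mul(int.from_bytes(x2, "big"), h)
    return (a ^ b).to_bytes(16, "big")


if __name__ == "__main__":
    # GCM specification test case 2: all-zero AES-128 key, all-zero 96-bit IV.
    # H = AES_K(0^128) and C is the single ciphertext block from that test case.
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print(ghash(H, b"", C).hex())  # f38cbb1ad69223dcc3457ae5b6b0f885
```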
41. Security
Recommendations
Keys: secret and “fresh”
IV: probability of using the same IV and key < 2^-32
Known security problem with reused IVs
Appropriate tag length
Replay attacks: use of timestamps
42. Oracles...
Permutation oracle
Outputs either random numbers or the output of a PRF
The PRF output represents an encrypted message
Distinguishing advantage
43. Oracles...
Tag-generation oracle
Input: a message
Output: a valid tag
Tag-validation oracle
Input: a message and a tag
Output: is the tag correct for the given message?
Forgery advantage
44. CTR known issue
[Figure: two messages encrypted with the same key and IV, plaintext on the left and ciphertext on the right]
Hello world,      72dd0294rth%p
this is me,       29sj!5z/k=p
life should be    akd'^3sddG#/ap5
fun for everyone  97;7*h2?375ba+?9

Hello Sarah,      72dd023&F7j%p
this is me,       29sj!5z/k=p
life should be    akd'^3sddG#/ap5
fun for everyone  97;7*h2?375ba+?9
45. Beware!
Attacker with access to a tag-generation oracle
If the IVs are not changed, the output will be a function of the hash sub-key H
By analyzing the resulting tags the attacker could recover H
With H he can generate valid authentication tags, thus pretending to be your friend!
46. Solution
This attack is possible only if you use the same key with the same IV at least twice
NEVER DO THAT!
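An added example, not from the slides, for the CTR issue of slides 44 to 46: a toy CTR mode whose keystream comes from HMAC-SHA256 standing in for AES (the Python standard library has no AES, and the point does not depend on the cipher), the C1 ⊕ C2 = P1 ⊕ P2 leak that a repeated (key, IV) pair produces, and a sender that issues counter nonces and refuses to exceed an agreed nonce budget.

```python
"""CTR-mode nonce reuse: what it leaks, and a sender that cannot repeat a nonce."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256_K(nonce || i). This stands in for the block
    cipher (CCM and GCM use AES_K(nonce || counter)); the reuse problem shown here
    does not depend on which keyed function generates the keystream."""
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Under one (key, nonce) pair the keystream cancels: C1 ^ C2 == P1 ^ P2, and a
    shared plaintext prefix appears as an identical ciphertext prefix (the repeated
    '72dd02...' on slide 44). No key material is needed to compute this."""
    return xor(c1, c2)


class CtrSender:
    """Sender-side guard: nonces come from a counter, so none repeats under the key,
    and sending stops when the agreed nonce budget is spent (slide 25 caps a CCM key
    at 2^61 nonces; the budget here is a small constructed value for the demo)."""

    def __init__(self, key: bytes, nonce_budget: int) -> None:
        self.key, self.budget, self.used = key, nonce_budget, 0

    def encrypt(self, plaintext: bytes) -> tuple:
        if self.used >= self.budget:
            raise RuntimeError("nonce budget exhausted: rekey before sending more")
        nonce = self.used.to_bytes(12, "big")  # 96-bit counter nonce
        self.used += 1
        return nonce, ctr_encrypt(self.key, nonce, plaintext)
```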