SlideShare une entreprise Scribd logo
1  sur  48
Télécharger pour lire hors ligne
Authenticated
 encryption
  GCM and CCM modes



Lorenzo Peraldo and Vittorio Picco
Authenticated encryption

                  Definition

“ Authenticated Encryption (AE) is a term used
  to describe encryption systems which
  simultaneously protect confidentiality,
                          confidentiality,
  authenticity and integrity of communications ”
Basic components

Message Authentication
    Code (MAC)

         +
Symmetric encryption
Why?
MAC
  Integrity:
  Integrity: an attacker can’t modify the data and then
  compute a new MAC, because a secret key is needed
  Authentication:
  Authentication: only the user who has got the
  secret key can authenticate the message
Symmetric encryption
  Confidentiality:
  Confidentiality: data are encrypted
  Authentication:
  Authentication: if only 2 users share the secret key
A non-computer example
        non-
A letter from a lover by ordinary mail:
  Envelope: confidentiality and integrity
  Signature: authentication
Sender AE black box
Input
  A plaintext message
  A key
  Possibly a nonce
Output
  The encrypted message (ciphertext)
  An authentication tag
Recipient AE black box
Input
  An encrypted message
  A tag
  The nonce, if used
  The key
Output
  If the tag is verified: the plaintext
  else: FAIL
AE security
Privacy
  An attacker can sniff the ciphertext and the nonce,
  but must not be able to recover the plaintext
  The ciphertext should look like random bits
Authentication
  An attacker shouldn’t be able to construct a
  ciphertext, a tag and a nonce such that the recipient
  accept them as valid.
  Protection from replay attacks
AE implementations
Usually with “modes”
A mode is a sequence of operations applied to a
block cipher, like DES or AES
Examples: CBC, ECB, CTR, …
CCM and GCM provide authenticated
encryption
Generic composition
Immediate solution
  PRO: easy, secure, no need to develop specific apps
  CON: not optimized, 2 keys needed for best security
3 ways
  MtE: MAC then Encrypt
  EtM: Encrypt then MAC
  E&M: Encrypt and MAC
EtM is the best
Single-
  Single-pass combined mode
2000: IBM developed IAPM
Comparison with generic composition
  Split the plaintext in m parts
  Generic composition: 2m calls of the block cipher
  Single-
  Single-pass: about m invocations
Many followed: XCBC, XECB, OCB, …
There is only a problem…
Oh no, Intellectual Properties !!
Single-
Single-pass modes were all patented
      IAPM                 OCB
              XCBC                      XECB




                        By Rogaway,
                       Bellare, Black,By Gligor and
         By By Gligor and
            IBM
                Donescu  and Krovetz      Donescu
As a result …
Probably some of the patents are interrelated
Nobody has gone to court to prove it (yet…)
The possible users of these technologies has
been scared by the legal implications
The researchers have moved toward other
directions
All single-pass combined mode are used by
    single-
anybody, even though they are the best solution
Two-
   Two-pass combined mode
Not that different from generic composition
Some advantages
  Use of only one key
  Patent free
  Better performances than generic composition
CCM, EAX, CWC, GCM
CCM
A brief introduction
What is CCM
Counter with CBC-MAC
             CBC-
An authenticated encryption solution
Encryption
  Use of the block cipher AES-128
                          AES-
  Counter (CTR) mode
Authentication
  MAC computed with CBC (Cipher Block Chaining)
Main features
Symmetric key
Designed for AES-128
              AES-
Use in packet environment (no stream data)
Arbitrary length MAC
Only one key for authentication and encryption
No intellectual property restrictions
How does it work ?

Generation - encryption
How does it work ? (cont’d)

Decryption - verification
Generation-
           Generation-encryption
1.   The MAC (Message Authentication Code) is computed
     applying CBC to the formatted input data
             (N, P, A)       m1, m2, …, mx
Generation-
     Generation-encryption (cont’d)
2.    Counter mode is applied to encrypt data and MAC
Generation-
 Generation-encryption (cont’d)
3. Output ciphertext




    C=      MAC        Payload
                  K
Decryption-
   Decryption-verification
Counter mode decryption
Computation of MAC with CBC-MAC
                        CBC-
  (N, A, P’)
Verification of authenticity
Output: Payload / INVALID
Hardware implementation
CCM cannot be parallelized
Operations to be implemented:
  Encryption: hw implementation of AES cipher
  XOR
  Counter increment
  Formatting function
Security
Recommendations
  Keys must be secret and “fresh”
  IV: 0 for CBC-MAC
            CBC-
  Never use the same nonce twice
  Max n° of nonce with the same key: 261
       n°
  Choose an appropriate MAC length
  Replay attacks: use of timestamps / number packets
A possible attack
“be conservative in what you send, and
      liberal in what you accept”

                       16-byte MAC
                       12-byte MAC
      16-byte MAC       8-byte MAC
                        4-byte MAC
A possible attack (cont’d)
  Here comes the bad guy !!



                   16-byte MAC
                   12-byte MAC
  4-byte MAC        8-byte MAC
                    4-byte MAC
A possible attack (cont’d)

 232 4-byte MAC computed




 At least one valid ciphertext
                                 !!!
Countermeasures
Fix the tag length parameter
  During key negotiation
Never change it during the current session
GCM
Galois/Counter Mode of operations
What is GCM - GMAC
An authenticated encryption solution
Encryption
  Use of the block cipher AES
  Mode of operation similar to the CTR
Authentication
  The MAC provided is a sort of keyed digest
  Can provide authentication only → GMAC
Main features
Extremely fast, more than 10Gbps
Easy to implement in software and hardware
Can be used for authentication only, if desired
Designed for AES, optimized for 128 bits
Arbitrary length IV, optimized for 96 bits
Only one key for authentication and encryption
No intellectual property restrictions
Authenticated encryption function




     WHAT ?!?!
Version for human beings
1. The hash sub-key H is computed and stored
            sub-
    0000000000000000
    0000000000000000
    0000000000000000
    0000000000000000    Enc K       H
    0000000000000000
    0000000000000000
    0000000000000000
    0000000000000000
Version for human beings
2. The IV length is checked

   If it’s 96 bits is padded to 128
   If it’s different is computed a 128 bit IV using
   a special function (GHASH)
   The IV is the starting value of the counter
Version for human beings
3. Encryption
Version for human beings
4. Authentication




            GF(2128)
Hardware implementation
The only way to manage more than 10Gbps
GCM can be parallelized
Operations to be implemented:
  Encryption: hw implementation of AES cipher
  XOR
  Increment of the counter
  Multiplication within GF(2128)
Hardware implementation
The multiplication in GF(2q)
Different approaches
  Parallel
  Serial: super serial, bit serial, etc
Serial solutions
  Time and area linear with q
Parallel solution
  Time: 1 clock cycle
  Area: quadratic with q, but only 30% of AES cipher

GO PARALLEL, BOYS!
Security
Recommendations
  Keys: secret and “fresh”
  IV: probability of using same IV and key < 2-32
  Known security problem with reused IVs
  Appropriate tag length
  Replay attacks: use of timestamps
Oracles...


Permutation oracle
  Outputs random number of PRF
  The PRF represent an encrypted message
Distinguishing advantage
Oracles...
Tag-
Tag-generation oracle
  Input: a message
  Output: a valid tag
Tag-
Tag-validation oracle
  Input: a message and a tag
  Output: is the tag correct for the given message?


Forgery advantage
CTR known issue
Hello world,       72dd0294rth%p
this is me,        29sj!5z/k=p
life should be     akd'^3sddG#/ap5
fun for everyone   97;7*h2?375ba+?9


Hello Sarah,
      Sarah,       72dd023&F7j%p
                   72dd023&F7j%p
this is me,        29sj!5z/k=p
life should be     akd'^3sddG#/ap5
fun for everyone   97;7*h2?375ba+?9
Beware !
Attacker with access to a tag-generation oracle
                          tag-
If IVs are not changed the output will be function
of the hash sub-key H
            sub-
Analyzing the resulting tags the attacker could
recover H
With H he can generate valid authentication tags,
thus pretending to be your friend !
Solution
This attack is possible only if you use at least
twice the same key with the same IV




NEVER DO THAT!
References
NIST Special Publication 800-38C (CCM)
                         800-
NIST Special Publication 800-38D (GCM)
                         800-
Authenticated Encryption (J. Black)
A Critique of CCM (P. Rogaway, D. Wagner)
On The Security of CTR + CBC-MAC (J. Jonsson)
                           CBC-
Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
              CBC-
Flexible and Efficient Message Authentication in Hardware and
Software (D. A. McGrew, J. Viega)
The Security and Performance of the Galois/Counter Mode
(GCM) of Operation (D. A. McGrew, J. Viega)
www.wikipedia.org
Questions ?

Contenu connexe

Tendances

Tendances (20)

Algorithm (MAC/GCM/GMAC)
Algorithm (MAC/GCM/GMAC)Algorithm (MAC/GCM/GMAC)
Algorithm (MAC/GCM/GMAC)
 
AES KEY EXPANSION .pptx
AES KEY EXPANSION .pptxAES KEY EXPANSION .pptx
AES KEY EXPANSION .pptx
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Key management
Key managementKey management
Key management
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Hashing
HashingHashing
Hashing
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Cryptography
CryptographyCryptography
Cryptography
 
AES by example
AES by exampleAES by example
AES by example
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 
암호화 이것만 알면 된다.
암호화 이것만 알면 된다.암호화 이것만 알면 된다.
암호화 이것만 알면 된다.
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption Standard
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec ProtocolsIPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 

En vedette

Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 
IEEE 802.22[wardah & mariam]
IEEE 802.22[wardah & mariam]IEEE 802.22[wardah & mariam]
IEEE 802.22[wardah & mariam]Mariam Musavi
 
Block Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For AuthenticationBlock Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For AuthenticationVittorio Giovara
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Printers And Its Types
Printers And Its TypesPrinters And Its Types
Printers And Its TypesAasim Mushtaq
 

En vedette (8)

Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
IEEE 802.22[wardah & mariam]
IEEE 802.22[wardah & mariam]IEEE 802.22[wardah & mariam]
IEEE 802.22[wardah & mariam]
 
Block Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For AuthenticationBlock Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For Authentication
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION
 
Printers And Its Types
Printers And Its TypesPrinters And Its Types
Printers And Its Types
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 

Similaire à Authenticated Encryption Gcm Ccm

Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...Aaron Zauner
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoHarry Potter
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoJames Wong
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoYoung Alista
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoDavid Hoen
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoLuis Goldster
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoTony Nguyen
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoFraboni Ec
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3koolkampus
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
CH02-CompSec4e.pptx
CH02-CompSec4e.pptxCH02-CompSec4e.pptx
CH02-CompSec4e.pptxams1ams11
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesKernel TLV
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network securityMazin Alwaaly
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MACSou Jana
 

Similaire à Authenticated Encryption Gcm Ccm (20)

Cryptography101
Cryptography101Cryptography101
Cryptography101
 
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
[BlackHat USA 2016] Nonce-Disrespecting Adversaries: Practical Forgery Attack...
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Moein
MoeinMoein
Moein
 
CH02-CompSec4e.pptx
CH02-CompSec4e.pptxCH02-CompSec4e.pptx
CH02-CompSec4e.pptx
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
 
Java Crypto
Java CryptoJava Crypto
Java Crypto
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network security
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MAC
 

Plus de Vittorio Giovara

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoVittorio Giovara
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyVittorio Giovara
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineeringVittorio Giovara
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryVittorio Giovara
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersVittorio Giovara
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsVittorio Giovara
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmVittorio Giovara
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development StandardVittorio Giovara
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatVittorio Giovara
 

Plus de Vittorio Giovara (12)

Color me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in videoColor me intrigued: A jaunt through color technology in video
Color me intrigued: A jaunt through color technology in video
 
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiencyAn overview on 10 bit video: UHDTV, HDR, and coding efficiency
An overview on 10 bit video: UHDTV, HDR, and coding efficiency
 
Introduction to video reverse engineering
Introduction to video reverse engineeringIntroduction to video reverse engineering
Introduction to video reverse engineering
 
Il Caso Ryanair
Il Caso RyanairIl Caso Ryanair
Il Caso Ryanair
 
I Mercati Geografici
I Mercati GeograficiI Mercati Geografici
I Mercati Geografici
 
Crittografia Quantistica
Crittografia QuantisticaCrittografia Quantistica
Crittografia Quantistica
 
Fuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability DiscoveryFuzzing Techniques for Software Vulnerability Discovery
Fuzzing Techniques for Software Vulnerability Discovery
 
Parallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency ClustersParallel and Distributed Computing on Low Latency Clusters
Parallel and Distributed Computing on Low Latency Clusters
 
Software Requirements for Safety-related Systems
Software Requirements for Safety-related SystemsSoftware Requirements for Safety-related Systems
Software Requirements for Safety-related Systems
 
Microprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division AlgorithmMicroprocessor-based Systems 48/32bit Division Algorithm
Microprocessor-based Systems 48/32bit Division Algorithm
 
Misra C Software Development Standard
Misra C Software Development StandardMisra C Software Development Standard
Misra C Software Development Standard
 
OpenSSL User Manual and Data Format
OpenSSL User Manual and Data FormatOpenSSL User Manual and Data Format
OpenSSL User Manual and Data Format
 

Dernier

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Dernier (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Authenticated Encryption Gcm Ccm

  • 1. Authenticated encryption GCM and CCM modes Lorenzo Peraldo and Vittorio Picco
  • 2. Authenticated encryption Definition “ Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, confidentiality, authenticity and integrity of communications ”
  • 3. Basic components Message Authentication Code (MAC) + Symmetric encryption
  • 4. Why? MAC Integrity: Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed Authentication: Authentication: only the user who has got the secret key can authenticate the message Symmetric encryption Confidentiality: Confidentiality: data are encrypted Authentication: Authentication: if only 2 users share the secret key
  • 5. A non-computer example non- A letter from a lover by ordinary mail: Envelope: confidentiality and integrity Signature: authentication
  • 6. Sender AE black box Input A plaintext message A key Possibly a nonce Output The encrypted message (ciphertext) An authentication tag
  • 7. Recipient AE black box Input An encrypted message A tag The nonce, if used The key Output If the tag is verified: the plaintext else: FAIL
  • 8. AE security Privacy An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext The ciphertext should look like random bits Authentication An attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accept them as valid. Protection from replay attacks
  • 9. AE implementations Usually with “modes” A mode is a sequence of operations applied to a block cipher, like DES or AES Examples: CBC, ECB, CTR, … CCM and GCM provide authenticated encryption
  • 10. Generic composition Immediate solution PRO: easy, secure, no need to develop specific apps CON: not optimized, 2 keys needed for best security 3 ways MtE: MAC then Encrypt EtM: Encrypt then MAC E&M: Encrypt and MAC EtM is the best
  • 11. Single- Single-pass combined mode 2000: IBM developed IAPM Comparison with generic composition Split the plaintext in m parts Generic composition: 2m calls of the block cipher Single- Single-pass: about m invocations Many followed: XCBC, XECB, OCB, … There is only a problem…
  • 12. Oh no, Intellectual Properties !! Single- Single-pass modes were all patented IAPM OCB XCBC XECB By Rogaway, Bellare, Black,By Gligor and By By Gligor and IBM Donescu and Krovetz Donescu
  • 13. As a result … Probably some of the patents are interrelated Nobody has gone to court to prove it (yet…) The possible users of these technologies has been scared by the legal implications The researchers have moved toward other directions All single-pass combined mode are used by single- anybody, even though they are the best solution
  • 14. Two- Two-pass combined mode Not that different from generic composition Some advantages Use of only one key Patent free Better performances than generic composition CCM, EAX, CWC, GCM
  • 16. What is CCM Counter with CBC-MAC CBC- An authenticated encryption solution Encryption Use of the block cipher AES-128 AES- Counter (CTR) mode Authentication MAC computed with CBC (Cipher Block Chaining)
  • 17. Main features Symmetric key Designed for AES-128 AES- Use in packet environment (no stream data) Arbitrary length MAC Only one key for authentication and encryption No intellectual property restrictions
  • 18. How does it work ? Generation - encryption
  • 19. How does it work ? (cont’d) Decryption - verification
  • 20. Generation- Generation-encryption 1. The MAC (Message Authentication Code) is computed applying CBC to the formatted input data (N, P, A) m1, m2, …, mx
  • 21. Generation- Generation-encryption (cont’d) 2. Counter mode is applied to encrypt data and MAC
  • 22. Generation- Generation-encryption (cont’d) 3. Output ciphertext C= MAC Payload K
  • 23. Decryption- Decryption-verification Counter mode decryption Computation of MAC with CBC-MAC CBC- (N, A, P’) Verification of authenticity Output: Payload / INVALID
  • 24. Hardware implementation CCM cannot be parallelized Operations to be implemented: Encryption: hw implementation of AES cipher XOR Counter increment Formatting function
  • 25. Security Recommendations Keys must be secret and “fresh” IV: 0 for CBC-MAC CBC- Never use the same nonce twice Max n° of nonce with the same key: 261 n° Choose an appropriate MAC length Replay attacks: use of timestamps / number packets
  • 26. A possible attack “be conservative in what you send, and liberal in what you accept” 16-byte MAC 12-byte MAC 16-byte MAC 8-byte MAC 4-byte MAC
  • 27. A possible attack (cont’d) Here comes the bad guy !! 16-byte MAC 12-byte MAC 4-byte MAC 8-byte MAC 4-byte MAC
  • 28. A possible attack (cont’d) 232 4-byte MAC computed At least one valid ciphertext !!!
  • 29. Countermeasures Fix the tag length parameter During key negotiation Never change it during the current session
  • 31. What is GCM - GMAC An authenticated encryption solution Encryption Use of the block cipher AES Mode of operation similar to the CTR Authentication The MAC provided is a sort of keyed digest Can provide authentication only → GMAC
  • 32. Main features Extremely fast, more than 10Gbps Easy to implement in software and hardware Can be used for authentication only, if desired Designed for AES, optimized for 128 bits Arbitrary length IV, optimized for 96 bits Only one key for authentication and encryption No intellectual property restrictions
  • 34. Version for human beings 1. The hash sub-key H is computed and stored sub- 0000000000000000 0000000000000000 0000000000000000 0000000000000000 Enc K H 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  • 35. Version for human beings 2. The IV length is checked If it’s 96 bits is padded to 128 If it’s different is computed a 128 bit IV using a special function (GHASH) The IV is the starting value of the counter
  • 36. Version for human beings 3. Encryption
  • 37. Version for human beings 4. Authentication GF(2128)
  • 38. Hardware implementation The only way to manage more than 10Gbps GCM can be parallelized Operations to be implemented: Encryption: hw implementation of AES cipher XOR Increment of the counter Multiplication within GF(2128)
  • 40. The multiplication in GF(2q) Different approaches Parallel Serial: super serial, bit serial, etc Serial solutions Time and area linear with q Parallel solution Time: 1 clock cycle Area: quadratic with q, but only 30% of AES cipher GO PARALLEL, BOYS!
  • 41. Security Recommendations Keys: secret and “fresh” IV: probability of using same IV and key < 2-32 Known security problem with reused IVs Appropriate tag length Replay attacks: use of timestamps
  • 42. Oracles... Permutation oracle Outputs random number of PRF The PRF represent an encrypted message Distinguishing advantage
  • 43. Oracles... Tag- Tag-generation oracle Input: a message Output: a valid tag Tag- Tag-validation oracle Input: a message and a tag Output: is the tag correct for the given message? Forgery advantage
  • 44. CTR known issue Hello world, 72dd0294rth%p this is me, 29sj!5z/k=p life should be akd'^3sddG#/ap5 fun for everyone 97;7*h2?375ba+?9 Hello Sarah, Sarah, 72dd023&F7j%p 72dd023&F7j%p this is me, 29sj!5z/k=p life should be akd'^3sddG#/ap5 fun for everyone 97;7*h2?375ba+?9
  • 45. Beware ! Attacker with access to a tag-generation oracle tag- If IVs are not changed the output will be function of the hash sub-key H sub- Analyzing the resulting tags the attacker could recover H With H he can generate valid authentication tags, thus pretending to be your friend !
  • 46. Solution This attack is possible only if you use at least twice the same key with the same IV NEVER DO THAT!
  • 47. References NIST Special Publication 800-38C (CCM) 800- NIST Special Publication 800-38D (GCM) 800- Authenticated Encryption (J. Black) A Critique of CCM (P. Rogaway, D. Wagner) On The Security of CTR + CBC-MAC (J. Jonsson) CBC- Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson) CBC- Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega) The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega) www.wikipedia.org