Cryptography Lecture 11: (Basic) CBC-MAC


Uploaded by ava on 2024-01-29



Presentation Transcript

1. Cryptography, Lecture 11

2. (Basic) CBC-MACFkm1Fkm2Fkmlt…

3. CBC-MAC vs. CBC-mode
- CBC-MAC is deterministic (no IV). MACs do not need to be randomized to be secure; verification is done by re-computing the result.
- In CBC-MAC, only the final value is output.
- Both properties are essential for security. Exercise: show attacks on the variants that use a random IV or that output every intermediate value.

4. Security of (basic) CBC-MAC?
- If F is a pseudorandom function with block length n, then for any fixed l, basic CBC-MAC is a secure MAC for messages of length l·n.
- The sender and receiver must agree on the length parameter l in advance.
- Basic CBC-MAC is not secure if this is not done!

5. CBC-MAC extensions
- Several ways to handle variable-length messages.
- One of the simplest: prepend the message length before applying (basic) CBC-MAC.

6. CBC-MACFkm1Fkm2Fkmlt…lFk

7. CBC-MAC extensions
- Several ways to handle variable-length messages.
- One of the simplest: prepend the message length before applying (basic) CBC-MAC.
- Can also be adapted to handle messages whose length is not a multiple of the block length.
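As an added worked example (not part of the lecture slides), the following Python implements basic CBC-MAC (slide 2), the length-prefixed variant of slides 5–7, and the forgery that slides 3–4 ask you to find when basic CBC-MAC is used without an agreed block count. The block function F_k is a stand-in, an assumption of this example: HMAC-SHA256 truncated to 16 bytes, which is a PRF but not a block cipher (a deployment would use AES; CBC-MAC never needs F_k^{-1}, so a PRF suffices). Messages that are not a block multiple are zero-padded after the length block; that is one choice this example makes, the slides do not specify one.

```python
import hmac
import hashlib

N = 16  # block length in bytes (AES-sized)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, block: bytes) -> bytes:
    # Stand-in for the PRF F_k (assumption of this example): HMAC-SHA256 truncated to N bytes.
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def basic_cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Slide 2: t_1 = F_k(m_1), t_i = F_k(t_{i-1} XOR m_i); only t_l is output.
    Secure only when every party fixes the number of blocks l in advance (slide 4)."""
    if not msg or len(msg) % N:
        raise ValueError("basic CBC-MAC needs a nonzero multiple of N bytes")
    t = bytes(N)
    for i in range(0, len(msg), N):
        t = prf(key, _xor(t, msg[i:i + N]))
    return t


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Slides 5-7: prepend the message length as the first block, then run basic
    CBC-MAC. Messages that are not a block multiple are zero-padded after the
    length block (one possible choice; the length block disambiguates)."""
    length_block = len(msg).to_bytes(N, "big")
    padded = msg + bytes(-len(msg) % N)
    return basic_cbc_mac(key, length_block + padded)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Verification re-computes the tag (slide 3); compare in constant time.
    return hmac.compare_digest(cbc_mac(key, msg), tag)


def forge_basic(m: bytes, t: bytes, m2: bytes, t2: bytes):
    """Attack on basic CBC-MAC when no length is agreed (slide 4). From valid
    pairs (m, t) and (m2, t2), build  m || (m2_1 XOR t) || m2_2 || ... : the chain
    state after m is t, so XORing t into the next block makes the rest of the
    chain evaluate exactly as it does on m2, and the forged message carries tag
    t2. With m2 = m only a single known pair is needed."""
    forged = m + _xor(m2[:N], t) + m2[N:]
    return forged, t2


if __name__ == "__main__":
    key = b"\x11" * 16                       # constructed sample key
    m = b"A" * 16
    t = basic_cbc_mac(key, m)
    forged, forged_tag = forge_basic(m, t, m, t)
    print("basic CBC-MAC accepts forgery:", basic_cbc_mac(key, forged) == forged_tag)
    print("length-prefixed CBC-MAC accepts it:", verify(key, forged, forged_tag))
```

The forgery works because basic CBC-MAC on a prefix leaves the attacker knowing the internal chaining value (it is the tag itself); the length block in `cbc_mac` changes the first block for every message length, so the forged 32-byte message starts a different chain and its tag no longer matches.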

8. Back to secrecy…

9. So far…
- In the context of encryption (secrecy), so far we have only been considering a passive, eavesdropping attacker.

10. [Figure: sender and receiver share a key k. The sender computes c_1 ← Enc_k(m_1), …, c_t ← Enc_k(m_t) and sends c_1, …, c_t; the eavesdropper sees c_1, …, c_t but holds no key.]

11. So far…
- What if the attacker can be active?
- Modifying what is sent over the channel
- Injecting traffic on the channel

12. kc  Enck(m)kcm’ := Deck(c')c’

13. Malleability
- (Informal:) A scheme is malleable if it is possible to modify a ciphertext and thereby cause a predictable change to the plaintext.
- Malleability can be dangerous! E.g., encrypted bank transactions.

14. Malleability
- All the encryption schemes we have seen so far are malleable!
- E.g., the one-time pad...

15. kc := (m1m2…mn)kkc1c2…cnm1m2…m’n := (c1c2…c’n)kc1c2…c’n

16. Malleability
- All the schemes we have seen so far are malleable! E.g., the one-time pad...
- Perfect secrecy does not imply non-malleability!
- Similar attacks (and sometimes others) apply to all the encryption schemes we have seen so far.

17. Chosen-ciphertext attacks
- Models settings in which the attacker can influence what gets decrypted, and observe the effects
- I.e., interact with the receiver (who decrypts) in addition to the sender (who encrypts)

18. kc  Enck(m)kcc’m’m’ := Deck(c')

19. Chosen-ciphertext attacks
- Models settings in which the attacker can influence what gets decrypted, and observe the effects
- How to model? Allow the attacker to submit ciphertexts of its choice* to the receiver, and learn the corresponding plaintext
- In addition to being able to carry out a chosen-plaintext attack!
*With one restriction, described next

20. CCA-security
Define a randomized experiment PrivK^cca_{A,Π}(n):
- k ← Gen(1^n)
- A(1^n) interacts with an encryption oracle Enc_k(·) and a decryption oracle Dec_k(·), and then outputs m_0, m_1 of the same length
- b ← {0,1}, c ← Enc_k(m_b); give c to A
- A continues to interact with Enc_k(·) and Dec_k(·), but may not request decryption of c
- A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case

21. CCA-security is secure against chosen-ciphertext attacks (CCA-secure) if for all PPT attackers A, there is a negligible function  such that Pr[PrivCCAA,(n) = 1] ≤ ½ + (n)

22. CCA-security
- In the definition of CCA-security, the attacker can obtain the decryption of any ciphertext of its choice (besides the challenge ciphertext)
- Is this realistic?
- In the real world the attacker would not have access to a full decryption oracle, but might learn partial information about decrypted ciphertexts
- In many such cases, submitting the challenge ciphertext would give no additional information

23. Chosen-ciphertext attacks and malleability
- If a scheme is malleable, then it cannot be CCA-secure: modify c, submit the modified ciphertext c' to the decryption oracle, and determine (information about) the original message based on the result
- CCA-security implies non-malleability
- So we will focus on CCA-security

24. Padding-oracle attacks
We show a scenario where:
- One bit about decrypted ciphertexts is leaked
- The scenario occurs in the real world!
- It can be exploited to learn the entire plaintext
- In this scenario, submitting the challenge ciphertext gives no additional information

25. CBC-mode encryption
[Figure: c_0 = IV; c_i = F_k(m_i ⊕ c_{i-1}) for i = 1, …, l. The ciphertext is c_0, c_1, …, c_l.]

26. CBC-mode decryption
[Figure: m_i = F_k^{-1}(c_i) ⊕ c_{i-1} for i = 1, …, l.]

27. Observation
If an attacker modifies c_{i-1}, this causes a predictable change to m_i: XORing a value Δ into c_{i-1} XORs exactly Δ into m_i. (Block m_{i-1} itself, if it exists, is scrambled unpredictably, but m_i changes by exactly Δ.)

28. Arbitrary-length messages?
Message → encoded data → ciphertext
PKCS #7 encoding:
- Assume the message is an integral number of bytes
- Let L be the block length (in bytes) of the cipher
- Let b > 0 be the number of bytes that need to be appended to the message to get a length that is a multiple of L; 1 ≤ b ≤ L (note b ≠ 0: a message whose length is already a multiple of L gets a full block of padding)
- Append b (encoded in 1 byte), b times
- I.e., if 3 bytes of padding are needed, append 0x030303

29. Decryption?
- Use CBC-mode decryption to obtain the encoded data
- Say the final byte of the encoded data has value b
- If b = 0 or b > L, return "error"
- If the final b bytes of the encoded data are not all equal to b, return "error"
- Otherwise, strip off the final b bytes of the encoded data, and output what remains as the message

30. Example (L=8)
Encoded data: AB 01 4F 21 00 7C 02 02
The final byte is 0x02 and the last two bytes are both 0x02, so the padding is valid; stripping it gives the message AB 01 4F 21 00 7C.

31. kc  Enck(m)kcc’error?Deck(c')Padding oracle!31

32. Padding oracles
- Padding oracles are often present in, e.g., web applications
- Even if an error is not explicitly returned, an attacker might be able to detect differences in timing, behavior, etc. after decryption

33. Main idea of the attack
- Consider a two-block ciphertext IV, c
- Encoded data = F_k^{-1}(c) ⊕ IV
- Goal is to learn the encoded data
- Main observation: if an attacker modifies (only) the ith byte of IV, this causes a predictable change to (only) the ith byte of the encoded data

34. Step 1: learn the number of padding bytes (L=8)
  F_k^{-1}(c):  XX XX XX XX XX XX XX XX   (unknown)
  IV:           AB 01 4F 21 00 7C 02 9E   (known)
  Encoded data: XX XX XX XX XX XX XX XX   (unknown, but must end in valid padding)
Modify one byte of IV at a time, from the left, and submit (IV', c) to the oracle. Changing byte 1 → "Success"; changing byte 2 → "Success"; changing byte 3 → "Error". So the padding starts at byte 3: the encoded data ends in 06 06 06 06 06 06, i.e. b = 6. This also reveals the last six bytes of F_k^{-1}(c), e.g. byte 8 is 0x9E ⊕ 0x06 = 0x98.

35. Step 2: learn the next plaintext byte
  F_k^{-1}(c):  XX XX 49 27 06 7A 04 98   (bytes 3–8 now known)
  IV:           AB 01 4F 21 00 7C 02 9E
  Encoded data: XX XX 06 06 06 06 06 06
Change bytes 3–8 of IV so that the encoded data ends in 07 07 07 07 07 07 instead, i.e. XOR each of those IV bytes with 0x06 ⊕ 0x07 = 0x01: byte 8 becomes 0x98 ⊕ 0x07 = 0x9F, byte 7 becomes 0x02 ⊕ 0x06 ⊕ 0x07 = 0x03, and bytes 3–6 become 4E 20 01 7D. Now set byte 2 of IV to 00, 01, 02, … and query the oracle each time until it says "Success!"; this happens at 0x41, meaning byte 2 of the encoded data is now 0x07:
  XX ⊕ 0x41 = 0x07, so XX = 0x41 ⊕ 0x07 = 0x46 is byte 2 of F_k^{-1}(c),
  and the plaintext byte is XX ⊕ 0x01 = 0x47 (0x01 being byte 2 of the original IV).
Repeating with padding 08 08 … 08 forced recovers byte 1 the same way.

36. Attack complexity?
- ≤ L attempts to learn the number of padding bytes
- ≤ 2^8 = 256 attempts to learn each plaintext byte
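As an added, runnable example (not part of the lecture slides), the following Python puts slides 25–36 together: CBC mode, the PKCS #7 encoding and the receiver-side checks of slides 28–29, a receiver that leaks only the one padding-error bit (slide 31), and the attack of slides 33–35 generalised from a two-block ciphertext to any number of blocks, since each c_{i-1} plays the role of the IV for block c_i. Rather than learning the padding length first as the slides do, it forces padding values 01, then 02 02, and so on from the right, which recovers every byte with the same ≤ 256 queries per byte as slide 36. The block cipher is an assumption of this example: a 4-round Feistel network on 8-byte blocks with an HMAC-SHA256 round function, chosen because Python's standard library has no AES; it is invertible (CBC decryption needs F_k^{-1}) but is not a real cipher. Key, IV and message are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 8  # block length L in bytes, as in the slides' example

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher (assumption, not from the slides): 4-round Feistel network on
# 8-byte blocks with an HMAC-SHA256 round function. Invertible, but not a real cipher.
def _round(key, r, half):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

# PKCS #7 padding and the receiver's checks, exactly as on slides 28-29.
def pad(msg):
    b = BLOCK - len(msg) % BLOCK  # 1 <= b <= BLOCK; never 0
    return msg + bytes([b]) * b

def unpad(data):
    b = data[-1]
    if b == 0 or b > BLOCK or data[-b:] != bytes([b]) * b:
        raise ValueError("bad padding")
    return data[:-b]

# CBC mode (slides 25-26): c_0 = IV, c_i = F_k(m_i XOR c_{i-1}), m_i = F_k^{-1}(c_i) XOR c_{i-1}.
def cbc_encrypt(key, iv, msg):
    out, prev, data = [iv], iv, pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    data = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(data)

def make_padding_oracle(key):
    # The receiver leaks exactly one bit: did decryption hit a padding error? (slide 31)
    def oracle(ct):
        oracle.calls += 1
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False
    oracle.calls = 0
    return oracle

def padding_oracle_attack(oracle, ct):
    """Recover the plaintext from the oracle alone (slides 33-35, any number of blocks).
    For each block c_i, learn D = F_k^{-1}(c_i) byte by byte from the right by forging the
    preceding block so the decrypted block ends in valid padding p p ... p; then
    m_i = D XOR c_{i-1} (the slide-27 observation)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        d = bytearray(BLOCK)
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j  # padding value being forced: 1 for the last byte, then 2, ...
            forged = bytearray(BLOCK)
            for k in range(j + 1, BLOCK):
                forged[k] = d[k] ^ p  # bytes already learned are made to decrypt to p
            for guess in range(256):  # at most 2^8 queries per byte (slide 36)
                forged[j] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if j == BLOCK - 1:
                    # 02 02 (or longer) can validate by luck if the untouched byte before
                    # it happens to match; perturb byte j-1 to rule that out.
                    forged[j - 1] ^= 0xFF
                    ok = oracle(bytes(forged) + cur)
                    forged[j - 1] ^= 0xFF
                    if not ok:
                        continue
                d[j] = guess ^ p
                break
            else:
                raise RuntimeError("oracle accepted no guess; not a padding oracle?")
        recovered += _xor(bytes(d), prev)
    return unpad(recovered)

if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(range(BLOCK))  # constructed sample key and IV
    oracle = make_padding_oracle(key)
    ct = cbc_encrypt(key, iv, b"attack at dawn")
    print(padding_oracle_attack(oracle, ct), "recovered after", oracle.calls, "queries")
```

Two practitioner points the code makes concrete: the oracle never sees the challenge ciphertext itself, only forged ciphertexts, which is why CCA-security has to forbid decryption of c alone and nothing weaker (slides 22–24); and the only fix is to stop leaking the bit, in practice by authenticating the ciphertext (e.g. a MAC such as the CBC-MAC above, verified before any decryption) so that every forged query is rejected for the same reason in the same time.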