Online Cryptography Course Dan Boneh Deriving many keys from one Typical scenario a single source key SK is sampled from Hardware random number generator ID: 628305
Download Presentation The PPT/PDF document "Odds and ends Key Derivation" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Odds and ends
Key Derivation
Online Cryptography Course Dan BonehSlide2
Deriving many keys from oneTypical scenario. a single source key (SK) is sampled from:Hardware random number generatorA key exchange protocol (discussed later)
Need many keys to secure session:unidirectional keys; multiple keys for nonce-based CBC.
Goal: generate many keys from this one source key
SK
k1
, k
2
, k
3
, …
KDFSlide3
When source key is uniformF: a PRF with key space K and outputs in {0,1}nSuppose source key SK is uniform in K
Define Key Derivation Function (KDF) as:
CTX: a string that uniquely identifies the applicationKDF
( SK, CTX, L) :=
F(SK
, (
CTX
ll
0
)
)
ll F(SK, (
CTX
ll
1
)
)
ll
⋯
ll
F
(
SK
, (
CTX
ll
L
)
)
Slide4
What is the purpose of CTX?
KDF( SK, CTX, L) :=
F(SK, (CTX ll
0))
ll F(SK, (
CTX
ll
1
)
)
ll
⋯ ll
F
(
SK
, (
CTX
ll L))
Even if two apps sample same SK they get indep. keys
It’s good practice to label strings with the app. name
It serves no purposeSlide5
What if source key is not uniform?Recall: PRFs are pseudo random only when key is uniform in K SK not uniform ⇒ PRF output may not look randomSource key often not uniformly random:
Key exchange protocol: key uniform in some subset of KHardware RNG: may produce biased outputSlide6
Extract-then-Expand paradigmStep 1: extract pseudo-random key k from source key SK
step 2: expand
k by using it as a PRF key as before
prob
SK
prob
k
extractor
salt
s
alt: a fixed non-secret string chosen at randomSlide7
HKDF: a KDF from HMACImplements the extract-then-expand paradigm:extract: use k ⟵ HMAC( salt, SK )
Then expand using HMAC as a PRF with key k Slide8
Password-Based KDF (PBKDF)Deriving keys from passwords:Do not use HKDF: passwords have insufficient entropy Derived keys will be vulnerable to dictionary attacks
PBKDF defenses: salt and a
slow hash functionStandard approach: PKCS#5 (PBKDF1) H(c)(pwd
ll salt): iterate hash function c times
(more on this later)Slide9
End of SegmentSlide10
Odds and ends
Deterministic Encryption
Online Cryptography Course Dan BonehSlide11
The need for det. Encryption (no nonce)
encrypteddatabase
Alice
data
k
1
, k
2
Alice
data
Bob
data
⋮
??Slide12
The need for det. Encryption (no nonce)
encrypteddatabase
Alice
data
k
1
, k
2
Bob
data
⋮
??
Later:
Retrieve record
E(k
1
, “Alice”)
Alice
data
d
et. enc.
e
nables later lookupSlide13
Problem: det. enc. cannot be CPA secureThe problem: attacker can tell when two ciphertexts
encrypt the same message ⇒ leaks informationLeads to significant attacks when message space M is small.
e
qual
ciphertexts
means same indexSlide14
Problem: det. enc. cannot be CPA secureThe problem: attacker can tell when two ciphertexts
encrypt the same message ⇒ leaks information
Chal.Adv.
kK
m
0
, m
1
M
c
E(k,
m
b
)
m
0
,
m0 M
c
0
E(k
,
m
0
)
o
utput 0
i
f c = c
0
Attacker wins CPA game:
bSlide15
A solution: the case of unique messagesSuppose encryptor never encrypts same message twice:
the pair (k , m) never repeatsThis happens when encryptor:
Chooses messages at random from a large msg space (e.g. keys)Message structure ensures uniqueness (e.g. unique user ID)Slide16
Deterministic CPA security
E
= (E,D) a cipher defined over (K,M,C)
.
For b=0,1 define EXP(b) as:
Def
:
E
is
sem. sec. under det. CPA
if for all efficient A:
Adv
dCPA
[A,
E
] =
|
Pr
[EXP(0)=1] –
Pr[EXP(1)=1] | is negligible.
Chal.
b
Adv.
k
K
b’
{0,1}
m
i
,0
,
m
i
,1
M : |
m
i
,0
|
= |
m
i,1
|
c
i
E(k,
m
i
,b
)
where
m
1,0
, …, m
q,0
are distinct and
m
1,1
,
…, m
q
,
1
are distinct
f
or
i
=
1,…,q: Slide17
A Common MistakeCBC with fixed IV is not det. CPA secure.
Let E: K × {0,1}n ⟶ {0,1}
n be a secure PRP used in CBCChal.
Adv.
kK
m
0
=0
n
,
m
1
= 1
n
c
[
FIV,
E(k, FIV) ] or
0
n
1
n
, 0
n
1
n
c
1
[
FIV, E(k, 0
n
⨁FIV) , …]
o
utput 0if c[1] = c1[1]
c
[ FIV, E(k, 1n
⨁FIV) ]
Leads to significant attacks in practice.
bSlide18
Is counter mode with a fixed IV det. CPA secure?Yes
No
It depends
message
F(k,
FIV
)
ll
F(k,
F
IV+1
)
ll
…
ll
F(k,
F
IV+L)
ciphertext
⨁
Chal.
Adv.
k
K
m
0
, m
1
c
’
m
b
⨁F
(k
, FIV)
m
,
m
c
m⨁
F
(k
,
FIV)
o
utput 0 if
c
⨁
c
’=m
⨁m
0
bSlide19
End of SegmentSlide20
Odds and ends
Deterministic Encryption
Constructions:
SIV and wide PRP
Online Cryptography Course Dan BonehSlide21
Deterministic encryptionNeeded for maintaining an encrypted database indexLookup records by encrypted indexDeterministic CPA security:S
ecurity if never encrypt same message twice using same key: the pair (key , msg) is unique
Formally: we defined deterministic CPA security gameSlide22
Construction 1: Synthetic IV (SIV)Let (E, D) be a CPA-secure encryption. E(k, m ; r) ⟶ cLet F:
K × M ⟶ R be a secure PRFDefine:
Edet( (k1,k2) , m) =Thm: Edet is sem. sec. under det. CPA .
Proof sketch: distinct msgs. ⇒ all r’s are
indist. from randomWell suited for messages longer than one AES block (16 bytes) Slide23
Ensuring ciphertext integrityGoal: det. CPA security and
ciphertext integrity ⇒ DAE: deterministic authenticated encryption
Consider a SIV special case: SIV-CTR SIV where cipher is counter mode with rand. IVmessage
PRF F
k
1
CTR mode with PRF
F
ctr
F
ctr
(k
2
,
IV
)
ll
F
ctr
(k2,
IV+1
)
ll
…
ll
F
ctr
(k
2
,
IV+L
)
IV
k
2
ciphertextSlide24
Det. Auth. Enc. (DAE) for freeDecryption:
Thm
: if F is a secure PRF and CTR from Fctr is CPA-secure then SIV-CTR from F, Fctr provides DAE
message
CTR mode with PRF
F
ctr
F
ctr
(k
2
,IV)
ll
F
ctr
(k
2, IV+1)
ll … ll
Fctr
(k2,IV+L)
IV
k
2
ciphertext
PRF F
k
1
if ≠IV output ⊥Slide25
Construction 2: just use a PRPLet (E, D) be a secure PRP. E: K × X ⟶ XThm: (E,D) is sem. sec. under det. CPA
.Proof sketch: let f: X ⟶ X be a truly random invertible func
. in EXP(0) adv. sees: f(m1,0), …, f(m
q,0
) in EXP(1) adv. sees: f(
m
1,1
)
, …, f(m
q
,1)
Using AES
: Det. CPA secure encryption for 16 byte messages.
L
onger messages?? Need PRPs on larger
msg spaces …
q random values in XSlide26
EME: constructing a wide block PRPLet (E, D) be a secure PRP. E: K × {0,1}
n ⟶ {
0,1}nEME: a PRP on {0,1}N for N ⨠ n
Performance:
can be 2x slower then SIV
x[0]
x[1]
x[2]
y
[0]
y
[1]
y
[2]
E
E
E
E
E
E
E
⨁
⨁
⨁
⨁
⨁
⨁
⨁
⨁
⨁Slide27
PRP-based Det. Authenticated Enc.Goal: det. CPA security and ciphertext integrity ⇒
DAE: deterministic authenticated encryptionEncryption:
Decryption:
message
00000
80
E(k,
⋅
)
ciphertext
message
………
D(
k,
⋅
)
ciphertext
i
f ≠0
80
output
⊥Slide28
PRP-based Det. Authenticated Enc.Let (E, D) be a secure PRP. E: K × (X×{0,1}n
) ⟶ X×{0,1}n
Thm: 1/2n is negligible ⇒ PRP-based enc. provides DAEProof sketch: suffices to prove ciphertext integrity
Adv.
Chal.
π⟵Perms
[
X×{0,1
}
n
]
x
1
, … ,
x
q
∈
X
π (x
1
0
n
), …, π(
x
q
0
n
)
c
∉
{
π (x
1
0
n
), …, π(
x
q
0
n) }But then Pr[ LSBn(
π-1
(c)
) = 0
n
]
≤ 1/2
nSlide29
End of SegmentSlide30
Odds and ends
Tweakable
encryption
Online Cryptography Course Dan BonehSlide31
Disk encryption: no expansionSectors on disk are fixed size (e.g. 4KB) ⇒ encryption cannot expand plaintext (i.e. M = C) ⇒ must use deterministic encryption, no integrity
Lemma: if (E, D) is a det. CPA secure cipher with M=C then (E, D) is a PRP.
⇒ every sector will need to be encrypted with a PRPSlide32
Problem: sector 1 and sector 3 may have same contentLeaks same information as ECB modeCan we do better?
s
ector 1sector 2
s
ector 3
PRP(k,
⋅
)
PRP(k,
⋅
)
PRP(k,
⋅
)
s
ector 1
sector 2
s
ector 3Slide33
Avoids previous leakage problem… but attacker can tell if a sector is changed and then revertedManaging keys: the trivial construction kt
= PRF(k, t) , t=1,…,L
sector 1
sector 2
s
ector 3
PRP(
k
1
,
⋅
)
PRP(
k
2
,
⋅
)
PRP(
k3
, ⋅)
s
ector 1
sector 2
s
ector 3
Can we do better?Slide34
Tweakable block ciphersGoal: construct many PRPs from a key k∈K .
Syntax: E , D : K ×
T × X ⟶ X for every t∈T and k⟵K:
E(k, t, ⋅) is an invertible func
. on X, indist. from randomApplication: use sector number as the tweak
⇒ every sector gets its own independent PRPSlide35
Secure tweakable block ciphersE , D
: K × T × X ⟶ X . For b=0,1 define experiment EXP(b) as:
Def: E is a secure tweakable PRP if for all efficient A: AdvtPRP
[A,E] = |
Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.
Chal.
b
Adv. A
b=1: π
(
Perms[X])
|T|
b
=0:
k
K
,
π[t]
E(
k
,t,)
t
1
, x
1
π[t
1
](x
1
)
b’
{0,1}
π
t
2
, x
2
…
t
q
,
x
q
π[t2](x
2) … π[tq]
(
x
q
)Slide36
Example 1: the trivial constructionLet (E,D) be a secure PRP, E: K ×
X ⟶ X . The trivial tweakable construction: (suppose K = X)
Etweak(k, t, x) = E( E(k, t), x
)
⇒ to encrypt n blocks need 2n evals of E(.,.) Slide37
2. the XTS tweakable block cipher [R’04]Let (E,D) be a secure
PRP, E: K × {0,1}
n ⟶ {0,1}n . XTS:
Etweak
( (k1,k2), (
t,i
), x
)
=
N ⟵E(k
2
, t)
x
⇒ to encrypt n blocks need n+1
evals
of E(.,.) Slide38
Is it necessary to encrypt the tweak before using it?That is, is the following a secure tweakable PRP?
x
No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = P(t,1
) ⨁ P(t,2)
No: E(k, (t,1), P(t,2)) ⨁ E(k, (t,2), P(t,1)
)
=
P(t,
1
)
Yes, it is secure
No: E(k, (t,1), P(t,1)
)
⨁ E
(
k, (t,2), P(t,2)
)
= 0 cSlide39
Disk encryption using XTSnote: block-level PRP, not sector-level PRP. Popular in disk encryption products: Mac OS X
-Lion, TrueCrypt, BestCrypt, …
block 1
b
lock 2
b
lock n
s
ector # t:
tweak:
(t,1)
tweak:
(t,2)
tweak:
(
t,n
)Slide40
SummaryUse tweakable encryption when you need many independent PRPs from one keyXTS is more efficient than the trivial construction
Both are narrow block: 16 bytes for AESEME (previous segment) is a tweakable
mode for wide block2x slower than XTSSlide41
End of SegmentSlide42
Odds and ends
Format preserving encryption
Online Cryptography Course Dan BonehSlide43
Encrypting credit card numbers
Goal: end-to-end encryptionIntermediate processors expect to see a credit card number
⇒ encrypted credit card should look like a credit cardCredit card format: bbbb bbnn
nnnn
nnnc ( ≈ 42 bits )
p
rocessor #1
p
rocessor #2
p
rocessor #3
a
cquiring
bank
k
k
POS
terminalSlide44
Format preserving encryption (FPE)This segment: given 0 < s ≤ 2n, build a PRP on {0,…,s-1}
from a secure PRF F:
K × {0,1}n ⟶ {0,1}n (e.g. AES) Then to encrypt a credit card number: (s = total # credit cards)
map given CC# to {0,…,s-1}
apply PRP to get an output in {0,…,s-1}map output back a to CC#Slide45
Step 1: from {0,1}n to {0,1}t
(t<n)
Want PRP on {0,…,s-1} . Let t be such that 2t-1 < s ≤ 2t .Method:
Luby-Rackoff with F’:
K × {0,1}t/2 ⟶ {0,1}
t/2
(truncate F)
R
3
L
3
R
0
L
0
input
R
1
L
1
⊕
F’(k
1
,⋅)
R
2
L
2
⊕
F’(k
2
,⋅)
⊕
F’(k
3
,⋅)
output
t/2 bits
t/2 bits
(better to use 7
rounds a la
Patarin
, Crypto’03)Slide46
Step 2: from {0,1}t to {0,…,s-1}
Given PRP (E,D): K × {0,1}t ⟶ {0,1}
t
we build (E’,D’): K × {0,…,s-1} ⟶ {
0,…,s-1}
E’(k, x): on input x ∈ {0,…,s-1} do:
y
⟵x;
do { y ⟵ E(k, y) } until y∈ {0,…,s-1}; output y
{0,…,s-1}
{0,1}
t
Expected # iterations: 2Slide47
SecurityStep 2 is tight: ∀A ∃B: PRPadv[A,E] = PRPadv[B,E’]
Intuition: ∀sets Y ⊆ X, applying the transformation to a random perm.
π: X⟶ X gives a random perm. π':
Y ⟶ Y
Step 1: same security as Luby-Rackoff constructionnote: no integrity
(actually using analysis of
Patarin
, Crypto’03)Slide48
Further readingCryptographic Extraction and Key Derivation: The HKDF Scheme.
H. Krawczyk, Crypto 2010
Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem. P. Rogaway
, T. Shrimption
, Eurocrypt 2006A Parallelizable Enciphering Mode.
S.
Halevi
, P.
Rogaway
, CT-RSA 2004
Efficient Instantiations of Tweakable
Blockciphers and Refinements to Modes OCB and PMAC. P.
Rogaway
,
Asiacrypt
2004
How to Encipher Messages on a Small Domain:
Deterministic Encryption and the Thorp Shuffle. B.
Morris, P. Rogaway, T. Stegers
, Crypto 2009Slide49
End of Segment