Cryptography Lecture 11 Midterm exam


Uploaded by danya (@danya) on 2023-06-25




Presentation Transcript

1. Cryptography, Lecture 11

2. Midterm exam
- Exam is 1 week from today
- May try to find an overflow room
- Will post information on Piazza
- Covers material up to and including today's lecture
- Open book/notes
- No electronic devices
- Practice midterm posted

3. (Basic) CBC-MAC
[diagram: message blocks m1, m2, …, ml are chained through Fk, each output XORed into the next block; the final output is the tag t]

4. Security of (basic) CBC-MAC?
- If F is a pseudorandom function with block length n, then for any fixed l, basic CBC-MAC is a secure MAC for messages of length l·n
- The sender and receiver must agree on the length parameter l in advance
- Basic CBC-MAC is not secure if this is not done! See Exercise 4.13

5. CBC-MAC extensions
- Several ways to handle variable-length messages
- One of the simplest: prepend the message length before applying (basic) CBC-MAC

6. CBC-MAC
[diagram: the length l is processed through Fk as the first block, followed by m1, m2, …, ml; the final output is the tag t]

7. CBC-MAC extensions
- Several ways to handle variable-length messages
- One of the simplest: prepend the message length before applying (basic) CBC-MAC
- Can also be adapted to handle messages whose length is not a multiple of the block length
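Basic CBC-MAC and the length-prepended extension of slides 3 to 7, as an added example that is not part of the lecture slides. It assumes a 16-byte block and uses a truncated HMAC as a stand-in for the pseudorandom function F_k, and zero-pads after the length block so that messages of any byte length are handled (the length block is what makes that padding unambiguous).

```python
import hashlib, hmac

L = 16  # block length in bytes (assumption: n = 128-bit blocks)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in pseudorandom function F_k with L-byte input and output (not AES)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:L]

def basic_cbc_mac(k: bytes, m: bytes, l: int) -> bytes:
    """Slides 3 and 4: tag for a message of exactly l blocks, with l agreed in advance."""
    if len(m) != l * L:
        raise ValueError("basic CBC-MAC is only defined for messages of length l*n")
    t = bytes(L)  # t_0 = 0^n
    for i in range(0, len(m), L):
        # t_i = F_k(t_{i-1} XOR m_i); the final t_l is the tag
        t = F(k, bytes(a ^ b for a, b in zip(t, m[i:i + L])))
    return t

def cbc_mac_len(k: bytes, m: bytes) -> bytes:
    """Slides 5 and 7: prepend |m| as a full block, zero-pad to a block multiple,
    then run basic CBC-MAC with l derived from the encoded length."""
    encoded = len(m).to_bytes(L, "big") + m
    encoded += bytes(-len(encoded) % L)  # zero padding is safe: |m| is authenticated
    return basic_cbc_mac(k, encoded, len(encoded) // L)

def vrfy_len(k: bytes, m: bytes, t: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(cbc_mac_len(k, m), t)
```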

8. Back to secrecy…

9. So far…
- In the context of encryption (privacy), we have been considering only a passive, eavesdropping attacker

10. [diagram: sender and receiver share a key k; the sender sends c1 ← Enck(m1), …, ct ← Enck(mt), and the attacker only observes c1, …, ct]

11. So far…
- What if the attacker can be active?
- Modifying what is sent over the channel
- Injecting traffic on the channel

12. [diagram: the sender sends c ← Enck(m); the attacker replaces it with c', and the receiver computes m' := Deck(c')]

13. Malleability
- (Informal:) A scheme is malleable if it is possible to modify a ciphertext and thereby cause a predictable change to the plaintext
- Malleability can be dangerous!
- E.g., encrypted bank transactions

14. Malleability
- All the encryption schemes we have seen so far are malleable!
- E.g., the one-time pad...

15. [diagram: one-time pad with key k: the sender computes c := (m1 m2 … mn) ⊕ k; the attacker changes the last bit to obtain c1 c2 … c'n, and the receiver recovers m1 m2 … m'n := (c1 c2 … c'n) ⊕ k]

16. Malleability
- All the schemes we have seen so far are malleable!
- E.g., the one-time pad...
- Perfect secrecy does not imply non-malleability!
- Similar attacks (and sometimes others) on all the encryption schemes we have seen so far

17. Chosen-ciphertext attacks
- Models settings in which the attacker can influence what gets decrypted, and observe the effects
- I.e., interact with the receiver (who decrypts) in addition to the sender (who encrypts)

18. [diagram: the sender sends c ← Enck(m); the attacker submits c' to the receiver, who computes m' := Deck(c') and returns m' to the attacker]

19. Chosen-ciphertext attacks
- Models settings in which the attacker can influence what gets decrypted, and observe the effects
- How to model?
- Allow attacker to submit ciphertexts of its choice* to the receiver, and learn the corresponding plaintext
- In addition to being able to carry out a chosen-plaintext attack!
- *With one restriction, described next

20. CCA-security
Define a randomized experiment PrivCCA_A,Π(n):
- k ← Gen(1^n)
- A(1^n) interacts with an encryption oracle Enck(·) and a decryption oracle Deck(·), and then outputs m0, m1 of the same length
- b ← {0,1}, c ← Enck(mb), give c to A
- A continues to interact with Enck(·) and Deck(·), but may not request decryption of c
- A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case

21. CCA-security
- Π is secure against chosen-ciphertext attacks (CCA-secure) if for all PPT attackers A, there is a negligible function ε such that Pr[PrivCCA_A,Π(n) = 1] ≤ ½ + ε(n)

22. Chosen-ciphertext attacks and malleability
- If a scheme is malleable, then it cannot be CCA-secure
- Modify c, submit the modified ciphertext c' to the decryption oracle, and determine (information about) the original message based on the result
- CCA-security implies non-malleability
- So we will focus on CCA-security

23. CCA-security
- In the definition of CCA-security, the attacker can obtain the decryption of any ciphertext of its choice (besides the challenge ciphertext)
- Is this realistic?
- We show a scenario where:
  - One bit about decrypted ciphertexts is leaked
  - The scenario occurs in the real world!
  - It can be exploited to learn the entire plaintext

24. CBC-mode encryption
[diagram: c0 = IV; each message block mi is XORed with ci-1 and passed through Fk to give ci, for i = 1, …, l]

25. CBC-mode decryption
[diagram: each ciphertext block ci is passed through Fk^-1 and XORed with ci-1 to give mi, for i = 1, …, l]

26. Observation
- If an attacker modifies ci-1, this causes a predictable change to mi

27. Arbitrary-length messages?
- Message → encoded data → ciphertext
- PKCS #5 encoding:
  - Assume the message is an integral # of bytes
  - Let L be the block length (in bytes) of the cipher
  - Let b ≥ 1 be the # of bytes that need to be appended to the message to get a length that is a multiple of L
  - 1 ≤ b ≤ L; note b ≠ 0
  - Append b (encoded in 1 byte), b times
  - I.e., if 3 bytes of padding are needed, append 0x030303

28. Decryption?
- Use CBC-mode decryption to obtain the encoded data
- Say the final byte of the encoded data has value b
- If b = 0 or b > L, return "error"
- If the final b bytes of the encoded data are not all equal to b, return "error"
- Otherwise, strip off the final b bytes of the encoded data, and output what remains as the message
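PKCS #5 encoding, CBC-mode encryption and the slide-28 decryption check, as an added example that is not from the lecture. It assumes 16-byte blocks and uses a small Feistel permutation built from HMAC as a stand-in for F_k and F_k^{-1}; it also lets you confirm slide 26 (XORing a byte of c_{i-1} XORs the same byte of m_i), and its None result is exactly the one bit of "error" a padding oracle leaks.

```python
import hashlib, hmac, os
L = 16  # block length in bytes (assumption: a 128-bit block cipher such as AES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash truncated to half a block
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:L // 2]

def F(k: bytes, x: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for F_k (NOT a real cipher)."""
    l, r = x[:L // 2], x[L // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(k, i, r))
    return l + r

def F_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}: undo the rounds in reverse order."""
    l, r = y[:L // 2], y[L // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(k, i, l)), l
    return l + r

def pkcs5_pad(m: bytes) -> bytes:
    b = L - len(m) % L  # 1 <= b <= L: a full block of padding when len(m) % L == 0
    return m + bytes([b]) * b

def pkcs5_unpad(d: bytes):
    """Slide 28's check; None is the "error" a padding oracle reveals."""
    b = d[-1]
    if b == 0 or b > L or d[-b:] != bytes([b]) * b:
        return None
    return d[:-b]

def cbc_encrypt(k: bytes, m: bytes) -> bytes:
    d, prev = pkcs5_pad(m), os.urandom(L)
    c = prev  # c_0 = IV
    for i in range(0, len(d), L):
        prev = F(k, xor(d[i:i + L], prev))  # c_i = F_k(m_i XOR c_{i-1})
        c += prev
    return c

def cbc_decrypt(k: bytes, c: bytes):
    if len(c) < 2 * L or len(c) % L:
        return None
    # m_i = F_k^{-1}(c_i) XOR c_{i-1}: a change to c_{i-1} shows up unchanged in m_i
    d = b"".join(xor(F_inv(k, c[i:i + L]), c[i - L:i]) for i in range(L, len(c), L))
    return pkcs5_unpad(d)
```

The encrypt-then-authenticate construction later in the lecture is what keeps a modified ciphertext from ever reaching this padding check.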

29. Example (L=8)
[diagram: encoded data AB 01 4F 21 00 7C 02 02; the final byte is 02 and the final two bytes are both 02, so two bytes of padding are stripped, leaving the message AB 01 4F 21 00 7C]

30. [diagram: the sender sends c ← Enck(m); the attacker submits c' and learns only whether Deck(c') returns "error". Padding oracle!]

31. Padding oracles
- Padding oracles are frequently present in, e.g., web applications
- Even if an error is not explicitly returned, an attacker might be able to detect differences in timing, behavior, etc.

32. Main idea of the attack
- Consider a two-block ciphertext IV, c
- Encoded data = Fk^-1(c) ⊕ IV
- Goal is to learn the encoded data
- Main observation: If an attacker modifies (only) the ith byte of IV, this causes a predictable change (only) to the ith byte of the encoded data

33. [worked example, L = 8: the attacker knows IV = AB 01 4F 21 00 7C 02 9E and c, but neither Fk^-1(c) = XX XX XX XX XX XX XX XX nor the encoded data = XX XX XX XX XX XX XX XX. Modifying IV bytes and watching for "Success" or "Error" reveals that the encoded data ends in the padding 06 06 06 06 06 06, so the last byte of Fk^-1(c) is 0x9E ⊕ 0x06 = 0x98]

34. [worked example, continued: now Fk^-1(c) = XX XX XX XX XX XX XX 98 and encoded data = XX XX 06 06 06 06 06 06. To turn the padding into seven bytes of 07, the last six IV bytes become 4F ⊕ 06 ⊕ 07 = 4E, 21 ⊕ 06 ⊕ 07 = 20, 00 ⊕ 06 ⊕ 07 = 01, 7C ⊕ 06 ⊕ 07 = 7D, 02 ⊕ 06 ⊕ 07 = 03 and 0x98 ⊕ 0x07 = 9F; the second IV byte is then tried as 00, 01, 02, …, and "Success!" at 0x41 means XX ⊕ 0x41 = 0x07, so XX = 0x41 ⊕ 0x07 = 0x46 and the plaintext byte = XX ⊕ 0x01 = 0x47 (0x01 being the original second byte of the IV)]

35. Attack complexity?
- ≤ L tries to learn the # of padding bytes
- ≤ 2^8 = 256 tries to learn each plaintext byte

36. CCA-security: a summary
- Chosen-ciphertext attacks are a significant, real-world threat
- Modern encryption schemes are designed to be CCA-secure
- None of the schemes we have seen so far is CCA-secure

37. A CCA-secure scheme
- Idea: combine encryption with integrity
- Use a CPA-secure encryption scheme to encrypt the message
- Use a MAC to prevent the ciphertext from being modified!
- "Encrypt-then-authenticate"

38. Encrypt-then-authenticate
[diagram: the sender, holding k1, k2, computes c ← Enck1(m) and t = Mack2(c) and sends (c, t); the receiver, holding k1, k2, checks Vrfyk2(c, t) = 1? and then computes m = Deck1(c)]

39. Security?
- If the underlying encryption scheme is CPA-secure and the MAC is secure (with unique tags), then the combination is a CCA-secure encryption scheme
- Note: independent keys must be used!

40. Authenticated encryption

41. Secrecy + integrity?
- We have shown primitives for achieving secrecy and integrity in the private-key setting
- What if we want to achieve both?
- Against active attackers

42. Authenticated encryption
- An encryption scheme that achieves both secrecy and integrity
- Secrecy notion: CCA-security
- Integrity notion: unforgeability
  - Adversary cannot generate any ciphertext that decrypts to a previously unencrypted message
  - This is not implied by CCA-security

43. Authenticated encryption
- Encrypt-then-authenticate works!
- If the underlying encryption scheme is CPA-secure and the MAC is secure (with unique tags), then the combination is an AE scheme
- This is the recommended generic approach to constructing an AE scheme
- "Generic" = using any CPA-secure scheme and any secure MAC

44. Other generic constructions?
- Encrypt and authenticate
- Authenticate-then-encrypt

45. Encrypt and authenticate
[diagram: the sender, holding k1, k2, computes c ← Enck1(m) and t = Mack2(m) and sends (c, t); the receiver, holding k1, k2, computes m = Deck1(c) and checks Vrfyk2(m, t) = 1?]

46. Problems
- The tag t might leak information about m!
- Nothing in the definition of security for a MAC implies that it hides information about m
- So the combination may not even be EAV-secure
- If the MAC is deterministic (as is CBC-MAC), then the tag leaks whether the same message is encrypted twice
- I.e., the combination will not be CPA-secure
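Encrypt-then-authenticate (slides 37 to 39) next to encrypt-and-authenticate (slides 45 and 46), as an added example that is not part of the lecture. It assumes a counter-style keystream from HMAC-SHA256 as the CPA-secure scheme and HMAC-SHA256 as the MAC with unique tags, with independent keys k1 and k2 as slide 39 requires.

```python
import hashlib, hmac, os

def _keystream(k1: bytes, r: bytes, n: int) -> bytes:
    # Counter-style keystream from a keyed hash: stand-in for a CPA-secure scheme
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(k1, r + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def enc(k1: bytes, m: bytes) -> bytes:
    """c = r || (m XOR G(k1, r)) with a fresh random r, so equal messages encrypt differently."""
    r = os.urandom(16)
    return r + bytes(a ^ b for a, b in zip(m, _keystream(k1, r, len(m))))

def dec(k1: bytes, c: bytes) -> bytes:
    r, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k1, r, len(body))))

def mac(k2: bytes, x: bytes) -> bytes:
    return hmac.new(k2, x, hashlib.sha256).digest()  # deterministic, unique tags

def eta_encrypt(k1: bytes, k2: bytes, m: bytes):
    """Encrypt-then-authenticate (slide 38): the tag covers the ciphertext."""
    c = enc(k1, m)
    return c, mac(k2, c)

def eta_decrypt(k1: bytes, k2: bytes, c: bytes, t: bytes):
    """Verify first; a modified (c, t) is rejected before Dec ever runs."""
    if not hmac.compare_digest(mac(k2, c), t):
        return None
    return dec(k1, c)

def ea_encrypt(k1: bytes, k2: bytes, m: bytes):
    """Encrypt-and-authenticate (slide 45): the tag is computed over m itself."""
    return enc(k1, m), mac(k2, m)

def tag_reveals_repeat(k1: bytes, k2: bytes, m: bytes) -> bool:
    """Slide 46: with a deterministic MAC, equal tags show that m was sent twice,
    even though the two ciphertexts look unrelated."""
    (c1, t1), (c2, t2) = ea_encrypt(k1, k2, m), ea_encrypt(k1, k2, m)
    return c1 != c2 and t1 == t2
```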

47. Authenticate-then-encrypt
[diagram: the sender, holding k1, k2, computes t = Mack2(m) and c ← Enck1(m | t) and sends c; the receiver, holding k1, k2, computes m | t = Deck1(c) and checks Vrfyk2(m, t) = 1?]

48. Problems
- Padding-oracle attack still works (if it is possible to distinguish a padding failure from a MAC failure)
- Other counterexamples are also possible
- The combination may not be CCA-secure

49. Authenticated encryption
- Encrypt-then-authenticate is the preferred generic approach for building an AE scheme

50. Direct constructions
- Other, more-efficient constructions have been proposed and are an active area of research and standardization
- E.g., OCB, CCM, GCM
- Active competition: https://competitions.cr.yp.to/caesar.html