The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk *
Abstract. We study the question of how to generically compose symmetric encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.

1 Introduction

The most widespread application of cryptography in the Internet these days is for implementing a secure channel between end points and then exchanging information over that channel. Typical implementations first call a key-exchange protocol for establishing a shared key between the parties, and then use this key to authenticate and encrypt the transmitted information using (efficient) symmetric-key algorithms. The three most popular protocols that follow this approach are SSL [11] (or TLS [9]), IPSec [18, 19] and SSH [27]. In particular, SSL is used to protect a myriad of passwords, credit card numbers, and other sensitive data transmitted between Web clients and servers, and is used to secure many other applications. IPSec is the standard for establishing a secure channel between any IP entities for protecting information at the network layer.

A full version of this paper can be found in [21].
* EE Department, Technion, Haifa, Israel. Email: hugo@ee.technion.ac.il
As said, all these protocols apply both symmetric authentication (MAC) and encryption to the transmitted data. Interestingly, each of these three popular protocols has chosen a different way to combine authentication and encryption. We describe these three methods (here x is a message; Enc is a symmetric encryption function; Auth is a message authentication code; and ',' denotes concatenation; in this notation the secret keys to the algorithms are implicit):

SSL: compute Auth(x), then Enc(x, Auth(x)), and transmit the resulting ciphertext.
IPSec: compute Enc(x), then Auth(Enc(x)), and transmit the ciphertext together with the tag.
SSH: compute Enc(x) and Auth(x), and transmit the ciphertext together with the tag.

We refer to these three methods as authenticate-then-encrypt (abbreviated AtE), encrypt-then-authenticate (EtA), and encrypt-and-authenticate (E&A), respectively. This disparity of choices reflects a lack of consensus in the cryptography and security communities as for the right way to apply these functions. But is there a "right way", or are all equally secure? Clearly the answer to this question depends on the assumptions one makes on the encryption and authentication functions. However, since protocols like the above are usually built using cryptographic functions as replaceable modules, the most useful form of this question is obtained by considering both functionalities, encryption and authentication, as generic cryptographic primitives with well defined (and independent from each other) properties. Moreover, we want these properties to be commonly achieved by the known efficient methods of symmetric encryption and authentication, and expected to exist in future practical realizations of these functions as well. Specifically, we consider generic MAC functions secure against chosen-message attacks and generic symmetric encryption functions secure against chosen-plaintext attacks. These security properties are the most common notions used to model the security of these cryptographic primitives. In particular, chosen-message security of the authentication function allows to use the MAC in the above protocols independently of the encryption in cases where only integrity protection is required but not secrecy. As for encryption, chosen-plaintext security is the most common property under which encryption modes are designed and analyzed. We note that a stronger property of encryption is resistance to chosen-ciphertext attacks; while this property is important against active attacks it is NOT present in the prevalent modes of symmetric encryption (such as in stream ciphers or CBC mode, even when the underlying block cipher is chosen-ciphertext secure) and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms.

Rather than just studying the above ways of composing encryption and authentication as a stand-alone composed primitive, our focus is on the more comprehensive question of whether these methods provide for truly secure communications (i.e., secrecy and integrity) when embedded in a protocol that runs in a real adversarial network setting (where links are controlled by the attacker, where some of the parties running the protocol may be corrupted, where multiple security sessions are run simultaneously and maliciously interleaved, etc.).

Recent results. In recent work, Canetti and Krawczyk [8] describe a model of secure channels that encompasses both the initial exchange of a key between pairs of communicating parties and the use of the resultant shared key for the application of symmetric encryption and authentication on the transmitted data. The requirements made from secure channels in this model include protecting the data's integrity (in the sense of simulating ideally authenticated channels) and secrecy (in the sense of plaintext indistinguishability) in the presence of a network attacker with powerful and realistic abilities of the type mentioned above. A main result in [8] is that if the key is shared securely then applying to the data the encrypt-then-authenticate method achieves secure channels provided that the encryption function is semantically secure (or plaintext-indistinguishable) under chosen-plaintext attack and the authentication function is a MAC that resists chosen message attacks. This provides one important answer to the questions raised above: it proves that encrypt-then-authenticate is a generically secure method for implementing secure channels.

Our results. In this paper we complement the above result on the encrypt-then-authenticate method with contrasting results on the other methods.

The generic insecurity of AtE. We show that the authenticate-then-encrypt method (as in SSL) is not generically secure under the sole assumption that the encryption function is secure against chosen plaintext attacks and the MAC secure against chosen message attacks. We show an example of a simple encryption function that enjoys perfect (in the sense of Shannon) secrecy against chosen plaintext attacks and when combined under the AtE method with any MAC (even a perfect one) results in a totally breakable implementation of secure channels. We illustrate the insecurity of the resultant scheme by showing how passwords (and credit card numbers, etc) transmitted under such a method can be easily discovered by an active attacker that modifies some of the information on the links. A major issue to highlight here is that the attack is not against the authenticity of information but against its secrecy! This result is particularly unfortunate in the case of SSL where protection of this form of sensitive information is one of the most common uses of the protocol.

The generic insecurity of E&A. The above example is used also to demonstrate the insecurity of the encrypt-and-authenticate method (as in SSH) where the same attack (and consequences) is possible. It is worth noting that the E&A method is obviously insecure if one uses a MAC function that leaks information on the data. However, what our attack shows is that the method is not generically secure even if one assumes a stronger MAC function with secrecy properties as commonly used in practice (e.g. a MAC realized via a pseudorandom family, or if the MAC's tag itself is encrypted).

The security of AtE with specific encryption modes. This paper does not bring just bad news. We also show that the authenticate-then-encrypt method is secure under very common forms of encryption: CBC mode (with an underlying secure block cipher) and stream ciphers (that xor the data with a random or pseudorandom pad). We provide a (near optimal) quantified security analysis of these methods. While these positive results do not resolve the "generic weakness" of the authenticate-then-encrypt method (and of SSL), they do show that the common implementations currently in use do result in a secure channels protocol.

In conjunction, these results show a quite complete picture of the security (and lack of security) of these methods. They point to the important conclusion that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. On the other hand, protocols that use the authenticate-then-encrypt method with encryption in either stream cipher or CBC modes are safe. However, we note the fragility of this last statement: very simple (seemingly innocuous) changes to the encryption function, including changes that do not influence the secrecy protection provided by the encryption when considered as a stand-alone primitive, can be fatal for the security of the implemented channels. This is illustrated by our example of a perfect cipher where the sole use of a simple encoding before encryption compromises the security of the transmitted data, or by the case of CBC encryption where the joint encryption of message and MAC results in a secure protocol but separate encryption of these elements is insecure. Thus, when using a non-generically secure method one has to be very careful with any changes to existing functions or with the introduction of new encryption mechanisms (even if these mechanisms are secure as stand-alone functions).

Open question. Our results demonstrate that chosen-plaintext security is not a sufficient condition for an encryption scheme to guarantee a secure authenticate-then-encrypt composition even if the MAC is secure. An interesting open question is to find a stronger property that is enjoyed by common modes of encryption but at the same time is sufficient to ensure the security of the authenticate-then-encrypt method when combined with a secure MAC. Note that we are looking for a property that is significantly weaker than chosen-ciphertext security, since the latter is not achieved by most symmetric encryption modes, but also because our results show that this condition is not really necessary.

Related work. While the interaction between symmetric encryption and authentication is a fundamental issue in the design of cryptographic protocols, this question seems to have received surprisingly little explicit attention in the cryptographic literature until very recently. In contrast, in the last year we have seen a significant amount of work dealing with this and related questions. We already mentioned the work by Canetti and Krawczyk [8] that establishes the security of the encrypt-then-authenticate method for building secure channels. Here, we use this result (and some extensions of it) as a basis to derive some of our positive results. In particular, we borrow from that paper the formalization of the notion of secure channels; a short outline of this model is presented in Section 2.3 but the reader is referred directly to [8] for the (many missing) details.
A recent, independent, work that deals directly with the ordering of generic encryption and authentication is Bellare and Namprempre [5]. They study the same three forms of composition as in this paper but focus on the properties of the composed function as a stand-alone composed primitive rather than in the context of its application to secure channels as we do. The main contribution of [5] is in providing careful quantitative relations and reductions between different methods and security notions related to these forms of composition. These results, however, are insufficient in general for claiming the security or demonstrating the insecurity of channels that use these methods for protecting data. For example, while [5] show that authenticate-then-encrypt is not necessarily CCA-secure, it turns out (by results in [8] and here) that the lack of this property is no reason to consider insecure the channels that use such a method (moreover, even the specific non-CCA example in [5] does provide secure channels). This demonstrates that the consideration of secure channels requires a finer treatment of the question of encryption/authentication composition (see discussion at the beginning of Section 4.2). In particular, none of our results is claimed or implied by [5].

A related subject that received much attention recently is the construction of encryption modes that provide integrity in addition to secrecy. Katz and Yung [16] suggest a mode of operation for block ciphers that provides such a functional combination; for their analysis (and for its independent interest) they introduce the notion of "unforgeable encryption". A very similar notion is also introduced in [5] and called there "integrity of ciphertexts" (INT-CTXT). We use this notion in our work too (see Section 3) as a tool in some of our proofs. In another recent work, An and Bellare [1] study the use of redundancy functions (with and without secret keys) as a method for adding authentication to encryption functions. They show several positive and negative results about the type of redundancy functions that are required in combination with different forms of encryption and security notions. Our results concerning the authenticate-then-encrypt method with stream ciphers and CBC modes contribute also to this research direction since these results provide sufficient and necessary conditions on the redundancy functions (viewed as MAC functions) required for providing integrity to these important modes of encryption. Of particular interest is our proof that a secure AtE composition that uses CBC encryption requires a strong underlying MAC; this contradicts a common intuition that (since the message and MAC are encrypted) weaker "redundancy functions" could replace the full-fledged MAC. Recently, Jutla [15] devised an elegant CBC-like scheme that provides integrity at little cost beyond the traditional CBC method, as well as a parallel mode of encryption with integrity guarantee (a related scheme is presented in [26]). We note that while schemes such as [15] can be used to efficiently implement secure channels that provide secrecy and authenticity, generic schemes like encrypt-then-authenticate have several design and analysis advantages due to their modularity and the fact that the encryption and authentication components can be designed, analyzed and replaced independently of each other. In particular, generic schemes can allow for faster implementations than the specific ones; even today the combination of fast stream ciphers with a fast MAC function such as UMAC [6] under the encrypt-then-authenticate method would result in a faster mechanism than the one proposed in [15] which requires the use of block ciphers. Also, having a separate MAC from encryption allows for much more efficient authentication in the cases where secrecy is not required.

Preliminaries informally outline some ell-kno wn notions of securit for MA and en- cryption functions as used throughout the pap er, and in tro duce some notation. References are giv en elo for formal treatmen of these notions. also sk etc the mo del of \secure hannels" from [8]. 2.1 Secure message authen tication. unctions that pro vide to erify the in tegrit of information (for example, against unauthorized hanges er comm unications net ork) and whic use shared secret ey are called MA message authentic ation des ). The notion of MA and its securit denition is ell understo [4]. Here

outline the main ingredien ts of this denition as used later in the pap er. MA sc heme is describ ed as family of (deterministic) functions er giv en domain and range. (W will usually assume the domain to and the range for xed size .). The ey shared the parties that use the MA sc heme determines sp ecic function from this family This sp ecic function is used to compute an authentic ation tag on eac transmitted message and the tag is app ended to the message. recipien of the information that kno ws the MA ey can re-compute the tag on the receiv ed message and

compare to the receiv ed tag. Securit of MA sc heme is dened through the inabilit of an attac er to pro duce for gery namely to generate message, not transmitted et een the legitimate parties, with its alid authen tication tag. The formal denition of securit pro vides the attac er with access to MA or acle MA that on input message outputs the authen tication tag corresp onding to that message. The oracle uses for its resp onses ey that is generated according to the probabilit distribution of eys dened the MA sc heme. The attac er succeeds if after this in teraction with

the oracle it is able to nd forgery (for message not previously queried). quan tify securit sa that MA scheme has se curity Q; if any attacker that works time and asks queries fr om MA involving total of bits has pr ob ability at most Q; to pr duc for gery. Remark. In the case of MA functions (e.g., randomized ones) where there ma ulti-v alued alid tags for the same message, extend the denition of securit as follo ws. If the messages queried to MA are and the resp onses from MA are then forgery x; output the attac er is considered alid if x; for all (Namely consider the attac

er successful ev en in case its forgery includes queried message as long
Page 7
as the tag as not generated the oracle for that message.) This tec hnical strengthening of the denition is used in some of our results. This notion app ears (due to similar reasons) also in [5]. 2.2 Secure symmetric encryption do not dev elop formal denition of encryption securit here as the sub ject is ell established and treated extensiv ely in the literature. et, summarize informally the main asp ects of the securit notions of symmetric encryption that are relev an to our ork and

establish some notation. or formal and precise denitions see the references men tioned elo w. An encryption sc heme is triple of (probabilistic) algorithms KEYGEN ENC DEC where KEYGEN denes the pro cess (and resultan probabilit distribu- tion) whic eys are generated, while ENC and DEC are the encryption and decryption op erations with the usual in erse prop erties. simplify notation use ENC to denote the encryption op eration itself but also as represen ting the whole sc heme (i.e., triple as ab e). The main notion ehind the common denitions of securit of encryption is

semantic se curity [13], or its (usually) equiv alen form ulation via plaintext indistinguishability In this form ulation an attac er against sc heme ENC is giv en tar get ciphertext and candidate plain texts suc that ENC ), The encryption sc heme has the indistinguishabilit prop ert if the attac er cannot guess the righ alue of with probabilit signican tly etter than 2. The securit of the sc heme is quan tied via the time in ested the attac er and the probabilit ey ond 1/2 to guess correctly The ab describ es the goal of the attac er but not the ys of attac it is allo ed to

use. Tw common mo dels of attac are CP (c hosen plain text attac k) and CCA (c hosen ciphertext attac k). In the rst the attac er has access to an encryption or acle ENC to whic it can presen plain texts and receiv the ciphertexts resulting from the encryption of these plain texts. In the second mo del the attac er can, in addition to the ab queries to the encryption oracle, also ask for decryptions of arbitrary ciphertexts (except for the target ciphertext from de cryption or acle DEC note that oth ENC and DEC use the same ey for their resp onses whic is also the ey under whic the

target ciphertext as describ ed ab e, is pro duced. In oth cases the queries to the oracles can generated adaptiv ely the attac er, i.e. as function of previous resp onses from the oracles and of the target ciphertext (actually also the candidate plain texts on whic the target ciphertext is computed can hosen the attac er). Under these form ulations new parameters en ter the quan tication of securit y: the um er of queries to ENC and the um er of queries to DEC (the latter is in the case of CP A). ner quan tication ould also consider the total um er of bits in these

queries. As it is customary denote the ab notions of encryption securit as IND-CP and IND-CCA. Extensiv treatmen of these notions can found use the notation to denote that the elemen is hosen with uniform probabilit from the set
Page 8
among other orks in [13, 12, 2] and [24, 3, 17], resp ectiv ely notion strongly related to IND-CCA is non-malleabilit of ciphertexts [10] whic do not use directly here; eak er notion of CCA securit as in tro duced earlier in [23]. also note that are only concerned with symmetric encryption; asymmet- ric encryption shares man of the same asp ects but

there are some imp ortan dierences as ell (in particular, in the asymmetric case encryption oracles are meaningless since ev ery one can encrypt at will an plain text). 2.3 Secure Channels In order to claim our ositiv results, i.e. that certain com bination of en- cryption and authen tication pro vides secure comm unications, need to dene what is mean suc \secure comm unications". or this use the mo del of secure channels in tro duced Canetti and Kra czyk [8] and whic is in tended to capture the standard net ork-securit practice in whic comm unications er public net orks are protected

through \sessions" et een pairs of comm unicat- ing parties, and where eac session consists of stages. First, the parties run ey-exc hange proto col that establishes an authen ticated and secret session ey shared et een the parties. Then, in the second stage, this session ey is used, together with symmetric-k ey cryptographic functions, to protect the in- tegrit and/or secrecy of the transmitted data. The formalism of [8] in olv es the denition of ey-exc hange proto col for implemen tation of the session and ey establishmen stage, as ell as of functions, snd and rcv that dene

the actions applied to transmitted data for protection er otherwise insecure links. proto col that follo ws this formalism is called in [8] \net ork hannels proto col", and its securit is dened in terms of authen tication and secrecy These notions are dened in [8] in the con text of comm unications con trolled an attac er with full con trol of the information sen er the links and with the capabilit of corrupting sessions and parties. refer to the full ersion of [8] for full description of the adv ersarial mo del and securit denitions. Here only men tion briefly

the main elemen ts in this denition concerning the functions snd and rcv The function snd represen ts the op erations and transformations applied to message its sender in order to protect it from adv ersarial action er the comm unication links. Namely when message is to transmitted from part to part under session established et een these parties, the function snd is applied to and, ossibly to additional information suc as message iden tier. The denition of snd ypically consists of the application of some com bination of MA and symmetric encryption ey ed via the session

ey The function rcv describ es the action at the receiving end for \deco ding" and erifying incoming messages, and it ypically in olv es the erication of MA and/or the decryption of an incoming ciphertext. Roughly sp eaking, [8] dene that authen tication is ac hiev ed the proto col if an message deco ded and accepted as alid the receiving part to session as indeed sen the partner to that session. (That is, an mo dication of messages pro duced the attac er er the comm unications links, including the injection or repla of messages, should detected and rejected the

recipien t; in [8] this is formalized as the \em ulation" of an ideally-authen ticated hannel.) Secrecy
Page 9
is formalized in the tradition of seman tic securit y: among the man messages exc hanged in session the attac er ho oses pair of \test messages" of whic only one is sen t; the attac er's goal is to guess whic one as sen t. Securit is obtained if the attac er cannot guess correctly with probabilit signican tly greater than 1/2. net ork hannels proto col is called secure channels roto col if it ac hiev es oth authen tication and secrecy in the sense outlined ab e. In

this pap er fo cus on the the functions snd and rcv are to dened to ac hiev secure hannels, i.e. to pro vide oth authen tication and secrecy in the presence of an attac er as ab e. sa that an of the com binations EtA tE implements secure channels if when used as the sp ecication of the snd and rcv functions the resultan proto col is \secure hannels proto col". Note that are not concerned here with sp ecic ey-exc hange mec hanism, but rather assume secure ey-exc hange proto col [8], and ma ev en assume an \ideally shared" session ey CUF-CP A: Ciphertext Unforgeabilit In

addition to the traditional notions of securit for an encryption sc heme out- lined in Section 2.2 use the follo wing notion of securit that call ciphertext unfo rgeabilit similar notion has een recen tly (and indep enden tly) used in [16, 5] where it is called \existen tial unforgeabilit of encryption" and \in tegrit of ciphertexts (INT-CTXT)", resp ectiv ely Let ENC symmetric encryption sc heme, and ey for ENC Let the set of plain texts on whic ENC is dened, and the set of ciphertexts s.t. ENC (note that if ENC is not deterministic then ENC mean that there is run of ENC on that

outputs ). call the set of valid ciphertexts under ey or example, under blo cipher only strings of the blo length are alid ciphertexts while in the basic CBC mo de only strings that are ultiples of the blo length can alid ciphertexts. assume that the decryption oracle DEC outputs sp ecial \in alidit sym ol" when queried with an in alid ciphertext (and otherwise outputs the unique decrypted plain text ). sa that an encryption sc heme is ciphertext unfo rgeable and denote it CUF-CP if it is infeasible for an attac er (called \ciphertext for ger" that has access to an encryption oracle ENC with

ey to pro duce alid ciphertext under not generated ENC as resp onse to one of the queries More precisely quan tify ciphertext unforgeabilit the function Q; dened as the maximal probabilit of success for an ciphertext forger that queries plain texts totalling bits and sp ends time in the attac k. stress that this denition do es not in olv access to decryption oracle and th us its name CUF-CP (this is consisten with other common notations of the form X-Y where represen ts the goal of the attac er and the assumed abilities of the attac er). Our main use of the CUF-CP notion is for

pro ving (see Section 5) that under certain conditions the tE comp osition is secure, i.e., it implemen ts secure
Page 10
hannels. Ho ev er, the notion of CUF-CP while sucien for our purp oses is actually stronger than needed. or example, an sc heme ENC that allo ws for arbitrary padding of ciphertexts to length-b oundary (e.g., to ultiple of 8-bits) will not CUF-CP (since giv en ciphertext with padded bits an hange to these bits will result in dieren et alid ciphertext). Ho ev er, suc sc heme ma erfectly secure in the con text of implemen ting secure hannels (see [8]); moreo

er, sc hemes of this yp are common in practice. Th us, in order to oid an articial limitation of the sc hemes that iden tify as secure for implemen ting secure hannels presen next relaxation of the CUF-CP notion that is still sucien for our purp oses (w stress that this is not necessarily the eak est relaxation for this purp ose and other eak enings of the CUF-CP notion are ossible). Let olynomial-time omputable relation on pairs of ciphertexts com- puted under the encryption function ENC with the prop ert that c; implies that and decrypt to the same plain text. Then sa that

the encryption sc heme ENC is CUF -CP if for an alid ciphertext that the attac er can fea- sibly pro duce there exists ciphertext output the encryption oracle suc that c; ). When the relation is not explicitly describ ed will refer to this notion as lo ose ciphertext unfo rgeabilit or instance, in the ab example of sc heme that allo ws for arbitrary padding of ciphertexts, if one denes c; to hold if and dier only on the padding bits, then the sc heme can ac hiev CUF -CP A. note that while CUF- CP implies CCA-securit lo ose CUF-CP do es not (as the ab \padding example" sho ws). Indeed,

as oin ted out in the in tro duction (see also Sec- tion 4.2) CCA-securit is not necessary condition for MA C/encryption com- bination to implemen secure hannels. Generic comp osition of encryption and authen tication In this section study the securit of the three metho ds, EtA tE under generic symmetric encryption and MA functions where the only assumption is that the encryption is IND-CP and the MA is secure against hosen mes- sage attac ks. Our fo cus is on the appropriateness of these metho ds to pro vide securit to transmitted data in realistic setting of adv ersarially-con trolled net-

orks. In other ords, are in terested in whether eac one of these metho ds when applied to adv ersarially-con trolled comm unication hannels ac hiev the goals of information secrecy and in tegrit As will see only the encrypt-then- authen ticate metho is generically secure. 4.1 The kno wn securit of encrypt-then-authen ticate The results in this subsection are from [8] and presen them briefly for com- pleteness. refer the reader to that pap er for details. In particular, in the statemen of the next theorem use the notion of \secure hannels" as in tro- duced in the ab pap er and sk etc hed

in Section 2.3.
Page 11
Theorem 1. [8] If ENC is a symmetric encryption scheme secure in the sense of IND-CPA and MAC is a secure MAC family then method EtA(ENC, MAC) implements secure channels.

Following our terminology from Section 2.3, the meaning of the above theorem is that if in the network channels model of [8] one applies to each transmitted message the composed function EtA(ENC, MAC) (as the snd function) then the secrecy and authenticity of the resultant network channels is guaranteed. More precisely, in proving the above theorem, [8] specify the snd function as follows. First, a pair of (computationally independent) keys, an encryption key and an authentication key, are derived from each session key. Then, for each transmitted message, a unique message identifier m-id is chosen (e.g., a sequence number). Finally the function snd produces a triple consisting of m-id, the ciphertext x obtained by applying ENC under the encryption key to the message, and the MAC tag computed under the authentication key on m-id and x. On an incoming message the rcv function verifies the uniqueness of the message identifier and the validity of the MAC tag (computed on m-id and the received ciphertext); if the checks succeed the ciphertext is decrypted under the encryption key and the resultant plaintext accepted as a valid message.

(Footnote) Protocols that use a synchronized counter as the message identifier, e.g. SSL, do not need to transmit this value; yet they must include it under the MAC computation and verification. If transmitted, identifiers are not encrypted under ENC since they are needed for verifying the MAC value before the decryption is applied.

The main contribution of the present paper is in showing (see next subsections) that a generic result as in Theorem 1 cannot hold for any of the other methods, AtE and E&A (even if the used keys are shared with perfect security). Therefore, any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. However, we note in Section 5 that the above theorem can be extended in the setting of method AtE if one assumes a stronger property on the encryption function; in particular, we show important cases that satisfy the added security requirement.

Remark. Note that the authentication of the ciphertext provides plaintext integrity as long as the encryption and decryption keys used at the sender and receiver, respectively, are the same. While this key synchrony is implicit in our analytical models [8], a key mismatch can happen in practice. A system concerned with detecting such cases can check the plaintext for redundancy information (such redundancy exists in most applications: e.g., message formats, non-cryptographic checksums, etc.). If the redundancy entropy is significant then a key mismatch will corrupt this redundancy with high probability.

4.2 Authenticate-then-encrypt is not generically secure

Here we show that the authenticate-then-encrypt method AtE(ENC, MAC) is not guaranteed to be secure for implementing secure channels even if the function ENC is IND-CPA and MAC provides message unforgeability against chosen message attacks. First, however, we discuss shortly why this result does not follow from [5], where it is shown that the AtE composition (viewed as an encryption scheme) does not necessarily provide IND-CCA. The reason is simple: as
demonstrated in [8], IND-CCA is not a necessary condition for a combination of encryption and MAC functions to implement secure channels. An example is provided by the main construction of secure channels in [8] (see Theorem 1): if the MAC used in this scheme enjoys regular MAC security rather than the strengthened notion described in the last remark of Section 2.1, then this construction guarantees secure channels but not necessarily CCA security. (For example, if the MAC function has the property that flipping the last bit of an authentication tag does not change the validity of the tag, then the scheme in [8] is not IND-CCA, yet it suffices for implementing secure channels. For a similar example, see the remark on "multi-valued MAC" following our Theorem 3.) Moreover, the specific example from [5] of a non-CCA AtE(ENC, MAC) scheme can itself be used to show an example of a non-CCA scheme that provably provides secure channels. Therefore, the result in [5] does not say anything about the suitability of AtE(ENC, MAC) for implementing secure channels; it rather points out the fact that while CCA security is a useful security notion it is certainly too strong for some (fundamental) applications such as secure channels.

(Footnote to the padding example of Section 3) Just append an arbitrary one-bit pad to the ciphertext and discard the bit before decryption.

Thus, if we want to establish the insecurity of authenticate-then-encrypt channels under generic composition we need to show an explicit example and a successful attack. We provide such an example now. In this example the encryption scheme is IND-CPA (actually it enjoys "perfect secrecy" in the sense of Shannon) but when combined with any MAC function under the AtE method the secrecy of the composed scheme breaks completely under an active attack.

The encryption function ENC*. We start by defining an encryption scheme ENC* that can be based on any stream cipher ENC (i.e. an encryption function that uses a random or pseudorandom pad to xor with the data). The scheme ENC* preserves the IND-CPA security of the underlying scheme ENC. In particular, if ENC has perfect secrecy (i.e., uses perfect one-time pad encryption) so does ENC*. Next, we define ENC*. Given a plaintext of any bit length, ENC* first applies an encoding of the plaintext into a string of twice that length, obtained by representing each bit of the plaintext with two bits as follows: 1. if the bit is 0 then the pair of bits is set to (0 0); 2. if the bit is 1 then the pair of bits is set to (0 1) or to (1 0) (by arbitrary choice of the encrypting party). The encryption function ENC is then applied to the encoded string. For decrypting ENC* one first applies the decryption function of ENC to obtain the encoded string, which is then decoded by mapping the pair (0 0) into 0 and either pair (0 1) or (1 0) into 1. If the encoded string contains a pair that equals (1 1) the decoding outputs the invalidity sign.

The attack when only encryption is used. For the sake of presentation let's first assume that only ENC* is applied to the transmitted data (we will then treat the AtE case where the MAC is applied to the data before encryption). In
this case when an attacker sees a transmitted ciphertext produced by ENC* it can learn the first bit of the plaintext as follows. It intercepts the ciphertext, flips (from 0 to 1 and from 1 to 0) the first two bits of the ciphertext and sends the modified ciphertext to its destination. If the attacker can obtain the information of whether the decryption output a valid or invalid plaintext then it learns the first bit of the plaintext. This is so since, as can be easily seen, the modified ciphertext is valid if and only if the first plaintext bit is 1. (Remember that we are using a stream cipher to encrypt the encoded string.) Clearly this breaks the secrecy of the channel (note that the described attack can be applied to any of the bits of the plaintext).

One question that arises is whether it is realistic to assume that the attacker learns the validity or invalidity of the ciphertext. The answer is that this is so for many practical applications that will show an observable change of behavior if the ciphertext is invalid (in particular, many applications will return an error message in this case). To make the point even clearer consider a protocol that transmits passwords and uses ENC* to protect the passwords over the network (this is, for example, one of the very common uses of SSL). The above attack, if applied to one of the bits of the password (we assume that the attacker knows the placement of the password field in the transmitted data), will work as follows. If the attacked bit is 1 then the password authentication will succeed in spite of the change in the ciphertext. If it is 0 the password authentication will fail. In this case success or failure is reported back to the remote machine and then learned by the attacker. In applications where the same password is used multiple times (again, as in many applications protected by SSL) the attacker can learn the password bit-by-bit. The same can be applied to other sensitive information such as credit card numbers, where a mistake in this number will usually be reported back and the validity/invalidity information will be learned by the attacker.

The attack against the AtE(ENC*, MAC) scheme. Consider now the case of interest for us in which the encryption is applied not just to the data but also to a MAC function computed on this data. Does the above attack apply? The answer is YES. The MAC is applied to the data before encoding and encryption and therefore if the original bit is 1 the change in the ciphertext will result in the same decrypted plaintext and then the MAC check will succeed. Similarly, if the original bit is 0 the decrypted plaintext will have the invalidity sign instead and the MAC will fail. All the attacker needs now is the information of whether the MAC succeeded or not. Note that in a sense the MAC just makes things worse since regardless of the semantics of the application a failure of authentication is easier to learn by the attacker: either via returned error messages, or via other effects on the application that can be observed by the attacker.

Discussion: what have we learned? The example using ENC* is certainly sufficient to show that the method AtE can be insecure even if the encryption function is IND-CPA secure and the MAC unforgeable (note that this conclusion does not depend on any specific formalization of secure communications; any reasonable definition of security must label the above protocol as insecure). Therefore, if one wants to claim the security of AtE(ENC, MAC) for particular functions ENC and MAC one needs to analyze the combination as a whole or
use stronger or specific properties of the encryption function (see Section 5). An interesting issue here is how plausible it is that people will ever use an encryption scheme such as ENC*. We note that although this scheme does not appear to be the most natural encryption mechanism, some (equally insecure) variants of it may arise in practice. First, the application of an encoding to the plaintext before encryption is used many times for padding and other purposes and is particularly common practice in public key encryption algorithms. Second, encodings of this type can be motivated by stronger security requirements: e.g. to prevent an attacker from learning the exact length of transmitted messages or other traffic analysis information. In this case one could use an encoding similar to ENC* but with variable size codes. (Just to make the point: note that a good example of traffic analysis arises in the above examples where the attacker has a lot to learn from error-reporting messages; even in cases where this information is encrypted it can usually be learned through the analysis of packet lengths, etc.) Another setting where plaintext encoding is introduced in order to improve security is for combating timing and power analysis attacks. The bottom line is that it is highly desirable to have schemes that are robust to generic composition and are not vulnerable when seemingly innocuous changes are made to an algorithm (or when a new, more secure or more efficient, algorithm or mode is adopted).

4.3 Encrypt-and-authenticate is not generically secure

The first observation to make regarding the encrypt-and-authenticate method is that under the common requirements from a MAC function this method cannot guarantee the protection of secrecy (even against a passive eavesdropper). This is so since a MAC can be secure against forgeries but still leak information on the plaintext. Thus, the really interesting question is whether the method becomes secure if we avoid this obvious weakness via the use of a "secrecy protecting" MAC, such as one implemented via a pseudorandom function, or when the MAC tag is encrypted (most, if not all, MAC functions used in practice are believed to protect secrecy). Unfortunately, however, the attack from the previous section applies here too, thus showing the (generic) insecurity of the method even under the above stronger forms of MAC. (See also the last remark in Section 5.2.)

5 Authenticate-then-encrypt with CBC and OTP modes

In Section 4.2 we saw that authenticate-then-encrypt cannot guarantee secure channels under the sole assumption that the encryption function is IND-CPA, even if the MAC function is perfectly secure. In this section we prove that for two common modes of encryption, CBC (with a secure underlying block cipher) and OTP (stream ciphers that xor data with a (pseudo)random pad), the AtE mode does work for implementing secure channels. See the last remark in Section 5.2 for another example where seemingly harmless changes transform a secure protocol into an insecure one.
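The ENC* encoding and the validity-oracle attack of Sections 4.2 and 4.3, run against all three compositions, as an added example that is not the paper's own code. It assumes an HMAC-SHA256 counter-mode pad as the stream cipher, a truncated HMAC as the MAC, and a constructed message; the only signal the attack uses is whether the receiver accepts.

```python
"""ENC* (Section 4.2) under AtE, E&A and EtA: constructed example, not the paper's code.
Assumed here: the stream-cipher pad is HMAC-SHA256 in counter mode (a PRF standing in
for the one-time pad) and the MAC is HMAC-SHA256 truncated to 32 bits.  Bits are
Python lists of 0/1 for readability; the message passed to demo() is constructed."""
import hashlib
import hmac
import secrets

TAGLEN = 32  # MAC tag length in bits

def pad_bits(key, nonce, n):
    """n pseudorandom pad bits derived from (key, nonce), standing in for the OTP pad."""
    out, ctr = [], 0
    while len(out) < n:
        blk = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend((b >> i) & 1 for b in blk for i in range(8))
        ctr += 1
    return out[:n]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encode_star(m):
    """ENC* encoding: 0 -> (0,0); 1 -> (0,1) or (1,0), chosen arbitrarily per bit."""
    coded = []
    for bit in m:
        coded += [0, 0] if bit == 0 else ([0, 1] if secrets.randbits(1) else [1, 0])
    return coded

def decode_star(coded):
    """Inverse of encode_star; a (1,1) pair yields None, the 'invalid' sign."""
    m = []
    for i in range(0, len(coded), 2):
        pair = (coded[i], coded[i + 1])
        if pair == (1, 1):
            return None
        m.append(0 if pair == (0, 0) else 1)
    return m

def enc_star(ke, m):
    """ENC*: encode, then xor with a fresh nonce-derived pad (a stream cipher)."""
    nonce = secrets.token_bytes(16)
    coded = encode_star(m)
    return nonce, xor(coded, pad_bits(ke, nonce, len(coded)))

def dec_star(ke, nonce, c):
    return decode_star(xor(c, pad_bits(ke, nonce, len(c))))

def mac(km, data):
    """TAGLEN-bit tag: truncated HMAC-SHA256 over the decimal rendering of the list."""
    d = hmac.new(km, "".join(map(str, data)).encode(), hashlib.sha256).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(TAGLEN)]

# The three generic compositions.  Each recv returns the message, or None on rejection.
def ate_send(ke, km, m):                       # authenticate-then-encrypt (SSL)
    return enc_star(ke, m + mac(km, m))

def ate_recv(ke, km, nonce, c):
    p = dec_star(ke, nonce, c)                 # decoding may already yield 'invalid'
    if p is None or len(p) < TAGLEN:
        return None
    m, tag = p[:-TAGLEN], p[-TAGLEN:]
    return m if mac(km, m) == tag else None

def eta_send(ke, km, m):                       # encrypt-then-authenticate (IPsec)
    nonce, c = enc_star(ke, m)
    return nonce, c, mac(km, list(nonce) + c)  # tag covers nonce and ciphertext

def eta_recv(ke, km, nonce, c, tag):
    if mac(km, list(nonce) + c) != tag:        # verify before decrypting
        return None
    return dec_star(ke, nonce, c)

def ea_send(ke, km, m):                        # encrypt-and-authenticate (SSH)
    nonce, c = enc_star(ke, m)
    return nonce, c, mac(km, m)

def ea_recv(ke, km, nonce, c, tag):
    p = dec_star(ke, nonce, c)
    return p if p is not None and mac(km, p) == tag else None

def probe(accepts, c, i):
    """Flip the two ciphertext bits covering plaintext bit i; accepted <=> the bit is 1."""
    c2 = list(c)
    c2[2 * i] ^= 1
    c2[2 * i + 1] ^= 1
    return 1 if accepts(c2) else 0

def recover(accepts, c, nbits):
    """Bit-by-bit recovery from the accept/reject signal alone (the password example)."""
    return [probe(accepts, c, i) for i in range(nbits)]

def demo(m):
    """Run the validity-oracle attack against all three compositions on message m."""
    ke, km = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce, c = ate_send(ke, km, m)
    ate = recover(lambda c2: ate_recv(ke, km, nonce, c2) is not None, c, len(m))
    nonce, c, tag = ea_send(ke, km, m)
    ea = recover(lambda c2: ea_recv(ke, km, nonce, c2, tag) is not None, c, len(m))
    nonce, c, tag = eta_send(ke, km, m)
    eta = recover(lambda c2: eta_recv(ke, km, nonce, c2, tag) is not None, c, len(m))
    return {"AtE": ate, "E&A": ea, "EtA": eta}  # EtA rejects every probe: all zeros
```

Under AtE and E&A the recovered bits equal the message; under EtA every modified ciphertext fails the MAC check before decryption, so the oracle returns nothing but rejections.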
5.1 sucien condition for the securit of tE start oin ting out to the follo wing Theorem that can pro en in the securit mo del of [8] (see Section 2.3). Theorem 2. (deriv ed from [8]) et ENC an IND-CP encryption function and MA MA function. If the omp ose function tE ENC MA onsid- er as an encryption scheme, is (lo ose) CUF-CP A, then tE ENC MA im- plements se cur channels. That is, under the assumptions on the ENC and MA functions as stated in the Theorem, applying the

function tE ENC MA to information transmit- ted er adv ersarially-con trolled links protects the secrecy and in tegrit of this information. More sp ecically the Theorem implies the follo wing denition of the function snd in the net ork hannels mo del of [8] (see Section 2.3). or eac transmitted message with unique message iden tier m-id the function snd pro duces pair x; where m-id and ENC m; MA m-id )), where the eys and are computationally indep enden eys deriv ed from the session ey On an incoming message the rcv function eries the uniqueness of message iden

tier decrypts under ey eries the alid- it of the decrypted MA tag, and if all tests succeed the recipien accepts the decrypted message as alid. note that if the message iden tier is main tained in sync hron sender and receiv er (as in SSL) then there is no need to send its alue er the net ork. On the other hand, if sen t, the message iden tier can encrypted to o. The ab Theorem holds in either case. stress that the Theorem holds for strict CUF-CP as ell as for the relaxed \lo ose" ersion (see Section 3). Based on this Theorem, and on the fact that OTP and CBC

are IND-CP [2], can pro the securit of tE under OTP and CBC sho wing that in this case the resultan tE sc heme is CUF-CP A. The rest of this section is dev oted to pro these facts. 5.2 tE with OTP The OTP sc heme. Let family of functions with domain and range dene the encryption sc heme to ork on messages of length at most as follo ws. ey in the encryption sc heme is description of mem er of the family The OTP encryption under of plain text is erformed ho osing and computing where is truncated to the length of The ciphertext is the pair ). Decryption orks in the ob vious If is the set

of al functions with the ab domain and range and is hosen at random from this family get erfect secrecy against hosen-plain text attac ks as long as there are no rep etitions in the alues hosen the encryptor (after encrypting dieren messages rep etition happ ens with probabilit ); denote this sc heme OTP If is family of pseudorandom functions then the same securit is ac hiev ed but in computational sense, i.e., up to the \indistinguishabilit distance" et een the
Page 16
pseudorandom family and a truly random function. A formal and exact-security treatment of this mode of encryption can be found in [2].

The AtE(OTP, MAC) composition. Let MAC be a MAC family with outputs of a fixed bit length, and a key to a member of that family. Let the OTP function be a random function with domain and range as defined above. The AtE(OTP, MAC) function with these keys acts as follows: (i) it receives as input a message of length at most the bound above; (ii) computes the MAC tag of the message; (iii) appends the tag to the message; (iv) outputs the OTP encryption under the OTP key of the concatenated message and tag. The following theorem establishes the CUF-CPA security of AtE(OTP, MAC) as a function of the security of MAC.

Theorem 3. If MAC is a MAC family that resists one-query attacks then AtE(OTP, MAC) is CUF-CPA (and then by Theorem 2 it implements secure channels). More precisely, any ciphertext forger against AtE(OTP, MAC) that runs in a given time has success probability bounded by an expression involving the parameter of OTP, the number of queries the forger makes during the attack, an upper bound on the length of each such query and on the length of the output forgery, and a constant factor on the running time.

For a proof of the Theorem see [21]. Using standard techniques one can show that the theorem holds also for an OTP scheme realized via a family of pseudorandom functions if we add to the above probability bound the distinguishability distance between the pseudorandom family and a truly random function. Also, the component of the bound that accounts for repeated random values can be eliminated if one uses non-repeating nonces instead of random values (such as in counter mode or via a stateful pseudorandom generator used to generate the pseudorandom pad).

Remark (Tightness: one-query resistance is necessary). Here is an example of a MAC that does not resist one-query attacks and with which a valid ciphertext can be forged against AtE(OTP, MAC). Assume MAC allows for finding same-length messages with the same MAC tag. (For example, MAC first zeros the last bit of the message and then applies a secure MAC function on the resultant message. Thus, MAC resists zero-query attacks but fails against one-query attacks: ask for the MAC on a message, then forge for the message with the last bit flipped.) The strategy of the ciphertext forger against AtE(OTP, MAC) is to find such a pair of messages. Then, it queries the first one and gets its ciphertext. Finally it outputs the forgery obtained by xor-ing the difference between the two messages into the first bits of that ciphertext. It is easy to see that the forgery decrypts to the second message followed by the (shared) MAC tag.

Remark (Multi-valued MAC). In Section 2.1 we strengthened the regular security definition of a MAC function in the case that the function allows for different valid authentication tags for the same message. This extended definition is used (explicitly) in the proof of Theorem 3 and is essential for ensuring the CUF-CPA property of AtE(OTP, MAC). To see this, let MAC be a secure single-valued MAC function and define MAC' to be the same as MAC except that an additional arbitrary bit is appended to each authentication tag. The verification procedure will just ignore this bit. It is easy to see that in this case
AtE(OTP, MAC') will not be CUF-CPA. However, if one examines the proof of Theorem 3 it can be seen that AtE(OTP, MAC') achieves loose CUF-CPA (see Section 3) and then it is sufficient for implementing secure channels (which is what we care about). So can we dispense with the strengthened notion of MAC when multi-valued MACs are used? The answer is no. It is possible to build a multi-valued function MAC that satisfies the regular MAC definition, but not the strengthened version, for which AtE(OTP, MAC) is insecure for building secure channels (see [21]).

Remark (Sufficiency of redundancy functions). In [1] An and Bellare investigate the question of whether simple redundancy functions (such as combinatorial hash functions) applied to the plaintext before encryption suffice for providing ciphertext unforgeability. In the case of AtE with OTP it seems natural to assume that a simple combinatorial property of the redundancy function such as AXU [20, 25] should suffice. (In particular, this seems so since such a property is sufficient [20] if one only considers plaintext integrity, where only the output of the redundancy function is encrypted under an OTP scheme.) However, this turns out not to be true in the case of ciphertext unforgeability: we can show an example of an ε-AXU (and also ε-balanced [20]) MAC family for which AtE(OTP, MAC) is not CUF-CPA. It seems plausible, however, that a more involved combinatorial property (involving the length of messages) of the MAC function could suffice to guarantee ciphertext unforgeability in the case of AtE with OTP. Actually, it is interesting to note that if the authentication tag is positioned before the message, instead of at the end as defined above, the AXU property is indeed sufficient (assuming fixed-length and single-valued valid authentication tags).

Remark (Beware of "slight changes"). To highlight the "fragility" of the result in Theorem 3 we note that the proof of this theorem uses in an essential way the fact that the encryption is applied as a whole on the concatenated message and MAC tag. If we were to encrypt these values separately (i.e., using separate IVs for the encryption of the message and of the MAC), even under a truly random function we would not get CUF or CCA security. More significantly, such separate encryption results in insecure channels. Indeed, under this method an active attacker can get to learn whether transmitted messages, possibly with different message identifiers, are the same, something clearly unwanted in a secure protocol. (This weakness allows for actual attacks on practical applications, in particular several forms of "dictionary attacks".) In addition, this observation shows another weakness of the encrypt-and-authenticate method (Section 4.3) since it exhibits the insecurity of this method even under the use of a standard stream cipher for encryption and even when the MAC tag is encrypted. One such example would be finding passwords sent in the telnet protocol even if the protocol is run over a secure channel protected as above; this is particularly facilitated by the fact that in this case individual password characters are transmitted separately and thus a dictionary attack can be mounted on individual characters.
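AtE(OTP, MAC) as defined in Section 5.2, together with the one-query check from the tightness remark, as an added example that is not the paper's code. It assumes an HMAC-SHA256 counter-mode pad in place of the random function, a truncated-HMAC MAC as the secure MAC, a weak MAC (named weak_mac here) that zeros the last message bit as in the remark, and a constructed message.

```python
"""AtE(OTP, MAC) from Section 5.2 with a one-query check: constructed example, not the
paper's code.  Assumed here: the OTP pad comes from HMAC-SHA256 in counter mode (a PRF
standing in for the random function), the secure MAC is HMAC-SHA256 truncated to 8
bytes, and weak_mac is the tightness-remark MAC that zeroes the last message bit."""
import hashlib
import hmac
import secrets

TAGLEN = 8  # MAC tag length in bytes

def otp_pad(k, r, n):
    """n pad bytes for nonce r: the (pseudo)random function of the OTP scheme."""
    blocks = (hmac.new(k, r + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def secure_mac(ka, m):
    return hmac.new(ka, m, hashlib.sha256).digest()[:TAGLEN]

def weak_mac(ka, m):
    """Zeroes the last bit of m before MACing: resists zero queries, not one query."""
    if not m:
        return secure_mac(ka, m)
    return secure_mac(ka, m[:-1] + bytes([m[-1] & 0xFE]))

def ate_otp_send(k, ka, mac_fn, m):
    """Steps (i)-(iv): tag the message, append, encrypt the whole under a fresh nonce."""
    r = secrets.token_bytes(16)
    x = m + mac_fn(ka, m)
    return r, xor(x, otp_pad(k, r, len(x)))

def ate_otp_recv(k, ka, mac_fn, r, c):
    """Decrypt, split off the tag, verify; None means the ciphertext is rejected."""
    x = xor(c, otp_pad(k, r, len(c)))
    if len(x) < TAGLEN:
        return None
    m, tag = x[:-TAGLEN], x[-TAGLEN:]
    return m if hmac.compare_digest(mac_fn(ka, m), tag) else None

def flip_last_message_bit(r, c):
    """The forgery of the tightness remark: flip the last message bit through the pad."""
    i = len(c) - TAGLEN - 1
    return r, c[:i] + bytes([c[i] ^ 1]) + c[i + 1:]

def one_query_forgery(mac_fn, m):
    """CUF-CPA check with a single query: returns the plaintext the receiver accepts for
    the modified ciphertext, or None if it is rejected (what a sound MAC must give)."""
    k, ka = secrets.token_bytes(32), secrets.token_bytes(32)
    r, c = ate_otp_send(k, ka, mac_fn, m)       # the single encryption query
    r2, c2 = flip_last_message_bit(r, c)        # a ciphertext snd never produced
    return ate_otp_recv(k, ka, mac_fn, r2, c2)
```

With weak_mac the receiver accepts the altered message (the last character of the constructed message changes, e.g. "transfer 100" becomes "transfer 101"), while with secure_mac the same modification is rejected, which is exactly the one-query resistance Theorem 3 requires.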
5.3 AtE with CBC

The CBC scheme. Let the block length be a positive integer and let a family of permutations over blocks of that length be given; we define the encryption scheme to work on messages whose length is a multiple of the block length as follows. A key in the encryption scheme is a description of a member of the family. The CBC encryption under this key of a plaintext is performed by partitioning the plaintext into blocks of one block length each, then choosing a random block (called the IV) and computing the ciphertext as the IV followed by one block per plaintext block, each obtained by applying the permutation to the xor of that plaintext block with the preceding ciphertext block. Decryption works in the obvious inverse way. If the family is the set of all permutations over a block and the key is chosen at random from it then we denote the scheme CBC. A formal and exact-security treatment of this mode of encryption can be found in [2], who in particular prove it to be IND-CPA also in the case where the family is a pseudorandom family (in this case the security depends on the "indistinguishability distance" between the pseudorandom family and a truly random function).

The AtE(CBC, MAC) composition. Let MAC be a MAC family with outputs one block long, and a key to a member of that family. Let the CBC function be a random permutation over a block. The AtE(CBC, MAC) function with these keys acts as follows: (i) it receives as input a message whose length is a multiple of the block length; (ii) computes the MAC tag of the message; (iii) appends the tag to the message; (iv) outputs the CBC encryption under the CBC key of the concatenated message and tag (note that the resultant output is two blocks longer than the message due to the added MAC block and the prepended IV). The following theorem establishes the CUF-CPA security of AtE(CBC, MAC) as a function of the security of MAC.

Theorem 4. If MAC is a secure MAC family then AtE(CBC, MAC) is CUF-CPA (and then by Theorem 2 it implements secure channels). More precisely, any ciphertext forger against AtE(CBC, MAC) that runs in a given time has success probability bounded by an expression in the security of MAC against zero-query, one-query and many-query attacks, where the quantities involved are the number of plaintexts queried by the forger, an upper bound on the number of blocks in each of these queries, the length in blocks of the forgery output by the forger, the total number of blocks in the responses to the forger's queries plus the forgery length, and a constant.

For a proof of the Theorem see [21]. Using standard techniques one can show that the theorem holds also for a CBC scheme realized via a family of pseudorandom permutations if we add to the above probability bound the distinguishability distance between the pseudorandom family and a truly random function. However, we note that in this case the distinguisher not only gets access to an oracle that computes the function but also to an oracle that computes the inverse function (that is, we need to assume the family of permutations to be "super pseudorandom" [22]).

Remark (Tightness: the necessity of the many-query bound). The most "expensive" term in MAC security in the expression of the theorem is the value of the MAC's security against many queries,
since the other terms only require protection against one-query or zero-query attacks. Since an attacker does not get to see any of the MAC values one could wonder why such strong security from the MAC is required. We show here that, in contrast to the AtE(OTP, MAC) case, this requirement is unavoidable. Specifically, we present, for any number of queries, an example of a MAC function that is secure against that many queries but yields an insecure AtE(CBC, MAC) scheme under one more query. We describe the example for the case of a single query; the extension to other values is straightforward.

Let a family of pseudorandom functions from blocks to half-blocks be given. Define a MAC family on the same domain and with one-block outputs, whose output is a block whose second half equals the pseudorandom function applied to its first half. Define a second MAC family that uses the same set of keys as the first and such that, under a key: 1. if the input contains two blocks that both have the property that applying the pseudorandom function to the first half of the block yields the second half of the block, then output a trivial (fixed) value as the MAC value; 2. otherwise, output the value of the first MAC family under the same key. It is easy to see that the MAC so defined has security of roughly the half-block size against single queries (but is totally insecure after two queries, since the output of the MAC provides the block format that makes the authentication tag "trivial"). We show that it yields an AtE(CBC, MAC) scheme whose ciphertexts are forgeable after two queries even if the encryption permutation is purely random. The ciphertext forger against AtE(CBC, MAC) proceeds as follows: 1. Choose two arbitrary one-block long plaintexts as the queries. 2. Let the responses be the two triples consisting of the IV, the encrypted message block and the encrypted MAC block. 3. Output a forgery composed from the blocks of these two responses. A simple examination shows that it is a valid ciphertext.

One consequence of the above lower bound on the required security of MAC is that, somewhat surprisingly, the MAC function cannot be replaced by a simple combinatorial hash function, such as one enjoying AXU (see the remark on "redundancy functions" in Section 5.2). Indeed, had AXU been sufficient then one-query resistant MACs would suffice too (since one-query resistance implies AXU). We note that a modified CBC-like mode for which AXU is sufficient is presented in [1]. In contrast to the above lower bound, we do not know if the zero-query term in the bound of the theorem is necessary or not; we do not have so far an example that shows this term to be unavoidable. Thus, it may well be the case that a more careful analysis could lower the factor multiplying it (actually, even with the current analysis it is possible to replace that factor by a smaller one via a slightly more involved argument).

Remark (Non-adaptive security of MAC suffices). It is interesting to note that the requirement from the security of the MAC in Theorem 4 is for non-adaptive queries only. This can be seen by inspecting the proof of the theorem, where the MAC forger that we build makes non-adaptive queries only.

Remark (Beware of "slight changes"). Similarly to the case of AtE(OTP, MAC), the proof of Theorem 4 uses in an essential way the fact that the encryption is done as a whole on the concatenated message and MAC. It is easy to build a ciphertext forgery attack in case the encryption of the plaintext and of the MAC tag are done separately (i.e. with independently chosen IVs).

Acknowledgment. I would like to thank Yaron Sheffer for motivating conversations on this topic and for "forcing" me to find an explicit counter-example for the AtE method; Yaron also helped in simplifying a previous example.
I also thank Mihir Bellare for interesting conversations and for highlighting some of the subtleties related to the subject of this paper, and Ran Canetti and Jonathan Katz for valuable comments on earlier drafts of the paper. This research is supported by an Irwin and Bethea Green Detroit Chapter Career Development Chair, and the Fund for the Promotion of Research at the Technion.

References

1. J. An, M. Bellare, "Does encryption with redundancy provide authenticity?", Advances in Cryptology, EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag, B. Pfitzmann, ed., 2001.
2. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation", Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.
3. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations Among Notions of Security for Public-Key Encryption Schemes", Advances in Cryptology, CRYPTO'98 Proceedings, Lecture Notes in Computer Science, Vol. 1462, H. Krawczyk, ed., Springer-Verlag, 1998, pp. 26-45.
4. M. Bellare, J. Kilian and P. Rogaway, "The security of cipher block chaining", Advances in Cryptology, CRYPTO'94 Proceedings, Lecture Notes in Computer Science, Vol. 839, Y. Desmedt, ed., Springer-Verlag, 1994, pp. 341-358.
5. M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm", Advances in Cryptology, ASIACRYPT'00 Proceedings, Lecture Notes in Computer Science, Vol. 1976, T. Okamoto, ed., Springer-Verlag, 2000.
6. J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway, "UMAC: Fast and Secure Message Authentication", Advances in Cryptology, CRYPTO'99 Proceedings, Lecture Notes in Computer Science, Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999, pp. 216-233.
7. D. Bleichenbacher, "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1", Advances in Cryptology, CRYPTO'98 Proceedings, Lecture Notes in Computer Science, Vol. 1462, H. Krawczyk, ed., Springer-Verlag, 1998, pp. 1-12.
8. R. Canetti and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels", Advances in Cryptology, EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag, B. Pfitzmann, ed., 2001, pp. 453-474. Full version in Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2001/040.
9. T. Dierks and C. Allen, "The TLS Protocol Version 1", Request for Comments 2246, 1999.
10. D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography", Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, pp. 542-552, 1991.
11. A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol", Netscape Communications Corp., Nov 18, 1996. http://home.netscape.com/eng/ssl3/ssl-toc.html
12. O. Goldreich, "Foundations of Cryptography (Fragments of a Book)", Weizmann Inst. of Science, 1995. http://www.wisdom.weizmann.ac.il/~oded/frag.html
13. S. Goldwasser and S. Micali, "Probabilistic Encryption", Journal of Computer and System Sciences, Vol. 28, 1984, pp. 270-299.
14. S. Halevi and H. Krawczyk, "Public-Key Cryptography and Password Protocols", ACM Transactions on Information and System Security, Vol. 2, No. 3, August 1999, pp. 230-268.
15. C. Jutla, "Encryption Modes with Almost Free Message Integrity", Advances in Cryptology, EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag, B. Pfitzmann, ed., 2001.
16. J. Katz and M. Yung, "Unforgeable encryption and adaptively secure modes of operations", Fast Software Encryption'00, 2000.
17. J. Katz and M. Yung, "Complete characterization of security notions for probabilistic private-key encryption", Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, 2000.
18. S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", Request for Comments 2401, Nov. 1998.
19. S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", Request for Comments 2406, Nov. 1998.
20. H. Krawczyk, "LFSR-based Hashing and Authentication", Proceedings of CRYPTO '94, Lecture Notes in Computer Science, Vol. 839, Y. Desmedt, ed., Springer-Verlag, 1994, pp. 129-139.
21. H. Krawczyk, "The order of encryption and authentication for protecting communications (Or: how secure is SSL?)". Full version: http://eprint.iacr.org/2001.
22. M. Luby and C. Rackoff, "How to construct pseudorandom permutations from pseudorandom functions", SIAM J. on Computing, Vol. 17, Number 2, April 1988, pp. 373-386.
23. M. Naor and M. Yung, "Public key cryptosystems provably secure against chosen ciphertext attacks", Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, 1990.
24. C. Rackoff and D. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack", Advances in Cryptology, CRYPTO'91 Proceedings, Lecture Notes in Computer Science, Vol. 576, J. Feigenbaum, ed., Springer-Verlag.
25. P. Rogaway, "Bucket Hashing and its application to Fast Message Authentication", Proceedings of CRYPTO '95, Lecture Notes in Computer Science, Vol. 963, D. Coppersmith, ed., Springer-Verlag, 1995, pp. 15-25.
26. P. Rogaway, M. Bellare, J. Black, and T. Krovetz, "OCB Mode", Cryptology ePrint Archive, Report 2001/026.
27. T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, "SSH Transport Layer Protocol", January 2001, draft-ietf-secsh-transport-09.txt