# Odds and ends Key Derivation - PowerPoint Presentation  #### Odds and ends Key Derivation - Description

Online Cryptography Course Dan Boneh Deriving many keys from one Typical scenario a single source key SK is sampled from Hardware random number generator ID: 628305 Download Presentation

### Tags

key prp encryption secure prp key secure encryption cpa det ctr prf sector random message keys tweakable ctx deterministic

Embed / Share - Odds and ends Key Derivation

## Presentation on theme: "Odds and ends Key Derivation"— Presentation transcript

Slide1

Odds and ends

Key Derivation

Online Cryptography Course Dan BonehSlide2

Deriving many keys from oneTypical scenario. a single source key (SK) is sampled from:Hardware random number generatorA key exchange protocol (discussed later)

Need many keys to secure session:unidirectional keys; multiple keys for nonce-based CBC.

Goal: generate many keys from this one source key

SK

k1

, k

2

, k

3

, …

KDFSlide3

When source key is uniformF: a PRF with key space K and outputs in {0,1}nSuppose source key SK is uniform in K

Define Key Derivation Function (KDF) as:

CTX: a string that uniquely identifies the applicationKDF

( SK, CTX, L) :=

F(SK

, (

CTX

ll

0

)

)

ll F(SK, (

CTX

ll

1

)

)

ll

ll

F

(

SK

, (

CTX

ll

L

)

)

Slide4

What is the purpose of CTX?

KDF( SK, CTX, L) :=

F(SK, (CTX ll

0))

ll F(SK, (

CTX

ll

1

)

)

ll

⋯ ll

F

(

SK

, (

CTX

ll L))

Even if two apps sample same SK they get indep. keys

It’s good practice to label strings with the app. name

It serves no purposeSlide5

What if source key is not uniform?Recall: PRFs are pseudo random only when key is uniform in K SK not uniform ⇒ PRF output may not look randomSource key often not uniformly random:

Key exchange protocol: key uniform in some subset of KHardware RNG: may produce biased outputSlide6

Extract-then-Expand paradigmStep 1: extract pseudo-random key k from source key SK

step 2: expand

k by using it as a PRF key as before

prob

SK

prob

k

extractor

salt

s

alt: a fixed non-secret string chosen at randomSlide7

HKDF: a KDF from HMACImplements the extract-then-expand paradigm:extract: use k ⟵ HMAC( salt, SK )

Then expand using HMAC as a PRF with key k Slide8

Password-Based KDF (PBKDF)Deriving keys from passwords:Do not use HKDF: passwords have insufficient entropy Derived keys will be vulnerable to dictionary attacks

PBKDF defenses: salt and a

slow hash functionStandard approach: PKCS#5 (PBKDF1) H(c)(pwd

ll salt): iterate hash function c times

(more on this later)Slide9

End of SegmentSlide10

Odds and ends

Deterministic Encryption

Online Cryptography Course Dan BonehSlide11

The need for det. Encryption (no nonce)

encrypteddatabase

Alice

data

k

1

, k

2

Alice

data

Bob

data

??Slide12

The need for det. Encryption (no nonce)

encrypteddatabase

Alice

data

k

1

, k

2

Bob

data

??

Later:

Retrieve record

E(k

1

, “Alice”)

Alice

data

d

et. enc.

e

nables later lookupSlide13

Problem: det. enc. cannot be CPA secureThe problem: attacker can tell when two ciphertexts

encrypt the same message ⇒ leaks informationLeads to significant attacks when message space M is small.

e

qual

ciphertexts

means same indexSlide14

Problem: det. enc. cannot be CPA secureThe problem: attacker can tell when two ciphertexts

encrypt the same message ⇒ leaks information

kK

m

0

, m

1

 M

c

E(k,

m

b

)

m

0

,

m0  M

c

0

E(k

,

m

0

)

o

utput 0

i

f c = c

0

Attacker wins CPA game:

bSlide15

A solution: the case of unique messagesSuppose encryptor never encrypts same message twice:

the pair (k , m) never repeatsThis happens when encryptor:

Chooses messages at random from a large msg space (e.g. keys)Message structure ensures uniqueness (e.g. unique user ID)Slide16

Deterministic CPA security

E

= (E,D) a cipher defined over (K,M,C)

.

For b=0,1 define EXP(b) as:

Def

:

E

is

sem. sec. under det. CPA

if for all efficient A:

dCPA

[A,

E

] =

|

Pr

[EXP(0)=1] –

Pr[EXP(1)=1] | is negligible.

Chal.

b

k

K

b’

 {0,1}

m

i

,0

,

m

i

,1

 M : |

m

i

,0

|

= |

m

i,1

|

c

i

E(k,

m

i

,b

)

where

m

1,0

, …, m

q,0

are distinct and

m

1,1

,

…, m

q

,

1

are distinct

f

or

i

=

1,…,q: Slide17

A Common MistakeCBC with fixed IV is not det. CPA secure.

Let E: K × {0,1}n ⟶ {0,1}

n be a secure PRP used in CBCChal.

kK

m

0

=0

n

,

m

1

= 1

n

c

[

FIV,

E(k, FIV) ] or

0

n

1

n

, 0

n

1

n

c

1

[

FIV, E(k, 0

n

⨁FIV) , …]

o

utput 0if c = c1

c

 [ FIV, E(k, 1n

⨁FIV) ]

Leads to significant attacks in practice.

bSlide18

Is counter mode with a fixed IV det. CPA secure?Yes

No

It depends

message

F(k,

FIV

)

ll

F(k,

F

IV+1

)

ll

ll

F(k,

F

IV+L)

ciphertext

Chal.

k

K

m

0

, m

1

c

m

b

⨁F

(k

, FIV)

m

,

m

c

m⨁

F

(k

,

FIV)

o

utput 0 if

c

c

’=m

⨁m

0

bSlide19

End of SegmentSlide20

Odds and ends

Deterministic Encryption

Constructions:

SIV and wide PRP

Online Cryptography Course Dan BonehSlide21

Deterministic encryptionNeeded for maintaining an encrypted database indexLookup records by encrypted indexDeterministic CPA security:S

ecurity if never encrypt same message twice using same key: the pair (key , msg) is unique

Formally: we defined deterministic CPA security gameSlide22

Construction 1: Synthetic IV (SIV)Let (E, D) be a CPA-secure encryption. E(k, m ; r) ⟶ cLet F:

K × M ⟶ R be a secure PRFDefine:

Edet( (k1,k2) , m) =Thm: Edet is sem. sec. under det. CPA .

Proof sketch: distinct msgs. ⇒ all r’s are

indist. from randomWell suited for messages longer than one AES block (16 bytes) Slide23

Ensuring ciphertext integrityGoal: det. CPA security and

ciphertext integrity ⇒ DAE: deterministic authenticated encryption

Consider a SIV special case: SIV-CTR SIV where cipher is counter mode with rand. IVmessage

PRF F

k

1

CTR mode with PRF

F

ctr

F

ctr

(k

2

,

IV

)

ll

F

ctr

(k2,

IV+1

)

ll

ll

F

ctr

(k

2

,

IV+L

)

IV

k

2

ciphertextSlide24

Thm

: if F is a secure PRF and CTR from Fctr is CPA-secure then SIV-CTR from F, Fctr provides DAE

message

CTR mode with PRF

F

ctr

F

ctr

(k

2

,IV)

ll

F

ctr

(k

2, IV+1)

ll … ll

Fctr

(k2,IV+L)

IV

k

2

ciphertext

PRF F

k

1

if ≠IV output ⊥Slide25

Construction 2: just use a PRPLet (E, D) be a secure PRP. E: K × X ⟶ XThm: (E,D) is sem. sec. under det. CPA

.Proof sketch: let f: X ⟶ X be a truly random invertible func

. in EXP(0) adv. sees: f(m1,0), …, f(m

q,0

) in EXP(1) adv. sees: f(

m

1,1

)

, …, f(m

q

,1)

Using AES

: Det. CPA secure encryption for 16 byte messages.

L

onger messages?? Need PRPs on larger

msg spaces …

q random values in XSlide26

EME: constructing a wide block PRPLet (E, D) be a secure PRP. E: K × {0,1}

n ⟶ {

0,1}nEME: a PRP on {0,1}N for N ⨠ n

Performance:

can be 2x slower then SIV

x

x

x

y



y



y



E

E

E

E

E

E

E

⨁Slide27

PRP-based Det. Authenticated Enc.Goal: det. CPA security and ciphertext integrity ⇒

DAE: deterministic authenticated encryptionEncryption:

Decryption:

message

00000

80

E(k,

)

ciphertext

message

………

D(

k,

)

ciphertext

i

f ≠0

80

output

⊥Slide28

PRP-based Det. Authenticated Enc.Let (E, D) be a secure PRP. E: K × (X×{0,1}n

) ⟶ X×{0,1}n

Thm: 1/2n is negligible ⇒ PRP-based enc. provides DAEProof sketch: suffices to prove ciphertext integrity

Chal.

π⟵Perms

[

X×{0,1

}

n

]

x

1

, … ,

x

q

X

π (x

1

0

n

), …, π(

x

q

0

n

)

c

{

π (x

1

0

n

), …, π(

x

q

0

n) }But then Pr[ LSBn(

π-1

(c)

) = 0

n

]

≤ 1/2

nSlide29

End of SegmentSlide30

Odds and ends

Tweakable

encryption

Online Cryptography Course Dan BonehSlide31

Disk encryption: no expansionSectors on disk are fixed size (e.g. 4KB) ⇒ encryption cannot expand plaintext (i.e. M = C) ⇒ must use deterministic encryption, no integrity

Lemma: if (E, D) is a det. CPA secure cipher with M=C then (E, D) is a PRP.

⇒ every sector will need to be encrypted with a PRPSlide32

Problem: sector 1 and sector 3 may have same contentLeaks same information as ECB modeCan we do better?

s

ector 1sector 2

s

ector 3

PRP(k,

)

PRP(k,

)

PRP(k,

)

s

ector 1

sector 2

s

ector 3Slide33

Avoids previous leakage problem… but attacker can tell if a sector is changed and then revertedManaging keys: the trivial construction kt

= PRF(k, t) , t=1,…,L

sector 1

sector 2

s

ector 3

PRP(

k

1

,

)

PRP(

k

2

,

)

PRP(

k3

, ⋅)

s

ector 1

sector 2

s

ector 3

Can we do better?Slide34

Tweakable block ciphersGoal: construct many PRPs from a key k∈K .

Syntax: E , D : K ×

T × X ⟶ X for every t∈T and k⟵K:

E(k, t, ⋅) is an invertible func

. on X, indist. from randomApplication: use sector number as the tweak

⇒ every sector gets its own independent PRPSlide35

Secure tweakable block ciphersE , D

: K × T × X ⟶ X . For b=0,1 define experiment EXP(b) as:

Def: E is a secure tweakable PRP if for all efficient A: AdvtPRP

[A,E] = |

Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.

Chal.

b

b=1: π

(

Perms[X])

|T|

b

=0:

k

K

,

π[t]

E(

k

,t,)

t

1

, x

1

π[t

1

](x

1

)

b’

 {0,1}

π

t

2

, x

2

t

q

,

x

q

π[t2](x

2) … π[tq]

(

x

q

)Slide36

Example 1: the trivial constructionLet (E,D) be a secure PRP, E: K ×

X ⟶ X . The trivial tweakable construction: (suppose K = X)

Etweak(k, t, x) = E( E(k, t), x

)

⇒ to encrypt n blocks need 2n evals of E(.,.) Slide37

2. the XTS tweakable block cipher [R’04]Let (E,D) be a secure

PRP, E: K × {0,1}

n ⟶ {0,1}n . XTS:

Etweak

( (k1,k2), (

t,i

), x

)

=

N ⟵E(k

2

, t)

x

⇒ to encrypt n blocks need n+1

evals

of E(.,.) Slide38

Is it necessary to encrypt the tweak before using it?That is, is the following a secure tweakable PRP?

x

No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = P(t,1

) ⨁ P(t,2)

No: E(k, (t,1), P(t,2)) ⨁ E(k, (t,2), P(t,1)

)

=

P(t,

1

)

Yes, it is secure

No: E(k, (t,1), P(t,1)

)

⨁ E

(

k, (t,2), P(t,2)

)

= 0 cSlide39

Disk encryption using XTSnote: block-level PRP, not sector-level PRP. Popular in disk encryption products: Mac OS X

-Lion, TrueCrypt, BestCrypt, …

block 1

b

lock 2

b

lock n

s

ector # t:

tweak:

(t,1)

tweak:

(t,2)

tweak:

(

t,n

)Slide40

SummaryUse tweakable encryption when you need many independent PRPs from one keyXTS is more efficient than the trivial construction

Both are narrow block: 16 bytes for AESEME (previous segment) is a tweakable

mode for wide block2x slower than XTSSlide41

End of SegmentSlide42

Odds and ends

Format preserving encryption

Online Cryptography Course Dan BonehSlide43

Encrypting credit card numbers

Goal: end-to-end encryptionIntermediate processors expect to see a credit card number

⇒ encrypted credit card should look like a credit cardCredit card format: bbbb bbnn

nnnn

nnnc ( ≈ 42 bits )

p

rocessor #1

p

rocessor #2

p

rocessor #3

a

cquiring

bank

k

k

POS

terminalSlide44

Format preserving encryption (FPE)This segment: given 0 < s ≤ 2n, build a PRP on {0,…,s-1}

from a secure PRF F:

K × {0,1}n ⟶ {0,1}n (e.g. AES) Then to encrypt a credit card number: (s = total # credit cards)

map given CC# to {0,…,s-1}

apply PRP to get an output in {0,…,s-1}map output back a to CC#Slide45

Step 1: from {0,1}n to {0,1}t

(t<n)

Want PRP on {0,…,s-1} . Let t be such that 2t-1 < s ≤ 2t .Method:

Luby-Rackoff with F’:

K × {0,1}t/2 ⟶ {0,1}

t/2

(truncate F)

R

3

L

3

R

0

L

0

input

R

1

L

1

F’(k

1

,⋅)

R

2

L

2

F’(k

2

,⋅)

F’(k

3

,⋅)

output

t/2 bits

t/2 bits

(better to use 7

rounds a la

Patarin

, Crypto’03)Slide46

Step 2: from {0,1}t to {0,…,s-1}

Given PRP (E,D): K × {0,1}t ⟶ {0,1}

t

we build (E’,D’): K × {0,…,s-1} ⟶ {

0,…,s-1}

E’(k, x): on input x ∈ {0,…,s-1} do:

y

⟵x;

do { y ⟵ E(k, y) } until y∈ {0,…,s-1}; output y

{0,…,s-1}

{0,1}

t

Expected # iterations: 2Slide47

Intuition: ∀sets Y ⊆ X, applying the transformation to a random perm.

π: X⟶ X gives a random perm. π':

Y ⟶ Y

Step 1: same security as Luby-Rackoff constructionnote: no integrity

(actually using analysis of

Patarin

, Crypto’03)Slide48

Further readingCryptographic Extraction and Key Derivation: The HKDF Scheme.

H. Krawczyk, Crypto 2010

Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem. P. Rogaway

, T. Shrimption

, Eurocrypt 2006A Parallelizable Enciphering Mode.

S.

Halevi

, P.

Rogaway

, CT-RSA 2004

Efficient Instantiations of Tweakable

Blockciphers and Refinements to Modes OCB and PMAC. P.

Rogaway

,

Asiacrypt

2004

How to Encipher Messages on a Small Domain:

Deterministic Encryption and the Thorp Shuffle. B.

Morris, P. Rogaway, T. Stegers

, Crypto 2009Slide49

End of Segment

Shom More.... By: jane-oiler
Views: 31
Type: Public