DOCSLIB.ORG

1.1 Authenticated Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
1.1 Authenticated Encryption UC San Diego UC San Diego Electronic Theses and Dissertations Title Authenticated encryption in practice : generalized composition methods and the Secure Shell, CWC, and WinZip schemes Permalink https://escholarship.org/uc/item/7tz0v522 Author Kohno, Tadayoshi Publication Date 2006 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITY OF CALIFORNIA, SAN DIEGO Authenticated Encryption in Practice: Generalized Composition Methods and the Secure Shell, CWC, and WinZip Schemes A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Computer Science by Tadayoshi Kohno Committee in charge: Professor Mihir Bellare, Chair Professor Rene Cruz Professor Bill Lin Professor Daniele Micciancio Professor Stefan Savage 2006 Copyright Tadayoshi Kohno, 2006 All rights reserved. The dissertation of Tadayoshi Kohno is approved, and it is acceptable in quality and form for publication on microfilm: Chair University of California, San Diego 2006 iii To Taryn and Seth Kohno. iv TABLE OF CONTENTS Signature Page . iii Dedication . iv Table of Contents . v List of Figures . viii List of Tables . viii Acknowledgments . ix Vita and Publications . xiii Abstract . xvi 1 Introduction . 1 1.1 Authenticated Encryption . 1 1.2 Provable Security . 3 1.3 The Secure Shell Protocol and Composition-Based Authenticated En- cryption Schemes . 4 1.4 The CWC Authenticated Encryption Scheme . 5 1.5 The WinZip Authenticated Encryption Scheme . 6 2 Background . 8 2.1 Notation . 8 2.2 Pseudorandom Functions . 9 2.3 Pseudorandom Permutations (Block Ciphers) . 9 2.4 Symmetric Encryption . 11 2.5 Message Authentication . 14 2.6 Authenticated Encryption . 16 2.6.1 Relations Between Notions . 18 2.6.2 Definitional Variations . 19 2.6.3 Generic Composition . 19 2.6.4 Encryption with Redundancy . 22 2.6.5 Encode-then-Encipher . 24 2.6.6 Block Cipher-Based Constructions . 27 3 The Secure Shell Authenticated Encryption Scheme . 29 3.1 Overview . 30 3.2 The SSH Binary Packet Protocol (SSH BPP) . 33 3.3 Attacking the Standard Implementation of SSH . 35 v 3.4 Attacking a Natural “Fix” . 36 3.5 Secure Fixes to SSH . 41 3.6 Definitions and the Encode-then-E&M Paradigm . 43 3.7 General Security Results for the Encode-then-E&M Paradigm . 52 3.7.1 Chosen-Plaintext Privacy . 53 3.7.2 Integrity of Plaintexts . 53 3.7.3 Proof of Theorem 3.7.1 . 55 3.8 SSH Security Results . 61 3.8.1 Collision-Resistance of the SSH Encoding Scheme . 62 3.8.2 Integrity and Privacy of Our Recommendations . 64 3.9 Discussion and Recommendations . 68 4 Generalized Composition Methods for Authenticated Encryption . 74 4.1 Authenticated Encryption with Associated Data . 77 4.1.1 Syntax . 78 4.1.2 Consistency and Security . 78 4.2 Building Blocks . 88 4.2.1 Encryption Schemes . 88 4.2.2 Message Authentication Schemes . 89 4.3 Encoding Schemes . 92 4.3.1 Overview . 92 4.3.2 Syntax, Consistency, and Security . 94 4.4 Composition Methods . 105 4.5 Generalized Encode-then-E&M Security . 108 4.5.1 Privacy . 108 4.5.2 Integrity . 109 4.6 Generalized Encode-then-MtE Security . 115 4.6.1 Privacy . 115 4.6.2 Integrity . 116 4.7 Generalized Encode-then-EtM Security . 118 4.7.1 Privacy . 118 4.7.2 Integrity . 119 5 The CWC Authenticated Encryption Scheme . 122 5.1 Overview . 123 5.2 Preliminaries . 127 5.3 Specification . 129 5.4 Theorem Statements . 131 5.4.1 Privacy . 131 5.4.2 Integrity . 133 5.5 Design Decisions . 134 5.6 Performance . 142 5.7 Security Proofs . 147 5.7.1 More Definitions . 147 vi 5.7.2 The General CWC Construction . 149 5.7.3 Security of the General CWC Construction . 151 5.7.4 Proofs of Theorem 5.4.1 and Theorem 5.4.2 . 152 5.7.5 Proof of Lemma 5.7.2 . 154 5.7.6 Proof of Lemma 5.7.3 . 162 6 The WinZip Authenticated Encryption Scheme . 164 6.1 Overview . 165 6.2 The WinZip Compression and Encryption Method . 175 6.3 Information Leakage . 178 6.4 Exploiting the Interaction Between Compression and Encryption . 179 6.5 Exploiting the Association of Applications to Filenames . 181 6.6 Exploiting the Interaction Between AE-1 and AE-2 . 181 6.7 Attacking Zip Encryption at the File Level . 183 6.8 Keystream Reuse . 185 6.9 Dictionary Attacks . 185 6.10 Fixes . 186 Bibliography . 194 vii LIST OF FIGURES 3.1 The SSH authenticated encryption scheme. 34 3.2 The SSH encoding scheme EC = (Encode, Decode) for l-bit blocks, where l ≡ 0 (mod 8) and 64 ≤ l ≤ 252 · 8............... 62 4.1 The generalized Encode-then-E&M paradigm. 75 4.2 The generalized Encode-then-MtE paradigm. 75 4.3 The generalized Encode-then-EtM paradigm. 76 LIST OF TABLES 5.1 Software performance in clocks per byte for CWC-AES, CCM-AES, and EAX-AES on a Pentium III. Values are averaged over 50 000 sam- ples. 125 viii ACKNOWLEDGMENTS ACADEMIC COLLABORATORS AND FRIENDS. I thank my fantastic advisor, Mihir Bel- lare, for all the wonderful advice and guidance that he has given me over the years. I truly believe that I would not be who I am now if it were not for him. I am indebted to Stefan Savage for all of his generosity and guidance and for helping me find my “dream job.” I thank Avi Rubin for his continual mentoring and constant generosity both professionally and socially. I thank Sid Karin and Dan Wallach for all their help and advice and for watching over my graduate career. I thank my summer mentors and past supervisors, kc claffy, David Conrad, Mark McGovern, Gary McGraw, Fabian Monrose, Bruce Schneier, David Wagner, Tammy Welcome, and Phil Winterbottom. I thank Rene Cruz, Bill Lin, and Daniele Micciancio for overseeing this dissertation. I thank Hal Gabow and Evi Nemeth for overseeing my undergraduate career. In addition to Mihir Bellare, I thank John Black, Chanathip Namprempre, Adriana Palacio, John Viega, and Doug Whiting for co-authoring with me some of the material that appears in this dissertation. I also thank all my other co-authors and collaborators, Michel Abdalla, J. T. Bloch, Andre Broido, Dario Catalano, Niels Ferguson, Kevin Fu, Chris Hall, Tetsu Iwata, Seny Kamara, John Kelsey, Eike Kiltz, Lars Knudsen, Tanja Lange, Stefan Lucks, John Malone-Lee, David Molnar, Gregory Neven, Pascal Paillier, Bruce Potter, Naveen Sastry, Haixia Shi, Mike Stay, and Adam Stubblefield. I thank Emile Aben, Dan Andersen, Matt Bishop, Alexandra Boldyreva, Dan Brown, Cindy Cohn, Don Coppersmith, Frank Dabek, David Dill, Morris Dworkin, Hal Finney, Michael Freedman, Beth Friedman, Patricia Gabow, Brian Gladman, Philippe Golle, Bill Griswold, Peter Gutmann, Stuart Haber, Susan Hohenberger, Tim Hollebeek, Young Hyun, Russell Impagliazzo, David Jefferson, Rob Johnson, Frans Kaashoek, Chris Karlof, Ulrich Kuehn, Mahesh Kallahalla, David Mazieres,` David McGrew, David Moore, Badri Natarajan, Bart Preneel, Christian Rechberger, Mike Reiter, Ron Rivest, Phil Rogaway, Felix Schleer, Rich Schroeppel, Jason Schultz, Umesh Shankar, Colleen Shannon, abhi shelat, Tsutomu Shimomura, Emil Sit, Nigel Smart, Bill Sommerfeld, ix Alex Snoeren, Jeremy Stribling, Ram Swaminathan, Win Treese, Darryl Veitch, Tracy Volz, Brendan White, Richard Wiebe, Michael Wiener, Pat Wilson, Matt Zimmerman, and Robert Zuccherato for commenting on my papers and contributing to my research. I thank Phil Zimmermann for introducing me to modern applied cryptography. I addition- ally thank Josh Benaloh, Brad Calder, Trent Jaeger, Patrick McDaniel, Dave Schroeder, Dan Simon, Hiroyuki Tanabe, Geoff Voelker, and Bennet Yee for all their contributions to my career. I thank all the other members of the UCSD cryptography and security group, including Jee Hea An, Marc Fischlin, Alejandro Hevia, Matt Hohlfeld, Anton Mityagin, Saurabh Panjwani, Barath Raghavan, Tom Ristenpart, Sarah Shoup, Bogdan Warinschi, and Scott Yilek. I am grateful for all the help from Julie Conner and Kathy Reed and rest of the UCSD CSE staff, and Steve Hopper and the rest CSEHelp. I thank everyone else that I have had contact with academically and socially. FAMILY. I am deeply grateful for all that my wife Taryn and son Seth have contributed to all aspects of my life. I could mention a few things, like Taryn always putting my education and career before herself, but I honestly do not believe that any summary of their contributions will do them justice. Indeed, in any short summary I would be forced to exclude many of their critical contributions and sacrifices. I have always had an interest in the maths and sciences, and for that I thank my family, and in particular my parents, Tadahiko and Beth. I thank my parents for also end- lessly investing in my education, including the many computers and electronic equip- ment that they purchased for me as a child and the many hours that they spent shuttling me back and forth between Fairview and CU. FUNDING AND SUPPORT. My graduate research was supported in part by a National Defense Science and Engineering Graduate Fellowship, an IBM Ph.D. Fellowship, the SciDAC program of the US Department of Energy (award DE-FC02-01ER25466), and NSF grants ANR-0129617, CCR-0093337, and CCR-0208842. I thank the Usenix As- sociation for a Student Grant supporting my work on SSH. I thank The Johns Hopkins University Information Security Institute (Avi Rubin and Fabian Monrose) for hosting me the summer of 2003, the Cooperative Association for Internet Data Analysis (kc x claffy) for hosting me the summer of 2004, and the University of California at Berkeley (David Wagner) for hosting me the summer of 2005. PAPERS INCLUDED IN THIS DISSERTATION.
Load more

Recommended publications
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Authenticated Encryption for Memory Constrained Devices
    Authenticated Encryption for Memory Constrained Devices By Megha Agrawal A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy in Computer Science & Engineering to the Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi) Supervisors: Dr. Donghoon Chang (IIIT Delhi) Dr. Somitra Sanadhya (IIT Jodhpur) September 2020 Certificate This is to certify that the thesis titled - \Authenticated Encryption for Memory Constrained Devices" being submitted by Megha Agrawal to Indraprastha Institute of Information Technology, Delhi, for the award of the degree of Doctor of Philosophy, is an original research work carried out by her under our supervision. In our opinion, the thesis has reached the standards fulfilling the requirements of the regulations relating to the degree. The results contained in this thesis have not been submitted in part or full to any other university or institute for the award of any degree/diploma. Dr. Donghoon Chang September, 2020 Department of Computer Science Indraprastha Institute of Information Technology, Delhi New Delhi, 110020 ii To my family Acknowledgments Firstly, I would like to express my sincere gratitude to my advisor Dr. Donghoon Chang for the continuous support of my Ph.D study and related research, for his patience, motivation, and immense knowledge. His guidance helped me in all the time of research and writing of this thesis. I could not have imagined having a better advisor and mentor for my Ph.D study. I also express my sincere gratitude to my esteemed co-advisor, Dr. Somitra Sanadhya, who has helped me immensely throughout my Ph.D. life. I thank my fellow labmates for the stimulating discussions, and for all the fun we have had in during these years.
    [Show full text]
  • How to Enhance the Security of the 3GPP Confidentiality and Integrity
    How to Enhance the Security of the 3GPP Confidentiality and Integrity Algorithms Tetsu Iwata and Kaoru Kurosawa Dept. of Computer and Information Sciences, Ibaraki University 4–12–1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata, kurosawa}@cis.ibaraki.ac.jp Abstract. We consider the 3GPP confidentiality and integrity schemes that were adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9, where f9 is a generalized version of f9, it was shown that these proofs are incorrect; it is impossible to prove f8 and f9 secure under the standard PRP assumption on the underlying block cipher. Following the results, it was shown that it is possible to prove f8 and f9 secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8 is a generalized version of f8. Needless to say, the assumptions here are stronger than the standard PRP assumptions, and it is natural to seek a practical way to modify f8 and f9 to establish security proofs under the standard PRP assumption. In this paper, we propose f8+ and f9+, slightly mod- ified versions of f8 and f9, but they allow proofs of security under the standard PRP assumption. Our results are practical in the sense that we insist on the minimal modifications; f8+ is obtained from f8 by setting the key modifier to all-zero, and f9+ is obtained from f9 by setting the key modifier to all-zero, and using the encryptions of two constants in the CBC MAC computation.
    [Show full text]
  • GCM) of Operation
    The Security and Performance of the Galois/Counter Mode (GCM) of Operation David A. McGrew† and John Viega‡ † Cisco Systems, Inc., [email protected] ‡ Secure Software [email protected] Abstract. The recently introduced Galois/Counter Mode (GCM) of op- eration for block ciphers provides both encryption and message authenti- cation, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these fea- tures are used. We also consider several of its important system-security aspects. 1 Introduction The Galois/Counter Mode (GCM) of operation for block ciphers was designed to meet the need for an authenticated encryption mode that can efficiently achieve speeds of 10 gigabits per second and higher in hardware, can perform well in software, and is free of intellectual property restrictions. It was recently submit- ted to several standards venues, including the NIST Modes of Operation process [18], IEEE 802.1AE Link Security [21], where it is the mandatory-to-implement cryptoalgorithm in the current draft standard, and IPsec [24]. In the following, we consider its performance and security.
    [Show full text]
  • Random Key Chaining (RKC): AES Mode of Operation
    International Journal of Applied Information Systems (IJAIS) – ISSN : 2249-0868 Foundation of Computer Science FCS, New York, USA Volume 1– No.5, February 2012 – www.ijais.org Random Key Chaining (RKC): AES Mode of Operation Puneet Kumar Kaushal Rajeev Sobti Dr. G. Geetha Lovely Professional Lovely Professional Lovely Professional University University University Jalandhar-Delhi G.T. Road Jalandhar-Delhi G.T. Road Jalandhar-Delhi G.T. Road Phagwara, Punjab (India) Phagwara, Punjab (India) Phagwara, Punjab (India) application of block cipher due to additional post processing ABSTRACT [12] There is a compelling need for a mode of operation that can step . This additional delay would certainly impact its efficiently provide authenticated encryption at a higher data performance on short packets or frames. This leaves behind CWC mode for high speed implementation.Rogaway et al. in rate, and is capable of making use of pipelining and parallel [13] processing. This paper describes Random Key Chaining his paper described software performance of authenticated- encryption modes (CCM, GCM &different version ofOCB) (RKC) block cipher mode of operation that fills this need. [14] RKC mode makes use of Deterministic Random Bit across variety of platform, and OCB was found to be faster Generator (DRBG) andwith the application of DRBG every than other modes. However,OCB is covered with multiple block of plaintext is being encrypted with a different key intellectual property claims. bringing it closer to one-time pad approach. The slight Random Key Chaining (RKC) block cipher mode is designed variation of RKC mode can be used as a confidentiality mode to provide both data authenticity and confidentiality.
    [Show full text]
  • Side Channel Analyses of CBC Mode Encryption
    Side Channel Analyses of CBC Mode Encryption Arnold K. L. Yau Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2009 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson and Professor Chris J. Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathematics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Arnold K. L. Yau 2 Acknowledgements It was my great fortune to have met my supervisor Kenny Paterson during my undergrad- uate studies, who introduced to me the fascinating world of cryptography and security, and who subsequently encouraged me to pursue a doctorate in the subject. Over the course of my studies, his guidance, patience and encouragement have been invaluable and indeed indispensable. His uncompromising pursuit of conducting quality and thorough research has not only helped me to develop as a researcher, but has also taken the result of our research much further than I had anticipated. His depth and breath of knowledge in information security has been inspirational and influential for my career development. I wish to express my deepest gratitude to Kenny. I am also grateful to my academic advisor Chris Mitchell whose knowledge and expe- rience in international standards have given me a level of access to the standardisation process that would otherwise have been unavailable.
    [Show full text]
  • Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm
    Rochester Institute of Technology RIT Scholar Works Theses 8-2014 Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm Matthew Joseph Kelly Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Kelly, Matthew Joseph, "Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm" (2014). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm by Matthew Joseph Kelly A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Engineering Supervised by Alan Kaminsky Department of Computer Science & Marcin Łukowiak Department of Computer Engineering Kate Gleason College of Engineering Rochester Institute of Technology Rochester, New York August 2014 ii The thesis “Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm” by Matthew Joseph Kelly has been examined and approved by the following Examination Commit- tee: Alan Kaminsky Professor, Department of Computer Science Primary Advisor Marcin Łukowiak Associate Professor, Department of Computer Engineering Primary Advisor Michael Kurdziel Harris Corporation Reza Azarderakhsh Assistant Professor, Department of Computer Engineering Thesis Release Permission Form Rochester Institute of Technology Kate Gleason College of Engineering Title: Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm I, Matthew Joseph Kelly, hereby grant permission to the Wallace Memorial Library to reproduce my thesis in whole or part. Matthew Joseph Kelly Date iv Dedication To my parents, Donna and Martin.
    [Show full text]
  • Comments on CWC and GCM Modes for Authenticated Encryption Dana Neustadter, Michael Bowler, Tom St
    Comments on CWC and GCM Modes for Authenticated Encryption Dana Neustadter, Michael Bowler, Tom St. Denis, Mike Borza* June 1, 2005 Carter-Wegman + Counter mode and Galois Counter Mode are authenticated encryption modes intended to provide secure scalable high-speed encryption and authentication functions. This commentary is made primarily from a hardware-centric point of view, which the authors feel is appropriate given the objective of achieving high speed operation. At the highest levels of performance, hardware implementations are required as they achieve orders of magnitude improvement in power and area efficiency compared with software. While the modes could conceivably make use of any 128-bit block cipher, this commentary is made specifically in the context of AES. In current standard ASIC technologies, a single core implementation is capable of performance to beyond 50 Gbps. More aggressive fully custom implementations will be capable of higher performance still. This performance will continue to scale up as integrated circuit fabrication technology progresses. Owing to block-to-block independence in both modes it is possible to achieve linearly scalable performance gains by processing data in parallel across multiple identical blocks. As a result it is feasible to contemplate multi-hundreds gigabits per second implementations at this writing. While both CWC and GCM modes achieve the same goals, if a single mode is to be preferred these authors favor adoption of GCM. There are a variety of commercial and technical reasons for this position as outlined below. 1. The authors of both modes assert no claims to IP rights through implementation and use of the respective modes and likewise know of no infringement of IP rights of others.
    [Show full text]
  • Algorithms, Key Size and Parameters Report – 2014
    Algorithms, key size and parameters report – 2014 November, 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Algorithms, key size and parameters report – 2014 November, 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors Contributors to this report: This work was commissioned by ENISA under contract ENISA D-COD-14-TO9 (under F-COD-13-C23) to the consortium formed by K.U.Leuven (BE) and University of Bristol (UK). Contributors: Nigel P. Smart (University of Bristol), Vincent Rijmen (KU Leuven), Benedikt Gierlichs (KU Leuven), Kenneth G. Paterson (Royal Holloway, University of London), Martijn Stam (University of Bristol), Bogdan Warinschi (University of Bristol), Gaven Watson (University of Bristol). Editor: Nigel P. Smart (University of Bristol). ENISA Project Manager: Rodica Tirtea. Agreements of Acknowledgements We would like to extend our gratitude to: External Reviewers: Michel Abdalla (ENS Paris), Kenneth G. Paterson (Royal Holloway, University of London), Ahmad-Reza Sadeghi (T.U.
    [Show full text]
  • Authenticated Encryption 1 Introduction
    Authenticated Encryption J. Black ∗ November 12, 2003 1 Introduction Often when two parties communicate over a network, they have two main security goals: privacy and authentication. In fact, there is compelling evidence that one should never use encryption without also providing authentication [8, 14]. Many solutions for the privacy and authentication problems have existed for decades, and the traditional approach to solving both simultaneously has been to combine them in a straightforward manner using so-called “generic composition.” However, recently there have been a number of new constructions which achieve both privacy and authenticity simultaneously, often much faster than any solution which uses generic composition. In this article we will explore the various approaches to achieving both privacy and authenticity, the so-called “Authenticated Encryption” problem. We will often abbreviate this as simply “AE.” We will start with generic composition methods and then explore the newer combined methods. Background. Throughout this article we will consider the AE problem in the “symmetric-key model.” This means that we assume our two communicating parties, traditionally called “Alice” and “Bob,” share a copy of some bit-string K, called the “key.” This key is typically chosen at random and then distributed to Alice and Bob via one of various methods. This is the starting point for our work. We now wish to provide Alice and Bob with an AE algorithm such that Alice can select a message M from a pre-defined message-space, process it with the AE algorithm along with the key (and possibly a “nonce” N–a counter or random value), and then send the resulting output to Bob.
    [Show full text]
  • E-Macs: Towards More Secure and More Efficient Constructions of Secure Channels Basel Alomair, Member, IEEE, and Radha Poovendran, Senior Member, IEEE
    1 E-MACs: Towards More Secure and More Efficient Constructions of Secure Channels Basel Alomair, Member, IEEE, and Radha Poovendran, Senior Member, IEEE Abstract—In cryptography, secure channels enable the confidential and authenticated message exchange between authorized users. A generic approach of constructing such channels is by combining an encryption primitive with an authentication primitive (MAC). In this work, we introduce the design of a new cryptographic primitive to be used in the construction of secure channels. Instead of using general purpose MACs, we propose the deployment of special purpose MACs, named E-MACs. The main motivation behind this work is the observation that, since the message must be both encrypted and authenticated, there might be some redundancy in the computations performed by the two primitives. Therefore, removing such redundancy can improve the efficiency of the overall composition. Moreover, computations performed by the encryption algorithm can be further utilized to improve the security of the authentication algorithm. In particular, we will show how E-MACs can be designed to reduce the amount of computation required by standard MACs based on universal hash functions, and show how E-MACs can be secured against key-recovery attacks. Index Terms—Confidentiality, authenticity, message authentication code (MAC), authenticated encryption, universal hash families F 1 INTRODUCTION most important, generic compositions can lead to faster There are two main approaches for the construction of implementations of authenticated encryption when fast secure channels in cryptography: a dedicated approach encryption algorithms, such as stream ciphers, are com- and a generic approach. In the dedicated approach, a bined with fast MACs, such as universal hash functions cryptographic primitive is designed to achieve authen- based MACs [13].
    [Show full text]
  • Combining Message Encryption and Authentication
    CORE brought to you by Pobrane z czasopisma Annales AI- Informatica http://ai.annales.umcs.pl Data: 04/08/2020 20:53:49 View metadata, citation and similar papers at core.ac.uk Annales UMCS Informatica AI XI, 2 (2011) 61–79 DOI: 10.2478/v10065-011-0010-y Combining message encryption and authentication ∗ Wojciech Oszywa , Rafal Gliwa† Military Communication Institute, 05-130 Zegrze, Poland Abstract The first part of the paper explains the need for combining message encryption and authen- tication. We begin with the example to emphasize the fact that privacy‡ does not imply authenticity. Then we prove, one needs both privacy and authenticity, even if one’s aim is just getting privacy. In theUMCS second part we present an overview of different methods for provid- ing authenticated encryption (AE) i.e. generic compositions, single-pass modes and two-pass combined modes. We analyze what are the advantages and disadvantages of different AE constructions. In the third part of the paper we focus on nonce§ based authenticated encryp- tion modes. Our motivation is the wish to know the methodology of designing authenticated encryption mode of operation. We take into consideration a few most important properties, e.g. parallelizability, memory requirements and pre-processing capability. We analyze possi- bilities of choice of underlying encryption and authentication components and their order in a message we also try to answer. What does single-key mode really mean? Finally we mention the importance of provable security theory in the security of authenticated encryption modes. ∗E-mail address: [email protected] †E-mail address: [email protected] ‡The terms ’privacy’ and ’confidentiality’ are used interchangeably, as defined in [1] §Nonce (N) - a number used only once within a specified context.
    [Show full text]