Nist Sp 800-56C

Total Page:16

File Type:pdf, Size:1020Kb

Nist Sp 800-56C Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-56C Title: Recommendation for Key Derivation through Extraction-then-Expansion Publication Date(s): November 2011 Withdrawal Date: April 16, 2018 Withdrawal Note: SP 800-56C is superseded in its entirety by the publication of SP 800-56C Rev. 1. Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-56C Rev. 1 Title: Recommendation for Key Derivation through Extraction-then-Expansion Author(s): Elaine Barker; Lily Chen; Richard Davis Publication Date(s): April 2018 URL/DOI: https://doi.org/10.6028/NIST.SP.800-56Cr1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Laboratory) Latest revision of the attached publication: Related information: https://csrc.nist.gov/Projects/Key-Management/Key-Establishment https://csrc.nist.gov/publications/detail/sp/800-56C/rev-1/final Withdrawal N/A announcement (link): Date updated: Ɖƌŝůϭϲ͕ϮϬϭϴ NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y November 2011 U.S. Department of Commerce John E. Bryson, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary for Standards and Technology and Director SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Abstract This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure. KEY WORDS: key derivation, extraction, expansion 2 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Acknowledgements The author, Lily Chen of the National Institute of Standards and Technology (NIST), would like to acknowledge the authors, Yevgeniy Dodis, Rosario Gennros, Johan Håstad, Hugo Krawczyk, and Tal Rabin, of Crypto 2004 paper titled “Randomness extraction and key derivation using CBC, cascade and HMAC modes [12]” for formalizing the idea of extraction-then-expansion key derivation. Especially, the author would like to acknowledge Hugo Krawczyk for introducing the instantiation of extraction-then- expansion with HMAC as presented in [10] and [11]. The author like to thank her colleagues, Elaine Barker, Quynh Dang, Sharon Keller, John Kelsey, Allen Roginsky, Meltem Sonmez Turan, and Tim Polk of NIST, Miles Smid of Orion Security Solutions, and Rich Davis of the National Security Agency, for helpful discussions and valuable comments. The author gratefully appreciates the thoughtful and instructive comments received during the public comment periods, which helped to improve the quality of this publication. 3 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Authority This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This Recommendation has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this Recommendation should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. Conformance testing for implementations of this Recommendation will be conducted within the framework of the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP). The requirements of this Recommendation are indicated by the word “shall”. Some of these requirements may be out-of-scope for CAVP and CMVP validation testing, and thus are the responsibility of entities using, implementing, installing, or configuring applications that incorporate this Recommendation. 4 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Table of Contents 1. Introduction ....................................................................................... 6 2. Scope and Purpose............................................................................. 6 3. Definitions, Symbols and Abbreviations........................................... 6 3.1 Definitions................................................................................................ 6 3.2 Symbols and Abbreviations ..................................................................... 8 4. Outline of Extraction-then-Expansion Key Derivation..................... 9 5. Randomness Extraction..................................................................... 9 6. Key Expansion................................................................................. 13 7. Summary and Discussion ................................................................ 14 Appendix A: References .............................................................................. 16 Appendix B: Conformance to “Non-testable” Requirements ...................... 17 Figures Figure 1: Extraction-then-Expansion Procedure.................................................................9 5 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion 1. Introduction During an execution of some of the public-key-based key establishment schemes specified in NIST Special Publications 800-56A [1] and 800-56B [2], a key derivation method is used to obtain secret cryptographic keying material. This Recommendation specifies an alternative key derivation method to be used in a key establishment scheme specified in 800-56A and 800-56B. 2. Scope and Purpose This Recommendation specifies a two-step key derivation procedure, as one of the approved key derivation methods, that employs an extraction-then-expansion technique for deriving keying material from a shared secret generated during a key establishment scheme specified in [1] or [2]. Several application-specific key derivation functions that use approved variants of this extraction-then-expansion procedure are described in NIST Special Publication 800-135 [5]. The key derivation procedure specified in this Recommendation consists of two steps: 1) randomness extraction (to obtain a single key derivation key) and 2) key expansion (to derive keying material with a desired length from the key derivation key). Since NIST Special Publication 800-108 [4] specifies several families of key derivation functions that are approved for deriving additional keying material from a given cryptographic key derivation key, those functions are employed in the second (key expansion) step of the procedure. 3. Definitions, Symbols and Abbreviations 3.1 Definitions Approved FIPS approved or NIST Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST-approved security functions. Hash function A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are designed to satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output. Approved hash functions are specified in FIPS 180 [9]. 6 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Key derivation A process that derives keying material from a key or a shared secret. Key derivation A key that is used as input to the key expansion step to derive other key keys. In this Recommendation, the key derivation key is obtained by performing randomness extraction on a shared secret. Key A procedure that results in generating shared keying material among establishment different parties. Key expansion The second step in the key derivation procedure specified in this Recommendation to derive keying material with the desired length. Keying material A binary string, such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys and secret parameters, such as initialization vectors. Message A family of cryptographic algorithms that is parameterized by a authentication symmetric key. Each of
Recommended publications
  • Key Derivation Functions and Their GPU Implementation
    MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs).
    [Show full text]
  • The Double Ratchet Algorithm
    The Double Ratchet Algorithm Trevor Perrin (editor) Moxie Marlinspike Revision 1, 2016-11-20 Contents 1. Introduction 3 2. Overview 3 2.1. KDF chains . 3 2.2. Symmetric-key ratchet . 5 2.3. Diffie-Hellman ratchet . 6 2.4. Double Ratchet . 13 2.6. Out-of-order messages . 17 3. Double Ratchet 18 3.1. External functions . 18 3.2. State variables . 19 3.3. Initialization . 19 3.4. Encrypting messages . 20 3.5. Decrypting messages . 20 4. Double Ratchet with header encryption 22 4.1. Overview . 22 4.2. External functions . 26 4.3. State variables . 26 4.4. Initialization . 26 4.5. Encrypting messages . 27 4.6. Decrypting messages . 28 5. Implementation considerations 29 5.1. Integration with X3DH . 29 5.2. Recommended cryptographic algorithms . 30 6. Security considerations 31 6.1. Secure deletion . 31 6.2. Recovery from compromise . 31 6.3. Cryptanalysis and ratchet public keys . 31 1 6.4. Deletion of skipped message keys . 32 6.5. Deferring new ratchet key generation . 32 6.6. Truncating authentication tags . 32 6.7. Implementation fingerprinting . 32 7. IPR 33 8. Acknowledgements 33 9. References 33 2 1. Introduction The Double Ratchet algorithm is used by two parties to exchange encrypted messages based on a shared secret key. Typically the parties will use some key agreement protocol (such as X3DH [1]) to agree on the shared secret key. Following this, the parties will use the Double Ratchet to send and receive encrypted messages. The parties derive new keys for every Double Ratchet message so that earlier keys cannot be calculated from later ones.
    [Show full text]
  • TMF: Asymmetric Cryptography Security Layer V1.0
    GlobalPlatform Device Technology TMF: Asymmetric Cryptography Security Layer Version 1.0 Public Release March 2017 Document Reference: GPD_SPE_122 Copyright 2013-2017 GlobalPlatform, Inc. All Rights Reserved. Recipients of this document are invited to submit, with their comments, notification of any relevant patents or other intellectual property rights (collectively, “IPR”) of which they may be aware which might be necessarily infringed by the implementation of the specification or other work product set forth in this document, and to provide supporting documentation. The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited. TMF: Asymmetric Cryptography Security Layer – Public Release v1.0 THIS SPECIFICATION OR OTHER WORK PRODUCT IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NON-INFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY IMPLEMENTATION OF THIS SPECIFICATION OR OTHER WORK PRODUCT SHALL BE MADE ENTIRELY AT THE IMPLEMENTER’S OWN RISK, AND NEITHER THE COMPANY, NOR ANY OF ITS MEMBERS OR SUBMITTERS, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER DIRECTLY OR INDIRECTLY ARISING FROM THE IMPLEMENTATION OF THIS SPECIFICATION OR OTHER WORK PRODUCT. Copyright 2013-2017 GlobalPlatform, Inc. All Rights Reserved. The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited. TMF: Asymmetric Cryptography Security Layer – Public Release v1.0 3 / 38 Contents 1 Introduction ...........................................................................................................................
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • CSE 291-I: Applied Cryptography
    CSE 291-I: Applied Cryptography Nadia Heninger UCSD Fall 2020 Lecture 7 Legal Notice The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements 1. HW 3 is due next Tuesday. 2. HW 4 is online, due before class in 1.5 weeks, November 3. Last time: Hash functions This time: Hash-based MACs, authenticated encryption Constructing a MAC from a hash function Recall: Collision-resistant hash function: Unkeyed function • H : 0, 1 0, 1 n hard to find inputs mapping to same { }⇤ !{ } output. MAC: Keyed function Mac (m)=t,hardforadversaryto • k construct valid (m, t) pair. functor alone not- MAC : anyone can (m Hcm)) Hash forge , No secrets . Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. Ok, but vulnerable to offline collision-finding attacks against H. Ok, but nobody uses. Secure, similar to HMAC. Candidate MAC constructions Mac(k, m)=H(k m) • || Mac(k, m)=H(m k) • || Mac(k, m)=H(k m k) • || || Mac(k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Ok, but vulnerable to offline collision-finding attacks against H. Ok, but nobody uses. Secure, similar to HMAC. Candidate MAC constructions Mac(k, m)=H(k m) • || Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. Mac(k, m)=H(m k) • || Mac(k, m)=H(k m k) • || || Mac(k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Ok, but nobody uses. Secure, similar to HMAC.
    [Show full text]
  • Cryptographic Extraction and Key Derivation: the HKDF Scheme
    Cryptographic Extraction and Key Derivation: The HKDF Scheme Hugo Krawczyk∗ Abstract In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multi-purpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security which we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario. Beyond the theoretical interest in modeling KDFs, this work is intended to address two important and timely needs of cryptographic applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function. (The HMAC-based scheme presented here, named HKDF, is being standardized by the IETF.) ∗IBM T.J.
    [Show full text]
  • Pycryptodome Documentation Release 3.10.4
    PyCryptodome Documentation Release 3.10.4 Legrandin Sep 24, 2021 Contents 1 PyCryptodome 3 2 Features 5 3 Installation 9 3.1 Compiling in Linux Ubuntu.......................................9 3.2 Compiling in Linux Fedora....................................... 10 3.3 Windows (from sources, Python 2.7).................................. 10 3.4 Windows (from sources, Python 3.5 and newer)............................. 11 3.5 Documentation.............................................. 12 3.6 PGP verification............................................. 12 4 Compatibility with PyCrypto 15 5 API documentation 17 5.1 Crypto.Cipher package....................................... 17 5.1.1 Introduction........................................... 17 5.1.2 API principles.......................................... 17 5.1.3 Symmetric ciphers....................................... 18 5.1.4 Legacy ciphers......................................... 34 5.2 Crypto.Signature package..................................... 34 5.2.1 Signing a message....................................... 34 5.2.2 Verifying a signature...................................... 35 5.2.3 Available mechanisms..................................... 35 5.3 Crypto.Hash package......................................... 35 5.3.1 API principles.......................................... 35 5.3.2 Attributes of hash objects.................................... 37 5.3.3 Modern hash algorithms.................................... 37 5.3.4 Extensible-Output Functions (XOF).............................. 38 5.3.5
    [Show full text]
  • Recommendation for Key Derivation Through Extraction-Then-Expansion
    NIST Special Publication 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Lily Chen Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y November 2011 U.S. Department of Commerce John E. Bryson, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary for Standards and Technology and Director SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Abstract This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure. KEY WORDS: key derivation, extraction, expansion 2 SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion Acknowledgements The author, Lily Chen of the National Institute of Standards and Technology (NIST), would like to acknowledge the authors, Yevgeniy Dodis, Rosario Gennros, Johan Håstad, Hugo Krawczyk, and Tal Rabin, of Crypto 2004 paper titled “Randomness extraction and key derivation using CBC, cascade and HMAC modes [12]” for formalizing the idea of extraction-then-expansion key derivation. Especially, the author would like to acknowledge Hugo Krawczyk for introducing the instantiation of extraction-then- expansion with HMAC as presented in [10] and [11]. The author like to thank her colleagues, Elaine Barker, Quynh Dang, Sharon Keller, John Kelsey, Allen Roginsky, Meltem Sonmez Turan, and Tim Polk of NIST, Miles Smid of Orion Security Solutions, and Rich Davis of the National Security Agency, for helpful discussions and valuable comments. The author gratefully appreciates the thoughtful and instructive comments received during the public comment periods, which helped to improve the quality of this publication.
    [Show full text]
  • Cryptographic Extraction Imperfect Random Sources
    Cryptographic Extraction Hugo Krawczyk IBM Research “Is Cryptographic Theory Practically Relevant? ” Cambridge 2-1-12 1 Imperfect Random Sources 2 Uniform randomness is crucial in many areas Cryptography: requires source of secret randomness (secret keys) However, often deal with imperfect randomness non-uniform, partial knowledge (i.e., partial secrecy) physical sources, system RNGs, biometric data, extracting from group elements (DH key exchange), … Can we convert imperfect sources into (nearly) perfect randomness? 2 1 Randomness Extractors [NZ96] 3 Input: a weak secret X and a uniformly random seed S Out: extracted key R = Ext (X; S) secret: X R (extracted key) Ext seed: S S (input seed) R is uniformly random, even conditioned on the seed S stat (Ext (X; S), S) ≈ (Uniform, S) sufficient min-entropy in X Many uses in complexity theory and cryptography Here: focus on key derivation but many more applications 3 Parameters 4 Min-entropy m (“m-source ”): Pr[X =x] ≤≤≤ 2-m, for all x Output length n ( entropy loss L = m − n ) Error ε (measures statistical distance from uniform) − Equals Max D |Pr[D(Ext(X; S), S)=1] Pr[D(U n, S)=1]| Optimal D1 D can be unbounded ε = 2-L/2 (later, computationally b’ded distinguishers) Uniform Extracted 4 2 Historical Anecdotes (ca.1996) Crypto design of IPsec and IKE (IPsec ’s Key Exchange) Authenticated Diffie-Hellman protocols Parties agree on gxy : But how to derive session keys? The “obvious way ”: H(g xy || info) Objection: Let ’s not treat H as ideally random (e.g., extension attacks) Also: bad interaction with other uses of H The Photuris Example 5 Photuris Example Photuris (a predecessor of IKE) transmitted SIG(g xy ) to authenticate gxy .
    [Show full text]
  • Crypto 101 Lvh
    Crypto 101 lvh 1 2 Copyright 2013-2017, Laurens Van Houtven (lvh) This work is available under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. You can find the full text of the license at https://creativecommons.org/licenses/by-nc/4.0/. The following is a human-readable summary of (and not a substitute for) the license. You can: • Share: copy and redistribute the material in any medium or format • Adapt: remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms: • Attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. • NonCommercial: you may not use the material for commercial purposes. • No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation. 3 No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material. Pomidorkowi 4 Contents Contents 5 I Foreword 10 1 About this book 11 2 Advanced sections 13 3 Development 14 4 Acknowledgments 15 II Building blocks 17 5 Exclusive or 18 5.1 Description .....................
    [Show full text]
  • Robust Authenticated-Encryption: AEZ and the Problem That It Solves
    The proceedings version of this paper appears in EUROCRYPT 2015. This is the full paper. Robust Authenticated-Encryption AEZ and the Problem that it Solves Viet Tung Hoang1,2 Ted Krovetz3 Phillip Rogaway4 1 Dept. of Computer Science, University of Maryland, College Park, USA 2 Dept. of Computer Science, Georgetown University, USA 3 Dept. of Computer Science, California State University, Sacramento, USA 4 Dept. of Computer Science, University of California, Davis, USA March 31, 2017 Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ≥ 0 and then encrypt a plaintext of any length into a ciphertext that’s λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls). Keywords: AEZ, authenticated encryption, CAESAR competition, misuse resistance, modes of oper- ation, nonce reuse, provable security, prove-then-prune, robust AE. Table of Contents 1 Introduction...................................... ............................. 1 2 Prior AEDefinitions................................. ........................... 4 3 RAESecurity....................................... ........................... 6 4 Verified Redundancy Enhances Authenticity ............. .......................... 8 5 Robust AE from an Arbitrary-Input-Length TBC ........... ....................... 9 6 Wide-Block Enciphering: AEZ-core .................... ........................... 10 7 DefinitionofAEZ .................................... .......................... 12 8 Security of AEZ[E] and AEZ[E].................................................
    [Show full text]
  • Overview of TLS V1.3 What’S New, What’S Removed and What’S Changed? About Me
    Overview of TLS v1.3 What’s new, what’s removed and what’s changed? About Me • Andy Brodie – Worldpay Principal Design Engineer. – Based in Cambridge, UK. – [email protected] • Neither a cryptographer nor a mathematician! – This means no maths in this presentation. Agenda • History & Background. • What’s Been Removed. • What’s New & Changed. – Cipher Suites. – Handshake Changes. – Hashed-Key Derivation Function. – Session Resumption. • Summary. 3 The Goals and Basics of TLS HISTORY & BACKGROUND 4 How SSL became TLS When Who What Comments 1994 Netscape SSL 1.0 designed. Never published as security flaws were found internally. 1995 Netscape SSL v2.0 published. Flaws found pretty quickly, which led to… 1996 Netscape SSL v3.0 published. SSL becomes ubiquitous. 1999 IETF TLS v1.0 published (SSL v3.1) Incremental fixes, political name change and IETF ownership. 2006 IETF TLS v1.1 published (SSL v3.2) Incremental fixes and capabilities. 2008 IETF TLS v1.2 published (SSL v3.3) What we should all be using! 2014 IETF TLS v1.3 draft 1 (SSL v3.4) 2018 IETF TLS v1.3 draft 23 Expires July 15 5 Stop to consider the awesomeness! A Client and Server can have a secure conversation over an insecure medium having never met before. What is a secure conversation? • Privacy – Conversation must be encrypted. – Prevent eavesdropping attacks. • Integrity – Client & Server must be able to detect message tampering. – Prevent Man In The Middle (MITM) attacks. • Authentication – Client needs to trust they’re talking to the intended server. – Prevent impersonation attacks. TLS achieves this using various techniques… • Privacy – Symmetric key encryption for application data.
    [Show full text]