OCB: a Block-Cipher Mode of Operation for Efficient Authenticated Encryption
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Analysis of Selected Block Cipher Modes for Authenticated Encryption
Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3]. -
GCM) for Confidentiality And
NIST Special Publication 800-38D Recommendation for Block DRAFT (April, 2006) Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication Morris Dworkin C O M P U T E R S E C U R I T Y Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. i Table of Contents 1 PURPOSE...........................................................................................................................................................1 2 AUTHORITY.....................................................................................................................................................1 3 INTRODUCTION..............................................................................................................................................1 4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS.................................................................................2 4.1 DEFINITIONS AND ABBREVIATIONS .............................................................................................................2 4.2 SYMBOLS ....................................................................................................................................................4 4.2.1 Variables................................................................................................................................................4 -
Block Cipher Modes
Block Cipher Modes Data and Information Management: ELEN 3015 School of Electrical and Information Engineering, University of the Witwatersrand March 25, 2010 Overview Motivation for Cryptographic Modes Electronic Codebook Mode (ECB) Cipher Block Chaining (CBC) Cipher Feedback Mode (CFB) Output Feedback Mode (OFB) 1. Cryptographic Modes Problem: With block ciphers, same plaintext block always enciphers to the same ciphertext block under the same key 1. Cryptographic Modes Solution: Cryptographic mode: • block cipher • feedback • simple operations Simple operations, as the security lies in the cipher. 1. Cryptographic Modes 1.1 Considerations • The mode should not compromise security of cipher • Mode should conceal patterns in plaintext • Some random starting point is needed • Difficult to manipulate the plaintext by changing ciphertext • Requires multiple messages to be encrypted with same key • No significant impact on efficiency of cipher • Ciphertext same size as plaintext • Fault tolerance - recover from errors 2. Electronic Codebook Mode Uses the block cipher without modifications Same plaintext block encrypts to same ciphertext under same key Each plaintext block is encrypted independently of other plaintext blocks. Corrupted bits only affects one block Dropped/inserted bits cause sync errors ! all subsequent blocks decipher incorrectly 2. Electronic Codebook Mode 2.1 Advantages ECB exhibits `random access property' because plaintext blocks are encrypted independently • Encryption and decryption can be done in any order • Beneficial for databases, records can be added, deleted, modified, encrypted and deleted independently of other records Parallel implementation • Different blocks can simultaneously be decrypted on separate processors Many messages can be encrypted with the same key, since each block is independent. 2. -
Implementation and Analysis of Key Reinstallation Attack
International Journal of Innovations in Engineering and Technology (IJIET) http://dx.doi.org/10.21172/ijiet.133.21 Implementation and Analysis of Key Reinstallation Attack Saba Khanum1, Ishita kalra2 1Department of Information Technology, MSIT, Janakpuri, New Delhi, India 2Department of Computer Science and Engineering, MSIT, Janakpuri, New Delhi, India Abstract- The objective of the paper is to implement and analyzed the impact of Key Reinstallation Attack (popularly dubbed as KRACK) on debian based machines. The paper elucidates on the capture of packets through the attack without being a part of the network and affecting the target machines with the help of an attack machine placed inside the network. It basically exploits the nonce of the network which ultimately paves way to the execution of the attack. The issue tends to gather more eyeballs as it affects all devices using Wi-Fi through WPA2 protocol. Hence, the catastrophe complimented along the attack is severe. The analysis of the impact is carried on by analyzing the type of packets visible as well as captured during the course of the implementation. Here, we have created a python script which identifies whether the targeted machine is vulnerable to KRACK or not and corresponding to that the packet capture starts and ultimately, the impact is measured. Keywords – KRACK, weakness, WPA2, attack, security I. INTRODUCTION The presence of the bug has been detected in the cryptographic nonce of the WPA2 and can be used to clone a connected party to reinstall a used key. The presence of the nonce is specifically intended to prevent reuse, but in this particular case, it gives malicious users the opportunity to replay, decrypt, or forge packets, ultimately enabling them to access all previously considered encrypted information without actually being part of the network. -
Cryptographic Sponge Functions
Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions ......................... -
The EAX Mode of Operation
A preliminary version of this papers appears in Fast Software Encryption ’04, Lecture Notes in Computer Science, vol. ?? , R. Bimal and W. Meier ed., Springer-Verlag, 2004. This is the full version. The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency) ∗ † ‡ M. BELLARE P. ROGAWAY D. WAGNER January 18, 2004 Abstract We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2|M|/n + |H|/n + |N|/n block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity. -
Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode Of
Efficient & secure cipher scheme with dynamic key-dependent mode of operation Hassan Noura, Ali Chehab, Raphael Couturier To cite this version: Hassan Noura, Ali Chehab, Raphael Couturier. Efficient & secure cipher scheme with dynamic key- dependent mode of operation. Signal Processing: Image Communication, Elsevier, 2019, 78, pp.448 - 464. hal-02366798 HAL Id: hal-02366798 https://hal.archives-ouvertes.fr/hal-02366798 Submitted on 16 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode of Operation Hassan N. Nouraa, Ali Chehaba, Rapha¨elCouturierb a Electrical and Computer Engineering American University of Beirut (AUB) Beirut, Lebanon bUniv. Bourgogne Franche-Comt´e(UBFC), FEMTO-ST Institute, CNRS, Belfort, France Abstract Security attacks are constantly on the rise leading to drastic consequences. Several secu- rity services are required more than ever to prevent both passive and active attacks such as Data Confidentiality (DC). A DC security service is typically based on a strong symmetric cipher algorithm. However, some of today's applications, such as real-time applications and those running on constrained devices, require efficient lightweight cipher schemes that can achieve a good balance between the security level and system performance. -
Patent-Free Authenticated-Encryption As Fast As OCB
Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f. -
Modes of Operation for Compressed Sensing Based Encryption
Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc -
Modes of Operation Module No: CS/CNS/1
e-PGPathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Modes of Operation Module No: CS/CNS/18 Quadrant 1 – e-text Cryptography and Network Security Module 18- Modes of Operation Learning Objectives To understand the Overview of Modes of Operation Discuss about each mode of operation such as EBC, CBC, CFB, OFB, CTR To Compare different modes and to discuss remarks over them 18.1. INTRODUCTION So far we have seen the basic working of block ciphers. In this section, we discuss about modes of operation of block ciphers. Basically the lengthy plain text is divided into number of blocks in block ciphers. Block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks, with 56-bit key. But in actual scenario, the file size which has to be encrypted may not be the multiple of the block size. That is in practise, we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate), and may only be available a bit/byte at a time (in which case a stream mode is used). A mode of operation describes the process of encrypting each of these blocks under a single key. A mode of operation describes the process of encrypting each of these blocks under a single key. Some modes may use randomised addition input value. We can apply a particular mode of operation in this situation. Basic modes of operations such as Electronic Code Book(ECB), Cipher Block Chaining(CBC), Cipher Feed Back (CFB), Output Feed Back (OFB), Counter (CTR) modes are considered here. -
Authenticated Encryption Mode IAPM Using SHA-3'S Public Random
Authenticated Encryption Mode IAPM using SHA-3’s Public Random Permutation Charanjit Jutla IBM T. J. Watson Research Center New York 10598 Abstract. We study instantiating the random permutation of the block- cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft stan- dard SHA-3 is built. IAPM and the related mode OCB are single-pass highly parallelizable authenticated-encryption modes, and while they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random per- mutation model assuming the whitening keys are uniformly chosen with double the usual entropy. In this paper, we show a general composabil- ity result that shows that the whitening key can be obtained from the usual entropy source by a key-derivation function which is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can also be used to make the IAPM scheme key- dependent-message secure. Finally, implementations on modern AMD-64 architecture supporting 128-bit SIMD instructions, and not supporting the native AES instructions, show that IAPM with Keccak runs three times faster than IAPM with AES. 1 Introduction Symmetric key encryption of bulk data is usually performed using either a stream cipher or a block cipher. A long message is divided into small fixed-size blocks and encryption is performed by either a stream-cipher mode or a block-cipher mode employing a cryptographic primitive that operates on blocks. -
OCB: a Bock-Cipher Mode of Operation for Efficient Authenticated Encryption
OCB: A Bock-Cipher Mode of Operation for Efficient Authenticated Encryption Phillip Rogaway UC Davis This work done at Chiang Mai University [email protected] http://www.cs.ucdavis.edu/~rogaway Mihir Bellare John Black Ted Krovetz UC San Diego University of Nevada UC Davis CCS-8 — Philadelphia, USA — November 8, 2001 Slide 1 Principal Goals of Symmetric Cryptography Privacy What the Adversary sees tells her nothing of significance about the underlying message M that the Sender sent Authenticity The Receiver is sure that the string he receives was sent (in exactly this form) by the Sender Authenticated Encryption Achieves both privacy and authenticity C C* Nonce M M K Adversary K or invalid K K Sender Receiver Slide 2 Why Authenticated Encryption? • Efficiency By merging privacy and authenticity one can achieve efficiency difficult to achieve if handling them separately. • Easier-to-correctly-use abstraction By delivering strong security properties one may minimize encryption-scheme misuse. Slide 3 Easier to correctly use because stronger security properties Idealized encryption OCB Authenticated encryption [Bellare, Rogaway] IND-CPA + auth of ciphertexts [Katz,Yung] [Bellare, Namprempre] IND-CCA = NM-CCA CTR, CBC$ [Goldwasser, Micali] IND-CPA [Bellare, Desai, Jokipii, Rogaway] ECB Slide 4 Right or Wrong? It depends on what definition E satisfies K A . R K A A B EK (A . B . RA . RB .sk) EK (RB) Slide 5 Folklore approach. See Generic Composition [Bellare, Namprempre] and [Krawczyk] Traditional approach to authenticated encryption for