DOCSLIB.ORG

CNS Lecture 3 - 2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CNS Lecture 3 - 2 In the news CNS •gcc 4.1 has stackguard Lecture 3 •Problem in OpenSSL with SHA public key of 3 and padding CVE-2006-4339 see cve.mitre.org •Bank of Ireland will refund phishing losses (160K euros) •authentication •Spammer conviction upheld (9 years in prison) •passwords •Microsoft Publisher could allow remote execution •hash functions MD5, SHA, RIPEMD-160, Whirlpool Cost-benefit analysis for the attacker (Clark & Davis ’95) fun things you can do with hashish hashing Hacking Tip 7345: Mb + Pb > Ocp + OcmPaPc Mb monetary benefit to attacker Reverse engineer a “fixed” P psychological benefit to attacker application or DLL and assignments b develop an exploit ☺ Ocp cost of committing the crime root:.6PcYNUPBpzxw:0:0::/root:/bin/csh Ocm cost of conviction to the attacker toor::0:0::/root:/bin/csh alice:nfVWnUWaAuDSE:500:500:Alice:/home/alice:/bin/csh Pa probability of arrest mallory:yyv4LsfKaOHAE:503:500:Mallory:/home/mallory:/bin/csh bob:nfVWnUWaAuDSE:501:500:Bob:/home/bob:/bin/csh Pc probability of conviction eve:xxP6v.rTrWTb2:505:500:Eve:/home/eve:/bin/csh CNS Lecture 3 - 2 authentication You are here … Attacks & Defenses Cryptography Applied crypto • verifying an identity • • people authentication Risk assessment •Random numbers •SSH • Viruses • password schemes Why authentication? •Hash functions •PGP •access control • Unix security • challenge/response •authorization • • authentication MD5, SHA,RIPEMD S/Mime • token based •auditing • Network security •Classical + stego •SSL • public key systems Firewalls,vpn,IPsec,IDS • biometrics •Number theory •Kerberos • Forensics • host/message authentication •Symmetric key •IPsec DES, Rijndael, RC5 •Crypto APIs •Public key •Coding securely CNS Lecture 3 - 3 RSA, DSA, D-H,ECC CNS Lecture 3 - 4 Design criteria Authenticating people people identify people by face • strength (resistance to attacks) computer verifying who you are voice • speed ID reference • ease of use • what you know • accuracy (false positives) • what you have • manageability • what you are • reliability Best: at least two of the above CNS Lecture 3 - 5 CNS Lecture 3 - 6 1 Is it you? Smart cards What you know •password •PIN What you are … biometrics •Social security number • memory (cash card) •facial verification (picture ID) •Mother’s maiden name • secret-key crypto cards •retinal scanner don’t know when you’ve lost/shared it! •fingerprint reader • public-key crypto cards •hand geometry reader (Olympics/customs) (FORTEZZA) verification, not identifcation What you have • need RS-232 reader or PCMCIA or • voiceprints •ATM card USB or smartdisk • keystroke timing •dongle (bootup, software protect) • • need card loading/init device handwriting •SecurID (server, modified login) concerns: expense, false accept/reject •crypto calculator (challenge/response) • ISO standards •smart card/disk excellent for storing private keys You know when you've lost it or biometric data combine with what you know: PIN or signature Provide both logical and physical special readers / software mods access control (DoD) CNS Lecture 3 - 7 CNS Lecture 3 - 8 Smart card features Authentication scorecard • reader powered (9600 baud) • tamper-resistant (self-destruct) • 8-bit CPU, 8KB ROM, 3K EEPROM, RAM • Write/Erase Cycles: 10,000 • Data life (storage) : 10 years crypto co-processor (FORTEZZA pcmcia) • 160-bit CPU • mod arithmetic • crypto software (RSA, skipjack) Smart card readers (RS-232, USB, PCMCIA) • login supported by linux, Windows CNS Lecture 3 - 9 CNS Lecture 3 - 10 Authentication protocols Athentication protocols USER HOST database ----- name, password --> clear, crypt, hash Our ncp asnmt 3? one-way ----- name, securid# --> server software • password • challenge/response **USER's machine*** • public-key --------name ------> clear/hashed <------ R -------- challenge (nonce) --------- (R)key ------> (encrypt or keyed-hash) two-way (mutual authentication) • trusted intermediary (Kerberos) -------name (time) -----> clear/hashed key Our ncp asnmt 4 • public-key -----------name ------> (Novell 3) hash of key H(key) <------------- R ------- challenge issues ----- H(R,H(key)) ------> • secrets on server • vulnerabilities of protocol -- cleartext, replay, dictionary attack, other? ---------name-----> KDC (clear) (more later, Kerberos) <------(ticket)key ---- • performance of protocol -----name---> NT (hash of key), LAN mgr • cost (user/server) <------------R--- challenge -----(R) -------> • convenience H(key) CNS Lecture 3 - 11 CNS Lecture 3 - 12 2 Mutual authentication Authentication vulnerabilities **USER's machine*** HOST • eavesdropping (sniffers) ------name ----> clear/crypt • password database <--------R1 ------- • replay (need random numbers, good time stamp, sequence number) ------(R1)key --------> --------R2 -----------> • offline guessing (dictionary attack, know R1 and (R1)key) <-------(R2)key --------- • Network session maybe hijacked after authentication! • later: KDC (Kerberos) can provide mutual authentication • authentication can be done with public/private keys too (later) CNS Lecture 3 - 13 CNS Lecture 3 - 14 Passwords -- what you know Strong passwords • easy to remember • special characters, numbers, upper/lower case • hard to guess • would like 64 bits of randomness, so: • historical: military, espionage –with 6-bit alphabet would need 11 characters –pronouncable, need 16 characters password vulnerabilities –choose your own, need 32 characters • easy to guess • human mind is not a good password storage device • read file where passwords are stored • eavesdropper/sniffer “Yes, I use my dog's name as my password. • sys mgr may know/decrypt My dog's name is 4X(!m,q@V-2 • off-line search and I change his name every 90 days.” • strong passwords: inconvenient, people write them down! CNS Lecture 3 - 15 CNS Lecture 3 - 16 Password storage UNIX passwords root:ab7er6hjkjase:0:0:root:/root:/bin/csh bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin • clear text (secret file, security through obscurity -- Ha!) • 8 characters (truncated) ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin 56 ntp:x:38:14:ntp:/etc/ntp:/sbin/nologin • encrypted • 2 possibilities (7-bit ASCII) apache:x:48:48:Apache:/var/www:/bin/false nscd:x:28:28:NSCD Daemon:/:/bin/false ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false • encrypted on authentication server (kerberos, securid server) • assigned by sys mgr xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false gdm:x:42:42::/var/gdm:/sbin/nologin • hashed (one-way encrypted or hash function) • change with passwd dunigan:x:23673:20:TomDunigan:/home/dunigan:/bin/csh • hashed and shadowed • hashed and encoded in /etc/passwd –Hopefully shadowed • portable hash string • newer OS's provide MD5 encoding, longer phrases CNS Lecture 3 - 17 CNS Lecture 3 - 18 3 Unix passwords Password vulnerabilities • user enters name and password • host hashes password and compares • ask user • 13 character string (Dqd2z5wN/3xyE) • guess • 2 character salt (random, 4096) • (void) time(&salt); brute force (1000 MIP years) saltc[0] = salt & 077; • dictionary attack (CRACK) saltc[1] = (salt>>6) & 077; • eavesdrop (sniffer) ... asciify return(crypt(pwbuf,salt)); • shoulder surfing • failed attempts not logged (WWW) salt • trojan horse/library •reduces identical password encodings •discourages pre-hashed dictionary •does not affect time to search for one password crypt() •uses 25 iterations of modified DES (EP is different, thwart DES hardware), • encrypts 0 using salt/pwbuf as "key", • encode 64-bit cipher output to 6-bit alphanumerics CNS Lecture 3 - 19 CNS Lecture 3 - 20 CRACK -- p1Ssw0rd crack3r countermeasures • shadow file • • Dictionary and variations, guess and verify enforce strong passwords • widely available (others: John the Ripper, plus crackers for Windows password databases) – Minimum length • can use multiple machines (parallel) – combo of numerics, alphabetics, special characters • Tries variations of user names, gecos field then dictionary – Language models (Markov ) • rule based ../Scripts/dicts.rules – CRACK-like dictionary tests • caps, substitution, reverse, add a number Bloom filter Hashi(wordj)=y ( y [0,N-1] ) # Pluralise every significant one of the above N-bit “hash” table, reject if tabley is set # MORE-THAN 2, NOT-CONTAIN ANY NON-ALPHA, LOWERCASE, PLURALISE – OS generate list >2!?Alp • scan for weak passwords (CRACK) # Any alphaword >2 & <8 chars long, append a digit or simple punctuation • password aging # since few ppl add non alpha chars to a already non-alpha word • # MORE-THAN 2, LESS-THAN 8, NOT ANY NON-ALPHA, LOWERCASE, APPEND <whatever> eliminate dormant accounts >2<8!?Al0 • log failures (?) >2<8!?Al1 • disable after n failures (?) >2<8!?Al2 Markov model >2<8!?Al3 • trusted hosts (rlogin) • ssh public/private key # Lowercase every pure alphabetic word and reverse it •language letter transition # MORE-THAN 2, NOT-CONTAIN ANY NON-ALPHA, LOWERCASE, REVERSE • Kerberos probabilities (digrams, trigrams) >2!?Alr Don't use re-usable passwords! •Reject if password fits model Lots of password cracking software for various applications CNS Lecture 3 - 21 CNS Lecture 3 - 22 One-time passwords SecurID • SecurID or SafeWord tokens • 2-factor authentication (card and PIN) • challenge/response (SecureNet, SNK) • need to issue cards (battery life?)… costs $$ • need ACE server (DB of username + card secret) • code-book • need to modify login/su on enterprise servers to use ACE server • Skey (OPIE)
Load more

Recommended publications
  • FIPS 140-2 Non-Proprietary Security Policy
    Kernel Crypto API Cryptographic Module version 1.0 FIPS 140-2 Non-Proprietary Security Policy Version 1.3 Last update: 2020-03-02 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com © 2020 Canonical Ltd. / atsec information security This document can be reproduced and distributed only whole and intact, including this copyright notice. Kernel Crypto API Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy Table of Contents 1. Cryptographic Module Specification ..................................................................................................... 5 1.1. Module Overview ..................................................................................................................................... 5 1.2. Modes of Operation ................................................................................................................................. 9 2. Cryptographic Module Ports and Interfaces ........................................................................................ 10 3. Roles, Services and Authentication ..................................................................................................... 11 3.1. Roles .......................................................................................................................................................11 3.2. Services ...................................................................................................................................................11
    [Show full text]
  • The Software Performance of Authenticated-Encryption Modes 1
    An earlier version of this paper appears at Fast Software Encryption 2011 (FSE 2011). The Software Performance of Authenticated-Encryption Modes Ted Krovetz∗ Phillip Rogawayy March 21, 2011 Abstract We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (\Clarkdale") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of operation, CCM, GCM, OCB. 1 Introduction Background. Over the past few years, considerable effort has been spent constructing schemes for authenticated encryption (AE). One reason is recognition of the fact that a scheme that delivers both privacy and authenticity may be more efficient than the straightforward amalgamation of separate privacy and authenticity techniques. A second reason is the realization that an AE scheme is less likely to be incorrectly used than an encryption scheme designed for privacy alone. While other possibilities exist, it is natural to build AE schemes from blockciphers, employing some mode of operation. There are two approaches. In a composed (\two-pass") AE scheme one conjoins essentially separate privacy and authenticity modes.
    [Show full text]
  • Fast Hashing and Stream Encryption with Panama
    Fast Hashing and Stream Encryption with Panama Joan Daemen1 and Craig Clapp2 1 Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium [email protected] 2 PictureTel Corporation, 100 Minuteman Rd., Andover, MA 01810, USA [email protected] Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a com- mercially available VLIW micro-processor. 1 Introduction Panama is a cryptographic module that can be used both as a cryptographic hash function and a stream cipher. It is designed to be very efficient in software implementations on 32-bit architectures. Its basic operations are on 32-bit words. The hashing state is updated by a parallel nonlinear transformation, the buffer operates as a linear feedback shift register, similar to that applied in the compression function of SHA [6]. Panama is largely based on the StepRightUp stream/hash module that was described in [4]. Panama has a low per-byte work factor while still claiming very high security. The price paid for this is a relatively high fixed computational overhead for every execution of the hash function. This makes the Panama hash function less suited for the hashing of messages shorter than the equivalent of a typewritten page. For the stream cipher it results in a relatively long initialization procedure. Hence, in applications where speed is critical, too frequent resynchronization should be avoided.
    [Show full text]
  • Permutation-Based Encryption, Authentication and Authenticated Encryption
    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
    [Show full text]
  • Cryptanalysis of MD4
    Cryptanalysis of MD4 Hans Dobbertin German Information Security Agency P. O. Box 20 03 63 D-53133 Bonn e-maih dobbert inQskom, rhein .de Abstract. In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. Recently wc have found an attack against two of three rounds of RIPEMD. As we shall show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows to find collisions for MD4 in a few seconds on a PC. An example of a collision is given demonstrating that our attack is of practical relevance. 1 Introduction Rivest [7] introduced the hash function MD4 in 1990. The MD4 algorithm is defined as an iterative application of a three-round compress function. After an unpublished attack on the first two rounds of MD4 due to Merkle and an attack against the last two rounds by den Boer and Bosselaers [2], Rivest introduced the strengthened version MD5 [8]. The most important difference to MD4 is the adding of a fourth round. On the other hand the stronger mode RIPEMD [1] of MD4 was designed as a European proposal in 1992. The compress function of RIPEMD consists of two parallel lines of a modified version of the MD4 compress function. In [4] we have shown that if the first or the last round of its compress function is omitted, then RIPEMD is not collision-free.
    [Show full text]
  • Efficient Collision Attack Frameworks for RIPEMD-160
    Efficient Collision Attack Frameworks for RIPEMD-160 Fukang Liu1;6, Christoph Dobraunig2;3, Florian Mendel4, Takanori Isobe5;6, Gaoli Wang1?, and Zhenfu Cao1? 1 Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, China [email protected],fglwang,[email protected] 2 Graz University of Technology, Austria 3 Radboud University, Nijmegen, The Netherlands [email protected] 4 Infineon Technologies AG, Germany [email protected] 5 National Institute of Information and Communications Technology, Japan 6 University of Hyogo, Japan [email protected] Abstract. RIPEMD-160 is an ISO/IEC standard and has been applied to gen- erate the Bitcoin address with SHA-256. Due to the complex dual-stream struc- ture, the first collision attack on reduced RIPEMD-160 presented by Liu, Mendel and Wang at Asiacrypt 2017 only reaches 30 steps, having a time complexity of 270. Apart from that, several semi-free-start collision attacks have been published for reduced RIPEMD-160 with the start-from-the-middle method. Inspired from such start-from-the middle structures, we propose two novel efficient collision at- tack frameworks for reduced RIPEMD-160 by making full use of the weakness of its message expansion. Those two frameworks are called dense-left-and-sparse- right (DLSR) framework and sparse-left-and-dense-right (SLDR) framework. As it turns out, the DLSR framework is more efficient than SLDR framework since one more step can be fully controlled, though with extra 232 memory complexi- ty. To construct the best differential characteristics for the DLSR framework, we carefully build the linearized part of the characteristics and then solve the cor- responding nonlinear part using a guess-and-determine approach.
    [Show full text]
  • Hash Functions and Thetitle NIST of Shapresentation-3 Competition
    The First 30 Years of Cryptographic Hash Functions and theTitle NIST of SHAPresentation-3 Competition Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash functions decoded Insert presenter logo here on slide master Hash functions X.509 Annex D RIPEMD-160 MDC-2 SHA-256 SHA-3 MD2, MD4, MD5 SHA-512 SHA-1 This is an input to a crypto- graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). Hash function history 101 DES RSA 1980 single block ad hoc length schemes HARDWARE MD2 MD4 1990 SNEFRU double MD5 block security SHA-1 length reduction for RIPEMD-160 factoring, SHA-2 2000 AES permu- DLOG, lattices Whirlpool SOFTWARE tations SHA-3 2010 Applications • digital signatures • data authentication • protection of passwords • confirmation of knowledge/commitment • micropayments • pseudo-random string generation/key derivation • construction of MAC algorithms, stream ciphers, block ciphers,… Agenda Definitions Iterations (modes) Compression functions SHA-{0,1,2,3} Bits and bytes 5 Hash function flavors cryptographic hash function this talk MAC MDC OWHF CRHF UOWHF (TCR) Security requirements (n-bit result) preimage 2nd preimage collision ? x ? ? ? h h h h h h(x) h(x) = h(x‘) h(x) = h(x‘) 2n 2n 2n/2 Informal definitions (1) • no secret parameters
    [Show full text]
  • SPHINCS: Practical Stateless Hash-Based Signatures
    SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein1;3, Daira Hopwood2, Andreas Hülsing3, Tanja Lange3, Ruben Niederhagen3, Louiza Papachristodoulou4, Peter Schwabe4, and Zooko Wilcox O'Hearn2 1 Department of Computer Science University of Illinois at Chicago Chicago, IL 606077045, USA [email protected] 2 Least Authority 3450 Emerson Ave. Boulder, CO 803056452 USA [email protected],[email protected] 3 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands [email protected], [email protected], [email protected] 4 Radboud University Nijmegen Digital Security Group P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper introduces a high-security post-quantum stateless hash-based sig- nature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. The signature scheme is designed to provide long-term 2128 security even against attackers equipped with quantum computers. Unlike most hash-based designs, this signature scheme is stateless, allowing it to be a drop-in replacement for current signature schemes. Keywords: post-quantum cryptography, one-time signatures, few-time signatures, hyper- trees, vectorized implementation 1 Introduction It is not at all clear how to securely sign operating-system updates, web-site certicates, etc. once an attacker has constructed a large quantum computer: RSA and ECC are perceived today as being small and fast, but they are broken in polynomial time by Shor's algorithm.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017
    Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Kölbl June 20th, 2017 DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography Symmetric Key Cryptography What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange 1 Authentication Authentication Message Authentication Code (MAC) Key Message MAC Tag • Produces a tag • Provide both authenticity and integrity • It should be hard to forge a valid tag. • Similar to hash but has a key • Similar to digital signature but same key 2 Authentication MAC Algorithm • Block Cipher Based (CBC-MAC) • Hash-based (HMAC, Sponge) • Universal Hashing (UMAC, Poly1305) 3 Authentication CBC-MAC M1 M2 Mi 0 EK EK EK T 4 Authentication Hash-based: • H(k jj m) • Okay with Sponge, fails with MD construction. • H(m jj k) • Collision on H allows to construct Tag collision. • HMAC: H(k ⊕ c1kj H(k ⊕ c2jjm)) 5 Authentication Universal Hashing (UMAC, Poly1305, …) • We need a universal hash function family H. • Parties share a secret member of H and key k. • Attacker does not know which one was chosen. Definition A set H of hash functions h : U ! N is universal iff 8x; y 2 U: 1 Pr (h(x) = h(y)) ≤ h2H jNj when h is chosen uniformly at random. 6 Authenticated Encryption In practice we always want Authenticated Encryption • Encryption does not protect against malicious alterations. • WEP [TWP07] • Plaintext recovery OpenSSH [APW09] • Recover TLS cookies [DR11] Problem Lot of things can go wrong when combining encryption and authentication. Note: This can allow to recover plaintext, forge messages..
    [Show full text]
  • Cryptography and Network Security Chapter 12
    Chapter 12 – Message CryptographyCryptography andand Authentication Codes NetworkNetwork SecuritySecurity • At cats' green on the Sunday he took the message from the inside of the pillar and added Peter Moran's name to ChapterChapter 1212 the two names already printed there in the "Brontosaur" code. The message now read: “Leviathan to Dragon: Martin Hillman, Trevor Allan, Peter Moran: observe and tail. ” What was the good of it John hardly knew. He felt Fifth Edition better, he felt that at last he had made an attack on Peter Moran instead of waiting passively and effecting no by William Stallings retaliation. Besides, what was the use of being in possession of the key to the codes if he never took Lecture slides by Lawrie Brown advantage of it? (with edits by RHB) • —Talking to Strange Men, Ruth Rendell Outline Message Authentication • we will consider: • message authentication is concerned with: – message authentication requirements – protecting the integrity of a message – message authentication using encryption – validating identity of originator – non -repudiation of origin (dispute resolution) – MACs • three alternative approaches used: – HMAC authentication using a hash function – hash functions (see Ch 11) – DAA – message encryption – CMAC authentication using a block cipher – message authentication codes ( MACs ) and CCM – GCM authentication using a block cipher – PRNG using Hash Functions and MACs Symmetric Message Encryption Message Authentication Code • encryption can also provides authentication (MAC) • if symmetric encryption
    [Show full text]
  • High Performance Cryptographic Engine PANAMA: Hardware Implementation G
    High Performance Cryptographic Engine PANAMA: Hardware Implementation G. Selimis, P. Kitsos, and O. Koufopavlou VLSI Design Labotaroty Electrical & Computer Engineering Department, University of Patras Patras, Greece Email: [email protected] hardware implementations are more efficiency in FPGAs ABSTRACT than general purpose CPUs due to the fact that the algorithm specifications suits much better in FPGA structure. In this paper a hardware implementation of a dual operation cryptographic engine PANAMA is presented. The Typical application with high speed requirements is implementation of PANAMA algorithm can be used both as encryption or decryption of video-rate in conditional access a hash function and a stream cipher. A basic characteristic applications (e-g pay TV). The modern networks have been of PANAMA is a high degree of parallelism which has as implemented to satisfy the demand for high bandwidth result high rates for the overall system throughput. An other multimedia services. Then the switches which they are profit of the PANAMA is that one only architecture placed at the nodes of the network must provide high throughput. So if there is a need for secure networks, the supports two cryptographic operations – encryption/ systems in the network switches should not introduce delays. decryption and data hashing. The proposed system operates PANAMA [3] is a cryptographic module that can be used in 96.5 MHz frequency with maximum data rate 24.7 Gbps. both as a cryptographic hash function and as stream cipher in The proposed system outperforms previous any hash applications with ultra high speed requirements functions and stream ciphers implementations in terms of In this paper an efficient implementation of the PANAMA is performance.
    [Show full text]