CSE 291-I: Applied

Nadia Heninger UCSD

Spring 2020 Lecture 5 Legal Notice

The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements

1. HW 2 is due Wednesday!

2. HW 3 is out, due before class in 1.5 weeks, April 22. Last time: Chosen attacks

This time: Fun with CBC mode, malleability and message integrity Last time: Cipher block chaining (CBC) mode

I

w

1. IV has same length as block length.

2. ci =Enck (ci 1 mi ) 3. Output (IV , c0, c1, c2,...). IV should be random.

CBC mode is CPA-secure, but suffers from implementation vulnerabilities. Chosen Plaintext Attack against CBC mode Assumption: Emek is a LPRP

if is wrong. No information p Rogaway 1995: CBC mode not secure against chosen plaintext attacks if attacker can see IV or previous block before choosing m. I 1. Attacker observes c1, c2,...,ci 1, ci ,...,cj . → - - 2. Attacker wants to distinguish ci ,streamiscurrentlyatcj .

3. Attacker guesses ci plaintext is p.

4. Attacker causes victim to encrypt cj ci 1 p. 5. Victim sends Enck (cj (cj ci 1 p)) = Enck (ci 1 p) - f - 6. Attacker compares Enck (ci 1 p) to ci ,matchifp correct. A Slightly modified attack same

. where C chains # (Cs Mi) c-Ence - Chosen Plaintext Attacks against CBC mode in practice

Dai 2002: SSH2 chains between ciphertext,EE server • SSLv3, TLS 1.0 also •

128 bits is a lot to brute force in one block In many cases, know a lot of plaintext •

How to request encryptions? Javascript, Java can make cookie-bearing requests across • domains

Duong, Rizzo 2011: BEAST (Browser Exploit Against SSL/TLS) Pad to 1 unknown text byte per block • Example: PKCS 7 padding. If message is b bytes short of 128-bit block, append b bytes • bbb ...b to make block multiple of 128. Decryptor checks and strips offpadding. •

Q: What do you do if padding is incorrect? A: Throw an error?

Message padding for

Q: How do you encrypt odd-length messages with a fixed-length block cipher? A: Pad message somehow. Q: What do you do if padding is incorrect? A: Throw an error?

Message padding for encryption

Q: How do you encrypt odd-length messages with a fixed-length block cipher? A: Pad message somehow.

Example: PKCS 7 padding. If message is b bytes short of 128-bit block, append b bytes • bbb ...b to make block multiple of 128. Decryptor checks and strips offpadding. • Message padding for encryption

Q: How do you encrypt odd-length messages with a fixed-length block cipher? A: Pad message somehow.

Example: PKCS 7 padding. If message is b bytes short of 128-bit block, append b bytes • bbb ...b to make block multiple of 128. Decryptor checks and strips offpadding. •

Q: What do you do if padding is incorrect? A: Throw an error? Padding oracle attacks

Vaudenay 2002: CBC mode encryption is insecure if attacker can distinguish bad from good message padding Want to decrypt (IV , c1,...,cn)=Enck (m1,...,mn). -

Have oracle that given (IV 0, c`0,...,c`0) will:

1. Compute (m10 ,...,m`0 )=Deck (IV , c10 ,...,c`0)

' # ' l l l I , I I y , , 2. Return

valid if m`0 ends in valid padding

(invalid if m`0 doesn’t end in valid padding : N . CI ( , CT ez Cs . . . , ) Vaudenay CBC padding oracle attack Input , .

T µ, it , 1. Attacker sends (IV 00 ...00t, c )=F (IV m 00 ...00t) 1 k 1 to decryption padding oracle.

28- l) l r a O e c ( , d id valid if IVmmmm m1 000 ...0t = ...1(most likely) . ← ...22 8 . ...333 oracle returns> > . <> . invalid otherwise > > 2. Try all 256 values:> of t. 3. Good probability of learning value d

. . : 00 . 4. Iterate for successive bytes of ciphertext. Ot ? - - - mod mas

5. 256n query complexity to learn n bytes of plaintext. Z Z Message Malleability and Integrity

Independent of whether messages remain confidential, we want to ensure that they can’t be modified by a third party in transit. Message Authentication Codes

Solution: Add a special tag to ensure integrity of the message. In order to protect against malicious forgery, cryptographic integrity checks must use a secret .

Cryptographic and non-cryptographic integrity checking

Non-cryptographic protocols also often include integrity cheks: Ethernet uses CRC32, a 32-bit checksum • TCP has a 16-bit checksum •

These algorithms protect against random errors, but they are public and do not include keys so can be forged by a malicious adversary. Cryptographic and non-cryptographic integrity checking

Non-cryptographic protocols also often include integrity cheks: Ethernet uses CRC32, a 32-bit checksum • TCP has a 16-bit checksum •

These algorithms protect against random errors, but they are public and do not include keys so can be forged by a malicious adversary.

In order to protect against malicious forgery, cryptographic integrity checks must use a secret key. rue fu stream ciphers at mute ) = k⑦ m Etc does not suffice . Eno dm Encryption , Cto garage Deelctosasge) =mqze Message Authentication Codes

Definition Key generation algorithm generates k • Tag generation: Mac (m) t • k ! Tag verification: • accept if tag is valid Verifyk (m, t)= (reject if tag is invalid

Correctness: Pr[Verify (m, Mac (m)) = ]=1 • k k accept MAC Security: Existential MAC forgery

l

l

mu

Definition AMACconstruction(Mac, Verify) is existentially unforgeable under achosen-messageattackiftheprobabilitythatA wins is negligible. “Strongly secure” MACs

This is equivalent to the previous definition for deterministic MACs. The adversary can query the target message but not return one of the responses. Constructing a MAC from a PRF

Let F be a PRF. Then we can construct a MAC as follows: Key generation: k 0, 1 n • 2R { } Mac (m)=F (m) • k k • accept if Fk (m)=t Verifyk (m, t)= (reject otherwise Theorem The PRF MAC construction is secure. Proof. Assume construction not secure, construct PRF distinguisher.

D

1. If F is a truly random function, then n Pr[Asucceeds]=2 =Pr[D(f )=1]

2. If F PRF, Pr[D(Fk )=1]=d > negligible by assumption.

n Pr[D(F )=1] Pr[D(f )=1] = d 2 > negligible | k | CBC-MAC foxed-length ✓ Can use CBC construction to construct a MAC for arbitrary length messages. k 0, 1 n • 2R { } Input m = m1 ...m`.TocomputeMack (m): • n 1. t0 = 0 (fixed, non-random value) 2. For i = I0,...,` ti = Fk (ti 1 mi ) 3. Output last block t`

• accept if Mack (m)=t Verifyk (m, t)= (reject otherwise

Theorem If F is a secure PRF, then CBC-MAC is a secure fixed-length MAC for arbitrary-length messages Attacks " " Chosen - Ciphertext Ded CCA secure CCA indistinguishably effluent indistinguishable encryptions under a chosen ciphntextgthcle A adversaries en Lait tf efficient A

' " feet bomb PRCA succeeds) t {tf

. . nest oracle access to Engel )

" " Decide ) IND- CCA 1 : non- adaptive decryption oracle only grieved can't Decide) guy - to pro challenge ciphertext

→ " " IND-CCAZ : adaptive - < make further cells to → may oracle A succeeds if decryption

' b - b combine and checks? How do you encryption integrity

( prelude to authenticate encryption. ) mode : - defined authenticated Right answer in practice Usea pre encryption w/ AES .

: Fo- historical purposes - t attacker see- . MAC to fo- CPA it keep Intuition: use encryption useful into something . for mauling ciphertext

Options :

- - and MAC ? Encrypt t send Cc, ) - (m) (m) t - C = Encke Mac km

- Mae- then encrypt ? send C - ( m h t ) c - t = Macken (m) Encke of Poteet integrity ciphket ← CCA -secure - ? Encrypt - then Mac t = Cc) send Cc t) - m , C - Encke ( ) Macan Reminder, HW 2 is due before next lecture so we can talk about it in lecture!