Security of Symmetric Encryption against Mass Surveillance Gihyuk Ko Carnegie Mellon University slides from Kyle Soska Today’s Lecture • Consider new type of adversary in the form of a ‘Big Brother’ that wants to perform surveillance at a large scale • Discuss constructions that could be used by a ‘Big Brother’ for symmetric encryption • Discuss mitigations and solutions against these constructions Traditional Adversary Model Alice Bob ENC(K, M) DEC(K, C) DEC(K, C’) ENC(K, M’) Example: IND-CPA 퐸푛푐 푘, 푚0 b = 0 (푚0, 푚1) 푛 b ←푅 {0, 1}, k ←푅 0, 1 퐸푛푐(푘, 푚푏) 퐸푛푐 푘, 푚1 b = 1 퐴푑푣 퐴 = Pr 퐴 퐸푛푐 푘, 푚0 = 1 − Pr 퐴 퐸푛푐 푘, 푚1 = 1 Example: Secure PRNG • Ideal: Sequence of truly random bits • Actual: Pseudorandom sequence of bits Random b = 0 푛 01001110101…. b ←푅 {0, 1}, k ←푅 0, 1 퐺(푘) b = 1 퐴푑푣 퐴 = Pr 퐴 퐺 푘 = 1 − Pr 퐴 푟 = 1 Traditional Adversary Model Bob ENC(K, M) DEC(K, C) DEC(K, C’) ENC(K, M’) Terrorism Adversary Model Potential Terrorist Or Criminal DEC(K, C) ENC(K, M’) ENC(K, M) DEC(K, C’) Potential Terrorist Or Criminal DEC(K, C) ENC(K, M’) Terrorism and Large Internet Companies Terrorism Adversary Model Potential Terrorist Or Criminal DEC(K, C) ENC(K, M’) ENC(K, M) DEC(K, C’) Potential Terrorist Or Criminal DEC(K, C) I would like to eavesdrop in order to prevent terrorism and other crime ENC(K, M’) Spying Government Adversary Model Alice DEC(K, C) ENC(K, M’) ENC(K, M) DEC(K, C’) Bob DEC(K, C) All your privacy are belong to us ENC(K, M’) Spying Government Best of Both Worlds Potential Terrorist Or Criminal DEC(K, C) ENC(K, M’) ENC(K, M) DEC(K, C’) Potential Terrorist Or Criminal DEC(K, C) I will always do the ‘right’ thing ENC(K, M’) The Rest of the Lecture • How could a company allow a third party such as the government to eavesdrop in an undetectable way? • What can we as users do to prevent such things from happening? Goals - Informal • Big Brother (푩) • Wants to eavesdrop on communication • Does not want its eavesdropping to be detected • Users (푼) • Wants to detect when eavesdropping is taking place • Want to prevent eavesdropping from taking place Recall CBC Encryption M1 M2 M3 IV ⊕ ⊕ ⊕ 퐸푛푐퐾 퐸푛푐퐾 퐸푛푐퐾 C1 C2 C3 Recall CBC Decryption C1 C2 C3 퐷푒푐퐾 퐷푒푐퐾 퐷푒푐푘 IV ⊕ ⊕ ⊕ M1 M2 M3 Encryption Schemes More Formally • Π = (퐾, 퐸, 퐷) • 풦 = 0, 1 푘 the keyspace • 퐾: Secret symmetric key • 푀: Message • 퐴: Associated Data (Supplementary information such as padding) • 휎: state (ex. A counter for CBC counter mode) • 퐸 is a possibly randomized encryption routine such that 퐶, 휎′ ← 퐸(퐾, 푀, 퐴, 휎) • 퐷 is a deterministic decryption routine such that 푀, 휎′ ← 퐷(퐾, 퐶, 퐴, 휎) How to subvert Π? • Transfer all symmetric keys 퐾 to 퐵 • Keys would be observed by an eavesdropper and surveillance would be detected • If the company ever wanted to stop sending keys to 퐵, then 퐵 would no longer be able to eavesdrop Spying Government Adversary Model Alice DEC(K, C) ENC(K, M) ENC(K, M’) DEC(K, C’) Bob Client keys = {퐾1, K2, … } DEC(K, C) ENC(K, M’) How to backdoor Π? • Transfer all symmetric keys 퐾 to 퐵 • Keys would be observed by an eavesdropper and surveillance would be detected • Transfer all symmetric keys encrypted under key 퐾′ • Still high bandwidth communication channel between company and surveillance body, suspicious Spying Government Adversary Model Alice DEC(K, C) ENC(K, M) ENC(K, M’) DEC(K, C’) Bob Client keys = EncK′ 퐾1, K2, … DEC(K, C) Something is ENC(K, M’) fishy…. Algorithm Substitution Attack (ASA) • Suppose the servers replaced their implementation of encryption scheme Π with a modified version Π′ • Π′ could be specially designed to leak information about the messages or secret keys to an eavesdropper who holds secret information 퐾′ • Eavesdroppers that do not know this secret information would not be able to learn the messages or 퐾 • The server’s implementation of Π is a black box from the point of view of a regular user • Π′ has all the information Π has as well as a key 퐾′ called the escrow key or big-brother key, and possibly more state How to backdoor Π? • Derive a modified Π′ from Π, what properties must Π′ have? Decryptability (Informal) • The modified 훱′ = (퐾′, 퐸′, 퐷′) must produce encryptions that are correctly decrypted by the unmodified Π = (퐾, 퐸, 퐷) Decryptability (Formal) • Π′ = (퐾′, 퐸′, 퐷′) satisfies decryptability relative to Π = (퐾, 퐸, 퐷) if (퐾′, 퐾, 퐸′, 퐷′) is a correct encryption scheme where 퐷′ is defined by 퐷′ 퐾′, 퐾 , 퐶, 퐴, 휎 = 퐷(퐾, 퐶, 퐴, 휎) If decryptability does not hold Alice ??? This decryption makes no sense! DEC(K, C) ENC’(K’, K, M) ENC(K, M’) DEC’(K’, K, C’) Bob ??? This decryption Shared 퐾′ makes no sense! DEC(K, C) DEC’(K’, C) ENC(K, M’) How to backdoor Π? • Derive a modified Π′ from Π, what properties must Π′ have? Decryptability (Informal) • The modified 훱′ = (퐾′, 퐸′, 퐷′) must produce encryptions that are correctly decrypted by the unmodified Π = (퐾, 퐸, 퐷) Decryptability (Formal) • Π′ = (퐾′, 퐸′, 퐷′) satisfies decryptability relative to Π = (퐾, 퐸, 퐷) if (퐾′, 퐾, 퐸′, 퐷′) is a correct encryption scheme where 퐷′ is defined by 퐷′ 퐾′, 퐾 , 퐶, 퐴, 휎 = 퐷(퐾, 퐶, 퐴, 휎) • Needs to ‘look like’ a regular ciphertext, can’t have anything abnormal such as ciphertexts always start with a ‘0’ If ciphertexts are distinguishable Alice DEC(K, C) ENC(K’, K, M) ENC(K, M’) DEC(K’, K, C’) Bob Shared 퐾′ Every ciphertext DEC(K, C) from server starts DEC’(K’, C) with 0, something is ENC(K, M’) fishy…. Detection Game • Can a user with secret key 퐾 tell the difference between encryptions with 퐸 and 퐸′? Π → 퐸(푚) b = 0 K 푛 푚 b ←푅 {0, 1}, K’ ←푅 0, 1 , K 퐶 User 푈 Π′ → 퐸′(푚) b = 1 퐴푑푣 푈 = Pr 푈 퐾, 퐸′ 푚 = 1 − Pr 푈 퐾, 퐸 푚 = 1 Surveillance Game • Can Big brother with escrow key 퐾′ tell the difference between 퐸 and 퐸′? Π → 퐸(푚) b = 0 K’ 푛 푚 b ←푅 {0, 1}, K ←푅 0, 1 , K’ 퐶 Big Brother 퐵 Π′ → 퐸′(푚) b = 1 퐴푑푣 퐵 = Pr 퐵 퐾′, 퐸′ 푚 = 1 − Pr 퐵 퐾′, 퐸 푚 = 1 Additional Comments • Practically, Big Brother would want to be able to do more than simply distinguish encryptions from 퐸 and 퐸′ with non-negligible probability • We will be looking at schemes that allow Big Brother to either completely learn each message, or learn the session key so that he can decrypt each message with advantage nearly 1 • Big brother wants to win surveillance game with advantage 1 and for users to win detection game with negligible probability • Users want to win detection game with advantage 1, and for big brother to win surveillance game with negligible probability IV Replacement Attacks • Lots of encryption schemes flip coins (generate random information) • Turing machine with a random tape • Idea: when Π′ needs to generate random information, it will instead select the values specifically for the purpose of leaking information • Nonces • Initialization Vectors (IV) • Variable Length Padding • Can a user detect this type of attack? • Let 푋 be some efficient algorithm that extracts 퐼푉 ← 푋(퐶) from ciphertext 퐶, if such an algorithm exists then the 퐼푉 is said to be ‘surfaced’ or the encryption scheme ‘surfaces’ its 퐼푉 Stateful IV Attack M1 M2 M3 푘 IV = ←푅 0, 1 IV = 퐸푛푐퐾′(퐾) ⊕ ⊕ ⊕ 퐸푛푐퐾 퐸푛푐퐾 퐸푛푐퐾 C1 C2 C3 An Example Problem – part (a) • Question Suppose for all messages m and keys k, |E(m,k)| = |m|, that is, the size of the encryption of m (in bits) is the same as the size of m. Argue that (E,D) cannot be CPA-secure. • Answer • Domain and Range of the encryption is the same: it has to be deterministic! • Deterministic encryption cannot be secure against CPA adversary! Fixed IV attack Question • Can we just set a fixed IV = 퐸푛푐퐾′(퐾) for every message? What is the problem with this scheme? Answer • IV will always be the same, this is easily detectable by a user! • How can we modify this to make the attack work? Stateful IV Attack • 푬′ 푲′, 퐊, 퐌, 퐀, 흈 Algorithm: • Let 휎 be a counter initialized to 0 • If 휎 = 0 then 퐼푉 ← 퐸푛푐퐾′ 퐾 푘 • Else 퐼푉 ←푅 0, 1 • 퐶 = 퐸퐾 푀, 퐴, 퐼푉 • 휎 = 휎 + 1; Return 퐶 • 푫′ 푲′, 푪, 푨 Algorithm (푪 is an indexed array of ciphertexts): • 퐼푉 ← 푋 퐶 1 • 퐾 ← 퐷푒푐퐾′(퐼푉) • 푀 1 ← 퐷퐾 퐶 1 , 퐴 1 • Return 푀 Stateful IV Attack Alice 퐶 = 퐸퐾′ 퐾 ||퐸퐾 푀 DEC(K, C) ENC(K, M’) ENC(K’, K, M) DEC(K’, K, C’) Bob Shared 퐾′ DEC(K, C) DEC’(K’, C) ENC(K, M’) Attack Against Stateful IV Attack • State reset attack • If the state could get reset to 휎 = 0 then the IV would repeat, highly unlikely to happen if the IV is truly random or pseudorandom • Solution • Use a probabilistic / combinatorial version of Π instead of a stateful version of Π Stateless IV Attack • The intuition is that we will randomly select a single bit of the Key 퐾 and leak it in an IV • 퐼푉 = 퐸푛푐퐾′ (푏푖푡, 푖푛푑푒푥, 푟푎푛푑표푚 푝푎푑) Stateless IV Attack • Let 푘 be the size of the key (ex.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages55 Page
-
File Size-