Merkle- Suppose H is a Damgaord hash function built from a secure compression function : several to build a function ways keyed : m : = H Ilm 1 . end FCK ) (k ) Prep key , " " ↳ - Insecure due to structure of Merkle : can mount an extension attack: H (KH m) can Barnyard given , compute ' Hlkllmllm ) by extending Merkle- Danged chain = : m : 2 . FCK ) 11k) Append key , Hlm ↳ - - to : Similar to hash then MAC construction and vulnerable same offline attack adversary finds a collision in the - - > Merkle and uses that to construct a for SHA I used PDF files Barnyard prefix forgery f , they ↳ - Structure in SHA I (can matches exploited collision demonstration generate arbitrary collisions once prefix ) ' = : FCK m - H on h 3. method , ) ( K HMH K) for reasonable randomness ( both Envelope pseudo assumptions e.g , : = - = i - - : F ( m m } : h K m h m k 4. nest ( ki ) H Ck H (k m ( , and m ( ) is a PRF both Two , kz , ) (ka HH , )) F- , ) ) Falk , ) , ) key , - of these constructions are secure PRFS on a variable size domain hash- based MAC ✓ a the - nest with correlated : HMAC is PRF / MAC based on two key (though keys) : = m H H ka m HMACCK ( K H ( , )) , ) , where k ← k ④ and kz ← k to , ipad opad and and are fixed ( in the HMAC standard) ipad opad strings specified I 0×36 repeated %x5C repeated : k . a Since , and ka are correlated need to make on h remains under Sety , stronger assumption security leg , pseudorandom related attack) Instantiations : denoted HMAC- H where H is the hash function Typically , HMAC- SHAI %" - - HMAC SHA256 one of the most - used MAC on the web (used in IPsec SSH and more widely SSLITLS, , , ) : Recall that under reasonable HMAC is a secure PRF HMACy¥ahi assumptions , In we need to derive from a master derived from a ) many protocols, multiple keys single key leg, password ↳ : To derive a PRF is a natural multiple independent cryptographic keys , primitive ← " " Keno H MAC (k master eric ) PRF derived are from , security says keys computationally indistinguishable ← " " mac ) k mac HMAC (kmaster uniform , ) T derived master ( has to be unique) keys key ttag just This approach is used in TLS and IPsec to derive session keys durin session setup " " ↳ - General - based - derivation (HKDF RFC paradigm is the expand step in hash key 5869) ↳ Consists of two procedures : - : derive a master from Extract key entropy source a user ) leg, password - Expand: derive sub- keys from the master key Both steps rely on HMAC ? How do we combine confidentiality and integrity ↳ with schemes - Systems both guarantees are called encryptionoutdated gold standard for symmetric encryption touring : ← - - to secure l. then MAC (TLS 1.2T IPsec be secure if we instantiate CPA Encrypt , ) guaranteed using encryption and a secure MAC - - 2. MAC then (SSL 301%510 802 . "i ) encrypt , T as we will see secure , not always scheme :( is an authenticated scheme satisfies the two : . An if it Definition encryption The Encrypt,Decrypt) encryption following properties - CPA security ( confidentiality] - ( ciphertext integrity integrity ] - challenger adversary KEK mi - C - ←Entmf§ L to denote - invalid f- special symbol ciphertext 1 c {Ci Cz . if . } output ¢ , [ and (k =L I Decrypt , c) CI Define Adv CA Tse ] to be the that of above is 1 . The scheme TISE satisfies , probability output experiment it for all efficient adversaries A ciphertext integrity , CIAdv CA THE ] = ) , negkx ← determines security parameter key length cannot with a : it can are those that are ciphertext integrity says adversary come up new ciphertext only ciphertext generate valid . do ? already Why we want this property Encrypted under KA KA KB KE , Consider the following active attack scenario: IE mail server - with Each user shares a key a mail server ( c) KA x. - /To:BoT/ -Message To send mail user and send to mail server Alice ... , encrypts contents under - Encrypted Mail server the email re- it under 's and delivers email , recipient kB decrypts encrypts key Eve intercepts and modifies message Encrypted under Kp If Eve is able to with the , KA KE tamper encrypted message , KB Eve / if mail server then she is able to learn the encrypted contents (even the - scheme is CPA secure) [m°e/¥ ke ka k, ↳ peed More an can and 's Alice Bob , tamper inject ciphertext broadly adversary under KE into a system and observe the user's behavior to learn information - the values active attackers we need notion of about decrypted against , stronger security - scheme ( is secure chosen- attacks (CCA secure all efficient . An Definition encryption Tls Encrypt, Decrypt) against ciphertext ) if for = : adversaries A CCAAdv CA TSE . where we define TSE] as follows , , ] negl CCAADVCA, b. C- {on} adversary I " ← k ) Ci Encrypt ( , mi ±÷:¥"¥tc- b' Eloi) [ make and adversary can arbitrary encryption decryption queries, but cannot it received from the decrypt any ciphertext otherwise break ) ( , can security - challenger - trivially = b' = l b - o] adversary CCAADRLA , Tse] /Pr[ l prfbi.si/b=z ]) " ↳ " called an admissibility criterion CCA - scenario security captures above attack where adversary can tamper with ciphertext ↳ Rules out of of XHZ of Hz possibility transforming encryption to encryption y ↳ adversaries ( CPA- is for adversaries ] Necessary for security against active security security against passive ↳ We of a real CCA HWI will see an example attack in - scheme . If an THE authenticated then it is CCA secure teen encryption provide encryption, - A in the . Tse the 's . Consider an CCA Since ProofLI→ adversary security game provides ciphertext integrity , challenger response the 's be with all but This means we the to will . adversary decryption query 1 negligible probability can implement " " - the function . is the . decryption oracle with output L But then this equivalent to CPA security game " " [ Formalize a counter- : concatenate unused bits to end using hybrid argument ) simple example of ciphertext - scheme in a CCA secure (stripped away during f decryption) : of is not - Note converse the above true since CCA security ⇒ ciphertext integrity. ↳ However CCA- t ⇒ authenticated , security plaintext integrity encryption : Authenticated + -a¥ay encryption captures meaningful confidentiality integrity properties ; provides active security a - be a : Let be scheme and ) secure . ( , ) CPA secure ( MAC We define Encrypt-Af Encrypt Verity encryption sign , Verify Encrypt - then- MAC to be the following scheme : ' : ← ( ) m ) c m ( ke km (ke , ) Encrypt , , Encrypt T T t ← (km c Sign , ) ind¥t keys (c t) output , ' (KE ) Cc t)) : if (km c -4=0 t ( , km , , , Decrypt , Verify , output c else (ke , ) , output Decrypt ' ' If ( is - a MAC . CPA secure is secure then ) is an authenticated Theorem , ) and ( , ) , ( Encrypt Decrypt sign Verify Encrypt , Verify encryption scheme. - - . on Protect CPA follows CPA of ( , ). the MAC is texts and nod security by security Encrypt Decrypt Specifically, computed cipher - the cannot . MAC is of so messages key independent encryption key compromise CPA security follows from MAC lie valid must contain a new on some Ciphertext integrity directly security , any ciphertext tag was not to the the .) ciphertext that given adversary by challenger : - t MAC be this in the formal reduction need to be able to . ( tmportantnotese Encryption keys must independent Above proof required , simulate - can ciphertext / MACS only possible if reduction choose its own key). ↳ Can also constructions that are same is used ( ie both fail to give explicit completelybnkg.it key , properties hold) ↳ in schemes instead ! In never different fresh, general , reuse cryptographic keys ; , sample independent keys - to over the MAC needs be entire ciphertext - computed means first ← " - " version of ISO 19772 for did not MAC IV CBC used for CPA secure ) block lie header Early AE ( encryption , ) - is malleable RN in iOS for data also HMAC not to IV µ - Crypto Apple ( encryption) problematic ( applied encryption ) a - be a Let be scheme and ) secure . : ( . ) CPA secure ( MAC We define MA_Encrypt Encrypt Verify encryption sign , Verify MAC- then- Encrypt to be the following scheme : ' : ← ( (ke km) m ) t (km m) Encrypt , , Sign , ← c (KE cm , -4 Encrypt , ) output c ' : ← (KE ) Cc t)) (mt) ( c) ( , km , Decrypt , compute Decrypt ke, - if ( km m t) - I m else I Verify , , , output , , output Not secure! SSL 3.0 ( to TLS) used randomized CBC t MAC generally precursor secure ↳ attack scheme Simple CCA on (by exploiting padding in CBC encryption) (POODLE attack on SSL 3.0 can traffic a CCA attack] decrypt all encrypted using source - then- see for Padding is a common of problems with MAC Encrypt systems ( HWI an example] - In the libraries t MAC interfaces common source of errors past , provided separate encryption ↳ for Good should minimize for users to make errors net more library design crypto ways , provide flexibility there are standard block modes of that Today , cipher operation provide - authenticatedencryption-One.atthe most widely used is GCM (Galois counter model. standardized by NIST in 2007 - GCMm_ode: follows encrypt- then MAC paradigm - in with AES - used action - Most CPA secure encryption is nonce based counter mode commonly conj - AES - MAC is Carter - MAC ( GCM authenticated ) a Wegman } provides encryption " " Carter - MAC ( MAC ) : randomized MAC : Wegman encrypted very lightweight , - " : X → H M 90,13 be a hash function relies on a mild the hash function Let KH keyed security assumption on " - t → Let F : KF R {0,13 be a PRF and can be realized unconditionally