Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3]. However, some potential attacks have been proposed against certain AE schemes [4]; in particular the interaction between confidentiality and integrity assurance components in an AE scheme may cause problems unless special care is taken [5]. Therefore, at the beginning of 2013, the Competition for Authenticated En- cryption: Security, Applicability, and Robustness (CAESAR), was launched to invite proposals for AE schemes that are more powerful and practical in terms of security and speed than GCM [6]. The overall aim of this research is to analyse the security of some block cipher modes of operation submitted to CAESAR. The analysis is performed through considering the structure of the block cipher mode used in AE schemes. This may reveal vulnerabilities in the integrity assurance that can be exploited in forgery attacks. Further, we propose fault attacks against certain CAESAR iii block cipher modes. Finally, an AE block cipher mode is proposed that assures resilience against side channel leakage, and provides misuse resistance and online computation at both sender and receiver sides. This thesis analyses four block cipher modes: ++AE, OTR, XEX/XE and AEZ, and has five contributions. The first work identifies serious flaws in the integrity assurance mechanism of ++AE [7]. Most significantly, it does not verify the most significant bit of any message block. Other flaws are also identified which allow forgeries (including addition, deletion and swapping of certain blocks) in a chosen plaintext mes- sage. This work therefore concludes that ++AE is insecure as an authenticated encryption mode of operation. The second contribution is the investigation of the generic OTR mode [8,9]. The current masking coefficients are specific to the finite field used to update masks. This work shows that certain choices of primitive polynomials result in mask collisions that can be exploited in forgery attacks. Alternatively, generic masking coefficients are proposed that can be used with any block size and any primitive polynomial, without affecting the security provided by this scheme. Thirdly, we apply fault attacks to XEX/XE modes [10] to either eliminate the effect of secret masks or retrieve their values. Either of these cases enables existing fault attack techniques to recover the secret key. Different fault attack methods were demonstrated in this work by using permanent, transient, and biased fault injections. This work also shows that the AE modes: COPA, ELmD, SHELL, OCB2 and OTR are susceptible to our fault attack techniques. The fourth contribution describes a fault analysis on AEZ [11] focusing mainly on AEZ v4.2 and the most updated version AEZ v5. This work shows that all three 128-bit keys in AEZ v4.2 can be uniquely retrieved using only three fault injections. In addition, a similar approach using four fault injections can uniquely recover all keys of AEZ v5. Two approaches are suggested to prevent attackers from exploiting the structure of AEZ in order to minimise the number of faults. The final contribution studies the leakage of existing AE block cipher modes that can be exploited in side channel attacks. Certain AE proposals provide leakage resilience and misuse resistance on the sender side only (and not the receiver side), while others provide leakage resilience and misuse resistance on both sides, but cannot perform online computation. This work proposes an AE block cipher mode that is online, leakage-resilient and misuse resistant at both the sender and receiver ends. iv Contents Keywords .................................. i Abstract................................... iii Table of Contents.............................. v List of Figures................................ xi List of Tables................................xiii Notation................................... xv Declaration .................................xix Previously Published Material.......................xxi Acknowledgements . .xxiii Chapter 1 Introduction1 1.1 Background and motivation ..................... 1 1.2 Research aims and objectives .................... 4 1.3 Research contributions........................ 5 1.4 Organisation of thesis......................... 8 Chapter 2 Background and literature review 11 2.1 Confidentiality provided by block ciphers.............. 11 2.1.1 Block ciphers ......................... 12 2.1.2 Modes of operation...................... 15 2.2 Integrity assurance provided by block ciphers............ 25 2.2.1 Message authentication codes ................ 26 2.2.2 Properties of message authentication codes......... 26 2.2.3 Construction of message authentication codes . 27 2.3 Authenticated encryption ...................... 29 2.3.1 Classification of AE schemes................. 30 2.3.2 Generic composition ..................... 32 2.3.3 Dedicated AE schemes.................... 34 2.3.4 Comparison between dedicated AE modes ......... 38 v 2.3.5 CAESAR competition .................... 38 2.3.6 Selected block cipher-based AE modes ........... 41 2.4 Cryptanalytic attacks......................... 42 2.4.1 Attack goals.......................... 42 2.4.2 Attack models......................... 43 2.4.3 Confidentiality attacks.................... 44 2.4.4 Integrity assurance attacks.................. 46 2.4.5 Implementation attacks.................... 47 2.5 Summary ............................... 52 Chapter 3 Analysis of ++AE authenticated encryption mode 55 3.1 Description of ++AE......................... 57 3.2 Fundamental flaw in ++AE..................... 58 3.3 Other integrity assurance flaws in ++AE.............. 62 3.3.1 Repeating internal vectors Ii 1 and Qi 1 . 62 − − 3.3.2 Groups of blocks that result in the same MDC value . 66 3.4 Forgery attacks on ++AE...................... 71 3.4.1 Forgery attack using two groups............... 72 3.4.2 Forgery attack using a single group............. 75 3.5 Experimental verification....................... 76 3.5.1 Verification of insertion and deletion attack . 77 3.5.2 Verification of swapping attack using two groups . 78 3.5.3 Verification of swapping attack using a single group . 78 3.6 General remarks about ++AE design................ 80 3.7 Conclusion............................... 81 Chapter 4 Tweaking generic OTR mode to avoid forgery attacks 83 4.1 Tweakable block ciphers ....................... 84 4.2 OTR description ........................... 86 4.2.1 Generic OTR mode...................... 86 4.2.2 AES-OTR mode ....................... 90 4.3 Existing analysis of OTR....................... 91 4.4 New analysis of OTR......................... 94 4.4.1 Proposed attacks....................... 95 4.5 Proposed solution........................... 98 4.5.1 Proposed instantiation of encryption/decryption core . 99 vi 4.5.2 Proposed instantiation of authentication core . 99 4.6 Alternative solution..........................101 4.7 Security bounds for OTR using the new masking coefficients . 102 4.8 Conclusion...............................104 Chapter 5 Analysis of XEX mode using fault attacks 107 5.1 Preliminaries .............................109 5.1.1 AES description........................109 5.1.2 The design of XEX mode...................110 5.1.3 Fuhr et al.’s fault attack on AES . 112 5.2 Existing fault attacks on XEX....................114 5.3 Eliminating the masks in XEX mode . 115 5.3.1 Stuck-at-zero fault attack ..................116 5.3.2 Skipping an instruction fault attack . 117 5.3.3 Security implication for mask elimination . 117 5.4 A Ciphertext only attack to reveal secret mask L . 118 5.4.1 Fault model A at round 9 ..................121 5.4.2 Fault model A at round 8 ..................121 5.4.3 Fault model B
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages238 Page
-
File Size-