CSE 291-I: Applied Cryptography

CSE 291-I: Applied Cryptography

CSE 291-I: Applied Cryptography Nadia Heninger UCSD Spring 2020 Lecture 7 Legal Notice The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements 1. HW 3 is due Wednesday! 2. HW 4 will be posted online today, due before class in 1.5 weeks, April 29. Last time: Hash functions This time: Hash-based MACs, authenticated encryption Constructing a MAC from a hash function Recall: Collision-resistant hash function: Unkeyed function • H : 0, 1 0, 1 n hard to find inputs mapping to same { }⇤ ! { } output. MAC: Keyed function Mac (m)=t, hard for adversary to • k construct valid (m, t) pair. to c for forge H Lm) =t easy adversary need a secret key Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. Ok, but vulnerable to offline collision-finding attacks against H. Ok, but nobody uses. Secure, similar to HMAC. Candidate MAC constructions yupREIMAC F (k, m)=H(k m) • || F (k, m)=H(m k) • || F (k, m)=H(k m k) • || || F (k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Ok, but vulnerable to offline collision-finding attacks against H. Ok, but nobody uses. Secure, similar to HMAC. Candidate MAC constructions F (k, m)=H(k m) • || Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. F (k, m)=H(m k) • || F (k, m)=H(k m k) • || || F (k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Ok, but nobody uses. Secure, similar to HMAC. Candidate MAC constructions F (k, m)=H(k m) • || Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. " - Lentini Hertz) - if Hlm - Alma) F (k, m)=H(m k) .) and U-D • - || Hlmillk) - Hlmzllk) Ok, but vulnerable to offline collision-finding attacks against - H. F (k, m)=H(k m k) • || || F (k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Secure, similar to HMAC. Candidate MAC constructions F (k, m)=H(k m) • || Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. F (k, m)=H(m k) • || Ok, but vulnerable to offline collision-finding attacks against H. F (k, m)=H(k m k) • || || Ok, but nobody uses. F (k , k , m)=H(k H(k m)) • 1 2 2|| 1|| Candidate MAC constructions F (k, m)=H(k m) • || Insecure. Vulnerable to length extension attacks for Merkle-Damgård functions. Secure for SHA3 sponge. F (k, m)=H(m k) • || Ok, but vulnerable to offline collision-finding attacks against H. F (k, m)=H(k m k) • || || Ok, but nobody uses. F (k1, k2, m)=H(k2 H(k1 m)) - • || - || Secure, similar to HMAC. Length extension attacks Recall the Merkle-Damgård construction: = mall padIller In) The final output is equivalent to an intermediate state for H(m pad ...). || || m : : (m HCK " )) input Dad MAC , ' Length extension attacks validbad :( " m forge MAC mllped , Hlkllmllpcdllm ') So even if we only know H(m) but not m, we can construct the hash H(m pad m ) for any m || || new new centre any length h - - - Just need to know (or guess) len(m) to compute padding. In particular, can do length extension on an insecure MAC constructed as H(k m) if you know len(k). || Attack: MAC form 5M A ' t is ' ¥E¥} Ca was if validform HMAC: A PRF for Merkle-Damgård functions m F (m)=H(k opad H(k ipad)) k ⊕ ||IH⊕ ipad = 0x36 opad = 0x5C - - Under the heuristic assumption that k opad and k ipad are ⊕ ⊕ “independent” keys, this is a secure PRF. HMAC is standardized and HMAC-SHA256 is a good choice. Historically HMAC-SHA1 was also common. H(k m) is a secure MAC for SHA3. || Key derivation Problem: How do we get symmetric keys? Input: Some data that we want to use to generate a key. Apassword • Abunchofnonuniformrandominputsfromtheenvironment • { The result of a public-key agreement (coming soon!) . • : Desired output: Uniform AES or MAC keys of the right length. Solutions that work in practice: H(data) • HMAC (data) (better for Merkle-Damgård functions) I • 0 Subkey derivation For a real protocol, we likely need several keys: encryption keys for each direction, MAC keys. Once we have derived a master key mk using a hash function, we can use a PRF to to derive subkeys. Examples: k = FM ("MAC-KEY") • mac k k = Fm ("AB-KEY") for Alice Bob encryption • AB k ! k = Fm ("BA-KEY") for Bob Alice encryption • BA k ! If F is a secure PRF, then these behave like independent keys. HMAC is often used for this in practice. HKDF Standardized HMAC-based key derivation function. Input: Secret s, optional salt salt Output: L bytes of output Algorithm: Use a HMAC function with output length `. 1. t = HMACsalt (s) 2. z0 = empty string. 3. for i from 1 toNeil`: : zi = HMACt (zi 1 i) # I − || 4. Output L bytes of z1 ... -|| Chosen ciphertext attacks 't can guy Decide) Definition (Enc, Dec) is CCA-secure if efficient adversaries A, 8 - Pr[A succeeds] 1/2 + ✏ IND-CCA1: Non-adaptive: Decryption oracle only queried prior to c IND-CCA2: Adaptive: May make further calls to decryption oracle Ciphertext Integrity A onset valid c is a ciphertext c not queried Definition (Enc, Dec) provides ciphertext integrity if Pr[A succeeds]= negligible. Authenticated Encryption Definition (Enc, Dec) provides authenticated encryption if it is CPA-secure and provides ciphertext integrity. Theorem If (Enc, Dec) provides authenticated encryption then it is CCA-secure. Constructing Authenticated Encryption Encrypt-then-MAC Encryption: c =Enc (m) t = Mac (c) output (c, t) • ke km - Decryption: Input (c, t). • Verify (c, t)= If km reject then output reject oh wok else output Decke (c). choice aHak broker make man t straw Mac ) Theorem Gnc, attak In I Reek Encrypt-then-MAC is CCA secure. of preheatdnt PRF sure , secure not Mfc a with both is Common implementation mistakes: d this secure then not but keys Using the same key for encryption and MAC same • Only MACing part of the ciphertext. (e.g. omitting the IV or • the data used to derive a deterministic IV) Outputting some plaintext before verifying integrity • MAC then Encrypt is not CCA secure - MAC Hu- encrypt #Encrypt-then-MAC Encryption: t = Mackm (m) c =Encke (m t) output c • || - Decryption: Input c. Compute Decke (c)=(m t) • -|| If Verifykm (m, t)=reject then output reject else output m. MAC-then-encrypt can fail to be secure even with CPA-secure Enc and secure MAC. SSL 3.0 vulnerable to POODLE attack. POODLE Attack Idea SSL 3.0 uses MAC-then-encrypt with CBC mode. c=Enc(message||MACtag||pad) To pad p bytes, append p 1arbitrarybytesandthenbytep 1. − − (For 0 bytes, append dummy block of 15 bytes ending in 15.) If adversary intercepts block Then they query decryption oracle with (een f this block I officiate ishykoay It? If last byte is 15, decryption valid, otherwise likely reject = learn byte of m. ) once madjfm.it Degania me , if rmY 9mdwuxb t T [email protected] →Dieu de DIE; Negi we Cle) ] " : Ther : Attack: Dec ¥E If MACIEJ = 15 " " block ⇒ valid c¥¥fDec④ ~> padding T ⇒ Decryption oracle accepts " CED ow " invalid ⇒ padding I → rejects : learns that Then Atteeke- Assumptions: ' w/ is CPA -save Deo,cCcHD=N④m CBC - mode padding unforeseeable all- 55 is on D= MAC - r - , - - - Wto - bytes . q hey , .tw#E4frtseiseuebytel5otmindistinguishably message : breeks practice broken in theory To e g s l o i t i n HTTPqueries ⇒ " constructs cookie Attacker to learn at a time A - ¥ 1- GET - shifting byte cookie to HTTP CAA . message victim connects - Oracle - website Authenticated encryption in practice Fine solution: Use AES-GCM mode. TLS 1.3 uses authenticated encryption modes correctly. • Older versions of TLS use MAC-then-encrypt. • SSHv2 uses Encrypt-and-MAC. This is not generally secure • but is secure for SSH’s cipher choices..

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    24 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us