Chapter 8i: Secure Channel

Question 1

What does a secure channel provide?

Where are such constructions used?

Note:

Answer 1

• Confidentiality, Integrity, Authenticity
• Messages received in correct order
• No duplicates/replayed messages (Bonus: we know which messages are missing)
• Virtual private network protocols (VPN) like OpenVPN, IPSec, Wireguard
• Transport layer security protocols like TLS, DTLS
• Secure messenger applications like Signal

• Secure channels require a long term (symmetric or asymmetric) key to work
• Exchanging/agreeing on long term keys is often done out of band

Question 2

• How can we achieve confidentiality, integrity, and authenticity?

Answer 2

• Using a symmetric cipher and a MAC algorithm

• Security differs between the options
• We are using different keys for encryption and integrity protection: k-int and k-enc
• k-int and k-enc can be derived from a session key k using a key derivation function (KDF)

Question 3

#1: MAC-then-Enc

• Enck -enc (m, MACk -int (m)):

Answer 3

Question 4

#2: MAC & Enc

Answer 4

Question 5

#3: Enc-then-MAC

Answer 5

Question 6

Secure Channel Implementation

What do we need? Illustrate a toy implementation.

Answer 6

• Message numbering
• Encryption
• Authentication

Question 7

Secure Channel Implementation

Message Numbering:

Answer 7

Question 8

Secure Channel Implementation

Explain.

Answer 8

• We generate one key for each purpose
• Initialization was shown for Alice! On Bob’s side, keys will be generated differently:
  e.g.: K_send_enc = KDF(k || “Enc Bob to Alice”)
• We assume Alice and Bob share a session key k , established using authenticated DH key exchange
• Where · ∥ · means string/byte concatenation

Question 9

Explain.

Answer 9

Question 10

Answer 10

• Nonces are random 120bit values
• We avoid the (unlikely) event that the same nonce is generated twice

Question 11

Secure Channel Implementation

What’s going on here?

Answer 11

Sending a message.

Question 12

Secure Channel Implementation: Problems?

• Verifying a MAC: def verify(k, msg, t):
  return HMAC -SHA -256(k, msg) == t

Answer 12

Problem:
* Runtime of equality test of two strings differs!
* Longs runtime for equal strings!
* Shorter runtime for different strings (function returns after first different byte!)
* Different runtimes can be attack vector for timing/side channel attacks!
* (See padding oracle attack)

Question 13

Secure Channel Implementation

Answer 13

Question 14

Secure Channel Implementation

• Receiving a Message:

Answer 14

if n_recv + 1 >= MAX_INT - 1:

if not verify(K_recv_int, n || IV || c, t):

if n <= n_recv:

if n != n_recv + 1:

DEC-AES-128-CTR(K_recv_enc, IV, c)