Chapter 8ii: Secure Channel Flashcards
Authenticated Encryption With Associated Data (AEAD)
- In order to establish a secure channel, quite a lot has to be considered:
- Encryption (selection of the right cipher and mode of operation, IV, sequence numbers, key, …)
- Integrity protection/authentication (selection of the right MAC construction, key, feeding the right parameters (IV, sequence numbers, ciphertext, …) into the function, …)
- Using the crypto primitives in the right order (Encrypt-then-MAC)
All-in-one solution: Authenticated Encryption With Associated Data (AEAD)
- Possible problems:
- Design and/or implementation errors
- Performance: in our toy example, the data (first the plaintext, then the ciphertext) had to be processed in two separate steps. It would be desirable to have a “one-pass” solution!
Authenticated Encryption With Associated Data (AEAD)
Definition:
- One-pass encryption and MAC calculation over the payload, including “associated data”
Specify benefits and examples.
- Associated data (AD): additional non-encrypted but authenticated (header) data, e.g.
- Sequence numbers
- IV
- Information necessary for message routing
- Benefits:
- Security: AEAD algorithms correctly combine message encryption and authentication and are standardized; errors by inexperienced programmers (wrong order of the primitives, parameters left out of the MAC) can be avoided
- Performance: AEAD algorithms only need one pass over the data
- Examples:
- Galois/Counter Mode (GCM)
- Offset Codebook Mode (OCB)
Galois/Counter Mode (GCM)
- Combines the concept of Counter Mode for encryption with Galois Field multiplication to compute a MAC over the ciphertext
- Associated data is data that is not to be encrypted. GCM generates the check value by XORing each block into a running value and multiplying the result with H in GF(2^128); H = E_K(0^128) is the encryption of the all-zero block under the session key.
- For the MAC, this process continues over the ciphertext blocks and, at the end, a length field (the bit lengths of AD and ciphertext).
What to note here?
- Note: the example authenticates 1 AD block and encrypts and authenticates 2 plaintext blocks
- Counter 0 is derived from the IV (for a 96-bit IV, Counter 0 = IV || 0^31 || 1; the payload is encrypted with Counter 1, 2, …); Auth Tag = MAC = E_K(Counter 0) XOR the GHASH result
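As an added, runnable example (written for these notes; not code from the original flashcards or from any library): the Go program below builds AES-GCM exactly as described above, the GF(2^128) multiplication with H over AD, ciphertext and length block, Counter Mode for the payload, and the tag as E_K(Counter 0) XOR GHASH, and checks the result byte for byte against Go's standard-library AES-GCM. Key, nonce, AD and plaintext are constructed sample values, and all function and variable names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// felem is a GCM field element: one 16-byte block as two big-endian halves.
type felem struct{ hi, lo uint64 }

func load(b []byte) felem {
	return felem{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:])}
}
func (x felem) xor(y felem) felem { return felem{x.hi ^ y.hi, x.lo ^ y.lo} }
func (x felem) bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], x.hi)
	binary.BigEndian.PutUint64(out[8:], x.lo)
	return out
}

// gfMul is the GF(2^128) multiplication of NIST SP 800-38D, Algorithm 1.
// GCM numbers bits from the left, so x is walked byte by byte, MSB first.
func gfMul(x, y felem) felem {
	z, v := felem{}, y
	for _, xb := range x.bytes() {
		for bit := 7; bit >= 0; bit-- {
			if xb>>uint(bit)&1 == 1 {
				z = z.xor(v)
			}
			lsb := v.lo & 1
			v = felem{v.hi >> 1, v.lo>>1 | v.hi<<63}
			if lsb == 1 {
				v.hi ^= 0xE100000000000000 // reduce by R = 11100001 || 0^120
			}
		}
	}
	return z
}

// ghash absorbs AD, then ciphertext, then the bit-length block, each
// zero-padded to 16 bytes: Y_i = (Y_{i-1} XOR X_i) * H.
func ghash(h felem, ad, ct []byte) felem {
	var y felem
	for _, data := range [][]byte{ad, ct} {
		for off := 0; off < len(data); off += 16 {
			var chunk [16]byte
			copy(chunk[:], data[off:])
			y = gfMul(y.xor(load(chunk[:])), h)
		}
	}
	return gfMul(y.xor(felem{uint64(len(ad)) * 8, uint64(len(ct)) * 8}), h)
}

// manualGCM assembles AES-GCM from its parts for a 96-bit IV: H = E_K(0^128),
// Counter Mode with counter blocks IV||2, IV||3, ... for the payload, and
// tag = E_K(IV||1) XOR GHASH(H, AD, C).
func manualGCM(key, iv, ad, pt []byte) (ct, tag []byte) {
	blk, _ := aes.NewCipher(key) // sample key is 16 bytes, so no error
	var hb, zero, ctr, ks [16]byte
	blk.Encrypt(hb[:], zero[:])
	ct = make([]byte, len(pt))
	copy(ctr[:], iv)
	for off := 0; off < len(pt); off += 16 {
		binary.BigEndian.PutUint32(ctr[12:], uint32(off/16)+2)
		blk.Encrypt(ks[:], ctr[:])
		for i := 0; i < 16 && off+i < len(pt); i++ {
			ct[off+i] = pt[off+i] ^ ks[i]
		}
	}
	binary.BigEndian.PutUint32(ctr[12:], 1) // Counter 0 = J0 = IV || 0^31 || 1
	blk.Encrypt(ks[:], ctr[:])
	return ct, ghash(load(hb[:]), ad, ct).xor(load(ks[:])).bytes()
}

// Constructed sample inputs (not from the page): 16-byte key, 12-byte nonce,
// an unencrypted header as AD and a payload that is not a block multiple.
var (
	sampleKey = []byte("0123456789abcdef")
	sampleIV  = []byte("unique-nonce")
	sampleAD  = []byte("seq=7;route=alice->bob")
	samplePT  = []byte("attack at dawn, hold the bridge")
)

func stdlibGCM() cipher.AEAD {
	blk, _ := aes.NewCipher(sampleKey)
	aead, _ := cipher.NewGCM(blk)
	return aead
}

// MatchesStdlib: does the hand-built GCM agree byte for byte with crypto/cipher (ciphertext || tag)?
func MatchesStdlib() bool {
	ct, tag := manualGCM(sampleKey, sampleIV, sampleAD, samplePT)
	return string(append(ct, tag...)) == string(stdlibGCM().Seal(nil, sampleIV, samplePT, sampleAD))
}

// TamperingDetected flips one bit of the cleartext AD: AD is not encrypted, but it is authenticated.
func TamperingDetected() bool {
	sealed := stdlibGCM().Seal(nil, sampleIV, samplePT, sampleAD)
	badAD := append([]byte{}, sampleAD...)
	badAD[4] ^= 0x01 // "seq=7" becomes "seq=6"
	_, err := stdlibGCM().Open(nil, sampleIV, sealed, badAD)
	return err != nil
}

func main() { fmt.Println("matches stdlib:", MatchesStdlib(), "tampering detected:", TamperingDetected()) }
```

The same construction explains why GCM nonces must never repeat: with a repeated IV the counter blocks, and hence the keystream, are reused, and because H is fixed per key, two tags computed under the same IV let an attacker solve for H and forge tags for that key.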
Offset Codebook Mode (OCB)
- Block-dependent offsets mask the plaintext blocks (XORed in before and after the block cipher call), which avoids ECB problems such as determinism!
- AD is not encrypted but authenticated
- For example: unencrypted header data
- Checksum = XOR over all plaintext blocks (a final partial block is padded with 1 0*); before it is encrypted it is combined with the length- and key-dependent values Offset_* and L_$
- MAC (tag) = E_K(Checksum ⊕ Offset_* ⊕ L_$) ⊕ HASH(K, AD)
- Note: HASH(K, AD) is OCB's own function for the associated data and is also part of the standard [RFC 7253]
Offset Codebook Mode (OCB)
- The L values are used to compute the offsets for the different inputs:
- L_ntz(i) → P_1, P_2, … P_m (the first m full plaintext blocks; ntz(i) is the number of trailing zero bits of the block index i)
- L_* → P_* (the last, partial block)
- L_$ → checksum
- Note:
- Only a few L_i are needed (for a fixed K): L_* = E_K(0^128), L_$ = double(L_*), L_0 = double(L_$), L_i = double(L_{i−1}), where double() is multiplication by x in GF(2^128) [RFC 7253]
- They can be pre-computed and stored in a lookup table
OCB Initialization
- Offset_0 is computed by a specific function depending on the key and a nonce
- “It is crucial that, as one encrypts, one does not repeat a nonce.” [RFC 7253, §5.1]
- Otherwise identical messages would be processed identically (same ciphertext, same MAC)
- The nonce does not have to be random, e.g. a counter works fine
- A new nonce is needed for every authenticated encryption API call!
Offset Codebook Mode (OCB)
- Question: XOR the plaintext and then encrypt, that sounds like the weak MAC example from slide 6.19. Why is OCB secure?
- The attack on 6.19 was possible because the attacker knows m and can easily forge the “magic” block y0, which does not depend on any secret.
- With OCB, the attacker cannot apply the same trick, as they neither know nor can compute
- Offset_* and
- the L's (all derived from E_K),
- and lastly, the attacker does not know m, as it is encrypted.
- “OCB enjoys provable security: the mode of operation is secure assuming that the underlying blockcipher is secure. As with most modes of operation, security degrades as the number of blocks processed gets large” [RFC 7253, §5]
Attacks against a Secure Channel (Stream Cipher)
- The assumption is that we generate a password guess and then test it.
- The assumption is that we can check each character individually for correctness (the channel leaks, per character, whether it was right).
- For each character this takes N/2 tries on average and N in the worst case (N = size of the character set)
- So, overall L * N/2 tries on average (L * N worst case) for a password of L characters, instead of the N^L needed when only the whole password can be checked
MAC-then-Encrypt Issues
Operation & Consequence
- Operation: P and the MAC are encrypted and hidden in the ciphertext. What happens at the receiver?
What are the consequences?
- Decrypts P
- Decrypts the MAC
- Computes and checks the MAC → MAC error or success
MAC-then-Encode-then-Encrypt
- If we use a block cipher, we have to ensure that the message encoding fits the block size of the cipher, i.e. P || MAC is padded before encryption. How does MAC-Encode-Encrypt work?
Oracles and Side Channels
- In the past, people asked oracles for guidance.
- In computer science, oracles are functions that give cheap access to information that would otherwise be hard to compute.
- E.g. O(1) cost to ask a specific NP-complete question → polynomial hierarchy
What happens in cryptography?
Fill in the blanks.
Concept of Padding Oracle Attack (against CBC)
- To decrypt the ciphertext, the attacker modifies C and sends it to Bob.
- It is unlikely that the MAC and the padding are both correct. So, Bob will send an error back to Alice (and the attacker can observe it). Which error it is, padding or MAC, is what leaks information about the decrypted bytes.
What is shown below?
Figure: CBC encryption (above) and decryption (below)
Padding Oracle Attack - CBC mode decryption (revisited)
Padding Oracle Attack against CBC
Assumptions, Approach, Goal
Goal: Decrypt the complete ciphertext using the oracle.
- Assumptions:
- Attacker got hold of a ciphertext C (n blocks, N bytes per block)
- C was protected with encryption in CBC mode used in MAC-then-Encode-then-Encrypt mode.
- For padding, PKCS7 was used (padding of 1 byte: 01, padding of 2 bytes: 02 02, …, padding of N bytes: N repeated N times)
- An oracle replies to sent ciphertexts with error messages:
- Padding error if the padding doesn't match (checked before the MAC).
- MAC error if the padding fits but the MAC is wrong.
Padding Oracle Attack vs. CBC
How does it work?
- The attack targets CBC mode used in MAC-then-Encode-then-Encrypt mode.
- The padding oracle attack has long been known in cryptography (Vaudenay, 2002).
- The mode was still used in SSL/TLS, and attacks such as Lucky 13 exploited it. Defenses have since been added: constant-time padding and MAC checks, the Encrypt-then-MAC extension (RFC 7366), and AEAD-only cipher suites in TLS 1.3.
- CBC with Encode-then-Encrypt-then-MAC does not have this vulnerability.
- Because the MAC check fails first, processing is aborted and padding problems are never leaked.
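As an added example for the MAC-then-Encode-then-Encrypt receiver described above and the padding oracle attack against it (constructed for these notes; not code from the original page or from any TLS implementation): a Go program with a sender (HMAC, PKCS7 padding, AES-CBC), a leaky receiver that distinguishes padding errors from MAC errors, and an attacker that uses only that distinction to recover the plaintext block by block. Keys, IV and message are constructed sample values, and all names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errPadding = errors.New("padding error")
var errMAC = errors.New("MAC error")

// Receiver-side keys, constructed for this example; the attacker never sees them.
var encKey = []byte("0123456789abcdef")
var macKey = []byte("mac-key-for-demo")

// macEncodeEncrypt is the sender: HMAC over P, append it, PKCS7-pad to the
// AES block size, CBC-encrypt. Returns iv || ciphertext.
func macEncodeEncrypt(iv, p []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(p)
	msg := mac.Sum(append([]byte{}, p...)) // P || MAC
	n := 16 - len(msg)%16
	msg = append(msg, bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, msg)
	return append(append([]byte{}, iv...), ct...)
}

// padOracle is the leaky receiver: CBC-decrypt, check the padding, then the
// MAC, and report which of the two failed (that distinction is the oracle).
func padOracle(msg []byte) error {
	iv, ct := msg[:16], msg[16:]
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > 16 || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return errPadding
	}
	body := pt[:len(pt)-n]
	if len(body) < 32 {
		return errMAC
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body[:len(body)-32])
	if !hmac.Equal(body[len(body)-32:], mac.Sum(nil)) {
		return errMAC
	}
	return nil
}

// attackBlock recovers D_K(target) byte by byte (last byte first) using only
// the padding/MAC distinction, then XORs with prev, the block preceding target
// in the CBC chain, to obtain the plaintext block.
func attackBlock(prev, target []byte) []byte {
	inter := make([]byte, 16) // D_K(target), the block cipher output before the CBC XOR
	for pos := 15; pos >= 0; pos-- {
		pad := byte(16 - pos)
		probe := make([]byte, 16)
		for k := pos + 1; k < 16; k++ {
			probe[k] = inter[k] ^ pad // known bytes are forced to decrypt to the pad value
		}
		for guess := 0; guess < 256; guess++ {
			probe[pos] = byte(guess)
			if padOracle(append(probe, target...)) == errPadding {
				continue
			}
			if pos == 15 { // rule out a false "valid" padding such as 02 02: alter byte 14 and re-ask
				probe[14] ^= 0xff
				stillValid := padOracle(append(probe, target...)) != errPadding
				probe[14] ^= 0xff
				if !stillValid {
					continue
				}
			}
			inter[pos] = byte(guess) ^ pad // padding was valid, so D_K(target)[pos] ^ guess == pad
			break
		}
	}
	out := make([]byte, 16)
	for i := range out {
		out[i] = inter[i] ^ prev[i]
	}
	return out
}

// paddingOracleAttack decrypts iv || ct block by block, then strips the
// padding and the 32-byte HMAC the sender appended.
func paddingOracleAttack(msg []byte) []byte {
	var rec []byte
	for off := 16; off < len(msg); off += 16 {
		rec = append(rec, attackBlock(msg[off-16:off], msg[off:off+16])...)
	}
	return rec[:len(rec)-int(rec[len(rec)-1])-32]
}

// Constructed sample message (not from the page).
var sampleIV = []byte("constructed-iv!!")
var samplePlaintext = "transfer 100 EUR to account 4711"

// RecoverSample runs the attack against the sample and returns what the attacker learns.
func RecoverSample() string {
	return string(paddingOracleAttack(macEncodeEncrypt(sampleIV, []byte(samplePlaintext))))
}

func main() { fmt.Printf("recovered: %q\n", RecoverSample()) }
```

The attacker never touches the keys: every query costs at most 256 oracle calls per byte, so a block is recovered with at most 16 * 256 queries. An Encode-then-Encrypt-then-MAC receiver that verifies the MAC over the ciphertext first and returns a single uniform error gives the guess loop the same answer for all 256 candidates, so it learns nothing; note that returning the same error text is not sufficient if the two failure paths still differ in timing, which is what Lucky 13 exploited.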