Modes of Operation and MAC

Pierre-Alain Fouque
Tuesday 8 October 13
Comparison
• Block ciphers (DES, AES, Kasumi)
• advantages: security (proofs for the modes)
• drawbacks: modes (IV), many operations
• Stream ciphers (RC4, A5/1, SNOW3G)
• advantages: lightweight (small), IV setup
• drawbacks: security?
• Uses: stream ciphers for protocols with no room for an IV or that are very constrained. In all other cases, prefer a block cipher.
Security Game
• A block cipher must be indistinguishable from a set of random permutations (substitutions)
• for every k, E(k,.) is a permutation that looks random if the key is not known
(Figure: PRP distinguishing game. The challenger draws b ∈ {0,1} and sets f = E(k,.) or P(.) according to b. The adversary repeatedly queries x and receives f(x), then outputs a guess b'.)
Adv(A) = |Pr[b = b'] - 1/2|
Feistel Scheme
• 1-round Feistel is not secure
• 2-round Feistel is not secure
• 3-round Feistel is not secure under chosen-ciphertext attack (TD exercise)
Ciphertext Block Chaining (CBC)
• Encrypting: C_0 = IV, ..., C_i = E(k, C_{i-1} ⊕ M_i)
• Decrypting: M_i = D(k, C_i) ⊕ C_{i-1}
Drawbacks:
- sequential
Advantages:
- randomized
- propagation of error in decryption
Counter Mode (CTR)
• Better solution
Security
• Confidentiality is ensured by the mode of operation
• Main idea: the ciphertext must be indistinguishable from random for polynomial-time adversaries
• Security games:
• ECB is not IND-CPA
• CBC is IND-CPA secure up to 2^(n/2) queries if E is a PRP (insecure if the IV is guessable)
• CTR is IND-CPA secure up to 2^n queries if E is a PRP
• IND-CCA: integrity of the first block of CBC
Message Authentication Code (MAC)
• Warning: encryption does not provide integrity
• E.g.: CTR mode ensures confidentiality if the block cipher used is secure. However, no integrity is guaranteed. (CBC: first block)
(Figure: Alice sends the bank C1 = E_K(ctr) ⊕ M1 with M1 = "$200 on Bob's account". Eve replaces it with C'1 = C1 ⊕ M1 ⊕ M'1, which the bank decrypts to M'1 = "$2000 on Eve's account".)
Birthday Paradox
• In a set of D elements, by picking √D elements at random, we get a collision with high probability
• two elements are equal
• D = 365: about 23 people are required
• Let N and M be two sets of random elements drawn from a large set D; the expected number of collisions is |N|×|M|/|D| (birthday paradox with boys and girls)
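The following Python example is added here and is not part of the slides. It computes the exact collision probability behind the √D rule, recovers the 23-people figure for D = 365, checks the |N|×|M|/|D| expectation with a seeded simulation, and applies the same count to a t-bit tag space, which is the 2^(t/2) bound used later under Generic Security. All parameters are constructed sample values.

```python
import random
from collections import Counter


def collision_probability(D: int, n: int) -> float:
    """Exact probability that n independent uniform draws from a set of D
    elements contain at least one repeat: 1 - prod_{i<n} (1 - i/D)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= 1.0 - i / D
    return 1.0 - p_all_distinct


def draws_for_even_odds(D: int) -> int:
    """Smallest number of draws for which a collision is at least as likely
    as not; this is about 1.18 * sqrt(D), the slide's 'about sqrt(D)'."""
    n = 1
    while collision_probability(D, n) < 0.5:
        n += 1
    return n


def expected_cross_collisions(N: int, M: int, D: int) -> float:
    """Boys-and-girls variant: N draws in one set, M in another, all uniform
    over D values. Each of the N*M pairs matches with probability 1/D, so by
    linearity of expectation the expected number of matching pairs is N*M/D."""
    return N * M / D


def simulate_cross_collisions(N: int, M: int, D: int, trials: int = 2000, seed: int = 7) -> float:
    """Monte-Carlo check of expected_cross_collisions, with a fixed seed."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        boys = Counter(rng.randrange(D) for _ in range(N))
        girls = [rng.randrange(D) for _ in range(M)]
        total += sum(boys[g] for g in girls)  # (boy, girl) pairs with equal values
    return total / trials


def tag_collision_bound(t: int) -> int:
    """A t-bit tag has D = 2^t possible values, so after about 2^(t/2) MACs a
    repeated tag is expected (Generic Security, item 2)."""
    return draws_for_even_odds(2 ** t)


if __name__ == "__main__":
    print("people for a 50% shared birthday:", draws_for_even_odds(365))
    print("expected boy/girl matches, 100 vs 100:", expected_cross_collisions(100, 100, 365))
    print("simulated:", round(simulate_cross_collisions(100, 100, 365), 2))
    print("MACs before a 16-bit tag repeats with 50% odds:", tag_collision_bound(16))
```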
Definition of Message Authentication Code
• Key generation: randomized algorithm
  • output: key uniformly distributed
• Tag (MAC) generation: randomized or deterministic
  • input: M ∈ {0,1}*
  • output: tag τ ∈ {0,1}^t ∪ {⊥}: τ = M_K(M)
• Verification: deterministic algorithm
  • input: tag τ ∈ {0,1}^t and message M
  • output: a bit saying whether the tag is valid for this message, such that for any K and message M, if τ = M_K(M), then V_K(τ, M) = 1
Security Game
• Adversary's goals:
  • 1. key recovery attacks
  • 2. forgery: producing a valid MAC for some message M (of his choice, or any)
• Adversary's resources:
  • 1. known message attack: interception of MACs. Adv. knows pairs (M, τ) of already tagged messages
  • 2. chosen message attack: Adv. knows the tags of messages of his choice (access to a MAC generation algorithm, adaptively or not)
Security Game
• Def: combining an adversary's goal and some resources
• SUF-CMA: strong unforgeability against chosen message attacks
(Figure: the adversary A sends messages Mi to the challenger and receives tags τi; finally A outputs a pair (M, τ), and the experiment returns 1 if τ is a valid tag for M.)
Adv(A) = Pr(experiment returns 1)
Generic Security
• 1. For a t-bit MAC, the advantage (forgery probability) is always at least 1/2^t
• 2. Among 2^(t/2) MACs, by the birthday paradox, there is a collision between two of them: these collisions can be used to recover the keys ...
MAC vs. Signature
• Signatures:
– used for certifying public keys,
– guarantee non-repudiation,
– same properties as a hand-written signature
• MACs:
– very good performance,
– secret key shared between two users,
– no public verification, no non-repudiation
First Construction
• Let F : {0,1}^k × {0,1}* → {0,1}^t be a random function (i.e. outputs are indistinguishable from random values)
• MAC construction: for message M = M1 … Mm, τ = F_K(M1) ⊕ … ⊕ F_K(Mm)
• Is this scheme secure?
Second Example
• Let F : {0,1}^k × {0,1}* → {0,1}^t be a random function
  For message M = M1 … Mm
  For i = 1 to m, y_i = F_K(<i>, M_i)
  τ = y1 ⊕ … ⊕ ym
• Is this scheme secure?
Unencrypted CBC-MAC
• C_i = E_K(M_i ⊕ C_{i-1})
• MAC = C_m
• Secure only for constant-length messages
(Figure: M1, M2, …, Mm are chained through E_K, producing C1, C2, …; Mac = Cm.)
Security of CBC-MAC
Let M and M' be two arbitrary messages.
(Figure: M = M1 M2 M3 chained through E_K gives C1, C2, C3; MAC(M) is C3 = Mac. M' = M'1 M'2 chained through E_K gives C'1, C'2; MAC(M') is C'2 = Mac'.)
Unencrypted CBC-MAC
• Given the MACs of M and M', it is possible to forge the MAC of another message
(Figure: the message M1 M2 M3 (M'1 ⊕ Mac) M'2 chained through E_K gives C1, C2, C3, C'1 and finally Mac' = C'2: since C3 = Mac, the fourth block enters E_K as M'1 ⊕ Mac ⊕ Mac = M'1, and the tail is processed exactly as M' was.)
• Recovering the secret key takes 2^k MAC computations, where k is the bit length of the key used (exhaustive search)
No IV in CBC-MAC
• The integrity of the first block is not ensured if an IV is used
(Figure: (M, IV, Mac) with M = M1 M2: C1 = E_K(M1 ⊕ IV), Mac = C2 = E_K(M2 ⊕ C1). (M', IV', Mac) with M' = (M1 ⊕ IV' ⊕ IV) M2 under IV' gives the same C1 and therefore the same Mac = C2.)
Encrypted CBC-MAC (EMAC)
• C_i = E_K(M_i ⊕ C_{i-1}) and MAC = E_K'(C_m)
• Secure if fewer than 2^(n/2) MACs are computed
• Keys can be recovered using two exhaustive searches in time 2^k (for k-bit keys)
(Figure: M1, M2, …, Mm chained through E_K give C1, C2, …, Cm; a final E_K' gives Mac = Cm+1.)
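The following Python example is added here and is not part of the slides. A truncated HMAC-SHA256 stands in for the block cipher E_K (the MAC only needs the forward direction, so a keyed PRF is enough), and the keys and messages are constructed. It reproduces the splice shown above on the unencrypted CBC-MAC, shows that EMAC's final E_K' defeats that splice, and shows why the IV must be fixed to zero. The practical lesson is that CBC-MAC on variable-length messages needs a length-aware finishing step (EMAC here; CMAC is the standardised descendant).

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes for this toy setting (n = 128 bits)

# Constructed sample keys, fixed so the example is reproducible (not real secrets).
K = b"constructed-cbc-mac-key-K"
K2 = b"constructed-cbc-mac-key-K'"


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: truncated HMAC-SHA256 as a keyed pseudorandom function.
    CBC-MAC only calls E forward, so a PRF (not a real permutation) suffices here."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg: bytes):
    assert len(msg) % BLOCK == 0, "toy code: whole blocks only, no padding"
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def cbc_mac(key: bytes, msg: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Unencrypted CBC-MAC from the slides: C_i = E_K(M_i xor C_{i-1}), MAC = C_m.
    The iv parameter exists only to show why the standard fixes it at zero."""
    c = iv
    for m in blocks(msg):
        c = E(key, xor(m, c))
    return c


def emac(key: bytes, key2: bytes, msg: bytes) -> bytes:
    """Encrypted CBC-MAC (EMAC): MAC = E_K'(C_m), so the chaining value C_m
    itself never leaves the MAC."""
    return E(key2, cbc_mac(key, msg))


# Constructed messages: M has three blocks, M' has two.
M = b"M1-block-of-16B!" + b"M2-block-of-16B!" + b"M3-block-of-16B!"
M_PRIME = b"N1-block-of-16B!" + b"N2-block-of-16B!"


def splice(tag_of_m: bytes) -> bytes:
    """The slide's combined message M || (M'_1 xor tag) || M'_2."""
    m1p, m2p = blocks(M_PRIME)
    return M + xor(m1p, tag_of_m) + m2p


def unencrypted_cbc_mac_is_length_dependent() -> bool:
    """True when the spliced message carries the same tag as M' alone: with the
    unencrypted MAC, C_3 = MAC(M) is the chaining value entering block 4, the
    xor cancels, and the tail is processed exactly as M' from the zero state."""
    return cbc_mac(K, splice(cbc_mac(K, M))) == cbc_mac(K, M_PRIME)


def emac_resists_splicing() -> bool:
    """Under EMAC the tag is E_K'(C_m), not C_m, so the xor no longer cancels
    the chaining value and the tags differ."""
    return emac(K, K2, splice(emac(K, K2, M))) != emac(K, K2, M_PRIME)


def iv_lets_first_block_change() -> bool:
    """'No IV in CBC-MAC': with a transmitted IV, (M', IV) and
    ((M'_1 xor IV xor IV') || M'_2, IV') share the same tag, so the first block
    is not bound by the MAC. Fixing IV = 0 removes this freedom."""
    iv = b"\x01" * BLOCK
    iv2 = b"\x02" * BLOCK
    m1, m2 = blocks(M_PRIME)
    m_alt = xor(m1, xor(iv, iv2)) + m2
    return cbc_mac(K, M_PRIME, iv) == cbc_mac(K, m_alt, iv2)


if __name__ == "__main__":
    print("CBC-MAC splice gives a valid tag:", unencrypted_cbc_mac_is_length_dependent())
    print("EMAC rejects the same splice:", emac_resists_splicing())
    print("IV lets the first block change:", iv_lets_first_block_change())
```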
Some Attacks
(Figure, built up over several slides: M = M1 … Mm and N = N1 … Nm' are each chained through E_K and finished with E_K', giving Mac = Cm+1 and Mac' = Cm'+1. A collision Mac = Mac' means the inputs to the final E_K' were equal. Appending the same block R to both messages then yields the same tag τ for M || R and N || R.)
Security Analysis
• Assume 2^(n/2) MACs are computed: (Mi, τi), 0 ≤ i ≤ 2^(n/2), with Mi ≠ Mj
• By the birthday paradox, there exist i, j such that i ≠ j and τi = τj
• Ask for the MAC τ of Mi || R, where R is a random block
• Claim: one can forge the MAC of the message Mj || R: it is τ
Key Recovery
(Figure: M1, M2, …, Mm are chained through DES_K giving C1, C2, …, Cm; a final TDES_{K,K'} gives Mac = Cm+1.)
For efficiency and security reasons, one decides E = DES with key K and E' = TDES with keys K, K'. What is the complexity of recovering the keys K and K'?
Hash-based MAC
• Consider the following MAC scheme: MAC_K(M) = H(K || M). Is it secure?
HMAC
• HMAC_K(M) = H(K' ⊕ opad, H(K' ⊕ ipad, M))
• where ipad and opad are constant values:
–
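The following Python example is added here and is not part of the slides. It builds HMAC directly from the formula above with hashlib and cross-checks the result against the standard library's hmac module. The padding bytes 0x36 (ipad) and 0x5c (opad) repeated over the hash block size, and the rule of hashing keys longer than a block and zero-padding shorter ones, are those of RFC 2104; the sample keys and messages are constructed.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H((K' xor opad) || H((K' xor ipad) || M)).
    K' is the key brought to the hash block size: hashed first if longer,
    zero-padded on the right if shorter (RFC 2104)."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in k_prime)  # K' xor ipad
    k_opad = bytes(b ^ 0x5C for b in k_prime)  # K' xor opad
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against Python's hmac module, an independent implementation."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_from_definition(key, msg), reference)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """The verification algorithm V_K(tag, M) of the MAC definition: recompute
    and compare in constant time so the comparison leaks nothing about the tag."""
    return hmac.compare_digest(hmac_from_definition(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample key and message.
    k, m = b"constructed-sample-key", b"message to authenticate"
    tag = hmac_from_definition(k, m)
    print("tag:", tag.hex())
    print("matches hmac module:", matches_stdlib(k, m))
    print("verifies:", verify(k, m, tag), "tampered:", verify(k, m + b"!", tag))
```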
Encryption and Authentication
• IPsec: MAC-then-Encrypt
• SSL/TLS: Encrypt-then-MAC
• SSH: MAC-and-Encrypt
MAC-and-Encrypt
• Not a secure mode of operation
• Confidentiality is not guaranteed
(Figure, built up over several slides: the plaintext goes separately to the MAC and to the encryption; the output is MAC || ciphertext. The MAC contains information on the plaintext.)
MAC-then-Encrypt
• Not always secure, but it can be
• In practice, one can construct a secure scheme
(Figure, built up over several slides: the plaintext is MACed to τ; the plaintext and τ are then encrypted together, giving the authenticated ciphertext.)
CCM: MAC-then-Encrypt
• CCM was proposed by Housley, Whiting and Ferguson
• Wi-Fi networks
• NIST in 2003, mode of operation for AES
• CBC-MAC then CTR
– associated data
– security proof
CCM Mode
(Figure: B[0], M[1], …, M[m] are chained through E_K' (CBC-MAC) to produce τ; the counter blocks ctr, ctr+1, …, ctr+m are encrypted with E_K and XORed with τ, M[1], …, M[m] to produce C[0], C[1], …, C[m].)
Encrypt-then-MAC
• Secure if the encryption mode is secure and if the MAC is secure
(Figure, built up over several slides: the plaintext is encrypted into the ciphertext, which is then MACed to τ; the result (ciphertext, τ) is the authenticated encryption.)
Encrypt-then-MAC
(Figure: CBC encryption of M[1], …, M[m] under E_K with IV produces C[0], C[1], …, C[m]; the ciphertext blocks are then CBC-MACed under E_K' to produce τ.)
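The following Python example is added here and is not part of the slides. It ties together three points of the deck: the CTR malleability of the MAC slide (C'1 = C1 ⊕ M1 ⊕ M'1 decrypts to M'1), the MAC-and-Encrypt leak (the tag reveals information on the plaintext), and the Encrypt-then-MAC composition of this section, where the receiver verifies the tag over nonce and ciphertext before decrypting anything. A truncated HMAC-SHA256 stands in for E_K, HMAC-SHA256 is the MAC, and the keys, nonces and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # toy block size in bytes

# Constructed keys and nonce, fixed for reproducibility (not real secrets).
K_ENC = b"constructed-encryption-key"
K_MAC = b"constructed-mac-key"
NONCE = b"\x00" * 8


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: truncated HMAC-SHA256 as a keyed PRF. CTR mode uses
    only the forward direction, so no real block cipher is needed here."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: keystream block i is E_K(nonce || i), XORed onto the data.
    Encryption and decryption are the same function."""
    out = bytearray()
    for idx, off in enumerate(range(0, len(data), BLOCK)):
        keystream = E(key, nonce + idx.to_bytes(8, "big"))
        chunk = data[off:off + BLOCK]
        out += xor(chunk, keystream[:len(chunk)])
    return bytes(out)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Constructed equal-length messages for the slide's bank scenario.
M1 = b"$0200 to account BOB-001"
M1_PRIME = b"$2000 to account EVE-001"


def rewrite_ciphertext(c: bytes, m: bytes, m_prime: bytes) -> bytes:
    """The MAC slide's observation: under CTR, C xor M xor M' decrypts to M'.
    No key is involved, which is exactly what the integrity layer must detect."""
    return xor(xor(c, m), m_prime)


def ctr_alone_is_malleable() -> bytes:
    """What the receiver decrypts when only CTR is used: M1_PRIME."""
    c1 = ctr(K_ENC, NONCE, M1)
    return ctr(K_ENC, NONCE, rewrite_ciphertext(c1, M1, M1_PRIME))


# Encrypt-then-MAC: the tag covers nonce and ciphertext; verify before decrypting.
def etm_seal(msg: bytes, nonce: bytes = NONCE):
    ct = ctr(K_ENC, nonce, msg)
    return ct, mac(K_MAC, nonce + ct)


def etm_open(ct: bytes, tag: bytes, nonce: bytes = NONCE):
    """Returns the plaintext, or None if the tag does not verify. Constant-time
    comparison, and nothing is decrypted until the ciphertext is authenticated."""
    if not hmac.compare_digest(mac(K_MAC, nonce + ct), tag):
        return None
    return ctr(K_ENC, nonce, ct)


def etm_rejects_rewrite():
    """The same ciphertext rewrite as above, now caught by the tag check."""
    ct, tag = etm_seal(M1)
    return etm_open(rewrite_ciphertext(ct, M1, M1_PRIME), tag)


# MAC-and-Encrypt: tag computed on the plaintext and sent in clear beside the ciphertext.
def mae_seal(msg: bytes, nonce: bytes):
    return ctr(K_ENC, nonce, msg), mac(K_MAC, msg)


def mae_tag_leaks_plaintext_equality() -> bool:
    """Two encryptions of the same plaintext under fresh nonces have unrelated
    ciphertexts but identical tags, so an observer learns the plaintexts are
    equal: the slide's 'MAC contains information on the plaintext'."""
    ct_a, tag_a = mae_seal(M1, b"\x00" * 7 + b"\x01")
    ct_b, tag_b = mae_seal(M1, b"\x00" * 7 + b"\x02")
    return ct_a != ct_b and tag_a == tag_b


if __name__ == "__main__":
    print("CTR alone, receiver reads:", ctr_alone_is_malleable())
    print("Encrypt-then-MAC on rewritten ciphertext:", etm_rejects_rewrite())
    print("MAC-and-Encrypt tag reveals plaintext equality:", mae_tag_leaks_plaintext_equality())
```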
One-pass Mode
• The message is processed once:
– More efficient: nearly as efficient as one encryption
– One key
• Examples: IAPM, IACBC, OCB, …
IACBC Mode
(Figure: the random block r is encrypted with E_K to give C[0]; M[1], …, M[m-1] and the Checksum block pass through E_K with masks S1, …, Sm-1, Sm to give C[1], …, C[m-1], C[m].)