Modes of operation and MACs
Transcription
Modes of operation and MACs
Pierre-Alain Fouque
Tuesday 8 October 13

Comparison
• Block cipher (DES, AES, Kasumi)
  – advantages: security (proofs for the modes)
  – drawback: modes (IV), many operations
• Stream cipher (RC4, A5/1, SNOW3G)
  – advantages: lightweight (small), IV setup
  – drawbacks: security?
• Uses: a stream cipher for protocols with no room for an IV, or that are very constrained. In all other cases, prefer a block cipher.

Security game
• A block cipher must be indistinguishable from a set of random permutations (substitutions)
• for every k, E(k,·) is a permutation that looks random if the key is not known
[Diagram: the challenger draws b ∈ {0,1} and sets f = E(k,·) or a random permutation P(·) according to b; the distinguisher A queries x and receives f(x), repeatedly, then outputs b'. Adv(A) = |Pr[b = b'] − 1/2|]

Feistel scheme
• 1-round Feistel is not secure
• 2-round Feistel is not secure
• 3-round Feistel is not secure under chosen-ciphertext attack (exercise session)

Cipher Block Chaining (CBC)
• Encrypting: C_0 = IV, ..., C_i = E(k, C_{i-1} ⊕ M_i)
• Decrypting: M_i = D(k, C_i) ⊕ C_{i-1}
• Drawbacks: sequential
• Advantages: randomized; propagation of error in decryption

Counter Mode (CTR)
• Better solution

Security
• Confidentiality is ensured by the mode of operation
• Main idea: the ciphertext must be indistinguishable from random for polynomial-time adversaries
• Security game: [diagram]

Security
• Security games:
• ECB is not IND-CPA
• CBC is IND-CPA secure up to 2^(n/2) queries if E is a PRP (insecure if the IV is guessable)
• CTR is IND-CPA secure up to 2^n queries if E is a PRP
• IND-CCA: integrity of the first block of CBC

Message Authentication Code (MAC)
• Warning: encryption does not provide integrity
• E.g.: CTR mode ensures confidentiality if the block cipher used is secure. However, no integrity is guaranteed.
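Worked example of the warning above, added here and not taken from the slides: with a constructed keystream standing in for E_K(ctr), the manipulation C'1 = C1 ⊕ M1 ⊕ M'1 drawn on the next slide rewrites a CTR ciphertext without the key. The key, counter value and messages are sample values.

```python
import hashlib

KEY = b"constructed-demo-key"   # shared by Alice and the bank (sample value)

def keystream(key: bytes, ctr: int, length: int) -> bytes:
    """Toy stand-in for E_K(ctr), E_K(ctr+1), ...: SHA-256(key || counter).
    It is not AES; only the XOR structure of CTR matters for the example."""
    out = b""
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]

def ctr_crypt(key: bytes, ctr: int, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, ctr, len(data))))

def rewrite_ciphertext(c1: bytes, m1: bytes, m1_new: bytes) -> bytes:
    """Eve's step from the slide: C'1 = C1 XOR M1 XOR M'1, computed without
    the key. It only requires knowing (or guessing) the original plaintext."""
    assert len(c1) == len(m1) == len(m1_new)
    return bytes(c ^ m ^ w for c, m, w in zip(c1, m1, m1_new))

def demo() -> bytes:
    """Returns what the bank decrypts after Eve's rewrite."""
    ctr = 7                                    # counter value in use (sample)
    m1 = b"$200 on Bob's account."             # Alice's order, 22 bytes
    c1 = ctr_crypt(KEY, ctr, m1)               # Alice -> Bank
    m1_eve = b"$2000 on Eve's account"         # same length as m1
    c1_eve = rewrite_ciphertext(c1, m1, m1_eve)
    # The bank cannot tell c1_eve from a genuine ciphertext: confidentiality
    # held, integrity did not. A MAC over the ciphertext is what detects this.
    return ctr_crypt(KEY, ctr, c1_eve)
```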
[Diagram (CBC first block): Alice sends C1 = E_K(ctr) ⊕ M1 with M1 = « $200 on Bob's account »; Eve replaces it with C'1 = C1 ⊕ M1 ⊕ M'1 where M'1 = « $2000 on Eve's account »; the Bank decrypts C'1 to M'1]

Birthday Paradox
• In a set of D elements, by picking √D elements at random, we get a collision (two equal elements) with high probability
• D = 365: about 23 people are required
• Let N and M be two sets of random elements drawn from a large set D; the expected number of collisions is |N|×|M|/|D| (birthday paradox with boys and girls)

Definition of Message Authentication Code
• Key generation: randomized algorithm
  – output: key uniformly distributed
• Tag (MAC) generation: randomized or deterministic
  – input: M ∈ {0,1}*
  – output: tag τ ∈ {0,1}^t ∪ {⊥}: τ = MAC_K(M)
• Verification: deterministic algorithm
  – input: tag τ ∈ {0,1}^t and message M
  – output: a bit telling whether the tag is valid for this message
• such that for any K and message M, if τ = MAC_K(M), then V_K(τ, M) = 1

Security game
• Adversary's goals:
  – 1. key recovery attacks
  – 2. forgery: producing a valid MAC for some message M (of his choice, or any)
• Adversary's resources:
  – 1. known message attack: interception of MACs; the adversary knows pairs (M, τ) of already tagged messages
  – 2. chosen message attack: the adversary knows the tags of messages of his choice (access to a MAC generation algorithm, adaptively or not)

Security game
• Def: combining an adversary's goal and some resources
• SUF-CMA: strong unforgeability against chosen message attacks
[Diagram: the adversary A sends queries M_i to the challenger and receives τ_i; A finally outputs (M, τ); the experiment returns 1 if the tag is valid. Adv(A) = Pr(experiment returns 1)]

Generic Security
• 1. For a t-bit MAC, the advantage (forgery probability) is always at least 1/2^t
• 2. Among 2^(t/2) MACs, by the birthday paradox, there is a collision between two of them: these collisions can be used to recover the keys ...

MAC vs. Signature
• Signatures:
  – used for verifying public keys
  – guarantee non-repudiation
  – same properties as a hand-written signature
• MACs:
  – very good performance
  – secret key shared between two users
  – no public verification, no non-repudiation

First construction
• Let F : {0,1}^k × {0,1}* → {0,1}^t be a random function (i.e. outputs are indistinguishable from random values)
• MAC construction: for message M = M_1 … M_m, τ = F_K(M_1) ⊕ … ⊕ F_K(M_m)
• Is this scheme secure?

Second example
• Let F : {0,1}^k × {0,1}* → {0,1}^t be a random function
• For message M = M_1 … M_m: for i = 1 to m, y_i = F_K(<i>, M_i); τ = y_1 ⊕ … ⊕ y_m
• Is this scheme secure?

Unencrypted CBC-MAC
• C_i = E_K(M_i ⊕ C_{i-1})
• MAC = C_m
• Secure only for constant-length messages
[Diagram: M_1, M_2, …, M_m chained through E_K, giving C_1, C_2, …; Mac = C_m]

Security of CBC-MAC
• Let M and M' be two arbitrary messages
[Diagram: M = M_1 M_2 M_3 gives C_1, C_2 and MAC(M) = C_3 = Mac; M' = M'_1 M'_2 gives C'_1 and MAC(M') = C'_2 = Mac']

Unencrypted CBC-MAC
• Given the MACs of M and M', it is possible to forge the MAC of another message
[Diagram: the message M_1 M_2 M_3 (M'_1 ⊕ Mac) M'_2 chained through E_K gives C_1, C_2, C_3, C'_1 and finally Mac' = C'_2]
• Recovering the secret key takes 2^k MAC computations, where k is the bit length of the key used (exhaustive search)

No IV in CBC-MAC
• The integrity of the first block is not ensured if an IV is used
[Diagram: (M, IV, Mac) with M = M_1 M_2 and (M', IV', Mac) with M' = (M_1 ⊕ IV ⊕ IV') M_2 both give C_1 and Mac = C_2]

Encrypted CBC-MAC (EMAC)
• C_i = E_K(M_i ⊕ C_{i-1}) and MAC = E_K'(C_m)
• Secure if fewer than 2^(n/2) MACs are computed
• Keys can be recovered using 2 exhaustive searches in time 2^k (for k-bit keys)
[Diagram: M_1, …, M_m chained through E_K giving C_1, …, C_m; Mac = C_{m+1} = E_K'(C_m)]

Some attacks
[Diagram, built up over three slides: M = M_1 … M_m gives Mac = C_{m+1} and N = N_1 … N_m' gives Mac' = C_{m'+1}; the chaining values collide]
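The two forgeries against unencrypted CBC-MAC shown above (the splice of M and M', and the first-block change when an IV is used), checked in code. This is an added example, not from the slides: both forgeries follow from the chaining equation alone, so E_K is a constructed stand-in (truncated SHA-256 of key || block) rather than a real block cipher, and the key and block labels are sample values.

```python
import hashlib

N = 16                              # block size in bytes
KEY = b"constructed-cbc-mac-key"    # sample value

def E(key: bytes, block: bytes) -> bytes:
    """Toy keyed block function; the forgeries hold for any E_K."""
    return hashlib.sha256(key + block).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, blocks, iv: bytes = bytes(N)) -> bytes:
    """Unencrypted CBC-MAC: C_0 = IV (all-zero on the slides), MAC = C_m."""
    c = iv
    for m in blocks:
        c = E(key, xor(m, c))
    return c

def splice_forgery(blocks_m, mac_m: bytes, blocks_m2):
    """M || (M'_1 XOR MAC(M)) || M'_2 ... has MAC equal to MAC(M'):
    XORing MAC(M) into M'_1 cancels the chaining value, so the chain
    continues exactly as it did for M' started from C_0 = 0."""
    return list(blocks_m) + [xor(blocks_m2[0], mac_m)] + list(blocks_m2[1:])

def iv_forgery(blocks, iv: bytes, new_iv: bytes):
    """With an explicit IV, (M, IV) and ((M_1 XOR IV XOR IV') M_2 ..., IV')
    feed the same value M_1 XOR IV into E_K, hence share the MAC."""
    return [xor(xor(blocks[0], iv), new_iv)] + list(blocks[1:])

def blk(label: str) -> bytes:
    """Pad a short ASCII label to one block (constructed sample data)."""
    return label.encode().ljust(N, b"\0")

def demo():
    """Returns (splice forgery verifies, IV forgery verifies)."""
    m = [blk("M1"), blk("M2"), blk("M3")]
    m2 = [blk("M'1"), blk("M'2")]
    forged = splice_forgery(m, cbc_mac(KEY, m), m2)
    splice_ok = cbc_mac(KEY, forged) == cbc_mac(KEY, m2) and forged != m2
    iv, iv2 = blk("IV"), blk("IV'")
    forged_iv = iv_forgery(m, iv, iv2)
    iv_ok = cbc_mac(KEY, forged_iv, iv2) == cbc_mac(KEY, m, iv) and forged_iv != m
    return splice_ok, iv_ok
```

Both checks pass only because the verifier accepts variable-length messages; fixing the message length, as the slide notes, removes the splice forgery.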
[Diagram: M_1 … M_m and N_1 … N_m' chained under E_K; after the collision of the chaining values, the same Mac' = C_{m'+1} results]

Attacks
[Diagram: appending the same block R to M_1 … M_m and to N_1 … N_m' after the collision gives the same tag τ = E_K'(·) for both messages]

Security Analysis
• Assume 2^(n/2) MACs are computed: (M_i, τ_i), 0 ≤ i ≤ 2^(n/2), with M_i ≠ M_j
• By the birthday paradox, there exist i, j such that i ≠ j and τ_i = τ_j
• Ask for the MAC τ of M_i || R, where R is a random block
• Claim: one can forge the MAC of the message M_j || R: it is τ

Key Recovery
[Diagram: M_1, …, M_m chained through DES_K giving C_1, …, C_m; Mac = C_{m+1} = TDES_{K,K'}(C_m)]
• For efficiency and security reasons, one decides E = DES with key K and E' = TDES with keys K, K'. What is the complexity to recover the keys K and K'?

Hash-based MAC
• Consider the following MAC scheme: MAC_K(M) = H(K || M). Is it secure?

HMAC
• HMAC_K(M) = H((K' ⊕ opad) || H((K' ⊕ ipad) || M))
• where ipad and opad are constant values

Encryption and Authentication
• IPSEC: MAC-then-Encrypt
• SSL/TLS: Encrypt-then-MAC
• SSH: MAC-and-Encrypt

MAC-and-Encrypt
• Non-secure mode of operation
• Confidentiality is not guaranteed
[Diagram, built up over four slides: the plaintext goes both through Encryption and through MAC; the output is MAC || ciphertext; the MAC contains information on the plaintext]

MAC-then-Encrypt
• Not always secure, but it can be
• In practice, one can construct a secure scheme
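The birthday forgery of the Security Analysis slide, run end to end: it combines the Birthday Paradox slide (collisions among 2^(n/2) random values) with EMAC's chaining. This is an added example, not from the slides; to make the 2^(n/2) queries affordable it uses a constructed 16-bit block cipher (a 4-round Feistel network whose round function is SHA-256 of key, round and half), not DES or AES, and the keys, messages and block R are sample values.

```python
import hashlib

N = 2                               # block size in bytes, so n = 16 bits
K, K2 = b"emac-K", b"emac-K'"       # EMAC keys: K for the chain, K' for the last step

def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    """16-bit keyed permutation: 4 Feistel rounds on two 8-bit halves.
    Being a permutation matters: equal tags then imply equal chaining values."""
    left, right = block[0], block[1]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return bytes([left, right])

def emac(blocks) -> bytes:
    """Encrypted CBC-MAC: C_i = E_K(M_i XOR C_{i-1}), tag = E_K'(C_m)."""
    c = bytes(N)
    for m in blocks:
        c = feistel_encrypt(K, bytes(x ^ y for x, y in zip(m, c)))
    return feistel_encrypt(K2, c)

def two_block_message(i: int):
    """Constructed, pairwise distinct 2-block messages M_i derived from i."""
    h = hashlib.sha256(i.to_bytes(4, "big")).digest()
    return [h[0:2], h[2:4]]

def birthday_forgery(queries: int = 4096):
    """Collect tags until tau_i == tau_j with M_i != M_j (certain here, since
    4096 >> 2^(n/2) = 256), query the tag of M_i || R once, and output it as
    the tag of the never-queried message M_j || R. Returns (M_j || R, tag)."""
    seen = {}
    for i in range(queries):
        m_j = two_block_message(i)
        tag = emac(m_j)
        if tag in seen and seen[tag] != m_j:
            m_i = seen[tag]
            r = b"\x5a\xa5"                      # any block R works
            tau = emac(m_i + [r])                # the one extra MAC query
            return m_j + [r], tau
        seen[tag] = m_j
    return None
```

A detector cannot see anything wrong with the forged pair; the defence is the one the slide gives, keeping the number of MACs under one key far below 2^(n/2), which for a 16-bit block is only 256.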
[Diagram, built up over three slides: the plaintext goes through MAC giving τ; the plaintext and τ go through Encryption; the output is the authenticated ciphertext]

CCM: MAC-then-Encrypt
• CCM proposed by Housley, Whiting and Ferguson
• Wi-Fi networks
• NIST in 2003, mode of operation for AES
• CBC-MAC then CTR
  – associated data
  – security proof

CCM mode
[Diagram: B[0], M[1], …, M[m] chained through E_K' (CBC-MAC) giving τ; ctr, ctr+1, …, ctr+m encrypted with E_K; C[0] = E_K(ctr) ⊕ τ and C[i] = E_K(ctr+i) ⊕ M[i]]

Encrypt-then-MAC
• Secure if the encryption mode is secure and if the MAC is secure
[Diagram, built up over three slides: the plaintext goes through Encryption giving the ciphertext; the ciphertext goes through MAC giving τ; the output is the authenticated encryption]

Encrypt-then-MAC
[Diagram, shown twice: M[1], …, M[m] CBC-encrypted under E_K with IV = C[0], giving C[1], …, C[m]; C[0], …, C[m] then go through a CBC-MAC under E_K' giving τ]

One-pass Mode
• Message is processed once:
  – more efficient: nearly as efficient as one encryption
  – one key
• Examples: IAPM, IACBC, OCB, …

IACBC mode
[Diagram: r, M[1], …, M[m−1] and a Checksum block pass through E_K together with the values S_1, …, S_m, giving C[0], C[1], …, C[m−1], C[m]]
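The two compositions discussed above in code: the MAC-and-Encrypt leak (the tag reveals information on the plaintext) beside Encrypt-then-MAC with verification before decryption. This is an added example, not from the slides; HMAC-SHA256 is the MAC, a constructed SHA-256 keystream replaces E_K(ctr), and the keys, nonces and messages are sample values.

```python
import hashlib
import hmac

KE, KM = b"enc-key-demo", b"mac-key-demo"     # separate encryption and MAC keys

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR mode: XOR with SHA-256(key || nonce || counter) blocks."""
    out, i = b"", 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

def mac_and_encrypt(msg: bytes, nonce: bytes):
    """Slide: output MAC || ciphertext, with the tag computed on the plaintext."""
    return hmac.new(KM, msg, "sha256").digest(), nonce, ctr(KE, nonce, msg)

def tags_leak_equality(msg: bytes, nonce1: bytes, nonce2: bytes) -> bool:
    """Same plaintext twice: ciphertexts differ but the tags are identical,
    so an observer learns that the two plaintexts are equal (not IND-CPA)."""
    t1, _, c1 = mac_and_encrypt(msg, nonce1)
    t2, _, c2 = mac_and_encrypt(msg, nonce2)
    return t1 == t2 and c1 != c2

def encrypt_then_mac(msg: bytes, nonce: bytes):
    """Tag over nonce || ciphertext, so the tag depends on nothing secret."""
    c = ctr(KE, nonce, msg)
    return nonce, c, hmac.new(KM, nonce + c, "sha256").digest()

def verify_then_decrypt(nonce: bytes, c: bytes, tag: bytes):
    """Receiver side: check the tag first and release no plaintext on failure."""
    expected = hmac.new(KM, nonce + c, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return ctr(KE, nonce, c)

def demo() -> bool:
    """The CTR bit flip of the first MAC slide is now rejected."""
    nonce, msg = b"\x00" * 8, b"$200 on Bob's account."
    n, c, t = encrypt_then_mac(msg, nonce)
    tampered = c[:4] + bytes([c[4] ^ 0x10]) + c[5:]    # one flipped bit
    return verify_then_decrypt(n, c, t) == msg and verify_then_decrypt(n, tampered, t) is None
```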