Authenticated Encryption and Cryptographic Network Protocols David Brumley [email protected] Carnegie...
-
Upload
hilary-dixon -
Category
Documents
-
view
215 -
download
0
Transcript of Authenticated Encryption and Cryptographic Network Protocols David Brumley [email protected] Carnegie...
![Page 1: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/1.jpg)
Authenticated Encryption and Cryptographic Network Protocols
David [email protected] Mellon University
![Page 2: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/2.jpg)
2
Some Straw Men
![Page 3: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/3.jpg)
3
TCP/IP (highly abstracted)
packet
Destination Machine
TCP/IPStack
Webserver(port = 80)
dest=80 data
data
Bob(port = 25)
Source
![Page 4: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/4.jpg)
4
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
Bob(port = 25)
msg b
k
k
IV1,
dest=25 msg bIV2,
Source
![Page 5: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/5.jpg)
5
Example Tampering Attack
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
Eve(port = 25)
msg b
k
IV1,
dest=25 msg aIV2,
Eve can change destination (easy with CBC and rand IV)
k
Source
![Page 6: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/6.jpg)
6
Example Tampering Attack
Encrypted with CBC and random IV
encrypted packets with key k
Destination Machine
Webserver(port = 80)
dest=80 msg a
msg a
Eve(port = 25)
msg b
k
IV1,
dest=1026 msg aIV2, Active Attacker
Eve can change destination (easy with CBC and rand IV)
k
Source
![Page 7: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/7.jpg)
7
How?
dest=80 msg aIV1,
dest=1026 msg aIV2,
CBC encryption:D(k, c[0]) IV⨁ 1 = “dest=80”
Attack:IV2 = IV1 000...80 000...25⨁ ⨁
xor out “80” and xor in “1026”
Eve
![Page 8: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/8.jpg)
8
An Attack Using Only Network AccessExample:Remote terminal app where each keystroke encrypted with CTR mode
IP Hdr TCP Hdr c dAlice
Bob
16 bit checksum keystroke
ack if valid checksum, else nothing
![Page 9: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/9.jpg)
9
An Attack Using Only Network Access
{checksum(hdr, d) = t checksum(hdr, d s) } ⨁ ⨁ Even can find d for many realistic checksums⇒ *
Example:Remote terminal app where each keystroke encrypted with CTR mode
IP Hdr TCP Hdr c dAlice
Bob
IP Hdr TCP Hdr t c⨁ s d⨁Eve
16 bit checksum keystroke
ack if valid checksum, else nothing
for all t and s
* potentially not for TCP checksum
![Page 10: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/10.jpg)
10
The Story So Far
Confidentiality: semantic security against a CPA attack
– Examples: Using CBC with a PRP, AES
Integrity: security against existential forgery– Examples: CBC-MAC, NMAC, PMAC, HMAC
Now: security against tampering– Integrity + Confidentiality!
![Page 11: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/11.jpg)
11
The lesson
CPA security cannot guarantee secrecy under active attacks.
Integrity Only ✓ Secure MAC
Integrity + Secrecy
✗ Secure MAC + Secure Cipher
Integrity +Secrecy
✓Authenticated Encryption
![Page 12: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/12.jpg)
12
Motivating Question: Which is Best?
E(kE , m||tag)S(kI, m)
m
Encryption Key = KE; MAC key = kI
Option 1: SSL (MAC-then-encrypt)
m tag m tag
S(kI , c)E(kE, m)
m
Option 2: IPsec (Encrypt-then-MAC)
m m tag
S(kI , m)E(kE, m)
m
Option 3: SSH (Encrypt-and-MAC)
m m tag
![Page 13: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/13.jpg)
13
Authenticated Encryption
![Page 14: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/14.jpg)
14
An authenticated encryption system (E,D) is a cipher where
As usual: E: K × M × N C⟶ but D: K × C × N M { }⟶ ∪ ⊥
Security: the system must provide– Semantic security under CPA attack, and– ciphertext integrity. The attacker cannot create a
new ciphertext that decrypts properly.
reject ciphertext as invalid
![Page 15: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/15.jpg)
15
Chal. Adv A.
kK
c
m1 M
c1 E(k,m1)
b=1 if D(k,c) ≠⊥ and c { c1 , … , cq }
b=0 otherwise
b
m2 , …, mq
c2 , …, cq
Def: (E,D) has ciphertext integrity iff for all “efficient” A:
AdvCI[A,I] = Pr [Chal. outputs 1] < ε
Ciphertext IntegrityFor b ={0,1}, define EXP(0) and EXP(1) as:
![Page 16: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/16.jpg)
16
Authenticated EncryptionDef: cipher (E,D) provides authenticated encryption (AE) if it is
(1) semantically secure under CPA, and(2) has ciphertext integrity
Counter-example: CBC with rand. IV does not provide AE
– D(k, ⋅) never outputs , hence adv. always wins ⊥ciphertext integrity game
![Page 17: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/17.jpg)
17
Implication 1: AuthenticityAttacker cannot fool Bob into thinking a
message was sent from Alice
Alice Bob
k k
m1 , …, mq
ci = E(k, mi)
c
Cannot create valid c { c∉ 1, …, cq }
⇒ if D(k,c) ≠ Bob ⊥ guaranteed message is from someone who knows k (but could be a replay)
Eve
![Page 18: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/18.jpg)
18
Implication 2
Authenticated encryption ⇒
Security against chosen ciphertext attack
![Page 19: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/19.jpg)
19
Chosen Ciphertext Attacks
![Page 20: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/20.jpg)
20
Chosen Ciphertext Attacks
Def: A CCA adversary has the capability to get ciphertexts of their choosing decrypted.
Alice Bob
k
Eve
k
VPNc = E(k,m) m
Eve sees c and m
c’
m’
Don’t want them to learn m’
... or even just whether an ACK
occurred.
![Page 21: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/21.jpg)
21
The Lunchtime CCA Attack
Alice’s Computer
Encryption Program
k
Encrypted File 1
It’s Lunchtime!
Encrypted File 2
![Page 22: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/22.jpg)
22
The Lunchtime CCA Attack
Alice’s Computer
Encryption Program
k
Eve’s Encrypted
File 1
Eve’s Encrypted
File 2
Encrypted File 1
Encrypted File 2
Eve
![Page 23: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/23.jpg)
23
802.11b WEP: how not to do it
k k
m CRC(m)
PRG( IV || k )
ciphertextIV
![Page 24: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/24.jpg)
24
Active attacks
Fact: CRC is linear, i.e. m,p: ∀ CRC( m p) = CRC(m) F(p)⨁ ⨁
dest-port = 80 data CRCIVWEP ciphertext:
attacker: 000...00…..... XX…..0000 F(XX)
⨁IV dest-port = 25 data CRC’
XX = 25 80⨁
Upon decryption CRC is valid, but ciphertext is changed !!
![Page 25: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/25.jpg)
25
Chosen Ciphertext Security
Adversaries Power: both CPA and CCA– Can obtain the encryption of arbitrary messages– Can decrypt ciphertexts of his choice
Adversaries Goal: break semantic security
![Page 26: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/26.jpg)
26
CCA Game DefinitionLet ENC = (E,D) over (K,M,C). For b = {0,1}, define EXP(0) and EXP(1)
b Chal.k K
Adv.
b’ {0,1}
mi,0 , mi,1 M : |mi,0| = |mi,1|
ci E(k, mi,b)
for i=1,…,q: (1) CPA query:
ci C : ci {c∉ 1, …, ci-1}
mi D(k, ci)
(2) CCA query:
Ex: could query a
changed ci
![Page 27: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/27.jpg)
27
CCA Game DefinitionLet ENC = (E,D) over (K,M,C). For b = {0,1}, define EXP(0) and EXP(1)
b
Chal.k K Adv.
b’ {0,1}
mi,0 , mi,1 M : |mi,0| = |mi,1|
ci E(k, mi,b)
for i=1,…,q: (1) CPA query:
ci C : ci {c∉ 1, …, ci-1}
mi D(k, ci)
(2) CCA query:
ENC = (E,D) is CCA secure iff Adv[A,ENC] = |Pr[Exp(0) = 1] – Pr[Exp(1) = 1]| < ε
![Page 28: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/28.jpg)
28
Example: CBC is not CCA Secure
Chal.kKb
Adv.m0 , m1 : |m0| = |m1|=1
c E(k, mb) = (IV, c[0])
c’ = (IV 1, c[0])⨁D(k, c’) = mb 1⨁ blearns b
![Page 29: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/29.jpg)
29
Thm: Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure !
In particular, for any q-query eff. A there exist eff. B1, B2 s.t.
AdvCCA[A,E] ≤ 2q Adv⋅ CI[B1,E] + AdvCPA[B2,E]
AE implies CCA security!
![Page 30: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/30.jpg)
30
So What?Authenticated encryption assures security against:
– A passive adversary (CPA security)– An active adversary that can even decrypt some
ciphertexts (CCA security)
Limitations: – Does not protect against replay– Assumes no other information other than
message/ciphertext pairs can be learned.• Timing attacks out of scope• Power attacks out of scope• ...
![Page 31: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/31.jpg)
31
AE ConstructionsCipher + MAC = security
![Page 32: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/32.jpg)
32
HistoryPre 2000: Crypto API’s provide separate MAC and encrypt primitives
– Example: Microsoft Cryptographic Application Programming Interface (MS-CAPI) provided HMAC and CBC + IV
– Every project had to combine primitives in their own way
2000: Authenticated Encryption – Bellare and Namprempre in Crypto, 2000– Katz and Yung in FSE, 2000
![Page 33: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/33.jpg)
33
Motivating Question: Which is Best?Encryption Key = KE; MAC key = kI
E(kE , m||tag)S(kI, m)
m
Option 1: SSL (MAC-then-encrypt)
m tag m tag
S(kI , c)E(kE, m)
m
Option 2: IPsec (Encrypt-then-MAC)
m m tag
S(kI , m)E(kE, m)
m
Option 3: SSH (Encrypt-and-MAC)
m m tag
✓AlwaysCorrect
![Page 34: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/34.jpg)
34
Theorems
Let (E,D) by a CPA secure cipher and (S,V) a MAC secure against existential forgery. Then:
1. Encrypt-then-MAC always provides authenticated encryption
2. MAC-then-encrypt may be insecure against CCA attacks
– however, when (E,D) is rand-CTR mode or rand-CBC, MAC-then-encrypt provides authenticated encryption
![Page 35: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/35.jpg)
35
StandardsGCM: CTR mode encryption then CW-MACCCM: CBC-MAC then CTR mode (802.11i)EAX: CTR mode encryption then CMAC
All are nonce-based.All support Authenticated Encryption with Associated Data (AEAD).
Associated Data
EncryptedData
Authenticated
![Page 36: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/36.jpg)
36
An example API (OpenSSL)int AES_GCM_Init(AES_GCM_CTX *ain,
unsigned char *nonce, unsigned long noncelen,
unsigned char *key, unsigned int klen )
int AES_GCM_EncryptUpdate(AES_GCM_CTX *a,unsigned char *aad, unsigned long aadlen,unsigned char *data, unsigned long datalen,unsigned char *out, unsigned long *outlen)
![Page 37: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/37.jpg)
37
MAC Security -- an explanationRecall: MAC security required an attacker given (m , t) couldn’t find a different t’ such that (m,t’) is a valid MAC
Why? Suppose not: (m , t) (m , t’)⟶
Then Encrypt-then-MAC would not have Ciphertext Integrity !!
Chal.kKb
Adv.
m0, m1
c E(k, mb) = (c0, t)
c’ = (c0 , t’ ) ≠ c
D(k, c’) = mb
b
(c0, t)
(c0, t’)
![Page 38: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/38.jpg)
38
Performance
AE Cipher Code Size Speed(MB/sec)
Raw Cipher Raw Speed
AES/GCM Large 108 AES/CTR 139
AES/CCM smaller 61 AES/CBC 109
AES/EAX smaller 61 AES/CMAC 109
AES/OCB* small 129 HMAC/SHA1 147
* OCB mode may have patent issues. Speed extrapolated from Ted Kravitz’s results.
From Crypto++ 5.6.0 [Wei Dai]
![Page 39: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/39.jpg)
39
Summary
Encrypt-then-MAC• Provides integrity
of CT• Plaintext integrity• If cipher is
malleable, we detect invalid CT
• MAC provides no information about PT since it’s over the encryption
MAC-then-Encrypt• No integrity of CT• Plaintext integrity• If cipher is
malleable, can change message w/o detection
• MAC provides no information on PT since encrypted
Encrypt-and-MAC• No integrity on CT• Integrity of PT can
be verified• If cipher is malleable,
contents of CT can be altered; should detect at PT level
• May reveal info about PT in the MAC (e.g., MAC of same messages are the same)
![Page 40: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/40.jpg)
40
Wrapup
• Authenticated Encryption– Chosen Ciphertext Attack (CCA) and
CCA-secure ciphers– AE game = CCA + CPA secure
• Encrypt-then-MAC always right– Don’t roll your own
![Page 41: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/41.jpg)
41
Questions?
![Page 42: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/42.jpg)
END
![Page 43: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/43.jpg)
43
Case Study: TLS
![Page 44: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/44.jpg)
44
AlicePublic keyExpiration Date
Certificates bind a public key to a user
![Page 45: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/45.jpg)
45
AlicePublic keyExpiration Date
Certificate Authority (CA) binds certificate to person
CA Signature
Certificate parameters
![Page 46: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/46.jpg)
46
Alice
Alice Sends:User ID || public key || …
![Page 47: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/47.jpg)
47
Alice
Alice Generates and Gives:User ID || public key || …
CA Computes:D=H(User ID || public key || …)Sig = Sign(D, CA private key)Gives Alice Sig
![Page 48: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/48.jpg)
48
Alice
Alice Generates and Gives:User ID || public key || …
Certificate Authority (CA)
CA Computes:D=H(User ID || public key || …)Sig = Sign(D, Serial, CA private key)Gives Alice <Sig, Serial>
Alice’s Certificate[User ID || public key || …] || CA Name || Serial || Sig || <add.
params>
![Page 49: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/49.jpg)
49
X.509 Certificates
![Page 50: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/50.jpg)
50
TLS and SSL
• Transport Layer Security (TLS)– Secure socket layer (SSL) predecessor– originally developed by Netscape– version 3 designed with public input– RFC 2246
• Uses TCP to provide a reliable end-to-end service
![Page 51: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/51.jpg)
51
Protocol Stack
Telnet …
IP
TCP
SSL Record Protocol
HandshakeChangeCipher
Alert
HTTPApplication
Layer
SSL
TransportLayer
![Page 52: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/52.jpg)
52
Session Establishment
AliceBob.com
1. ClientHello
Encrypt with symmetric cipher using shared secret
2. ServerHello
3. ClientKeyExchange
Telnet …
IP
TCP
SSL Record Protocol
HandshakeChangeCipher
Alert
HTTP
supported MAC’s and ciphers
![Page 53: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/53.jpg)
53
Protocol Record
Telnet …
IP
TCP
SSL Record Protocol
HandshakeChangeCipher
Alert
HTTP
Application Data
Fragment ...
Compress
MAC t
Encrypt t
thdrPrepend Hdr
![Page 54: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/54.jpg)
54
Other Fields
Change cipher: Re-initiate handshake protocol, e.g., to re-negotiate the keying material used for encryption
Alert: Signal warning or fatal problem– Fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal parameter
– Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown Telnet …
IP
TCP
SSL Record Protocol
HandshakeChangeCipher
Alert
HTTP
![Page 55: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/55.jpg)
55
Detailed Protocol
![Page 56: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/56.jpg)
56
TLS Crypto
Unidirectional keys: kb s ⇾ , ks b ⇾
Stateful encryption:– Each side maintains two 64-bit counters: ctrb s⇾ , ctrs b⇾
– Init. to 0 when session started. ctr++ for every record.– Purpose: replay defense
BrowserServer
hdr record
kb s ⇾ , ks b ⇾ kb s ⇾ , ks b ⇾
![Page 57: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/57.jpg)
57
TLS Record Encryption
Type Version Length
Data ... ...
... ... ...
Tag Tag Tag
Tag Tag Pad
(CBC AES-128, HMAC-SHA1)
TLS Record
kb s ⇾ = (kmac , kenc)
Browser side enc(kb s ⇾ , data, ctrb s⇾ ) :
step 1: tag S( k⟵ mac , [ ++ctrb s⇾ || header || data] )
step 2: pad [ header || data || tag ] to AES block sizestep 3: CBC encrypt with kenc and new random IV
step 4: prepend header
![Page 58: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/58.jpg)
58
TLS Record Decryption(CBC AES-128, HMAC-SHA1)
Server side dec(kb s ⇾ , record, ctrb s ⇾ ) :
step 1: CBC decrypt record using kenc
step 2: check pad format, send bad_record_mac if invalid
step 3: check tag on [ ++ctrb s ⇾ || header || data]
send bad_record_mac if invalid
Provides authenticated encryption(provided no other info. is leaked during decryption)
![Page 59: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/59.jpg)
59
TLS Record Decryption(CBC AES-128, HMAC-SHA1)
Server side dec(kb s ⇾ , record, ctrb s ⇾ ) :
step 1: CBC decrypt record using kenc
step 2: check pad format, send decryption_failed if invalid
step 3: check tag on [ ++ctrb s ⇾ || header || data]
send bad_record_mac if invalidV1.1 Bug:
Only difference is error messages
![Page 60: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/60.jpg)
60
Padding Oracles
Server side dec(kb s ⇾ , record, ctrb s ⇾ ) :
step 1: CBC decrypt record using kenc
step 2: check pad format, abort if invalidstep 3: check tag, abort if invalid
Two different types of errors: bad pad vs bad MAC
Two different types of errors: bad pad vs bad MAC
Padding Attack: Attacker submits ciphertext and learns if last byte of plaintext are a valid pad
![Page 61: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/61.jpg)
61
Credit: Brice CanvelFixed in OpenSSL 0.9.7a
In older TLS 1.0: padding oracle due to different alert messages.
MAC errorpad error
![Page 62: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/62.jpg)
62
TLS Padding
Valid paddings:– 0x01 for 1 byte padding– 0x02 0x02 for 2 byte padding– 0x03 0x03 0x03 for 3 byte padding– ....
Type Version Length
Data ... ...
... ... ...
Tag Tag Tag
Tag Tag Pad
![Page 63: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/63.jpg)
63
Using a Padding Oracle with CBCExample: Attacker has ciphertext c = (c[0], c[1], c[2]) and wants m[1]. We’ll show you how to get last byte of m[1]. (Full break possible)
D(k,) D(k,)
m[0] m[1] m[2] || pad
D(k,)
c[0] c[1] c[2]IV
![Page 64: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/64.jpg)
64
Step 1: Throw Away c[2]
D(k,) D(k,)
m[0] m[1]
c[0] c[1]IV
![Page 65: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/65.jpg)
65
Step 2: Guess and Check if Padding Valid
D(k,) D(k,)
m[0] m[1]
c[0] c[1]IV
= last-byte g 0x01 ⨁ ⨁if last-byte = g: valid pad
otherwise: invalid pad
⨁ g 0x01⨁Let g be our guess for the last byte of m[1]
*note MAC will fail, but we get the byte.
![Page 66: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/66.jpg)
66
Using a Padding OracleAttack: submit ( IV, c’[0], c[1] ) to padding oracle attacker learns if last ⇒byte = g
Repeat with g = 0,1, …, 255 to learn last byte of m[1]
Then use a (0x02, 0x02) pad to learn the next byte and so on …
![Page 67: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/67.jpg)
67
Another TLS Bug Prior to 1.1
IV for CBC is predictable using chained IV– IV for next record is last ciphertext block of
current record.– Not CPA secure (see block cipher lecture).
BEAST attack is a practical implementation
![Page 68: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/68.jpg)
68
Other ProblemsThe TLS header leaks the length of TLS records• Lengths can also be inferred by observing network traffic
For many web applications, leaking lengths reveals sensitive info:• In tax preparation sites, lengths indicate the type of return
being filed which leaks information about the user’s income
• In healthcare sites, lengths leaks what page the user is viewing
• In Google maps, lengths leaks the location being requested
No easy solution
![Page 69: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/69.jpg)
69
Lesson
1. Encrypt-then-MAC would completely avoid many problem.
– MAC is checked first and ciphertext discarded if invalid
2. MAC-then-CBC provides Authenticated Encryption, but padding oracle destroys it
![Page 70: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/70.jpg)
70
Certificate RevocationWhat to do if your keys are compromised.
![Page 71: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/71.jpg)
71
Certificate Revocation
Alice Bob
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
1. Check CA signature on key2. ....3. Accept key
What needs to happen here?
![Page 72: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/72.jpg)
72
Certificate Revocation
Alice Bob
1. ClientHello
2. ServerHello (send cert., e.g., pub key e)
Verification protocol
Verification Authority
![Page 73: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/73.jpg)
73
Certificate Verification Protocols
• Expiration Date
• Certificate Revocation Lists (CRL) and Certificate Revocation Trees (CRT)
• OCSP – Online Cert Status Protocol
![Page 74: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/74.jpg)
74
Efficient Certificate Revocation Lists (kocher98)
Verification Authority
Alice
VA creates CRL and signs using private key.Note key very powerful.
Replica
Replica
Replica
Signed CRL
Signed CRL
Signed CRL
Query Replicas
Note no private keys
on server
![Page 75: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/75.jpg)
75
Certificate Revocation Tree Generation
C1 C2 C3 C4 Ci-1 Ci…
Revoked cert Cj sorted by serial
h h h
h h
h
VASig = Sign(Hroot , VA signing key)
H1 H2
H3
H4
H5 H6
Hroot
Verification Authority
![Page 76: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/76.jpg)
76
Alice
1. Is Bob’s Cert C2 revoked
2. [C1, H2, H6, VASig]
3. Alice validates C2 by:• H’root=H(H(C1, C2), H2, H6)• H’ =?= H• VA Sig valid?
Size of Proof:O(log i)
VA Replica
Signed CRL
![Page 77: Authenticated Encryption and Cryptographic Network Protocols David Brumley dbrumley@cmu.edu Carnegie Mellon University.](https://reader030.fdocuments.in/reader030/viewer/2022032701/56649c925503460f9494d369/html5/thumbnails/77.jpg)
77
Online Cert Status Protocol
Alice
1. Request(Bob’s Cert)
2. Check DB
3. Response( Sign(Bob’s Cert {OK,BAD}) VA Signing Key )
Verification Authority
Implemented in IE7 (Vista+), Firefox, Safari (by default Lion+), Opera, Chrome