The low-call diet: Authenticated Encryption for call counting HSM...

The low-call diet:

Authenticated Encryption for call counting HSM users

Gaven J. Watson – University of Bristol

Joint work with:Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB)

Real World Cryptography Workshop, Stanford – January 10th 2012

M. Bond, G. French, N.P. Smart, G.J. Watson Low-call diet: AE for call counting HSM users Stanford – January 10th 2012 1 / 40

1 Background

2 Motivation

3 Encryption with redundancy

4 Managed Encryption Format

5 Analysis

6 Summary

7 Something different...


Background

1 Background

2 Motivation



5 Analysis

6 Summary



Background

The story of this work

Designed by Mike Bond and George French.


Background



Scheme presented by Mike Bond at:

“Is Cryptographic Theory Practically Relevant?” – Workshop,Cambridge, UK, Feb 2012.


Background





Security analysis.


Background





Security analysis.

Presented today at:

Real World Crypto Workshop,Stanford, Jan 2013.


Background





Security analysis.

Presented today at:

Real World Crypto Workshop,Stanford, Jan 2013.

Paper to appear at CT-RSA 2013 (February).


Motivation

1 Background

2 Motivation



5 Analysis

6 Summary



Motivation

Setting

Industry commonly manages keys with special purpose hardware:


Motivation

Setting


Hardware Security Module (HSM).


Motivation

Setting



HSMs store keys which should not be exposed outside the module.


Motivation

Setting




Keys used via an API call to the HSM.


Motivation

Setting





e.g. Provides an API call for CBC Mode.Input: plaintext and the name of a key.HSM recovers key and applies CBC-Mode.


Motivation

Setting






Whole process is expensive.


Motivation

Setting






Whole process is expensive.

Minimizing calls to the HSM is important.


Motivation

What are our options?

Constructions which provide authenticated encryption:


Motivation



Encrypt-then-MAC


Motivation



Encrypt-then-MAC

Dedicated AE scheme: OCB, EAX, CCM etc.


Motivation



Encrypt-then-MAC

Dedicated AE scheme: OCB, EAX, CCM etc.

Why not use one of these well studied schemes?


Motivation

HSMs designed before need for AE was understood.


Motivation


More modern modes are not supported.


Motivation



Solution:

Use a generic construction such as Encrypt-then-MAC.


Motivation



Solution:

Use a generic construction such as Encrypt-then-MAC.

Solution Problem:

This uses two keys.

Meaning two HSM calls.


Motivation

Design criteria

Basic requirements:


Motivation

Design criteria

Basic requirements:

All secret keys should reside on the HSM.

Only one call to the HSM is allowed, i.e. single key.

Such a call should be to a CBC-Encrypt.


Encryption with redundancy

1 Background

2 Motivation



5 Analysis

6 Summary





Studied formally by An and Bellare.





Two types of redundancy function; secret key and public key.






IND-CPA encryption scheme + secret/public redundancy function 6⇒ AE.






IND-CPA encryption scheme + secret/public redundancy function 6⇒ AE.

An and Bellare define a scheme with a secret key redundancy function,Nested CBC (NCBC).

NCBC uses a different key to encrypt the last block.



Relating to our scheme

Our scheme uses secret redundancy,




Our scheme uses secret redundancy,where the redundancy function uses a different “key” each time.




Our scheme uses secret redundancy,where the redundancy function uses a different “key” each time.

In general any IND-CPA scheme plus one time redundancy function 6⇒ AE.


Managed Encryption Format

1 Background

2 Motivation



5 Analysis

6 Summary




API call

The API call is CBC-mode



API call

The API call is CBC-mode with all-zero IV.



API call


Need randomness for security.



API call



Use HSMs ability to generate random numbers.



API call




Implementation note – to avoid making an extra HSM call for everyencryption, we maintain a cache of randomness.



API call




Implementation note – to avoid making an extra HSM call for everyencryption, we maintain a cache of randomness.

We assume this cache to be secure.




R

C[0] = FK(R)

FK FK FK

hash(R,A,M)

hash

M [1]

C[1] C[2]

A

FK

M [2]

C[3]

FK

M [n]

C[n+ 1]



Encrypt(K ,A,M)

Rr← {0, 1}l

H ← hash(R ,A,M)C ← E-CBC[F ](K ,R‖H‖pad(M))return C

Decrypt(K ,A,C )

R‖H‖M ′ ← D-CBC[F ](K ,C )M ← dpad(M ′)if M 6=⊥ thenh← hash(R ,A,M)

if h 6= h then M =⊥return M



Encrypt(K ,A,M)

Rr← {0, 1}l

H ← hash(R ,A,M)C ← E-CBC[F ](K ,R‖H‖pad(M))return C

Decrypt(K ,A,C )

R‖H‖M ′ ← D-CBC[F ](K ,C )M ← dpad(M ′)if M 6=⊥ thenh← hash(R ,A,M)

if h 6= h then M =⊥return M

Points to note:

Padding (uniform error reporting)

“MAC-then-encrypt”

IV


Analysis

1 Background

2 Motivation



5 Analysis

6 Summary



Analysis

Security model – Privacy

Let Π = (KeyGen,Encrypt,Decrypt) be a symmetric encryption scheme.

Enc(A,M0,M1)C0 ← Encrypt(K ,A,M0)C1 ← Encrypt(K ,A,M1)

C∪← Cb

return Cb

PRIVA(Π)

K ← KeyGen; br← {0, 1}

b′ ← AEnc

return (b′ = b)

AdvprivΠ (A) = 2Pr[PRIVA(Π)⇒ true]− 1,


Analysis

PRIV

This can be proved by relating to the security of CBC mode proved by Bellare etal. [BDJR].


Analysis

PRIV

This can be proved by relating to the security of CBC mode proved by Bellare etal. [BDJR].

hash(R,A,M) M [1]R

C[0] = FK(R)

FK FK FK

C[1] C[2]


Analysis

Privacy

Let F = {FK : K ∈ {0, 1}k} be a permutation family.

Let Π[F ] be the managed encryption format using permutation family F .

Let A be an adversary against Privacy which runs in time t; making qeencryption queries totalling at most µe bits.


Analysis

Privacy



Let A be an adversary against Privacy which runs in time t; making qeencryption queries totalling at most µe bits.

Then there exists adversary B such that:

AdvPRIVΠ[F ] (A) ≤ 2Adv

prpF (B) +

q2f2l

+1

2l

(

(µe

l+ 2qe

)2

−(µe

l+ 2qe

)

)

where B runs in time t + O(µe) asking at most qf =µe

l+ 2qe queries.


Analysis

Security model – AUTH

Let Π = (KeyGen,Encrypt,Decrypt) be a symmetric encryption scheme.

Enc(A,M)C ← Encrypt(K ,A,M)

C∪← (A,C )

return C

Test(A∗,C∗)M∗ ← Decrypt(K ,A∗,C∗)if M∗ 6=⊥ and (A∗,C∗) 6∈ C then

win← truereturn (M∗ 6=⊥)

AUTHA(Π)K ← KeyGenwin← false(A∗,C∗)← AEnc,Test

return win

AdvauthΠ (A) = Pr[AUTHA(Π)⇒ true]


Analysis

AUTH

R

C[0] = FK(R)

FK FK FK

hash(R,A,M)

hash

M [1]

C[1] C[2]

A

FK

M [2]

C[3]

FK

M [n]

C[n+ 1]

To forge a ciphertext the adversary must forge the hash.


Analysis

Case 1: Hash not queried

Pr[(hash(R∗,A∗,M∗) = h∗) ∧ ((R∗,A∗,M∗, h∗) /∈ H)|πr← Perm] ≤

qt

2l

Not previously queried.

Random chance on verification.


Analysis

Case 2: Hash already queried

Pr[(hash(R∗,A∗,M∗) = h∗) ∧ ((R∗,A∗,M∗, h∗) ∈ H)|πr← Perm] ≤

qhµe

l2l.

Previous call to random oracle.

If call made by encryption query then invalid forgery.

So independent call to hash.


Analysis

Case 2: Hash already queried

Pr[(hash(R∗,A∗,M∗) = h∗) ∧ ((R∗,A∗,M∗, h∗) ∈ H)|πr← Perm] ≤

qhµe

l2l.

Previous call to random oracle.

If call made by encryption query then invalid forgery.

So independent call to hash.

Analysis is then based on the collision event that for some i , j ,

Ci [j ]⊕Mi [j ] = h∗ ⊕ π(R∗).


Analysis

AUTH



Let A be an adversary against the AUTH security which runs in time t;making qe encryption queries totalling at most µe bits, qt test queriestotalling at must µt bits and qh random oracle queries.


Analysis

AUTH



Let A be an adversary against the AUTH security which runs in time t;making qe encryption queries totalling at most µe bits, qt test queriestotalling at must µt bits and qh random oracle queries.

Then there exists adversary B such that:

AdvAUTHΠ[F ] (A) ≤ Adv

sprpF (B) +

qt

2l+

qhµe

l2l

where B makes qf =µe

l+ 2qe +

µt

lqueries and runs in time t + O(µe + µt).


Summary

1 Background

2 Motivation



5 Analysis

6 Summary



Summary

Summary

We have discussed the Managed Encryption Format


Summary

Summary


Despite its limitation we were still able to prove it secure.


Summary

Summary



With several important implementation caveats.


Summary

Summary



With several important implementation caveats.

Care needs to be taken with implementation to ensure security.


Something different...

1 Background

2 Motivation



5 Analysis

6 Summary




And now for something completely different....



Analysis of the new EMV key agreement protocol

Christina Brzuska1 Nigel P. Smart2 Bogdan Warinschi2

Gaven J. Watson2

1School of Computer Science,Tel Aviv University, Israel.

2Dept. Computer Science,University of Bristol, UK.

Real World Cryptography Workshop, Stanford – January 10th 2012

C. Brzuska, N.P. Smart, B. Warinschi, G.J. Watson EMV Analysis Stanford – January 10th 2012 30 / 40


Scheme

Card (C) Terminal (T)secret key: d ∈ Fq

“public” key: QC = dP

certC = (sigsk(QC ),QC )



Scheme




ar← {0, 1}l

A=aQC

−−−−−−−−−−−−−−−→E=eP

←−−−−−−−−−−−−−−− er← Fq



Scheme




ar← {0, 1}l

A=aQC

−−−−−−−−−−−−−−−→E=eP

←−−−−−−−−−−−−−−− er← Fq

(κ1, κ2) = H(daE ) (κ1, κ2) = H(eA)



Scheme




ar← {0, 1}l

A=aQC

−−−−−−−−−−−−−−−→E=eP

←−−−−−−−−−−−−−−− er← Fq

(κ1, κ2) = H(daE ) (κ1, κ2) = H(eA)ct=encκ1

(certC ,QC ,a)

−−−−−−−−−−−−−−−→ (certC ,QC , a) = decκ1(ct)

Check: aQC?= A

verpk(certC ,QC )?= true



Scheme




ar← {0, 1}l

A=aQC

−−−−−−−−−−−−−−−→E=eP

←−−−−−−−−−−−−−−− er← Fq

(κ1, κ2) = H(daE ) (κ1, κ2) = H(eA)ct=encκ1

(certC ,QC ,a)

−−−−−−−−−−−−−−−→ (certC ,QC , a) = decκ1(ct)

Check: aQC?= A

verpk(certC ,QC )?= true

cti=encκ1(mi )

−−−−−−−−−−−−−−−→ctj=encκ2

(mj )

←−−−−−−−−−−−−−−−



What is the correct security model?

Authenticated key exchange security model – Bellare and Rogaway 1993.





Model in a nutshell:

A is permitted NewSession, Send, Reveal and Corrupt queries.

At some point A makes Test query which returns either real or randomsession key.

A must distinguish cases.









Schemes with a key confirmation step cannot be secure.









Schemes with a key confirmation step cannot be secure.(Decrypt the last message and check.)



ACCE

Jager et al. propose Authenticated and Confidential Channel Establishment(ACCE).



ACCE


ACCE = AKE + sLHAE.

Queries permitted – NewSession, Send, Encrypt, Decrypt, Reveal and Corrupt



ACCE


ACCE = AKE + sLHAE.


Challenge –

For each session the challenger chooses a random bit b.



ACCE


ACCE = AKE + sLHAE.


Challenge –

For each session the challenger chooses a random bit b.Encrypt takes as input two messages m0,m1 and returns encryption of mb.



ACCE


ACCE = AKE + sLHAE.


Challenge –

For each session the challenger chooses a random bit b.Encrypt takes as input two messages m0,m1 and returns encryption of mb.A must guess b for one particular session.



ACCE issues

Permitted Decryptions:



ACCE issues

Permitted Decryptions: Consider partners i and j .

Different keys for each direction.j encrypts messages for i to decrypt.



ACCE issues


Different keys for each direction.j encrypts messages for i to decrypt.A should not see decryption by i of encryption output by j .



ACCE issues


Different keys for each direction.j encrypts messages for i to decrypt.A should not see decryption by i of encryption output by j .As stated model checks i does not returned decrypt messages encrypted byitself.



ACCE issues



Reveal Queries:



ACCE issues



Reveal Queries: Consider both EMV and TLS.

Last operation by card is to send an encrypted message.



ACCE issues




Last operation by card is to send an encrypted message.Immediately after message is sent A can reveal the key and re-encryptmessage with new randomness.



ACCE issues




Last operation by card is to send an encrypted message.Immediately after message is sent A can reveal the key and re-encryptmessage with new randomness.The other participant will accept but matching conversations will not hold.



Our model

EAMAP Model:

A permitted queries NewSession, Send, Reveal and Corrupt.

Send controls all key-exchange, encrypt and decrypt operations.



Our model

EAMAP Model:



Security in three parts: Entity Authentication, Message Authentication andMessage Privacy.



Our model

EAMAP Model:




Fixing reveal query issue – entity authentication w.r.t. matchingconversations on the plaintext.



Our model

EAMAP Model:




Fixing reveal query issue – entity authentication w.r.t. matchingconversations on the plaintext.

One-sided authentication.



Security

Entity Authentication – Matching plaintext conversations – Forge certificates.



Security


Message Authentication –

Gap-DHMatching plaintext conversations – certificate forgeryAUTH of encryption scheme (stateful)



Security


Message Authentication –

Gap-DHMatching plaintext conversations – certificate forgeryAUTH of encryption scheme (stateful)

Message Privacy –

Gap-DHMatching plaintext conversations – certificate forgeryPRIV of encryption scheme (stateful)



Unlinkability – Model

We have the additional requirement of unlinkability of card session.






A permitted NewSession, Send, Reveal and Corrupt queries.







A outputs two identities i0 and i1.








Challenger chooses random bit b and creates a session based on ib.









A makes further queries,









A makes further queries, including Send queries to challenge session.









A makes further queries, including Send queries to challenge session.

A must determine b.



Unlinkability – Security

Security then depends on the following problem:

Definition (Small Decisional Discrete Log (SDDL))

Given P ,X0,X1, rXi ∈ G , where |r | ≤ 2l < |G | determine i .



Wrapping up

Presented two formal security analyses:

Managed Encryption Format – Retrospective analysis.

EMV – Analysis as part of the design process.



Questions


The low-call diet: Authenticated Encryption for call counting HSM...

Documents

Transcript of The low-call diet: Authenticated Encryption for call counting HSM...