Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Transcription

1 Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th / 60

2 Last Time (I) Security Notions Hybrid argument Application to pseudo-random generator Remarks, questions, comments? 2 / 60

3 Last Time (II) Exercises done Hybrid Arguement Application: Pseudo-random generator 3 / 60

4 Outline of Today: Security Notions Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 4 / 60

5 Recall Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 5 / 60

6 Recall Symmetric key and public key encryption Symmetric key encryption encryption decryption Public key encryption encryption decryption public key private key 6 / 60

7 Recall Summary of IND-XXX Games Given S = (K, E, D), A = (A 1, A 2 ) of polynomial-time probabilistic algorithms. Ind b XXX (A) follows: Generate (pk,sk) R K(η). (s,m 0,m 1 ) R A O 1 1 (η,pk) b R A O 2 2 (η,pk,s, E(pk,m b)) return b. Adv Ind XXX S,A (η) = Pr[b R Ind 1 XXX (A) : b = 1] Pr[b R Ind 0 XXX (A) : b = 1] IND-CPA, IND-CCA1, IND-CCA2 IND-CPA: O 1 = O 2 = Chosen Plain text Attack IND-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack IND-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 7 / 60

8 Recall The NM-XXX Games Given S = (K, E, D). An adversary A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, m, m, m M. Let NM b XXX (A): Generate (pk, sk) R K(η). (s, M) R A O1 1 (η, pk), m 0, m 1, M (R, C ) R A O2 2 (η, pk, s, M, E(pk, m b)), M D(C ) return R(m b, M ) Then, we define the advantage against the IND-CCA2 game by: Adv NM XXX S,A (η) = Pr[R(m, M ) R NM 1 XXX (A) : R(m, M ) = 1] Pr[R(m, M ) R NM 0 XXX (A) : R(m, M ) = 1] NM-CPA: O 1 = O 2 = Chosen Plain text Attack NM-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack NM-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 8 / 60

9 Block cipher modes Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 9 / 60

10 Block cipher modes Block Cipher Modes NIST standard Electronic Code Book (ECB) Cipher Block Chaining (CBC) Cipher FeedBack mode (CFB) Output FeedBack (OFB), and Counter mode (CTR). Others DMC,CBC-MAC, IACBC, IAPM, XCB,TMAC, HCTR, HCH, EME, EME*, PEP, OMAC, TET, CMC, GCM, EAX, XEX, TAE, TCH, TBC, CCM, ABL4 10 / 60

11 Block cipher modes ECB Electronic Book Code (ECB) Each block of the same length is encrypted separately. 11 / 60

12 Block cipher modes ECB Electronic Book Code (ECB) Each block of the same length is encrypted separately. 11 / 60

13 Block cipher modes ECB ECB Encryption Algorithm algorithm E K (M) if ( M mod n 0 or M = 0) then return FAIL Break M into n-bit blocks M[1]... M[m] for i = 1 to m do C[i] = E K (M[i]) C = C[1]... C[m] return C 12 / 60

14 Block cipher modes ECB ECB Decryption Algorithm algorithm D K (C) if ( C mod n 0 or C = 0) then return FAIL Break C into n-bit blocks C[1]... C[m] for i = 1 to m do M[i] = D K (C[i]) M = M[1]... M[m] return M 13 / 60

15 Block cipher modes ECB 14 / 60

16 Block cipher modes CBC Cipher-block chaining (CBC) If the first block has index 1, the mathematical formula for CBC encryption is C i = E K (P i C i 1 ),C 0 = IV while the mathematical formula for CBC decryption is P i = D K (C i ) C i 1,C 0 = IV CBC has been the most commonly used mode of operation. 15 / 60

17 Block cipher modes CBC 16 / 60

18 Block cipher modes CBC 17 / 60

19 Block cipher modes CFB The cipher feedback (CFB) A close relative of CBC: C i = E K (C i 1 ) P i P i = E K (C i 1 ) C i C 0 = IV 18 / 60

20 Block cipher modes CFB 19 / 60

21 Block cipher modes CFB 20 / 60

22 Block cipher modes OFB Output feedback (OFB) Because of the symmetry of the XOR operation, encryption and decryption are exactly the same: C i = P i O i P i = C i O i O i = E K (O i 1 ) O 0 = IV 21 / 60

23 Block cipher modes OFB 22 / 60

24 Block cipher modes OFB 23 / 60

25 Block cipher modes OFB ECB vs Others 24 / 60

26 Attack on ECB Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 25 / 60

27 Attack on ECB ECB Attack Let us fix a block cipher E : K {0,1} n {0,1} n. and SE = (K, E, D) an ECB symmetric encryption scheme, where the size of each block is n. We build an adversary A with a high IND-CPA advantage. E K (LR(m l,m r,b)) = { EK (m l ) if b = 1 E K (m r ) if b = 0 26 / 60

28 Attack on ECB Adversary A Adversary A E K(LR(.,.,b) ) M 0 0 n 1 n ; M 1 0 2n ; C[1]C[2] E K (LR(M 0,M 1,b)) If C[1] = C[2] then return 1 else return 0 X[i] denotes the i-th block of a string X, a block being a sequence of n bits. 27 / 60

29 Attack on ECB Proof Why? Pr[Exp IND CPA 0 SE (A) = 1] = 0 Pr[Exp IND CPA 1 SE (A) = 1] = 1 28 / 60

30 Attack on ECB Proof Why? Pr[Exp IND CPA 0 SE (A) = 1] = 0 Pr[Exp IND CPA 1 SE (A) = 1] = 1 If b = 1, then the oracle returns C[1]C[2] = E K (0 n ) E K (0 n ), so C[1] = C[2] and A returns / 60

31 Attack on ECB Proof Why? Pr[Exp IND CPA 0 SE (A) = 1] = 0 Pr[Exp IND CPA 1 SE (A) = 1] = 1 If b = 1, then the oracle returns C[1]C[2] = E K (0 n ) E K (0 n ), so C[1] = C[2] and A returns 1. if b = 0, the oracle returns C[1]C[2] = E K (0 n ) E K (1 n ). Hence C[1] C[2]. So A returns 0 in this case. 28 / 60

32 Attack on ECB Proof Why? Pr[Exp IND CPA 0 SE (A) = 1] = 0 Pr[Exp IND CPA 1 SE (A) = 1] = 1 If b = 1, then the oracle returns C[1]C[2] = E K (0 n ) E K (0 n ), so C[1] = C[2] and A returns 1. if b = 0, the oracle returns C[1]C[2] = E K (0 n ) E K (1 n ). Hence C[1] C[2]. So A returns 0 in this case. Adv IND CPA SE (A) = 1 0 = 1 This means that the ECB encryption scheme is insecure. 28 / 60

33 Attack on ECB Exercise 1. Find an attack on CBC with counter IV. 2. Prove that CBC with random IV is not IND-CCA1 secure. 3. Notice that CBC with random IV is IND-CPA secure. 29 / 60

34 Security of CBC Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 30 / 60

35 Attack on CBC with counter Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 31 / 60

36 Attack on CBC with counter CBC counter CBC using a random number IV the first call, and latter IV++. Consider for simplicity IV is 0 and for generating the next IV we just increase by one the value of the previous IV. C i = E K (P i C i 1 ) and C 0 = IV 32 / 60

37 Attack on CBC with counter CBC counter Attack Assuming IV 1 = 0 and IV 2 = 1 Adversary AE K (LR(.,.,b)) M 0,1 0 n ; M 1,1 0 n ; M 0,2 0 n ; M 1,2 0 n 1 1; < IV 1,C 1 > r E K (LR(M 0,1,M 1,1,b)) < IV 2,C 2 > r E K (LR(M 0,2,M 1,2,b)) If C 1 = C 2 then return 1 else return 0 because Adv IND CPA SE (A) = 1 0 = 1 Pr[Exp IND CPA 1 AE K (A) = 1] = 1 Pr[Exp IND CPA 0 AE K (A) = 1] = 0 33 / 60

38 Attack on CBC with counter CBC counter Attack (Proof I) Assuming IV 1 = 0 and IV 2 = 1 Adversary AE K (LR(.,., b)) M 0,1 0 n ; M 1,1 0 n ; M 0,2 0 n ; M 1,2 0 n 1 1; < IV 1, C 1 > r E K (LR(M 0,1, M 1,1, b)) < IV 2, C 2 > r E K (LR(M 0,2, M 1,2, b)) If C 1 = C 2 then return 1 else return 0 b = 0 (right) C 1 = E K (M 1,1 IV 1 ) = E K (0 0) = E K (0) C 2 = E K (M 1,2 IV 2 ) = E K (1 1) = E K (0) Hence C 1 = C 2 34 / 60

39 Attack on CBC with counter CBC counter Attack (Proof II) Assuming IV 1 = 0 and IV 2 = 1 Adversary AE K (LR(.,., b)) M 0,1 0 n ; M 1,1 0 n ; M 0,2 0 n ; M 1,2 0 n 1 1; < IV 1, C 1 > r E K (LR(M 0,1, M 1,1, b)) < IV 2, C 2 > r E K (LR(M 0,2, M 1,2, b)) If C 1 = C 2 then return 1 else return 0 b = 1 (left) C 1 = E K (M 0,1 IV 1 ) = E K (0 0) = E K (0) C 2 = E K (M 0,2 IV 2 ) = E K (0 1) = E K (1) Hence C 1 C 2 35 / 60

40 Hybrid Encryption Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 36 / 60

41 Hybrid Encryption Idea and Motivations Idea AE = (K a, E a, D a ) an asymmetric encryption scheme (pk,sk). SE = (K s, E s, D s ) a symmetric encryption scheme K. We define E pk (M) using E s K (M) and Ea pk (K) Motivation Costly operation (asymmetric encryption) is applied on a message of fixed size, and after efficient algorithm are used to encrypt the data. 37 / 60

42 Hybrid Encryption Encryption Algorithm Algorithm E pk (M) K K s ; C s E s K (M); C a E a pk (K); C (C a,c s ); Return C 38 / 60

43 Hybrid Encryption Decryption Algorithm Algorithm D sk (C) Parse C as (C a,c s ); K D a sk (Ca ); M D s K (Cs ); Return M 39 / 60

44 Hybrid Encryption Security Property If AE and SE are each secure against chosen-plain-text attack, then AE the hybrid encryption is also secure against chosen-plain-text attack. Let B be an IND-CPA adversary attacking AE. Then there exist IND-CPA adversaries A 00,01,A 11,10 attacking AE, and an adversary A attacking SE, such that: Adv IND CPA AE (B) Adv IND CPA AE (A 00,01 ) + Adv IND CPA AE (A 11,10 ) +Adv IND CPA SE (A) 40 / 60

45 Hybrid Encryption Idea of the Proof P(α,β) = Pr[Exp αβ (B) = 1] AE P(1,0) = Pr[Exp IND CPA 1 (B) = 1] AE P(0,0) = Pr[Exp IND CPA 0 (B) = 1] AE Adv IND CPA (B) = P(1,0) P(0,0) AE 41 / 60

46 Hybrid Encryption General Scheme of the Proof P(1,0) P(0,0) = [P(1,0) P(1,1)] + [P(1,1) P(0,1)] + [P(0,1) P(0,0)] P(1,0) P(1,1) Adv IND CPA AE (A 11,10 ) P(1,1) P(0,1) Adv IND CPA SE (A) P(0,1) P(0,0) Adv IND CPA AE (A 00,01 ) 42 / 60

47 OAEP Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 43 / 60

48 OAEP Hash Functions A hash function H takes as input a bit-string and returns a corresponding digest of fixed length. Good hash functions are : collision-free: H(x) = H(y) x = y non-malleable: xry H(x)RH(y) H(Alice) = H(Bob) 44 / 60

49 OAEP Properties of hash functions Definition (Preimage resistance) Given an output y, it is computationally infeasible to compute x such that h(x) = y Definition (2nd preimage resistance) Given an input x, it is computationally infeasible to compute x such that h(x ) = h(x) 45 / 60

50 OAEP Properties of hash functions Definition (Collision resistance) It is computationally infeasible to compute x and x such that h(x) = h(x ) 46 / 60

51 OAEP Properties of hash functions Alternate terminology: pre-image resistant one-way 2nd pre-image resistant weak collision resistant collision resistant strong collision resistant 47 / 60

52 OAEP Use of hash functions Idea: compute a condensed message y from a given message m. The condensed should be specific to the message. Use y in place of m in a trustworthy way. Did you get m correctly? Here s y to check. (file-sharing) Could you decrypt c correctly? I sign y to prove that I wrote m. 48 / 60

53 OAEP List of Hash Functions Algorithm Output size Internal state size Block size Length size Word size Collision HAVAL 256/.../ Yes MD No 8 Almost MD Yes MD Yes PANAMA No 32 Yes RadioGatn Arbitrarily long 58 words 3 words No 1-64 No RIPEMD Yes RIPEMD 128/ / No RIPEMD 160/ / No SHA Yes SHA With flaws SHA-256/ / No SHA-512/ / No Tiger(2) 192/160/ No WHIRLPOOL No 49 / 60

54 OAEP Optimal Asymmetric Encryption Padding (OAEP) The OAEP cryptosystem (K, E, D) obtained from a permutation f, whose inverse is denoted by g. And two hash functions: G : {0,1} k 0 {0,1} k k 0 H : {0,1} k k 0 {0,1} k 0 K(1 k ): specifies an instance of the function f, and of its inverse g. The public key pk is therefore f and the private key sk is g. 50 / 60

55 OAEP OAEP: Encryption E pk (m,r) = c with m {0,1} n, and r {0,1} k 0 s = (m 0 k 1 ) G(r),t = r H(s) c = f (s,t) 51 / 60

56 OAEP OAEP: Decryption D sk (c) g(c) = (s,t) r = t H(s) M = s G(r) If [M] k1 = 0 k 1, the algorithm returns [M] n, otherwise it returns Reject [M] k1 denotes the k 1 least significant bits of M [M] n denotes the n most significant bits of M 52 / 60

57 OAEP Results and References OAEP was first proved IND-CPA then IND-CCA1 and finally IND-CCA2 secure under some assumptions. 1. M. Bellare, P. Rogaway. Optimal Asymmetric Encryption How to encrypt with RSA. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, LNCS Vol. 950, A. Springer-Verlag, Victor Shoup. OAEP Reconsidered. IBM Zurich Research Lab, September 18, Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA OAEP is secure under the RSA assumption. In J. Kilian, ed., Advances in Cryptology CRYPTO 2001, vol of LNCS, SpringerVerlag, P. Paillier and J. Villar, Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption, Advances in Cryptology Asiacrypt / 60

58 OAEP Examples Bellare & Rogaway 93: Zheng & Seberry 93: f (r) x G(r) H(x r) f (r) G(r) (x H(x)) OAEP 94 (Bellare & Rogaway): where s = x0 k G(r) OAEP+ 02 (Shoup): where s = x G(r) H (r x). Fujisaki & Okamoto 99: f (s r H(s)) f (s r H(s)) where E is IND-CPA. E((x r);h(x r)) 54 / 60

59 Conclusion Outline Recall Block cipher modes ECB CBC CFB OFB Attack on ECB Security of CBC Attack on CBC with counter Hybrid Encryption OAEP Conclusion 55 / 60

60 Conclusion Summary Today ECB, CBC, FBC, OFB Attack on ECB Hybrid Encryption OAEP 56 / 60

61 Conclusion Where are we? Introduction Indistinguishability Public Encryption Symmetric encryption Security protocols: Symbolic Model Computational Model Non-interference Problem Access Control and Security Policies And a little more, if possible / 60

62 Conclusion Next Time Symbolic Model: Principles using Examples Playing with Tools: Scyther Avispa: OFMC, Cl-Atse, SATMC, TA4SP Proverif 58 / 60

63 Conclusion Challenge: Find a flaw on a simple protocol! {N A,A} KB 59 / 60

64 Conclusion Challenge: Find a flaw on a simple protocol! {N A,A} KB {N A,N B } KA 59 / 60

65 Conclusion Challenge: Find a flaw on a simple protocol! {N A,A} KB {N A,N B } KA {N B } KB 59 / 60

66 Conclusion Challenge: Find a flaw on a simple protocol! {N A,A} KB {N A,N B } KA {N B } KB Question Is N B a shared secret between A et B? 59 / 60

67 Conclusion Thank you for your attention. Questions? 60 / 60