Authenticated Encryption Gcm Ccm


Published on November 19, 2009

Author: ProjectSymphony



These are the slides used for presenting the Authenticated Encryption GCM - CCM document by Lorenzo Peraldo and Vittorio Picco.

Authenticated encryption GCM and CCM modes Lorenzo Peraldo and Vittorio Picco

Authenticated encryption. Definition: “Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications”

Basic components: Message Authentication Code (MAC) + symmetric encryption

Why? MAC. Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed. Authentication: only the user who has got the secret key can authenticate the message. Symmetric encryption. Confidentiality: data are encrypted. Authentication: if only 2 users share the secret key.

A non-computer example: a letter from a lover by ordinary mail. Envelope: confidentiality and integrity. Signature: authentication.

Sender AE black box. Input: a plaintext message, a key, possibly a nonce. Output: the encrypted message (ciphertext), an authentication tag.

Recipient AE black box. Input: an encrypted message, a tag, the nonce (if used), the key. Output: if the tag is verified, the plaintext; else FAIL.

AE security. Privacy: an attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext; the ciphertext should look like random bits. Authentication: an attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid. Protection from replay attacks.

AE implementations. Usually with “modes”: a mode is a sequence of operations applied to a block cipher, like DES or AES. Examples: CBC, ECB, CTR, … CCM and GCM provide authenticated encryption.

Generic composition: the immediate solution. PRO: easy, secure, no need to develop specific apps. CON: not optimized, 2 keys needed for best security. 3 ways: MtE (MAC then Encrypt), EtM (Encrypt then MAC), E&M (Encrypt and MAC). EtM is the best.

Single-pass combined mode. 2000: IBM developed IAPM. Comparison with generic composition: split the plaintext in m parts; generic composition needs 2m calls of the block cipher, single-pass about m invocations. Many followed: XCBC, XECB, OCB, … There is only a problem…

Oh no, Intellectual Properties!! Single-pass modes were all patented: IAPM by IBM; OCB by Rogaway, Bellare, Black and Krovetz; XCBC by Gligor and Donescu; XECB by Gligor and Donescu.

As a result… Probably some of the patents are interrelated, but nobody has gone to court to prove it (yet…). The possible users of these technologies have been scared by the legal implications, and the researchers have moved toward other directions. Single-pass combined modes are not used by anybody, even though they are the best solution.

Two-pass combined mode. Not that different from generic composition, but with some advantages: use of only one key, patent free, better performance than generic composition. Examples: CCM, EAX, CWC, GCM.

CCM A brief introduction

What is CCM: Counter with CBC-MAC, an authenticated encryption solution. Encryption: use of the block cipher AES-128 in Counter (CTR) mode. Authentication: MAC computed with CBC (Cipher Block Chaining).

Main features: symmetric key; designed for AES-128; use in packet environment (no stream data); arbitrary length MAC; only one key for authentication and encryption; no intellectual property restrictions.

How does it work? Generation - encryption

How does it work? (cont’d) Decryption - verification

Generation-encryption. 1. The MAC (Message Authentication Code) is computed by applying CBC to the formatted input data (N, P, A), i.e. the blocks m1, m2, …, mx.

Generation-encryption (cont’d). 2. Counter mode is applied to encrypt data and MAC.

Generation-encryption (cont’d). 3. Output: the ciphertext C, made of the encrypted payload and the encrypted MAC (both under key K).

Decryption-verification: counter mode decryption; computation of the MAC with CBC-MAC over (N, A, P’); verification of authenticity. Output: payload / INVALID.

Hardware implementation. CCM cannot be parallelized. Operations to be implemented: encryption (hw implementation of the AES cipher), XOR, counter increment, formatting function.
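As an added example (not code from the slides or from NIST), the CCM formatting function just listed, together with CCM's counter blocks, in pure Python following SP 800-38C Appendix A. AES is not involved; the values used in the check are those of the first example in SP 800-38C (7-byte nonce, 8 bytes of associated data, 4-byte payload, 4-byte tag), which is why the result can be verified without a cipher.

```python
from typing import List


def ccm_format(nonce: bytes, adata: bytes, payload: bytes, tlen: int) -> List[bytes]:
    """Return the 16-byte blocks B0, B1, ..., Br that CBC-MAC is run over.

    tlen is the tag length in bytes; q = 15 - len(nonce) bytes hold the payload length,
    which is why a longer nonce limits the maximum payload size.
    """
    n = len(nonce)
    q = 15 - n
    if not 7 <= n <= 13:
        raise ValueError("CCM nonce must be 7..13 bytes")
    if tlen not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("CCM tag length must be an even number of bytes, 4..16")
    if len(payload) >= 1 << (8 * q):
        raise ValueError("payload too long for this nonce length")
    # B0 flags byte: Reserved(0) | Adata | (t-2)/2 | q-1
    flags = (64 if adata else 0) | (((tlen - 2) // 2) << 3) | (q - 1)
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(q, "big")
    # associated data is prefixed with its length, in one of three encodings
    alen = len(adata)
    if alen == 0:
        a_enc = b""
    elif alen < (1 << 16) - (1 << 8):
        a_enc = alen.to_bytes(2, "big") + adata
    elif alen < 1 << 32:
        a_enc = b"\xff\xfe" + alen.to_bytes(4, "big") + adata
    else:
        a_enc = b"\xff\xff" + alen.to_bytes(8, "big") + adata
    a_enc += b"\x00" * (-len(a_enc) % 16)          # zero-pad to a block boundary
    p_enc = payload + b"\x00" * (-len(payload) % 16)
    stream = b0 + a_enc + p_enc
    return [stream[i:i + 16] for i in range(0, len(stream), 16)]


def ccm_counter_block(nonce: bytes, i: int) -> bytes:
    """Ctr_i = [q-1]_8 || N || [i]_8q; Ctr_0 encrypts the MAC, Ctr_1.. the payload."""
    q = 15 - len(nonce)
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")


# Input values of the example in SP 800-38C (N, A, P); the key is not needed here.
EX_N = bytes.fromhex("10111213141516")
EX_A = bytes.fromhex("0001020304050607")
EX_P = bytes.fromhex("20212223")

if __name__ == "__main__":
    for blk in ccm_format(EX_N, EX_A, EX_P, 4):
        print(blk.hex())                              # B0, B1, B2
    print(ccm_counter_block(EX_N, 0).hex())           # Ctr_0
```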

Security recommendations. Keys must be secret and “fresh”. IV: 0 for CBC-MAC. Never use the same nonce twice. Max number of nonces with the same key: 2^61. Choose an appropriate MAC length. Replay attacks: use timestamps / packet numbers.

A possible attack. “be conservative in what you send, and liberal in what you accept” (Figure: parties using 16-byte, 12-byte, 16-byte, 8-byte and 4-byte MACs.)

A possible attack (cont’d). Here comes the bad guy!! (Figure: with the attacker present, the MAC lengths become 16-byte, 12-byte, 4-byte, 8-byte and 4-byte.)

A possible attack (cont’d). 2^32 4-byte MACs computed: at least one valid ciphertext!!!

Countermeasures: fix the tag length parameter during key negotiation and never change it during the current session.

GCM: Galois/Counter Mode of operation

What is GCM - GMAC: an authenticated encryption solution. Encryption: use of the block cipher AES in a mode of operation similar to CTR. Authentication: the MAC provided is a sort of keyed digest. Can provide authentication only → GMAC.

Main features: extremely fast, more than 10 Gbps; easy to implement in software and hardware; can be used for authentication only, if desired; designed for AES, optimized for 128 bits; arbitrary length IV, optimized for 96 bits; only one key for authentication and encryption; no intellectual property restrictions.

Authenticated encryption function. WHAT?!?!

Version for human beings. 1. The hash sub-key H is computed and stored: H = Enc_K(0^128), i.e. a block of 128 zero bits encrypted under K.

Version for human beings. 2. The IV length is checked: if it is 96 bits, it is padded to 128 bits; if it is different, a 128-bit IV is computed using a special function (GHASH). The IV is the starting value of the counter.

Version for human beings. 3. Encryption

Version for human beings. 4. Authentication in GF(2^128)

Hardware implementation: the only way to manage more than 10 Gbps. GCM can be parallelized. Operations to be implemented: encryption (hw implementation of the AES cipher), XOR, increment of the counter, multiplication within GF(2^128).

Hardware implementation

The multiplication in GF(2^q). Different approaches: parallel; serial (super serial, bit serial, etc). Serial solutions: time and area linear with q. Parallel solution: time 1 clock cycle; area quadratic with q, but only 30% of the AES cipher. GO PARALLEL, BOYS!
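As an added example (not code from the slides or from the NIST specification), the GF(2^128) multiplication of step 4, GHASH, and the IV handling of step 2 in pure Python, following SP 800-38D. No AES is involved: the hash sub-key H and the ciphertext used for the check are the published values of the GCM specification's test case 2 (all-zero key, 96-bit zero IV, one zero plaintext block), so the GHASH output can be verified against the spec.

```python
from typing import List

R = 0xE1 << 120   # reduction constant of GF(2^128), bit-reflected as GCM stores it
ONE = 1 << 127    # multiplicative identity in GCM's bit ordering (block 80 00 .. 00)


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit ints in GF(2^128) (SP 800-38D, Algorithm 1).

    GCM numbers bits from the left, so the block's bit 0 is integer bit 127.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes) -> List[int]:
    """Split data into 128-bit ints, zero-padding the last block."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): multiply-accumulate over A, C and the block [len(A)]64 || [len(C)]64."""
    hk, x = int.from_bytes(h, "big"), 0
    lengths = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")
    for block in _blocks(aad) + _blocks(ciphertext) + _blocks(lengths):
        x = gf_mult(x ^ block, hk)
    return x.to_bytes(16, "big")


def gcm_j0(h: bytes, iv: bytes) -> bytes:
    """Initial counter block J0 (slide step 2): a 96-bit IV is padded with 0^31 || 1;
    any other length is hashed as GHASH_H(IV || 0^s || 0^64 || [len(IV)]64), which is
    exactly ghash() with an empty A and the IV in the C position."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    return ghash(h, b"", iv)


# Published check values from GCM test case 2 (K = 0^128, IV = 0^96, P = 0^128):
# H = AES_K(0^128) and the ciphertext C are given here, not computed.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")

if __name__ == "__main__":
    print(ghash(H_TC2, b"", C_TC2).hex())   # f38cbb1ad69223dcc3457ae5b6b0f885
    print(gcm_j0(H_TC2, bytes(12)).hex())   # 00000000000000000000000000000001
```

The tag of test case 2 is this GHASH value XORed with Enc_K(J0), which is what step 4 of the slides computes once AES is added.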

Security recommendations. Keys: secret and “fresh”. IV: the probability of using the same IV and key must be < 2^-32; there is a known security problem with reused IVs. Appropriate tag length. Replay attacks: use timestamps.

Oracles… Permutation oracle: outputs either random numbers or the output of a PRF; the PRF represents an encrypted message. Distinguishing advantage: how well the attacker can tell the two apart.

Oracles… Tag-generation oracle. Input: a message. Output: a valid tag. Tag-validation oracle. Input: a message and a tag. Output: is the tag correct for the given message? Forgery advantage.

CTR known issue (figure: plaintext lines with their ciphertext, before and after a change to the ciphertext). Original: “Hello world,” → 72dd0294rth%p; “this is me,” → 29sj!5z/k=p; “life should be” → akd'^3sddG#/ap5; “fun for everyone” → 97;7*h2?375ba+?9. Modified: “Hello Sarah,” → 72dd023&F7j%p; the other three lines are unchanged. Altering a few ciphertext characters alters only the corresponding plaintext characters.

Beware! Attacker with access to a tag-generation oracle: if IVs are not changed, the output will be a function of the hash sub-key H. Analyzing the resulting tags, the attacker could recover H. With H he can generate valid authentication tags, thus pretending to be your friend!

Solution. This attack is possible only if you use the same key with the same IV more than once. NEVER DO THAT!

References: NIST Special Publication 800-38C (CCM); NIST Special Publication 800-38D (GCM); Authenticated Encryption (J. Black); A Critique of CCM (P. Rogaway, D. Wagner); On The Security of CTR + CBC-MAC (J. Jonsson); Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson); Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega); The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega).

Questions?
