defense

63 %
38 %
Information about defense
Education

Published on June 18, 2007

Author: FunSchool

Source: authorstream.com

Simultaneously Ensuring Privacy and Authenticity in Digital Communication:  Simultaneously Ensuring Privacy and Authenticity in Digital Communication Chanathip Namprempre (aka Meaw) University of California, San Diego Contents of Dissertation:  Contents of Dissertation Generic Composition Paradigm M. Bellare and C. Namprempre. 'Authenticated encryption: Relations among notions and analysis of the generic composition paradigm,' Asiacrypt 2000. A case study: Secure Shell (SSH) M. Bellare, T. Kohno, and C. Namprempre. 'Authenticated encryption in SSH: Provably fixing the binary packet protocol,' ACM Conference on Computer and Communications Security – CCS 2002. Secure Channels C. Namprempre. 'Secure channels based on authenticated encryption schemes: A simple characterization,' Asiacrypt 2002. Other Publications:  Other Publications M. Abdalla, J. An, M. Bellare, and C. Namprempre. 'From identification to signatures via the Fiat-Shamir transform minimizing assumptions for security and forward security,' Eurocrypt 2002. M. Bellare, A. Boldyreva, Lars Knudsen, and C. Namprempre. 'On-line ciphers and the Hash-CBC construction,' Crypto 2001. M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. 'The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme,' Financial Cryptography 2001. M. Abdalla, S. Miner, and C. Namprempre. 'Forward security in threshold signature schemes,' CT-RSA 2001. C. Namprempre, J. Sussman, and K. Marzullo. 'Implementing causal logging using OrbixWeb interception,' USENIX Conference on Object-Oriented Technologies and Systems, May 1999. R. Weiss, B. Velez, M.Sheldon, C. Namprempre, P. Szilagyi, and D. Gifford. 'HyPursuit: a hierarchical network search engine that exploits content-link hypertext clustering,' Hypertext conference, March 1996. Common Goals in Digital Communication:  Common Goals in Digital Communication Alice Bob 0 1 1 0 1 ... Adversary EVE Shared Network Achieving Privacy and Authenticity:  Achieving Privacy and Authenticity Much work in cryptography has been done to achieve each goal separately: Encryption schemes for privacy Message authentication schemes for authenticity Many schemes are accompanied by provable security analyses. However, in practice we often want to achieve the goals simultaneously. A natural and commonly used approach is to combine the above tools. Symmetric (aka shared key) Setting:  Symmetric (aka shared key) Setting Assumption: The communicating parties share a random string called a key which is not a priori known to the adversary. (e.g. 128 bits long, to be used as a key to a block cipher.) We do not concern ourselves here with how the parties got this key but rather with how to use it to get privacy and authenticity. Alice Bob Shared Network K K EVE Tool for Privacy: Symmetric Encryption Scheme:  Tool for Privacy: Symmetric Encryption Scheme EVE K M M C Alice Bob D E K Key …………… K Message ………. M Ciphertext ………C Encryption Alg ….. E Decryption Alg ….. D Goal: It should be hard for EVE to obtain partial information about M. Many constructions: CBC mode, CTR mode, OFB mode, … Tool for Authenticity: Message Authentication Codes (MACs) :  Tool for Authenticity: Message Authentication Codes (MACs) EVE K M valid/ invalid (M,) Alice Bob V T K Key …………… K Message ………. M Tag …….……… MAC Alg ……….. T Verification Alg …. V Goal: It should be hard for EVE to forge a valid new pair (M,). Many constructions: CBC MAC, HMAC, UMAC, …  Tool for Privacy and Authenticity: Authenticated Encryption Scheme:  Tool for Privacy and Authenticity: Authenticated Encryption Scheme Goal: It should be hard for EVE - to obtain partial information about M OR - to forge a valid new ciphertext. EVE K Alice Bob D E K Key …………… K Message ………. M Ciphertext ………C Encryption Alg ….. E Decryption Alg ….. D Relevance to Internet Security:  Relevance to Internet Security Many popular Internet protocols rely on authenticated encryption schemes for privacy and authenticity. Examples: SSL, TLS, SSH, IPSEC, … Many applications on the Internet require both privacy and authenticity. Examples: online banking, online retail, online auctions, instant messaging, remote login, secure file transfer, … There has been a recent surge of research interest. Many workshops, patents, and proposed modes of operation for this purpose. Many new schemes proposed. Plan:  Plan Background on generic composition Results on SSH Description of SSH An attack against SSH Provably secure fixes to SSH Focus: authenticated encryption in SSH Generic Composition Methods:  Generic Composition Methods Encryption scheme Message Authentication scheme Authenticated Encryption Scheme Encrypt-and-MAC EKe,Km(M) = EKe(M)  TKm(M) MAC-then-Encrypt EKe,Km(M) = EKe(M  TKm(M)) Encrypt-then-MAC EKe,Km(M) = EKe(M)  TKm(EKe(M)) Obvious ways to combine the base schemes as black-boxes. Alice can do any of the following: Generic Composition Results:  Generic Composition Results Formal security goals for authenticated encryption: Authenticity: Integrity of ciphertexts (INT-CTXT) Privacy: Indistinguishability under chosen-plaintext attacks (IND-CPA) Chapter 3 [BN00] analyzes generic composition using a provable-security approach. Generic Composition Results:  Generic Composition Results Security Composition Method insecure [can fail to provide privacy or authenticity] insecure [can fail to provide authenticity] secure [always provides privacy and authenticity] Status of Authenticated Encryption:  Status of Authenticated Encryption Generic composition seems well-understood and solved. Well-defined security goals for authenticated encryption, and analyses of methods, exist. Clear recommendation: Use encrypt-then-MAC Why is that not the end of the story? Because, meanwhile, in practice ... Slide16:  We took a close look at SSH and found that Its authenticated encryption scheme is based on encrypt-and-MAC [  ] But with a twist: Data is pre-processed via an 'encoding' transform before encrypt-and-MAC is applied [, maybe?] Important pragmatic questions arise: Is the SSH authenticated encryption scheme secure? If not, what should we do? SSH Results:  SSH Results Break: The currently implemented scheme is NOT secure. Re-make: We target, and provide, fixes that Are PROVABLY secure Are sympathetic to the design, security, and performance goals of SSH Are relatively cheap to implement Preserve or enhance performance Breaks and re-makes have been communicated to the body of SSH developers. They have expressed interest. What this involved:  What this involved Combination of systems and theory work: Closely examined the codes of popular SSH implementations like openSSH Developed new models and notions of security, and provided security proofs Encode-then-Eandamp;M paradigm that generalizes SSH Strong new security notions for schemes with stateful decryption Relations between notions Concrete security analyses Plan:  Plan Background on generic composition Results on SSH Description of SSH An attack against SSH Provably secure fixes to SSH Encode-then-E&M Paradigm:  Encode-then-Eandamp;M Paradigm EK Each black box can use randomness and/or maintain internal state such as a counter. Encoding may be as simple as padding the payload. Encoding is keyless. It is possible to have different portions of encoded payload go into Encrypt box and MAC box. Encode-then-E&M Paradigm:  Encode-then-Eandamp;M Paradigm EK EncryptKe MACKm It is possible to have different portions of encoded payload go into Encrypt box and MAC box. Each black box can use randomness and/or maintain internal state such as a counter. Encoding may be as simple as padding the payload. Encoding is keyless. Authenticated Encryption in SSH:  Authenticated Encryption in SSH payload M pl pdl padding packet length (in bytes) padding length (in bytes) intermediate ciphertext tag ctr minimum 4 bytes maximum 255 bytes maintained internally, not transmitted EK Authenticated Encryption in SSH:  Authenticated Encryption in SSH payload M payload M pl pdl padding data to be communicated EncryptKe MACKm ctr minimum 4 bytes maximum 255 bytes maintained internally, not transmitted EK Authenticated Encryption in SSH:  Authenticated Encryption in SSH DK Authenticated Encryption in SSH:  Authenticated Encryption in SSH payload M VerifyKm ctr DK SSH uses CBC Mode for Encryption:  SSH uses CBC Mode for Encryption payload M payload M pl pdl padding intermediate ciphertext tag ctr EncryptKe MACKm HMAC-SHA1 SSH uses CBC mode with Inter-Packet Chaining:  SSH uses CBC mode with Inter-Packet Chaining $ … … … … … … payload M1 pl1 pdl1 padding1 ctr Observation: IV is known in advance! payload M1 payload M2 pl2 pdl2 padding2 ctr+1 payload M2 Attack against SSH based on CBC with IPC:  Attack against SSH based on CBC with IPC EVE has the ability to observe the traffic and to get the sender to process packets of her choice (i.e. to mount a chosen-plaintext attack). C1  C2  G If X = Y, EVE declares that G is correct. EVE waits until she sees two encryptions such that the first 40 bits of the last ciphertext blocks are the same in both (called a collision). This will allow EVE to verify a guess G as to the value of the last L-40 bits of the first plaintext block of a message. (L is the block size.) EVE uses C1  C2  G as the payload. This causes a collision between two points, leading to the collision between X, Y. Analysis of Attack:  Analysis of Attack It takes approximately 220 packets for a collision on 40 bits of two ciphertext packets to occur. For 128-bit blocks, this comes to about 16MBytes of data. With 10Mbit/sec network, it takes only tens of seconds to successfully mount the attack. SSH standard suggests re-keying every 1GByte or 1 hour. What just happened?:  What just happened? This attack violates the privacy property of SSH. EVE only needs to be able to observe packets on the wire and to mount a chosen-plaintext attack. The vulnerability comes from the interaction between the underlying encryption scheme and the encoding. This attack exploits a well-known weakness that occurs when one uses CBC mode with known or predictable IV. Rogaway documented it in 1995! Fixing SSH:  Fixing SSH Recall our design goals: provably secure fixes that preserve or improve efficiency minimize necessary changes to the specifications and implementations Our approach: replace the underlying encryption scheme replace the underlying encoding scheme Possible Fixes to SSH:  Possible Fixes to SSH Security Proposed Fix Works only if padding is random and is always there. Increases bandwidth cost SSH-$NPC: use CBC with new random IV per packet SSH-EIV-CBC: use CBC with IPC but compute the IV by applying the block cipher to the last block of the previous ciphertext SSH-CTR: use CTR mode with stateful decryption instead of CBC Works with or without the padding Requires only one more block cipher invocation per packet Works with or without the padding Requires same amount of computation but is fully parallelizable SSH-CTR: A Provably Secure Fix:  SSH-CTR: A Provably Secure Fix payload M payload M pl pdl padding intermediate ciphertext tag ctr EncryptKe MACKm AESKe … … … Encryption in Counter (CTR) mode with stateful decryption ctr + 1 ctr + n AESKe Provable Security Results for SSH-CTR:  Provable Security Results for SSH-CTR IF base components are secure, THEN SSH-CTR provides privacy and authenticity. We prove statements of the form: Following provable security approach, we provide precise definitions of privacy and authenticity of authenticated encryption schemes with stateful decryption algorithms use the reduction approach to show that, as long as the base components are secure (under appropriate definitions), the composed scheme is secure. Finding Appropriate Security Definitions:  Finding Appropriate Security Definitions Authenticated encryption in SSH uses internal states for both encryption and decryption algorithms. All pre-existing security definitions assume that decryption algorithms are deterministic and stateless. We need new security definitions to analyze SSH. Observation: Internal states help prevent out-of-order delivery. Security definitions for real protocols should capture this. Our new security definitions can be used to analyze many real-world protocols targetting security goals not covered by standard, pre-existing security definitions. (New) Security Notion of Authenticated Encryption Schemes: Integrity:  (New) Security Notion of Authenticated Encryption Schemes: Integrity Adv int-sfctxt (EVE ) is the probability that EVE wins. Scheme is said to be INT-SFCTXT secure if the advantage of any adversary of practical resources (running time, number of oracle queries) is small. C encryption oracle EK(•) EVE can submit a message to an encryption oracle and get back the corresponding ciphertext. EVE can also submit a ciphertext to a verification oracle and get back an indication whether it is valid. EVE wins if she can submit a valid and out-of-sync query to the verification oracle. C verification oracle valid/ invalid M DK(•) * AE What is an “Out-of-Sync” Query?:  What is an 'Out-of-Sync' Query? an 'out-of-sync' query if C  C3 * Encryption Oracle Verification Oracle Recall that we want to require security against out-of-order delivery attacks, in addition to standard forgery attacks. (Existing) Security Notion of Authenticated Encryption Schemes: Privacy:  (Existing) Security Notion of Authenticated Encryption Schemes: Privacy b C LR-encryption oracle Answer: 0/1 EK(•) b is a random bit unknown to EVE EVE can submit a pair of plaintexts to an LR-encryption oracle and get back a ciphertext. After a few queries, EVE tries to guess b. EVE wins if she guesses b correctly. Mb M0 M1 IND-CPA + INT-SFCTXT  IND-SFCCA Adv ind-cpa (EVE ) is the probability that EVE wins. Scheme is said to be IND-CPA secure if the advantage of any adversary of practical resources (running time, number of oracle queries) is small. AE SSH-CTR Integrity Result:  SSH-CTR Integrity Result Informally: IF the MAC is secure (uf-cma), THEN SSH-CTR provides authenticity (int-sfctxt). SSH-CTR Privacy Result:  SSH-CTR Privacy Result Informally: IF the MAC is secure (uf-cma), if AES is pseudorandom (prf), and if the MAC is also pseudorandom (prf), THEN SSH-CTR provides privacy (ind-sfcca). Proof Sketch for Integrity Result:  Proof Sketch for Integrity Result Adv int-sfctxt ( I )  Adv uf-cma ( F ) SSH-CTR MA Let MA be a message authentication scheme. Given any int-sfctxt adversary I against SSH-CTR, assuming that the counter does not wrap during I’s attack, we can construct a forger F such that where F has running time and other resources similar to those of I. Proof Sketch for Integrity Result:  Proof Sketch for Integrity Result I F TKm(•) VKm(•) K = (Ke, Km) generates its own Ke Proof Sketch for Integrity Result:  Proof Sketch for Integrity Result I F * TKm(•) VKm(•) generates its own Ke This means that C is out-of-sync and valid. K = (Ke, Km) Let C = C’  T Forgery: ( ctr  DKe(C’) , T ) Since ctr never wraps, F wins. (M,) Slide44:  SSH-CTR provides strong privacy and authenticity guarantees. It does so under precise security notions for privacy and authenticity that we defined: INT-SFCTXT and IND-SFCCA. Chapter 4 [BKN02] provides general provable security results. They can be applied to prove our other fixes secure. These results can be used to analyze any schemes that follow the Encode-then-Encrypt-and-MAC composition method. Conclusions:  Conclusions Ensuring both privacy and authenticity simultaneously is crucial in most cryptographic applications. Generic composition is a powerful paradigm for constructing authenticated encryption schemes. Intuition alone is not sufficient in protocol design. Provable security can really help standards bodies and implementors! Really!

Add a comment

Related presentations

Related pages

dict.cc | defense | Wörterbuch Englisch-Deutsch

Übersetzung für defense im Englisch-Deutsch-Wörterbuch dict.cc.
Read more

Tower Defense - Kostenlos TD Games online spielen

Tower Defense ist ein sehr beliebtes Spiele-Genre, bei uns findest Du über 200 TD Games - die man ohne Registrierung und umsonst spielen kann. Viel Spaß!
Read more

Tower Defense Spiele - Kostenlos spielen auf Fettspielen.de

Tower Defense - Spiele kostenlose Tower Defense Spiele und viele weitere Online Games auf Fettspielen.de - dein Spieleportal für Flashspiele und vieles mehr!
Read more

Defense – Wikipedia

Defense (englisch für Verteidigung) wird die verteidigende Mannschaft im American Football genannt. Ihre Aufgabe ist es die angreifende Mannschaft daran ...
Read more

Tower Defense Spiele kostenlos online spielen

Tower Defense-Spiele: Beste Verteidigungsstrategie gesucht! Tower Defense sind sehr populäre Strategiespiele, die viel taktisches Denken und strategische ...
Read more

La Défense - Wikipedia, the free encyclopedia

In December 2005, Bernard Bled, CEO & Chairman of EPAD (La Defense Management & Development Office) ...
Read more

Defense Games: Komplett-Übersicht | Defense-Tower.de

Alle unseren Defense Games in einer praktischen Übersicht. Dazu Spielempfehlungen und eine Liste der neusten Spiele.
Read more

Defence mechanisms - Wikipedia, the free encyclopedia

PsychPage: Defense. Tucker-Ladd, C.E. (1996-2000). Psychological Self-Help. Defence mechanisms. Level 1: Pathological: Delusional projection; Denial ...
Read more

La Défense – Wikipedia

La Défense [ladeˈfɑ̃ːs] ist ein modernes Hochhausviertel westlich von Paris im Département Hauts-de-Seine und gilt als Europas größte Bürostadt.
Read more

Start | i-defense - Die Kampkunstakademie in Essen

Start | Kampfkunst Akademie i-defense Essen e.V. - Karate, MMA, Fitness, Kickboxen
Read more