P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg PB173 - Tématický vývoj aplikací v C/C++ (Jaro 2016) Domain specific development in C/C++ Skupina: Aplikovaná kryptografie a bezpečné programování https://is.muni.cz/auth/predmety/uplny_vypis.pl?fakulta=1433;obdobi=6184;predmet=788705 •Petr Švenda svenda@fi.muni.cz •Konzultace: A406, Pondělí 15-15:50 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Block cipher modes for Authenticated Encryption l PB173 2 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Modes for authenticated encryption •Encryption preserves confidentiality but not integrity •Common integrity functions (like CRC) protect against random faults •Cryptographic message integrity protects intensional errors • PB173 3 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Confidentiality, integrity, privacy •Message confidentiality [encryption] –attacker is not able to obtain info about plaintext •Message integrity [MAC] –attacker is not able to modify message without being detected (PTX, CTX) •Message privacy [encryption] –attacker is not able to distinguish between encrypted message and random string –same message is encrypted each time differently • PB173 4 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Encryption and MAC composition •Modes for block ciphers (CBC, CTR, CBC-MAC) •Compositions (encryption + MAC) –encrypt-and-mac [EKe,Km(M) = EKe(M) | TKm(M)] •can fail with privacy and authenticity –mac-then-encrypt [EKe,Km(M) = EKe(M | TKm(M))] •can fail with authenticity –encrypt-then-mac [EKe,Km(M) = EKe(M) || TKm(EKe(M)] •always provides privacy and authenticity •Paralelizability issue •Authenticated-encryption modes (AE) –special block cipher modes for composed process PB173 5 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Usage scenarios •Powerful, parallelizable environments –hardware accelerators •Powerful, but almost serial environments –personal computer, PDA •Restricted environments –smart card, cellular phone – •Different scenarios have different needs – • • • PB173 6 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Important features for AE modes •Provable security •Performance, paralelizability, memory req. –important for high-speed encryption, SC •Patent –early AE modes were patented •Associated data authentication –authentication of non-encrypted part •Online, incremental MAC, number of keys, endian dependency … •http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html •www.fi.muni.cz/~xsvenda/docs/AE_comparison_ipics04.pdf PB173 7 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg EAX mode eax PB173 lEncrypt-than-mac composition lProvable secure, unpatented l l 8 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Offset CodeBook mode (OCB) ocb PB173 lMemory efficient, fast mode lProvable secure, but patented l ● l 9 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Cipher-State mode (CS) cs PB173 lMemory efficient, fast mode, unpatented lNot provable secure (inner state of cipher) l l 10 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Galois/Counter Mode (GCM) gcm PB173 lNeed pre-computed table (4kB-64kB) lfast mode, provable secure, unpatented, NIST standard lhttp://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf l l l l 11 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Implementation: AES-GCM from PolarSSL •gcm.h, gcm.c • PB173 int gcm_init( gcm_context *ctx, const unsigned char *key, unsigned int keysize ); int gcm_crypt_and_tag( gcm_context *ctx, int mode, // GCM_ENCRYPT (alternatively GCM_DECRYPT) size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, // authenticated, but not encrypted size_t add_len, const unsigned char *input, // authenticated and encrypted unsigned char *output, // encrypted data size_t tag_len, unsigned char *tag ); int gcm_auth_decrypt( gcm_context *ctx, size_t length, // length of input data const unsigned char *iv, size_t iv_len, const unsigned char *add, // authenticated, but not encrypted size_t add_len, const unsigned char *tag, // authenticator (MAC value) size_t tag_len, const unsigned char *input, // encrypted data unsigned char *output ); // decrypted data 12 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg CAESAR competition •http://competitions.cr.yp.to/caesar-submissions.html • 13 PB173 D:\caesar.png P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Conclusions •Composition of ENC and MAC can fail –encrypt-then-mac provable secure –specially designed composed modes •One of the most promising mode is patented (OCB) –fast alternative GCM, CS –Searching for new modes (CAESAR competition) •Suitable mode depends on usage –parallelizability, memory –specific needs (online, incremental MAC) • • PB173 14 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg PRACTICAL ASSIGNMENT • 15 PB173 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Homework from last week – showtime J •Update your design documents based on feedback –And add into GitHub repo (docs folder) •Create implementation of server process –No network communication yet, just methods + tests! •Functions to be implemented (and tested!) –new user registration (in: user name / password, out: status) •New user stored in local “database” (ini file, sqllite…) –user authentication to server (in:user/pass, out: status) •Check supplied info against info from local database •Use PBKDF2 or better function to generate hash to check –obtain list of other online users (out: formated list – JSON?) •Users that were successfully authenticated now assumed to be online •Don’t forget to document functions in JavaDoc-style 16 | PB173 - Group: Applied cryptography P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Practical assignment •Update your implementation of server functions based on feedback –And add into GitHub repo •Create implementation of basic client process –No network communication yet, just methods + tests! •Functions to be implemented (and tested!) –Login user (client side) (in: user name / password, out: status) •=> prepared structure to be send to server –Prepare protected message for another user (in: user identification, session context (keys, counters…), out: protected message, status) •Encryption, MAC, Use suitable Authenticated Encryption mode •Update session context –Unprotect message from another user (in: protected message, session context (keys, counters…), out: unprotected message, status) •Think how to handle errors •Don’t forget to document functions in JavaDoc-style 17 | PB173 - Group: Applied cryptography P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Submissions, deadlines •Upload application source codes as single zip file into IS Homework vault (Crypto - 5. homework (AE)) –Zip file from current version of repo •DEADLINE 4.4. 12:00 –Up to 10 points assigned 18 | PB173 - Group: Applied cryptography