P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
PB173 - Tématický vývoj aplikací v C/C++
Domain specific development in C/C++
Skupina: Aplikovaná kryptografie a bezpečné programování
•Petr Švenda svenda@fi.muni.cz

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Block cipher modes for Authenticated Encryption
l
PB173
2

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Modes for authenticated encryption
•Encryption preserves confidentiality but not integrity
•Common integrity functions (like CRC) protect against random faults
•Cryptographic message integrity protects intensional errors
•
PB173
3

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Confidentiality, integrity, privacy
•Message confidentiality [encryption]
–attacker is not able to obtain info about plaintext
•Message integrity [MAC]
–attacker is not able to modify message without being detected (PTX, CTX)
•Message privacy [encryption]
–attacker is not able to distinguish between encrypted message and random string
–same message is encrypted each time differently
•
PB173
4

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Encryption and MAC composition
•Modes for block ciphers (CBC, CTR, CBC-MAC)
•Compositions (encryption + MAC)
–encrypt-and-mac [EKe,Km(M) = EKe(M) | TKm(M)]
•can fail with privacy and authenticity
–mac-then-encrypt [EKe,Km(M) = EKe(M | TKm(M))]
•can fail with authenticity
–encrypt-then-mac [EKe,Km(M) = EKe(M) || TKm(EKe(M)]
•always provides privacy and authenticity
•Paralelizability issue
•Authenticated-encryption modes (AE)
–special block cipher modes for composed process
PB173
5

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Usage scenarios
•Powerful, parallelizable environments
–hardware accelerators
•Powerful, but almost serial environments
–personal computer, PDA
•Restricted environments
–smart cards, microcontrollers, IoT
–
•Different scenarios have different needs
–
•
•
•
PB173
6

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Important features for AE modes
•Provable security
•Performance, paralelizability, memory req.
–important for high-speed encryption, SC
•Patent
–early AE modes are patented
•Associated data authentication
–authentication of non-encrypted part
•Online, incremental MAC, number of keys, endian dependency …
•http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
•www.fi.muni.cz/~xsvenda/docs/AE_comparison_ipics04.pdf
PB173
7

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
EAX mode
eax
PB173
lEncrypt-than-mac composition
lProvable secure, unpatented
l
l
8

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Offset CodeBook mode (OCB)
ocb
PB173
lMemory efficient, fast mode
lProvable secure, but patented
l
●
l
9

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Cipher-State mode (CS)
cs
PB173
lMemory efficient, fast mode, unpatented
lNot provable secure (inner state of cipher)
l
l
10

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Galois/Counter Mode (GCM)
gcm
PB173
lNeed pre-computed table (4kB-64kB)
lfast mode, provable secure, unpatented, NIST standard
lhttp://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
l
l
l
l
11

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Implementation: AES-GCM from mbedTLS
•gcm.h, gcm.c
•
PB173
int gcm_init( gcm_context *ctx,
       const unsigned char *key,
       unsigned int keysize );

int gcm_crypt_and_tag( gcm_context *ctx,
       int mode, // GCM_ENCRYPT (alternatively GCM_DECRYPT)
       size_t length,
       const unsigned char *iv,
       size_t iv_len,
       const unsigned char *add, // authenticated, but not encrypted
       size_t add_len,
       const unsigned char *input, // authenticated and encrypted
       unsigned char *output,       // encrypted data
       size_t tag_len,
       unsigned char *tag );

int gcm_auth_decrypt( gcm_context *ctx,
      size_t length,                  // length of input data
      const unsigned char *iv,
      size_t iv_len,
      const unsigned char *add,   // authenticated, but not encrypted
      size_t add_len,
      const unsigned char *tag,    // authenticator (MAC value)
      size_t tag_len,
      const unsigned char *input, // encrypted data
      unsigned char *output );     // decrypted data
12

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
CAESAR competition
•http://competitions.cr.yp.to/caesar-submissions.html
•
13
PB173
D:\caesar.png

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Conclusions
•Composition of ENC and MAC can fail
–encrypt-then-mac provable secure
–specially designed composed modes
•One of the most promising mode is patented (OCB)
–fast alternative GCM, CS
–Searching for new modes (CAESAR competition)
•Suitable mode depends on usage
–parallelizability, memory
–specific needs (online, incremental MAC)
•
•
PB173
14

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
PRACTICAL ASSIGNMENT
•
15
PB173

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Practical assignment
•Presentation of results from 2 weeks ago
•Functions to be implemented (and tested!)
–new user registration (in: user name / password, out: status)
–user authentication to server (in:user/pass, out: status)
–obtain list of other online users (out: formated list – JSON?)
–
–
16
| PB173 - Group: Applied cryptography

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Practical assignment - client
•Update your implementation of server functions based on feedback
–And add into GitHub repo
•Create implementation of basic client process
–No network communication yet, just methods + tests!
•Functions to be implemented (and tested!)
–Login user (client side) (in: user name / password, out: status)
•=> prepared structure to be send to server
–Prepare protected message for another user (in: user identification, session context (keys,
counters…), out: protected message, status)
•Encryption, MAC, Use suitable Authenticated Encryption mode
•Update session context
–Unprotect message from another user (in: protected message, session context (keys, counters…),
out: unprotected message, status)
•Think how to handle errors
•Don’t forget to document functions in JavaDoc-style
17
| PB173 - Group: Applied cryptography

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Submissions, deadlines
•Upload application source codes as single zip file into IS Homework vault (Crypto - 5. homework
(AE))
–Zip file from current version of repo
•DEADLINE 3.4. 12:00
–Up to 10 points assigned
18
| PB173 - Group: Applied cryptography