Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.

Slides:



Advertisements
Similar presentations
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Advertisements

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Online Cryptography Course Dan Boneh
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Authenticated Encryption with Replay prOtection (AERO)
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CMSC 456 Introduction to Cryptography
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
1 Introduction to Information Security , Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.
Active attacks on CPA-secure encryption
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Format preserving encryption Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Attacks on OTP and stream ciphers
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Cryptography: Block Ciphers David Brumely Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan.
Dan Boneh Collision resistance Introduction Online Cryptography Course Dan Boneh.
Integrity via Encryption with Redundancy  Question: Encryption is not ideal for authentication. But, can we gain security advantages if we add recognizable.
CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
Dan Boneh Message Integrity CBC-MAC and NMAC Online Cryptography Course Dan Boneh.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Odds and ends Tweakable encryption
Cryptography: Review Day David Brumley Carnegie Mellon University.
Template vertLeftWhite2 Authenticated Encryption Attacking non-atomic decryption Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers Stream ciphers are semantically secure Online Cryptography Course Dan Boneh Goal: secure PRG ⇒ semantically secure stream cipher.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Presentation Road Map 1 Authenticated Encryption 2 Message Authentication Code (MAC) 3 Authencryption and its Application Objective Modes of Operation.
Dan Boneh Basic key exchange Trusted 3 rd parties Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance The Merkle-Damgard Paradigm Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.
Online Cryptography Course Dan Boneh
Dan Boneh Public Key Encryption from trapdoor permutations Constructions Online Cryptography Course Dan Boneh Goal: construct chosen-ciphertext secure.
Cryptography Lecture 9 Arpita Patra © Arpita Patra.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:
1 HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption Tetsu Iwata (Nagoya University, Japan) Kan Yasuda (NTT Corporation, Japan)
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography: Block Ciphers David Brumely Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Lecture 3 Overview of Cryptography A Practitioner Perspective
Using block ciphers Review: PRPs and PRFs
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 12.
Authenticated Encryption
Cryptography Lecture 11.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 12.
Cryptography Lecture 11.
Secret-Key Encryption
Presentation transcript:

Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh

Dan Boneh … but first, some history Authenticated Encryption (AE): introduced in 2000 [KY’00, BN’00] Crypto APIs before then: (e.g. MS-CAPI) Provide API for CPA-secure encryption (e.g. CBC with rand. IV) Provide API for MAC (e.g. HMAC) Every project had to combine the two itself without a well defined goal Not all combinations provide AE …

Dan Boneh Combining MAC and ENC (CCA) Encryption key k E. MAC key = k I Option 1: (SSL) Option 2: (IPsec) Option 3: (SSH) msg m tag E(k E, m ll tag) S(k I, m) msg m E(k E, m) tag S(k I, c) msg m E(k E, m) tag S(k I, m) always correct

Dan Boneh A.E. Theorems Let (E,D) be CPA secure cipher and (S,V) secure MAC. Then: 1.Encrypt-then-MAC: always provides A.E. 2.MAC-then-encrypt: may be insecure against CCA attacks however: when (E,D) is rand-CTR mode or rand-CBC M-then-E provides A.E. for rand-CTR mode, one-time MAC is sufficient

Dan Boneh Standards (at a high level) GCM: CTR mode encryption then CW-MAC ( accelerated via Intel’s PCLMULQDQ instruction) CCM: CBC-MAC then CTR mode encryption (802.11i) EAX: CTR mode encryption then CMAC All support AEAD: (auth. enc. with associated data). All are nonce-based. encrypted data associated data authenticated encrypted

Dan Boneh An example API (OpenSSL) int AES_GCM_Init(AES_GCM_CTX *ain, unsigned char * nonce, unsigned long noncelen, unsigned char * key, unsigned int klen ) int AES_GCM_EncryptUpdate(AES_GCM_CTX *a, unsigned char * aad, unsigned long aadlen, unsigned char * data, unsigned long datalen, unsigned char * out, unsigned long *outlen)

Dan Boneh MAC Security -- an explanation Recall: MAC security implies (m, t) (m, t’ ) Why? Suppose not: (m, t) (m, t’) Then Encrypt-then-MAC would not have Ciphertext Integrity !! ⇏ Chal. b Adv. kKkK m 0, m 1 c  E(k, m b ) = (c 0, t) c’ = (c 0, t’ ) ≠ c D(k, c’ ) = m b b (c 0, t) (c 0, t’)

Dan Boneh OCB: a direct construction from a PRP More efficient authenticated encryption: one E() op. per block. m[0]m[1]m[2]m[3]  E(k,  ) P(N,k,0)P(N,k,1)P(N,k,2)P(N,k,3)  P(N,k,0)P(N,k,1)P(N,k,2) P(N,k,3) c[0]c[1]c[2]c[3] checksum E(k,  )   c[4] P(N,k,0) auth

Dan Boneh Performance: Crypto [ Wei Dai ] AMD Opteron, 2.2 GHz ( Linux) codeSpeed Cipher size (MB/sec) AES/GCM large ** 108AES/CTR139 AES/CCMsmaller 61AES/CBC109 AES/EAXsmaller 61 AES/CMAC109 AES/OCB129 * HMAC/SHA1147 * extrapolated from Ted Kravitz’s results ** non-Intel machines

Dan Boneh End of Segment

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.