07.1 Authenc Annotated PDF

This document discusses the need for encryption that provides both confidentiality and integrity. It begins by recapping previous discussions on confidentiality using semantic security and integrity using message authentication codes. It then demonstrates ways encrypted messages can be tampered with by changing packet headers or checksums unless the encryption also ensures integrity. The lesson is that CPA-secure encryption alone is not sufficient against active attacks, and authenticated encryption modes should be used instead when both confidentiality and integrity are required.

Uploaded by

kassahun
Online Cryptography Course Dan Boneh

Authenticated Encryption

Active attacks on CPA-secure encryption

Dan Boneh
Recap: the story so far

Confidentiality: semantic security against a CPA attack
• Encryption secure against eavesdropping only

Integrity:
• Existential unforgeability under a chosen message attack
• CBC-MAC, HMAC, PMAC, CW-MAC

This module: encryption secure against tampering
• Ensuring both confidentiality and integrity
Sample tampering attacks

TCP/IP: (highly abstracted)
[Figure: the source machine sends a packet “dest = 80 | data” to the destination machine; its TCP/IP stack delivers the packet to the WWW server listening on port = 80, while Bob listens on port = 25.]
Sample tampering attacks

IPsec: (highly abstracted)
[Figure: packets between the two machines are encrypted using key k. The encrypted packet “dest = 80 | data” is altered in transit to “dest = 25 | stuff”, so the destination TCP/IP stack delivers it to Bob on port = 25 instead of to the WWW server on port = 80.]
Reading someone else’s data

Note: attacker obtains decryption of any ciphertext beginning with “dest=25”
[Figure: the packet (IV, dest = 80 | data) bound for the WWW server on port = 80 is changed to (IV’, dest = 25 | data); Bob, on port = 25, receives the decrypted data.]

Easy to do for CBC with rand. IV (only IV is changed)
IV, dest = 80 | data  →  IV’, dest = 25 | data

Encryption is done with CBC with a random IV.

What should IV’ be?  m[0] = D(k, c[0]) ⨁ IV = “dest=80…”

• IV’ = IV ⨁ (…25…)
• IV’ = IV ⨁ (…80…)
• IV’ = IV ⨁ (…80…) ⨁ (…25…)
• It can’t be done
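As an added example (not part of the slides), the IV quiz above and the lesson of this segment worked through in Go with only the standard library: the first-block CBC arithmetic shows why changing nothing but the IV rewrites “dest=80” to “dest=25”, and the same change applied to AES-GCM, an authenticated encryption mode, is rejected at decryption. The key, IV, nonce and packet contents are constructed values, not from the course.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var key, iv = []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed demo key and IV (not from the slides)
var m0, m0prime = []byte("dest=80 data...."), []byte("dest=25 data....") // block 0 as sent, and as the attacker wants Bob to receive

func xor(a, b []byte) []byte { // byte-wise XOR of two equal-length slices
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cbcFirstBlock handles only the first block of CBC, which is all the attack touches.
func cbcFirstBlock(key, iv, in []byte, decrypt bool) []byte {
	b, _ := aes.NewCipher(key)
	out := make([]byte, aes.BlockSize)
	if decrypt { // m[0] = D(k, c[0]) XOR IV, the formula on the slide
		b.Decrypt(out, in)
		return xor(out, iv)
	}
	b.Encrypt(out, xor(in, iv)) // c[0] = E(k, m[0] XOR IV)
	return out
}

// flipIV is the slide's third option, IV' = IV XOR (...80...) XOR (...25...); c[0] is untouched.
func flipIV(iv, m0, m0prime []byte) []byte { return xor(xor(iv, m0), m0prime) }

// gcmDetectsTamper applies the same IV-style change to AES-GCM (authenticated encryption).
func gcmDetectsTamper(key, m []byte) bool {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := []byte("constructed!") // 12 bytes, constructed; use a fresh nonce per message in practice
	ct := g.Seal(nil, nonce, m, nil)
	nonce[0] ^= 0x01 // the analogue of replacing IV with IV'
	_, err := g.Open(nil, nonce, ct, nil)
	return err != nil // true: the tag check fails and no plaintext is released
}

func main() {
	fmt.Printf("CBC, only IV changed: %q\n", cbcFirstBlock(key, flipIV(iv, m0, m0prime), cbcFirstBlock(key, iv, m0, false), true))
	fmt.Println("AES-GCM rejects the change:", gcmDetectsTamper(key, m0))
}
```

The CBC run prints the block as “dest=25 data....” even though the ciphertext bytes never changed; the GCM run reports true, which is the property a CPA-secure mode alone does not give.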
An attack using only network access

Remote terminal app.: each keystroke encrypted with CTR mode

[Figure: a TCP/IP packet encrypted under key k consists of IP hdr | TCP hdr | T | D, where T is the 16-bit TCP checksum and D is the 1-byte keystroke.]

for all t, s send:  IP hdr | TCP hdr | T ⨁ t | D ⨁ s

ACK if valid checksum, nothing otherwise

{ checksum(hdr, D) = t ⨁ checksum(hdr, D ⨁ s) }  ⇒  can find D
The lesson

CPA security cannot guarantee secrecy under active attacks.

Only use one of two modes:
• If message needs integrity but no confidentiality: use a MAC
• If message needs both integrity and confidentiality: use authenticated encryption modes (this module)

End of Segment
