GCM and CCM modes
Definition
Authenticated Encryption (AE) = Message Authentication Code (MAC) + Symmetric encryption
Why?
MAC
Integrity: an attacker can't modify the data and then compute a new MAC, because the secret key is needed
Authentication: only a user who holds the secret key can have authenticated the message
Symmetric encryption
Confidentiality: data are encrypted
Authentication: only if exactly 2 users share the secret key, and only weakly: without a MAC the recipient cannot tell a modified ciphertext from a genuine one (see the CTR known issue below)
A non-computer example
A letter from a lover by ordinary mail:
Envelope: confidentiality and integrity
Signature: authentication
Sender AE black box
Input
A plaintext message
A key
Possibly a nonce
Output
The encrypted message (ciphertext)
An authentication tag
Recipient AE black box
Input
An encrypted message
A tag
The key
The nonce, if one was used (it travels in the clear together with the ciphertext)
Output
If the tag is verified: the plaintext
else: FAIL
AE security
Privacy
An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext
The ciphertext should look like random bits
Authentication
An attacker shouldn't be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid
Protection from replay attacks: AE alone does not give it, since an old valid (nonce, ciphertext, tag) triple still verifies; the protocol must reject nonces or sequence numbers it has already seen
AE implementations
Usually with "modes"
A mode is a sequence of operations applied to a block cipher, like DES or AES
Examples: CBC, ECB, CTR, … (confidentiality only)
CCM and GCM are modes that provide authenticated encryption
Generic composition
Immediate solution
PRO: easy, secure, no need to design a dedicated mode
CON: not optimized (2 passes over the data), 2 keys needed for best security
3 ways
MtE: MAC then Encrypt
EtM: Encrypt then MAC (the generically secure choice with any secure cipher and MAC)
E&M: Encrypt and MAC
Single-pass modes: about m block-cipher invocations for m blocks, instead of about 2m
Many followed: XCBC, XECB, OCB, …
There is only a problem…
Oh no, Intellectual Properties !!
Single-pass modes were all patented
IAPM: by IBM
OCB: by Rogaway, Bellare, Black and Krovetz
XCBC: by Gligor and Donescu
XECB: by Gligor and Donescu
As a result …
Probably some of the patents are interrelated
Nobody has gone to court to prove it (yet…)
The possible users of these technologies have been scared by the legal implications
The researchers have moved toward other directions
No single-pass combined mode is used by anybody, even though they are the best solution
Two-pass combined modes
Not that different from generic composition
Some advantages
Use of only one key
Patent free
CCM (Counter with CBC-MAC)
Authentication
MAC computed with CBC-MAC (Cipher Block Chaining)
Main features
Symmetric key
Designed for AES-128 (any 128-bit block cipher fits)
Use in packet environments: the payload length must be known before the first block is processed (no stream data)
Selectable MAC length: 4, 6, 8, 10, 12, 14 or 16 bytes
Only one key for authentication and encryption
No intellectual property restrictions
How does it work ?
Generation-encryption, then decryption-verification
Generation-encryption
1. The MAC (Message Authentication Code) is computed by applying CBC-MAC to the formatted input data: (N, A, P) is formatted into the blocks m1, m2, …, mx, with the nonce N and the payload length in the first block
2. Counter mode is applied to encrypt the payload and the MAC: the MAC is XORed with the first counter block S0, the payload with the following ones
3. Output ciphertext: C = CTR_K(Payload) || (MAC XOR S0)
Decryption-verification
Counter mode decryption of the payload and of the MAC
Computation of the MAC with CBC-MAC over (N, A, P')
Verification of authenticity: the recomputed MAC must equal the received one
Output: Payload / INVALID (on INVALID nothing of P' is released)
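The two passes above, as an added worked example in Python (not code from the slides or from NIST SP 800-38C): a simplified CCM in which a SHA-256-based 16-byte PRF stands in for AES-128 so that it runs with the standard library only, and the formatting function is reduced to the B0 block plus a 2-byte-length-prefixed A. The names `block_prf`, `format_blocks`, `counter_blocks`, `ccm_encrypt`, `ccm_decrypt` and `ccm_demo`, and the sample key, nonce and message, are chosen here.

```python
import hashlib
import hmac

BLOCK = 16


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (assumption: any 16-byte
    PRF shows the mode; real CCM must use AES)."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)


def format_blocks(nonce: bytes, adata: bytes, payload: bytes, tlen: int) -> bytes:
    """Simplified SP 800-38C formatting: B0 = flags || N || len(P), then A with a
    2-byte length prefix (assumes len(A) < 2**16 - 2**8), then P, zero-padded."""
    assert 7 <= len(nonce) <= 13 and tlen in (4, 6, 8, 10, 12, 14, 16)
    q = 15 - len(nonce)                   # bytes of B0 left for the payload length
    flags = (0x40 if adata else 0) | (((tlen - 2) // 2) << 3) | (q - 1)
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(q, "big")
    a_part = len(adata).to_bytes(2, "big") + adata if adata else b""
    return b0 + pad16(a_part) + pad16(payload)


def cbc_mac(key: bytes, data: bytes, tlen: int) -> bytes:
    x = bytes(BLOCK)                      # the chain starts from the zero block: no IV
    for i in range(0, len(data), BLOCK):
        x = block_prf(key, xor(x, data[i:i + BLOCK]))
    return x[:tlen]                       # truncate to the chosen MAC length


def counter_blocks(key: bytes, nonce: bytes, count: int):
    """S_0, S_1, ...: encryptions of flags || N || i. S_0 masks the MAC, the
    rest encrypt the payload."""
    q = 15 - len(nonce)
    for i in range(count):
        yield block_prf(key, bytes([q - 1]) + nonce + i.to_bytes(q, "big"))


def ccm_encrypt(key, nonce, adata, payload, tlen=8):
    mac = cbc_mac(key, format_blocks(nonce, adata, payload, tlen), tlen)  # pass 1
    stream = counter_blocks(key, nonce, -(-len(payload) // BLOCK) + 1)
    s0 = next(stream)
    return xor(payload, b"".join(stream)) + xor(mac, s0)  # pass 2: C = CTR(P) || (MAC ^ S0)


def ccm_decrypt(key, nonce, adata, ciphertext, tlen=8):
    if len(ciphertext) < tlen:
        return None
    body, masked_mac = ciphertext[:-tlen], ciphertext[-tlen:]
    stream = counter_blocks(key, nonce, -(-len(body) // BLOCK) + 1)
    s0 = next(stream)
    payload = xor(body, b"".join(stream))
    expected = cbc_mac(key, format_blocks(nonce, adata, payload, tlen), tlen)
    if not hmac.compare_digest(xor(masked_mac, s0), expected):
        return None                       # INVALID: release nothing, not even P'
    return payload


def ccm_demo() -> dict:
    """Constructed sample: round trip, one flipped ciphertext byte, wrong A."""
    key, nonce = b"\x01" * 16, bytes(range(12))
    adata, payload = b"hdr", b"Hello world, this is me"
    ct = ccm_encrypt(key, nonce, adata, payload)
    flipped = bytearray(ct)
    flipped[6] ^= ord("w") ^ ord("S")     # the CTR bit flip that would rewrite "world"
    return {"roundtrip": ccm_decrypt(key, nonce, adata, ct),
            "flipped": ccm_decrypt(key, nonce, adata, bytes(flipped)),
            "wrong_adata": ccm_decrypt(key, nonce, b"hdx", ct)}
```

Note the order inside `ccm_decrypt`: the payload has to be decrypted before the MAC can be recomputed (that is the second pass), but it is returned only after the constant-time comparison succeeds; a receiver that hands P' to the application on INVALID turns the MAC into decoration.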
Hardware implementation
CCM cannot be fully parallelized: CBC-MAC is inherently serial (each block depends on the previous one) and the MAC pass must finish before the encrypted tag can be output; only the CTR pass is parallel
Operations to be implemented:
Encryption: hw implementation of AES cipher (only the forward direction, also for decryption)
XOR
Counter increment
Formatting function
Security
Recommendations
Keys must be secret and "fresh"
IV: 0 for CBC-MAC (the chain starts from the zero block; the first formatted block already contains the nonce)
Never use the same nonce twice with the same key (with CTR, nonce reuse leaks the XOR of the two plaintexts)
MAC length: 16, 12, 8 or 4 bytes are the usual choices
A possible attack
Here comes the bad guy !!
[figure: forgery attempts against 16-, 12-, 8- and 4-byte MACs] A forged tag of t bytes is accepted with probability 2^-8t per attempt, so a 4-byte MAC only holds if the receiver bounds the number of failed verifications it tolerates per key
A possible attack (cont’d)
GCM (Galois/Counter Mode)
Authentication
The MAC provided is a sort of keyed digest: GHASH, a polynomial evaluation in GF(2^128) keyed by the hash sub-key H, masked with one block-cipher output
Can provide authentication only → GMAC
Main features
Extremely fast, more than 10 Gbps
Easy to implement in software and hardware
Can be used for authentication only, if desired
Designed for AES, optimized for 128-bit blocks
Arbitrary length IV, optimized for 96 bits
Only one key for authentication and encryption
No intellectual property restrictions
Authenticated encryption function
WHAT ?!?! (the NIST specification is written in GF(2^128) notation)
Version for human beings
1. The hash sub-key H is computed and stored: H = Enc_K(0^128), the encryption of the all-zero block under K
2. The IV length is checked: if it is 96 bits, the initial counter block is IV || 0^31 || 1; otherwise it is GHASH_H over the padded IV and its length
3. Counter mode, starting from the incremented initial counter block, encrypts the plaintext
4. GHASH_H over the additional data and the ciphertext (multiplications in GF(2^128)) gives a digest, which is XORed with the encryption of the initial counter block: the result is the tag
Hardware implementation
The only way to manage more than 10 Gbps
GCM can be parallelized: the CTR blocks are independent and GHASH can be split over several multipliers working on interleaved blocks
Operations to be implemented:
Encryption: hw implementation of AES cipher
XOR
Multiplication in GF(2^128)
Serial solutions
Time and area linear with q
Parallel solution
Time: 1 clock cycle
Area: quadratic with q, but only 30% of AES cipher
GO PARALLEL, BOYS!
Security
Recommendations
Keys: secret and "fresh"
IV: the probability of using the same IV with the same key must be < 2^-32 (with random 96-bit IVs this limits a key to about 2^32 messages)
Security model: oracles...
Permutation oracle (privacy)
Outputs either real encryptions or the random-looking outputs of a PRF; the attacker must tell which output represents an encrypted message
Distinguishing advantage: how much better than guessing the attacker does
Tag-generation oracle
Input: a message
Output: a valid tag
Tag-validation oracle
Input: a message and a tag
Output: is the tag correct for the given message?
Forgery advantage: the probability that the attacker gets the validation oracle to accept a (message, tag) pair the generation oracle never produced
CTR known issue
[figure: CTR encryption of "Hello world, this is me, life should be fun for everyone"; flipping a few bytes of the first ciphertext block turns the decrypted text into "Hello Sarah, this is me, …" while the rest is unchanged]
CTR is malleable: each ciphertext bit maps to exactly one plaintext bit, so an attacker who knows (or guesses) a plaintext fragment can XOR in the difference to any other text of the same length without the key
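The bit-flip shown in the figure, as an added example (not code from the slides): a CTR keystream generated with SHA-256 as the block function stands in for AES-CTR, which is an assumption that does not matter for the attack because it only uses the XOR structure of counter mode. The names `keystream`, `ctr_crypt`, `tamper` and `ctr_demo` and the sample key, nonce and message are chosen here.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: block i = PRF(key, nonce || i). SHA-256 stands in for AES
    (assumption); the attack below only relies on the XOR structure of CTR."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker step: no key, only a guess of the plaintext bytes at `offset`.
    XORing (known ^ wanted) into the ciphertext XORs it into the plaintext."""
    assert len(known) == len(wanted)
    c = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        c[offset + i] ^= k ^ w
    return bytes(c)


def ctr_demo() -> bytes:
    """Constructed sample: the sender encrypts, the attacker rewrites 'world'
    into 'Sarah', the recipient decrypts the altered ciphertext."""
    key, nonce = b"k" * 16, b"n" * 8
    message = b"Hello world, this is me, life should be fun for everyone"
    ciphertext = ctr_crypt(key, nonce, message)
    forged = tamper(ciphertext, message.index(b"world"), b"world", b"Sarah")
    return ctr_crypt(key, nonce, forged)
```

The recipient sees a perfectly well-formed plaintext and has no way to notice the edit; this is exactly the gap that the MAC in CCM and the GHASH tag in GCM close.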
Beware !
Attacker with access to a tag-generation oracle
If IVs are not changed, the encryption of the initial counter block is the same for every message, and the XOR of two tags is a function of the hash sub-key H only
Analyzing the resulting tags the attacker could recover H
With H he can generate valid authentication tags for any ciphertext sent under a nonce for which he has seen one valid tag, thus pretending to be your friend !
Solution
This attack is possible only if you use the same key with the same IV at least twice
NEVER DO THAT!
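The "Version for human beings" steps and the nonce-reuse attack of the "Beware !" slide, as one added worked example in Python (not code from the slides or from NIST SP 800-38D). The GF(2^128) multiplication is the real one from the GCM specification; a SHA-256-based 16-byte PRF stands in for AES-128 (assumption: the attack only depends on the GHASH structure). The attack is worked for the simplest case, two one-block messages of equal length and no additional data under one IV, where T1 XOR T2 = (C1 XOR C2) * H^2, so H follows from a division and a square root in the field. The names `block_prf`, `gf_mul`, `gf_pow`, `ghash`, `gctr`, `gcm_tag`, `gcm_encrypt`, `gcm_decrypt`, `recover_h`, `forge_tag` and `gcm_demo`, and the sample key, IV and messages, are chosen here.

```python
import hashlib
import hmac

R = 0xE1000000000000000000000000000000   # x^128 + x^7 + x^2 + x + 1, GCM's reflected bit order
ONE = 1 << 127                            # the field element 1 in that bit order


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption; real GCM uses AES)."""
    return hashlib.sha256(key + block).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad16(data: bytes) -> bytes:
    return data + bytes(-len(data) % 16)


def to_int(block: bytes) -> int:
    return int.from_bytes(block, "big")


def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128), Algorithm 1 of SP 800-38D."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    r, b = ONE, x
    while e:
        if e & 1:
            r = gf_mul(r, b)
        b, e = gf_mul(b, b), e >> 1
    return r


def ghash(h: int, adata: bytes, ct: bytes) -> int:
    y, data = 0, pad16(adata) + pad16(ct)
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ to_int(data[i:i + 16]), h)
    return gf_mul(y ^ (((8 * len(adata)) << 64) | (8 * len(ct))), h)   # length block


def gctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR starting at inc32(J0), J0 = IV || 0^31 || 1 (96-bit IV)."""
    out = b""
    for i in range(0, len(data), 16):
        out += xor(data[i:i + 16], block_prf(key, iv + (2 + i // 16).to_bytes(4, "big")))
    return out


def gcm_tag(key: bytes, iv: bytes, adata: bytes, ct: bytes) -> bytes:
    h = to_int(block_prf(key, bytes(16)))      # step 1: H = E_K(0^128)
    s = ghash(h, adata, ct).to_bytes(16, "big")
    return xor(block_prf(key, iv + b"\x00\x00\x00\x01"), s)   # E_K(J0) xor GHASH


def gcm_encrypt(key: bytes, iv: bytes, adata: bytes, pt: bytes):
    assert len(key) == 16 and len(iv) == 12
    ct = gctr(key, iv, pt)
    return ct, gcm_tag(key, iv, adata, ct)


def gcm_decrypt(key, iv, adata, ct, tag):
    if not hmac.compare_digest(tag, gcm_tag(key, iv, adata, ct)):
        return None                            # FAIL: nothing is released
    return gctr(key, iv, ct)


def recover_h(c1: bytes, t1: bytes, c2: bytes, t2: bytes) -> int:
    """Nonce reuse, two one-block ciphertexts of equal length, no A:
    T1 ^ T2 = (C1 ^ C2) * H^2 because E_K(J0) and the length term cancel.
    Divide, then take the square root (x -> x^(2^127) in GF(2^128))."""
    assert len(c1) == len(c2) <= 16 and c1 != c2
    d = to_int(pad16(c1)) ^ to_int(pad16(c2))
    h_squared = gf_mul(to_int(t1) ^ to_int(t2), gf_pow(d, (1 << 128) - 2))  # d^-1
    return gf_pow(h_squared, 1 << 127)


def forge_tag(c1: bytes, t1: bytes, h: int, c_new: bytes) -> bytes:
    """Valid tag for c_new under the same IV from one known (c1, t1) and H."""
    d = to_int(pad16(c1)) ^ to_int(pad16(c_new))
    return (to_int(t1) ^ gf_mul(d, gf_mul(h, h))).to_bytes(16, "big")


def gcm_demo() -> dict:
    """Constructed sample: two messages under one IV (the mistake), then a forgery."""
    key, iv = b"\x2a" * 16, b"\x00" * 12
    p1, p2 = b"pay 0001 to Bob!", b"pay 0002 to Bob!"
    c1, t1 = gcm_encrypt(key, iv, b"", p1)
    c2, t2 = gcm_encrypt(key, iv, b"", p2)
    h = recover_h(c1, t1, c2, t2)
    p_new = b"pay 9999 to Eve!"
    c_new = xor(c1, xor(p1, p_new))            # CTR is malleable: decrypts to p_new
    return {"h_recovered": h == to_int(block_prf(key, bytes(16))),
            "forged_plaintext": gcm_decrypt(key, iv, b"", c_new, forge_tag(c1, t1, h, c_new))}
```

With longer messages the same idea yields a polynomial in H of higher degree whose roots have to be found, but the cost stays far below a key search; the only defence is the one on the slide, never repeating a (key, IV) pair.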
References
NIST Special Publication 800-38C (CCM)
NIST Special Publication 800-38D (GCM)
Authenticated Encryption (J. Black)
A Critique of CCM (P. Rogaway, D. Wagner)
On The Security of CTR + CBC-MAC (J. Jonsson)
Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega)
The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega)
www.wikipedia.org
Questions ?