Authenticated encryption: GCM and CCM modes
Lorenzo Peraldo and Vittorio Picco
These are the slides used for presenting the Authenticated Encryption GCM - CCM document by Lorenzo Peraldo and Vittorio Picco.

Transcript of "Authenticated Encryption Gcm Ccm"

  1. Authenticated encryption: GCM and CCM modes. Lorenzo Peraldo and Vittorio Picco
  2. Authenticated encryption. Definition: "Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications."
  3. Basic components: Message Authentication Code (MAC) + symmetric encryption
  4. Why?
     MAC
       Integrity: an attacker can't modify the data and then compute a new MAC, because a secret key is needed
       Authentication: only the user who has got the secret key can authenticate the message
     Symmetric encryption
       Confidentiality: data are encrypted
       Authentication: only if just 2 users share the secret key
  5. A non-computer example. A letter from a lover by ordinary mail:
       Envelope: confidentiality and integrity
       Signature: authentication
  6. Sender AE black box
     Input: a plaintext message, a key, possibly a nonce
     Output: the encrypted message (ciphertext), an authentication tag
  7. Recipient AE black box
     Input: an encrypted message, a tag, the nonce (if used), the key
     Output: if the tag is verified, the plaintext; else FAIL
  8. AE security
     Privacy: an attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext; the ciphertext should look like random bits
     Authentication: an attacker shouldn't be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid
     Protection from replay attacks
  9. AE implementations. Usually with "modes": a mode is a sequence of operations applied to a block cipher, like DES or AES. Examples: CBC, ECB, CTR, ... CCM and GCM provide authenticated encryption.
  10. Generic composition. Immediate solution.
     PRO: easy, secure, no need to develop specific apps
     CON: not optimized, 2 keys needed for best security
     3 ways: MtE (MAC then Encrypt), EtM (Encrypt then MAC), E&M (Encrypt and MAC). EtM is the best.
  11. Single-pass combined mode. 2000: IBM developed IAPM. Comparison with generic composition: split the plaintext in m parts; generic composition needs 2m calls of the block cipher, single-pass about m invocations. Many followed: XCBC, XECB, OCB, ... There is only a problem...
  12. Oh no, Intellectual Properties!! Single-pass modes were all patented:
     IAPM: by IBM
     OCB: by Rogaway, Bellare, Black and Krovetz
     XCBC: by Gligor and Donescu
     XECB: by Gligor and Donescu
  13. As a result... Probably some of the patents are interrelated. Nobody has gone to court to prove it (yet...). The possible users of these technologies have been scared by the legal implications. The researchers have moved toward other directions. No single-pass combined mode is used by anybody, even though they are the best solution.
  14. Two-pass combined mode. Not that different from generic composition. Some advantages: use of only one key; patent free; better performance than generic composition. CCM, EAX, CWC, GCM.
  15. CCM: a brief introduction
  16. What is CCM: Counter with CBC-MAC. An authenticated encryption solution. Encryption: use of the block cipher AES-128 in Counter (CTR) mode. Authentication: MAC computed with CBC (Cipher Block Chaining).
  17. Main features: symmetric key; designed for AES-128; use in packet environment (no stream data); arbitrary length MAC; only one key for authentication and encryption; no intellectual property restrictions.
  18. How does it work? Generation-encryption (diagram)
  19. How does it work? (cont'd) Decryption-verification (diagram)
  20. Generation-encryption. 1. The MAC (Message Authentication Code) is computed applying CBC to the formatted input data (N, P, A): m1, m2, ..., mx
  21. Generation-encryption (cont'd). 2. Counter mode is applied to encrypt data and MAC
  22. Generation-encryption (cont'd). 3. Output ciphertext C: the payload and the MAC, encrypted under key K
  23. Decryption-verification. Counter mode decryption; computation of the MAC with CBC-MAC on (N, A, P'); verification of authenticity. Output: Payload / INVALID
  24. Hardware implementation. CCM cannot be parallelized. Operations to be implemented: encryption (hw implementation of the AES cipher), XOR, counter increment, formatting function.
  25. Security recommendations
     Keys must be secret and "fresh"
     IV: 0 for CBC-MAC
     Never use the same nonce twice
     Max number of nonces with the same key: 2^61
     Choose an appropriate MAC length
     Replay attacks: use of timestamps / packet numbers
  26. A possible attack. "Be conservative in what you send, and liberal in what you accept": the sender attaches a 16-byte MAC, but the recipient accepts 16-, 12-, 8- and 4-byte MACs (diagram)
  27. A possible attack (cont'd). Here comes the bad guy!! He sends a 4-byte MAC instead, and the recipient accepts it (diagram)
  28. A possible attack (cont'd). 2^32 4-byte MACs computed: at least one valid ciphertext!!!
  29. Countermeasures. Fix the tag length parameter during key negotiation; never change it during the current session.
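An added example, not code from the slides, showing the countermeasure of slide 29 beside the behaviour of slide 26: a receiver that honours any of several tag lengths versus one that pins the length negotiated for the session, together with the forgery work each one implies (2^32 guesses for a 4-byte tag, as on slide 28). It assumes HMAC-SHA256 as a stand-in for CCM's AES CBC-MAC and uses a constructed key and message.

```python
import hmac
import hashlib

# Added example, not from the slides. Assumption: HMAC-SHA256 stands in for
# CCM's AES CBC-MAC so this runs without an AES library; what is demonstrated
# is the handling of the tag length, not the CCM primitive itself.


def make_tag(key: bytes, msg: bytes, tag_len: int) -> bytes:
    """Keyed tag truncated to tag_len bytes (CCM allows 4 to 16)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


class LiberalReceiver:
    """Slide 26: honours whichever tag length the sender attached."""
    ACCEPTED = (16, 12, 8, 4)

    def __init__(self, key: bytes):
        self.key = key

    def accepted_lengths(self):
        return self.ACCEPTED

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if len(tag) not in self.ACCEPTED:
            return False
        return hmac.compare_digest(make_tag(self.key, msg, len(tag)), tag)


class StrictReceiver:
    """Slide 29: tag length fixed at key negotiation, never changed in the session."""

    def __init__(self, key: bytes, tag_len: int):
        self.key, self.tag_len = key, tag_len

    def accepted_lengths(self):
        return (self.tag_len,)

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if len(tag) != self.tag_len:   # a downgraded (shorter) tag is rejected outright
            return False
        return hmac.compare_digest(make_tag(self.key, msg, self.tag_len), tag)


def forgery_work(receiver) -> int:
    """Guesses a forger expects to need: 2^(8 * shortest tag length the receiver honours)."""
    return 1 << (8 * min(receiver.accepted_lengths()))
```

With the liberal receiver the effective tag strength is that of the shortest accepted length, whatever the sender actually used.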
  30. GCM: Galois/Counter Mode of operation
  31. What is GCM - GMAC. An authenticated encryption solution. Encryption: use of the block cipher AES, mode of operation similar to CTR. Authentication: the MAC provided is a sort of keyed digest. Can provide authentication only → GMAC.
  32. Main features: extremely fast, more than 10 Gbps; easy to implement in software and hardware; can be used for authentication only, if desired; designed for AES, optimized for 128 bits; arbitrary length IV, optimized for 96 bits; only one key for authentication and encryption; no intellectual property restrictions.
  33. Authenticated encryption function (formal definition, as a diagram). WHAT?!?!
  34. Version for human beings. 1. The hash sub-key H is computed and stored: H = Enc_K(0^128), the encryption under K of a block of 128 zero bits.
  35. Version for human beings. 2. The IV length is checked: if it is 96 bits it is padded to 128 bits; if it is different, a 128-bit IV is computed using a special function (GHASH). The IV is the starting value of the counter.
  36. Version for human beings. 3. Encryption (diagram)
  37. Version for human beings. 4. Authentication (diagram): the tag is computed with multiplications in GF(2^128)
  38. Hardware implementation. The only way to manage more than 10 Gbps. GCM can be parallelized. Operations to be implemented: encryption (hw implementation of the AES cipher), XOR, increment of the counter, multiplication within GF(2^128).
  39. Hardware implementation (diagram)
  40. The multiplication in GF(2^q). Different approaches: parallel; serial (super serial, bit serial, etc). Serial solutions: time and area linear with q. Parallel solution: time 1 clock cycle; area quadratic with q, but only 30% of the AES cipher. GO PARALLEL, BOYS!
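Steps 1, 2 and 4 above and the hardware slides all rest on arithmetic in GF(2^128). As an added example (not code from the slides or from NIST), here is the bit-serial multiplication of SP 800-38D and GHASH in Python, plus a lane-split GHASH that evaluates the same polynomial as independent products, which is the property the parallel hardware of slide 38 exploits. The hash sub-key H is a constructed value in the test; in GCM it is AES_K applied to a block of 128 zero bits.

```python
# Added example, not the slides' or NIST's code. GCM's field is GF(2^128)
# modulo x^128 + x^7 + x^2 + x + 1, in GCM's bit-reflected convention: the
# leftmost bit of a block holds the coefficient of x^0.
R = 0xE1 << 120   # x^7 + x^2 + x + 1 in that convention (reduction constant)
ONE = 1 << 127    # the field element 1
X = 1 << 126      # the field element x


def gf_mult(a: int, b: int) -> int:
    """Bit-serial product of two 128-bit field elements (SP 800-38D, sec. 6.3)."""
    z, v = 0, b
    for i in range(128):
        if (a >> (127 - i)) & 1:                 # coefficient of x^i in a
            z ^= v                               # v holds b * x^i
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v *= x, reduced mod the polynomial
    return z


def _blocks(data: bytes) -> list:
    """128-bit blocks of data, the last one zero-padded as GHASH requires."""
    return [int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
            for i in range(0, len(data), 16)]


def _ghash_inputs(aad: bytes, ct: bytes) -> list:
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)   # [len(A)]64 || [len(C)]64
    return _blocks(aad) + _blocks(ct) + [length_block]


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C) evaluated serially: Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for x in _ghash_inputs(aad, ct):
        y = gf_mult(y ^ x, h)
    return y


def ghash_parallel(h: int, aad: bytes, ct: bytes, lanes: int = 4) -> int:
    """Same value as ghash(): the sum of X_i * H^(n+1-i), split over independent
    lanes (each lane is what one hardware multiplier would compute)."""
    xs = _ghash_inputs(aad, ct)
    n = len(xs)
    hpow = [ONE]                                 # H^0, H^1, ..., H^n
    for _ in range(n):
        hpow.append(gf_mult(hpow[-1], h))
    partial = [0] * lanes
    for i, x in enumerate(xs):
        partial[i % lanes] ^= gf_mult(x, hpow[n - i])
    result = 0
    for p in partial:
        result ^= p
    return result
```

The serial form is the dependency chain that limits a bit-serial design; the lane form shows why the multiplier, not the chain, bounds throughput once the powers of H are precomputed.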
  41. Security recommendations
     Keys: secret and "fresh"
     IV: probability of using the same IV and key < 2^-32
     Known security problem with reused IVs
     Appropriate tag length
     Replay attacks: use of timestamps
  42. Oracles... Permutation oracle: outputs either random numbers or the output of a PRF, where the PRF output represents an encrypted message. Distinguishing advantage: how well the attacker can tell the two apart.
  43. Oracles... Tag-generation oracle: input a message, output a valid tag. Tag-validation oracle: input a message and a tag, output whether the tag is correct for the given message. Forgery advantage.
  44. CTR known issue: two messages encrypted under the same key and IV
       Hello world,       72dd0294rth%p
       this is me,        29sj!5z/k=p
       life should be     akd'^3sddG#/ap5
       fun for everyone   97;7*h2?375ba+?9

       Hello Sarah,       72dd023&F7j%p
       this is me,        29sj!5z/k=p
       life should be     akd'^3sddG#/ap5
       fun for everyone   97;7*h2?375ba+?9
     Identical plaintext lines give identical ciphertext lines.
  45. Beware! Attacker with access to a tag-generation oracle: if IVs are not changed the output will be a function of the hash sub-key H. Analyzing the resulting tags the attacker could recover H. With H he can generate valid authentication tags, thus pretending to be your friend!
  46. Solution. This attack is possible only if you use at least twice the same key with the same IV. NEVER DO THAT!
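The CTR table of slide 44 and the "never do that" rule, as an added example that is not from the slides: a CTR encryptor built on an HMAC-SHA256 stand-in for the AES block function, showing that encrypting twice under one key and IV reuses the keystream (identical lines give identical ciphertext, and the XOR of two ciphertexts equals the XOR of their plaintexts), a guard that refuses the reuse, and the birthday estimate behind the 2^-32 figure of slide 41. The key, IVs and messages in the test are constructed sample values.

```python
import hmac
import hashlib

# Added example, not from the slides. Assumption: HMAC-SHA256 keyed with the
# session key stands in for the AES block function of CTR/GCM, so this runs
# without an AES library; keystream reuse behaves exactly the same way.


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR keystream: block i = PRF_key(IV || counter_i), GCM-style 96-bit IV + 32-bit counter."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation in CTR mode."""
    return xor(data, keystream(key, iv, len(data)))


class NonceGuard:
    """Slide 46 as code: never encrypt twice under the same (key, IV) pair."""

    def __init__(self):
        self._used = set()

    def encrypt(self, key: bytes, iv: bytes, data: bytes) -> bytes:
        if (key, iv) in self._used:
            raise ValueError("IV already used with this key: refusing to reuse the keystream")
        self._used.add((key, iv))
        return ctr_encrypt(key, iv, data)


def iv_collision_probability(messages: int, iv_bits: int = 96) -> float:
    """Birthday estimate n(n-1)/2^(iv_bits+1) that two random IVs collide under one key
    (slide 41 asks for this to stay below 2^-32)."""
    return messages * (messages - 1) / 2 ** (iv_bits + 1)
```

In a real deployment the guard state is a counter or a persisted IV record, not an in-memory set; the point is that the check happens before any keystream is produced.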
  47. References
     NIST Special Publication 800-38C (CCM)
     NIST Special Publication 800-38D (GCM)
     Authenticated Encryption (J. Black)
     A Critique of CCM (P. Rogaway, D. Wagner)
     On The Security of CTR + CBC-MAC (J. Jonsson)
     Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
     Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega)
     The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega)
     www.wikipedia.org
  48. Questions?