What is authenticated encryption?
In the decryption algorithm, we either output the message or an error message (if the message was tampered with).
two guarantees:
- semantic security (IND-CPA)
- ciphertext integrity
Describe the integrity security game
A ciphertext E guarantees INT-CTXT if for all PPT A:
the probability that the adversary manages to construct a forgery a fake cipher text that it hasn’t seen before the decrypted properly. And we’re going to say that a cipher is secure if that is negligible. If the probability that the adversary can trick the Challenger can construct forgery is negligible.
What are the options for combining MAC and encryption?
Option 1 (SSH): Encrypt and MAC Option 2 (SSL): MAC then encrypt Option 3 (IPSec): Encrypt then MAC
What are pros and cons of each option?
SSH: Encrypt AND MAC
-MAC does not guarantee confidentiality so it is possible for the tag to reveal one or more bits about the message; so the combination would no longer be semantically secure; even though ssh itself is not broken, it is problematic and shouldn’t be used
SSL: MAC then encrypt
-does not have the issue of SSH because the ciphertext hides the message; but there are some examples where even though the MAC and encryption are secure the combination is not; this method is also discouraged
IPSec: Encrypt then MAC
- always secure! if your encryption is secure and your MAC is secure then your output will also always be secure.
- WHY: Well, one reason that this is true is that after you encrypt the message, the cipher text is going to be semantically secure. Okay. Which means that signing the cipher text cannot possibly reveal any information about the message. Because if it did, then you could imagine an adversary that could use this signing algorithm as part of a statistical test to try to break the underlying crypto system. But we know that because the crypto system is semantically secure, there doesn’t exist such an adversary that doesn’t exist such a statistical test. And therefore signing cannot possibly extract information about the message from the cipher text. Because we’re working directly with the semantically secure object. So, anything we do on top of that cannot possibly extract information about the message.
describe the goal and threat model of the key exchange protocol.
goal: for alice and bob to agree on a shared secret even though they’ve never had a prior interaction before
threat model:
- adversary can only eavesdrop on the communication
- no tampering with any messages
describe the goal and threat model of the key exchange protocol.
goal: for alice and bob to agree on a shared secret even though they’ve never had a prior interaction before
threat model:
- adversary can only eavesdrop on the communication
- no tampering with any messages
Describe the Diffie-Hellman Key exchanage
both compute the same thing with different components
Why is Diffie-Hellman Key exchange secure?
true/false: DHKE protocol can be non-interactive
true.
the way alice and bob compute the key are independent of A and B
What is the drawback of Diffie-Hellman?
It is not secure against active attacks.
The attacker can replace sent messages with a message of her choosing.
Attacker can intercept read, reencrypt and send to bob.
Describe the public key encryption scheme?
What’s a key difference between the public key encryption scheme described here and the DHKE?
it’s very interactive. the messages depend on each other.
what is a trapdoor function?
Why is this a BAD way to use trapdoor functions?
Not semantically secure because the decryption function is deterministic. The adversary has access to pk and in the IND-CPA game the adversary picks the messages and then can figure out decryption
What do we need to build a public key cryptosystem?
Describe a secure construction of a public key encryption cryptosystem?
trapdoor function (KeyGen)
encryption:
- generate a random input for trapdoor function
- compute trapdoor function
- hash x and use output as symmetric key
- encrypt using authenticated encryption scheme
decryption:
- use trapdoor to invert function
- hash x and use output as symmetric key
- decrypt using authenticated encryption scheme
why is that construction secure?
First of all, this is a randomized algorithm now because we’re sampling randomness, and this is deterministic. There is no randomness here. We have the two features that we wanted, so randomized deterministic and this encryption scheme is going to be semantically secure because observe that c is itself semantically secure and y is just the trapdoor function evaluated at some random input. By the security definition of the trapdoor function, it’s going to be very hard to invert. It’s going to be very hard for an adversary to reconstruct x from y unless they know the secret key. That’s what it means for f to be a trapdoor function. Whereas the entity when the decryption will know the secret key, so they will be able to reverse it.
What is a common way to build public encryption out of the RSA trapdoor function?
RSA-PKCS#1 v1.5 mode 2
this solves the problem of the trapdoor function being deterministic by first adding a randomized padding to the message.
What is a padding oracle attack?
the attacker exploits the fact that the server sends back information to the user about malformed messages. so the attacker can continuously send “corrupted” ciphertexts to the server and bit by bit she can learn the message/password.
What is IND-CCA? (security for chosen-ciphertext attacks)
How is it stronger than IND-CPA?
the adversary can send a ciphertext test and ask for the challenger to send back the decryption. this accounts for the possible attack in the RSA encryption.
RSA-PKCS#1 v.1.5 mode 2 - is it secure?
IND-CPA secure (as far as we know)
NOT IND-CCA secure (see padding oracle attack)
Is symmetric key encryption immune to oracle padding attacks?
- block cipher in CBC mode (remember there is padding)
- –> no, has similar attacks
- authenticated encryption (e.g. encrypt then MAC)
- –> provides IND-CCA2 security and prevents padding oracle attacks
IND-CCA RSA Encryption
two ways to do it:
- generic construction for trapdoor functions
- optimal asymmetric encryption padding (OAEP - recommended)
RSA-KEM (key encapsulation mechanism) / option 1
3 assumptions for security of RSA-KEM
- trapdoor function is secure
- –> in RSA-KEM this means that the RSA assumption holds - H is a random oracle from Z_N to {0,1}^k
- authenticated encryption scheme is secure
-
Lesson 1: The Security Mindset8
-
Process Review (week 2)13
-
address spaces (week 2)8
-
anatomy of a program (week 2)5
-
buffer overflows (week 2)15
-
memory-safety (week 2)23
-
smashing the stack for fun and profit (week 2)4
-
buffer-overflows-attacks-and-defenses (week 3)12
-
return to libc & intro to ROP (week 3)3
-
Stack Canaries, Bounds Checking, NX, DEP, ROP, ASLR(week 3)20
-
principles & design patters for building secure systems (week 4)14
-
privilege separation in unix (week 4)24
-
Authentication and passwords and stuff (week 4)9
-
intro-to-cryptography (week 5)20
-
module 621
-
module 714
-
module 812
-
module 916
-
Module 1033
-
Module 1112
-
Module 1240
-
Module 1325
-
Module 146
