Wednesday, December 27, 2017

cryptography course - Authenticated Encryption

Authenticated Encryption
How to secure against tampering.

If a message needs integrity but not confidentiality - use a MAC
If a message needs both integrity and confidentiality - use Authenticated Encryption

3 options:
SSL (MAC-then-Encrypt), IPSec (Encrypt-then-MAC), SSH (Encrypt-and-MAC) => IPSec is the best one to provide AE
Standards:
GCM, CCM, EAX

OCB: a direct construction from a PRP - efficient in the sense that you don't have to invoke AES (or another block cipher) twice, once each for encryption and MAC
- parallelizable
But OCB is not widely used and not a standard - primarily due to various patents

TLS
AE in real world

Attacks
IMAP over TLS
Padding Oracle
Attacking non-atomic decryption => 

KDF
HKDF - key derivation function from HMAC (Generating multiple keys from one key)
Password based KDF - PBKDF/PKCS
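
Added example (not from the course or from these notes) tying together the Encrypt-then-MAC option and the HKDF note above: one master key is expanded with HKDF into independent encryption and MAC keys, and the tag is checked before any decryption happens. Assumptions: the keystream function is a stand-in built from HMAC-SHA256 so the block runs on the standard library alone, and the labels b"enc"/b"mac", the 16-byte nonce and all function names are illustrative.

```python
import hashlib, hmac, os

def hkdf(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK from ikm, then expand it under `info`."""
    if length > 255 * 32:
        raise ValueError("requested output too long")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a PRF keystream.
    # Real code would use AES-CTR here, or simply a standard AE mode (GCM, CCM, EAX).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(master: bytes, plaintext: bytes) -> bytes:
    # Different `info` labels give independent keys from the same master key.
    k_enc, k_mac = hkdf(master, b"enc", 32), hkdf(master, b"mac", 32)
    nonce = os.urandom(16)
    ct = keystream_xor(k_enc, nonce, plaintext)
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag
        raise ValueError("invalid ciphertext")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf(master, b"mac", 32), nonce + ct, hashlib.sha256).digest()
    # Verify in constant time BEFORE decrypting; one generic error for every
    # failure, so the caller learns nothing about where the check failed.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("invalid ciphertext")
    return keystream_xor(hkdf(master, b"enc", 32), nonce, ct)

if __name__ == "__main__":
    master = bytes(range(32))                      # constructed sample key
    blob = seal(master, b"transfer 100 to alice")  # constructed sample message
    print(unseal(master, blob))
    forged = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        unseal(master, forged)
    except ValueError as e:
        print("rejected:", e)
```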

Searching on Encrypted data
Deterministic Encryption - cannot be CPA secure. Solution - require that the pair (k, m) is unique: the same message won't be encrypted twice under the same key. CBC with a fixed IV is not deterministic-CPA secure.
SIV with wide PRP.
EME

Disk Encryption
Encryption cannot expand the original text. Sector size is fixed.
If 2 sectors have the same content, their ciphertexts will also be the same. Information will leak.
First approach - let's use different keys for different sectors.
But even with this approach, a user can still change the text and then revert it to find a leakage or pattern.
Tweakable block cipher - where tweak comes from sector number.
XTS tweakable block cipher

Use tweakable encryption when you need many independent PRPs from one key.

Format preserving encryption
Credit card encryption - 
