Authenticated Encryption
How to secure against tampering.
If message needs integrity but no confidentiality - use MAC
If message needs integrity and confidentiality - use Authenticated Encryption
3 options:
SSL(Mac-then-Encrypt),IPSec(Encrypt-then-MAC),SSH (Encrypt-and-MAC) => IPSec is the best one to provide AE
Standards:
GCM, CCM, EAX
OCB : a direct construction from a PRP - Efficient in the sense that you don't have to invoke AES(or another block cipher) twice - once each for encryption and MAC
- parallel
But OCB is not widely used and not a standard - primarily due to various patents
TLS
AE in real world
Attacks
IMAP over TLS
Padding Oracle
Attacking non-atomic decryption =>
KDF
HKDF - key derivation function from HMAC (Generating multiple keys from one key)
Password based KDF - PBKDF/PKCS
Searching on Encrypted data
Deterministic Encryption - cannot be CPA secure. Solution - pair (k, m) is unique. Same message won't be encrypted by the same key. CBC with fixed IV is not det. CPA secure.
SIV with wide PRP.
EME
Disk Encryption
Encryption cannot expand original text. Sector size fixed.
If 2 sectors have same content, their cipher texts will also be the same. Information will leak.
If 2 sectors have same content, their cipher texts will also be the same. Information will leak.
First, approach - let's use different keys for different sectors.
But even with this approach, user can still change the text and then revert it to find a leakage or pattern.
Tweakable block cipher - where tweak comes from sector number.
XTS tweakable block cipher
Use tweakable encryption when you need many independent PRPs from one key.
Format preserving encryption
Credit card encryption -
No comments:
Post a Comment