Authenticated encryption

Last updated

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key [1] ) and authenticity (in other words, it is unforgeable: [2] the encrypted message includes an authentication tag that the sender can calculate only while possessing the secret key [1] ). Examples of encryption modes that provide AE are GCM, CCM. [1]

Contents

Many (but not all) AE schemes allow the message to contain "associated data" (AD) which is not made confidential, but its integrity is protected (i.e., it is readable, but tampering with it will be detected). A typical example is the header of a network packet that contains its destination address. To properly route the packet, all intermediate nodes in the message path need to know the destination, but for security reasons they cannot possess the secret key. [3] Schemes that allow associated data provide authenticated encryption with associated data, or AEAD. [3]

Programming interface

A typical programming interface for an AE implementation provides the following functions:

The header part is intended to provide authenticity and integrity protection for networking or storage metadata for which confidentiality is unnecessary, but authenticity is desired.

History

The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error prone and difficult. [4] [5] This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication. [6]

Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in possibly secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes [7] in 2000 (see OCB and chronology [8] ). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009. [9] More authenticated encryption methods were developed in response to NIST solicitation. [10] Sponge functions can be used in duplex mode to provide authenticated encryption. [11]

Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks. [12]

In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes. [13]

In 2015, ChaCha20-Poly1305 is added as an alternative AE construction to GCM in IETF protocols.

Variants

Authenticated encryption with associated data

Authenticated encryption with associated data (AEAD) is a variant of AE that allows the message to include "associated data" (AD, additional non-confidential information, a.k.a. "additional authenticated data", AAD). A recipient can check the integrity of both the associated data and the confidential information in a message. AD is useful, for example, in network packets where the header should be visible for routing, but the payload needs to be confidential, and both need integrity and authenticity. The notion of AEAD was formalized by Rogaway (2002). [3]

Key-committing AEAD

AE was originally designed primarily to provide the ciphertext integrity: successful validation of an authentication tag by Alice using her symmetric key KA indicates that the message was not tampered with by an adversary Mallory that does not possess the KA. The AE schemes usually do not provide the key commitment, a guarantee that the decryption would fail for any other key. [14] As of 2021, most existing AE schemes (including the very popular GCM) allow some messages to be decoded without an error using more than just the (correct) KA; while their plaintext decoded using a second (wrong) key KM will be incorrect, the authentication tag would still match.[ citation needed ] Since crafting a message with such property requires Mallory to already possess both KA and KM, the issue might appear to be one of a purely academic interest. [15] However, under special circumstances, practical attacks can be mounted against vulnerable implementations. For example, if an identity authentication protocol is based on successful decryption of a message that uses a password-based key, Mallory's ability to craft a single message that would be successfully decrypted using 1000 different keys associated with weak, and thus known to her, potential passwords, can speed up her search for passwords by a factor of almost 1000. For this dictionary attack to succeed, Mallory also needs an ability to distinguish successful decryption by Alice from an unsuccessful one, due, for example, to a poor protocol design or implementation turning Alice's side into an oracle. Naturally, this attack cannot be mounted at all when the keys are generated randomly. [16]

Key commitment was originally studied in the 2010s by Abdalla et al. [17] and Farshim et al. [18] under the name "robust encryption". [15] [19]

To mitigate the attack described above without removing the "oracle", a key-committing AEAD that does not allow this type of crafted messages to exist can be used. AEGIS is an example fast (if the AES instruction set is present), key-committing AEAD. [20] It is possible to add key-commitment to an existing AEAD scheme. [21] [22]

Approaches to authenticated encryption

Encrypt-then-MAC (EtM)

EtM approach Authenticated Encryption EtM.png
EtM approach

The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. ETM is the standard method according to ISO/IEC 19772:2009. [9] It is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable". [23]

IPSec adopted EtM in 2005. [24] In November 2014, TLS and DTLS received extensions for EtM with RFC   7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., hmac-sha1-etm@openssh.com).

Encrypt-and-MAC (E&M)

E&M approach Authenticated Encryption EaM.png
E&M approach

A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH. [25] Even though the E&M approach has not been proved to be strongly unforgeable in itself, [23] it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach. [26]

MAC-then-Encrypt (MtE)

MtE approach Authenticated Encryption MtE.png
MtE approach

A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Until TLS 1.2, all available SSL/TLS cipher suites were MtE. [27]

MtE has not been proven to be strongly unforgeable in itself. [23] The SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism. [28] However, Krawczyk's proof contains flawed assumptions about the randomness of the initialization vector (IV). The 2011 BEAST attack exploited the non-random chained IV and broke all CBC algorithms in TLS 1.0 and under. [29]

In addition, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in the detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.

See also

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message they encrypt. The property of indistinguishability under chosen plaintext attack is considered a basic requirement for most provably secure public key cryptosystems, though some schemes also provide indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack. Indistinguishability under chosen plaintext attack is equivalent to the property of semantic security, and many cryptographic proofs use these definitions interchangeably.

Offset codebook mode is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizeable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version was proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.

CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

EAX mode (encrypt-then-authenticate-then-translate) is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data (AEAD) algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for each block.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

Institute of Electrical and Electronics Engineers (IEEE) standardization project for encryption of stored data, but more generically refers to the Security in Storage Working Group (SISWG), which includes a family of standards for protection of stored data and for the corresponding cryptographic key management.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. The information could be directly given, or leaked through a side-channel.

Application Layer Transport Security (ALTS) is a Google-developed authentication and transport encryption system used for securing Remote Procedure Call (RPC) within Google machines. Google started its development in 2023, as a tailored modification of TLS.

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

References

  1. 1 2 3 Black 2005, p. 1.
  2. Katz & Lindell 2020, p. 116.
  3. 1 2 3 Black 2005, p. 2.
  4. M. Bellare; P. Rogaway; D. Wagner. "A Conventional Authenticated-Encryption Mode" (PDF). NIST. Retrieved March 12, 2013. people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)
  5. T. Kohno; J. Viega & D. Whiting. "The CWC Authenticated Encryption (Associated Data) Mode" (PDF). NIST. Retrieved March 12, 2013. it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes
  6. "Failures of secret-key cryptography" (PDF). Daniel J. Bernstein. Archived from the original (PDF) on April 18, 2013. Retrieved March 12, 2013.
  7. Jutl, Charanjit S. (2000-08-01). "Encryption Modes with Almost Free Message Integrity". Cryptology ePrint Archive: Report 2000/039. Proceedings IACR EUROCRYPT 2001. IACR . Retrieved 2013-03-16.
  8. T. Krovetz; P. Rogaway (2011-03-01). "The Software Performance of Authenticated-Encryption Modes" (PDF). Fast Software Encryption 2011 (FSE 2011). IACR.
  9. 1 2 "Information technology -- Security techniques -- Authenticated encryption". 19772:2009. ISO/IEC. Retrieved March 12, 2013.
  10. "Encryption modes development". NIST. Retrieved April 17, 2013.
  11. The Keccak Team. "Duplexing The Sponge" (PDF).
  12. Katz, J.; Yung, M. (2001). "Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation". In B. Schneier (ed.). Fast Software Encryption (FSE): 2000 Proceedings. Lecture Notes in Computer Science. Vol. 1978. pp. 284–299. doi:10.1007/3-540-44706-7_20. ISBN   978-3-540-41728-6.
  13. "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness" . Retrieved March 12, 2013.
  14. Albertini et al. 2020, pp. 1–2.
  15. 1 2 Albertini et al. 2020, p. 2.
  16. Len, Julia; Grubbs, Paul; Ristenpart, Thomas (2021). Partitioning Oracle Attacks. USENET '21. pp. 195–212.
  17. Abdalla, Bellare & Neven 2010, pp. 480–497.
  18. Farshim et al. 2013, pp. 352–368.
  19. Bellare & Hoang 2022, p. 5.
  20. Denis, Frank. "The AEGIS Family of Authenticated Encryption Algorithms". cfrg.github.io.
  21. Gueron, Shay (2020). "Key Committing AEADs" (PDF).
  22. poncho. "Key Committing AEADs". Cryptography Stack Exchange. Retrieved 21 February 2024. (See also the comment section discussing a revised libsodium recommendation for adding key-commitment.)
  23. 1 2 3 "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm". M. Bellare and C. Namprempre. Archived from the original on January 23, 2018. Retrieved April 13, 2013.
  24. "Separate Confidentiality and Integrity Algorithms". RFC 4303 - IP Encapsulating Security Payload (ESP). Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
  25. "Data Integrity". RFC 4253 . Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
  26. Bellare, Mihir; Kohno, Tadayoshi; Namprempre, Chanathip. "Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm" (PDF). ACM Transactions on Information and System Security. Retrieved 30 August 2021.
  27. Rescorla, Eric; Dierks, Tim (August 2008). "Record Payload Protection". RFC 5246 . Internet Engineering Task Force (IETF). Retrieved 2018-09-12.
  28. "The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)" (PDF). H. Krawczyk. Retrieved April 13, 2013.
  29. Duong, Thai; Rizzo, Juliano (May 13, 2011). "Here Come The ⊕ Ninjas" (PDF). BEAST attack whitepaper
General

Sources

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.