[slides] authenticated encryption gcm - ccm

Authenticated encryption: GCM and CCM modes. Lorenzo Peraldo and Vittorio Picco

Upload: project-symphony-collection

Post on 13-Nov-2014


DESCRIPTION

These are the slides used for presenting the Authenticated Encryption GCM - CCM document by Lorenzo Peraldo and Vittorio Picco.

TRANSCRIPT

Page 1: [slides] Authenticated Encryption GCM - CCM

Authenticated encryption

GCM and CCM modes

Lorenzo Peraldo and Vittorio Picco

Page 2: [slides] Authenticated Encryption GCM - CCM

Authenticated encryption

Definition

“Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications”

Page 3: [slides] Authenticated Encryption GCM - CCM

Basic components

Message Authentication Code (MAC)
+
Symmetric encryption

Page 4: [slides] Authenticated Encryption GCM - CCM

Why?

- MAC
  - Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed
  - Authentication: only the user who has got the secret key can authenticate the message
- Symmetric encryption
  - Confidentiality: data are encrypted
  - Authentication: if only 2 users share the secret key

Page 5: [slides] Authenticated Encryption GCM - CCM

A non-computer example

A letter from a lover by ordinary mail:

- Envelope: confidentiality and integrity
- Signature: authentication

Page 6: [slides] Authenticated Encryption GCM - CCM

Sender AE black box

- Input
  - A plaintext message
  - A key
  - Possibly a nonce
- Output
  - The encrypted message (ciphertext)
  - An authentication tag

Page 7: [slides] Authenticated Encryption GCM - CCM

Recipient AE black box

- Input
  - An encrypted message
  - A tag
  - The nonce, if used
  - The key
- Output
  - If the tag is verified: the plaintext
  - else: FAIL

Page 8: [slides] Authenticated Encryption GCM - CCM

AE security

- Privacy
  - An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext
  - The ciphertext should look like random bits
- Authentication
  - An attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid
  - Protection from replay attacks

Page 9: [slides] Authenticated Encryption GCM - CCM

AE implementations

- Usually with “modes”
  - A mode is a sequence of operations applied to a block cipher, like DES or AES
  - Examples: CBC, ECB, CTR, …
- CCM and GCM provide authenticated encryption

Page 10: [slides] Authenticated Encryption GCM - CCM

Generic composition

- Immediate solution
  - PRO: easy, secure, no need to develop specific apps
  - CON: not optimized, 2 keys needed for best security
- 3 ways
  - MtE: MAC then Encrypt
  - EtM: Encrypt then MAC
  - E&M: Encrypt and MAC
- EtM is the best

Page 11: [slides] Authenticated Encryption GCM - CCM

Single-pass combined mode

- 2000: IBM developed IAPM
- Comparison with generic composition
  - Split the plaintext in m parts
  - Generic composition: 2m calls of the block cipher
  - Single-pass: about m invocations
- Many followed: XCBC, XECB, OCB, …
- There is only a problem…

Page 12: [slides] Authenticated Encryption GCM - CCM

Oh no, Intellectual Properties!!

- Single-pass modes were all patented:
  - IAPM: by IBM
  - XCBC: by Gligor and Donescu
  - OCB: by Rogaway, Bellare, Black, and Krovetz
  - XECB: by Gligor and Donescu

Page 13: [slides] Authenticated Encryption GCM - CCM

As a result…

- Probably some of the patents are interrelated
- Nobody has gone to court to prove it (yet…)
- The possible users of these technologies have been scared by the legal implications
- The researchers have moved toward other directions
- No single-pass combined mode is used by anybody, even though they are the best solution

Page 14: [slides] Authenticated Encryption GCM - CCM

Two-pass combined mode

- Not that different from generic composition
- Some advantages
  - Use of only one key
  - Patent free
  - Better performances than generic composition
- CCM, EAX, CWC, GCM

Page 15: [slides] Authenticated Encryption GCM - CCM

CCM

A brief introduction

Page 16: [slides] Authenticated Encryption GCM - CCM

What is CCM

- Counter with CBC-MAC
- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES-128
  - Counter (CTR) mode
- Authentication
  - MAC computed with CBC (Cipher Block Chaining)

Page 17: [slides] Authenticated Encryption GCM - CCM

Main features

- Symmetric key
- Designed for AES-128
- Use in packet environment (no stream data)
- Arbitrary length MAC
- Only one key for authentication and encryption
- No intellectual property restrictions

Page 18: [slides] Authenticated Encryption GCM - CCM

How does it work?

Generation - encryption (diagram)

Page 19: [slides] Authenticated Encryption GCM - CCM

How does it work? (cont’d)

Decryption - verification (diagram)

Page 20: [slides] Authenticated Encryption GCM - CCM

Generation-encryption

1. The MAC (Message Authentication Code) is computed applying CBC to the formatted input data:
   (N, P, A) → m1, m2, …, mx

Page 21: [slides] Authenticated Encryption GCM - CCM

Generation-encryption (cont’d)

2. Counter mode is applied to encrypt data and MAC

Page 22: [slides] Authenticated Encryption GCM - CCM

Generation-encryption (cont’d)

3. Output ciphertext:
   C = CTR_K(Payload || MAC)

Page 23: [slides] Authenticated Encryption GCM - CCM

Decryption-verification

- Counter mode decryption
- Computation of MAC with CBC-MAC
  - (N, A, P’)
- Verification of authenticity
- Output: Payload / INVALID

Page 24: [slides] Authenticated Encryption GCM - CCM

Hardware implementation

- CCM cannot be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Counter increment
  - Formatting function

Page 25: [slides] Authenticated Encryption GCM - CCM

Security

- Recommendations
  - Keys must be secret and “fresh”
  - IV: 0 for CBC-MAC
  - Never use the same nonce twice
  - Max n° of nonces with the same key: 2^61
  - Choose an appropriate MAC length
  - Replay attacks: use of timestamps / packet numbers

Page 26: [slides] Authenticated Encryption GCM - CCM

A possible attack

“be conservative in what you send, and liberal in what you accept”

[Diagram: the sender uses a 16-byte MAC; the recipient accepts 16-byte, 12-byte, 8-byte and 4-byte MACs]

Page 27: [slides] Authenticated Encryption GCM - CCM

A possible attack (cont’d)

Here comes the bad guy!!

[Diagram: the attacker sends a 4-byte MAC; the recipient accepts 16-byte, 12-byte, 8-byte and 4-byte MACs]

Page 28: [slides] Authenticated Encryption GCM - CCM

A possible attack (cont’d)

2^32 4-byte MACs computed → at least one valid ciphertext!!!

Page 29: [slides] Authenticated Encryption GCM - CCM

Countermeasures

- Fix the tag length parameter
  - During key negotiation
  - Never change it during the current session

Page 30: [slides] Authenticated Encryption GCM - CCM

GCM

Galois/Counter Mode of operation

Page 31: [slides] Authenticated Encryption GCM - CCM

What is GCM - GMAC

- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES
  - Mode of operation similar to the CTR
- Authentication
  - The MAC provided is a sort of keyed digest
  - Can provide authentication only → GMAC

Page 32: [slides] Authenticated Encryption GCM - CCM

Main features

- Extremely fast, more than 10 Gbps
- Easy to implement in software and hardware
- Can be used for authentication only, if desired
- Designed for AES, optimized for 128 bits
- Arbitrary length IV, optimized for 96 bits
- Only one key for authentication and encryption
- No intellectual property restrictions

Page 33: [slides] Authenticated Encryption GCM - CCM

Authenticated encryption function

WHAT?!?!

Page 34: [slides] Authenticated Encryption GCM - CCM

Version for human beings

1. The hash sub-key H is computed and stored
   [Diagram: H = Enc_K(0^128), the encryption of the all-zero block under the key K]

Page 35: [slides] Authenticated Encryption GCM - CCM

Version for human beings

2. The IV length is checked
   - If it’s 96 bits, it is padded to 128
   - If it’s different, a 128-bit IV is computed using a special function (GHASH)
   - The IV is the starting value of the counter

Page 36: [slides] Authenticated Encryption GCM - CCM

Version for human beings

3. Encryption

Page 37: [slides] Authenticated Encryption GCM - CCM

Version for human beings

4. Authentication
   GF(2^128)

Page 38: [slides] Authenticated Encryption GCM - CCM

Hardware implementation

- The only way to manage more than 10 Gbps
- GCM can be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Increment of the counter
  - Multiplication within GF(2^128)

Page 39: [slides] Authenticated Encryption GCM - CCM

Hardware implementation

Page 40: [slides] Authenticated Encryption GCM - CCM

The multiplication in GF(2^q)

- Different approaches
  - Parallel
  - Serial: super serial, bit serial, etc
- Serial solutions
  - Time and area linear with q
- Parallel solution
  - Time: 1 clock cycle
  - Area: quadratic with q, but only 30% of AES cipher

GO PARALLEL, BOYS!
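As an added example that is not part of the slides: the GHASH authentication step of page 37 written on top of the bit-serial GF(2^128) multiplier this slide describes, in pure Python with no AES at all. The block-cipher outputs H and E_K(J0) are the known-answer values of GCM test case 2 (zero key, one zero plaintext block, 96-bit zero IV) from the McGrew-Viega specification, and verify_tag is an assumed recipient-side check that enforces the tag length fixed at key negotiation (the countermeasure of page 29) in constant time.

```python
import hmac

# GCM reduction constant x^128 + x^7 + x^2 + x + 1 in the reflected bit order
# of SP 800-38D (bit 0 of a block is the leftmost bit).
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Bit-serial multiply in GF(2^128): one shift-and-add step per bit of y."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:        # bit i of y set: accumulate v
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v = v * x, reduce on carry
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks as integers, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H over A, C and the 64-bit bit-lengths of A and C."""
    hk = int.from_bytes(h, "big")
    y = 0
    for blk in list(_blocks(aad)) + list(_blocks(ciphertext)):
        y = gf128_mul(y ^ blk, hk)
    length_block = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf128_mul(y ^ length_block, hk).to_bytes(16, "big")


def gcm_tag(h: bytes, enc_j0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Full tag = E_K(J0) XOR GHASH; E_K(J0) is passed in (no AES in this file)."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), enc_j0))


def verify_tag(expected: bytes, received: bytes, session_tag_len: int) -> bool:
    """Assumed recipient check: the tag length was fixed at key negotiation and
    must not shrink per message (the 4-byte MAC attack); compare in constant time."""
    if len(received) != session_tag_len:
        return False
    return hmac.compare_digest(expected[:session_tag_len], received)


# Known-answer values from GCM test case 2 (K = 0^128, P = 0^128, IV = 0^96):
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")       # AES_K(0^128)
ENC_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # AES_K(IV || 0^31 || 1)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")       # the single ciphertext block
TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")     # the expected tag

if __name__ == "__main__":
    tag = gcm_tag(H, ENC_J0, b"", C)
    print(tag.hex(), tag == TAG)                      # ab6e47d4... True
    # Flipping one ciphertext bit (the CTR known-issue slide) flips the same
    # plaintext bit, but the tag no longer matches, so the message is rejected.
    tampered = bytes([C[0] ^ 0x01]) + C[1:]
    print(verify_tag(gcm_tag(H, ENC_J0, b"", tampered), tag, 16))   # False
```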

Page 41: [slides] Authenticated Encryption GCM - CCM

Security

- Recommendations
  - Keys: secret and “fresh”
  - IV: probability of using the same IV and key < 2^-32
  - Known security problem with reused IVs
  - Appropriate tag length
  - Replay attacks: use of timestamps

Page 42: [slides] Authenticated Encryption GCM - CCM

Oracles...

- Permutation oracle
  - Outputs the random-looking value of a PRF
  - The PRF output represents an encrypted message
- Distinguishing advantage

Page 43: [slides] Authenticated Encryption GCM - CCM

Oracles...

- Tag-generation oracle
  - Input: a message
  - Output: a valid tag
- Tag-validation oracle
  - Input: a message and a tag
  - Output: is the tag correct for the given message?
- Forgery advantage

Page 44: [slides] Authenticated Encryption GCM - CCM

CTR known issue

Plaintext:  Hello world, this is me, life should be fun for everyone
Ciphertext: 72dd0294rth%p29sj!5z/k=pakd'^3sddG#/ap597;7*h2?375ba+?9

Modified plaintext:  Hello Sarah, this is me, life should be fun for everyone
Modified ciphertext: 72dd02 3&F7j %p29sj!5z/k=pakd'^3sddG#/ap597;7*h2?375ba+?9

Page 45: [slides] Authenticated Encryption GCM - CCM

Beware!

- Attacker with access to a tag-generation oracle
- If IVs are not changed, the output will be a function of the hash sub-key H
- Analyzing the resulting tags, the attacker could recover H
- With H he can generate valid authentication tags, thus pretending to be your friend!

Page 46: [slides] Authenticated Encryption GCM - CCM

Solution

- This attack is possible only if you use the same key with the same IV at least twice

NEVER DO THAT!

Page 47: [slides] Authenticated Encryption GCM - CCM

References

- NIST Special Publication 800-38C (CCM)
- NIST Special Publication 800-38D (GCM)
- Authenticated Encryption (J. Black)
- A Critique of CCM (P. Rogaway, D. Wagner)
- On The Security of CTR + CBC-MAC (J. Jonsson)
- Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
- Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega)
- The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega)
- www.wikipedia.org

Page 48: [slides] Authenticated Encryption GCM - CCM

Questions?