Attacking Authenticated Encryption
by: burt rosenberg
at: university of miami
date: feb 2018
Overview
There are two basic tasks in this assignment. The first is to implement several
authenticated encryption schemes. The second is to attack those schemes:
- attacking indistinguishability using a decryption oracle,
- attacking authenticity using a message extension attack,
- attacking confidentiality using a padding error attack, combined with a message truncation attack.
The requested implementation deliberately leaves itself open to these attacks, so that you can
explore and understand them. At the same time, the implementation is very close to the
actual cryptography that secures our communications, from shopping to warfare.
After completing the assignment you will have a clear understanding of how to reason about
professional crypto, what it can and cannot achieve, and how to use it properly.
Problem 1: Authenclib/ae.py
To implement authenticated encryption, complete the provided template code
authencrypt/ae.py.
The heart of the implementation is Blowfish, a 64-bit block cipher designed by Bruce Schneier.
We use the provided blowfish python package, blowfish 0.6.1; the provided Makefile has a
target to install the package.
The program authencrypt.py (see class/proj3/authencrypt.py) accepts command line
arguments, instantiates the AuthEncrypt object implemented in ae.py, and encrypts
or decrypts stdin to stdout. In case of error, authencrypt.py writes a single
letter, A or P, to stderr, where A means a bad MAC, and P means faulty padding.
The completed program can encrypt and decrypt in one of four modes,
- No MAC (none). The plaintext is padded to a multiple of the block size, an 8-byte IV
is randomly chosen, and the padded text is CBC encrypted using a key derived from
a supplied pass-phrase. The output is the IV followed by the encrypted, padded plaintext.
- MAC-and-Encrypt (mae). The plaintext is encrypted as above. A CBC-MAC
is taken over the padded plaintext using a second key derived from the supplied pass-phrase (not the
same key as the one that encrypts/decrypts). The output is the encrypted text, IV included, followed by the MAC.
- MAC-then-Encrypt (mte). The plaintext is padded to a multiple of the block size. A
CBC-MAC is taken over the padded message. The MAC is appended to the padded message and the
entirety is CBC encrypted, as above. The output is the resulting ciphertext (IV first, as above).
- Encrypt-then-MAC (etm). The plaintext is padded to a multiple of the block size and
is CBC encrypted as above. The resulting ciphertext is CBC-MAC'ed. The output is the ciphertext
followed by the MAC.
Details of the encryption and MAC generation follow the class text. The figure below shows
MAC-and-Encrypt: the upper chain is the CBC-MAC over the padded message blocks m0 m1 m2 under
the MAC key (G), the lower chain is CBC encryption of the same blocks under the encryption
key (F); the output is c0/IV, c1 c2 c3, and c4/MAC.

        m0        m1        m2
        |         |         |
        |    +---(+)   +---(+)
        |    |    |    |    |
       +-+   |   +-+   |   +-+
       |G|   |   |G|   |   |G|
       +-+   |   +-+   |   +-+
        |    |    |    |    |
        +----+    +----+    +--------+
                                     |
                                     |
  IV    m0        m1        m2       |
  |     |         |         |        |
  +----(+)   +---(+)   +---(+)       |
  |     |    |    |    |    |        |
  |    +-+   |   +-+   |   +-+       |
  |    |F|   |   |F|   |   |F|       |
  |    +-+   |   +-+   |   +-+       |
  |     |    |    |    |    |        |
  |     +----+    +----+    |        |
  |          |         |    |        |
c0/IV       c1        c2   c3     c4/MAC
**** Encrypt and MAC ****
- CBC encryption as in Figure 3.7;
- CBC-MAC as in Figure 4.1, but for an arbitrary number of blocks. That is, do not prepend
the message length to the message before MAC'ing. This is a
deliberate vulnerability for the purposes of the assignment.
- Padding scheme as in Section 3.7.2.
In decryption mode, the padding is checked in all modes, and 'P' is written to stderr if the
padding is faulty. Except in the none mode, the MAC is also checked and 'A' is written to stderr
if the MAC does not verify. Check the padding first. This is a
deliberate vulnerability for the purposes of the assignment.
Problem 2: Basic attacks
Write a program that uses the AuthEncrypt library you created to automate three attacks,
- An attack against indistinguishability of the none mode, using a chosen ciphertext attack.
- An attack on MAE that uses message extension to forge a new message from given chosen-plaintext messages.
- An attack that decrypts a message encrypted with MAE, making use of the padding and of the fact
that padding errors take precedence over MAC errors.
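The four modes of Problem 1 and the three attacks of Problem 2 as one added worked example. This is
not the course's ae.py or authencrypt.py, and it makes the following assumptions where the page leaves
details open: the blowfish package is replaced by a toy 8-byte Feistel cipher so the code runs offline
(substitute the package's block encrypt/decrypt for the real thing); both keys are derived from the
pass-phrase with SHA-256; padding is n bytes of value n; the etm MAC covers IV||C; the MAC is one
8-byte block; and the 'P'/'A' letters are modelled as the exceptions PaddingError and MacError raised
by decrypt(). The names AuthEncrypt, attack_cca_none, attack_mac_extension and attack_padding_oracle
are this example's own.

```python
import hashlib, os
BS = 8  # Blowfish block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 64-bit Feistel cipher (SHA-256 round function): an assumption standing in for the blowfish package.
def feistel(key, blk, rounds):
    L, R = blk[:4], blk[4:]
    for r in rounds:
        L, R = R, _xor(L, hashlib.sha256(key + bytes([r]) + R).digest()[:4])
    return R + L
def enc_block(key, blk): return feistel(key, blk, range(8))
def dec_block(key, blk): return feistel(key, blk, reversed(range(8)))  # same network, rounds reversed

class PaddingError(Exception): pass   # authencrypt.py writes 'P' to stderr
class MacError(Exception): pass       # authencrypt.py writes 'A' to stderr

def pad(m):                           # n bytes of value n, 1 <= n <= BS (assumed Section 3.7.2 scheme)
    n = BS - len(m) % BS
    return m + bytes([n]) * n
def unpad(p):
    n = p[-1] if p else 0
    if not 1 <= n <= BS or p[-n:] != bytes([n]) * n:
        raise PaddingError("P")
    return p[:-n]

def cbc_enc(key, iv, p):
    out, prev = [], iv
    for i in range(0, len(p), BS):
        prev = enc_block(key, _xor(prev, p[i:i + BS]))
        out.append(prev)
    return b"".join(out)
def cbc_dec(key, iv, c):
    out, prev = [], iv
    for i in range(0, len(c), BS):
        out.append(_xor(prev, dec_block(key, c[i:i + BS])))
        prev = c[i:i + BS]
    return b"".join(out)
def cbc_mac(key, p):                  # zero IV, last block kept; no length prefix, so extendable
    return cbc_enc(key, bytes(BS), p)[-BS:]

class AuthEncrypt:
    def __init__(self, passphrase, mode):
        self.ke = hashlib.sha256(b"enc:" + passphrase).digest()   # key derivation is an assumption
        self.km = hashlib.sha256(b"mac:" + passphrase).digest()   # distinct MAC key, as required
        self.mode = mode
    def encrypt(self, m):
        iv, p = os.urandom(BS), pad(m)
        if self.mode == "mte":
            p += cbc_mac(self.km, p)          # tag goes under the encryption
        ct = iv + cbc_enc(self.ke, iv, p)
        if self.mode == "mae":
            ct += cbc_mac(self.km, p)         # tag of the padded plaintext, sent in the clear
        elif self.mode == "etm":
            ct += cbc_mac(self.km, ct)        # tag over IV||C (assumption: IV is covered)
        return ct
    def decrypt(self, ct):
        tag = b""
        if self.mode in ("mae", "etm"):
            ct, tag = ct[:-BS], ct[-BS:]
        p = cbc_dec(self.ke, ct[:BS], ct[BS:])
        if self.mode == "mte":
            p, tag = p[:-BS], p[-BS:]
        m = unpad(p)                          # padding is checked FIRST: the deliberate flaw
        if self.mode != "none" and cbc_mac(self.km, ct if self.mode == "etm" else p) != tag:
            raise MacError("A")
        return m

# ---- Problem 2: the three attacks ----
def attack_cca_none(ae, m0, m1, ct):
    """IND-CCA on 'none': flip one IV bit, query the now-different ciphertext, undo the flip."""
    m = ae.decrypt(_xor(ct[:1], b"\x01") + ct[1:])
    return 0 if _xor(m[:1], b"\x01") + m[1:] == m0 else 1

def attack_mac_extension(m1, t1, m2, t2):
    """Tags on padded m1, m2 give tag t2 on m1 || (m2[0]^t1) || m2[1:]: the XOR cancels chaining value t1."""
    return m1 + _xor(m2[:BS], t1) + m2[BS:], t2

def attack_padding_oracle(ae, ct):
    """Decrypt mae ciphertext IV||C||T from the P/A letters: send each C_i truncated to IV'||C_i + junk tag."""
    def ok(iv, blk):                                           # False on 'P', True on 'A' (or no error)
        try: return ae.decrypt(iv + blk + bytes(BS)) is not None
        except PaddingError: return False
        except MacError: return True
    blocks, pt = [ct[i:i + BS] for i in range(0, len(ct) - BS, BS)], b""   # IV, C1..Ck; tag dropped
    for prev, cur in zip(blocks, blocks[1:]):
        dec = bytearray(BS)                   # D_k(cur), recovered right to left
        for pos in range(BS - 1, -1, -1):
            n = BS - pos                      # padding length we try to make valid
            iv = bytearray(bytes(pos + 1) + bytes(d ^ n for d in dec[pos + 1:]))
            for guess in range(256):
                iv[pos] = guess
                alt = bytearray(iv); alt[pos - 1] ^= 0xFF    # breaks a lucky 02 02 at the last byte, not 01
                if ok(bytes(iv), cur) and (pos == 0 or ok(bytes(alt), cur)):
                    dec[pos] = guess ^ n
                    break
        pt += _xor(bytes(dec), prev)
    return unpad(pt)
```

attack_padding_oracle needs about 8 x 128 oracle calls per block on average, and it works only
because decrypt() reports 'P' before it ever looks at the tag, which is exactly the check order the
assignment asks for. Swapping the two checks in decrypt() (verify the MAC first, then unpad) makes
every truncated query answer 'A' and the attack recovers nothing; attack_mac_extension is unaffected
by that swap, because its root cause is the missing length block in cbc_mac.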
Problem 3: Advanced attacks
Find two attacks against MTE or ETM.