Multi-Instance Security and its Application to Password- Based Cryptography

Size: px

Start display at page:

Download "Multi-Instance Security and its Application to Password- Based Cryptography"

Megan Douglas
5 years ago
Views:

1 Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT Joint work with Mihir Bellare (UC San Diego) Thomas Ristenpart (Univ. of Wisconsin)

2 Scenario: File encryption Want to store data in encrypted form using symmetric encryption.

3 Scenario: File encryption Want to store data in encrypted form using symmetric encryption. Keys need to be securely stored for later decryption

4 Scenario: File encryption Want to store data in encrypted form using symmetric encryption. Keys need to be securely stored for later decryption Alternative solution: Password-based cryptography.

5 Password-based encryption

6 Password-based encryption Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF),

7 Password-based encryption Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), K = Key-derivation function KDF q1w2e3

8 Password-based encryption Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), K = Key-derivation function KDF q1w2e3 PB-Encrypt(pw, M) K KDF(pw) C ENC(K, M) Return C

9 Password-based encryption Used widely: Winzip, OpenOffice, Mac OS X FileVault,TrueCrypt, WiFi WPA (PBKDF), ENC(K, M) K = Key-derivation function KDF q1w2e3 PB-Encrypt(pw, M) K KDF(pw) C ENC(K, M) Return C

10 Problem: Weak passwords are unavoidable

11 Problem: Weak passwords are unavoidable

12 Problem: Weak passwords are unavoidable

13 Mitigating dictionary attacks via iteration KDF = H c

14 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times

15 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256)

16 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C

17 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C Expectation: Work N to guess pw Work c N to break PB-Encrypt

18 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C Expectation: Work N to guess pw Work c N to break PB-Encrypt N = 2 32

19 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C Expectation: Work N to guess pw Work c N to break PB-Encrypt N = 2 32 N c = = 2 52

20 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C Expectation: Work N to guess pw Work c N to break PB-Encrypt N = 2 32 N c = = 2 52

21 Mitigating dictionary attacks via iteration KDF = H c pw H H H K c times H {0,1} {0,1} n is cryptographic hash function (e.g., SHA-256) PB-Encrypt(pw, M) K H c (pw) C ENC(K, M) Return C Expectation: Work N to guess pw Work c N to break PB-Encrypt N = 2 32 N c = = 2 52

22 PB-Encryption in the multi-user setting Real world has multiple users:

23 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) C 3 PB Encrypt(pw 3, M 3 )

24 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) C 3 PB Encrypt(pw 3, M 3 )

25 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) C 3 PB Encrypt(pw 3, M 3 )

26 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) M 1 Work c N to retrieve M 1 C 3 PB Encrypt(pw 3, M 3 )

27 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) M 1 Work c N to retrieve M 1 C 3 PB Encrypt(pw 3, M 3 )

28 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) Additional work to retrieve M 2? M 1 M 2 Work c N to retrieve M 1 C 3 PB Encrypt(pw 3, M 3 )

29 PB-Encryption in the multi-user setting Real world has multiple users: C 1 PB Encrypt(pw 1, M 1 ) C 2 PB Encrypt(pw 2, M 2 ) Additional work to retrieve M 2? M 1 M 2 Work c N to retrieve M 1 C 3 PB Encrypt(pw 3, M 3 ) Ideally: Work m c N to retrieve m plaintexts!

30 Multi-instance security amplification Not true in general:

31 Multi-instance security amplification Not true in general:

32 Multi-instance security amplification Not true in general: c times pw 1 H H H K 1

33 Multi-instance security amplification Not true in general: c times pw 1 H H H K 1 pw N H H H K N

34 Multi-instance security amplification Not true in general: c times pw 1 H H H K 1 pw N H H H K N Work N c + Work N / ciphertext = N c + m vs N c m

35 Multi-instance security amplification Not true in general: New design goal: Multi-instance c times security amplification Hardness of breaking multiple instances must increase linearly in the number of instances. pw 1 H H H K 1 pw N H H H K N Work N c + Work N / ciphertext = N c + m vs N c m

36 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack

37 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K

38 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K Randomly chosen per KDF evaluation

39 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Randomly chosen per KDF evaluation

40 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Randomly chosen per KDF evaluation

41 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Randomly chosen per KDF evaluation

42 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Randomly chosen per KDF evaluation Allows decryption

43 PKCS#5 Password-based cryptography standard Salting as suggested in PKCS#5 prevents attack KDF1: pw salt H H H K PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Randomly chosen per KDF evaluation Allows decryption Question: Does salting provably ensure multiinstance security amplification?

44 Iteration and salting in the real world No salting! No iteration!

45 Our results

46 Our results Question: Does salting provably ensure multi-instance security amplification?

47 Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know!

48 Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof!

49 Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof! 2) No formal model!

Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof! 2) No formal model!

50 Our results Question: Does salting provably ensure multi-instance security amplification? Answer: We do not really know! 1) No formal proof! 2) No formal model! Our contributions: 1) General definitional framework for multi-instance security of arbitrary cryptographic primitives. 2) Case study: Security analysis of PKCS#5 within our framework.

51 Outline 1. Multi-instance security 2. Security of PKCS#5 A case study

52 Outline 1. Multi-instance security 2. Security of PKCS#5 A case study

53 Single-instance security PB-Encryption LOR-Security b 0,1 pw PWD

54 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b )

55 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b

56 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2]

57 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2]

58 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2] PWR-Security pw PWD

59 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2] m PWR-Security pw PWD ENC(pw, m)

60 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2] m PWR-Security pw PWD pw ENC(pw, m)

61 Single-instance security PB-Encryption LOR-Security m 0, m 1 m 0 = m 1 b 0,1 pw PWD ENC(pw, m b ) b Adv lor A = 2 [Pr b = b 1 2] m PWR-Security pw PWD pw ENC(pw, m) Adv pwr A = Pr[pw = pw]

62 The multi-instance (mi) security vista Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that: instances of the scheme concurrently. Corrupts up to t < m instances of the scheme (e.g., learns passwords). Wins if it breaks P for all uncorrupted instances.

The multi-instance (mi) security vista Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that: Attacks m

63 The multi-instance (mi) security vista Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that: Attacks m instances of the scheme concurrently. Corrupts up to t < m instances of the scheme (e.g., learns passwords). Wins if it breaks P for all uncorrupted instances.

64 The multi-instance (mi) security vista < mm instances of the scheme (e.g., learns passwords). Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that: Attacks m instances of the scheme concurrently. Corrupts up to t < m instances of the scheme (e.g., learns passwords). Wins if it breaks P for all uncorrupted instances.

Our goal: Define security metric for scheme S wrt property P to measure success of an

65 The multi-instance (mi) security vista < mm instances of the scheme (e.g., learns passwords). Our goal: Define security metric for scheme S wrt property P to measure success of an adversary that: Attacks m instances of the scheme concurrently. Wins if it breaks P for all uncorrupted instances. Wins if it breaks P for all uncorrupted instances.

66 PWR security

67 PWR security pw 1 PWD pw 2 PWD pw 3 PWD

68 PWR security pw 1 PWD pw 2 PWD pw 3 PWD

69 PWR security pw 1 PWD pw 2 PWD pw 3 PWD

70 PWR security pw 1 PWD pw 2 PWD pw 3 PWD

71 PWR security (pw 1, pw 2, pw 3 ) pw 1 PWD pw 2 PWD pw 3 PWD

72 PWR security (pw 1, pw 2, pw 3 ) pw 1 PWD pw 2 PWD pw 3 PWD Adv m pwr A = Pr[pw 1 = pw 1,, pw m = pw m ]

73 LOR security b 1 0,1 pw 1 PWD b 3 0,1 pw 3 PWD b 2 0,1 pw 2 PWD

74 LOR security b 1 0,1 pw 1 PWD b 3 0,1 pw 3 PWD b 2 0,1 pw 2 PWD

75 LOR security b 1 0,1 pw 1 PWD b 3 0,1 pw 3 PWD b 2 0,1 pw 2 PWD

76 LOR security b 1 0,1 pw 1 PWD b 3 0,1 pw 3 PWD Adv m lor A =? b 2 0,1 pw 2 PWD

77 Defining mi security for encryption Attempt #1: AND-advantage

78 Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Output: b 1,, b m Advantage: Adv m lora A = Pr[ b 1,, b m = b 1,, b m ]

79 Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Output: b 1,, b m Advantage: Adv m lora A = Pr[ b 1,, b m = b 1,, b m ] Problem: Does not measure hardness of winning all uncorrupted instances.

80 Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Output: b 1,, b m Advantage: Adv m lora A = Pr[ b 1,, b m = b 1,, b m ] Problem: Does not measure hardness of winning all uncorrupted instances. Reason: If adversary with Pr[b 1 = b 1 ] > 3/4 Then adversary guessing second bit at random, with Pr b 1, b 2 = b 1, b 2 > = 3/8

hardness of winning all uncorrupted instances.

81 Defining mi security for encryption Attempt #1: AND-advantage LORA-security: Output: b 1,, b m Advantage: Adv m lora A = Pr[ b 1,, b m = b 1,, b m ] Problem: Does not measure hardness of winning all uncorrupted instances. Reason: If adversary with Pr[b 1 = b 1 ] > 3/4 Then adversary guessing second bit at random, with Pr b 1, b 2 = b 1, b 2 > = 3/8

82 Defining mi security for encryption Attempt #2: XOR-advantage

83 Defining mi security for encryption Attempt #2: XOR-advantage LORX-security: Output: b Advantage: Adv m lorx A = 2 Pr b = b 1 b m 1/2

84 Defining mi security for encryption Attempt #2: XOR-advantage LORX-security: Output: b Advantage: Adv m lorx A = 2 Pr b = b 1 b m 1/2 Reason: If adversary with Pr b = b 1 > 1 + ε 2 Then: Adversary guessing second bit has no advantage Pr b = b 1 b 2 = 1 2

85 Mi security notions Relations m-lorx m-lora m-pwr

86 Mi security notions Relations m-lorx (1) m-lora m-pwr

87 Mi security notions Relations m-lorx (1) m-lora m-pwr

88 Mi security notions Relations m-lorx (1) m-lora m-pwr 1) Holds in most cases proof relies on probabilistic lemma from [U09].

89 Mi security notions Relations m-lorx (1) m-lora (2) m-pwr 1) Holds in most cases proof relies on probabilistic lemma from [U09].

90 Mi security notions Relations m-lorx (1) m-lora (2) m-pwr 1) Holds in most cases proof relies on probabilistic lemma from [U09]. 2) Very loose asymptotic implication based on Goldreich- Levin Theorem [GL89]

91 Relations LOR vs ROR m 0, m 1 b 0,1 pw PWD LOR-Security ENC(pw, m b ) b m 0 b 0,1 m 1 M pw PWD ROR-Security ENC(pw, m b ) b

92 Relations LOR vs ROR

93 Relations LOR vs ROR Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t

94 Relations LOR vs ROR Hybrid argument Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t

95 Relations LOR vs ROR Hybrid argument Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t L R L $ + $ R

96 Relations LOR vs ROR Hybrid argument Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t L R L $ + $ R Mi setting with m instances: Adv m rorx t Adv m lorx t 2 m Adv m rorx t

97 Relations LOR vs ROR Hybrid argument Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t L R L $ + $ R Mi setting with m instances: Adv m rorx t Adv m lorx t 2 m Adv m rorx t L R L $ $ R + L R L $ L $ + $ R $ R + L $ $ R

98 Relations LOR vs ROR Hybrid argument Classical textbook theorem. Adv ror t Adv lor t 2 Adv ror t L R L $ + $ R Tight! Mi setting with m instances: Adv m rorx t Adv m lorx t 2 m Adv m rorx t L R L $ $ R + L R L $ L $ + $ R $ R + L $ $ R

99 Outline 1. Multi-instance security 2. Security of PKCS#5 A case study

100 Outline 1. Multi-instance security 2. Security of PKCS#5 A case study

101 PKCS#5 Defining KDF Security

102 PKCS#5 Defining KDF Security Question: Does salting provably ensures multiinstance security amplification? YES!

103 PKCS#5 Defining KDF Security Question: Does salting provably ensures multiinstance security amplification? YES! pw salt H H H K

104 PKCS#5 Defining KDF Security Question: Does salting provably ensures multiinstance security amplification? YES! pw salt H H H K Main step: Security analysis of KDF1 for case H = RO.

105 KDF Security in the ROM KDF satisfies indifferentiability-like poperty [MRH04] Sim password distributions: Left Right pw 1 sa 1,, pw m sa m pw 1 sa 1,, pw m sa m KDF1 RO Test Sim K 1,, K m K 1,, K m 0/1 0/1

106 KDF Security in the ROM KDF satisfies indifferentiability-like poperty [MRH04] Sim password distributions: Left Right pw 1 sa 1,, pw m sa m pw 1 sa 1,, pw m sa m KDF1 RO Test Sim K 1,, K m q queries K 1,, K m q queries 0/1 0/1

107 KDF Security in the ROM KDF satisfies indifferentiability-like poperty [MRH04] Sim password distributions: Left Right pw 1 sa 1,, pw m sa m pw 1 sa 1,, pw m sa m KDF1 RO Test Sim K 1,, K m q queries K 1,, K m q queries 0/1 0/1

108 Final result: Security of PB-Encrypt Question: Does salting deliver multi-instance security amplification for PKCS#5? PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Theorem: A making q RO queries, B such that m rorx q Adv PB Encrypt A < mcn + m Adv ror ENC B + q 2 2 n + q 2 2 s

109 Final result: Security of PB-Encrypt Question: Does salting deliver multi-instance security amplification for PKCS#5? PB-Encrypt(pw, M) salt {0,1} s K H c (pw salt) C ENC(K, M) Return C salt Theorem: A making q RO queries, B such that m rorx q Adv PB Encrypt A < mcn + m Adv ror ENC B + q 2 2 n + q 2 2 s Work m c N to break encryption (RO queries)

110 Concluding Remarks Summary:

111 Concluding Remarks Summary: The world has multiple users

112 Concluding Remarks Summary: The world has multiple users Weak individual instances sometimes unavoidable

113 Concluding Remarks Summary: The world has multiple users Weak individual instances sometimes unavoidable Mi security as a second line of defense

114 Concluding Remarks Summary: The world has multiple users Weak individual instances sometimes unavoidable Mi security as a second line of defense Interesting technical questions

115 Concluding Remarks Summary: The world has multiple users Weak individual instances sometimes unavoidable Mi security as a second line of defense Interesting technical questions First security analysis of PKCS#5 in the mi setting

116 Concluding Remarks Summary: The world has multiple users Weak individual instances sometimes unavoidable Mi security as a second line of defense Interesting technical questions First security analysis of PKCS#5 in the mi setting Thank you!

Eliminating Random Permutation Oracles in the Even-Mansour Cipher. Zulfikar Ramzan. Joint work w/ Craig Gentry. DoCoMo Labs USA

Eliminating Random Permutation Oracles in the Even-Mansour Cipher Zulfikar Ramzan Joint work w/ Craig Gentry DoCoMo Labs USA ASIACRYPT 2004 Outline Even-Mansour work and open problems. Main contributions