
Crypto Concepts

Symmetric Encryption

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“Al.I.Cuza” University of Iaşi
Iaşi 700506, Romania
e-mail: ferucio.tiplea@uaic.ro

Fall 2020
Outline

Computational security

Symmetric encryption

Security models

Stream ciphers

Block ciphers and modes of encryption


Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 3 / 55


Computational security Symmetric encryption Security models Stream ciphers Block ciphers and modes of encryption

Computational security
1. Perfect security is impractical: keys must be as long as messages
2. We would like to securely encrypt arbitrarily long messages using short keys
3. How? Relax the security requirements:
3.1 Consider only adversaries that use a reasonable amount of resources
3.2 Consider a weaker notion of security such as concrete security or asymptotic security
4. Concrete security: a scheme is (t, ε)-secure if every adversary running for time at most t succeeds in breaking the scheme with probability at most ε
5. Asymptotic security: a scheme is secure if every PPT adversary succeeds in breaking the scheme with only negligible probability


Computational security
1. We follow the asymptotic security approach

2. Adversary: PPT algorithm


3. Security parameter λ: used to measure the input size of the computational problem, and with it
3.1 the resource requirements of the cryptographic algorithm or protocol
3.2 the running time of the adversary as well as its success probability

4. Keys, messages, ciphertexts:


4.1 K denotes a set of keys

4.2 M denotes a set of (plain) messages, also called plaintexts

4.3 C denotes a set of ciphertexts


Symmetric encryption
Definition 1
A symmetric key encryption (SKE) scheme over (K, M, C) is a triple of
algorithms S = (G, E, D) such that:
1. G is a PPT algorithm, called the key generation algorithm, which
outputs a key K ∈ K when invoked on a security parameter λ;
2. E is a PPT algorithm, called the encryption algorithm, which outputs
a ciphertext c ∈ C when invoked on a key K and a message m ∈ M;
3. D is a deterministic PT algorithm, called the decryption algorithm,
which outputs a message m ∈ M or a special symbol ⊥ (denoting
failure) when invoked on a key K and a ciphertext c.

Soundness (correctness): for all λ and all m ∈ M,

K ← G(λ) ∧ c ← E(K, m) ⇒ D(K, c) = m


Symmetric encryption
1. The complexity of G is measured w.r.t. the input λ
2. The complexity of E (resp. D) is measured w.r.t. |K| + |m| (resp. |K| + |c|). The key size is polynomial in λ, but |m| (resp. |c|) might not be
3. We will generally consider encryption/decryption of messages of length polynomial in λ. As a result, all algorithms will run in time polynomial in λ
4. When E is defined only for messages of length ℓ(λ), for some polynomial ℓ, we say that the encryption scheme is a fixed-length private-key encryption scheme with length parameter ℓ


Symmetric encryption
Terminology, notation, remarks:
1. Symmetric key encryption: the encryption key is also the decryption key
2. Symmetric key encryption is also called private-key encryption. When two parties want to use an SKE scheme, it is assumed they are in possession of the same key K
3. The encryption algorithm may be stateful: it maintains a state, initialized in some pre-defined way, and computes the ciphertext based on the key, the message, and its current state. If no state is maintained, the algorithm is called stateless
4. Stateful encryption algorithms are rare in practice. Randomized ones are not: a stateless deterministic scheme encrypts equal messages to equal ciphertexts, so it cannot reach the IND-CPA security defined below (compare the ECB and DCTR modes later in this lecture), and the schemes used in practice draw a fresh random IV or counter for every message


Examples of attacks
Attacks frequently met in practice:
• Brute-force attack
• Denial of service attack
• Man-in-the-middle attack
• Meet-in-the-middle attack
• Frequency analysis attack
• Power analysis attack
• Timing attack
• Replay attack
• Birthday attack
• Dictionary attack


Security models
Definition 2
A security model is a pair consisting of a security goal and an attack
model.

Standard security goals:


1. Semantic security (SS)
2. Indistinguishability (IND)
3. Non-malleability (NM)

Standard attack models:


1. Chosen plaintext attack (CPA)
2. Non-adaptive chosen ciphertext attack (CCA1)
3. Adaptive chosen ciphertext attack (CCA2)


Security goals
1. Semantic security
1.1 Proposed by Goldwasser and Micali in 1982, it was the first definition
of security for encryption
1.2 It formalizes the fact that no adversary can obtain any partial
information about the message of a given ciphertext (whatever can
efficiently be computed about a message from its ciphertext can also
be computed without the ciphertext)
1.3 It is a “polynomially bounded” version of the concept of perfect
secrecy introduced by Shannon in 1949
1.4 It is complex and difficult to work with
2. Indistinguishability is an equivalent definition to semantic security which is somewhat simpler to work with
3. Non-malleability means that, given a ciphertext c of some message m, no efficient adversary can construct another ciphertext c′ of some message m′ meaningfully related to m


Attack models
Some common attack models are:
1. Passive attacks:
1.1 Ciphertext-only attack (COA): A has access only to ciphertexts
1.2 Known plaintext attack (KPA): A knows pairs (plaintext, ciphertext)
2. Active attacks:
2.1 Chosen plaintext attack (CPA): A has access to an encryption oracle (for public-key encryption this comes for free, since the encryption key is public)
2.2 Non-adaptive chosen ciphertext attack (CCA1): A has, in addition to the ability of a CPA adversary, access to a decryption oracle before the challenge phase
2.3 Adaptive chosen ciphertext attack (CCA2): A has, in addition to the ability of a CCA1 adversary, access to the decryption oracle after the challenge phase. However, no decryption query is allowed on the challenge ciphertext itself


Relationships among security models


By combining a security goal X with an attack model Y , we obtain a
security model X -Y . A few remarks on these combinations are in order:
1. Indistinguishability against ciphertext-only attacks IND-COA (also
called indistinguishability in the presence of an eavesdropper) is the
weakest form of security where the adversary can only eavesdrop on
ciphertexts
2. A stronger form of security, required for any reasonable encryption
scheme, is the indistinguishability against known plaintext attack
IND-KPA (also called indistinguishability under multiple encryption
attack)
3. We will mainly focus on security models where the adversary is
active and not only passive as in COA or KPA


Security models
The diagram below only aims to give a picture of the relationships between the security models introduced so far (an arrow means an implication; ⇔ means equivalence). Some of these relationships are far from trivial.

NM-CPA  ⇐  NM-CCA1  ⇐  NM-CCA2
  ⇓          ⇓          ⇕
IND-CPA ⇐  IND-CCA1 ⇐  IND-CCA2
  ⇕          ⇕          ⇕
SS-CPA  ⇐  SS-CCA1  ⇐  SS-CCA2

Figure: Relationships among security models (non-malleability implies indistinguishability under the same attack model; indistinguishability and semantic security are equivalent under the same attack model; CCA2 implies CCA1 implies CPA; NM-CCA2 and IND-CCA2 are equivalent)


IND-COA security games

Experiment PrivK^{ind-coa-b}_{A,S}(λ), where b ∈ {0, 1}
1: The challenger generates a key K ← G(λ)
2: The adversary A submits a pair (m0, m1) ∈ M² with |m0| = |m1|
3: The challenger computes c ← E(K, m_b) and sends it to A
4: The adversary outputs a bit b′ ∈ {0, 1}
5: Return b′.

Remark 3
P(PrivK^{ind-coa-b}_{A,S}(λ) = b′) is the probability that PrivK^{ind-coa-b}_{A,S}(λ) returns b′, which is also the probability that A returns b′ in this experiment. The probability is taken over the internal coin tosses of all algorithms!


IND-KPA security games

Experiment PrivK^{ind-kpa-b}_{A,S}(λ), where b ∈ {0, 1}
1: The challenger generates a key K ← G(λ)
2: The adversary A submits a sequence of pairs (m0^1, m1^1), ..., (m0^ℓ, m1^ℓ) ∈ (M²)^ℓ with |m0^i| = |m1^i| for all i
3: The challenger computes c^i ← E(K, m_b^i) for all i and sends c^1, ..., c^ℓ to A
4: The adversary outputs a bit b′ ∈ {0, 1}
5: Return b′.

Remark 4
P(PrivK^{ind-kpa-b}_{A,S}(λ) = b′) is the probability that PrivK^{ind-kpa-b}_{A,S}(λ) returns b′, which is also the probability that A returns b′ in this experiment. The probability is taken over the internal coin tosses of all algorithms!


IND-CPA security games

Experiment PrivK^{ind-cpa-b}_{A,S}(λ), where b ∈ {0, 1}
1: The challenger generates a key K ← G(λ)
2: Repeat the following two steps a polynomial number of times
– A submits a pair (m0, m1) ∈ M² with |m0| = |m1|
– The challenger computes c ← E(K, m_b) and sends it to A
3: The adversary outputs a bit b′ ∈ {0, 1}
4: Return b′.

Remark 5
P(PrivK^{ind-cpa-b}_{A,S}(λ) = b′) is the probability that PrivK^{ind-cpa-b}_{A,S}(λ) returns b′, which is also the probability that A returns b′ in this experiment. The probability is taken over the internal coin tosses of all algorithms!


IND-XXX security
Definition 6
An SKE scheme S is IND-XXX secure, where XXX ∈ {COA, KPA, CPA}, if

|P(PrivK^{ind-xxx-0}_{A,S}(λ) = 1) − P(PrivK^{ind-xxx-1}_{A,S}(λ) = 1)|

is negligible, for all PPT algorithms A.


IND-XXX security: bit guessing version

Consider XXX = CPA (similar for the other cases)

Experiment PrivK^{ind-cpa}_{A,S}(λ)
1: The challenger generates a key K ← G(λ)
2: Access to the encryption oracle: repeat the following two steps a polynomial number of times
– A submits a query m ∈ M to the challenger
– The challenger computes c ← E(K, m) and sends it to A
3: Challenge:
– A sends a pair (m0, m1) ∈ M² with |m0| = |m1|
– The challenger generates a bit b ← {0, 1}, computes c ← E(K, m_b), and sends c to A
4: Access to the encryption oracle: A has access to the encryption oracle (as above) for messages different from m0 and m1
5: Guess: The adversary outputs a bit b′ ∈ {0, 1}
6: If b′ = b then return 1 else return 0

IND-XXX security: bit guessing version


Consider XXX = CPA (similar for the other cases)
Definition 7
The IND-CPA advantage of A with respect to the SKE scheme S is

Adv^{ind-cpa}_{A,S}(λ) = |P(PrivK^{ind-cpa}_{A,S}(λ) = 1) − 1/2|

Proposition 8
For any SKE scheme S and any PPT adversary A, the following property holds:

Adv^{ind-cpa}_{A,S}(λ) = (1/2) · |P(PrivK^{ind-cpa-0}_{A,S}(λ) = 1) − P(PrivK^{ind-cpa-1}_{A,S}(λ) = 1)|

(Indeed, writing p_b for the probability that A outputs 1 when the challenge bit is b, the bit-guessing experiment returns 1 with probability (1 − p_0)/2 + p_1/2 = 1/2 + (p_1 − p_0)/2.)
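The bit-guessing experiment can be played mechanically. The following is an added example, not part of the lecture: a Python harness that runs PrivK^{ind-cpa} between a challenger and an adversary. The PRF F_K is instantiated as HMAC-SHA256 (treating HMAC-SHA256 as a PRF candidate is an assumption of the example), and two toy schemes are compared: a deterministic one, E(K, m) = m ⊕ F_K(0), and a randomized one, E(K, m) = (r, m ⊕ F_K(r)). The adversary queries the oracle on m0 before the challenge and compares the answer with the challenge ciphertext; against the deterministic scheme it wins every run (advantage 1/2, the maximum), against the randomized one it does no better than guessing.

```python
import hashlib
import hmac
import os
import random

N = 16  # length in bytes of messages and PRF outputs (toy parameter)


def prf(key: bytes, x: bytes) -> bytes:
    """F_K(x): HMAC-SHA256 truncated to N bytes, assumed to behave as a PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicScheme:
    """E(K, m) = m XOR F_K(0): stateless and deterministic (a one-block DCTR)."""

    def keygen(self) -> bytes:
        return os.urandom(N)

    def encrypt(self, key: bytes, m: bytes) -> bytes:
        return xor(m, prf(key, b"\x00" * N))


class RandomizedScheme:
    """E(K, m) = (r, m XOR F_K(r)) for a fresh random r (one block of CTR mode)."""

    def keygen(self) -> bytes:
        return os.urandom(N)

    def encrypt(self, key: bytes, m: bytes) -> bytes:
        r = os.urandom(N)
        return r + xor(m, prf(key, r))


class EqualityAdversary:
    """Queries m0 before the challenge (step 2), then guesses 0 iff the
    challenge ciphertext equals the oracle's answer for m0 (step 5)."""

    def choose(self, oracle):
        self.m0, self.m1 = b"\x00" * N, b"\xff" * N
        self.c0 = oracle(self.m0)
        return self.m0, self.m1

    def guess(self, oracle, c: bytes) -> int:
        return 0 if c == self.c0 else 1


def ind_cpa_experiment(scheme, adversary, rng: random.Random) -> int:
    """One run of PrivK^{ind-cpa}_{A,S}: returns 1 iff the guess b' equals b."""
    key = scheme.keygen()
    oracle = lambda m: scheme.encrypt(key, m)
    m0, m1 = adversary.choose(oracle)
    assert len(m0) == len(m1)
    b = rng.randrange(2)                   # the challenger's hidden bit
    c = scheme.encrypt(key, (m0, m1)[b])
    return int(adversary.guess(oracle, c) == b)


def estimate_advantage(scheme, adversary_factory, trials: int = 4000, seed: int = 0) -> float:
    """Empirical P(experiment returns 1) - 1/2 over `trials` runs; the challenge
    bits come from a seeded generator so the estimate is reproducible."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_experiment(scheme, adversary_factory(), rng) for _ in range(trials))
    return wins / trials - 0.5


if __name__ == "__main__":
    print("deterministic:", estimate_advantage(DeterministicScheme(), EqualityAdversary))
    print("randomized:   ", estimate_advantage(RandomizedScheme(), EqualityAdversary))
```

The harness is the experiment of the previous slide written out: `choose` is the pre-challenge oracle phase plus the challenge pair, `guess` is the guessing phase, and the advantage is estimated by repetition instead of computed exactly.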


Stream ciphers
Main characteristics of a stream cipher:
• The message is viewed as a sequence of blocks (also called characters) of a very limited size, that can efficiently be enumerated in practice (e.g., bits or bytes)
• The secret key is expanded to a keystream of the same length as the message by a keystream generator initially seeded with the secret key
• Encryption is character-driven: each message character is combined (typically XORed) with the corresponding keystream character
• The OTP may be regarded as a stream cipher, but a quite impractical one (its keystream is the key itself)


Stream ciphers

Figure: Pictorial view of a stream cipher (the keystream generator, seeded with the encryption key K, feeds a keystream to the encryptor, which combines it bit by bit with the message to produce the ciphertext)


PRG as keystream generators

Description 9 (Stream cipher from PRG)

Let G be a PRG with expansion factor ℓ. Define an SKE scheme S(G) = (G, E, D) over ({0, 1}^λ, {0, 1}^{ℓ(λ)}, {0, 1}^{ℓ(λ)}) by:
1. G(λ): output K ← {0, 1}^λ
2. E(K, m): output c = m ⊕ G(K)
3. D(K, c): output m = c ⊕ G(K)

Theorem 10
The SKE scheme in Description 9 is IND-COA secure (provided that G is a PRG). It is a one-time scheme: the next slide shows that it is broken as soon as the same key is used twice.


Stream ciphers: using the same key twice

Using the same key twice:
• If c1 = m1 ⊕ G(K) and c2 = m2 ⊕ G(K), then c1 ⊕ c2 = m1 ⊕ m2
• Natural language text contains enough redundancy to allow the adversary to recover m1 and m2 from c1 ⊕ c2 (and any known part of one message directly reveals the corresponding part of the other)

Real scenarios:
• Microsoft's implementation of PPTP in Windows NT uses RC4. Its original implementation used the same key to encrypt messages from A to B and from B to A (see ScMu1998.pdf on the course site)
• Microsoft used RC4 to protect Word and Excel documents. When an encrypted document was modified and saved, the same key was reused (see Wu2005.pdf on the course site)

Never use the same key to encrypt more than one message with a stream cipher!

Stream ciphers: malleability

Malleability:
• From an encryption c = m ⊕ G(K) of m one can simply obtain an encryption of m ⊕ m′ by computing c′ = c ⊕ m′

Real scenarios:
• Assume that the adversary knows a prefix m1 of m (m1 might be a standard header filled with someone's address, name, etc.)
• The adversary wants to replace m1 by m2 (m2 might be a header filled with information of his choice, of the same length as m1)
• The adversary computes c ⊕ ((m1 ⊕ m2) ‖ 0 ··· 0) (zeros up to the length of c) and obtains a valid encryption of m2 ‖ (rest of m), without knowing K

Stream ciphers do not guarantee integrity!
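The two attacks above (keystream reuse and header forgery), carried out against the stream cipher of Description 9, as an added example that is not part of the lecture. G is instantiated as HMAC-SHA256 in counter mode, F_K(1) ‖ F_K(2) ‖ ···, which the example assumes to be a PRG (it is the DCTR expansion met later in the lecture); the key and the two same-length payment orders are constructed sample data.

```python
import hashlib
import hmac


def prg(seed: bytes, nbytes: int) -> bytes:
    """G(K) = F_K(1) || F_K(2) || ... truncated to nbytes, with F = HMAC-SHA256
    (assumed to be a PRG for the purpose of the example)."""
    out, counter = b"", 1
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes) -> bytes:
    """E(K, m) = m XOR G(K); decryption is the same operation."""
    return xor(m, prg(key, len(m)))


decrypt = encrypt

# Constructed sample data: one key reused for two payment orders of equal length.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
M1 = b"TO: ALICE  PAY 100"
M2 = b"TO: BOB    PAY 999"


def recover_from_reuse(c1: bytes, c2: bytes, crib: bytes, position: int) -> bytes:
    """Two-time pad: c1 XOR c2 = m1 XOR m2, so a known segment (crib) of m1 at
    `position` reveals the segment of m2 at the same position."""
    diff = xor(c1, c2)
    return xor(diff[position:position + len(crib)], crib)


def forge_prefix(c: bytes, known_prefix: bytes, new_prefix: bytes) -> bytes:
    """Malleability: c XOR ((m1 XOR m2) || 0...0) is a valid encryption of
    new_prefix || rest-of-message, computed without the key."""
    assert len(known_prefix) == len(new_prefix)
    delta = xor(known_prefix, new_prefix) + b"\x00" * (len(c) - len(known_prefix))
    return xor(c, delta)


def demo_reuse() -> bytes:
    """An eavesdropper who knows M1 reads M2 from the XOR of the two ciphertexts."""
    c1, c2 = encrypt(KEY, M1), encrypt(KEY, M2)
    return recover_from_reuse(c1, c2, M1, 0)


def demo_forge() -> bytes:
    """An attacker rewrites the recipient field of an intercepted ciphertext;
    the return value is what the legitimate receiver decrypts."""
    c = encrypt(KEY, M1)
    forged = forge_prefix(c, b"TO: ALICE ", b"TO: EVE   ")
    return decrypt(KEY, forged)
```

`demo_reuse` needs the whole of M1 only because the sample is short; with natural-language traffic a few known words suffice, and the recovered fragment of M2 in turn serves as a crib against M1.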


The stream cipher RC4

1. RC4: designed by Ronald Rivest in 1987
2. Kept as a commercial secret until 1994 (when it was disclosed)
3. The keystream generator works as a finite automaton with outputs: from the initial state (0, 0, S_0) it moves through the states (i_1, j_1, S_1), (i_2, j_2, S_2), ..., emitting one keystream byte Z_1, Z_2, ... at each step (S_t is a permutation of {0, ..., 255} and i_t, j_t are byte indices)
4. RC4 encryption: on an n-byte message m = m1 ··· mn, the generator RC4gen(K) outputs an n-byte keystream Z1 ··· Zn. The ciphertext is c = (m1 ⊕ Z1) ··· (mn ⊕ Zn)
5. RC4 decryption: on an n-byte ciphertext c = c1 ··· cn, the generator RC4gen(K) outputs an n-byte keystream Z1 ··· Zn. The message is m = (c1 ⊕ Z1) ··· (cn ⊕ Zn)


RC4 in practice
1. RC4 is suited for software implementations
2. RC4 was used in a large variety of applications: SSL/TLS, WEP, WPA, MS-PPTP etc.
3. Recent results have shown that the RC4gen output is biased (see ABPPS2013.pdf on the course site):
3.1 (Mantin & Shamir, 2001) P(Z_2 = 0x00) ≈ 1/128, twice the value 1/256 expected of a uniform byte
3.2 (Gupta et al., 2012) P(Z_r = 0x00) ≈ 1/256 + c_r/256² for 3 ≤ r ≤ 255, where c_3 = 0.351089 and 0.242811 ≤ c_r ≤ 1.337057 for r ≥ 4
4. Several other variants of RC4 have been proposed: RC4A, VMPC, RC4+, Spritz


The stream cipher CSS

1. CSS = Content Scrambling System
2. It is based on two LFSRs: one of length 17 with the feedback function f1(x0, ..., x16) = x0 ⊕ x14, and the other of length 25 with the feedback function f2(x0, ..., x24) = x0 ⊕ x3 ⊕ x4 ⊕ x12
3. The keystream generator runs the two LFSRs in parallel and combines their outputs by addition modulo 256 (the Trans algorithm)
4. The initial state of the keystream generator is prepared from a given 40-bit secret key (the Init algorithm)
5. Encryption by CSS works by XOR-ing the plaintext with the keystream


CSS in practice
1. It was designed in the mid-1990s for preventing unauthorized duplication of DVDs
2. CSS can be brute-force attacked in time 2^40 (the seed space size)
3. Faster attack to recover the seed: time 2^16 (Stevenson, 1999)


Other practical stream ciphers

1. A5/1, A5/2, A5/3 stream ciphers for GSM encryption
1.1 A5/1 is based on three LFSRs (A5/2 adds a fourth LFSR; A5/3 is built on the KASUMI block cipher)
1.2 All have been cryptanalysed by several researchers (see BaBK2006.pdf on the course site)
2. E0 stream cipher for Bluetooth encryption
2.1 It is based on four LFSRs of length 25, 31, 33, and 39 bits (total length = 128 bits)
2.2 The most efficient cryptanalysis requires the first 24 bits of 2^23.8 frames (a frame is 2745 bits long) and 2^38 computations to recover the key (LuMV2005.pdf on the course site)
3. Salsa20, designed by Bernstein in 2005
4. ChaCha, designed by Bernstein in 2008


Block ciphers
A widely used method to encrypt a message is the following:
1. View the message as a sequence of blocks of a larger size (e.g., 64 or 128 bits), so that enumerating all possible blocks is infeasible in practice
2. Encrypt each message block into a ciphertext block, iterating over the blocks of the message

Remark 11
1. The encryption of a message block into another block is done by families of permutations (i.e., block ciphers) or families of functions
2. The iteration method is crucial and it is called the mode of operation
3. In the encryption process of a message block, the encryption key is expanded to a fixed number of round keys


Block ciphers

Figure: Pictorial view of a block cipher. The key expansion algorithm derives the round keys K1, K2, ..., Kn from K; the message block m passes through an initial transformation Ti, the round transformations TK1, TK2, ..., TKn, and a final transformation Tf, which outputs the ciphertext block c.

Notation:
1. Ti = initial transformation
2. Tf = final transformation
3. TKi = transformation induced by Ki, 1 ≤ i ≤ n

DES block cipher

1. K = M = C = {0, 1}^64 (only 56 of the 64 key bits are used; the other 8 are parity bits, which is why DES is also described with a 56-bit key space)
2. for any key K,

e_K = P0^{−1} ∘ Rev ∘ T_{K16} ∘ ··· ∘ T_{K1} ∘ P0

and

d_K = P0^{−1} ∘ Rev ∘ T_{K1} ∘ ··· ∘ T_{K16} ∘ P0,

where K1, ..., K16 are the round keys derived from K, P0 is the initial permutation, and Rev swaps the two halves of the block. Decryption is the same computation with the round keys in reverse order.


AES block cipher

• M = C = M_{4×m}(Z_2^8), where m ∈ {4, 6, 8} (4×m matrices of bytes, i.e., 128-, 192-, or 256-bit blocks)
• K = M_{4×k}(Z_2^8), where k ∈ {4, 6, 8} (128-, 192-, or 256-bit keys)
• For any K ∈ K,

e_K = T^f_{Kn} ∘ T_{Kn−1} ∘ ··· ∘ T_{K1} ∘ T^i_{K0}

and

d_K = T^{−f}_{K0} ∘ T^{−1}_{K1} ∘ ··· ∘ T^{−1}_{Kn−1} ∘ T^i_{Kn}

where K0, ..., Kn are the round keys derived from K, T^i is the initial transformation, T^f the final one, and T^{−1}, T^{−f} their inverses
• The number n of rounds depends on the key and message block length:

      m=4   m=6   m=8
k=4    10    12    14
k=6    12    12    14
k=8    14    14    14

(The AES standard fixes m = 4, i.e., a 128-bit block; the full table is that of Rijndael.)


Families of functions
1. A pseudo-random function is a family of functions with the property that if we randomly choose a function from this family then its input-output behavior is computationally indistinguishable from that of a random function
2. Family of functions from {0, 1}^{ℓ1(n)} to {0, 1}^{ℓ2(n)}, where ℓ1 and ℓ2 are polynomials with positive values:
2.1 F_{ℓ1,ℓ2,n}: random variable with values in ({0, 1}^{ℓ1(n)} → {0, 1}^{ℓ2(n)})
2.2 F_{ℓ1,ℓ2} = (F_{ℓ1,ℓ2,n})_{n∈N}
3. Special cases:
3.1 H_{ℓ1,ℓ2} = (H_{ℓ1,ℓ2,n})_{n∈N} is the uniform distribution (on all functions from {0, 1}^{ℓ1(n)} to {0, 1}^{ℓ2(n)}, n ∈ N)
3.2 H′_ℓ = (H′_{ℓ,n})_{n∈N} is the uniform distribution on all permutations on {0, 1}^{ℓ(n)}, n ∈ N

We will omit the subscript "ℓ1, ℓ2" or "ℓ" whenever these polynomials are clear from context

Algorithms with oracle access to a function

Given a function f : {0, 1}^{ℓ1(n)} → {0, 1}^{ℓ2(n)}, the notation A^f signifies an algorithm that has oracle access to the function f in the following sense:
1. The algorithm can adaptively query an oracle for f, in the sense that on an input x it gets back f(x)
2. The algorithm has only a "black-box" (input-output) view of f, in the sense that it does not know how the function f is evaluated

Figure: A^f sends queries x, x′, ... to the oracle and receives f(x), f(x′), ... in return; only the oracle holds f.


Oracle indistinguishability
We use A^∘ to denote algorithms with oracle access to functions; A^f is an instantiation of the oracle by f.

Definition 12 (Oracle indistinguishability)

Two families F and G of functions from {0, 1}^{ℓ1(n)} to {0, 1}^{ℓ2(n)} are called computationally indistinguishable if, for any PPT algorithm A^∘ with oracle access to functions from {0, 1}^{ℓ1(n)} to {0, 1}^{ℓ2(n)}, its advantage

Adv^{prf}_{A^∘,F,G}(n) = |P(1 ← A^f(1^n) : f ← F_{ℓ1,ℓ2,n}) − P(1 ← A^f(1^n) : f ← G_{ℓ1,ℓ2,n})|

is negligible.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 41 / 55


Computational security Symmetric encryption Security models Stream ciphers Block ciphers and modes of encryption

Pseudo-random functions
Definition 13 (Pseudo-random function)
A set of functions

F = {f_K : {0, 1}^{ℓ1(|K|)} → {0, 1}^{ℓ2(|K|)} | K ∈ {0, 1}*}

is called pseudo-random if it is:
1. Efficiently computable: there exists a deterministic polynomial-time algorithm that on input K ∈ {0, 1}* and x ∈ {0, 1}^{ℓ1(|K|)} returns f_K(x);
2. Pseudo-random: the family F = (F_n)_{n∈N}, where F_n is a random variable uniformly distributed over (the multi-set) {f_K ∈ F | |K| = n}, is computationally indistinguishable from H_{ℓ1,ℓ2}.


Weak pseudo-random permutations

Definition 14 (Weak pseudo-random permutation (weak PRP))
A set of permutations

P = {f_K : {0, 1}^{ℓ(|K|)} → {0, 1}^{ℓ(|K|)} | K ∈ {0, 1}*}

is called a weak pseudo-random permutation if it is:
1. Efficiently computable:
1.1 there exists a deterministic polynomial-time algorithm that on input K ∈ {0, 1}* and x ∈ {0, 1}^{ℓ(|K|)} returns f_K(x);
1.2 there exists a deterministic polynomial-time algorithm that on input K ∈ {0, 1}* and y ∈ {0, 1}^{ℓ(|K|)} returns f_K^{−1}(y);
2. Pseudo-random: the family P = (P_n)_{n∈N}, where P_n is a random variable uniformly distributed over (the multi-set) {f_K ∈ P | |K| = n}, is computationally indistinguishable from H′_ℓ (by PPT algorithms with oracle access to f only, as in Definition 12).


Strong pseudo-random permutations

Definition 15 (Strong pseudo-random permutation (strong PRP))
A set of permutations

P = {f_K : {0, 1}^{ℓ(|K|)} → {0, 1}^{ℓ(|K|)} | K ∈ {0, 1}*}

is called a strong pseudo-random permutation if it is:
1. Efficiently computable:
1.1 there exists a deterministic polynomial-time algorithm that on input K ∈ {0, 1}* and x ∈ {0, 1}^{ℓ(|K|)} returns f_K(x);
1.2 there exists a deterministic polynomial-time algorithm that on input K ∈ {0, 1}* and y ∈ {0, 1}^{ℓ(|K|)} returns f_K^{−1}(y);
2. Pseudo-random: the family P = (P_n)_{n∈N}, where P_n is a random variable uniformly distributed over (the multi-set) {f_K ∈ P | |K| = n}, is computationally indistinguishable from H′_ℓ by PPT algorithms that have oracle access to both f and f^{−1}.


Pseudo-random permutations
Remark 16
1. Strong PRPs are simply referred to as PRPs
2. PRPs are sometimes called block ciphers

Example 17 (PRP candidates)
1. DES: {0, 1}^56 × {0, 1}^64 → {0, 1}^64
2. 3DES: {0, 1}^168 × {0, 1}^64 → {0, 1}^64
3. AES-128: {0, 1}^128 × {0, 1}^128 → {0, 1}^128


Electronic Codebook (ECB)

F = (F_n)_{n∈N} is a PRP

Figure: ECB mode. Each message block is encrypted independently, c_i = F_K(m_i) for 1 ≤ i ≤ ℓ; the ciphertext is c_1 ··· c_ℓ.

Theorem 18
ECB is not IND-KPA secure.

Proof.
m_i = m_j ⇒ c_i = c_j. Concretely, A submits the pairs (m, m) and (m, m′) for two distinct single blocks m ≠ m′, receives c^1 and c^2, and outputs 0 iff c^1 = c^2. It is right with probability 1: if b = 0 both ciphertexts are F_K(m), and if b = 1 they are F_K(m) ≠ F_K(m′) because F_K is a permutation.


ECB illustrated

Figure: the original image next to its ECB encryption (images not reproduced here); equal plaintext blocks give equal ciphertext blocks, so the outline of the picture remains visible.


Cipher Block Chaining (CBC)

F = (F_n)_{n∈N} is a PRP

Figure: CBC mode. The IV is XORed into the first message block and each ciphertext block is XORed into the next message block before F_K is applied.

• c_0 = IV, where IV ← {0, 1}^n is chosen uniformly at random for every message (a fixed or predictable IV forfeits the IND-CPA guarantee stated next)
• c_i = F_K(m_i ⊕ c_{i−1}), for all i ≥ 1
• ciphertext: (IV, c_1 ··· c_ℓ)
• decryption: m_i = F_K^{−1}(c_i) ⊕ c_{i−1}, which is why F must be a permutation


Cipher Block Chaining (CBC)

Theorem 19
If F = (F_n)_{n∈N} is a PRP and the IV is uniformly random, then CBC with F is IND-CPA secure.

Proof.
Show that for any adversary A against the scheme S, there exists a PRP adversary B such that

Adv^{ind-cpa}_{A,S}(λ) ≤ 2 · Adv^{prp}_{B,F}(λ) + q(λ)² ℓ² / 2^{λ−1},

where ℓ is the length of the messages in blocks and q(λ) is the maximum number of queries A makes to its challenger. (The second term bounds the probability that two of the q(λ)·ℓ inputs fed to F_K coincide.)


CBC versus ECB

Figure: the original image, its ECB encryption, and its CBC encryption side by side (images not reproduced here); under CBC the repeated-block pattern disappears.


Deterministic counter mode (DCTR)

F = (F_n)_{n∈N} is a PRF

Figure: DCTR mode. With the counter fixed to r := 1, c_i = m_i ⊕ F_K(r + i − 1) for 1 ≤ i ≤ ℓ.

Remark 20
1. The ciphertext is c_1 ··· c_ℓ (assuming r is publicly known)
2. The scheme works like a stream cipher with the PRG G given by

G(K) = F_K(1) ‖ F_K(2) ‖ ··· ‖ F_K(ℓ)

3. DES, 3DES, AES can be used with such a construction (a PRP is in particular a PRF)


Deterministic counter mode (DCTR)

Theorem 21
If F = (F_n)_{n∈N} is a PRF, then DCTR with F is IND-COA secure (it is exactly the stream cipher of Description 9 with G(K) = F_K(1) ‖ F_K(2) ‖ ···), but it is not IND-KPA secure, and hence not IND-CPA secure: every message is encrypted with the same keystream.

Proof.
For the negative part: query m1 m2 and m3 m4, then request the challenge (m1 m4, m3 m2). Since block i of every ciphertext is m_i ⊕ F_K(i), the challenge equals (first block of the first answer) ‖ (second block of the second answer) iff b = 0. The same three encryptions can be requested in one batch, so this is already a KPA attack.
For IND-COA: show that for any adversary A against the scheme S, there exists a PRF adversary B such that

Adv^{ind-coa}_{A,S}(λ) ≤ 2 · Adv^{prf}_{B,F}(λ)


Counter mode (CTR)

F = (F_n)_{n∈N} is a PRF

Figure: CTR mode. A fresh r ← {0, 1}^n is drawn for each message and c_i = m_i ⊕ F_K(r + i − 1) for 1 ≤ i ≤ ℓ (addition modulo 2^n).

Remark 22
1. The ciphertext is (r, c_1 ··· c_ℓ)
2. The scheme is similar to DCTR except for the fact that the counter r is generated uniformly at random from {0, 1}^n for every message, so two messages share keystream blocks only if their counter ranges overlap
3. DES, 3DES, AES can be used with such a construction; decryption recomputes the same keystream, so F need not be invertible


Counter mode (CTR)

Theorem 23
If F = (F_n)_{n∈N} is a PRF, then CTR with F is IND-CPA secure.

Proof.
Show that for any adversary A against the scheme S, there exists a PRF adversary B such that

Adv^{ind-cpa}_{A,S}(λ) ≤ 2 · Adv^{prf}_{B,F}(λ) + q(λ)² ℓ / 2^{λ−1},

where ℓ is the length of the messages in blocks and q(λ) is the maximum number of queries A makes to its challenger. (The second term bounds the probability that the counter ranges of two of the q(λ) encryptions overlap.)


Output feedback (OFB) and cipher feedback (CFB)

1. The keystream in CTR mode is

F_K(r) ‖ F_K(r + 1) ‖ F_K(r + 2) ‖ ···

where r ← {0, 1}^n

2. The OFB and CFB modes are defined as the CTR mode but with a different keystream generation:
2.1 The keystream in OFB mode is

F_K(r) ‖ F_K(F_K(r)) ‖ F_K(F_K(F_K(r))) ‖ ···

where r ← {0, 1}^n

2.2 The keystream in CFB mode is

F_K(r) ‖ F_K(c_1) ‖ F_K(c_2) ‖ ···

where r ← {0, 1}^n and c_i is the i-th ciphertext block (the keystream block for m_{i+1} depends on the ciphertext produced so far, and decryption needs only F_K, not its inverse)

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 55 / 55
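As an added example (not code from the slides), the four key streams of this section in Python. The PRF $F_K$ is stood in for by HMAC-SHA256 truncated to one 16-byte block (an assumption; the slides instantiate F with DES, 3DES or AES), and `first_block_repeats` runs the check from the proof of Theorem 21: with a deterministic counter, two messages that share a first plaintext block share a first ciphertext block, which is exactly what lets the IND-CPA adversary tell the challenge messages apart; with a fresh random r per message (CTR) the equality disappears.

```python
import hmac
import hashlib
import os

BLOCK = 16  # block length n in bytes (assumption: 128-bit PRF outputs, as with AES)


def prf(key: bytes, x: bytes) -> bytes:
    """F_K(x): stand-in PRF built from HMAC-SHA256, truncated to one block (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter_block(r: bytes, i: int) -> bytes:
    """The counter value r + i as an n-bit block (wrapping modulo 2^n)."""
    value = (int.from_bytes(r, "big") + i) % (1 << (8 * BLOCK))
    return value.to_bytes(BLOCK, "big")


def encrypt(mode: str, key: bytes, r: bytes, blocks: list) -> list:
    """Encrypt n-byte blocks m_1..m_l, returning c_1..c_l.

    DCTR: the counter starts at a fixed value (pass r = bytes(BLOCK)); CTR: r is drawn
    fresh per message and sent along with the ciphertext. OFB iterates F_K on its own
    output; CFB feeds the previous ciphertext block back into F_K.
    """
    out = []
    if mode in ("DCTR", "CTR"):
        for i, m in enumerate(blocks):            # key stream F_K(r), F_K(r+1), ..., F_K(r+l-1)
            out.append(xor(m, prf(key, counter_block(r, i))))
    elif mode == "OFB":
        s = r
        for m in blocks:                          # key stream F_K(r), F_K(F_K(r)), ...
            s = prf(key, s)
            out.append(xor(m, s))
    elif mode == "CFB":
        prev = r
        for m in blocks:                          # key stream F_K(r), F_K(c_1), F_K(c_2), ...
            c = xor(m, prf(key, prev))
            out.append(c)
            prev = c
    else:
        raise ValueError(f"unknown mode {mode}")
    return out


def decrypt(mode: str, key: bytes, r: bytes, cblocks: list) -> list:
    """Invert encrypt(); CFB rebuilds its key stream from the received ciphertext blocks."""
    if mode == "CFB":
        out, prev = [], r
        for c in cblocks:
            out.append(xor(c, prf(key, prev)))
            prev = c
        return out
    # CTR, DCTR and OFB: the key stream is data-independent, so XORing it again decrypts
    return encrypt(mode, key, r, cblocks)


def first_block_repeats(mode: str, key: bytes, r1: bytes, r2: bytes) -> bool:
    """The IND-CPA check from the proof of Theorem 21: encrypt m_1 m_2 and then m_1 m_4.
    With a reused counter (DCTR) the first ciphertext blocks coincide, which tells the
    adversary which challenge message was encrypted; with a fresh r (CTR) they do not."""
    m1, m2, m4 = (bytes([b]) * BLOCK for b in (0x41, 0x42, 0x44))  # constructed blocks
    c_a = encrypt(mode, key, r1, [m1, m2])
    c_b = encrypt(mode, key, r2, [m1, m4])
    return c_a[0] == c_b[0]


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    print("DCTR repeats first block:", first_block_repeats("DCTR", key, bytes(BLOCK), bytes(BLOCK)))
    print("CTR  repeats first block:", first_block_repeats("CTR", key, os.urandom(BLOCK), os.urandom(BLOCK)))
```

Note that CFB is the only mode whose key stream depends on the ciphertext, so its decryption cannot simply reuse `encrypt`; for CTR, DCTR and OFB the key stream is fixed by (K, r) alone and decryption is the same XOR again.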


Crypto Concepts
Hash Functions, Message Authentication, Authenticated
Encryption

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“Al.I.Cuza” University of Iaşi
Iaşi 700506, Romania
e-mail: ferucio.tiplea@uaic.ro

Fall 2020
Outline

Hash functions

Message authentication codes

Authenticated encryption

Hash functions Message authentication codes Authenticated encryption

Hash functions
A hash function outputs a fixed-length bitstring (e.g., 128 or 160 bits) when applied to an arbitrary-length bitstring.

Hash functions are used in many cryptographic applications such as:


• signing messages, in connection with digital signatures (signing a
document should be a fast operation and the signature should be
small so that it can be put on a smart card);
• identifying files on peer-to-peer file sharing networks;
• ensuring security of micro-payment schemes (e.g., PayWord);
• etc.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 4 / 40


Hash functions
Definition 1
A keyed hash function over (K, X, Z) is a pair of algorithms H = (G, H) such that:
1. G is a PPT algorithm which takes as input a security parameter λ and outputs a key K ∈ K;
2. H is a DPT algorithm which takes as input a key K and a message m ∈ X and outputs a digest H(K, m) ∈ Z.

As usual, X and Z are sets of binary strings; typically, $Z = \{0,1\}^\ell$ for some small ℓ (e.g., 128 or 256).
When |K| = 1, H is simply written as a function from X into Z and it is called a hash function.
A collision for H under K is any pair $(m_0, m_1)$ of distinct messages such that $H(K, m_0) = H(K, m_1)$.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 5 / 40


Collision-resistant hash functions

Experiment $\mathrm{CRHF}^{\mathrm{kka}}_{A,H}(\lambda)$
1: The challenger generates a key K ← G(λ) and gives it to A
2: The adversary A generates a pair of messages $(m_0, m_1)$
3: If $(m_0, m_1)$ is a collision of H under K then return 1, else return 0.

Remark that the adversary mounts a known-key attack (kka). The advantage of A is
$$\mathrm{Adv}^{\mathrm{cr\text{-}kka}}_{A,H}(\lambda) = P(\mathrm{CRHF}^{\mathrm{kka}}_{A,H}(\lambda) = 1)$$

Definition 2
A keyed hash function H is collision-resistant (CRHF) if $\mathrm{Adv}^{\mathrm{cr\text{-}kka}}_{A,H}(\lambda)$ is negligible for all PPT algorithms A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 6 / 40


Universal hash functions

Experiment $\mathrm{UHF}_{A,H}(\lambda)$
1: The challenger generates a key K ← G(λ)
2: The adversary A generates a pair of messages $(m_0, m_1)$
3: If $(m_0, m_1)$ is a collision of H under K then return 1, else return 0.

The advantage of A is
$$\mathrm{Adv}^{\mathrm{u}}_{A,H}(\lambda) = P(\mathrm{UHF}_{A,H}(\lambda) = 1)$$

Definition 3
A keyed hash function H is universal (UHF) if $\mathrm{Adv}^{\mathrm{u}}_{A,H}(\lambda)$ is negligible for all PPT algorithms A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 7 / 40


One-way functions
Experiment $\mathrm{OWHF}^{\mathrm{kka}}_{A,H}(\lambda)$
1: The challenger generates a key K ← G(λ) and y in the range of $H_K$, and gives them to A
2: The adversary A(K, y) generates m
3: If H(K, m) = y then return 1, else return 0.

The advantage of A is
$$\mathrm{Adv}^{\mathrm{ow\text{-}kka}}_{A,H}(\lambda) = P(\mathrm{OWHF}^{\mathrm{kka}}_{A,H}(\lambda) = 1)$$

Definition 4
A keyed hash function H is one-way (OWHF) if $\mathrm{Adv}^{\mathrm{ow\text{-}kka}}_{A,H}(\lambda)$ is negligible for all PPT algorithms A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 8 / 40


Universal one-way functions

Experiment $\mathrm{UOWHF}_{A,H}(\lambda)$
1: The adversary A generates a message $m_0$
2: The challenger generates a key K ← G(λ) and gives it to A
3: The adversary $A(K, m_0)$ generates $m_1$
4: If $(m_0, m_1)$ is a collision of H under K then return 1, else return 0.

Remark that A wins the game if it is able to compute $m_1 \in H^{-1}(K, m_0)$ with $m_0 \neq m_1$. The advantage of A is
$$\mathrm{Adv}^{\mathrm{uow\text{-}kka}}_{A,H}(\lambda) = P(\mathrm{UOWHF}_{A,H}(\lambda) = 1)$$

Definition 5
A keyed hash function H is universal one-way (UOWHF) if $\mathrm{Adv}^{\mathrm{uow\text{-}kka}}_{A,H}(\lambda)$ is negligible for all PPT algorithms A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 9 / 40


Relationship between CRHF, UOWHF, and UHF

Theorem 6
Let H be a hash function. Then:
1. For any adversary A there exists an adversary B having the same running time as A such that
$$\mathrm{Adv}^{\mathrm{uow}}_{A,H}(\lambda) \le \mathrm{Adv}^{\mathrm{cr\text{-}kka}}_{B,H}(\lambda)$$
2. For any adversary A there exists an adversary B having the same running time as A such that
$$\mathrm{Adv}^{\mathrm{u}}_{A,H}(\lambda) \le \mathrm{Adv}^{\mathrm{uow}}_{B,H}(\lambda)$$

Corollary 7
Any CRHF is also a UOWHF, and any UOWHF is also a UHF.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 10 / 40


Relationship between UOWHF and OWHF

Theorem 8
Let H be a hash function. Then, for any adversary A there exists an adversary B such that
$$\mathrm{Adv}^{\mathrm{ow\text{-}kka}}_{A,H}(\lambda) \le \mathrm{Adv}^{\mathrm{uow\text{-}kka}}_{B,H}(\lambda) + P\big(|H^{-1}(K, y)| = 1 : y = H(K, x),\ K \leftarrow \mathcal{K},\ x \leftarrow \mathcal{X}\big)$$
Moreover, the running time of B is that of A plus the time to sample an element from X and compute H once.

Corollary 9
Any UOWHF is also an OWHF, as long as the domain of the hash function is significantly larger than its range.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 11 / 40


Finding collisions: the birthday attack

The birthday attack is based on the birthday paradox which says that in a group of 23 (randomly chosen) people, at least two of them will share a birthday with probability at least 1/2.
Given a group of r people, the probability that no two people share a birthday is
$$p_{365,r} = \frac{365}{365} \cdot \frac{364}{365} \cdots \frac{365 - r + 1}{365} = \frac{365!}{(365 - r)! \cdot 365^r}$$

Therefore, the probability that at least two people share a birthday is $1 - p_{365,r}$.

For r = 23, $1 - p_{365,r} \ge 1/2$.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 12 / 40


Generalization of the birthday paradox

Generalization: m properties and r objects, each object having exactly one of the m properties. Then, the probability that at least two objects share the same property is $1 - p_{m,r}$, where
$$p_{m,r} = \frac{m!}{(m - r)! \cdot m^r} = \left(1 - \frac{1}{m}\right) \cdots \left(1 - \frac{r - 1}{m}\right)$$

Lemma 10
Let m and r be natural numbers such that $m > r > \lfloor \sqrt{2cm} \rfloor$, where c > 0 is a real constant. Then,
$$1 - p_{m,r} > 1 - e^{-c}.$$

Example 11
$1 - p_{m,r} > 1 - e^{-c} \ge \frac{1}{2}$ for $c \ge \ln 2 \approx 0.693$ and $m > r > \lfloor \sqrt{2cm} \rfloor$.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 13 / 40


The birthday attack

The birthday paradox is used to attack hash functions as follows:
• m = number of possible message digests
• r = number of messages for which a message digest will be computed;
• if $m > r > \lfloor \sqrt{2cm} \rfloor$ for some real constant c > 0, then $1 - p_{m,r} > 1 - e^{-c}$.

Example 12
Let $m = 2^{40}$ and r such that $2^{40} > r > \lfloor 2^{20} \sqrt{2 \ln 2} \rfloor \approx 1,200,000$.
The probability of getting a collision is greater than 1/2. Therefore, 40-bit message digests do not ensure security.
For 128-bit message digests, the birthday attack needs to compute at least $2^{64}$ message digests to get a collision with probability at least 1/2.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 14 / 40
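An added example (not from the slides) that computes $p_{m,r}$ and the Lemma 10 threshold $\lfloor \sqrt{2cm} \rfloor$, and then runs the birthday search of Example 12 against SHA-256 truncated to a toy 24-bit digest (an assumption chosen so that the search finishes after a few thousand hash evaluations, illustrating why short digests give no collision resistance):

```python
import hashlib
import math


def no_collision_prob(m: int, r: int) -> float:
    """p_{m,r} = (1 - 1/m)(1 - 2/m) ... (1 - (r-1)/m): r objects, m equally likely properties."""
    p = 1.0
    for i in range(r):
        p *= 1.0 - i / m
    return p


def collision_prob(m: int, r: int) -> float:
    """1 - p_{m,r}: probability that at least two of the r objects share a property."""
    return 1.0 - no_collision_prob(m, r)


def birthday_threshold(m: int, c: float) -> int:
    """floor(sqrt(2cm)) from Lemma 10: for m > r above this value, 1 - p_{m,r} > 1 - e^{-c}."""
    return math.isqrt(int(2 * c * m))


def truncated_digest(msg: bytes, nbytes: int) -> bytes:
    """SHA-256 truncated to nbytes, i.e. a digest space of m = 2^(8*nbytes) values (toy parameter)."""
    return hashlib.sha256(msg).digest()[:nbytes]


def find_collision(nbytes: int, max_trials: int = 1 << 20):
    """Birthday search: hash distinct (constructed) messages until a digest repeats.
    Returns (m0, m1, digest, trials) or None if no collision appears within max_trials."""
    seen = {}
    for i in range(max_trials):
        msg = b"msg-%d" % i
        d = truncated_digest(msg, nbytes)
        if d in seen:
            return seen[d], msg, d, i + 1
        seen[d] = msg
    return None


if __name__ == "__main__":
    print("1 - p_{365,23} =", round(collision_prob(365, 23), 4))
    m = 1 << 24
    print("threshold for 24-bit digests at c = ln 2:", birthday_threshold(m, math.log(2)))
    m0, m1, d, trials = find_collision(3)
    print("collision after", trials, "hashes:", m0, m1, d.hex())
```

For 24-bit digests the threshold at c = ln 2 is about 4800 evaluations, in line with $\sqrt{m}$; the same arithmetic gives the $2^{64}$ figure of Example 12 for 128-bit digests.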


Construction of CRHF
Some general techniques:

1. The Merkle-Damgård (MD) transform

2. The sponge construction

3. Constructions from DLP

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 15 / 40


The MD transform
Basic principle:
• Use a compression function $h : K \times \{0,1\}^{\ell + k} \to \{0,1\}^\ell$, i.e., h(K, ·) maps inputs of size ℓ + k to outputs of size ℓ
• Use an MD-compliant padding pad from $X \subseteq \{0,1\}^{< 2^\ell}$ into $\bigcup_{n \ge 1} \{0,1\}^{n\ell}$, with the following properties:
1. m is a prefix of pad(m)
2. if $|m_1| = |m_2|$ then $|pad(m_1)| = |pad(m_2)|$
3. if $m_1 \neq m_2$, then the last block of $pad(m_1)$ is different from the last block of $pad(m_2)$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 16 / 40


The MD transform
• Iterate h on messages m as follows:
1. $pad(m) = m_1 \,\|\, \cdots \,\|\, m_n$ with $|m_i| = k$ for all i
2. V := IV, where $IV \in \{0,1\}^\ell$
3. for i := 1 to n do $V := h(K, m_i \,\|\, V)$
4. return V

[Diagram: IV and $m_1$ enter $h_K$; its output and $m_2$ enter the next $h_K$, and so on up to $m_n$; the last output is the message digest.]

Theorem 13
If h is collision-resistant then the MD transform based on h is collision-resistant.
Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 17 / 40
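As an added example that is not the slides' own code, the MD transform of the two slides above with an MD-compliant padding. The compression function h(K, ·) is a stand-in built from HMAC-SHA256 truncated to ℓ = 16 bytes, with k = 64-byte message blocks (both assumptions); `md_pad` is the usual "1-bit, zeros, length field" padding, whose last block carries the bit length of m and therefore differs for messages of different length.

```python
import hmac
import hashlib

ELL = 16       # ℓ: chaining value / digest length in bytes (assumption)
K_BLOCK = 64   # k: message block length in bytes (assumption)
IV = bytes(ELL)


def h(key: bytes, x: bytes) -> bytes:
    """Compression function h(K, ·): {0,1}^(ℓ+k) -> {0,1}^ℓ.
    Stand-in built from HMAC-SHA256 truncated to ℓ bytes (assumption, not a proven CRHF)."""
    if len(x) != ELL + K_BLOCK:
        raise ValueError("compression function input must be ℓ + k bytes")
    return hmac.new(key, x, hashlib.sha256).digest()[:ELL]


def md_pad(m: bytes) -> bytes:
    """MD-compliant padding: m || 0x80 || 0x00.. || 8-byte big-endian bit length, up to a
    multiple of k bytes. m is a prefix of pad(m); equal-length messages get equal-length
    paddings; messages of different length get different last blocks (the length field)."""
    padded = m + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % K_BLOCK)
    return padded + (8 * len(m)).to_bytes(8, "big")


def md_hash(key: bytes, m: bytes) -> bytes:
    """The MD transform: V := IV; for each k-byte block m_i, V := h(K, m_i || V); return V."""
    padded = md_pad(m)
    v = IV
    for i in range(0, len(padded), K_BLOCK):
        v = h(key, padded[i:i + K_BLOCK] + v)
    return v


def last_block(m: bytes) -> bytes:
    """The final k-byte block of pad(m), the one property 3 of the padding is about."""
    return md_pad(m)[-K_BLOCK:]


if __name__ == "__main__":
    key = b"\x00" * 16  # constructed key
    print(md_hash(key, b"abc").hex())
```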
The MD transform in practice

Practical hash functions based on the MD transform:
• MD4 – developed by Rivest in 1990. It was the starting point for the development of a series of similar hash functions
• SHA (Secure Hash Algorithm) or SHA-0 – developed by NSA in 1993 (withdrawn shortly after publication because of some flaw)
• MD5 – the strengthened successor of MD4 (Rivest 1995)
• SHA-1 – developed by NSA in 1995; no longer approved after 2010
• SHA-2 family includes 6 hash functions, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 (the last two are truncated versions of SHA-512)

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 18 / 40


The sponge construction

Basic principle:
• Use a permutation $\pi : \{0,1\}^\ell \to \{0,1\}^\ell$ (π has no key!)
• ℓ is written ℓ = r + c (r is the rate and c is the capacity)
• m is padded and then divided into r-bit blocks $m_1 \cdots m_n$
• Absorbing phase: starting from the state $0^\ell$, for each block $m_i$ the state is XORed with $m_i \,\|\, 0^c$ and passed through π; the state obtained after $m_n$ is V.

[Diagram: $0^\ell \oplus (m_1 \,\|\, 0^c) \to \pi \to \oplus\, (m_2 \,\|\, 0^c) \to \pi \to \cdots \to \oplus\, (m_n \,\|\, 0^c) \to \pi \to V$]
Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 19 / 40
The sponge construction

• Squeezing phase: starting from V, r-bit parts of the state are read off as $z_1, z_2, \ldots, z_i$, with π applied to the state between successive outputs; the message digest is $z_1 \,\|\, z_2 \,\|\, \cdots \,\|\, z_i$, each $z_j$ of size r.

[Diagram: $V \to \pi \to \pi \to \cdots \to \pi$, with $z_1, z_2, \ldots, z_i$ read off along the way.]

Theorem 14
If π is a random permutation and $2^\ell$ and $2^c$ are super-poly, then the sponge construction yields a CRHF.

The sponge construction is the basis of the SHA-3 standard.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 20 / 40
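An added example, not the slides' own code, of the absorbing and squeezing phases. The permutation π works on a toy ℓ = 64-bit state with r = c = 32 bits (assumptions, far below the super-poly capacity Theorem 14 requires) and is built as a keyless four-round Feistel network from SHA-256, so that it really is a permutation; `pi_inverse` makes that checkable. The padding is the byte form of the pad10*1 rule used by SHA-3.

```python
import hashlib

RATE = 4            # r in bytes (assumption: toy size)
CAP = 4             # c in bytes (assumption: toy size; Theorem 14 needs 2^c super-poly)
ELL = RATE + CAP    # ℓ = r + c, the state size in bytes
ROUNDS = 4


def _round_fn(i: int, half: bytes) -> bytes:
    """Round function of the toy Feistel permutation (SHA-256 of the round index and one half)."""
    return hashlib.sha256(bytes([i]) + half).digest()[:ELL // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pi(state: bytes) -> bytes:
    """Unkeyed permutation π on ℓ bytes: a 4-round Feistel network (assumption: a toy
    stand-in for the random permutation of Theorem 14). Every round is invertible,
    so π is a permutation; pi_inverse() undoes it."""
    left, right = state[:ELL // 2], state[ELL // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(i, right))
    return left + right


def pi_inverse(state: bytes) -> bytes:
    left, right = state[:ELL // 2], state[ELL // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(i, left)), left
    return left + right


def sponge_pad(m: bytes) -> bytes:
    """pad10*1 in bytes: append 0x01, zero-fill to a multiple of r, set the top bit of the last byte."""
    padded = bytearray(m) + b"\x01"
    padded += b"\x00" * ((-len(padded)) % RATE)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(m: bytes, out_len: int) -> bytes:
    """Absorb: state := π(state ⊕ (m_i || 0^c)) starting from 0^ℓ; squeeze: read r bytes,
    apply π, read r more, ... until out_len bytes are produced."""
    state = bytes(ELL)
    padded = sponge_pad(m)
    for i in range(0, len(padded), RATE):
        state = pi(_xor(state, padded[i:i + RATE] + bytes(CAP)))
    out = b""
    while len(out) < out_len:
        out += state[:RATE]
        state = pi(state)
    return out[:out_len]


if __name__ == "__main__":
    print(sponge_hash(b"abc", 16).hex())
```

Because the capacity bits are never XORed with message data and never output, the security of the construction rests on c, not on the digest length; this is why the theorem speaks of $2^c$ rather than of the output size.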


CRHFs from DLP

Chaum-van Heijst-Pfitzmann hash function:
• let p and q be primes such that p = 2q + 1;
• let $\alpha, \beta \in \mathbb{Z}_p^*$ be primitive elements (and let $\beta = \alpha^c \bmod p$, for some c);
• $h : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_p^*$ is given by
$$h(x_1, x_2) = \alpha^{x_1} \beta^{x_2} \bmod p,$$
for any $x_1, x_2 \in \mathbb{Z}_q$.

Theorem 15
If a collision of h can be computed efficiently, then c can be computed efficiently.

According to Theorem 15, h is collision-resistant if DLP is intractable.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 21 / 40


Message authentication codes

Message authentication codes are used to prove message integrity based on a secret key shared between the parties.
Definition 16
A MAC system over (K, M, T) is a triple of algorithms S = (G, Tg, V) such that:
1. G is the key generator;
2. Tg is a PPT algorithm, called the tag generation algorithm, which outputs a tag t ∈ T when invoked on a key K ∈ K and a message m ∈ M;
3. V is a DPT algorithm, called the verification algorithm, which outputs accept or reject when invoked on a key K, a message m, and a tag t.

Soundness: $P(V(K, m, Tg(K, m)) = \mathit{accept}) = 1$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 23 / 40


MAC security game

Experiment $\mathrm{MAC}_{A,S}(\lambda)$
1: The challenger generates a key K ← G(λ)
2: The adversary A queries the challenger several times (sends messages and receives tags)
3: Eventually, A outputs a candidate forgery pair (m, t) not among the pairs it has

$P(\mathrm{MAC}_{A,S}(\lambda))$, called the advantage of A and denoted $\mathrm{Adv}^{\mathrm{mac\text{-}forge}}_{A,S}(\lambda)$, is the probability that A wins the above game (i.e., t is a valid tag for m).

S is a secure MAC system if $\mathrm{Adv}^{\mathrm{mac\text{-}forge}}_{A,S}(\lambda)$ is negligible, for all PPT adversaries A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 24 / 40



Construction of MAC schemes


1. MAC schemes from PRF
1.1 For (very) short messages
1.2 For long messages

2. MAC schemes from hash functions


2.1 Use of universal hash functions
2.2 Use of collision-resistant hash functions

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 25 / 40


MACs from PRFs for short messages

If F is a PRF, define the MAC scheme $S_F$ as follows:
1. Tg(K, m) = F(K, m)
2. V(K, m, t) = accept iff F(K, m) = t

[Diagram: $m \to F_K(\cdot) \to t$]

Theorem 17
If F is a PRF, then $S_F$ is a secure MAC scheme.

Disadvantage: works only for (very) short messages (e.g., 128-bit messages)

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 26 / 40


MACs from PRFs for long messages

If F is a PRF on messages of length ℓ, define the following MAC schemes for messages of length n · ℓ for some poly-bounded n:
1. CBC-MAC: This is the CBC operation mode with $IV = 0^\ell$, where the final output block is the tag

[Diagram: $0^\ell \oplus m_1 \to F_K$, its output $\oplus\, m_2 \to F_K$, ..., $\oplus\, m_n \to F_K \to$ tag]

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 27 / 40


MACs from PRFs for long messages

2. Cascade-MAC

[Diagram: $m_1 \to F_K \to c_1$, $m_2 \to F_{c_1} \to c_2$, ..., $m_n \to F_{c_{n-1}} \to t$; each output is used as the key of the next application of F]

Theorem 18
If F is a PRF, then the CBC-MAC and Cascade-MAC schemes are secure in the class of messages of length n · ℓ, where n is an arbitrary poly-bounded value.

Disadvantage: does not work for variable length messages

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 28 / 40


MACs from PRFs: encrypted PRF

If F is a PRF on messages of length ℓ, define the following MAC schemes for messages of length n · ℓ for some poly-bounded n:
1. ECBC-MAC (encrypted CBC-MAC) with (K, K')

[Diagram: the CBC-MAC chain $0^\ell \oplus m_1 \to F_K$, $\oplus\, m_2 \to F_K$, ..., $\oplus\, m_n \to F_K \to c_n$, followed by $c_n \to F_{K'} \to t$]

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 29 / 40


MACs from PRFs: encrypted PRF

2. NMAC (nested MAC, which is an encrypted Cascade-MAC) with (K, K')

[Diagram: the Cascade-MAC chain $m_1 \to F_K \to c_1$, $m_2 \to F_{c_1}$, ..., $m_n \to F_{c_{n-1}} \to c_n$, followed by $c_n \to F_{K'} \to t$]

Theorem 19
If F is a PRF, then the ECBC-MAC and NMAC schemes are secure in the class of messages of length n · ℓ for some poly-bounded n.

Disadvantage: work only for ℓ-bit block sequences.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 30 / 40


MACs from PRFs: prefix-free encodings

If F is a PRF on messages of length ℓ, define the following MAC schemes for messages of length n · ℓ for some poly-bounded n:
1. Apply a prefix-free encoding for ℓ-bit block sequences such as:
1.1 $(m_1, \ldots, m_k) \to (\langle k \rangle, m_1, \ldots, m_k)$, or
1.2 $(m_1, \ldots, m_k) \to (m_1 \,\|\, 0, \ldots, m_{k-1} \,\|\, 0, m_k \,\|\, 1)$, where the $m_i$ have length ℓ − 1
2. Apply F as in one of the above methods

Theorem 20
If F is a PRF, then the MAC schemes above are secure in the class of messages of length n · ℓ for some poly-bounded n.

Disadvantage: work only for ℓ-bit block sequences.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 31 / 40


MACs from PRFs: CMAC

If F is a PRF on messages of length ℓ, define the following MAC scheme for arbitrary length messages, called CMAC:
1. Generate three keys $K_0$, $K_1$, and $K_2$ of length ℓ from K;
2. Break the message m into $m = (m_1, \ldots, m_{k-1}, m_k)$;
3. If $|m_k| = \ell$ then replace $m_k$ by $m_k \oplus K_1$;
4. If $|m_k| < \ell$ then replace $m_k$ by $(m_k \,\|\, 1 \,\|\, 0^j) \oplus K_2$;
5. Apply F with $K_0$ in the CBC mode.

CMAC fits the randomized prefix-free encoding paradigm and its security follows from it.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 32 / 40
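An added example (not from the slides) of CBC-MAC, ECBC-MAC and the CMAC construction described on this slide. F is a stand-in PRF built from HMAC-SHA256 truncated to ℓ = 16 bytes (assumption), and the three CMAC subkeys are derived from K through the PRF, which is a simplification: standardized CMAC (NIST SP 800-38B) obtains $K_1$ and $K_2$ by doubling $F_K(0^\ell)$ in GF($2^{128}$). The verification routine compares tags in constant time, as a real V should.

```python
import hmac
import hashlib

ELL = 16  # block length ℓ in bytes (assumption)


def prf(key: bytes, x: bytes) -> bytes:
    """F_K on ℓ-byte inputs: stand-in PRF from HMAC-SHA256 truncated to ℓ bytes (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:ELL]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, blocks: list) -> bytes:
    """Raw CBC-MAC: CBC with IV = 0^ℓ; the final block is the tag. Secure only for a fixed
    number of blocks (Theorem 18), which is what the variants below address."""
    v = bytes(ELL)
    for m in blocks:
        v = prf(key, xor(v, m))
    return v


def ecbc_mac(key: bytes, key2: bytes, blocks: list) -> bytes:
    """ECBC-MAC: c_n from CBC-MAC under K is passed once more through F under an independent K'."""
    return prf(key2, cbc_mac(key, blocks))


def cmac_style(key: bytes, m: bytes) -> bytes:
    """CMAC as on the slide: derive K0, K1, K2 from K; mask a full last block with K1, or
    pad a partial last block as m_k || 1 || 0^j and mask it with K2; then CBC-MAC under K0.
    Assumption: the subkeys are derived here with the PRF; standardized CMAC instead
    obtains K1, K2 by doubling F_K(0^ℓ) in GF(2^128)."""
    k0, k1, k2 = (prf(key, bytes([i]) * ELL) for i in (0, 1, 2))
    blocks = [m[i:i + ELL] for i in range(0, len(m), ELL)] or [b""]
    last = blocks[-1]
    if len(last) == ELL:
        blocks[-1] = xor(last, k1)
    else:
        j = ELL - len(last) - 1                       # zero bytes after the 1-bit (0x80)
        blocks[-1] = xor(last + b"\x80" + b"\x00" * j, k2)
    return cbc_mac(k0, blocks)


def verify_cmac(key: bytes, m: bytes, tag: bytes) -> bool:
    """V(K, m, t): recompute the tag and compare in constant time."""
    return hmac.compare_digest(cmac_style(key, m), tag)


if __name__ == "__main__":
    key = b"\x07" * 16  # constructed key
    print(cmac_style(key, b"hello").hex())
```

The two different masks are what make the encoding prefix-free: a message whose last block was full and one whose last block needed padding can never be mapped to the same block sequence, so CBC-MAC is only ever applied to a prefix-free set of inputs.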


MACs from UHFs

Let H be a keyed hash function and F be a PRF. Define the following family of functions:
$$F_H((K_1, K_2), m) = F(K_2, H(K_1, m))$$

Theorem 21
If H is a UHF and F is a PRF, then $F_H$ is a PRF.

$F_H$ can be used to define a MAC scheme for arbitrary large messages.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 33 / 40


MACs from CRHFs: HMAC

Let H be a hash function defined by the MD transform from a compression function h(K, m). Define $F_H$ by
$$F_H((K_1, K_2), m) = H(K_2 \,\|\, H(K_1 \,\|\, m))$$

Theorem 22
If h and h' given by h'(K, m) = h(m, K) are PRFs, then $F_H$ is a PRF.

The HMAC construction uses one single key K from which two keys are derived: $K_1 = K \oplus ipad$ and $K_2 = K \oplus opad$.
HMAC-SHA1 and HMAC-SHA256 are instances of the above construction, with H = SHA1 and H = SHA256.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 34 / 40
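As an added example (not the slides' code), HMAC-SHA256 written out as the slide defines it, $H(K_2 \,\|\, H(K_1 \,\|\, m))$ with $K_1 = K \oplus ipad$ and $K_2 = K \oplus opad$, and cross-checked against Python's `hmac` module. One standard detail the slide leaves out: K is hashed if longer than the 64-byte SHA-256 block and zero-padded to 64 bytes, so that $K \oplus ipad$ is exactly one block of the MD iteration.

```python
import hashlib
import hmac  # only used to cross-check the hand-rolled construction


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """F_H((K1, K2), m) = H(K2 || H(K1 || m)) with K1 = K ⊕ ipad, K2 = K ⊕ opad, H = SHA-256."""
    block_size = 64                       # SHA-256 message block, in bytes
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")  # zero-pad K to one full block
    k1 = bytes(b ^ 0x36 for b in key)     # ipad = 0x36 repeated
    k2 = bytes(b ^ 0x5C for b in key)     # opad = 0x5c repeated
    inner = hashlib.sha256(k1 + msg).digest()
    return hashlib.sha256(k2 + inner).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verification: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_library(key: bytes, msg: bytes) -> bool:
    """True when the hand-rolled HMAC agrees with hmac.new(key, msg, sha256)."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    print(hmac_sha256(b"key", b"The quick brown fox jumps over the lazy dog").hex())
```

The inner hash absorbs the (possibly long) message under $K_1$; the outer hash under $K_2$ sees only a single fixed-size block, which is the nesting that Theorem 22 relies on.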


Ciphertext integrity
Consider the ciphertext integrity experiment between a cipher S and an adversary A:
Experiment $\mathrm{CI}_{A,S}(\lambda)$
1: The challenger generates a key K ← G(λ)
2: The adversary A queries the encryption oracle
3: Eventually A outputs a candidate ciphertext c different from the ones obtained by queries
4: If c is a valid ciphertext then return 1, else return 0.

The advantage of A is
$$\mathrm{Adv}^{\mathrm{ci}}_{A,S}(\lambda) = P(\mathrm{CI}_{A,S}(\lambda) = 1)$$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 36 / 40


Authenticated encryption
Definition 23
A cipher S provides ciphertext integrity (CI) if $\mathrm{Adv}^{\mathrm{ci}}_{A,S}(\lambda)$ is negligible for all PPT algorithms A.

Definition 24
A cipher S provides authenticated encryption (AE) if:
1. S is IND-CPA secure
2. S provides CI.

Theorem 25
If S is AE secure then it is IND-CCA secure.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 37 / 40


Constructing AE secure ciphers

One popular way to construct AE secure ciphers is to combine an IND-CPA secure cipher with a secure MAC. There are two main variants:

1. Encrypt-then-MAC (EtM)
1.1 c ← E(K, m), t ← Tg(K', c), output (c, t)
1.2 Used in IPsec, TLS 1.2 and later versions, and in the NIST standard GCM

2. MAC-then-Encrypt (MtE)
2.1 t ← Tg(K', m), c ← E(K, (m, t)), output c
2.2 Used in SSL 3.0, TLS 1.0, and in the 802.11i WiFi encryption protocol

The keys K and K' are chosen independently

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 38 / 40


Encrypt-then-MAC
Theorem 26
If S is an IND-CPA secure cipher and S' is a secure MAC, then the EtM construction is AE secure.

Common mistakes in implementing the EtM construction:

1. Use the same key for the cipher and the MAC

2. Apply the MAC only to part of the ciphertext (we may lose ciphertext integrity) – discovered in 2013 in the RNCryptor facility in Apple's iOS

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 39 / 40
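An added example (not from the slides) of the EtM construction with both mistakes from this slide avoided: the cipher and MAC keys are independent (the code refuses equal keys), and the tag is computed over the entire ciphertext including the random counter value, so no part of what the receiver decrypts is unauthenticated. The IND-CPA cipher is a randomized counter mode over HMAC-SHA256 as the PRF and the MAC is HMAC-SHA256 (both assumptions; any IND-CPA cipher and secure MAC would do per Theorem 26).

```python
import hmac
import hashlib
import os

NONCE_LEN = 16   # length of the random counter start r (assumption)
TAG_LEN = 32     # HMAC-SHA256 tag length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Randomized counter-mode key stream F_K(r || 0), F_K(r || 1), ... (HMAC-SHA256 as PRF)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, m: bytes, nonce: bytes = None) -> bytes:
    """EtM: c <- E(K, m), t <- Tg(K', c), output c || t.
    K and K' must be independent, and t covers the whole ciphertext (nonce included)."""
    if enc_key == mac_key:
        raise ValueError("cipher and MAC keys must be independent")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, nonce, len(m))))
    c = nonce + body
    t = hmac.new(mac_key, c, hashlib.sha256).digest()
    return c + t


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, ct: bytes):
    """Verify the tag over the entire ciphertext before touching the plaintext;
    return None (⊥) on any failure, never a partially decrypted message."""
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


if __name__ == "__main__":
    k, k2 = os.urandom(32), os.urandom(32)
    ct = encrypt_then_mac(k, k2, b"meeting at noon")   # constructed message
    print(decrypt_and_verify(k, k2, ct))
```

Verifying before decrypting is what gives the CI property of Definition 23 in practice: a modified ciphertext is rejected without the decryption routine ever running on it, which also removes the padding-oracle style error channels listed for MtE on the next slide.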



MAC-then-Encrypt
MtE is not generally secure:

1. The attack POODLE on SSL 3.0

2. Padding oracle timing attack in TLS 1.0

3. Informative error messages in TLS 1.0

There are secure instances of MtE:

1. The randomized counter mode of the cipher assures AE security

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 40 / 40


Crypto Concepts
Public Key Encryption

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“Al.I.Cuza” University of Iaşi
Iaşi 700506, Romania
e-mail: ferucio.tiplea@uaic.ro

Fall 2020
Outline

Introduction

Public-key encryption

Security models

The RSA PKE scheme

The ElGamal PKE scheme

Hybrid encryption

IND-CCA security

Introduction Public-key encryption Security models The RSA PKE scheme The ElGamal PKE scheme Hybrid encryption IND-CCA s

Why public-key cryptography?


Two main objectives that cannot be achieved by symmetric-key
cryptography:
• Need for secure key distribution – A private conversation between
two people with no prior acquaintance is a common occurrence in
business, and it is unrealistic to expect initial business contacts to be
postponed long enough for keys to be transmitted by some physical
means;
• Need for authentication – In current business, the validity of
contracts is guaranteed by signatures. Is there any purely digital
replacement of the handwritten signature?

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 4 / 36


A bit of history
• 1976: Whitfield Diffie and Martin Hellman, and independently Ralph Merkle, invented public-key cryptography to address the two aforementioned deficiencies;
• The first concrete realization of a public-key cryptosystem is due to R.C. Merkle and M.E. Hellman in 1978. Unfortunately, this cryptosystem, as well as many other variations of it, has been proved to be insecure;
• Soon after the Merkle-Hellman cryptosystem came the first full-fledged public-key cryptosystem, RSA (named after its inventors, R. Rivest, A. Shamir, and L. Adleman). RSA is by far the easiest public-key cryptosystem to understand and implement; it gets its security from the difficulty of factoring very large numbers.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 5 / 36


Public-key encryption
Definition 1
A public-key encryption (PKE) scheme over (K, M, C) is a triple of algorithms S = (G, E, D) such that:
1. G is a PPT algorithm, called the key generation algorithm, which outputs a (public-key, secret-key) pair (pk, sk) when invoked on a security parameter λ;
2. E is a PPT algorithm, called the encryption algorithm, which outputs a ciphertext c ∈ C when invoked on a public key pk and a message m ∈ M;
3. D is a deterministic PT algorithm, called the decryption algorithm, which outputs a message m ∈ M or a special symbol ⊥ (denoting failure) when invoked on a secret key sk and a ciphertext c.

Soundness: for all λ, m ∈ M, and c ∈ C,
$$(pk, sk) \leftarrow G(\lambda) \ \wedge\ c \leftarrow E(pk, m) \ \Rightarrow\ m := D(sk, c)$$
Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 7 / 36
Pictorial view of PKE

[Figure: the original data ("Dear Tom: I have reviewed the new...") is encrypted with the public key into scrambled data, which is decrypted with the private key back into the original data; public key + private key = asymmetric key pair.]

1. The public key is assumed to be openly and widely distributed so that anyone can encrypt messages

2. The secret key must be kept private by the receiver
Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 8 / 36


IND-CPA security games

Experiment $\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}b}}_{A,S}(\lambda)$, where b ∈ {0, 1}
1: The challenger generates a key pair (pk, sk) ← G(λ)
2: Access to the encryption oracle: for free (pk is public)
3: A submits a pair $(m_0, m_1) \in M^2$ with $|m_0| = |m_1|$
4: The challenger computes $c \leftarrow E(pk, m_b)$ and sends it to A
5: The adversary outputs a bit b' ∈ {0, 1}
6: Return b'.

Definition 2
A PKE scheme S is IND-CPA secure if
$$\left| P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}0}}_{A,S}(\lambda) = 1) - P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}1}}_{A,S}(\lambda) = 1) \right|$$
is negligible, for all PPT algorithms A.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 10 / 36


IND-CPA security: bit guessing version

Experiment $\mathrm{PubK}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda)$
1: The challenger generates a key pair (pk, sk) ← G(λ)
2: Access to the encryption oracle: for free
3: Challenge:
– A sends a pair $(m_0, m_1) \in M^2$ with $|m_0| = |m_1|$
– The challenger generates a bit b ← {0, 1}, computes $c \leftarrow E(pk, m_b)$, and sends c to A
4: Access to the encryption oracle: for free
5: Guess: The adversary outputs a bit b' ∈ {0, 1}
6: If b' = b then return 1 else return 0
Definition 3
The IND-CPA advantage of A with respect to the PKE scheme S is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda) = \left| P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda) = 1) - \frac{1}{2} \right|$$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 11 / 36


IND-CPA security: bit guessing version

Proposition 4
For any PKE scheme S and any PPT adversary A, the following property holds:
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,S}(\lambda) = \frac{1}{2} \left| P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}0}}_{A,S}(\lambda) = 1) - P(\mathrm{PubK}^{\mathrm{ind\text{-}cpa\text{-}1}}_{A,S}(\lambda) = 1) \right|$$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 12 / 36


Remarks on IND-CPA security for PKE

1. No deterministic PKE scheme can be IND-CPA secure – the adversary can consult the encryption oracle any time and, therefore, it can decide which message was encrypted

2. No PKE scheme can achieve perfect security – given a message m and a ciphertext c, and assuming 0 < P(m) < 1, an unbounded adversary can decide whether c comes from m or not. That is, P(m|c) is 0 or 1. Then, P(m|c) ≠ P(m)

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 13 / 36


The RSA PKE scheme

In 1977, Ronald Rivest, Adi Shamir, and Leonard Adleman proposed the first public-key cryptosystem which is still secure and used.

The RSA PKE scheme
• let p and q be two distinct primes, and n = pq;
• $M = C = \mathbb{Z}_n$;
• pk = (n, e) and sk = (n, d), where $e \in \mathbb{Z}^*_{\phi(n)}$ and $ed \equiv 1 \bmod \phi(n)$;
• for any pk and sk as above,
$$e_K(x) = x^e \bmod n \quad\text{and}\quad d_K(y) = y^d \bmod n$$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 15 / 36


The RSA cryptosystem

Example 5 (with artificially small parameters)
Let p = 61 and q = 53. Then:
• n = pq = 3233 and φ(n) = 3120;
• if we choose e = 17, then d can be computed with the extended Euclidean algorithm. We obtain $d = e^{-1} \bmod 3120 = 2753$;
• n = 3233 and e = 17 are public parameters; p, q, and d are secret;

Let m = 123 be a plaintext. The ciphertext is
$$c = 123^{17} \bmod 3233 = 855.$$

In order to decrypt c we have to compute
$$855^{2753} \bmod 3233 = 123.$$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 16 / 36


Choosing RSA parameters

• p and q are large numbers randomly generated (512-bit or even larger). Then they are tested for primality using a probabilistic algorithm (e.g., Miller-Rabin). There is a possibility that the algorithm may claim that n is prime when it is not. However, running the algorithm enough times, the error probability can be reduced below any desired threshold
• e is small (fast encryption) but chosen such that $d > \sqrt[4]{n}$ (otherwise, an efficient attack can be mounted – details will be provided later)
• RSA encryption and decryption can be done in $O((\log n)^3)$

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 17 / 36


Security issues
• The RSA PKE scheme, as it was defined, is not IND-CPA (encryption is deterministic)
• If p or q is recovered (e.g., by factoring n in reasonable time), then the system is completely broken
• If φ(n) can be computed in reasonable time, then the system is completely broken
• If d can be easily computed from n and e, then the system is completely broken
• If the same n is used by two different users, either of them can break the other's encryption

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 18 / 36


Security issues
• If e = 3 and $m < \sqrt[3]{n}$, then $m = \sqrt[3]{c}$ (no modular computation)
• If e = 3 and m is sent to three receivers
$$c_1 \equiv m^3 \bmod n_1, \quad c_2 \equiv m^3 \bmod n_2, \quad c_3 \equiv m^3 \bmod n_3$$
and $m < n_1 n_2 n_3$, then m can be obtained by CRT and square root extraction

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 19 / 36


Padded RSA
Let ℓ = ℓ(λ) be a function such that ℓ ≤ 2λ − 2
1. G(λ): generate an RSA modulus n = pq of size λ, a public key pk = (n, e), and a secret key sk = (n, d);
2. E(pk, m): assume $m \in \{0,1\}^\ell$
• $r \leftarrow \{0,1\}^{\lambda - \ell - 1}$
• $c = (r \,\|\, m)^e \bmod n$
3. D(sk, c): output the least significant ℓ bits of $m' = c^d \bmod n$

Public-Key Cryptography Standard (PKCS) #1 (for RSA), v. 2.2:
$$\mathtt{0x00} \,\|\, \mathtt{0x02} \,\|\, r \,\|\, \mathtt{0x00} \,\|\, m$$
where r is a random string of (k − D − 3) bytes, k is the length of n in bytes, and D is the length of m in bytes. Moreover, no byte of r is 0x00.

Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 20 / 36


Security of padded RSA

Let G be an RSA generator, (n, e, d) ← G(λ)
RSA problem for G
Instance: (n, e) with (n, e, d) ← G(λ), $y \leftarrow \mathbb{Z}_n^*$
Question: Compute x such that $x^e \bmod n = y$ if such an x exists, or output ⊥ otherwise

The RSA problem is hard for G if no PPT algorithm can solve it, except with negligible probability. The RSA assumption is that there exists a generator for which the RSA problem is hard.

Theorem 6
The padded RSA PKE scheme is IND-CPA, provided that ℓ = 1 and the RSA problem is hard for its generator.

PKCS #1 v2.2 is believed to be IND-CPA secure, though no proof has ever been shown (based on the RSA assumption).
Ferucio Laurentiu Tiplea Crypto Concepts Fall 2020 : : 21 / 36
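An added example (not the slides' code) covering the textbook scheme with the parameters of Example 5 and the padded RSA scheme of the previous slides, at toy scale. Key generation computes $d = e^{-1} \bmod \phi(n)$ with the extended Euclidean algorithm. For the padded variant the modulus n = 3233 has λ = 12 bits, so with ℓ = 4 the random r has λ − ℓ − 1 = 7 bits and $r \,\|\, m < 2^{11} < n$; the two calls with different r on the same m show the randomization that textbook RSA lacks.

```python
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse")
    return x % m


def rsa_keygen(p: int, q: int, e: int):
    """pk = (n, e), sk = (n, d) with e*d = 1 mod phi(n); primes p, q are given here
    (a real generator draws them at random and tests them with Miller-Rabin)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("need distinct primes and e a unit modulo phi(n)")
    return (n, e), (n, modinv(e, phi))


def rsa_encrypt(pk, x: int) -> int:
    """Textbook e_K(x) = x^e mod n: deterministic, hence not IND-CPA."""
    n, e = pk
    return pow(x, e, n)


def rsa_decrypt(sk, y: int) -> int:
    n, d = sk
    return pow(y, d, n)


def padded_encrypt(pk, m: int, ell: int, r: int) -> int:
    """Padded RSA: c = (r || m)^e mod n with m of ℓ bits and r of λ-ℓ-1 bits, λ = bit length of n.
    r is passed in explicitly so that the example is reproducible; E draws it at random."""
    n, e = pk
    lam = n.bit_length()
    if not (0 <= m < 1 << ell and 0 <= r < 1 << (lam - ell - 1)):
        raise ValueError("message or randomness out of range")
    return pow((r << ell) | m, e, n)


def padded_decrypt(sk, c: int, ell: int) -> int:
    """D(sk, c): the least significant ℓ bits of c^d mod n."""
    return rsa_decrypt(sk, c) & ((1 << ell) - 1)


if __name__ == "__main__":
    pk, sk = rsa_keygen(61, 53, 17)
    print(pk, sk, rsa_encrypt(pk, 123), rsa_decrypt(sk, 855))
    print(padded_encrypt(pk, 5, 4, 3), padded_encrypt(pk, 5, 4, 4))
```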
ElGamal PKE scheme

In 1985, Taher El Gamal (ElGamal, Elgamal) adapted the Diffie-Hellman key-exchange protocol to get a PKE scheme and a digital signature
ElGamal PKE scheme
• (G, q, g) ← G(λ), where G is a cyclic group of order q, ‖q‖ = λ, g a generator;
• M = C = G;
• $pk = (q, g, g^x)$, where $x \leftarrow \mathbb{Z}_q$, and sk = (q, g, x);
• for any pk and sk as above,
$$e_{pk}(m) = (g^y, m \cdot g^{xy}), \text{ where } y \leftarrow \mathbb{Z}_q$$
and
$$d_{sk}(c) = c_2 / c_1^{\,x} = (m \cdot g^{xy}) / (g^y)^x, \text{ assuming } c = (c_1, c_2) = (g^y, m \cdot g^{xy})$$

The encryption is randomized!


ElGamal PKE scheme

Example 7 (with artificially small parameters)
• q prime and g ≠ 1
  1. q = 61, g = 2, x = 5, pk = (61, 2, 2^5), sk = (61, 2, 5)
  2. m = 3 → (with pk, y = 7) c = (2^7, 3 · 2^35 mod 61)
  3. c = (2^7, 3 · 2^35 mod 61) → (with sk) (3 · 2^35) / 2^35 mod 61 = 3

• q prime, p = 2q + 1 prime, G the subgroup of quadratic residues modulo p (its order is q), and g ≠ 1 a quadratic residue
  1. q = 83, p = 167, g = 4, x = 37, pk = (83, 4, 4^37 mod 167) = (83, 4, 76), sk = (83, 4, 37)
  2. m = 65 → (with pk, y = 71) c = (4^71 mod 167, 65 · 76^71 mod 167) = (132, 44)
  3. c = (132, 44) → (with sk) 44 / (132^37) mod 167 = 65


Security of ElGamal PKE scheme

Definition 8
The discrete log (DL) problem in a cyclic group G = ⟨g⟩ of prime order is to compute x, given g and g^x.

Definition 9
The Decisional Diffie-Hellman (DDH) problem in a cyclic group G = ⟨g⟩ of prime order p is to distinguish between the distributions (g, g^x, g^y, g^{xy}) and (g, g^x, g^y, g^z), where x, y, z are drawn uniformly at random from Z_p.

Definition 10
The Computational Diffie-Hellman (CDH) problem in a cyclic group G = ⟨g⟩ of prime order is to compute g^{xy}, given (g, g^x, g^y).
It is believed that there are groups where the DDH problem is easy but the CDH problem is hard (such groups are called gap Diffie-Hellman (GDH) groups).

Security of ElGamal PKE scheme

Theorem 11
The ElGamal PKE scheme is IND-CPA, provided that the DDH problem is hard for its generator.

Proof.
Assume that A is an adversary against the ElGamal PKE scheme. Define an adversary B that uses A to distinguish the two probability distributions in DDH:
1. B gives to A the public key (G, q, g, g^x)
2. B sends A the challenge ciphertext (g^y, m_b · α)
3. If A guesses b, then B returns α = g^{xy}; otherwise, α = g^z.
The probability to distinguish between the two probability distributions is

   | P(b' = b) − 1/2 | = Adv^{ind-cpa}_{A,S}(λ)


Facts
• SKE is significantly faster than PKE
• SKE schemes have lower ciphertext expansion
• Use SKE to encrypt messages and PKE to encrypt the secret key for SKE


Hybrid encryption
1. S = (G, E, D) PKE scheme
2. S' = (G', E', D') SKE scheme
3. Hybrid encryption with (S, S')
   3.1 (pk, sk) ← G(λ)
   3.2 To encrypt m do:
       • K ← G'(λ)
       • c1 ← E(pk, K)
       • c2 ← E'(K, m)
       • c = (c1, c2)
   3.3 To decrypt c = (c1, c2) do:
       • K ← D(sk, c1)
       • m ← D'(K, c2)

Hybrid encryption is a PKE because the sender and receiver do not share any secret key in advance!


Security of hybrid encryption

Theorem 12
If S is an IND-CPA secure PKE scheme and S' is an IND-COA secure SKE scheme, then the HE scheme (S, S') is IND-CPA secure.

Only IND-COA security is required of S' because a fresh key K is chosen each time a new message is encrypted, so every symmetric key encrypts a single message.


Why IND-CCA security?

An RSA PKE example:
1. Assume pk = (n, e) and sk = (n, d)
2. Encrypt m into c = m^e mod n
3. An adversary A intercepts c, chooses r ∈ Z_n^* uniformly at random, and computes
   c' = r^e · c mod n
4. If A is allowed to consult the decryption oracle, then it may ask decryption for c' and gets m' = r · m mod n
5. A recovers easily m from m'


Why IND-CCA security?

An ElGamal PKE example:
1. Assume pk = (G, q, g, g^x) and sk = (G, q, g, x)
2. Encrypt m into c = (g^y, m · g^{xy})
3. An adversary A intercepts c, chooses r ∈ G uniformly at random, and computes
   c' = (g^y, r · m · g^{xy})
4. If A is allowed to consult the decryption oracle, then it may ask decryption for c' and gets m' = r · m
5. A recovers easily m from m'
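Example 7 and the ElGamal case of the "Why IND-CCA security?" slide, as an added Python example (not code from the slides): ElGamal over the quadratic-residue subgroup G of Z_167^* with the slide's parameters. The secret x and the randomness y are passed in so the run is deterministic, and a subgroup membership check on decryption is an assumption added here, not something the slide specifies.

```python
def in_group(p: int, q: int, v: int) -> bool:
    """Membership test for the order-q subgroup G of Z_p^*: 0 < v < p and v^q = 1 (mod p)."""
    return 0 < v < p and pow(v, q, p) == 1


def elgamal_keygen(p: int, q: int, g: int, x: int):
    """pk = (q, g, g^x), sk = (q, g, x). A real implementation draws x uniformly from Z_q;
    here x is a parameter so the example reproduces the slide."""
    return (q, g, pow(g, x, p)), (q, g, x)


def elgamal_encrypt(p: int, pk, m: int, y: int):
    """e_pk(m) = (g^y, m * (g^x)^y); y is the per-message randomness (a parameter here)."""
    q, g, gx = pk
    if not in_group(p, q, m):
        raise ValueError("plaintext must be an element of G")
    return pow(g, y, p), m * pow(gx, y, p) % p


def elgamal_decrypt(p: int, sk, c) -> int:
    """d_sk(c): recompute g^{xy} = (g^y)^x and divide the second component by it."""
    q, g, x = sk
    c1, c2 = c
    if not (in_group(p, q, c1) and in_group(p, q, c2)):
        raise ValueError("ciphertext components must lie in G")   # added validation
    gxy = pow(c1, x, p)
    return c2 * pow(gxy, -1, p) % p       # modular inverse (Python 3.8+)


def scale_ciphertext(p: int, c, r: int):
    """The malleability on the slide: (g^y, r * m * g^{xy}) is a valid encryption of r * m,
    which is exactly what a decryption oracle would hand back (hence IND-CPA is not enough)."""
    c1, c2 = c
    return c1, r * c2 % p
```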


Trapdoor functions
Definition 13
A trapdoor function (TDF) over (X, Y) is a triple T = (G, F, I), where:
1. G is a PPT algorithm that generates pairs (pk, sk) (as in a PKE scheme);
2. F is a deterministic algorithm that acts on a pk and an x ∈ X and returns a y ∈ Y;
3. I is a deterministic algorithm that acts on an sk and a y ∈ Y and returns an x ∈ X.
Moreover, for any (pk, sk) ← G(λ), for any x ∈ X, I(sk, F(pk, x)) = x.

A trapdoor function is one-way if F can be efficiently computed but I is hard to compute without the trapdoor sk.


Encryption based on a TDF

A TDF T = (G, F, I) over (X, Y) can be used in connection with any SKE scheme S = (G', E', D') over (K, M, C) and any hash function h : X → K to define PKE schemes:
1. Key generation: (pk, sk) ← G(λ);
2. Encryption: given pk and m:
   • x ← X;
   • K = h(x);
   • c' = E'(K, m);
   • y = F(pk, x);
   • c = (y, c');
3. Decryption: given sk and c = (y, c'):
   • x' = I(sk, y);
   • If y ≠ F(pk, x'), abort;
   • K = h(x') (= h(x));
   • m = D'(K, c').

IND-CCA security for RSA PKE scheme

We use the RSA trapdoor permutation (TDP) with an SKE scheme S = (G', E', D') over (K, M, C) and a hash function h : {0, 1}^* → K
1. Key generation: (pk, sk) ← G(λ), where pk = (n, e) and sk = (n, d);
2. Encryption: given pk and m:
   • x ← Z_n;
   • K = h(x);
   • c' = E'(K, m);
   • y = x^e mod n;
   • c = (y, c');
3. Decryption: given sk and c = (y, c'):
   • x' = y^d mod n (that is, I(sk, y));
   • If y ≠ x'^e mod n (that is, F(pk, x')), abort;
   • K = h(x') (= h(x));
   • m = D'(K, c').
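The RSA instance above, which also serves the hybrid encryption slide, as an added Python example (not code from the slides). Assumptions: h is SHAKE-256 over a fixed-width encoding of x, E' is a constructed one-time XOR stream cipher keyed by K, and the RSA primes are tiny constructed values for illustration only.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def rsa_keygen(e: int = 65537):
    """Toy RSA trapdoor permutation: two constructed ~20-bit primes (far too small for real use)."""
    p = _next_prime(10**6)
    q = _next_prime(p + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, e), (n, d)


def kdf(x: int, key_len: int = 32) -> bytes:
    """h : Z_n -> K, instantiated with SHAKE-256 over a 16-byte big-endian encoding of x."""
    return hashlib.shake_256(x.to_bytes(16, "big")).digest(key_len)


def ske_encrypt(K: bytes, m: bytes) -> bytes:
    """Constructed one-time SKE E': XOR with a SHAKE-256 keystream derived from K.
    Acceptable only because each K encrypts a single message (fresh x per encryption)."""
    stream = hashlib.shake_256(b"stream|" + K).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, stream))


ske_decrypt = ske_encrypt   # XOR is its own inverse


def pke_encrypt(pk, m: bytes, x: Optional[int] = None) -> Tuple[int, bytes]:
    """x <- Z_n (or a caller-supplied x for a deterministic run), K = h(x), c' = E'(K, m), y = x^e mod n."""
    n, e = pk
    if x is None:
        x = secrets.randbelow(n)
    return pow(x, e, n), ske_encrypt(kdf(x), m)


def pke_decrypt(sk, pk, c) -> bytes:
    """x' = y^d mod n; abort unless y = x'^e mod n; K = h(x'); m = D'(K, c')."""
    n, d = sk
    _, e = pk
    y, c_prime = c
    x_prime = pow(y, d, n)                  # I(sk, y)
    if pow(x_prime, e, n) != y:             # F(pk, x') check; it rejects any y outside Z_n
        raise ValueError("invalid ciphertext")
    return ske_decrypt(kdf(x_prime), c_prime)


PK, SK = rsa_keygen()


def roundtrip(m: bytes, x: Optional[int] = None) -> bytes:
    return pke_decrypt(SK, PK, pke_encrypt(PK, m, x))


def rejects(c) -> bool:
    """True when decryption aborts on c (used to exercise the F(pk, x') check)."""
    try:
        pke_decrypt(SK, PK, c)
        return False
    except ValueError:
        return True
```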
Key Management

Prof.Dr. Ferucio Laurenţiu Ţiplea

Department of Computer Science


Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Key Management 1 / 52


Outline

1 Introduction
2 Key generation
Introduction
Random Bit Generators
Key Derivation Functions
3 Key Establishment
Introduction
Examples of Key Establishment Protocols
Public-key Infrastructures
Other Techniques
4 Key Storage
5 Key Update, Revocation, and Destruction
6 Key Use


Cryptographic Keys
Classification by algorithm type
  symmetric keys: for symmetric cryptography
  (public key, private key): for asymmetric cryptography

Classification by intended use
  for confidentiality (encryption)
  for data origin authentication (signature or MAC)
  for entity authentication (signature or MAC)
  for key agreement

Classification by duration of use
  long-term keys
  short-term keys


“A chain is only as strong as its weakest link”

The security of the system is dependent on the security of the keys !

A security system without strong key management procedures has no security !


Key Management
Key management goals:
  Generation of keying material
  Distribution of keying material
  Storage (including backup, recovery, archival) of keying material
  Usage of keying material
  Update, revocation and destruction of keying material


Standards
International standards: ANSI X9.17 / ISO 8732, ANSI X9.24, ISO 11166, ISO 11568. These define both the manual and automated management of keying material used for financial services such as point-of-sale (POS) transactions (debit and credit), automated teller machine (ATM) transactions, messages among terminals and financial institutions, and interchange messages among acquirers, switches and card issuers

National standards: ETEBACS (France), AS2805.6.xx (Australia), APACS 40 & APACS 70 (UK)

Adherence to standards does not guarantee security !


Key Management Systems

Examples of key management systems:
  Cryptomathic (http://www.cryptomathic.com/)
  KeyConductor (http://www.capturetech.com/)
  keyAuthority (http://www.thales-esecurity.com/) etc.

The choice of a key management system is usually determined by:
  network topology
  cryptographic services (confidentiality, authentication etc.)
  cryptographic mechanism (digital signature, MAC etc.)

S. Bellovin (RFC 4107, June 2005): Key management schemes should not be designed by amateurs !


Key Generation
Key generation techniques:
  Random bit generator (RBG)
  Derivation from source (initial) keying material (such as from another key or from a password)

NIST SP 800-133: Recommendation for Cryptographic Key Generation


Key Length
Key lengths (in bits) for confidentiality:

  duration      symmetric   RSA    ECC
  days/hours        50       512   146
  10-20 years      103      2048   206
  30-50 years      141      4096   282

Figure: From http://www.ecrypt.eu.org/documents/D.SPA.20.pdf

Assumptions: no quantum computers; no breakthroughs; limited budget


Definitions for Random Sequences

An infinite sequence is random if the quantity of information it contains (in the sense of Shannon’s information theory) is also infinite
  not very useful: it is not possible in practice to produce and process infinite sequences
  formally impossible to verify whether a finite sequence is random or not (it is only possible to check that it shares the statistical properties of a random sequence)

[Knuth, D.: The Art of Computer Programming, 1981]: a sequence of random numbers is a sequence of independent numbers with a specified distribution and a specified probability of falling in any given range of values

[Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, 1996]: a sequence of random numbers is a sequence that has the same statistical properties as random bits, is unpredictable and cannot be reliably reproduced


General Requirements
Two general requirements a random sequence should fulfill:
(R1) Random sequences should have “good” statistical properties
  (R1) is usually checked by applying a particular statistical test suite, such as the NIST SP 800-22 Statistical Test Suite or the Diehard tests of randomness;
  (R1) may be sufficient for some applications (e.g., for challenge-and-response protocols) but may be insufficient for others (e.g., generation of session keys).

(R2) The knowledge of subsequences of random sequences shall not allow one to practically compute predecessors or successors or to guess these numbers with non-negligibly larger probability than without knowledge of these subsequences


Classification
Random number generators (RNG) can be classified as follows:

deterministic random number generators (also called pseudo-random number generators (PRNG)). PRNGs generate random number sequences algorithmically, starting with a seed. They may be pure or hybrid;

non-deterministic random number generators (also called true random number generators (TRNG)). They may be:
  physical. These generators use non-deterministic effects of electronic circuits (e.g., inherent semiconductor thermal noise) or physical experiments (e.g., radioactivity, quantum processes);
  non-physical. These generators use non-deterministic events (e.g., system time, hard disk seek time, user interaction).
Each of the physical or non-physical random number generators may be pure or hybrid.


Pure PRNG

Definition 1
A pure PRNG is a 4-tuple G = (S, O, δ , g), where:
S is a finite set of states;
O is a finite set of outputs;
δ : S→S is the transition function;
g : S→O is the output function.

Given an initial state s_0 (called seed), G generates a sequence of outputs

   r_1, r_2, ...

where r_i = g(s_i) and s_i = δ(s_{i−1}), for all i ≥ 1.


Pure PRNG

Remark 1
1. The seed is generated outside G.
2. In order to meet (R2), the transition and output functions should be sufficiently complex, and the entropy of the seed should be large;
3. The least p > 0 with s_{n+p} = s_n for all n ≥ 1 is called the period of G. Large periods are better.


Examples of Pure PRNGs

Example 2 (Linear congruential generator)

A linear congruential generator is characterized by:
  S = Z_m (m > 0);
  δ(x) = ax + c mod m, where a ∈ Z_m − {0} (the multiplier) and c ∈ Z_m (the increment);
  the output function may have the form g(x) = x/m or g(x) = x/(m − 1) or g(x) = (x + 1/2)/m.
When c = 0, it is called a Lehmer generator.

It can be shown that the period is maximum if and only if
  gcd(c, m) = 1;
  a − 1 is divisible by all prime factors of m;
  a − 1 is a multiple of 4 if m is a multiple of 4.


Examples of Pure PRNGs

Example 3 (Multiple recursive generator)

A multiple recursive generator is characterized by:
  S = Z_m^k (m > 0 and k > 0);
  δ(x_1, ..., x_k) = (x_2, ..., x_k, x_{k+1}), where x_{k+1} = ∑_{i=1}^{k} a_i x_i mod m (a_1, ..., a_k ∈ Z_m);
  the output function may have the form g(x_1, ..., x_k) = x_1/m.


Examples of Pure PRNGs

Example 4 (PRNG from block cryptosystems)

Assume that S is a block cryptosystem which works on n-bit blocks with m-bit keys and the result is an n-bit block. Then, we can define a PRNG as follows:
  S = {0, 1}^n × {0, 1}^m;
  δ(x, K) = ({x}_K, K);
  g(x, K) = x.

If no statistical weaknesses are known for S, then (R1) should be fulfilled.

If we assume now that r_i, ..., r_{i+j} are known, then finding r_{i−1} or r_{i+j+1} is as hard as a chosen plaintext attack on S. Assuming that K is kept secret and cannot be guessed with non-negligible probability, we conclude that this PRNG should fulfill (R2).


Requirement (R3)
If an attacker gets knowledge of the current internal state of the PRNG from the previous example, then (R2) does not hold anymore. As (R2) is important in many applications, it is desirable to add one more requirement to PRNGs:

(R3) The knowledge of the internal state shall not allow one to practically compute “old” random numbers or even a previous internal state or to guess these values with non-negligibly larger probability than without knowledge of the internal state.

(R3) demands a one-way transition function!


Examples of pure PRNGs

Example 5 (PRNG from hash functions)

Assume that h_1 and h_2 are two distinct hash functions on n-bit blocks (yielding n-bit blocks). Then, we can define a PRNG as follows:
  S = {0, 1}^n;
  δ = h_1;
  g = h_2.

If h_1 and h_2 are one-way functions, then the above PRNG fulfills (R3).

Remark 2
If h_1 = h_2 in the above example, then the PRNG does not fulfill (R2) because one can easily obtain the successor of a random value from the current random value.


Examples of pure PRNGs

Example 6 (Blum-Blum-Shub PRNG (BBS))

Let p and q be two large distinct m-bit primes with p ≡ q ≡ 3 (mod 4) and n = pq. Then, we can define a PRNG as follows:
  S = Z_n;
  δ(x) = x^2 mod n;
  g(x) = x mod 2 (the least significant bit of x).

The generator is seeded with a quadratic residue x_0 modulo n (that is, x_0 = r^2 mod n, for some r ∈ Z_n^*).

Remark 3
The BBS generator is slow due to the modular multiplication it uses.
It can be shown that BBS is cryptographically secure in the sense that the next output bit is unpredictable. Moreover, this property holds true even if BBS outputs not only the least significant bit but also the least log log m significant bits.
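Definition 1 together with Examples 2, 5 and 6, as an added Python example (not code from the slides): a pure PRNG object (S, O, δ, g), an LCG with the maximum-period test from Example 2, the hash-based generator of Example 5 with the h_1 = h_2 flaw of Remark 2, and BBS. All parameters are constructed toy values; the SHA-256 prefixes used to obtain two distinct hash functions are an assumption of this example.

```python
import hashlib
from math import gcd
from typing import Callable, List


class PurePRNG:
    """Definition 1: G = (S, O, delta, g); from seed s_0 it emits r_i = g(s_i), s_i = delta(s_{i-1})."""

    def __init__(self, delta: Callable, g: Callable, seed):
        self.delta, self.g, self.state = delta, g, seed

    def take(self, count: int) -> List:
        out = []
        for _ in range(count):
            self.state = self.delta(self.state)
            out.append(self.g(self.state))
        return out


def lcg(m: int, a: int, c: int, seed: int) -> PurePRNG:
    """Example 2: delta(x) = ax + c mod m with output g(x) = x/m."""
    return PurePRNG(lambda x: (a * x + c) % m, lambda x: x / m, seed)


def lcg_has_full_period(m: int, a: int, c: int) -> bool:
    """The three maximum-period conditions of Example 2 (Hull-Dobell)."""
    if gcd(c, m) != 1:
        return False
    rest, p, primes = m, 2, set()          # collect the prime factors of m
    while p * p <= rest:
        while rest % p == 0:
            primes.add(p)
            rest //= p
        p += 1
    if rest > 1:
        primes.add(rest)
    if any((a - 1) % p != 0 for p in primes):
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0


def lcg_cycle_length(m: int, a: int, c: int, seed: int) -> int:
    """Walk the states from seed until one repeats; the distance between the two visits
    is the period actually reached (m for a full-period generator)."""
    seen, x, step = {}, seed, 0
    while x not in seen:
        seen[x] = step
        x = (a * x + c) % m
        step += 1
    return step - seen[x]


def bbs(p: int, q: int, r: int) -> PurePRNG:
    """Example 6: n = pq with p = q = 3 (mod 4); delta(x) = x^2 mod n, g(x) = x mod 2,
    seeded with the quadratic residue x_0 = r^2 mod n."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 modulo 4")
    n = p * q
    return PurePRNG(lambda x: x * x % n, lambda x: x & 1, r * r % n)


def _h1(s: bytes) -> bytes:
    return hashlib.sha256(b"state|" + s).digest()


def _h2(s: bytes) -> bytes:
    return hashlib.sha256(b"output|" + s).digest()


def hash_prng(seed: bytes, distinct: bool = True) -> PurePRNG:
    """Example 5: delta = h_1, g = h_2 (two domain-separated SHA-256 instances), or the
    flawed variant h_1 = h_2 of Remark 2 when distinct=False."""
    return PurePRNG(_h1, _h2 if distinct else _h1, seed)


def next_output_predictable(seed: bytes, distinct: bool) -> bool:
    """Remark 2 check: with h_1 = h_2, s_{i+1} = h_1(s_i) = r_i, so r_{i+1} = h_1(r_i) and an
    observer of r_i alone computes the next output, violating (R2)."""
    r1, r2 = hash_prng(seed, distinct).take(2)
    return _h1(r1) == r2
```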

Hybrid PRNGs
In a hybrid PRNG, the update of the current internal state takes into consideration not only the current state but also an additional input from some finite set E_∞ = E ∪ {∞}. When the element ∞ is used, the update of the current state is performed on the basis of the current state only. Therefore, if E_∞ = {∞} then the hybrid PRNG is in fact a pure PRNG.

Definition 7
A hybrid PRNG is a 5-tuple G = (S, O, E, δ, g), where S, O, and g are as in the case of a pure PRNG, E is a finite set (not including ∞), and δ is a function from S × E_∞ into S with the property δ(s, ∞) = s, for any s ∈ S.

The generation of a sequence of elements by G follows the same line as in the case of a pure PRNG, with the difference that a state s is updated by the following procedure:
  generate, according to some probability distribution, an element e ∈ E;
  compute the new current state s' = δ(s, e).


Requirement (R4)
In the case of a pure PRNG, the knowledge of an internal state may compromise the generator. This might not be the case for a hybrid PRNG because the generation of a new state takes into account external inputs. But it may be desirable to add one more requirement:

(R4) The knowledge of the internal state shall not allow one to practically compute the next random numbers or to guess these values with non-negligibly larger probability than without knowledge of the internal state.

Whether (R4) is met depends on the randomness of the external input.


Examples of hybrid PRNGs

Example 8 (ANSI X9.17 PRNG)

We consider the cryptosystem two-key EDE 3DES and define the following PRNG:
  S = {0, 1}^64 × {0, 1}^128;
  E = {0, 1}^64;
  δ((x, K), t) = ({{x ⊕ {t}_K}_K ⊕ {t}_K}_K, K);
  g(x, K) = {x ⊕ {t}_K}_K.

The external input t is the 64-bit representation of the current (date and) time (the (date and) time just before the generation of a new state).
This PRNG does not fulfill (R3) if the adversary knows the exact time when the random numbers are generated (that is, if the adversary knows t).


Key Derivation Functions

A key derivation function (KDF) takes a source of initial keying material and derives from it one or more cryptographically strong secret keys
The main difficulty in designing a KDF relates to the form of the initial keying material
Two types of initial keying material:
  “large” initial keying material
  passwords (password-based KDF (PBKDF))

More on this in class !


Key Establishment
Key establishment = protocol whereby a shared secret becomes available to two or more parties (for subsequent cryptographic use)

Key establishment may use:
  pre-shared secrets or keys
  centralized or trusted parties (trusted third party (TTP), trusted server, authentication server, key distribution center (KDC), key translation center (KTC), certification authority (CA)). They may be:
    in-line
    on-line
    off-line
  symmetric or asymmetric cryptography


Key Establishment
Requirements:
  (mutual) entity authentication
  (mutual) data origin authentication
  implicit key authentication
  (mutual) key confirmation
  explicit key authentication
  key confidentiality, key freshness, joint key control


Key Establishment
General classification:
  key distribution
    point-to-point techniques - communicating parties involved directly
    centralized techniques - trusted (third) party involved
  key agreement - mainly used to establish keying material

Some techniques may benefit from keying material issued in advance, at initialization of the system; these are called pre-distribution techniques


Needham-Schroeder Shared-key Protocol

Notations: T is a KDC, encryption is symmetric, and K_XT is the key shared by X and T
Protocol:
  1. A→T : (N_A) A, B, N_A
  2. T→A : {N_A, B, K, {K, A}_{K_BT}}_{K_AT}
  3. A→B : {K, A}_{K_BT}
  4. B→A : (N_B) {N_B}_K
  5. A→B : {N_B − 1}_K
Goal: A requests from T a communication key with B, and then transports the key to B
Properties: key authentication (due to the trusted server T), key confirmation, and entity authentication of A to B
Remark: no longer recommended (important primarily for historical reasons); it is the basis for many server-based authentication and key distribution protocols such as Kerberos and Otway-Rees

Needham-Schroeder-Lowe Public-key Protocol

Notations: K_X is the public key of X

Protocol:
  1. A→B : (N_A) {N_A, A}_{K_B}
  2. B→A : (N_B) {N_A, N_B, B}_{K_A}
  3. A→B : {N_B}_{K_B}

Goal: A and B agree on (N_A, N_B) as the source keying material

Properties: entity authentication of B to A, assurance that B knows N_A, assurance that A knows N_B


Diffie-Hellman Protocol

Notations: p is a (public) large prime and α is a (public) primitive root modulo p. All operations below are mod p

Protocol:
  1. A→B : (x ← {2, ..., p − 2}) α^x
  2. B→A : (y ← {2, ..., p − 2}) α^y

Goal: A and B agree on α^{xy} as the source keying material

Properties: vulnerable to man-in-the-middle attack


Station-to-Station Protocol

Notations: p is a (public) large prime, α is a (public) primitive root modulo p, and sig_X(m) is X’s RSA signature on a hash value of m. All operations below are mod p
Protocol:
  1. A→B : (x ← {2, ..., p − 2}) α^x
  2. B→A : (y ← {2, ..., p − 2}) α^y, {sig_B(α^y, α^x)}_K
  3. A→B : {sig_A(α^x, α^y)}_K

where K = α^{xy}
Goal: A and B agree on α^{xy} as the source keying material
Properties: mutual entity authentication and mutual explicit key authentication
Remark: there are several variations of this protocol such as full STS (certificates included) and STS-MAC ({·}_K replaced by MAC_K)

Certifying Public-keys

Public keys for encryption or signature verification must be certified !

A public-key certificate binds an identity to a particular public key value

Core elements of a public-key certificate:
  name of owner
  public-key value
  validity time period
  signature (of the creator of the certificate)

Examples: X.509 v3


Managing Certificates

Certification Authority (CA)

Certifying the certifiers:
  cross certification
  certificate hierarchies
  certificate chains

Revocation
  certificate revocation list (CRL)
  on-line certificate status protocol (OCSP)


Public Key Infrastructures (PKIs)

1. PKIs are currently the primary means for practical deployment of public key encryption (PKE) schemes
2. PKIs support the management of public keys and certificates
3. Some PKI problems:
   1. Difficulty in retrieving keys and certificates
   2. Questionable value of certified key representations
   3. Certificate processing complexity
   4. Costly certificates
   5. Problematic cross-domain trust management
   6. Naming semantics
   7. Use with insecure clients
   8. Privacy compromises


PKI: Usability Studies

1. Why Johnny Can’t Encrypt: A Usability Case Study of PGP 5.0, by A. Whitten and J.D. Tygar, 1999
2. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express, by S.L. Garfinkel and R.C. Miller, 2005
3. Why Johnny Still Can’t Encrypt: Evaluating the Usability of Email Encryption Software, by S. Sheng, L. Broderick, C.A. Koranda, and J.L. Hyland, 2006
4. Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System, by S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze, 2011


Other Techniques

Techniques based on secret sharing

Quantum key distribution

Identity-based encryption !
Voltage security: http://www.voltage.com/


Key Storage
Techniques for storing secret keys:

Inside a tamper-resistant hardware security module (HSM)

On a smart card or other token, encrypted with another key

In a database

Local Master Key (LMK):

Used to encrypt other keys

It is usually a strong key

Stored inside an HSM

Key Update, Revocation, and Destruction

In all cryptographic systems there should be facilities to change keys on a
regular basis (updates) or when keys are compromised (revocation)

Keys, when no longer needed, must be destroyed in a secure manner

ANSI X9.17: “Paper-based keying materials shall be destroyed by crosscut,
shredding, burning or pulping. Keying material stored on other media shall be
destroyed so that it is impossible to recover by physical or electronic means.”

Key Use
Techniques for controlling the use of keys:

Key tags: a simplified method for specifying allowed uses of keys

Key variants: keys derived from a base key (for instance, K ⊕ v or {r}K ,
where v and r are random)

Key notarization: prevents key substitution by requiring explicit
identification of the parties

Control vectors: usually combine key tags and key notarization

On-going research: use access control models



Access Control: Basic Concepts

Prof.Dr. Ferucio Laurenţiu Ţiplea

Department of Computer Science


Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Outline

1 Introduction

2 Users, Subjects, Objects, Operations, and Permissions

3 Policies, Models, and Mechanisms


Introduction

Access Control: Who Can Do What

Access control – guards, gates, locks

Access control in computing – the way in which users can access
resources in a computer system

Access control – the most fundamental and most pervasive security
mechanism in use today

Access control shows up in virtually all systems, can take many forms, and
acts at different levels:
Hardware
Operating system
Middleware
Application

Formal study of access control: early 1970s

Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Access Control: Basic Concepts : : 3 / 14


Access Control: Who Can Do What

Access control is critical to preserving the confidentiality and integrity of
information

Access control is also important to preserving availability

Authorization and authentication are fundamental to access control:

authentication: process of determining who you are

authorization: process of determining what you are allowed to do



Users, Subjects, Objects, Operations, and Permissions

Users, Subjects, Objects, Operations, Permissions

User – a person who interacts with the computer system

Subject – a computer process acting on behalf of a user

Object – a resource accessible on a computer system

Operation – an active process invoked by a subject

Permission (privilege, right) – authorization to perform some action on the
system

Users, Subjects, Objects, Operations, and Permissions

Remark 1
Subjects/Objects/Operations/Permissions may be different in different
systems or application contexts:
in operating systems, objects are typically files, directories or programs
in database systems, objects can be relations, views etc.

Traditionally, subjects are viewed as active entities (they request access
to objects)

Traditionally, objects are viewed as passive entities (they contain or
receive information and should be protected from subjects)

However, subjects may themselves be objects

Principle of Least Privilege


Principle of least privilege: “Every program and every privileged user of the
system should operate using the least amount of privilege necessary to
complete the job”

J. H. Saltzer. Protection and the control of information sharing in Multics,
Communications of the ACM, vol. 17, no. 7, 1974, 388–402.

Benefits:

Better stability
Better security
Ease of deployment

In practice, the principle is neither definable nor possible to enforce


Policies, Models, and Mechanisms

Policies, Models, and Mechanisms


The development of an Access Control System (ACS) is based on:

(Security) Policy – defines the high-level requirements that specify how
access is managed and who, under what circumstances, may access
what information

(Security) Model – provides a formal representation of the access control
policy and its working. A model allows properties to be proved

(Security) Mechanism – defines the low-level (software and hardware)
functions that implement a policy

Policies
Three main classes of security policies:

Discretionary (DAC) – enforce access control on the basis of the identity
of the requester and explicit access rules that establish who can or
cannot execute which actions on which resources

Mandatory (MAC) – enforce access control on the basis of regulations
mandated by a central authority

Role-based (RBAC) – enforce access control decisions on the functions a
user is allowed to perform within an organization (users cannot pass
access permissions on to other users at their discretion)

Models
Security models based on:

Matrices

Graphs

Partial orders

Logics

Mechanisms
Modern access control mechanisms are based on the reference monitor
concept introduced in 1972 by Anderson:

J. Anderson. Computer Security Technology Planning Study,
ESD-TR-73-51, US Air Force Electronic Systems Division, Oct 1972, 142
pages.

Reference monitor: hardware and software portion of an operating system
that is responsible for the enforcement of the security policy of the system

Reference Monitor

Figure: Reference monitor – subjects send their access requests to the
reference monitor, which mediates every access to the objects, consults the
access control database and records its decisions in the audit file

Reference Monitor
Fundamental implementation principles of a reference monitor:

Completeness – it must always be invoked and impossible to bypass
Isolation – it must be tamper-proof
Verifiability – it must be shown to be properly implemented

Additional design principles of an access control system:

Flexibility – the system should be able to enforce the access control
policies of the host enterprise
Manageability – the system should be intuitive and easy to manage
Scalability – with respect to the number of users and resources

Reference Monitor
The reference monitor can be implemented using various topologies:

System-wide enforcement of the reference monitor

Enforcement of the reference monitor at the resource manager level

Application-based reference monitor



Discretionary Access Control Models

Prof.Dr. Ferucio Laurenţiu Ţiplea

Department of Computer Science


Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Outline

1 Introduction to DAC

2 The Access-matrix Model

3 Other Models
The Take-grant Model
The Schematic Model

4 Concluding Remarks on DAC Models


Introduction to DAC

Discretionary Access Control

Basic features:

DAC models enforce access control on the basis of the identity of
requesters

DAC models are called “discretionary” as users can be given the ability of
passing on their privileges to other users

DAC mechanisms usually include a concept of object ownership

DAC models:

Take-grant model

Access-matrix model

Schematic model

Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Discretionary Access Control Models : : 3 / 45


The Access-matrix Model

The Access-matrix Model


The most general DAC model was proposed in 1976:

M.A. Harrison, W.L. Ruzzo, J.D. Ullman. Protection in Operating
Systems, Communications of the ACM, vol. 19, no. 8, 1976, 461–471.

It is called the access control matrix model, the access-matrix model, or the
HRU model.

Basic features:
It is a state-transition system
States are matrices where each row corresponds to a subject, each
column corresponds to an object, and a cell specifies the rights a subject
has over an object
Transitions between states are performed by commands
Subjects are objects too

States in the Access-matrix Model


In what follows, R denotes a non-empty finite set of rights.

Definition 1
A state over R is a triple Q = (S, O, A), where S and O are non-empty finite sets
of subjects and objects, respectively, and A is an | S | × | O |-matrix whose
elements are subsets of R.

Example 2
Let S = {process1, process2}, O = {process1, process2, file}, and A given below:

              process1   process2   file
   process1   ∅          {r}        {r, w}
   process2   {r, x}     ∅          {r}

The triple (S, O, A) is a state over R = {r, w, x}.

Primitive Operations
Vsub = set of variables of type subject, Vob = set of variables of type object

Definition 3
A primitive operation over R is a construct of the one of the following types:
1 enter r into (Xs , Xo )
2 delete r from (Xs , Xo )
3 create subject Xs
4 create object Xo
5 destroy subject Xs
6 destroy object Xo

where r ∈ R, Xs ∈ Vsub , and Xo ∈ Vob .

Commands

Definition 4
A command over R is a construct of one of the following two forms:

command α(X1, . . . , Xk)
  if r1 in (Xs1, Xo1) and
     ···
     rm in (Xsm, Xom)
  then op1, . . . , opn
end

command α(X1, . . . , Xk)
  op1, . . . , opn
end

where m, n ≥ 1 (the second form has no conditions), r1, . . . , rm ∈ R,
X1, . . . , Xk ∈ Vsub ∪ Vob, 1 ≤ s1, . . . , sm, o1, . . . , om ≤ k, Xsi ∈ Vsub and Xoi ∈ Vob
for all 1 ≤ i ≤ m, and op1, . . . , opn are primitive operations over R whose variables
are among X1, . . . , Xk.

Definition 5
A protection system over R is a finite set C of commands over R.

Examples of Commands

Example 6
command CREATE(process, file)
create object file
enter own into (process, file)
end

Example 7
command CONFER_READ(owner, friend, file)
if own in (owner, file)
then
enter r into (friend, file)
end

Examples of Commands

Example 8
command REMOVE_READ(owner, exfriend, file)
if own in (owner, file) and
r in (exfriend, file)
then
delete r from (exfriend, file)
end

Substitution

A substitution assigns values to variables according to their types:

subjects to subject-type variables, and

objects to object-type variables.

Substitutions can be applied homomorphically to primitive operations and
commands.

Example 9
Let S be a set of subjects and O be a set of objects. If σ(X) = s ∈ S and
σ(X′) = o ∈ O, then

σ(enter r into (X, X′)) = enter r into (s, o)

Transition Relation
Given an operation op and a substitution σ, define the binary relation ⇒σ(op)
on states by
(S, O, A) ⇒σ(op) (S′, O′, A′)
if and only if one of the following properties holds:
1 if op = enter r into (X, Y), then σ(X) ∈ S, σ(Y) ∈ O, S′ = S, O′ = O, and
   A′(s, o) = A(s, o) ∪ {r}, if (s, o) = (σ(X), σ(Y))
   A′(s, o) = A(s, o),        otherwise

2 if op = delete r from (X, Y), then σ(X) ∈ S, σ(Y) ∈ O, S′ = S, O′ = O, and
   A′(s, o) = A(s, o) − {r}, if (s, o) = (σ(X), σ(Y))
   A′(s, o) = A(s, o),        otherwise

3 if op = create subject X, then σ(X) ∉ O, S′ = S ∪ {σ(X)}, O′ = O ∪ {σ(X)},
and
   A′(s, o) = A(s, o), if (s, o) ∈ S × O
   A′(s, o) = ∅,       otherwise
4 if op = create object Y, then σ(Y) ∉ O, S′ = S, O′ = O ∪ {σ(Y)}, and
   A′(s, o) = A(s, o), if (s, o) ∈ S × O
   A′(s, o) = ∅,       otherwise
5 if op = destroy subject X, then σ(X) ∈ S, S′ = S − {σ(X)}, O′ = O − {σ(X)},
and A′(s, o) = A(s, o), for all (s, o) ∈ S′ × O′;
6 if op = destroy object Y, then σ(Y) ∈ O − S, S′ = S, O′ = O − {σ(Y)}, and
A′(s, o) = A(s, o), for all (s, o) ∈ S′ × O′.
Define now
(S, O, A) ⇒op (S′, O′, A′) ⇔ ∃σ : (S, O, A) ⇒σ(op) (S′, O′, A′)

Transition Relation
Given a command α and a substitution σ, define the binary relation ⇒σ(α) on
states by
(S, O, A) ⇒σ(α) (S′, O′, A′)
if and only if one of the following properties holds:
1 if the test of σ(α) is not satisfied at (S, O, A), then (S′, O′, A′) = (S, O, A);
2 if the test of σ(α) is satisfied at (S, O, A), then there exist Q0, Q1, . . . , Qn
such that
(S, O, A) = Q0 ⇒σ(op1) Q1 ⇒σ(op2) · · · ⇒σ(opn) Qn = (S′, O′, A′)
where op1, . . . , opn is the body of α.
Define now
(S, O, A) ⇒α (S′, O′, A′) ⇔ ∃σ : (S, O, A) ⇒σ(α) (S′, O′, A′)
and
(S, O, A) ⇒ (S′, O′, A′) ⇔ ∃α : (S, O, A) ⇒α (S′, O′, A′)

Safety

Definition 10
Let C be a protection system over R, Q a state of C, r ∈ R, and α a command
of C. We say that α leaks r from Q if there exists a substitution σ such that:
1 the test of σ(α) is satisfied at Q;
2 there exist Q0, Q1, . . . , Qi such that:
Q0 = (S0, O0, A0) ⇒σ(op1) Q1 = (S1, O1, A1) ⇒σ(op2) · · · ⇒σ(opi) Qi = (Si, Oi, Ai);
r ∈ Ai(s, o) − Ai−1(s, o) for some s and o,

where op1, . . . , opi, . . . , opn is the body of α and 1 ≤ i ≤ n.

Definition 11
Let C be a protection system over R, Q a state of C, and r ∈ R. We say that C
leaks r from Q if there exists a command of C that leaks r from Q.


Definition 12
Let C be a protection system over R, Q a state of C, and r ∈ R. We say that Q
is unsafe for r if there exists a state Q′ reachable from Q such that C leaks r
from Q′.

We say that Q is safe for r if it is not unsafe for r.

The safety problem for protection systems is the problem of deciding, given a
protection system C over some set R of rights, a state Q of C, and a right r ∈ R,
whether Q is safe for r.

Remark 1
We emphasize that “leaks” are not necessarily “bad”. Any interesting
protection system has commands able to leak some rights. However, these
leaks should not occur at unauthorized states.
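The state, the six primitive operations, commands with substitutions and the leak test of Definitions 1 to 12, run over the commands of Examples 6 to 8, as an added Python example (this is not code from the slides; the class and function names, and the processes p1, p2 and the file f used in demo, are constructed here):

```python
class State:
    """Protection state (S, O, A) of Definition 1; A maps (subject, object) to a set of rights."""
    def __init__(self, subjects, objects, A=None):
        self.S, self.O = set(subjects), set(objects)
        self.A = {cell: set(rs) for cell, rs in (A or {}).items()}
    def rights(self, s, o):
        return self.A.get((s, o), set())
    def clone(self):
        return State(self.S, self.O, self.A)

def primitive(q, op, *args):
    """One primitive operation of Definition 3, with the side conditions of the transition
    relation; returns a new state and leaves q untouched so every intermediate Qi survives."""
    new = q.clone()
    if op in ("enter", "delete"):
        r, s, o = args
        if s not in q.S or o not in q.O:
            raise ValueError("%s: (%s, %s) is not a cell of A" % (op, s, o))
        cell = new.A.setdefault((s, o), set())
        if op == "enter":
            cell.add(r)
        else:
            cell.discard(r)
    elif op in ("create subject", "create object"):
        x, = args
        if x in q.O:
            raise ValueError("%s: %s already exists" % (op, x))
        new.O.add(x)
        if op == "create subject":
            new.S.add(x)  # subjects are objects too
    elif op == "destroy subject":
        x, = args
        if x not in q.S:
            raise ValueError("destroy subject: %s is not a subject" % x)
        new.S.discard(x)
        new.O.discard(x)
        new.A = {cell: rs for cell, rs in new.A.items() if x not in cell}
    elif op == "destroy object":
        x, = args
        if x not in q.O or x in q.S:
            raise ValueError("destroy object: %s is not a pure object" % x)
        new.O.discard(x)
        new.A = {cell: rs for cell, rs in new.A.items() if cell[1] != x}
    else:
        raise ValueError("unknown primitive operation %r" % op)
    return new

class Command:
    """Definition 4.  conditions: (right, subject variable, object variable) triples;
    body: (operation, argument, ...) tuples whose arguments are right names or variables."""
    def __init__(self, name, conditions, body):
        self.name, self.conditions, self.body = name, conditions, body
    def test(self, q, sigma):  # sigma: substitution, variable name -> entity
        return all(r in q.rights(sigma[xs], sigma[xo]) for r, xs, xo in self.conditions)
    def steps(self, q, sigma):
        """Yield Q0, Q1, ..., Qn for sigma(alpha); the caller has checked the test."""
        yield q
        for op, *args in self.body:
            q = primitive(q, op, *[sigma.get(a, a) for a in args])
            yield q
    def run(self, q, sigma):
        if not self.test(q, sigma):  # clause 1: the test fails, the state is unchanged
            return q
        *_, last = self.steps(q, sigma)  # clause 2: execute the body
        return last

def leaks(cmd, q, r, sigma):
    """Definition 10: sigma(cmd) leaks r from q if its test holds and some step of the body
    puts r into a cell that did not contain it just before that step."""
    if not cmd.test(q, sigma):
        return False
    prev = None
    for cur in cmd.steps(q, sigma):
        if prev is not None and any(r in rs and r not in prev.rights(*cell)
                                    for cell, rs in cur.A.items()):
            return True
        prev = cur
    return False

# The commands of Examples 6-8 in the representation above.
CREATE = Command("CREATE", [],
                 [("create object", "file"), ("enter", "own", "process", "file")])
CONFER_READ = Command("CONFER_READ", [("own", "owner", "file")],
                      [("enter", "r", "friend", "file")])
REMOVE_READ = Command("REMOVE_READ", [("own", "owner", "file"), ("r", "exfriend", "file")],
                      [("delete", "r", "exfriend", "file")])

def demo():
    """Constructed run: p1 creates f, confers r on p2, p2 fails to confer r on p1 (it does
    not own f, so nothing changes), then p1 withdraws p2's read right."""
    q0 = State({"p1", "p2"}, {"p1", "p2"})
    q1 = CREATE.run(q0, {"process": "p1", "file": "f"})
    q2 = CONFER_READ.run(q1, {"owner": "p1", "friend": "p2", "file": "f"})
    q3 = CONFER_READ.run(q2, {"owner": "p2", "friend": "p1", "file": "f"})
    q4 = REMOVE_READ.run(q3, {"owner": "p1", "exfriend": "p2", "file": "f"})
    return q1, q2, q3, q4
```

Running leaks over the second state shows that CONFER_READ leaks r from q1 (the read right appears in a cell that lacked it) but not from q2, where p2 already reads f.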

Deciding safety

Theorem 13
The safety problem for bi-conditional (i.e., at most two conditions) monotonic
(i.e., without delete and destroy operations) protection systems is
undecidable.

Theorem 14
The safety problem for mono-conditional protection systems without
destroy-operations is decidable.

Most practical systems require multi-conditional commands !

Implementation
Access control matrix implementations do not scale well: a bank with 50,000
staff and 300 applications would have an access control matrix of 15 million
entries !
We need compact ways of storing and managing access control matrices.
Two main ways of doing this are:
1 use groups (roles) to manage the privileges (rights) of large sets of users
simultaneously (role-based access control - RBAC);

2 store the matrix either by columns (access control lists - ACL) or rows
(capability lists).

Access Control Lists

Definition 15
An access control list (ACL) is a column of the access control matrix
(therefore, associated to an object - the ACL associated to o is denoted ACLo ,
and it is stored along with o).

Advantages and disadvantages of ACLs:

suited to environments where users manage their own file security;

less suited where the user population is large and constantly changing;

less suited where users want to be able to delegate their authority to run
a particular program to another user for some set period of time;


Advantages and disadvantages of ACLs (continued):

simple to implement;

security checking at runtime is difficult (usually, the operating system
knows which user is running a particular program, rather than which files
it has been authorized to access);

tedious to find all the files to which a user has access;

tedious to run system-wide checks, such as verifying that no files have
been left world-writable by users whose access was revoked.

Access Control Lists in Unix


In Unix:
every file or folder has associated access permissions. There are three
types of permissions:
read access
write access
execute access

permissions are defined for three types of users:
the owner of the file
the group that the owner belongs to
anyone else (world)

Each permission type has exactly two values, allowed or denied,
specified by a bit.


Example 16
ACL for a file:

-rw-r----- Alice Accounts

The first bit specifies that the ACL is for a file, the next three bits give the
access rights for the owner, the next three bits for the group, and the last three
bits for anyone else. Then follow the owner name and the group name.

Example 17
ACL for a folder:

drwxrwxrwx Alice Accounts

The first bit specifies that the ACL is for a folder (directory); the next bits have
the same meaning as above.


How is an ACL associated with a program in Unix?
Unix does not provide any direct method for doing this. However, there are two
attributes, suid (set user id) and sgid (set group id), which help here:

the owner of the program marks the program as suid (the bit x in the owner
ACL is set to s, meaning both x and suid, or to S, meaning only suid);
then, the program is placed in some folder where some user Alice has
access;
Alice can run the program with the privileges of its owner.

(things are similar for sgid).

This method leads to serious security holes.
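The mode strings of Examples 16 and 17 and the suid delegation just described, as an added Python example that is not part of the slides (parse_mode, check_access, runs_as and world_writable are names chosen here; Alice, Bob, Carol and their groups are constructed). It parses the permission bits, answers access questions for a user, reports which identity a program would run as, and performs the world-writable check mentioned under ACLs.

```python
CLASSES = ("owner", "group", "other")

def parse_mode(mode):
    """Parse a ten-character mode string such as '-rw-r-----' (Example 16).
    Returns (kind, perms, flags): kind is 'file' or 'directory', perms maps each
    class to its subset of {'r', 'w', 'x'}, flags contains 'suid' and/or 'sgid'."""
    if len(mode) != 10:
        raise ValueError("mode string must have 10 characters: %r" % mode)
    kinds = {"-": "file", "d": "directory"}
    if mode[0] not in kinds:
        raise ValueError("unsupported entry type %r" % mode[0])
    perms, flags = {}, set()
    for cls, start, flag in zip(CLASSES, (1, 4, 7), ("suid", "sgid", None)):
        r, w, x = mode[start:start + 3]
        got = set()
        if r == "r":
            got.add("r")
        if w == "w":
            got.add("w")
        if x in "xst":          # 's' = execute bit plus set-id bit; 't' = execute plus sticky
            got.add("x")
        if x in "sS" and flag:  # 'S' = set-id bit without the execute bit
            flags.add(flag)
        perms[cls] = got
    return kinds[mode[0]], perms, flags

def access_class(owner, group, user, user_groups):
    """Unix picks exactly one class: the owner, else the group, else everyone else."""
    if user == owner:
        return "owner"
    if group in user_groups:
        return "group"
    return "other"

def check_access(mode, owner, group, user, user_groups, want):
    """True iff `user` holds every permission letter in `want` on the entry."""
    _, perms, _ = parse_mode(mode)
    return set(want) <= perms[access_class(owner, group, user, user_groups)]

def runs_as(mode, owner, group, user, user_groups):
    """Identity a program runs with when `user` executes it: the owner when the
    suid bit is set (the delegation the slide describes), otherwise the user;
    None when the user may not execute it at all."""
    _, perms, flags = parse_mode(mode)
    if "x" not in perms[access_class(owner, group, user, user_groups)]:
        return None
    return owner if "suid" in flags else user

def world_writable(mode):
    """The system-wide check mentioned for ACLs: is the entry writable by anyone?"""
    return "w" in parse_mode(mode)[1]["other"]
```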

Access Control Lists in Windows NT


In Windows NT, the access control is richer than in Unix, but not fundamentally
different:
There are six types of permissions:
read access
write access
execute access
delete
change permissions (i.e., modify the ACL)
take ownership (make the current account the new owner)

permissions are defined for users and groups. Each permission type has
three values, Access denied, Access allowed, and System audit.

ACLs are associated with items (i.e., files or directories), and each ACL is a list of
entries of the form
· · · (user/group, permissions) · · ·

Capability Lists

Definition 18
A capability list (C-list) is a row of the access control matrix (therefore,
associated to a subject - the C-list associated to s is denoted Cs , and it is
stored along with s).

In practice, it is more convenient to store a C-list Cs as a list of pairs (o, r),
where o is an object and r is a right (permission). Such a pair will be called a
capability; then, Cs becomes a list of capabilities. Each capability acts like a
ticket for s to access o with permission r. Therefore, capabilities are
authentication tags.
This technique is used in EROS (Extremely Reliable Operating System), the
Hydra operating system (CMU), IBM System/38 and AS/400, the Amoeba
distributed operating system etc.

Problems with capabilities:

how to represent object o in capability (o, r)?
The use of o’s address might not be a good idea if the address changes.
A solution would be to use random bit strings, hash tables, and
translation techniques (naming schemes);

how to make capabilities unforgeable? There are a number of
possibilities:
hardware tags: 1-bit tag associated to the capability, showing that the
capability can/cannot be changed or copied;
protected address space: store capabilities in parts of memory that are not
accessible to programs;
language-based security: use of a programming language to enforce
restrictions on access and modification to capabilities;
cryptography: use encryption.

Other Models The Take-grant Model

The Take-grant Model

The take-grant model has been proposed in:

A.K. Jones, R.J. Lipton, L. Snyder: A Linear Time Algorithm for Deciding
Security, Proc. of 17th Annual Symp. on Found. of Comp. Sci., 1976.

Basic features:

Take-grant systems are state-transition systems
Subjects are not objects
States are directed graphs whose nodes are subjects and objects, and
whose arcs are labeled by sets of rights
There are two special rights: take (t) and grant (g):
if x has the right take for y, then x can “borrow” from y all of y’s abilities (rights)
if x has the right grant for y, then x can “lend” to y all of x’s abilities (rights)

Take-grant States

Example 19

Figure: Take-grant state (nodes user, mount, root, file1, file2 and device;
arcs labelled t, x, and r, w)

Meaning:
Dark circles stand for subjects
Open circles stand for objects
Gray circles denote either a subject or an object
An arc from x to y labeled α says that x has rights r ∈ α for y

Transitions in Take-grant Systems

The transition relation in take-grant systems is guided by four rules:

Take: x take r for z from y
before: x –t→ y –r→ z
after:  x –t→ y –r→ z and x –r→ z

Grant: x grant r for z to y
before: x –g→ y, x –r→ z
after:  x –g→ y, x –r→ z and y –r→ z

Create: x create α for new subject/object y
before: x
after:  x –α→ y (y is a new node)

Remove: x remove r for y
before: x –α→ y
after:  x –(α − r)→ y

Safeness in Take-grant Systems

Define the predicate can.share(r, x, p, G)

can.share(r, x, p, G) ⇔ ∃G′ : G ⇒* G′ ∧ r ∈ G′(p, x)

where:

G and G′ are take-grant states (G ⇒* G′ means that G′ is reachable from G)
r is a right
x and p are nodes in G, and G′(p, x) is the label of the arc from p to x in G′

Definition 20
Let G be a take-grant state, r a right, and x and p nodes in G. G is called safe
for r and x w.r.t. p if can.share(r, x, p, G) does not hold.
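The four rules above and a restricted can.share test, as an added Python example (not code from the slides or from the paper by Jones, Lipton and Snyder; TGState, take_grant_closure and the constructed graph in demo_state are assumptions of this example). It applies take and grant to a fixed point; a True answer is conclusive, a False answer is not, because the create rule is not explored (Theorem 23 gives the complete characterisation).

```python
class TGState:
    """A take-grant state: a directed graph whose arcs carry sets of rights."""
    def __init__(self, subjects=(), objects=(), arcs=None):
        self.subjects, self.objects = set(subjects), set(objects)
        self.arcs = {pair: set(rs) for pair, rs in (arcs or {}).items()}
    def rights(self, x, y):
        return self.arcs.get((x, y), set())
    def clone(self):
        return TGState(self.subjects, self.objects, self.arcs)
    def require_subject(self, x, rule):
        if x not in self.subjects:
            raise ValueError("%s: only a subject may apply the %s rule" % (x, rule))

# The four rewriting rules.  Each returns a new state, or raises ValueError when the
# left-hand side of the rule (its precondition) is not present in the graph.
def take(g, x, r, z, y):
    """x take r for z from y: needs x -t-> y and y -r-> z; adds x -r-> z."""
    g.require_subject(x, "take")
    if "t" not in g.rights(x, y) or r not in g.rights(y, z):
        raise ValueError("take: precondition not met")
    new = g.clone()
    new.arcs.setdefault((x, z), set()).add(r)
    return new

def grant(g, x, r, z, y):
    """x grant r for z to y: needs x -g-> y and x -r-> z; adds y -r-> z."""
    g.require_subject(x, "grant")
    if "g" not in g.rights(x, y) or r not in g.rights(x, z):
        raise ValueError("grant: precondition not met")
    new = g.clone()
    new.arcs.setdefault((y, z), set()).add(r)
    return new

def create(g, x, alpha, y, subject):
    """x create alpha for new subject/object y: adds the node y and x -alpha-> y."""
    g.require_subject(x, "create")
    if y in g.subjects or y in g.objects:
        raise ValueError("create: %s already exists" % y)
    new = g.clone()
    (new.subjects if subject else new.objects).add(y)
    new.arcs[(x, y)] = set(alpha)
    return new

def remove(g, x, r, y):
    """x remove r for y: x -alpha-> y becomes x -(alpha - r)-> y."""
    g.require_subject(x, "remove")
    new = g.clone()
    new.arcs.get((x, y), set()).discard(r)
    return new

def take_grant_closure(g):
    """Apply take and grant until no new right appears.  Both rules only add rights,
    so this fixed point exists and is reached after finitely many passes."""
    g = g.clone()
    changed = True
    while changed:
        changed = False
        for (x, y), label in list(g.arcs.items()):
            if x not in g.subjects:
                continue
            for (a, b), held in list(g.arcs.items()):
                targets = []
                if "t" in label and a == y:   # x takes everything y holds for b
                    targets.append((x, b))
                if "g" in label and a == x:   # x grants y everything x holds for b
                    targets.append((y, b))
                for target in targets:
                    cell = g.arcs.setdefault(target, set())
                    if not held <= cell:
                        cell |= held
                        changed = True
    return g

def can_share_tg(r, x, p, g):
    """Restricted test for can.share(r, x, p, G): True when p obtains r for x by take
    and grant alone.  Create is not explored, so True is conclusive but False is not;
    Theorem 23 gives the complete characterisation."""
    return r in take_grant_closure(g).rights(p, x)

def demo_state():
    """Constructed state: subjects p, y, q, w and object z with p -t-> y, y -g-> q,
    y -r-> z; w is connected to nothing."""
    return TGState({"p", "y", "q", "w"}, {"z"},
                   {("p", "y"): {"t"}, ("y", "q"): {"g"}, ("y", "z"): {"r"}})
```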

Connected Nodes

Definition 21
Let G be a take-grant state and x and y two nodes of G.
1 x and y are directly connected if there is an arc between them.
2 x and y are directly tg-connected if there is an arc between them with a
label containing t or g.
3 A path (tg-path) is a sequence x0 , x1 , . . . , xn of nodes such that xi and xi+1
are directly connected (tg-connected), for any 0 ≤ i < n.
4 x and y are connected (tg-connected) if there is a path (tg-path) between
them.

Remark 2
We emphasize that if x and y are not connected in G then they cannot become
connected in any G′ obtained by rewriting G. This is because no rule adds
arcs between unconnected nodes.

Initial/Terminal Span, Island, Bridge

Let G be a take-grant state. With each tg-path associate one or more words
over the alphabet { t→, t←, g→, g← } in the obvious way: t→ (g→) stands for an
arc labelled t (g) traversed in the direction of the path, and t← (g←) for one
traversed against it.

Definition 22
Let G be a take-grant state.
1 An island of G is any subject-only tg-connected subgraph of G.

2 A node x initially spans to y if x is a subject and there is a tg-path between
x and y with an associated word in (t→)* g→ + λ.

3 A node x terminally spans to y if x is a subject and there is a tg-path
between x and y with an associated word in (t→)*.

4 A bridge is a tg-path with endpoints both subjects and with an associated
word in (t→)* + (t←)* + (t→)* g→ (t←)* + (t→)* g← (t←)*.

Deciding Safeness

Theorem 23
Let G be a take-grant state, r a right, and x and p nodes in G. Then,
can.share(r, x, p, G) is true if and only if r ∈ G(p, x) or there exist a node s, two
subjects p′ and s′, and islands I1, . . . , In such that:
1 r ∈ G(s, x);

2 p′ = p or p′ initially spans to p;

3 s′ = s or s′ terminally spans to s;

4 p′ is in I1, s′ is in In, and there is a bridge from Ij to Ij+1, for all 1 ≤ j < n.

Corollary 24
There is an algorithm for testing can.share that operates in linear time in the
size of the initial state (graph).
Other Models The Schematic Model

The Schematic Model


The schematic model has been proposed in:

R. S. Sandhu: The Schematic Protection Model: Its Definition and
Analysis for Acyclic Attenuating Schemes, Journal of the ACM 35(2),
1988, 404–432.

Why this model ?

To fill the gap between the HRU model, which is rich in expressive power
but intractable with respect to the safety question, and the take-grant
model, whose safety question is efficiently decidable but whose
applicability is limited.

How ?
The schematic model provides considerably more structure than HRU.

The Schematic Model: Types and Rights


Types:
subject types: TS
object types: TO
T = TS ∪ TO
τ(x): type of the entity x
subjects and objects are distinct entities

Rights:
inert rights: RI (do not affect the protection state)
control rights: RC (may change the protection state)
R = RI ∪ RC
copy flag c: rc means “r is copyable”, while r means “r is not copyable”
r : c denotes r or rc (rc subsumes r !)

The Schematic Model: Tickets


Tickets:

A ticket is a pair (x, r : c) (often written as x/r : c)

Abbreviation: x/r1 r2 c means {x/r1 c, x/r2 c}

τ(x/r : c) is defined as τ(x)/r : c

for a subject x, dom(x) is a set of tickets that x has

Presence of x/rc in dom(y) subsumes presence of x/r, but not vice versa !

The Schematic Model: States


States:

A state consists of a (finite) set of typed entities (subjects and objects)
together with their domains

Operations that change the current state:

copy: moves a copy of a ticket from the domain of one subject to the
domain of another, leaving the original ticket intact
create: introduces new subjects and objects into the system

The original formulation of the model included a third operation, demand.
However, this is formally redundant:

R. S. Sandhu: The Demand Operation in the Schematic Protection
Model, Information Processing Letters 32(4), 1989, 213–219.

The Schematic Model: The Copy Operation


The copy operation is guided by a link predicate linki and a filter function fi :

linki (x, y) is a disjunction or conjunction of atomic terms:

x/r ∈ dom(x), x/r ∈ dom(y), y/r ∈ dom(x), y/r ∈ dom(y),

where r ∈ RC;
fi : TS × TS→P(T × R)

One filter function is associated to each link predicate !

A ticket z/r : c can be copied from dom(x) to dom(y) iff there exists i such that:

z/rc ∈ dom(x);
linki (x, y) evaluates to true;
τ(z)/r : c ∈ fi (τ(x), τ(y))

The Schematic Model: The Create Operation


The create operation is guided by two predicates: cc (can create) and cr:

cc ⊆ TS × T

(a, b) ∈ cc means that a subject of type a can create an entity of type b

cr handles the tickets:

object creation: cr(a, b) ⊆ {b/r : c | r ∈ RI}
(when a subject x of type a creates an object y of type b, x gets y/r : c iff
b/r : c ∈ cr(a, b))
subject creation:
a ≠ b: cr(a, b) = crp(a, b) ∪ crc(a, b)
(as above, x gets y/r : c iff b/r : c ∈ crp(a, b), and y gets x/r : c iff a/r : c ∈ crc(a, b))
a = b: cr(a, b) ⊆ {a/r : c, self/r : c | r ∈ RI}
(as above, where self/r : c denotes tickets for the creator)

Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Discretionary Access Control Models : : 41 / 45


The Schematic Model: Examples

Example 25 (Owner-based policy)
Subject u can authorize subject v to access an object z iff u owns z:
TS = {user}, TO = {file}
RI = {r : c, w : c, a : c, x : c} (read, write, append, execute)
RC = ∅
link(u, v) = true, for all u and v of type user
f(user, user) = {file/xc}
cc = {(user, file)}
cr(user, file) = {file/rc, file/wc, file/xc}


The Schematic Model: Examples

Example 26 (The basic take-grant model)
TS = {user}, TO = {file}
RI = {x : c} (execute)
RC = {t : c, g : c}
link(u, v) = true iff v/g ∈ dom(u) or u/t ∈ dom(v)
f(user, user) = T × R
cc = {(user, file), (user, user)}
cr(user, file) = {file/xc}
cr(user, user) = {user/tgc, self/tgc}
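The copy and create rules of the schematic model, run on Example 25 (owner-based policy) and Example 26 (take-grant); this is added example code, not from the slides, and the entity names, the state representation and the helper functions are assumptions of the example.

```python
"""Schematic Protection Model: the copy and create rules of the slides,
run on Example 25 (owner-based policy) and Example 26 (take-grant).

Added example code, not from the slides. The entity names (alice, bob,
carol, report, doc) and the state representation are assumptions of this
example. Notation follows the slides: a ticket z/r:c is the right r over
entity z with the copy flag c, dom(x) is the set of tickets held by x and
tau(e) is the type of entity e.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ticket:
    entity: str   # z
    right: str    # r
    copy: bool    # copy flag c present?


@dataclass
class State:
    types: dict = field(default_factory=dict)   # entity -> type (tau)
    dom: dict = field(default_factory=dict)     # subject -> set of Tickets


class AllTickets:
    """The filter value T x R of Example 26: every (type, right, flag) passes."""

    def __contains__(self, item):
        return True


def holds(state, subject, entity, right):
    """Atomic link term entity/right in dom(subject), copy flag or not."""
    return any(t.entity == entity and t.right == right
               for t in state.dom.get(subject, ()))


def can_copy(state, links, ticket, x, y):
    """Copy rule: z/r:c may move from dom(x) to dom(y) iff for some i
    z/rc in dom(x), link_i(x, y) holds and tau(z)/r:c in f_i(tau(x), tau(y)).
    `links` is a list of (link_i, f_i) pairs: one filter per link predicate."""
    if Ticket(ticket.entity, ticket.right, True) not in state.dom.get(x, set()):
        return False
    tz, tx, ty = (state.types[e] for e in (ticket.entity, x, y))
    return any(link(state, x, y) and (tz, ticket.right, ticket.copy) in filt(tx, ty)
               for link, filt in links)


def copy_ticket(state, links, ticket, x, y):
    """Apply the copy operation; the original ticket stays in dom(x)."""
    if not can_copy(state, links, ticket, x, y):
        raise PermissionError(f"{x} may not copy {ticket} to {y}")
    state.dom.setdefault(y, set()).add(ticket)


def create_object(state, cc, cr, x, y, b):
    """Create rule for objects: x of type a creates object y of type b iff
    (a, b) in cc; x then gets y/r:c for every b/r:c in cr(a, b)."""
    a = state.types[x]
    if (a, b) not in cc:
        raise PermissionError(f"type {a} may not create type {b}")
    state.types[y] = b
    state.dom.setdefault(x, set()).update(
        Ticket(y, r, c) for (r, c) in cr.get((a, b), ()))


# Example 25 (owner-based): link(u, v) = true; f(user, user) = {file/xc}
OWNER_LINKS = [(lambda st, x, y: True,
                lambda tx, ty: {("file", "x", True)} if (tx, ty) == ("user", "user") else set())]
OWNER_CC = {("user", "file")}
OWNER_CR = {("user", "file"): {("r", True), ("w", True), ("x", True)}}

# Example 26 (take-grant): link(u, v) iff v/g in dom(u) or u/t in dom(v);
# f(user, user) = T x R
TG_LINKS = [(lambda st, x, y: holds(st, x, y, "g") or holds(st, y, x, "t"),
             lambda tx, ty: AllTickets() if (tx, ty) == ("user", "user") else set())]


def owner_based_demo():
    """alice creates report and may pass file/xc to bob, but not file/wc."""
    st = State(types={"alice": "user", "bob": "user"})
    create_object(st, OWNER_CC, OWNER_CR, "alice", "report", "file")
    copy_ticket(st, OWNER_LINKS, Ticket("report", "x", True), "alice", "bob")
    return (Ticket("report", "x", True) in st.dom["bob"],
            can_copy(st, OWNER_LINKS, Ticket("report", "w", True), "alice", "bob"))


def take_grant_demo():
    """alice holds bob/g, so she may copy doc/x to bob; carol has no link to bob."""
    st = State(types={"alice": "user", "bob": "user", "carol": "user", "doc": "file"},
               dom={"alice": {Ticket("bob", "g", True), Ticket("doc", "x", True)},
                    "carol": {Ticket("doc", "x", True)}})
    return (can_copy(st, TG_LINKS, Ticket("doc", "x", False), "alice", "bob"),
            can_copy(st, TG_LINKS, Ticket("doc", "x", False), "carol", "bob"))
```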


The Schematic Model: Results

The schematic model subsumes several well-known protection models in terms of expressive power and safety analysis, such as:
the Bell-LaPadula multi-level security model
take-grant models
the grammatical protection model

R. S. Sandhu: Expressive Power of the Schematic Protection Model, Journal of Computer Security 1(1), 1992, 59–98.


Concluding Remarks

DAC policies enforce access control on the basis of the identity of the requester and explicit access rules
DAC policies ignore the distinction between users and subjects and evaluate all requests submitted by a process (subject) running on behalf of some user against the authorizations of the user
DAC policies are vulnerable to processes executing malicious programs (such as Trojan Horses) that exploit the authorizations of the user on behalf of whom they are executing
DAC policies do not enforce any control on the flow of information once this information is acquired by a process

A more precise examination of the access control problem shows the utility of separating users from subjects and controlling the flow of information!


Mandatory Access Control Models

Prof.Dr. Ferucio Laurenţiu Ţiplea
Department of Computer Science
Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Outline

1 Introduction to MAC

2 Information Flow Models

3 Confidentiality-based Mandatory Policies: The Bell-LaPadula Model

4 Integrity-based Mandatory Policies: The Biba Model

5 Combining the BLP and Biba Models

6 The Chinese Wall Model

7 MAC Implementations

8 Concluding Remarks on MAC Models


Mandatory Access Control

Basic features:
MAC enforces access control on the basis of regulations mandated by a central authority
No concept of ownership in MAC
MAC makes distinction between users and subjects

MAC models:
The Bell-LaPadula model
The Biba model
The Chinese-wall model

Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Mandatory Access Control Models : : 3 / 26


Information Flow Models

D. E. Denning. A Lattice Model of Secure Information Flow, Communications of the ACM, vol. 19, no. 5, 1976, 236–243.

Basic features:
IF models are concerned with the flow of information from one security class to another
Object = viewed as a container of information
Examples of objects: files or directories in an operating system, or relations and tuples in a database
Information flow is controlled by assigning every object a security class or security label


Information Flow Models: Definition

Definition 1
An information flow model is a triple (SC, →, ⊕), where:
SC is a set of elements called security classes
→ ⊆ SC × SC is a binary relation called may-flow
⊕ : SC × SC → SC is a commutative and associative operator called the class combiner operator

Meaning:
A → B: the information may flow from the security class A to the security class B
A ⊕ B: if information from the two security classes A and B is combined, the result belongs to the security class A ⊕ B


Information Flow Models: Denning's Axioms

Denning's axioms:
Axiom 1: SC is finite
Axiom 2: The may-flow relation → is a partial order
Axiom 3: SC has a least element w.r.t. →
Axiom 4: ⊕ is a least upper bound operator

Proposition 1
Any information flow model that satisfies Denning's axioms is a lattice.

In what follows, all IF models we consider satisfy Denning's axioms!


Information Flow Models: Dominance

Definition 2
Let (SC, →, ⊕) be an information flow model and A, B ∈ SC. We say that A dominates B, denoted A ≥ B, if B → A.

Notation and terminology:
A > B (A strictly dominates B) if A dominates B and A ≠ B
A and B are comparable if A ≥ B or B ≥ A
A and B are incomparable if A and B are not comparable


Information Flow Models: Examples

Examples (figure): the linear lattice U < C < S < TS; a lattice with least element L, greatest element H and incomparable classes A1, …, An between them; the powerset lattices of {A, B} and of {A, B, C} ordered by inclusion, with ∅ as least element.


Confidentiality-based Mandatory Policies

Aim: control the direct and indirect flows of information by preventing leakages to unauthorized subjects
Subjects and objects are assigned security levels (security classes)
The security level of an object, also called security classification, reflects the sensitivity of the information contained in the object
The security level of a subject, also called security clearance, reflects the user's trustworthiness
Requests of subjects to access objects are regulated by means of their security classes


The Bell-LaPadula Model: A Minimalist Approach

D. E. Bell, L. J. LaPadula. Secure Computer Systems: Mathematical Foundations, MITRE Corporation, 1973.

Overview:
Key idea: augment DAC with MAC to enforce information flow policies
Two-step approach:
1. First, an access control matrix D is established
2. Second, operations must be authorized by the mandatory access control policy


The Bell-LaPadula Model: A Minimalist Approach

The MAC in the BLP model:
associate labels to subjects and objects by some function λ (once assigned, labels cannot be changed – this is called tranquility)
Rules (No Read Up – No Write Down):
1. Simple security (ss-) property – s is allowed to read o only if λ(s) ≥ λ(o)
2. ∗-property – s is allowed to write o only if λ(s) ≤ λ(o)

Remark 1
The ∗-property allows secret data to be destroyed or damaged by unclassified subjects. To prevent this, the ∗-property is sometimes used in the form
Strong ∗-property – s is allowed to write o only if λ(s) = λ(o)


The Bell-LaPadula Model: Remarks

In some approaches, write access means “read and write”, with append access provided for “write only”
The BLP model is stated in terms of read and write operations (which suffices to illustrate the main points). Other operations may be added, such as create and destroy objects, constrained by the ∗-property because they modify the state of the object in question
Mandatory controls in BLP are coupled with discretionary control: if the access control matrix does not authorize the operation, there is no need to check the mandatory controls since the operation will be rejected anyway


Integrity-based Mandatory Policies

Aim: control the flows of information and prevent subjects from indirectly modifying information they cannot write
Subjects and objects are assigned integrity levels (integrity classes)
The integrity level of an object reflects both the degree of trust of the information stored in the object and the potential damage resulting from unauthorized modifications of the information
The integrity level of a subject reflects the user's trustworthiness for inserting, modifying, or deleting information
Requests of subjects to access objects are regulated by means of their integrity classes


The Biba Model

K. J. Biba. Integrity Considerations for Secure Computer Systems, MTR-3153, The Mitre Corporation, April 1977.

The MAC in the Biba model:
associate labels to subjects and objects by some function ω
Rules (No Read Down – No Write Up):
1. Simple integrity (si-) property – s is allowed to read o only if ω(s) ≤ ω(o)
2. Integrity ∗-property – s is allowed to write o only if ω(s) ≥ ω(o)

Remark 2
The Biba model's rules are the dual of the BLP model's rules.


Combining the BLP and Biba Models

There is no fundamental difference between the BLP and Biba models: both are concerned with information flow in a lattice of security classes
In the BLP model, the information flows upward
In the Biba model, the information flows downward
The direction is irrelevant: it is a matter of convention in representing the highest security class (in our case, in both the BLP and Biba models the highest security class is on top of the lattice)


Case 1: Single Label

Combination 1: use a single label for both confidentiality and integrity

Conclusions:
s can read or write o only if s and o have the same security class!
No information flow between security classes!
Irrelevant model


Case 2: Independent Labels, Same Directions

Combination 2: use independent labels for confidentiality (λ) and integrity (ω) under the assumption that both lattices have the highest security class on top

Conclusions:
Rules:
1. s is allowed to read o only if λ(s) ≥ λ(o) and ω(s) ≤ ω(o)
2. s is allowed to write o only if λ(s) ≤ λ(o) and ω(s) ≥ ω(o)
The model uses two lattices with information flow going in opposite directions
Implemented in several operating system, database, and network products


Case 3: Independent Labels, Opposite Directions

Combination 3: use independent labels for confidentiality (λ) and integrity (ω) under the assumption that the lattices have the highest security classes in opposite directions

Conclusions:
Rules:
1. s is allowed to read o only if λ(s) ≥ λ(o) and ω(s) ≥ ω(o)
2. s is allowed to write o only if λ(s) ≤ λ(o) and ω(s) ≤ ω(o)
The two lattices can be combined in just one lattice (see next slide)
In this lattice, the entity with highest confidentiality has lowest integrity, and vice versa


Case 3: Example

Figure: the confidentiality lattice has λL at the bottom and λH (highest confidentiality) at the top; the integrity lattice has ωH (highest integrity) at the bottom and ωL at the top; information flows upward in both. Combined into one lattice: λH ωL on top (highest confidentiality, lowest integrity), λH ωH and λL ωL in the middle, λL ωH at the bottom (lowest confidentiality, highest integrity).
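The lattice of Definition 1 with Denning's axioms checked by brute force, the BLP and Biba rules, and Cases 2 and 3 above, where Case 3 is obtained by running BLP on the single combined lattice of the figure; this is added example code, not from the slides, and the concrete lattices and the sample labels are constructed for the example.

```python
"""Information flow models (Definition 1, Denning's axioms), the BLP and Biba
rules, and their combination as in Cases 2 and 3 of the slides.

Added example, not from the slides. The concrete lattices (the chain
U < C < S < TS, the chains L < H) and the labels of the sample subjects
and objects are constructed for this example.
"""
from itertools import product


class Lattice:
    """(SC, ->, (+)): SC is a finite list, dominates(a, b) decides a >= b (b -> a)."""

    def __init__(self, classes, dominates):
        self.classes = list(classes)
        self._dom = dominates

    def dominates(self, a, b):
        return self._dom(a, b)

    def combine(self, a, b):
        """A (+) B: the least class dominating both, or None if there is none."""
        ups = [c for c in self.classes if self._dom(c, a) and self._dom(c, b)]
        return next((c for c in ups if all(self._dom(u, c) for u in ups)), None)

    def satisfies_denning(self):
        """Axioms 1-4 by brute force: SC finite, >= a partial order,
        a least element exists, (+) is a least upper bound operator."""
        C = self.classes
        order = (all(self._dom(a, a) for a in C)
                 and all(a == b or not (self._dom(a, b) and self._dom(b, a))
                         for a, b in product(C, C))
                 and all(self._dom(a, c) for a, b, c in product(C, C, C)
                         if self._dom(a, b) and self._dom(b, c)))
        least = any(all(self._dom(c, bot) for c in C) for bot in C)
        lub = all(self.combine(a, b) is not None for a, b in product(C, C))
        return order and least and lub


def chain(levels):
    """A linear lattice such as U < C < S < TS (lowest level first)."""
    rank = {lvl: i for i, lvl in enumerate(levels)}
    return Lattice(levels, lambda a, b: rank[a] >= rank[b])


def blp(lat, lam, s, o, op, strong=False):
    """ss-property: read iff lam(s) >= lam(o); *-property: write iff
    lam(s) <= lam(o); strong *-property: write iff lam(s) == lam(o)."""
    if op == "read":
        return lat.dominates(lam[s], lam[o])
    return lam[s] == lam[o] if strong else lat.dominates(lam[o], lam[s])


def biba(lat, om, s, o, op):
    """si-property: read iff om(s) <= om(o); integrity *-property: write iff
    om(s) >= om(o). The dual of blp()."""
    if op == "read":
        return lat.dominates(om[o], om[s])
    return lat.dominates(om[s], om[o])


def case2(clat, lam, ilat, om, s, o, op):
    """Case 2: independent labels, both lattices with the highest class on top."""
    return blp(clat, lam, s, o, op) and biba(ilat, om, s, o, op)


def case3_lattice(clat, ilat):
    """Case 3: the single lattice over pairs (lam, om). The integrity order is
    turned upside down, so (H, L) is the top element: highest confidentiality
    and lowest integrity, as in the figure."""
    pairs = list(product(clat.classes, ilat.classes))
    return Lattice(pairs, lambda p, q: clat.dominates(p[0], q[0])
                   and ilat.dominates(q[1], p[1]))


def case3(clat, lam, ilat, om, s, o, op):
    """The Case 3 rules are just BLP applied to the combined lattice."""
    joint = {e: (lam[e], om[e]) for e in lam}
    return blp(case3_lattice(clat, ilat), joint, s, o, op)


def blp_demo():
    """An S-cleared analyst against a TS plan and a C memo: no read up, no write down."""
    mil = chain(["U", "C", "S", "TS"])
    lam = {"analyst": "S", "plan": "TS", "memo": "C"}
    return {(o, op): blp(mil, lam, "analyst", o, op)
            for o in ("plan", "memo") for op in ("read", "write")}


def cases_agree():
    """Case 2 and Case 3 decide identically for every labelling of s and o."""
    clat, ilat = chain(["L", "H"]), chain(["L", "H"])
    for ls, is_, lo, io in product("LH", repeat=4):
        lam, om = {"s": ls, "o": lo}, {"s": is_, "o": io}
        for op in ("read", "write"):
            if (case2(clat, lam, ilat, om, "s", "o", op)
                    != case3(clat, lam, ilat, om, "s", "o", op)):
                return False
    return True
```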


The Chinese Wall Model

D. F. C. Brewer, M. J. Nash. The Chinese Wall security policy, IEEE Symposium on Security and Privacy, 206–214, 1989.

Where it arises:
In the commercial sector that provides consulting services to other companies

Aim:
Prevent information flows that result in a conflict of interest and inadvertent disclosure of information by a consultant or contractor
Example of conflict of interest: lawyer providing consultancy services for two airline companies

How:
Combines commercial discretion with legally enforceable mandatory controls
The Chinese Wall Model

Basic elements:
Object = item of information concerning a single corporation (company)
Company dataset = all objects which concern the same company
Conflict of interest class = all datasets of the companies that are in competition
Subject = user or program that might act on behalf of a user

Basic idea:
In the first instance, each subject has complete freedom to access anything he cares to
Once an object in a dataset D of some conflict of interest class CoI is chosen, a Chinese Wall is created around D and no other dataset in CoI can be chosen by the same subject.


The Chinese Wall Model

Rules:
(Chinese Wall) Simple Security Rule: a subject s can be granted read access to an object o only if the object:
1. is in the same company dataset as the objects already accessed by s, that is, “within the Wall”, or
2. belongs to an entirely different conflict of interest class
(Chinese Wall) ∗-property: a subject s can be granted write access to an object o only if:
1. s can read o by the simple security rule, and
2. no object can be read which is in a different company dataset to the one for which write access is requested

The Chinese Wall model can be stated as an information flow model!
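The two rules above with the per-subject history that raises the Wall; added example code, not from the slides, with the company datasets, conflict of interest classes, objects and subject names constructed for the example. As stated on the slide, the ∗-property permits a write only when every object the subject can still read lies in the target's own dataset, and the second demo makes that visible.

```python
"""Chinese Wall: the simple security rule and the *-property as stated on the
slide, with the per-subject access history that builds the Wall.

Added example, not from the slides. The company datasets, conflict of
interest classes, objects and subject names are constructed for this
example.
"""
from dataclasses import dataclass, field


@dataclass
class ChineseWall:
    dataset_of: dict                              # object -> company dataset
    coi_of: dict                                  # company dataset -> conflict of interest class
    history: dict = field(default_factory=dict)  # subject -> datasets already accessed

    def can_read(self, s, o):
        """Simple security rule: o is within the Wall (same company dataset as an
        object s already accessed) or in a conflict of interest class s has
        not touched yet."""
        d = self.dataset_of[o]
        seen = self.history.get(s, set())
        return d in seen or self.coi_of[d] not in {self.coi_of[x] for x in seen}

    def read(self, s, o):
        """Grant the read and record it: this is what raises the Wall around d."""
        if not self.can_read(s, o):
            raise PermissionError(f"{s} may not read {o}: conflict of interest")
        self.history.setdefault(s, set()).add(self.dataset_of[o])

    def can_write(self, s, o):
        """*-property: s can read o, and no object s can read lies in a
        different company dataset than o (so nothing s reads elsewhere can
        be carried into o's dataset)."""
        d = self.dataset_of[o]
        return self.can_read(s, o) and all(
            self.dataset_of[x] == d or not self.can_read(s, x)
            for x in self.dataset_of)


def consultancy():
    """Two oil companies in one conflict of interest class, one bank in another."""
    return ChineseWall(
        dataset_of={"oilA.xlsx": "OilA", "oilB.xlsx": "OilB", "bank.pdf": "BankX"},
        coi_of={"OilA": "oil", "OilB": "oil", "BankX": "banking"})


def read_demo():
    """After reading OilA, the consultant is walled off from OilB but not from BankX."""
    cw = consultancy()
    before = cw.can_read("ann", "oilB.xlsx")          # True: nothing accessed yet
    cw.read("ann", "oilA.xlsx")
    return (before, cw.can_read("ann", "oilB.xlsx"),  # False: same CoI class as OilA
            cw.can_read("ann", "bank.pdf"))            # True: different CoI class


def write_demo():
    """With the bank still readable, ann may not write into OilA (she could carry
    BankX information across); a scheme with a single CoI class allows it."""
    cw = consultancy()
    cw.read("ann", "oilA.xlsx")
    blocked = cw.can_write("ann", "oilA.xlsx")        # False
    single = ChineseWall(dataset_of={"oilA.xlsx": "OilA", "oilB.xlsx": "OilB"},
                         coi_of={"OilA": "oil", "OilB": "oil"})
    single.read("bob", "oilA.xlsx")
    return (blocked, single.can_write("bob", "oilA.xlsx"),   # True
            single.can_write("bob", "oilB.xlsx"))             # False: cannot even read it
```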
MAC Implementations

Early implementations of MAC (started out in the eighties):
Honeywell Secure Communications Processor (SCOMP), Strategic Air Command Digital Network (SACDIN) of the US Air Force (USAF), Boeing Multi-level Secure Local Area Network, etc.
These focus on protecting military-oriented security classification levels

More recent implementations of MAC:
Security-Enhanced Linux (SELinux): Linux kernel security module, incorporated into Linux kernels from 2.6, to provide the mechanism for supporting access control security policies
Mandatory Integrity Control (MIC): incorporated by Microsoft starting with Windows Vista and Windows Server 2008, adds integrity levels
etc.


Mandatory Integrity Control (MIC)

The MAC implementation in Windows Vista is called Mandatory Integrity Control (MIC), which is a form of the Biba model
It ensures integrity by controlling writes and deletions: to write to or delete an object, the subject's integrity level must be greater than or equal to the object's integrity level
There are six integrity levels: Untrusted, Low (everyone), Medium (standard users, authenticated users), High (local services, network services, elevated users), System (system services), and Trusted Installer
Subjects' integrity level: when a user logs on, Windows Vista assigns an integrity SID to the user's access token
Objects' integrity level: files, pipes, threads, registry keys, printers etc. are assigned an integrity SID which is stored in the System Access Control List (SACL)


Security-Enhanced Linux (SELinux)

Subject security level = domain
Object security level = type
Type of an object = class
Two types of rules: access rules and labeling rules
Access rules:
Example: allow sshd.t shell.exec.t:file execute
Meaning: when a subject of sshd.t accesses an object of shell.exec.t of class file, it has the execute permission
Rules for the type of a new object (labeling rules):
Example: type.transition sshd.t tmp.t: devfile.class.set cardmsg.dev.t
Meaning: when the sshd daemon creates a device file in the tmp directory, the new file is labeled with cardmsg.dev.t


Concluding Remarks

MAC provides protection against indirect information leakages
MAC is still vulnerable to covert channels
Covert channels were introduced by Lampson in 1973 as “channels not intended for information transfer at all, such as the service program's effect on system load.”
Example: a low level subject requires a resource which is busy by a high level subject. If the system signals this to the low level subject, then there is a flow of information from the high level subject to the low level subject
Covert channels can exist in any MAC system that restricts information flow
Covert channels are hard to detect and control


Role-based Access Control

Prof.Dr. Ferucio Laurenţiu Ţiplea
Department of Computer Science
Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Outline

1 Introduction to RBAC

2 Basic RBAC

3 Hierarchical RBAC

4 Constrained RBAC

5 Consolidated RBAC

6 RBAC Implementations

7 Concluding Remarks on MAC Models


Role-based Access Control

Basic features:
Access rights are grouped according to a particular functionality into a role
User flexibility: a user moving to a new function is simply assigned to the new role and removed from the old one
Powerful mechanism for an administrator to specify the privileges required by various job functions

RBAC models:
Basic RBAC
Hierarchical RBAC
Constrained RBAC
Consolidated RBAC
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Role-based Access Control : : 3 / 10
Users, Roles, Permissions

Basic elements:
U is the set of users
R is the set of roles
P ⊆ P(Op × O) is the set of permissions (Op is the set of operations, and O is the set of objects)
UR ⊆ U × R is the user-to-role assignment relation
PR ⊆ P × R is the permission-to-role assignment relation
su : S → U is the subject-to-user mapping (S is the set of subjects)
sr : S → P(R) is the subject-to-role mapping, constrained by sr(s) ⊆ UR(su(s))


Basic RBAC

Role authorization: a subject can never have an active role that is not authorized for its user
(∀s ∈ S)(∀r ∈ R)(r ∈ sr(s) ⇒ su(s) ∈ UR⁻¹(r))

Object access authorization: a subject s can perform an operation op on object o only if there exists a role r that is included in the subject's active role set and there exists a permission that is assigned to r such that the permission authorizes the performance of op on o
access(s, op, o) ⇒ (∃r ∈ R)(∃p ∈ P)(r ∈ sr(s) ∧ p ∈ PR⁻¹(r) ∧ (op, o) ∈ p)


Hierarchical RBAC

Hierarchical RBAC builds on top of basic RBAC by adding a role inheritance relation which is a partial order relation ≥ on R
Meaning of r1 ≥ r2:
PR⁻¹(r2) ⊆ PR⁻¹(r1)
UR⁻¹(r1) ⊆ UR⁻¹(r2)

Authorized users and permissions:
the set of authorized users for the role r is {u ∈ U | (u, r') ∈ UR ∧ r' ≥ r}
the set of authorized permissions for the role r is {p ∈ P | (p, r') ∈ PR ∧ r' ≤ r}


Constrained RBAC

Constrained RBAC is obtained from basic RBAC by adding constraints

Types of constraints:
Mutually exclusive roles: this is one of the most common constraints
Cardinality: maximum number of members in some roles
Prerequisite roles: a user is assigned to role r only if the user is already assigned to some role r' (r' proves the competency and appropriateness of the user for role r)


Consolidated RBAC

Consolidated RBAC combines hierarchical and constrained RBAC
Figure: Consolidated RBAC sits on top of Hierarchical RBAC and Constrained RBAC, both of which build on Basic RBAC
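The basic RBAC authorization rules, the role hierarchy and the three constraint types combined as in consolidated RBAC; added example code, not from the slides, with the users, roles, permissions and constraint values constructed for the example.

```python
"""Consolidated RBAC: the role authorization and object access rules of basic
RBAC, role inheritance (hierarchical RBAC) and the three constraint types
(constrained RBAC) from the slides, on a small constructed scheme.

Added example, not from the slides. Users, roles, permissions and the
constraint values are constructed for this example. Names follow the
slides: UR, PR, su, sr, and r1 >= r2 for role inheritance.
"""
import math


class RBAC:
    def __init__(self):
        self.UR = set()         # (user, role)
        self.PR = set()         # (permission, role); a permission is a frozenset of (op, object)
        self.su = {}            # subject -> user
        self.sr = {}            # subject -> active role set
        self.inherits = set()   # (r1, r2): r1 >= r2, direct edges of the partial order
        self.exclusive = set()  # frozenset({r1, r2}): mutually exclusive roles
        self.cardinality = {}   # role -> maximum number of members
        self.prerequisite = {}  # role -> role the user must already hold

    def geq(self, r1, r2):
        """r1 >= r2 in the reflexive-transitive closure of the direct edges."""
        return r1 == r2 or any(self.geq(r, r2) for a, r in self.inherits if a == r1)

    def authorized_users(self, r):
        """{u in U | (u, r') in UR and r' >= r}"""
        return {u for u, rp in self.UR if self.geq(rp, r)}

    def authorized_permissions(self, r):
        """{p in P | (p, r') in PR and r' <= r}"""
        return {p for p, rp in self.PR if self.geq(r, rp)}

    def assign(self, u, r):
        """Add (u, r) to UR unless a constraint forbids it."""
        roles = {rp for up, rp in self.UR if up == u}
        if any(frozenset({r, r2}) in self.exclusive for r2 in roles):
            raise PermissionError(f"{r} is mutually exclusive with a role of {u}")
        members = {up for up, rp in self.UR if rp == r}
        if len(members) >= self.cardinality.get(r, math.inf):
            raise PermissionError(f"{r} has reached its cardinality limit")
        if r in self.prerequisite and self.prerequisite[r] not in roles:
            raise PermissionError(f"{u} lacks prerequisite role {self.prerequisite[r]}")
        self.UR.add((u, r))

    def activate(self, s, u, roles):
        """Role authorization: every active role must be authorized for su(s),
        directly or through a senior role the user holds."""
        bad = [r for r in roles if u not in self.authorized_users(r)]
        if bad:
            raise PermissionError(f"{u} is not authorized for {bad}")
        self.su[s], self.sr[s] = u, set(roles)

    def access(self, s, op, o):
        """Object access authorization: some active role r of s carries, directly
        or by inheritance, a permission p with (op, o) in p."""
        return any((op, o) in p for r in self.sr.get(s, ())
                   for p in self.authorized_permissions(r))


def company():
    """employee < engineer < manager; auditor requires employee and excludes manager."""
    m = RBAC()
    m.inherits = {("engineer", "employee"), ("manager", "engineer")}
    m.PR = {(frozenset({("read", "wiki")}), "employee"),
            (frozenset({("deploy", "prod")}), "engineer"),
            (frozenset({("approve", "budget")}), "manager"),
            (frozenset({("read", "ledger")}), "auditor")}
    m.exclusive = {frozenset({"auditor", "manager"})}
    m.cardinality = {"manager": 1}
    m.prerequisite = {"auditor": "employee"}
    return m


def constraint_demo():
    """Which user-to-role assignments the constraints reject, in order."""
    m = company()
    m.assign("alice", "engineer")
    m.assign("bob", "manager")
    results = []
    for u, r in (("carol", "manager"), ("carol", "auditor"), ("carol", "employee"),
                 ("carol", "auditor"), ("bob", "auditor")):
        try:
            m.assign(u, r)
            results.append((u, r, "ok"))
        except PermissionError:
            results.append((u, r, "denied"))
    return results


def access_demo():
    """Inherited permissions flow down the hierarchy; activation is checked."""
    m = company()
    m.assign("alice", "engineer")
    m.assign("bob", "manager")
    m.activate("s1", "alice", {"engineer"})
    m.activate("s2", "bob", {"manager"})
    try:
        m.activate("s3", "alice", {"manager"})   # alice is not a manager
        escalated = True
    except PermissionError:
        escalated = False
    return (m.access("s1", "read", "wiki"),       # True: engineer >= employee
            m.access("s1", "approve", "budget"),  # False
            m.access("s2", "deploy", "prod"),     # True: manager >= engineer
            m.access("s2", "read", "ledger"),     # False: auditor is not below manager
            escalated)                            # False
```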


RBAC Implementations

Implementation in two important classes of commercial software:
Database management systems (such as Oracle enterprise server)
Enterprise security administration


Concluding Remarks

RBAC simplifies security administration by using roles, hierarchies, and constraints
RBAC reduces costs within an organization because it takes into account that employees change much more frequently than the duties within positions
RBAC can be configured to support a large variety of access control policies, including DAC and MAC policies
RBAC is suited to a large variety of applications and software system environments


Access Control Models for Cloud Computing

Prof.Dr. Ferucio Laurenţiu Ţiplea
Department of Computer Science
Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
E-mail: ferucio.tiplea@uaic.ro

Outline

1 Introduction
Cloud computing
Limitations of traditional access control

2 Access control models for cloud computing


Task based access control
Attribute based access control
Usage based access control
Prof.Dr. Ferucio Laurenţiu Ţiplea (UAIC) Access Control Models for Cloud Computing : : 3 / 16
Cloud computing environment

Sharma and Trivedi (2014) – “A cloud computing environment is a set of resources that can scale up and down on demand. It is available over the Internet in a self-service model with little to no interaction required with the service provider. Cloud enables new ways of offering products and services with innovative, technical, and pricing opportunities.”

A cloud computing environment is a large-scale, distributed, and virtual complex information system:
large number of dynamic users who join and exit the environment in a dynamic manner
large amount of resources
flexible constructions
NIST cloud architecture (figure)
Limitations of DAC to cloud environments

Due to its properties of
decentralized resource management and
complex authorization management,
DAC is not well suited for large-scale networks with high security requirements, mainly because it does not offer any mechanism or method to manage improper access control.

Improper access control means that the access control mechanism fails to restrict, or incorrectly restricts, access to a resource from an unauthorized user (so the user can break into the system, reach the confidential files, and perform all actions on them, such as read, write, delete, etc.)
Limitations of MAC to cloud environments

It is difficult to deploy MAC in the cloud because it does not support separation of duties, delegation, or inheritance:
From a security point of view, separation of duty has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. Example of use: two signatures on a cheque
Delegation is the process of a computer user handing over their authentication credentials to another user. In role-based access control models, delegation of authority involves delegating roles that a user can assume, or the set of permissions that he can acquire, to other users
Security inheritance refers to the passing of permissions from a parent object to a child object
Limitations of RBAC to cloud environments

Although RBAC alleviates some of the security issues with DAC and MAC, it is still not very well suited for cloud computing:
It does not scale easily to systems with a large number of users and roles where the users' roles change frequently
It is difficult to extend RBAC across administrative domains because it is difficult to decide a role's privileges
Task based access control (TBAC)

Proposed in 1997 by Thomas and Sandhu
Main idea: grant additional privileges only when they are needed to perform some task, and then revoke the privileges.
In a standard RBAC approach, additional privileges would be part of a role and the user-role assignment would give the user the ability to play the role anytime he wants
Well suited for distributed computing and information processing activities with multiple points of access, control, and decision making such as that found in workflow and distributed process and transaction management systems
Implementation: Amazon Elastic Compute Cloud
Attribute based access control (ABAC)

Sometimes referred to as policy-based access control (PBAC) or claims-based access control (CBAC)
Uses attributes (of users, objects, actions, environment) and defines policies based on attributes
Attributes make ABAC a more fine-grained access control model than RBAC
The key standards that implement ABAC are XACML (eXtensible Access Control Markup Language) and ALFA (XACML)
It is harder to configure ABAC than RBAC
Prediction: 70% of all organizations will use ABAC by 2020
Usage based access control (UCON)

Park and Sandhu (2002, 2004). It starts from the limitations of:
Traditional access control – focuses on closed systems where all users are known and primarily utilizes a server-side reference monitor
Trust management – has been introduced to cover authorization for newcomers in an open environment such as the Internet
Digital rights management – focuses on the control of the usage of digital information

UCON:
Deals with the above techniques in a systematic unified manner
Enables finer-grained control over usage of digital objects than the above models. For example, print once as opposed to unlimited prints
Covers both centrally controllable environments and environments where central control authorities are not available
Deals with privacy issues in both commercial and non-commercial environments
Implementation: grid environments, cloud based services (Nego-UCON), U-XACML
UCON (figure): UCON covers traditional access control, trust management and digital rights management (IPR, privacy, sensitive information), whether enforced by a server-side reference monitor (SRM), a client-side reference monitor (CRM), or both SRM and CRM.
Attribute-based Encryption for Access Control

Ferucio Laurenţiu Ţiplea
Department of Computer Science
Alexandru Ioan Cuza University of Iaşi
Iaşi, Romania
e-mail: ferucio.tiplea@uaic.ro

Fall 2020

Outline

Introduction to ABE

Access structures

Attribute-based encryption (ABE)

Security models for ABE


F.L. Tiplea Attribute-based Encryption Fall 2020 3 / 26


Cloud, fog, IoT

Fundamental crypto tools for cloud, fog, IoT:
1. Identity-based encryption (IBE)
2. Attribute-based encryption (ABE)
3. Searchable encryption (SE)
4. Homomorphic encryption (HE)


ABE in cloud computing

Figure: the encryptor takes the company's documents (the files to be encrypted), applies symmetric encryption to the files and ABE to the file keys, and places the encrypted files and keys in the file storage. KeyGen takes the company's ABAC policy, an access control policy based on attributes such as A ∨ HR Dept (in general, it is given by a Boolean circuit), together with the user's attributes, and generates the user's decryption key.


Standards on ABE

ETSI TS 103 458 V1.1.1 (2018-06), Technical Specification, CYBER: Application of Attribute Based Encryption (ABE) to PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements

ETSI: the European Standards Organization that produces globally applicable standards for ICT-enabled systems, applications and services deployed across all sectors of industry and society


Introduction to ABE Access structures Attribute-based encryption (ABE) Security models for ABE

ABE-based software for access control


http://www.zeutro.com – Zeutro provides ABE-based solutions for access control:

1. Content-based Access Control – is for granting selective access later (e.g., cloud, big data, and so on). It uses KP-ABE
2. Role-based Access Control – is for policies known at the time of encryption (e.g., classified documents, medical records). It uses CP-ABE
3. Multi-authority Role-based Access Control – is for operating across organizational boundaries



Granting access by means of attributes


Large variety of attributes and how they can be used:

1. Identity identifiers: driver license, passport, fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina etc.

2. Object identifiers : shape, structure, viscosity etc.

3. Digital content identifiers : pdf, doc, txt etc.

4. Personnel positions in a company: director, vice-director, technician, programmer etc.

5. Number of people in well-defined groups


Access structures
Assume U is a non-empty finite set of attributes

1. Access structure over U = any set S of non-empty subsets of U

1.1 The subsets (of U) that are in S are called authorized sets

1.2 The subsets not in S are called unauthorized sets

2. S is called monotone if

(∀B ⊆ U)((∃A ∈ S)(A ⊆ B) ⇒ B ∈ S)

3. An authorized set A is minimal if there is no B ∈ S such that B ⊂ A

For a general treatment, U is given as a set of positive integers, U = {1, . . . , n}

Access structures
Let U = {1, . . . , n} be a set of attributes
1. k out of n access structure (1 ≤ k ≤ n):

S = {A ⊆ U | |A| ≥ k}

2. Disjunctive multilevel access structure:

2.1 Consider a = (a1, . . . , ak) a vector of positive integers in increasing order 0 < a1 < · · · < ak
2.2 Consider U = (U1, . . . , Uk) a partition of U
2.3 Define the access structure

S = {A ⊆ U | (∃ 1 ≤ i ≤ k)(|A ∩ (U1 ∪ · · · ∪ Ui)| ≥ ai)}

3. Conjunctive multilevel access structure: replace “∃” by “∀” in the above definition

Access structures
1. Compartmented access structure:
1.1 Consider U = (U1, . . . , Uk) a partition of U into k ≥ 1 non-empty subsets called compartments (the number of participants in Ui is ni, for all 1 ≤ i ≤ k)
1.2 Consider a = (a1, . . . , ak) a vector of positive integers that satisfy ai ≤ ni, for all 1 ≤ i ≤ k
1.3 Consider t an integer (called global threshold) such that

a1 + · · · + ak ≤ t ≤ n

1.4 Define the access structure

S = {A ⊆ U | (∀ 1 ≤ i ≤ k)(|A ∩ Ui| ≥ ai) ∧ (|A| ≥ t)}

Boolean circuits
Basis = finite set of Boolean operators
Definition 1
An n-input single-output Boolean circuit over a basis B, where n ≥ 1, is
a labeled directed acyclic graph with the following properties:
1. It has exactly n vertices with no incoming edges
2. It has exactly one vertex with no outgoing edges
3. Each vertex with incoming edges is labeled with a logical operator in
B such that the number of incoming edges equals the arity of the
operator.

Terminology on Boolean circuits:


1. Vertex with no incoming edges = source or input vertex / input gate
2. Vertex with no outgoing edges = sink or output vertex / output gate
3. Vertex with incoming edges = logic gate


Boolean circuits
Conventions:
1. The basis B usually consists of AND, OR, NOT. It may also contain
(k, n)-gates (“k out of n” gates)
2. All Boolean circuits will have only one output gate and therefore the
terminology is simplified to n-input Boolean circuit
3. Input gates are totally ordered so that we may speak about the i-th
input gate

Computation with Boolean circuits :


1. Assume x ∈ {0, 1}n
2. If C is an n-input Boolean circuit, then assigning xi to the i-th input
gate, we may evaluate recursively in a bottom-up fashion all gates.
The resulting Boolean value for the output gate is the output of C
on x, denoted C(x)


Boolean circuits

[Figure: two 4-input Boolean circuits drawn by level, with the input gates 1, 2, 3, 4 on level 0 and the input (1, 0, 0, 1). Left circuit: Γ1 OR and Γ2 AND on level 1, Γ3 AND on level 2, Γ4 OR on level 3, Γ5 OR on level 4 (output gate); it computes C(1, 0, 0, 1) = 0. Right circuit: Γ1 NOT on level 1, Γ2 OR and Γ3 AND on level 2, Γ4 AND on level 3 (output gate); it computes C(1, 0, 0, 1) = 1]

Boolean circuits
Definition 2
A Boolean circuit is monotone if it does not have NOT-gates.

In a monotone Boolean circuit C,

x ≤ y ⇒ C(x) ≤ C(y)

Definition 3
A Boolean circuit has fan-out k, where k ≥ 1, if it has at least one gate
of fan-out k, the other gates having fan-out at most k.


Access structures and Boolean circuits


Boolean circuits define access structures:
1. Let U = {1, . . . , n} be a set of attributes
2. Let C be an n-input Boolean circuit
3. Given A ⊆ U, let xA be the characteristic vector of A w.r.t. U
4. S = {A ⊆ U | C(xA ) = 1} is an access structure over U
5. If C is monotone, then S is monotone

We simply write C(A) instead of C(xA )

Remark 4
Non-monotone Boolean circuits might not define monotone access
structures: the second Boolean circuit in our previous example computes
C(1, 0, 0, 1) = 1 and C(1, 0, 1, 1) = 0. That is, {1, 4} is authorized but
{1, 3, 4} is not authorized. Therefore, the induced access structure is not
monotone.


Access structures and Boolean circuits


Proposition 5
1. There are disjunctive/conjunctive multilevel access structures that
cannot be represented by monotone Boolean circuits of fan-out 1.
2. There are compartmented access structures that cannot be
represented by monotone Boolean circuits of fan-out 1.

Proof.
(1) Consider U = {1, 2, 3, 4}, U1 = {1, 2}, U2 = {3, 4}, a1 = 2, and a2 = 3. The disjunctive multilevel access structure induced by these parameters cannot be represented by a monotone Boolean circuit of fan-out 1.
(2) Consider U = {1, 2, 3, 4, 5}, U1 = {1, 2, 3}, U2 = {4, 5}, a1 = 1, a2 = 2, t = 3. The compartmented access structure induced by these parameters cannot be represented by a monotone Boolean circuit of fan-out 1.
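The access structures of the preceding slides and the circuit-induced structure S = {A ⊆ U | C(xA) = 1}, as an added Python example that is not from the slides: the predicates, a bottom-up circuit evaluator over characteristic vectors, and a brute-force check of the monotonicity condition. The gate encoding, the function names and the small non-monotone circuit used in the checks are this example's own; the access-structure parameters are those of Proposition 5.

```python
from itertools import combinations

# --- Access structures over U = {1, ..., n} as predicates "is A authorized?"

def k_out_of_n(k):
    """k out of n access structure: S = {A ⊆ U | |A| ≥ k}."""
    return lambda A: len(set(A)) >= k

def multilevel(parts, a, disjunctive=True):
    """Disjunctive (∃ i) or conjunctive (∀ i) multilevel access structure:
    parts = (U_1, ..., U_k) partitions U, a = (a_1, ..., a_k) is strictly
    increasing, and level i tests |A ∩ (U_1 ∪ ... ∪ U_i)| ≥ a_i."""
    assert len(parts) == len(a) and a[0] > 0
    assert all(a[i] < a[i + 1] for i in range(len(a) - 1))
    def authorized(A):
        A, prefix, checks = set(A), set(), []
        for U_i, a_i in zip(parts, a):
            prefix |= set(U_i)                 # U_1 ∪ ... ∪ U_i
            checks.append(len(A & prefix) >= a_i)
        return any(checks) if disjunctive else all(checks)
    return authorized

def compartmented(parts, a, t):
    """Compartmented access structure: |A ∩ U_i| ≥ a_i for every compartment
    i and |A| ≥ t for the global threshold t (a_1 + ... + a_k ≤ t ≤ n)."""
    n = sum(len(U_i) for U_i in parts)
    assert all(a_i <= len(U_i) for U_i, a_i in zip(parts, a))
    assert sum(a) <= t <= n
    return lambda A: (all(len(set(A) & set(U_i)) >= a_i
                          for U_i, a_i in zip(parts, a)) and len(set(A)) >= t)

# --- Boolean circuits as labelled DAGs (encoding chosen for this example):
# gate -> (op, inputs); inputs are gate names or the integers 1..n (input
# gates); op is "AND", "OR", "NOT" or ("THR", k) for a "k out of n" gate.

def eval_circuit(circuit, out, x):
    """C(x) for x ∈ {0,1}^n: evaluate bottom-up, x[i-1] feeding input gate i."""
    memo = {}
    def val(v):
        if isinstance(v, int):                 # input gate i carries x_i
            return x[v - 1]
        if v not in memo:
            op, ins = circuit[v]
            vals = [val(u) for u in ins]
            if op == "NOT":
                memo[v] = 1 - vals[0]
            elif op == "AND":
                memo[v] = int(all(vals))
            elif op == "OR":
                memo[v] = int(any(vals))
            else:                              # ("THR", k): k out of n gate
                memo[v] = int(sum(vals) >= op[1])
        return memo[v]
    return val(out)

def circuit_structure(circuit, out, n):
    """S = {A ⊆ U | C(x_A) = 1}, x_A the characteristic vector of A w.r.t. U."""
    def authorized(A):
        x = [1 if i in set(A) else 0 for i in range(1, n + 1)]
        return eval_circuit(circuit, out, x) == 1
    return authorized

def authorized_sets(authorized, n):
    """All authorized (non-empty) subsets of U = {1..n}; brute force, small n."""
    return {frozenset(A) for r in range(1, n + 1)
            for A in combinations(range(1, n + 1), r) if authorized(A)}

def is_monotone(authorized, n):
    """(∀B ⊆ U)((∃A ∈ S)(A ⊆ B) ⇒ B ∈ S), checked over all subsets of U."""
    S = authorized_sets(authorized, n)
    for r in range(1, n + 1):
        for B in combinations(range(1, n + 1), r):
            B = frozenset(B)
            if B not in S and any(A <= B for A in S):
                return False
    return True
```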


Attribute-based encryption (ABE)


ABE is a new paradigm in cryptography, where messages are encrypted and decryption keys are computed in accordance with a given access structure on the set of attributes.
There are two forms of ABE:
1. key-policy ABE (KP-ABE): each message is encrypted together with a set of attributes and the decryption key is computed for the entire access structure
2. ciphertext-policy ABE (CP-ABE): each message is encrypted together with an access structure while the decryption keys are given for specific sets of attributes

Access structures will be specified by Boolean circuits!

A bit of history
1. 2005, Sahai and Waters (Eurocrypt): Fuzzy Identity-Based Encryption (FIBE) – an identity is viewed as a set of attributes
2. FIBE has limited applicability to access control of data
3. 2006, Goyal et al. (CCS): first practical ABE scheme for access control (of encrypted data). The scheme is limited to Boolean circuits of fan-out 1
4. 2013: extensions to general Boolean circuits, based on lattice cryptography or multilinear maps (!!!)
5. 2014 – : other practical extensions of Goyal et al.'s scheme

There is an increasing interest in developing practical ABE schemes for general Boolean circuits

KP-ABE scheme
Definition 6 (KP-ABE scheme)
A KP-ABE scheme consists of four PPT algorithms:
Setup(λ): outputs public parameters PP and a master key MSK;
Enc(PP, m, A): outputs a ciphertext E of the message m with a non-empty set A ⊆ U of attributes;
KeyGen(MSK, C): outputs a decryption key D for a Boolean circuit C defining an access structure over U;
Dec(E, D): this is a deterministic polynomial-time algorithm that inputs a ciphertext E and a decryption key D, and outputs a message m or the special symbol ⊥.

Correctness property: for any (PP, MSK) ← Setup(λ), any Boolean circuit C over a set U of attributes, any message m, any A ⊆ U, any E ← Enc(PP, m, A), and any D ← KeyGen(MSK, C):
C(A) = 1 ⇒ m = Dec(E, D)

CP-ABE scheme
Definition 7 (CP-ABE scheme)
A CP-ABE scheme consists of four PPT algorithms:
Setup(λ): outputs public parameters PP and a master key MSK;
Enc(PP, m, C): outputs a ciphertext E of the message m with a Boolean circuit C for a set U of attributes;
KeyGen(MSK, A): outputs a decryption key D for a set A ⊆ U of attributes;
Dec(E, D): this is a deterministic polynomial-time algorithm that inputs a ciphertext E and a decryption key D, and outputs a message m or the special symbol ⊥.

Correctness property: for any (PP, MSK) ← Setup(λ), any Boolean circuit C over a set U of attributes, any message m, any A ⊆ U, any E ← Enc(PP, m, C), and any D ← KeyGen(MSK, A):
C(A) = 1 ⇒ m = Dec(E, D)

Selective security for KP-ABE


Selective security game (A is the adversary and Ch is the challenger):
Init: A announces a set A of attributes that he wishes to be challenged upon
Setup: Ch runs Setup(λ), keeps MSK and gives PP to A
Queries 1: private key queries for access structures C with C(A) = 0
Challenge: A sends m0 and m1 with |m0| = |m1|. Ch picks b ← {0, 1}, runs c* ← Enc(PP, mb, A), and sends c* to A
Queries 2: A may issue more adaptive private key queries with the same constraint as in phase 1
Guess: eventually, A outputs a bit b′ ∈ {0, 1} and wins if b′ = b.

The advantage of the adversary in this game is |P(b′ = b) − 1/2|. The KP-ABE scheme is secure (in the selective model) if any adversary has only a negligible advantage in the selective security game described above.

Standard security for CP-ABE


Standard security game (A is the adversary and Ch is the challenger):
Setup: Ch runs Setup(λ), keeps MSK and gives PP to A
Queries 1: private key queries for sets of attributes
Challenge: A sends m0 and m1 with |m0| = |m1|, and an access structure C that is not satisfied by the sets in the private key queries. Ch picks b ← {0, 1}, runs c* ← Enc(PP, mb, C), and sends c* to A
Queries 2: A may issue more adaptive private key queries for sets that do not satisfy C
Guess: eventually, A outputs a bit b′ ∈ {0, 1} and wins if b′ = b.

The advantage of the adversary in this game is |P(b′ = b) − 1/2|. The CP-ABE scheme is secure (in the standard model) if any adversary has only a negligible advantage in the standard security game described above.
Key-policy Attribute-based Encryption
Schemes

Ferucio Laurenţiu Ţiplea


Nov 27, 2020

Department of Computer Science


Alexandru Ioan Cuza University of Iaşi
Iaşi 700506, Romania
e-mail: ferucio.tiplea@uaic.ro
Outline

A first KP-ABE scheme

The backtracking attack

Bi/Multi-linear map based solutions to the backtracking attack


Use of leveled multi-linear maps
Secret sharing and one bilinear map
The case of compartmented and multi-level access structures
Attribute multiplication, secret sharing, and one bilinear map
Secret sharing and chained bilinear maps

Conclusions
KP-ABE from Secret Sharing and Bilinear Maps
V. Goyal et al.: Attribute-based Encryption for Fine-grained Access Control of Encrypted Data, CCS 2006

Set U = {1, . . . , n} of attributes and access structure C over U:

Setup(λ): y, t1, . . . , tn ← Zp, MSK = (y, t1, . . . , tn),
PP = (p, G1, G2, g, e, n, Y = e(g, g)^y, (Ti = g^{ti} | i ∈ U))

Enc(m, A, PP): s ← Zp, E = (A, E′ = m · Y^s, (Ei = Ti^s = g^{ti s} | i ∈ A), g^s)

KeyGen(C, MSK): y → (linear sharing) → y1, . . . , yn, D = (Di = g^{yi/ti} | i ∈ U)

Dec(E, D, PP): compute Y^s = e(g, g)^{ys} from the pairings e(Ei, Di) = e(g, g)^{yi s}, i ∈ A (y is a linear combination of the shares yi, so ys is the same combination of the yi s)

Ferucio Laurentiu Tiplea Key-policy Attribute-based Encryption Schemes Nov 27, 2020 : : 2 / 37
Example: KeyGen – Secret Sharing

[Figure: a circuit with Γ4 OR at the top, Γ3 AND below it, and Γ1 OR and AND Γ2 on the first level; attribute 3 is used twice, as the input gates 3 and 3′. The secret y is linearly shared top-down (Γ4 OR passes y to Γ3 AND, which splits it), and the input gates 1, 2, 3, 3′, 4 receive the shares x1, x2, x2, x3, x4]

Example: KeyGen – Key Computation

[Figure: the same circuit and shares; the decryption key component of an input gate with share xi and attribute secret ti is g^{xi/ti}: g^{x1/t1}, g^{x2/t2}, g^{x2/t3}, g^{x3/t3′}, g^{x4/t4}]

Example: Decryption

[Figure: the same circuit; at the input gates the pairings e(Ei, Di) yield e(g, g)^{x1 s}, e(g, g)^{x2 s}, e(g, g)^{x2 s}, e(g, g)^{x3 s}, e(g, g)^{x4 s}, and e(g, g)^{ys} is reconstructed bottom-up through the gates up to Γ4 OR]
Boolean Formula – Boolean Circuit

1. Goyal et al.'s scheme works only for Boolean formulas (Boolean circuits of fan-out 1)
2. Boolean formulas cannot define multi-level or compartmented access structures
3. There is an increasing interest in developing practical ABE schemes for general Boolean circuits
The Backtracking Attack

[Figure: two copies of the 4-input circuit Γ4 OR / Γ3 AND / Γ1 OR, AND Γ2 over the inputs 1, 2, 3, 4, in which input 3 feeds both Γ1 and Γ2, i.e. the circuit has fan-out 2]
Solutions to the Backtracking Attack (1)

1. Based on multi-linear maps
1.1 Garg et al.: Attribute-based Encryption for Circuits from Multilinear Maps, CRYPTO 2013
1.2 More solutions on the next slide

2. Based on integer lattices
2.1 Gorbunov et al.: Attribute-based Encryption for Circuits, STOC 2013
2.2 Boneh et al.: Attribute-based Encryption for Arithmetic Circuits, Cryptology ePrint Archive 2013: 669
2.3 Boneh et al.: Fully Key-homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits, EUROCRYPT 2014
Solutions to the Backtracking Attack (2)

Can it be done with just one bilinear map?

1. F.L. Ţiplea, C.C. Drăgan (2014)
- Secret sharing and just one bilinear map
- Efficiency for a larger class than the class of Boolean formulas
2. C.C. Drăgan, F.L. Ţiplea (2015)
- Secret sharing and chained bilinear maps
- Works for the entire class of Boolean circuits
3. P. Hu, H. Gao (2017)
- Secret sharing and just one bilinear map
- Efficiency for a larger class than the class of Boolean formulas
4. F.L. Ţiplea et al. (2020)
- Secret sharing and just one bilinear map
- Efficiency for a larger class than the class of Boolean formulas
Bi/Multi-linear map based solutions to the backtracking attack – Use of leveled multi-linear maps

Leveled Multi-linear Map Based (LMM) KP-ABE Scheme

1. Proposed by Garg et al. (Crypto, 2013)
2. Does not use secret sharing
3. Uses leveled multi-linear maps
4. Leveled multi-linear map:
4.1 k cyclic groups ⟨g1⟩ = G1, · · · , ⟨gk⟩ = Gk of prime order p (k − 1 is the circuit depth)
4.2 A set {e_{i,j} : Gi × Gj → G_{i+j} | i, j ≥ 1, i + j ≤ k} of bilinear maps satisfying e_{i,j}(gi^a, gj^b) = g_{i+j}^{ab}

[Figure: gi and gj are paired by e_{i,j} into g_{i+j}; the same g_{i+j} is reached from (g_{i−1}, g_{j+1}) by e_{i−1,j+1} and from (g_{i+1}, g_{j−1}) by e_{i+1,j−1}]
Leveled Multi-linear Map Based (LMM) KP-ABE Scheme

5. Associate two keys to each input wire, three keys to each output wire of an AND-gate, and four keys to each output wire of an OR-gate

[Figure: an OR-gate w on level j with input wires w1 and w2; its key components are g1^{aw}, g1^{bw} and gj^{rw − aw·rw1}, gj^{rw − bw·rw2}; the values gj^{s rw1} and gj^{s rw2} on the input wires give g_{j+1}^{s rw} on the output wire]

6. Evaluate the circuit bottom-up – the values of the output wires of gates on level j are powers of g_{j+1}
Security in the Selective Model

Decisional MDH problem in e = {e_{i,j} : Gi × Gj → G_{i+j}, i + j ≤ k}:
Instance: (g1, g1^s, g1^{c1}, . . . , g1^{ck}, z), where ⟨g1⟩ = G1 and s, c1, . . . , ck, z ← Zp
Question: distinguish between gk^{s c1 ··· ck} and gk^z

Decisional MDH assumption: no PPT algorithm can solve the DMDH problem with more than a negligible advantage

Theorem 1
The LMM KP-ABE scheme is secure in the selective model under the decisional multi-linear Diffie-Hellman assumption.

Are there secure multi-linear maps?
Bi/Multi-linear map based solutions to the backtracking attack – Secret sharing and one bilinear map

FO KP-ABE Scheme

1. Proposed in F.L. Ţiplea and C. Drăgan: Attribute-Based Encryption for Circuits from multi-linear Maps, BCS 2014
2. Introduces supplementary FAN-OUT (FO) gates to multiply outputs of input or logic gates
3. Secret sharing: adapted to FO gates
4. Reconstruction: by just one bilinear map
5. The scheme is as efficient as Goyal et al.'s scheme for a relevant subclass of Boolean circuits strictly including Boolean formulas
FO-gates

[Figure: left, the circuit of the backtracking attack (Γ4 OR, Γ3 AND, Γ1 OR and AND Γ2 over the inputs 1–4, with input 3 feeding both Γ1 and Γ2); right, the same circuit with a fan-out gate Γ0 FO inserted above input 3, whose two outputs go to Γ1 and Γ2]
Secret Sharing and Key Generation

[Figure: the circuit with the FO gate Γ0 above input 3. Sharing of y:
Γ4 OR passes y to Γ3;
Γ3 AND: x1 ← Zp, x2 = y − x1;
Γ0 FO (outputs a1, a2): a1 ← Zp, b1 = x2 − a1; a2 ← Zp, b2 = x3 − a2.
The input gates 1, 2, 3, 4 receive x1, x2, (a1, a2), x4 and get the key components g^{x1/t1}, g^{x2/t2}, (g^{a1/t3}, g^{a2/t3}), g^{x4/t4}; the FO gate also contributes (g^{b1}, g^{b2})]
Resistance to the Backtracking Attack

[Figure: the same circuit with the FO gate drawn as two single-output gates FO1 (Γ0¹) and FO2 (Γ0²) carrying a1 and a2, so that attribute 3 appears as the two input gates (3,1) and (3,2) with key components g^{a1/t3} and g^{a2/t3} (plus g^{b1}, g^{b2}); the shares y, x1, x2, x3, x4 at the logic gates are as before]
Security in the Selective Model

Decisional BDH problem in (G1, G2, e):
Instance: (g, g^a, g^b, g^c, z), where ⟨g⟩ = G1 and a, b, c, z ← Zp
Question: distinguish between e(g, g)^{abc} and e(g, g)^z

Decisional BDH assumption: no PPT algorithm can solve the DBDH problem with more than a negligible advantage

Theorem 2
The FO KP-ABE scheme is secure in the selective model under the decisional bilinear Diffie-Hellman assumption.
Bi/Multi-linear map based solutions to the backtracking attack – The case of compartmented and multi-level access structures

Compartmented and Multi-level Access Structures

1. Real-world applications such as cloud storage, healthcare systems, or wireless sensor networks need complex access structures based on different degrees of trust and privileges associated to participants
2. Compartmented access structures (CASs):
- Users are grouped into compartments that have associated thresholds
- A global threshold is also associated
- An authorized set must pass each threshold
3. Multi-level access structures (MASs):
- Users are grouped on levels that have associated unique thresholds
- Levels are in ascending order w.r.t. their thresholds
- An authorized set must contain enough users from the first i levels in order to pass the ith threshold, for some i (in the disjunctive case) or for all i (in the conjunctive case)

CASs and MASs cannot be represented by Boolean formulas!
Efficient KP-ABE Schemes for CASs and MASs

1. Proposed in F.L. Ţiplea et al.: Practically Efficient Attribute-based Encryption for Compartmented Access Structures, SECRYPT 2020
2. Start from the FO KP-ABE scheme
3. Remove the FO gates and simplify the secret sharing procedure
FO KP-ABE Scheme for CASs

[Figure: an AND gate whose inputs carry the shares y1, . . . , yk, y_{k+1}. Input i (1 ≤ i ≤ k) is a (ti, ni) threshold gate over compartment i with polynomial fi and shares fi(1), . . . , fi(ni); input k + 1 is a (t, n) threshold gate over all attributes with polynomial f_{k+1} and shares f_{k+1}(1.1), . . . , f_{k+1}(1.n1), . . . , f_{k+1}(k.1), . . . , f_{k+1}(k.nk). Every attribute i.j is reached through an FO gate with outputs a¹_{i,j}, a²_{i,j} and key components g^{b¹_{i,j}}, g^{b²_{i,j}}]
CAS KP-ABE Scheme

We may remove the FO gates in the scheme above and get a more efficient one:

[Figure: the same AND gate over the (t1, n1), . . . , (tk, nk) and (t, n) threshold gates, with the shares fi(j) and f_{k+1}(i.j) now given directly to the attributes 1.1, . . . , 1.n1, . . . , k.1, . . . , k.nk (no FO gates)]
Security in the Selective Model

Theorem 3
The CAS KP-ABE scheme is secure in the selective model under the
decisional bilinear Diffie-Hellman assumption.

Remarks about CAS KP-ABE scheme:

1. Each attribute gets exactly two keys

2. This is the most efficient KP-ABE scheme for CASs known so far

FO KP-ABE Scheme for MASs

[Figure: a (z, k) threshold gate over the k threshold gates (t1, n1), . . . , (tk−1, nk−1), (tk, nk) of the levels; the attributes 1.1, . . . , 1.n1, . . . , (k − 1).1, . . . , (k − 1).nk−1, k.1, . . . , k.nk are connected to the level gates through FO gates]

MAS KP-ABE Scheme

We may remove the FO gates in the scheme above and get a more efficient one:

[Figure: the same (z, k) gate over (t1, n1), . . . , (tk, nk), with the attributes 1.1, . . . , 1.n1, . . . , (k − 1).1, . . . , (k − 1).nk−1, k.1, . . . , k.nk connected directly (no FO gates)]
Security in the Selective Model

Theorem 4
The MAS KP-ABE scheme is secure in the selective model under the
decisional bilinear Diffie-Hellman assumption.

Remarks about the MAS KP-ABE scheme:

1. Decryption key size

k · n1 + (k − 1) · n2 + · · · + 1 · nk

which gives on average n(k + 1)/2

2. This is the most efficient KP-ABE scheme for MASs known so far
Bi/Multi-linear map based solutions to the backtracking attack – Attribute multiplication, secret sharing, and one bilinear map

Attribute multiplication-based (AM) KP-ABE Scheme

1. Proposed in P. Hu and H. Gao: A Key-Policy Attribute-based Encryption Scheme for General Circuit from Bilinear Maps, Intern. J. Network Security 19(5), 2017
2. Avoids FO gates by multiplying sub-circuits with roots consisting of gates with fan-out greater than 1
3. Secret sharing and reconstruction as in the case of the FO KP-ABE scheme
4. Disadvantages:
- May lead to an exponential explosion in the number of attributes
- Redefining the access structure and managing the association between attributes and users can be cumbersome
Bi/Multi-linear map based solutions to the backtracking attack – Secret sharing and chained bilinear maps

Chained Multi-linear Map Based KP-ABE Scheme

1. Proposed in C. Drăgan and F.L. Ţiplea: Attribute-Based Encryption for Circuits from multi-linear Maps, BCS 2015
2. Based on FO gates
3. The secret sharing procedure is totally different from the one in the previous schemes
4. Reconstruction is based on chained multi-linear maps

[Figure: the chain g1 → (e1) → g2 → (e2) → g3 → · · ·, each map pairing the current group with G1 = ⟨g1⟩]

ei : Gi × G1 → G_{i+1}, 1 ≤ i ≤ r + 1 (r = number of FO-levels)

5. The scheme is more efficient than the LMM KP-ABE scheme
FO-levels and FO-sequences

[Figure: an 8-input circuit drawn on levels 0 to 6. Level 0 (an FO-level) holds the input gates 1–8 with the FO gates Γ0 and Γ1 above them; level 1 holds Γ2 OR, Γ3 AND, Γ4 AND; level 2 (an FO-level) holds Γ5 OR with the FO gate Γ6 above it, annotated with the FO-sequences (2) and (2, 0); level 3 holds Γ7 AND, Γ8 AND; level 4 holds Γ9 AND, Γ10 AND; level 5 holds Γ11 OR; level 6 holds the output gate Γ12 OR]
Secret Sharing: Main Idea

1. Consider G1 = ⟨g1⟩ a cyclic group of prime order p
2. Each FO-level i has associated a
- private FO-level integer ai ← Zp, and a
- public FO-level integer (g1^{ai} mod p) ∈ G1
3. Output integers of OR- and AND-gates are shared by taking into consideration all the FO-levels (private integers) their input edges cross
4. Output integers of FO-gates are mixed into one randomly chosen integer by means of some public keys associated to gates
Secret Sharing 1: Gates not Crossing FO-levels

[Figure: the upper part of the circuit (levels 3–6). The output OR-gate on level 6 passes y to the OR-gate on level 5, which passes y to both AND-gates on level 4; the level-4 AND-gates split their y into the shares x1, x2 and x3, x4, and the AND-gates on level 3 split their inputs further into x5, x6, x7, x8]
Secret Sharing 2: Gates Crossing FO-levels

[Figure: the lower part of the circuit (levels 0–3). FO-level 2 has the private integer a1 (public g1^{a1}) and FO-level 0 has the private integer a2 (public g1^{a2}); the FO gates carry the public keys g1^{b1}, g1^{b2} (FO-level 2) and g1^{b3}, g1^{b4}, g1^{b5}, g1^{b6} (FO-level 0). The level-3 AND-gates hold the shares x1, . . . , x8, the OR-gate on level 2 outputs x9, the level-1 gates hold x10, . . . , x15, and the input gates 1, . . . , 8 receive x7, x9·a2^{−1}, x9·a2^{−1}, x9·a2^{−1}, x15, x13, x10, x14]

Secret Sharing 2: AND-gate

[same figure] For the level-3 AND-gate with output y whose left input edge crosses FO-levels 2 and 0 (reaching input gate 1 with x7) and whose right input carries x8:

x7 · a1 · a2 + x8 ≡ y (mod p)

Secret Sharing 2: OR-gate

[same figure] The OR-gate on level 2 has output integer x9; its input edges carry x9, and where they cross FO-level 0 the input gates receive x9 · a2^{−1}

Secret Sharing 2: FO-gate

[same figure] The FO-gate on FO-level 2, with outputs x8 and x5 and public keys g1^{b1}, g1^{b2}, mixes them into the single integer x9:

x8 ≡ x9 · b1 (mod p), x5 ≡ x9 · b2 (mod p)

Reconstruction by Chained Multi-linear Maps

[Figure: decryption for the attribute set {2, 5, 7, 8}. The input gates hold g1^{x9 a2^{−1}/t2}, g1^{x15/t5}, g1^{x10/t7}, g1^{x14/t8}, and the other input gates (and the gates depending only on them) evaluate to ⊥. The values propagate upward as g2^{x15 s}, g2^{x14 s} (level 1), g3^{x9 s}, g3^{x11 s}, g3^{x12 s}, g3^{x10 a2 s} (level 2) and g4^{x1 s}, g4^{x2 a1 s}, g4^{x4 a1 s}, g4^{x5 s}, g4^{x6 a1 s}, g4^{x8 s} (level 3); each FO-level crossed moves the value one group further along the chain]
Security in the Selective Model

Theorem 5
The CMM KP-ABE scheme is secure in the selective model under the
decisional multi-linear Diffie-Hellman assumption.

Comparison:

Leveled multi-linear map: e_{i,j} : Gi × Gj → G_{i+j}, 1 ≤ i < j ≤ ℓ, where ℓ = circuit depth
[figure: gi and gj paired by e_{i,j} into g_{i+j}, also reachable from (g_{i−1}, g_{j+1}) by e_{i−1,j+1} and from (g_{i+1}, g_{j−1}) by e_{i+1,j−1}]

Chained multi-linear map: ei : Gi × G1 → G_{i+1}, 1 ≤ i ≤ r + 1, where r = number of FO-levels
[figure: the chain g1 → (e1) → g2 → (e2) → g3 → · · ·, each step pairing with g1]
Conclusions

1. Recent results show that several attempts at introducing multi-linear maps are not secure. As a result, Garg et al.'s scheme based on leveled multi-linear maps does not guarantee security
2. The schemes presented in the first part of this talk, based on a single bilinear map, remain the most efficient at the moment, both from a theoretical and a practical point of view
3. The schemes presented in the first part of this talk largely cover the current practical needs. Would more be needed?
4. From a theoretical point of view, the construction of a KP-ABE scheme for general Boolean circuits based on a single bilinear map remains an exciting problem (or to prove that it is not possible)
5. How can we build secure chained multi-linear maps?
IP Security

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“AL.I.Cuza” University of Iaşi
Iaşi, Romania

November 28, 2020

F.L. Tiplea (UAIC) Information Security November 28, 2020 1 / 49


Outline

1 What is IPsec?

2 Transport and Tunnel Modes

3 More on AH and ESP


AH format
ESP format

4 Security Associations
Security associations
Basic combinations of SAs
Security association and policy databases

5 Internet key exchange



What is IPsec?


Security Issues with IP

S. Bellovin: Security Problems in the TCP/IP Protocol Suite, Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989

Eavesdropping (sniffing, snooping)

Data modification

Sequence number spoofing

IP address spoofing

Routing attacks

The Internet will never be fully secure ...

IPsec: What Is It?

Security architecture for the Internet Protocol (IPv4 and IPv6)

Provides security services at the IP layer

Provides security in three situations
  host – host
  host – security gateway
  security gateway – security gateway

Operates in two modes
  transport (for end-to-end)
  tunnel (for VPN)

IPsec: Networking Concepts

Node
  device attached to a network where messages can be created, received, or transmitted
  examples: computers, personal digital assistants (PDAs), cell phones, or various other networked devices
  on a TCP/IP network, a node is any device with an IP address

Host: node that is a computer

Security gateway
  system that implements IPsec protocols
  examples: router or firewall implementing IPsec

IPsec: Fundamental Components

1 Security protocols
  Authentication Header (AH): piece of information associated with an IP datagram in order to authenticate certain fields of the datagram
  Encapsulating Security Payload (ESP): obtained from an IP datagram by encrypting, and optionally authenticating, certain fields of the datagram

2 Security associations

3 Key management protocols

4 Algorithms for authentication and encryption

Because these protocols are provided at the IP layer, they can be used by any higher layer protocol (e.g., TCP, UDP, ICMP etc.)

IPsec Security Services

Security service                      AH    ESP   ESP with auth
access control                        yes   yes   yes
data integrity                        yes   -     yes
data origin authentication            yes   -     yes
confidentiality                       -     yes   yes
rejection of replayed packets         yes   -     yes
limited traffic flow confidentiality  -     yes   yes

A traffic flow confidentiality (TFC) mechanism alters or masks statistical characteristics of the traffic pattern(s)

Transport and Tunnel Modes

IP Datagrams

Figure: IPv4 datagram: IP hdr | IP payload

Figure: IPv6 datagram: IP main hdr | ext hdrs | IP payload, where the IPv6 hdr consists of the main header followed by the extension headers (routing extension header, fragmentation extension header, destination options extension header, ...)

Transport Mode

Typically, the transport mode is used for communication between two hosts (e.g., a client and a server or two workstations)

Gateways are not required to support the transport mode. A gateway is allowed to support the transport mode when it acts as a host, that is, when the traffic is destined to the gateway itself

By definition, the transport mode provides protection for upper layer protocols (e.g., TCP or UDP)

Advantage: fewer processing costs

Disadvantage: mutable fields are not authenticated

AH in Transport Mode
In the transport mode, AH authenticates the IP payload and selected portions of the IP header (e.g., mutable and unpredictable fields are not authenticated)

IPv4: IP hdr | AH | IP payload
  Authenticated (except for mutable fields): the whole datagram

IPv6: IP main hdr | ext hdrs (..., rout) | AH | dest | IP payload
  Authenticated (except for mutable fields): the whole datagram

ESP in Transport Mode

In the transport mode, ESP encrypts and optionally authenticates the IP payload (but not the IP header)

IPv4: IP hdr | ESP hdr | IP payload | ESP trailer | ESP auth
  Encrypted: IP payload, ESP trailer
  Authenticated: ESP hdr, IP payload, ESP trailer

IPv6: IP main hdr | ext hdrs (..., rout) | ESP hdr | dest | IP payload | ESP trailer | ESP auth
  Encrypted: dest, IP payload, ESP trailer
  Authenticated: ESP hdr, dest, IP payload, ESP trailer

Tunnel Mode

Tunneling means encapsulation: it consists of wrapping a packet in a new one

Tunnel mode is used whenever either end of an SA is a security gateway:
  host – security gateway
  security gateway – security gateway (such as two firewalls)
  security gateway – host

Note that hosts must support both transport and tunnel mode

Advantage: total protection (possibility of using private addresses)

Disadvantage: extra processing costs

AH in Tunnel Mode
In the tunnel mode, AH authenticates the entire inner IP packet plus selected portions of the outer IP header and outer IP extension headers

IPv4: new IPv4 hdr | AH | IPv4 datagram
  Authenticated (except for mutable fields in the new IPv4 hdr)

IPv6: new IPv6 main hdr | new ext hdrs | AH | IPv6 datagram
  Authenticated (except for mutable fields in the new IP hdr and its extension hdrs)

ESP in Tunnel Mode

In the tunnel mode, ESP (with authentication) encrypts (and authenticates) the inner IP packet

IPv4: new IPv4 hdr | ESP hdr | IPv4 datagram | ESP trailer | ESP auth
  Encrypted: IPv4 datagram, ESP trailer
  Authenticated: ESP hdr, IPv4 datagram, ESP trailer

IPv6: new IPv6 main hdr | new ext hdrs | ESP hdr | IPv6 datagram | ESP trailer | ESP auth
  Encrypted: IPv6 datagram, ESP trailer
  Authenticated: ESP hdr, IPv6 datagram, ESP trailer

More on AH and ESP AH format

Authentication Header

  0           8              16                31
  next header | payload length | reserved
  security parameter index (SPI)
  sequence number
  authentication data (variable)

Figure: AH format

Authentication Header

Sequence number field: designed to thwart replay attacks

Authentication data field: contains the Integrity Check Value (ICV), or MAC, for the packet.
RFC 4835 recommendation:

  Requirement   Authentication algorithm
  MUST          HMAC-SHA-1-96
  SHOULD+       AES-XCBC-MAC-96
  MAY           HMAC-MD5-96

Source Address and Destination Address are always authenticated under AH and ESP and, therefore, address spoofing is prevented
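The two slides above describe the AH layout and the purpose of its sequence number; the following Python, added here as an example and not part of the lecture, parses that layout (RFC 4302: payload length counts 32-bit words minus 2) and runs the inbound anti-replay window that the sequence number exists for. The key, SPI and payload are constructed sample values, and for brevity the ICV here covers only the AH (with the ICV field zeroed) and the payload, not the immutable IP header fields a real implementation also authenticates.

```python
"""AH parsing and anti-replay window (RFC 4302). Added example, not lecture code."""
import hmac
import hashlib
import struct
from dataclasses import dataclass

ICV_LEN = 12  # HMAC-SHA-1-96: HMAC-SHA-1 output truncated to 96 bits
AH_FIXED = struct.Struct("!BBHII")  # next hdr, payload len, reserved, SPI, seq


@dataclass
class AuthHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes
    length: int  # total AH length in bytes, derived from the payload length field


def parse_ah(data: bytes) -> AuthHeader:
    """Decode the fixed 12-byte part and cut the variable ICV that follows it."""
    if len(data) < AH_FIXED.size:
        raise ValueError("AH shorter than its fixed 12-byte part")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack(data[:AH_FIXED.size])
    total = (payload_len + 2) * 4  # payload length is in 32-bit words, minus 2
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    if total < AH_FIXED.size or len(data) < total:
        raise ValueError("payload length inconsistent with available bytes")
    return AuthHeader(next_header, spi, seq, data[AH_FIXED.size:total], total)


def _icv(fixed: bytes, payload: bytes, key: bytes) -> bytes:
    # The ICV field itself is zero while the MAC is computed (simplified coverage)
    mac = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    """Sender side: fixed part plus HMAC-SHA-1-96 ICV; payload length is 4 here."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _icv(fixed, payload, key)


def verify_icv(data: bytes, payload: bytes, key: bytes) -> bool:
    ah = parse_ah(data)
    return hmac.compare_digest(_icv(data[:AH_FIXED.size], payload, key), ah.icv)


class ReplayWindow:
    """Sliding anti-replay window (RFC 4302, appendix B); default width 64."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit k set <=> sequence number (top - k) was already seen

    def check(self, seq: int) -> bool:
        """True if seq is new and not left of the window; state is not changed."""
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: left of the window
        return not (self.bitmap >> diff) & 1

    def update(self, seq: int) -> None:
        """Mark seq as received; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(data: bytes, payload: bytes, key: bytes, window: ReplayWindow) -> str:
    """Inbound order: parse, replay check, ICV verification, then window update."""
    ah = parse_ah(data)
    if not window.check(ah.seq):
        return "replayed"
    if not verify_icv(data, payload, key):
        return "bad icv"
    window.update(ah.seq)
    return "accepted"


# Constructed sample values for the SA (not real traffic)
KEY = b"constructed-hmac-key"
SPI = 0x1000
```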

More on AH and ESP ESP format

Encapsulating Security Payload Format

  0                      16          24          31
  security parameter index (SPI)                     | authenticated
  sequence number                                    | authenticated
  payload data (variable)              | encrypted   | authenticated
  padding (0-255 bytes)                | encrypted   | authenticated
  pad length        | next header      | encrypted   | authenticated
  authentication data (variable)

Figure: ESP format

Encryption in ESP
RFC 4835 recommendation:

  Requirement   Encryption algorithm
  MUST          NULL
  MUST          AES-CBC with 128-bit keys
  MUST-         3DES-CBC
  SHOULD        AES-CTR
  SHOULD NOT    DES-CBC

NULL does nothing to alter data: it is the identity function with a block size of 1 byte (therefore, padding is not necessary).

NULL is simply a convenient way to use ESP in order to provide authentication and integrity without confidentiality.

Authentication in ESP
RFC 4835 recommendation:

  Requirement   Authentication algorithm
  MUST          HMAC-SHA-1-96
  SHOULD+       AES-XCBC-MAC-96
  MAY           NULL
  MAY           HMAC-MD5-96

Authentication and encryption can each be "NULL", but not at the same time

Security Associations Security associations

Security Associations
A security association (SA) is a unidirectional logical connection between two IP systems, uniquely identified by a triple

  (SPI, IP destination address, security protocol)

where

  SPI (security parameter index) is a 32-bit value used to identify different SAs with the same destination address and the same security protocol
  IP destination address can be unicast, broadcast, or multicast
  security protocol – this can be either AH or ESP

Security Associations

1 SAs are unidirectional! Thus, for bidirectional communication between two IPsec systems there must be two SAs defined, one for each direction

2 A single SA gives security to the traffic carried by it either by using AH or ESP, but not both

3 For a connection that needs to be protected by both AH and ESP, two SAs must be defined for each direction

Security Associations Basic combinations of SAs

SA Bundle

An SA bundle is a sequence of SAs through which traffic must be processed to provide a desired security
SAs may be combined into bundles in two ways:
  transport adjacency – consists of applying both security protocols, in the transport mode, to the same IP datagram
  iterated tunneling – consists of applying multiple layers of security protocols through IP tunneling (although there is no limit on the nesting levels, more than three levels is considered impractical)

These approaches can be combined: e.g., an IP packet with transport adjacency IPsec headers can be sent through nested tunnels

End-to-end Security

Figure: End-to-end security: Host 1 | Internet/intranet | Host 2, with a tunnel or a connection between the two hosts

Two hosts are connected through the Internet or an intranet without any security gateway between them. They can use ESP, AH, or both. Either transport or tunnel mode can be applied

Basic VPN Support

Figure: Basic VPN support: Host 1 | intranet | Gtw 1 | Internet/intranet | Gtw 2 | intranet | Host 2, with a tunnel connection between Gtw 1 and Gtw 2

The hosts in the intranets are not required to support IPsec, but the gateways are required to run IPsec and support tunnel mode (either with AH or ESP)

End-to-end Security with VPN Support

Figure: End-to-end security with VPN support: Host 1 | intranet | Gtw 1 | Internet/intranet | Gtw 2 | intranet | Host 2, with a tunnel between Gtw 1 and Gtw 2 and an end-to-end connection between Host 1 and Host 2

This is a combination of the previous two cases. For instance, the gateways may use AH in tunnel mode, while the hosts use ESP in transport mode

Remote Access

Figure: Remote access: Host 1 | Internet/intranet | G2 (firewall) | intranet | Host 2, with a tunnel between Host 1 and G2 and a connection between Host 1 and Host 2

Between Host 1 and the firewall G2, only the tunnel mode is required (e.g., AH in tunnel mode), and between Host 1 and Host 2, either transport or tunnel mode can be used (e.g., ESP in transport mode)

Security Associations Security association and policy databases

SAD and SPD

1 Each SA has an entry in a Security Association Database (SAD)

2 A Security Policy Database (SPD) specifies what services are to be offered to IP datagrams and in what fashion

3 An SPD consists of an ordered list of policy entries, each policy being keyed by one or more (traffic) selectors that define the set of IP traffic encompassed by this policy entry

4 Example of a policy entry: all matching traffic must be protected by ESP in transport mode using 3DES-CBC with an explicit IV, nested inside AH in tunnel mode using HMAC-SHA-1

5 The SPD must be consulted during the processing of all traffic (inbound or outbound), including non-IPsec traffic

Internet key exchange

Internet Key Exchange

Internet Key Exchange (IKE) is a component of IPsec that
  establishes an IKE SA that includes shared secrets
  performs mutual authentication between parties
  establishes AH and ESP SAs and a set of cryptographic algorithms to be used by them

The design of IKE was influenced by three protocols:
  STS (Station-to-Station) protocol – this was discussed in one of our previous lectures
  SKEME protocol – developed specifically for IPsec, SKEME is an extension of Photuris suggested in 1996 by H. Krawczyk
  Oakley protocol – this is a key-agreement protocol proposed by H. Orman in 1998 (RFC 2412). It allows authenticated parties to exchange keying material across an insecure connection

IKE Exchanges

Exchange: pair of messages consisting of a request and a response

Types of exchanges in IKE:
  The first exchange (IKE_SA_INIT)
    negotiates security parameters for the IKE SA
    sends nonces
    sends DH values
  The second exchange (IKE_AUTH)
    transmits identities
    proves knowledge of the secrets corresponding to the two identities
    sets up an SA for the first (and often only) AH or ESP Child SA
  Subsequent exchanges:
    CREATE_CHILD_SA: creates new Child SAs or re-keys (creates a new SA and then deletes the old SA) both IKE SAs and Child SAs
    INFORMATIONAL: deletes an SA, reports error conditions, or does other housekeeping

IKE Exchanges: Overview of the Key Material

IKE_SA_INIT establishes the IKE SA:
  SKEYSEED = prf(N_I ‖ N_R, g^ir)
  keys: SK_d, ...

IKE_AUTH creates the first Child SA:
  KEYMAT = prf+(SK_d, N_I ‖ N_R)  →  key(s)

CREATE_CHILD_SA creates a new Child SA:
  KEYMAT = prf+(SK_d, [g^ir ‖] N_I ‖ N_R)  →  key(s)

CREATE_CHILD_SA re-keys a Child SA or re-keys the IKE SA:
  KEYMAT = prf+(SK_d, [g^ir ‖] N_I ‖ N_R)  →  key(s) of the new Child SA
  SKEYSEED = prf(SK_d, g^ir ‖ N_I ‖ N_R)  →  key(s) of the new IKE SA
IKE_SA_INIT
I→R: Hdr, SA_I1, KE_I, N_I
R→I: Hdr, SA_R1, KE_R, N_R [, CertReq]

Hdr contains SPIs, version numbers, exchange type, message ID, and flags
SA_I1 states the cryptographic algorithms the initiator supports for the IKE SA
SA_R1 is the responder's choice, selected from the initiator's offered choices (SA_I1)
N_I and N_R are nonces
KE_I and KE_R are DH values (g^i and g^r)
CertReq: certificate request

IKE_SA_INIT: Key Generation

At this point, each party can generate all keys for the IKE SA:
  SKEYSEED = prf(N_I ‖ N_R, g^ir)
  KEYS = prf+(SKEYSEED, N_I ‖ N_R ‖ SPI_I ‖ SPI_R)
  KEYS = SK_d ‖ SK_ai ‖ SK_ar ‖ SK_ei ‖ SK_er ‖ SK_pi ‖ SK_pr ‖ ···

where prf is a PRF and prf+ is an iteration of it:
  prf+(K, T_0) = T_1 ‖ T_2 ‖ T_3 ‖ ···
  T_1 = prf(K, T_0 ‖ 0x01)
  T_2 = prf(K, T_1 ‖ 0x02)
  ···

In what follows, {·}SK means authenticated encryption by SK_ex + SK_ax, with x ∈ {i, r}

SK_d will be used for derivation of further keying material for Child SAs

IKE_AUTH
I→R: Hdr, {ID_I, [Cert,] [CertReq,] [ID_R,] Auth, SA_I2, TS_I, TS_R}SK
R→I: Hdr, {ID_R, [Cert,] Auth, SA_R2, TS_I, TS_R}SK

ID_I, ID_R: identities
Auth: authentication payload (based on SK_pi and SK_pr)
Cert: certificate payload
SA_I2, SA_R2: the initiator begins negotiation of a Child SA using the SA_I2 payload, and the responder completes the negotiation with SA_R2
TS_I, TS_R: traffic selectors
  A traffic selector is a list of IP addresses and port numbers that are to be protected by the SA
  TS_I (TS_R) specifies source (destination) addresses and ports

IKE_AUTH: Key Generation for the Child SA

When the first Child SA is created by IKE_AUTH, the keys are generated as follows. The keying material is

  KEYMAT = prf+(SK_d, N_I ‖ N_R)

where N_I and N_R are the nonces from the IKE_SA_INIT exchange

Generally, keys are taken from KEYMAT in the order: encryption key and then integrity key
CREATE_CHILD_SA
Used to:

Create a new Child SA (recall that the first Child SA is created by IKE_AUTH)

Re-key a Child SA

Re-key an IKE SA – the main reason for rekeying the IKE SA is to ensure that the compromise of old keying material does not provide information about the current keys, or vice versa

Re-keying an SA: create a new SA and then delete the old one

CREATE_CHILD_SA: New Child SA
I→R: Hdr, {SA, N_I [, KE_I], TS_I, TS_R}SK
R→I: Hdr, {SA, N_R [, KE_R], TS_I, TS_R}SK

where:

SA: the new security association the initiator wants to create

If KE_I and KE_R are not used, the keys are generated as in the case of the Child SA created by IKE_AUTH, but with the fresh nonces N_I and N_R

If KE_I and KE_R are used, the keys are generated as follows:
  KEYMAT = prf+(SK_d, g^ir ‖ N_I ‖ N_R)  (g^ir, N_I, N_R are the fresh ones)
  with the same rules for taking the keys

CREATE_CHILD_SA: Re-keying a Child SA
I→R: Hdr, {N(REKEY_SA), SA, N_I [, KE_I], TS_I, TS_R}SK
R→I: Hdr, {SA, N_R [, KE_R], TS_I, TS_R}SK

where:

N(REKEY_SA) identifies (by the SPI field) the SA to be rekeyed

The keys are generated as in the case of the creation of a new Child SA

CREATE_CHILD_SA: Re-keying the IKE SA
I→R: Hdr, {SA, N_I, KE_I}SK
R→I: Hdr, {SA, N_R, KE_R}SK

where:

SA re-keys the current IKE SA

The new SKEYSEED is computed by

  SKEYSEED = prf(SK_d, g^ir ‖ N_I ‖ N_R)

where SK_d and prf are the old ones

The new SK_d, SK_ai etc. are computed as usual (a new prf may be used)
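The three derivations in this part of the lecture (IKE SA keys after IKE_SA_INIT, the Child SA KEYMAT of IKE_AUTH and CREATE_CHILD_SA, and the IKE SA re-key) are carried through in the Python below, which is an added example rather than lecture code, with prf+ written as RFC 7296 defines it (S is fed into every iteration, which the abbreviated form on the IKE_SA_INIT key generation slide omits). It assumes HMAC-SHA-256 as the negotiated prf, AES-128 encryption keys and HMAC-SHA-256-128 integrity keys, and uses constructed nonces, SPIs and DH secret in place of real protocol values.

```python
"""IKEv2 key derivation (RFC 7296, sections 2.13, 2.14, 2.17, 2.18).
Added example, not the lecture's code."""
import hmac
import hashlib
from typing import Dict, List, Tuple

PRF_LEN = 32        # assumed PRF_HMAC_SHA2_256: size of SK_d, SK_pi, SK_pr
ENC_KEY_LEN = 16    # assumed ENCR_AES_CBC with 128-bit keys
INTEG_KEY_LEN = 32  # assumed AUTH_HMAC_SHA2_256_128 (32-byte key)

# Constructed sample values; a real implementation takes them from the exchange
N_I = b"\x11" * 32
N_R = b"\x22" * 32
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("090a0b0c0d0e0f10")
G_IR = b"\x33" * 256  # DH shared secret g^ir (e.g. a 2048-bit MODP result)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S | 0x01) and
    Tn = prf(K, T(n-1) | S | n). RFC 7296 feeds S into every iteration."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:nbytes]


def _split(stream: bytes, layout: List[Tuple[str, int]]) -> Dict[str, bytes]:
    """Cut the key stream into named keys, in the order of the layout."""
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


IKE_SA_LAYOUT = [("SK_d", PRF_LEN), ("SK_ai", INTEG_KEY_LEN), ("SK_ar", INTEG_KEY_LEN),
                 ("SK_ei", ENC_KEY_LEN), ("SK_er", ENC_KEY_LEN),
                 ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]


def ike_sa_keys(skeyseed: bytes, n_i: bytes, n_r: bytes,
                spi_i: bytes, spi_r: bytes) -> Dict[str, bytes]:
    """KEYS = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr), taken in the order
    SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr."""
    total = sum(size for _, size in IKE_SA_LAYOUT)
    return _split(prf_plus(skeyseed, n_i + n_r + spi_i + spi_r, total), IKE_SA_LAYOUT)


def ike_sa_init_keys(g_ir: bytes, n_i: bytes, n_r: bytes,
                     spi_i: bytes, spi_r: bytes) -> Dict[str, bytes]:
    """Keys after IKE_SA_INIT: SKEYSEED = prf(Ni | Nr, g^ir)."""
    return ike_sa_keys(prf(n_i + n_r, g_ir), n_i, n_r, spi_i, spi_r)


CHILD_SA_LAYOUT = [("encr_i", ENC_KEY_LEN), ("integ_i", INTEG_KEY_LEN),
                   ("encr_r", ENC_KEY_LEN), ("integ_r", INTEG_KEY_LEN)]


def child_sa_keys(sk_d: bytes, n_i: bytes, n_r: bytes,
                  g_ir: bytes = None) -> Dict[str, bytes]:
    """KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr). Initiator-to-responder keys come
    first and, per direction, the encryption key precedes the integrity key
    (RFC 7296, section 2.17). g_ir is the fresh DH secret when CREATE_CHILD_SA
    carried KE payloads and None for the Child SA created by IKE_AUTH."""
    seed = (g_ir or b"") + n_i + n_r
    total = sum(size for _, size in CHILD_SA_LAYOUT)
    return _split(prf_plus(sk_d, seed, total), CHILD_SA_LAYOUT)


def rekey_ike_sa(old_sk_d: bytes, g_ir_new: bytes, n_i: bytes, n_r: bytes,
                 spi_i: bytes, spi_r: bytes) -> Dict[str, bytes]:
    """New SKEYSEED = prf(old SK_d, g^ir | Ni | Nr) with the fresh DH secret,
    nonces and SPIs of the CREATE_CHILD_SA exchange (RFC 7296, section 2.18)."""
    return ike_sa_keys(prf(old_sk_d, g_ir_new + n_i + n_r), n_i, n_r, spi_i, spi_r)


if __name__ == "__main__":
    ike = ike_sa_init_keys(G_IR, N_I, N_R, SPI_I, SPI_R)
    for name, value in ike.items():
        print(name, value.hex())
    print("child encr_i", child_sa_keys(ike["SK_d"], N_I, N_R)["encr_i"].hex())
```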

INFORMATIONAL
I→R: Hdr, {[N,] [D,] [CP,] ...}SK
R→I: Hdr, {[N,] [D,] [CP,] ...}SK

where:

N: notify
D: delete
CP: configuration


SSL and TLS

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“AL.I.Cuza” University of Iaşi
Iaşi, Romania

December 23, 2020

F.L. Tiplea (UAIC) Information Security: SSL/TLS December 23, 2020 1 / 44


Outline

1 Secure Socket Layer (SSL)


Overview
Connections and sessions
Master secret generation
SSL handshake
SSL record protocol
SSL change cipher spec protocol
SSL alert protocol
SSL application data protocol

2 Transport Layer Security (TLS)

3 SSL and TLS applications

4 Security of TLS in the Standard Model

Secure Socket Layer (SSL) Overview

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL): security protocol developed by Netscape Communications Corporation
Current version: SSL v3.0
Primary goal: to provide a private channel between communicating applications to ensure
  privacy of data
  authentication of the parties
  integrity

SSL does not provide non-repudiation (neither non-repudiation of origin nor non-repudiation of delivery)

SSL is socket-oriented (all or none of the data that is sent or received from a socket is protected in the same way, i.e., there is no way to sign individual pieces of data)

SSL Structure

SSL is composed of two layers:
  the lowest layer is layered on top of some reliable transport protocol (e.g., TCP), and consists of the SSL record protocol
  the highest layer consists of four protocols: SSL handshake, SSL change cipher spec, SSL alert, and SSL application data

  Applications:  FTP | ··· | HTTP
  SSL:           SSL HS | SSL CCS | SSL A | SSL AD
                 SSL record
  Transport:     TCP

SSL provides security services to any TCP-based application protocol (e.g., HTTP, FTP etc.)
SSL is application independent
Secure Socket Layer (SSL) Connections and sessions

Connections and Sessions

SSL connection
transport (in the OSI layering model definition) that provides a suitable type
of service
each connection is associated with one session

SSL session
association between two communicating peers
defines a set of cryptographic parameters which can be shared among
multiple connections
created by the SSL handshake protocol
primarily used to avoid expensive negotiation of new security parameters for
each connection

Multiple simultaneous sessions between a pair of parties may coexist

Session States

SSL sessions are stateful


Two current states are maintained by each party
current read (for receive)
current write (for send)

Two pending states are also maintained by each party (to change the
current states)
pending read (for receive)
pending write (for send)

Session State Parameters

Session id – a byte sequence chosen by the server to identify an active or resumable session state
Peer certificate – an X.509 v3 certificate of the peer (this element may be null)
Compression method – the algorithm used to compress data prior to encryption
CipherSpec – defines the data encryption algorithm (such as null, DES etc.), a hash algorithm (such as MD5 or SHA-1), and cryptographic attributes (such as the hash size)
Master secret – a 48-byte secret shared between the client and the server
Is resumable – a flag indicating whether the session can be used to initiate new connections

A vector of values for these parameters is usually called a session state

Connection State Parameters

Client/server random value N_C/N_S – a byte sequence chosen by the client/server for each connection
Client/server write MAC secret K^C_MAC/K^S_MAC – secret key used in MAC operations on data sent by the client/server
Client/server write key K_C/K_S – secret key used by the client/server to encrypt and by the server/client to decrypt
Initialization vector IV – used in CBC mode
Sequence numbers – each party maintains separate sequence numbers for transmitted and received messages for each connection

A vector of values for these parameters is usually called a connection state

Pictorial View of SSL States

Figure: Pictorial view of SSL states
  session state parameters: session id, certificates, resumable?, authentication and encryption algorithms, compression algorithm, master secret
  connection state parameters: two secret keys (MAC and encryption), two IVs (client, server), client and server random, sequence numbers for transmitted and received messages

Secure Socket Layer (SSL) Master secret generation

Master Secret

Is an element of the session state

Is used to derive connection keys and initialization vectors

It is generated from
pre-master secret
client and server nonces
constants

by using MD5 and SHA-1

Pre-master Secret
The pre-master secret is established between the parties, in the handshake protocol, by one of the following methods:
1 RSA: the client generates a pre-master secret that is encrypted with the server's public key, and sends it to the server
2 DH: the pre-master secret is the DH value obtained from the client's and server's DH public parameters. There are three variants:
  Fixed DH: the server must have a certificate which includes its DH public parameters. The client provides its DH public parameters either in a certificate or in a key exchange message
  Ephemeral (temporary, one-time) DH: DH public parameters are exchanged and signed using the sender's private RSA or DSS key. Certificates are needed to authenticate the public keys
  Anonymous DH: this is DH with no authentication

3 Fortezza: this is the Fortezza scheme (based on the Skipjack cryptosystem)

Master Secret Generation

Both sides compute the master secret as follows:

  master_secret = MD5(pre-master_secret ‖ sha(A, pre-master_secret)) ‖
                  MD5(pre-master_secret ‖ sha(B, pre-master_secret)) ‖
                  MD5(pre-master_secret ‖ sha(C, pre-master_secret))

where:

  sha(A, pre-master_secret) = SHA('A' ‖ pre-master_secret ‖ N_C ‖ N_S)      ('A' = 0x41)
  sha(B, pre-master_secret) = SHA('BB' ‖ pre-master_secret ‖ N_C ‖ N_S)     ('BB' = 0x4242)
  sha(C, pre-master_secret) = SHA('CCC' ‖ pre-master_secret ‖ N_C ‖ N_S)    ('CCC' = 0x434343)

  N_C = client_hello_random (client nonce)
  N_S = server_hello_random (server nonce)

Generation of Cryptographic Parameters

All cryptographic parameters,
  client/server write MAC secret
  client/server write key
  client/server write IV
are generated from the key block below, in this order

  key_block = MD5(master_secret ‖ sha(A, master_secret)) ‖
              MD5(master_secret ‖ sha(B, master_secret)) ‖
              MD5(master_secret ‖ sha(C, master_secret)) ‖
              ...

In some cases, the client/server write key and the client/server write IV may be subject to some additional processing
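The master secret computation and the key block expansion of the two slides above share one MD5/SHA-1 construction; the Python below, an added example and not lecture code, implements it per RFC 6101 and cuts the key block into the six connection parameters in the order the slide gives. The pre-master secret and the hello randoms are constructed sample values, and the key block uses the RFC 6101 input order (server random before client random), which the slide's sha(·, master_secret) notation leaves implicit.

```python
"""SSL 3.0 master secret and key block derivation (RFC 6101, sections 6.1 and 6.2.2).
Added example, not the lecture's code."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample values; in a handshake they come from ClientKeyExchange,
# ClientHello.random and ServerHello.random
PRE_MASTER_SECRET = bytes(range(48))  # RSA key exchange: 2 version bytes + 46 random bytes
CLIENT_RANDOM = b"\x01" * 32          # N_C
SERVER_RANDOM = b"\x02" * 32          # N_S


def ssl3_block(secret: bytes, rand: bytes, i: int) -> bytes:
    """Block i (1-based): MD5(secret || SHA1(salt_i || secret || rand)) with
    salt_1 = 'A' (0x41), salt_2 = 'BB' (0x4242), salt_3 = 'CCC' (0x434343), ..."""
    salt = bytes([0x40 + i]) * i
    inner = hashlib.sha1(salt + secret + rand).digest()
    return hashlib.md5(secret + inner).digest()


def ssl3_expand(secret: bytes, rand: bytes, nbytes: int) -> bytes:
    """Concatenate successive 16-byte MD5 blocks until nbytes are available."""
    out, i = b"", 1
    while len(out) < nbytes:
        out += ssl3_block(secret, rand, i)
        i += 1
    return out[:nbytes]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: exactly the blocks A, BB, CCC over
    pre-master_secret || N_C || N_S."""
    return ssl3_expand(pre_master, client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              nbytes: int) -> bytes:
    """Key block of the requested length. RFC 6101 hashes ServerHello.random
    before ClientHello.random here, the reverse of the master secret order."""
    return ssl3_expand(master, server_random + client_random, nbytes)


def connection_keys(master: bytes, client_random: bytes, server_random: bytes,
                    mac_len: int, key_len: int, iv_len: int) -> Dict[str, bytes]:
    """Cut the key block in the slide's order: client/server write MAC secret,
    client/server write key, client/server write IV (before any export-cipher
    post-processing, which this example leaves out)."""
    layout: List[Tuple[str, int]] = [
        ("client_write_mac_secret", mac_len), ("server_write_mac_secret", mac_len),
        ("client_write_key", key_len), ("server_write_key", key_len),
        ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    total = sum(size for _, size in layout)
    stream = key_block(master, client_random, server_random, total)
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    ms = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret", ms.hex())
    # e.g. SHA-1 MAC (20 bytes), 3DES key (24 bytes), 8-byte CBC IV
    for name, value in connection_keys(ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 24, 8).items():
        print(name, value.hex())
```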

Secure Socket Layer (SSL) SSL handshake

SSL Handshake Protocol

The most complex protocol of SSL

It allows the parties to
  agree on a protocol version
  authenticate each other
  negotiate a cryptographic suite and a compression method
  establish a pre-master secret
  exchange nonces

Two main forms
  establishing a new session
  resuming a session

SSL Handshake Protocol – New Session

1. C → S : ClientHello
2. S → C : ServerHello,
[Certificate, ]
[ServerKeyExchange, ]
[CertificateRequest, ]
ServerHelloDone
3. C → S : [Certificate, ]
ClientKeyExchange,
[CertificateVerify , ]
ChangeCipherSpec,
Finished
4. S → C : ChangeCipherSpec,
Finished

SSL Handshake Protocol – Resuming a Session


The simplified version below of the SSL protocol is to be used when the client
and server decide to resume a previous session or duplicate an existing one,
instead of negotiating new security parameters

1. C → S : ClientHello
2. S → C : ServerHello,
ChangeCipherSpec,
Finished
3. C → S : ChangeCipherSpec,
Finished

SSL Handshake Protocol Messages

ClientHello message includes:
  highest SSL version understood by the client
  random value generated by the client for use in the master secret generation
  session ID (it is 0 if the client is starting a new session)
  cipher suite list (in order of preference). A cipher suite consists of:
    a key exchange method (RSA, DH, Fortezza)
    a cipher algorithm (e.g., 3DES) and a cipher type (stream or block)
    a MAC algorithm (MD5 or SHA-1) and a hash value
    a value for “is exportable” (true or false)
    key material (used in generating the write keys)
    the size of the IV
  data compression methods (supported by the client)


SSL Handshake Protocol Messages

- ServerHello message includes: version number, random value (which embeds time information), session ID, and the cipher suite and compression method selected from the client's lists
- Certificate message includes the server certificate chain (if the server is required to be authenticated by the key exchange method)
- ServerKeyExchange message consists of the elements provided by the server according to the key exchange method (e.g., Diffie-Hellman parameters signed with the server's key)
- CertificateRequest message requests a client certificate if the client is required to be authenticated
- ServerHelloDone message indicates the end of the server hello and associated messages


SSL Handshake Protocol Messages

- ClientKeyExchange message consists of the elements provided by the client according to the key exchange method (e.g., the pre-master secret encrypted with the server's RSA public key)
- CertificateVerify message provides explicit verification of the client certificate. It contains a signature with the client private key over a field consisting of an MD5 hash value and a SHA-1 hash value, if RSA is used, and over a field consisting of a SHA-1 hash value, if DSA is used. The hash values are computed as follows:

      h(master_secret || pad_2 || h(handshake_messages || master_secret || pad_1))

  where h is MD5 or SHA-1 and

      pad_1 = 0x36 repeated 48 times (for MD5) or 40 times (for SHA-1)
      pad_2 = 0x5c repeated 48 times (for MD5) or 40 times (for SHA-1)

- ChangeCipherSpec message causes the receiver (sender) to copy the read (write) pending state into the current read (write) state (see the figure below)

SSL Handshake Protocol Messages

Finished message indicates that the negotiation part is completed:
- It is the first message protected with the just-negotiated algorithms and keys
- Its body is an MD5 hash value (16 bytes) followed by a SHA-1 hash value (20 bytes); the record layer then appends its MAC (16 or 20 bytes) and encrypts the whole message. The hash values are

      h(master_secret || pad_2 || h(handshake_messages || sender || master_secret || pad_1))

  where:
  - h is MD5 or SHA-1, with pad_1 and pad_2 as for CertificateVerify
  - handshake_messages is all of the data from all handshake messages up to but not including this message
  - sender is 0x434c4e54 ("CLNT") for the client, and 0x53525652 ("SRVR") for the server
- Because the sender value differs, the two Finished messages differ even though they are computed over the same transcript; each side recomputes the value over the transcript it saw, so any tampering with an earlier handshake message makes the check fail
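The CertificateVerify and Finished computations described above, as an added Python example (not part of the original slides and not code from any SSL implementation). The pad lengths and the sender constants are the ones stated on the slides; the 48-byte master secret and the handshake transcript used in the demo are constructed sample values.

```python
import hashlib
import hmac

# SSL 3.0 pad lengths: 48 bytes for MD5, 40 bytes for SHA-1 (pad_1 = 0x36..., pad_2 = 0x5c...).
PAD_LEN = {"md5": 48, "sha1": 40}

# Sender constants of the Finished message: 0x434c4e54 = "CLNT", 0x53525652 = "SRVR".
SENDER_CLIENT = bytes.fromhex("434c4e54")
SENDER_SERVER = bytes.fromhex("53525652")


def ssl3_handshake_hash(h: str, master_secret: bytes, handshake_messages: bytes,
                        sender: bytes = b"") -> bytes:
    """h(master_secret || pad_2 || h(handshake_messages || sender || master_secret || pad_1)).

    With sender == b"" this is the CertificateVerify hash; with SENDER_CLIENT or
    SENDER_SERVER it is the Finished hash.  h is "md5" or "sha1".
    """
    pad_1 = b"\x36" * PAD_LEN[h]
    pad_2 = b"\x5c" * PAD_LEN[h]
    inner = hashlib.new(h, handshake_messages + sender + master_secret + pad_1).digest()
    return hashlib.new(h, master_secret + pad_2 + inner).digest()


def certificate_verify_hash(master_secret: bytes, handshake_messages: bytes,
                            sig_alg: str) -> bytes:
    """Value the client signs in CertificateVerify: MD5 || SHA-1 (36 bytes) for RSA,
    SHA-1 only (20 bytes) for DSA."""
    sha = ssl3_handshake_hash("sha1", master_secret, handshake_messages)
    if sig_alg == "dsa":
        return sha
    if sig_alg == "rsa":
        return ssl3_handshake_hash("md5", master_secret, handshake_messages) + sha
    raise ValueError("unsupported signature algorithm: " + sig_alg)


def finished_body(master_secret: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """Body of the Finished message: MD5 hash (16 bytes) || SHA-1 hash (20 bytes).
    The record layer adds its own MAC and encrypts the message afterwards."""
    return (ssl3_handshake_hash("md5", master_secret, handshake_messages, sender)
            + ssl3_handshake_hash("sha1", master_secret, handshake_messages, sender))


def verify_finished(master_secret: bytes, handshake_messages: bytes, sender: bytes,
                    received: bytes) -> bool:
    """Receiver side: recompute over the transcript it saw and compare in constant time."""
    expected = finished_body(master_secret, handshake_messages, sender)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample values (not from a real handshake).
    master_secret = bytes(range(48))
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    client_fin = finished_body(master_secret, transcript, SENDER_CLIENT)
    print("client Finished:", client_fin.hex())
    # The server verifies over the same transcript; a tampered transcript fails.
    print("verify ok:", verify_finished(master_secret, transcript, SENDER_CLIENT, client_fin))
    print("verify tampered:",
          verify_finished(master_secret, transcript + b"X", SENDER_CLIENT, client_fin))
```

The sender constant is what stops a reflected Finished message (one party's value replayed back to it) from verifying, and the master secret inside both hash layers is what prevents an active attacker who rewrote the transcript from computing a matching value.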


SSL Handshake Protocol Messages

Figure: Copying pending states into current states. Each of the client and the server keeps a current read state, a current write state, a pending read state and a pending write state. When the client sends its ChangeCipherSpec message it copies its pending write state into its current write state, and on receiving that message the server copies its pending read state into its current read state; the server's ChangeCipherSpec message does the same in the other direction.


SSL Record Protocol

On the sending side, in order:
1. Application data
2. Fragmentation into fragments of at most 2^14 bytes
3. Compression (lossless; it may not increase the length by more than 1024 bytes)
4. Add MAC
5. Encryption
6. Add SSL header (content type, protocol version, length)

Received data are processed in reverse order.


Computing the MAC

The MAC is computed as follows:

    h(K || pad_2 || h(K || pad_1 || seq_number || type || length || fragment))

where:
- h is MD5 or SHA-1, with pad_1 and pad_2 as in the handshake (0x36 and 0x5c repeated 48 times for MD5, 40 times for SHA-1)
- K is the MAC write key of the sender
- seq_number is the 64-bit sequence number for this message; it starts at 0 for each new connection state and is never transmitted, so both peers keep their counters in sync, and a replayed or reordered record fails the MAC check
- type and length are the content type and the length of the (compressed) fragment


Encryption

- If a stream cipher is used (RC4), then no padding or IV are needed: the keystream simply continues from one record to the next
- If a block cipher is used (RC2, DES, 3DES, IDEA, Skipjack (FORTEZZA)), then padding up to a multiple of the block size is needed, as well as an IV for the CBC mode (in SSL v3.0 the initial IV comes from the key block and the last ciphertext block of each record serves as the IV of the next one)
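The record protocol pipeline (fragment, MAC, encrypt, header), the MAC formula and the stream cipher case from the last three slides, put together as an added Python example (not code from the slides or from any SSL library). RC4 is included only because SSL v3.0 used it and it is small enough to show why a stream cipher needs no padding or IV; it is broken and must not be used for anything else. The MAC and encryption keys are constructed sample values (in SSL they come from the key block), and only the null compression method is modelled.

```python
import hashlib
import hmac
import struct

PAD_LEN = {"md5": 48, "sha1": 40}   # SSL 3.0 pad lengths for the two MAC hashes
CT_APPLICATION_DATA = 23            # SSL record content type for application data
SSL3_VERSION = b"\x03\x00"
MAX_FRAGMENT = 2 ** 14              # fragmentation limit of the record protocol


class RC4:
    """Stateful RC4 keystream: the stream continues across records, so no padding
    and no IV are needed.  Educational use only; RC4 is broken."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        S, out = self.S, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


def ssl3_mac(mac_key: bytes, h: str, seq_number: int, content_type: int, fragment: bytes) -> bytes:
    """h(K || pad_2 || h(K || pad_1 || seq_number || type || length || fragment)) with a
    64-bit sequence number, 1-byte content type and 2-byte length of the fragment."""
    pad_1, pad_2 = b"\x36" * PAD_LEN[h], b"\x5c" * PAD_LEN[h]
    header = struct.pack("!QBH", seq_number, content_type, len(fragment))
    inner = hashlib.new(h, mac_key + pad_1 + header + fragment).digest()
    return hashlib.new(h, mac_key + pad_2 + inner).digest()


class RecordWriter:
    """Sending side: fragment -> (null) compression -> MAC -> encrypt -> SSL header."""

    def __init__(self, mac_key: bytes, enc_key: bytes, h: str = "sha1"):
        self.mac_key, self.h, self.cipher, self.seq = mac_key, h, RC4(enc_key), 0

    def send(self, fragment: bytes, content_type: int = CT_APPLICATION_DATA) -> bytes:
        if len(fragment) > MAX_FRAGMENT:
            raise ValueError("fragment too long; split it first")
        mac = ssl3_mac(self.mac_key, self.h, self.seq, content_type, fragment)
        self.seq += 1
        body = self.cipher.crypt(fragment + mac)       # MAC-then-encrypt
        return bytes([content_type]) + SSL3_VERSION + struct.pack("!H", len(body)) + body


class RecordReader:
    """Receiving side: parse header -> decrypt -> check MAC with its own sequence counter."""

    def __init__(self, mac_key: bytes, enc_key: bytes, h: str = "sha1"):
        self.mac_key, self.h, self.cipher, self.seq = mac_key, h, RC4(enc_key), 0
        self.mac_len = hashlib.new(h).digest_size

    def recv(self, record: bytes) -> bytes:
        content_type, version = record[0], record[1:3]
        length = struct.unpack("!H", record[3:5])[0]
        if version != SSL3_VERSION or len(record) != 5 + length:
            raise ValueError("malformed record")
        plain = self.cipher.crypt(record[5:])
        fragment, mac = plain[:-self.mac_len], plain[-self.mac_len:]
        expected = ssl3_mac(self.mac_key, self.h, self.seq, content_type, fragment)
        self.seq += 1
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")           # a fatal alert in real SSL
        return fragment


if __name__ == "__main__":
    # Constructed sample keys (in SSL they come from the key block).
    mac_key, enc_key = b"\xaa" * 20, b"\x55" * 16
    w, r = RecordWriter(mac_key, enc_key), RecordReader(mac_key, enc_key)
    rec = w.send(b"GET / HTTP/1.0\r\n\r\n")
    print("record:", rec.hex())
    print("received:", r.recv(rec))
```

Feeding a record to the reader out of order (or twice) fails twice over: the reader's keystream position no longer matches the writer's, and its sequence number no longer matches the one the MAC was computed over. Real SSL tears the connection down with a fatal alert at that point rather than trying to resynchronise.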


SSL Change Cipher Spec Protocol

- The SSL change cipher spec message consists of a single one-byte message with the value 1
- The purpose of the message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection
- It is a separate protocol (its own record content type) rather than a handshake message, so that the switch to the new keys takes effect before the Finished message is sent


SSL Alert Protocol

- Alert messages convey the severity of the message (warning or fatal) and the description of the alert
- An alert level of fatal leads to immediate termination of the connection, and the session may no longer be resumed
- Closure alerts (close_notify): notify the recipient that the sender will not send any more messages on this connection
- Error alerts: unexpected_message, bad_record_mac, decompression_failure, handshake_failure etc.


SSL Application Data Protocol

Allows the communicating peers to exchange application data

Takes application data and feeds it into the SSL record protocol


Transport Layer Security (TLS)

- When SSL was standardized by the IETF, it was renamed to TLS
- TLS has essentially the same structure as SSL
- TLS sessions and connections are as in SSL
- Session and connection states in TLS are basically the same
- Major changes relative to SSL v3.0 (introduced across the TLS versions):
  - generation of the master secret (new PRF)
  - use of HMAC
  - use of SHA-2
  - explicit use of the IV in CBC mode
  - new cipher suites (such as AES-based)


From SSL v3.0 to TLS v1.0

Some differences between SSL v3.0 and TLS v1.0 (RFC 2246):
- TLS v1.0 is very close to SSL v3.0 (its version number on the wire is 3.1) and includes a mechanism to back down to SSL v3.0, although the two do not interoperate directly
- Cipher suites: the 3 suites based on FORTEZZA are removed, and any TLS-compliant application MUST implement the suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- Generation of the master secret is based on a new PRF (described later)
- The MAC construction is replaced by HMAC (the MAC in SSL v3.0 is similar to the HMAC construction but not exactly the same: the key and the pads are simply concatenated, whereas HMAC XORs the key, padded to the hash block size, with the pads)


From TLS v1.0 to TLS v1.1

Some differences between TLS v1.0 and TLS v1.1 (RFC 4346):
- The implicit Initialization Vector (IV) is replaced with an explicit per-record IV, to protect against CBC attacks that exploit the predictable chained IV
- Padding errors are reported with the bad_record_mac alert instead of decryption_failed, also to protect against CBC attacks
- The cipher suites have been changed considerably


From TLS v1.1 to TLS v1.2

Some differences between TLS v1.1 and TLS v1.2 (RFC 5246):
- The combined use of MD5 and SHA-1 (in the PRF and in the signed handshake elements) is removed; SHA-256 is the default digest method
- A new, simpler but more secure, PRF (see the next slide)
- Several new cipher suites use SHA-256 (HMAC-SHA256)
- TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement cipher suite
- The IDEA and DES cipher suites are removed (they are now deprecated)
- Support for the SSL v2.0 backward-compatible hello is now a MAY instead of a SHOULD


TLS PRF v1.2

    P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                           HMAC_hash(secret, A(2) || seed) ||
                           HMAC_hash(secret, A(3) || seed) || ...

where

    A(0) = seed
    A(i) = HMAC_hash(secret, A(i - 1))   for all i > 0

and P_hash is iterated as many times as needed to produce the required amount of output (the last block is truncated). Then,

    PRF(secret, label, seed) = P_hash(secret, label || seed)

    master_secret = PRF(pre_master_secret, "master secret", N_C || N_S)   (48 bytes)
    key_block     = PRF(master_secret, "key expansion", N_S || N_C)

where N_C and N_S are the client and server random values, hash is SHA-256 unless the cipher suite specifies a stronger hash, and the seed of key_block has the server random first (RFC 5246, Section 6.3), the reverse of the order used for the master secret.
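The PRF above, carried through to the master secret and the key block, as an added Python example (not part of the slides and not a TLS library). The pre-master secret and the two random values are constructed sample inputs; the key block is split in the order and sizes of TLS_RSA_WITH_AES_128_CBC_SHA (20-byte HMAC-SHA1 keys, 16-byte AES keys, 16-byte IVs), which is the suite the previous slide names as mandatory.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), iterated until `length` bytes exist."""
    out, a = b"", seed                       # a holds A(i-1), starting from A(0) = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)           # A(i)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_hash(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", N_C || N_S), 48 bytes."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", N_S || N_C), split in RFC 5246 order.
    Note the seed order: server random first, the reverse of the master secret seed."""
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    total = sum(size for _, size in layout)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = kb[offset:offset + size]
        offset += size
    return keys


if __name__ == "__main__":
    # Constructed sample inputs: a 48-byte RSA-style pre-master secret and two 32-byte randoms.
    pms = b"\x03\x03" + bytes(46)
    n_c, n_s = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(pms, n_c, n_s)
    keys = key_block(ms, n_c, n_s, mac_len=20, key_len=16, iv_len=16)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
```

Swapping the two randoms in either derivation yields entirely different keys, which is the usual cause of "bad_record_mac" right after the handshake in a hand-written implementation: both peers agree on the master secret but one of them expands the key block with the randoms in the wrong order.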


From TLS v1.2 to TLS v1.3

Some differences between TLS v1.2 and TLS v1.3 (RFC 8446, Aug 2018):
- Removes obsolete algorithms and ciphers: the RC4 stream cipher, RSA key transport, the SHA-1 hash function, CBC mode ciphers, the MD5 algorithm, arbitrary (non-negotiated) Diffie-Hellman groups, EXPORT-strength ciphers, DES, 3DES
- Introduces a brand new handshake:
  - Removes the RSA key transport method and keeps only ephemeral (Elliptic Curve) Diffie-Hellman key exchange
  - A full TLS 1.2 handshake requires two round-trips before application data can be sent; TLS 1.3 needs only one
  - As a result, the handshake latency is roughly halved (the cost of encrypting application data afterwards is unchanged)


From TLS v1.2 to TLS v1.3

More differences between TLS v1.2 and TLS v1.3:
- Forward secrecy: protect the secrecy of past sessions so that a session stays secret going forward:
  - TLS 1.2 with RSA key transport: an adversary who later discovers the server's private key can decrypt earlier recorded traffic (TLS 1.2 only offers forward secrecy when a DHE/ECDHE cipher suite is negotiated)
  - TLS 1.3: always uses ephemeral Diffie-Hellman key exchange, which generates a one-time key that is used only for the current session; at the end of the session the key is discarded
- New feature that cuts down the connection setup time: Zero Round Trip Time Resumption (0-RTT). When a client re-visits a site within a short time, it may send application data in its first flight, protected with a key derived from the previous session, so the connection is almost instantaneous. Caveat: 0-RTT data is not forward secret and can be replayed by an attacker who records it, so servers must restrict it to idempotent requests (RFC 8446, Section 8)


SSL and TLS Applications

- HTTPS (HTTP + SSL/TLS + TCP)
- FTPS: File Transfer Protocol with TLS
- Software update programs: in more recent versions of Windows, Windows Update is a custom app secured by TLS. Many other online software update programs, such as the getPlus program used by Adobe, use TLS connections for security
- Client security with TLS/SSL: client side certificates can be used with TLS to prove the identity of the client to the server, and vice-versa. This is called "two-way TLS" (mutual TLS) and requires that the client and server both provide certificates to each other
- Server-to-server security with TLS: many server-to-server connections offer TLS as an option
- Google Chrome has included TLS 1.3 since Oct 2018, and Google Cloud since June 2020

Security of TLS in the Standard Model

Aim: security of TLS considering the unmodified handshake, in a model without idealized assumptions (such as random oracles)

- T. Jager, F. Kohlar, S. Schäge, J. Schwenk: On the security of TLS-DHE in the standard model, CRYPTO 2012
- F. Kohlar, S. Schäge, J. Schwenk: On the security of TLS-DH and TLS-RSA in the standard model, IACR Cryptology ePrint Archive, 2013
- F. Giesen, F. Kohlar, D. Stebila: On the security of TLS renegotiation, ACM Conference on Computer and Communications Security 2013



Domain Name System Security Extensions (DNSsec)

Ferucio Laurenţiu Ţiplea

Department of Computer Science


“AL.I.Cuza” University of Iaşi
Iaşi, Romania

January 6, 2021

F.L. Tiplea (UAIC) Information Security January 6, 2021 1 / 29


Outline

1 Short introduction to DNS

2 What is DNSsec?

3 DNSsec specific elements

4 Zone signing

5 Resolving and authenticated DNS response


Domain Name System

1. Internet domain = collection of data describing a self-contained administrative and technical unit on the Internet
2. An Internet domain can comprise computer addresses, services (such as e-mail or FTP), resources (such as hypertext documents), and more
3. Domain name = identification string for a domain
4. Domain Name System (DNS) = hierarchical and decentralized naming system for Internet domains
5. DNS is the "phone-book" of the Internet


Domain Name System

1. DNS was proposed in the early 1980s by Paul V. Mockapetris
2. The original DNS specifications were published in 1983 in RFC 882 and RFC 883
3. DNS became an Internet Standard with RFC 1034 and RFC 1035 (November 1987), which obsoleted RFC 882 and RFC 883


DNS domain name space

Figure: the DNS name tree. The root is at the top; below it are the Top Level Domains (TLD) such as com, edu, org, ...; below them the 2nd level domains (e.g., mit); then subdomains (e.g., admin and cs under mit) and further subdomains (e.g., sw, hw and net under cs).


Zones of authority

1. The DNS name space is comprised logically of domain names but physically of zones
2. Zones are obtained by making cuts between adjacent nodes of the DNS name tree to create groups of contiguous nodes in the tree
3. Each group is called a zone of authority
4. Each zone is usually identified by the domain name of the highest level node in the zone (the zone apex)
5. The zones are non-overlapping
6. Every zone is served by authoritative name servers, usually one primary (master) and one or more secondaries (slaves) that copy the zone data from the primary
7. A name server may be authoritative for more than one zone


Zones of authority

Figure: zones of authority in the DNS name tree (root; com, edu, org; mit; admin, cs; sw, hw, net). A zone of authority managed by one name server contains, e.g., mit together with its subdomains admin and cs; the edges that cross zone boundaries are delegations between authority zones, e.g., from the zone containing cs to the zones holding sw, hw and net.


Resource Records (RR)

1. Each node in the DNS name tree has associated a number of records, usually called resource records (RR), depending on the node type
2. The RRs are added, changed, or deleted when DNS information changes (this is done by administrators)
3. The set of all RRs gives rise to a distributed database that is structured in a hierarchy comparable to the hierarchy of authorities


RR format

Wire format of a resource record (rows are 32 bits wide):

    0                16               32
    |          Name (variable)         |
    |     Type        |     Class      |
    |               TTL                |
    | RData length    |                |
    |         RData (variable)         |

- Name = object, domain or zone name (each label is limited to 63 octets and the whole name to 255 octets)
- Type = type of resource record (SOA, NS, A, MX ...)
- Class = class of resource record (mostly IN, for Internet)
- TTL = time to live (in seconds) = how long a record may be cached
- RData length = length of the RData field, in octets
- RData = resource data (its format depends on Type)

Some DNS RRs

1. A = Address
   - Contains a 32-bit IPv4 address (the IP address of the node, stored for the resolution process; the AAAA type holds a 128-bit IPv6 address)
2. SOA = Start Of Authority
   - Every zone has exactly one SOA RR, present at the beginning of the zone
   - It holds information about the zone itself (primary server, serial number, refresh/retry/expire timers) and about other records
3. NS = Name Server
   - Specifies the name of a DNS name server that is authoritative for the zone
   - Each zone must have at least one NS RR that points to its primary name server, and that name must also have a valid A RR
4. MX = Mail eXchanger
   - Specifies the location (device name) that is responsible for handling e-mail sent to the domain, and that location must have a valid A RR


DNS resolution

1. Most typical types of resolution
   1. (Standard) name resolution (name → address)
   2. Reverse name resolution (address → name, via the in-addr.arpa and ip6.arpa trees)
   3. E-mail resolution (domain →  mail exchanger, via MX records)
2. DNS name resolution techniques
   1. Iterative resolution (the queried server answers with a referral to a name server closer to the answer)
   2. Recursive resolution (the queried server resolves the name on the client's behalf)


DNS vulnerabilities

S. Bellovin: Using the Domain Name System for System Break-ins, Proceedings of the Fifth USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995

Author's note: "... this paper has been withheld by the author for over four years ... because it described a serious vulnerability for which there was no feasible fix. The only choice would have been to give up entirely on name based authentication, a choice the industry was not able to make in 1990."

Classic attacks on plain DNS:
- DNS snooping (learning what a resolver has cached)
- DNS ID hacking (guessing the 16-bit transaction ID in order to forge a response)
- DNS cache poisoning (injecting forged records into a resolver's cache)


What is DNSsec?

1. After Bellovin's paper, securing DNS became a fundamental issue
2. The DNSsec standards are RFC 4033, 4034, 4035 (2005)

DNSsec is an extension of DNS that adds:
- Data origin authentication: allows a resolver to cryptographically verify that the data it has received actually came from the zone where it believes the data originated
- Data integrity protection: allows the resolver to know that the data has not been modified in transit since it was originally signed by the zone owner with the zone's private key
- Authenticated denial of existence (via NSEC/NSEC3) is the third service; DNSsec provides no confidentiality, queries and answers remain in clear


New RR types

DNSsec uses four new types of RRs:
- RRSIG: stores a digital signature over an RRset
- DNSKEY: stores a public key for digital signature verification
- NSEC (NSEC3): used to prove that a name or an RR type really does not exist (authenticated denial of existence)
- DS: stores a hash value of a verification public key (a child zone's DNSKEY), published in the parent zone


DNSsec signature algorithms (RFC 8624)

    Number  Mnemonic               Signing           Validation
    1       RSAMD5                 MUST NOT          MUST NOT
    3       DSA                    MUST NOT          MUST NOT
    5       RSASHA1                NOT RECOMMENDED   MUST
    6       DSA-NSEC3-SHA1         MUST NOT          MUST NOT
    7       RSASHA1-NSEC3-SHA1     NOT RECOMMENDED   MUST
    8       RSASHA256              MUST              MUST
    10      RSASHA512              NOT RECOMMENDED   MUST
    12      ECC-GOST               MUST NOT          MAY
    13      ECDSAP256SHA256        MUST              MUST
    14      ECDSAP384SHA384        MAY               RECOMMENDED
    15      ED25519                RECOMMENDED       RECOMMENDED
    16      ED448                  MAY               RECOMMENDED

A combination like "NOT RECOMMENDED – MUST" means that validators must implement the algorithm in order to validate (or reject) existing RRSIGs, but it is not recommended to use it to sign new RRsets.


DNSsec digest algorithms (RFC 8624)

    Number  Mnemonic           Signing     Validation
    1       SHA-1              MUST NOT    MUST
    2       SHA-256            MUST        MUST
    3       GOST R 34.11-94    MUST NOT    MAY
    4       SHA-384            MAY         RECOMMENDED

Remarks:
1. SHA-256 is widely used and considered strong
2. GOST R 34.11-94 has been superseded by GOST R 34.11-2012 in RFC 6986. GOST R 34.11-2012 has not been standardized for use in DNSsec


Canonical ordering of DNS names (RFC 4034)

For the purposes of DNSsec:
1. Owner names are ordered by treating individual labels as unsigned left-justified octet strings
2. The absence of an octet sorts before a zero-value octet
3. Uppercase US-ASCII letters are treated as lowercase
4. Start by sorting the names according to their rightmost (most significant) labels
5. For names in which the most significant label is identical, continue sorting according to their next most significant label, and so forth

Example (RFC 4034, Section 6.1): the following names are listed in canonical order

    example
    a.example
    yljkjljk.a.example
    Z.a.example
    zABC.a.EXAMPLE
    z.example
    \001.z.example
    *.z.example
    \200.z.example


Canonical RR ordering in an RRset (RFC 4034)

For the purposes of DNSsec:
1. RRs with the same owner name, class, and type are sorted by treating the RDATA portion of the canonical form of each RR as a left-justified unsigned octet sequence in which the absence of an octet sorts before a zero octet
2. If a DNSsec implementation detects duplicate RRs when putting the RRset in canonical form, it must treat this as a protocol error or remove all but one of the duplicate RR(s) for the purposes of calculating the canonical form of the RRset

This ordering matters because the signature in an RRSIG is computed over the RRset in canonical form, so signer and validator must serialize the RRset identically.


RData for DNSKEY

    0              16      24       32
    |    Flags      |Protocol|Algorithm|
    |        Public key (variable)     |

- Flags: if bit 7 (the Zone Key flag, value 0x0100) is set, the DNSKEY record holds a DNS zone key; otherwise it holds some other type of DNS public key. Bit 15 (value 0x0001) is the Secure Entry Point (SEP) flag, conventionally set on key-signing keys
- Protocol: must have value 3; otherwise, the DNSKEY RR is treated as invalid during signature verification
- Algorithm: identifies the public key's cryptographic algorithm (e.g., 5 stands for RSA/SHA-1, 8 for RSA/SHA-256, 13 for ECDSA P-256/SHA-256)
- Public key: holds the public key material (its encoding depends on the algorithm)


RData for RRSIG

    0              16      24       32
    | Type covered  |Algorithm| Labels |
    |          Original TTL            |
    |       Signature expiration       |
    |       Signature inception        |
    |   Key tag     |  Signer's name ..|
    |        Signature (variable)      |

- Type covered = the RR type of the RRset covered by this signature
- Algorithm = the algorithm number of the signing key (must match the DNSKEY)
- Labels = the number of labels in the original owner name (used to detect wildcard expansion)
- Original TTL = the TTL of the covered RRset as it appears in the zone
- Signature expiration/inception = validity period of the signature (seconds since the epoch, compared with serial number arithmetic)
- Key tag = the key tag value of the DNSKEY RR that validates this signature (see RFC 4034, Appendix B)
- Signer's name = must contain the name of the zone of the covered RRset (variable length)
- Signature = the signature over the RRSIG RDATA (excluding the Signature field) followed by the covered RRset in canonical form

RData for NSEC

    0                                32
    |    Next domain name (variable)   |
    |    Type bit maps (variable)      |

- Next domain name = the next owner name (in the canonical ordering of the zone) that has authoritative data or contains a delegation point NS RRset; the last NSEC of the zone points back to the zone apex, closing the chain
- Type bit maps = identifies the RRset types that exist at the NSEC RR's owner name
- A signed NSEC whose owner name sorts before a queried name and whose next domain name sorts after it proves that the queried name does not exist; the type bit maps prove that a type does not exist at an existing name. Since NSEC lists real owner names, the chain can be walked to enumerate the zone; NSEC3 uses hashed owner names to make this harder


RData for DS

    0              16      24         32
    |   Key tag     |Algorithm|Digest type|
    |          Digest (variable)          |

- Key tag = the key tag of some DNSKEY RR. It is identical to the key tag used by all RRSIG RRs that sign with the same key
- Algorithm = the algorithm number of some DNSKEY RR. It is identical to the algorithm number used by all RRSIG RRs that sign with the same key
- Digest type = identifies the algorithm used to construct the digest (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
- Digest = digest of that DNSKEY RR, computed over the DNSKEY owner name (in canonical wire form) followed by the DNSKEY RDATA
- The DS RR lives in the parent zone and is signed with the parent's key, so it links the parent's chain of trust to the child's DNSKEY
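The DNSKEY RDATA, the key tag shared by RRSIG and DS, and the DS digest over "owner name || DNSKEY RDATA", as an added Python example (not part of the slides and not code from any DNS software). The key material is constructed, not a real key; the flag bits, key tag algorithm and digest construction are the ones of RFC 4034.

```python
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100   # bit 7 of the Flags field
SEP_FLAG = 0x0001        # bit 15 of the Flags field (Secure Entry Point)
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, then the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            octets = label.lower().encode("ascii")
            if len(octets) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(octets)]) + octets
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA = Flags (16) | Protocol (8) | Algorithm (8) | Public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def dnskey_is_valid_zone_key(rdata: bytes) -> bool:
    """Protocol must be 3 and the Zone Key flag set for the key to be usable in validation."""
    flags, protocol, _ = struct.unpack("!HBB", rdata[:4])
    return protocol == 3 and bool(flags & ZONE_KEY_FLAG)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the DNSKEY RDATA.  Not a security property,
    only a hint for selecting candidate keys when validating an RRSIG or matching a DS."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA = Key tag (16) | Algorithm (8) | Digest type (8) | Digest,
    where Digest = digest_alg(canonical owner name || DNSKEY RDATA)."""
    _, _, algorithm = struct.unpack("!HBB", dnskey[:4])
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), algorithm, digest_type) + digest


def ds_matches_dnskey(ds: bytes, owner: str, dnskey: bytes) -> bool:
    """A parent-side DS links to a child DNSKEY iff key tag, algorithm and digest all agree."""
    _, _, digest_type = struct.unpack("!HBB", ds[:4])
    if digest_type not in DIGEST_ALGORITHMS:
        return False
    return hmac.compare_digest(ds, ds_rdata(owner, dnskey, digest_type))


if __name__ == "__main__":
    # Constructed key material (not a real key): a KSK-style DNSKEY with Zone Key + SEP flags.
    ksk = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 13, bytes(range(64)))
    ds = ds_rdata("child.example.", ksk)
    print("key tag:", key_tag(ksk))
    print("DS RDATA:", ds.hex())
    print("matches:", ds_matches_dnskey(ds, "child.example.", ksk))
```

Because the owner name is part of the digest input, a DS published for child.example cannot be reused to vouch for the same key under another name, and because the comparison covers the whole DS RDATA a validator never accepts a key on the strength of a matching key tag alone.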


Signed zone

To sign a zone means to include DNSKEY RRs, RRSIG RRs, NSEC RRs, and optionally DS RRs in that zone, according to the following rules:
- The zone's administrator generates one or more (public, private) key pairs and uses the private keys to sign the authoritative RRsets. For each private key used to create RRSIG RRs, a corresponding DNSKEY should be included in the zone
- Each owner name in the zone that has authoritative data or a delegation point NS RRset must have an NSEC RR
- A DS RRset should be included at a delegation point when the child zone is signed. DS RRs establish authentication chains between zones
- At a delegation point only the DS and NSEC RRsets are authoritative in the parent and get signed there; the delegating NS RRset and the glue A/AAAA records are not signed by the parent (the NS RRset at the zone apex, by contrast, must be signed)


Resolving and authenticated DNS response

In class, by means of examples:
- DNSsec_Example1.pdf – for zone signing
- DNSsec_Example2.pdf – for resolving and responses
