Abstract
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but, when combined with any MAC function under the authenticate-then-encrypt method, yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH.
On the positive side, we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (one that xors the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
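As an added illustration (not code from the paper), the following constructs one instance of the negative result above: a redundant bit encoding under a one-time pad is perfectly secret on its own, yet under authenticate-then-encrypt with HMAC-SHA256 the receiver's accept/reject decision leaks every plaintext bit to an active attacker, while the same tampering is rejected outright under encrypt-then-authenticate. The encoding (0 as 00, 1 as 01 or 10, with 11 invalid) and the sample key, pad and message are constructed for this example and need not match the paper's exact construction.

```python
import hmac, hashlib, secrets

def to_bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def encode(bits):  # constructed redundant encoding: 0 -> 00, 1 -> 01 or 10 (random); 11 is never produced
    return [x for b in bits for x in ([0, 0] if b == 0 else [[0, 1], [1, 0]][secrets.randbits(1)])]

def decode(enc):  # 00 -> 0, 01/10 -> 1, 11 -> invalid codeword (None): the receiver rejects
    pairs = [(enc[i], enc[i + 1]) for i in range(0, len(enc), 2)]
    return None if (1, 1) in pairs else [a ^ b for a, b in pairs]

def otp(bits, pad):  # one-time pad over the encoded bits: perfectly secret on its own
    return [b ^ p for b, p in zip(bits, pad)]

def tag(key, bits):  # any secure MAC will do; HMAC-SHA256 here, returned as 256 bits
    return to_bits(hmac.new(key, bytes(bits), hashlib.sha256).digest())

def ate_send(key, pad, msg):  # authenticate-then-encrypt (the SSL order): Enc(msg || MAC(msg))
    m = to_bits(msg)
    return otp(encode(m + tag(key, m)), pad)

def ate_accepts(key, pad, ct):  # the receiver's accept/reject decision, visible to the attacker
    dec = decode(otp(ct, pad))
    return dec is not None and hmac.compare_digest(bytes(dec[-256:]), bytes(tag(key, dec[:-256])))

def eta_send(key, pad, msg):  # encrypt-then-authenticate: ct || MAC(ct)
    ct = otp(encode(to_bits(msg)), pad)
    return ct + tag(key, ct)

def eta_accepts(key, pad, ct):  # the MAC over the ciphertext is checked before anything is decrypted
    ct, t = ct[:-256], ct[-256:]
    return hmac.compare_digest(bytes(t), bytes(tag(key, ct))) and decode(otp(ct, pad)) is not None

def oracle_recover(ct, accepts, nbits):
    # Flip both ciphertext bits of pair i: 01<->10 leaves a 1 intact (MAC still verifies, accepted),
    # while 00 turns into the invalid 11 (rejected). The receiver's decision reveals the bit.
    out = []
    for i in range(nbits):
        t = list(ct)
        t[2 * i] ^= 1
        t[2 * i + 1] ^= 1
        out.append(1 if accepts(t) else 0)
    return out

def leak(msg, send, accepts):  # bits an active attacker learns from the receiver for a given composition
    key = secrets.token_bytes(32)
    pad = [secrets.randbits(1) for _ in range(2 * (8 * len(msg) + 256))]
    ct = send(key, pad, msg)
    return oracle_recover(ct, lambda c: accepts(key, pad, c), 8 * len(msg))
```

`leak(b"hunter2", ate_send, ate_accepts)` returns the plaintext bits of the message, whereas `leak(b"hunter2", eta_send, eta_accepts)` returns only zeros because every tampered ciphertext fails the MAC check.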
A full version of this paper can be found in [21].
References
[1] J. An and M. Bellare, “Does encryption with redundancy provide authenticity?”, Advances in Cryptology-EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science Vol. 2045, B. Pfitzmann, ed., Springer-Verlag, 2001.
[2] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, “A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation”, Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.
[3] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations Among Notions of Security for Public-Key Encryption Schemes”, Advances in Cryptology-CRYPTO’98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk, ed., Springer-Verlag, 1998, pp. 26–45.
[4] M. Bellare, J. Kilian, and P. Rogaway, “The security of cipher block chaining”, Advances in Cryptology-CRYPTO’94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt, ed., Springer-Verlag, 1994, pp. 341–358.
[5] M. Bellare and C. Namprempre, “Authenticated encryption: Relations among notions and analysis of the generic composition paradigm”, Advances in Cryptology-ASIACRYPT’00 Proceedings, Lecture Notes in Computer Science Vol. 1976, T. Okamoto, ed., Springer-Verlag, 2000.
[6] J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway, “UMAC: Fast and Secure Message Authentication”, Advances in Cryptology-CRYPTO’99 Proceedings, Lecture Notes in Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999, pp. 216–233.
[7] D. Bleichenbacher, “Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1”, Advances in Cryptology-CRYPTO’98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk, ed., Springer-Verlag, 1998, pp. 1–12.
[8] R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, Advances in Cryptology-EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science Vol. 2045, B. Pfitzmann, ed., Springer-Verlag, 2001, pp. 453–474. Full version in: Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2001/040.
[9] T. Dierks and C. Allen, “The TLS Protocol-Version 1”, Request for Comments 2246, 1999.
[10] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptography”, Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, pp. 542–552, 1991.
[11] A. Frier, P. Karlton, and P. Kocher, “The SSL 3.0 Protocol”, Netscape Communications Corp., Nov 18, 1996. http://home.netscape.com/eng/ssl3/ssl-toc.html
[12] O. Goldreich, “Foundations of Cryptography (Fragments of a book)”, Weizmann Inst. of Science, 1995. http://www.wisdom.weizmann.ac.il/oded/frag.html
[13] S. Goldwasser and S. Micali, “Probabilistic Encryption”, Journal of Computer and System Sciences, Vol. 28, 1984, pp. 270–299.
[14] S. Halevi and H. Krawczyk, “Public-Key Cryptography and Password Protocols”, ACM Transactions on Information and System Security, Vol. 2, No. 3, August 1999, pp. 230–268.
[15] C. Jutla, “Encryption Modes with Almost Free Message Integrity”, Advances in Cryptology-EUROCRYPT 2001 Proceedings, Lecture Notes in Computer Science Vol. 2045, B. Pfitzmann, ed., Springer-Verlag, 2001.
[16] J. Katz and M. Yung, “Unforgeable encryption and adaptively secure modes of operations”, Fast Software Encryption’00, 2000.
[17] J. Katz and M. Yung, “Complete characterization of security notions for probabilistic private-key encryption”, Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, 2000.
[18] S. Kent and R. Atkinson, “Security Architecture for the Internet Protocol”, Request for Comments 2401, Nov. 1998.
[19] S. Kent and R. Atkinson, “IP Encapsulating Security Payload (ESP)”, Request for Comments 2406, Nov. 1998.
[20] H. Krawczyk, “LFSR-based Hashing and Authentication”, Advances in Cryptology-CRYPTO’94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt, ed., Springer-Verlag, 1994, pp. 129–139.
[21] H. Krawczyk, “The order of encryption and authentication for protecting communications (Or: how secure is SSL?)”. Full version: http://eprint.iacr.org/2001.
[22] M. Luby and C. Rackoff, “How to construct pseudorandom permutations from pseudorandom functions”, SIAM J. on Computing, Vol. 17, No. 2, April 1988, pp. 373–386.
[23] M. Naor and M. Yung, “Public key cryptosystems provably secure against chosen ciphertext attacks”, Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, 1990.
[24] C. Rackoff and D. Simon, “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack”, Advances in Cryptology-CRYPTO’91 Proceedings, Lecture Notes in Computer Science Vol. 576, J. Feigenbaum, ed., Springer-Verlag.
[25] P. Rogaway, “Bucket Hashing and its application to Fast Message Authentication”, Advances in Cryptology-CRYPTO’95 Proceedings, Lecture Notes in Computer Science Vol. 963, D. Coppersmith, ed., Springer-Verlag, 1995, pp. 15–25.
[26] P. Rogaway, M. Bellare, J. Black, and T. Krovetz, “OCB Mode”, Cryptology ePrint Archive, Report 2001/026.
[27] T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, “SSH Transport Layer Protocol”, January 2001, draft-ietf-secsh-transport-09.txt.
© 2001 Springer-Verlag Berlin Heidelberg
Krawczyk, H. (2001). The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In: Kilian, J. (eds) Advances in Cryptology — CRYPTO 2001. CRYPTO 2001. Lecture Notes in Computer Science, vol 2139. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44647-8_19
DOI: https://doi.org/10.1007/3-540-44647-8_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42456-7
Online ISBN: 978-3-540-44647-7