Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Bradley A. Baker
B.S. University of Colorado, 2003
A Project
Submitted to the Graduate School Faculty of the
University of Colorado at Colorado Springs
In Partial Fulfillment of the Requirements
For the Degree of Master of Engineering in Information Assurance
Department of Computer Science
Fall 2009
________________________________________________________________
Dr. C. Edward Chow Date
________________________________________________________________
Dr. Jugal Kalita Date
________________________________________________________________
Dr. Terrance Boult Date
ii
Abstract
iii
cannot be found. The design of bucket decomposition makes the
exhaustive search process feasible for large numbers. The key
transformation process supports tamper detection and improves
security.
iv
Contents
1. Introduction....................................................................................................1
1.1. Motivation................................................................................................1
3. Design...........................................................................................................11
3.6. Encryption..............................................................................................16
3.6. Decryption..............................................................................................17
4. Security Analysis..........................................................................................19
5. Implementation............................................................................................23
5.1. Overview................................................................................................23
v
6. Testing..........................................................................................................25
7. Conclusion....................................................................................................33
8. References....................................................................................................34
Appendixes.......................................................................................................36
vi
List of Tables and Figures
vii
1. Introduction
1.1. Motivation
1
used for encryption and confidentiality. One exception is presented in
[1], which investigates HMAC as an encryption function.
The encryption scheme used for this project offers tamper
detection and confidentiality directly in the encrypted data field
rather than externally or at the system level. Cryptography provides
several standard algorithms that support confidentiality and integrity
in the encrypted data field, including symmetric and asymmetric
encryption algorithms for confidentiality and hash digest or signature
algorithms for integrity. Combining these solutions can require
detailed processing by the end user, and may not be ideal for all
problem domains. Objectives for this projects encryption scheme
include making it simpler to implement both confidentiality and
integrity in a database, improving the efficiency of the encryption
operation over standard solutions, and researching the application of
keyed-HMAC for encryption and key generation.
5
Figure 1 - Overview of the HTEE scheme
6
- fwWe6MNL5WC9gRgCfVbUsuFLeX8IfwKbnkWmlKhj5Tx2Ods+VkmKS73AeFt0EsXy+zmfWEsyO
EaKSx/oYMSmRA==
The key transformation process modifies the original secret key four
times, once for each row and bucket value. The resulting transformed
keys, encoded in base64 format are:
- Row1, Bucket1:
37XFNopRtR5CBZ2trzq3yyHKe0bqevw6k0L59kZdocX2nPSUiZXq1kRghWjxicZJat
OZCXTcsX6L2vbJVrEI8Q==
- Row1, Bucket2:
BcQsceAX2IAR+ubPe1hUQ3HfQ6/ftcU2ilG1HkIFna2vOrfLIcp7Rup6/DqTQvn2Rl
2hxfac9JSJlerWRGCFaA==
- Row2, Bucket1:
qi5K5JmBNRfOuPf8qQvgPVVZ5nHZjlgoDb8un4GS/NxFhbRNdnE5B80kPe3rpqIvHR
DzdZsiEmpk+2Ozcb5yXg==
- Row2, Bucket2:
ylT5vKaGkdc1XMtW0z+HOb1Td2eqLkrkmYE1F8649/ypC+A9VVnmcdmOWCgNvy6fgZ
L83EWFtE12cTkHzSQ97Q==
The bucket1 and bucket2 values from each row are processed through
HMAC with their respective keys to generate two digests, which are
combined to form the final ciphertext. The digest values and
ciphertext, encoded in base64 are:
- Row1, Bucket1: MK5HUyCX1PyFGoVBKh1j16c8/lA=
- Row1, Bucket2: glAcZZmbDL8xRGwg23QBa5/mYuA=
- Row1 ciphertext: MK5HUyCX1PyFGoVBKh1j16c8/lA=glAcZZmbDL8xRGwg23QBa5/mYuA=
- Row2, Bucket1: Ziuytd9t8Vn1h5ldqZjv57sTe2k=
- Row2, Bucket2: uk/ACtScX2oxJUPyEPdPWSPCXQk=
- Row2 ciphertext: Ziuytd9t8Vn1h5ldqZjv57sTe2k=uk/ACtScX2oxJUPyEPdPWSPCXQk=
For this example, the following pairs represent the final plaintext and
ciphertext data:
- Row1: ID = 1000; DATA = 123456;
CIPHER = MK5HUyCX1PyFGoVBKh1j16c8/lA=glAcZZmbDL8xRGwg23QBa5/mYuA=
- Row2: ID = 1001; DATA = 654321;
CIPHER = Ziuytd9t8Vn1h5ldqZjv57sTe2k=uk/ACtScX2oxJUPyEPdPWSPCXQk=
7
ciphertext, or if the primary keys are switched, then the decryption
process will not find a match and the tamper is detected.
HMAC [3, 12, 13] is a process that uses a secret key and a hash
algorithm such as MD5 or SHA-1 to generate a message
authentication code, also referred to as a digest. This authentication
code securely provides data integrity and authenticity because the
secret key is required to reproduce the code. Digests for normal hash
functions can be reproduced with no such constraint. This process is
symmetric, so two parties communicating with HMAC must share the
same secret key. By using a hash algorithm in conjunction with a key,
the HMAC function prevents an unauthorized user from modifying the
message or the digest without being detected. This can protect
against man-in-the-middle attacks on the message, but it is not
designed to encrypt the message itself; only protect it from
unauthorized update. The HMAC function was published in [3], which
includes analysis and a proof of the functions security, and it is
standardized in FIPS PUB 198 [12]. HMAC is defined as a function
that takes a key and a plaintext message as input and produces a
binary authentication code, or digest, output. Any hash algorithm can
be used including MD5, SHA-1, SHA-256, Whirlpool, etc.
The HMAC algorithm defines two padding constants, the inner
pad and the outer pad. The inner and outer pads have values
(0x3636) and (0x5c5c) respectively, each expanded to the block
size of the hash algorithm. The secret key is a set of random bytes
equal to the length of the block size. Smaller keys can be used, but
will decrease security [3]. To calculate the HMAC digest, first the
exclusive-or of the key and the input pad is found. This result is
appended to the beginning of the message to be processed. The result
is then hashed with the chosen hash algorithm, producing an
intermediate digest. In the next step, the exclusive-or of the key and
the output pad is found, and that result is appended to the beginning
of the intermediate digest. The result is hashed again, producing the
8
final message authentication code. The combination of the inner pad
and outer pad with the secret key effectively generates two different
keys, which adds additional security. This operation is summarized in
Figure 2, where { } denotes exclusive-or, {++} denotes
concatenation, {K} is the secret key, {m} is the message, and {H} is
the cryptographic hash function [13].
9
The HTEE encryption scheme developed, researched and
implemented for this project is based on a scheme presented in [1],
and provides several improvements over that method. A detailed
analysis and discussion of this original scheme is available in [2]. The
original scheme [1] uses integer decomposition, HMAC for encryption,
and decryption via exhaustive search, all concepts that the HTEE
scheme is based on. A summary of the original HMAC encryption
schemes process is shown graphically in Figure 3. There are several
differences between the original scheme and HTEE. For example, the
original scheme uses only two buckets for all plaintext values, and
encryption is achieved with recursive HMAC iterated up to the bucket
value. Also the original scheme does not combine related data with
the plaintext data, so it cannot be used for tamper detection.
10
remainder is 5,321 and the bucket ID is 24. The bucket ID and the
remainder are encrypted separately in the next phase. The selection
of bucket size is an important factor this encryption scheme, as
efficiency and validity are affected if the bucket size is incorrect for
the problem domain. The bucket size also controls the largest
plaintext integer value that can be processed. In addition to the
bucket size, the maximum bucket ID {Mb} is defined, and in most
cases the values are equivalent, {Sb = Mb}. The maximum plaintext
value that can be processed with this scheme is equal to {Sb * Mb}. So
in the case of a bucket size of 20,000 and maximum bucket ID of
20,000, the scheme can process values up to 4x108. The limitation of
maximum bucket ID is required for the correct operation of the
decryption function. The maximum bucket ID and bucket size can be
determined from domain knowledge or the data type being encrypted.
Typically a value of the square root of the maximum plaintext value is
used for maximum bucket ID and bucket size.
After decomposition into the remainder and bucket ID, the
values are encrypted. Inputs into encryption include a secret key, a
seed value, the plaintext bucket ID and the remainder. Keyed HMAC is
used recursively to encrypt the bucket ID and remainder
independently. The encrypted bucket ID is found by calculating the
HMAC function repeatedly N times, where N is equal to the bucket ID.
On the first iteration, the secret key and a predefined seed value are
used as input into the HMAC operation. For successive iterations, the
output of the previous HMAC is used as input into the next iteration
along with the secret key. This is repeated until bucket ID iterations
are completed. For example, in the case of bucket ID equal to 24,
HMAC will be executed recursively 24 times, using a predefined seed
value for the initial message. The result is labeled {T(Ib)K},
designating the transformation on bucket ID {Ib} using key {K}. In
this way, the bucket ID is not directly encrypted, but the execution of
recursive HMAC is based on the value of the bucket ID.
The encrypted value for the remainder is found in a similar
operation, differing only in the secret key that is used. Each plaintext
decomposition operation forms a related bucket ID and remainder
pair. When encrypting the remainder value, the corresponding bucket
ID is appended to the beginning of the secret key to form a new key.
11
After finding the new key, the recursive HMAC operation is the same.
Beginning with the seed, the digest is calculated N times where N is
equal to the value of the remainder. This result is labeled {T(r)Ib||K},
designating the transformation on remainder {r} using the composite
key {Ib||K}. As an example of this scheme, consider the encryption of
integer 336,789 with a bucket size of 1,000. The bucket ID is 336 and
the remainder is 789. If using the SHA-1 hash algorithm, a key of
999, and a seed value of test, HMAC will be executed recursively
336 times for the bucket ID, and 789 times for the remainder. Both
recursions use test as the initial HMAC message, but the bucket ID
uses key {K} = 999 and the residual uses key {Ib||K} = 336999. The
resulting encrypted values, encoded in base64 format are {T(Ib)k} =
2CI0b3pNB8KbiCIUbKkOd2ciRAc= and {T(r)Ib||k} =
PynDpvSFSSUZCqk3yVY8J2g3Ks4=. Note that the output in this situation is
two 28 character base64 encoded strings, which is a result of the 160
bit digest output of the SHA-1 hash used with HMAC in this example.
To decrypt, or reproduce the plaintext from the ciphertext an
inverse transformation is defined. Because the algorithm uses a hash
as the basis of its encryption a direct inverse cannot be calculated.
The inverse transformation must search through potential bucket ID
and remainder values. The inverse transformation uses the set of
possible bucket IDs as a range for the search process, hence the
requirement to define the maximum bucket ID {Mb}. The first step for
the decryption transformation is finding the bucket ID of the
ciphertext data. This operation will reproduce the value of {Ib} from
ciphertext {T(Ib)K}. The same seed and key value from encryption are
used in the HMAC operation, and this operation is executed N times,
where N is the number of possible buckets in the domain. For
example, if using a bucket size of 2,000 in a domain where the
maximum data value is 1,000,000, there are 500 possible bucket
values and HMAC is executed 500 times. In this way the upper limit of
allowable data values must be known in order to provide a limit to the
HMAC search loop. While the N iterations of HMAC are calculated,
the input for each calculation is based on the output of the previous
iteration. Each time, the resulting value is compared against all
encrypted bucket IDs for a match. If a match is found, the bucket ID
plaintext is equal to the number of loops executed in the search.
12
Once a bucket ID is found, a similar search is made for the
remainder value. Again, a new key is constructed by appending the
decrypted bucket ID to the beginning of the secret key, and HMAC is
calculated N times, where N is equal to the bucket size. The bucket
size defines all possible remainder values. Once a match is found
between the HMAC output and the encrypted remainder value, the
plaintext remainder is equal to the number of loops executed in the
search. After finding the plaintext bucket ID and remainder values,
the modulus decomposition is reversed to generate the original
plaintext from the decrypted bucket ID and remainder. The plaintext
value {m} is found using {m = Ib * Sb + r}, where {Ib} is the
decrypted bucket ID, {r} is the decrypted remainder, and {Sb} is the
bucket size.
Notable points from the original scheme include the basic idea
of integer value decomposition, key transformation, exhaustive
decryption search, and HMAC as encryption function. Issues identified
with the original scheme include the problem that two buckets
(remainder and bucket ID) decrease efficiency for large integer
values, the key transformation only occurs on the remainder value,
rather than the bucket ID, and the highly recursive use of HMAC is
inefficient [2]. The HTEE process developed for this project improves
each of these points by defining a general rule for integer
decomposition that improves performance, defining a secure key
transformation process, and using HMAC as encryption while
removing the recursion requirement. In addition, tamper detection is
added by making the ciphertext dependent on other related data, a
feature not present in the original scheme.
3. Design
17
Figure 5 - Element key transformation function
19
Figure 6 - Bucket key transformation function
3.6. Encryption
3.6. Decryption
22
Figure 8 - Detailed decryption operation
4. Security Analysis
23
on HMAC security [3, 4, 5]. Because the HMAC function uses an inner
hash with a hidden key, it is more difficult to find collisions [5]. In
addition, due to the outer and inner hash functions, an attacker
cannot control input into the outer hash function which makes it
difficult to attack the function [6].
The designers of the HMAC function proved its security given
two features of the underlying hash function: that the hash function is
weakly collision resistant, and that the hash compression operation is
a pseudo-random function [3]. In response to attacks against the
collision resistance of MD5 and SHA-1 the designers presented a
further proof of HMAC security provided that the hash compression
operation is a pseudo-random function, dropping the collision
resistance requirement [4, 7]. The secret key reduces the effect that
collision based attacks have on the HMAC function [4, 5, 11]. This
improvement is significant to the security of HMAC, because it means
that hash algorithms such as SHA-1 can continue to be used in HMAC
processing [4, 5]. Beyond this assurance, one of the beneficial
features of using HMAC is its extensibility to other hash functions. If
additional security is required, the hash algorithm can be upgraded to
a SHA-512, Whirlpool, or other strong functions [3]. For HMAC
processing and the HTEE scheme, the only factors that will be
impacted by changing the hash function are the key size, the output
digest size, and processing cost.
While the strength of HMAC security is based on the
compression operation of the underlying hash function, the measure
of security is the difficulty to produce a forgery of the authentication
code. If legitimate parties communicate with message / authentication
code pairs {M1, A1} through {Mn, An}, a forgery is the ability for an
attacker to produce a new pair for {Mx, Ax} for a message not
communicated legitimately [3, 6]. The attacker is able to see the
legitimate message pairs, but not the secret key. There are several
methods researched to produce forgeries in the HMAC function, the
primary being the birthday attack. Although collisions of the
underlying hash function are not a concern for the HMAC, it is still
the case the HMAC output is a digest of a message and secret key
input, and it can produce its own collisions. It is possible for an
attacker to observe messages M1 and M2 where {M1 != M2}but {A1 =
24
A2}. This probability of this occurrence is controlled by the birthday
paradox, where a HMAC collision becomes probable after {2n/2}
message pairs are observed, where {n} is the number of bits in the
output digest [3, 5, 11, 15]. So a HMAC-SHA1 function would be
susceptible to a forgery based on the birthday paradox after 280
message pairs are observed. The birthday paradox is also used to find
collisions in hash functions but with HMAC the attacker relies on a
legitimate user to generate all 280 digests. With traditional hash
functions, the attacker can generate digests at will. Also the effect of
a birthday attack is a forgery, and does not yield the secret key. A
forgery could compromise a single records tamper detection
capability, but it wont threaten the entire database.
Beyond the birthday attack, full key recovery attacks are
another important threat to the HMAC function. These attacks still
appear infeasible, although some methods have efficiency better than
brute force [6, 7, 10]. These methods have an underlying requirement
of a very large number of HMAC message/authentication code pairs
for analysis, more than are required for the birthday attack [6, 7, 10].
Several conclusions can be made from this analysis of HMAC security
research. The first conclusion is that the HMAC function is secure
from collision attacks presented in MD5 and SHA-1, and the attacker
cannot generate potential collisions offline but is dependent on a
legitimate user. The second conclusion is that key recovery is a
difficult attack and is only feasible after a very large number of
messages are analyzed. Furthermore, the secret key value and
underlying hash function used in the HMAC process are the primary
contributions to its cryptographic strength.
5. Implementation
5.1. Overview
28
The HTEE scheme was implemented for this project to validate
the designed algorithm, evaluate performance, and provide a tool that
could be used for future applications. The implementation has two
varieties, a command line program designed for flat file processing,
and a database add-on for the PostgreSQL database management
system. The command line program is used for debugging, program
validation and testing while the PostgreSQL add-on is the primary
method to use HTEE for encryption and tamper detection. The
implementation was developed and complied on Windows XP using
the Microsoft Visual C++ 2008 Express Edition compiler. The
PostgreSQL add-on was compiled against server versions 8.3.8 and
8.4.1.
Both programs are implemented in the C language, chosen
because the PostgreSQL system and libraries are implemented in C
and extensibility is supported for the language. The PostgreSQL add-
on is installed into the database as a function which is conveniently
invoked through queries, such as SELECT htee_enc(data,unique) FROM test
for encryption. The add-on is configured through a file in the servers
data directory, which allows specification of a secret key and a
maximum number of buckets. The secret key must be stored in
base64 encoding in a file accessible to the server process. The
maximum number of buckets is an important processing parameter
that defines how many buckets the program can decompose integer
values into, which controls the maximum range of plaintext values and
efficiency. As the number of buckets processed increases, the program
becomes less efficient but it can support a wider range of plaintext
values. Valid values for the maximum number of buckets are one
through six, due to the 8 byte integer limit near 9x1018 preventing the
use of a seventh bucket. Appendix B contains details related to the
implementation including support for compilation and installation of
the add-on.
6. Testing
33
Table 2 - Average performance across bucket sizes
Average Performance
(time in seconds)
Encrypt Method Mode Time
aes1 postgres encrypt 18.1
aes1 postgres decrypt 15.3
aes1 postgres tamper 18.3
aes2 postgres encrypt 15.8
aes2 postgres decrypt 18.2
aes2 postgres tamper 17.8
htee postgres encrypt 3.5
htee postgres decrypt 75.4
htee postgres tamper 58.8
htee console encrypt 00.7
htee console decrypt 81.9
Detailed Performance
(time in seconds)
bucket size 1 2 3 4 5 6
encrypt 17.9 16.4 17.5 17.0 24.4 15.5
aes1
postgres decrypt 15.2 14.1 14.3 13.8 18.6 16.1
tamper 17.8 18.3 18.2 18.7 18.3 18.8
encrypt 16.1 14.7 14.8 14.7 16.4 18.0
aes2
postgres decrypt 15.9 17.2 16.0 15.3 17.1 27.9
tamper 15.0 16.7 18.3 18.2 17.7 20.7
encrypt 3.8 1.4 1.4 4.2 5.0 4.8
htee
postgres decrypt 22.2 42.5 64.4 84.5 100.9 131.3
tamper 32.3 42.4 52.9 63.7 74.4 87.3
35
htee encrypt 0.6 0.5 0.7 0.8 0.9 1.1
console
decrypt 22.7 44.8 68.5 89.3 123.9 142.5
36
Figure 10 - HTEE performance difference across bucket sizes
38
Table 4 - Complexity of HTEE and Original schemes
7. Conclusion
42
7.2. Future Work
8. References
[1] Dong Hyeok Lee; You Jin Song; Sung Min Lee; Taek Yong Nam; Jong Su
Jang, "How to Construct a New Encryption Scheme Supporting Range
Queries on Encrypted Database," Convergence Information Technology,
2007. International Conference on , vol., no., pp.1402-1407, 21-23 Nov.
2007
URI: http://ieeexplore.ieee.org/stamp/stamp.jsp?
arnumber=4420452&isnumber=4420217
[2] Brad Baker, "Analysis of an HMAC Based Database Encryption Scheme,"
UCCS Summer 2009 Independent study July. 2009
URI: http://cs.uccs.edu/~gsc/pub/master/bbaker/doc/final_paper_bbaker_
cs592.doc
[3] Mihir Bellare; Ran Canetti; Hugo Krawczyk; Keying Hash Functions for
Message Authentication, IACR Crypto 1996
URI: http://cseweb.ucsd.edu/users/mihir/papers/kmd5.pdf
43
[4] Mihir Bellare, New Proofs for NMAC and HMAC: Security without
Collision-Resistance, IACR Crypto 2006
URI: http://eprint.iacr.org/2006/043.pdf
[5] Mihir Bellare, Attacks on SHA-1, 2005
URI: http://www.openauthentication.org/pdfs/Attacks%20on%20SHA-
1.pdf
[6] Pierre-Alain Fouque; Gatan Leurent; Phong Q. Nguyen, "Full Key-
Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5," IACR Crypto
2007
URI: ftp://ftp.di.ens.fr/pub/users/pnguyen/Crypto07.pdf
[7] Scott Contini; Yiqun Lisa Yin, Forgery and Partial Key-Recovery Attacks
on HMAC and NMAC using Hash Collisions (Extended Version), 2006
URI: http://eprint.iacr.org/2006/319.pdf
[8] Hyrum Mills; Chris Soghoian; Jon Stone; Malene Wang, NMAC: Security
Proof, 2004
URI: http://www.cs.jhu.edu/~astubble/dss/proofslides.pdf
[9] Ran Canetti, The HMAC construction: A decade later, 2007
URI: http://people.csail.mit.edu/canetti/materials/hmac-10.pdf
[10] Yu Sasaki, A Full Key Recovery Attack on HMAC-AURORA-512, 2009
URI: http://eprint.iacr.org/2009/125.pdf
[11] Jongsung Kim; Alex Biryukov; Bart Preneel; and Seokhie Hong, On the
Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and
SHA-1, 2006
URI: http://eprint.iacr.org/2006/187.pdf
[12] NIST, March 2002. FIPS Pub 198 HMAC specification.
URI = http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
[13] Wikipedia, October 2009. HMAC reference material.
URI= http://en.wikipedia.org/wiki/Hmac
[14] Wikipedia, October 2009. SHA-1 reference material.
URI= http://en.wikipedia.org/wiki/SHA-1
[15] Wikipedia, October 2009. Birthday Attack reference.
URI= http://en.wikipedia.org/wiki/Birthday_attack
[16] Forouzan, Behrouz A. 2008. Cryptography and Network Security.
McGraw Hill higher Education. ISBN 978-0-07-287022-0
[17] Simon Josefsson, 2006. GPL implementation of HMAC-SHA1.
URI=
http://www.koders.com/c/fidF9A73606BEE357A031F14689D03C0897778
47EFE.aspx
[18] Scott G. Miller, 2006. GPL implementation of SHA-1 hash.
URI=
http://www.koders.com/c/fid716FD533B2D3ED4F230292A6F9617821C8
FDD3D4.aspx
44
[19] Bob Trower, August 2001. Open source base64 encoding implementation,
adapted for test program.
URI= http://base64.sourceforge.net/b64.c
[20] PostgreSQL, October 2009. Server Documentation.
URI= http://www.postgresql.org/docs/8.4/static/index.html
[21] Gopalan Sivathanu; Charles P. Wright; and Erez Zadok, Ensuring data
integrity in storage: techniques and applications, Workshop On Storage
Security And Survivability, Nov. 2005
URI = http://doi.acm.org/10.1145/1103780.1103784
[22] Vishal Kher; Yongdae Kim, Securing Distributed Storage: Challenges,
Techniques, and Systems Workshop On Storage Security And
Survivability, Nov. 2005
URI = http://doi.acm.org/10.1145/1103780.1103783
[23] Kyriacos Pavlou; Richard Snodgrass, Forensic Analysis of Database
Tampering, ACM Transactions on Database Systems (TODS), 2008
URI = http://doi.acm.org/10.1145/1412331.1412342
[24] Elbaz, R.; Torres, L.; Sassatelli, G.; Guillemin, P.; Bardouillet, M.; Rigaud,
J.B., "How to Add the Integrity Checking Capability to Block Encryption
Algorithms," Research in Microelectronics and Electronics 2006, Ph. D. ,
vol., no., pp.369-372, 0-0 0
URI: http://ieeexplore.ieee.org/stamp/stamp.jsp?
arnumber=1689972&isnumber=35631
[25] Elbaz, R.; Torres, L.; Sassatelli, G.; Guillemin, P.; Bardouillet, M., "PE-ICE:
Parallelized Encryption and Integrity Checking Engine," Design and
Diagnostics of Electronic Circuits and systems, 2006 IEEE , vol., no.,
pp.141-142, 0-0 0
URI: http://ieeexplore.ieee.org/stamp/stamp.jsp?
arnumber=1649595&isnumber=34591
[26] Wikipedia, October 2009. Information Security Reference.
URI= http://en.wikipedia.org/wiki/Information_security
[27] Brad Baker, Tamper Evident Encryption of Integers using keyed Hash
Message Authentication Code Project materials and documentation.
URI = http://cs.uccs.edu/~gsc/pub/master/bbaker/
Appendixes
Procedure decompose(value)
If value is plaintext
#plaintext decompose breaks input into buckets size 1000
residual = value
P = floor(log1000(value)) + 1
Loop while(P >= 0)
#use modulus iterativley to decompose into buckets size 1000
bucket = (residual residual mod 1000P) / 1000P
residual = residual mod 1000P
P = P - 1
EndLoop
Return list of bucket
Else
#ciphertext decompose breaks input into digests of 20 bytes
#with sha1, bucket digests are 20 bytes, 28 bytes base64
Parse value into bucket digests
Return list of digests
EndIf
46
Procedure element(KO, unique)
#hash the unique value to seed the HMAC iterations
temp = Sha1(unique)
Return KE
End.
47
Procedure HTEE(plaintext, unique, KO)
Begin
#find the size of the number
buckets = floor(log1000(plaintext)) + 1
return ciphertext
End.
48
Procedure HTEE-1(ciphertext, unique, KO)
Begin
#transform key for this plaintext element
KE = element(KO, unique)
49
- Note the installation path of PostgreSQL.
o The typical Windows installation path is:
"C:\Program Files\PostgreSQL\8.3\", depending on server
version.
o In the following sections this is referred to as: %PGPATH%
"%PGPATH%\include";
"%PGPATH%\include\server"
51
- The original plaintext, encrypted ciphertext and decrypted
plaintext should display.
Encryption operation:
- AES1 method: Raw AES encryption with no tamper detection
o UPDATE htee_test1 SET cipher_aes1 =
encode(pgp_sym_encrypt(cast(data as text),
(SELECT key FROM keys WHERE id=1),
'cipher-algo=aes128'),'base64');
- AES2 method: AES encryption with tamper detection through
unique value concatenation
o UPDATE htee_test1 SET cipher_aes2 =
encode(pgp_sym_encrypt(id||';'||cast(data as text),
(SELECT key FROM keys WHERE id=1),
'cipher-algo=aes128'),'base64');
- HTEE method: HTEE encryption with unique value for key
transformation
o UPDATE htee_test1 SET cipher_htee =
htee_enc(data,cast(id as text));
Decryption Operation:
- When data has been tampered with, the AES2 and HTEE
methods will produce a decryption result of -1, indicating the
tamper.
- AES1 method: Raw AES encryption with no tamper detection
o UPDATE htee_test1 SET dec_aes1 =
cast(pgp_sym_decrypt(decode("cipher_aes1",'base64'),
52
(SELECT key FROM keys WHERE id=1),
'cipher-algo=aes128')as bigint);
- AES2 method: AES encryption with tamper detection through
unique value concatenation
o Note that decryption uses a temporary column to
support the separation of concatenated data, and
comparison of current and decrypted unique values.
This is just one solution for AES tamper detection that
can be implemented with SQL statements.
o UPDATE htee_test1 SET temp_aes2 =
pgp_sym_decrypt(decode("cipher_aes2",'base64'),
(SELECT key FROM keys WHERE id=1), 'cipher-algo=aes128');
o UPDATE htee_test1 set dec_aes2 = cast(substr(temp_aes2,
strpos(temp_aes2,';')+1,length(temp_aes2)) as bigint)
where substr(temp_aes2,0,strpos(temp_aes2,';'))
= cast (id as text);
o UPDATE htee_test1 SET dec_aes2 = -1
WHERE substr(temp_aes2,0,strpos(temp_aes2,';'))
<> cast (id as text);
- HTEE method: HTEE encryption with unique value for key
transformation.
o UPDATE htee_test1 SET dec_htee =
htee_dec(cipher_htee, cast(id as text));
53