Foundations of Network and Computer Security

Slides:



Advertisements
Similar presentations
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Advertisements

“Advanced Encryption Standard” & “Modes of Operation”
Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Aug 31 st 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 6 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 14 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #11 Sep 21 st 2007 CSCI 6268/TLEN 5831, Fall 2007.
Lecture 23 Symmetric Encryption
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 31 st 2004 CSCI 6268/TLEN 5831, Fall 2004.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
CS 4/585: Cryptography Tom Shrimpton FAB
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
Lecture 4: Using Block Ciphers
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Lecture 23 Symmetric Encryption
1 Introduction to Cryptography Chapter-4. Definitions  Cryptography = the science (art) of encryption  Cryptanalysis = the science (art) of breaking.
Modes of Operation block ciphers encrypt fixed size blocks – eg. DES encrypts 64-bit blocks with 56-bit key need some way to en/decrypt arbitrary amounts.
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016.
CS480 Cryptography and Information Security
CS/ECE 578 Cyber-Security Dr. Attila Altay Yavuz
Computer and Network Security
Network Security.
Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Outline Desirable characteristics of ciphers Stream and block ciphers
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 9.
Cryptography Lecture 26.
Introduction to modern cryptology
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Lecture 12.
Cryptography and Security Fall 2009 Steve Lai
مروري برالگوريتمهاي رمز متقارن(كليد پنهان)
Security through Encryption
Block cipher and modes of encryptions
CS/ECE 478 Network Security Dr. Attila Altay Yavuz
Foundations of Network and Computer Security
Symmetric-Key Encryption
Block vs Stream Ciphers
Network Security.
Block Ciphers (Crypto 2)
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 12.
Padding Oracle Attacks
Topic 13: Message Authentication Code
Cryptography Lecture 22.
Cryptography Lecture 11.
Cryptography Lecture 16.
Cryptography Lecture 25.
CRYPTOGRAPHY & NETWORK SECURITY
Elect. Codebook, Cipher Block Chaining
Review of Cryptography: Symmetric and Asymmetric Crypto Advanced Network Security Peter Reiher August, 2014.
Secret-Key Encryption
Presentation transcript:

Foundations of Network and Computer Security John Black Lecture #7 Sep 12th 2007 CSCI 6268/TLEN 5831, Fall 2007

Blockcipher Review DES AES Old, 64-bit blocksize, 56 bit keys Feistel construction Never broken except for exhaustive key search AES New, 128-bit blocksize, 128-256 bit keys Non-Feistel Fast, elegant, so far so good

Aren’t We Done? Blockciphers are only a start They take n-bits to n-bits under a k-bit key Oftentimes we want to encrypt a message and the message might be less than or greater than n bits! We need a “mode of operation” which encrypts any M 2 {0,1}* There are many, but we focus on three: ECB, CBC, CTR

Review of Indistinguishability Several people asked questions (email) about this How to “break” a blockcipher People are still trying to extract the key, decrypt arbitrary ciphertexts, decode messages, etc. This is not your goal! You must simply distinguish between a random permutation and the given blockcipher under a random key

Two Examples Recall blockcipher X: Recall one-round of DES: I hand you an oracle that is either a random permutation or blockcipher X under a random key K; can you distinguish? Recall one-round of DES: I hand you an oracle that is either a random permutation or 1-round DES under a random key K; can you distinguish? Recall two-rounds of DES: Same question… it might be on the next quiz.

Goals of Encryption Cryptographers want to give up exactly two pieces of information when encrypting a message 1) That M exists 2) The approximate length of M The military sometimes does not even want to give up these two things! Traffic analysis We definitely don’t want to make it obvious when a message repeats

ECB – Electronic Codebook This is the most natural way to encrypt It’s what we used with the Substitution Cipher For blockcipher E under key K: First, pad (if required) to ensure M 2 ({0,1}n)+ Write M = M1 M2 … Mm where each Mi has size n-bits Then just encipher each chunk: Ci = EK(Mi) for all 1 · i · m Ciphertext is C = C1 C2 … Cm

Why ECB Mode is BAD ECB leaks more than we wanted Repetitions in the plaintext show through to the ciphertext This is easily avoided, so let’s do so There ARE applications where ECB makes sense What’s a nice advantage of ECB mode?

CBC Mode Encryption Start with an n-bit “nonce” called the IV Initialization Vector Usually a counter or a random string Blockcipher E under key K, M broken into m blocks of n bits as usual C0 = IV Ci = EK(Mi © Ci-1) for all 1 · i · m M1 M2 Mm IV EK EK EK Cm C1 C2

Digression on the One-Time Pad Suppose Alice and Bob shared a 10,000 bit string K that was secret, uniformly random Can Alice send Bob a 1KB message M with “perfect” security? 1KB is 8192 bits; let X be the first 8192 bits of the shared string K Alice sets C = M © X, and sends C to Bob Bob computes C © X and recovers M Recall that M © X © X = M

Security of the One-Time Pad Consider any bit of M, mi, and the corresponding bits of X and C, (xi, ci) Then ci = mi © xi Given that some adversary sees ci go across a wire, what can he discern about the bit mi? Nothing! Since xi is equally likely to be 0 or 1 So why not use the one-time pad all the time? Shannon proved (1948) that for perfect security the key must be at least as long as the message Impractical

One-Time Pad (cont) Still used for very-top-secret stuff Purportedly used by Russians in WW II Note that it is very important that each bit of the pad be used at most one time! The infamous “two time pad” is easily broken Imagine C = M © X, C’ = M’ © X Then C © C’ = M © X © M’ © X = M © M’ Knowing the xor of the two messages is potentially very useful n-time pad for large n is even worse (WEP does this)

Counter Mode – CTR Blockcipher E under key K, M broken into m blocks of n bits, as usual Nonce N is typically a counter, but not required C0 = N Ci = EK(N++) © Mi Ciphertext is C = C0 C1 … Cm

CTR Mode Again, n bits of ciphertext expansion Non-deterministic encryption Fully parallelizable in both directions Not that widely used despite being known for a long time People worry about counter overlap producing pad reuse

Why I Like Modes of Operation Modes are “provably secure” Unlike blockciphers which are deemed “hopefully secure” after intense scrutiny by experts, modes can be proven secure like this: Assume blockcipher E is secure (computationally indistinguishable from random, as we described) Then the mode is secure in an analogous black-box experiment The proof technique is done via a “reduction” much like you did in your NP-Completeness class The argument goes like this: suppose we could break the mode with computational resources X, Y, Z. Then we could distinguish the blockcipher with resources X’, Y’, Z’ where these resources aren’t that much different from X, Y, and Z

Security Model Alice and Bob Traditional names Let’s us abbreviate A and B Adversary is the bad guy This adversary is passive; sometimes called “eve” Note also the absence of side-channels Power consumption, timing, error messages, etc Alice Bob Adversary Key K Key K

Various Attack Models Known-Ciphertext Attack (KCA) You only know the ciphertext Requires you know something about the plaintext (eg, it’s English text, an MP3, C source code, etc) This is the model for the Sunday cryptograms which use a substitution cipher Known-Plaintext Attack (KPA) You have some number of plaintext-ciphertext pairs, but you cannot choose which plaintexts you would like to see This was our model for exhaustive key search and the meet in the middle attack

Attack Models (cont) Chosen-Plaintext Attack (CPA) You get to submit plaintexts of your choice to an encryption oracle (black box) and receive the ciphertexts in return Models the ability to inject traffic into a channel Send a piece of disinformation to an enemy and watch for its encryption Send plaintext to a wireless WEP user and sniff the traffic as he receives it This is the model we used for defining blockcipher security (computational indistinguishability)

Attack Models (cont) Chosen-Ciphertext Attack (CCA) The strongest definition (gives you the most attacking power) You get to submit plaintexts and ciphertexts to your oracles (black boxes) Sometimes called a “lunchtime attack” We haven’t used this one yet, but it’s a reasonable model for blockcipher security as well

So What about CBC, for example? CBC Mode encryption It’s computationally indistinguishable under chosen plaintext attack You can’t distinguish between the encryption of your query M and the encryption of a random string of the same length In the lingo, “CBC is IND-CPA” It’s not IND-CCA You need to add authentication to get this

The Big (Partial) Picture Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) First-Level Protocols Symmetric Encryption MAC Schemes Asymmetric Encryption Digital Signatures (Can do proofs) Block Ciphers Stream Ciphers Hash Functions Hard Problems Primitives (No one knows how to prove security; make assumptions)