CMSC 414 Computer and Network Security
Lecture 3
Jonathan Katz

Private-key encryption
Alice and Bob share a key K
  – Must be shared securely
  – Must be completely random
  – Must be kept completely secret from attacker
  – We don’t discuss (for now) how they do this
Plaintext - encryption - ciphertext - decryption
Decryption must recover the message!

Security through obscurity?
Always assume full details of crypto protocols and algorithms are public
  – Only secret information is a key
“Security through obscurity” is a bad idea…

Shift cipher
Attacks?
  – Key space is too small!
  – Insecure against ciphertext-only attack
      Frequency analysis
      Index of coincidence
  – If an attacker can recover the key, a scheme is clearly insecure
      What about the converse?
  – Multiple other attacks and problems

Substitution cipher
Attacks?
  – Much larger key space
  – Definitely not secure against known-plaintext attack
  – Also not secure against ciphertext-only attack (frequency analysis, digrams, trial and error)
  – Having a large key space is necessary, but not sufficient, to guarantee security…
      (Note that adversary can still recover the key)

Attacks…
A typical standard is security against chosen-plaintext attacks
Security against chosen-ciphertext attacks is increasingly required
Note that the one-time pad is insecure against known-plaintext attack

Moral of the story?
Don’t use “simple” schemes
Thoroughly analyze schemes before using
  – Better yet, use schemes that other, smarter people have already analyzed…
A good definition of security is critical

Re-thinking the problem
What do we mean by security?
  – I.e., not being able to determine the key??
  – Types of attacks
Perfect security
  – One-time pad
Computational security
  – Block ciphers and modes of encryption
  – DES and AES

Notions of Security
What constitutes a “break”?
What kind of attacks?
Note: always assume adversary knows full details of the scheme (except the key…)
  – Never aim for “security through obscurity”

Security goals?
Adversary unable to recover the key
  – Necessary, but meaningless on its own…
Adversary unable to recover entire plaintext
  – Good, but is it enough?
Adversary unable to determine any information at all about the plaintext
  – Sounds great!
  – Can we achieve it?

One-time pad

Properties of one-time pad?
Achieves perfect secrecy
  – No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext
(Essentially) useless in practice…
  – Long key length
  – Can only be used once (hence the name!)
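
An added example, not from the original lecture: a byte-wise XOR one-time pad in Python showing why a single ciphertext is consistent with every plaintext of the same length, and why a pad used twice gives up its key to one known plaintext. The function names and the two sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the pad must be as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires len(key) == len(message)")
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(n: int) -> bytes:
    """Uniformly random n-byte key from the OS CSPRNG."""
    return secrets.token_bytes(n)

def encrypt(key: bytes, message: bytes) -> bytes:
    return xor_bytes(key, message)

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)

def key_explaining(ciphertext: bytes, plaintext: bytes) -> bytes:
    """The unique key under which `ciphertext` decrypts to `plaintext`."""
    return xor_bytes(ciphertext, plaintext)

def demo() -> dict:
    m1 = b"ATTACK AT DAWN"   # constructed sample messages, equal length
    m2 = b"RETREAT AT TEN"
    key = keygen(len(m1))
    c1 = encrypt(key, m1)

    # Single use: c1 is consistent with *every* 14-byte plaintext, because some
    # key maps it to m2 just as well as the real key maps it to m1.
    alt_key = key_explaining(c1, m2)

    # Reuse (the mistake): the same key encrypts a second message.
    c2 = encrypt(key, m2)
    # Known-plaintext: one (m1, c1) pair yields the key, which then opens c2.
    recovered_key = key_explaining(c1, m1)
    # Ciphertext-only: the key cancels out, leaving m1 XOR m2.
    leak = xor_bytes(c1, c2)

    return {
        "round_trip": decrypt(key, c1) == m1,
        "alt_decryption": decrypt(alt_key, c1),
        "c2_opened": decrypt(recovered_key, c2),
        "leak_is_m1_xor_m2": leak == xor_bytes(m1, m2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```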