CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz
HW1 out
Randomized encryption Deterministic encryption schemes cannot be secure against chosen-plaintext attacks –Nor can they be secure for encrypting multiple messages To be secure against chosen-plaintext attack, encryption must be randomized Moral: always use randomized encryption!
Block ciphers Keyed, invertible permutation F Large key space, large block size Modeled as a (family of) random permutations… A block cipher is not an encryption scheme –A block cipher can be used to build an encryption scheme (and other things as well) Example – the “trivial” encryption scheme: –C = F K (m) –This is not randomized…
Data Encryption Standard (DES) Developed in 1970s by IBM / NSA / NBS –Non-public design process 56-bit key, 64-bit input/output –A 64-bit key is derived from 56 random bits –One bit in each octet is a parity-check bit The “short” key length is a major concern… The “short” block length is also a concern
Concerns about DES Short key length –DES “cracker”, built for $250K, can break DES in days –Computation can be distributed to make it faster –Does not mean “DES is insecure”; depends on desired security Short block length –Repeated blocks happen “too frequently” Some (theoretical) attacks have been found –Claimed known to DES designers 15 years before public discovery! Non-public design process
3DES/triple-DES Expands the key length Now, key K = (K 1, K 2 ); |K| = 112 The “new” block cipher is just: –E K1,K2 (m) = DES K1 (DES -1 K2 (DES K1 (m))) This is a permutation, and invertible Fairly slow…but widely used in practice
AES Public contest sponsored by NIST in ’97 –Narrowed to 5 finalists –4 years of intense analysis Rijndael selected as the AES –Supports variety of block/key sizes, but defaults to 128- bit key length and 128-bit block length –2 128 is a huge number Number of seconds since big bang (estimate): ~2 58 Number of nanoseconds since big bang: ~2 90 Both efficiency and security taken into account –The “most secure” finalist was not the one chosen
Other block ciphers? No compelling reason to use anything other than AES, in general –Unless (possibly) you have very severe performance requirements –Even then, think twice Same goes for stream ciphers
Modes of encryption Used for encrypting a long message m 1, …, m n ECB –C i = F K (m i ); the ciphertext is c 1, …, c n CBC –IV; C i = F K (m i C i-1 ); the ciphertext is IV, c 1, …, c n OFB (stream cipher mode) –IV; z i = F K (z i-1 ); C i = z i m i ; the ciphertext is IV, c 1, …, c n CTR (stream cipher mode) –IV; z i = F K (IV+i); C i = z i m i ; the ciphertext is IV, c 1,.., c n Others…
Security? ECB should not be used –Why? CBC, OFB, and CTR modes are secure against chosen-plaintext attacks CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks
Message integrity
Encryption does not provide integrity “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable” –WRONG E.g., one-time pad, CBC-/CTR-mode encryption Why is this a concern? –Lack of integrity can lead to lack of secrecy –Almost always, integrity is needed in addition to secrecy