CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

Slides:



Advertisements
Similar presentations
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Advertisements

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 555Topic 11 Cryptography CS 555 Topic 1: Overview of the Course & Introduction to Encryption.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Computer Security CS 426 Lecture 3
Cryptanalysis. The Speaker  Chuck Easttom  
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.
1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Part 1: Classical Ciphers Jerzy Wojdyło May 4, 2001.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Computer Security By Rubel Biswas. Introduction History Terms & Definitions Symmetric and Asymmetric Attacks on Cryptosystems Outline.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
CMSC 414 Computer (and Network) Security Lecture 3 Jonathan Katz.
Modern symmetric-key Encryption
Cryptography Lecture 2.
Cryptography Lecture 3.
Cryptography Lecture 12.
B504/I538: Introduction to Cryptography
Cryptography Lecture 4.
Topic 5: Constructing Secure Encryption Schemes
Cryptography Lecture 5.
Topic 3: Perfect Secrecy
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
CMSC 414 Computer and Network Security Lecture 3
Cryptography Lecture 6.
Cryptography Lecture 7.
Cryptography Lecture 11.
Cryptography Lecture 4.
Cryptography Lecture 5.
Cryptography Lecture 8.
Cryptography Lecture 12.
Cryptography Lecture 6.
Cryptography Lecture 3.
Cryptography Lecture 7.
Cryptography Lecture 3.
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Cryptography Lecture 6.
CIS 5371 Cryptography 2. Perfect Secret Encryption
Presentation transcript:

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz

Attacking the Vigenere cipher  Let p i (for i=0, …, 25) denote the frequency of letter i in English-language text –Known that Σ p i 2 ≈  For each candidate period t, compute frequencies {q i } of letters in the sequence c 0, c t, c 2t, …  For the correct value of t, we expect Σ q i 2 ≈ –For incorrect values of t, we expect Σ q i 2 ≈ 1/26  Once we have the period, can use frequency analysis as in the case of the shift cipher

Moral of the story?  Don’t use “simple” schemes  Don’t use schemes that you design yourself –Use schemes that other people have already designed and analyzed…

A fundamental problem  Wouldn’t it be nice if we could somehow prove that an encryption scheme is secure?  But before that…we haven’t even defined what “secure” means!

Modern cryptography  Proofs –We won’t do proofs in this course, but we will state known results  Definitions  Assumptions

Defining security  Why is a good definition important? –If you don’t know what you want, how can you possibly know whether you’ve achieved it? –Forces you to think about what you really want What is essential and what is extraneous –Allows comparison of schemes May be multiple valid ways to define security –Allows others to use schemes; allows analysis of larger systems built using components –Allows for (the possibility of) proofs…

Security definitions  Two components –The threat model –The “security guarantees” or, looking at it from the other side, what counts as a successful attack  Crucial to understand these issues before crypto can be successfully deployed! –Make sure the stated threat model matches your application environment –Make sure the security guarantees are what you need

Security guarantee for encryption?  So how would you define encryption?  Adversary unable to recover the key –Necessary, but meaningless on its own…  Adversary unable to recover entire plaintext –Good, but not enough  Adversary unable to determine any information at all about the plaintext –How to formalize? –Can we achieve it?

Defining secrecy (take 1)  Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext –(Except the length)  Perfect secrecy (Shannon)  Formally, for all distributions over the message space, all m, and all c: Pr[M=m | C=c] = Pr[M=m]

Leaking the message length  In general, encryption leaks the length of the message  Possible to (partly) address this using padding –Inefficient –Generally not done  Does not mean that length is unimportant! –In some cases, leaking length can ruin security

The one-time pad  Scheme  Proof of security

Properties of the one-time pad?  Achieves perfect secrecy –No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext  Limited use in practice… –Long key length –Can only be used once (hence the name!) –Insecure against known-plaintext attacks  These are inherent limitations of perfect secrecy

Computational secrecy  We can overcome the limitations of perfect secrecy by (slightly) relaxing the definition  Instead of requiring total secrecy against unbounded adversaries, require secrecy against bounded adversaries except with some small probability –E.g., secrecy for 100 years, except with probability  How to define formally?

A simpler characterization  Perfect secrecy is equivalent to the following, simpler definition: –Given a ciphertext C which is known to be an encryption of either m 0 or m 1, no adversary can guess correctly which message was encrypted with probability better than ½  Relax this to give computational security!  Is this definition too strong? Why not?

The take-home message  Weakening the definition slightly allows us to construct much more efficient schemes!  However, we will need to make assumptions  Strictly speaking, no longer 100% absolutely guaranteed to be secure –Security of encryption now depends on security of building blocks (which are analyzed extensively, and are believed to be secure) –Given enough time and/or resources, the scheme can be broken

PRNGs  A pseudorandom (number) generator (PRNG) is a deterministic function that takes as input a seed and outputs a string –To be useful, the output must be longer than the seed  If seed chosen at random, output of the PRNG should “look random” (i.e., be pseudorandom) to any efficient distinguishing algorithm –Even when the algorithm knows G! (Kerchoffs’s rule)

PRGs: a picture y  {0,1} l chosen uniformly at random y ?? World 0 World 1 x  {0,1} n chosen uniformly at random G(x) (poly-time) Far from identical, but Adv can’t tell them apart

Notes  Required notion of pseudorandomness is very strong – must be indistinguishable from random for all efficient algorithms –General-purpose PRNGs (rand( ), java.random) not sufficient for crypto  Pseudorandomness of the PRNG depends on the seed being chosen “at random” –True randomness very difficult to obtain –In practice: randomness from physical processes and/or user behavior

A computationally secure scheme  The pseudo-one-time pad… –Theorem: If G is a pseudorandom generator, then this encryption scheme is secure (in the computational sense defined earlier)  Which drawback(s) of the one-time pad does this address?