Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Administrative stuff Project ideas posted – Deadlines still TBA, but start looking… Quiz schedule on website Be sure to do the reading!!
Last time: Encryption Basic idea: someone seeing ciphertext learns nothing about plaintext without correct key With or without authentication Symmetric – based on tests/best guess – e.g. AES (block cipher) Asymmetric – based on math assumptions – e.g. RSA
NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!
Example: WEP – IV, RC4(IV, k) (M, c(M)) – Claim: 24-bit IV + 40-bit key = 64-bit security Example: WEP – IV, RC4(IV, k) (M, c(M)) – Claim: 24-bit IV bit key = 64-bit security On your right: text from Jonathan Katz Aside: composability Is this secure against chosen-plaintext attacks? – It is randomized… 40-bit key (in some implementations)! – Claims that, with IV, this gives a 64-bit effective key(!) And how is the IV chosen? – Only 24 bits long -- IV repetitions are a problem! – Reset to 0 upon re-initialization – Some implementations increment the IV as a counter A repeating IV allows the attacker to compute the XOR of two plaintexts – We have discussed already how this can be damaging Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs – If portions of some plaintexts known, this enables determination of other plaintexts Known-plaintext attacks discovered on this usage of RC4 – Possible because the first byte of plaintext is a fixed, known header! Chosen-plaintext attacks – Send IP traffic/ to the mobile host and watch it get forwarded – Transmit broadcast messages to access point – Authentication spoofing No cryptographic integrity protection – The checksum is linear (i.e., c(x y) = c(x) c(y)) and unkeyed, and therefore easy to attack – Allows IP redirection attack – Allows TCP “reaction” attacks Look at whether TCP checksum is valid Form of chosen-ciphertext attack Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce) – Allows easy spoofing after eavesdropping
Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?
Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)
Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)
Modes of operation (ECB) Images borrowed from Wikipedia :)
Modes of operation (CBC) Images borrowed from Wikipedia :)
Modes of operation (CFB) Images borrowed from Wikipedia :)
Modes of operation (CTR) Images borrowed from Wikipedia :) VS. ECB
Questions?
Authenticity and integrity Basic ideas: – Authenticity: the message was produced by a specific known subject Authentication ≠ integrity – Integrity: the message has not been altered between source and destination Messages without integrity protection vulnerable to chosen ciphertext attack
Hash functions Collision-resistant (2 k or 2 k/2 ) One-way – Preimage (1 st, 2 nd ) resistant (2 k ) Entropy of input and entropy of output – Output “looks random” Some hashes have partial proofs, e.g. reduction to AES
Symmetric authentication Message Authentication Codes (MACs) Pre-shared keys Symmetric means…? – Either party can create a correct MAC – Deniable Chained MACs… why? See TESLA authenticated multicast: cryptobytes/tesla-cryptobytes.pdf
MACs “Keyed hash” (MAC from a cryptographically-secure hash function) – Hash Block cipher (CBC or CFB) MAC Hybrid modes e.g. CBC-MAC – Secrecy plus authenticity (2-party) Remember to use different keys for MAC and encryption… why?
MAC examples Example: HMAC – h is a cryptographically-secure hash (or not!) – HMAC K (M) = h(K ⊕ pad 1, h(K ⊕ pad 2, M)) Example: UMAC Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt
More MACs BAD: MAC K = h(K,M) or MAC K = h(M,K) GOOD: HMAC K (M) = h(K ⊕ pad 1,h(K ⊕ pad 2, M)) Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page) Full encrypted and authenticated message: E K1 (M), MAC K2 (E K1 (M))
Random numbers True random numbers (RNG) – “Quantum” entropy Pseudorandom numbers – PRNG e.g. block cipher in CTR mode – With refresh, more advanced features…
Questions?