Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman


Administrative stuff Project ideas posted – Deadlines still TBA, but start looking… Quiz schedule on website Be sure to do the reading!!

Last time: Encryption Basic idea: someone seeing ciphertext learns nothing about plaintext without correct key With or without authentication Symmetric – based on tests/best guess – e.g. AES (block cipher) Asymmetric – based on math assumptions – e.g. RSA

NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!

Example: WEP
– IV, RC4(IV, k) ⊕ (M, c(M))
– Claim: 24-bit IV + 40-bit key = 64-bit security
On your right: text from Jonathan Katz
Aside: composability
Is this secure against chosen-plaintext attacks?
– It is randomized…
40-bit key (in some implementations)!
– Claims that, with IV, this gives a 64-bit effective key(!)
And how is the IV chosen?
– Only 24 bits long -- IV repetitions are a problem!
– Reset to 0 upon re-initialization
– Some implementations increment the IV as a counter
A repeating IV allows the attacker to compute the XOR of two plaintexts
– We have discussed already how this can be damaging
Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
– If portions of some plaintexts known, this enables determination of other plaintexts
Known-plaintext attacks discovered on this usage of RC4
– Possible because the first byte of plaintext is a fixed, known header!
Chosen-plaintext attacks
– Send IP traffic/ to the mobile host and watch it get forwarded
– Transmit broadcast messages to access point
– Authentication spoofing
No cryptographic integrity protection
– The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
– Allows IP redirection attack
– Allows TCP “reaction” attacks
  Look at whether TCP checksum is valid
  Form of chosen-ciphertext attack
Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
– Allows easy spoofing after eavesdropping
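The two WEP failures named on this slide (IV reuse and the linear, unkeyed checksum) can be reproduced on constructed data. This is an added example, not part of the original slides; the IV, key, messages and function names are made up for illustration, and zlib's CRC-32 stands in for c(M).

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key scheduling, then output loop)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:
    """c(M): unkeyed CRC-32 of the message, little-endian."""
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(iv: bytes, k: bytes, m: bytes) -> bytes:
    body = m + icv(m)                      # (M, c(M))
    return xor(body, rc4(iv + k, len(body)))

def wep_decrypt(iv: bytes, k: bytes, c: bytes):
    body = xor(c, rc4(iv + k, len(c)))
    m, tag = body[:-4], body[-4:]
    return m if icv(m) == tag else None    # None = checksum rejected

def flip_without_key(c: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the hidden plaintext and repair the checksum, keyless.
    zlib's CRC-32 is affine rather than strictly linear:
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0) for equal lengths."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(c, delta + icv_delta)

# Constructed sample values (assumptions, not from the slides)
IV, K = b"\x00\x00\x01", b"\x0a\x0b\x0c\x0d\x0e"   # 24-bit IV, 40-bit key
M1, M2 = b"status=ok;seq=01", b"hello from alice"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, K, M1), wep_encrypt(IV, K, M2)
    print("IV reuse leaks M1^M2:", xor(c1, c2)[:16] == xor(M1, M2))
    forged = flip_without_key(c1, xor(M1, b"status=no;seq=01"))
    print("modified frame accepted as:", wep_decrypt(IV, K, forged))
```

A keyed MAC computed over the ciphertext would make the modified frame fail verification, which is the point of the MAC slides later in this deck.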

Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?

Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

Modes of operation (ECB) Images borrowed from Wikipedia :)

Modes of operation (CBC) Images borrowed from Wikipedia :)

Modes of operation (CFB) Images borrowed from Wikipedia :)

Modes of operation (CTR) Images borrowed from Wikipedia :) VS. ECB

Questions?

Authenticity and integrity Basic ideas: – Authenticity: the message was produced by a specific known subject Authentication ≠ integrity – Integrity: the message has not been altered between source and destination Messages without integrity protection vulnerable to chosen ciphertext attack

Hash functions Collision-resistant (2^k or 2^(k/2)) One-way – Preimage (1st, 2nd) resistant (2^k) Entropy of input and entropy of output – Output “looks random” Some hashes have partial proofs, e.g. reduction to AES

Symmetric authentication Message Authentication Codes (MACs) Pre-shared keys Symmetric means…? – Either party can create a correct MAC – Deniable Chained MACs… why? See TESLA authenticated multicast: cryptobytes/tesla-cryptobytes.pdf

MACs “Keyed hash” (MAC from a cryptographically-secure hash function) – Hash  Block cipher (CBC or CFB)  MAC Hybrid modes e.g. CBC-MAC – Secrecy plus authenticity (2-party) Remember to use different keys for MAC and encryption… why?

MAC examples Example: HMAC – h is a cryptographically-secure hash (or not!) – HMAC_K(M) = h(K ⊕ pad_1, h(K ⊕ pad_2, M)) Example: UMAC Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt

More MACs BAD: MAC_K = h(K,M) or MAC_K = h(M,K) GOOD: HMAC_K(M) = h(K ⊕ pad_1, h(K ⊕ pad_2, M)) Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page) Full encrypted and authenticated message: E_K1(M), MAC_K2(E_K1(M))
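The HMAC formula from the two MAC slides, written out and checked against Python's standard `hmac` module, followed by the Encrypt-then-MAC framing with verification before any decryption. This is an added example, not part of the original slides; SHA-256 as h, the function names, the key K2 and the sample ciphertext are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 64   # SHA-256 input block size in bytes
TAGLEN = 32  # SHA-256 output size in bytes

def hmac_by_formula(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(M) = h(K xor pad_1, h(K xor pad_2, M)) with h = SHA-256."""
    if len(key) > BLOCK:                     # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")          # then zero-padded to one block
    pad1 = bytes(b ^ 0x5C for b in key)      # K xor pad_1 (outer pad)
    pad2 = bytes(b ^ 0x36 for b in key)      # K xor pad_2 (inner pad)
    inner = hashlib.sha256(pad2 + msg).digest()
    return hashlib.sha256(pad1 + inner).digest()

def seal(ciphertext: bytes, k2: bytes) -> bytes:
    """Encrypt-then-MAC framing: E_K1(M) followed by MAC_K2(E_K1(M)).
    `ciphertext` is the output of whatever cipher ran under the separate key K1."""
    return ciphertext + hmac_by_formula(k2, ciphertext)

def open_sealed(blob: bytes, k2: bytes):
    """Verify the tag first; return the ciphertext only if it is authentic.
    Decryption under K1 happens after this check, never before."""
    if len(blob) < TAGLEN:
        return None
    ct, tag = blob[:-TAGLEN], blob[-TAGLEN:]
    expected = hmac.new(k2, ct, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the check leaks no prefix match
    return ct if hmac.compare_digest(tag, expected) else None

# Constructed sample values (assumptions): opaque bytes standing in for E_K1(M)
K2 = b"mac-key-separate-from-K1"
SAMPLE_CT = bytes.fromhex("8f1c02a97be4d3105566aa0b")

if __name__ == "__main__":
    blob = seal(SAMPLE_CT, K2)
    print("authentic:", open_sealed(blob, K2) == SAMPLE_CT)
    tampered = bytes([blob[0] ^ 0x01]) + blob[1:]
    print("tampered rejected:", open_sealed(tampered, K2) is None)
```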

Random numbers True random numbers (RNG) – “Quantum” entropy Pseudorandom numbers – PRNG e.g. block cipher in CTR mode – With refresh, more advanced features…

Questions?