Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman


Administrative stuff Schedule updated – More changes soon, but they won’t be major Watch for quiz announcements Periodically check main page for news and schedule page for changes and slides Paper reading and the “huh?” moment

Basic cryptographic primitives Confidentiality (encryption) – Symmetric (e.g. AES) – Asymmetric (e.g. RSA) Hash functions Integrity and authentication – Symmetric (authentication codes) – Asymmetric (signatures) Key agreement Random numbers

Security properties of encryption Semantic security Chosen plaintext security (IND-CPA) Chosen ciphertext security (IND-CCA) – IND-CCA2 Security proof “games”

NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!

Always state your assumptions!

Aside: Information theory Conditional vs. unconditional security – Unconditional, e.g. one-time pad – Conditional e.g. RSA, AES … Symmetric encryption Hash functions Remember: confusion and diffusion

Basic (but more complex) primitives Confidentiality (encryption) – Symmetric (e.g. AES), asymmetric (e.g. RSA) – Malleable vs. non-malleable – Deterministic vs. randomized Hash functions Message authentication codes, signatures Random numbers Key agreement

Some basic cryptographic primitives Confidentiality (encryption) – Symmetric (e.g. AES): E_K(M), D_K(M) – Asymmetric (e.g. RSA): E_PK(M), D_SK(M) Hash functions (e.g. SHA-3): h(M) Integrity and authentication – Symmetric (MACs): MAC_K(M) – Asymmetric (signatures): Sig_SK(M), V_PK(M) Key agreement Random numbers: n = nonce or E -1

Aside: composability
Example: WEP
– IV, RC4(IV, k) ⊕ (M, c(M))
– Claim: 24-bit IV + 40-bit key = 64-bit security
On your right: text from Jonathan Katz
Is this secure against chosen-plaintext attacks?
– It is randomized…
40-bit key (in some implementations)!
– Claims that, with IV, this gives a 64-bit effective key(!)
And how is the IV chosen?
– Only 24 bits long -- IV repetitions are a problem!
– Reset to 0 upon re-initialization
– Some implementations increment the IV as a counter
A repeating IV allows the attacker to compute the XOR of two plaintexts
– We have discussed already how this can be damaging
Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
– If portions of some plaintexts known, this enables determination of other plaintexts
Known-plaintext attacks discovered on this usage of RC4
– Possible because the first byte of plaintext is a fixed, known header!
Chosen-plaintext attacks
– Send IP traffic/ to the mobile host and watch it get forwarded
– Transmit broadcast messages to access point
– Authentication spoofing
No cryptographic integrity protection
– The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
– Allows IP redirection attack
– Allows TCP “reaction” attacks
  Look at whether TCP checksum is valid
  Form of chosen-ciphertext attack
Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
– Allows easy spoofing after eavesdropping
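The two design failures listed above, a repeated IV exposing the XOR of two plaintexts and an unkeyed linear checksum giving no integrity, shown on constructed data. This is an added example, not part of the original slides; the RC4 routine, the sample IV, key and messages, and all function names are assumptions made for illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream."""
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):  # output generation
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def c(m):
    """WEP's unkeyed checksum: CRC-32, appended as 4 bytes."""
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(iv, k, m):
    """RC4(IV, k) XOR (M, c(M)), as on the slide."""
    body = m + c(m)
    return xor(rc4(iv + k, len(body)), body)

def wep_decrypt(iv, k, ct):
    body = xor(rc4(iv + k, len(ct)), ct)
    return body[:-4], body[-4:] == c(body[:-4])

def xor_of_plaintexts(ct1, ct2):
    """Same IV and key: the keystream cancels out of ct1 XOR ct2."""
    return xor(ct1, ct2)[:-4]

def apply_delta(ct, delta):
    """Change the plaintext by delta with no key, keeping c() valid.
    zlib's CRC-32 is affine: c(x^d) = c(x) ^ c(d) ^ c(00..0)."""
    fix = xor(c(delta), c(bytes(len(delta))))
    return xor(ct, delta + fix)

# Constructed sample values, not captured traffic.
IV, K = b"\x00\x00\x01", b"\x0a\x0b\x0c\x0d\x0e"   # 24-bit IV, 40-bit key
M1, M2 = b"seq=0001 amount=0100", b"seq=0002 amount=0250"
CT1, CT2 = wep_encrypt(IV, K, M1), wep_encrypt(IV, K, M2)
```

A receiver running `wep_decrypt` accepts the output of `apply_delta` as valid, which is why the checksum has to be replaced by a keyed MAC rather than made longer.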

Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?

Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

Modes of operation (ECB) Images borrowed from Wikipedia :)

Modes of operation (CBC) Images borrowed from Wikipedia :)

Modes of operation (CFB) Images borrowed from Wikipedia :)

Modes of operation (CTR) Images borrowed from Wikipedia :) VS. ECB

Questions?

Authenticity and integrity Basic ideas: – Authenticity: the message was produced by a specific known subject Authentication ≠ integrity – Integrity: the message has not been altered between source and destination Messages without integrity protection vulnerable to chosen ciphertext attack

Hash functions Collision-resistant (2^k or 2^(k/2)) One-way – Preimage (1st, 2nd) resistant (2^k) Entropy of input and entropy of output – Output “looks random” Some hashes have partial proofs, e.g. reduction to AES

Symmetric authentication Message Authentication Codes (MACs) Pre-shared keys Symmetric means…? – Either party can create a correct MAC – Deniable Chained MACs… why? See TESLA authenticated multicast: cryptobytes/tesla-cryptobytes.pdf

MACs “Keyed hash” (MAC from a cryptographically-secure hash function) – Hash  Block cipher (CBC or CFB)  MAC Hybrid modes e.g. CBC-MAC – Secrecy plus authenticity (2-party) Remember to use different keys for MAC and encryption… why?

MAC examples Example: HMAC – h is a cryptographically-secure hash (or not!) – HMAC_K(M) = h(K ⊕ pad_1, h(K ⊕ pad_2, M)) Example: UMAC Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt

More MACs BAD: MAC_K = h(K, M) or MAC_K = h(M, K) GOOD: HMAC_K(M) = h(K ⊕ pad_1, h(K ⊕ pad_2, M)) Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page) Full encrypted and authenticated message: E_K1(M), MAC_K2(E_K1(M))
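The HMAC formula and the E_K1(M), MAC_K2(E_K1(M)) message layout from the slides above, as an added Python example that is not part of the original slides. `stream_xor` is a stand-in for E_K1 built from the standard library so the block runs offline; the function names and the 16-byte nonce are assumptions.

```python
import hashlib, hmac, os

def hmac_by_hand(key, msg):
    """h(K ^ pad1, h(K ^ pad2, M)) with h = SHA-256; pad1 and pad2 are
    RFC 2104's opad (0x5c) and ipad (0x36)."""
    if len(key) > 64:                  # longer than h's block size: hash it
        key = hashlib.sha256(key).digest()
    key = key.ljust(64, b"\x00")
    pad1 = bytes(b ^ 0x5C for b in key)
    pad2 = bytes(b ^ 0x36 for b in key)
    inner = hashlib.sha256(pad2 + msg).digest()
    return hashlib.sha256(pad1 + inner).digest()

def stream_xor(k1, nonce, data):
    """Stand-in for E_K1 (assumption): XOR with HMAC(k1, nonce || offset)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(k1, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(k1, k2, msg):
    """Return E_K1(M) || MAC_K2(E_K1(M)); the nonce is covered by the MAC."""
    nonce = os.urandom(16)
    ct = nonce + stream_xor(k1, nonce, msg)
    return ct + hmac.new(k2, ct, hashlib.sha256).digest()

def open_sealed(k1, k2, blob):
    """Verify the tag first; decrypt only if it matches. None on failure."""
    if len(blob) < 48:                 # shorter than nonce + tag
        return None
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(k2, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return stream_xor(k1, ct[:16], ct[16:])
```

Because the tag is checked over the ciphertext before any decryption happens, a modified message is rejected without the receiver ever processing attacker-influenced plaintext.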

Random numbers True random numbers (RNG) – “Quantum” entropy Pseudorandom numbers – PRNG e.g. block cipher in CTR mode – With refresh, more advanced features…

Asymmetric cryptography The idea: base security properties on mathematical statements – Facts or assumptions We need to be familiar with our toolset NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!

Asymmetric No pre-shared keys Public and secret keys (key pairs) Asymmetric means…? – Non-repudiable Key agreement, e.g. Diffie-Hellman – Not like sending password in the clear Mathematical proof based on conjecture – Variants of conjecture (important)

Security (strength) Key size * – Commonly for AES, for RSA – What is a [good] key? Underlying cryptosystem/primitives Composition e.g. MAC with broken underlying hash function may not itself be broken

Current state of symmetric encryption DES is too weak (56-bit key) 3DES is weak (168-bit keys but only security – “meet-in-the-middle” attack) Recent weaknesses in AES: – AES-256 ( ) AES-192 ( ) AES-128 ( ) us/projects/cryptanalysis/aesbc.pdf

Current state of hash functions MD5 is broken – SHA-1 is known to be weak – (2^69) – (2^106, generalizable) – SHA-256 (variant) is even weaker SHA-3 currently in “development” (NIST) – We have a winner: all hail Keccak (SHA-3)! –

Questions?

Exercise How do we design a naïve asymmetric encryption scheme from everything we have learned so far? RSA does not provide integrity. Why? Malleable vs. non-malleable Why might we sometimes want malleable?