1. 1 Introduction to Information Security 0368-3065, Spring 2016 Lecture 3: Applied cryptography: symmetric Zvi Ostfeld Slides credit: Eran Tromer

2. 2 Cryptography overview

3. 3 History of crypto Ceaser cipher Electromechanical ciphers (e.g., Enigma) Information theory Complexity theory Modern cryptography

4. 4 Cryptography  Is A tremendous tool The basis for many security mechanisms  Is not The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless  you spend a lot of time becoming an expert  you subject your design to outside review

5. 5 Scenarios  Storage Store files privately Protect files from tampering  Communication Avoid eavesdropping Avoid corruption “Secure channel”  Authentication  Many protocols

6. 6 Cryptographic primitives Primitive: syntax and semantics of some cryptographic functionality. A scheme/protocol/algorithm may be an instance of the primitive. Example claim: “AES-128-CBC is a secure symmetric encryption scheme”. Most common cryptographic primitives (very informally):  Encryption: confidentiality Adversary cannot learn anything about message from its encrypted form. Symmetric (cipherblock ciphers, stream ciphers) Asymmetric  Digital Signatures: integrity/authentication Adversary cannot fake a signature that passes verification. Symmetric (Message Authentication Code) Asymmetric  Hashing: Summarizing messages into “unique” short digests Adversary cannot find messages with the same digest.

7. 7 Symmetric cryptography schemes

8. 8 Symmetric encryption 8 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) Kerckhoff’s Principle A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. (Never use a proprietary cipher) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation

9. 9 9 First example: One Time Pad (single use key)  Vernam (1917)  Shannon (1949) : OTP is “secure” against ciphertext-only attacks 0101110001 Key: 1100011000 Plaintext:  1001101001 Ciphertext:

10. 10 10 Stream ciphers (single use key) Problem: OTP key is as long the message Solution: XOR with a pseudorandom seed: key PRBG message  ciphertext c  PRBG (k)  m stream Really random (physical source) Pseudorandom string PRBG: “Pseudo-Random Bit Generator” AKA PRG: “Pseudo-Random Generator” Well-known algorithms: RC4, RC5 (not secure anymore), AES in counter mode

11. 11 RC4 stream cipher [Rives 1987] for i = 0..255: S[i] = i j = 0 for i = 0 to 255 j = j + S[i] + key[i] swap (S[i], S[j]) i, j = 0 repeat: i = i + 1 j = j + S[i] swap (S[i], S[j]) output to stream: S[ S[i] + S[j] ] Key setup 212313424121853 … 0123456 … Permutation of 256 bytes, depending on key 212313424921853 … ji All values are bytes, all arithmetic is mod 256. S is a 256-byte state array. +24 Problem: statistical biases, especially in beginning of stream. Stream generator

12. 12 Dangers in using stream ciphers One time key! “Two time pad” is insecure: C 1  m 1  PRBG(k) C 2  m 2  PRBG(k) Eavesdropper does: C 1  C 2  m 1  m 2 Enough redundant information in English that: m 1  m 2  m 1, m 2

13. 13 Randomized symmetric encryption13 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) (Notation: sometimes the nonce is included in c.) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation

14. 14 Need for nonce  Single-use key: (one time key) Key is only used to encrypt one message  encrypted email: new key generated for every email No need for nonce (set to 0)  Multi-use key: Key used to encrypt multiple messages  SSL: same key used to encrypt many packets Needs either unique nonce or random nonce  Otherwise, repeated messages can be identified  Multi-use key, but all plaintexts are distinct: Can eliminate nonce using special mode (SIV) 14

15. 15 Block ciphers: crypto work horse E, D Cciphertext blockPlaintext block Key Deterministic; random IV can be supplied as part of plaintext block in a mode of operation (see next).). Efficiency and security optimized for the specific block size. Historically, more secure and easier to analyze than traditional stream ciphers. Works on fixed-size blocks: Common sizes: Cipher DES6456 3DES64168 AES128128/192/256

16. 16 Building a block cipher  Input (m,k)  DES Data Encryption Standard [NIST 1977] Repeat simple mixing operation 16 times  AES Advanced Encryption Standard [Rijmen Daemen 1998] [NIST 2001] Repeat a mixing step 10 times (for k = 128) Difficult to design: must resist  Brute force (guessing a key using 2 k attempts)  Differential cryptanalysis, linear cryptanalysis, related key attacks, side-channel attacks, … m L  m R m R  m L  F(k,m R )

17. 17 AES Block Cipher (on a napkin) Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

18. 18 Block Ciphers Built by Iteration R(k,m): round function for DES (n=16), for AES (n=10) key k key expansion k1k1 k2k2 k3k3 knkn R(k 1,  )R(k 2,  )R(k 3,  )R(k n,  ) mc

19. 19 19 Incorrect use of block cipher: ECB (Electronic Codebook) mode Break plaintext into blocks and encrypt independently:  Problem: if m 1 =m 2 then c 1 =c 2 PT: CT: m1m1 m2m2 c1c1 c2c2

20. 20 In pictures [visual comparison by Bart Preneel]

21. 21 Correct use of block ciphers I: CBC (Cipher Block Chaining) mode E(k,  ) m[0]m[1]m[2]m[3]IV  E(k,  )  c[0]c[1]c[2]c[3]IV ciphertext Assume E is a secure “pseudorandom permutation” (i.e., a good block cipher). To encrypt a plaintext message m whose size is a multiple of the block size: Q: how to do decryption? To handle messages of different length, use suitable padding.

22. 22 Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message (IV  X) Can use unique IV(e.g counter) [Bitlocker] but then first step in CBC must be IV’  E(k,IV) benefit: may save transmitting IV with ciphertext Multi-use key, but unique messages SIV: eliminate IV by setting IV  F(k’, PT) F: secure PRF with key k’ 22

23. 23 CBC with Unique IVs E(k,  ) m[0]m[1]m[2]m[3]  E(k,  )  c[0]c[1]c[2]c[3]IV ciphertext IV E(k,  ) IV ′ unique IV means: (k,IV) pair is used for only one message may be predictable so use E(k,  ) as PRF

24. 24 In pictures

25. 25 Correct use of block ciphers II: CTR (Counter) mode Encrypt a counter to create a pseudorandom string (similar to stream cipher). These “modes of operations” are proven secure (under suitable definitions). Advantage: allows parallel encryption. key message  stream E(k,  ) IVIV+1IV+2IV+3 E(k,  ) IV ciphertext (random)

26. 26 Performance of ciphers OpenSSL 1.0.1 on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl speed rc4 des-cbc des-ede3 idea-cbc aes-128-cbc Fast, but still bottleneck for: Applications applying crypto at high bandwidth with little processing (web servers, bulk storage encryption, virtual private networks) Small devices (weak CPU, power-limited) Cheaper/faster with dedicated hardware AES instructions in recent x86 Dedicated “cryptographic accelerator” cards AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES716456 3DES2664168 IDEA9164128 AES142128

27. 27 Attacks and security definitions What power does the adversary have?  Known-ciphertext attack  Chosen-ciphertext attacks (CCA)  Known-plaintext attack  Chosen-plaintext attack (CPA) Chosen before target ciphertext Chosen after target ciphertext  Related-key attack What secrecy is preserved?  Key remains secret  Adversary can learn nothing about a message from observing its encryption For random messages Even if it’s an encryption of one of two messages chosen by adversary, he can’t tell which one it is

28. 28 Hash functions and message integrity

29. 29 Cryptographic hash functions  Length-reducing function H Map arbitrary strings to strings of fixed length  One way (“preimage resistance”) Given y, hard to find x with H(x)=y  Collision resistant Hard to find any distinct m, m’ with H(m)=H(m’)  Also useful: 2 nd preimage resistance Given x, hard to find x’  x with H(x’)=H(x) Collision resistance  2 nd preimage resistance  preimage resistance

30. 30 Applications of cryptographic hashing  Password files (one way)  Digital signatures (collision resistant) Sign hash of message instead of entire message  Data integrity Compute and securely store hash of some data Check later by recomputing hash and comparing  Keyed hash for message authentication MAC – Message Authentication Code

31. 31 Common hash functions: SHA-1, SHA-256 m[0]m[1]m[2]m[3] IV constant H(m) Merkle-Damgard construction:(simplified) 64 x Fixed constants (Expanded) message hhhh Compression function:

32. 32 Performance of hash functions OpenSSL 1.0.1 on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl sha1 sha256 AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES716456 3DES2664168 IDEA9164128 AES142128 SHA-1197 SHA-256113

33. 33 Symmetric-key integrity: MAC (Message Authentication Code)  Goal: message integrity. No confidentiality. 33 AliceBob kk Message mtag Generate tag: tag  S(k, m) Verify tag: V(k, m, tag) = 0/1 ? Note: non-keyed checksum (CRC) is an insecure MAC! Key generation Common nickname for “signature” in symmetric setting

34. 34 Secure MACs  Attacker’s power: chosen message attack. for m 1,m 2,…,m q attacker is given t i  S(k,mi)  Attacker’s goal: existential forgery. produce some new valid message/tag pair (m,t). (m,t)  { (m 1,t 1 ), …, (m q,t q ) }  Existential unforgeability security: no feasible attacker can witn the above game with more than negligible probability.

35. 35 MAC Construction 1: ECBC 35 Raw CBC E(k,  ) m[0]m[1]m[2]m[3]  E(k,  )  E(k 1,  ) tag key = (k, k 1 )

36. 36 36 MAC Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k  opad || H( k  ipad || m ))