Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Published byAudra Lawrence Modified over 7 years ago

Similar presentations

Presentation on theme: "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."— Presentation transcript:

1 Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia

2 Lecture 4: AES, Hash Functions, and Protocols

3 January 29, 2002Practical Aspects of Modern Cryptography3 Advanced Encryption Standard Competition to replace the Data Encryption Standard (DES) 128-bit block size Key sizes of 128, 192, and 256 bits 15 ciphers were submitted 5 finalists were chosen

4 January 29, 2002Practical Aspects of Modern Cryptography4 AES Finalists MARS (IBM submission) RC6 (RSA Labs submission) Rijndael (Joan Daemen and Vincent Rijmen) Serpent (Anderson, Biham, and Knudsen) Twofish (Schneier, et. al.)

5 January 29, 2002Practical Aspects of Modern Cryptography5 Feistel Ciphers Ugly

6 January 29, 2002Practical Aspects of Modern Cryptography6 Feistel Ciphers Ugly

7 January 29, 2002Practical Aspects of Modern Cryptography7 Feistel Ciphers Ugly

8 January 29, 2002Practical Aspects of Modern Cryptography8 AES Finalists MARS (IBM submission) RC6 (RSA Labs submission) Rijndael (Joan Daemen and Vincent Rijmen) Serpent (Anderson, Biham, and Knudsen) Twofish (Schneier, et. al.)

9 January 29, 2002Practical Aspects of Modern Cryptography9 Rijndael k 0,0 k 0,1 k 0,2 k 0,3 k 0,4 k 0,5 k 0,6 k 0,7 k 1,0 k 1,1 k 1,2 k 1,3 k 1,4 k 1,5 k 1,6 k 1,7 k 2,0 k 2,1 k 2,2 k 2,3 k 2,4 k 2,5 k 2,6 k 2,7 k 3,0 k 3,1 k 3,2 k 3,3 k 3,4 k 3,5 k 3,6 k 3,7 a 0,0 a 0,1 a 0,2 a 0,3 a 0,4 a 0,5 a 0,6 a 0,7 a 1,0 a 1,1 a 1,2 a 1,3 a 1,4 a 1,5 a 1,6 a 1,7 a 2,0 a 2,1 a 2,2 a 2,3 a 2,4 a 2,5 a 2,6 a 2,7 a 3,0 a 3,1 a 3,2 a 3,3 a 3,4 a 3,5 a 3,6 a 3,7 16, 24, or 32 bytes of key 16, 24, or 32 bytes of data

10 January 29, 2002Practical Aspects of Modern Cryptography10 Rijndael 4 transformations per round ByteSub: nonlinearity ShiftRow: inter-column diffusion MixColumn: inter-byte diffusion Round key addition

11 January 29, 2002Practical Aspects of Modern Cryptography11 Rijndael ByteSub a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 A single 8-bit to 8-bit (invertible) S-box is applied to each byte. 

12 January 29, 2002Practical Aspects of Modern Cryptography12 Rijndael MixColumn a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 An (invertible) linear transform is applied to each column. 

13 January 29, 2002Practical Aspects of Modern Cryptography13 Rijndael ShiftRow a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 a 0,0 a 0,1 a 0,2 a 0,3 a 1,3 a 1,0 a 1,1 a 1,2 a 2,2 a 2,3 a 2,0 a 2,1 a 3,1 a 3,2 a 3,3 a 3,0 An different cyclic shift is applied to each row. 

14 January 29, 2002Practical Aspects of Modern Cryptography14 Rijndael Round key addition a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 The round key is XORed to complete the round.  k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 =

15 January 29, 2002Practical Aspects of Modern Cryptography15 Rijndael Key Schedule k0k0 k1k1 k2k2 k3k3 k4k4 k5k5 k6k6 k7k7 k8k8 k9k9 k 10 k 11 … Round key 0Round key 1Round key 2 … The key schedule is defined on 4-byte words by k i = k i-4  k i-1 when i is not a multiple of 4 k i = k i-4  f(k i-1 ) when i is a multiple of 4

16 January 29, 2002Practical Aspects of Modern Cryptography16 Cipher Integrity When using block ciphers in CBC mode, there is generally a built-in integrity check. However, when using block ciphers in ECB mode or (especially) when using stream ciphers, an external integrity check is crucial. Such an integrity check is called a Message Authentication Code (MAC).

17 January 29, 2002Practical Aspects of Modern Cryptography17 Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.

18 January 29, 2002Practical Aspects of Modern Cryptography18 Stream Cipher Integrity It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.

19 January 29, 2002Practical Aspects of Modern Cryptography19 One-Way Hash Functions The idea of a check sum is great, but it is designed to prevent accidental changes in a message. For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary.

20 January 29, 2002Practical Aspects of Modern Cryptography20 One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}*  {0,1} k (typically k is 128 or 160) such that given an input value x, one cannot find a value x  x such H(x) = H(x ).

21 January 29, 2002Practical Aspects of Modern Cryptography21 One-Way Hash Functions There are many measures for one-way hashes. Non-invertability: given y, it’s difficult to find any x such that H(x) = y. Collision-intractability: one cannot find a pair of values x  x such that H(x) = H(x ).

22 January 29, 2002Practical Aspects of Modern Cryptography22 An Example Hash: SHA-1 SHA-1 was designed by the US Government as part of the Digital Signature Standard. SHA-1 is the most-commonly used hash function today. It’s the hash function in which we have the most faith right now. SHA-1 takes any size input and produces a 160-bit output (the digest value).

23 January 29, 2002Practical Aspects of Modern Cryptography23 A Cryptographic Hash: SHA-1 Compression Function 160-bit Output 512-bit Input (IV)

24 January 29, 2002Practical Aspects of Modern Cryptography24 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

25 January 29, 2002Practical Aspects of Modern Cryptography25 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

26 January 29, 2002Practical Aspects of Modern Cryptography26 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds Rotate 30 bits

27 January 29, 2002Practical Aspects of Modern Cryptography27 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

28 January 29, 2002Practical Aspects of Modern Cryptography28 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds No Change

29 January 29, 2002Practical Aspects of Modern Cryptography29 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds ?

30 January 29, 2002Practical Aspects of Modern Cryptography30 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

31 January 29, 2002Practical Aspects of Modern Cryptography31 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds f

32 January 29, 2002Practical Aspects of Modern Cryptography32 A Cryptographic Hash: SHA-1 Depending on the round, the “non-linear” function f is one of the following. f(X,Y,Z) = (X  Y)  ((  X)  Z) f(X,Y,Z) = (X  Y)  (X  Z)  (Y  Z) f(X,Y,Z) = X  Y  Z

33 January 29, 2002Practical Aspects of Modern Cryptography33 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words.

34 January 29, 2002Practical Aspects of Modern Cryptography34 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant.

35 January 29, 2002Practical Aspects of Modern Cryptography35 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the 512-bit message.

36 January 29, 2002Practical Aspects of Modern Cryptography36 A Cryptographic Hash: SHA-1 160-bit512-bit One of 80 rounds

37 January 29, 2002Practical Aspects of Modern Cryptography37 One-Way Hash Functions When using a stream cipher, a (keyed) hash of the message can be appended to ensure integrity. [Message Authentication Code] When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest]

38 January 29, 2002Practical Aspects of Modern Cryptography38 Cryptographic Tools One-Way Trapdoor Functions Public-Key Encryption Schemes One-Way Permutations One-Way Functions One-Way Hash Functions Pseudo-Random Number-Generators Secret-Key Encryption Schemes Digital Signature Schemes

39 January 29, 2002Practical Aspects of Modern Cryptography39 Using Public Key Encryption Now that we have all of these tools available, how do we actually send a (short) message, perhaps a symmetric key, encrypted with a public key?

40 January 29, 2002Practical Aspects of Modern Cryptography40 PKCS#1v1 Message Format: Recall the Bleichenbacher attack 00 01 XX XX... XX 00 YY YY... YY random non-zero bytes message

41 January 29, 2002Practical Aspects of Modern Cryptography41 OAEP Optimal Asymmetric Encryption Protocol To encrypt the message M, Select a random value r, For a PRNG G and one-way hash H, use the public key to encrypt the following: M  G(r) || r  H(M  G(r))

42 January 29, 2002Practical Aspects of Modern Cryptography42 Internet Protocols 1994: Secure Sockets Layer (SSL) V2.0 1995: Private Communication Technology (PCT) V1.0 1996: Secure Sockets Layer (SSL) V3.0 1997: Private Communication Technology (PCT) V4.0 1999: Transport Layer Security (TLS) V1.0

43 January 29, 2002Practical Aspects of Modern Cryptography43 Internet Protocols You (client)Merchant (server) Let’s talk securely. Here is my RSA public key. Here is a fresh key encrypted with your key.

44 January 29, 2002Practical Aspects of Modern Cryptography44 Internet Protocols You (client)Merchant (server) Let’s talk securely. Here is my RSA public key. Here is a fresh key encrypted with your key.

45 January 29, 2002Practical Aspects of Modern Cryptography45 Internet Protocols You (client)Merchant (server) Let’s talk securely. Here are the protocols and ciphers I understand. Here is my RSA public key. Here is a fresh key encrypted with your key.

46 January 29, 2002Practical Aspects of Modern Cryptography46 Internet Protocols You (client)Merchant (server) Let’s talk securely. Here are the protocols and ciphers I understand. Here is a fresh key encrypted with your key. I choose this protocol and ciphers. Here is my public key, a digital certificate, and a random nonce.

47 January 29, 2002Practical Aspects of Modern Cryptography47 Internet Protocols You (client)Merchant (server) Let’s talk securely. Here are the protocols and ciphers I understand. I choose this protocol and ciphers. Here is my public key, a digital certificate, and a random nonce. Using your public key, I’ve encrypted a random symmetric key.

48 January 29, 2002Practical Aspects of Modern Cryptography48 Internet Protocols All subsequent secure messages are sent using the symmetric key and a keyed hash for message authentication.

Download ppt "Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia."

Similar presentations

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
L1.2. An Introduction to Block Ciphers Rocky K. C. Chang, February 2013.

L1.2. An Introduction to Block Ciphers Rocky K. C. Chang, February 2013.
Web Security for Network and System Administrators1 Chapter 4 Encryption.

Web Security for Network and System Administrators1 Chapter 4 Encryption.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 4: ePayment Security I.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 4: ePayment Security I.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Encryption Schemes Second Pass Brice Toth 21 November 2001.

Encryption Schemes Second Pass Brice Toth 21 November 2001.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Data Encryption Standard (DES). Symmetric Cryptography  C = E(P,K)  P = D(C,K)  Requirements  Given C, the only way to obtain P should be with  the.

Data Encryption Standard (DES). Symmetric Cryptography  C = E(P,K)  P = D(C,K)  Requirements  Given C, the only way to obtain P should be with  the.
1 Chapter 4 Encryption. 2 Objectives In this chapter, you will: Learn the basics of encryption technology Recognize popular symmetric encryption algorithms.

1 Chapter 4 Encryption. 2 Objectives In this chapter, you will: Learn the basics of encryption technology Recognize popular symmetric encryption algorithms.

Similar presentations

Ads by Google