1
Introduction to Information Security, Spring. Lecture 1: Applied cryptography: symmetric. Avishai Wool
2
Administration
Lecturers: Avishai Wool, Dan Gittik
Teaching assistants: Barak Itkin
Exercise checker: Yuval Lewi
Course web site: read the instructions, join the Facebook group, register on the Exercises page
3
Exercises
Practical emphasis: challenging, hands-on exercises.
Final grade: 65% exam, 35% exercises.
Individual work: no sharing / copying!
Attend recitations for the necessary context.
Lectures & recitations will be videoed.
4
Motivation
5
Responsible disclosure
We will learn and practice attack techniques. With this knowledge you may discover real security vulnerabilities in real systems. Do no harm!
[Wikipedia] Responsible disclosure is a ... vulnerability disclosure model. ... stakeholders agree to allow time for the vulnerability to be patched before publishing:
1. Tell the vendor (disclose)
2. Wait for the vendor to patch
3. Then tell the world (publish)
6
A brief history of the word cyber
Timeline:
1948: "cybernetic" coined by U.S. mathematician Norbert Wiener; cybernetic = regulatory/control systems such as computers
1960: cybernetic = using computers
1980s: 1981, first wild virus, written by a 9th grader for the Apple II (footnote in SecEng)
1988: Morris worm on the Internet
1998: "cyber" = "cybersex"
2007: "cyber attack", "cyber war" headlines; national: Estonia 2007, Georgia 2008, RSA+LM 2011 ("Data Breach at Security Firm Linked to Attack on Lockheed", May 27, 2011); finance: untold $billions; million-node botnets; extortion: Gpcode.ak (show asm)
2010: physical: DHS generator (2007), Stuxnet (2010)
Speaker notes: Scientific American background review article about "health" (graphic: doctor+patient, acoustic). In the beginning was the word, and it was good. It is not good for a computer to be alone, so computers went forth and multiplied. Tree of knowledge: wreaking havoc upon the fledgling Internet. Fallen from grace.
A computer scientist would never use the word "cyber", unless he's writing a grant proposal. Cyber -> journalist / politician / writing a grant proposal / getting you to attend his session. "cyber-resilient computers" - Shimon Peres, Cyber conference at TAU. For the timeline, see SecEng 2nd ed., Ch. 21.
Cybersecurity ~ harming computers and the things they control: information / computer / network / control-system security, cryptography.
7
Security goals and threats
Goal                   Threat
Data confidentiality   Data exposure
Data integrity         Data modification
System availability    Denial of service
User authentication    Masquerading
Privilege separation   Privilege elevation
Prerequisite to many attacks: getting malicious code to run on the victim's computer system.
8
Cryptography overview
9
History of crypto
Caesar cipher, אתבש: 2000 years ago
Electromechanical ciphers (e.g., Enigma, 1930s)
Civilian crypto (DES, RSA, 1970s)
Information theory + complexity theory -> modern cryptography
10
Cryptography is:
- A tremendous tool
- The basis for many security mechanisms
Cryptography is not:
- The solution to all security problems
- Reliable unless implemented properly
- Reliable unless used properly
- Something you should try to invent yourself, unless you spend a lot of time becoming an expert and you subject your design to outside review
11
Scenarios
Communication: avoid eavesdropping (confidentiality), avoid corruption (integrity): a "secure channel".
Storage: store files privately (confidentiality), protect files from tampering (integrity).
12
Cryptographic primitives
Primitive: syntax and semantics of some cryptographic functionality. A scheme/protocol/algorithm may be an instance of the primitive. Example claim: “AES-128-CBC is a secure symmetric encryption scheme”.
13
Common Cryptographic primitives
Encryption: confidentiality. The adversary cannot learn anything about the message from its encrypted form. Symmetric (block ciphers, stream ciphers) or asymmetric.
Digital signatures: integrity/authentication. The adversary cannot fake a signature that passes verification. Symmetric variant: Message Authentication Code (MAC).
Hashing: summarizing messages into "unique" short digests. The adversary cannot find messages with the same digest.
14
Symmetric cryptography
15
A symmetric cipher
Key generation produces the secret key k, known to both Alice and Bob.
Alice: E(k, m, n) = c, and sends (c, n) to Bob.
Bob: D(k, c, n) = m.
E, D: encryption / decryption
k: secret key
m: plaintext
n: nonce / randomness / initial vector (IV)
c: ciphertext
16
Terminology
Cipher (שיטת הצפנה, צופן)
Plaintext (m) (גלוי)
Ciphertext (c) (מוצפן, כתב סתרים)
Key (k) (מפתח)
Encryption (E) (הצפנה)
Decryption (D) (פיענוח)
A cipher is symmetric because both sides (Alice & Bob) know the same key.
17
Kerckhoffs’s Principle
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Auguste Kerckhoffs, La Cryptographie Militaire, 1883.
Never use a proprietary cipher. Don't assume the attacker doesn't know the algorithm ("security by obscurity").
18
Identifying a Cipher from other things
A cipher always has a secret key: if there is nothing secret, it's not a cipher.
A cipher is always reversible: E(k, m) = c => D(k, c) = m.
19
Stream Ciphers
20
One Time Pad (single use key)
Vernam (1917). Shannon (1949): OTP is "secure" against ciphertext-only attacks ... if the key is truly random and is used only once.
Key: a random bit string as long as the message. Plaintext: the message bits. Ciphertext: the bitwise XOR of the two, c = m ⊕ k.
21
Stream ciphers (single use key)
Problem: the OTP key is as long as the message.
Solution: XOR with a pseudorandom string: c = PRBG(k) ⊕ m, where k is a (short) really random key from a physical source, expanded by the PRBG into a pseudorandom string as long as the message.
PRBG: "Pseudo-Random Bit Generator", AKA PRG: "Pseudo-Random Generator".
Well-known algorithms: RC4, RC5 (not secure anymore), AES in counter mode.
22
RC4 stream cipher [Rivest 1987]
All values are bytes, all arithmetic is mod 256. S is a 256-byte state array.

Key setup (produces a permutation of 256 bytes, depending on the key):
    for i = 0 to 255: S[i] = i
    j = 0
    for i = 0 to 255:
        j = j + S[i] + key[i mod keylen]
        swap(S[i], S[j])

Stream generator:
    i = j = 0
    repeat:
        i = i + 1
        j = j + S[i]
        swap(S[i], S[j])
        output to stream: S[S[i] + S[j]]

Problem: statistical biases, especially in the beginning of the stream.
23
Dangers in using stream ciphers
One time key! A "two time pad" is insecure:
C1 = m1 ⊕ PRBG(k), C2 = m2 ⊕ PRBG(k)
The eavesdropper computes: C1 ⊕ C2 = m1 ⊕ m2
There is enough redundant information in English that m1 ⊕ m2 reveals m1 and m2.
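An added example, not code from the course: RC4 written out exactly as the key setup and stream generator on the RC4 slide, then used to show the "two time pad" problem from this slide, where the messages are constructed sample inputs.

```python
def rc4_keystream(key: bytes):
    # Key setup: build a key-dependent permutation S of 0..255 (all arithmetic mod 256)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Stream generator: one pseudorandom byte per step, for as long as the caller wants
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    # Stream cipher: c = PRBG(k) xor m. Decryption is the same call on the ciphertext.
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    # Two messages under the same key and no nonce share one keystream, so an eavesdropper
    # gets c1 xor c2 = m1 xor m2 without ever touching the key. This is why the key (or the
    # nonce, in randomized encryption) must never be reused.
    return xor_bytes(rc4(key, m1), rc4(key, m2))
```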
24
Randomized symmetric encryption
Key generation produces the secret key k, known to both Alice and Bob.
Alice: E(k, m, n) = c, and sends (c, n) to Bob.
Bob: D(k, c, n) = m.
E, D: cipher
k: secret key (e.g., 128 bits)
m: plaintext
n: nonce / randomness / initial vector (IV)
c: ciphertext
(Notation: sometimes the nonce is included in c.)
25
Need for nonce
Single-use key (one time key): the key is only used to encrypt one message; a new key is generated for every message encrypted. No need for a nonce (set it to 0).
Multi-use key: the key is used to encrypt multiple messages (SSL: the same key is used to encrypt many packets). Needs either a unique nonce or a random nonce; otherwise, repeated messages can be identified.
26
Block Ciphers
27
Block ciphers: crypto work horse
Works on fixed-size blocks: an n-bit plaintext block goes through E (or D, with a k-bit key) to an n-bit ciphertext block.
Common sizes:
Cipher   n (block size, bits)   k (key size, bits)
DES      64                     56
3DES     64                     168
AES      128                    128/192/256
Deterministic; a random IV can be supplied as part of the plaintext block in a mode of operation (see next).
Efficiency and security are optimized for the specific block size.
Historically, more secure and easier to analyze than traditional stream ciphers.
28
Brute force attack
The attacker knows the algorithm and a matching plaintext/ciphertext pair C = E_k(P), and tries all possible keys to find the right key.
Defense: have many possible keys. If the key is k bits, the attacker needs to try 2^k keys.
How big should k be? 40 bits: not enough. 56 bits (DES): not enough. 128 bits (AES): good.
29
Building a block cipher
Input: (m, k).
DES, Data Encryption Standard [NIST 1977]: repeat a mixing step 16 times. Each (Feistel) step maps (mL, mR) to (mR, mL ⊕ F(k, mR)).
AES, Advanced Encryption Standard [Rijmen Daemen 1998] [NIST 2001]: repeat a mixing step 10 times (for k = 128).
Difficult to design: must resist brute force (guessing a key using 2^k attempts), differential cryptanalysis, linear cryptanalysis, related-key attacks, side-channel attacks, ...
30
AES Block Cipher (on a napkin)
Source:
31
Block Ciphers Built by Iteration
Expand the key k into n "round keys" k1, k2, k3, ..., kn, then apply the round function R in sequence: c = R(kn, ... R(k3, R(k2, R(k1, m)))).
R(k, m): round function; for DES n = 16, for AES n = 10.
32
Modes of Operation
33
Splitting a long input? A block cipher works on an input of n bits (e.g., for AES n = 128), but the plaintext M is much longer. Split the plaintext into blocks M1, M2, ... of n bits each. How to encrypt these blocks (with a single key)?
34
ECB (Electronic Codebook) mode
Encrypt each block independently: c_i = E(k, m_i).
Problem: if m1 = m2 then c1 = c2.
35
ECB in pictures: bad choice! [visual comparison by Bart Preneel]
36
CBC (Cipher Block Chaining) mode
Assume E is a secure "pseudorandom permutation" (i.e., a good block cipher). To encrypt a plaintext message m whose size is a multiple of the block size:
c[0] = E(k, IV ⊕ m[0]), c[i] = E(k, c[i-1] ⊕ m[i]) for i >= 1
ciphertext = IV, c[0], c[1], c[2], c[3]
To handle messages of different lengths, use suitable padding.
Q: how to do decryption?
37
Use cases: how to choose an IV
Single-use key: no IV needed (IV = 0).
Multi-use key (CPA security): best: use a fresh random IV for every message. Can use a unique IV (e.g., a counter) [BitLocker], but then the first step in CBC must be IV' = E(k, IV); benefit: may save transmitting the IV with the ciphertext.
Multi-use key, but unique messages: SIV: eliminate the IV by setting IV = F(k', PT), where F is a secure PRF with key k'.
38
CBC with unique IVs
A unique IV means the (k, IV) pair is used for only one message. The IV may be predictable, so first pass it through E(k, ·) as a PRF: IV' = E(k, IV).
Then c[0] = E(k, IV' ⊕ m[0]) and c[i] = E(k, c[i-1] ⊕ m[i]); ciphertext = IV, c[0], c[1], c[2], c[3].
39
CBC In pictures Good choice
40
CTR (Counter) mode Good choice
Encrypt a counter to create a pseudorandom string (similar to a stream cipher): pick a random IV, compute the stream E(k, IV), E(k, IV+1), E(k, IV+2), E(k, IV+3), ..., and XOR it with the message; ciphertext = IV, stream ⊕ message.
Advantage: allows parallel encryption.
These "modes of operation" are proven secure (under suitable definitions).
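An added example, not course code, tying the Feistel step from the "Building a block cipher" slide to the ECB, CBC and CTR modes above. A toy Feistel network with SHA-256 as the round function F and round key k_i = k || i (both assumed here, not a vetted cipher) stands in for AES, so the modes run without any crypto library; cbc_decrypt answers the question on the CBC slide.

```python
import hashlib

BLOCK, ROUNDS = 16, 16   # 128-bit block like AES; 16 Feistel rounds like DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k, i, r):
    # Round function F(k_i, R): a keyed hash of the right half; round key k_i = k || i (assumed)
    return hashlib.sha256(k + bytes([i]) + r).digest()[:BLOCK // 2]

def _feistel(k, blk, round_keys):
    # (L, R) -> (R, L xor F(k_i, R)) for each round, then swap the halves
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in round_keys:
        l, r = r, _xor(l, _f(k, i, r))
    return r + l

def enc_block(k, m):   # E(k, m): a permutation on 16-byte blocks whatever F is
    return _feistel(k, m, range(ROUNDS))
def dec_block(k, c):   # D(k, c): the same network with the round keys in reverse order
    return _feistel(k, c, reversed(range(ROUNDS)))

def blocks(data):
    assert len(data) % BLOCK == 0, "pad the message to a multiple of the block size"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, m):   # each block independently: identical plaintext blocks leak
    return b"".join(enc_block(k, b) for b in blocks(m))

def cbc_encrypt(k, iv, m):
    out, prev = [], iv
    for b in blocks(m):
        prev = enc_block(k, _xor(prev, b))   # c[i] = E(k, c[i-1] xor m[i]), with c[-1] = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, iv, c):
    out, prev = [], iv
    for b in blocks(c):
        out.append(_xor(prev, dec_block(k, b)))   # m[i] = D(k, c[i]) xor c[i-1]
        prev = b
    return b"".join(out)

def ctr_encrypt(k, iv, m):
    # Keystream block j = E(k, IV + j) XORed into the message; the same call decrypts, and blocks are independent
    n = int.from_bytes(iv, "big")
    ks = (enc_block(k, ((n + j) % (1 << 128)).to_bytes(BLOCK, "big")) for j in range(len(m) // BLOCK))
    return b"".join(_xor(s, b) for s, b in zip(ks, blocks(m)))
```

Encrypting a message with two identical blocks shows the ECB problem directly: the two ciphertext blocks are equal under ECB and differ under CBC with the same key.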
41
Performance & Attacks
42
Performance of ciphers
Algorithm   Speed (Mbyte/sec)   Block size (bits)    Key size (bits)
RC4         657                 unlimited (stream)
DES         71                  64                   56
3DES        26                  64                   168
IDEA        91                  64                   128
AES         142                 128                  128
OpenSSL on a 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer:
$ openssl speed rc4 des-cbc des-ede3 idea-cbc aes-128-cbc
43
Performance of ciphers
Fast, but still a bottleneck for:
- Applications applying crypto at high bandwidth with little processing (web servers, bulk storage encryption, virtual private networks)
- Small devices (weak CPU, power-limited)
Cheaper/faster with dedicated hardware: AES instructions in recent x86, dedicated "cryptographic accelerator" cards.
44
Attacks and security definitions
What power does the adversary have? From weakest to strongest:
- Known-ciphertext attack
- Known-plaintext attack
- Chosen-plaintext attack (CPA)
- Chosen-ciphertext attacks (CCA): chosen before the target ciphertext / chosen after the target ciphertext
- Related-key attack
45
Attacks and security definitions
What secrecy is preserved?
- The key remains secret
- The adversary can learn nothing about a message from observing its encryption (for random messages)
- Even if it's an encryption of one of two messages chosen by the adversary, he can't tell which one it is
46
Hash functions and message integrity
47
Hash Functions: Main Idea
A hash function H maps bit strings of any length to n-bit bit strings (the "message digest"): message x -> digest y, and other messages x', x'' -> y'.
H is a lossy compression function. H(x) should look "random": every bit is (almost) equally likely to be 0 or 1.
48
Collisions
Collision: H(x) = H(x') for some inputs x ≠ x'.
Collisions must happen: the length of x is unlimited, the length of H(x) is n bits! Even if the length of x is bounded, |x| = b, and b > n, there will be collisions ("pigeonhole principle", "עקרון שובך היונים"). A hash function cannot be 1-to-1.
A cryptographic hash function must have certain properties.
49
Properties of Cryptographic hash functions
One way ("preimage resistance"): given y, hard to find x with H(x) = y.
Collision resistant: hard to find any distinct m, m' with H(m) = H(m').
Also useful: 2nd preimage resistance: given x, hard to find x' ≠ x with H(x') = H(x).
Collision resistance ⇒ 2nd preimage resistance ⇒ preimage resistance.
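An added example, not from the course, for the "Collisions" and "Properties" slides: SHA-256 truncated to n bits (a real hash cut short, assumed here only so the search finishes) shows that collisions always exist and turn up after roughly 2^(n/2) trials, while inverting a digest takes roughly 2^n. Inputs are constructed counters.

```python
import hashlib

def truncated_hash(x: bytes, n_bits: int) -> int:
    # An n-bit digest: the leading n bits of SHA-256, shortened so collisions become reachable
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - n_bits)

def find_collision(n_bits: int, limit: int):
    # Hash distinct inputs x_0, x_1, ... until two share a digest. The pigeonhole principle
    # guarantees one within 2^n + 1 inputs; the birthday bound makes it likely after ~2^(n/2).
    seen = {}
    for t in range(limit):
        x = b"msg-%d" % t                 # constructed inputs, all distinct
        y = truncated_hash(x, n_bits)
        if y in seen:
            return seen[y], x, t + 1      # (x, x', trials) with x != x' and H(x) == H(x')
        seen[y] = x
    return None

def find_preimage(y: int, n_bits: int, limit: int):
    # Inverting a given digest by brute force needs ~2^n trials: a 16-bit preimage costs
    # about as much as a 32-bit collision, which is why digests must be long on both counts
    for t in range(limit):
        x = b"msg-%d" % t
        if truncated_hash(x, n_bits) == y:
            return x, t + 1
    return None
```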
50
Applications of cryptographic hashing
- Password files (one way)
- Digital signatures (collision resistant): sign the hash of the message instead of the entire message
- Data integrity: compute and securely store the hash of some data; check later by recomputing the hash and comparing
- Keyed hash for message authentication: MAC, Message Authentication Code
- "Random-looking bits" in various contexts
51
Performance of hash functions
Algorithm   Speed (Mbyte/sec)   Block size (bits)    Key size (bits)
RC4         657                 unlimited (stream)
DES         71                  64                   56
3DES        26                  64                   168
IDEA        91                  64                   128
AES         142                 128                  128
SHA-1       197
SHA-256     113
OpenSSL on a 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer:
$ openssl speed sha1 sha256