Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Published byΠαναγιώτα Ζαΐμης Modified over 6 years ago

Similar presentations

Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Classical Cryptography CSC 482/582: Computer Security

2 Topics Modular Arithmetic Review What is Cryptography?
Substitution Ciphers Cryptanalysis: frequency analysis Stream Ciphers Block Ciphers DES Block Cipher Modes AES CSC 482/582: Computer Security

3 Modular Arithmetic Congruence b is the residue of a, modulo N
a = b (mod N) iff a = b + kN ex: 37=27 mod 10 b is the residue of a, modulo N Integers 0..N-1 are complete set of residues mod N CSC 482/582: Computer Security

4 Laws of Modular Arithmetic
(a + b) mod N = (a mod N + b mod N) mod N (a - b) mod N = (a mod N - b mod N) mod N ab mod N = (a mod N)(b mod N) mod N a(b+c) mod N = ((ab mod N) + (ac mod N)) mod N CSC 482/582: Computer Security

5 What is Cryptography? Cryptography: The art and science of keeping messages secure. Cryptanalysis: the art and science of decrypting messages. Cryptology: cryptography + cryptanalysis CSC 482/582: Computer Security

6 Terminology Plaintext: message P to be encrypted. Also called cleartext. Encryption: altering a message to keep its contents secret. Ciphertext: encrypted message C. Plaintext Ciphertext Encryption Procedure CSC 482/582: Computer Security

7 Early Cryptography Egyptian hieroglyphics ~ 2000 B.C.E.
Cryptic tomb inscriptions for regality. Spartan skytale cipher ~ 500 B.C.E. Wrapped thin sheet of papyrus around staff. Messages written down length of staff. Decrypted by wrapped around = diameter staff. Cæsar cipher ~ 50 B.C.E. Simple alphabetic substitution cipher. al-Kindi ~ 850 C.E. Cryptanalysis using letter frequencies. Images from and

8 A Transposition Cipher
Rearrange letters in plaintext. Example: Rail-Fence Cipher Plaintext is HELLO WORLD Rearrange as H L O O L E L W R D Ciphertext is HLOOL ELWRD CSC 482/582: Computer Security

9 Cryptosystem Formal Definition
5-tuple (E, D, M, K, C) M set of plaintexts K set of keys C set of ciphertexts E set of encryption functions e: M  K  C D set of decryption functions d: C  K  M CSC 482/582: Computer Security

10 Cæsar cipher Letter shifting cipher (A=>D, B=>E, C=>F, …
5-tuple M = { all sequences of letters } K = { i | i is an integer and 0 ≤ i ≤ 25 } E = { Ek | k  K and for all letters m, Ek(m) = (m + k) mod 26 } D = { Dk | k  K and for all letters c, Dk(c) = (26 + c – k) mod 26 } C = M History: Cæsar’s key was 3. CSC 482/582: Computer Security

11 Cæsar cipher Plaintext is HELLO WORLD
Change each letter to the third letter following it (X goes to A, Y to B, Z to C) Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG CSC 482/582: Computer Security

12 ROT 13 Cæsar cipher with key of 13
13 chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online. CSC 482/582: Computer Security

13 Kerckhoff’s Principle
Security of cryptosystem should only depend on Quality of shared encryption algorithm E Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System CSC 482/582: Computer Security

14 Cryptanalysis Goals Decrypt a given message. Recover encryption key.
Threat models vary based on Type of information available to adversary Interaction with cryptosystem. CSC 482/582: Computer Security

15 Cryptanalysis Threat Models
ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key. CSC 482/582: Computer Security

16 Brute Force Attack Exhaustive search of keyspace by decrypting ciphertext C with all possible keys K. Must determine if DK(C) is a likely plaintext Requires some knowledge of format (language, doc type) For N possible keys, Worst case is N decryptions. Mean case is N/2 decryptions. Example: DES has 56-bit keys Average time to find key is 255 decryptions. CSC 482/582: Computer Security

17 Is 128 bits enough? 128-bit keyspace permits 2128 keys
340,282,366,920,938,463,463,374,607,431,768,211,456 or 3.4 x 1038 keys Cracking 1 trillion (1012) keys per second requires 3.4 x 1026 seconds or 1.08 x 1019 years Cracking 1 trillion keys per second on 1 billion CPUs requires 1.08 x 1010 years = 10.8 billion years CSC 482/582: Computer Security

18 Classical Cryptography
Sender and receiver share common key Keys may be the same, or be trivial to derive from one another. Sometimes called symmetric cryptography. C P encrypt K decrypt CSC 482/582: Computer Security

19 Substitution Ciphers Substitute plaintext chars for ciphered chars.
Simple: Always use same substitution function. Polyalphabetic: Use different substitution functions based on position in message. CSC 482/582: Computer Security

20 Cryptanalysis of Cæsar Cipher
Brute force attack sufficient: Since the keyspace is small (26 possible keys), try all possible keys until you find the right one. Decryption key (26-K) Candidate plaintext exxegoexsrgi 1 dwwdfndwrqfh 2 cvvcemcvqpeg 3 buubdlbupodf 4 attackatonce 5 zsszbjzsnmbd 6 yrryaiyrmlac ... 23 haahjrhavujl 24 gzzgiqgzutik 25 fyyfhpfytshj CSC 482/582: Computer Security

21 General Simple Substitution Cipher
Key Space: All permutations of alphabet (26! keys) Encryption: Replace each plaintext letter x with K(x) Decryption: Replace each ciphertext letter y with K-1(y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E CRYPTO BQCOWP CSC 482/582: Computer Security

22 General Simple Substitution Cryptanalysis
Exhaustive search impossible Key space size is 26! =~ 4 x 1026 Historically thought to be unbreakable. However, languages have different frequencies of letters digraphs (groups of 2 letters) trigraphs (groups of 3 letters) etc. Simple substitution ciphers preserve letter frequencies. CSC 482/582: Computer Security

23 English Letter Frequencies

24 Additional Frequency Features
Digraph frequencies Common digraphs: EN, RE, ER, NT Trigraph frequencies Common trigraphs: THE, AND, ING Digraph and trigraph tables can be found at The letter Q is followed only by U.

25 Countering Frequency Analysis
Nulls Insert additional symbols (numbers) which have no meaning in random places. Idiosyncratic spellings n0rM4L s34rCh Hacker speak: Homophonic substitution Each letter has multiple substitutions. Techniques increase difficulty but don’t make impossible. CSC 482/582: Computer Security

26 Countering Frequency Analysis
Primary weakness of simple substitution: Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution Use multiple cipher alphabets. Switch between cipher alphabets from character to character in the plaintext. CSC 482/582: Computer Security

27 Letter Frequency Distributions
CSC 482/582: Computer Security

28 Vigènere Cipher Use phrase instead of letter as key. Example
Message THE BOY HAS THE BALL Key VIG Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Reproduction of CSA Cipher Disk CSC 482/582: Computer Security

29 Relevant Parts of Tableau
Tableau shown only has relevant rows and columns. Example encipherments: key V, letter T: follow V column down to T row (giving “O”) Key I, letter H: follow I column down to H row (giving “P”) G I V A G I V B H J W E L M Z H N P C L R T G O U W J S Y A N T Z B O Y E H T CSC 482/582: Computer Security

30 Useful Terms period: length of key
In earlier example, period is 3 tableau: table used to encipher and decipher Vigènere cipher has key letters on top, plaintext letters on the left. CSC 482/582: Computer Security

31 Vigènere Cryptanalysis
Find key length (period), which we will call n. Break message into n parts, each part being enciphered using the same key letter. Use frequency analysis to solve resulting n simple substitution ciphers. key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG CSC 482/582: Computer Security

32 plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG
Kasiski Test Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext. Example: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key and plaintext line up over the repetitions. Distance between repetitions is 9 Repeated phrase “OPK” at 1st and 10th positions. Period is a multiple of 9 (1, 3 or 9.) CSC 482/582: Computer Security

33 Example Vigènere Ciphertext
ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX CSC 482/582: Computer Security

34 Repetitions in Example
Letters Start End Distance Factors MI 5 15 10 2, 5 OO 22 27 OEQOOG 24 54 30 2, 3, 5 FV 39 63 2, 2, 2, 3 AA 43 87 44 2, 2, 11 MOC 50 122 72 2, 2, 2, 3, 3 QO 56 105 49 7, 7 PC 69 117 48 2, 2, 2, 2, 3 NE 77 83 6 2, 3 SV 94 97 3 CH 118 124 CSC 482/582: Computer Security

35 Estimate of Period OEQOOG is probably not a coincidence
Two character repetitions may be chance. Period may be 1, 2, 3, 5, 6, 10, 15, or 30 Most others (7/10) have 2 in their factors Almost as many (6/10) have 3 in their factors. Begin with period of 2  3 = 6. CSC 482/582: Computer Security

36 Letter Coincidence Coincidence: Picking two letters at random from a message that are identical. Procedure Place one text above other. Count coincidences. Coincidence probabilities for two letters: Random English letters: English plaintext: CSC 482/582: Computer Security

37 English Letter Frequencies
a 0.080 h 0.060 n 0.070 t 0.090 b 0.015 i 0.065 o u 0.030 c j 0.005 p 0.020 v 0.010 d 0.040 k q 0.002 w e 0.130 l 0.035 r x f m s y g z CSC 482/582: Computer Security

38 Index of Coincidence For our ciphertext, IC = 0.043
Probability that two randomly chosen letters of a ciphertext of N characters coincide. ni is frequency of cipher character number i N is the length of the ciphertext C(n r) = n!/(r! (n-r)!) For our ciphertext, IC = 0.043 Indicates a key of slightly more than 5. A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6.) CSC 482/582: Computer Security

39 Index of Coincidence 2: 0.052 3: 0.047 4: 0.045 5: 0.044 10: 0.041
Expected IC Random: Plaintext: Expected IC by period 2: 0.052 3: 0.047 4: 0.045 5: 0.044 10: 0.041 0.0667 Index of Coincidence Shorter Key Longer Key 0.0385 CSC 482/582: Computer Security

40 Splitting Into Alphabets
Divide cipher into 6 (period) alphabets. Alphabet IC AIKHOIATTOBGEEERNEOSAI DUKKEFUAWEMGKWDWSUFWJU QSTIQBMAMQBWQVLKVTMTMI YBMZOAFCOOFPHEAXPQEPOX SOIOOGVICOVCSVASHOGCC MXBOGKVDIGZINNVVCIJHH IC indicates single alphabet, except #4 and #6. CSC 482/582: Computer Security

41 Frequency Examination
ABCDEFGHIJKLMNOPQRSTUVWXYZ HMMMHMMHHMMMMHHMLHHHMLLLLL Unshifted frequencies (H high, M medium, L low) CSC 482/582: Computer Security

42 Begin Decryption First matches characteristics of unshifted alphabet
Third matches if I shifted to A Sixth matches if V shifted to A Substitute into ciphertext (bold are substitutions) ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM AJEOC MIUAX CSC 482/582: Computer Security

43 Look For Clues AJE in last line suggests “are”, meaning second alphabet maps A into S: ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX CSC 482/582: Computer Security

44 Next Alphabet MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A: ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL CSC 482/582: Computer Security

45 Got It! QI means that U maps into I, as Q is always followed by U:
ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL Key is ASIMOV CSC 482/582: Computer Security

46 Rotor Machines (1920s-1970s) Observation: If Vigènere key is very long, frequency analysis won’t work. Implement: multiple rounds of Vigènere substitution. Machine contains multiple cylinders. Each cylinder has 26 states (ciphers.) Cylinders rotate to change states on different schedules. m-cylinder machine has 26m substitution ciphers. CSC 482/582: Computer Security

47 Enigma Machine 3 rotors: 17576 substitutions.
3 rotors can be used in any order: 6 combinations. Some machines had up to 8 rotors Plug board: 6 pairs of letters can be swapped. Total keys ~ 1016 CSC 482/582: Computer Security

48 The World Wars Decryption of Zimmerman telegram 1917
Leads US into World War I Japanese Purple Machine cracked 1937 US breaks rotor machine for highest secrets. German Enigma machine cracked Initially broken by Polish mathematician Variants broken at Bletchley Park in UK Colossus, world’s 1st electronic computer.

49 One-Time Pad A Vigenère cipher with a random key at least as long as the message. Provably unbreakable. Example ciphertext: DXQR. Equally likely to correspond to plaintext DOIT (key AJIY) plaintext DONT (key AJDY) and any other 4 letters. CSC 482/582: Computer Security

50 Binary One Time Pad Encrypt a message M with pad P to produce ciphertext C = M ⊕ P where ⊕ is the exclusive OR operator. Decrypt a ciphertext C with the same pad P M = C ⊕ P We can prove this as follows: C ⊕ P = (M ⊕ P) ⊕ P = M ⊕ (P ⊕ P) associativity = M ⊕ 0 = M CSC 482/582: Computer Security

51 One Time Pad Problems The one-time pad must be random.
Software pseudo-random number generators are not random. Pad needs hardware randomness. Transmission of long pads is difficult. The pad is just as long as all the messages you’ll ever send with it, so you’ve just moved the problem of transmitting secret messages to transmitting a secret pad. Pad must always be kept secret. If pad is ever discovered, then attacker can decrypt old messages. Pads must be securely destroyed at end of use. CSC 482/582: Computer Security

52 Stream Ciphers Stream ciphers approximate one time pad by
Generating pseudorandom bits, the keystream. XOR keystream with stream of plaintext bits i.e. Ci = Pi ⊕ Ki where Ki generated from small key k Stream ciphers default for most mobile hardware Simple (good when chip size and power limited) Fast (mobile devices are slow) Also widely used in software in the form of RC4. Important: reuse of keystream for multiple messages is insecure for a stream cipher. CSC 482/582: Computer Security

53 RC4 (Rivest Cipher 4) Simple, fast stream cipher with 128-bit keys used in SSL/TLS connections (over half in 2013) WEP and WPA-TKIP wireless encryption. Office XP (changed due to security problems) BitTorrent, PDFs, Skype, etc. CSC 482/582: Computer Security

54 RC4 Security Problems Misuse Weaknesses
Office XP encrypted different versions of same document with same key, reusing keystream. Solution: XOR key with nonce, changing nonce for each document version. Weaknesses If you flip a bit in the ciphertext, it flips the corresponding bit in the plaintext. Solution: MACs. First part of keystream has many biases (predictable patterns) that have been used to attack RC4. CSC 482/582: Computer Security

55 RC4 Security Attacks Attacking RC4 in Wireless (FMS Attack)
Knowing first 3 bytes of key, biases in keystreams can let an attacker with a few hundred keystreams extract the key. Seems unlikely, but many RC4 users (such as WEP) create key by prepending a predictable Initialization Vector (IV) to a strong key. Attacking RC4 in TLS ( Known plaintext attack based on knowledge of HTTP protocol. Attacker inserts JavaScript that makes page reload in background. RC4 biases allow cookie extraction based on millions of encryptions of same known plaintext (headers like Cookie and Content-Type). RC4-dropN variants proposed where RC4 drops first 768 or more bytes to eliminate biased output. Browsers will stop using RC4 in TLS in early 2016. CSC 482/582: Computer Security

56 Block Ciphers Encrypt groups (blocks) of chars at once.
Combine substitution and transposition. Improvement over single char substitution Cryptanalysis must use digraph frequencies for two-char blocks, trigraph for three-char blocks, etc. Longer blocks are more difficult to analyze. Example: Playfair Cipher, 1854 CSC 482/582: Computer Security

57 Playfair Cipher Create 5x5 table P L A Y F I|J R E X M B C D G H K N O
Fill in spaces with letters of key, dropping duplicate letters. Fill remaining spaces with unused letters of alphabet in order Drop Q … or I = J Charles Wheatstone P L A Y F I|J R E X M B C D G H K N O Q S T U V W Z CSC 482/582: Computer Security

58 Playfair Cipher Encryption Algorithm
If letters of pair are identical (or only one letter remains), add an “X” after first letter. If two letters are in same row or column, replace them with the succeeding letters. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners. CSC 482/582: Computer Security

59 Playfair Cipher Example
Plaintext is HELLO WORLD Pair HE is rectangle, replace with DM Pair LX (X inserted) is rectangle, YR Pair LO is rectangle, replace with AN Pair WO is rectangle, replace with VQ Pair RL is in column, replace with CR Pair DX is rectangle, replace with GE Ciphertext is DMYRANVQCRGE P L A Y F I|J R E X M B C D G H K N O Q S T U V W Z CSC 482/582: Computer Security

60 Modern Block Ciphers Long blocks Round structure
64-bit in 20th century 128-bit in early 21st century Round structure Create simple block cipher (S-box). Repeat cipher multiple times, each time with diff key. Key scheduling algorithm generates round keys. CSC 482/582: Computer Security

61 SP-Networks Combine Substitution+Permutation (transposition)
Confusion: adding unknown key values will confuse attacker about value of plaintext symbol. Diffusion: Spread plaintext data throughout ciphertext. Designing for Security Block Size Number of Rounds Each input bit is XOR of several output bits from previous round. Choice of S-boxes CSC 482/582: Computer Security

62 Substitution Boxes Substitution can be done using a matrix, which acts as a lookup table for substituting one set of bits with another. Such tables are called substitution boxes, or S-boxes.

63 Overview of the DES Uses 64-bit blocks DES Keys
Splits into 32-bit L and R halves. DES Keys 64-bit key is 56-bit key + 8 parity bits 16 rounds of encryption Expand R half to 48 bits. XOR with 48-bit round key. Substitute result with S-boxes. S-box has 6-bit input, 4-bit output. Output shuffled. Output XORed with L half. L and R are swapped. CSC 482/582: Computer Security

64 Feistel Function (F) PCi = permuted choice i Si = substitution boxes
P = permutation CSC 482/582: Computer Security

65 DES Weaknesses Keys are too short Weak keys exist
NSA reduced key length from 128-bits to 56-bits. EFF “Deep Crack” brute forced DES in 48-hours in 1998. Weak keys exist If key is 0, all round keys are 0 too. Other keys also produce identical round keys. Design decision worries Did NSA leave backdoor in S-box? CSC 482/582: Computer Security

66 Differential Cryptanalysis
A chosen ciphertext attack Biham and Shamir rediscovered in late 1980s Examines pairs of plaintext with particular differences. Requires 247 plaintext, ciphertext pairs. Only 214 pairs required with 8 round DES. Revealed several properties S-box designed to resist differential cryptanalysis. IBM revealed knowledge of technique at design time. Linear cryptanalysis improves result Linear approximation of DES. Requires 243 plaintext, ciphertext pairs. DES not designed to resist this technique. CSC 482/582: Computer Security

67 Triple DES (3DES) Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´)
c = DESk(DESk´–1(DESk’’(m))) Middle decrypt allows backward compatibility if all keys are equal: k = k´= k´´ Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from 2112 to 257. 3DES allows user to create a 168-bit key that gives Security of 112-bit key against brute force attacks. At cost of 3X slower performance (3X more hardware). CSC 482/582: Computer Security

68 DES is Insecure Brute force attacks can now be completed in <1day
Distributed computing attacks. RIVYERA FPGA-based parallel computer breaks DES in <1 day for a hardware cost of <$10,000. Linear cryptanalysis faster than brute force Need 241 known plaintexts is RIVYERA’s predecessor CSC 482/582: Computer Security

69 Block Cipher Modes CSC 482/582: Computer Security

70 Padding We want to encrypt data of any length. Obvious but wrong
But block ciphers encrypt fixed sized blocks. Therefore we need padding. Obvious but wrong Just add zero bytes until last block is filled. When decrypting, which zeros are plaintext or padding? Common padding algorithms Append 128 followed by as many zeros as needed to fill final block. Compute number of padding bytes required. Pad plaintext by appending n bytes, each with value n. CSC 482/582: Computer Security

71 Electronic Code Book Mode
Encrypt each block independently. E(block) = Cblock each time block appears Do not ever use ECB! CSC 482/582: Computer Security

72 ECB Problems Identical plaintext blocks encrypt into identical ciphertext blocks. Known or chosen plaintext attacks allow attacker to build a dictionary of blocks. Smaller chunks of plaintext will be encrypted identically if they appear in same position within a block too. ECB encryption of bitmap hides colors but image is still discernible. CSC 482/582: Computer Security

73 Cipher Block Chaining Mode
XOR each block with the previous ciphertext block. Random initialization vector (IV) used for 1st block. CBC encryption of bitmap looks random. CSC 482/582: Computer Security

74 Cipher Block Chaining Mode
Formula for CBC encryption (i=1 is 1st block) Formula for CBC decryption CSC 482/582: Computer Security

75 CBC Self-Healing Property
Plaintext “heals” after 2 blocks. i.e., if ciphertext altered, error propagated 2 blocks. Initial message Received as (underlined 4c should be 4b) ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f e60b451b09603d Which decrypts to efca61e19f4836f CSC 482/582: Computer Security

76 Initialization Vectors
Reuse of a key/IV combination will result in identical encryption to previous use of combination. IV Algorithms Counter IV: Use 0 for 1st message, 1 for 2nd, etc. Random IV: Randomly generate IV for each message and send IV in cleartext with message. Nonce-generated IV: Assign a number to each message (can use counter). Use message number to generate unique nonce. Nonce should be as large as a single block. Encrypt nonce with block cipher to generate IV. Encrypt message in CBC mode using IV. Add message number in front of ciphertext. Only use message numbers once. CSC 482/582: Computer Security

77 Counter (CTR) Mode Converts block cipher into a stream cipher.
Ki = E(K, Nonce || i) Ci = Pi ⊕ Ki Nonce is equivalent to IV in CBC mode. Eliminates need for padding. CSC 482/582: Computer Security

78 CTR Mode Decryption CSC 482/582: Computer Security

79 Galois Counter Mode (GCM)
Counter mode variant with Galois authentication. Provides confidentiality and integrity. Use as stream cipher like CTR mode. Parallelizable. Currently recommended block cipher mode. More secure than CBC or CTR. CSC 482/582: Computer Security

80 Advanced Encryption Standard (AES)
Winner of open NIST competition ( ) Rijndael, designed by Joan Daemen and Vincent Rijmen. Published as FIPS 197 in November 2001. 128-bit block cipher 128-, 192-, or 256-bit keys. 10, 12, or 14 rounds, depending on key size. Replacement for DES DES vulnerable to brute force attacks due to 56-bit keys. AES is about 2X faster than DES, 6X faster than 3DES. 11/29/2018 Cryptography

81 AES Round Structure Round keys derived from user key using AES key schedule. Each round transforms 128-bit state, Xi in 4 steps: SubBytes: S-box substitution. ShiftRows: permutation. MixColumns: matrix multiplication. AddRoundKey: XOR with round key for this round. CSC 482/582: Computer Security

82 AES Round Steps CSC 482/582: Computer Security

83 AES Cryptanalysis Biclique attack (2011) Related key attacks (2009)
Faster than brute force by a factor of 4 So can break AES-128 with operations. Related key attacks (2009) Requires operations to break AES-256 Requires 2176 operations to break AES-192 Due to weak key scheduling algorithm for AES-256 This means AES-128 is more secure than AES-256! CSC 482/582: Computer Security

84 AES Alternatives Caveat AES Contest Runner Ups Recent Ciphers
Alternatives have seen much less analysis than AES, so we know less about their security. But what if AES was broken? AES Contest Runner Ups Serpent and TwoFish Ranked higher in security, lower in performance. Recent Ciphers ThreeFish Salsa20 (a stream cipher) CSC 482/582: Computer Security

85 Key Points Types of ciphers Cryptanalysis Block ciphers
Substitution (monoalphabetic and polyalphabetic) Transposition (permutation) Product (Substitution + Permutation) Cryptanalysis Kerchoff’s principle Brute force attack One-time pad is provably secure Frequency analysis: Kasiski test, Index of Coincidence. Block ciphers ECB mode insecure; need to use CBC for block ciphers. DES obsolete due to small 56-bit keys. 3DES=112 bit key. AES current standard, best symmetric cipher is AES-128. CSC 482/582: Computer Security

86 References Ross Anderson, Security Engineering, 2nd edition, Wiley, 2008. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. Neil Daswani et. al., Foundations of Security, Apress, 2007. Ferguson and Schneier, Practical Cryptography, Wiley, 2003. David Kahn, The Codebreakers, MacMillan, 1967. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, US Government Dept of the Army, FM FIELD MANUAL, 1990, CSC 482/582: Computer Security

Download ppt "CSC 482/582: Computer Security"

Similar presentations

“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Classical Cryptography CSC 482/582: Computer Security.

Classical Cryptography CSC 482/582: Computer Security.
1 Cryptography. 2 Overview Classical Cryptography  Caesar cipher  Vigenère cipher  DES Public Key Cryptography  Diffie-Hellman  RSA Cryptographic.

1 Cryptography. 2 Overview Classical Cryptography  Caesar cipher  Vigenère cipher  DES Public Key Cryptography  Diffie-Hellman  RSA Cryptographic.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #9-1 Chapter 9: Basic Cryptography Classical Cryptography Public Key Cryptography.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #9-1 Chapter 9: Basic Cryptography Classical Cryptography Public Key Cryptography.
May 11, 2004ECS 235Slide #1 Vigenère Cipher Like Cæsar cipher, but use a phrase Example –Message THE BOY HAS THE BALL –Key VIG –Encipher using Cæsar cipher.

May 11, 2004ECS 235Slide #1 Vigenère Cipher Like Cæsar cipher, but use a phrase Example –Message THE BOY HAS THE BALL –Key VIG –Encipher using Cæsar cipher.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
1 Cryptography CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 30, 2004.

1 Cryptography CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 30, 2004.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Introduction ECE 498YH / CS 498YH: Computer Security.

Introduction ECE 498YH / CS 498YH: Computer Security.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
CSE 651: Introduction to Network Security

CSE 651: Introduction to Network Security
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Classical Cryptography.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Classical Cryptography.
Chapter 2 Basic Encryption and Decryption. csci5233 computer security & integrity 2 Encryption / Decryption encrypted transmission AB plaintext ciphertext.

Chapter 2 Basic Encryption and Decryption. csci5233 computer security & integrity 2 Encryption / Decryption encrypted transmission AB plaintext ciphertext.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.

Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
Chapter 20 Symmetric Encryption and Message Confidentiality.

Chapter 20 Symmetric Encryption and Message Confidentiality.

Similar presentations

Ads by Google