Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography: Review Day David Brumley Carnegie Mellon University.

Published byLionel Chandler Modified over 10 years ago

Similar presentations

Presentation on theme: "Cryptography: Review Day David Brumley Carnegie Mellon University."— Presentation transcript:

1 Cryptography: Review Day David Brumley dbrumley@cmu.edu Carnegie Mellon University

2 Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity 2 Alice Bob Public Channel Eve E D cc’ m keke m or error keke read/write access

3 3

4 Privacy and Encryption 4

5 Perfect Secrecy [Shannon1945] (Information Theoretic Secrecy) Defn Perfect Secrecy (informal): We’re no better off determining the plaintext when given the ciphertext. 5 AliceBob Eve 1.Eve observes everything but the c. Guesses m 1 2.Eve observes c. Guesses m 2 Goal: \Pr[m = m_1] = \Pr[m = m_2]

6 The One Time Pad 6 Miller, 1882 and Vernam, 1917 \begin{align*} E(k,m) &= k \oplus m = c\\ D(k,c) &= k \oplus c = m\\ \end{align*} \[ \begin{split} D(k,E(k,m)) &= D(k, k \oplus m)\\ &= k \oplus (k \oplus m)\\ &= 0 \oplus m \\ &= m \end{split} \] m:0110110 k:1101000 c:1011110 k:1101000 m:0110110 M = C = K = {0,1} n

7 Block Ciphers Modes of operations – CBC, CTR, etc. – What modes do for security, e.g., why ECB is bad, why randomize an IV for CBC, etc. Definitions – Is a block cipher a PRP or PRF Attacks 7

8 Exhaustive Search for block cipher key Goal: given a few input output pairs (m i, c i = E(k, m i )) i=1,..,nfind key k. Attack: Brute force to find the key k. Homework: What is the probability that the key k found with one pair is correct? For two pairs? 8

9 Meet in the middle attack Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) key-len = 112 bits for 2DES Idea: key found when c’ = c’’: E(k i, m) = D(k j, c) m c' … … c … … c’’ m E(k 2,⋅)E(k 1,⋅) c 9

10 Semantic Security Game 10 E 2. Pick b=0 3. k=KeyGen(l) 4. c = E(k,m b ) A 1. Picks m 0, m 1, |m 0 | = |m 1 | 5. Guess and output b’ m 0,m 1 c World 0 E 2. Pick b=1 3. k=KeyGen(l) 4. c = E(k,m b ) A 1. Picks m 0, m 1, |m 0 | = |m 1 | 5. Guess and output b’ m 0,m 1 c World 1 A doesn’t know which world he is in, but wants to figure it out. Semantic security is a behavioral model getting at any A behaving the same in either world when E is secure.

11 Semantic security under CPA 11 Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) if c b = c 0 output 0 else output 1 m 0, m 0 ∊ M C 0 ← E(k,m) m 0, m 1 ∊ M C b ← E(k,m b ) Challenger k ← K Adversary A

12 Semantic security under CPA 12 Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) if c b = c 0 output 0 else output 1 m 0, m 0 ∊ M C 0 ← E(k,m) m 0, m 1 ∊ M C b ← E(k,m b ) Challenger k ← K Adversary A Encryption modes must be randomized or use a nonce (or are vulnerable to CPA)

13 Hashes and MACS 13

14 Message Integrity Goal: integrity (not secrecy) Examples: – Protecting binaries on disk. – Protecting banner ads on web pages Security Principles: – Integrity means no one can forge a signature 14

15 PRF Security Game (A behavioral model) 15 E 2. if(tbl[x] undefined) tbl[x] = rand() return y =tbl[x] A 1. Picks x 5. Guess and output b’ x y World 0 E y = PRF(x) A 1. Picks x 3. Outputs guess for b x y World 1 A doesn’t know which world he is in, but wants to figure it out. For b=0,1: W b := [ event that A(W b ) =1 ] Adv SS [A,E] := | Pr[ W 0 ] − Pr[ W 1 ] | ∈ [0,1] Always 1

16 Secure PRF: An Alternate Interpretation 16 For b = 0,1 define experiment EXP(b) as: Def: PRF is a secure PRF if for all efficient A: Challenger F Adversary

17 Secure MAC Game Security goal: A cannot produce a valid tag on a message – Even if the message is gibberish 17 Challenger 1. k = KeyGen(l) 3. Compute i in 0...q: t i = S(m i, k) 5. b = V(m,t,k) Adversary A 2. Picks m 1,..., m q 4. picks m not in m 1,...,m q Generates t m 1,...,m q t 1,...,t q m,t b = {yes,no} existential forgery if b=“yes”

18 Birthday Paradox Rule of Thumb Given N possibilities, and random samples x 1,..., x j, PR[x i = x j ] ≈ 50% when j = N 1/2 18

19 Generic attack on hash functions Let H: M  {0,1} n be a hash function ( |M| >> 2 n ) Generic alg. to find a collision in time O(2 n/2 ) hashes Algorithm: 1.Choose 2 n/2 random messages in M: m 1, …, m 2 n/2 (distinct w.h.p ) 2.For i = 1, …, 2 n/2 compute t i = H(m i ) ∈{0,1} n 3.Look for a collision (t i = t j ). If not found, got back to step 1. How well will this work? 19

20 Brute Force Online Brute Force Attack: input: hp = hash(password) to crack for each i in dictionary file if(h(i) == hp) output success; Time Space Tradeoff Attack: precompute: h(i) for each i in dict file in hash tbl input: hp = hash(password) check if hp is in hash tbl 20 “rainbow tables”

21 Salts Enrollment: 1.compute hp=h(password + salt) 2.store salt || hp Verification: 1.Look up salt in password file 2.Check h(input||salt) == hp What is this good for security, given that the salt is public? 21 Salt doesn’t increase security against online attack, but does make tables much bigger.

22 Authenticated Encryption 22

23 Motivating Question: Which is Best? E(k E, m||tag) S(k I, m) m Encryption Key = K E ; MAC key = k I Option 1: SSL (MAC-then-encrypt) mtagm S(k I, c)E(k E, m) m Option 2: IPsec (Encrypt-then-MAC) mmtag S(k I, m)E(k E, m) m Option 3: SSH (Encrypt-and-MAC) mmtag 23

24 An authenticated encryption system (E,D) is a cipher where As usual: E: K × M × N ⟶ C but D: K × C × N ⟶ M ∪{ ⊥ } Security: the system must provide – Semantic security under CPA attack, and – ciphertext integrity. The attacker cannot create a new ciphertext that decrypts properly. reject ciphertext as invalid 24

25 CCA Game Definition 25 Let ENC = (E,D) over (K,M,C). For b = {0,1}, define EXP(0) and EXP(1) b Chal. k  K Adv. b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i ) (2) CCA query: Ex: could query a changed c i

26 Public Key Cryptography 26

27 Eve observes: g, g a, g b Goal: compute a (or b) (i.e., calculate the discrete log) or compute g ab 27 3. g a mod p 4. g b mod p 1. Pick a from [0,p-1)2. Pick b from [0,p-1) 5. Compute (g a ) b mod p as secret key 6. Compute (g b ) a mod p as secret key Alice Bob Eve

28 MITM Adversary As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks AliceBobMITM g a mod pg m mod p g b mod p g m mod p g ma mod p g mb mod p 28

29 Public Key Encryption Def: a public-key encryption system is a triple of algorithms (G, E, D) G(): randomized alg. outputs a key pair (pk, sk) E(pk, m): randomized alg. that takes m∈M and outputs c ∈C D(sk,c): determisitic alg. that takes c∈C and outputs m ∈ M or ⊥ Consistency: ∀(pk, sk) output by G : ∀m∈M: D(sk, E(pk, m) ) = m Note: Without randomization, an attacker can determine E(pk,m 1 ) = E(pk,m 2 ) when m 1 =m 2 29

30 Semantic Security For b=0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)): Def: Enc = (G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A: Adv SS [A, Enc ] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible Chal. b Adv. A (pk,sk)  G() m 0, m 1  M : |m 0 | = |m 1 | c  E(pk, m b ) b’  {0,1} EXP(b) pk No query encryptions of messages. Why? 30

31 Easy and Hard Problems Factoring Discrete Log Exponentiation 31

32 32 Questions?

33 END

34 34 Thought

Download ppt "Cryptography: Review Day David Brumley Carnegie Mellon University."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Introduction to Cryptography David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto.

Introduction to Cryptography David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google