1. CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz

2. HW1 out

3. Randomized encryption  Deterministic encryption schemes cannot be secure against chosen-plaintext attacks –Nor can they be secure for encrypting multiple messages  To be secure against chosen-plaintext attack, encryption must be randomized  Moral: always use randomized encryption!

4. Block ciphers  Keyed, invertible permutation F  Large key space, large block size  Modeled as a (family of) random permutations…  A block cipher is not an encryption scheme –A block cipher can be used to build an encryption scheme (and other things as well)  Example – the “trivial” encryption scheme: –C = F K (m) –This is not randomized…

5. Data Encryption Standard (DES)  Developed in 1970s by IBM / NSA / NBS –Non-public design process  56-bit key, 64-bit input/output –A 64-bit key is derived from 56 random bits –One bit in each octet is a parity-check bit  The “short” key length is a major concern…  The “short” block length is also a concern

6. Concerns about DES  Short key length –DES “cracker”, built for $250K, can break DES in days –Computation can be distributed to make it faster –Does not mean “DES is insecure”; depends on desired security  Short block length –Repeated blocks happen “too frequently”  Some (theoretical) attacks have been found –Claimed known to DES designers 15 years before public discovery!  Non-public design process

7. 3DES/triple-DES  Expands the key length  Now, key K = (K 1, K 2 ); |K| = 112  The “new” block cipher is just: –E K1,K2 (m) = DES K1 (DES -1 K2 (DES K1 (m)))  This is a permutation, and invertible  Fairly slow…but widely used in practice

8. AES  Public contest sponsored by NIST in ’97 –Narrowed to 5 finalists –4 years of intense analysis  Rijndael selected as the AES –Supports variety of block/key sizes, but defaults to 128- bit key length and 128-bit block length –2 128 is a huge number Number of seconds since big bang (estimate): ~2 58 Number of nanoseconds since big bang: ~2 90  Both efficiency and security taken into account –The “most secure” finalist was not the one chosen

9. Other block ciphers?  No compelling reason to use anything other than AES, in general –Unless (possibly) you have very severe performance requirements –Even then, think twice  Same goes for stream ciphers

10. Modes of encryption  Used for encrypting a long message m 1, …, m n  ECB –C i = F K (m i ); the ciphertext is c 1, …, c n  CBC –IV; C i = F K (m i  C i-1 ); the ciphertext is IV, c 1, …, c n  OFB (stream cipher mode) –IV; z i = F K (z i-1 ); C i = z i  m i ; the ciphertext is IV, c 1, …, c n  CTR (stream cipher mode) –IV; z i = F K (IV+i); C i = z i  m i ; the ciphertext is IV, c 1,.., c n  Others…

11. Security?  ECB should not be used –Why?  CBC, OFB, and CTR modes are secure against chosen-plaintext attacks  CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks

12. Message integrity

13. Encryption does not provide integrity  “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable” –WRONG  E.g., one-time pad, CBC-/CTR-mode encryption  Why is this a concern? –Lack of integrity can lead to lack of secrecy –Almost always, integrity is needed in addition to secrecy