Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford.

Published byRosemary Barber Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford."— Presentation transcript:

1 1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford

2 2 Cryptography overview

3 3 History of crypto Ceaser cipher Electromechanical ciphers (e.g., Enigma) Information theory Complexity theory Modern cryptography

4 4 Cryptography  Is A tremendous tool The basis for many security mechanisms  Is not The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless  you spend a lot of time becoming an expert  you subject your design to outside review

5 5 Scenarios  Storage Store files privately Protect files from tampering  Communication Avoid eavesdropping Avoid corruption “Secure channel”  Authentication  Many protocols

6 6 Cryptographic primitives Primitive: syntax and semantics of some cryptographic functionality. A scheme/protocol/algorithm may be an instance of the primitive. Example claim: “AES-128-CBC is a secure symmetric encryption scheme”. Most common cryptographic primitives (very informally):  Encryption: confidentiality Adversary cannot learn anything about message from its encrypted form. Symmetric (cipherblock ciphers, stream ciphers) Asymmetric  Digital Signatures: integrity/authentication Adversary cannot fake a signature that passes verification. Symmetric (Message Authentication Code) Asymmetric  Hashing: Summarizing messages into “unique” short digests Adversary cannot find messages with the same digest.

7 7 Symmetric cryptography schemes

8 8 Symmetric encryption 8 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) Kerckhoff’s Principle A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. (Never use a proprietary cipher) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation

9 9 9 First example: One Time Pad (single use key)  Vernam (1917)  Shannon (1949) : OTP is “secure” against ciphertext-only attacks 0101110001 Key: 1100011000 Plaintext:  1001101001 Ciphertext:

10 10 10 Stream ciphers (single use key) Problem: OTP key is as long the message Solution: XOR with a pseudorandom seed: key PRBG message  ciphertext c  PRBG (k)  m stream Really random (physical source) Pseudorandom string PRBG: “Pseudo-Random Bit Generator” AKA PRG: “Pseudo-Random Generator” Well-known algorithms: RC4, RC5 (not secure anymore), AES in counter mode

11 11 RC4 stream cipher [Rives 1987] for i = 0..255: S[i] = i j = 0 for i = 0 to 255 j = j + S[i] + key[i] swap (S[i], S[j]) i, j = 0 repeat: i = i + 1 j = j + S[i] swap (S[i], S[j]) output to stream: S[ S[i] + S[j] ] Key setup 212313424121853 … 0123456 … Permutation of 256 bytes, depending on key 212313424921853 … ji All values are bytes, all arithmetic is mod 256. S is a 256-byte state array. +24 Problem: statistical biases, especially in beginning of stream. Stream generator

12 12 Dangers in using stream ciphers One time key! “Two time pad” is insecure: C 1  m 1  PRBG(k) C 2  m 2  PRBG(k) Eavesdropper does: C 1  C 2  m 1  m 2 Enough redundant information in English that: m 1  m 2  m 1, m 2

13 13 Randomized symmetric encryption13 E, D: cipher k:secret key (e.g., 128 bits) m:plaintext n:nonce / randomness / c:ciphertextinitial vector (IV) (Notation: sometimes the nonce is included in c.) Alice E m, n E(k,m,n)=c Bob D c,n D(k,c,n)=m k k Key generation

14 14 Need for nonce  Single-use key: (one time key) Key is only used to encrypt one message  encrypted email: new key generated for every email No need for nonce (set to 0)  Multi-use key: Key used to encrypt multiple messages  SSL: same key used to encrypt many packets Needs either unique nonce or random nonce  Otherwise, repeated messages can be identified  Multi-use key, but all plaintexts are distinct: Can eliminate nonce using special mode (SIV) 14

15 15 Block ciphers: crypto work horse E, D Cciphertext blockPlaintext block Key Deterministic; random IV can be supplied as part of plaintext block in a mode of operation (see next).). Efficiency and security optimized for the specific block size. Historically, more secure and easier to analyze than traditional stream ciphers. Works on fixed-size blocks: Common sizes: Cipher DES6456 3DES64168 AES128128/192/256

16 16 Building a block cipher m L  m R m R  m L  F(k,m R )

17 17 AES Block Cipher (on a napkin) Source: http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

18 18 Block Ciphers Built by Iteration R(k,m): round function for DES (n=16), for AES (n=10) key k key expansion k1k1 k2k2 k3k3 knkn R(k 1,  )R(k 2,  )R(k 3,  )R(k n,  ) mc

19 19 19 Incorrect use of block cipher: ECB (Electronic Codebook) mode Break plaintext into blocks and encrypt independently:  Problem: if m 1 =m 2 then c 1 =c 2 PT: CT: m1m1 m2m2 c1c1 c2c2

20 20 In pictures [visual comparison by Bart Preneel]

21 21 Correct use of block ciphers I: CBC (Cipher Block Chaining) mode E(k,  ) m[0]m[1]m[2]m[3]IV  E(k,  )  c[0]c[1]c[2]c[3]IV ciphertext Assume E is a secure “pseudorandom permutation” (i.e., a good block cipher). To encrypt a plaintext message m whose size is a multiple of the block size: Q: how to do decryption? To handle messages of different length, use suitable padding.

22 22 Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message (IV  X) Can use unique IV(e.g counter) [Bitlocker] but then first step in CBC must be IV’  E(k,IV) benefit: may save transmitting IV with ciphertext Multi-use key, but unique messages SIV: eliminate IV by setting IV  F(k’, PT) F: secure PRF with key k’ 22

23 23 CBC with Unique IVs E(k,  ) m[0]m[1]m[2]m[3]  E(k,  )  c[0]c[1]c[2]c[3]IV ciphertext IV E(k,  ) IV ′ unique IV means: (k,IV) pair is used for only one message may be predictable so use E(k,  ) as PRF

24 24 In pictures

25 25 Correct use of block ciphers II: CTR (Counter) mode Encrypt a counter to create a pseudorandom string (similar to stream cipher). These “modes of operations” are proven secure (under suitable definitions). Advantage: allows parallel encryption. key message  stream E(k,  ) IVIV+1IV+2IV+3 E(k,  ) IV ciphertext (random)

26 26 Performance of ciphers OpenSSL 1.0.1 on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl speed rc4 des-cbc des-ede3 idea-cbc aes-128-cbc Fast, but still bottleneck for: Applications applying crypto at high bandwidth with little processing (web servers, bulk storage encryption, virtual private networks) Small devices (weak CPU, power-limited) Cheaper/faster with dedicated hardware AES instructions in recent x86 Dedicated “cryptographic accelerator” cards AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES716456 3DES2664168 IDEA9164128 AES142128

27 27 Attacks and security definitions What power does the adversary have?  Known-ciphertext attack  Chosen-ciphertext attacks (CCA)  Known-plaintext attack  Chosen-plaintext attack (CPA) Chosen before target ciphertext Chosen after target ciphertext  Related-key attack What secrecy is preserved?  Key remains secret  Adversary can learn nothing about a message from observing its encryption For random messages Even if it’s an encryption of one of two messages chosen by adversary, he can’t tell which one it is

28 28 Hash functions and message integrity

29 29 Cryptographic hash functions  Length-reducing function H Map arbitrary strings to strings of fixed length  One way (“preimage resistance”) Given y, hard to find x with H(x)=y  Collision resistant Hard to find any distinct m, m’ with H(m)=H(m’)  Also useful: 2 nd preimage resistance Given x, hard to find x’  x with H(x’)=H(x) Collision resistance  2 nd preimage resistance  preimage resistance

30 30 Applications of cryptographic hashing  Password files (one way)  Digital signatures (collision resistant) Sign hash of message instead of entire message  Data integrity Compute and securely store hash of some data Check later by recomputing hash and comparing  Keyed hash for message authentication MAC – Message Authentication Code

31 31 Common hash functions: SHA-1, SHA-256 m[0]m[1]m[2]m[3] IV constant H(m) Merkle-Damgard construction:(simplified) 64 x Fixed constants (Expanded) message hhhh Compression function:

32 32 Performance of hash functions OpenSSL 1.0.1 on 2.1GHz Intel i7, 64-byte messages. To benchmark on your computer: $ openssl sha1 sha256 AlgorithmSpeed (Mbyte/sec) Block size (bits) Key size (bits) RC4657unlimited DES716456 3DES2664168 IDEA9164128 AES142128 SHA-1197 SHA-256113

33 33 Symmetric-key integrity: MAC (Message Authentication Code)  Goal: message integrity. No confidentiality. 33 AliceBob kk Message mtag Generate tag: tag  S(k, m) Verify tag: V(k, m, tag) = 0/1 ? Note: non-keyed checksum (CRC) is an insecure MAC! Key generation Common nickname for “signature” in symmetric setting

34 34 Secure MACs  Attacker’s power: chosen message attack. for m 1,m 2,…,m q attacker is given t i  S(k,mi)  Attacker’s goal: existential forgery. produce some new valid message/tag pair (m,t). (m,t)  { (m 1,t 1 ), …, (m q,t q ) }  Existential unforgeability security: no feasible attacker can witn the above game with more than negligible probability.

35 35 MAC Construction 1: ECBC 35 Raw CBC E(k,  ) m[0]m[1]m[2]m[3]  E(k,  )  E(k 1,  ) tag key = (k, k 1 )

36 36 36 MAC Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k  opad || H( k  ipad || m ))

37 37 37 Construction 3: PMAC – parallel MAC ECBC and HMAC are sequential. PMAC: m[0]m[1]m[2]m[3]  F(k,  ) F(k 1,  ) tag  P(k,0)P(k,1) P(k,2) P(k,3)

38 38 Authenticated (symmetric) Encryption: combining confidentiality and authentication Attaining AE:  Compose existing primitives Encrypt-and-MAC (as in SSH) MAC-then-encrypt (as in TLS) Encrypt-then-MAC (as in IPsec, best in theory) Examples: AEAD_AES_128_CBC_HMAC_SHA256, AEAD_CHACHA20_POLY1305 Disadvantage: requires two passes over data, one for encryption and one for MAC/hash  From-scratch authenticated ciphers Grain-128a, NORX, …  AE mode of operations using existing block ciphers CCM, GCM (NIST-standardized) OCB (patented), AEX, … Ongoing competition: http://competitions.cr.yp.to/caesar.html (57 submissions)http://competitions.cr.yp.to/caesar.html AES-GCM is nowadays a good conservative choice, reasonably efficient

Download ppt "1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 6: Applied cryptography: symmetric Eran Tromer Slides credit: John Mitchell, Stanford."

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google