1. CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz

2. Announcements  Midterm on March 15

3. Modes of encryption  Used for encrypting a long message m 1, …, m n  ECB –C i = F K (m i ); the ciphertext is (C 1, …, C n )  CBC –IV; C i = F K (m i  C i-1 ); the ciphertext is (IV, C 1, …, C n )  OFB (stream cipher mode) –IV; z i = F K (z i-1 ); C i = z i  m i ; the ciphertext is (IV, C 1, …, C n )  CTR (stream cipher mode) –IV; z i = F K (IV+i); C i = z i  m i ; the ciphertext is (IV, C 1,.., C n )  Others…

4. Security?  ECB should not be used –Why?  Not even secure against ciphertext-only attacks

5. The effect of ECB mode originalencrypted using ECB mode * Images from Wikipedia

6. Other modes  CBC, OFB, and CTR modes are secure against chosen-plaintext attacks  CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks * Images from Wikipedia

7. Message integrity

8. mm’

9. Encryption does not provide integrity  “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable” –WRONG  E.g., one-time pad, CBC-/CTR-mode encryption  Why is this a concern? –Almost always, integrity is needed in addition to secrecy –Lack of integrity can lead to lack of secrecy  Use message authentication codes (MACs)

10. Message authentication code (MAC)  In the private-key setting, the tool for achieving message integrity is a MAC  Functionality: –MAC K (m) = t (we call t the “tag”) –Vrfy K (m, t) = 0/1 (“1” = “accept” / ”0”=“reject”) –Correctness…

11. MAC usage kk Vrfy k (m’,t’) ?? m, t t = Mac k (m) Shared key k Sender computes a tag t on the message m using k Receiver verifies the message/tag pair using k Alice Bob

12. K K MAC usage

13. Defining security  Attack model: –A random key k is chosen –Attacker is allowed to obtain t 1 = MAC k (m 1 ), …, t q = MAC k (m q ) for any messages m 1, …, m q of its choice  Attacker is successful if it outputs a forgery; i.e., (m, t) with: –m ≠ m i for all i –Vrfy K (m, t) = 1  For any time-bounded adversary, the probability of a successful attack should be small

14. Defining security  Is the definition too strong? –When would an attacker be able to obtain tags on any messages of its choice? –Why do we count it as a break if the adversary outputs a forgery on a “meaningless” message? –Main point: we want a secure MAC to be usable in any setting where message integrity is needed

15. Replay attacks  A MAC inherently cannot prevent replay attacks  Replay attacks must be prevented at a higher level of the protocol! –(Note that whether a replay is ok is application- dependent)  Replay attacks can be prevented using nonces, timestamps, etc. –Will discuss more later

16. A MAC for short messages  Let F be a block cipher with n-bit output  To authenticate m using key k, compute t = F k (m)  Vrfy k (m, t): output 1 iff t = F k (m)  Why is this secure?

17. (Informal) sketch of security  Replace F k with a random permutation f –Can do this since F is a block cipher  Seeing f(m 1 ), …, f(m q ) does not help to predict f(m) for any m  {m 1,…,m q } –If adversary outputs (m, t), the probability that t is correct is roughly 2 -n –For n large enough, the probability of forgery is small