Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS511 Introduction to Information Security Lecture 3 Cryptography 1 Yongdae Kim.

Published byPosy McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "IS511 Introduction to Information Security Lecture 3 Cryptography 1 Yongdae Kim."— Presentation transcript:

1 IS511 Introduction to Information Security Lecture 3 Cryptography 1 Yongdae Kim

2 Recap ^ http://syssec.kaist.ac.kr/~yongdaek/courses/is511/ http://syssec.kaist.ac.kr/~yongdaek/courses/is511/ ^ E-mail policy  Include [is511]  Profs + TA: IS511-prof@gsis.kaist.ac.krIS511-prof@gsis.kaist.ac.kr  Profs + TA + Students: IS511@gsis.kaist.ac.krIS511@gsis.kaist.ac.kr ^ Text only posting, email! ^ Preproposal ^ Proposal: English only ^ Homework 1 is posted.

3 The main players Alice Bob Eve Yves?

4 Attacks Source Destination Normal Flow Source Destination Interruption: Availability Source Destination Interception: Confidentiality Source Destination Modification: Integrity Source Destination Fabrication: Authenticity

5 Taxonomy of Attacks ^ Passive attacks  Eavesdropping  Traffic analysis ^ Active attacks  Masquerade  Replay  Modification of message content  Denial of service

6 Big picture Trusted third party (e.g. arbiter, distributor of secret information) Secret Information Message Secret Information Message Alice Bob Information Channel Eve

7 Terminology for Encryption ^ A denotes a finite set called the alphabet ^ M denotes a set called the message space  M consists of strings of symbols from an alphabet  An element of M is called a plaintext ^ C denotes a set called the ciphertext space  C consists of strings of symbols from an alphabet  An element of C is called a ciphertext ^ K denotes a set called the key space  An element of K is called a key ^ E e is an encryption function where e  K ^ D d called a decryption function where d  K

8 Encryption ^ Why do we use key?  Or why not use just a shared encryption function? Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c insecure channel AliceBob Adversary m m

9 SKE with Secure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Adversary Key source e mm d Secure channel

10 PKE with insecure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Passive Adversary Key source d mm e Insecure channel

11 Public key should be authentic! e e E e (m) e’e’e’e’ E e’ (m) E e (m) ^ Need to authenticate public keys

12 Digital Signatures ^ Primitive in authentication and non- repudiation ^ Signature  Process of transforming the message and some secret information into a tag ^ Nomenclature  M is set of messages  S is set of signatures  S A : M ! S for A, kept private  V A is verification transformation from M to S for A, publicly known

13 Key Establishment, Management ^ Key establishment  Process to whereby a shared secret key becomes available to two or more parties  Subdivided into key agreement and key transport. ^ Key management  The set of processes and mechanisms which support key establishment  The maintenance of ongoing keying relationships between parties

14 Symmetric vs. Public key ProsCons SKE ^ High data throughput ^ Relatively short key size ^The key must remain secret at both ends ^O(n 2 ) keys to be managed ^Relatively short lifetime of the key PKE ^O(n) keys ^Only the private key must be kept secret ^longer key life time ^digital signature ^Low data throughput ^Much larger key sizes

15 Symmetric key Encryption ^ Symmetric key encryption  if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e  Usually e = d ^ Block cipher  breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time ^ Stream cipher  encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time

16 Block Cipher ^ E: V n  K V n  V n = {0,1} n, K = {0, 1} k, n is called block length, k is called key size  E(P, K) = C for K  K and P, C  V n  E(P, K) = E K (P) is invertible mapping from V n to V n  E K : encryption function  D(C, K) = D K (C) is the inverse of E K  D k : decryption function P (plaintext) E C (ciphertext) K Key P (plaintext) EKEK C (ciphertext)

17 Modes of Operation ^ A block cipher encrypts plaintext in fixed-size n-bit blocks (often n =128). What happens if your message is greater than the block size? E xjxj k E -1 k xj’xj’ E k xjxj C j-1 D k xj’xj’ c 0 =IV IjIj E OjOj xjxj IjIj E OjOj kk xj’xj’ IjIj E OjOj xjxj IjIj E OjOj kk xj’xj’ I 1 =IV

18 Modes of Operation ^ ECB  Encryption: c j  E K (x j )  Decryption: x j  E −1 K (c j ) ^ CBC  Encryption: c 0  IV, c j  E K (c j−1  x j )  Decryption: c 0  IV, x j  c j−1  E −1 K (c j ) ^ CFB  Encryption: I 1  IV, c j  x j  E K (I j ), I j+1 = c j  Decryption: I 1  IV, x j  c j  E K (I j ), I j+1 = c j ^ OFB  Encryption: I 1  IV, o j = E K (I j ), c j  x j  o j, I j+1 = o j  Decryption: I 1  IV, o j = E K (I j ), x j  c j  o j, I j+1 = o j

19 Modes of Operation (CTR) E x1x1 k CTR c1c1 E x2x2 k CTR+1 c2c2 E xNxN k CTR+N-1 cNcN E c1c1 k CTR x1x1 E c2c2 k CTR+1 x2x2 E cNcN k CTR+N-1 xNxN

20 CTR advantages ^ Hardware efficiency  Parallelizable ^ Software efficiency  Similar, modern processors support parallel computation ^ Preprocessing  Pad can be computed earlier ^ Random-access  Each ciphertext block can be encrypted independently  important in applications like hard-disk encryption ^ Provable security  no worse than what one gets for CBC encryption ^ Simplicity  No decryption algorithm and key scheduling

21 Double DES ^ C = E K2 [E K1 [P]] ^ P = D K1 [D K2 [C]] ^ Reduction to single stage?  E K2 [E K1 [P]] =? E K3 [P]  It was proven that it does not hold

22 Meet-in-the-middle Attack ^ Diffie 1977 ^ Exhaustively cracking it requires 2 112 ? ^ C = E K2 [E K1 [P]]  X = E K1 [P] = D K2 [C] ^ Given a known pair, (P, C)  Encrypt P with all possible 2 56 values of K 1  Store this results and sort by X  Decrypt C with all possible 2 56 K 2, and check table  If same, accept it as the correct key ^ Are we done? &&#@!#(

23 Meet-in-the-middle Attack ^ Little statistics  For any P, there are 2 64 possible C  DDES uses 112 bit key, so 2 112 keys  Given C, there are 2 112 /2 64 = 2 48 possible P  So there are 2 48 false alarms  If one more (P’, C’) pair, we can reduce it to 2 -16 ^ So using two (plaintext, ciphertext) pairs, we can break DDES c * 2 56 encryption/decryption ^ C = E K2 [D K1 [P]] different?

24 Triple DES with two keys ^ Obvious counter to DDES: Use three keys  Complexity?  168 bit key ^ Triple DES = EDE = encrypt-decrypt-encrypt  C = E K1 [D K2 [E K1 [P]]] ^ Attacks?  No practical one so far

25 Hash function and MAC ^ A hash function is a function h  compression  ease of computation  Properties  one-way: for a given y, find x’ such that h(x’) = y  collision resistance: find x and x’ such that h(x) = h(x’)  Examples: SHA-1, MD-5 ^ MAC (message authentication codes)  both authentication and integrity  MAC is a family of functions h k  ease of computation (if k is known !!)  compression, x is of arbitrary length, h k (x) has fixed length  computation resistance  Example: HMAC

26 How Random is the Hash function?

27 Applications of Hash Function ^ File integrity ^ Digital signature Sign = S SK (h(m)) ^ Password verification stored hash = h(password) ^ File identifier ^ Hash table ^ Generating random numbers

28 Hash function and MAC ^ A hash function is a function h  compression  ease of computation  Properties  one-way: for a given y, find x’ such that h(x’) = y  collision resistance: find x and x’ such that h(x) = h(x’)  Examples: SHA-1, MD-5 ^ MAC (message authentication codes)  both authentication and integrity  MAC is a family of functions h k  ease of computation (if k is known !!)  compression, x is of arbitrary length, h k (x) has fixed length  computation resistance  Example: HMAC

29 MAC construction from Hash ^ Prefix  M=h(k||x)  appending y and deducing h(k||x||y) form h(k||x) without knowing k ^ Suffix  M=h(x||k)  possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2 n/2 ) ^ STATE OF THE ART: HMAC (RFC 2104)  HMAC(x)=h(k||p 1 ||h(k|| p 2 ||x)), p1 and p2 are padding  The outer hash operates on an input of two blocks  Provably secure

30 How to use MAC? ^ A & B share a secret key k ^ A sends the message x and the MAC M ← H k (x) ^ B receives x and M from A ^ B computes H k (x) with received M ^ B checks if M=H k (x)

31 PKE with insecure channel Plaintext source Encryption E e (m) = c destination Decryption D d (c) = m c Insecure channel AliceBob Passive Adversary Key source d mm e Insecure channel

32 Digital Signature ^ Integrity ^ Authentication ^ Non-repudiation I did not have intimate relations with that woman,…, Ms. Lewinsky

33 Digital Signature with Appendix ^ Schemes with appendix  Requires the message as input to verification algorithm  Rely on cryptographic hash functions rather than customized redundancy functions  DSA, ElGamal, Schnorr etc.

34 Digital Signature with Appendix M m mhmh MhMh h s* S S A,k M h x S u 2{True, False} VAVA s* = S A,k (m h ) u = V A (m h, s*)

35 Authentication ^ How to prove your identity?  Prove that you know a secret information ^ When key K is shared between A and Server  A  S: HMAC K (M) where M can provide freshness  Why freshness? ^ Digital signature?  A  S: Sig SK (M) where M can provide freshness ^ Comparison?

36 Encryption and Authentication ^ E K (M) ^ Redundancy-then-Encrypt: E K (M, R(M)) ^ Hash-then-Encrypt: E K (M, h(M)) ^ Hash and Encrypt: E K (M), h(M) ^ MAC and Encrypt: E h1(K) (M), HMAC h2(K) (M) ^ MAC-then-Encrypt: E h1(K) (M, HMAC h2(K) (M))

37 Challenge-response authentication ^ Alice is identified by a secret she possesses  Bob needs to know that Alice does indeed possess this secret  Alice provides response to a time-variant challenge  Response depends on both secret and challenge ^ Using  Symmetric encryption  One way functions

38 Challenge Response using SKE ^ Alice and Bob share a key K ^ Taxonomy  Unidirectional authentication using timestamps  Unidirectional authentication using random numbers  Mutual authentication using random numbers ^ Unilateral authentication using timestamps  Alice  Bob: E K (t A, B)  Bob decrypts and verified that timestamp is OK  Parameter B prevents replay of same message in B  A direction

39 Challenge Response using SKE ^ Unilateral authentication using random numbers  Bob  Alice: r b  Alice  Bob: E K (r b, B)  Bob checks to see if r b is the one it sent out  Also checks “B” - prevents reflection attack  r b must be non-repeating ^ Mutual authentication using random numbers  Bob  Alice: r b  Alice  Bob: E K (r a, r b, B)  Bob  Alice: E K (r a, r b )  Alice checks that r a, r b are the ones used earlier

40 Challenge-response using OWF ^ Instead of encryption, used keyed MAC h K ^ Check: compute MAC from known quantities, and check with message ^ SKID3  Bob  Alice: r b  Alice  Bob: r a, h K (r a, r b, B)  Bob  Alice: h K (r a, r b, A)

41 Key Establishment, Management ^ Key establishment  Process to whereby a shared secret key becomes available to two or more parties  Subdivided into key agreement and key transport. ^ Key management  The set of processes and mechanisms which support key establishment  The maintenance of ongoing keying relationships between parties

Download ppt "IS511 Introduction to Information Security Lecture 3 Cryptography 1 Yongdae Kim."

Similar presentations

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.

Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.

Similar presentations

Ads by Google