Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Published byMelvyn Owen Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman"— Presentation transcript:

1 Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

2 Administrative stuff Project ideas posted – Deadlines still TBA, but start looking… Quiz schedule on website Be sure to do the reading!!

3 Last time: Encryption Basic idea: someone seeing ciphertext learns nothing about plaintext without correct key With or without authentication Symmetric – based on tests/best guess – e.g. AES (block cipher) Asymmetric – based on math assumptions – e.g. RSA

4 NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!

5 Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40-bit key = 64-bit security Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40- bit key = 64-bit security On your right: text from Jonathan Katz Aside: composability Is this secure against chosen-plaintext attacks? – It is randomized… 40-bit key (in some implementations)! – Claims that, with IV, this gives a 64-bit effective key(!) And how is the IV chosen? – Only 24 bits long -- IV repetitions are a problem! – Reset to 0 upon re-initialization – Some implementations increment the IV as a counter A repeating IV allows the attacker to compute the XOR of two plaintexts – We have discussed already how this can be damaging Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs – If portions of some plaintexts known, this enables determination of other plaintexts Known-plaintext attacks discovered on this usage of RC4 – Possible because the first byte of plaintext is a fixed, known header! Chosen-plaintext attacks – Send IP traffic/e-mail to the mobile host and watch it get forwarded – Transmit broadcast messages to access point – Authentication spoofing No cryptographic integrity protection – The checksum is linear (i.e., c(x  y) = c(x)  c(y)) and unkeyed, and therefore easy to attack – Allows IP redirection attack – Allows TCP “reaction” attacks Look at whether TCP checksum is valid Form of chosen-ciphertext attack Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce) – Allows easy spoofing after eavesdropping

6 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?

7 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

8 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

9 Modes of operation (ECB) Images borrowed from Wikipedia :)

10 Modes of operation (CBC) Images borrowed from Wikipedia :)

11 Modes of operation (CFB) Images borrowed from Wikipedia :)

12 Modes of operation (CTR) Images borrowed from Wikipedia :) VS. ECB

13 Questions?

14 Authenticity and integrity Basic ideas: – Authenticity: the message was produced by a specific known subject Authentication ≠ integrity – Integrity: the message has not been altered between source and destination Messages without integrity protection vulnerable to chosen ciphertext attack

15 Hash functions Collision-resistant (2 k or 2 k/2 ) One-way – Preimage (1 st, 2 nd ) resistant (2 k ) Entropy of input and entropy of output – Output “looks random” Some hashes have partial proofs, e.g. reduction to AES

16 Symmetric authentication Message Authentication Codes (MACs) Pre-shared keys Symmetric means…? – Either party can create a correct MAC – Deniable Chained MACs… why? See TESLA authenticated multicast: http://sparrow.ece.cmu.edu/~adrian/projects/tesla- cryptobytes/tesla-cryptobytes.pdf

17 MACs “Keyed hash” (MAC from a cryptographically-secure hash function) – Hash  Block cipher (CBC or CFB)  MAC Hybrid modes e.g. CBC-MAC – Secrecy plus authenticity (2-party) Remember to use different keys for MAC and encryption… why?

18 MAC examples Example: HMAC – h is a cryptographically-secure hash (or not!) – HMAC K (M) = h(K ⊕ pad 1, h(K ⊕ pad 2, M)) Example: UMAC http://www.springerlink.com/content/ft35c6ha1r8mgv8k/ Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt

19 More MACs BAD: MAC K = h(K,M) or MAC K = h(M,K) GOOD: HMAC K (M) = h(K ⊕ pad 1,h(K ⊕ pad 2, M)) Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page) Full encrypted and authenticated message: E K1 (M), MAC K2 (E K1 (M))

20 Random numbers True random numbers (RNG) – “Quantum” entropy Pseudorandom numbers – PRNG e.g. block cipher in CTR mode – With refresh, more advanced features…

21 Questions?

Download ppt "Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman"

Similar presentations

Chapter 4: Modes of Operation CS 472: Fall 2012. Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.

Chapter 4: Modes of Operation CS 472: Fall Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Cryptography & Security Presented April 16, 2010 By Dave Stycos, Zocalo Data Systems.

Cryptography & Security Presented April 16, 2010 By Dave Stycos, Zocalo Data Systems.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google