Dumb Crypto in Smart Grids
Dumb Crypto in Smart Grids
Practical Cryptanalysis of the Open Smart Grid Protocol
Philipp Jovanovic (1) (@daeinar), Samuel Neves (2) (@sevenps)
(1) University of Passau, Germany
(2) University of Coimbra, Portugal

Smart Grids
Definition from Wikipedia: "A smart grid is a modernized electrical grid that uses analog or digital information and communications technology to gather and act on information [...] in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity."
- Fast-growing technology.
- Critical infrastructure: communication needs protection.

Open Smart Grid Protocol (OSGP)
- Application layer communication protocol for smart grids.
- Developed by the Energy Service Network Association (ESNA) around
- Standardised by the European Telecommunications Standards Institute (ETSI) in
- Used in devices sold by members of the OSGP Alliance.
Figure: cover page of ETSI GS OSG 001 V1.1.1, Group Specification, Open Smart Grid Protocol (OSGP). Disclaimer on the cover: "This document has been produced and approved by the Open Smart Grid (OSG) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership."

Open Smart Grid Protocol (OSGP)
- Deployed in over 4 million devices world-wide.
- Customers/Members/Partners of OSGP Alliance: Networked Energy Services, E.ON, Vattenfall, Ericsson AB, Mitsubishi Electric, LG CNS, Oracle, ...

Open Smart Grid Protocol (OSGP)
Figure: OSGP's Network Topology (PLC segment with a data concentrator, repeaters and smart-meters; marked "Encrypted").
- Encrypted communication between smart-meters and data concentrators.
- Authenticated encryption scheme:
  - RC4 (encryption)
  - OMADigest (authentication)
  - EN14908 (key derivation)

Our Work
Overview
- Cryptanalysis of the OMADigest.
- Key recovery attacks using:
  1. Differentials.
  2. Bruteforce.
  3. Differential-based forgeries.
- Based on publicly available documents.
- No experiments on actual (proprietary) OSGP hardware.
- Disclosed to OSGP Alliance/NES in November
- Published at IACR Workshop on Fast Software Encryption
- Paper available at

Related Work
Structural Weaknesses in the Open Smart Grid Protocol
- By K. Kursawe and C. Peters (European Network for Cyber Security, the Netherlands).
- Overview article on security in OSGP.
- Presents basic attacks.
- Paper available at
- Disclosed to OSGP Alliance/NES in late
Cryptanalysis of RC4 in OSGP
- By L. Feiten and M. Sauer (University of Freiburg, Germany).
- Transfers WEP attack on RC4 to the case of OSGP.
- Under submission. Draft shared privately.
- Disclosed to OSGP Alliance/NES in November

OSGP's Cryptographic Infrastructure
Figure: data flow through two EN14908 instances, OMADigest and RC4, with inputs $k_1$, $x_1$, $k_0$, $x_0$ and $m \| n$, outputs $c$ and $t$, and wire labels /48, /64, /96 and /128.
- $k_1 \| k_0$: Open Media Access Key (OMAK).
- $k'_1 \| k'_0$: Base Encryption Key (BEK).
- $x_0, x_1$: constants.
- $m \| n$: message and counter.
- $c, t$: ciphertext and tag.

The EN14908 Encryption Algorithm
The OMADigest is an improved version of the EN14908 encryption algorithm.

OMADigest
Function OMADigest(m, k):
    $a \leftarrow (0, 0, 0, 0, 0, 0, 0, 0)$
    $m \leftarrow m \,\|\, 0^{-|m| \bmod 144}$
    foreach 144-byte block $b$ of $m$ do
        for $i \leftarrow 0$ to $17$ do
            for $j \leftarrow 7$ to $0$ do
                if $k_{i \bmod 12,\,7-j} = 1$ then
                    $a_j \leftarrow a_{(j+1) \bmod 8} + b_{8i+(7-j)} + (\lnot(a_j + j)) \lll 1$
                else
                    $a_j \leftarrow a_{(j+1) \bmod 8} + b_{8i+(7-j)} - (\lnot(a_j + j)) \ggg 1$
                end
            end
        end
    end
    return $a$
Observations
- 64-bit state $a$.
- Message is zero-padded: $m \leftarrow m \,\|\, 0^{-|m| \bmod 144}$.
- Key extension: $k_0 \| \dots \| k_{11} \rightarrow k_0 \| \dots \| k_{11} \| k_0 \| \dots \| k_5$.
- Processing of a message byte depends on exactly one key bit.
- State update is almost linear.
- Algorithm is fully reversible.

OMADigest
Data processing (figure, data flow): in round $i$ the state bytes $a_7, a_6, \dots, a_0$ are updated in turn by $f_{k_{i',0},7}, f_{k_{i',1},6}, \dots, f_{k_{i',7},0}$, which absorb the message bytes $m_{8i}, m_{8i+1}, \dots, m_{8i+7}$.
The non-linear update function $f$:
$$f_{k,c}(x, y, m) = \begin{cases} y + m + (\lnot(x + c)) \lll 1 & \text{if } k = 1 \\ y + m - (\lnot(x + c)) \lll 7 & \text{otherwise.} \end{cases}$$
Note: $i = 0, \dots, 17$ and $i' = i \bmod 12$.

Crash Course: Differential Cryptanalysis
Idea
- Inputs $x$ pass through the crypto function $F$ to outputs $y$; an input difference $\Delta x$ passes through $F$ to an output difference $\Delta y$.
- XOR-differential $\Delta x \xrightarrow{p} \Delta y$ of probability $p$ in $F$.
Applications
- Detect non-randomness.
- Key recovery.
- Collisions.
- Forgeries.

Attack #1

Bitwise Key Recovery
Injecting XOR-difference $\Delta m_{8i} = 80$ (figure, data flow): the difference 80 at $m_{8i}$ passes through $f_{k_{i',0},7}$ into $a_7$.
The non-linear update function $f$:
$$f_{k,c}(x, y, m) = \begin{cases} y + m + (\lnot(x + c)) \lll 1 & \text{if } k = 1 \\ y + m - (\lnot(x + c)) \lll 7 & \text{otherwise.} \end{cases}$$
Note: $i = 0, \dots, 17$ and $i' = i \bmod 12$.
Difference propagation after 8 message bytes $m_{8i}, \dots, m_{8i+7}$ (figure, data flow): the difference propagates with probability 1 to the full state!
Difference propagation after 9 message bytes $m_{8i}, \dots, m_{8i+7}, m_{8i+8}$ (figure, data flow). Possible output differences for the XOR-linearisation of $f$:
$$\Delta a_7 = \begin{cases} 81 = 80 \oplus (80 \lll 1) & \text{if } k_{i',0} = 1 \\ C0 = 80 \oplus (80 \lll 7) & \text{if } k_{i',0} = 0 \end{cases}$$
Equal behaviour of lsb for $\oplus$ and $+$: $k_{i',0} = \mathrm{lsb}(\Delta a_7)$.
Full Key Recovery
In 96+1 queries with 144-byte chosen-plaintexts.

Can we do better?

Improving Bitwise Key Recovery
Setting $\Delta m_{8i-8} = 80$ (eight steps earlier than in the bitwise attack) gives, for $i = 17, \dots, 6$:
Figure (data flow): the state $a_0, \dots, a_7$ before and after absorbing $m_{8i}, \dots, m_{8i+7}$, with the differences $\Delta a_7, \Delta a_6, \dots$ marked.
Analysing the XOR-linearisation of $f$ shows...

Bytewise Key Recovery
Key bits can be recovered iteratively:
- $k_{i',0} = \mathrm{lsb}(\Delta a_7) \oplus \mathrm{lsb}(80)$
- $k_{i',1} = \mathrm{lsb}(\Delta a_6) \oplus \mathrm{lsb}(\Delta a_7)$
- $k_{i',2} = \mathrm{lsb}(\Delta a_5) \oplus \mathrm{lsb}(\Delta a_6)$
- $k_{i',3} = \mathrm{lsb}(\Delta a_4) \oplus \mathrm{lsb}(\Delta a_5)$
- $k_{i',4} = \mathrm{lsb}(\Delta a_3) \oplus \mathrm{lsb}(\Delta a_4)$
- $k_{i',5} = \mathrm{lsb}(\Delta a_2) \oplus \mathrm{lsb}(\Delta a_3)$
- $k_{i',6} = \mathrm{lsb}(\Delta a_1) \oplus \mathrm{lsb}(\Delta a_2)$
- $k_{i',7} = \mathrm{lsb}(\Delta a_0) \oplus \mathrm{lsb}(\Delta a_1)$
for all $i = 17, \dots, 6$ and $i' = i \bmod 12$.
Conclusion: Setting $\Delta m_{8i-8} = 80$ leaks complete key byte $k_{i'}$.
Full Key Recovery
In 12+1 queries with 144-byte chosen-plaintexts.

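The two observations "algorithm is fully reversible" and "a message byte depends on exactly one key bit", together with the lsb relations above for the last round ($i = 17$), can be checked on a local model of the digest. This is an added example, not code from the talk or the paper; the function names, the constructed key and message, and the choice that bit index $7-j$ counts from the least significant bit of a key byte are assumptions.

```python
"""Local model of OMADigest following the slide pseudocode (added example)."""

BLOCK = 144  # block size in bytes; messages are zero-padded to a multiple of it


def rotl8(x, r):
    """Rotate an 8-bit value left by r bits."""
    return ((x << r) | (x >> (8 - r))) & 0xFF


def key_bit(key, i, j):
    # Assumption: bit index 7-j counts from the least significant bit
    # of key byte i mod 12.
    return (key[i % 12] >> (7 - j)) & 1


def oma_forward(state, block, key):
    """Absorb one 144-byte block: 18 rounds of 8 steps, one key bit per byte."""
    a = list(state)
    for i in range(18):
        for j in range(7, -1, -1):
            v = ~(a[j] + j) & 0xFF
            t = rotl8(v, 1) if key_bit(key, i, j) else -rotl8(v, 7)
            a[j] = (a[(j + 1) % 8] + block[8 * i + (7 - j)] + t) & 0xFF
    return a


def oma_backward(state, block, key):
    """Undo oma_forward; each step is a bijection on a[j], so nothing is lost."""
    a = list(state)
    for i in range(17, -1, -1):
        for j in range(8):
            t = (a[j] - a[(j + 1) % 8] - block[8 * i + (7 - j)]) & 0xFF
            v = rotl8(t, 7) if key_bit(key, i, j) else rotl8(-t & 0xFF, 1)
            a[j] = ((~v & 0xFF) - j) & 0xFF
    return a


def oma_digest(msg, key):
    """Zero-pad, start from the all-zero state, absorb every block."""
    msg = bytes(msg) + bytes(-len(msg) % BLOCK)
    a = [0] * 8
    for off in range(0, len(msg), BLOCK):
        a = oma_forward(a, msg[off:off + BLOCK], key)
    return bytes(a)


def last_round_key_byte(tag_of, msg):
    """Evaluate the lsb relations for i = 17 on two tags whose messages differ
    by 0x80 in byte 8*17 - 8 = 128; returns key byte 17 mod 12 = 5."""
    if len(msg) != BLOCK:
        raise ValueError("expects exactly one 144-byte block")
    other = bytearray(msg)
    other[8 * 17 - 8] ^= 0x80
    delta = [x ^ y for x, y in zip(tag_of(bytes(msg)), tag_of(bytes(other)))]
    byte, prev = 0, 0x80 & 1            # lsb(80) = 0 starts the chain
    for bit in range(8):                # k_bit = lsb(delta a_{7-bit}) xor prev
        lsb = delta[7 - bit] & 1
        byte |= (lsb ^ prev) << bit
        prev = lsb
    return byte


# Constructed sample inputs (not taken from any device or specification).
SAMPLE_KEY = bytes.fromhex("3a91c45e07d2b86f1c2975e0")
SAMPLE_MSG = bytes((37 * n + 11) & 0xFF for n in range(BLOCK))

if __name__ == "__main__":
    tag = oma_digest(SAMPLE_MSG, SAMPLE_KEY)
    print("tag:", tag.hex())
    print("state before the block, computed from the tag:",
          oma_backward(list(tag), SAMPLE_MSG, SAMPLE_KEY))
    seen = last_round_key_byte(lambda m: oma_digest(m, SAMPLE_KEY), SAMPLE_MSG)
    print("key byte 5: %02x, read from the tag difference: %02x"
          % (SAMPLE_KEY[5], seen))
```

The relation holds for every key and message because the lsb of a sum or difference is the XOR of the operands' lsbs, which is the "almost linear" state update noted on the OMADigest slide.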
Attack #2

Known-Plaintext Key Recovery
Prerequisites
- Two 144-byte messages $m = x \| y$ and $m' = x \| y'$ with $|y| = |y'| = r$ bytes and $y \neq y'$.
- Authentication tags: $a = \mathrm{OMADigest}(m)$ and $a' = \mathrm{OMADigest}(m')$.

Known-Plaintext Key Recovery
Idea
Figure: OMABackward from the tag $a$ over the last rounds ($k_3$ with $m_{120}, \dots, m_{127}$; $k_4$ with $m_{128}, \dots, m_{135}$; $k_5$ with $m_{136}, \dots, m_{143}$; steps $i = 1$, $i = 0$), followed by OMAForward over the same rounds, ending in the check $b \stackrel{?}{=} a'$.
For $i = 0, \dots, 11$:
- Set $r = 8i$
- Guess $k_{17-i \bmod 12}$. Fix $k_{16-i \bmod 12} = 00$.
- Compute: $b = \mathrm{OMAForward}(\mathrm{OMABackward}(a, m, k, r), m', k, r)$.
- Check: $b = a'$. If so, save guess for $k_{17-i \bmod 12}$ as a candidate.

Known-Plaintext Key Recovery
Full Key Recovery
- In 24 queries of 144-byte known-plaintexts with common prefix.
- In queries of 144-byte chosen plaintexts.

Attack #3

Forgery Attacks
Injecting XOR-differences $\Delta m_{8i+j} = 80$ and $\Delta m_{8i+j+1} = 80$ (figure, data flow) for $i = 0, \dots, 17$, $i' = i \bmod 12$, and $j = 0, \dots, 7$ (here: $j = 0$).
The non-linear update function $f$:
$$f_{k,c}(x, y, m) = \begin{cases} y + m + (\lnot(x + c)) \lll 1 & \text{if } k = 1 \\ y + m - (\lnot(x + c)) \lll 7 & \text{otherwise.} \end{cases}$$
Difference propagation after 8 message bytes $m_{8i+j}, \dots, m_{8i+j+7}$ (figure, data flow): no further propagation, stationary difference $\Delta a_7 =$
Difference propagation after 9 message bytes $m_{8i+j}, \dots, m_{8i+j+7}, m_{8i+j+8}$ (figure, data flow): inject XOR-difference $\Delta m_{8i+j+8} = x$ s.t. $\Delta a_7 = 00$: forgery!
How do we choose $x$?

From Forgeries...
Options for $x$:
$k_{i+1,j} = 0$:
    x:  C0    40
    p:  1/2   1/2
$k_{i+1,j} = 1$:
    x:  01    03    07    0F    1F    3F    7F     FF
    p:  1/2   1/4   1/8   1/16  1/32  1/64  1/128  1/128
Using $(\Delta m_{8i+j}, \Delta m_{8i+j+1}, \Delta m_{8i+j+8}) = (80, 80, x)$ with $x \in \{C0, 40, 01\}$ has probability 1/4 to create a forgery.

... to Key Recovery
1. Test $(\Delta m_{8i+j}, \Delta m_{8i+j+1}, \Delta m_{8i+j+8}) = (80, 80, C0)$. Forgery?
   - Yes: $k_{i+1 \bmod 12,\,j} = 0$.
   - No: Continue.
2. Test $(\Delta m_{8i+j}, \Delta m_{8i+j+1}, \Delta m_{8i+j+8}) = (80, 80, 40)$. Forgery?
   - Yes: $k_{i+1 \bmod 12,\,j} = 0$.
   - No: $k_{i+1 \bmod 12,\,j} = 1$.

Forgery-based Key Recovery
Summary
- Full key recovery in 168 queries (on average).
- Works with chosen-plaintexts and with chosen-ciphertexts (due to stream cipher encryption).
- Key bits can be recovered in arbitrary order (unlike in attacks #1 and #2).
- No restrictions on the message size.

Conclusion

Overview on Digest Attacks
Attack: #1, #2, #3
Type | B | Queries | Complexity | Oracle
CP | | | | Tag-generation
CP | | | | Tag-generation
CP | | | | Tag-generation
CP | | | | Tag-generation
CP | | | | Tag-generation
CP | | | | Tag-generation
KP+ / CP | 1 | 24 / | | Tag-generation
KP+ / CP | 2 | 12 / | | Tag-generation
KP+ / CP | 3 | 8 / | | Tag-generation
KP+ / CP | 4 | 6 / | | Tag-generation
KP+ / CP | 5 | 6 / | | Tag-generation
KP+ / CP | 6 | 4 / | | Tag-generation
Forgeries (CP / CC, XOR) | | | | Tag-verification
Forgeries (CP, Additive) | | | | Tag-verification
B: time-query trade-off parameter. KP+: known-plaintext with common prefix. CP: chosen-plaintext. CC: chosen-ciphertext.

Fin
We think:
- OSGP's cryptographic scheme offers no protection whatsoever (assuming it is implemented as in the specification).
- Secure communication in OSGP highly doubtful as long as any of RC4, EN14908 or OMADigest is used.
Thank you!
More informationSecurity Requirements
Message Authentication and Hash Functions CSCI 454/554 Security Requirements disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationSOLUTIONS FOR HOMEWORK # 1 ANSWERS TO QUESTIONS
SOLUTIONS OR HOMEWORK # 1 ANSWERS TO QUESTIONS 2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated
More informationTLS Security Where Do We Stand? Kenny Paterson
TLS Security Where Do We Stand? Kenny Paterson (based on joint work with Nadhem AlFardan, Dan Bernstein, Bertram Poettering, Jacob Schuldt) Information Security Group Outline TLS and the TLS Record Protocol
More informationMike Hamburg. August 1, Abstract
Cryptanalysis of 22 1 2 rounds of Gimli Mike Hamburg August 1, 2017 Abstract Bernstein et al. have proposed a new permutation, Gimli, which aims to provide simple and performant implementations on a wide
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationAn Introduction to new Stream Cipher Designs
An Introduction to new Stream Cipher Designs Ways of Turning Your Data into Line Noise T. E. Bjørstad The Selmer Center, Department of Informatics University of Bergen, Norway 25th Chaos Communications
More informationCRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic
CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic Özgecan Payzin, s4159721 ozgecan.payzin@student.ru.nl April 1, 2013 1 Introduction The MIFARE Classic is one of
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More information3 Symmetric Cryptography
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 3 Symmetric Cryptography Symmetric Cryptography Alice Bob m Enc c = e k (m) k c c Dec m = d k (c) Symmetric cryptography uses the same secret key k for encryption
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationA Cache Timing Analysis of HC-256
A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationHow crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov
How crypto fails in practice? CSS, WEP, MIFARE classic *Slides borrowed from Vitaly Shmatikov Stream Ciphers One-time pad: Ciphertext(Key,Message)=Message Key Key must be a random bit sequence as long
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationEncryption and Forensics/Data Hiding
Encryption and Forensics/Data Hiding 1 Cryptography Background See: http://www.cacr.math.uwaterloo.ca/hac/ For more information 2 Security Objectives Confidentiality (Secrecy): Prevent/Detect/Deter improper
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationOutline Basics of Data Encryption CS 239 Computer Security January 24, 2005
Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005 What is data encryption? Basic encryption mechanisms Stream and block ciphers Characteristics of good ciphers Page 1 Page 2 Data
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More information