Cryptography 2017 Lecture 3
|
|
- Asher McDowell
- 6 years ago
- Views:
Transcription
1 Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, / 1
2 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad (OTP) Perfect Secrecy Stream Ciphers Pseudo Random Generators (PRG) (unpredictable) Attacks!! Lecture 3 PRGs, PRFs and PRPs Block Ciphers (definition) Block Ciphers (examples: DES, AES) Block Ciphers (modes of operation: ECB, CBC, CTR) Lecture 4 Attacks against Block Cipher Modes Intro to Public Key Cryptography November 7, / 1
3 Block ciphers: motivation OTP has perfect secrecy... But... the secret key as long as the message instead of exchanging the secret key, we could directly exchange the message! we should never re-use a key (e.g., avoid attacks like against the Venona project) long message What if... we expand the short secret key, to obtain several new keys split a long message, into small blocks, and use the new keys to encrypt each block of the message? M 4 M 3 M 2 M 1 M 0 bit N... bit 3 bit 2 bit 1 bit 0 E K C 4 C 3 C 2 C 1 C 0 ciphertext as long as the message Block Cipher K November 7, / 1
4 Block ciphers Definition A block cipher is a cipher (E,D) where: E : {0,1} k {0,1} n {0,1} n and for each K K = {0,1} k and m M = {0,1} n, E (K,m) is invertible and it holds: D(K,c) = E 1 (K,m). Invertible: given one output there is only one input that maps to that output. key K k bits Key expansion n bits Plaintext - Block Pre computation K 1 K 2 l rounds K n Post computation Ciphertext - Block n bits Maps n-bits of input to n-bits of output. Examples 3DES: n = 64 bits, k = 168 bits AES: n = 128 bits, k = 128,192,256 bits November 7, / 1
5 What determines a block cipher? A block cipher is determined by the key and block length (the length of the key is connected to the security of the cipher) 2. the key expansion function (must be a secure PRG) 3. the round function (encrypts the message iteratively for n rounds using the rounds keys e.g., for DES n = 16 and for AES n = 10.) November 7, / 1
6 Reminder: What is a secure PRG? Definition A function G : {0,1} l {0,1} n with l n (i.e., l much smaller than n), is a secure Pseudo Random Generator (PRG), if for any efficient statistical test D (Distinguisher), it holds that: Pr[D(G(s)) = 1] Pr[D(r) = 1] is negligible (i.e., too small) for every s R {0,1} l, r R {0,1} n selected uniformly at random. Intuition space of output k s G k 2 s space of key k 1 k 1 image s 1 x Does x belong in the image or not? {0,1} l {0,1} n An adversary that sees the output of G cannot distinguish it from something completely random (i.e., coming from the uniform distribution). November 7, / 1
7 Pseudorandom function Pseudorandom function (Intuition) A pseudorandom function (PRF) defined over (K,M,C) i.e., F : K M C such that there exists an efficient algorithm to compute F(k,m) = F k (m) for all k K and m M and F k (for a uniform key k) is indistinguishable from a function chosen uniformly at random from the set of all possible functions S f. Secure PRF - Intuition m M F F k f f(m) or F k (m) S F S F : set of all possible functions from MX to to Y C F : set of all possible PRF functions from MX to to Y C f S F and F k F A PRF is secure if a random function f S f is indistinguishable from a random function F k F. November 7, / 1
8 Pseudorandom Permutation (block cipher) Definition PRF F is called Pseudo Random Permutation (PRP) if it holds: 1. M = C (i.e., the sets of the plaintext and the ciphertext are the same) 2. the function F(k, m) is one-to-one 3. there exists an efficient, deterministic algorithm to compute F(k,m) = E(k,m) for any message m M. 4. there exists an efficient, deterministic algorithm (the inverse of F) to compute: F 1 (k,c) = D(k,c), for any ciphertext c C. set X x 1 x 2 x 3 x 4 x 5 set Y f(x 2) f(x 1) set X x 1 x 2 x 3 x 4 x 5 set Y g(x 1) g(x 2) g(x 3) g(x 4) g(x 5) Deterministic Function For the same input it will always give the same output. A one-to-one function is also invertible: given one output there is always one input that maps to that output. This is not a One-to-One function One-to-One function: for each x X there is a singley Y November 7, / 1
9 Pseudorandom Permutation (block cipher) Definition PRF F is called Pseudo Random Permutation (PRP) if it holds: 1. M = C (i.e., the sets of the plaintext and the ciphertext are the same) 2. the function F(k, m) is one-to-one 3. there exists an efficient, deterministic algorithm to compute F(k,m) = E(k,m) for any message m M. 4. there exists an efficient, deterministic algorithm (the inverse of F) to compute: F 1 (k,m) = D(k,m), for any ciphertext c C. Examples of block ciphers (PRPs): AES: K M C where K = M = C = {0,1} DES: K M C where M = C = {0,1} 64, K = {0,1} 168. November 7, / 1
10 The Feistel Network The core of the DES block cipher! Given d functions f 1,...,f d : {0,1} n {0,1} n, build an invertible function F : {0,1} 2n {0,1} 2n "*.!%/& "*.!%/& ( -&, -&!"#$%& ( +& 0 +& ( 1&!&, +& 0 1& "!!&, 1& ( )*+&, )*+& 0 )&!& ( )&, )& '$%#$% F(L i,r i ) = (R i,f i+1 (R i ) L i ) = (L i+1,r i+1 ) Picture from Dan Boneh s online course November 7, / 1
11 The Feistel Network Given d functions f 1,...,f d : {0,1} n {0,1} n, build an invertible function F : {0,1} 2n {0,1} 2n F(L i,r i ) = (R i,f i+1 (R i ) L i ) = (L i+1,r i+1 ), for i = 1,...,d What is the inverse?! "#$%! "% ' "% "()*+,*%! "%!% ' "%! "#$% & "#$%!% & "% & "% & "#$% Lets write it: R i = L i+1 and L i = R i+1 f i+1(r i) = R i+1 f i+1(l i+1) (L i,r i ) = (f i+1 (L i+1 ) R i+1,l i+1 ) = F 1 (L i+1,r i+1 ) Picture from Dan Boneh s online course November 7, / 1
12 A Feistel Network with Keys A Feistel network is a general method for building invertible functions from arbitrary functions. It is used in many block ciphers (including DES). Theorem (Luby-Rackoff 85) If f : K {0,1} n {0,1} n is a secure PRF then a 3-round Feistel Network is a secure PRP (block cipher). DES: 16 round of Feistel Network However it has been badly broken! (not due to the Feistel network) November 7, / 1
13 DES: the Data Encryption Standard key K k bits Key expansion K M C 56 bits 64 bits 64 bits 64 bits Plaintext - Block Initial Permutation K 1 K 2 K rounds of Feistel network Inverse Permutation Ciphertext - Block 64 bits In order to invert use the round keys in reverse order. November 7, / 1
14 DES: the Data Encryption Standard 32 bits 48 bits x k i 48 bits expansion box replicates and moves bits around 48 f(k i,x) S-boxes (substitution boxes) S i : {0,1} 6 {0,1} S 1 S 2 S 3 S 4 S 5 S 6 S 7 S bits P permutation box 32 bits November 7, / 1
15 DES: the Data Encryption Standard - S-boxes S i : {0,1} 6 {0,1} 4 What is the output of in S 5? To guarantee security, the S-boxes should be chosen carefully. The output bits should be as far as possible from linear functions of the input bits. Choosing the S-boxes & the P-box at random would result in an insecure block cipher (key recovery after 2 24 outputs) Info from Dan Boneh s online course. November 7, / 1
16 DES challenge - Exhaustive search attacks! 64-bits 64-bits 64-bits msg = The unkn own mess age is: XXXX... CT = c 1 c 2 c 3 c 4 c 5 c 6 Goal Find k {0,1} 56 such that DES(K,m i) = c i for i = 1,2,3. History of the DES challenge 1997: Internet search 3 months 1998: EFF machine (deep crack) 3 days (250K$) 1999: combined search 22 hours 2006: COPACOBANA (120 FPGAs) 7 days (10K$) Conclusion: 56-bit ciphers should not be used! Badly Broken! Info from Dan Boneh s online course November 7, / 1
17 Strengthening DES: Triple DES Triple-DES (3DES) Let (E,D) be the DES cipher, we define 3DES: K 3 {0,1} 64 {0,1} 64 as: 3E((k 1,k 2,k 3),block) = E(k 1,D(k 2,E(k 3,block))) Main advantage Backwards compatibility: 3DES = DES when k 1 = k 2 = k 3 (e.g., for hardware implementations). Disadvantages 3DES is 3 times slower than DES A successful attack can be performed against 3DES that run in time Despite the attack it is considered safe enough but not efficient! November 7, / 1
18 Quiz Question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS 3DES - Decryption How is defined the decryption algorithm of 3DES? A D ( k 3,E(k 2,D(k 1,c)) ) B D ( k 1,E(k 2,D(k 3,c)) ) C D ( k 1,D(k 2,D(k 3,c)) ) D E ( k 1,D(k 2,D(k 3,c)) ) Reminder: 3E((k 1,k 2,k 3),block) = E(k 1,D(k 2,E(k 3,block))) Answer: 3D ( (k 1,k 2,k 3),block ) = D(k 3,E(k 2,D(k 1,block))) November 7, / 1
19 Why not double DES? Double-DES is defined as follows 2E ( (k 1,k 2),block ) = E ( k 1,E(k 2,block) ) The key length for double-des is (56 2) = 112 Thus possible keys! (big enough to avoid standard exhaustive search) Badly Broken! But... Double-DES is vulnerable to Meet-in-the-Middle Attacks Intuition: Rewrite E ( k 1,E(k 2,m) ) = c as E(k 2,m) = D(k 1,c) Build two lookup tables and check for the terms that match! Remember: This attack works for all double-encryption ciphers! November 7, / 1
20 The meet in the middle attack m c=e(k 1,E(k 2,m)) Alice Eve Bob Alice and Bob share two secret keys k 1 and k 2. Step 1: Eve gets access to a pair of plaintext, ciphertext (m,c). Remember: 2DES can be re-written as: E(k 2,m) = D(k 1,c) Step 2: Eve builds a table with all possible encryptions of m (using all possible values of k 2 ) and Step 3: Eve computes all possible decryptions of c (using all possible values of k 1 ). Question: What is Eve looking for in the table? Step 4: Eve looks for a match of the decryption to be equal to the encryption i.e., E(k 2,m) = D(k 1,c) Required time: 2 56 log(2 56 ) }{{} +256 log(2 56 ) }{{} < k 2 = k 0 E(k 0,m) k 0 D(k 0,c) k 1 E(k 1,m) k 1 D(k 1,c) build & sort a table search in a sorted table 2 63 This attack is feasible!! k i E(k i,m) k 1 = k i D(k i,c).... k 256 E(k 256,m) k 256 D(k 1,c) November 7, / 1
21 Evolution block ciphers Early 1970s: Horst Feistel designs Lucifer at IBM (key-length = 128 bits, block-length=128 bits) 1973: NBS (National Bureau of Standards) asks for block cipher proposals. (IBM submits variant of Lucifer) 1976: NBS adopts DES as a federal standard (key-length=56 bits, block-length=64 bits) 1997: DES broken by exhaustive search 1997: NIST (National Institute for Standards & Technology) publishes a request for new proposals (15 submissions and 5 finalists). 2000: NIST adopts Rijndael as AES (Advanced Encryption Standard) to replace DES Info from Dan Boneh s online course November 7, / 1
22 AES: the Advance Encryption Standard 128, 192 or 256 bits 128 bits 128 bits Key expansion K M C Plaintext Block K K 1 0 ByteSub Subrow ByteSub Subrow K 2 K 10 MixColumns MixColumns 128 bits 128 bits 4x4 bytes 4x4 bytes 10 rounds 10 rounds for 128-bit key 12 rounds for 192-bit key 14 rounds for 256-bit key ByteSub K Subrow Ciphertext Block November 7, / 1
23 AES and its subroutines November 7, / 1
24 AES vs. DES AES Based on a substitution-permutation network. Due to the substitution network all bits are changed at every round! The substitution tables are invertible. The decryption is simply the inverse order of all operations performed during encryption. The known key recovery attack against AES-128 takes time (infeasible). Related key attacks on AES (still infeasible) DES Based on Feistel networks. Due to the Feistel Network half of the bits are not changed from round to round. The S-boxes are not invertible. The decryption is based on the invertibility of the Feistel network. Efficient but broken! (key is 56 bits long is too short). 3DES secure but 3 times slower! November 7, / 1
25 Modes of Operation How do basic block ciphers work? So now we know how to encrypt a block of a message with a block cipher. long message M 4 M 3 M 2 M 1 M 0 bit N... bit 3 bit 2 bit 1 bit 0 E K K C 4 C 3 C 2 C 1 C 0 ciphertext as long as the message Block Cipher But wait! How do we move from one block to the other? November 7, / 1
26 Modes of Operation Modes of operation: ECB (Electronic Code Book) ECB is the simplest mode of encryption for a block cipher. Each block of the plaintext is encrypted separately and with the same key! November 7, / 1
27 Modes of Operation Quiz Question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS ECB (Electronic Code Book) Suppose that in a plaintext we are encrypting two blocks are equal e.g., m 1 = m 2. How wound the corresponding ciphertext blocks c 1 and c 2 look like? A c 2 = c 1 m 1 B c 2 = m 1 m 2 C c 1 = c 2 D c 1 = m 2 Problem: Since the encryption is deterministic (not randomised), equal plaintext blocks will have equal ciphertext blocks. How to solve this and get different ciphertexts when using the same plaintext and the same key? November 7, / 1
28 Modes of Operation Modes of operation: ECB example Original Image Plaintext Encryption with ECB mode Encryption with other mode of operation November 7, / 1
29 Modes of Operation Modes of operation: Cipher Block Chaining (CBC) Let (E,D) be a block cipher. The CBC block cipher is defined as follows. E CBC (k,m): choose a random IV {0,1} nt and do: IV: random Initialisation Vector./& '()*& '(+*& '(,*& '(-*& & & & &!"#$ %&!"#$ %&!"#$ %&!"#$ %&./& 0()*& 0(+*& 0(,*& 0(-*& & Each ciphertext-block is chained and XOR-ed to the next plaintext block. The ciphertext is longer than the plaintext due to the IV. Picture from Dan Boneh s online course. November 7, / 1
30 Modes of Operation Modes of operation: CBC - Decryption Circuit Let (E,D) be a block cipher. For the CBC block cipher the decryption is defined as follows: IV: random Initialisation Vector /0&.()*&.(+*&.(,*&.(-*&!"#$ %&!"#$ %&!"#$ %&!"#$ %& & & & & '()*& '(+*& '(,*& '(-*& Attention: In the next lecture we will show that CBC with random IV is not secure! Picture from Dan Boneh s online course. November 7, / 1
31 Modes of Operation Modes of operation: Nonce-based CBC Useful for the first home assignment! key = (k,k 1 ) Unique nonce means: (key,n) pair is used for only one message. nonce!"! m[0] m[1] m[2] m[3] IV: random Initialisation Vector E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) nonce c[0] c[1] c[2] c[3] ciphertext The nonce is included in the ciphertext only if it is unknown to the recipient. Picture from Dan Boneh online course. November 7, / 1
32 Modes of Operation Modes of operation: Nonce-based CBC (Useful for 1st Home Assignment) What should we do when the last block of the message is shorter than the cipher s block size? Padding! IV: random Initialisation Vector IV!"!" m[0] m[1] m[2] m[3] ll pad E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] In TLS we pad with n repetitions of the number n where n = block size - length of m[3] n n n! n if n=0 add a dummy block with all zeros #$%&'$() (*#+,-) ($.#/01&,) Picture from Dan Boneh online course. November 7, / 1
33 Modes of Operation Modes of operation: CTR (deterministic counter mode) Let (E,D) be a block cipher. The CTR block cipher is defined as follows: E(k,m): pick a random IV {0,1} nt and do: *+%!,-%!"#$%!"&$% '%!"#$%&'(!"#$%&)*'( '% IV: random Initialisation Vector!"($%!"#$%&)+'( % *+% )"#$% )"&$% '% )"($% )./ % Remember: The IV is chosen at random for every message! Note: parallelizable (unlike CBC) To guarantee F(k,x) is never used more than once, choose IV as: /01$ nonce 23$%&'($!"#$%&'($ )*+,'-.$ 23$%&'($ ('4.'($4'$5$ 6*.$-7-.8$9(:$ Picture from Dan Boneh online course. November 7, / 1
34 Modes of Operation Things to Remember Things to remember What is a block cipher? How does DES and AES work? How does the meet-in the middle attack work in double DES? How the different modes of operation in block ciphers work? November 7, / 1
35 Modes of Operation Announcement - Home Assignment 1 Home assignment 1, Cryptography course The assignment consists of two largely independent parts. In the first (and main) part you will study a well-known attack on an SSL channel and answer some questions. In the second part, you will encrypt your solution using gpg before submitting it. Home assignment 1 is on the web, ready to be attacked! Discusses side-channel attack on CBC mode. Shows vulnerability in widely used software (OpenSSL). Password to IMAP mail accounts discovered in less than one hour. Deadline: next Tuesday (November 14)! Remember: You must upload at least one solution to Home Assignment 1 Before next Tuesday (14/11/2017) at midnight! November 7, / 1
36 Modes of Operation Preview of MAC mentioned in Assignment 1 In the 1st Assignment we talk about MACs (Message Authentication Codes). Although you will not work with MACs directly, lets see what is a MAC! Alice! Generate tag: S(k,m) = tag Definition message tag Bob k Verify tag: V(k,m,tag)? = yes A MAC can be used in secret key cryptography to guarantee integrity of a message. Even if a message is long the MAC (tag) of a message is very short (e.g., 90 or 100 bits). A Message Authentication Code MAC = (S,V) is a pair of algorithms definer over (K, M, T ) with the following properties: S : K M T is a signing algorithm that takes as input a key k and a message m and outputs a tag t = S(k,m) V : K M T {yes,no} is a verification algorithm that checks if t is a valid tag for m under the key k. If so, the verification( outputs yes, ) otherwise it outputs no. Consistency requirement: k K, m M : V k,m,s(k,m) = yes November 7, / 1
37 Modes of Operation Conditional Probability used in Assignment 1 Let us consider two events: Event A: The forecast predicts rain for today. Event B: It rains today. Conditional Probability Conditional Probability P(A B) is the probability of observing event A given that event B is true. To calculate it we use the following rule: P(B A) = P(B A) P(A) November 7, / 1
38 Modes of Operation References: Cryptography and Network Security: Principles and practice (Chapters , , 7.1, 6.2, and 6.3.) Introduction to Modern Cryptography, Lindell and Katz (Chapter 6.2, 3.5.1, and 3.6.2) Thank you for your attention! November 7, / 1
Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationSecurity and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers
Security and Cryptography 1 Stefan Köpsell, Thorsten Strufe Module 5: Pseudo Random Permutations and Block Ciphers Disclaimer: large parts from Mark Manulis and Dan Boneh Dresden, WS 14/15 Reprise from
More informationCourse Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationCrypto: Symmetric-Key Cryptography
Computer Security Course. Song Crypto: Symmetric-Key Cryptography Slides credit: Dan Boneh, David Wagner, Doug Tygar Overview Cryptography: secure communication over insecure communication channels Three
More informationIntroduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space
Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationBlock ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCryptography (cont.)
CSE 484 / CSE M 584 (Autumn 2011) Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More information3 Symmetric Cryptography
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 3 Symmetric Cryptography Symmetric Cryptography Alice Bob m Enc c = e k (m) k c c Dec m = d k (c) Symmetric cryptography uses the same secret key k for encryption
More informationNew Kid on the Block Practical Construction of Block Ciphers. Table of contents
New Kid on the Block Practical Construction of Block Ciphers Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Substitution-permutation
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationScanned by CamScanner
Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Symmetric-Key Cryptography CS 161: Computer Security
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationSymmetric-Key Cryptography
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016 Announcements Project due Sept 20 Special guests Alice Bob The attacker (Eve - eavesdropper, Malice) Sometimes Chris
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationBlock Cipher Operation. CS 6313 Fall ASU
Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationCryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi
Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)
More informationCryptography: Symmetric Encryption [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption [continued] Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationIntroduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationSymmetric key cryptography
The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationLecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 5 Portland State University Jan. 23, 2018 Lecturer: Fang Song Draft note. Version: January 25, 2018. Email fang.song@pdx.edu for comments and
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationSecret Key Cryptography
Secret Key Cryptography General Block Encryption: The general way of encrypting a 64-bit block is to take each of the: 2 64 input values and map it to a unique one of the 2 64 output values. This would
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationCSC574: Computer & Network Security
CSC574: Computer & Network Security Lecture 3 Prof. William Enck Spring 2016 (Derived from slides by Micah Sherr, Patrick McDaniel, and Peng Ning) Modern Cryptography 2 Kerckhoffs Principles Modern cryptosystems
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions
ENEE 457: Computer Systems Security 09/12/16 Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions Charalampos (Babis) Papamanthou Department of Electrical and Computer
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationCS 161 Computer Security. Week of September 11, 2017: Cryptography I
Weaver Fall 2017 CS 161 Computer Security Discussion 3 Week of September 11, 2017: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric key
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationL3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015
L3. An Introduction to Block Ciphers Rocky K. C. Chang, 29 January 2015 Outline Product and iterated ciphers A simple substitution-permutation network DES and AES Modes of operations Cipher block chaining
More informationWeek 4. : Block Ciphers and DES
Week 4. : Block Ciphers and DES Model of Symmetric Cryptosystem Cryptanalyst Adversary M K E Insecure Channel D Plaintext M Ciphertext C Secure Channel Plaintext M Key K Shared Secret Key C = E K (M) D
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationNetwork Security Essentials
Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science
More informationIntroduction to Modern Symmetric-Key Ciphers
Introduction to Modern Symmetric-Key Ciphers 1 Objectives Review a short history of DES. Define the basic structure of DES. List DES alternatives. Introduce the basic structure of AES. 2 Data Encryption
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationCS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES
CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES PREPARED BY R.CYNTHIA PRIYADHARSHINI AP/IT/SREC Block Ciphers A block cipher is an encryption/decryption scheme in which a block of plaintext is treated
More informationENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms
ENEE 459-C Computer Security Symmetric key encryption in practice: DES and AES algorithms A perfect encryption of a block Say you have a block of n bits You want to encrypt it You want to use the same
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationApplied Cryptography Data Encryption Standard
Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationSymmetric Key Cryptography
Symmetric Key Cryptography Jooyoung Lee School of Computing (GSIS), KAIST Outline 1. Introduction to Symmetric Key Crypto 2. Stream Ciphers 3. Block Ciphers 3.1 DES 3.2 AES 3.3 Modes of Operations 3.4
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More information