Symmetric and Password-based encryption. CS642: Computer Security. Professor Ristenpart http:// rist at cs dot wisc dot edu
1 Symmetric and Password-based encryption
CS642: Computer Security
Professor Ristenpart
http:// rist at cs dot wisc dot edu
University of Wisconsin CS 642
2 Symmetric encryption
Key generation: Kg takes randomness R_k and outputs K (handled in TLS key exchange)
Enc takes K, M and optional randomness R and outputs C
Dec takes K and C and outputs M or error
C is a ciphertext
Correctness: D( K, E(K,M,R) ) = M with probability 1 over randomness used
3 In TLS symmetric encryption underlies the Record Layer
[Figure: client and http://amazon.com share K; Enc takes K, R, M and outputs C; Dec takes K, C and outputs M or error]
What security properties do we need from symmetric encryption?
1) Confidentiality: should not learn any information about M
2) Authenticity: should not be able to forge messages
Often referred to as Authenticated Encryption security
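4 Active security of CBC mode
[Figure: CBC-mode encryption: IV and blocks M1, M2, M3 pass through E_K to give C0, C1, C2, C3]
What about forging a message? Pick any C0, C1
[Figure: C0, C1 decrypted with D_K to IV, M1]
Better yet, for any D:
[Figure: the same decryption with D applied to C0; labels IV, M1, D, D_K, C0, C1]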
5 Hash functions and message authentication
Hash function H maps arbitrary bit string to fixed length string of size m
[Figure: M goes through H to give H(M)]
MD5: m = 128 bits
SHA-1: m = 160 bits
SHA-256: m = 256 bits
Some security goals:
- collision resistance: can't find M != M' such that H(M) = H(M')
- preimage resistance: given H(M), can't find M
- second-preimage resistance: given H(M), can't find M' s.t. H(M') = H(M)
6 Hash function application example
Password hashing. Choose random salt and store (salt,h) where:
[Figure: salt || pw goes through H to give h]
The idea: Attacker, given (salt,h), should not be able to recover pw
Or can they?
For each guess pw':
  If H(salt || pw') = h then Ret pw'
Rainbow tables speed this up in practice by way of precomputation.
Large salts make rainbow tables impractical
7 Message authentication
Key generation: Kg takes randomness R_k and outputs K
Tag takes K, M and randomness R and outputs T
R is optional. If no randomness, then called a Message Authentication Code (MAC)
Ver takes K, M, T and outputs 0 or 1
Correctness: Ver( K, Tag(K,M,R) ) = 1 with probability 1 over randomness used
Unforgeability: Attacker can't find M,T such that V(K,M,T) = 1
8 Recall PRF security
F: {0,1}^k x {0,1}^* -> {0,1}^n
Security goal: F(K,M) is indistinguishable from random n-bit string for anyone without K
For M_1, M_2, ..., M_q chosen by adversary and distinct:
F(K,M_1), F(K,M_2), ..., F(K,M_q)
U_1, U_2, ..., U_q (U_i is fresh n-bit uniform string)
Adversary that adaptively chooses messages but is limited to reasonable q (e.g., q = 2^40) can't distinguish between two vectors
This means outputs of F are unpredictable: Given F(K,M_1), F(K,M_2), ..., F(K,M_{q-1}) no attacker can predict F(K,M_q) with probability 1/2^n + negligible
9 Any PRF is a good MAC
Key generation: Kg takes randomness R_k and outputs K
Tag takes K, M and randomness R and outputs T
R is optional. If no randomness, then called a Message Authentication Code (MAC)
Ver takes K, M, T and outputs 0 or 1
Correctness: Ver( K, Tag(K,M,R) ) = 1 with probability 1 over randomness used
Unforgeability: Attacker can't find M,T such that V(K,M,T) = 1
10 Any PRF is a good MAC
Key generation: Kg takes randomness R_k and picks uniform key K for F
Tag: on input M, output T = F(K,M)
Ver: on input M, T, check F(K,M) = T? and output 0 or 1
How do we instantiate F?
11 Message authentication with HMAC
Use a hash function H to build a MAC.
Kg outputs uniform bit string K
Tag(K,M) = HMAC(K,M) defined by:
[Figure: K with ipad, followed by M, goes through H to give h; K with opad, followed by h, goes through H to give T]
ipad != opad are constants
To verify a M,T pair, check if HMAC(K,M) = T
Unforgeability holds if H is a secure PRF when so-keyed
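The HMAC definition on slide 11, written out as an added example (not code from the lecture). It assumes H = SHA-256 and the standard pad bytes 0x36 and 0x5c; the function names are hypothetical. The result is cross-checked against Python's own hmac module.

```python
import hashlib
import hmac

BLOCK_SIZE = 64          # SHA-256 consumes its input in 64-byte blocks
IPAD, OPAD = 0x36, 0x5C  # the two distinct constants (ipad != opad)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """T = H((K xor opad) || h), where h = H((K xor ipad) || M)."""
    if len(key) > BLOCK_SIZE:
        # Keys longer than one block are hashed first.
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # pad K to exactly one block
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    h = hashlib.sha256(inner_key + msg).digest()
    return hashlib.sha256(outer_key + h).digest()


def tag(key: bytes, msg: bytes) -> bytes:
    """Tag(K,M) = HMAC(K,M); no randomness, so this is a MAC."""
    return hmac_sha256(key, msg)


def ver(key: bytes, msg: bytes, t: bytes) -> int:
    """Recompute the tag and compare in constant time; returns 0 or 1."""
    return int(hmac.compare_digest(hmac_sha256(key, msg), t))


def agrees_with_stdlib(key: bytes, msg: bytes) -> bool:
    """Check the hand-written construction against hmac.new()."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    k = bytes(range(32))                    # constructed sample key
    m = b"record 7: transfer 10 to alice"   # constructed sample message
    t = tag(k, m)
    print("tag:", t.hex())
    print("matches stdlib:", agrees_with_stdlib(k, m))
    print("valid pair accepted:", ver(k, m, t))
    print("modified message accepted:", ver(k, m.replace(b"10", b"99"), t))
```

The comparison in ver uses hmac.compare_digest rather than ==, so the time taken does not depend on how many leading bytes of a submitted tag are correct.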
12 Build a new scheme from CBC and HMAC
Kg outputs CBC key K1 and HMAC key K2
Several ways to combine:
(1) encrypt-then-mac
(2) mac-then-encrypt
(3) encrypt-and-mac
[Figure: block diagrams of the three compositions; each takes M, uses CBC with K1 and HMAC with K2, and outputs C, T in (1) and (3) and C in (2)]
13 Build a new scheme from CBC and HMAC
Kg outputs CBC key K1 and HMAC key K2
Several ways to combine:
(1) encrypt-then-mac
(2) mac-then-encrypt
(3) encrypt-and-mac
[Figure: composition (1): M goes through CBC with K1 to give C; C goes through HMAC with K2 to give T]
Thm. If encryption scheme provides confidentiality against passive attackers and MAC provides unforgeability, then Encrypt-then-MAC provides secure authenticated encryption
14 TLS record protocol: MAC-Encode-Encrypt (MEE)
[Figure: MAC is computed over SQN + comp method and Payload; Payload, MAC tag and Padding are then encrypted; the record is Header followed by Ciphertext]
Padding is not MAC'd. Implementations must handle padding checks very carefully.
MAC: HMAC-MD5, HMAC-SHA1, HMAC-SHA256
Encrypt: CBC-AES128, CBC-AES256, CBC-3DES, RC4-128
15 Dedicated authenticated encryption schemes
Scheme | Inventors | Notes
OCB (Offset Codebook) | Rogaway | One-pass
GCM (Galois Counter Mode) | McGrew, Viega | CTR mode plus specialized MAC
CWC | Kohno, Viega, Whiting | CTR mode plus Carter-Wegman MAC
CCM | Housley, Ferguson, Whiting | CTR mode plus CBC-MAC
EAX | Wagner, Bellare, Rogaway | CTR mode plus OMAC
16 Symmetric Encryption Advice
Never use CTR mode or CBC mode by themselves
Passive security is almost never good enough!!
Encrypt-then-MAC better than MAC-then-Encrypt, Encrypt and MAC
Dedicated modes that have been analyzed thoroughly are also good
17 Password-based symmetric encryption
Enc takes pw, M and optional randomness R and outputs C
Dec takes pw and C and outputs M or error
C is a ciphertext
Correctness: D( pw, E(pw,M,R) ) = M with probability 1 over randomness used
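18 Encrypt-then-MAC with CBC and HMAC
[Figure: CBC encryption of M1, M2, M3 under E_K1 with IV gives C = C0, C1, C2, C3; K2 with ipad, followed by C, goes through H to give h; K2 with opad, followed by h, goes through H to give T]
Ciphertext is C,T
How do we use with a pw?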
19 Password-based Key Derivation (PBKDF)
PBKDF(pw,salt):
[Figure: pw || salt || 1 goes through H repeatedly (repeat c times), truncated if needed, to give K1; pw || salt || 2 likewise gives K2]
20 PBKDF + Symmetric encryption yields PW-based encryption
Enc(pw,M,R):
  salt || R' = R
  K = PBKDF(pw,salt)
  C' = Enc'(K,M,R')
  Return (salt,C')
Dec(pw,C):
  salt || C' = C
  K = PBKDF(pw,salt)
  M = Dec'(K,C')
  Return M
Here Enc' is a normal symmetric encryption scheme (CBC+HMAC)
Attacks?
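A runnable version of the Enc(pw,M,R) / Dec(pw,C) structure from slides 18 to 20, added here as an example (not code from the lecture). Assumptions: PBKDF2-HMAC-SHA256 is the PBKDF, and because Python's standard library has no block cipher, an HMAC-based counter keystream stands in for CBC as the passive-secure encryption step; all names and parameter values are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed iteration count c
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


class DecryptionError(Exception):
    """The 'error' output of Dec: wrong password or modified ciphertext."""


def derive_keys(pw: bytes, salt: bytes, c: int = ITERATIONS):
    # Asking PBKDF2-HMAC-SHA256 for 64 bytes makes it compute output
    # blocks 1 and 2, the counterpart of the slide's K1 and K2.
    okm = hashlib.pbkdf2_hmac("sha256", pw, salt, c, dklen=64)
    return okm[:32], okm[32:]  # K1 encrypts, K2 authenticates


def _keystream(k1: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for CBC (assumption): a PRF, here HMAC, run in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k1, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(pw: bytes, msg: bytes, r: bytes = None, c: int = ITERATIONS) -> bytes:
    """Enc(pw,M,R): salt || R' = R, K = PBKDF(pw,salt), encrypt, then MAC."""
    if r is None:
        r = os.urandom(SALT_LEN + NONCE_LEN)
    if len(r) != SALT_LEN + NONCE_LEN:
        raise ValueError("R must be salt || nonce")
    salt, nonce = r[:SALT_LEN], r[SALT_LEN:]
    k1, k2 = derive_keys(pw, salt, c)
    body = _xor(msg, _keystream(k1, nonce, len(msg)))
    # The tag covers salt and nonce too, so none of the public parts
    # can be changed without detection.
    t = hmac.new(k2, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + t


def dec(pw: bytes, blob: bytes, c: int = ITERATIONS) -> bytes:
    """Dec(pw,C): re-derive K from the stored salt, verify T, then decrypt."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise DecryptionError("ciphertext too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body, t = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    k1, k2 = derive_keys(pw, salt, c)
    expected = hmac.new(k2, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):  # check before any decryption
        raise DecryptionError("wrong password or modified ciphertext")
    return _xor(body, _keystream(k1, nonce, len(body)))


if __name__ == "__main__":
    pw, msg = b"correct horse", b"constructed sample plaintext"
    blob = enc(pw, msg)
    print("round trip ok:", dec(pw, blob) == msg)
    tampered = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:]
    for label, args in (("wrong password", (b"guess", blob)),
                        ("flipped bit", (pw, tampered))):
        try:
            dec(*args)
        except DecryptionError as e:
            print(label, "->", e)
```

A wrong password and a tampered ciphertext fail the same tag check, and each Dec call costs a full c-iteration derivation, which is the per-guess cost the PBKDF is meant to impose.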
21 [Table with columns: Rank, Password, Number of Users with Password (absolute). Surviving password entries: Password, iloveyou, princess, rockyou, abc; from rank 11: Nicole, Daniel, babygirl, monkey, Jessica, Lovely, michael, Ashley, Qwerty]
From an Imperva study of released RockMe.com password database 2010
22 Brute-force attacks
Given known plaintext, ciphertext pair: M and C = Enc(pw,M)
Enumerate a dictionary D of possible passwords, in order of likelihood
BruteForce1(M,C):
  R || C' = C
  foreach pw* in D do
    C* = Enc(pw*,M,R)
    If C* = C then Return pw*
R is salt || IV in CBC-based modes
Both are public: C = salt || IV || C1
[Figure: first CBC block: IV (C0) and M1 go through E_K1 to give C1]
23 Brute-force attacks
Given known plaintext, ciphertext pair: M and C = Enc(pw,M)
Enumerate a dictionary D of possible passwords, in order of likelihood
BruteForce1(M,C):
  R || C' = C
  foreach pw* in D do
    C* = Enc(pw*,M,R)
    If C* = C then Return pw*
BruteForce2(C):
  foreach pw* in D do
    M* = Dec(pw*,C)
    If M* looks right then Return (pw*,M*)
24 PBKDF design attempts to slow down brute-force attacks
[Figure: pw || salt || 1 goes through H repeatedly, truncated if needed, to give K1]
Iterating c times should slow down attacks by factor of c
Salts:
Different derived keys, even if same password
Slows down attacks against multiple users
Prevents precomputation attacks, if salts chosen correctly
25 Say c =
Generous back of envelope* suggests that in 1 second, can test 252 passwords and so a naïve brute-force:
6 numerical digits | 10^6 = 1,000,000 | ~ 3968 seconds
6 lower case alphanumeric digits | 36^6 = 2,176,782, | ~ 99 days
8 alphanumeric + 10 special symbols | = 722,204,136,308,736 | ~ 33 million days
* I did the arithmetic
26 WPA passwords
[Figure: AP and station exchanging the handshake]
PMK = PBKDF( pw, ssid || ssidlength ) with c = 4096
PTK = H( PMK || ANonce || SNonce || AP MAC address || STA MAC address )
MIC = HMAC-MD5(PTK, 2nd message)
So after sniffing one handshake by another party, we can mount offline brute force attack
27 WPA passwords
[Figure: AP and station exchanging the handshake]
PMK = PBKDF( pw, ssid || ssidlength ) with c = 4096
PTK = H( PMK || ANonce || SNonce || AP MAC address || STA MAC address )
MIC = HMAC-MD5(PTK, 2nd message)
BruteForce(MIC,ANonce,SNonce,2nd message):
  foreach pw* in D do
    PMK* = PBKDF(pw*,ssid || ssidlength)
    PTK* = H(PMK* || ANonce || ...)
    MIC* = HMAC-MD5(PTK*, 2nd message)
    If MIC* = MIC then Return pw*
28 We can also use precomputation for common SSIDs
PMK = F(pw,ssid)
MIC = G(PMK,data)
PMK = PBKDF( pw, ssid || ssidlength ) with c = 4096
PTK = H( PMK || ANonce || SNonce || AP MAC address || STA MAC address )
MIC = HMAC-MD5(PTK, 2nd message)
Offline(D,SsidList):
  foreach pw* in D do
    foreach ssid* in SsidList do
      PMK* = F(pw*,ssid*)
      T[PMK*] = pw*
      Add PMK* to P[ssid*]
  Return P,T
Online(P,T,MIC,ANonce, ...):
  foreach PMK* in P[ssid] do
    MIC* = G(PMK*,data)
    If MIC* = MIC then Return T[PMK*]
Time-space trade-off
29 Password recap
Short passwords can be cracked easily
See also: JohnTheRipper, aircrack, tools
Salting and iteration are helpful and needed
Salts must be sufficiently large and unpredictable
Still possible to crack in some cases
From xkcd.com
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationWireless Security i. Lars Strand lars (at) unik no June 2004
Wireless Security - 802.11i Lars Strand lars (at) unik no June 2004 802.11 Working Group 11 of IEEE 802 'Task Groups' within the WG enhance portions of the standard: 802.11 1997: The IEEE standard for
More informationMaking Password Checking Systems Be7er
Making Password Checking Systems Be7er Tom Ristenpart Covering joint work with: Anish Athayle, Devda
More informationCryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security
Recall from last lecture Cryptography To a first approximation, attackers control network Next two lectures: How to defend against this 1. Communicate securely despite insecure networks cryptography 2.
More informationHash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6
Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6 David Cash University of Chicago Plan 1. A few points about hash functions 2. Introducing Public-Key Encryption 3. Math for
More informationPlaintext-Recovery Attacks Against Datagram TLS
Information Security Group Royal Holloway, University of London 6th Feb 2012 Contents 1 Results 2 3 4 Padding Oracle Realisation Against OpenSSL 5 Attacking the GnuTLS Implementation of DTLS 6 Results
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationIDEA, RC5. Modes of operation of block ciphers
C 646 - Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van
More informationLecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 8 Message Authentication COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers
More information