Cryptography: Symmetric Encryption [continued]

Transcription

1 CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption [continued] Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

2 Announcements Homework 2 (on crypto) will be out early next week. 10/21/16 CSE 484 / CSE M Fall

3 Participatory Security Mindset Anecdote Cyberwarfare class gave an unfair exam on short notice: 10/21/16 CSE 484 / CSE M Fall

4 Participatory Security Mindset Anecdote Cyberwarfare class gave an unfair exam on short notice: For this exam, you will be required to write down the first 100 digits of pi. 10/21/16 CSE 484 / CSE M Fall

5 Participatory Security Mindset Anecdote Cyberwarfare class gave an unfair exam on short notice: For this exam, you will be required to write down the first 100 digits of pi. You may cheat on this exam. 10/21/16 CSE 484 / CSE M Fall

6 My favorites Write 100 digits of pi on a piece of paper before the exam. Turn it in. Write followed by 90 random digits. Turn it in, assuming graders too lazy to check past the first 10 digits 10/21/16 CSE 484 / CSE M Fall

7 Achieving Privacy (Symmetric) Encryption schemes: A tool for protecting privacy. M Encrypt C Decrypt M Alice K K Message = M Ciphertext = C Adversary K Bob K 10/21/16 CSE 484 / CSE M Fall

8 Block Ciphers Operates on a single chunk ( ) of plaintext For example, 64 bits for DES, 128 bits for AES Each key defines a different permutation Same key is reused for each (can use short keys) Plaintext Key Ciphertext 10/21/16 CSE 484 / CSE M Fall

9 Permutations K 1 K For N-bit input, 2 N! possible permutations Time and cost of breaking the exceed the value and/or useful lifetime of protected information 10/21/16 CSE 484 / CSE M Fall

10 Block Cipher Operation (Simplified) Block of plaintext Key S S S S S S S S repeat for several rounds S S S S Block of text Add some secret key bits to provide confusion Each S-box transforms its input bits in a random-looking way to provide diffusion (spread plaintext bits throughout text) Procedure must be reversible (for decryption) 10/21/16 CSE 484 / CSE M Fall

11 Standard Block Ciphers DES: Data Encryption Standard Feistel structure: builds invertible function using noninvertible ones Invented by IBM, issued as federal standard in bit s, 56-bit key + 8 bits for parity AES: Advanced Encryption Standard New federal standard as of 2001 NIST: National Institute of Standards & Technology Based on the Rijndael algorithm Selected via an open process 128-bit s, keys can be 128, 192 or 256 bits 10/21/16 CSE 484 / CSE M Fall

12 Encrypting a Large Message with AES 128-bit size, but plaintext is longer. 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit text What should we do? 10/21/16 CSE 484 / CSE M Fall

13 Electronic Code Book (ECB) Mode plaintext 640 bits key key key key key 5x128 text 640 bits 5x128 10/21/16 CSE 484 / CSE M Fall

14 Information Leakage in ECB Mode Encrypt in ECB mode [Wikipedia] 10/21/16 CSE 484 / CSE M Fall

15 Information Leakage in ECB Mode Encrypt in ECB mode [Wikipedia] 10/21/16 CSE 484 / CSE M Fall

16 Electronic Code Book (ECB) Mode plaintext key key key key key text Identical s of plaintext produce identical s of text No integrity checks: can mix and match s 10/21/16 CSE 484 / CSE M Fall

17 Cipher Block Chaining (CBC) Mode plaintext key key key key key text 10/21/16 CSE 484 / CSE M Fall

18 Cipher Block Chaining (CBC) Mode: Encryption plaintext Initialization vector (random) key key key key Sent with text (preferably encrypted) text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity 10/21/16 CSE 484 / CSE M Fall

19 CBC Mode: Decryption plaintext Initialization vector key key key key decrypt decrypt decrypt decrypt text 10/21/16 CSE 484 / CSE M Fall

20 ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext s produce similar text s (not good!) [Picture due to Bart Preneel] 10/21/16 CSE 484 / CSE M Fall 2016 slide 20 20

21 CBC and Electronic Voting plaintext Initialization vector (supposed to be random) key key key key DES DES DES DES text Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_*)tmp, (des_c_*)record.m_data, totalsize, DESKEY, NULL, DES_ENCRYPT) 10/21/16 CSE 484 / CSE M Fall

22 Counter Mode (CTR): Encryption Initial ctr (random) ctr ctr+1 ctr+2 ctr+3 Key Key Key Key pt pt pt pt text Identical s of plaintext encrypted differently Can compute in parallel (unlike CBC) Still does not guarantee integrity; Fragile if ctr repeats 10/21/16 CSE 484 / CSE M Fall

23 Counter Mode (CTR): Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 Key Key Key Key ct ct ct ct pt pt pt pt 10/21/16 CSE 484 / CSE M Fall

24 When is an Encryption Scheme Secure? Hard to recover the key? What if attacker can learn plaintext without learning the key? Hard to recover plaintext from text? What if attacker learns some bits or some function of bits? Fixed mapping from plaintexts to texts? What if attacker sees two identical texts and infers that the corresponding plaintexts are identical? Implication: encryption must be randomized or stateful 10/21/16 CSE 484 / CSE M Fall

25 How Can a Cipher Be Attacked? Attackers knows text and encryption algthm What else does the attacker know? Depends on the application in which the is used! Ciphertext-only attack KPA: Known-plaintext attack (stronger) Knows some plaintext-text pairs CPA: Chosen-plaintext attack (even stronger) Can obtain text for any plaintext of his choice CCA: Chosen-text attack (very strong) Can decrypt any text except the target 10/21/16 CSE 484 / CSE M Fall

26 Chosen Plaintext Attack (key,pin) PIN is encrypted and transmitted to bank Crook #1 changes his PIN to a number of his choice Crook #2 eavesdrops on the wire and learns text corresponding to chosen plaintext PIN repeat for any PIN value 10/21/16 CSE 484 / CSE M Fall

27 Very Informal Intuition Minimum security requirement for a modern encryption scheme Security against chosen-plaintext attack (CPA) Ciphertext leaks no information about the plaintext Even if the attacker correctly guesses the plaintext, he cannot verify his guess Every text is unique, encrypting same message twice produces completely different texts Security against chosen-text attack (CCA) Integrity protection it is not possible to change the plaintext by modifying the text 10/21/16 CSE 484 / CSE M Fall