COMP4109: Applied Cryptography
Fall 2013
M. Jason Hinek
Carleton University

Applied Cryptography
Day 4 (and 5 and maybe 6)
- secret-key primitives
- symmetric-key encryption
- security notions and types of attacks
- one-time pad
- stream ciphers
- block ciphers
- MACs
- PRGs
- modes of operation

Symmetric-Key Encryption
a symmetric-key encryption scheme is a five-tuple (P, C, K, E, D), such that
- P is the plaintext or message space
- C is the ciphertext space
- K is the keyspace
- for each k ∈ K, there is
  - an encryption rule e_k ∈ E, e_k : P → C
  - a decryption rule d_k ∈ D, d_k : C → P
  such that d_k(e_k(x)) = x for every plaintext x ∈ P
note: we might use e_k(m), Enc(k,m) or Enc(m)

Symmetric-Key Encryption
to achieve confidentiality of data (see diagram)
- Alice and Bob share a secret key (k ∈_R K)
  - they both know k, Enc(k,m) = e_k(m), and Dec(k,c) = d_k(c)
  - how do they do this? (need a secure channel)
- Alice computes the ciphertext y = Enc(k,m) for plaintext m
- Alice sends y to Bob over an insecure channel
- Bob recovers the plaintext message m = Dec(k,y) from the ciphertext
- Eve can watch the channel

Symmetric-Key Encryption
consider the shift cipher (Caesar Cipher)
- P = C = K = Z_26 (Z_26 = {0, 1, 2, ..., 25})
- for k ∈ K (a number between 0 and 25),
  E_k(m) = (m + k) mod 26
  D_k(c) = (c − k) mod 26
- when k = 4, if we map a = 0, b = 1, c = 2, etc.

  a b c d e f g h i j k l m
  D E F G H I J K L M N O P

  n o p q r s t u v w x y z
  Q R S T U V W X Y Z A B C

- ROT-13 is a shift cipher with k = 13

Symmetric-Key Encryption
consider the substitution cipher
- P = C = A (A = {a, b, c, ..., x, y, z})
- K is the set of all permutations of A
- for π ∈ K (a permutation),
  E_π(m) = π(m)
  D_π(m) = π^{-1}(m)
- for example

  a b c d e f g h i j k l m
  X N Y A H P O G Z Q W B T

  n o p q r s t u v w x y z
  S F L R C V M U E K J D I

Symmetric-Key Encryption
are these secure?
- what does secure mean?
- what are Eve's goals?
- what are Eve's computational powers?
- how does Eve interact with Alice and Bob?

Attack Models
Passive attacks
- ciphertext-only attack: given c = Enc_k(m)
- known-plaintext attack: given m and c = Enc_k(m)
Active attacks
- chosen-plaintext attack: chooses m and is given c = Enc_k(m)
- chosen-ciphertext attack: chooses c and is given m such that c = Enc_k(m)
Other attacks
- side-channel attacks
- social engineering attacks

Security Levels
- Information-theoretic security: Eve has no limits to her computational resources
- Complexity-theoretic security: Eve has a polynomial-time Turing machine at her disposal
- Computational security: Eve has n real computers at her disposal (computationally bounded)

Goals of the Adversary
- determine the secret key k
- determine plaintext from ciphertext
- determine some information about the plaintext from the ciphertext
if Eve can find k or systematically decrypt ciphertexts, then the encryption scheme is totally broken (or totally insecure)
if Eve cannot determine any partial information about the plaintext (other than the length), the encryption scheme is semantically secure

Symmetric-Key Encryption
- a security model states the level of security assuming certain computational capabilities of the adversary and how the adversary interacts with the communicating parties
- a symmetric-key encryption scheme is said to be secure if it is semantically secure against chosen-plaintext attacks by a computationally bounded adversary

Symmetric-Key Encryption
practically speaking, the following properties are desirable for a symmetric-key encryption scheme
- Enc_k() and Dec_k() should be efficient
- k should be small but big enough to thwart brute-force guessing
- it should be secure
- it should be secure against the designer of the system

Caesar Cipher
- chosen-plaintext attack totally breaks it
- known-plaintext attack totally breaks it
- ciphertext-only attack totally breaks it
  - brute-force attack (exhaustive search)
  - unicity distance
Substitution Cipher
- chosen-plaintext attack totally breaks it
- known-plaintext attack reveals partial information
- ciphertext-only attack totally breaks it
  - exhaustive search (≈ 2^88 keys) (does not break it)
  - frequency analysis! (breaks it)

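The attack results listed above for the shift and substitution ciphers, worked through in code. This is an added example, not part of the original slides: the function names and the sample plaintexts are constructed, input is assumed to be lowercase a-z only, the shift key is the ROT-13 value k = 13, and the permutation is the one from the substitution cipher slide.

```python
# Added example: known-plaintext and ciphertext-only attacks on the two ciphers.
# Convention: lowercase = plaintext, uppercase = ciphertext.

SUBST_KEY = "XNYAHPOGZQWBTSFLRCVMUEKJDI"  # slide's permutation: a->X, b->N, ...

def shift_enc(k, m):
    """E_k(m) = (m + k) mod 26, applied letter by letter."""
    return "".join(chr((ord(ch) - 97 + k) % 26 + 65) for ch in m)

def shift_dec(k, c):
    """D_k(c) = (c - k) mod 26."""
    return "".join(chr((ord(ch) - 65 - k) % 26 + 97) for ch in c)

def subst_enc(key, m):
    """E_pi(m) = pi(m), with pi given as the 26-letter image of a..z."""
    return "".join(key[ord(ch) - 97] for ch in m)

def shift_known_plaintext(m, c):
    """One known letter pair determines the whole key: k = (c - m) mod 26."""
    return (ord(c[0]) - 65 - (ord(m[0]) - 97)) % 26

def shift_exhaustive(c):
    """Ciphertext-only: there are only 26 keys, so list every decryption."""
    return [(k, shift_dec(k, c)) for k in range(26)]

def subst_known_plaintext(m, c):
    """Learns pi only on the letters that occur in the known plaintext."""
    return dict(zip(m, c))

def partial_decrypt(known, c):
    """Decrypt with a partially recovered pi; unknown letters become '?'."""
    inverse = {x: p for p, x in known.items()}
    return "".join(inverse.get(ch, "?") for ch in c)

if __name__ == "__main__":
    m = "meetmeatnoon"                       # constructed sample plaintext
    c = shift_enc(13, m)                     # ROT-13
    print(c, shift_known_plaintext(m, c))    # key recovered from one pair
    print([p for k, p in shift_exhaustive(c) if k == 13])
    known = subst_known_plaintext(m, subst_enc(SUBST_KEY, m))
    # Only 6 of 26 letters of pi are learned, so a new message decrypts partly.
    print(len(known), partial_decrypt(known, subst_enc(SUBST_KEY, "tomatoes")))
```
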
Caesar / Substitution Ciphers
what if the plaintext was only one letter?
- ciphertext-only attack reveals nothing
- any plaintext/ciphertext pair reveals key
what if the key was changed (independently) for each letter that was encrypted?
- ciphertext-only attack reveals nothing
- any plaintext/ciphertext pair reveals key
what if we didn't use the key again?

One-Time Pad
- Vernam (1917) for telegraphs
- P = C = K = {0,1}^m
- k ∈ K is a random binary string
- for m = m_1 m_2 ... m_n and k = k_1 k_2 ... k_n, the ciphertext c = c_1 c_2 ... c_n is computed as the bitwise XOR of m and k (c = m ⊕ k)
- what if the same key is used twice?
  - the key can only be used once (hence, one-time!)
- the one-time pad is unconditionally secure
- the one-time pad provides perfect secrecy
  - it is semantically secure against ciphertext-only attacks by an adversary with infinite computational resources

One-Time Pad
- perfect secrecy can be formally proven (Shannon 1949)
- all schemes with perfect secrecy have key length ≥ message length
  - P = K = m for one-time pad
- needs lots of long keys
- impractical

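The two one-time pad properties stated above, perfect secrecy and the failure when a key is used twice, shown on byte strings. This is an added example, not part of the original slides: the function names and the two sample messages are constructed, and XOR is applied bytewise rather than bitwise, which is equivalent.

```python
# Added example: one-time pad, perfect secrecy, and key reuse.
import secrets

def xor(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs key length == message length")
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(n):
    """k is a uniformly random string, as long as the message."""
    return secrets.token_bytes(n)

def otp_enc(k, m):
    """c = m XOR k."""
    return xor(m, k)

def otp_dec(k, c):
    """m = c XOR k (XOR is its own inverse)."""
    return xor(c, k)

def key_explaining(c, candidate_m):
    """Perfect secrecy: for a fixed c, every plaintext of the same length
    is explained by exactly one key, k' = c XOR candidate_m."""
    return xor(c, candidate_m)

def reuse_leak(c1, c2):
    """Same key used twice: c1 XOR c2 = m1 XOR m2, the key cancels out."""
    return xor(c1, c2)

def recover_second(c1, c2, known_m1):
    """With one plaintext known, key reuse reveals the other plaintext."""
    return xor(reuse_leak(c1, c2), known_m1)

if __name__ == "__main__":
    m1 = b"meet me at noon"   # constructed sample messages, both 15 bytes
    m2 = b"bring the notes"
    k = keygen(len(m1))
    c1, c2 = otp_enc(k, m1), otp_enc(k, m2)   # key reused: the mistake
    # One ciphertext alone is consistent with m2 just as well as with m1.
    print(otp_dec(key_explaining(c1, m2), c1))
    # Two ciphertexts under one key leak m1 XOR m2, independent of k.
    print(reuse_leak(c1, c2) == xor(m1, m2))
    print(recover_second(c1, c2, m1))
```
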
Crypto Today
- Freedom to Tinker
- Schneier on Security
"Whatever you may think of the NSA, so far the cryptography it has published has been quite decent."
Ferguson, Schneier, Kohno, Cryptography Engineering, Wiley, 2010