Cryptography (cont.)

Similar documents
Symmetric Cryptography

Cryptography [Symmetric Encryption]

Symmetric Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography: Symmetric Encryption [continued]

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Introduction to Cryptography (cont.)

Web Security Symmetric Encryption & Authentication

Software Security Design Principles + Intro to Crypto

Software Security and Intro to Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography 2017 Lecture 3

Symmetric-Key Cryptography

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Scanned by CamScanner

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Winter 2011 Josh Benaloh Brian LaMacchia

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Lecture 4: Symmetric Key Encryption

CSE 127: Computer Security Cryptography. Kirill Levchenko

symmetric cryptography s642 computer security adam everspaugh

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto: Symmetric-Key Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Computer Security CS 526

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Computational Security, Stream and Block Cipher Functions

Information Security CS526

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Lecture 3: Symmetric Key Encryption

User Authentication and Human Factors

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

P2_L6 Symmetric Encryption Page 1

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Introduction to cryptology (GBIN8U16)

Goals of Modern Cryptography

Introduction to Cryptography. Lecture 3

Practical Aspects of Modern Cryptography

Crypto meets Web Security: Certificates and SSL/TLS

User Authentication. Daniel Halperin Tadayoshi Kohno

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Lecture 1 Applied Cryptography (Part 1)

Private-Key Encryption

COMP4109 : Applied Cryptography

3 Symmetric Cryptography

Cryptography Functions

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Secret Key Cryptography

Lecture 15: Public Key Encryption: I

Symmetric Cryptography. CS4264 Fall 2016

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

1 Achieving IND-CPA security

CSC 474/574 Information Systems Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Feedback Week 4 - Problem Set

Block ciphers, stream ciphers

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Solutions to exam in Cryptography December 17, 2013

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSE484 Final Study Guide

symmetric cryptography s642 computer security adam everspaugh

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Secret Key Cryptography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptology complementary. Symmetric modes of operation

Data Encryption Standard (DES)

Some Aspects of Block Ciphers

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Assignment 3: Block Ciphers

Introduction to Cryptography. Lecture 3

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Cryptographic Hash Functions. *Slides borrowed from Vitaly Shmatikov

Symmetric Encryption Algorithms

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

CPSC 467: Cryptography and Computer Security

Symmetric Encryption. Thierry Sans

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Block Cipher Operation. CS 6313 Fall ASU

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Stream Ciphers and Block Ciphers

Chapter 3 Block Ciphers and the Data Encryption Standard

Computer Security 3/23/18

Lecture 2: Secret Key Cryptography

Stream Ciphers and Block Ciphers

Modern Symmetric Block cipher

7. Symmetric encryption. symmetric cryptography 1

Worksheet - Reading Guide for Keys and Passwords

Secret Key Algorithms (DES)

Cryptographic Algorithms - AES

Lecture 07: Private-key Encryption. Private-key Encryption

Transcription:

CSE 484 / CSE M 584 (Autumn 2011) Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Updates Oct. 17th Lab 1 is due Friday TA office hours Fri before class (12-2:20, CSE 002) My office hours today, Wed after class (CSE 210) 584 paper reviews What are you doing to Emacs?

Today Today s symmetric algorithm: AES Cryptographic primitives: how to use a Evaluating privacy and integrity

DES and 56 bit keys (Stallings Tab 2.2) 56 bit keys are quite short 1999: EFF DES Crack + distibuted machines < 24 hours to find DES key DES ---> 3DES 3DES: DES + inverse DES + DES (with 2 or 3 diff keys)

Advanced Encryption Standard (AES) New federal standard as of 2001 Based on the Rijndael algorithm 128-bit s, keys can be 128, 192 or 256 bits Unlike DES, does not use Feistel structure The entire is processed during each round Design uses some very nice mathematics

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution Shift rows shift array rows (1 st unchanged, 2 nd left by 1, 3 rd left by 2, 4 th left by 3)

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution Shift rows Mix columns shift array rows (1 st unchanged, 2 nd left by 1, 3 rd left by 2, 4 th left by 3) mix 4 bytes in each column (each new byte depends on all bytes in old column)

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution Shift rows Mix columns shift array rows (1 st unchanged, 2 nd left by 1, 3 rd left by 2, 4 th left by 3) mix 4 bytes in each column (each new byte depends on all bytes in old column) Expand key

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution Shift rows Mix columns shift array rows (1 st unchanged, 2 nd left by 1, 3 rd left by 2, 4 th left by 3) mix 4 bytes in each column (each new byte depends on all bytes in old column) add key for this round Expand key

Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key S byte substitution Shift rows Mix columns shift array rows (1 st unchanged, 2 nd left by 1, 3 rd left by 2, 4 th left by 3) mix 4 bytes in each column (each new byte depends on all bytes in old column) add key for this round Expand key repeat 10 times

Encrypting a Large Message So, we ve got a good, but our plaintext is larger than 128-bit size 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit text What should we do?

Electronic Code Book (ECB) Mode plaintext K K K K K text

Electronic Code Book (ECB) Mode plaintext K K K K K text Identical s of plaintext produce identical s of text

Electronic Code Book (ECB) Mode plaintext K K K K K text Identical s of plaintext produce identical s of text No integrity checks: can mix and match s

Cipher Block Chaining (CBC) Mode: Encryption plaintext Initialization vector (random) K K K K text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity

CBC Mode: Decryption plaintext Initialization vector K K K K decrypt decrypt decrypt decrypt text

ECB vs. CBC [Picture due to Bart Preneel] AES in ECB mode AES in CBC mode Similar plaintext s produce similar text s (not good!)

Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode

CBC and Electronic Voting plaintext Initialization vector (supposed to be random) K K K K DES DES DES DES text Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_*)tmp, (des_c_*)record.m_data, totalsize, DESKEY, NULL, DES_ENCRYPT)

Counter (CTR) Mode: Encryption Initial ctr (random) ctr ctr+1 ctr+2 ctr+3 K K K K pt pt pt pt text Identical s of plaintext encrypted differently Still does not guarantee integrity Fragile if ctr repeats

CTR Mode: Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 K K K K ct ct ct ct pt pt pt pt

Achieving Privacy (Symmetric) Encryption schemes: A tool for protecting privacy. M Encrypt C Decrypt M K K Alice K Message.......... Ciphertext....... M C Adversary Bob K

When Is an Encryption Scheme Secure? Hard to recover the key? What if attacker can learn plaintext without learning the key? Hard to recover plaintext from text? What if attacker learns some bits or some function of bits? Fixed mapping from plaintexts to texts? What if attacker sees two identical texts and infers that the corresponding plaintexts are identical? Implication: encryption must be randomized or stateful

How Can a Cipher Be Attacked? Assume that the attacker knows the encryption algorithm and wants to learn information about some text Main question: what else does attacker know? Depends on the application in which is used! Ciphertext-only attack Known-plaintext attack (stronger) Knows some plaintext-text pairs Chosen-plaintext attack (even stronger) Can obtain text for any plaintext of his choice Chosen-text attack (very strong) Can decrypt any text except the target Sometimes very realistic model

Defining Security (Not Required) Attacker does not know the key He chooses as many plaintexts as he wants, and learns the corresponding texts When ready, he picks two plaintexts M 0 and M 1 He is even allowed to pick plaintexts for which he previously learned texts! He receives either a text of M 0, or a text of M 1 He wins if he guesses correctly which one it is

Defining Security (Not Required) Idea: attacker should not be able to learn even a single bit of the encrypted plaintext Define Enc(M 0,M 1,b) to be a function that returns encrypted M 0 or 1 b Given two plaintexts, Enc returns a text of one or the other depending on the value of bit b Think of Enc as a magic box that computes texts on attacker s demand. He can obtain a text of any plaintext M by submitting M 0 =M 1 =M, or he can try to learn even more by submitting M 0 M 1. Attacker s goal is to learn just one bit b

Chosen-Plaintext Security (Not Required) Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) and outputs bit d A interacts with Enc(-,-,1) and outputs bit d Identical except for the value of the secret bit d is attacker s guess of the secret bit Attacker s advantage is defined as If A knows secret bit, he should be able to make his output depend on it Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A

Simple Example (Not Required) Any deterministic, stateless symmetric encryption scheme is insecure Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts This includes ECB mode of common s! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C 1 Enc(X,Y,b); C 2 Enc(Y,Y,b); If C 1 =C 2 then b=1 else say b=0 The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1

Why Hide Everything? Leaking even a little bit of information about the plaintext can be disastrous Electronic voting 2 candidates on the ballot (1 bit to encode the vote) If text leaks the parity bit of the encrypted plaintext, eavesdropper learns the entire vote Also, want a strong definition, that implies others

Birthday attacks Are there two people in the first 1/3 of this classroom that have the same birthday? Yes? No?

Birthday attacks Why is this important for cryptography? 365 days in a year (366 some years) Pick one person. To find another person with same birthday would take on the order of 365/2 = 182.5 people Expect collision -- two people with same birthday -- with a room of only 23 people For simplicity, approximate when we expect a collision as the square root of 365. 2 128 different 128-bit keys Pick one key at random. To exhaustively search for this key requires trying on average 2 127 keys. Expect a collision after selecting approximately 2 64 random keys. 64 bits of security against collision attacks, not 128 bits.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback