Practical Aspects of Modern Cryptography

Similar documents
Winter 2011 Josh Benaloh Brian LaMacchia

Lecture 1 Applied Cryptography (Part 1)

Encryption. INST 346, Section 0201 April 3, 2018

CSC 474/574 Information Systems Security

Computer Security: Principles and Practice

Computational Security, Stream and Block Cipher Functions

1 Achieving IND-CPA security

CSE 127: Computer Security Cryptography. Kirill Levchenko

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Computer Security CS 526

Information Security CS526

Cryptography Functions

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Double-DES, Triple-DES & Modes of Operation

3 Symmetric Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Ref:

Network Security Essentials Chapter 2

Chapter 6: Contemporary Symmetric Ciphers

Chapter 6 Contemporary Symmetric Ciphers

Lecture 4: Symmetric Key Encryption

Goals of Modern Cryptography

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Cryptography [Symmetric Encryption]

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CSC 474/574 Information Systems Security

CSC 774 Network Security

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

CPSC 467b: Cryptography and Computer Security

Lecture 3: Symmetric Key Encryption

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Unit 8 Review. Secure your network! CS144, Stanford University

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

APNIC elearning: Cryptography Basics

CS 161 Computer Security

Cryptography. Summer Term 2010

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Introduction to Symmetric Cryptography

Crypto: Symmetric-Key Cryptography

Security: Cryptography

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Scanned by CamScanner

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Uses of Cryptography

Cryptography and Network Security

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Cryptography MIS

Symmetric-Key Cryptography

EEC-484/584 Computer Networks

Symmetric Encryption. Thierry Sans

CPSC 467b: Cryptography and Computer Security

Lecture 2: Shared-Key Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CSC 580 Cryptography and Computer Security

Chapter 3 Block Ciphers and the Data Encryption Standard

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CSCE 715: Network Systems Security

Cryptography (Overview)

Security Requirements

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

CIS 4360 Secure Computer Systems Symmetric Cryptography

Symmetric Encryption Algorithms

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Lecture 2: Secret Key Cryptography

Secret Key Algorithms (DES)

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Security. Communication security. System Security

CS61A Lecture #39: Cryptography

n-bit Output Feedback

CSC/ECE 774 Advanced Network Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Message Authentication and Hash function

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptography. Submitted to:- Ms Poonam Sharma Faculty, ABS,Manesar. Submitted by:- Hardeep Gaurav Jain

Data Encryption Standard (DES)

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Content of this part

Block Cipher Modes of Operation

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Network Security Essentials

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Symmetric Cryptography. CS4264 Fall 2016

Transcription:

Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private message to Bob. Precondition: Alice and Bob have previously shared some secret known only to them. The pre-shared secret is the encryption key Alice and Bob will use. Cryptography 3 Cryptography 4 Symmetric Encryption What makes a cipher secure? P Alice (sender) Alice knows secret key k Bob (receiver) text C Enc(P,k) Dec(C,k) k Bob knows secret key k P Exhaustive search of keyspace must be infeasible More about this later It must also be infeasible to find the key given: Sample ciphertext and corresponding plaintext ( knownplaintext attack ) The ability to feed ciphertext in and see what plaintext comes out ( chosen-ciphertext attack ) or the other way around ( chosen-plaintext attack ) If someone can find keys under any of these conditions, the cipher isn t considered secure Cryptography 5 Cryptography 6 1

Some bad cipher ideas Repeated XOR mask Pick a key number. XOR with each plaintext XOR with key again to decrypt INSECURE: just one plaintext/ciphertext gives the key Monoalphabetic substitution Key is a table of letters and corresponding ciphertexts a=m,b-x,c=b,d=r,etc. encrypt/decrypt by substitution Exhaustive search is really hard (26! keys to try). INSECURE: statistical analysis of ciphertext frequency Symmetric s Private-key (symmetric) ciphers are usually divided into two classes. ciphers Stream ciphers Cryptography 7 Cryptography 8 Symmetric s Private-key (symmetric) ciphers are usually divided into two classes. ciphers Stream ciphers ciphers Encrypt fixed-size blocks ciphertext = Encrypt(key,cleartext) cleartext = Decrypt(key,ciphertext) Encrypt function converts blocks of cleartext bits to ciphertext bits Decrypt function converts back If the key is wrong, you get the wrong result Shouldn t be possible to derive key given cleartext, ciphertext pairs Examples include DES, 3DES, AES Cryptography 9 Cryptography 10 s s Key Key Data text Data Currently usually 8 bytes. AES uses 16 bytes. text Cryptography 11 Cryptography 12 2

Fast Facts about s Encrypt/decrypt data a block at a time Encryption/decryption of sequential blocks may be related Mode of operation We always encrypt/decrypt full blocks No partial blocks allowed by the cipher! Our plaintext may not be an even multiple of blocks, so we may need to pad the last plaintext block Modes Electronic Code Book (ECB) Encryption: text Cryptography 13 Cryptography 14 Modes Electronic Code Book (ECB) Decryption: Problems with ECB Patterns in plaintext preserved in ciphertext X 0 X 1 X 2 X 3 =X 0 text C 0 C 1 C 2 C 3 =C 0 No basic integrity protection. Must add or: block substitution and rearrangement attacks Fabrication of information Cryptography 15 Cryptography 16 Modes Chaining (CBC) Encryption: Modes Chaining (CBC) Decryption: IV IV text text Cryptography 17 Cryptography 18 3

How to Build a Feistel s Key text Cryptography 19 Cryptography 20 Feistel s Feistel s Cryptography 21 Cryptography 22 Feistel s Feistel s Cryptography 23 Cryptography 24 4

Feistel s Typically, most Feistel ciphers are iterated for about 16 rounds. Different sub-keys are used for each round. Sub-keys are derived from the master key or a derived key schedule Even a weak round function can yield a strong Feistel cipher if iterated sufficiently. Data Encryption Standard (DES) 64-bit 56-bit Key 64-bit text Cryptography 25 Cryptography 26 Data Encryption Standard (DES) Data Encryption Standard (DES) 64-bit 64-bit 56-bit Key 16 Feistel Rounds 56-bit Key 16 Feistel Rounds 64-bit text 64-bit text Cryptography 27 Cryptography 28 DES Round Simplified DES Round Function 32 bits Sub-key 4-bit substitutions 32-bit permutation Cryptography 29 Cryptography 30 5

Actual DES Round Function 32 bits Sub-key 48 bits 6/4-bit substitutions 32-bit permutation Padding Modes What do we do if the length of the plaintext is not an even multiple of the cipher s block size? A: Drop the extra data on the floor (You really didn t want it encrypted anyway) B: Throw an exception/return an error User error C: Pad the last block of plaintext so it s a full block, then encrypt it normally Cryptography 31 Cryptography 32 Padding with Zero Add enough zeros to the end of the data so we have a full block to encrypt Example: last block is 31 D9 7B D7 31 D9 7B D7 Zero padding yields: 31 D9 7B D7 00 00 00 00 Zero Padding What s wrong with padding with zeros? 31 D9 7B 00 If my plaintext can end in a zero, I cannot tell the plaintext data apart from the added pad Not always fatal, but in general zero is a legal plaintext value We need something else... Cryptography 33 Cryptography 34 PKCS Padding Idea: Pad the block with a value that depends on the amount of padding needed. This lets you tell the pad apart from the plaintext If you need n bytes of pad, pad with a value of n! Example: Need to pad the last four bytes? Use a value of 04: 31 D9 7B D7 04 04 04 04 PKCS Padding Removing a PKCS pad is easy: Look at the last byte of the last block of plaintext thisisthepadvalue Remove that many bytes of padding 31 D9 7B D7 04 04 04 04 Remove last 4 bytes Value: 04 Cryptography 35 Cryptography 36 6

PKCS Padding What did I forget? What happens if the plaintext doesn t need to be padded? (Last block is already full...) A7 9D 42 46 BE D4 37 B8 Value: B8 (decimal 184) PKCS Padding If the last block is a full block, add an entire block s worth of padding: A7 9D 42 46 BE D4 37 B8 08 08 08 08 08 08 08 08 Value: 08 Remove last 184 bytes! Remove last 8 bytes (entire block) Cryptography 37 Cryptography 38 s in Use Today DES is not secure DES can be brute-forced (2^56 operations) In January 1998, a combination of the EFF DES Cracker and distributed.net brute-forced a challenge in less than 24 hours Today, the common choices are: Triple-DES (two-key or three-key) AES (Rijndael) Triple-DES (3DES) Triple-DES is DES run three times Sometimes called 3DES-EDE because it has three stages: encryption-decryption-encryption Key K 1 Key K 2 Key K 3 DES Encryption DES Decryption DES Encryption text Cryptography 39 Cryptography 40 Triple-DES (3DES) Key K 1 Key K 2 Key K 3 DES Encryption DES Decryption DES Encryption text Triple-DES can be run in either two-key or three-key modes Intwo-keymode,K1=K3 In three-key mode, K1, K2, K3 are all distinct If K1 = K2 = K3, you have just DES Be Skeptical of New s The details are everything And there are a lot of details design is much harder than you d think Don t ever design and use your own cipher! It won t be nearly as secure as existing designs like 3DES Don t trust secret algorithms Need lots of review by skeptical experts to gain confidence in a cipher Cryptography 41 Cryptography 42 7

Symmetric s Private-key (symmetric) ciphers are usually divided into two classes. ciphers Stream ciphers Background: The One-Time Pad An unconditionally secure cipher Key = random bits = 1100010011100100011 Message = bits = 1110011001100110001 text = XOR of Key, Message = 0010001010000010010... Problems: Number of random bits needed = sum of lengths of all messages to be encrypted (not reusable) Random bits must be known to both sender and recipient. Cryptography 43 Cryptography 44 Random Numbers Really good random numbers are hard to acquire Best bits come from physical systems Radioactive decay (http://www.fourmilab.ch/hotbits/) Noise diodes Lava Lamps Getting many truly random bits is slow Getting many shared truly random bits is more awkward Getting good randomness is important for many crypto algorithms Picking private key components & secret keys Some algorithms (e.g. DSA) require random input! So how do we get random numbers on a computer? It sounds so easy: Just pick some random bytes No good standard source of computer randomness OS state (time-of-day, PID) is very low entropy User keyboard input is very unreliable Best practical options aren t very good Inter-event timing (keyboard, network), timing loops, fast clocks and interval timers Better would be /dev/random, or hardware generator Intel 850 chipset (for Pentium motherboards) has on-board hardware RNG Cryptography 45 Cryptography 46 Pseudo-Random Numbers How do we make a lot of good random bits from a smaller number of really good random bits? We want pseudo-random bits Pseudo-random bitstrings are polynomial time indistinguishable from truly random bitstrings In practice: use DES, hash functions to generate bits from a random seed (FIPS 186) Stream s Use the secret key as a seed to a pseudo-random number-generator. Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext. Cryptography 47 Cryptography 48 8

Stream ciphers Generate mask bits ciphertext[i] = cleartext[i]+stream(key,state) cleartext[i] = ciphertext[i]-stream(key,state) produces a sequence of bits that is added to the cleartext to produce ciphertext Receiver can generate the same sequence and subtract from ciphertext to recover cleartext Must never re-use same part of stream Each bit is encrypted independently Stream Encryption : PRNG(seed): text: Cryptography 49 Cryptography 50 Stream Decryption : PRNG(seed): text: A PRNG: Alleged RC4 Initialization S[0..255] = 0,1,,255 K[0..255] = Key,Key,Key, for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap S[i] and S[j] Cryptography 51 Cryptography 52 A PRNG: Alleged RC4 Iteration i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] t = (S[i] + S[j]) mod 256 Output S[t] Stream Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice. Cryptography 53 Cryptography 54 9

Stream Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. Stream Integrity It is easy for an adversary (even one who can t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice. This can be protected against by the careful addition of appropriate redundancy. Cryptography 55 Cryptography 56 One-Way Hash Functions Theideaofacheck sum is great, but it is designed to prevent accidental changes in a message. For cryptographic integrity, we need an integrity check that is resilient against a smart and determined adversary. One-Way Hash Functions Generally, a one-way hash function is a function H : {0,1}* {0,1} k (typically k is 128 or 160) such that given an input value x, one cannot find avaluex x such H(x) =H(x ). Cryptography 57 Cryptography 58 One-Way Hash Functions There are many measures for one-way hashes. Non-invertability: given y, it s difficult to find any x such that H(x) = y. Collision-intractability: one cannot find a pair of values x x such that H(x) =H(x ). An Example Hash: SHA-1 SHA-1 was designed by the US Government as part of the Digital Signature Standard SHA-1 is the most-commonly used hash function today It s the hash function in which we have the most faith right now SHA-1 takes any size input and produces a 160- bit output (the digest value) Cryptography 59 Cryptography 60 10

(IV) Input Compression Function Output Cryptography 61 Cryptography 62 No Change Rotate 30 bits Cryptography 63 Cryptography 64 No Change No Change Cryptography 65 Cryptography 66 11

What s in the final 32-bit transform? Take the rightmost word. Addintheleftmostwordrotated5bits.? Add in a round-dependent function f of the middle three words. Cryptography 67 Cryptography 68 Depending on the round, the non-linear function f is one of the following. f f(x,y,z) = (X Y) (( X) Z) f(x,y,z) = (X Y) (X Z) (Y Z) f(x,y,z) = X Y Z Cryptography 69 Cryptography 70 What s in the final 32-bit transform? Take the rightmost word. Addintheleftmostwordrotated5bits. Add in a round-dependent function f of the middle three words. What s in the final 32-bit transform? Take the rightmost word. Addintheleftmostwordrotated5bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Cryptography 71 Cryptography 72 12

What s in the final 32-bit transform? Take the rightmost word. Addintheleftmostwordrotated5bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the message. Cryptography 73 Cryptography 74 One-Way Hash Functions When using a stream cipher, a hash of the message can be appended to ensure integrity. [Message Authentication Code] When forming a digital signature, the signature need only be applied to a hash of the message. [Message Digest] Cryptography 75 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback