Processing with Block Ciphers

Similar documents
Processing with Block Ciphers

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CSC 474/574 Information Systems Security

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 1 Applied Cryptography (Part 1)

CSC574: Computer & Network Security

Block Cipher Operation. CS 6313 Fall ASU

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Computer Security: Principles and Practice

CSC574: Computer & Network Security

1 Achieving IND-CPA security

Computer Security CS 526

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Introduction to Cryptography. Lecture 3

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Content of this part

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Information Security CS526

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Block Cipher Modes of Operation

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Secret Key Cryptography

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Cryptography. Lecture 3

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Sirindhorn International Institute of Technology Thammasat University

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Information Security CS526

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Encryption. INST 346, Section 0201 April 3, 2018

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Lecture 3: Symmetric Key Encryption

Summary. Final Week. CNT-4403: 21.April

Solutions to exam in Cryptography December 17, 2013

Ref:

Practical Aspects of Modern Cryptography

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Chapter 3 Block Ciphers and the Data Encryption Standard

Security Requirements

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Message Authentication Codes and Cryptographic Hash Functions

CSCE 813 Internet Security Symmetric Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Double-DES, Triple-DES & Modes of Operation

n-bit Output Feedback

CIS 4360 Secure Computer Systems Symmetric Cryptography

Security: Cryptography

Technion - Computer Science Department - Technical Report CS

Lecture 4: Symmetric Key Encryption

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Computational Security, Stream and Block Cipher Functions

CSCE 548 Building Secure Software Symmetric Cryptography

Assignment 3: Block Ciphers

CSC/ECE 774 Advanced Network Security

Symmetric Encryption. Thierry Sans

Summary on Crypto Primitives and Protocols

CSC 474/574 Information Systems Security

CSE 127: Computer Security Cryptography. Kirill Levchenko

05 - WLAN Encryption and Data Integrity Protocols

The Rectangle Attack

Public Key Algorithms

CSC 474/574 Information Systems Security

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

Authentication Handshakes

Cryptography [Symmetric Encryption]

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Introduction to Cryptography

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Chapter 6: Contemporary Symmetric Ciphers

Applied Cryptography Data Encryption Standard

Block Cipher Modes of Operation

CSC 774 Network Security

P2_L6 Symmetric Encryption Page 1

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Data Integrity. Modified by: Dr. Ramzi Saifan

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Symmetric key cryptography

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

S. Erfani, ECE Dept., University of Windsor Network Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

2.1 Basic Cryptography Concepts

Journal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10

7. Symmetric encryption. symmetric cryptography 1

Cryptographic Checksums

Transcription:

rocessing with Block iphers AIT 682: Network and Systems Security Topic 3.2 Secret ryptography Modes of Operation Instructor: r. un Sun Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation B (lectronic ode Book) B (ipher Block haining) OFB (Output Feedback) FB (ipher Feedback) TR (ounter) 2 Issues for Block haining Modes Information leakage oes it reveal info about the plaintext blocks? iphertext manipulation an an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. Issues (ont d) arallel/sequential an blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? rror propagation If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? 3 4 lectronic ode Book (B) B ecryption laintext iphertext The easiest mode of operation; each block is independently encrypted ach block is independently decrypted 5 6

B roperties ipher Block haining (B) oes information leak? an ciphertext be manipulated profitably? arallel processing possible? o ciphertext errors propagate? M 1 M 24 M 3 M 42 1 4 3 2 7 Initialization Vector haining dependency: each ciphertext block depends on all preceding plaintext blocks 8 Initialization Vectors Initialization Vector () Used along with the key; not secret For a given plaintext, changing either the key, or the, will produce a different ciphertext Why is that useful? generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers 9 Initialization Vector B ecryption How many ciphertext blocks does each plaintext block depend on? 10 B roperties oes information leak? Identical plaintext blocks will produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? yes (encryption), a little (decryption) 11 Output Feedback Mode (OFB) Initialization Vector one-time pad seudo-random Number Generator 12

OFB ecryption OFB roperties one-time pad No block decryption required! 13 oes information leak? identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (generating pad), yes (XORing with blocks) o ciphertext errors propagate? 14 OFB (ont d) ipher Feedback Mode (FB) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! onclusion: must be different every time 15 iphertext block j depends on all preceding plaintext blocks 16 FB ecryption No block decryption required! 17 FB roperties oes information leak? Identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? 18

ounter Mode (TR) ++ ++ M 1 M 2 M 3 1 2 3 19 TR Mode roperties oes information leak? Identical plaintext block produce different ciphertext blocks an ciphertext be manipulated profitably arallel processing possible Yes (both generating pad and XORing) o ciphertext errors propagate? Allow decryption the ciphertext at any location Ideal for random access to ciphertext 20 Stronger S AIT 682: Network and Systems Security Major limitation of S length is too short an we apply S multiple times to increase the strength of encryption? Topic 3.3 Secret ryptography Triple S Instructor: r. un Sun 22 ouble ncryption with S ncrypt the plaintext twice, using two different S keys Total key material increases to 112 bits is that the same as key strength of 112 bits? ncryption ecryption X 1 2 X Observa(on: X= 1 {}= {} oncerns About ouble S Wasn t clear at the time if S was a group (it s not) If it were, then k2 ( k1 ()) k3 (), for all Not good? ossible attack (better than brute force): meet-in-the-middle A known-plaintext attack 23 24

The Meet-in-the-Middle Attack 1. hoose a plaintext and generate ciphertext, using double-s with + 2. Then a. encrypt using single-s for all possible 2 56 values 1 to generate all possible single-s ciphertexts for : X 1,X 2,,X 2 56 ; store these in a table indexed by ciphertex values b. decrypt using single-s for all possible 2 56 values 2 to generate all possible single-s plaintexts for : Y 1,Y 2,,Y 2 56 ; for each value, check the table Steps (ont d) 3. Meet-in-the-middle: each match (X i = Y j ) reveals a candidate keypair i + j there should be approx. (2 112 / 2 ) = 2 48 such pairs for one value of (,) 2 112 possible keys, but there are only 2 X s 4. Repeat the above, for a second plaintext/ciphertext pair (, ), and find those 2 48 candidate keypairs i + j Why 2 48 (another view)? - The table contains only 2 56 /2 = 1/2 8 of all possible -bit values - there are 2 56 entries X i - for each X i, there is only 1/2 8 chance there is a matching Y i 25 26 Steps (ont d) Triple ncryption (Triple S-) 5. Look for an identical candidate keypair that produces collisions for both (,) and (, ) the probability the same candidate keypair occurs for both plaintexts, but is not the keypair used in the double-s encryption: 2 48 / 2 = 2-16 An expensive attack (computation + storage) still, enough of a threat to discourage use of double- S Why 2-16? - there are about 2 48 candidate keypairs i + j - at most one is +, the rest are imposters - if i + j is an imposter, the probability using i + j that ( ) = ( ) is 1/2 27 ncryption ecryption Why not --? again, wasn t clear if S was a group Apply S encryption/decryption three times why not 3 different keys? why not the same key 3 times? 1 2 1 28 Triple S (ont d) 3S-: Outside haining Mode Widely used equivalent strength to using a 112 bit key strength about 2 110 against M-I-T-M attack However: inefficient / expensive to compute one third as fast as S on the same platform, and S is already designed to be slow in software Next question: how is block chaining used with triple-s? 29 What basic chaining mode is this? 30

3S-: OM ecryption OM roperties oes information leak? identical plaintext blocks produce different ciphertext blocks an ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? 31 32 3S-: Inside haining Mode 3S-: IM ecryption 33 34 3S-: Inside haining Mode 3-S : IM ecryption 35 36

Message Authentication AIT 682: Network and Systems Security Topic 3.4 Secret ryptography MA with Secret iphers Instructor: r. un Sun ncryption easily provides confidentiality of messages only the party sharing the key (the key partner ) can decrypt the ciphertext How to use encryption to authenticate messages? That is, prove the message was created by the key partner prove the message wasn t modified by someone other than the key partner 38 Approach #1 The quick and dirty approach If the decrypted plaintext looks plausible, then conclude ciphertext was produced by the key partner i.e., illegally modified ciphertext, or ciphertext encrypted with the wrong key, will probably decrypt to random-looking data But, is it easy to verify data is plausiblelooking? What if all data is plausible? 39 Approach #2: laintext+iphertext Sender Send plaintext and ciphertext receiver encrypts plaintext, and compares result with received ciphertext forgeries / modifications easily detected any problems / drawbacks? Receiver ompare Accept /Reject 40 Approach #3: Use Residue ncrypt plaintext using S B mode, with set to zero the last (final) ciphertext output block is called the residue = 00 0 1 2 3 RSIU 41 Approach #3 (ont d) Sender Residue only Receiver Transmit the plaintext and this residue receiver computes same residue, compares to the received residue forgeries / modifications highly likely to be detected ompare Residue only 42

Message Authentication odes MA: a small fixed-size block (i.e., independent of message size) generated from a message using secret key cryptography also known as cryptographic checksum Requirements for MA 1. Given M and MA(M), it should be computationally infeasible (expensive) to construct (or find) another message M such that MA(M ) = MA(M) 2. MA(M) should be uniformly distributed in terms of M for randomly chosen messages M and M, ( MA(M)=MA(M ) ) = 2 -k, where k is the number of bits in the MA 43 44 Requirements (cont d) 3. nowing MA(M1), MA(M2),... of some (known or chosen) messages M1, M2,..., it should be computationally infeasible for an attacker to find the MA of some other message M rypto for onfidentiality AN Authenticity? So far we ve got confidentiality (encryption), or authenticity (MAs) an we get both at the same time with one cryptographic operation? 45 46 Attempt #1 1. Sender computes an error-correcting code or Frame-heck Sequence (FS) F() of the plaintext 2. Sender concatenates and F() and encrypts i.e., = ( F() ) 3. Receiver decrypts received ciphertext using, to get F 4. Receiver computes F( ) and compares to F to authenticate received message = How does this authenticate? Attempt #1 (ont d) Sender F() oncatenate FS F() { F()} The order (1) FS, then (2) encryption is critical why not (2), then (1)? Subtle weaknesses known in this approach, so not preferred Receiver F FS ompare F( ) 47 48

Attempt #2 1. ompute residue (MA) using key 2. ncrypt plaintext message M using key to produce 3. Transmit MA to receiver 4. Receiver decrypts received with to get 5. Receiver computes MA( ) using, compares to received MA 49 Sender Attempt #2 (cont d) Residue only Good (cryptographic) quality, but xpensive! Two separate, full encryptions with different keys are required Receiver Residue MA only ompare 50 Summary 1. B mode is not secure B most commonly used mode of operation 2. Triple-S (with 2 keys) is much stronger than S usually uses in Outer haining Mode 3. MAs use crypto to authenticate messages at a small cost of additional storage / bandwidth but at a high computational cost 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback