Security Models: Proofs, Protocols and Certification

Similar documents
Information Security CS526

Information Security CS526

Lecture IV : Cryptography, Fundamentals

Private-Key Encryption

2 Secure Communication in Private Key Setting

What Can Be Proved About Security?

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography. Lecture 03

OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY

Computer Security CS 526

1-7 Attacks on Cryptosystems

CSC 580 Cryptography and Computer Security

2 What does it mean that a crypto system is secure?

Making and Breaking Ciphers

Introduction to Cryptography. Lecture 3

Public Key Cryptography

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Cryptography Part II Introduction to Computer Security. Chapter 8

Goals of Modern Cryptography

Lecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels

Introduction to Cryptography

Cryptography. Andreas Hülsing. 6 September 2016

7. Symmetric encryption. symmetric cryptography 1

Public-Key Cryptography

COMP4109 : Applied Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Introduc)on to Cryptography. Credits: Slide credits to David Brumley, Dan Boneh (ß has a MOOC)

Foundations of Cryptology

Tuesday, January 17, 17. Crypto - mini lecture 1

Cryptography MIS

symmetric cryptography s642 computer security adam everspaugh

Introduction to Cryptography. Lecture 3

CS408 Cryptography & Internet Security

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Introduction to Cryptography. Lecture 1. Benny Pinkas. Administrative Details. Bibliography. In the Library

Introduction to Cryptography. Lecture 1

CSCE 813 Internet Security Symmetric Cryptography

Computational Security, Stream and Block Cipher Functions

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Part VI. Public-key cryptography

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptology complementary. Symmetric modes of operation

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public-key encipherment concept

Computer Security: Principles and Practice

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Feedback Week 4 - Problem Set

Unit 8 Review. Secure your network! CS144, Stanford University

Shared Secret = Trust

Some Aspects of Block Ciphers

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Introduction to Cryptography

Refresher: Applied Cryptography

CSC 474/574 Information Systems Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Lecture 1: Perfect Security

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Appendix A: Introduction to cryptographic algorithms and protocols

Lecture 2: Shared-Key Cryptography

CS155. Cryptography Overview

CSEC 507: APPLIED CRYPTOLOGY Historical Introduction to Cryptology

ISA 562: Information Security, Theory and Practice. Lecture 1

B) Symmetric Ciphers. B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers

Cryptanalysis. Ed Crowley

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

1 Achieving IND-CPA security

Cryptography ThreeB. Ed Crowley. Fall 08

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Introduction to Cyber Security Week 2: Cryptography. Ming Chow

Stream Ciphers. Çetin Kaya Koç Winter / 13

Message Authentication Codes and Cryptographic Hash Functions

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

Chapter 3 Public Key Cryptography

Lecture III : Communication Security Mechanisms

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Security of Cryptosystems

Public Key Algorithms

1 Brief Overview Of the talk

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

Network Security Technology Project

Security. Communication security. System Security

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

Introduction to Cryptography. Vasil Slavov William Jewell College

CS155. Cryptography Overview

2.1 Basic Cryptography Concepts

Cryptography Math/CprE/InfAs 533

1.264 Lecture 28. Cryptography: Asymmetric keys

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Cryptography Introduction

IND-CCA2 secure cryptosystems, Dan Bogdanov

Cryptographic Hash Functions

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Transcription:

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France

Outlines 1 Introduction : attack models and security properties 2 Security definitions and proofs - Perfect secrecy 3 Elementary notions in probability theory 4 Shannon theorem on perfect secrecy

Security : what cryptography should provide CAIN Confidentiality Authentication Integrity Non-repudiation Kerckhoffs principle [1883] A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Attack models : COA / KPA / CPA / CCA (1/2) COA : Ciphertext-Only Attack the attacker is assumed to have access only to a set of ciphertexts Eg :vulnerabilities to COA : WEP : bad design ; DES : too small key space KOA : Known-Plaintext Attack the attacker has samples of both the plaintext and its encrypted version ; he uses them to get the secret key. Eg : vulnerabilities to KOA : encrypted ZIP archive : knowing only one unencrypted file from the archive is enough to calculate the key

Attack models : COA / KPA / CPA / CCA (2/2) CPA : Chosen-Plaintext Attack the attacker chooses a plaintext and can crypt it to obtain the corresponding ciphertexts ; i.e. he has access to an encryption machine. Eg : vulnerabilities to COA : dictionary attack on Unix passwd file. Crack, John the Ripper, L0phtCrack, Cain&Abel,... CCA : Chosen-Ciphertext Attack the attacker chooses a ciphertext and can decrypt without knowing the key. He has access to a decryption machine (oracle). Important for smart cards designers, since the attacker has full control on the device! Eg : vulnerabilities to CCA : ElGamal, early versions of RSA in SSL,...

Outlines 1 Introduction : attack models and security properties 2 Security definitions and proofs - Perfect secrecy 3 Elementary notions in probability theory 4 Shannon theorem on perfect secrecy

Security definitions. A cryptosystem is Computationally secure : if any successful attack requires at least N operations, with N large eg 10 120 2 400. Provable secure : if any attack exists, a known hard problem could be efficiently solved. [Proof : reduction, complexity, P, NP] Semantic secure for asymmetric cryptosystem : knowing the public key and a ciphertext (COA), it must be infeasible for a computationally-bounded adversary to derive significant information about the plaintext NB equivalent to the property of ciphertext indistinguishability[blum,micali] Unconditionally secure : ( or perfect secrecy) cannot be broken, even by a computationally-unbounded attack Information Theory [Shannon]

Model of a symmetric cryptosystem Shannon model perfect secrecy : i.e., informally, the knowledge of Y gives no information on X definition : Information Theory

Outlines 1 Introduction : attack models and security properties 2 Security definitions and proofs - Perfect secrecy 3 Elementary notions in probability theory 4 Shannon theorem on perfect secrecy

Discrete Random Variable (1/2) Sample space S : finite set whose elements are called elementary events Eg : can be viewed as a possible outcome of an experiment an event is a subset of S. = the null event S= the certain event events A and B are mutually exclusive iff A B = Probability distribution a function Pr : X S [0, 1] satisfying probability axioms : 1 event A : Pr(A) 0 ; 2 if A and B mutually exclusive : Pr(A B) = Pr(A) + Pr(B) 3 Pr(S) = 1

Discrete Random Variable (2/2) Definition : Discrete Random Variable a function X from a finite space S to the real numbers. quantity whose values are random For a real number x, the event X = x is {s S : X (s) = x}. Thus Pr(X = x) = s S:X (s)=x Pr(s) Experiment = rolling a pair of fair 6-sided dice Random variable X : the maximum of the two values Pr(X = 3) = 5 36

Conditional probability and independence Def : Conditional property of an event A given another event B : Pr(A B) = Pr(A B) Pr(B) Def : Two events A and B are independent iff Pr(A B) = Pr(A). Pr(B) So, if Pr(B) 0, A and B independent Pr(A B) = Pr(A) Bayes s theorem From definition, Pr(A B) = Pr(B A) = Pr(B) Pr(A B) = Pr(A) Pr(B A). This, if Pr(B) 0, we have : Pr(A B) = Pr(A) Pr(B A) Pr(B)

Outlines 1 Introduction : attack models and security properties 2 Model of a symmetric cryptosystem 3 Elementary notions in probability theory 4 Information theory - Shannon theorem on perfect secrecy

Information and entropy Shannon s measure of information 1 Hartley s measure of information : I (X ) = log 2 p i bit (logon) Def : entropy H(X ) (or uncertainty) of a disc. rand. var. X : H(X ) = x Supp(X ) i.e. the average Hartley information. Basic properties of entropy Pr(X = x). log 2 Pr(X = x) Let n =Card(Sample space) ; then H(X ) log 2 n The entropy is maximum for the uniform probability distribution Gibbs lemma H(X Y ) H(X ) + H(Y ) H(XY Z) = H(Y Z) + H(X YZ) H(X Y ) H(XZ Y )

Unconditional security / Perfect secrecy Characterization of perfect secrecy The knowledge of the ciphertext Y brings no additional information on the plaintext X, i.e. H(X Y ) = H(X )

Outlines Lecture 1 : attacks ; security defs ; unconditional security and entropy. Unconditional secure symmetric cipher Proof of Shannon s theorem : lower bound on the key size. Vernam s cipher binary and generalization to arbitrary group. Generalized Vernam s cipher is unconditionally secure. Lecture 2 : Asymmetric protocols and provable security Asymmetric cryptography is not unconditionally secure Provable security : arithmetic complexity and reduction Complexity and lower bounds : exponentiation P, NP classes

Model of a symmetric cryptosystem General model Simplified model Definition : Unconditional security or Perfect secrecy The symmetric cipher is unconditionally secure iff H(P C) = H(P) i.e. the cryptanalyst s a-posteriori probability distribution of the plaintext, after having seen the ciphertext, is identical to its a-priori distribution. Shannon s theorem : necessary condition, lower bound on K In any unconditionally secure cryptosystem : H(K) H(P). Proof : H(P) = H(P C) H((P, K) C) = H(K C) + H(P (K, C)) = H(K C) H(K)

Vernam s cipher : unconditionally secure cryptosystem Shannon s Theorem part 2 : existence It exists unconditionally secure cipher. Example : OTP (One-Time Pad) / Vernam s cipher Symmetric cipher of a bit stream : let = boolean xor ; let n = P. for i = 1,..., n : C i = P i K i Vernam s patent, 1917 OTP : One-Time Pad [AT&T Bell labs] NB : size of the (boolean) key K = size of the (boolean) plaintext P. OTP applications Unbreakable if used properly. A one-time pad must be truly random data and must be kept secure in order to be unbreakable. intensively used for diplomatic communications security in the 20th century. E.g. telex line Moscow Washington : keys were generated by hardware random bit stream generators and distributed via trusted couriers. In the 1940s, the (Soviet Union) KGB used recycled one-time pads, leading to the success of the NSA code-breakers of the project VENONA [http ://www.nsa.gov/venona/]

Generalized Vernam s cipher Generalization to a group (G, ) with m = G elements For 1 i n, let K i be uniformly randomly chosen in G. Ciphertext C = E K (P) is computed by : C i = P i K i What is the deciphering P = D K (P)? Theorem : Generalized Vernam s cipher is unconditionally secure Proof : We have H(P) log 2 m n = n log 2 m. Besides, Pr(P = p C = c) = Pr(C K 1 = p C = c) = Pr(K = p 1 c) = 1 m n then H(P C) H(P). Since H(P C) H(P), we have H(P C) = H(P).

Summary Outlines 1 Introduction : attack models and security properties 2 Security definitions and proofs - Perfect secrecy 3 Elementary notions in probability theory 4 Shannon theorem on perfect secrecy Training exercises (tutoring and home) probability ; entropy and secret. Next lecture 1 Provable security of Asymmetric protocols

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback