CS155. Cryptography Overview

Similar documents
CS155. Cryptography Overview

Cryptography Overview

Cryptography Overview

Cryptographic hash functions and MACs

Public key encryption: definitions and security

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

symmetric cryptography s642 computer security adam everspaugh

symmetric cryptography s642 computer security adam everspaugh

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Message authentication codes

Authenticated Encryption

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CS408 Cryptography & Internet Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Authenticated Encryption

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Unit 8 Review. Secure your network! CS144, Stanford University

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptographic Hash Functions

Symmetric Encryption 2: Integrity

Symmetric Crypto MAC. Pierre-Alain Fouque

Feedback Week 4 - Problem Set

The ElGamal Public- key System

Message Authentication Codes and Cryptographic Hash Functions

Cryptography MIS

Cryptography 2017 Lecture 3

Lecture 1 Applied Cryptography (Part 1)

Information Security CS526

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Crypto: Symmetric-Key Cryptography

Integrity of messages

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Refresher: Applied Cryptography

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Randomness Extractors. Secure Communication in Practice. Lecture 17

Public key encryp4on: defini4ons and security

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

COMP4109 : Applied Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Data Integrity. Modified by: Dr. Ramzi Saifan

Symmetric-Key Cryptography

Scanned by CamScanner

Summary on Crypto Primitives and Protocols

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Outline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation

Lecture 4: Cryptography III; Security. Course Administration

Introduction to Cryptography. Lecture 3

Auth. Key Exchange. Dan Boneh

Computational Security, Stream and Block Cipher Functions

414-S17 Crypto. Shankar. April 18, 2017

Introduction to Cryptography. Lecture 6

CS 161 Computer Security

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Appendix A: Introduction to cryptographic algorithms and protocols

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Symmetric Cryptography

Computer Security CS 526

Cryptography Functions

CSC574: Computer & Network Security

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Security: Cryptography

David Wetherall, with some slides from Radia Perlman s security lectures.

Practical Aspects of Modern Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

CIS 4360 Secure Computer Systems Symmetric Cryptography

Introduction to cryptology (GBIN8U16)

CS Computer Networks 1: Authentication

CSCE 715: Network Systems Security

Tuesday, January 17, 17. Crypto - mini lecture 1

Cryptography [Symmetric Encryption]

CSE484 Final Study Guide

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Overview of Cryptography

CS 495 Cryptography Lecture 6

Network Security. Chapter 4 Symmetric Encryption. Cornelius Diekmann With contributions by Benjamin Hof. Technische Universität München

Introduction to Cryptography. Steven M. Bellovin September 27,

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Permutation-based Authenticated Encryption

Cryptography and Network Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 6 - Cryptography

Multiple forgery attacks against Message Authentication Codes

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Ac,ve a4acks on CPA- secure encryp,on

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Transcription:

CS155 Cryptography Overview

Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent or implement yourself

Kerckhoff s principle A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge.

Goal 1:secure communication Step 1: Session setup to exchange key Step 2: encrypt data

Goal 2: Protected files Disk Alice File 1 Alice File 2 No eavesdropping No tampering Analogous to secure communication: Alice today sends a message to Alice tomorrow

Symmetric Cryptography Assumes parties already share a secret key

Building block: sym. encryption Alice m, n E(k,m,n)=c E nonce Bob c, n D(k,c,n)=m D k k E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Encryption algorithm is publicly known Never use a proprietary cipher

Use Cases Single use key: (one time key) Key is only used to encrypt one message encrypted email: new key generated for every email No need for nonce (set to 0) Multi use key: (many time key) Key used to encrypt multiple messages files: same key used to encrypt many files

First example: One Time Pad (single use key) Vernam (1917) Key: Plaintext: 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 1 1 0 0 0 Ciphertext: 1 0 0 1 1 0 1 0 1 0 Shannon 49: n OTP is secure against ciphertext-only attacks

Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers key PRG c PRG(k) m message ciphertext Stream ciphers: ChaCha (643 MB/sec)

Dangers in using stream ciphers One time key!! Two time pad is insecure: C 1 m 1 PRG(k) C 2 m 2 PRG(k) Eavesdropper does: C 1 C 2 m 1 m 2 Enough redundant information in English that: m 1 m 2 m 1, m 2

Block ciphers: crypto work horse n Bits PT Block n Bits E, D CT Block Key k Bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits IV handled as part of PT block

Building a block cipher Input: (m, k) Repeat simple mixing operation several times DES: Repeat 16 times: m L m R m R m L F(k,m R ) AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,

Block Ciphers Built by Iteration key k key expansion k 1 k 2 k 3 k n m R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) c R(k,m): round function for DES (n=16), for AES-128 (n=10)

Incorrect use of block ciphers Electronic Code Book (ECB): PT: m 1 m 2 CT: c 1 c 2 Problem: n if m 1 =m 2 then c 1 =c 2

In pictures

Correct use of block ciphers: CTR mode E(k,x): maps key k and n-bit block x to a n-bit block y Counter mode (CTR) with a random IV: IV m[0] m[1] E(k,IV) E(k,IV+1) m[l] E(k,IV+L) IV c[0] c[1] c[l] ciphertext Note: Parallel encryption

Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message Can use unique IV (e.g 0, 1, 2, 3, ) benefit: may save transmitting IV with ciphertext uniqueiv counter 128 bits

In pictures encrypt with CTR Why is CTR secure? not today

Performance: [openssl speed] Intel Core 2 (on Windows Vista) Cipher Block/key size Speed (MB/sec) ChaCha 643 3DES 64/168 30 AES-128/GCM 128/128 163 AES is dramatically faster with AES-NI instructions: Intel SkyLake: 4 cycles per round, fully pipelined AESENC xmm15, xmm1

Data integrity

Message Integrity: MACs Goal: message integrity. No confidentiality. n ex: Protecting public binaries on disk. k Message m tag k Alice Bob Generate tag: tag S(k, m) Verify tag:? V(k, m, tag) = `yes note: non-keyed checksum (CRC) is an insecure MAC!!

Secure MACs Attacker information: chosen message attack n for m 1,m 2,,m q attacker is given t i S(k,m i ) Attacker s goal: existential forgery. n produce some new valid message/tag pair (m,t). (m,t) { (m 1,t 1 ),, (m q,t q ) } A secure PRF gives a secure MAC: n n S(k,m) = F(k,m) V(k,m,t): `yes if t = F(k,m) and `no otherwise.

Construction 1: ECBC m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) Raw CBC key = (k, k 1 ) E(k 1, ) tag

Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k opad H( k ipad m ))

SHA-256: Merkle-Damgard m[0] m[1] m[2] m[3] IV h h h h H(m) h(t, m[i]): compression function Thm 1: Thm 2 : if h is collision resistant then so is H if h is a PRF then HMAC is a PRF

Construction 3: PMAC parallel MAC ECBC and HMAC are sequential. PMAC: m[0] m[1] m[2] m[3] P(k,0) P(k,1) P(k,2) P(k,3) F(k, ) F(k, ) F(k, ) F(k, ) Å F(k 1, ) tag

Why are these MAC constructions secure? not today take CS255 Why the last encryption step in ECBC? n CBC (aka Raw-CBC) is not a secure MAC: n Given tag on a message m, attacker can deduce tag for some other message m n How: good crypto exercise

Authenticated Encryption: Encryption + MAC

Combining MAC and ENC (CCA) Encryption key K E Option 1: MAC-then-Encrypt (SSL) MAC(M,K I ) Msg M Msg M MAC MAC key = K I Enc K E Option 2: Encrypt-then-MAC (IPsec) Enc K E Secure for all secure primitives Msg M Option 3: Encrypt-and-MAC (SSH) Msg M Enc K E MAC(C, K I ) MAC MAC(M, K I ) MAC

Recommended mode (currently) AES-GCM: encrypt-then-mac Counter mode AES Carter-Wagman MAC

Public-key Cryptography

Public key encryption: (Gen, E, D) Gen pk sk m c c m E D

Applications Session setup (for now, only eavesdropping security) Alice Generate (pk, sk) x pk E(pk, x) Bob choose random x (e.g. 48 bytes) Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pk alice Note: Bob needs pk alice (public key management)

Applications Encryption in non-interactive settings: Encrypted File Systems write read sk A Alice Bob E(pk A, K F ) File E(k F, File) E(pk B, K F )

Applications Encryption in non-interactive settings: Key escrow: data recovery without Bob s key write Escrow Service sk escrow Bob E(pk escrow, K F ) E(k F, File) E(pk B, K F )

Trapdoor functions (TDF) Def: a trapdoor func. X Y is a triple of efficient algs. (G, F, F -1 ) G(): randomized alg. outputs key pair (pk, sk) F(pk, ): det. alg. that defines a func. X Y F -1 (sk, ): func. Y X that inverts F(pk, ) Security: F(pk, ) is one-way without sk

Public-key encryption from TDFs (G, F, F -1 ): secure TDF X Y (E s, D s ) : symm. auth. encryption with keys in K H: X K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

Public-key encryption from TDFs (G, F, F -1 ): secure TDF X Y (E s, D s ) : symm. auth. encryption with keys in K H: X K a hash function E( pk, m) : R x X, y F(pk, x) k H(x), c E s (k, m) output (y, c) D( sk, (y,c) ) : x F -1 (sk, y), k H(x), m D s (k, c) output m

In pictures: F(pk, x) E s ( H(x), m ) header body Security Theorem: If (G, F, F -1 ) is a secure TDF, (E s, D s ) provides auth. enc. and H: X K is a random oracle then (G,E,D) is CCA ro secure.

Digital Signatures Public-key encryption n n n Alice publishes encryption key Anyone can send encrypted message Only Alice can decrypt messages with this key Digital signature scheme n n n Alice publishes key for verifying signatures Anyone can check a message signed by Alice Only Alice can send signed messages

Digital Signatures from TDPs (G, F, F -1 ): secure TDP X X H: M X a hash function Sign( sk, m X) : output sig = F -1 (sk, H(m) ) Verify( pk, m, sig) : output 1 if H(m) = F(pk, sig) 0 otherwise Security: existential unforgeability under a chosen message attack (in the random oracle model)

Public-Key Infrastructure (PKI) Anyone can send Bob a secret message provided they know Bob s public key How do we know a key belongs to Bob? n If imposter substitutes another key, can read Bob s messages One solution: PKI n n Trusted root Certificate Authority (CA) CA certifies that a given public-key belongs to Bob more on this next time

Putting it all together: SSL/TLS (simplified) Client-hello Server-hello Key exchange Server-key-exchange C Client key-exchange S finished Confirmation finished Encrypted session

Limitations of cryptography Cryptography works when used correctly!! but is not the solution to all security problems XKCD 538

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback