n-bit Output Feedback

Similar documents
Introduction to Cryptography. Steven M. Bellovin September 27,

CSE 127: Computer Security Cryptography. Kirill Levchenko

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 1 Applied Cryptography (Part 1)

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Encryption. INST 346, Section 0201 April 3, 2018

CS 161 Computer Security

Cryptographic Systems

Computer Security 3/23/18

CPSC 467: Cryptography and Computer Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Security: Cryptography

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptographic Hash Functions

PROTECTING CONVERSATIONS

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CS61A Lecture #39: Cryptography

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Public Key Algorithms

Kurose & Ross, Chapters (5 th ed.)

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 6 - Cryptography

Computer Security: Principles and Practice

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Chapter 9 Public Key Cryptography. WANG YANG

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

CSC/ECE 774 Advanced Network Security

CSC 774 Network Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Summary on Crypto Primitives and Protocols

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Overview. Public Key Algorithms I

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Practical Aspects of Modern Cryptography

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CSC 474/574 Information Systems Security

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CS 161 Computer Security

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Spring 2010: CS419 Computer Security

Symmetric, Asymmetric, and One Way Technologies

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Ref:

VPN Overview. VPN Types

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

2.1 Basic Cryptography Concepts

Content of this part

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CSCE 715: Network Systems Security

Cryptographic Concepts

Other Topics in Cryptography. Truong Tuan Anh

Block Ciphers. Advanced Encryption Standard (AES)

APNIC elearning: Cryptography Basics

Analysis, demands, and properties of pseudorandom number generators

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSC 474/574 Information Systems Security

CS Computer Networks 1: Authentication

Unit 8 Review. Secure your network! CS144, Stanford University

COMPUTER & NETWORK SECURITY

Computational Security, Stream and Block Cipher Functions

Information Security CS526

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Computer Security CS 526

Appendix A: Introduction to cryptographic algorithms and protocols

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Study Guide to Mideterm Exam

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Public Key Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Security. Communication security. System Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

NETWORK SECURITY & CRYPTOGRAPHY

Public-key encipherment concept

Introduction to Cryptography. Lecture 6

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

CS 161 Computer Security

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

RSA. Public Key CryptoSystem

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Transcription:

n-bit Output Feedback Cryptography IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 1

Properties of Output Feedback Mode No error propagation Active attacker can make controlled changes to plaintext OFB is a form of stream cipher Steven M. Bellovin September 16, 2006 2

Counter Mode Cryptography T T + 1 T + 2 Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 3

Properties of Counter Mode Another form of stream cipher Frequently split the counter into two sections: message number and block number within the message Active attacker can make controlled changes to plaintext Highly parallelizable; no linkage between stages Vital that counter never repeat for any given key Steven M. Bellovin September 16, 2006 4

Which Mode for What Task? General file or packet encryption: CBC. Input must be padded to multiple of cipher block size Risk of byte or bit deletion: CFB 8 or CFB 1 Bit stream; noisy line and error propagation is undesirable: OFB Very high-speed data: CTR In most situations, an integrity check is needed Steven M. Bellovin September 16, 2006 5

Integrity Checks Actually, integrity checks are almost always needed Frequently, attacks on integrity can be used to attack confidentiality Usual solution: use separate integrity check along with encryption Steven M. Bellovin September 16, 2006 6

Combined Modes of Operation Integrity checks require a separate pass over the data Such checks generally cannot be parallelized For high-speed implementations, this is a considerable burden Solution: combined modes such as Galois Counter Mode (GCM) or Counter with CBC-MAC (CCM), which provide confidentiality and integrity protection in one pass Steven M. Bellovin September 16, 2006 7

Stream Ciphers Key stream generator produces a sequence S of pseudo-random bytes; key stream bytes are combined (generally via XOR) with plaintext bytes P i S i C i Stream ciphers are very good for asynchronous traffic Best-known stream cipher is RC4; commonly used with SSL Key stream S must never be reused for different plaintexts: C = A K C = B K C C = A K B K = A B Guess at A and see if B makes sense; repeat for subsequent bytes Steven M. Bellovin September 16, 2006 8

RC4 Extremely efficient After key setup, it just produces a key stream No way to resynchronize except by rekeying and starting over Internal state is a 256-byte array plus two integers Note: weaknesses if used in ways other than as a stream cipher. Steven M. Bellovin September 16, 2006 9

The Guts of RC4 for(counter = 0; counter < buffer_len; counter ++) { x = (x + 1) % 256; y = (state[x] + y) % 256; swap_byte(&state[x], &state[y]); xorindex = (state[x] + state[y]) % 256; buffer_ptr[counter] ˆ= state[xorindex]; } Steven M. Bellovin September 16, 2006 10

Cipher Strengths A cipher is no stronger than its key length: if there are too few keys, an attacker can enumerate all possible keys DES has 56 bits arguably too few in 1976; far too few today. Strength of cipher depends on how long it needs to resist attack. No good reason to use less than 128 bits NSA rates 128-bit AES as good enough for SECRET traffic; 256-bit AES is good enough for TOP-SECRET traffic. But a cipher can be considerably weaker! (A monoalphabetic cipher over all bytes has a 1684-bit key, but is trivially solvable.) Steven M. Bellovin September 16, 2006 11

CPU Speed versus Key Size Adding one bit to the key doubles the work factor for brute force attacks The effect on encryption time is often negligible or even free It costs nothing to use a longer RC4 key Going from 128-bit AES to 256-bit AES takes (at most) 40% longer, but increases the attacker s effort by a factor of 2 128 Using triple DES costs 3 more to encrypt, but increases the attacker s effort by a factor of 2 112 Moore s Law favors the defender Steven M. Bellovin September 16, 2006 12

Alice and Bob Alice wants to communicate security with Bob (Cryptographers frequently speak of Alice and Bob instead of A and B... What key should she use? Steven M. Bellovin September 16, 2006 13

Pre-Arranged Key Lists? What if you run out of keys? What if a key is stolen? Why is it necessary to destroy yesterday s [key]... list if it s never going to be used again? A used key, Your Honor, is the most critical key there is. If anyone can gain access to that, they can read your communications. (trial of Jerry Whitworth, a convicted spy.) What if Alice doesn t know in advance that she ll want to talk to Bob? Steven M. Bellovin September 16, 2006 14

The Solution: Public Key Cryptography Allows parties to communicate without prearrangement Separate keys for encryption and decryption Not possible to derive decryption key from encryption key Permissible to publish encryption key, so that anyone can send you secret messages All known public key systems are very expensive to use, in CPU time and bandwidth. Most public systems are based on mathematical problems. Steven M. Bellovin September 16, 2006 15

RSA The best-known public key system is RSA. Generate two large (at least 512 bit) primes p and q; let n = pq Pick two integers e and d such that ed 1 mod (p 1)(q 1). Often, e = 65537, since that simplifies encryption calculations. The public key is e, n ; the private key is d, n. To encrypt m, calculate c = m e mod n; to decrypt c, calculate m = c d mod n. The security of the system relies on the difficulty of factoring n. Finding such primes is relatively easy; factoring n is believed to be extremely hard. Steven M. Bellovin September 16, 2006 16

Classical Public Key Usage Alice publishes her public key in the phone book. Bob prepares a message and encrypts it with that key by doing a large exponentiation. Alice uses her private key to do a different large exponentiation. It s not that simple... Steven M. Bellovin September 16, 2006 17

Complexities RSA calculations are very expensive; neither Bob nor Alice can afford to do many. RSA is too amenable to mathematical attacks; encrypting the wrong numbers is a bad idea. Example: yes 3 is only 69 bits, and won t be reduced by the modulus operation; finding 3 503565527901556194283 is easy. We need a better solution Steven M. Bellovin September 16, 2006 18

A More Realistic Scenario Bob generates a random key k for a conventional cipher. Bob encrypts the message: c = {m} k. Bob pads k with a known amount of padding, to make it at least 512 bits long; call this k. k is encrypted with Alice s public key e, n. Bob transmits {c,(k ) e mod n} to Alice. Alice uses d, n to recover k, removes the padding, and uses k to decrypt ciphertext c. In reality, it s even more complex than that... Steven M. Bellovin September 16, 2006 19

Perfect Forward Secrecy If an endpoint is compromised (i.e., captured or hacked), can an enemy read old conversations? Example: if an attacker has recorded {c,(k ) e mod n} and then recovers Alice s private key, he can read c. Solution: use schemes that provide perfect forward secrecy, such as Diffie-Hellman key exchange. Steven M. Bellovin September 16, 2006 20

Diffie-Hellman Key Exchange Cryptography Agree on a large (at least 1024-bit) prime p, usually of the form 2q + 1 where q is also prime. Find a generator g of the group integers modulo p. (This is easy to do if p is prime.) Alice picks a large random number x and sends Bob g x mod p. Bob picks a large random number y and sends Alice g y mod p. Alice calculates k = (g y ) x g xy mod p; Bob does a similar calculation. If x and y are really random, they can t be recovered if Alice or Bob s machine is hacked. Eavesdroppers can t calculate x from g x mod p, and hence can t get the shared key. This is called the discrete logarithm problem. Steven M. Bellovin September 16, 2006 21

Random Numbers Random numbers are very important in cryptography. They need to be as random as possible an attacker who can guess these numbers can break the cryptosystem. (This is a a common attack!) To the extent possible, use true-random numbers, not pseudo-random numbers. Where do true-random numbers come from? Physical processes are best radioactive decay, thermal noise in amplifiers, oscillator jitter, etc. Often, a true-random number is used to seed a cipher modern cryptographic functions are very good pseudo-random numbers. Steven M. Bellovin September 16, 2006 22

Who Sent a Message? When Bob receives a message from Alice, how does he know who sent it? With traditional, symmetric ciphers, he may know that Alice has the only other copy of the key; with public key, he doesn t even know that Even if he knows, can he prove to a third party say, a judge that Alice sent a particular message? Steven M. Bellovin September 16, 2006 23

Digital Signatures RSA can be used backwards: you can encrypt with the private key, and decrypt with the public key. This is a digital signature: only Alice can sign her messages, but anyone can verify that the message came from Alice, by using her public key Again, it s too expensive to sign the whole message. Instead, Alice calculates a cryptographic hash of the message and signs the hash value. If you sign the plaintext and encrypt the signature, the signer s identity is concealed; if you sign the ciphertext, a gateway can verify the signature without having to decrypt the message. Steven M. Bellovin September 16, 2006 24

They re Not Like Real Signatures Real signatures are strongly bound to the person, and weakly bound to the data Digital signatures are strongly bound to the data, and weakly bound to the person what if the key is stolen (or deliberately leaked)? A better term: digital signature algorithms provide non-repudiation Steven M. Bellovin September 16, 2006 25

Cryptographic Hash Functions Produce relatively-short, fixed-length output string from arbitrarily long input. Computationally infeasible to find two different input strings that hash to the same value Computationally infeasible to find any input string that hashes to a given value Strength roughly equal to half the output length Best-known cryptographic hash functions: MD5 (128 bits), SHA-1 (160 bits), SHA-256/384/512 (256/384/512 bits) 128 bits and shorter are not very secure for general usage Steven M. Bellovin September 16, 2006 26

Recent Developments Cryptography At CRYPTO 04, several hash functions were cracked by Wang et al. More precisely, collisions were found: H(M) = H(M ), M M Cracked functions include MD4, MD5, HAVAL-128, RIPEMD, and SHA-0. But SHA-0 was known to be flawed; NSA replaced it with SHA-1 in 1994 In 2005, Wang eg al. showed that SHA-1 was considerably weaker than its design strength Are SHA-256/384/512 still secure? MD5 is still commonly used, though weaknesses have long been suspected. Steven M. Bellovin September 16, 2006 27

Abusing a Weak Hash Function Alice prepares two contracts, m and m, such that H(m) = H(m ) Contract m is favorable to Bob; contract m is favorable to Alice The exact terms aren t important; Alice can prepare many different contracts while searching for two suitable ones. Alice sends m to Bob; he signs it, producing {H(m)} KB 1. Alice shows m and {H(m)} KB 1 to the judge and asks that m be enforced Note that the signature matches... Steven M. Bellovin September 16, 2006 28

The Birthday Paradox How many people need to be in a room for the probability that two will have the same birthday to be >.5? Naive answer: 183 Correct answer: 23 The question is not who has the same birthday as Alice? ; it s who has the same birthday as Alice or Bob or Carol or... assuming that none of them have the same birthday as any of the others Steven M. Bellovin September 16, 2006 29

The Birthday Attack Alice can prepare lots of variant contracts, looking for any two that have the same hash More precisely, she generates many trivial variants on m and m, looking for a match between the two sets This is much easier than finding a contract that has the same hash as a given other contract As a consequence, the strength of a hash function against brute force attacks is approximately half the output block size: 64 bits for MD5, 80 bits for SHA-1, etc. Steven M. Bellovin September 16, 2006 30

Birthday Attacks and Block Ciphers Cryptography How many blocks can you encrypt with one key before you start getting collisions? The same rule applies: 2 B/2 blocks, where B is the cipher s block size Thus: 2 32 blocks for DES or 3DES; 2 64 blocks for AES 2 32 64-bit blocks is 2 35 bytes. That s 34GB smaller than most modern drives It s also 275Gb; on a 1Gb/sec network, it s less than 5 minutes Conclusion: the block size of DES and 3DES is too small for high-speed networks or large disks Steven M. Bellovin September 16, 2006 31

Practical Stunts from MD5 Collisons Cryptography A general style of attack for exploiting hash function collisions has been devised Create two prologues to a message file, using a collision assigned to some variable in each version In the body of the message, conditionally display one version or the other, depending on that variable Get the harmless version signed Transmit the harmful one If no conditionals in your page description language, put the collision in a font definition file or the like Steven M. Bellovin September 16, 2006 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback