Cryptography Overview

Similar documents
CS155. Cryptography Overview

CS155. Cryptography Overview

Cryptography Overview

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic hash functions and MACs

symmetric cryptography s642 computer security adam everspaugh

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Message authentication codes

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Unit 8 Review. Secure your network! CS144, Stanford University

Authenticated Encryption

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Winter 2011 Josh Benaloh Brian LaMacchia

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Cryptography MIS

symmetric cryptography s642 computer security adam everspaugh

CS408 Cryptography & Internet Security

Symmetric Encryption 2: Integrity

Authenticated Encryption

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 1 Applied Cryptography (Part 1)

Message Authentication Codes and Cryptographic Hash Functions

Practical Aspects of Modern Cryptography

Cryptographic Hash Functions

Public key encryption: definitions and security

Feedback Week 4 - Problem Set

Information Security CS526

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CIS 4360 Secure Computer Systems Symmetric Cryptography

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Cryptography 2017 Lecture 3

David Wetherall, with some slides from Radia Perlman s security lectures.

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Crypto: Symmetric-Key Cryptography

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Introduction to Cryptography. Lecture 3

Summary on Crypto Primitives and Protocols

Appendix A: Introduction to cryptographic algorithms and protocols

Data Integrity. Modified by: Dr. Ramzi Saifan

Symmetric Crypto MAC. Pierre-Alain Fouque

Auth. Key Exchange. Dan Boneh

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography Functions

Symmetric Encryption. Thierry Sans

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Security: Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

Computer Security CS 526

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Cryptography and Network Security

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Randomness Extractors. Secure Communication in Practice. Lecture 17

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CSE 127: Computer Security Cryptography. Kirill Levchenko

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Introduction to Cryptography. Lecture 6

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Refresher: Applied Cryptography

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CSCE 715: Network Systems Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

The ElGamal Public- key System

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CS 161 Computer Security

Network Security Essentials Chapter 2

Computer Security 3/23/18

Scanned by CamScanner

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Solutions to exam in Cryptography December 17, 2013

Integrity of messages

Introduction to cryptology (GBIN8U16)

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

CSC 474/574 Information Systems Security

1 Achieving IND-CPA security

Introduction to Cryptography. Vasil Slavov William Jewell College

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

COMP4109 : Applied Cryptography

CSC 8560 Computer Networks: Network Security

Double-DES, Triple-DES & Modes of Operation

CSE484 Final Study Guide

Lecture 6 - Cryptography

Symmetric-Key Cryptography

CS 161 Computer Security

Some Aspects of Block Ciphers

1 Defining Message authentication

Cryptography [Symmetric Encryption]

UNIT - IV Cryptographic Hash Function 31.1

Transcription:

Cryptography Overview

Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly used properly n Something to try invent yourself unless w you spend a lot of time becoming an expert w you subject your design to outside review

Auguste Kerckhoffs A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge. baptised as Jean-Guillaume-Hubert-Victor-François- Alexandre-Auguste Kerckhoffs von Nieuwenhof

Goal 1:secure communication Step 1: Session setup to exchange key Step 2: encrypt data HTTPS

Goal 2: Protected files Disk Alice File 1 Alice File 2 No eavesdropping No tampering Analogous to secure communication: Alice today sends a message to Alice tomorrow

Taxonomy of Cryptographic attacks a) Brute force i) Known-plaintext b) Differential cryptanalysis j Power analysis c) Linear cryptanalysis k) Timing d) Meet-in-the-middle l) Man-in-the-middle e) Chosen-ciphertext f) Chosen-plaintext g) Ciphertext-only h) Replay attack

Symmetric Cryptography Assumes parties already share a secret key

Building block: sym. encryption Alice m, n E(k,m,n)=c E nonce Bob c, n D(k,c,n)=m D k k E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Encryption algorithm is publicly known Never use a proprietary cipher

Use Cases Single use key: (one time key) Key is only used to encrypt one message encrypted email: No need for nonce (set to 0) new key generated for every email Multi use key: (many time key) Key used to encrypt multiple messages SSL: same key used to encrypt many packets Need either unique nonce or random nonce

First example: One Time Pad (single use key) Vernam (1917) Key: Plaintext: 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 1 1 0 0 0 Ciphertext: 1 0 0 1 1 0 1 0 1 0 Shannon 49: n OTP is secure against ciphertext-only attacks = attacker can only access the chiper text

Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers key PRG c PRG(k) m message ciphertext Stream ciphers: RC4 (113MB/sec), SEAL (293MB/sec)

PRG = pseudo random generator Unfortunately, generating random numbers looks a lot easier than it really is. It is fundamentally impossible to produce truly random numbers on any deterministic device. Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. Von Neumann The best we can hope for are pseudo-random numbers, a stream of numbers that appear as if they were generated randomly.

Dangers in using stream ciphers One time key!! Two time pad is insecure: C1 m1 PRG(k) C2 m2 PRG(k) Eavesdropper does: C1 C2 m1 m2 Enough redundant information in English that: m1 m2 m1, m2

Block ciphers: crypto work horse n Bits PT Block n Bits E, D CT Block Key k Bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits IV handled as part of PT block

Building a block cipher Input: (m, k) Repeat simple mixing operation several times DES: Repeat 16 times: ml mr mr ml F(k,mR) AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,

Block Ciphers Built by Iteration key k key expansion k1 k2 k3 kn m R(k1, ) R(k2, ) R(k3, ) R(kn, ) c R(k,m): round function for DES (n=16), for AES (n=10)

6.17 General structure of DES

Initial and Final Permutations Initial and final permutation steps in DES 6.18

6.19 Initial and final permutation tables

Rounds DES uses 16 rounds. Each round of DES is a Feistel cipher. Figure 6.4 A round in DES (encryption site) 6.20

DES Function The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output. 6.21

6.22 Expansion P-box

Expansion P-box table The relationship between the input and output can be defined mathematically, but DES uses a table 6.23

6.24 DES cipher and reverse cipher = same hw component for encryption and decryption

Incorrect use of block ciphers Electronic Code Book (ECB): PT: m1 m2 CT: c1 c2 Parallel encryption of the various blocks through the same key Problem: n if m1=m2 then c1=c2

In pictures

Correct use of block ciphers I: CBC mode E a secure PRP. Cipher Block Chaining with random IV: IV m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext Q: how to do decryption?

Use cases: choosing an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message Can use unique IV (e.g counter) but then first step in CBC must be IV E(k1,IV) benefit: may save transmitting IV with ciphertext

CBC with Unique IVs unique IV means: (k,iv) pair is used for only one message may be predictable so use E(k1, ) as PRF IV m[0] m[1] m[2] m[3] IV E(k1, ) E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext

In pictures

Correct use of block ciphers II: CTR mode Counter mode with a random IV: (parallel encryption) IV m[0] m[1] E(k,IV) E(k,IV+1) m[l] E(k,IV+L) IV c[0] c[1] c[l] ciphertext

Performance: Crypto++ 5.2.1 [ Wei Dai ] Pentium 4, 2.1 GHz ( on Windows XP SP1, Visual C++ 2003 ) Cipher Block/key size Speed (MB/sec) RC4 113 SEAL 293 3DES 64/168 9 AES 128/128 61

Data integrity

Message Integrity: MACs Goal: message integrity. No confidentiality. n ex: Protecting public binaries on disk. k k Alice Generate tag: tag S(k, m) Message m tag Bob Verify tag:? V(k, m, tag) = `yes note: non-keyed checksum (CRC) is an insecure MAC!!

Secure MACs Attacker information: chosen message attack n for m1,m2,,mq attacker is given ti S(k,mi) Attacker s goal: existential forgery. n produce some new valid message/tag pair (m,t). (m,t) { (m1,t1),, (mq,tq) } A secure PseudoRandomFunction gives a secure MAC: n S(k,m) = F(k,m) n V(k,m,t): `yes if t = F(k,m) and `no otherwise.

Construction 1: ECBC m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) Raw CBC key = (k, k1) E(k1, ) tag

Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k opad H( k ipad m ))

HMAC i) A popular system of checking message integrity, uses one-way hash f unctions to produce unique mac values. ii) ipad and opad are used to modify the secret key. It is recommended to choose the values that would make both inputs to the hash functions look as dissimilar as possible Iii) Using a secure hash function that doesn't produce the same outputs for different input data) guarantees the security of HMAC.

SHA-256: Merkle-Damgard m[0] m[1] m[2] m[3] IV h h h h H(m) h(t, m[i]): compression function Thm 1: Thm 2 : if h is collision resistant then so is H if h is a PRF then HMAC is a PRF PRF=pseudo random function

Construction 3: PMAC parallel MAC ECBC and HMAC are sequential. PMAC: m[0] m[1] m[2] m[3] P(k,0) P(k,1) P(k,2) P(k,3) F(k, ) F(k, ) F(k, ) F(k, ) One encryption function Two distinct keys F(k1, ) tag

These MAC constructions are secure n No time to prove it Why the last encryption step in ECBC? n CBC (aka Raw-CBC) is not a secure MAC: n Given tag on a message m, attacker can deduce tag for some other message m n How: good crypto exercise

Authenticated Encryption: Encryption + MAC

Combining MAC and ENC (CCA) Encryption key KE MAC key = KI Option 1: MAC-then-Encrypt (SSL) MAC(M,KI) Enc KE Msg M Msg M MAC Option 2: Encrypt-then-MAC (IPsec) Enc KE Secure on general ground s Msg M Option 3: Encrypt-and-MAC (SSH) Enc KE Msg M MAC(C, KI) MAC MAC(M, KI) MAC

OCB offset codebook mode More efficient authenticated encryption m[0] m[1] m[2] m[3] checksum P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) P(N,k,0) E(k, ) E(k, ) E(k, ) E(k, ) E(k, ) P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) auth c[0] c[1] c[2] c[3] c[4] Rogaway,

Public-key Cryptography

Public key encryption: (Gen, E, D) Gen pk sk m c c m E D

Public key encryption: (Gen, E, D) Gen Ma anche sk pk m c c m E D

Applications Session setup (for now, only eavesdropping security) Alice Generate (pk, sk) x pkalice E(pk, x) Bob choose random x (e.g. 48 bytes) Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pkalice Note: Bob needs pkalice (public key management)

Applications Encryption in non-interactive settings: Encrypted File Systems write read ska Alice Bob E(kF, File) E(pkA, KF) E(pkB, KF) File

Applications Encryption in non-interactive settings: Key escrow: data recovery without Bob s key Bob write E(pkescrow, KF) Escrow Service skescrow E(kF, File) E(pkB, KF)

Trapdoor functions (TDF) A trapdoor func. X Y is a triple of efficient algs. (G, F, F-1) G(): F(pk, ): randomized alg. outputs key pair (pk, sk) det. alg. that defines a func. X Y F-1(sk, ): Y X that inverts F(pk, ) Security: F(pk, ) is one-way without sk

Public-key encryption from TDFs (G, F, F-1): secure TDF X Y (Es, Ds) : symm. auth. encryption with keys in K H: X K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

Public-key encryption from TDFs (G, F, F-1): secure TDF X Y (Es, Ds) : symm. auth. encryption with keys in K H: X K a hash function E( pk, m) : x X, y F(pk, x) k H(x), c Es(k, m) output (y, c) D( sk, (y,c) ) : x F-1(sk, y), k H(x), m Ds(k, c) output m

Digital Signatures Public-key encryption n Alice publishes encryption key n Anyone can send encrypted message n Only Alice can decrypt messages with this key Digital signature scheme n Alice publishes key for verifying signatures n Anyone can check a message signed by Alice n Only Alice can send signed messages

Digital Signatures from TDPs (G, F, F-1): secure TDP X X H: M X a hash function Sign( sk, m X) : output sig = F-1(sk, H(m) ) Verify( pk, m, sig) : output 1 if H(m) = F(pk, sig) 0 otherwise Security: existential unforgeability under a chosen message attack in the random oracle model

Public-Key Infrastructure (PKI) Anyone can send Bob a secret message n Provided they know Bob s public key How do we know a key belongs to Bob? n If imposter substitutes another key, can read Bob s mail One solution: PKI n n n Trusted root Certificate Authority (e.g. Symantec) w Everyone must know the verification key of root CA w Check your browser; there are hundreds!! Root authority signs intermediate CA Results in a certificate chain

Back to SSL/TLS Version, Crypto choice, nonce Version, Choice, nonce, Signed certificate containing server s public key Ks C Secret key K encrypted with server s key Ks S switch to negotiated cipher Hash of sequence of messages Hash of sequence of messages data transmission

Limitations of cryptography Most security problems are not crypto problems n n This is good w Cryptography works! This is bad w People make other mistakes; crypto doesn t solve them Misuse of cryptography is fatal for security n n WEP ineffective, highly embarrassing for industry Occasional unexpected attacks on systems subjected to serious review

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback