symmetric cryptography s642 computer security adam everspaugh

Similar documents
symmetric cryptography s642 computer security adam everspaugh

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Symmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

CS155. Cryptography Overview

CS155. Cryptography Overview

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

ECE 646 Lecture 8. Modes of operation of block ciphers

CSE 127: Computer Security Cryptography. Kirill Levchenko

Feedback Week 4 - Problem Set

COMP4109 : Applied Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Symmetric Cryptography

Crypto: Symmetric-Key Cryptography

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CS408 Cryptography & Internet Security

Cryptography 2017 Lecture 3

Lecture 1 Applied Cryptography (Part 1)

Cryptography (cont.)

Symmetric Crypto MAC. Pierre-Alain Fouque

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Cryptography Overview

Scanned by CamScanner

Unit 8 Review. Secure your network! CS144, Stanford University

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Computer Security CS 526

Introduction to Cryptography. Lecture 6

Cryptography: Symmetric Encryption [continued]

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Information Security CS526

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Permutation-based symmetric cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

How to Use Your Block Cipher? Palash Sarkar

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

The OCB Authenticated-Encryption Algorithm

Winter 2011 Josh Benaloh Brian LaMacchia

Symmetric Encryption 2: Integrity

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Multiple forgery attacks against Message Authentication Codes

Ref:

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Symmetric-Key Cryptography

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

COMP4109 : Applied Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Lecture 4: Authentication and Hashing

Symmetric Cryptography

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Authenticated Encryption

1 Achieving IND-CPA security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptography [Symmetric Encryption]

Cryptographic hash functions and MACs

Block ciphers, stream ciphers

Authenticated Encryption

Permutation-based Authenticated Encryption

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Cryptography Overview

CSCE 715: Network Systems Security

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

CS 161 Computer Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography Functions

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Lecture 4: Symmetric Key Encryption

Data Integrity. Modified by: Dr. Ramzi Saifan

CSC574: Computer & Network Security

Message authentication codes

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

UNIT - IV Cryptographic Hash Function 31.1

Cryptology complementary. Symmetric modes of operation

Computational Security, Stream and Block Cipher Functions

Lecture 3: Symmetric Key Encryption

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS 161 Computer Security

IDEA, RC5. Modes of operation of block ciphers

CS 161 Computer Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Introduction to cryptology (GBIN8U16)

Summary on Crypto Primitives and Protocols

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Transcription:

symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security

Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time) Talk today: Adversarial Machine Learning - Scott Alfed / CS 4310, 4-5p

today Block ciphers (AES) Block cipher modes of operation Hash functions Message authentication codes (MAC), HMAC Authenticated encryption

key generation R k Kg Optional R M Enc K C C Dec M or error Correctness: Dec(K, E(K,M,R) ) = M with probability 1 over all randomness symmetric encryption scheme

key generation Implements a family of permutations on n bit strings, one permutation for each K R Kg Key is a uniformly selected bit string of length k K M E C C D M E: {0,1} k x {0,1} n {0,1} n Security goal: E(K,M) is indistinguishable from a random n-bit string for anyone that doesn't know K block ciphers

E: {0,1} k x {0,1} n {0,1} n K M E C Let C be a string chosen uniformly at random world 1 M??? world 0 C Can adversary distinguish between World 0 and World 1? If this holds for all polynomial time adversaries, then E is called a secure pseudorandom function (PRF) block cipher security

Advanced Encryption Standard (AES) Current standard for a secure block cipher Chosen by public competition, run by NIST, academic cryptographers Key sizes: 128b, 192b, 256b K m1 AES Block size: 128b c1 aes

building a block cipher key k key expansion k 1 k 2 k 3 k n m R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) c R(k,m): round function AES-128 n=10 [slide credit: Dan Boneh, CS155]

Designing good block ciphers is a dark art Must resist subtle attacks: differential attack, linear attacks, others Chosen through public design contests Use build-break-build-break iteration aes round function

Attack Attack type Complexity Year Bogdanov, Khovratovich, Rechberger chosen ciphertext, recovers key 2 126.1 time + some data overheads 2011 - Brute force attack against AES: 2 128 - ~4x speedup best attacks

Electronic Code Book (ECB) mode M = m1 m2 m3 m4 ml m1 m2 m3 K E K E K E c1 c2 c3 C = c1 c2 c3 c4 cl modes of operation

image encrypted with ECB [images from wikipedia] ECB is the natural way to implement encryption with block ciphers But it's insecure Basically it's a complicated substitution cipher If mi = mj then E(k, mi) = E(k,mj) ecb

CTR, GCM, any randomized mode secure modes

M = m1 m2 m3 m4 ml IV := rand() IV+0 IV+1 IV+L-1 Ek Ek Ek m1 m2 ml c0 c1 c2 cl C = c0 c1 c2 c3 c4 cl How do we do decryption? think-pair-share counter mode (CTR)

M = m1 m2 m3 m4 ml Cipher Block Chaining (CBC) mode IV := rand() m1 m2 ml Ek Ek Ek c0 c1 c2 cl C = c0 c1 c2 c3 c4 cl cbc

IV := rand() m1 m2 ml Eve Ek Ek Ek c0 c1 Can attacker learn K from just c0,c1,c2? Implies attacker can break E (recover block cipher key) c2 cl Can attacker m1,m2,m3 from c0,c1,c2? Implies attacker can invert block cipher without K Can attacker learn one of M from c0,c1,c2? Implies attacker can break PRF security of E Provably: passive adversaries cannot learn anything about M if E is secure passive security

IV := rand() m1 m2 ml Ek Ek Ek Mallory c0 c1 c2 cl What about forging messages? IV := rand() m1d For any change d: Send C' = c0d,c1 Dk c0' = c0d c1 active security

hash functions

Message Digest Broken: - MD5 m=128 - SHA-1 m=160 M H H: {0,1} * {0,1} m H(M) = d Current: - SHA-256 m=256 - SHA-512 m=512 - SHA3-256/512 Security goals Collision resistance / Hard to find any two messages: m!= m', H(m) = H(m') Second pre-image resistance / Given H(m), hard to find m' where H(m) = H(m') One-way / Given H(m), hard to find m hash function

K M T (M,T) (M',T') MAC K valid or invalid Verify Alice K Mallory Bob K Message Authentication Code (MAC) message integrity & authenticity / symmetric

Hashed Message Authentication Code (HMAC) Standard method to construct a secure MAC from a hash function H and a key HMAC(K,M) = H( Kopad H( Kipad M) ) Fixed constants (not tablets made by Apple) hmac

authenticated encryption

k1 - encryption key k2 - MAC key encrypt-then-mac C=Ek1(M), T=MACk2(C) C,T secure for all secure primitives encrypt-and-mac may be insecure C=Ek1(M), T=MACk2(M) C,T mac-then-encrypt may be insecure T=MACk2(M), C=Ek1(M,T) C Even better: use a dedicated AE mode authenticated encryption

Dedicated authenticated encryption schemes Attack Inventors Notes OCB (Offset Codebook) Rogaway One-pass GCM (Galios Counter Mode) CWC CCM EAX McGrew, Viega Kohno, Viega, Whiting Housley, Ferguson, Whiting Wagner, Bellare, Rogaway CTR mode plus specialized MAC CTR mode plus Carter-Wegman MAC CTR mode plus CBC-MAC CTR mode plus OMAC AES-GCM - most common, built-in instructions in Intel chips (very fast) ae modes

Block ciphers (AES) Block cipher modes of operations / ECB - obvious, but insecure!! / CTR, CBC Hash functions, HMAC Authenticated encryption / Encrypt-then-MAC / AES-GCM and others Exit slips / 1 thing you learned / 1 thing you didn't understand recap

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback