Symmetric Encryption 2: Integrity

Similar documents
Data Integrity & Authentication. Message Authentication Codes (MACs)

CSE 127: Computer Security Cryptography. Kirill Levchenko

Data Integrity & Authentication. Message Authentication Codes (MACs)

Introduction to Cryptography. Lecture 6

Feedback Week 4 - Problem Set

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture 4: Authentication and Hashing

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CS155. Cryptography Overview

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Hash Functions

Symmetric Crypto MAC. Pierre-Alain Fouque

CS155. Cryptography Overview

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 1 Applied Cryptography (Part 1)

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Unit 8 Review. Secure your network! CS144, Stanford University

Kurose & Ross, Chapters (5 th ed.)

CS 161 Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Cryptographic hash functions and MACs

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptographic Systems

1 Defining Message authentication

Introduction to Software Security Hash Functions (Chapter 5)

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Message authentication codes

Security: Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Key Establishment and Authentication Protocols EECE 412

Solutions to exam in Cryptography December 17, 2013

Lecture 1: Course Introduction

CSC 774 Network Security

Security Requirements

CSC/ECE 774 Advanced Network Security

CS 161 Computer Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Part VI. Public-key cryptography

CS Computer Networks 1: Authentication

CS408 Cryptography & Internet Security

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

CIS 4360 Secure Computer Systems Symmetric Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture 3.4: Public Key Cryptography IV

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Integrity of messages

Crypto Background & Concepts SGX Software Attestation

Cryptography 2017 Lecture 3

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Data Security and Privacy. Topic 14: Authentication and Key Establishment

symmetric cryptography s642 computer security adam everspaugh

Cryptography Overview

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Symmetric Cryptography

CS408 Cryptography & Internet Security

Cryptography V: Digital Signatures

CS 161 Computer Security

Cryptography V: Digital Signatures

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

1 Achieving IND-CPA security

Data Integrity. Modified by: Dr. Ramzi Saifan

Authenticated encryption

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Cryptography. Andreas Hülsing. 6 September 2016

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

CIS 4360 Secure Computer Systems Applied Cryptography

UNIT - IV Cryptographic Hash Function 31.1

Overview of Cryptography

Computer Networks. Wenzhong Li. Nanjing University

1 Identification protocols

CS 161 Computer Security

Cryptographic Concepts

symmetric cryptography s642 computer security adam everspaugh

Information Security CS526

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Chapter 9. Public Key Cryptography, RSA And Key Management

Security. Communication security. System Security

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

ENEE 459-C Computer Security. Message authentication

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Message Authentication ( 消息认证 )

Diffie-Hellman. Part 1 Cryptography 136

Message authentication

CSC 5930/9010 Modern Cryptography: Digital Signatures

Transcription:

http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1

Summing up (so far) Computational security Adversary receives encryption of either m0 or m1 Can t do better than guess which it is Secure PRF: Adversary can t distinguish between PRF and actual random function Block ciphers: Secure when used properly (IVs!) Multiple encryption modes 2

Message integrity and authentication 3

Privacy and integrity are orthogonal Up to now we ve had privacy without integrity Now we will do integrity without privacy And later, both at once Reminder: Goal is to detect tampering Not to prevent it! 4

Goal: Integrity Eve should not be able to alter m without detection. message m: curiouser and curiouser! ERROR! E Public channel D Alice Bob message m : curious and curious? Eve 5

Message authentication (MAC) m true or false S Public channel V Alice k s m t k s Bob t = Sign(m, ks) Verify(m,t,ks)?= true Only someone who knows ks could have sent the message! 6

Non-repudiation A special case of authentication Only Alice can have sent the message Bob could not have made it up Alice cannot effectively deny having sent it Why would you want this? 7

MAC definition t:t = S(k,m) V(k,m,t) = yes or no V(k, m, S(k,m)) = yes 8

Straw example #1: CRC CRC = cyclic redundancy check Binary division gives short, deterministic summary of data S(k,m) = CRC(m) What s wrong with this plan? 9

MAC security Alice sends message m with tag t Attacker s power: Chosen plaintext Can observe correct (mi, ti) pairs Can use MAC oracle to get tx for chosen mx Attacker s goal: Generate some valid m, t for m not previously seen m does not have to make sense! Secure if: Pr[V(k, m, t ) == yes] is very small 10 Called: Existential forgery

Replay attacks Does a MAC prevent a replay attack? NO Must be prevented at a higher level Application-dependent scenario Nonce, timestamp, etc. (more later) 11

Straw example #2: Block cipher Suppose message is exactly one block t = S(k,m) = E(k,m) t is 128 bits long under AES Is this secure? Why? 12

Security sketch Since E(k,m) is a secure block cipher, can conceptually replace E(k,m) with a random permutation. Seeing E(k,m1) E(k,mn) doesn t help predict unseen mn+1 Probability of a random guess is 1/2 L L = length of output tag (in bits) Need to make sure L is long enough! But this only works for tiny messages! 13

Encrypted CBC (ECBC) IV = 0 m1 m2 m3 m4 Using key k0 E E E E Using key k1 Verify: Same algorithm as signing E t 14

ECBC vs. CBC Output only one block instead of many Don t need to recover the plaintext AES => 2-128 chance of guessing We used two keys Necessary to prevent existential forgery Both require serial computation 15

Why two keys? Attacker requests tag for message m (m1.. mn) Get corresponding tag t = c[n] Attacker creates message m (one block long) Request tag t for (t XOR m ) Resulting t is valid for m m Uh oh. 16

MACs with Hashes 17

Hash functions A pseudorandom, one-way function Does not require a key H(m) = h Input m = pre-image, can be arbitrary length Output h = digest or hash, fixed small length Generally very fast to compute 18

Cryptographic hash Pre-image resistance: Given H(m), it s hard to find m Collision resistant: Given H(m), it s hard to find m s.t. m!= m H(m ) = H(m) Even more: Pr[any bit matching] = 1/2 19

Example hash functions MD5: Known collision attacks, still frequently used SHA-1, SHA-256, SHA-512, etc. SHA1: theoretically broken since 2005 Deprecated by NIST in 2011 Practical attack (SHAttered) as of February! (Still in use many places) New SHA-3 (224, 256, 385, 512) Public contest 2007-2012 Officially standardized August 2015 20

Hash-MAC Most widely used MAC on internet General idea: hash then PRF (short MAC) Translate arbitrary message into one block Works if H and E are both secure m H E t Using key k 21

Aside: Birthday paradox How likely 2 people in a room share a birthday? Pr > 50% with 23 people! Why? There are n 2 different pairs With X possibility space and n samples: Pr[xi = xj] ~ 50% when n = X 1/2 22

Integrity vs. Authentication Recall: What is the difference? Don t forget non-repudiation Do symmetric MACs like ECBC and Hash-Mac give one, or both? Which? Problem: More than one person knows the key 23

Authenticated Encryption 24

Previously: Privacy / secrecy Integrity Now: Both at once 25

Ciphertext integrity Maintain semantic secrecy under CPA attack Attacker cannot create a new ciphertext that decrypts properly! Encryption oracle Decrypt c or error m1 mn c1 = E(k,m1) cn c (not in c1 cn) Eve (polynomial time) Ciphertext integrity IFF prob. of decryption without error is very small 26

CCA revisited Eve can get a cipher text decrypted c = E(k,m) E VPN D m m Bob Alice c = forged cipher text Eve 27

CCA game Attacker gets encryption oracle + decryption oracle (Encryption oracle not shown) Decryption oracle c1 cn m1 = D(k,c1) mn Challenge: Choose b = x or y at uniform random mx and my (not in m1 mn) c = E(k,mb) Eve (polynomial time) Eve s job: Guess whether x or y was picked. CCAsecure IFF no better than guessing 28

CBC is not CCA-secure Challenge: Choose b = x or y at uniform random mx and my mx = my = 1 blk c = E(k,mb) = IV c[0] Decryption oracle c = (IV xor 1) c[0] m = D(k,c ) = mb xor 1 Eve (polynomial time) Uh oh. 29

Ciphertext integrity (aka authenticated encryption) can protect against CCA! Because only someone who knows k can send a message that will decrypt properly. 30

Auth. Encr. limitations Does not protect against replay Does not protect against e.g. timing attacks 31

Constructing authenticated encryption 32

Three basic options Can you guess? Encrypt and MAC MAC then encrypt Encrypt then MAC 33

Encrypt and MAC m S ki E k E c t Send E(m) MAC(m) This is not secure b/c MAC may leak information about the message Secrecy is not a MAC property 34

MAC then encrypt m ki m S E k E t c Send E(m MAC(m)) This can be insecure in some combinations Always follow standards! 35

Encrypt then MAC m E k E c S ki c t Send E(m) Mac(E(m)) This is always secure! Intuition: MAC reveals only info about ciphertext (OK) MAC ensures ciphertext has not been tampered 36

Key exchange 37

Up to now, we have assumed Alice and Bob share a secret key How did that happen? How does this scale to many users? 38

One solution: Trusted third party (TTP) U1 k1 k2 U2 TTP U3 k3 k4 U4 TTP is a bottleneck for every message TTP must be online at all times TTP can read every message Does not solve bootstrapping problem 39

Session keys and tickets Used for Kerberos kat Bob KAB, Ticket TTP Ticket = E(KBT, Alice Bob kab ) (fresh kab) kab Hi Alice Ticket TTP is a bottleneck for every message TTP must be online at all times TTP can read every message Does not solve bootstrapping problem Bob 40

A (very) little number theory p => a random, large prime number g => a generator for p: 1 < g < p For all k between 1 and p: There is some i, s.t. k = g i mod p This is called discrete log Easy: Given p, g, x, compute y = g x mod p Believed hard: Given p, g, y, compute x Candidate one-way function! 41

Generator examples: p = 7 g = 3 g = 2 3 1 mod 7 3 3 2 mod 7 2 3 3 mod 7 6 3 4 mod 7 4 3 5 mod 7 5 3 6 mod 7 1 YES 2 1 mod 7 2 2 2 mod 7 4 2 3 mod 7 1 2 4 mod 7 2 2 5 mod 7 4 2 6 mod 7 1 NO 42

Diffie-Hellman protocol 1 Compute A = g x mod p 2 p, g, A Alice secret value x Compute B = g y mod p B k = g xy mod p 4 3 Bob secret value y 5 k = B x mod p k = A y mod p 6 Successful secret key exchange! 43

Diffie-Hellman today Widely used on the internet for session keys (forward secrecy) Can be broken if parameters chosen poorly Precompute some of the attack to speed it up ( Logjam ) Currently switching to elliptic curves 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback