symmetric cryptography s642 computer security adam everspaugh

Similar documents
symmetric cryptography s642 computer security adam everspaugh

Cryptography Intro. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Cryptography Intro. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Symmetric encrypbon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

CS155. Cryptography Overview

Information Security CS526

Computer Security CS 526

CSE 127: Computer Security Cryptography. Kirill Levchenko

Scanned by CamScanner

CS155. Cryptography Overview

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Feedback Week 4 - Problem Set

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Goals of Modern Cryptography

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Unit 8 Review. Secure your network! CS144, Stanford University

Crypto: Symmetric-Key Cryptography

Introduc)on to Cryptography. Credits: Slide credits to David Brumley, Dan Boneh (ß has a MOOC)

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Cryptography 2017 Lecture 3

Information Security CS526

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Symmetric-Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

COMP4109 : Applied Cryptography

Cryptography. Andreas Hülsing. 6 September 2016

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Cryptology complementary. Symmetric modes of operation

Symmetric Cryptography

Cryptography Overview

1 Achieving IND-CPA security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers, stream ciphers

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Message authentication codes

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Authenticated Encryption

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Introduction to Cryptography. Lecture 3

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

ISA 562: Information Security, Theory and Practice. Lecture 1

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Symmetric Encryption. Thierry Sans

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

7. Symmetric encryption. symmetric cryptography 1

Lecture 1 Applied Cryptography (Part 1)

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography (cont.)

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Summary on Crypto Primitives and Protocols

Uses of Cryptography

Authenticated Encryption

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Network Security Essentials Chapter 2

CPSC 467b: Cryptography and Computer Security

Symmetric Encryption 2: Integrity

Cryptography Overview

CPSC 467b: Cryptography and Computer Security

Some Aspects of Block Ciphers

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Secure Multiparty Computation

Chapter 3 Block Ciphers and the Data Encryption Standard

Cryptography [Symmetric Encryption]

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Introduction to Cryptography. Lecture 3

How to Use Your Block Cipher? Palash Sarkar

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Symmetric Cryptography

Solutions to exam in Cryptography December 17, 2013

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cryptography Introduction to Computer Security. Chapter 8

Cryptography (Overview)

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Lecture 4: Symmetric Key Encryption

Lecture 1: Perfect Security

Syrvey on block ciphers

Stream Ciphers An Overview

CSCE 715: Network Systems Security

CS 161 Computer Security

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

SSL/TLS. Pehr Söderman Natsak08/DD2495

Cryptography MIS

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Computational Security, Stream and Block Cipher Functions

Practical Aspects of Modern Cryptography

What Can Be Proved About Security?

APNIC elearning: Cryptography Basics

Transcription:

symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security

Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)

today Provable security Vernam's one-time-pad Shannon's security definition Block ciphers (AES) Block cipher modes of operation

review

flavors Symmetric cryptography / All parties have access to a shared random string K, called the key / Short keys // AES: 128b, 192b, 256b / Fast / Good for long messages Asymmetric cryptography / Each party creates a pair of keys: a public key pk and a secret key sk / Long keys // RSA: 2048b, 4096b, 8192b / Slow / Good for short messages

primitives Encryption / confidentiality / symmetric + asymmetric versions Message authentication codes / integrity, authentication / symmetric Digital signatures / integrity, authentication / asymmetric Key exchange

SSL ver 2.0 designed by Hickman at Netscape Wagner, Goldberg break SSL ver 2 Freier, Karlton, Kocher design SSL ver 3.0 SSL ver 2 SSL ver 3 1994 1995 Bleichenbacher breaks RSA PKCS #1 encryption, used in SSL ver 3 TLS ver 1 released as IETF standard, based on SSL 3, many cryptographers involved Vaudenay, Klima et al. padding attacks Rogaway IV re-use insecurity Brumley, Boneh remote timing attacks TLS ver 1.0 TLS ver 1.1 released as standard TLS ver 1.1 1998 1999 2001 2002 2003 2006 ancient history

iteration TLS was built via "design-break-redesign-break" iteration Some amount iteration is fundamental Designing secure protocols is really hard / the problems are rarely in the primitives Many other tools have similar stories: / SSH, IPsec, kerberos, WEP + WPA (WiFi), GSM (cell phone)

provable security Provable security supplements "design-breakredesign-break" iteration with a mathematical approach 1. Design a cryptographic scheme 2. Provide a proof of it's security [Shannon, 1946] Formal definitions - Scheme semantics and assumptions - Security Security Proofs - Security of a scheme cannot be broken if assumptions hold

enigma Put yourself in Shannon's place in 1946 Enigma is state of the art cryptography developed by the Germans Broken by the Allies There must be a better way

otp Vernam's one-time pad (1917) Fix message length L Kg: output random bit string K of length L E(K,M) = M K = C D(K,C) = C K = M

security notion Dfn. A symmetric encryption is perfectly secret if for all messages M,M' and ciphertexts C Pr[ E(K,M)=C ] = Pr[ E(K,M') = C ] where probabilities are over choice of K. Shannon's "perfect secrecy" notion, 1946 Each message is equally likely to map to a given ciphertext Also: seeing a ciphertext leaks nothing about what message was encrypted

otp proof Dfn. A symmetric encryption is perfectly secret if for all messages M,M' and ciphertexts C Pr[ E(K,M)=C ] = Pr[ E(K,M') = C ] where probabilities are over choice of K. Thm. OTP is perfectly secret. For any C,M of length L: Pr[ E(K,M)=C ] = 1/2 L Pr[ E(K,M')=C ] = 1/2 L Pr[ E(K,M)=C ] = Pr[ E(K,M')]

M K bank.com Eve Mallory K must be as large as M Reusing K for M,M' leaks M M' Message length is obvious Mallory can make undetected modifications Mallory can submit random messages => will decrypt to something problems

provable security Cryptography as a computational science Use computational intractability as basis for confidence 1. Design a cryptographic scheme 2. Provide a proof that no attacker with bounded computational resources can break it [Goldwasser, Micali, Blum, 1980s] Formal definitions - Scheme semantics and assumption - Security Security Proofs (reductions) Breaking scheme Breaking assumptions

provable security Provable security yields / well-defined assumptions and security goals / designers (and attackers) can focus on assumptions As long as assumptions hold, we can be confident in security of a cryptographic scheme

typical assumptions Underlying primitives are hard to break / Factoring of large composite numbers is intractable / RSA permutation is hard to invert / Block ciphers (AES) are good pseudorandom permutations (PRPs) / Hash functions are collision resistant Confidence in primitives is gained by cryptanalysis, public design competitions / design-break-redesign-break over the years

symmetric cryptography

key generation R k Kg Optional R M Enc K C C Dec M or error Correctness: Dec(K, E(K,M,R) ) = M with probability 1 over all randomness symmetric encryption scheme

bank.com K K R M Enc C C' Dec M or error Mallory What security goals do we need from symmetric encryption? 1. Confidentiality (Mallory cannot read M) 2. Integrity (Mallory cannot later M) 3. Authenticity (Mallory cannot forge her own messages M) goals

key generation Implements a family of permutations on n bit strings, one permutation for each K R Kg Key is a uniformly selected bit string of length k K M E C C D M E: {0,1} k x {0,1} n {0,1} n Security goal: E(K,M) is indistinguishable from a random n-bit string for anyone that doesn't know K block ciphers

E: {0,1} k x {0,1} n {0,1} n K M E C Let C be a string chosen uniformly at random world 1 M??? world 0 C Can adversary distinguish between World 0 and World 1? If this holds for all polynomial time adversaries, then E is called a secure pseudorandom function (PRF) block cipher security

Advanced Encryption Standard (AES) Current standard for a secure block cipher Chosen by public competition, run by NIST, academic cryptographers Key sizes: 128b, 192b, 256b K m1 AES Block size: 128b c1 aes

building a block cipher key k key expansion k 1 k 2 k 3 k n m R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) c R(k,m): round function AES-128 n=10 [slide credit: Dan Boneh, CS155]

Designing good block ciphers is a dark art Must resist subtle attacks: differential attack, linear attacks, others Chosen through public design contests Use build-break-build-break iteration aes round function

Attack Attack type Complexity Year Bogdanov, Khovratovich, Rechberger chosen ciphertext, recovers key 2 126.1 time + some data overheads 2011 - Brute force attack against AES: 2 128 - ~4x speedup best attacks

M = m1 m2 m3 m4 ml m1 m2 m3 K E K E K E c1 c2 c3 C = c1 c2 c3 c4 cl Electronic Code Book (ECB) mode modes of operation

image encrypted with ECB [images from wikipedia] ECB is the natural way to implement encryption with block ciphers But it's insecure Basically it's a complicated substitution cipher If mi = mj then E(k, mi) = E(k,mj) ecb

CTR, GCM, any randomized mode secure modes

M = m1 m2 m3 m4 ml IV := rand() IV+0 IV+1 IV+L K E K E K E m1 m2 ml c0 c1 c2 cl C = c0 c1 c2 c3 c4 cl Counter (CTR) mode How do we do decryption? think-pair-share ctr

M = m1 m2 m3 m4 ml IV := rand() m1 m2 ml Ek Ek Ek c0 c1 c2 cl C = c0 c1 c2 c3 c4 cl Cipher Block Chaining (CBC) mode cbc

IV := rand() m1 m2 ml Eve Ek Ek Ek c0 c1 Can attacker learn K from just c0,c1,c2? Implies attacker can break E (recover block cipher key) c2 cl Can attacker m1,m2,m3 from c0,c1,c2? Implies attacker can invert block cipher without K Can attacker learn one of M from c0,c1,c2? Implies attacker can break PRF security of E Provably: passive adversaries cannot learn anything about M if E is secure passive security

IV := rand() m1 m2 ml Ek Ek Ek Mallory c0 c1 c2 cl What about forging messages? active security

Provable security Vernam's one-time pad / Shannon's "perfect secrecy" Block ciphers (AES) Block cipher modes of operations / ECB - obvious, but insecure!! / CTR Exit slips / 1 thing you learned / 1 thing you didn't understand recap

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback