MTAT Applied Cryptography

Similar documents
MTAT Applied Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block Cipher Operation. CS 6313 Fall ASU

Cryptography [Symmetric Encryption]

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Lecture 1 Applied Cryptography (Part 1)

Block Cipher Operation

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Block Cipher Modes of Operation

PKCS #5 v2.0: Password-Based Cryptography Standard

Computer Security CS 526

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CSE 127: Computer Security Cryptography. Kirill Levchenko

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

ECE 646 Lecture 8. Modes of operation of block ciphers

ryptograi "ГС for Tom St Denis, Elliptic Semiconductor Inc. Simon Johnson and Author of the LibTom Project

OpenSSL is a project comprising (1) a core library and (2) a toolkit. The core library offers an API for developers of secure applications.

OpenSSL is a standard tool that we used in encryption. It supports many of the standard symmetric key methods, including AES, 3DES and ChaCha20.

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

PKCS #5 v2.0: Password-Based Cryptography Standard

Encryption of cardholder information. Torbjörn Lofterud Cybercom Sweden East AB.

1 Achieving IND-CPA security

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CRYPTOGRAPHY. Jakub Laszczyk. June 7th,

Crypto: Symmetric-Key Cryptography

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Cryptography MIS

Pass, No Record: An Android Password Manager

Chapter 3 Block Ciphers and the Data Encryption Standard

Winter 2011 Josh Benaloh Brian LaMacchia

Summary on Crypto Primitives and Protocols

Block Cipher Modes of Operation

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Block ciphers, stream ciphers

MTAT Applied Cryptography

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Workshop Challenges Startup code in PyCharm Projects

Password Based Cryptography

Stream Ciphers and Block Ciphers

Cryptographic hash functions and MACs

The Salsa20 Family of Stream Ciphers

Analysis, demands, and properties of pseudorandom number generators

Security with VA Smalltalk

MTAT Applied Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Content of this part

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CS 161 Computer Security

Findings for

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Information Security CS526

Understanding how to prevent. Sensitive Data Exposure. Dr Simon Greatrix

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

MTAT Applied Cryptography

Some Aspects of Block Ciphers

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Symmetric Cryptography

Message authentication codes

Secret Key Cryptography

CS155. Cryptography Overview

Software Tutorial: Padding

Lab 2.5: Padding. Padding (AES)

Symmetric Encryption. Thierry Sans

MTAT Applied Cryptography

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Encrypt Data (QC3ENCDT, Qc3EncryptData) API

Cryptography 2017 Lecture 3

Misuse-resistant crypto for JOSE/JWT

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Stream Ciphers. Stream Ciphers 1

Security: Cryptography

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

MBS Xojo Encryption Kit

Double-DES, Triple-DES & Modes of Operation

Symmetric-Key Cryptography

Chapter 6 Contemporary Symmetric Ciphers

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Outline. Block cipher, basic idea. From last time. Pseudorandom permutation. Confusion and diffusion. Block ciphers and modes of operation

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Practical Aspects of Modern Cryptography

Scanned by CamScanner

MTAT Applied Cryptography

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Solutions to exam in Cryptography December 17, 2013

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

Unit 8 Review. Secure your network! CS144, Stanford University

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Transcription:

MTAT.07.017 Applied Cryptography Block Ciphers (AES) University of Tartu Spring 2017 1 / 17

Block Ciphers Properties: Deterministic Without the key plaintext cannot be found Valid plaintext-ciphertext pairs do not leak the key Diffusion & Confusion AES Advanced Encryption Standard (NIST 2001) 16 byte (128 bit) block size key sizes 128/192/256 bits 2 / 17

Electronic Codebook (ECB) mode 3 / 17

Initialization Vector (IV) On encryption XOR plaintext with random IV IV must not be secret IV must be stored along with ciphertext On decryption XOR plaintext with IV Problem? Ciphertext two times larger than the plaintext 4 / 17

Cipher Block Chaining (CBC) mode Serial writes Parallel reads What about integrity (malleability)? 5 / 17

Plaintext Padding Random padding: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a XX YY ZZ Zero padding: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 00 00 00 ANSI X.923: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 00 00 03 ISO/IEC 10126: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 81 A6 03 ISO/IEC 7816-4: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 80 00 00 PKCS#5/PKCS#7: 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 03 03 03 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 05 05 05 05 05 Padding is added even if the plaintext occupies full block. 6 / 17

Counter (CTR) mode Block cipher-based PRNG Turns block cipher into a stream cipher Nonce must never be reused! Block ciphers vs Stream ciphers 7 / 17

Disk Encryption Encrypt whole disk using CBC? Every sector is encrypted separately Use sector number as IV Password change without disk reencryption Master password is used to encrypt data Master password is stored encrypted in disk header User s password decrypts master password Enterprise solutions have several encryptions of master key Prevent meaningful malleability attacks MAC is not an option XTS mode 8 / 17

Password-based encryption Deriving strong (128-bit) keys from short, low entropy passwords? Use hash of the password Increases security level by one bit Use salt as an addition to password Prevents precomputation attacks Use iterated hash to slow down brute-force Adds arbitrary number of operations to brute-force 9 / 17

PBKDF2 Password Based Key Derivation Function 2 key = PBKDF2(PRF, Password, Salt, iter, klen) PRF pseudorandom function e.g., HMAC-MD5, HMAC-SHA1 Password password entered by the user Salt random cryptographic salt Recommended at least 64 bits iter number of iterations desired Recommended at least 1 000 iterations (increases security level by 10 bits) NIST recommends 10 000 000 for critical keys (increases security level by 23 bits) klen desired length of the derived key For example, WPA2 uses: key = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256) Truecrypt uses PBKDF2 with 2000 iterations 10 / 17

Task: Password-based file encryption Implement utility that encrypts and decrypts files using a password: $./aes.py Usage: -encrypt <plaintextfile> <ciphertextfile> -decrypt <ciphertextfile> <plaintextfile> $./aes.py -encrypt plain plain.enc [+] Benchmark: 34856 PBKDF2 iterations in 1 second [?] Enter password: asd $./aes.py -decrypt plain.enc plain.new [?] Enter password: asd Encryption parameters are stored in ASN.1 DER encoding in ciphertext file header. 11 / 17

Task: Password-based file encryption EncInfo ::= SEQUENCE { kdfinfo pbkdf2params, cipherinfo aesinfo, hmacinfo DigestInfo } pbkdf2params ::= SEQUENCE { salt OCTET STRING, iterationcount INTEGER (1..MAX), keylength INTEGER (1..MAX) } aesinfo :: = SEQUENCE { algorithm OBJECT IDENTIFIER, iv OCTET STRING OPTIONAL, } $ dumpasn1 plain.enc 0 86: SEQUENCE { 2 18: SEQUENCE { 4 8: OCTET STRING 7D 64 F8 30 70 5B AE 73 14 3: INTEGER 34856 19 1: INTEGER 36 : } 22 29: SEQUENCE { 24 9: OBJECT IDENTIFIER aes128-cbc (2 16 840 1 101 3 4 1 2) 35 16: OCTET STRING 03 C3 62 AC 25 C2 25 48 E4 B8 11 38 25 D5 2C 25 : } 53 33: SEQUENCE { 55 9: SEQUENCE { 57 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 64 0: NULL : } 66 20: OCTET STRING 85 DF 81 4E C2 32 2A CC C8 BC 4B 36 C5 30 46 2C 4A F1 29 15 : } : } Warning: Further data follows ASN.1 data at position 88. 12 / 17

Task: Test cases $ echo -n "hello world" > plain $./aes.py -encrypt plain plain.enc [+] Benchmark: 35229 PBKDF2 iterations in 1 second [?] Enter password: asd $./aes.py -decrypt plain.enc plain.new [?] Enter password: asd $ hexdump -C plain.new 00000000 68 65 6c 6c 6f 20 77 6f 72 6c 64 hello world 0000000b $ echo -e -n "hello world \x01\x01\x02\x02" > plain $./aes.py -encrypt plain plain.enc [+] Benchmark: 34856 PBKDF2 iterations in 1 second [?] Enter password: asd $./aes.py -decrypt plain.enc plain.new [?] Enter password: asd $ hexdump -C plain.new 00000000 68 65 6c 6c 6f 20 77 6f 72 6c 64 20 01 01 02 02 hello world... 00000010 $./aes.py -decrypt plain.enc plain.new [?] Enter password: asdd [-] HMAC verification failure: wrong password or modified ciphertext! $ wget https://bitbucket.org/appcrypto/2017/raw/master/04/big.enc $./aes.py -decrypt big.enc big [?] Enter password: bigfilepassword $ openssl dgst -sha1 big SHA1(big)= 34edb7d89a791969d710283c7464a80fe2e39249 13 / 17

Task: Password-based file encryption Slow down password brute-force attacks to 1 try/second Benchmark the time required for 10 000 iterations Extrapolate the iteration count to 1 second start = datetime.datetime.now()... stop = datetime.datetime.now() time = (stop-start).total_seconds() Use default PBKDF2 algorithm (HMAC-SHA1) Use PBKDF2 to obtain 36 key bytes PBKDF2(password, salt, 36, iter) Use first 16 bytes as AES-128 key Next 20 bytes as HMAC-SHA1 key Generate IV (16 bytes) and salt (8 bytes) randomly Implement CBC mode using pure AES-128 (ECB mode) cipher = AES.new(key_aes) cipher.encrypt(plaintext_block) cipher.decrypt(ciphertext_block) Use PKCS#5 padding Read DER header by parsing length bytes Verify HMAC-SHA1 before starting decryption 14 / 17

Other key derivation functions The attacker should not be able to gain advantage by optimizing derivation more than the legitimate user. PBKDF2 (attackable using GPU, ASIC, FPGA) bcrypt (attackable using FPGA) scrypt (uses memory bound cryptographic functions) 15 / 17

Side channel attack def authorize_admin(submitted_password): hardcoded_password = qwerty if submitted_password == hardcoded_password: return 1 # access granted return 0 # access denied Function vulnerable to timing attack Comparison stops on first incorrect byte password aaaaaa 1ms password baaaaa 1ms password qaaaaa 2ms password qwaaaa 3ms password qweaaa 4ms password qweraa 5ms Using sleep(random()) before return will not help Constant-time string comparison function needed def is_equal(a, b): result = 0 for x, y in zip(a, b): result = ord(x) ^ ord(y) return result == 0 Moral: discard modified ciphertext without parsing plaintext 16 / 17

Questions How block cipher works (takes as an input, returns)? What happens to ciphertext if single plaintext or key bit is changed? Why encrypting every block of the file independently is not secure? Why do we apply initialization vector (IV) to plaintext block? How to provide integrity of ciphertext? Why using MD5/SHA1 for HMAC is not insecure? When should we use stream cipher and when block cipher? How to convert short password to 128-bit encryption key? What is side-channel vulnerability? 17 / 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback