CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

Similar documents
Processing with Block Ciphers

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

CIS 6930/4930 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Processing with Block Ciphers

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

CSC 474/574 Information Systems Security

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CSC574: Computer & Network Security

Block Cipher Operation. CS 6313 Fall ASU

Lecture 1 Applied Cryptography (Part 1)

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSC574: Computer & Network Security

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Content of this part

Secret Key Cryptography

Block Cipher Modes of Operation

Computer Security CS 526

1 Achieving IND-CPA security

Introduction to Cryptography. Lecture 3

Chapter 3 Block Ciphers and the Data Encryption Standard

Summary. Final Week. CNT-4403: 21.April

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

IDEA, RC5. Modes of operation of block ciphers

Solutions to exam in Cryptography December 17, 2013

Information Security CS526

Double-DES, Triple-DES & Modes of Operation

Introduction to Cryptography. Lecture 3

Security Requirements

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

05 - WLAN Encryption and Data Integrity Protocols

Symmetric Encryption. Thierry Sans

Using block ciphers 1

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Summary on Crypto Primitives and Protocols

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Computer Security: Principles and Practice

CIS 4360 Secure Computer Systems Symmetric Cryptography

The Rectangle Attack

Block Cipher Modes of Operation

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

n-bit Output Feedback

Modes of Operation. Raj Jain. Washington University in St. Louis

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CSCE 548 Building Secure Software Symmetric Cryptography

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CSE 127: Computer Security Cryptography. Kirill Levchenko

ECE 646 Lecture 8. Modes of operation of block ciphers

Chapter 6 Contemporary Symmetric Ciphers

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Stream Ciphers. Stream Ciphers 1

Lecture 3: Symmetric Key Encryption

c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

Appendix A: Introduction to cryptographic algorithms and protocols

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Message Authentication Codes and Cryptographic Hash Functions

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Block Ciphers. Advanced Encryption Standard (AES)

CSC 474/574 Information Systems Security

Cryptography [Symmetric Encryption]

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CSC/ECE 774 Advanced Network Security

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Technion - Computer Science Department - Technical Report CS

Network Security Essentials Chapter 2

7. Symmetric encryption. symmetric cryptography 1

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Lecture 4: Symmetric Key Encryption

CSC 474/574 Information Systems Security

Practical Aspects of Modern Cryptography

CSC 774 Network Security

Symmetric key cryptography

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptology complementary. Symmetric modes of operation

Unit 8 Review. Secure your network! CS144, Stanford University

ABC - A New Framework for Block Ciphers. Uri Avraham

Applied Cryptography Data Encryption Standard

Stream Ciphers An Overview

Information Security CS526

Sirindhorn International Institute of Technology Thammasat University

Encryption. INST 346, Section 0201 April 3, 2018

Data Integrity. Modified by: Dr. Ramzi Saifan

Ref:

Crypto: Symmetric-Key Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Introduction to Cryptography. Steven M. Bellovin September 27,

Assignment 3: Block Ciphers

Transcription:

CSC/C 574 Computer and Network Security Topic 3.2 Secret Cryptography Modes of Operation CSC/C 574 r. eng Ning 1 rocessing with Block Ciphers Most ciphers work on blocks of fixed (small) size How to encrypt long messages? Modes of operation CB (lectronic Code Book) CBC (Cipher Block Chaining) OFB (Output Feedback) CFB (Cipher Feedback) CTR (Counter) CSC/C 574 r. eng Ning 2 Issues for Block Chaining Modes Information leakage oes it reveal info about the plaintext blocks? Ciphertext manipulation Can an attacker modify ciphertext block(s) in a way that will produce a predictable/desired change in the decrypted plaintext block(s)? Note: assume the structure of the plaintext is known, e.g., first block is employee #1 salary, second block is employee #2 salary, etc. CSC/C 574 r. eng Ning 3

Issues (Cont d) arallel/sequential Can blocks of plaintext (ciphertext) be encrypted (decrypted) in parallel? rror propagation If there is an error in a plaintext (ciphertext) block, will there be an encryption (decryption) error in more than one ciphertext (plaintext) block? CSC/C 574 r. eng Ning 4 lectronic Code Book (CB) laintext 46 + padding Ciphertext The easiest mode of operation; each block is independently encrypted CSC/C 574 r. eng Ning 5 CB ecryption 46 + padding ach block is independently decrypted CSC/C 574 r. eng Ning 6

CB roperties oes information leak? Can ciphertext be manipulated profitably? arallel processing possible? o ciphertext errors propagate? M 1 M 24 M 3 M 42 46 + padding C 1 C 42 C 3 C 24 CSC/C 574 r. eng Ning 7 Cipher Block Chaining (CBC) Initialization Vector 46 + padding Chaining dependency: each ciphertext block depends on all preceding plaintext blocks CSC/C 574 r. eng Ning 8 Initialization Vectors Initialization Vector () Used along with the key; not secret For a given plaintext, changing either the key, or the, will produce a different ciphertext Why is that useful? generation and sharing Random; may transmit with the ciphertext Incremental; predictable by receivers CSC/C 574 r. eng Ning 9

CBC ecryption Initialization Vector 46 + padding How many ciphertext blocks does each plaintext block depend on? CSC/C 574 r. eng Ning 10 CBC roperties oes information leak? Identical plaintext blocks will produce different ciphertext blocks Can ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? yes (encryption), a little (decryption) CSC/C 574 r. eng Ning 11 Output Feedback Mode (OFB) Initialization Vector one-time pad seudo-random Number Generator 46 + padding CSC/C 574 r. eng Ning 12

OFB ecryption one-time pad 46 + padding No block decryption required! CSC/C 574 r. eng Ning 13 OFB roperties oes information leak? identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably? arallel processing possible? no (generating pad), yes (XORing with blocks) o ciphertext errors propagate? CSC/C 574 r. eng Ning 14 OFB (Cont d) If you know one plaintext/ciphertext pair, can easily derive the one-time pad that was used i.e., should not reuse a one-time pad! Conclusion: must be different every time CSC/C 574 r. eng Ning 15

Cipher Feedback Mode (CFB) 46 + padding Ciphertext block C j depends on all preceding plaintext blocks CSC/C 574 r. eng Ning 16 CFB ecryption 46 + padding No block decryption required! CSC/C 574 r. eng Ning 17 CFB roperties oes information leak? Identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? CSC/C 574 r. eng Ning 18

Counter Mode (CTR) ++ ++ M 1 M 2 M 3 C 1 C 2 C 3 CSC/C 574 r. eng Ning 19 CTR Mode roperties oes information leak? Identical plaintext block produce different ciphertext blocks Can ciphertext be manipulated profitably arallel processing possible Yes (both generating pad and XORing) o ciphertext errors propagate? Allow decryption the ciphertext at any location Ideal for random access to ciphertext CSC 474 r. eng Ning 20 CSC/C 574 Computer and Network Security Topic 3.3 Secret Cryptography Triple S CSC/C 574 r. eng Ning 21

Stronger S Major limitation of S length is too short Can we apply S multiple times to increase the strength of encryption? CSC/C 574 r. eng Ning 22 ouble ncryption with S ncrypt the plaintext twice, using two different S keys Total key material increases to 112 bits is that the same as key strength of 112 bits? ncryption X C K 1 K 2 ecryption X C Observation: X= K 1 {}= K2 {C} CSC/C 574 r. eng Ning 23 Concerns About ouble S Wasn t clear at the time if S was a group (it s not) If it were, then k2 (k1()) k3 (), for all Not good? ossible attack (better than brute force): meet-in-the-middle A chosen plaintext attack CSC/C 574 r. eng Ning 24

The Meet-in-the-Middle Attack 1. Choose a plaintext and generate ciphertext C, using double-s with +K2 2. Then a. encrypt using single-s for all possible 2 56 values K 1 to generate all possible single-s ciphertexts for : X 1,X 2,,X 2 56 ; store these in a table indexed by ciphertex values b. decrypt C using single-s for all possible 2 56 values K 2 to generate all possible single-s plaintexts for C: Y 1,Y 2,,Y 2 56 ; for each value, check the table CSC/C 574 r. eng Ning 25 Steps (Cont d) 3. Meet-in-the-middle: each match (X i = Y j ) reveals a candidate keypair K i +K j there should be approx. (2 112 / 2 ) = 2 48 such pairs for one value of (,C) 2 112 possible keys, but there are only 2 X s 4. Repeat the above, for a second plaintext/ciphertext pair (,C ), and find those 2 48 candidate keypairs K i +K j Why 2 48 (another view)? The table contains only 2 56 /2 = 1/2 8 of all possible -bit values there are 2 56 entries X i for each X i, there is only 1/2 8 chance there is a matching Y i CSC/C 574 r. eng Ning 26 Steps (Cont d) 5. Look for an identical candidate keypair that produces collisions for both (,C) and (,C ) the probability the same candidate keypair occurs for both plaintexts, but is not the keypair used in the double-s encryption: 2 48 / 2 = 2-16! An expensive attack (computation + storage) still, enough of a threat to discourage use of double-s Why 2-16? there are about 2 48 candidate keypairs K i +K j at most one is +K2, the rest are imposters if K i +K j is an imposter, the probability using K i +K j that ( ) = (C ) is 1/2 CSC/C 574 r. eng Ning 27

Triple ncryption (Triple S-) ncryption C K 1 K 2 K 1 ecryption C Why not --? again, wasn t clear if S was a group Apply S encryption/decryption three times why not 3 different keys? why not the same key 3 times? CSC/C 574 r. eng Ning 28 Triple S (Cont d) Widely used equivalent strength to using a 112 bit key strength about 2 110 against M-I-T-M attack However: inefficient / expensive to compute one third as fast as S on the same platform, and S is already designed to be slow in software Next question: how is block chaining used with triple-s? CSC/C 574 r. eng Ning 29 3S-: Outside Chaining Mode K2 What basic chaining mode is this? CSC/C 574 r. eng Ning 30

3S-: OCM ecryption K2 CSC/C 574 r. eng Ning 31 OCM roperties oes information leak? identical plaintext blocks produce different ciphertext blocks Can ciphertext be manipulated profitably? arallel processing possible? no (encryption), yes (decryption) o ciphertext errors propagate? CSC/C 574 r. eng Ning 32 3S-: Inside Chaining Mode K2 00 00 CSC/C 574 r. eng Ning 33

3S-: ICM ecryption K2 00 00 CSC/C 574 r. eng Ning 34 3S-: Inside Chaining Mode 00 00 K2 00 00 CSC/C 574 r. eng Ning 35 3-S : ICM ecryption 00 00 K2 00 00 CSC/C 574 r. eng Ning 36

CSC/C 574 Computer and Network Security Topic 3.4 Secret Cryptography MAC with Secret Ciphers CSC/C 574 r. eng Ning 37 Message Authentication ncryption easily provides confidentiality of messages only the party sharing the key (the key partner ) can decrypt the ciphertext How to use encryption to authenticate messages? That is, prove the message was created by the key partner prove the message wasn t modified by someone other than the key partner CSC/C 574 r. eng Ning 38 Approach #1 The quick and dirty approach If the decrypted plaintext looks plausible, then conclude ciphertext was produced by the key partner i.e., illegally modified ciphertext, or ciphertext encrypted with the wrong key, will probably decrypt to random-looking data But, is it easy to verify data is plausiblelooking? What if all data is plausible? CSC/C 574 r. eng Ning 39

Approach #2: laintext+ciphertext Sender K C C Receiver C K Compare Accept /Reject Send plaintext and ciphertext receiver encrypts plaintext, and compares result with received ciphertext forgeries / modifications easily detected any problems / drawbacks? CSC/C 574 r. eng Ning 40 Approach #3: Use Residue ncrypt plaintext using S CBC mode, with set to zero the last (final) ciphertext output block is called the residue = 00 0 padding C 1 C 2 C 3 RSIU CSC/C 574 r. eng Ning 41 Approach #3 (Cont d) Sender K Residue only Receiver K Compare Residue only Transmit the plaintext and this residue receiver computes same residue, compares to the received residue forgeries / modifications highly likely to be detected CSC/C 574 r. eng Ning 42

Message Authentication Codes MAC: a small fixed-size block (i.e., independent of message size) generated from a message using secret key cryptography also known as cryptographic checksum CSC/C 574 r. eng Ning 43 Requirements for MAC 1. Given M and MAC(M), it should be computationally infeasible (expensive) to construct (or find) another message M such that MAC(M ) = MAC(M) 2. MAC(M) should be uniformly distributed in terms of M for randomly chosen messages M and M, ( MAC(M)=MAC(M ) ) = 2 -k, where k is the number of bits in the MAC CSC/C 574 r. eng Ning 44 Requirements (cont d) 3. Knowing MAC(M1), MAC(M2),... of some (known or chosen) messages M1, M2,..., it should be computationally infeasible for an attacker to find the MAC of some other message M CSC/C 574 r. eng Ning 45

S.K. Crypto for Confidentiality AN Authenticity? So far we ve got confidentiality (encryption), or authenticity (MACs) Can we get both at the same time with one cryptographic operation? CSC/C 574 r. eng Ning 46 Attempt #1 1. Sender computes an error-correcting code or Frame-Check Sequence (FCS) F() of the plaintext 2. Sender concatenates and F() and encrypts i.e., C = K ( F() ) 3. Receiver decrypts received ciphertext C using K, to get F 4. Receiver computes F( ) and compares to F to authenticate received message = How does this authenticate? CSC/C 574 r. eng Ning 47 Attempt #1 (Cont d) Sender K F() Concatenate F() FCS K{ F()} K Receiver FCS F F( ) Compare The order (1) FCS, then (2) encryption is critical why not (2), then (1)? Subtle weaknesses known in this approach, so not preferred CSC/C 574 r. eng Ning 48

Attempt #2 1. Compute residue (MAC) using key 2. ncrypt plaintext message M using key K2 to produce C 3. Transmit MAC C to receiver 4. Receiver decrypts received C with K2 to get 5. Receiver computes MAC( ) using, compares to received MAC CSC/C 574 r. eng Ning 49 Attempt #2 (cont d) Sender K2 C Residue only K2 Receiver MAC Residue only Compare Good (cryptographic) quality, but xpensive! Two separate, full encryptions with different keys are required CSC/C 574 r. eng Ning 50 Summary 1. CB mode is not secure CBC most commonly used mode of operation 2. Triple-S (with 2 keys) is much stronger than S usually uses in Outer Chaining Mode 3. MACs use crypto to authenticate messages at a small cost of additional storage / bandwidth but at a high computational cost CSC/C 574 r. eng Ning 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback