Lecture 2: Shared-Key Cryptography

Similar documents
Symmetric Encryption. Thierry Sans

Classical Cryptography. Thierry Sans

Computer Security CS 526

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Practical Aspects of Modern Cryptography

Stream Ciphers and Block Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography III: Symmetric Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Information Security CS526

CIT 380: Securing Computer Systems. Symmetric Cryptography

Network Security Essentials Chapter 2

Crypto: Symmetric-Key Cryptography

7. Symmetric encryption. symmetric cryptography 1

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Lecture 3: Symmetric Key Encryption

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

CSE 127: Computer Security Cryptography. Kirill Levchenko

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 4: Symmetric Key Encryption

EEC-484/584 Computer Networks

ECE 646 Lecture 8. Modes of operation of block ciphers

Some Aspects of Block Ciphers

Chapter 3 Block Ciphers and the Data Encryption Standard

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Private-Key Encryption

CSC 474/574 Information Systems Security

Lecture 2: Secret Key Cryptography

CSCE 813 Internet Security Symmetric Cryptography

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Lecture 1 Applied Cryptography (Part 1)

Cryptography Functions

Cryptography III: Symmetric Ciphers

Goals of Modern Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Study Guide to Mideterm Exam

Security: Cryptography

Network Security Essentials

IDEA, RC5. Modes of operation of block ciphers

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Introduction to Cryptography

Cryptography [Symmetric Encryption]

Cryptography BITS F463 S.K. Sahay

Syrvey on block ciphers

Cryptography and Network Security

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Secret Key Cryptography (Spring 2004)

Secret Key Algorithms (DES)

Stream Ciphers and Block Ciphers

APNIC elearning: Cryptography Basics

CIS 4360 Secure Computer Systems Symmetric Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

P2_L6 Symmetric Encryption Page 1

Double-DES, Triple-DES & Modes of Operation

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Introduction to Cryptography. Lecture 3

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Data Encryption Standard (DES)

Symmetric Encryption Algorithms

Introduction to Cryptography. Lecture 1. Benny Pinkas. Administrative Details. Bibliography. In the Library

Introduction to Cryptography. Lecture 1

CPSC 467b: Cryptography and Computer Security

Scanned by CamScanner

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Computer Security 3/23/18

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Introduction to Cryptography. Lecture 3

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

Uses of Cryptography

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Computer Security: Principles and Practice

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Cryptography Symmetric Encryption Class 2

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Traditional Symmetric-Key Ciphers. A Biswas, IT, BESU Shibpur

CSC574: Computer & Network Security

Symmetric-Key Cryptography

CPS2323. Block Ciphers: The Data Encryption Standard (DES)

AIT 682: Network and Systems Security

Stream Ciphers An Overview

Geldy : A New Modification of Block Cipher

Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Cryptography MIS

CPSC 467b: Cryptography and Computer Security

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Transcription:

Graduate Course on Computer Security Lecture 2: Cryptography Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita di Udine, Italy December 3, 2001

Outline of cryptography Symmetric ciphers Block ciphers Stream ciphers Data Encryption Standard () What is a secure cipher? Computer Security: 2 Cryptography 2

Confidentiality Implement a virtual trusted channel over an insecure medium E D Computer Security: 2 Cryptography 3

Insecure Channels External observer can Read traffic Inject new traffic Erase traffic sometimes Modify traffic sometimes Computer Security: 2 Cryptography 4

Classical of Cryptography Encryption Encrypted message (ciphertext) Decryption Message (cleartext, plaintext) E key E, D realize a virtual trusted channel, given key D Message (cleartext, plaintext) Computer Security: 2 Cryptography 5

Modern Cryptography Not just about confidentiality! Integrity Digital signatures Hash functions Fair exchange Contract signing Anonymity Electronic cash Electronic voting Computer Security: 2 Cryptography 6

A Brief of Cryptography ~2000 years ago: Substitution ciphers A few centuries later: Permutation ciphers Renaissance: Polyalphabetic ciphers 1844: Mechanization 1976: Public-key cryptography Computer Security: 2 Cryptography 7

Substitution Ciphers Replace each letter with another Key: substitution table How to break it? Brute force? 26! possibilities (= 4x10 26 ) Count the frequencies of letters, pairs, Arabs had tabulated the Koran by 1412 Ciphertext is enough: ciphertext-only attack Example: QVAQBCWZQRLWDVEFW IAMINDECIPHERABLE A V B E C Z D C E W F G G O Caesar s cipher: H L I Q J N K H L F M A N B O S P R Q I R D S U T Y U K A C B E D F X A Y B Z C V X W M X T Y J Z P Computer Security: 2 Cryptography 8

Permutation Ciphers k = 1 2 3 4 5 3 5 4 1 2 Switch letters around by a permutation Example: HELLOWORLD Key: permutation Breakable with ciphertext-only attack LOLHERDLWO Computer Security: 2 Cryptography 9

Renaissance Ciphers Use message and key letters for cipher Key: a word (CRYPTO) Example: WHATANICEDAYTODAY CRYPTOCRYPTOCRYPT ZZZJUCLUDTUNWGCQS + (mod 26) Polyalphabetic cipher: Encryption of letter is context-dependent Seed of modern cryptography Computer Security: 2 Cryptography 10

Mechanization The Enigma 1844: invention of telegraph Beginning of civilian crypto Rotor machines Key: initial position of rotors Culminate in WW II 1975: 1996-2000 AES 1976: Public key cryptography We will examine in some detail Computer Security: 2 Cryptography 11

Symmetric Ciphers Encryption box Encrypted message (ciphertext) Decryption box M E X X D M Message (cleartext) k Secret key D k (E k (m)) = m Message (cleartext) Computer Security: 2 Cryptography 12

Properties of a Good Cipher D k (E k (m)) = m E, D : {0,1} n x {0,1} l {0,1} n For every k, E k is an injection with inverse D k E k (m) is easy to compute, given m and k D k (x) is easy to compute, given x and k Polynomial in max{n,l} - often linear If x = E k (m), it is hard to find m without k Exponential in min{n,l} Computer Security: 2 Cryptography 13

Open Design Kerchoff s Principle (1883) The security of a cryptosystem must not depend on keeping the algorithm secret No security by obscurity Better Lots of smart but innocuous people dissect it Than a single smart malicious Computer Security: 2 Cryptography 14

Attack Models x Random Random m, x E k (m) Ciphertext Only Known Plaintext Chosen E k (m) Chosen D k (x) m, x x, m Chosen Plaintext Known Plaintext Good ciphers resist all attack models Computer Security: 2 Cryptography 15

Successful Decrypt future messages coded with k Recover k Hard Often not needed! Exploit properties of the cipher See Lecture 5 (WEP) Computer Security: 2 Cryptography 16

Sneaky Differential Power Analysis on 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Obtain the key somehow Network sniffers, worms, backup tapes, Blackmail, bribery, torture, Be careful! Detail: Round 2 Round 3 From http://www.cryptography.com/dpa/technical Side-channel cryptanalysis Power consumption off-peak computation Encryption time random noise Radiation physical shielding Better implementation and design Computer Security: 2 Cryptography 17

Encrypting Long messages Most algorithms operate on fixed sizes E.g. 64 bits for Block ciphers Slice m into m 1,, m n Add padding to last block Use E k to produce x 1,, x n Use D k to recover m 1,, m n Stream ciphers Rely on pseudo-random sequence Computer Security: 2 Cryptography 18

Electronic Codebook Mode ECB Any identical block encrypted identically Lots of ciphertext with the same k Dictionary attack m: E k E k E k Attacker records blocks Substitute them back when appropriate Encryption guarantees secrecy, not integrity x: n bits n bits n bits n bits Computer Security: 2 Cryptography 19

Exclusive OR Fundamental operation of many ciphers y 0 0 1 z 0 1 1 y z 0 1 0 Properties y y = 0 y 0 = y y 1 = y 1 0 1 y z z = y Computer Security: 2 Cryptography 20

Cipher Block Chaining CBC Encryption x 1 = E k (m 1 IV) x i = E k (m i x i-1 ) Decryption m 1 = D k (x 1 ) IV Initialization Vector m: IV x: n bits E k n bits E k n bits E k n bits m i = D k (x i ) x i-1 Widely used E.g IPSec Computer Security: 2 Cryptography 21

Output Feedback Mode OFB Encryption x i = m i E k (IV) i m: n bits E k E k E k n bits Decryption m i = x i D k (IV) i Initialization Vector IV x: n bits n bits NB: encryption is never applied to m Computer Security: 2 Cryptography 22

One-Time Pad E k (m) = m k D k (x) = x k Requires m = k Very fast Perfect secrecy Prob[guessing m] = Prob[guessing m x] k should never be reused again! x 1 = m 1 k x x 2 = m 2 k 1 x 2 = m 1 m 2 k very large for long messages How to distribute it? Computer Security: 2 Cryptography 23

Pseudo-Random Bit Generators Deterministic functions RNG : {0,1} n {0,1} Stretch fixed-size seed to an unbounded sequence that looks random Computable approximation of one-time pad Example: RC4 Example: i := 0 i := 0 do forever i := i+1 mod 256 j := j+s[i] mod 256 swap s[i],s[j] t := s[i]+s[j] mod 256 output s[t] Seed: initial value of s Size of state: (2 256 ) 256 Computer Security: 2 Cryptography 24

Stream Ciphers One-time pad using a RNG Use k as seed? Reuse problem! E k (m) = m RNG(k) Typical usage (e.g., with ) E k (m) = k (s), m RNG(s) Chose new s each time strong fast Computer Security: 2 Cryptography 25

- Data Encryption Standard [NIST/IBM/NSA, released 1975] key Message blocks: 64 bits Keys: 56 bits Cleartext block 64 56 64 Ciphertext block Speed Software: 43,000 block/sec ~ 2.7 Mbit/sec Measured on an old 80486 at 66MHz OK for files and web pages Too slow for sound and video Hardware: 16.8 million block/sec ~ 1 Gbit/sec High speed Ethernet: 100 Mbit/sec Modem: 56 Kbit/sec Computer Security: 2 Cryptography 26

Feistel Networks n bits L 0 : R 0 : n bits f 1,, f k : {0,1} n {0,1} n Round 1 f 1 L 1 : R 1 : Arbitrary functions Not necessarily invertible Round 2 f 2 L k-2 : R k-2 : L i = R i-1 R i = L i-1 f i (R i-1 ) Round k-1 Round k f k-1 L k-1 : R k-1 : f k L k : R k : Computer Security: 2 Cryptography 27

Inverting a Feistel Network Theorem For any f 1,, f k : {0,1} n {0,1} n, a Feistel network computes a permutation π : {0,1} n {0,1} n L 0 : R 0 : f 1 L 1 : R 1 : f 2 Inverse: L i-1 = R i f i (L i ) R i-1 = L i Feistel networks convert generic functions into permutations L k-2 : R k-2 : f k-1 L k-1 : R k-1 : f k L k : R k : Computer Security: 2 Cryptography 28

Inside cleartext is a Feistel network with 64 16 rounds π 64 bit cleartext blocks 56 bits key f 1,, f 16 derived from key Initial permutation π (public) Decryption key 56 16-round Feistel Network π -1 64 64 Apply f 16,, f 1 (in reverse order) Same chip 64 ciphertext Computer Security: 2 Cryptography 29

The Functions f i x k i 48 bits f i (x) = F(x, k i ) k i derived from k Public key schedule 56 bits r 32 48 48 48 F: {0,1} 32 x {0,1} 48 {0,1} 32 is public 32 bits 48 bits ½ block x expanded to x Public replicator r S-boxes S j are public 6 bits 4 bits where the magic happens Rationale was kept secret Final permutation π is public Shuffles input for next round 6 S 1 6 S 2 6 S 3 6 S 4 6 S 5 6 S 6 6 S 7 6 S 8 4 4 4 4 4 4 4 4 32 π 32 F(x, k i ) Computer Security: 2 Cryptography 30

on Exhaustive search Given plaintext m and ciphertext x, with high probability there is a single key k s.t. x = (m,k) Trying 10 6 keys/sec, it takes 2,000 years However 1993, $10 6 homemade supercomputer breaks in 7 hours (CPA) More sophisticated attacks Use properties (e.g. (m,k) = (m,k)) Linear / differential crypto-analysis Computer Security: 2 Cryptography 31

Avoiding Exhaustive Search 3 is not a group Given k1, k2, with high probability there is no k3 s.t. E k1 (E k2 (m)) = E k3 (m) for every m 3 k1,k2 (m) = E k1 (D k2 (E k1 (m))) Key length: 112 bits Very popular encryption decryption Computer Security: 2 Cryptography 32

How about a 2? 2 k1,k2 (m) = E k1 ( E k2 (m))?? Meet-in-the-middle attack! m E X 1 X 2 X 2 56 m 1 m 2 =? For key length n, D X total work is only 2 n + 2 n = 2 n+1 m 2 56 Try all possible keys Effective key length is just 57 bits! Applies to any encryption algorithm Computer Security: 2 Cryptography 33

X encryption X k1,k2,k3 (m) = k1 E k2 (m k3) Key length: 56 + 2*64 = 184 bits However, effective key length is only about 100 bits Computer Security: 2 Cryptography 34

AES a Successor to Advanced Encryption Standard 1996: NIST issues public call for proposal Secure for next 50-100 years Block cipher faster than 3 Variable key lengths (128, 192, 256, bits) Open design 15 algorithms submitted Public (and private) crypto-analysis for 4 years 5 finalists Computer Security: 2 Cryptography 35

Oct. 2000: AES Contest Winner Rijndael, by J. Daemen and V. Rijmen Fast (~18-20 cycles to encrypt a byte) Small (98 Kb) Well understood characteristics Bit operations:, shift, Provides good safety (1.33 safety factor) Computer Security: 2 Cryptography 36

When is a Cipher Secure? m m E k (_) E k (0) x Polynomial adversary cannot tell a real encryption box from a fake one x Computer Security: 2 Cryptography 37

Formal Definition Let E: {0,1} n x {0,1} l {0,1} n A(x m) = 1 iff x = E k (m) A algorithm polynomial in key length l x m = E k (m) E is a secure encryption scheme if polynomial p(_) L s.t. l > L k {0,1} l Pr[A(x m m) = 1] - Pr[A(x 0 m) = 1] < 1/p(l) Computer Security: 2 Cryptography 38

Readings Andrea Sgarro, Codici Segreti, 1989 The comprehensive of Secret Communication from Ancient Times to the Internet David Kahn, The Code-Breakers, 1996 A. Menezes, P. van Oorschot and S. Vanstone, The Handbook of Applied Cryptography, 1996 Computer Security: 2 Cryptography 39

Exercises for Lecture 2 Find a way to measure the redundancy in the ASCII rendering of English (or Italian) text Prove the invertibility of a Feistel network Why is 3 immune from the meet-inthe-middle attack? Can you explain why 3 uses only 2 keys? What is the cost of breaking y iterated encryptions with different keys? Computer Security: 2 Cryptography 40

Next Public-Key Cryptography Computer Security: 2 Cryptography 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback