Lecture 1 Applied Cryptography (Part 1)

Similar documents
Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

CSCE 715: Network Systems Security

Spring 2010: CS419 Computer Security

Data Integrity. Modified by: Dr. Ramzi Saifan

Ref:

Security Requirements

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Computer Security: Principles and Practice

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSE 127: Computer Security Cryptography. Kirill Levchenko

S. Erfani, ECE Dept., University of Windsor Network Security

CS408 Cryptography & Internet Security

Message Authentication Codes and Cryptographic Hash Functions

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptographic Hash Functions

Chapter 3 Block Ciphers and the Data Encryption Standard

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

Message Authentication and Hash function

Public-key Cryptography: Theory and Practice

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Security: Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Introduction to Cryptography. Lecture 6

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSC 774 Network Security

Summary on Crypto Primitives and Protocols

Data Integrity & Authentication. Message Authentication Codes (MACs)

Network Security Essentials Chapter 2

Practical Aspects of Modern Cryptography

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

P2_L8 - Hashes Page 1

CSC574: Computer & Network Security

Secret Key Cryptography

Appendix A: Introduction to cryptographic algorithms and protocols

Content of this part

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Unit 8 Review. Secure your network! CS144, Stanford University

Symmetric Encryption Algorithms

Cryptographic hash functions and MACs

CSC 474/574 Information Systems Security

Computer Security CS 526

Cryptography Functions

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Cryptography and Network Security

CSC 474/574 Information Systems Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSC/ECE 774 Advanced Network Security

Encryption. INST 346, Section 0201 April 3, 2018

Symmetric Crypto MAC. Pierre-Alain Fouque

P2_L6 Symmetric Encryption Page 1

Winter 2011 Josh Benaloh Brian LaMacchia

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

David Wetherall, with some slides from Radia Perlman s security lectures.

Block Cipher Modes of Operation

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Lecture 4: Authentication and Hashing

n-bit Output Feedback

Symmetric Cryptography. Chapter 6

APNIC elearning: Cryptography Basics

CSC574: Computer & Network Security

Kurose & Ross, Chapters (5 th ed.)

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptographic Concepts

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CSC 8560 Computer Networks: Network Security

1-7 Attacks on Cryptosystems

Cryptography (Overview)

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Introduction to Software Security Hash Functions (Chapter 5)

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Block Cipher Operation. CS 6313 Fall ASU

UNIT - IV Cryptographic Hash Function 31.1

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

2.1 Basic Cryptography Concepts

Introduction to Symmetric Cryptography

Lecture 2 Applied Cryptography (Part 2)

Symmetric Encryption. Thierry Sans

ECE 646 Lecture 8. Modes of operation of block ciphers

Network and System Security

Integrity of messages

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Information Security CS526

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Cryptographic Systems

Transcription:

Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1

Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication Tsinghua Summer Course 2010 1-2

Introduction to Security A computer system or network application is said to be secure if it behaves normally even some bad guys try to attack it and make it misbehave. Definition of attack (RFC 2828) An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security property of a system. Tsinghua Summer Course 2010 1-3

Passive Attack Tsinghua Summer Course 2010 1-4

Active Attack Tsinghua Summer Course 2010 1-5

Security Properties We need some formal definitions of security. Confidentiality: the protection of data from unauthorized disclosure by passive attacks. Sometimes called privacy. Authentication: to assure that the message is from the source that it claims to be from. Tsinghua Summer Course 2010 1-6

Security Properties (More) Integrity: content of message is unaltered. Availability: a system and a system resource remain accessible and usable upon demand. Non-repudiation: a sender cannot falsely deny that he sent a message Note its difference from authentication Tsinghua Summer Course 2010 1-7

Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication Tsinghua Summer Course 2010 1-8

What is Cryptography? Information of data may be attacked: Eavesdropping: sniffing and recording of data transmitted over a channel Passive attack Modification, insertion, or deletion of messages or message content Active attack Cryptography is the ability to send information between participants, in a mangled format, that prevents others from reading it. Address the issue of information security. Tsinghua Summer Course 2010 1-9

What is Cryptography? A message in its original form is called plaintext or cleartext. The mangled information is called ciphertext. The process of producing ciphertext from plaintext is called encryption. The reverse of encryption is called decryption. Parties involved (to help our discussion): Alice, Bob, Carol, Dave: good guys who communicate securely Trudy and Eve: bad guys who disrupt Tsinghua Summer Course 2010 1-10

What is Cryptography? A cryptosystem is a system that is built on cryptographic algorithms. Cryptosystems generally involve encryption/decryption algorithms and secret values called keys. Without the knowledge of keys, it is computationally infeasible to recover protected information. Computational difficulty Tsinghua Summer Course 2010 1-11

What is Cryptography? A cryptosystem should remain secure as long as the keys are kept secret, even through algorithm details are published A typical cryptosystem: Alice s encryption key Bob s decryption key plaintext m encryption algorithm E ciphertext c decryption algorithm D plaintext m c = E(m) m = D(c) Tsinghua Summer Course 2010 1-12

Attacks on Cryptography An attacker can try every possible key to recover the plaintext, i.e., via brute force. The goal of cryptanalysis is to recover keys based on cryptographic characteristics. Three types of attacks: Ciphertext only: only ciphertext is known to attackers. Known plaintext: some <plaintext, ciphertext> pairs are known to attackers Chosen plaintext: Some selected plaintext and the corresponding ciphertext are known to attackers Tsinghua Summer Course 2010 1-13

Cryptographic Primitives Cryptographic primitives are specific cryptographic functions that form the basic building blocks of a cryptosystem. Examples: Symmetric key cryptography Public key cryptography Hash functions Digital signatures Certificates Tsinghua Summer Course 2010 1-14

Cryptographic Primitives When we build a cryptosystem, leverage existing cryptographic primitives whenever possible. Our focus in this course is to apply existing cryptographic primitives into a cryptosystem. In other words, how to have them interact with each other such that the cryptosystem remains secure. Tsinghua Summer Course 2010 1-15

Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication Tsinghua Summer Course 2010 1-16

Symmetric Key Cryptography K S K S plaintext message, m encryption algorithm ciphertext E Ks (m) decryption algorithm plaintext m = D Ks (E Ks (m)) symmetric key crypto: Bob and Alice share same (symmetric) key: K Also known as secret key crypto For now, assume Bob and Alice have secret and reliable ways to agree on key. Tsinghua Summer Course 2010 1-17

Generic Block Encryption Symmetric key cryptography is mainly built on block ciphers: Algorithm takes a fixed-length block of plaintext and a fixed-length key, and generates a block of ciphertext with the same length as the input. E.g., DES uses 64-bit blocks and a 56-bit key Another type is called stream ciphers, which encrypt one byte at a time. Tsinghua Summer Course 2010 1-18

Generic Block Encryption Definitely, key length can t be too short. But block length is also a matter. Block length consideration: Too small: easy to reconstruct all mappings (e.g., chosen-plaintext attack, try all plaintext blocks) Too big: performance degradation 64-bit / 128-bit may be reasonable. Tsinghua Summer Course 2010 1-19

Generic Block Encryption Input and output blocks must form one-to-one mappings: E.g., block length = 3 bits. One mapping structure: input output 000 110 001 111 010 101 011 100 input output 100 011 101 010 110 000 111 001 How many mapping structures are there if n-bit blocks are used? Tsinghua Summer Course 2010 1-20

Generic Block Encryption Specifying the whole mapping structure is exhaustive. Symmetric key crypto. is to take a reasonable-length key and generate a mapping structure that looks random How many mapping structures can be specified if a k-bit key is used? Tsinghua Summer Course 2010 1-21

Generic Block Encryption Typical operations of symmetric key crypto Substitution: specify mapping of an m-bit input to an m-bit output (assuming m is small) Permutation: specify mapping of an input bit position to an output bit position (special case of substitution) In each round, run substitution and permutation. Repeat many rounds. Tsinghua Summer Course 2010 1-22

Example of Block Encryption Kaufman et al. (2002), Page 62. Tsinghua Summer Course 2010 1-23

Data Encryption Standard (DES) adopted in 1977 by NBS (now NIST) encrypts 64-bit data using 56-bit key has widespread use with controversial security Why 56 bits, not 64 bits? 8 bits are for parity checking of keys (is parity useful?) 56 bits less secure Tsinghua Summer Course 2010 1-24

DES Overview Tsinghua Summer Course 2010 1-25

Avalanche Effect Avalanche effect: change of one input or key bit results in changing many output bits A key desirable property of encryption algo In DES, for one round, change of one bit makes approx half of output bits change DES exhibits strong avalanche Tsinghua Summer Course 2010 1-26

Is DES Perfect? Problems of DES Key size and block size are too short A feasible DES cracker was available in 1998 Efficient in hardware. Slow in software A variant called Triple-DES is too slow although more secure Tsinghua Summer Course 2010 1-27

Advanced Encryption Standard (AES) new (Nov. 2001) symmetric-key NIST standard, replacing DES always processes data in 128 bit blocks regardless of the key size 128, 192, or 256 bit keys brute force decryption (try each key) takes 149 trillion years for AES taking 1 sec on DES Tsinghua Summer Course 2010 1-28

AES Design goals of AES resistant against known attacks speed and code compactness on many CPUs Can be efficiently implemented on 8-bit and 32-bit CPUs design simplicity Now widely used Tsinghua Summer Course 2010 1-29

AES Overview: Encryption process in AES Tsinghua Summer Course 2010 1-30

Encrypting Large Messages Let block size = 64 bits. How do you encrypt a message larger than 64 bits? Modes of operations: Electronic Code Block (ECB) Cipher Block Chaining (CBC) Output Feedback Mode (OFB) not discussed Counter Mode (CTR) Tsinghua Summer Course 2010 1-31

Electronic Code Block (ECB) Break a message into 64-bit blocks (padding the last one to a full block). Encrypt each block with a secret key. message m1 m2 m3 m4 K K K K c1 c2 c3 c4 Tsinghua Summer Course 2010 1-32

Electronic Code Block If two plaintext blocks are identical, the output ciphertext blocks are also identical Reveal the pattern of information Can rearrange blocks to affect the protocol E.g., know two blocks that store salaries $50K and $100K. Can reorder the two blocks and change the salaries of employees Tsinghua Summer Course 2010 1-33

Cipher Block Chaining (CBC) Make ciphertext blocks different even they are from the same plaintext blocks CBC has encryption of current block depend on result of previous block Provide initialization vector (IV) to encrypt first block IV need not be secret Change IV over each session c(i-1) m(i) + block cipher c(i) Tsinghua Summer Course 2010 1-34

Counter Mode (CTR) In CBC, what happen if a ciphertext block is dropped, or garbled? Counter mode: c(i) = E(key, IV + block number, m(i)) Advantage: can decrypt an arbitrary block Disadvantage: Same ciphertext block if key and IV are the same Tsinghua Summer Course 2010 1-35

Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication Tsinghua Summer Course 2010 1-36

Hashes Take arbitrary message to generate fixedsize output hash (or digest) h = H(m) Implementation of hash function is public Uses of hashes: Sign hash instead of messages Store digests of files for integrity checks (e.g., viruses may modify files) Irreversible password hash database Tsinghua Summer Course 2010 1-37

Hashes Tsinghua Summer Course 2010 1-38

Cryptographic Hash Requirements of a cryptographic hash: One-way property: Given a hash value h, computationally infeasible to find x s.t. h = H(x) Collision resistance property: Computationally infeasible to find any pair (x, y) s.t. H(x) = H(y) Tsinghua Summer Course 2010 1-39

Attacks on Hash Functions Attacks via brute force or cryptanalysis Attack on one-way: find x such that H(x) equals a given value Attack on collision resistance: find x and y such that H(x) = H(y) Which attack is easier to launch? Tsinghua Summer Course 2010 1-40

Birthday Attack Birthday paradox: in a group of people N, probability of two sharing same birthday > 0.5 if N >= 23 Birthday attack: given user prepared to sign a valid message x using k-bit hash opponent generates 2 k / 2 variations x of x, all with essentially the same meaning, and saves them opponent generates 2 k / 2 variations y of a desired fraudulent message y two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature Conclusion: need large enough k Tsinghua Summer Course 2010 1-41

Hash Algorithms MD5 (RFC 1321) computes 128-bit message digest In 2005, collision attack is feasibly launched (using a laptop running with a few hours) Tsinghua Summer Course 2010 1-42

Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993, and was revised in 1995 as SHA-1 SHA-1 US standard for use with DSA signature scheme produces 160-bit hash values Unlike MD5, SHA-1 is not defined if input message length > 2 64 bits (but enough in practice) recent 2005 results on security of SHA-1 have raised concerns on its use in future applications Tsinghua Summer Course 2010 1-43

Revised SHA adds 3 additional versions of SHA SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher Tsinghua Summer Course 2010 1-44

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin No denial of message transmission by origin then three alternative functions used: hash function but can t guarantee identity message encryption message authentication code (MAC) Tsinghua Summer Course 2010 1-45

Message Encryption use encryption for authentication if symmetric encryption is used then: receiver know sender must have created it and content can t t be altered Drawback: not efficient Tsinghua Summer Course 2010 1-46

Message Authentication Code (MAC) generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender Tsinghua Summer Course 2010 1-47

MAC a small fixed-sized block of data generated from message + secret key MAC = C(K,M) C(.) is some MAC function, may not be hash function appended to message when sent Tsinghua Summer Course 2010 1-48

Keyed Hash Functions as MAC But no reason of not using hash function for MAC Advantages of using hash functions: because hash functions are generally faster crypto hash function code is widely available hash includes a key along with message original proposal: KeyedHash = Hash(Key Message) some weaknesses were found with this eventually led to development of HMAC Tsinghua Summer Course 2010 1-49

HMAC (Hash-Based MAC) specified as Internet standard RFC2104 HMAC algorithm: Concatenates secret to front of message Hashes concatenated message Concatenates the secret to front of digest Hashes the combination again Tsinghua Summer Course 2010 1-50

HMAC uses hash function on the message: HMAC K (M)= Hash[(K + XOR opad) Hash[(K + XOR ipad) M)] ] where K + is the key padded out to size opad, ipad are specified padding constants overhead is just 3 more hash calculations than the message needs alone any hash function can be used e.g., MD5, SHA-1 Tsinghua Summer Course 2010 1-51

HMAC proved security of HMAC relates to that of the underlying hash algorithm attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) choose hash function used based on speed verses security constraints Tsinghua Summer Course 2010 1-52

Pseudorandom Number Generator (PRNG) Essential elements of any pseudorandom number generator (PRNG) are a seed value and a deterministic algorithm for generating a stream of pseudorandom bits PRNG can be based on Encryption algorithm Hash function MAC Tsinghua Summer Course 2010 1-53

Hash-Based PRNG Steps: Take seed V Repeatedly add 1 Hash V Use n-bits of hash Secure if good hash is used Tsinghua Summer Course 2010 1-54

MAC-based PRNG Steps: Use a key K and seed V Input based on last hash Tsinghua Summer Course 2010 1-55

Summary and References Summary: Introduction to security Security defined by security properties Introduction to cryptography Cryptographic primitives Symmetric key cryptography Hash functions and message digests References: Kaufman et al., Ch. 1-5 Stallings, Ch. 1, 2, 3, 5, 11, 12 Kurose & Ross, Ch. 8 Tsinghua Summer Course 2010 1-56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback