CSE 127: Computer Security Cryptography. Kirill Levchenko

Similar documents
9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Computer Security: Principles and Practice

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Winter 2011 Josh Benaloh Brian LaMacchia

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Unit 8 Review. Secure your network! CS144, Stanford University

Lecture 1 Applied Cryptography (Part 1)

Ref:

Chapter 9 Public Key Cryptography. WANG YANG

Encryption. INST 346, Section 0201 April 3, 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography MIS

Computer Security CS 526

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Public Key Algorithms

APNIC elearning: Cryptography Basics

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CIS 4360 Secure Computer Systems Symmetric Cryptography

UNIT - IV Cryptographic Hash Function 31.1

CSC 774 Network Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

COMP4109 : Applied Cryptography

Cryptography (Overview)

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Information Security CS526

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

David Wetherall, with some slides from Radia Perlman s security lectures.

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Basics of Cryptography

n-bit Output Feedback

CSC/ECE 774 Advanced Network Security

CSC 474/574 Information Systems Security

Encryption 2. Tom Chothia Computer Security: Lecture 3

Computer Security 3/23/18

BCA III Network security and Cryptography Examination-2016 Model Paper 1

PROTECTING CONVERSATIONS

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Public Key Cryptography

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Crypto Background & Concepts SGX Software Attestation

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Advanced Crypto. 2. Public key, private key and key exchange. Author: Prof Bill Buchanan

symmetric cryptography s642 computer security adam everspaugh

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

CS Computer Networks 1: Authentication

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

symmetric cryptography s642 computer security adam everspaugh

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Public Key Cryptography

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Uses of Cryptography

Cryptography Functions

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Study Guide to Mideterm Exam

Kurose & Ross, Chapters (5 th ed.)

Jaap van Ginkel Security of Systems and Networks

2.1 Basic Cryptography Concepts

Practical Aspects of Modern Cryptography

Goals of Modern Cryptography

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CSC 474/574 Information Systems Security

CSC 8560 Computer Networks: Network Security

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

What did we talk about last time? Public key cryptography A little number theory

Spring 2010: CS419 Computer Security

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Cryptographic Systems

CPSC 467: Cryptography and Computer Security

Key Exchange. Secure Software Systems

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Encryption I. An Introduction

EEC-484/584 Computer Networks

Symmetric, Asymmetric, and One Way Technologies

Summary on Crypto Primitives and Protocols

EEC-682/782 Computer Networks I

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography [Symmetric Encryption]

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Symmetric Encryption 2: Integrity

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Message Authentication Codes and Cryptographic Hash Functions

Network Security Chapter 8

Transcription:

CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017

Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified Authenticity: Parties cannot be impersonated Example: Military orders Enemy can t know what the orders say Enemy can t modify the orders Enemy can t send fake orders

Motivation A B Alice E Bob Eve

Setting Alice and Bob communicate by sending messages Eve can read, create, modify, or block messages Attacker model determines Eve s control of channel: Passive attack: can read only Active attack: can read and possibly create, modify, block Man-in-the-middle (MitM) attack: read, create, modify, block

Simple Example Bob Alice, Bob, Eve in lecture hall like this one Alice and Bob can pass notes via Eve Alice Eve

Simple Example Alice wants to communicate to Bob whether or not she will work with him on CSE 127 Assignment 3 Think of this as one bit of information: yes or no Alice does not want Eve to know this but Eve can observe every message between them How can Alice communicate with Bob without Eve knowing her answer?

Simple Example Let s say Alice and Bob create a secret code Eagle means yes, and snake means no Alice sends message eagle Bob knows this means yes Eve learns nothing because she doesn t know code This is perfect secrecy In practice we rarely get this

Simple Example What if Eve knows Alice and Bob have a secret code? that the secret code is a pair of code words? that the two code words are eagle and snake? Eve learns nothing even if she knows everything except which code word means yes and which means no Does this scheme provide integrity? authenticity?

Moar Encrypt We usually want to encrypt more than one bit of information In general binary string of arbitrary length Also want integrity and authenticity Will get to this in a bit

Definitions Plaintext: unencrypted message to be communicated From now on, assume this is a binary string Ciphertext: encrypted version of message Also a binary string (may not be same length as plaintext) Secrecy: ciphertext reveals nothing about plaintext C = E(M)

One-Time Pad We can achieve perfect secrecy if we XOR plaintext with a random stream of bits known only to Alice and Bob Why? C = M P Plaintext (a binary string) Random binary string of the same length as plaintext

C = M P For a given ciphertext, every plaintext is equally probable Probability taken over random choice of pad P Eagle-Snake protocol as a one-time pad: Plaintext: yes 1, no 0 Ciphertext: eagle 1, snake 0 If P = 0: eagle = yes, snake = no If P = 1: eagle = no, snake = yes Perfect secrecy, no integrity or authenticity

One-Time Pads Used when perfect secrecy is necessary Requires a lot of prearranged secrets Each pad can only be used once Why?

Computational Cryptography Want the size of the secret to be small If pre-arranged secret smaller than message, not all plaintexts equally probable ciphertext reveals info about plaintext Modern cryptography based on idea that learning anything about plaintext from ciphertext is computationally difficult without secret

Symmetric Cryptography C =E k (M) Encryption function shared secret key M =D k (C) Decryption function shared secret key

Ciphers Stream cipher: generate a pseudorandom pad as long as plaintext Pseudorandom: hard to tell apart from random Hard: computationally hard to distinguish from random Can t reuse pad (remember one-time pad!) Block cipher: Encrypt/decrypt fixed-size messages Need a way to encrypt longer or shorter messages

How Does It Work? Goal: learn how to use cryptographic primitives correctly We will treat them as a black box that mostly does what it says To learn what s inside black box take CSE 107 Avoid making your own crypto at all costs This often fails, even when very smart people do it

How Does It Work? Symmetric cryptographic primitives: 1 part arcane magic and folk superstition + 2 parts bitter experience of past failures When a primitive gets broken move on to another one NIST developing SHA-3 for when SHA-2 is broken Asymmetric cryptographic primitives: based on computational complexity of certain problems Breaking one means breakthrough in solving hard problem Have weathered the test of time better

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Edward Snowden

Brute Force All encryption breakable by brute force given enough knowledge about plaintext Try to decrypt ciphertext with every possible key until a valid plaintext is found Attack complexity proportional to size of key space Keys are just binary strings, size of key space expressed in bits 64-bit key requires 2⁶⁴ decryption attempts

Block Ciphers Block ciphers operate on fixed-size blocks Common sizes: 64 and 128 bits A block cipher is a permutation of fixed-size inputs Each input mapped to exactly one output Eagle-Snake protocol as a block cipher Block size is 1 bit

Block Ciphers DES: Data Encryption Standard Very old and widely-used cipher Key size: 56 bits vulnerable to brute force attack Block size: 64 bits 3DES: 3 applications of DES (encrypt-decrypt-encrypt) Can re-use existing DES hardware or libraries 3 times slower than DES Key size: 168 bits Block size: 64 bits

Block Ciphers AES: Advanced Encryption Standard Replacement for DES based on Rijndael cipher Faster than DES in software Key size: 128, 192, 256 bits Block size: 128 bits Twofish: AES competition finalist Based on earlier Blowfish by Bruce Schneier Key size: 128, 192, 256 bits Block size: 128 bits

Block Cipher Modes Block ciphers encrypt/decrypt a single fixed-size block Several modes of operation for longer messages Shorter messages padded to full block size Must be possible to distinguish pad from plaintext

Block Cipher Modes ECB: Encrypt each block separately Avoid why?

Block Cipher Modes CBC: XOR ciphertext block into next plaintext Use random IV Subtle attack possible if attacker knows IV, controls plaintext

Block Cipher Modes CTR: Counter mode Block cipher becomes stream cipher

Hash Functions A (cryptographic) hash function maps arbitrary length input into a fixed-size string H = H(M) Hash functions provide collision resistance It is hard to find two inputs that have the same hash value

Hash Functions MD5: Message Digest Designed by Ron Rivest Very popular hash function Output: 128 bits Broken do not use

Hash Functions SHA-1: Secure Hash Algorithm 1 Designed by NSA Output: 160 bits Considered to have weaknesses SHA-2: Secure Hash Algorithm 2 Designed by NSA Output: 224, 256, 384, or 512 bits Recommended for use today

Hash Functions SHA-3: Secure Hash Algorithm 3 Result of NIST SHA-3 contest Output: arbitrary size Replacement if SHA-2 broken

MACs Goal: Validate message integrity based on shared secret MAC: Message Authentication Code Keyed hash function using shared secret Hard compute hash without knowing key A =MAC k (M)

MACs HMAC: MAC based on hash function HMAC-MD5: HMAC construction using MD5 HMAC-SHA1: HMAC construction using SHA-1 CMAC: MAC based on block cipher

Symmetric Primitives A =MAC k (M) C =E k (M) M =D k (C)

Hash Function Properties Finding a pre-image is hard pre-image is an input that hashes to a particular value Finding a collision is hard collision are two inputs that has to same value Non-property: secrecy Hash value may leak useful information about input Although current hash functions not know not leak useful information Compare to properties of ciphers

Cipher Properties Encryption and decryption are inverse operations: M =D k (E k (M)) Informally: ciphertext reveals nothing about plaintext More formally: can t distinguish which of two plaintexts were encrypted without key Non-property: integrity May be possible to change decrypted plaintext in known way Need separate message authentication

MAC Properties Input of arbitrary length mapped to fixed-size string A =MAC k (M) Collision resistance: Hard to find M M' such that Pre-image resistance: hard to find M for given hash value S Collision-resistance implies pre-image resistance Non-property: secrecy Hash value may leak useful information about input

Asymmetric Cryptography Also called public key cryptography Two separate keys: public key and private (secret) key Public key known to everyone Private key used to decrypt and sign

Asymmetric Primitives Encryption and decryption Signing and verification

Asymmetric Keys Each user has a public and private key Keys related to each other in algorithm-dependent way Can t just pick a random string as your key as with symmetric Need a key-generation function Notation: K denotes public key, k denotes private key, r denotes random bits (K, k) Keygen(r)

Encryption and Decryption Encryption uses public key C = E K (M) Decryption uses private key M = D k (C) Computationally hard to decrypt without private key Messages are fixed size

Asymmetric Usage Public directory contains everyone s public key To encrypt to a person, get their public key from directory No need for shared secrets!

Signing and Verification Signing uses private key S = S k (M) Verification uses public key V K (M,S) Computationally hard to sign without private key Messages of fixed size

Asymmetric Encryption ElGamal encryption (1985) Based on Diffie-Helman key exchange (1976) Computational basis: hardness of discrete logarithms RSA encryption (1978) Invented by Rivest, Shamir, and Adleman Computational basis: hardness of factoring

Asymmetric Signatures DSA: Digital Signature Algorithm (1991) Closely related to ElGamal signature scheme (1984) Computational basis: hardness of discrete logarithms RSA signatures Invented by Rivest, Shamir, and Adleman Computational basis: hardness of factoring

Key Sizes Symmetric ECC DH/DSA/RSA - - - - - - - - - - - - +- - - - - - - - - +- - - - - - - - - - - - - 80 163 1024 112 233 2048 128 283 3072 192 409 7680 256 571 15360 Table 1: Comparable Key Sizes (in bits) From RFC 4492

Practical Considerations Asymmetric cryptography operations generally much more expensive than symmetric operations Asymmetric primitives operate on fixed-size messages Usually combined with symmetric for performance Use asymmetric to bootstrap ephemeral secret

Typical Encryption Usage Generate a ephemeral (one time) symmetric secret key Encrypt message using ephemeral secret key Encrypt ephemeral key using asymmetric encryption Send encrypted message, encrypted key (E K (k ),E k (M)) Decryption: decrypt ephemeral key, decrypt message

Typical Signature Usage Signing: Compute cryptographic hash of message and sign it using asymmetric signature scheme Verification: Compute cryptographic hash of message and verify it using asymmetric signature scheme

Symmetric Primitives A =MAC k (M) C =Enc k (M) M =Dec k (C)

Asymmetric Primitives (K, k) Keygen(r) (K, k) Keygen(r) C = E K (M) S = S k (M) M = D k (C) V K (M,S)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback