Information Security CS526

Similar documents
Information Security CS526

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Computer Security CS 526

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Double-DES, Triple-DES & Modes of Operation

Stream Ciphers. Çetin Kaya Koç Winter / 13

Security Models: Proofs, Protocols and Certification

Stream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13

Introduction to Cryptography. Lecture 3

Introduction to Cryptology. Lecture 2

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

2 What does it mean that a crypto system is secure?

CSC 580 Cryptography and Computer Security

Cryptography and Network Security Chapter 7

Cryptography [Symmetric Encryption]

Chapter 6 Contemporary Symmetric Ciphers

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

COMP4109 : Applied Cryptography

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Network Security Essentials Chapter 2

symmetric cryptography s642 computer security adam everspaugh

Introduction to Cryptography. Lecture 3

7. Symmetric encryption. symmetric cryptography 1

Symmetric Cryptography

Lecture 1: Perfect Security

Stream Ciphers - RC4. F. Sozzani, G. Bertoni, L. Breveglieri. Foundations of Cryptography - RC4 pp. 1 / 16

Private-Key Encryption

Goals of Modern Cryptography

ISA 562: Information Security, Theory and Practice. Lecture 1

1 Achieving IND-CPA security

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Chapter 6: Contemporary Symmetric Ciphers

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

2 Secure Communication in Private Key Setting

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Network Security Essentials

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Cryptography. Summer Term 2010

CSE 127: Computer Security Cryptography. Kirill Levchenko

Message Authentication Codes and Cryptographic Hash Functions

CPSC 467: Cryptography and Computer Security

Syrvey on block ciphers

Stream Ciphers An Overview

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Cryptography Part II Introduction to Computer Security. Chapter 8

CS61A Lecture #39: Cryptography

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Summary on Crypto Primitives and Protocols

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

How crypto fails in practice? CSS, WEP, MIFARE classic. *Slides borrowed from Vitaly Shmatikov

Lecture 2: Secret Key Cryptography

Symmetric Encryption. Thierry Sans

Introduction to Symmetric Cryptography

CPSC 467b: Cryptography and Computer Security

Computer Security 3/23/18

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography BITS F463 S.K. Sahay

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

U-II BLOCK CIPHER ALGORITHMS

Bob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption

Encryption. INST 346, Section 0201 April 3, 2018

CPS2323. Symmetric Ciphers: Stream Ciphers

Some Aspects of Block Ciphers

1 One-Time Pad. 1.1 One-Time Pad Definition

Cryptography. Lecture 03

Security: Cryptography

Information Security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography MIS

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

David Wetherall, with some slides from Radia Perlman s security lectures.

Lecture 1 Applied Cryptography (Part 1)

Stream Ciphers. Stream Ciphers 1

CSC 474/574 Information Systems Security

CPSC 467b: Cryptography and Computer Security

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Introduction to Cryptography

Cryptography: Symmetric Encryption [continued]

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Cryptography Introduction to Computer Security. Chapter 8

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Making and Breaking Ciphers

2/7/2013. CS 472 Network and System Security. Mohammad Almalag Lecture 2 January 22, Introduction To Cryptography

Cryptography. Historical Encoding. Encryption Media. Intro to Encryption 8/24/2010. COMP620 Information Privacy & Security 1

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CPSC 467b: Cryptography and Computer Security

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Computer Security: Principles and Practice

CPSC 467: Cryptography and Computer Security

Practical Aspects of Modern Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Cryptography CS 555. Topic 1: Course Overview & What is Cryptography

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

CIS 4360 Secure Computer Systems Symmetric Cryptography

Transcription:

Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers 1

Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days HW2 will be assigned on Sept 11, due on Sept 25 Planned project 1: implementation of file encryption, to be assigned on Sept 25 2

Readings for This Lecture Required reading from wikipedia One-Time Pad Information theoretic security Stream cipher Pseudorandom number generator 3

Begin Math 4

Random Variable Definition A discrete random variable, X, consists of a finite set X, and a probability distribution defined on X. The probability that the random variable X takes on the value x is denoted Pr[X =x]; sometimes, we will abbreviate this to Pr[x] if the random variable X is fixed. It must be that 0 x X Pr[ x] Pr[ x] 1 for all x X 5

Example of Random Variables Let random variable D 1 denote the outcome of throwing one die (with numbers 0 to 5 on the 6 sides) randomly, then D={0,1,2,3,4,5} and Pr[D 1 =i] = 1/6 for 0 i 5 Let random variable D 2 denote the outcome of throwing a second such die randomly Let random variable S 1 denote the sum of the two dice, then S ={0,1,2,,10}, and Pr[S 1 =0] = Pr[S 1 =10] = 1/36 Pr[S 1 =1] = Pr[S 1 =9] = 2/36 = 1/18 Let random variable S 2 denote the sum of the two dice modulo 6, what is the distribution of S 2? 6

Relationships between Two Random Variables Definitions Assume X and Y are two random variables, then we define: - joint probability: Pr[x, y] is the probability that X takes value x and Y takes value y. - conditional probability: Pr[x y] is the probability that X takes value x given that Y takes value y. Pr[x y] = Pr[x, y] / Pr[y] - independent random variables: X and Y are said to be independent if Pr[x,y] = Pr[x]P[y], for all x X and all y Y. 7

Examples Joint probability of D 1 and D 2 for 0 i,j 5, Pr[D 1 =i, D 2 =j] =? Are D 1 and D 2 independent? Suppose D 1 is plaintext and D 2 is key, and S 1 and S 2 are ciphertexts of two different ciphers, which cipher would you use? 8

Examples to think after class What is the joint probability of D 1 and S 1? What is the joint probability of D 2 and S 2? What is the conditional probability Pr[S 1 =s D 1 =i] for 0 i 5 and 0 s 10? What is the conditional probability Pr[D 1 =i S 2 =s] for 0 i 5 and 0 s 5? Are D 1 and S 1 independent? Are D 1 and S 2 independent? 9

10 Bayes Theorem If P[y] > 0 then Corollary X and Y are independent random variables iff P[x y] = P[x], for all x X and all y Y. Example: What is Pr[D 1 =1 S 1 =3]? ] [ ] [ ] [ ] [ y P x y P x P y x P X x X x x y p x P y x P y P ] [ ] [ ], [ ] [

End Math 11

One-Time Pad Fix the vulnerability of the Vigenere cipher by using very long keys Key is a random string that is at least as long as the plaintext Encryption is similar to shift cipher Invented by Vernam in the 1920s 12

One-Time Pad Let Z m ={0,1,,m-1} be the alphabet. Plaintext space = Ciphtertext space = Key space = (Z m ) n The key is chosen uniformly randomly Plaintext X = (x 1 x 2 x n ) Key K = (k 1 k 2 k n ) Ciphertext Y = (y 1 y 2 y n ) e k (X) = (x 1 +k 1 x 2 +k 2 x n +k n ) mod m d k (Y) = (y 1 -k 1 y 2 -k 2 y n -k n ) mod m 13

The Binary Version of One-Time Pad Plaintext space = Ciphtertext space = Keyspace = {0,1} n Key is chosen randomly For example: Plaintext is 11011011 Key is 01101001 Then ciphertext is 10110010 14

Bit Operators Bit AND 0 0 = 0 0 1 = 0 1 0 = 0 1 1 = 1 Bit OR 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 1 Addition mod 2 (also known as Bit XOR) 0 0 = 0 0 1 = 1 1 0 = 1 1 1 = 0 Can we use operators other than Bit XOR for binary version of One-Time Pad? 15

How Good is One-Time Pad? Intuitively, it is secure The key is random, so the ciphertext is completely random How to formalize the confidentiality requirement? Want to say certain thing is not learnable by the adversary (who sees the ciphertext). But what is the certain thing? Which (if any) of the following is the correct answer? The key. The plaintext. Any bit of the plaintext. Any information about the plaintext. E.g., the first bit is 1, the parity is 0, or that the plaintext is not aaaa, and so on 16

Shannon (Information-Theoretic) Security = Perfect Basic Idea: Ciphertext should reveal no information about Plaintext Definition. An encryption over a message space M is perfectly secure if probability distribution over M message m M ciphertext c C for which Pr[C=c] > 0 We have Pr [PT=m CT=c] = Pr [PT = m]. 17

Explanation of the Definition Pr [PT = m] is what the adversary believes the probability that the plaintext is m, before seeing the ciphertext Pr [PT = m CT=c] is what the adversary believes after seeing that the ciphertext is c Pr [PT=m CT=c] = Pr [PT = m] means that after knowing that the ciphertext is C 0, the adversary s belief does not change. 18

An Equivalent Definition of Perfect Definition. An encryption scheme is perfectly secure if and only if for any ciphertext c, and any two plaintext m1 and m2, the probability that m1 is encrypted to c is the same as the probability that m2 is encrypted to c. message m1,m2 ciphertext c Pr [CT=c PT = m1] = Pr [CT = c PT = m2] CS555 Spring 2012/Topic 3 19

Example for Information Theoretical Security Consider an example of encrypting the result of a 6-side dice (1 to 6). Method 1: randomly generate K=[1..6], ciphertext is result + K. What is plaintext distribution? After seeing that the ciphertext is 3, what could be the plaintext. After seeing that the ciphertext is 12, what could be the plaintext? Method 2: randomly generate K=[1..6], ciphertext is (result + K) mod 6. Same questions. Can one do a brute-force attack? 20

Perfect Fact: When keys are uniformly chosen in a cipher, the cipher has perfect secrecy iff. the number of keys encrypting M to C is the same for any (M,C) This implies that c m 1 m 2 Pr[CT=c PT=m 1 ] = Pr[CT=c PT=m 2 ] One-time pad has perfect secrecy when limited to messages over the same length (Proof?) 21

Key Randomness in One-Time Pad One-Time Pad uses a very long key, what if the key is not chosen randomly, instead, texts from, e.g., a book are used as keys. this is not One-Time Pad anymore this does not have perfect secrecy this can be broken How? The key in One-Time Pad should never be reused. If it is reused, it is Two-Time Pad, and is insecure! Why? 22

Usage of One-Time Pad To use one-time pad, one must have keys as long as the messages. To send messages totaling certain size, sender and receiver must agree on a shared secret key of that size. typically by sending the key over a secure channel Key agreement is difficult to do in practice. Can t one use the channel for sending the key to send the messages instead? Why is OTP still useful, even though difficult to use? 23

Usage of One-Time Pad The channel for distributing keys may exist at a different time from when one has messages to send. The channel for distributing keys may have the property that keys can be leaked, but such leakage will be detected Such as in Quantum cryptography 24

The Bad News Theorem for Perfect Question: OTP requires key as long as messages, is this an inherent requirement for achieving perfect secrecy? Answer. Yes. Perfect secrecy implies that key-length msg-length Proof: Plaintext space Cipherttext space Implication: Perfect secrecy difficult to achieve in practice 25

Stream Ciphers In One-Time Pad, a key is a random string of length at least the same as the message Stream ciphers: Idea: replace rand by pseudo rand Use Pseudo Random Number Generator PRNG: {0,1} s {0,1} n expand a short (e.g., 128-bit) random seed into a long (e.g., 10 6 bit) string that looks random Secret key is the seed Basic encryption method: E key [M] = M PRNG(key) 26

The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994. Simple and effective design. Variable key size (typical 40 to 256 bits), Output length unbounded Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, first part of output biased, when used as stream cipher, should use RC4-Drop[n] Which drops first n bytes before using the output Conservatively, set n=3072 27

Pseudo Random Number Generator Useful for cryptography, simulation, randomized algorithm, etc. Stream ciphers, generating session keys The same seed always gives the same output stream Why is this necessary for stream ciphers? Simulation requires uniform distributed sequences E.g., having a number of statistical properties Cryptographically secure pseudo-random number generator requires unpredictable sequences satisfies the "next-bit test : given consecutive sequence of bits output (but not seed), next bit must be hard to predict Some PRNG s are weak: knowing output sequence of sufficient length, can recover key. Do not use these for cryptographic purposes 28

Properties of Stream Ciphers Typical stream ciphers are very fast Widely used, often incorrectly Content Scrambling System (uses Linear Feedback Shift Registers incorrectly), Wired Equivalent Privacy (uses RC4 incorrectly) SSL (uses RC4, SSLv3 has no known major flaw) 29

Security Properties of Stream Ciphers Under known plaintext, chosen plaintext, or chosen ciphertext, the adversary knows the key stream (i.e., PRNG(key)) Security depends on PRNG PRNG must be unpredictable Do stream ciphers have perfect secrecy? How to break a stream cipher in a brute-force way? If the same key stream is used twice, then easy to break. This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong 30

Using Stream Ciphers in Practice If the same key stream is used twice, then easy to break. This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong In practice, one key is used to encrypt many messages Example: Wireless communication Solution: Use Initial vectors (IV). E key [M] = [IV, M PRNG(key IV)] IV is sent in clear to receiver; IV needs integrity protection, but not confidentiality protection IV ensures that key streams do not repeat, but does not increase cost of brute-force attacks Without key, knowing IV still cannot decrypt Need to ensure that IV never repeats! How? 31

Coming Attractions Cryptography: Semantic Security, Block ciphers, encryption modes, cryptographic functions 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback