Information Security CS526

Similar documents
Information Security CS526

Computer Security CS 526

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Goals of Modern Cryptography

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to Cryptography. Lecture 3

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Network Security Essentials Chapter 2

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

1 Achieving IND-CPA security

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Introduction to Cryptography. Lecture 3

symmetric cryptography s642 computer security adam everspaugh

Cryptography [Symmetric Encryption]

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Double-DES, Triple-DES & Modes of Operation

Symmetric-Key Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Computational Security, Stream and Block Cipher Functions

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Block ciphers, stream ciphers

ISA 562: Information Security, Theory and Practice. Lecture 1

Cryptography and Network Security Chapter 7

Scanned by CamScanner

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Cryptology complementary. Symmetric modes of operation

Private-Key Encryption

Feedback Week 4 - Problem Set

Crypto: Symmetric-Key Cryptography

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Security Models: Proofs, Protocols and Certification

Practical Aspects of Modern Cryptography

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Applied Cryptography and Computer Security CSE 664 Spring 2018

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Lecture 1 Applied Cryptography (Part 1)

Network Security Essentials

Winter 2011 Josh Benaloh Brian LaMacchia

Some Aspects of Block Ciphers

Chapter 6 Contemporary Symmetric Ciphers

Summary on Crypto Primitives and Protocols

Symmetric Cryptography

Computer Security: Principles and Practice

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

COMP4109 : Applied Cryptography

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Symmetric Encryption. Thierry Sans

CSC 474/574 Information Systems Security

Cryptography: Symmetric Encryption [continued]

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Cryptography 2017 Lecture 3

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Stream Ciphers An Overview

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptographic Hash Functions

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

Chapter 6: Contemporary Symmetric Ciphers

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

U-II BLOCK CIPHER ALGORITHMS

7. Symmetric encryption. symmetric cryptography 1

Information Security

Introduction to Cryptology. Lecture 2

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

CS408 Cryptography & Internet Security

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Syrvey on block ciphers

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Lecture 2: Secret Key Cryptography

Lecture 1: Perfect Security

CS155. Cryptography Overview

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

2 Secure Communication in Private Key Setting

Cryptography. Andreas Hülsing. 6 September 2016

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 3: Symmetric Key Encryption

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CIS 4360 Secure Computer Systems Symmetric Cryptography

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Private-Key Encryption

Data Encryption Standard (DES)

Lecture 4: Symmetric Key Encryption

Cryptography Functions

CS 161 Computer Security

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Lecture 2: Shared-Key Cryptography

Block Cipher Operation. CS 6313 Fall ASU

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

2 What does it mean that a crypto system is secure?

Lecture 4: Authentication and Hashing

EEC-484/584 Computer Networks

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Defining Encryption. Lecture 2. Simulation & Indistinguishability

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Cryptography (cont.)

CS155. Cryptography Overview

Transcription:

Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1

Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for HW and Project Team project has separate late days 2

Readings for This Lecture Required reading from wikipedia Stream cipher Pseudorandom number generator Block Cipher Block cipher modes of operation Information theoretic security Ciphertext Indistinguishability 3

Notation for Symmetric-key Encryption A symmetric-key encryption scheme is comprised of three algorithms Gen the key generation algorithm The algorithm must be probabilistic/randomized Output: a key k Enc the encryption algorithm Input: Output: key k, plaintext m ciphertext c := Enc k (m) Dec the decryption algorithm Input: key k, ciphertext c Output: plaintext m := Dec k (m) Requirement: k m [ Dec k (Enc k (m)) = m ] 4

Stream Ciphers (An Approximation of One-Time Pad) In One-Time Pad, a key is a random string of length at least the same as the message Stream ciphers: Idea: replace rand by pseudo rand Use Pseudo Random Number Generator PRNG: {0,1} s {0,1} n expand a short (e.g., 128-bit) random seed into a long (typically unbounded) string that looks random Secret key is the seed Basic encryption method: E key [M] = M PRNG(key) 5

The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994. Simple and effective design. Variable key size (typical 40 to 256 bits), Output length unbounded Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, first part of output biased, when used as stream cipher, should use RC4-Drop[n] Which drops first n bytes before using the output Conservatively, set n=3072 6

Stream Ciphers = Cryptographically Strong Pseudo Random Number Generators Useful for cryptography, simulation, randomized algorithm, etc. Stream ciphers, generating session keys The same seed always gives the same output stream Why is this necessary for stream ciphers? Simulation requires uniform distributed sequences E.g., having a number of statistical properties Cryptographically secure pseudo-random number generator requires unpredictable sequences satisfies the "next-bit test : given consecutive sequence of bits output (but not seed), next bit must be hard to predict Some PRNG s are weak: knowing output sequence of sufficient length, can recover key. Do not use these for cryptographic purposes 7

Properties of Stream Ciphers Under known plaintext, chosen plaintext, or chosen ciphertext, the adversary knows the key stream (i.e., PRNG(key)) depends on strength of PRNG PRNG must be unpredictable Precise definition is foundation of modern crypto How to break a stream cipher in a brute-force way? If the same key stream is used twice, then easy to break. This is a fundamental weakness of stream ciphers; it exists even if the PRNG used in the ciphers is strong 8

Using Stream Ciphers in Practice In practice, one key is used to encrypt many messages Example: Wireless communication Solution: Use Initial vectors (IV). E key [M] = [IV, M PRNG(key IV)] IV is sent in clear to receiver; IV needs integrity protection, but not confidentiality protection IV ensures that key streams do not repeat, but does not increase cost of brute-force attacks Without key, knowing IV still cannot decrypt Need to ensure that IV never repeats! How? 9

Randomized vs. Deterministic Encryption Encryption can be randomized, i.e., same message, same key, running the encryption algorithm twice results in two different ciphertexts E.g, Enc k [m] = (r, PRNG[k r] m), i.e., the ciphertext includes two parts, a randomly generated r, and a second part Decryption is deterministic in the sense that For the same ciphertext and same key, running decryption algorithm twice always results in the same plaintext Each key induces a one-to-many mapping from plaintext space to ciphertext space Corollary: ciphertext space must be equal to or larger than plaintext space 10

Block Ciphers An n-bit plaintext is encrypted to an n-bit ciphertext P : {0,1} n C : {0,1} n K : {0,1} s E: K P C : E k : a permutation on {0,1} n D: K C P : D k is E k -1 Block size: n Key size: s 11

Data Encryption Standard (DES) Designed by IBM, with modifications proposed by the National Agency US national standard from 1977 to 2001 De facto standard Block size is 64 bits; Key size is 56 bits Has 16 rounds Designed mostly for hardware implementations Software implementation is somewhat slow Considered insecure now Vulnerable to brute-force attacks Triple DES: E k3 D k2 E K1 (M) has 112-bit strength, but slow 12

Advanced Encryption Standard Starting 1999: replace DES as the standard for block ciphers. Aka. Rijndael (invented by Joan Daemen and Vincent Rijmen) Designed to be efficient in both hardware and software across a variety of platforms. Block size: 128 bits Variable key size: 128, 192, or 256 bits. No known exploitable algorithmic weaknesses Implementation may be vulnerable to timing attacks (largely due to CPU s architecture of using cache) Intel now has AES-NI, CPU-based implementation for AES Timing-based side channel attacks no longer an issue 13

Need for Encryption Modes A block cipher encrypts only one block Needs a way to extend it to encrypt an arbitrarily long message Want to ensure that if the block cipher is secure, then the encryption is secure Aims at providing Semantic (IND-CPA) assuming that the underlying block ciphers are strong 14

Block Cipher Encryption Modes: ECB Message is broken into independent blocks; Electronic Code Book (ECB): each block encrypted separately. Encryption: c i = E k (x i ) Decrytion: x i = D k (c i ) 15

Properties of ECB Deterministic: the same data block gets encrypted the same way, reveals patterns of data when a data block repeats when the same key is used, the same message is encrypted the same way Usage: not recommended to encrypt more than one block of data 16

DES Encryption Modes: CBC Cipher Block Chaining (CBC): Uses a random Initial Vector (IV) Next input depends upon previous output Encryption: C i = E k (M i C i-1 ), with C 0 =IV Decryption: M i = C i-1 D k (C i ), with C 0 =IV M 1 M 2 M 3 IV E k E k E k C 0 C 1 C 2 C 3 17

Properties of CBC Randomized encryption: repeated text gets mapped to different encrypted data. IV must be randomly chosen to get this benefit Each ciphertext block depends on all preceding plaintext blocks. Usage: IV must be random, needs integrity but not confidentiality The IV is not secret (it is part of ciphertext) The adversary cannot control the IV 18

Encryption Modes: CTR Counter Mode (CTR): Defines a stream cipher using a block cipher Uses a random IV, known as the counter Encryption: C 0 =IV, C i =M i E k [IV+i] Decryption: IV=C 0, M i =C i E k [IV+i] M 1 M 2 M 3 IV IV+1 IV+2 IV+3 E k E k E k C 0 C 1 C 2 C 3 19

Properties of CTR Gives a stream cipher from a block cipher Randomized encryption: when starting counter is chosen randomly Random Access: encryption and decryption of a block can be done in random order, very useful for hard-disk encryption. E.g., when one block changes, re-encryption only needs to encrypt that block. In CBC, all later blocks also need to change 20

Encryption Schemes Commonly User RC4 (with new IV for each message) AES+ECB (Only in very restricted scenarios) AES+CBC AES+CTR Are they secure? We need probability theory to study that. 21

Begin Math 22

Random Variable Definition A discrete random variable, X, consists of a finite set X, and a probability distribution defined on X. The probability that the random variable X takes on the value x is denoted Pr[X =x]; sometimes, we will abbreviate this to Pr[x] if the random variable X is fixed. It must be that 0 x X Pr[ x] Pr[ x] 1 for all x X 23

Example of Random Variables Let random variable D 1 denote the outcome of throwing one die (with numbers 0 to 5 on the 6 sides) randomly, then D={0,1,2,3,4,5} and Pr[D 1 =i] = 1/6 for 0 i 5 Let random variable D 2 denote the outcome of throwing a second such die randomly Let random variable S 1 denote the sum of the two dice, then S ={0,1,2,,10}, and Pr[S 1 =0] = Pr[S 1 =10] = 1/36 Pr[S 1 =1] = Pr[S 1 =9] = 2/36 = 1/18 Let random variable S 2 denote the sum of the two dice modulo 6, what is the distribution of S 2? 24

Relationships between Two Random Variables Definitions Assume X and Y are two random variables, then we define: - joint probability: Pr[x, y] is the probability that X takes value x and Y takes value y. - conditional probability: Pr[x y] is the probability that X takes value x given that Y takes value y. Pr[x y] = Pr[x, y] / Pr[y] - independent random variables: X and Y are said to be independent if Pr[x,y] = Pr[x]P[y], for all x X and all y Y. 25

Examples Joint probability of D 1 and D 2 for 0 i,j 5, Pr[D 1 =i, D 2 =j] =? Are D 1 and D 2 independent? Suppose D 1 is plaintext and D 2 is key, and S 1 and S 2 are ciphertexts of two different ciphers, which cipher would you use? 26

Examples to think after class What is the joint probability of D 1 and S 1? What is the joint probability of D 2 and S 2? What is the conditional probability Pr[S 1 =s D 1 =i] for 0 i 5 and 0 s 10? What is the conditional probability Pr[D 1 =i S 2 =s] for 0 i 5 and 0 s 5? Are D 1 and S 1 independent? Are D 1 and S 2 independent? 27

28 Bayes Theorem If P[y] > 0 then Corollary X and Y are independent random variables iff P[x y] = P[x], for all x X and all y Y. Example: What is Pr[D 1 =1 S 1 =3]? ] [ ] [ ] [ ] [ y P x y P x P y x P X x X x x y p x P y x P y P ] [ ] [ ], [ ] [

End Math 29

Shannon (Information-Theoretic) = Perfect Secrecy Basic Idea: Ciphertext should reveal no information about Plaintext Intuition: Ciphertext should be independent from the plaintext That is, message m, ciphertext c Pr [PT=m CT=c] = Pr [PT = m] Pr[CT=c] Or, equivalently message m1, m2, ciphertext c Pr [CT=c PT = m1] = Pr [CT = c PT = m2] 30

Example for Information Theoretical Consider an example of encrypting the result of a 6-side dice (1 to 6). Method 1: randomly generate K=[1..6], ciphertext is result + K. What is plaintext distribution? After seeing that the ciphertext is 3, what could be the plaintext. After seeing that the ciphertext is 12, what could be the plaintext? Method 2: randomly generate K=[1..6], ciphertext is (result + K) mod 6. Same questions. Can one do a brute-force attack? 31

Perfect Secrecy Fact: When keys are uniformly chosen in a cipher, the cipher has perfect secrecy iff. the number of keys encrypting M to C is the same for any (M,C) This implies that c m 1 m 2 Pr[CT=c PT=m 1 ] = Pr[CT=c PT=m 2 ] One-time pad has perfect secrecy when limited to messages over the same length (Proof?) 32

The Bad News Theorem for Perfect Secrecy Question: OTP requires key as long as messages, is this an inherent requirement for achieving perfect secrecy? Answer. Yes. Perfect secrecy implies that key-length msg-length Proof: Plaintext space Cipherttext space Implication: Perfect secrecy difficult to achieve in practice 33

Towards Computational Perfect secrecy is too difficult to achieve. Computational security uses two relaxations: is preserved only against efficient (computationally bounded) adversaries Adversary can only run in feasible amount of time Adversaries can potentially succeed with some very small probability (that we can ignore the case it actually happens) 34

Defining Desire semantic security, i.e., having access to the ciphertext does not help adversary to compute any function of the plaintext. Difficult to use Equivalent notion: Adversary cannot distinguish between the ciphertexts of two plaintexts 35

Towards IND-CPA : Ciphertext Indistinguishability under a Chosen-Plaintext Attack: Define the following IND-CPA experiment : Involving an Adversary and a Challenger Instantiated with an Adversary algorithm A, and an encryption scheme = (Gen, Enc, Dec) Challenger k Gen() b R {0,1} Enc k [] m 0, m 1 C=Enc k [m b ] b {0,1} Adversary wins if b=b Adversary chooses m 0, m 1 M 36

The IND-CPA Experiment Explained A k is generated by Gen() Adversary is given oracle access to Enc k ( ), Oracle access: one gets its question answered without knowing any additional information Adversary outputs a pair of equal-length messages m 0 and m 1 A random bit b is chosen, and adversary is given Enc k (m b ) Called the challenge ciphertext Adversary does any computation it wants, while still having oracle access to Enc k ( ), and outputs b Adversary wins if b=b 37

Intuition of IND-CPA security Perfect secrecy means that any plaintext is encrypted to a given ciphertext with the same probability, i.e., given any pair of M 0 and M 1, the probabilities that they are encrypted into a ciphertext C are the same Hence no adversary can tell whether C is ciphertext of M 0 or M 1. IND-CPA means With bounded computational resources, the adversary cannot tell which of M 0 and M 1 is encrypted in C 38

Computational vs. Information Theoretic If a cipher has only computational security, then it can be broken by a brute force attack, e.g., enumerating all possible keys Weak algorithms can be broken with much less time How to prove computational security? Assume that some problems are hard (requires a lot of computational resources to solve), then show that breaking security means solving the problem Computational security is foundation of modern cryptography. 39

of Ciphers Stream ciphers can be used to achieve IND-CPA security when the underlying PRNG is cryptographically strong ECB does not have semantic security How to break the semantic security (IND-CPA) of a block cipher with ECB? CBC is proven to provide IND-CPA assuming that the block cipher is secure and that IV s are randomly chosen CTR is proven IND-CPA secure assuming that block cipher is secure and that IV s are randomly chosen 40

Coming Attractions Cryptography: Message Authentication Code and Cryptographic Hash Functions 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback