Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Similar documents
Information Security CS526

Information Security CS526

symmetric cryptography s642 computer security adam everspaugh

CSE 127: Computer Security Cryptography. Kirill Levchenko

1 Achieving IND-CPA security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSC 474/574 Information Systems Security

COMP4109 : Applied Cryptography

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Lecture 1 Applied Cryptography (Part 1)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Some Aspects of Block Ciphers

CPSC 467b: Cryptography and Computer Security

Symmetric Cryptography

Practical Aspects of Modern Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

symmetric cryptography s642 computer security adam everspaugh

Computer Security CS 526

David Wetherall, with some slides from Radia Perlman s security lectures.

Goals of Modern Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Stream Ciphers An Overview

Unit 8 Review. Secure your network! CS144, Stanford University

CPSC 467b: Cryptography and Computer Security

Lecture 6 - Cryptography

CSC 580 Cryptography and Computer Security

Introduction to Cryptography. Lecture 3

7. Symmetric encryption. symmetric cryptography 1

CPS2323. Symmetric Ciphers: Stream Ciphers

Cryptography 2017 Lecture 3

ISA 562: Information Security, Theory and Practice. Lecture 1

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSC 774 Network Security

Cryptographic Hash Functions

Stream Ciphers. Stream Ciphers 1

Lecture 1: Perfect Security

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Winter 2011 Josh Benaloh Brian LaMacchia

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Message Authentication Codes and Cryptographic Hash Functions

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography [Symmetric Encryption]

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Introduction to Cryptography. Lecture 6

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

n-bit Output Feedback

Cryptographic hash functions and MACs

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Solutions to exam in Cryptography December 17, 2013

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Encryption. INST 346, Section 0201 April 3, 2018

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to Cryptography. Lecture 1. Benny Pinkas. Administrative Details. Bibliography. In the Library

Introduction to Cryptography. Lecture 1

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Data Integrity & Authentication. Message Authentication Codes (MACs)

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Computer Security: Principles and Practice

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Data Integrity. Modified by: Dr. Ramzi Saifan

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CPSC 467: Cryptography and Computer Security

Computers and Security

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Lecture 2: Secret Key Cryptography

Security. Communication security. System Security

CS155. Cryptography Overview

Data Integrity & Authentication. Message Authentication Codes (MACs)

Block ciphers, stream ciphers

Security: Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Scanned by CamScanner

CSC/ECE 774 Advanced Network Security

CS408 Cryptography & Internet Security

2.1 Basic Cryptography Concepts

Study Guide to Mideterm Exam

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Lecture 4: Authentication and Hashing

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Content of this part

Lecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels

Classical Cryptography. Thierry Sans

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Some Stuff About Crypto

Introduction to Cryptography. Lecture 3

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

RSA. Public Key CryptoSystem

ENEE 459-C Computer Security. Message authentication

Transcription:

Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi

Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C) C = E K (M) K Key exchange protocol K

Cryptography: Introduction Early history ( - early 70s): Synonymous with secret communication. Restricted to Military and Nobility. More of art than rigorous science. Design protocol Protocol broken

Cryptography: Introduction Early history ( - early 70s): Synonymous with secret communication. Restricted to Military and Nobility. More of art than rigorous science. Design protocol Protocol broken Modern Cryptography: Digital signatures, e-cash, secure computation, e-voting Touches most aspects of modern lifestyle. Rigorous science: Reason about security of protocols.

Cryptography: Provable security Factoring Discrete log AES MD5 Protocol Construction Protocol

Cryptography: Provable security Factoring Discrete log AES MD5 Protocol Construction Protocol We would like to argue: If the basic primitive/problem is secure/hard, then the constructed protocol is secure

Cryptography: Provable security Factoring Discrete log AES MD5 Protocol Construction Protocol :If there is an adversary that successfully attacks the protocol, then there is another adversary that successfully attacks/solves at least one of the basic primitives/problems.

Secure Communication

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Ceaser Cipher): Substitute each letter with the letter that is the αth letter after the letter in the sequence AB...Z Example (α = 2): SEND TROOPS

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Ceaser Cipher): Substitute each letter with the letter that is the αth letter after the letter in the sequence AB...Z Example (α = 2): SEND TROOPS UGPF VTQQRU

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Ceaser Cipher): Substitute each letter with the letter that is the αth letter after the letter in the sequence AB...Z Security was based on the fact that the encryption algorithm was a secret (Security through obscurity)

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Ceaser Cipher): Substitute each letter with the letter that is the αth letter after the letter in the sequence AB...Z Security was based on the fact that the encryption algorithm was a secret (Security through obscurity) - Should be avoided at all cost! - Algorithm should be public and security should come from secret keys.

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Ceaser Cipher): Substitute each letter with the letter that is the αth letter after the letter in the sequence AB...Z Suppose we make the algorithm public and use the secret key as α. Can you break this protocol?

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Substitution Cipher): Let π be a permutation of the English letters. Substitute each letter α with the letter π α. π acts as the secret key. Example: Let π A = U, π B = T, π C = P, then encryption of CAB is PUT.

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Substitution Cipher): Let π be a permutation of the English letters. Substitute each letter α with the letter π α. π acts as the secret key. Question: How much space you need to use to store the secret key?

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Substitution Cipher): Let π be a permutation of the English letters. Substitute each letter α with the letter π α. π acts as the secret key. Consider a brute-force attack where you try to guess the secret key. Is such an attack feasible?

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Substitution Cipher): Let π be a permutation of the English letters. Substitute each letter α with the letter π α. Can you break this scheme?

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (Substitution Cipher): Let π be a permutation of the English letters. Substitute each letter α with the letter π α. Attack idea: E s occur more frequently than X s

Secure communication Frequency of letters in typical English sentences.

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (One Time Pad(OTP)):Let the message M be an n binary string. Let K be an n bit binary string that is used as a secret key.add M and K modulo 2 to get the ciphertext. Example: M = 1101, K = 0101, then C = M + K (mod 2) = M K = 1000

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Simple idea (One Time Pad(OTP)):Let the message M be an n binary string. Let K be an n bit binary string that is used as a secret key.add M and K modulo 2 to get the Ciphertext. Can you break this scheme?

Secure communication Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication. Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. Given the ciphertext, all messages are equally likely to be the secret message

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. One Time Pad (OTP): The Keyspace is 0, 1 n. E K M = K M D K C = K C For any messages M 0, M 1 and ciphertext C: Pr E K M 0 = C = Pr E K M 1 = C =??

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. One Time Pad (OTP): The Keyspace is 0, 1 n. E K M = K M D K C = K C For any messages M 0, M 1 and ciphertext C: Pr E K M 0 = C = Pr E K M 1 = C = 1/2 n

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. One Time Pad (OTP): The Keyspace is 0, 1 n. E K M = K M D K C = K C For any messages M 0, M 1 and ciphertext C: Pr E K M 0 = C = Pr E K M 1 = C = 1/2 n Disadvantage: Key is as long as the message.

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. One Time Pad (OTP): The Keyspace is 0, 1 n. E K M = K M D K C = K C For any messages M 0, M 1 and ciphertext C: Pr E K M 0 = C = Pr E K M 1 = C = 1/2 n Disadvantage: Key is as long as the message. Fact: If M > K, then no scheme is perfectly secure.

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. Fact: If M > K, then no scheme is perfectly secure. How do we get around this problem?

Secure communication Perfect Secrecy (Information Theoretic Security): Let the message space be 0,1 n. For any two message M 0, M 1, and Ciphertext C Pr E K M 0 = C = Pr E K M 1 = C where the probability is over uniformly random K in the Keyspace. Fact: If M > K, then no scheme is perfectly secure. How do we get around this problem? Relax our notion of security: Instead of saying it is impossible to break the scheme, we would like to say it is computationally infeasible to break the scheme.

Pseudorandom generator Suppose there was a generator that stretches random bits. 001101011 00101001001010010100101011 Idea: Choose a short key K randomly. Obtain K = G(K). Use K as key for the one time pad. Issue:? G

Pseudorandom generator Suppose there was a generator that stretches random bits. 001101011 00101001001010010100101011 G Idea: Choose a short key K randomly. Obtain K = G(K). Use K as key for the one time pad. Issue: Such a generator is not possible! Any such generator produces a longer string but the string is not random.

Pseudorandom generator Suppose there was a generator that stretches random bits. 001101011 00101001001010010100101011 G Idea: Choose a short key K randomly. Obtain K = G(K). Use K as key for the one time pad. Issue: Such a generator is not possible! Any such generator produces a longer string but the string is not random. What if we can argue that the output of the generator is computationally indistinguishable from truly random string.

Stream Ciphers Pseudorandom generators

Stream Ciphers: Pseudorandom generators A pseudorandom generator (PRG) is a function: G: 0, 1 s 0, 1 n, n s such that G x appears to be a random n bit string. The input to the generator is called the seed. St[0] M R[1] St M St St[1] M R[2] St[1] R M R[3]

Stream Ciphers: Pseudorandom generators A pseudorandom generator (PRG) is a function: G: 0, 1 s 0, 1 n, n s such that G x appears to be a random n bit string. Let us see if we can rule out some popular random generators based on this intuitive understanding of PRG: Linear Congruential Generator (LCG): parameters m, a, c: R n = a R n 1 + c (mod m), the seed is R 0 and the output is R 1 R 2 R 3 This has some nice statistical properties but it is predictable. Never use such predictable random number generators for Cryptography.

Stream Ciphers: Pseudorandom generators Let us see if we can rule out some popular random generators based on this intuitive understanding of PRG: Linear Congruential Generator(LCG): RC4: Used in SSL and WEP K (128 bits) Seed used as secret key

Stream Ciphers How do we use a stream cipher? M PRG(K) M PRG(K) What is the issue with this idea? What if there are more than one message that you want to encrypt?

Stream Ciphers How do we use a stream cipher? M PRG(K) M PRG(K) What is the issue with this idea? What if there are more than one message that you want to encrypt? Key reusability should always be avoided when using stream ciphers.

Stream Ciphers How do we use a stream cipher? Another idea: This is actually used in 128 bit WEP where IV = 24 and K = 104. M RC4(IV K) IV M RC4(IV K) What is the issue with the above protocol? The IV gets repeated after 2 24 frames. In some 802.11 cards, the IV is set to 0 after every power cycle.

Stream Ciphers How do we use a stream cipher? Another idea: This is actually used in 128 bit WEP where IV = 24 and K = 104. M RC4(IV K) IV M RC4(IV K) What is the issue with the above protocol? The IV gets repeated after 2 24 frames. In some 802.11 cards, the IV is set to 0 after every power cycle. Related key attack: IV is incremented by 1 for each frame. So, the key though different, are very similar and one may use the correlation property to attack.

Stream Ciphers How do we use a stream cipher? Another idea: This is actually used in 128 bit WEP where IV = 24 and K = 104. M RC4(IV K) IV M RC4(IV K) 128 bit WEP is insecure. DO NOT USE! There are attacks that will figure out your secret key in less than a minute. Check out aircrack-ptw.

Stream Ciphers How do we use a stream cipher? Another idea: This is actually used in 128 bit WEP where IV = 24 and K = 104. M RC4(IV K) IV M RC4(IV K) So what is the fix? How do we use PRGs like RC4? Throw away initial few bytes of RC4 output. Use unrelated keys.

Stream Ciphers: Pseudorandom generators Linear Feedback Shift Registers (LFSR): Fast hardware implementation. Examples: DVD encryption (CSS), GSM encryption (A5/1,2). Is this generator predictable? taps Register Output Feedback Feedback function

Stream Ciphers: Pseudorandom generators Linear Feedback Shift Registers (LFSR): Fast hardware implementation. Examples: DVD encryption (CSS), GSM encryption (A5/1,2). Is this generator predictable? Yes. One solution that is used in practice is to use a combination of multiple LFSRs. taps Register Output Feedback Feedback function

Block Ciphers

Block Ciphers Block ciphers work on blocks of message bits rather than a stream of message bits. Main Idea: Suppose we encrypt in blocks of size n. Let E: 0,1 k 0,1 n 0,1 n be a function. For a message block M of n bits, and key K, the ciphertext is given by C = E(K, M).

Block Ciphers Block ciphers work on blocks of message bits rather than a stream of message bits. Main Idea: Suppose we encrypt in blocks of size n. Let E: 0,1 k 0,1 n 0,1 n be a function. For a message block M of n bits, and key K, the ciphertext is given by C = E(K, M). What are properties that E should satisfy?

Block Ciphers Block ciphers work on blocks of message bits rather than a stream of message bits. Main Idea: Suppose we encrypt in blocks of size n. Let E: 0,1 k 0,1 n 0,1 n be a function. For a message block M of n bits, and key K, the ciphertext is given by C = E(K, M). What are properties that E should satisfy? For all K 0,1 k, the function E K : 0,1 n 0,1 n defined as E K M = E K, M is a one-one function. In other words, E K is a permutation.

Block Ciphers Block ciphers work on blocks of message bits rather than a stream of message bits. Main Idea: Suppose we encrypt in blocks of size n. Let E: 0,1 k 0,1 n 0,1 n be a function. For a message block M of n bits, and key K, the ciphertext is given by C = E(K, M). What are properties that E should satisfy? For all K 0,1 k, the function E K : 0,1 n 0,1 n defined as E K M = E K, M is a one-one function. In other words, E K is a permutation. Both E K (encryption function) and E K 1 (decryption function) are efficient. E should be computationally indistinguishable from a random permutation.

ECB Mode: Electronic Codebook Mode M M 1 M 2 M 3 K E K E K E C 1 C 2 C 3 C C 1 C 2 C 3 Is the encryption scheme using the ECM mode secure?

ECB Mode: Electronic Codebook Mode

CTRC Mode < ctr + 1 > < ctr + 2 > < ctr + m > E K E K E K M 1 M 2 M m C 1 C 2 C m The encryption algorithm maintains a counter ctr that is initialized to 0. For a m block message M 1,, M m the ciphertext C 0, C 1, C m is sent where C 0 = ctr.

CBC$ Mode M 1 M 2 M m F F F $ C 0 C 1 C 2 C m C 0 is chosen randomly from 0,1 n. The ciphertext corresponding to M 1,, M m is C 0, C 1,, C m. E K needs to be a block cipher (i.e., it should be invertible).

Key Distribution/Exchange K K How do Alice and Bob share a secret key in the first place?

Public key cryptography Generate a pair of related keys. One is called public key and other the secret key. Examples: RSA, El-gamal (using number theory you learnt in Discrete Math).

Hash Functions

Hash Functions: Introduction A hash function is a map h: D 0,1 n that is compressing, i.e., D > 2 n. Usually D 2 n and n is small. Example: D = 0,1 264 i.e., all binary strings of length at most 2 64. n = 128, 160, 256 etc. Examples of Cryptographic Hash Functions: h n MD4 128 MD5 128 SHA1 160 SHA-256 256 SHA-512 512 WHIRLPOOL 512

Hash Functions: Collision x 1 h D x 2 2 n Pigeonhole Principle: h(x 1 ) = h(x 2 ), x 1 x 2

Hash Functions: Applications 1. Password Authentication: Bob, <pass> S stores Bob s password Pass/fail Bob Server Problem: If Eve hacks into the server or if the communication channel is not secure, then Eve knows the password of Bob.

Hash Functions: Applications 1. Password Authentication: Bob, h(<pass>) S stores h(bob s password) Pass/fail Bob Server Eve can only get access to h(<pass>).

Hash Functions: Applications 2. Comparing files by hashing: S has F A F A S has F B Yes/No Server A Server B Problem: Files are usually very large and we would like to save communication costs/delays.

Hash Functions: Applications 2. Comparing files by hashing: S has F A h(fa) S has F B h F A =? h(f B ) Server A Server B

Hash Functions: Applications 3. Downloading new software Give me software X Stores X X Web Server Problem: X could be a virus-infected version of X.

Hash Functions: Applications 3. Downloading new software Stores X, Also stores h(x) in read-only mode Give me software X X, h(x) Web Server

Collision Resistance Password Authentication: If Eve is able to find a string S (perhaps different from < pass >) such that h(s) = h(< pass >) then the scheme breaks. Comparing files: If there is a different file F S such that h(fs) = h(fb) the servers may agree incorrectly. Downloading software: If Eve can find X X such that h X = h(x ), then software might cause problems. Collision Resistance: It is computationally infeasible to find a pair (x 1, x 2 ) such that x 1 x 2 and h(x 1 ) = h(x 2 ) If a hash function h is collision resistant, then the above two problems are avoided.

Collision Resistance: Discussion Are there functions that are collision resistant? Fortunately, there are functions for which no one has been able to find a collision! Example: SHA 1: 0,1 D {0,1} 160 Is the world drastically going to change if someone finds one or few collision for SHA-1? Not really. Suppose the collision has some very specific structure, then we may avoid such structures in the strings on which the hash function is applied. On the other hand, if no one finds a collision then that is a very strong notion of security and we may sleep peacefully without worrying about maintaining complicated structures in the strings. We are once again going for a very strong definition of security for our new primitive similar to Block Ciphers and Symmetric Encryption.

End

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback