Symmetric Cryptography

Similar documents
Cryptography (cont.)

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography [Symmetric Encryption]

Cryptography: Symmetric Encryption [continued]

Symmetric Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Software Security Design Principles + Intro to Crypto

Software Security and Intro to Cryptography

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Block ciphers, stream ciphers

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Introduction to Cryptography (cont.)

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Symmetric-Key Cryptography

Cryptography 2017 Lecture 3

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Scanned by CamScanner

CSE 127: Computer Security Cryptography. Kirill Levchenko

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

symmetric cryptography s642 computer security adam everspaugh

Web Security Symmetric Encryption & Authentication

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Feedback Week 4 - Problem Set

Cryptology complementary. Symmetric modes of operation

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Block Cipher Operation. CS 6313 Fall ASU

Computer Security CS 526

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

ECE 646 Lecture 8. Modes of operation of block ciphers

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography. Lecture 3

1 Achieving IND-CPA security

User Authentication + Other Human Aspects

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Solutions to exam in Cryptography December 17, 2013

Information Security CS526

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to cryptology (GBIN8U16)

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

CPSC 467: Cryptography and Computer Security

Symmetric Encryption 2: Integrity

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Defining Encryption. Lecture 2. Simulation & Indistinguishability

COMP4109 : Applied Cryptography

Lecture 15: Public Key Encryption: I

Winter 2011 Josh Benaloh Brian LaMacchia

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Crypto: Symmetric-Key Cryptography

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Lecture 1 Applied Cryptography (Part 1)

Crypto meets Web Security: Certificates and SSL/TLS

Lecture 07: Private-key Encryption. Private-key Encryption

CS155. Cryptography Overview

Some Aspects of Block Ciphers

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptographic Hash Functions. *Slides borrowed from Vitaly Shmatikov

Introduction to Symmetric Cryptography

Introduction to Cryptography. Lecture 3

CSE484 Final Study Guide

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Using block ciphers 1

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Practical Aspects of Modern Cryptography

symmetric cryptography s642 computer security adam everspaugh

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CPSC 467: Cryptography and Computer Security

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Permutation-based Authenticated Encryption

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Stream Ciphers An Overview

CS 161 Computer Security

Cryptography. Andreas Hülsing. 6 September 2016

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Symmetric Crypto MAC. Pierre-Alain Fouque

CS155. Cryptography Overview

User Authentication + Human Aspects

COMP4109 : Applied Cryptography

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Introduction to Cryptography. Lecture 6

Cryptography Functions

Authenticated Encryption

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Computational Security, Stream and Block Cipher Functions

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

1 Defining Message authentication

INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

Content of this part

Unit 8 Review. Secure your network! CS144, Stanford University

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Refresher: Applied Cryptography

Message authentication codes

Transcription:

CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Goals for Today Under the hood: Symmetric encryption

Encrypting a Large Message So, we ve got a good, but our plaintext is larger than 128-bit size Electronic Code Book (ECB) mode Split plaintext into s, encrypt each one separately using the Cipher Block Chaining (CBC) mode Split plaintext into s, XOR each with the result of encrypting previous s Counter (CTR) mode Use to generate keystream, like a stream...

ECB Mode plaintext text Identical s of plaintext produce identical s of text No integrity checks: can mix and match s

CBC Mode: Encryption plaintext Initialization vector (random) text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity

CBC Mode: Decryption plaintext Initialization vector decrypt decrypt decrypt decrypt text

ECB vs. CBC [Picture due to Bart Preneel] AES in ECB mode AES in CBC mode Similar plaintext s produce similar text s (not good!)

Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode

CBC and Electronic Voting plaintext Initialization vector (supposed to be random) DES DES DES DES text Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_*)tmp, (des_c_*)record.m_data, totalsize, DESKEY, NULL, DES_ENCRYPT)

CTR Mode: Encryption Initial ctr (random) ctr ctr+1 ctr+2 ctr+3 pt pt pt pt text Identical s of plaintext encrypted differently Still does not guarantee integrity Fragile if ctr repeats

CTR Mode: Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 ct ct ct ct pt pt pt pt

When Is a Cipher Secure? Hard to recover the key? What if attacker can learn plaintext without learning the key? Hard to recover plaintext from text? What if attacker learns some bits or some function of bits? Fixed mapping from plaintexts to texts? What if attacker sees two identical texts and infers that the corresponding plaintexts are identical? Implication: encryption must be randomized or stateful

How Can a Cipher Be Attacked? Assume that the attacker knows the encryption algorithm and wants to decrypt some text Main question: what else does attacker know? Depends on the application in which is used! Ciphertext-only attack Known-plaintext attack (stronger) Knows some plaintext-text pairs Chosen-plaintext attack (even stronger) Can obtain text for any plaintext of his choice Chosen-text attack (very strong) Can decrypt any text except the target Sometimes very realistic model

Defining Security (Not Required) Attacker does not know the key He chooses as many plaintexts as he wants, and learns the corresponding texts When ready, he picks two plaintexts M 0 and M 1 He is even allowed to pick plaintexts for which he previously learned texts! He receives either a text of M 0, or a text of M 1 He wins if he guesses correctly which one it is

Defining Security (Not Required) Idea: attacker should not be able to learn even a single bit of the encrypted plaintext Define Enc(M 0,M 1,b) to be a function that returns encrypted M 0 or 1 b Given two plaintexts, Enc returns a text of one or the other depending on the value of bit b Think of Enc as a magic box that computes texts on attacker s demand. He can obtain a text of any plaintext M by submitting M 0 =M 1 =M, or he can try to learn even more by submitting M 0 M 1. Attacker s goal is to learn just one bit b

Chosen-Plaintext Security (Not Required) Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) and outputs bit d A interacts with Enc(-,-,1) and outputs bit d Identical except for the value of the secret bit d is attacker s guess of the secret bit Attacker s advantage is defined as If A knows secret bit, he should be able to make his output depend on it Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A

Simple Example (Not Required) Any deterministic, stateless symmetric encryption scheme is insecure Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts This includes ECB mode of common s! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C 1 Enc(X,Y,b); C 2 Enc(Y,Y,b); If C 1 =C 2 then b=1 else say b=0 The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1

Why Hide Everything? Leaking even a little bit of information about the plaintext can be disastrous Electronic voting 2 candidates on the ballot (1 bit to encode the vote) If text leaks the parity bit of the encrypted plaintext, eavesdropper learns the entire vote D-Day: Pas-de-Calais or Normandy? Allies convinced Germans that invasion will take place at Pas-de-Calais Dummy landing craft, feed information to double spies Goal: hide a 1-bit secret Also, want a strong definition, that implies others

Birthday attacks Are there two people in the first 1/3 of this classroom that have the same birthday? Yes? No? Experiment

Birthday attacks Why is this important for cryptography? 365 days in a year (366 some years) Pick one person. To find another person with same birthday would take on the order of 365/2 = 182.5 people Expect collision -- two people with same birthday -- with a room of only 23 people For simplicity, approximate when we expect a collision as the square root of 365. 2 128 different 128-bit keys Pick one key at random. To exhaustively search for this key requires trying on average 2 127 keys. Expect a collision after selecting approximately 2 64 random keys. 64 bits of security against collision attacks, not 128 bits.

Achieving Privacy (Symmetric) Encryption schemes: A tool for protecting privacy. M Encrypt C Decrypt M K K Alice K Message.......... Ciphertext....... M C Adversary Bob K

Achieving Integrity (Symmetric) Message authentication schemes: A tool for protecting integrity. (Also called message authentication codes or MACs.) M MAC T (M,T) Verify valid/ invalid K K Alice K Message.......... M Tag................ T Adversary Bob K

CBC Mode: Encryption plaintext Initialization vector (random) text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity

CBC-MAC plaintext TAG Not secure when system may MAC messages of different lengths. Encode length at beginning: Whiteboard example Use a derivative called CMAC Internal collisions and birthday attacks: Whiteboard example

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback