Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Similar documents
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography [Symmetric Encryption]

Cryptography: Symmetric Encryption [continued]

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Symmetric Cryptography

Cryptography (cont.)

Symmetric Cryptography

Lecture 1 Applied Cryptography (Part 1)

Crypto meets Web Security: Certificates and SSL/TLS

Winter 2011 Josh Benaloh Brian LaMacchia

Software Security and Intro to Cryptography

Symmetric-Key Cryptography

CSE 484 / CSE M 584: Computer Security and Privacy. Usable Security. Fall Franziska (Franzi) Roesner

Cryptographic Hash Functions. *Slides borrowed from Vitaly Shmatikov

CSE 127: Computer Security Cryptography. Kirill Levchenko

Software Security Design Principles + Intro to Crypto

Cryptographic hash functions and MACs

symmetric cryptography s642 computer security adam everspaugh

Symmetric Encryption 2: Integrity

Introduction to Cryptography. Lecture 6

Scanned by CamScanner

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Introduction to Cryptography (cont.)

Integrity of messages

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptographic Hash Functions

Practical Aspects of Modern Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS 161 Computer Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Software Security: Buffer Overflow Defenses

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

CS155. Cryptography Overview

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Data Integrity & Authentication. Message Authentication Codes (MACs)

Computational Security, Stream and Block Cipher Functions

Data Integrity & Authentication. Message Authentication Codes (MACs)

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Data Integrity. Modified by: Dr. Ramzi Saifan

S. Erfani, ECE Dept., University of Windsor Network Security

Computer Security CS 526

CS 161 Computer Security

Ref:

Computer Security: Principles and Practice

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Block ciphers, stream ciphers

CSC574: Computer & Network Security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

ENEE 459-C Computer Security. Message authentication

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

CS408 Cryptography & Internet Security

Cryptography 2017 Lecture 3

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Solutions to exam in Cryptography December 17, 2013

1 Achieving IND-CPA security

Cryptology complementary. Symmetric modes of operation

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Summary on Crypto Primitives and Protocols

CS155. Cryptography Overview

CIS 4360 Secure Computer Systems Symmetric Cryptography

Symmetric Crypto MAC. Pierre-Alain Fouque

Information Security CS526

Lecture 4: Authentication and Hashing

Jaap van Ginkel Security of Systems and Networks

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to cryptology (GBIN8U16)

ECE 646 Lecture 8. Modes of operation of block ciphers

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Web Security: Loose Ends

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Web Security Symmetric Encryption & Authentication

Lecture 4: Symmetric Key Encryption

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Feedback Week 4 - Problem Set

Refresher: Applied Cryptography

Crypto: Symmetric-Key Cryptography

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Symmetric Encryption. Thierry Sans

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Content of this part

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Crypto Background & Concepts SGX Software Attestation

Software Security: Misc and Principles

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Software Security: Buffer Overflow Attacks (continued)

CSE484 Final Study Guide

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Recap: Block Ciphers Operates on a single chunk ( ) of plaintext For example, 64 bits for DES, 128 bits for AES Each key defines a different permutation Same key is reused for each (can use short keys) Plaintext Key Ciphertext 4/18/16 CSE 484 / CSE M 584 - Spring 2016 2

Electronic Code Book (ECB) Mode plaintext key key key key key text Identical s of plaintext produce identical s of text No integrity checks: can mix and match s 4/18/16 CSE 484 / CSE M 584 - Spring 2016 3

Cipher Block Chaining (CBC) Mode: Encryption plaintext Initialization vector (random) key key key key Sent with text (preferably encrypted) text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity 4/18/16 CSE 484 / CSE M 584 - Spring 2016 4

CBC Mode: Decryption plaintext Initialization vector key key key key decrypt decrypt decrypt decrypt text 4/18/16 CSE 484 / CSE M 584 - Spring 2016 5

ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext s produce similar text s (not good!) [Picture due to Bart Preneel] 4/18/16 CSE 484 / CSE M 584 - Spring 2016 slide 6 6

CBC and Electronic Voting plaintext Initialization vector (supposed to be random) key key key key DES DES DES DES text Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_*)tmp, (des_c_*)record.m_data, totalsize, DESKEY, NULL, DES_ENCRYPT) 4/18/16 CSE 484 / CSE M 584 - Spring 2016 7

Counter Mode (CTR): Encryption Initial ctr (random) ctr ctr+1 ctr+2 ctr+3 Key Key Key Key pt pt pt pt text Identical s of plaintext encrypted differently Can compute in parallel (unlike CBC) Still does not guarantee integrity; Fragile if ctr repeats 4/18/16 CSE 484 / CSE M 584 - Spring 2016 8

Counter Mode (CTR): Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 Key Key Key Key ct ct ct ct pt pt pt pt 4/18/16 CSE 484 / CSE M 584 - Spring 2016 9

When is an Encryption Scheme Secure? Hard to recover the key? What if attacker can learn plaintext without learning the key? Hard to recover plaintext from text? What if attacker learns some bits or some function of bits? Fixed mapping from plaintexts to texts? What if attacker sees two identical texts and infers that the corresponding plaintexts are identical? Implication: encryption must be randomized or stateful 4/18/16 CSE 484 / CSE M 584 - Spring 2016 10

How Can a Cipher Be Attacked? Attackers knows text and encryption algthm What else does the attacker know? Depends on the application in which the is used! Ciphertext-only attack KPA: Known-plaintext attack (stronger) Knows some plaintext-text pairs CPA: Chosen-plaintext attack (even stronger) Can obtain text for any plaintext of his choice CCA: Chosen-text attack (very strong) Can decrypt any text except the target 4/18/16 CSE 484 / CSE M 584 - Spring 2016 11

Chosen Plaintext Attack (key,pin) PIN is encrypted and transmitted to bank Crook #1 changes his PIN to a number of his choice Crook #2 eavesdrops on the wire and learns text corresponding to chosen plaintext PIN repeat for any PIN value 4/18/16 CSE 484 / CSE M 584 - Spring 2016 12

Very Informal Intuition Minimum security requirement for a modern encryption scheme Security against chosen-plaintext attack (CPA) Ciphertext leaks no information about the plaintext Even if the attacker correctly guesses the plaintext, he cannot verify his guess Every text is unique, encrypting same message twice produces completely different texts Security against chosen-text attack (CCA) Integrity protection it is not possible to change the plaintext by modifying the text 4/18/16 CSE 484 / CSE M 584 - Spring 2016 13

Why Hide Everything? Leaking even a little bit of information about the plaintext can be disastrous Electronic voting 2 candidates on the ballot (1 bit to encode the vote) If text leaks the parity bit of the encrypted plaintext, eavesdropper learns the entire vote Also, want a strong definition, that implies other definitions (like not being able to obtain key) 4/18/16 CSE 484 / CSE M 584 - Spring 2016 14

Message Authentication Codes 4/18/16 CSE 484 / CSE M 584 - Spring 2016 15

So Far: Achieving Privacy Encryption schemes: A tool for protecting privacy. M Encrypt C Decrypt M Alice K K Message = M Ciphertext = C Adversary K Bob K 4/18/16 CSE 484 / CSE M 584 - Spring 2016 16

Now: Achieving Integrity Message authentication schemes: A tool for protecting integrity. KEY MAC: message authentication code (sometimes called a tag ) KEY message, MAC(KEY,message) Alice message? = Bob Recomputes MAC and verifies whether it is equal to the MAC attached to the message Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message. 4/18/16 CSE 484 / CSE M 584 - Spring 2016 17

Reminder: CBC Mode Encryption plaintext Initialization vector (random) key key key key text Identical s of plaintext encrypted differently Last depends on entire plaintext Still does not guarantee integrity 4/18/16 CSE 484 / CSE M 584 - Spring 2016 18

CBC-MAC plaintext key key key key TAG Not secure when system may MAC messages of different lengths. NIST recommends a derivative called CMAC [FYI only] 4/18/16 CSE 484 / CSE M 584 - Spring 2016 19

Hash Functions 4/18/16 CSE 484 / CSE M 584 - Spring 2016 20

Hash Functions: Main Idea x message. x.. x hash function H message digest.. y y bit strings of any length n-bit bit strings Hash function H is a lossy compression function Collision: h(x)=h(x ) for distinct inputs x, x H(x) should look random Every bit (almost) equally likely to be 0 or 1 Cryptographic hash function needs a few properties 4/18/16 CSE 484 / CSE M 584 - Spring 2016 21

Property 1: One-Way Intuition: hash should be hard to invert Preimage resistance Let h(x ) = y {0,1} n for a random x Given y, it should be hard to find any x such that h(x)=y How hard? Brute-force: try every possible x, see if h(x)=y SHA-1 (common hash function) has 160-bit output Expect to try 2 159 inputs before finding one that hashes to y. 4/18/16 CSE 484 / CSE M 584 - Spring 2016 22

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) 4/18/16 CSE 484 / CSE M 584 - Spring 2016 23

Birthday Paradox Are there two people in the first 1/3 of this classroom that have the same birthday? 365 days in a year (366 some years) Pick one person. To find another person with same birthday would take on the order of 365/2 = 182.5 people Expect birthday collision with a room of only 23 people. For simplicity, approximate when we expect a collision as sqrt(365). Why is this important for cryptography? 2 128 different 128-bit values Pick one value at random. To exhaustively search for this value requires trying on average 2 127 values. Expect collision after selecting approximately 2 64 random values. 64 bits of security against collision attacks, not 128 bits. 4/18/16 CSE 484 / CSE M 584 - Spring 2016 24

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) Birthday paradox (informal) Let t be the number of values x,x,x we need to look at before finding the first pair x,x s.t. h(x)=h(x ) What is probability of collision for each pair x,x? 1/2 n How many pairs would we need to look at before finding the first collision? O(2 n ) How many pairs x,x total? What is t, the number of values we need to look at? Choose(t,2)=t(t-1)/2 O(t 2 ) 2 n/2 Brute-force collision search is only O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) 4/18/16 CSE 484 / CSE M 584 - Spring 2016 25

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) Birthday paradox means that brute-force collision search is only O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) 4/18/16 CSE 484 / CSE M 584 - Spring 2016 26

Authenticated Encryption Instead: Encrypt then MAC. (Not as good: MAC-then-Encrypt) M EncryptKe C C MACKm T Ciphertext C Encrypt-then-MAC 4/18/16 CSE 484 / CSE M 584 - Spring 2016 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback