Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Similar documents
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography: Symmetric Encryption [continued]

Cryptography [Symmetric Encryption]

Symmetric Cryptography

Cryptography (cont.)

Symmetric Cryptography

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Crypto meets Web Security: Certificates and SSL/TLS

CSE 484 / CSE M 584: Computer Security and Privacy. Usable Security. Fall Franziska (Franzi) Roesner

Integrity of messages

Cryptographic hash functions and MACs

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Winter 2011 Josh Benaloh Brian LaMacchia

Software Security Design Principles + Intro to Crypto

Software Security and Intro to Cryptography

Cryptographic Hash Functions. *Slides borrowed from Vitaly Shmatikov

Introduction to Cryptography (cont.)

Introduction to Cryptography. Lecture 6

CSE 127: Computer Security Cryptography. Kirill Levchenko

symmetric cryptography s642 computer security adam everspaugh

Lecture 1 Applied Cryptography (Part 1)

Software Security: Miscellaneous

Cryptographic Hash Functions

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE484 Final Study Guide

CS 161 Computer Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Practical Aspects of Modern Cryptography

Computer Security CS 526

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

ENEE 459-C Computer Security. Message authentication

Block ciphers, stream ciphers

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Scanned by CamScanner

Data Integrity. Modified by: Dr. Ramzi Saifan

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Symmetric-Key Cryptography

Summary on Crypto Primitives and Protocols

Symmetric Encryption 2: Integrity

1 Achieving IND-CPA security

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Data Integrity & Authentication. Message Authentication Codes (MACs)

Software Security: Buffer Overflow Defenses

User Authentication. Daniel Halperin Tadayoshi Kohno

Computational Security, Stream and Block Cipher Functions

3. Cryptography Review

Introduction to cryptology (GBIN8U16)

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

symmetric cryptography s642 computer security adam everspaugh

Information Security CS526

Cryptology complementary. Symmetric modes of operation

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Web Security Symmetric Encryption & Authentication

Lecture 4: Authentication and Hashing

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Software Security: Misc and Principles

Refresher: Applied Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Solutions to exam in Cryptography December 17, 2013

Cryptography 2017 Lecture 3

CS155. Cryptography Overview

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Ref:

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

User Authentication and Human Factors

COMP4109 : Applied Cryptography

Message Authentication Codes and Cryptographic Hash Functions

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptographic Hash Functions

Lecture 4: Symmetric Key Encryption

S. Erfani, ECE Dept., University of Windsor Network Security

Introduction to Symmetric Cryptography

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

CS408 Cryptography & Internet Security

Feedback Week 4 - Problem Set

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Computer Security: Principles and Practice

User Authentication. Tadayoshi Kohno

BCA III Network security and Cryptography Examination-2016 Model Paper 1

CS 161 Computer Security

UNIT - IV Cryptographic Hash Function 31.1

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptography ThreeB. Ed Crowley. Fall 08

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CS155. Cryptography Overview

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Security Requirements

APNIC elearning: Cryptography Basics

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More Cheating 10/26/16 CSE 484 / CSE M 584 - Fall 2016 2

More Cheating 10/26/16 CSE 484 / CSE M 584 - Fall 2016 3

Dirty COW Vulnerability Race condition involving memory mapped files which allows user processes to write to root-owned files 10/26/16 CSE 484 / CSE M 584 - Fall 2016 4

Dirty COW Fixed commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 Author: Linus Torvalds torvalds@linux-foundation.org Date: Thu Oct 13 20:07:36 2016 GMT This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). 10/26/16 CSE 484 / CSE M 584 - Fall 2016 5

Dirty COW Vulnerability madvise(map,100,madv_dontneed) write( /proc/self/mem ) Eventually writes to a file in the middle of page table updates, causing inappropriate file overwriting. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 6

Recap: Block Ciphers Operates on a single chunk ( ) of plaintext For example, 64 bits for DES, 128 bits for AES Each key defines a different permutation Same key is reused for each (can use short keys) Plaintext Key Ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 7

Electronic Code Book (ECB) Mode plaintext key key key key key Don t use ECB mode text 10/26/16 CSE 484 / CSE M 584 - Fall 2016 8

Cipher Block Chaining (CBC) Mode: Encryption plaintext Initialization vector (random) key key key key Sent with text text 10/26/16 CSE 484 / CSE M 584 - Fall 2016 9

CBC Mode: Decryption plaintext Initialization vector key key key key decrypt decrypt decrypt decrypt text 10/26/16 CSE 484 / CSE M 584 - Fall 2016 10

ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext s produce similar text s (not good!) [Picture due to Bart Preneel] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 slide 11 11

Counter Mode (CTR): Encryption Initial ctr (random) ctr ctr+1 ctr+2 ctr+3 Key Key Key Key pt pt pt pt text 10/26/16 CSE 484 / CSE M 584 - Fall 2016 12

Counter Mode (CTR): Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 Key Key Key Key ct ct ct ct pt pt pt pt 10/26/16 CSE 484 / CSE M 584 - Fall 2016 13

How Can a Cipher Be Attacked? Attackers knows text and encryption algthm What else does the attacker know? Depends on the application in which the is used! Ciphertext-only attack KPA: Known-plaintext attack (stronger) Knows some plaintext-text pairs CPA: Chosen-plaintext attack (even stronger) Can obtain text for any plaintext of his choice CCA: Chosen-text attack (very strong) Can decrypt any text except the target 10/26/16 CSE 484 / CSE M 584 - Fall 2016 14

Ex: Chosen Plaintext Attacks Let s plan an attack on AF [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 15

Ex: Chosen Plaintext Attacks This is Midway Island, we re low on supplies [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 16

Ex: Chosen Plaintext Attacks AF is low on supplies [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 17

Ex: Chosen Plaintext Attack When the allies planted mines in the ocean, the German Navy would send messages about those locations to warn their ships. [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 18

Examples of Chosen Ciphertext Attacks Some serious attacks against SSH have been based on Chosen Ciphertext Attacks Example: send chosen text to SSH server, see whether it responds with an error or not. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 19

Examples of Chosen Ciphertext Attacks Imagine a system with very few commands, e.g., a military system which responds to the commands ( FIRE ) and ( DON T FIRE ). Try sending texts and observe in real life whether the weapon fires or not. The side effects of the command serve as a decryption of your text. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 20

Very Informal Intuition Minimum security requirement for a modern encryption scheme Security against chosen-plaintext attack (CPA) Ciphertext leaks no information about the plaintext Even if the attacker correctly guesses the plaintext, he cannot verify his guess Every text is unique, encrypting same message twice produces completely different texts 10/26/16 CSE 484 / CSE M 584 - Fall 2016 21

Message Authentication Codes 10/26/16 CSE 484 / CSE M 584 - Fall 2016 22

So Far: Achieving Privacy Encryption schemes: A tool for protecting privacy. M Encrypt C Decrypt M Alice K K Message = M Ciphertext = C Adversary K Bob K 10/26/16 CSE 484 / CSE M 584 - Fall 2016 23

Now: Achieving Integrity Message authentication schemes: A tool for protecting integrity. KEY MAC: message authentication code (sometimes called a tag ) KEY message, MAC(KEY,message) Alice message? = Bob Recomputes MAC and verifies whether it is equal to the MAC attached to the message Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 24

Reminder: CBC Mode Encryption plaintext Initialization vector (random) key key key key text 10/26/16 CSE 484 / CSE M 584 - Fall 2016 25

CBC-MAC plaintext key key key key TAG 10/26/16 CSE 484 / CSE M 584 - Fall 2016 26

CBC-MAC plaintext key key key key TAG Not secure when system may MAC messages of different lengths. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 27

Hash Functions 10/26/16 CSE 484 / CSE M 584 - Fall 2016 28

Application: Password Hashing Instead of user password, store hash(password) When user enters a password, compute its hash and compare with the entry in the password file System does not store actual passwords! Cannot go from hash to password! Why is hashing better than encryption here? Does hashing protect weak, easily guessable passwords? 10/26/16 CSE 484 / CSE M 584 - Fall 2016 29

Application: Software Integrity VIRUS goodfile badfile BigFirm The NYTimes hash(goodfile) User Goal: Software manufacturer wants to ensure file is received by users without modification. Idea: given goodfile and hash(goodfile), very hard to find badfile such that hash(goodfile)=hash(badfile) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 30

Hash Functions: Main Idea x message. x.. x hash function H message digest.. y y bit strings of any length n-bit bit strings Hash function H is a lossy compression function Collision: h(x)=h(x ) for distinct inputs x, x H(x) should look random Every bit equally likely to be 0 or 1 Cryptographic hash function needs a few properties 10/26/16 CSE 484 / CSE M 584 - Fall 2016 31

Property 1: One-Way The hash should be hard to invert Preimage resistance Let h(x ) = y {0,1} n for random x Given y, it should be hard to find any x such that h(x)=y 10/26/16 CSE 484 / CSE M 584 - Fall 2016 32

Security Mindset Anecdote A clever example of a one-way function: phone books. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 33

Security Mindset Anecdote A clever example of a one-way function: phone books. Hash(name) = Phone number of person with that name 10/26/16 CSE 484 / CSE M 584 - Fall 2016 34

Security Mindset Anecdote Easy to compute forward (phonebook is alphabetical) Hard to invert backward (must search n/2 pages on average to find person by phone number) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 35

Security Mindset Anecdote 10/26/16 CSE 484 / CSE M 584 - Fall 2016 36

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 37

Birthday Paradox Expect birthday collision half the time with a room of only 23 people. Approximate: 50% probability = sqrt(365). Why is this important for cryptography? 2 128 different 128-bit values Pick one value at random. To exhaustively search for this value requires trying on average 2 127 values. Expect collision after selecting approximately 2 64 random values. 64 bits of security against collision attacks, not 128 bits. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 38

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) Birthday paradox (informal) Let t be the number of values x,x,x we need to look at before finding the first pair x,x s.t. h(x)=h(x ) What is probability of collision for each pair x,x? 1/2 n How many pairs would we need to look at before finding the first collision? O(2 n ) How many pairs x,x total? What is t, the number of values we need to look at? Choose(t,2)=t(t-1)/2 O(t 2 ) 2 n/2 Brute-force collision search is only O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 39

Property 2: Collision Resistance Should be hard to find x x such that h(x)=h(x ) Birthday paradox means that brute-force collision search is only O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 40

Property 3: Weak Collision Resistance Given randomly chosen x, hard to find x such that h(x)=h(x ) Attacker must find collision for a specific x. By contrast, to break collision resistance it is enough to find any collision. Brute-force attack requires O(2 n ) time Weak collision resistance does not imply collision resistance. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 41

Properties of a Cryptographic Hash Function One-wayness Given h(x) Collision resistance Hard to find Weak collision resistance Hard to find 10/26/16 CSE 484 / CSE M 584 - Fall 2016 42

Properties of a Cryptographic Hash One-wayness Function Given h(x): hard to find x Collision resistance Hard to find x x s.t. h(x) == h(x ) Weak collision resistance Hard to find x x s.t. h(x) == h(x ) for specific, random x 10/26/16 CSE 484 / CSE M 584 - Fall 2016 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback