CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Similar documents
Cryptography 2017 Lecture 3

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Cryptography: Symmetric Encryption [continued]

CS155. Cryptography Overview

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Cryptography [Symmetric Encryption]

Goals of Modern Cryptography

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Cryptography (cont.)

Crypto: Symmetric-Key Cryptography

Symmetric Cryptography

symmetric cryptography s642 computer security adam everspaugh

symmetric cryptography s642 computer security adam everspaugh

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Symmetric Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Authenticated Encryption

Symmetric key cryptography

CS155. Cryptography Overview

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Information Security CS526

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Authenticated Encryption

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to Cryptography. Lecture 3

Introduction to Modern Symmetric-Key Ciphers

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Secret Key Cryptography

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Private-Key Encryption

Block ciphers, stream ciphers

Lecture 4: Symmetric Key Encryption

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Introduction to cryptology (GBIN8U16)

Lecture 3: Symmetric Key Encryption

Encryption Details COMP620

1 Achieving IND-CPA security

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Feedback Week 4 - Problem Set

CSC 474/574 Information Systems Security

Computational Security, Stream and Block Cipher Functions

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Symmetric-Key Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Content of this part

Public key encryption: definitions and security

CIS 4360 Secure Computer Systems Symmetric Cryptography

Computer Security CS 526

Data Encryption Standard (DES)

Scanned by CamScanner

Introduction to Cryptography. Lecture 3

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Cryptography Functions

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Fundamentals of Cryptography

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

CSC574: Computer & Network Security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Implementing AES : performance and security challenges

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Modern Symmetric Block cipher

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

7. Symmetric encryption. symmetric cryptography 1

FACE : Fast AES CTR mode Encryption Techniques based on the Reuse of Repetitive Data

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Cryptography Overview

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

AES Advanced Encryption Standard

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Message authentication codes

Chapter 7 Advanced Encryption Standard (AES) 7.1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

A Brief Outlook at Block Ciphers

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Block Ciphers. Advanced Encryption Standard (AES)

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Cryptographic Algorithms - AES

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography and Network Security

Block Cipher Modes of Operation

Introduction to Symmetric Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CPSC 467: Cryptography and Computer Security

Transcription:

CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018

Review CPA-secure construction Security proof by reduction to PRF Randomized How to design block ciphers Substitution Permutation Networks Feistel Networks Multiple rounds DES Feistel Network AES Substitution Permutation Network 2

R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) Block Ciphers Built by Iteration key k Key schedule k 1 k 2 k 3 k n m c R(k,m) is called a round function for DES (n=16), for AES-128 (n=10) 3

Substitution-Permutation Network Round key Key mixing S-box Fixed permutation Invertible Substitution Permutation S boxes and mixing permutation are public 4

Feistel Networks Given functions f 1,, f d : {0,1} n {0,1} n Often f i (x) = F k i (x), for k i secret keys and F a PRF Goal: build invertible function (PRP) F: {0,1} 2n {0,1} 2n n-bits n-bits R 0 L 0 input R 1 f 1 R 2 L 1 f 2 L 2 R d-1 L d-1 f d R d L d output L i = R i 1 R i = L i 1 f i (R i 1 ) Functions f i are public Round key is derived from main key and secret Advantage: f i not invertible! 5

64 bits 64 bits DES: 16 round Feistel network f 1,, f 16 : {0,1} 32 {0,1} 32, f i (x) = F( k i, x ) k 56 bits key expansion k 1 k 2 k 16 48 bits 16 round IP IP Feistel network -1 input To invert, use keys in reverse order output 6

The function F(k i, x) Key mixing Substitution- Permutation Network Substitution Permutation S-box: function {0,1} 6 {0,1} 4, implemented as look-up table. 7

The AES process 1997: NIST publishes request for proposal 1998: 15 submissions. Five claimed attacks. 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES Belgium) (designed in Key sizes: 128, 192, 256 bits. Block size: 128 bits 8

input output AES is a Subs-Perm network (not Feistel) k 1 S 1 S 1 k 2 S 1 k n S 2 S 2 S 2 S 3 S 3 S 3 S 8 S 8 S 8 subs. layer perm. layer inversion 9

AES-128 schematic 10 rounds 4 4 input (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow k 0 invertible k 1 k 2 k 9 key 16 bytes key expansion: 16 bytes 176 bytes k 10 4 output 4 10

The round function ByteSub: a 1 byte S-box. 256 byte table (non- linear, but easily computable A i, j S A i, j, i, j ShiftRows: MixColumns: 11

Code size/performance tradeoff Pre-compute round functions (24KB or 4KB) Pre-compute S-box only (256 bytes) Code size largest smaller Performance fastest: table lookups and xors slower No pre-computation smallest slowest 12

AES in hardware AES instructions in Intel Westmere: aesenc, aesenclast: do one round of AES 128-bit registers: xmm1=state, xmm2=round key aesenc xmm1, xmm2 ; puts result in xmm1 aeskeygenassist: performs AES key expansion Claim 14 x speed-up over OpenSSL on same hardware Similar instructions on AMD Bulldozer 13

Attacks Best key recovery attack: four times better than ex. search [BKR 11] Related key attack on AES-256: [BK 09] Given 2 99 inp/out pairs from four related keys in AES-256 can recover keys in time 2 99 14

Block ciphers Suggestions: Don t think about the inner-workings of AES and 3DES. Don t implement them yourselves We assume both are secure PRPs and will see how to use them 15

Incorrect use of block cipher Electronic Code Book (ECB): PT: m 1 m 2 CT: c 1 c 2 Problem: if m 1 =m 2 then c 1 =c 2 Not EAV-secure! 16

In pictures (courtesy B. Preneel) 17

CBC encryption Let F be a PRP; F: K {0,1} n {0,1} n Enc CBC (k,m): choose random IV {0,1} n and do: IV m[1] m[2] m[3] m[l] F(k, ) F(k, ) F(k, ) F(k, ) IV c[1] c[2] c[3] c[l] ciphertext c i = F k (c i 1 m i ) 18

Decryption circuit In symbols: c[1] = F k ( IV m[1] ) m[1] = F k -1 (c[1]) IV IV c[1] c[2] c[3] c[l] F -1 (k, ) F -1 (k, ) F -1 (k, ) F -1 (k, ) m[1] m[2] m[3] m[l] m i = F 1 k(c i ) c i 1 19

CBC: CPA Analysis CBC Theorem: For any L>0 number of blocks, If F is a secure PRP over (K, {0,1} n ) then Enc CBC is CPA-secure over (K, {0,1} nl, {0,1} n(l+1) ). In particular, for a q-query adversary A attacking Enc CBC there exists a PRP adversary B s.t.: CPA Pr[Exp EncCBC,A n = 1] 1/2 + 2Adv PRP F,B + 2 q 2 L 2 /2 n Adv PRP E,B = Pr B F 1 k,f k n = 1 Pr[B f,f 1 n Note: CBC is only secure as long as q 2 L 2 << 2 n 20

An example CPA Pr[Exp ECBC,A n = 1] 1/2+Adv PRP E,B + 2 q 2 L 2 /2 n q = # messages encrypted with k L = length of max message CPA Suppose we want Pr[Exp EncCBC A n = 1] 1/2 + 1/2 32 q 2 L 2 /2 n < 1/ 2 32 AES: 2 n = 2 128 q L < 2 48 So, after 2 48 AES blocks, must change key 3DES: 2 n = 2 64 q L < 2 16 21

Attack on CBC with predictable IV CBC where attacker can predict the IV is not CPA-secure!! Suppose given c Enc CBC (k,m) can predict next IV Chal. k K 0 {0,1} n c 1 [ IV 1, F k ( 0 IV 1 ) ] m 0 =IV IV 1, m 1 m 0 c [ IV, F k (IV 1 ) ] or c [ IV, F k (m 1 IV) ] Adv. predict IV output 0 if c[1] = c 1 [1] Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1) 22

CTR-mode encryption Let F: K {0,1} n {0,1} n be a secure PRF. Enc(k,m): choose a random IV {0,1} n and do: IV msg m[1] m[2] F(k,IV) F(k,IV+1) m[l] F(k,IV+L) IV c[1] c[2] c[l] ciphertext note: parallelizable (unlike CBC) c i = F k (IV + i) m i 23

Comparison: CTR vs. CBC CBC CTR mode Uses PRP PRF Parallel processing No Yes Security q^2 L^2 << 2 n q^2 L << 2 n Dummy padding block Yes No 24

A CBC technicality: padding IV m[1] m[2] m[3] m[l] ll pad F(k, ) F(k, ) F(k, ) F(k, ) IV c[1] c[2] c[3] c[l] TLS: for n>0, n byte pad is n n n if no pad needed, add a dummy block n removed during decryption 25

TLS bugs in older versions IV for CBC is predictable: (chained IV) - IV for next record is last ciphertext block of current record. - Not CPA secure. Padding oracle: during decryption - If pad is invalid send decryption failed alert - If mac is invalid send bad_record_mac alert attacker learns information about plaintext Lesson: when decryption fails, do not explain why 26

Recap To encrypt longer messages, use CBC or CTR mode CPA security CTR mode has some advantages Parallelizable Better security CBC encryption with padding is vulnerable to padding oracle attack Authenticated encryption schemes are CCA secure 27

Acknowledgement Some of the slides and slide contents are taken from http://www.crypto.edu.pl/dziembowski/teaching and fall under the following: 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation. We have also used slides from Prof. Dan Boneh online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/onlinecrypto/ 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback