# Modes of Operation of Block Ciphers

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must 1 split the sequence into n-bit blocks, 2 pad the last block if necessary with zeroes or random values or context information Then each block is encrypted by f, but in general one uses some sort of chaining Four chaining procedures, called modes of operation were standardized together with DES: ECB, CBC, CFB, OFB These chaining procedures apply to each block cipher The standardization in the context of AES added two more modes: CTR, XTS 35

2 K Pommerening, Bitblock Ciphers 36 For a description of the modes a suitable general framework is a block alphabet Σ, with F n 2 as most important example, equipped with a group composition Furthermore we fix an encryption function f :Σ Σ The dependence on the key doesn t matter in this context and therefore is dropped in the notation

3 K Pommerening, Bitblock Ciphers ECB = Electronic Code Book Description Let r be the number of blocks of the plaintext (a 1,,a r ) Encryption: In ECB mode each block is encrypted independently of the other blocks: a =(a 1,,a r ) c =(c 1,,c r ) Σ r with c i = f(a i ) a 1 c 1 a 2 c 2 a r c r Decryption: a i = f 1 (c i ) Properties ECB mode simply is a monoalphabetic substitution on Σ For sufficiently large #Σ this is secure from a ciphertext-only attack But there are several disadvantages: ECB encryption leaks information on identical blocks Even if the plaintext is not random, the rule of thumb from the Birthday Paradox applies in the interpretation (for Σ = F n 2 ): After 2 n/2 bits ECB encryption begins to leak information Wikipedia has a nice illustration of this effect, see cipher mode of operation The other modes significantly enlarge this bound Building a codebook from known plaintext blocks is not unrealistic For structured messages, say bank transactions, there occur many blocks of known plaintext An active attack by exchanging or inserting single blocks of ciphertext (for example with known, sympathic plaintext) is possible For example an attacker who knows which block contains the receiver of a money transfer could exchange this block with a corresponding block from another transfer for another receiver He doesn t need to know the key

4 K Pommerening, Bitblock Ciphers 38 If the situation allows for an attack with chosen plaintext (as in a black box analysis), trial encryption and dictionary attacks can be mounted In view of these problems generating diffusion between the plaintext blocks seems a much better approach In the following sections we look at modes of operation that achieve this effect

5 K Pommerening, Bitblock Ciphers CBC = Cipher Block Chaining Description Choose a start value c 0 by random (also called IV = Initialization Vector ) Then the procedure looks like this: c 0 a 1 c 1 a 2 c 2 a r c r Encryption: In CBC mode the formula for encryption is: c i := f(a i c i 1 ) for i =1,,r = f(a i f(a i 1 f(a 1 c 0 ) )) Decryption: a i = f 1 (c i ) c 1 i 1 for i =1,,r Properties Each ciphertext block depends on all previous plaintext blocks (diffusion) An attacker is not able to replace or insert text blocks unnoticeably Identical plaintext blocks in general encrypt to different ciphertext blocks On the other side an attack with known plaintext is not more difficult, compared with ECB mode Each plaintext block depends on two ciphertext blocks As a consequence a transmission error in a single ciphertext block results in (only) two corrupted plaintext blocks ( self synchronisation of CBC mode) Question: Does it make sense to treat the initialization vector c 0 as secret and use it as an additional key component? (Then for the example of DES we had 56 proper key bits plus a 64 bit initialization vector, making a total of 120 key bits)

6 K Pommerening, Bitblock Ciphers 40 Answer: No! Reason: In the decryption process only a 1 depends on c 0 This means that keeping c 0 secret conceals known plaintext only for the first block If the attacker knows the second or a later plaintext block, then she may determine the key as in ECB mode (by exhaustion, or by an algebraic attack, or by any other attack with known plaintext) Remarks 1 CBC is the composition f (ciphertext autokey) In the trivial case f = 1 Σ only the (completely unsuited) ciphertext autokey cipher with key length 1 is left 2 (John Kelsey in the mailing list 24 Nov 1999) If there occurs a collision c i = c j for i = j, thenf(a i c i 1 )= f(a j c j 1 ), hence a i c i 1 = a j c j 1 and therefore a 1 j a i = c j 1 c 1 i 1 In this way the attacker gains some information on the plaintext By the Birthday Paradox this situation is expected after about #Σ blocks The longer the text, the more such collisions will occur This effect reassures the rule of thumb for the frequency of key changes: change the key in good time before you encrypt #Σ blocks

7 K Pommerening, Bitblock Ciphers Variants of CBC Plaintext Autokey Replacing the ciphertext autokey encryption for CBC mode by plaintext autokey yields the following scheme: a 0 3 a 1 f c 1 3 a 2 3 f c 2 a r f c r that sometimes is called PBC = Plaintext Block Chaining Encryption: After choosing an initialization vector a 0 the formula for encryption is: c i := f(a i a i 1 ) for i =1,,r Decription: The formula is: a i = f 1 (c i ) a 1 i 1 for i =1,,r However this method seems not to be in widely accepted use, and there seem to be no relevant results on its security PCBC = error-propagating CBC This procedure mixes CBC and PBC It follows the scheme: c 0 a 1 3 c 1 a 2 c 2 3 a r c r

8 K Pommerening, Bitblock Ciphers 42 Encryption: After choosing the initialization vector a 0 = e (neutral element of the group) encryption is by the formula c i := f(a i a i 1 c i 1 ) for i =1,,r In the case of a bitblock cipher we choose a 0 = 0, the null block Decryption: The formula is a i = f 1 (c i ) c 1 i 1 a 1 i 1 for i =1,,r This mode was implemented in early versions of Kerberos but then abandoned Generalization by Meyer/Matyas c i := f(a i h(a i 1,c i 1 )) for i =1,,r, where in the case Σ = F n 2 addition modulo 2n is suggested for h BCM = Block Chaining Mode This mode follows the scheme: c 0 d 1 a 1 c 1 d 2 a 2 c 2 a r c r d 3 Formula for encryption: d i := c 0 c i 1, c i := f(a i d i ) for i =1,,r

9 K Pommerening, Bitblock Ciphers 43 An Application of CBC CBC-MAC (= Message Authentication Code ) is a key-dependent hash function that serves for checking the integrity of messages It is standardized in ISO/IEC 9797 and used in electronic banking Sender and receiver of the message these could be the same person if the MAC used for securing the integrity of a stored file share the key k and use the encryption function f = f k The MAC of a text a =(a 1,,a r ) is the last ciphertext block where a is encrypted in CBC mode Hence MAC(a) =c r = f(a r f(a r 1 f(a 1 c 0 ) )) If MAC(a) is sent together with a, then the receiver may check the authenticity of the sender and the integrity of the content Only someone who has the key can calculate this value correctly The disadvantage of this procedure is the need of sharing a secret k In a legal dispute each of the two parties can contend a forgery by the other one

10 K Pommerening, Bitblock Ciphers CFB = Cipher Feedback Description (of the simplest version) f a 1 f a 2 c 0 c 1 c 2 f a r c r Encryption in CFB mode is by the formula c i := a i f(c i 1 ) for i =1,,r = a i f(a i 1 f( a 1 f(c 0 ) )) Decryption: a i = c i f(c i 1 ) 1 for i =1,,r Properties As before the initialization vector is unsuited as additional key component As before this mode doesn t make an attack with known plaintext more difficult Note that also decryption uses f, not f 1 Therefore: CFB mode doesn t make sense for asymmetric ciphers On the other hand CFB mode may be used with a (key dependent) one-way or hash function f For the identical map f = 1 Σ CFB again reduces to ciphertext autokey (David Wagner)ECB CFB = CBC: For a proof take c 0 as initialization vector for CFB, and c 0 initialization vector for CBC Then := f(c 0) as c 1 = CFB(a 1 )=a 1 f(c 0 ), c 1 =ECB(c 1 )=f(a 1 f(c 0 )) = f(a 1 c 0)=CBC(a 1 ), c 2 = CFB(a 2 )=a 2 f(c 1 ), c 2 =ECB(c 2 )=f(a 2 f(c 1 )) = f(a 2 c 1)=CBC(a 2 ), etc

11 K Pommerening, Bitblock Ciphers 45 The Standardized Version uses a shift register, hence is defined only in the case of Σ = F n 2 Here 1 t n, and the encryption procedure uses blocks a i F t 2 of length t The current ciphertext block c i of length t is shifted from the right into the shift register (drawn in red): q 0 c f 0 p 1 q 1 a 1 c 1 q 1 c f 1 p 2 q 2 a 2 c 2 q r 1 c r 1 f p r q r a r c r The q i are bitblocks of length n t As it turned out later the security of this more general version decreases with t Therefore its use is not recommended

12 K Pommerening, Bitblock Ciphers OFB = Output Feedback Description (of the simplest version) s 0 f a 1 s 1 = c 1 f a 2 s 2 = c 2 f a r s r = c r This mode also was originally defined as shift register version Here too using a blocklength of t<nweakens the security [Jueneman, Crypto 82] Encryption in OFB mode is by the formula Decryption by the formula Properties c i := a i s i, s i := f(s i 1 ) for i =1,,r a i = c i s 1 i, s i := f(s i 1 ) for i =1,,r There is no diffusion However identical plaintext blocks in general yield different ciphertext blocks In the case Σ = F s 2 OFB simply is a bitstream cipher where f serves as random generator If encryption or decryption is time critical, the sender or the receiver (or both) might precalculate the key stream s i Here too the decryption uses only f, not f 1 For Σ = F s 2 the cipher is an involution, that is encryption and decryption are the same function More generally this holds when the group Σ has exponent 2

13 K Pommerening, Bitblock Ciphers 47 Under an attack with known plaintext the pair (a 1,c 1 ) reveals the value of s 1, the next pair (a 2,c 2 ), the value of s 2 = f(s 1 ) This leads to an attack with known plaintext against the function f itself Keeping the initialization vector s 0 secret doesn t increase the security of the cipher for OFB (like for the other modes) Variant: Counter Mode CTR The simplest case is c i := a i f(i) for i =1,,r There are same slight variants, for example starting with another number than 1

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

### WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

WINTR SCHOOL ON COMPUTR SCURITY Prof. li Biham Computer Science Department Technion, Haifa 3200003, Israel January 27, 2014 c li Biham c li Biham - January 27, 2014 1 Cryptanalysis of Modes of Operation

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/

Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### 1 Data Encryption Algorithm

Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin. www.itmr.ac.in

01 0110 0001 01101 WHITE PAPER ON Data Encryption Prepared by Mohammed Samiuddin www.itmr.ac.in Contents INTRODUCTION... 2 NEED FOR DATA ENCRYPTION... 3 DUE CARE... 3 REPUTATIONAL RISK... 3 REGULATORY

### IronKey Data Encryption Methods

IronKey Data Encryption Methods An IronKey Technical Brief November 2007 Information Depth:Technical Introduction IronKey is dedicated to building the world s most secure fl ash drives. Our dedication

### Message authentication

Message authentication -- Hash based MAC unctions -- MAC unctions based on bloc ciphers -- Authenticated encryption (c) Levente Buttyán (buttyan@crysys.hu) Secret preix method MAC (x) = H( x) insecure!

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### CSci 530 Midterm Exam. Fall 2012

CSci 530 Midterm Exam Fall 2012 Instructions: Show all work. No electronic devices are allowed. This exam is open book, open notes. You have 100 minutes to complete the exam. Please prepare your answers

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### Cryptographic mechanisms

General Secretariat for National Defence Central Directorate for Information Systems Security PRIME MINISTER Paris, 2007 september 14 No. 1904/SGDN/DCSSI/SDS/LCR Cryptographic mechanisms Rules and recommendations

### Lecture 9 - Network Security TDTS41-2006 (ht1)

Lecture 9 - Network Security TDTS41-2006 (ht1) Prof. Dr. Christoph Schuba Linköpings University/IDA Schuba@IDA.LiU.SE Reading: Office hours: [Hal05] 10.1-10.2.3; 10.2.5-10.7.1; 10.8.1 9-10am on Oct. 4+5,

### 159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

### Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest Quiz 1 1. This quiz is intended to provide a fair measure of your understanding

### Security for Computer Networks

Security for Computer Networks An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer D. W. Davies Consultant for Data Security and W. L. Price National Physical Laboratory, Teddington,

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Chapter 11 Message Authentication and Hash Functions At cats' green on the Sunday he took the message from the inside of

### Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Cryptography: Motivation Many areas have sensitive information, e.g. Data Structures and Algorithms Cryptography Goodrich & Tamassia Sections 3.1.3 & 3.1.4 Introduction Simple Methods Asymmetric methods:

### Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

### Chapter 8. Network Security

Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

### AES Cipher Modes with EFM32

AES Cipher Modes with EFM32 AN0033 - Application Note Introduction This application note describes how to implement several cryptographic cipher modes with the Advanced ion Standard (AES) on the EFM32

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Goals v understand principles of network security: cryptography and its many uses beyond

### : Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

### SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### CS3235 - Computer Security Third topic: Crypto Support Sys

Systems used with cryptography CS3235 - Computer Security Third topic: Crypto Support Systems National University of Singapore School of Computing (Some slides drawn from Lawrie Brown s, with permission)

### The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES

### Message authentication and. digital signatures

Message authentication and " Message authentication digital signatures verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non!repudiation

### Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

### Hash Functions. Integrity checks

Hash Functions EJ Jung slide 1 Integrity checks Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify

### Data Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows:

Data Encryption Encryption refers to the coding of information in order to keep it secret. Encryption is accomplished by transforming the string of characters comprising the information to produce a new

### An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

Walt Hubis, LSI Corporation SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature

### First Semester Examinations 2011/12 INTERNET PRINCIPLES

PAPER CODE NO. EXAMINER : Martin Gairing COMP211 DEPARTMENT : Computer Science Tel. No. 0151 795 4264 First Semester Examinations 2011/12 INTERNET PRINCIPLES TIME ALLOWED : Two Hours INSTRUCTIONS TO CANDIDATES

### Cryptography Overview

Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

### Fundamentals of Computer Security

Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A Message From Our Sponsors Fundamentals System/Network Security, crypto How do things work Why How to design secure

### Reconsidering Generic Composition

Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### On the Security of Double and 2-key Triple Modes of Operation

On the Security of Double and 2-key Triple Modes of Operation [Published in L. Knudsen, d., Fast Software ncryption, vol. 1636 of Lecture Notes in Computer Science, pp. 215 230, Springer-Verlag, 1999.]

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### Network Security: Secret Key Cryptography

1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 c 1999-2000, Henning Schulzrinne Last modified September

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### Visualisation of potential weakness of existing cipher engine implementations in commercial on-the-fly disk encryption software

Visualisation of potential weakness of existing cipher engine implementations in commercial on-the-fly disk encryption software C. B. Roellgen Global IP Telecommunications, Ltd. & PMC Ciphers, Inc. August

### Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

### Chapter 10. Network Security

Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

### Evaluation of the RC4 Algorithm for Data Encryption

Evaluation of the RC4 Algorithm for Data Encryption Allam Mousa (1) and Ahmad Hamad (2) (1) Electrical Engineering Department An-Najah University, Nablus, Palestine (2) Systems Engineer PalTel Company,

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### ETSI TS 102 176-2 V1.2.1 (2005-07)

TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

SPC5 Software Cryptography Library Data brief SHA-512 Random engine based on DRBG-AES-128 RSA signature functions with PKCS#1v1.5 ECC (Elliptic Curve Cryptography): Key generation Scalar multiplication

### 2009-2010. SSL Firewalls

& 2009-2010 & ( ) SSL Firewalls :. :.. byte 0x01 : 1,. 1 , :,, : ( ) ). : : (Confidentiality) (Integrity) (Availability) :.,,. :. :...,,. :,,. 2 (Identification) (Authentication).,,, )... (Authorization)

### Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastr, David Wagner Presented By: Tristan Brown Outline Motivation Cryptography Overview TinySec Design Implementation

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### The Data Encryption Standard (DES)

The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents - Objective - Cryptography: An Overview - Symmetric Key - Asymmetric Key - Transparent Key: A Paradigm Shift - Security

### Chapter 17. Transport-Level Security

Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

### EDA385 Embedded Systems Design. Advanced Course

EDA385 Embedded Systems Design. Advanced Course Encryption for Embedded Systems Supervised by Flavius Gruian Submitted by Ahmed Mohammed Youssef (aso10ayo) Mohammed Shaaban Ibraheem Ali (aso10mib) Orges

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Savitribai Phule Pune University

Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

### Crypto Lab Secret-Key Encryption

SEED Labs 1 Crypto Lab Secret-Key Encryption Copyright c 2006-2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National Science Foundation:

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### AN3270 Application note

Application note Using the STM8L16x AES hardware accelerator Introduction The purpose of cryptography is to protect sensitive data to avoid it being read by unauthorized persons. There are many algorithms

### Insight Guide. Encryption: A Guide

Encryption: A Guide for Beginners If you read anything about information security, you re likely to have come across the word encryption. It s a fundamental building block when it comes to securing your

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher