# Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Save this PDF as:

Size: px
Start display at page:

Download "Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13"

## Transcription

1 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues

2 Outline In the course we have yet only seen catastrophic weaknesses where a stream cipher or a stream cipher mode was used. Goal We want to show that this can also happen with block cipher modes. This also helps to understand common recommendations for CTR mode. More on the order of MAC and encryption Goal Give reasons why current research prefers the variant Encrypt-then-MAC. What does a Principle of mean? How to understand? Follow? Goal Encourage critical thinking Network Security, WS 2012/13, Chapter 13 2

3 Attacks we have seen that utilize stream cipher properties Attacks we have seen that utilize stream cipher properties Network Security, WS 2012/13, Chapter 13 3

4 Failures we have seen using stream ciphers/ modes Re-use of Initialization Vector (IV), e.g. in WEP or chapter 3 IV k P1 = xor C1 = Then some time later the same IV is used again: IV k P2 = xor C2 = Network Security, WS 2012/13, Chapter 13 4

5 Failures we have seen using stream ciphers/ modes Re-use of Initialization Vector (IV) continued C1 = C2 = C1+C2 = = = = = = = = = = = = = P1+P2 = P1 = P2 = P1+P2=C1+C2 As we see from the example, the attacker can computer C1+C2 because he observes C1 and C2, but that means he knows also P1+P2. Known Plaintext (e.g. P1) attacker can compute other plaintext Statistical properties of plaintext can be used if plaintext is not random-looking. That means if entropy of P1+P2 is low. Network Security, WS 2012/13, Chapter 13 5

6 Failures we have seen using stream ciphers/ modes No integrity check or weak integrity check, e.g. CRC in WEP To simplify example, we use the last bit as parity bit to check integrity. IV k P = xor s 0 C = = C = P = Attacker can target individual bits, plaintext and checksum are linear in ciphertext. Thus, checksum can be overcome and targeted edits in a text could be done (e.g. change price information) s 1 ok Network Security, WS 2012/13, Chapter 13 6

7 Block cipher Modes The attacks from the previous slides would not have worked that way against a block cipher mode like CBC. The re-use of an IV can give hints about identical first blocks, but plaintext cannot be calculated from it. The plaintext is not linear in the ciphertext. Thus, such trivial attacks won t work. Weak checksums cannot be attacked directly, since single individual bits cannot be controlled by an attacker modifying the cipher text, again due to the fact that the plaintext is sent through the encrpytion algorithm. However, the attacks resulted from severe usage errors and not from proper use. Moreover, integrity is not the goal of encryption and, thus, the weak checksum algorithm should be blamed. Block cipher modes can also fail when used badly. Network Security, WS 2012/13, Chapter 13 7

8 MAC-then-Enc/Enc-then-MAC design guidelines? MAC-then-Enc/Enc-then-MAC what do design guidelines / principle of say? Network Security, WS 2012/13, Chapter 13 8

9 Kerckhoff s Principle (a good guideline) Kerckhoff s Principle (short version): A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Now, is this a true fact? No, it is a guideline for good design, but not a universal truth. The assumption is that you gain more from making the system design public and publicly scrutinized than from hiding a system design where flaws at first may be unknown to attackers, but overlooked by designers. Kerckhoff s principle is widely accepted in cryptography. Does all security technology follow this principle? Well, it is about cryptography. But philosophically, does a. obey it? Firewall? NAT? IDS? Some technologies are more an arms race between defender and attacker. Network Security, WS 2012/13, Chapter 13 9

10 Horton Principle (is it a good guideline?) Horton principle: Authenticate what you mean, not what you say Typical conclusion: this means that the plaintext should be authenticated and not the ciphertext. So, in our secure channel, we should do MAC-then-Encrypt Because then the MAC protects the plaintext Now, state-of-art in cryptography suggests that Encrypt-then-MAC is better. Security proofs for Encrypt-then-MAC can be shown in more security models (~ succeed against a slightly stronger attacker) Attacks (later) So, this guideline misleads us when we talk about the secure channel for data transmission. Network Security, WS 2012/13, Chapter 13 10

11 Horton Principle (philosophic) Horton principle: Authenticate what you mean, not what you say But what is the meaning of a data transport channel? Isn t it naive to think of the plaintext as what you mean? When we say the meaning is the data unit of the higher layer protocol, then it is the plaintext. When we say the meaning is the transport of bits, then we might also be able to think of the ciphertext as the meaning. Logically it is not forbidden by the sentence that meaning and saying is the same. Whatever you might think about the philosophic question above, the main message is that the mechanisms of one layer are not about meanings of other layers. Transport Layer has no semantics for application-specific data. Network Security, WS 2012/13, Chapter 13 11

12 Prerequisites for attacking CBC and MAC-then-Enc Prerequisites for attacking CBC and MAC-then-Enc Network Security, WS 2012/13, Chapter 13 12

13 Guessing a secret (revisited) Passwords N: size of alphabet (number of different characters) L: length of password in characters Complexity of guessing a randomly-generated password / secret The assumption is, we generate a password and then we test it. O(N^L) Complexity of guessing a randomly-generated password character by character The assumption is that we can check each character individually for correctness. For each character it is N/2 (avg) and N (worst case) So, overall L*N/2 (avg) In the subsequent slides we will show an attack that reduces the decryption of a blockcipher in CBC mode to byte-wise decryption (under special assumptions). Network Security, WS 2012/13, Chapter 13 13

14 MAC-then-Encrypt Issues P MAC Ciphertext Operation P and MAC are encrypted and hidden in the ciphertext. Receiver Decrypts P Decrypts MAC Computes and checks MAC MAC error or success Consequence MAC does not protect the ciphertext. Integrity check can only be done once everything is decrypted. As a consequence, receiver will detect malicious messages at the end of the secure channel processing and not earlier. But is that more than a performance issue? Well, yes. Network Security, WS 2012/13, Chapter 13 14

15 MAC-then-Encode-then-Encrypt If we use a block cipher, we have to ensure that the message encoding fits to the blocksize of the cipher. Encode-then-MAC-then-Encrypt: Format P so that with the MAC added the encryption sees the right size. Needs that we know the size of the MAC and blocksize of cipher when generating P Padding. MAC-then-Encode-then-Encrypt Used in TLS/SSL Here, we add the MAC first and then pad the P MAC to the correct size. How do we know what is padding and what not? Padding in TLS/SSL: If size of padding is 1 byte, the padding is 1. If size of padding is 2 bytes, the padding is 2 2. If size of padding is 3 bytes, the padding is P P Pad Ciphertext MAC Ciphertext MAC Pad Network Security, WS 2012/13, Chapter 13 15

16 Padding Oracle Attack against CBC and MAC-then- Enc Padding Oracle Attack against CBC mode and MACthen-Enc Network Security, WS 2012/13, Chapter 13 16

17 Concept of Padding Oracle Attack (against CBC) Attacker sees unknown ciphertext C = that was sent from Alice to Bob P MAC Ciphertext Pad To decrypt the ciphertext, the attacker modifies C and sends it to Bob. P MAC Ciphertext Pad It is unlikely that the MAC and padding are correct. So, Bob will send an error back to Alice (and the attacker). In earlier versions of TLS, Bob sent back different error messages for padding errors and for MAC errors. Network Security, WS 2012/13, Chapter 13 17

18 Padding Oracle Attack CBC mode decryption (revisited) Encryption and Decryption in CBC mode CBC Time = 1 Time = 2... Time = n P 1 P 2 P n IV + + C n-1 + Encrypt K Encrypt K Encrypt... K Encrypt C 1 C 2 C n C 1 C 2 C n Decrypt K Decrypt K Decrypt... K Decrypt IV + + C n-1 + P 1 P 2 P n Network Security, WS 2012/13, Chapter 13 18

19 Padding Oracle Attack against CBC We have n blocks and N bytes per block. The attacker first wants to decrypt the last block C n. In order to do so, he starts with the last byte C n-1,n of the block C n-1. If he changes this byte (blue bytes are changed bytes) C n-1 C n-1,n C n K Decrypt K Decrypt + + P n,n P n-1 the MAC will most likely be invalid (chance 1 in 2^m for MAC length m) the padding will be invalid unless C n-1,n xor P n,n = 1 (chance 1 in 256) After testing the 256 values for C n-1,n all of them produced padding errors except for one that matches C n-1,n xor P n,n = 1. We know P n,n. P n Network Security, WS 2012/13, Chapter 13 19

20 Padding Oracle Attack against CBC (2) Now, the byte P n,n-1. For that we produce a padding of length 2. Since we know P n,n we can calculate C n-1,n so that C n-1,n xor P n,n = 2 Now, we have to find the C n-1,n-1 that satisfies C n-1,n-1 xor P n,n-1 = 2 C n-1 C n-1,n C n K Decrypt K Decrypt + + P n,n P n-1 P n With the same argument as before, we need to try up to 256 values, all values except for the correct one will generate a padding error. The correct one will produce a MAC errror. We know P n,n-1. Network Security, WS 2012/13, Chapter 13 20

21 Padding Oracle Attack against CBC (3) To completely decrypt C n we have to repeat the procedure until all bytes of the block are decrypted. In the figure with 8 bytes per block, the last padding we generate is To decrypt C n-1 we can cut off C n and repeat the same procedure with C n-1 as last block. For decrypting C 1 we can use the IV as ciphertext for the attack modifications. C n-2 C n-2,n C n-1 IV IV n C 1 K Decrypt K Decrypt K Decrypt + + P n-1,n + P 1,N P n-2 P n-1 P 1 Network Security, WS 2012/13, Chapter 13 21

22 Padding Oracle Attack against CBC (4) We have seen a severe known-ciphertext attack against block ciphers in CBC mode. Complexity is in the order of the length of message. Due to that attack, TLS/SSL stopped to differentiate between these two kinds of errors. However, timing can still be an issue in case of local attackers as the padding error occurs a bit earlier (order of 1 ms earlier according to literature). Limitations: Alice and Bob might also start a rekeying due to these attack messages and then the oracle attack would not be possible as the key changed. The attack would not have been possible with (Encode-then-)Encyptthen-MAC as the MAC is checked first. Protecting the ciphertext stops known-ciphertext attacks, which protecting the plaintext does not. Network Security, WS 2012/13, Chapter 13 22

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Modes of operation Stream

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

### Chapter 6 CDMA/802.11i

Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,

### TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastr, David Wagner Presented By: Tristan Brown Outline Motivation Cryptography Overview TinySec Design Implementation

### Using a block cipher in practice

Using a block cipher in practice -- lectronic Codebook (CB) mode -- Cipher Block Chaining (CBC) mode -- Cipher Feedback (CFB) mode -- Output Feedback (OFB) mode -- Counter (CTR) mode -- attacks on CBC

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### 802.11 Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi Giulio.Rossetti@gmail.com

802.11 Security (WEP, WPA\WPA2) 19/05/2009 Giulio Rossetti Unipi Giulio.Rossetti@gmail.com 802.11 Security Standard: WEP Wired Equivalent Privacy The packets are encrypted, before sent, with a Secret Key

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Chapter 10 Security of Wireless LAN

Chapter 10 Security of Wireless LAN WEP WPA WPA2 [NetSec], WS 2008/2009 10.1 WLAN Authentication and Encryption WEP (Wired Equivalent Privacy) First Generation One way shared key authentication RC4 encryption

### Client Server Registration Protocol

Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Stronger Password-Based Encryption Using All-or-Nothing Transforms

Stronger Password-Based Encryption Using All-or-Nothing Transforms Greg Zaverucha Microsoft August 5, 2015 1 Introduction When encrypting data with a low-entropy key, the primary threat to consider is

### 12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

### APNIC elearning: Cryptography Basics. Contact: esec02_v1.0

APNIC elearning: Cryptography Basics Contact: training@apnic.net esec02_v1.0 Overview Cryptography Cryptographic Algorithms Encryption Symmetric-Key Algorithm Block and Stream Cipher Asymmetric Key Algorithm

### Homework 7. Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj.

Problems: 1 to 11. Homework 7 Question: 1 Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj. This is an easy problem. > uasi

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

Network Security Chapter 15 Security of Wireless Local Area Networks Network Security WS 2002: 15 Wireless LAN Security 1 IEEE 802.11 IEEE 802.11 standardizes medium access control MAC and physical characteristics

### Fundamentals of Computer Security

Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A Message From Our Sponsors Fundamentals System/Network Security, crypto How do things work Why How to design secure

### Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security Objectives Overview of IEEE 802.11 wireless security Define vulnerabilities of Open System Authentication,

### Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions

### Three attacks in SSL protocol and their solutions

Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer

### Chapter 17. Transport-Level Security

Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

### Applied Cryptology. Ed Crowley

Applied Cryptology Ed Crowley 1 Basics Topics Basic Services and Operations Symmetric Cryptography Encryption and Symmetric Algorithms Asymmetric Cryptography Authentication, Nonrepudiation, and Asymmetric

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### IPsec Details 1 / 43. IPsec Details

Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS

### 2.3: Hash Functions Message Digest (MD) MD2, MD4, MD5. Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks

Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer 2.3: Hash Functions Message Digest

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### WLAN security. Contents

Contents WEP (Wired Equivalent Privacy) No key management Authentication methods Encryption and integrity checking WPA (WiFi Protected Access) IEEE 802.1X authentication framework Practical example using

### cryptography s642 computer security adam everspaugh

cryptography s642 adam everspaugh ace@cs.wisc.edu computer security today Cryptography intro Crypto primitives / Symmetric and asymmetric crypto / MACs / Digital signatures / Key exchange Provable security

### Stream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

### Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

### 9/17/2015. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics IT443 Network Security Administration Instructor: Bo Sheng Outline Basic concepts in cryptography system Secret cryptography Public cryptography Hash functions 1 2 Encryption/Decryption

### Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

### Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

### Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 4: Basic Crypto, Stream Ciphers

Security and Cryptography 1 Stefan Köpsell, Thorsten Strufe Module 4: Basic Crypto, Stream Ciphers Disclaimer: Günter Schäfer, Mark Manulis, large parts from Dan Boneh Dresden, WS 16/17 Reprise from the

Kerberos Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Secure Applications Network Authentication Service: Kerberos

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Lecture 9: Application of Cryptography

Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

### Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

### Introduction to Symmetric and Asymmetric Cryptography

Introduction to Symmetric and Asymmetric Cryptography Ali E. Abdallah Birmingham CityUniversity Email: Ali.Abdallah@bcu.ac.uk Lectures are part of the project: ConSoLiDatE Multi-disciplinary Cooperation

### Wireless LAN Security

Wireless LAN Security WEP: Overview WEP = Wired Equivalency Protocol RC4 stream cipher Purposes: Authentication Packet Encryption Uses single key to authenticate all network users and encrypt all packets

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Wireless security (WEP) EJ Jung

Wireless security (WEP) EJ Jung 802.11b Overview Standard for wireless networks Approved by IEEE in 1999 Two modes: infrastructure and ad hoc IBSS (ad hoc) mode Independent Basic Service Set BSS (infrastructure)

### Today ENCRYPTION. Cryptography example. Basic principles of cryptography

Today ENCRYPTION The last class described a number of problems in ensuring your security and privacy when using a computer on-line. This lecture discusses one of the main technological solutions. The use

### Cryptography Overview

Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

### Cryptography and Cryptanalysis

Cryptography and Cryptanalysis Feryâl Alayont University of Arizona December 9, 2003 1 Cryptography: derived from the Greek words kryptos, meaning hidden, and graphos, meaning writing. Cryptography is

### ... Assignment 3 - Cryptography. Information & Communication Security (SS 2016) M.Sc. Welderufael B. Tesfay

Assignment 3 - Cryptography Information & Communication Security (SS 2016) M.Sc. Welderufael B. Tesfay Deutsche Telekom Chair of Mobile Business & Multilateral Security Goethe-University Frankfurt a. M.

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### 4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Secure Applications Network Authentication Service: Kerberos 4.2:

### CS 161 Computer Security

Song Spring 2015 CS 161 Computer Security Discussion 11 April 7 & April 8, 2015 Question 1 RSA (10 min) (a) Describe how to find a pair of public key and private key for RSA encryption system. Find two

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

WLAN Security WEP Overview 1/2 WEP, Wired Equivalent Privacy Introduced in 1999 to provide confidentiality, authentication and integrity Includes weak authentication Shared key Open key (the client will

### Security usually depends on the secrecy of the key, not the secrecy of the algorithm (i.e., the open design model!)

1 A cryptosystem has (at least) five ingredients: 1. 2. 3. 4. 5. Plaintext Secret Key Ciphertext Encryption algorithm Decryption algorithm Security usually depends on the secrecy of the key, not the secrecy

### CS Asymmetric-key Encryption. Prof. Clarkson Spring 2016

CS 5430 Asymmetric-key Encryption Prof. Clarkson Spring 2016 Review: block ciphers Encryption schemes: Enc(m; k): encrypt message m under key k Dec(c; k): decrypt ciphertext c with key k Gen(len): generate

### Savitribai Phule Pune University

Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Wireless security (WEP) 802.11b Overview

Wireless security (WEP) 9/01/10 EJ Jung 802.11b Overview! Standard for wireless networks Approved by IEEE in 1999! Two modes: infrastructure and ad hoc IBSS (ad hoc) mode Independent Basic Service Set

### Network security and all ilabs

Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

Network Security Security Crytographic algorithms Security Services Secret key (DES) Public key (RSA) Message digest (MD5) privacy authenticity Message integrity Secret Key Encryption Plain text Plain

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Chapter 10. Network Security

Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### Authentication. Readings. Chapters 9, 10 Sections

Authentication Readings Chapters 9, 10 Sections 11.1-11.3 1 Authentication: Who and How User (human) can be authenticated logging into a workstation using resources of a system issues: humans find it difficult

### Security in IEEE 802.11 WLANs

Security in IEEE 802.11 WLANs 1 IEEE 802.11 Architecture Extended Service Set (ESS) Distribution System LAN Segment AP 3 AP 1 AP 2 MS MS Basic Service Set (BSS) Courtesy: Prashant Krishnamurthy, Univ Pittsburgh

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Cyber Security Workshop Encryption Reference Manual

Cyber Security Workshop Encryption Reference Manual May 2015 Basic Concepts in Encoding and Encryption Binary Encoding Examples Encryption Cipher Examples 1 P a g e Encoding Concepts Binary Encoding Basics

### Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

### Data Encryption Standard (DES)

Data Encryption Standard (DES) DES Background The DES algorithm based on LUCIFER, designed by Horst Feistel, was developed at IBM in 1972. This algorithm was approved by the National Bureau of Standards

### Wireless Networks. Welcome to Wireless

Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetric-key

### L2: Hashing, Cryptographic Hashes, and Password Hashing

L2: Hashing, Cryptographic Hashes, and Password Hashing Sudhir Aggarwal and Shiva Houshmand Florida State University Department of Computer Science E-Crime Investigative Technologies Lab Tallahassee, Florida

### Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Identifying and Exploiting Padding Oracles Brian Holyfield Gotham Digital Science Session ID: ASEC-403 Session Classification: Intermediate What is a Padding Oracle? We re a SQL Server Shop, we don t use

### Shift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Brute-force attack can easily break Substitution Cipher Frequency analysis

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS...

Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... Serge Vaudenay Swiss Federal Institute of Technology (EPFL) Serge.Vaudenay@epfl.ch Abstract. In many standards, e.g. SSL/TLS, IPSEC,

### IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/

Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP

### Computer and Network Security

Computer and Network Security c Copyright 2000 R. E. Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@cise.ufl.edu Hashes (Pfleeger Ch. 3,