Network security and all ilabs

Size: px

Start display at page:

Download "Network security and all ilabs"

Julianna James
7 years ago
Views:

1 Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Cryptography 16ws 1 / 34

2 Outline Cryptography Symmetric setting 2 / 34

3 Outline Cryptography Symmetric setting 3 / 34

4 Scope Focus on: modern cryptography methods used in communications security Based on: Introduction to modern cryptography, Katz and Lindell, 2 nd edition, / 34

5 Communication by Melissa Elliott 5 / 34

6 What we are concerned with Alice Let s meet up at 9! Bob 6 / 34

7 What we are concerned with Alice Let s meet up at 9! Bob BfV Roens/Wikipedia. CC-by-sa / 34

8 What we are concerned with Alice Let s meet up at 9! Bob Eve passive attack: eavesdropping We want to provide confidentiality! 6 / 34

9 What we are concerned with This will not be on the exam! Alice Mallory Bob active attack: message modification or forgery We want to provide message authentication! 6 / 34

10 Limitations cryptography is typically bypassed, not broken not applied correctly not implemented correctly subverted No protection of information about the communication. existence time extent partners 7 / 34

11 Kerckhoffs principle Security should only depend on secrecy of the key, not the secrecy of the system. key easier to keep secret change compatibility No security by obscurity. scrutiny standards reverse engineering 8 / 34

12 Another principle as a side note The system should be usable easily. Kerckhoffs actually postulated 6 principles this one got somewhat forgotten considered uncontroversial by Kerckhoffs starting to be rediscovered in design of secure applications and libraries Example Signal, NaCl 9 / 34

13 What should secure encryption guarantee? It should be impossible for the attacker to 10 / 34

14 What should secure encryption guarantee? It should be impossible for the attacker to recover the key. recover the entire plaintext from the ciphertext. recover any character of the plaintext from the ciphertext. 10 / 34

15 What should secure encryption guarantee? It should be impossible for the attacker to recover the key. recover the entire plaintext from the ciphertext. recover any character of the plaintext from the ciphertext. Regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext. 10 / 34

16 Modern cryptography relies on formal definitions precisely defined assumptions mathematical proofs Reductionist security arguments, the proofs, require to formulate assumptions explicitly. 11 / 34

17 A definition of security A scheme is secure, if any probabilistic polynomial time adversary succeeds in breaking the scheme with at most negligible probability. Negligible For every polynomial p and for all sufficiently large values of n: e.g., f (n) = 1 2 n f (n) < 1 p(n) Church-Turing Hypothesis We believe polynomial time models all computers. 12 / 34

18 Our goals symmetric (secret-key) confidentiality authenticity (as in: message integrity) asymmetric (public-key) confidentiality authenticity key exchange Something providing confidentiality generally makes no statement whatsoever about authenticity. 13 / 34

19 Motivation What does a perfectly encrypted message look like? 14 / 34

20 Uniform distribution P : U [0, 1] P(x) = 1 x U x U : P(x) = 1 U 15 / 34

21 Randomness required to do any cryptography at all somewhat difficult to get in a computer (deterministic!) required to be cryptographically secure: indistiguishable from truly random not provided in programming languages Example used to generate keys or other information unkown to any other parties 16 / 34

22 Collecting unpredictable bits physical phenomena time between emission of particles during radioactive decay thermal noise from a semiconductor diode or resistor software-based elapsed time between keystrokes or mouse movement packet interarrival times attacker must not be able to guess/influence the collected values 1. collect pool of high-entropy data 2. process into sequence of nearly independent and unbiased bits 17 / 34

23 Pseudo-random generator G : {0, 1} s {0, 1} n, n s 18 / 34

24 Outline Cryptography Symmetric setting 19 / 34

25 Symmetric encryption scheme 1. k Gen(1 n ), security parameter 1 n 2. c Enc k (m), m {0, 1} 3. m := Dec k (c) provide confidentiality definition of security: chosen-plaintext attack (CPA) Cryptography uses theoretical attack games to analyze and formalize security. C: challenger, means non-deterministic, A: adversary := means deterministic 20 / 34

26 The eavesdropping experiment C A k Gen(1 n ) input 1 n

27 The eavesdropping experiment C A k Gen(1 n ) b {0, 1} c Enc k (m b ) m 0, m 1 c input 1 n output b A succeeds, iff b = b 21 / 34

28 Discussion of the eavesdropping experiment m 0 = m 1 probabilistic polynomial time algorithms success probability should be negligible if so, Enc has indistinguishable encryptions in the presence of an eavesdropper 22 / 34

29 Pseudorandom permutation F : {0, 1} {0, 1} {0, 1} F k (x) and Fk 1 (y) efficiently computable F k be indistinguishable from uniform permutation adversary may have access to F 1 We can assume that all inputs and the output have the same length. 23 / 34

30 A block cipher Example fixed key length and block length chop m into 128 bit blocks m k AES 128 bit c Does this function survive the eavesdropping experiment? 24 / 34

31 Chosen-plaintext attack C A k Gen(1 n ) input 1 n 25 / 34

32 Chosen-plaintext attack C A k Gen(1 n ) input 1 n m c Enc k (m) c.. 25 / 34

33 Chosen-plaintext attack C A k Gen(1 n ) input 1 n m c Enc k (m) c.. m 0, m 1 b {0, 1} Enc k (m b ) 25 / 34

34 Chosen-plaintext attack C A C (cont d) A k Gen(1 n ) input 1 n m c Enc k (m) m c Enc k (m) c c.... output bit b m 0, m 1 b {0, 1} Enc k (m b ) 25 / 34

35 Chosen-plaintext attack C A C (cont d) A k Gen(1 n ) input 1 n m c Enc k (m) m c Enc k (m) c c.... output bit b m 0, m 1 b {0, 1} Enc k (m b ) 25 / 34

36 Discussion of CPA Enc is secure under chosen-plaintext attack again, messages must have same length multiple-use key non-deterministic (e. g. random initialization vector) or state block cipher requires operation mode, e. g.: counter (CTR), output-feedback (OFB), / 34

37 Example constructions: counter mode Example randomised AES counter mode (AES-CTR$) choose nonce r {0, 1} 128, key k {0, 1} 128 great if you have dedicated circuits for AES, else vulnerable to timing attacks r AES k r + 1 AES k m 0 m 1 c 0 c 1 complete ciphertext c := (r, c 0, c 1, ) 27 / 34

38 Example constructions: stream ciphers Example A modern stream cipher, fast in software: 96 bit nonce 32 bit initial counter 128 bit key ChaCha plaintext keystream ciphertext 28 / 34

39 Message authentication code (MAC) 1. k Gen(1 n ), security parameter 1 n 2. t Mac k (m), m {0, 1} 3. b := Vrfy k (m, t) b = 1 means valid, b = 0 invalid transmit m, t tag t is a short authenticator message authenticity integrity detect tampering no protection against replay existentially unforgeable security definition: adaptive chosen-message attack 29 / 34

40 Adaptive chosen-message attack C A k Gen(1 n ) t Mac k (m) m m, t input 1 n.. output m, t let Q be the set of all queries m A succeeds, iff Vrfy k (m, t ) = 1 and m / Q 30 / 34

41 Used in practice Example HMAC based on hash functions CMAC based on cipher block chaining mode (CBC) authenticated encryption modes 31 / 34

42 Example: side-channel attack How does tag verification work and how to implement tag comparison correctly? 32 / 34

43 Recap: secret-key cryptography attacker power: probabilistic polynomial time confidentiality defined as IND-CPA: encryption, e. g. AES-CTR$ message authentication defined as existentially unforgeable under adaptive chosen-message attack: message authentication codes, e. g. HMAC-SHA2 authenticated encryption modes 33 / 34

44 Combining confidentiality and authentication encrypt-then-authenticate is generally secure: c Enc k1 (m), t Mac k2 (c) transmit: c, t authenticated encryption is also a good choice: e. g. offset codebook (OCB), Galois counter mode (GCM) c, t AEAD enc k (ad, m) m := AEAD dec k (ad, c, t) or verification failure 34 / 34

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and