# Network Security. Modes of Operation. Steven M. Bellovin February 3,

Save this PDF as:

Size: px
Start display at page:

Download "Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1"

## Transcription

1 Modes of Operation Steven M. Bellovin February 3,

2 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You don t go through strong cryptography, you go around it Steven M. Bellovin February 3,

3 Modes of Operation Direct use of a block cipher is inadvisable Enemy can build up code book of plaintext/ciphertext equivalents Beyond that, direct use only works on messages that are a multiple of the cipher block size in length Solution: five standard Modes of Operation: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Steven M. Bellovin February 3,

4 Electronic Code Book Direct use of the block cipher Used primarily to transmit encrypted keys Very weak if used for general-purpose encryption; never use it for a file or a message. Attacker can build up codebook; no semantic security We write {P } k C to denote encryption of plaintext P with key k to produce ciphertext C Steven M. Bellovin February 3,

5 Cipher Block Chaining Network Security P 1 P 2 P 3 IV Encrypt Encrypt Encrypt C 1 C 2 C 3 {P i C i 1 } k C i {C i } k 1 C i 1 P i Steven M. Bellovin February 3,

6 Properties of CBC The ciphertext of each encrypted block depends on the IV and the plaintext of all preceeding blocks. There is a dummy initial ciphertext block C 0 known as the Initialization Vector (IV); the receiver must know this value. Consider a 4-block message: C 1 = {P 1 IV } k C 2 = {P 2 C 1 } k C 3 = {P 3 C 2 } k C 4 = {P 4 C 3 } k If C 2 is damaged during transmission, what happens to the plaintext? Steven M. Bellovin February 3,

7 Error Propagation in CBC Mode Network Security Look at the decryption process, where C is a corrupted version of C: P 1 = {C 1 } k 1 IV P 2 = {C 2 } k 1 C 1 P 3 = {C 3 } k 1 C 2 P 4 = {C 4 } k 1 C 3 P 1 depends only on C 1 and IV, and is unaffected P 2 depends on C 2 and C 1, and hence is corrupted P 3 depends on C 3 and C 2, and is also corrupted. The enemy can control the change to P 3. P 4 depends on C 4 and C 3, and not C 2 ; it thus isn t affected. Conclusion: Two blocks change, one of them predicatably Steven M. Bellovin February 3,

8 Cutting and Pasting CBC Messages Network Security Consider the encrypted message IV, C 1, C 2, C 3, C 4, C 5 The shortened message IV, C 1, C 2, C 3, C 4 appears valid The truncated message C 2, C 3, C 4, C 5 is valid: C 2 acts as the IV. Even C 2, C 3, C 4 is valid, and will decrypt properly. Any subset of a CBC message will decrypt cleanly. If we snip out blocks, leaving IV, C 1, C 4, C 5, we only corrupte one block of plaintext. Conclusion: if you want message integrity, you have to do it yourself. Steven M. Bellovin February 3,

9 The IV The IV provides semantic security: identical messages have different ciphertexts Common message start is also hidden The IV must be unpredictable by the enemy Good strategy: have a random key lying around; encrypt a counter to produce the IV Note: since the IV is transmitted unencrypted, the other side need not know this key Steven M. Bellovin February 3,

10 CBC Padding CBC mode requires the input to be a multiple of the cipher s block size. Must (somehow) handle other lengths Usual strategy: (securely) transmit explicit input length Option: Cipher-Text Steaing (see RFC 2040). Does not increase message size Steven M. Bellovin February 3,

11 CBC MAC Recall that for CBC encryption, the last block of ciphertext depends on all of the plaintext Do a second encryption (using a different key), but only send the last block If you use the same key, a CBC cut-and-paste attack will work Query: what IV should you use? (It doesn t matter; a constant IV will suffice.) Warning: if message sizes can vary, prepend the length NIST standard CMAC uses slightly more complex scheme that avoids needing to know the length in advance Steven M. Bellovin February 3,

12 n-bit Cipher Feedback Network Security IV b n bits n bits b n bits n bits of prev of data of prev of data Encrypt Encrypt P 1 n bits P 2 n bits C 1 C 2 P i {C i 1 } k C i {C i 1 } k C i P i Steven M. Bellovin February 3,

13 Properties of Cipher Feedback Mode Network Security Underlying block cipher used only in encryption mode Feedback path actually incorporates a shift register: shift old cipher input left by n bits; insert first n bits of previous ciphertext output 8-bit CFB is good for asynchronous terminal traffic but requires one encryption for each byte of plaintext Errors propagate while bad data is in the shift register 17 bytes for CFB 8 when using AES. Copes gracefully with deletion of n-bit unit Interesting uses: CFB 1, CFB 8, CFB 1 28 IV selected the same way as in CBC mode Steven M. Bellovin February 3,

14 n-bit Output Feedback Network Security IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin February 3,

15 Properties of Output Feedback Mode No error propagation Active attacker can make controlled changes to plaintext OFB is a form of stream cipher Steven M. Bellovin February 3,

16 Counter Mode Network Security T T + 1 T + 2 Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin February 3,

17 Properties of Counter Mode Another form of stream cipher Frequently split the counter into two sections: message number and block number within the message Active attacker can make controlled changes to plaintext Highly parallelizable; no linkage between stages Vital that counter never repeat for any given key Steven M. Bellovin February 3,

18 Which Mode for What Task? General file or packet encryption: CBC. Input must be padded to multiple of cipher block size Risk of byte or bit deletion: CFB 8 or CFB 1 Bit stream; noisy line and error propagation is undesirable: OFB Very high-speed data: CTR In most situations, an integrity check is needed Steven M. Bellovin February 3,

19 Integrity Checks Network Security Actually, integrity checks are almost always needed Frequently, attacks on integrity can be used to attack confidentiality Usual solution: use separate integrity check along with encryption Simple solutions don t work Choices: HMAC, CBC MAC, CMAC, combined modes of operation, lesser-known schemes One bad idea: append a cryptographic hash to some plaintext, and encrypt the whole thing with, say, CBC mode {P H(P)} K This can fall victim to a chosen plaintext attack Steven M. Bellovin February 3,

20 Chosen Plaintext Attack The enemy picks some plaintext P and tricks you into encrypting it This has happened in the real world! You transmit {prefix P suffix H(prefix P suffix)} K But P is of the form prefix P suffix H(prefix P suffix) An ordinary CBC subset will have the checksum! Steven M. Bellovin February 3,

21 CCM Mode Inputs: nonce N, additional data A (e.g., network packet headers), plaintext P Authenticates A and P ; encrypts P Calculate T CBC-MAC K (N A P) Ciphertext is CTR K (P); MAC is CTR K (T) Note: the first counter value is used to encrypt T Note: N acts as an IV; it must be non-repeating but need not be secret or unpredictable Steven M. Bellovin February 3,

22 Stream Ciphers Key stream generator produces a sequence S of pseudo-random bytes; key stream bytes are combined (generally via XOR) with plaintext bytes P i S i C i Stream ciphers are very good for asynchronous traffic Best-known stream cipher is RC4; commonly used with SSL Key stream S must never be reused for different plaintexts: C = A K C = B K C C = A K B K = A B Guess at A and see if B makes sense; repeat for subsequent bytes Steven M. Bellovin February 3,

23 RC4 Extremely efficient After key setup, it just produces a key stream No way to resynchronize except by rekeying and starting over Internal state is a 256-byte array plus two integers Note: weaknesses if used in ways other than as a stream cipher. Steven M. Bellovin February 3,

24 The Guts of RC4 for(counter = 0; counter < buffer_len; counter ++) { x = (x + 1) % 256; y = (state[x] + y) % 256; swap_byte(&state[x], &state[y]); xorindex = (state[x] + state[y]) % 256; buffer_ptr[counter] ˆ= state[xorindex]; } Steven M. Bellovin February 3,

25 Order of Encryption and MACing Network Security If we want to encrypt and MAC a message, what order do we do it in? Three choices: {P } K M K (P) {P M K (P)} K {P } K M K ({P } K ) The last is the most secure (provably so) always calculate a MAC on the ciphertext Besides, since MACs are often cheaper than decryption, we can verify the integrity of ciphertext first, and discard the message if bogus Steven M. Bellovin February 3,

26 What to MAC? Obviously, the MAC includes all of the ciphertext Frequently, the MAC should include plaintext metadata Example: suppose you supply a plaintext message length, in plaintext, to go along with CBC encryption of a padded message Example: for network data, may wish to MAC the packet headers Steven M. Bellovin February 3,

27 Key Lifetimes A confidentiality key is useful as long as the data is sensitive; that may be many years A digital signature private key is useful as long as you need to prove authorship think of a digitally-signed, 30-year mortgage A MAC key is useful only while the session is alive; once the session is over, the key is useless Steven M. Bellovin February 3,

28 Birthday Attacks and Block Ciphers Network Security How many blocks can you encrypt with one key before you start getting collisions? The same rule applies: 2 B/2 blocks, where B is the cipher s block size Thus: 2 32 blocks for DES or 3DES; 2 64 blocks for AES bit blocks is 2 35 bytes. That s 34GB smaller than most modern drives It s also 275Gb; on a 1Gb/sec network, it s less than 5 minutes Conclusion: the block size of DES and 3DES is too small for high-speed networks or large disks Steven M. Bellovin February 3,

29 Cipher Strengths A cipher is no stronger than its key length: if there are too few keys, an attacker can enumerate all possible keys DES has 56 bits arguably too few in 1976; far too few today. Strength of cipher depends on how long it needs to resist attack. No good reason to use less than 128 bits NSA rates 128-bit AES as good enough for SECRET traffic; 256-bit AES is good enough for TOP-SECRET traffic. But a cipher can be considerably weaker! (A monoalphabetic cipher over all 256 byte values has a 1684-bit key (log 2 256! 1684), but is trivially solvable.) Steven M. Bellovin February 3,

30 CPU Speed versus Key Size Adding one bit to the key doubles the work factor for brute force attacks The effect on encryption time is often negligible or even free It costs nothing to use a longer RC4 key Going from 128-bit AES to 256-bit AES takes (at most) 40% longer, but increases the attacker s effort by a factor of Using triple DES costs 3 more to encrypt, but increases the attacker s effort by a factor of Moore s Law favors the defender Steven M. Bellovin February 3,

31 Moore s Law and Public Key Cryptography For RSA, doubling the modulus length increases encryption time by 4 and decryption time by 8 Attack time against RSA is based on factoring algorithms, not brute force: there are far too many possible primes for brute force to be ever be possible For number field sieve, complexity is approximately proportional to.02e ln n (lnln n) 2 Sub-linear, but space complexity goes up much faster There is a paper design for a \$10M machine (TWIRL) to factor a single 1024-bit number in one year Steven M. Bellovin February 3,

32 Rough Table of Key Length Equivalences Symmetric Key Size (bits) RSA or DH Modulus Size (bits) Add 11 bits to the public key size if TWIRL can be built (Numbers by Orman and Hoffman, RFC 3766) Steven M. Bellovin February 3,

33 Public versus Symmetric Key Sizes Network Security RSA modulus size Symmetric cipher key size Steven M. Bellovin February 3,

34 Current Key Length Recommendations For most purposes, 128-bit symmetric keys are sufficient For data that must be protected for many years, use 192 bits or 256 bits 1024-bit public keys are marginal; new keys should probably be 1536 bits or longer Keys for certificate authorities should be at leat 2048 bits and perhaps 3072 bits As always, consider your adversary s powers Attacks always get better; they never get worse Steven M. Bellovin February 3,

35 Cipher Design is Hard Never design your own cipher Never trust a product that uses a custom cipher design Design of ciphers is a difficult, arcane speciality. It takes years of scrutiny by experts to validate a design Most of the submissions to the AES competition were cryptanalyzed within a year or two Steven M. Bellovin February 3,

36 Hash Function Design is Hard Hash functions are harder to design Even NSA can get it wrong: SHA-0 was replaced after two years by SHA-1, but they differ only in a single circular shift SHA-0 has been cracked; SHA-1 is (as stated) weak, but no collisions have been found yet Steven M. Bellovin February 3,

37 Modes of Operation are Hard There have been many published and implemented modes that have been broken Obviously stronger modes may not be (a variant on DES CBC MAC that should have had 112 bit strength had 57-bit strength) Some variations are better, but most are not Steven M. Bellovin February 3,

38 A Note on Random Numbers Random numbers are very important in cryptography. They need to be as random as possible an attacker who can guess these numbers can break the cryptosystem. (This is a a common attack!) To the extent possible, use true-random numbers, not pseudo-random numbers but watch out for low-assurance generators Where do true-random numbers come from? Physical processes are best radioactive decay, thermal noise in amplifiers, oscillator jitter, etc. Often, a true-random number is used to seed a cipher modern cryptographic functions are very good pseudo-random numbers. Steven M. Bellovin February 3,

### Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

### 12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

### IPsec Details 1 / 43. IPsec Details

Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS

### GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Cryptography: Motivation Many areas have sensitive information, e.g. Data Structures and Algorithms Cryptography Goodrich & Tamassia Sections 3.1.3 & 3.1.4 Introduction Simple Methods Asymmetric methods:

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### Chapter 8. Network Security

Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

### Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information

### 802.11 Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi Giulio.Rossetti@gmail.com

802.11 Security (WEP, WPA\WPA2) 19/05/2009 Giulio Rossetti Unipi Giulio.Rossetti@gmail.com 802.11 Security Standard: WEP Wired Equivalent Privacy The packets are encrypted, before sent, with a Secret Key

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

### CRYPTOGRAPHY IN NETWORK SECURITY

ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

### Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography

### SPINS: Security Protocols for Sensor Networks

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, J.D. Tygar, Victor Wen, and David Culler Department of Electrical Engineering & Computer Sciences, University of California

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

### Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor http://islab.oregonstate.edu/koc koc@ece.orst.

Cryptographic Algorithms and Key Size Issues Çetin Kaya Koç Oregon State University, Professor http://islab.oregonstate.edu/koc koc@ece.orst.edu Overview Cryptanalysis Challenge Encryption: DES AES Message

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Recommendation for Applications Using Approved Hash Algorithms

NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

### Message authentication

Message authentication -- Hash based MAC unctions -- MAC unctions based on bloc ciphers -- Authenticated encryption (c) Levente Buttyán (buttyan@crysys.hu) Secret preix method MAC (x) = H( x) insecure!

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/

Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP

### Secure Sockets Layer

SSL/TLS provides endpoint authentication and communications privacy over the Internet using cryptography. For web browsing, email, faxing, other data transmission. In typical use, only the server is authenticated

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### Cryptographic mechanisms

General Secretariat for National Defence Central Directorate for Information Systems Security PRIME MINISTER Paris, 2007 september 14 No. 1904/SGDN/DCSSI/SDS/LCR Cryptographic mechanisms Rules and recommendations

### Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest Quiz 1 1. This quiz is intended to provide a fair measure of your understanding

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Goals v understand principles of network security: cryptography and its many uses beyond

### Client Server Registration Protocol

Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

### Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

### 1 Data Encryption Algorithm

Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

SPC5 Software Cryptography Library Data brief SHA-512 Random engine based on DRBG-AES-128 RSA signature functions with PKCS#1v1.5 ECC (Elliptic Curve Cryptography): Key generation Scalar multiplication

### Password-based encryption in ZIP files

Password-based encryption in ZIP files Dmitri Gabbasov December 15, 2015 Abstract In this report we give an overview of the encryption schemes used in the ZIP file format. We first give an overview of

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Cryptographic Engine

Cryptographic Engine HIGHLIGHTS This section of the manual contains the following major topics: 1.0 Introduction... 2 2.0 Registers... 4 3.0 Theory of Operation... 12 4.0 Module Operation... 27 5.0 Operation

### TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastr, David Wagner Presented By: Tristan Brown Outline Motivation Cryptography Overview TinySec Design Implementation

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### Chapter 6 CDMA/802.11i

Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security Objectives Overview of IEEE 802.11 wireless security Define vulnerabilities of Open System Authentication,

### IronKey Data Encryption Methods

IronKey Data Encryption Methods An IronKey Technical Brief November 2007 Information Depth:Technical Introduction IronKey is dedicated to building the world s most secure fl ash drives. Our dedication

### Lecture 9: Application of Cryptography

Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Three attacks in SSL protocol and their solutions

Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer

### AES Cipher Modes with EFM32

AES Cipher Modes with EFM32 AN0033 - Application Note Introduction This application note describes how to implement several cryptographic cipher modes with the Advanced ion Standard (AES) on the EFM32

### Public Key Cryptography Overview

Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic

### Transport Level Security

Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: 866-865-5250 Email: info@theq3.com Web: www.theq3.

Introduction Within the last ten years, there has been a vast increase in the accumulation and communication of digital computer data in both the private and public sectors. Much of this information has

### Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Introduction to Computer Security

Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### The Data Encryption Standard (DES)

The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

### CS 600.443 Final Exam

CS 600.443 Final Exam Name: This exam is closed book and closed notes. You are required to do this completely on your own without any help from anybody else. Feel free to write on the back of any page

### Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

Chapter 8 Network Security Slides adapted from the book and Tomas Olovsson Roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity Security protocols and measures: Securing

### CSci 530 Midterm Exam. Fall 2012

CSci 530 Midterm Exam Fall 2012 Instructions: Show all work. No electronic devices are allowed. This exam is open book, open notes. You have 100 minutes to complete the exam. Please prepare your answers

### Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

### Network Security - ISA 656 Email Security

Network Security - ISA 656 Angelos Stavrou November 13, 2007 The Usual Questions The Usual Questions Assets What are we trying to protect? Against whom? 2 / 33 Assets The Usual Questions Assets Confidentiality

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### 7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

### CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 1

CSCI-E46: Applied Network Security Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 1 Welcome to CSCI-E46 Classroom & Schedule 53 Church Street L01 Wednesdays,

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### UM0586 User manual. STM32 Cryptographic Library. Introduction

User manual STM32 Cryptographic Library Introduction This manual describes the API of the STM32 cryptographic library (STM32-CRYP-LIB) that supports the following cryptographic algorithms: AES-128, AES-192,

### Cryptography and Network Security

PART-A Questions 1. Name the aspects to be considered of information security. 2. What is meant by deciphering? 3. What are the two different uses of public key cryptography related to key distribution?

### Network Security: Secret Key Cryptography

1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 c 1999-2000, Henning Schulzrinne Last modified September