MAC. SKE in Practice. Lecture 5

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "MAC. SKE in Practice. Lecture 5"

Transcription

1 MAC. SKE in Practice. Lecture 5

2 Active Adversary

3 Active Adversary An active adversary can inject messages into the channel

4 Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted

5 Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA)

6 Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible

7 Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible What can Bob do?

8 Symmetric-Key Encryption RECALL SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

9 Symmetric-Key Encryption RECALL SIM-CCA Security Invalid ciphertexts are silently ignored Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

10 Symmetric-Key Encryption RECALL SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

11 Symmetric-Key Encryption RECALL Alternately (slightly weaker form): Adv can send its own messages SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

12 Symmetric-Key Encryption RECALL IND-CCA Security Experiment picks b {0,1} and K KeyGen Adv gets (guarded) access to Dec K oracle For as long as Adversary wants Key/Enc Enc(m b,k) IND-CCA + ~correctness equivalent to SIM-CCA Key/Dec Adv sends two messages m 0, m 1 to the experiment Expt returns Enc(m b,k) to the adversary m b m 0,m 1 No challenge ciphertext answered Adversary returns a guess b Experiments outputs 1 iff b =b IND-CCA secure if for all feasible adversaries Pr[b =b] 1/2 b b b {0,1} b =b? Yes/No

13 Symmetric-Key Encryption RECALL IND-CCA Security Experiment picks b {0,1} and K KeyGen Adv gets (guarded) access to Dec K oracle For as long as Adversary wants Key/Enc Weaker Enc(m b,k) IND-CCA + ~correctness equivalent to SIM-CCA Key/Dec Adv sends two messages m 0, m 1 to the experiment Expt returns Enc(m b,k) to the adversary m b m 0,m 1 No challenge ciphertext answered Adversary returns a guess b Experiments outputs 1 iff b =b IND-CCA secure if for all feasible adversaries Pr[b =b] 1/2 b b b {0,1} b =b? Yes/No

14 CCA Security

15 CCA Security How to obtain CCA security?

16 CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice

17 CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob

18 CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob

19 CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication

20 CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication MAC: Message Authentication Code

21 Message Authentication Codes

22 Message Authentication Codes A single short key shared by Alice and Bob

23 Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages

24 Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) MAC K Ver K

25 Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) MAC K Ver K Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1

26 Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1 Security: probability that an adversary can produce (M,s) s.t. Verify K (M,s)=1 is negligible unless Alice produced an output s=mac K (M) MAC K s i = MAC K (M i ) M i (M,s) Ver K Ver K (M,s) Advantage = Pr[ Ver K (M,s)=1 and (M,s) {(M i,s i )} ]

27 CCA Secure SKE

28 CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) )

29 CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction

30 CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up)

31 CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up) SKE in practice can just use Block-Ciphers (coming up)

32 CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up) SKE in practice can just use Block-Ciphers (coming up) In principle, constructions (less efficient) possible based on any One-Way Permutation or even any One-Way Function

33 Making a MAC

34 One-time MAC MAC Ver

35 One-time MAC To sign a single n bit message MAC Ver

36 One-time MAC To sign a single n bit message A simple (but inefficient) scheme MAC Ver

37 One-time MAC To sign a single n bit message A simple (but inefficient) scheme Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC Ver r r r r r r

38 One-time MAC To sign a single n bit message A simple (but inefficient) scheme Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC 010 Ver r r r r r r

39 One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n r r r r r r

40 One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r

41 One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r Doesn t require any computational restrictions on adversary!

42 One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r Doesn t require any computational restrictions on adversary! More efficient one-time MACs exist (later)

43 (Multi-msg) MAC from PRF When Each Message is a Single Block

44 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC!

45 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF

46 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF M F K F K (M)

47 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K F K (M)

48 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M)

49 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?]

50 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?] Advantage in breaking a PRF F: diff in prob a test has of outputting 1, when given F vs. truly random R

51 (Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?] If random function R used as MAC, then probability of forgery, MAC* = 2 -m(k) Advantage in breaking a PRF F: diff in prob a test has of outputting 1, when given F vs. truly random R

52 MAC for Multiple-Block Messages

53 MAC for Multiple-Block Messages What if message is longer than one block?

54 MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption)

55 MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks

56 MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs

57 MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs Can we use a PRF with a fixed block-length (i.e., a block cipher)?

58 MAC for Multiple-Block Messages

59 MAC for Multiple-Block Messages A simple solution: tie the blocks together

60 MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number

61 MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i )

62 MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t )

63 MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging

64 MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging Inefficient! Tag length increases with message length

65 CBC-MAC

66 CBC-MAC PRF domain extension: Chaining the blocks

67 CBC-MAC PRF domain extension: Chaining the blocks m 1 m 2 m t... F K F K F K T

68 CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) m 1 m 2 m t... F K F K F K T

69 CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag m 1 m 2 m t... F K F K F K T

70 CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T

71 CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T If restricted to t-block messages (i.e., same length)

72 CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T If restricted to t-block messages (i.e., same length) Else attacks possible (by extending a previously signed message)

73 Patching CBC-MAC

74 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is):

75 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks

76 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks

77 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible

78 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori.

79 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks.

80 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation. 2005

81 Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation Later: Hash-based HMAC used in TLS and IPSec IETF Standard. 1997

82 SKE in Practice

83 Stream Ciphers

84 Stream Ciphers Used for one-time encryption

85 Stream Ciphers Used for one-time encryption RC4, estream portfolio,...

86 Stream Ciphers Used for one-time encryption RC4, estream portfolio,... In practice, stream ciphers take a key and an IV (for initialization vector) as inputs

87 Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs

88 Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption

89 Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way

90 Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way NIST Standard: For multi-message encryption, use a blockcipher in CTR mode

91 Block Ciphers

92 Block Ciphers DES, 3DES, Blowfish, AES,...

93 Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions

94 Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key

95 Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence

96 Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks

97 Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks As a PRP (or at least, against key recovery)

98 Feistel Network

99 Feistel Network Building a permutation from a (block) function

100 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function

101 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) f 1

102 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) f 1

103 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) f 1

104 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft f 1

105 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft f1 f 2

106 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m f1 f 2

107 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m Luby-Rackoff: A 3-layer Feistel network, in which 3 PRFs with independent seeds are the 3 round functions, is a PRP. A 4-layer Feistel gives a strong PRP f1 f 2

108 Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m Luby-Rackoff: A 3-layer Feistel network, in which 3 PRFs with independent seeds are the 3 round functions, is a PRP. A 4-layer Feistel gives a strong PRP Fewer layers do not suffice! [Exercise] f1 f 2

109 DES Block Cipher

110 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X

111 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps)

112 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc

113 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse

114 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions

115 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short

116 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day)

117 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day) DES-X: extra keys to pad input and output

118 NIST Standard DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day) DES-X: extra keys to pad input and output Triple DES: 3 successive applications of DES (or DES -1 ) with 3 keys

119 AES Block Cipher

120 NIST Standard AES Block Cipher Advanced Encryption Standard (AES)

121 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits)

122 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES)

123 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks

124 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure

125 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 )

126 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks?

127 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks? Some implementations may lead to side-channel attacks (e.g. cache-timing attacks)

128 NIST Standard AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks? Some implementations may lead to side-channel attacks (e.g. cache-timing attacks) No simple hardness assumption known to imply any sort of security for AES

129 By Jeff Moser (

130 Cryptanalysis

131 Cryptanalysis Attacking stream ciphers and block ciphers

132 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery

133 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware

134 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998

135 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks

136 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks Sometimes theoretical : on weakened ( reduced round ) constructions, showing improvement over brute-force attack

137 Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks Sometimes theoretical : on weakened ( reduced round ) constructions, showing improvement over brute-force attack Meet-in-the-middle, linear cryptanalysis, differential cryptanalysis, impossible differential cryptanalysis, boomerang attack, integral cryptanalysis, cube attack,...

138 Authenticated Encryption

139 Authenticated Encryption Doing encryption + authentication better

140 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC

141 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes

142 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently

143 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP

144 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented]

145 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented] Two pass: CCM, GCM, SIV,... [included in NIST standards]

146 Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented] Two pass: CCM, GCM, SIV,... [included in NIST standards] AE with Associated Data: Allows unencrypted (but authenticated) parts of the plaintext, for headers etc.

147 SKE today

148 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers

149 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256

150 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC)

151 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication

152 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use

153 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes

154 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes In many applications (sometimes with modifications)

155 SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes In many applications (sometimes with modifications) e.g. RC4 in BitTorrent, Skype, PDF

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Secret Key Cryptography (I) 1 Introductory Remarks Roadmap Feistel Cipher DES AES Introduction

More information

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

More information

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1 Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

More information

CS155. Cryptography Overview

CS155. Cryptography Overview CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

More information

Message Authentication Codes. Lecture Outline

Message Authentication Codes. Lecture Outline Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages: Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015 CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

Message Authentication Codes

Message Authentication Codes 2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

More information

Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

More information

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Modes of Operation of Block Ciphers

Modes of Operation of Block Ciphers Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

More information

Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3 Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon

More information

CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

More information

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1) Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

More information

Overview of Symmetric Encryption

Overview of Symmetric Encryption CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

More information

Lecture 5 - Cryptography

Lecture 5 - Cryptography CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

Message authentication

Message authentication Message authentication -- Hash based MAC unctions -- MAC unctions based on bloc ciphers -- Authenticated encryption (c) Levente Buttyán (buttyan@crysys.hu) Secret preix method MAC (x) = H( x) insecure!

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Cryptography Overview

Cryptography Overview Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

Cryptography & Network Security

Cryptography & Network Security Cryptography & Network Security Lecture 1: Introduction & Overview 2002. 3. 27 chlim@sejong.ac.kr Common Terms(1) Cryptography: The study of mathematical techniques related to aspects of information security

More information

Chapter 8. Network Security

Chapter 8. Network Security Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

More information

Message Authentication

Message Authentication Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Reconsidering Generic Composition

Reconsidering Generic Composition Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

The Data Encryption Standard (DES)

The Data Encryption Standard (DES) The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128 SPC5 Software Cryptography Library Data brief SHA-512 Random engine based on DRBG-AES-128 RSA signature functions with PKCS#1v1.5 ECC (Elliptic Curve Cryptography): Key generation Scalar multiplication

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Chapter 6 CDMA/802.11i

Chapter 6 CDMA/802.11i Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

More information

Ciphertext verification security of symmetric encryption schemes

Ciphertext verification security of symmetric encryption schemes www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

EXAM questions for the course TTM4135 - Information Security June 2010. Part 1

EXAM questions for the course TTM4135 - Information Security June 2010. Part 1 EXAM questions for the course TTM4135 - Information Security June 2010 Part 1 This part consists of 6 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

Network Security. Omer Rana

Network Security. Omer Rana Network Security Omer Rana CM0255 Material from: Cryptography Components Sender Receiver Plaintext Encryption Ciphertext Decryption Plaintext Encryption algorithm: Plaintext Ciphertext Cipher: encryption

More information

Network Security Technology Network Management

Network Security Technology Network Management COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

More information

Chapter 3. Network Domain Security

Chapter 3. Network Domain Security Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

More information

CryptoVerif Tutorial

CryptoVerif Tutorial CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Lecture 9 - Network Security TDTS41-2006 (ht1)

Lecture 9 - Network Security TDTS41-2006 (ht1) Lecture 9 - Network Security TDTS41-2006 (ht1) Prof. Dr. Christoph Schuba Linköpings University/IDA Schuba@IDA.LiU.SE Reading: Office hours: [Hal05] 10.1-10.2.3; 10.2.5-10.7.1; 10.8.1 9-10am on Oct. 4+5,

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Goals v understand principles of network security: cryptography and its many uses beyond

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

1 Data Encryption Algorithm

1 Data Encryption Algorithm Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

More information

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastr, David Wagner Presented By: Tristan Brown Outline Motivation Cryptography Overview TinySec Design Implementation

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

The Advanced Encryption Standard: Four Years On

The Advanced Encryption Standard: Four Years On The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

More information

Security and Authentication Primer

Security and Authentication Primer Security and Authentication Primer Manfred Jantscher and Peter H. Cole Auto-ID Labs White Paper WP-HARDWARE-025 Mr. Manfred Jantscher Visiting Master Student, School of Electrical and Electronics Engineering,

More information

Hash Functions. Integrity checks

Hash Functions. Integrity checks Hash Functions EJ Jung slide 1 Integrity checks Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify

More information

Security Protocols/Standards

Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards How do we actually communicate securely across a hostile network? Provide integrity, confidentiality, authenticity

More information

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

More information

CPS 590.5 Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang xwy@cs.duke.edu

CPS 590.5 Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang xwy@cs.duke.edu CPS 590.5 Computer Security Lecture 9: Introduction to Network Security Xiaowei Yang xwy@cs.duke.edu Previous lectures Worm Fast worm design Today Network security Cryptography building blocks Existing

More information

Information Security

Information Security SE 4472 / ECE 9064 Information Security Week 11: Transport Layer Security (TLS): Putting it all together Fall 2015 Prof. Aleksander Essex Security at the Transport Layer Where we started in this course:

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

More information

Cryptography and Network Security

Cryptography and Network Security PART-A Questions 1. Name the aspects to be considered of information security. 2. What is meant by deciphering? 3. What are the two different uses of public key cryptography related to key distribution?

More information

The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

More information

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest. Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest Quiz 1 1. This quiz is intended to provide a fair measure of your understanding

More information