Monday 1 October 2012

Symmetric Crypto
Pierre-Alain Fouque

Birthday Paradox
In a set of N elements, picking about √N elements at random gives a collision (two equal elements) with high probability.
N = 365: about 23 people are needed for two of them to share a birthday (probability above 1/2).
Let two sets of N and M elements be drawn at random from a large set D; the expected number of collisions between the two sets is N·M/|D| (the birthday paradox with boys and girls).

Avoiding frequency attacks
Main idea: a large block size. A frequency attack works on small blocks because the statistics of the plaintext blocks are far from uniform; with large blocks those statistics can no longer be exploited.

Block cipher
A cipher is a pair (E, D) of efficient algorithms such that D(k, E(k, m)) = m.
Main drawback of stream ciphers: a lack of theory for constructing secure PRGs.
A block cipher iterates a "small" round function F many times. [Figure: the master key k is expanded into round keys K1, K2, ..., Kr; the plaintext m goes through F with K1, then F with K2, ..., then F with Kr, which yields c.]

Data Encryption Standard
DES: designed at IBM (1973), NBS standard in 1977.
Key length: 56 bits. Block length: 64 bits. 16 rounds with 48-bit round keys.
[Figure: key schedule K -> K1, K2, K3, ...; the 64-bit block is split into two 32-bit halves (L0, R0) and goes through the rounds (L1, R1), (L2, R2), (L3, R3), ...]
Round i: F_{Ki}(L_i, R_i) = (R_i, L_i ⊕ f_{Ki}(R_i)) = (L_{i+1}, R_{i+1}).

Feistel scheme
Designed by Horst Feistel at IBM. It turns a (random) function f into a (random) permutation: whatever f is, the round is invertible, since R_i = L_{i+1} and L_i = R_{i+1} ⊕ f_{Ki}(L_{i+1}).
[Figure: the halves L and R, the round key K and the round function f.]

The DES round function f
Round input (32 bits) -> Expansion (32 to 48 bits) -> XOR with the 48-bit subkey -> 8 S-boxes (each a 6-bit to 4-bit function) -> Permutation over 32 bits -> round output (32 bits).

Attacks against DES
Before 1990: attacks against round-reduced versions (fewer than 16 rounds).
1990-92: differential cryptanalysis.
1993-94: linear cryptanalysis.
Other attacks: Davies-Murphy, side channels.
In practice, the most efficient attack is exhaustive key search (EFF Deep Crack, COPACOBANA).

Main drawbacks of DES
Exhaustive key search in 2^56 (hence 3DES).
Block size: collisions after 2^32 blocks (birthday bound on 64-bit blocks).
Differential / linear cryptanalysis.
Still, DES is well designed and has withstood 30 years of cryptanalysis.
[Figures: 2DES and 3DES, i.e. two and three DES encryptions under independent keys. 2DES brings almost nothing, since a meet-in-the-middle attack recovers its two keys in about 2^57 operations; 3DES is what is used in practice.]

Advanced Encryption Standard
Substitution / permutation network.
Key length: 128 / 192 / 256 bits. Block length: 128 bits.
Designed by Daemen and Rijmen (Rijndael); selected by NIST in 2000 (FIPS 197, 2001).
[Figure: one AES round on the state x_i: SubBytes, ShiftRows, MixColumns, then XOR with the round key k_i, giving x_{i+1}.]

Security game
A block cipher must be indistinguishable from a random permutation: for every key k, E(k, .) is a permutation, and it must look random as long as k is unknown.
[Figure: the challenger draws b in {0,1} and sets f = E(k, .) if b = 0, or f = P, a random permutation, if b = 1. The distinguisher (adversary) submits inputs x and receives f(x), as many times as it wants, then outputs a guess b'.]
Adv(A) = |Pr[b' = b] - 1/2|.

Feistel security
Could you distinguish a one-round Feistel from a random permutation?
Could you distinguish a two-round Feistel?
Could you distinguish a three-round Feistel?

Modes of operation
How to encipher messages longer than one block? ECB, CBC, CTR, OFB, CFB.

Electronic Code Book (ECB)
Drawbacks: deterministic (equal plaintext blocks give equal ciphertext blocks).
Advantages: parallelisable.

Cipher Block Chaining (CBC)
Encrypting: C_0 = IV, C_i = E(k, C_{i-1} ⊕ M_i).
Decrypting: M_i = D(k, C_i) ⊕ C_{i-1}.
Drawbacks: sequential encryption.
Advantages: randomized (by the IV); limited error propagation in decryption (a corrupted ciphertext block garbles only two plaintext blocks).
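To make the three Feistel questions concrete, here is an added example in Python (not code from the original slides): an r-round Feistel network on 64-bit blocks whose round functions are truly random (sampled lazily), a random permutation as the ideal object of the security game, and the two distinguishers that answer the first two questions. All class and function names are this example's own; nothing here is the lecturer's code.

```python
import random

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


class RandomFunction:
    """A uniformly random function on 32-bit words, sampled lazily:
    a fresh input gets a fresh random output, which is then remembered."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(HALF_BITS)
        return self.table[x]


class Feistel:
    """r-round Feistel network on 64-bit blocks with independent random
    round functions: (L, R) -> (R, L xor f_i(R))."""

    def __init__(self, rounds, rng):
        self.fs = [RandomFunction(rng) for _ in range(rounds)]

    def encrypt(self, block):
        left, right = block >> HALF_BITS, block & MASK
        for f in self.fs:
            left, right = right, left ^ f(right)
        return (left << HALF_BITS) | right


class RandomPermutation:
    """A lazily sampled random permutation on 64-bit blocks: the ideal
    object the block cipher is compared against in the security game."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}
        self.used = set()

    def encrypt(self, block):
        if block not in self.table:
            while True:
                y = self.rng.getrandbits(2 * HALF_BITS)
                if y not in self.used:
                    break
            self.table[block] = y
            self.used.add(y)
        return self.table[block]


def distinguish_one_round(oracle):
    """One round leaks its input: the left output half equals the right
    input half. Returns True if the oracle looks like a 1-round Feistel."""
    x = 0x0123456789ABCDEF
    y = oracle.encrypt(x)
    return (y >> HALF_BITS) == (x & MASK)


def distinguish_two_rounds(oracle):
    """Two rounds: for two inputs sharing the right half R, the left output
    halves are L xor f1(R) and L' xor f1(R), so they differ by exactly
    L xor L'. A random permutation satisfies this with probability ~2^-32."""
    l0, l1, r = 0x11111111, 0x22222222, 0x33333333
    y0 = oracle.encrypt((l0 << HALF_BITS) | r)
    y1 = oracle.encrypt((l1 << HALF_BITS) | r)
    return ((y0 ^ y1) >> HALF_BITS) == (l0 ^ l1)


def run_game(rounds, distinguisher, trials=50, seed=1):
    """Play the game `trials` times against a fresh r-round Feistel and a
    fresh random permutation; returns (hit rate on Feistel, hit rate on P).
    The adversary's advantage is the difference of the two rates."""
    rng = random.Random(seed)
    hits_cipher = sum(distinguisher(Feistel(rounds, rng)) for _ in range(trials))
    hits_random = sum(distinguisher(RandomPermutation(rng)) for _ in range(trials))
    return hits_cipher / trials, hits_random / trials


if __name__ == "__main__":
    for r in (1, 2, 3):
        p1, q1 = run_game(r, distinguish_one_round)
        p2, q2 = run_game(r, distinguish_two_rounds)
        print(f"{r} round(s): 1-round test adv={p1 - q1:.2f}, "
              f"2-round test adv={p2 - q2:.2f}")
```

The one-round test has advantage 1 against one round and about 0 against anything else; the two-round test has advantage 1 against two rounds and about 0 against three. With encryption queries only, three rounds with random round functions are indistinguishable from a random permutation (Luby-Rackoff). The caveat a practitioner should remember: three rounds are still distinguishable once decryption queries are allowed; four rounds are needed for that stronger notion.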

Cipher FeedBack (CFB)
How to use a block cipher as a stream cipher? [Figure.]

Output FeedBack (OFB)
How to use a block cipher as a stream cipher? [Figure.]

Counter Mode (CTR)
The better solution: the keystream blocks E(k, nonce || i) do not depend on the message, so encryption and decryption are parallelisable. [Figure.]

Security
Confidentiality is ensured by the mode of operation.
Integrity: what about the first block of CBC? (Flipping a bit of the IV flips the same bit of M_1, and nothing detects it.)
Main idea: the ciphertext must be indistinguishable from random for polynomial-time adversaries.
Security game: example on CBC. [Figure.]

Def: Hash Function
[Figure: a message M in {0,1}* goes through H and gives the hash H(M) in {0,1}^n.]
A hash function H computes a hash value, a.k.a. fingerprint, of n bits for an arbitrarily long message M: H : {0,1}* -> {0,1}^n.
Usage: integrity, password storage, signatures, ...
E.g.: SHA-1 (160 bits), MD5 (128 bits), SHA-2, ...

Use case: file integrity
Idea: detect whether a file has been modified by recomputing its fingerprint.

    // File code.c
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv) {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <input>\n", argv[0]);
            return EXIT_FAILURE;
        }
        return EXIT_SUCCESS;
    }

SHA-1 hash, 160 bits long: SHA-1(code.c) = A51F 07BB 62EC 44A3 F118 ...

Use case: passwords
Instead of storing a password on a machine, we store its hash h = H(password). To authenticate, the user sends the password; the machine recomputes H(password) and compares it with h, so a stolen file of hashes does not directly reveal the passwords. (In practice the hash is salted and made deliberately slow.)
On the web, the server sends a random value N and the user must answer with H(N || password): the password never crosses the network and the answer cannot be replayed.

Compression function
f is a compression function f : {0,1}^{m+n} -> {0,1}^n, i.e. a fixed-length hash function.
For SHA-1: n = 160 and m = 512.
[Figure: the m-bit data block and the n-bit chaining variable enter f, which outputs n bits.]

Merkle-Damgård
Let f : {0,1}^{m+n} -> {0,1}^n be a compression function and M = M_1 || ... || M_l a message to hash (l blocks of m bits after padding).
Construction H_f(M): h_0 = IV, h_1 = f(h_0, M_1), h_2 = f(h_1, M_2), ..., h_l = f(h_{l-1}, M_l || pad); H_f(M) = h_l.
Th: a collision on H_f gives a collision on f (so if f is collision resistant, so is H_f).
[Figure: IV -> f -> f -> ... -> f -> H(M), with M_1, ..., M_l entering the successive f.]

Security notions
Collision resistance: find M_1 and M_2 such that H(M_1) = H(M_2). Generic cost 2^{n/2} (birthday; Pollard's rho makes the search memoryless).
Second-preimage resistance: given M_1, find M_2 ≠ M_1 such that H(M_1) = H(M_2). Generic cost 2^n.
Preimage resistance: given x, find M such that H(M) = x. Generic cost 2^n.

Length extension
Attack: could you predict the value of H(M || M') from H(M), without recomputing from the beginning?

Message Authentication Code (MAC)
Warning: encryption does not provide integrity.
E.g.: CTR mode ensures confidentiality if the underlying block cipher is secure, but no integrity is guaranteed (the same goes for the first block of CBC).
[Figure: Alice sends the bank C_1 = E(k, ctr) ⊕ M_1 with M_1 = "$200 on Bob's account". Eve, who knows M_1, wants M_1' = "$2000 on Eve's account" and replaces C_1 by C_1' = C_1 ⊕ M_1 ⊕ M_1', which the bank decrypts to M_1'.]
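The Alice / Bank / Eve attack above, as an added Python example that is not part of the original slides. CTR mode needs only the forward direction of the block cipher, so HMAC-SHA256 stands in for E_k here (an assumption made to stay within the standard library; AES would be used in practice). The keys, the nonce and the fixed-width messages are constructed for the example. The second half shows the Encrypt-then-MAC repair that the closing slide names: a tag over nonce and ciphertext, checked before decryption, rejects the forged ciphertext.

```python
import hashlib
import hmac
import struct

BLOCK = 32  # bytes of keystream per counter value (SHA-256 output size)


def keystream_block(key, nonce, counter):
    """Stand-in for E_k(nonce || counter). CTR only needs a PRF in the forward
    direction, so HMAC-SHA256 plays that role (assumption; AES in practice)."""
    return hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def ctr_xor(key, nonce, data):
    """CTR mode: C_i = M_i xor E_k(nonce || i). Encryption and decryption
    are the same operation."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, i // BLOCK)
        chunk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def forge_ciphertext(ciphertext, known_plaintext, wanted_plaintext):
    """Eve's step: with C = M xor KS she computes C' = C xor M xor M', which
    decrypts to M'. No key and no keystream needed, only the plaintext guess.
    The replacement must keep the same length and is applied in place."""
    if len(known_plaintext) != len(wanted_plaintext):
        raise ValueError("replacement must keep the same length")
    delta = bytes(a ^ b for a, b in zip(known_plaintext, wanted_plaintext))
    prefix = ciphertext[:len(delta)]
    return bytes(c ^ d for c, d in zip(prefix, delta)) + ciphertext[len(delta):]


def demo_malleability():
    """Bank decrypts Eve's modified ciphertext and gets her message."""
    key = b"\x42" * 32                 # constructed key shared by Alice and the bank
    nonce = b"\x00" * 8                # constructed nonce
    alice_msg = b"PAY $0200 TO BOB"    # constructed, fixed width so Eve can edit in place
    eve_msg = b"PAY $2000 TO EVE"
    c = ctr_xor(key, nonce, alice_msg)
    c_forged = forge_ciphertext(c, alice_msg, eve_msg)
    return ctr_xor(key, nonce, c_forged)   # the bank accepts whatever decrypts


def etm_encrypt(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    c = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    return c, tag


def etm_decrypt(enc_key, mac_key, nonce, ciphertext, tag):
    """Verify the tag before decrypting; None signals a rejected message."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xor(enc_key, nonce, ciphertext)


def demo_etm_rejects_forgery():
    """Same bit-flip against Encrypt-then-MAC: the tag no longer matches."""
    enc_key, mac_key, nonce = b"\x42" * 32, b"\x24" * 32, b"\x00" * 8
    alice_msg, eve_msg = b"PAY $0200 TO BOB", b"PAY $2000 TO EVE"
    c, tag = etm_encrypt(enc_key, mac_key, nonce, alice_msg)
    forged = forge_ciphertext(c, alice_msg, eve_msg)
    return etm_decrypt(enc_key, mac_key, nonce, forged, tag)


if __name__ == "__main__":
    print(demo_malleability())          # b'PAY $2000 TO EVE'
    print(demo_etm_rejects_forgery())   # None
```

The attack never touches the key: it only needs to know (or guess) the plaintext at the positions it rewrites, which is why CTR and the first block of CBC are equally malleable. The repair works because the MAC is computed over the ciphertext, so any change to it is detected before the bank ever decrypts.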

Definition of Message Authentication Code
Key generation: randomized algorithm; output: a key K, uniformly distributed.
Tag (MAC) generation: randomized or deterministic; input: M in {0,1}*; output: a tag τ in {0,1}^t, τ = MAC_K(M).
Verification: deterministic algorithm; input: a tag τ in {0,1}^t and a message M; output: a bit telling whether the tag is valid for this message, such that for any K and any M, if τ = MAC_K(M) then V_K(τ, M) = 1.

Security game
Adversary's goals:
1. key recovery;
2. forgery: producing a valid MAC for some message M (of his choice, or any message).
Adversary's resources:
1. known message attack: interception of MACs; the adversary knows pairs (M, τ) of already tagged messages;
2. chosen message attack: the adversary obtains the tags of messages of his choice (access to the MAC generation algorithm, adaptively or not).

Security game
Def: combine an adversary's goal with some resources.
SUF-CMA: strong unforgeability against chosen message attacks.
[Figure: the adversary A sends messages M_i to the challenger and receives τ_i = MAC_K(M_i); finally A outputs a pair (M, τ); the experiment returns 1 if the tag is valid and (M, τ) was not obtained from the challenger.]
Adv(A) = Pr[the experiment returns 1].

Generic security
1. For a t-bit MAC, the advantage (forgery probability) is always at least 1/2^t: guess the tag.
2. Among 2^{t/2} MACs, by the birthday paradox, two of them collide; such collisions can be exploited for forgeries, and in some constructions even to recover the keys...

MAC vs. Signature
Signatures: used for certifying public keys, guarantee non-repudiation, same properties as a hand-written signature.
MACs: very good performance, a secret key shared between two users; no non-repudiation, no public verification.

First construction
Let F : {0,1}^k × {0,1}* -> {0,1}^t be a random function (i.e. its outputs are indistinguishable from random values).
MAC construction: for the message M = M_1 || ... || M_m, τ = F_K(M_1) ⊕ ... ⊕ F_K(M_m).
Is this scheme secure? (No: the tag ignores the order of the blocks, and any message of the form M_1 || M_1 has tag 0.)

Second example
Let F : {0,1}^k × {0,1}* -> {0,1}^t be a random function.
For the message M = M_1 || ... || M_m: for i = 1 to m, y_i = F_K(<i> || M_i); τ = y_1 ⊕ ... ⊕ y_m.
Is this scheme secure? (No: from the tags of M_1 || M_2, M_1' || M_2 and M_1' || M_2', the tag of M_1 || M_2' is their XOR.)

Unencrypted CBC-MAC
C_0 = 0, C_i = E_K(M_i ⊕ C_{i-1}), MAC = C_m.
Secure only for messages of a fixed length.
[Figure: M_1 -> E_K -> C_1, M_2 ⊕ C_1 -> E_K -> C_2, ..., MAC = C_m.]

Security of CBC-MAC
Let M and M' be two arbitrary messages, with τ = MAC(M) and τ' = MAC(M'), M' = M'_1 || M'_2 || ... || M'_m.
[Figures: the CBC chains of M (ending in C_2 = τ) and of M' (C'_1 = E_K(M'_1), C'_2 = τ').]
Given the MACs of M and M', one can forge the MAC of a third message: the chaining value after M is τ, so the message M || (M'_1 ⊕ τ) || M'_2 || ... || M'_m reproduces the chain of M' from its first block on, hence its MAC is τ'. [Figure: blocks M_1, M_2, M'_1 ⊕ τ, M'_2 with chaining values C_1, C_2 = τ, C'_1, C'_2 = τ'.]
Recovering the secret key costs 2^k MAC computations, where k is the bit length of the key (exhaustive search).

No IV in CBC-MAC
The integrity of the first block is not ensured if an IV is used: since C_1 = E_K(IV ⊕ M_1), the triples (M, IV, τ) and (M with M_1 replaced by M_1 ⊕ Δ, IV ⊕ Δ, τ) are both valid.
[Figures: the same chain with IV and with IV', both giving MAC = C_2.]

Encrypted CBC-MAC (EMAC)
C_0 = 0, C_i = E_K(M_i ⊕ C_{i-1}) and MAC = E_{K'}(C_m).
Secure as long as fewer than 2^{n/2} MACs are computed.
Both keys can be recovered by two exhaustive searches, each in time 2^k (for k-bit keys).
[Figure: C_1, C_2, ..., C_m, then E_{K'}, giving MAC = C_{m+1}.]

Some attacks on EMAC
[Figures: two messages N_1 || ... || N_m and N'_1 || ... || N'_{m'} whose MACs C_{m+1} and C'_{m'+1} collide; appending the same block R to both gives two messages whose MACs τ are again equal.]
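The two CBC-MAC forgeries above (splicing a second message onto the first against unencrypted CBC-MAC, and the collision-then-extend attack on EMAC sketched in the figures) as an added Python example; this is not code from the original slides. The block cipher is a stand-in chosen for the demonstration: a 4-round Feistel on 24-bit blocks with HMAC-SHA256 round functions, so that E_K is a genuine permutation (the EMAC argument needs it) and so that the 2^{n/2} = 2^12 birthday bound is reached after a few thousand queries. Keys, messages and function names are this example's own.

```python
import hashlib
import hmac
import random

N = 3  # block size in bytes (n = 24 bits): tiny on purpose, so 2^(n/2) is a few thousand


def enc(key, block):
    """Stand-in n-byte block cipher E_K: a 4-round Feistel on 12-bit halves whose
    round functions are HMAC-SHA256 keyed by `key` (assumption: stdlib only, no
    AES). The attacks below rely only on E_K being a permutation, which any
    Feistel network is."""
    x = int.from_bytes(block, "big")
    l, r = x >> 12, x & 0xFFF
    for i in range(4):
        digest = hmac.new(key, bytes([i]) + r.to_bytes(2, "big"), hashlib.sha256).digest()
        l, r = r, l ^ (int.from_bytes(digest[:2], "big") & 0xFFF)
    return ((l << 12) | r).to_bytes(N, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg):
    if len(msg) % N:
        raise ValueError("message must be a whole number of blocks")
    return [msg[i:i + N] for i in range(0, len(msg), N)]


def cbc_mac(key, msg):
    """Unencrypted CBC-MAC: C_0 = 0, C_i = E_K(M_i xor C_{i-1}), tag = C_m."""
    c = bytes(N)
    for m in blocks(msg):
        c = enc(key, xor(m, c))
    return c


def emac(key, key2, msg):
    """Encrypted CBC-MAC (EMAC): tag = E_{K'}(C_m)."""
    return enc(key2, cbc_mac(key, msg))


def splice_forgery(m, tag_m, m2, tag_m2):
    """Unencrypted CBC-MAC on variable-length messages: given tag(M) and
    tag(M'), the message M || (M'_1 xor tag(M)) || M'_2 || ... has tag tag(M').
    After absorbing M the chain sits at tag(M); the xor cancels it, so the
    remaining chain is exactly the one of M'."""
    m2_blocks = blocks(m2)
    forged = m + xor(m2_blocks[0], tag_m) + b"".join(m2_blocks[1:])
    return forged, tag_m2


def collision_forgery(mac_oracle, rng):
    """EMAC after about 2^(n/2) queries: find M_i != M_j with equal tags
    (birthday paradox; E_{K'} is a permutation, so the inner chaining values
    collide too), query tag(M_i || R) and output it as the tag of M_j || R."""
    rand_bytes = lambda k: rng.getrandbits(8 * k).to_bytes(k, "big")
    seen = {}
    while True:
        msg = rand_bytes(2 * N)
        tag = mac_oracle(msg)
        if tag in seen and seen[tag] != msg:
            m_i, m_j = seen[tag], msg
            break
        seen[tag] = msg
    r = rand_bytes(N)
    return m_j + r, mac_oracle(m_i + r), len(seen)


def demo():
    """Returns (splice forgery verified, collision forgery verified, #queries)."""
    key, key2 = b"K" * 16, b"K2" * 8              # constructed keys
    # Attack 1: unencrypted CBC-MAC, two constructed 2-block messages.
    m, m2 = b"abcdef", b"uvwxyz"
    forged, tag = splice_forgery(m, cbc_mac(key, m), m2, cbc_mac(key, m2))
    ok1 = cbc_mac(key, forged) == tag and forged not in (m, m2)
    # Attack 2: EMAC, collision-then-extend, using only MAC queries.
    oracle = lambda msg: emac(key, key2, msg)
    new_msg, new_tag, queries = collision_forgery(oracle, random.Random(2012))
    ok2 = emac(key, key2, new_msg) == new_tag
    return ok1, ok2, queries


if __name__ == "__main__":
    print(demo())
```

The first forgery needs two known tags and no queries of the attacker's choice; it is why CBC-MAC is only safe for fixed-length (prefix-free) messages. The second needs on the order of 2^{n/2} tags, here roughly 4000 for n = 24, and the same arithmetic puts the bound at 2^32 for a 64-bit cipher such as DES and 2^64 for AES, which is the "fewer than 2^{n/2} MACs" condition of the EMAC slide.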

Security analysis
Assume 2^{n/2} MACs have been computed: (M_i, τ_i), 0 ≤ i < 2^{n/2}, with M_i ≠ M_j for i ≠ j.
By the birthday paradox there exist i ≠ j such that τ_i = τ_j. Since E_{K'} is a permutation, the chaining values C_m of M_i and M_j are equal as well.
Ask for the MAC τ of M_i || R, where R is a random block.
Claim: τ is also the MAC of M_j || R, which is a forgery.

Key recovery
[Figure: E = DES_K for the chain, E' = TDES_{K,K'} for the final encryption, MAC = C_{m+1}.]
For efficiency and security reasons, one decides E = DES with key K and E' = TDES with keys K, K'. What is the complexity of recovering the keys K and K'?

Hash-based MAC
Consider the following MAC scheme: MAC_K(M) = H(K || M). Is it secure?

HMAC
HMAC_K(M) = H((K ⊕ opad) || H((K ⊕ ipad) || M)), where ipad and opad are constant values: the byte 0x36 and the byte 0x5c respectively, each repeated to the block size of H.
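The length extension question on the Merkle-Damgård slide and the question whether MAC_K(M) = H(K || M) is secure are answered by the same attack, shown here in Python as an added example (not code from the original slides): a from-scratch SHA-1 whose Merkle-Damgård iteration can be resumed from a known digest, the forgery against H(K || M) when only the length of K is known, and HMAC built on the same SHA-1 for comparison. The secret key and the messages are constructed; the SHA-1 and HMAC outputs are cross-checked against the standard library.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """The SHA-1 compression function f: (160-bit chaining variable, 512-bit block) -> 160 bits."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[t]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d, e)))


def md_pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", 8 * total_len)


def sha1(msg, state=SHA1_IV, prior_len=0):
    """H_f(M): iterate f from the IV over the padded blocks. `state` and `prior_len`
    let the caller resume as if `prior_len` bytes had already been absorbed, which
    is exactly what a length-extension attacker does."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)


def length_extend(known_hash, known_len, suffix):
    """From H(X) and |X| alone, return (glue, H(X || glue || suffix)): H(X) is the
    chaining value after the padded X, so the iteration simply continues from it."""
    glue = md_pad(known_len)
    state = struct.unpack(">5I", known_hash)
    return glue, sha1(suffix, state, known_len + len(glue))


def naive_mac(key, msg):
    """MAC_K(M) = H(K || M): the scheme the slide asks about."""
    return sha1(key + msg)


def hmac_sha1(key, msg):
    """HMAC_K(M) = H((K xor opad) || H((K xor ipad) || M)), ipad = 0x36.., opad = 0x5c.."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    inner = sha1(bytes(k ^ 0x36 for k in key) + msg)
    return sha1(bytes(k ^ 0x5C for k in key) + inner)


KEY = b"correct horse"          # constructed secret; the attacker knows only len(KEY)
MSG = b"amount=200&to=bob"      # constructed message whose tag the attacker has seen
SUFFIX = b"&to=eve"             # what the attacker appends


def demo_forgery():
    """Forge a valid naive_mac tag for MSG || glue || SUFFIX without knowing KEY."""
    tag = naive_mac(KEY, MSG)
    glue, forged_tag = length_extend(tag, len(KEY) + len(MSG), SUFFIX)
    forged_msg = MSG + glue + SUFFIX
    return forged_msg, naive_mac(KEY, forged_msg) == forged_tag


def hmac_resists():
    """The same trick against HMAC fails: the outer hash hides the inner chaining value."""
    tag = hmac_sha1(KEY, MSG)
    glue, guess = length_extend(tag, len(KEY) + len(MSG), SUFFIX)
    return hmac_sha1(KEY, MSG + glue + SUFFIX) != guess


def matches_reference(msg, key=KEY):
    """Cross-check this SHA-1 and HMAC against hashlib and hmac."""
    return (sha1(msg) == hashlib.sha1(msg).digest()
            and hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```

The forged message contains the padding bytes of the original (the glue), so the attack only matters where the verifier tolerates them, as parsers of key=value strings usually do. The attack is generic to every Merkle-Damgård hash used as H(K || M), MD5 and SHA-2 included; HMAC defeats it because the value the attacker sees is H over the inner digest, not the inner chaining value itself.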

Encryption and Authentication
IPsec (ESP): Encrypt-then-MAC.
SSL/TLS (before AEAD cipher suites): MAC-then-Encrypt.
SSH: Encrypt-and-MAC.
Only Encrypt-then-MAC is secure for every secure encryption scheme combined with every secure MAC (Bellare and Namprempre); the other two compositions are secure only for particular choices of components.