CS155. Cryptography Overview

Similar documents
Cryptography Overview

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Authenticated encryption

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Symmetric Crypto MAC. Pierre-Alain Fouque

Talk announcement please consider attending!

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic Hash Functions Message Authentication Digital Signatures

Message Authentication Codes

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

CS 758: Cryptography / Network Security

7! Cryptographic Techniques! A Brief Introduction

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Savitribai Phule Pune University

Chapter 8. Network Security

MAC. SKE in Practice. Lecture 5

CIS433/533 - Computer and Network Security Cryptography

Message authentication and. digital signatures

Table of Contents. Bibliografische Informationen digitalisiert durch

Overview of Public-Key Cryptography

Lecture 9 - Network Security TDTS (ht1)

Introduction to Cryptography

Overview of Symmetric Encryption

Authentication and Encryption: How to order them? Motivation

IT Networks & Security CERT Luncheon Series: Cryptography

Provable-Security Analysis of Authenticated Encryption in Kerberos

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

EXAM questions for the course TTM Information Security May Part 1

Lecture 6 - Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Authenticity of Public Keys

Message Authentication Codes. Lecture Outline

CSE/EE 461 Lecture 23

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

CS Computer Security Third topic: Crypto Support Sys

Lecture 9 - Message Authentication Codes

Modes of Operation of Block Ciphers

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Introduction to Computer Security

Cryptography Lecture 8. Digital signatures, hash functions

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Secure Sockets Layer

SECURITY IN NETWORKS

Message Authentication Code

Public Key Cryptography Overview

Network Security. Modes of Operation. Steven M. Bellovin February 3,

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Authentication requirement Authentication function MAC Hash function Security of

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Authentication, digital signatures, PRNG

ETSI TS V1.2.1 ( )

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network Security Technology Network Management

CSCE 465 Computer & Network Security

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 10. Network Security

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

CRYPTOGRAPHY IN NETWORK SECURITY

Transport Level Security

Information Security

Hash Functions. Integrity checks

Message authentication

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Chapter 6 CDMA/802.11i

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

The Misuse of RC4 in Microsoft Word and Excel

Practice Questions. CS161 Computer Security, Fall 2008

Chapter 7 Transport-Level Security

Chapter 17. Transport-Level Security

Lecture 9: Application of Cryptography

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Message Authentication

1. a. Define the properties of a one-way hash function. (6 marks)

Client Server Registration Protocol

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Network Security - ISA 656 Introduction to Cryptography

MACs Message authentication and integrity. Table of contents

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Chapter 7: Network security

Properties of Secure Network Communication

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

CryptoVerif Tutorial

Cryptography & Network Security

Introduction to Cryptography CS 355

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

NXP & Security Innovation Encryption for ARM MCUs

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Cryptography and Network Security Chapter 15

One-Way Encryption and Message Authentication

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Cryptography and Network Security Chapter 12

Transcription:

CS155 Cryptography Overview

Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless used properly n Something you should try to invent or implement yourself

Kerckhoff s principle A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge.

Goal 1:secure communication Step 1: Session setup to exchange key Step 2: encrypt data

Goal 2: Protected files Disk Alice File 1 Alice File 2 No eavesdropping No tampering Analogous to secure communication: Alice today sends a message to Alice tomorrow

Symmetric Cryptography Assumes parties already share a secret key

Building block: sym. encryption Alice m, n E(k,m,n)=c E nonce Bob c, n D(k,c,n)=m D k k E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Encryption algorithm is publicly known Never use a proprietary cipher

Use Cases Single use key: (one time key) Key is only used to encrypt one message encrypted email: new key generated for every email No need for nonce (set to 0) Multi use key: (many time key) Key used to encrypt multiple messages files: same key used to encrypt many files

First example: One Time Pad (single use key) Vernam (1917) Key: Plaintext: 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 1 1 0 0 0 Ciphertext: 1 0 0 1 1 0 1 0 1 0 Shannon 49: n OTP is secure against ciphertext-only attacks

Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers key PRG c PRG(k) m message ciphertext Stream ciphers: RC4 (126 MB/sec), Salsa20/12 (643 MB/sec)

Dangers in using stream ciphers One time key!! Two time pad is insecure: C 1 m 1 PRG(k) C 2 m 2 PRG(k) Eavesdropper does: C 1 C 2 m 1 m 2 Enough redundant information in English that: m 1 m 2 m 1, m 2

Block ciphers: crypto work horse n Bits PT Block n Bits E, D CT Block Key k Bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits IV handled as part of PT block

Building a block cipher Input: (m, k) Repeat simple mixing operation several times DES: Repeat 16 times: m L m R m R m L F(k,m R ) AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,

Block Ciphers Built by Iteration key k key expansion k 1 k 2 k 3 k n m R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) c R(k,m): round function for DES (n=16), for AES-128 (n=10)

Incorrect use of block ciphers Electronic Code Book (ECB): PT: m 1 m 2 CT: c 1 c 2 Problem: n if m 1 =m 2 then c 1 =c 2

In pictures

Correct use of block ciphers I: CBC mode E a secure PRP. Cipher Block Chaining with random IV: IV m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext Q: how to do decryption?

Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message Can use unique IV (e.g counter) but then first step in CBC must be IV E(k 1,IV) benefit: may save transmitting IV with ciphertext

CBC with Unique IVs unique IV means: (k,iv) pair is used for only one message. generate unpredictable IV as E(k 1,IV) IV m[0] m[1] m[2] m[3] IV E(k 1, ) E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext

In pictures

Correct use of block ciphers II: CTR mode Counter mode with a random IV: (parallel encryption) IV m[0] m[1] E(k,IV) E(k,IV+1) m[l] E(k,IV+L) IV c[0] c[1] c[l] ciphertext Why are these modes secure? not today.

Performance: Crypto++ 5.6.0 [ Wei Dai ] Intel Core 2 (on Windows Vista) Cipher Block/key size Speed (MB/sec) RC4 126 Salsa20/12 643 3DES 64/168 10 AES/GCM 128/128 102 AES is about 8x faster with AES-NI : Intel Westmere and onwards

Data integrity

Message Integrity: MACs Goal: message integrity. No confidentiality. n ex: Protecting public binaries on disk. k Message m tag k Alice Bob Generate tag: tag S(k, m) Verify tag:? V(k, m, tag) = `yes note: non-keyed checksum (CRC) is an insecure MAC!!

Secure MACs Attacker information: chosen message attack n for m 1,m 2,,m q attacker is given t i S(k,m i ) Attacker s goal: existential forgery. n produce some new valid message/tag pair (m,t). (m,t) { (m 1,t 1 ),, (m q,t q ) } A secure PRF gives a secure MAC: n S(k,m) = F(k,m) n V(k,m,t): `yes if t = F(k,m) and `no otherwise.

Construction 1: ECBC m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) Raw CBC key = (k, k 1 ) E(k 1, ) tag

Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( kopad H( kipad m ))

SHA-256: Merkle-Damgard m[0] m[1] m[2] m[3] IV h h h h H(m) h(t, m[i]): compression function Thm 1: Thm 2 : if h is collision resistant then so is H if h is a PRF then HMAC is a PRF

Construction 3: PMAC parallel MAC ECBC and HMAC are sequential. PMAC: m[0] m[1] m[2] m[3] P(k,0) P(k,1) P(k,2) P(k,3) F(k, ) F(k, ) F(k, ) F(k, ) F(k 1, ) tag

Why are these MAC constructions secure? not today take CS255 Why the last encryption step in ECBC? n CBC (aka Raw-CBC) is not a secure MAC: n Given tag on a message m, attacker can deduce tag for some other message m n How: good crypto exercise

Authenticated Encryption: Encryption + MAC

Combining MAC and ENC (CCA) Encryption key K E Option 1: MAC-then-Encrypt (SSL) MAC(M,K I ) Msg M Msg M MAC MAC key = K I Enc K E Option 2: Encrypt-then-MAC (IPsec) Enc K E Secure for all secure primitives Msg M Option 3: Encrypt-and-MAC (SSH) Msg M Enc K E MAC(C, K I ) MAC MAC(M, K I ) MAC

OCB offset codebook mode More efficient authenticated encryption m[0] m[1] m[2] m[3] checksum P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) P(N,k,0) E(k, ) E(k, ) E(k, ) E(k, ) E(k, ) P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) auth c[0] c[1] c[2] c[3] c[4] Rogaway,

Public-key Cryptography

Public key encryption: (Gen, E, D) Gen pk sk m c c m E D

Applications Session setup (for now, only eavesdropping security) Alice Generate (pk, sk) x pk E(pk, x) Bob choose random x (e.g. 48 bytes) Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pk alice Note: Bob needs pk alice (public key management)

Applications Encryption in non-interactive settings: Encrypted File Systems write read sk A Alice Bob E(pk A, K F ) File E(k F, File) E(pk B, K F )

Applications Encryption in non-interactive settings: Key escrow: data recovery without Bob s key write Escrow Service sk escrow Bob E(pk escrow, K F ) E(k F, File) E(pk B, K F )

Trapdoor functions (TDF) Def: a trapdoor func. X Y is a triple of efficient algs. (G, F, F -1 ) G(): randomized alg. outputs key pair (pk, sk) F(pk, ): det. alg. that defines a func. X Y F -1 (sk, ): defines a func. Y X that inverts F(pk, ) Security: F(pk, ) is one-way without sk

Public-key encryption from TDFs (G, F, F -1 ): secure TDF X Y (E s, D s ) : symm. auth. encryption with keys in K H: X K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

Public-key encryption from TDFs (G, F, F -1 ): secure TDF X Y (E s, D s ) : symm. auth. encryption with keys in K H: X K a hash function E( pk, m) : R x X, y F(pk, x) k H(x), c E s (k, m) output (y, c) D( sk, (y,c) ) : x F -1 (sk, y), k H(x), m D s (k, c) output m

In pictures: F(pk, x) E s ( H(x), m ) header body Security Theorem: If (G, F, F -1 ) is a secure TDF, (E s, D s ) provides auth. enc. and H: X K is a random oracle then (G,E,D) is CCA ro secure.

Digital Signatures Public-key encryption n Alice publishes encryption key n Anyone can send encrypted message n Only Alice can decrypt messages with this key Digital signature scheme n Alice publishes key for verifying signatures n Anyone can check a message signed by Alice n Only Alice can send signed messages

Digital Signatures from TDPs (G, F, F -1 ): secure TDP X X H: M X a hash function Sign( sk, m X) : output sig = F -1 (sk, H(m) ) Verify( pk, m, sig) : output 1 if H(m) = F(pk, sig) 0 otherwise Security: existential unforgeability under a chosen message attack (in the random oracle model)

Public-Key Infrastructure (PKI) Anyone can send Bob a secret message n Provided they know Bob s public key How do we know a key belongs to Bob? n If imposter substitutes another key, can read Bob s mail One solution: PKI n n n Trusted root Certificate Authority (e.g. Symantec) w Everyone must know the verification key of root CA w Check your browser; there are hundreds!! Root authority signs intermediate CA Results in a certificate chain

Back to SSL/TLS Version, Crypto choice, nonce Version, Choice, nonce, Signed certificate containing server s public key Ks C Secret key K encrypted with server s key Ks S switch to negotiated cipher Hash of sequence of messages Hash of sequence of messages data transmission

Limitations of cryptography Cryptography works when used correctly!! but is not the solution to all security problems XKCD 538

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information