Cryptography Overview

Similar documents
CS155. Cryptography Overview

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Authenticated encryption

Symmetric Crypto MAC. Pierre-Alain Fouque

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Talk announcement please consider attending!

Cryptographic Hash Functions Message Authentication Digital Signatures

7! Cryptographic Techniques! A Brief Introduction

Message Authentication Codes

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

CIS433/533 - Computer and Network Security Cryptography

Chapter 8. Network Security

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Savitribai Phule Pune University

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

MAC. SKE in Practice. Lecture 5

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Introduction to Cryptography

Overview of Symmetric Encryption

Message authentication and. digital signatures

Lecture 9 - Network Security TDTS (ht1)

Lecture 6 - Cryptography

CS 758: Cryptography / Network Security

CSE/EE 461 Lecture 23

Authentication and Encryption: How to order them? Motivation

Provable-Security Analysis of Authenticated Encryption in Kerberos

Introduction to Computer Security

Table of Contents. Bibliografische Informationen digitalisiert durch

Overview of Public-Key Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography

Authenticity of Public Keys

Transport Level Security

SECURITY IN NETWORKS

Network Security Technology Network Management

Modes of Operation of Block Ciphers

The Misuse of RC4 in Microsoft Word and Excel

Secure Sockets Layer

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Message Authentication Codes. Lecture Outline

CSCE 465 Computer & Network Security

Message Authentication Code

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Lecture 9 - Message Authentication Codes

Chapter 6 CDMA/802.11i

Authentication requirement Authentication function MAC Hash function Security of

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 9: Application of Cryptography

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Chapter 7 Transport-Level Security

Client Server Registration Protocol

ETSI TS V1.2.1 ( )

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Midterm 2 exam solutions. Please do not read or discuss these solutions in the exam room while others are still taking the exam.

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography Lecture 8. Digital signatures, hash functions

Chapter 10. Network Security

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Chapter 7: Network security

CS Computer Security Third topic: Crypto Support Sys

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

EXAM questions for the course TTM Information Security May Part 1

Security Protocols/Standards

Chapter 17. Transport-Level Security

Properties of Secure Network Communication

Public Key Cryptography Overview

Hash Functions. Integrity checks

Communication Systems SSL

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Message Authentication

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Authentication, digital signatures, PRNG

1. a. Define the properties of a one-way hash function. (6 marks)

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Principles of Network Security

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security - ISA 656 Introduction to Cryptography

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Network Security Essentials Chapter 5

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Message authentication

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

What is network security?

Cryptography and Network Security Chapter 12

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Transcription:

Cryptography Overview

Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless used properly n Something you should try to invent yourself unless w you spend a lot of time becoming an expert w you subject your design to outside review

Auguste Kerckhoffs A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge. baptised as Jean-Guillaume-Hubert-Victor-François- Alexandre-Auguste Kerckhoffs von Nieuwenhof

Goal 1:secure communication Step 1: Session setup to exchange key Step 2: encrypt data HTTPS

Goal 2: Protected files Disk Alice File 1 Alice File 2 No eavesdropping No tampering Analogous to secure communication: Alice today sends a message to Alice tomorrow

Symmetric Cryptography Assumes parties already share a secret key

Building block: sym. encryption Alice m, n E(k,m,n)=c E nonce Bob c, n D(k,c,n)=m D k k E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Encryption algorithm is publicly known Never use a proprietary cipher

Use Cases Single use key: (one time key) Key is only used to encrypt one message encrypted email: No need for nonce (set to 0) new key generated for every email Multi use key: (many time key) Key used to encrypt multiple messages SSL: same key used to encrypt many packets Need either unique nonce or random nonce

First example: One Time Pad (single use key) Vernam (1917) Key: Plaintext: 0 1 0 1 1 1 0 0 1 0 1 1 0 0 0 1 1 0 0 0 Ciphertext: 1 0 0 1 1 0 1 0 1 0 Shannon 49: n OTP is secure against ciphertext-only attacks

Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers key PRG c PRG(k) m message ciphertext Stream ciphers: RC4 (113MB/sec), SEAL (293MB/sec)

Dangers in using stream ciphers One time key!! Two time pad is insecure: C1 m1 PRG(k) C2 m2 PRG(k) Eavesdropper does: C1 C2 m1 m2 Enough redundant information in English that: m1 m2 m1, m2

Block ciphers: crypto work horse n Bits PT Block n Bits E, D CT Block Key k Bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits IV handled as part of PT block

Building a block cipher Input: (m, k) Repeat simple mixing operation several times DES: Repeat 16 times: ml mr mr mlf(k,mr) AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,

Block Ciphers Built by Iteration key k key expansion k1 k2 k3 kn m R(k1, ) R(k2, ) R(k3, ) R(kn, ) c R(k,m): round function for DES (n=16), for AES (n=10)

Incorrect use of block ciphers Electronic Code Book (ECB): PT: m1 m2 CT: c1 c2 Parallel encryption of the various blocks through the same key Problem: n if m1=m2 then c1=c2

In pictures

Correct use of block ciphers I: CBC mode E a secure PRP. Cipher Block Chaining with random IV: IV m[0] m[1] m[2] m[3] E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] ciphertext Q: how to do decryption?

Use cases: choosing an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message Can use unique IV (e.g counter) but then first step in CBC must be IV E(k1,IV) benefit: may save transmitting IV with ciphertext

CBC with Unique IVs unique IV means: (k,iv) pair is used for only one message may be predictable so use E(k1,) as PRF IV m[0] m[1] m[2] m[3] IV E(k1,) E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] ciphertext

In pictures

Correct use of block ciphers II: CTR mode Counter mode with a random IV: (parallel encryption) IV m[0] m[1] E(k,IV) E(k,IV+1) m[l] E(k,IV+L) IV c[0] c[1] c[l] ciphertext

Performance: Crypto++ 5.2.1 [ Wei Dai ] Pentium 4, 2.1 GHz ( on Windows XP SP1, Visual C++ 2003 ) Cipher Block/key size Speed (MB/sec) RC4 113 SEAL 293 3DES 64/168 9 AES 128/128 61

Data integrity

Message Integrity: MACs Goal: message integrity. No confidentiality. n ex: Protecting public binaries on disk. k k Alice Generate tag: tag S(k, m) Message m tag Bob Verify tag:? V(k, m, tag) = `yes note: non-keyed checksum (CRC) is an insecure MAC!!

Secure MACs Attacker information: chosen message attack n for m1,m2,,mq attacker is given ti S(k,mi) Attacker s goal: existential forgery. n produce some new valid message/tag pair (m,t). (m,t) { (m1,t1),, (mq,tq) } A secure PRF gives a secure MAC: n S(k,m) = F(k,m) n V(k,m,t): `yes if t = F(k,m) and `no otherwise.

Construction 1: ECBC m[0] m[1] m[2] m[3] E(k,) E(k,) E(k,) E(k,) Raw CBC key = (k, k1) E(k1,) tag

Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( kopad H( kipad m ))

SHA-256: Merkle-Damgard m[0] m[1] m[2] m[3] IV h h h h H(m) h(t, m[i]): compression function Thm 1: Thm 2 : if h is collision resistant then so is H if h is a PRF then HMAC is a PRF PRF=pseudo random function

Construction 3: PMAC parallel MAC ECBC and HMAC are sequential. PMAC: m[0] m[1] m[2] m[3] P(k,0) P(k,1) P(k,2) P(k,3) F(k,) F(k,) F(k,) F(k,) F(k1,) tag

These MAC constructions are secure n No time to prove it Why the last encryption step in ECBC? n CBC (aka Raw-CBC) is not a secure MAC: n Given tag on a message m, attacker can deduce tag for some other message m n How: good crypto exercise

Authenticated Encryption: Encryption + MAC

Combining MAC and ENC (CCA) Encryption key KE MAC key = KI Option 1: MAC-then-Encrypt (SSL) MAC(M,KI) Enc KE Msg M Msg M MAC Option 2: Encrypt-then-MAC (IPsec) Enc KE Secure on general ground s Msg M Option 3: Encrypt-and-MAC (SSH) Enc KE Msg M MAC(C, KI) MAC MAC(M, KI) MAC

OCB offset codebook mode More efficient authenticated encryption m[0] m[1] m[2] m[3] checksum P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) P(N,k,0) E(k,) E(k,) E(k,) E(k,) E(k,) P(N,k,0) P(N,k,1) P(N,k,2) P(N,k,3) auth c[0] c[1] c[2] c[3] c[4] Rogaway,

Public-key Cryptography

Public key encryption: (Gen, E, D) Gen pk sk m c c m E D

Applications Session setup (for now, only eavesdropping security) Alice Generate (pk, sk) x pkalice E(pk, x) Bob choose random x (e.g. 48 bytes) Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pkalice Note: Bob needs pkalice (public key management)

Applications Encryption in non-interactive settings: Encrypted File Systems write read ska Alice Bob E(kF, File) E(pkA, KF) E(pkB, KF) File

Applications Encryption in non-interactive settings: Key escrow: data recovery without Bob s key Bob write E(pkescrow, KF) Escrow Service skescrow E(kF, File) E(pkB, KF)

Trapdoor functions (TDF) A trapdoor func. X Y is a triple of efficient algs. (G, F, F-1) G(): randomized alg. outputs key pair (pk, sk) F(pk, ): det. alg. that defines a func. X Y F-1(sk, ): Y X that inverts F(pk, ) Security: F(pk, ) is one-way without sk

Public-key encryption from TDFs (G, F, F-1): secure TDF X Y (Es, Ds) : symm. auth. encryption with keys in K H: X K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

Public-key encryption from TDFs (G, F, F-1): secure TDF X Y (Es, Ds) : symm. auth. encryption with keys in K H: X K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

Public-key encryption from TDFs (G, F, F-1): secure TDF X Y (Es, Ds) : symm. auth. encryption with keys in K H: X K a hash function E( pk, m) : x X, y F(pk, x) k H(x), c Es(k, m) output (y, c) D( sk, (y,c) ) : x F-1(sk, y), k H(x), m Ds(k, c) output m

Digital Signatures Public-key encryption n Alice publishes encryption key n Anyone can send encrypted message n Only Alice can decrypt messages with this key Digital signature scheme n Alice publishes key for verifying signatures n Anyone can check a message signed by Alice n Only Alice can send signed messages

Digital Signatures from TDPs (G, F, F-1): secure TDP X X H: M X a hash function Sign( sk, m X) : output sig = F-1(sk, H(m) ) Verify( pk, m, sig) : output 1 if H(m) = F(pk, sig) 0 otherwise Security: existential unforgeability under a chosen message attack in the random oracle model

Public-Key Infrastructure (PKI) Anyone can send Bob a secret message n Provided they know Bob s public key How do we know a key belongs to Bob? n If imposter substitutes another key, can read Bob s mail One solution: PKI n n n Trusted root Certificate Authority (e.g. Symantec) w Everyone must know the verification key of root CA w Check your browser; there are hundreds!! Root authority signs intermediate CA Results in a certificate chain

Back to SSL/TLS Version, Crypto choice, nonce Version, Choice, nonce, Signed certificate containing server s public key Ks C Secret key K encrypted with server s key Ks S switch to negotiated cipher Hash of sequence of messages Hash of sequence of messages data transmission

Limitations of cryptography Most security problems are not crypto problems n n This is good w Cryptography works! This is bad w People make other mistakes; crypto doesn t solve them Misuse of cryptography is fatal for security n n WEP ineffective, highly embarrassing for industry Occasional unexpected attacks on systems subjected to serious review

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information