Similar documents
How To Understand And Understand The History Of Cryptography

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Cryptography and Network Security

Cryptography and Network Security Block Cipher

How To Encrypt With A 64 Bit Block Cipher

1 Data Encryption Algorithm

Lecture 4 Data Encryption Standard (DES)

CSCE 465 Computer & Network Security

CIS433/533 - Computer and Network Security Cryptography

Network Security - ISA 656 Introduction to Cryptography

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Overview of Symmetric Encryption

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Network Security. Omer Rana

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

MAC. SKE in Practice. Lecture 5

Network Security. Modes of Operation. Steven M. Bellovin February 3,

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

The Misuse of RC4 in Microsoft Word and Excel

Cryptography and Network Security Chapter 3

The Advanced Encryption Standard (AES)

CS 758: Cryptography / Network Security

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

EXAM questions for the course TTM Information Security May Part 1

Network Security Technology Network Management

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

Modes of Operation of Block Ciphers

Message Authentication Codes

Properties of Secure Network Communication

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Symmetric Key cryptosystem

Evaluation of the RC4 Algorithm for Data Encryption

Authentication requirement Authentication function MAC Hash function Security of

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Message Authentication Codes. Lecture Outline


lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

SeChat: An AES Encrypted Chat

Talk announcement please consider attending!

Chapter 6 CDMA/802.11i

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

MACs Message authentication and integrity. Table of contents

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Message Authentication

Cryptography and Network Security Chapter 12

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

7! Cryptographic Techniques! A Brief Introduction

AES Cipher Modes with EFM32

The Encryption Technology of Automatic Teller Machine Networks

Keywords Web Service, security, DES, cryptography.

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Provable-Security Analysis of Authenticated Encryption in Kerberos

F3 Symmetric Encryption

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

best practices for encryption in android

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

Cryptography Exercises

WINTER SCHOOL ON COMPUTER SECURITY. Prof. Eli Biham

Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: Web:

Table of Contents. Bibliografische Informationen digitalisiert durch

Authentication and Encryption: How to order them? Motivation

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

IronKey Data Encryption Methods

Split Based Encryption in Secure File Transfer

Fundamentals of Computer Security

The Advanced Encryption Standard: Four Years On

CSE/EE 461 Lecture 23

Lecture 9: Application of Cryptography

A PPENDIX G S IMPLIFIED DES

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

EDA385 Embedded Systems Design. Advanced Course

6 Data Encryption Standard (DES)

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

Public Key Cryptography Overview

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Chapter 8. Network Security

IT Networks & Security CERT Luncheon Series: Cryptography

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

1 Construction of CCA-secure encryption

Insight Guide. Encryption: A Guide

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Overview/Questions. What is Cryptography? The Caesar Shift Cipher. CS101 Lecture 21: Overview of Cryptography

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Cryptographic Hash Functions Message Authentication Digital Signatures

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Transcription:

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure cryptography uses a shared secret key of limited length to provide security against an oponent with limited computational resources by making it computationally infeasable extract the key or message. 1.1 Standards of Proof Rigorous proofs of conditional cryptography are in very limited supply. It would be nice to be able to prove that a keyspace search or comparable eort (order of 2 n, for key length n) would be required to nd akey or decode a message, but for the most part it's not possible. One way of showing a given system to be computationally secure is to show that breaking it (reliably) would be comparable in diculty to solving an NP-hard problem { but given that whether P 6= NP (whether the class of problems solveable in polynomial time is the same as the class of problems solveable in non-deterministic polynomial time) is not yet known, even showing a system to be NP-hard to break isn't entirely conclusive. Were it to be shown that P = NP, much of computationally secure cryptography as it presently exists would collapse. Even the \proveably secure" systems are based on the assumption that factoring (or another such problem) is suciently hard. So what are the resources of the limited adversary, and what test(s) might a cryptographics system be asked to pass to demonstrate reasonable security? One proposed \turing test" for a cryptographic system is that an adversary, given M x and M y, should not be able to determine (with greater than 50% probability) which of two ciphertexts is C(M x ) and which isc(m y ) with less than a keyspace search. Another proposed test is that an adversary should not be able to determine the encryption key even with many examples of known ciphertext (an eavesdropper), or 1

2 1 CONDITIONALLY SECURE CRYPTOGRAPHY known ciphertext/plaintext pairs (an eavesdropper able to correlate to plaintexts stolen or made public), or chosen ciphertext/plaintext pairs (someone able to submit items for encryption, possibly an insider 1 ), or related keys used. There are no proofs that any of these practical proposals are sucient tests. 1.2 Block Ciphers A block cipher is an algorithm which takes in a xed-length message block (64 or 128 bits) and a key (not necessarily the same length), and produces a block of ciphertext of the same length as the original message block. The key is reused for many dierent message blocks, so it needs to be added in to the message in a \complex way." M: 64 bits E C: 64 bits fixed length message block K fixed length cyphertext block Figure 1: General Block Cipher Feistel ciphers are based on a certain (public domain) style of design. For such a cipher, the key K is broken into round keys fk 1 ;K 2 ;K 3 ; :::K n g, and the message M broken into left and right halves L and R. For each of n rounds, the operation L Lf(K i ;R) is executed, followed by an exchange of L and R. After n rounds, the nal left and right halves are swapped and concatenated to return as the ciphertext. Decrypting is straightforward, as it is possible with the key to recompute the the round keys and each f(r; K i ) in turn, and the XOR function is its own inverse. The nal swap of the two halves of the ciphertext allows decryption to be done with the same hardware as encryption, with only reversing the order of the round keys necessary. 1 The eld of dierential cryptanalysis is based on analyzing CT/PT pairs with slight dierences.

1.2 Block Ciphers 3 How the key is turned into round keys and the selection of the function f(r; K i ) are the distinguishing features of specic Feistel ciphers. The design of a good function f(r; K i )isanart form. In 1993, Wiener proposed to build for one million dollars a machine that would crack a Feistel cipher in seven hours. Matsui did undertake to break one, and found akey in about 50 hours after searching 2 42 plaintext/ciphertext pairs 2. The recent Internet Challenge this year did so as well, applying a full keyspace search run in spare cycles on machines scattered across the net. DES, the national Data Encryption Standard, is a Feistel-type cipher of sixteen rounds, using a 64 bit message block and a 56 bit key. The round keys are generated by selecting 48 bits out of the 56. The function f(r; K i ) expands R from 32 to 48 bits, XORs R with K i, breaks the resulting sequence into six bit chunks, looks up each six bit chunk in a table of \S-boxes" to get back four bits, scrambles the resulting 32 bits, and returns the result. 3 One of many functions of the S-boxes is to magnify the eect of changes in the plaintext on the ciphertext. The NSA was involved in the design of DES; the motivation and eect of the changes they proposed has been debated. Current dierential analysis suggests that their changes to the S-boxes strengthened DES, but the NSA pushed for the 56 bit key length { down from 128 bits that had been suggested. Variations on DES in use now as possibly stronger include DESX, wherein C(M) = K 2 DES(K; M K 1 ), and triple DES, for which C(M) = DES K1 (DES,1 K 2 (DES K1 (M))) 4. DES is expected to be replaced as a national standard by AES, a cipher to be determined by the NIST. A call for proposals for a 128 bit block cipher with a 128 bit key is expected soon. Other block ciphers include Blowsh, IDEA, CAST, and RC5. RC5 is a Fiestel-type cipher, possibly to be proposed by Rivest for AES, in which the round function is L ((L R) <<< R) K i ), where <<< indicates rotation. 2 This using linear cryptanalysis, which looks at statistical variations in the ciphertext in relation to the plaintext. 3 See the applied cryptography book for details. 4 Double DES is vulnerable to bidirectional attacks, working forward from the plaintext and backwards from the ciphertext.

4 1 CONDITIONALLY SECURE CRYPTOGRAPHY 1.3 Modes of Operation of Block Ciphers Electronic Codebook Mode (ECB) is using a block cipher as-is { padding a message to a multiple of block length, breaking it into blocks, and encrypting it. This is rarely used in practice. Two matching blocks of of plaintext would produce matching blocks of ciphertext, and 64 bits is a small enough chunk that building meaningful messages out of known plaintext/ciphertext pairs would be a real danger. A one bit transmission error in this mode spoils a whole message block. Counter Mode uses a block cipher as a pseudo-random generator. Rather than encrypting the message text, a known string of numbers (possibly just f1; 2; 3; :::g) is encrypted in ECB mode, producing a string of output blocks fr 1 ;R 2 ;R 3 ; :::g, which are XORed with the message blocks to produce the ciphertext: C i M i c(k; i). This has the advantage that the ciphertext transmitted can be the same length as the message, no padding needed { extra characters at the end of the last random block are just dropped { and a one bit transmission error spoils only one bit. Output Feedback Mode, like counter mode, produces a string of \random" blocks which are XORed with the message to produce the ciphertext, but instead of feeding the cipher a xed sequence of numbers, each random block is used as input to the block cipher to generate the next (an initialization block is needed). This, too, needs no padding and loses only one bit to a one-bit transmission error. Cipher Block Chaining (CBC) XORs each message block with the ciphertext of the previous block before encrypting it; an initialization vector, possibly public, is XORed with the rst message block before encryption. This does require padding the message to a multiple of the block size, but cipher block stealing (below) can be used to create a ciphertext of the same size as the original message. A one-bit error in transmission will ruin one block and cause a one-bit error in decrypting the next. Cipher Block Stealing alters the last two ciphertext blocks of a message generated with CBC to avoid a ciphertext longer than the message text. The message is padded with zeros and CBC run as usual. Then the last ciphertext block is transmitted as the second to last, followed by only as many bits of the second-to-last (generated) as there are non-padding bits in the last message block. To recover the message, the last full ciphertext block is decrypted, yielding the second-to-last block generated XORed with the nal message block { but since the message was padded with zeros, the nal bits are the unmodied bits that were dropped from the second-to-last block (generated) before it was transmitted. The fractional transmitted block is combined with the decrypted nal block to recover the nal message block, and to decrypt to recover the second-to-last message block.

1.4 Message Authentication Codes with Block Ciphers 5 1.4 Message Authentication Codes with Block Ciphers Cipher Block Chaining can be used to generate a MAC using a block cipher. CBC is run as usual over the whole message (or ciphertext), and the last block, or a fraction of it, is appended as the MAC. This generates a xed-length MAC calculated from the entire text of the message. If the message is also being encrypted, a separate key is used to generate the MAC. (This is necessary if the message rather than the ciphertext is being authenticated, but is a separate key needed if the ciphertext is being authentication?) This CBC-based MAC is somewhat vulnerable for messages of non-xed length: given one-block message M 1 with MAC A 1, and message M 2 with MAC A 2, a second message (M 1 ;M 2 A 1 ) can be constructed which also has MAC A 2. MACs of this sort are therefore usually encrypted with another key.

6 1 CONDITIONALLY SECURE CRYPTOGRAPHY Li Ri f Ki Li+1 Ri+1 Figure 2: Feistel Cipher Ri: 32 bits expand to 48 bits -> 4 bits -> 4 bits Permu -> 4 bits Ki loo -> 4 bits Figure 3: DES: f(r; K i ) for one round

1.4 Message Authentication Codes with Block Ciphers 7 Ri E Ri+1 Ci+1 K Mi+1 Figure 4: Output Feedback Mode M1 M2 M3 IV K E E E C1 C2 C3 Figure 5: Cipher Block Chaining

8 1 CONDITIONALLY SECURE CRYPTOGRAPHY Mn-1 Mn Cn-2 K E E Cn & C Cn-1 Figure 6: Cipher Block Stealing

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information