MAC. SKE in Practice. Lecture 5

Similar documents
Symmetric Crypto MAC. Pierre-Alain Fouque

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Authenticated encryption

Talk announcement please consider attending!

Lecture 9 - Message Authentication Codes

1 Construction of CCA-secure encryption

Lecture 13: Message Authentication Codes

Table of Contents. Bibliografische Informationen digitalisiert durch

Authentication and Encryption: How to order them? Motivation

Provable-Security Analysis of Authenticated Encryption in Kerberos

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

1 Message Authentication

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Message Authentication Code

CSCE 465 Computer & Network Security

EXAM questions for the course TTM Information Security May Part 1


CS155. Cryptography Overview

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptography and Network Security

Message Authentication Codes. Lecture Outline

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Cryptographic Hash Functions Message Authentication Digital Signatures

Message Authentication Codes

CS 758: Cryptography / Network Security

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Lecture 4 Data Encryption Standard (DES)

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

On the Security of CTR + CBC-MAC

Modes of Operation of Block Ciphers

CIS433/533 - Computer and Network Security Cryptography

Cryptography and Network Security Chapter 3

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Overview of Symmetric Encryption

How To Understand And Understand The History Of Cryptography

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Message authentication

Message Authentication Codes 133

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography Overview

Cryptography & Network Security

Chapter 8. Network Security

Message Authentication

CRYPTOGRAPHY IN NETWORK SECURITY

1 Signatures vs. MACs

Cryptography and Network Security Chapter 12

Authentication requirement Authentication function MAC Hash function Security of

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Reconsidering Generic Composition

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

How To Encrypt With A 64 Bit Block Cipher

Chapter 10. Network Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Chapter 6 CDMA/802.11i

Ciphertext verification security of symmetric encryption schemes

Client Server Registration Protocol

Digital Signatures. Prof. Zeph Grunschlag

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security Technology Network Management

Chapter 3. Network Domain Security

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

IT Networks & Security CERT Luncheon Series: Cryptography

Network Security. Omer Rana

CryptoVerif Tutorial

Lecture 15 - Digital Signatures

On the Security of the CCM Encryption Mode and of a Slight Variant

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

EXAM questions for the course TTM Information Security June Part 1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Lecture 9 - Network Security TDTS (ht1)

1 Data Encryption Algorithm

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

The Advanced Encryption Standard: Four Years On

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

1 Domain Extension for MACs

Security Protocols/Standards

Hash Functions. Integrity checks

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Information Security

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Computational Soundness of Symbolic Security and Implicit Complexity

Security and Authentication Primer

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

The Misuse of RC4 in Microsoft Word and Excel

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Transcription:

MAC. SKE in Practice. Lecture 5

Active Adversary

Active Adversary An active adversary can inject messages into the channel

Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted

Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA)

Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible

Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve, no security possible What can Bob do?

Symmetric-Key Encryption RECALL SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

Symmetric-Key Encryption RECALL SIM-CCA Security Invalid ciphertexts are silently ignored Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

Symmetric-Key Encryption RECALL SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

Symmetric-Key Encryption RECALL Alternately (slightly weaker form): Adv can send its own messages SIM-CCA Security Send Recv Key/Enc Key/Dec SIM-CCA secure if: s.t. Replay Filter REAL IDEAL IDEAL Env Env REAL

Symmetric-Key Encryption RECALL IND-CCA Security Experiment picks b {0,1} and K KeyGen Adv gets (guarded) access to Dec K oracle For as long as Adversary wants Key/Enc Enc(m b,k) IND-CCA + ~correctness equivalent to SIM-CCA Key/Dec Adv sends two messages m 0, m 1 to the experiment Expt returns Enc(m b,k) to the adversary m b m 0,m 1 No challenge ciphertext answered Adversary returns a guess b Experiments outputs 1 iff b =b IND-CCA secure if for all feasible adversaries Pr[b =b] 1/2 b b b {0,1} b =b? Yes/No

Symmetric-Key Encryption RECALL IND-CCA Security Experiment picks b {0,1} and K KeyGen Adv gets (guarded) access to Dec K oracle For as long as Adversary wants Key/Enc Weaker Enc(m b,k) IND-CCA + ~correctness equivalent to SIM-CCA Key/Dec Adv sends two messages m 0, m 1 to the experiment Expt returns Enc(m b,k) to the adversary m b m 0,m 1 No challenge ciphertext answered Adversary returns a guess b Experiments outputs 1 iff b =b IND-CCA secure if for all feasible adversaries Pr[b =b] 1/2 b b b {0,1} b =b? Yes/No

CCA Security

CCA Security How to obtain CCA security?

CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice

CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob

CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob

CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication

CCA Security How to obtain CCA security? Use a CPA-secure encryption scheme, but make sure Bob accepts and decrypts only ciphertexts produced by Alice i.e., Eve can t create new ciphertexts that will be accepted by Bob Achieves the stronger guarantee: in IDEAL, Eve can t send its own messages to Bob CCA secure SKE reduces to the problem of CPA secure SKE and (shared key) message authentication MAC: Message Authentication Code

Message Authentication Codes

Message Authentication Codes A single short key shared by Alice and Bob

Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages

Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) MAC K Ver K

Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) MAC K Ver K Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1

Message Authentication Codes A single short key shared by Alice and Bob Can sign any (polynomial) number of messages A triple (KeyGen, MAC, Verify) Correctness: For all K from KeyGen, and all messages M, Verify K (M,MAC K (M))=1 Security: probability that an adversary can produce (M,s) s.t. Verify K (M,s)=1 is negligible unless Alice produced an output s=mac K (M) MAC K s i = MAC K (M i ) M i (M,s) Ver K Ver K (M,s) Advantage = Pr[ Ver K (M,s)=1 and (M,s) {(M i,s i )} ]

CCA Secure SKE

CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) )

CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction

CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up)

CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up) SKE in practice can just use Block-Ciphers (coming up)

CCA Secure SKE CCA-Enc K1,K2 (m) = ( c:= CPA-Enc K1 (m), t:= MAC K2 (c) ) CPA secure encryption: Block-cipher/CTR mode construction MAC: from a PRF or Block-Cipher (coming up) SKE in practice can just use Block-Ciphers (coming up) In principle, constructions (less efficient) possible based on any One-Way Permutation or even any One-Way Function

Making a MAC

One-time MAC MAC Ver

One-time MAC To sign a single n bit message MAC Ver

One-time MAC To sign a single n bit message A simple (but inefficient) scheme MAC Ver

One-time MAC To sign a single n bit message A simple (but inefficient) scheme Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC Ver r r r r r r

One-time MAC To sign a single n bit message A simple (but inefficient) scheme Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC 010 Ver r r r r r r

One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n r r r r r r

One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r

One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r Doesn t require any computational restrictions on adversary!

One-time MAC To sign a single n bit message A simple (but inefficient) scheme 010 Shared secret key: 2n random strings (each k-bit long) (r i 0,r i 1) i=1..n MAC r 1 0 r 2 1 r 3 0 Ver Signature for m 1...m n be (r i mi) i=1..n Negligible probability that Eve can produce a signature on m m r r r r r r Doesn t require any computational restrictions on adversary! More efficient one-time MACs exist (later)

(Multi-msg) MAC from PRF When Each Message is a Single Block

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC!

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF M F K F K (M)

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) M F K F K (M)

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M)

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?]

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?] Advantage in breaking a PRF F: diff in prob a test has of outputting 1, when given F vs. truly random R

(Multi-msg) MAC from PRF When Each Message is a Single Block PRF is a MAC! MAC K (M) := F K (M) where F is a PRF Ver K (M,S) := 1 iff S=F K (M) Output length of F K should be big enough M F K F K (M) If an adversary forges MAC with probability MAC, then can break PRF with advantage O( MAC 2 -m(k) ) (m(k) being the output length of the PRF) [How?] If random function R used as MAC, then probability of forgery, MAC* = 2 -m(k) Advantage in breaking a PRF F: diff in prob a test has of outputting 1, when given F vs. truly random R

MAC for Multiple-Block Messages

MAC for Multiple-Block Messages What if message is longer than one block?

MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption)

MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks

MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs

MAC for Multiple-Block Messages What if message is longer than one block? MAC ing each block separately is not secure (unlike in the case of CPA secure encryption) Eve can rearrange the blocks/drop some blocks Could use a PRF that takes longer inputs Can we use a PRF with a fixed block-length (i.e., a block cipher)?

MAC for Multiple-Block Messages

MAC for Multiple-Block Messages A simple solution: tie the blocks together

MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number

MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i )

MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t )

MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging

MAC for Multiple-Block Messages A simple solution: tie the blocks together Add to each block a random string r (same r for all blocks), total number of blocks, and a sequence number B i = (r, t, i, M i ) MAC(M) = (r, (MAC(B i )) i=1..t ) r prevents mixing blocks from two messages, t prevents dropping blocks and i prevents rearranging Inefficient! Tag length increases with message length

CBC-MAC

CBC-MAC PRF domain extension: Chaining the blocks

CBC-MAC PRF domain extension: Chaining the blocks m 1 m 2 m t... F K F K F K T

CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) m 1 m 2 m t... F K F K F K T

CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag m 1 m 2 m t... F K F K F K T

CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T

CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T If restricted to t-block messages (i.e., same length)

CBC-MAC PRF domain extension: Chaining the blocks cf. CBC mode for encryption (which is not a MAC!) t-block messages, a single block tag Can be shown to be secure m 1 m 2 m t... F K F K F K T If restricted to t-block messages (i.e., same length) Else attacks possible (by extending a previously signed message)

Patching CBC-MAC

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is):

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori.

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks.

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation. 2005

Patching CBC-MAC Patching CBC MAC to handle message of any (polynomial) length but still producing a single block tag (secure if block-cipher is): Derive K as F K (t), where t is the number of blocks Use first block to specify number of blocks Important that first block is used: if last block, message extension attacks still possible EMAC: Output not the last tag T, but F K (T), where K is an independent key (after padding the message to an integral number of blocks). No need to know message length a priori. CMAC: XOR last block with another key (derived from the original key using the block-cipher). Avoids padding when message is integral number of blocks. NIST Recommendation. 2005 Later: Hash-based HMAC used in TLS and IPSec IETF Standard. 1997

SKE in Practice

Stream Ciphers

Stream Ciphers Used for one-time encryption

Stream Ciphers Used for one-time encryption RC4, estream portfolio,...

Stream Ciphers Used for one-time encryption RC4, estream portfolio,... In practice, stream ciphers take a key and an IV (for initialization vector) as inputs

Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs

Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption

Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way

Stream Ciphers Used for one-time encryption RC4, estream portfolio,... Also used to denote the random nonce chosen for encryption using a block-cipher In practice, stream ciphers take a key and an IV (for initialization vector) as inputs Heuristic goal: behave somewhat like a PRF (instead of a PRG) so that it can be used for multi-message encryption But often breaks if used this way NIST Standard: For multi-message encryption, use a blockcipher in CTR mode

Block Ciphers

Block Ciphers DES, 3DES, Blowfish, AES,...

Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions

Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key

Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence

Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks

Block Ciphers DES, 3DES, Blowfish, AES,... Heuristic constructions Permutations that can be inverted with the key Speed (hardware/software) is of the essence But should withstand known attacks As a PRP (or at least, against key recovery)

Feistel Network

Feistel Network Building a permutation from a (block) function

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) f 1

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) f 1

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) f 1

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft f 1

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft f1 f 2

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m f1 f 2

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m Luby-Rackoff: A 3-layer Feistel network, in which 3 PRFs with independent seeds are the 3 round functions, is a PRP. A 4-layer Feistel gives a strong PRP f1 f 2

Feistel Network Building a permutation from a (block) function Let f: {0,1} m {0,1} m be an arbitrary function F f : {0,1} 2m {0,1} 2m defined as F f (x,y) = ( y, x f(y) ) F f is a permutation (Why?) Can invert (How?) Given functions f 1,...,f t can build a t-layer Feistel network F f1...ft Still a permutation from {0,1} 2m to {0,1} 2m Luby-Rackoff: A 3-layer Feistel network, in which 3 PRFs with independent seeds are the 3 round functions, is a PRP. A 4-layer Feistel gives a strong PRP Fewer layers do not suffice! [Exercise] f1 f 2

DES Block Cipher

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps)

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day)

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day) DES-X: extra keys to pad input and output

NIST Standard. 1976 DES Block Cipher Data Encryption Standard (DES), Triple-DES, DES-X DES uses a 16-layer Feistel network (and a few other steps) The round functions are not PRFs, but ad hoc Confuse and diffuse Defined for fixed key/block lengths (56 bits and 64 bits); key is used to generate subkeys for round functions DES s key length too short Can now mount brute force key-recovery attacks (e.g. using $10K hardware, running for under a week, in 2006; now, in under a day) DES-X: extra keys to pad input and output Triple DES: 3 successive applications of DES (or DES -1 ) with 3 keys

AES Block Cipher

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES)

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits)

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES)

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 )

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks?

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks? Some implementations may lead to side-channel attacks (e.g. cache-timing attacks)

NIST Standard. 2001 AES Block Cipher Advanced Encryption Standard (AES) AES-128, AES-192, AES-256 (3 key sizes; block size = 128 bits) Very efficient in software implementations (unlike DES) Uses Substitute-and-Permute instead of Feistel networks Has some algebraic structure Operations in a vector space over the field GF(2 8 ) The algebraic structure may lead to attacks? Some implementations may lead to side-channel attacks (e.g. cache-timing attacks) No simple hardness assumption known to imply any sort of security for AES

By Jeff Moser (http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html)

Cryptanalysis

Cryptanalysis Attacking stream ciphers and block ciphers

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks Sometimes theoretical : on weakened ( reduced round ) constructions, showing improvement over brute-force attack

Cryptanalysis Attacking stream ciphers and block ciphers Typically for key recovery Brute force cryptanalysis, using specialized hardware e.g. Attack on DES in 1998 Several other analytical techniques to speed up attacks Sometimes theoretical : on weakened ( reduced round ) constructions, showing improvement over brute-force attack Meet-in-the-middle, linear cryptanalysis, differential cryptanalysis, impossible differential cryptanalysis, boomerang attack, integral cryptanalysis, cube attack,...

Authenticated Encryption

Authenticated Encryption Doing encryption + authentication better

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented]

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented] Two pass: CCM, GCM, SIV,... [included in NIST standards]

Authenticated Encryption Doing encryption + authentication better Generic composition: encrypt, then MAC Needs two keys and two passes AE aims to do this more efficiently Several constructions based on block-ciphers (modes of operation) provably secure modeling block-cipher as PRP One pass: IAPM, OCB,... [patented] Two pass: CCM, GCM, SIV,... [included in NIST standards] AE with Associated Data: Allows unencrypted (but authenticated) parts of the plaintext, for headers etc.

SKE today

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC)

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes In many applications (sometimes with modifications)

SKE today SKE in IPsec, TLS etc. mainly based on AES block-ciphers AES-128, AES-192, AES-256 Recommended: AES Counter-mode + CMAC (or HMAC) Gives CCA security, and provides authentication Older components/modes still in use Supported by many standards for legacy purposes In many applications (sometimes with modifications) e.g. RC4 in BitTorrent, Skype, PDF

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information