Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman

Published byLaureen Long Modified over 8 years ago

Similar presentations

Presentation on theme: "Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman"— Presentation transcript:

1 Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S15/

2 Administrative stuff Schedule updated – More changes soon, but they won’t be major Watch for quiz announcements Periodically check main page for news and schedule page for changes and slides http://www.cis.ksu.edu/~eyv/CIS755_S15/ Paper reading and the “huh?” moment

3 Basic cryptographic primitives Confidentiality (encryption) – Symmetric (e.g. AES) – Asymmetric (e.g. RSA) Hash functions Integrity and authentication – Symmetric (authentication codes) – Asymmetric (signatures) Key agreement Random numbers

4 Security properties of encryption Semantic security Chosen plaintext security (IND-CPA) Chosen ciphertext security (IND-CCA) – IND-CCA2 Security proof “games”

5 NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!

6 Always state your assumptions!

7 Aside: Information theory Conditional vs. unconditional security – Unconditional, e.g. one-time pad – Conditional e.g. RSA, AES … Symmetric encryption Hash functions Remember: confusion and diffusion

8 Basic (but more complex) primitives Confidentiality (encryption) – Symmetric (e.g. AES), asymmetric (e.g. RSA) – Malleable vs. non-malleable – Deterministic vs. randomized Hash functions Message authentication codes, signatures Random numbers Key agreement

9 Some basic cryptographic primitives Confidentiality (encryption) – Symmetric (e.g. AES)E K (M),D K (M) – Asymmetric (e.g. RSA)E PK (M),D SK (M) Hash functions (e.g. SHA-3)h(M) Integrity and authentication – Symmetric (MACs)MAC K (M) – Asymmetric (signatures)Sig SK (M),V PK (M) Key agreement Random numbersn = nonce or E -1

10 Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40-bit key = 64-bit security Example: WEP – IV, RC4(IV, k)  (M, c(M)) – Claim: 24-bit IV + 40- bit key = 64-bit security On your right: text from Jonathan Katz Aside: composability Is this secure against chosen-plaintext attacks? – It is randomized… 40-bit key (in some implementations)! – Claims that, with IV, this gives a 64-bit effective key(!) And how is the IV chosen? – Only 24 bits long -- IV repetitions are a problem! – Reset to 0 upon re-initialization – Some implementations increment the IV as a counter A repeating IV allows the attacker to compute the XOR of two plaintexts – We have discussed already how this can be damaging Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs – If portions of some plaintexts known, this enables determination of other plaintexts Known-plaintext attacks discovered on this usage of RC4 – Possible because the first byte of plaintext is a fixed, known header! Chosen-plaintext attacks – Send IP traffic/e-mail to the mobile host and watch it get forwarded – Transmit broadcast messages to access point – Authentication spoofing No cryptographic integrity protection – The checksum is linear (i.e., c(x  y) = c(x)  c(y)) and unkeyed, and therefore easy to attack – Allows IP redirection attack – Allows TCP “reaction” attacks Look at whether TCP checksum is valid Form of chosen-ciphertext attack Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce) – Allows easy spoofing after eavesdropping

11 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?

12 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

13 Block cipher modes of operation ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS Differences, i.e. why do we care? Some are parallelizable (GCM) Some are self-synchronizing (CFB)

14 Modes of operation (ECB) Images borrowed from Wikipedia :)

15 Modes of operation (CBC) Images borrowed from Wikipedia :)

16 Modes of operation (CFB) Images borrowed from Wikipedia :)

17 Modes of operation (CTR) Images borrowed from Wikipedia :) VS. ECB

18 Questions?

19 Authenticity and integrity Basic ideas: – Authenticity: the message was produced by a specific known subject Authentication ≠ integrity – Integrity: the message has not been altered between source and destination Messages without integrity protection vulnerable to chosen ciphertext attack

20 Hash functions Collision-resistant (2 k or 2 k/2 ) One-way – Preimage (1 st, 2 nd ) resistant (2 k ) Entropy of input and entropy of output – Output “looks random” Some hashes have partial proofs, e.g. reduction to AES

21 Symmetric authentication Message Authentication Codes (MACs) Pre-shared keys Symmetric means…? – Either party can create a correct MAC – Deniable Chained MACs… why? See TESLA authenticated multicast: http://sparrow.ece.cmu.edu/~adrian/projects/tesla- cryptobytes/tesla-cryptobytes.pdf

22 MACs “Keyed hash” (MAC from a cryptographically-secure hash function) – Hash  Block cipher (CBC or CFB)  MAC Hybrid modes e.g. CBC-MAC – Secrecy plus authenticity (2-party) Remember to use different keys for MAC and encryption… why?

23 MAC examples Example: HMAC – h is a cryptographically-secure hash (or not!) – HMAC K (M) = h(K ⊕ pad 1, h(K ⊕ pad 2, M)) Example: UMAC http://www.springerlink.com/content/ft35c6ha1r8mgv8k/ Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt

24 More MACs BAD: MAC K = h(K,M) or MAC K = h(M,K) GOOD: HMAC K (M) = h(K ⊕ pad 1,h(K ⊕ pad 2, M)) Encrypt-then-MAC provably more secure – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page) Full encrypted and authenticated message: E K1 (M), MAC K2 (E K1 (M))

25 Random numbers True random numbers (RNG) – “Quantum” entropy Pseudorandom numbers – PRNG e.g. block cipher in CTR mode – With refresh, more advanced features…

26 Asymmetric cryptography The idea: base security properties on mathematical statements – Facts or assumptions We need to be familiar with our toolset NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!

27 Asymmetric No pre-shared keys Public and secret keys (key pairs) Asymmetric means…? – Non-repudiable Key agreement, e.g. Diffie-Hellman – Not like sending password in the clear Mathematical proof based on conjecture – Variants of conjecture (important)

28 Security (strength) Key size * – Commonly 2 256 for AES, 2 2048 for RSA – What is a [good] key? Underlying cryptosystem/primitives Composition e.g. MAC with broken underlying hash function may not itself be broken

29 Current state of symmetric encryption DES is too weak (56-bit key) 3DES is weak (168-bit keys but only 2 112 security – “meet-in-the-middle” attack) Recent weaknesses in AES: – AES-256 (2 254.4 ) AES-192 (2 189.7 ) AES-128 (2 126.1 ) http://research.microsoft.com/en- us/projects/cryptanalysis/aesbc.pdf

30 Current state of hash functions MD5 is broken – http://www.win.tue.nl/hashclash/ http://www.win.tue.nl/hashclash/ SHA-1 is known to be weak – http://theory.csail.mit.edu/~yiqun/shanote.pdf (2 69 ) http://theory.csail.mit.edu/~yiqun/shanote.pdf – http://eprint.iacr.org/2004/304 (2 106, generalizable) http://eprint.iacr.org/2004/304 – SHA-256 (variant) is even weaker SHA-3 currently in “development” (NIST) – We have a winner: all hail Keccak (SHA-3)! – http://csrc.nist.gov/groups/ST/hash/sha-3/ http://csrc.nist.gov/groups/ST/hash/sha-3/

31 Questions?

32 Exercise How do we design a naïve asymmetric encryption scheme from everything we have learned so far? RSA does not provide integrity. Why? Malleable vs. non-malleable Why might we sometimes want malleable?

Download ppt "Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman"

Similar presentations

ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Cryptography & Security Presented April 16, 2010 By Dave Stycos, Zocalo Data Systems.

Cryptography & Security Presented April 16, 2010 By Dave Stycos, Zocalo Data Systems.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Web Security for Network and System Administrators1 Chapter 4 Encryption.

Web Security for Network and System Administrators1 Chapter 4 Encryption.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 8 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google