CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz
Attacks Ciphertext only Known plaintext Chosen plaintext Chosen ciphertext (includes chosen plaintext attacks)
Randomized encryption To be secure against chosen-plaintext attack, encryption must be randomized –We will see later how this comes into play
Block ciphers Keyed (invertible) permutation; input/output length Large key space; large input/output length –Both are critical Modeled as a (family of) random permutations…
A possible encryption scheme Example – “trivial” encryption: –C = F K (m) –This is not randomized…
An improved scheme Is this secure…? What about for longer messages?
Modes of encryption ECB –C i = F K (m i ) CBC –C i = F K (m i C i-1 ) OFB (stream cipher mode) –z i = F K (z i-1 ); C i = z i m i CFB (stream cipher mode) –z i = F K (C i-1 ); C i = z i m i
Security? All previous modes (except ECB) are secure against chosen-plaintext attacks None of these modes are secure against chosen-ciphertext attacks
Data Encryption Standard (DES) Developed in 1977 by NBS 56-bit key, 64-bit input/output –A 64-bit key is derived from 56 random bits –One bit in each octet is a parity-check bit –The “short” key length is a major concern…
DES: High-level description Encryption proceeds in a sequence of 16 rounds Each round uses a 48-bit key (derived from the main key), acts on a 64-bit input, and produces a 64-bit output
DES: High-level description Each round proceeds as follows: –Input is divided into (L, R) –L’ = R –R’ = L F(K, R), where K is the round key –F is a non-invertible function! But we will see that decryption is still possible –(L’, R’) is then permuted in some fixed way to give the output at that round
3-DES Expands the key length Now, key K = (K 1, K 2 ); |K| = 112 The “new” block cipher is just: –E K1,K2 (m) = DES K1 (DES -1 K2 (DES K1 (m))) This is a permutation, and invertible…
Concerns about DES Short key length –DES “cracker”, built for $250K, can break DES in days –Distributing the computation makes it faster Some (theoretical) attacks have been found Non-public design process 3-DES is fairly slow
AES Public contest sponsored by NIST in ’97 –Narrowed to 5 finalists –4 years of intense analysis Efficiency and security taken into account 128-bit key length and 128-bit block size (minimum) Rijndael selected as the AES –Supports variety of block/key sizes
Other ciphers? IDEA RC4 No compelling reason to use anything other than AES, in general –Unless (possibly) you have very specific performance requirements –Even then, think twice
Public-key encryption (PKE)
Why PKE? Problem with private-key encryption is the need to securely share keys PKE allows users to publish their public key widely –only need to keep their private key secret Development of PKE was a huge advance –All classical systems, for 1000 years, were symmetric-key based
Some basic number theory Modular arithmetic: Z p, Z N Euclidean gcd algorithm, inverses, Z * N Efficient modular exponentiation Groups, order, (N), Fermat’s theorem Primality testing