CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz

Private-key encryption  Alice and Bob share a key K –Must be shared securely –Must be completely random –Must be kept completely secret from attacker –We don’t discuss (for now) how they do this  Plaintext - encryption - ciphertext - decryption  Decryption must recover the message!

Security through obscurity?  Always assume full details of crypto protocols and algorithms are public –Only secret information is a key  “Security through obscurity” is a bad idea…

Shift cipher  Attacks? –Key space is too small! –Insecure against ciphertext-only attack Frequency analysis Index of coincidence –If an attacker can recover the key, a scheme is clearly insecure What about the converse? –Multiple other attacks and problems

Substitution cipher  Attacks? –Much larger key space –Definitely not secure against known-plaintext attack –Also not secure against ciphertext-only attack (frequency analysis, digrams, trial and error) –Having a large key space is necessary, but not sufficient, to guarantee security… (Note that adversary can still recover the key)

Attacks…  A typical standard is security against chosen-plaintext attacks  Security against chosen-ciphertext attacks is increasingly required  Note that the one-time pad is insecure against known-plaintext attack

Moral of the story?  Don’t use “simple” schemes  Thoroughly analyze schemes before using –Better yet, use schemes that other, smarter people have already analyzed…  A good definition of security is critical

Re-thinking the problem  What do we mean by security? –I.e., not being able to determine the key?? –Types of attacks  Perfect security –One-time pad  Computational security –Block ciphers and modes of encryption –DES and AES

Notions of Security  What constitutes a “break”?  What kind of attacks?  Note: always assume adversary knows full details of the scheme (except the key…) –Never aim for “security through obscurity”

Security goals?  Adversary unable to recover the key –Necessary, but meaningless on its own…  Adversary unable to recover entire plaintext –Good, but is it enough?  Adversary unable to determine any information at all about the plaintext –Sounds great! –Can we achieve it?

One-time pad  (One-time pad)

Properties of one-time pad?  Achieves perfect secrecy –No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext  (Essentially) useless in practice… –Long key length –Can only be used once (hence the name!)