Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 12.

Published byDale Sullivan Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 12."— Presentation transcript:

1 Cryptography Lecture 12

2 Midterm exam Exam is Thursday Everyone in this room
Covers material up to and including last Thursday’s lecture Including padding-oracle attacks Open book/notes No electronic devices Practice midterm posted

3 Secure sessions

4 Secure sessions? Consider parties who wish to communicate securely over the course of a session “Securely” = secrecy and integrity “Session” = period of time over which the parties maintain state Use authenticated encryption…?

5 Enck(m1) Enck(m2) k k Enck(m3)

6 Is this enough?

7 Replay attack Enck(m1) Enck(m2) Enck(m1) k k

8 Re-ordering attack Enck(m1) Enck(m2) Enck(m2) Enck(m1) k k

9 Reflection attack Enck(m1) Enck(m2) k k Enck(m2)

10 Secure sessions These attacks (and others) can be prevented using counters/sequence numbers and identifiers

11 Enck(“Bob”| m1 | 1) Enck(“Bob” | m2 | 2) k k Enck(“Alice” | m3 | 1)

12 Secure sessions These attacks (and others) can be prevented using counters and identifiers Can also use a directionality bit in place of identifiers

13 Exam review

14 Historical schemes Shift, Vigenere, etc.
They are all easy to attack They are not used anymore The point of this material was to motivate the need for a more formal treatment, and to help introduce terminology

15 Perfect secrecy A more formal approach Definition of perfect secrecy
Definitions Proofs Definition of perfect secrecy The one-time pad achieves this definition Several inherent drawbacks of perfect secrecy The one-time pad is not used

16 Private-key encryption
If we want to overcome drawbacks of perfect secrecy, we must relax the definition Computational secrecy EAV-security (Computational) secrecy for encryption of one message We now need to rely on assumptions in order to prove security

17 Private-key encryption
Pseudorandom generators/stream ciphers Formal definition For now, we simply assume these exist Pseudo-one-time pad (Provable) EAV-security based on any PRG Message length longer than key length Not secure when multiple messages encrypted, or against chosen-plaintext attacks

18 Private-key encryption
CPA-security Security against chosen-plaintext attacks Requires randomized encryption! Pseudorandom functions/block ciphers Formal definition For now, we simply assume these exist (e.g., AES) Basic encryption scheme (Provable) CPA-security based on any PRF 2 ciphertext expansion

19 Private-key encryption
Modes of encryption CBC-mode, CTR-mode are both CPA-secure, and have ciphertext expansion of one block Synchronous/asynchronous stream-cipher modes These are all used extensively in the real world

20 Message authentication codes
Integrity as an orthogonal security concern Secrecy and integrity are different Encryption and message authentication are different Message authentication codes, and definition of security Basic MAC from any PRF Short, fixed-length messages only

21 Message authentication codes
Constructing a MAC on longer messages? Different attacks that need to be prevented (Basic) CBC-MAC Secure for fixed-length messages CBC-MAC Secure for arbitrary-length messages Used in the real world

22 CCA-security What about active attacks on encryption? CCA-security
This is a real-world problem (cf. padding-oracle attacks) CCA-security Security against chosen-ciphertext attacks None of the previous schemes satisfy this notion Can achieve it with encrypt-then-authenticate

23 Authenticated encryption
Communication with secrecy and integrity An AE scheme is an encryption scheme that achieves both CCA-security Unforgeability Can achieve it with encrypt-then-authenticate Other “natural” approaches do not work

24 Attacking encryption schemes
Let F be a block cipher Want to leak information about some encrypted message Fk(x) for new input x will look random! Cause F to be evaluated on same input twice When encrypting one message (e.g., ECB mode) When encrypting different messages (e.g., HW3) When decrypting (e.g., padding-oracle attack)

25 Attacking MACs Need to predict the tag of some message (without requesting the tag for that message!) Look at how verification is done Impossible to predict the value of Fk(x) on a new input x! Learn (information about) the value of Fk(x) by asking for tags of other messages Set things up so that Fk(x) cancels out in verification

Download ppt "Cryptography Lecture 12."

Similar presentations

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Symmetric Cryptography

Symmetric Cryptography
Authenticated encryption

Authenticated encryption
Modern symmetric-key Encryption

Modern symmetric-key Encryption
Secrecy of (fixed-length) stream ciphers

Secrecy of (fixed-length) stream ciphers

Similar presentations

Ads by Google