Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 11.

Published byอุกิต เก่งงาน Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 11."— Presentation transcript:

1 Cryptography Lecture 11

2 Historical schemes Shift, Vigenere, etc.
They are all easy to attack They are not used anymore The point of this material was to motivate the need for a more formal treatment

3 Perfect secrecy A more formal approach Definition of perfect secrecy
Definitions Proofs Definition of perfect secrecy The one-time pad achieves this definition Several inherent drawbacks of perfect secrecy The one-time pad is not used

4 Private-key encryption
If we want to overcome drawbacks of perfect secrecy, we must relax the definition Computational secrecy EAV-security (Computational) secrecy for encryption of one message We now need to rely on assumptions in order to prove security

5 Private-key encryption
Pseudorandom generators/stream ciphers Formal definition For now, we simply assume these exist Pseudo-one-time pad (Provable) EAV-security based on any PRG Message length longer than key length Not secure when multiple messages encrypted, or against chosen-plaintext attacks

6 Private-key encryption
CPA-security Security against chosen-plaintext attacks Requires randomized encryption! Pseudorandom functions/block ciphers Formal definition For now, we simply assume these exist (e.g., AES) Basic encryption scheme (Provable) CPA-security based on any PRF 2x ciphertext expansion

7 Private-key encryption
Modes of encryption CBC-mode, CTR-mode are both CPA-secure, and have ciphertext expansion of one block Stream-cipher modes These are used extensively in the real world CCA-security Security against chosen-ciphertext attacks This is a real-world problem (cf. many attacks possible) None of the schemes we have seen so far satisfy this notion of security

8 Message authentication codes
Integrity as an orthogonal security concern Secrecy and integrity are different Encryption and message authentication are different Message authentication codes, and definition of security Basic MAC from any PRF Short, fixed-length messages only

9 Message authentication codes
Constructing a MAC on longer messages? Different attacks to watch out for (Basic) CBC-MAC Secure for fixed-length messages CBC-MAC Secure for arbitrary-length messages Used in the real world

10 Authenticated encryption
Communication with secrecy and integrity An AE scheme is an encryption scheme that achieves both CCA-security Unforgeability Encrypt and authenticate is not a sound generic construction

11 Authenticated encryption

12 Secrecy + integrity? We have shown primitives for achieving secrecy and integrity in the private-key setting What if we want to achieve both?

13 Authenticated encryption
An encryption scheme that achieves both secrecy and integrity Secrecy notion: CCA-security Integrity notion: unforgeability Adversary cannot generate ciphertext that decrypts to a previously unencrypted message

14 Generic constructions
Generically combine an encryption scheme and a MAC Useful when these are already available in some library Goal: the combination should be an authenticated encryption scheme when instantiated with any CPA-secure encryption scheme and any secure MAC

15 Generic constructions?
Encrypt and authenticate Authenticate then encrypt Encrypt then authenticate

16 Encrypt and authenticate
c, t k1, k2 k1, k2 m c  Enck1(m) t = Mack2(m) m = Deck1(c) Vrfyk2(m, t) = 1?

17 Problems The tag t might leak information about m!
Nothing in the definition of security for a MAC implies that it hides information about m So the combination may not even be EAV-secure If the MAC is deterministic (as is CBC-MAC), then the tag leaks whether the same message is encrypted twice I.e., the combination will not be CPA-secure

18 Authenticate then encrypt
k1, k2 k1, k2 m t = Mack2(m) c  Enck1(m | t) m | t = Deck1(c) Vrfyk2(m, t) = 1?

19 Problems Counterexamples are possible
The combination may not be CCA-secure

20 Encrypt then authenticate
c, t k1, k2 k1, k2 m c  Enck1(m) t = Mack2(c) Vrfyk2(c, t) = 1? m = Deck1(c)

21 Security? If the encryption scheme is CPA-secure and the MAC is secure (with unique tags) then this is an authenticated encryption scheme It achieves something even stronger: Given ciphertexts corresponding to (chosen) plaintexts m1,…, mk, it is infeasible for an attacker to generate any new, valid ciphertext!

22 Authenticated encryption
Encrypt-then-authenticate (with independent keys) is the recommended generic approach for constructing authenticated encryption In fact, academia tend to use a stronger integrity notion --- integrity of ciphertext Adversary cannot forge a new ciphertext (Not required in this course)

23 Direct constructions Other, more-efficient constructions have been proposed and are an active area of research and standardization E.g., OCB, CCM, GCM, SIV Others… Active competition:

24 Secure sessions

25 Secure sessions? Consider parties who wish to communicate securely over the course of a session “Securely” = secrecy and integrity “Session” = period of time over which the parties are willing to maintain state Can use authenticated encryption…

26 Enck(m1) Enck(m2) k k Enck(m3)

27 Replay attack Enck(m1) Enck(m2) Enck(m1) k k

28 Re-ordering attack Enck(m1) Enck(m2) Enck(m2) Enck(m1) k k

29 Reflection attack Enck(m1) Enck(m2) k k Enck(m2)

30 Secure sessions These attacks (and others) can be prevented using counters/sequence numbers and identifiers

31 Enck(“Bob”| m1 | 1) Enck(“Bob” | m2 | 2) k k Enck(“Alice” | m3 | 1)

32 Secure sessions These attacks (and others) can be prevented using counters and identifiers Can also use a directionality bit in place of identifiers

Download ppt "Cryptography Lecture 11."

Similar presentations

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Shambhu Upadhyaya 1 802.11 Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)

Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:

Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Symmetric Cryptography

Symmetric Cryptography
Authenticated encryption

Authenticated encryption
Modern symmetric-key Encryption

Modern symmetric-key Encryption
Secrecy of (fixed-length) stream ciphers

Secrecy of (fixed-length) stream ciphers
Cryptography Lecture 9.

Cryptography Lecture 9.

Similar presentations

Ads by Google