1. CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz

2. Attacks  Ciphertext only  Known plaintext  Chosen plaintext  Chosen ciphertext (includes chosen plaintext attacks)

3. Randomized encryption  To be secure against chosen-plaintext attack, encryption must be randomized –We will see later how this comes into play

4. Block ciphers  Keyed (invertible) permutation; input/output length  Large key space; large input/output length –Both are critical  Modeled as a (family of) random permutations…

5. A possible encryption scheme  Example – “trivial” encryption: –C = F K (m) –This is not randomized…

6. An improved scheme   Is this secure…?  What about for longer messages?

7. Modes of encryption  ECB –C i = F K (m i )  CBC –C i = F K (m i  C i-1 )  OFB (stream cipher mode) –z i = F K (z i-1 ); C i = z i  m i  CFB (stream cipher mode) –z i = F K (C i-1 ); C i = z i  m i

8. Security?  All previous modes (except ECB) are secure against chosen-plaintext attacks  None of these modes are secure against chosen-ciphertext attacks

9. Data Encryption Standard (DES)  Developed in 1977 by NBS  56-bit key, 64-bit input/output –A 64-bit key is derived from 56 random bits –One bit in each octet is a parity-check bit –The “short” key length is a major concern…

10. DES: High-level description  Encryption proceeds in a sequence of 16 rounds  Each round uses a 48-bit key (derived from the main key), acts on a 64-bit input, and produces a 64-bit output

11. DES: High-level description  Each round proceeds as follows: –Input is divided into (L, R) –L’ = R –R’ = L  F(K, R), where K is the round key –F is a non-invertible function! But we will see that decryption is still possible –(L’, R’) is then permuted in some fixed way to give the output at that round

12. 3-DES  Expands the key length  Now, key K = (K 1, K 2 ); |K| = 112  The “new” block cipher is just: –E K1,K2 (m) = DES K1 (DES -1 K2 (DES K1 (m)))  This is a permutation, and invertible…

13. Concerns about DES  Short key length –DES “cracker”, built for $250K, can break DES in days –Distributing the computation makes it faster  Some (theoretical) attacks have been found  Non-public design process  3-DES is fairly slow

14. AES  Public contest sponsored by NIST in ’97 –Narrowed to 5 finalists –4 years of intense analysis  Efficiency and security taken into account  128-bit key length and 128-bit block size (minimum)  Rijndael selected as the AES –Supports variety of block/key sizes

15. Other ciphers?  IDEA  RC4  No compelling reason to use anything other than AES, in general –Unless (possibly) you have very specific performance requirements –Even then, think twice

16. Public-key encryption (PKE)

17. Why PKE?  Problem with private-key encryption is the need to securely share keys  PKE allows users to publish their public key widely –only need to keep their private key secret  Development of PKE was a huge advance –All classical systems, for 1000 years, were symmetric-key based

18. Some basic number theory  Modular arithmetic: Z p, Z N  Euclidean gcd algorithm, inverses, Z * N  Efficient modular exponentiation  Groups, order,  (N), Fermat’s theorem  Primality testing