Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 3: Cryptography II CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.

Published byEmery Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 3: Cryptography II CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena."— Presentation transcript:

1 Lecture 3: Cryptography II CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena

2 Course Administration Everyone receiving my emails? Lecture slides worked okay? – Both ppt and pdf versions Everyone knows how to access the course web page? HW/Lab 1 heads up – To be posted coming Monday – Labs become active starting next week 2

3 Outline of Today’s Lecture Block Cipher Modes of Encryption Public Key Crypto Overview Number Theory Background Public Key Encryption (RSA) Public Key Signatures 3

4 Block Cipher Encryption Modes 1/12/2016Lecture 1 - Introduction4

5 Lecture 2 - Cryptography - I Block Cipher Encryption modes Electronic Code Book (ECB) Cipher Block Chain (CBC) – Most popular one Others (we will not cover) – Cipher Feed Back (CFB) – Output Feed Back (OFB) 1/12/20165

6 Lecture 2 - Cryptography - I Analysis We will analyze each mode in terms of: Security Computational Efficiency (parallelizing encryption/decryption) Transmission Errors Integrity Protection 1/12/20166

7 Lecture 2 - Cryptography - I Electronic Code Book (ECB) Mode Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode. Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext 1/12/20167

8 Example – why ECB is bad? 1/12/2016Lecture 2 - Cryptography - I8 Tux Tux encrypted with AES in ECB mode

9 Lecture 2 - Cryptography - I Cipher Block Chain (CBC) Mode 1/12/20169 encryption decryption

10 Lecture 2 - Cryptography - I CBC Traits Randomized encryption IV – Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation IV is a random value IV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext) 1/12/201610

11 Example – why CBC is good? 1/12/2016Lecture 2 - Cryptography - I11 Tux Tux encrypted with AES in CBC mode

12 Lecture 2 - Cryptography - I CBC – More Properties What happens if k-th cipher block C K gets corrupted in transmission. – With ECB – Only decrypted P K is affected. – With CBC? Only blocks P K and P K+1 are affected!! What if one plaintext block P K is changed? – With ECB only C K affected. – With CBC all subsequent ciphertext blocks will be affected. “Avalanche effect” – This leads to an effective integrity protection mechanism (or message authentication code (MAC)) 1/12/201612

13 Security of Block Cipher Modes ECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks) CBC is secure against CPA attacks (assuming 3- DES or AES is used in each block computation); automatically secure against eavesdropping attacks However, not secure against CCA. Why? Intuitively, this is because the ciphertext can be “massaged” in a meaningful way 13

14 CBC Mode CCA Attack Assume adversary has eavesdropped upon a ciphertext – (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV. Adversary is not allowed to query for (C0, C1, C2) itself With CBC, adversary queries for (C0’, C1, C2) and obtains (M1’, M2) [X’ denotes bit-wise complement of X] 14

15 How to achieve CCA security? Prevent any massaging of the ciphertext Intuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study later The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext Both ciphertext and the MAC is sent off The other party decrypts only if MAC is valid 1/12/2016 Lecture 2.3 - Private Key Cryptography III 15

16 Advanced Encryption Standard (AES) National Institute of Science and Technology – DES is an aging standard that no longer addresses today’s needs for strong encryption – Triple-DES: Endorsed by NIST as today’s defacto standard AES: The Advanced Encryption Standard – Finalized in 2001 – Goal – To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents – AES candidate algorithms were required to be: Symmetric-key, supporting 128, 192, and 256 bit keys Royalty-Free Unclassified (i.e. public domain) Available for worldwide export Lecture 2.3 - Private Key Cryptography III 1/12/201616

17 AES AES Round-3 Finalist Algorithms: – MARS Candidate offering from IBM – RC6 Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm – Twofish From Counterpane Internet Security, Inc. – Serpent Designed by Ross Anderson, Eli Biham and Lars Knudsen – Rijndael: the winner! Designed by Joan Daemen and Vincent Rijmen Lecture 2.3 - Private Key Cryptography III 1/12/201617

18 Other Symmetric Ciphers and their applications IDEA (used in PGP) Blowfish (password hashing in OpenBSD) RC4 (used in WEP), RC5 SAFER (used in Bluetooth) Lecture 2.3 - Private Key Cryptography III 1/12/201618

19 Some Questions Double encryption in DES increases the key space size from 2^56 to 2^112 – true or false? Is known-plaintext an active or a passive attack? Is chosen-ciphertext attack an active or a passive attack? Reverse Engineering is applied to what design of systems – open or closed? Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use? 1/12/2016 Lecture 2.2 - Private Key Cryptography II 19

20 Some Questions C=DES(K,P); where (P, C are 64-bit long blocks). What would be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode? ECB is secure for sending just one block of data: true or false? Is it okay to re-use IV in CBC? Why/why not? Alice needs to send a *long* top-secret message to Bob. Which of the ciphers that we studied today can she use? Is ECB secure against CPA? Is CBC secure against CPA? Lecture 2.3 - Private Key Cryptography III 1/12/201620

21 Public Key Crypto Overview and Number Theory 1/12/2016Lecture 1 - Introduction21

22 Recall: Private Key/Public Key Cryptography Private Key: Sender and receiver share a common (private) key – Encryption and Decryption is done using the private key – Also called conventional/shared-key/single-key/ symmetric-key cryptography Public Key: Every user has a private key and a public key – Encryption is done using the public key and Decryption using private key – Also called two-key/asymmetric-key cryptography 22

23 Private key cryptography revisited. Good: Quite efficient (as you’ll see from the HW#2 programming exercise on AES) Bad: Key distribution and management is a serious problem 23

24 Public key cryptography model Good: Key management problem potentially simpler Bad: Much slower than private key crypto (we’ll see later!) 24

25 Public Key Encryption Two keys: – public encryption key e – private decryption key d Encryption easy when e is known Decryption easy when d is known Decryption hard when d is not known We’ll study such public key encryption schemes; first we need some number theory. 25

26 Public Key Encryption: Security Notions Very similar to what we studied for private key encryption – What’s the difference? 26

27 Group: Definition (G,.) (where G is a set and. : GxG  G) is said to be a group if following properties are satisfied: 1.Closure : for any a, b G, a.b G 2.Associativity : for any a, b, c G, a.(b.c)=(a.b).c 3.Identity : there is an identity element such that a.e = e.a = a, for any a G 4.Inverse : there exists an element a -1 for every a in G, such that a.a -1 = a -1.a = e Abelian Group: Group which also satisfies commutativity, i.e., a.b = b.a 1/12/2016Lecture 1 - Introduction27

28 Groups: Examples Set of all integers with respect to addition -- (Z,+) Set of all integers with respect to multiplication (Z,*) – not a group Set of all real numbers with respect to multiplication (R,*) Set of all integers modulo m with respect to modulo addition (Z m, “modular addition”) 28

29 Divisors x divides y (written x | y) if the remainder is 0 when y is divided by x – 1|8, 2|8, 4|8, 8|8 The divisors of y are the numbers that divide y – divisors of 8: {1,2,4,8} For every number y – 1|y – y|y 29

30 Prime numbers A number is prime if its only divisors are 1 and itself: – 2,3,5,7,11,13,17,19, … Fundamental theorem of arithmetic: – For every number x, there is a unique set of primes {p 1, …,p n } and a unique set of positive exponents {e 1, …,e n } such that 30

31 Common divisors The common divisors of two numbers x,y are the numbers z such that z|x and z|y – common divisors of 8 and 12: intersection of {1,2,4,8} and {1,2,3,4,6,12} = {1,2,4} greatest common divisor: gcd(x,y) is the number z such that – z is a common divisor of x and y – no common divisor of x and y is larger than z gcd(8,12) = 4 31

32 Euclidean Algorithm: gcd(r 0,r 1 ) 32 Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)

33 Example – gcd(15,37) 37 = 2 * 15 + 7 15 = 2 * 7 + 1 7 = 7 * 1 + 0  gcd(15,37) = 1 33

34 Relative primes x and y are relatively prime if they have no common divisors, other than 1 Equivalently, x and y are relatively prime if gcd(x,y) = 1 – 9 and 14 are relatively prime – 9 and 15 are not relatively prime 34

35 Modular Arithmetic Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: We work in Z m = {0, 1, 2, …, m-1}, the group of integers modulo m Example: Z 9 ={0,1,2,3,4,5,6,7,8} We abuse notation and often write = instead of 351/12/2016Public Key Cryptography -- II

36 Addition in Z m : Addition is well-defined: – 3 + 4 = 7 mod 9. – 3 + 8 = 2 mod 9. 361/12/2016Public Key Cryptography -- II

37 Additive inverses in Z m 0 is the additive identity in Z m Additive inverse of a is -a mod m = (m-a) – Every element has unique additive inverse. – 4 + 5= 0 mod 9. – 4 is additive inverse of 5. 371/12/2016Public Key Cryptography -- II

38 Multiplication in Z m : Multiplication is well-defined: – 3 * 4 = 3 mod 9. – 3 * 8 = 6 mod 9. – 3 * 3 = 0 mod 9. 381/12/2016Public Key Cryptography -- II

39 Multiplicative inverses in Z m 1 is the multiplicative identity in Z m Multiplicative inverse (x*x -1 =1 mod m) – SOME, but not ALL elements have unique multiplicative inverse. – In Z 9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) – On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4 -1 =7, (mod 9) 391/12/2016Public Key Cryptography -- II

40 Which numbers have inverses? In Z m, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 – E.g., 4 in Z 9 401/12/2016Public Key Cryptography -- II

41 Extended Euclidian: a -1 mod n Main Idea: Looking for inverse of a mod n means looking for x such that x * a – y * n = 1. To compute inverse of a mod n, do the following: – Compute gcd(a, n) using Euclidean algorithm. – Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1. – So you can obtain linear combination of r m and r m-1 that yields 1. – Work backwards getting linear combination of r i and r i-1 that yields 1. – When you get to linear combination of r 0 and r 1 you are done as r 0 =n and r 1 = a. 411/12/2016Public Key Cryptography -- II

42 Example – 15 -1 mod 37 37 = 2 * 15 + 7 15 = 2 * 7 + 1 7 = 7 * 1 + 0 Now, 15 – 2 * 7 = 1 15 – 2 (37 – 2 * 15) = 1 5 * 15 – 2 * 37 = 1 So, 15 -1 mod 37 is 5. 421/12/2016Public Key Cryptography -- II

43 Modular Exponentiation: Square and Multiply method Usual approach to computing x c mod n is inefficient when c is large. Instead, represent c as bit string b k-1 … b 0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z 2 mod n if b i = 1 then z = z* x mod n 431/12/2016Public Key Cryptography -- II

44 Example: 30 37 mod 77 44 z = z 2 mod n if b i = 1 then z = z* x mod n i b z 5 1 30 =1*1*30 mod 77 4 0 53 =30*30 mod 77 3 0 37 =53*53 mod 77 2 1 29 =37*37*30 mod 77 1 0 71 =29*29 mod 77 0 1 2 =71*71*30 mod 77 1/12/2016Public Key Cryptography -- II

45 Other Definitions An element g in G is said to be a generator of a group if a = g i for every a in G, for a certain integer i – A group which has a generator is called a cyclic group The number of elements in a group is called the order of the group Order of an element a is the lowest i (>0) such that a i = e (identity) A subgroup is a subset of a group that itself is a group 45Public Key Cryptography -- II

46 Lagrange’s Theorem Order of an element in a group divides the order of the group 461/12/2016Public Key Cryptography -- II

47 Euler’s totient function Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then – {1,2,3,…,p-1} are relatively prime to p. 471/12/2016Public Key Cryptography -- II

48 Euler’s totient function Fact: If p and q are prime and n=pq then Each number that is not divisible by p or by q is relatively prime to pq. – E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} – pq-p-(q-1) = (p-1)(q-1) 481/12/2016Public Key Cryptography -- II

49 Euler’s Theorem and Fermat’s Theorem If a is relatively prime to n then If a is relatively prime to p then a p-1 = 1 mod p Proof : follows from Lagrange’s Theorem 491/12/2016Public Key Cryptography -- II

50 Euler’s Theorem and Fermat’s Theorem EG: Compute 9 100 mod 17: p =17, so p-1 = 16. 100 = 6·16+4. Therefore, 9 100 =9 6·16+4 =(9 16 ) 6 (9) 4. So mod 17 we have 9 100  (9 16 ) 6 (9) 4 (mod 17)  (1) 6 (9) 4 (mod 17)  (81) 2 (mod 17)  16 Public Key Cryptography -- II 1/12/201650

51 Some questions 2 -1 mod 4 =? Find x such that – x = 4 (mod 5) – x = 7 (mod 8) – x = 3 (mod 9) Order of a group is 5. What can be the order of an element in this group? 511/12/2016Public Key Cryptography -- II

52 Further Reading Chapter 4 of Stallings Chapter 2.4 of HAC 521/12/2016Public Key Cryptography -- II

53 The RSA Cryptosystem (Encryption) 53

54 “Textbook” RSA: KeyGen Alice wants people to be able to send her encrypted messages. She chooses two (large) prime numbers, p and q and computes n=pq and. [“large” = 1024 bits +] She chooses a number e such that e is relatively prime to and computes d, the inverse of e in, i.e., ed =1 mod She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and Plaintext and ciphertext messages are elements of Z n and e is the encryption key. 54

55 RSA: Encryption Bob wants to send a message x (an element of Z n * ) to Alice. He looks up her encryption key, (e,n), in a directory. The encrypted message is Bob sends y to Alice. 55

56 RSA: Decryption To decrypt the message she’s received from Bob, Alice computes Claim: D(y) = x 56

57 RSA: why does it all work Need to show  D[E[x]] = x  E[x] and D[y] can be computed efficiently if keys are known  E -1 [y] cannot be computed efficiently without knowledge of the (private) decryption key d. Also, it should be possible to select keys reasonably efficiently  This does not have to be done too often, so efficiency requirements are less stringent. 57

58 E and D are Inverses 58 Because From Euler’s Theorem

59 Tiny RSA example. Let p = 7, q = 11. Then n = 77 and Choose e = 13. Then d = 13 -1 mod 60 = 37. Let message = 2. E(2) = 2 13 mod 77 = 30. D(30) = 30 37 mod 77=2 59

60 Slightly Larger RSA example. Let p = 47, q = 71. Then n = 3337 and Choose e = 79. Then d = 79 -1 mod 3220 = 1019. Let message = 688232… Break it into 3 digit blocks to encrypt. E(688) = 688 79 mod 3337 = 1570. E(232) = 232 79 mod 3337 = 2756 D(1570) = 1570 1019 mod 3337 = 688. D(2756) = 2756 1019 mod 3337 = 232. 60

61 Security of RSA: RSA assumption Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) If Oscar can compute d = e -1 mod then he can use to recover the plaintext x. If Oscar can compute, he can compute d (the same way Alice did). 61

62 Security of RSA: factoring Oscar knows that n is the product of two primes If he can factor n, he can compute But factoring large numbers is very difficult: – Grade school method takes divisions. – Prohibitive for large n, such as 160 bits – Better factorization algorithms exist, but they are still too slow for large n – Lower bound for factorization is an open problem 62

63 How big should n be? Today we need n to be at least 1024-bits – This is equivalent to security provided by 80-bit long keys in private-key crypto No other attack on RSA known – Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem! 63

64 Key selection To select keys we need efficient algorithms to – Select large primes Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time. – Compute multiplicative inverses Extended Euclidean algorithm 64

65 RSA in Practice Textbook RSA is insecure – Known-plaintext? – CPA? – CCA? In practice, we use a “randomized” version of RSA, called RSA-OAEP – Use PKCS#1 standard for RSA encryption http://www.rsa.com/rsalabs/node.asp?id=2125 – Interested in details of OAEP: refer to (section 3.1 of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf 65

66 Some questions c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)? Homomorphic property – What is RSA_Enc(2m1)? Malleability (not a good property!) Is it possible to find inverses mod n (RSA modulus)? 66

67 Some Questions RSA stands for Robust Security Algorithm, right? If e is small (such as 3) – Encryption is faster than decryption or the other way round? Private key crypto has key distribution problem and Public key crypto is slow – How about a hybrid approach? – Do you know how ssl/ssh works? 67

68 Some Questions I encrypt m with Alice’s RSA PK, I get c – I encryt m again, I get --? – What does this mean? What if I do the above with DES? 68

69 Further Reading Stallings Chapter 11 HAC Chapter 9 1/12/2016Lecture 4: Hash Functions69

70 Digital Signatures 1/12/2016Lecture 1 - Introduction70

71 Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer Lecture 3.4: Public Key Cryptography IV

72 Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) – Adversary (adaptively) chooses messages m i of its choice – Obtains the signature s i on each m i – Outputs any message m (≠ mi) and a signature s on m Lecture 3.4: Public Key Cryptography IV

73 RSA Signatures Key Generation: same as in encryption Sign(m): s = m d mod N Verify(m,s): (s e == m mod N) The above text-book version is insecure; why? In practice, we use a randomized version of RSA (implemented in PKCS#1) – Hash the message and then sign the hash Lecture 3.4: Public Key Cryptography IV

Download ppt "Lecture 3: Cryptography II CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena."

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.

22C:19 Discrete Math Integers and Modular Arithmetic Fall 2010 Sukumar Ghosh.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.

1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Similar presentations

Ads by Google