Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 3: Cryptography II

Published byElijah Cobb Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 3: Cryptography II"— Presentation transcript:

1 Lecture 3: Cryptography II
CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena

2 Course Administration
4/26/2017 Course Administration Everyone receiving my s? Lecture slides worked okay? Both ppt and pdf versions Everyone knows how to access the course web page? HW/Lab 1 heads up To be posted coming Monday Labs become active starting next week NO LAB THIS WEEK

3 Outline of Today’s Lecture
4/26/2017 Outline of Today’s Lecture Block Cipher Modes of Encryption Public Key Crypto Overview and Math Background Public Key Encryption (RSA) Public Key Signatures

4 Block Cipher Encryption Modes
4/26/2017 Lecture 1 - Introduction

5 Block Cipher Encryption modes
4/26/2017 Block Cipher Encryption modes Electronic Code Book (ECB) Cipher Block Chain (CBC) Most popular one Others (we will not cover) Cipher Feed Back (CFB) Output Feed Back (OFB) Discuss in each mode: parallelizing encryption/decryption what happens if plaintext block is corrupted what happens if ciphertext block is corrupted can it be used for message authentication 4/26/2017 Lecture 2 - Cryptography - I

6 Lecture 2 - Cryptography - I
4/26/2017 Analysis We will analyze each mode in terms of: Security Computational Efficiency (parallelizing encryption/decryption) Transmission Errors Integrity Protection Discuss in each mode: parallelizing encryption/decryption what happens if plaintext block is corrupted what happens if ciphertext block is corrupted can it be used for message authentication 4/26/2017 Lecture 2 - Cryptography - I

7 Electronic Code Book (ECB) Mode
4/26/2017 Electronic Code Book (ECB) Mode Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode. Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext 4/26/2017 Lecture 2 - Cryptography - I

8 Example – why ECB is bad? Tux Tux encrypted with AES in ECB mode
4/26/2017 Example – why ECB is bad? Tux Tux encrypted with AES in ECB mode 4/26/2017 Lecture 2 - Cryptography - I

9 Cipher Block Chain (CBC) Mode
4/26/2017 Cipher Block Chain (CBC) Mode encryption decryption 4/26/2017 Lecture 2 - Cryptography - I

10 Lecture 2 - Cryptography - I
4/26/2017 CBC Traits Randomized encryption IV – Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation IV is a random value IV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext) Discuss in each mode: parallelizing encryption/decryption what happens if plaintext block is corrupted what happens if ciphertext block is corrupted can it be used for message authentication 4/26/2017 Lecture 2 - Cryptography - I

11 Example – why CBC is good?
4/26/2017 Example – why CBC is good? Tux Tux encrypted with AES in CBC mode 4/26/2017 Lecture 2 - Cryptography - I

12 Lecture 2 - Cryptography - I
4/26/2017 CBC – More Properties What happens if k-th cipher block CK gets corrupted in transmission. With ECB – Only decrypted PK is affected. With CBC? Only blocks PK and PK+1 are affected!! What if one plaintext block PK is changed? With ECB only CK affected. With CBC all subsequent ciphertext blocks will be affected. “Avalanche effect” This leads to an effective integrity protection mechanism (or message authentication code (MAC)) 4/26/2017 Lecture 2 - Cryptography - I

13 Security of Block Cipher Modes
4/26/2017 Security of Block Cipher Modes ECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks) CBC is secure against CPA attacks (assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacks However, not secure against CCA. Why? Intuitively, this is because the ciphertext can be “massaged” in a meaningful way

14 4/26/2017 CBC Mode CCA Attack Assume adversary has eavesdropped upon a ciphertext – (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV. Adversary is not allowed to query for (C0, C1, C2) itself With CBC, adversary queries for (C0’, C1, C2) and obtains (M1’, M2) [X’ denotes bit-wise complement of X]

15 How to achieve CCA security?
4/26/2017 How to achieve CCA security? Prevent any massaging of the ciphertext Intuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study later The ciphertext is generated using CBC and a MAC is generated on this ciphertext Both ciphertext and the MAC is sent off The other party decrypts only if MAC is valid 4/26/2017 Lecture Private Key Cryptography III

16 Advanced Encryption Standard (AES)
4/26/2017 Advanced Encryption Standard (AES) National Institute of Science and Technology DES is an aging standard that no longer addresses today’s needs for strong encryption Triple-DES: Endorsed by NIST as today’s defacto standard AES: The Advanced Encryption Standard Finalized in 2001 Goal – To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents AES candidate algorithms were required to be: Symmetric-key, supporting 128, 192, and 256 bit keys Royalty-Free Unclassified (i.e. public domain) Available for worldwide export 4/26/2017 Lecture Private Key Cryptography III

17 Lecture 2.3 - Private Key Cryptography III
4/26/2017 AES AES Round-3 Finalist Algorithms: MARS Candidate offering from IBM RC6 Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm Twofish From Counterpane Internet Security, Inc. Serpent Designed by Ross Anderson, Eli Biham and Lars Knudsen Rijndael: the winner! Designed by Joan Daemen and Vincent Rijmen 4/26/2017 Lecture Private Key Cryptography III

18 Other Symmetric Ciphers and their applications
4/26/2017 Other Symmetric Ciphers and their applications IDEA (used in PGP) Blowfish (password hashing in OpenBSD) RC4 (used in WEP), RC5 SAFER (used in Bluetooth) 4/26/2017 Lecture Private Key Cryptography III

19 Lecture 2.2 - Private Key Cryptography II
4/26/2017 Some Questions Double encryption in DES increases the key space size from 2^56 to 2^112 – true or false? Is known-plaintext an active or a passive attack? Is chosen-ciphertext attack an active or a passive attack? Reverse Engineering is applied to what design of systems – open or closed? Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use? 4/26/2017 Lecture Private Key Cryptography II

20 Lecture 2.3 - Private Key Cryptography III
4/26/2017 Some Questions C=DES(K,P); where (P, C are 64-bit long blocks). What would be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode? ECB is secure for sending just one block of data: true or false? Is it okay to re-use IV in CBC? Why/why not? Is ECB secure against CPA? Is CBC secure against CPA? 4/26/2017 Lecture Private Key Cryptography III

21 Public Key Crypto Overview and Math Background
4/26/2017 Lecture 1 - Introduction

22 Recall: Private Key/Public Key Cryptography
4/26/2017 Recall: Private Key/Public Key Cryptography Private Key: Sender and receiver share a common (private) key Encryption and Decryption is done using the private key Also called conventional/shared-key/single-key/ symmetric-key cryptography Public Key: Every user has a private key and a public key Encryption is done using the public key and Decryption using private key Also called two-key/asymmetric-key cryptography

23 Private key cryptography revisited.
4/26/2017 Private key cryptography revisited. Good: Quite efficient Bad: Key distribution and management is a serious problem

24 Public key cryptography model
4/26/2017 Public key cryptography model Good: Key management problem potentially simpler Bad: Much slower than private key crypto (we’ll see later!)

25 Public Key Encryption Two keys: Encryption easy when e is known
4/26/2017 Public Key Encryption Two keys: public encryption key e private decryption key d Encryption easy when e is known Decryption easy when d is known Decryption hard when d is not known We’ll study such public key encryption schemes; first we need some mathematical background.

26 Public Key Encryption: Security Notions
4/26/2017 Public Key Encryption: Security Notions Very similar to what we studied for private key encryption What’s the difference?

27 Lecture 1 - Introduction
Group: Definition (G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied: Closure : for any a, b G, a.b G Associativity : for any a, b, c G, a.(b.c)=(a.b).c Identity : there is an identity element such that a.e = e.a = a, for any a G Inverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e 4/26/2017 Lecture 1 - Introduction

28 Groups: Examples Set of all integers with respect to addition --(Z,+)
4/26/2017 Groups: Examples Set of all integers with respect to addition --(Z,+) Set of all integers with respect to multiplication (Z,*) – not a group Set of all real numbers with respect to multiplication (R,*) Set of all integers modulo m with respect to modulo addition (Zm, “modular addition”)

29 Multiplicative inverses in Zm
4/26/2017 Multiplicative inverses in Zm 1 is the multiplicative identity in Zm Multiplicative inverse (x*x-1=1 mod m) SOME, but not ALL elements have unique multiplicative inverse. In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9) 4/26/2017 Public Key Cryptography -- II

30 Which numbers have inverses?
4/26/2017 Which numbers have inverses? In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 E.g., 4 in Z9 4/26/2017 Public Key Cryptography -- II

31 Modular Exponentiation: Square and Multiply method
4/26/2017 Modular Exponentiation: Square and Multiply method Usual approach to computing xc mod n is inefficient when c is large. Instead, represent c as bit string bk-1 … b0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z2 mod n if bi = 1 then z = z* x mod n Show an example: x^64 will require 6 squarings (or 6 multiplications). 4/26/2017 Public Key Cryptography -- II

32 Public Key Cryptography -- II
4/26/2017 Example: 3037 mod 77 z = z2 mod n if bi = 1 then z = z* x mod n i b z 5 1 = 1*1*30 mod 77 4 = 30*30 mod 77 3 = 53*53 mod 77 2 = 37*37*30 mod 77 = 29*29 mod 77 = 71*71*30 mod 77 4/26/2017 Public Key Cryptography -- II

33 Public Key Cryptography -- II
4/26/2017 Other Definitions The number of elements in a group is called the order of the group Order of an element a is the lowest i (>0) such that ai = e (identity) Public Key Cryptography -- II

34 Public Key Cryptography -- II
4/26/2017 Lagrange’s Theorem Order of an element in a group divides the order of the group 4/26/2017 Public Key Cryptography -- II

35 Euler’s totient function
4/26/2017 Euler’s totient function Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then {1,2,3,…,p-1} are relatively prime to p. 4/26/2017 Public Key Cryptography -- II

36 Euler’s totient function
4/26/2017 Euler’s totient function Fact: If p and q are prime and n=pq then Each number that is not divisible by p or by q is relatively prime to pq. E.g. p = 5, q = 7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} pq – p - (q-1) = (p-1)*(q-1) 4/26/2017 Public Key Cryptography -- II

37 Euler’s Theorem and Fermat’s Theorem
4/26/2017 Euler’s Theorem and Fermat’s Theorem If a is relatively prime to n then If a is relatively prime to p then ap-1 = 1 mod p Proof : follows from Lagrange’s Theorem 4/26/2017 Public Key Cryptography -- II

38 Euler’s Theorem and Fermat’s Theorem
4/26/2017 Euler’s Theorem and Fermat’s Theorem EG: Compute 9100 mod 17: p =17, so p-1 = = 6·16+4. Therefore, 9100=96·16+4=(916)6(9)4 . So mod 17 we have 9100  (916)6(9)4 (mod 17)  (1)6(9)4 (mod 17)  (81)2 (mod 17)  16 4/26/2017 Public Key Cryptography -- II

39 Public Key Cryptography -- II
4/26/2017 Some questions 2-1 mod 4 =? Find x such that x = 4 (mod 5) x = 7 (mod 8) x = 3 (mod 9) Order of a group is 5. What can be the order of an element in this group? 4/26/2017 Public Key Cryptography -- II

40 Public Key Cryptography -- II
4/26/2017 Further Reading Chapter 4 of Stallings Chapter 2.4 of HAC 4/26/2017 Public Key Cryptography -- II

41 The RSA Cryptosystem (Encryption)
4/26/2017 The RSA Cryptosystem (Encryption)

42 “Textbook” RSA: KeyGen
4/26/2017 “Textbook” RSA: KeyGen Alice wants people to be able to send her encrypted messages. She chooses two (large) prime numbers, p and q and computes n=pq and [“large” = 1024 bits +] She chooses a number e such that e is relatively prime to and computes d, the inverse of e in , i.e., ed =1 mod She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and Plaintext and ciphertext messages are elements of Zn and e is the encryption key.

43 4/26/2017 RSA: Encryption Bob wants to send a message x (an element of Zn*) to Alice. He looks up her encryption key, (e,n), in a directory. The encrypted message is Bob sends y to Alice.

44 RSA: Decryption To decrypt the message
4/26/2017 RSA: Decryption To decrypt the message she’s received from Bob, Alice computes Claim: D(y) = x

45 RSA: why does it all work
4/26/2017 RSA: why does it all work Need to show D[E[x]] = x E[x] and D[y] can be computed efficiently if keys are known E-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d. Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so efficiency requirements are less stringent.

46 4/26/2017 E and D are Inverses Because From Euler’s Theorem

47 Tiny RSA example. Let p = 7, q = 11. Then n = 77 and
4/26/2017 Tiny RSA example. Let p = 7, q = 11. Then n = 77 and Choose e = 13. Then d = 13-1 mod 60 = 37. Let message = 2. E(2) = 213 mod 77 = 30. D(30) = 3037 mod 77=2

48 Slightly Larger RSA example.
4/26/2017 Slightly Larger RSA example. Let p = 47, q = 71. Then n = 3337 and Choose e = 79. Then d = 79-1 mod 3220 = 1019. Let message = … Break it into 3 digit blocks to encrypt. E(688) = mod 3337 = 1570. E(232) = mod 3337 = 2756 D(1570) = mod 3337 = 688. D(2756) = mod 3337 = 232.

49 Security of RSA: RSA assumption
4/26/2017 Security of RSA: RSA assumption Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) If Oscar can compute d = e-1 mod then he can use to recover the plaintext x. If Oscar can compute , he can compute d (the same way Alice did).

50 Security of RSA: factoring
4/26/2017 Security of RSA: factoring Oscar knows that n is the product of two primes If he can factor n, he can compute But factoring large numbers is very difficult: Grade school method takes divisions. Prohibitive for large n, such as 160 bits Better factorization algorithms exist, but they are still too slow for large n Lower bound for factorization is an open problem

51 How big should n be? Today we need n to be at least 1024-bits
4/26/2017 How big should n be? Today we need n to be at least 1024-bits This is equivalent to security provided by 80-bit long keys in private-key crypto No other attack on RSA function known Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem! Say something about the brute force attack on RSA. Why exactly should N be 1024 bits?

52 Key selection To select keys we need efficient algorithms to
4/26/2017 Key selection To select keys we need efficient algorithms to Select large primes Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time. Compute multiplicative inverses Efficient algorithm (Extended Euclidean algorithm) exists

53 RSA in Practice Textbook RSA is insecure
4/26/2017 RSA in Practice Textbook RSA is insecure Known-plaintext? CPA? CCA? In practice, we use a “randomized” version of RSA, called RSA-OAEP Use PKCS#1 standard for RSA encryption Interested in details of OAEP: refer to (section 3.1 of)

54 Some questions c1 = RSA_Enc(m1), c2 = RSA_Enc(m2).
4/26/2017 Some questions c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). What is RSA_Enc(m1m2)? Homomorphic property What is RSA_Enc(2m1)? Malleability (not a good property!)

55 Some Questions RSA stands for Robust Security Algorithm, right?
4/26/2017 Some Questions RSA stands for Robust Security Algorithm, right? If e is small (such as 3) Encryption is faster than decryption or the other way round? Private key crypto has key distribution problem and Public key crypto is slow How about a hybrid approach? Do you know how ssl/ssh works?

56 Some Questions I encrypt m with Alice’s RSA PK, I get c
4/26/2017 Some Questions I encrypt m with Alice’s RSA PK, I get c I encryt m again, I get --? What does this mean? What if I do the above with DES?

57 Lecture 4: Hash Functions
4/26/2017 Further Reading Stallings Chapter 11 HAC Chapter 9 4/26/2017 Lecture 4: Hash Functions

58 Lecture 1 - Introduction
Digital Signatures 4/26/2017 Lecture 1 - Introduction

59 Lecture 3.4: Public Key Cryptography IV
4/26/2017 Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer Show the exact operation: when you verify, you either get a “yes” or a “no”. Not really something as in encryption. Lecture 3.4: Public Key Cryptography IV

60 Security Notion/Model for Signatures
4/26/2017 Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) Adversary (adaptively) chooses messages mi of its choice Obtains the signature si on each mi Outputs any message m (≠ mi) and a signature s on m Lecture 3.4: Public Key Cryptography IV

61 Lecture 3.4: Public Key Cryptography IV
4/26/2017 RSA Signatures Key Generation: same as in encryption Sign(m): s = md mod N Verify(m,s): (se == m mod N) The above text-book version is insecure; why? In practice, we use a randomized version of RSA (implemented in PKCS#1) Hash the message and then sign the hash Lecture 3.4: Public Key Cryptography IV

Download ppt "Lecture 3: Cryptography II"

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.

1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google