Download
1 / 17
170 likes | 191 Views
Learn about encryption modes like ECB, CBC, OFB, and CTR, and the importance of message integrity using MACs for secure communication. Explore security concerns and methods to prevent attacks in this lecture summary.
E N D
CMSC 414Computer and Network SecurityLecture 5 Jonathan Katz
Announcements • Midterm on March 15
Modes of encryption • Used for encrypting a long message m1, …, mn • ECB • Ci = FK(mi); the ciphertext is (C1, …, Cn) • CBC • IV; Ci = FK(mi Ci-1); the ciphertext is (IV, C1, …, Cn) • OFB (stream cipher mode) • IV; zi = FK(zi-1); Ci = zi mi; the ciphertext is (IV, C1, …, Cn) • CTR (stream cipher mode) • IV; zi = FK(IV+i); Ci = zi mi; the ciphertext is (IV, C1, .., Cn) • Others…
Security? • ECB should not be used • Why? • Not even secure against ciphertext-only attacks
The effect of ECB mode original encrypted using ECB mode *Images from Wikipedia
Other modes • CBC, OFB, and CTR modes are secure against chosen-plaintext attacks • CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks *Images from Wikipedia
Message integrity m m’
Encryption does not provide integrity • “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable” • WRONG • E.g., one-time pad, CBC-/CTR-mode encryption • Why is this a concern? • Almost always, integrity is needed in addition to secrecy • Lack of integrity can lead to lack of secrecy • Use message authentication codes (MACs)
Message authentication code (MAC) • In the private-key setting, the tool for achieving message integrity is a MAC • Functionality: • MACK(m) = t (we call t the “tag”) • VrfyK(m, t) = 0/1 (“1” = “accept” / ”0”=“reject”) • Correctness…
Bob Alice MAC usage m, t k k Vrfyk(m’,t’) ?? t = Mack(m) • Shared key k • Sender computes a tag t on the message m using k • Receiver verifies the message/tag pair using k
Bob Bob K K MAC usage
Defining security • Attack model: • A random key k is chosen • Attacker is allowed to obtain t1 = MACk(m1), …, tq = MACk(mq) for any messages m1, …, mq of its choice • Attacker is successful if it outputs a forgery; i.e., (m, t) with: • m ≠ mi for all i • VrfyK(m, t) = 1 • For any time-bounded adversary, the probability of a successful attack should be small
Defining security • Is the definition too strong? • When would an attacker be able to obtain tags on any messages of its choice? • Why do we count it as a break if the adversary outputs a forgery on a “meaningless” message? • Main point: we want a secure MAC to be usable in any setting where message integrity is needed
Replay attacks • A MAC inherently cannot prevent replay attacks • Replay attacks must be prevented at a higher level of the protocol! • (Note that whether a replay is ok is application-dependent) • Replay attacks can be prevented using nonces, timestamps, etc. • Will discuss more later
A MAC for short messages • Let F be a block cipher with n-bit output • To authenticate m using key k, compute t = Fk(m) • Vrfyk(m, t): output 1 iff t = Fk(m) • Why is this secure?
(Informal) sketch of security • Replace Fk with a random permutation f • Can do this since F is a block cipher • Seeing f(m1), …, f(mq) does not help to predict f(m) for any m{m1,…,mq} • If adversary outputs (m, t), the probability that t is correct is roughly 2-n • For n large enough, the probability of forgery is small
