
Cryptography: Review Day


Presentation Transcript


  1. Cryptography: Review Day. David Brumley, dbrumley@cmu.edu, Carnegie Mellon University

  2. The Cryptonium Pipe. Alice computes c = E(ke, m) and sends c over the public channel; Eve has read/write access to the channel; Bob receives c’ and computes D(ke, c’), obtaining m or an error. Goals: Privacy, Integrity, and Authenticity

  3. Privacy and Encryption

  4. Perfect Secrecy [Shannon1945] (Information Theoretic Secrecy). Defn Perfect Secrecy (informal): we’re no better off determining the plaintext when given the ciphertext. Alice sends c to Bob. Eve observes everything but the c and guesses m1; Eve observes c and guesses m2. Goal: \Pr[m = m_1] = \Pr[m = m_2]

  5. The One Time Pad (Miller, 1882 and Vernam, 1917). M = C = K = {0,1}^n
  \begin{align*} E(k,m) &= k \oplus m = c\\ D(k,c) &= k \oplus c = m \end{align*}
  Correctness: \[ \begin{split} D(k,E(k,m)) &= D(k, k \oplus m)\\ &= k \oplus (k \oplus m)\\ &= 0 \oplus m \\ &= m \end{split} \]

  6. Block Ciphers
  • Modes of operation: CBC, CTR, etc.
  • What modes do for security, e.g., why ECB is bad, why randomize an IV for CBC, etc.
  • Definitions: is a block cipher a PRP or a PRF?
  • Attacks

  7. Exhaustive Search for a block cipher key. Goal: given a few input/output pairs (mi, ci = E(k, mi)), i = 1, ..., n, find the key k. Attack: brute force to find the key k. Homework: what is the probability that the key k found with one <m,c> pair is correct? For two pairs?

  8. Meet in the middle attack
  • Define 2E((k1,k2), m) = E(k1, E(k2, m)); key-len = 112 bits for 2DES.
  • Diagram: m → E(k2,⋅) → c’ for each candidate k2 (…), and c → D(k1,⋅) → c’’ for each candidate k1 (…).
  • Idea: the key is found when c’ = c’’, i.e., E(ki, m) = D(kj, c)

  9. Semantic Security Game (World 0 / World 1)
  Step 1: A picks m0, m1 with |m0| = |m1| and sends m0, m1 to E.
  Step 2: E picks b = 0 (World 0) or b = 1 (World 1).
  Step 3: E computes k = KeyGen(l).
  Step 4: E computes c = E(k, mb) and sends c to A.
  Step 5: A guesses and outputs b’.
  A doesn’t know which world he is in, but wants to figure it out. Semantic security is a behavioral model: when E is secure, any A behaves the same in either world.

  10. Semantic security under CPA. Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time key). Challenger: k ← K. Adversary A sends m0, m0 ∈ M and receives C0 ← E(k, m0); A then sends m0, m1 ∈ M and receives Cb ← E(k, mb); if Cb = C0, A outputs 0, else A outputs 1.

  11. Semantic security under CPA (continued). The same game as above, with the conclusion: encryption modes must be randomized or use a nonce (or they are vulnerable to CPA).
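The distinguisher from slides 10 and 11 run against two toy schemes, as an added example (not code from the original deck). The ciphers are assumptions: both derive a keystream from HMAC-SHA256 as the PRF, one deterministic (same key and message always give the same ciphertext) and one that prepends a fresh random nonce.

```python
"""Many-time-key CPA game from the slides, run against a deterministic and a
randomized toy cipher (both constructed here; HMAC-SHA256 stands in for the PRF)."""
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(k: bytes, m: bytes) -> bytes:
    # Keystream depends only on k, so equal plaintexts give equal ciphertexts
    # (the ECB / fixed-counter CTR situation the slide describes).
    return xor(m, prf(k, b"keystream"))


def enc_randomized(k: bytes, m: bytes) -> bytes:
    # Fresh nonce per call; keystream depends on (k, nonce) and the nonce is
    # sent in the clear so the receiver can recompute it.
    nonce = os.urandom(16)
    return nonce + xor(m, prf(k, nonce))


def cpa_game(enc, b: int) -> int:
    """One run of EXP(b). Returns the adversary's guess b'."""
    k = os.urandom(32)                                   # challenger: k <- K
    m0, m1 = b"attack at dawn!!", b"retreat at dusk!"    # |m0| == |m1|
    c0 = enc(k, m0)                                      # CPA query: E(k, m0)
    cb = enc(k, (m0, m1)[b])                             # challenge: E(k, m_b)
    return 0 if cb == c0 else 1                          # rule from the slide


def advantage(enc, trials: int = 200) -> float:
    """Estimate |Pr[A outputs 1 in EXP(1)] - Pr[A outputs 1 in EXP(0)]|."""
    w0 = sum(cpa_game(enc, 0) for _ in range(trials)) / trials
    w1 = sum(cpa_game(enc, 1) for _ in range(trials)) / trials
    return abs(w1 - w0)


if __name__ == "__main__":
    print("deterministic:", advantage(enc_deterministic))  # 1.0
    print("randomized:   ", advantage(enc_randomized))     # ~0.0
```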

  12. Hashes and MACs

  13. Message Integrity. Goal: integrity (not secrecy).
  Examples:
  • Protecting binaries on disk.
  • Protecting banner ads on web pages.
  Security principle:
  • Integrity means no one can forge a signature

  14. PRF Security Game (a behavioral model), World 0 / World 1
  Step 1: A picks x and sends x to E.
  Step 2: World 0: if tbl[x] is undefined, tbl[x] = rand(); E returns y = tbl[x]. World 1: E returns y = PRF(x).
  Step 3: A outputs its guess b’ for b.
  A doesn’t know which world he is in, but wants to figure it out. For b = 0,1: Wb := [event that A(Wb) = 1]; AdvSS[A,E] := |Pr[W0] − Pr[W1]| ∈ [0,1]

  15. Secure PRF: An Alternate Interpretation. For b = 0,1 define experiment EXP(b) as: (diagram: Challenger F, Adversary). Def: PRF is a secure PRF if for all efficient A: […]

  16. Secure MAC Game. Security goal: A cannot produce a valid tag on a message, even if the message is gibberish.
  Step 1: Challenger: k = KeyGen(l).
  Step 2: Adversary A picks m1, ..., mq and sends them.
  Step 3: Challenger computes ti = S(mi, k) for i in 0...q and returns t1, ..., tq.
  Step 4: A picks m not in m1, ..., mq, generates t, and sends (m, t).
  Step 5: Challenger computes b = V(m, t, k), b ∈ {yes, no}. Existential forgery if b = “yes”.

  17. Birthday Paradox Rule of Thumb. Given N possibilities and random samples x1, ..., xj, Pr[xi = xj] ≈ 50% when j = N^{1/2}

  18. Generic attack on hash functions. Let H: M → {0,1}^n be a hash function (|M| >> 2^n). Generic alg. to find a collision in time O(2^{n/2}) hashes.
  Algorithm:
  • Choose 2^{n/2} random messages in M: m1, …, m_{2^{n/2}} (distinct w.h.p.)
  • For i = 1, …, 2^{n/2} compute ti = H(mi) ∈ {0,1}^n
  • Look for a collision (ti = tj). If not found, go back to step 1.
  How well will this work?
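The generic collision search of slide 18 carried out on a small output space, as an added example (not code from the original deck), so slide 17's rule of thumb can be checked empirically. H is an assumption: SHA-256 truncated to n bits, which makes 2^{n/2} hashes per round cheap.

```python
"""Birthday-bound collision search on an n-bit hash (SHA-256 truncated to n
bits, a constructed stand-in for the slide's H: M -> {0,1}^n)."""
import hashlib
import math
import os


def H(m: bytes, n: int) -> int:
    # Keep only the top n bits of SHA-256 so |{0,1}^n| = 2^n is small.
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - n)


def find_collision(n: int, rng=os.urandom):
    """Return (m_i, m_j, rounds): distinct messages with H(m_i) == H(m_j).
    Each round draws 2^(n/2) random messages, exactly as in the slide."""
    samples = 1 << (n // 2)
    rounds = 0
    while True:
        rounds += 1
        seen = {}                                # t_i -> m_i for this round
        for _ in range(samples):                 # step 1: random m in M
            m = rng(16)
            t = H(m, n)                          # step 2: t_i = H(m_i)
            if t in seen and seen[t] != m:       # step 3: t_i == t_j, i != j
                return seen[t], m, rounds
            seen[t] = m
        # no collision among these samples: go back to step 1


def success_rate_per_round(n: int) -> float:
    """Probability one round of j = N^(1/2) samples contains a collision:
    1 - exp(-j(j-1)/(2N)), about 0.39, so the '50%' rule of thumb is rough."""
    N = 2 ** n
    j = math.isqrt(N)
    return 1 - math.exp(-j * (j - 1) / (2 * N))


if __name__ == "__main__":
    m1, m2, rounds = find_collision(24)
    print(f"collision after {rounds} round(s): H={H(m1, 24):06x}")
    print(f"per-round success ~ {success_rate_per_round(24):.3f}")
```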

  19. Brute Force
  Online brute force attack: input: hp = hash(password) to crack; for each i in the dictionary file: if (h(i) == hp) output success.
  Time/space tradeoff attack: precompute h(i) for each i in the dictionary file into a hash table; input: hp = hash(password); check if hp is in the hash table (“rainbow tables”).

  20. Salts
  Enrollment: • compute hp = h(password + salt) • store salt || hp
  Verification: • look up salt in the password file • check h(input || salt) == hp
  What good is this for security, given that the salt is public? Salt doesn’t increase security against online attack, but it does make tables much bigger.
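Enrollment and verification from slide 20 as working code, an added example that is not from the original deck. Assumptions: h is SHA-256 (the slide only writes h), the salt is 16 random bytes, and the "password file" is a dict; the last function puts a number on why tables get bigger.

```python
"""Salted password storage per the slide: store salt || h(password + salt),
verify by looking up the salt and recomputing (h = SHA-256, an assumption)."""
import hashlib
import hmac
import os

SALT_LEN = 16


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def enroll(pwfile: dict, user: str, password: bytes) -> None:
    salt = os.urandom(SALT_LEN)                  # public, but fresh per user
    hp = h(password + salt)                      # hp = h(password + salt)
    pwfile[user] = salt + hp                     # store salt || hp


def verify(pwfile: dict, user: str, attempt: bytes) -> bool:
    record = pwfile.get(user)
    if record is None:
        return False
    salt, hp = record[:SALT_LEN], record[SALT_LEN:]   # look up salt
    # compare_digest does not leak, via timing, how many bytes matched
    return hmac.compare_digest(h(attempt + salt), hp)


def same_stored_hash(pwfile: dict, u1: str, u2: str) -> bool:
    """Two users with the same password still store different hp values."""
    return pwfile[u1][SALT_LEN:] == pwfile[u2][SALT_LEN:]


def table_entries_needed(dictionary_size: int, salt_bits: int) -> int:
    """A precomputed table must cover every salt: |dict| * 2^salt_bits rows."""
    return dictionary_size * (1 << salt_bits)


if __name__ == "__main__":
    f = {}
    enroll(f, "alice", b"hunter2")
    enroll(f, "bob", b"hunter2")
    print(verify(f, "alice", b"hunter2"), same_stored_hash(f, "alice", "bob"))
```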

  21. Authenticated Encryption

  22. Motivating Question: Which is Best? Encryption key = kE; MAC key = kI.
  Option 1: SSL (MAC-then-encrypt): tag = S(kI, m); send E(kE, m || tag).
  Option 2: IPsec (Encrypt-then-MAC): c = E(kE, m); send c and S(kI, c).
  Option 3: SSH (Encrypt-and-MAC): send E(kE, m) and S(kI, m).

  23. An authenticated encryption system (E, D) is a cipher where, as usual, E: K × M × N ⟶ C, but D: K × C × N ⟶ M ∪ {⊥} (⊥ = reject ciphertext as invalid). Security: the system must provide • semantic security under CPA attack, and • ciphertext integrity: the attacker cannot create a new ciphertext that decrypts properly.

  24. CCA Game Definition. Let ENC = (E, D) over (K, M, C). For b ∈ {0,1}, define EXP(0) and EXP(1): Chal. picks k ← K; for i = 1, …, q the Adv. makes one of two queries: (1) CPA query: send mi,0, mi,1 ∈ M with |mi,0| = |mi,1|, receive ci ← E(k, mi,b); (2) CCA query: send ci ∈ C with ci ∉ {c1, …, ci−1}, receive mi ← D(k, ci) (ex: could query a changed ci). Finally the Adv. outputs b’ ∈ {0,1}.

  25. Public Key Cryptography

  26. Diffie-Hellman key exchange (Alice, Bob, Eve)
  Step 1: Alice picks a from [0, p−1).
  Step 2: Bob picks b from [0, p−1).
  Step 3: Alice sends g^a mod p.
  Step 4: Bob sends g^b mod p.
  Step 5: Bob computes (g^a)^b mod p as the secret key.
  Step 6: Alice computes (g^b)^a mod p as the secret key.
  Eve observes g, g^a, g^b. Goal: compute a (or b) (i.e., calculate the discrete log) or compute g^{ab}.

  27. MITM Adversary. As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks: Alice sends g^a mod p, but the MITM forwards g^m mod p to Bob; Bob sends g^b mod p, but the MITM forwards g^m mod p to Alice. Bob ends up with g^{mb} mod p and Alice with g^{ma} mod p, both of which the MITM can compute.

  28. Public Key Encryption. Def: a public-key encryption system is a triple of algorithms (G, E, D)
  • G(): randomized alg. that outputs a key pair (pk, sk)
  • E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
  • D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥
  Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m
  Note: without randomization, an attacker can determine E(pk, m1) = E(pk, m2) when m1 = m2

  29. Semantic Security. For b = 0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)): Chal. runs (pk, sk) ← G() and sends pk to Adv. A; A sends m0, m1 ∈ M with |m0| = |m1|; Chal. sends c ← E(pk, mb); A outputs b’ ∈ {0,1}. Def: Enc = (G, E, D) is sem. secure (a.k.a. IND-CPA) if for all efficient A: AdvSS[A,Enc] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]| < negligible. No query encryptions of messages. Why?

  30. Easy and Hard Problems • Factoring • Discrete Log • Exponentiation

  31. Questions?

  32. END

  33. Thought
