
Amir Herzberg AmirHerzberg

Intro to Crypto: Encryption References: ‘Introduction to Modern Cryptography’ [KL] – Book by Katz and Lindell (in library) [BR] – Lecture notes by Bellare and Rogaway ( cs.ucsd.edu/~mihir/cse207/classnotes.html ). Amir Herzberg http://AmirHerzberg.com. Cryptology / cryptography.


Presentation Transcript


  1. Intro to Crypto: Encryption
  References: ‘Introduction to Modern Cryptography’ [KL] – Book by Katz and Lindell (in library); [BR] – Lecture notes by Bellare and Rogaway (cs.ucsd.edu/~mihir/cse207/classnotes.html)
  Amir Herzberg, http://AmirHerzberg.com

  2. Cryptology / cryptography
  • `Science of using secret information`
  • Modern use: using computational limitations of adversary (and secret keys) to…
    • Prevent damage – e.g. encrypt for privacy
    • Punish (deter) corruption – e.g. signed proofs and reviews
  • Main tool for information security
  • Earliest, most known function: encryption

  3. Encryption
  • Earliest form of cryptography
  • Cryptography originally meant ‘secret writing’
  • Goal: encode secret information so that adversary cannot learn anything from it
  • Send / store encrypted (encoded) version
  • Idea: use secret algorithm and/or key to encode plaintext and decode ciphertext
  • Should the algorithm be secret???
  [Diagram: plaintext → Encrypt (key) → ciphertext → Decrypt (key) → plaintext]

  4. Caesar Cipher
  • Rotate the 26 letters of the alphabet by 3 (+3):
    a b c d e f g h i j k l m n o p q …
    A B C D E F G H I J K L M N O P Q …
  • As formula: c = E(p) = p + 3 (mod 26)
  • Using the notation: x = y (mod n)
    • Reads: “x is congruent to y modulo n”
    • Holds if x and y have the same remainder when divided by n, namely x = y + l∙n for some integer l

  5. Caesar Cipher: Security by Obscurity (?)
  • Caesar’s Cipher: c = E(p) = p + 3 (mod 26)
  • Once this `algorithm` is known, decryption is trivial!
  • The secrecy is in the algorithm
  • Not a good idea…

  6. Kerckhoffs’ Principle: Known Design
  • Attacking (e.g. cryptanalysis) an unknown design can be much harder
  • But using public (non-secret) designs…
    • Published designs are often stronger
    • No need to replace system once design is exposed
    • No need to worry that design was exposed
      • E.g. Windows `system code`…
    • Establish standards for multiple applications:
      • Efficiency of production and of test attacks / cryptanalysis
  • Kerckhoffs’ Known Design Principle [1883]: adversary knows the design – everything except the secret keys

  7. Encryption: Key Protects Confidentiality
  • Symmetric/shared secret key cryptosystem: B.e = B.d = k
  • Public-key cryptosystem: B.e is a public encryption key, B.d is a matching private decryption key
  [Diagram: Alice runs the encryption algorithm on the plaintext with B.e (the key Alice uses to encrypt to Bob); the ciphertext passes Eve; Bob runs the decryption algorithm with B.d (the key Bob uses to decrypt) and recovers the plaintext]

  8. Symmetric key cryptosystem
  • Symmetric (shared) key cryptosystem: Bob and Alice share key k
  [Diagram: message m → encryption algorithm (k) → ciphertext c = E_k(m) → decryption algorithm (k) → plaintext m = D_k(c) = D_k(E_k(m))]

  9. Shift Cipher (Keyed Caesar Cipher)
  • Caesar’s Cipher: c = E(p) = p + 3 (mod 26)
  • Once this `algorithm` is known, decryption is trivial!
  • Idea: improve security by adding a secret key
  • Keyed Caesar cipher (aka Shift Cipher):
    • Rotate letters by key
    • As formula: c = E_key(p) = p + key (mod 26)
  • Exhaustive Key Search Attack: try all keys, key = 0, 1, …, 25
  • Not very secure…

  10. Sufficient Key Space Principle
  • Sufficient Key Space Principle:
    • Number of possible keys should be large enough
    • To make attacks infeasible, using best adversary resources (HW) expected during `sensitivity period` of data
    • Using exhaustive key search or other feasible attacks
  • Idea: use arbitrary plaintext-ciphertext mapping (substitution), not necessarily rotation

  11. Monoalphabetic Substitution Cipher
  • Map each letter to some other letter
  • Mapping is the key:
    φ      : a b c d e f g h i j k l m n o p q …
    key[φ] : X E U A D N B K S M R O C Q F S W …
  • C_i = key[P_i]
  • Many keys (26! for 26 letters – more than 2^80)
  • But… simple statistical (`ciphertext only`) attack:
    • Identify letters by their frequencies, e.g. Pr(‘E’) = 13%
    • Identify common words (e.g. ‘the’), sequences (‘ing’)
  • Need a better idea… maybe add `changing rotation`?

  12. Vigenère’s cipher
  • Multiple shift ciphers
  • Shift the i-th letter by key[i]: c[i] = p[i] + key[i mod |key|] (mod 26)
  • Prevents simple statistical attack
    • Prob(c[i] = x) does not depend (only) on p[i]
  • But what about more advanced attacks?

  13. Attacking Vigenère’s cipher
  • Vigenère’s cipher: C_i = K[i + P_i]
  • Stronger statistical attacks:
    • Easy: if length of key is known
    • If not… e.g., Kasiski’s method
    • Both: require long ciphertext; details in [KL]
    • Principle: limit amount of usage of each key
  • What if adversary also knows/chooses some plaintext?
    • Known plaintext:
      • Common prefixes, e.g. `Dear`, `Hail`, `Date:`, `<html>`
      • Exposed/non-confidential messages, …
    • Chosen plaintext: `the message we intercepted was: …`
  • This breaks Vigenère with very short text… [Exercise!]
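The shift cipher of slide 9 and the Vigenère cipher of slides 12–13, with the exhaustive key search and the known-plaintext key recovery the slides describe, as an added worked example (not code from the lecture; the `crib` word and the sample key `lemon` are constructed here). Decryption is `c[i] - key[i mod |key|]`, so `|key|` letters of known plaintext give `key[i] = c[i] - p[i] (mod 26)` directly.

```python
import string
from typing import Optional

ALPHA = string.ascii_lowercase


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """c[i] = p[i] + key[i mod |key|] (mod 26); non-letters are dropped."""
    p = [ALPHA.index(ch) for ch in plaintext.lower() if ch in ALPHA]
    k = [ALPHA.index(ch) for ch in key.lower()]
    return "".join(ALPHA[(p[i] + k[i % len(k)]) % 26] for i in range(len(p)))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """p[i] = c[i] - key[i mod |key|] (mod 26)."""
    k = [ALPHA.index(ch) for ch in key.lower()]
    return "".join(ALPHA[(ALPHA.index(c) - k[i % len(k)]) % 26]
                   for i, c in enumerate(ciphertext))


def shift_exhaustive_search(ciphertext: str, crib: str) -> Optional[int]:
    """Shift cipher = Vigenere with |key| = 1 (slide 9): try all 26 keys and
    keep the one whose decryption contains an expected word (the crib)."""
    for key in range(26):
        if crib in vigenere_decrypt(ciphertext, ALPHA[key]):
            return key
    return None


def recover_key_known_plaintext(ciphertext: str, known_prefix: str, key_len: int) -> str:
    """Known-plaintext attack of slide 13: key[i] = c[i] - p[i] (mod 26), so
    key_len letters of known plaintext (a standard prefix) give the whole key."""
    p = [ALPHA.index(ch) for ch in known_prefix.lower() if ch in ALPHA]
    if len(p) < key_len:
        raise ValueError("need at least key_len letters of known plaintext")
    return "".join(ALPHA[(ALPHA.index(ciphertext[i]) - p[i]) % 26]
                   for i in range(key_len))


if __name__ == "__main__":
    # Constructed sample: key "lemon", plaintext "attack at dawn"
    c = vigenere_encrypt("attack at dawn", "lemon")
    print(c, recover_key_known_plaintext(c, "attac", 5))   # lxfopvefrnhr lemon
```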

  14. Symmetric key cryptosystem - Attacks
  • Symmetric (shared) key crypto: Bob and Alice share key k
  • Attacks:
    • Plaintext-statistics only
    • Known plaintext attack (KPA)
    • Chosen plaintext attack (CPA)
    • (Adaptive) chosen ciphertext attack (CCA)
      • Sometimes, practical… esp: modify ciphertext to get error feedback!
  • Compare ciphers on resistance to different attacks
    • E.g. it is rarely feasible to collect 2^40 known plaintexts
  [Diagram: message m → encryption algorithm (k) → ciphertext c = E_k(m) → decryption algorithm (k) → plaintext m = D_k(c) = D_k(E_k(m))]

  15. Symmetric key cryptosystem - Security
  • Symmetric (shared) key crypto: Bob and Alice share key k
  • Defining successful attack…
    • Prevent… what? Key / message recovery?
    • What about partial recovery (e.g.: first byte)?
    • What if m ∈ {“Advance”, “Retreat”}?
  • ⇒ Adversary must win indistinguishability experiment
  [Diagram: message m → encryption algorithm (k) → ciphertext c = E_k(m) → decryption algorithm (k) → plaintext m = D_k(c) = D_k(E_k(m))]

  16. Indistinguishability: Encryption is like disguise…
  • With a good disguise, adversary…
    • Can’t even tell the most pretty from the most ugly
    • Can’t even identify the same disguised person
      • Talk to masked Rachel
      • She disappears for a few minutes
      • Who returned? Rachel or Leah?
    • As long as they are roughly the same size
      • A giant can never disguise as a dwarf
  • With good encryption, adversary…
    • Can’t identify the encryption of any plaintext (he chooses)
    • Can’t identify two encryptions of the same plaintext
      • Encryption process must be randomized
    • But: encryption can’t hide the length of the plaintext

  17. Indistinguishability Experiment (symmetric encryption, i.e. shared key)
  [Diagram: Alice and Bob share key k. Eve sends a chosen plaintext m to Alice and receives the ciphertext c = E_k(m, r_e); Eve sends a chosen ciphertext c to Bob and receives the decryption m = D_k(c); Eve submits selected messages m0, m1, and Alice either encrypts, or selects b ∈ {0,1} and encrypts m_b; Eve outputs a guess of b]

  18. Indistinguishability Experiment (asymmetric encryption, aka Public Key)
  [Diagram: Alice encrypts with B.e, Bob decrypts with B.d (the key Bob uses to decrypt). Eve sends a chosen plaintext m to Alice and receives the ciphertext c = E_B.e(m, r_e); Eve sends a chosen ciphertext c to Bob and receives the decryption m = D_B.d(c); Eve submits selected messages m0, m1, and Alice either encrypts, or selects b ∈ {0,1} and encrypts m_b; Eve outputs a guess of b]

  19. Definition: Cryptosystem
  • Three algorithms <K, E, D> are a cryptosystem:
    • K: key generation algorithm; input 1^n (security parameter), outputs K.e (encrypt key) and K.d (decrypt key)
      • Security parameter defines minimal key/data length, `hardness`
    • E_e(m; r_e), D_d(c): encryption and decryption
    • For every m ∈ {0,1}*, r, r_e, holds: m = D_d(E_e(m; r_e)), where d = K.d(1^n; r), e = K.e(1^n; r)
      • `Random bits` notation (sometimes omitted)
  • Notice: same definition for symmetric and asymmetric (public key) cryptosystems
    • Differ only in indistinguishability experiment (next)
    • Public key cryptosystem: expose encrypt key K.e to adversary

  20.

  21. Cryptosystem <K, E, D> is Perfectly…
  • IND-Px-Cy secure if for every A
  • Perfectly Symmetric CPA-Secure if it is Perfectly IND-P2-C0 secure
  • Asymmetric CPA-Secure if it is IND-PK-C0 secure
  • Symmetric CCA-Secure if it is IND-P2-C2 secure
  • Asymmetric CCA-Secure if it is IND-PK-C2 secure
  • Comment: these two CCA notions are often referred to as adaptive CCA-Secure or CCA2-Secure

  22. Example: One-Time-Pad (OTP)
  • To encrypt message m, compute the bitwise XOR of the key with the message:
    • E_k(m) = c where c[i] = k[i] ⊕ m[i]
  • To decrypt ciphertext c, compute the bitwise XOR of the key with the ciphertext:
    • D_k(c) = m’ where m’[i] = k[i] ⊕ c[i]
  [Diagram: Plaintext m ⊕ Key k (pad) → Ciphertext c]

  23. One-Time-Pad: Example, Properties
    Encrypt: m = 10011, k = 11001, c = 01010
    Decrypt: c = 01010, k = 11001, m’ = 10011
  • m’ = k ⊕ c = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = 0 ⊕ m = m
  • Very simple, efficient
  • Provably CPA-secure against unbounded adversary [KL]
  • But not CCA-secure (why?)
  • Drawback: key is as long as message, i.e. |k| = |m|
  • Shannon Theorem [KL]: |k| = |m| for every perfectly-secure encryption
  • What of computationally limited adversary?
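The OTP over bit strings, using the slide’s own values, plus the answer to “not CCA-secure (why?)” and to why the pad is *one*-time, as an added example that is not part of the lecture. The IND-CCA adversary may not ask for the challenge c itself, so it asks for c with one bit flipped: XOR is malleable, so the oracle returns m_b with the same bit flipped, which identifies b. Reusing k for two messages leaks c1 ⊕ c2 = m1 ⊕ m2.

```python
def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as "11001"."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs |k| = |m|")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(k: str, m: str) -> str:
    return xor_bits(k, m)        # c[i] = k[i] XOR m[i]


def otp_decrypt(k: str, c: str) -> str:
    return xor_bits(k, c)        # m'[i] = k[i] XOR c[i] = m[i]


def flip_bits(c: str, mask: str) -> str:
    """Malleability: XORing a mask into c XORs the same mask into the plaintext,
    without knowing k. This is what the CCA adversary below relies on."""
    return xor_bits(c, mask)


def make_decrypt_oracle(k: str, challenge: str):
    """Decryption oracle of the CCA experiment: answers everything except the challenge."""
    def oracle(c: str) -> str:
        if c == challenge:
            raise ValueError("the challenge ciphertext may not be queried")
        return otp_decrypt(k, c)
    return oracle


def cca_distinguish(challenge: str, m0: str, m1: str, decrypt_oracle) -> int:
    """IND-CCA adversary: query the challenge with its last bit flipped (a
    different, hence allowed, ciphertext), undo the flip, compare with m0."""
    mask = "0" * (len(challenge) - 1) + "1"
    recovered = flip_bits(decrypt_oracle(flip_bits(challenge, mask)), mask)
    return 0 if recovered == m0 else 1


def two_time_pad_leak(c1: str, c2: str) -> str:
    """Two messages under the same k: c1 XOR c2 = m1 XOR m2, with no key needed."""
    return xor_bits(c1, c2)
```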

  24. Computationally Secure Cryptosystem
  • Assume adversary has limited computational resources (e.g., can’t try all 128-bit keys)
  • Cryptosystem <K, E, D> is Computationally IND-Px-Cy secure if for every polytime A and every c > 0, for sufficiently large n holds:
  • Computationally symmetric CPA-secure if it is computationally IND-P2-C0 secure, etc…

  25. Computationally-Secure Stream Cipher
  • Idea: same as OTP, but with bounded key
    • `Emulate` infinite random `pad`
    • So that computationally-bounded adversary cannot distinguish from a truly random `pad`!
  • Using a pseudo-random generator PRG(k)
    • `Pseudo-random pad` from fixed seed/key
    • `Indistinguishable from random bits`
  • [KL]: def, proof that PRG ⇒ IND-CPA symmetric encryption
    • Intuition: use adversary for IND-CPA to distinguish pad from random
  [Diagram: Key k → PRG → pad; Plaintext m ⊕ pad → Ciphertext c]

  26. Example: Shift-reg based PRG
  • Shift register, seed (key) as initial state
  • c[i] = m[i] ⊕ out(reg); reg ← F(reg) || Shift(reg)
  • Easy, efficient implementations (esp. in HW)
  • Many insecure versions, e.g. linear feedback
  • Some unbroken (yet?), e.g. `Shrinking Generator`
  [Diagram: Key k (seed) loaded into the register; feedback F computed from `taps`; out(reg) (aka pad) ⊕ Plaintext m → Ciphertext c]

  27. Pseudo-Random Function Encryption
  • Goal: stateless encryption (unlike PRG!)
  • Use F_k(x), a Pseudo-random Function (PRF), instead
    • If x ≠ y then F_k(x) is pseudorandom (F_k(y) known for all y ≠ x)
  • c_i = <m_i ⊕ F_k(x_i), x_i>, where w.h.p. x_i ≠ x_j
    • Bit by bit or `block by block` (|c_i| = |m_i| = |F_k(x_i)|)
  • [KL]: `counter mode`: x_i random or x_i = x_{i-1} + 1 is CPA secure (why not CCA secure?)
    • When F_k(x) is a PRF or a PRP (Pseudo-Random Permutation)
  • Define PRF, PRP…
  [Diagram: Key k and x_i → PRF/PRP F_k → `pad` F_k(x_i); Plaintext m_i ⊕ pad → Ciphertext c_i]

  28. Pseudorandom Functions (PRF): Definition
  [Diagram: the distinguisher queries x and receives f(x), where either f = F_k (random k) or f is a random function]
  (use of security parameter n for key and block length is a simplification)

  29. Pseudorandom Permutation (PRP)
  Comments: (1) F^{-1} should also be efficiently computable; (2) `strong PRP` – since we also allow f^{-1} queries

  30. Block Cipher and Pseudorandom Permutation
  • Block cipher: efficient (invertible) keyed permutation
    • Data Encryption Standard (DES): US NIST, 1977-2001, 64-bit blocks, 56 bit keys ⇒ exhaustive search
    • Advanced Encryption Standard (AES): NIST 2002-?, 128-bit blocks, 128 bit keys
  • Modeled as PRP (with fixed key, block sizes)
    • Best known attacks: 2^|key| (or unrealistic # of chosen/known pairs)
  • Several `modes of use`, incl. `counter mode`
    • And `Electronic Code Book` mode (ECB): c = F_k(m)
    • Is ECB secure?
  [Diagram: m → `Encrypt` F_k → c → `Decrypt` F_k^{-1} → m]

  31. Secure Encryption needs State/Randomness
  • Block ciphers are deterministic (not randomized)
    • If E_k(m) is deterministic, it is trivial to distinguish!
      • With one select-phase encrypt query
  • And have Fixed Input Length (FIL), i.e. `block`
  • `Modes of Operation`: how to use block ciphers, to...
    • Encrypt long (Variable Input Length, VIL) messages
    • Randomize/add state for security
      • Often: use random/stateful Initialization Vector (IV) block
  • So why standardize block ciphers?
    • Principle: design, cryptanalyze simple function, use it to construct strong function
    • Design (FIL, deterministic, stateless) block cipher, transform to (VIL, randomized/stateful) secure cryptosystem
    • And: different `modes` have different properties…
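The indistinguishability experiment of slide 17 run against the PRF encryption of slide 27, as an added example that is not code from the lecture. It contrasts the deterministic variant (a fixed x, as in ECB) with the randomized variant c = <m ⊕ F_k(x), x>, using the one-query adversary of slide 31: HMAC-SHA256 is assumed here as a stand-in for the PRF F_k, and the messages “Advance”/“Retreat” come from slide 15.

```python
import hashlib
import hmac
import os
import random

BLOCK = 32          # HMAC-SHA256 output length: one-block messages, |m| = |F_k(x)|
NONCE_LEN = 16

def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 stands in for the PRF (an assumption of this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, m: bytes) -> bytes:
    """Deterministic variant (fixed x = 0, like ECB): same m always gives same c."""
    return xor(m, prf(key, b"\x00"))

def enc_randomized(key: bytes, m: bytes) -> bytes:
    """Slide 27 scheme: c_i = <m_i XOR F_k(x_i), x_i> with a fresh random x_i."""
    x = os.urandom(NONCE_LEN)
    return xor(m, prf(key, x)) + x

def dec_randomized(key: bytes, c: bytes) -> bytes:
    body, x = c[:-NONCE_LEN], c[-NONCE_LEN:]
    return xor(body, prf(key, x))

class RepeatDetector:
    """Slide 31 adversary: one select-phase query Enc(m0), then guess b = 0
    iff the challenge ciphertext equals that earlier answer."""
    m0 = b"Advance".ljust(BLOCK, b"\0")
    m1 = b"Retreat".ljust(BLOCK, b"\0")

    def select(self, encrypt_oracle):
        return self.m0, self.m1, encrypt_oracle(self.m0)

    def guess(self, challenge: bytes, state: bytes) -> int:
        return 0 if challenge == state else 1

def ind_cpa_experiment(encrypt, adversary, rng: random.Random) -> bool:
    """One run of the IND-CPA game of slide 17; True iff the adversary guesses b."""
    key = os.urandom(32)
    m0, m1, state = adversary.select(lambda m: encrypt(key, m))
    b = rng.randrange(2)
    return adversary.guess(encrypt(key, (m0, m1)[b]), state) == b

def win_rate(encrypt, trials: int = 200, seed: int = 1) -> float:
    rng = random.Random(seed)       # seeds only the challenge bit b
    return sum(ind_cpa_experiment(encrypt, RepeatDetector(), rng) for _ in range(trials)) / trials
```

Against the deterministic scheme the adversary wins every run; against the randomized one it is reduced to guessing, so its win rate stays near 1/2.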

  32. Cipher Block Chaining (CBC) Mode
  • Popular mode for VIL encryption
    • Although not parallelizable (cf. counter mode)
  • Efficient randomization (IV)
  • Operation:
    • Split plaintext p into l-bit blocks p[1], …
    • c[0] = IV ←R {0,1}^l
    • i > 0: c[i] = E_k(c[i-1] ⊕ p[i])
  [Diagram: Initialization Vector (IV), a random number sent `in clear`; each block p[i] is XORed with the previous ciphertext block and encrypted with E under key k; output c[0], c[1], …]

  33. Security of CBC mode
  • CBC is randomized… so there is hope!
  • Indeed: if block-cipher is a (strong) pseudo-random permutation, then CBC is IND-CPA-secure
    • Proof: [BR], ch. 4
  • But: CBC is (also) NOT IND-CCA2-Secure (why?)
  • Ensuring CCA-Security:
    • `Prevent` decryption queries…
    • Use secret key to `sign/authenticate` ciphertext…
    • And decrypt only properly authenticated ciphertext
    • Output `failure` if given unauthenticated ciphertext
  • How to authenticate? We’ll see in next lecture…

  34. Hybrid Encryption (`enveloping`)
  • Public key cryptosystems ∈ PK are slow
  • Also: most (e.g. RSA) have fixed block size (FIL)
    • Using a long block size is veeeery slooow
    • Using CBC etc. is also too wasteful
  • Use secret key cryptosystem in VIL (e.g. CBC) mode; encrypt shared key and use it to encrypt plaintext

  35. Encryption: at what phase?
  • Related goals:
    • Compression
    • Error-detection code
    • Integrity, authentication
  • Redundancy in plaintext helps attacker
  • Can’t compress ciphertext
  • ⇒ compress then encrypt
  [Diagram: Message → Compress → Plaintext → Encrypt → Ciphertext]
  Compress-then-encrypt is not IND-CPA-Secure! Why?? Solution?

  36. Encryption: at what phase?
  • Related goals:
    • Compression
    • Error-detection code
    • Integrity, authentication
  • Redundancy in plaintext helps attacker
  • Can’t compress ciphertext
  • ⇒ compress then encrypt
  [Diagram: Message → Compress → Plaintext → Encrypt → Ciphertext]
  Compress-then-encrypt changes length… Solution: combine multiple sources… later lectures

  37. Encryption and Error Detection (1)
  • EDC on plaintext?
    • allows attacker to validate key guess
    • 1-bit error in ciphertext makes invalid EDC
  • ⇒ Bad design
  • ⇒ Better: Encrypt before Error Detection
  [Diagram: Message → Compress → Plaintext → Code EDC → Plaintext → Encrypt → Ciphertext]

  38. Encryption and Error Detection (2)
  • EDC on plaintext…
    • allows attacker to validate key guess
    • 1-bit error in ciphertext decrypts to `random` plaintext
  • ⇒ Better: Encrypt before Error Detection
  • Does this protect integrity against attack?
  [Diagram: Message → Compress → Plaintext → Encrypt → Ciphertext → Code EDC → Ciphertext]

  39. Encryption: Few Further Issues...
  • Design of block ciphers, cryptosystems – in Crypto course
    • Also a bit later on, in Public Key Crypto subject
  • Cryptanalysis
  • rCCA – weaker CCA variant (and why…)
  • Robust (tolerant) combiner c( , ) design [H05]
    • Given two candidates E’, E’’ (encryption schemes, block cipher (PRP), etc.)
    • (E’ secure) or (E’’ secure) ⇒ c(E’, E’’) `secure`
    • Cascade E’_k’(E’’_k’’(m)) is robust combiner for CPA, rCCA
  • Homomorphic encryption: E(m1 + m2) = E(m1) * E(m2)
    • Where +, * are some efficient operations
  • CCA security
    • Using authentication – next topic

  40. Thank You! Amir Herzberg, http://AmirHerzberg.com