120 likes | 136 Views
This lecture discusses the concepts of message integrity and secrecy in computer security, emphasizing the distinction between the two. It explores different scenarios where active attacks are possible and explores cryptographic integrity techniques. The lecture also covers private-key and public-key approaches to achieve encryption and integrity, with a focus on digital signature schemes and RSA signatures.
E N D
CMSC 414Computer (and Network) SecurityLecture 8 Jonathan Katz
Administrative stuff • HW2 (will be) out • Due in 2 weeks • Two papers (will be) linked from syllabus • Discuss one of these next time
Integrity vs. secrecy • Integrity and secrecy are distinct concerns • Secrecy: passive eavesdropper cannot get any information about the message • Integrity: active attacker cannot change the message (without being detected) • Important: • Authentication does not provide secrecy • Encryption does not provide integrity
Scenarios… • Possibility of active attacks? • Malicious routers • Radio broadcast • Even the best message integrity scheme does not protect against replay attacks • Protect against this at the application level
Cryptographic integrity • Non-cryptographic checksums • Meant to defend against (random) errors • Not meant to defend against active attacks • Must use cryptographic techniques
Private-key case • Message authentication codes (MACs) • Attack model and definition of security • Example: CBC MAC • CBC MAC is secure if the underlying block cipher is secure • CBC encryption does not authenticate data
Some final notes… • Non-repudiation? • How to achieve encryption and integrity? • “Secure channels” • Trivial approaches do not work • Encrypt-then-mac • Must use distinct keys • Special-purpose modes
Public-key case • Digital signature schemes (signatures) • Attack model and definition of security • Should be obvious that public-key encryption provides no authentication at all
Important point • Signing and decrypting are not the same • In general, “signing” a message by “decrypting” it is a BAD idea • Having said that…
RSA signatures I • “Textbook RSA” • Why textbook RSA is completely insecure! (Two attacks)
RSA signatures for real • Hash functions… • Collision-resistance • Birthday attacks • “Scrambling” • How to fix RSA signatures • Why does this work? • Is it actually secure?