170 likes | 188 Views
This lecture covers stream ciphers, block ciphers, and encryption standards such as DES, 3DES, and AES. It discusses the limitations of perfect secrecy and the different types of attacks that can be launched against encryption schemes. The lecture also explores the development and use of AES as the current standard.
E N D
CMSC 414Computer and Network SecurityLecture 4 Jonathan Katz
Announcements • HW1 out • Work in teams of two students • Both students should contribute to all problems • Material covered on HW1 is fair game for the exam • Post on Piazza if you are looking for a partner • Assigned reading on course syllabus
Review • If we want perfect secrecy, we face several inherent limitations • Key as long as the message • Key used only once • Not secure against chosen-plaintext attacks • Computational secrecy offers the potential to circumvent these limitations • E.g., the pseudo-one-time pad
Stream ciphers • Basically PRNGs • Popular ones: • RC4 • A5/1 • Used for GSM cellphone encryption • Not very secure • Block ciphers can also be turned into stream ciphers
Note • Which drawbacks of the one-time pad does the pseudo-OTP address? • What is the “right” threat model? • Multiple messages or a single message? • Passive/active adversary? • Ciphertext-only, known-plaintext, chosen-plaintext, chosen-ciphertext, … • The threat model matters! • The classical encryption schemes we have seen are immediately broken by a known-plaintext attack
Attack taxonomy • So far, we have been considering only passive eavesdropping of a single ciphertext • aka, ciphertext-only attack • In practice, stronger attacks need to be considered • Known-plaintext attacks • Chosen-plaintext attacks (CPA-security) • Implies security for multiple messages encrypted using the same key • Chosen-ciphertext attacks (by default, encompasses chosen-plaintext attacks)
Enck(m2) m2 Definitions? c = Enck(m) Deck(c’) k k Enck(m1) c’ m1 I know the message m is either m0 or m1, but which one? Ciphertext-only attack Known/chosen-plaintext attack Chosen-ciphertext attack
c Chosen-plaintext security • Is the definition too strong? • Voting example: • Midway example Voters Enck(Obama) Enck(McCain)
Chosen-plaintext security • Is security against chosen-plaintext attacks even possible?? • Deterministic encryption schemes cannot be secure against chosen-plaintext attacks • Nor can they be secure for encrypting multiple messages • To be secure against chosen-plaintext attack, encryption must be randomized • Moral: always use randomized encryption!
Minimum requirements • The minimum level of security nowadays is security against chosen-plaintext attacks • Implies security when multiple messages encrypted • Security against chosen-ciphertext attacks (or even stronger) is often necessary • Make sure you are aware of this when deploying encryption! • We will revisit this issue after discussing message authentication
Block ciphers • Keyed, invertible permutation F • F is a deterministic function • Large key space, large block length • Indistinguishable from a random permutation • A block cipher is not an encryption scheme • A block cipher can be used to build an encryption scheme (and other things as well) • Example – the “trivial” encryption scheme: • C = FK(m) • This is not randomized…
Encryption from block ciphers • Enck(m) = <r, Fk(r) m >, for random r • Randomized! • Theorem: If F is a secure block cipher, this is CPA-secure • Proof sketch…
Data Encryption Standard (DES) • Developed in 1970s by IBM / NSA / NBS • Non-public design process • 56-bit key, 64-bit block length • A 64-bit key is derived from 56 random bits • One bit in each octet is a parity-check bit • The short key length is a major concern… • The short block length is also a concern
Concerns about DES • Short key length • DES “cracker”, built for $250K, can break DES in days • Computation can be distributed to make it faster • Does not mean “DES is insecure”; depends on desired security • Short block length • Repeated blocks happen “too frequently” • Some (theoretical) attacks have been found • Claimed known to DES designers 15 years before public discovery! • Non-public design process
3DES/triple-DES • Expands the key length • Now, key K = (K1, K2); |K| = 112 • Still has the short block length • The new block cipher is just: • EK1, K2(m) = DESK1(DES-1K2(DESK1(m))) • This is a permutation, and invertible • Fairly slow…but widely used in practice • Backward compatibility
Adv. Encryption Standard (AES) • Public contest sponsored by NIST in ’97 • 15 candidates submitted • Narrowed to 5 finalists in ’99 • Winner selected in 2000 • Entire contest open; intense cryptanalytic effort • Supports 128/192/256-bit keys (“default” is 128-bit keys) and 128-bit block length • 2128 is a huge number • Number of nanoseconds since big bang (estimate): ~290 • Both efficiency and security taken into account • The “most secure” finalist was not the one chosen
Other block ciphers? • No compelling reason to use anything but AES • Unless (possibly) you have very severe performance requirements • Even then, think twice • In particular, AES (possibly in stream cipher mode) is usually a better choice than a dedicated stream cipher