130 likes | 141 Views
Learn about the significance of randomized encryption, block ciphers like DES, 3DES, AES, and various modes of encryption. Understand the concerns and importance of message integrity in secure communication.
E N D
CMSC 414Computer and Network SecurityLecture 4 Jonathan Katz
Randomized encryption • Deterministic encryption schemes cannot be secure against chosen-plaintext attacks • Nor can they be secure for encrypting multiple messages • To be secure against chosen-plaintext attack, encryption must be randomized • Moral: always use randomized encryption!
Block ciphers • Keyed, invertible permutation F • Large key space, large block size • Modeled as a (family of) random permutations… • A block cipher is not an encryption scheme • A block cipher can be used to build an encryption scheme (and other things as well) • Example – the “trivial” encryption scheme: • C = FK(m) • This is not randomized…
Data Encryption Standard (DES) • Developed in 1970s by IBM / NSA / NBS • Non-public design process • 56-bit key, 64-bit input/output • A 64-bit key is derived from 56 random bits • One bit in each octet is a parity-check bit • The “short” key length is a major concern… • The “short” block length is also a concern
Concerns about DES • Short key length • DES “cracker”, built for $250K, can break DES in days • Computation can be distributed to make it faster • Does not mean “DES is insecure”; depends on desired security • Short block length • Repeated blocks happen “too frequently” • Some (theoretical) attacks have been found • Claimed known to DES designers 15 years before public discovery! • Non-public design process
3DES/triple-DES • Expands the key length • Now, key K = (K1, K2); |K| = 112 • The “new” block cipher is just: • EK1,K2(m) = DESK1(DES-1K2(DESK1(m))) • This is a permutation, and invertible • Fairly slow…but widely used in practice
AES • Public contest sponsored by NIST in ’97 • Narrowed to 5 finalists • 4 years of intense analysis • Rijndael selected as the AES • Supports variety of block/key sizes, but defaults to 128-bit key length and 128-bit block length • 2128 is a huge number • Number of seconds since big bang (estimate): ~258 • Number of nanoseconds since big bang: ~290 • Both efficiency and security taken into account • The “most secure” finalist was not the one chosen
Other block ciphers? • No compelling reason to use anything other than AES, in general • Unless (possibly) you have very severe performance requirements • Even then, think twice • Same goes for stream ciphers
Modes of encryption • Used for encrypting a long message m1, …, mn • ECB • Ci = FK(mi); the ciphertext is c1, …, cn • CBC • IV; Ci = FK(mi Ci-1); the ciphertext is IV, c1, …, cn • OFB (stream cipher mode) • IV; zi = FK(zi-1); Ci = zi mi; the ciphertext is IV, c1, …, cn • CTR (stream cipher mode) • IV; zi = FK(IV+i); Ci = zi mi; the ciphertext is IV, c1, .., cn • Others…
Security? • ECB should not be used • Why? • CBC, OFB, and CTR modes are secure against chosen-plaintext attacks • CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks
Encryption does not provide integrity • “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable” • WRONG • E.g., one-time pad, CBC-/CTR-mode encryption • Why is this a concern? • Lack of integrity can lead to lack of secrecy • Almost always, integrity is needed in addition to secrecy