All iLabs and P2PSS Modern cryptography for communications security - PowerPoint PPT Presentation

  1. All iLabs and P2PSS: Modern cryptography for communications security, part 1. Benjamin Hof, hof@in.tum.de, Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München. Cryptography, 17ss.

  2. Outline: Cryptography; Symmetric setting.

  3. Outline: Cryptography; Symmetric setting.

  4. Scope. Focus on:
     - modern cryptography
     - methods used in communications security
     Based on: Introduction to Modern Cryptography, Katz and Lindell, 2nd edition, 2015.

  5. Communication, by Melissa Elliott: https://twitter.com/0xabad1dea/status/400676797874208768

  6. What we are concerned with. Alice to Bob: "Let's meet up at 9!"

  7. What we are concerned with. Alice to Bob: "Let's meet up at 9!" (image credit: BfV, Roens/Wikipedia, CC-by-sa 2.0)

  8. What we are concerned with. Alice to Bob: "Let's meet up at 9!", with Eve listening. Passive attack: eavesdropping. We want to provide confidentiality!

  9. What we are concerned with. Mallory, sitting between Alice and Bob, delivers "This will not be on the exam!" instead. Active attack: message modification or forgery. We want to provide message authentication!

  10. Limitations. Cryptography is typically bypassed, not broken:
     - not applied correctly
     - not implemented correctly
     - subverted
     No protection of information about the communication:
     - existence
     - time
     - extent
     - partners

  11. Kerckhoffs' principle. Security should only depend on secrecy of the key, not on secrecy of the system.
     - key easier to keep secret
     - change
     - compatibility
     No security by obscurity:
     - scrutiny
     - standards
     - reverse engineering

  12. Another principle, as a side note. The system should be easy to use.
     - Kerckhoffs actually postulated 6 principles
     - this one got somewhat forgotten
     - considered uncontroversial by Kerckhoffs
     - starting to be rediscovered in the design of secure applications and libraries
     Example: Signal, NaCl.

  13-15. What should secure encryption guarantee? (built up over three slides). It should be impossible for the attacker to
     - recover the key.
     - recover the entire plaintext from the ciphertext.
     - recover any character of the plaintext from the ciphertext.
     Regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext.

  16. Modern cryptography relies on
     - formal definitions
     - precisely defined assumptions
     - mathematical proofs
     Reductionist security arguments, the proofs, require the assumptions to be formulated explicitly.

  17. A definition of security. A scheme is secure if any probabilistic polynomial-time adversary succeeds in breaking the scheme with at most negligible probability.
     Negligible: for every polynomial $p$ and for all sufficiently large values of $n$: $f(n) < \frac{1}{p(n)}$, e.g. $f(n) = \frac{1}{2^n}$.
     Church-Turing hypothesis: we believe polynomial time models all computers.

  18. Our goals.
     - symmetric (secret-key): confidentiality, authenticity
     - asymmetric (public-key): confidentiality, authenticity, key exchange
     Authenticity here means message integrity. Something providing confidentiality generally makes no statement whatsoever about authenticity.

  19. Motivation. What does a perfectly encrypted message look like?

  20. Uniform distribution: $P : U \to [0,1]$, $\sum_{x \in U} P(x) = 1$, $\forall x \in U : P(x) = \frac{1}{|U|}$.

  21. Randomness
     - required to do any cryptography at all
     - somewhat difficult to get in a computer (deterministic!)
     - required to be cryptographically secure: indistinguishable from truly random
     - not provided in programming languages
     Example: used to generate keys or other information unknown to any other parties.

  22. Collecting unpredictable bits
     - physical phenomena
       - time between emission of particles during radioactive decay
       - thermal noise from a semiconductor diode or resistor
     - software-based
       - elapsed time between keystrokes or mouse movements
       - packet interarrival times
     - attacker must not be able to guess or influence the collected values
     Procedure: (1) collect a pool of high-entropy data; (2) process it into a sequence of nearly independent and unbiased bits.

  23. Pseudo-random generator: $G : \{0,1\}^s \to \{0,1\}^n$, $n \gg s$.

  24. Outline: Cryptography; Symmetric setting.

  25. Symmetric encryption scheme
     (1) $k \leftarrow Gen(1^n)$, security parameter $1^n$
     (2) $c \leftarrow Enc_k(m)$, $m \in \{0,1\}^*$
     (3) $m := Dec_k(c)$
     - provides confidentiality
     - definition of security: chosen-plaintext attack (CPA)
     Cryptography uses theoretical attack games to analyze and formalize security. Notation: $C$ is the challenger, $A$ the adversary; $\leftarrow$ means non-deterministic, $:=$ means deterministic.

  26-27. The eavesdropping experiment (built up over two slides). Challenger $C$ and adversary $A$ both get input $1^n$.
     - $C$: $k \leftarrow Gen(1^n)$
     - $A \to C$: $m_0, m_1$
     - $C$: $b \leftarrow \{0,1\}$, $c \leftarrow Enc_k(m_b)$
     - $C \to A$: $c$
     - $A$: output $b'$
     $A$ succeeds iff $b = b'$.

  28. Discussion of the eavesdropping experiment
     - $|m_0| = |m_1|$
     - probabilistic polynomial-time algorithms
     - success probability should be $0.5 +$ negligible
     - if so, $Enc$ has indistinguishable encryptions in the presence of an eavesdropper

  29. Pseudorandom permutation $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$
     - $F_k(x)$ and $F_k^{-1}(y)$ efficiently computable
     - $F_k$ indistinguishable from a uniform permutation
     - adversary may have access to $F^{-1}$
     We can assume that all inputs and the output have the same length.

  30. A block cipher. Example:
     - fixed key length and block length
     - chop $m$ into 128-bit blocks
     Each block of $m$ is put through AES under the 128-bit key $k$ to produce $c$. Does this function survive the eavesdropping experiment?

  31-34. Chosen-plaintext attack (built up over four slides). Challenger $C$ and adversary $A$ both get input $1^n$.
     - $C$: $k \leftarrow Gen(1^n)$
     - $A \to C$: $m$; $C$: $c \leftarrow Enc_k(m)$; $C \to A$: $c$ (repeated as often as $A$ likes)
     - $A \to C$: $m_0, m_1$
     - $C$: $b \leftarrow \{0,1\}$, $c \leftarrow Enc_k(m_b)$; $C \to A$: $c$
     - (cont'd) $A \to C$: $m$; $C$: $c \leftarrow Enc_k(m)$; $C \to A$: $c$ (again repeated as often as $A$ likes)
     - $A$: output bit $b'$


  36. Discussion of CPA
     - $Enc$ is secure under chosen-plaintext attack
     - again, messages must have the same length
     - multiple-use key
     - non-deterministic (e.g. random initialization vector) or stateful
     - a block cipher requires a mode of operation, e.g. counter (CTR), output feedback (OFB), ...

  37. Example constructions: counter mode. Example: randomised AES counter mode (AES-CTR$).
     - choose nonce $r \leftarrow \{0,1\}^{128}$, key $k \leftarrow \{0,1\}^{128}$
     - great if you have dedicated circuits for AES, else vulnerable to timing attacks
     Keystream blocks are $AES_k(r), AES_k(r+1), \ldots$; $c_0 := m_0 \oplus AES_k(r)$, $c_1 := m_1 \oplus AES_k(r+1)$, and so on. Complete ciphertext: $c := (r, c_0, c_1, \cdots)$.

  38. Example constructions: stream ciphers. Example: a modern stream cipher, fast in software. ChaCha takes a 128-bit key, a 96-bit nonce and a 32-bit initial counter and produces a keystream; ciphertext $=$ plaintext $\oplus$ keystream.

  39. Message authentication code (MAC)
     (1) $k \leftarrow Gen(1^n)$, security parameter $1^n$
     (2) $t \leftarrow Mac_k(m)$, $m \in \{0,1\}^*$
     (3) $b := Vrfy_k(m, t)$; $b = 1$ means valid, $b = 0$ invalid
     - transmit $\langle m, t \rangle$
     - tag $t$ is a short authenticator
     - message authenticity $\Leftrightarrow$ integrity
     - detects tampering
     - no protection against replay
     - "existentially unforgeable"
     - security definition: adaptive chosen-message attack

  40. Adaptive chosen-message attack. Challenger $C$ and adversary $A$ both get input $1^n$.
     - $C$: $k \leftarrow Gen(1^n)$
     - $A \to C$: $m$; $C$: $t \leftarrow Mac_k(m)$; $C \to A$: $\langle m, t \rangle$ (repeated as often as $A$ likes)
     - $A$: output $\langle m', t' \rangle$
     Let $Q$ be the set of all queried messages $m$. $A$ succeeds iff $Vrfy_k(m', t') = 1$ and $m' \notin Q$.

  41. Used in practice. Example:
     - HMAC, based on hash functions
     - CMAC, based on cipher block chaining mode (CBC)
     - authenticated encryption modes

  42. Example: side-channel attack. How does tag verification work, and how is tag comparison implemented correctly?

  43. Recap: secret-key cryptography
     - attacker power: probabilistic polynomial time
     - confidentiality defined as IND-CPA: encryption, e.g. AES-CTR$
     - message authentication defined as existentially unforgeable under adaptive chosen-message attack: message authentication codes, e.g. HMAC-SHA2
     - authenticated encryption modes

  44. Combining confidentiality and authentication
     - encrypt-then-authenticate is generally secure: $c \leftarrow Enc_{k_1}(m)$, $t \leftarrow Mac_{k_2}(c)$; transmit $\langle c, t \rangle$
     - authenticated encryption is also a good choice, e.g. offset codebook (OCB), Galois counter mode (GCM): $(c, t) \leftarrow AEAD^{enc}_k(ad, m)$; $m := AEAD^{dec}_k(ad, c, t)$ or verification failure
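As an added example (not the lecture's code), the encrypt-then-authenticate composition of slide 44 in Go using only the standard library: AES-CTR under $k_1$, HMAC-SHA256 under $k_2$ over the whole ciphertext including the IV, and verification before any decryption. It also answers slide 42's question: the tag comparison is hmac.Equal, whose running time does not depend on where the tags differ. Seal, Open, tag and ErrAuth are my own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrAuth is all a caller learns on failure: no partial plaintext, no hint which byte was wrong.
var ErrAuth = errors.New("tag verification failed")

// tag computes t = Mac_k2(c) as HMAC-SHA256 over the whole ciphertext, IV included.
func tag(k2, c []byte) []byte {
	mac := hmac.New(sha256.New, k2)
	mac.Write(c)
	return mac.Sum(nil)
}

// Seal is encrypt-then-authenticate: c <- Enc_k1(m) (AES-CTR with a fresh
// uniform IV in the first 16 bytes), then t <- Mac_k2(c). Transmit <c, t>.
func Seal(k1, k2, m []byte) (c, t []byte) {
	block, err := aes.NewCipher(k1)
	if err != nil {
		panic(err)
	}
	c = make([]byte, 16+len(m))
	if _, err := rand.Read(c[:16]); err != nil {
		panic(err)
	}
	cipher.NewCTR(block, c[:16]).XORKeyStream(c[16:], m)
	return c, tag(k2, c)
}

// Open is Vrfy_k2 then Dec_k1. hmac.Equal compares in constant time; a byte loop that
// returns at the first mismatch would leak how many leading tag bytes were right (slide 42).
func Open(k1, k2, c, t []byte) ([]byte, error) {
	if len(c) < 16 || !hmac.Equal(tag(k2, c), t) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	m := make([]byte, len(c)-16)
	cipher.NewCTR(block, c[:16]).XORKeyStream(m, c[16:])
	return m, nil
}
```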
