CRYPTOGRAPHY INTRO GRAD SEC OCT 17 2017 SCENARIOS AND GOALS - - PowerPoint PPT Presentation

cryptography intro
SMART_READER_LITE
LIVE PREVIEW

CRYPTOGRAPHY INTRO GRAD SEC OCT 17 2017 SCENARIOS AND GOALS - - PowerPoint PPT Presentation

Mar 20, 2023 359 likes •825 views

CRYPTOGRAPHY INTRO GRAD SEC OCT 17 2017 SCENARIOS AND GOALS Alice Bob Disk Public network SCENARIOS AND GOALS Alice Bob Disk Public network SCENARIOS AND GOALS Alice Bob Disk Public network Keep others from CONFIDENTIALITY

slide-1
SLIDE 1

CRYPTOGRAPHY
 INTRO

GRAD SEC

OCT 17 2017

slide-2
SLIDE 2

SCENARIOS AND GOALS

Public network Disk Alice Bob

slide-3
SLIDE 3

SCENARIOS AND GOALS

Public network Disk Alice Bob

slide-4
SLIDE 4

SCENARIOS AND GOALS

Public network Disk Alice Bob

Keep others from reading Alice’s messages / data

CONFIDENTIALITY

Keep others from undetectably tampering with Alice’s messages / data

INTEGRITY

Keep others from undetectably impersonating Alice (keep her to her word, too)

AUTHENTICITY

slide-5
SLIDE 5

RANDOMNESS

slide-6
SLIDE 6

RANDOMNESS

Message m

slide-7
SLIDE 7

RANDOMNESS

Message m Something that leaks
 no information about m

slide-8
SLIDE 8

RANDOMNESS

Message m Something that leaks
 no information about m Original m

slide-9
SLIDE 9

RANDOMNESS

Message m Something that leaks
 no information about m Original m Message m

slide-10
SLIDE 10

RANDOMNESS

Message m Something that leaks
 no information about m Original m Message m <m, unpredictable ‘tag’>

slide-11
SLIDE 11

RANDOMNESS

Message m Something that leaks
 no information about m Original m Message m <m, unpredictable ‘tag’> Determine if m
 was tampered

slide-12
SLIDE 12

RANDOMNESS

Message m Something that leaks
 no information about m Original m Message m <m, unpredictable ‘tag’> Determine if m
 was tampered

Ideally, to the attacker, it is indistinguishable from
 a string of bits chosen uniformly at random

slide-13
SLIDE 13

RANDOMNESS

Message m Something that leaks
 no information about m Original m Message m <m, unpredictable ‘tag’> Determine if m
 was tampered

Ideally, to the attacker, it is indistinguishable from
 a string of bits chosen uniformly at random This will be impossible with Alice and Bob having a shared secret

slide-14
SLIDE 14

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

slide-15
SLIDE 15

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

slide-16
SLIDE 16

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way

slide-17
SLIDE 17

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-18
SLIDE 18

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-19
SLIDE 19

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-20
SLIDE 20

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r. i i

If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-21
SLIDE 21

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

Message m

i i

If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-22
SLIDE 22

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

Message m

i i

fi(m) If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-23
SLIDE 23

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

Message m

i i

fi(m) If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

Learns m f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-24
SLIDE 24

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

Message m

i i

fi(m) If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

Learns m

Without knowing i,
 learns nothing about m

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way “One-way trapdoor function”

slide-25
SLIDE 25

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Consider the set of all permutations fi : X → X

Shared secret: index i chosen u.a.r.

Message m

i i

fi(m) If you know i, then fi(x) is trivial to invert

Think of X as all
 128-bit bit strings

Learns m

Without knowing i,
 learns nothing about m

f1 f2 f|X|! …

0 1 2 3 4 … 1 0 2 3 4 … 7 9 5 1 8 …

If you don’t know i, then fi(x) is one-way

i is our key

“One-way trapdoor function”

slide-26
SLIDE 26

WHAT WE IDEALLY HAVE: RANDOM FUNCTIONS

Shared secret: index i chosen u.a.r.

Message m

i i

fi(m) Learns m

Without knowing i,
 learns nothing about m

In essence, this protocol is saying “Let’s use the ith permutation function” Infeasible to store all permutation functions So instead cryptographers construct pseudorandom functions

slide-27
SLIDE 27

BLOCK CIPHERS BLACKBOX #1:

slide-28
SLIDE 28

BLOCK CIPHERS

E

m K c Plaintext Ciphertext Same fixed block size
 (AES: 128 bits)

D

c K m AES key sizes:
 128, 192, 256 For a given m and K,
 E(K,m) always returns the same c Confusion: Each bit of the ciphertext should depend on each bit of the key Diffusion: Flipping a bit in m should flip each bit in c with Pr = 1/2 Block ciphers are deterministic

slide-29
SLIDE 29

BLOCK CIPHERS ARE DETERMINISTIC

E

m K c For a given m and K,
 E(K,m) always returns the same c Block ciphers are deterministic

E

m’ K c’

E

m K c c c’ c An eavesdropper could determine
 when messages are re-sent

slide-30
SLIDE 30

BLOCK CIPHERS ARE DETERMINISTIC

E

m K c For a given m and K,
 E(K,m) always returns the same c Block ciphers are deterministic

E

m’ K c’

E

m K c c c’ c An eavesdropper could determine
 when messages are re-sent

E

m ⊕ r K c Send c and r Choose random r

slide-31
SLIDE 31

INITIALIZATION VECTORS

r just needs to be different each time Random: Must send with the message
 Good if messages can be reordered Counter: Can infer from message number
 Good if messages are delivered in-order

slide-32
SLIDE 32

INITIALIZATION VECTORS

E

m ⊕ r K c Send c and r Choose random r r just needs to be different each time Random: Must send with the message
 Good if messages can be reordered Counter: Can infer from message number
 Good if messages are delivered in-order

slide-33
SLIDE 33

BLOCK CIPHERS HAVE FIXED SIZE

E

m1 K c1

E

m2 K c2

E

mn K cn …

slide-34
SLIDE 34
slide-35
SLIDE 35

NEVER use ECB (but over 50% of Android apps do)

slide-36
SLIDE 36
slide-37
SLIDE 37
slide-38
SLIDE 38
slide-39
SLIDE 39

MESSAGE AUTHENTICATION CODE (MAC) BLACKBOX #2:

slide-40
SLIDE 40

MESSAGE AUTHENTICATION CODES

E

m K c Plaintext Ciphertext Same fixed block size
 (AES: 128 bits)

D

c K m AES key sizes:
 128, 192, 256 For a given m and K,
 E(K,m) always returns the same c Confusion: Each bit of the ciphertext should depend on each bit of the key Diffusion: Flipping a bit in m should flip each bit in c with Pr = 1/2 Block ciphers are deterministic

slide-41
SLIDE 41

MESSAGE AUTHENTICATION CODES

  • Sign: takes a key and a message and outputs a “tag”
  • Sgn(k,m) = t
  • Verify: takes a key, a message, and a tag, and outputs Y/N
  • Vfy(k,m,t) = {Y,N}
  • Correctness:
  • Vfy(k, m, Sgn(k, m)) = Y
slide-42
SLIDE 42

ATTACKER’S GOAL: EXISTENTIAL FORGERY

  • A MAC is secure if an attacker cannot demonstrate an

existential forgery despite being able to perform a chosen plaintext attack:

  • Chose plaintext:
  • Attacker gets to choose m1, m2, m3, …
  • And in return gets a properly computed t1, t2, t3, …
  • Existential forgery:
  • Construct a new (m,t) pair such that Vfy(k, m, t) = Y
slide-43
SLIDE 43

ENCRYPTED CBC

It’s a trap! Just take the last block in CBC Use a separate key and encrypt the last block

slide-44
SLIDE 44

HASH FUNCTIONS BLACKBOX #3:

slide-45
SLIDE 45

HASH FUNCTION PROPERTIES

  • Very fast to compute
  • Takes arbitrarily-sized inputs, returns fixed-sized output
  • Pre-image resistant:


Given H(m), hard to determine m

  • Collision resistant


Given m and H(m), hard to find m’≠ m s.t. H(m) = H(m’)

Good hash functions: SHA family (SHA-256, SHA-512, …)

slide-46
SLIDE 46

HASH MACS

  • Sign(k, m):
  • opad = 0x5c5c5c…
  • ipad =0x363636…
  • H( (k ⊕ opad) || H((k ⊕ ipad) || m ) )
  • Verify:
  • Recompute and compare