Cryptography Autumn 2018 Tadayoshi (Yoshi) Kohno - - PowerPoint PPT Presentation



SLIDE 1

CSE 484 / CSE M 584: Computer Security and Privacy

Cryptography

Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu

Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

SLIDE 2

Admin

  • Lab 1:
    – Due Oct 24, 4:30pm
  • Quiz sections (especially for Lab 1): M 2:30, W 1:30, F 12
  • My office hours (especially for crypto, research readings, administrivia, worksheet pick up): M 11:30

  • Questions about David Aucsmith’s talk?

10/21/2018 CSE 484 / CSE M 584 2

SLIDE 3

Some Notes on David Aucsmith’s Talk

  • Cyber Crime
  • Cyber Espionage
  • Cyber Warfare

SLIDE 4

https://www.gao.gov/products/GAO-19-128

SLIDE 5

Review Slides (Overview)

SLIDE 6

Flavors of Cryptography

  • Symmetric cryptography
    – Both communicating parties have access to a shared random string K, called the key.
    – Challenge: How do you privately share a key?
  • Asymmetric cryptography
    – Each party creates a public key pk and a secret key sk.
    – Challenge: How do you validate a public key?

SLIDE 7

Confidentiality: Basic Problem

Given (Symmetric Crypto): both parties know the same secret.
Goal: send a message confidentially.

  • Ignore for now: How is this achieved in practice??

SLIDE 8

Review Slides (Block Ciphers)

SLIDE 9

Block Ciphers

  • Operates on a single chunk (“block”) of plaintext
    – For example, 64 bits for DES, 128 bits for AES
    – Each key defines a different permutation
    – Same key is reused for each block (can use short keys)

[Figure: plaintext and key enter the block cipher, which outputs ciphertext]

SLIDE 10

Standard Block Ciphers

  • DES: Data Encryption Standard
    – Feistel structure: builds invertible function using non-invertible ones
    – Invented by IBM, issued as federal standard in 1977
    – 64-bit blocks, 56-bit key + 8 bits for parity
  • AES: Advanced Encryption Standard
    – New federal standard as of 2001
        • NIST: National Institute of Standards & Technology
    – Based on the Rijndael algorithm
        • Selected via an open process
    – 128-bit blocks, keys can be 128, 192 or 256 bits

SLIDE 11

New Slides: How to Use Block Ciphers

SLIDE 12

Encrypting a Large Message

  • So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size
  • What should we do?

[Figure: 128-bit plaintext (arranged as 4x4 array of 8-bit bytes); 128-bit ciphertext]

SLIDE 13

Electronic Code Book (ECB) Mode

[Diagram: each plaintext block is encrypted independently by the block cipher under the same key to give the corresponding ciphertext block]

  • Identical blocks of plaintext produce identical blocks of ciphertext
  • No integrity checks: can mix and match blocks

SLIDE 14

Information Leakage in ECB Mode

[Figure: an image encrypted in ECB mode. Source: Wikipedia]

SLIDE 15

Cipher Block Chaining (CBC) Mode: Encryption

[Diagram: a random initialization vector, sent with the ciphertext, is XORed into the first plaintext block; each later plaintext block is XORed with the previous ciphertext block before passing through the block cipher under the same key]

  • Identical blocks of plaintext encrypted differently
  • Last cipherblock depends on entire plaintext
  • Still does not guarantee integrity

SLIDE 16

CBC Mode: Decryption

[Diagram: each ciphertext block is decrypted under the same key, then XORed with the previous ciphertext block (the initialization vector for the first block) to recover the plaintext block]

SLIDE 17

ECB vs. CBC

[Figure: two panels, AES in ECB mode and AES in CBC mode. Picture due to Bart Preneel]

Similar plaintext blocks produce similar ciphertext blocks (not good!)

SLIDE 18

CBC and Electronic Voting

[Diagram: DES in CBC mode; the initialization vector is supposed to be random and sent with the ciphertext]

Found in the source code for Diebold voting machines:

DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT)
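Added example (not part of the original slides, and not the Diebold code): ECB, CBC with a random IV, and CBC with a constant IV run over the same records, to show what each mode reveals. Assumptions: encrypt_block is a toy Feistel cipher built from HMAC-SHA256 standing in for DES/AES, the all-zero FIXED_IV models an IV that is not random (the slide does not say what NULL means to DesCBCEncrypt), and the key and ballot records are constructed sample data.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes, the AES block size quoted on the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation: a teaching stand-in, NOT DES or AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("this example does not implement padding")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in split_blocks(pt))

def cbc_encrypt(key, pt, iv=None):
    """CBC; with iv=None a fresh random IV is drawn. The IV is sent as block 0."""
    iv = secrets.token_bytes(BLOCK) if iv is None else iv
    out = [iv]
    for b in split_blocks(pt):
        out.append(encrypt_block(key, xor(b, out[-1])))
    return b"".join(out)

def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier block."""
    blks = split_blocks(ct)
    return len(blks) - len(set(blks))

# Constructed sample data: three identical 16-byte records, then a different one.
KEY = b"constructed demo key"
REC_A, REC_B = b"VOTE=CANDIDATE-A", b"VOTE=CANDIDATE-B"
BALLOTS = REC_A * 3 + REC_B
FIXED_IV = bytes(BLOCK)  # assumption: a constant all-zero IV models a non-random IV

if __name__ == "__main__":
    print("ECB repeated blocks:   ", repeated_blocks(ecb_encrypt(KEY, BALLOTS)))
    print("CBC (random IV) repeats:", repeated_blocks(cbc_encrypt(KEY, BALLOTS)))
    print("CBC fixed IV repeatable:", cbc_encrypt(KEY, BALLOTS, FIXED_IV) == cbc_encrypt(KEY, BALLOTS, FIXED_IV))
```

With the constant IV, two messages that start with the same record also share their first ciphertext block, so an observer can tell when stored records begin identically.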

SLIDE 19

Counter Mode (CTR): Encryption

[Diagram: starting from a random initial ctr, the block cipher encrypts ctr, ctr+1, ctr+2, ctr+3 under the same key; each output is XORed (⊕) with plaintext blocks pt1 to pt4 to give the ciphertext]

  • Identical blocks of plaintext encrypted differently
  • Still does not guarantee integrity; Fragile if ctr repeats

SLIDE 20

Counter Mode (CTR): Decryption

[Diagram: starting from the initial ctr, the block cipher encrypts ctr, ctr+1, ctr+2, ctr+3 under the same key; each output is XORed (⊕) with ciphertext blocks ct1 to ct4 to recover pt1 to pt4]
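Added example (not part of the original slides): the two CTR weaknesses named on the encryption slide, shown in code. A repeated initial ctr makes the XOR of two ciphertexts equal the XOR of the two plaintexts, and without an integrity check a change to the ciphertext changes the same bits of the plaintext. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher, and the key, counters and messages are constructed sample values.

```python
import hashlib
import hmac
import secrets

BLOCK = 16

def keystream_block(key, counter):
    """Stand-in for block_cipher(key, ctr): HMAC-SHA256 truncated to 16 bytes.
    CTR only ever runs the cipher forward, so a keyed PRF is enough here."""
    ctr_bytes = (counter % 2**128).to_bytes(BLOCK, "big")
    return hmac.new(key, ctr_bytes, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, initial_ctr, data):
    """Encrypt or decrypt (same operation): data XOR E(ctr), E(ctr+1), ..."""
    out = b""
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], keystream_block(key, initial_ctr + i // BLOCK))
    return out

def leaks_plaintext_xor(key, ctr1, ctr2, pt1, pt2):
    """True when XOR of the two ciphertexts equals XOR of the two plaintexts."""
    c1, c2 = ctr_crypt(key, ctr1, pt1), ctr_crypt(key, ctr2, pt2)
    return xor(c1, c2) == xor(pt1, pt2)

def flip(ciphertext, offset, old, new):
    """Model in-transit modification: XOR (old ^ new) into the ciphertext."""
    patch = xor(old, new)
    return ciphertext[:offset] + xor(ciphertext[offset:], patch) + ciphertext[offset + len(patch):]

# Constructed sample messages (same length so the XORs line up).
KEY = b"constructed demo key"
PT1 = b"transfer 0100 USD to account 42!"
PT2 = b"transfer 9000 USD to account 17!"

if __name__ == "__main__":
    print("same ctr leaks pt1^pt2: ", leaks_plaintext_xor(KEY, 7, 7, PT1, PT2))
    fresh = secrets.randbits(128), secrets.randbits(128)
    print("fresh ctrs leak pt1^pt2:", leaks_plaintext_xor(KEY, *fresh, PT1, PT2))
    print("after modification:     ", ctr_crypt(KEY, 7, flip(ctr_crypt(KEY, 7, PT1), 9, b"0100", b"9999")))
```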

SLIDE 21

Flavors of Cryptography

  • Symmetric cryptography
    – Both communicating parties have access to a shared random string K, called the key.
    – Challenge: How do you privately share a key?
  • Asymmetric cryptography
    – Each party creates a public key pk and a secret key sk.
    – Challenge: How do you validate a public key?

SLIDE 22

When is an Encryption Scheme “Secure”?

  • Hard to recover the key?
    – What if attacker can learn plaintext without learning the key?
  • Hard to recover plaintext from ciphertext?
    – What if attacker learns some bits or some function of bits?

SLIDE 23

How Can a Cipher Be Attacked?

  • Attacker knows ciphertext and encryption algorithm
    – What else does the attacker know? Depends on the application in which the cipher is used!
  • Ciphertext-only attack
  • KPA: Known-plaintext attack (stronger)
    – Knows some plaintext-ciphertext pairs
  • CPA: Chosen-plaintext attack (even stronger)
    – Can obtain ciphertext for any plaintext of their choice
  • CCA: Chosen-ciphertext attack (very strong)
    – Can decrypt any ciphertext except the target

SLIDE 24

Chosen Plaintext Attack

Crook #1 changes their PIN to a number of their choice

cipher(key,PIN)

PIN is encrypted and transmitted to bank

Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN

… repeat for any PIN value

SLIDE 25

Very Informal Intuition

  • Security against chosen-plaintext attack (CPA)
    – Ciphertext leaks no information about the plaintext
    – Even if the attacker correctly guesses the plaintext, they cannot verify their guess
    – Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts
  • Implication: encryption must be randomized or stateful
  • Security against chosen-ciphertext attack (CCA)
    – Integrity protection – it is not possible to change the plaintext by modifying the ciphertext

Minimum security requirement for a modern encryption scheme
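Added example (not part of the original slides): the "cannot verify their guess" requirement from the CPA intuition, measured as a guessing game over the PIN scenario of the previous slide. It compares a cipher(key, PIN) with no randomness or state against one that draws a fresh nonce per message. Assumptions: HMAC-SHA256 stands in for the cipher, and the function names and the two PINs are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def pad(key, label, n):
    """Keyed pad: HMAC-SHA256 stand-in for a cipher (messages up to 32 bytes)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key, msg):
    """No randomness, no state: the same PIN always gives the same ciphertext."""
    return xor(msg, pad(key, b"fixed", len(msg)))

def enc_randomized(key, msg):
    """Fresh random nonce per message, sent alongside the ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + xor(msg, pad(key, nonce, len(msg)))

def guess_success_rate(encrypt, trials=400):
    """Play the guessing game `trials` times; return the fraction guessed right.
    Each round a secret coin picks one of two PINs to encrypt; the guesser may
    obtain the encryption of a chosen PIN and must say which PIN was encrypted."""
    pins = (b"1234", b"9876")          # constructed sample PINs
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)  # known to the bank only
        coin = secrets.randbelow(2)
        target = encrypt(key, pins[coin])
        probe = encrypt(key, pins[0])  # chosen-plaintext query
        guess = 0 if probe == target else 1
        wins += guess == coin
    return wins / trials

if __name__ == "__main__":
    print("deterministic cipher:", guess_success_rate(enc_deterministic))
    print("randomized cipher:   ", guess_success_rate(enc_randomized))
```

A success rate of 1.0 means every guess can be confirmed from the ciphertext; a rate near 0.5 is no better than a coin flip, which is what randomized (or stateful) encryption is meant to achieve.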