cryptography
play

Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) - PowerPoint PPT Presentation

May 29, 2023 •108 likes •390 views

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Reminder • Checkpoint for lab #1 due TONIGHT – Submit md5 hashes to Catalyst dropbox • I’ll have office hours right after class today (CSE 654) 4/16/17 CSE 484 / CSE M 584 - Spring 2017 2

  3. Last Time: One-Time Pad • Easy to compute – Encryption and decryption are the same operation – Bitwise XOR is very cheap to compute • As secure (for secrecy ) as theoretically possible – Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources – …as long as the key sequence is truly random • True randomness is expensive to obtain in large quantities – …as long as each key is same length as plaintext • But how does sender communicate the key to receiver? 4/16/17 CSE 484 / CSE M 584 - Spring 2017 3

  4. Reducing Key Size • What to do when it is infeasible to pre-share huge random keys? – When one-time pad is unrealistic… • Use special cryptographic primitives: block ciphers, stream ciphers – Single key can be re-used (with some restrictions) – Not as theoretically secure as one-time pad 4/16/17 CSE 484 / CSE M 584 - Spring 2017 4

  5. Stream Ciphers • One-time pad: Ciphertext(Key,Message)=Message Å Key – Key must be a random bit sequence as long as message • Idea: replace “ random ” with “ pseudo-random ” – Use a pseudo-random number generator (PRNG) – PRNG takes a short, truly random secret seed and expands it into a long “ random-looking ” sequence • E.g., 128-bit seed into a 10 6 -bit No efficient algorithm can tell pseudo-random sequence this sequence from truly random • Ciphertext(Key,Msg)=Msg Å PRNG(Key) – Message processed bit by bit (unlike block cipher) 4/16/17 CSE 484 / CSE M 584 - Spring 2017 5

  6. Block Ciphers • Operates on a single chunk (“block”) of plaintext – For example, 64 bits for DES, 128 bits for AES – Each key defines a different permutation – Same key is reused for each block (can use short keys) Plaintext block Key cipher Ciphertext 4/16/17 CSE 484 / CSE M 584 - Spring 2017 6

  7. Permutations 0 0 1 1 2 2 3 3 • For N-bit input, 2 N ! possible permutations • Idea for how to use a keyed permutation: split plaintext into blocks; for each block use secret key to pick a permutation – Without the key, permutation should “look random” 4/16/17 CSE 484 / CSE M 584 - Spring 2017 7

  8. Block Cipher Security • Result should look like a random permutation on the inputs – Recall: not just shuffling bits. N-bit block cipher permutes over 2 N inputs. • Only computational guarantee of secrecy – Not impossible to break, just very expensive • If there is no efficient algorithm (unproven assumption!), then can only break by brute-force, try-every-possible-key search – Time and cost of breaking the cipher exceed the value and/or useful lifetime of protected information 4/16/17 CSE 484 / CSE M 584 - Spring 2017 8

  9. Block Cipher Operation (Simplified) Block of plaintext Key Add some secret key bits S S S S to provide confusion S S S S Each S-box transforms its input bits in a “ random-looking ” way repeat for several rounds to provide diffusion (spread plaintext bits throughout ciphertext) S S S S Procedure must be reversible Block of ciphertext (for decryption) 4/16/17 CSE 484 / CSE M 584 - Spring 2017 9

  10. Standard Block Ciphers • DES: Data Encryption Standard – Feistel structure: builds invertible function using non- invertible ones – Invented by IBM, issued as federal standard in 1977 – 64-bit blocks, 56-bit key + 8 bits for parity 4/16/17 CSE 484 / CSE M 584 - Spring 2017 10

  11. DES and 56 bit keys • 56 bit keys are quite short • 1999: EFF DES Crack + distributed machines – < 24 hours to find DES key • DES ---> 3DES – 3DES: DES + inverse DES + DES (with 2 or 3 diff keys) 4/16/17 CSE 484 / CSE M 584 - Spring 2017 11

  12. Standard Block Ciphers • DES: Data Encryption Standard – Feistel structure: builds invertible function using non- invertible ones – Invented by IBM, issued as federal standard in 1977 – 64-bit blocks, 56-bit key + 8 bits for parity • AES: Advanced Encryption Standard – New federal standard as of 2001 • NIST: National Institute of Standards & Technology – Based on the Rijndael algorithm • Selected via an open process – 128-bit blocks, keys can be 128, 192 or 256 bits 4/16/17 CSE 484 / CSE M 584 - Spring 2017 12

  13. Encrypting a Large Message • So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit ciphertext • What should we do? 4/16/17 CSE 484 / CSE M 584 - Spring 2017 13

  14. Electronic Code Book (ECB) Mode plaintext key key key key key block block block block block cipher cipher cipher cipher cipher ciphertext • Identical blocks of plaintext produce identical blocks of ciphertext • No integrity checks: can mix and match blocks 4/16/17 CSE 484 / CSE M 584 - Spring 2017 14

  15. Information Leakage in ECB Mode Encrypt in ECB mode [Wikipedia] 4/16/17 CSE 484 / CSE M 584 - Spring 2017 15

  16. Cipher Block Chaining (CBC) Mode: Encryption plaintext Å Å Å Å Initialization vector key key key key (random) block block block block cipher cipher cipher cipher Sent with ciphertext (preferably encrypted) ciphertext • Identical blocks of plaintext encrypted differently • Last cipherblock depends on entire plaintext • Still does not guarantee integrity 4/16/17 CSE 484 / CSE M 584 - Spring 2017 16

  17. CBC Mode: Decryption plaintext Å Å Å Å Initialization vector key key key key decrypt decrypt decrypt decrypt ciphertext 4/16/17 CSE 484 / CSE M 584 - Spring 2017 17

  18. ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel] slide 18 4/16/17 CSE 484 / CSE M 584 - Spring 2017 18

  19. CBC and Electronic Voting plaintext Å Å Å Å Initialization vector key key key key (supposed to be random) DES DES DES DES ciphertext Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT) 4/16/17 CSE 484 / CSE M 584 - Spring 2017 19

  20. Counter Mode (CTR): Encryption Initial ctr ctr ctr+1 ctr+2 ctr+3 (random) Key Key Key Key block block block block cipher cipher cipher cipher ⊕ ⊕ ⊕ ⊕ pt pt pt pt ciphertext • Identical blocks of plaintext encrypted differently • Still does not guarantee integrity; Fragile if ctr repeats 4/16/17 CSE 484 / CSE M 584 - Spring 2017 20

  21. Counter Mode (CTR): Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 Key Key Key Key block block block block cipher cipher cipher cipher ⊕ ⊕ ⊕ ⊕ ct ct ct ct pt pt pt pt 4/16/17 CSE 484 / CSE M 584 - Spring 2017 21

  22. When is an Encryption Scheme “Secure”? • Hard to recover the key? – What if attacker can learn plaintext without learning the key? • Hard to recover plaintext from ciphertext? – What if attacker learns some bits or some function of bits? • Fixed mapping from plaintexts to ciphertexts? – What if attacker sees two identical ciphertexts and infers that the corresponding plaintexts are identical? – Implication: encryption must be randomized or stateful 4/16/17 CSE 484 / CSE M 584 - Spring 2017 22

  23. How Can a Cipher Be Attacked? • Attackers knows ciphertext and encryption algthm – What else does the attacker know? Depends on the application in which the cipher is used! • Ciphertext-only attack • KPA: Known-plaintext attack (stronger) – Knows some plaintext-ciphertext pairs • CPA: Chosen-plaintext attack (even stronger) – Can obtain ciphertext for any plaintext of his choice • CCA: Chosen-ciphertext attack (very strong) – Can decrypt any ciphertext except the target 4/16/17 CSE 484 / CSE M 584 - Spring 2017 23

  24. Chosen Plaintext Attack (CPA) PIN is encrypted and transmitted to bank cipher(key,PIN) Crook #2 eavesdrops on the wire and learns Crook #1 changes ciphertext corresponding his PIN to a number to chosen plaintext PIN of his choice … repeat for any PIN value 4/16/17 CSE 484 / CSE M 584 - Spring 2017 24

  25. Chosen Plaintext Security Game • Attacker does not know the key • She chooses as many plaintexts as she wants, and receives the corresponding ciphertexts • When ready, she picks two plaintexts M 0 and M 1 – He is even allowed to pick plaintexts for which he previously learned ciphertexts! • She receives either a ciphertext of M 0 , or a ciphertext of M 1 • She wins if she guesses correctly which one it is à Any deterministic, stateless symmetric encryption scheme (such as ECB mode) is insecure against chosen plaintext attacks. 4/16/17 CSE 484 / CSE M 584 - Spring 2017 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -&gt; C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

453 views • 11 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Lecture 4 Page 1 CS 236 Online Cryptography and Secrecy Pretty obvious Only those knowing the

303 views • 15 slides
Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but hard-to-solve problems were discovered. Computational Complexity, by Fu Yuxi Cryptography 1 / 75 Cryptography is closely related to some

785 views • 76 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Symmetric cryptography DES 3DES AES Asymmetric cryptography Diffie-Hellman key exchange 2 Modern cryptography Moving into

338 views • 16 slides
Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is cryptography? Related fields: Cryptography (&quot;secret writing&quot;): Making secret messages Turning plaintext (an ordinary readable message)

1.2k views • 57 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 CCA Security SIM-CCA Security (PKE) Recv Send PK/Enc SK/Dec Replay Filter Secure (and correct) if: s.t. output of is distributed

1.26k views • 101 slides
Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Cryptography Public Key Cryptography Concepts of Public Key Cryptography Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia Prepared by Steven Gordon on 20 Feb 2020, public.tex, r1803 1

421 views • 7 slides
Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography

Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography

Homomorphic Cryptography &amp; Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography Bike lock of Internet Provides many important building blocks for security For example, encryption or

699 views • 31 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography

Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 15 November, 2012 Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography Diffie-Hellman Key

207 views • 8 slides
HiPAcc-LTE: An Integrated High Performance Accelerator for 3GPP LTE Stream Ciphers Sourav Sen Gupta

HiPAcc-LTE: An Integrated High Performance Accelerator for 3GPP LTE Stream Ciphers Sourav Sen Gupta

HiPAcc-LTE: An Integrated High Performance Accelerator for 3GPP LTE Stream Ciphers Sourav Sen Gupta 1 , Anupam Chattopadhyay 2 , Ayesha Khalid 2 1. Applied Statistics Unit, Indian Statistical Institute, Kolkata, India 2. MPSoC Architectures, UMIC

282 views • 25 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom

On the Security of IV Dependent Stream Ciphers Cme Berbain and Henri Gilbert France Telecom R&amp;D {firstname.lastname@orange-ftgroup.com} research &amp; development Stream Ciphers IV-less IV-dependent key K IV (initial value)

477 views • 18 slides
Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts Pierrick M AUX cole normale suprieure, CNRS, INRIA, PSL Joint work with: Anthony J OURNAULT , Franois-Xavier S TANDAERT , and Claude C ARLET Eurocrypt 2016 Vienna,

953 views • 71 slides
Outline RC4 RC4 attacks Spritz Security Analysis of Spritz Performance Conclusion Outline

Outline RC4 RC4 attacks Spritz Security Analysis of Spritz Performance Conclusion Outline

S PRITZ A SPONGY RC4- LIKE STREAM CIPHER AND HASH FUNCTION Ronald L. Rivest 1 Jacob C. N. Schuldt 2 1 Vannevar Bush Professor of EECS MIT CSAIL Cambridge, MA 02139 rivest@mit.edu 2 Research Institute for Secure Systems AIST, Japan

654 views • 36 slides
An Introduc+on to Applied Cryptography Chester Rebeiro IIT Madras CR CR Connected and Stored

An Introduc+on to Applied Cryptography Chester Rebeiro IIT Madras CR CR Connected and Stored

An Introduc+on to Applied Cryptography Chester Rebeiro IIT Madras CR CR Connected and Stored Everything is connected! Everything is stored! CR CR 2 Increased Security Breaches 81% more in 2015 CR CR

806 views • 28 slides
An Improved Hardware Implementation of the Quark Hash Function Shohreh Sharif Mansouri and Elena

An Improved Hardware Implementation of the Quark Hash Function Shohreh Sharif Mansouri and Elena

An Improved Hardware Implementation of the Quark Hash Function Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems Royal Institute of Technology (KTH), Stockholm Email:{shsm,dubrova}@kth.se Overview Motivation

417 views • 20 slides
FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li

FSE 2013 Near Collision Attack on the Grain v1 Stream Cipher Bin Zhang and Zhenqi Li Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China. Institute of Software, Chinese Academy of Sciences,

1.08k views • 97 slides

More recommend