cryptography symmetric encryption finish hash functions
play

Cryptography: Symmetric Encryption (finish), Hash Functions, Message - PowerPoint PPT Presentation

Dec 20, 2022 •374 likes •813 views

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter

  1. CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. More Cheating 10/26/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. More Cheating 10/26/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. Dirty COW Vulnerability • Race condition involving memory mapped files which allows user processes to write to root-owned files 10/26/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Dirty COW Fixed commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 Author: Linus Torvalds torvalds@linux-foundation.org Date: Thu Oct 13 20:07:36 2016 GMT This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). 10/26/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Dirty COW Vulnerability • madvise(map,100,MADV_DONTNEED) • write(“/proc/self/mem”) • Eventually writes to a file in the middle of page table updates, causing inappropriate file overwriting. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. Recap: Block Ciphers • Operates on a single chunk (“block”) of plaintext – For example, 64 bits for DES, 128 bits for AES – Each key defines a different permutation – Same key is reused for each block (can use short keys) Plaintext block Key cipher Ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. Electronic Code Book (ECB) Mode plaintext key key key key key block block block block block cipher cipher cipher cipher cipher ciphertext • Don’t use ECB mode 10/26/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. Cipher Block Chaining (CBC) Mode: Encryption plaintext ⊕ ⊕ ⊕ ⊕ Initialization vector key key key key (random) block block block block cipher cipher cipher cipher Sent with ciphertext ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. CBC Mode: Decryption plaintext Initialization ⊕ ⊕ ⊕ ⊕ vector key key key key decrypt decrypt decrypt decrypt ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel] slide 11 10/26/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. Counter Mode (CTR): Encryption Initial ctr ctr ctr+1 ctr+2 ctr+3 (random) Key Key Key Key block block block block cipher cipher cipher cipher pt pt pt pt ⊕ ⊕ ⊕ ⊕ ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. Counter Mode (CTR): Decryption Initial ctr ctr ctr+1 ctr+2 ctr+3 Key Key Key Key block block block block cipher cipher cipher cipher ⊕ ⊕ ⊕ ⊕ ct ct ct ct pt pt pt pt 10/26/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. How Can a Cipher Be Attacked? • Attackers knows ciphertext and encryption algthm – What else does the attacker know? Depends on the application in which the cipher is used! • Ciphertext-only attack • KPA: Known-plaintext attack (stronger) – Knows some plaintext-ciphertext pairs • CPA: Chosen-plaintext attack (even stronger) – Can obtain ciphertext for any plaintext of his choice • CCA: Chosen-ciphertext attack (very strong) – Can decrypt any ciphertext except the target 10/26/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. Ex: Chosen Plaintext Attacks “Let’s plan an attack on AF” [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Ex: Chosen Plaintext Attacks “This is Midway Island, we’re low on supplies” [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. Ex: Chosen Plaintext Attacks “AF is low on supplies” [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. Ex: Chosen Plaintext Attack • When the allies planted mines in the ocean, the German Navy would send messages about those locations to warn their ships. [wikipedia] 10/26/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. Examples of Chosen Ciphertext Attacks • Some serious attacks against SSH have been based on Chosen Ciphertext Attacks • Example: send chosen ciphertext to SSH server, see whether it responds with an error or not. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Examples of Chosen Ciphertext Attacks • Imagine a system with very few commands, e.g., a military system which responds to the commands (“FIRE”) and (“DON’T FIRE”). Try sending ciphertexts and observe in real life whether the weapon fires or not. • The side effects of the command serve as a “decryption” of your ciphertext. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Very Informal Intuition Minimum security requirement for a modern encryption scheme • Security against chosen-plaintext attack (CPA) – Ciphertext leaks no information about the plaintext – Even if the attacker correctly guesses the plaintext, he cannot verify his guess – Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts 10/26/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. Message Authentication Codes 10/26/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. So Far: Achieving Privacy Encryption schemes: A tool for protecting privacy. M C M Encrypt Decrypt K K Alice Bob K K Message = M Ciphertext = C Adversary 10/26/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. Now: Achieving Integrity Message authentication schemes: A tool for protecting integrity. MAC: message authentication code KEY KEY (sometimes called a “tag”) message, MAC(KEY,message) ? message = Bob Alice Recomputes MAC and verifies whether it is equal to the MAC attached to the message Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. Reminder: CBC Mode Encryption plaintext ⊕ ⊕ ⊕ ⊕ Initialization vector key key key key (random) block block block block cipher cipher cipher cipher ciphertext 10/26/16 CSE 484 / CSE M 584 - Fall 2016 25

  26. CBC-MAC plaintext ⊕ ⊕ ⊕ ⊕ key key key key block block block block cipher cipher cipher cipher TAG 10/26/16 CSE 484 / CSE M 584 - Fall 2016 26

  27. CBC-MAC plaintext ⊕ ⊕ ⊕ ⊕ key key key key block block block block cipher cipher cipher cipher TAG • Not secure when system may MAC messages of different lengths. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 27

  28. Hash Functions 10/26/16 CSE 484 / CSE M 584 - Fall 2016 28

  29. Application: Password Hashing • Instead of user password, store hash(password) • When user enters a password, compute its hash and compare with the entry in the password file – System does not store actual passwords! – Cannot go from hash to password! • Why is hashing better than encryption here? • Does hashing protect weak, easily guessable passwords? 10/26/16 CSE 484 / CSE M 584 - Fall 2016 29

  30. Application: Software Integrity VIRUS badFile goodFile The NYTimes BigFirm™ User hash(goodFile) Goal: Software manufacturer wants to ensure file is received by users without modification. Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 30

  31. Hash Functions: Main Idea hash function H . message message “digest” x . y . . . x’’ y’ x’ bit strings of any length n-bit bit strings • Hash function H is a lossy compression function – Collision: h(x)=h(x’) for distinct inputs x, x’ • H(x) should look “random” – Every bit equally likely to be 0 or 1 • Cryptographic hash function needs a few properties… 10/26/16 CSE 484 / CSE M 584 - Fall 2016 31

  32. Property 1: One-Way • The hash should be hard to invert – “Preimage resistance” – Let h(x’) = y ∈ {0,1} n for random x’ – Given y, it should be hard to find any x such that h(x)=y 10/26/16 CSE 484 / CSE M 584 - Fall 2016 32

  33. Security Mindset Anecdote • A clever example of a one-way function: phone books. 10/26/16 CSE 484 / CSE M 584 - Fall 2016 33

  34. Security Mindset Anecdote • A clever example of a one-way function: phone books. • Hash(name) = Phone number of person with that name 10/26/16 CSE 484 / CSE M 584 - Fall 2016 34

  35. Security Mindset Anecdote • Easy to compute forward (phonebook is alphabetical) • Hard to invert backward (must search n/2 pages on average to find person by phone number) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 35

  36. Security Mindset Anecdote 10/26/16 CSE 484 / CSE M 584 - Fall 2016 36

  37. Property 2: Collision Resistance • Should be hard to find x≠x’ such that h(x)=h(x’) 10/26/16 CSE 484 / CSE M 584 - Fall 2016 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

529 views • 34 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
Cryptography [Finish Hash Functions; Start Asymmetric Cryptography] Spring 2020 Franziska

Cryptography [Finish Hash Functions; Start Asymmetric Cryptography] Spring 2020 Franziska

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Finish Hash Functions; Start Asymmetric Cryptography] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi

406 views • 19 slides
Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan

567 views • 38 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Cryptocurrency Technologies Cryptography and Cryptocurrencies Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public

489 views • 27 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar & Pelzl. & Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
Multicomponent drift gas mixtures for the SHiP Muon Magnetic Spectrometer DPG Frhjahrstagung

Multicomponent drift gas mixtures for the SHiP Muon Magnetic Spectrometer DPG Frhjahrstagung

Multicomponent drift gas mixtures for the SHiP Muon Magnetic Spectrometer DPG Frhjahrstagung Mnster 2017 Stefan Bieschke Universitt Hamburg 27 March 2017 Stefan Bieschke (UHH) Multicomponent drift gases 03/27/2017 1 / 12 Content The

169 views • 15 slides
Question asking as program induction Anselm Rothe WITH Todd Gureckis Brenden Lake

Question asking as program induction Anselm Rothe WITH Todd Gureckis Brenden Lake

Question asking as program induction Anselm Rothe WITH Todd Gureckis Brenden Lake Computers are useless. They can only give you answers. (attributed to) Pablo Picasso What does it take Computers are to build a machine useless.

680 views • 32 slides
Dirac vs. Majorana HNLs (and their oscillations) at SHiP arXiv: 1912.05520 Inar Timiryasov (EPFL)

Dirac vs. Majorana HNLs (and their oscillations) at SHiP arXiv: 1912.05520 Inar Timiryasov (EPFL)

Dirac vs. Majorana HNLs (and their oscillations) at SHiP arXiv: 1912.05520 Inar Timiryasov (EPFL) Spaatind 2020 Nordic conference on Particle Physics January 03, 2020 1 Speaker 1 / 15 Jean-Loup Tastet 1 (NBI) Feebly interacting particles

378 views • 21 slides
Hidden en s secto ctor search ches at NA t NA62 and S SHiP HiP Hidden sector searches at

Hidden en s secto ctor search ches at NA t NA62 and S SHiP HiP Hidden sector searches at

Hidden en s secto ctor search ches at NA t NA62 and S SHiP HiP Hidden sector searches at NA62 and SHiP Philippe Merm Ph rmod, on behalf of the SHiP Collabora ration Philippe Mermod, on behalf of the SHiP Collaboration NUFACT, Uppsa

320 views • 30 slides
CSE 484 / CSE M 584 Computer Security TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security TA: Thomas Crosley tcrosley@cs Thanks to Franzi Roesner, Adrian Sham, and other contributors from previous

649 views • 11 slides
QSSUG Finance/Personnel Committee - Webinar QCC Payroll Transfers November 3, 2015 Presenter:

QSSUG Finance/Personnel Committee - Webinar QCC Payroll Transfers November 3, 2015 Presenter:

QSSUG Finance/Personnel Committee - Webinar QCC Payroll Transfers November 3, 2015 Presenter: Ronnie Steward Q & A: Craig Grilley Before We Start Dont Forget This webinar is being recorded for later viewing within QCC You

930 views • 71 slides
THE LIBRARY PRIVACY ACT Anne M. Seurynck 1700 East Beltline, N.E., Suite 200 Grand Rapids,

THE LIBRARY PRIVACY ACT Anne M. Seurynck 1700 East Beltline, N.E., Suite 200 Grand Rapids,

THE LIBRARY PRIVACY ACT Anne M. Seurynck 1700 East Beltline, N.E., Suite 200 Grand Rapids, Michigan 49525 Telephone: (616) 7262240 Fax: (517) 3677196 email: aseurynck@fosterswift.com fosterswift.com Library Privacy Act What is

579 views • 30 slides
WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman

WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman

WG Leadership Tutorial IETF 86: Orlando March 10, 2012 Margaret Wasserman mrw@painless-security.com Agenda 1. Introduction 2. Getting a WG started 3. Making WGs work for everyone 4. Steps in the WG process 5. Complex Situations 6.

1.1k views • 55 slides

More recommend