iLab: Modern cryptography for communications security, a fast rush (PowerPoint PPT presentation)



  1. iLab: Modern cryptography for communications security, a fast rush. Benjamin Hof, hof@in.tum.de, Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München. Cryptography – 16ss. 1 / 38

  2. Outline Cryptography Secret-key setting Hash functions Using cryptography 2 / 38

  3. Outline Cryptography Secret-key setting Hash functions Using cryptography 3 / 38

  4. Scope
     Focus on:
     ◮ modern cryptography
     ◮ methods used in communications security
     Based on: Introduction to modern cryptography, Katz and Lindell, 2nd edition, 2015. 4 / 38

  5. What we are concerned with “Let’s meet up at 9!” Alice Bob 5 / 38

  6. What we are concerned with “Let’s meet up at 9!” Alice Bob BfV Roens/Wikipedia. CC-by-sa 2.0 5 / 38

  7. What we are concerned with “Let’s meet up at 9!” Alice Bob Eve passive attack: eavesdropping We want to provide confidentiality! 5 / 38

  8. What we are concerned with “You can trust Trent!” Mallory Alice Bob active attack: message modification We want to provide message authentication! 5 / 38

  9. Limitations
     ◮ cryptography is typically bypassed, not broken
       ◮ not applied correctly
       ◮ not implemented correctly
     ◮ subverted communication
       ◮ existence
       ◮ time
       ◮ extent
       ◮ partners
     6 / 38

  10. Kerckhoffs’ principle
      Security should only depend on secrecy of the key, not the secrecy of the system.
      ◮ key easier to keep secret
      ◮ change
      ◮ compatibility
      No security by obscurity.
      ◮ scrutiny
      ◮ standards
      ◮ reverse engineering
      7 / 38

  11. Another principle as a side note
      The system should be usable easily.
      ◮ Kerckhoffs actually postulated 6 principles
      ◮ this one got somewhat forgotten
      ◮ considered uncontroversial by Kerckhoffs
      ◮ starting to be rediscovered in design of secure applications and libraries
      Example: Signal, NaCl
      8 / 38

  12. Modern cryptography relies on
      ◮ formal definitions
      ◮ precisely defined assumptions
      ◮ mathematical proofs
      Reductionist security arguments (the proofs) require that the assumptions be formulated explicitly.
      9 / 38

  13. Uniform distribution
      $P : U \to [0, 1]$, with $\sum_{x \in U} P(x) = 1$ and $\forall x \in U : P(x) = \frac{1}{|U|}$
      10 / 38

  14. Randomness
      ◮ required to do any cryptography at all
      ◮ somewhat difficult to get in a computer (deterministic!)
      ◮ required to be cryptographically secure: indistinguishable from truly random
      ◮ not provided by the standard random-number facilities of programming languages
      Example: used to generate keys or other information unknown to any other parties
      11 / 38

  15. Collecting unpredictable bits
      ◮ physical phenomena
        ◮ time between emission of particles during radioactive decay
        ◮ thermal noise from a semiconductor diode or resistor
      ◮ software-based
        ◮ elapsed time between keystrokes or mouse movement
        ◮ packet interarrival times
      ◮ attacker must not be able to guess/influence the collected values
      1. collect pool of high-entropy data
      2. process into sequence of nearly independent and unbiased bits
      12 / 38
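The two steps on this slide (collect a pool of raw samples, then process it into unbiased bits) together with the previous slide's point that language-level generators are deterministic, as an added Python example that is not part of the lecture deck. Assumptions: the biased source is a constructed stand-in for a physical noise source (seeded only so the example is reproducible), and the von Neumann extractor is one standard debiasing step chosen here for illustration; real systems feed the pool into a cryptographic extractor or DRBG, which is what `secrets` ultimately draws from.

```python
import random
import secrets
from typing import Iterable, List


def biased_source(n: int, p_one: float, seed: int) -> List[int]:
    """Constructed stand-in for a raw physical source (e.g. timing jitter)
    that emits 1 with probability p_one. Seeded only to make the example
    reproducible; a real entropy pool must not be reproducible."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann_extract(raw_bits: Iterable[int]) -> List[int]:
    """Step 2 of the slide: turn biased but independent bits into unbiased
    ones. Look at non-overlapping pairs: (0,1) -> 0, (1,0) -> 1, and discard
    (0,0) and (1,1). Both kept pairs occur with probability p(1-p), so the
    output is exactly unbiased, at the cost of discarding most of the input."""
    out: List[int] = []
    it = iter(raw_bits)
    for a, b in zip(it, it):
        if a != b:
            out.append(a)
    return out


def bias(bits: List[int]) -> float:
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits)


def prng_is_reproducible(seed: int, count: int = 8) -> bool:
    """The 'deterministic!' point: a general-purpose PRNG seeded twice with
    the same value yields the same sequence, so its output is only as
    unpredictable as its seed and internal state."""
    a = random.Random(seed)
    b = random.Random(seed)
    return [a.getrandbits(32) for _ in range(count)] == [b.getrandbits(32) for _ in range(count)]


def generate_key(nbytes: int = 16) -> bytes:
    """Key material comes from the OS CSPRNG (secrets / os.urandom), which is
    fed by the collected pool, never from the random module."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    raw = biased_source(20_000, 0.8, seed=1)
    clean = von_neumann_extract(raw)
    print(f"raw bias {bias(raw):.3f} over {len(raw)} bits")
    print(f"extracted bias {bias(clean):.3f} over {len(clean)} bits")
    print("PRNG reproducible:", prng_is_reproducible(42))
    print("key:", generate_key().hex())
```

With p = 0.8 the extractor keeps only 2p(1-p) = 32% of the pairs, so roughly 3,200 output bits come from 20,000 raw ones; the price of debiasing is throughput, which is why pools are filled continuously.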

  16. Pseudo-random generator
      $G : \{0,1\}^s \to \{0,1\}^n$, with $n \gg s$
      13 / 38

  17. A definition of security
      A scheme is secure if any probabilistic polynomial-time adversary succeeds in breaking the scheme with at most negligible probability.
      Negligible: for every polynomial $p$ and for all sufficiently large values of $n$: $f(n) < \frac{1}{p(n)}$, e.g., $f(n) = \frac{1}{2^n}$
      Church-Turing Hypothesis: we believe polynomial time models all computers.
      14 / 38

  18. Our goals
      Secret-key (symmetric): confidentiality, authenticity
      Public-key (asymmetric): confidentiality, authenticity, key exchange
      (authenticity as in: message integrity)
      Something providing confidentiality generally makes no statement whatsoever about authenticity.
      15 / 38

  19. Outline Cryptography Secret-key setting Hash functions Using cryptography 16 / 38

  20. Secret-key encryption scheme
      1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$
      2. $c \leftarrow \mathrm{Enc}_k(m)$, $m \in \{0,1\}^*$
      3. $m := \mathrm{Dec}_k(c)$
      ◮ provides confidentiality
      ◮ definition of security: chosen-plaintext attack (CPA)
      Cryptography uses theoretical attack games to analyze and formalize security.
      Notation: $C$ is the challenger, $A$ the adversary; $\leftarrow$ means a non-deterministic (randomized) step, $:=$ a deterministic one.
      17 / 38

  21.–22. The eavesdropping experiment (built up over two slides)
      $C$: $k \leftarrow \mathrm{Gen}(1^n)$            $A$: input $1^n$
      $A \to C$: $m_0, m_1$
      $C$: $b \leftarrow \{0,1\}$, $c \leftarrow \mathrm{Enc}_k(m_b)$
      $C \to A$: $c$
      $A$: output $b'$
      ◮ $A$ succeeds iff $b = b'$
      18 / 38

  23. Discussion of the eavesdropping experiment
      ◮ $|m_0| = |m_1|$
      ◮ probabilistic polynomial-time algorithms
      ◮ success probability should be $0.5 + \text{negligible}$
      ◮ if so, Enc has indistinguishable encryptions in the presence of an eavesdropper
      19 / 38

  24. Pseudorandom permutation
      $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$
      ◮ $F_k(x)$ and $F_k^{-1}(y)$ efficiently computable
      ◮ $F_k$ indistinguishable from a uniform permutation
      ◮ the adversary may have access to $F^{-1}$
      We can assume that all inputs and the output have the same length.
      20 / 38

  25. A block cipher
      Example
      ◮ fixed key length and block length
      ◮ chop $m$ into 128-bit blocks; each block goes through AES under the 128-bit key $k$, giving $c$
      Does this function survive the eavesdropping experiment?
      21 / 38

  26.–30. Chosen-plaintext attack (built up over five slides)
      $C$: $k \leftarrow \mathrm{Gen}(1^n)$            $A$: input $1^n$
      $A \to C$: $m$;  $C$: $c \leftarrow \mathrm{Enc}_k(m)$;  $C \to A$: $c$   (repeated as often as $A$ likes)
      $A \to C$: $m_0, m_1$
      $C$: $b \leftarrow \{0,1\}$;  $C \to A$: $\mathrm{Enc}_k(m_b)$
      $A \to C$: $m$;  $C$: $c \leftarrow \mathrm{Enc}_k(m)$;  $C \to A$: $c$   (further queries, cont’d)
      $A$: output bit $b'$
      22 / 38

  31. Discussion of CPA
      ◮ Enc is secure under chosen-plaintext attack
      ◮ again, messages must have the same length
      ◮ multiple-use key
      ◮ encryption must be non-deterministic (e.g. random initialization vector) or stateful
      ◮ a block cipher requires a mode of operation: counter (CTR), output feedback (OFB), . . .
      23 / 38

  32. Example constructions: counter mode
      Example
      ◮ randomised AES counter mode (AES-CTR$)
      ◮ choose nonce $r \leftarrow \{0,1\}^{128}$, key $k \leftarrow \{0,1\}^{128}$
      ◮ great if you have dedicated circuits for AES, else vulnerable to timing attacks
      $c_0 := \mathrm{AES}_k(r) \oplus m_0$, $c_1 := \mathrm{AES}_k(r + 1) \oplus m_1$, $\cdots$
      complete ciphertext $c := (r, c_0, c_1, \cdots)$
      24 / 38
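The eavesdropping and chosen-plaintext games from slides 21–31, the question on slide 25 about a deterministic block-cipher construction, and the CTR$ construction on this slide, as an added Python example that is not part of the deck. Assumptions: AES is replaced by HMAC-SHA256 used as the keyed pseudorandom function (CTR mode only ever evaluates the cipher forward, so a PRF suffices), the block is therefore 32 bytes rather than 16, and the game is run a few hundred times with fresh keys to estimate the adversary's success probability rather than to prove anything. The deterministic variant keeps the nonce fixed at zero; the CPA oracle is exactly what lets the adversary exploit that.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

NONCE_LEN = 16   # r <- {0,1}^128 as on the slide


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for AES_k(x): a keyed pseudorandom function (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(k: bytes, r: bytes, nbytes: int) -> bytes:
    """Keystream blocks F_k(r), F_k(r+1), ... with the counter added to the
    nonce modulo 2^128, as in the slide's AES_k(r + i)."""
    base = int.from_bytes(r, "big")
    out = b""
    i = 0
    while len(out) < nbytes:
        ctr = ((base + i) % (1 << (8 * NONCE_LEN))).to_bytes(NONCE_LEN, "big")
        out += prf(k, ctr)
        i += 1
    return out[:nbytes]


def enc_ctr_fixed_nonce(k: bytes, m: bytes) -> bytes:
    """Deterministic variant: the nonce is always zero, so the same key and
    message always give the same ciphertext (the flaw the CPA game catches)."""
    r = bytes(NONCE_LEN)
    return r + xor(m, ctr_keystream(k, r, len(m)))


def enc_ctr_random(k: bytes, m: bytes) -> bytes:
    """CTR$: fresh random nonce per message; ciphertext c := (r, c_0, c_1, ...)."""
    r = secrets.token_bytes(NONCE_LEN)
    return r + xor(m, ctr_keystream(k, r, len(m)))


def dec_ctr(k: bytes, c: bytes) -> bytes:
    r, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return xor(body, ctr_keystream(k, r, len(body)))


Oracle = Callable[[bytes], bytes]
Guess = Callable[[bytes], int]


def replay_adversary(oracle: Oracle) -> Tuple[bytes, bytes, Guess]:
    """Uses the chosen-plaintext oracle once: learn c* = Enc_k(m0), then submit
    (m0, m1) and check whether the challenge ciphertext equals c*."""
    m0 = b"Let's meet up at 9!"   # same length as m1, as the game requires
    m1 = b"Let's meet up at 8!"
    c_star = oracle(m0)

    def guess(challenge: bytes) -> int:
        return 0 if challenge == c_star else 1

    return m0, m1, guess


def ind_cpa_game(enc: Callable[[bytes, bytes], bytes],
                 adversary: Callable[[Oracle], Tuple[bytes, bytes, Guess]],
                 rounds: int = 200) -> float:
    """Challenger C: fresh key, answer oracle queries, pick b, hand over
    Enc_k(m_b); A wins iff its guess b' equals b. Returns the win rate."""
    wins = 0
    for _ in range(rounds):
        k = secrets.token_bytes(16)
        m0, m1, guess = adversary(lambda m: enc(k, m))
        assert len(m0) == len(m1)
        b = secrets.randbelow(2)
        c = enc(k, (m0, m1)[b])
        wins += int(guess(c) == b)
    return wins / rounds


if __name__ == "__main__":
    print("fixed nonce, adversary wins:", ind_cpa_game(enc_ctr_fixed_nonce, replay_adversary))
    print("CTR$,        adversary wins:", ind_cpa_game(enc_ctr_random, replay_adversary))
```

Against the fixed-nonce scheme the adversary wins every round, so the scheme is not CPA-secure; against CTR$ the same strategy is reduced to guessing, which is the 0.5 + negligible of slide 23. The two schemes share the keystream code, so the only difference the game sees is the fresh nonce.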

  33. Example constructions: stream ciphers
      Example
      A modern stream cipher, fast in software: ChaCha takes a 256-bit key, a 96-bit nonce and a 32-bit initial counter and produces a keystream; ciphertext = plaintext $\oplus$ keystream
      25 / 38

  34. Message authentication code (MAC)
      1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$
      2. $t \leftarrow \mathrm{Mac}_k(m)$, $m \in \{0,1\}^*$
      3. $b := \mathrm{Vrfy}_k(m, t)$; $b = 1$ means valid, $b = 0$ invalid
      ◮ transmit $\langle m, t \rangle$
      ◮ tag $t$ is a short authenticator
      ◮ message authenticity $\Leftrightarrow$ integrity
      ◮ detects tampering
      ◮ no protection against replay
      ◮ “existentially unforgeable”
      ◮ security definition: adaptive chosen-message attack
      26 / 38

  35. Adaptive chosen-message attack
      $C$: $k \leftarrow \mathrm{Gen}(1^n)$            $A$: input $1^n$
      $A \to C$: $m$;  $C$: $t \leftarrow \mathrm{Mac}_k(m)$;  $C \to A$: $\langle m, t \rangle$   (repeated)
      $A$: output $\langle m', t' \rangle$
      ◮ let $Q$ be the set of all queried messages $m$
      ◮ $A$ succeeds iff $\mathrm{Vrfy}_k(m', t') = 1$ and $m' \notin Q$
      27 / 38

  36. Used in practice
      Example
      ◮ HMAC, based on hash functions
      ◮ CMAC, based on cipher block chaining mode (CBC)
      ◮ authenticated encryption modes
      28 / 38

  37. Example: side-channel attack How does tag verification work and how to implement tag comparison correctly? 29 / 38

  38. Recap: secret-key cryptography
      ◮ attacker power: probabilistic polynomial time
      ◮ confidentiality defined as IND-CPA: encryption, e.g. AES-CTR$
      ◮ message authentication defined as existentially unforgeable under adaptive chosen-message attack: message authentication codes, e.g. HMAC-SHA2
      ◮ authenticated encryption modes
      30 / 38

  39. Combining confidentiality and authentication
      ◮ encrypt-then-authenticate is generally secure: $c \leftarrow \mathrm{Enc}_{k_1}(m)$, $t \leftarrow \mathrm{Mac}_{k_2}(c)$; transmit $\langle c, t \rangle$
      ◮ authenticated encryption is also a good choice, e.g. offset codebook (OCB), Galois counter mode (GCM): $(c, t) \leftarrow \mathrm{AEAD\text{-}enc}_k(ad, m)$; $m := \mathrm{AEAD\text{-}dec}_k(ad, c, t)$ or verification failure
      31 / 38
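The MAC interface from slide 34, the tag-comparison question from slide 37 and the encrypt-then-authenticate composition on this slide, as an added Python example that is not from the deck. Assumptions: HMAC-SHA256 from the standard library is the MAC; the encryption inside the composition is a one-line SHAKE256 keystream over key and nonce, a stand-in for the AES-CTR$ of slide 32 chosen only to keep the example in the standard library; the early-exit comparison is included to mark the defect that `hmac.compare_digest` removes.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

NONCE_LEN = 16


def mac(k: bytes, m: bytes) -> bytes:
    """Mac_k(m): HMAC-SHA256, a 32-byte tag."""
    return hmac.new(k, m, hashlib.sha256).digest()


def vrfy_naive(k: bytes, m: bytes, t: bytes) -> bool:
    """The defect slide 37 asks about: comparing byte by byte and returning at
    the first mismatch makes the running time depend on how long the matching
    prefix is, which a remote caller can measure. Functionally correct,
    operationally not."""
    expected = mac(k, m)
    if len(expected) != len(t):
        return False
    for a, b in zip(expected, t):
        if a != b:
            return False
    return True


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Vrfy_k(m, t) done correctly: recompute the tag and compare in constant
    time (hmac.compare_digest examines every byte regardless of mismatches)."""
    return hmac.compare_digest(mac(k, m), t)


def etm_encrypt(k1: bytes, k2: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-authenticate with independent keys:
    c <- Enc_k1(m), t <- Mac_k2(c), transmit <c, t>."""
    r = secrets.token_bytes(NONCE_LEN)
    keystream = hashlib.shake_256(k1 + r).digest(len(m))   # stand-in for AES-CTR$
    c = r + bytes(x ^ y for x, y in zip(m, keystream))
    return c, mac(k2, c)


def etm_decrypt(k1: bytes, k2: bytes, c: bytes, t: bytes) -> bytes:
    """Verify the tag over the ciphertext before touching the plaintext; any
    modification of <c, t> ends in a verification failure, never in decryption."""
    if not vrfy(k2, c, t):
        raise ValueError("verification failure")
    r, body = c[:NONCE_LEN], c[NONCE_LEN:]
    keystream = hashlib.shake_256(k1 + r).digest(len(body))
    return bytes(x ^ y for x, y in zip(body, keystream))


def tamper(data: bytes, index: int) -> bytes:
    """Flip one bit of a ciphertext or tag (constructed test input)."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    c, t = etm_encrypt(k1, k2, b"You can trust Trent!")
    print("decrypts to:", etm_decrypt(k1, k2, c, t))
    try:
        etm_decrypt(k1, k2, tamper(c, NONCE_LEN + 1), t)
    except ValueError as e:
        print("tampered ciphertext:", e)
    # A MAC does not stop replay: the same <c, t> verifies again later.
    print("replayed pair still valid:", vrfy(k2, c, t))
```

Two design points carried over from the slides: the MAC key k2 is independent of the encryption key k1, and the receiver checks the tag over the ciphertext first, so it never runs the decryption on data an attacker has modified. Replay protection is out of scope for a MAC and has to come from sequence numbers or nonces in the protocol around it.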

  40. Outline Cryptography Secret-key setting Hash functions Using cryptography 32 / 38

  41. Cryptographic hash functions
      secret-key / public-key / . . .
      ◮ encryption
      ◮ message authentication codes
      hash functions
      33 / 38

  42. Hash functions
      ◮ variable-length input, fixed-length output: $H(\cdot)$
      Provide:
      1. pre-image resistance: given $H(x)$ with a randomly chosen $x$, cannot find $x'$ s.t. $H(x') = H(x)$ (“H is one-way”)
      2. second pre-image resistance: given $x$, cannot find $x' \neq x$ s.t. $H(x') = H(x)$
      3. collision resistance: cannot find $x \neq x'$ s.t. $H(x) = H(x')$
      34 / 38
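The three properties on this slide expressed as search cost, as an added Python example that is not part of the deck. Assumption: SHA-256 truncated to a small number of bits stands in for "a hash function" so that the searches finish in well under a second. What the example adds to the slide is the birthday argument: a collision (property 3) turns up after roughly $2^{n/2}$ evaluations, while a pre-image (property 1) costs about $2^n$, which is why output length matters more for collision resistance than for one-wayness and why a 16-bit toy digest is searchable but a 256-bit one is not.

```python
import hashlib
from typing import Dict, Tuple


def h_trunc(x: bytes, nbits: int) -> int:
    """Constructed toy hash: the top nbits of SHA-256(x). With nbits = 256 it
    is plain SHA-256; small nbits make the searches below feasible."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - nbits)


def find_collision(nbits: int) -> Tuple[bytes, bytes, int]:
    """Property 3: find x != x' with H(x) == H(x'). Hash distinct inputs,
    remember every digest seen, stop at the first repeat (birthday search).
    Returns (x, x', number of evaluations)."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        x = b"msg-%d" % i
        d = h_trunc(x, nbits)
        if d in seen:
            return seen[d], x, i + 1
        seen[d] = x
        i += 1


def find_preimage(target: int, nbits: int) -> Tuple[bytes, int]:
    """Property 1: given only a digest, find some x' with H(x') == target by
    trying inputs one after another. Returns (x', number of evaluations)."""
    i = 0
    while True:
        x = b"pre-%d" % i
        if h_trunc(x, nbits) == target:
            return x, i + 1
        i += 1


def expected_work(nbits: int) -> Tuple[int, int]:
    """(pre-image, collision) evaluations expected against an ideal nbits hash:
    about 2^n for a pre-image, about 2^(n/2) for a collision."""
    return 2 ** nbits, 2 ** (nbits // 2)


if __name__ == "__main__":
    nbits = 16
    x, x2, tries = find_collision(nbits)
    print(f"collision after {tries} evaluations: {x!r} and {x2!r}")
    target = h_trunc(b"the secret x chosen at random", nbits)
    x3, tries3 = find_preimage(target, nbits)
    print(f"pre-image after {tries3} evaluations: {x3!r}")
    print("expected (pre-image, collision):", expected_work(nbits))
```

Because the pre-image search uses a different input family from the unknown x, whatever it finds is also a second pre-image (property 2); the slide's distinction is about what the adversary is given, not about the search itself. For a full 256-bit digest the same two loops would need on the order of 2^128 and 2^256 evaluations, far beyond the polynomial budget of slide 17.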
