security of symmetric encryption in the presence of
play

Security of Symmetric Encryption in the Presence of Ciphertext - PowerPoint PPT Presentation

Nov 15, 2023 •477 likes •924 views

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

  1. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny Paterson, and Martijn Stam EUROCRYPT - 19th April 2012 Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 1/18

  2. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Outline of this Talk Ciphertext Fragmentation and Related Problems 1 Formalizing Fragmentation 2 Security Notions 3 4 Constructions and Comparison Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 2/18

  3. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 3/18

  4. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 3/18

  5. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 3/18

  6. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 3/18

  7. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext Fragmentation Alice Bob Channel Under normal operation the channel delivers ciphertexts in a fragmented fashion, where: a) The fragmentation pattern is arbitrary. b) But the order of the fragments is preserved. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 3/18

  8. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Why Should We Care? This setting emerges in practice, where encryption schemes have to operate under such conditions. One such instance is that of secure network protocols . However this is NOT captured by the security models currently used in cryptographic theory! Ciphertext fragmentation has given rise to a class of attacks that proved to be fatal in certain cases. This has left a gap between cryptographic theory and practice. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 4/18

  9. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 5/18

  10. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 5/18

  11. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Ciphertext-Fragmentation Attacks SSH: A proof of security (IND-sfCCA) for SSH was given in [BKN 04] . Yet [APW 09] presented plaintext-recovery attacks against SSH. IPsec in MAC-then-encrypt (CBC): [Kra 01] proves that MAC-then-encrypt with CBC encryption is secure (secure channel [CK 01]). [MT 10] show that MAC-then-encode-then-encrypt (injective / CBC) is secure (secure channel [Mau 11]). [DP 10] present ciphertext-fragmentation attacks against such IPsec configurations. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 5/18

  12. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) SSH encrypts messages in the following format: 4 bytes 4 bytes 1 byte > 4 bytes Sequence Packet Padding Payload Padding Number Length Length ENCRYPT MAC Ciphertext MAC tag Message Ciphertext Packet SSH commonly uses CBC mode for encryption. Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 6/18

  13. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  14. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  15. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption c ∗ i Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  16. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  17. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  18. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  19. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i ? L ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

  20. Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison The SSH Attack (Main Idea) Intercepted Ciphertext c ∗ i Submit for Decryption p ∗ i L L ⊥ MAC Boldyreva, Degabriele , Paterson, and Stam | Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation 7/18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap

Defining Encryption Lecture 2 1 Roadmap 2 Roadmap First, Symmetric Key Encryption 2 Roadmap First, Symmetric Key Encryption Defining the problem Well do it elaborately, so that it will be easy to see different levels of security 2

1.67k views • 136 slides
Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

Protection and Security - II Encrypts a block of data at a time (64 bit messages, with 56 bit

CSC 4103 - Operating Systems Symmetric Encryption Spring 2007 Same key used to encrypt and decrypt E ( k ) can be derived from D ( k ), and vice versa Lecture - XXI DES is most commonly used symmetric block-encryption algorithm

496 views • 4 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) SIM-CPA = IND-CPA + almost perfect correctness Restricts to PPT entities Allows negligible advantage

1.1k views • 13 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides
Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far

Symmetric-Key Encryption: constructions Lecture 4 PRG, Stream Cipher Story So Far Story So Far We defined (passive) security of Symmetric Key Encryption (SKE) Story So Far We defined (passive) security of Symmetric Key Encryption (SKE)

1.13k views • 67 slides
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct decryption requirement More

1.19k views • 53 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent

Separating Semantic and Circular Security for Symmetric Key Bit Encryption from LWE Rishab Goyal Venkata Koppula Brent Waters n-Circular Security [C amenisch L ysyanskya 01] PK 1 PK 1 . . . . . . PK n PK n Enc PKn (0) Enc PKn (SK 1 ) Enc PK1

1.07k views • 89 slides
Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key

Network and Communications Security (IN3210/IN4210) Asymmetric Cryptography Key Exchange 3 Recapitulation: Symmetric Encryption One problem: key exchange Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... ....

831 views • 63 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic

Syntax A symmetric encryption scheme SE = ( K , E , D ) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1 / 116 2 / 116 Correct decryption requirement Example:

430 views • 29 slides
1 Confidentiality using Symmetric Encryption have two major placement alternatives link

1 Confidentiality using Symmetric Encryption have two major placement alternatives link

Information System Security Chapter 7 Confidentiality Using Symmetric Encryption Dr. Loai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Dr. Loai Tawalbeh Summer

698 views • 8 slides
The GOLD Community Vision Scott Farrar Transregional Collaborative Research Center,

The GOLD Community Vision Scott Farrar Transregional Collaborative Research Center,

The GOLD Community Vision Scott Farrar Transregional Collaborative Research Center, Universitt Bremen Goals of the Talk Describe a model for the GOLD Community of Practice Discuss the data and knowledge components of the model

405 views • 36 slides
The Dilemma of Early Warning Against Debris Caused by Successful Ballistic Missile Interception

The Dilemma of Early Warning Against Debris Caused by Successful Ballistic Missile Interception

The Dilemma of Early Warning Against Debris Caused by Successful Ballistic Missile Interception Dima Kanevsky CEMA The Center for Military Analyses Rafael, Israel Unclassified General Since the year 2001 Israel has sustained more

573 views • 19 slides
Some Rules for Making a Presentation Here's a 10-minute Powerpoint talk with the essentials.

Some Rules for Making a Presentation Here's a 10-minute Powerpoint talk with the essentials.

Some Rules for Making a Presentation Here's a 10-minute Powerpoint talk with the essentials. Golden rule Human attention is very limited. Don't cram too much information, either in each slide, or in the whole talk. Avoid details: they won't be

239 views • 3 slides
Modern Fast Streaming Data Todd L. Montgomery @toddlmontgomery Why Should We Care? Myths &

Modern Fast Streaming Data Todd L. Montgomery @toddlmontgomery Why Should We Care? Myths &

Modern Fast Streaming Data Todd L. Montgomery @toddlmontgomery Why Should We Care? Myths & Misconceptions You cant escape the Math Technologies & Techniques Why Should We Care? Human Knowledge is now doubling every year* * by

904 views • 88 slides
Study of -jets physics in the ATLAS experiment MERIC Nicolas CERN Student sessions 2009

Study of -jets physics in the ATLAS experiment MERIC Nicolas CERN Student sessions 2009

Study of -jets physics in the ATLAS experiment MERIC Nicolas CERN Student sessions 2009 August 11 th 2009 MERIC Nicolas -jets physics Why this study? Necessary for backgrounds rejection -jets events : half of the background in the H

508 views • 9 slides
FY 20 1 8 Financial Results COMPANY OVERVIEW OUR STORY IS MADE OF HERITAGE UNIQUENESS QUALITY

FY 20 1 8 Financial Results COMPANY OVERVIEW OUR STORY IS MADE OF HERITAGE UNIQUENESS QUALITY

FY 20 1 8 Financial Results COMPANY OVERVIEW OUR STORY IS MADE OF HERITAGE UNIQUENESS QUALITY CONSISTENCY ENERGY OUR STORY: MORE THAN 65 YEARS OF UNIQUE HERITAGE 1 952 20 1 3 20 1 8 The company is founded Moncler supplies products

1.47k views • 38 slides
Protected Interoperable File Format (PIFF) The Athens Project Microsoft Corporation

Protected Interoperable File Format (PIFF) The Athens Project Microsoft Corporation

TM4299 rev1 Protected Interoperable File Format (PIFF) The Athens Project Microsoft Corporation September 23, 2009 J. Simmons, M. Jeffrey Agenda A vision of the future The digital rights management dilemma Protected

432 views • 15 slides
for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 ,

for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 ,

Validation of Geant4 fragmentation for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 , V. Ivanchenko 3,6 , T. Koi 7 , D. Mancusi 8 , L. Pandola 2 , F. Romano 2,9 , A. Rosenfeld 1 and S. Guatelli 1 1

502 views • 25 slides

More recommend