Symmetric Key Encryption, 9/9/2009, 598MAN Applied Cryptography - PowerPoint PPT Presentation



SLIDE 1

Symmetric Key Encryption

9/9/2009 598MAN ‐ Applied Cryptography 1

SLIDE 2

Outline

  • Recall: definitions of encryption
    – Perfect secrecy
    – CPA security
    – CCA security
  • Today
    – Practical constructions

SLIDE 3

Perfect Secrecy

  • One-time pads
  • Practical?
    – Has been used (exchange tapes / CDs / DVDs of random bits)
    – Generally, using a pad only once is a big limitation
  • Often, people get sloppy and reuse pads
    – Further reading: http://www1.cs.columbia.edu/~smb/blog/2009-08/2009-08-28.html

SLIDE 4

Two-time Pads?

    C1 = P1 xor keystream
    C2 = P2 xor keystream
    C1 xor C2 = P1 xor P2

  • What can you learn from the XOR of two plaintexts?
    – One plaintext if you know the other
    – Both plaintexts if you know some statistical properties
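
The three equations above, worked through in Python as an added example (not part of the slides). The two messages are constructed samples; the pad comes from os.urandom and is deliberately used twice. The last function shows the "statistical properties" route: XORing a letter with a space only flips its case, so any byte of P1 xor P2 that is a letter tells you one message has a space there and the other has that letter.

```python
import os
from typing import Dict, List, Tuple

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: C = P xor pad. Perfectly secret only while the pad is used once."""
    return xor_bytes(plaintext, pad[:len(plaintext)])

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same pad under both messages, C1 xor C2 = P1 xor P2: the pad cancels."""
    return xor_bytes(c1, c2)

def recover_other(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """Knowing one plaintext gives the other: P2 = (C1 xor C2) xor P1."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_plaintext)

def space_hints(leak: bytes) -> List[Tuple[int, str]]:
    """Statistical hint without any known plaintext: a letter in P1 xor P2 means one
    side is a space (0x20) and the other is that letter with its case flipped back."""
    return [(i, chr(b ^ 0x20)) for i, b in enumerate(leak)
            if 65 <= b <= 90 or 97 <= b <= 122]

def demo() -> Dict[str, object]:
    # Constructed sample messages, padded to equal length so the XOR lines up.
    p1 = b"attack at dawn  "
    p2 = b"retreat at dusk "
    pad = os.urandom(len(p1))      # a fresh random pad, used once ...
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)      # ... and then, wrongly, a second time
    leak = two_time_pad_leak(c1, c2)
    return {
        "leak_is_p1_xor_p2": leak == xor_bytes(p1, p2),   # True, whatever the pad was
        "p2_from_p1": recover_other(c1, c2, p1),          # b"retreat at dusk "
        "p1_from_p2": recover_other(c1, c2, p2),          # b"attack at dawn  "
        "space_hints": space_hints(leak),
    }
```

The hints come out the same on every run, because nothing about them depends on the pad: they are a property of the two plaintexts alone, which is exactly why pad reuse is fatal.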

SLIDE 5

Stream Ciphers aka PRNGs

  • Construction presented last class:
    – OWP => Hard-core bits => PRG => PRNG
  • Speed evaluation
    – One-way permutation: Rabin function over QRs
    – 512-bit modulus: ~10K /s
      • 512-bit # factored on a single computer in 73 days!
    – 1024-bit modulus: ~3K /s
      • 3Kbps or ~400 bytes / second
      • Can we do better?

SLIDE 6

RC4

  • Custom-designed stream generator
    – Developed by Ron Rivest @ RSA Labs
    – Aka ARCFOUR ("Alleged RC4")
  • Efficient to implement in software
  • Key size: up to 2048 bits
  • Speed:
    – 253355.04 KB/s
    – ~600 000 times faster!

SLIDE 7

RC4 design

  • Table S
    – 256 8-bit values
  • Initialization

        # fill S with the identity permutation
        for i in range(0, 256):
            S[i] = i
        # key scheduling: permute S under the key (indices are taken mod 256)
        j = 0
        for i in range(0, 256):
            j = (j + S[i] + key[i % keylen]) % 256
            swap(S[i], S[j])

SLIDE 8

RC4 keystream generation

        i = 0
        j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            swap(S[i], S[j])
            # one keystream byte per iteration
            output(S[(S[i] + S[j]) % 256])

SLIDE 9

RC4 security

  • Heuristic security
    – People try to break it, see if it survives
    – Note: same as Rabin's OWP security!
  • Weaknesses:
    – Digram statistics [Paul, Preneel '04]
    – Key leakage [Fluhrer, Mantin, Shamir '01]
      • Used to break WEP
    – Many others

SLIDE 10

RC4 use

  • Widely popular
    – SSL/TLS
    – SSH
    – WEP / WPA
    – BitTorrent
    – PDF
    – …
  • Can be made secure (heuristically)
    – Drop first n bytes (n = 512 or 3072)
    – Use completely random keys

SLIDE 11

RC4 for CPA security

  • Is RC4 encryption CPA-secure?
  • No!
    – Same plaintext encrypts to same ciphertext
    – Similar to one-time pad
  • How to fix?
    – Different key for every use

SLIDE 12

Initialization Vectors

[Figure: Key 1 → RC4 → Keystream 1; Plaintext 1 xor Keystream 1 = Ciphertext 1. Key 2 → RC4 → Keystream 2; Plaintext 2 xor Keystream 2 = Ciphertext 2. Key 1 and Key 2 are labelled with IVs 1 and 2.]

  • Can be public
  • Do not have to be random
  • Must never be reused

How do you ensure this?
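
Slides 7 through 12 together, as an added Python example that is not from the slides: the two RC4 routines exactly as on slides 7 and 8 (checked against a published RC4 test vector), the drop-n option from slide 10, the fixed-key repetition from slide 11, and one answer to "how do you ensure this?": a message counter as the IV. The per-message key derivation is an assumption of this example (SHA-256 over master key and IV), chosen deliberately instead of the IV || key concatenation that WEP used and that the key-leakage result on slide 9 exploits; the master key and messages are constructed samples.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple

def rc4_ksa(key: bytes) -> List[int]:
    """Key scheduling (slide 7): start from the identity table and permute it under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """Keystream generation (slide 8). `drop` discards the first bytes, as slide 10 suggests."""
    S = rc4_ksa(key)
    i = j = produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        produced += 1
        if produced > drop:
            yield S[(S[i] + S[j]) % 256]

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)

def per_message_key(master: bytes, iv: bytes) -> bytes:
    """A different RC4 key for every use (slide 11). Assumption of this example, not
    from the slides: the per-message key is SHA-256(master || IV)."""
    return hashlib.sha256(master + iv).digest()

def encrypt_with_iv(master: bytes, counter: int, plaintext: bytes) -> Tuple[bytes, bytes]:
    """The IV is a public message counter: it need not be random, it must never repeat,
    and it travels with the ciphertext so the receiver can rebuild the same key."""
    iv = counter.to_bytes(8, "big")
    return iv, rc4_crypt(per_message_key(master, iv), plaintext, drop=3072)

def decrypt_with_iv(master: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return rc4_crypt(per_message_key(master, iv), ciphertext, drop=3072)

def demo() -> Dict[str, object]:
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3.
    test_vector = rc4_crypt(b"Key", b"Plaintext").hex()
    master = b"constructed-master-key"      # constructed sample key
    p = b"the same message, sent twice"     # constructed sample message
    # Fixed key (slide 11): equal plaintexts give equal ciphertexts.
    fixed_key_repeats = rc4_crypt(master, p) == rc4_crypt(master, p)
    # Counter IV (slide 12): the two ciphertexts differ, and each still decrypts.
    iv1, c1 = encrypt_with_iv(master, 1, p)
    iv2, c2 = encrypt_with_iv(master, 2, p)
    return {
        "test_vector": test_vector,
        "fixed_key_repeats": fixed_key_repeats,
        "iv_ciphertexts_differ": c1 != c2,
        "roundtrip": decrypt_with_iv(master, iv1, c1) == p
                     and decrypt_with_iv(master, iv2, c2) == p,
    }
```

The counter has to be stored persistently by the sender; a counter that restarts at 1 after a reboot is the easiest way to violate "must never be reused", and the receiver can only detect that if it remembers the highest counter it has seen.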

SLIDE 13

Block Ciphers

  • A little like a PRF
    – In practice, an invertible pseudo-random permutation

[Figure: Encrypt(Key, Plaintext) → Ciphertext; Decrypt(Key, Ciphertext) → Plaintext]

SLIDE 14

Examples

  • Permutation cipher
    – Block size = 1 character (~5 bits)
    – Key size = 5 * 26 = 130 bits (actually ~88 bits)
    – Too easy to break
  • DES
    – Designed at IBM
    – Lucifer: 128-bit key, 128-bit block
    – NSA revision: 56-bit key, 64-bit block, improved S-boxes

SLIDE 15

Block Size

  • How important is block size?
    – Permutation: same plaintext => same ciphertext
  • How many encryptions before you see two identical plaintext blocks? (random plaintext, 64-bit blocks)
    – 2^32 blocks (n^(1/2), birthday paradox)
  • How many before you see all blocks?
    – ~2^68 blocks (n log n, coupon collector)
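
Not from the slides: a small simulation, added here, that measures both quantities for a toy block size of 12 bits instead of 64, so the sqrt(n) and n log n rules of thumb on this slide can be compared with observed averages. The only assumption is that uniformly random block values model "random plaintext"; the seed makes the run repeatable.

```python
import math
import random
from typing import Dict

def draws_until_first_collision(bits: int, rng: random.Random) -> int:
    """Draw random `bits`-bit blocks until one repeats; return how many were drawn."""
    seen = set()
    n = 0
    while True:
        n += 1
        b = rng.getrandbits(bits)
        if b in seen:
            return n            # birthday bound: on the order of sqrt(2^bits)
        seen.add(b)

def draws_until_all_seen(bits: int, rng: random.Random) -> int:
    """Draw random blocks until every possible value has appeared; return how many."""
    space = 1 << bits
    seen = set()
    n = 0
    while len(seen) < space:
        n += 1
        seen.add(rng.getrandbits(bits))
    return n                    # coupon collector: on the order of n log n

def experiment(bits: int = 12, trials: int = 20, seed: int = 1) -> Dict[str, float]:
    """Average both counts over `trials` runs and put the slide's estimates beside them."""
    rng = random.Random(seed)
    n = 1 << bits
    avg_collision = sum(draws_until_first_collision(bits, rng) for _ in range(trials)) / trials
    avg_all_seen = sum(draws_until_all_seen(bits, rng) for _ in range(trials)) / trials
    return {
        "n": n,
        "avg_first_collision": avg_collision, "sqrt_n": math.sqrt(n),
        "avg_all_seen": avg_all_seen,         "n_ln_n": n * math.log(n),
    }
```

For 12-bit blocks (n = 4096) the first repeat arrives after roughly 80 draws against sqrt(n) = 64, and covering every block takes a few tens of thousands of draws against n ln n ≈ 34 000; the constants differ, the growth rates are the slide's. Scaling the first figure to 64-bit blocks is what makes the 2^32-block ECB collision a practical concern rather than a theoretical one.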

SLIDE 16

Key size

  • How big a key size should you use?
    – Want to prevent brute-force search
    – Note: cipher is "secure" if brute-force search is the fastest approach to break it
  • Many people believed DES key size too small from inception
    – 1999: EFF builds DES cracker, 1.5 days, $250K
    – 2008: COPACOBANA, $10K, < 1 week

SLIDE 17

Key size selection

  • How much money does your adversary have?
    – 64-bit feasible for $10K
    – ~87-bit feasible for $10B!
  • How much time do you want the thing to stay secret?
    – Moore's law (corollary): computational unit becomes twice as cheap every ~2 years
    – 128-bit feasible in 128 years (for $10K)
    – Note: key search trivially parallelizable
  • Further reading
    – www.keysize.com

SLIDE 18

After DES

  • 3DES: Encrypt-Decrypt-Encrypt
    – C = E_k1(D_k2(E_k3(P)))
  • Why not 2DES?
    – C = E_k1(E_k2(P))
    – Meet-in-the-middle attack

[Figure: compute E_k(P) for every k = 0 … 2^56−1 and D_k(C) for every k = 0 … 2^56−1, sort both lists, find matches]

SLIDE 19

AES

  • Contest held by NIST to design new block cipher
  • Winner: Rijndael (aka AES)
  • 128-bit block
  • 128-, 192-, or 256-bit key size

SLIDE 20

Encryption with AES

  • Split file into blocks, encrypt each with AES
  • Is XOR attack still possible?
  • Is this CPA-secure?

SLIDE 21

Use IVs

[Figure: Plaintext1 xor IV1 → Encrypt(Key) → Ciphertext1, IV1 sent with it; Plaintext2 xor IV2 → Encrypt(Key) → Ciphertext2, IV2 sent with it]

Ciphertext size expanded by a factor of 2!

SLIDE 22

CBC-mode

[Figure: Plaintext1 xor IV1 → Encrypt(Key) → Ciphertext1; Plaintext2 xor Ciphertext1 → Encrypt(Key) → Ciphertext2]

Re-use previous ciphertext as IV for next block
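
Slides 20 to 22 side by side, as an added Python example that is not from the slides: block-at-a-time encryption (ECB), the IV-per-block variant with its 2x expansion, and CBC. Because the Python standard library has no AES, the block cipher here is an assumption of the example: a four-round Feistel network built from HMAC-SHA256, which is an invertible keyed permutation and so behaves the way the modes need, but is a teaching stand-in and nothing more. Messages are constructed whole-block samples; there is no padding.

```python
import hashlib
import hmac
import os
from typing import Dict, List

BLOCK = 16   # 128-bit blocks, as in AES

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of (round number, right half), cut to 8 bytes."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Assumption: a 4-round Feistel network stands in for AES. Invertible, keyed,
    one block in and one block out; not a cipher for real use."""
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, xor_bytes(L, _round_fn(key, r, R))
    return R + L

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = R, xor_bytes(L, _round_fn(key, r, R))
    return R + L

def blocks(data: bytes) -> List[bytes]:
    assert len(data) % BLOCK == 0, "no padding in this example: whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Slide 20: each block encrypted independently, so equal blocks stay equal."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(plaintext))

def per_block_iv_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Slide 21: a fresh random IV per block, sent alongside, so output is twice the input."""
    out = []
    for b in blocks(plaintext):
        iv = os.urandom(BLOCK)
        out += [iv, toy_encrypt_block(key, xor_bytes(b, iv))]
    return b"".join(out)

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Slide 22: the previous ciphertext block serves as the IV for the next block."""
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = toy_encrypt_block(key, xor_bytes(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    chain = blocks(data)                     # IV followed by the ciphertext blocks
    return b"".join(xor_bytes(toy_decrypt_block(key, c), prev)
                    for prev, c in zip(chain, chain[1:]))

def repeated_blocks(ciphertext: bytes) -> int:
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))

def demo() -> Dict[str, object]:
    key = b"constructed-key"
    # Constructed plaintext: four blocks, the first three identical.
    p = b"0123456789abcdef" * 3 + b"fedcba9876543210"
    ecb = ecb_encrypt(key, p)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), p)
    return {
        "ecb_repeats": repeated_blocks(ecb),           # 2: the repeat is visible
        "cbc_repeats": repeated_blocks(cbc[BLOCK:]),   # 0: chaining hides it
        "cbc_roundtrip": cbc_decrypt(key, cbc) == p,
        "cbc_overhead": len(cbc) - len(p),             # one IV block, not one per block
        "per_block_iv_size": len(per_block_iv_encrypt(key, p)),   # 2 * len(p)
    }
```

CBC keeps the per-message random IV (it must still be unpredictable to an attacker who can choose plaintexts) but amortises it over the whole message, which is the point of slide 22 against slide 21.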

SLIDE 23

Other Modes

  • OFB, CFB, Counter

SLIDE 24

CCA Security

  • Is CBC CCA-secure?

SLIDE 25

PCBC

  • Propagating CBC mode

SLIDE 26

Message Authentication Codes

  • IDEA: make it impossible for attacker to generate a valid message
  • I.e., authenticate message

[Figure: Encrypt(Key, Plaintext) → Ciphertext; MAC → Checksum]

SLIDE 27

MACs

  • How long should a MAC be?
  • CBC-MAC:
    – CBC-encrypt plaintext with 0 IV
    – Use last encrypted block as MAC
  • Only secure for fixed-length messages (why?)
    – Can be extended for longer messages
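
The CBC-MAC of this slide and the answer to its "(why?)", as an added Python example that is not from the slides. CBC-MAC only ever runs the block cipher forward, so the example models E_key with a keyed SHA-256 truncated to one block; that is an assumption of the example, not a real block cipher, but the chaining is exactly the slide's. The second function is one of the standard extensions to variable-length messages (prepend the length as the first block); the messages and key are constructed samples.

```python
import hashlib
from typing import Dict

BLOCK = 16

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_key(block). Assumption: keyed SHA-256 cut to one block; CBC-MAC
    never needs decryption, so a pseudo-random function plays the cipher's role here."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Slide 27: CBC-encrypt with a zero IV, output only the last block."""
    assert len(msg) % BLOCK == 0, "whole blocks only in this example"
    x = bytes(BLOCK)                       # 0 IV
    for i in range(0, len(msg), BLOCK):
        x = prf_block(key, xor_bytes(x, msg[i:i + BLOCK]))
    return x                               # the tag is one block long

def cbc_mac_with_length(key: bytes, msg: bytes) -> bytes:
    """One extension to variable-length messages: the first block is the message
    length, so messages of different lengths never share a chain."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)

def demo() -> Dict[str, object]:
    key = b"constructed-key"
    m1 = b"A" * BLOCK
    m2 = b"B" * BLOCK
    t1 = cbc_mac(key, m1)
    # Why fixed length only: tag of m1 is t1, and the chain for the two-block message
    # m1 || (m2 xor t1) feeds t1 xor (m2 xor t1) = m2 into its second block, so that
    # longer message ends up with exactly the tag of the one-block message m2. A
    # verifier that accepts any length therefore accepts a message it never saw.
    longer = m1 + xor_bytes(m2, t1)
    return {
        "tag_len_bytes": len(t1),
        "tags_collide_across_lengths": cbc_mac(key, longer) == cbc_mac(key, m2),
        "length_prefix_separates_them":
            cbc_mac_with_length(key, longer) != cbc_mac_with_length(key, m2),
    }
```

Restricting every verifier to a single agreed message length is the other valid answer; what is not valid is computing plain CBC-MAC over messages of several lengths under one key. This is also why the summary slide names CBC-MAC together with HMAC: HMAC has no such length restriction.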

SLIDE 28

Summary

  • Practical constructions for:
    – Perfect secrecy: one-time pad
    – CPA security: stream ciphers, block ciphers
    – CCA security: CPA + MAC
  • Take-away:
    – Use AES-CTR + CBC-MAC (or HMAC)
    – If not, better have a good reason!