Eran Tromer Slide credits: John Mitchell, Stanford
description
Transcript of Eran Tromer Slide credits: John Mitchell, Stanford
![Page 1: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/1.jpg)
1
Introduction to Information Security0368-3065, Spring 2014
Lecture 5: Cryptography overview (1/2)
Eran Tromer
Slide credits:John Mitchell, Stanford
![Page 2: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/2.jpg)
2
History of crypto
• Ceaser cipher
• Electromechanical ciphers(e.g., Enigma)
• Informationtheory
• Complexitytheory
• Moderncryptography
![Page 3: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/3.jpg)
3
Cryptography
Is• A tremendous tool• The basis for many security mechanisms
Is not• The solution to all security problems• Reliable unless implemented properly• Reliable unless used properly• Something you should try to invent yourself
unless you spend a lot of time becoming an expert you subject your design to outside review
![Page 4: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/4.jpg)
4
Scenarios
Storage• Store files privately• Protect files from tampering
Communication• Avoid eavesdropping• Avoid corruption• “Secure channel”
Authentication Many protocols
![Page 5: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/5.jpg)
5
Encryption scheme:• functions to encrypt, decrypt data
Symmetric encryption• Block, stream ciphers
Hash function, MAC• Map any input to short hash; ideally, no
collisions• MAC (keyed hash) used for message integrity
Public-key cryptography• PK encryption: public key does not reveal key-1
• Signatures: sign data, verify signature
Basic cryptographic concepts
![Page 6: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/6.jpg)
6
Symmetric cryptography schemes
![Page 7: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/7.jpg)
7
Symmetric encryption
7
E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)
Kerckhoff’s Principle
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
(Never use a proprietary cipher.)
Alice
Em, n E(k,m,n)=c
Bob
Dc, n D(k,c,n)=m
k k
Keygeneration
![Page 8: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/8.jpg)
8 8
First example: One Time Pad (single use key)
Vernam (1917)
Shannon ‘49: • OTP is “secure” against ciphertext-only attacks
0 1 0 1 1 1 0 0 01Key:
1 1 0 0 0 1 1 0 00Plaintext:
1 0 0 1 1 0 1 0 01Ciphertext:
![Page 9: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/9.jpg)
9 9
Stream ciphers (single use key)
Problem: OTP key is as long the messageSolution: Pseudo random key -- stream ciphers
Example: RC4
key
PRBG
message
ciphertext
c PRBG(k) m
![Page 10: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/10.jpg)
10
Dangers in using stream ciphers
One time key! “Two time pad” is insecure:
C1 m1 PRBG(k)
C2 m2 PRBG(k)
Eavesdropper does:
C1 C2 m1 m2
Enough redundant information in English that:
m1 m2 m1 , m2
![Page 11: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/11.jpg)
11
Symmetric encryption: nonce (IV)
11
E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)
Alice
Em, n E(k,m,n)=c
Bob
Dc, n D(k,c,n)=m
k k
nonce
![Page 12: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/12.jpg)
12
Use Cases
Single use key: (one time key)• Key is only used to encrypt one message
encrypted email: new key generated for every email
• No need for nonce (set to 0)
Multi use key:• Key used to encrypt multiple messages
SSL: same key used to encrypt many packets
• Need either unique nonce or random nonce
Multi use key, but all plaintexts are distinct:• Can eliminate nonce (use 0) using special mode (SIV)
12
![Page 13: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/13.jpg)
13
Block ciphers: crypto work horse
E, D CT Block
n Bits
PT Block
n Bits
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
IV handled as part of PT block
![Page 14: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/14.jpg)
14
Building a block cipher
Input: (m, k)Repeat simple mixing operation several times DES: Repeat 16 times:
(“Feistel” structure)
AES-128: Mixing step repeated 10 times
Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force, …
mL mR
mR mLF(k,mR)
![Page 15: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/15.jpg)
15
Block Ciphers Built by Iteration
R(k,m): round function for DES (n=16), for AES (n=10)
key k
key expansion
k1 k2 k3 kn
R(k
1, )
R(k
2, )
R(k
3, )
R(k
n, )
m c
![Page 16: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/16.jpg)
16 16
Incorrect use of block ciphers
Electronic Code Book (ECB):
Problem: • if m1=m2 then c1=c2
PT:
CT:
m1
m2
c1 c2
![Page 17: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/17.jpg)
17
In pictures
[visual comparison by Bart Preneel]
![Page 18: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/18.jpg)
18
Correct use of block ciphers I: CBC mode
E(k,) E(k,) E(k,)
m[0] m[1] m[2] m[3]IV
E(k,)
c[0] c[1] c[2] c[3]IV
ciphertext
E a secure PRP. Cipher Block Chaining with IV:
Q: how to do decryption?
![Page 19: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/19.jpg)
21 21
In pictures
![Page 20: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/20.jpg)
22 22
Correct use of block ciphers II: CTR mode
Counter mode with a random IV: (parallel encryption)
m[0] m[1] …
E(k,IV) E(k,IV+1) …
m[L]
E(k,IV+L)
c[0] c[1] … c[L]
IV
IV
ciphertext
• Why are these modes secure? not today.
![Page 21: Eran Tromer Slide credits: John Mitchell, Stanford](https://reader034.fdocuments.in/reader034/viewer/2022050908/568145f7550346895db30018/html5/thumbnails/21.jpg)
24
Hash functions and message integrity
(see next talk’s slides)