Systems Security Week8

7/21/2019 Systems Security Week8 http://slidepdf.com/reader/full/systems-security-week8 1/46 Security Engineering CSE 3SE/CSE 5SE Instructor: Sambuddho Chakravarty (Semester: Winter 2015) Week 8: March 17 – March 20

Transcript of Systems Security Week8

Page 1: Systems Security Week8

Security Engineering
CSE 3SE/CSE 5SE
Instructor: Sambuddho Chakravarty
(Semester: Winter 2015)
Week 8: March 17 – March 20

Page 2: Systems Security Week8

Brief History of Cryptography
- Ancient: Romans
  - Caesar Cipher / Substitution Cipher
  - “Shift” characters. E.g.:

PLAINTEXT:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
CIPHERTEXT: XYZABCDEFGHIJKLMNOPQRSTUVW

PLAINTEXT:  THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
CIPHERTEXT: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

Encryption: E_n(x) = (x + n) mod 26
Decryption: D_n(x) = (x - n) mod 26

Page 3: Systems Security Week8

Brief History of Cryptography
- Attacking Caesar Cipher:
  - Simple brute force attacks -- only 26 alphabets in English language
  - Frequency analysis -- E.g. alphabets ‘E’ (or ‘e’) and ‘T’ (or ‘t’) are the most frequent alphabets in English language
  - Encryption of ‘E’ is always the same.

Page 4: Systems Security Week8

Brief History of Cryptography
- Medieval Age:
  - Vigenere Cipher (Polyalphabetic substitution)
  - Inventor: Giovan Battista Bellaso in his 1553 book La cifra del Sig. Giovan Battista Bellaso (misattributed to Vigenere)

PLAINTEXT:  ATTACKATDAWN
KEY:        LEMON

PLAINTEXT:  ATTACKATDAWN
KEY:        LEMONLEMONLE
CIPHERTEXT: LXFOPVEFRNHR

KEY:        LEMONLEMONLE
CIPHERTEXT: LXFOPVEFRNHR
PLAINTEXT:  ATTACKATDAWN

Page 5: Systems Security Week8

Brief History of Cryptography
- Attacks against Vigenere Cipher:
  - Harder to break compared to simple Caesar substitution
  - Each ‘block’ is ‘effectively’ a Caesar substitution
Attack strategy:
  - Assume the key length is known
  - Assume a cipher stream: nifon aicum niswt
  - First character ‘n’, ‘a’ and ‘n’ have been encrypted with same key alphabet
  - Second character is encrypted with the same row and so on…
  - Perform frequency analysis for each of the first characters. The most frequently occurring character is ‘e’, the second most frequently occurring is ‘a’ and so on…
  - Perform similar frequency analysis for the other characters as well

Page 6: Systems Security Week8

Brief History of Cryptography
- Modern Era (20th Century):
  - Electro-mechanical rotor machines to perform multiple substitution cipher

(Enigma Machine, Image Courtesy: National Cryptographical Museum, NSA, Washington DC)

Input: Manual keyboard
Rotor discs: Substitution ciphers
Output: Cipher-stream / telegraphic codes / Lampboards
Plugboard: Additional layer of substitution cipher

Page 7: Systems Security Week8

Brief History of Cryptography
- Inside the Enigma Machine

[Diagram: Enigma machine internals; labels: Input, Output (via Glow lamp)]

Page 8: Systems Security Week8

Some Attack Strategies
• Known-plaintext attack: The adversary knows plaintext/ciphertext pairs
• Chosen-plaintext attack: Adversary chooses plaintexts and observes the corresponding ciphertexts to which they encrypt
• Chosen-ciphertext attack: Adversary chooses ciphertexts and sees the corresponding plaintexts to which they decrypt

Page 9: Systems Security Week8

Vernam Cipher (One Time Pads)
- Vernam Cipher (One Time Pads (OTPs)) (1917):
  - Each bit of the plain text is XORed with each bit of the key stream
  - Security lies in length and pseudo-randomness of the key stream
  - Most basic operation: Message XOR key
  - Best use case: Use each key ONLY once (ONE TIME) (considered cryptographically secure (Shannon – “Perfect Secrecy”))

Pr(E(M1, K1)) = Pr(E(M2, K2)) (for every Ki in (ke

PLAINTEXT: H(7)  E(4)  L(11) L(11) O(14)
KEY:       X(23) M(12) C(2)  K(10) L(11)
+ (mod 26)
CIPHER:    E(4)  Q(16) N(13) V(21) Z(25)

[Diagram: M1 XOR K1 → C1; M2 XOR K2 → C2]

Page 10: Systems Security Week8

Stream Ciphers
- OTP → Stream Ciphers
  - Each key must be used exactly once
  - Multiple usage of same key → statistical cryptanalysis attack
- Reusable keying material
  - Generate new keys without revealing how they are generated
  - The encrypted cipher text should not reveal any information about the key or the plaintext
- Each bit of the message is XORed with the bit of the key.
- Problem with Shannon’s “Perfect Secrecy”: Key len ≥ Message len
- Solution: PRG instead of perfectly random function
- PRG: G: {0,1}^s → {0,1}^n, n >> s
- E: G(k) ⊕ M = C;  D: G(k) ⊕ C = M

Important property of PRG: Unpredictability: Knowing some bits of the key one should not be able to predict the remaining bits

[Diagram: initial seed k is expanded to G(k); G(k) is combined with M to give C]

Page 11: Systems Security Week8

Some Vulnerabilities of Stream Ciphers
- Multiple time usage of OTP is insecure

C1 = M1 ⊕ k
C2 = M2 ⊕ k
C1 ⊕ C2 = M1 ⊕ M2

Easy to recover ASCII messages M1, M2 from M1 ⊕ M2

Page 12: Systems Security Week8

Some Vulnerabilities of Stream Ciphers
- Windows Point-to-Point Tunnelling Protocol (MS-PPTP)

[Diagram: client messages (M1 M2 M3) and server messages (S1 S2 S3) encrypted under the same key]

- Client and server used the same key
- Client and server messages could be XOR-ed to reveal an XOR of the client and server messages
- Other possible attacks – cipher text only attack: The adversary forces the client to generate messages based on specific messages, to build an oracle
Better approach: use different keys

Page 13: Systems Security Week8

Some Vulnerabilities of Stream Ciphers
- Malleability:
  Adversary can modify the ciphertext without knowing anything about the plaintext and cause an equivalent change in the corresponding plaintext
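
The two weaknesses above (key reuse giving C1 ⊕ C2 = M1 ⊕ M2, and malleability) in runnable form. This is an added example, not part of the original slides; the SHA-256 based generator G, the keys and the messages are assumptions constructed for illustration.

```python
import hashlib

def G(k: bytes, n: int) -> bytes:
    """Toy PRG G(k): stretch seed k to n bytes (assumption: SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(k + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt(k: bytes, m: bytes) -> bytes:
    """C = G(k) XOR M. Decryption is the same operation."""
    return xor(G(k, len(m)), m)

decrypt = encrypt

def recover_second(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Same key twice: C1 XOR C2 = M1 XOR M2, so knowing M1 gives M2 without k."""
    return xor(xor(c1, c2), known_m1)

def tamper(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XOR (old XOR new) into the ciphertext to turn old into new in the plaintext."""
    delta = xor(old, new)
    end = offset + len(delta)
    return c[:offset] + xor(c[offset:end], delta) + c[end:]

# Constructed sample messages (same length, differing fields).
M1 = b"PAY ALICE 0100 USD"
M2 = b"PAY BOB   0250 USD"

def demo() -> dict:
    k = b"reused-key"
    c1, c2 = encrypt(k, M1), encrypt(k, M2)
    fresh = encrypt(b"second-key", M2)  # the fix for reuse: a different key per message
    return {
        "xor_leaks": xor(c1, c2) == xor(M1, M2),
        "m2_recovered": recover_second(c1, c2, M1),
        "tampered": decrypt(k, tamper(c1, 10, b"0100", b"9100")),
        "fresh_key_leaks": xor(c1, fresh) == xor(M1, M2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Using a different key per message removes the XOR leak; the tampering is only caught by adding an integrity check such as the MACs covered later in these slides.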

Page 14: Systems Security Week8

Some Popular Examples of Stream Ciphers
• RC4:
  • Date of creation: 1987
  • Key length: 8-bits (seeds) – 2048-bits (generator)
  • Randomization: None, if IV used then key must be mixed
  • Remarks: HTTPS, WEP (broken)
  • Attack: Known-plain text attack
• A5/1, A5/2:
  • Date of creation: 1989
  • Key length: 54-bits (2G)
  • Randomization: 114-bits
  • Remarks: Voice encryption for GSM networks
  • Attack: Known-plain text attack
• Salsa:
  • Date of creation: 2004
  • Key length: 256-bits; cipher stream length: 512-bits
  • Randomization: 64-bit nonce
  • Remarks: Optimized for hardware implementations
  • Attack: Aumasson, Fischer, Khazaei, Meier, and Rechberger, 2008 – probabilistic neutral bits attack.

Page 15: Systems Security Week8

Block Ciphers
Message (M) divided into multiple blocks: M1 M2 M3 M4 … Mn-1 Mn (n-bits each), encrypted to C1 C2 C3 C4 …
Input: n-bits
Output: n-bits
Key: ≥ n-bits

[Diagram: key K gives K1, K2, K3, …, Kn; functions f1(K1, ·), f2(K2, ·), …, fn(Kn, ·) are applied to message blocks m1, m2, …, mn]

Page 16: Systems Security Week8

Brief History of Block Ciphers
• Early 1970s: Horst Feistel proposed Lucifer block cipher
  • Block size: 128-bits, Key: 128-bits
• 1973: NBS (now NIST) asked for block cipher proposals
  • IBM submits Lucifer
• 1976: NBS adopts Lucifer with shorter key length and is called Data Encryption Standards (DES)
  - Block size: 64-bits, key-len: 56-bits
• 1997: DES broken by exhaustive search (brute force search)
• 2000: NIST adopts Rijndael as AES and replaces DES

Page 17: Systems Security Week8

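DES: core idea – Feistel Network
Given functions f1, …, fd: {0,1}^n → {0,1}^n
Goal: build invertible function F: {0,1}^2n → {0,1}^2n
In symbols: Ri = fi(Ri-1)

[Diagram: d-round Feistel network on two n-bit halves: input (L0, R0); rounds f1, f2, …, fd, each followed by ⊕; intermediate values (L1, R1), (L2, R2), …, (Ld-1, Rd-1)]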

Page 18: Systems Security Week8

Decryption circuit
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (ciphers) from arbitrary functions
• Used in many block ciphers … but not AES

[Diagram: inverse Feistel network on two n-bit halves: (Ld, Rd), then (Ld-1, Rd-1), (Ld-2, Rd-2), …, (L1, R1), applying fd, fd-1, …, f1, each followed by ⊕]

Page 19: Systems Security Week8

DES: 16 round Feistel network
f1, …, f16: {0,1}^32 → {0,1}^32, fi(x) = F(ki, x)
(Round key derived from key K)

[Diagram: 64-bit input → IP → 16 round Feistel network → IP^-1 → 64-bit output; key k → key expansion → k1, k2, …, k16]

To invert, use keys in reverse order
56-bit key expanded into 16 48-bit round keys

Page 20: Systems Security Week8

DES challenge
msg = “The unknown messages is: XXXX
CT = c1 c2 c3
Goal: find k ∈ {0,1}^56 s.t. DES(k, mi) = ci for
1997: Internet search -- 3 months
1998: EFF machine (deep crack) -- 3 days (2
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10
⇒ 56-bit ciphers should not be used !! (128-bit ... days)

Page 21: Systems Security Week8

AES: Advanced Encryption Standard: Subs-Perm network (not Feistel)

[Diagram: input ⊕ k1 → S1, S2, S3, …, S8 (subs. layer) → perm. layer → ⊕ k2 → S1, S2, S3, …, S8 → … → ⊕ kn → output; inversion]

Page 22: Systems Security Week8

AES-128 schematic

[Diagram: 4×4 byte input ⊕ k0 → 10 rounds; each round applies (1) ByteSub, (2) ShiftRow, (3) MixColumn and then ⊕ with the round key k1, k2, …, k9; the last round applies (1) ByteSub, (2) ShiftRow and then ⊕ k10 → 4×4 byte output; invertible]

key: 16 bytes
key expansion: 16 bytes → 176 bytes

Page 23: Systems Security Week8

The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:
• MixColumns:

Page 24: Systems Security Week8

Code size/performance tradeoff

| | Code size | Performance |
| Pre-compute round functions (24KB or 4KB) | largest | fastest: table lookups |
| Pre-compute S-box only (256 bytes) | smaller | slower |
| No pre-computation | smallest | slowest |

Page 25: Systems Security Week8

AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
  128-bit registers: xmm1=state, xmm2=round key
  aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer

Page 26: Systems Security Week8

Semantic Security for many-time key
Key used more than once ⇒ adv. sees many CTs with the same key
Adversary's power: chosen-plaintext attack (CPA)
• Can obtain the encryption of arbitrary messages of his choice
  (conservative modeling of real life)
Adversary's goal: Break semantic security

Page 27: Systems Security Week8

Solution 1: randomized encryption
• E(k,m) is a randomized algorithm:
  ⇒ encrypting same msg twice gives different ciphertexts (w.h.p)
  ⇒ ciphertext must be longer than plaintext
Roughly speaking: CT-size = PT-size + “# random bits”

[Diagram: enc maps m0 and m1 to ciphertexts; dec maps them back to m0 and m1]

Page 28: Systems Security Week8

Solution 2: nonce-based Encryption
• nonce n: a value that changes from msg to msg
  (k,n) pair never used more than once
• method 1: nonce is a counter (e.g. packet counter)
  • used when encryptor keeps state from msg to msg
  • if decryptor has same state, need not send nonce with CT
• method 2: encryptor chooses a random nonce,

[Diagram: Alice computes E(k,m,n) = c and sends c, n to Bob; both hold key k; n is the nonce]

Page 29: Systems Security Week8

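Construction 1: CBC with random IV
E_CBC(k,m): choose random IV:

[Diagram: CBC encryption: each of m[0], m[1], m[2], m[3] is ⊕-ed with the previous ciphertext block (IV for the first block) and passed through E(k,·); ciphertext: IV, c[0], c[1], c[2], c[3]]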

Page 30: Systems Security Week8

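Decryption circuit

[Diagram: CBC decryption: each of c[0], c[1], c[2], c[3] is passed through D(k,·) and ⊕-ed with the previous ciphertext block (IV for the first block) to give m[0], m[1], m[2], m[3]]

In symbols: c[0] = E(k, IV⊕m[0]) ⇒ m[0] =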

Page 31: Systems Security Week8

Nonce-based CBC
• Cipher block chaining with unique nonce: key = (k, k1)
  unique nonce means: (key, n) pair is used for only one message

[Diagram: nonce → E(k1,·) → IV; then CBC with E(k,·) over m[0], m[1], m[2]; ciphertext: nonce, c[0], c[1], c[2]; the nonce is included only if unknown to decryptor]

Page 32: Systems Security Week8

Construction 2: rand ctr-mode
E(k,m): choose a random IV ∈ {0,1}^n and do:

msg:             m[0]      m[1]       …  m[L]
⊕                F(k,IV)   F(k,IV+1)  …  F(k,IV+L)
ciphertext:  IV  c[0]      c[1]       …  c[L]

note: parallelizable (unlike CBC)

Page 33: Systems Security Week8

Construction 2’: nonce ctr-mode

msg:             m[0]      m[1]       …  m[L]
⊕                F(k,IV)   F(k,IV+1)  …  F(k,IV+L)
ciphertext:  IV  c[0]      c[1]       …  c[L]

To ensure F(k,x) is never used more than once, choose IV as:
[Diagram: IV (128 bits) = nonce (64 bits) followed by counter (64 bits)]

Page 34: Systems Security Week8

Message Integrity
Goal: integrity, no confidentiality
Examples:
• Protecting public binaries on disk
• Protecting banner ads on web pages

Page 35: Systems Security Week8

Message integrity: MACs
Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
• S(k,m) outputs t in T
• V(k,m,t) outputs ‘yes’ or ‘no’

[Diagram: Alice and Bob share key k; Alice sends message m with tag to Bob]
Generate tag: tag ← S(k, m)
Verify tag: V(k, m, tag)

Page 36: Systems Security Week8

Integrity requires a secret key
• Attacker can easily modify message m and re-compute CRC
• CRC designed to detect random, not malicious errors

[Diagram: Alice sends message m with tag to Bob; no shared key]
Generate tag: tag ← CRC(m)
Verify tag: V(m, tag)

Page 37: Systems Security Week8

Example: protecting system files
Suppose at install time the system computes:

[Diagram: files F1, F2, …, Fn, each stored under its filename with a tag: t1 = S(k,F1), t2 = S(k,F2), …, tn = S(k,Fn); k derived from user's password]

Later a virus infects system and modifies system files
User reboots into clean OS and supplies his password
• Then: secure MAC ⇒ all modified files will be detected

Page 38: Systems Security Week8

Attacks Against MACs
• Existential Forgery: The attacker produces a signature of some message m of his choice
• Selective Forgery: The attacker chooses a message m, then gets access to the public key used for verification and produces a signature s of m
• Key recovery: Given the public key for verification, the attacker produces the secret key for signing

Page 39: Systems Security Week8

Encrypted CBC-MAC (ECBC-MAC)

[Diagram: raw CBC: blocks m[0], m[1], m[3], m[4] are chained through F(k,·) with ⊕; the result is then passed through F(k1,·) to produce the tag]

Page 40: Systems Security Week8

NMAC (nested MAC)

[Diagram: cascade over m[0], m[1], m[3], m[4] starting from key k, producing t; the second key k1 is used in the final step]

Page 41: Systems Security Week8

NMAC (nested MAC) without last block padding + enc

[Diagram: cascade over m[0], m[1], m[3], m[4] starting from key k, producing t; the second key k1 is used in the final step]

Slides Courtesy: Dan Boneh

Page 42: Systems Security Week8

Why the last encryption step in ECBC-MAC
Adversary works as follows:
• Choose an arbitrary one-block message m∈X
• Request tag for m. Get t = F(k,m)
• Output t as MAC forgery for the 2-block message m’ = (m, t⊕m)

  rawCBC(k, (m, t⊕m)) = F(k, F(k,m)⊕(t⊕m)) = F(k, t⊕(t⊕m)) = t
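
The argument above as a runnable check: without the last encryption step the tag of m is also a valid tag for (m, t⊕m); with it, the same message is rejected. This is an added example, not part of the original slides; F is stood in for by truncated HMAC-SHA256 (an assumption, the slides use a block cipher or PRF), and the keys and message are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F(k, .) on one block (assumption: truncated HMAC-SHA256)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def raw_cbc(k: bytes, blocks: list) -> bytes:
    """rawCBC(k, m): chain F(k, .) over the blocks, starting from an all-zero state."""
    state = bytes(BLOCK)
    for block in blocks:
        state = F(k, xor(state, block))
    return state

def ecbc_mac(k: bytes, k1: bytes, blocks: list) -> bytes:
    """ECBC-MAC: rawCBC followed by the last encryption step under a second key k1."""
    return F(k1, raw_cbc(k, blocks))

def extend(m: bytes, t: bytes) -> list:
    """The 2-block message (m, t XOR m) from the slide, built from one (message, tag) pair."""
    return [m, xor(t, m)]

def forgery_accepted(tag_fn, m: bytes) -> bool:
    """True if the tag issued for m also verifies for (m, t XOR m) under tag_fn."""
    t = tag_fn([m])
    return hmac.compare_digest(tag_fn(extend(m, t)), t)

# Constructed keys and a constructed one-block message (exactly 16 bytes).
K, K1 = b"k" * 16, b"1" * 16
M = b"one-block-msg!!!"

def demo() -> dict:
    return {
        "rawCBC": forgery_accepted(lambda blocks: raw_cbc(K, blocks), M),
        "ECBC": forgery_accepted(lambda blocks: ecbc_mac(K, K1, blocks), M),
    }

if __name__ == "__main__":
    print(demo())
```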

Page 43: Systems Security Week8

The security bounds are tight: an attack
After signing |X|^(1/2) messages with ECBC-MAC or |K|^(1/2) messages with NMAC the MACs become insecure

The Merkle-Damgard Iterated Construction

Page 44: Systems Security Week8

[Diagram: starting from IV (fixed) = H0, the function h is applied to m[0], m[1], m[2] and m[3] || PB in turn, giving chaining values H1, H2, H3, …]

PB: padding block: 1000…0 || msg len (64 bits)
If no space, add another block

Slides Courtesy: Dan Boneh

Page 45: Systems Security Week8

Standardized method: HMAC (Hash-MAC)
Most widely used MAC on the Internet
Used for calculating a message authentication code (MAC) involving a cryptographic hash function that may use a cryptographic key
H: hash function
example: SHA-256; output is 256 bits

Building a MAC out of a hash function:
HMAC: S( k, m ) = H( k⊕opad , H( k⊕ipad || m ) )
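
The HMAC formula written out with SHA-256, applied to the system-files scenario from the earlier slides ("Integrity requires a secret key" and "Example: protecting system files") to show a recomputed CRC passing while the keyed tag fails. This is an added example, not part of the original slides; the file names, contents and key are constructed, and the outer hash input is the concatenation of k⊕opad and the inner hash.

```python
import hashlib
import hmac
import zlib

BLOCK = 64  # SHA-256 processes 64-byte blocks

def hmac_sha256(k: bytes, m: bytes) -> bytes:
    """S(k, m) = H(k XOR opad || H(k XOR ipad || m)) with H = SHA-256."""
    if len(k) > BLOCK:                 # long keys are hashed first (RFC 2104)
        k = hashlib.sha256(k).digest()
    k = k.ljust(BLOCK, b"\x00")        # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha256(ipad + m).digest()
    return hashlib.sha256(opad + inner).digest()

def crc_tag(m: bytes) -> bytes:
    """Unkeyed checksum: anyone can recompute it."""
    return zlib.crc32(m).to_bytes(4, "big")

def install(files: dict, k: bytes) -> dict:
    """At install time, store (CRC, MAC) per filename."""
    return {name: (crc_tag(data), hmac_sha256(k, data)) for name, data in files.items()}

def infect(files: dict, tags: dict, name: str, data: bytes):
    """Malware without k rewrites a file and refreshes the CRC; it cannot refresh the MAC."""
    files, tags = dict(files), dict(tags)
    files[name] = data
    tags[name] = (crc_tag(data), tags[name][1])
    return files, tags

def audit(files: dict, tags: dict, k: bytes):
    """Return (files failing the CRC check, files failing the MAC check)."""
    crc_bad = [n for n, d in files.items() if crc_tag(d) != tags[n][0]]
    mac_bad = [n for n, d in files.items()
               if not hmac.compare_digest(hmac_sha256(k, d), tags[n][1])]
    return crc_bad, mac_bad

# Constructed file names, contents and key.
FILES = {"login": b"check_password()", "ls": b"list_directory()"}
KEY = b"derived-from-user-password"

def demo():
    tags = install(FILES, KEY)
    files, tags = infect(FILES, tags, "login", b"accept_anything()")
    return audit(files, tags, KEY)

if __name__ == "__main__":
    print(demo())
```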

HMAC in pictures

Page 46: Systems Security Week8

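Similar to the NMAC PRF
main difference: the two keys k1, k2 are dependent

[Diagram: inner chain: starting from IV (fixed), h absorbs k⊕ipad to give k1, then m[0], m[1], m[2] || PB; outer chain: starting from IV (fixed), h absorbs k⊕opad to give k2, then the inner result, producing the tag]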