Network security

Lecture #3

ENPM 693

Fall 2014

University of Maryland, College Park

Today's Lecture

Where we've been?
- Symmetric-key vs. asymmetric-key cryptography
- Adversary models
- Hash functions
- Definition of security of crypto alg.

This lecture:
- PRNGs
- Attack models on crypto
- One-time pad
- Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
- Block cipher as a symmetric cryptography: DES, AES, 3DES
- Modes of operation - ECB, CBC, CFB, OFB, CTR
- Stream cipher: RC4

What's next?
- Message integrity: MAC
- Asymmetric cryptography: DH, RSA

PRNGs

- A pseudo-random number generator (PRNG) is a deterministic function that takes as input a seed and outputs a string
- To be useful, the output must be longer than the seed
- The output must look random (i.e., be pseudo-random) to any efficient distinguishing algorithm
- Even when the algorithm knows G! (Kerckhoffs's rule)

Notes
- The required notion of pseudo-randomness is very strong: the output must be indistinguishable from random for all efficient algorithms
- General-purpose PRNGs (rand( ), java.random) are not sufficient for crypto
- True randomness is very difficult to obtain
- In practice: randomness comes from physical processes and/or user behavior

PRGs: a picture

(Figure: World 0 - y is chosen uniformly at random. World 1 - x in {0,1}^n is chosen uniformly at random and y = G(x). A poly-time adversary receives y and must guess which world it is in (??), but cannot tell them apart.)
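The two-world game in the picture, as an added example that is not part of the original slides: a constructed toy PRG whose output has visible structure, a SHA-256-based stretch standing in for a cryptographic PRG (assumed to behave like a PRF), and a distinguisher whose advantage is estimated by sampling both worlds.

```python
import hashlib
import os

def weak_prg(seed: bytes) -> bytes:
    """Constructed toy PRG: stretches the seed by appending its bitwise complement.
    The output is twice as long as the seed, but it is obviously structured."""
    return seed + bytes(b ^ 0xFF for b in seed)

def sha_prg(seed: bytes) -> bytes:
    """Toy stretch to 2*len(seed) bytes using SHA-256 in counter mode.
    Assumption: SHA-256 acts as a PRF, so this stands in for a real PRG G."""
    out, counter = b"", 0
    while len(out) < 2 * len(seed):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[: 2 * len(seed)]

def structure_distinguisher(y: bytes) -> int:
    """Outputs 1 ("World 1, pseudo-random") iff the second half of y is the
    complement of the first half. Always right against weak_prg; right only by
    chance (probability 2^-128 for 32-byte y) against a uniformly random y."""
    half = len(y) // 2
    return 1 if all(a ^ b == 0xFF for a, b in zip(y[:half], y[half:])) else 0

def advantage(prg, distinguisher, seed_len: int = 16, trials: int = 200) -> float:
    """Estimates |Pr[D(G(x)) = 1] - Pr[D(y) = 1]| with fresh x (World 1) and fresh
    uniform y of the same length as G(x) (World 0) in every trial."""
    world1 = sum(distinguisher(prg(os.urandom(seed_len))) for _ in range(trials))
    world0 = sum(distinguisher(os.urandom(2 * seed_len)) for _ in range(trials))
    return abs(world1 - world0) / trials
```

A PRG is secure only if every efficient distinguisher has negligible advantage; this one distinguisher already rules out weak_prg while telling nothing about sha_prg.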

Attack taxonomy

- So far, we have been considering only passive eavesdropping of a single ciphertext, a.k.a. ciphertext-only attack (COA)
- Known-Plaintext Attacks (KPA)
- Chosen-Plaintext Attacks (CPA-security)
  - Implies security for multiple messages encrypted using the same key
- Chosen-Ciphertext Attacks (CCA; by default, encompasses CPA)

Notes
- What is the right threat model?
  - Passive/active adversary?
  - Ciphertext-only (COA), Known-Plaintext (KPA), Chosen-Plaintext (CPA), Chosen-Ciphertext (CCA)
- The classical encryption schemes we have seen are immediately broken by a known-plaintext attack (KPA)

Definitions?

(Figure: the adversary observes c = Enc_k(m); c is the encryption of either m0 or m1, but which one? Shown for the known/chosen-plaintext attack (KPA/CPA) and the chosen-ciphertext attack (CCA). Motivating examples: voting example (voters), Midway example.)

Chosen-plaintext security

- Is security against chosen-plaintext attacks (CPA) even possible??
- Deterministic encryption schemes cannot be secure against chosen-plaintext attacks (CPA)
  - Nor can they be secure for encrypting multiple messages
- Encryption must be randomized
- Moral: always use randomized encryption!

Minimum requirements

- The minimum level of security nowadays is security against chosen-plaintext attacks (CPA)
  - Implies security when multiple messages are encrypted
- Security against chosen-ciphertext attacks (CCA) is often necessary
- Make sure you are aware of this when deploying encryption!

Ciphers

Symmetric-key crypto
- One-time pad (OTP) with keys as long as the plaintext
  - Requires pre-sharing huge random keys, but guarantees theoretical security (perfect secrecy)
- DES, 3DES, AES
- RC4, A5/1

Asymmetric-key crypto
- DH, RSA

Advantages of OTP

- Easy to compute
  - Encryption and decryption are the same operation
  - Bitwise XOR is very cheap to compute
- Given a ciphertext, all plaintexts are equally likely, regardless of the attacker's computational resources
  - if and only if the key sequence is truly random
  - True randomness is expensive to obtain in large quantities

Disadvantages of OTP

- But how do the sender and receiver communicate the key to each other? Where do they store the key?
- Key must be as long as the plaintext
  - Impractical in most realistic scenarios
  - Still used for diplomatic and intelligence traffic
- One-time pad only guarantees confidentiality
  - Attacker cannot recover the plaintext, but can easily change it to something else
  - No integrity
- Dangers if the key is reused
  - Attacker can obtain the XOR of the plaintexts
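The three properties above in code, as an added example that is not part of the original slides: XOR is its own inverse, a ciphertext can be altered without the key so that the plaintext changes predictably (no integrity), and encrypting two messages under one pad leaks their XOR. Keys and messages in the test are constructed sample values.

```python
import os

def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """One-time pad: ciphertext = key XOR plaintext, one pad byte per message byte.
    The pad must be truly random, at least as long as the message, and used once."""
    if len(key) < len(msg):
        raise ValueError("pad must be at least as long as the message")
    return bytes(k ^ m for k, m in zip(key, msg))

# Decryption is the very same XOR.
otp_decrypt = otp_encrypt

def fresh_pad(length: int) -> bytes:
    """A pad from the OS entropy source (os.urandom), the practical stand-in for
    true randomness; never derive a pad from a seed or reuse it."""
    return os.urandom(length)

def flip_plaintext_bits(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    """Malleability: XORing delta into the ciphertext XORs the same delta into the
    decrypted plaintext at the same offset, with no knowledge of the key.
    Defender takeaway: confidentiality alone is not integrity; add a MAC."""
    out = bytearray(ciphertext)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 == m1 XOR m2: the key cancels
    out and the relationship between the plaintexts is exposed. Positions where
    the two messages agree show up as zero bytes."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```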

Cryptosystem

- Binary alphabets: key K = {0,1}, plaintext P = {0,1}, ciphertext C = {0,1}
- E: P x K -> C, encryption; the ciphertext should look random
- D: C x K -> P, decryption; the plaintext is what is to be protected
- D(E(m, k), k) = m: correctness
- It is infeasible to find the key: key secrecy

Block cipher

- Operates on a single chunk (block: a fixed-length set of bits) of plaintext
- The same key is reused for each block (can use short keys)
- The result should look like a random permutation
- Not impossible to break, just very expensive
  - If there is no more efficient algorithm (unproven assumption!), the cipher can only be broken by brute-force, try-every-possible-key search
  - Time and cost of breaking the cipher exceed the value and/or useful lifetime of the protected information
- DES (56-bit keys, 64-bit block size)
- AES (128/192/256-bit keys, 128-bit block size)

Standardized Ciphers

- Until the 1970s, most strong ciphers were government secrets
- NBS (now called NIST) issued a public call for a cipher; IBM eventually responded
- The eventual result was DES
  - 64-bit blocks; 64-bit keys (56-bit key + 8 bits for parity)
  - Outdated, but still in use (especially as 3DES)
  - 3DES: DES + inverse DES + DES (with 2 or 3 different keys)

Block Ciphers I

- Block ciphers operate on a fixed-length set of bits (blocks)
- Block ciphers vs. stream ciphers
- Well-known examples:
  - DES (56-bit keys; 64-bit block size)
  - AES (128-, 192-, 256-bit keys; 128-bit block size)
- Basic structure:
  - Optional key scheduling: convert the supplied key to internal form
  - Multiple rounds of combining plaintext with key
  - DES with 16 rounds, AES with 10-14 rounds depending on key length

Block Ciphers II

- Shared-key, invertible permutation F
  - F is a deterministic function
  - Indistinguishable from a random permutation
- A block cipher is not an encryption scheme
  - A block cipher can be used to build an encryption scheme (and other things as well)
  - C = F_K(m): this is not randomized
  - E(m, k) = <r, F_k(r) ⊕ m>, for random r: randomized!


DES

- Developed in the 1970s by IBM / NSA / NBS
  - Non-public design process
- A 64-bit key is derived from 56 random bits
  - One bit in each octet is a parity-check bit
- The short block length is also a concern
- On each round (iteration):
  - 16 iterations total per each operation
  - Divide the input block in half. The right half of each round becomes the left half of the next round's input
  - Take the right half, pass it through a non-linear function of data and key, and exclusive-OR the result with the current input's left half
  - The output of that function becomes the right half of the next round's input
- This is known as a Feistel network

DES round function

- E expansion phase
  - 32 bit -> 48 bit w/ an expansion permutation, duplicating half of the bits: 8 pieces of 6 bits
  - each 6-bit piece: 4 input bits plus 2 copied bits (one at each end)
- XOR key mixing
  - the key schedule provides 16 subkeys of 48 bits from the main key
- S-box substitution phase
  - the 48 bits are divided into 8 pieces of 6 bits and fed to the S-boxes
  - replacing 6 bits w/ 4 bits using a non-linear transformation by a lookup table
- P-box permutation phase
  - rearranging the 32 bits w/ a fixed permutation
  - spreading each S-box's output bits across 4 different S-boxes, a necessary condition for a secure yet practical cipher

Key scheduler:
- Left rotation by 1 or 2 bits
- Permuted Choice (PC) boxes
  - PC-1: 64 bit -> 56 bit = 28 bit x 2
  - PC-2: 28 bit -> 24 bit x 2 = 48 bit
- In decryption, the subkeys are used in reverse order

Decryption

- Run the rounds backwards
- In the example, L_{i+1} is passed unchanged to the previous round (as R_i)
- Accordingly, it can be fed into f_i, the i-th Feistel function, to be XORed with R_{i+1} to produce L_i

DES weaknesses

- Key length is too short
  - A machine to crack DES was built in 1998 for $250K, breaking DES in days
  - Computation can be distributed to make it faster
  - Does not mean DES is insecure; depends on the desired security
- Non-public design process: back-door suspicions
  - It has been claimed that (theoretical) attacks were known to the DES designers 15 years before their public discovery!

3DES/triple-DES

- Expands the key length
- Stronger than simply applying DES twice
  - Protected against the MITM (meet-in-the-middle) attack
  - If the three keys are independent, this is the strongest scheme
- The new block cipher is just:
  E_{K1,K2}(m) = DES_K1(DES^-1_K2(DES_K1(m)))
- Fairly slow but widely used in practice
  - Backward compatibility
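The Feistel structure, its reverse-order decryption, and the EDE triple construction, as an added example that is not DES itself and not from the original slides: the round function f and the key schedule are assumed stand-ins built from HMAC-SHA256 (DES uses E expansion, S-boxes, a P-box and PC boxes instead); the Feistel wiring and the EDE wiring are the real ones, and with K1 == K2 EDE collapses to single encryption, which is the backward compatibility the slide mentions.

```python
import hashlib
import hmac

BLOCK = 16        # 128-bit block, two 64-bit halves (DES itself uses 64-bit blocks)
HALF = BLOCK // 2
ROUNDS = 16       # as in DES

def round_function(subkey: bytes, right: bytes) -> bytes:
    """Assumed stand-in for DES's f(K_i, R_i): HMAC-SHA256 truncated to half a block.
    The Feistel network never needs f to be invertible, only deterministic."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:HALF]

def key_schedule(key: bytes) -> list:
    """Assumed stand-in for the DES key scheduler: ROUNDS subkeys derived from the key."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(ROUNDS)]

def feistel(block: bytes, subkeys: list) -> bytes:
    """One pass through the network: L_{i+1} = R_i, R_{i+1} = L_i XOR f(K_i, R_i),
    followed by the final swap used by DES. Decryption is the same pass with the
    subkeys in reverse order, because each round undoes itself given its subkey."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        mixed = round_function(k, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mixed))
    return right + left

def encrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key))

def decrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key)[::-1])   # rounds run backwards

def ede_encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """Two-key EDE as on the slide: E_K1(D_K2(E_K1(m))). Setting k2 = k1 makes the
    middle decryption cancel the first encryption, leaving single encryption."""
    return encrypt(k1, decrypt(k2, encrypt(k1, block)))

def ede_decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    return decrypt(k1, encrypt(k2, decrypt(k1, block)))
```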

AES

- NIST issued an open call for submissions in '97
- Several open conferences were held (and NSA did its own private evaluations)
  - 5 ciphers were eliminated as not secure enough
  - 5 more were dropped for inefficiency or low security margins
- Of the 5 finalists, Rijndael (a Belgian submission) was chosen for its good security and very high efficiency across a wide range of platforms
- Supports 128/192/256-bit keys (default is 128-bit keys) and 128-bit block length
  - 2^128 is a huge number (estimated number of nanoseconds since the big bang ~ 2^90)
- In particular, AES (possibly in stream cipher mode) is usually a better choice than a dedicated stream cipher
- NSA rates 128-bit AES as good enough for SECRET traffic, 256-bit AES as good enough for TOP SECRET traffic

AES structure

- Substitution-permutation based scheme
- Input block viewed as a byte array
  - Operates on a 4x4 column-major order matrix of bytes (state) (16 x 8 = 128)
- Subkeys for each round derived from the Rijndael key schedule (KeyExpansion)
  - Subkey viewed as a 2-D matrix
  - The subkey is mixed with the state (entire block) in each round, so key and data are combined in a hard-to-invert fashion
- Each round consists of a series of simple, byte-oriented operations:
  - Initial round (1): AddRoundKey, each state byte XORed w/ the round key
  - Intermediate rounds (2 to 9/11/13):
    - ByteSubstitution: nonlinear substitution of each byte using a lookup table (S-box)
    - ShiftRow: transposition by cyclically left-shifting each state row by a certain number of bytes (depending on row #, except the first row)
    - MixColumn: mixing the state columns by combining the four bytes in each column using an invertible linear transformation
    - AddRoundKey

Modes of operation

- Direct use of a block cipher is inadvisable
  - Enemy can build up a code book of plaintext/ciphertext equivalents, a.k.a. dictionary
  - Direct use also only works on messages that are a multiple of the cipher block size in length
- Solution: five standard modes of operation
  - Used for encrypting a long message m = m1, ..., mn
  - Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher FeedBack (CFB), Output FeedBack (OFB), and CounTeR (CTR)

ECB (Electronic Code Book)

- Direct use of the block cipher
  - split the plaintext into blocks
  - encrypt each one separately using the block cipher
- Used primarily to transmit encrypted keys
- Very weak if used for general-purpose encryption; never use it for a file or a message
  - Dictionary attack
- Notation: using m_i and P_i interchangeably to refer to the i-th block of plaintext
- Not even secure against ciphertext-only attacks
  - The same plaintext blocks give the same ciphertext blocks (information leakage)

(Figure: original image)

CBC (Cipher Block Chaining)

- The ciphertext of each encrypted block depends on the plaintext of all preceding blocks
- Initial Vector (IV) as a dummy initial ciphertext block C_0, which the receiver (decipher) must know
- Consider a 4-block message:
  C_0 = IV
  C_1 = F_K(m_1 ⊕ IV)
  C_2 = F_K(m_2 ⊕ C_1)
  C_3 = F_K(m_3 ⊕ C_2)
  C_4 = F_K(m_4 ⊕ C_3)
- In general: choose a random IV; C_i = F_K(m_i ⊕ C_{i-1}); the ciphertext is (IV, C_1, ..., C_n)

- If a ciphertext block is garbled in transit, what happens to the plaintext? Next slide!

CBC: error propagation

Look at the decryption process, where C'_2 is a garbled version of C_2:
  P'_1 = F^-1_K(C_1) ⊕ IV depends only on C_1 and IV, and not on C'_2
  P'_2 = F^-1_K(C'_2) ⊕ C_1 depends on C'_2 and C_1, and hence is garbled
  P'_3 = F^-1_K(C_3) ⊕ C'_2 depends on C_3 and C'_2, and hence is garbled
  P'_4 = F^-1_K(C_4) ⊕ C_3 depends on C_4 and C_3, and not on C'_2

CBC: no integrity

- Consider the encrypted message C: IV, C_1, C_2, C_3, C_4
- The truncated message IV, C_1, C_2, C_3 is valid
- Even if we snip out blocks, leaving IV, C_3, C_4, the result appears valid
- Conclusion: if you want message integrity, you have to do it yourself (not guaranteed here)

CFB (Cipher FeedBack)

- The underlying block cipher is used only in encryption mode (both in the encryption and the decryption phase)
- Some of the previous cycle's ciphertext can be retained (shift register)
- Can operate in bit units
- Errors propagate while bad data is in the shift register
  - 17 bytes for 8-bit CFB when using AES

OFB (Output FeedBack)

- Choose a random IV; z_i = F_K(z_{i-1}) with z_0 = IV; C_i = z_i ⊕ m_i
- The ciphertext is (IV, C_1, ..., C_n)

Properties of OFB

- No error propagation
- An active attacker can make controlled changes to the plaintext
- OFB is a form of stream cipher

CTR (CounTeR)

- Another form of stream cipher
- Choose a random IV; z_i = F_K(IV + i); C_i = z_i ⊕ m_i; the ciphertext is (IV, C_1, ..., C_n)
- Frequently split the counter into two sections: message number & block number within the message
- Highly parallelizable; no linkage between stages
- Vital that the counter never repeats for any given key

Security of the modes

- CBC, OFB, and CTR modes are secure against chosen-plaintext attacks (CPA)
- CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks (CCA)

Which mode?

- General file or packet encryption: CBC
  - Input must be padded to a multiple of the cipher block size
- Bit stream; noisy line and error propagation is undesirable: OFB
- Very high-speed data: CTR
- In most situations, an integrity check is needed
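ECB leakage, CBC chaining with its two-block error propagation and missing integrity (the garbled-C_2 and truncation slides above), and CTR keystream generation, as an added example that is not from the original slides. The block cipher F_K is an assumed toy: a key-derived permutation of single bytes, so a "block" is one byte here; the mode logic is the same for AES's 16-byte blocks.

```python
import hashlib
import os

def make_block_cipher(key: bytes):
    """Toy keyed permutation F_K on 1-byte blocks: a key-derived shuffle of 0..255.
    Assumed stand-in for AES; returns (F, F_inverse) as functions on ints 0..255."""
    table = sorted(range(256), key=lambda b: hashlib.sha256(key + bytes([b])).digest())
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda b: table[b]), (lambda b: inverse[b])

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: each block encrypted alone, so equal plaintext blocks leak as equal ciphertext blocks."""
    F, _ = make_block_cipher(key)
    return bytes(F(m) for m in msg)

def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = None) -> bytes:
    """CBC: C_0 = IV; C_i = F_K(m_i XOR C_{i-1}); returns IV || C_1..C_n."""
    F, _ = make_block_cipher(key)
    iv = os.urandom(1) if iv is None else iv
    prev, out = iv[0], bytearray()
    for m in msg:
        prev = F(m ^ prev)
        out.append(prev)
    return iv + bytes(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    """P_i = F_K^-1(C_i) XOR C_{i-1}: each block depends only on C_i and C_{i-1}.
    It happily decrypts truncated or snipped ciphertexts, so CBC gives no integrity;
    a MAC has to supply that."""
    _, Finv = make_block_cipher(key)
    return bytes(Finv(ct[i]) ^ ct[i - 1] for i in range(1, len(ct)))

def ctr_encrypt(key: bytes, msg: bytes, iv: bytes = None) -> bytes:
    """CTR: z_i = F_K(IV + i); C_i = z_i XOR m_i. The same routine decrypts.
    The counter (mod 256 in this toy) must never repeat under one key."""
    F, _ = make_block_cipher(key)
    iv = os.urandom(1) if iv is None else iv
    return iv + bytes(F((iv[0] + i) % 256) ^ m for i, m in enumerate(msg))

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    return ctr_encrypt(key, ct[1:], ct[:1])[1:]

def cbc_garbled_blocks(key: bytes, msg: bytes, bad_index: int) -> set:
    """Flips one bit of ciphertext block bad_index (1-based) and returns the set of
    plaintext block numbers that changed: exactly {bad_index, bad_index + 1}, as on
    the slide (P'_i is garbage, P'_{i+1} has the same bit flipped, the rest intact)."""
    ct = bytearray(cbc_encrypt(key, msg))
    ct[bad_index] ^= 0x01
    pt = cbc_decrypt(key, bytes(ct))
    return {i + 1 for i, (a, b) in enumerate(zip(pt, msg)) if a != b}
```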

Images from Wikipedia

Stream cipher: basically PRNGs

- Reuse of a single key of limited size
- Pseudo-OTP w/ reusable keying vs. OTP
- RC4
- A5/1
  - Used for GSM cellphone encryption
  - Not very secure
- Block ciphers can also be turned into stream ciphers

Stream Cipher

- Key stream generator produces a pseudo-random sequence S
  - Unique for each plaintext
- RC4 (used in SSL): very efficient
  - Internal state is a 256-byte array plus two integers

RC4

- Extremely efficient
- After key setup, it just produces a key stream
  - No way to resynchronize except by rekeying and starting over
- Internal state is a 256-byte array plus two integers
- Note: weaknesses if used in ways other than as a stream cipher
- Snake oil alert! If the key stream is algorithmically generated, it's not a one-time pad!

Key length

- A cipher is no stronger than its key length
  - If there are too few keys, an attacker can enumerate all possible keys
- No good reason to use less than 128 bits
- Adding one bit to the key doubles the work for brute-force attacks
  - The effect on encryption time is often negligible or even free
  - It costs nothing to use a longer RC4 key
  - Going from 128-bit AES to 256-bit AES takes (at most) 40% longer
  - Using triple DES costs 3x more to encrypt, but increases the attacker's effort by a factor of 2

Homework #3

Due next week during the lecture (Thu. 09/24/2015 at 7:00pm)

Homework:
- Reading assignment: submit your review to the course web page
  - Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel, "An Empirical Study of Cryptographic Misuse in Android Applications"
  - https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf
- Students will be randomly selected to provide their summary of the reading assignment in class during the following lecture

Review of Lecture

What did we learn?
- PRNGs
- Attack models on crypto
- One-time pad
- Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
- Block cipher as a symmetric cryptography: DES, AES, 3DES
- Modes of operation - ECB, CBC, CFB, OFB, CTR
- Stream cipher: RC4

What's next?
- Message integrity: MAC, Digital Signature
- Asymmetric cryptography - DH, RSA

Sources

In addition to the textbooks mentioned in the course syllabus, the course material is in part borrowed from the following sources:
- Jonathan Katz, CMSC414 Computer and Network Security
- Tudor Dumitras, ENEE757 Network and Distributed System Security
- Robert Maxwell, ENPM808D Security Tools for Information Security
- Tudor Dumitras, ENEE759D Security Data Science
