Cryptography: Review Day. David Brumley, Carnegie Mellon University.
2
Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity
[Figure: Alice runs E with key ke on message m and sends ciphertext c over the public channel; Bob runs D with key ke on the received c' and obtains m or an error. Eve has read/write access to the channel.]
5
Perfect Secrecy [Shannon1945] (Information Theoretic Secrecy)
Defn Perfect Secrecy (informal): We're no better off determining the plaintext when given the ciphertext.
[Figure: Alice sends c to Bob; Eve observes.]
1. Eve observes everything but the c. Guesses m1
2. Eve observes c. Guesses m2
Goal:
6
The One Time Pad (Miller, 1882 and Vernam, 1917)
Encryption, c = m XOR k:
m: 0 1 1 0 1 1 0
k: 1 1 0 1 0 0 0
c: 1 0 1 1 1 1 0
Decryption, m = c XOR k:
k: 1 1 0 1 0 0 0
m: 0 1 1 0 1 1 0
M = C = K = {0,1}^n
7
Block Ciphers
• Modes of operation – CBC, CTR, etc. – What modes do for security, e.g., why ECB is bad, why randomize an IV for CBC, etc.
• Definitions – Is a block cipher a PRP or PRF
• Attacks
8
Exhaustive Search for block cipher key
Goal: given a few input/output pairs (mi, ci = E(k, mi)), i = 1, ..., n, find key k.
Attack: Brute force to find the key k.
Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs?
9
Meet in the middle attack
• Define 2E((k1,k2), m) = E(k1, E(k2, m))
key-len = 112 bits for 2DES
Idea: key found when c' = c'': E(ki, m) = D(kj, c)
[Figure: m → E(k2, ·) → E(k1, ·) → c. The forward values c' = E(ki, m) over candidate keys ki are compared with the backward values c'' = D(kj, c) over candidate keys kj.]
10
Semantic Security Game
World 0:
1. A picks m0, m1 with |m0| = |m1| and sends them to E
2. E picks b=0
3. k = KeyGen(l)
4. c = E(k, mb) is sent to A
5. A guesses and outputs b'
World 1: the same, except in step 2 E picks b=1.
A doesn't know which world he is in, but wants to figure it out.
Semantic security is a behavioral model: it captures that any A behaves the same in either world when E is secure.
11
Semantic security under CPA
Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key)
Challenger: k ← K
Adversary A:
  sends m0, m0 ∈ M and receives c0 ← E(k, m0)
  sends m0, m1 ∈ M and receives cb ← E(k, mb)
  if cb = c0 output 0 else output 1
12
Encryption modes must be randomized or use a nonce (or are vulnerable to CPA)
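The CPA game from the two slides above, as an added example that is not part of the lecture: the adversary's rule "if cb = c0 output 0 else output 1" is run against a keystream mode with a fixed nonce and against the same mode with a fresh random nonce. HMAC-SHA256 stands in for the PRF and the messages are constructed; both are assumptions of this example.

```python
import hmac
import hashlib
import secrets

def prf(k: bytes, x: bytes) -> bytes:
    # Keyed PRF, instantiated with HMAC-SHA256 (an assumption of this example).
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_fixed_nonce(k: bytes, m: bytes) -> bytes:
    # Keystream derived from a constant nonce: equal plaintexts give equal ciphertexts
    # (the failure the slide points to for ECB / fixed-nonce CTR).
    return xor(m, prf(k, b"\x00" * 16)[:len(m)])

def enc_random_nonce(k: bytes, m: bytes) -> bytes:
    # Fresh 16-byte nonce per encryption, prepended so the receiver can rederive the keystream.
    nonce = secrets.token_bytes(16)
    return nonce + xor(m, prf(k, nonce)[:len(m)])

def adversary_output(enc, b: int) -> int:
    # One run of the slide's CPA game in world b; returns A's guess b'.
    k = secrets.token_bytes(32)                          # challenger: k <- K
    m0, m1 = b"attack at dawn!!", b"hold position!!!"    # constructed, |m0| = |m1|
    c0 = enc(k, m0)                                      # CPA query (m0, m0): c0 <- E(k, m0)
    cb = enc(k, (m0, m1)[b])                             # challenge (m0, m1): cb <- E(k, mb)
    return 0 if cb == c0 else 1                          # A's rule from the slide

def advantage(enc, trials: int = 200) -> float:
    # AdvSS[A,E] = |Pr[A outputs 1 in world 0] - Pr[A outputs 1 in world 1]|, estimated empirically.
    w0 = sum(adversary_output(enc, 0) for _ in range(trials)) / trials
    w1 = sum(adversary_output(enc, 1) for _ in range(trials)) / trials
    return abs(w0 - w1)

if __name__ == "__main__":
    print("fixed nonce  :", advantage(enc_fixed_nonce))   # 1.0: A always tells the worlds apart
    print("random nonce :", advantage(enc_random_nonce))  # 0.0: A outputs 1 in both worlds
```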
14
Message Integrity
Goal: integrity (not secrecy)
Examples:
– Protecting binaries on disk.
– Protecting banner ads on web pages
Security Principles:
– Integrity means no one can forge a signature
15
PRF Security Game (A behavioral model)
World 0 (E answers with a random function):
1. A picks x and sends it
2. if tbl[x] is undefined: tbl[x] = rand(); return y = tbl[x]
3. A guesses and outputs b'
World 1 (E answers with the PRF):
1. A picks x and sends it
2. return y = PRF(x)
3. A outputs its guess for b
A doesn't know which world he is in, but wants to figure it out.
For b=0,1: Wb := [ event that A(Wb) = 1 ]
AdvSS[A,E] := | Pr[W0] − Pr[W1] | ∈ [0,1]
16
Secure PRF: An Alternate Interpretation
For b = 0,1 define experiment EXP(b) as:
[Figure: Challenger F interacting with Adversary]
Def: PRF is a secure PRF if for all efficient A:
17
Secure MAC Game
Security goal: A cannot produce a valid tag on a message – Even if the message is gibberish
Challenger: 1. k = KeyGen(l)
Adversary A: 2. Picks m1, ..., mq and sends m1, ..., mq
Challenger: 3. Compute for i in 0...q: ti = S(mi, k); sends t1, ..., tq
Adversary A: 4. Picks m not in m1, ..., mq, generates t, sends m, t
Challenger: 5. b = V(m, t, k)
b ∈ {yes, no}; existential forgery if b = "yes"
18
Birthday Paradox Rule of Thumb
Given N possibilities and random samples x1, ..., xj, Pr[xi = xj for some i ≠ j] ≈ 50% when j ≈ N^(1/2)
19
Generic attack on hash functions
Let H: M → {0,1}^n be a hash function (|M| >> 2^n)
Generic alg. to find a collision in time O(2^(n/2)) hashes
Algorithm:
1. Choose 2^(n/2) random messages in M: m1, …, m_{2^(n/2)} (distinct w.h.p.)
2. For i = 1, …, 2^(n/2) compute ti = H(mi) ∈ {0,1}^n
3. Look for a collision (ti = tj). If not found, go back to step 1.
How well will this work?
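The generic algorithm above, together with the birthday rule of thumb from the previous slide, as an added example (not from the lecture): H is SHA-256 truncated to n bits so that 2^(n/2) hashes is cheap, and round_success_rate answers "how well will this work?" empirically. The toy H and the 8-byte random messages are constructions of this example; n must be even.

```python
import hashlib
import secrets

def h_trunc(m: bytes, n_bits: int) -> int:
    # Toy H: M -> {0,1}^n, the top n bits of SHA-256 (constructed for the demo).
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - n_bits)

def one_round(n_bits: int):
    # Steps 1-3 of the slide: hash 2^(n/2) random messages and look for ti == tj.
    # Returns a colliding pair (mi, mj) or None if this round found nothing.
    samples = 2 ** (n_bits // 2)
    seen = {}                                   # tag -> first message seen with that tag
    for _ in range(samples):
        m = secrets.token_bytes(8)              # random message in M, distinct w.h.p.
        t = h_trunc(m, n_bits)
        if t in seen and seen[t] != m:
            return seen[t], m
        seen[t] = m
    return None

def find_collision(n_bits: int):
    # The full algorithm: repeat rounds until a collision appears; also reports how many rounds it took.
    rounds = 0
    while True:
        rounds += 1
        pair = one_round(n_bits)
        if pair is not None:
            return pair[0], pair[1], rounds

def is_collision(m1: bytes, m2: bytes, n_bits: int) -> bool:
    return m1 != m2 and h_trunc(m1, n_bits) == h_trunc(m2, n_bits)

def round_success_rate(n_bits: int, trials: int = 100) -> float:
    # Empirical answer to "how well will this work?": the fraction of single rounds that
    # succeed with 2^(n/2) samples. The birthday rule of thumb says roughly one half;
    # the exact figure for j = N^(1/2) samples is 1 - e^(-1/2), about 0.39.
    return sum(one_round(n_bits) is not None for _ in range(trials)) / trials

if __name__ == "__main__":
    m1, m2, rounds = find_collision(32)
    print(f"collision on 32-bit H after {rounds} round(s): {m1.hex()} / {m2.hex()}")
    print("single-round success rate, n=24:", round_success_rate(24))
```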
20
Brute Force
Online Brute Force Attack:
  input: hp = hash(password) to crack
  for each i in dictionary file:
    if h(i) == hp: output success
Time Space Tradeoff Attack ("rainbow tables"):
  precompute: h(i) for each i in dict file, stored in a hash tbl
  input: hp = hash(password); check if hp is in the hash tbl
21
Salts
Enrollment:
1. compute hp = h(password + salt)
2. store salt || hp
Verification:
3. Look up salt in password file
4. Check h(input || salt) == hp
What good is this for security, given that the salt is public?
Salt doesn't increase security against online attack, but does make tables much bigger.
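The enrollment and verification steps above, as an added example that is not from the lecture, run against both attacks from the previous slide: a table precomputed over a constructed five-word dictionary hits the unsalted hash and misses the salted one, while online guessing is unaffected by the public salt. SHA-256 as h() and the 16-byte salt are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16
DICTIONARY = [b"password", b"letmein", b"hunter2", b"qwerty", b"dragon"]  # constructed word list

def h(x: bytes) -> bytes:
    # The slide's h(), instantiated with SHA-256 (assumption).
    return hashlib.sha256(x).digest()

def precompute_table(words) -> dict:
    # Time-space tradeoff: h(word) -> word, computed once and reused against every stolen hash.
    return {h(w): w for w in words}

def enroll(password: bytes) -> bytes:
    # Enrollment: hp = h(password || salt); store salt || hp.
    salt = secrets.token_bytes(SALT_LEN)
    return salt + h(password + salt)

def verify(record: bytes, attempt: bytes) -> bool:
    # Verification: look up the salt, check h(input || salt) == hp.
    salt, hp = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(h(attempt + salt), hp)

def table_lookup(table: dict, stored_hash: bytes):
    # Precomputed-table lookup: a hit needs an entry computed for this exact salt,
    # so the table must grow by a factor of 2^(8 * SALT_LEN) to cover salted records.
    return table.get(stored_hash)

def online_guess(record: bytes, words):
    # Online attack: each guess is checked against the record; the public salt does not slow it down.
    for w in words:
        if verify(record, w):
            return w
    return None

def demo():
    table = precompute_table(DICTIONARY)
    record = enroll(b"hunter2")
    return (table_lookup(table, h(b"hunter2")),      # unsalted hash: found in the table
            table_lookup(table, record[SALT_LEN:]),  # salted hash: the table is useless
            online_guess(record, DICTIONARY),        # online guessing still succeeds
            verify(record, b"letmein"))              # wrong password is rejected
```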
23
Motivating Question: Which is Best?
Encryption key = kE; MAC key = kI
Option 1: SSL (MAC-then-encrypt): tag = S(kI, m); send E(kE, m || tag)
Option 2: IPsec (Encrypt-then-MAC): c = E(kE, m); send c || S(kI, c)
Option 3: SSH (Encrypt-and-MAC): send E(kE, m) || S(kI, m)
24
An authenticated encryption system (E,D) is a cipher where
As usual: E: K × M × N ⟶ C, but D: K × C × N ⟶ M ∪ {⊥} (⊥ means: reject ciphertext as invalid)
Security: the system must provide
– Semantic security under CPA attack, and
– ciphertext integrity. The attacker cannot create a new ciphertext that decrypts properly.
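An (E, D) pair with the signatures above, built as Encrypt-then-MAC (Option 2 of the previous slide), as an added example that is not from the lecture: D verifies the tag over nonce || c before decrypting and returns None in place of ⊥, so a ciphertext with one flipped bit is rejected rather than decrypted to a changed message. The keystream construction and the use of HMAC-SHA256 for both the PRF and S are assumptions of this example.

```python
import hmac
import hashlib
import secrets

TAG_LEN = 32

def prf(k: bytes, x: bytes) -> bytes:
    # PRF instantiated with HMAC-SHA256 (assumption; the lecture fixes no primitive).
    return hmac.new(k, x, hashlib.sha256).digest()

def keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: PRF(k, nonce || counter) blocks, truncated to length.
    blocks = [prf(k, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ae_encrypt(kE: bytes, kI: bytes, nonce: bytes, m: bytes) -> bytes:
    # E: K x M x N -> C as Encrypt-then-MAC: c = E(kE, m), tag = S(kI, nonce || c).
    c = xor(m, keystream(kE, nonce, len(m)))
    return c + hmac.new(kI, nonce + c, hashlib.sha256).digest()

def ae_decrypt(kE: bytes, kI: bytes, nonce: bytes, ct: bytes):
    # D: K x C x N -> M u {bottom}; None plays the role of bottom (reject as invalid).
    if len(ct) < TAG_LEN:
        return None
    c, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(kI, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before touching the plaintext
        return None
    return xor(c, keystream(kE, nonce, len(c)))

def demo():
    # Constructed keys and nonce; returns (honest decryption, decryption of a bit-flipped ciphertext).
    kE, kI, nonce = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(12)
    ct = ae_encrypt(kE, kI, nonce, b"transfer 100 to bob")
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]   # one ciphertext bit flipped in transit
    return ae_decrypt(kE, kI, nonce, ct), ae_decrypt(kE, kI, nonce, tampered)
```

Without the tag the same bit flip would silently flip one bit of the plaintext, which is exactly the "new ciphertext that decrypts properly" the definition rules out.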
25
CCA Game Definition
Let ENC = (E,D) over (K,M,C). For b ∈ {0,1}, define EXP(0) and EXP(1):
Chal.: k ← K
Adv., for i = 1, …, q, makes either
  (1) a CPA query: mi,0, mi,1 ∈ M with |mi,0| = |mi,1|; receives ci ← E(k, mi,b)
  (2) a CCA query: ci ∈ C with ci ∉ {c1, …, ci-1}; receives mi ← D(k, ci) (Ex: could query a changed ci)
Adv. finally outputs b' ∈ {0,1}
27
Diffie-Hellman key exchange (Alice and Bob, with Eve listening):
1. Alice picks a from [0, p-1)
2. Bob picks b from [0, p-1)
3. Alice sends g^a mod p
4. Bob sends g^b mod p
5. Compute (g^a)^b mod p as secret key
6. Compute (g^b)^a mod p as secret key
Eve observes: g, g^a, g^b
Goal: compute a (or b) (i.e., calculate the discrete log) or compute g^ab
28
MITM Adversary
As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks
[Figure: Alice sends g^a mod p, but the MITM forwards g^m mod p to Bob; Bob sends g^b mod p, but the MITM forwards g^m mod p to Alice. Alice derives g^ma mod p and Bob derives g^mb mod p, each shared with the MITM rather than with each other.]
29
Public Key Encryption
Def: a public-key encryption system is a triple of algorithms (G, E, D)
• G(): randomized alg. that outputs a key pair (pk, sk)
• E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
• D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥
Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m
Note: Without randomization, an attacker can tell that m1 = m2 whenever E(pk,m1) = E(pk,m2)
30
Semantic Security
For b=0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):
EXP(b):
  Chal.: (pk, sk) ← G(); sends pk to Adv. A
  Adv. A: sends m0, m1 ∈ M with |m0| = |m1|
  Chal.: sends c ← E(pk, mb)
  Adv. A: outputs b' ∈ {0,1}
Def: Enc = (G,E,D) is sem. secure (a.k.a. IND-CPA) if for all efficient A:
AdvSS[A,Enc] = |Pr[EXP(0)=1] – Pr[EXP(1)=1]| < negligible
No query encryptions of messages. Why?