CSE 127: Computer Security Symmetric-key Cryptography
Transcript of CSE 127: Computer Security Symmetric-key Cryptography
![Page 1: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/1.jpg)
CSE 127: Computer Security
Symmetric-key CryptographyDeian Stefan
Some slides adopted from Nadia Heninger, Kirill Levchenko and Dan Boneh
![Page 2: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/2.jpg)
Cryptography• Is:
➤ A tremendous tool
➤ The basis for many security mechanisms
• Is not: ➤ The solution to all security problems
➤ Reliable unless implemented and used properly
➤ Something you should try to invent yourself
➤ Another word for blockchain
![Page 3: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/3.jpg)
How Does It Work?• Goal: learn how to use crypto primitives correctly
➤ We will treat them as a black box that mostly does what it says
• To learn what’s inside black box take CSE 107
• Do not roll your own crypto*
* Exceptions: You are Daniel J. Bernstein, Joan Daemen, Neal Koblitz, Dan Boneh, or similar, or you have finished your PhD in cryptography under an advisor of that caliber, and your work has been accepted at Crypto, Eurocrypt, Asiacrypt, FSE, or PKC and/or NIST is running another competition, and then wait several years for full standardization and community vetting.
![Page 4: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/4.jpg)
How Does It Work?• Goal: learn how to use crypto primitives correctly
➤ We will treat them as a black box that mostly does what it says
• To learn what’s inside black box take CSE 107
• Do not roll your own crypto*
* Exceptions: You are Daniel J. Bernstein, Joan Daemen, Neal Koblitz, Dan Boneh, or similar, or you have finished your PhD in cryptography under an advisor of that caliber, and your work has been accepted at Crypto, Eurocrypt, Asiacrypt, FSE, or PKC and/or NIST is running another competition, and then wait several years for full standardization and community vetting.
![Page 5: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/5.jpg)
Real-world crypto: SSL/TLS
1. Browser and web server run “handshake protocol’’: ➤ Establishes shared secret key using public-key
cryptography (next lecture)
2. Browser and web server use negotiated key to symmetrically encrypt data (“Record layer”)
![Page 6: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/6.jpg)
Real-world crypto: File encryption
Password
Decrypted data
➤ Files are symmetrically encrypted with a secret key
➤ The symmetric key is stored encrypted or in tamperproof hardware.
➤ The password is used to unlock the key so the data can be decrypted.
![Page 7: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/7.jpg)
This class: secure communication
Alice Bob
Eve
➤ Authenticity: Parties cannot be impersonated
➤ Secrecy: No one else can read messages
➤ Integrity: Messages cannot be modified
![Page 8: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/8.jpg)
Attacker models
➤ Passive attacker: Eve only snoops on channel
➤ Active attacker: Eve can snoop, inject, block, tamper, etc.
Alice Bob
Eve
![Page 9: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/9.jpg)
Outline
• Symmetric-key crypto ➤ Encryption
➤ Hash functions
➤ Message authentication codes
• Next time: asymmetric (public-key) crypto ➤ Key exchange
➤ Digital signatures
![Page 10: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/10.jpg)
Symmetric-key encryption
Em c
kDc m
k
![Page 11: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/11.jpg)
Symmetric-key encryption
• Encryption: (key, plaintext) → ciphertext ➤ Ek(m) = c
• Decryption: (key, ciphertext) → plaintext ➤ Dk(c) = m
• Functional property: Where Dk(Ek(m)) = m
Em c
kDc m
k
![Page 12: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/12.jpg)
Symmetric-key encryption
• One-time key: used to encrypt one message ➤ E.g., encrypted email, new key generate per email
• Multi-use key: used to encrypt multiple messages ➤ E.g., SSL, same key used to encrypt many packets
Em c
kDc m
k
![Page 13: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/13.jpg)
Symmetric-key encryption
• One-time key: used to encrypt one message ➤ E.g., encrypted email, new key generate per email
• Multi-use key: used to encrypt multiple messages ➤ E.g., SSL, same key used to encrypt many packets
Em c
kDc m
k
![Page 14: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/14.jpg)
Symmetric-key encryption
• One-time key: used to encrypt one message ➤ E.g., encrypted email, new key generate per email
• Multi-use key: used to encrypt multiple messages ➤ E.g., SSL, same key used to encrypt many packets
Em c
kDc m
k
n n
![Page 15: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/15.jpg)
Symmetric-key encryption
• One-time key: used to encrypt one message ➤ E.g., encrypted email, new key generate per email
• Multi-use key: used to encrypt multiple messages ➤ E.g., SSL, same key used to encrypt many packets
Em c
kDc m
k
n n
Need unique/random nonce
![Page 16: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/16.jpg)
Security definition: Passive eavesdropper
• Simplest security definition
• Secrecy against a passive eavesdropper: ➤ Ciphertext reveals nothing about plaintext
➤ Informal formal definition: Given Ek(m1) and Ek(m2), can’t distinguish which plaintext was encrypted without key
![Page 17: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/17.jpg)
Vernam (1917)
Example: One Time Pad
➤ Encryption: c = Ek(m) = m ⨁ k
➤ Decryption: Dk(c) = c ⨁ k = (m ⨁ k) ⨁k = m
0 1 0 1 1 1 0 0 01Key:
1 1 0 0 0 1 1 0 00Plaintext:
⊕
1 0 0 1 1 0 1 0 01Ciphertext:
![Page 18: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/18.jpg)
Vernam (1917)
Example: One Time Pad
➤ Encryption: c = Ek(m) = m ⨁ k
➤ Decryption: Dk(c) = c ⨁ k = (m ⨁ k) ⨁k = m
0 1 0 1 1 1 0 0 01Key:
1 1 0 0 0 1 1 0 00Plaintext:
⊕
1 0 0 1 1 0 1 0 01Ciphertext:
![Page 19: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/19.jpg)
OTP security
• Shannon (1949) ➤ Information-theoretic security: without key,
ciphertext reveals no “information” about plaintext
• Problems with OTP ➤ Can only use key once
➤ Key is as long as the message
![Page 20: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/20.jpg)
Computational cryptography
• Want the size of the secret to be small ➤ If size of keyspace smaller than size of message
space, information-theoretic security is impossible.
• Solution: Weaken security requirement ➤ It should be infeasible for a computationally
bounded attacker to violate security
![Page 21: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/21.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
![Page 22: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/22.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
key
![Page 23: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/23.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
key
PRG
![Page 24: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/24.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
key
PRG
Computationally hard to distinguish from random
![Page 25: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/25.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
key
PRG
message⊕
ciphertextEk(m) = PRG(k) ⊕ m
Computationally hard to distinguish from random
![Page 26: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/26.jpg)
Stream ciphers
• Problem: OTP key is as long as message
• Solution: Pseudo random generator
➤ Examples: ChaCha, Salsa, etc.
key
PRG
message⊕
ciphertextEk(m) = PRG(k) ⊕ m
Computationally hard to distinguish from random
![Page 27: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/27.jpg)
Dangers in using stream ciphers
• Can we use a key more than once?
➤ E.g., c1 ← m1 ⊕ PRG(k)
c2 ← m2 ⊕ PRG(k)
➤ Yes? No?
➤ Eavesdropper does: c1 ⊕ c2 → m1 ⊕ m2
➤ Enough redundant information in English that: m1 ⊕ m2 → m1 , m2
![Page 28: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/28.jpg)
Dangers in using stream ciphers
• Can we use a key more than once?
➤ E.g., c1 ← m1 ⊕ PRG(k)
c2 ← m2 ⊕ PRG(k)
➤ Yes? No?
➤ Eavesdropper does: c1 ⊕ c2 → m1 ⊕ m2
➤ Enough redundant information in English that: m1 ⊕ m2 → m1 , m2
![Page 29: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/29.jpg)
Chosen plaintext attacks
• Attacker can learn encryptions for arbitrary plaintexts
• Historical example: ➤ During WWII the US Navy sent messages about Midway Island
and watched Japanese ciphertexts to learn codename (“AF”)
• More recent (but still a bit old) example: ➤ WEP WiFi encryption has poor randomization and can result in
the same stream cipher used multiple times
![Page 30: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/30.jpg)
Block ciphers: crypto work horses
• Block ciphers operate on fixed-size blocks ➤ E.g., 3DES: |m| = |c| = 64 bits, |k| = 168 bits
➤ E.g., AES: |m| = |c| = 128 bits, |k| = 128, 192, 256
• A block cipher = permutation of fixed-size inputs ➤ Each input mapped to exactly one output
Em c
kDc m
k
![Page 31: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/31.jpg)
Block ciphers: crypto work horses
• Block ciphers operate on fixed-size blocks ➤ E.g., 3DES: |m| = |c| = 64 bits, |k| = 168 bits
➤ E.g., AES: |m| = |c| = 128 bits, |k| = 128, 192, 256
• A block cipher = permutation of fixed-size inputs ➤ Each input mapped to exactly one output
Em c
kDc m
k
Correct block cipher choice: AES
![Page 32: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/32.jpg)
R(k 1
, ⋅)
R(k 2
, ⋅)
R(k 3
, ⋅)
R(k n
, ⋅)
k1 k2 k3 kn
key k
What’s inside the box?
R(k,m): round function for AES-128 (n=10)
key expansion
m c
![Page 33: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/33.jpg)
What’s inside that?
![Page 34: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/34.jpg)
Challenges with block ciphers
![Page 35: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/35.jpg)
Challenges with block ciphers
• Block ciphers operate on single fixed-size block
• How do we encrypt longer messages?
![Page 36: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/36.jpg)
Challenges with block ciphers
• Block ciphers operate on single fixed-size block
• How do we encrypt longer messages?➤ Several modes of operation for longer messages
![Page 37: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/37.jpg)
Challenges with block ciphers
• Block ciphers operate on single fixed-size block
• How do we encrypt longer messages?➤ Several modes of operation for longer messages
• How do we deal with messages that are not block-aligned?
![Page 38: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/38.jpg)
Challenges with block ciphers
• Block ciphers operate on single fixed-size block
• How do we encrypt longer messages?➤ Several modes of operation for longer messages
• How do we deal with messages that are not block-aligned?➤ Must pad messages in a distinguishable way
![Page 39: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/39.jpg)
Insecure block cipher usage: ECB mode
![Page 40: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/40.jpg)
Insecure block cipher usage: ECB mode
Source: wikipedia
![Page 41: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/41.jpg)
Why is ECB so bad?
Ek( )=
Source: wikipedia
![Page 42: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/42.jpg)
Moderately secure usage:CBC mode with random IV
![Page 43: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/43.jpg)
Source: wikipedia
Moderately secure usage:CBC mode with random IV
![Page 44: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/44.jpg)
Subtle attacks that abuse padding possible!
Source: wikipedia
Moderately secure usage:CBC mode with random IV
![Page 45: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/45.jpg)
Better block cipher usage: CTR mode with random IV
![Page 46: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/46.jpg)
Better block cipher usage: CTR mode with random IV
Source: wikipedia
![Page 47: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/47.jpg)
Better block cipher usage: CTR mode with random IV
Essentially use block cipher as stream cipher!
Source: wikipedia
![Page 48: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/48.jpg)
What security do we actually get?
• All encryption breakable by brute force given enough knowledge about plaintext ➤ Try to decrypt ciphertext with every possible key until
a valid plaintext is found
• Attack complexity proportional to size of key space ➤ 128-bit key requires 2128 decryption attempts
![Page 49: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/49.jpg)
Chosen ciphertext attacks• What if Eve can alter the ciphertexts sent
between Alice and Bob?
• Symmetric encryption alone is not enough to ensure security. ➤ Need to protect integrity of ciphertexts (and thus
underlying encrypted messages)
![Page 50: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/50.jpg)
Outline
• Symmetric-key crypto ➤ Encryption
➤ Hash functions
➤ Message authentication codes
• Asymmetric (public-key) crypto ➤ Key exchange
➤ Digital signatures
![Page 51: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/51.jpg)
Hash Functions
• A (cryptographic) hash function maps arbitrary length input into a fixed-size string
➤ |m| is arbitrarily large
➤ |h| is fixed, usually 128-512 bits
mH
h
h=H(m)
![Page 52: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/52.jpg)
Hash Function Properties
![Page 53: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/53.jpg)
Hash Function Properties
• Finding a preimage is hard ➤ Given h, find m such that H(m)=h
• Finding a second preimage is hard ➤ Given m1, find m2 such that H(m1)=H(m2)
• Finding a collision is hard ➤ Find m1 and m2 such that H(m1)=H(m2)
![Page 54: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/54.jpg)
Hash function security
• A 128-bit hash function has 64 bits of security ➤ Why? Birthday bound: find collision in time 264
![Page 55: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/55.jpg)
Hash function security
• A 128-bit hash function has 64 bits of security ➤ Why? Birthday bound: find collision in time 264
![Page 56: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/56.jpg)
Real-world crypto: Hash functions
• Versioning systems (e.g., git) ➤ Better than _1, _final, _really_final
• Sub-resource integrity ➤ Integrity of files you include from CDN
• File download integrity ➤ Make sure the thing you download is the thing you
thought you were downloading
![Page 57: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/57.jpg)
![Page 58: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/58.jpg)
Popular broken hash gunctions
• MD5: Message Digest
➤ Designed by Ron Rivest
➤ Output: 128 bits
• SHA-1: Secure Hash Algorithm 1 ➤ Designed by NSA
➤ Output: 160 bits
![Page 59: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/59.jpg)
Hash functions
• SHA-2: Secure Hash Algorithm 2 ➤ Designed by NSA
➤ Output: 224, 256, 384, or 512 bits
• SHA-3: Secure Hash Algorithm 3 ➤ Result of NIST SHA-3 contest
➤ Output: arbitrary size
➤ Replacement once SHA-2 broken
![Page 60: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/60.jpg)
Outline
• Symmetric-key crypto ➤ Encryption
➤ Hash functions
➤ Message authentication code
• Next time: asymmetric (public-key) crypto ➤ Key exchange
➤ Digital signatures
![Page 61: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/61.jpg)
Chosen ciphertext attacks• What if Eve can alter the ciphertexts sent
between Alice and Bob?
• Symmetric encryption alone is not enough to ensure security. ➤ Need to protect integrity of ciphertexts (and thus
underlying encrypted messages)
![Page 62: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/62.jpg)
MACs
• Validate message integrity based on shared secret
• MAC: Message Authentication Code ➤ Keyed function using shared secret
➤ Hard to compute function without knowing key
a=MACk(m)
![Page 63: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/63.jpg)
HMAC construction
• HMAC: MAC based on hash functionMACk(m) = H( k⊕opad ‖ H( k⊕ipad ‖ m ) )
➤ HMAC-SHA256: HMAC construction using SHA-256
![Page 64: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/64.jpg)
Other MAC constructions
• In 2009, Flickr required API calls to use authentication token that looked like:MD5( secret || arg1=val1&arg2=val2&…)
• Is MACk(m) = H(k || m) a secure MAC? ➤ No! If H is MD5, SHA1 or SHA2
➤ Use HMAC!
![Page 65: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/65.jpg)
Other MAC constructions
• In 2009, Flickr required API calls to use authentication token that looked like:MD5( secret || arg1=val1&arg2=val2&…)
• Is MACk(m) = H(k || m) a secure MAC? ➤ No! If H is MD5, SHA1 or SHA2
➤ Use HMAC!
![Page 66: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/66.jpg)
• Merkle-Damgård construction: hash function from collision-resistant compression function f
• Attacker that can observe MACk(m) can forge MACk(m||padding||r) for an r of their choice
Length extension attack
length paddingm1 m2 m3
IV hf f f f
![Page 67: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/67.jpg)
• Merkle-Damgård construction: hash function from collision-resistant compression function f
• Attacker that can observe MACk(m) can forge MACk(m||padding||r) for an r of their choice
Length extension attack
length paddingm1 m2 m3
IV hf f f f
![Page 68: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/68.jpg)
Combining MAC with encryption
MAC then Encrypt (SSL) ➤ Integrity for plaintext not
ciphertext
➤ Issue: need to decrypt before you can verify integrity
➤ Hard to get right!
m
a
kIMAC
c
kEE
m||a
![Page 69: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/69.jpg)
Combining MAC with encryption
MAC then Encrypt (SSL) ➤ Integrity for plaintext not
ciphertext
➤ Issue: need to decrypt before you can verify integrity
➤ Hard to get right!
m
a
kIMAC
c
kEE
m||a
![Page 70: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/70.jpg)
Combining MAC with encryption
Encrypt and MAC (SSH) ➤ Integrity for plaintext not
ciphertext
➤ Issue: need to decrypt before you can verify integrity
➤ Hard to get right!
m
a
kIMAC
c
kE E
||
![Page 71: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/71.jpg)
Combining MAC with encryption
Encrypt and MAC (SSH) ➤ Integrity for plaintext not
ciphertext
➤ Issue: need to decrypt before you can verify integrity
➤ Hard to get right!
m
a
kIMAC
c
kE E
||
![Page 72: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/72.jpg)
Combining MAC with encryption
Encrypt then MAC (IPSec) ➤ Integrity for plaintext and
ciphertext
➤ Almost always right!
m
a
kIMAC
c
kE E
||
![Page 73: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/73.jpg)
Combining MAC with encryption
Encrypt then MAC (IPSec) ➤ Integrity for plaintext and
ciphertext
➤ Almost always right!
m
a
kIMAC
c
kE E
||
![Page 74: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/74.jpg)
AEAD construction
• Authenticated Encryption with Associated Data ➤ AES-GCM, AES-GCM-SIV
• Always use an authenticated encryption mode ➤ Combines mode of operation with integrity
protection/MAC in the right way
![Page 75: CSE 127: Computer Security Symmetric-key Cryptography](https://reader030.fdocuments.us/reader030/viewer/2022012813/61c45a8b2bca9c7fbc73199b/html5/thumbnails/75.jpg)
Good libraries have good defaults