Cryptography: Review Day David Brumley [email protected] Carnegie Mellon University


Post on 24-Feb-2016


Page 1: Cryptography: Review Day

Cryptography: Review Day

David Brumley, [email protected], Carnegie Mellon University

Page 2: Cryptonium Pipe Goals: Privacy, Integrity, and Authenticity

[Diagram: Alice runs E with key ke on message m and sends ciphertext c over the Public Channel; Bob receives c’ and runs D with key ke, obtaining m or error. Eve has read/write access to the channel.]

Page 3: (no transcribed text)

Page 4: Privacy and Encryption

Page 5: Perfect Secrecy [Shannon 1945]

(Information Theoretic Secrecy)

Defn Perfect Secrecy (informal): We’re no better off determining the plaintext when given the ciphertext.

[Diagram: Alice sends ciphertext c to Bob while Eve watches the channel.]
  1. Eve observes everything but the c. Guesses m1.
  2. Eve observes c. Guesses m2.

Goal:

Page 6: The One Time Pad (Miller, 1882 and Vernam, 1917)

Encryption (c = m XOR k):
  m: 0 1 1 0 1 1 0
  k: 1 1 0 1 0 0 0
  c: 1 0 1 1 1 1 0

Decryption (m = c XOR k):
  c: 1 0 1 1 1 1 0
  k: 1 1 0 1 0 0 0
  m: 0 1 1 0 1 1 0

M = C = K = {0,1}^n
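The slide’s bit example and the Page 5 definition, as an added Python example that is not part of the original deck: it encrypts and decrypts the slide’s 7-bit message with XOR, then decrypts one fixed ciphertext under every key in {0,1}^n to show that every plaintext is reached exactly once, so c gives Eve nothing to go on. Function names are my own.

```python
import secrets

def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as '0110110'."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs |m| = |k|")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def otp_encrypt(m: str, k: str) -> str:
    return xor_bits(m, k)            # c = m XOR k

def otp_decrypt(c: str, k: str) -> str:
    return xor_bits(c, k)            # m = c XOR k, since k XOR k = 0

def fresh_key(n: int) -> str:
    """Uniformly random n-bit key from K = {0,1}^n; never reuse it."""
    return format(secrets.randbits(n), f"0{n}b")

def plaintext_counts(c: str) -> dict:
    """Decrypt a fixed ciphertext under every key in {0,1}^n.
    Perfect secrecy shows up as a flat histogram: each of the 2^n
    candidate plaintexts is produced by exactly one key, so after
    seeing c Eve's guess is as uniform as before (Page 5)."""
    n = len(c)
    counts = {}
    for k_int in range(2 ** n):
        m = otp_decrypt(c, format(k_int, f"0{n}b"))
        counts[m] = counts.get(m, 0) + 1
    return counts

if __name__ == "__main__":
    # Values taken from the slide, spaces removed.
    m, k = "0110110", "1101000"
    c = otp_encrypt(m, k)
    print("c =", c, "| recovered m =", otp_decrypt(c, k))
    hist = plaintext_counts(c)
    print(len(hist), "plaintexts, each reachable by",
          set(hist.values()), "key(s)")
```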

Page 7: Block Ciphers

• Modes of operation
  – CBC, CTR, etc.
  – What modes do for security, e.g., why ECB is bad, why randomize an IV for CBC, etc.
• Definitions
  – Is a block cipher a PRP or PRF?
• Attacks

Page 8: Exhaustive Search for block cipher key

Goal: given a few input/output pairs (mi, ci = E(k, mi)), i = 1, ..., n, find key k.

Attack: Brute force to find the key k.

Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs?

Page 9: Meet in the middle attack

• Define 2E((k1,k2), m) = E(k1, E(k2, m))
• key-len = 112 bits for 2DES
• Idea: key found when c’ = c’’: E(ki, m) = D(kj, c)

[Diagram: the double-encryption pipeline m → E(k2, ·) → E(k1, ·) → c, drawn as m → E(k2, ·) → c’ … c’’ ← D(k1, ·) ← c, with the c’ and c’’ values matched in the middle.]
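Pages 8 and 9 worked through in code, as an added Python example that is not from the deck: a deliberately tiny 16-bit block cipher with 12-bit keys stands in for E (it is my own toy construction, not DES), so the meet-in-the-middle table on 2E fits in memory and the extra (m, c) pairs from the Page 8 homework are what eliminate false matches.

```python
KEY_BITS = 12                 # toy key size; DES uses 56-bit keys
KEYSPACE = 1 << KEY_BITS
MASK = 0xFFFF                 # 16-bit blocks

def rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK

def rotr16(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK

def toy_encrypt(k: int, m: int) -> int:
    """Toy invertible block cipher (add, rotate, xor; 4 rounds). It only
    stands in for E so the attack runs in seconds; it is not a real cipher."""
    x = m
    for r in range(4):
        x = (x + ((k * 0x9E37 + r * 0x1234) & MASK)) & MASK
        x = rotl16(x, 3 + r)
        x ^= (k << r) & MASK
    return x

def toy_decrypt(k: int, c: int) -> int:
    """D: undo the rounds of toy_encrypt in reverse order."""
    x = c
    for r in reversed(range(4)):
        x ^= (k << r) & MASK
        x = rotr16(x, 3 + r)
        x = (x - ((k * 0x9E37 + r * 0x1234) & MASK)) & MASK
    return x

def double_encrypt(k1: int, k2: int, m: int) -> int:
    """2E((k1, k2), m) = E(k1, E(k2, m)) as defined on the slide."""
    return toy_encrypt(k1, toy_encrypt(k2, m))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (m, c) pairs with about 2 * 2^12 cipher
    calls instead of the 2^24 an exhaustive search of 2E would need:
    tabulate c' = E(k2, m) for every k2, then for every k1 compute
    c'' = D(k1, c) and look it up; a hit means c' = c''. The remaining
    pairs filter the false matches a 16-bit block cannot exclude
    (the Page 8 homework: one pair versus two)."""
    m0, c0 = pairs[0]
    table = {}
    for k2 in range(KEYSPACE):
        table.setdefault(toy_encrypt(k2, m0), []).append(k2)
    candidates = []
    for k1 in range(KEYSPACE):
        for k2 in table.get(toy_decrypt(k1, c0), []):
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates
```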

Page 10: Semantic Security Game

World 0:
  1. A picks m0, m1 with |m0| = |m1| and sends them to the challenger E.
  2. E picks b = 0.
  3. k = KeyGen(l)
  4. c = E(k, mb), sent to A.
  5. A guesses and outputs b’.

World 1: identical, except that in step 2 E picks b = 1.

A doesn’t know which world he is in, but wants to figure it out.

Semantic security is a behavioral model getting at any A behaving the same in either world when E is secure.

Page 11: Semantic security under CPA

Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key).

Challenger: k ← K

Adversary A:
  1. Sends (m0, m0), m0 ∊ M; receives c0 ← E(k, m0).
  2. Sends (m0, m1), m0, m1 ∊ M; receives cb ← E(k, mb).
  3. if cb = c0 output 0 else output 1

Page 12: Semantic security under CPA (continued)

(Same game as on Page 11.)

Encryption modes must be randomized or use a nonce (or are vulnerable to CPA).
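The Page 11 game run end to end, as an added Python example that is not from the deck: an HMAC-based PRF stands in for the block cipher, a CTR mode that reuses its nonce plays the deterministic mode, and the adversary from the slide gets advantage 1 against it and advantage 0 against the same mode with a fresh random nonce. All names here are mine.

```python
import hashlib
import hmac
import secrets

def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher: HMAC-SHA256 truncated to a 16-byte block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += prf(k, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:length]

def enc_fixed_nonce(k: bytes, m: bytes) -> bytes:
    """CTR with the nonce reused on every call: deterministic, like ECB on one block."""
    return xor(m, ctr_keystream(k, bytes(8), len(m)))

def enc_random_nonce(k: bytes, m: bytes) -> bytes:
    """CTR with a fresh random nonce per call; the nonce travels in the clear."""
    nonce = secrets.token_bytes(8)
    return nonce + xor(m, ctr_keystream(k, nonce, len(m)))

def cpa_experiment(enc, adversary, b: int) -> int:
    """EXP(b): challenger draws k <- K and answers each (m0, m1) with E(k, mb)."""
    k = secrets.token_bytes(16)
    def oracle(m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1)           # |m0| = |m1| as the game requires
        return enc(k, m1 if b else m0)
    return adversary(oracle)

def slide_adversary(oracle) -> int:
    """Page 11 strategy: query (m0, m0), then (m0, m1); output 0 iff cb == c0."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, equal length
    c0 = oracle(m0, m0)
    cb = oracle(m0, m1)
    return 0 if cb == c0 else 1

def advantage(enc, adversary=slide_adversary, trials: int = 100) -> float:
    """|Pr[EXP(0) = 1] - Pr[EXP(1) = 1]| estimated over repeated runs."""
    w0 = sum(cpa_experiment(enc, adversary, 0) for _ in range(trials)) / trials
    w1 = sum(cpa_experiment(enc, adversary, 1) for _ in range(trials)) / trials
    return abs(w0 - w1)
```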

Page 13: Hashes and MACs

Page 14: Message Integrity

Goal: integrity (not secrecy)

Examples:
  – Protecting binaries on disk.
  – Protecting banner ads on web pages.

Security Principles:
  – Integrity means no one can forge a signature.

Page 15: PRF Security Game (A behavioral model)

World 0 (a truly random function):
  1. A picks x and sends it.
  2. if (tbl[x] undefined) tbl[x] = rand(); return y = tbl[x]
  3. A outputs guess for b.

World 1 (the PRF):
  1. A picks x and sends it.
  2. y = PRF(x)
  3. A outputs guess for b.

A doesn’t know which world he is in, but wants to figure it out.

For b = 0,1: Wb := [ event that A(Wb) = 1 ]
AdvSS[A,E] := | Pr[W0] − Pr[W1] | ∈ [0,1]

(Slide annotation: “Always 1”)

Page 16: Secure PRF: An Alternate Interpretation

For b = 0,1 define experiment EXP(b) as:

[Diagram: Challenger (F) and Adversary; not transcribed.]

Def: PRF is a secure PRF if for all efficient A:

[advantage bound not transcribed]

Page 17: Secure MAC Game

Security goal: A cannot produce a valid tag on a message
  – Even if the message is gibberish

  1. Challenger: k = KeyGen(l)
  2. Adversary A: picks m1, ..., mq; sends m1, ..., mq
  3. Challenger: for each i computes ti = S(mi, k); sends t1, ..., tq
  4. Adversary A: picks m not in m1, ..., mq, generates t; sends (m, t)
  5. Challenger: b = V(m, t, k)

b ∈ {yes, no}; existential forgery if b = “yes”.

Page 18: Birthday Paradox Rule of Thumb

Given N possibilities, and random samples x1, ..., xj, Pr[xi = xj for some i ≠ j] ≈ 50% when j = N^(1/2).

Page 19: Generic attack on hash functions

Let H: M → {0,1}^n be a hash function (|M| >> 2^n).

Generic alg. to find a collision in time O(2^(n/2)) hashes.

Algorithm:
  1. Choose 2^(n/2) random messages in M: m1, …, m_(2^(n/2)) (distinct w.h.p.)
  2. For i = 1, …, 2^(n/2) compute ti = H(mi) ∈ {0,1}^n
  3. Look for a collision (ti = tj). If not found, go back to step 1.

How well will this work?
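The Page 19 algorithm and the Page 18 rule of thumb measured, as an added Python example that is not from the deck: H is modelled as SHA-256 truncated to n bits (an assumption for the demonstration; the algorithm is the slide’s), one function runs steps 1 to 3 in batches of 2^(n/2) messages, and another counts how often a single batch already contains a collision.

```python
import hashlib
import random

def h_trunc(msg: bytes, n: int) -> int:
    """H: M -> {0,1}^n, modelled as SHA-256 truncated to its top n bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n)

def collision_round(n: int, rng: random.Random):
    """One pass of steps 1-3: 2^(n/2) random messages, hash each, look for
    ti == tj. Returns (mi, mj) on a collision, or None if this batch had none."""
    seen = {}
    for _ in range(1 << (n // 2)):
        m = rng.getrandbits(64).to_bytes(8, "big")   # random message in M
        t = h_trunc(m, n)
        if t in seen and seen[t] != m:
            return seen[t], m
        seen[t] = m
    return None

def find_collision(n: int, seed: int = 1):
    """Repeat rounds until a collision appears (step 3's 'go back to step 1').
    Returns (mi, mj, rounds) so the cost in batches of 2^(n/2) hashes is visible."""
    rng = random.Random(seed)      # seeded so the run is reproducible
    rounds = 0
    while True:
        rounds += 1
        hit = collision_round(n, rng)
        if hit:
            return hit[0], hit[1], rounds

def collision_rate(n: int, batches: int, seed: int = 2) -> float:
    """Fraction of batches of exactly 2^(n/2) samples that contain a
    collision: an empirical check of the Page 18 rule of thumb."""
    rng = random.Random(seed)
    hits = sum(collision_round(n, rng) is not None for _ in range(batches))
    return hits / batches
```

With j = N^(1/2) samples the measured rate comes out near 39% (1 − e^(−1/2)); the 50% point is at j ≈ 1.18·N^(1/2), which is why the slide calls it a rule of thumb.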

Page 20: Brute Force

Online Brute Force Attack:
  input: hp = hash(password) to crack
  for each i in dictionary file:
    if (h(i) == hp) output success

Time Space Tradeoff Attack:
  precompute: h(i) for each i in dict file, stored in a hash tbl
  input: hp = hash(password)
  check if hp is in hash tbl (“rainbow tables”)

Page 21: Salts

Enrollment:
  1. compute hp = h(password + salt)
  2. store salt || hp

Verification:
  3. Look up salt in password file
  4. Check h(input || salt) == hp

What good is this for security, given that the salt is public?

Salt doesn’t increase security against online attack, but does make tables much bigger.
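Enrollment and verification from Page 21 next to the precomputed table from Page 20, as an added Python example that is not from the deck: SHA-256 stands in for h (an assumption; a real system would use a slow password hash), the dictionary is constructed, and the last function gives the table size a salt forces. Function names are mine.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> str:
    """Stand-in for the slide's h(): SHA-256. A deployment would use a slow,
    memory-hard password hash, but the salt logic is identical."""
    return hashlib.sha256(data).hexdigest()

def enroll(password: bytes, salt_len: int = 16) -> dict:
    """Steps 1-2: hp = h(password + salt); store salt || hp."""
    salt = secrets.token_bytes(salt_len)
    return {"salt": salt, "hp": h(password + salt)}

def verify(record: dict, attempt: bytes) -> bool:
    """Steps 3-4: look up the salt, recompute, compare in constant time."""
    return hmac.compare_digest(record["hp"], h(attempt + record["salt"]))

def precompute_table(dictionary) -> dict:
    """Page 20's time/space tradeoff: one hash per dictionary word, built once.
    It only answers lookups for h(word) computed without a salt."""
    return {h(w): w for w in dictionary}

def salted_table_entries(dict_size: int, salt_len: int) -> int:
    """Entries a precomputed table needs to cover every salt value: one row
    per (word, salt) pair, i.e. |dict| * 256^salt_len. The online check in
    verify() still costs one hash per guess, salt or no salt."""
    return dict_size * 256 ** salt_len

# Constructed toy dictionary, not real data.
DICTIONARY = [b"password", b"letmein", b"qwerty", b"dragon", b"sunshine"]
```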

Page 22: Authenticated Encryption

Page 23: Motivating Question: Which is Best?

Encryption key = kE; MAC key = kI

Option 1: SSL (MAC-then-encrypt)
  tag = S(kI, m); send E(kE, m || tag)
  [m | tag] → [ E(kE, m || tag) ]

Option 2: IPsec (Encrypt-then-MAC)
  c = E(kE, m); tag = S(kI, c); send c || tag
  [m] → [ E(kE, m) | tag ]

Option 3: SSH (Encrypt-and-MAC)
  c = E(kE, m); tag = S(kI, m); send c || tag
  [m] → [ E(kE, m) | tag ]

Page 24: Authenticated Encryption

An authenticated encryption system (E,D) is a cipher where

  As usual: E: K × M × N ⟶ C
  but D: K × C × N ⟶ M ∪ {⊥}, where ⊥ means “reject ciphertext as invalid”.

Security: the system must provide
  – Semantic security under CPA attack, and
  – ciphertext integrity. The attacker cannot create a new ciphertext that decrypts properly.

Page 25: CCA Game Definition

Let ENC = (E,D) over (K,M,C). For b ∈ {0,1}, define EXP(0) and EXP(1):

Chal.: k ← K

for i = 1, …, q the Adv. may issue:
  (1) CPA query: mi,0, mi,1 ∈ M with |mi,0| = |mi,1|; receives ci ← E(k, mi,b)
  (2) CCA query: ci ∈ C with ci ∉ {c1, …, ci−1}; receives mi ← D(k, ci)

Adv. finally outputs b’ ∈ {0,1}.

Ex: could query a changed ci.
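Option 2 of Page 23 implemented with the D: K × C × N → M ∪ {⊥} contract of Page 24, as an added Python example that is not from the deck: an HMAC-based CTR keystream stands in for E, HMAC-SHA256 is the S/V pair of Page 17, and a changed ciphertext (the Page 25 CCA query) decrypts to ⊥. Covering the nonce with the tag is my choice, and all names are mine.

```python
import hashlib
import hmac

TAG_LEN = 32

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xor(kE: bytes, nonce: bytes, data: bytes) -> bytes:
    """E (and D, since CTR is its own inverse): keystream from an HMAC-based PRF."""
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(kE, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return xor(data, out[:len(data)])

def mac_sign(kI: bytes, data: bytes) -> bytes:
    """S(kI, data): HMAC-SHA256 tag."""
    return hmac.new(kI, data, hashlib.sha256).digest()

def mac_verify(kI: bytes, data: bytes, tag: bytes) -> bool:
    """V(kI, data, tag), compared in constant time."""
    return hmac.compare_digest(mac_sign(kI, data), tag)

def ae_encrypt(kE: bytes, kI: bytes, nonce: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC (Page 23, option 2): c = E(kE, m); tag = S(kI, nonce || c).
    The nonce must be unique per message under a given kE."""
    c = ctr_xor(kE, nonce, m)
    return c + mac_sign(kI, nonce + c)

def ae_decrypt(kE: bytes, kI: bytes, nonce: bytes, ct: bytes):
    """D: K x C x N -> M ∪ {⊥}; None plays the role of ⊥. The tag is checked
    before any decryption, so a modified ciphertext never yields a plaintext."""
    if len(ct) < TAG_LEN:
        return None
    c, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not mac_verify(kI, nonce + c, tag):
        return None
    return ctr_xor(kE, nonce, c)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Single-bit change, used to exercise the reject path."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)
```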

Page 26: Public Key Cryptography

Page 27: Diffie-Hellman key exchange

  1. Alice: Pick a from [0, p−1)
  2. Bob: Pick b from [0, p−1)
  3. Alice → Bob: g^a mod p
  4. Bob → Alice: g^b mod p
  5. Bob: Compute (g^a)^b mod p as secret key
  6. Alice: Compute (g^b)^a mod p as secret key

Eve observes: g, g^a, g^b

Goal: compute a (or b) (i.e., calculate the discrete log) or compute g^ab

Page 28: MITM Adversary

As described, Diffie-Hellman is insecure against active Man In The Middle (MITM) attacks.

[Diagram: Alice — MITM — Bob]
  Alice → MITM: g^a mod p;   MITM → Bob: g^m mod p
  Bob → MITM: g^b mod p;     MITM → Alice: g^m mod p
  Alice computes g^ma mod p; Bob computes g^mb mod p
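The exchange of Page 27 and the substitution of Page 28, as an added Python example that is not from the deck: with toy parameters (p = 1019, a safe prime, g = 2; an assumption made for readability, far too small for real use) it derives the shared key honestly, then replays the run with g^m substituted for both public values and shows Alice and Bob holding different keys that the MITM both knows. Function names are mine.

```python
import secrets

# Toy parameters for illustration only: 1019 = 2 * 509 + 1 is a safe prime
# and 2 generates the whole group. Real deployments use 2048-bit or larger
# groups or elliptic curves; a group this small makes Eve's discrete log
# (Page 27) trivial.
P = 1019
G = 2

def keygen(p: int = P, g: int = G):
    """Steps 1-4: private exponent and public value. The slide picks a from
    [0, p-1); here 0 is skipped and values giving a public value of 1 or
    p-1 are redrawn (my choice) so the peer's range check always passes."""
    while True:
        a = secrets.randbelow(p - 2) + 1
        pub = pow(g, a, p)
        if 1 < pub < p - 1:
            return a, pub

def shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    """Steps 5-6: (g^b)^a = (g^a)^b = g^ab mod p, after a range check on the
    received value (0, 1 or p-1 would force a predictable secret)."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)

def honest_exchange(a: int, b: int, p: int = P, g: int = G):
    """Alice (a) and Bob (b) exchange g^a and g^b and derive the same key."""
    A, B = pow(g, a, p), pow(g, b, p)
    return shared_secret(a, B, p), shared_secret(b, A, p)

def mitm_exchange(a: int, b: int, m: int, p: int = P, g: int = G):
    """Page 28: the MITM replaces both public values with g^m. Alice derives
    g^(ma), Bob derives g^(mb), and the MITM holds both; nothing in the
    values themselves tells either party that a substitution happened."""
    A, B, M = pow(g, a, p), pow(g, b, p), pow(g, m, p)
    alice_key = shared_secret(a, M, p)        # Alice takes M for g^b
    bob_key = shared_secret(b, M, p)          # Bob takes M for g^a
    mitm_with_alice = shared_secret(m, A, p)
    mitm_with_bob = shared_secret(m, B, p)
    return alice_key, bob_key, mitm_with_alice, mitm_with_bob
```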

Page 29: Public Key Encryption

Def: a public-key encryption system is a triple of algorithms (G, E, D)
  • G(): randomized alg. outputs a key pair (pk, sk)
  • E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C
  • D(sk, c): deterministic alg. that takes c ∈ C and outputs m ∈ M or ⊥

Consistency: ∀(pk, sk) output by G: ∀m ∈ M: D(sk, E(pk, m)) = m

Note: Without randomization, an attacker can determine that E(pk, m1) = E(pk, m2) when m1 = m2.

Page 30: Semantic Security

For b = 0,1 define experiments EXP(b) (i.e., EXP(0) and EXP(1)):

  Chal.: (pk, sk) ← G(); sends pk to Adv. A
  Adv. A: sends m0, m1 ∈ M with |m0| = |m1|
  Chal.: c ← E(pk, mb); sends c
  Adv. A: outputs b’ ∈ {0,1}

Def: Enc = (G,E,D) is sem. secure (a.k.a. IND-CPA) if for all efficient A:

  AdvSS[A,Enc] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | < negligible

No query encryptions of messages. Why?

Page 31: Easy and Hard Problems

• Factoring
• Discrete Log
• Exponentiation

Page 32: Questions?

Page 33: END

Page 34: Thought