YHQL YLGL YLFL — J. Caesar
Cryptography
Andreas Zeller/Stephan Neuhaus
Lehrstuhl Softwaretechnik
Universität des Saarlandes, Saarbrücken
The Menu
• Symmetric Crypto
• Asymmetric Crypto (aka Public-Key)
• Hashes, MICs, and MACs
Cryptography
Terminology
Encryption transforms a message or plaintext into a cryptogram or ciphertext under the control of a key.
Plaintext will be denoted by $P$. Sometimes, plaintext is available in blocks or other units; those units are then denoted $P_j$ or $p_j$.
Same for ciphertext: $C$, $C_j$, or $c_j$.
Same for key: $K$, and (although this is unusual) $k_j$.
$$C = E_K(P); \quad P = D_K(C) \qquad c_j = E_K(p_j); \quad p_j = D_K(c_j)$$
Avoid subscript $k$; easily confused with subscript $K$.
Secret-Key and Public-Key
• In secret-key or symmetric cryptography, the participants share one key, which is used for encryption and decryption.
• Examples: DES, AES, IDEA, RC4, Blowfish, Twofish, ...
• In public-key or asymmetric cryptography, a participant’s key is split in two parts: one is public and is used for encryption, one is private and is used for decryption.
• Examples: RSA, Elgamal, ECC
Block Ciphers
A block cipher is a function that takes an $n$-bit key $K$ and an $m$-bit bit string $B$ and either encrypts or decrypts $B$ into an $m$-bit string $B'$.
The numbers $m$ and $n$ are usually fixed for each block cipher, but can vary between ciphers.

| Cipher | $n$ | $m$ |
|--------|-----|-----|
| DES | 56 | 64 |
| IDEA | 128 | 64 |
| AES | varies | varies |
| RSA | varies | varies |

With AES, you can choose $m$ and $n$ independently from $\{128, 160, 192, 224, 256\}$.
Properties Of a Good Block Cipher
Two (of many) statistical properties (called “cascading” properties):
• Change one key bit and about half of the output bits will change.
• Change one plaintext bit and about half of the output bits will change.
One cryptanalytic property: There is no way to find an unknown key except by trying all keys in some order and stopping when the correct one has been found.
That’s a bit difficult to attain in practice, because we can’t see into the future!
Stream Ciphers
A stream cipher is a function that takes an $n$-bit key and a (potentially infinite) bit stream as input and produces a (potentially infinite) bit stream as output.
In practice, the input and output bits are grouped into larger blocks, but it’s still not a block cipher because encryption of block $j$ depends on the encryptions of blocks 1 through $j - 1$.
Most stream ciphers work by taking the key $K$ and generating a stream of key bits (or blocks) $k_j$ from it, and then setting
$$c_j \leftarrow m_j \oplus k_j.$$
Decryption then generates the same key stream from $K$ and computes $m_j = c_j \oplus k_j$. Some stream ciphers calculate $k_j$ from $k_{j-1}$ and $m_{j-1}$.
Electronic Codebook Mode (ECB)
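[Figure: ECB mode. Encryption: plaintext blocks P1 and P2 each pass through E under key K to give C1 and C2. Decryption: C1 and C2 each pass through D under key K to give P1 and P2.]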
Problems with ECB
A salary database contains salary records encrypted with a 64-bit block cipher in ECB mode.
Trudy knows her own record in plaintext; all the others are just ciphertext:

| Type | Person | Contents |
|------|--------|----------|
| Plain | Trudy | `Trudy $20,000 Progr` |
| Cipher | Trudy | `a67sj*7k2mlz8m/>suwopslg` |
| Cipher | Boss | `kdndsuye;hfd7as/8endfuah` |

Trudy wants to earn as much as her boss:

`a67sj*7k;hfd7as/suwopslg`
Other Problems With ECB

| Person | Record |
|--------|--------|
| Trudy | `a67sj*7k2mlz8m/>suwopslg` |
| Boss | `kdndsuye;hfd7as/8endfuah` |
| CEO | `asoiwq34;hfd7as/kjsd9kjq` |
| Janitor | `epxn7mn-2mlz8m/>-m,39j,s` |
| Alice | `kmeqw9ks;hfd7as/suwopslg` |

Identical plaintext blocks lead to identical ciphertext blocks.
This makes it possible to find all employees with the same salary as employee X ... without breaking the encryption scheme.
Cipher Block Chaining (CBC)
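[Figure: CBC mode. Encryption: P1, P2 and P3 are encrypted with E under key K into C1, C2 and C3, starting from the IV. Decryption: C1, C2 and C3 are decrypted with D under key K back into P1, P2 and P3.]
The “IV” is a random initialization vector that is sent unencrypted with the message.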
Features of CBC
If a ciphertext block is modified during the encryption, this will affect only two decrypted plaintext blocks (see exercises).
If ciphertext bits (not blocks!) are deleted or added, it will affect the rest of the message (will come out as garbage as long as block synchronization is lost).
In most cases, security is not weakened by choosing a constant IV for each message, but there are exceptions (see exercises).
Problems With CBC (1)
Assume the plaintext is “Trudy R&D $20000 ”
The character 2 has the bit representation 00110010. 3 is 00110011. Can Trudy force this single bit to change?
[Figure: CBC decryption of C1, C2 and C3 into P1, P2 and P3 with D under key K and the IV. Labels: “Trudy flips bit” (C1), “Garbage” (P1), “Bit flipped” (P2).]
If Trudy flips the last bit of $C_1$, block 1 will decrypt as garbage, but $C_2$ will decrypt as `R&D $2` ⊕ 1 = `R&D $3`, a 50% increase in Trudy’s salary!
Problems With CBC (2)
In CBC, $p_i = c_{i-1} \oplus D_K(c_i)$ where $c_0$ is the IV. Hence, $D(c_i) = c_{i-1} \oplus p_i$.
Therefore, if you know all the plaintext blocks and all the ciphertext blocks, you can rearrange the ciphertext blocks and know what the new encrypted message will decrypt to.

| Arrangement | Decryption |
|-------------|------------|
| $c_0 \mid c_1 \mid c_2 \mid c_3$ | $p_1 \mid p_2 \mid p_3$ |
| $c_1 \mid c_0 \mid c_2 \mid c_3$ | $c_1 \oplus D(c_0) \mid c_0 \oplus D(c_1) \mid p_3$ |
| $c_0 \mid c_1 \mid c_2 \mid c_2$ | $p_1 \mid p_2 \mid c_2 \oplus D(c_2) = p_3 \oplus D(c_3) \oplus D(c_2)$ |

It is improbable that rearranged messages will decrypt to something useful, but it’s still a threat.
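
The ECB and CBC problems from the slides above (salary-block substitution, equal-block leakage, the single-bit flip in C1, and predictable rearrangement), as an added example that is not part of the original slides. The 64-bit Feistel cipher built from SHA-256 is a toy stand-in for E and D, and the key, IV and records are constructed sample values.

```python
import hashlib

BS = 8                          # 64-bit blocks, as in the salary-database slides
KEY = b"constructed-demo-key"   # constructed sample key
IV = bytes(range(BS))           # constructed; fixed only so the run is reproducible

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (a stand-in, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def E(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def D(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def rec(*fields):
    # Pad every field with spaces to exactly one 8-byte block.
    return b"".join(f.ljust(BS) for f in fields)

def ecb_encrypt(key, pt):
    return b"".join(E(key, b) for b in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(D(key, b) for b in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = E(key, xor(b, prev))        # c_i = E_K(p_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))   # p_i = c_{i-1} xor D_K(c_i)
        prev = c
    return b"".join(out)

# Constructed records: name, salary, job, one block each.
RECORDS = {
    "Trudy": rec(b"Trudy", b"$20,000", b"Progr."),
    "Boss": rec(b"Boss", b"$90,000", b"Manager"),
    "Alice": rec(b"Alice", b"$90,000", b"Progr."),
}
ECB_DB = {name: ecb_encrypt(KEY, r) for name, r in RECORDS.items()}

def ecb_splice(db):
    """Boss's salary block copied into Trudy's record; built without the key."""
    forged = db["Trudy"][:8] + db["Boss"][8:16] + db["Trudy"][16:]
    return ecb_decrypt(KEY, forged)        # what the database owner then reads

def ecb_same_salary(db, who):
    """Names whose ciphertext salary block equals that of `who`."""
    return sorted(n for n, c in db.items() if n != who and c[8:16] == db[who][8:16])

def cbc_bitflip():
    """Flip the last bit of C1, then decrypt: P1 is garbage, P2 differs in one bit."""
    ct = bytearray(cbc_encrypt(KEY, IV, rec(b"Trudy", b"R&D".ljust(6) + b"$2", b"0000")))
    ct[BS - 1] ^= 0x01
    return cbc_decrypt(KEY, IV, bytes(ct))

def cbc_rearranged(order):
    """Predict, without the key, what c[order[0]] | c[order[1]] | ... decrypts to.

    c[0] is the IV. Uses D(c_j) = c_{j-1} xor p_j, which is computable for
    j >= 1 from known plaintext, so entries after the first must be >= 1.
    Returns (predicted, actual) so the two can be compared.
    """
    p = [None] + blocks(b"block-01block-02block-03")
    c = [IV] + blocks(cbc_encrypt(KEY, IV, b"".join(p[1:])))
    predicted = b"".join(xor(c[a], xor(c[b - 1], p[b]))
                         for a, b in zip(order, order[1:]))
    actual = cbc_decrypt(KEY, c[order[0]], b"".join(c[i] for i in order[1:]))
    return predicted, actual

if __name__ == "__main__":
    print(ecb_splice(ECB_DB), ecb_same_salary(ECB_DB, "Boss"))
    print(cbc_bitflip()[BS:])
    print(cbc_rearranged([0, 1, 2, 2]))
```

None of the four manipulations touches the key, which is why encryption alone does not give integrity; a MAC over the IV and ciphertext is the usual check.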
Feedback Modes (CFB, OFB)
[Figure: CFB and OFB feedback modes. Labels: IV, K, E, discard, m1, c1, m2, c2, CFB, OFB; all data paths are k bits wide.]
Feedback Modes Explained
OFB and CFB generate a one-time pad consisting of pseudo-random numbers from an IV and a key: $c_i = p_i \oplus k_i$, where $k_i$ is the key stream generated by the IV and $K$.

| OFB | CFB |
|-----|-----|
| Uses only key and IV to generate key stream | Also uses message |
| Encryption pad can be computed beforehand | Must wait for plaintext |
| Can generate ciphertext as fast as the plaintext appears | Can generate ciphertext as fast as plaintext appears if block sizes match |
Effect of Transmission Errors and Attacks
| Error | OFB Decryption | CFB Decryption |
|---|---|---|
| Garbled bits | Garbles rest of message | Garbles only these bits |
| Added ciphertext | Garbles rest of message | Will re-synchronize |

If Trudy knows the one-time pad, she can alter the ciphertext to say anything she wants:
Since $p_i = c_i \oplus k_i$, we must substitute $p'_i \oplus k_i$ for $c_i$ if we want the $i$-th ciphertext character to decrypt to $p'_i$.
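The substitution above as runnable Python, next to the MIC check that detects it. This is an added example, not code from the slides; the truncated HMAC-SHA256 stand-in for E, the keys, the all-zero IV and both messages are constructed for illustration, and the pad is assumed known, as on the slide.

```python
import hashlib
import hmac

BLOCK = 16  # bytes of key stream per call to E


def E(key, block):
    """Stand-in for the block cipher E (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_pad(key, iv, length):
    """OFB key stream k_i: E's output is fed back, so only K and IV matter."""
    pad, state = b"", iv
    while len(pad) < length:
        state = E(key, state)
        pad += state
    return pad[:length]


def ofb_crypt(key, iv, data):
    """c_i = p_i XOR k_i; applying it to the ciphertext decrypts."""
    return xor(data, ofb_pad(key, iv, len(data)))


def substitute(pad, wanted):
    """The substitution from the slide: send p'_i XOR k_i in place of c_i."""
    return xor(wanted, pad)


def seal(enc_key, mac_key, iv, plaintext):
    """Encrypt, then compute a MIC (here HMAC-SHA256) over IV and ciphertext."""
    ciphertext = ofb_crypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(enc_key, mac_key, iv, ciphertext, tag):
    """Check the MIC before decrypting; reject modified ciphertext."""
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MIC mismatch: ciphertext was modified in transit")
    return ofb_crypt(enc_key, iv, ciphertext)


# Constructed sample values (a real session uses random keys and a random IV).
ENC_KEY, MAC_KEY, IV = b"E" * 16, b"M" * 16, bytes(16)
ORIGINAL = b"PAY 0001 TO ALICE"
WANTED = b"PAY 9999 TO TRUDY"

if __name__ == "__main__":
    ciphertext, tag = seal(ENC_KEY, MAC_KEY, IV, ORIGINAL)
    altered = substitute(ofb_pad(ENC_KEY, IV, len(WANTED)), WANTED)
    # Without a MIC the receiver has no way to notice the change.
    print("without MIC:", ofb_crypt(ENC_KEY, IV, altered))
    try:
        unseal(ENC_KEY, MAC_KEY, IV, altered, tag)
    except ValueError as err:
        print("with MIC:   ", err)
```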
Counter Mode (CTR)
[Figure: CTR diagram. Labels: key K, block cipher E, counter inputs IV, IV+1, IV+2, k-bit paths, discarded output bits, message blocks m1, m2, m3, ciphertext blocks c1, c2, c3.]
Key stream can again be precomputed (like OFB) and decryption can start at any point (not just at the beginning).
Advice
| Encrypt What | Recommendation |
|---|---|
| Files | CBC with a random IV (especially if you want to access the file non-sequentially). Also use a good Message Integrity Code (MIC) in order to detect modification of the ciphertext. |
| Net Sessions | CFB or OFB with a random IV or native stream cipher like RC4. Protect each packet with a MIC. |
| Short Database Fields | CBC with random IV and MIC. |
| Encryption Keys | ECB with MIC. |
Advice on Algorithms and Key Sizes
Do not use DES (key size too short).
If you must use DES (and only then), do use 3DES (using three keys of 56 bits) or 2Key-3DES (using only two). Both(!) have an effective key size of 112 bits.
Do not just encrypt twice with DES to get longer keys!
Do choose key sizes of at least 112 bits.
Do use one of these algorithms; they are probably OK: IDEA, AES, RC4, RC5, Blowfish, Twofish.
Do not deploy any algorithm without checking whether it has been broken in the meantime. It happens.
More Advice on Algorithms
Do not use these ciphers; they are broken: GDES, DESX (and most other DES variants), Bass-O-Matic, Khufu, Khafre, FEAL, Akelarre, SPEED, Enigma 2000, JEL, StreamBuddy, and many, many more.
N.B.: DES is an excellent cipher; it has withstood about 30 years of cryptanalysis. The best way of attacking DES is brute force. The problem with DES is that brute force is too easy.
Why Isn’t He Showing Source Code?
Never roll your own crypto algorithms!
It’s very, very difficult to create a good crypto algorithm. Without proper education (and probably years of experience), you can’t do it. The ciphertext might look “random” to you, but an experienced cryptographer can probably break it.
Never write your own crypto code!
Even when using algorithms that are known to be good, it’s still bloody difficult to write correct crypto code.
Example: I’ve seen an application that fed the plaintext back instead of the ciphertext, turning CFB into “PFB”, which exposes patterns in the input. (Code change: one identifier.)
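The one-identifier slip described above, reproduced on a constructed plaintext as an added example (not code from the slides or from the application mentioned). Truncated HMAC-SHA256 stands in for the block cipher E, feedback is full-block, and the key, IV and record layout are assumptions.

```python
import hashlib
import hmac

BLOCK = 16  # full-block feedback (k equals the block size)


def E(key, block):
    """Stand-in for the block cipher E (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb_encrypt(key, iv, plaintext):
    out, register = [], iv
    for p in blocks(plaintext):
        c = xor(p, E(key, register))
        out.append(c)
        register = c  # correct: the ciphertext block is fed back
    return b"".join(out)


def pfb_encrypt(key, iv, plaintext):
    out, register = [], iv
    for p in blocks(plaintext):
        c = xor(p, E(key, register))
        out.append(c)
        register = p  # the bug: one identifier, p instead of c
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext):
    out, register = [], iv
    for c in blocks(ciphertext):
        out.append(xor(c, E(key, register)))
        register = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Count ciphertext blocks equal to an earlier block; a pattern leak if > 0."""
    seen = blocks(ciphertext)
    return len(seen) - len(set(seen))


# Constructed input: a header, six blank 16-byte records, a trailer.
KEY, IV = b"K" * 16, bytes(range(16))
PLAINTEXT = b"HEADER v1 ------" + bytes(16) * 6 + b"------ TRAILER #"

if __name__ == "__main__":
    good = cfb_encrypt(KEY, IV, PLAINTEXT)
    bad = pfb_encrypt(KEY, IV, PLAINTEXT)
    # With plaintext feedback, every blank record that follows a blank record
    # is XORed with the same E(K, blank) and so encrypts identically.
    print("CFB repeated ciphertext blocks:", repeated_blocks(good))
    print("PFB repeated ciphertext blocks:", repeated_blocks(bad))
```

Encrypting a run of identical blocks and requiring zero repeated ciphertext blocks is a cheap regression test for a mode implementation, although passing it says nothing about the cipher underneath.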
Shortest Possible Intro to Public Key
• A public key pair consists of a public encryption key $e$ and a private decryption or signature key $d$ that can’t easily be computed from $e$.
• Each key defines a function associated with that key. For the key pair belonging to Alice, we’ll write $\{\cdot\}_{\text{Alice}}$ for the public encryption function and $[\cdot]_{\text{Alice}}$ for the private decryption function.
• For every message $M$ in the domain of $\{\cdot\}_{\text{Alice}}$, we have $[\{M\}_{\text{Alice}}]_{\text{Alice}} = M$ (if $\{M\}_{\text{Alice}}$ is in the domain of $[\cdot]$), and for every message $M'$ in the domain of $[\cdot]_{\text{Alice}}$, we have $\{[M']_{\text{Alice}}\}_{\text{Alice}} = M'$.
• It is not necessary that $\{M\}_{\text{Alice}}$ be in the domain of $[\cdot]_{\text{Alice}}$. (Signature without encryption.)
Best Known Public-Key Algorithm: RSA
“The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.” Bill Gates, The Road Ahead
RSA works because it is difficult (under certain circumstances) to factor large numbers that are the product of two large primes. We think.
RSA is a variable-length block cipher, where it makes no sense to employ any mode other than ECB!
There are crypto libraries out there that are so orthogonal that they allow you to specify RSA with CBC, but that’s nonsense!
It’s even more important than in the case with symmetric crypto not to write your own RSA package, because there are even more things that can go wrong when you don’t do it right.
RSA Key Generation
The number of positive integers that are relatively prime to some positive integer $x$ (and less than it) is written $\varphi(x)$, aka Euler’s Totient Function.
RSA works because of one of Euler’s theorems which says that $a^{\varphi(n)} \equiv 1 \pmod{n}$ if $\gcd(a, n) = 1$.
Let $p$ and $q$ be two different odd primes. Let $n = pq$. We have $\varphi(n) = (p - 1)(q - 1)$. Choose $e$ such that $\gcd(e, p - 1) = 1$ and $\gcd(e, q - 1) = 1$. Note that this means that $\gcd(e, \varphi(n)) = 1$.
Compute $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$.
The public key is $(e, n)$; the private key is $(d, n)$.
Some choices of p and q are better than others! Beware!
RSA Encryption/Decryption
To encrypt a message $0 < P < n$, compute $C = P^e \bmod n$. To decrypt a message, compute $P' = C^d \bmod n$.
$C^d \equiv (P^e \bmod n)^d \equiv P^{ed} \equiv P^{k\varphi(n)+1} \equiv P^{k\varphi(n)} \cdot P \equiv P \pmod{n}.$
When $P$ is a multiple of $p$ or $q$, things also work out. (Having $P = kp$ would expose $p$, because $\gcd(P^e \bmod n, n) = p$, but that is just as likely as correctly guessing $p$ or $q$.)
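Key generation and the encryption/decryption identity carried through with small numbers, as an added example that is not part of the original slides. The textbook-sized primes p = 61, q = 53 and e = 17 are assumptions chosen so every value can be checked by hand; real keys come from a vetted library.

```python
from math import gcd, isqrt


def is_prime(m):
    return m > 1 and all(m % i for i in range(2, isqrt(m) + 1))


def generate_key(p, q, e):
    """Key generation as on the slide; returns ((e, n), (d, n))."""
    if p == q or 2 in (p, q) or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be two different odd primes")
    if gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("e must satisfy gcd(e, p-1) = gcd(e, q-1) = 1")
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # ed = 1 (mod phi(n)); modular inverse needs Python 3.8+
    return (e, n), (d, n)


def encrypt(P, public):
    e, n = public
    if not 0 < P < n:
        raise ValueError("message must satisfy 0 < P < n")
    return pow(P, e, n)


def decrypt(C, private):
    d, n = private
    return pow(C, d, n)


def euler_multiple(e, d, p, q):
    """The k in ed = k*phi(n) + 1 used in the correctness derivation."""
    k, remainder = divmod(e * d, (p - 1) * (q - 1))
    assert remainder == 1
    return k


def roundtrip_failures(public, private):
    """Every P in 1..n-1 that does not decrypt to itself (expected: none),
    including the multiples of p and q where Euler's theorem does not apply."""
    n = public[1]
    return [P for P in range(1, n) if decrypt(encrypt(P, public), private) != P]


def exposed_factor(P, public):
    """gcd(P^e mod n, n): 1 for ordinary P, a prime factor if P = kp or kq."""
    return gcd(encrypt(P, public), public[1])


if __name__ == "__main__":
    public, private = generate_key(61, 53, 17)
    print("public key (e, n): ", public)
    print("private key (d, n):", private)
    print("k in ed = k*phi + 1:", euler_multiple(17, private[0], 61, 53))
    print("round-trip failures:", roundtrip_failures(public, private))
    print("gcd for P = 2*61:   ", exposed_factor(2 * 61, public))
```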
RSA Pitfalls: Small Encryption Exponent
You want to send a message $P$ to three participants with public keys $(3, n_1)$, $(3, n_2)$, and $(3, n_3)$. Encryption is:
$C_j = P^3 \bmod n_j$ for $1 \le j \le 3$.
By the Chinese Remainder Theorem, we can compute some $x$ with $C_j = x \bmod n_j$ ($1 \le j \le 3$), if the $n_j$ are pairwise relatively prime (very likely).
This $x$ is unique modulo $n_1 n_2 n_3$. We compute the smallest nonnegative such $x$.
Since $P < n_j$ for $1 \le j \le 3$, we have $x = P^3$.
$\Longrightarrow$ Compute $x$, take cube root, get $P$.
Solution: Choose $e = 65537$.
RSA Pitfalls: No Padding/Small Message
If $e = 3$ (many still are!), and if the message $P$ is so small that $P^3 < n$, then you can simply take the $e$-th root of the ciphertext to get $P$ back.
Most messages are indeed small (112-bit or 128-bit encryption keys, for example), where there’s a chance that this will happen.
Solution: Pad the message on the left with nonzero (or random) bits, such that $P^e > n$.
These are just two of the easier pitfalls. There are many more (for example, the exact form of the factors $p$ and $q$ etc.). Therefore:
Never roll your own RSA routines!
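An added illustration (not from the slides) of the small-message pitfall and the left-padding fix, using textbook RSA on Python integers. The modulus, the 128-bit session key and all helper names are constructed for this example; the padding is the slide's ad-hoc scheme, whereas library code would use OAEP.

```python
import secrets

# Constructed modulus: two public special-form primes, used only so the demo
# needs no prime generation. Both are 2 mod 3, so e = 3 is a valid exponent.
P_PRIME = 2**448 - 2**224 - 1
Q_PRIME = 2**384 - 2**128 - 2**96 + 2**32 - 1
N = P_PRIME * Q_PRIME
E = 3
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))  # private exponent
KEY_BITS = 128  # size of the session key being wrapped


def iroot(x, e):
    """Integer e-th root of x by binary search; returns (root, is_exact)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** e == x


def encrypt_raw(m):
    """Textbook RSA: no padding, just m^e mod n."""
    if not 0 <= m < N:
        raise ValueError("message must be in [0, n)")
    return pow(m, E, N)


def wraps_modulus(m):
    """True when m^e >= n, i.e. the reduction mod n actually happens."""
    return m ** E >= N


def pad_left(key):
    """The slide's fix: random bits on the left, top bit forced to 1."""
    pad_bits = N.bit_length() - 1 - KEY_BITS
    pad = secrets.randbits(pad_bits) | (1 << (pad_bits - 1))
    return (pad << KEY_BITS) | key


def unpad(padded):
    """Strip the left padding, keeping the low KEY_BITS bits."""
    return padded & ((1 << KEY_BITS) - 1)


def demo():
    key = secrets.randbits(KEY_BITS) | 1  # constructed 128-bit session key
    # Unpadded: key^3 has at most 384 bits, far below the 832-bit modulus,
    # so the ciphertext is the plain integer key^3 and its cube root is exact.
    raw_root, raw_exact = iroot(encrypt_raw(key), E)
    # Padded: the cube exceeds n, the reduction scrambles it, no exact root.
    padded = pad_left(key)
    c_pad = encrypt_raw(padded)
    _, pad_exact = iroot(c_pad, E)
    return {
        "key": key,
        "raw_wraps": wraps_modulus(key),
        "raw_root": raw_root,
        "raw_exact": raw_exact,
        "padded_wraps": wraps_modulus(padded),
        "padded_exact": pad_exact,
        "decrypted": unpad(pow(c_pad, D, N)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `wraps_modulus` check is the condition $P^e > n$ from the slide; a caller that sees it return `False` is about to emit a ciphertext that needs no key to invert.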
RSA Pitfalls: Timing Attacks
If you implement $x^a \bmod n$, you’ll very probably use a technique that doesn’t always take the same time for every $a$.
Some of the most common multiplication algorithms can be exploited simply by measuring how long it takes to compute $x^a \bmod n$ when $a$ isn’t known.
That way, $a$ (or even some bits of $a$) can be recovered indirectly.
Therefore:
Never roll your own RSA routines!
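An added illustration (not from the slides) of where the timing difference comes from: plain square-and-multiply performs one extra modular multiplication per 1-bit of the exponent, while a Montgomery ladder performs the same two per bit regardless of its value. The modulus, base and exponents are constructed, and operations are counted rather than timed so the result is reproducible.

```python
MODULUS = 2**255 - 19  # constructed odd modulus, stands in for n
BASE = 0x1234567       # constructed x


def square_and_multiply(x, a, n):
    """Left-to-right binary exponentiation.

    Returns (x^a mod n, number of modular multiplications performed).
    The multiply step runs only for 1-bits, so the count depends on a.
    """
    result, mults = 1, 0
    for bit in bin(a)[2:]:
        result = result * result % n
        mults += 1
        if bit == "1":
            result = result * x % n
            mults += 1
    return result, mults


def montgomery_ladder(x, a, n, bits):
    """Exponentiation with a fixed schedule: two multiplications per bit.

    Invariant: r1 == r0 * x (mod n). Note that Python's big-integer
    arithmetic and the branch below are themselves not constant-time;
    this shows the operation count only.
    """
    r0, r1, mults = 1, x % n, 0
    for i in reversed(range(bits)):
        if (a >> i) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        mults += 2
    return r0, mults


def compare(bits=256):
    """Operation counts for a sparse and a dense exponent of equal length."""
    sparse = 1 << (bits - 1)   # Hamming weight 1
    dense = (1 << bits) - 1    # Hamming weight `bits`
    rows = {}
    for name, a in (("sparse", sparse), ("dense", dense)):
        r_sm, m_sm = square_and_multiply(BASE, a, MODULUS)
        r_ml, m_ml = montgomery_ladder(BASE, a, MODULUS, bits)
        rows[name] = {
            "correct": r_sm == r_ml == pow(BASE, a, MODULUS),
            "square_and_multiply": m_sm,
            "ladder": m_ml,
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

For a 256-bit exponent the first routine ranges from 257 to 512 multiplications depending on the secret, which is the signal a stopwatch picks up; maintained libraries combine fixed schedules with constant-time arithmetic and blinding.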
MACs and MICs
They are cryptographic checksums:
• They map an arbitrarily long byte sequence to a fixed (and usually rather small) number of bytes.
• Given a checksum, it is infeasible to find a message that has this checksum.
• Given a message, it is infeasible to find another message with the same checksum.
• They depend on a key such that the checksum will be different when different keys are used and that the checksum can’t be predicted without knowing the key.
All but the last requirement are also required of hash functions.
Computing a MAC: CBC Residue
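[Figure: CBC chaining over P1 and P2 with block cipher E, key K and initialization vector IV; intermediate block C1, final output labelled MAC.]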
Privacy And Integrity (1)
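Can we get encryption and integrity protection at the same time?
[Figure: CBC encryption of P1 and P2 with block cipher E, key K and initialization vector IV; outputs labelled C1, C2 and MAC.]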
Privacy And Integrity (2)
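[Figure: CBC encryption of P1 and P2 with block cipher E, key K and initialization vector IV, giving C1 and C2; a further E block under K with input C2 has its output labelled MAC.]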
Privacy And Integrity (3)
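[Figure: CBC encryption of P1 and P2 with block cipher E, key K and initialization vector IV, giving C1 and C2; a further E block under K with input CRC has its output labelled MAC.]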
The Moral
You might be able to get integrity and privacy protection in one pass over the data, but how to do that is still under active research.
Your best bet will be to do two passes over the data; the first pass should compute a hash (or keyed hash; later), and the second pass should encrypt.
If you use a hash function, the hash should be encrypted, too. A keyed hash can be transmitted in the clear, if the keys used for hashing and encryption are different.
Do not try to take shortcuts in crypto!
Cryptographic Hash Functions
Cryptographic hash functions have the following properties:
• They map an arbitrarily long byte sequence to a fixed (and usually rather small) number of bytes, called a hash or message digest.
• Given a checksum, it is infeasible to find a message that has this checksum.
• Given a message, it is infeasible to find another message with the same checksum.
Note that it cannot be impossible to find collisions, because of the pigeonhole principle: If you have infinitely many messages, but only finitely many hashes, some messages must hash to the same value.
How Infeasible is Finding a Collision?
Let’s say the hash function is cryptographically strong, but I still want to crack it. I follow the following algorithm:
1. Set $S \leftarrow \emptyset$.
2. Generate a new, random message $m$ and its hash $h(m)$.
3. If $(m, h(m)) \in S$, terminate the algorithm. Otherwise, set $S \leftarrow S \cup (m, h(m))$ and repeat step 2.
How often will step 2 have to be executed before the algorithm terminates? (We may assume that the messages that are generated contain no duplicates.)
Collision Probability (1)
Assume that the hash function maps messages to $n$-bit digests. We model the problem of finding a collision as follows:
We have an urn containing $2^n$ numbered balls. We draw balls from the urn, note the number on them and replace them. How often must we draw balls before a number appears that is already on our list?
What’s the probability that the first $k$ draws are all distinct? Set $N = 2^n$.
$$P(k) = \frac{N}{N} \cdot \frac{N-1}{N} \cdots \frac{N-k+1}{N} = \prod_{j=0}^{k-1} \left(1 - \frac{j}{N}\right)$$
Now we want to know the first $k$ for which $P(k) < 0.5$.
Collision Probability (2)
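$$\prod_{j=0}^{k-1} \left(1 - \frac{j}{N}\right) < \left(\frac{1}{k} \sum_{j=0}^{k-1} \left(1 - \frac{j}{N}\right)\right)^k = \left(1 - \frac{k-1}{2N}\right)^k \approx \left(1 - \frac{k}{2N}\right)^k < \exp(-k^2/2N).$$
To find $k$ for which $P(k) < 0.5$, we solve $\exp(-k^2/2N) < 0.5$ for $k$ to yield $k > \lambda\sqrt{N}$ where $\lambda = \sqrt{2 \ln 2} \approx 1.18$.
If $N = 2^n$, and if $n$ is even, $\sqrt{N} = 2^{n/2}$. We’ll leave out the factor of $\lambda$ (since it’s so close to 1).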
Collision Probability (3)
For an $n$-bit hash, we have to hash about $2^{n/2}$ messages before we can expect a collision with probability at least 1/2.
That means that
Any hash function that has less than 128 bits of hash should be considered insecure and weak and should not be used.
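An added check of the $\lambda\sqrt{N}$ estimate (not from the slides): it evaluates the product $P(k)$ exactly and runs the search loop from the earlier slide against SHA-256 truncated to $n$ bits, stopping when a digest repeats. The truncation, the message format and the function names are constructed for this example.

```python
import hashlib
import math
import statistics


def truncated_hash(msg, n_bits):
    """SHA-256 cut down to its top n_bits bits: a constructed n-bit hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def first_k_below_half(big_n):
    """Smallest k with P(k) = prod_{j<k} (1 - j/N) < 0.5, computed exactly."""
    p, k = 1.0, 0
    while p >= 0.5:
        p *= 1 - k / big_n  # p now equals P(k + 1)
        k += 1
    return k


def draws_until_collision(n_bits, seed):
    """Hash distinct messages until a digest repeats.

    Returns (number of messages hashed, earlier message, colliding message).
    Messages are "<seed>:<counter>", so no message is generated twice.
    """
    seen = {}
    counter = 0
    while True:
        msg = f"{seed}:{counter}".encode()
        h = truncated_hash(msg, n_bits)
        counter += 1
        if h in seen:
            return counter, seen[h], msg
        seen[h] = msg


def median_draws(n_bits, trials):
    """Median number of hashes needed over several independent searches."""
    return statistics.median(
        draws_until_collision(n_bits, seed)[0] for seed in range(trials)
    )


def report(n_bits=16, trials=200):
    big_n = 2 ** n_bits
    return {
        "lambda_sqrt_N": math.sqrt(2 * math.log(2) * big_n),
        "exact_first_k": first_k_below_half(big_n),
        "measured_median": median_draws(n_bits, trials),
    }


if __name__ == "__main__":
    print(report())
```

With $n = 16$ all three figures land near 300 hashes; each extra two bits of digest doubles the work, which is why a 128-bit digest leaves a collision search at about $2^{64}$ hashes.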
Well-Known Hash Functions
For some reason, it seems to be easier to create good hash functions than to create good encryption schemes. Some good hash functions are:

| Name | Bits | Comment |
|---|---|---|
| MD5 | 128 | Less fast than predecessor MD4 (*) |
| SHA-1 | 160 | Standard (*) |
| RIPEMD-160 | 160 | |

(*) Length limited to be less than $2^{64}$ bits; but “If you can’t say something in $2^{64}$ bits, you probably shouldn’t say it at all”.
If we could hash one Terabyte per second (which we can’t), hashing the entire $2^{64}$ bits would take about 550,000 years to compute.
Computing MACs With Hashes
A hash function is collision resistant, so we can compute hash(m) for a message m and send that as the MAC.
No, we can’t, because of the fourth requirement for MACs:
They depend on a key such that the checksum will be different when different keys are used and that the checksum can’t be predicted without knowing the key.
How can we add a key to the message digest algorithm?
MACs With Hashes And Keys (1)
Alice and Bob agree on a shared secret $K_{AB}$. If Alice sends a message $m$ to Bob, she concatenates $K_{AB}$ and $m$ and sends hash($K_{AB}|m$) as the MAC.
This way, the message digest depends on the secret and Eve cannot send a message that will be accepted as authentic.
Wrong.
The key to the attack is that it’s possible to compute hash($x|y$) if you know hash($x$) and $y$.
That means that if Eve sees hash($K_{AB}|m$), she can compute
hash($K_{AB}|m|$Romeo must die)
MACs With Hashes And Keys (2)
Solution: HMAC, which is becoming the standard MAC.
HMAC is provably “secure” if the underlying hash algorithm is “secure”:
• It has collision resistance; and
• if the attacker doesn’t know the key K, he cannot compute MAC(K,x) even if he sees arbitrarily many MAC(K,y) values.
HMAC
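[Figure: HMAC construction. The key, padded with 0, is combined with Const1 and hashed together with the message; that result is combined with the padded key and Const2 and hashed again, giving HMAC(Key, Message).]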
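An added example (not from the slides) covering both the hash($K_{AB}|m$) failure and the HMAC fix: a constructed toy iterated hash shows why knowing hash($x$) lets anyone continue to hash($x|y$), and the same continuation is then rejected by HMAC built over that hash. The toy compression function, key and messages are made up; Const1 and Const2 are taken to be RFC 2104's ipad (0x36) and opad (0x5C) bytes.

```python
import hashlib
import hmac

BLOCK = 64       # bytes per block, as in MD5, SHA-1 and SHA-256
IV = bytes(16)   # toy initial state


def compress(state, block):
    """Toy compression function (constructed): 16-byte state, 64-byte block."""
    return hashlib.sha256(state + block).digest()[:16]


def md_pad(total_len):
    """Iterated-hash padding: 0x80, zeros, then the 64-bit message bit length."""
    zeros = (-(total_len + 1 + 8)) % BLOCK
    return b"\x80" + bytes(zeros) + (8 * total_len).to_bytes(8, "big")


def md_hash(msg, state=IV, prior_len=0):
    """Iterated hash. The digest IS the final state, so (state, prior_len)
    lets anyone resume hashing where a previous digest stopped."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def naive_mac(key, msg):
    """The broken scheme from the slide: hash(K | m)."""
    return md_hash(key + msg)


def continue_from_tag(tag, key_len, msg, suffix):
    """Continue a digest without the key: needs only tag, len(key) and msg."""
    glue = md_pad(key_len + len(msg))  # padding the sender's hash appended
    new_msg = msg + glue + suffix
    new_tag = md_hash(suffix, state=tag, prior_len=key_len + len(new_msg) - len(suffix))
    return new_msg, new_tag


def hmac_with(hash_fn, key, msg):
    """HMAC: hash((K ^ Const2) | hash((K ^ Const1) | m)), K zero-padded."""
    if len(key) > BLOCK:
        key = hash_fn(key)
    key = key.ljust(BLOCK, b"\x00")
    inner = hash_fn(bytes(b ^ 0x36 for b in key) + msg)
    return hash_fn(bytes(b ^ 0x5C for b in key) + inner)


def sha256(data):
    return hashlib.sha256(data).digest()


def matches_stdlib(key, msg):
    """The construction above, over real SHA-256, equals the library's HMAC."""
    return hmac.compare_digest(
        hmac_with(sha256, key, msg), hmac.new(key, msg, hashlib.sha256).digest()
    )


def demo():
    key = b"constructed-shared-secret"   # K_AB, never given to the continuation
    msg = b"Meet me at the balcony. "
    suffix = b"Romeo must die"
    # Prefix-keyed hash: the continued tag verifies under the real key.
    new_msg, new_tag = continue_from_tag(naive_mac(key, msg), len(key), msg, suffix)
    naive_ok = hmac.compare_digest(naive_mac(key, new_msg), new_tag)
    # HMAC over the same toy hash: the outer keyed hash breaks the continuation.
    h_msg, h_tag = continue_from_tag(hmac_with(md_hash, key, msg), len(key), msg, suffix)
    hmac_ok = hmac.compare_digest(hmac_with(md_hash, key, h_msg), h_tag)
    return {"forged_msg": new_msg, "naive_accepts": naive_ok, "hmac_accepts": hmac_ok}


if __name__ == "__main__":
    print(demo())
```

In application code the whole of this reduces to calling `hmac.new(key, msg, hashlib.sha256)` and comparing tags with `hmac.compare_digest`.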
Libraries: OpenSSL and cryptlib (1)
| | OpenSSL | cryptlib |
|---|---|---|
| Author | Eric Young, OpenSSL Project Team | Peter Gutmann |
| Since | 1990’s | 1990’s |
| Vuln’s | several | none |
| Scope | wide, many OSS projects | wide, mostly non-OSS projects |
| Approach | bunch of functions | application support |
| Runs on | mostly Unix and Windows | tons of stuff: mainframes to embedded systems |
| License | OSS | OSS |
| Free? | all use | noncommercial use |
Libraries: OpenSSL and cryptlib (2)
Additionally, cryptlib supports hardware encryption, PGP data formats, S/MIME enveloping, LDAP, RDBMS and ODBC keystores, and CRL checking.
It is difficult to use cryptlib in an insecure way; cryptlib checks on each operation whether it is meaningful for the participating objects.
Has many secure defaults.
Once it’s set up, encrypting an email message is a matter of three lines, including S/MIME enveloping.
Summary
• Symmetric Crypto
• Asymmetric Crypto (aka Public-Key)
• Hashes, MICs, and MACs
References
• The OpenSSL Project, http://www.openssl.org.
• Cryptlib, http://www.cryptlib.com.
• Bruce Schneier, Applied Cryptography, John Wiley & Sons
• Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, Prentice-Hall