
Page 1: Title

ECE 443/518 – Computer Cyber Security
Lecture 05: Modes of Operation, Cryptographic Hash Functions

Professor Jia Wang
Department of Electrical and Computer Engineering
Illinois Institute of Technology

September 8, 2021

1/27 ECE 443/518 – Computer Cyber Security, Fall 2021, Dept. of ECE, IIT

Page 2: Outline

- Modes of Operation
- Cryptographic Hash Functions

Page 3: Reading Assignment

- This lecture: UC 5.1 – 5.1.5, 11.2
- Next lecture: UC 11.3, 11.5, 12, 5.1.6

(UC = Paar and Pelzl, Understanding Cryptography)

Page 4: Outline

- Modes of Operation
- Cryptographic Hash Functions

Page 5: Electronic Code Book (ECB)

[Figure: ECB mode encryption and decryption diagram (Wikipedia)]

Page 6: Discussions (ECB)

- A substitution cipher over blocks: each plaintext block is replaced, independently of all others, by the output of a block cipher like AES, i.e. a lookup in a huge "codebook" determined by the key.
- Padding: when the message size is not a multiple of the block size, Alice appends additional bits that Bob can identify and remove.
  - E.g. a single 1 bit followed by as many 0 bits as needed to fill the last block.
- Oscar, the passive adversary:
  - Known-plaintext attack: the padding bits are plaintext that Oscar knows in advance.
  - Traffic analysis: the same plaintext block always encrypts to the same ciphertext block, so repetition in the plaintext is visible in the ciphertext.
- Both encryption and decryption can be parallelized as long as the whole message is available.

Page 7: Active Adversaries and Integrity

- We introduced passive adversaries to address confidentiality. For integrity, we need to consider active adversaries.
  - They can modify or even insert messages, e.g. reorder, substitute, modify or create ciphertext blocks.
- With the ability to manipulate ciphertext, active adversaries could even
  - break confidentiality by side-channel attacks, e.g. by observing how Bob reacts to manipulated ciphertext;
  - break higher-level protocols by replay attacks.
- ECB doesn't provide much protection against active adversaries.
  - E.g. reordering and substitution attacks: every block still decrypts correctly, but the blocks may mean something completely different when combined.
  - This holds no matter how secure the underlying block cipher is.
- Are there other ways to apply block ciphers to long messages? Will they protect against active adversaries?

Page 8: Cipher Block Chaining (CBC)

[Figure: CBC mode encryption and decryption diagram (Wikipedia)]

Page 9: Discussions (CBC)

- "Randomize" the plaintext blocks before encryption.
  - XOR each plaintext block with the previous ciphertext block.
  - Use an initialization vector (IV) for the first plaintext block.
- Choice of IV
  - Probabilistic encryption: different IVs result in different ciphertexts even if the plaintext and the key are the same.
  - A.k.a. nonce, a number used only once.
  - Usually randomly chosen and transmitted before the ciphertext, so Oscar will see it. If that's a concern, Alice could encrypt the IV too. (For CBC the IV does not need to be secret, but it must be unpredictable to Oscar before he can influence the plaintext.)
- Encryption is inherently sequential, since each block needs the previous ciphertext block; only decryption can be parallelized.

Page 10: CBC and Active Adversaries

- CBC provides better protection against active adversaries than ECB.
  - Reordering and substitution attacks are less likely to work, as Bob will receive "random" blocks: a moved ciphertext block is XORed with the wrong predecessor and decrypts to garbage.
- Nevertheless, Bob still needs to decide whether someone modified the message or Alice just sent a random message.
  - Worse, CBC is malleable: flipping bit j of ciphertext block C_(i−1) flips bit j of plaintext block P_i (and garbles P_(i−1)), and flipping a bit of the IV flips that bit of P_1 with no garbage at all.
- Need other mechanisms for integrity! Will discuss later.

Page 11: Output Feedback (OFB)

[Figure: OFB mode encryption and decryption diagram (Wikipedia)]

Page 12: Discussions (OFB)

- A synchronous stream cipher built from a block cipher: the block cipher iterated on its own output, starting from the IV, serves as the CSPRNG that generates the key stream, which is XORed with the plaintext.
- A random IV guarantees probabilistic encryption. (An IV must never be reused under the same key: the key stream would repeat, and XORing the two ciphertexts would cancel it out.)
- Only the encryption direction of the block cipher is needed, so there is no need to implement decryption; this saves hardware resources.
- Key stream generation cannot be parallelized, but the key stream can be precomputed before the plaintext is available, as long as storage permits.

Page 13: Cipher Feedback (CFB)

[Figure: CFB mode encryption and decryption diagram (Wikipedia)]

Page 14: Discussions (CFB)

- An asynchronous (self-synchronizing) stream cipher: the key stream depends on both the key and the previous ciphertext block (and hence on the plaintext), so a corrupted ciphertext block garbles only its own and the following plaintext block.
- Otherwise very similar to OFB.
- Only the encryption direction of the block cipher is needed, and decryption can be parallelized (encryption cannot, because each key stream block depends on the previous ciphertext block).

Page 15: Counter Mode (CTR)

[Figure: CTR mode encryption and decryption diagram (Wikipedia)]

Page 16: Discussions (CTR)

- A stream cipher that can be fully parallelized: key stream block i is the block cipher applied to (IV, i), which depends on nothing but the key, the IV and the counter value.
- Only the encryption direction is needed, as in OFB and CFB.
- There is a limit on the message size for a given IV: once the counter field wraps around, key stream blocks repeat.
- OFB also has a limit on the message size, although it should be much longer, since its key stream only repeats once the iteration of the block cipher returns to an earlier value.
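The properties discussed on slides 6, 7, 9, 10 and 16 (ECB pattern leakage and block reordering, the 1-then-0s padding, CBC's random IV and its malleability, CTR's independent key stream blocks and the cost of reusing an IV) can all be exercised in a few dozen lines. The following is an added example and not code from the lecture or from Paar and Pelzl. Because AES is not in the Python standard library, it assumes a toy 8-byte Feistel block cipher keyed through BLAKE2b as a stand-in; that cipher is not secure, but the mode logic around it is the same as it would be over AES with BLOCK = 16. The messages, the 4-byte nonce layout and the `key` passed by the caller are constructed sample inputs.

```python
"""Added example: ECB, CBC and CTR modes over a toy block cipher (NOT secure).
The 8-byte Feistel cipher below is an assumed stand-in for AES so the file runs
with the standard library only; the mode code is what matters."""
import hashlib
import os

BLOCK = 8  # toy block size in bytes (AES: 16)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Keyed round function: 4-byte keyed digest of (round number, half block)."""
    return hashlib.blake2b(bytes([r]) + half, key=key, digest_size=4).digest()

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher on one block; stands in for AES encryption."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, xor(left, _f(key, r, right))
    return right + left  # undo the final swap so the inverse mirrors this loop

def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    right, left = block[:4], block[4:]
    for r in reversed(range(8)):
        right, left = left, xor(right, _f(key, r, left))
    return left + right

def pad(msg: bytes) -> bytes:
    """Slide 6 padding: a 1 bit, then 0 bits to the block boundary (always >= 1 byte)."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad(msg: bytes) -> bytes:
    return msg[: msg.rindex(b"\x80")]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in blocks(pad(msg)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = block_encrypt(key, xor(prev, b))  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """CTR with counter block = 4-byte nonce || 4-byte counter (assumed layout): one
    nonce is good for at most 2^32 blocks; every key-stream block is independent."""
    n = -(-len(msg) // BLOCK)
    ks = b"".join(block_encrypt(key, nonce + i.to_bytes(4, "big")) for i in range(n))
    return xor(msg, ks[: len(msg)])  # the same operation encrypts and decrypts

# --- properties from slides 6, 7, 9, 10 and 16 (constructed sample messages) ---
def ecb_leaks_repeats(key: bytes) -> bool:
    """Equal plaintext blocks give equal ciphertext blocks (traffic analysis)."""
    cb = blocks(ecb_encrypt(key, b"ATTACK AT DAWN!!" * 3))  # 6 data blocks + padding
    return cb[0] == cb[2] == cb[4] and cb[1] == cb[3] == cb[5]

def ecb_reorder(key: bytes) -> bytes:
    """Active adversary swaps two ciphertext blocks; Bob's decryption raises no error."""
    cb = blocks(ecb_encrypt(key, b"PAY=0010TO=ALICE"))  # blocks: PAY=0010 | TO=ALICE | pad
    cb[0], cb[1] = cb[1], cb[0]
    return ecb_decrypt(key, b"".join(cb))

def cbc_probabilistic(key: bytes, msg: bytes) -> bool:
    """Fresh random IV: same key and plaintext, different ciphertexts, both decrypt."""
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)
    c1, c2 = cbc_encrypt(key, iv1, msg), cbc_encrypt(key, iv2, msg)
    return c1 != c2 and cbc_decrypt(key, iv1, c1) == msg == cbc_decrypt(key, iv2, c2)

def cbc_bit_flip(key: bytes) -> bytes:
    """CBC is malleable: flipping bit j of the IV flips bit j of plaintext block 1."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, b"admin=0;")            # '0' is plaintext byte 6
    iv_mod = iv[:6] + bytes([iv[6] ^ 0x01]) + iv[7:]  # 0x30 '0' becomes 0x31 '1'
    return cbc_decrypt(key, iv_mod, ct)

def ctr_nonce_reuse(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Reusing (key, nonce) cancels the key stream: c1 XOR c2 == p1 XOR p2, no key needed."""
    nonce = b"\x00\x00\x00\x07"
    return xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2))
```

`ecb_reorder` returns `b"TO=ALICEPAY=0010"` and `cbc_bit_flip` returns `b"admin=1;"`: in both cases Bob sees a message that decrypts cleanly but was never sent, which is the point of slide 10's "need other mechanisms for integrity". `ctr_nonce_reuse` shows why the per-IV message limit on slide 16 matters: the moment a counter block repeats, the XOR of two ciphertexts equals the XOR of the plaintexts, and one known plaintext reveals the other.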

Page 17: Outline

- Modes of Operation
- Cryptographic Hash Functions

Page 18: Motivation

- How should we address active adversaries?
- Three steps:
  - Integrity without a secret key: cryptographic hash functions
  - Integrity with a secret key: message authentication codes (MACs)
  - Confidentiality and integrity: authenticated encryption

Page 19: Integrity without Secret Key

- Alice has developed a marvelous game and wants everyone to play it.
- The installation package is huge, so Alice decides to seek help from third parties for distribution, e.g. via BitTorrent.
  - Because the required bandwidth is either too expensive or technically infeasible for her alone.
- It is not possible for Bob, who wants to download the game, to set up a secret key with Alice.
- Oscar, who participates in package distribution, plans to add his own adware to the package to make a profit.
- Integrity: how do we design a mechanism that ensures Bob receives the authentic package from Alice?

Page 20: Hash Functions

[Figure: a hash function h mapping a message x to a digest z = h(x) (Paar and Pelzl)]

- Input x: messages of arbitrary length.
- Output z = h(x): the message digest, a.k.a. fingerprint, of fixed size, say m bits.

Page 21: Preimage Resistance (One-Wayness)

Given a hash function h and a message digest z, find a message x such that z == h(x).

- If someone could derive h^(−1) from h, then they could compute x = h^(−1)(z).
- A "good" hash function should be one-way.
  - Note that h has no inverse in the usual sense: infinitely many messages map to any given z. One-wayness means that finding even one of them is infeasible.

Page 22: Alice's Mechanism

- From the package x, Alice publishes the message digest z = h(x) on her website.
  - The message digest is so short (e.g. m = 256 bits) that Alice doesn't need to worry about bandwidth.
- Bob obtains the package x′, computes z′ = h(x′), and verifies that z == z′.
  - Can Bob be sure that x == x′ now? Don't try to answer it yet: state your assumptions and think of attacks!
- Assumption: Oscar can't modify z on Alice's website.
  - I.e. an authentic channel that guarantees only integrity: anyone can see z but no one can modify it.
  - Compare with the secure channel, guaranteeing both confidentiality and integrity, that is needed to set up secret keys.
- Attack: Oscar creates a package with the same message digest, so that Bob won't find out that what he received is not authentic.

Page 23: Second Preimage Resistance (Weak Collision Resistance)

Given a hash function h, a message x1 and its message digest z1 = h(x1), find a message x2 ≠ x1 such that its message digest z2 = h(x2) satisfies z2 == z1.

- A weak collision is unavoidable: such an x2 always exists, since infinitely many messages map to only 2^m digests.
  - Collision: different messages map to the same message digest.
  - The practical question is how easily Oscar can find one.
- Oscar's generic attack: choose x2 at random and compute z2 = h(x2).
  - If h spreads its outputs evenly, z2 == z1 with probability 1/2^m; for any h at all, there is some z1 that is hit with probability at least 1/2^m.
  - If Oscar repeats the attack N times, the probability of finding an x2 is 1 − (1 − 1/2^m)^N.
  - About 63% (1 − 1/e) for N = 2^m.
  - Not a concern if m is large enough and Oscar is computationally bounded.
- What about cryptanalysis that uses properties of h and x1?

Page 24: Oscar's Trick

- Knowing there is little hope of modifying Alice's package without being caught, Oscar decides to create his own game package to distribute the adware.
- Oscar's trick: create two packages x and x′ such that h(x) == h(x′).
  - Good package x: just the game.
  - Bad package x′: the game and the adware.
- Oscar then delivers x′ to Bob through third parties.
- If Bob finds the adware in x′, Oscar shows Bob x and claims that someone else created x′.
- Will second preimage resistance help? (Note that Oscar chooses both x and x′ himself; he is not tied to a fixed x1.)

Page 25: (Strong) Collision Resistance

Given a hash function h, find two messages x1 ≠ x2 such that h(x1) == h(x2).

- Birthday attack: what is the probability that two people in our class have the same birthday?
  - How many students are needed for a 50% chance of two colliding birthdays? 23.
- Roughly speaking, if Oscar creates 2^(m/2) random packages, there is a 50% chance of a collision among them.
  - If half of the packages are good and half are bad, there is a 50% chance that the collision happens between a good and a bad package.
  - So there is a 25% chance that Oscar finds x and x′ for the trick, at a cost of about 2^(m/2) hash computations rather than the 2^m of the second preimage attack.
- Bob may still resist such an attack by requesting that m be large enough (the birthday bound is why the required m is about twice what second preimage resistance alone would need).
  - But what about cryptanalysis?
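The generic attacks on slides 23 and 25 (random second preimage search costing about 2^m trials, and the birthday search behind Oscar's trick costing about 2^(m/2)) can be run for real on a deliberately weakened digest. The following is an added example, not code from the lecture: it assumes h_m(x) to be SHA-256 truncated to its first m bits, so that a 16-bit or 24-bit digest space keeps the searches in the seconds range while the scaling stays visible. The package names are constructed sample inputs.

```python
"""Added example: generic second-preimage and birthday attacks on a truncated hash.
h(x, m) is SHA-256 cut to m bits (an assumed toy digest); with m = 16 or 24 the
slides' 2^m and 2^(m/2) work factors are small enough to observe directly."""
import hashlib

def h(x: bytes, m: int) -> int:
    """Message digest: the first m bits of SHA-256(x), as an integer."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - m)

def success_probability(m: int, n: int) -> float:
    """Slide 23: P[one of n random guesses hits a given m-bit digest] = 1 - (1 - 2^-m)^n."""
    return 1.0 - (1.0 - 2.0 ** -m) ** n

def second_preimage(x1: bytes, m: int, max_trials=None):
    """Generic attack on second preimage resistance: try fresh x2 until h(x2) == h(x1).
    Expected cost about 2^m trials; returns (x2, trials) or None if the cap is hit."""
    z1 = h(x1, m)
    if max_trials is None:
        max_trials = 2 ** (m + 4)  # cap reached with probability about e^-16
    for i in range(max_trials):
        x2 = b"game+adware:build" + str(i).encode()  # constructed candidate package
        if x2 != x1 and h(x2, m) == z1:
            return x2, i + 1
    return None

def oscar_trick(m: int, max_trials=None):
    """Birthday attack for slide 24's trick: a good and a bad package with equal digests.
    Expected cost about 2^(m/2) packages of each kind; returns (good, bad, trials)."""
    if max_trials is None:
        max_trials = 2 ** (m // 2 + 6)
    good_seen = {}  # digest -> good package seen so far
    bad_seen = {}   # digest -> bad package seen so far
    for i in range(max_trials):
        good = b"game:v1.0:build" + str(i).encode()         # constructed sample
        bad = b"game+adware:v1.0:build" + str(i).encode()   # constructed sample
        zg, zb = h(good, m), h(bad, m)
        if zg == zb:
            return good, bad, i + 1
        if zg in bad_seen:                 # collision with an earlier bad package
            return good, bad_seen[zg], i + 1
        if zb in good_seen:                # collision with an earlier good package
            return good_seen[zb], bad, i + 1
        good_seen[zg], bad_seen[zb] = good, bad
    return None
```

Running `second_preimage(b"game:v1.0", 16)` takes on the order of 2^16 trials, while `oscar_trick(24)` finds a good/bad pair after only a few thousand packages of each kind even though its digest is 8 bits longer; that gap is the reason collision resistance, not just second preimage resistance, dictates the choice of m on the next slide. Only a good-versus-bad collision is accepted, since two colliding good packages are useless to Oscar.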

Page 26: Cryptographic Hash Functions

- Cryptographic hash function: a hash function that is
  - preimage resistant,
  - second preimage resistant, and
  - (strong) collision resistant,
- with a proper choice of m.
  - As of now, consider m = 256 or more.
- It must remain so even under cryptanalysis.
  - A "bad" choice of h may allow an attack on second preimage resistance using far fewer than 2^m messages, or an attack on strong collision resistance using far fewer than 2^(m/2) messages.
  - E.g. a cyclic redundancy check (CRC) is a good hash function for detecting accidental data corruption but not a cryptographic hash function: CRC is linear, so anyone can adjust a few bytes of a message to produce any desired CRC value.

Page 27: Summary

- Block ciphers can be applied in different modes to encrypt a long message.
- Use a random IV to guarantee probabilistic encryption.
- Stream ciphers built on top of block ciphers (OFB, CFB, CTR) only need the encryption operation, saving hardware resources.
- CTR mode can be fully parallelized.
- Cryptographic hash functions need to be preimage resistant, second preimage resistant, and (strong) collision resistant.