Professional Documents
Culture Documents
cryptography
cs642
adam everspaughcomputer security
ace@cs.wisc.edu
Announcements
Midterm next week: Monday, March 7 (in-class)
Hash functions
Authenticated encryption
key generation
Rk Kg
K
Optional
R
Enc C C Dec M
M or error
M E C C D M
block ciphers
E: {0,1}k x {0,1}n → {0,1}n
K
Let C be a string
chosen uniformly at
M E C random
world 1 world 0
???
M
aes
building a block cipher
key k
key expansion
k1 k2 k3 kn
R(k1, ⋅)
R(k2, ⋅)
R(k3, ⋅)
R(kn, ⋅)
m c
Use build-break-build-break
iteration
best attacks
Electronic Code Book (ECB) mode
M = m1 m2 m3 m4 … mL
m1 m2 m3
K E K E … K E
c1 c2 c3
C = c1 c2 c3 c4 … cL
modes of operation
[images from wikipedia]
image encrypted with ECB
secure modes
M = m1 m2 m3 m4 … mL
Ek Ek … Ek
m1 ⊕ m2 ⊕ mL ⊕
c0 c1 c2 cL
How do we do decryption?
C = c0 c1 c2 c3 c4 … cL
think-pair-share
IV := rand() m1 m2 mL
⊕ ⊕ ⊕
Ek Ek … Ek
c0 c1 c2 cL
C = c0 c1 c2 c3 c4 … cL
cbc
IV := rand() m1 m2 mL
⊕ ⊕ ⊕
Eve
Ek Ek … Ek
c0 c1 c2 cL
Can attacker learn K from just c0,c1,c2?
Implies attacker can break E (recover block cipher key)
Can attacker m1,m2,m3 from c0,c1,c2?
Implies attacker can invert block cipher without K
Can attacker learn one of M from c0,c1,c2?
Implies attacker can break PRF security of E
passive security
IV := rand() m1 m2 mL
⊕ ⊕ ⊕
Ek Ek … Ek
Mallory
c0 c1 c2 cL
c0' = c0⊕d c1
active security
hash functions
Message Broken:
Digest - MD5 m=128
- SHA-1 m=160
M H H(M) = d
Current:
- SHA-256 m=256
H: {0,1}* → {0,1}m
- SHA-512 m=512
- SHA3-256/512
Security goals
Collision resistance
hash function
K K valid
or
M T (M,T) (M',T') invalid
MAC Verify
Alice
K Bob
K
Mallory
HMAC(K,M) =
H( K⊕opad || H( K⊕ipad || M) )
Fixed constants
(not tablets made by Apple)
hmac
authenticated
encryption
k1 - encryption key
k2 - MAC key C=Ek1(M), T=MACk2(C)
C,T
encrypt-then-mac
secure for all secure primitives
T=MACk2(M), C=Ek1(M,T)
mac-then-encrypt C
may be insecure
authenticated encryption
Dedicated authenticated encryption schemes
Attack Inventors Notes
ae modes
Block ciphers (AES)
Authenticated encryption
/ Encrypt-then-MAC
/ AES-GCM and others
Exit slips
/ 1 thing you learned
/ 1 thing you didn't understand
recap