Professional Documents
Culture Documents
• Security Concepts:
– Confidentiality; Integrity; Availability
– Authenticity; Assurance; Anonymity
• Overview on the crypto tools
– Symmetric/public crypto., cryptographic hash, digital
signature, digital certificate.
• Secure Password
– Common means for authentication
– Usually stored via hash values
– long psw. + odd char. are better and safer
CS4293 Topics on Cybersecurity 1
Lecture 2 – Basic Crypto Tools
m encrypt C decrypt m
K K
CS4293 Topics on Cybersecurity 4
Basics
• Notation
– Secret key K
– Encryption function EK(M), or Ek(P).
– Decryption function DK(C)
– Plaintext length typically the same as ciphertext length
– Encryption and decryption are PRP, i.e., pseudorandom
permutation functions (bijections), on the set of all n-bit
arrays
• Efficiency
– functions EK and DK should have efficient algorithms
• Consistency
– Decrypting the ciphertext yields the plaintext
– DK(EK(M)) = M or DK(EK(P)) = P.
CS4293 Topics on Cybersecurity 5
Basics (Cont’d)
nonce
Alice Bob
m, n E(k,m,n)=c c, n D(k,c,n)=m
E D
k k
b) collection of Eve
plaintext/ciphertext pairs Plaintext Encryption Ciphertext
Algorithm
(known plaintext attack) Hi, Bob.
Don’t
(b) invite Eve
c) collection of to the
party! key
Love, Alice
plaintext/ciphertext pairs for
plaintexts selected by the
Eve
attacker (chosen plaintext Plaintext Encryption Ciphertext
d) collection of WXYZ.
key
plaintext/ciphertext pairs for
ciphertexts selected by the
Eve
attacker (chosen ciphertext Plaintext
IJCGA,
Encryption
Algorithm
Ciphertext
• Vernam (1917)
Key: 23 12 2 10 11
Shift each char. independently
Plaintext: H E L L O
7 4 11 11 14 Position. in the alphabet
Ciphertext: E Q N V Z
4 16 13 21 25 (Key + plaintext) mod 26.
If it “goes past Z”, it starts
• Decryption: again at A.
• Vernam (1917)
Key: 0 1 0 1 1 1 0 0 1 0
Å
Plaintext: 1 1 0 0 0 1 1 0 0 0
Ciphertext: 1 0 0 1 1 0 1 0 1 0
C = E(k,m) = mÅk
• Shannon ‘49: m = D(k,c) = cÅk
c¬ PRBG(k) Åm
PRBG
Pseudo-random bit generator
Å message
ciphertext
Eavesdropper does:
C1 Å C2 ® m1 Å m2
Requires padding
with extra bits.
Plaintext
Blocks of
plaintext
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
IV handled as part of PT block
CS4293 Topics on Cybersecurity 24
Building a block cipher
Input: (m, k)
Repeat simple “mixing” operation several times
• DES: Repeat 16 times:
mL ¬ mR
mR ¬ mLÅF(k,mR)
key expansion
k1 k2 k3 kn
m c
R(k1, ×)
R(k2, ×)
R(k3, ×)
R(kn, ×)
R(k,m): round function
for 3DES (n=48), for AES (n=10)
CS4293 Topics on Cybersecurity 26
Block Ciphers in Practice
• Data Encryption Standard (DES)
– Developed by IBM and adopted by NIST in 1977
– 64-bit blocks and 56-bit keys
– Small key space makes exhaustive search attack feasible since late 90s
• Triple DES (3DES)
– Nested application of DES with three different keys KA, KB, and KC
– Effective key length is 168 bits, making exhaustive search attacks unfeasible
– C = EKC(DKB(EKA(M))); P = DKA(EKB(DKC(C)))
– Equivalent to DES when KA=KB=KC (backward compatible)
• Advanced Encryption Standard (AES)
– Selected by NIST in 2001 through open international competition and public
discussion
– 128-bit blocks and several possible key lengths: 128, 192 and 256 bits
– Exhaustive search attack not currently possible
– AES-256 is the symmetric encryption algorithm of choice
CS4293 Topics on Cybersecurity 27
The Advanced Encryption Standard
(AES)
• In 1997, the U.S. National Institute for Standards and Technology
(NIST) put out a public call for a replacement to DES.
• It narrowed down the list of submissions to five finalists, and
ultimately chose an algorithm that is now known as the Advanced
Encryption Standard (AES).
• AES is a block cipher that operates on 128-bit blocks. It is designed to
be used with keys that are 128, 192, or 256 bits long, yielding ciphers
known as AES-128, AES-192, and AES-256.
decryption does
reverse
0 if x = 0
G(K, x) =
F(K,x) otherwise
CT: c1 c2
• Problem:
E a secure PRP. (pseudorandom permutation func.) Cipher Block Chaining with IV:
IV IV
EK EK EK EK DK DK DK DK
E a secure PRP. (pseudorandom permutation func.) Cipher Block Chaining with IV:
CBC Encryption: CBC Decryption:
M[0] M[1] M[2] M[3] M[0] M[1] M[2] M[3]
IV IV
EK EK EK EK DK DK DK DK
C[i-1] is required before we generate C[i]; All M[i] can be generated simultaneously,
when all C[i] are available.
IV IV
EK EK EK EK DK DK DK DK
Best: use a fresh random IV for every message (IV ¬ X), and
send IV together with the ciphertexts.
For example, Alice and Bob share both K and K1, and synchronize the choice
of initial counter IV, which might start with 1,2,3,… for message 1,2,3….
Unique (non-random) IV means: (k,IV) pair is used for only one message. As
non-random IV may be predictable, so use E(k1,×) as PRF (pseudorandom func.)
IVʹ
Å Å Å Å
ciphertext
CS4293 Topics on Cybersecurity 52
Other (Stream) Modes of Operation
• block modes encrypt entire block
• may need to operate on smaller units
– real time data
• convert block cipher into stream cipher
– counter (CTR) mode
– cipher feedback (CFB) mode
– output feedback (OFB) mode
• use block cipher as some form of pseudo-
random number generator
CS4293 Topics on Cybersecurity 53
Counter (CTR) Mode
• Encrypts counter value
• must have a different key & counter value for
every plaintext block (never reused)
Oi = EK(i)
Ci = Pi Å Oi
• uses: high-speed network encryptions
IV || || || || digest
SHA-1
Hashing Time MD5
0.06
0.05
0.04
msec
0.03
0.02
0.01
0
0 100 200 300 400 500 600 700 800 900 1000
Input Size (Bytes)
H(m)
IV
h h h h
Compute
Compute d = H(K,Mʹ)
c = H(K,M) M c Mʹ cʹ Accept if
sent message received message d = cʹ
CS4293 Topics on Cybersecurity 77
Construction 1: HMAC (Hash-MAC)
• Building a MAC from a cryptographic hash
function is not immediate
• Because of the iterative construction of standard
hash functions, the following MAC constructions
are proved to be insecure:
– H(K÷çM)
– H(M÷çK)
– H(K÷çM÷çK)
H: hash function.
example: SHA-256 ; output is 256 bits
H(m)
IV
h h h h
Å Å Å
Raw CBC
t[0]Topics on Cybersecurityt[0]
CS4293 83
Authenticated Encryption:
Encryption + MAC
M sig M MAC
encrypted encrypted
CS4293 Topics on Cybersecurity 85
Options of Combining MAC and ENC (CCA)
Msg M MAC
Gen
pk sk
m c c m
E D
Alice Bob
pk
Generate (pk, sk)
choose random x
E(pk, x) (e.g. 48 bytes)
x
skA
write read
Alice
E(pkA, KF)
Bob File
E(kF, File) E(pkB, KF)
CS4293 Topics on Cybersecurity 95
Applications
Escrow
Service
write
skescrow
E(pkescrow, KF)
Bob
E(kF, File) E(pkB, KF)
M 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
C 1 8 27 9 15 51 13 17 14 10 11 23 52 49 20 26 18 2
M 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
C 39 25 21 33 12 19 5 31 48 7 24 50 36 43 22 34 30 16
M 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
C 53 37 29 35 6 3 32 44 45 41 38 42 4 40 46 28 47 54
Generate
random XA < q;
Calculate
YA = !XA mod q YA Generate
random XB < q;
Calculate
YB = !XB mod q;
YB Calculate
Calculate K = (YA)XB mod q
K = (YB)XA mod q
header body
Security Theorem:
If (G, F, F-1) is a secure TDF,
(Es, Ds) provides auth. enc.
and H: X ⟶ K is a “random oracle”
then (G,E,D) is CCAro secure.
CS4293 Topics on Cybersecurity 119
• Suppose the message m to encrypt is short.
Can we directly encrypt m using the TDF as
C = F(pk, m) ?
Server certificate can be verified by any client that has CA public key PKCA.
Certificate authority is “off line”
The encryption used by many Web sites to prevent eavesdropping on their interactions
with visitors is not very secure. This technology is in use when Web addresses start with
“https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers.
These sites rely on third-party organizations, like Comodo, to provide “certificates” that
guarantee sites’ authenticity to Web browsers.
But many security experts say the problems start with the proliferation of organizations
permitted to issue certificates.
Browser makers like Microsoft, Mozilla, Google and Apple have authorized a large and
growing number of entities around the world — both private companies and government
bodies — to create them. Many private “certificate authorities” have, in turn, worked with
resellers and deputized other unknown companies to issue certificates in a “chain of trust”
that now involves many hundreds of players, any of which may in fact be a weak link.
CS4293 Topics on Cybersecurity 134
In SSL/TLS
Version, Crypto choice, nonce
C Secret key K
encrypted with S
server’s key Ks
data transmission
135
CS4293 Topics on Cybersecurity
Limitations of Cryptography