01 Week2 Crypto Basics

Summary of Lecture 1
• Security Concepts:
– Confidentiality; Integrity; Availability
– Authenticity; Assurance; Anonymity
• Overview on the crypto tools
– Symmetric/public crypto., cryptographic hash, digital
signature, digital certificate.
• Secure Password
– Common means for authentication
– Usually stored via hash values
– long psw. + odd char. are better and safer
CS4293 Topics on Cybersecurity 1
Lecture 2 – Basic Crypto Tools
Dr. Cong Wang

CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,

W. Stallings&L. Brown, and Dan Boneh.
Symmetric Cryptography
Assumes parties already

share a secret key

Symmetric Cryptosystem
• Scenario
– Alice wants to send a message (plaintext P) to Bob.
– The communication channel is insecure and can be eavesdropped
– If Alice and Bob have previously agreed on a symmetric encryption scheme
and a secret key K, the message can be sent encrypted (ciphertext C)
• Issues
– What is a good symmetric encryption scheme?
– What is the complexity of encrypting/decrypting?
– What is the size of the ciphertext, relative to the plaintext?
m encrypt C decrypt m
K K
Basics
• Notation
– Secret key K
– Encryption function EK(M), or Ek(P).
– Decryption function DK(C)
– Plaintext length typically the same as ciphertext length
– Encryption and decryption are PRP, i.e., pseudorandom
permutation functions (bijections), on the set of all n-bit
arrays
• Efficiency
– functions EK and DK should have efficient algorithms
• Consistency
– Decrypting the ciphertext yields the plaintext
– DK(EK(M)) = M or DK(EK(P)) = P.
Basics (Cont’d)
nonce
Alice Bob
m, n E(k,m,n)=c c, n D(k,c,n)=m
E D
k k
E, D: cipher k: secret key (e.g. 128 bits)

m, c: plaintext, ciphertext n: nonce (aka IV)
Encryption algorithm is publicly known

• Never use a proprietary cipher
Use Cases
Single use key: (one time key)
• Key is only used to encrypt one message

• encrypted email: new key generated for every
email
• No need for nonce (set to 0)
Multi use key: (many time key)

• Key used to encrypt multiple messages
• SSL: same key used to encrypt many packets
• Need either unique nonce or random nonce
Attacks
Plaintext Encryption Ciphertext
• Attacker may have Hi, Bob.
Algorithm
Don’t
a) collection of ciphertexts (a) invite Eve
to the
party!
(ciphertext only attack) Love, Alice key
b) collection of Eve
plaintext/ciphertext pairs Plaintext Encryption Ciphertext
Algorithm
(known plaintext attack) Hi, Bob.
Don’t
(b) invite Eve
c) collection of to the
party! key
Love, Alice
plaintext/ciphertext pairs for
plaintexts selected by the
Eve
attacker (chosen plaintext Plaintext Encryption Ciphertext
attack, CPA) (c)

ABCDEFG
HIJKLMNO
PQRSTUV
Algorithm
d) collection of WXYZ.
key
plaintext/ciphertext pairs for
ciphertexts selected by the
Eve
attacker (chosen ciphertext Plaintext
IJCGA,
Encryption
Algorithm
Ciphertext
attack, CCA) (d)

CAN DO
HIFFA GOT
001101
TIME. 110111
key
CS4293 Topics on Cybersecurity Eve

8
Eve
Brute-Force Attack
• Try all possible keys K and determine if DK(C) is a likely plaintext
– Requires some knowledge of the structure of the plaintext (e.g., PDF file
or email message)
• Key should be a sufficiently long random value to make
exhaustive search attacks unfeasible

Image by Michael Cote from http://commons.wikimedia.org/wiki/File:Bingo_cards.jpg
Substitution Ciphers
• One popular substitution
• Each letter is uniquely “cipher” for some
replaced by another. Internet posts is ROT13.
• There are 26! possible
substitution ciphers.
• There are more than
4.03 x 1026 such ciphers.
Public domain image from http://en.wikipedia.org/wiki/File:ROT13.png

Frequency Analysis
• Letters in a natural language, like English, are
not uniformly distributed.
• Knowledge of letter frequencies, including pairs
and triples can be used in cryptologic attacks
against substitution ciphers.

Substitution Boxes
• Substitution can also be done on binary
numbers.
• Such substitutions are usually described by
substitution boxes, or S-boxes.

One-Time Pads
• There is one type of substitution cipher that is
absolutely unbreakable.
– The one-time pad was invented in 1917 by Joseph
Mauborgne and Gilbert Vernam
– We use a block of shift keys, (k1, k2, . . . , kn), to
encrypt a plaintext, M, of length n, with each shift
key being chosen uniformly at random.
• Since each shift is random, every ciphertext is
equally likely for any plaintext.
First example: One Time Pad
(single use key; over 26 English characters)
• Vernam (1917)
Key: 23 12 2 10 11
Shift each char. independently
Plaintext: H E L L O
7 4 11 11 14 Position. in the alphabet
Ciphertext: E Q N V Z
4 16 13 21 25 (Key + plaintext) mod 26.
If it “goes past Z”, it starts
• Decryption: again at A.
– (Ciphertext – Key) mod 26

Second example: One Time Pad
(single use key; the binary version)
• Vernam (1917)
Key: 0 1 0 1 1 1 0 0 1 0
Å
Plaintext: 1 1 0 0 0 1 1 0 0 0
Ciphertext: 1 0 0 1 1 0 1 0 1 0
C = E(k,m) = mÅk
• Shannon ‘49: m = D(k,c) = cÅk
– OTP is “secure” against ciphertext-only attacks

Weaknesses of the One-Time Pad
• The key has to be as long
as the plaintext
• Keys can never be reused
– Repeated use of one-time
pads allowed the U.S. to
break some of the
communications of Soviet
spies during the Cold War.
• Problems in generation &
safe distribution of keys.

Public domain declassified government image from
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/venona-soviet-espionage-and-the-american-response-1939-1957/part2.htm
Stream ciphers (single use key)
Problem: OTP key is as long the message

Solution: Pseudo random key -- stream ciphers
key
c¬ PRBG(k) Åm
PRBG
Pseudo-random bit generator
Å message
ciphertext
Stream ciphers: RC4 (113MB/sec) , SEAL (293MB/sec)

Stream Cipher
• Key stream
– key input to a pseudorandom bit generator
• produces stream of random like numbers
– Pseudo-random sequence of bits S = S[0], S[1], S[2], …
• unpredictable without knowing input key
– Can be generated on-line one bit (or byte) at the time
• Stream cipher
– XOR the message with the key stream C[i] = S[i] Å m[i]
– Suitable for plaintext of arbitrary length generated on the fly, e.g., media
stream
– processes input elements continuously
• Faster and use far less code

Dangers in using stream ciphers
One time key !! “Two time pad” is insecure:
C1 ¬ m1 Å PRBG(k)
C2 ¬ m2 Å PRBG(k)
Eavesdropper does:
C1 Å C2 ® m1 Å m2
Enough redundant information in English that:

m1 Å m2 ® m 1 , m2

Key Stream Generation
• RC4
– Designed in 1987 by Ron Rivest for RSA Security
– Trade secret until 1994
– Uses keys with up to 2,048 bits
– Simple algorithm
• Block cipher in counter mode (CTR)
– Use a block cipher with block size b
– The secret key is a pair (K,t), where K a is key and t (counter) is a b-bit
value
– The key stream is the concatenation of ciphertexts
EK (t), EK (t + 1), EK (t + 2), …
– Can use a shorter counter concatenated with a random value
– Synchronous stream cipher
• Key stream obtained only from the secret key K
• Works for unreliable channels if plaintext has packets with sequence numbers

Block Cipher

Block Ciphers
• In a block cipher:
– Plaintext and ciphertext have fixed length b (e.g., 128 bits)
– A plaintext of length n is partitioned into a sequence of m
blocks, P[0], …, P[m-1], where n £ bm < n + b
• Each message is divided into a sequence of blocks and
encrypted or decrypted in terms of its blocks.
Requires padding
with extra bits.
Plaintext
Blocks of
plaintext

Padding
• Block ciphers require the length n of the plaintext to be a multiple of the
block size b
• Padding the last block needs to be unambiguous (cannot just add zeroes)
• When the block size and plaintext length are a multiple of 8, a common
padding method (PKCS5) is a sequence of identical bytes, each indicating
the length (in bytes) of the padding
• Example for b = 128 (16 bytes)
– Plaintext: “Roberto” (7 bytes)
– Padded plaintext: “Roberto999999999” (16 bytes), where 9 denotes the
number and not the character
• We need to always pad the last block, which may consist only of padding

Block ciphers: crypto work horse
n Bits n Bits
PT Block E, D CT Block
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
IV handled as part of PT block
Building a block cipher
Input: (m, k)
Repeat simple “mixing” operation several times
• DES: Repeat 16 times:
mL ¬ mR
mR ¬ mLÅF(k,mR)
• AES-128: Mixing step repeated 10 times
Difficult to design: must resist subtle attacks

• differential attacks, linear attacks, brute-force, …

Block Ciphers Built by Iteration
key k
key expansion
k1 k2 k3 kn
m c
R(k1, ×)
R(k2, ×)
R(k3, ×)
R(kn, ×)
R(k,m): round function
for 3DES (n=48), for AES (n=10)
Block Ciphers in Practice
• Data Encryption Standard (DES)
– Developed by IBM and adopted by NIST in 1977
– 64-bit blocks and 56-bit keys
– Small key space makes exhaustive search attack feasible since late 90s
• Triple DES (3DES)
– Nested application of DES with three different keys KA, KB, and KC
– Effective key length is 168 bits, making exhaustive search attacks unfeasible
– C = EKC(DKB(EKA(M))); P = DKA(EKB(DKC(C)))
– Equivalent to DES when KA=KB=KC (backward compatible)
• Advanced Encryption Standard (AES)
– Selected by NIST in 2001 through open international competition and public
discussion
– 128-bit blocks and several possible key lengths: 128, 192 and 256 bits
– Exhaustive search attack not currently possible
– AES-256 is the symmetric encryption algorithm of choice
The Advanced Encryption Standard
(AES)
• In 1997, the U.S. National Institute for Standards and Technology
(NIST) put out a public call for a replacement to DES.
• It narrowed down the list of submissions to five finalists, and
ultimately chose an algorithm that is now known as the Advanced
Encryption Standard (AES).
• AES is a block cipher that operates on 128-bit blocks. It is designed to
be used with keys that are 128, 192, or 256 bits long, yielding ciphers
known as AES-128, AES-192, and AES-256.

AES Round Structure
• The 128-bit version of the AES
encryption algorithm proceeds
in ten rounds.
• Each round performs an
invertible transformation on a
128-bit array, called state.
• The initial state X0 is the XOR of
the plaintext P with the key K:
• X0 = P XOR K.
• Round i (i = 1, …, 10) receives
state Xi-1 as input and produces
state Xi.
• The ciphertext C is the output of
the final round: C = X10.

AES Rounds
• Each round is built from four basic steps:
1. SubBytes step: an S-box substitution step
2. ShiftRows step: a permutation step
3. MixColumns step: a matrix multiplication
step
4. AddRoundKey step: an XOR step with a
round key derived from the 128-bit
encryption key
Advanced
Encryption
Standard
(AES)

AES
Round
Structure

(a) S-box

(b) Inverse S-box

to move
Shift
Rows
individual bytes
from one column
to another and
spread bytes over
columns
decryption does
reverse
on encryption left rotate

each row of State by
0,1,2,3 bytes respectively

Mix Columns and Add Key
• mix columns
₋ operates on each column individually
₋ mapping each byte to a new value that is a function of all
four bytes in the column
₋ use of equations over finite fields
₋ to provide good mixing of bytes in column
• add round key
₋ simply XOR State with bits of expanded key
₋ security from complexity of round key expansion and other
stages of AES

PRF and PRP

Abstract Block Ciphers:
• Pseudorandom Function (PRF)
– F: K × X → Y is such that: exists “efficient” algm. to
eval. F(K, x)
• Pseudorandom Permutation Function (PRP)
– E: K × X → X such that:
– 1. Exists “efficient” algm. to eval. E(k,X).
– 2. The func. E(k, ·) is one-to-one
– 3. Exists “efficient” algm. for inverse D(k,X)
• A block cipher is a PRP
Secure PRF and Secure PRP
• Secure Pseudorandom Function (PRF)
– F: K × X → Y is secure such that F(K, ·) is
indistinguishable from a random func. f: x → Y
• Secure Pseudorandom Permutation Function
(PRP)
– E: K × X → X such that: E(k,·) is indisting. from a
random permutation π:X → X.
• PRF Switching lemma: A secure PRP is also a
secure PRF
– AES and 3DES are secure PRFs

Short Question
• Suppose F(K,x) is a secure PRF. Is the following
G a secure PRF?
0 if x = 0
G(K, x) =
F(K,x) otherwise
No, it is easy to distinguish G from a random function.

Modes of Operation

Block Cipher Modes
• A block cipher mode describes the way a block cipher
encrypts and decrypts a sequence of message blocks.
• Electronic Code Book (ECB) Mode (is the simplest):
– Block P[i] encrypted into ciphertext block C[i] = EK(M[i])
– Block C[i] decrypted into plaintext block M[i] = DK(C[i])

Public domain images from http://en.wikipedia.org/wiki/File:Ecb_encryption.png and http://en.wikipedia.org/wiki/File:Ecb_decryption.png
Incorrect use of block ciphers
•Electronic Code Book (ECB):
PT: m1 m2
CT: c1 c2
• Problem:
– if m1=m2 then c1=c2

In pictures

Strengths and Weaknesses of ECB
• Strengths: • Weakness:
– Documents and images are not
– Is very simple suitable for ECB encryption since
– Allows for parallel patterns in the plaintext are
encryptions of the blocks repeated in the ciphertext:
of a plaintext
– Can tolerate the loss or
damage of a block

Correct Use of Block Ciphers:
Cipher Block Chaining (CBC) Mode
• In Cipher Block Chaining (CBC) Mode
– The previous ciphertext block is combined with the current plaintext
block C[i] = EK (C[i -1] Å M[i])
– C[-1] = IV, a random block separately transmitted (known as the
initialization vector)
– Decryption: M[i] = C[i -1] Å DK (C[i])
E a secure PRP. (pseudorandom permutation func.) Cipher Block Chaining with IV:
CBC Encryption: CBC Decryption:

M[0] M[1] M[2] M[3] M[0] M[1] M[2] M[3]
IV IV
EK EK EK EK DK DK DK DK
C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

Strengths and Weaknesses of CBC
• Strengths: • Weaknesses:
– Doesn’t show patterns in – CBC requires the
the plaintext encryption of blocks to
– Is the most common be done sequentially
mode
– Is fast and relatively
simple

In pictures

Correct Use of Block Ciphers:
Cipher Block Chaining (CBC) Mode (Cont’d)
• Sequential Encryption Process: C[i] = EK (C[i -1] Å M[i])
• Parallel Decryption Process, if all ciphertext blocks are all
available: M[i] = C[i -1] Å DK (C[i])
M[0] M[1] M[2] M[3] M[0] M[1] M[2] M[3]
IV IV
C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]
C[i-1] is required before we generate C[i]; All M[i] can be generated simultaneously,
when all C[i] are available.

Some Tolerance of Ciphertext Blocks Loss
in CBC mode?
If C[i] is lost, it implies the decryption of blocks C[i] and
C[i+1],i.e., M[i] and M[i+1] are lost.
Can the decryption of blocks C[i+2] still be done?
Yes, since it relies only on C[i+1] and C[i+2].

M[0] M[1] M[2] M[3] M[0] M[1] M[2] M[3]
IV IV
C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

Use cases: how to choose an IV
Single use key: no IV needed (IV=0)
Multi use key: (CPA Security)
Best: use a fresh random IV for every message (IV ¬ X), and
send IV together with the ciphertexts.
Can use unique and non-random IV (e.g counter) [Bitlocker]

but then first step in CBC must be IV’ ¬ E(k1,IV)
benefit: may save transmitting IV with ciphertext
For example, Alice and Bob share both K and K1, and synchronize the choice
of initial counter IV, which might start with 1,2,3,… for message 1,2,3….

CBC with Unique IVs (nonce-based encryption)
Unique (non-random) IV means: (k,IV) pair is used for only one message. As
non-random IV may be predictable, so use E(k1,×) as PRF (pseudorandom func.)
IV m[0] m[1] m[2] m[3]
IVʹ
Å Å Å Å
E(k1,×) E(k,×) E(k,×) E(k,×) E(k,×)
IV c[0] c[1] c[2] c[3]
ciphertext
Other (Stream) Modes of Operation
• block modes encrypt entire block
• may need to operate on smaller units
– real time data
• convert block cipher into stream cipher
– counter (CTR) mode
– cipher feedback (CFB) mode
– output feedback (OFB) mode
• use block cipher as some form of pseudo-
random number generator
Counter (CTR) Mode
• Encrypts counter value
• must have a different key & counter value for
every plaintext block (never reused)
Oi = EK(i)
Ci = Pi Å Oi
• uses: high-speed network encryptions

Counter
(CTR)

Counter (CTR) Mode (Cont’d)
Counter mode with a random IV: (parallel encryption)
IV m[0] m[1] … m[L]

Å
E(k,IV) E(k,IV+1) … E(k,IV+L)
IV c[0] c[1] … c[L]

ciphertext

Advantages and Limitations of CTR
• efficiency
– can do parallel encryptions in h/w or s/w
– can preprocess in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter
values, otherwise could break
Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8, 64 or 128 etc)
to be feed back
– denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• most efficient to use all bits in block (64 or 128)
Ci = Mi Å EK(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication

s-bit
Cipher
FeedBack
(CFB-s)

Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• note that the block cipher is used in
encryption mode at both ends
• errors propogate for several blocks after the
error

Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Oi = EK(Oi-1)
Ci = Pi Å Oi
O-1 = IV
• uses: stream encryption on noisy channels
Output
FeedBack
(OFB)

Advantages and Limitations of OFB
• needs an IV which is unique for each use
– if ever reuse attacker can recover outputs
• bit errors do not propagate
• more vulnerable to message stream modification

Summary on Modes of Operation

Performance: Crypto++ 5.2.1
Pentium 4, 2.1 GHz ( on Windows XP SP1, Visual C++ 2003 )
Cipher Block/key size Speed (MB/sec)

Stream RC4 113
cipher
SEAL 293
3DES 64/168 9
Block AES 128/128 61
cipher
IDEA 64/128 19
SHACAL-2 512/128 20

Summary: Block vs Stream Ciphers
• Block cipher
– processes the input one block of elements at a time
– produces an output block for each input block
– can reuse keys
– more common and better analyzed
• Stream cipher
– processes the encryption/decryption elements
continuously, a bit or a byte at a time
– primary advantage is that they are almost always faster
and use far less code
– pseudorandom stream is one that is unpredictable without
knowledge of the input key

Summary: Block vs Stream Ciphers

Cryptographic Hash Functions

Hash Functions
• A hash function h maps a plaintext x to a fixed-length value x = h(P) called
hash value or digest of P
– A collision is a pair of plaintexts P and Q that map to the same hash value,
h(P) = h(Q)
– Collisions are unavoidable
– For efficiency, the computation of the hash function should take time
proportional to the length of the input plaintext
• Hash table
– Search data structure based on storing items in locations associated with
their hash value
– Chaining or open addressing deal with collisions
– Domain of hash values proportional to the expected number of items to be
stored
– The hash function should spread plaintexts uniformly over the possible hash
values to achieve constant expected search time

Cryptographic Hash Functions
• A cryptographic hash function satisfies additional properties
– Preimage resistance (aka one-way)
• Given a hash value x, it is hard to find a plaintext P such that h(P) = x
– Second preimage resistance (aka weak collision resistance)
• Given a plaintext P, it is hard to find a plaintext Q such that h(Q) = h(P)
– Collision resistance (aka strong collision resistance)
• It is hard to find a pair of plaintexts P and Q such that h(Q) = h(P)
• Collision resistance implies second preimage resistance
• Hash values of at least 256 bits recommended to defend
against brute-force attacks
– 256 bit hash values correspond to brute-force guessing over 128
bit strings. (birthday attack O( 2b/2))

Birthday Attack
• The brute-force birthday attack aims at finding a collision for a hash function h
– Randomly generate a sequence of plaintexts X1, X2, X3,…
– For each Xi compute yi = h(Xi) and test whether yi = yj for some j < i
– Stop as soon as a collision has been found
• If there are m possible hash values, the probability that the i-th plaintext does
not collide with any of the previous i -1 plaintexts is 1 - (i - 1)/m. m = 2b.
• The probability Fk that the attack fails (no collisions) after k plaintexts is
Fk = (1 - 1/m) (1 - 2/m) (1 - 3/m) … (1 - (k - 1)/m)
• Using the standard approximation 1 - x » e-x
Fk » e-(1/m + 2/m + 3/m + … + (k-1)/m) = e-k(k-1)/2m
• The attack succeeds/fails with probability ½ when Fk = ½ , that is,
e-k(k-1)/2m = ½
k » 1.17 m½
• We conclude that a hash function with b-bit values provides about b/2 bits of
security
Message-Digest Algorithm 5 (MD5)
• Developed by Ron Rivest in 1991
• Uses 128-bit hash values
• Still widely used in legacy applications although considered insecure
• Various severe vulnerabilities discovered
• Chosen-prefix collisions attacks found by Marc Stevens, Arjen
Lenstra and Benne de Weger
– Start with two arbitrary plaintexts P and Q
– One can compute suffixes S1 and S2 such that P||S1 and Q||S2 collide
under MD5 by making 250 hash evaluations
– Using this approach, a pair of different executable files or PDF
documents with the same MD5 hash can be computed

Secure Hash Algorithm (SHA)
• Developed by NSA and approved as a federal standard by
NIST
• SHA-0 and SHA-1 (1993)
– 160-bits
– Considered insecure
– Still found in legacy applications
– Vulnerabilities less severe than those of MD5
• SHA-2 family (2002)
– 256 bits (SHA-256) or 512 bits (SHA-512)
– Still considered secure despite published attack techniques
• Public competition for SHA-3 announced in 2007

Iterated Hash Function
• A compression function works on input values of fixed length
• An iterated hash function extends a compression function to inputs of
arbitrary length
– padding, initialization vector, and chain of compression functions
– inherits collision resistance of compression function
• MD5 and SHA are iterated hash functions
P1 P2 P3 P4
IV || || || || digest
SHA-1
Hashing Time MD5
0.06
0.05
0.04
msec
0.03
0.02
0.01
0
0 100 200 300 400 500 600 700 800 900 1000
Input Size (Bytes)

SHA-256: Merkle-Damgard
m[0] m[1] m[2] m[3]
H(m)
IV
h h h h
h(.): compression function

Thm 1: if h is collision resistant then so is H (the
cryptographic hash func.)

Data Integrity:
Applications of Cryptographic
Hash Functions

Message Authentication Code (MAC)
• Cryptographic hash function H(K,M) with two inputs:
– Secret key K, Message M
– Goal: message integrity. No confidentiality, ex: Protecting public binaries on disk.
• Message integrity with MAC
– Sequence of messages transmitted over insecure channel
– Secret key K shared by sender and recipient
– Sender computes MAC c = H(K,M) and transmits it along with message M
– Receiver recomputes MAC from received message and compares it with received MAC
– Attacker cannot compute correct MAC for a forged message
– More efficient than signing each message
– Secret key can be sent in a separate encrypted and signed message
Compute
Compute d = H(K,Mʹ)
c = H(K,M) M c Mʹ cʹ Accept if
sent message received message d = cʹ
Construction 1: HMAC (Hash-MAC)
• Building a MAC from a cryptographic hash
function is not immediate
• Because of the iterative construction of standard
hash functions, the following MAC constructions
are proved to be insecure:
– H(K÷çM)
– H(M÷çK)
– H(K÷çM÷çK)

Construction 1: HMAC (Hash-MAC)
Most widely used MAC on the Internet, e.g., IPSEC
HMAC security is the same as that of the underlying cryptographic hash function
H: hash function.
example: SHA-256 ; output is 256 bits
Building a MAC out of a hash function:
Standardized method: HMAC

H( k, m ) = H( kÅopad || H( kÅipad || m ))
opad, and ipad areonspecified

CS4293 Topics Cybersecurity padding constants 79
SHA-256: Merkle-Damgard
m[0] m[1] m[2] m[3]
H(m)
IV
h h h h
h(.): compression function

Thm 1: if h is collision resistant then so is H
“Thm 2”: if h is a PRF then HMAC is a PRF
Construction 2: Encrypted CBC
m[0] m[1] m[2] m[3]
Å Å Å
E(k,×) E(k,×) E(k,×) E(k,×)
Raw CBC
key = (k, k1) tag

E(k1,×)
The last step

CS4293 Topics on Cybersecurity is essential. Why? 81
Construction 3: PMAC – parallel MAC
ECBC and HMAC are sequential. PMAC:

m[0] m[1] m[2] m[3]
P(k,·) and F(k,·)

P(k,0) Å P(k,1) Å P(k,2) Å P(k,3) Å are secure PRPs.
F(k,×) F(k,×) F(k,×) F(k,×)
If P(k,·) was not used, then PMAC Å

would be insecure.
tag
Given tag on (m[0],m[1]), attacker F(k1,×)
obtains tag on (m[1],m[0]). CS4293 Topics on Cybersecurity 82
Further Remarks on MAC
• Why are these MAC constructions secure?
– … not today – take crypto course
• Why the last encryption step in ECBC?
– CBC (aka Raw-CBC) is not a secure MAC:
– Given tag on a message m, attacker can deduce
tag for some other message m’
– How:
x t[0] Å x
Å Å H(k,M) = Ek(Ek(x) Åt[0] Åx)

= Ek(t[0] Åt[0] Åx)
= Ek(x)
= t[0]
E(k,×) E(k,×)
t[0]Topics on Cybersecurityt[0]
CS4293 83
Authenticated Encryption:
Encryption + MAC

Securing a Communication Channel
• Assuring both integrity and confidentiality of messages transmitted over
an insecure channel
• Sign and encrypt
– The encrypted pair (message, signature) is transmitted
• MAC and encrypt
– The encrypted pair (message, MAC) is transmitted
– Secret key for MAC can be sent in separate message
– More efficient than sign and encrypt
– MAC is shorter and faster to compute than signature and verification
• Alternatively, signing or applying MAC could be done on encrypted
message
M sig M MAC
encrypted encrypted
Options of Combining MAC and ENC (CCA)
Encryption key KE MAC key = KI
Option 1: MAC-then-Encrypt (SSL)

MAC(M,KI) Enc KE
Msg M Msg M MAC
Option 2: Encrypt-then-MAC (IPsec)

Enc KE MAC(C, KI)
Secure on
general Msg M MAC
grounds
Option 3: Encrypt-and-MAC (SSH)

Enc KE MAC(M, KI)
Msg M MAC

OCB
offset codebook mode
More efficient authenticated encryption
m[0] m[1] m[2] m[3] checksum
P(N,k,0) Å P(N,k,1) Å P(N,k,2) Å P(N,k,3) Å P(N,k,0) Å
E(k,×) E(k,×) E(k,×) E(k,×) E(k,×)
P(N,k,0) Å P(N,k,1) Å P(N,k,2) Å P(N,k,3) Å auth Å

c[0] c[1] c[2] c[3] c[4]
CS4293 Topics on Cybersecurity Rogaway, …

87
Final Words on Symmetric
Cryptography

Summary
• Shared secret key:
– Used for secure comm. and doc. encryption
• Encryption: (stream vs block cipher)
– One-time key: stream ciphers, CBC or CTR with
fixed IV
– Many-time key: CBC, CTR with random IV
• Integrity: ECBC or HMAC or PMAC
• Authenticated encryption: encrypt-then-MAC

Public-key Cryptography

Public key encryption: (Gen, E, D)
Gen
pk sk
m c c m
E D

Applications
Session setup (for now, only eavesdropping security)
Alice Bob
pk
Generate (pk, sk)
choose random x
E(pk, x) (e.g. 48 bytes)
x
Non-interactive applications: (e.g. Email)

• Bob sends email to Alice encrypted using
pkalice
• Note: Bob needs pkalice (public key management)
Applications
Encryption in non-interactive settings:

• Encrypted File Systems
skA
write read
Alice
E(pkA, KF)
Bob File
E(kF, File) E(pkB, KF)
Applications
Encryption in non-interactive settings:

• Key escrow: data recovery without Bob’s key
Escrow
Service
write
skescrow
E(pkescrow, KF)
Bob
E(kF, File) E(pkB, KF)

Public-Key Applications
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses,
others are specific to one

Public-Key Requirements
• Public-Key algorithms rely on two keys where:
– it is computationally infeasible to find decryption
key knowing only algorithm & encryption key
– it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
– either of the two related keys can be used for
encryption, with the other used for decryption
(optional)
• these are formidable requirements which only
a few algorithms have satisfied
Concrete Examples:
RSA cryptosystem
and
Diffie-Hellman Key Exchange

Euler’s Theorem
• The multiplicative group for Zn, denoted with Z*n, is the subset of
elements of Zn relatively prime with n
• The totient function of n, denoted with f(n), is the size of Z*n
• Example
Z*10 = { 1, 3, 7, 9 } f(10) = 4
• If p is prime, we have
Z*p = {1, 2, …, (p - 1)} f(p) = p - 1
Euler’s Theorem
For each element x of Z*n, we have xf(n) mod n = 1
• Example (n = 10)
3f(10) mod 10 = 34 mod 10 = 81 mod 10 = 1
7f(10) mod 10 = 74 mod 10 = 2401 mod 10 = 1
9f(10) mod 10 = 94 mod 10 = 6561 mod 10 = 1

RSA Public-Key Encryption
• By Rivest, Shamir & Adleman of MIT in 1977
• Best known and widely used public-key algorithm
• Uses exponentiation of integers modulo a prime
• encrypt: C = Me mod n (for math representation only, not
secure in practice)
• decrypt: M = Cd mod n = (Me)d mod n = M
• both sender and receiver know values of n and e
• only receiver knows value of d
• public-key encryption algorithm with
– public key PU = {e, n} and private key PR = {d, n}.
RSA Cryptosystem
• Setup: • Example
– n = pq, with p and q primes n Setup:
– e relatively prime to w p = 7, q = 17
f(n) = (p - 1) (q - 1) w n = 7×17 = 119
– d inverse of e in Zf(n) w f(n) = 6×16 = 96
• Keys: we=5
– Public key: KE = (n, e) w d = 77
– Private key: KD = d n Keys:
w public key: (119, 5)
• Encryption: w private key: 77
– Plaintext M in Zn n Encryption:
– C = Me mod n w M = 19
• Decryption: w C = 195 mod 119 = 66
– M = Cd mod n n Decryption:
w C = 6677 mod 119 = 19

Complete RSA Example
• Setup: • Encryption
n C = M3 mod 55
– p = 5, q = 11
– n = 5×11 = 55 • Decryption
n M = C27 mod 55
– f(n) = 4×10 = 40
–e = 3
– d = 27 (3×27 = 81 = 2×40 + 1)
M 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
C 1 8 27 9 15 51 13 17 14 10 11 23 52 49 20 26 18 2
M 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
C 39 25 21 33 12 19 5 31 48 7 24 50 36 43 22 34 30 16
M 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
C 53 37 29 35 6 3 32 44 45 41 38 42 4 40 46 28 47 54

Security
• Security of RSA based on • In 2005, a team of researchers
difficulty of factoring factored the RSA-640 challenge
– Widely believed number using 30 2.2GHz CPU years
– Best known algorithm takes • In 2004, the prize for factoring RSA-
exponential time 2048 was $200,000
• RSA Security factoring • Current practice is 2,048-bit keys
• Estimated resources needed to
challenge (discontinued)
factor a number within one year
• In 1999, 512-bit challenge
factored in 4 months using Length PCs Memory
35.7 CPU-years (bits)
– 160 175-400 MHz SGI and Sun 430 1 128MB
– 8 250 MHz SGI Origin 760 215,000 4GB
– 120 300-450 MHz Pentium II 1,020 342´106 170GB
– 4 500 MHz Digital/Compaq 1,620 1.6´1015 120TB
Correctness
• We show the correctness of the • Thus, we obtain
RSA cryptosystem for the case (Me)d mod n =
when the plaintext M does not Med mod n =
divide n Mkf(n) + 1 mod n =
• Namely, we show that MMkf(n) mod n =
(Me)d mod n = M M (Mf(n))k mod n =
• Since ed mod f(n) = 1, there is M (Mf(n) mod n)k mod n =
an integer k such that M (1)k mod n =
ed = kf(n) + 1 M mod n =
• Since M does not divide n, by M
Euler’s theorem we have • Proof of correctness can be
extended to the case when the
Mf(n) mod n = 1 plaintext M divides n

Algorithmic Issues
• The implementation of the • Setup
RSA cryptosystem requires –Generation of random
various algorithms numbers with a given number
of bits (to generate candidates
• Overall p and q)
–Representation of integers of –Primality testing (to check
arbitrarily large size and that candidates p and q are
arithmetic operations on prime)
them
–Computation of the GCD (to
• Encryption verify that e and f(n) are
–Modular power relatively prime)
• Decryption –Computation of the
multiplicative inverse (to
–Modular power compute d from e)

• first published public-key algorithm
• by Diffie and Hellman in 1976 along with the
exposition of public key concepts
• used in a number of commercial products
• practical method to exchange a secret key
securely that can then be used for subsequent
encryption of messages
• security relies on difficulty of computing
discrete logarithms
Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– a being a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
xA
– compute their public key: yA = a mod q
• each user makes public that key yA

• shared session key for users A & B is KAB:
xA.xB
KAB = a mod q
xB
= yA mod q (which B can compute)
xA
= yB mod q (which A can compute)
• KAB is used as session key in private-key encryption
scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will
have the same key as before, unless they choose
new public-keys
• attacker needs an x, must solve discrete log
Key Exchange Protocols
User A User B
Generate
random XA < q;
Calculate
YA = !XA mod q YA Generate
random XB < q;
Calculate
YB = !XB mod q;
YB Calculate
Calculate K = (YA)XB mod q
K = (YB)XA mod q
Figure 21.8 Diffie-Hellman Key Exchange

Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute respective public keys:
97
– yA=3 mod 353 = 40 (Alice)
233
– yB=3 mod 353 = 248 (Bob)
• compute shared session key as:
xA 97
– KAB= yB mod 353 = 248 = 160(Alice)
xB 233
– KAB= yA mod 353 = 40 = 160 (Bob)

Remarks on Key Exchange Protocols
• Users could create random private/public D-H
keys each time they communicate
• Users could create a known private/public D-H
key and publish in a directory, then consulted
and used to securely communicate with them
• Both of these are vulnerable to a man-in-the-
middle Attack
• Authentication of the keys is needed

Man-in-the-Middle Attack
• attack is:
1. Darth generates private keys XD1 & XD2, and their public
keys YD1 & YD2
2. Alice transmits YA to Bob
3. Darth intercepts YA and transmits YD1 to Bob. Darth also
calculates K2
4. Bob receives YD1 and calculates K1
5. Bob transmits XA to Alice
6. Darth intercepts XA and transmits YD2 to Alice. Darth
calculates K1
7. Alice receives YD2 and calculates K2
• all subsequent communications compromised
Y X

Public-key encryption from TDFs
• (G, F, F-1): secure TDF X ⟶ Y
• (Es, Ds) : symm. auth. encryption with keys in K
• H: X ⟶ K a hash function
We construct a pub-key enc. system (G, E, D):

Key generation G: same as G for TDF

Public-key encryption from TDFs
• (Es, Ds) : symm. auth. encryption with keys in K
• H: X ⟶ K a hash function
E( pk, m) : D( sk, (y,c) ) :

x⟵ R X, y ⟵ F(pk, x) x ⟵ F-1(sk, y),
k ⟵ H(x), c ⟵ Es(k, m) k ⟵ H(x), m ⟵ Ds(k, c)
output (y, c) output m

In pictures: F(pk, x) Es( H(x), m )
header body
Security Theorem:
If (G, F, F-1) is a secure TDF,
(Es, Ds) provides auth. enc.
and H: X ⟶ K is a “random oracle”
then (G,E,D) is CCAro secure.
• Suppose the message m to encrypt is short.
Can we directly encrypt m using the TDF as
C = F(pk, m) ?
– No, this would be insecure because encrypting the

same msg. twice results in the same ciphertext.

Digital Signature

Digital Signatures
• Public-key encryption
– Alice publishes encryption key
– Anyone can send encrypted message
– Only Alice can decrypt messages with this key
• Digital signature scheme

– Alice publishes key for verifying signatures
– Anyone can check a message signed by Alice
– Only Alice can send signed messages

Solution: make signature depend on document, e.g.: signatures
from trapdoor functions (e.g., RSA).
Y X

Digital Signatures from TDFs
• H: M ⟶ Y a hash function
Sign( sk, m∈Y) : Verify( pk, m, sig) :
output output
sig = F-1(sk, H(m) ) 1 if H(m) = F(pk, sig)
0 otherwise
Security: existential unforgeability under a chosen message

attack in the random oracle model
Digital Signatures from TDFs

Certificate and PKI

Public-Key Infrastructure (PKI)
• Anyone can send Bob a secret message
– Provided they know Bob’s public key
• How do we know a key belongs to Bob?
– If imposter substitutes another key, can read Bob’s mail
• One solution: PKI

– Trusted root authority (VeriSign, IBM, United Nations)
• Everyone must know the verification key of root authority
• Check your browser; there are hundreds!!
– Root authority can sign certificates
– Certificates identify others, including other authorities
– Leads to certificate chains

Public-Key Infrastructure
Known public signature verification key PKCA Certificate
Sign(SKCA, PKserver)
Certificate
PKCA Authority
PKserver and
proof “I am
server”
Client Sign(SKCA, PKserver), Pkserver ,Sign(SKserver, msg), msg Server
Server certificate can be verified by any client that has CA public key PKCA.
Certificate authority is “off line”

Sample
certificate

An Attack Sheds Light on Internet Security Holes
By RIVA RICHMOND
Published: April 6, 2011
The Comodo Group, an Internet security company, has been attacked in the last month by
a talkative and professed patriotic Iranian hacker who infiltrated several of the company’s
partners and used them to threaten the security of myriad big-name Web sites.
But the case is a problem for not only Comodo, …. It has also cast a spotlight on the global
system that supposedly secures communications and commerce on the Web.
The encryption used by many Web sites to prevent eavesdropping on their interactions
with visitors is not very secure. This technology is in use when Web addresses start with
“https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers.
These sites rely on third-party organizations, like Comodo, to provide “certificates” that
guarantee sites’ authenticity to Web browsers.
But many security experts say the problems start with the proliferation of organizations
permitted to issue certificates.
Browser makers like Microsoft, Mozilla, Google and Apple have authorized a large and
growing number of entities around the world — both private companies and government
bodies — to create them. Many private “certificate authorities” have, in turn, worked with
resellers and deputized other unknown companies to issue certificates in a “chain of trust”
that now involves many hundreds of players, any of which may in fact be a weak link.
In SSL/TLS
Version, Crypto choice, nonce
Version, Choice, nonce,

Signed certificate
containing server’s
public key Ks
C Secret key K
encrypted with S
server’s key Ks
switch to negotiated cipher
Hash of sequence of messages
Hash of sequence of messages
data transmission
135
CS4293 Topics on Cybersecurity
Limitations of Cryptography

Limitations of cryptography
• Most security problems are not crypto problems
– This is good
• Cryptography works!
– This is bad
• People make other mistakes; crypto doesn’t solve them
• Misuse of cryptography is fatal for security
– WEP – ineffective, highly embarrassing for industry
– Occasional unexpected attacks on systems subjected
to serious review


01 Week2 Crypto Basics

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01 Week2 Crypto Basics

Uploaded by

Copyright:

Available Formats

Summary of Lecture 1

Dr. Cong Wang

Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,

Assumes parties already

CS4293 Topics on Cybersecurity 3

E, D: cipher k: secret key (e.g. 128 bits)

Encryption algorithm is publicly known

• Key is only used to encrypt one message

Multi use key: (many time key)

attack, CPA) (c)

attack, CCA) (d)

CS4293 Topics on Cybersecurity Eve

CS4293 Topics on Cybersecurity 9

Public domain image from http://en.wikipedia.org/wiki/File:ROT13.png

CS4293 Topics on Cybersecurity 10

CS4293 Topics on Cybersecurity 11

CS4293 Topics on Cybersecurity 12

– (Ciphertext – Key) mod 26

CS4293 Topics on Cybersecurity 14

– OTP is “secure” against ciphertext-only attacks

CS4293 Topics on Cybersecurity 15

CS4293 Topics on Cybersecurity 16

Problem: OTP key is as long the message

Stream ciphers: RC4 (113MB/sec) , SEAL (293MB/sec)

CS4293 Topics on Cybersecurity 18

Enough redundant information in English that:

CS4293 Topics on Cybersecurity 19

CS4293 Topics on Cybersecurity 20

CS4293 Topics on Cybersecurity 21

CS4293 Topics on Cybersecurity 22

CS4293 Topics on Cybersecurity 23

• AES-128: Mixing step repeated 10 times

Difficult to design: must resist subtle attacks

CS4293 Topics on Cybersecurity 25

CS4293 Topics on Cybersecurity 28

CS4293 Topics on Cybersecurity 29

CS4293 Topics on Cybersecurity 31

CS4293 Topics on Cybersecurity 32

CS4293 Topics on Cybersecurity 33

CS4293 Topics on Cybersecurity 34

on encryption left rotate

CS4293 Topics on Cybersecurity 35

CS4293 Topics on Cybersecurity 36

CS4293 Topics on Cybersecurity 37

CS4293 Topics on Cybersecurity 39

No, it is easy to distinguish G from a random function.

CS4293 Topics on Cybersecurity 40

CS4293 Topics on Cybersecurity 41

CS4293 Topics on Cybersecurity 42

– if m1=m2 then c1=c2

CS4293 Topics on Cybersecurity 43

CS4293 Topics on Cybersecurity 44

CS4293 Topics on Cybersecurity 45

CBC Encryption: CBC Decryption:

C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

CS4293 Topics on Cybersecurity 47

CS4293 Topics on Cybersecurity 48

C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

CS4293 Topics on Cybersecurity 49

CBC Encryption: CBC Decryption:

C[0] C[1] C[2] C[3] C[0] C[1] C[2] C[3]

CS4293 Topics on Cybersecurity 50

Multi use key: (CPA Security)

Can use unique and non-random IV (e.g counter) [Bitlocker]