Lecture #3
ENPM 693
Fall 2014
University of Maryland, College Park
Today's Lecture
Where we've been
PRNGs
Attack models on crypto
One-time pad
Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
Block ciphers as symmetric cryptography: DES, AES, 3DES
Modes of operation - ECB, CBC, CFB, OFB, CTR
Stream cipher: RC4
PRNGs
A pseudo-random number generator (PRNG) is a deterministic
function that takes as input a short seed and outputs a string
To be useful, the output must be longer than the seed
Notes
The required notion of pseudo-randomness is very strong:
the output must be indistinguishable from uniformly random for all efficient (poly-time) algorithms
General-purpose PRNGs (C rand(), java.util.Random) are not sufficient for crypto: their output becomes predictable once enough of it has been observed
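As an added example (not from the lecture) of why a general-purpose PRNG fails the "indistinguishable from random" requirement: CPython's random module is MT19937, whose output tempering is invertible, so an attacker who observes 624 consecutive 32-bit outputs can reconstruct the full internal state and predict every later output without ever learning the seed. The function names (untemper, clone_mt19937, predict_next) and the victim seed are choices made here, not anything from the slides.

```python
import random

MASK32 = 0xFFFFFFFF


def _undo_xor_rshift(y, shift):
    # Invert `y ^= y >> shift`: the top `shift` bits are already correct and each
    # pass fixes the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_xor_lshift(y, shift, mask):
    # Invert `y ^= (y << shift) & mask`: the low `shift` bits are already correct.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Recover the raw MT19937 state word from one tempered 32-bit output
    (the tempering steps are undone in reverse order)."""
    y = _undo_xor_rshift(y, 18)
    y = _undo_xor_lshift(y, 15, 0xEFC60000)
    y = _undo_xor_lshift(y, 7, 0x9D2C5680)
    y = _undo_xor_rshift(y, 11)
    return y


def clone_mt19937(outputs):
    """Return a random.Random in the same state as the generator that produced
    `outputs`, which must be 624 consecutive getrandbits(32) values."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # CPython state format: (version 3, 624 state words followed by the index, gauss_next).
    # Index 624 means the next call twists the state, exactly as the victim will.
    clone.setstate((3, state + (624,), None))
    return clone


def predict_next(victim_seed, n_predict=10):
    """Simulate the attack: observe 624 outputs of a victim seeded with a value the
    attacker never sees, then predict the next n_predict outputs."""
    victim = random.Random(victim_seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = predict_next(0xC0FFEE)
    print("prediction matches victim:", predicted == actual)
```

The same attack applies to any application that exposes raw Mersenne Twister output (session tokens, "random" file names, CSRF nonces); a CSPRNG (os.urandom, the secrets module) is the fix, not a secret seed.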
PRGs: a picture
[Figure: distinguishing game. A poly-time distinguisher receives a string y and must decide between World 0 and World 1; in one world y = G(x) for a seed x ∈ {0,1}^n chosen uniformly at random, in the other y is a uniformly random string of the same length]
Attack taxonomy
So far, we have considered only passive eavesdropping on a single ciphertext,
a.k.a. a ciphertext-only attack (COA)
Notes
What is the right threat model?
Definitions?
[Figure: the sender computes c = Enc_k(m) under the shared key k and sends c; the eavesdropper sees only c]
Midway example
Chosen-plaintext security
Is security against chosen-plaintext attacks (CPA) even possible?
Deterministic encryption schemes cannot be secure against chosen-plaintext attacks (CPA): the attacker asks for the encryption of each candidate message and compares it with the target ciphertext
Nor can they be secure for encrypting multiple messages: equal plaintexts produce equal ciphertexts, which leaks which messages repeat
Minimum requirements
The minimum level of security nowadays is security against chosen-plaintext attacks (CPA)
CPA security implies security when multiple messages are encrypted under the same key
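Added example, not from the lecture: the left-or-right CPA game run against two toy schemes built from HMAC-SHA256 used as a stand-in for a block cipher (prf, enc_deterministic, enc_randomized and the sample messages are constructed here). The deterministic scheme reuses one key-derived keystream for every message; the randomized one prepends a fresh nonce. The same adversary wins every game against the first and does no better than guessing against the second.

```python
import hashlib
import hmac
import os
import secrets


def prf(key, label, length):
    """Keyed pseudorandom bytes: HMAC-SHA256 in counter mode (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key, m):
    # Keystream depends on the key only, so equal messages give equal ciphertexts.
    return xor(m, prf(key, b"fixed-stream", len(m)))


def dec_deterministic(key, c):
    return xor(c, prf(key, b"fixed-stream", len(c)))


def enc_randomized(key, m):
    # Fresh 16-byte nonce per encryption, sent in the clear; keystream = PRF(key, nonce).
    nonce = os.urandom(16)
    return nonce + xor(m, prf(key, nonce, len(m)))


def dec_randomized(key, c):
    nonce, body = c[:16], c[16:]
    return xor(body, prf(key, nonce, len(body)))


def cpa_game(enc, key):
    """One run of the left-or-right CPA game. Returns True if the adversary guesses b."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, equal length
    # Phase 1: the adversary queries the encryption oracle on a plaintext of its choice.
    probe = enc(key, m0)
    # Challenge: the challenger encrypts m_b for a secret bit b.
    b = secrets.randbits(1)
    challenge = enc(key, m1 if b else m0)
    # Phase 2: against a deterministic scheme, challenge == probe exactly when b == 0.
    guess = 0 if challenge == probe else 1
    return guess == b


def adversary_success_rate(enc, trials=500):
    """Fraction of games won under one random key: 1.0 is a total break,
    about 0.5 means the adversary learns nothing from the oracle."""
    key = os.urandom(32)
    wins = sum(cpa_game(enc, key) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("deterministic:", adversary_success_rate(enc_deterministic))
    print("randomized:   ", adversary_success_rate(enc_randomized))
```

The randomized scheme is essentially counter mode with a random nonce; the nonce is public, and its only job is to make sure no two encryptions of the same message look alike.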
Ciphers
Symmetric-key crypto
One-time pad (OTP): key as long as the plaintext
Requires pre-sharing huge random keys, but guarantees perfect secrecy (information-theoretically secure)
Asymmetric-key crypto
DH, RSA
Advantages of OTP
Easy to compute
Encryption and decryption are the same operation
Bitwise XOR is very cheap to compute
Drawbacks of OTP
No integrity: flipping a ciphertext bit flips the corresponding plaintext bit
Dangerous if a pad is reused: XORing two ciphertexts cancels the pad and leaves m1 XOR m2
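Added example (not from the slides) of the reuse danger: two constructed Midway-style messages encrypted under the same pad, and a crib-drag that recovers fragments of one message from a guessed word in the other. Function names and the sample messages are choices made here.

```python
import os
import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad, m):
    """One-time pad: c = m XOR pad. The pad must be truly random, at least as long
    as m, and used once. Decryption is the same operation."""
    if len(pad) < len(m):
        raise ValueError("pad shorter than message")
    return xor_bytes(m, pad)


def recover_with_known_plaintext(c1, c2, m1):
    """Two-time pad: c1 XOR c2 = m1 XOR m2, so knowing m1 yields m2 directly."""
    return xor_bytes(xor_bytes(c1, c2), m1)


def crib_drag(c1, c2, crib):
    """Slide a guessed word (crib) across c1 XOR c2. Wherever the crib really occurs
    in one message, the result is the other message's text at that position;
    positions that yield unprintable bytes are rejected. Returns (offset, fragment)."""
    diff = xor_bytes(c1, c2)
    hits = []
    for pos in range(len(diff) - len(crib) + 1):
        frag = xor_bytes(diff[pos:pos + len(crib)], crib)
        if all(b in PRINTABLE for b in frag):
            hits.append((pos, frag))
    return hits


# Constructed sample messages of equal length, in the spirit of the Midway example.
M1 = b"AF is short of water, send supplies"
M2 = b"Enemy fleet will strike AF on 4 Jun"


def demo(pad=None):
    pad = pad or os.urandom(len(M1))
    c1 = otp_encrypt(pad, M1)
    c2 = otp_encrypt(pad, M2)        # same pad reused: the fatal mistake
    hits = crib_drag(c1, c2, b"strike")
    return c1, c2, hits


if __name__ == "__main__":
    c1, c2, hits = demo()
    for pos, frag in hits:
        print(pos, frag)
    print(recover_with_known_plaintext(c1, c2, M1))
```

The crib drag returns false positives (any offset where the XOR happens to be printable); an analyst extends the true hit by guessing the words adjacent to the recovered fragment.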
Cryptosystem
Binary alphabets
Key space K = {0,1}^ℓ
Plaintext space P = {0,1}^n (the plaintext to be protected)
Ciphertext space C = {0,1}^n (the ciphertext should look random)
Encryption E: K × P → C, written E_k(m)
Decryption D: K × C → P, written D_k(c)
Correctness: D_k(E_k(m)) = m for every key k and message m
Key secrecy: it is infeasible to find k from plaintext/ciphertext pairs
Standardized Ciphers
Until the 1970s, most strong ciphers were government secrets
NBS (now called NIST) issued a public call for a cipher; IBM eventually responded
The eventual result was DES
64-bit blocks; 64-bit key of which 56 bits are key material and 8 are parity bits
Outdated (a 56-bit key is brute-forceable), but still in use (especially as 3DES)
3DES: DES encrypt + DES decrypt + DES encrypt (EDE), with 2 or 3 different keys
Block Ciphers I
Block ciphers operate on a fixed-length set of bits (a block)
Block ciphers vs. stream ciphers
Basic structure:
Optional key scheduling: convert the supplied key to an internal form (the round subkeys)
Multiple rounds of combining the plaintext with the key
DES has 16 rounds; AES has 10, 12 or 14 rounds depending on key length
Block Ciphers II
A shared-key, invertible permutation F
F is a deterministic function: for each key k, F_k: {0,1}^n → {0,1}^n is a bijection, and its inverse F_k^{-1} is efficiently computable given k
Encrypting a block x gives c = F_k(x); decryption is x = F_k^{-1}(c)
Divide the input block in half. The right half of each round becomes the left half of the next round's input
Take the right half, pass it through a non-linear function of the data and the round key, and exclusive-OR the result with the current input's left half
The output of that XOR becomes the right half of the next round's input
This is known as a Feistel network
Round i: L_{i+1} = R_i, R_{i+1} = L_i ⊕ f(R_i, K_i)
Key scheduler (DES):
Permuted Choice 1 (PC-1): 64-bit key -> 56 bits, split into two 28-bit halves
Each half is left-rotated by 1 or 2 bits per round (the amount is fixed per round)
Permuted Choice 2 (PC-2): the two rotated 28-bit halves -> 24 bits each = one 48-bit round subkey
In decryption the subkeys are used in reverse order
Decryption
Run the rounds backwards, using the subkeys in reverse order
In the example, L_{i+1} is passed unchanged to the previous round (as R_i)
Accordingly, it can be fed into f_i, the i-th round function of the Feistel network, to be XORed with R_{i+1} to produce L_i
Round i inverted: R_i = L_{i+1}, L_i = R_{i+1} ⊕ f(L_{i+1}, K_i)
3DES/triple-DES
Expands the effective key length
AES
Of the 5 finalists, Rijndael (a Belgian submission) was chosen for its good security and very high efficiency across a wide range of platforms
Supports 128/192/256-bit keys (default is 128-bit keys) and a 128-bit block length
2^128 is a huge number (the estimated number of nanoseconds since the big bang is ~2^90)
The subkey is mixed with the state (the entire block) in each round
Direct use of a block cipher also only works on messages that are a multiple of the cipher block size in length
Solution: five standard modes of operation
Used for encrypting a long message m = m1, ..., mn
ECB (electronic codebook): each block is encrypted independently, c_i = F_k(m_i)
Very weak if used for general-purpose encryption; never use it for a file or a message
Dictionary attack: identical plaintext blocks give identical ciphertext blocks, so an attacker who learns the plaintext of one block recognizes it wherever it recurs
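Added example, not from the lecture, serving both the Feistel-network description above and the ECB weakness: a toy 128-bit Feistel cipher whose round function and key schedule are HMAC-SHA256 (assumptions made here; DES uses S-boxes and the PC-1/PC-2 rotation schedule instead), decrypted by running the same rounds with the subkeys reversed, then used in ECB and in CTR mode on a constructed plaintext with repeated blocks. All names are choices made for this example.

```python
import hashlib
import hmac
import os

BLOCK = 16      # 128-bit block, split into two 64-bit halves
ROUNDS = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key, rounds=ROUNDS):
    """Toy key schedule (assumption: each round subkey derived with HMAC-SHA256)."""
    return [hmac.new(key, b"round-" + bytes([i]), hashlib.sha256).digest()[:16]
            for i in range(rounds)]


def round_fn(subkey, half):
    """Non-linear function of data and subkey; it need not be invertible."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:8]


def feistel_encrypt_block(subkeys, block):
    left, right = block[:8], block[8:]
    for k in subkeys:
        # L_{i+1} = R_i ; R_{i+1} = L_i XOR f(R_i, K_i)
        left, right = right, xor(left, round_fn(k, right))
    return right + left       # undo the last swap so decryption has the same shape


def feistel_decrypt_block(subkeys, block):
    # Same rounds, subkeys in reverse order: each round undoes its counterpart.
    return feistel_encrypt_block(list(reversed(subkeys)), block)


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("need a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    sk = key_schedule(key)
    return b"".join(feistel_encrypt_block(sk, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    sk = key_schedule(key)
    return b"".join(feistel_decrypt_block(sk, b) for b in _blocks(data))


def ctr_crypt(key, nonce, data):
    """CTR mode: c_i = m_i XOR F_k(nonce || i). Encryption and decryption are the
    same operation and only the forward direction of the cipher is used. nonce: 8 bytes."""
    sk = key_schedule(key)
    out = b""
    for i in range(0, len(data), BLOCK):
        keystream = feistel_encrypt_block(sk, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], keystream)
    return out


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one: what an ECB
    dictionary attacker sees without knowing the key."""
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key = os.urandom(32)
    record = b"TRANSFER 0000100"          # constructed 16-byte record
    data = record * 4
    assert ecb_decrypt(key, ecb_encrypt(key, data)) == data
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, data)))
    print("CTR repeated blocks:", repeated_blocks(ctr_crypt(key, b"\x00" * 8, data)))
```

Under ECB the four identical records produce four identical ciphertext blocks; under CTR the counter differs per block, so the keystream blocks are distinct outputs of a permutation and no repetition is visible.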
[Figure: notation and block-dependency equations for the CBC/CFB/OFB modes: which ciphertext blocks each decrypted plaintext block depends on, and that a ciphertext modified by an attacker can still decrypt to plaintext that appears valid]
Properties of OFB
No error propagation: a flipped ciphertext bit flips only the corresponding plaintext bit
An active attacker can therefore make controlled changes to the plaintext
OFB is a form of stream cipher: the block cipher only generates a key stream that is XORed with the message
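Added example (not from the slides) of the two OFB properties just listed: an OFB key stream generated from a keyed block function (HMAC-SHA256 truncated to one block, an assumed stand-in for AES), a one-bit transmission error that reaches exactly one plaintext byte, and an attacker who rewrites a dollar amount without knowing the key. Names and the sample message are constructed here.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_fn(key, block):
    """Forward direction of a keyed block function (assumed stand-in for AES).
    OFB never needs the inverse direction."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key, iv, length):
    # O_0 = IV, O_i = F_k(O_{i-1}); the key stream is independent of the message,
    # which is why OFB behaves as a stream cipher.
    out, state = b"", iv
    while len(out) < length:
        state = block_fn(key, state)
        out += state
    return out[:length]


def ofb_crypt(key, iv, data):
    """Encryption and decryption are the same XOR."""
    return xor(data, ofb_keystream(key, iv, len(data)))


def tamper(ciphertext, offset, delta):
    """Attacker XORs `delta` into the ciphertext at `offset`; no key needed."""
    end = offset + len(delta)
    return ciphertext[:offset] + xor(ciphertext[offset:end], delta) + ciphertext[end:]


def error_propagation(key, iv, m, bad_byte=5):
    """Flip one bit of the ciphertext in transit; count plaintext bytes that decrypt wrongly."""
    c = bytearray(ofb_crypt(key, iv, m))
    c[bad_byte] ^= 0x01
    m2 = ofb_crypt(key, iv, bytes(c))
    return sum(1 for x, y in zip(m, m2) if x != y)


def controlled_change(key, iv, m=b"transfer $0100 to alice"):
    """Attacker knows the message format (not the key) and rewrites the amount;
    returns what the receiver decrypts."""
    c = ofb_crypt(key, iv, m)
    offset = m.index(b"0100")
    c_forged = tamper(c, offset, xor(b"0100", b"9900"))
    return ofb_crypt(key, iv, c_forged)
```

The same attack works on CTR and on any stream cipher; without a MAC the receiver has no way to notice the change.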
Stream Cipher
A key stream generator produces a pseudo-random sequence S from the key
The key stream must be unique for each plaintext (never reuse it)
The ciphertext is the plaintext XORed with the key stream
RC4
Extremely efficient
After key setup, it just produces a key stream
No way to resynchronize except by rekeying and starting over
Internal state is a 256-byte array plus two integers
Note: weaknesses if used in ways other than as a stream cipher
Snake oil alert! If the key stream is algorithmically generated, it's not a one-time pad!
Adding one bit to the key doubles the work factor for brute-force attacks
The effect on encryption time is often negligible or even free
It costs nothing to use a longer RC4 key
Going from 128-bit AES to 256-bit AES takes (at most) 40% longer (10 rounds vs. 14)
Using triple DES costs 3x more to encrypt, but increases the attacker's brute-force effort by a factor of 2^56 (from 2^56 to 2^112, the meet-in-the-middle bound)
Homework #3
Due next week during the lecture (Thu. 09/24/2015 at 7:00pm)
Homework:
Reading assignment: submit your review to the course web page
Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel, An Empirical Study of Cryptographic Misuse in Android Applications
https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf
Randomly selected students will present their summary of the reading assignment in class during the following lecture
Review of Lecture
What did we learn?
PRNGs
Attack models on crypto
One-time pad
Cryptosystem - Symmetric-key cryptography: Block cipher & Stream cipher
Block ciphers as symmetric cryptography: DES, AES, 3DES
Modes of operation - ECB, CBC, CFB, OFB, CTR
Stream cipher: RC4
What's next?
Message integrity: MAC, Digital Signature
Asymmetric cryptography: DH, RSA
Sources
In addition to the textbooks mentioned in course syllabus, the course
material is in part borrowed from the following sources:
Jonathan Katz, CMSC414 Computer and Network Security
Tudor Dumitras, ENEE757 Network and Distributed System Security
Robert Maxwell, ENPM808D Security Tools for Information Security
Tudor Dumitras, ENEE759D Security Data Science