1 / 41

IS511 Introduction to Information Security Lecture 3 Cryptography 1

IS511 Introduction to Information Security Lecture 3 Cryptography 1. Yongdae Kim. Recap. http://syssec.kaist.ac.kr/~yongdaek/courses/is511/ E-mail policy Include [is511] Profs + TA: IS511-prof@gsis.kaist.ac.kr Profs + TA + Students: IS511@gsis.kaist.ac.kr Text only posting, email!

dorcas
Télécharger la présentation

IS511 Introduction to Information Security Lecture 3 Cryptography 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IS511Introduction to Information Security Lecture 3Cryptography 1 Yongdae Kim

  2. Recap • http://syssec.kaist.ac.kr/~yongdaek/courses/is511/ • E-mail policy • Include [is511] • Profs + TA: IS511-prof@gsis.kaist.ac.kr • Profs + TA + Students: IS511@gsis.kaist.ac.kr • Text only posting, email! • Preproposal • Proposal: English only • Homework 1 is posted.

  3. Eve Yves? The main players Bob Alice

  4. Attacks Normal Flow Destination Source Interruption: Availability Interception: Confidentiality Destination Destination Source Source Modification: Integrity Fabrication: Authenticity Destination Destination Source Source

  5. Taxonomy of Attacks • Passive attacks • Eavesdropping • Traffic analysis • Active attacks • Masquerade • Replay • Modification of message content • Denial of service

  6. Big picture Trusted third party (e.g. arbiter, distributor of secret information) Bob Alice Information Channel Message Message Secret Information Secret Information Eve

  7. Terminology for Encryption • A denotes a finite set called the alphabet • M denotes a set called the message space • M consists of strings of symbols from an alphabet • An element of M is called a plaintext • C denotes a set called the ciphertext space • C consists of strings of symbols from an alphabet • An element of C is called a ciphertext • K denotes a set called the key space • An element of K is called a key • Ee is an encryption function where e  K • Dd called a decryption function where d  K

  8. Encryption • Why do we use key? • Or why not use just a shared encryption function? Adversary Encryption Ee(m) = c Decryption Dd(c) = m c insecure channel m m Plaintext source destination Alice Bob

  9. SKE with Secure channel Adversary d Secure channel Key source e Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  10. PKE with insecure channel Passive Adversary e Insecure channel Key source d Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  11. e e’ Ee’(m) Public key should be authentic! • Need to authenticate public keys Ee(m) e Ee(m)

  12. Digital Signatures • Primitive in authentication and non-repudiation • Signature • Process of transforming the message and some secret information into a tag • Nomenclature • M is set of messages • S is set of signatures • SA: M ! S for A, kept private • VA is verification transformation from M to S for A, publicly known

  13. Key Establishment, Management • Key establishment • Process to whereby a shared secret key becomes available to two or more parties • Subdivided into key agreement and key transport. • Key management • The set of processes and mechanisms which support key establishment • The maintenance of ongoing keying relationships between parties

  14. Symmetric vs. Public key

  15. Symmetric key Encryption • Symmetric key encryption • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e • Usually e = d • Block cipher • breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time • Stream cipher • encrypt individual characters of plaintext message one at a time, using encryption transformation which varies with time

  16. Block Cipher • E: VnKVn • Vn = {0,1}n, K = {0, 1}k, n is called block length, k is called key size • E(P, K) = C for K  K and P, C  Vn • E(P, K) = EK(P) is invertible mapping from Vn to Vn • EK: encryption function • D(C, K) = DK(C) is the inverse of EK • Dk: decryption function P (plaintext) P (plaintext) E K Key EK C (ciphertext) C (ciphertext)

  17. k D Modes of Operation • A block cipher encrypts plaintext in fixed-size n-bit blocks (often n =128). What happens if your message is greater than the block size? xj c0=IV Cj-1 xj k E E-1 k k E Cj-1 xj’ xj’ I1=IV Ij Ij Ij Ij I1=IV k E E k k E E k Oj Oj Oj Oj xj xj’ xj xj’

  18. Modes of Operation • ECB • Encryption: cjEK(xj) • Decryption: xj E−1K (cj) • CBC • Encryption: c0 IV, cj EK(cj−1 xj) • Decryption: c0 IV, xj cj−1  E−1K(cj) • CFB • Encryption: I1 IV, cj xj EK(Ij), Ij+1 = cj • Decryption: I1 IV, xj cj EK(Ij), Ij+1 = cj • OFB • Encryption: I1 IV, oj = EK(Ij), cj xj oj, Ij+1 = oj • Decryption: I1 IV, oj = EK(Ij), xj cj oj, Ij+1 = oj

  19. Modes of Operation (CTR) CTR CTR+1 CTR+N-1 k E k E k E x1 x2 xN c1 c2 cN CTR CTR+1 CTR+N-1 k E k E k E c1 c2 cN x1 x2 xN

  20. CTR advantages • Hardware efficiency • Parallelizable • Software efficiency • Similar, modern processors support parallel computation • Preprocessing • Pad can be computed earlier • Random-access • Each ciphertext block can be encrypted independently • important in applications like hard-disk encryption • Provable security • no worse than what one gets for CBC encryption • Simplicity • No decryption algorithm and key scheduling

  21. Double DES • C = EK2[EK1 [P]] • P = DK1[DK2[C]] • Reduction to single stage? • EK2[EK1 [P]] =? EK3[P] • It was proven that it does not hold

  22. Meet-in-the-middle Attack • Diffie 1977 • Exhaustively cracking it requires 2112? • C = EK2[EK1 [P]] • X = EK1 [P] = DK2[C] • Given a known pair, (P, C) • Encrypt P with all possible 256 values of K1 • Store this results and sort by X • Decrypt C with all possible 256 K2, and check table • If same, accept it as the correct key • Are we done? &&#@!#(

  23. Meet-in-the-middle Attack • Little statistics • For any P, there are 264 possible C • DDES uses 112 bit key, so 2112 keys • Given C, there are 2112/264 = 248 possible P • So there are 248 false alarms • If one more (P’, C’) pair, we can reduce it to 2-16 • So using two (plaintext, ciphertext) pairs, we can break DDES c * 256 encryption/decryption • C = EK2[DK1 [P]] different?

  24. Triple DES with two keys • Obvious counter to DDES: Use three keys • Complexity? • 168 bit key • Triple DES = EDE = encrypt-decrypt-encrypt • C = EK1[DK2 [EK1[P]]] • Attacks? • No practical one so far

  25. Hash function and MAC • A hash function is a function h • compression • ease of computation • Properties • one-way: for a given y, find x’ such that h(x’) = y • collision resistance: find x and x’ such that h(x) = h(x’) • Examples: SHA-1, MD-5 • MAC (message authentication codes) • both authentication and integrity • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance • Example: HMAC

  26. How Random is the Hash function?

  27. Applications of Hash Function • File integrity • Digital signature Sign = SSK(h(m)) • Password verification stored hash = h(password) • File identifier • Hash table • Generating random numbers

  28. Hash function and MAC • A hash function is a function h • compression • ease of computation • Properties • one-way: for a given y, find x’ such that h(x’) = y • collision resistance: find x and x’ such that h(x) = h(x’) • Examples: SHA-1, MD-5 • MAC (message authentication codes) • both authentication and integrity • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance • Example: HMAC

  29. MAC construction from Hash • Prefix • M=h(k||x) • appending y and deducing h(k||x||y) form h(k||x) without knowing k • Suffix • M=h(x||k) • possible a birthday attack, an adversary that can choose x can construct x’ for which h(x)=h(x’) in O(2n/2) • STATE OF THE ART: HMAC (RFC 2104) • HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding • The outer hash operates on an input of two blocks • Provably secure

  30. How to use MAC? • A & B share a secret key k • A sends the message x and the MAC M←Hk(x) • B receives x and M from A • B computes Hk(x) with received M • B checks if M=Hk(x)

  31. PKE with insecure channel Passive Adversary e Insecure channel Key source d Encryption Ee(m) = c Decryption Dd(c) = m c Insecure channel m m Plaintext source destination Alice Bob

  32. Digital Signature • Integrity • Authentication • Non-repudiation I did not have intimate relations with that woman,…, Ms. Lewinsky WJ Clinton

  33. Digital Signature with Appendix • Schemes with appendix • Requires the message as input to verification algorithm • Rely on cryptographic hash functions rather than customized redundancy functions • DSA, ElGamal, Schnorr etc.

  34. Mh x S VA u 2{True, False} Digital Signature with Appendix M Mh S SA,k h m mh s* s* = SA,k(mh) u = VA(mh, s*)

  35. Authentication • How to prove your identity? • Prove that you know a secret information • When key K is shared between A and Server • A  S: HMACK(M) where M can provide freshness • Why freshness? • Digital signature? • A  S: SigSK(M) where M can provide freshness • Comparison?

  36. Encryption and Authentication • EK(M) • Redundancy-then-Encrypt: EK(M, R(M)) • Hash-then-Encrypt: EK(M, h(M)) • Hash and Encrypt: EK(M), h(M) • MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M) • MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

  37. Challenge-response authentication • Alice is identified by a secret she possesses • Bob needs to know that Alice does indeed possess this secret • Alice provides responseto a time-variant challenge • Response depends on both secret and challenge • Using • Symmetric encryption • One way functions

  38. Challenge Response using SKE • Alice and Bob share a key K • Taxonomy • Unidirectional authentication using timestamps • Unidirectional authentication using random numbers • Mutual authentication using random numbers • Unilateral authentication using timestamps • Alice  Bob: EK(tA, B) • Bob decrypts and verified that timestamp is OK • Parameter Bprevents replay of same message in B  A direction

  39. Challenge Response using SKE • Unilateral authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(rb, B) • Bob checks to see if rb is the one it sent out • Also checks “B” - prevents reflection attack • rb must be non-repeating • Mutual authentication using random numbers • Bob  Alice: rb • Alice  Bob: EK(ra, rb, B) • Bob  Alice: EK(ra, rb) • Alice checks that ra, rb are the ones used earlier

  40. Challenge-response using OWF • Instead of encryption, used keyed MAC hK • Check: compute MAC from known quantities, and check with message • SKID3 • Bob  Alice: rb • Alice  Bob: ra, hK(ra, rb, B) • Bob  Alice: hK(ra, rb, A)

  41. Key Establishment, Management • Key establishment • Process to whereby a shared secret key becomes available to two or more parties • Subdivided into key agreement and key transport. • Key management • The set of processes and mechanisms which support key establishment • The maintenance of ongoing keying relationships between parties

More Related