730 likes | 732 Vues
This lecture covers block cipher encryption modes such as ECB and CBC, as well as an overview of public key encryption using RSA.
E N D
Lecture 3: Cryptography II CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena
Course Administration • Everyone receiving my emails? • Lecture slides worked okay? • Both ppt and pdf versions • Everyone knows how to access the course web page? • HW/Lab 1 heads up • To be posted coming Monday • Labs become active starting next week
Outline of Today’s Lecture • Block Cipher Modes of Encryption • Public Key Crypto Overview • Number Theory Background • Public Key Encryption (RSA) • Public Key Signatures
Block Cipher Encryption Modes Lecture 1 - Introduction
Block Cipher Encryption modes • Electronic Code Book (ECB) • Cipher Block Chain (CBC) • Most popular one • Others (we will not cover) • Cipher Feed Back (CFB) • Output Feed Back (OFB) Lecture 2 - Cryptography - I
Analysis We will analyze each mode in terms of: • Security • Computational Efficiency (parallelizing encryption/decryption) • Transmission Errors • Integrity Protection Lecture 2 - Cryptography - I
Electronic Code Book (ECB) Mode • Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode. • Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext Lecture 2 - Cryptography - I
Example – why ECB is bad? Tux encrypted with AES in ECB mode Tux Lecture 2 - Cryptography - I
Cipher Block Chain (CBC) Mode encryption decryption Lecture 2 - Cryptography - I
CBC Traits • Randomized encryption • IV – Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation • IV is a random value • IV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext) Lecture 2 - Cryptography - I
Example – why CBC is good? Tux encrypted with AES in CBC mode Tux Lecture 2 - Cryptography - I
CBC – More Properties • What happens if k-th cipher block CK gets corrupted in transmission. • With ECB – Only decrypted PK is affected. • With CBC? • Only blocks PK and PK+1 are affected!! • What if one plaintext block PK is changed? • With ECB only CK affected. • With CBC all subsequent ciphertext blocks will be affected. • “Avalanche effect” • This leads to an effective integrity protection mechanism (or message authentication code (MAC)) Lecture 2 - Cryptography - I
Security of Block Cipher Modes • ECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks) • CBC is secure against CPA attacks (assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacks • However, not secure against CCA. Why? • Intuitively, this is because the ciphertext can be “massaged” in a meaningful way
CBC Mode CCA Attack • Assume adversary has eavesdropped upon a ciphertext – (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV. • Adversary is not allowed to query for (C0, C1, C2) itself • With CBC, adversary queries for (C0’, C1, C2) and obtains (M1’, M2) [X’ denotes bit-wise complement of X]
How to achieve CCA security? • Prevent any massaging of the ciphertext • Intuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study later • The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext • Both ciphertext and the MAC is sent off • The other party decrypts only if MAC is valid Lecture 2.3 - Private Key Cryptography III
Advanced Encryption Standard (AES) • National Institute of Science and Technology • DES is an aging standard that no longer addresses today’s needs for strong encryption • Triple-DES: Endorsed by NIST as today’s defacto standard • AES: The Advanced Encryption Standard • Finalized in 2001 • Goal – To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents • AES candidate algorithms were required to be: • Symmetric-key, supporting 128, 192, and 256 bit keys • Royalty-Free • Unclassified (i.e. public domain) • Available for worldwide export Lecture 2.3 - Private Key Cryptography III
AES • AES Round-3 Finalist Algorithms: • MARS • Candidate offering from IBM • RC6 • Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm • Twofish • From Counterpane Internet Security, Inc. • Serpent • Designed by Ross Anderson, Eli Biham and Lars Knudsen • Rijndael: the winner! • Designed by Joan Daemen and Vincent Rijmen Lecture 2.3 - Private Key Cryptography III
Other Symmetric Ciphers and their applications • IDEA (used in PGP) • Blowfish (password hashing in OpenBSD) • RC4 (used in WEP), RC5 • SAFER (used in Bluetooth) Lecture 2.3 - Private Key Cryptography III
Some Questions • Double encryption in DES increases the key space size from 2^56 to 2^112 – true or false? • Is known-plaintext an active or a passive attack? • Is chosen-ciphertext attack an active or a passive attack? • Reverse Engineering is applied to what design of systems – open or closed? • Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use? Lecture 2.2 - Private Key Cryptography II
Some Questions • C=DES(K,P); where (P, C are 64-bit long blocks). What would be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode? • ECB is secure for sending just one block of data: true or false? • Is it okay to re-use IV in CBC? Why/why not? • Alice needs to send a *long* top-secret message to Bob. Which of the ciphers that we studied today can she use? • Is ECB secure against CPA? • Is CBC secure against CPA? Lecture 2.3 - Private Key Cryptography III
Public Key Crypto Overview and Number Theory Lecture 1 - Introduction
Recall: Private Key/Public Key Cryptography • Private Key: Sender and receiver share a common (private) key • Encryption and Decryption is done using the private key • Also called conventional/shared-key/single-key/ symmetric-key cryptography • Public Key: Every user has a private key and a public key • Encryption is done using the public key and Decryption using private key • Also called two-key/asymmetric-key cryptography
Private key cryptography revisited. • Good: Quite efficient (as you’ll see from the HW#2 programming exercise on AES) • Bad: Key distribution and management is a serious problem
Public key cryptography model • Good: Key management problem potentially simpler • Bad: Much slower than private key crypto (we’ll see later!)
Public Key Encryption • Two keys: • public encryption key e • private decryption key d • Encryption easy when e is known • Decryption easy when d is known • Decryption hard when d is not known • We’ll study such public key encryption schemes; first we need some number theory.
Public Key Encryption: Security Notions • Very similar to what we studied for private key encryption • What’s the difference?
Group: Definition (G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied: • Closure : for any a, b G, a.b G • Associativity : for any a, b, c G, a.(b.c)=(a.b).c • Identity : there is an identity element such that a.e = e.a = a, for any a G • Inverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e Abelian Group: Group which also satisfies commutativity , i.e., a.b = b.a Lecture 1 - Introduction
Groups: Examples • Set of all integers with respect to addition --(Z,+) • Set of all integers with respect to multiplication (Z,*) – not a group • Set of all real numbers with respect to multiplication (R,*) • Set of all integers modulo m with respect to modulo addition (Zm, “modular addition”)
Divisors • xdividesy (written x | y) if the remainder is 0 when y is divided by x • 1|8, 2|8, 4|8, 8|8 • The divisors of y are the numbers that divide y • divisors of 8: {1,2,4,8} • For every number y • 1|y • y|y
Prime numbers • A number is prime if its only divisors are 1 and itself: • 2,3,5,7,11,13,17,19, … • Fundamental theorem of arithmetic: • For every number x, there is a unique set of primes {p1, … ,pn} and a unique set of positive exponents {e1, … ,en} such that
Common divisors • The common divisors of two numbers x,y are the numbers z such that z|x and z|y • common divisors of 8 and 12: • intersection of {1,2,4,8} and {1,2,3,4,6,12} • = {1,2,4} • greatest common divisor: gcd(x,y) is the number z such that • z is a common divisor of x and y • no common divisor of x and y is larger than z • gcd(8,12) = 4
Euclidean Algorithm: gcd(r0,r1) Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)
Example – gcd(15,37) • 37 = 2 * 15 + 7 • 15 = 2 * 7 + 1 • 7 = 7 * 1 + 0 • gcd(15,37) = 1
Relative primes • x and y are relatively prime if they have no common divisors, other than 1 • Equivalently, x and y are relatively prime if gcd(x,y) = 1 • 9 and 14 are relatively prime • 9 and 15 are not relatively prime
Modular Arithmetic • Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: • We work in Zm = {0, 1, 2, …, m-1}, the group of integers modulo m • Example: Z9 ={0,1,2,3,4,5,6,7,8} • We abuse notation and often write = instead of Public Key Cryptography -- II
Addition in Zm : • Addition is well-defined: • 3 + 4 = 7 mod 9. • 3 + 8 = 2 mod 9. Public Key Cryptography -- II
Additive inverses in Zm • 0 is the additive identity in Zm • Additive inverse of a is -a mod m = (m-a) • Every element has unique additive inverse. • 4 + 5= 0 mod 9. • 4 is additive inverse of 5. Public Key Cryptography -- II
Multiplication in Zm : • Multiplication is well-defined: • 3 * 4 = 3 mod 9. • 3 * 8 = 6 mod 9. • 3 * 3 = 0 mod 9. Public Key Cryptography -- II
Multiplicative inverses in Zm • 1 is the multiplicative identity in Zm • Multiplicative inverse (x*x-1=1 mod m) • SOME, but not ALL elements have unique multiplicative inverse. • In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …, so 3 does not have a multiplicative inverse (mod 9) • On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9) Public Key Cryptography -- II
Which numbers have inverses? • In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1 • E.g., 4 in Z9 Public Key Cryptography -- II
Extended Euclidian: a-1 mod n • Main Idea: Looking for inverse of a mod n means looking for x such that x*a – y*n = 1. • To compute inverse of a mod n, do the following: • Compute gcd(a, n) using Euclidean algorithm. • Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1. • So you can obtain linear combination of rm and rm-1 that yields 1. • Work backwards getting linear combination of ri and ri-1 that yields 1. • When you get to linear combination of r0 and r1 you are done as r0=n and r1= a. Public Key Cryptography -- II
Example – 15-1 mod 37 • 37 = 2 * 15 + 7 • 15 = 2 * 7 + 1 • 7 = 7 * 1 + 0 Now, • 15 – 2 * 7 = 1 • 15 – 2 (37 – 2 * 15) = 1 • 5 * 15 – 2 * 37 = 1 So, 15-1 mod 37 is 5. Public Key Cryptography -- II
Modular Exponentiation:Square and Multiply method • Usual approach to computing xc mod n is inefficient when c is large. • Instead, represent c as bit string bk-1 … b0 and use the following algorithm: z = 1 For i = k-1 downto 0 do z = z2 mod n if bi = 1 then z = z* x mod n Public Key Cryptography -- II
Example: 3037 mod 77 z = z2 mod n if bi = 1 then z = z* x mod n Public Key Cryptography -- II
Other Definitions • An element g in G is said to be a generator of a group if a = gi for every a in G, for a certain integer i • A group which has a generator is called a cyclic group • The number of elements in a group is called the order of the group • Order of an element a is the lowest i (>0) such that ai = e (identity) • A subgroup is a subset of a group that itself is a group Public Key Cryptography -- II
Lagrange’s Theorem • Order of an element in a group divides the order of the group Public Key Cryptography -- II
Euler’s totient function • Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n • Fact: If p is prime then • {1,2,3,…,p-1} are relatively prime to p. Public Key Cryptography -- II
Euler’s totient function • Fact: If p and q are prime and n=pq then • Each number that is not divisible by p or by q is relatively prime to pq. • E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-} • pq-p-(q-1) = (p-1)(q-1) Public Key Cryptography -- II
Euler’s Theorem and Fermat’s Theorem • If a is relatively prime to n then • If a is relatively prime to p then ap-1 = 1 mod p Proof : follows from Lagrange’s Theorem Public Key Cryptography -- II
Euler’s Theorem and Fermat’s Theorem EG: Compute 9100 mod 17: p =17, so p-1 = 16. 100 = 6·16+4. Therefore, 9100=96·16+4=(916)6(9)4 . So mod 17 we have 9100 (916)6(9)4 (mod 17) (1)6(9)4 (mod 17) (81)2 (mod 17) 16 Public Key Cryptography -- II