1 / 23

15-349 Introduction to Computer and Network Security

15-349 Introduction to Computer and Network Security. Iliano Cervesato 26 August 2008 – Modern Cryptography. Where we are. Course intro Cryptography Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols

etana
Télécharger la présentation

15-349 Introduction to Computer and Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 15-349Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography

  2. Where we are • Course intro • Cryptography • Intro to crypto • Modern crypto • Symmetric encryption • Asymmetric encryption • Beyond encryption • Cryptographic protocols • Attacking protocols • Program/OS security & trust • Networks security • Beyond technology

  3. Outline • Cryptographic schemes • Design principles • Confusion and diffusion • Randomization • Kerchoff’s principle • Mathematical foundations • Computational complexity • One-way functions • Trapdoors • What is a secure cipher?

  4. (Symmetric) Encryption Schemes (K, E, D) • Key generation algorithm • K : {0,1}k • Encryption algorithm • E : {0,1}a x {0,1}k{0,1}c • Ek : {0,1}a{0,1}c • Decryption algorithm • D: {0,1}c x {0,1}k{0,1}a • Dk : {0,1}c{0,1}a

  5. What makes a cipher good ? • behaves as expected • Functionally sound • based on mathematics • Confusion and diffusion • examined by experts • Open design • stood the test of time • Moore’s law

  6. Functional requirements E, D : {0,1}n x {0,1}k{0,1}n • Dk(Ek(m)) = m • For every k, Ek is an injection with inverse Dk • Ek(m) is easy to compute, given m and k • Dk(x) is easy to compute, given x and k • Polynomial in max{n,k} - often linear • If x = Ek(m), it is hard to find m without k • Exponential in k

  7. Confusion Replace symbol with another Hide plaintext symbols Diffusion Mix up symbols Spread plaintext around Confusion and Diffusion WHATANI WHATANI ZZZJUCL ANWIHAT Modern ciphers are a combination

  8. Augmenting diffusion • Make it harder for attacker • Repeated encryptions of same text are different • Randomization • Ek : {0,1}ax {0,1}r{0,1}c • Dk : {0,1}c{0,1}a • It must be that c > a • Part of all modern ciphers

  9. Open Design Kerchoff’s Principle (1883) The security of a cryptosystem must not depend on keeping the algorithm secret No security by obscurity • Better • Lots of smart but innocuous people dissect it • Than a single smart malicious

  10. Shannon’s criteria • Strength of cipher proportional to effort • Keys should be simple • Implementation should be simple • Errors should not propagate • Size of ciphertext same as plaintext

  11. Critique to Shannon’s Criteria Shannon’s criteria based on manual process • Strength of cipher proportional to effort • Strength should be depend on value, cost, time • Keys should be simple • Not necessarily • Implementation should be simple • Efficient! • Errors should not propagate • Yes, many countermeasures nowadays • Size of ciphertext same as plaintext • Not necessarily Computers allow powerful automation

  12. Computational problems • Finite space of solutions • Always decidable • Can grow in size (n) • Bigger size, bigger solution space • Questions • How hard is it to find a solution? • How hard is it to verify a solution? • “Hard” = amount of time • Generic algorithms • Best algorithm possible • Not special cases!

  13. Computational classes • P • Finding solution polynomial in n • Element lookup in list – O(n) • Sorting a list – O(n2) • Verifying solution also polynomial in n • NP • Verifying solution polynomial in n • Finding solution may not be polynomial in n • Polynomial if we can “guess” • Polynomial if we can try solutions in parallel • EXP • Finding solution exponential in n • Verifying solution may not be polynomial in n

  14. Computational complexity • P  NP  EXP • P  EXP • P = NP ? • Open problem • Believed false EXP NP P n n2 n3 n100 2n 22n

  15. NP-Complete problems • In NP • As hard or harder than any other NP problem • Represent all NP problems • If polynomial solution exists, all NP problems have one • P = NP • If not, no NP-complete problem has one • P  NP • Characteristics • Always solvable • Verifying solution is polynomial • No known polynomial way to find solution • Exponential as far as we know

  16. Computation in practice • Bounded by time • If a small polynomial instance is solvable • Slightly larger instance also solvable • Possibly with tomorrow’s technology • If a small exponential instance is solvable • Slightly larger instance may not be solvable • Maybe not even with tomorrow’s technology • … but Moore’s law is exponential? • Physical limitations • Can always choose a big enough instance

  17. NP-Completeness and Crypto • Require attacker to solve an NP-complete problem to find plaintext • Exponential work in n • But … • Crumbles if P = NP • May be easy for small n • Side channel attacks • Advances in technology • But Moore’s law is exponential ?? • Trends in cryptography • Rely on problems that are harder than NP • Quantum cryptography

  18. One-way functions • Easy to compute • f(i)  o • Evaluation in P • Linear • Hard to invert • f-1(o)  I • Inverse is NP-complete • Foundations of • Hashing Easy – P f input output Hard – NP

  19. One-way functions with trapdoor • Easy to compute • f(i,t)  o • Encryption in P • Linear • Hard to invert normally • f-1(o)  i • Decryption without key is NP-complete • Easy to invert through trapdoor • f-1(o,t)  i • Decryption with key in P • Linear • Foundations of • Encryption • Digital signatures Easy – P Hard – NP f input output Easy – P trapdoor

  20. Some NP-complete Problems • Boolean satisfiability • Is there an assignment of boolean value that make a formula in conjunctive normal form true? • Knapsack • Is there a way to fill a bag of a given size completely with objects of various sizes? • Cliques • Does a graph have a complete subgraph of a given size? • Discrete logarithm • Is there a such that ga mod n = b • Integer factorization • What are the prime factors of number n?

  21. When is a Cipher Secure? m m Polynomial adversary cannot tell a real encryption box from a fake one Ek(_) Ek(0) x x

  22. Formal Definition Let • E: {0,1}a x {0,1}k{0,1}c • A(xm) = 1 iff x = Ek(m) • A algorithm polynomial in key length k • xm = Ek(m) (K,E,D) is a secure encryption scheme if  polynomial p(_) K s.t. k > K  k  {0,1}k Pr[A(xmm) = 1] - Pr[A(x0m) = 1] < 1/p(k)

  23. Key length • The strength of a cipher is given by the length of the key • Strength is non-polynomial in k • 10% longer key requires much more than 10% extra work • Often each extra bit doubles the effort • To get a stronger cipher, make key longer! • Guideline for modern ciphers • Ciphers with variable key length • RSA • AES • Not sufficient for bad ciphers!

More Related