Class 3: Cryptography Refresher II
CIS 755: Advanced Computer Security, Spring 2014
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S14/
Administrative stuff
• Project ideas posted
– Deadlines still TBA, but start looking…
• Quiz schedule on website
• Be sure to do the reading!!
Last time: Encryption
• Basic idea: someone seeing ciphertext learns nothing about plaintext without correct key
• With or without authentication
• Symmetric – based on tests/best guess
– e.g. AES (block cipher)
• Asymmetric – based on math assumptions
– e.g. RSA
• Example: WEP
– IV, RC4(IV, k) ⊕ (M, c(M))
– Claim: 24-bit IV + 40-bit key = 64-bit security
• On your right: text from Jonathan Katz
Aside: composability
• Is this secure against chosen-plaintext attacks?
– It is randomized…
• 40-bit key (in some implementations)!
– Claims that, with the IV, this gives a 64-bit effective key(!)
• And how is the IV chosen?
– Only 24 bits long, so IV repetitions are a problem!
– Reset to 0 upon re-initialization
– Some implementations increment the IV as a counter
• A repeating IV allows the attacker to compute the XOR of two plaintexts
– We have already discussed how damaging this can be
• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
– If portions of some plaintexts are known, this enables determination of other plaintexts
• Known-plaintext attacks discovered on this usage of RC4
– Possible because the first byte of plaintext is a fixed, known header!
• Chosen-plaintext attacks
– Send IP traffic/e-mail to the mobile host and watch it get forwarded
– Transmit broadcast messages to the access point
– Authentication spoofing
• No cryptographic integrity protection
– The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
– Allows IP redirection attack
– Allows TCP “reaction” attacks
• Look at whether the TCP checksum is valid
• Form of chosen-ciphertext attack
• Encryption used to provide authentication of the mobile station (access point sends a nonce; station returns an encryption of the nonce)
– Allows easy spoofing after eavesdropping
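Two of the WEP weaknesses listed above can be checked concretely. The following is an added example (not from the slides or from any WEP implementation): a plain RC4 keystream generator, the slide's frame layout IV, RC4(IV, k) ⊕ (M, c(M)) with c = CRC-32, a check that a repeated IV makes C1 ⊕ C2 equal M1 ⊕ M2 (the keystream cancels), a check that CRC-32 is affine (c(x ⊕ y) = c(x) ⊕ c(y) ⊕ c(0…0)) and therefore, being unkeyed, detects no deliberate change, and a defender-side scan for repeated IVs across captured frames. The key, IVs and messages are constructed test values; the 3-byte IV and 5-byte key match the slide's 24-bit + 40-bit claim.

```python
"""Added example: why the RC4(IV || k) construction on the slide fails.

Everything here is constructed for illustration; it is not code from the
course or from any WEP implementation.
"""
import zlib

IV_LEN = 3  # 24-bit IV, as on the slide


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Frame body as on the slide: IV || ( RC4(IV || k) XOR (M || c(M)) ), c = CRC-32."""
    crc = zlib.crc32(msg).to_bytes(4, "little")
    body = msg + crc
    return iv + xor(rc4_keystream(iv + key, len(body)), body)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """If both frames used the same IV (hence the same keystream),
    XOR of the ciphertext bodies equals XOR of the (M || c(M)) payloads."""
    return xor(frame1[IV_LEN:], frame2[IV_LEN:])


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 satisfies crc(a XOR b) == crc(a) XOR crc(b) XOR crc(0^n):
    the checksum has no key, so a modification to the message can be
    matched by a predictable modification to the checksum."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def repeated_ivs(frames) -> list:
    """Defender-side check over captured frames: which IVs were used more than once?"""
    counts = {}
    for f in frames:
        counts[f[:IV_LEN]] = counts.get(f[:IV_LEN], 0) + 1
    return [iv for iv, n in counts.items() if n > 1]


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    iv = b"\x00\x00\x00"                   # IV "reset to 0 upon re-initialization"
    m1, m2 = b"attack at dawn!", b"defend at dusk!"
    c1, c2 = wep_encrypt(key, iv, m1), wep_encrypt(key, iv, m2)
    print("same IV leaks M1 XOR M2:", keystream_reuse_leak(c1, c2)[:len(m1)] == xor(m1, m2))
    print("CRC-32 is affine:", crc32_is_affine(m1, m2))
    print("repeated IVs:", repeated_ivs([c1, c2, wep_encrypt(key, b"\x00\x00\x01", m1)]))
```

The `repeated_ivs` scan is the monitoring-side takeaway: with a 24-bit IV space and counters that restart at 0, repeats are expected in normal operation, which is why the only real fix is a construction that never reuses a keystream and carries a keyed integrity tag.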
Block cipher modes of operation
• ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS
• Differences, i.e. why do we care?
• Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?
• Some are parallelizable (GCM)
• Some are self-synchronizing (CFB)
Authenticity and integrity
• Basic ideas:
– Authenticity: the message was produced by a specific known subject
– Integrity: the message has not been altered between source and destination
• Authentication ≠ integrity
• Messages without integrity protection are vulnerable to chosen-ciphertext attack
Hash functions
• Collision-resistant (2^k or 2^(k/2))
• One-way
– Preimage (1st, 2nd) resistant (2^k)
• Entropy of input and entropy of output
– Output “looks random”
• Some hashes have partial proofs, e.g. reduction to AES
Symmetric authentication
• Message Authentication Codes (MACs)
• Pre-shared keys
• Symmetric means…?
– Either party can create a correct MAC
– Deniable
• Chained MACs… why?
• See TESLA authenticated multicast:
http://sparrow.ece.cmu.edu/~adrian/projects/tesla-cryptobytes/tesla-cryptobytes.pdf
MACs
• “Keyed hash” (MAC from a cryptographically-secure hash function)
– Hash or block cipher (CBC or CFB) MAC
• Hybrid modes, e.g. CBC-MAC
– Secrecy plus authenticity (2-party)
• Remember to use different keys for MAC and encryption… why?
MAC examples
• Example: HMAC
– h is a cryptographically-secure hash (or not!)
– HMAC_K(M) = h(K ⊕ pad1, h(K ⊕ pad2, M))
• Example: UMAC
http://www.springerlink.com/content/ft35c6ha1r8mgv8k/
• Encrypt-then-MAC provably more secure
– vs. MAC-then-Encrypt or MAC-and-Encrypt
More MACs
BAD: MAC_K(M) = h(K, M) or MAC_K(M) = h(M, K)
GOOD: HMAC_K(M) = h(K ⊕ pad1, h(K ⊕ pad2, M))
• Encrypt-then-MAC provably more secure
– vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page)
• Full encrypted and authenticated message: E_K1(M), MAC_K2(E_K1(M))
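The GOOD formula and the E_K1(M), MAC_K2(E_K1(M)) message above, worked through as an added example (not code from the slides): HMAC is built from the slide's two-level formula with SHA-256 and checked against Python's `hmac` module; separate keys K1 and K2 are derived from one master key, as the earlier MACs slide asks; the receiver verifies the tag with a constant-time comparison before it decrypts anything, which is the point of Encrypt-then-MAC. The encryption is counter mode, which also answers the trick question on the modes slide and the "block cipher in CTR mode" PRNG point that follows: the assumed stand-in for a block cipher is HMAC-SHA256 used as a PRF over nonce || counter, so the example runs with the standard library only; with AES in place of that PRF it would be AES-CTR. Master key, nonce and message are constructed values.

```python
"""Added example: HMAC from the slide's formula, key separation, and
Encrypt-then-MAC with verify-before-decrypt. Not course code; the PRF
used for counter mode is an assumed stand-in for a block cipher."""
import hashlib
import hmac

BLOCK = 64     # SHA-256 block size in bytes (the hash's "pad" width)
TAG_LEN = 32   # SHA-256 output length
NONCE_LEN = 16


def hmac_from_formula(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(M) = h((K XOR pad1) || h((K XOR pad2) || M)), pad1 = 0x5c.., pad2 = 0x36..
    Keys longer than one block are hashed first; all keys are zero-padded to BLOCK."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)   # pad2
    outer_key = bytes(b ^ 0x5C for b in key)   # pad1
    inner = hashlib.sha256(inner_key + msg).digest()
    return hashlib.sha256(outer_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check: the formula reproduces Python's own HMAC-SHA256."""
    return hmac_from_formula(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


def derive_keys(master: bytes):
    """K1 for encryption, K2 for the MAC: one key must never serve both roles."""
    k_enc = hmac.new(master, b"encryption key", hashlib.sha256).digest()
    k_mac = hmac.new(master, b"mac key", hashlib.sha256).digest()
    return k_enc, k_mac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: PRF(key, nonce || counter) for counter = 0, 1, 2, ...
    Each block is independent (parallelizable), and the output is a PRNG
    seeded by (key, nonce); XORing it into data makes a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(master: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Sender: E_K1(M) = nonce || (keystream XOR M); then MAC_K2 over the whole ciphertext."""
    k_enc, k_mac = derive_keys(master)
    ciphertext = nonce + xor(ctr_keystream(k_enc, nonce, len(msg)), msg)
    return ciphertext + hmac_from_formula(k_mac, ciphertext)


def verify_then_decrypt(master: bytes, packet: bytes):
    """Receiver: check the tag first (constant-time); only then decrypt.
    Returns the plaintext, or None if the tag does not verify."""
    k_enc, k_mac = derive_keys(master)
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac_from_formula(k_mac, ciphertext), tag):
        return None  # rejected before any decryption: no chosen-ciphertext oracle
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor(ctr_keystream(k_enc, nonce, len(body)), body)


if __name__ == "__main__":
    master = bytes(range(32))          # constructed master key
    nonce = b"\x11" * NONCE_LEN        # constructed; must be fresh per message
    packet = encrypt_then_mac(master, nonce, b"hello, CIS 755")
    print("round trip:", verify_then_decrypt(master, packet))
    tampered = bytearray(packet)
    tampered[NONCE_LEN] ^= 0x01        # flip one ciphertext bit
    print("tampered packet accepted?", verify_then_decrypt(master, bytes(tampered)) is not None)
```

Note the order of checks in `verify_then_decrypt`: a MAC-then-Encrypt receiver has to decrypt before it can verify, and the behaviour of that decryption step on malformed input is exactly what the chosen-ciphertext and "reaction" attacks on the WEP slide exploit.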
Random numbers
• True random numbers (RNG)
– “Quantum” entropy
• Pseudorandom numbers
– PRNG
• e.g. block cipher in CTR mode
– With refresh, more advanced features…