Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

Class 3: Cryptography Refresher II

CIS 755: Advanced Computer Security, Spring 2014

Eugene Vasserman

http://www.cis.ksu.edu/~eyv/CIS755_S14/

Administrative stuff

• Project ideas posted
  – Deadlines still TBA, but start looking…
• Quiz schedule on website
• Be sure to do the reading!!

Last time: Encryption

• Basic idea: someone seeing the ciphertext learns nothing about the plaintext without the correct key
• With or without authentication
• Symmetric – security based on testing/best guess (cryptanalysis)
  – e.g. AES (block cipher)
• Asymmetric – security based on mathematical assumptions
  – e.g. RSA

NEVER BUILD YOUR OWN WHEN A SOLUTION EXISTS!!!

• Example: WEP
  – IV, RC4(IV, k) ⊕ (M, c(M))
  – Claim: 24-bit IV + 40-bit key = 64-bit security

• The following text (on the right of the slide) is from Jonathan Katz

Aside: composability

• Is this secure against chosen-plaintext attacks?
  – It is randomized…
• 40-bit key (in some implementations)!
  – Claims that, with IV, this gives a 64-bit effective key(!)
• And how is the IV chosen?
  – Only 24 bits long – IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter
• A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have discussed already how this can be damaging
• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts are known, this enables determination of other plaintexts
• Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!
• Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to access point
  – Authentication spoofing
• No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP “reaction” attacks
    • Look at whether TCP checksum is valid
    • Form of chosen-ciphertext attack
• Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping

Block cipher modes of operation

• ECB, CBC, OFB, CTR, CFB, GCM, XEX, XTS
• Differences, i.e. why do we care?
• Trick question: what’s the difference between a block cipher, a stream cipher, and a pseudorandom number generator (PRNG)?
• Some are parallelizable (GCM)
• Some are self-synchronizing (CFB)

Modes of operation (ECB)

Images borrowed from Wikipedia :)

Modes of operation (CBC)

Modes of operation (CFB)

Modes of operation (CTR)

VS. ECB

Questions?

Authenticity and integrity

• Basic ideas:
  – Authenticity: the message was produced by a specific known subject
  – Integrity: the message has not been altered between source and destination
  – Authentication ≠ integrity
• Messages without integrity protection are vulnerable to chosen-ciphertext attack

Hash functions

• Collision-resistant (2^k or 2^(k/2))
• One-way
  – Preimage (1st, 2nd) resistant (2^k)
• Entropy of input and entropy of output
  – Output “looks random”
• Some hashes have partial proofs, e.g. reduction to AES

Symmetric authentication

• Message Authentication Codes (MACs)
• Pre-shared keys
• Symmetric means…?
  – Either party can create a correct MAC
  – Deniable
• Chained MACs… why?
• See TESLA authenticated multicast:
  http://sparrow.ece.cmu.edu/~adrian/projects/tesla-cryptobytes/tesla-cryptobytes.pdf

MACs

• “Keyed hash” (MAC from a cryptographically-secure hash function)
  – Hash, or block cipher (CBC or CFB), as the basis of a MAC
• Hybrid modes, e.g. CBC-MAC
  – Secrecy plus authenticity (2-party)
• Remember to use different keys for MAC and encryption… why?

MAC examples

• Example: HMAC
  – h is a cryptographically-secure hash (or not!)
  – HMAC_K(M) = h(K ⊕ pad1, h(K ⊕ pad2, M))
• Example: UMAC
  http://www.springerlink.com/content/ft35c6ha1r8mgv8k/
• Encrypt-then-MAC provably more secure
  – vs. MAC-then-Encrypt or MAC-and-Encrypt

More MACs

BAD: MAC_K(M) = h(K, M) or MAC_K(M) = h(M, K)

GOOD: HMAC_K(M) = h(K ⊕ pad1, h(K ⊕ pad2, M))

• Encrypt-then-MAC provably more secure
  – vs. MAC-then-Encrypt or MAC-and-Encrypt (see “Cool stuff” section of web page)
• Full encrypted and authenticated message: E_K1(M), MAC_K2(E_K1(M))
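Added example (not from the slides or from Katz's text): a stdlib-only Python sketch of the two WEP failure modes discussed earlier, keystream reuse under a repeated IV leaking m1 ⊕ m2 and an unkeyed linear checksum, beside the Encrypt-then-MAC construction E_K1(M), MAC_K2(E_K1(M)) with separate keys. It assumes HMAC-SHA256 as the PRF driving a CTR-mode keystream (a stand-in for a block cipher, not WEP's RC4); all keys and messages are constructed.

```python
import hashlib, hmac, os, struct, zlib

TAG_LEN = 32  # HMAC-SHA256 tag length

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Block cipher in CTR mode is a PRNG: keystream block i = F_k(nonce || i).
    # Constructed example: HMAC-SHA256 stands in for the block cipher as the PRF
    # (not WEP's RC4); the reuse/integrity properties shown do not depend on it.
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        i += 1
    return out[:length]

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))  # same op for enc and dec

def keystream_reuse_leaks_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    # WEP's repeated-IV problem: two messages under one (key, IV) share a
    # keystream, so c1 ^ c2 == m1 ^ m2 without any key material.
    c1, c2 = ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2)
    return xor(c1, c2) == xor(m1, m2)

def crc_is_linear(x: bytes, y: bytes) -> bool:
    # Unkeyed checksum linear over XOR: c(x ^ y) == c(x) ^ c(y). zlib's CRC-32 is
    # affine (length-dependent constant), so the CRC of a same-length all-zero
    # message is XORed in to cancel that constant.
    zero = bytes(len(x))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(zero)

def seal(k_enc: bytes, k_mac: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC with separate keys: E_K1(M), MAC_K2(E_K1(M)).
    nonce = os.urandom(16)  # fresh per message; never reuse with the same key
    ct = nonce + ctr_crypt(k_enc, nonce, msg)
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()

def open_sealed(k_enc: bytes, k_mac: bytes, blob: bytes):
    # Verify the tag first: only a tag-valid ciphertext is ever decrypted.
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, ct, hashlib.sha256).digest()
    if len(ct) < 16 or not hmac.compare_digest(expected, tag):
        return None  # altered or forged: reject, decrypt nothing
    return ctr_crypt(k_enc, ct[:16], ct[16:])
```

Because the tag covers the nonce and ciphertext, a flipped ciphertext bit that a linear CRC would let through is rejected before any decryption takes place.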

Random numbers

• True random numbers (RNG)
  – “Quantum” entropy
• Pseudorandom numbers – PRNG
  – e.g. block cipher in CTR mode
  – With refresh, more advanced features…

Questions?