1 / 16

CMSC 414 Computer (and Network) Security Lecture 4

CMSC 414 Computer (and Network) Security Lecture 4. Jonathan Katz. Some examples. (Shift cipher) (Substitution cipher) (Vigenere cipher). Moral of the story?. Key space should be large Necessary, but not sufficient Don’t use “simple” schemes Thoroughly analyze schemes before using

awheeler
Download Presentation

CMSC 414 Computer (and Network) Security Lecture 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CMSC 414Computer (and Network) SecurityLecture 4 Jonathan Katz

  2. Some examples • (Shift cipher) • (Substitution cipher) • (Vigenere cipher)

  3. Moral of the story? • Key space should be large • Necessary, but not sufficient • Don’t use “simple” schemes • Thoroughly analyze schemes before using • Better yet, use schemes that other, smarter people have already analyzed…

  4. Re-thinking the problem • What do we mean by security? • I.e., not being able to determine the key?? • Types of attacks • Perfect security • One-time pad • Computational security • Block ciphers and modes of encryption • DES and AES

  5. Notions of Security • What constitutes a “break”? • What kind of attacks? • Note: always assume adversary knows full details of the scheme (except the key…) • Never aim for “security through obscurity”

  6. Security goals? • Adversary unable to recover the key • Necessary, but meaningless on its own… • Adversary unable to recover entire plaintext • Good, but is it enough? • Adversary unable to determine any information at all about the plaintext • Sounds great! • Can we achieve it?

  7. One-time pad • (One-time pad)

  8. Properties of one-time pad? • Achieves perfect secrecy (proof) • No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext • (Essentially) useless in practice… • Long key length • Can only be used once (hence the name!)

  9. Weaken security guarantee? • Instead of requiring that no adversary can learn anything about the plaintext… • …require that no adversary running in any “reasonable amount of time” can learn anything about the plaintext except with “very small probability” • “Reasonable time” = 106 years • “Very small probability” = 2-64 • Computational security

  10. Simpler characterization? • Equivalent to the following, simpler definition: • Given a ciphertext C which is known to be an encryption of either M0 or M1, an adversary cannot guess which one was actually encrypted • More precisely, no adversary running in reasonable amount of time can guess correctly with probability significantly better than ½.

  11. The take-home message • Weakening the definition slightly allows us to construct much more efficient schemes! • Strictly speaking, no longer 100% absolutely guaranteed to be secure • Security of encryption now depends on security of building blocks (which are analyzed extensively, and are assumed to be secure) • Given enough time, the scheme can be broken

  12. Security? • We now have a working definition of what it means for encryption to be secure • What sort of attacks should we consider?

  13. Attacks • Ciphertext only • Known plaintext • Chosen plaintext • Chosen ciphertext (includes chosen plaintext attacks)

  14. Attacks… • A typical standard is security against chosen-plaintext attacks • Security against chosen-ciphertext attacks is increasingly required • Note that the one-time pad is insecure against known-plaintext attack

  15. Randomized encryption • To be secure against chosen-plaintext attack, encryption must be randomized • We will see later how this comes into play

  16. Block ciphers • Keyed permutation; input/output length • Large key space • Modeled as a (family of) random permutations… • Example – “trivial” encryption: • C = FK(m) • This is not randomized…

More Related