
CMSC 414 Computer and Network Security Lecture 5



  1. CMSC 414 Computer and Network Security, Lecture 5. Jonathan Katz

  2. Announcements • Midterm on March 15

  3. Modes of encryption
  • Used for encrypting a long message m_1, …, m_n
  • ECB: C_i = F_K(m_i); the ciphertext is (C_1, …, C_n)
  • CBC: pick an IV; C_i = F_K(m_i ⊕ C_{i-1}), with C_0 = IV; the ciphertext is (IV, C_1, …, C_n)
  • OFB (stream cipher mode): pick an IV; z_0 = IV, z_i = F_K(z_{i-1}); C_i = z_i ⊕ m_i; the ciphertext is (IV, C_1, …, C_n)
  • CTR (stream cipher mode): pick an IV; z_i = F_K(IV + i); C_i = z_i ⊕ m_i; the ciphertext is (IV, C_1, …, C_n)
  • Others…

  4. Security?
  • ECB should not be used
  • Why?
  • Not even secure against ciphertext-only attacks

  5. The effect of ECB mode [images: the original picture, and the same picture encrypted using ECB mode] *Images from Wikipedia
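The four modes from slide 3 and the ECB leak from slides 4 and 5, worked through in code. This is an added example, not code from the lecture: the block cipher F_K is a toy 4-round Feistel network with an HMAC-SHA256 round function (an assumption made here so the example runs with the standard library alone; it is not a cipher the slides name), and the modes are written exactly as the slides define them, without any padding scheme.

```python
import hmac
import hashlib
import os

BLOCK = 16  # block size in bytes; plays the role of the slides' n-bit block cipher with n = 128

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher standing in for F_K (assumption of this example): a 4-round Feistel
# network is a permutation whatever the round function, so it can be inverted for ECB/CBC.
def _round(k, i, half):
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def F(k, block):
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R

def F_inv(k, block):
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        R, L = L, xor(R, _round(k, i, L))
    return L + R

def blocks(m):
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

# ECB: C_i = F_K(m_i). Message length must be a multiple of BLOCK (the slides define no padding).
def ecb_encrypt(k, m):
    assert len(m) % BLOCK == 0
    return b"".join(F(k, b) for b in blocks(m))

def ecb_decrypt(k, c):
    return b"".join(F_inv(k, b) for b in blocks(c))

# CBC: C_i = F_K(m_i XOR C_{i-1}) with C_0 = IV; the ciphertext is (IV, C_1, ..., C_n).
def cbc_encrypt(k, m, iv=None):
    assert len(m) % BLOCK == 0
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for b in blocks(m):
        prev = F(k, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, c):
    cs = blocks(c)  # cs[0] is the IV
    return b"".join(xor(F_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

# OFB: z_0 = IV, z_i = F_K(z_{i-1}), C_i = z_i XOR m_i. A stream mode: only F (never F_inv) is
# needed, and a final partial block is simply XORed with a truncated keystream block.
def ofb_encrypt(k, m, iv=None):
    z = iv or os.urandom(BLOCK)
    out = [z]
    for b in blocks(m):
        z = F(k, z)
        out.append(xor(b, z))
    return b"".join(out)

def ofb_decrypt(k, c):
    return ofb_encrypt(k, c[BLOCK:], iv=c[:BLOCK])[BLOCK:]

# CTR: z_i = F_K(IV + i), C_i = z_i XOR m_i; the counter is the IV read as a big-endian integer.
def ctr_encrypt(k, m, iv=None):
    iv = iv or os.urandom(BLOCK)
    base = int.from_bytes(iv, "big")
    out = [iv]
    for i, b in enumerate(blocks(m), start=1):
        z = F(k, ((base + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big"))
        out.append(xor(b, z))
    return b"".join(out)

def ctr_decrypt(k, c):
    return ctr_encrypt(k, c[BLOCK:], iv=c[:BLOCK])[BLOCK:]

# Slides 4-5: equal plaintext blocks give equal ciphertext blocks under ECB, so the
# ciphertext's block structure reveals the plaintext's structure without any key.
def distinct_blocks(c):
    return len(set(blocks(c)))

if __name__ == "__main__":
    k, m = os.urandom(16), b"A" * 64            # constructed key and a message of four equal blocks
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(k, m)))          # 1
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(k, m)[BLOCK:]))  # 4
```

The ECB count of distinct blocks is the whole point of the Wikipedia picture: every repeated 16-byte run of the image maps to the same ciphertext block. Under CBC, OFB or CTR the same input gives distinct blocks because each block's input to F (or its keystream) depends on the IV and the position.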

  6. Other modes
  • CBC, OFB, and CTR modes are secure against chosen-plaintext attacks
  • CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks
  *Images from Wikipedia

  7. Message integrity

  8. Message integrity [diagram: message m is sent; a possibly different message m’ is received]

  9. Encryption does not provide integrity
  • “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable”
  • WRONG
  • E.g., one-time pad, CBC-/CTR-mode encryption
  • Why is this a concern?
  • Almost always, integrity is needed in addition to secrecy
  • Lack of integrity can lead to lack of secrecy
  • Use message authentication codes (MACs)

  10. Message authentication code (MAC)
  • In the private-key setting, the tool for achieving message integrity is a MAC
  • Functionality:
    • MAC_K(m) = t (we call t the “tag”)
    • Vrfy_K(m, t) = 0/1 (“1” = “accept” / “0” = “reject”)
    • Correctness…

  11. MAC usage [diagram: Alice computes t = MAC_k(m) and sends (m, t) to Bob; Bob receives (m’, t’) and checks Vrfy_k(m’, t’)]
  • Shared key k
  • Sender computes a tag t on the message m using k
  • Receiver verifies the message/tag pair using k

  12. MAC usage [diagram: the two parties share the key K]
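Slide 9's claim and slides 10 and 11's remedy, as an added example that is not part of the lecture. The one-time pad is the slide's own example of encryption without integrity; HMAC-SHA256 is this example's choice of MAC (the slides define MAC_k and Vrfy_k abstractly and name no construction), and the message, pad and key are constructed here.

```python
import hmac
import hashlib
import os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# One-time pad, slide 9's example: the pad is a random key as long as the message.
def otp_encrypt(pad, m):
    return xor(pad, m)

otp_decrypt = otp_encrypt  # XOR is its own inverse

# Slide 9: without the key, whoever knows where a field sits in the plaintext can change
# the ciphertext so it decrypts to a predictable, different message. XORing (old ^ new)
# into ciphertext byte `pos` turns plaintext byte `old` into `new`, and decryption
# raises no error, because a pad hides content but does not bind it.
def ciphertext_edit(c, pos, old, new):
    return c[:pos] + bytes([c[pos] ^ old ^ new]) + c[pos + 1:]

# Slide 10: MAC_k(m) = t and Vrfy_k(m, t) = 1/0. HMAC-SHA256 is this example's MAC;
# compare_digest keeps the tag comparison constant-time.
def MAC(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def Vrfy(k, m, t):
    return 1 if hmac.compare_digest(MAC(k, m), t) else 0

# Slide 11: Alice tags with the shared key, Bob verifies whatever pair actually arrives.
def alice_send(k, m):
    return m, MAC(k, m)

def bob_receive(k, m_received, t_received):
    return Vrfy(k, m_received, t_received)

def demo(k, pad, m=b"amount=100"):
    """Returns (what the edited ciphertext decrypts to,
                Vrfy on the genuine (m, t), Vrfy on the edited message with the same t)."""
    c = otp_encrypt(pad, m)
    c_edited = ciphertext_edit(c, pos=m.index(b"1"), old=ord("1"), new=ord("9"))
    m_edited = otp_decrypt(pad, c_edited)   # b"amount=900": decrypts cleanly, wrong amount
    m_sent, t = alice_send(k, m)            # with a tag attached, the edit is caught
    return m_edited, bob_receive(k, m_sent, t), bob_receive(k, m_edited, t)

if __name__ == "__main__":
    key, pad = os.urandom(32), os.urandom(10)   # constructed key and pad
    print(demo(key, pad))                       # (b'amount=900', 1, 0)
```

The second and third return values are the two halves of slide 10's functionality: correctness (the genuine pair verifies) and the integrity guarantee (a changed message no longer verifies under the old tag). Encryption alone gives Bob neither.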

  13. Defining security
  • Attack model:
    • A random key k is chosen
    • Attacker is allowed to obtain t_1 = MAC_k(m_1), …, t_q = MAC_k(m_q) for any messages m_1, …, m_q of its choice
    • Attacker is successful if it outputs a forgery, i.e., (m, t) with:
      • m ≠ m_i for all i
      • Vrfy_k(m, t) = 1
  • For any time-bounded adversary, the probability of a successful attack should be small

  14. Defining security
  • Is the definition too strong?
    • When would an attacker be able to obtain tags on any messages of its choice?
    • Why do we count it as a break if the adversary outputs a forgery on a “meaningless” message?
  • Main point: we want a secure MAC to be usable in any setting where message integrity is needed

  15. Replay attacks
  • A MAC inherently cannot prevent replay attacks
  • Replay attacks must be prevented at a higher level of the protocol!
    • (Note that whether a replay is ok is application-dependent)
  • Replay attacks can be prevented using nonces, timestamps, etc.
  • Will discuss more later
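Slide 15 in code, as an added example rather than anything from the lecture: a receiver that checks only the tag accepts a re-sent (m, t) every time, and a sequence number (one of the nonce-style mechanisms the slide mentions) covered by the tag and tracked by the receiver is what rules the replay out. HMAC-SHA256 as the MAC, the 8-byte big-endian counter, and the sample messages are assumptions of this example.

```python
import hmac
import hashlib

def MAC(k, m):
    return hmac.new(k, m, hashlib.sha256).digest()

def Vrfy(k, m, t):
    return 1 if hmac.compare_digest(MAC(k, m), t) else 0

# Slide 15, first bullet: a receiver that only verifies the tag accepts a captured (m, t)
# pair every time it is re-sent; nothing in the MAC distinguishes fresh from replayed.
class PlainReceiver:
    def __init__(self, k):
        self.k = k

    def receive(self, m, t):
        return Vrfy(self.k, m, t)

# Replay protection "at a higher level of the protocol": the sender numbers each message,
# the tag covers the number together with the message, and the receiver remembers which
# numbers it has already accepted. The counter encoding is this example's assumption.
class Sender:
    def __init__(self, k):
        self.k, self.seq = k, 0

    def send(self, m):
        self.seq += 1                      # never reused under the same key
        t = MAC(self.k, self.seq.to_bytes(8, "big") + m)
        return self.seq, m, t

class Receiver:
    def __init__(self, k):
        self.k, self.seen = k, set()

    def receive(self, seq, m, t):
        if not Vrfy(self.k, seq.to_bytes(8, "big") + m, t):
            return 0                       # tag does not match: modified or forged
        if seq in self.seen:
            return 0                       # valid tag, but already accepted once: replay
        self.seen.add(seq)
        return 1

def demo(k=b"constructed shared key"):
    """Returns (plain: first delivery, plain: replay,
                numbered: first delivery, numbered: replay, numbered: number changed)."""
    plain = PlainReceiver(k)
    m, t = b"pay 100", MAC(k, b"pay 100")
    plain_first, plain_replay = plain.receive(m, t), plain.receive(m, t)

    sender, receiver = Sender(k), Receiver(k)
    seq, m, t = sender.send(b"pay 100")
    first = receiver.receive(seq, m, t)
    replay = receiver.receive(seq, m, t)          # the same triple delivered again
    renumbered = receiver.receive(seq + 1, m, t)  # number bumped, tag not recomputed: rejected
    return plain_first, plain_replay, first, replay, renumbered

if __name__ == "__main__":
    print(demo())   # (1, 1, 1, 0, 0)
```

The `seen` set grows without bound; a real receiver keeps a high-water mark or a sliding window instead, and a timestamp-based variant needs a tolerance window for clock skew. Either way the freshness check is protocol logic layered on top of the MAC, which is the slide's point.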

  16. A MAC for short messages
  • Let F be a block cipher with n-bit output
  • To authenticate m using key k, compute t = F_k(m)
  • Vrfy_k(m, t): output 1 iff t = F_k(m)
  • Why is this secure?

  17. (Informal) sketch of security
  • Replace F_k with a random permutation f
    • Can do this since F is a block cipher
  • Seeing f(m_1), …, f(m_q) does not help to predict f(m) for any m ∉ {m_1, …, m_q}
  • If adversary outputs (m, t), the probability that t is correct is roughly 2^-n
  • For n large enough, the probability of forgery is small
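The short-message MAC of slide 16, played inside the attack game of slide 13, under the random-permutation idealisation of slide 17. This is an added example, not the lecture's code: for a small n the permutation f is built explicitly by shuffling 0..2^n-1 with a key-seeded generator, which is an illustration device only (a real block cipher is a keyed pseudorandom permutation on 128-bit blocks and is not constructed this way); n = 8 and q = 16 are chosen here so the forgery probability is large enough to measure.

```python
import random

# Slide 17 replaces F_k by a random permutation f on n-bit strings. For small n this
# example builds f explicitly (assumption for illustration; not how a cipher is built).
def random_permutation(n, key):
    f = list(range(1 << n))
    random.Random(key).shuffle(f)
    return f

# Slide 16: for an n-bit message m, t = f(m); Vrfy outputs 1 iff t == f(m).
def mac(f, m):
    return f[m]

def vrfy(f, m, t):
    return 1 if f[m] == t else 0

def accepting_tags(f, n, m):
    """Number of tags t in {0, ..., 2^n - 1} that vrfy accepts for m: exactly one,
    because f(m) is a single value, so a blind guess succeeds with probability 2^-n."""
    return sum(vrfy(f, m, t) for t in range(1 << n))

def forgery_probability(n, q):
    """Exact value in the random-permutation model: the q tags already seen rule out q
    values, the tag of a fresh m is uniform over the remaining 2^n - q values, so the best
    possible guess succeeds with probability 1 / (2^n - q), which is roughly 2^-n."""
    return 1 / ((1 << n) - q)

def estimate_forgery_rate(n, q, trials, seed=0):
    """Play slide 13's game `trials` times: fresh key, q chosen-message queries, then one
    forgery attempt on a message outside the queried set using the best available guess
    (a tag value not yet seen). Returns the fraction of successful forgeries."""
    rng = random.Random(seed)
    wins = 0
    for trial in range(trials):
        f = random_permutation(n, key=seed * 1_000_003 + trial)   # fresh random key
        queried = rng.sample(range(1 << n), q)                     # m_1, ..., m_q
        seen = {mac(f, m) for m in queried}                        # t_1, ..., t_q
        fresh = rng.choice([m for m in range(1 << n) if m not in queried])
        guess = rng.choice([t for t in range(1 << n) if t not in seen])
        wins += vrfy(f, fresh, guess)
    return wins / trials

if __name__ == "__main__":
    n, q = 8, 16
    print("exact:", forgery_probability(n, q))                      # 1/240
    print("measured:", estimate_forgery_rate(n, q, trials=10000))   # close to 1/240
```

Seeing q tags shrinks the attacker's candidate set from 2^n to 2^n - q, and that is all it learns; for n = 128 and any feasible q the difference is immaterial, which is the "for n large enough" bullet. The example also shows why the construction is for short messages only: mac takes a single n-bit block, and nothing here says what to do with a longer m.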
