
CMSC 414 Computer and Network Security Lecture 4

CMSC 414 Computer and Network Security Lecture 4. Jonathan Katz. HW1 out. Randomized encryption. Deterministic encryption schemes cannot be secure against chosen-plaintext attacks. Nor can they be secure for encrypting multiple messages.


Presentation Transcript


  1. CMSC 414 Computer and Network Security, Lecture 4. Jonathan Katz

  2. HW1 out

  3. Randomized encryption
     • Deterministic encryption schemes cannot be secure against chosen-plaintext attacks
     • Nor can they be secure for encrypting multiple messages
     • To be secure against chosen-plaintext attack, encryption must be randomized
     • Moral: always use randomized encryption!

  4. Block ciphers
     • Keyed, invertible permutation $F$
     • Large key space, large block size
     • Modeled as a (family of) random permutations…
     • A block cipher is not an encryption scheme
     • A block cipher can be used to build an encryption scheme (and other things as well)
     • Example – the “trivial” encryption scheme:
     • $C = F_K(m)$
     • This is not randomized…

  5. Data Encryption Standard (DES)
     • Developed in 1970s by IBM / NSA / NBS
     • Non-public design process
     • 56-bit key, 64-bit input/output
     • A 64-bit key is derived from 56 random bits
     • One bit in each octet is a parity-check bit
     • The “short” key length is a major concern…
     • The “short” block length is also a concern

  6. Concerns about DES
     • Short key length
     • DES “cracker”, built for $250K, can break DES in days
     • Computation can be distributed to make it faster
     • Does not mean “DES is insecure”; depends on desired security
     • Short block length
     • Repeated blocks happen “too frequently”
     • Some (theoretical) attacks have been found
     • Claimed known to DES designers 15 years before public discovery!
     • Non-public design process

  7. 3DES/triple-DES
     • Expands the key length
     • Now, key $K = (K_1, K_2)$; $|K| = 112$
     • The “new” block cipher is just:
     • $E_{K_1,K_2}(m) = \mathrm{DES}_{K_1}(\mathrm{DES}^{-1}_{K_2}(\mathrm{DES}_{K_1}(m)))$
     • This is a permutation, and invertible
     • Fairly slow…but widely used in practice

  8. AES
     • Public contest sponsored by NIST in ’97
     • Narrowed to 5 finalists
     • 4 years of intense analysis
     • Rijndael selected as the AES
     • Supports variety of block/key sizes, but defaults to 128-bit key length and 128-bit block length
     • $2^{128}$ is a huge number
     • Number of seconds since big bang (estimate): ~$2^{58}$
     • Number of nanoseconds since big bang: ~$2^{90}$
     • Both efficiency and security taken into account
     • The “most secure” finalist was not the one chosen

  9. Other block ciphers?
     • No compelling reason to use anything other than AES, in general
     • Unless (possibly) you have very severe performance requirements
     • Even then, think twice
     • Same goes for stream ciphers

  10. Modes of encryption
     • Used for encrypting a long message $m_1, \ldots, m_n$
     • ECB: $c_i = F_K(m_i)$; the ciphertext is $c_1, \ldots, c_n$
     • CBC: IV; $c_i = F_K(m_i \oplus c_{i-1})$; the ciphertext is $IV, c_1, \ldots, c_n$
     • OFB (stream cipher mode): IV; $z_i = F_K(z_{i-1})$; $c_i = z_i \oplus m_i$; the ciphertext is $IV, c_1, \ldots, c_n$
     • CTR (stream cipher mode): IV; $z_i = F_K(IV + i)$; $c_i = z_i \oplus m_i$; the ciphertext is $IV, c_1, \ldots, c_n$
     • Others…

  11. Security?
     • ECB should not be used
     • Why?
     • CBC, OFB, and CTR modes are secure against chosen-plaintext attacks
     • CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks

  12. Message integrity

  13. Encryption does not provide integrity
     • “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable”
     • WRONG
     • E.g., one-time pad, CBC-/CTR-mode encryption
     • Why is this a concern?
     • Lack of integrity can lead to lack of secrecy
     • Almost always, integrity is needed in addition to secrecy
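
The CTR mode of slide 10 and the integrity claim of slide 13, as an added example that is not part of the original lecture: the same message encrypts to different ciphertexts under fresh IVs, yet a ciphertext modified without the key still decrypts to a predictable plaintext. The function names, the sample message, and the use of truncated HMAC-SHA256 as a stand-in for $F_K$ are assumptions of this example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block length in bytes (128 bits)

def F(key: bytes, block: bytes) -> bytes:
    # Stand-in for F_K (assumption of this example): HMAC-SHA256 truncated to
    # one block. CTR mode never inverts F, so a pseudorandom function suffices.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # z_i = F_K(IV + i); output block i = z_i XOR data block i (i = 1..n).
    start, out = int.from_bytes(iv, "big"), b""
    for n, off in enumerate(range(0, len(data), BLOCK), start=1):
        counter = (start + n) % (1 << (8 * BLOCK))
        z = F(key, counter.to_bytes(BLOCK, "big"))
        out += xor(z, data[off:off + BLOCK])
    return out

def ctr_encrypt(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)  # fresh random IV makes encryption randomized
    return iv + keystream_xor(key, iv, msg)

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    return keystream_xor(key, ct[:BLOCK], ct[BLOCK:])

def tamper(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    # No key needed: XOR (known XOR wanted) into the ciphertext at the
    # position of a plaintext fragment whose value is known or guessed.
    pos, delta = BLOCK + offset, xor(known, wanted)
    return ct[:pos] + xor(ct[pos:pos + len(delta)], delta) + ct[pos + len(delta):]

def demo():
    key = os.urandom(32)
    msg = b"PAY 0100 USD TO ACCOUNT 12345678"  # constructed sample message
    c1, c2 = ctr_encrypt(key, msg), ctr_encrypt(key, msg)
    modified = tamper(c1, 4, b"0100", b"9100")
    # (same plaintext gives different ciphertexts, honest decryption,
    #  decryption of the modified ciphertext)
    return c1 != c2, ctr_decrypt(key, c1), ctr_decrypt(key, modified)

if __name__ == "__main__":
    print(demo())
```

The receiver has no way to tell the modified ciphertext from an honest one, which is why the lecture treats message integrity as a separate requirement from secrecy.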
