CMSC 414 Computer and Network Security Lecture 4. Jonathan Katz. HW1 out. Randomized encryption. Deterministic encryption schemes cannot be secure against chosen-plaintext attacks. Nor can they be secure for encrypting multiple messages.
CMSC 414 Computer and Network Security Lecture 4. Jonathan Katz

Randomized encryption
• Deterministic encryption schemes cannot be secure against chosen-plaintext attacks
• Nor can they be secure for encrypting multiple messages
• To be secure against chosen-plaintext attack, encryption must be randomized
• Moral: always use randomized encryption!

Block ciphers
• Keyed, invertible permutation $F$
• Large key space, large block size
• Modeled as a (family of) random permutations…
• A block cipher is not an encryption scheme
• A block cipher can be used to build an encryption scheme (and other things as well)
• Example – the “trivial” encryption scheme:
  • $C = F_K(m)$
  • This is not randomized…

Data Encryption Standard (DES)
• Developed in 1970s by IBM / NSA / NBS
• Non-public design process
• 56-bit key, 64-bit input/output
  • A 64-bit key is derived from 56 random bits
  • One bit in each octet is a parity-check bit
• The “short” key length is a major concern…
• The “short” block length is also a concern

Concerns about DES
• Short key length
  • DES “cracker”, built for $250K, can break DES in days
  • Computation can be distributed to make it faster
  • Does not mean “DES is insecure”; depends on desired security
• Short block length
  • Repeated blocks happen “too frequently”
• Some (theoretical) attacks have been found
  • Claimed known to DES designers 15 years before public discovery!
• Non-public design process

3DES/triple-DES
• Expands the key length
• Now, key $K = (K_1, K_2)$; $|K| = 112$
• The “new” block cipher is just:
  • $E_{K_1,K_2}(m) = \mathrm{DES}_{K_1}(\mathrm{DES}^{-1}_{K_2}(\mathrm{DES}_{K_1}(m)))$
• This is a permutation, and invertible
• Fairly slow…but widely used in practice

AES
• Public contest sponsored by NIST in ’97
• Narrowed to 5 finalists
• 4 years of intense analysis
• Rijndael selected as the AES
• Supports variety of block/key sizes, but defaults to 128-bit key length and 128-bit block length
• $2^{128}$ is a huge number
  • Number of seconds since big bang (estimate): ~$2^{58}$
  • Number of nanoseconds since big bang: ~$2^{90}$
• Both efficiency and security taken into account
• The “most secure” finalist was not the one chosen

Other block ciphers?
• No compelling reason to use anything other than AES, in general
• Unless (possibly) you have very severe performance requirements
• Even then, think twice
• Same goes for stream ciphers

Modes of encryption
• Used for encrypting a long message $m_1, \ldots, m_n$
• ECB
  • $c_i = F_K(m_i)$; the ciphertext is $c_1, \ldots, c_n$
• CBC
  • IV; $c_i = F_K(m_i \oplus c_{i-1})$; the ciphertext is IV, $c_1, \ldots, c_n$
• OFB (stream cipher mode)
  • IV; $z_i = F_K(z_{i-1})$; $c_i = z_i \oplus m_i$; the ciphertext is IV, $c_1, \ldots, c_n$
• CTR (stream cipher mode)
  • IV; $z_i = F_K(\mathrm{IV}+i)$; $c_i = z_i \oplus m_i$; the ciphertext is IV, $c_1, \ldots, c_n$
• Others…

Security?
• ECB should not be used
  • Why?
• CBC, OFB, and CTR modes are secure against chosen-plaintext attacks
• CBC, OFB, and CTR modes are not secure against chosen-ciphertext attacks

Encryption does not provide integrity
• “Since encryption garbles the message, decryption of a ciphertext generated by an adversary must be unpredictable”
  • WRONG
  • E.g., one-time pad, CBC-/CTR-mode encryption
• Why is this a concern?
  • Lack of integrity can lead to lack of secrecy
• Almost always, integrity is needed in addition to secrecy
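
An added example (not part of the lecture slides) that makes the “Why?” on the ECB slide and the “WRONG” on the integrity slide concrete, using the ECB and CTR definitions from the modes slide. It assumes a toy block cipher `F` (a 4-round Feistel network over HMAC-SHA256 standing in for AES), a 16-byte block, messages that are a multiple of the block size for ECB, and a constructed sample message; all function names are this example's own.

```python
import hashlib, hmac, os

BLOCK = 16  # toy block size in bytes (assumption of this example)

def F(key, block):
    # Toy block cipher F_K: 4-round Feistel network with HMAC-SHA256 as the
    # round function. A stand-in for AES, not a vetted cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(m):
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb_encrypt(key, m):
    # c_i = F_K(m_i): deterministic, so equal plaintext blocks give equal ciphertext blocks
    return b"".join(F(key, b) for b in blocks(m))

def ctr_encrypt(key, m, iv=None):
    # z_i = F_K(IV + i); c_i = z_i XOR m_i; output is IV, c_1, ..., c_n
    iv = os.urandom(BLOCK) if iv is None else iv
    n, out = int.from_bytes(iv, "big"), iv
    for i, b in enumerate(blocks(m), start=1):
        z = F(key, ((n + i) % 2**128).to_bytes(BLOCK, "big"))
        out += xor(z, b)
    return out

def ctr_decrypt(key, c):
    # Decryption regenerates the same keystream from the IV carried in c
    return ctr_encrypt(key, c[BLOCK:], iv=c[:BLOCK])[BLOCK:]

def tamper(c, old, new, offset):
    # No key needed: XOR (old XOR new) into the ciphertext at a known offset
    i, delta = BLOCK + offset, xor(old, new)
    return c[:i] + xor(c[i:i + len(delta)], delta) + c[i + len(delta):]

if __name__ == "__main__":
    key, m = os.urandom(16), b"PAY ALICE $0100." * 2   # constructed sample message
    e = ecb_encrypt(key, m)
    print("ECB blocks equal:", e[:16] == e[16:])
    c = ctr_encrypt(key, m)
    print("CTR blocks equal:", c[16:32] == c[32:48])
    forged = tamper(c, b"$0100", b"$9100", offset=10)
    print("CTR decrypts forged ciphertext to:", ctr_decrypt(key, forged))
```

The forged ciphertext decrypts without any error, which is the reason the last slide says integrity is needed in addition to secrecy.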