Crypto concepts: Background
Source: dawnsong/teaching/f12-cs161/lect…
Guest lecturer: Mario Frank. Slide credits: Dan Boneh.
Cryptography

Is:
– A tremendous tool
– The basis for many security mechanisms

Is not:
– The solution to all security problems
– Reliable unless implemented and used properly
– Something you should try to invent yourself
  • Need to subject your designs to outside review
  • Need considerable experience
Goal 1: Secure communication
No eavesdropping, no tampering
Secure Sockets Layer / TLS
Standard for Internet security
– Goal: “... provide privacy and reliability between two communicating applications”
Two main parts:
1. Handshake Protocol: establish a shared secret key using public-key cryptography
2. Record Layer: transmit data using the negotiated key
This module: using a key for encryption and integrity
Goal 2: Protected files
[Figure: Alice writes File 1 and File 2 to disk and reads them back later.]
No eavesdropping, no tampering
Analogous to secure communication: Alice today sends a message to Alice tomorrow
Building block: symmetric encryption
E, D: cipher
k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
n: nonce (aka IV)
[Figure: Alice and Bob share k. Alice computes c = E(k, m, n) and sends c together with the nonce n; Bob computes m = D(k, c, n).]
The encryption algorithm is publicly known
• Never use a proprietary cipher
Use cases
Single-use key (one-time key):
• Key is only used to encrypt one message
• e.g. encrypted email: a new key is generated for every email
• No need for a nonce (set to 0)
Multi-use key (many-time key):
• Key is used to encrypt multiple messages
• e.g. SSL: the same key is used to encrypt many packets
• Need either a unique nonce or a random nonce
First example: One Time Pad (single-use key)
Vernam (1917)
  Key:        0 1 0 1 1 1 0 0 0 1
  Plaintext:  1 1 0 0 0 1 1 0 0 0   ⊕
  Ciphertext: 1 0 0 1 1 0 1 0 0 1
(the ciphertext row is the bitwise XOR of the key and plaintext rows)
Shannon ’49: OTP is “secure” against one-time eavesdropping
Quiz: the OTP encryption formula is c = E(k, m) = m ⊕ k. What is the decryption formula?
  D(k, c) = k + c
  D(k, c) = k × c
  D(k, c) = k ⊕ c
  D(k, c) = k ÷ c
Answer: D(k, c) = k ⊕ c, because (m ⊕ k) ⊕ k = m.
Stream ciphers (single-use key)
Problem: the OTP key is as long as the message
Solution: pseudo-random key, i.e. stream ciphers
Examples: Salsa20/12 (643 MB/s), Sosemanuk (727 MB/s), RC4 (126 MB/s)
[Figure: key → PRG → keystream; keystream ⊕ message = ciphertext]
  c ← PRG(k) ⊕ m
Dangers in using stream ciphers
One-time key !!  The “two-time pad” is insecure:
  C1 ← m1 ⊕ PRG(k)
  C2 ← m2 ⊕ PRG(k)
Eavesdropper does:
  C1 ⊕ C2 → m1 ⊕ m2
There is enough redundant information in English that: m1 ⊕ m2 → m1, m2
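A worked version of the two-time pad attack, added here as an example; it is not part of the lecture slides. SHAKE-256 used as an extendable-output function stands in for the PRG (an assumption for the example; any stream cipher keystream behaves the same way), and the key, the two messages and the crib word are constructed for the demonstration.

```python
import hashlib


def keystream(key, length):
    """PRG(k): expand a short key into `length` keystream bytes.
    SHAKE-256 as an extendable-output function stands in for the PRG here
    (constructed choice for the example; any stream cipher behaves the same)."""
    return hashlib.shake_256(key).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key, m):
    """c = PRG(k) XOR m. Decryption is the same operation."""
    return xor(keystream(key, len(m)), m)


def two_time_pad_leak(c1, c2):
    """What an eavesdropper computes from two ciphertexts made with one key:
    c1 XOR c2 = m1 XOR m2, because the identical keystream cancels out."""
    return xor(c1, c2)


def recover_other(m1_known, c1, c2):
    """Once m1 is known (or guessed), m2 falls straight out of m1 XOR m2."""
    return xor(two_time_pad_leak(c1, c2), m1_known)


def crib_drag(c1, c2, crib):
    """Slide a guessed word across m1 XOR m2. Wherever the crib really sits in
    one message, XORing it back yields readable text from the other message.
    Returns (offset, text) pairs whose text is printable ASCII."""
    d = two_time_pad_leak(c1, c2)
    hits = []
    for i in range(len(d) - len(crib) + 1):
        candidate = xor(d[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate))
    return hits


# Constructed sample data for the demonstration.
KEY = b"constructed example key"
M1 = b"meet me at the old bridge at noon"
M2 = b"the package is inside the red car"

if __name__ == "__main__":
    c1, c2 = stream_encrypt(KEY, M1), stream_encrypt(KEY, M2)
    print(recover_other(M1, c1, c2))          # m2 recovered from m1
    print(crib_drag(c1, c2, b"old bridge"))   # includes (15, b'inside the')
```

The crib-dragging step is where the "redundancy of English" on the slide turns into an attack: a short guessed phrase that appears in one message exposes the same positions of the other, and the attacker extends the guess from the readable fragment. Nothing here depends on the PRG being weak; the flaw is the key reuse.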
End of Segment
Crypto concepts: Block ciphers
Block ciphers: crypto work horse
[Figure: E, D map an n-bit plaintext (PT) block to an n-bit ciphertext (CT) block under a k-bit key]
Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits
Block ciphers built by iteration
R(k, m): round function, applied once per round
Number of rounds: 48 for 3DES, 10 for AES-128 (here n counts rounds, not block bits)
[Figure: key k → key expansion → round keys k1, k2, k3, …, kn; m → R(k1, ·) → R(k2, ·) → R(k3, ·) → … → R(kn, ·) → c]
Standard block ciphers
Input: (m, k)
Repeat a simple mixing operation several times
• 3DES: repeat 48 times the Feistel step, a simultaneous update of the two halves:
    (mL, mR) ← (mR, mL ⊕ F(ki, mR))
• AES-128: mixing step repeated 10 times
Difficult to design: must resist subtle attacks
• differential attacks, linear attacks, brute force, …
Quiz: what is the inverse of the DES round function?
[Figure: the round maps (x, y) to (v, w) = (y, x ⊕ F(k, y))]
  (x, y) = (w ⊕ F(k, v), v)
  (x, y) = (v ⊕ F(k, w), w)
  (x, y) = (v, w ⊕ F(k, v))
  (x, y) = (w ⊕ F(k, w), v)
Answer: (x, y) = (w ⊕ F(k, v), v), since v = y and w = x ⊕ F(k, y) = x ⊕ F(k, v). Only F evaluated forwards is needed, so F itself need not be invertible.
Abstract block ciphers: PRPs and PRFs
PRF: F: K × X → Y such that there exists an “efficient” algorithm to evaluate F(k, x)
PRP: E: K × X → X such that:
1. There exists an “efficient” algorithm to evaluate E(k, x)
2. The function E(k, ·) is one-to-one
3. There exists an “efficient” algorithm for the inverse D(k, x)
A block cipher is a PRP
Secure PRF and secure PRP
• A PRF F: K × X → Y is secure if F(k, ·) is indistinguishable from a random function f: X → Y
• A PRP E: K × X → X is secure if E(k, ·) is indistinguishable from a random permutation π: X → X
[Figure: the challenger either picks k ← K or f ← Funs[X, Y]; for each query x ∈ X the adversary receives f(x) or F(k, x) and must decide which of the two it is talking to]
What does indistinguishable mean?
• Secure PRF/PRP → indistinguishable from a random function/permutation
• (Efficient) statistical tests: an algorithm that queries the function and outputs 0 or 1
• Advantage: the gap |Pr[test outputs 1 on F(k, ·)] − Pr[test outputs 1 on a random f]|; secure means every efficient test has negligible advantage
PRF switching lemma
PRF switching lemma: a secure PRP is also a secure PRF
⇒ AES and 3DES are secure PRFs
(The lemma holds as long as the number of queries q satisfies q² ≪ |X|; for a 64-bit block cipher such as 3DES the PRF/PRP gap becomes noticeable around 2³² blocks under one key.)
Quiz: suppose F(k, x) is a secure PRF. Is the following G a secure PRF?
  G(k, x) = 0 if x = 0, and F(k, x) otherwise
  No, it is easy to distinguish G from a random function
  Yes, an attack on G would also break F
  It depends on F
Answer: no. Query x = 0: G always returns 0, whereas a random function returns 0 there with probability only 1/|Y|.
End of Segment
Crypto concepts: Using block ciphers
Incorrect use of block ciphers
Electronic Code Book (ECB): each plaintext block is encrypted independently, c[i] = E(k, m[i])
[Figure: PT blocks m1, m2 → CT blocks c1, c2]
Problem:
– if m1 = m2 then c1 = c2
In pictures: [figure omitted; because equal plaintext blocks give equal ciphertext blocks, ECB encryption of an image preserves its large-scale pattern]
Eavesdropping security 1: CBC mode
E a secure PRP. Cipher Block Chaining with IV:
  c[0] = E(k, IV ⊕ m[0]),  c[i] = E(k, c[i−1] ⊕ m[i]) for i ≥ 1
  ciphertext = (IV, c[0], c[1], c[2], c[3])
Use cases: how to choose an IV
Single-use key: no IV needed (IV = 0)
Multi-use key (CPA security):
• Best: use a fresh random IV for every message (IV ← X)
• Can use a unique IV (e.g. a counter)
  • but then the first step in CBC must be IV′ ← E(k1, IV) with a second key k1, as on the next slide
  • benefit: may save transmitting the IV with the ciphertext
CBC with unique IVs (nonce-based encryption)
Cipher Block Chaining with unique IV: key = (k, k1)
  IV′ = E(k1, IV);  c[0] = E(k, IV′ ⊕ m[0]);  c[i] = E(k, c[i−1] ⊕ m[i]) for i ≥ 1
  ciphertext = (IV, c[0], c[1], c[2], c[3])
Unique IV means: each (key, IV) pair is used for only one message
In pictures: [figure omitted]
Eavesdropping security 2: CTR mode
Counter mode with a random IV (parallel encryption):
  c[i] = m[i] ⊕ E(k, IV + i) for i = 0, …, L
  ciphertext = (IV, c[0], c[1], …, c[L])
Why are these modes secure? See the crypto course.
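An added example, not code from the lecture, that serves both the Feistel slides above (the round, its inverse from the quiz, and key expansion) and the three modes just described. The block cipher is a 128-bit, four-round Feistel network whose round function F is HMAC-SHA256 truncated to a half-block: an assumed stand-in for the DES or AES round, chosen because four Feistel rounds with a PRF round function give a PRP (Luby-Rackoff). The block size, round count and the "round-key" derivation labels are choices made for this example, not parameters from the slides. ECB, CBC and CTR are then built on the cipher exactly as the slides define them.

```python
import hashlib
import hmac
import os

BLOCK = 16          # 128-bit blocks, like AES
HALF = BLOCK // 2
ROUNDS = 4          # four Feistel rounds with a PRF round function give a PRP (Luby-Rackoff)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def expand_key(k):
    """Key expansion: one round key per round, derived from the master key.
    The derivation labels are a constructed choice for this example."""
    return [hmac.new(k, b"round-key" + bytes([i]), hashlib.sha256).digest()
            for i in range(ROUNDS)]


def F(ki, half):
    """Round function on one half-block. It is only ever evaluated forwards,
    so it does not need to be invertible (HMAC-SHA256 is not)."""
    return hmac.new(ki, half, hashlib.sha256).digest()[:HALF]


def feistel_round(ki, x, y):
    """(v, w) = (y, x XOR F(k, y)): the simultaneous update of both halves."""
    return y, xor(x, F(ki, y))


def feistel_round_inverse(ki, v, w):
    """(x, y) = (w XOR F(k, v), v): undoes one round using F forwards only."""
    return xor(w, F(ki, v)), v


def E(k, m):
    """Block cipher encryption: the round applied once per round key."""
    assert len(m) == BLOCK
    x, y = m[:HALF], m[HALF:]
    for ki in expand_key(k):
        x, y = feistel_round(ki, x, y)
    return x + y


def D(k, c):
    """Block cipher decryption: the round inverses in reverse key order."""
    assert len(c) == BLOCK
    x, y = c[:HALF], c[HALF:]
    for ki in reversed(expand_key(k)):
        x, y = feistel_round_inverse(ki, x, y)
    return x + y


def blocks(data):
    assert len(data) % BLOCK == 0, "whole blocks only; real code pads"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def fresh_iv():
    """Multi-use key: a fresh random IV per message."""
    return os.urandom(BLOCK)


def ecb_encrypt(k, m):
    """ECB: each block independently, so equal blocks give equal ciphertext."""
    return b"".join(E(k, b) for b in blocks(m))


def cbc_encrypt(k, m, iv):
    """CBC: c[0] = E(k, IV XOR m[0]), c[i] = E(k, c[i-1] XOR m[i]); IV is sent along."""
    prev, out = iv, []
    for b in blocks(m):
        prev = E(k, xor(prev, b))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(k, c):
    prev, out = c[:BLOCK], []
    for ct in blocks(c[BLOCK:]):
        out.append(xor(D(k, ct), prev))
        prev = ct
    return b"".join(out)


def ctr_encrypt(k, m, iv):
    """CTR: c[i] = m[i] XOR E(k, IV + i). Only E is needed, partial blocks are fine,
    and every block can be computed in parallel."""
    n = int.from_bytes(iv, "big")
    nblocks = -(-len(m) // BLOCK)
    ks = b"".join(E(k, ((n + i) % (1 << 128)).to_bytes(BLOCK, "big"))
                  for i in range(nblocks))
    return iv + xor(ks, m)


def ctr_decrypt(k, c):
    return ctr_encrypt(k, c[BLOCK:], c[:BLOCK])[BLOCK:]
```

Two things worth trying with it: encrypt a message whose two blocks are identical under ECB and compare the two ciphertext blocks, then do the same under CBC with a fresh IV; and encrypt two messages that share a first block under CBC with the same fixed IV, which reproduces the multi-use-key problem from the IV slide (the first ciphertext blocks match). CTR decryption reuses the encryption function because the block cipher is only ever applied to the counter.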
Performance: Crypto++ 5.6.0 [Wei Dai]
AMD Opteron, 2.2 GHz (Linux)

  Type     Cipher       Block/key size (bits)   Speed (MB/sec)
  stream   Salsa20/12   –                       643
  stream   Sosemanuk    –                       727
  block    3DES         64/168                  13
  block    AES          128/128                 109
A warning
Eavesdropping security is insufficient for most applications.
Need also to defend against active attacks.
CBC and CTR modes are insecure against active attacks.
Next: methods to ensure message integrity
End of Segment
Crypto concepts: Message integrity
Message integrity: MACs
• Goal: provide message integrity. No confidentiality.
  – ex: protecting public binaries on disk.
[Figure: Alice and Bob share k; Alice sends message m together with tag]
Generate tag: tag ← S(k, m)
Verify tag: V(k, m, tag) = ‘yes’ ?
Note: a non-keyed checksum (CRC) is an insecure MAC !!
Secure MACs
Attacker’s power: chosen message attack.
– for m1, m2, …, mq the attacker is given ti ← S(k, mi)
Attacker’s goal: existential forgery.
– produce some new valid message/tag pair (m, t), i.e. (m, t) ∉ { (m1, t1), …, (mq, tq) }
A secure PRF gives a secure MAC (provided the output space Y is large, e.g. |Y| ≥ 2⁸⁰, so that a tag cannot simply be guessed):
– S(k, m) = F(k, m)
– V(k, m, t): output ‘yes’ if t = F(k, m) and ‘no’ otherwise.
Construction 1: ECBC (encrypted CBC-MAC), key = (k, k1)
  Raw CBC: t ← E(k, m[0]); then t ← E(k, t ⊕ m[i]) for i = 1, 2, 3
  tag ← E(k1, t)
Construction 2: NMAC (nested MAC)
Let F: K × X → K be a PRF. Define the new PRF F_NMAC: K² × X^≤L → K:
  cascade: t ← k; for each block m[i] (i = 0, …, 3): t ← F(t, m[i])
  tag ← F(k1, t ∥ fpad)
(fpad is a fixed pad that lengthens t to a full element of X)
Importance of last step (NMAC)
Same cascade as above: t ← k; t ← F(t, m[i]) for each block; tag ← F(k1, t ∥ fpad)
Without the final F(k1, ·) the tag is the chaining value t itself, and anyone holding t can compute F(t, m′), the raw cascade of m ∥ m′, without knowing k: an existential forgery. The outer keyed step hides t.
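The extension forgery against the bare cascade, and its failure against NMAC, worked through in code. This is an added example and not lecture code. F is HMAC-SHA256 treated as the PRF K × X → K, which works because a 32-byte key yields a 32-byte output that can be fed back as the next key; the 32-byte message blocks, the all-zero fpad and the keys are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 32  # message blocks are elements of X; 32 bytes here (constructed choice)


def F(k, x):
    """PRF F: K x X -> K. HMAC-SHA256 with 32-byte keys returns 32 bytes,
    so its output can be fed back in as the next key."""
    return hmac.new(k, x, hashlib.sha256).digest()


def blocks(m):
    assert m and len(m) % BLOCK == 0, "whole blocks only for the example"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def cascade(k, m):
    """t <- k; t <- F(t, m[i]) for every block. The output IS the chaining value."""
    t = k
    for b in blocks(m):
        t = F(t, b)
    return t


FPAD = bytes(BLOCK)  # fixed pad appended to t so the final F input is a full block (constructed)


def nmac(k, k1, m):
    """F_NMAC((k, k1), m) = F(k1, cascade(k, m) || fpad)."""
    return F(k1, cascade(k, m) + FPAD)


def nmac_verify(k, k1, m, tag):
    return hmac.compare_digest(nmac(k, k1, m), tag)


def extend_cascade_tag(tag_on_m, extra):
    """Attack on the bare cascade: the tag on m is the chaining value, so the
    attacker just keeps cascading to get the tag on m || extra with no key."""
    t = tag_on_m
    for b in blocks(extra):
        t = F(t, b)
    return t
```

The attacker never sees k: a single (m, tag) pair from the bare cascade is enough to tag every extension of m. Against NMAC the same computation produces garbage, because the value the attacker would need to continue from is never released; the tag is its image under F(k1, ·).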
Importance of last step (ECBC)
Same raw CBC as above, then tag ← E(k1, ·) applied to the last chaining value.
Without the final E(k1, ·), raw CBC-MAC is extendable: if t is the tag of a one-block message m, then the two-block message m ∥ (t ⊕ m) has tag E(k, t ⊕ (t ⊕ m)) = E(k, m) = t, a forgery that needs no key.
Construction 3: HMAC (hash-MAC)
Most widely used MAC on the Internet.
H: hash function. Example: SHA-256; output is 256 bits
Building a MAC out of a hash function:
– Standardized method: HMAC
  S(k, m) = H( (k ⊕ opad) ∥ H( (k ⊕ ipad) ∥ m ) )
  where k is first zero-padded to the hash block size (64 bytes for SHA-256), ipad is the byte 0x36 repeated and opad the byte 0x5c repeated (RFC 2104)
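HMAC written out from the formula above and checked against Python's hmac module, together with the S/V interface from the MAC slides and the non-keyed CRC checksum beside it to show why the latter is not a MAC. This is an added example, not lecture code; the keys and messages are constructed, and the RFC 4231 "Jefe" vector is used only to confirm the construction.

```python
import hashlib
import hmac
import zlib

BLOCK_SIZE = 64  # SHA-256 works on 64-byte blocks; the key is padded to this length
IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C


def hmac_sha256(k, m):
    """S(k, m) = H((k XOR opad) || H((k XOR ipad) || m)), as in RFC 2104."""
    if len(k) > BLOCK_SIZE:
        k = hashlib.sha256(k).digest()          # over-long keys are hashed first
    k = k.ljust(BLOCK_SIZE, b"\x00")             # then zero-padded to the block size
    ipad = bytes(b ^ IPAD_BYTE for b in k)
    opad = bytes(b ^ OPAD_BYTE for b in k)
    inner = hashlib.sha256(ipad + m).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(k, m):
    """Cross-check against Python's own hmac module."""
    return hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest()


def S(k, m):
    """Tag generation: the PRF output is the tag."""
    return hmac_sha256(k, m)


def V(k, m, tag):
    """Tag verification: recompute and compare in constant time, so that the
    comparison itself does not leak how many tag bytes were right."""
    return hmac.compare_digest(S(k, m), tag)


def crc_tag(m):
    """A non-keyed checksum pressed into service as a 'MAC'."""
    return zlib.crc32(m).to_bytes(4, "big")


def crc_verify(m, tag):
    return crc_tag(m) == tag


def forge_crc(new_message):
    """Existential forgery against the CRC 'MAC' needs no chosen-message queries
    at all: there is no key, so anyone can compute a valid tag."""
    return new_message, crc_tag(new_message)
```

The key padding step is the detail the one-line formula hides: "k ⊕ ipad" only makes sense once k has the hash's block length, which is why keys longer than 64 bytes are hashed down first. The constant-time compare in V is the other practitioner detail: a byte-by-byte early-exit comparison would let an attacker learn the tag one byte at a time from timing.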
SHA-256: Merkle-Damgård
• h(t, m[i]): compression function
• Thm 1: if h is collision resistant then so is H
• “Thm 2”: if h is a PRF then HMAC is a PRF
[Figure: t ← IV (fixed); t ← h(t, m[i]) for each block m[0], …, m[3]; H(m) is the final t]
Construction 4: PMAC, a parallel MAC
ECBC and HMAC are sequential. PMAC:
  tag = F( k1, F(k, m[0] ⊕ P(k, 0)) ⊕ F(k, m[1] ⊕ P(k, 1)) ⊕ F(k, m[2] ⊕ P(k, 2)) ⊕ F(k, m[3] ⊕ P(k, 3)) )
  each block is masked with P(k, i), passed through F(k, ·) in parallel, the results are XORed together and the sum is passed through F(k1, ·)
Quiz (PMAC): suppose the P(k, ·) function was not used, i.e. P(k, ·) = 0. Would PMAC be a secure MAC?
  No. Given the tag on (m[0], m[1]) the attacker obtains the tag on (m[1], m[0])
  No. Without P() an attacker could obtain the secret key k
  It depends on what F is used
Answer: the first. Without the position-dependent mask the XOR of the F(k, m[i]) values does not depend on block order, so swapping two blocks leaves the tag unchanged: an existential forgery. The key k is not exposed.
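The quiz answer in code, added here as an example rather than lecture code: PMAC over 16-byte blocks with F = HMAC-SHA256 truncated to one block, and a position mask P(k, i) derived from k with the same PRF. That mask derivation is a stand-in chosen for the example (real PMAC uses a different mask schedule); the keys and message are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(m):
    assert m and len(m) % BLOCK == 0
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def F(k, x):
    """PRF F(k, .) with 16-byte outputs: HMAC-SHA256 truncated to one block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def P(k, i):
    """Position mask P(k, i). Derived from k with the same PRF; a stand-in for
    PMAC's real mask schedule, chosen for the example."""
    return F(k, b"mask" + i.to_bytes(8, "big"))


def pmac(k, k1, m, masked=True):
    """tag = F(k1, XOR_i F(k, m[i] XOR P(k, i))). With masked=False the mask is
    dropped (P(k, .) = 0), which is the quiz's variant."""
    acc = bytes(BLOCK)
    for i, b in enumerate(blocks(m)):
        x = xor(b, P(k, i)) if masked else b
        acc = xor(acc, F(k, x))
    return F(k1, acc)


def swap_first_two_blocks(m):
    """The forgery: given the tag on (m[0], m[1], ...), this message carries the
    same tag when masks are absent, because XOR does not care about block order."""
    b = blocks(m)
    return b"".join([b[1], b[0]] + b[2:])
```

With the masks in place the same swap changes the input to F(k, ·) at both positions, so the accumulated value and the tag change; the attacker gains nothing about k in either variant, which is why the second quiz option is wrong.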
End of Segment
Crypto concepts: Authenticated encryption
Combining MAC and ENC (CCA)
Encryption key kE, MAC key kI
Option 1 (SSL), MAC-then-encrypt: tag ← MAC(kI, m); send Enc(kE, m ∥ tag)
Option 2 (IPsec), encrypt-then-MAC: c ← Enc(kE, m); send c ∥ MAC(kI, c)     ← always correct
Option 3 (SSH), encrypt-and-MAC: send Enc(kE, m) ∥ MAC(kI, m)
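An added example, not from the lecture, of option 2 beside option 3. A SHAKE-256 keystream keyed by kE and a nonce stands in for CTR-mode encryption (an assumption for the example) and HMAC-SHA256 is the MAC; the packet layout nonce ∥ ciphertext ∥ tag, the 16-byte nonce and the keys are choices made here.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc(kE, nonce, data):
    """Stream encryption with keystream SHAKE256(kE || nonce); stands in for CTR mode
    (constructed choice). Decryption is the same call."""
    return xor(hashlib.shake_256(kE + nonce).digest(len(data)), data)


def mac(kI, data):
    return hmac.new(kI, data, hashlib.sha256).digest()


# Option 2 (IPsec): encrypt-then-MAC. The tag covers everything that is sent.
def etm_seal(kE, kI, m):
    nonce = os.urandom(NONCE_LEN)
    c = nonce + enc(kE, nonce, m)
    return c + mac(kI, c)


def etm_open(kE, kI, packet):
    """Verify first; touch the ciphertext only after the tag checks out."""
    c, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac(kI, c), tag):
        return None
    return enc(kE, c[:NONCE_LEN], c[NONCE_LEN:])


# Option 3 (SSH): encrypt-and-MAC. The tag is computed on the plaintext and sent in the clear.
def eam_seal(kE, kI, m):
    nonce = os.urandom(NONCE_LEN)
    return nonce + enc(kE, nonce, m) + mac(kI, m)


def eam_tag(packet):
    return packet[-TAG_LEN:]


def flip_bit(packet, pos):
    """Active attacker: flip one bit of the packet in transit."""
    return packet[:pos] + bytes([packet[pos] ^ 0x01]) + packet[pos + 1:]
```

Under encrypt-then-MAC any modification of the nonce, the ciphertext or the tag is rejected before a single byte is decrypted, so the decryption code never runs on attacker-controlled input. Under encrypt-and-MAC the tag is a deterministic function of the plaintext sent in the clear: two packets carrying the same plaintext have the same tag even though their ciphertexts differ, which is a confidentiality leak that the eavesdropping-secure encryption alone would not have had.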
Standards (at a high level)
• CCM: CBC-MAC then CTR mode encryption
• GCM: CTR mode encryption then MAC
• EAX: CTR mode encryption then OMAC
All support AEAD (authenticated encryption with associated data):
  [ associated data | encrypted data ]
  the associated data is authenticated but sent in the clear; the encrypted data is both encrypted and authenticated
OCB: more efficient authenticated encryption
[Figure, schematic: c[i] = E(k, m[i] ⊕ P(N, k, i)) ⊕ P(N, k, i) for i = 0, …, 3, with masks P derived from the nonce N and key k; the checksum m[0] ⊕ m[1] ⊕ m[2] ⊕ m[3] is masked, encrypted and masked again in the same way to give the authentication tag c[4]]
Final words
Implementation attacks
Power cryptanalysis (Kocher-Jaffe-Jun ’99)
– Power consumption depends on instruction and data
– Measure power consumption during block cipher operation
– About 1000 ciphertexts suffice to expose the secret key.
Generating randomness (e.g. keys, IVs)
Pseudo-random generators in practice (e.g. /dev/random):
• Continuously add entropy to the internal state
• Entropy sources:
  • Hardware RNG: Intel RdRand instruction (Ivy Bridge), 3 Gb/sec
  • Timing: hardware interrupts (keyboard, mouse)
NIST SP 800-90: NIST-approved generators
Summary
Shared secret key:
• Used for secure communication and document encryption
Encryption (CPA security) [should not be used standalone]:
• One-time key: stream ciphers, CBC or CTR with a fixed IV
• Many-time key: CBC or CTR with a random IV
Integrity: ECBC or HMAC or PMAC
Authenticated encryption: encrypt-then-MAC
End of Segment