ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering...
-
Upload
vivian-thrash -
Category
Documents
-
view
217 -
download
0
Transcript of ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering...
![Page 1: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/1.jpg)
1
ECE454/CS594 Computer and Network Security
Dr. Jinyuan (Stella) SunDept. of Electrical Engineering and Computer ScienceUniversity of Tennessee Fall 2011
![Page 2: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/2.jpg)
2
Secret Key Cryptography
• Modes of operation• Stream cipher
![Page 3: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/3.jpg)
3
Encrypting A Large Message
How to encrypt a message > 64 bits? • Electronic Code Book (ECB)• Cipher Block Chaining (CBC)• Output Feedback Mode (OFB)• Cipher Feedback Mode (CFB)• Counter Mode (CTR)
![Page 4: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/4.jpg)
4
ECB ModeECB Encryption
ECB Decryption
• Message is broken into 64-bit blocks• Each block is independently encoded with the same secret key
![Page 5: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/5.jpg)
5
Pros and Cons of ECB• Suitable for use in secure transmission of single values (e.g. an encryption key)• Error in one received ciphertext block does not affect the correct decryption of other ciphertext blocks• Identical plaintext blocks produce identical ciphertext blocks resulting in recognizable pattern
• Ciphertext blocks can be easily rearranged or modified
![Page 6: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/6.jpg)
6
ECB Rearranging and Modification Attacks
• 10,000’s digit of salary easily modified• 10,000’s digit blocks easily swapped
![Page 7: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/7.jpg)
7
CBC Mode
• Selects a random number: IV (initialization vector) that is XORed with the first plaintext block. Why?
• Then generates its own random numbers: the ciphertext from the previous block, XORed with the next plaintext block
CBC Encryption
CBC Decryption
![Page 8: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/8.jpg)
8
Pros and Cons of CBC• Suitable for use in general-purpose block-oriented transmission, and authentication • The same block repeating in the plaintext will not cause repeats in the ciphertext• Subject to modification attack: (but error propagates)
• Subject to ciphertext block rearranging attack• IV: needs to be shared between sender and receiver, either a fixed value or sent encrypted (How to encrypt?)
![Page 9: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/9.jpg)
9
CBC Modification Attack
Original message
Decrypted message after modification
• Solution?
![Page 10: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/10.jpg)
10
CBC Rearranging Attack
• If the ciphertext blocks are rearranged as: C1, C5, C3, C2, C4, C6
• The resulting plaintext blocks can be deduced…
![Page 11: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/11.jpg)
11
AES Example: ECB vs. CBC
AES in ECB mode AES in CBC mode
Similar plaintextblocks producesimilar ciphertextblocks (not good!)
![Page 12: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/12.jpg)
12
Output Feedback Mode (OFB)
• OFB is a stream cipher: encryption is done by XORing plaintext with one-time pad• One-time pad: b0|b1|b2|b3…, where b0 is a random 64-bit IV, b1 is the secret key encrypted b0, and so on…
k-bit OFB
![Page 13: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/13.jpg)
13
Pros and Cons of OFB• Suitable for use in stream-oriented transmission
over noisy channel (e.g., satellite communication)• One-time pad can be generated in advance, only
XOR operations are performed in real-time• Bit errors do not propagate: error in one
ciphertext block only garbles the corresponding plaintext block
• Message can arrive in arbitrarily sized chunks, get encrypted and transmitted immediately
• Plaintext modification attack: if attacker knows <plaintext, ciphertext>, he can XOR the plaintext and ciphertext, and XOR the result with any message of his choosing
• Must not reuse the same IV or secret key (Why?)
![Page 14: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/14.jpg)
14
Cipher Feedback Mode (CFB)
• Similar to OFB• k bits shifted in the register are the k bits of ciphertext from the previous block (k can be any number: 1, 8, 64, 128, etc.)
k-bit CFB
![Page 15: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/15.jpg)
15
Pros and Cons of CFB• Suitable for use in general-purpose stream-oriented transmission, and authentication• Less subject to tampering: with k-bit CFB, the change of any k-bit of plaintext in a predictable way will cause unpredictably garbling the next b/k blocks• One-time pad cannot be pre-computed, encryption needs to be done in real-time• Error in a k-bit ciphertext block propagates: it garbles the next b/k plaintext blocks
![Page 16: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/16.jpg)
16
Counter Mode (CTR)
• Similar to OFB• Instead of chaining the encryption of one-time pad, the IV is incremented and encrypted to get successive blocks of the one-time pad
Counter Mode
![Page 17: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/17.jpg)
17
Pros and Cons of CTR• Suitable for use in general-purpose block-oriented transmission, and high speed encryption• One-time pad can be pre-computed• Decrypting at any point rather than the beginning: ideal for random access applications• Hardware/software efficiency: parallel encryption/decryption on multiple blocks of plaintext or ciphertext• Provable security: at least as secure as other modes• Simplicity: unlike ECB and CBC, no decryption algorithm is needed in CTR (also true for OFB and CFB)• Must not reuse the same IV or key, same as OFB• Because: An attacker could get the XOR of two plaintext blocks by XORing the two corresponding ciphertext blocks
![Page 18: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/18.jpg)
18
Generating MACs• Integrity: protect against undetected modifications, cannot be guaranteed by any mode of operation if attacker knows the plaintext• Plaintext + CBC residue (when message not secret)
![Page 19: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/19.jpg)
19
Privacy and Integrity: The Don’ts• Privacy: CBC encryption• Integrity: CBC residue• Ciphertext + CBC residue?• Encrypt {plaintext + CBC residue}?• Encrypt {plaintext + CRC}?
![Page 20: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/20.jpg)
20
Ciphertext + CBC Residue
• Problem?
![Page 21: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/21.jpg)
21
Encrypt {plaintext + CBC residue}
• Problem?
![Page 22: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/22.jpg)
22
Encrypt {plaintext + CRC}
• Longer CRC maybe Okay
![Page 23: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/23.jpg)
23
Privacy and Integrity: The Do’s• Privacy: CBC encryption + Integrity: CBC residue, but with different keys• CBC + weak cryptographic checksum• CBC + CBC residue with related keys• CBC + cryptographic hash: keyed hash preferred• OCB: offset codebook mode: both privacy and integrity in a single cryptographic pass, desirable
![Page 24: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/24.jpg)
24
3DES: CBC Outside vs. Inside
CBC on the outside(Why this one?)
CBC on the inside
![Page 25: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/25.jpg)
25
Stream Ciphers A key is input into a pseudorandom generator to
produce a pseudorandom keystream Pseudorandom stream: unpredictable without
knowing key Keystream is bitwise XORed with plaintext stream
![Page 26: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/26.jpg)
26
Design ConsiderationsThe encryption sequence should have a
large period without repetitionsThe keystream k should approximate the
properties of a true random number stream as close as possible
Input key K need be sufficiently longWhen properly designed, a stream cipher
can be as secure as block cipher of comparable key length
Advantage of stream ciphers: almost always faster and use far less code than block ciphers
![Page 27: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/27.jpg)
27
RC4Designed by Ron Rivest in 1987 for RSA securityVariable key-size stream cipher with byte-oriented
applicationsPopular uses: SSL/TLS (Secure Sockets Layer/Transport Layer Security), WEP (Wired Equivalent Privacy)
protocol and the newer WiFi Protected Access (WPA)A variable-length key (1—256 bytes) is used to
initialize a 256-byte state vector SA byte in the keystream k is generated from S by
selecting one of the 256 entries for encryption/decryption
The entries in S are permuted after generating each k
![Page 28: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/28.jpg)
28
RC4 (Cont’d)
![Page 29: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/29.jpg)
29
RC4 Keystream Generation
![Page 30: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/30.jpg)
30
Strength of RC4 No practical attack on RC4 is knownMust not reuse keyA known vulnerability in WEP: relevant
to the generation of the key input to RC4 but not RC4 itself
![Page 31: ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.](https://reader036.fdocuments.net/reader036/viewer/2022062619/55173a47550346f5558b60fc/html5/thumbnails/31.jpg)
31
Reading Assignments
[Kaufman] Chapter 4