Computer Security Lecture 2 PDF
Yangguang (Jack) Tian
Summary
This document is a computer security lecture, focusing on symmetric cryptography, covering topics like encryption, digital signatures, and different modes of operation. It also discusses information entropy and the cryptographic primitives used in the field, along with practical examples.
Full Transcript
Slide 1: COM2041 Computer Security, Lecture 2. Yangguang (Jack) Tian. Symmetric Cryptography (I)

Slide 2: Structure of lecture
Symmetric Cryptography (I)
- Introduction
- Block ciphers
- Padding
- Modes of Operation
- Error Propagation
- Message Authentication Codes (MAC)
- Authenticated encryption

Slide 3: Cryptographic Primitives
The basic cryptographic primitives covered in this module are:
- Encryption
- Digital signatures

Slide 4: Encryption
(Diagram: Plaintext P → E with encryption key KE → Ciphertext C → D with decryption key KD → Plaintext P)
- E = Encryption, D = Decryption
- C = E(KE, P), P = D(KD, C)

Slide 5: Digital Signatures
(Diagram: Message m → S with signing key KS → Signature σ → V with verification key KV → 0 = reject / 1 = accept)
- S = Signing, V = Verification
- σ = S(KS, m), 0/1 = V(KV, (σ, m))

Slide 6: Symmetric and Asymmetric Cryptography
- Symmetric cryptography: a single key is used in the different cryptographic operations. Symmetric cryptography is also called secret key cryptography.
- Asymmetric cryptography: a pair of related but distinct keys is used in the different cryptographic operations. One key is public and the other key is kept secret. Asymmetric cryptography is also called public key cryptography.

Slide 7: Encryption
(Same diagram as slide 4.) C = E(KE, P), P = D(KD, C)
- If KE = KD: symmetric encryption.
- If KE ≠ KD: asymmetric encryption, where KE is publicly available to any encrypter and KD is kept secret by the decrypter alone.

Slide 8: Digital Signatures
(Same diagram as slide 5.) σ = S(KS, m), 0/1 = V(KV, (σ, m))
- If KS = KV: symmetric signature, also called a message authentication code (MAC).
- If KS ≠ KV: asymmetric signature, where KS is kept secret by the signer and KV is publicly available to any verifier.

Slide 9: Information Entropy
- Claude Shannon: "A Mathematical Theory of Communication" (1948).
- The entropy of a class of messages being communicated is the amount of information that can be expected on average in a message from that class. It is generally measured in bits: the minimum number of bits that would be needed to encode the information. For example, if a message can only be yes or no, then it carries one bit of information.
- For a cryptographic scheme to be secure, any key used needs to have large entropy, such as 128, 192 or 256 bits.

Slide 10: From One-Time Pad to Modern Cryptography
- The one-time pad is a symmetric encryption scheme.
- One-time pad: the key is as long as the plaintext to be encrypted, and the key cannot be reused.
- Modern cryptography: the length of the key is independent of the size of the plaintext, and the key can be reused.

Slide 11: Stream Cipher & Block Cipher
From ISO/IEC 18033: Encryption algorithms
- Stream cipher: symmetric encryption system with the property that the encryption algorithm involves combining a sequence of plaintext symbols with a sequence of keystream symbols one symbol at a time, using an invertible function.
- Block cipher: symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.

Slide 12: Block ciphers
(Diagram: Block → E/D with Key → Block)
- Encryption and decryption take a block of a certain size (known as the block size) and a key of a certain length (the key length) and return another block of the same size.
- The same key is used for encryption and decryption. This means a block cipher is symmetric.

Slide 13: Stream ciphers
(Diagram: arbitrary-length data → E/D with Key → arbitrary-length data)
- Encryption and decryption take a plaintext of arbitrary length and a key of a certain length (the key length) and return a ciphertext whose length is related to that of the plaintext.
- The same key is used for encryption and decryption.
  This means a stream cipher is also symmetric.

Slide 14: Structure of lecture
Symmetric Cryptography (I): Introduction; Block ciphers; Padding; Modes of Operation; Error Propagation; Message Authentication Codes (MAC); Authenticated encryption

Slide 15: Two Block Cipher Examples
- DES (Data Encryption Standard)
- AES (Advanced Encryption Standard)

Slide 16: DES
(Diagram: Block (64 bits) → DES with Key (56 bits) → Block (64 bits))
- Takes a block of a certain size (64 bits = 8 bytes = 16 hex digits) and a key of a certain length (56 bits; in fact 64 bits are provided, but 8 of them are checksum bits and are not used) and returns another block of the same size (64 bits).

Slide 17: AES
(Diagram: Block (128 bits) → AES with Key (128, 192 or 256 bits) → Block (128 bits))
- Takes a block of a certain size (128 bits = 16 bytes = 32 hex digits) and a key of a certain length (128, 192 or 256 bits) and returns another block of the same size (128 bits).

Slide 18: (figure only)

Slide 19: In reality: DES challenge
- Goal: find a 56-bit key k such that DES(k, mi) = ci for i = 1, 2
- 1997: Internet search – 3 months
- 1998: EFF machine (Deep Crack) – 3 days ($250K)
- 1999: Combined search – 22 hours
- 2006: COPACOBANA (120 FPGAs) – 7 days ($10K)
- So, 56-bit ciphers should not be used. A 128-bit key ⇒ 2^72 days.
- The information on this slide is from Dan Boneh's online Cryptography Course.
- DES was developed in the early 1970s at IBM.

Slide 20: 3DES – Triple DES
- Because a single DES is insecure, the triple DES algorithm is still used (e.g., by banks).
- 3-key triple DES, using three keys K1, K2 and K3:
  C = E(K3, D(K2, E(K1, P)))
  P = D(K1, E(K2, D(K3, C)))
- 2-key triple DES, using two keys K1 and K2:
  C = E(K1, D(K2, E(K1, P)))
  P = D(K1, E(K2, D(K1, C)))
- Why can't we use double DES, i.e., C = E(K2, E(K1, P))?
  (The answer will be discussed next week.)

Slide 21: Encrypting with DES
- DES is a block cipher and its block size is 64 bits.
- Encrypting "Accusing", which is a single block (plaintext):
  4163637573696E67 ("Accusing" as ASCII bytes in hex)
  key A5636D43433D2B
  E → 956047AEA6020BDB (ciphertext)

Slide 22: Encrypting "Atom" with DES
- 41746F6D ("Atom" as ASCII bytes), key A5636D43433D2B → ?
- "Atom" does not give a full 64-bit block. What should we do?

Slide 23: The answer is to use Padding

Slide 24: Padding
- A plaintext for encryption may not contain an exact number of blocks. It will therefore need to be extended to produce a file of the right size: an exact number of 64-bit blocks (in the case of DES).
- This requires adding additional bytes, known as padding. This needs to be done in a recognisable way so that the padding can be removed on decryption.

Slide 25: Several padding schemes for a given block size
- Zero padding: add zero bytes to complete the block, e.g.: d2 a1 62 pads to d2 a1 62 00 00 00 00 00
- ANSI X.923: add a sequence of 0's, with the number of added bytes as the last byte, e.g.: d2 a1 62 pads to d2 a1 62 00 00 00 00 05
- PKCS7: identify how many bytes to add, and add a sequence of bytes all containing that number, e.g.: d2 a1 62 pads to d2 a1 62 05 05 05 05 05
- PKCS5: the same as PKCS7, but (sometimes) defined only for an 8-byte block size

Slide 26: Zero padding
- Zero padding is not injective: different blocks may pad to the same result.
- Zero padding should not be used if bytes in the block can have the value 00.
- Trailing zeros in the padded block are ambiguous: they might come from the block or from the padding.

Slide 27: Structure of lecture
Symmetric Cryptography (I): Introduction; Block ciphers; Padding; Modes of Operation; Error Propagation; Message Authentication Codes (MAC); Authenticated encryption

Slide 28: Encrypting "Computation" with DES
- 436F6D7075746174696F6E ("Computation" as ASCII bytes), key A5636D43433D2B → ?
- "Computation" gives more than a full 64-bit block.
  What should we do?

Slide 29: The answer is to use Modes of Operation
From Block Cipher to Stream Cipher

Slide 30: Preliminaries: XOR
- Exclusive-or, written XOR or ⊕, is a binary operator applied to two bits according to the following table:
  0 ⊕ 0 = 0
  0 ⊕ 1 = 1
  1 ⊕ 0 = 1
  1 ⊕ 1 = 0
- It is the same as addition modulo 2, or parity checking.
- It is associative and commutative (i.e. the order in which you combine things makes no difference).
- It is applied bitwise on strings of bits: 0111011010 ⊕ 1011101000 = 1100110010

Slide 31: Exclusive-or properties
- XOR has lots of useful properties. If x, y and z are all bitstrings of the same length, then the following laws hold:
  commutative: x ⊕ y = y ⊕ x
  associative: (x ⊕ y) ⊕ z = x ⊕ (y ⊕ z)
  cancellative: x ⊕ y ⊕ y = x
- So if x ⊕ y = z, then the following are also true: x ⊕ z = y and z ⊕ y = x
- This is very useful for reversing XOR: plaintext ⊕ key = ciphertext, and ciphertext ⊕ key = plaintext

Slide 32: Modes of Operation
- How do we encrypt a sequence of blocks? Block ciphers can be used in a number of different ways to encrypt a data string (which consists of a number of blocks).
- A number of modes of operation have been recommended for using block ciphers for data encryption. We will introduce three of them in detail: Electronic Codebook mode (ECB), Cipher Block Chaining mode (CBC) and Counter mode (CTR). Several more will be mentioned for you to learn by yourselves.

Slide 33: Electronic Codebook Mode (ECB)
- ECB is the most basic mode. In ECB, a data string is split into blocks, and each block is encrypted separately to produce the output string.
- It uses the block cipher as a (very large) substitution cipher, with no links between the blocks. The key gives rise to an "electronic code book" (i.e. the substitution).
- Blocks are encrypted (and decrypted) independently. For a given key, the same block always encrypts to the same block.
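The first step of ECB encryption on the next slide is padding. The following Python code is an added example, not part of the lecture, implementing the three schemes from slides 25 and 26 (zero padding, ANSI X.923, PKCS7) for the 8-byte DES block, together with the matching unpadding routines. The sample inputs are the lecture's own bytes (d2 a1 62 and "Computation"); the function names and the ambiguity check are constructed for this example.

```python
# Added example: padding schemes of slides 25-26 for an 8-byte (DES-sized) block.
# Not the lecture's code; sample inputs are the slides' values, function names are constructed.
BLOCK_SIZE = 8  # DES block size in bytes


def pad_zero(data: bytes, block: int = BLOCK_SIZE) -> bytes:
    """Zero padding: append 00 bytes up to the next block boundary."""
    return data + b"\x00" * ((-len(data)) % block)


def unpad_zero(padded: bytes) -> bytes:
    """Strip trailing 00 bytes. Ambiguous: genuine trailing zeros of the data go too (slide 26)."""
    return padded.rstrip(b"\x00")


def pad_ansi_x923(data: bytes, block: int = BLOCK_SIZE) -> bytes:
    """ANSI X.923: zeros, then the number of added bytes as the last byte.
    When the data already fills whole blocks a full extra block is added,
    so the last byte of the padded data is always a pad length."""
    n = block - len(data) % block          # 1..block
    return data + b"\x00" * (n - 1) + bytes([n])


def unpad_ansi_x923(padded: bytes, block: int = BLOCK_SIZE) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("invalid padding")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:-1] != b"\x00" * (n - 1):
        raise ValueError("invalid padding")
    return padded[:-n]


def pad_pkcs7(data: bytes, block: int = BLOCK_SIZE) -> bytes:
    """PKCS7: n bytes each holding the value n (PKCS5 is the 8-byte-block case)."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def unpad_pkcs7(padded: bytes, block: int = BLOCK_SIZE) -> bytes:
    """Check every pad byte, not only the last one, before removing the padding."""
    if not padded or len(padded) % block:
        raise ValueError("invalid padding")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def pkcs7_unpad_ok(padded: bytes) -> bool:
    """True when the PKCS7 padding validates, False otherwise."""
    try:
        unpad_pkcs7(padded)
        return True
    except ValueError:
        return False


def zero_padding_is_ambiguous(data: bytes) -> bool:
    """Slide 26: a partial block and the same block with an extra trailing 00
    pad to identical bytes, so unpadding cannot tell them apart."""
    return pad_zero(data) == pad_zero(data + b"\x00")


if __name__ == "__main__":
    sample = bytes.fromhex("d2a162")                       # slide 25
    print(pad_zero(sample).hex(), pad_ansi_x923(sample).hex(), pad_pkcs7(sample).hex())
    computation = bytes.fromhex("436F6D7075746174696F6E")  # "Computation", slide 28
    print(unpad_pkcs7(pad_pkcs7(computation)) == computation)
    print(zero_padding_is_ambiguous(sample))
```

Note that PKCS7 and X.923 always add at least one byte, so a plaintext that already fills whole blocks (such as "Accusing") gains a full block of padding; zero padding adds nothing in that case, which is one more reason its removal is ambiguous.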
Slide 34: More about ECB
- Encryption: (1) pad to an exact number of blocks; (2) use the encryption algorithm to encrypt each block in turn with the key.
- Decryption: use the decryption algorithm to decrypt each block in turn with the key; then remove the padding.
- E.g. CrypTool's DES (ECB) mode uses zero padding.
- The javax.crypto package provides "DES/ECB/PKCS5Padding" (steps 1 and 2) and "DES/ECB/NoPadding" (just step 2 of encryption; it returns an error if the input is not an exact number of blocks).

Slide 35: Example: encrypting "Computation" with DES
- Plaintext blocks: 436F6D7075746174 696F6E
- After zero padding: 436F6D7075746174 696F6E0000000000
- Apply Ek to each block with k = A000000000000000: F22DB31D615233CA 0F3B12C7755BC716

Slide 36: ECB feature
(Figure: Plaintext / Ciphertext)
- The same plaintext block always encrypts to the same ciphertext block. Hence patterns in the blocks will be preserved.

Slide 37: Cipher Block Chaining Mode (CBC)
- This mode introduces a simple feedback mechanism to the block cipher. To encrypt a plaintext block, XOR it with the ciphertext of the previous block, and then encrypt. Therefore different instances of a block will encrypt differently.
- It needs an initialisation vector IV of random data for the first block. This does not need to be secret.

Slide 38: CBC Encryption
- Let P1, P2, … be plaintext blocks, C1, C2, … be ciphertext blocks and IV be the initialisation value. Let Ek be the encryption operation with the key k.
  C1 = Ek(P1 ⊕ IV)
  C2 = Ek(P2 ⊕ C1)
  ...
- In general, Ci+1 = Ek(Pi+1 ⊕ Ci)
(Diagram: Pi+1 ⊕ Ci → Ek → Ci+1; courtesy of Wikipedia)

Slide 39: CBC on the same plaintext block
- CBC encrypts the same plaintext block in different positions to different ciphertext blocks, e.g. say we have a sequence of the block P repeated:
  C1 = Ek(P ⊕ IV)
  C2 = Ek(P ⊕ C1)
  ...
- In general, Ci+1 = Ek(P ⊕ Ci). Each Ci is different.
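To make this property concrete, the following Python program is an added example (not the lecture's code) that implements ECB, CBC and CTR (slides 33, 38, 40 and 52-53) and then checks the error-propagation behaviour the lecture describes on slides 42-46 and 54 by flipping one ciphertext bit and counting how many bits of each decrypted block change. The standard library has no DES or AES, so the block cipher is a constructed 64-bit, 8-round Feistel toy cipher keyed through SHA-256; it is not secure and exists only to supply an invertible block permutation. Key, IV, nonce and plaintext are constructed sample values; the plaintext repeats a block so that the ECB pattern leak is visible.

```python
import hashlib

BLOCK = 8     # 64-bit blocks, like DES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy cipher: 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Constructed 8-round Feistel network standing in for DES/AES. NOT secure.
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Slide 33: every block is encrypted independently (pt already block-aligned).
    return b"".join(toy_encrypt_block(key, p) for p in blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, c) for c in blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Slide 38: C_{i+1} = E_k(P_{i+1} XOR C_i), with C_0 = IV.
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Slide 40: P_{i+1} = D_k(C_{i+1}) XOR C_i; each block depends only on its predecessor.
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Slides 52-53: n_i = n_{i-1} + 1, C_i = E_k(n_i) XOR P_i; decryption is the same call.
    n = int.from_bytes(nonce, "big")
    out = []
    for i, chunk in enumerate(blocks(data)):
        keystream = toy_encrypt_block(key, ((n + i) % 2**64).to_bytes(BLOCK, "big"))
        out.append(_xor(chunk, keystream[:len(chunk)]))
    return b"".join(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)
    buf[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(buf)


def bits_changed_per_block(a: bytes, b: bytes) -> list:
    return [sum(bin(x ^ y).count("1") for x, y in zip(pa, pb))
            for pa, pb in zip(blocks(a), blocks(b))]


def ciphertext_error_propagation(key: bytes, iv: bytes, pt: bytes, bit_index: int) -> dict:
    """Flip one ciphertext bit and report, per mode, how many bits of each
    decrypted block differ from the original plaintext (slides 45-46 and 54)."""
    modes = {
        "ECB": (ecb_encrypt(key, pt), lambda c: ecb_decrypt(key, c)),
        "CBC": (cbc_encrypt(key, iv, pt), lambda c: cbc_decrypt(key, iv, c)),
        "CTR": (ctr_crypt(key, iv, pt), lambda c: ctr_crypt(key, iv, c)),
    }
    return {name: bits_changed_per_block(pt, dec(flip_bit(ct, bit_index)))
            for name, (ct, dec) in modes.items()}


KEY = b"constructed-16by"                  # constructed sample key (16 bytes)
IV = bytes(range(8))                       # constructed; a real IV/nonce must be random or unique
PT = b"AccusingComputerAccusingSecurity"   # 4 blocks; blocks 1 and 3 are identical

if __name__ == "__main__":
    print("ECB block1 == block3:", blocks(ecb_encrypt(KEY, PT))[0] == blocks(ecb_encrypt(KEY, PT))[2])
    print("CBC block1 == block3:", blocks(cbc_encrypt(KEY, IV, PT))[0] == blocks(cbc_encrypt(KEY, IV, PT))[2])
    print(ciphertext_error_propagation(KEY, IV, PT, 8 * BLOCK + 3))   # flip bit 3 of C2
```

With the flipped bit in C2, the report comes out as ECB: block 2 garbled, the rest intact; CBC: block 2 garbled, exactly one bit of block 3 changed, blocks 1 and 4 intact; CTR: exactly one bit of block 2 changed and nothing else, which is the answer to the "think about CTR" question on slide 54. The same code also shows that only CBC (and CTR) hide the repeated plaintext block that ECB exposes.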
  The repeated nature of the plaintext is therefore not apparent in the ciphertext.

Slide 40: CBC decryption
- Let Dk be the decryption algorithm with the key k. In encryption, Ci+1 = Ek(Pi+1 ⊕ Ci). So:
  Pi+1 ⊕ Ci = Dk(Ci+1)
  Pi+1 = Dk(Ci+1) ⊕ Ci
  …
  P1 = Dk(C1) ⊕ IV
- The decryption operation can be done in parallel for multiple blocks.

Slide 41: CBC Decryption
- In summary, to decrypt, simply decrypt each block in turn and XOR with the previous ciphertext block (or the initialisation vector IV for the first one).
(Diagram courtesy of Wikipedia)

Slide 42: Error Propagation
- If there is an error in the plaintext, what does that do to the ciphertext?
- If there is an error in the ciphertext, what does that do to the plaintext?

Slide 43: Error propagation in CBC encryption
(Figure: a one-bit change in one plaintext block leaves the earlier ciphertext blocks unchanged and makes that block and every subsequent ciphertext block completely different.)

Slide 44: CBC Encryption with one change in P2
  Original                 After the change
  C1 = Ek(P1 ⊕ IV)         C1 = Ek(P1 ⊕ IV)
  C2 = Ek(P2 ⊕ C1)         C2' = Ek(P2' ⊕ C1)
  C3 = Ek(P3 ⊕ C2)         C3' = Ek(P3 ⊕ C2')
  C4 = Ek(P4 ⊕ C3)         C4' = Ek(P4 ⊕ C3')
- C2', C3', C4', … all change.

Slide 45: Error propagation in CBC decryption
(Figure: a one-bit change in one ciphertext block makes the corresponding plaintext block completely different, changes one bit in the next plaintext block, and leaves the rest unchanged.)

Slide 46: CBC Decryption with one change in C2
  Original                 After the change
  P1 = Dk(C1) ⊕ IV         P1 = Dk(C1) ⊕ IV
  P2 = Dk(C2) ⊕ C1         P2' = Dk(C2') ⊕ C1
  P3 = Dk(C3) ⊕ C2         P3' = Dk(C3) ⊕ C2'
  P4 = Dk(C4) ⊕ C3         P4 = Dk(C4) ⊕ C3
- P2' and P3' change; P4 does not change.

Slide 47: Data Confidentiality vs Data Integrity/Authentication
- Data confidentiality: only an authorised entity (e.g., one who holds a key) can access protected data.
- Data integrity/authentication: only an authorised entity (e.g., one who holds a key) can create data, and any unauthorised modification to the data can be detected.
- Alice and Bob share a key kAB that they use for confidential communication. Alice sends the following to Bob, encrypted under kAB with CBC: "code no kkkkkkkk: £10.00 to be transferred to Mallory's account"
- What could possibly go wrong?
  EkAB("code no kkkkkkkk: £10.00 to be transferred to Mallory's account")

Slide 48: Block level view
- Alice: "code no kkkkkkkk: £10.00 to be transferred to Mallory's account" → EkAB → C1 C2 C3 C4 C5 C6 C7 C8, sent to Bob.
- Bob receives C1 C2 C3 C4 C5 C6 C7 C8 → DkAB → "code no kkkkkkkk: £10.00 to be transferred to Mallory's account"

Slide 49: An attack on integrity
- Alice: "code no kkkkkkkk: £10.00 to be transferred to Mallory's account" → EkAB → C1 C2 C3 C4 C5 C6 C7 C8, sent to Bob.
- Mallory changes the second cipher block: C2' = C2 ⊕ ": £10.00" ⊕ ": £10000"
- Bob receives C1 C2' C3 C4 C5 C6 C7 C8 → DkAB → "code no nnnnnnnn: £10000 to be transferred to Mallory's account" (nnnnnnnn stands for the changed second block)

Slide 50: What does Mallory need to change?
- Mallory exploits the method for decryption: Pi+1 = Dk(Ci+1) ⊕ Ci
- To produce plaintext P'i+1 in block i+1 (in place of Pi+1), we XOR with Pi+1 ⊕ P'i+1 as follows:
  Pi+1 ⊕ Pi+1 ⊕ P'i+1 = Dk(Ci+1) ⊕ Ci ⊕ Pi+1 ⊕ P'i+1
- Hence we change Ci to Ci ⊕ Pi+1 ⊕ P'i+1. This results in changing Pi+1 to P'i+1.

Slide 51: What does Mallory need to change?
- P3 = ": £10.00" = 3A 20 A3 31 30 2E 30 30
- P'3 = ": £10000" = 3A 20 A3 31 30 30 30 30
- P3 ⊕ P'3 = 00 00 00 00 00 1E 00 00
- Mallory needs to change C2 to C2 ⊕ 00 00 00 00 00 1E 00 00, e.g. if C2 = E8 DD 56 8E 5E B7 11 B0 then C'2 = E8 DD 56 8E 5E A9 11 B0
  (1E = 00011110, B7 = 10110111, 1E ⊕ B7 = 10101001 = A9)

Slide 52: Counter (CTR) Mode (I): Encryption
- The initialisation value is a nonce, say n, which is never reused.
- For the first block, the counter value is 0, so use n1 = n. For the second block, n2 = n1 + 1. For the i-th block, ni = ni-1 + 1.
- Ci = ENC(Key, ni) ⊕ Pi

Slide 53: Counter (CTR) Mode (II): Decryption
- Use the same initialisation value and counter values as in encryption.
- For the first block, the counter value is 0, so use n1 = n. For the second block, n2 = n1 + 1. For the i-th block, ni = ni-1 + 1.
- Pi = ENC(Key, ni) ⊕ Ci

Slide 54: Error propagation
- ECB: One bit change in the plaintext gives one block change in the ciphertext. No impact on other blocks.
  One bit change in the ciphertext gives one block change in the plaintext on decryption. No impact on other blocks.
- CBC: One bit change in the plaintext gives a completely different sequence of subsequent enciphered blocks. One bit change in the ciphertext changes one block plus one bit in the plaintext.
- Please think about error propagation in the CTR mode.

Slide 55: Several other modes
- There are several other modes that are variations of CBC and CTR. These all carry forward some aspect of the encryption from one block to the next.
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Others less common, e.g. propagating cipher block chaining (PCBC)
- https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

Slide 56: Structure of lecture
Symmetric Cryptography (I): Introduction; Block ciphers; Padding; Modes of Operation; Error Propagation; Message Authentication Codes (MAC); Authenticated encryption

Slide 57: Message Authentication Code (MAC)
- Also called symmetric signature

Slide 58: Confidentiality and Integrity/Authenticity
- Security is about confidentiality and integrity.
- The symmetric encryption we have discussed so far (DES/AES + ECB/CBC/CTR) gives confidentiality. BUT: it does not give integrity, i.e. a message that Bob receives and decrypts with kAB might not decrypt to the message that Alice created. Encryption does not protect against alteration.
- So we need something further to ensure integrity/authenticity: a Message Authentication Code (MAC).

Slide 59: Message Authentication Code (cryptographic checksum)
- The MAC is a small (fixed-size) block of data: MAC = C(k, M), where M = input message, C = MAC function, k = secret key shared between sender and recipient.
- To provide evidence of authenticity, transmit the MAC alongside the message.

Slide 60: Use of MAC
(Diagram from: http://en.wikipedia.org/wiki/Message_authentication_code)

Slide 61: MAC assurances
- Alice and Bob share the secret key k.
- When Bob receives a message M and its MAC = C(k, M):
  Bob knows M cannot have been altered in transit (since the MAC must have been computed by Alice, using M as input).
  He knows M must have come from Alice (no one else could have computed the MAC).
  If the message contains a sequence number, then the receiver knows the proper sequence, since the sequence numbers cannot be altered.

Slide 62: Building a MAC function: CBC-MAC (a commonly used example, among others)
- Block ciphers with CBC can be used to build a MAC function:
  Pad the data as usual to provide an exact number of blocks.
  Encrypt with k using CBC.
  Take the final block as the MAC, after optional processing and truncation (if the MAC size is smaller than the block size).
- Typically the optional processing uses a second secret key k': it consists of decrypting with k' and then encrypting again with k.
- The optional processing defends against cryptanalysis and against combining messages.

Slide 63: Authenticated Encryption

Slide 64: Authenticated Encryption
From ISO/IEC 19772: Authenticated encryption
- Authenticated encryption: (reversible) transformation of data by a cryptographic algorithm to produce ciphertext that cannot be altered by an unauthorized entity without detection, i.e.
  it provides data confidentiality, data integrity and data origin authentication.
- Example of authenticated encryption: Encrypt-then-MAC

Slide 65: Encrypt-then-MAC Notation
- K1 and K2 are two keys
- S is a starting value (the same idea as an initialization value)
- P is a plaintext
- C is a ciphertext
- T is a tag (the output of a MAC operation)
- ENC is the encryption operation (e.g., AES + CBC)
- DEC is the decryption operation (associated with ENC)
- MAC is the message authentication code operation
- || is concatenation

Slide 66: Encrypt-then-MAC Encryption
(Diagram: P and S → ENC under K1 → C'; S||C' → MAC under K2 → T; output C = C'||T)
- Given P, S, K1, K2:
  C' = ENC(K1, S, P)
  T = MAC(K2, S||C')
  C = C'||T
- Output C

Slide 67: Encrypt-then-MAC Decryption
(Diagram: split C into C' and T; S||C' → MAC under K2 → T'; if T ≠ T' halt (N), otherwise (Y) C' and S → DEC under K1 → P)
- Given C, S, K1, K2:
  Get C' and T from C
  T' = MAC(K2, S||C')
  T =?= T'; if not, halt
  If yes, P = DEC(K1, S, C')
- Output P

Slide 68: A thwarted attack on integrity
- Alice: "code no kkkkkkkk: £10.00 to be transferred to Mallory's account" → EkAB → C = C1 C2 C3 C4 C5 C6 C7 C8, sent to Bob together with MAC(k'AB, C).
- Mallory changes the second cipher block: C2' = C2 ⊕ ": £10.00" ⊕ ": £10000", giving C' = C1 C2' C3 C4 C5 C6 C7 C8.
- Mallory cannot compute MAC(k'AB, C'), and MAC(k'AB, C) won't match C', so Bob doesn't accept the message.

Slide 69: Lab: working with DES/AES
- CrypTool
- Java Cryptography Extensions
- Note that in reality, DES is insecure due to its small key size (56 bits) and block size (64 bits), so it should not be used in real applications. This lab session uses DES only for experimental purposes. In the real world, 3DES is still used.

Slide 70: (end of Lecture 2)
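As an added example that is not the lecture's code, here is the Encrypt-then-MAC construction of slides 65-67 in Python, applied to the message of slides 47-51 and 68. The standard library has no AES, so ENC is a constructed HMAC-SHA256 counter-mode keystream standing in for the "AES + CBC" of slide 65, and MAC is HMAC-SHA256 standing in for the CBC-MAC of slide 62; the keys, the starting value S, the byte position and the function names are all constructed for this example. The demo() function returns three results: the authenticated round trip, the same ciphertext with one body byte changed and then checked with the tag (rejected, as on slide 68), and that changed ciphertext decrypted with no tag check at all (accepted silently, as on slide 49).

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes; HMAC-SHA256 output


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k1: bytes, s: bytes, data: bytes) -> bytes:
    """ENC/DEC of slide 65 (stand-in for AES + CBC): a counter-mode keystream
    HMAC-SHA256(K1, S || counter) XORed onto the data. Decryption is the same
    call. Constructed for this example only; NOT a production cipher."""
    out = []
    for i in range(0, len(data), 32):
        keystream = hmac.new(k1, s + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[i:i + 32]
        out.append(_xor(chunk, keystream[:len(chunk)]))
    return b"".join(out)


def mac(k2: bytes, data: bytes) -> bytes:
    """MAC of slide 65, here HMAC-SHA256 instead of the CBC-MAC of slide 62."""
    return hmac.new(k2, data, hashlib.sha256).digest()


def etm_encrypt(k1: bytes, k2: bytes, s: bytes, p: bytes) -> bytes:
    # Slide 66: C' = ENC(K1, S, P); T = MAC(K2, S||C'); C = C'||T
    c_prime = enc(k1, s, p)
    t = mac(k2, s + c_prime)
    return c_prime + t


def etm_decrypt(k1: bytes, k2: bytes, s: bytes, c: bytes):
    # Slide 67: split C into C' and T, recompute T', halt (None) unless T == T'.
    if len(c) < TAG_LEN:
        return None
    c_prime, t = c[:-TAG_LEN], c[-TAG_LEN:]
    t_prime = mac(k2, s + c_prime)
    if not hmac.compare_digest(t, t_prime):   # constant-time tag comparison
        return None
    return enc(k1, s, c_prime)


def decrypt_without_mac(k1: bytes, s: bytes, c_prime: bytes) -> bytes:
    # Slide 58: encryption alone decrypts whatever arrives, altered or not.
    return enc(k1, s, c_prime)


def tamper(c: bytes, byte_index: int) -> bytes:
    # One changed byte in the ciphertext body, standing in for Mallory's C2' of slide 68.
    # With this stream-style ENC the change lands on the same plaintext byte; with CBC
    # it would also garble the whole preceding block (slide 46).
    buf = bytearray(c)
    buf[byte_index] ^= 0x1E
    return bytes(buf)


def demo() -> dict:
    k1, k2 = b"constructed-key-1", b"constructed-key-2"   # constructed sample keys
    s = b"\x00" * 8                                       # constructed S; use a fresh S per message
    p = b"code no kkkkkkkk: \xa310.00 to be transferred to Mallory's account"  # A3 = '£', as on slide 51
    c = etm_encrypt(k1, k2, s, p)
    c_bad = tamper(c, 21)   # byte 21 of C' sits inside the amount field
    return {
        "round_trip": etm_decrypt(k1, k2, s, c),
        "tampered_with_mac": etm_decrypt(k1, k2, s, c_bad),
        "tampered_without_mac": decrypt_without_mac(k1, s, c_bad[:-TAG_LEN]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The receiver's tag check on S||C' runs before any decryption, so a changed C' is dropped without Bob ever seeing the altered amount; the third result shows what the same change does when the message is only encrypted, which is the situation of slides 47-51.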