![[Symmetric] Encryption
Both parties share a secret key K
Given a message M, and a key K:
- M is known as the plaintext
- E(K;M) ! C (C known as the ciphertext)
- D(K;C) ! M
- Attacker cannot efficiently derive M from C without K
Note E and D take same argument K
- Thus, also sometimes called symmetric encryption
- Raises issue of how to get K: more on that later
Example algorithms: AES, Blowfish, DES, RC4, . . .](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-4-320.jpg)
![Example stream cipher (RC4)
Initialization:
- S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0;
Generating pseudo-random bytes:
i (i + 1) mod 256;
j (j + S[i]) mod 256;
swap S[i] $ S[j];
return S [(S[i] + S[j]) mod 256] ;](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-8-320.jpg)
![Example stream cipher (RC4)
Initialization:
- S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0;
Generating pseudo-random bytes:
i (i + 1) mod 256;
j (j + S[i]) mod 256;
swap S[i] $ S[j];
return S [(S[i] + S[j]) mod 256] ;](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-9-320.jpg)
![Example stream cipher (RC4)
Initialization:
- S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0;
Generating pseudo-random bytes:
i (i + 1) mod 256;
j (j + S[i]) mod 256;
swap S[i] $ S[j];
return S [(S[i] + S[j]) mod 256] ;](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-10-320.jpg)
![Example stream cipher (RC4)
Initialization:
- S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0;
Generating pseudo-random bytes:
i (i + 1) mod 256;
j (j + S[i]) mod 256;
swap S[i] $ S[j];
return S [(S[i] + S[j]) mod 256] ;](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-11-320.jpg)
![Example stream cipher (RC4)
Initialization:
- S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0;
Generating pseudo-random bytes:
i (i + 1) mod 256;
j (j + S[i]) mod 256;
swap S[i] $ S[j];
return S [(S[i] + S[j]) mod 256] ;](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-12-320.jpg)
![RC4 security
Warning: Lecture goal just to give a feel
- May omit critical details necessary to use RC4 and other
algorithms securely
RC4 Goal: Indistinguishable from random sequence
- Given part of the output stream, it should be intractable to
distinguish it from a truly random string
Problems
- Second byte of RC4 is 0 with twice expected probability [MS01]
- Bad to use many related keys (see WEP 802.11b) [FMS01]
- Recommendation: Discard the first 256 bytes of RC4 output
[RSA, MS]](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-13-320.jpg)
![Another example [Preneel]](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-20-320.jpg)
![Cryptographic hashes
Hash arbitrary-length input to fixed-size output
- Typical output size 160–512 bits
- Cheap to compute on large input (faster than network)
Collision-resistant: Intractable to find
x6= y such that H(x) = H(y)
- Of course, many such collisions exist
- But no one has been able to find one, even after analyzing
the algorithm
Historically most popular hash SHA-1
- [Nearly] broken
- Today should use SHA-256 or SHA-512
- Competition underway for new hash standard](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-26-320.jpg)
![Applications of cryptographic hashes
Small hash uniquely specifies large data
- Hash a file, remember the hash value
- Recompute hash later, if same value no tampering
- Hashes often published for software distribution
Hash tree [Merkle] lets you check small piece of large
file or database with log number of nodes
H
m0 m1 m2 m3 m4 m5 m6 m7](https://image.slidesharecdn.com/computernetwork3-140901161441-phpapp01/85/Computer-network-3-27-320.jpg)
Computer network (3)
- 1. Recall from last lecture To a first approximation, attackers control network Next two lectures: How to defend against this 1. Communicate securely despite insecure networks – cryptography 2. Secure small parts of network despite wider Internet
- 2. Cryptography Crypto important tool for securing communication - But often misused - Have to understand what it guarantees and what it doesn’t
- 3. How Cryptography Helps Secrecy - Encryption Integrity - Cryptographic hashes - Digital signatures - Message authentication codes (MACs) Authentication - Certificates, signatures, MACs Availability - Can’t usually be guaranteed by cryptography alone
- 4. [Symmetric] Encryption Both parties share a secret key K Given a message M, and a key K: - M is known as the plaintext - E(K;M) ! C (C known as the ciphertext) - D(K;C) ! M - Attacker cannot efficiently derive M from C without K Note E and D take same argument K - Thus, also sometimes called symmetric encryption - Raises issue of how to get K: more on that later Example algorithms: AES, Blowfish, DES, RC4, . . .
- 5. One-time pad Share a completely random key K Encrypt M by XORing with K: E(K;M) = M K Decrypt by XORing again: D(K;C) = C K Advantage: Information-theoretically secure - Given C but not K, any M of same length equally likely - Also: fast! Disadvantage: K must be as long as M - Makes distributing K for each message difficult
- 6. Idea: Computational security Distribute small K securely (e.g., 128 bits) Use K to encrypt far larger M (e.g., 1 MByte file) Given C = E(K;M), may be only one possible M - If M has redundancy But believed computationally intractable to find - E.g., could try every possible K, but 2128 keys a lot of work!
- 7. Types of encryption algorithms Stream ciphers – pseudo-random pad - Generate pseudo-random stream of bits from short key - Encrypt/decrypt by XORing with stream as if one-time pad - But NOT one-time PAD! (People who claim so are frauds!) - In practice, many stream ciphers uses have run into problems More common algorithm type: Block cipher - Operates on fixed-size blocks (e.g., 64 or 128 bits) - Maps plaintext blocks to same size ciphertext blocks - Today should use AES; other algorithms: DES, Blowfish, . . .
- 8. Example stream cipher (RC4) Initialization: - S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0; Generating pseudo-random bytes: i (i + 1) mod 256; j (j + S[i]) mod 256; swap S[i] $ S[j]; return S [(S[i] + S[j]) mod 256] ;
- 9. Example stream cipher (RC4) Initialization: - S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0; Generating pseudo-random bytes: i (i + 1) mod 256; j (j + S[i]) mod 256; swap S[i] $ S[j]; return S [(S[i] + S[j]) mod 256] ;
- 10. Example stream cipher (RC4) Initialization: - S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0; Generating pseudo-random bytes: i (i + 1) mod 256; j (j + S[i]) mod 256; swap S[i] $ S[j]; return S [(S[i] + S[j]) mod 256] ;
- 11. Example stream cipher (RC4) Initialization: - S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0; Generating pseudo-random bytes: i (i + 1) mod 256; j (j + S[i]) mod 256; swap S[i] $ S[j]; return S [(S[i] + S[j]) mod 256] ;
- 12. Example stream cipher (RC4) Initialization: - S[0 : : : 255] permutation h0; : : : 255i (based on key); i 0; j 0; Generating pseudo-random bytes: i (i + 1) mod 256; j (j + S[i]) mod 256; swap S[i] $ S[j]; return S [(S[i] + S[j]) mod 256] ;
- 13. RC4 security Warning: Lecture goal just to give a feel - May omit critical details necessary to use RC4 and other algorithms securely RC4 Goal: Indistinguishable from random sequence - Given part of the output stream, it should be intractable to distinguish it from a truly random string Problems - Second byte of RC4 is 0 with twice expected probability [MS01] - Bad to use many related keys (see WEP 802.11b) [FMS01] - Recommendation: Discard the first 256 bytes of RC4 output [RSA, MS]
- 14. Example use of stream cipher Pre-arrange to share secret s with web vendor Exchange payment information as follows - Send: E(s; Visa card #3273. . . ”) - Receive: E(s; Order confirmed, have a nice day”) Now an eavesdropper can’t figure out your Visa #
- 15. Wrong! Let’s say an attacker has the following: - c1 = Encrypt(s; Visa card #3273. . . ”) - c2 = Encrypt(s; Order confirmed, have a nice day”) Now compute: - m c1 c2 Order confirmed, have a nice day” Lesson: Never re-use keys with a stream cipher - Similar lesson applies to one-time pads (That’s why they’re called one-time pads.)
- 16. Wired Equivalent Privacy (WEP) Initial security standard for 802.11 - Serious weaknesses discovered: able to crack a connection in minutes - Replaced by WPA in 2003 Stream cipher, basic mode uses 64-bit key: 40 bits are fixed and 24 bits are an initialization vector (IV), specified in the packet - One basic flaw: if IV ever repeated (only 4 million packets), then key is reused - Many implementations would reset IV on reboot Other flaws include IV collisions, altered packets, etc.
- 17. Example block cipher (blowfish) 32 bit 32 bit F F 13 More Iterations F P1 P2 P16 P18 P17 32 bit 32 bit 32 bit Plaintext 32 bit 64 bit 32 bit 64 bit Ciphertext “Feistel network” Derive F and 18 subkeys (P1 : : : P18) from key Divide plaintext block into two halves, L0 and R0 Ri = Li1 Pi Li = Ri1 F(Ri) R17 = L16 P17 L17 = R16 P18 Output L17R17. (Note: This is just to give an idea; it’s not a complete description)
- 18. Using a block cipher In practice, message may be more than one block Encrypt with ECB (electronic code book) mode: - Split plaintext into blocks, and encrypt separately m1 m2 m3 Enc Enc Enc c1 c2 c3 - Attacker can’t decrypt any of the blocks; message secure Note: can re-use keys, unlike stream cipher - Every block encrypted with cipher will be secure
- 19. Wrong! Attacker will learn of repeated plaintext blocks - If transmitting sparse file, will know where non-zero regions lie Example: Intercepting military instructions - Most days, send encryption of “nothing to report.” - On eve of battle, send “attack at dawn.” - Attacker will know when battle plans are being made
- 21. Cipher-block chaining (CBC) IV m1 m2 m3 Enc Enc Enc c1 c2 c3 Choose initialization vector (IV) for each message - Can be 0 if key only ever used to encrypt one message - Choose randomly for each message if key re-used - Can be publicly known (e.g., transmit openly with ciphertext) c1 = E(K;mi IV ), ci = E(K;mi ci1) - Ensures repeated blocks are not encrypted the same
- 22. Encryption modes CBC, ECB are encryption modes, but there are others Cipher Feedback (CFB) mode: ci = mi E(K; ci1) - Useful for messages that are not multiple of block size Output Feedback (OFB) mode: - Repeatedly encrypt IV use result like stream cipher Counter (CTR) mode: ci = mi E(K; i) - Useful if you want to encrypt in parallel Q: Given a shared key, can you transmit files securely over net by just encrypting them in CBC mode?
- 23. 2-minute break
- 24. Problem: Integrity Attacker can tamper with messages - E.g., corrupt a block to flip a bit in next What if you delete original file after transfer? - Might have nothing but garbage at recipient Encryption does not guarantee integrity - A system that uses encryption alone (no integrity check) is often incorrectly designed. - Exception: Cryptographic storage (to protect disk if stolen)
- 25. Message authentication codes Message authentication codes (MACs) - Sender receiver share secret key K - For message m, compute v MAC(K;m) - Recipient runs CHECK(K; v;m) ! fyes; nog - Intractable to produce valid hm; vi without K To send message securely, append MAC - Send fm; MAC(K;m)g (m could be ciphertext, E(K0;M)) - Receiver of fm; vg discards unless CHECK(K; v;m) = yes Careful of Replay – don’t believe previous fm; vg
- 26. Cryptographic hashes Hash arbitrary-length input to fixed-size output - Typical output size 160–512 bits - Cheap to compute on large input (faster than network) Collision-resistant: Intractable to find x6= y such that H(x) = H(y) - Of course, many such collisions exist - But no one has been able to find one, even after analyzing the algorithm Historically most popular hash SHA-1 - [Nearly] broken - Today should use SHA-256 or SHA-512 - Competition underway for new hash standard
- 27. Applications of cryptographic hashes Small hash uniquely specifies large data - Hash a file, remember the hash value - Recompute hash later, if same value no tampering - Hashes often published for software distribution Hash tree [Merkle] lets you check small piece of large file or database with log number of nodes H m0 m1 m2 m3 m4 m5 m6 m7
- 28. HMAC Use cryptographic hash to produce MAC HMAC(K;m) = H(K opad;H(K ipad;m)) - H is a cryptographic hash such as SHA-1 - ipad is 0x36 repeated 64 times, opad 0x5c repeated 64 times To verify, just recompute HMAC - CHECK(K; v;m) = v ?= HMAC(K;m) - Many MACs are deterministic and work like this (“PRFs”), but fastest MACs randomized so CHECK can’t just recompute Note: Don’t just use H(K,M) as a MAC - Say you have fM; SHA-1(K;M)g, but not K - Can produce fM0; SHA-1(K;M0)g where M06= M - Hashes provide collision resistance, but do not prevent spoofing new messages
- 29. Order of Encryption and MACs Should you Encrypt then MAC, or vice versa? MACing encrypted data is always secure Encrypting fData+MACg may not be secure! - Consider the following secure, but stupid encryption alg - Transform m ! m0 by mapping each bit to two bits: Map 0 ! 00 (always), 1 ! f10; 01g (randomly pick one) - Now encrypt m0 with a stream cipher to produce c - Attacker flips two bits of c—if msg rejected, was 0 bit in m
- 30. Public key encryption Three randomized algorithms: - Generate – G(1k) ! K;K1 (randomized) - Encrypt – E(K;m) ! fmgK (randomized) - Decrypt – D(K1; fmgK) ! m Provides secrecy, like conventional encryption - Can’t derive m from fmgK without knowing K1 Encryption key K can be made public - Can’t derive K1 from K - Everyone can use same pub. key to encrypt for one recipient Note: Encrypt must be randomized - Same message must encrypt to different ciphertext each time - Otherwise, can easily guess plaintext from small message space (E.g., encrypt “yes”, encrypt “no”, see which matches message)
- 31. Digital signatures Three (randomized) algorithms: - Generate – G(1k) ! K;K1 (randomized) - Sign – S K1;m ! fmgK1 (can be randomized) - Verify – V (K; fmgK1 ;m) ! fyes; nog Provides integrity, like a MAC - Cannot produce valid hm; fmgK1 i pair without K1 - But only need K to verify; cannot derive K1 from K - So K can be publicly known
- 32. Popular public key algorithms Encryption: RSA, Rabin, ElGamal Signature: RSA, Rabin, ElGamal, Schnorr, DSA, . . . Warning: Message padding critically important - E.g., basic idea behind RSA encryption simple - Just modular exponentiation of large integers - But simple transformations of messages to numbers not secure Many keys support both signing encryption - But Encrypt/Decrypt and Sign/Verify different algorithms! - Common error: Sign by “encrypting” with private key
- 33. Cost of cryptographic operations Cost of public key algorithms significant - E.g., encrypt or sign only 100 msgs/sec - Can only encrypt small messages ( size of key) - Signature cost relatively insensitive to message size - Some algorithm variants provide faster encrypt/verify (e.g., Rabin, RSA-3 can encrypt 10; 000 msgs/sec) In contrast, symmetric algorithms much cheaper - Symmetric can encrypt+MAC faster than 1Gbps/sec LAN
- 34. Hybrid schemes Use public key to encrypt symmetric key - Send message symmetrically encrypted: fmsggKS ; fKSgKP Use PK to negotiate secret session key - Use Public Key crypto to establish 4 keys symmetric keys - Client sends server: ffm1gK1 ;MAC(K2; fm1gK1 )g - Server sends client: ffm2gK3 ;MAC(K4; fm2gK3 )g Often want mutual authentication (client server) - Or more complex, user(s), client, server Common pitfall: signing underspecified messages - E.g., Always specify intended recipient in signed messages - Should also specify expiration, or better yet fresh data - Otherwise like signing a blank check. . .
- 35. Server authentication Often want to communicate securely with a server Easy once you have server’s public key - Use public key to bootstrap symmetric keys Problem: Key management - How to get server’s public key? - How to know the key is really server’s?
- 36. Danger: impersonating servers Client Server Attacker Attacker pretends to be server, gives its own pub key Attacker mounts man-in-the-middle attack - Looks just like server to client (except for different public key) - Attacker sees, then re-encrypts sensitive communications - Attacker can also send bad data back to client
- 37. One solution: Certificate authorities (CAs) 1. PubKey, $$$ 2. Certificate Certification 3. Connection request 4. PubKey, Certificate Client Authority Server Everybody trusts some certificate authority Everybody knows CA’s public key - E.g., built into web browser This is how HTTPS (over SSL/TLS) works - Active when you see padlock in your web browser
- 38. Digital certificates A digital certificate binds a public key to name - E.g., “www.ebay.com’s public key is 0x39f32641. . . ” - Digitally signed with a CA’s private key Certificates can be chained - E.g., start with root CAs like Verisign - Verisign can sign Stanford’s public key - Stanford can sign keys for cs.stanford.edu, etc. - Not as widely supported as it should be (Maybe because CAs want $300 for every Stanford server) Assuming you trust the CA, solves the key management problem
- 39. Overview Attacks: secrecy, integrity, availability Cryptographic tools for secrecy and integrity - Availability usually solved through systems design, not crypto Next lecture: TLS and DNSSEC design and crypto