1
Cryptography for architects and engineers
Jasmeet Chhabra
Cryptography for Software Engineers
Jas Chhabra
2
Introducing Alice, Bob and Eve
(Figure: Alice, Bob and Eve)
Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?
3
Alice has heard of Encryption
(Figure: Alice sends c to Bob; Eve can observe c)
c = E(K, m)
m = D(K, c)
4
Alice searches the Internet and finds that AES seems to be the standard
5
What is AES?
•  AES is a block cipher
•  Block Ciphers: Work on fixed blocks of data
•  Current commonly used block ciphers use 128 bit blocks
(Figure: Visualizing an ideal block cipher: a 128-bit input block is mapped to a 128-bit output block through a randomly chosen lookup table with 2^128 entries, i.e. a random mapping from input blocks to output blocks.)
6
What does AES do?
(Figure: Single round of AES)
•  Round key XOR data
•  Fixed lookup table mapping
•  Shift each byte by a fixed offset
•  Mix with a linear transformation function
•  Repeat for 10-14 rounds depending on the size of the key.
7
Quick Note: Kerckhoffs's principle
•  The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
Why?
•  Algorithms are hard to change
•  It is difficult to get cryptographic algorithms right, and it is better to publish them for analysis.
8
Alice decides to use AES encryption
(Figure: Alice sends c to Bob; Eve can observe c)
c = E(K, m)
m = D(K, c)
The message "Buy INTC 50 90 shares" is split into blocks and each block is encrypted on its own; the ciphertext blocks are sent in order.
Each block ci = E(K, mi) (ECB Mode)
9
But Eve is clever. She changes the message in the following way
Alice sends the following: "Buy INTC 50 90 shares", split into blocks, each block ci = E(Ke, mi) (ECB Mode)
Eve swaps the two ciphertext blocks that hold "50" and "90"
The recipient receives the following: "Buy INTC 90 50 shares", each block mi = D(Ke, ci)
10
AES Electronic Code Book (ECB) mode issues
•  Blocks can be swapped
•  Patterns can be detected
(Figure: an original image next to the same image encrypted with AES in ECB mode; identical plaintext blocks give identical ciphertext blocks, so the outline of the image remains visible.)
11
Quick Note : Padding
•  Block ciphers work on messages that are a multiple of the block size
•  If the message is not a multiple of the block size, padding is required
•  Two common padding schemes:
•  Append a byte with value 128 (0x80) and then as many 0s as needed to make the message a multiple of the block size
•  Determine the number of bytes n > 0 required to make it a multiple of the block size. Add n bytes, each with value n
DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00
DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04
DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08
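Both padding schemes from this slide as an added Go example (not code from the original deck): pad and unpad routines for a 16-byte block, where the unpad side rejects malformed padding instead of guessing; the slide's 12-byte and 8-byte inputs of 0xDD are constructed sample data.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// blockSize is the AES block size in bytes (128 bits).
const blockSize = 16

var errBadPadding = errors.New("padding: invalid or inconsistent padding")

// PadBit appends a byte with value 128 (0x80) and then as many 0x00 bytes as
// needed. If the message is already a multiple of the block size, a whole
// block of padding is added, so the receiver can always strip it.
func PadBit(msg []byte) []byte {
	n := blockSize - len(msg)%blockSize // 1..16 bytes of padding
	out := append(append([]byte{}, msg...), 0x80)
	return append(out, make([]byte, n-1)...)
}

// UnpadBit scans backwards over the 0x00 bytes and requires the 0x80 marker.
func UnpadBit(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errBadPadding
	}
	i := len(data) - 1
	for i >= 0 && data[i] == 0x00 {
		i--
	}
	// the marker must exist and the padding must fit inside one block
	if i < 0 || data[i] != 0x80 || len(data)-i > blockSize {
		return nil, errBadPadding
	}
	return data[:i], nil
}

// PadCount adds n bytes each with value n, 1 <= n <= blockSize
// (the scheme standardised as PKCS#7).
func PadCount(msg []byte) []byte {
	n := blockSize - len(msg)%blockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// UnpadCount checks every padding byte, not just the last one, and combines
// the comparisons with OR so a malformed padding does not fail early.
func UnpadCount(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errBadPadding
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errBadPadding
	}
	var bad byte
	for _, b := range data[len(data)-n:] {
		bad |= b ^ byte(n)
	}
	if bad != 0 {
		return nil, errBadPadding
	}
	return data[:len(data)-n], nil
}

func main() {
	// Constructed sample inputs matching the slide: 12 and 8 bytes of 0xDD.
	for _, msg := range [][]byte{bytes.Repeat([]byte{0xDD}, 12), bytes.Repeat([]byte{0xDD}, 8)} {
		fmt.Printf("bit scheme:   % X\n", PadBit(msg))
		fmt.Printf("count scheme: % X\n", PadCount(msg))
	}
}
```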
12
Alice looked up other block cipher modes
She likes two:
•  CBC
•  CTR
Let us look at both
13
Quick Note: IV
•  Initialization vector: Used in block ciphers as an input
along with the key
•  Fixed IV : IV that doesn’t change
•  Counter IV: IV=0 for first message, IV = 1 for second etc.
•  Random IV: Large random number as IV for each message
•  Nonce-Generated IV: “Number used once” per key
•  Message numbers
•  Random number + message number
14
Quick XOR refresher
•  1 ⊕ 0 = 0 ⊕ 1 = 1
•  0 ⊕ 0 = 1 ⊕ 1 = 0
•  A ⊕ 0 = A
•  A ⊕ A = 0
•  A ⊕ A ⊕ A = A
15
CBC : Cipher Block Chaining (Encryption)
(Figure: each plaintext block is XORed with the previous ciphertext block, the first one with the IV, and the result goes through the block cipher encryption under the key to give the ciphertext block)
Ci = Ek(Pi ⊕ Ci-1), C0 = IV
16
CBC : Cipher Block Chaining (Decryption)
(Figure: each ciphertext block goes through the block cipher decryption under the key and the result is XORed with the previous ciphertext block, the first one with the IV, to recover the plaintext block)
Pi = Dk(Ci) ⊕ Ci-1, C0 = IV
17
CBC: Which IV to use?
•  Fixed IV: What if two messages start with the same plaintext block?
•  Counter IV: If the first blocks of two messages differ in a simple way, the XOR with a counter may cancel the difference out.
•  Random IV : Good. But requires a random number to be sent
•  Nonce IV: Good. Use a smaller random number + counter.
18
CTR: Counter mode (Encryption)
(Figure: for each block the block cipher encrypts Nonce || Counter under the key, e.g. F45a34… || 000000 for the first block and F45a34… || 000001 for the second, and the output is XORed with the plaintext block to give the ciphertext block)
Ki = E(K, Nonce || i) for i = 1, …, k
Ci = Pi ⊕ Ki
19
CTR: Counter mode (Decryption)
(Figure: the same keystream blocks are produced by encrypting Nonce || Counter under the key, e.g. F45a34… || 000000 and F45a34… || 000001, and XORed with the ciphertext blocks; only the block cipher's encryption direction is used)
Ki = E(K, Nonce || i) for i = 1, …, k
Pi = Ci ⊕ Ki
20
AES CTR
•  Counter = Nonce || i
•  If ever the counter is repeated:
•  Cx ⊕ Cy = E(K, counter) ⊕ Px ⊕ E(K, counter) ⊕ Py
•  i.e. Cx ⊕ Cy = Px ⊕ Py
•  Never ever repeat a counter with the same key
21
CTR Advantages
•  Random access is possible.
•  Both encryption and decryption can be parallelized.
•  Needs only encryption implementation
22
Alice decides to use AES CTR encryption
(Figure: Alice sends c to Bob; Eve can observe c)
ci = E(Ke, Nonce||i) ⊕ Pi
mi = E(Ke, Nonce||i) ⊕ Ci
The message "Buy INTC 50 90 shares" is split into blocks; each block ci = E(Ke, Nonce||i) ⊕ Pi
23
Eve is clever
•  Alice sends using CTR.
•  Eve changes the first block by XORing it with (Buy ⊕ Sell)
•  So the first block becomes:
•  c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
•  i.e. c = E(Ke, Nonce||1) ⊕ Sell
•  So, Bob gets:
Sell INTC 50 90 shares
24
Break/Recap
25
Alice figures she needs something to protect this
message
•  Her goal this time is to ensure that Eve can’t change the
message.
•  Doesn’t care about confidentiality (to keep things simple)
•  She looks up hash functions
26
What is a hash function?
(Figure: Ideal hash function: arbitrary length input → fixed length output)
•  Random mapping
•  Same output for same input
27
Defining security of hash functions
•  Pre-image resistance:
•  Given a hash h it should be difficult to find any message m
such that h = hash(m).
•  Second pre-image resistance
•  Given an input m1 it should be difficult to find another input
m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
•  Collision resistance
•  It should be difficult to find two different messages m1 and m2
such that hash(m1) = hash(m2).
28
Standard hash functions
•  MD5 : Don't use
•  SHA1 : Avoid. Not recommended for usage. Only use if the system gives you no other choice.
•  SHA2 : Use this.
•  SHA3 (not finalized)
•  One of the properties (bug?) of the hash functions above is that
•  If m = m1 || m2
•  H(m) = h(h(m1), m2)
•  This is called the length extension issue
29
Alice is now confident
•  She decides to use SHA-2 hash
•  Assume:
•  Alice and Bob share a secret key K just like Encryption
30
Alice decides to use SHA-2
(Figure: Alice sends "Buy INTC 50" together with the tag SHA2(K || Data) to Bob; Eve can observe both)
K is the secret
31
As usual Eve is clever
•  Eve computes
•  SHA2(SHA2(K||Data), 90)
•  Also, changes the message to
(Figure: message "Buy INTC 50 90" with tag SHA2(SHA2(K||Data), 90))
32
How to fix this?
•  Use HMAC
•  HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
•  opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
•  ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
Other MACs are available, but this is the most commonly recommended
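The HMAC formula above written out as an added Go example (not code from the deck), cross-checked against the standard library's crypto/hmac; the key handling (hash a key longer than the hash block, zero-pad a shorter one to the block size) is the part the slide leaves implicit. The key and message values are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HMACSHA256 computes HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)) with
// H = SHA-256, following the formula on the slide. One detail the slide leaves
// implicit: K is first brought to the hash block size (64 bytes for SHA-256).
// A longer key is replaced by its hash, a shorter key is zero-padded on the right.
func HMACSHA256(key, msg []byte) []byte {
	const block = sha256.BlockSize // 64 bytes
	if len(key) > block {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	k := make([]byte, block)
	copy(k, key) // zero-padded to one block

	ipad := bytes.Repeat([]byte{0x36}, block) // inner padding constant
	opad := bytes.Repeat([]byte{0x5c}, block) // outer padding constant

	inner := sha256.New()
	inner.Write(xorBytes(k, ipad))
	inner.Write(msg)

	outer := sha256.New()
	outer.Write(xorBytes(k, opad))
	outer.Write(inner.Sum(nil)) // the inner hash is keyed again, so h(h(m1), m2) tricks do not apply
	return outer.Sum(nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// VerifyTag recomputes the tag and compares it in constant time.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(HMACSHA256(key, msg), tag)
}

// MatchesStdlib cross-checks the hand-written HMAC against crypto/hmac.
func MatchesStdlib(key, msg []byte) bool {
	ref := hmac.New(sha256.New, key)
	ref.Write(msg)
	return hmac.Equal(HMACSHA256(key, msg), ref.Sum(nil))
}

func main() {
	key := []byte("shared secret K") // constructed sample key
	msg := []byte("Buy INTC 50")     // constructed sample message
	tag := HMACSHA256(key, msg)
	fmt.Println("tag:", hex.EncodeToString(tag), "matches crypto/hmac:", MatchesStdlib(key, msg))
	// Appending " 90" gives a message whose tag no longer verifies.
	fmt.Println("extended message verifies:", VerifyTag(key, append(msg, []byte(" 90")...), tag))
}
```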
33
Horton Principle
•  "Authenticate what is being meant, not what is being said”
•  Suppose you had two messages to send.
•  M1 & M2
•  You just send M1||M2|| HMAC(M1||M2)
•  What happens?
34
M1 = "Rachael Ray finds inspiration is cooking"
M2 = " her family and her dog"
35
Lesson: Always structure your message to be
unambiguous and then MAC the whole thing
•  For example Send:
•  {
message1_length= aa;
message1=“M1”;
message2_length=bb;
message2=“M2”;
}
HMAC({….})
"Authenticate what is being meant, not what is being said"
36
Alternative MAC 1: CBC-MAC
•  CBC-MAC: Use CBC with IV=0 and return the last block
as the MAC
•  H0 = IV. IV Should be fixed. Generally 0.
•  Hi = E(K, Pi⊕ Hi-1)
•  MAC = Hk
•  Why IV= 0?
•  CBC-MAC is good and secure, but suffers from certain types of collision attacks.
•  So, use CMAC.
37
Alternative MAC2 : CMAC
•  Same as CBC-MAC, except for the way the last block is handled
•  Generate two keys k1 & k2 from the MAC key k
•  Calculate the MAC using CBC-MAC except for the last block.
•  Change the last block (mn′) to the following before applying CBC-MAC
•  If mn′ is a complete block
•  mn = k1 ⊕ mn′
•  else mn = k2 ⊕ (mn′ ∥ 10…0), where 10…0 is a single 1 bit followed by as many 0 bits as needed to fill the block
Secure Channel
39
Alice wants the following
•  Eve shouldn’t learn anything about the messages except
for the timing and size
•  Bob should only get proper messages and is able to figure
out the correct order.
•  Duplicates are detected
•  Message modifications are detected
•  By now you have probably guessed that this can be achieved by a combination of Encryption and Authentication
40
Authentication and Encryption
Three possibilities:
1.  MAC then encrypt all including MAC
2.  Encrypt and then MAC the encrypted message
3.  Encrypt and MAC the plaintext message
•  Which one to use?
41
Encrypt and MAC the plaintext message
•  Not recommended as any weakness in MAC will leak info
about the message.
42
MAC and then encrypt the whole message
including MAC
•  Eve only gets to see ciphertext and encrypted MAC
•  Much harder to attack MAC
•  This is fine to use.
•  Potential timing attacks with padding (TLS Lucky 13 attack)
43
Encrypt and then MAC the encrypted message
•  Can drop an invalid message fast without decryption
•  Is not fully in line with Horton's principle
•  There may be ambiguity
•  This is good to use
•  We will use this and add authenticated headers to remove the ambiguity
44
Secure Channel : Generate Keys
•  KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
•  KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
•  KEYSENDAUTH ← HMAC-SHA2(K,"Auth Alice to Bob")
•  KEYRECAUTH ← HMAC-SHA2(K,"Auth Bob to Alice")
•  Swap Encryption & Decryption key if message is from Bob
to Alice
45
Message counters
•  Two message counters
•  Cab = Alice-to-Bob Message counter
•  Cba =Bob-to-Alice message counter
•  Both Alice and Bob store state of both counters
•  Initialize both to 0.
46
Alice sending message to Bob
•  We will only go through this direction
•  Bob to Alice is identical
47
Choosing CTR counter
•  It is recommended that the number of blocks encrypted with an AES 128 bit key is < 2^64 - 1
•  This is because after 2^64 blocks you will be able to distinguish the output from random
•  To ensure that, we use a counter for messages sent from Alice to Bob that never repeats, and keep the number of blocks encrypted < 2^64
•  Counter = (Cab || i) for the ith block in this particular message.
•  Ensure that Cab < 2^32 - 1
•  Ensure that length(m) < (2^32 - 1) * block_size
48
Alice Sending a message
•  Ensure that Cab < 2^32 - 1
•  Increment Cab
•  Ensure that length(m) < (2^32 - 1) * block_size
•  Use Counter = (Cab || i) for the ith block for AES-CTR
(Figure: message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2)
49
Bob: Receiving a message
•  Ensure that Cab > last received Cab
•  Check the HMAC of the message
•  Drop if it does not match
•  Store Cab. Check Version.
•  Decrypt using AES CTR
•  Counter = (Cab || i) for the ith block
•  Check the type and process accordingly.
(Figure: message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2)
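The secure channel of the last five slides (key derivation, message counters, CTR counter choice, sending, receiving) as one added Go example; it is not code from the deck. It assumes HMAC-SHA256 for both key derivation and the tag, AES-256 CTR keyed with the 32-byte derived key, a 10-byte header of Version (1) | Cab (4) | Length (4) | Type (1), and a tag over header plus ciphertext (encrypt-then-MAC with authenticated headers); the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const (
	version   = 1
	headerLen = 1 + 4 + 4 + 1 // Version | Cab | Length | Type
	tagLen    = sha256.Size   // HMAC-SHA256 tag
	maxCtr    = 1<<32 - 1     // Cab must stay below 2^32 - 1
)

// deriveKey implements KEY <- HMAC-SHA2(K, label) from the key-generation slide.
func deriveKey(k []byte, label string) []byte {
	h := hmac.New(sha256.New, k)
	h.Write([]byte(label))
	return h.Sum(nil) // 32 bytes: used as an AES-256 key or an HMAC key
}

// Endpoint is one side of the channel: its four directional keys, the counter it sends with and the highest counter accepted so far.
type Endpoint struct {
	sendEnc, sendAuth, recvEnc, recvAuth []byte
	sendCtr, lastRecvCtr                 uint32
}

// NewEndpoint derives the keys from K; for Bob the send and receive labels are swapped.
func NewEndpoint(k []byte, isAlice bool) *Endpoint {
	send, recv := "Alice to Bob", "Bob to Alice"
	if !isAlice {
		send, recv = recv, send
	}
	return &Endpoint{
		sendEnc: deriveKey(k, "Enc "+send), sendAuth: deriveKey(k, "Auth "+send),
		recvEnc: deriveKey(k, "Enc "+recv), recvAuth: deriveKey(k, "Auth "+recv),
	}
}

// ctrIV returns the first counter block Cab || 0; AES-CTR increments it as a big-endian integer, so message block i uses Cab || i.
func ctrIV(ctr uint32) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[4:8], ctr) // Cab in the high 64 bits, i in the low 64
	return iv
}

// Send produces Header | Encrypted message | HMAC-SHA2: encrypt-then-MAC with the header under the tag.
func (e *Endpoint) Send(msgType byte, plaintext []byte) ([]byte, error) {
	if e.sendCtr >= maxCtr {
		return nil, errors.New("send counter exhausted: rekey first")
	}
	if uint64(len(plaintext)) >= uint64(maxCtr)*aes.BlockSize {
		return nil, errors.New("message too long for the per-message block counter")
	}
	e.sendCtr++
	hdr := make([]byte, headerLen)
	hdr[0] = version
	binary.BigEndian.PutUint32(hdr[1:5], e.sendCtr)
	binary.BigEndian.PutUint32(hdr[5:9], uint32(len(plaintext)))
	hdr[9] = msgType
	block, _ := aes.NewCipher(e.sendEnc) // 32-byte key, so NewCipher cannot fail
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, ctrIV(e.sendCtr)).XORKeyStream(ct, plaintext)
	body := append(hdr, ct...)
	mac := hmac.New(sha256.New, e.sendAuth)
	mac.Write(body)
	return mac.Sum(body), nil
}

// Receive follows the slide's order: counter check, MAC check, store the counter, check version and length, decrypt.
func (e *Endpoint) Receive(frame []byte) (byte, []byte, error) {
	if len(frame) < headerLen+tagLen {
		return 0, nil, errors.New("frame too short")
	}
	body, tag := frame[:len(frame)-tagLen], frame[len(frame)-tagLen:]
	hdr, ct := body[:headerLen], body[headerLen:]
	ctr := binary.BigEndian.Uint32(hdr[1:5])
	if ctr <= e.lastRecvCtr {
		return 0, nil, errors.New("replayed or out-of-order counter: dropped")
	}
	mac := hmac.New(sha256.New, e.recvAuth)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return 0, nil, errors.New("bad MAC: dropped without decrypting")
	}
	e.lastRecvCtr = ctr
	if hdr[0] != version || binary.BigEndian.Uint32(hdr[5:9]) != uint32(len(ct)) {
		return 0, nil, errors.New("unsupported version or length mismatch")
	}
	block, _ := aes.NewCipher(e.recvEnc)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, 	ctrIV(ctr)).XORKeyStream(pt, ct)
	return hdr[9], pt, nil
}
```

A replayed frame fails the counter check before any MAC work, and a frame with a flipped ciphertext bit fails the MAC before decryption, so neither advances the receiver's state.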
Exchanging keys
51
How to exchange key K?
52
General idea of key exchange
53
Mod p operations
•  9 mod 7 = 2
•  Remainder left after division
•  9 = 7*1 +2
•  16 mod 7 = 2
•  16 = 7*2 + 2
54
Basic Diffie-Hellman Key exchange
(Figure)
Alice → Bob: g^x
Bob → Alice: g^y
Alice: K = (g^y)^x   Bob: K = (g^x)^y
55
Other values
Pre-Known/Exchanged values:
•  p, g, q (may be exchanged as part of the protocol)
•  Always check:
•  p = Nq + 1
•  (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
•  Make sure q is a large enough prime (≥ 256 bits)
•  Make sure p is a large enough prime (≥ 2048 bits)
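The checks on this slide as an added Go example, not code from the deck: parameter validation (primality, p = Nq + 1, g ≠ 1, g^q = 1 mod p), validation of a received g^x, and the shared-secret computation, all with math/big. The toy group p = 23, q = 11, g = 2 is constructed for illustration and far below the sizes the slide asks for; the size arguments let the same function insist on 2048/256 bits in production.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// CheckDHParams performs the checks the slide lists on the group parameters:
// p and q prime, p = N*q + 1, 1 < g < p-1 and g^q = 1 mod p (so g generates the
// subgroup of prime order q). minPBits and minQBits are the sizes to insist on;
// the slide recommends at least 2048 and 256.
func CheckDHParams(p, q, g *big.Int, minPBits, minQBits int) error {
	if p.BitLen() < minPBits || q.BitLen() < minQBits {
		return errors.New("p or q is too small")
	}
	if !p.ProbablyPrime(32) || !q.ProbablyPrime(32) {
		return errors.New("p and q must both be prime")
	}
	pm1 := new(big.Int).Sub(p, one)
	if new(big.Int).Mod(pm1, q).Sign() != 0 {
		return errors.New("p - 1 is not a multiple of q")
	}
	return CheckPeerValue(p, q, g)
}

// CheckPeerValue validates a received g^x (or the generator itself): it must lie
// strictly between 1 and p-1 and satisfy (g^x)^q = 1 mod p. Rejecting values
// outside the order-q subgroup keeps the shared key from being confined to a
// small subgroup by a bad peer value.
func CheckPeerValue(p, q, v *big.Int) error {
	pm1 := new(big.Int).Sub(p, one)
	if v.Cmp(one) <= 0 || v.Cmp(pm1) >= 0 {
		return errors.New("public value must satisfy 1 < v < p-1")
	}
	if new(big.Int).Exp(v, q, p).Cmp(one) != 0 {
		return errors.New("public value is not in the order-q subgroup")
	}
	return nil
}

// SharedSecret computes peer^priv mod p, i.e. (g^y)^x on Alice's side.
func SharedSecret(p, peer, priv *big.Int) *big.Int {
	return new(big.Int).Exp(peer, priv, p)
}

func main() {
	// Constructed toy parameters for illustration only: p = 23 = 2*11 + 1, q = 11, g = 2.
	p, q, g := big.NewInt(23), big.NewInt(11), big.NewInt(2)
	fmt.Println("params ok:", CheckDHParams(p, q, g, 0, 0))
	fmt.Println("at production sizes:", CheckDHParams(p, q, g, 2048, 256))
	x, y := big.NewInt(6), big.NewInt(9) // Alice's and Bob's private exponents
	gx, gy := new(big.Int).Exp(g, x, p), new(big.Int).Exp(g, y, p)
	fmt.Println("peer values ok:", CheckPeerValue(p, q, gx), CheckPeerValue(p, q, gy))
	fmt.Println("Alice:", SharedSecret(p, gy, x), "Bob:", SharedSecret(p, gx, y))
	fmt.Println("p-1 (order 2) rejected:", CheckPeerValue(p, q, big.NewInt(22)))
}
```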
56
Man in the middle
(Figure: Alice sends g^x, Eve intercepts it and forwards g^v to Bob; Bob sends g^y, Eve intercepts it and forwards g^w to Alice.)
Alice: K = (g^w)^x   Bob: K = (g^v)^y
Eve: K1 = (g^x)^w and K1 = (g^y)^v
So Eve shares one key with Alice and another with Bob.
57
So, how to exchange?
•  Assume there is some way to authenticate messages.
•  We will see how to do that in Public/Private key cryptography
•  Authenticated DH Protocol
•  First we will look at RSA Public Private Key cryptography
Asymmetric (Public/Private Key) Cryptography
59
Asymmetric (Public/Private) Cryptography
(Figure: Alice and Bob exchange public keys when they meet at a party)
60
Asymmetric (Public/Private) Cryptography : Signing
(Figure: Alice signs "Buy 20 shares of INTC" with Alice's private key; Bob verifies with Alice's public key and performs the transaction)
61
Asymmetric (Public/Private) Cryptography : Encryption
(Figure: Alice encrypts the secret message with Bob's public key; Bob decrypts with Bob's private key and reads the secret message)
62
RSA : key generation (1/2)
•  Generate two distinct large prime numbers p & q
•  Calculate n = p * q
•  Compute t = (p-1)(q-1) OR t = lcm(p-1, q-1)
•  Choosing t like this implies
•  x^t = 1 mod n
•  x^(t+1) = x mod n
•  Proof by authority !
63
RSA : key generation (2/2)
•  Choosing t like this implies x^(kt+1) = x mod n
•  Proof by authority !
•  Choose d such that ed = 1 mod t, i.e. ed = kt + 1 for some integer k
•  Common e value is 2^16 + 1 = 65,537
•  Public Key : n, e
•  Private Key : n, d
64
Example RSA key generation
•  p = 61 and q = 53
•  n = 61*53 = 3233
•  t = (p-1)(q-1) = (61-1)(53-1) = 3120
•  Let e = 17. Then solving for ed = 1 mod t
•  d = 2753
•  2753*17 = 15*3120 +1
•  46801 = 46800 + 1
65
RSA encryption/ decryption
•  c = m^e mod n
•  m = c^d mod n
•  X = (m^e)^d mod n
•  We know ed = kt + 1
•  X = m^(kt+1) mod n
•  Or X = (m^t)^k * m mod n
•  We also know, for any x: x^t = 1 mod n
•  So X = (1)^k * m mod n = m
•  Hence we can decrypt !
66
RSA encryption/ decryption example
•  Let m = 65. Then using previous e = 17, d = 2753, n = 3233
•  c = 65^17 (mod 3233) = 2790
•  m = 2790^2753 (mod 3233) = 65
67
RSA: why not to sign/encrypt data directly
•  If you sign m1 and m2
•  m1^d (mod n)
•  m2^d (mod n)
•  Attacker can compute the signature on m3 = m1 * m2 without the private key: m3^d (mod n) = m1^d * m2^d (mod n)
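The worked key (p = 61, q = 53, e = 17) and the multiplicative property from the last two slides as one added Go example using math/big; it is not code from the deck. KeyGen uses t = (p-1)(q-1) as the slide does, and RawSignaturesMultiply checks the relation the slide above states.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// RSAKey holds textbook RSA parameters: public (n, e), private (n, d).
type RSAKey struct{ N, E, D *big.Int }

// KeyGen follows the slide: n = p*q, t = (p-1)(q-1), d = e^-1 mod t, so that
// e*d = k*t + 1 for some integer k.
func KeyGen(p, q, e *big.Int) (*RSAKey, error) {
	if !p.ProbablyPrime(32) || !q.ProbablyPrime(32) || p.Cmp(q) == 0 {
		return nil, errors.New("p and q must be distinct primes")
	}
	n := new(big.Int).Mul(p, q)
	one := big.NewInt(1)
	t := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, t)
	if d == nil {
		return nil, errors.New("e has no inverse mod t: pick e coprime to t")
	}
	return &RSAKey{N: n, E: e, D: d}, nil
}

// Encrypt computes c = m^e mod n; Decrypt computes m = c^d mod n.
func (k *RSAKey) Encrypt(m *big.Int) *big.Int { return new(big.Int).Exp(m, k.E, k.N) }
func (k *RSAKey) Decrypt(c *big.Int) *big.Int { return new(big.Int).Exp(c, k.D, k.N) }

// RawSign is the private-key operation m^d mod n applied directly to the data,
// which is what the slide warns against.
func (k *RSAKey) RawSign(m *big.Int) *big.Int { return new(big.Int).Exp(m, k.D, k.N) }

// RawSignaturesMultiply checks the multiplicative property from the slide:
// (m1^d)(m2^d) mod n equals (m1*m2)^d mod n, so two raw signatures combine into
// a valid raw signature on m1*m2 that the signer never issued. Padding schemes
// such as RSA-PSS exist to break exactly this relation.
func (k *RSAKey) RawSignaturesMultiply(m1, m2 *big.Int) bool {
	combined := new(big.Int).Mul(k.RawSign(m1), k.RawSign(m2))
	combined.Mod(combined, k.N)
	m3 := new(big.Int).Mul(m1, m2)
	return combined.Cmp(k.RawSign(m3.Mod(m3, k.N))) == 0
}

func main() {
	key, err := KeyGen(big.NewInt(61), big.NewInt(53), big.NewInt(17)) // values from the slide
	if err != nil {
		panic(err)
	}
	fmt.Println("n =", key.N, "d =", key.D) // n = 3233 d = 2753
	c := key.Encrypt(big.NewInt(65))
	fmt.Println("c =", c, "m =", key.Decrypt(c)) // c = 2790 m = 65
	fmt.Println("raw signatures multiply:", key.RawSignaturesMultiply(big.NewInt(4), big.NewInt(9)))
}
```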
68
What is recommended?
•  Use one of the standards for signing and encryption
•  Signing: RSA-PSS (RSA Probabilistic Signature Scheme)
•  Encryption: RSA-OAEP (RSA Optimal Asymmetric Encryption Padding)
•  Don't use the same key for encryption and signing
•  An attacker may be able to use the decryption operation to obtain signatures from you, or the other way around, since both are the same private-key operation
•  Encryption keys and signing keys generally have different lifetimes
69
Elliptic curve cryptography
70
Elliptic curve example : y^2 = x^3 + ax + b
71
Point addition on curve: A + B
(Figure: points A, B and A + B on the curve)
72
Point inverse: -P
(Figure: points P and -P on the curve)
73
What about P + P
(Figure: point P and 2P = P + P on the curve)
74
Elliptic curve discrete logarithm problem
•  With a curve of the form y^2 = x^3 + ax + b mod p, where p is a large prime, and the operation point addition +
•  P + P + … + P = dP = T
•  Given dP and P, it should be hard to compute d.
•  d is kept secret like a private key
•  Intuitively: P + P + P … for very large d (>160 bits)
Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
75
Example of ECC usage: ECDH (simplified)
Given a prime p, a suitable elliptic curve E and a point P = (xP, yP)
Alice: choose kPrA = a ∈ {2, 3, …, #E-1}; compute kPubA = A = aP = (xA, yA)
Bob: choose kPrB = b ∈ {2, 3, …, #E-1}; compute kPubB = B = bP = (xB, yB)
Alice → Bob: A
Bob → Alice: B
Alice computes aB = Tab; Bob computes bA = Tab
•  One of the coordinates of the point Tab (usually the x-coordinate) can be used as the session key (often after applying a hash function)
76
Elliptic curve summary
•  Elliptic Curve Cryptography (ECC) is based on the
discrete logarithm problem.
•  ECC provides the same level of security as RSA or
discrete logarithm systems with much shorter key sizes
(160-256 bits) vs (1024-3072 bits)
•  ECC can be used for key exchange, signatures and
encryption
•  ECC generally has performance advantage over RSA
77
Diffie-Hellman
78
Why DH Protocol?
•  A lot of the time the security certificate only supports signing
•  Perfect Forward Secrecy
•  Even if you find my private keys later you cannot decrypt my communication
79
Reminder: Basic Diffie-Hellman Key exchange
(Figure)
Alice → Bob: g^x
Bob → Alice: g^y
Alice: K = (g^y)^x   Bob: K = (g^x)^y
80
Reminder DH
Pre-Known/Exchanged values:
•  p, g, q (may be exchanged as part of the protocol)
•  Always check:
•  p = Nq + 1
•  (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
•  Make sure q is a large enough prime (≥ 256 bits)
•  Make sure p is a large enough prime (≥ 2048 bits)
81
Attempt 1: Authenticated DH
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y)
Alice → Bob: SigA(g^x, g^y)
Any issues?
82
Identity misbinding attack on DH
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y)
Alice → Bob: SigA(g^x, g^y)
E doesn't know K = g^xy, but B thinks that anything coming from A is coming from E
(Figure: Eve replaces Alice's identity in the first message)
Eve → Bob: E, g^x
Bob → Eve: B, g^y, SigB(g^x, g^y)
Eve → Bob: SigE(g^x, g^y)
83
Authenticated DH
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y, A)
Alice → Bob: SigA(g^x, g^y, B)
84
Limitations
•  Both parties need to know each other’s identity before
they can authenticate
•  Leaves a signed proof of communication (signing peer’s
identity)
•  Sigma solves these issues
85
Sigma Basic version
Alice → Bob: g^x
Bob → Alice: B, g^y, SigB(g^x, g^y), MAC_Km(B)
Alice → Bob: A, SigA(g^x, g^y), MAC_Km(A)
•  Km is derived from g^xy
•  Does not require knowing the peer's id for own auth
•  Adds deniability
For comparison, Authenticated DH:
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y, A)
Alice → Bob: A, SigA(g^x, g^y, B)
86
Sigma-I: Active protection of Initiator's ID
Alice → Bob: g^x
Bob → Alice: g^y, {B, SigB(g^x, g^y), MAC_Km(B)}_Ke
Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
•  Km and Ke are derived from g^xy
•  Initiator's id is protected and not revealed except to an authenticated party
87
Sigma-R: Active protection of Responder's ID
Alice → Bob: g^x
Bob → Alice: g^y
Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
Bob → Alice: {B, SigB(g^x, g^y), MAC_Km'(B)}_Ke'
•  Km and Ke are derived from g^xy
•  Responder's ID is not revealed until the initiator's is revealed
88
Next Part
•  EPID based Sigma key exchange
•  PKI : Public key infrastructure
•  Why random numbers are important?
•  Clocks and monotonic counters
•  Storing secrets
•  Analysis of common protocols
•  TLS
•  Sigma key exchange
•  IKE and IPSEC

"Impact of front-end architecture on development cost", Viktor Turskyi
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

Cryptography for software engineers

  • 1. Cryptography for architects and engineers, Jasmeet Chhabra (Cryptography for Software Engineers, Jas Chhabra)

  • 2. Introducing Alice, Bob and Eve
    Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?

  • 3. Alice has heard of Encryption
    Alice computes c = E(K, m) and sends c to Bob; Bob computes m = D(K, c).

  • 4. Alice searches the Internet and finds that AES seems to be the standard

  • 5. What is AES?
    •  AES is a block cipher
    •  Block Ciphers: Work on fixed blocks of data
    •  Current commonly used block ciphers use 128 bit blocks
    Visualizing an ideal block cipher: a 128-bit input goes through a random mapping (a randomly mapped lookup table of size 2^128) to a 128-bit output, e.g. 1011….000000…00000 → 0000….110000…00001 and 1001….001111….1110 → 1100….111111….1111.

  • 6. What does AES do?
    A single round of AES: round key XOR data → fixed lookup table mapping → shift each byte by a fixed offset → mix with a linear transformation function. Repeat for 10-14 rounds depending on the size of the key.

  • 7. Quick Note: Kerckhoff's principle
    •  The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
    Why?
    •  Algorithms are hard to change
    •  It is difficult to get cryptographic algorithms right and it is better to publish them for analysis.

  • 8. Alice decides to use AES encryption
    Alice computes c = E(K, m) and sends c; Bob computes m = D(K, c). The message "Buy INTC 50 90 shares" is split into blocks and each block is encrypted on its own: ci = E(K, mi) (ECB mode).

  • 9. But Eve is clever. She changes the message in the following way
    Alice sends "Buy INTC 50 90 shares", encrypted block by block as ci = E(Ke, mi) (ECB mode). Eve swaps the two ciphertext blocks holding "50" and "90". Each block still decrypts as mi = D(Ke, ci), so the received message reads "Buy INTC 90 50 shares".

  • 10. AES Electronic Code Book (ECB) mode issues
    •  Blocks can be swapped
    •  Patterns can be detected
    (Figure: original image next to the same image encrypted in AES ECB mode)

  • 11. Quick Note: Padding
    •  Block ciphers work on messages that are a multiple of the block size
    •  If the message is not a multiple of the block size, padding is required
    •  Two common padding schemes:
      •  Append 128 (a 0x80 byte) and then as many 0s as needed to make the message a multiple of the block size
      •  Determine the number of bytes n > 0 required to make it a multiple of the block size. Add n bytes, each with value n
    Examples (DD = data byte, 16-byte block):
      DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00
      DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04
      DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08

  • 12. Alice looked up other block cipher modes. She likes two:
    •  CBC
    •  CTR
    Let us look at both

  • 13. Quick Note: IV
    •  Initialization vector: Used in block ciphers as an input along with the key
    •  Fixed IV: IV that doesn't change
    •  Counter IV: IV = 0 for the first message, IV = 1 for the second, etc.
    •  Random IV: Large random number as IV for each message
    •  Nonce-Generated IV: "Number used once" per key
      •  Message numbers
      •  Random number + message number

  • 14. Quick XOR refresher
    •  1 ⊕ 0 = 0 ⊕ 1 = 1
    •  0 ⊕ 0 = 1 ⊕ 1 = 0
    •  A ⊕ 0 = A
    •  A ⊕ A = 0
    •  A ⊕ A ⊕ A = A

  • 15. CBC: Cipher Block Chaining (Encryption)
    Each plaintext block is XORed with the previous ciphertext block (the IV for the first block) and then passed through the block cipher under the key:
    Ci = Ek(Pi ⊕ Ci-1), C0 = IV

  • 16. CBC: Cipher Block Chaining (Decryption)
    Each ciphertext block is decrypted under the key and XORed with the previous ciphertext block (the IV for the first block):
    Pi = Dk(Ci) ⊕ Ci-1, C0 = IV

  • 17. CBC: Which IV to use?
    •  Fixed IV: What if two messages start with the same plaintext block?
    •  Counter IV: If the first blocks of two messages have a simple difference, the XOR with a counter may cancel it out.
    •  Random IV: Good. But requires a random number to be sent
    •  Nonce IV: Good. Use a smaller random number + counter.

  • 18. CTR: Counter mode (Encryption)
    The block cipher encrypts Nonce || Counter (e.g. F45a34……. || 000000 for the first block, F45a34……. || 000001 for the second) under the key; the result is XORed with the plaintext block:
    Ki = E(K, Nonce || i) for i = 1,…,k
    Ci = Pi ⊕ Ki

  • 19. CTR: Counter mode (Decryption)
    The same keystream blocks are generated with the block cipher in the encryption direction and XORed with the ciphertext:
    Ki = E(K, Nonce || i) for i = 1,…,k
    Ci = Pi ⊕ Ki, so Pi = Ci ⊕ Ki

  • 20. AES CTR
    •  Counter = Nonce || i
    •  If ever the counter is repeated:
      •  Cx ⊕ Cy = E(K, counter) ⊕ Px ⊕ E(K, counter) ⊕ Py
      •  i.e. Cx ⊕ Cy = Px ⊕ Py
    •  Never ever repeat a counter with the same key
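CTR mode as on slides 18-20, written out as an added example (not code from the slides): it assumes HMAC-SHA256 truncated to one block as a stand-in for the AES block function, since the Python standard library has no AES, and checks the counter-reuse identity Cx ⊕ Cy = Px ⊕ Py.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks, as on slide 5

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES (assumption of this example): a keyed PRF truncated to
    # one block. CTR only runs the cipher forward, so any good PRF fits the mode.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    # K_i = E(K, Nonce || i) for i = 1..k (slide 18); 8-byte nonce, 8-byte counter
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    return b"".join(block_encrypt(key, nonce + i.to_bytes(8, "big"))
                    for i in range(1, nblocks + 1))

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # C_i = P_i xor K_i; decryption is the very same call (slide 19)
    nblocks = -(-len(data) // BLOCK)  # ceiling division
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, nblocks)))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fresh_nonce() -> bytes:
    # one nonce per message under a given key: the rule on slide 20
    return secrets.token_bytes(8)

def keystream_cancels(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    # Slide 20: if the same counter is used twice,
    # Cx xor Cy = E(K, ctr) xor Px xor E(K, ctr) xor Py = Px xor Py,
    # i.e. an observer learns the XOR of the two plaintexts without the key.
    c1, c2 = ctr(key, nonce, p1), ctr(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    k = secrets.token_bytes(16)
    n = fresh_nonce()
    msg = b"Buy INTC 50 90 shares"  # constructed sample, taken from the slides
    assert ctr(k, n, ctr(k, n, msg)) == msg
    # a second message sent under the same nonce leaks Px xor Py
    print(keystream_cancels(k, n, msg, b"Sell INTC 10 shares!!"))  # True
```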
  • 21. CTR Advantages
    •  Random access is possible.
    •  Both encryption and decryption can be parallelized.
    •  Needs only the encryption implementation

  • 22. Alice decides to use AES CTR encryption
    Alice computes c = E(Ke, Nonce||i) ⊕ Pi and sends c; Bob computes m = E(Ke, Nonce||i) ⊕ Ci. The message "Buy INTC 50 90 shares" is split into blocks and each block is encrypted as ci = E(Ke, Nonce||i) ⊕ Pi (CTR mode).

  • 23. Eve is clever
    •  Alice sends using CTR.
    •  Eve changes the first block by performing an XOR with (Buy ⊕ Sell)
    •  So the first block becomes:
      •  c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
      •  i.e. c = E(Ke, Nonce||1) ⊕ Sell
    •  So, Bob gets: Sell INTC 50 90 shares

  • 25. Alice figures she needs something to protect this message
    •  Her goal this time is to ensure that Eve can't change the message.
    •  Doesn't care about confidentiality (to keep things simple)
    •  She looks up hash functions

  • 26. What is a hash function?
    Ideal hash function: arbitrary length input → fixed length output
    •  Random mapping
    •  Same output for the same input

  • 27. Defining security of hash functions
    •  Pre-image resistance: Given a hash h it should be difficult to find any message m such that h = hash(m).
    •  Second pre-image resistance: Given an input m1 it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
    •  Collision resistance: It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2).

  • 28. Standard hash functions
    •  MD5: Don't use
    •  SHA1: Avoid. Not recommended for usage. Only use if the system gives you no other choice.
    •  SHA2: Use this.
    •  SHA3 (not finalized)
    •  One of the properties (bug?) of the hash functions above is that
      •  If m = m1, m2
      •  H(m) = h(h(m1), m2)
      •  This is called the length extension issue

  • 29. Alice is now confident
    •  She decides to use the SHA-2 hash
    •  Assume: Alice and Bob share a secret key K, just like for encryption

  • 30. Alice decides to use SHA-2
    Alice sends Bob "Buy INTC 50" together with SHA2(K || Data), where K is the secret.

  • 31. As usual Eve is clever
    •  Eve computes Sha2( SHA2( K||Data), 90)
    •  Also, changes the message to "Buy INTC 50 90" and sends it with the tag Sha2( SHA2( K||Data), 90)

  • 32. How to fix this?
    •  Use HMAC
    •  HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
    •  opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
    •  ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
    Other MACs are available, but this is the most commonly recommended

  • 33. Horton Principle
    •  "Authenticate what is being meant, not what is being said"
    •  Suppose you had two messages to send: M1 & M2
    •  You just send M1||M2|| HMAC(M1||M2)
    •  What happens?

  • 35. Lesson: Always structure your message to be unambiguous and then MAC the whole thing
    •  For example, send: { message1_length = aa; message1 = "M1"; message2_length = bb; message2 = "M2"; } HMAC({….})
    "Authenticate what is being meant, not what is being said"
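HMAC built from the formula on slide 32, checked against the standard library, and the unambiguous framing of slide 35, as one added example that is not code from the slides; the 4-byte length-prefix layout and the sample strings are assumptions of the example.

```python
import hashlib
import hmac

def hmac_by_formula(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    # HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m))   (slide 32)
    block = h().block_size                   # 64 bytes for SHA-256
    if len(key) > block:                     # a key longer than one block is hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")          # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)      # K xor 0x3636...36
    opad = bytes(b ^ 0x5c for b in key)      # K xor 0x5c5c...5c
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_by_formula(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()

# Horton principle (slides 33-35): MAC an unambiguous encoding of the fields,
# never the bare concatenation M1 || M2.
def frame(*fields: bytes) -> bytes:
    # every field carries its own 4-byte big-endian length, mirroring the
    # message1_length / message1 layout on slide 35
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def naive_tag(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()

def framed_tag(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, frame(*fields), hashlib.sha256).digest()

def boundary_is_authenticated(key: bytes, a, b) -> bool:
    # a and b are two different field splits of the same byte string;
    # True means the MAC tells them apart
    return framed_tag(key, *a) != framed_tag(key, *b)

if __name__ == "__main__":
    k = b"shared secret key"  # constructed
    # "Buy INTC 5" + "0 shares" and "Buy INTC 50" + " shares" concatenate to the same bytes
    a = (b"Buy INTC 5", b"0 shares")
    b = (b"Buy INTC 50", b" shares")
    print(naive_tag(k, *a) == naive_tag(k, *b))  # True: the naive MAC cannot tell them apart
    print(boundary_is_authenticated(k, a, b))    # True: the framed MAC does
```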
  • 36. Alternative MAC 1: CBC-MAC
    •  CBC-MAC: Use CBC with IV = 0 and return the last block as the MAC
    •  H0 = IV. The IV should be fixed. Generally 0.
    •  Hi = E(K, Pi ⊕ Hi-1)
    •  MAC = Hk
    •  Why IV = 0?
    •  CBC-MAC is good and secure, but suffers from certain types of collision attacks.
    •  So, use CMAC.

  • 37. Alternative MAC 2: CMAC
    •  Same as CBC-MAC, except for the way the last block is handled
    •  Generate two keys k1 & k2 from the MAC key k
    •  Calculate the MAC using CBC-MAC, except for the last block.
    •  Change the last block (mn′) to the following before applying CBC-MAC:
      •  If mn′ is a complete block: mn = k1 ⊕ mn′
      •  else mn = k2 ⊕ (mn′ ∥ 10…0 in binary)

  • 39. Alice wants the following
    •  Eve shouldn't learn anything about the messages except for the timing and size
    •  Bob should only get proper messages and is able to figure out the correct order.
    •  Duplicates are detected
    •  Message modifications are detected
    •  By now you have probably guessed that this can be achieved by a combination of Encryption and Authentication

  • 40. Authentication and Encryption
    Three possibilities:
    1.  MAC, then encrypt everything including the MAC
    2.  Encrypt, and then MAC the encrypted message
    3.  Encrypt, and MAC the plaintext message
    •  Which one to use?

  • 41. Encrypt and MAC the plaintext message
    •  Not recommended, as any weakness in the MAC will leak info about the message.

  • 42. MAC and then encrypt the whole message including the MAC
    •  Eve only gets to see ciphertext and the encrypted MAC
    •  Much harder to attack the MAC
    •  This is fine to use.
    •  Potential timing attacks with padding (TLS Lucky 13 attack)

  • 43. Encrypt and then MAC the encrypted message
    •  Can drop invalid messages fast without decryption
    •  Is not fully in line with Horton's principle: there may be ambiguity
    •  This is good to use
    •  We will use this and add authenticated headers to remove the ambiguity

  • 44. Secure Channel: Generate Keys
    •  KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
    •  KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
    •  KEYSENDAUTH ← HMAC-SHA2(K, "Auth Alice to Bob")
    •  KEYRECAUTH ← HMAC-SHA2(K, "Auth Bob to Alice")
    •  Swap the encryption & decryption keys if the message is from Bob to Alice

  • 45. Message counters
    •  Two message counters
      •  Cab = Alice-to-Bob message counter
      •  Cba = Bob-to-Alice message counter
    •  Both Alice and Bob store the state of both counters
    •  Initialize both to 0.

  • 46. Alice sending a message to Bob
    •  We will only go through this direction
    •  Bob to Alice is identical

  • 47. Choosing the CTR counter
    •  It is recommended that the number of blocks encrypted with an AES 128 bit key be < 2^64 - 1
    •  This is because after 2^64 blocks you will be able to distinguish the output from random
    •  To ensure that, we use a counter for messages sent from Alice to Bob that never repeats, and keep the number of blocks encrypted < 2^64
    •  Counter = (Cab || i) for the ith block in this particular message.
    •  Ensure that Cab < 2^32 - 1
    •  Ensure that length(m) < (2^32 - 1) * block_size

  • 48. Alice sending a message
    •  Ensure that Cab < 2^32 - 1
    •  Increment Cab
    •  Ensure that length(m) < (2^32 - 1) * block_size
    •  Use Counter = (Cab || i) for the ith block for AES-CTR
    Message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2

  • 49. Bob: Receiving a message
    •  Ensure that Cab > last received Cab
    •  Check the HMAC of the message
      •  Drop if it does not match
    •  Store Cab. Check Version.
    •  Decrypt using AES CTR
      •  Counter = (Cab || i) for the ith block
    •  Check the type and process accordingly.
    Message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2
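The secure channel of slides 44-49 (key derivation, the Cab counter, encrypt-then-MAC framing, and the receive checks) as an added example, not code from the slides: it assumes HMAC-SHA256 truncated to one block in place of the AES block function, a 10-byte header layout and a 32-byte tag, and shows why the order of checks on slide 49 matters for replays and tampered frames.

```python
import hashlib
import hmac
import struct

BLOCK = 16
VERSION = 1
TYPE_DATA = 1
HEADER = ">BIIB"                      # Version | Cab | Length | Type, as drawn on slide 48
HEADER_LEN = struct.calcsize(HEADER)  # 10 bytes
TAG_LEN = 32                          # HMAC-SHA256 output

def derive_keys(k: bytes) -> dict:
    # Slide 44: one key per direction and purpose, each derived from K with HMAC-SHA2
    d = lambda label: hmac.new(k, label, hashlib.sha256).digest()
    return {"enc_ab": d(b"Enc Alice to Bob"), "auth_ab": d(b"Auth Alice to Bob"),
            "enc_ba": d(b"Enc Bob to Alice"), "auth_ba": d(b"Auth Bob to Alice")}

def ctr_xor(key: bytes, cab: int, data: bytes) -> bytes:
    # CTR with Counter = (Cab || i) for the i-th block (slide 47); HMAC-SHA256 truncated
    # to one block stands in for the AES block function (assumption of this example)
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    ks = b"".join(hmac.new(key, struct.pack(">QQ", cab, i), hashlib.sha256).digest()[:BLOCK]
                  for i in range(1, nblocks + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class AliceSender:
    def __init__(self, k: bytes):
        self.keys, self.cab = derive_keys(k), 0      # counter starts at 0 (slide 45)

    def send(self, msg: bytes, msg_type: int = TYPE_DATA) -> bytes:
        # Slide 48, in order: bound check, increment, length check, encrypt, MAC
        if self.cab >= 2**32 - 1:
            raise OverflowError("Cab exhausted: rekey before sending more")
        if len(msg) >= (2**32 - 1) * BLOCK:
            raise ValueError("message too long for a single Cab value")
        self.cab += 1
        body = ctr_xor(self.keys["enc_ab"], self.cab, msg)
        header = struct.pack(HEADER, VERSION, self.cab, len(body), msg_type)
        # encrypt-then-MAC (slide 43) over header and ciphertext: authenticating the
        # header is what removes the ambiguity Horton's principle warns about
        tag = hmac.new(self.keys["auth_ab"], header + body, hashlib.sha256).digest()
        return header + body + tag

class BobReceiver:
    def __init__(self, k: bytes):
        # Bob receives with the Alice-to-Bob keys (the key swap of slide 44)
        self.keys, self.last_cab = derive_keys(k), 0

    def receive(self, frame: bytes):
        # Slide 49 order: counter, MAC, then version, store Cab, decrypt, type
        if len(frame) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        version, cab, length, msg_type = struct.unpack(HEADER, header)
        if cab <= self.last_cab:
            raise ValueError("replay or reordering: Cab is not greater than the last one")
        expected = hmac.new(self.keys["auth_ab"], header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC mismatch: dropped without decrypting")
        if version != VERSION or length != len(body):
            raise ValueError("bad version or length field")
        self.last_cab = cab                            # stored only after the MAC verified
        return msg_type, ctr_xor(self.keys["enc_ab"], cab, body)

def accepts(receiver: BobReceiver, frame: bytes) -> bool:
    try:
        receiver.receive(frame)
        return True
    except (ValueError, OverflowError):
        return False
```

Because the MAC is checked before the counter is stored, a tampered frame does not advance Bob's state, so the genuine frame with the same Cab is still accepted afterwards.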
  • 52. General idea of key exchange

  • 53. Mod p operations
    •  9 mod 7 = 2
      •  Remainder left after division: 9 = 7*1 + 2
    •  16 mod 7 = 2
      •  16 = 7*2 + 2

  • 54. Basic Diffie-Hellman Key exchange
    Alice → Bob: g^x
    Bob → Alice: g^y
    Alice computes K = (g^y)^x; Bob computes K = (g^x)^y

  • 55. Other values
    Pre-known/exchanged values:
    •  p, g, q (may be exchanged as part of the protocol)
    •  Always check:
      •  p = Nq + 1
      •  (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
    •  Make sure q is a large enough prime (≥ 256 bits)
    •  Make sure p is a large enough prime (≥ 2048 bits)
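The basic exchange of slide 54 with the slide-55 checks applied to both the parameters and the received share, as an added example that is not code from the slides; the group p = 23, q = 11, g = 4 is a constructed toy parameter set far below the recommended sizes.

```python
import secrets

def check_group(p: int, q: int, g: int) -> None:
    # Slide 55 checks on the public parameters: p = N*q + 1 for some N,
    # g != 1, and g generates the order-q subgroup, i.e. g^q = 1 mod p
    if p <= 3 or q <= 1 or (p - 1) % q != 0:
        raise ValueError("p is not of the form N*q + 1")
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        raise ValueError("g does not generate the order-q subgroup")

def check_public_value(p: int, q: int, gx: int) -> None:
    # The same test on a received share: (g^x)^q = 1 mod p and g^x != 1. A value
    # that fails lies outside the intended subgroup (or is degenerate) and is rejected.
    if not 1 < gx < p - 1 or pow(gx, q, p) != 1:
        raise ValueError("received public value is not in the order-q subgroup")

def keypair(p: int, q: int, g: int):
    x = 1 + secrets.randbelow(q - 1)      # private exponent in [1, q-1]
    return x, pow(g, x, p)                # (x, g^x mod p)

def shared_key(p: int, q: int, x: int, peer_public: int) -> int:
    check_public_value(p, q, peer_public)
    return pow(peer_public, x, p)         # K = (g^y)^x on Alice's side, (g^x)^y on Bob's

def run_exchange(p: int, q: int, g: int) -> bool:
    # the unauthenticated exchange of slide 54 with the slide-55 checks in place
    check_group(p, q, g)
    x, gx = keypair(p, q, g)              # Alice
    y, gy = keypair(p, q, g)              # Bob
    return shared_key(p, q, x, gy) == shared_key(p, q, y, gx)

def group_ok(p: int, q: int, g: int) -> bool:
    try:
        check_group(p, q, g)
        return True
    except ValueError:
        return False

def value_ok(p: int, q: int, value: int) -> bool:
    try:
        check_public_value(p, q, value)
        return True
    except ValueError:
        return False

# Toy parameters, constructed for illustration only: p = 2*11 + 1, q = 11, and g = 4
# has order 11 mod 23. Real deployments need p >= 2048 bits and q >= 256 bits (slide 55).
TOY_P, TOY_Q, TOY_G = 23, 11, 4

if __name__ == "__main__":
    print(run_exchange(TOY_P, TOY_Q, TOY_G))  # True
    print(value_ok(TOY_P, TOY_Q, 5))          # False: 5^11 mod 23 = 22, not 1
```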
  • 56. Man in the middle
    Alice sends g^x; Eve intercepts it and sends Bob g^v instead. Bob sends g^y; Eve intercepts it and sends Alice g^w instead. Alice computes K = (g^w)^x and Bob computes K = (g^v)^y, while Eve computes K1 = (g^x)^w (shared with Alice) and K1 = (g^y)^v (shared with Bob).

  • 57. So, how to exchange?
    •  Assume there is some way to authenticate messages.
    •  We will see how to do that in Public/Private key cryptography
    •  Authenticated DH Protocol
    •  First we will look at RSA Public/Private key cryptography

  • 59. Asymmetric (Public/Private) Cryptography
    Alice and Bob exchange public keys when they meet at a party

  • 60. Asymmetric (Public/Private) Cryptography: Signing
    Alice signs with Alice's private key ("Buy 20 shares of INTC"); Bob verifies with Alice's public key and performs the transaction

  • 61. Asymmetric (Public/Private) Cryptography: Encryption
    Alice encrypts with Bob's public key (secret message); Bob decrypts with Bob's private key and reads the secret message

  • 62. RSA: key generation (1/2)
    •  Generate two distinct large prime numbers p & q
    •  Calculate n = p * q
    •  Compute t = (p-1)(q-1) OR t = lcm(p-1, q-1)
    •  Choosing t like this implies
      •  x^t = 1 mod n
      •  x^(t+1) = x mod n
    •  Proof by authority!

  • 63. RSA: key generation (2/2)
    •  Choosing t like this implies x^(kt+1) = x mod n
    •  Proof by authority!
    •  Choose ed = 1 mod t, i.e. ed = kt + 1
    •  Common e value is 2^16 + 1 = 65,537
    •  Public Key: n, e
    •  Private Key: n, d

  • 64. Example RSA key generation
    •  p = 61 and q = 53
    •  n = 61*53 = 3233
    •  t = (p-1)(q-1) = (61-1)(53-1) = 3120
    •  Let e = 17. Then solving for ed = 1 mod t: d = 2753
      •  2753*17 = 15*3120 + 1
      •  46801 = 46800 + 1

  • 65. RSA encryption/decryption
    •  c = m^e mod n
    •  m = c^d mod n
    •  X = (m^e)^d mod n
    •  We know ed = kt + 1
    •  X = m^(kt+1) mod n
    •  Or X = (m^t)^k * m mod n
    •  We also know, for any x: x^t = 1 mod n
    •  So X = (1)^k * m mod n = m
    •  Hence we can decrypt!

  • 66. RSA encryption/decryption example
    •  Let m = 65. Then using the previous e = 17, d = 2753, n = 3233
    •  c = 65^17 (mod 3233) = 2790
    •  m = 2790^2753 (mod 3233) = 65

  • 67. RSA: why not to sign/encrypt data directly
    •  If you sign m1 and m2:
      •  m1^d (mod n)
      •  m2^d (mod n)
    •  An attacker can compute m3^d (mod n) = m1^d * m2^d (mod n)
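The slide-64 to slide-67 numbers carried through in code, as an added example that is not from the slides: key generation with the extended Euclidean algorithm for d, the 65 → 2790 → 65 round trip, and the multiplicative property of raw RSA that slide 67 gives as the reason for padding schemes such as RSA-PSS.

```python
def egcd(a: int, b: int):
    # extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def modinv(e: int, t: int) -> int:
    # the d with e*d = 1 mod t (slide 63); only exists when gcd(e, t) = 1
    g, s, _ = egcd(e, t)
    if g != 1:
        raise ValueError("e and t are not coprime; pick another e")
    return s % t

def keygen(p: int, q: int, e: int = 65537):
    # slides 62-63: n = p*q, t = (p-1)(q-1), e*d = 1 mod t
    n, t = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, t))      # public (n, e), private (n, d)

def encrypt(pub, m: int) -> int:           # c = m^e mod n (slide 65)
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:          # m = c^d mod n
    n, d = priv
    return pow(c, d, n)

def sign_raw(priv, m: int) -> int:         # textbook signature m^d mod n (slide 67)
    n, d = priv
    return pow(m, d, n)

def verify_raw(pub, m: int, s: int) -> bool:
    n, e = pub
    return pow(s, e, n) == m % n

def product_signature(pub, m1: int, s1: int, m2: int, s2: int):
    # Slide 67: raw RSA is multiplicative, so s1*s2 = (m1*m2)^d mod n verifies as a
    # signature on m3 = m1*m2 mod n although only public data was used. This is why
    # the standards hash and pad the message before exponentiating.
    n, _ = pub
    return (m1 * m2) % n, (s1 * s2) % n

if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)                          # the slide-64 numbers
    print(priv)                                               # (3233, 2753)
    print(encrypt(pub, 65), decrypt(priv, encrypt(pub, 65)))  # 2790 65
    s1, s2 = sign_raw(priv, 5), sign_raw(priv, 7)
    m3, s3 = product_signature(pub, 5, s1, 7, s2)
    print(m3, verify_raw(pub, m3, s3))                        # 35 True
```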
  • 68. What is recommended?
    •  Use one of the standards for signing and encryption
      •  Signing: RSA-PSS (RSA Probabilistic Signature Scheme)
      •  Encryption: RSA-OAEP (RSA Optimal Asymmetric Encryption Padding)
    •  Don't use the same key for encryption and signing
      •  An attacker may be able to exploit decryption (public key) to get signatures (private key) from you, or the other way around
      •  Encryption keys and signing keys generally have different lifetimes

  • 70. Elliptic curve example: y^2 = x^3 + ax + b

  • 71. Point addition on the curve: A + B (figure: the points A, B and A+B on the curve)

  • 74. Elliptic curve discrete logarithm problem
    •  With a curve of the form y^2 = x^3 + ax + b mod p, where p is a large prime, and the operation point addition +:
    •  P + P + … + P = dP = T
    •  Given dP and P, it should be hard to compute d.
    •  d is kept secret like a private key
    •  Intuitively: P+P+P… for very large d (>160 bits)
    Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

  • 75. Example of ECC usage: ECDH (simplified)
    Given a prime p, a suitable elliptic curve E and a point P = (xP, yP):
    •  Alice chooses kPrA = a ∈ {2, 3, …, #E-1} and computes kPubA = A = aP = (xA, yA)
    •  Bob chooses kPrB = b ∈ {2, 3, …, #E-1} and computes kPubB = B = bP = (xB, yB)
    •  Alice sends A to Bob; Bob sends B to Alice
    •  Alice computes aB = Tab; Bob computes bA = Tab
    •  One of the coordinates of the point TAB (usually the x-coordinate) can be used as the session key (often after applying a hash function)

  • 76. Elliptic curve summary
    •  Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem.
    •  ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160-256 bits vs 1024-3072 bits)
    •  ECC can be used for key exchange, signatures and encryption
    •  ECC generally has a performance advantage over RSA

  • 78. Why the DH Protocol?
    •  A lot of the time a security cert only supports signing
    •  Perfect Forward Security
      •  Even if you find my private keys later you can not decrypt my communication

  • 79. Reminder: Basic Diffie-Hellman Key exchange
    Alice → Bob: g^x
    Bob → Alice: g^y
    Alice computes K = (g^y)^x; Bob computes K = (g^x)^y

  • 80. Reminder DH
    Pre-known/exchanged values:
    •  p, g, q (may be exchanged as part of the protocol)
    •  Always check:
      •  p = Nq + 1
      •  (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
    •  Make sure q is a large enough prime (≥ 256 bits)
    •  Make sure p is a large enough prime (≥ 2048 bits)

  • 81. Attempt 1: Authenticated DH
    Alice → Bob: A, g^x
    Bob → Alice: B, g^y, SigB(g^x, g^y)
    Alice → Bob: SigA(g^x, g^y)
    Any issues?

  • 82. Identity misbinding attack on DH
    Alice sends A, g^x; Eve replaces the identity and forwards E, g^x to Bob. Bob answers B, g^y, SigB(g^x, g^y), which Eve passes on to Alice. Alice sends SigA(g^x, g^y); Eve replaces it with SigE(g^x, g^y).
    Eve doesn't know K = g^xy, but Bob thinks that anything coming from Alice is coming from Eve

  • 84. Limitations
    •  Both parties need to know each other's identity before they can authenticate
    •  Leaves a signed proof of communication (signing the peer's identity)
    •  Sigma solves these issues

  • 85. Sigma: basic version
    Alice → Bob: g^x
    Bob → Alice: B, g^y, SigB(g^x, g^y), MacKm(B)
    Alice → Bob: A, SigA(g^x, g^y), MacKm(A)
    •  Km is derived from g^xy
    •  Does not require knowing the peer's id for one's own authentication
    •  Adds deniability
    Compare with Authenticated DH:
    Alice → Bob: A, g^x
    Bob → Alice: B, g^y, SigB(g^x, g^y, A)
    Alice → Bob: A, SigA(g^x, g^y, B)

  • 86. Sigma-I: Active protection of the Initiator's ID
    Alice → Bob: g^x
    Bob → Alice: g^y, {B, SigB(g^x, g^y), MACKm(B)}Ke
    Alice → Bob: {A, SigA(g^x, g^y), MACKm(A)}Ke
    •  Km and Ke are derived from g^xy
    •  The initiator's id is protected and not revealed except to an authenticated party

  • 87. Sigma-R: Active protection of the Responder's ID
    Alice → Bob: g^x
    Bob → Alice: g^y
    Alice → Bob: {A, SigA(g^x, g^y), MACKm(A)}Ke
    Bob → Alice: {B, SigB(g^x, g^y), MACKm'(B)}Ke'
    •  Km and Ke are derived from g^xy
    •  The responder's ID is not revealed until the initiator's is revealed

  • 88. Next Part
    •  EPID based Sigma key exchange
    •  PKI: Public key infrastructure
    •  Why random numbers are important
    •  Clocks and monotonic counters
    •  Storing secrets
    •  Analysis of common protocols
      •  TLS
      •  Sigma key exchange
      •  IKE and IPSEC

Editor's Notes

  1. ----- Meeting Notes (8/29/13 16:44) ----- Should be unpredictable Use a PRNG --- AES --- CTR Both sides could create based on generate
  2. ----- Meeting Notes (9/12/13 16:35) ----- p should have 2048 bits….
  3. ----- Meeting Notes (9/12/13 16:35) ----- - Encryption keys and signing keys have different lifetimes...
  4. ----- Meeting Notes (9/12/13 16:35) ----- p should have 2048 bits….