SlideShare a Scribd company logo

symet.crypto.hill.cipher.2023.ppt

Download as PPT, PDF
H
halosidiq1

symmetric encryption

Technology
1 of 38
Vitaly Shmatikov CS 361S Overview of Symmetric Encryption
slide 2 Reading Assignment Read Kaufman 2.1-4 and 4.2
slide 3 Basic Problem ? ----- ----- ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem
slide 4 Kerckhoffs's Principle An encryption scheme should be secure even if enemy knows everything about it except the key • Attacker knows all algorithms • Attacker does not know random numbers Do not rely on secrecy of the algorithms (“security by obscurity”) Full name: Jean-Guillaume-Hubert-Victor- François-Alexandre-Auguste Kerckhoffs von Nieuwenhof Easy lesson: use a good random number generator!
slide 5 Randomness Matters!
slide 6 One-Time Pad (Vernam Cipher) = 10111101… ----- ----- ----- = 00110010… 10001111…  00110010… =  10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949)
slide 7 Advantages of One-Time Pad Easy to compute • Encryption and decryption are the same operation • Bitwise XOR is very cheap to compute As secure as theoretically possible • Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources • …if and only if the key sequence is truly random – True randomness is expensive to obtain in large quantities • …if and only if each key is as long as the plaintext – But how do the sender and the receiver communicate the key to each other? Where do they store the key?
slide 8 Problems with One-Time Pad Key must be as long as the plaintext • Impractical in most realistic scenarios • Still used for diplomatic and intelligence traffic Does not guarantee integrity • One-time pad only guarantees confidentiality • Attacker cannot recover plaintext, but can easily change it to something else Insecure if keys are reused • Attacker can obtain XOR of plaintexts
slide 9 No Integrity = 10111101… ----- ----- ----- = 00110010… 10001111…  00110010… =  10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext 0 0
slide 10 Dangers of Reuse = 00000000… ----- ----- ----- = 00110010… 00110010…  00110010… =  00000000… P1 C1 = 11111111… ----- ----- ----- = 00110010… 11001101…  P2 C2 Learn relationship between plaintexts C1C2 = (P1K)(P2K) = (P1P2)(KK) = P1P2
slide 11 Reducing Key Size What to do when it is infeasible to pre-share huge random keys? Use special cryptographic primitives: block ciphers, stream ciphers • Single key can be re-used (with some restrictions) • Not as theoretically secure as one-time pad
slide 12 Block Ciphers Operates on a single chunk (“block”) of plaintext • For example, 64 bits for DES, 128 bits for AES • Same key is reused for each block (can use short keys) Result should look like a random permutation Not impossible to break, just very expensive • If there is no more efficient algorithm (unproven assumption!), can only break the cipher by brute-force, try-every-possible-key search • Time and cost of breaking the cipher exceed the value and/or useful lifetime of protected information
slide 13 Permutation 1 2 3 4 1 2 3 4 CODE becomes DCEO For N-bit input, N! possible permutations Idea: split plaintext into blocks, for each block use secret key to pick a permutation, rinse and repeat • Without the key, permutation should “look random”
slide 14 A Bit of Block Cipher History Playfair and variants (from 1854 until WWII) Feistel structure • “Ladder” structure: split input in half, put one half through the round and XOR with the other half • After 3 random rounds, ciphertext indistinguishable from a random permutation DES: Data Encryption Standard • Invented by IBM, issued as federal standard in 1977 • 64-bit blocks, 56-bit key + 8 bits for parity • Very widely used (usually as 3DES) until recently – 3DES: DES + inverse DES + DES (with 2 or 3 different keys) Textbook Textbook
slide 15 DES Operation (Simplified) Block of plaintext S S S S S S S S S S S S Key Add some secret key bits to provide confusion Each S-box transforms its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext) repeat for several rounds Block of ciphertext Procedure must be reversible (for decryption)
slide 16 Remember SHA-1? Current message block Constant value Buffer contains final hash value Very similar to a block cipher, with message itself used as the key for each round
slide 17 Advanced Encryption Standard (AES) US federal standard as of 2001 Based on the Rijndael algorithm 128-bit blocks, keys can be 128, 192 or 256 bits Unlike DES, does not use Feistel structure • The entire block is processed during each round Design uses some clever math • See section 8.5 of the textbook for a concise summary
slide 18 Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key  S shuffle the array (16x16 substitution table) Shift rows shift array rows (1st unchanged, 2nd left by 1, 3rd left by 2, 4th left by 3) add key for this round  Expand key repeat 10 times Mix columns mix 4 bytes in each column (each new byte depends on all bytes in old column)
slide 19 Encrypting a Large Message So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size Electronic Code Book (ECB) mode • Split plaintext into blocks, encrypt each one separately using the block cipher Cipher Block Chaining (CBC) mode • Split plaintext into blocks, XOR each block with the result of encrypting previous blocks Also various counter modes, feedback modes, etc.
slide 20 ECB Mode Identical blocks of plaintext produce identical blocks of ciphertext No integrity checks: can mix and match blocks plaintext ciphertext block cipher block cipher block cipher block cipher block cipher key key key key key
slide 21 Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode
slide 22 Adobe Passwords Stolen (2013) 153 million account passwords • 56 million of them unique Encrypted using 3DES in ECB mode rather than hashed Password hints
Sent with ciphertext (preferably encrypted) slide 23 CBC Mode: Encryption Identical blocks of plaintext encrypted differently Last cipherblock depends on entire plaintext • Still does not guarantee integrity plaintext ciphertext block cipher block cipher block cipher block cipher  Initialization vector (random)    key key key key
slide 24 CBC Mode: Decryption plaintext ciphertext decrypt decrypt decrypt decrypt  Initialization vector    key key key key
slide 25 ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel]
slide 26 Choosing the Initialization Vector Key used only once • No IV needed (can use IV=0) Key used multiple times • Best: fresh, random IV for every message • Can also use unique IV (eg, counter), but then the first step in CBC mode must be IV’  E(k, IV) – Example: Windows BitLocker – May not need to transmit IV with the ciphertext Multi-use key, unique messages • Synthetic IV: IV  F(k’, message) – F is a cryptographically secure keyed pseudorandom function
slide 27 CBC and Electronic Voting Initialization vector (supposed to be random) plaintext ciphertext DES DES DES DES     Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT) [Kohno, Stubblefield, Rubin, Wallach] key key key key
slide 28 CTR (Counter Mode) Still does not guarantee integrity Fragile if counter repeats plaintext ciphertext Enc(IV) Enc(IV+1) Enc(IV+2) Enc(IV+3)  Random IV    IV key key key key
slide 29 When Is a Cipher “Secure”? Hard to recover plaintext from ciphertext? • What if attacker learns only some bits of the plaintext? Some function of the bits? Some partial information about the plaintext? Fixed mapping from plaintexts to ciphertexts? • What if attacker sees two identical ciphertexts and infers that the corresponding plaintexts are identical? • What if attacker guesses the plaintext – can he verify his guess? • Implication: encryption must be randomized or stateful
slide 30 How Can a Cipher Be Attacked? Attackers knows ciphertext and encryption algthm • What else does the attacker know? Depends on the application in which the cipher is used! Known-plaintext attack (stronger) • Knows some plaintext-ciphertext pairs Chosen-plaintext attack (even stronger) • Can obtain ciphertext for any plaintext of his choice Chosen-ciphertext attack (very strong) • Can decrypt any ciphertext except the target • Sometimes very realistic
slide 31 Known-Plaintext Attack Extracting password from an encrypted PKZIP file … “… I opened the ZIP file and found a `logo.tif’ file, so I went to their main Web site and looked at all the files named `logo.tif.’ I downloaded them and zipped them all up and found one that matched the same checksum as the one in the protected ZIP file” With known plaintext, PkCrack took 5 minutes to extract the key • Biham-Kocher attack on PKZIP stream cipher [From “The Art of Intrusion”]
slide 32 Chosen-Plaintext Attack Crook #1 changes his PIN to a number of his choice cipher(key,PIN) PIN is encrypted and transmitted to bank Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN … repeat for any PIN value
slide 33 Very Informal Intuition Security against chosen-plaintext attack • Ciphertext leaks no information about the plaintext • Even if the attacker correctly guesses the plaintext, he cannot verify his guess • Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts Security against chosen-ciphertext attack • Integrity protection – it is not possible to change the plaintext by modifying the ciphertext Minimum security requirement for a modern encryption scheme
slide 34 The Chosen-Plaintext Game Attacker does not know the key He chooses as many plaintexts as he wants, and receives the corresponding ciphertexts When ready, he picks two plaintexts M0 and M1 • He is even allowed to pick plaintexts for which he previously learned ciphertexts! He receives either a ciphertext of M0, or a ciphertext of M1 He wins if he guesses correctly which one it is
slide 35 Meaning of “Leaks No Information” Idea: given a ciphertext, attacker should not be able to learn even a single bit of useful information about the plaintext Let Enc(M0,M1,b) be a “magic box” that returns encrypted Mb • Given two plaintexts, the box always returns the ciphertext of the left plaintext or right plaintext • Attacker can use this box to obtain the ciphertext of any plaintext M by submitting M0=M1=M, or he can try to learn even more by submitting M0≠M1 Attacker’s goal is to learn just this one bit b 0 or 1
slide 36 Chosen-Plaintext Security Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) A interacts with Enc(-,-,1) and outputs his guess of bit b and outputs his guess of bit b • Identical except for the value of the secret bit • b is attacker’s guess of the secret bit Attacker’s advantage is defined as | Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) | Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A
slide 37 Simple Example Any deterministic, stateless symmetric encryption scheme is insecure • Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts • This includes ECB mode of common block ciphers! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C1  Enc(X,X,b); C2  Enc(X,Y,b); If C1=C2 then b=0 else b=1 The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1
slide 38 Encrypt + MAC Goal: confidentiality + integrity + authentication Alice Bob K1, K2 K1, K2 msg MAC=HMAC(K2,msg) encrypt(msg), MAC(msg) = ? Encrypt(K1,msg) Decrypt Verify MAC encrypt(msg2), MAC(msg2) Can tell if messages are the same! MAC is deterministic: messages are equal  their MACs are equal Solution: Encrypt, then MAC (or MAC, then encrypt) Breaks chosen- plaintext security

Recommended

Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin Jani
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGjulien pauli
 
Encryption
EncryptionEncryption
Encryptionkeith dias
 
3 Basics of Cryptography Basics of Cryptography
3 Basics of Cryptography Basics of Cryptography3 Basics of Cryptography Basics of Cryptography
3 Basics of Cryptography Basics of CryptographyMohammedMorhafJaely
 
AES Presentation.pptx
AES Presentation.pptxAES Presentation.pptx
AES Presentation.pptxhammadhassan9507
 
Cs166 mynote
Cs166 mynoteCs166 mynote
Cs166 mynoteKaya Ota
 
Day5
Day5Day5
Day5Jai4uk
 
Conventional Encryption NS2
Conventional Encryption NS2Conventional Encryption NS2
Conventional Encryption NS2koolkampus
 

Recommended

Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin chp-8 - network security-new -use this - 2011 batch
Jaimin chp-8 - network security-new -use this - 2011 batchJaimin Jani
 
Basics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGBasics of Cryptography - Stream ciphers and PRNG
Basics of Cryptography - Stream ciphers and PRNGjulien pauli
 
Encryption
EncryptionEncryption
Encryptionkeith dias
 
3 Basics of Cryptography Basics of Cryptography
3 Basics of Cryptography Basics of Cryptography3 Basics of Cryptography Basics of Cryptography
3 Basics of Cryptography Basics of CryptographyMohammedMorhafJaely
 
AES Presentation.pptx
AES Presentation.pptxAES Presentation.pptx
AES Presentation.pptxhammadhassan9507
 
Cs166 mynote
Cs166 mynoteCs166 mynote
Cs166 mynoteKaya Ota
 
Day5
Day5Day5
Day5Jai4uk
 
Conventional Encryption NS2
Conventional Encryption NS2Conventional Encryption NS2
Conventional Encryption NS2koolkampus
 
1 DES.pdf
1 DES.pdf1 DES.pdf
1 DES.pdfnitin571047
 
Block Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxBlock Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxHodaAhmedBekhitAhmed
 
Data Encryption standard in cryptography
Data Encryption standard in cryptographyData Encryption standard in cryptography
Data Encryption standard in cryptographyNithyasriA2
 
Cryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptxCryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptxRobertCarreonBula
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
CH02-CompSec4e.pptx
CH02-CompSec4e.pptxCH02-CompSec4e.pptx
CH02-CompSec4e.pptxams1ams11
 
Fundamentals of Information Encryption
Fundamentals of Information EncryptionFundamentals of Information Encryption
Fundamentals of Information EncryptionAmna Magzoub
 
section-8.ppt
section-8.pptsection-8.ppt
section-8.pptDeepakPrajapati868260
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfMohammedMorhafJaely
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2Hamed Moghaddam
 
Cybersecurity cyberlab3
Cybersecurity cyberlab3Cybersecurity cyberlab3
Cybersecurity cyberlab3rayborg
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptxDEEPAK948083
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701Amit Pathak
 
my net security and its models which are explained here
my net security and its models which are explained heremy net security and its models which are explained here
my net security and its models which are explained herehalosidiq1
 
new.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.pptnew.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.ppthalosidiq1
 

More Related Content

Similar to symet.crypto.hill.cipher.2023.ppt

Block Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxBlock Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxHodaAhmedBekhitAhmed
 
Data Encryption standard in cryptography
Data Encryption standard in cryptographyData Encryption standard in cryptography
Data Encryption standard in cryptographyNithyasriA2
 
Cryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptxCryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptxRobertCarreonBula
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
CH02-CompSec4e.pptx
CH02-CompSec4e.pptxCH02-CompSec4e.pptx
CH02-CompSec4e.pptxams1ams11
 
Fundamentals of Information Encryption
Fundamentals of Information EncryptionFundamentals of Information Encryption
Fundamentals of Information EncryptionAmna Magzoub
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithmsRashmi Burugupalli
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfMohammedMorhafJaely
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2Hamed Moghaddam
 
Cybersecurity cyberlab3
Cybersecurity cyberlab3Cybersecurity cyberlab3
Cybersecurity cyberlab3rayborg
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptxDEEPAK948083
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701Amit Pathak
 

Similar to symet.crypto.hill.cipher.2023.ppt (20)

1 DES.pdf
1 DES.pdf1 DES.pdf
1 DES.pdf
 
Block Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxBlock Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptx
 
Data Encryption standard in cryptography
Data Encryption standard in cryptographyData Encryption standard in cryptography
Data Encryption standard in cryptography
 
Cryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptxCryptography and steganography lesson and discription.pptx
Cryptography and steganography lesson and discription.pptx
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
CH02-CompSec4e.pptx
CH02-CompSec4e.pptxCH02-CompSec4e.pptx
CH02-CompSec4e.pptx
 
Fundamentals of Information Encryption
Fundamentals of Information EncryptionFundamentals of Information Encryption
Fundamentals of Information Encryption
 
section-8.ppt
section-8.pptsection-8.ppt
section-8.ppt
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdf
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2
 
Cybersecurity cyberlab3
Cybersecurity cyberlab3Cybersecurity cyberlab3
Cybersecurity cyberlab3
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptx
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Cryptography and network security Nit701
Cryptography and network security Nit701Cryptography and network security Nit701
Cryptography and network security Nit701
 

More from halosidiq1

my net security and its models which are explained here
my net security and its models which are explained heremy net security and its models which are explained here
my net security and its models which are explained herehalosidiq1
 
new.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.pptnew.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.ppthalosidiq1
 
row.coliumn,transitio,.Polyetchnical.colleage.ppt
row.coliumn,transitio,.Polyetchnical.colleage.pptrow.coliumn,transitio,.Polyetchnical.colleage.ppt
row.coliumn,transitio,.Polyetchnical.colleage.ppthalosidiq1
 
CTI.Vigenir Cipher.pptx
CTI.Vigenir Cipher.pptxCTI.Vigenir Cipher.pptx
CTI.Vigenir Cipher.pptxhalosidiq1
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppthalosidiq1
 
My Project on Cryptograpghy.2023.ppt
My Project on Cryptograpghy.2023.pptMy Project on Cryptograpghy.2023.ppt
My Project on Cryptograpghy.2023.ppthalosidiq1
 
my.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptxmy.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptxhalosidiq1
 
MyCryptography.2023.ppt
MyCryptography.2023.pptMyCryptography.2023.ppt
MyCryptography.2023.ppthalosidiq1
 
MyTutorialON Cryptography.ppt
MyTutorialON Cryptography.pptMyTutorialON Cryptography.ppt
MyTutorialON Cryptography.ppthalosidiq1
 
new.deadlock.ppt
new.deadlock.pptnew.deadlock.ppt
new.deadlock.ppthalosidiq1
 
CNF.Chap.5.pptx
CNF.Chap.5.pptxCNF.Chap.5.pptx
CNF.Chap.5.pptxhalosidiq1
 

More from halosidiq1 (11)

my net security and its models which are explained here
my net security and its models which are explained heremy net security and its models which are explained here
my net security and its models which are explained here
 
new.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.pptnew.technique.column transposional CTi college.ppt
new.technique.column transposional CTi college.ppt
 
row.coliumn,transitio,.Polyetchnical.colleage.ppt
row.coliumn,transitio,.Polyetchnical.colleage.pptrow.coliumn,transitio,.Polyetchnical.colleage.ppt
row.coliumn,transitio,.Polyetchnical.colleage.ppt
 
CTI.Vigenir Cipher.pptx
CTI.Vigenir Cipher.pptxCTI.Vigenir Cipher.pptx
CTI.Vigenir Cipher.pptx
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppt
 
My Project on Cryptograpghy.2023.ppt
My Project on Cryptograpghy.2023.pptMy Project on Cryptograpghy.2023.ppt
My Project on Cryptograpghy.2023.ppt
 
my.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptxmy.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptx
 
MyCryptography.2023.ppt
MyCryptography.2023.pptMyCryptography.2023.ppt
MyCryptography.2023.ppt
 
MyTutorialON Cryptography.ppt
MyTutorialON Cryptography.pptMyTutorialON Cryptography.ppt
MyTutorialON Cryptography.ppt
 
new.deadlock.ppt
new.deadlock.pptnew.deadlock.ppt
new.deadlock.ppt
 
CNF.Chap.5.pptx
CNF.Chap.5.pptxCNF.Chap.5.pptx
CNF.Chap.5.pptx
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

symet.crypto.hill.cipher.2023.ppt

  • 1. Vitaly Shmatikov CS 361S Overview of Symmetric Encryption
  • 2. slide 2 Reading Assignment Read Kaufman 2.1-4 and 4.2
  • 3. slide 3 Basic Problem ? ----- ----- ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem
  • 4. slide 4 Kerckhoffs's Principle An encryption scheme should be secure even if enemy knows everything about it except the key • Attacker knows all algorithms • Attacker does not know random numbers Do not rely on secrecy of the algorithms (“security by obscurity”) Full name: Jean-Guillaume-Hubert-Victor- François-Alexandre-Auguste Kerckhoffs von Nieuwenhof Easy lesson: use a good random number generator!
  • 6. slide 6 One-Time Pad (Vernam Cipher) = 10111101… ----- ----- ----- = 00110010… 10001111…  00110010… =  10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949)
  • 7. slide 7 Advantages of One-Time Pad Easy to compute • Encryption and decryption are the same operation • Bitwise XOR is very cheap to compute As secure as theoretically possible • Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources • …if and only if the key sequence is truly random – True randomness is expensive to obtain in large quantities • …if and only if each key is as long as the plaintext – But how do the sender and the receiver communicate the key to each other? Where do they store the key?
  • 8. slide 8 Problems with One-Time Pad Key must be as long as the plaintext • Impractical in most realistic scenarios • Still used for diplomatic and intelligence traffic Does not guarantee integrity • One-time pad only guarantees confidentiality • Attacker cannot recover plaintext, but can easily change it to something else Insecure if keys are reused • Attacker can obtain XOR of plaintexts
  • 9. slide 9 No Integrity = 10111101… ----- ----- ----- = 00110010… 10001111…  00110010… =  10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext  key Decrypt by bitwise XOR of ciphertext and key: ciphertext  key = (plaintext  key)  key = plaintext  (key  key) = plaintext 0 0
  • 10. slide 10 Dangers of Reuse = 00000000… ----- ----- ----- = 00110010… 00110010…  00110010… =  00000000… P1 C1 = 11111111… ----- ----- ----- = 00110010… 11001101…  P2 C2 Learn relationship between plaintexts C1C2 = (P1K)(P2K) = (P1P2)(KK) = P1P2
  • 11. slide 11 Reducing Key Size What to do when it is infeasible to pre-share huge random keys? Use special cryptographic primitives: block ciphers, stream ciphers • Single key can be re-used (with some restrictions) • Not as theoretically secure as one-time pad
  • 12. slide 12 Block Ciphers Operates on a single chunk (“block”) of plaintext • For example, 64 bits for DES, 128 bits for AES • Same key is reused for each block (can use short keys) Result should look like a random permutation Not impossible to break, just very expensive • If there is no more efficient algorithm (unproven assumption!), can only break the cipher by brute-force, try-every-possible-key search • Time and cost of breaking the cipher exceed the value and/or useful lifetime of protected information
  • 13. slide 13 Permutation 1 2 3 4 1 2 3 4 CODE becomes DCEO For N-bit input, N! possible permutations Idea: split plaintext into blocks, for each block use secret key to pick a permutation, rinse and repeat • Without the key, permutation should “look random”
  • 14. slide 14 A Bit of Block Cipher History Playfair and variants (from 1854 until WWII) Feistel structure • “Ladder” structure: split input in half, put one half through the round and XOR with the other half • After 3 random rounds, ciphertext indistinguishable from a random permutation DES: Data Encryption Standard • Invented by IBM, issued as federal standard in 1977 • 64-bit blocks, 56-bit key + 8 bits for parity • Very widely used (usually as 3DES) until recently – 3DES: DES + inverse DES + DES (with 2 or 3 different keys) Textbook Textbook
  • 15. slide 15 DES Operation (Simplified) Block of plaintext S S S S S S S S S S S S Key Add some secret key bits to provide confusion Each S-box transforms its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext) repeat for several rounds Block of ciphertext Procedure must be reversible (for decryption)
  • 16. slide 16 Remember SHA-1? Current message block Constant value Buffer contains final hash value Very similar to a block cipher, with message itself used as the key for each round
  • 17. slide 17 Advanced Encryption Standard (AES) US federal standard as of 2001 Based on the Rijndael algorithm 128-bit blocks, keys can be 128, 192 or 256 bits Unlike DES, does not use Feistel structure • The entire block is processed during each round Design uses some clever math • See section 8.5 of the textbook for a concise summary
  • 18. slide 18 Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key  S shuffle the array (16x16 substitution table) Shift rows shift array rows (1st unchanged, 2nd left by 1, 3rd left by 2, 4th left by 3) add key for this round  Expand key repeat 10 times Mix columns mix 4 bytes in each column (each new byte depends on all bytes in old column)
  • 19. slide 19 Encrypting a Large Message So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size Electronic Code Book (ECB) mode • Split plaintext into blocks, encrypt each one separately using the block cipher Cipher Block Chaining (CBC) mode • Split plaintext into blocks, XOR each block with the result of encrypting previous blocks Also various counter modes, feedback modes, etc.
  • 20. slide 20 ECB Mode Identical blocks of plaintext produce identical blocks of ciphertext No integrity checks: can mix and match blocks plaintext ciphertext block cipher block cipher block cipher block cipher block cipher key key key key key
  • 21. slide 21 Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode
  • 22. slide 22 Adobe Passwords Stolen (2013) 153 million account passwords • 56 million of them unique Encrypted using 3DES in ECB mode rather than hashed Password hints
  • 23. Sent with ciphertext (preferably encrypted) slide 23 CBC Mode: Encryption Identical blocks of plaintext encrypted differently Last cipherblock depends on entire plaintext • Still does not guarantee integrity plaintext ciphertext block cipher block cipher block cipher block cipher  Initialization vector (random)    key key key key
  • 24. slide 24 CBC Mode: Decryption plaintext ciphertext decrypt decrypt decrypt decrypt  Initialization vector    key key key key
  • 25. slide 25 ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel]
  • 26. slide 26 Choosing the Initialization Vector Key used only once • No IV needed (can use IV=0) Key used multiple times • Best: fresh, random IV for every message • Can also use unique IV (eg, counter), but then the first step in CBC mode must be IV’  E(k, IV) – Example: Windows BitLocker – May not need to transmit IV with the ciphertext Multi-use key, unique messages • Synthetic IV: IV  F(k’, message) – F is a cryptographically secure keyed pseudorandom function
  • 27. slide 27 CBC and Electronic Voting Initialization vector (supposed to be random) plaintext ciphertext DES DES DES DES     Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT) [Kohno, Stubblefield, Rubin, Wallach] key key key key
  • 28. slide 28 CTR (Counter Mode) Still does not guarantee integrity Fragile if counter repeats plaintext ciphertext Enc(IV) Enc(IV+1) Enc(IV+2) Enc(IV+3)  Random IV    IV key key key key
  • 29. slide 29 When Is a Cipher “Secure”? Hard to recover plaintext from ciphertext? • What if attacker learns only some bits of the plaintext? Some function of the bits? Some partial information about the plaintext? Fixed mapping from plaintexts to ciphertexts? • What if attacker sees two identical ciphertexts and infers that the corresponding plaintexts are identical? • What if attacker guesses the plaintext – can he verify his guess? • Implication: encryption must be randomized or stateful
  • 30. slide 30 How Can a Cipher Be Attacked? Attackers knows ciphertext and encryption algthm • What else does the attacker know? Depends on the application in which the cipher is used! Known-plaintext attack (stronger) • Knows some plaintext-ciphertext pairs Chosen-plaintext attack (even stronger) • Can obtain ciphertext for any plaintext of his choice Chosen-ciphertext attack (very strong) • Can decrypt any ciphertext except the target • Sometimes very realistic
  • 31. slide 31 Known-Plaintext Attack Extracting password from an encrypted PKZIP file … “… I opened the ZIP file and found a `logo.tif’ file, so I went to their main Web site and looked at all the files named `logo.tif.’ I downloaded them and zipped them all up and found one that matched the same checksum as the one in the protected ZIP file” With known plaintext, PkCrack took 5 minutes to extract the key • Biham-Kocher attack on PKZIP stream cipher [From “The Art of Intrusion”]
  • 32. slide 32 Chosen-Plaintext Attack Crook #1 changes his PIN to a number of his choice cipher(key,PIN) PIN is encrypted and transmitted to bank Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN … repeat for any PIN value
  • 33. slide 33 Very Informal Intuition Security against chosen-plaintext attack • Ciphertext leaks no information about the plaintext • Even if the attacker correctly guesses the plaintext, he cannot verify his guess • Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts Security against chosen-ciphertext attack • Integrity protection – it is not possible to change the plaintext by modifying the ciphertext Minimum security requirement for a modern encryption scheme
  • 34. slide 34 The Chosen-Plaintext Game Attacker does not know the key He chooses as many plaintexts as he wants, and receives the corresponding ciphertexts When ready, he picks two plaintexts M0 and M1 • He is even allowed to pick plaintexts for which he previously learned ciphertexts! He receives either a ciphertext of M0, or a ciphertext of M1 He wins if he guesses correctly which one it is
  • 35. slide 35 Meaning of “Leaks No Information” Idea: given a ciphertext, attacker should not be able to learn even a single bit of useful information about the plaintext Let Enc(M0,M1,b) be a “magic box” that returns encrypted Mb • Given two plaintexts, the box always returns the ciphertext of the left plaintext or right plaintext • Attacker can use this box to obtain the ciphertext of any plaintext M by submitting M0=M1=M, or he can try to learn even more by submitting M0≠M1 Attacker’s goal is to learn just this one bit b 0 or 1
  • 36. slide 36 Chosen-Plaintext Security Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) A interacts with Enc(-,-,1) and outputs his guess of bit b and outputs his guess of bit b • Identical except for the value of the secret bit • b is attacker’s guess of the secret bit Attacker’s advantage is defined as | Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) | Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A
  • 37. slide 37 Simple Example Any deterministic, stateless symmetric encryption scheme is insecure • Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts • This includes ECB mode of common block ciphers! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C1  Enc(X,X,b); C2  Enc(X,Y,b); If C1=C2 then b=0 else b=1 The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1
  • 38. slide 38 Encrypt + MAC Goal: confidentiality + integrity + authentication Alice Bob K1, K2 K1, K2 msg MAC=HMAC(K2,msg) encrypt(msg), MAC(msg) = ? Encrypt(K1,msg) Decrypt Verify MAC encrypt(msg2), MAC(msg2) Can tell if messages are the same! MAC is deterministic: messages are equal  their MACs are equal Solution: Encrypt, then MAC (or MAC, then encrypt) Breaks chosen- plaintext security