diff --git a/notes.ctb_HTML/cs306--Notes--Attacks.html b/notes.ctb_HTML/cs306--Notes--Attacks.html index d673c92..b71e846 100644 --- a/notes.ctb_HTML/cs306--Notes--Attacks.html +++ b/notes.ctb_HTML/cs306--Notes--Attacks.html @@ -142,5 +142,5 @@
  • homework
  • -

    Attacks

    eavesdropping
    - Posses collection of ciphertext -> ciphertext only attack
    - Posses collection of plaintext/ciphertext pairs -> known plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -> chosen plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -> chosen ciphertext attack

    ◇ EAV-attack
    indistinguishability for a single message against an eavesdropper

    • An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    Statistical Attack

    dictionary attacks
    man in the middle attack
    length-extension attack
    brute force attack
    birthday attack
    replay attack
    reflection attac
    • Reordering attack -> verify the block index i
    • Truncation attack
    mix and match attack
    etc...
    +

    Attacks

    eavesdropping
    - Posses collection of ciphertext -> ciphertext only attack
    - Posses collection of plaintext/ciphertext pairs -> known plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -> chosen plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -> chosen ciphertext attack

    • An attacker may posses a collection of ciphertext:
    ◇ ciphertext only attack
    ◇ EAV-attack
    ▪indistinguishability for a single message against an eavesdropper
    ▪An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    ◇ Chosen plaintext attack
    ◇ CPA-attack
    ▪ indistinguishability for a single message against an eavesdropper

    • An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    Statistical Attack

    dictionary attacks
    man in the middle attack
    length-extension attack
    brute force attack
    birthday attack
    replay attack
    reflection attac
    • Reordering attack -> verify the block index i
    • Truncation attack
    mix and match attack
    Alteration
    Denial-of-service
    Masquerading
    Repudiation
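Review bot: the new nesting under "An attacker may posses a collection of ciphertext:" pairs each security notion with the wrong premise. Under "◇ EAV-attack" the sub-bullet "An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker" is the chosen-plaintext premise, and under "◇ CPA-attack" the sub-bullet "indistinguishability for a single message against an eavesdropper" is the EAV definition; swap them so EAV sits with the ciphertext-only premise and CPA with chosen-plaintext pairs, e.g. "CPA-attack: indistinguishability for a single message against an adversary with access to an encryption oracle". The duplicate "• An attacker may posses ..." line that follows the CPA bullets can then go. Spelling: "Posses" should be "Possesses" throughout, "selected by the attack" (chosen plaintext line) should be "selected by the attacker", and "reflection attac" is missing its final k.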
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Authenticate-then-encrypt.html b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Authenticate-then-encrypt.html index 96474ed..9eefbfc 100644 --- a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Authenticate-then-encrypt.html +++ b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Authenticate-then-encrypt.html @@ -142,5 +142,5 @@
  • homework
  • -

    Authenticate-then-encrypt

    Authenticate-then-encrypt


    • Mackm(m) -> t; Encke(m||t) -> c; send ciphertext c
    • if Decke(c) = m || t ≠ fail and Vrfykm(m,t) accepts,
    ◇ output m
    ◇ else output fail
    • insecure
    +

    Authenticate-then-encrypt

    Authenticate-then-encrypt


    • Mackm(m) -> t; Encke(m||t) -> c; send ciphertext c
    • if Decke(c) = m || t ≠ fail and Vrfykm(m,t) accepts,
    ◇ output m
    ◇ else output fail
    • insecure
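Review bot: the decryption step "if Decke(c) = m || t ≠ fail and Vrfykm(m,t) accepts" uses m and t before they are defined; write it as "if Decke(c) ≠ fail, parse the result as m || t; if Vrfykm(m,t) accepts output m, else output fail". The bare "• insecure" also needs its reason, as the Encrypt-and-authenticate page gives one: a CPA-secure ΠE combined this way is not guaranteed to be CCA-secure, and a concrete counterexample (decryption failing in a way the attacker can distinguish from MAC rejection) is what justifies the bullet. Note also that the old and new text of this hunk are identical, so the change is whitespace or markup only; if the notes are being touched anyway, fix the content in the same pass.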
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-and-authenticate.html b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-and-authenticate.html index 9cc2a41..f34d084 100644 --- a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-and-authenticate.html +++ b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-and-authenticate.html @@ -142,5 +142,5 @@
  • homework
  • -

    Encrypt-and-authenticate

    Encrypt-and-authenticate


    • Encke(m) -> c; Mackm(m) -> t; send ciphertext (c, t)
    • if Decke(c) ≠ fail and Vrfykm(m,t) accepts
    ◇ output m
    ◇ else output fail
    • Insecure
    ◇ MAC tag t may leak information about m
    ◇ if MAC is deterministic (CBC-MAC) then ΠAE is not CPA-secure
    +

    Encrypt-and-authenticate

    Encrypt-and-authenticate


    • Encke(m) -> c; Mackm(m) -> t; send ciphertext (c, t)
    • if Decke(c) ≠ fail and Vrfykm(m,t) accepts
    ◇ output m
    ◇ else output fail
    • Insecure
    ◇ MAC tag t may leak information about m
    ◇ if MAC is deterministic (CBC-MAC) then ΠAE is not CPA-secure
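Review bot: "if Decke(c) ≠ fail and Vrfykm(m,t) accepts" verifies a tag over m without saying where m comes from; write "m := Decke(c); if m ≠ fail and Vrfykm(m,t) accepts, output m". In "if MAC is deterministic (CBC-MAC) then ΠAE is not CPA-secure" the parenthetical reads as though CBC-MAC were the only case; any deterministic MAC lets the attacker see that two ciphertexts carry the same m, so phrase it as "e.g. CBC-MAC". As with the previous file, this hunk has no visible change.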
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-then-authenticate.html b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-then-authenticate.html index 3a4a80c..33f2793 100644 --- a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-then-authenticate.html +++ b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption--Encrypt-then-authenticate.html @@ -142,5 +142,5 @@
  • homework
  • -

    Encrypt-then-authenticate

    Encrypt-then-authenticate


    • Encke(m) -> c; Mackm(c) ->t; send ciphertext (c, t)
    • if Vrfykm(c,t) accepts then
    ◇ output Decke(c) = m,
    ◇ else output fail
    • secure scheme as long as ΠM is a strong MAC
    +

    Encrypt-then-authenticate

    Encrypt-then-authenticate


    • Encke(m) -> c; Mackm(c) ->t; send ciphertext (c, t)
    • if Vrfykm(c,t) accepts then
    ◇ output Decke(c) = m,
    ◇ else output fail
    • secure scheme as long as ΠM is a strong MAC
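Review bot: "secure scheme as long as ΠM is a strong MAC" leaves out the two other conditions the parent Authenticated encryption page states, namely that ΠE is CPA-secure and that ke and km are independent; repeat them here, since this is the page readers land on. Also make explicit that the c in "Mackm(c)" is the entire ciphertext as transmitted, including the IV or nonce, otherwise the unauthenticated part can be modified without the tag failing.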
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption.html b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption.html index 7bfdaf2..d885374 100644 --- a/notes.ctb_HTML/cs306--Notes--Authenticated_encryption.html +++ b/notes.ctb_HTML/cs306--Notes--Authenticated_encryption.html @@ -142,5 +142,5 @@
  • homework
  • -

    Authenticated encryption

    Authenticated encryption constructions


    • CPA-secure encryption scheme ΠE=(Enc, Dec)
    • a secure MAC ΠM = (MAC, Vrfy)
    • instantiated using independent secret keys ke, km
    • order matters
    • secrecy and integrity is protected

    • Possible attacks:
    ◇ reordering attack - counters can be used to eliminate reordering/replays
    ◇ reflection attack - directional bit can be used to eliminate reflections
    ◇ replay attack - c = Enck(ba->b || ctrA,b || m); ctrA,B++
    +

    Authenticated encryption

    Authenticated encryption constructions


    • CPA-secure encryption scheme ΠE=(Enc, Dec)
    • a secure MAC ΠM = (MAC, Vrfy)
    • instantiated using independent secret keys ke, km
    • order matters
    • secrecy and integrity is protected

    • Possible attacks:
    ◇ reordering attack - counters can be used to eliminate reordering/replays
    ◇ reflection attack - directional bit can be used to eliminate reflections
    ◇ replay attack - c = Enck(ba->b || ctrA,b || m); ctrA,B++
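Review bot: the replay bullet "c = Enck(ba->b || ctrA,b || m); ctrA,B++" mixes notation (ba->b for the direction bit, ctrA,b versus ctrA,B) and states the sender side only; the receiver must also check that the decrypted direction bit and counter are the expected ones and reject otherwise, or the counter does nothing. Suggest a single formula for the combined fix, e.g. "c = Enck(bA→B || ctrA,B || m); ctrA,B++", with the receiver-side check spelled out, and fold the first bullet, "counters can be used to eliminate reordering/replays", into it rather than listing replay twice.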
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC--Chained_CBC.html b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC--Chained_CBC.html index cd69c11..35d37a5 100644 --- a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC--Chained_CBC.html +++ b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC--Chained_CBC.html @@ -142,5 +142,5 @@
  • homework
  • -

    Chained CBC

    Chained CBC


    • Uses last block ciphertext as IV of next message
    • not CPA-secure
    +

    Chained CBC

    Chained CBC


    • Uses last block ciphertext as IV of next message
    • not CPA-secure
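Review bot: "not CPA-secure" needs its reason: reusing the last ciphertext block as the next IV means the attacker knows the IV before choosing the next plaintext, so it can submit m' = c_last ⊕ IV_old ⊕ m* and compare the resulting first block with an earlier ciphertext block to test whether that block encrypted m*. One sentence such as "the next IV is predictable, so the attacker can choose a plaintext that collides with a previous block" is enough.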
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC.html b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC.html index 604b31a..e4cd21d 100644 --- a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC.html +++ b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC.html @@ -142,5 +142,5 @@
  • homework
  • -

    CBC

    CBC: Cipher Block Chaining


    • ECB produces the same ciphertext on the same ciphertext under the same key
    • The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext
    • Previous ciphertext block is combined with current plaintext block C[i] = Ek(C[i-1]⊕P[i])
    • C[-1] = IV; a random block separately transmitted encrypted
    • decryption: P[i] = C[i-1]⊕Dk(C[i])
    images\21-1.png

    images\21-2.png
    +

    CBC

    CBC: Cipher Block Chaining


    • ECB produces the same ciphertext on the same ciphertext under the same key
    • The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext
    • Previous ciphertext block is combined with current plaintext block C[i] = Ek(C[i-1]⊕P[i])
    • C[-1] = IV; a random block separately transmitted encrypted
    • decryption: P[i] = C[i-1]⊕Dk(C[i])
    images\21-1.png

    images\21-2.png
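Review bot: "ECB produces the same ciphertext on the same ciphertext under the same key" should read "on the same plaintext". "C[-1] = IV; a random block separately transmitted encrypted" is misleading: the IV does not need to be encrypted, it is sent in the clear alongside the ciphertext blocks; what it must be is uniformly random (unpredictable) for each message. Also "an initial vector" should be "an initialization vector".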
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CTR.html b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CTR.html index 65edbe8..65eb746 100644 --- a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CTR.html +++ b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CTR.html @@ -142,5 +142,5 @@
  • homework
  • -

    CTR


    CTR - Counter Mode


    • CTR uniform
    • message length doesn't need to be multiple of n
    • resembles synchronized stream-cipher mode
    • CPA-secure if Fk is PRF
    • no need for Fk to be invertible
    • parallelizable
    images\29-1.png
    +

    CTR

    CTR - Counter Mode


    • CTR uniform
    • message length doesn't need to be multiple of n
    • resembles synchronized stream-cipher mode
    • CPA-secure if Fk is PRF
    • no need for Fk to be invertible
    • parallelizable
    images\29-1.png
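Review bot: "CTR uniform" is unclear; it should say that the initial counter value ctr is chosen uniformly at random per message (the OFB page says "IV uniform"), and the bullet "CPA-secure if Fk is PRF" should carry the caveat that no counter value may be reused under the same key, since reuse leaks the XOR of the two plaintexts exactly as on the One Time Pad page.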
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--ECB.html b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--ECB.html index d06f2cd..1fd9824 100644 --- a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--ECB.html +++ b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--ECB.html @@ -142,5 +142,5 @@
  • homework
  • -

    ECB


    ECB: Electronic Code Book


    • Block P[i] encrypted into ciphertext block C[i] = Ek(P[i])
    • Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])
    images\20-1.png
    • Strengths
    ◇ Simple
    ◇ Parallel encryptions
    ◇ Tolerates loss or damage
    • Weaknesses
    ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext
    images\20-2.png

    • deterministic - not CPA secure
    • not EAV-secure
    images\20-3.png
    +

    ECB

    ECB: Electronic Code Book


    • Block P[i] encrypted into ciphertext block C[i] = Ek(P[i])
    • Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])
    images\20-1.png
    • Strengths
    ◇ Simple
    ◇ Parallel encryptions
    ◇ Tolerates loss or damage
    • Weaknesses
    ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext
    images\20-2.png

    • deterministic - not CPA secure
    • not EAV-secure
    images\20-3.png
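Review bot: "Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])" has the direction reversed and switches from P[i] to M[i]; it should be "Ciphertext block C[i] decrypted into plaintext block P[i] = Dk(C[i])". "not EAV-secure" should be qualified as applying to messages longer than one block (two equal plaintext blocks give two equal ciphertext blocks), which is exactly what the repeated-pattern weakness above illustrates.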
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--OFB.html b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--OFB.html index 870d6c7..ffea207 100644 --- a/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--OFB.html +++ b/notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--OFB.html @@ -142,5 +142,5 @@
  • homework
  • -

    OFB


    OFB - Output Feedback


    • IV uniform
    • message length doesn't need to be multiple of n
    • resembles synchronizes stream-cipher mode
    • stateful variant (chaining) is secure
    • CPA-secure if Fk is PRF
    images\28-1.png
    +

    OFB

    OFB - Output Feedback


    • IV uniform
    • message length doesn't need to be multiple of n
    • resembles synchronizes stream-cipher mode
    • stateful variant (chaining) is secure
    • CPA-secure if Fk is PRF
    images\28-1.png
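Review bot: "resembles synchronizes stream-cipher mode" should be "synchronized". "stateful variant (chaining) is secure" reads as a contradiction of the Chained CBC page unless it says why: in OFB the value carried over to the next message is the last keystream block, and the next keystream block is Fk of it, which the attacker cannot compute without k, whereas chained CBC carries over a ciphertext block the attacker has already seen; add that contrast.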
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms--RSA.html b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms--RSA.html index bac18aa..e5d8d54 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms--RSA.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms--RSA.html @@ -142,5 +142,5 @@
  • homework
  • -

    RSA

    RSA Algorithm


    General case
    • Setup (run by a given user)
    ◇ n = p * q, with p and q primes
    ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ◇ d inverse of e in ZΦ(n)
    • Keys
    ◇ public key is Kpk = (n, e)
    ◇ private key is Ksk = d
    • Encryption
    ◇ C = Me mod n for plaintext M in Zn
    • Decryption
    ◇ M = Cd mod n
    images\75-1.png
    images\75-2.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n
    +

    RSA

    RSA Algorithm


    General case
    • Setup (run by a given user)
    ◇ n = p * q, with p and q primes
    ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ◇ d inverse of e in ZΦ(n)
    • Keys
    ◇ public key is Kpk = (n, e)
    ◇ private key is Ksk = d
    • Encryption
    ◇ C = Me mod n for plaintext M in Zn
    • Decryption
    ◇ M = Cd mod n
    images\75-1.png
    images\75-2.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n
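Review bot: "Randomized RSA ... compute ciphertext as [Ke mod n, AESk(m)]" is unsafe as written if K is a bare 128- or 256-bit AES key: with e = 3 and a 2048-bit n, K^e is smaller than n, the modular reduction never happens, and K is recovered by taking an integer cube root. The session key must be padded to the full modulus length, or derived as K = H(r) from a full-length random r, before exponentiation; say so, or point at the OAEP bullet beneath it. Smaller points: "deteministic" should be "deterministic"; "homomorphic" should say multiplicatively homomorphic and that this is a malleability weakness of plain RSA; "Sign the hash" belongs with signatures, not under Security of encryption; and "d inverse of e in ZΦ(n)" should state the condition d·e ≡ 1 mod Φ(n).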
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms.html b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms.html index 10f0349..1f40a54 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--algorithms.html @@ -142,5 +142,5 @@
  • homework
  • -

    algorithms


    +

    algorithms

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--hybrid_encryption.html b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--hybrid_encryption.html index e6760a1..66274bc 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--hybrid_encryption.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric--hybrid_encryption.html @@ -142,5 +142,5 @@
  • homework
  • -

    hybrid encryption

    ybrid encryption


    images\69-1.png
    • reduces public-key crypto to secret-key crypto
    • better performance
    • apply public-key encryption on random key k
    • use k for secret-key encryption of m
    images\69-2.png
    • Using KEM/DEM approach
    ◇ encapsulate secret key k into c
    ◇ use k for secret-key encryption of m
    ◇ KEM: key-encapsulation mechanism - Encaps
    ◇ DEM: data encapsulation machanism - Enc'
    ◇ KEM/DEM scheme
    ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure
    ▪ CCA-secure if KEM and Enc' are CCA-secure
    +

    hybrid encryption

    Hybrid encryption


    images\69-1.png
    • reduces public-key crypto to secret-key crypto
    • better performance
    • apply public-key encryption on random key k
    • use k for secret-key encryption of m
    images\69-2.png
    • Using KEM/DEM approach
    ◇ encapsulate secret key k into c
    ◇ use k for secret-key encryption of m
    ◇ KEM: key-encapsulation mechanism - Encaps
    ◇ DEM: data encapsulation machanism - Enc'
    ◇ KEM/DEM scheme
    ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure
    ▪ CCA-secure if KEM and Enc' are CCA-secure
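Review bot: "data encapsulation machanism" still has the typo ("mechanism"); since this hunk already fixes the "ybrid" heading, fix it in the same pass. The second security bullet, "CCA-secure if KEM and Enc' are CCA-secure", should say that Enc' must be CCA-secure as a secret-key scheme, i.e. an authenticated-encryption construction such as the Encrypt-then-authenticate page, so that readers do not pair a CCA-secure KEM with plain CTR or CBC.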
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric.html b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric.html index 0bd0941..b0e74c4 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--asymmetric.html @@ -142,5 +142,5 @@
  • homework
  • -

    asymmetric

    ublic-key encryption


    • assumes trusted setup
    ◇ PKI (public keys are public) and secure storage (private keys remain private)
    • Many parties can encrypt, but only one party can decrypt
    images\68-1.png
    • defined by message space M and triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm that outputs a public-key pair (Upk, Usk) for user U
    ◇ Enc: probabilistic algorithm that on input plantextm and public key, outputs ciphertext c
    ◇ Dec: deterministic alogirthm that on input ciphertext c and private key, outputs a plaintext m

    Security


    • CPA-securty -- randomized encryption is required
    • Easy to check (Upk, Usk) is a valid key pair
    • infeasible to produce Usk from Upk
    • the attacker can posses the rcipient's public key
    ◇ all 3 collapse to the same attack type
    ▪ ciphertext-only attack
    ▪ known plaintext attack
    ▪ chosen-plaintext attack
    • EAV-security
    ◇ A scheme is EAV-secure if no PPT attacker can correctly guess b non-negligibly better than randomly guessing
    ▪ even when it can use the recipient's public key pk
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • CPA-security
    ◇ A scheme is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    ▪ even when it learns the encryptions of messages of its choice
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • EAV-security implies CPA-security
    • CCA-security
    ◇ attacker posses recipient's public key
    ◇ attacker has access to the decryption oracle
    ◇ attacker is not allowed to use the oracle on the challenge ciphertext
    ◇ probabilistic encryption necessary
    ◇ one message extends to multiple messages
    ◇ fixed length messages DO NOT extend to arbitrary length messages
    +

    asymmetric

    Public-key encryption


    • assumes trusted setup
    ◇ PKI (public keys are public) and secure storage (private keys remain private)
    • Many parties can encrypt, but only one party can decrypt
    images\68-1.png
    • defined by message space M and triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm that outputs a public-key pair (Upk, Usk) for user U
    ◇ Enc: probabilistic algorithm that on input plantextm and public key, outputs ciphertext c
    ◇ Dec: deterministic alogirthm that on input ciphertext c and private key, outputs a plaintext m

    Security


    • CPA-securty -- randomized encryption is required
    • Easy to check (Upk, Usk) is a valid key pair
    • infeasible to produce Usk from Upk
    • the attacker can posses the rcipient's public key
    ◇ all 3 collapse to the same attack type
    ▪ ciphertext-only attack
    ▪ known plaintext attack
    ▪ chosen-plaintext attack
    • EAV-security
    ◇ A scheme is EAV-secure if no PPT attacker can correctly guess b non-negligibly better than randomly guessing
    ▪ even when it can use the recipient's public key pk
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • CPA-security
    ◇ A scheme is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    ▪ even when it learns the encryptions of messages of its choice
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • EAV-security implies CPA-security
    • CCA-security
    ◇ attacker posses recipient's public key
    ◇ attacker has access to the decryption oracle
    ◇ attacker is not allowed to use the oracle on the challenge ciphertext
    ◇ probabilistic encryption necessary
    ◇ one message extends to multiple messages
    ◇ fixed length messages DO NOT extend to arbitrary length messages
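Review bot: the heading fix ("ublic-key" to "Public-key") leaves the same class of typo elsewhere on the page: "plantextm" should be "plaintext m", "alogirthm" should be "algorithm", "CPA-securty" should be "CPA-security", "rcipient's" should be "recipient's". On content, "EAV-security implies CPA-security" holds only in the public-key setting, and only because the attacker holding pk can encrypt chosen plaintexts itself; add that reason, since the symmetric notions do not collapse this way. Under CCA-security, "fixed length messages DO NOT extend to arbitrary length messages" is right but needs its one-line reason: encrypting block by block lets the attacker reorder or swap blocks and query the decryption oracle on the result.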
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--AES.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--AES.html index 95238a1..99ddf5f 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--AES.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--AES.html @@ -142,5 +142,5 @@
  • homework
  • -

    AES

    AES: Advanced Encryption System


    • Block cipher
    • Still in use
    images\18-1.png
    • Employs substitution, confusion, and diffusion
    ◇ on blocks of 128 bits in 10, 12, or 14 rounds for keys of 128, 192, 256
    images\18-2.png

    DES vs AES


    images\18-3.png
    +

    AES

    AES: Advanced Encryption System


    • Block cipher
    • Still in use
    images\18-1.png
    • Employs substitution, confusion, and diffusion
    ◇ on blocks of 128 bits in 10, 12, or 14 rounds for keys of 128, 192, 256
    images\18-2.png

    DES vs AES


    images\18-3.png
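Review bot: "AES: Advanced Encryption System" should be "Advanced Encryption Standard". "Employs substitution, confusion, and diffusion" mixes one operation with two design goals: the round operations are substitution (SubBytes) and permutation/mixing (ShiftRows, MixColumns, AddRoundKey), while confusion and diffusion are the properties they provide. "keys of 128, 192, 256" needs the unit (bits).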
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--DES.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--DES.html index c1dd5db..3150985 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--DES.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--DES.html @@ -142,5 +142,5 @@
  • homework
  • -

    DES

    DES: Data Encryption Standard


    • Block cipher
    • Considered insecure
    images\17-1.png
    • Employs substituion and transposition on top of each other for 16 rounds
    • block size = 64 bits, key size = 56 bits
    • double DES -> not effective -> 80 bit security
    • triple DES -> more effective -> 112 bit security
    images\17-2.png

    DES vs AES


    images\17-3.png
    +

    DES

    DES: Data Encryption Standard


    • Block cipher
    • Considered insecure
    images\17-1.png
    • Employs substituion and transposition on top of each other for 16 rounds
    • block size = 64 bits, key size = 56 bits
    • double DES -> not effective -> 80 bit security
    • triple DES -> more effective -> 112 bit security
    images\17-2.png

    DES vs AES


    images\17-3.png
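Review bot: "double DES -> not effective -> 80 bit security" is wrong: double DES has a 112-bit key, but a meet-in-the-middle attack breaks it with about 2^57 DES operations (and 2^56 memory), so its effective security is roughly 57 bits, which is why it is "not effective". Three-key triple DES has 168 key bits and about 112-bit security because of the same meet-in-the-middle attack, so the "112 bit security" bullet is correct but should give that reason. Also "substituion" should be "substitution".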
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--One_Time_Pad.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--One_Time_Pad.html index e7aef90..db85d71 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--One_Time_Pad.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--One_Time_Pad.html @@ -142,5 +142,5 @@
  • homework
  • -

    One Time Pad

    • Unbreakable
    • Uses a block of shift keys of size n (k1.... kn) with each shift key being chosen uniformly at random
    • Perfectly secure
    M = C = K = {0,1)t
    • Gen: uniformly random
    {0, 1}t
    • Enc:
    Enc(k, m) = k ⊕ m
    • Dec
    Dec(c) = k ⊕ c
    • Correctness
    k ⊕ c = k ⊕ k ⊕ m = 0 ⊕ m = m

    • Weaknesses


    ◇ The key has to be as long as the plaintext
    ◇ keys can never be reused
    ▪ if they are reused, the XOR of plaintext messages is leaked
    +

    One Time Pad

    • Unbreakable
    • Uses a block of shift keys of size n (k1.... kn) with each shift key being chosen uniformly at random
    • Perfectly secure
    M = C = K = {0,1)t
    • Gen: uniformly random
    {0, 1}t
    • Enc:
    Enc(k, m) = k ⊕ m
    • Dec
    Dec(c) = k ⊕ c
    • Correctness
    k ⊕ c = k ⊕ k ⊕ m = 0 ⊕ m = m

    • Weaknesses


    ◇ The key has to be as long as the plaintext
    ◇ keys can never be reused
    ▪ if they are reused, the XOR of plaintext messages is leaked
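Review bot: "M = C = K = {0,1)t" has a mismatched brace and a lost superscript; it should be "M = C = K = {0,1}^t", and the Gen line "{0, 1}t" should read "k chosen uniformly from {0,1}^t". "Dec(c) = k ⊕ c" drops the key argument that "Enc(k, m)" has; write "Dec(k, c) = k ⊕ c". "Uses a block of shift keys of size n (k1.... kn)" uses n for the length while the rest of the page uses t; pick one.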
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--Substitution_Boxes.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--Substitution_Boxes.html index d3e8e99..942aad7 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--Substitution_Boxes.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--Substitution_Boxes.html @@ -142,5 +142,5 @@
  • homework
  • -

    Substitution Boxes

    Substitution boxes


    images\16-1.png
    +

    Substitution Boxes

    Substitution boxes


    images\16-1.png
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Shift_Cipher.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Shift_Cipher.html index 16a84ec..4f9b553 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Shift_Cipher.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Shift_Cipher.html @@ -142,5 +142,5 @@
  • homework
  • -

    Shift Cipher

    Shift Cipher


    • Key extension of Caesar's cipher
    • Randomly set key k in [0:25]
    ◇ shift each character in the message by k positions
    • Brute force attacks - only 26 possibilities - manual
    • Automated attack based on statistics
    ◇ if a character i in the alphabet has a frequency pi, then from known statistics we know that Σipi2 ≈ 0.065
    • The brute-force attack can test all possible keys
    ◇ condition becomes much simpler and isn't as manual
    +

    Shift Cipher

    Shift Cipher


    • Key extension of Caesar's cipher
    • Randomly set key k in [0:25]
    ◇ shift each character in the message by k positions
    • Brute force attacks - only 26 possibilities - manual
    • Automated attack based on statistics
    ◇ if a character i in the alphabet has a frequency pi, then from known statistics we know that Σipi2 ≈ 0.065
    • The brute-force attack can test all possible keys
    ◇ condition becomes much simpler and isn't as manual
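Review bot: "Σipi2 ≈ 0.065" is the baseline statistic, Σ p_i^2 over the English letter frequencies p_i, not the attack itself; the automated attack computes, for each candidate shift j, I_j = Σ_i p_i · q_{i+j}, with q_i the ciphertext letter frequencies, and picks the j for which I_j ≈ 0.065. The last bullet, "condition becomes much simpler and isn't as manual", should name that condition so it stands on its own, and the flattened subscripts and superscripts should be restored.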
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Vigenere_cipher.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Vigenere_cipher.html index 8543dba..1b6f4d3 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Vigenere_cipher.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher--Vigenere_cipher.html @@ -142,5 +142,5 @@
  • homework
  • -

    Vigenere cipher

    Vigenere cipher


    • generalization of mono-alphabetic substitution cipher
    • key space defines fixed (shift) mapping that is applied on block of characters
    • a key k is a string of length t, defining the shift for blocks of size t
    • e.g. k = (2,1,3,11). Each block is shifted respectively by 2,1,3,11
    • plaintext-to-ciphertext mapping is many-to-many
    • if the key length t is known: problem is reduced to attacking the shift cipher
    ◇ statistical attacks for each subsequence of the from cj, cj+t, cj+2t...
    • if key length t is unknown:
    ◇ repeat stastical attacks for gussed values of t.
    ◇ Kasiski's method: identify repeated patterns of length 2 or 3 in the ciphertext.p period t can be decuded by locations of these patterns in the text
    ◇ index of coincidence method: compute ST = Σiqi2 and stop when ST = 0.065. T is a multiple of t.
    +

    Vigenere cipher

    Vigenere cipher


    • generalization of mono-alphabetic substitution cipher
    • key space defines fixed (shift) mapping that is applied on block of characters
    • a key k is a string of length t, defining the shift for blocks of size t
    • e.g. k = (2,1,3,11). Each block is shifted respectively by 2,1,3,11
    • plaintext-to-ciphertext mapping is many-to-many
    • if the key length t is known: problem is reduced to attacking the shift cipher
    ◇ statistical attacks for each subsequence of the from cj, cj+t, cj+2t...
    • if key length t is unknown:
    ◇ repeat stastical attacks for gussed values of t.
    ◇ Kasiski's method: identify repeated patterns of length 2 or 3 in the ciphertext.p period t can be decuded by locations of these patterns in the text
    ◇ index of coincidence method: compute ST = Σiqi2 and stop when ST = 0.065. T is a multiple of t.
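Review bot: "generalization of mono-alphabetic substitution cipher" points the wrong way: Vigenère is the poly-alphabetic generalization of the shift cipher (each position uses one of t shifts), which is what the rest of the page describes. In "compute ST = Σiqi2 and stop when ST = 0.065. T is a multiple of t", the equality should be ≈, the notation should be S_T = Σ_i q_i^2 with q_i the letter frequencies in the subsequence c_1, c_{1+T}, c_{1+2T}, ..., and the conclusion should read "the smallest T with S_T ≈ 0.065 is t (larger such T are multiples of t)". Typos: "stastical" to "statistical", "gussed" to "guessed", "of the from" to "of the form", "ciphertext.p period" to "ciphertext; the period", "decuded" to "deduced".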
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher.html index 4a0f1c9..380d9b6 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Caesar's_Cipher.html @@ -142,5 +142,5 @@
  • homework
  • -

    Caesar's Cipher

    Caesar's cipher


    • Shift each character in the message by 3 postiions (13 in ROT-13)
    • no secret key is used - security by obscurity
    • Brute force attacks - only 26 possibilities
    +

    Caesar's Cipher

    Caesar's cipher


    • Shift each character in the message by 3 postiions (13 in ROT-13)
    • no secret key is used - security by obscurity
    • Brute force attacks - only 26 possibilities
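Review bot: "Brute force attacks - only 26 possibilities" contradicts the bullet above it, "no secret key is used": with a fixed shift of 3 there is nothing to search, and the 26 possibilities belong on the Shift Cipher page. Either drop the bullet here or say that an attacker who does not know the fixed shift tries all 26. Also "postiions" should be "positions".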
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher--Mono-alphabetic_substituion_cipher.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher--Mono-alphabetic_substituion_cipher.html index 03bb781..f79d795 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher--Mono-alphabetic_substituion_cipher.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher--Mono-alphabetic_substituion_cipher.html @@ -142,5 +142,5 @@
  • homework
  • -

    Mono-alphabetic substituion cipher

    Mono-alphabetic substituion cipher


    • generalization of shift cipher
    • key space defines permutation on alphabet
    ◇ use a 1-1 mapping between characters in the alphabet to produce ciphertext
    ◇ shift each distinct character in the plaintext to get a distinct character in the ciphertext
    • Key space is large (26! or 288)
    • character mapping is fixed - plaintext and ciphertext exhibit same statistics

    images\14-1.png
    +

    Mono-alphabetic substituion cipher

    Mono-alphabetic substituion cipher


    • generalization of shift cipher
    • key space defines permutation on alphabet
    ◇ use a 1-1 mapping between characters in the alphabet to produce ciphertext
    ◇ shift each distinct character in the plaintext to get a distinct character in the ciphertext
    • Key space is large (26! or 288)
    • character mapping is fixed - plaintext and ciphertext exhibit same statistics

    images\14-1.png
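Review bot: "Key space is large (26! or 288)" has lost its exponent and should read 26! ≈ 2^88. The sub-bullet "shift each distinct character in the plaintext to get a distinct character in the ciphertext" describes a shift cipher rather than a general substitution: the key is an arbitrary permutation of the alphabet and each plaintext letter is replaced by its image under that permutation. Suggest adding after the last bullet why the large key space does not help, namely that the fixed mapping preserves letter frequencies, so the cipher falls to frequency analysis instead of brute force (the Substitution Cipher page states this). Both headings misspell "substitution".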
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher.html index d82b444..034bcad 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric--classical_ciphers--Subsitution_Cipher.html @@ -142,5 +142,5 @@
  • homework
  • -

    Subsitution Cipher

    Substituion cipher


    images\11-1.png
    • Each letter is uniquely replaced by another
    • Broken by using a frequency analysis
    images\11-2.png
    +

    Subsitution Cipher

    Substituion cipher


    images\11-1.png
    • Each letter is uniquely replaced by another
    • Broken by using a frequency analysis
    images\11-2.png
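Review bot: both headings are misspelled ("Subsitution Cipher", "Substituion cipher"), and the body consists of two bullets and two image references. Since "Broken by using a frequency analysis" is the whole point of the page, suggest one line saying what the analysis compares (ciphertext letter frequencies against the known letter frequencies of the plaintext language) so the images are not the only carrier of the idea.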
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric.html b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric.html index e8053f8..907d7d3 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption--symmetric.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption--symmetric.html @@ -142,5 +142,5 @@
  • homework
  • -

    symmetric

    Symmetric Key Cryptography


    • Assumptions
    ◇ Adversary
    ▪ types of attacks
    ◇ trusted setup
    ▪ keys are distributed securely
    ▪ keys remain secret
    ◇ trust basis
    ▪ underlying primitives are secure
    ▪ PRG, PRF, CR-hashing
    • Limitations
    ◇ securely obtain
    ▪ strong assumption to make
    ▪ requires secure channel for key distribution
    ▪ seems impossible for two parties having no prior trust relationship
    ▪ not easily justifiable to hold a prioi
    ◇ shared secret key
    ▪ challenging problem to solve
    ▪ requires too many keys for n parties to communicate
    ▪ too much risk to protect all secret keys
    ▪ revovation complexity

    • 2 approaches to solve key distribution


    ◇ designated secure channels
    ▪ physically protected
    ▪ e.g. sound proof room
    ◇ trusted party
    ▪ entities autorized to dstribute keys
    ▪ e.g. key distribution center
    +

    symmetric

    Symmetric Key Cryptography


    images\67-1.png

    Defined by message space M
    Triplet of algorithms (Gen, Enc, Dec)
    • Gen: probabilistic algorithm, outputs a uniformly random key k from key space K
    • Enc: probabilistic algorithm, on input plaintext m and key k, outputs ciphertext c
    • Dec: deterministic algorithm, on iput c and key k, outputs a plaintext m

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Statisfies properties:
    • efficiency: key generation and message transformations are fast
    • correctness: for all m, k it holds that Dec(Enc(m, k), k) = m
    • security: one cannot learn plaintext m from ciphertext c

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    • Assumptions
    ◇ Adversary
    ▪ types of attacks
    ◇ trusted setup
    ▪ keys are distributed securely
    ▪ keys remain secret
    ◇ trust basis
    ▪ underlying primitives are secure
    ▪ PRG, PRF, CR-hashing
    • Limitations
    ◇ securely obtain
    ▪ strong assumption to make
    ▪ requires secure channel for key distribution
    ▪ seems impossible for two parties having no prior trust relationship
    ▪ not easily justifiable to hold a prioi
    ◇ shared secret key
    ▪ challenging problem to solve
    ▪ requires too many keys for n parties to communicate
    ▪ too much risk to protect all secret keys
    ▪ revovation complexity

    • 2 approaches to solve key distribution


    ◇ designated secure channels
    ▪ physically protected
    ▪ e.g. sound proof room
    ◇ trusted party
    ▪ entities autorized to dstribute keys
    ▪ e.g. key distribution center
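Review bot: in the added definition block, the security property "one cannot learn plaintext m from ciphertext c" is weaker than the notions the Attacks page of these notes uses (EAV and CPA indistinguishability); a scheme that leaks half of m satisfies this wording. Suggest stating it as indistinguishability: no efficient adversary can tell which of two messages of its choice a ciphertext encrypts. The correctness line "Dec(Enc(m, k), k) = m" should also quantify over the randomness of Enc, since Enc is declared probabilistic. Typos on the added side: "iput", "Statisfies", "a prioi", "revovation", "autorized to dstribute".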
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Encryption.html b/notes.ctb_HTML/cs306--Notes--Encryption.html index fd8a788..c641182 100644 --- a/notes.ctb_HTML/cs306--Notes--Encryption.html +++ b/notes.ctb_HTML/cs306--Notes--Encryption.html @@ -142,5 +142,5 @@
  • homework
  • -

    Encryption

    Symmetric vs Asymmetric Crypto


    Key ManagementAssumptionsPrimitivesAdversarial Sampling
    SymmetricLess scalable and riskersecret and authentic communicationgeneric assumptionsoracle access
    secure storagemore efficient in practice
    Asymmetricmore scalable and simplerauthenticity (PKI)number-theoretic assumptionspublic-key operations and oracle access
    secure storageless efficient in practice (2-3 o.o.m)

    images\23-1.png
    +

    Encryption

    Symmetric vs Asymmetric Crypto


    Key ManagementAssumptionsPrimitivesAdversarial Sampling
    SymmetricLess scalable and riskersecret and authentic communicationgeneric assumptionsoracle access
    secure storagemore efficient in practice
    Asymmetricmore scalable and simplerauthenticity (PKI)number-theoretic assumptionspublic-key operations and oracle access
    secure storageless efficient in practice (2-3 o.o.m)

    images\23-1.png
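Review bot: the comparison table has lost its cell boundaries in the export, so "Key ManagementAssumptionsPrimitivesAdversarial Sampling" and "Less scalable and riskersecret and authentic communicationgeneric assumptionsoracle access" read as single tokens; re-export with separators or rebuild the comparison as a list. Within the content, "risker" should be "riskier", and "2-3 o.o.m" should be spelled out as orders of magnitude, since the abbreviation is not defined on the page.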
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Plain.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Plain.html index 20dc213..57deb40 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Plain.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Plain.html @@ -142,5 +142,5 @@
  • homework
  • -

    Plain


    ***Attacker can send back an altered file
    +

    Plain

    images\58-1.png
    ***Attacker can send back an altered file
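Review bot: the only text on this page, "***Attacker can send back an altered file", states the threat without the model it applies to. Suggest one line above it saying that the user uploads F, keeps nothing locally, and later downloads F' from a server that is not trusted for integrity, so nothing lets the user distinguish F' from F. The Secure page that follows supplies the fix (the user keeps an authentic digest), so a pointer to it would close the loop.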
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--merkle_tree.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--merkle_tree.html index bd8bff5..c7b383c 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--merkle_tree.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--merkle_tree.html @@ -142,5 +142,5 @@
  • homework
  • -

    merkle tree

    Merkle Tree


    images\62-1.png
    +

    merkle tree

    Merkle Tree


    images\62-1.png
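Review bot: the page is an image reference only; the property that sets the Merkle tree apart from the "whole file" and "separate file" variants is not written anywhere. Suggest adding that the user keeps a single root digest, and that the proof for one file is the list of sibling hashes along the path from that file's leaf to the root, so verification needs neither the other files nor one stored digest per file.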
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--separate_file.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--separate_file.html index 6f24d9d..da40b91 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--separate_file.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--separate_file.html @@ -142,5 +142,5 @@
  • homework
  • -

    separate file

    Hashing files separately


    images\61-1.png
    +

    separate file

    Hashing files separately


    images\61-1.png
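Review bot: the page carries only a heading and an image. The trade-off this variant makes should be stated in text: one digest per file lets a single file be checked on its own, but the user must then store and keep authentic as many digests as there are files, which is what the Merkle tree page removes.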
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--whole_file.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--whole_file.html index f1a1a4b..1d8b6f5 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--whole_file.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure--whole_file.html @@ -142,5 +142,5 @@
  • homework
  • -

    whole file

    Hashing files as a whole


    images\60-1.png
    +

    whole file

    Hashing files as a whole


    images\60-1.png
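Review bot: the page carries only a heading and an image. The limitation of hashing everything as a whole should be stated in text: checking any one file requires downloading all of them to recompute the single digest, which is why the "separate file" and Merkle tree variants exist.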
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure.html index e4648ac..0e54765 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage--Secure.html @@ -142,5 +142,5 @@
  • homework
  • -

    Secure

    • Secure Cloud Storage Model


    images\59-1.png
    images\59-2.png
    • user has
    ◇ authentic digest d
    ◇ file F1' to verify
    ◇ proof (to help verification)
    • canonical verification
    ◇ combine F1' and the proof to recompute digest d'
    ◇ if d' = d - F1 is intact
    +

    Secure

    • Secure Cloud Storage Model


    images\59-1.png
    images\59-2.png
    • user has
    ◇ authentic digest d
    ◇ file F1' to verify
    ◇ proof (to help verification)
    • canonical verification
    ◇ combine F1' and the proof to recompute digest d'
    ◇ if d' = d - F1 is intact
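Review bot: the last line "if d' = d - F1 is intact" conflates the two files: the check is run on the downloaded F1', and equality d' = d establishes that F1' is the F1 the digest was computed over. Suggest also saying what "proof (to help verification)" is for each child page (nothing beyond the file for a whole-file or per-file digest, the sibling hashes for a Merkle tree), and that "authentic digest d" means the user stores d where the server cannot alter it; otherwise the scheme degrades to the Plain case.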
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage.html index 5d41add..bd5f7bf 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Cloud_Storage.html @@ -142,5 +142,5 @@
  • homework
  • -

    Cloud Storage


    +

    Cloud Storage

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Digital_Envelops_-_Commitment_Schemes.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Digital_Envelops_-_Commitment_Schemes.html index 47f5edb..f4831e6 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Digital_Envelops_-_Commitment_Schemes.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Digital_Envelops_-_Commitment_Schemes.html @@ -142,5 +142,5 @@
  • homework
  • -

    Digital Envelops / Commitment Schemes

    Digital Envelops / Commitment Schemes


    • Commitment schemes provide two operations
    ◇ commit(x,r) = C ------ seal an envelop
    ▪ put message x into an evelop using randomness r
    ▪ commit (x,r) = h(x || r)
    ▪ hiding property - you cannot see through an envelop
    - perfect opaqueness
    - reveals nothing about message
    ◇ open(C,m,r) = ACCEPT/REJECT --- open a sealed envelop
    ▪ open envelop using r to check that it has not been tampered with
    ▪ open(C, m, r): check if h(x || r) = ?C
    ▪ binding property - you cannot change the contents of a sealed envelop
    - perfect sealing
    - unforgeability - cannot find a cimmitment collision

    Online auction


    • Use digital envelops / commitment schemes

    Coin Flip - Who's doing the dishes


    • Use digital envelops / commitment schemes
    +

    Digital Envelops / Commitment Schemes

    Digital Envelops / Commitment Schemes


    • Commitment schemes provide two operations
    ◇ commit(x,r) = C ------ seal an envelop
    ▪ put message x into an evelop using randomness r
    ▪ commit (x,r) = h(x || r)
    ▪ hiding property - you cannot see through an envelop
    - perfect opaqueness
    - reveals nothing about message
    ◇ open(C,m,r) = ACCEPT/REJECT --- open a sealed envelop
    ▪ open envelop using r to check that it has not been tampered with
    ▪ open(C, m, r): check if h(x || r) = ?C
    ▪ binding property - you cannot change the contents of a sealed envelop
    - perfect sealing
    - unforgeability - cannot find a cimmitment collision

    Online auction


    • Use digital envelops / commitment schemes

    Coin Flip - Who's doing the dishes


    • Use digital envelops / commitment schemes
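Review bot: the message is named x in "commit(x,r) = h(x || r)" but m in "open(C,m,r)", and the open line "check if h(x || r) = ?C" switches back to x; pick one name. Two caveats the words "perfect opaqueness" and "perfect sealing" need: hiding of h(x || r) depends on r being a fresh, uniformly random string long enough that an attacker cannot enumerate (x, r) pairs, since with a short r or a low-entropy x the commitment is inverted by brute force; and binding follows from the collision resistance of h, which is what the "cannot find a commitment collision" bullet (misspelled "cimmitment") refers to. The Online auction and Coin flip sections contain only "Use digital envelops / commitment schemes"; suggest at least the two-round shape (every party commits, then every party opens) so the examples are usable.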
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--File_Identifiers.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--File_Identifiers.html index b97e2cb..5ddb1cf 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--File_Identifiers.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--File_Identifiers.html @@ -142,5 +142,5 @@
  • homework
  • -

    File Identifiers

    ile Identifiers


    • h(f) serves as a unique indentifier for F
    • one can check whether two files are equal by comparing digests

    • Virus fingerprinting


    ◇ comparing digest of your files against database of digests of know viruses

    • Peer to peer file sharing


    ◇ routing tables store values in the hash range for easy lookup of files

    • Data deduplication


    ◇ don't save duplicates of file. check if hash is already being stored
    ◇ saves storage and bandwidth

    • Password hashing


    ◇ server stores password hashes
    ◇ if a password file leaks, passwords are protected because of onewayness
    images\65-1.png
    ◇ password space is small and predictable - need to use password salting
    ◇ password salting
    ▪ slow down dictionary attacks
    ▪ salt is appended to a user's password before it is hashed
    ▪ salt value is stored in clear along with the hashed password
    ▪ two users with the same password will have different hashed passwords
    ▪ slows down dictionary attacks

    • Digital Signatures and hashing


    ◇ Hash and sign
    ◇ hash of a message is signed
    ◇ signing message M
    ▪ let h be a cryptographic hash function, assume RSA setting (n,d,e)
    ▪ compute signature σ = h(M)d mod n
    ▪ send σ, M
    ◇ Verifying signature σ
    ◇ use public key (e,n)
    ◇ compute H = σe mod n
    ◇ if H = h(m)
    ▪ output ACCEPT
    ▪ else output REJECT
    +

    File Identifiers

    File Identifiers


    • h(f) serves as a unique indentifier for F
    • one can check whether two files are equal by comparing digests

    • Virus fingerprinting


    ◇ comparing digest of your files against database of digests of know viruses

    • Peer to peer file sharing


    ◇ routing tables store values in the hash range for easy lookup of files

    • Data deduplication


    ◇ don't save duplicates of file. check if hash is already being stored
    ◇ saves storage and bandwidth

    • Password hashing


    ◇ server stores password hashes
    ◇ if a password file leaks, passwords are protected because of onewayness
    images\65-1.png
    ◇ password space is small and predictable - need to use password salting
    ◇ password salting
    ▪ slow down dictionary attacks
    ▪ salt is appended to a user's password before it is hashed
    ▪ salt value is stored in clear along with the hashed password
    ▪ two users with the same password will have different hashed passwords
    ▪ slows down dictionary attacks

    • Digital Signatures and hashing


    ◇ Hash and sign
    ◇ hash of a message is signed
    ◇ signing message M
    ▪ let h be a cryptographic hash function, assume RSA setting (n,d,e)
    ▪ compute signature σ = h(M)d mod n
    ▪ send σ, M
    ◇ Verifying signature σ
    ◇ use public key (e,n)
    ◇ compute H = σe mod n
    ◇ if H = h(m)
    ▪ output ACCEPT
    ▪ else output REJECT
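Review bot: "h(f) serves as a unique indentifier for F" mixes f and F and overstates: digests are unique only as far as h is collision resistant, which matters for the virus-fingerprinting and deduplication bullets (an attacker who can find collisions can hide a file behind a known-good digest or poison a dedup store). In the password section "slow down dictionary attacks" appears twice, before and after the salt bullets; what a salt actually buys is that a precomputed table of hashes cannot be reused across users or systems, while slowing each guess down is the job of a deliberately slow hash, which the page does not mention. In the signature sketch the exponents have been flattened ("σ = h(M)d mod n", "H = σe mod n"), and "if H = h(m)" uses lower-case m where the message is M.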
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Forward-secure_key_rotation.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Forward-secure_key_rotation.html index 3269a57..df7092e 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Forward-secure_key_rotation.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--Forward-secure_key_rotation.html @@ -142,5 +142,5 @@
  • homework
  • -

    Forward-secure key rotation

    orward-secure key rotation


    • Keep hashing the symmetric key after every message
    • If an attack intercepts the messages and breaks into a user's machine, key leakage will only begin after the current key
    • previous messages will remain safe
    images\64-1.png
    +

    Forward-secure key rotation

    Forward-secure key rotation


    • Keep hashing the symmetric key after every message
    • If an attack intercepts the messages and breaks into a user's machine, key leakage will only begin after the current key
    • previous messages will remain safe
    images\64-1.png
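Review bot: "If an attack intercepts" should be "If an attacker intercepts". The security claim needs one more condition to hold: after deriving the next key as the hash of the current one, the old key must be erased, since the argument relies on a compromised machine holding only the current key; if old keys remain on disk, everything encrypted under them is exposed. Suggest also stating the direction of the leak explicitly: with k_{i+1} = H(k_i) the attacker learns the current and all future keys, and only messages under earlier keys stay safe.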
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--HMAC.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--HMAC.html index 9e199f3..3517a8f 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--HMAC.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--HMAC.html @@ -142,5 +142,5 @@
  • homework
  • -

    HMAC

    MAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\56-1.png
    +

    HMAC

    HMAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\56-1.png
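Review bot: the "upper layer" / "lower layer" labels are confusing: H((k ⊕ ipad) || m) is the inner hash and H((k ⊕ opad) || y) the outer one, the inner output is called y in one line and y' in the next, and "Mac'(kouty')" has lost its subscripts and should read Mac'_{k_out}(y). A caveat worth attaching to "no known practical attacks": the key is applied on the outside precisely so that the length-extension attack of the Insecure page against H(k || m) does not carry over, and k must be padded or hashed to the block size of H before the XOR with ipad and opad, which is what "follows specification (key size)" refers to.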
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--Insecure.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--Insecure.html index 39e5d09..e1a9caa 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--Insecure.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC--Insecure.html @@ -142,5 +142,5 @@
  • homework
  • -

    Insecure

    nsecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\54-1.png
    +

    Insecure

    Insecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\54-1.png
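Review bot: "susceptive" should be "susceptible". The attack description is missing the padding step: from t = H(k || m1) and the length of k || m1 (not of m1 alone) the attacker resumes the Merkle-Damgard chain and obtains a valid tag for m1 || pad || m2, where pad is the padding the hash applied to k || m1; "knowledge of H(m1) make it feasible to compute H(m1 || m2)" drops both the pad and the key. The bullet "retrieve internal state sk even without knowing k" holds because in a Merkle-Damgard hash the tag is the final chaining value itself, so nothing has to be recovered; saying that makes the attack clearer.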
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC.html index caa60df..f361d64 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications--MAC.html @@ -142,5 +142,5 @@
  • homework
  • -

    MAC

    fficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\53-1.png
    +

    MAC

    Efficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\53-1.png
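Review bot: "Vrfy': canonical verification" should say what is recomputed: hash m to H_s(m) and run Vrfy_k on (H_s(m), t); the subscripts in "Hs(m)" and "Mack-tag" have been flattened. The name h for the digest collides with the compression function h on the Davies-Meyer and Merkle-Damgard pages; suggest a different letter.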
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Applications.html b/notes.ctb_HTML/cs306--Notes--Hashes--Applications.html index 9547340..11c4371 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Applications.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Applications.html @@ -142,5 +142,5 @@
  • homework
  • -

    Applications


    +

    Applications

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Davies-Meyer.html b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Davies-Meyer.html index f2cda22..145957e 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Davies-Meyer.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Davies-Meyer.html @@ -142,5 +142,5 @@
  • homework
  • -

    Davies-Meyer

    Davies-Meyer Scheme


    • Generic construction of CR compression function
    ◇ assume PRF w/ key length n and block length l
    ◇ define h: {0, 1}n+l -> {0,1}l as
    ▪ H(x) = Fk(x) ⊕ x
    ◇ h is CR if F is an ideal cipher
    images\42-1.png
    +

    Davies-Meyer

    Davies-Meyer Scheme


    • Generic construction of CR compression function
    ◇ assume PRF w/ key length n and block length l
    ◇ define h: {0, 1}n+l -> {0,1}l as
    ▪ H(x) = Fk(x) ⊕ x
    ◇ h is CR if F is an ideal cipher
    images\42-1.png
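Review bot: the definition is inconsistent: the compression function is declared as h: {0,1}^{n+l} -> {0,1}^l but the formula is written "H(x) = Fk(x) ⊕ x", and the (n+l)-bit input is never split. It should read h(k || x) = F_k(x) ⊕ x with k the n-bit key and x the l-bit block. The assumption line says "assume PRF" while the security claim says "if F is an ideal cipher"; the result is proved with F a block cipher modelled as an ideal cipher, and a PRF assumption alone does not give collision resistance, so the two lines should agree.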
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Merkle-Damgard.html b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Merkle-Damgard.html index 1378848..669606e 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Merkle-Damgard.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing--Merkle-Damgard.html @@ -142,5 +142,5 @@
  • homework
  • -

    Merkle-Damgard

    Merkle-Damgard transform


    • reduces problem to design of CR compression functions
    • use for general hash functions
    • general design pattern for cryptographic hash functions
    • reduces collision resistance of general hash functions to colission resistance of compression functions
    • compressing 1 single bit is at least as hard as compressing by any number of bits
    • Design
    ◇ suppose that h: {0,1}2n -> {0,1}n is a collision reistant compression function
    ◇ the general hash function M: {x: |x|<2n} -> {0,1}n is defined as
    ▪ H(x) is computed by applying h(x) in a chained manner over n-bit message blocks
    - pad x and create B message blocks x1....xB with |xi| = n
    - set extra final message block xB+1 as n-bit encoding L of |x|
    - starting with z0=IV = 0n, output H(x) = zB+1, where zi=hs(zi-1 || xi)
    • If compression function h is collision resistant, then the derived hash function H is also collision resistant
    images\41-1.png
    +

    Merkle-Damgard

    Merkle-Damgard transform


    • reduces problem to design of CR compression functions
    • use for general hash functions
    • general design pattern for cryptographic hash functions
    • reduces collision resistance of general hash functions to colission resistance of compression functions
    • compressing 1 single bit is at least as hard as compressing by any number of bits
    • Design
    ◇ suppose that h: {0,1}2n -> {0,1}n is a collision reistant compression function
    ◇ the general hash function M: {x: |x|<2n} -> {0,1}n is defined as
    ▪ H(x) is computed by applying h(x) in a chained manner over n-bit message blocks
    - pad x and create B message blocks x1....xB with |xi| = n
    - set extra final message block xB+1 as n-bit encoding L of |x|
    - starting with z0=IV = 0n, output H(x) = zB+1, where zi=hs(zi-1 || xi)
    • If compression function h is collision resistant, then the derived hash function H is also collision resistant
    images\41-1.png
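Review bot: exponents have been lost throughout: the domain is {x : |x| < 2^n}, not "2n", the IV is 0^n, and the output is z_{B+1}; the function is also named M in one line and H in the next. The domain bound is what makes the last step work, since the length L of x has to fit in one n-bit block. The bullet "compressing 1 single bit is at least as hard as compressing by any number of bits" reads backwards; the intended point is that a collision-resistant function compressing by one bit suffices to build one compressing by any amount.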
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing.html b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing.html index f61d334..0dc75c5 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Constructing.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Constructing.html @@ -142,5 +142,5 @@
  • homework
  • -

    Constructing


    +

    Constructing

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--MD5.html b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--MD5.html index a2f2511..e7fb48c 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--MD5.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--MD5.html @@ -142,5 +142,5 @@
  • homework
  • -

    MD5

    MD5 - Message Digest Algorithm


    • output 128 bits, collision resistance
    • completely broken
    • collisions can be found in less than a minute
    • widely used in legacy applications
    +

    MD5

    MD5 - Message Digest Algorithm


    • output 128 bits, collision resistance
    • completely broken
    • collisions can be found in less than a minute
    • widely used in legacy applications
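Review bot: "output 128 bits, collision resistance" reads as though MD5 provides collision resistance, which the next bullet contradicts; suggest "128-bit output, no collision resistance". Since "widely used in legacy applications" is the only reason the function appears here, say which property is broken (collisions are practical; no practical preimage attack is known) so "completely broken" is not read as covering every use.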
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA1.html b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA1.html index 03a0e1a..4cde2d7 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA1.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA1.html @@ -142,5 +142,5 @@
  • homework
  • -

    SHA1

    SHA1 - Secure Hash Algorithm


    • output 160 bits
    • considered insecure for collision resistance
    • broken
    +

    SHA1

    SHA1 - Secure Hash Algorithm


    • output 160 bits
    • considered insecure for collision resistance
    • broken
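Review bot: "considered insecure for collision resistance" and "broken" overlap; one bullet saying that practical collisions have been demonstrated, so SHA-1 must not be used for signatures or certificates, would be clearer than the two.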
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA2.html b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA2.html index f156d1c..2df20ac 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA2.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA2.html @@ -142,5 +142,5 @@
  • homework
  • -

    SHA2

    SHA2


    • outputs 224, 256, 384, 512 bits
    • no security concerns yet
    • based on Merkle-Damgard and Davies Meyer generic transforms
    +

    SHA2

    SHA2


    • outputs 224, 256, 384, 512 bits
    • no security concerns yet
    • based on Merkle-Damgard and Davies Meyer generic transforms
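Review bot: "no security concerns yet" needs the caveat that follows from the last bullet: as a Merkle-Damgard design, SHA-256 and SHA-512 have the length-extension property the Insecure MAC page describes, so H(k || m) stays insecure with them and HMAC is still required; the truncated variants (SHA-224, SHA-384, SHA-512/256) do not expose the full chaining state and are not extendable. That is a usage concern rather than a break of the hash, but it belongs next to the reassurance.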
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA3.html b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA3.html index 3d135c3..ef67c84 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA3.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes--Functions--SHA3.html @@ -142,5 +142,5 @@
  • homework
  • -

    SHA3

    SHA3


    • Completely new philosophy
    • Sponge construction and un-keyed permutations
    +

    SHA3

    SHA3


    • Completely new philosophy
    • Sponge construction and un-keyed permutations
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Hashes.html b/notes.ctb_HTML/cs306--Notes--Hashes.html index 14f657e..aea17fd 100644 --- a/notes.ctb_HTML/cs306--Notes--Hashes.html +++ b/notes.ctb_HTML/cs306--Notes--Hashes.html @@ -142,5 +142,5 @@
  • homework
  • -

    Hashes

    Hash Functions


    • maps objects to a fix-length string
    • core property: avoid collisions
    ◇ collision: distinct objects x ≠ y) are mapped to the same hash value (H(x) = H(y))
    ◇ collisions may exist, but they should be infeasbile to find
    • lies between symmetric and assymetric key cryptography
    • catpure different security properties on idealized random functions
    • qualitative stronger assumption than PRF
    • security parameter 1n
    images\39-1.png
    • general hash function H
    ◇ maps a message of an arbitrary length to l(n)-bit string
    • compression hash function h
    ◇ maps long binary string to a shorter binary string
    ◇ maps l'(n)-bit string to a l(n)-bit string with l'(n) > l(n)

    Collision resistance (CR)


    • H is collision-resistant if no PPT adversary can find collisions non-negligibly often

    Security


    • Given a hash function H: X->Y
    ◇ preimage resistant (one-way)
    ▪ if given y ∈ Y, finding a value x ∈ X s.t. H(x) = y happens negligibly often
    ◇ 2nd preimage resistant (weak collision resistant)
    ▪ if given a uniform x ∈ X, finding a value x' ∈ X, s.t. x' ≠ x and H(x') = H(x) happens negligibly often
    ◇ cf collision resistant (strong collision resistant)
    ▪ if finding two distinct values x', x ∈ X, s.t. H(x') = H(x) happens negligibly often
    +

    Hashes

    Hash Functions


    • maps objects to a fix-length string
    • core property: avoid collisions
    ◇ collision: distinct objects x ≠ y) are mapped to the same hash value (H(x) = H(y))
    ◇ collisions may exist, but they should be infeasbile to find
    • lies between symmetric and assymetric key cryptography
    • catpure different security properties on idealized random functions
    • qualitative stronger assumption than PRF
    • security parameter 1n
    images\39-1.png
    • general hash function H
    ◇ maps a message of an arbitrary length to l(n)-bit string
    • compression hash function h
    ◇ maps long binary string to a shorter binary string
    ◇ maps l'(n)-bit string to a l(n)-bit string with l'(n) > l(n)

    Collision resistance (CR)


    • H is collision-resistant if no PPT adversary can find collisions non-negligibly often

    Security


    • Given a hash function H: X->Y
    ◇ preimage resistant (one-way)
    ▪ if given y ∈ Y, finding a value x ∈ X s.t. H(x) = y happens negligibly often
    ◇ 2nd preimage resistant (weak collision resistant)
    ▪ if given a uniform x ∈ X, finding a value x' ∈ X, s.t. x' ≠ x and H(x') = H(x) happens negligibly often
    ◇ cf collision resistant (strong collision resistant)
    ▪ if finding two distinct values x', x ∈ X, s.t. H(x') = H(x) happens negligibly often
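Review bot: "distinct objects x ≠ y) are mapped" has an unmatched parenthesis, "security parameter 1n" should be 1^n, "cf collision resistant" carries a stray "cf", and "qualitative stronger" should be "qualitatively stronger". In the Security list, the preimage definition should sample y as H(x) for a uniform x rather than take an arbitrary y ∈ Y, otherwise it is vacuous for y outside the image of H. Since the page labels the notions weak and strong, one line relating them would help: collision resistance implies 2nd-preimage resistance, and for compressing functions 2nd-preimage resistance implies preimage resistance. The removed and added copies read identically in the export, so confirm this hunk is intended.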
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--Asymmetric-key_message_authentication.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--Asymmetric-key_message_authentication.html index a9f1092..46ddba3 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--Asymmetric-key_message_authentication.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--Asymmetric-key_message_authentication.html @@ -142,5 +142,5 @@
  • homework
  • -

    Asymmetric-key message authentication

    Asymmetric-key message authentication


    • Scheme
    ◇ Secret key is used for signing and public key is used for verification
    ◇ The message m with signature σ is sent.
    • One only party can sign, but multiple parties can verify
    • Assumption: PKI
    • existential unforgeability
    ◇ infeasible for any PPT attacker to forge an invalid but verifiable signature on a new message
    +

    Asymmetric-key message authentication

    Asymmetric-key message authentication


    • Scheme
    ◇ Secret key is used for signing and public key is used for verification
    ◇ The message m with signature σ is sent.
    • One only party can sign, but multiple parties can verify
    • Assumption: PKI
    • existential unforgeability
    ◇ infeasible for any PPT attacker to forge an invalid but verifiable signature on a new message
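Review bot: "forge an invalid but verifiable signature on a new message" contradicts itself; existential unforgeability says no PPT attacker can produce a signature that verifies on any message the signer never signed, so it should read "forge a valid signature on a new message". "One only party can sign" should be "Only one party can sign". "Assumption: PKI" is stated without what it provides: verifiers must obtain the genuine public key, otherwise an attacker substitutes their own key and their forgeries verify against it.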
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--RSA.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--RSA.html index 14d643b..cb76a22 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--RSA.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures--RSA.html @@ -142,5 +142,5 @@
  • homework
  • -

    RSA

    Signing with RSA


    • (Md)e = M mod p * q
    • signing algorithm = Sign(M,d,n): σ = Md mod n for message M in Zn
    • verifying algorithm = Vrfy(σ, M, e, n): return M == σe mod n
    • General case
    ◇ Setup
    ▪ n = p * q with p and q primes
    ▪ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ▪ d inverse of e in ZΦ(n)
    ◇ Keys
    ▪ public key is Kpk = (n,e)
    ▪ private key is Ksk = d
    ◇ Sign
    ▪ σ = Md mod n for message M in Zn
    ◇ Verify
    ▪ Check if M = σe mod n
    images\77-1.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n
    +

    RSA

    Signing with RSA


    • (Md)e = M mod p * q
    • signing algorithm = Sign(M,d,n): σ = Md mod n for message M in Zn
    • verifying algorithm = Vrfy(σ, M, e, n): return M == σe mod n
    • General case
    ◇ Setup
    ▪ n = p * q with p and q primes
    ▪ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ▪ d inverse of e in ZΦ(n)
    ◇ Keys
    ▪ public key is Kpk = (n,e)
    ▪ private key is Ksk = d
    ◇ Sign
    ▪ σ = Md mod n for message M in Zn
    ◇ Verify
    ▪ Check if M = σe mod n
    images\77-1.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n
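Review bot: both sides of this hunk are identical, so no change is visible. Two defects survive in the text: the Security section says "Sign the hash", yet the Sign and Verify bullets still apply d directly to M, which is exactly the deterministic, homomorphic plain RSA the same section warns about; either write the signing step as σ = H(M)^d mod n or label the raw version as textbook-only. Also "deteministic" should be "deterministic", and in Randomized RSA the ciphertext is written AESk(m) while the message is M everywhere else.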
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures.html index 6a2493f..7e3af94 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--Digital_Signatures.html @@ -142,5 +142,5 @@
  • homework
  • -

    Digital Signatures

    igital Signatures


    • A person can deny that they signed something.
    • Digital signatures make it infeasible to fake

    • Mac for digital signing


    ◇ two parties share a secret key k
    ◇ one party generates MAC on the message to be signed, using k
    ◇ message digest serves as a signature
    ◇ the other party varifies the integrity of the signed message using k
    images\71-1.png

    Properties of Digital Signatures


    • Authentication - receiver can determine that the signature really came from the signer
    • Integrity/unforgeability - no one other than the signer can produce the signature without the signer's private key
    • Non-repudiation - the ability to ensrue that a party cannot deny the authenticity of their signature on a document
    • Not alterable signatures - no signer, receiver, or any interceptor can modify the signature without tampering being evident
    • Not reusable signatures (replay-attack safeness) - any attempt to reuse a previous signature will be detected by the receiver
    +

    Digital Signatures

    Digital Signatures


    • A person can deny that they signed something.
    • Digital signatures make it infeasible to fake

    • Mac for digital signing


    ◇ two parties share a secret key k
    ◇ one party generates MAC on the message to be signed, using k
    ◇ message digest serves as a signature
    ◇ the other party varifies the integrity of the signed message using k
    images\71-1.png

    Properties of Digital Signatures


    • Authentication - receiver can determine that the signature really came from the signer
    • Integrity/unforgeability - no one other than the signer can produce the signature without the signer's private key
    • Non-repudiation - the ability to ensrue that a party cannot deny the authenticity of their signature on a document
    • Not alterable signatures - no signer, receiver, or any interceptor can modify the signature without tampering being evident
    • Not reusable signatures (replay-attack safeness) - any attempt to reuse a previous signature will be detected by the receiver
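Review bot: the heading fix ("igital" to "Digital") is correct but leaves two typos in the same hunk, "varifies" and "ensrue". More importantly, the "Mac for digital signing" bullets conflict with the Non-repudiation property listed below them: with a shared secret key k either party can produce the tag, so a MAC cannot show which of the two parties signed, and the page should say that non-repudiation needs an asymmetric scheme (the Asymmetric-key page in this same commit).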
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--CBC.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--CBC.html index 0c4fe65..b93f43a 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--CBC.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--CBC.html @@ -142,5 +142,5 @@
  • homework
  • -

    CBC

    CBC-MAC


    • Employ a PRF similar to CBC-mode encryption
    • security
    ◇ secure only when fixed-length messages are authenticated provided that Fk is a secure PRF
    ◇ messages of length equal to any multiple of n can be authenticated
    ▪ length needs to be fixed in advance
    ◇ insecure otherwise
    • Can authenticate longer messages than basic PRF-based scheme
    • more efficient than domain-extension MAC scheme
    • CBC-MAC uses no IV (or uses IV set to 0)
    • Only uses last PRF output
    images\33-1.png
    +

    CBC

    CBC-MAC


    • Employ a PRF similar to CBC-mode encryption
    • security
    ◇ secure only when fixed-length messages are authenticated provided that Fk is a secure PRF
    ◇ messages of length equal to any multiple of n can be authenticated
    ▪ length needs to be fixed in advance
    ◇ insecure otherwise
    • Can authenticate longer messages than basic PRF-based scheme
    • more efficient than domain-extension MAC scheme
    • CBC-MAC uses no IV (or uses IV set to 0)
    • Only uses last PRF output
    images\33-1.png
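Review bot: no visible change between the two sides. The security bullets read as contradictory: "secure only when fixed-length messages are authenticated" followed by "messages of length equal to any multiple of n can be authenticated"; tightening the second to "messages of one agreed length, any multiple of n, the same for every message" says what "length needs to be fixed in advance" is trying to say and removes the ambiguity.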
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Domain_extension.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Domain_extension.html index 5bd8843..35ac32e 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Domain_extension.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Domain_extension.html @@ -142,5 +142,5 @@
  • homework
  • -

    Domain extension

    Domain extension for MACs


    • Based on previous fix-length MAC scheme Π
    • Split up m into multiple d blocks mi.
    • Pad them and authenticate via Π
    • Reordering attack -> verify the block index i
    • Truncation attack -> verify message length δ = |m|
    • Mix-and-match attack -> randomize tags (using message specific fresh nonce)
    • Fk(r || mi || i || δ)
    • secure provided that Fk is a secure PRF
    images\32-1.png
    +

    Domain extension

    Domain extension for MACs


    • Based on previous fix-length MAC scheme Π
    • Split up m into multiple d blocks mi.
    • Pad them and authenticate via Π
    • Reordering attack -> verify the block index i
    • Truncation attack -> verify message length δ = |m|
    • Mix-and-match attack -> randomize tags (using message specific fresh nonce)
    • Fk(r || mi || i || δ)
    • secure provided that Fk is a secure PRF
    images\32-1.png
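Review bot: no visible change. The tag formula Fk(r || mi || i || δ) omits two things a reader needs: r, i and δ must be encoded at fixed widths so the whole input has the single length the fixed-length scheme Π accepts (the bullet "Based on previous fix-length MAC scheme Π" depends on it), and the nonce r must be transmitted along with the per-block tags, because the verifier cannot recompute Fk without it. Also "fix-length" should be "fixed-length" and "multiple d blocks" should be "d blocks".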
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Fixed_Length.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Fixed_Length.html index d71e9e0..fe7ce98 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Fixed_Length.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Fixed_Length.html @@ -142,5 +142,5 @@
  • homework
  • -

    Fixed Length

    Fixed-length MAC


    • Based on use of a PRF
    ◇ employ a PRF Fk in the obvious way to compute and canonically verify tags
    ◇ set tag t to be the pseudorandom string derived by evaluating Fk on message m
    • secure, provided that Fk is a secure PRF
    • MAC scheme Π
    ◇ Gen(1n): {0, 1}n -> k
    ◇ Mack(m): set t = Fk(m)
    ◇ Vrfyk(m, t): return 1 iff t = Fk(m)
    images\31-1.png
    +

    Fixed Length

    Fixed-length MAC


    • Based on use of a PRF
    ◇ employ a PRF Fk in the obvious way to compute and canonically verify tags
    ◇ set tag t to be the pseudorandom string derived by evaluating Fk on message m
    • secure, provided that Fk is a secure PRF
    • MAC scheme Π
    ◇ Gen(1n): {0, 1}n -> k
    ◇ Mack(m): set t = Fk(m)
    ◇ Vrfyk(m, t): return 1 iff t = Fk(m)
    images\31-1.png
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--HMAC.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--HMAC.html index 3e34951..aa24103 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--HMAC.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--HMAC.html @@ -142,5 +142,5 @@
  • homework
  • -

    HMAC

    MAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\52-1.png
    +

    HMAC

    HMAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\52-1.png
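Review bot: the heading rename to "HMAC: ..." is fine, but the layer bullets are inconsistent: the first layer defines y = H((k ⊕ ipad) || m), the second then hashes y', which is never defined, and "Mac'(kouty')" has lost its structure (it should read Mac' keyed with k_out applied to y'). The "upper"/"lower" labels also invert the usual naming: the ipad hash is the inner hash and the opad hash is the outer hash that produces the tag t.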
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--Insecure.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--Insecure.html index 7dc205c..6ac79b8 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--Insecure.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing--Insecure.html @@ -142,5 +142,5 @@
  • homework
  • -

    Insecure

    Insecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\51-1.png
    +

    Insecure

    Insecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\51-1.png
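Review bot: no visible change. The bullet "knowledge of H(m1) make it feasible to compute H(m1 || m2)" is imprecise: with a Merkle-Damgard hash what becomes computable is H(m1 || pad(m1) || m2), with the padding of the first message (including its encoded length) sitting inside the extended input, which is why the following bullet needs the length of m1. Also "susceptive" should be "susceptible" and "make" should be "makes".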
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing.html index e8a80e2..6f9c283 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC--Hashing.html @@ -142,5 +142,5 @@
  • homework
  • -

    Hashing

    Efficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\50-1.png
    +

    Hashing

    Efficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\50-1.png
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC.html index eb45944..5467ede 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication--MAC.html @@ -142,5 +142,5 @@
  • homework
  • -

    MAC


    +

    MAC

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Message_Authentication.html b/notes.ctb_HTML/cs306--Notes--Message_Authentication.html index feeab30..e837532 100644 --- a/notes.ctb_HTML/cs306--Notes--Message_Authentication.html +++ b/notes.ctb_HTML/cs306--Notes--Message_Authentication.html @@ -142,5 +142,5 @@
  • homework
  • -

    Message Authentication

    MAC constructions


    • Fixed-length MAC
    ◇ direct application of a PRF for tagging
    ◇ limited applicability
    • Domain extension for MACs
    ◇ straightforward secure extension of fix-length MAC
    ◇ inefficient
    • CBC-MAC
    ◇ resembles CBC-mode encryption
    ◇ efficient

    images\30-1.png

    Properties


    • Authentication
    • Data integrity
    +

    Message Authentication

    MAC constructions


    • Fixed-length MAC
    ◇ direct application of a PRF for tagging
    ◇ limited applicability
    • Domain extension for MACs
    ◇ straightforward secure extension of fix-length MAC
    ◇ inefficient
    • CBC-MAC
    ◇ resembles CBC-mode encryption
    ◇ efficient

    images\30-1.png

    Properties


    • Authentication
    • Data integrity
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Pseudo_randomness--Linear_congruential_generator.html b/notes.ctb_HTML/cs306--Notes--Pseudo_randomness--Linear_congruential_generator.html index ea27ba2..758b2c9 100644 --- a/notes.ctb_HTML/cs306--Notes--Pseudo_randomness--Linear_congruential_generator.html +++ b/notes.ctb_HTML/cs306--Notes--Pseudo_randomness--Linear_congruential_generator.html @@ -142,5 +142,5 @@
  • homework
  • -

    Linear congruential generator

    • Xi = axi-1 + b mod m i >= 1 where
    ◇ x0 is the seed or start value
    ◇ a is the multiplier
    ◇ b is the increment
    ◇ m is the modulus
    • Output:
    ◇ (x1, x2, ..., xk)
    ◇ yi = xi mod 2
    ◇ Y = (y1y2...yk) <- pseudo random sequence of k bits

    Example


    • xn = 3xn-1 + 5 mod 31, n >= 1, x0 = 2
    • 3 and 31 are relatively prime, one-to-one
    • 31 is prime, order is 30
    • 2,11,7,26,21,6,23,12,10,4,17,25,18,28,27,24,15,19,0,5,20,3,14,16,22,9,1,8,29,30
    • When x0 = 2, 01101010001
    • When x1 = 3 10001101001

    Security


    • Fast, but insecure
    ◇ sensitive to the choice of parameters a, b, and m
    ◇ correlation between successive values
    ◇ short period, often m = 232 or 264
    • Used commonly in compilers - rand()
    • Not suitable for high-quality randomness
    • Not suitable for cryptographic applications
    +

    Linear congruential generator

    • Xi = axi-1 + b mod m i >= 1 where
    ◇ x0 is the seed or start value
    ◇ a is the multiplier
    ◇ b is the increment
    ◇ m is the modulus
    • Output:
    ◇ (x1, x2, ..., xk)
    ◇ yi = xi mod 2
    ◇ Y = (y1y2...yk) <- pseudo random sequence of k bits

    Example


    • xn = 3xn-1 + 5 mod 31, n >= 1, x0 = 2
    • 3 and 31 are relatively prime, one-to-one
    • 31 is prime, order is 30
    • 2,11,7,26,21,6,23,12,10,4,17,25,18,28,27,24,15,19,0,5,20,3,14,16,22,9,1,8,29,30
    • When x0 = 2, 01101010001
    • When x1 = 3 10001101001

    Security


    • Fast, but insecure
    ◇ sensitive to the choice of parameters a, b, and m
    ◇ correlation between successive values
    ◇ short period, often m = 232 or 264
    • Used commonly in compilers - rand()
    • Not suitable for high-quality randomness
    • Not suitable for cryptographic applications
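Review bot: "When x1 = 3" should read "When x0 = 3": the bit string 10001101001 is the parity of the sequence 3,14,16,22,9,1,8,29,30,2,11 obtained by seeding with 3, just as 01101010001 is the parity of 2,11,7,26,21,6,23,12,10,4,17, so both examples include x0 even though the Output bullet defines the sequence from x1. The listed cycle has period 30 because 13 is a fixed point (3·13 + 5 = 44 ≡ 13 mod 31) and is the one residue missing from it, which is worth stating next to "order is 30". Also the recurrence mixes Xi and xi, and "m = 232 or 264" has lost its superscripts (2^32, 2^64).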
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Pseudo_randomness.html b/notes.ctb_HTML/cs306--Notes--Pseudo_randomness.html index d2a0d01..dbd642d 100644 --- a/notes.ctb_HTML/cs306--Notes--Pseudo_randomness.html +++ b/notes.ctb_HTML/cs306--Notes--Pseudo_randomness.html @@ -142,5 +142,5 @@
  • homework
  • -

    Pseudo randomness

    • not truly random in that
    ◇ derived by a deterministic algorithm
    ◇ output is dependent on initial values
    • Two types: Classical PRGs, Cryptographically secure PRGs
    • Classical PRGs - linear congruential generator
    • Cryptographically secure PRGs - Blum-Micali generator
    • Definition
    ◇ Deterministic PPT algorithm G that on inpout a seed s ∈ {0,1}n, outputs G(s) ∈ {0,1}l/n
    ◇ G is a PRG if:
    ▪ Expansion
    - for polynomial l, it holds that for any n, l(n) > n
    - models the process of extracting randomness from a short random string
    ▪ Pseudorandomness
    - no efficient statistical test can tell apart G(s) from a truly random string r
    images\24-1.png


    Pseudorandom functions


    • Generalize the concept of a PRG
    ◇ produce pseudorandom bits that also depend on specific input
    ◇ keyed functions of the form Fk: {0,1}n -> {0,1}n
    • Operate essentially as a random function
    • Fk is PRF if it is indistinguishable from a truly random function f [e.g. f is a random permutation]
    • f: {0,1}n -> {0,1}n is randomly selected for the set of all length-preserving functions mapping n-bit inputs to n-bit outputs
    images\24-2.png
    +

    Pseudo randomness

    • not truly random in that
    ◇ derived by a deterministic algorithm
    ◇ output is dependent on initial values
    • Two types: Classical PRGs, Cryptographically secure PRGs
    • Classical PRGs - linear congruential generator
    • Cryptographically secure PRGs - Blum-Micali generator
    • Definition
    ◇ Deterministic PPT algorithm G that on inpout a seed s ∈ {0,1}n, outputs G(s) ∈ {0,1}l/n
    ◇ G is a PRG if:
    ▪ Expansion
    - for polynomial l, it holds that for any n, l(n) > n
    - models the process of extracting randomness from a short random string
    ▪ Pseudorandomness
    - no efficient statistical test can tell apart G(s) from a truly random string r
    images\24-1.png


    Pseudorandom functions


    • Generalize the concept of a PRG
    ◇ produce pseudorandom bits that also depend on specific input
    ◇ keyed functions of the form Fk: {0,1}n -> {0,1}n
    • Operate essentially as a random function
    • Fk is PRF if it is indistinguishable from a truly random function f [e.g. f is a random permutation]
    • f: {0,1}n -> {0,1}n is randomly selected for the set of all length-preserving functions mapping n-bit inputs to n-bit outputs
    images\24-2.png
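Review bot: no visible change. In the Definition, "G(s) ∈ {0,1}l/n" should be {0,1}^{l(n)}, matching "l(n) > n" in the Expansion bullet; and the PRF bullet's aside "[e.g. f is a random permutation]" conflates a PRF with a PRP, since the next bullet correctly draws f from all length-preserving functions, so the aside should be dropped or reworded as "a random function, not necessarily a permutation". Also "inpout" should be "input" and "selected for the set" should be "selected from the set".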
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes--Types_of_Security.html b/notes.ctb_HTML/cs306--Notes--Types_of_Security.html index d00cf46..313c6fc 100644 --- a/notes.ctb_HTML/cs306--Notes--Types_of_Security.html +++ b/notes.ctb_HTML/cs306--Notes--Types_of_Security.html @@ -142,5 +142,5 @@
  • homework
  • -

    Types of Security

    CPA Secure
    CCA Secure
    EAV Secure
    Computationally Secure
    Perfect Security
    +

    Types of Security

    CPA Secure
    CCA Secure
    EAV Secure
    Computationally Secure
    Perfect Security
    (t, ε)-secure
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--Notes.html b/notes.ctb_HTML/cs306--Notes.html index 7094800..9fac3d9 100644 --- a/notes.ctb_HTML/cs306--Notes.html +++ b/notes.ctb_HTML/cs306--Notes.html @@ -142,5 +142,5 @@
  • homework
  • -

    Notes

    images\2-1.png

    Defined by message space M
    Triplet of algorithms (Gen, Enc, Dec)
    • Gen: probabilistic algorithm, outputs a uniformly random key k from key space K
    • Enc: probabilistic algorithm, on input plaintext m and key k, outputs ciphertext c
    • Dec: deterministic algorithm, on iput c and key k, outputs a plaintext m

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Statisfies properties:
    • efficiency: key generation and message transformations are fast
    • correctness: for all m, k it holds that Dec(Enc(m, k), k) = m
    • security: one cannot learn plaintext m from ciphertext c

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    +

    Notes


    Notes
    Block Cipher Modes
    ECB
    ECB: Electronic Code Book
    CBC
    CBC: Cipher Block Chaining
    Chained CBC
    Chained CBC
    OFB
    OFB - Output Feedback
    CTR
    CTR - Counter Mode
    Stream Cipher Modes
    Encryption
    Symmetric vs Asymmetric Crypto
    symmetric
    Symmetric Key Cryptography
    • 2 approaches to solve key distribution
    One Time Pad
    • Weaknesses
    classical ciphers
    Subsitution Cipher
    Substituion cipher
    Mono-alphabetic substituion cipher
    Mono-alphabetic substituion cipher
    Caesar's Cipher
    Caesar's cipher
    Shift Cipher
    Shift Cipher
    Vigenere cipher
    Vigenere cipher
    Substitution Boxes
    Substitution boxes
    DES
    DES: Data Encryption Standard
    DES vs AES
    AES
    AES: Advanced Encryption System
    DES vs AES
    asymmetric
    Public-key encryption
    Security
    hybrid encryption
    Hybrid encryption
    algorithms
    El Gamal
    RSA
    RSA Algorithm
    Security
    Issues
    Real-world usage
    Pseudo randomness
    Pseudorandom functions
    Linear congruential generator
    Example
    Security
    Message Authentication
    MAC constructions
    Properties
    MAC
    CBC
    CBC-MAC
    Domain extension
    Domain extension for MACs
    Fixed Length
    Fixed-length MAC
    Hashing
    Efficient MAC
    Insecure
    Insecure MAC based on hashing
    HMAC
    HMAC: Secure MAC based on hashing
    Digital Signatures
    Digital Signatures
    • Mac for digital signing
    Properties of Digital Signatures
    Asymmetric-key message authentication
    Asymmetric-key message authentication
    RSA
    Signing with RSA
    Security
    Issues
    Real-world usage
    Authenticated encryption
    Authenticated encryption constructions
    Encrypt-and-authenticate
    Encrypt-and-authenticate
    Authenticate-then-encrypt
    Authenticate-then-encrypt
    Encrypt-then-authenticate
    Encrypt-then-authenticate
    Hashes
    Hash Functions
    Collision resistance (CR)
    Security
    Constructing
    Merkle-Damgard
    Merkle-Damgard transform
    Davies-Meyer
    Davies-Meyer Scheme
    Functions
    MD5
    MD5 - Message Digest Algorithm
    SHA1
    SHA1 - Secure Hash Algorithm
    SHA2
    SHA2
    SHA3
    SHA3
    Applications
    MAC
    Efficient MAC
    Insecure
    Insecure MAC based on hashing
    HMAC
    HMAC: Secure MAC based on hashing
    Cloud Storage
    Plain
    Secure
    • Secure Cloud Storage Model
    whole file
    Hashing files as a whole
    separate file
    Hashing files separately
    merkle tree
    Merkle Tree
    Digital Envelops / Commitment Schemes
    Digital Envelops / Commitment Schemes
    Online auction
    Coin Flip - Who's doing the dishes
    Forward-secure key rotation
    Forward-secure key rotation
    File Identifiers
    File Identifiers
    • Virus fingerprinting
    • Peer to peer file sharing
    • Data deduplication
    • Password hashing
    • Digital Signatures and hashing
    Attacks
    Types of Security
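Review bot: the removed definition block (message space M, the triplet (Gen, Enc, Dec), the efficiency/correctness/security properties) duplicates the Symmetric-key encryption definition that the lecture_2 hunk of this same commit shows already present there, so the removal de-duplicates rather than loses content. In the generated index, "AES: Advanced Encryption System" should be "Advanced Encryption Standard", and "Subsitution Cipher", "Substituion cipher" and "substituion cipher" are three different misspellings of "Substitution".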

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_1.html b/notes.ctb_HTML/cs306--lectures--lecture_1.html index 99d7b30..5849c3e 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_1.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_1.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 1

    Definitions


    • IT security
    - access to information by unauthorized recipients
    - intentional but unauthorized destruction or alteration of that information
    • Computer Security
    - the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide
    • Security Control / Countermeasure
    - Protect against threats seeking to exploit vulnerabilities
    - Mechanism that protects against harm
    - Designed to prevent threats from exercising vulnerabilities
    • Vulnerabilities
    - Weakness that could be exploited to cause harm
    • Threat
    - Set of circumstances that could cause harm

    Examples of Controls


    • HTTPS protocol
    - ✔ Confidentiality
    - ✔ Integrity
    - ✔ Authenticity
    • TOR protocol
    - ✔ Anonymity
    • RAID technology
    - ✔ Availability

    Examples of threats


    • Eavesdropping
    - the interception of information intended for someone else during its transmission over a communication channel
    • Alteration
    - unauthorized modification of information
    - Ex: Man n the Middle - modify data
    • Denial-of-service
    - the interruption or degradation of a data service or information access
    - Ex: email spam to fill up email queue
    • Masquerading
    - the fabrication of information that is purported to be from someone who is not actually the author
    - Ex: Spoofing [altering the source IP address]
    • Repudiation
    - the denial of a commitment or data receipt

    Examples of vulnerability


    • Software bugs
    - code is not doing what it is supposed to do

    CIA triad


    • Confidentiality
    - conforming to originally-prescribed rules
    • Integrity
    - precise, accurate, unmodified, modified in acceptable way by authorized people, consistent, meaningful, and usable
    - authorized actions, separation and protection of resources, error detection and correctness
    • Availability
    - usable, meeting service's needs, bounded waiting/completion time, acceptable outcome
    - timely response, fairness, concurrency, fault tolerance, graceful cessation
    • Others [Used in CIA examples]
    ◇ authenticity
    - The ability to determine that statements, policies, and permissions issued by persons or systems are genuine
    ◇ anonymity
    - The property that certain records/transactions cannot be attributed to any individual
    • Others
    ◇ authentication
    ◇ non-repudiation
    ◇ auditability
    • Protects against:
    ◇ interception
    ◇ interruption
    ◇ modification
    ◇ fabrication of data

    Ways to neutralize threats or remove vulnerabilities


    • prevent it (attack is blocked)
    • deter it (attack is harder)
    • deflect it (change target of attack)
    • mitigate it (make impact less severe)
    • contain it (do not allow propagation of harm)
    • detect it (real time or after the fact)
    • recover (recover from its effects)
    +

    lecture 1

    Definitions


    • IT security
    - access to information by unauthorized recipients
    - intentional but unauthorized destruction or alteration of that information
    • Computer Security
    - the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide
    • Security Control / Countermeasure
    - Protect against threats seeking to exploit vulnerabilities
    - Mechanism that protects against harm
    - Designed to prevent threats from exercising vulnerabilities
    • Vulnerabilities
    - Weakness that could be exploited to cause harm
    • Threat
    - Set of circumstances that could cause harm

    Examples of Controls


    • HTTPS protocol
    - ✔ Confidentiality
    - ✔ Integrity
    - ✔ Authenticity
    • TOR protocol
    - ✔ Anonymity
    • RAID technology
    - ✔ Availability

    Examples of threats


    • Eavesdropping
    - the interception of information intended for someone else during its transmission over a communication channel
    • Alteration
    - unauthorized modification of information
    - Ex: Man n the Middle - modify data
    • Denial-of-service
    - the interruption or degradation of a data service or information access
    - Ex: email spam to fill up email queue
    • Masquerading
    - the fabrication of information that is purported to be from someone who is not actually the author
    - Ex: Spoofing [altering the source IP address]
    • Repudiation
    - the denial of a commitment or data receipt

    Examples of vulnerability


    • Software bugs
    - code is not doing what it is supposed to do

    CIA triad


    • Confidentiality
    - conforming to originally-prescribed rules
    • Integrity
    - precise, accurate, unmodified, modified in acceptable way by authorized people, consistent, meaningful, and usable
    - authorized actions, separation and protection of resources, error detection and correctness
    • Availability
    - usable, meeting service's needs, bounded waiting/completion time, acceptable outcome
    - timely response, fairness, concurrency, fault tolerance, graceful cessation
    • Others [Used in CIA examples]
    ◇ authenticity
    - The ability to determine that statements, policies, and permissions issued by persons or systems are genuine
    ◇ anonymity
    - The property that certain records/transactions cannot be attributed to any individual
    • Others
    ◇ authentication
    ◇ non-repudiation
    ◇ auditability
    • Protects against:
    ◇ interception
    ◇ interruption
    ◇ modification
    ◇ fabrication of data

    Ways to neutralize threats or remove vulnerabilities


    • prevent it (attack is blocked)
    • deter it (attack is harder)
    • deflect it (change target of attack)
    • mitigate it (make impact less severe)
    • contain it (do not allow propagation of harm)
    • detect it (real time or after the fact)
    • recover (recover from its effects)
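Review bot: no visible change. The "IT security" bullets list the harms rather than the protection, so they read as if IT security were "access to information by unauthorized recipients"; prefix them with "protection against". The Confidentiality bullet ("conforming to originally-prescribed rules") does not describe confidentiality, which is about keeping information from unauthorized parties, and looks like a misplaced Integrity sub-point. Also "Man n the Middle" should be "Man in the Middle".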
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_2.html b/notes.ctb_HTML/cs306--lectures--lecture_2.html index cdf8264..75da101 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_2.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_2.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 2

    efinitions


    • Cryptography / Cryptology
    - Secret Writing
    - historically developed/studied for secrecy in communications
    • Classic cryptography
    - the art or writing and solving codes
    - Approach
    → Ad-hoc design
    → trial and error methods
    → empirically evaluated
    • Modern Cryptography
    - the study of mathematical techiniques for securing digital information, systems, and distributed computations against adversarial attacks
    - Approach
    → systematic development and analysis
    → formal notions of security / adversary
    → rigorous proofs of security (or insecurity)
    - Formal treatment
    → fundamental notions underlying the design and evaluation of crypto primitives
    - Systematic process
    → Security Goals - What it means for a crypto primitive to be secure
    ⇒ abstracted into suitable security definitions amenable to mathematical treatment
    → Threat model - What forms of attacks are allowed and which aren't
    ⇒ abstracted into suitable adversarial settings and computational assumptions
    → Security analysis - Why a candidate instantiation is indeed secure or not
    ⇒ abstracted into rigorous proofs and security, inherent limitations and characterizations

    Why

    Formation definitions are important?
    • Successful project management
    • Provable security
    • Qualitative analysis / modular design

    Symmetric-key encryption


    images\8-1.png
    • Secret communication amonst two parties
    • A secret key k is shared and used by both message transformations
    • Definition
    ◇ Defined by message space M
    ◇ Triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm, outputs a uniformly random key k from key space K
    ◇ Enc: probabilistic algorithm, on input plaintext m and key k, outputs ciphertext c
    ◇ Dec: deterministic algorithm, on iput c and key k, outputs a plaintext m
    • Statisfies properties:
    ◇ efficiency: key generation and message transformations are fast
    ◇ correctness: for all m, k it holds that Dec(Enc(m, k), k) = m
    ◇ security: one cannot learn plaintext m from ciphertext c

    Kerckhoff's principle


    • The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience
    • Keeping Enc and Dec secret is problematic

    Applications of Symmetric Keys


    • Secure communication
    ◇ encrypted messages sent among parties
    ◇ securely generated, distributed, and stored shared key k
    ◇ attack does not learn key k
    • Secure Storage
    ◇ encrypted files outsourced to the cloud
    ◇ securely generated and stored key k
    ◇ attack does not learn key k

    Attacks on symmetric encryption


    Brute Force


    • Given a captured ciphertext c and known key space K, Dec strategy is an exhaustic search
    • Try all possible keys k in K and determine if Dec(c,k) is likely plaintext m
    Requires some knowledge on the message space M
    • Countermeasure
    ◇ key should be a random value from a sufficely large key space K to make exhaustive search attacks infeasible

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Perfect correctness


    • For any k ∈ K, m ∈ M and any ciphertext c output of Enck(m)
    Pr[Deck(c)=m] = 1

    Perfect Security


    • The adversary should not be able to learn any additional information on m

    • Definition 1


    ◇ A symmetric-key encryption scheme (Gen, Enc, Dec) with message space M, is perfectly secret if for every DM, every message m ∈ M and every ciphertext c ∈ C for which Pr[C = c] > 0, it holds that
    Pr[M = m | C = c] = Pr[M = m]
    ◇ Probability that any given message m was actually sent is the same as the probability that m would have been sent
    ◇ observing the ciphertext reveals nothing about the underlying plaintext

    • Definition 2


    ◇ A symmetric-key encryption scheme (Gen, Enc, Dec) with message space M, is perfect secret if for every messages m, m' ∈ M and every c ∈ C, it holds that
    Pr[Enck(m) = c] = Pr[Enck(m') = c]
    ◇ The probability distribution Dc does not depend on the plaintext
    ◇ M and C are independent random variables
    ◇ the ciphertext contains no information about the plaintext
    ◇ impossible to distinguish an encryption of m from an encryption of m'

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    One time pad


    • Unbreakable
    • Uses a block of shift keys of size n (k1.... kn) with each shift key being chosen uniformly at random
    • Perfectly secure
    M = C = K = {0,1)t
    • Gen: uniformly random
    {0, 1}t
    • Enc:
    Enc(k, m) = k ⊕ m
    • Dec
    Dec(c) = k ⊕ c
    • Correctness
    k ⊕ c = k ⊕ k ⊕ m = 0 ⊕ m = m

    • Weaknesses


    ◇ The key has to be as long as the plaintext
    ◇ keys can never be reused
    ▪ if they are reused, the XOR of plaintext messages is leaked

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Modern cryptography


    • Systematic process
    ◇ Formal definitions - What is means for a crypto primitive to be secure
    ▪ Computing setting
    - Involved parties, communication mode, core functionality
    ▪ Underlying cryptographic scheme
    - Symmetric-key encryption scheme
    ▪ Desired Properties
    - Security related
    - non-securty related (correctness, efficiency, etc)
    ▪ Split up into 4 parts:
    - To be solved
    - To be considered
    - To be designed
    - To be achieved
    ◇ Precise assumptions - Which forms of attacks are allowed and which aren't
    ▪ Adversary
    - type of attacks - threat model
    - capabilities
    - limitations
    ▪ Computational assumptions
    - Hardness of certain tasks
    ▪ Computing setting
    - system set up, initial state, key distribution, randomness
    - means of communication
    - timing assumptions
    ▪ Why these are important:
    - Basis for proofs of securty
    - comparison among solutions/schemes
    - flexibility - validation, modularity, characterization
    ◇ Provable security - Why a candidate instantiation is indeed secure or not
    ▪ Typical performance
    - In computer science, proofs may not be essential
    - typical inputs are expected
    ▪ Worst case performance
    - Formal proofs are essential in cryptography
    - An adversary will use any means in its power to break a scheme

    Symmetric encryption and Modern Cryptography example


    • Formal Definition
    ◇ To be solved (problem):
    ▪ Secret communication
    ◇ To be considered (computing setting):
    ▪ Involved Parties: Alice, Bob, Eve
    ▪ Communication Model: Alice wants to send a message m to Bob; Eve can eavesdrop sent messages
    ▪ Core functionality: Alice/Bob may transform the transmitted/received message and share info
    ◇ To be designed (cryptographic scheme)
    ▪ Alice and Bob share and use a secret key k
    ▪ Alice encrypts plaintext m to ciphertext c and sends c instead of m
    ▪ Bob decrypts received c to get a message m'
    ◇ To be achieved (desired properties)
    ▪ securty -> Eve cannot learn m from c
    ▪ correctness -> If alice encrypts m to c, then Bob decrypts c to the original message m
    • Precise assumptions
    ◇ Adversary
    ▪ type of attacks -> eavesdropping
    - Posses collection of ciphertext -> ciphertext only attack
    - Posses collection of plaintext/ciphertext pairs -> known plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -> chosen plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -> chosen ciphertext attack
    ▪ capabilities -> eve may know the distribution of messages sent by Alice
    ▪ limitations -> eve doesn't know / learn the secret k (shared by Alice and Bob)
    ◇ Computational Assumptions
    ▪ no computational assumptions
    ◇ Computing Setting
    ▪ Setup / Randomness - Key k is generated randomly using the uniform distribution
    ▪ Key distribution - Key k is securely distrubted to and securely stored at Alice and Bob
    ▪ One message m is only cummunicated
    ▪ k, m are chosen independently
    +

    lecture 2

    Definitions


    • Cryptography / Cryptology
    - Secret Writing
    - historically developed/studied for secrecy in communications
    • Classic cryptography
    - the art or writing and solving codes
    - Approach
    → Ad-hoc design
    → trial and error methods
    → empirically evaluated
    • Modern Cryptography
    - the study of mathematical techiniques for securing digital information, systems, and distributed computations against adversarial attacks
    - Approach
    → systematic development and analysis
    → formal notions of security / adversary
    → rigorous proofs of security (or insecurity)
    - Formal treatment
    → fundamental notions underlying the design and evaluation of crypto primitives
    - Systematic process
    → Security Goals - What it means for a crypto primitive to be secure
    ⇒ abstracted into suitable security definitions amenable to mathematical treatment
    → Threat model - What forms of attacks are allowed and which aren't
    ⇒ abstracted into suitable adversarial settings and computational assumptions
    → Security analysis - Why a candidate instantiation is indeed secure or not
    ⇒ abstracted into rigorous proofs and security, inherent limitations and characterizations

    Why

    Formal definitions are important?
    • Successful project management
    • Provable security
    • Qualitative analysis / modular design

    Symmetric-key encryption


    images\8-1.png
    • Secret communication amonst two parties
    • A secret key k is shared and used by both message transformations
    • Definition
    ◇ Defined by message space M
    ◇ Triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm, outputs a uniformly random key k from key space K
    ◇ Enc: probabilistic algorithm, on input plaintext m and key k, outputs ciphertext c
    ◇ Dec: deterministic algorithm, on input c and key k, outputs a plaintext m
    • Statisfies properties:
    ◇ efficiency: key generation and message transformations are fast
    ◇ correctness: for all m, k it holds that Dec(Enc(m, k), k) = m
    ◇ security: one cannot learn plaintext m from ciphertext c

    Kerckhoff's principle


    • The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience
    • Keeping Enc and Dec secret is problematic

    Applications of Symmetric Keys


    • Secure communication
    ◇ encrypted messages sent among parties
    ◇ securely generated, distributed, and stored shared key k
    ◇ attack does not learn key k
    • Secure Storage
    ◇ encrypted files outsourced to the cloud
    ◇ securely generated and stored key k
    ◇ attack does not learn key k

    Attacks on symmetric encryption


    Brute Force


    • Given a captured ciphertext c and known key space K, Dec strategy is an exhaustic search
    • Try all possible keys k in K and determine if Dec(c,k) is likely plaintext m
    Requires some knowledge on the message space M
    • Countermeasure
    ◇ key should be a random value from a sufficely large key space K to make exhaustive search attacks infeasible

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Perfect correctness


    • For any k ∈ K, m ∈ M and any ciphertext c output of Enck(m)
    Pr[Deck(c)=m] = 1

    Perfect Security


    • The adversary should not be able to learn any additional information on m

    • Definition 1


    ◇ A symmetric-key encryption scheme (Gen, Enc, Dec) with message space M, is perfectly secret if for every DM, every message m ∈ M and every ciphertext c ∈ C for which Pr[C = c] > 0, it holds that
    Pr[M = m | C = c] = Pr[M = m]
    ◇ Probability that any given message m was actually sent is the same as the probability that m would have been sent
    ◇ observing the ciphertext reveals nothing about the underlying plaintext

    • Definition 2


    ◇ A symmetric-key encryption scheme (Gen, Enc, Dec) with message space M, is perfect secret if for every messages m, m' ∈ M and every c ∈ C, it holds that
    Pr[Enck(m) = c] = Pr[Enck(m') = c]
    ◇ The probability distribution Dc does not depend on the plaintext
    ◇ M and C are independent random variables
    ◇ the ciphertext contains no information about the plaintext
    ◇ impossible to distinguish an encryption of m from an encryption of m'

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    One time pad


    • Unbreakable
    • Uses a block of shift keys of size n (k1.... kn) with each shift key being chosen uniformly at random
    • Perfectly secure
    M = C = K = {0,1)t
    • Gen: uniformly random
    {0, 1}t
    • Enc:
    Enc(k, m) = k ⊕ m
    • Dec
    Dec(c) = k ⊕ c
    • Correctness
    k ⊕ c = k ⊕ k ⊕ m = 0 ⊕ m = m

    • Weaknesses


    ◇ The key has to be as long as the plaintext
    ◇ keys can never be reused
    ▪ if they are reused, the XOR of plaintext messages is leaked

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Modern cryptography


    • Systematic process
    ◇ Formal definitions - What is means for a crypto primitive to be secure
    ▪ Computing setting
    - Involved parties, communication mode, core functionality
    ▪ Underlying cryptographic scheme
    - Symmetric-key encryption scheme
    ▪ Desired Properties
    - Security related
    - non-securty related (correctness, efficiency, etc)
    ▪ Split up into 4 parts:
    - To be solved
    - To be considered
    - To be designed
    - To be achieved
    ◇ Precise assumptions - Which forms of attacks are allowed and which aren't
    ▪ Adversary
    - type of attacks - threat model
    - capabilities
    - limitations
    ▪ Computational assumptions
    - Hardness of certain tasks
    ▪ Computing setting
    - system set up, initial state, key distribution, randomness
    - means of communication
    - timing assumptions
    ▪ Why these are important:
    - Basis for proofs of securty
    - comparison among solutions/schemes
    - flexibility - validation, modularity, characterization
    ◇ Provable security - Why a candidate instantiation is indeed secure or not
    ▪ Typical performance
    - In computer science, proofs may not be essential
    - typical inputs are expected
    ▪ Worst case performance
    - Formal proofs are essential in cryptography
    - An adversary will use any means in its power to break a scheme

    Symmetric encryption and Modern Cryptography example


    • Formal Definition
    ◇ To be solved (problem):
    ▪ Secret communication
    ◇ To be considered (computing setting):
    ▪ Involved Parties: Alice, Bob, Eve
    ▪ Communication Model: Alice wants to send a message m to Bob; Eve can eavesdrop sent messages
    ▪ Core functionality: Alice/Bob may transform the transmitted/received message and share info
    ◇ To be designed (cryptographic scheme)
    ▪ Alice and Bob share and use a secret key k
    ▪ Alice encrypts plaintext m to ciphertext c and sends c instead of m
    ▪ Bob decrypts received c to get a message m'
    ◇ To be achieved (desired properties)
    ▪ securty -> Eve cannot learn m from c
    ▪ correctness -> If alice encrypts m to c, then Bob decrypts c to the original message m
    • Precise assumptions
    ◇ Adversary
    ▪ type of attacks -> eavesdropping
    - Posses collection of ciphertext -> ciphertext only attack
    - Posses collection of plaintext/ciphertext pairs -> known plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -> chosen plaintext attack
    - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -> chosen ciphertext attack
    ▪ capabilities -> eve may know the distribution of messages sent by Alice
    ▪ limitations -> eve doesn't know / learn the secret k (shared by Alice and Bob)
    ◇ Computational Assumptions
    ▪ no computational assumptions
    ◇ Computing Setting
    ▪ Setup / Randomness - Key k is generated randomly using the uniform distribution
    ▪ Key distribution - Key k is securely distrubted to and securely stored at Alice and Bob
    ▪ One message m is only cummunicated
    ▪ k, m are chosen independently
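Review bot: this change fixes only three typos in lecture_2 ("efinitions" → "Definitions", "Formation definitions" → "Formal definitions", "on iput c" → "on input c") and leaves the rest of the file with the same errors, so a follow-up should also correct "techiniques", "amonst", "Statisfies", "exhaustic", "sufficely", "securty", "distrubted", "cummunicated", "Posses" (should be "Possesses") and "selected by the attack" (should be "attacker", as the chosen-ciphertext line just below it reads). Two notation problems are more than cosmetic: under "One time pad", "M = C = K = {0,1)t" has a mismatched bracket and a lost superscript and should read {0,1}^t, matching the "Gen: uniformly random {0, 1}t" line, and "Dec(c) = k ⊕ c" drops the key argument even though the correctness line uses it; write it as Dec(k, c) = k ⊕ c to mirror "Enc(k, m) = k ⊕ m". The HTML export also lost the subscripts in "Enck(m)" and "Deck(c)" and garbled "for every DM" in Definition 1 (presumably "for every distribution D over M"); a <sub> tag or an explicit Enc_k(m) / Dec_k(c) would make the perfect-secrecy definitions readable again.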
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_3.html b/notes.ctb_HTML/cs306--lectures--lecture_3.html index 0bb5555..80249bd 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_3.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_3.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 3

    Shannon's theorem


    • Let Π = {M, (Gen, Enc, Dec)} be an encryption scheme with a message space M for which |M| = |K| = |C|. Then Π is perfectly secure if and only if:
    1. Every key k ∈ K is chosen with equal probability 1/|K| by algorithm Gen
    2. For every m ∈ M and every c ∈ C, these exists a unique key k ∈ K such that Enck(m) outputs c

    Computational Security - Relax Perfectness


    • Perfect secrecy / security requires
    ◇ absolutely no information is leaked about the plaintext
    ◇ to adversaries that unlimited computational power
    • Computational security
    ◇ A tiny amount of information is leaked about the plaintext (e.g. w/ prob 2-60)
    ◇ To adversaries with bounded computational power (e.g. attack invests 200 yrs)
    • Two relaxations
    ◇ Security is guaranteed against efficient adversaries
    ▪ Attacker must invest a sufficiently large resources
    ◇ Adversaries can potentially succeed
    ▪ Small probability of breakability

    • Definition


    ◇ Bounds the maximum success probability fo any (randomized) adversary running for some specified amount of time or investing a specified amount of resources
    ◇ A scheme is (t, ε)-secure if any adversary A, running for time at most t, succeeds in breaking the scheme with probability at most ε.
    ◇ need to define:
    ▪ what it means for an adverary to break a scheme
    ▪ specify precisely the resources

    Almost optimal security


    • Key length n, key space size |K| = 2n
    • parameter c models advanced computing methods (concurrency, multiple threads, etc)
    • A running for time t succeeds with probability at most ct/2n
    • Like brute-forcing
    • Today's recommendations
    ◇ n = 128

    Alternative Approach


    • Asymptotic approach
    ◇ secure parameter n is used (key length)
    ◇ efficient adversaries are equiated with probabilistic poly-time (PPT) algorithms that run for time that is a polynomial of n
    ◇ small probability of success is equated with success probabilities that are asymptotically smaller than any inverse polynomial in n
    ◇ A scheme is secure if any PPT adversary A succeeds in breaking the scheme with at most negligible probability

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Classical Ciphers


    • based on letter substitution
    • message space M is valid words from a given alphabet
    • encryption
    ◇ ciphertext is produced by mapping each plaintext character into another character
    ◇ a character mpaaing is typically defined as a shift of a plaintext character by a number of positions in a canonical ordering of the characters in the alphabet
    ◇ character shifting occurs with wrap-around (mod 25 addition)
    • decryption
    ◇ under shifting of characters with wrap-around (using mod 25 subtraction)

    Substituion cipher


    images\9-1.png
    • Each letter is uniquely replaced by another
    • Broken by using a frequency analysis
    images\9-2.png

    Caesar's cipher


    • Shift each character in the message by 3 postiions (13 in ROT-13)
    • no secret key is used - security by obscurity
    • Brute force attacks - only 26 possibilities

    Shift Cipher


    • Key extension of Caesar's cipher
    • Randomly set key k in [0:25]
    ◇ shift each character in the message by k positions
    • Brute force attacks - only 26 possibilities - manual
    • Automated attack based on statistics
    ◇ if a character i in the alphabet has a frequency pi, then from known statistics we know that Σipi2 ≈ 0.065
    • The brute-force attack can test all possible keys
    ◇ condition becomes much simpler and isn't as manual

    Mono-alphabetic substituion cipher


    • generalization of shift cipher
    • key space defines permutation on alphabet
    ◇ use a 1-1 mapping between characters in the alphabet to produce ciphertext
    ◇ shift each distinct character in the plaintext to get a distinct character in the ciphertext
    • Key space is large (26! or 288)
    • character mapping is fixed - plaintext and ciphertext exhibit same statistics

    Vigenere cipher


    • generalization of mono-alphabetic substitution cipher
    • key space defines fixed (shift) mapping that is applied on block of characters
    • a key k is a string of length t, defining the shift for blocks of size t
    • e.g. k = (2,1,3,11). Each block is shifted respectively by 2,1,3,11
    • plaintext-to-ciphertext mapping is many-to-many
    • if the key length t is known: problem is reduced to attacking the shift cipher
    ◇ statistical attacks for each subsequence of the from cj, cj+t, cj+2t...
    • if key length t is unknown:
    ◇ repeat stastical attacks for gussed values of t.
    ◇ Kasiski's method: identify repeated patterns of length 2 or 3 in the ciphertext.p period t can be decuded by locations of these patterns in the text
    ◇ index of coincidence method: compute ST = Σiqi2 and stop when ST = 0.065. T is a multiple of t.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Stream Ciphers


    images\9-3.png

    Block Ciphers


    images\9-4.png

    Stream vs Block ciphers


    images\9-5.png

    Perfect encryption of a block


    • Goal: encrypt a block of n bits using the same key all the time
    • Approach: encryption via a bijective random mapping T from {0,1}n to {0,1}n
    ◇ Mapped pairs are computed uniformly at random
    • Problem: T has size ~ n 2n
    • Make it randomized
    ◇ pick random r and encrypt x as: (y = T[r] XOR x, r)
    ◇ decrypt (y,r) as: y XOR T[r]

    Primitive techniques for symmetric-key encryption


    • Substitution
    ◇ exchanging one set of bits for another set
    • Transposition
    ◇ rearranging the order of the ciphertext bits
    • Confusion
    ◇ enforcing complex functional relationship between the plaintext/key pair and the ciphertext
    • Diffusion
    ◇ distributes information from single plaintext characters over entire ciphertext output

    Substitution boxes


    images\9-6.png

    DES: Data Encryption Standard


    • Block cipher
    • Considered insecure
    images\9-7.png
    • Employs substituion and transposition on top of each other for 16 rounds
    • block size = 64 bits, key size = 56 bits
    • double DES -> not effective -> 80 bit security
    • triple DES -> more effective -> 112 bit security
    images\9-8.png

    AES: Advanced Encryption System


    • Block cipher
    • Still in use
    images\9-9.png
    • Employs substitution, confusion, and diffusion
    ◇ on blocks of 128 bits in 10, 12, or 14 rounds for keys of 128, 192, 256
    images\9-10.png

    DES vs AES


    images\9-11.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Block Cipher Modes


    • Describe the way a block cipher encrypts or decrypts a sequence of message blocks

    ECB: Electronic Code Book


    • Block P[i] encrypted into ciphertext block C[i] = Ek(P[i])
    • Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])
    images\9-12.png
    • Strengths
    ◇ Simple
    ◇ Parallel encryptions
    ◇ Tolerates loss or damage
    • Weaknesses
    ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext
    images\9-13.png

    CBC: Cipher Block Chaining


    • ECB produces the same ciphertext on the same ciphertext under the same key
    • The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext
    • Previous ciphertext block is combined with current plaintext block C[i] = Ek(C[i-1]⊕P[i])
    • C[-1] = IV; a random block separately transmitted encrypted
    • decryption: P[i] = C[i-1]⊕Dk(C[i])
    images\9-14.png

    +

    lecture 3

    Shannon's theorem


    • Let Π = {M, (Gen, Enc, Dec)} be an encryption scheme with a message space M for which |M| = |K| = |C|. Then Π is perfectly secure if and only if:
    1. Every key k ∈ K is chosen with equal probability 1/|K| by algorithm Gen
    2. For every m ∈ M and every c ∈ C, these exists a unique key k ∈ K such that Enck(m) outputs c

    Computational Security - Relax Perfectness


    • Perfect secrecy / security requires
    ◇ absolutely no information is leaked about the plaintext
    ◇ to adversaries that unlimited computational power
    • Computational security
    ◇ A tiny amount of information is leaked about the plaintext (e.g. w/ prob 2-60)
    ◇ To adversaries with bounded computational power (e.g. attack invests 200 yrs)
    • Two relaxations
    ◇ Security is guaranteed against efficient adversaries
    ▪ Attacker must invest a sufficiently large resources
    ◇ Adversaries can potentially succeed
    ▪ Small probability of breakability

    • Definition


    ◇ Bounds the maximum success probability fo any (randomized) adversary running for some specified amount of time or investing a specified amount of resources
    ◇ A scheme is (t, ε)-secure if any adversary A, running for time at most t, succeeds in breaking the scheme with probability at most ε.
    ◇ need to define:
    ▪ what it means for an adverary to break a scheme
    ▪ specify precisely the resources

    Almost optimal security


    • Key length n, key space size |K| = 2n
    • parameter c models advanced computing methods (concurrency, multiple threads, etc)
    • A running for time t succeeds with probability at most ct/2n
    • Like brute-forcing
    • Today's recommendations
    ◇ n = 128

    Alternative Approach


    • Asymptotic approach
    ◇ secure parameter n is used (key length)
    ◇ efficient adversaries are equiated with probabilistic poly-time (PPT) algorithms that run for time that is a polynomial of n
    ◇ small probability of success is equated with success probabilities that are asymptotically smaller than any inverse polynomial in n
    ◇ A scheme is secure if any PPT adversary A succeeds in breaking the scheme with at most negligible probability

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Classical Ciphers


    • based on letter substitution
    • message space M is valid words from a given alphabet
    • encryption
    ◇ ciphertext is produced by mapping each plaintext character into another character
    ◇ a character mpaaing is typically defined as a shift of a plaintext character by a number of positions in a canonical ordering of the characters in the alphabet
    ◇ character shifting occurs with wrap-around (mod 25 addition)
    • decryption
    ◇ under shifting of characters with wrap-around (using mod 25 subtraction)

    Substituion cipher


    images\9-1.png
    • Each letter is uniquely replaced by another
    • Broken by using a frequency analysis
    images\9-2.png

    Caesar's cipher


    • Shift each character in the message by 3 postiions (13 in ROT-13)
    • no secret key is used - security by obscurity
    • Brute force attacks - only 26 possibilities

    Shift Cipher


    • Key extension of Caesar's cipher
    • Randomly set key k in [0:25]
    ◇ shift each character in the message by k positions
    • Brute force attacks - only 26 possibilities - manual
    • Automated attack based on statistics
    ◇ if a character i in the alphabet has a frequency pi, then from known statistics we know that Σipi2 ≈ 0.065
    • The brute-force attack can test all possible keys
    ◇ condition becomes much simpler and isn't as manual

    Mono-alphabetic substituion cipher


    • generalization of shift cipher
    • key space defines permutation on alphabet
    ◇ use a 1-1 mapping between characters in the alphabet to produce ciphertext
    ◇ shift each distinct character in the plaintext to get a distinct character in the ciphertext
    • Key space is large (26! or 288)
    • character mapping is fixed - plaintext and ciphertext exhibit same statistics

    Vigenere cipher


    • generalization of mono-alphabetic substitution cipher
    • key space defines fixed (shift) mapping that is applied on block of characters
    • a key k is a string of length t, defining the shift for blocks of size t
    • e.g. k = (2,1,3,11). Each block is shifted respectively by 2,1,3,11
    • plaintext-to-ciphertext mapping is many-to-many
    • if the key length t is known: problem is reduced to attacking the shift cipher
    ◇ statistical attacks for each subsequence of the from cj, cj+t, cj+2t...
    • if key length t is unknown:
    ◇ repeat stastical attacks for gussed values of t.
    ◇ Kasiski's method: identify repeated patterns of length 2 or 3 in the ciphertext.p period t can be decuded by locations of these patterns in the text
    ◇ index of coincidence method: compute ST = Σiqi2 and stop when ST = 0.065. T is a multiple of t.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Stream Ciphers


    images\9-3.png

    Block Ciphers


    images\9-4.png

    Stream vs Block ciphers


    images\9-5.png

    Perfect encryption of a block


    • Goal: encrypt a block of n bits using the same key all the time
    • Approach: encryption via a bijective random mapping T from {0,1}n to {0,1}n
    ◇ Mapped pairs are computed uniformly at random
    • Problem: T has size ~ n 2n
    • Make it randomized
    ◇ pick random r and encrypt x as: (y = T[r] XOR x, r)
    ◇ decrypt (y,r) as: y XOR T[r]

    Primitive techniques for symmetric-key encryption


    • Substitution
    ◇ exchanging one set of bits for another set
    • Transposition
    ◇ rearranging the order of the ciphertext bits
    • Confusion
    ◇ enforcing complex functional relationship between the plaintext/key pair and the ciphertext
    • Diffusion
    ◇ distributes information from single plaintext characters over entire ciphertext output

    Substitution boxes


    images\9-6.png

    DES: Data Encryption Standard


    • Block cipher
    • Considered insecure
    images\9-7.png
    • Employs substituion and transposition on top of each other for 16 rounds
    • block size = 64 bits, key size = 56 bits
    • double DES -> not effective -> 80 bit security
    • triple DES -> more effective -> 112 bit security
    images\9-8.png

    AES: Advanced Encryption System


    • Block cipher
    • Still in use
    images\9-9.png
    • Employs substitution, confusion, and diffusion
    ◇ on blocks of 128 bits in 10, 12, or 14 rounds for keys of 128, 192, 256
    images\9-10.png

    DES vs AES


    images\9-11.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Block Cipher Modes


    • Describe the way a block cipher encrypts or decrypts a sequence of message blocks

    ECB: Electronic Code Book


    • Block P[i] encrypted into ciphertext block C[i] = Ek(P[i])
    • Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])
    images\9-12.png
    • Strengths
    ◇ Simple
    ◇ Parallel encryptions
    ◇ Tolerates loss or damage
    • Weaknesses
    ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext
    images\9-13.png

    CBC: Cipher Block Chaining


    • ECB produces the same ciphertext on the same ciphertext under the same key
    • The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext
    • Previous ciphertext block is combined with current plaintext block C[i] = Ek(C[i-1]⊕P[i])
    • C[-1] = IV; a random block separately transmitted encrypted
    • decryption: P[i] = C[i-1]⊕Dk(C[i])
    images\9-14.png
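Review bot: the removed and added versions of lecture_3 in this hunk are identical line for line as far as the visible lines show (only the trailing newline differs), so the change carries over every error in the file unchanged; if the intent was to fix content, nothing was fixed. Points worth correcting in a follow-up, all visible in the hunk: "character shifting occurs with wrap-around (mod 25 addition)" and "mod 25 subtraction" should be mod 26, consistent with "only 26 possibilities" and "key k in [0:25]" further down; "Key space is large (26! or 288)" lost its superscript and should read 2^88; under ECB, "Block P[i] decrypted into ciphertext block M[i] = Dk(C[i])" should be "decrypted into plaintext block P[i] = Dk(C[i])", matching the CBC line "decryption: P[i] = C[i-1]⊕Dk(C[i])"; under CBC, "ECB produces the same ciphertext on the same ciphertext under the same key" should say "on the same plaintext". Smaller issues: "these exists a unique key" → "there exists", "2-60" and "ct/2n" lost their exponents (2^-60, ct/2^n), the Kasiski line "in the ciphertext.p period t can be decuded" has a stray ".p" and should read "deduced", and the lost sub/superscripts in "Σipi2 ≈ 0.065" and "ST = Σiqi2" leave the index-of-coincidence formula unreadable.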

    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_4.html b/notes.ctb_HTML/cs306--lectures--lecture_4.html index 5df0f81..dc88964 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_4.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_4.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 4

    Possible Eavesdropping Attacks


    • An attacker may posses a collection of ciphertext:
    ◇ ciphertext only attack
    ◇ EAV-attack
    ▪indistinguishability for a single message against an eavesdropper
    ◇ Chosen plaintext attack
    ▪An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    ◇ CPA-attack

    Perfect EAV-security


    • Definitions
    • For every DM, m ∈ M and c ∈ C, for which Pr[C=c] > 0, it holds that Pr[M=m | C=c] = Pr[M=m]
    • C is independent of M
    ◇ For every m, m' ∈ M and c ∈ C, it holds that Pr[Enck(m) = c] = Pr[Enck(m') = c]
    • indistinguishability
    ◇ For every A, it holds that Pr[b'=b] = 1/2
    • Absolutely no information is leaked about the plaintext
    • To adversaries that unlimited computational power
    • require that m0, m1 are chosen by a PPT adversary
    • require that no PPT adverasary can distinguish Enck(m0) from Enck(m1)

    Computational security


    • A tiny amount of information is leaked about the plaintext
    • To adversaries with bounded computational power
    • Attacks best strategy remains ineffective
    ◇ Random guess on secret key
    ◇ Exhaustive search over key space (brute force attack)
    • Negligible functions:
    ◇ negl = very small probability of success of the attack
    ◇ can be ignored

    Computational EAV-security


    • require that m0, m1 are chosen by a PPT adversary
    • no PPT adversary can distinguish Enck(m0) frp, Enck(m1)
    ◇ Pr[b' = b] = 1/2 + negl

    CPA-security


    • Π = {M, (Gen, Enc, Dec)}
    • (Enc, Dec) is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    • Any encryption scheme that is CPA-secure is also CPA-secure for multiple encryptions
    • CPA security implies probabilistic encryption
    • EAV-security for multiple messages implies probabilistic encryption

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pseudo-randomness


    • not truly random in that
    ◇ derived by a deterministic algorithm
    ◇ output is dependent on initial values
    • Two types: Classical PRGs, Cryptographically secure PRGs
    • Classical PRGs - linear congruential generator
    • Cryptographically secure PRGs - Blum-Micali generator
    • Definition
    ◇ Deterministic PPT algorithm G that on inpout a seed s ∈ {0,1}n, outputs G(s) ∈ {0,1}l/n
    ◇ G is a PRG if:
    ▪ Expansion
    - for polynomial l, it holds that for any n, l(n) > n
    - models the process of extracting randomness from a short random string
    ▪ Pseudorandomness
    - no efficient statistical test can tell apart G(s) from a truly random string r
    images\22-1.png

    Linear congruential generator


    • Xi = axi-1 + b mod m i >= 1 where
    ◇ x0 is the seed or start value
    ◇ a is the multiplier
    ◇ b is the increment
    ◇ m is the modulus
    • Output:
    ◇ (x1, x2, ..., xk)
    ◇ yi = xi mod 2
    ◇ Y = (y1y2...yk) <- pseudo random sequence of k bits

    Example


    • xn = 3xn-1 + 5 mod 31, n >= 1, x0 = 2
    • 3 and 31 are relatively prime, one-to-one
    • 31 is prime, order is 30
    • 2,11,7,26,21,6,23,12,10,4,17,25,18,28,27,24,15,19,0,5,20,3,14,16,22,9,1,8,29,30
    • When x0 = 2, 01101010001
    • When x1 = 3 10001101001

    Security


    • Fast, but insecure
    ◇ sensitive to the choice of parameters a, b, and m
    ◇ correlation between successive values
    ◇ short period, often m = 232 or 264
    • Used commonly in compilers - rand()
    • Not suitable for high-quality randomness
    • Not suitable for cryptographic applications

    PRG security


    • Pr[D(G(s)) = 1] - Pr[D(r)=1] | <= negl(n)

    PRG-based symmetric-key encryption scheme


    • encryption scheme is EAV-secure as long as the underlying PRG is secure
    • either fixed-length or arbitrary-length encryption scheme
    images\22-2.png

    Modes of operation for stream ciphers


    • on-the-fly computation of new pseudorandom bits, no IV needed, EAV-security
    images\22-3.png
    • random IV used for every new message is sent along with ciphertext, CPA-security

    Pseudorandom functions


    • Generalize the concept of a PRG
    ◇ produce pseudorandom bits that also depend on specific input
    ◇ keyed functions of the form Fk: {0,1}n -> {0,1}n
    • Operate essentially as a random function
    • Fk is PRF if it is indistinguishable from a truly random function f [e.g. f is a random permutation]
    • f: {0,1}n -> {0,1}n is randomly selected for the set of all length-preserving functions mapping n-bit inputs to n-bit outputs
    images\22-4.png

    PRF Security


    • Pr[DF(k,)(1n) = 1] - Pr[Df()(1n) = 1] | <= negl(n)

    PRF-based symmetric-key encryption scheme


    • Encryption scheme is EAV-secure as long as the underlying PRG is secure
    • Fixed-length encryption scheme
    images\22-5.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Modes of Operations for block ciphers


    ECB - electronic code book


    • insecure
    • deterministic - not CPA secure
    • not EAV-secure
    images\22-6.png

    CBC - Cipher block chaining


    • CPA-secure if Fk is a permutation
    • uniform IV - otherwise security breaks
    images\22-7.png

    Chained CBC


    • Uses last block ciphertext as IV of next message
    • not CPA-secure

    OFB - Output Feedback


    • IV uniform
    • message length doesn't need to be multiple of n
    • resembles synchronizes stream-cipher mode
    • stateful variant (chaining) is secure
    • CPA-secure if Fk is PRF
    images\22-8.png

    CTR - Counter Mode


    • CTR uniform
    • message length doesn't need to be multiple of n
    • resembles synchronized stream-cipher mode
    • CPA-secure if Fk is PRF
    • no need for Fk to be invertible
    • parallelizable
    images\22-9.png

    Additional Notes


    • Block length matters -> IV or ctr can be recycled
    • IV are often misused
    ◇ reused or not uniformly random
    ◇ CBC is a better option than OFB/CTR

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Security problems studied by modern cryptography


    • Classical cryptography - message encryption
    ◇ provide secrecy/confidentiality
    ◇ no message should be leaked while in transit
    • Modern cryptography - wide variety of security problems
    ◇ secrecy is not the only security concern when using an unprotected channel
    ◇ need to study large set of secrutiy properties
    • Sibling of message encryption - message authentication
    ◇ provide integrity
    ◇ while in transit, no message should be modified by an outsider

    Message Authentication


    • Information has value -> citrical information must be protected not to leak to unauthorized parties
    ◇ message encryption takes care of this
    • Correct information is valuable
    ◇ incorrect or falsified information may be of little value
    ◇ random information may be useless
    ◇ maliciously crafted information can be harmful
    ◇ message authentication takes care of this

    Examples of attacks


    • A bank receives an electronic request to transfer money from user A to B
    ◇ Did A actually send the request?
    • A user puchases from Amazon
    ◇ Did the user actually make the purchase?

    Integrity of communications / computations


    • no unprotected system can be assumed to be trustworthy
    ◇ origin of information (source) - attacks: impersonation, phishing, etc
    ◇ contents of information - attacks: man-in-the-middle, email spam, etc
    • prevention vs detection
    ◇ tampering with information cannot be avoided.
    ◇ need to be detectable
    • Goal: prevent undetected tampering

    Symmetric-key message authentication


    • Sign message m with tag t and send (m, t)
    • Verify authenticity of received m using t

    Applications


    • Secure communication
    ◇ verify authenticity of messages
    ◇ assumption
    ▪ securely generate distrbute and store shared key k
    ▪ attack does not learn key k
    • Secure Storage
    ◇ verify authenticity of files
    ◇ assumption
    ▪ securely generate and store key k
    ▪ attacker does not learn key k

    Symmetric-key message authentication code (MAC)


    • defined by triplet of PPT algorithms (Gen, Mac, Vrfy) security parameter 1n
    ◇ Gen: prob. alg. on input 1n, outputs a key k from the key space K
    ◇ Mac: prob. alg. on input message m ∈ {0,1}* and key k, outputs tag t, Mack(m) -> t
    ◇ Vrfy: det. alg. on input a pair (m, t) and key k, outputs a bit b, b := Vrfyk(m, t)
    • Satisfying desired properties:
    ◇ efficiency: key generation and tag computation / verification are fast
    ◇ correctness: for all m, k it holds that Vrfyk(m Mack(m)) = 1
    ◇ security: one cannot forge a verifiable pair (m, t)
    • Authenicating m = computing t
    • Verifying authenticity of m = running vrfy

    Security of MACs


    • attacker cannot forge a verifiable message-tag pair (m, t)
    • Replay attack -> insert a new message m*, t* into traffic so that (m*, t*) is verifiable.
    ◇ if m* = previously observed message, attack is successful
    • Brute-force attack Mack(m) -> t is publicly known
    ◇ An exhaustive search in key space K can be done to find the used key k
    • new messages may be forged undetectably, but they can be found only with negligible probability or after an exponentially large computation
    • replay-attack unsafe security definition
    ◇ better not to assume any semantics regarding the high-level app, but instead delegate the validity or safeety check to this app that consumes the messages
    • Eliminating replay attacks
    ◇ Use of counters between sender and receiver
    ◇ Use of timestamps along with an authentication window for validation

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    MAC constructions


    • Fixed-length MAC
    ◇ direct application of a PRF for tagging
    ◇ limited applicability
    • Domain extension for MACs
    ◇ straightforward secure extension of fix-length MAC
    ◇ inefficient
    • CBC-MAC
    ◇ resembles CBC-mode encryption
    ◇ efficient

    Fixed-length MAC


    • Based on use of a PRF
    ◇ employ a PRF Fk in the obvious way to compute and canonically verify tags
    ◇ set tag t to be the pseudorandom string derived by evaluating Fk on message m
    • secure, provided that Fk is a secure PRF
    • MAC scheme Π
    ◇ Gen(1n): {0, 1}n -> k
    ◇ Mack(m): set t = Fk(m)
    ◇ Vrfyk(m, t): return 1 iff t = Fk(m)
    images\22-10.png

    Domain extension for MACs


    • Based on previous fix-length MAC scheme Π
    • Split up m into multiple d blocks mi.
    • Pad them and authenticate via Π
    • Reordering attack -> verify the block index i
    • Truncation attack -> verify message length δ = |m|
    • Mix-and-match attack -> randomize tags (using message specific fresh nonce)
    • Fk(r || mi || i || δ)
    • secure provided that Fk is a secure PRF
    images\22-11.png

    CBC-MAC


    • Employ a PRF similar to CBC-mode encryption
    • security
    ◇ secure only when fixed-length messages are authenticated provided that Fk is a secure PRF
    ◇ messages of length equal to any multiple of n can be authenticated
    ▪ length needs to be fixed in advance
    ◇ insecure otherwise
    • Can authenticate longer messages than basic PRF-based scheme
    • more efficient than domain-extension MAC scheme
    • CBC-MAC uses no IV (or uses IV set to 0)
    • Only uses last PRF output
    images\22-12.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Authenticated encryption


    • Communication is over an open/unprotected channel
    • No message should be leaked
    • No message should be modified
    • Encryption schemes provide secrecy/confidentiality
    • MAC schemes provide integrity/unforability

    Secrecy vs Integrity


    • Secrecy
    ◇ sensitive information has value
    ▪ leaking it can be risky
    ◇ prevention
    ▪ does not imply integrity
    • Integrity
    ◇ correct information has value
    ▪ if manipulated, it can be harmful
    ◇ detection
    ▪ does nont imply secrecy

    Authenticated encryption constructions


    • CPA-secure encryption scheme ΠE=(Enc, Dec)
    • a secure MAC ΠM = (MAC, Vrfy)
    • instantiated using independent secret keys ke, km
    • order matters

    Encrypt-and-authenticate


    • Encke(m) -> c; Mackm(m) -> t; send ciphertext (c, t)
    • if Decke(c) ≠ fail and Vrfykm(m,t) accepts
    ◇ output m
    ◇ else output fail
    • Insecure
    ◇ MAC tag t may leak information about m
    ◇ if MAC is deterministic (CBC-MAC) then ΠAE is not CPA-secure

    Authenticate-then-encrypt


    • Mackm(m) -> t; Encke(m||t) -> c; send ciphertext c
    • if Decke(c) = m || t ≠ fail and Vrfykm(m,t) accepts,
    ◇ output m
    ◇ else output fail
    • insecure

    Encrypt-then-authenticate


    • Encke(m) -> c; Mackm(c) ->t; send ciphertext (c, t)
    • if Vrfykm(c,t) accepts then
    ◇ output Decke(c) = m,
    ◇ else output fail
    • secure scheme as long as ΠM is a strong MAC

    Application of Authenticated Encryption


    • Session communication
    ◇ ΠAE = (Enc, Dec) enables 2 parties to communicate securely
    ◇ session: period of time during which sender and receiver maintain state
    ◇ idea: send message m as c = Enck(m) and ignore received c that doesn't verify
    ◇ secrecy and integrity is protected
    • Possible attacks:
    ◇ reordering attack - counters can be used to eliminate reordering/replays
    ◇ reflection attack - directional bit can be used to eliminate reflections
    ◇ replay attack - c = Enck(ba->b || ctrA,b || m); ctrA,B++

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hash Functions


    • maps objects to a fix-length string
    • core property: avoid collisions
    ◇ collision: distinct objects x ≠ y) are mapped to the same hash value (H(x) = H(y))
    ◇ collisions may exist, but they should be infeasbile to find
    • lies between symmetric and assymetric key cryptography
    • catpure different security properties on idealized random functions
    • qualitative stronger assumption than PRF
    • security parameter 1n
    images\22-13.png
    • general hash function H
    ◇ maps a message of an arbitrary length to l(n)-bit string
    • compression hash function h
    ◇ maps long binary string to a shorter binary string
    ◇ maps l'(n)-bit string to a l(n)-bit string with l'(n) > l(n)

    Collision resistance (CR)


    • H is collision-resistant if no PPT adversary can find collisions non-negligibly often

    Security


    • Given a hash function H: X->Y
    ◇ preimage resistant (one-way)
    ▪ if given y ∈ Y, finding a value x ∈ X s.t. H(x) = y happens negligibly often
    ◇ 2nd preimage resistant (weak collision resistant)
    ▪ if given a uniform x ∈ X, finding a value x' ∈ X, s.t. x' ≠ x and H(x') = H(x) happens negligibly often
    ◇ cf collision resistant (strong collision resistant)
    ▪ if finding two distinct values x', x ∈ X, s.t. H(x') = H(x) happens negligibly often

    Merkle-Damgard transform


    • reduces problem to design of CR compression functions
    • use for general hash functions
    • general design pattern for cryptographic hash functions
    • reduces collision resistance of general hash functions to colission resistance of compression functions
    • compressing 1 single bit is at least as hard as compressing by any number of bits
    • Design
    ◇ suppose that h: {0,1}2n -> {0,1}n is a collision reistant compression function
    ◇ the general hash function M: {x: |x|<2n} -> {0,1}n is defined as
    ▪ H(x) is computed by applying h(x) in a chained manner over n-bit message blocks
    - pad x and create B message blocks x1....xB with |xi| = n
    - set extra final message block xB+1 as n-bit encoding L of |x|
    - starting with z0=IV = 0n, output H(x) = zB+1, where zi=hs(zi-1 || xi)
    • If compression function h is collision resistant, then the derived hash function H is also collision resistant
    images\22-14.png

    Davies-Meyer Scheme


    • Generic construction of CR compression function
    ◇ assume PRF w/ key length n and block length l
    ◇ define h: {0, 1}n+l -> {0,1}l as
    ▪ H(x) = Fk(x) ⊕ x
    ◇ h is CR if F is an ideal cipher
    images\22-15.png

    +

    lecture 4

    Possible Eavesdropping Attacks


    • An attacker may posses a collection of ciphertext:
    ◇ ciphertext only attack
    ◇ EAV-attack
    ▪indistinguishability for a single message against an eavesdropper
    ▪An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    ◇ Chosen plaintext attack
    ◇ CPA-attack
    ▪ indistinguishability for a single message against an eavesdropper

    Perfect EAV-security


    • Definitions
    • For every DM, m ∈ M and c ∈ C, for which Pr[C=c] > 0, it holds that Pr[M=m | C=c] = Pr[M=m]
    • C is independent of M
    ◇ For every m, m' ∈ M and c ∈ C, it holds that Pr[Enck(m) = c] = Pr[Enck(m') = c]
    • indistinguishability
    ◇ For every A, it holds that Pr[b'=b] = 1/2
    • Absolutely no information is leaked about the plaintext
    • To adversaries that unlimited computational power
    • require that m0, m1 are chosen by a PPT adversary
    • require that no PPT adverasary can distinguish Enck(m0) from Enck(m1)

    Computational security


    • A tiny amount of information is leaked about the plaintext
    • To adversaries with bounded computational power
    • Attacks best strategy remains ineffective
    ◇ Random guess on secret key
    ◇ Exhaustive search over key space (brute force attack)
    • Negligible functions:
    ◇ negl = very small probability of success of the attack
    ◇ can be ignored

    Computational EAV-security


    • An attacker may posses a collection of ciphertext
    • require that m0, m1 are chosen by a PPT adversary
    • no PPT adversary can distinguish Enck(m0) frp, Enck(m1)
    ◇ Pr[b' = b] = 1/2 + negl

    CPA-security


    • An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker
    • Π = {M, (Gen, Enc, Dec)}
    • (Enc, Dec) is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    • Any encryption scheme that is CPA-secure is also CPA-secure for multiple encryptions
    • CPA security implies probabilistic encryption
    • EAV-security for multiple messages implies probabilistic encryption

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pseudo-randomness


    • not truly random in that
    ◇ derived by a deterministic algorithm
    ◇ output is dependent on initial values
    • Two types: Classical PRGs, Cryptographically secure PRGs
    • Classical PRGs - linear congruential generator
    • Cryptographically secure PRGs - Blum-Micali generator
    • Definition
    ◇ Deterministic PPT algorithm G that on inpout a seed s ∈ {0,1}n, outputs G(s) ∈ {0,1}l/n
    ◇ G is a PRG if:
    ▪ Expansion
    - for polynomial l, it holds that for any n, l(n) > n
    - models the process of extracting randomness from a short random string
    ▪ Pseudorandomness
    - no efficient statistical test can tell apart G(s) from a truly random string r
    images\22-1.png

    Linear congruential generator


    • Xi = axi-1 + b mod m i >= 1 where
    ◇ x0 is the seed or start value
    ◇ a is the multiplier
    ◇ b is the increment
    ◇ m is the modulus
    • Output:
    ◇ (x1, x2, ..., xk)
    ◇ yi = xi mod 2
    ◇ Y = (y1y2...yk) <- pseudo random sequence of k bits

    Example


    • xn = 3xn-1 + 5 mod 31, n >= 1, x0 = 2
    • 3 and 31 are relatively prime, one-to-one
    • 31 is prime, order is 30
    • 2,11,7,26,21,6,23,12,10,4,17,25,18,28,27,24,15,19,0,5,20,3,14,16,22,9,1,8,29,30
    • When x0 = 2, 01101010001
    • When x1 = 3 10001101001

    Security


    • Fast, but insecure
    ◇ sensitive to the choice of parameters a, b, and m
    ◇ correlation between successive values
    ◇ short period, often m = 232 or 264
    • Used commonly in compilers - rand()
    • Not suitable for high-quality randomness
    • Not suitable for cryptographic applications

    PRG security


    • Pr[D(G(s)) = 1] - Pr[D(r)=1] | <= negl(n)

    PRG-based symmetric-key encryption scheme


    • encryption scheme is EAV-secure as long as the underlying PRG is secure
    • either fixed-length or arbitrary-length encryption scheme
    images\22-2.png

    Modes of operation for stream ciphers


    • on-the-fly computation of new pseudorandom bits, no IV needed, EAV-security
    images\22-3.png
    • random IV used for every new message is sent along with ciphertext, CPA-security

    Pseudorandom functions


    • Generalize the concept of a PRG
    ◇ produce pseudorandom bits that also depend on specific input
    ◇ keyed functions of the form Fk: {0,1}n -> {0,1}n
    • Operate essentially as a random function
    • Fk is PRF if it is indistinguishable from a truly random function f [e.g. f is a random permutation]
    • f: {0,1}n -> {0,1}n is randomly selected for the set of all length-preserving functions mapping n-bit inputs to n-bit outputs
    images\22-4.png

    PRF Security


    • Pr[DF(k,)(1n) = 1] - Pr[Df()(1n) = 1] | <= negl(n)

    PRF-based symmetric-key encryption scheme


    • Encryption scheme is EAV-secure as long as the underlying PRG is secure
    • Fixed-length encryption scheme
    images\22-5.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Modes of Operations for block ciphers


    ECB - electronic code book


    • insecure
    • deterministic - not CPA secure
    • not EAV-secure
    images\22-6.png

    CBC - Cipher block chaining


    • CPA-secure if Fk is a permutation
    • uniform IV - otherwise security breaks
    images\22-7.png

    Chained CBC


    • Uses last block ciphertext as IV of next message
    • not CPA-secure

    OFB - Output Feedback


    • IV uniform
    • message length doesn't need to be multiple of n
    • resembles synchronizes stream-cipher mode
    • stateful variant (chaining) is secure
    • CPA-secure if Fk is PRF
    images\22-8.png

    CTR - Counter Mode


    • CTR uniform
    • message length doesn't need to be multiple of n
    • resembles synchronized stream-cipher mode
    • CPA-secure if Fk is PRF
    • no need for Fk to be invertible
    • parallelizable
    images\22-9.png

    Additional Notes


    • Block length matters -> IV or ctr can be recycled
    • IV are often misused
    ◇ reused or not uniformly random
    ◇ CBC is a better option than OFB/CTR

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Security problems studied by modern cryptography


    • Classical cryptography - message encryption
    ◇ provide secrecy/confidentiality
    ◇ no message should be leaked while in transit
    • Modern cryptography - wide variety of security problems
    ◇ secrecy is not the only security concern when using an unprotected channel
    ◇ need to study large set of secrutiy properties
    • Sibling of message encryption - message authentication
    ◇ provide integrity
    ◇ while in transit, no message should be modified by an outsider

    Message Authentication


    • Information has value -> citrical information must be protected not to leak to unauthorized parties
    ◇ message encryption takes care of this
    • Correct information is valuable
    ◇ incorrect or falsified information may be of little value
    ◇ random information may be useless
    ◇ maliciously crafted information can be harmful
    ◇ message authentication takes care of this

    Examples of attacks


    • A bank receives an electronic request to transfer money from user A to B
    ◇ Did A actually send the request?
    • A user puchases from Amazon
    ◇ Did the user actually make the purchase?

    Integrity of communications / computations


    • no unprotected system can be assumed to be trustworthy
    ◇ origin of information (source) - attacks: impersonation, phishing, etc
    ◇ contents of information - attacks: man-in-the-middle, email spam, etc
    • prevention vs detection
    ◇ tampering with information cannot be avoided.
    ◇ need to be detectable
    • Goal: prevent undetected tampering

    Symmetric-key message authentication


    • Sign message m with tag t and send (m, t)
    • Verify authenticity of received m using t

    Applications


    • Secure communication
    ◇ verify authenticity of messages
    ◇ assumption
    ▪ securely generate distrbute and store shared key k
    ▪ attack does not learn key k
    • Secure Storage
    ◇ verify authenticity of files
    ◇ assumption
    ▪ securely generate and store key k
    ▪ attacker does not learn key k

    Symmetric-key message authentication code (MAC)


    • defined by triplet of PPT algorithms (Gen, Mac, Vrfy) security parameter 1n
    ◇ Gen: prob. alg. on input 1n, outputs a key k from the key space K
    ◇ Mac: prob. alg. on input message m ∈ {0,1}* and key k, outputs tag t, Mack(m) -> t
    ◇ Vrfy: det. alg. on input a pair (m, t) and key k, outputs a bit b, b := Vrfyk(m, t)
    • Satisfying desired properties:
    ◇ efficiency: key generation and tag computation / verification are fast
    ◇ correctness: for all m, k it holds that Vrfyk(m Mack(m)) = 1
    ◇ security: one cannot forge a verifiable pair (m, t)
    • Authenicating m = computing t
    • Verifying authenticity of m = running vrfy

    Security of MACs


    • attacker cannot forge a verifiable message-tag pair (m, t)
    • Replay attack -> insert a new message m*, t* into traffic so that (m*, t*) is verifiable.
    ◇ if m* = previously observed message, attack is successful
    • Brute-force attack Mack(m) -> t is publicly known
    ◇ An exhaustive search in key space K can be done to find the used key k
    • new messages may be forged undetectably, but they can be found only with negligible probability or after an exponentially large computation
    • replay-attack unsafe security definition
    ◇ better not to assume any semantics regarding the high-level app, but instead delegate the validity or safeety check to this app that consumes the messages
    • Eliminating replay attacks
    ◇ Use of counters between sender and receiver
    ◇ Use of timestamps along with an authentication window for validation

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    MAC constructions


    • Fixed-length MAC
    ◇ direct application of a PRF for tagging
    ◇ limited applicability
    • Domain extension for MACs
    ◇ straightforward secure extension of fix-length MAC
    ◇ inefficient
    • CBC-MAC
    ◇ resembles CBC-mode encryption
    ◇ efficient

    Fixed-length MAC


    • Based on use of a PRF
    ◇ employ a PRF Fk in the obvious way to compute and canonically verify tags
    ◇ set tag t to be the pseudorandom string derived by evaluating Fk on message m
    • secure, provided that Fk is a secure PRF
    • MAC scheme Π
    ◇ Gen(1n): {0, 1}n -> k
    ◇ Mack(m): set t = Fk(m)
    ◇ Vrfyk(m, t): return 1 iff t = Fk(m)
    images\22-10.png

    Domain extension for MACs


    • Based on previous fix-length MAC scheme Π
    • Split up m into multiple d blocks mi.
    • Pad them and authenticate via Π
    • Reordering attack -> verify the block index i
    • Truncation attack -> verify message length δ = |m|
    • Mix-and-match attack -> randomize tags (using message specific fresh nonce)
    • Fk(r || mi || i || δ)
    • secure provided that Fk is a secure PRF
    images\22-11.png

    CBC-MAC


    • Employ a PRF similar to CBC-mode encryption
    • security
    ◇ secure only when fixed-length messages are authenticated provided that Fk is a secure PRF
    ◇ messages of length equal to any multiple of n can be authenticated
    ▪ length needs to be fixed in advance
    ◇ insecure otherwise
    • Can authenticate longer messages than basic PRF-based scheme
    • more efficient than domain-extension MAC scheme
    • CBC-MAC uses no IV (or uses IV set to 0)
    • Only uses last PRF output
    images\22-12.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Authenticated encryption


    • Communication is over an open/unprotected channel
    • No message should be leaked
    • No message should be modified
    • Encryption schemes provide secrecy/confidentiality
    • MAC schemes provide integrity/unforability

    Secrecy vs Integrity


    • Secrecy
    ◇ sensitive information has value
    ▪ leaking it can be risky
    ◇ prevention
    ▪ does not imply integrity
    • Integrity
    ◇ correct information has value
    ▪ if manipulated, it can be harmful
    ◇ detection
    ▪ does nont imply secrecy

    Authenticated encryption constructions


    • CPA-secure encryption scheme ΠE=(Enc, Dec)
    • a secure MAC ΠM = (MAC, Vrfy)
    • instantiated using independent secret keys ke, km
    • order matters

    Encrypt-and-authenticate


    • Encke(m) -> c; Mackm(m) -> t; send ciphertext (c, t)
    • if Decke(c) ≠ fail and Vrfykm(m,t) accepts
    ◇ output m
    ◇ else output fail
    • Insecure
    ◇ MAC tag t may leak information about m
    ◇ if MAC is deterministic (CBC-MAC) then ΠAE is not CPA-secure

    Authenticate-then-encrypt


    • Mackm(m) -> t; Encke(m||t) -> c; send ciphertext c
    • if Decke(c) = m || t ≠ fail and Vrfykm(m,t) accepts,
    ◇ output m
    ◇ else output fail
    • insecure

    Encrypt-then-authenticate


    • Encke(m) -> c; Mackm(c) ->t; send ciphertext (c, t)
    • if Vrfykm(c,t) accepts then
    ◇ output Decke(c) = m,
    ◇ else output fail
    • secure scheme as long as ΠM is a strong MAC

    Application of Authenticated Encryption


    • Session communication
    ◇ ΠAE = (Enc, Dec) enables 2 parties to communicate securely
    ◇ session: period of time during which sender and receiver maintain state
    ◇ idea: send message m as c = Enck(m) and ignore received c that doesn't verify
    ◇ secrecy and integrity is protected
    • Possible attacks:
    ◇ reordering attack - counters can be used to eliminate reordering/replays
    ◇ reflection attack - directional bit can be used to eliminate reflections
    ◇ replay attack - c = Enck(ba->b || ctrA,b || m); ctrA,B++

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hash Functions


    • maps objects to a fix-length string
    • core property: avoid collisions
    ◇ collision: distinct objects x ≠ y) are mapped to the same hash value (H(x) = H(y))
    ◇ collisions may exist, but they should be infeasbile to find
    • lies between symmetric and assymetric key cryptography
    • catpure different security properties on idealized random functions
    • qualitative stronger assumption than PRF
    • security parameter 1n
    images\22-13.png
    • general hash function H
    ◇ maps a message of an arbitrary length to l(n)-bit string
    • compression hash function h
    ◇ maps long binary string to a shorter binary string
    ◇ maps l'(n)-bit string to a l(n)-bit string with l'(n) > l(n)

    Collision resistance (CR)


    • H is collision-resistant if no PPT adversary can find collisions non-negligibly often

    Security


    • Given a hash function H: X->Y
    ◇ preimage resistant (one-way)
    ▪ if given y ∈ Y, finding a value x ∈ X s.t. H(x) = y happens negligibly often
    ◇ 2nd preimage resistant (weak collision resistant)
    ▪ if given a uniform x ∈ X, finding a value x' ∈ X, s.t. x' ≠ x and H(x') = H(x) happens negligibly often
    ◇ cf collision resistant (strong collision resistant)
    ▪ if finding two distinct values x', x ∈ X, s.t. H(x') = H(x) happens negligibly often

    Merkle-Damgard transform


    • reduces problem to design of CR compression functions
    • use for general hash functions
    • general design pattern for cryptographic hash functions
    • reduces collision resistance of general hash functions to colission resistance of compression functions
    • compressing 1 single bit is at least as hard as compressing by any number of bits
    • Design
    ◇ suppose that h: {0,1}2n -> {0,1}n is a collision reistant compression function
    ◇ the general hash function M: {x: |x|<2n} -> {0,1}n is defined as
    ▪ H(x) is computed by applying h(x) in a chained manner over n-bit message blocks
    - pad x and create B message blocks x1....xB with |xi| = n
    - set extra final message block xB+1 as n-bit encoding L of |x|
    - starting with z0=IV = 0n, output H(x) = zB+1, where zi=hs(zi-1 || xi)
    • If compression function h is collision resistant, then the derived hash function H is also collision resistant
    images\22-14.png

    Davies-Meyer Scheme


    • Generic construction of CR compression function
    ◇ assume PRF w/ key length n and block length l
    ◇ define h: {0, 1}n+l -> {0,1}l as
    ▪ H(x) = Fk(x) ⊕ x
    ◇ h is CR if F is an ideal cipher
    images\22-15.png

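Review bot: the Davies-Meyer definition in this hunk is internally inconsistent: it declares `h: {0, 1}n+l -> {0,1}l` and then defines `H(x) = Fk(x) ⊕ x`, switching from h to H and never saying where k comes from. The n+l-bit input is meant to be split into an n-bit key k and an l-bit block x, so the line should read `h(k || x) = F_k(x) ⊕ x` (with the superscripts restored, since `n+l` and `l` have been flattened into the base text). The Merkle-Damgård block has the same naming drift: `the general hash function M: {x: |x|<2n} -> {0,1}n` introduces M and then computes `H(x)`, the domain bound is presumably `|x| < 2^n` with the exponent lost, and `zi=hs(zi-1 || xi)` uses a keyed `h_s` although h was introduced as an unkeyed compression function; pick one name and one keyed/unkeyed convention. Minor spelling in the same region: "assymetric", "catpure", "colission", "reistant".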
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_5.html b/notes.ctb_HTML/cs306--lectures--lecture_5.html index 73ebd11..9109b93 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_5.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_5.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 5

    trengthening computational EAV security


    • PPT adversary can learn the ciphertext of any plaintext of its choice
    • no PPT adversary can distinguish c0, c1 non-negligibly better than guessing even with extra information
    • Pr[b' = b] = 1/2 + negl
    • *randomized encryption is needed

    Strengthening vs weakening security


    • strengthening - assume attacker is more powerful
    ◇ e.g. they learn encrypted chosen-plaintext messages
    • weakening - restricting the attacker to be less general
    ◇ e.g. same-length messages
    • Pr[b' = b] = 1/2 + negl

    Hash Functions


    images\37-1.png

    MD5 - Message Digest Algorithm


    • output 128 bits, collision resistance
    • completely broken
    • collisions can be found in less than a minute
    • widely used in legacy applications

    SHA1 - Secure Hash Algorithm


    • output 160 bits
    • considered insecure for collision resistance
    • broken

    SHA2


    • outputs 224, 256, 384, 512 bits
    • no security concerns yet
    • based on Merkle-Damgard and Davies Meyer generic transforms

    SHA3


    • Completely new philosophy
    • Sponge construction and un-keyed permutations

    Attacks against cryptographic hashing


    • assume CR compression function h: {0,1}l'(n) -> {0, 1}l(n)
    • brute force attack
    ◇ for each string x in the domain
    ▪ compute and record hash value h(x)
    ▪ if h(x) = h(y), output collision on x ≠ y
    ◇ evaluate h on 2l(n) + 1 distinct inputs
    ◇ by the pigeon hole principle, at least 1 collision will be found
    • birthday attack
    ◇ more efficient
    ◇ uses randomized search rather than exhausting search
    ▪ k balls = distinct messages
    ▪ m bins = number of possible hash values
    ◇ k balls are each independently and randomly thrown into one out m bins
    ◇ probability that the i-th ball lands in an empty bin: 1-(i-1)/m
    ◇ two balls land in the same bin: Pr[E] = 1-Fk = 1 - e-k(k-1)/2m
    ◇ approximate number of hash evaluations for finding hash collisions with probability p for varous digest lengths in Bits
    ◇ evaluate h on fewer distinct inputs that hash to random values
    ◇ probabilistic analysis - at least 1 collision will likely be found
    ◇ hashing half distinct inputs -> more likely to find a collision
    ◇ to get k-bit security, we at least need hash values of length 2k

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Efficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\37-2.png

    Insecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\37-3.png

    HMAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\37-4.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Message Digest


    • Succinct secure description of data - used to detect changes to a block of data
    • Message Authentication - integrity checking
    • User authentication - password protection
    ◇ used with public-key algorithms for encryption and digital signatures
    • Main properties of modern cryptographic hash functions
    ◇ one way - fast to convert input to a digest but infeasible to infer input of a digest value
    ◇ collision-resistance - many collisions exist but they are not obvious to find

    Secure Cloud storage


    • Hashing can be used to
    ◇ check integrity of files
    ◇ correctness of file searches

    • Plain Model


    images\37-5.png
    ***Attacker can send back an altered file

    • Secure Cloud Storage Model


    images\37-6.png
    images\37-7.png
    • user has
    ◇ authentic digest d
    ◇ file F1' to verify
    ◇ proof (to help verification)
    • canonical verification
    ◇ combine F1' and the proof to recompute digest d'
    ◇ if d' = d - F1 is intact

    Hashing files as a whole


    images\37-8.png

    Hashing files separately


    images\37-9.png

    Merkle Tree


    images\37-10.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Digital Envelops / Commitment Schemes


    • Commitment schemes provide two operations
    ◇ commit(x,r) = C ------ seal an envelop
    ▪ put message x into an evelop using randomness r
    ▪ commit (x,r) = h(x || r)
    ▪ hiding property - you cannot see through an envelop
    - perfect opaqueness
    - reveals nothing about message
    ◇ open(C,m,r) = ACCEPT/REJECT --- open a sealed envelop
    ▪ open envelop using r to check that it has not been tampered with
    ▪ open(C, m, r): check if h(x || r) = ?C
    ▪ binding property - you cannot change the contents of a sealed envelop
    - perfect sealing
    - unforgeability - cannot find a cimmitment collision

    Online auction


    • Use digital envelops / commitment schemes

    Coin Flip - Who's doing the dishes


    • Use digital envelops / commitment schemes

    Forward-secure key rotation


    • Keep hashing the symmetric key after every message
    • If an attack intercepts the messages and breaks into a user's machine, key leakage will only begin after the current key
    • previous messages will remain safe
    images\37-11.png

    File Identifiers


    • h(f) serves as a unique indentifier for F
    • one can check whether two files are equal by comparing digests

    • Virus fingerprinting


    ◇ comparing digest of your files against database of digests of know viruses

    • Peer to peer file sharing


    ◇ routing tables store values in the hash range for easy lookup of files

    • Data deduplication


    ◇ don't save duplicates of file. check if hash is already being stored
    ◇ saves storage and bandwidth

    • Password hashing


    ◇ server stores password hashes
    ◇ if a password file leaks, passwords are protected because of onewayness
    images\37-12.png
    ◇ password space is small and predictable - need to use password salting
    ◇ password salting
    ▪ slow down dictionary attacks
    ▪ salt is appended to a user's password before it is hashed
    ▪ salt value is stored in clear along with the hashed password
    ▪ two users with the same password will have different hashed passwords
    ▪ slows down dictionary attacks

    • Digital Signatures and hashing


    ◇ Hash and sign
    ◇ hash of a message is signed
    ◇ signing message M
    ▪ let h be a cryptographic hash function, assume RSA setting (n,d,e)
    ▪ compute signature σ = h(M)d mod n
    ▪ send σ, M
    ◇ Verifying signature σ
    ◇ use public key (e,n)
    ◇ compute H = σe mod n
    ◇ if H = h(m)
    ▪ output ACCEPT
    ▪ else output REJECT

    +

    lecture 5

    Strengthening computational EAV security


    • PPT adversary can learn the ciphertext of any plaintext of its choice
    • no PPT adversary can distinguish c0, c1 non-negligibly better than guessing even with extra information
    • Pr[b' = b] = 1/2 + negl
    • *randomized encryption is needed

    Strengthening vs weakening security


    • strengthening - assume attacker is more powerful
    ◇ e.g. they learn encrypted chosen-plaintext messages
    • weakening - restricting the attacker to be less general
    ◇ e.g. same-length messages
    • Pr[b' = b] = 1/2 + negl

    Hash Functions


    images\37-1.png

    MD5 - Message Digest Algorithm


    • output 128 bits, collision resistance
    • completely broken
    • collisions can be found in less than a minute
    • widely used in legacy applications

    SHA1 - Secure Hash Algorithm


    • output 160 bits
    • considered insecure for collision resistance
    • broken

    SHA2


    • outputs 224, 256, 384, 512 bits
    • no security concerns yet
    • based on Merkle-Damgard and Davies Meyer generic transforms

    SHA3


    • Completely new philosophy
    • Sponge construction and un-keyed permutations

    Attacks against cryptographic hashing


    • assume CR compression function h: {0,1}l'(n) -> {0, 1}l(n)
    • brute force attack
    ◇ for each string x in the domain
    ▪ compute and record hash value h(x)
    ▪ if h(x) = h(y), output collision on x ≠ y
    ◇ evaluate h on 2l(n) + 1 distinct inputs
    ◇ by the pigeon hole principle, at least 1 collision will be found
    • birthday attack
    ◇ more efficient
    ◇ uses randomized search rather than exhausting search
    ▪ k balls = distinct messages
    ▪ m bins = number of possible hash values
    ◇ k balls are each independently and randomly thrown into one out m bins
    ◇ probability that the i-th ball lands in an empty bin: 1-(i-1)/m
    ◇ two balls land in the same bin: Pr[E] = 1-Fk = 1 - e-k(k-1)/2m
    ◇ approximate number of hash evaluations for finding hash collisions with probability p for varous digest lengths in Bits
    ◇ evaluate h on fewer distinct inputs that hash to random values
    ◇ probabilistic analysis - at least 1 collision will likely be found
    ◇ hashing half distinct inputs -> more likely to find a collision
    ◇ to get k-bit security, we at least need hash values of length 2k

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Efficient MAC


    • secure MAC for messages of arbitrary lengths based on CR hashing
    • Gen': instantiate H, Mac, output (s, k)
    • Mac': hash message m into h = Hs(m), output Mack-tag t on h
    • Vrfy': canonical verification
    • Πmac' is secure as long as
    ◇ H is collision resistant
    ◇ Πmac is a secure MAC
    images\37-2.png

    Insecure MAC based on hashing


    • tag t = Mack(m) = H(k || m)
    ◇ given H(k||m), it should be infeasible to compute H(k || m'), m' ≠ m
    • insecure construction
    ◇ susceptive to length-extension attacks
    • security vulnerability
    ◇ practical CR hash functions are of Merkle Damgard design
    • length-extension attack
    ◇ knowledge of H(m1) make it feasible to compute H(m1 || m2)
    ◇ knowing of length of message m1 can retrieve internal state sk even without knowing k
    images\37-3.png

    HMAC: Secure MAC based on hashing


    • HMACk[m] = H[ (k ⊕ opad) || H[ (k ⊕ ipad) || m ] ]
    ◇ two layers of hashing Hs - instantiation of hash and sign paradigm
    • upper layer
    ◇ y = H( (k ⊕ ipad) || m )
    ◇ y = H'(m)
    • lower layer
    ◇ t = H( (k ⊕ opad) || y' )
    ◇ t = Mac'(kouty')
    • if used with a secure hash function and follows specification (key size, correct output), no known practical attacks
    images\37-4.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Message Digest


    • Succinct secure description of data - used to detect changes to a block of data
    • Message Authentication - integrity checking
    • User authentication - password protection
    ◇ used with public-key algorithms for encryption and digital signatures
    • Main properties of modern cryptographic hash functions
    ◇ one way - fast to convert input to a digest but infeasible to infer input of a digest value
    ◇ collision-resistance - many collisions exist but they are not obvious to find

    Secure Cloud storage


    • Hashing can be used to
    ◇ check integrity of files
    ◇ correctness of file searches

    • Plain Model


    images\37-5.png
    ***Attacker can send back an altered file

    • Secure Cloud Storage Model


    images\37-6.png
    images\37-7.png
    • user has
    ◇ authentic digest d
    ◇ file F1' to verify
    ◇ proof (to help verification)
    • canonical verification
    ◇ combine F1' and the proof to recompute digest d'
    ◇ if d' = d - F1 is intact

    Hashing files as a whole


    images\37-8.png

    Hashing files separately


    images\37-9.png

    Merkle Tree


    images\37-10.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Digital Envelops / Commitment Schemes


    • Commitment schemes provide two operations
    ◇ commit(x,r) = C ------ seal an envelop
    ▪ put message x into an evelop using randomness r
    ▪ commit (x,r) = h(x || r)
    ▪ hiding property - you cannot see through an envelop
    - perfect opaqueness
    - reveals nothing about message
    ◇ open(C,m,r) = ACCEPT/REJECT --- open a sealed envelop
    ▪ open envelop using r to check that it has not been tampered with
    ▪ open(C, m, r): check if h(x || r) = ?C
    ▪ binding property - you cannot change the contents of a sealed envelop
    - perfect sealing
    - unforgeability - cannot find a cimmitment collision

    Online auction


    • Use digital envelops / commitment schemes

    Coin Flip - Who's doing the dishes


    • Use digital envelops / commitment schemes

    Forward-secure key rotation


    • Keep hashing the symmetric key after every message
    • If an attack intercepts the messages and breaks into a user's machine, key leakage will only begin after the current key
    • previous messages will remain safe
    images\37-11.png

    File Identifiers


    • h(f) serves as a unique indentifier for F
    • one can check whether two files are equal by comparing digests

    • Virus fingerprinting


    ◇ comparing digest of your files against database of digests of know viruses

    • Peer to peer file sharing


    ◇ routing tables store values in the hash range for easy lookup of files

    • Data deduplication


    ◇ don't save duplicates of file. check if hash is already being stored
    ◇ saves storage and bandwidth

    • Password hashing


    ◇ server stores password hashes
    ◇ if a password file leaks, passwords are protected because of onewayness
    images\37-12.png
    ◇ password space is small and predictable - need to use password salting
    ◇ password salting
    ▪ slow down dictionary attacks
    ▪ salt is appended to a user's password before it is hashed
    ▪ salt value is stored in clear along with the hashed password
    ▪ two users with the same password will have different hashed passwords
    ▪ slows down dictionary attacks

    • Digital Signatures and hashing


    ◇ Hash and sign
    ◇ hash of a message is signed
    ◇ signing message M
    ▪ let h be a cryptographic hash function, assume RSA setting (n,d,e)
    ▪ compute signature σ = h(M)d mod n
    ▪ send σ, M
    ◇ Verifying signature σ
    ◇ use public key (e,n)
    ◇ compute H = σe mod n
    ◇ if H = h(m)
    ▪ output ACCEPT
    ▪ else output REJECT

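Review bot: the commitment-scheme lines in this hunk mix up the message variable, and the change (which only capitalises "Strengthening") leaves that intact. `◇ commit(x,r) = C` commits to x, but the opening check is written as `▪ open(C, m, r): check if h(x || r) = ?C`, so the opener takes m and verifies against x; it should be `open(C, x, r): check h(x || r) = C` (or use m consistently in both). Two related consistency points: under "Digital Signatures and hashing" the message is M in `σ = h(M)d mod n` but `if H = h(m)` at verification (and the exponents d and e have been flattened into the base text); and the length-extension line `knowledge of H(m1) make it feasible to compute H(m1 || m2)` omits that, for a Merkle-Damgård hash, what becomes computable is the hash of m1 followed by its padding and then m2, which is exactly why the attacker needs `|m1|`. Style: "slow down dictionary attacks" and "slows down dictionary attacks" are listed twice under password salting; spelling "varous", "susceptive" (susceptible), "cimmitment", "indentifier", "know viruses", "evelop"/"envelop" (envelope).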
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures--lecture_6.html b/notes.ctb_HTML/cs306--lectures--lecture_6.html index 98ff9cf..7385fdf 100644 --- a/notes.ctb_HTML/cs306--lectures--lecture_6.html +++ b/notes.ctb_HTML/cs306--lectures--lecture_6.html @@ -142,5 +142,5 @@
  • homework
  • -

    lecture 6

    ymmetric Key Cryptography


    • Assumptions
    ◇ Adversary
    ▪ types of attacks
    ◇ trusted setup
    ▪ keys are distributed securely
    ▪ keys remain secret
    ◇ trust basis
    ▪ underlying primitives are secure
    ▪ PRG, PRF, CR-hashing
    • Limitations
    ◇ securely obtain
    ▪ strong assumption to make
    ▪ requires secure channel for key distribution
    ▪ seems impossible for two parties having no prior trust relationship
    ▪ not easily justifiable to hold a prioi
    ◇ shared secret key
    ▪ challenging problem to solve
    ▪ requires too many keys for n parties to communicate
    ▪ too much risk to protect all secret keys
    ▪ revovation complexity

    • 2 approaches to solve key distribution


    ◇ designated secure channels
    ▪ physically protected
    ▪ e.g. sound proof room
    ◇ trusted party
    ▪ entities autorized to dstribute keys
    ▪ e.g. key distribution center

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public key (assymetric cryptography)


    • Goal: devise a cryptosystem where key management is more manageable
    • idea: user-specific keys (that come in pairs)
    ◇ Upk is public
    ◇ Usk is private
    • usage:
    ◇ employ public key for public tasks
    ◇ employ private key for sensitive tasks
    • assumption:
    ◇ public key infrastructure PKI: public keys become securely available to users
    ◇ secret keys remain secret
    ◇ underlying primitives are secure
    images\66-1.png

    Terms


    • asymmetric crypto = public-key crypto
    • symmetric crypto = secret key crypto
    • user's public-key pair = (user's public key, user's private key)
    • user's private key = user's secret key
    • pk = public key
    • sk = secret key

    Encryption


    • Sender and receiver maintain different keys
    • each user has two keys: public and private
    • message encrypted by receiver's public key can only be decrypted by receiver's private key

    Digital signatures


    • Sender and receiver maintain different keys
    • each user has two keys: public and private
    • messages signed by sender's private key can be verified by sender's public key

    Public key pairs and user identities


    • A public-key pair of user U can be specific to a machine or application
    • Gen is a key-generation algorithm to produce (Upk, Usk)
    • Public-key pair is always attached to a user's identity
    • associated with the user's identity

    Public-key infrastructure (PKI)


    • Setting
    ◇ a set of users produce their public-key pairs
    ◇ keys will be used by a public-key cryptosystem
    ▪ each private key is securely stored individually by the user owning the key
    • Where are publish keys stored?
    • How do they remain authenticated?
    • PKI is a mechanism for the secure management of public keys
    ◇ challenging to achieve

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Symmetric vs Asymmetric Crypto


    Key ManagementAssumptionsPrimitivesAdversarial Sampling
    SymmetricLess scalable and riskersecret and authentic communicationgeneric assumptionsoracle access
    secure storagemore efficient in practice
    Asymmetricmore scalable and simplerauthenticity (PKI)number-theoretic assumptionspublic-key operations and oracle access
    secure storageless efficient in practice (2-3 o.o.m)

    images\66-2.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public-key encryption


    • assumes trusted setup
    ◇ PKI (public keys are public) and secure storage (private keys remain private)
    • Many parties can encrypt, but only one party can decrypt
    images\66-3.png
    • defined by message space M and triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm that outputs a public-key pair (Upk, Usk) for user U
    ◇ Enc: probabilistic algorithm that on input plantextm and public key, outputs ciphertext c
    ◇ Dec: deterministic alogirthm that on input ciphertext c and private key, outputs a plaintext m

    Security


    • CPA-securty -- randomized encryption is required
    • Easy to check (Upk, Usk) is a valid key pair
    • infeasible to produce Usk from Upk
    • the attacker can posses the rcipient's public key
    ◇ all 3 collapse to the same attack type
    ▪ ciphertext-only attack
    ▪ known plaintext attack
    ▪ chosen-plaintext attack
    • EAV-security
    ◇ A scheme is EAV-secure if no PPT attacker can correctly guess b non-negligibly better than randomly guessing
    ▪ even when it can use the recipient's public key pk
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • CPA-security
    ◇ A scheme is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    ▪ even when it learns the encryptions of messages of its choice
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • EAV-security implies CPA-security
    • CCA-security
    ◇ attacker posses recipient's public key
    ◇ attacker has access to the decryption oracle
    ◇ attacker is not allowed to use the oracle on the challenge ciphertext
    ◇ probabilistic encryption necessary
    ◇ one message extends to multiple messages
    ◇ fixed length messages DO NOT extend to arbitrary length messages

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hybrid encryption


    images\66-4.png
    • reduces public-key crypto to secret-key crypto
    • better performance
    • apply public-key encryption on random key k
    • use k for secret-key encryption of m
    images\66-5.png
    • Using KEM/DEM approach
    ◇ encapsulate secret key k into c
    ◇ use k for secret-key encryption of m
    ◇ KEM: key-encapsulation mechanism - Encaps
    ◇ DEM: data encapsulation machanism - Enc'
    ◇ KEM/DEM scheme
    ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure
    ▪ CCA-secure if KEM and Enc' are CCA-secure

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Digital Signatures


    • A person can deny that they signed something.
    • Digital signatures make it infeasible to fake

    • Mac for digital signing


    ◇ two parties share a secret key k
    ◇ one party generates MAC on the message to be signed, using k
    ◇ message digest serves as a signature
    ◇ the other party varifies the integrity of the signed message using k
    images\66-6.png

    Properties of Digital Signatures


    • Authentication - receiver can determine that the signature really came from the signer
    • Integrity/unforgeability - no one other than the signer can produce the signature without the signer's private key
    • Non-repudiation - the ability to ensrue that a party cannot deny the authenticity of their signature on a document
    • Not alterable signatures - no signer, receiver, or any interceptor can modify the signature without tampering being evident
    • Not reusable signatures (replay-attack safeness) - any attempt to reuse a previous signature will be detected by the receiver

    Asymmetric-key message authentication


    • Scheme
    ◇ Secret key is sued for signing and public key is used for verification
    ◇ The message m with signature σ is sent.
    • One only party can sign, but multiple parties can verify
    • Assumption: PKI
    • existential unforgeability
    ◇ infeasible for any PPT attacker to forge an invalid but verifiable signature on a new message

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public Key Certifications


    • public-key pairs are bound to user identities
    • PKI implements a mechanism for securely managing public keys
    • Where to store keys so they are publicly available?
    • How are they secured so they remain authenticated?
    • Challenging to achieve:
    ◇ open, dynamic, multi-user system
    ▪ users can join or leave, or privileges can be revoked
    ◇ user-specific public-key pairs
    ▪ unique key pair is attached to the identity of user U
    ◇ authenticated public keys
    ▪ a user's current public key should be consistently known to everyone

    Distibution of public keys


    • public announcement
    ◇ users can distribute public keys to recipients or broadcast to community at large
    • publicly available directory
    ◇ users can obtain better security by registering keys with a public directory

    Trusting One's Public Key


    • Attacks:
    ◇ An impostor claims to be a true party --- impostor has public and private key of victim
    ◇ Impostor sends impostor's own public key to the verifier --- impostor pretends to be victim

    Certificates


    • A digital certificate is a public key and an identity bound together and signed by a certificate authority
    • a certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys
    • imperfect practice

    Certificate hierarchy


    • a single CA certifying every public key is impractical
    • uses trusted root authorities
    • root CA signs certificates for intermediate CAs and they sign certificates for lower-level CAs.
    images\66-7.png

    X.509 certificates


    • framework for authentication services
    ◇ public keys stored as certificates in public directory
    ◇ certificates issued and signed by certification authority
    • used by many applications - SSL

    Key Agreement


    • vulnerable to man in the middle attacks
    ◇ need to verify with the certificate authority
    • Public key encryption
    images\66-8.png
    • Diffie-hellman key-agreement protocol
    ◇ computing discrete logs is computationally hard
    images\66-9.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Number-Theoretic Facts


    • Public key encryption algorithms
    ◇ typically based on number theory and modular arithmetic
    ◇ relies on hardness assumption
    ◇ Two algorithms:
    ▪ RSA
    - Based on the hardness of factoring large numbers
    ▪ El Gamal
    - Based on the hardness of solving discrete logarithm
    - Same idea as Diffie-Hellman key agreement

    Multiplicative inverses


    • x * y mod n = 1
    • multiplicative inverses of the residues modulo 11
    images\66-10.png
    • Theorem
    ◇ An element x in Zn has a multiplicative inverse if and only if x and n are relatively prime.
    • Z = 10
    images\66-11.png
    ◇ If p is prime, every nonzero in Zp has multiplicative inverses

    Multiplicative group


    • all numbers up to n in Zn that have multiplicative inverses

    Totient function Φ(n)


    • denotes order (length) of Z*n
    • e.g. Z*10 = {1,3,7,9). n = 10. Φ(10) = 4
    • if n = p * q, where p and q are distinct primes, then
    ◇ Φ(n) = (p-1)(q-1)
    ◇ difficult problem to find p and q, or order of n, only given N

    Fermat's Little Theorem


    • for each nonzero x in Zp, xp-1 mod p = 1
    • e.g. p = 5
    ◇ 14 mod 5 = 1
    ◇ 34 mod 5 =1

    Euler's Theorem


    • for each element x in Z*n, xΦ(n) mod n =1
    • e.g. n = 10
    ◇ Z*10= {1,3,7,9}. n = 10, Φ(10) = 4
    ◇ 3Φ(10) mod 10 = 1

    Computing Exponents


    • For the multiplicative group Z*n, we can reduce the exponent modulo Φ(n)
    • xy mod n = xy mod Φ(n) mod n

    Euclid's GCD algorithm


    • gcd(a, b) = if b = 0 return a else gcd(b, a mod b);

    Extended Euclidean algorithm


    images\66-12.png

    Computing multiplicative inverse


    • given two numbers a and b, there exist integers x, y s.t. x a + y b = gcd(a,b)
    • can be computed efficiently by the extended Euclidean algorithm
    • the multiplicative inverse of a in Zb exists iff gcd(a,b) = 1
    • The extended Euclidean algorithm computes x and y s.t. xa + yb = 1
    • the multiplicative inverse of a in Zb is x

    Powers


    • Let p be a prime
    ◇ the sequences of successive powers of the elements in Z*p exhibit repeating subsequences
    ◇ the sizes of the repeating subsequences and the number of their repetitions are the divisors of p-1
    images\66-13.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    RSA Algorithm


    General case
    • Setup (run by a given user)
    ◇ n = p * q, with p and q primes
    ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ◇ d inverse of e in ZΦ(n)
    • Keys
    ◇ public key is Kpk = (n, e)
    ◇ private key is Ksk = d
    • Encryption
    ◇ C = Me mod n for plaintext M in Zn
    • Decryption
    ◇ M = Cd mod n
    images\66-14.png
    images\66-15.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Signing with RSA


    • (Md)e = M mod p * q
    • signing algorithm = Sign(M,d,n): σ = Md mod n for message M in Zn
    • verifying algorithm = Vrfy(σ, M, e, n): return M == σe mod n
    • General case
    ◇ Setup
    ▪ n = p * q with p and q primes
    ▪ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ▪ d inverse of e in ZΦ(n)
    ◇ Keys
    ▪ public key is Kpk = (n,e)
    ▪ private key is Ksk = d
    ◇ Sign
    ▪ σ = Md mod n for message M in Zn
    ◇ Verify
    ▪ Check if M = σe mod n
    images\66-16.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n

    Modular Powers


    images\66-17.png

    Pseudo-primality testing


    images\66-18.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ElGamal Encryption Scheme


    images\66-19.png
    images\66-20.png
    +

    lecture 6

    Symmetric Key Cryptography


    • Assumptions
    ◇ Adversary
    ▪ types of attacks
    ◇ trusted setup
    ▪ keys are distributed securely
    ▪ keys remain secret
    ◇ trust basis
    ▪ underlying primitives are secure
    ▪ PRG, PRF, CR-hashing
    • Limitations
    ◇ securely obtain
    ▪ strong assumption to make
    ▪ requires secure channel for key distribution
    ▪ seems impossible for two parties having no prior trust relationship
    ▪ not easily justifiable to hold a prioi
    ◇ shared secret key
    ▪ challenging problem to solve
    ▪ requires too many keys for n parties to communicate
    ▪ too much risk to protect all secret keys
    ▪ revovation complexity

    • 2 approaches to solve key distribution


    ◇ designated secure channels
    ▪ physically protected
    ▪ e.g. sound proof room
    ◇ trusted party
    ▪ entities autorized to dstribute keys
    ▪ e.g. key distribution center

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public key (assymetric cryptography)


    • Goal: devise a cryptosystem where key management is more manageable
    • idea: user-specific keys (that come in pairs)
    ◇ Upk is public
    ◇ Usk is private
    • usage:
    ◇ employ public key for public tasks
    ◇ employ private key for sensitive tasks
    • assumption:
    ◇ public key infrastructure PKI: public keys become securely available to users
    ◇ secret keys remain secret
    ◇ underlying primitives are secure
    images\66-1.png

    Terms


    • asymmetric crypto = public-key crypto
    • symmetric crypto = secret key crypto
    • user's public-key pair = (user's public key, user's private key)
    • user's private key = user's secret key
    • pk = public key
    • sk = secret key

    Encryption


    • Sender and receiver maintain different keys
    • each user has two keys: public and private
    • message encrypted by receiver's public key can only be decrypted by receiver's private key

    Digital signatures


    • Sender and receiver maintain different keys
    • each user has two keys: public and private
    • messages signed by sender's private key can be verified by sender's public key

    Public key pairs and user identities


    • A public-key pair of user U can be specific to a machine or application
    • Gen is a key-generation algorithm to produce (Upk, Usk)
    • Public-key pair is always attached to a user's identity
    • associated with the user's identity

    Public-key infrastructure (PKI)


    • Setting
    ◇ a set of users produce their public-key pairs
    ◇ keys will be used by a public-key cryptosystem
    ▪ each private key is securely stored individually by the user owning the key
    • Where are publish keys stored?
    • How do they remain authenticated?
    • PKI is a mechanism for the secure management of public keys
    ◇ challenging to achieve

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Symmetric vs Asymmetric Crypto


    Key ManagementAssumptionsPrimitivesAdversarial Sampling
    SymmetricLess scalable and riskersecret and authentic communicationgeneric assumptionsoracle access
    secure storagemore efficient in practice
    Asymmetricmore scalable and simplerauthenticity (PKI)number-theoretic assumptionspublic-key operations and oracle access
    secure storageless efficient in practice (2-3 o.o.m)

    images\66-2.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public-key encryption


    • assumes trusted setup
    ◇ PKI (public keys are public) and secure storage (private keys remain private)
    • Many parties can encrypt, but only one party can decrypt
    images\66-3.png
    • defined by message space M and triplet of algorithms (Gen, Enc, Dec)
    ◇ Gen: probabilistic algorithm that outputs a public-key pair (Upk, Usk) for user U
    ◇ Enc: probabilistic algorithm that on input plantextm and public key, outputs ciphertext c
    ◇ Dec: deterministic alogirthm that on input ciphertext c and private key, outputs a plaintext m

    Security


    • CPA-securty -- randomized encryption is required
    • Easy to check (Upk, Usk) is a valid key pair
    • infeasible to produce Usk from Upk
    • the attacker can posses the rcipient's public key
    ◇ all 3 collapse to the same attack type
    ▪ ciphertext-only attack
    ▪ known plaintext attack
    ▪ chosen-plaintext attack
    • EAV-security
    ◇ A scheme is EAV-secure if no PPT attacker can correctly guess b non-negligibly better than randomly guessing
    ▪ even when it can use the recipient's public key pk
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • CPA-security
    ◇ A scheme is CPA-secure if any PPT adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is a negligible function
    ▪ even when it learns the encryptions of messages of its choice
    ▪ one message extends to multiple messages
    ▪ fixed-length messages extends to arbitrary length messages
    ▪ probabilistic encryption is necessary
    • EAV-security implies CPA-security
    • CCA-security
    ◇ attacker posses recipient's public key
    ◇ attacker has access to the decryption oracle
    ◇ attacker is not allowed to use the oracle on the challenge ciphertext
    ◇ probabilistic encryption necessary
    ◇ one message extends to multiple messages
    ◇ fixed length messages DO NOT extend to arbitrary length messages

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hybrid encryption


    images\66-4.png
    • reduces public-key crypto to secret-key crypto
    • better performance
    • apply public-key encryption on random key k
    • use k for secret-key encryption of m
    images\66-5.png
    • Using KEM/DEM approach
    ◇ encapsulate secret key k into c
    ◇ use k for secret-key encryption of m
    ◇ KEM: key-encapsulation mechanism - Encaps
    ◇ DEM: data encapsulation machanism - Enc'
    ◇ KEM/DEM scheme
    ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure
    ▪ CCA-secure if KEM and Enc' are CCA-secure

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Digital Signatures


    • A person can deny that they signed something.
    • Digital signatures make it infeasible to fake

    • Mac for digital signing


    ◇ two parties share a secret key k
    ◇ one party generates MAC on the message to be signed, using k
    ◇ message digest serves as a signature
    ◇ the other party varifies the integrity of the signed message using k
    images\66-6.png

    Properties of Digital Signatures


    • Authentication - receiver can determine that the signature really came from the signer
    • Integrity/unforgeability - no one other than the signer can produce the signature without the signer's private key
    • Non-repudiation - the ability to ensrue that a party cannot deny the authenticity of their signature on a document
    • Not alterable signatures - no signer, receiver, or any interceptor can modify the signature without tampering being evident
    • Not reusable signatures (replay-attack safeness) - any attempt to reuse a previous signature will be detected by the receiver

    Asymmetric-key message authentication


    • Scheme
    ◇ Secret key is sued for signing and public key is used for verification
    ◇ The message m with signature σ is sent.
    • One only party can sign, but multiple parties can verify
    • Assumption: PKI
    • existential unforgeability
    ◇ infeasible for any PPT attacker to forge an invalid but verifiable signature on a new message

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Public Key Certifications


    • public-key pairs are bound to user identities
    • PKI implements a mechanism for securely managing public keys
    • Where to store keys so they are publicly available?
    • How are they secured so they remain authenticated?
    • Challenging to achieve:
    ◇ open, dynamic, multi-user system
    ▪ users can join or leave, or privileges can be revoked
    ◇ user-specific public-key pairs
    ▪ unique key pair is attached to the identity of user U
    ◇ authenticated public keys
    ▪ a user's current public key should be consistently known to everyone

    Distibution of public keys


    • public announcement
    ◇ users can distribute public keys to recipients or broadcast to community at large
    • publicly available directory
    ◇ users can obtain better security by registering keys with a public directory

    Trusting One's Public Key


    • Attacks:
    ◇ An impostor claims to be a true party --- impostor has public and private key of victim
    ◇ Impostor sends impostor's own public key to the verifier --- impostor pretends to be victim

    Certificates


    • A digital certificate is a public key and an identity bound together and signed by a certificate authority
    • a certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys
    • imperfect practice

    Certificate hierarchy


    • a single CA certifying every public key is impractical
    • uses trusted root authorities
    • root CA signs certificates for intermediate CAs and they sign certificates for lower-level CAs.
    images\66-7.png

    X.509 certificates


    • framework for authentication services
    ◇ public keys stored as certificates in public directory
    ◇ certificates issued and signed by certification authority
    • used by many applications - SSL

    Key Agreement


    • vulnerable to man in the middle attacks
    ◇ need to verify with the certificate authority
    • Public key encryption
    images\66-8.png
    • Diffie-hellman key-agreement protocol
    ◇ computing discrete logs is computationally hard
    images\66-9.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Number-Theoretic Facts


    • Public key encryption algorithms
    ◇ typically based on number theory and modular arithmetic
    ◇ relies on hardness assumption
    ◇ Two algorithms:
    ▪ RSA
    - Based on the hardness of factoring large numbers
    ▪ El Gamal
    - Based on the hardness of solving discrete logarithm
    - Same idea as Diffie-Hellman key agreement

    Multiplicative inverses


    • x * y mod n = 1
    • multiplicative inverses of the residues modulo 11
    images\66-10.png
    • Theorem
    ◇ An element x in Zn has a multiplicative inverse if and only if x and n are relatively prime.
    • Z = 10
    images\66-11.png
    ◇ If p is prime, every nonzero in Zp has multiplicative inverses

    Multiplicative group


    • all numbers up to n in Zn that have multiplicative inverses

    Totient function Φ(n)


    • denotes order (length) of Z*n
    • e.g. Z*10 = {1,3,7,9). n = 10. Φ(10) = 4
    • if n = p * q, where p and q are distinct primes, then
    ◇ Φ(n) = (p-1)(q-1)
    ◇ difficult problem to find p and q, or order of n, only given N

    Fermat's Little Theorem


    • for each nonzero x in Zp, xp-1 mod p = 1
    • e.g. p = 5
    ◇ 14 mod 5 = 1
    ◇ 34 mod 5 =1

    Euler's Theorem


    • for each element x in Z*n, xΦ(n) mod n =1
    • e.g. n = 10
    ◇ Z*10= {1,3,7,9}. n = 10, Φ(10) = 4
    ◇ 3Φ(10) mod 10 = 1

    Computing Exponents


    • For the multiplicative group Z*n, we can reduce the exponent modulo Φ(n)
    • xy mod n = xy mod Φ(n) mod n

    Euclid's GCD algorithm


    • gcd(a, b) = if b = 0 return a else gcd(b, a mod b);

    Extended Euclidean algorithm


    images\66-12.png

    Computing multiplicative inverse


    • given two numbers a and b, there exist integers x, y s.t. x a + y b = gcd(a,b)
    • can be computed efficiently by the extended Euclidean algorithm
    • the multiplicative inverse of a in Zb exists iff gcd(a,b) = 1
    • The extended Euclidean algorithm computes x and y s.t. xa + yb = 1
    • the multiplicative inverse of a in Zb is x

    Powers


    • Let p be a prime
    ◇ the sequences of successive powers of the elements in Z*p exhibit repeating subsequences
    ◇ the sizes of the repeating subsequences and the number of their repetitions are the divisors of p-1
    images\66-13.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    RSA Algorithm


    General case
    • Setup (run by a given user)
    ◇ n = p * q, with p and q primes
    ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ◇ d inverse of e in ZΦ(n)
    • Keys
    ◇ public key is Kpk = (n, e)
    ◇ private key is Ksk = d
    • Encryption
    ◇ C = Me mod n for plaintext M in Zn
    • Decryption
    ◇ M = Cd mod n
    images\66-14.png
    images\66-15.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Signing with RSA


    • (Md)e = M mod p * q
    • signing algorithm = Sign(M,d,n): σ = Md mod n for message M in Zn
    • verifying algorithm = Vrfy(σ, M, e, n): return M == σe mod n
    • General case
    ◇ Setup
    ▪ n = p * q with p and q primes
    ▪ e relatively prime to Φ(n) = (p - 1)(q - 1)
    ▪ d inverse of e in ZΦ(n)
    ◇ Keys
    ▪ public key is Kpk = (n,e)
    ▪ private key is Ksk = d
    ◇ Sign
    ▪ σ = Md mod n for message M in Zn
    ◇ Verify
    ▪ Check if M = σe mod n
    images\66-16.png

    Security


    • Sign the hash
    • Current practice is using 2048-bit long RSA keys (617 decimal digits)
    • Plain RSA is deteministic
    • homomorphic

    Issues


    • Requires various algorithms
    ◇ Generation of random numbers
    ◇ primality testing
    ◇ computation of the GCD
    ◇ Computation of the multiplicative inverse

    Real-world usage


    • Randomized RSA
    ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [Ke mod n, AESk(m)]
    ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place
    • Optimal Asymmetric Encryption Padding (OAEP)
    ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H1(r), Y = r ⊕ H2(X)] where H1 and H2 are cryptographic hash functions, then encrypt it as (M')e mod n

    Modular Powers


    images\66-17.png

    Pseudo-primality testing


    images\66-18.png

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ElGamal Encryption Scheme


    images\66-19.png
    images\66-20.png
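Review bot: the exponents in the Number-Theoretic Facts, RSA Algorithm and Signing with RSA sections have lost their superscript markup, so several formulas now read as false statements: `xp-1 mod p = 1` (Fermat) is meant as x^(p-1) mod p = 1, `xy mod n = xy mod Φ(n) mod n` (Computing Exponents) is meant as x^y mod n = x^(y mod Φ(n)) mod n, and `(Md)e = M mod p * q`, `C = Me mod n`, `σ = Md mod n` all need their exponents marked (the worked values `14 mod 5 = 1` and `34 mod 5 = 1` are 1^4 and 3^4); write the exponent with an explicit ^ or keep the sup tags in the export. Two correctness points in the same region: under Computing multiplicative inverse, the x from xa + yb = 1 can be negative, so the inverse of a in Zb is x mod b rather than x as written; and under Asymmetric-key message authentication, "forge an invalid but verifiable signature" is self-contradictory, the property is that no PPT attacker can produce a signature that verifies on a message the signer never signed. Smaller presentation issues: `Z*10 = {1,3,7,9)` has a mismatched bracket, `Z = 10` under Multiplicative inverses presumably means Zn with n = 10, and the Symmetric vs Asymmetric Crypto table has lost its cell separators (the header `Key ManagementAssumptionsPrimitivesAdversarial Sampling` runs four columns together). Spelling carried into this version should be fixed at the source: a prioi, revovation, autorized to dstribute, assymetric, plantextm, alogirthm, securty, rcipient, machanism, varifies, ensrue, sued for signing, deteministic, Distibution.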
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306--lectures.html b/notes.ctb_HTML/cs306--lectures.html index a160277..a8146d8 100644 --- a/notes.ctb_HTML/cs306--lectures.html +++ b/notes.ctb_HTML/cs306--lectures.html @@ -142,5 +142,5 @@
  • homework
  • -

    lectures


    +

    lectures


    lectures
    lecture 1
    Definitions
    Examples of Controls
    Examples of threats
    Examples of vulnerability
    CIA triad
    Ways to neutralize threats or remove vulnerabilities
    lecture 2
    Definitions
    Why
    Symmetric-key encryption
    Kerckhoff's principle
    Applications of Symmetric Keys
    Attacks on symmetric encryption
    Brute Force
    Perfect correctness
    Perfect Security
    • Definition 1
    • Definition 2
    One time pad
    • Weaknesses
    Modern cryptography
    Symmetric encryption and Modern Cryptography example
    lecture 3
    Shannon's theorem
    Computational Security - Relax Perfectness
    • Definition
    Almost optimal security
    Alternative Approach
    Classical Ciphers
    Substituion cipher
    Caesar's cipher
    Shift Cipher
    Mono-alphabetic substituion cipher
    Vigenere cipher
    Stream Ciphers
    Block Ciphers
    Stream vs Block ciphers
    Perfect encryption of a block
    Primitive techniques for symmetric-key encryption
    Substitution boxes
    DES: Data Encryption Standard
    AES: Advanced Encryption System
    DES vs AES
    Block Cipher Modes
    ECB: Electronic Code Book
    CBC: Cipher Block Chaining
    lecture 4
    Possible Eavesdropping Attacks
    Perfect EAV-security
    Computational security
    Computational EAV-security
    CPA-security
    Pseudo-randomness
    Linear congruential generator
    Example
    Security
    PRG security
    PRG-based symmetric-key encryption scheme
    Modes of operation for stream ciphers
    Pseudorandom functions
    PRF Security
    PRF-based symmetric-key encryption scheme
    Modes of Operations for block ciphers
    ECB - electronic code book
    CBC - Cipher block chaining
    Chained CBC
    OFB - Output Feedback
    CTR - Counter Mode
    Additional Notes
    Security problems studied by modern cryptography
    Message Authentication
    Examples of attacks
    Integrity of communications / computations
    Symmetric-key message authentication
    Applications
    Symmetric-key message authentication code (MAC)
    Security of MACs
    MAC constructions
    Fixed-length MAC
    Domain extension for MACs
    CBC-MAC
    Authenticated encryption
    Secrecy vs Integrity
    Authenticated encryption constructions
    Encrypt-and-authenticate
    Authenticate-then-encrypt
    Encrypt-then-authenticate
    Application of Authenticated Encryption
    Hash Functions
    Collision resistance (CR)
    Security
    Merkle-Damgard transform
    Davies-Meyer Scheme
    lecture 5
    Strengthening computational EAV security
    Strengthening vs weakening security
    Hash Functions
    MD5 - Message Digest Algorithm
    SHA1 - Secure Hash Algorithm
    SHA2
    SHA3
    Attacks against cryptographic hashing
    Efficient MAC
    Insecure MAC based on hashing
    HMAC: Secure MAC based on hashing
    Message Digest
    Secure Cloud storage
    • Plain Model
    • Secure Cloud Storage Model
    Hashing files as a whole
    Hashing files separately
    Merkle Tree
    Digital Envelops / Commitment Schemes
    Online auction
    Coin Flip - Who's doing the dishes
    Forward-secure key rotation
    File Identifiers
    • Virus fingerprinting
    • Peer to peer file sharing
    • Data deduplication
    • Password hashing
    • Digital Signatures and hashing
    lecture 6
    Symmetric Key Cryptography
    • 2 approaches to solve key distribution
    Public key (assymetric cryptography)
    Terms
    Encryption
    Digital signatures
    Public key pairs and user identities
    Public-key infrastructure (PKI)
    Symmetric vs Asymmetric Crypto
    Public-key encryption
    Security
    Hybrid encryption
    Digital Signatures
    • Mac for digital signing
    Properties of Digital Signatures
    Asymmetric-key message authentication
    Public Key Certifications
    Distibution of public keys
    Trusting One's Public Key
    Certificates
    Certificate hierarchy
    X.509 certificates
    Key Agreement
    Number-Theoretic Facts
    Multiplicative inverses
    Multiplicative group
    Totient function Φ(n)
    Fermat's Little Theorem
    Euler's Theorem
    Computing Exponents
    Euclid's GCD algorithm
    Extended Euclidean algorithm
    Computing multiplicative inverse
    Powers
    RSA Algorithm
    Signing with RSA
    Security
    Issues
    Real-world usage
    Modular Powers
    Pseudo-primality testing
    ElGamal Encryption Scheme


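Review bot: the index on the + side repeats the heading `lectures` at the top (once as the page title, once as the tree root), and it carries over typos from the node titles that will reappear in every exported page until the node names themselves are fixed: Substituion cipher, Mono-alphabetic substituion cipher, assymetric, Distibution of public keys, Digital Envelops, and `AES: Advanced Encryption System`, where the S stands for Standard. Several entries are also ambiguous in a flat index because they reuse a bare heading: `Security` occurs under lecture 4, under lecture 5 (Hash Functions) and twice under lecture 6 (after Public-key encryption and after Signing with RSA), and `Hash Functions` and `Digital Signatures` each appear twice; giving these nodes qualified titles (e.g. `Security` to `Security of public-key encryption`) would make the index navigable.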
    \ No newline at end of file diff --git a/notes.ctb_HTML/cs306.html b/notes.ctb_HTML/cs306.html index e4265d6..c37456f 100644 --- a/notes.ctb_HTML/cs306.html +++ b/notes.ctb_HTML/cs306.html @@ -142,5 +142,5 @@
  • homework
  • -

    cs306

    Logistics
    • The exam will take place during our class meeting time, that is, on Tuesday, October 17, at 10am.• Unless accommodations are to be provided - in this case, I'll contact you in a different message.

    • The exam will be with closed books and no use of electronic devises (cell phones, laptops, etc.) or other notes is allowed.
    • The exam will cover all materials that we have covered in class thus far.
    • The exam will be designed so that well-prepared students can finish it at most within an hour. However, you can take as much time as you need, but exams will be collected at the end of the class meeting time, i.e., at 12:30pm.
    Preparation
    • The exam will cover basic concepts (and typically at a high level) that we have studied in lectures, labs and homework HW#1.
    • The best way to prepare for the exam is to go through the (updated) posted lecture notes, the quizzes and your homework.
    • Most important topics for each one of Lectures 1 - 6 are as follows - but note that sometimes topics were covered in more than one lectures and that the exam will not necessarily cover only topics for the following list):
    • Lecture 1: Basic security concepts & terms
    • Lecture 2: One time pad & perfect secrecy
    • Lecture 3: Computational security, modes of operations
    • Lecture 4: Pseudorandomness, MACs
    • Lecture 5: Hash functions & applications
    • Lecture 6: Public-key encryption, signatures, key management
    +

    cs306


    Logistics
    • The exam will take place during our class meeting time, that is, on Tuesday, October 17, at 10am.• Unless accommodations are to be provided - in this case, I'll contact you in a different message.

    • The exam will be with closed books and no use of electronic devises (cell phones, laptops, etc.) or other notes is allowed.
    • The exam will cover all materials that we have covered in class thus far.
    • The exam will be designed so that well-prepared students can finish it at most within an hour. However, you can take as much time as you need, but exams will be collected at the end of the class meeting time, i.e., at 12:30pm.
    Preparation
    • The exam will cover basic concepts (and typically at a high level) that we have studied in lectures, labs and homework HW#1.
    • The best way to prepare for the exam is to go through the (updated) posted lecture notes, the quizzes and your homework.
    • Most important topics for each one of Lectures 1 - 6 are as follows - but note that sometimes topics were covered in more than one lectures and that the exam will not necessarily cover only topics for the following list):
    • Lecture 1: Basic security concepts & terms
    • Lecture 2: One time pad & perfect secrecy
    • Lecture 3: Computational security, modes of operations
    • Lecture 4: Pseudorandomness, MACs
    • Lecture 5: Hash functions & applications
    • Lecture 6: Public-key encryption, signatures, key management

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    cs306
    lectures
    lecture 1
    Definitions
    Examples of Controls
    Examples of threats
    Examples of vulnerability
    CIA triad
    Ways to neutralize threats or remove vulnerabilities
    lecture 2
    Definitions
    Why
    Symmetric-key encryption
    Kerckhoff's principle
    Applications of Symmetric Keys
    Attacks on symmetric encryption
    Brute Force
    Perfect correctness
    Perfect Security
    • Definition 1
    • Definition 2
    One time pad
    • Weaknesses
    Modern cryptography
    Symmetric encryption and Modern Cryptography example
    lecture 3
    Shannon's theorem
    Computational Security - Relax Perfectness
    • Definition
    Almost optimal security
    Alternative Approach
    Classical Ciphers
    Substituion cipher
    Caesar's cipher
    Shift Cipher
    Mono-alphabetic substituion cipher
    Vigenere cipher
    Stream Ciphers
    Block Ciphers
    Stream vs Block ciphers
    Perfect encryption of a block
    Primitive techniques for symmetric-key encryption
    Substitution boxes
    DES: Data Encryption Standard
    AES: Advanced Encryption System
    DES vs AES
    Block Cipher Modes
    ECB: Electronic Code Book
    CBC: Cipher Block Chaining
    lecture 4
    Possible Eavesdropping Attacks
    Perfect EAV-security
    Computational security
    Computational EAV-security
    CPA-security
    Pseudo-randomness
    Linear congruential generator
    Example
    Security
    PRG security
    PRG-based symmetric-key encryption scheme
    Modes of operation for stream ciphers
    Pseudorandom functions
    PRF Security
    PRF-based symmetric-key encryption scheme
    Modes of Operations for block ciphers
    ECB - electronic code book
    CBC - Cipher block chaining
    Chained CBC
    OFB - Output Feedback
    CTR - Counter Mode
    Additional Notes
    Security problems studied by modern cryptography
    Message Authentication
    Examples of attacks
    Integrity of communications / computations
    Symmetric-key message authentication
    Applications
    Symmetric-key message authentication code (MAC)
    Security of MACs
    MAC constructions
    Fixed-length MAC
    Domain extension for MACs
    CBC-MAC
    Authenticated encryption
    Secrecy vs Integrity
    Authenticated encryption constructions
    Encrypt-and-authenticate
    Authenticate-then-encrypt
    Encrypt-then-authenticate
    Application of Authenticated Encryption
    Hash Functions
    Collision resistance (CR)
    Security
    Merkle-Damgard transform
    Davies-Meyer Scheme
    lecture 5
    Strengthening computational EAV security
    Strengthening vs weakening security
    Hash Functions
    MD5 - Message Digest Algorithm
    SHA1 - Secure Hash Algorithm
    SHA2
    SHA3
    Attacks against cryptographic hashing
    Efficient MAC
    Insecure MAC based on hashing
    HMAC: Secure MAC based on hashing
    Message Digest
    Secure Cloud storage
    • Plain Model
    • Secure Cloud Storage Model
    Hashing files as a whole
    Hashing files separately
    Merkle Tree
    Digital Envelops / Commitment Schemes
    Online auction
    Coin Flip - Who's doing the dishes
    Forward-secure key rotation
    File Identifiers
    • Virus fingerprinting
    • Peer to peer file sharing
    • Data deduplication
    • Password hashing
    • Digital Signatures and hashing
    lecture 6
    Symmetric Key Cryptography
    • 2 approaches to solve key distribution
    Public key (assymetric cryptography)
    Terms
    Encryption
    Digital signatures
    Public key pairs and user identities
    Public-key infrastructure (PKI)
    Symmetric vs Asymmetric Crypto
    Public-key encryption
    Security
    Hybrid encryption
    Digital Signatures
    • Mac for digital signing
    Properties of Digital Signatures
    Asymmetric-key message authentication
    Public Key Certifications
    Distibution of public keys
    Trusting One's Public Key
    Certificates
    Certificate hierarchy
    X.509 certificates
    Key Agreement
    Number-Theoretic Facts
    Multiplicative inverses
    Multiplicative group
    Totient function Φ(n)
    Fermat's Little Theorem
    Euler's Theorem
    Computing Exponents
    Euclid's GCD algorithm
    Extended Euclidean algorithm
    Computing multiplicative inverse
    Powers
    RSA Algorithm
    Signing with RSA
    Security
    Issues
    Real-world usage
    Modular Powers
    Pseudo-primality testing
    ElGamal Encryption Scheme
    Notes
    Block Cipher Modes
    ECB
    ECB: Electronic Code Book
    CBC
    CBC: Cipher Block Chaining
    Chained CBC
    Chained CBC
    OFB
    OFB - Output Feedback
    CTR
    CTR - Counter Mode
    Stream Cipher Modes
    Encryption
    Symmetric vs Asymmetric Crypto
    symmetric
    Symmetric Key Cryptography
    • 2 approaches to solve key distribution
    One Time Pad
    • Weaknesses
    classical ciphers
    Subsitution Cipher
    Substituion cipher
    Mono-alphabetic substituion cipher
    Mono-alphabetic substituion cipher
    Caesar's Cipher
    Caesar's cipher
    Shift Cipher
    Shift Cipher
    Vigenere cipher
    Vigenere cipher
    Substitution Boxes
    Substitution boxes
    DES
    DES: Data Encryption Standard
    DES vs AES
    AES
    AES: Advanced Encryption System
    DES vs AES
    asymmetric
    Public-key encryption
    Security
    hybrid encryption
    Hybrid encryption
    algorithms
    El Gamal
    RSA
    RSA Algorithm
    Security
    Issues
    Real-world usage
    Pseudo randomness
    Pseudorandom functions
    Linear congruential generator
    Example
    Security
    Message Authentication
    MAC constructions
    Properties
    MAC
    CBC
    CBC-MAC
    Domain extension
    Domain extension for MACs
    Fixed Length
    Fixed-length MAC
    Hashing
    Efficient MAC
    Insecure
    Insecure MAC based on hashing
    HMAC
    HMAC: Secure MAC based on hashing
    Digital Signatures
    Digital Signatures
    • Mac for digital signing
    Properties of Digital Signatures
    Asymmetric-key message authentication
    Asymmetric-key message authentication
    RSA
    Signing with RSA
    Security
    Issues
    Real-world usage
    Authenticated encryption
    Authenticated encryption constructions
    Encrypt-and-authenticate
    Encrypt-and-authenticate
    Authenticate-then-encrypt
    Authenticate-then-encrypt
    Encrypt-then-authenticate
    Encrypt-then-authenticate
    Hashes
    Hash Functions
    Collision resistance (CR)
    Security
    Constructing
    Merkle-Damgard
    Merkle-Damgard transform
    Davies-Meyer
    Davies-Meyer Scheme
    Functions
    MD5
    MD5 - Message Digest Algorithm
    SHA1
    SHA1 - Secure Hash Algorithm
    SHA2
    SHA2
    SHA3
    SHA3
    Applications
    MAC
    Efficient MAC
    Insecure
    Insecure MAC based on hashing
    HMAC
    HMAC: Secure MAC based on hashing
    Cloud Storage
    Plain
    Secure
    • Secure Cloud Storage Model
    whole file
    Hashing files as a whole
    separate file
    Hashing files separately
    merkle tree
    Merkle Tree
    Digital Envelops / Commitment Schemes
    Digital Envelops / Commitment Schemes
    Online auction
    Coin Flip - Who's doing the dishes
    Forward-secure key rotation
    Forward-secure key rotation
    File Identifiers
    File Identifiers
    • Virus fingerprinting
    • Peer to peer file sharing
    • Data deduplication
    • Password hashing
    • Digital Signatures and hashing
    Attacks
    Types of Security
    Labs
    Lab 1
    Lab 2
    Lab 3
    Lab 4
    Lab 5
    Lab 6
    homework
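Review bot: the Logistics list on the + side still has two bullets fused on one line (`• The exam will take place ... at 10am.• Unless accommodations are to be provided`) followed by a blank line that splits the list, and the old typos survive unchanged: `electronic devises` should be devices, `more than one lectures` should be lecture, and `the following list):` closes a parenthesis that was never opened. Since the - and + sides of this hunk are identical apart from one added blank line and the appended tree index, this was the place to fix them. In the appended index, `Subsitution Cipher` and `Substituion cipher` are two different misspellings of the same node, `AES: Advanced Encryption System` should read Standard, and the many consecutive duplicated entries (Chained CBC, Shift Cipher, Vigenere cipher, SHA2, SHA3, Forward-secure key rotation, File Identifiers, Digital Envelops / Commitment Schemes, Encrypt-and-authenticate, Authenticate-then-encrypt, Encrypt-then-authenticate) indicate a grouping node that shares its child's title; omitting the grouping node from the export or giving it a distinct title would remove the duplicates.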
    \ No newline at end of file diff --git a/notes.ctb_HTML/images/58-1.png b/notes.ctb_HTML/images/58-1.png new file mode 100644 index 0000000..eb9358d Binary files /dev/null and b/notes.ctb_HTML/images/58-1.png differ diff --git a/notes.ctb_HTML/images/2-1.png b/notes.ctb_HTML/images/67-1.png similarity index 100% rename from notes.ctb_HTML/images/2-1.png rename to notes.ctb_HTML/images/67-1.png