• Block Ciphers: Work on fixed blocks of data • Current commonly used block ciphers use 128 bit blocks Visualizing&Ideal&Block&Cipher& 128& &bits& 1011….00 0000…00000 0000….11 0000…00001 1001….00 1111….1110 1100….11 1111….1111 Randomly&mapped&lookup&table&of&size&2&^128&& 128& &bits& Input& Output& Random&& mapping&
encryption scheme must depend only on the secrecy of the key Ke , and not on the secrecy of the algorithm Why? • Algorithms are hard to change • It is difficult to get cryptographic algorithms right and it is better to publish it for analysis.
messages that are multiple of block size • If message is not a multiple of block size, padding is required • Two common padding schemes: • Append 128 and then as many 0s as needed to make message a multiple of block size • Determine number of bytes required n > 0 to make it a multiple of block size. Add n bytes, each with value n DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00 DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04 DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08
ciphers as an input along with the key • Fixed IV : IV that doesn’t change • Counter IV: IV=0 for first message, IV = 1 for second etc. • Random IV: Large random number as IV for each message • Nonce-Generated IV: “Number used once” per key • Message numbers • Random number + message number
if two messages start with the same plaintext block? • Counter IV: If first block of messages have simple difference, the XOR with a counter may cancel them out. • Random IV : Good. But requires a random number to be sent • Nonce IV: Good. Use a smaller random number + counter.
changes the first block by performing a XOR with (Buy Sell) • So first block becomes: • c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell) • i.e. c = E(Ke, Nonce||1) ⊕ Sell • So, Bob gets: Sell INTC 50 90 shares
• Her goal this time is to ensure that Eve can’t change the message. • Doesn’t care about confidentiality (to keep things simple) • She looks up hash functions
Given a hash h it should be difficult to find any message m such that h = hash(m). • Second pre-image resistance • Given an input m1 it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2). • Collision resistance • It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2).
SHA1 : Avoid. Not recommended for usage. Only use if system gives you no other choice. • SHA2 : Use this. • SHA3 (not finalized) • One of the properties (bug ?) of the hash functions above is that • If m = m1, m2 • H(m) = h(h(m1),m2) • This is called the length extension issue
(K,m) = H((K opad) || H((K ipad) || m)) • opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant), • ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant). Other MACs are available, but this is the most commonly recommended
then MAC the whole thing • For example Send: • { message1_length= aa; message1=“M1”; message2_length=bb; message2=“M2”; } HMAC ({….}) "AuthenVcate&what&is&being&meant,¬&what&is&being&said”&
IV=0 and return the last block as the MAC • H0 = IV. IV Should be fixed. Generally 0. • Hi = E(K, Pi ⊕ Hi-1 ) • MAC = Hk • Why IV= 0? • CBC-MAC is good and secure, but suffers from certain types on collision attacks. • So, use CMAC.
the way last block is handled • Generate two keys k1 & k2 from the MAC key k • Calculate MAC using CBC-MAC except for last block. • Change the last block (mn ′) to following before applying CBC-MAC • If mn ′ is a complete block • mn = k1 ⊕ mn ′ • else mn = k2 ⊕ (mn ′∥ 10…02 ).
about the messages except for the timing and size • Bob should only get proper messages and is able to figure out the correct order. • Duplicates are detected • Message modifications are detected • By now you have probably guessed that this can be achieved by combination of Encryption and Authentication
• Eve only gets to see ciphertext and encrypted MAC • Much harder to attack MAC • This is fine to use. • Potential timing attacks with padding (TLS Lucky 13 attack)
drop invalid message fast without decryption • Is not in fully line with Horton’s principal • There may be ambiguity • This is good to use • We will use this and add authenticated headers for removing ambiguity
"Enc Alice to Bob") • KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice") • KEYSENDAUTH ← HMAC-SHA2(K,"Auth Alice to Bob") • KEYRECAUTH ← HMAC-SHA2(K,"Auth Bob to Alice") • Swap Encryption & Decryption key if message is from Bob to Alice
of blocks encrypted with an AES 128 bit key < 264-1 • This is because after 264 block you will be able to distinguish from random • To ensure that, we use counter for message sent from Alice to Bob never repeats and number of blocks encrypted < 264 • Counter = (Cab || i) for the ith block in this particular message. • Ensure that Cab < 232 -1 • Ensure that length(m) < 232 -1 * block_size
Last received Cab • Check HMAC of the message • Drop if it does not match • Store Cab . Check Version. • Decrypt using AES CTR • Counter = (Cab || i) for the ith block • Check type and process accordingly. Version Cab Length Header Encrypted message HMAC-SHA2 Type Message
as part of the protocol) • Always check: • p = Nq +1 • (gx)q = 1 mod p, g ≠ 1, gx ≠ 1 • Make sure q is a large enough prime (≥ 256 bits) • Make sure p is large enough prime (≥ 2048 bits)
way to authenticate messages. • We will see how to do that in Public/Private key cryptography • Authenticated DH Protocol • First we will look at RSA Public Private Key cryptography
large prime numbers p & q • Calculate n = p *q • Compute t = (p-1)(q-1) OR t = lcm (p-1,q-1) • Choosing t like this implies • xt = 1 mod n • xt+1 = x mod n • Proof by authority !
this implies xkt+1 = x mod n • Proof by authority ! • Choose ed = 1 mod t , i.e. ed = t + 1 • Common e value is 216 + 1 = 65,537 • Public Key : n,e • Private Key : n, d
q = 53 • n = 61*53 = 3233 • t = (p-1)(q-1) = (61-1)(53-1) = 3120 • Let e = 17. Then solving for ed = 1 mod t • d = 2753 • 2753*17 = 15*3120 +1 • 46801 = 46800 + 1
• m = cd mod n • X = (me)d mod n • We know ed = kt +1 • X = mkt+1 mod n • Or X = (mt)k * m mod n • We also know, for any x: xt = 1 mod n • So X = (1)k * m mod n = m • Hence we can decrypt !
for signing and encryption • Signing: RSA-PSS (RSA –Probabilistic signature scheme) • Encryption: RSA-OAEP (RSA-Optimal asymmetric encryption protocol) • Don’t use same key for encryption and signing • Attacker may be able to exploit decryption (public key) for getting signatures (private key) from you or other way around • Encryption keys and signing keys generally have different lifetimes
of form y2 = x3+ ax + b mod p, where p is a large prime and operation point addition + • P + P +…+ P = dP = T • Given dP and P, it should be hard to compute d. • d is kept secret like a private key • Intuitively: P+P+P… for very large d (>160 bits) Source:&Chapter&9&of&Understanding&Cryptography&by&Christof&Paar&and&Jan&Pelzl&
based on the discrete logarithm problem. • ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160-256 bits) vs (1024-3072 bits) • ECC can be used for key exchange, signatures and encryption • ECC generally has performance advantage over RSA
as part of the protocol) • Always check: • p = Nq +1 • (gx)q = 1 mod p, g ≠ 1, gx ≠ 1 • Make sure q is a large enough prime (≥ 256 bits) • Make sure p is large enough prime (≥ 2048 bits)
PKI : Public key infrastructure • Why random numbers are important? • Clocks and monotonic counters • Storing secrets • Analysis of common protocols • TLS • Sigma key exchange • IKE and IPSEC