CMSC 414 Computer and Network Security Lecture 4 - PowerPoint PPT Presentation

Slides: 14
Provided by: jka9
Learn more at: http://www.cs.umd.edu
Transcript and Presenter's Notes

1
CMSC 414 Computer and Network Security Lecture 4
  • Jonathan Katz

2
HW1 out
3
Randomized encryption
  • Deterministic encryption schemes cannot be secure
    against chosen-plaintext attacks
  • Nor can they be secure for encrypting multiple
    messages
  • To be secure against chosen-plaintext attack,
    encryption must be randomized
  • Moral: always use randomized encryption!

4
Block ciphers
  • Keyed, invertible permutation F
  • Large key space, large block size
  • Modeled as a (family of) random permutations
  • A block cipher is not an encryption scheme
  • A block cipher can be used to build an encryption
    scheme (and other things as well)
  • Example: the trivial encryption scheme
  • $C = F_K(m)$
  • This is not randomized

5
Data Encryption Standard (DES)
  • Developed in 1970s by IBM / NSA / NBS
  • Non-public design process
  • 56-bit key, 64-bit input/output
  • A 64-bit key is derived from 56 random bits
  • One bit in each octet is a parity-check bit
  • The short key length is a major concern
  • The short block length is also a concern

6
Concerns about DES
  • Short key length
  • DES cracker, built for $250K, can break DES in
    days
  • Computation can be distributed to make it faster
  • Does not mean DES is insecure; depends on
    desired security
  • Short block length
  • Repeated blocks happen too frequently
  • Some (theoretical) attacks have been found
  • Claimed known to DES designers 15 years before
    public discovery!
  • Non-public design process

7
3DES/triple-DES
  • Expands the key length
  • Now, key $K = (K_1, K_2)$; $|K| = 112$
  • The new block cipher is just
  • $E_{K_1,K_2}(m) = \mathrm{DES}_{K_1}(\mathrm{DES}^{-1}_{K_2}(\mathrm{DES}_{K_1}(m)))$
  • This is a permutation, and invertible
  • Fairly slow, but widely used in practice

8
AES
  • Public contest sponsored by NIST in '97
  • Narrowed to 5 finalists
  • 4 years of intense analysis
  • Rijndael selected as the AES
  • Supports variety of block/key sizes, but defaults
    to 128-bit key length and 128-bit block length
  • $2^{128}$ is a huge number
  • Number of seconds since big bang (estimate): $2^{58}$
  • Number of nanoseconds since big bang: $2^{90}$
  • Both efficiency and security taken into account
  • The most secure finalist was not the one chosen

9
Other block ciphers?
  • No compelling reason to use anything other than
    AES, in general
  • Unless (possibly) you have very severe
    performance requirements
  • Even then, think twice
  • Same goes for stream ciphers

10
Modes of encryption
  • Used for encrypting a long message $m_1, \ldots, m_n$
  • ECB
  • $c_i = F_K(m_i)$; the ciphertext is $c_1, \ldots, c_n$
  • CBC
  • IV; $c_i = F_K(m_i \oplus c_{i-1})$; the ciphertext is IV, $c_1, \ldots, c_n$
  • OFB (stream cipher mode)
  • IV; $z_i = F_K(z_{i-1})$; $c_i = z_i \oplus m_i$; the ciphertext is IV, $c_1, \ldots, c_n$
  • CTR (stream cipher mode)
  • IV; $z_i = F_K(IV + i)$; $c_i = z_i \oplus m_i$; the ciphertext is IV, $c_1, \ldots, c_n$
  • Others

11
Security?
  • ECB should not be used
  • Why?
  • CBC, OFB, and CTR modes are secure against
    chosen-plaintext attacks
  • CBC, OFB, and CTR modes are not secure against
    chosen-ciphertext attacks

12
Message integrity
13
Encryption does not provide integrity
  • Since encryption garbles the message, decryption
    of a ciphertext generated by an adversary must be
    unpredictable
  • WRONG
  • E.g., one-time pad, CBC-/CTR-mode encryption
  • Why is this a concern?
  • Lack of integrity can lead to lack of secrecy
  • Almost always, integrity is needed in addition to
    secrecy
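
The point of this slide, as an added example that is not part of the original lecture: CTR mode as defined on the modes slide, showing that a ciphertext changed without the key decrypts to a predictable message, and that a MAC over the IV and ciphertext detects the change. Truncated HMAC-SHA256 standing in for F_K, the helper names, the sample message and the encrypt-then-MAC check are all assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per block (128 bits)

def F(key, x):
    # Stand-in for F_K (assumption, not AES): truncated HMAC-SHA256; CTR only needs F_K forwards.
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, iv, n):
    # z_i = F_K(IV + i) for i = 1, 2, ..., concatenated and cut to n bytes
    base, z, i = int.from_bytes(iv, "big"), b"", 1
    while len(z) < n:
        z += F(key, ((base + i) % 2 ** (8 * BLOCK)).to_bytes(BLOCK, "big"))
        i += 1
    return z[:n]

def ctr_encrypt(key, m):
    iv = os.urandom(BLOCK)  # a fresh random IV is what makes encryption randomized
    return iv, xor(m, keystream(key, iv, len(m)))

def ctr_decrypt(key, iv, c):
    return xor(c, keystream(key, iv, len(c)))

def flip(c, offset, known, wanted):
    # No key involved: XORing (known ^ wanted) into c changes the plaintext the same way.
    d = xor(known, wanted)
    return c[:offset] + xor(c[offset:offset + len(d)], d) + c[offset + len(d):]

def mac_tag(mac_key, iv, c):  # encrypt-then-MAC over IV and ciphertext (assumption)
    return hmac.new(mac_key, iv + c, hashlib.sha256).digest()

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    m = b"PAY TO=alice AMOUNT=0000100 USD"  # constructed sample message
    iv, c = ctr_encrypt(enc_key, m)
    t = mac_tag(mac_key, iv, c)
    forged = flip(c, m.index(b"0000100"), b"0000100", b"9999999")
    return {
        "honest": ctr_decrypt(enc_key, iv, c),
        "tampered": ctr_decrypt(enc_key, iv, forged),
        "randomized": ctr_encrypt(enc_key, m)[1] != c,
        "tag_ok_honest": hmac.compare_digest(t, mac_tag(mac_key, iv, c)),
        "tag_ok_tampered": hmac.compare_digest(t, mac_tag(mac_key, iv, forged)),
    }
```

Decryption alone accepts the modified ciphertext and returns the altered amount; only the tag comparison rejects it.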