CMSC 414 Computer and Network Security Lecture 4

1
CMSC 414Computer (and Network) SecurityLecture
4

• Jonathan Katz

2
Some examples

• (Shift cipher)
• (Substitution cipher)
• (Vigenere cipher)

3
Moral of the story?

• Key space should be large
• Necessary, but not sufficient
• Dont use simple schemes
• Thoroughly analyze schemes before using
• Better yet, use schemes that other, smarter
  people have already analyzed

4
Re-thinking the problem

• What do we mean by security?
• I.e., not being able to determine the key??
• Types of attacks
• Perfect security
• One-time pad
• Computational security
• Block ciphers and modes of encryption
• DES and AES

5
Notions of Security

• What constitutes a break?
• What kind of attacks?
• Note always assume adversary knows full details
  of the scheme (except the key)
• Never aim for security through obscurity

6
Security goals?

• Adversary unable to recover the key
• Necessary, but meaningless on its own
• Adversary unable to recover entire plaintext
• Good, but is it enough?
• Adversary unable to determine any information at
  all about the plaintext
• Sounds great!
• Can we achieve it?

7
One-time pad

• (One-time pad)

8
Properties of one-time pad?

• Achieves perfect secrecy (proof)
• No eavesdropper (no matter how powerful) can
  determine any information whatsoever about the
  plaintext
• (Essentially) useless in practice
• Long key length
• Can only be used once (hence the name!)

9
Weaken security guarantee?

• Instead of requiring that no adversary can learn
  anything about the plaintext
• require that no adversary running in any
  reasonable amount of time can learn anything
  about the plaintext except with very small
  probability
• Reasonable time 106 years
• Very small probability 2-64
• Computational security

10
Simpler characterization?

• Equivalent to the following, simpler definition
• Given a ciphertext C which is known to be an
  encryption of either M0 or M1, an adversary
  cannot guess which one was actually encrypted
• More precisely, no adversary running in
  reasonable amount of time can guess correctly
  with probability significantly better than ½.

11
The take-home message

• Weakening the definition slightly allows us to
  construct much more efficient schemes!
• Strictly speaking, no longer 100 absolutely
  guaranteed to be secure
• Security of encryption now depends on security of
  building blocks (which are analyzed extensively,
  and are assumed to be secure)
• Given enough time, the scheme can be broken

12
Security?

• We now have a working definition of what it means
  for encryption to be secure
• What sort of attacks should we consider?

13
Attacks

• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext (includes chosen plaintext
  attacks)

14
Attacks

• A typical standard is security against
  chosen-plaintext attacks
• Security against chosen-ciphertext attacks is
  increasingly required
• Note that the one-time pad is insecure against
  known-plaintext attack

15
Randomized encryption

• To be secure against chosen-plaintext attack,
  encryption must be randomized
• We will see later how this comes into play

16
Block ciphers

• Keyed permutation input/output length
• Large key space
• Modeled as a (family of) random permutations
• Example trivial encryption
• C FK(m)
• This is not randomized