CMSC 414 Computer (and Network) Security Lecture 8

1
CMSC 414Computer (and Network) SecurityLecture
8

• Jonathan Katz

2
Administrative stuff

• HW2 (will be) out
• Due in 2 weeks
• Two papers (will be) linked from syllabus
• Discuss one of these next time

3
Integrity of messages
4
Integrity vs. secrecy

• Integrity and secrecy are distinct concerns
• Secrecy passive eavesdropper cannot get any
  information about the message
• Integrity active attacker cannot change the
  message (without being detected)
• Important
• Authentication does not provide secrecy
• Encryption does not provide integrity

5
Scenarios

• Possibility of active attacks?
• Malicious routers
• Radio broadcast
• Even the best message integrity scheme does not
  protect against replay attacks
• Protect against this at the application level

6
Cryptographic integrity

• Non-cryptographic checksums
• Meant to defend against (random) errors
• Not meant to defend against active attacks
• Must use cryptographic techniques

7
Private-key case

• Message authentication codes (MACs)
• Attack model and definition of security
• Example CBC MAC
• CBC MAC is secure if the underlying block cipher
  is secure
• CBC encryption does not authenticate data

8
Some final notes

• Non-repudiation?
• How to achieve encryption and integrity?
• Secure channels
• Trivial approaches do not work
• Encrypt-then-mac
• Must use distinct keys
• Special-purpose modes

9
Public-key case

• Digital signature schemes (signatures)
• Attack model and definition of security
• Should be obvious that public-key encryption
  provides no authentication at all

10
Important point

• Signing and decrypting are not the same
• In general, signing a message by decrypting
  it is a BAD idea
• Having said that

11
RSA signatures I

• Textbook RSA
• Why textbook RSA is completely insecure! (Two
  attacks)

12
RSA signatures for real

• Hash functions
• Collision-resistance
• Birthday attacks
• Scrambling
• How to fix RSA signatures
• Why does this work?
• Is it actually secure?