Class 2 Cryptography Refresher CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S15/


Page 1

Class 2: Cryptography Refresher

CIS 755: Advanced Computer Security, Spring 2015

Eugene Vasserman

http://www.cis.ksu.edu/~eyv/CIS755_S15/

Page 2

Administrative stuff

• Schedule updated
  – More changes soon, but they won’t be major
• Watch for quiz announcements
• Periodically check main page for news and schedule page for changes and slides: http://www.cis.ksu.edu/~eyv/CIS755_S15/
• Paper reading and the “huh?” moment

Page 3

Security basics

• “What is being secured?”
  – And security goal/property
• “Secure against what?”
  – Threat/attacker model, players and resources
• Kerckhoffs’ principle
  – Roughly, the only thing secret about a security system should be the secret key
• Shannon’s maxim
  – “The enemy knows the system”

Page 4

Safety vs. security

• Think like an adversary!
• Random → malicious faults
• Engineering for security: “What’s the worst that can happen?” Assume it will…
• Always, always, ALWAYS state your assumptions!

Page 5

More basics

• Trusted vs. trustworthy
  – e.g. the recent SSL Certificate Authority fiasco
• Risk, hazard, vulnerability
  – Adversary, ROI, scale
• Assurance levels
  – “Rainbow” book series, Common Criteria
• Method of returning to secure states
• Fail-closed/secure or fail-open/insecure?

Page 6

Security mechanisms (incomplete list)

• Access control
• Authentication
• Separation of roles
• Logging
• Trusted components in the hands of trustworthy parties

Page 7

Always state your assumptions!

Page 8

Basic cryptographic primitives

• Confidentiality (encryption)
  – Symmetric (e.g. AES)
  – Asymmetric (e.g. RSA)
• Hash functions
• Integrity and authentication
  – Symmetric (authentication codes)
  – Asymmetric (signatures)
• Key agreement
• Random numbers

Page 9

Encryption

• Basic idea: someone seeing ciphertext learns nothing about plaintext without correct key
• With or without authentication
• Symmetric – based on tests/best guess
  – e.g. AES (block cipher)
• Asymmetric – based on math assumptions
  – e.g. RSA

Page 10

Security properties of encryption

• Semantic security
• Chosen plaintext security (IND-CPA)
• Chosen ciphertext security (IND-CCA)
  – IND-CCA2
• Security proof “games”
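An added example (not from the slides) of the IND-CPA “game” the last bullet refers to, played against two toy schemes: a deterministic one and a randomized one. The toy pad (SHA-256 of key || nonce), the adversary and the message pair are all constructed for illustration; the randomized variant is the “deterministic vs. randomized” distinction that Page 13 lists.

```python
import hashlib
import os

def _pad(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy one-block pad (SHA-256 of key || nonce); messages are kept to at
    # most 32 bytes so a single digest covers them. Illustration only.
    return hashlib.sha256(key + nonce).digest()[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, m: bytes) -> bytes:
    # Same key and message always give the same ciphertext.
    return _xor(m, _pad(key, b"", len(m)))

def enc_randomized(key: bytes, m: bytes) -> bytes:
    # Fresh random nonce per call, sent in the clear with the ciphertext.
    nonce = os.urandom(16)
    return nonce + _xor(m, _pad(key, nonce, len(m)))

def ind_cpa_game(enc, adversary, trials: int = 1) -> float:
    # IND-CPA game. Challenger draws a key and a bit b; the adversary gets an
    # encryption oracle, submits (m0, m1), receives Enc(m_b) and guesses b.
    # Returns the fraction of trials in which the guess was right.
    wins = 0
    for _ in range(trials):
        key = os.urandom(16)
        b = os.urandom(1)[0] & 1
        oracle = lambda m, k=key: enc(k, m)
        challenge = lambda m0, m1, k=key, b=b: enc(k, (m0, m1)[b])
        wins += int(adversary(oracle, challenge) == b)
    return wins / trials

def adversary_replay(oracle, challenge) -> int:
    # Asks the oracle for Enc(m0), then checks whether the challenge
    # ciphertext is identical. Wins every time against the deterministic
    # scheme; is no better than a coin flip against the randomized one.
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"
    c0 = oracle(m0)
    return 0 if challenge(m0, m1) == c0 else 1
```

A scheme is IND-CPA secure only if every efficient adversary’s win rate stays negligibly close to 1/2; the deterministic scheme fails the game with a single oracle query.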

Page 11

NEVER BUILD YOUR OWN WHEN SOLUTION EXISTS!!!

Page 12

Aside: Information theory

• Conditional vs. unconditional security
  – Unconditional, e.g. one-time pad
  – Conditional, e.g. RSA, AES
• …
• Symmetric encryption
• Hash functions
• Remember: confusion and diffusion

Page 13

Basic (but more complex) primitives

• Confidentiality (encryption)
  – Symmetric (e.g. AES), asymmetric (e.g. RSA)
  – Malleable vs. non-malleable
  – Deterministic vs. randomized
• Hash functions
• Message authentication codes, signatures
• Random numbers
• Key agreement

Page 14

Some basic cryptographic primitives

• Confidentiality (encryption)
  – Symmetric (e.g. AES): E_K(M), D_K(M) (D is also written E^-1)
  – Asymmetric (e.g. RSA): E_PK(M), D_SK(M)
• Hash functions (e.g. SHA-3): h(M)
• Integrity and authentication
  – Symmetric (MACs): MAC_K(M)
  – Asymmetric (signatures): Sig_SK(M), V_PK(M)
• Key agreement
• Random numbers: n = nonce

Page 15

Aside: composability

• Example: WEP
  – IV, RC4(IV, k) ⊕ (M, c(M))
  – Claim: 24-bit IV + 40-bit key = 64-bit security
• On your right: text from Jonathan Katz

• Is this secure against chosen-plaintext attacks?
  – It is randomized…
• 40-bit key (in some implementations)!
  – Claims that, with IV, this gives a 64-bit effective key(!)
• And how is the IV chosen?
  – Only 24 bits long -- IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter
• A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have discussed already how this can be damaging
• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts known, this enables determination of other plaintexts
• Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!
• Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to access point
  – Authentication spoofing
• No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP “reaction” attacks
    • Look at whether TCP checksum is valid
    • Form of chosen-ciphertext attack
• Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping
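An added example, not from the slides or from Katz’s text, that reproduces the two properties the bullets above rest on: a repeated IV gives two ciphertexts under one keystream, whose XOR is M1 ⊕ M2, and CRC-32 is unkeyed and linear (affine as zlib implements it), whereas a keyed MAC rejects the same modification. SHA-256 in counter mode stands in for RC4, which the Python standard library lacks, and the key, IV and messages are constructed.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    # Stand-in for RC4(IV, k): SHA-256 in counter mode over IV || k. All the
    # slide relies on is that the same (IV, k) yields the same keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wep_like_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    # Ciphertext = (M || c(M)) XOR keystream(IV, k), with c = CRC-32:
    # unkeyed and linear, the WEP structure shown on the slide.
    body = msg + zlib.crc32(msg).to_bytes(4, "big")
    return xor(body, keystream(iv, key, len(body)))

def iv_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    # Two ciphertexts under the same (IV, k) share a keystream, so their XOR
    # is M1 XOR M2 (the keystream cancels). The key is never needed.
    return xor(ct1, ct2)[:-4]  # drop the XOR of the two checksums

def crc_is_linear(x: bytes, y: bytes) -> bool:
    # The slide's identity c(x ^ y) = c(x) ^ c(y) holds for zlib's CRC-32 up
    # to the constant c(0^n) (zlib adds an init/final XOR, making it affine).
    zero = zlib.crc32(bytes(len(x)))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zero

def mac_detects_change(key: bytes, msg: bytes, delta: bytes) -> bool:
    # The fix: a keyed MAC. Any change to the message invalidates the tag,
    # and producing a valid tag for the changed message requires the key.
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    tag2 = hmac.new(key, xor(msg, delta), hashlib.sha256).digest()
    return not hmac.compare_digest(tag, tag2)

# Constructed sample values (not from the slides).
KEY = b"\x01\x02\x03\x04\x05"   # 40-bit key, as in early WEP deployments
IV = b"\x00\x00\x00"            # 24-bit IV, "reset to 0 upon re-initialization"
M1 = b"GET /index.html "
M2 = b"POST /login.php "
```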

Page 16

Questions?