cmsc 414 computer and network security lecture 2
DESCRIPTION
CMSC 414 Computer and Network Security Lecture 2. Jonathan Katz. JCE tutorial. In class next Wednesday HW1 will use it. Assigned readings from lecture 1. “Inside the Twisted Mind of the Security Professional” “We are All Security Customers” “Information Security and Externalities” - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/1.jpg)
CMSC 414Computer and Network Security
Lecture 2
Jonathan Katz
![Page 2: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/2.jpg)
JCE tutorial
In class next Wednesday
HW1 will use it
![Page 3: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/3.jpg)
Assigned readings from lecture 1
“Inside the Twisted Mind of the Security Professional”
“We are All Security Customers”
“Information Security and Externalities”
Comments?
![Page 4: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/4.jpg)
A high-level survey of cryptography
![Page 5: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/5.jpg)
Caveats Everything I present will be (relatively) informal
– I may simplify, but I will not say anything that is an outright lie…
Cryptography offers formal definitions and rigorous proofs of security (neither of which we will cover here)– For more details, take CMSC 456 in the Fall (or read
my book)!
If you think you already know cryptography from somewhere else (CMSC456, CISSP, your job, the news), you are probably mistaken
![Page 6: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/6.jpg)
Goals of cryptography Crypto deals primarily with three goals:
– Confidentiality– Integrity (of data)– Authentication (of resources, people, systems)
Other goals also considered– E.g., non-repudiation– E-cash (e.g., double spending)– General secure multi-party computation– Anonymity– …
![Page 7: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/7.jpg)
Private- vs. public-key settings
For the basic goals, there are two settings:– Private-key / shared-key / symmetric-key / secret-key
– Public-key
The private-key setting is the “classical” one (thousands of years old)
The public-key setting dates to the 1970s
![Page 8: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/8.jpg)
Private-key cryptography
The communicating parties share some information that is random and secret– This shared information is called a key
– Key is not known to an attacker
– This key must be shared (somehow) in advance of their communication
![Page 9: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/9.jpg)
To emphasize
Alice and Bob share a key K– Must be shared securely
– Must be completely random
– Must be kept completely secret from attacker
We don’t discuss (for now) how they do this – You can imagine they meet on a dark street corner and
Alice hands a USB device (with a key on it) to Bob
![Page 10: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/10.jpg)
Private-key cryptography
For confidentiality:– Private-key (symmetric-key) encryption
For data integrity:– Message authentication codes
![Page 11: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/11.jpg)
Canonical applications
Two (or more) distinct parties communicating over an insecure network– E.g., secure communication
A single party who is communicating “with itself” over time– E.g., secure storage
![Page 12: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/12.jpg)
Alice Bob
shared infoK K
Alice
K
Bob
K
![Page 13: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/13.jpg)
Bob
K
Bob
K
![Page 14: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/14.jpg)
Security? We will specify the exact threat model being
addressed
We will also specify the security guarantees that are ensured, within this threat model– Here: informally; CMSC 456: formally
Crucial to understand these issues before crypto can be successfully deployed!– Make sure the stated threat model matches your
application– Make sure the security guarantees are what you need
![Page 15: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/15.jpg)
Security through obscurity?
Always assume that the full details of crypto protocols and algorithms are public– Known as Kerckhoffs’ principle
– The only secret information is a key
“Security through obscurity” is a bad idea…– True in general; even more true in the case of
cryptography
– Home-brewed solutions are BAD!
– Standardized, widely-accepted solutions are GOOD!
![Page 16: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/16.jpg)
Security through obscurity?
Why not?
Easier to maintain secrecy of a key than an algorithm– Reverse engineering
– Social engineering
– Insider attacks
Easier to change the key than the algorithm
In general setting, much easier to share an algorithm than for everyone to use their own
![Page 17: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/17.jpg)
Private-key encryption
![Page 18: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/18.jpg)
Functional definition Encryption algorithm:
– Takes a key and a message (plaintext), and outputs a ciphertext
– c EK(m) possibly randomized!
Decryption algorithm:– Takes a key and a ciphertext, and outputs a message (or
perhaps an error)– m = DK(c)
Correctness: for all K, we have DK(EK(m)) = m
We have not yet said anything about security…
![Page 19: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/19.jpg)
Alice Bob
shared infoK K
Alice
K
Bob
Kc
cEK(m) m=DK(c)
![Page 20: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/20.jpg)
A classic example: shift cipher Assume the English uppercase alphabet (no
lowercase, punctuation, etc.)– View letters as numbers in {0, …, 25}
The key is a random letter of the alphabet
Encryption done by addition modulo 26
Is this secure?– Exhaustive key search– Automated determination of the key
![Page 21: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/21.jpg)
Another example: substitution cipher
The key is a random permutation of the alphabet– Note: key space is huge!
Encryption done in the natural way
Is this secure?– Frequency analysis
A large key space is necessary, but not sufficient, for security
![Page 22: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/22.jpg)
Another example: Vigenere cipher
More complicated version of shift cipher
Believed to be secure for over 100 years
Is it secure?
![Page 23: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/23.jpg)
Attacking the Vigenere cipher
Let pi (for i=0, …, 25) denote the frequency of letter i in English-language text– Known that Σ pi
2 ≈ 0.065
For each candidate period t, compute frequencies {qi} of letters in the sequence c0, ct, c2t, …
For the correct value of t, we expect Σ qi2 ≈ 0.065
– For incorrect values of t, we expect Σ qi2 ≈ 1/26
Once we have the period, can use frequency analysis as in the case of the shift cipher
![Page 24: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/24.jpg)
Moral of the story?
Don’t use “simple” schemes
Don’t use schemes that you design yourself– Use schemes that other people have already designed
and analyzed…
![Page 25: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/25.jpg)
A fundamental problem
A fundamental problem with “classical” cryptography is that no definition of security was ever specified– It was not even clear what it meant for a scheme to be
“secure”
As a consequence, proving security was not even an option– So how can you know when something is secure?
– (Or is at least based on well-studied, widely-believed assumptions)
![Page 26: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/26.jpg)
Defining security?
What is a good definition?
Why is a good definition important?
![Page 27: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/27.jpg)
Security goals?
Adversary unable to recover the key– Necessary, but meaningless on its own…
Adversary unable to recover entire plaintext– Good, but is it enough?
Adversary unable to determine any information at all about the plaintext– Formalize?
– Sounds great!
– Can we achieve it?
![Page 28: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/28.jpg)
Note
Even given our definition, we need to consider the threat model– Multiple messages or a single message?
– Passive/active adversary?
– Chosen-plaintext attacks?
The threat model matters!– The classical ciphers we have seen are immediately
broken by a known-plaintext attack
![Page 29: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/29.jpg)
Defining secrecy (take 1)
Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext
Perfect secrecy
Formally, for all distributions over the message space, all m, and all c: Pr[M=m | C=c] = Pr[M=m]
![Page 30: CMSC 414 Computer and Network Security Lecture 2](https://reader036.vdocuments.mx/reader036/viewer/2022062408/56813c08550346895da56b10/html5/thumbnails/30.jpg)
Next time: the one-time pad;its limitations;
overcoming these limitations