Class 5: Channels and Preview
CIS 755: Advanced Computer Security, Spring 2014
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S14/
Last time: Basic primitives
• Confidentiality (encryption)
  – Symmetric (e.g. AES)
  – Asymmetric (e.g. RSA)
• Hash functions
• Integrity and authentication
  – Symmetric (authentication codes)
  – Asymmetric (signatures)
• Random numbers
Preview of Math in Asymmetric Crypto
• Diffie-Hellman
  – Discrete logarithm is “hard”
  – Computational, decisional (“flavors”)
• RSA
  – Prime factorization is “hard”
• Quantum computing and Shor’s algorithm
• Elliptic curves
• Bilinear maps
In practice: Optimizations
• Asymmetric encryption:
  – Password → Secret Key SK → E_SK(K), E_K(M)
• Signatures:
  – Password → Secret Key SK → M, Sig_SK(h(M))
• Why do this? Why is this safe?
• Symmetric:
  – Password → Key derivation/stretching/strengthening function → K
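Added example (not from the slides): the “Password → key derivation/stretching function → K” step of the symmetric case, done with PBKDF2-HMAC-SHA256 from the Python standard library. The function names (derive_key, new_salt, stretching_cost), the demo passwords and the salts are constructed for this illustration, and the iteration count is a placeholder rather than a recommendation from the lecture. The point the slide leaves implicit is why this is safe to do: the salt makes precomputed tables useless and the iteration count sets the price of every offline guess.

```python
# Added example, not from the CIS 755 slides: password -> KDF -> symmetric key K.
import hashlib
import os
import time


def derive_key(password: str, salt: bytes, iterations: int = 200_000, length: int = 32) -> bytes:
    """Password -> key derivation/stretching function -> K.

    PBKDF2-HMAC-SHA256 from the standard library. The salt is public but
    unique per user, so the same password gives a different K everywhere;
    the iteration count is the 'stretching' that makes each guess expensive.
    (200_000 is a placeholder cost chosen for this demo, not a recommendation.)
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def new_salt() -> bytes:
    """A fresh 16-byte random salt; store it next to the derived key, not secretly."""
    return os.urandom(16)


def stretching_cost(password: str, iterations: int) -> float:
    """Seconds for one derivation: the price an offline guesser pays per guess."""
    salt = b"constructed-fixed-salt-"  # constructed; fixed so timings are comparable
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = new_salt()
    k = derive_key("correct horse battery", salt)  # constructed demo password
    print("salt:", salt.hex())
    print("K   :", k.hex())
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {stretching_cost('correct horse battery', n):.4f} s")
```

The same K comes back only when password, salt and iteration count all match; the secret key SK that encrypts the session key K in the asymmetric case would be protected the same way.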
In practice: Problems
• Composability: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• Attack on PKCS #1 v2 standard-compliant RSA OAEP leaks plaintext bits:
  http://www.springerlink.com/content/tw5tuqb3hxbn9grq/
• This attack also leaks plaintext bits in a lot of systems that use CBC block cipher mode:
  http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps
[Comic: xkcd.com]
• Example: WEP
  – IV, RC4(IV, k) ⊕ (M, c(M))
  – Claim: 24-bit IV + 40-bit key = 64-bit security
• On the right: text from Jonathan Katz
Problems: Composability
• Is this secure against chosen-plaintext attacks?
  – It is randomized…
• 40-bit key (in some implementations)!
  – Claims that, with IV, this gives a 64-bit effective key(!)
• And how is the IV chosen?
  – Only 24 bits long -- IV repetitions are a problem!
  – Reset to 0 upon re-initialization
  – Some implementations increment the IV as a counter
• A repeating IV allows the attacker to compute the XOR of two plaintexts
  – We have discussed already how this can be damaging
• Small IV space means the attacker can build a dictionary of (IV, RC4(IV, k)) pairs
  – If portions of some plaintexts known, this enables determination of other plaintexts
• Known-plaintext attacks discovered on this usage of RC4
  – Possible because the first byte of plaintext is a fixed, known header!
• Chosen-plaintext attacks
  – Send IP traffic/e-mail to the mobile host and watch it get forwarded
  – Transmit broadcast messages to access point
  – Authentication spoofing
• No cryptographic integrity protection
  – The checksum is linear (i.e., c(x ⊕ y) = c(x) ⊕ c(y)) and unkeyed, and therefore easy to attack
  – Allows IP redirection attack
  – Allows TCP “reaction” attacks
    • Look at whether TCP checksum is valid
    • Form of chosen-ciphertext attack
• Encryption used to provide authentication of mobile station (access point sends nonce; station returns an encryption of the nonce)
  – Allows easy spoofing after eavesdropping
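Added example, not from the slides or from Katz’s notes: the IV-reuse and linear-checksum points above, rebuilt in Python so both properties can be checked directly. Everything in it is constructed for the illustration: the 40-bit key, the IVs and the frames are sample values, and keystream() is a SHAKE-256 stand-in for RC4(IV, k) (an assumption; the leak it shows depends only on the keystream repeating when the IV repeats, not on RC4 itself). It goes one step beyond the slide by showing the exact form of CRC-32’s linearity (affine: c(x ⊕ y) = c(x) ⊕ c(y) ⊕ c(0…0) for equal lengths) and that a keyed MAC does not obey the same relation, which is what “cryptographic integrity protection” buys.

```python
# Added example (not from the slides): why a repeated IV and an unkeyed linear
# checksum break WEP-style "IV, keystream(IV, k) xor (M, c(M))" framing.
import hashlib
import hmac
import zlib
from typing import Optional

IV_LEN = 3  # WEP's 24-bit IV


def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """Stand-in for RC4(IV, k): n bytes of keystream that depend only on (IV, key)."""
    return hashlib.shake_256(iv + key).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(iv: bytes, key: bytes, m: bytes) -> bytes:
    """Frame = IV || keystream(IV, k) xor (M || c(M)), with c = CRC-32 (unkeyed, linear)."""
    body = m + zlib.crc32(m).to_bytes(4, "big")
    return iv + xor(keystream(iv, key, len(body)), body)


def leaked_plaintext_xor(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What a passive listener learns from two frames with the same IV.

    The keystreams are identical, so they cancel: frame1 xor frame2 equals
    (M1, c(M1)) xor (M2, c(M2)). Returns None when the IVs differ.
    """
    if frame1[:IV_LEN] != frame2[:IV_LEN]:
        return None
    n = min(len(frame1), len(frame2))
    return xor(frame1[IV_LEN:n], frame2[IV_LEN:n])


def crc_is_affine(x: bytes, y: bytes) -> bool:
    """CRC-32 over equal-length inputs: c(x xor y) == c(x) xor c(y) xor c(0^n).

    Linear up to a constant, and needs no key, so a change to M can be matched
    by a predictable change to c(M): the checksum is not integrity protection.
    """
    zeros = bytes(len(x))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(zeros)


def mac_is_affine(x: bytes, y: bytes, key: bytes) -> bool:
    """The same relation for a keyed MAC (HMAC-SHA256); it should not hold."""
    def tag(data: bytes) -> int:
        return int.from_bytes(hmac.new(key, data, "sha256").digest(), "big")
    return tag(xor(x, y)) == tag(x) ^ tag(y) ^ tag(bytes(len(x)))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    iv = b"\x00\x00\x00"                   # "reset to 0 upon re-initialization"
    m1, m2 = b"GET / HTTP/1.0 frame one", b"GET / HTTP/1.0 frame two"  # constructed
    f1, f2 = wep_like_encrypt(iv, key, m1), wep_like_encrypt(iv, key, m2)
    print("XOR of plaintexts recovered:", leaked_plaintext_xor(f1, f2)[:len(m1)] == xor(m1, m2))
    print("CRC-32 affine:", crc_is_affine(b"abcdefgh", b"12345678"))
    print("HMAC affine:  ", mac_is_affine(b"abcdefgh", b"12345678", b"secret"))
```

With a 24-bit IV the repeat is guaranteed after at most 2^24 frames and happens immediately when the IV restarts at 0, which is the dictionary point on the slide: one (IV, keystream) pair learned from a known header serves for every later frame under that IV.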
Problems: Side channels
• Side-channel attacks VERY damaging
  – Power
  – Timing
    • See news (2013) and cool stuff (2014) pages
  – Error messages!
• Different errors in SSH leak information (mismatch between implementation and specification of CBC block cipher mode):
  http://portal.acm.org/citation.cfm?id=586112
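Added example (not from the slides or the cited SSH paper): a toy receiver in Python with the kind of error channel the bullet describes, beside a hardened one. Keys, nonces and messages are constructed for the demo, and the cipher is a SHAKE-256 keystream stand-in (an assumption; a real system would use an AEAD mode). The leaky receiver decrypts, checks padding, and only then checks the tag, so a peer can tell a PaddingError from a MacError; the hardened receiver verifies the tag over the ciphertext first, in constant time, and reports a single DecryptError whatever went wrong.

```python
# Added example (not from the slides): distinguishable decryption errors as a
# side channel, and the encrypt-then-MAC / uniform-error fix.
import hashlib
import hmac

KEY_ENC = b"constructed-encryption-key"  # constructed demo keys
KEY_MAC = b"constructed-mac-key"
BLOCK = 8
TAG_LEN = 32


class PaddingError(Exception):
    """Distinguishable failure: padding malformed."""


class MacError(Exception):
    """Distinguishable failure: tag mismatch."""


class DecryptError(Exception):
    """The only failure the hardened receiver ever reports."""


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(nonce: bytes, n: int) -> bytes:
    """Cipher stand-in (assumption): keystream derived from key and nonce."""
    return hashlib.shake_256(KEY_ENC + nonce).digest(n)


def pad(m: bytes) -> bytes:
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(p: bytes) -> bytes:
    n = p[-1] if p else 0
    if n < 1 or n > BLOCK or p[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return p[:-n]


def tag(data: bytes) -> bytes:
    return hmac.new(KEY_MAC, data, "sha256").digest()


# MAC-then-encrypt: padding must be checked before the tag can be (leaky).
def seal_mte(nonce: bytes, m: bytes) -> bytes:
    body = pad(m + tag(m))
    return nonce + xor(keystream(nonce, len(body)), body)


def open_leaky(blob: bytes) -> bytes:
    nonce, c = blob[:8], blob[8:]
    body = unpad(xor(keystream(nonce, len(c)), c))   # may raise PaddingError
    m, t = body[:-TAG_LEN], body[-TAG_LEN:]
    if t != tag(m):                                   # non-constant-time, distinct error
        raise MacError("bad tag")
    return m


# Encrypt-then-MAC: verify the tag over the ciphertext first, one error for all (hardened).
def seal_etm(nonce: bytes, m: bytes) -> bytes:
    body = pad(m)
    c = xor(keystream(nonce, len(body)), body)
    return nonce + c + tag(nonce + c)


def open_uniform(blob: bytes) -> bytes:
    nonce, c, t = blob[:8], blob[8:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(nonce + c)):
        raise DecryptError("decryption failed")
    try:
        return unpad(xor(keystream(nonce, len(c)), c))
    except PaddingError:
        raise DecryptError("decryption failed") from None


def observed_error(open_fn, blob: bytes) -> str:
    """What a network peer sees: the failure class the receiver reports."""
    try:
        open_fn(blob)
        return "ok"
    except Exception as e:  # noqa: BLE001 - we want the class name
        return type(e).__name__


def flip_byte(blob: bytes, i: int) -> bytes:
    """Constructed corruption for the demo: flip one bit of byte i."""
    b = bytearray(blob)
    b[i] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    nonce, m = b"\x00" * 8, b"constructed message"
    for name, seal, open_fn in (("leaky", seal_mte, open_leaky), ("uniform", seal_etm, open_uniform)):
        blob = seal(nonce, m)
        print(name, "intact:", observed_error(open_fn, blob),
              "| body flipped:", observed_error(open_fn, flip_byte(blob, 8)),
              "| last byte flipped:", observed_error(open_fn, flip_byte(blob, len(blob) - 1)))
```

The hardened path also removes the timing channel in the tag check (hmac.compare_digest) and never touches the plaintext before the tag has been verified, so there is nothing data-dependent left for the error path to leak.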
Cool stuff
• Elliptic curves
  – y² = x³ + ax + b
• Secure multiparty computation
  – General existence result
    • Communication complexity
• Threshold cryptography
  – Encryption, signatures, secret sharing
More cool stuff
• Identity-based encryption (IBE)
  – Time period-based
• Attribute-based encryption (ABE)
• Zero-knowledge (ZK) proofs
  – General existence result in NP
  – Interactive or non-interactive (NIZK)
    • Strength from number of rounds or predefined
• Homomorphic encryption
Yet more cool stuff
• Key management
  – Key trees
    • Hierarchical, time-based access
• One-time use tokens
  – Compare to capabilities
• Blind signatures
• Compact signature aggregation
• Commitments (vs. hashes)