ECE 443/518 – Computer Cyber Security Lecture 05 Modes of Operation, Cryptographic Hash Functions Professor Jia Wang Department of Electrical and Computer Engineering Illinois Institute of Technology September 8, 2021 1/27 ECE 443/518 – Computer Cyber Security, Fall 2021, Dept. of ECE, IIT
Outline
Modes of Operation
Cryptographic Hash Functions
Reading Assignment
- This lecture: UC 5.1 – 5.1.5, 11.2
- Next lecture: UC 11.3, 11.5, 12, 5.1.6
Electronic Code Book (ECB)
(Figure: ECB mode diagram, from Wikipedia)
Discussions
- A substitution cipher based on a block cipher like AES.
- Padding: when the message size is not a multiple of the block size.
  - Alice appends additional bits that Bob will identify.
  - E.g. a 1 followed by the necessary number of 0's.
- Oscar, the passive adversary:
  - Known-plaintext attack using padding.
  - Traffic analysis is possible since the same plaintext blocks always encrypt to the same ciphertext blocks.
- Can be parallelized as long as the whole message is available.
Active Adversaries and Integrity
- We introduced passive adversaries to address confidentiality.
- For integrity, we address it by considering active adversaries.
  - They can modify or even insert messages.
  - E.g. reorder/substitute/modify/create blocks.
- With the ability to manipulate ciphertext, active adversaries could even
  - Break confidentiality by side-channel attack.
  - Break higher-level protocols by replay attack.
- ECB doesn't provide much protection against active adversaries.
  - E.g. reordering and substitution attacks: all blocks will decrypt, but may mean something completely different when combined together.
  - No matter how secure the underlying block cipher is.
- Are there other ways to apply block ciphers to long messages?
  - Will they protect against active adversaries?
Cipher Block Chaining (CBC)
(Figure: CBC mode diagram, from Wikipedia)
Discussions
- "Randomize" plaintext blocks
  - Use the previous ciphertext block.
  - Use an initialization vector (IV) for the first plaintext block.
- Choice of IV
  - Probabilistic encryption: different IVs result in different ciphertexts even if the plaintext and the key are the same.
  - A.k.a. nonce: a number used only once.
  - Usually randomly chosen and transmitted before the ciphertext.
  - Oscar will see it.
  - If that's a concern, Alice could just encrypt the IV.
- Only decryption can be parallelized.
CBC and Active Adversaries
- CBC provides better protection against active adversaries than ECB.
  - Reordering and substitution attacks are less likely to work, as Bob will receive "random" blocks.
- Nevertheless, Bob still needs to decide whether someone modified the message or it is just Alice sending a random message.
  - Need other mechanisms for integrity! Will discuss later.
Output Feedback (OFB)
(Figure: OFB mode diagram, from Wikipedia)
Discussions
- A stream cipher (CSPRNG) based on a block cipher.
  - A random IV guarantees probabilistic encryption.
- Only need encryption from the block cipher.
  - No need to implement decryption, saving hardware resources.
- Cannot be parallelized.
  - The key stream can be precomputed as long as storage permits.
Cipher Feedback (CFB)
(Figure: CFB mode diagram, from Wikipedia)
Discussions
- An asynchronous stream cipher, as the key stream depends on both the key and the previous ciphertext (and plaintext).
  - Otherwise very similar to OFB.
- Only need encryption, and decryption can be parallelized.
Counter Mode (CTR)
(Figure: CTR mode diagram, from Wikipedia)
Discussions
- A stream cipher that can be fully parallelized.
- Only need encryption, as with OFB and CFB.
  - There is a limitation on the message size for a given IV.
  - OFB also has a limitation on message size, although it should be much longer.
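The ECB, CBC and CTR constructions discussed above, as an added example that is not part of the lecture: a toy 8-byte Feistel block cipher built from SHA-256 stands in for AES (an assumption made only so the code runs without a crypto library), the padding is the lecture's "a 1 followed by 0's" rule, and `repeated_blocks` exposes the ECB traffic-analysis leak (identical plaintext blocks give identical ciphertext blocks) that CBC with a fresh IV and CTR avoid.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (AES uses 16); constructed for illustration

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, half, rnd):  # Feistel round function: keyed SHA-256, half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]
def block_encrypt(key, blk):  # 8-round Feistel network (assumption, not AES)
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r
def block_decrypt(key, blk):  # runs the Feistel rounds backwards
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

def pad(msg):  # the lecture's padding: a 1 bit then zeros (0x80, then 0x00 bytes)
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)
def unpad(msg):  # the last 0x80 byte is always the padding marker
    return msg[:msg.rindex(b"\x80")]
def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):  # each block encrypted independently
    return b"".join(block_encrypt(key, b) for b in blocks(pad(msg)))
def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))
def cbc_encrypt(key, iv, msg):  # XOR the previous ciphertext block (IV first)
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))
def ctr_crypt(key, nonce, data):  # keystream E_k(nonce||ctr); decrypt == encrypt
    # 4-byte nonce + 4-byte counter: at most 2^32 blocks per nonce (size limit)
    ks = b"".join(block_encrypt(key, nonce[:4] + i.to_bytes(4, "big"))
                  for i in range(len(blocks(data))))
    return xor(data, ks)
def repeated_blocks(ct):  # identical ciphertext blocks leak identical plaintext
    return len(blocks(ct)) - len(set(blocks(ct)))
```

Encrypting a message with four identical blocks under ECB leaves three repeated ciphertext blocks visible to Oscar, while CBC and CTR output no repeats and change entirely when the IV changes.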
Outline
Modes of Operation
Cryptographic Hash Functions
Motivation
- How should we address active adversaries?
- Three steps
  - Integrity without a secret key: Cryptographic Hash Functions
  - Integrity with a secret key: Message Authentication Codes
  - Confidentiality and integrity: Authenticated Encryption
Integrity without Secret Key
- Alice has developed a marvelous game and wants everyone to play it.
- The installation package is huge, so Alice decides to seek help from third parties for distribution.
  - Because the required bandwidth is either too expensive or technically infeasible.
  - E.g. via BitTorrent.
- It is not possible for Bob, who wants to download the game, to set up a secret key with Alice.
- Oscar, who participates in package distribution, plans to add his/her own adware to the package to make some profit.
- Integrity: how to design a mechanism to ensure Bob receives the authentic package from Alice?
Hash Functions
(Figure: hash function diagram, from Paar and Pelzl)
- Input x: messages of arbitrary lengths.
- Output z = h(x): message digest, a.k.a. fingerprint, with a fixed size, say m bits.
Preimage Resistance (One-Wayness)
Given a hash function h and a message digest z, find a message x such that:
z == h(x).
- If someone could derive h^(-1) from h, then he/she may compute x = h^(-1)(z).
- A "good" hash function should be one-way.
  - E.g. allow infinitely many messages to map to any z.
Alice’s Mechanism
- From the package x, Alice publishes the message digest z = h(x) on her website.
  - The message digest is so short, e.g. m = 256, that Alice doesn't need to worry about bandwidth.
- Bob obtains the package x', computes z' = h(x'), and verifies that z == z'.
  - Can Bob be sure x == x' now? Don't try to answer it now: state your assumptions and think of attacks!
- Assumption: Oscar can't modify z on Alice's website.
  - I.e. an authentic channel that guarantees only integrity: anyone can see z but no one can modify it.
  - Compare with the secure channel that guarantees both confidentiality and integrity to set up secret keys.
- Attack: Oscar creates a package with the same message digest so that Bob won't find out that what he received is not authentic.
Second Preimage Resistance (Weak Collision Resistance)
Given a hash function h, a message x1 and its message digest z1 = h(x1), find a message x2 ≠ x1 such that for its message digest z2 = h(x2),
z2 == z1.
- Weak collision is unavoidable: x2 always exists.
  - Collision: different messages map to the same message digest.
  - The practical question is how easily Oscar can find one.
- Oscar's attack: choose x2 randomly and compute z2 = h(x2).
  - z2 == z1 with a probability of at least 1/2^m for some z1.
  - If Oscar repeats the attack N times, the probability of finding x2 is 1 − (1 − 1/2^m)^N.
  - About 63% for N = 2^m.
  - Not a concern if m is large enough and Oscar is computationally bounded.
- What about cryptanalysis that uses properties of h and x1?
Oscar’s Trick
- Knowing there is little hope of modifying Alice's package without being caught, Oscar decides to create his/her own game package to distribute the adware.
- Oscar's trick: create two packages x and x' such that
  - h(x) == h(x')
  - Good package x: just the game.
  - Bad package x': the game and the adware.
- Oscar then delivers x' to Bob through third parties.
- If Bob finds the adware in x', Oscar shows Bob x and claims someone else created x'.
- Will second preimage resistance help?
(Strong) Collision Resistance
Given a hash function h, find two messages x1 ≠ x2 such that:
h(x2) == h(x1).
- Birthday attack: what is the probability that two people in our class have the same birthday?
  - How many students are needed to have a 50% chance of two colliding birthdays? 23.
- Roughly speaking, if Oscar creates 2^(m/2) random packages, then there is a 50% chance of a collision.
  - If half of the packages are good and half are bad, there is a 50% chance for the collision to happen between a good and a bad package.
  - There is a 25% chance for Oscar to find x and x' for the trick.
- Bob may still resist such an attack by requiring m to be large enough.
  - But what about cryptanalysis?
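The probabilities from the second preimage and collision slides above, worked in code as an added example that is not from the lecture: `h` truncates SHA-256 to m bits (an assumption so the searches finish in seconds; real digests use m = 256), `second_preimage_prob` and `collision_prob` evaluate the lecture's formulas with its symbols m and N, `samples_for_half_chance` reproduces the 23-birthday figure and the 2^(m/2) rule, and the two search functions show the gap between finding any collision (about 2^(m/2) hashes) and a second preimage of a given message (about 2^m). All messages are constructed.

```python
import hashlib

def h(msg, m):
    # toy m-bit digest: SHA-256 truncated to its top m bits (assumption, m <= 256)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - m)

def second_preimage_prob(m, n):
    # a random x2 hits z1 with probability 1/2^m; after N tries: 1 - (1 - 1/2^m)^N
    return 1 - (1 - 2.0 ** -m) ** n

def collision_prob(space, n):
    # exact birthday bound for n samples from `space` values: 1 - prod (1 - i/space)
    p = 1.0
    for i in range(n):
        p *= 1 - i / space
    return 1 - p

def samples_for_half_chance(space):
    # smallest n with collision_prob >= 50%: 23 for birthdays, ~2^(m/2) for digests
    n, p = 0, 1.0
    while 1 - p < 0.5:
        p *= 1 - n / space
        n += 1
    return n

def find_collision(m):
    # hash constructed packages until two digests repeat (pigeonhole: <= 2^m + 1 tries)
    seen = {}
    for i in range(2 ** m + 2):
        msg = b"package-%d" % i
        z = h(msg, m)
        if z in seen:
            return seen[z], msg, i + 1  # x1, x2 and the number of hashes computed
        seen[z] = msg

def find_second_preimage(m, x1):
    # match one fixed digest z1: expected ~2^m tries; the bound makes failure negligible
    z1 = h(x1, m)
    for i in range(2 ** m * 64):
        msg = b"adware-%d" % i
        if msg != x1 and h(msg, m) == z1:
            return msg, i + 1
    return None
```

With m = 16 the collision search ends after a few hundred hashes, while a second preimage for m = 12 already needs thousands; scaling m to 256 is what makes both infeasible, provided cryptanalysis of h gives no shortcut.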
Cryptographic Hash Functions
- Cryptographic hash function: a hash function that is
  - Preimage resistant
  - Second preimage resistant
  - (Strong) collision resistant
  - With a proper choice of m.
  - As of now, consider m = 256 or more.
  - And remains so even under cryptanalysis.
- A "bad" choice of h may lead to an attack on second preimage resistance using far fewer than 2^m messages, or an attack on strong collision resistance using far fewer than 2^(m/2) messages.
  - E.g. a cyclic redundancy check (CRC) is a good hash function against data corruption but not a good cryptographic hash function.
Summary
- Block ciphers can be applied in different modes to encrypt a long message.
- Use a random IV to guarantee probabilistic encryption.
- Stream ciphers built on top of block ciphers only need the encryption operation, saving hardware resources.
- CTR mode can be fully parallelized.
- Cryptographic hash functions need to be preimage resistant, second preimage resistant, and (strong) collision resistant.