7/21/2019 Systems Security Week8
http://slidepdf.com/reader/full/systems-security-week8 1/46
Security Engineering
CSE 3SE / CSE 5SE
Instructor: Sambuddho Chakravarty (Semester: Winter 2015)
Week 8: March 17 – March 20
Brief History of Cryptography
- Ancient: Romans
- Caesar Cipher / Substitution Cipher
- 'Shift' characters
PLAINTEXT: ABCDEFGHIJKLMNOPQRSTUVWXYZ   CIPHERTEXT: ZABCDEFGHIJKLMNOPQRSTUVWXY
PLAINTEXT: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG   CIPHERTEXT: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD
Encryption: n ← (x + n) mod 26
Decryption: n ← (x − n) mod 26
Brief History of Cryptography
- Attacking Caesar Cipher:
- Simple brute force attacks -- only 26 alphabets in the English language
- Frequency analysis -- alphabets "E" (or "e") and "T" (or "t") are the most frequent alphabets in the English language
- Encryption of "E" is always the same.
Brief History of Cryptography - Medieval Age:
- Vigenère Cipher (Polyalphabetic substitution)
- Inventor: Giovan Battista Bellaso in his 1553 book La cifra del Sig. Giovan Battista Bellaso (misattributed to Vigenère)
PLAINTEXT:  ATTACKATDAWN
KEY:        LEMONLEMONLE
CIPHERTEXT: LXFOPVEFRNHR
Brief History of Cryptography - Attacks against Vigenère Cipher:
- Harder to break compared to simple Caesar substitution
- Each "block" is "effectively" a Caesar substitution
Attack strategy:
- Assume the key length is known
- Assume a cipher stream: nifon aicum niswt
- First characters "n", "a" and "n" have been encrypted with the same key alphabet
- Second character is encrypted with the same row, and so on.
- Perform frequency analysis for each of the first characters: the most frequently occurring character is "e", the second most frequently occurring is "a", and so on.
- Perform similar frequency analysis for the other characters as well
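The attack strategy above, worked through in code (an added example, not part of the course slides): each interleaved column of the ciphertext is a Caesar cipher, so per-column frequency analysis recovers the key letter by letter. The sample plaintext and the letter-frequency table are constructed for the demonstration.

```python
"""Vigenere cipher and the per-position frequency analysis the slide describes.
Added teaching example, not from the course slides; the English sample text is constructed."""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative frequencies (percent) of A..Z in English text.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def vigenere(text, key, decrypt=False):
    """Letter i is Caesar-shifted by key letter i mod len(key); a one-letter key
    is exactly the Caesar cipher of the earlier slide."""
    out = []
    for i, c in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def chi_squared(column):
    """Distance between the letter histogram of `column` and English; lower is closer."""
    counts, n = Counter(column), len(column)
    return sum((counts.get(ALPHABET[i], 0) - ENGLISH_FREQ[i] * n / 100) ** 2
               / (ENGLISH_FREQ[i] * n / 100) for i in range(26))


def recover_key(ciphertext, key_length):
    """Letters pos, pos+L, pos+2L, ... share one key letter, so each such column is a
    Caesar cipher: keep the shift whose undone column looks most like English."""
    key = ""
    for pos in range(key_length):
        column = ciphertext[pos::key_length]
        key += min(ALPHABET, key=lambda s: chi_squared(vigenere(column, s, decrypt=True)))
    return key


# Constructed sample plaintext, letters only, like the slide's "nifon aicum niswt" stream.
PLAINTEXT = ("THE ROTOR MACHINES OF THE LAST CENTURY REPLACED THE PEN AND PAPER CIPHERS "
             "OF EARLIER AGES BUT THE LESSON OF THE SLIDES IS UNCHANGED A SUBSTITUTION "
             "THAT REPEATS ITSELF WITH A SHORT PERIOD LEAKS THE STATISTICS OF THE LANGUAGE "
             "AND ONCE THE PERIOD IS KNOWN EACH COLUMN IS A SIMPLE SHIFT THAT FREQUENCY "
             "ANALYSIS DEFEATS IN A FEW LINES OF CODE THE LONGER THE MESSAGE THE MORE "
             "RELIABLE THE COUNTS BECOME AND THE DEFENDER SHOULD TREAT ANY SCHEME WITH A "
             "REUSED KEY STREAM AS BROKEN").replace(" ", "")
KEY = "LEMON"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)
```

Calling `recover_key(CIPHERTEXT, 5)` returns "LEMON"; with a key length of 1 the same function is the frequency attack on the Caesar cipher from the previous slide.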
Brief History of Cryptography - Modern Era (20th Century):
- Electro-mechanical rotor machines to perform multiple substitution ciphers
(Enigma Machine, Image Courtesy: National Cryptographic Museum, NSA, Washington DC)
Input: Manual keyboard
Rotor discs: Substitution ciphers
Output: Cipher-stream / telegraphic codes / Lampboards
Plugboard: Additional layer of substitution cipher
Brief History of Cryptography - Inside the Enigma Machine
[Figure: cut-away of the Enigma machine; labels: Input, Output (via glow lamp)]
Some Attack Strategies
• Known-plaintext attack: The adversary knows plaintext/ciphertext pairs
• Chosen-plaintext attack: Adversary chooses plaintexts and observes the corresponding ciphertexts to which they encrypt
• Chosen-ciphertext attack: Adversary chooses ciphertexts and sees the corresponding plaintexts to which they decrypt
Vernam Cipher (One Time Pads)
- Vernam Cipher (One Time Pads (OTPs) (1917)):
- Each bit of the plain text is XORed with each bit of the key stream
- Security lies in length and pseudo-randomness of the key stream
- Most basic operation: Message XOR key
- Best use case: Use each key ONLY once (ONE TIME.) (considered cryptographically secure (Shannon – 'Perfect Secrecy'))
Pr(E(M1, K1)) = Pr(E(M2, K2)) (for every i in (ke…
PLAINTEXT: H(7) E(4) L(11) L(11) O(14)   KEY: X(23) M(12) C(2) K(10) L(11)   + (mod 26)   CIPHER: E(4) Q(16) N(13) V(21) Z(25)
[Figure: M1 XOR K1 → C1;  M2 XOR K2 → C2]
Stream Ciphers - OTP Stream Ciphers
- Each key must be used exactly once
- Multiple usage of the same key ⇒ statistical cryptanalysis attack
- Reusable keying material
- Generate new keys without revealing how they are generated
- The encrypted cipher text should not reveal any information about the key or the plaintext
- Each bit of the message is XORed with the bit of the key.
- Problem with Shannon's 'Perfect Secrecy': Key len ≥ Message len
- Solution: PRG instead of perfectly random function
- PRG: G: {0,1}^s → {0,1}^n, n >> s
- E: G(k) ⊕ M = C;  D: G(k) ⊕ C = M
Important property of PRG: Unpredictability: Knowing some bits of the key one should not be able to predict the remaining bits
[Figure: initial seed k expanded by G(k) into a key stream, which is XORed with M to give C]
Some Vulnerabilities of Stream Ciphers
- Multiple time usage of OTP is insecure
C1 = M1 ⊕ k
C2 = M2 ⊕ k
C1 ⊕ C2 = M1 ⊕ M2
Easy to recover ASCII messages M1, M2 from M1 ⊕ M2
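The key-reuse identity above, followed by the "crib drag" that turns M1 ⊕ M2 into readable ASCII (an added example, not from the slides): a guessed fragment of one message is slid along the XOR, and wherever it fits, the other message's text falls out. Both messages and the pad are constructed.

```python
"""Key-stream reuse: C1 ⊕ C2 = M1 ⊕ M2 and why that is enough to read ASCII.
Added example, not from the slides; both messages and the key are constructed."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """Vernam/OTP: every message byte XORed with the key byte at the same position."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return xor_bytes(message, key)


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """With one key k for both messages the key cancels:
    (M1 ⊕ k) ⊕ (M2 ⊕ k) = M1 ⊕ M2, computable without knowing k."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes):
    """Slide a guessed fragment across M1 ⊕ M2. Where the guess really occurs in one
    message, XORing it out leaves the other message's text at that offset; offsets
    that produce unprintable bytes are rejected. Returns (offset, recovered text)."""
    hits = []
    for off in range(len(m1_xor_m2) - len(crib) + 1):
        window = xor_bytes(m1_xor_m2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in window):
            hits.append((off, window.decode("ascii")))
    return hits


# Constructed messages of equal length, encrypted under the SAME pad (the mistake).
M1 = b"transfer 500 to account 4221"
M2 = b"the meeting is at noon today"
KEY = os.urandom(len(M1))
C1, C2 = otp_encrypt(M1, KEY), otp_encrypt(M2, KEY)

if __name__ == "__main__":
    leak = ciphertext_xor(C1, C2)
    print(leak == xor_bytes(M1, M2))     # True: the key is gone
    print(crib_drag(leak, b"meeting"))   # includes (4, 'sfer 50')
```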
Some Vulnerabilities of Stream Ciphers
- Windows Point-to-Point Tunnelling Protocol (MS-PPTP)
[Figure: client messages (M1 M2 M3 …) and server messages (S1 S2 S3 …) encrypted under one key]
- Client and server used the same key
- Client and server messages could be XORed to reveal an XOR of the client and server messages
- Other possible attacks – cipher text only attack: The adversary forces the client to generate messages for specific message(s) and builds an oracle
Better approach: use different keys
Some Vulnerabilities of Stream Ciphers
- Malleability:
Adversary can modify the ciphertext without knowing anything about the plaintext and cause an equivalent change in the corresponding plaintext
Some Popular Examples of Stream Ciphers
• RC4:
  • Date of creation: 1987
  • Key length: 8-bits (seeds) – 2048-bits (generator)
  • Randomization: None; if IV used then key must be mixed
  • Remarks: HTTPS, WEP (broken)
  • Attack: Known-plain text attack
• A5/1, A5/2:
  • Date of creation: 1989
  • Key length: 54-bits (23)
  • Randomization: 114-bits
  • Remarks: Voice encryption for GSM networks
  • Attack: Known-plain text attack
• Salsa:
  • Date of creation: 2004
  • Key length: 256-bits; cipher stream length: 512-bits
  • Randomization: 64-bit nonce
  • Remarks: Optimized for hardware implementations
  • Attack: Aumasson, Fischer, Khazaei, Meier, and Rechberger, 2008 – probabilistic neutral bits attack.
Block Ciphers
Message (M) divided into multiple blocks: M1 M2 M3 M4 … Mn-1 Mn, each n bits
Input: n-bits; Output: n-bits; Key: ≥ n-bits
[Figure: blocks m1, m2, …, mn of M are encrypted under keys K1, K2, …, Kn by f1(K1, ·), f2(K2, ·), …, fn(Kn, ·), giving ciphertext blocks C1 C2 C3 C4 …]
Brief History of Block Ciphers
• Early 1970s: Horst Feistel proposed Lucifer block cipher
  • Block size: 128-bits, Key: 128-bits
• 1973: NBS (now NIST) asked for block cipher proposals
  • IBM submits Lucifer
• 1976: NBS adopts Lucifer with shorter key length and it is called Data Encryption Standard (DES)
  - Block size: 64-bits, key-len: 56-bits
• 1997: DES broken by exhaustive search (brute force search)
• 2000: NIST adopts Rijndael as AES and replaces DES
DES: core idea – Feistel Network
Given functions f1, …, fd: {0,1}^n → {0,1}^n
Goal: build invertible function F: {0,1}^2n → {0,1}^2n
In symbols: Ri = fi(Ri-1) …
[Figure: d-round Feistel network; the input is split into n-bit halves L0, R0; round i computes Li, Ri from Li-1, Ri-1 using fi; output Ld, Rd]
Decryption circuit
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (ciphers) from arbitrary functions
• Used in many block ciphers … but not AES
[Figure: the Feistel circuit run backwards; input Ld, Rd (n-bit halves), round functions fd, fd-1, …, f1 applied in that order, output L0, R0]
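The Feistel construction of the two slides above in code (an added example, not from the slides): the round functions are deliberately non-invertible, yet running the same circuit with the round keys in reverse order inverts the cipher, as the decryption slide states. The SHA-256-based round function and the 16 × 48-bit toy key schedule are stand-ins for DES's real F and key expansion.

```python
"""Feistel network, the DES core idea on the slides: an invertible 64-bit
permutation built from arbitrary, non-invertible 32-bit round functions.
Added example, not from the slides; the SHA-256-based round function and key
schedule are stand-ins for DES's real F and key expansion."""
import hashlib

HALF = 4  # bytes per half: n = 32 bits, as in DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(round_key: bytes, x: bytes) -> bytes:
    """f_i(x) = first 32 bits of SHA-256(k_i || x): keyed and many-to-one,
    so it has no inverse of its own, which is exactly the point."""
    return hashlib.sha256(round_key + x).digest()[:HALF]


def expand_key(key: bytes, rounds: int = 16) -> list:
    """Toy key schedule (not DES's): 16 round keys of 48 bits, k_i = SHA-256(key || i)[:6]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel_encrypt(block: bytes, round_keys: list) -> bytes:
    """Per round: L_i = R_{i-1},  R_i = f_i(R_{i-1}) ⊕ L_{i-1}."""
    L, R = block[:HALF], block[HALF:]
    for k in round_keys:
        L, R = R, xor(round_function(k, R), L)
    return L + R


def feistel_decrypt(block: bytes, round_keys: list) -> bytes:
    """Same circuit with f_d, ..., f_1 applied in reverse order: from (L_i, R_i)
    recover R_{i-1} = L_i and L_{i-1} = R_i ⊕ f_i(L_i); no inverse of f_i is needed."""
    L, R = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        L, R = xor(R, round_function(k, L)), L
    return L + R


if __name__ == "__main__":
    ks = expand_key(b"constructed-key!")
    ct = feistel_encrypt(b"ATTACKAT", ks)
    print(ct.hex(), feistel_decrypt(ct, ks))  # ... b'ATTACKAT'
```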
DES: 16 round Feistel network
f1, …, f16: {0,1}^32 → {0,1}^32, fi(x) = F(ki, x)
(Round key derived from key K)
[Figure: 64-bit input → IP → 16 round Feistel network → IP^-1 → 64-bit output; key expansion of key k into round keys k1, k2, …, k16]
To invert, use keys in reverse order
56-bit key expanded into 16 48-bit round keys
DES challenge
msg = "The unknown messages is: XXXX …"
CT = c1 c2 c3 …
Goal: find k ∈ {0,1}^56 s.t. DES(k, mi) = ci for …
1997: Internet search -- 3 months
1998: EFF machine (deep crack) -- 3 days (2…
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10…
⇒ 56-bit ciphers should not be used !! (128-bit … days)
AES: Advanced Encryption Standard
Subs-Perm network (not Feistel)
[Figure: input → ⊕ k1 → S-boxes S1 … S8 (subs layer) → perm layer → ⊕ k2 → S1 … S8 → … → ⊕ k; inversion runs the layers backwards]
AES-128 schematic
[Figure: input (4×4 bytes) → ⊕ k0 → 10 rounds of (1) ByteSub (2) ShiftRow (3) MixColumn, each followed by ⊕ ki (k1 … k9); the last round has only (1) ByteSub (2) ShiftRow, then ⊕ k10 → output (4×4 bytes). Key: 16 bytes; key expansion: invertible, 16 bytes → 176 bytes]
The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:
• MixColumns:
Code size / performance tradeoff
                                            Code size   Performance
Pre-compute round functions (24KB or 4KB)   largest     fastest: table lookups and xors
Pre-compute S-box only (256 bytes)          smaller     slower
No pre-computation                          smallest    slowest
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
  128-bit registers: xmm1 = state, xmm2 = round key
  aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14× speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer
Semantic Security for many-time key
Key used more than once ⇒ adv. sees many CTs with same key
Adversary's power: chosen-plaintext attack (CPA)
• Can obtain the encryption of arbitrary messages of his choice
(conservative modeling of real life)
Adversary's goal: Break semantic security
Solution 1: randomized encryption
• E(k,m) is a randomized algorithm:
⇒ encrypting the same msg twice gives different ciphertexts (w.h.p.)
⇒ ciphertext must be longer than plaintext
Roughly speaking: CT-size = PT-size + "# random bits"
[Figure: enc maps each of m0, m1 to a set of possible ciphertexts; dec maps every one of them back to its message]
Solution 2: nonce-based Encryption
• nonce n: a value that changes from msg to msg
  (k,n) pair never used more than once
• method 1: nonce is a counter (e.g. packet counter)
  • used when encryptor keeps state from msg to msg
  • if decryptor has same state, need not send nonce with CT
• method 2: encryptor chooses a random nonce, …
[Figure: Alice computes E(k,m,n) = c and sends (c, n) to Bob; both hold k]
Construction 1: CBC with random IV
CBC(k,m): choose random IV:
[Figure: CBC encryption of m[0] … m[3]: each block is XORed with the previous ciphertext block (the IV for the first) and passed through E(k,·); ciphertext = IV, c[0], c[1], c[2], c[3]]
Decryption circuit
[Figure: CBC decryption of c[0] … c[3] with IV: each block is passed through D(k,·) and XORed with the previous ciphertext block (the IV for the first) to give m[0] … m[3]]
Obs: c[0] = E(k, IV ⊕ m[0]) ⇒ m[0] = …
Nonce-based CBC
• Cipher block chaining with unique nonce: key = (k, k1) …
[Figure: nonce → E(k1,·) → IV; then CBC as before over m[0], m[1], m[2] under E(k,·), giving c[0], c[1], c[2]; ciphertext = nonce, c[0], c[1], c[2]]
unique nonce means: (key, n) pair is used for only one message
nonce included only if unknown to decryptor
Construction 2: rand ctr mode
E(k,m): choose a random IV ∈ {0,1}^n and do:
[Figure: key stream blocks F(k,IV), F(k,IV+1), …, F(k,IV+L) XORed with m[0], m[1], …, m[L] to give c[0], c[1], …, c[L]; ciphertext = IV, c[0], …, c[L]]
note: parallelizable (unlike CBC)
Construction 2': nonce ctr-mode
[Figure: same as rand ctr mode, with the IV formed as nonce || counter]
IV: nonce (64 bits) || counter (64 bits), 128 bits in total
To ensure F(k,x) is never used more than once, choose the IV as nonce || counter, where the counter starts at … for every …
Message Integrity
Goal: integrity, no confidentiality
Examples:
• Protecting public binaries on disk
• Protecting banner ads on web pages
Message integrity: MACs
Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
• S(k,m) outputs t in T
• V(k,m,t) outputs 'yes' or 'no'
[Figure: Alice and Bob share k; Alice sends message m with tag. Generate tag: tag ← S(k, m). Verify tag: V(k, m, tag) = 'yes'?]
Integrity requires a secret key
• Attacker can easily modify message m and re-compute CRC
• CRC designed to detect random, not malicious errors
[Figure: Alice sends message m with tag to Bob. Generate tag: tag ← CRC(m). Verify tag: V(m, tag)]
Example: protecting system files
Suppose at install time the system computes:
[Figure: files F1, F2, …, Fn with tags t1 = S(k,F1), t2 = S(k,F2), …, tn = S(k,Fn), stored alongside each filename; k derived from user's password]
Later a virus infects system and modifies system files
User reboots into clean OS and supplies his password
• Then: secure MAC ⇒ all modified files will be detected
Attacks Against MACs
• Existential Forgery: The attacker produces a signature of some message m of his choice
• Selective Forgery: The attacker chooses a message, then gets access to the public key used for verification and produces a signature s of m
• Key recovery: Given the public key for verification, attacker produces the secret key for signing
Encrypted CBC-MAC (ECBC-MAC)
[Figure: raw CBC over m[0], m[1], m[3], m[4]: each block is XORed into the chaining value and passed through E(k,·); the final chaining value is passed through E(k1,·) to give the tag]
NMAC (nested MAC)
[Figure: cascade over m[0], m[1], m[3], m[4] starting from key k; the cascade output is passed through the final step keyed with k1 to give t]
NMAC (nested MAC) without last block padding + enc
[Figure: the same cascade over m[0], m[1], m[3], m[4] from key k, final step keyed with k1, output t]
Slides Courtesy: Dan Boneh
Why the last encryption step in CBC-MAC?
Adversary works as follows:
• Choose an arbitrary one-block message m ∈ X
• Request tag for m. Get t = F(k,m)
• Output t as MAC forgery for the 2-block message m' = (m, t⊕m)
rawCBC(k, (m, t⊕m)) = F(k, F(k,m) ⊕ (t⊕m)) = F(k, t ⊕ (t⊕m)) = F(k, m) = t
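The one-block extension argument above, run against both raw CBC-MAC and ECBC-MAC so the effect of the final encryption step is visible (an added example, not from the slides). The block cipher is a stand-in: a keyed random permutation of 16-bit blocks built from a shuffled table, which is enough because the argument holds for any block cipher E; the keys and message are constructed.

```python
"""Why raw CBC-MAC needs the final encryption step (the slide's one-block attack),
contrasted with ECBC-MAC. Added example, not from the slides. The block cipher is a
stand-in: a keyed random permutation of 16-bit blocks built from a shuffled table,
which suffices because the argument holds for any block cipher E."""
import random

BLOCK = 2  # toy block size in bytes


def make_prp(key: int):
    """Stand-in for E(k, ·): one fixed pseudorandom permutation of all 2^16 blocks."""
    table = list(range(1 << (8 * BLOCK)))
    random.Random(key).shuffle(table)
    return lambda x: table[int.from_bytes(x, "big")].to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def raw_cbc_mac(E, msg: bytes) -> bytes:
    """CBC chain with zero IV: state = E(state ⊕ m[i]); the last state IS the tag."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = E(xor(state, msg[i:i + BLOCK]))
    return state


def ecbc_mac(E, E1, msg: bytes) -> bytes:
    """Encrypted CBC-MAC: the chaining value is hidden behind a second key k1."""
    return E1(raw_cbc_mac(E, msg))


def extension_forgery(m: bytes, t: bytes) -> bytes:
    """Given the tag t of a one-block m, the 2-block message (m, t ⊕ m) has raw-CBC tag
    E(E(m) ⊕ t ⊕ m) = E(t ⊕ t ⊕ m) = E(m) = t. No key is used here."""
    return m + xor(t, m)


if __name__ == "__main__":
    E, E1 = make_prp(1234), make_prp(5678)   # constructed keys k and k1
    m = b"hi"
    t = raw_cbc_mac(E, m)
    print(raw_cbc_mac(E, extension_forgery(m, t)) == t)      # True: raw CBC is forgeable
    t1 = ecbc_mac(E, E1, m)
    print(ecbc_mac(E, E1, extension_forgery(m, t1)) == t1)   # False: the extra E(k1,·) breaks the trick
```

With ECBC the adversary only ever sees E(k1, F(k,m)), so t ⊕ m no longer cancels the chaining value and the forged tag does not verify.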
The security bounds are tight: an attack
After signing |X|^(1/2) messages with CBC-MAC or |K|^(1/2) messages with NMAC the MACs become insecure
The Merkle–Damgård Iterated Construction
[Figure: Merkle–Damgård chain: fixed IV → h → H0 → h → H1 → h → H2 → h → H3, with message blocks m[0], m[1], m[2], m[3] || PB fed into the successive h calls]
PB: padding block: 1000…0 || msg len (64 bits)
If no space, add another block
Slides Courtesy: Dan Boneh
Standardized method: HMAC (Hash-MAC)
Most widely used MAC on the Internet
Used for calculating a message authentication code (MAC) involving a cryptographic hash function that may use a cryptographic key
H: hash function
example: SHA-256; output is 256 bits
Building a MAC out of a hash function:
HMAC: S(k, m) = H( k⊕opad || H( k⊕ipad || m ) )
HMAC in pictures
Similar to the NMAC PRF; main difference: the two keys k1, k2 are dependent
[Figure: k⊕ipad followed by m[0], m[1], m[2] || PB is run through the h chain from the fixed IV (inner hash, key k1); the result, prefixed by k⊕opad, is run through h from the fixed IV again (outer hash, key k2) to give the tag]
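The HMAC formula of the two slides above written out over SHA-256 (an added example, not from the slides): the inner key k⊕ipad and outer key k⊕opad are both derived from the single key k, which is the dependence the slide contrasts with NMAC. The constants are those of the HMAC standard; the result is checked against Python's hmac module and the RFC 4231 test vectors.

```python
"""HMAC built from a hash function exactly as the slide writes it:
S(k, m) = H( (k ⊕ opad) || H( (k ⊕ ipad) || m ) ), the two inner/outer keys being
derived from one key k (the dependence the last slide contrasts with NMAC).
Added example, not from the slides; cross-checked against Python's hmac module."""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks, so the key pad is one block
IPAD = bytes([0x36]) * BLOCK_SIZE
OPAD = bytes([0x5C]) * BLOCK_SIZE


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prepare_key(key: bytes) -> bytes:
    """Keys longer than a block are hashed first; every key is zero-padded to a block."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """S(k, m): inner hash over (k ⊕ ipad) || m, outer hash over (k ⊕ opad) || inner."""
    k = prepare_key(key)
    k1, k2 = xor(k, IPAD), xor(k, OPAD)        # the two dependent keys of the picture
    inner = hashlib.sha256(k1 + msg).digest()  # Merkle-Damgard cascade over the message
    return hashlib.sha256(k2 + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(k, m, t): recompute and compare without leaking where a mismatch occurs."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check of the hand-built construction against hmac.new for the same inputs."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    tag = hmac_sha256(b"\x0b" * 20, b"Hi There")      # RFC 4231 test case 1
    print(tag.hex())  # b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
    print(verify(b"\x0b" * 20, b"Hi There", tag), verify(b"\x0b" * 20, b"Hi There!", tag))
```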