ECE 443/518 – Computer Cyber Security
Lecture 05: Modes of Operation, Cryptographic Hash Functions
Professor Jia Wang
Department of Electrical and Computer Engineering
Illinois Institute of Technology
September 8, 2021
1/27 ECE 443/518 – Computer Cyber Security, Fall 2021, Dept. of ECE, IIT
Outline
- Modes of Operation
- Cryptographic Hash Functions
Reading Assignment
- This lecture: UC 5.1 – 5.1.5, 11.2
- Next lecture: UC 11.3, 11.5, 12, 5.1.6
Electronic Code Book (ECB)
(Figure: ECB mode diagram, Wikipedia)
Discussions
- A substitution cipher based on a block cipher like AES.
- Padding: needed when the message size is not a multiple of the block size.
  - Alice appends additional bits that Bob will identify.
  - E.g. a 1 followed by the necessary number of 0's.
- Oscar, the passive adversary:
  - Known-plaintext attack using the padding.
  - Traffic analysis is possible since the same plaintext block always encrypts to the same ciphertext block.
- Can be parallelized as long as the whole message is available.
Active Adversaries and Integrity
- We introduced passive adversaries to address confidentiality.
- For integrity, we consider active adversaries instead.
  - They can modify or even insert messages.
  - E.g. reorder/substitute/modify/create blocks.
- With the ability to manipulate ciphertext, active adversaries could even
  - Break confidentiality by side-channel attacks.
  - Break higher-level protocols by replay attacks.
- ECB doesn't provide much protection against active adversaries.
  - E.g. reordering and substitution attacks: all blocks will still decrypt, but may mean something completely different when combined together.
  - No matter how secure the underlying block cipher is.
- Any other ways to apply block ciphers to long messages?
  - Will they protect against active adversaries?
Cipher Block Chaining (CBC)
(Figure: CBC mode diagram, Wikipedia)
Discussions
- "Randomize" the plaintext blocks:
  - Use the previous ciphertext block.
  - Use an initialization vector (IV) for the first plaintext block.
- Choice of IV:
  - Probabilistic encryption: different IVs result in different ciphertexts even if the plaintext and the key are the same.
  - A.k.a. nonce: a number used only once.
  - Usually randomly chosen and transmitted before the ciphertext.
  - Oscar will see it.
  - If that's a concern, Alice could just encrypt the IV.
- Only decryption can be parallelized.
CBC and Active Adversaries
- CBC provides better protection against active adversaries than ECB.
  - Reordering and substitution attacks are less likely to work, as Bob will receive "random" blocks.
- Nevertheless, Bob still needs to decide whether someone modified the message or Alice is just sending a random message.
  - Need other mechanisms for integrity! Will discuss later.
Output Feedback (OFB)
(Figure: OFB mode diagram, Wikipedia)
Discussions
- A stream cipher (CSPRNG) based on a block cipher.
  - A random IV guarantees probabilistic encryption.
- Only needs the encryption operation of the block cipher.
  - No need to implement decryption, saving hardware resources.
- Cannot be parallelized.
  - The key stream can be precomputed as long as storage permits.
Cipher Feedback (CFB)
(Figure: CFB mode diagram, Wikipedia)
Discussions
- An asynchronous stream cipher, as the key stream depends on both the key and the previous ciphertext (and hence the plaintext).
  - Otherwise very similar to OFB.
- Only needs encryption, and decryption can be parallelized.
Counter Mode (CTR)
(Figure: CTR mode diagram, Wikipedia)
Discussions
- A stream cipher that can be fully parallelized.
- Only needs encryption, as with OFB and CFB.
  - There is a limitation on the message size for a given IV.
  - OFB also has a limitation on the message size, although it should be much longer.
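The five modes discussed above, as an added example that is not part of the lecture. To keep it runnable with the Python standard library only, AES is replaced by a hypothetical 16-byte Feistel permutation whose round function is keyed SHA-256 (a stand-in, not a real cipher); everything else, the 1-then-0s padding, ECB, CBC, OFB, CFB and CTR, is implemented as the slides describe, with comments marking which steps are sequential and which can run in parallel.

```python
"""Block-cipher modes of operation (ECB, CBC, OFB, CFB, CTR).
Added example, not the lecture's code. AES is replaced by a hypothetical
16-byte Feistel permutation with a keyed-SHA-256 round function, so this
runs with the standard library only; the mode logic itself is the real thing."""
import hashlib

BLOCK = 16          # block size in bytes (same as AES)
HALF = BLOCK // 2

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: encrypt exactly one block with a 4-round Feistel network."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation: undo the rounds in reverse order."""
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(msg: bytes) -> bytes:
    """Lecture's padding: a 1 bit (0x80 byte) then 0s; always adds at least one byte."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad(data: bytes) -> bytes:
    body = data.rstrip(b"\x00")
    if not body or body[-1] != 0x80:
        raise ValueError("bad padding")
    return body[:-1]

# ECB: every block is encrypted independently (parallel), so equal plaintext
# blocks give equal ciphertext blocks, which is exactly what traffic analysis sees.
def ecb_encrypt(key, msg):
    return b"".join(block_encrypt(key, b) for b in blocks(pad(msg)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))

def has_repeated_block(ct: bytes) -> bool:
    cs = blocks(ct)
    return len(set(cs)) < len(cs)

# CBC: XOR each plaintext block with the previous ciphertext block (the IV for
# the first one). Encryption is sequential; decryption is parallel.
def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)   # block i needs only c[i-1] and c[i]
    return unpad(b"".join(xor(block_decrypt(key, c), p) for p, c in zip([iv] + cs, cs)))

# Stream modes: only block_encrypt is ever called, and no padding is needed.
def ofb_keystream(key, iv, nblocks):
    s, out = iv, []
    for _ in range(nblocks):          # sequential, but can be precomputed and stored
        s = block_encrypt(key, s)
        out.append(s)
    return b"".join(out)

def ctr_keystream(key, iv, nblocks):
    base = int.from_bytes(iv, "big")  # counter wraps after 2**128 blocks: the per-IV size limit
    return b"".join(block_encrypt(key, ((base + i) % (1 << 8 * BLOCK)).to_bytes(BLOCK, "big"))
                    for i in range(nblocks))   # every block independent: fully parallel

def stream_crypt(keystream, key, iv, data):
    """OFB/CTR: encryption and decryption are the same XOR with the key stream."""
    return xor(data, keystream(key, iv, -(-len(data) // BLOCK)))

def cfb_encrypt(key, iv, msg):
    out, prev = [], iv
    for b in blocks(msg):             # key stream block depends on the previous ciphertext
        prev = xor(b, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    cs = blocks(ct)                   # key stream block i = E(c[i-1]): parallel
    return b"".join(xor(c, block_encrypt(key, p)) for p, c in zip([iv] + cs, cs))
```

Encrypting `b"ATTACK AT DAWN!!" * 4` with `ecb_encrypt` yields four identical ciphertext blocks (`has_repeated_block` is true), while `cbc_encrypt` of the same message does not, and changing the IV changes the whole CBC ciphertext. Flipping one bit of a CBC ciphertext block still decrypts without any error, which is the slides' point that none of these modes give Bob a way to detect modification.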
Motivation
- How should we address active adversaries?
- Three steps:
  - Integrity without a secret key: Cryptographic Hash Functions
  - Integrity with a secret key: Message Authentication Codes
  - Confidentiality and integrity: Authenticated Encryption
Integrity without Secret Key
- Alice has developed a marvelous game and wants everyone to play it.
- The installation package is huge, so Alice decides to seek help from third parties for distribution.
  - Because the required bandwidth is either too expensive or technically infeasible.
  - E.g. via BitTorrent.
- It is not possible for Bob, who wants to download the game, to set up a secret key with Alice.
- Oscar, who participates in package distribution, plans to add his/her own adware to the package to make some profit.
- Integrity: how to design a mechanism that ensures Bob receives the authentic package from Alice?
Hash Functions
(Figure: hash function diagram, Paar and Pelzl)
- Input x: messages of arbitrary length.
- Output z = h(x): message digest, a.k.a. fingerprint, of a fixed size, say m bits.
Preimage Resistance (One-Wayness)
Given a hash function h and a message digest z, find a message x such that:
  z == h(x).
- If someone could derive h^-1 from h, then he/she may compute x = h^-1(z).
- A "good" hash function should be one-way.
  - E.g. allow infinitely many messages to map to any z.
Alice's Mechanism
- From the package x, Alice publishes the message digest z = h(x) on her website.
  - The message digest is so short, e.g. m = 256, that Alice doesn't need to worry about bandwidth.
- Bob obtains the package x', computes z' = h(x'), and verifies that z == z'.
  - Can Bob be sure x == x' now? Don't try to answer it now: state your assumptions and think of attacks!
- Assumption: Oscar can't modify z on Alice's website.
  - I.e. an authentic channel that guarantees only integrity: anyone can see z but no one can modify it.
  - In comparison with the secure channel that guarantees both confidentiality and integrity, used to set up secret keys.
- Attack: Oscar creates a package with the same message digest so that Bob won't find out that what he received is not authentic.
Second Preimage Resistance (Weak Collision Resistance)
Given a hash function h, a message x1 and its message digest z1 = h(x1), find a message x2 ≠ x1 such that for its message digest z2 = h(x2),
  z2 == z1.
- Weak collisions are unavoidable: x2 always exists.
  - Collision: different messages map to the same message digest.
  - The practical question is how easily Oscar can find one.
- Oscar's attack: choose x2 randomly and compute z2 = h(x2).
  - z2 == z1 with a probability of at least 1/2^m for some z1.
  - If Oscar repeats the attack N times, the probability of finding x2 is 1 - (1 - 1/2^m)^N.
  - About 63% for N = 2^m.
  - Not a concern if m is large enough when Oscar is computationally bounded.
- What about cryptanalysis that uses properties of h and x1?
Oscar's Trick
- Knowing there is little hope of modifying Alice's package without being caught, Oscar decides to create his/her own game package to distribute the adware.
- Oscar's trick: create two packages x and x' such that
  - h(x) == h(x')
  - Good package x: just the game.
  - Bad package x': the game and the adware.
- Oscar then delivers x' to Bob through third parties.
- If Bob finds the adware in x', Oscar shows Bob x and claims someone else created x'.
- Will second preimage resistance help?
(Strong) Collision Resistance
Given a hash function h, find two messages x1 ≠ x2 such that:
  h(x2) == h(x1).
- Birthday attack: what is the probability that two people in our class have the same birthday?
  - How many students are needed to have a 50% chance of two colliding birthdays? 23.
- Roughly speaking, if Oscar creates 2^(m/2) random packages, then there is a 50% chance of a collision.
  - If half of the packages are good and half are bad, there is a 50% chance for the collision to happen between a good and a bad package.
  - There is a 25% chance for Oscar to find x and x' for the trick.
- Bob may still resist such an attack by requesting m to be large enough.
  - But what about cryptanalysis?
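Alice's mechanism, Oscar's random second-preimage search and the birthday bound from the last three slides, as one added example that is not part of the lecture. It uses SHA-256 from hashlib as h; the "package" bytes are constructed for the demo, and the small digest sizes m (24 bits) are an assumption chosen so that a collision search finishes in a fraction of a second and the reader can see the 2^(m/2) behaviour, which is the reason the slides insist on m = 256 or more.

```python
"""Integrity without a secret key, and why the digest size m matters.
Added example, not the lecture's code: the package bytes and the small
digest sizes are constructed here; h is SHA-256 from hashlib, optionally
truncated to m bits so that the attacks become cheap enough to observe."""
import hashlib
import hmac
import math

def h(x: bytes, m: int = 256) -> bytes:
    """Message digest of x, truncated to m bits (m = 256 is plain SHA-256)."""
    assert m % 8 == 0 and 8 <= m <= 256
    return hashlib.sha256(x).digest()[:m // 8]

# Alice's mechanism: z = h(x) is published over an authentic channel;
# Bob recomputes z' = h(x') over whatever he downloaded and compares.
def alice_publish(package: bytes) -> bytes:
    return h(package)

def bob_verify(published_z: bytes, received: bytes) -> bool:
    return hmac.compare_digest(published_z, h(received))

# Second preimage by random search: each try hits z1 with probability 1/2^m,
# so N tries succeed with probability 1 - (1 - 1/2^m)^N (about 63% at N = 2^m).
# Written with log1p/expm1 so it stays accurate for m = 256, where 1 - 2^-256
# would round to exactly 1.0 in floating point.
def second_preimage_prob(m: int, n_tries: int) -> float:
    return -math.expm1(n_tries * math.log1p(-2.0 ** -m))

# Birthday attack: with k random messages the collision probability is about
# 1 - exp(-k^2 / 2^(m+1)); solving for 1/2 gives k ~ 1.18 * 2^(m/2).
def messages_for_half_chance(m: int) -> int:
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** m))

def find_collision(m: int, limit: int = 1 << 22):
    """Hash distinct messages until an m-bit digest repeats; return (x1, x2, tries)."""
    seen = {}
    for i in range(limit):
        x = b"package-%d" % i          # constructed, distinct candidate packages
        z = h(x, m)
        if z in seen:
            return seen[z], x, i + 1
        seen[z] = x
    return None                        # no collision within the budget

if __name__ == "__main__":
    pkg = b"marvelous game v1.0 installer bytes"   # constructed package contents
    z = alice_publish(pkg)
    print("authentic package accepted:", bob_verify(z, pkg))
    print("package with adware rejected:", not bob_verify(z, pkg + b"+adware"))
    print("P[second preimage] for m=8, N=256:", round(second_preimage_prob(8, 256), 3))
    x1, x2, tries = find_collision(24)
    print("24-bit collision after", tries, "tries; 50% bound is",
          messages_for_half_chance(24), "messages")
```

With m = 24 the collision search typically needs a few thousand digests, in line with `messages_for_half_chance(24)` (about 4.8 thousand), whereas for m = 256 the same bound is about 2^128 messages; `second_preimage_prob(256, 2**256)` returns about 0.63, matching the slides' 63% at N = 2^m.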
Cryptographic Hash Functions
- Cryptographic hash function: a hash function that is
  - Preimage resistant
  - Second preimage resistant
  - (Strong) collision resistant
- With a proper choice of m.
  - As of now, consider m = 256 or more.
- And remains so even under cryptanalysis.
  - A "bad" choice of h may lead to an attack on second preimage resistance using far fewer than 2^m messages, or an attack on strong collision resistance using far fewer than 2^(m/2) messages.
  - E.g. the cyclic redundancy check (CRC) is a good hash function against data corruption but not a good cryptographic hash function.
Summary
- Block ciphers can be applied in different modes to encrypt a long message.
- Use a random IV to guarantee probabilistic encryption.
- Stream ciphers built on top of block ciphers only need the encryption operation, saving hardware resources.
- CTR mode can be fully parallelized.
- Cryptographic hash functions need to be preimage resistant, second preimage resistant, and (strong) collision resistant.