L3 Symmetric Ciphers

Uploaded by rula mohammad

Introduction to Computer and Network Security CIS441

Introduction to Computer and Network Security
Modern Cryptography

Categories of Modern cryptography

● Symmetric Crypto.
○ uses a shared key (secret key) for encryption and decryption.

● Asymmetric (public key) Crypto
○ uses a public-private key pair where the public key is used by senders to encrypt and only the recipient with the private key can decrypt the message.

Categories of Modern cryptography

• The message is encrypted by using a key and the same key is used to decrypt the message
• Sender and recipient must both know the key. This is a weakness!
• The key distribution problem
• Algorithms are less complex and faster

Categories of Modern cryptography

• Asymmetric encryption uses two keys:
  Public Key - to encrypt the data
  Private Key - to decrypt the data
• These keys are generated together.
• The public key is distributed freely between the sender and receiver.
• The private key is only used for decryption and is not shared between the sender and receiver.
• Algorithms are more complex and slower

Symmetric-Key Encryption: Definition

● A symmetric-key encryption scheme has three algorithms:


○ KeyGen() → K: Generate a key K
○ E (K, M) → C: Encrypt a plaintext M using the key K to produce ciphertext C
○ D (K, C) → M: Decrypt a ciphertext C using the key K

[Figure: Alice feeds the plaintext and the key into the encryption algorithm, sends the ciphertext over an insecure channel, and Bob feeds the ciphertext and the same key into the decryption algorithm to recover the plaintext]

Symmetric-Key Encryption: Definition

● What properties do we want from a symmetric encryption scheme?


○ Correctness: Decrypting a ciphertext should result in the message that was originally encrypted
■ D(K, E(K, M)) = M for all K ← KeyGen() and M
○ Efficiency: Encryption/decryption algorithms should be fast
○ Security: Confidentiality

[Figure: same Alice/Bob diagram as above]

Stream Ciphers

• A stream cipher is an algorithm that generates a long keystream from a (short) key
• Encrypts a digital data stream one bit or one byte at a time
• The one-time pad is an example, but it has practical limitations
• Typical approach for a stream cipher:
► Key (K) used as input to a bit-stream generator algorithm
► Algorithm generates a cryptographic bit stream (k_i) used to encrypt the plaintext
► Users share a key; use it to generate the keystream

Stream Ciphers

● Stream ciphers were very popular because they are simple and fast
○ Used in WEP (RC4) and Cellular phones (A5/1, A5/2)
● They are still hard to use
○ Can’t ever reuse initial state (keys, initialization vector)
■ This was the major reason why WEP was broken
○ Stream ciphers can only encrypt a limited amount of data with the same seed
○ Ciphertext can be changed (just like OTP)
● Many popular stream ciphers are broken (RC4, A5/1, A5/2)

Stream Ciphers

• Substitution Attack:
– M = “Pay me $100.00”
– E(M) = M ⊕ K
– Suppose Eve knows M and E(M) but doesn't know K
– She can substitute M' for M by replacing E(M) with E'(M): Eve modifies this!
• E'(M) = E(M) ⊕ M ⊕ M' = M ⊕ K ⊕ M ⊕ M' = K ⊕ M'
• Eve can then replace E(M) with E'(M), which Bob will decrypt as M' (“Pay me $900.00”)

• Countermeasure is to include a message authentication code that helps detect manipulation (i.e., provides integrity and authenticity)

Block Ciphers

• A block cipher is a function that replaces a fixed length input with a fixed length output
– The input/output size is called the “block size”
• A block cipher can be thought of as a bijection on the input/output space
– The key is the mapping of plaintext to ciphertext
– More accurately, the key is used to deterministically generate the mapping
• Typical block sizes are 64 or 128 bits
• Modes of operation are used to apply block ciphers to larger plaintexts

Reversible and Irreversible Mappings

• An n-bit block cipher takes an n-bit plaintext and produces an n-bit ciphertext
• 2^n possible different plaintext blocks
• Encryption must be reversible (decryption possible)
• Each plaintext block must produce a unique ciphertext block
• Total number of transformations is (2^n)!

Reversible Mapping             Irreversible Mapping
Plaintext  Ciphertext          Plaintext  Ciphertext
00         11                  00         11
01         10                  01         10
10         00                  10         01
11         01                  11         01

Ideal Block Cipher

► n-bit input maps to 2^n possible input states
► Substitution used to produce 2^n output states
► Output states map to n-bit output
► Ideal block cipher allows the maximum number of possible encryption mappings from the plaintext block
► Problems with the ideal block cipher:
► Small block size: equivalent to a classical substitution cipher; cryptanalysis based on statistical characteristics is feasible
► Large block size: key must be very large; performance/implementation problems

Block Ciphers: Definition

● Block cipher: An encryption/decryption algorithm that encrypts a fixed-sized block of bits
● E(K,M) → C: Encryption
○ Inputs: k-bit key K and an n-bit plaintext M
○ Output: An n-bit ciphertext C
○ Sometimes written as: {0, 1}^k × {0, 1}^n → {0, 1}^n
● D(K,C) → M: Decryption
○ Inputs: a k-bit key, and an n-bit ciphertext C
○ Output: An n-bit plaintext
○ Sometimes written as: {0, 1}^k × {0, 1}^n → {0, 1}^n
○ The inverse of the encryption function
● Properties
○ Correctness: E(K,M) is a permutation
○ Efficiency: Encryption/decryption should be fast
○ Security: E behaves like a random permutation

[Figure: E takes an n-bit plaintext and a k-bit key k and outputs an n-bit ciphertext; D takes the n-bit ciphertext and the same k-bit key and outputs the n-bit plaintext]

Block Ciphers properties

● Correctness: E(K,M) must be a permutation (bijective function) on n-bit strings (each input must correspond to exactly one unique output)

[Figure: two mappings of the inputs 00, 01, 10, 11 to outputs 00, 01, 10, 11. Left, not bijective: two inputs encrypt to the same output. Right, bijective: each input maps to exactly one unique output]

● Security: A secure block cipher behaves like a randomly chosen permutation from the set of all permutations on n-bit strings
● Efficiency: Encryption and decryption should be computable in microseconds

Properties of a secure Cipher

• Confusion
o Hide the relationship between the ciphertext and the key
o Make the relationship between ciphertext and key as complex as possible
o Apply a complex (non-linear) substitution algorithm
o Substitution: a -> b (Caesar cipher)

• Diffusion
o Hide the relationship between the plaintext and ciphertext
o Distribute plaintext statistics over the ciphertext (makes statistical analysis hard)
o Transposition or Permutation: abcd -> dacb (DES)
o Repeatedly apply a permutation (transposition) to the data, and then apply a function

Confusion and Diffusion

Block Cipher Basic Techniques

• Modern ciphers use multiple, alternating substitutions and permutations to get confusion and diffusion
– Why does it have to alternate?

[Figure: alternating Substitution and Permutation layers]

Basic Form of Modern Block Ciphers

[Figure: Plaintext block → Preprocessing → Rounds of Encryption, i = 1, 2, …, n (each round i uses Sub-Key #i produced by Sub-Key Generation from the Key) → Postprocessing → Ciphertext block]

Substitution

[Figure: General Block Substitution Encryption/Decryption Tables]

Block ciphers: Brute-force attacks?

● How hard is it to run a brute-force attack on a 128-bit key?
● We have to try 2^128 possibilities. How big is 2^128?
● Handy approximation: 2^10 ≈ 10^3
● 2^128 = 2^(10 × 12.8) ≈ (10^3)^12.8 ≈ (10^3)^13 = 10^39
● Suppose we have massive hardware that can try 10^9 (1 billion) keys in 1 nanosecond (a billionth of a second). That’s 10^18 keys per second
● We’ll need 10^39 / 10^18 = 10^21 seconds. How long is that?
● One year ≈ 3×10^7 seconds
● 10^21 seconds / 3×10^7 ≈ 3×10^13 years ≈ 30 trillion years
● Brute-forcing a 128-bit key takes astronomically long

Block ciphers: Brute-force attacks?

● How hard is it to run a brute-force attack on a 256-bit key?
● We need 10^52 of the brute-force devices from before
● If each brute-force device from before is 1 cubic millimeter, this would take 10^43 cubic meters of space
● That’s the volume of 7×10^15 suns!
● Brute-force attacks on modern block ciphers are not possible, assuming the key is random and secret

Feistel Structure for Block Ciphers

● A Feistel cipher is a type of block cipher, not a specific block cipher
● Feistel proposed the use of a cipher that alternates substitutions and permutations (alternates confusion and diffusion functions)
● It is the structure used by many significant symmetric block ciphers currently in use
● Approach:
○ Plaintext split into halves
○ Subkeys (or round keys) generated from the key
○ Round function, F, applied to the right half
○ Apply substitution on the left half using XOR
○ Apply permutation: interchange the two halves

Feistel Cipher: Encryption and Decryption

● Split the plaintext block into left and right halves: P = (L_0, R_0)

Encryption:
Start with the plaintext P = (L_0, R_0)
For each round i = 1, 2, ..., n, compute
  L_i = R_{i-1}
  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
Ciphertext: C = (L_n, R_n)

Decryption:
Start with the ciphertext C = (L_n, R_n)
For each round i = n, n-1, ..., 1, compute
  R_{i-1} = L_i
  L_{i-1} = R_i ⊕ F(R_{i-1}, K_i)
Plaintext: P = (L_0, R_0)

where F is the round function and K_i is the subkey

Feistel Structure

Feistel Rounds : Encryption

● Let LE_i and RE_i denote the output half-blocks at the end of the i-th round of processing. E denotes encryption.
● The relationship between the output of the i-th round and the output of the previous, (i − 1)-th, round is given by
  RE_i = LE_{i-1} ⊕ F(RE_{i-1}, K_i)
  LE_i = RE_{i-1}
○ K_i is a round key derived from the main encryption key
○ F is the Feistel function
● Assuming 16 rounds of processing (which is typical), the output of the last round of processing is given by
  RE_16 = LE_15 ⊕ F(RE_15, K_16)
  LE_16 = RE_15

Feistel Rounds : Decryption

● The decryption algorithm is exactly the same as the encryption algorithm, with the only difference that the round keys are used in the reverse order.
● Let LD_i and RD_i denote the left half and the right half of the output of the i-th round.
○ LD_1 and RD_1: the output of the first decryption round
○ LD_0 and RD_0: the input of the first decryption round
● The relationship between the two halves that are input to the first decryption round and the last round in the encryption algorithm is:

[Figure: relationship between (LD_0, RD_0) and the encryption output (LE_16, RE_16)]

Feistel Structure

Feistel Example

● Blocks = 32 bits (two 16-bit halves), key size = 24 bits.
● Encryption: After round 14 we have DE7F03A6
○ L14(E) = DE7F and R14(E) = 03A6
○ K15 = 12DE52.
○ After round 15, we have
○ L15(E) = 03A6
○ R15(E) = F(03A6, 12DE52) ⊕ DE7F

Feistel Example

● Decryption:
○ L1(D) = R15(E), R1(D) = L15(E)
○ L2(D) = R14(E), R2(D) = L14(E)
○ L1(D) = F(03A6, 12DE52) ⊕ DE7F
○ R1(D) = 03A6
○ L2(D) = 03A6 = R14(E)
○ R2(D) = F(03A6, 12DE52) ⊕ [F(03A6, 12DE52) ⊕ DE7F] = DE7F = L14(E)

Feistel Example

[Figure: encryption round 15 takes (L14, R14) and K15 to (L15, R15); decryption round 1 takes (L1, R1) = (R15, L15) back to (L2, R2) = (R14, L14)]
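The slides' Feistel equations and the DE7F/03A6 example worked in code. This is an added example, not code from the slides: the round function F and the 16 subkeys in SUBKEYS are constructed stand-ins (the slides never specify F), and only the single-round check uses the slides' own values L14 = DE7F, R14 = 03A6, K15 = 12DE52. Both decryption views from the slides are implemented: undoing each round, and re-running the encryption rounds on swapped halves with the keys reversed.

```python
# Added example for the Feistel slides. F and SUBKEYS are constructed, not DES.
MASK16 = 0xFFFF
MASK24 = 0xFFFFFF

def F(r: int, k: int) -> int:
    """Constructed 16-bit round function of a 16-bit half and a 24-bit subkey.
    It does not need to be invertible: the Feistel structure only XORs its output in."""
    x = (r ^ (k & MASK16)) & MASK16
    x = (x * 0x9E37 + (k >> 8)) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

SUBKEYS = [(0x12DE52 ^ (i * 0x9E3779)) & MASK24 for i in range(16)]  # constructed round keys

def feistel_round(left: int, right: int, subkey: int) -> tuple:
    """One encryption round: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    return right, left ^ F(right, subkey)

def feistel_round_inverse(left: int, right: int, subkey: int) -> tuple:
    """Undo one round: R_{i-1} = L_i, L_{i-1} = R_i XOR F(R_{i-1}, K_i)."""
    prev_right = left
    prev_left = right ^ F(prev_right, subkey)
    return prev_left, prev_right

def feistel_encrypt(block32: int, subkeys: list) -> int:
    left, right = block32 >> 16, block32 & MASK16
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (left << 16) | right

def feistel_decrypt(block32: int, subkeys: list) -> int:
    """Decrypt by inverting the rounds in reverse key order."""
    left, right = block32 >> 16, block32 & MASK16
    for k in reversed(subkeys):
        left, right = feistel_round_inverse(left, right, k)
    return (left << 16) | right

def feistel_decrypt_as_on_slides(block32: int, subkeys: list) -> int:
    """The slides' view: swap the halves, run the *encryption* rounds with the keys
    reversed, and swap back. Each round then cancels one encryption round."""
    left, right = block32 & MASK16, block32 >> 16      # (L1(D), R1(D)) input is (R_n, L_n)
    for k in reversed(subkeys):
        left, right = feistel_round(left, right, k)
    return (right << 16) | left                         # ends as (R_0, L_0); swap back

def slide_round_and_inverse() -> tuple:
    """Round 15 from the slides: (DE7F, 03A6) with K15 = 12DE52, then undone again."""
    l15, r15 = feistel_round(0xDE7F, 0x03A6, 0x12DE52)
    r15_matches_slide = r15 == (F(0x03A6, 0x12DE52) ^ 0xDE7F)
    return l15, r15_matches_slide, feistel_round_inverse(l15, r15, 0x12DE52)

if __name__ == "__main__":
    print(slide_round_and_inverse())                     # (0x03A6, True, (0xDE7F, 0x03A6))
    c = feistel_encrypt(0xDE7F03A6, SUBKEYS)
    print(hex(feistel_decrypt(c, SUBKEYS)), hex(feistel_decrypt_as_on_slides(c, SUBKEYS)))
```

The point to take from the code is structural: decryption never calls an inverse of F, which is why F can be any function, and a 16-round cipher like DES is the same loop run over a real key schedule.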

Data Encryption Standard (DES)

● Adopted by NIST in 1977.
● DES uses the Feistel cipher structure with 16 rounds of processing.
● DES uses a 56-bit key, 64-bit input block, 64-bit output block
○ The key itself is specified with 8 bytes, but one bit of each byte is used as a parity check.
● 16 sub-keys, each 48 bits
● DES encryption was broken in 1999
○ Triple DES (3DES): three consecutive applications

DES structure

DES structure

Initial and Final Permutations P-Boxes

DES Function

Four sections:
● Expansion D-box:
○ R_{i−1} is a 32-bit input and K_i is a 48-bit key, so we first need to expand R_{i−1} to 48 bits.
○ R_{i−1} is divided into 8 4-bit sections.
○ Each 4-bit section is expanded to 6 bits.

DES Function

Four sections:
● XOR: on the expanded right section and the round key
● S-Boxes: mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.

DES Function

● 8 tables define the outputs of the S-boxes.

DES Function

● S-box example: DES (S5), mapping a 6-bit input into a 4-bit output:
○ an input "011011" has outer bits "01" and inner bits "1101"; the corresponding output would be "1001"
● Final Permutation: The last operation in the DES function is a permutation with a 32-bit input and a 32-bit output, using a table

Key Generation

● Creates sixteen 48-bit keys out of a 56-bit cipher key
● Parity Drop: a compression transposition step. It drops the parity bits (bits 8, 16, 24, 32, …, 64)
● Shift Left: the key is divided into two 28-bit parts.
○ Each part is shifted left (circular shift) one or two bits.
○ In rounds 1, 2, 9, and 16, shifting is one bit;
○ in the other rounds, it is two bits.

Key Generation

● Compression D-box:
○ changes the 56 bits to 48 bits, which are used as a key for a round.

Simplified DES

► Input (plaintext) block: 8 bits
► Output (ciphertext) block: 8 bits
► Key: 10 bits
► Rounds: 2
► Round keys generated using permutations and left shifts
► Encryption: initial permutation, round function, switch halves
► Decryption: Same as encryption, except round keys used in opposite order

Simplified DES

[Figure: Simplified DES Key Generation]

S-DES Operations

► P10 (permutate)
Input : 1 2 3 4 5 6 7 8 9 10
Output: 3 5 2 7 4 10 1 9 8 6

► P8 (select and permutate)
Input : 1 2 3 4 5 6 7 8 9 10
Output: 6 3 7 4 8 5 10 9

► P4 (permutate)
Input : 1 2 3 4
Output: 2 4 3 1

► EP (expand and permutate)
Input : 1 2 3 4
Output: 4 1 2 3 2 3 4 1

► IP (initial permutation)
Input : 1 2 3 4 5 6 7 8
Output: 2 6 3 1 4 8 5 7

► IP−1 (inverse of IP)
► LS-1 (left shift 1 position)
► LS-2 (left shift 2 positions)

S-DES Encryption Details

S-DES S-Boxes

► S-DES (and DES) perform substitutions using S-Boxes
► S-Box considered as a matrix: input used to select row/column; selected element is output
► 4-bit input: bit1, bit2, bit3, bit4
► bit1bit4 specifies row (0, 1, 2 or 3 in decimal)
► bit2bit3 specifies column
► 2-bit output
► Example
► Plaintext: 01110010
► Key: 1010000010
► Ciphertext: 01110111

S-DES Summary

► Educational encryption algorithm
► S-DES expressed as functions:
► Security of S-DES:
► 10-bit key, 1024 keys: brute force easy
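The whole of S-DES as described on the slides (key generation with P10/LS-1/P8/LS-2, then IP, the round function with EP, XOR, S-boxes and P4, the half switch, and IP−1), as an added example that is not code from the slides. The permutation tables are those listed on the "S-DES Operations" slide; the two S-boxes S0 and S1 are not printed on the slides and are taken from the standard textbook definition of S-DES, which is an assumption to check against the course text. The example reproduces the slides' test vector (plaintext 01110010, key 1010000010, ciphertext 01110111) and the 1024-key exhaustive search the summary slide calls "easy".

```python
# Added example for the Simplified DES slides (not code from the slides).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)      # inverse of IP, derived from the IP table above
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
# S-boxes: not on the slides; standard textbook S-DES tables (assumption)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits: list, table: tuple) -> list:
    """Output position j takes input bit table[j] (1-based, as on the slide)."""
    return [bits[i - 1] for i in table]

def left_shift(half: list, n: int) -> list:
    return half[n:] + half[:n]              # circular left shift (LS-1 / LS-2)

def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]

def key_schedule(key10: list) -> tuple:
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key)))), shifts applied per 5-bit half."""
    k = permute(key10, P10)
    l, r = left_shift(k[:5], 1), left_shift(k[5:], 1)
    k1 = permute(l + r, P8)
    l, r = left_shift(l, 2), left_shift(r, 2)
    k2 = permute(l + r, P8)
    return k1, k2

def sbox(bits4: list, box: tuple) -> list:
    """Row from bit1,bit4 and column from bit2,bit3 (as on the S-Box slide); 2-bit output."""
    row = (bits4[0] << 1) | bits4[3]
    col = (bits4[1] << 1) | bits4[2]
    v = box[row][col]
    return [v >> 1, v & 1]

def round_function(right4: list, subkey8: list) -> list:
    """f_K: expand/permute the right half, XOR with the subkey, S0 and S1, then P4."""
    t = xor(permute(right4, EP), subkey8)
    return permute(sbox(t[:4], S0) + sbox(t[4:], S1), P4)

def sdes(block8: list, key10: list, decrypt: bool = False) -> list:
    k1, k2 = key_schedule(key10)
    if decrypt:
        k1, k2 = k2, k1                      # decryption = same steps, subkeys in reverse order
    bits = permute(block8, IP)
    l, r = bits[:4], bits[4:]
    l = xor(l, round_function(r, k1))       # round 1
    l, r = r, l                              # switch halves
    l = xor(l, round_function(r, k2))       # round 2 (no switch after the last round)
    return permute(l + r, IP_INV)

def bits_from_str(s: str) -> list:
    return [int(c) for c in s]

def str_from_bits(b: list) -> str:
    return "".join(str(x) for x in b)

def sdes_encrypt(plaintext: str, key: str) -> str:
    return str_from_bits(sdes(bits_from_str(plaintext), bits_from_str(key)))

def sdes_decrypt(ciphertext: str, key: str) -> str:
    return str_from_bits(sdes(bits_from_str(ciphertext), bits_from_str(key), decrypt=True))

def brute_force_keys(plaintext: str, ciphertext: str) -> list:
    """The summary slide's point: only 2^10 keys, so trying them all is instantaneous.
    Several keys may map one 8-bit block to the same ciphertext; all are returned."""
    return [format(k, "010b") for k in range(1024)
            if sdes_encrypt(plaintext, format(k, "010b")) == ciphertext]

if __name__ == "__main__":
    print(sdes_encrypt("01110010", "1010000010"))        # 01110111, as on the S-Box slide
    print(brute_force_keys("01110010", "01110111"))
```

Walking one round by hand with these tables gives K1 = 10100100 and K2 = 01000011 for the slide's key, which is a useful check when reimplementing.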

Double DES (2DES)

● Two DES-based encryption stages using two different keys.
  C = E(K2, E(K1, P))
  P = D(K1, D(K2, C))
● With 2 keys, each of length 56 bits, double DES in effect uses a 112-bit key.
● Meet-in-the-middle attack
● Suppose a plaintext-ciphertext pair (P, C) is available to the attacker
● X = E(K1, P) = D(K2, C)
● The attacker creates a sorted table (TE) of all possible values of X for the given P by trying all possible 2^56 keys (2^56 entries).
● The attacker also creates another sorted table (TD) of all possible X by decrypting C using every one of the 2^56 keys (2^56 entries).

Double DES (2DES)

● Every entry in TE will be compared to every entry in TD: 2^56 * 2^56 = 2^112
● These comparisons involve only 2^64 different possible values (the plaintext block is 64 bits)
● Security of 2DES is the same as that of DES
● Instead of using 2^112 key search tests, we have to use 2^56 key search tests two times.

3DES with two keys

● Three stages of encryption:
● C = E(K3, E(K2, E(K1, P)))
● 168-bit keys
● One way to use triple DES is with just two keys as follows
● C = E(K1, D(K2, E(K1, P)))
● 112-bit keys, EDE encryption
○ When K1 = K2 = K3, 3DES with three keys becomes identical to regular DES.
○ When K1 = K3, we have 3DES with two keys.

The Avalanche Effect

● Aim: a small change in the key (or plaintext) produces a large change in the ciphertext
● The avalanche effect is present in DES (good for security)
● The following examples show the number of bits that change in the output when two different inputs are used, differing by 1 bit
○ Plaintext 1: 02468aceeca86420
○ Plaintext 2: 12468aceeca86420
○ Ciphertext difference: 32 bits
○ Key 1: 0f1571c947d9e859
○ Key 2: 1f1571c947d9e859
○ Ciphertext difference: 30 bits

Block Cipher Modes of Operation

● Block cipher: operates on a fixed length b-bit input to produce b-bit ciphertext
● What about encrypting plaintext longer than b bits?
● Break the plaintext into b-bit blocks (padding if necessary) and apply the cipher on each block
● Security issues arise: different modes of operation have been developed
● Encryption with Block Ciphers: Modes of Operation
○ Electronic Code Book mode (ECB)
○ Cipher Block Chaining mode (CBC)
○ Output Feedback mode (OFB)
○ Cipher Feedback mode (CFB)
○ Counter mode (CTR)
○ Galois Counter Mode (GCM)

Block Cipher Modes of Operation

● Electronic Code Book (ECB):
● Each block is encrypted separately
○ Each block of 64 plaintext bits is encoded independently using the same key
○ Problem: with a long message, repetition in the plaintext may cause repetition in the ciphertext

Electronic Code Book (ECB)

Here’s an AES block. Remember that it can only encrypt 128-bit messages.

How can we use AES to encrypt a longer message (say, 256 bits)?

Electronic Code Book (ECB)

Idea: Let’s use AES twice!

[Figure: the first 128 bits of the message and the second 128 bits of the message each go through the AES block]

Electronic Code Book (ECB)

Note that we are using the same key twice. We want to avoid a situation like one-time pads where we need very long keys.

Electronic Code Book (ECB)

● Identical plaintexts are mapped to identical ciphertexts
● Statistical properties in the plaintext are preserved in the ciphertext

[Figure: original image next to the same bitmap encrypted in ECB mode]

ECB Mode

● Notation: C = E(P, K), P = D(C, K)

Encrypt:                   Decrypt:
C0 = E(P0, K)              P0 = D(C0, K)
C1 = E(P1, K)              P1 = D(C1, K)
C2 = E(P2, K) …            P2 = D(C2, K) …

● Encryption: Ci = E(Pi, K), i ≥ 1
● Decryption: Pi = D(Ci, K) = D(E(Pi, K), K), i ≥ 1

ECB Mode

● Advantages
○ no block synchronization between sender and receiver is required
○ bit errors caused by noisy channels only affect the corresponding block but not succeeding blocks
○ block cipher operation can be parallelized: an advantage for high-speed implementations
● Disadvantages
○ ECB encrypts highly deterministically
○ identical plaintexts result in identical ciphertexts
○ an attacker recognizes if the same message has been sent twice
○ plaintext blocks are encrypted independently of previous blocks
■ an attacker may reorder ciphertext blocks, which results in valid plaintext
○ No integrity protection, susceptible to replay attacks

Substitution Attack on ECB – Integrity

● Once a particular plaintext-to-ciphertext block mapping Pi → Ci is known, a sequence of ciphertext blocks can easily be manipulated
○ Suppose an electronic bank transfer
○ the encryption key between the two banks does not change too frequently
○ The attacker sends $1.00 transfers from his account at bank A to his account at bank B repeatedly
■ He can check for ciphertext blocks that repeat, and he stores blocks 1, 3 and 4 of these transfers
○ He now simply replaces block 4 of other transfers with the block 4 that he stored before
■ all transfers from some account of bank A to some account of bank B are redirected to go into the attacker’s B account!

How to overcome the problem of ECB?

The Initialization Vector (IV) is different for every encryption. Now the first ciphertext block will be different for every encryption!

How to overcome the problem of ECB?

Idea: The first ciphertext block was computed with some randomness. Let’s use it to add randomness to the second block.

How to overcome the problem of ECB?

Now the second ciphertext block has some randomness in it. Let’s use it to add randomness to the third block.

Cipher Block Chaining mode (CBC)

● The input to the encryption algorithm is the XOR of the next plaintext block and the preceding ciphertext block
● The Initialization Vector (IV) must be known by sender/receiver, but secret from the attacker
● There are two main ideas behind the CBC mode:
○ The encryption of all blocks is “chained together”
○ ciphertext y_i depends not only on block x_i but on all previous plaintext blocks as well
○ The encryption is randomized by using an initialization vector (IV)

Cipher Block Chaining mode (CBC)

Encryption:                      Decryption:
C0 = E(IV ⊕ P0, K),              P0 = IV ⊕ D(C0, K),
C1 = E(C0 ⊕ P1, K),              P1 = C0 ⊕ D(C1, K),
C2 = E(C1 ⊕ P2, K), …            P2 = C1 ⊕ D(C2, K), …

● Encryption: Ci = E(Ci-1 ⊕ Pi, K), i ≥ 1
● Decryption: Pi = Ci-1 ⊕ D(Ci, K), i ≥ 1

○ For the first plaintext block P0 there is no previous ciphertext
○ An IV is added to the first plaintext to make each CBC encryption nondeterministic
○ The first ciphertext C0 depends on plaintext P0 and the IV
○ The second ciphertext C1 depends on the IV, P0 and P1
○ The third ciphertext C2 depends on the IV and P0, P1 and P2, and so on

CBC Mode: Decryption

Ci = E(K, Pi ⊕ Ci-1)                          Definition of encryption
D(K, Ci) = D(K, E(K, Pi ⊕ Ci-1))              Decrypting both sides
D(K, Ci) = Pi ⊕ Ci-1                          Decryption and encryption cancel
D(K, Ci) ⊕ Ci-1 = Pi ⊕ Ci-1 ⊕ Ci-1            XOR both sides with Ci-1
D(K, Ci) ⊕ Ci-1 = Pi                          XOR property

CBC Mode: Efficiency & Parallelism

● Can encryption be parallelized?
○ No - we have to wait for block i to finish before encrypting block i+1
● Can decryption be parallelized?
○ Yes - decryption only requires ciphertext as input

CBC Mode: Padding & Security

● What if you want to encrypt a message that isn’t a multiple of the block size?
○ CBC is only defined if the plaintext length is a multiple of the block size
● Solution: Pad the message until it’s a multiple of the block size
○ Padding: Adding dummy bytes at the end of the message until it’s the proper length

● CBC is secure. With what assumption?
○ The IV must be randomly generated and never reused
○ What happens if you reuse the IV?
■ The scheme becomes deterministic: No more security
● Typically, the IV should be a non-secret nonce (value used only once)

CBC Mode: IV Reuse

● Consider two three-block messages: P1P2P3 and P1P2P4
○ The first two blocks are the same for both messages, but the last block is different
○ What if we encrypt them with the same IV?
● When the IV is reused, CBC mode reveals when two messages start with the same plaintext blocks, up to the first different plaintext block

Output Feedback mode (OFB)

● It is used to build a synchronous stream cipher from a block cipher
● The key stream is not generated bitwise but instead in a blockwise fashion
● The output of the cipher gives us key stream bits O_i with which we can encrypt plaintext bits using the XOR operation

[Figure: OFB encryption and decryption; block cipher inputs I0 (= IV), I1, I2 produce keystream outputs O0, O1, O2, each output feeding the next input]

OFB Encryption and Decryption

Encryption performed by the 2 parties                      Decryption
C0 = P0 ⊕ O0        O0 = E(IV, K) = I1                     P0 = C0 ⊕ O0,
C1 = P1 ⊕ O1        O1 = E(I1, K) = I2                     P1 = C1 ⊕ O1,
C2 = P2 ⊕ O2        O2 = E(I2, K) = I3                     P2 = C2 ⊕ O2,

Encryption: Ci = Pi ⊕ Oi, i ≥ 1
  Oi = E(Ii, K), i ≥ 1
  Ii = Oi-1, i ≥ 1
  I0 = IV
Decryption: Pi = Ci ⊕ Oi, i ≥ 1

• OFB is also nondeterministic; hence, encrypting the same plaintext twice results in different ciphertexts.
• One advantage: the block cipher computations are independent of the plaintext.
• Hence, one can precompute one or several blocks s_i of key stream material.

Cipher Feedback mode (CFB)

● Very similar to CBC

Encryption:                      Decryption:
C0 = E(IV, K) ⊕ P0               P0 = E(IV, K) ⊕ C0
C1 = E(C0, K) ⊕ P1               P1 = E(C0, K) ⊕ C1
C2 = E(C1, K) ⊕ P2 …             P2 = E(C1, K) ⊕ C2, …

● Encryption: Ci = E(Ci-1, K) ⊕ Pi, i ≥ 1
● Decryption: Pi = E(Ci-1, K) ⊕ Ci, i ≥ 1

Cipher Feedback mode (CFB)

Counter (CTR) Mode

The counter increments per block to ensure each block cipher output is different.

[Figure: CTR encryption of blocks P1 … Pm to C1 … Cm, each block cipher call taking the nonce and counter]

● Encryption
● E(P, K):
○ Split M into plaintext blocks P1...Pm (each of block size n)
○ Choose a random nonce
○ Compute and output (Nonce, C1, …, Cm)

CTR Mode: Decryption

● We are only using block cipher encryption, not decryption
● D(C, K):
○ Parse C into (nonce, C1, …, Cm)
○ Compute Pi by XORing Ci with the output of E on the nonce and counter
○ Concatenate the resulting plaintexts and output M = P1 … Pm

[Figure: CTR decryption of C1, C2, …, Cm]

Counter (CTR) Mode

● CTR is popular for random access; it uses the block cipher like a stream cipher

Encryption:                      Decryption:
C0 = P0 ⊕ E(IV, K),              P0 = C0 ⊕ E(IV, K),
C1 = P1 ⊕ E(IV+1, K),            P1 = C1 ⊕ E(IV+1, K),
C2 = P2 ⊕ E(IV+2, K), …          P2 = C2 ⊕ E(IV+2, K), …

● Encryption: Ci = Pi ⊕ E(IV+i, K), i ≥ 1
● Decryption: Pi = Ci ⊕ E(IV+i, K), i ≥ 1

○ The input to the block cipher is a counter which assumes a different value every time the block cipher computes a new key stream block
○ the CTR mode can be parallelized since the 2nd encryption can begin before the 1st one has finished
○ Desirable for high-speed implementations, e.g., in network routers

What happens if we reuse IV?

CBC: Attacker can tell that two messages have the same initial plaintext blocks all the way until the first block of difference

CTR: Attacker can compute the XOR between two blocks of two messages on the same positions

IVs and Nonces

● Initialization vector (IV): A random, but public, one-use value to introduce randomness into the algorithm
○ For CTR mode, we say that you use a nonce (number used once), since the value has to be unique, not necessarily random.
○ We use IV and nonce interchangeably
● Never reuse IVs
○ In some algorithms, IV/nonce reuse only leaks a little information (e.g. CBC)
○ In some algorithms, IV/nonce reuse leads to catastrophic failure (e.g. CTR)
● Randomly generate a new IV/nonce for every encryption
○ If the nonce is 128 bits or longer, the probability of generating the same IV/nonce twice is astronomically small (basically 0)
○ Now you don’t ever have to think about IV/nonce reuse attacks!
Error propagation

• How an error in one bit cascades to different decrypted bits.
• Bit errors may occur intentionally in attacks or randomly due to transmission errors

Mode | Effect of bit errors in Ci                              | Effect of bit errors in the IV
ECB  | Random bit errors in Pi                                 | —
CBC  | Random bit errors in Pi; specific bit errors in Pi+1    | Specific bit errors in P1
CFB  | Specific bit errors in Pi; random bit errors in Pi+1    | Random bit errors in P1
OFB  | Specific bit errors in Pi                               | Random bit errors in P1, P2, …, Pn
CTR  | Specific bit errors in Pi                               | Random bit errors in Pi for a bit error in counter block Ti

Error propagation in CBC

● Look at the decryption process, where C’ is a corrupted version of C (the error is in C2):
○ P1 depends only on C1 and the IV, and is unaffected
○ P2 depends on C2 and C1, and hence is corrupted
○ P3 depends on C3 and C2, and is also corrupted.
○ P4 depends on C4 and C3, and not C2; it thus isn’t affected.
● Conclusion: Two blocks change.
● Some form of integrity check must be added
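The ECB, CBC and CTR slides, the IV/nonce-reuse slides and the CBC error-propagation slide, worked as one added example (not code from the slides). To run with the standard library only, the 128-bit block cipher here is a constructed four-round Feistel permutation built on SHA-256; it stands in for AES and is not a secure cipher, but it is a permutation, so ECB/CBC decryption inverts it exactly. DEMO_KEY and DEMO_IV are constructed values; the padding is PKCS#7-style, which the slides describe only as "adding dummy bytes". Each function at the end returns the observation the corresponding slide makes, so the failure modes can be checked rather than taken on faith.

```python
import hashlib

# Added example for the modes-of-operation slides. toy_block_* is a constructed
# stand-in for AES (a 4-round Feistel permutation over SHA-256); NOT secure.
BLOCK = 16
DEMO_KEY = b"demo-key-16bytes"   # constructed
DEMO_IV = bytes(BLOCK)           # constructed; real code draws a fresh os.urandom(16) per message

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):                        # L' = R, R' = L xor F(R)
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):              # undo the rounds in reverse order
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK                # PKCS#7 style: always adds 1..16 bytes
    return msg + bytes([n]) * n

def unpad(msg: bytes) -> bytes:
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, p) for p in blocks(pad(msg)))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pad(msg)):                  # C_i = E(K, P_i xor C_{i-1}), with C_{-1} = IV
        prev = toy_block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):                        # P_i = D(K, C_i) xor C_{i-1}
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    return unpad(cbc_decrypt_raw(key, iv, ct))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(K, nonce + i), XORed with the data; one call encrypts and decrypts."""
    start = int.from_bytes(nonce, "big")
    ks = b"".join(toy_block_encrypt(key, ((start + i) % (1 << 128)).to_bytes(BLOCK, "big"))
                  for i in range(-(-len(data) // BLOCK)))
    return _xor(data, ks)                       # zip truncates the keystream to len(data); no padding

def ecb_leaks_repeats(key: bytes = DEMO_KEY) -> bool:
    """Identical plaintext blocks give identical ciphertext blocks under ECB."""
    c = blocks(ecb_encrypt(key, b"A" * 48))
    return c[0] == c[1] == c[2]

def cbc_iv_reuse_leaks_prefix(key: bytes = DEMO_KEY, iv: bytes = DEMO_IV) -> list:
    """Same IV, same first two blocks: ciphertexts agree up to the first differing block."""
    c1 = blocks(cbc_encrypt(key, iv, b"A" * 16 + b"B" * 16 + b"C" * 16))
    c2 = blocks(cbc_encrypt(key, iv, b"A" * 16 + b"B" * 16 + b"D" * 16))
    return [x == y for x, y in zip(c1, c2)]     # [True, True, False, False]

def ctr_nonce_reuse_leaks_xor(key: bytes = DEMO_KEY, nonce: bytes = DEMO_IV) -> bool:
    """Same nonce twice: C1 xor C2 == P1 xor P2, because the keystream cancels."""
    m1, m2 = b"attack at dawn!!", b"defend at dusk!!"
    return _xor(ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2)) == _xor(m1, m2)

def cbc_error_propagation(key: bytes = DEMO_KEY, iv: bytes = DEMO_IV) -> tuple:
    """One flipped bit in C2: P1 intact, P2 garbled, P3 has exactly that bit flipped, P4 intact."""
    msg = bytes(range(64))
    ct = bytearray(cbc_encrypt(key, iv, msg))
    ct[16] ^= 0x01                              # first byte of C2 (blocks numbered from 1)
    p, m = blocks(cbc_decrypt_raw(key, iv, bytes(ct))), blocks(pad(msg))
    return (p[0] == m[0], p[1] != m[1], _xor(p[2], m[2]) == b"\x01" + bytes(15), p[3] == m[3])
```

Note that none of the three modes here detects the flipped bit: cbc_decrypt_raw happily returns the garbled P2 and the precisely altered P3, which is the "some form of integrity check must be added" conclusion of the slide.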

Comparing Modes of Operation

● General file or packet encryption: CBC.
○ input must be padded to a multiple of the cipher block size
● Risk of byte or bit deletion: CFB
● Bit stream; noisy line and error propagation is undesirable: OFB
● Very high-speed data: CTR
● In most situations, an integrity check is needed

Lack of Integrity and Authenticity

● Block ciphers are designed for confidentiality
● If an attacker tampers with the ciphertext, we are not guaranteed to detect it
● Remember Mallory: An active manipulator who wants to tamper with the message

Lack of Integrity and Authenticity

● Consider CTR mode


● What if Mallory tampers with the ciphertext using XOR?

P a y M a l $ 1 0 0

M 0x50 0x61 0x79 0x20 0x4d 0x61 0x6c 0x20 0x24 0x31 0x30 0x30

EK(i) 0x8a 0xe3 0x5e 0xcf 0x3b 0x40 0x46 0x57 0xb8 0x69 0xd2 0x96

C 0xda 0x82 0x27 0xef 0x76 0x21 0x2a 0x77 0x9c 0x58 0xe2 0xa6
84
Lack of Integrity and Authenticity

● Suppose Mallory knows the message M
● How can Mallory change M to say "Pay Mal $900"?

      P    a    y         M    a    l         $    1    0    0
M     0x50 0x61 0x79 0x20 0x4d 0x61 0x6c 0x20 0x24 0x31 0x30 0x30
EK(i) 0x8a 0xe3 0x5e 0xcf 0x3b 0x40 0x46 0x57 0xb8 0x69 0xd2 0x96
C     0xda 0x82 0x27 0xef 0x76 0x21 0x2a 0x77 0x9c 0x58 0xe2 0xa6

Lack of Integrity and Authenticity

Ci = Mi ⊕ Padi          0x58 = 0x31 ⊕ Padi              Definition of CTR
Padi = Mi ⊕ Ci          Padi = 0x58 ⊕ 0x31 = 0x69       Solve for the ith byte of the pad
C'i = M'i ⊕ Padi        C'i = 0x39 ⊕ 0x69 = 0x50        Compute the changed ith byte

C     0xda 0x82 0x27 0xef 0x76 0x21 0x2a 0x77 0x9c 0x58 0xe2 0xa6
C'    0xda 0x82 0x27 0xef 0x76 0x21 0x2a 0x77 0x9c 0x50 0xe2 0xa6
Lack of Integrity and Authenticity

● What happens when we decrypt C'?
○ The message looks like "Pay Mal $900" now!
○ Note: Mallory didn't have to know the key; no integrity or authenticity for CTR mode!

C'    0xda 0x82 0x27 0xef 0x76 0x21 0x2a 0x77 0x9c 0x50 0xe2 0xa6
EK(i) 0x8a 0xe3 0x5e 0xcf 0x3b 0x40 0x46 0x57 0xb8 0x69 0xd2 0x96
P'    0x50 0x61 0x79 0x20 0x4d 0x61 0x6c 0x20 0x24 0x39 0x30 0x30
      P    a    y         M    a    l         $    9    0    0
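The arithmetic of the last four slides, as an added example that is not part of the lecture material: the keystream bytes EK(i) are the constructed values printed on the slide, not a real AES keystream. It shows why CTR mode on its own gives no integrity, which is what the MAC section of the deck addresses.

```python
# Constructed keystream from the slide (E_K(i) row); not a real cipher output.
KEYSTREAM = bytes([0x8a, 0xe3, 0x5e, 0xcf, 0x3b, 0x40, 0x46, 0x57,
                   0xb8, 0x69, 0xd2, 0x96])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """CTR mode: C_i = M_i XOR Pad_i. Decryption is the same operation."""
    return xor_bytes(plaintext, keystream[:len(plaintext)])

ctr_decrypt = ctr_encrypt

def flip_ciphertext(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """The slide's observation, needing no key: since C_i = M_i XOR Pad_i,
    XOR-ing C with (known XOR wanted) swaps M_i for M'_i under the same pad.
    Bytes where known == wanted are left untouched."""
    return xor_bytes(ciphertext, xor_bytes(known, wanted))

def demo():
    """Reproduce the slide: returns (C, C', P')."""
    m = b"Pay Mal $100"
    c = ctr_encrypt(KEYSTREAM, m)            # 0xda 0x82 ... 0x58 0xe2 0xa6
    c_prime = flip_ciphertext(c, m, b"Pay Mal $900")   # only byte 9 changes
    p_prime = ctr_decrypt(KEYSTREAM, c_prime)           # decrypts to $900
    return c, c_prime, p_prime
```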

Cryptography Roadmap

                          | Symmetric-key                                   | Asymmetric-key
Confidentiality           | ● One-time pads                                 | ● RSA encryption
                          | ● Block ciphers with chaining modes (e.g. AES-CBC) | ● ElGamal encryption
Integrity, Authentication | ● MACs (e.g. HMAC)                              | ● Digital signatures (e.g. RSA signatures)
                          | ● Hash functions                                | ● Key management (certificates)
                          | ● Pseudorandom number generators                | ● Password management
                          |                                                 | ● Public key exchange (e.g. Diffie-Hellman)
Cryptographic Hashes
Message Authentication Codes (MACs)
What Encryption Does and Does Not

• Does
– Confidentiality
• Doesn't do
– Data integrity
– Source authentication
• Need: ensure that data is not altered and is from an authenticated source

[Figure: middle-person attack. Alice sends "Src=Alice, Dst=Bob, Pay me $10"; Eve, in the middle, forwards "Src=Alice, Dst=Bob, Pay me $100" to Bob.]
Authentication vs. Integrity

• Data/message integrity is about ensuring that data cannot change in an unauthorized way
– Data has not changed on disk
– Data has not changed in transit
• Data authentication / authenticity is about ensuring that a message originated from a particular source
– A packet came from Alice
– A program from the Internet was released by Microsoft
• Many of the tools used for one can be used for the other

Hash Function: Definition

● A hash function is a function with a
○ Arbitrary and variable length input (called a "pre-image")
○ Fixed length output (called a "hash" or "message digest")
● Hash function: H(M)
○ Input: arbitrary length message M
○ Output: fixed length, n-bit hash
○ Sometimes written as {0, 1}* → {0, 1}^n
● Properties
○ Correctness: deterministic
■ Hashing the same input always produces the same output
○ Efficiency: efficient to compute
○ Security: one-way-ness ("preimage resistance")
○ Security: collision resistance
○ Security: random/unpredictability, no predictable patterns for how changing the input affects the output
■ Changing 1 bit in the input causes the output to be completely different

Properties of Hash Functions
• Compression: reduces an arbitrary length string to a fixed length hash
• Ease of computation: given message M, h(M) is easy to compute
Hash Function: Intuition

● A hash function provides a fixed-length "fingerprint" over a sequence of bits
● Example: document comparison
○ If Alice and Bob both have a 1 GB document, they can both compute a hash over the document and (securely) communicate the hashes to each other
○ If the hashes are the same, the files must be the same, since they have the same "fingerprint"
○ If the hashes are different, the files must be different

Hash Function

● Since a message hash depends on all the bits in the input message,
○ any alteration of the input message during transmission would cause its message digest to not match the original message hash.
● Used to check for forgeries, unauthorized alterations, etc.
● The only difference between the two messages shown above (in the slide's figure) is the extra space between the words "brown" and "fox" in the second message, yet the digests are completely different.
Hash Function: Properties

● One-way-ness (preimage resistance): given an output y, it is infeasible to find any input x such that H(x) = y
● Here's an output. Can you find an input that hashes to this output?
○ Note: the adversary just needs to find any input, not necessarily the input that was actually used to generate the hash
● How hard? Brute force: try every possible x, see if h(x) = y
○ SHA-1 (common hash function) has 160-bit output
■ Expect to try 2^159 inputs before finding one that hashes to y
● 2nd-preimage resistance (weak collision resistance)
● For a specified input, it is computationally infeasible to find another input that produces the same output
○ given x, it is difficult to find a second input x' ≠ x such that h(x) = h(x')
○ Brute force: 2^159

Collision Resistance (Strong Collision Resistance)

● Collision: two different inputs with the same output
○ x ≠ x' and H(x) = H(x')
○ Can we design a hash function with no collisions?
■ No, because there are more inputs than outputs (pigeonhole principle)
○ However, we want to make finding collisions infeasible for an attacker
● Collision resistance: it is infeasible to find any pair of inputs x' ≠ x such that H(x) = H(x')
● Intuition: can you find any two inputs that collide with the same hash output, for any output?
Hash Function Security Requirements

1. Preimage resistance (or one-wayness)
2. Second preimage resistance (or weak collision resistance)
3. Collision resistance (or strong collision resistance)

Hash Function: Collision Resistance

● Birthday attack: finding a collision on an n-bit output requires only 2^(n/2) tries on average
○ This is why a group of 23 people are >50% likely to have at least one birthday in common
○ Compare to second preimage resistance, which requires 2^(n-1) tries on average because you are constrained to a specified hash output
○ Brute-force collision search is only 2^(n/2), not 2^n
○ For SHA-1, this means 2^80 vs. 2^159
● Intuitively, the hash function behaves like a random mapping, so H(x) maps x to a random value
○ An attacker should not be able to predict how a change in input affects the output
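As an added example (not from the slides), the birthday bound measured on SHA-256 truncated to n = 32 bits: the search remembers every digest seen and finds a collision after roughly 1.25 · 2^(n/2) ≈ 82,000 hashes, while a second-preimage search against a fixed target, which needs about 2^(n-1) tries, does not finish within the same budget. SHA-256 itself is not weak; only the truncation makes the numbers small enough to run. Input labels are constructed.

```python
import hashlib
from typing import Tuple

N_BITS = 32  # truncated output size so 2^(n/2) = 65536 is reachable

def trunc_hash(data: bytes, n_bits: int = N_BITS) -> int:
    """The first n_bits of SHA-256(data), as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def birthday_collision(n_bits: int = N_BITS) -> Tuple[bytes, bytes, int]:
    """Find x != x' with trunc_hash(x) == trunc_hash(x') by storing every
    digest seen so far. Returns (x, x', number of hashes computed); the
    count should land near 1.25 * 2^(n/2)."""
    seen = {}
    i = 0
    while True:
        x = b"msg-%d" % i           # constructed, distinct inputs
        h = trunc_hash(x, n_bits)
        if h in seen:
            return seen[h], x, i + 1
        seen[h] = x
        i += 1

def second_preimage_trials(x: bytes, n_bits: int = N_BITS,
                           limit: int = 1 << 18) -> int:
    """Search for x' != x with the same truncated hash as the *fixed* target x.
    Expected cost is 2^(n-1) tries, so with a budget of `limit` (2^18 here)
    the search almost surely fails and -1 is returned."""
    target = trunc_hash(x, n_bits)
    for i in range(limit):
        cand = b"alt-%d" % i
        if cand != x and trunc_hash(cand, n_bits) == target:
            return i + 1
    return -1
```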
Hash Function: Examples

● MD5
○ Output: 128 bits
○ Security: completely broken
● SHA-1
○ Output: 160 bits
○ Security: completely broken in 2017
○ Was known to be weak before 2017, but still used sometimes
● SHA-2
○ Output: 256, 384, or 512 bits (sometimes labeled SHA-256, SHA-384, SHA-512)
○ Not currently broken, but some variants are vulnerable to a length extension attack
○ Current standard
● SHA-3 (Keccak)
○ Output: 256, 384, or 512 bits
○ Current standard

Message Authentication

● Verify the integrity of a message
○ Ensure data received are exactly as sent
○ Assure that the identity of the sender is valid
● A hash function used to provide message authentication is called a message digest
● Receiver wants to verify:
○ Contents of the message have not been modified (data authentication)
○ Source of the message is who they claim to be (source authentication)
● Different approaches available:
○ Symmetric key encryption
○ Message Authentication Codes (MACs)
○ Hash functions
○ Public key encryption (i.e. digital signatures)
Message Authentication

(Approach: symmetric-key encryption alone, with A and B sharing the key)
● Confidentiality: only B (and A) can recover the plaintext
● Source authentication: A is the only other user with the key; the message must have come from A
● Data authentication: successfully decrypted; the data has not been modified
● Assumption: the decryptor can recognise correct plaintext

Do hashes provide integrity?

● It depends on your threat model
● Scenario
○ Mozilla publishes a new version of Firefox
○ Alice downloads the program binary
○ How can she be sure that nobody tampered with the program?
● Idea: use cryptographic hashes
○ Mozilla hashes the program binary and publishes the hash on its website
○ Alice hashes the binary she downloaded and checks that it matches the hash on the website
○ If Alice downloaded a malicious program, the hash would not match (tampering detected!)
○ An attacker can't create a malicious program with the same hash (collision resistance)
● Threat model: we assume the attacker cannot modify the hash on the website
○ We have integrity, as long as we can communicate the hash securely
Do hashes provide integrity?

● It depends on your threat model
● Scenario
○ Alice and Bob want to communicate over an insecure channel
○ Mallory might tamper with messages
● Idea: use cryptographic hashes
○ Alice sends her message with a cryptographic hash over the channel
○ Bob receives the message and computes a hash on the message
○ Bob checks that the hash he computed matches the hash sent by Alice
● Threat model: Mallory can modify the message and the hash
○ No integrity!

Do hashes provide integrity?

● It depends on your threat model
● If the attacker can modify the hash, hashes don't provide integrity
● Main issue: hashes are unkeyed functions
○ There is no secret key being used as input, so any attacker can compute a hash on any value
● Next: use hashes to design schemes that provide integrity
Message hashing in a communication network

[Three figure-only slides: diagrams of message hashing in a communication network; images not included in this text.]

Message Authentication Codes (MACs)
Cryptography Roadmap

                          | Symmetric-key                                   | Asymmetric-key
Confidentiality           | ● One-time pads                                 | ● RSA encryption
                          | ● Block ciphers with chaining modes (e.g. AES-CBC) | ● ElGamal encryption
Integrity, Authentication | ● MACs (e.g. HMAC)                              | ● Digital signatures (e.g. RSA signatures)
                          | ● Hash functions                                | ● Key management (certificates)
                          | ● Pseudorandom number generators                | ● Password management
                          |                                                 | ● Public key exchange (e.g. Diffie-Hellman)

How to Provide Integrity, Authentication

● Using the symmetric-key setting
○ Assume that Alice and Bob share a secret key, and attackers don't know the key
● We want to attach some piece of information to prove that someone with the key sent this message
○ This piece of information can only be generated by someone with the key
○ MACs append an authentication tag to a message
○ Both parties are generating the authentication tag and verifying it
● Motivation: any manipulations of a message in transit are detected
○ The goal is to ensure that (when Bob receives a message M from Alice)
■ M really originates with Alice and not someone else (authentication)
■ M has not been modified in transit (integrity)
MACs: Usage

● Alice wants to send M to Bob, but doesn't want Mallory to tamper with it
● Alice sends M and T = MAC(K, M) to Bob
● Bob receives M and T
● Bob computes MAC(K, M) and checks that it matches T
● If the MACs match, Bob is confident the message has not been tampered with (integrity)

[Figure: Alice (Key) → Message, MAC → T; over the insecure channel; Bob (Key) → Verify → Message.]

MACs: Definition

● Two parts:
○ KeyGen() → K: generate a key K
○ MAC(K, M) → T: generate a tag T for the message M using key K
■ Inputs: a secret key and an arbitrary-length message
■ Output: a fixed-length tag on the message
● Properties
○ Correctness: determinism **
○ Efficiency: computing a MAC should be efficient
○ Security: unforgeable, i.e. without K an attacker cannot produce a valid tag for a new message
○ ** A deterministic scheme always produces the same output (here: the same tag) for a given input and key, even over separate executions of the algorithm
MAC Properties

1. Cryptographic checksum: a MAC generates a cryptographically secure authentication tag for a given message.
2. Symmetric: MACs are based on secret symmetric keys. The signing and verifying parties must share a secret key.
3. Arbitrary message size: MACs accept messages of arbitrary length.
4. Fixed output length: MACs generate fixed-size authentication tags.
5. Message integrity: MACs provide message integrity. Any manipulations of a message during transit will be detected by the receiver.
6. Message authentication: the receiving party is assured of the origin of the message.
7. No nonrepudiation: since MACs are based on symmetric principles, they do not provide nonrepudiation.

MACs from Hash Functions: HMAC

● Use cryptographic hash functions such as SHA as a building block
● It is used in both the Transport Layer Security (TLS) protocol (indicated by the little lock symbol in your Web browser) and the IPsec protocol suite
● The basic idea is that the key is hashed together with the message; the two simplest (prefix and suffix) constructions are
● HMAC(K, M) = h(K||M), where "||" denotes concatenation
● HMAC(K, M) = h(M||K)
HMAC: Keyed Hash Function as MAC

● HMAC is a keyed hash
○ Why would we need a key?
■ If Trudy replaces M with M' and also replaces h(M) with h(M'), an unkeyed hash detects nothing
● How to compute HMAC?
○ Instead of encrypting the hash, we directly mix the key into M
● Two obvious choices: h(K,M) and h(M,K)
● Which is better?

Creating a MAC from a Hash

• Consider the following simple hash-based MAC: MACk(M) = h(k|M)
• Suppose Eve wanted to append M' to M
– Goal: compute h(k|M|M') without knowing k

[Figure: Alice sends M, h(k|M); Eve forwards M|M', h(k|M|M') to Bob.]

• Solution: use h(k|M) as the IV for the next iteration of the compression function f in h()
• Known as a Message Extension Attack
CBC-MAC

• The last block of a CBC-encrypted ciphertext depends on both the secret key and every block of plaintext
• It turns out that this can act as a good MAC
• Great if you need integrity but not confidentiality
• Caveat: if you use CBC to also encrypt, you must use a different key to compute the MAC

[Figure: CBC chain. P1, P2, …, PN are XORed with the previous ciphertext block (IV for P1, CN–1 for PN), each encrypted under K; outputs C1, C2, …, CN.]

Attacks on HMAC as a prefix MAC

● Hashes are computed in blocks
○ h(B1,B2) = F(F(A,B1),B2) for some compression function F and constant A
○ Then h(B1,B2) = F(h(B1),B2)
● Let M' = (M,X)
○ Then h(K,M') = h(K,M,X) = F(h(K,M),X)
○ Attacker can compute the prefix MAC of M' without K
● Is h(M,K) better? h(M',K) = h(M,X,K) = F(h(M,X),K)
○ Yes, but… if h(M') = h(M) then we might have h(M,K) = F(h(M),K) = F(h(M'),K) = h(M',K)
HMAC

● HMAC(K, M):
○ Compute K' as a version of K that is the length of the hash output
■ If K is too short, pad K with 0's to make it n bits
■ If K is too long, hash it so it's n bits
○ Output H((K' ⊕ opad) || H((K' ⊕ ipad) || M))
● Use K' to derive two different keys
○ opad (outer pad) is the hard-coded byte 0x5c repeated until it's the same length as K'
○ ipad (inner pad) is the hard-coded byte 0x36 repeated until it's the same length as K'
○ As long as opad and ipad are different, you'll get two different keys
○ For paranoia, the designers chose two very different bit patterns, even though they theoretically need only differ in one bit
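The construction above written out with hashlib, as an added example that is not part of the slides, and cross-checked against Python's hmac module. One precision the slide simplifies: RFC 2104 pads K' to the hash's block size B (64 bytes for SHA-256), not to the digest length, and ipad/opad are B bytes long.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104: H((K' xor opad) || H((K' xor ipad) || M))."""
    block_size = hashlib.sha256().block_size   # 64 bytes for SHA-256
    # Step 1: K'. A key longer than one block is hashed first; then zero-pad.
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    k_prime = key.ljust(block_size, b"\x00")
    # Step 2: two different keys from one K', via the fixed ipad/opad bytes.
    k_ipad = bytes(b ^ 0x36 for b in k_prime)
    k_opad = bytes(b ^ 0x5c for b in k_prime)
    # Step 3: inner hash over the message, outer hash over the inner digest.
    inner = hashlib.sha256(k_ipad + msg).digest()
    return hashlib.sha256(k_opad + inner).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()
```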

HMAC Properties

● HMAC(K, M) = H((K' ⊕ opad) || H((K' ⊕ ipad) || M))
● HMAC is a hash function, so it has the properties of the underlying hash too
○ Given HMAC(K, M) and K, an attacker can't learn M
○ If the underlying hash is secure, HMAC doesn't leak information about the message M
● You can't verify a tag T if you don't have K
○ This means that an attacker can't brute-force the message M without knowing K
MACs from Block Ciphers: CBC-MAC

● The MAC is computed as the CBC residue
○ That is, compute the CBC encryption, saving only the final ciphertext block, which is the MAC
● MAC computation (assuming N blocks)
C0 = E(IV ⊕ P0, K),
C1 = E(C0 ⊕ P1, K),
C2 = E(C1 ⊕ P2, K), …
CN–1 = E(CN–2 ⊕ PN–1, K) = MAC
● MAC sent with IV and plaintext
● Receiver does the same computation and verifies that the result agrees with the MAC
● Note: receiver must know the key K

Does a MAC work?

● Suppose Alice has 4 plaintext blocks
● Alice computes
C0 = E(IV ⊕ P0, K), C1 = E(C0 ⊕ P1, K),
C2 = E(C1 ⊕ P2, K), C3 = E(C2 ⊕ P3, K) = MAC
● Alice sends IV, P0, P1, P2, P3 and MAC to Bob
● Suppose Trudy changes P1 to X
● Bob computes
C0 = E(IV ⊕ P0, K), C1 = E(C0 ⊕ X, K),
C2 = E(C1 ⊕ P2, K), C3 = E(C2 ⊕ P3, K) = MAC' ≠ MAC
● That is, the error propagates into the MAC
● Trudy can't make MAC' == MAC without K
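One block, added here and not part of the slides, serves both the "Error propagation in CBC" slide earlier in the deck and the CBC-MAC slides just above: it runs CBC over a toy 8-byte Feistel cipher built from SHA-256 (an assumed stand-in for AES so that it runs with the standard library only; the mode logic is the real CBC), flips one bit of C2 to show which decrypted blocks change, and then shows that replacing P1 changes the CBC residue. The key and plaintext blocks are constructed.

```python
import hashlib
from typing import List, Tuple

BLOCK = 8  # toy block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher: 4 bytes of SHA-256."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel on an 8-byte block (assumed stand-in for AES)."""
    L, R = block[:4], block[4:]
    for r in range(4):
        L, R = R, xor(L, _f(key, r, R))
    return L + R

def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for r in reversed(range(4)):
        L, R = xor(R, _f(key, r, L)), L
    return L + R

def cbc_encrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """C_i = E_K(C_{i-1} XOR P_i), with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = block_encrypt(key, xor(prev, p))
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, blocks: List[bytes]) -> List[bytes]:
    """P_i = D_K(C_i) XOR C_{i-1}: P_i depends only on C_i and C_{i-1}."""
    out, prev = [], iv
    for c in blocks:
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return out

def cbc_mac(key: bytes, iv: bytes, blocks: List[bytes]) -> bytes:
    """CBC residue: run CBC encryption and keep only the last block."""
    return cbc_encrypt(key, iv, blocks)[-1]

KEY = b"demo-key"          # constructed demo key, not a real secret
IV = bytes(BLOCK)          # all-zero IV (the usual fixed choice for CBC-MAC)
P = [b"block-01", b"block-02", b"block-03", b"block-04"]

def corrupted_cbc_decrypt() -> Tuple[List[bytes], List[bytes]]:
    """Flip one bit of C2 and decrypt: P2 is garbled, P3 has exactly that
    bit flipped, P1 and P4 are untouched (the slide's 'two blocks change')."""
    c = cbc_encrypt(KEY, IV, P)
    c2 = bytearray(c[1])
    c2[0] ^= 0x80
    return P, cbc_decrypt(KEY, IV, [c[0], bytes(c2), c[2], c[3]])

def mac_detects_change() -> bool:
    """Trudy replaces P1 with X: the change propagates into the CBC residue,
    so Bob's recomputed MAC differs from the one Alice sent."""
    tag = cbc_mac(KEY, IV, P)
    tampered = [P[0], b"XXXXXXXX", P[2], P[3]]
    return cbc_mac(KEY, IV, tampered) != tag
```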
Confidentiality and Integrity

● You can use:
○ A secure encryption scheme (e.g. AES-CBC): Enc(K, M) and Dec(K, C)
○ An unforgeable MAC scheme (e.g. HMAC): MAC(K, M)
● First attempt: Alice sends Enc(K1, M) and MAC(K2, M)
○ Integrity? Yes, the attacker can't tamper with the MAC
○ Confidentiality? No, the MAC is not IND-CPA secure (it is deterministic and may leak information about M)
● Idea: let's compute the MAC on the ciphertext instead of the plaintext: Enc(K1, M) and MAC(K2, Enc(K1, M))
○ Integrity? Yes, the attacker can't tamper with the MAC
○ Confidentiality? Yes, the MAC might leak info about the ciphertext, but that's okay
● Idea: let's encrypt the MAC too: Enc(K1, M || MAC(K2, M))
○ Integrity? Yes, the attacker can't tamper with the MAC
○ Confidentiality? Yes, everything is encrypted

MAC-then-Encrypt or Encrypt-then-MAC?

● MAC-then-encrypt
○ First compute MAC(K2, M)
○ Then encrypt the message and the MAC together: Enc(K1, M || MAC(K2, M))
● Encrypt-then-MAC
○ First compute Enc(K1, M)
○ Then MAC the ciphertext: MAC(K2, Enc(K1, M))
● Which is better?
○ In theory, both are secure if applied properly
○ MAC-then-encrypt has a flaw: you don't know if tampering has occurred until after decrypting
■ The attacker can supply arbitrary tampered input, and you always have to decrypt it
■ Passing attacker-chosen input through the decryption function can cause side-channel leaks
● Always use encrypt-then-MAC because it's more robust to mistakes
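The two compositions side by side, as an added example that is not part of the slides: Enc is an assumed toy CTR-style stream cipher (SHA-256 keystream under a random nonce, standing in for AES-CTR) and the MAC is HMAC-SHA256. A counter on the decryptor makes the slide's point measurable: with encrypt-then-MAC a tampered message is rejected before any decryption runs, with MAC-then-encrypt the attacker-chosen input goes through the decryptor first. Keys are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TAG_LEN = 32
NONCE_LEN = 16
DECRYPT_CALLS = [0]   # how often attacker-controlled data reaches dec()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR keystream: SHA-256(key || nonce || counter), concatenated."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]

def enc(key: bytes, msg: bytes, nonce: bytes) -> bytes:
    """Enc(K, M) = nonce || (M XOR keystream)."""
    ks = _keystream(key, nonce, len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, ks))

def dec(key: bytes, ct: bytes) -> bytes:
    DECRYPT_CALLS[0] += 1
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return enc(key, body, nonce)[NONCE_LEN:]

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def etm_seal(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: Enc(K1, M) || MAC(K2, Enc(K1, M))."""
    ct = enc(k1, msg, os.urandom(NONCE_LEN))
    return ct + mac(k2, ct)

def etm_open(k1: bytes, k2: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(mac(k2, ct), tag):
        return None                 # rejected before the decryptor sees it
    return dec(k1, ct)

def mte_seal(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """MAC-then-encrypt: Enc(K1, M || MAC(K2, M))."""
    return enc(k1, msg + mac(k2, msg), os.urandom(NONCE_LEN))

def mte_open(k1: bytes, k2: bytes, blob: bytes) -> Optional[bytes]:
    pt = dec(k1, blob)              # must decrypt first, whatever was sent
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(mac(k2, msg), tag):
        return None
    return msg

def tamper_demo() -> Dict[str, Tuple[Optional[bytes], int]]:
    """Flip ciphertext byte 9 (the '1' of $100, as on the CTR slide) and report
    (result, number of decryptions performed) for each composition."""
    k1, k2 = b"k1-demo-key", b"k2-demo-key"        # constructed keys
    m = b"Pay Mal $100"
    results = {}
    for name, seal, open_ in (("EtM", etm_seal, etm_open), ("MtE", mte_seal, mte_open)):
        blob = bytearray(seal(k1, k2, m))
        blob[NONCE_LEN + 9] ^= 0x08
        DECRYPT_CALLS[0] = 0
        results[name] = (open_(k1, k2, bytes(blob)), DECRYPT_CALLS[0])
    return results

def roundtrip_ok() -> bool:
    k1, k2, m = b"k1-demo-key", b"k2-demo-key", b"Pay Mal $100"
    return etm_open(k1, k2, etm_seal(k1, k2, m)) == m and \
        mte_open(k1, k2, mte_seal(k1, k2, m)) == m
```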
AE and AEAD Encryption

● Both simultaneously assure the confidentiality and authenticity of data.
● Authenticated Encryption (AE) is a system which provides both confidentiality and authenticity, typically using a single key.
○ Even though AE provides confidentiality and integrity, it is still not secure against replay attacks.
● Use a scheme that is designed to provide confidentiality, integrity, and authenticity
● Authenticated encryption with additional data (AEAD): an algorithm that provides both confidentiality and integrity over the plaintext and integrity over additional data
○ Additional data is usually context (e.g. a memory address), so you can't change the context without breaking the MAC
○ AEAD binds associated data (AD) to the ciphertext and to the context where it is supposed to appear, so that attempts to "cut-and-paste" a valid ciphertext into a different context are detected and rejected.
○ No more worrying about MAC-then-encrypt

AE and AEAD Encryption

[Figure: the three generic compositions, Encrypt-then-MAC (EtM), MAC-then-Encrypt (MtE) and Encrypt-and-MAC (E&M); image not included in this text.]
Example Uses of MAC

[Figure-only slide; image not included in this text.]