CMSC 414 Computer and Network Security: Jonathan Katz

This document summarizes a lecture on computer and network security. It discusses an upcoming JCE tutorial and homework assignment. It also lists assigned readings and asks for any comments. The lecture then provides a high-level survey of cryptography, covering private and public key settings. It discusses goals like confidentiality and integrity. It provides examples of classic ciphers like shift and substitution ciphers to illustrate concepts like exhaustive key search and frequency analysis. It emphasizes the importance of defining security and considering the threat model. The need for cryptographic schemes designed by experts rather than homemade solutions is stressed. The concept of perfect secrecy is introduced.

Uploaded by

d3toxed
Copyright
© Attribution Non-Commercial (BY-NC)
CMSC 414 Computer and Network Security Lecture 2

Jonathan Katz

JCE tutorial
- In class next Wednesday
- HW1 will use it

Assigned readings from lecture 1
- Inside the Twisted Mind of the Security Professional
- We are All Security Customers
- Information Security and Externalities
- Comments?

A high-level survey of cryptography

Caveats
- Everything I present will be (relatively) informal
  - I may simplify, but I will not say anything that is an outright lie
- Cryptography offers formal definitions and rigorous proofs of security (neither of which we will cover here)
  - For more details, take CMSC 456 in the Fall (or read my book)!
- If you think you already know cryptography from somewhere else (CMSC456, CISSP, your job, the news), you are probably mistaken

Goals of cryptography
- Crypto deals primarily with three goals:
  - Confidentiality
  - Integrity (of data)
  - Authentication (of resources, people, systems)
- Other goals also considered
  - E.g., non-repudiation
  - E-cash (e.g., double spending)
  - General secure multi-party computation
  - Anonymity

Private- vs. public-key settings
- For the basic goals, there are two settings:
  - Private-key / shared-key / symmetric-key / secret-key
  - Public-key
- The private-key setting is the classical one (thousands of years old)
- The public-key setting dates to the 1970s

Private-key cryptography
- The communicating parties share some information that is random and secret
  - This shared information is called a key
  - Key is not known to an attacker
  - This key must be shared (somehow) in advance of their communication

To emphasize
- Alice and Bob share a key K
  - Must be shared securely
  - Must be completely random
  - Must be kept completely secret from attacker
- We don't discuss (for now) how they do this
  - You can imagine they meet on a dark street corner and Alice hands a USB device (with a key on it) to Bob

Private-key cryptography
- For confidentiality:
  - Private-key (symmetric-key) encryption
- For data integrity:
  - Message authentication codes

Canonical applications
- Two (or more) distinct parties communicating over an insecure network
  - E.g., secure communication
- A single party who is communicating with itself over time
  - E.g., secure storage

[Figures: Alice and Bob, each holding the shared key K; Bob and Bob, each holding K]

Security?
- We will specify the exact threat model being addressed
- We will also specify the security guarantees that are ensured, within this threat model
  - Here: informally; CMSC 456: formally
- Crucial to understand these issues before crypto can be successfully deployed!
  - Make sure the stated threat model matches your application
  - Make sure the security guarantees are what you need

Security through obscurity?
- Always assume that the full details of crypto protocols and algorithms are public
  - Known as Kerckhoffs' principle
  - The only secret information is a key
- Security through obscurity is a bad idea
  - True in general; even more true in the case of cryptography
  - Home-brewed solutions are BAD!
  - Standardized, widely-accepted solutions are GOOD!

Security through obscurity?
- Why not?
- Easier to maintain secrecy of a key than an algorithm
  - Reverse engineering
  - Social engineering
  - Insider attacks
- Easier to change the key than the algorithm
- In general setting, much easier to share an algorithm than for everyone to use their own

Private-key encryption

Functional definition
- Encryption algorithm:
  - Takes a key and a message (plaintext), and outputs a ciphertext
  - $c \leftarrow E_K(m)$ (possibly randomized!)
- Decryption algorithm:
  - Takes a key and a ciphertext, and outputs a message (or perhaps an error)
  - $m = D_K(c)$
- Correctness: for all $K$, we have $D_K(E_K(m)) = m$
- We have not yet said anything about security

[Figure: Alice and Bob share the key K; Alice sends $c \leftarrow E_K(m)$ and Bob computes $m = D_K(c)$]

A classic example: shift cipher
- Assume the English uppercase alphabet (no lowercase, punctuation, etc.)
  - View letters as numbers in $\{0, \ldots, 25\}$
- The key is a random letter of the alphabet
- Encryption done by addition modulo 26
- Is this secure?
  - Exhaustive key search
  - Automated determination of the key

Another example: substitution cipher
- The key is a random permutation of the alphabet
  - Note: key space is huge!
- Encryption done in the natural way
- Is this secure?
  - Frequency analysis
- A large key space is necessary, but not sufficient, for security

Another example: Vigenere cipher
- More complicated version of shift cipher
- Believed to be secure for over 100 years
- Is it secure?

Attacking the Vigenere cipher
- Let $p_i$ (for $i = 0, \ldots, 25$) denote the frequency of letter $i$ in English-language text
  - Known that $\sum_i p_i^2 \approx 0.065$
- For each candidate period $t$, compute frequencies $\{q_i\}$ of letters in the sequence $c_0, c_t, c_{2t}, \ldots$
- For the correct value of $t$, we expect $\sum_i q_i^2 \approx 0.065$
- For incorrect values of $t$, we expect $\sum_i q_i^2 \approx 1/26$
- Once we have the period, can use frequency analysis as in the case of the shift cipher
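The period test and the per-stream shift recovery described above, as an added example that is not part of the original slides. It goes slightly beyond the slide by averaging the score over all t streams (not only c_0, c_t, c_2t, ...) and by picking each shift as the k that maximises the sum of p_i * q_{i+k}; the function names, the sample text, the demo key and the 0.052 threshold are assumptions made for the demonstration.

```python
from collections import Counter
from string import ascii_uppercase as ALPHA

# Approximate English letter frequencies p_0..p_25 (A..Z); their squares sum to about 0.065.
P = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
     .067, .075, .019, .001, .060, .063, .091, .028, .010, .024, .002, .020, .001]
# Constructed sample plaintext (paraphrases the slides); only the letters A-Z are kept.
TEXT = (
    "Always assume that the full details of cryptographic protocols and algorithms are public and that the only "
    "secret information is the key. It is easier to maintain the secrecy of a short key than of an algorithm, and "
    "it is easier to change the key than to change the algorithm. A large key space is necessary but not sufficient "
    "for security. The shift cipher falls to exhaustive key search, the substitution cipher falls to frequency "
    "analysis, and the Vigenere cipher, believed secure for over one hundred years, falls once the period is known. "
    "Do not use simple schemes and do not use schemes that you design yourself. Use schemes that other people have "
    "already designed and analyzed, and make sure the stated threat model matches your application. It is crucial "
    "to understand these issues before cryptography can be successfully deployed.")
PLAIN = "".join(ch for ch in TEXT.upper() if ch in ALPHA)

def vigenere(text, key, sign=1):
    """Add (sign=1) or subtract (sign=-1) the repeating key, letter by letter, modulo 26."""
    return "".join(ALPHA[(ALPHA.index(c) + sign * ALPHA.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(text))

def sum_sq(stream):
    """Estimate sum_i q_i^2 for one stream, corrected for small-sample bias."""
    n = len(stream)
    return sum(k * (k - 1) for k in Counter(stream).values()) / (n * (n - 1))

def find_period(ct, max_t=12, threshold=0.052):
    """Smallest t whose streams score near 0.065 rather than 1/26 (threshold is about midway)."""
    for t in range(1, max_t + 1):
        if sum(sum_sq(ct[j::t]) for j in range(t)) / t > threshold:
            return t
    raise ValueError("no candidate period scored like English text")

def best_shift(stream):
    """Shift k that maximises sum_i p_i * q_{i+k}; about 0.065 only for the correct k."""
    q = Counter(stream)
    return max(range(26), key=lambda k: sum(P[i] * q[ALPHA[(i + k) % 26]] for i in range(26)))

def recover_key(ct):
    """Find the period, then solve each stream as an independent shift cipher."""
    t = find_period(ct)
    return "".join(ALPHA[best_shift(ct[j::t])] for j in range(t))

if __name__ == "__main__":
    ct = vigenere(PLAIN, "CRYPT")          # "CRYPT" is an arbitrary demo key
    key = recover_key(ct)
    print(key, vigenere(ct, key, -1)[:40])
```

With a single stream (t = 1) the same `best_shift` call is the automated key determination for the plain shift cipher, with no need to read 26 candidate decryptions by eye.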

Moral of the story?
- Don't use simple schemes
- Don't use schemes that you design yourself
  - Use schemes that other people have already designed and analyzed

A fundamental problem
- A fundamental problem with classical cryptography is that no definition of security was ever specified
  - It was not even clear what it meant for a scheme to be secure
- As a consequence, proving security was not even an option
  - So how can you know when something is secure?
  - (Or is at least based on well-studied, widely-believed assumptions)

Defining security?
- What is a good definition?
- Why is a good definition important?

Security goals?
- Adversary unable to recover the key
  - Necessary, but meaningless on its own
- Adversary unable to recover entire plaintext
  - Good, but is it enough?
- Adversary unable to determine any information at all about the plaintext
  - Formalize?
  - Sounds great!
  - Can we achieve it?

Note
- Even given our definition, we need to consider the threat model
  - Multiple messages or a single message?
  - Passive/active adversary?
  - Chosen-plaintext attacks?
- The threat model matters!
  - The classical ciphers we have seen are immediately broken by a known-plaintext attack

Defining secrecy (take 1)
- Even an adversary running for an unbounded amount of time learns nothing about the message from the ciphertext
  - Perfect secrecy
- Formally, for all distributions over the message space, all $m$, and all $c$: $\Pr[M = m \mid C = c] = \Pr[M = m]$

Next time: the one-time pad; its limitations; overcoming these limitations
