Foundations of Network and Computer Security
John Black
Lecture #6, Sep 9th 2009
CSCI 6268/TLEN 5550, Fall 2009

Digression on the One-Time Pad
• Suppose Alice and Bob shared a 10,000 bit string K that was secret, uniformly random
  – Can Alice send Bob a 1KB message M with “perfect” security?
  – 1KB is 8192 bits; let X be the first 8192 bits of the shared string K
  – Alice sets C = M ⊕ X, and sends C to Bob
  – Bob computes C ⊕ X and recovers M
    • Recall that M ⊕ X ⊕ X = M

Security of the One-Time Pad
• Consider any bit of M, m_i, and the corresponding bits of X and C, (x_i, c_i)
  – Then c_i = m_i ⊕ x_i
  – Given that some adversary sees c_i go across a wire, what can he discern about the bit m_i?
    • Nothing! Since x_i is equally likely to be 0 or 1
  – So why not use the one-time pad all the time?
    • Shannon proved (1948) that for perfect security the key must be at least as long as the message
      – Impractical

One-Time Pad (cont)
• Still used for very-top-secret stuff
  – Purportedly used by Russians in WW II
• Note that it is very important that each bit of the pad be used at most one time!
  – The infamous “two-time pad” is easily broken
    • Imagine C = M ⊕ X, C’ = M’ ⊕ X
    • Then C ⊕ C’ = M ⊕ X ⊕ M’ ⊕ X = M ⊕ M’
    • Knowing the xor of the two messages is potentially very useful
    • n-time pad for large n is even worse (WEP does this)

Counter Mode – CTR
• Blockcipher E under key K, M broken into m blocks of n bits, as usual
• Nonce N is typically a counter, but not required
    C_0 = N
    C_i = E_K(N++) ⊕ M_i
• Ciphertext is C = C_0 C_1 … C_m

CTR Mode
• Again, n bits of ciphertext expansion
• Non-deterministic encryption
• Fully parallelizable in both directions
• Not that widely used despite being known for a long time
  – People worry about counter overlap producing pad reuse

Why I Like Modes of Operation
• Modes are “provably secure”
  – Unlike blockciphers which are deemed “hopefully secure” after intense scrutiny by experts, modes can be proven secure like this:
    • Assume blockcipher E is secure (computationally indistinguishable from random, as we described)
    • Then the mode is secure in an analogous black-box experiment
  – The proof technique is done via a “reduction” much like you did in your NP-Completeness class
  – The argument goes like this: suppose we could break the mode with computational resources X, Y, Z. Then we could distinguish the blockcipher with resources X’, Y’, Z’ where these resources aren’t that much different from X, Y, and Z

Security Model
• Alice and Bob
  – Traditional names
  – Lets us abbreviate A and B
  – Adversary is the bad guy
    • This adversary is passive; sometimes called “Eve”
  – Note also the absence of side-channels
    • Power consumption, timing, error messages, etc.

[Figure: Alice (Key K), Adversary, Bob (Key K)]

Various Attack Models
• Known-Ciphertext Attack (KCA)...
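The CTR definition above and the worry about counter overlap producing pad reuse, worked through as an added example that is not part of the original slides. It assumes n = 128 and uses HMAC-SHA256 truncated to n bits as a stand-in for E_K (a PRF, not a real blockcipher); the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128 bits (assumed block size)

def E(key: bytes, counter: int) -> bytes:
    """Stand-in for E_K: HMAC-SHA256 truncated to n bits (not a real blockcipher)."""
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def ctr_encrypt(key: bytes, nonce: int, msg: bytes) -> bytes:
    """C_0 = N, C_i = E_K(N++) xor M_i; a short final block just uses fewer pad bytes."""
    out = [nonce.to_bytes(BLOCK, "big")]
    for i in range(0, len(msg), BLOCK):
        out.append(xor(E(key, nonce), msg[i:i + BLOCK]))
        nonce = (nonce + 1) % (1 << (8 * BLOCK))
    return b"".join(out)

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    """Decryption is the same xor with the same pad, starting from N = C_0."""
    nonce = int.from_bytes(ct[:BLOCK], "big")
    return ctr_encrypt(key, nonce, ct[BLOCK:])[BLOCK:]

def counters_overlap(n1: int, blocks1: int, n2: int, blocks2: int) -> bool:
    """Sender-side check: do counter ranges [n1, n1+blocks1) and [n2, n2+blocks2)
    intersect? (Wraparound of the counter is ignored here.)"""
    return n1 < n2 + blocks2 and n2 < n1 + blocks1

# Constructed sample data
KEY = b"constructed demo key"
M1 = b"block-one-of-M1." + b"block-two-of-M1."  # two blocks
M2 = b"block-one-of-M2."                        # one block

def leaked_xor() -> bytes:
    """M1 uses counters 7 and 8; M2 starts at 8, so counter 8 is used twice.
    Xoring the two ciphertext blocks made with counter 8 cancels the pad,
    exactly as in the two-time pad: C xor C' = M xor M'."""
    c1 = ctr_encrypt(KEY, 7, M1)
    c2 = ctr_encrypt(KEY, 8, M2)
    return xor(c1[2 * BLOCK:3 * BLOCK], c2[BLOCK:2 * BLOCK])

if __name__ == "__main__":
    print("overlap detected:", counters_overlap(7, 2, 8, 1))
    print("pad cancelled:   ", leaked_xor() == xor(M1[BLOCK:], M2))
```

Running `counters_overlap` over the (nonce, block count) of every message sent under one key, before encrypting, is the check that prevents the reuse shown by `leaked_xor`.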
 Winter '09
 Black