Provable Security in Practice: Analysis of SSH and CBC Mode with Padding

Gaven James Watson

Thesis submitted to the University of London for the degree of Doctor of Philosophy

Information Security Group
Department of Mathematics
Royal Holloway, University of London
2010

Declaration

These doctoral studies were conducted under the supervision of Prof. Kenneth G. Paterson. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Department of Mathematics as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment.

Gaven James Watson
June, 2010

Acknowledgements

When I first started my PhD, I did not know where it would take me or even how much it was possible for me to achieve. I have been incredibly lucky to have worked on some interesting problems which have given birth to significant results. This has all been possible due to the excellent supervision of Prof. Kenny Paterson. His advice, constructive criticism and the odd amusing analogy have helped me, not only to develop as a researcher but have taught me a great deal about writing and presenting my work. What I have learnt will be invaluable in my future career, whatever that may be. I also extend my gratitude to my advisor Dr. Steven Galbraith, whom I met during my Masters at Royal Holloway and without whom I would not have met Kenny.

I am grateful to the EPSRC and BT whose financial support has kept me well fed and watered throughout the course of my PhD.

Whilst working on SSH I had the good fortune to work with Martin Albrecht. His speedy implementation of our attacks on SSH and the new insight he brought to our research can be summed up in one word: awesome!

During my time at Royal Holloway I have been lucky to meet and become friends with a vast array of people. There have been many great times shared in the office, on the tennis court or at home in the “Houses of Crypto”. Thanks to everyone who has made my time at Royal Holloway so enjoyable. A special thanks goes to Liz Quaglia and Sriram Srinivasan. Liz for being like a third sister to me and giving me somewhere to stay when I was homeless. Sriram for sharing his philosophies on life and being an education to live with.

Finally I would like to thank my family: My sisters for setting the standards I’ve had to live up to, my nephews and niece for always being able to put a smile on my face and my parents for their unwavering support and guidance.

Abstract

This thesis illustrates and examines the gap that exists between theoretical and practical cryptography. Provable security is a useful tool which allows cryptographers to perform formal security analyses within a strict mathematical framework. Unfortunately, the formal modelling of provable security sometimes fails to match how particular schemes or protocols are implemented in real life. We examine how certain types of attack are not covered by the current techniques and show how this can be remedied by expanding existing security models to capture a much wider array of attacks.

We begin by studying padding oracle attacks, a powerful class of side-channel, plaintext-recovering attacks introduced by Vaudenay. These attacks have been shown to work in practice against CBC mode when it is implemented in certain ways. In particular, padding oracle attacks have been demonstrated for certain implementations of SSL/TLS and IPsec. We develop new security models and proofs of security for CBC mode (with padding). These models show how to select padding schemes and in what order to combine CBC mode encryption, padding and authentication to provably provide a strong notion of security incorporating padding oracle attacks.

Next we study the secure network protocol SSH. The first formal security analysis of the SSH Binary Packet Protocol (BPP) was performed by Bellare, Kohno and Namprempre. We present new plaintext-recovery attacks against the SSH BPP which partially invalidate this work. By examining why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, we are able to determine what features are missing from Bellare et al.’s original provable security analysis for SSH. Using this knowledge we define new security models that accurately capture the capabilities of real-world attackers, as well as security-relevant features of the SSH specifications and the OpenSSH implementation of SSH. Our new models then give us the ability to prove that SSH using counter mode encryption is secure against a much wider array of attacks, including our plaintext-recovery attacks.

We conclude with further discussion of why the gap between theory and practice exists and suggest other ways of narrowing the gap.

Contents

1 Introduction
    1.1 Motivation
    1.2 Contribution
    1.3 Publications
    1.4 Organisation of Thesis
2 Theoretical Preliminaries
    2.1 Cryptographic Primitives
        2.1.1 Block Ciphers
        2.1.2 Encryption Schemes and Modes of Operation
        2.1.3 Message Authentication Codes
        2.1.4 Encoding Schemes
        2.1.5 Authenticated Encryption with Associated Data
    2.2 Provable Security
        2.2.1 A Short History
        2.2.2 Practice-Oriented Provable Security
        2.2.3 Functions and Permutations
        2.2.4 Security Models for Symmetric Encryption
        2.2.5 Results for Generic Compositions
3 Practical Preliminaries
    3.1 Network Protocols
        3.1.1 SSL/TLS
        3.1.2 SSH
        3.1.3 IPsec
    3.2 Side-Channel Analysis
    3.3 A Short History of Padding Oracle Attacks
4 Formal Security Models for Padding Oracle Attacks
    4.1 Introduction
    4.2 Padding Schemes
    4.3 Security Models
        4.3.1 One-way Security
        4.3.2 Left-or-Right Indistinguishability
        4.3.3 Real-or-Random Indistinguishability
        4.3.4 Find-then-Guess Security
    4.4 Relations Between Models
    4.5 Summary
5 Formal Security Analysis of CBC Mode Against Padding Oracle Attacks
    5.1 Introduction
    5.2 Further Definitions
        5.2.1 Some Padding Schemes
        5.2.2 Arbitrary Length CBC Mode
    5.3 Padding Methods for Chosen-Plaintext Security
        5.3.1 Padding Methods With Invalid Paddings
        5.3.2 Padding Methods With No Invalid Paddings
    5.4 Constructions Achieving Chosen-Ciphertext Security
        5.4.1 Encrypt-&-Authenticate
        5.4.2 Encrypt-then-Authenticate
        5.4.3 Authenticate-then-Encrypt
    5.5 Conclusion
6 Attacking SSH
    6.1 Introduction
        6.1.1 Overview of our Attack
        6.1.2 Previous Attacks on SSH
    6.2 The SSH Binary Packet Protocol
        6.2.1 The OpenSSH Implementation of the BPP
    6.3 Attacking OpenSSH
        6.3.1 Recovering 14 Plaintext Bits
        6.3.2 Recovering 32 Plaintext Bits
        6.3.3 Iterating the Attack
    6.4 Experimental Validation
    6.5 Countermeasures
        6.5.1 BPP Redesign
    6.6 Conclusion
7 Formal Security Analysis of SSH
    7.1 Introduction
    7.2 Existing Formal Security Analysis of SSH
        7.2.1 SSH-NPC and SSH-$NPC
        7.2.2 Further Provably Secure Variants
    7.3 Improving the Analysis
        7.3.1 Online Encryption
    7.4 Modelling the SSH BPP and its Security
    7.5 Further Definitions
        7.5.1 Building Blocks
        7.5.2 Encode-then-Encrypt-&-MAC
    7.6 Security Models
        7.6.1 Chosen-Plaintext Security
        7.6.2 Chosen-Ciphertext Security
        7.6.3 Integrity of Ciphertexts
        7.6.4 Security of Message Authentication Schemes
    7.7 Security Analysis
    7.8 Conclusion
8 Conclusion
    8.1 The Gap Between Theory and Practice
    8.2 Closing the Gap
Bibliography

Notation

We denote here some of the notation that we shall use throughout this thesis.

$l, L$    The blocksize in bits/bytes respectively.
$x \| y$    The concatenation of the bit strings $x$ and $y$.
$xy$    Shorthand for $x \| y$.
$x^i$    The concatenation of the bit string $x$ with itself $i$ times.
$x[i]$    The $i$-th block of the string $x$.
$x[i \ldots j]$    The concatenation of blocks $i$ up to $j$ of the bit string $x$.
$\{0,1\}^n$    All bit strings of length $n$ bits.
$\{0,1\}^*$    All bit strings.
$x \oplus y$    The bit-wise exclusive-or (XOR) of $x$ and $y$.
$|x|$    The size of $x$ in bits.
$\|x\|$    The size of $x$ in bytes.
$\langle i \rangle_j$    The $j$-byte representation of integer $i$, where $0 \le i < 2^{8j}$.
$x \xleftarrow{r} X$    Denotes $x$ being chosen uniformly at random from the set $X$.
Exp    An experiment.
Adv    An advantage function.
$\mathcal{A}$    An adversary.
$\mathcal{A}^{\mathcal{O}}$    An adversary with oracle access to $\mathcal{O}$.
$\mathcal{M}$    The message space of an encryption scheme.
$\mathcal{C}$    The ciphertext space of an encryption scheme.

Chapter 1

Introduction

Contents
    1.1 Motivation
    1.2 Contribution
    1.3 Publications
    1.4 Organisation of Thesis

This chapter gives an overview of the thesis. We provide the motivation for our research and describe the contributions of this thesis. In this chapter, we also present the overall structure of the thesis.

1.1 Motivation

Over the past fifty years cryptography has begun to play an ever increasing role in our everyday lives, but ask the average man on the street what cryptography is and you may hear stories of governments, spies and if you’re lucky, great achievements such as the breaking of the Enigma code. Few people actually realise the important role cryptography plays in their lives and how frequently it is used.