CE441: Data and Network Security Cryptography

CE441: Data and Network Security Cryptography — Symmetric

Behnam Momeni, PhD

Department of Computer Engineering Sharif University of Technology

Fall 2019

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 1 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Outline

1 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Cryptography: Deﬁnition and Models Classic Cryptography Cryptanalysis: A Glimpse

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 2 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Security Goals

Availability

CIA Triad

Conﬁdentiality Integrity

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 3 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Deﬁnition

Defining an scheme has two main parts Syntax: specifies operations which can be performed by honest participants of the scheme e.g. The symmetric encryption scheme, SE = (K, E, D), contains a key generation function K, an encryption function E, and a decryption function D k ← K : ∀m . Dk (Ek (m)) = m The scheme is modeled here Semantic: specifies conditions which must be met by a secure scheme The security definition is formalized here

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 4 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Game-based Deﬁnition

Model the scheme operations normally Then, devise a game between an adversary and a challenger Adversary tries to break the security deﬁnition Challenger wants to demonstrate inability of the adversary Adversary is trying to obtain some advantage e.g. in an encryption scheme, an adversary might want to learn the key or she might want to decrypt a ciphertext The advantage of an adversary can be deﬁned in terms of a success probability How probable is it to guess the key correctly? As probable as a random guess? −→ No advantage Better than a random guess? −→ Scheme is not too strong Formalize the advantage

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 5 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Game-based Deﬁnition

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 5 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? IND-CPA – Game-based Deﬁnition

For example, consider the scheme of SE = (K, E, D) The game of ciphertext indistinguishability under the chosen plaintext attack (IND-CPA) is deﬁned as follows: Challenger generates a secret key and a random b from {0, 1} k ←$ K, b ←$ {0, 1}

Adversary selects two possible messages: M0 and M1 $ Challenger encrypts Mb and reveals Cb ← Ek (Mb) Adversary must guess the b and distinguish C0 from C1 Adversary can ask about encryption of any plaintext The advantage of an adversary (A) can be formalized as AdvSE (A) = 2P[GuessSE (A) = true] − 1 Scheme is deﬁned to be secure if and only if AdvSE (A) is negligible for all A Abilities of A can be restricted by a model

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 6 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? IND-CPA – Game-based Deﬁnition

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 6 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Simulation-based Deﬁnition

Consider an ideal world parallel to the real world The scheme is defined similarly in both worlds But the ideal world is modified slightly to be trivially secure The real world’s security can be defined based on the ideal world Build an algorithm S which works in the ideal world and simulates the behavior of an adversary A which works in the real world If such a simulator exists for all adversaries, then both words will be semantically equivalent (Why?) Equivalence of both worlds means that the real world is as secure as the ideal world which was trivially secure Scheme is defined to be secure if and only if such a simulator exists

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 7 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Simulation-based Deﬁnition

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 7 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? IND-CPA – Simulation-based Deﬁnition

For example, consider the scheme of SE = (K, E, D) In the real world, an adversary A had access to the encryption of Mb and had to guess the value of b

In the ideal world, the encryption of Mb is not provided and hence no knowledge about b might be extracted from it Scheme is secure if a simulator S can be built in the ideal world to simulate the output distribution of A from the real world A simplified definition for the advantage of adversary is $ $ $ b ← {0, 1}, k ← K, Cb ← Ek (Mb) |C | |M | |C | |M | AdvSE (A) = P[A(1 b , Cb, 1 b ) = b] − P[S(1 b , 1 b ) = b] For the complete definition check [simproof] If scheme is secure, there will be an S for each A which makes AdvSE (A) negligibly small

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 8 / 94 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? IND-CPA – Simulation-based Deﬁnition

For example, consider the scheme of SE = (K, E, D) In the real world, an adversary A had access to the encryption of Mb and had to guess the value of b

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 8 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Outline

1 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Cryptography: Deﬁnition and Models Classic Cryptography Cryptanalysis: A Glimpse

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 9 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models What Is Cryptography?

Historically used to explain encryption Goal: protect Conﬁdentiality Converting a plaintext to some ciphertext Adversary must not be able to decrypt the ciphertext Also refers to study of algorithms for authentication of messages Goal: protect Integrity (of what?) Determine who produced some message Identity of the message producer ...or ensure that message is not tampered Integrity of the message independent of its producer’s identity Can be applied on different kinds of messages Stored → e.g., a ﬁle In transit → e.g., a TCP segment

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 10 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Crypto Terms

Encrypt/Decrypt, Encipher/Decipher Converting plaintext to some unintelligible form, ciphertext Sign/Verify Producing some auxiliary information to prove source identity Message Authentication Code (MAC) Producing some auxiliary information to prove message integrity Cryptography/Cryptanalysis Study principles and algorithms for applying/defeating Crypto-methods Cryptology = Cryptography ∪ Cryptanalysis

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 11 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models

Kerckhoff’s principle

A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge.

Borrowed from [40442-971:07-crypto.pdf], page 3 ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 12 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Symmetric Cryptography

Image Ref: https://www.ssl2buy.com/wiki/wp-content/uploads/2015/12/Symmetric-Encryption.png ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 13 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Asymmetric Cryptography

Image Ref: https://www.ssl2buy.com/wiki/wp-content/uploads/2015/12/Asymmetric-Encryption.png ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 14 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Stream vs. Block Ciphers

Stream ciphers can process and encrypt an input stream plaintext bits are converted to ciphertext bits Variable-length inputs can be processed with no delay Block ciphers can process and encrypt a ﬁxed-length input block plaintext needs to be buffered and divided into blocks It might be necessary to pad the plaintext to ﬁll a block size It does not leak the exact length of the plaintext

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 15 / 94 Cryptology: Cryptography and Cryptanalysis Cryptography: Deﬁnition and Models Perfect vs. Computational Secrecy

Computational secrecy is achieved when a computationally bounded adversary cannot break the cryptosystem Asymptotically (for sufﬁciently large input size n) A polynomial time adversary cannot perform 2n computations Concretely An adversary who can perform 10 million decryption per second, needs more than seven years to check 251 different states Perfect secrecy is achieved when an unbounded adversary cannot break the cryptosystem There is not enough information to break it e.g. all possible plaintexts might be encrypted to produce a single ciphertext using different keys Using a bruteforce attack (i.e. by testing all possible keys), adversary can ﬁnd a set of plaintexts and their corresponding keys which could be encrypted to obtain a given ciphertext It is impossible to say which plaintext was really used ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 16 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Outline

1 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Cryptography: Deﬁnition and Models Classic Cryptography Cryptanalysis: A Glimpse

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 17 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Classic Encryption: Based on Substitution (1/2)

Caesar Cipher The n-th letter of the English alphabet is replaced by the letter at (n + k) mod 26 in the alphabet ...can be deﬁned for other alphabets too k is the key

Image Ref: https://en.wikipedia.org/wiki/File:Caesar_cipher_left_shift_of_3.svg ROT13 Rotates alphabet by 13 positions Special case of the Caesar Cipher There is no key Small key space can be bruteforced quickly

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 18 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Classic Encryption: Based on Substitution (2/2)

Vigenère Cipher A poly-alphabetic cipher Several interwoven Caesar ciphers

Mi is shifted in the alphabet by Ki positions EK (M) = (Mi + Ki mod |K |) mod 26 Mono-alphabetic substitution cipher with an alphabet permutation as the key A permutation of the alphabet is selected as the key Each letter of the plaintext is replaced by another letter based on that permutation Key space size → 26! Combine Vigenère idea with an alphabet permutation key

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 19 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Kasiski’s Method

Kasiski’s method can be used to divide a poly-alphabetic cipher into several mono-alphabetic ciphers The key is repeated over and over to encrypt a long plaintext And common words might be repeated in the plaintext If the same word is repeated in plaintext ...at a distance which is divisible by the key length ...its corresponding ciphertexts will be the same too For example, somekeysomekeysomekeysomekey (key) Theletterwasputinsidethejar (plaintext) Lvqpoxrwfiectslwzwshclvqnkv (ciphertext) Finding more repeated words in the ciphertext helps to ﬁnd the exact length of key with fewer trials Reading one letter after every key length letters, provides several mono-alphabetic ciphers

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 20 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Frequency Analysis

Even though letters are substituted by unrelated letters, their usage frequencies are preserved e.g., the e letter is the mostly used letter in the English texts

Image Ref: https://en.wikipedia.org/wiki/File:English_letter_frequency_(alphabetic).svg...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 21 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Classic Encryption: Based on Transposition

Letters of the plaintext are kept unchanged (defeating frequency analysis) ...but their locations are shufﬂed to obtain a permutation of plaintext Rail Fence cipher Write plaintext diagonally to cross imaginary rails and read them line by line. For example, consider the following plaintext W...E...C...R...L...T...E .E.R.D.S.O.E.E.F.E.A.O.C. ..A...I...V...D...E...N.. Ciphertext: WECRL TEERD SOEEF EAOCA IVDEN Skytale Wrap paper around a cylinder and then write the plaintext

Image Red: https://en.wikipedia.org/wiki/File:Skytale.png...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 22 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Modern Encryption: Diffusion and Confusion

Diffusion Statistical properties of the plaintext should be distributed over a long structure. Preferably, all bits of the ciphertext are affected by every single bit of the plaintext uniformly to hinder statistical analysis Avalanche Effect Changing a single bit of plaintext should ﬂip every bit of the ciphertext with 0.5 probability Confusion The relationship of the ciphertext and key must be as convoluted and complicated as possible, hence, an adversary cannot easily restrict the key space Read more details at [Shannon:TheoryOfSecrecy]

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 23 / 94 Cryptology: Cryptography and Cryptanalysis Classic Cryptography Modern Encryption: SPN and Wide Trail Strategy

Use both classic approaches: substitution and permutation Substitution is the non-linear part Hard to model the relationship of input and output of a substitution box (S-Box) Permutation is the linear part Mixes results of different S-Boxes Also called a permutation box (P-Box) Contributes to the diffusion and hinders statistical analysis Substitution–Permutation Network (SPN) A network of several S-Boxes and P-Boxes mixing the plaintext and key bits through several rounds An important factor is the Wide Trail Strategy When parts of input changes, some S-Boxes will become active and parts of the output will be affected It is desirable to have a lot of active S-Boxes for any input modiﬁcation, so the non-linear properties of S-Boxes cannot be restricted easily ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 24 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Outline

1 Cryptology: Cryptography and Cryptanalysis Review: What Does Security Mean? Cryptography: Deﬁnition and Models Classic Cryptography Cryptanalysis: A Glimpse

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 25 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: What Do We Have?

Known Ciphertext Attack (KCA) ...or the Ciphertext-Only Attack (COA) Adversary only knows about some ciphertexts Known Plaintext Attack (KPA) Adversary knows about some leaked pairs of plaintext/ciphertext Chosen Plaintext Attack (CPA) Adversary can select desired plaintexts to be encrypted Adaptive Chosen Plaintext Attack (CPA2) Like CPA, but can query new plaintexts after observing challenges Chosen Ciphertext Attack (CCA) Adversary can select ciphertexts to be decrypted Adaptive Chosen Ciphertext Attack (CCA2) Like CCA, but can query new ciphertexts after observing challenges

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 26 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Bruteforce & Key Length

Bruteforce all possible keys to find out which one is correct An example of the known plaintext attack (KPA) C = EK (M) for some known (M, C) pair When a working K is identified, test it on another (M′, C′) pair to filter out possible false positives If valid plaintexts are distinguishable e.g., Tor cells with the digest header field e.g., some intelligible English words ...adversary just needs a ciphertext to bruteforce keys ...and check whether they are decrypted to some valid plaintext An example of the ciphertext-only attack (COA) For a key K with k bits 0 ≤ K < 2k all keys are not necessarily secure based on the scheme Bruteforce requires 2k checks in the worst case What about the average case? ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 27 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Block Size vs. Key Length

Block ciphers take n-bit blocks mapping them to other n-bit blocks They must be invertible (why?) E : K × {0, 1}n → {0, 1}n There are 2n distinct blocks ...and 2n! distinct permutations A subset of these permutations can be chosen by 2k distinct keys ...both of block size and key length contribute to the cipher’s security e.g., AES algorithm uses 128-bit blocks and a key with 128, 192, or 256 bits

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 28 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Substitution-Permutation Network (SPN)

Substitution Box (S-Box) The non-linear component replacing a sub-block bits Vulnerable to frequency analysis when used alone in classic ciphers Permutation Box (P-Box) The linear component permuting its input bits Can diffuse results of different S-Boxes (helps the wide trail strategy) Repeated in several rounds

Image Ref: https://en.wikipedia.org/wiki/File:SubstitutionPermutationNetwork2.png ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 29 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Linear Analysis (1/4)

Consider a single S-Box with four input/output bits S : {0, 1}4 → {0, 1}4 Mapping X = [X0, X1, X2, X3] input

to some Y = [Y0, Y1, Y2, Y3] output It is desired to approximate this S-Box with a linear formula

e.g., X1 ⊕ X3 = Y0 e.g., X0 ⊕ X2 ⊕ X3 = Y0 ⊕ Y3 Each formula holds true for a subset of 24 distinct (X, Y ) pairs We can construct a table indicating ...for each valid 4-bit X input (24 rows) 8 ...and each formula combining Xi and Yj bits with ⊕ (2 columns) ...whether that formula holds true (zero or one) Each column has enough information to compute the matching probability for one formula

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 30 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Linear Analysis (2/4)

Linear Approximation Table (LAT) Every linear formula of the input bits (24 rows) Every linear formula of the output bits (24 columns) Each cell indicates the probability that corresponding input/output formulas match with each other Select the best linear approximation of the S-Box based on LAT ...and follow its effect through the SPN during a path which has the maximum probability ...until the outputs of the second last round P P P P P ⊕ U = K = Ke i Pi j r,j r j r,j Pi Pi =a linear combination of plaintext bits j Ur,j =a linear combination of input bits of the last round e P P K = r j Kr,j =a linear combination of bits of different round keys

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 31 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Linear Analysis (3/4)

P5 P7 P8

An example of Known Plaintext Attack (KPA) K1,5 K1,7 K1,8 s s Many (P , C ) pairs are known S11 S12 S13 S14 For each possible target subkey 8 2 possible [K5,5,..., K5,8, K5,13,..., K5,16] K ...partially decrypt Cs to obtain outputs of 2,6 4th round and passing them through the S21 S22 S23 S24 s inverse of S-Boxes to obtain U4,j bits ...and check the linear formula P P K3,6 K3,14 Ps ⊕ Us = 0 i i j 4,j S31 S32 S33 S34 matches with >1/2 probability if Ke = 0 matches with <1/2 probability if Ke = 1 Correct target subkey is distinguished K4,6 K4,8 K4,14 K4,16 U4,6 U4,8 U4,14 U4,16 wrong subkeys match by 1/2 probability S41 S42 S43 S44

correct subkey matches by a considerable K5,5 ... K5,8 K5,13 ... K5,16

probability bias Figure 3. Sample Linear Approximation [cryptanalysis-tutorial] . . . Image. . . . Ref:. . Figure. . . . 3. of...... 13 B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 32 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Linear Analysis (4/4)

P P ⊕ Assume that i Pi j Ur,j = 0 holds with p probability ...or the ϵ = |p − 1/2| probability bias calculated based on the LAT probabilities 2 The linear analysis needs some small multiple of NL = 1/ϵ pairs of (Ps, Cs) to succeed If S-Boxes are highly non-linear ...and/or a lot of S-Boxes are activated the ϵ probability bias approaches zero and NL increases Making the attack not so much better than a complete bruteforce Read more details at [cryptanalysis-tutorial]

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 33 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Differential Analysis (1/4)

Consider a single S-Box with four input/output bits S : {0, 1}4 → {0, 1}4 Mapping X = [X0, X1, X2, X3] input

to some Y = [Y0, Y1, Y2, Y3] output For every two distinct inputs, compute their difference vector 1 1 1 1 1 2 2 2 2 2 First/Second inputs: X = [X0 , X1 , X2 , X3 ], X = [X0 , X1 , X2 , X3 ] 1 ⊕ 2 1 ⊕ 2 1 ⊕ 2 1 ⊕ 2 Their difference: ∆X = [X0 X0 , X1 X1 , X2 X2 , X3 X3 ] We can construct a table indicating ...for each valid 4-bit X 1 input (24 rows) ...and each valid 4-bit ∆X (24 columns) which corresponds to an specific X 2 = X 1 ⊕ ∆X per cell ...which outputs (Y 1 and Y 2) are produced corresponding to an specific ∆Y for that cell Each column has enough information to compute the probability that an specific ∆X for S-Box input produces some ∆Y in output ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 34 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Differential Analysis (2/4)

Difference Distribution Table (DDT) Every ∆X input difference (24 rows) Every ∆Y output difference (24 rows) Each cell indicates the probability that corresponding ∆X and ∆Y are mapped together Select the best differential of the S-Box based on DDT ...and follow its effect through the SPN during a path which has the maximum probability ...until the outputs of the second last round The XOR operation cancels the subkey bits effect (X 1 ⊕ K ) ⊕ (X 2 ⊕ K ) = X 1 ⊕ X 2 = ∆X Finally, we obtain one (∆X, ∆U) pair which indicates ...with the maximum probability in respect to other differentials ...plaintexts with ∆X difference ...produce inputs for the last round with ∆U difference ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 35 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Differential Analysis (3/4)

6P = [0000 1011 0000 0000]

An example of Chosen Plaintext Attack (CPA) ′ s s s ⊕ Choose several (P , P = P ∆X) pairs of S11 S12 S13 S14

plaintexts obtaining (Cs, C′s) pairs of ciphertexts For each possible target subkey 8 2 possible [K5,5,..., K5,8, K5,13,..., K5,16] ...partially decrypt Cs and C′s to obtain outputs S21 S22 S23 S24 of 4th round and passing them through the s ′s inverse of S-Boxes to obtain U4,j and U4,j bits ...and check the corresponding differential S31 S32 S33 S34 ∆Us = expected ∆U Correct target subkey is distinguished for correct subkey, differentials match with 6U4,5... 6U4,8 6U4,13... 6U4,16 considerable probability S41 S42 S43 S44

for wrong subkey, differentials match with K5,5 ... K5,8 K5,13 ... K5,16

negligible probability Figure 5. Sample Differential Characteristic Image Ref: Figure 5 of [cryptanalysis-tutorial] ...... 24 B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 36 / 94 Cryptology: Cryptography and Cryptanalysis Cryptanalysis: A Glimpse Cryptanalysis: Differential Analysis (4/4)

It is not required to check all obtained ciphertexts When ∆U indicates that some S-Boxes are not active ...their outputs must be identical If Cs and C′s differ in those output bits, differentials cannot match Assume that ∆X corresponds to ∆U (for the input of the last round) with pD probability

The differential analysis needs some small multiple of ND = 1/pD pairs of (Ps, P′s) plaintexts to succeed If S-Boxes assign low probabilities to different (∆X, ∆Y ) pairs ...and/or a lot of S-Boxes are activated the pD differential probability approaches zero and ND increases Making the attack not so much better than a complete bruteforce Read more details at [cryptanalysis-tutorial]

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 37 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes Stream Ciphers Block Ciphers

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 38 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers Information-Theoretic Perfect Secrecy

Shannon’s Theorem To encrypt message M ...selected from the message space M and obtain ciphertext C with information-theoretic perfect secrecy i.e., there is zero information leakage and an unbounded adversary cannot learn anything about the message by observing its ciphertext

P(M ← M) = P(M ← M|C = E(M))

it is required to have at least as many keys as the |M| Proof to have zero leakage ...observed C must be a valid encryption for every possible M ∈ M Hence, there should be a distinct key ...to map every M to the observed C

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 39 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers One Time Pad (OTP)

Two parties share a very long randomly generated key (with uniform distribution) beforehand To send message M with length m = |M| The next m bits of the key which were not used for any other encryption ...are XORed with the message M

C = M ⊕ K

Achieves information-theoretic perfect secrecy (Why?)

Image Ref: http://www.ranum.com/security/computer_security/papers/otp-faq/otp.jpg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 40 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers Random & Pseudo-Random Numbers

Uniform Random n-bit Number Every n-bit number is chosen with the same probability P(X = x) = 2−n Available entropy: n bits Uniform Pseudo-Random n-bit Number Chosen n-bit numbers looks like uniform random numbers ...but they are not so Might have less entropy ...or might be generated using a deterministic algorithm e.g., select a random key K

Encrypt and output EK (0), EK (1), EK (2),... A computationally-bounded adversary who cannot distinguish output of the encryption function from true random bits without knowing the key accepts generated pseudo-random bits A computationally-unbounded adversary can bruteforce the key, generate the same stream of bits, and distinguish the true random

numbers from the computed numbers ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 41 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers OTP: Pseudo-Random Numbers

Instead of sharing m = |M| bits of key for OTP Share some smaller state S |S| ≪ m And generate a pseudo-random stream of bits using the shared S ...used instead of the OTP key K Since computed K is indistinguishable from random bits Adversary cannot distinguish C = M ⊕ K from random bits The system is as strong as the shared state and pseudo-random number generator used

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 42 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers OTP: Key Reuse

Key reuse breaks the security of OTP completely

Assume that key K is reused to encrypt M1 and M2 ) C1 = M1 ⊕ K =⇒ C1 ⊕ C2 = M1 ⊕ M2 C2 = M2 ⊕ K

It might be easy to recover both of M1 and M2 from M1 ⊕ M2 e.g., guess dictionary words for M1

...compute M2 = M1 ⊕ (M1 ⊕ M2) ...and check whether M2 is intelligible too Search Venona project for a real-world example!

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 43 / 94 Conﬁdentiality-Providing Schemes Stream Ciphers OTP: Malleability

OTP protects conﬁdentiality, but not integrity Flipping any bit from the ciphertext ...ﬂips the corresponding bit from the plaintext Generally, malleable schemes are vulnerable to CCA2

Submit M0 and M1 to challenger and obtain Cb = EK (Mb) Assume that malleability is described using f and g functions

...changing Cb to f (Cb) will change Mb to g(Mb)

Ask decryption oracle to decrypt f (Cb) to obtain g(Mb) Compare g(Mb) with g(M0) and g(M1) to ﬁnd the actual b

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 44 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes Stream Ciphers Block Ciphers

3 Integrity-Providing Schemes

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 45 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Stream vs. Block Cipher

Stream Cipher The plaintext bits are encrypted separately While encrypting the 10th bit, the 15th bit is not known yet e.g., a secret sequence of random bits was generated to be used when the next plaintext bits arrive Block Cipher The plaintext must have some ﬁxed length; called block size If the actual plaintext has less/more bits It must be padded and/or divided into block size units ...based on some Mode of Operation An stream cipher can be built using a block cipher ...as a pseudo-random number generator (PRNG)

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 46 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Data Encryption Standard (DES)

A block cipher standardized in 1977 Block size: 64 bits Key length: 56 bits The key space can be bruteforced Follows the Feistel Network structure with 16 rounds of encryption The key has 64 bits including 8 parity bits (56 bits of entropy) A key scheduler produces 16 round keys from these 56 bits Mitsuru Matsui discovered Linear Cryptanalysis in 1993 ...and could break DES in 1994 using a KPA with 243 complexity

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 47 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Feistel Network

Several identical rounds ...given some round key ...scheduled from the main key Applies round function F on right half ...and XORs results by left half If F is “random enough” its output acts like a pseudo-random encrypting left half like an OTP cipher If F is not “random enough” more rounds can compensate for that weakness F does not need to be invertible

Image Ref: https://en.wikipedia.org/wiki/File:Feistel_cipher_diagram_en.svg...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 48 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Improving DES: Double-DES and Triple-DES

Double-DES The key length of DES is 56 bits Apply DES two times in order to use two keys E E C = K2 ( K1 (M)) Triple-DES The key length of Double DES is 112 bits ...but its security is not more than 257 ...due to the Meet-in-the-Middle (MITM) attack Apply DES three times to achieve 2112 complexity E D E C = K3 ( K2 ( K1 (M))) Nevertheless, Triple-DES cannot resist against a 232 KPA in most modes of operation Due to the Sweet32 attack (discussed later) ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 49 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Meet-in-the-Middle (MITM): Breaking Double-DES

Double-DES E E C = K2 ( K1 (M)) For some known (M, C) pair E Compute and store S = (K1, K1 (M)) for all K1 ′ Compute and store S = (K2, DK (C)) for all K2 2 ′ For true (K1, K2) pair, we have S = S ′ Compare sets of S and S to ﬁnd candidate (K1, K2) pairs Test with another known (M, C) pair to detect false positives A trade-off between the time-complexity (k = |K1| = |K2|) reduced from O(22k ) ≈ 2112 to O(2k ) ≈ 257 and the memory-complexity increased from O(1) to O(2k ) ≈ 257 Why does Triple-DES achieve 112 bits of security? ...in front of the MITM attack ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 50 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Advanced Encryption Standard (AES)

Selected by NIST as the replacement of DES A contest (1997–1999) 15 candidate algorithms for the first round 5 finalist algorithms RC6, Mars, Twofish, Rijndael, etc. Rijndael won the competition by Vincent Rijmen and Joan Daemen AES uses the SPN structure Block size: 128 bits Key length: 128, 192, or 256 bits Number of rounds: 10, 12, or 14 Specifically designed to resist linear and differential cryptanalysis Considers 128-bit input as a 4x4 matrix of bytes Supported by modern CPUs for extra hardware-aided performance AES New Instructions (AES-NI) ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 51 / 94 Confidentiality-Providing Schemes Block Ciphers AES Algorithm: A Glimpse (1/5)

Image Ref: https://en.wikipedia.org/wiki/File:AES-AddRoundKey.svg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 52 / 94 Conﬁdentiality-Providing Schemes Block Ciphers AES Algorithm: A Glimpse (2/5)

Image Ref: https://en.wikipedia.org/wiki/File:AES-SubBytes.svg

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 53 / 94 Conﬁdentiality-Providing Schemes Block Ciphers AES Algorithm: A Glimpse (3/5)

Image Ref: https://en.wikipedia.org/wiki/File:AES-ShiftRows.svg

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 54 / 94 Conﬁdentiality-Providing Schemes Block Ciphers AES Algorithm: A Glimpse (4/5)

Image Ref: https://en.wikipedia.org/wiki/File:AES-MixColumns.svg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 55 / 94 Conﬁdentiality-Providing Schemes Block Ciphers AES Algorithm: A Glimpse (5/5)

Left Image Ref: https://www.cs.mcgill.ca/~kaleigh/computers/images/rijnconv.gif Right Image Ref: http://developer.amd.com/wordpress/media/2013/01/AES_Fig_1.jpg

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 56 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Secure Block Cipher In The Standard Model

Consider a block cipher such as E : K × {0, 1}n → {0, 1}n Since E is deterministic, as an example, it is not IND-CPA2 secure Reminder: Challenger selects b ← {0, 1} and K ← {0, 1}k uniformly at random Adversary has oracle access to EK (.) ...can choose plaintexts and receive their corresponding ciphertexts Adversary sends arbitrary M0 and M1 Challenger returns Cb = EK (Mb) Adversary can continue sending plaintexts and getting ciphertexts Adversary sends her guess about b E is deﬁned to be secure if and only if it is a pseudo-random permutation (PRP) That is, a computationally-bounded adversary with oracle access to

either block cipher EK (.) itself or some true random permutation π ...cannot distinguish them from each other ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 57 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Mode Of Operation: How To Encrypt N Blocks

Assume that E : K × {0, 1}n → {0, 1}n is a secure block cipher based on some security deﬁnition e.g., it is a PRP in the Standard Model Using E to encrypt N blocks improperly might compromise the overall security e.g., under chosen plaintext attack (CPA) E cannot be distinguished from a randomly chosen permutation it is PRP but when used to encrypt multiple messages

Adversary can ﬁrst query C0 = EK (M0) ...then select and submit M0 and M1 ...and compare C0 with Cb It is the duty of the mode of operation to build a secure scheme with semantic security given some secure block cipher in the standard model ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 58 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Mode Of Operation: Electronic Codebook (ECB)

Each block is encrypted independently (vulnerable to frequency analysis) Mi = Mj ⇐⇒ Ci = Cj

Image Ref: https://en.wikipedia.org/wiki/File:ECB_encryption.svg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 59 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Mode Of Operation: Cipher Block Chaining (CBC)

Output of each block is mixed with the input of the next block Needs a random unpredictable initialization vector (IV)

Image Ref: https://en.wikipedia.org/wiki/File:CBC_encryption.svg

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 60 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Insecurity Of ECB For Repeated Messages

Left (Plain) Image Ref: https://commons.wikimedia.org/wiki/File:Tux.png Middle (ECB Encrypted) Image Ref: https://github.com/pakesson/diy-ecb-penguin Right (CBC Encrypted) Image Ref: https://github.com/pakesson/diy-ecb-penguin

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 61 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Mode Of Operation: Counter (CTR) A non-repeating/unique nonce is required A counter can be used, but it can be chosen randomly too Just uses the encryption block (even for decryption) For each plaintext block, corresponding nonce is encrypted ...and plaintext is XORed with the encrypted nonce

https://en.wikipedia.org/wiki/File:CTR_encryption_2.svg Image Ref: ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 62 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Initialization Vector (IV) vs. Nonce

For each scheme, take care to ﬁnd out whether an IV is required ...which must be unpredictable and unique or a nonce is enough ...which just requires to be unique e.g., the CBC mode requires an IV using it with a predictable unique nonce (such as a counter) is insecure some documents suggest using a predictable IV and ﬁx this issue by using EK (IV ) as the actual unpredictable IV This suggestion only works for two distinct randomly chosen keys Otherwise, observing ciphertext blocks leaks future IVs (How?)

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 63 / 94 Conﬁdentiality-Providing Schemes Block Ciphers

Performance: Crypto++ 5.6.0 [ Wei Dai ]

Intel Core 2 (on Windows Vista)

Cipher Block/key size Speed (MB/sec) RC4 126 Salsa20/12 643 3DES 64/168 10 AES/GCM 128/128 102

AES is about 8x faster with AES-NI : Intel Westmere and onwards

Borrowed from [40442-971:07-crypto.pdf], page 22 ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 64 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Birthday Paradox

For q randomly chosen persons with birthdays B1, B2,..., Bq Assume that Bi might refer to any day in a year with 365 days 1 ...with equal probability 365 (this is not true in reality) What is the probability p that Bi = Bj for two 1 ≤ i, j ≤ q? Intuitively, the probability should be small But for q = 23, the probability reaches to p = 50.7% ...and for q = 70, the probability reaches to p = 99.9% hence, the paradox!

p: Probability of having some collision among B1, B2,..., Bq

p: Probability of having no collision among B1, B2,..., Bq

365 364 365 − (q − 1) 365! p = 1 − p = 1 − . . ··· . = 1 − 365 365 365 (365 − q)!365q

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 65 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Birthday Attack – Finding A Collision

Select q numbers x1, x2,..., xq uniformly at random ...from a set of N numbers {a1, a2,..., aN } How many numbers (q) must be selected to observe a collision 1 with 2 probability? N N − 1 N − (q − 1) p = 1 − . . ··· . N N N 1 2 q − 1 = 1 − (1 − )(1 − ) ··· (1 − ) N N N ≃ 1 − e−1/N e−2/N ··· e−(q−1)/N

2 1 = 1 − e−q(q−1)/2N ≃ 1 − e−q /2N ≥ 2 p √ 2 1 =⇒ e−q /2N ≤ =⇒ q ≥ 2 ln(2)N ≃ 1.18 N 2

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 66 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Birthday Problem – Ciphertext-Only Attack Example

e.g., EK (.) block cipher is used in CBC mode to encrypt q blocks Produced ciphertext blocks are like xi randomly chosen numbers If there are N possible distinct ciphertext blocks 1 There will√ be at least one collision with 2 probability after observing around N ciphertexts Ci = EK (Mi ⊕ √Ci−1) = Cj = EK (Mj ⊕ Cj−1) for some 1 ≤ i, j ≤ q ≃ N =⇒ Mi ⊕ Ci−1 = Mj ⊕ Cj−1 =⇒ Mi ⊕ Mj = Ci−1 ⊕ Cj−1 Using CBC√ mode of operation with an ideal block cipher to encrypt more than N blocks leaks plaintext messages For n-bit input/output block sizes There are√N = 2n distinct block values At most N = 2n/2 blocks can be encrypted securely

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 67 / 94 Conﬁdentiality-Providing Schemes Block Ciphers Sweet32 Attack

Although Triple DES requires 2112 operations for MITM attack ...but it uses 64-bit blocks ...so it is broken after observing 232 ciphertext blocks 32 64 Encrypting 2 8 = 32GiB using a single key

Attack Logo Ref: https://sweet32.info/sweet32.svg

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 68 / 94 Integrity-Providing Schemes Using Block Ciphers Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes Using Block Ciphers Using Hash Functions

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 69 / 94 Integrity-Providing Schemes Using Block Ciphers Message Authentication Code (MAC)

Compute a tag T for some given message M Easy to compute having a key K Hard to forge without the key K Protects message integrity Adversary can observe the plaintext message M Conﬁdentiality is not a goal But cannot modify M without being detected

T = MACK (M) Store or transmit the (M, T ) pair If multiple parties share a key They can verify that one of them has computed the tag Authenticity of the Message Contents But cannot ﬁnd out the original message producer Cannot Verify Authenticity of the Message Source

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 70 / 94 Integrity-Providing Schemes Using Block Ciphers MAC Using A Block Cipher: CBC Mode

Encrypt the given message M in CBC mode using EK (.) Use the last ciphertext block as the MAC of M It depends on all blocks of M What about the IV? In contrast to CBC mode for confidentiality, the IV must be fixed! EIV If MAC of message M was defined as (IV , T ) for some T = K (M) Adversary knows (IV , T ) pair for some message M with one block ′ ′ E IV ⊕M⊕M ′ ...now, can compute MAC of any other block M (T = K (M )) What about the message length? CBC-MAC is only secure when the length of M is fixed

Having MAC for T = EK (M1, M2,..., Mq ) and ′ ′ ′ ′ T = EK (M1, M2,..., Mq ) ...adversary can compute MAC of their concatenation with one modiﬁed block (length-extension attack)

′ ′ ′ ′ T = EK (M1, M2,..., Mq , T ⊕ M1, M2,..., Mq ) ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 71 / 94 Integrity-Providing Schemes Using Block Ciphers CBC-MAC For Variable-Length Messages

Instead of using the last ciphertext block directly Encrypt it with another key to produce MAC value Since MAC is computed by a separate key ...it cannot be mixed by other ciphertext blocks Note: All other ciphertext blocks must be kept secret ...or an adversary can concatenate corresponding plaintexts just like the length-extension attack

Image Ref: https://en.wikipedia.org/wiki/File:CBC-MAC_(encrypt_last_block)_structure.svg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 72 / 94 Integrity-Providing Schemes Using Hash Functions Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes Using Block Ciphers Using Hash Functions

4 Full Fledged Schemes

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 73 / 94 Integrity-Providing Schemes Using Hash Functions Cryptographically Secure Hash Function: Syntax

A hash function family H : K × M → {0, 1}n indexed using a key K ∈ K key is known by adversary (also called an IV) compresses messages such as M ∈ M which can be strings with arbitrary lengths e.g., M ∈ {0, 1}m for some m > 0 in order to produce a ﬁxed-length digest n is called the hash length of H Example hash functions Based on the Merkle–Damgård structure MD5 (n = 128) SHA-1 (n = 160) SHA-2 (n = 224, 256, 384, or 512) Based on the Sponge structure SHA-3 (arbitrary length; standardized for n = 224, 256, 384, or 512)

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 74 / 94 Integrity-Providing Schemes Using Hash Functions Cryptographically Secure Hash Function: Semantics

Pre-Image Resistance Given any hash output (image), it should be computationally infeasible to find a corresponding{ hash input (pre-image}) ePre ←$ K ←$ AdvH (A) = max Pr[K ; M A(K ): HK (M) = Y ] Y ∈{0,1}n Second Pre-Image Resistance Given any hash (input, output) pair, it should be computationally infeasible to find another hash input (second pre-image) producing the same output { } eSec[m] $ ′ $ ′ ′ Adv (A) = max Pr[K ← K; M ← A(K ): (M ≠ M ) ∧ (HK (M) = HK (M ))] H M∈{0,1}m Collision Resistance It should be computationally infeasible for an adversary A to find two hash inputs with the same hash value Coll ←$ K ′ ←$ ̸ ′ ∧ ′ AdvH (A) = Pr[K ;(M, M ) A(K ): (M = M ) (HK (M) = HK (M ))] ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 75 / 94 Integrity-Providing Schemes Using Hash Functions CSHF Properties – Use Cases

Collision Resistance Signing the hash of some message If adversary can find two messages with the same hash value Bahram might sign a good contract and be sued over a bad contract Second Pre-Image Resistance Azadeh has sent an email M and signed its hash value If adversary can find another M′ mapped to the same hash value Email M can be replaced by M′ without invalidating its signature Pre-Image Resistance Hash of some password is stored in a database Stored hash values are compromised (e.g., by an SQLi vulnerability) If adversary can find a corresponding pre-image, she can login Is it safe to store pre-image resistant hash of passwords? Rainbow Table Attack What about hashing a salted password?

Dictionary Attack... use a “slow” function such. . . as. . . PBKDF2...... or. . Argon2...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 76 / 94 Integrity-Providing Schemes Using Hash Functions

SHA-256: Merkle-Damgard

m[0] m[1] m[2] m[3]

H(m) IV h h h h

h(t, m[i]): compression function Thm 1: if h is collision resistant then so is H “Thm 2”: if h is a PRF then HMAC is a PRF

Borrowed from [40442-971:07-crypto.pdf], page 28 ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 77 / 94 Integrity-Providing Schemes Using Hash Functions SHA-3 (Keccak): Sponge Construction State is initialized to zero containing r bits, namely rate, and c bits, namely capacity In several rounds, message blocks are absorbed XORed by the r part; then, state is updated by a round function f Afterwards, secret state depends on whole of the input message ...several squeezing rounds follow Providing r bits as the output of each round Capacity bits are kept secret (mitigating length extension attacks)

Image Ref: https://en.wikipedia.org/wiki/File:SpongeConstruction.svg...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 78 / 94 Integrity-Providing Schemes Using Hash Functions HMAC: Hash-Based MAC

A cryptographically secure hash function H is used ...as a black-box (i.e., with no modiﬁcation) ...using some key K chosen uniformly at random ...to build a secure MAC The underlying compression function of H is shown as h c is the internal state size (e.g., 160 bits for SHA-1) b is the message block size (e.g., 512 bits) Message M is padded to occupy a multiple of block size b and then processed to update the internal hash function state (s[0], s[1],..., s[n]) by applying h iteratively (s[0] = IV )

h : {0, 1}c × {0, 1}b → {0, 1}c

HMAC needs two keys (Kout , Kin) ...which are obtained from a main key chosen uniformly at random

Kout = K ⊕ opad, Kin = K ⊕ ipad, HMAC-1(K , M; H) = H ((K ⊕ opad)||H((K ⊕ ipad)||M)) ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 79 / 94 Integrity-Providing Schemes Using Hash Functions Secure MAC

A message authentication code (MAC) is secure if any only if ...it is a pseudo-random function (PRF) That is, a computationally-bounded adversary with oracle access to

either MACK (.) itself or some true random function f ...cannot distinguish them from each other Why is a PRF considered to be a secure MAC? ...for a randomly chosen function each input may be mapped to each output with equal probability ...tags are unforgeable without key Theorem: if the underlying compression function h of an iterated H hash function H is a PRF, then HMACK (.) is a PRF too

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 80 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Authenticated Encryption With Associated Data (AEAD)

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 81 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Combining Two Encryption & Authentication Primitives

Protect both of conﬁdentiality and integrity E ...using an encryption scheme to protect conﬁdentiality; K1 (.)

...and a MAC scheme to protect integrity; MACK2 (.) of the message contents How to combine these two schemes? 1 Encrypt-Then-Authenticate or Encrypt-Then-MAC 2 Authenticate-Then-Encrypt or MAC-Then-Encrypt 3 Encrypt-And-Authenticate or Encrypt-And-MAC

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 82 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Encrypt-Then-MAC

First encrypt the plaintext M And then, authenticate the obtained ciphertext C

E C = K1 (M)

T = MACK2 (C) Transmit(C||T )

Most secure option Encryption protects conﬁdentiality And MAC cannot leak any information about the plaintext ...as it is computed over the public ciphertext Also MAC protects integrity of ciphertext ...in addition to plaintext which is protected indirectly Helpful to achieve IND-CCA2 by prohibiting ciphertext malleability Example usage: IPSec ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 83 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives MAC-Then-Encrypt

First authenticate the plaintext M And then, encrypt the authenticated message

T = MACK2 (M) E || C = K1 (M T ) Transmit(C)

Secure for certain combinations of encryption/MAC algorithms It is impossible to ﬁlter out altered ciphertexts before decryption Integrity of plaintext is protected by the MAC Conﬁdentiality of plaintext and its tag are protected by encryption Example usage: TLS v1.2 ...replaced by AEAD (discussed later) in TLS v1.3

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 84 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Encrypt-And-MAC

First authenticate the plaintext M But then, encrypt the plaintext alone

T = MACK2 (M) E C = K1 (M) Transmit(C||T )

Tricky to make it secure! Protects integrity of the plaintext, but not the ciphertext Might be vulnerable in CCA scenarios Unencrypted MAC might leak information about the plaintext Repeated messages =⇒ Same tags ...needs proper encoding of the message (e.g., including a large-enough sequence number) Example usage: SSH ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 85 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Padding Oracle

An example in support of the Encrypt-Then-MAC scheme Assume that an adversary can submit forged ciphertext C in order to ﬁnd out that either it could be decrypted with no error or more likely there was no corresponding valid message M e.g., when the MAC computed over message M is invalid or a padding error has occurred Message M should be padded ﬁrst to obtain M||P The padded message containing a multiple of the required block size is then encrypted. A forged ciphertext C does not decrypt to a properly padded message necessarily. The oracle which informs adversary whether some given ciphertext C corresponds to a properly padded message is called a padding oracle

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 86 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Recall: Decryption In CBC Mode Of Operation

Encrypting the padded message M which has N blocks ...using some randomly chosen unpredictable IV

M = M1||M2||M3|| · · · ||MN

C = C0||C1||C2||C3|| · · · ||CN , C0 = IV

Ci = EK (Mi ⊕ Ci−1)

Mi = DK (Ci ) ⊕ Ci−1

Image Ref: https://en.wikipedia.org/wiki/File:CBC_decryption.svg ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 87 / 94 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Padding Oracle Attack

Message M needs p extra bytes to occupy a multiple of block size For p = 0, a complete padding block is used (why?) The p extra padding bytes are ﬁlled by the encoded p number for ease of unpadding process (valid paddings are 1 or 2, 2 or 3, 3, 3 and so on)

Changing the last byte of CN−1 alters the last byte of MN ′ Bruteforce all 256 bytes for the last byte of CN−1 ...it makes a proper padding for byte 1 ′ ...or byte x if all the previous x bytes of MN contain byte x too ′ Test both conditions and bruteforce the second last byte of CN−1 ′ Two last bytes of MN are controlled ...if both are changed to byte 2, padding is valid ...the scenario of x bytes containing the byte x is ﬁltered out (how?) ′ Adversary can unambiguously control the last two bytes of MN ′ ...continue byte by byte to obtain complete control of MN D ′ ⊕ ′ i.e., all output bytes of K (CN ) = CN−1 MN are determined ...compute the real MN = DK (CN ) ⊕ CN−1 (and previous blocks similarly) ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 88 / 94 Full Fledged Schemes Authenticated Encryption With Associated Data (AEAD) Outline

1 Cryptology: Cryptography and Cryptanalysis

2 Conﬁdentiality-Providing Schemes

3 Integrity-Providing Schemes

4 Full Fledged Schemes Combining Two Encryption & Authentication Primitives Authenticated Encryption With Associated Data (AEAD)

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 89 / 94 Full Fledged Schemes Authenticated Encryption With Associated Data (AEAD) Authenticated Encryption With Associated Data

Authenticated encryption (AE) is a mode of operation ...which protects both of conﬁdentiality and integrity simultaneously can use ideas of previous section internally ...simpler to use because relationship of used primitives is designed properly and made transparent to the scheme’s user AE with associated data (AEAD) is an AE scheme which allows extra associated data to be authenticated without being encrypted ...useful for scenarios that associated data needs no conﬁdentiality e.g., source/destination IP addresses are not encrypted, so packet can be routed normally, but are desired to be authenticated similar to the payload which must be both authenticated and encrypted

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 90 / 94 Full Fledged Schemes Authenticated Encryption With Associated Data (AEAD)

OCB offset codebook mode More efficient authenticated encryption

m[0] m[1] m[2] m[3] checksum

P(N,k,0) ⊕ P(N,k,1) ⊕ P(N,k,2) ⊕ P(N,k,3) ⊕ P(N,k,0) ⊕

E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)

P(N,k,0) ⊕ P(N,k,1) ⊕ P(N,k,2) ⊕ P(N,k,3) ⊕ auth ⊕

c[0] c[1] c[2] c[3] c[4]

Rogaway, …

Borrowed from [40442-971:07-crypto.pdf], page 33 ...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 91 / 94 Full Fledged Schemes Authenticated Encryption With Associated Data (AEAD) Galois/Counter Mode (GCM)

An AEAD block cipher mode of operation Used IV is indeed a nonce Only uniqueness is important Authentication key H is computed based on the encryption key K

Image Ref: https://en.wikipedia.org/wiki/File:GCM-Galois_Counter_Mode_with_IV.svg...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 92 / 94 References and Further Reading Bibliography References and Further Reading (1/2)

[40442-971:07-crypto.pdf] Mehdi Kharrazi, “CE 442/Computer and Network Security – Lecture 7 - Cryptography Overview,” Sharif University of Technology, Online: http://sharif.edu/~kharrazi/courses/40442-971/07-crypto.pdf, 2018 [simproof] Yehuda Lindell, “How To Simulate It – A Tutorial on the Simulation Proof Technique,” Cryptology ePrint Archive, Online: https://eprint.iacr.org/2016/046.pdf, 2016 [Shannon:TheoryOfSecrecy] Claude E. Shannon, “Communication Theory of Secrecy Systems,” Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, Online: netlab.cs.ucla.edu/wiki/files/shannon1949.pdf, 1949 [cryptanalysis-tutorial] Howard M. Heys, “A Tutorial on Linear and Differential Cryptanalysis,” Cryptologia, vol. 26, no. 3, pp. 189–221, Online: www.cs.bc.edu/~straubin/crypto2017/heys.pdf, 2002

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 93 / 94 References and Further Reading Bibliography References and Further Reading (2/2)

[hashfunctions] Phillip Rogaway and Thomas Shrimpton, “Cryptographic hash-function basics: Deﬁnitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance,” International workshop on fast software encryption, pp. 371–388, Online: http://web.cs.ucdavis.edu/~rogaway/papers/relates.pdf, 2004 [hmacsecurity] Mihir Bellare, “New proofs for NMAC and HMAC: Security without collision-resistance,” Annual International Cryptology Conference, pp. 602–619, Online: http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html, 2006 [GCM] Morris Dworkin, “SP 800-38D – Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC,” National Institute of Standards & Technology (NIST), Online: https://csrc.nist.gov/publications/detail/sp/800-38d/final, 2007

...... B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 94 / 94