CMSC 414
Computer (and Network) Security
Lecture 5
Jonathan Katz
Attacks
 Ciphertext only
 Known plaintext
 Chosen plaintext
 Chosen ciphertext (includes chosen
plaintext attacks)
Randomized encryption
 To be secure against chosen-plaintext
attack, encryption must be randomized
– We will see later how this comes into play
Block ciphers
 Keyed (invertible) permutation;
input/output length
 Large key space; large input/output length
– Both are critical
 Modeled as a (family of) random
permutations…
A possible encryption scheme
 Example – “trivial” encryption:
– C = FK(m)
– This is not randomized…
An improved scheme
 <r, FK(r)  m >
 Is this secure…?
 What about for longer messages?
Modes of encryption
 ECB
– Ci = FK(mi)
 CBC
– Ci = FK(mi  Ci-1)
 OFB (stream cipher mode)
– zi = FK(zi-1); Ci = zi  mi
 CFB (stream cipher mode)
– zi = FK(Ci-1); Ci = zi  mi
Security?
 All previous modes (except ECB) are
secure against chosen-plaintext attacks
 None of these modes are secure against
chosen-ciphertext attacks
Data Encryption Standard (DES)
 Developed in 1977 by NBS
 56-bit key, 64-bit input/output
– A 64-bit key is derived from 56 random bits
– One bit in each octet is a parity-check bit
– The “short” key length is a major concern…
DES: High-level description
 Encryption proceeds in a sequence of 16
rounds
 Each round uses a 48-bit key (derived from
the main key), acts on a 64-bit input, and
produces a 64-bit output
DES: High-level description
 Each round proceeds as follows:
– Input is divided into (L, R)
– L’ = R
– R’ = L  F(K, R), where K is the round key
– F is a non-invertible function!
• But we will see that decryption is still possible
– (L’, R’) is then permuted in some fixed way to
give the output at that round
3-DES
 Expands the key length
 Now, key K = (K1, K2); |K| = 112
 The “new” block cipher is just:
– EK1,K2(m) = DESK1(DES-1K2(DESK1(m)))
 This is a permutation, and invertible…
Concerns about DES
 Short key length
– DES “cracker”, built for $250K, can break DES
in days
– Distributing the computation makes it faster
 Some (theoretical) attacks have been found
 Non-public design process
 3-DES is fairly slow
AES
 Public contest sponsored by NIST in ’97
– Narrowed to 5 finalists
– 4 years of intense analysis
 Efficiency and security taken into account
 128-bit key length and 128-bit block size
(minimum)
 Rijndael selected as the AES
– Supports variety of block/key sizes
Other ciphers?
 IDEA
 RC4
 No compelling reason to use anything other
than AES, in general
– Unless (possibly) you have very specific
performance requirements
– Even then, think twice
Public-key encryption (PKE)
Why PKE?
 Problem with private-key encryption is the
need to securely share keys
 PKE allows users to publish their public key
widely
– only need to keep their private key secret
 Development of PKE was a huge advance
– All classical systems, for 1000 years, were
symmetric-key based
Some basic number theory
 Modular arithmetic: Zp, ZN
 Euclidean gcd algorithm, inverses, Z*N
 Efficient modular exponentiation
 Groups, order, (N), Fermat’s theorem
 Primality testing