Upload
cael
View
14
Download
1
Embed Size (px)
DESCRIPTION
CMSC 414 Computer and Network Security Lecture 4. Jonathan Katz. One-time pad. The one-time pad achieves perfect secrecy But, it has a number of drawbacks Key size equal to message size Can only be used once Insecure under chosen-plaintext attack - PowerPoint PPT Presentation
Citation preview
CMSC 414Computer and Network Security
Lecture 4
Jonathan Katz
One-time pad
The one-time pad achieves perfect secrecy
But, it has a number of drawbacks– Key size equal to message size– Can only be used once– Insecure under chosen-plaintext attack
Unfortunately, these drawbacks are inherent if we want perfect secrecy
A weaker security guarantee
Instead of requiring that no adversary can learn anything about the plaintext…
…require that no adversary running in a “reasonable amount of time” can learn anything about the plaintext except with “very small probability”– “Reasonable time” = 106 years– “Very small probability” = 2-64
– Computational security
A simpler characterization
Equivalent to the following, simpler definition:– Given a ciphertext C which is known to be an
encryption of either M0 or M1, no adversary running in a reasonable amount of time can guess correctly which message was encrypted with probability significantly better than ½.
The take-home message
Weakening the definition slightly allows us to construct much more efficient schemes!
Strictly speaking, no longer 100% absolutely guaranteed to be secure– Security of encryption now depends on security
of building blocks (which are analyzed extensively, and are assumed to be secure)
– Given enough time, the scheme can be broken
Attacks
As always, we can couple our security notion with a variety of attacks– Ciphertext only– Known plaintext– Chosen plaintext– Chosen ciphertext (includes chosen plaintext
attacks)
Attacks…
The default standard is security against chosen-plaintext attacks
Security against chosen-ciphertext attacks is increasingly required
Note that the one-time pad is insecure even against known-plaintext attack
Randomized encryption
To be secure against chosen-plaintext attack, encryption must be randomized– We will see later how this comes into play
Moral: always use randomized encryption!
Block ciphers
Keyed permutation; input/output length
Large key space
Modeled as a (family of) random permutations…
Example – “trivial” encryption:– C = FK(m)
– This is not randomized…
Modes of encryption
ECB– Ci = FK(mi)
CBC– Ci = FK(mi Ci-1)
OFB (stream cipher mode)– zi = FK(zi-1); Ci = zi mi
CFB (stream cipher mode)– zi = FK(Ci-1); Ci = zi mi
Security?
All previous modes (except ECB) are secure against chosen-plaintext attacks– ECB is deterministic…