Engineering Cryptographic Applications
Day 2: Using (and Misusing) Symmetric Ciphers
David Evans
University of Virginia
www.cs.virginia.edu/evans
Microstrategy Course
11 October 2013
Recap: Symmetric Encryption

[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]

Correctness property: for all possible messages m, D(E(m)) = m

Security property: given c = E(m), it is “hard” to learn anything
interesting about m.
“hard” = if correctly implemented and used, even the NSA can’t do
it unless they have made dozens of theoretical breakthroughs or
have energy comparable to trillions of massive nuclear explosions
evans@virginia.edu
Engineering Crypto Applications
Today: Using Symmetric Encryption

[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]

1. How to generate a good (unpredictable) key: randomness
2. How to use symmetric encryption to do more interesting things than
   just send one block: building an encrypted file server
Generating Randomness
Which is random?

Sequence A          Sequence B
0101100001111       0101101001101
0110000111011       0110000111011
1010000000011       1010100010011
1011000000011       1011000100011
1011011001011       1011011001011
1110011011110       0110011011010
0100000111000       0100100111001
0001110111000       0001110111001
0000111010100       0000111010100
1000101000001       1000101010001

Answer: Sequence A is C1 from the Puzzle Challenge (message
Crypto.Random); Sequence B is C1 with the sequences of 5 or more
repeated symbols modified.
Which is random?

[Images: output of random.org (atmospheric noise) beside output of
PHP rand() (on Windows)]

Which should you use to generate cryptographic keys?

Source of images: http://boallen.com/random-numbers.html
Defining Non-Randomness

If you can find any predictable patterns in the sequence, it is
definitely not random.

“I shall not today attempt further to define the kinds of material I
understand to be embraced within that shorthand description; and
perhaps I could never succeed in intelligibly doing so. But I know it
when I see it, and the motion picture involved in this case is not
that.”
Supreme Court Justice Potter Stewart (on pornography)
Defining Randomness

Andrey Kolmogorov (1903-1987)
“He was to probability theory what Euclid was to geometry.” (Peter Lax)

For a sequence s, its Kolmogorov Complexity K(s) = the length of the
shortest description of s.
A sequence s is random if K(s) = |s| + C.
(This is a somewhat informal version. A real definition would need to
be more careful about stating this asymptotically.)
Kolmogorov Complexities

s = 000000000000000…
description = “N repeated 0s”
K(s) = log |s| + C1 < |s| + C

t = 010011000111000011110000011111…
description =
“t = ""; int i, j;
for (i = 1; i < N; i++) {
  for (j = 0; j < i; j++) t += '0';
  for (j = 0; j < i; j++) t += '1'; }”
K(t) = log |t| + C2 < |t| + C
Kolmogorov Complexities

r = 010110000111101100001110111010000000011101
100000001110110110010111110011011110010000011
100000011101110000000111010100100010100000101
000010011101110111111110011000101…

description =
“from Crypto.Random import random
def random_sequence(n):
    return map(lambda x: random.choice([0, 1]), range(n))”
and the state of the random module (and any entropy added during
generation)

Hmmm…maybe the answer from the earlier slide was wrong!
If your mind isn’t blown yet…

What is the smallest natural number that cannot be described in
eleven words?

“The(1) smallest(2) natural(3) number(4) that(5) cannot(6) be(7)
described(8) in(9) eleven(10) words(11).”
Randomness is Essential
• Kolmogorov provides a definition of randomness but not a “useful”
  one: computing K(s) for an arbitrary s is undecidable (not just
  hard, theoretically impossible)
• Impossible for a program to generate true randomness: a program can
  generate a sequence much longer than itself, so the program is a
  short description of that sequence
• There are physical sources of randomness (or near randomness):
  quantum events, radioactive decay, thermal noise, lava lamps, key
  presses
Amplifying Physical Randomness

Pseudo-Random Number Generator:
k = f(physical randomness)
[Diagram: counter values 0, 1, 2, 3, … each encrypted with AES under k;
output_i = AES_k(i)]
Every once in a while, compute a new k using new physical randomness.
NIST SP 800-90: Recommendation for Random Number Generation Using
Deterministic Random Bit Generators (2006)
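The construction on the previous slide (seed k from physical randomness, run AES over a counter, reseed every once in a while) is what SP 800-90A standardises as CTR_DRBG. The example below is added here and is not part of the original slides: it implements the sibling HMAC_DRBG from the same document, with HMAC-SHA-256 in place of AES, so that it runs on the Python standard library alone. The tiny reseed interval, the constructed 32-byte seed and the helper names derive_key_from_seed and fresh_key are assumptions for the demo.

```python
"""HMAC_DRBG (NIST SP 800-90A, section 10.1.2) in standard-library Python.
Added example, not from the original slides; constants are illustrative."""
import hashlib
import hmac
import os

_OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    # SP 800-90A allows 2**48 generate calls between reseeds; a tiny value
    # makes the "every once in a while, compute a new k" step visible.
    RESEED_INTERVAL = 1000

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < 32:
            raise ValueError("need at least 32 bytes (256 bits) of seed entropy")
        self.K = b"\x00" * _OUTLEN
        self.V = b"\x01" * _OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into (K, V)
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if provided:
            self.K = self._hmac(self.V + b"\x01" + provided)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        """Mix fresh physical randomness into the state (the slide's new k)."""
        if len(entropy) < 32:
            raise ValueError("need at least 32 bytes of fresh entropy")
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional: bytes = b"") -> bytes:
        """Produce nbytes of output; refuses to run past the reseed interval."""
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before generating more output")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:nbytes]


def derive_key_from_seed(seed: bytes, nbytes: int = 16) -> bytes:
    """Deterministic: the same seed always yields the same key bytes, which
    is exactly why the seed must come from a real physical source."""
    return HmacDrbg(seed).generate(nbytes)


def fresh_key(nbytes: int = 16) -> bytes:
    """What an application should do: seed from the OS entropy pool."""
    return HmacDrbg(os.urandom(32)).generate(nbytes)


if __name__ == "__main__":
    fixed_seed = bytes(range(32))  # constructed seed, NOT a real entropy source
    print(derive_key_from_seed(fixed_seed).hex())
    print(fresh_key().hex())
```

The generator is only as unpredictable as its seed: derive_key_from_seed shows that a guessable seed gives a guessable key, and fresh_key shows the one correct way to seed in application code.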
Dual-EC PRNG

P and Q are points on an elliptic curve.
s_0 ← physical randomness
Update internal state: s_{i+1} = φ(s_i P)
Generate output bits: r_i = φ(s_i Q)
(φ(point) = the point’s x-coordinate; the output is r_i with its 16
most significant bits discarded)
Elliptic Curves

y² = x³ – 7 (mod p)
Discrete values: x and y are integers!

Addition: P + Q = negate the third intersection of the curve with the
line through P and Q
[Diagram: points P, Q and P+Q on the curve]
Multiplication: repeated addition, kP = P + P + … + P

Elliptic curve discrete logarithm problem: given points P and Q on an
elliptic curve, it is hard to find an integer k such that Q = kP.

Elliptic curves are primarily used in asymmetric crypto – but also in
Dual EC PRNG.
Curve Used by Dual-EC PRNG

NIST P-256: y² = x³ + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291

Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower
than strong PRNGs built using symmetric ciphers.
Why would anyone use Elliptic Curves as basis for PRNG?
• Easier to plant a back-door in it than designs based on symmetric
  ciphers
• Can be used to provide provable security properties based on number
  theory
  – But not done for Dual EC PRNG
Dual-EC PRNG
Proposed as NIST standard (2005)

P and Q are (random?) points on P-256.
s_0 ← randomness
Update internal state: s_{i+1} = φ(s_i P)
Generate output bits: r_i = φ(s_i Q), with the 16 most significant bits
of the x-coordinate discarded

[Image: OpenSSL-FIPS implementation (using NIST P and Q values);
image credit: Matthew Green]
“Rump session” talk at CRYPTO 2007 (Dan Shumow and Niels Ferguson):

You can choose Q such that Q = dP;
then it is easy to find e such that P = eQ,
and then easy to learn the state of the PRNG from just one output!

Shumow and Ferguson’s conclusion: [image of their slide]
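What “choose Q = dP” buys the attacker, as an added worked example that is not from the slides or from any real Dual EC implementation: a toy Dual EC generator on a 14-bit curve that drops 4 bits of each x-coordinate (instead of P-256 dropping 16), and the Shumow–Ferguson recovery of the next internal state from a single output, with the following outputs used only to rule out wrong completions of the dropped bits. The curve coefficients, the base-point search, d = 12345 and all function names are assumptions for the demo.

```python
"""Toy Dual EC DRBG and the Shumow-Ferguson state-recovery attack.
Added example: curve, base-point search, d and TRUNC are illustrative
assumptions (real Dual EC uses NIST P-256 and drops 16 of 256 bits)."""
import math

P_MOD = 10007   # prime with P_MOD % 4 == 3, so square roots are one pow()
A, B = 1, 7     # y^2 = x^3 + A*x + B (mod P_MOD)   (assumption)
TRUNC = 4       # bits of the x-coordinate dropped before output (real: 16)
INF = None      # point at infinity


def ec_add(p1, p2):
    """Affine addition, including doubling and R + (-R) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """k*pt by double-and-add (the slides' repeated addition)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def point_with_x(x):
    """A point (x, y) on the curve, or None if no point has this x."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = ec_add(cur, pt), n + 1
    return n


def _pick_base_point():
    for x in range(1, 300):
        pt = point_with_x(x)
        if pt is not None and point_order(pt) > P_MOD // 4:
            return pt
    raise RuntimeError("no base point of large order found")


# Published parameters P, Q ... and the designer's secret relation Q = d*P.
P_BASE = _pick_base_point()
N_ORDER = point_order(P_BASE)
D_SECRET = 12345 % N_ORDER                      # arbitrary assumption
while D_SECRET < 2 or math.gcd(D_SECRET, N_ORDER) != 1:
    D_SECRET += 1
Q_POINT = ec_mul(D_SECRET, P_BASE)
E_TRAPDOOR = pow(D_SECRET, -1, N_ORDER)         # so that P = e*Q
BITS = P_MOD.bit_length()
MASK = (1 << (BITS - TRUNC)) - 1


def dual_ec_outputs(s0, count):
    """s_{i+1} = x(s_i P), r_i = x(s_i Q) with the top TRUNC bits dropped.
    Returns (outputs, states). Raises ValueError if the toy state hits INF."""
    outputs, states, s = [], [s0], s0
    for _ in range(count):
        r_pt, s_pt = ec_mul(s, Q_POINT), ec_mul(s, P_BASE)
        if r_pt is INF or s_pt is INF:
            raise ValueError("degenerate state on toy curve")
        outputs.append(r_pt[0] & MASK)
        s = s_pt[0]
        states.append(s)
    return outputs, states


def recover_state(outputs):
    """From r_0 plus the trapdoor e, list every s_1 consistent with the later
    outputs. A completion x on the curve gives +-(s_0 Q); e*(s_0 Q) =
    s_0*(e*d)*P = s_0 P, whose x-coordinate is s_1; x(-R) = x(R) so the
    sign ambiguity does not matter."""
    candidates = []
    for hi in range(1 << TRUNC):
        x = (hi << (BITS - TRUNC)) | outputs[0]
        r_pt = point_with_x(x) if x < P_MOD else None
        if r_pt is None:
            continue
        s_pt = ec_mul(E_TRAPDOOR, r_pt)
        if s_pt is INF:
            continue
        try:
            predicted, _ = dual_ec_outputs(s_pt[0], len(outputs) - 1)
        except ValueError:
            continue
        if predicted == outputs[1:]:
            candidates.append(s_pt[0])
    return candidates


if __name__ == "__main__":
    outs, states = dual_ec_outputs(4242, 3)
    print("outputs seen:", outs, "true s_1:", states[1],
          "recovered:", recover_state(outs))
```

With 16 dropped bits the real attack needs at most 2^16 curve multiplications per output, which is why the CRYPTO 2007 talk could describe it as recovering the state from one output; everything after s_1 is then fully predictable.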
Snowden Leak (5 September 2013)
[Image: 2013 Intelligence Budget Request ($250M)]

September 2013
[Images]
Randomness Summary
• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical
  randomness
• If your pseudorandom numbers are predictable, all is (almost always)
  lost
Building an Encrypted File System

Scenario
• Documents about plan to overthrow government stored on
  (easily-stolen) device
• Password/biometric-protected (assume that works, for now)
Data should not be readable to someone who steals the device and can
physically extract its non-volatile (flash) storage
Electronic Codebook Mode

declaration.txt → divide into 128-bit blocks: block 1, block 2, …, block n
Encrypt each block with k:
[Diagram: block i → AES_k → ciphertext block i, independently for every
block]

If two blocks have the same plaintext, with ECB they have the same
ciphertext!
Block Size
128 bits = 16 bytes
"Benjamin Frankli" (16 characters)
[Images: Almanack, Mail, pennsylvannians.txt, declaration.txt]
Time-Space Tradeoffs

No-memory brute force attack:
[Diagram: known crib → AES_key → compare with known ciphertext]
Try all keys until you find one that fits.
Memory: 0
Time: 2^127 encryptions (1T nuclear mega-bombs)

No-time (not) brute force attack:
Pre-compute table of AES_key(crib) for every key:
  key        AES_key(crib)
  000…000    7ebc5137da5ff2…
  000…001    4d7b9328a582c…
  …          …
sorted by ciphertext. Break intercepted ciphertext message: one table
lookup!
Time: 1
Memory: 2^132 bytes (~$2 decillion, 10^33)

Combination: Rainbow Tables
Precompute chains: known crib → AES → ciphertext 1 → AES → … → AES →
ciphertext 2^64; only store the chain endpoints.
Time: 2^64
Memory: 2^68 bytes (~$137 trillion)
Won’t quite work like this for AES, but with some more tricks.
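The chain construction above, as an added example that is not part of the slides: a Hellman time-memory trade-off against a toy 16-bit key space, where f(k) stands in for AES_k(crib). Only chain endpoints are stored, a lookup walks at most one chain length, and coverage_estimate reports how much of the key space a single table actually recovers (the shortfall from chain merges is what the "more tricks" of rainbow tables, per-column reduction functions, address). The toy cipher, the reduction function, the start points, chain count and chain length are all assumptions.

```python
"""Hellman time-memory trade-off against a toy 16-bit "cipher".
Added example, not from the original slides; f, reduce, chain count and
chain length are illustrative assumptions."""
import hashlib

KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
CRIB = b"Benjamin Frankli"      # the known 16-byte plaintext block from the slides
M_CHAINS = 256                  # chains stored  (memory)
T_STEPS = 256                   # chain length   (time per lookup)


def f(key: int) -> int:
    """Toy "encrypt the crib under key", truncated to a 16-bit output."""
    digest = hashlib.sha256(CRIB + key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce(ct: int) -> int:
    """Map a ciphertext back into the key space (any cheap mixing will do)."""
    return (ct * 0x9E37 + 0x79B9) & (KEY_SPACE - 1)


def chain_start(row: int) -> int:
    return (row * 0x0101) & (KEY_SPACE - 1)


def build_table(m: int = M_CHAINS, t: int = T_STEPS) -> dict:
    """Walk m chains of t steps and keep only endpoint -> [start points].
    The m*t intermediate keys are the covered key space; none is stored."""
    table = {}
    for row in range(m):
        k = chain_start(row)
        for _ in range(t):
            k = reduce(f(k))
        table.setdefault(k, []).append(chain_start(row))
    return table


def lookup(table: dict, target_ct: int, t: int = T_STEPS):
    """Find a key k with f(k) == target_ct in at most t steps plus one chain
    replay per endpoint hit; None if the target is not covered."""
    k = reduce(target_ct)
    for steps in range(t):
        if k in table:
            for start in table[k]:            # replay every chain ending here
                cand = start
                for _ in range(t - steps):    # the key must sit before the hit
                    if f(cand) == target_ct:
                        return cand
                    cand = reduce(f(cand))
                # no match: a merged chain produced a false alarm, keep walking
        k = reduce(f(k))
    return None


def coverage_estimate(table: dict, samples: int = 200) -> float:
    """Fraction of sampled keys one table recovers; well below 1 because
    chains merge, which is what rainbow-style reductions are for."""
    hits = 0
    for i in range(samples):
        key = (i * 0x9E3779B1) & (KEY_SPACE - 1)     # deterministic sample keys
        found = lookup(table, f(key))
        hits += found is not None and f(found) == f(key)
    return hits / samples


def memory_bytes(table: dict) -> int:
    """Stored bytes: one (endpoint, start) pair of 16-bit values per chain."""
    return 4 * sum(len(v) for v in table.values())


if __name__ == "__main__":
    tbl = build_table()
    print("chains:", M_CHAINS, "memory:", memory_bytes(tbl), "bytes",
          "(a full key->ciphertext table would be", KEY_SPACE * 2, "bytes)")
    print("coverage of a single table ~", coverage_estimate(tbl))
```

Each stored chain costs 4 bytes but represents 256 keys; the price is 256 cipher evaluations per lookup and the merges that keep one table from covering everything.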
[Slide from University of Virginia cs4414, 16 October 2013]
NSA Meltdown?
“Experts estimate the new center in Utah can store data by the exabyte
or zettabyte.” (Actual amount is highly classified.)
Cipher Block Chaining Mode (CBC)

[Diagram: Initialization Vector ⊕ block 1 → AES_k → ciphertext 1;
ciphertext i−1 ⊕ block i → AES_k → ciphertext i, for i = 2, 3, 4, …]

+ Avoids leaking repeated plaintexts
− Cannot encrypt in parallel
Counter Mode (CTR)

[Diagram: (Nonce || 00000000) → AES_k → keystream ⊕ block 1;
(Nonce || 00000001) → AES_k → keystream ⊕ block 2; …
increase the counter for each block]

+ Avoids leaking repeated plaintexts
+ Can encrypt and decrypt in parallel
? Systematic input
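The three modes above, as an added example that is not part of the slides: ECB, CBC and CTR written over a generic 128-bit block function. AES is replaced by a four-round Feistel network keyed with HMAC-SHA-256 so that the block runs on the standard library alone (an assumption for the demo; the mode code is what you would wrap around AES unchanged). It also shows the CTR failure mode the “? Systematic input” bullet and the per-file-nonce question point at: reusing a (key, nonce) pair hands an attacker the XOR of the two plaintexts without the key. Keys, IVs and nonces are constructed values.

```python
"""ECB, CBC and CTR over a toy 128-bit block cipher.
Added example, not from the original slides. The Feistel block stands in
for AES; keys, IVs and nonces are constructed test values."""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key + bytes([i]), half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block permutation (4-round Feistel), stand-in for AES."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """c_i = E_k(p_i XOR c_{i-1}) with c_0 = IV: inherently sequential."""
    out, prev = [], iv
    for b in _blocks(pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = E_k(nonce || i), XORed with the data. Encrypt and
    decrypt are the same call, no padding, every block independent."""
    assert len(nonce) == 8
    out = []
    for i, b in enumerate(_blocks(data)):
        ks = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(b, ks))
    return b"".join(out)


def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bytes:
    """Same (key, nonce) twice: c1 XOR c2 == p1 XOR p2, no key needed."""
    return _xor(ctr_crypt(key, nonce, pt1), ctr_crypt(key, nonce, pt2))


if __name__ == "__main__":
    key, iv, nonce = os.urandom(16), os.urandom(16), os.urandom(8)
    pt = b"Benjamin Frankli" * 2 + b"n, Philadelphia "   # a repeated block
    print("ECB repeats:", ecb_encrypt(key, pt)[:16] == ecb_encrypt(key, pt)[16:32])
    print("CBC repeats:", cbc_encrypt(key, iv, pt)[:16] == cbc_encrypt(key, iv, pt)[16:32])
    print("CTR round trip:", ctr_crypt(key, nonce, ctr_crypt(key, nonce, pt)) == pt)
```

For the encrypted file system this means every file needs its own nonce (or IV) that is never reused under the same k, and that nonce has to be stored somewhere the decryptor can find it; it need not be secret, only unique.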
How should our young subversive store the master key k and the
(per-file) nonces?
Storing the Key (?)

[Diagram: human-remembered 4-digit PIN (e.g. 0704) → AES → k;
stored: encrypted k]

Maybe this could work with a tamper-proof device?

R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours
Higher Entropy Passwords

[Diagram: human-remembered long password (44 bits of entropy) → AES → k;
stored: encrypted k]

Scaling Work

[Diagram: human-remembered long password (44 bits of entropy) → AES,
repeated 1000 times → k; stored: 1000x encrypted k]

Time for one AES: 10 ms
Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power)
Time for 1000x AES: 10 s
Time for 2^44 1000x AES: 5M years
Scaling to a Web Service

[Screenshots: http://epetitions.direct.gov.uk/ and
http://petitions.whitehouse.gov]
Early Password Schemes

UserID     Password
benf       flyakite
samadams   beer
tj         Monti07cello04
…          …

Login: tj
Password: wahoo
Failed login. Guess again.

authentication check: guess == users[userID].password

FAIL: someone who gets the password file learns all passwords
Encrypted Passwords Scheme

Master key K. Store passwords encrypted using K:
UserID     Password
benf       AES_K(flyakite)
samadams   AES_K(beer)
tj         AES_K(Monti07cello04)
…          …

authentication check: AES_K(guess) == users[userID].password

FAIL: someone who gets the password file and K learns all passwords
Hashed Passwords Scheme

Store passwords by using them as the key to encrypt 0:
UserID     Password
benf       AES_flyakite(0)
samadams   AES_beer(0)
tj         AES_Monti07cello04(0)
…          …

authentication check: AES_guess(0) == users[userID].password

Variant with a master key K (store passwords by using them to encrypt K):
UserID     Password
benf       AES_flyakite(K)
samadams   AES_beer(K)
tj         AES_Monti07cello04(K)
…          …

authentication check: AES_guess(K) == users[userID].password
FAIL
“If they had consulted with anyone that knows anything about password
security, this would not have happened,” said Paul Kocher, president of
Cryptography Research, a San Francisco computer security firm.
86% of users are dumb
Single ASCII character              0.5%
Two characters                      2%
Three characters                    14%
Four alphabetic letters             14%
Five same-case letters              21%
Six lowercase letters               18%
Words in dictionaries or names      15%
Other (possibly good passwords)     14%
(Morris/Thompson 79)
Dictionary Attacks

Seed list:
• All 1-4 letter words
• List of common (dog) names
• Words from dictionary (4M words, 20+ languages)
• Phone numbers, dates, etc.

Rules for generating passwords:
• Combining words from seed list
• Inserting numbers, symbols
• Replacing “l” with “1”, “ate” with “8”, etc.
• Anything written in any popular password advice document!

http://www.openwall.com/john/
Aside: My 3-Word Password Advice

Unimportant Passwords: use “silly” (protect service, not user)
Important Passwords: write them down (but somewhat obfuscated and in a
secure place)
If you can memorize it, it is not secure! (unless you have a
well-trained memory)
Making Dictionary Attacks Harder

1. Use a more expensive cryptographic hash function
UserID     Password                 Password (1000 iterations)
benf       AES_flyakite(0)          AES_flyakite^1000(0)
samadams   AES_beer(0)              AES_beer^1000(0)
tj         AES_Monti07cello04(0)    AES_Monti07cello04^1000(0)
…          …                        …

2. Add “salt” – randomly selected (but non-secret) value for each user
UserID     Salt (16 bits)   Password
benf       52455            AES_flyakite^1000(52455)
samadams   50757            AES_beer^1000(50757)
tj         47101            AES_Monti07cello04^1000(47101)
…          …                …

AES x 1000 makes dictionary attack 1000 times harder
16-bit salt makes dictionary attack 2^16 times harder (but doesn’t
make a targeted attack against one user harder)
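Both countermeasures, iterated hashing and a per-user salt, as an added example that is not part of the slides: the deck’s AES_password^1000(salt) is replaced by PBKDF2-HMAC-SHA-256 from Python’s hashlib (an assumption: the standard construction rather than the slide’s AES-based one), with a 128-bit random salt instead of 16 bits, the iteration count stored alongside the hash, constant-time verification, and a dictionary attack that shows why salt costs an attacker one full pass of the word list per user rather than one pass for everyone. The user names and passwords are the deck’s fictional ones; the word list is constructed.

```python
"""Salted, iterated password storage and the dictionary attack against it.
Added example, not from the original slides. PBKDF2 replaces the deck's
iterated-AES construction; ITERATIONS and the word list are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # raise until one verification costs ~100 ms on your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What gets stored: the salt and iteration count in the clear, plus the hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}


def verify(record: dict, guess: str) -> bool:
    candidate = hash_password(guess, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def dictionary_attack(records: dict, wordlist) -> dict:
    """Cost is len(wordlist) * len(records) PBKDF2 calls: the per-user salt
    stops the attacker hashing each word once for everybody, and the
    iteration count multiplies the cost of every single call."""
    cracked = {}
    for user, rec in records.items():
        for word in wordlist:
            if hmac.compare_digest(hash_password(word, rec["salt"], rec["iterations"]),
                                   rec["hash"]):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    users = {"benf": make_record("flyakite"), "samadams": make_record("beer"),
             "tj": make_record("Monti07cello04")}
    print(verify(users["tj"], "wahoo"), verify(users["tj"], "Monti07cello04"))
    # constructed word list for the demo
    print(dictionary_attack(users, ["password", "beer", "wahoo", "kite"]))
```

Storing the iteration count per record is what lets you raise it later for new passwords without invalidating old ones; a targeted attack on one user still costs only one pass, which is why the entropy of the password itself remains the limiting factor.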
Two Big Problems Remaining:
1. Users are still morons
(Solving this is outside the scope of this class.)

Auditors called 100 IRS employees and managers, portraying themselves
as personnel from the information technology help desk trying to
correct a network problem. They asked the employees to provide their
network logon name and temporarily change their password to one they
suggested. “We were able to convince 35 managers and employees to
provide us their username and change their password,” the report said.
GAO Audit of IRS (2005)
Two Big Problems Remaining:
2. Transmitting password
[Diagram: TJ → Insecure Channel → petitions.gov]
How does TJ know he’s really talking to petitions.gov?
How can he establish a secure channel to transmit the password?
Plan for Next Week
Solving these problems using asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)
(open to requests!)

evans@virginia.edu
MightBeEvil.com/crypto
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Dernier (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

  • 2. Engineering Cryptographic Applications, Day 2: Using (and Misusing) Symmetric Ciphers. David Evans, University of Virginia, www.cs.virginia.edu/evans. Microstrategy Course, 11 October 2013.
  • 3. Recap: Symmetric Encryption. Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext. Correctness property: for all possible messages m, D(E(m)) = m. Security property: given c = E(m), it is “hard” to learn anything interesting about m. “hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions. (Slide footer, repeated on every slide: evans@virginia.edu, Engineering Crypto Applications.)
  • 4. Today: Using Symmetric Encryption. Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext.
  • 5. Today: Using Symmetric Encryption. 1. How to generate a good (unpredictable) key: randomness. 2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server.
  • 7. Which is random? Left column: 0101100001111 0110000111011 1010000000011 1011000000011 1011011001011 1110011011110 0100000111000 0001110111000 0000111010100 1000101000001. Right column: 0101101001101 0110000111011 1010100010011 1011000100011 1011011001011 0110011011010 0100100111001 0001110111001 0000111010100 1000101010001.
  • 8. Which is random? Left column: C1 from the Puzzle Challenge (message Crypto.Random). Right column: C1 with sequences of 5 or more repeated symbols modified.
  • 9. Which is random? (Two bitmap images.) Source of images: http://boallen.com/random-numbers.html
  • 10. Which is random? One image is from random.org (atmospheric noise), the other from PHP rand() (on Windows). Which should you use to generate cryptographic keys? Source of images: http://boallen.com/random-numbers.html
  • 11. Defining Non-Randomness (or pornography). If you can find any predictable patterns in the sequence, it is definitely not random. “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.” Supreme Court Justice Potter Stewart
  • 12. Defining Randomness. Andrey Kolmogorov (1903-1987): “He was to probability theory what Euclid was to geometry.” (Peter Lax). For a sequence s, its Kolmogorov Complexity K(s) = the length of the shortest description of s. A sequence s is random if K(s) ≈ |s| + C, that is, no description of s is shorter than s itself, up to an additive constant. (This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)
  • 13. Kolmogorov Complexities. s = 000000000000000…
  • 14. Kolmogorov Complexities. s = 000000000000000…; description = “N repeated 0s”; K(s) = log |s| + C1 < |s| + C. t = 010011000111000011110000011111…
  • 15. Kolmogorov Complexities. s = 000000000000000…; description = “N repeated 0s”; K(s) = log |s| + C1 < |s| + C. t = 010011000111000011110000011111…; description = “t = ""; int i, j; for (i = 1; i < N; i++) { for (j = 0; j < i; j++) t += '0'; for (j = 0; j < i; j++) t += '1'; }”; K(t) = log |t| + C2 < |t| + C
  • 16. Kolmogorov Complexities. r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101…; description = “from Crypto.Random import random; def random_sequence(n): return map(lambda x: random.choice([0, 1]), range(n))” plus the state of the random module (and any entropy added during generation). Hmmm… maybe the answer from the earlier slide was wrong!
  • 17. If your mind isn’t blown yet… What is the smallest natural number that cannot be described in eleven words?
  • 18. If your mind isn’t blown yet… What is the smallest natural number that cannot be described in eleven words? Count the words: “The(1) smallest(2) natural(3) number(4) that(5) cannot(6) be(7) described(8) in(9) eleven(10) words(11).”
  • 19. Randomness is Essential. • Kolmogorov provides a definition of randomness but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible). • Impossible for a program to generate true randomness: a program can generate a sequence longer than itself, so that sequence has a description (the program) shorter than itself and is not random. • There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses.
  • 20. Amplifying Physical Randomness: Pseudo-Random Number Generator. k = f(physical randomness). Output block i = AES_k(i) for i = 0, 1, 2, 3, … (each counter value encrypted under k). Every once in a while, compute a new k using new physical randomness.
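The generator on slide 20, as an added example that is not part of the original deck: a key k derived from a physical entropy source, output blocks PRF_k(0), PRF_k(1), …, and a periodic reseed that folds fresh entropy into k. HMAC-SHA256 stands in for AES as the pseudo-random function (an assumption made so the example runs on the Python standard library; the structure is the same). The two demonstration functions show the two properties that matter in practice: the output is fully determined by k (so a predictable k means predictable output), and reseeding with real entropy is what makes two generators with the same starting key diverge.

```python
import hashlib
import hmac
import os

BLOCK = 32          # bytes produced per PRF call (SHA-256 output size)
RESEED_AFTER = 4    # toy reseed interval: blocks generated before fresh entropy is mixed in


class AmplifiedPRNG:
    """k = f(physical randomness); output_i = PRF_k(i); new k every so often.
    HMAC-SHA256 stands in for AES_k (assumption for this example)."""

    def __init__(self, entropy_source=os.urandom, seed=None):
        self.entropy_source = entropy_source
        self.counter = 0
        self.since_reseed = 0
        self.key = self._derive(seed if seed is not None else entropy_source(32))

    @staticmethod
    def _derive(material):
        # f(physical randomness): condition raw entropy into a fixed-size key
        return hashlib.sha256(b"seed|" + material).digest()

    def reseed(self):
        # Fold new entropy into the old key rather than replacing it, so an attacker
        # needs both the previous key and the new entropy to predict what follows.
        self.key = self._derive(self.key + self.entropy_source(32))
        self.since_reseed = 0

    def next_block(self):
        if self.since_reseed >= RESEED_AFTER:
            self.reseed()
        out = hmac.new(self.key, self.counter.to_bytes(8, "big"), "sha256").digest()
        self.counter += 1
        self.since_reseed += 1
        return out

    def random_bytes(self, n):
        buf = b""
        while len(buf) < n:
            buf += self.next_block()
        return buf[:n]


def _no_entropy(n):
    # Stand-in "physical source" that never supplies anything new (constructed for the demo)
    return b"\x00" * n


def same_seed_same_output(seed=b"constructed fixed seed"):
    """Same k and no real entropy: two generators agree byte for byte, across reseeds too."""
    g1 = AmplifiedPRNG(_no_entropy, seed)
    g2 = AmplifiedPRNG(_no_entropy, seed)
    return g1.random_bytes(300) == g2.random_bytes(300)


def reseed_diverges(seed=b"constructed fixed seed"):
    """Same starting k, but only g2 gets fresh entropy at reseed time: outputs agree for the
    first RESEED_AFTER blocks and differ afterwards. Returns (agree_before, agree_after)."""
    g1 = AmplifiedPRNG(_no_entropy, seed)
    g2 = AmplifiedPRNG(os.urandom, seed)
    before = g1.random_bytes(RESEED_AFTER * BLOCK) == g2.random_bytes(RESEED_AFTER * BLOCK)
    after = g1.random_bytes(BLOCK) == g2.random_bytes(BLOCK)
    return before, after
```

The reseed interval and the 32-byte entropy pull are toy values; a real deployment follows the reseed and entropy-input requirements of SP 800-90A rather than constants chosen for a demo.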
  • 21. NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
  • 22. Dual-EC PRNG. s0 ← physical randomness. P and Q are points on an elliptic curve. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), output r_i with its 16 most significant bits discarded (φ takes the x-coordinate of a point).
  • 23. Elliptic Curves. y² = x³ – 7 (mod p). Discrete values: x and y are integers! Addition: P + Q = (the negation of) the intersection of the curve with the line through P and Q. Multiplication: repeated addition, kP = P + P + … + P. Elliptic curves are primarily used in asymmetric crypto, but also in the Dual EC PRNG.
  • 24. Elliptic Curves (figure: P, Q and P + Q on the curve). y² = x³ – 7 (mod p). Discrete values: x and y are integers! Addition: P + Q = negate the intersection of the curve with the line through P and Q. Multiplication: repeated addition, kP = P + P + … + P.
  • 25. Elliptic Curves. Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP. y² = x³ – 7 (mod p); P + Q = (negated) third point where the line through P and Q meets the curve; kP = P + P + … + P (multiplication is just repeated addition).
  • 26. Curve Used by Dual-EC PRNG: NIST P-256. y² = x³ + ax + b (mod p), with p = 2^256 − 2^224 + 2^192 + 2^96 − 1, a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948, b = 41058363725152142129326129780047268409114441015993725554835256314039467401291. Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
  • 27. Why would anyone use Elliptic Curves as basis for PRNG? • Easier to plant a back-door in it than designs based on symmetric ciphers. • Can be used to provide provable security properties based on number theory (but not done for Dual EC PRNG).
  • 28. Dual-EC PRNG, proposed as NIST standard (2005). s0 ← randomness. P and Q are (random?) points on P-256. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), output r_i with its 16 most significant bits discarded.
  • 29. OpenSSL-FIPS implementation (using NIST P and Q values). Image credit: Matthew Green.
  • 30. “Rump session” talk at CRYPTO 2007 (Shumow and Ferguson): you can choose Q such that Q = dP; then it is easy to find e such that P = eQ (e = d⁻¹ modulo the order of P), and then easy to learn the state of the PRNG from just one output!
  • 31. Shumow and Ferguson’s conclusion: (slide image)
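The Shumow-Ferguson observation from slides 30-31, carried through as an added example (not code from the deck): a Dual EC generator over a toy curve whose Q was chosen as dP, and an attacker who holds e = d⁻¹ and recovers the next internal state from a single output. The curve y² = x³ + 7 over F_101 and the seed s0 = 42 are constructed for this example; nothing here is a real parameter set. Because 101 ≡ 2 (mod 3) the curve has exactly 102 points and the group is cyclic, so a generator P exists and every x-coordinate is a valid non-zero state. One simplification: the generator outputs the full x-coordinate, whereas real Dual EC drops the 16 most significant bits, which only costs the attacker up to 2^16 candidate points to test against the next output.

```python
from math import gcd

# Toy curve y^2 = x^3 + 7 over F_101 (constructed for this example, not a real parameter set).
p, a, b = 101, 0, 7


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(P, Q):
    """Group law on the curve; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                     # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """k*P by double-and-add (the slides' 'repeated addition')."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def order(P):
    n, R = 1, P
    while R is not None:
        R, n = ec_add(R, P), n + 1
    return n


POINTS = [(x, y) for x in range(p) for y in range(p) if on_curve((x, y))]
N = len(POINTS) + 1                                      # group order, counting infinity
P = next(pt for pt in POINTS if order(pt) == N)          # a generator of the whole group


def phi(pt):
    return pt[0]   # x-coordinate, as on the slides (real Dual EC also drops the top 16 bits)


def dual_ec_step(s, P, Q):
    """One iteration: returns (s_{i+1}, r_i) = (phi(s_i P), phi(s_i Q))."""
    return phi(ec_mul(s, P)), phi(ec_mul(s, Q))


def make_backdoored_Q(d):
    """The designer picks Q = d*P and keeps d; e = d^-1 mod N satisfies P = e*Q."""
    if gcd(d, N) != 1:
        raise ValueError("d must be invertible modulo the group order")
    return ec_mul(d, P), pow(d, -1, N)


def recover_next_state(r, e):
    """Lift the output r to a point R = (r, y) = s*Q; then e*R = e*d*s*P = s*P, whose
    x-coordinate is the next internal state. -R gives the same x, so either y works."""
    y = next(y for y in range(p) if on_curve((r, y)))
    return phi(ec_mul(e, (r, y)))


def attack_demo(s0=42, d=5):
    """Returns (recovered state == real state, predicted next output == real next output)."""
    Q, e = make_backdoored_Q(d)
    s1, r0 = dual_ec_step(s0, P, Q)       # victim emits r0 ...
    s2, r1 = dual_ec_step(s1, P, Q)       # ... and later r1
    guess = recover_next_state(r0, e)     # attacker sees only r0 and knows e
    predicted_r1 = phi(ec_mul(guess, Q))
    return guess == s1, predicted_r1 == r1
```

Without e, turning r0 back into s1 requires solving the discrete logarithm relating P and Q, which is exactly the problem the slide says is hard; with e it is one scalar multiplication. The check a practitioner wants is the one attack_demo performs: if a single output lets you predict the next one, the generator's state is gone, and every key derived from it with it.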
  • 32. Snowden Leak (5 September 2013): 2013 Intelligence Budget Request ($250M). (Slide image of the budget request.)
  • 36. Randomness Summary. • All cryptosystems depend on randomness. • No way to test if a value is really random. • Physical randomness is limited: need algorithms to amplify physical randomness. • If your pseudorandom numbers are predictable, all is (almost always) lost.
  • 38. Scenario. • Documents about a plan to overthrow the government stored on an (easily-stolen) device. • Password/biometric-protected (assume that works, for now). Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage.
  • 39. Electronic Codebook Mode (ECB). declaration.txt is divided into 128-bit blocks, block 1 … block n; each block is encrypted with AES under k, giving ciphertext blocks 1 … n.
  • 40. Electronic Codebook Mode. If two blocks have the same plaintext, with ECB they have the same ciphertext!
  • 41. Block Size: 128 bits = 16 bytes, e.g. "Benjamin Frankli" (16 characters). (Figure: the files Almanack, Mail, pennsylvannians.txt, declaration.txt.)
  • 42. Time-Space Tradeoffs. No-memory brute force attack: known crib → AES → known ciphertext; try all keys until you find one that fits. Memory: 0. Time: 2^127 encryptions (1T nuclear mega-bombs).
  • 43. Time-Space Tradeoffs. No-time (not) brute force attack: pre-compute a table of key → AES_key(crib) for every key (000…000 → 7ebc5137da5ff2…, 000…001 → 4d7b9328a582c…, …), sorted by ciphertext. Break an intercepted ciphertext message: one table lookup! Time: 1. Memory: 2^132 bytes, ~$2 decillion (10^33).
  • 44. Combination: Rainbow Tables. Precompute chains: known crib → AES → ciphertext 1 → AES → … → AES → ciphertext 2^64, and only store the chain endpoints. Time: 2^64. Memory: 2^68 bytes (~$137 trillion). Won’t quite work like this for AES, but does with some more tricks.
  • 45. (Slide from University of Virginia cs4414, 16 October 2013.)
  • 46. NSA Meltdown? “Experts estimate the new center in Utah can store data by the exabyte or zettabyte.” (Actual amount is highly classified.)
  • 47. Cipher Block Chaining Mode (CBC). Initialization Vector ⊕ block 1 → AES_k → ciphertext block 1; ciphertext block 1 ⊕ block 2 → AES_k → ciphertext block 2; and so on for blocks 3, 4, …
  • 48. Cipher Block Chaining Mode. + Avoids leaking repeated plaintexts. − Cannot encrypt in parallel.
  • 49. Counter Mode (CTR). Input blocks Nonce‖00000000, Nonce‖00000001, …: each is encrypted with AES under k and the result is XORed with plaintext block 1, block 2, …; increase the counter for each block.
  • 50. Counter Mode (CTR). + Avoids leaking repeated plaintexts. + Can encrypt and decrypt in parallel. ⁇ Systematic input.
  • 51. How should our young subversive store master key k and (per-file) nonces?
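The three modes from slides 39-50, plus the failure mode hiding behind the per-file nonce question on slide 51, as an added example that is not part of the deck. AES is not in the Python standard library, so a 4-round Feistel network keyed with HMAC-SHA256 stands in as the 128-bit block cipher (an assumption; the mode logic on top of it is the real ECB, CBC and CTR). The key, the repeated-block plaintext and the two short messages are constructed for the demo.

```python
import hmac
import os

BLOCK = 16


def _round(key, i, half):
    """Feistel round function F_i: HMAC-SHA256 over (round index, half), cut to 64 bits."""
    mac = hmac.new(key, bytes([i]) + half.to_bytes(8, "big"), "sha256").digest()
    return int.from_bytes(mac[:8], "big")


def block_encrypt(key, block):
    """Toy 128-bit block cipher (stand-in for AES): 4-round Feistel network."""
    L = int.from_bytes(block[:8], "big")
    R = int.from_bytes(block[8:], "big")
    for i in range(4):
        L, R = R, L ^ _round(key, i, R)
    return L.to_bytes(8, "big") + R.to_bytes(8, "big")


def block_decrypt(key, block):
    L = int.from_bytes(block[:8], "big")
    R = int.from_bytes(block[8:], "big")
    for i in reversed(range(4)):
        L, R = R ^ _round(key, i, L), L
    return L.to_bytes(8, "big") + R.to_bytes(8, "big")


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example uses block-aligned input; real code pads (e.g. PKCS#7)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, pt):
    """ECB: every block encrypted independently, so equal blocks give equal ciphertext."""
    return b"".join(block_encrypt(key, blk) for blk in _blocks(pt))


def cbc_encrypt(key, iv, pt):
    """CBC: each block is XORed with the previous ciphertext block (IV first) before encryption."""
    out, prev = [], iv
    for blk in _blocks(pt):
        prev = block_encrypt(key, xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for blk in _blocks(ct):
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def ctr_keystream(key, nonce, nbytes):
    """CTR: encrypt nonce || counter for counter = 0, 1, 2, ... (8-byte nonce, 8-byte counter)."""
    ks, ctr = b"", 0
    while len(ks) < nbytes:
        ks += block_encrypt(key, nonce + ctr.to_bytes(8, "big"))
        ctr += 1
    return ks[:nbytes]


def ctr_crypt(key, nonce, data):
    """Encryption and decryption are the same XOR; any length, no padding needed."""
    return xor(data, ctr_keystream(key, nonce, len(data)))


KEY = b"constructed 32-byte example key!"     # constructed demo key
PLAINTEXT = b"ATTACK AT DAWN!!" * 3            # three identical 16-byte blocks (constructed)


def repeated_blocks(ct):
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


def ecb_leaks_repetition():
    return repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)) == 2


def cbc_hides_repetition():
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(KEY, iv, PLAINTEXT)
    return repeated_blocks(ct) == 0 and cbc_decrypt(KEY, iv, ct) == PLAINTEXT


def ctr_hides_repetition():
    nonce = os.urandom(8)
    ct = ctr_crypt(KEY, nonce, PLAINTEXT)
    return repeated_blocks(ct) == 0 and ctr_crypt(KEY, nonce, ct) == PLAINTEXT


def ctr_nonce_reuse_leaks():
    """Reusing (key, nonce) for two files gives the same keystream, so c1 XOR c2 == m1 XOR m2
    and an attacker who knows one file recovers the other: the per-file nonce must be unique."""
    nonce = bytes(8)                       # the same nonce used twice (the mistake)
    m1, m2 = b"attack at dawn", b"retreat today!"   # constructed, equal length
    c1 = ctr_crypt(KEY, nonce, m1)
    c2 = ctr_crypt(KEY, nonce, m2)
    return xor(c2, xor(c1, m1)) == m2
```

The last function is the answer to why the nonce question matters: a stored nonce that is reused, or a counter that restarts after a crash, turns CTR into a two-time pad over every file that shares it.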
  • 52. Storing the Key (?). Human-remembered 4-digit PIN (e.g. 0704) → AES → k; stored: k encrypted under the PIN.
  • 53. Maybe this could work with a tamper-proof device?
  • 54. R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours.
  • 55. Higher Entropy Passwords. Human-remembered long password (44 bits of entropy) → AES → k; stored: k encrypted under the password.
  • 56. Scaling Work. Human-remembered long password (44 bits of entropy) → AES repeated 1000 times → k; stored: k encrypted 1000x.
  • 57. Scaling Work. Time for one AES: 10 ms. Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power). Time for 1000x AES: 10 s. Time for 2^44 1000x AES: 5M years.
  • 58. Scaling to a Web Service
  • 61. Early Password Schemes. Password file (UserID: Password): benf: flyakite; samadams: beer; tj: Monti07cello04; … Login: tj, Password: wahoo → Failed login. Guess again. Authentication check: guess == users[userID].password
  • 62. Early Password Schemes. FAIL: someone who gets the password file learns all passwords. Authentication check: guess == users[userID].password
  • 63. Encrypted Passwords Scheme. Password file (UserID: Password): benf: AES_K(flyakite); samadams: AES_K(beer); tj: AES_K(Monti07cello04); … Master key K; store passwords encrypted using K. Authentication check: AES_K(guess) == users[userID].password
  • 64. Encrypted Passwords Scheme. FAIL: someone who gets the password file and K learns all passwords. Authentication check: AES_K(guess) == users[userID].password
  • 65. Hashed Passwords Scheme. Password file (UserID: Password): benf: AES_flyakite(0); samadams: AES_beer(0); tj: AES_Monti07cello04(0); … Store passwords by using them as the key to encrypt 0. Authentication check: AES_guess(0) == users[userID].password
  • 66. Hashed Passwords Scheme. Password file (UserID: Password): benf: AES_flyakite(K); samadams: AES_beer(K); tj: AES_Monti07cello04(K); … Master key K; store passwords by using them to encrypt K. Authentication check: AES_guess(K) == users[userID].password. FAIL
  • 67. “If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
  • 68. 86% of users are dumb (Morris/Thompson 79). Single ASCII character: 0.5%. Two characters: 2%. Three characters: 14%. Four alphabetic letters: 14%. Five same-case letters: 21%. Six lowercase letters: 18%. Words in dictionaries or names: 15%. Other (possibly good passwords): 14%.
  • 69. Dictionary Attacks (http://www.openwall.com/john/). Seed list: all 1-4 letter words; list of common (dog) names; words from dictionary (4M words, 20+ languages); phone numbers, dates, etc.; anything written in any popular password advice document! Rules for generating passwords: combining words from the seed list; inserting numbers, symbols; replacing “l” with “1”, “ate” with “8”, etc.
  • 70. Aside: My 3-Word Password Advice. Unimportant passwords: use “silly” (protect the service, not the user). Important passwords: write them down (but somewhat obfuscated and in a secure place). If you can memorize it, it is not secure! (unless you have a well-trained memory)
  • 71. Making Dictionary Attacks Harder. 1. Use a more expensive cryptographic hash function: instead of AES_flyakite(0), AES_beer(0), AES_Monti07cello04(0), store AES_flyakite^1000(0), AES_beer^1000(0), AES_Monti07cello04^1000(0) (AES iterated 1000 times).
  • 72. Making Dictionary Attacks Harder. 2. Add “salt”: a randomly selected (but non-secret) value for each user. Password file (UserID: Salt (16 bits): Password): benf: 52455: AES_flyakite^1000(52455); samadams: 50757: AES_beer^1000(50757); tj: 47101: AES_Monti07cello04^1000(47101). AES x 1000 makes a dictionary attack 1000 times harder. A 16-bit salt makes a dictionary attack 2^16 times harder (but doesn’t make a targeted attack against one user harder).
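The two hardening steps of slides 71-72 (an expensive iterated hash, then a per-user salt), as an added example that is not part of the deck. PBKDF2-HMAC-SHA256 from the standard library stands in for the slides' AES iterated 1000 times (an assumption; the point is the work factor, not the primitive). The users are the ones from the slides and the attacker's wordlist is constructed so that two of the three passwords are in it. The two attack functions count hash evaluations: without salt a single precomputed table serves every user, with a random salt the attacker has to repeat the whole wordlist per user (a 16-bit salt, as on the slide, forces a 2^16 times larger table instead).

```python
import hashlib
import hmac
import os

ITERATIONS = 1000   # the slide's "AES x 1000": work an attacker must repeat for every guess


def slow_hash(password, salt, iterations=ITERATIONS):
    """Iterated password hash; PBKDF2-HMAC-SHA256 stands in for the slides' iterated AES."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password, salt=None):
    """Store (salt, hash). The salt is random but not secret; salt=b'' gives the unsalted scheme."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}


def check_password(record, guess):
    # constant-time comparison: the check must not leak how many bytes matched
    return hmac.compare_digest(record["hash"], slow_hash(guess, record["salt"]))


def attack_unsalted(records, wordlist):
    """No salt: hash each word once, look every user up in the same table.
    Returns (cracked users, number of hash evaluations)."""
    table = {slow_hash(w, b""): w for w in wordlist}
    cracked = {uid: table[r["hash"]] for uid, r in records.items() if r["hash"] in table}
    return cracked, len(wordlist)


def attack_salted(records, wordlist):
    """Per-user salt: the table cannot be shared, so every user costs a fresh pass over the
    wordlist. Returns (cracked users, number of hash evaluations)."""
    cracked, work = {}, 0
    for uid, r in records.items():
        for w in wordlist:
            work += 1
            if slow_hash(w, r["salt"]) == r["hash"]:
                cracked[uid] = w
                break
    return cracked, work


# Constructed data: the users from the slides; only the first two passwords are in the wordlist
USERS = {"benf": "flyakite", "samadams": "beer", "tj": "Monti07cello04"}
WORDLIST = ["password", "beer", "flyakite", "wahoo"]


def compare_schemes():
    """Returns (cracked without salt, work without salt, cracked with salt, work with salt)."""
    unsalted = {uid: make_record(pw, salt=b"") for uid, pw in USERS.items()}
    salted = {uid: make_record(pw) for uid, pw in USERS.items()}
    cracked_u, work_u = attack_unsalted(unsalted, WORDLIST)
    cracked_s, work_s = attack_salted(salted, WORDLIST)
    return cracked_u, work_u, cracked_s, work_s
```

Both attacks still crack the two weak passwords, which is the slide's remaining problem: salt and iteration multiply the attacker's cost, they do not rescue a password that is in the wordlist. Raising ITERATIONS raises the cost of every guess for the attacker and the legitimate check alike, so it is tuned to what the login path can afford.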
  • 73. Two Big Problems Remaining: 1. Users are still morons
  • 74. Two Big Problems Remaining: 1. Users are still morons. (Solving this is outside the scope of this class.) GAO Audit of IRS (2005): Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.
  • 75. Two Big Problems Remaining: 2. Transmitting the password to petitions.gov over an insecure channel. How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit the password?
  • 76. Plan for Next Week. Solving these problems using asymmetric cryptography: public key cryptosystems; digital signatures; public key protocols (TLS). Open to requests! evans@virginia.edu, MightBeEvil.com/crypto