Computer Network Security exam theory
Type: Notes
Cryptography and Security differ: Cryptography deals with the secrecy of information, while Security deals with problems of fraud, such as message modification or user authentication. Security may use Cryptography, and encryption doesn’t live alone without some form of authentication. We will call:
A Threat is a menace, a source of danger; an Exploit instead is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability to cause unintended or unanticipated behaviour on a computer. The communication model is:
A Threat (attack) model instead is:
The Adversary can be Passive, meaning that it only reads the exchanged messages (without changing them), or Active, meaning that it can modify the messages between Alice and Bob, or can send fake messages claiming that they have been sent by someone else (Alice or Bob). The passive adversary model is also called Packet Sniffing, while the active adversary model is also called IP Spoofing, in which T is able to forge messages that look like messages sent by A or B by
The proof is done by contradiction:
We have several different attack models like:
The idea is that Alice and Bob share:
There are two different approaches, Stream Cipher and Block Cipher:
The idea is to try to simulate the one-time pad, so we define a secret key called the Seed, and we use the seed to generate a byte stream called the Keystream:
In a synchronous stream cipher the keystream is generated independently of the plaintext and the ciphertext. So for a synchronous stream cipher we have:
A5 is an encryption algorithm (1987) used to provide over-the-air communication privacy in the GSM cellular telephone standard. Initially it was kept secret, but the general design was leaked in 1994 and the algorithms were entirely reverse engineered in 1999.
RC4, or Ron’s Code, was an easy-to-program, fast and very popular algorithm, considered safe between 1987 and 1994, in which we have:
Algorithm RC4 Init
    j = 0; S_0 = 0, S_1 = 1, ..., S_255 = 255;
    assume a key of 256 bytes k_0, ..., k_255 (if the key is shorter, repeat it);
    for i = 0 to 255 do:
        j = (j + S_i + k_i) mod 256;
        exchange S_i and S_j;
AES, or Advanced Encryption Standard, is a symmetric block cipher with a block size of 128 bits and key lengths of 128, 192 or 256 bits that uses finite field algebra; now have fun with a pile of mathematical formulas and almost useless concepts:
n a? Only D’Amore knows; we spent two days wondering why he used this notation), we say that a is of order n if n·a = 0 (a added to itself n times gives 0):
Z_m is the set of natural numbers congruent modulo m to the numbers from 0 to m − 1; Z_m* is the subset of Z_m containing only the numbers coprime with m (two numbers are coprime if they have no common divisor apart from 1); Euler’s totient function is the function that returns the number of integers between 1 and m that are coprime with m, e.g. φ(8) = 4 because 1, 3, 5, 7 are coprime with 8. Now finally AES, which is a symmetric block cipher with key lengths of 128, 192 or 256 bits, and it is resistant to all known attacks. It’s simple and fast, so it’s very good for devices with limited computing power. When the input and output block length is 128 bits, the State of 128 bits can be arranged as a 4-by-4 matrix of bytes: 128 because we have 16 elements in the matrix and each element is a byte of 8 bits (16 · 8 = 128).
When we have a key length of 128, 192 or 256 bits, the Cipher Key Layout is arranged in a 4-by-(n/32) matrix of bytes (where n = 128, 192, 256 bits, giving 4, 6 or 8 columns):
The algorithm at a high level (without the details, which we will see later) is:
Algorithm High-level AES
    AES(State, Key):
        KeyExpansion(Key, ExpandKey);
        AddRoundKey(State, ExpandKey[0]);
        for (i = 1; i < R; i++) do:
            Round(State, ExpandKey[i]);
        FinalRound(State, ExpandKey[R]);
This code is repeated for each block of the plaintext (each block is 128 bits). We start with a key of 128 bits, but before the rounds start (there are 10 of them), since we don’t want to use the same 128-bit key in every round, we expand the key so that each round gets a different 128-bit round key. The encryption follows this scheme:
We can see that every state is obtained by encrypting the state of the previous round with the expanded key of the current round. 128-bit AES uses 10 rounds, in which the 128-bit secret key is expanded into 10 round keys of 128 bits each. Each round changes the state, then we XOR in the round key; with longer keys we add one round for every extra 32 bits of key. Now we will see in detail what happens in each single round. We start from the assumption that the plaintext to encrypt is divided into states of 128 bits, and each state can be arranged as a 4 × 4 matrix of bytes. We transform the state by applying:
The Substitution operates on every byte separately: A_{i,j} ← A_{i,j}^{-1}, so we apply a transformation in place on every single byte; the operation is the multiplicative inverse in GF(2^8), which is highly non-linear. If A_{i,j} = 0 then A_{i,j} is left unchanged. It’s important to note that the substitution is invertible.
We shift each element of each row to the right: by 0 positions for the first row, 1 for the second row, 2 for the third row, 3 for the fourth row. This shift is invertible.
In the Mix Columns operation every state column is considered as a polynomial over GF(2^8), and we multiply it by the invertible polynomial 03·x^3 + 01·x^2 + 01·x + 02 (mod x^4 + 1); its inverse is 0B·x^3 + 0D·x^2 + 09·x + 0E.
The Key Expansion instead generates a different key per round, and needs a 4 × 4 matrix of bytes per round. It’s based on a non-linear transformation of the original key.
Breaking 1 or 2 rounds of AES is easy, it is actually not known how to break 5 rounds, and breaking the full 10 rounds efficiently is considered impossible.
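The byte-level math behind the Substitution and Mix Columns steps above, as an added Python example (not the notes’ code): GF(2^8) multiplication with the AES polynomial, the multiplicative inverse used by the substitution, and the column multiplication by 03·x^3 + 01·x^2 + 01·x + 02 together with its inverse 0B·x^3 + 0D·x^2 + 09·x + 0E. It follows the notes’ reading of the substitution as just the inverse; the real AES S-box additionally applies a fixed affine map.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce by the AES polynomial when x^8 appears
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a); 0 stays 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def sub_bytes(state):
    """The notes' substitution: replace every entry of the 4x4 state by its inverse."""
    return [[gf_inv(b) for b in row] for row in state]

MIX = (0x02, 0x03, 0x01, 0x01)      # 03x^3 + 01x^2 + 01x + 02 as the first row of the circulant
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)  # 0Bx^3 + 0Dx^2 + 09x + 0E

def mix_column(col, coeffs=MIX):
    """Multiply the column polynomial by c(x) mod x^4+1: a 4x4 circulant matrix over GF(2^8)."""
    return [gf_mul(coeffs[0], col[i]) ^ gf_mul(coeffs[1], col[(i + 1) % 4])
            ^ gf_mul(coeffs[2], col[(i + 2) % 4]) ^ gf_mul(coeffs[3], col[(i + 3) % 4])
            for i in range(4)]

def inv_mix_column(col):
    return mix_column(col, INV_MIX)

def mix_columns(state):
    """Apply mix_column to each of the four columns of a row-major 4x4 state."""
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]
```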
Block ciphers operate on blocks of fixed length, but messages can be of any length, and encrypting the same plaintext under the same key always produces the same output. Several modes of operation have been invented which allow block ciphers to provide confidentiality for messages of arbitrary length.
ECB, or Electronic Code Book, is the mode in which we encrypt each plaintext block separately; it is very simple and efficient, and it can also be implemented in parallel. It doesn’t conceal plaintext patterns, and it is open to active attacks: the plaintext can be manipulated by removing, repeating or interchanging blocks.
We can see that the last plaintext block P_n* is not a full block of 128 bits (our block is made of n bits), so we fill the block with zeros, and the XOR with the previous ciphertext block effectively involves only its first bits, those covering P_n*; write C_{n−1} = [C*_{n−1} | C**_{n−1}], where C*_{n−1} has the length of P_n*. So during decryption the last block will be
    [P_n* ⊕ C*_{n−1} | C**_{n−1}]
and, in order to get the original plaintext, the result is XORed with C_{n−1}; in this way we obtain:
    [P_n* ⊕ C*_{n−1} | C**_{n−1}] ⊕ [C*_{n−1} | C**_{n−1}] = [P_n* | 000000...]
PCBC is designed to extend or propagate a single bit error both in encryption and decryption (before, a bit error would propagate and change the whole message; here only a bit). Here the current plaintext block (i) is XORed, before encryption, with plaintext_{i−1} ⊕ ciphertext_{i−1}. In decryption the same procedure happens, but the XOR happens after the decryption; since the decryption of a block needs the plaintext of the previous block, it is no longer possible to do it in parallel as in CBC.
On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this doesn’t affect the decryption of the subsequent blocks (this doesn’t happen in CBC). Writing I_i = P_{i−1} ⊕ C_{i−1} for the value XORed into block i after decryption:
    P_{i+1} = D_k(C_{i+1}) ⊕ I_{i+1};
    P_i = D_k(C_i) ⊕ I_i;
    P_{i+1} = D_k(C_{i+1}) ⊕ C_i ⊕ D_k(C_i) ⊕ I_i   (substituting I_{i+1} = P_i ⊕ C_i)
so the value carried into block i+2, I_{i+2} = P_{i+1} ⊕ C_{i+1} = D_k(C_{i+1}) ⊕ C_{i+1} ⊕ D_k(C_i) ⊕ C_i ⊕ I_i, is symmetric in C_i and C_{i+1}: exchanging the two blocks garbles P_i and P_{i+1} but leaves every later block intact.
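The CBC and PCBC chaining and the block-exchange argument above, as an added Python example (not from the notes): a constructed toy Feistel cipher stands in for AES so that it runs offline, swap_adjacent models the exchange of two adjacent ciphertext blocks, and intact_blocks shows which plaintext blocks survive in each mode.

```python
import hashlib

BLOCK = 16  # block size in bytes (the notes' n = 128 bits)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Constructed 4-round Feistel cipher on 16-byte blocks, a stand-in for AES
    so the modes run offline; decryption runs the rounds in reverse order."""
    left, right = block[:8], block[8:]
    rounds = range(4)
    if decrypt:
        left, right, rounds = right, left, reversed(rounds)
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return right + left if decrypt else left + right

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def chain_encrypt(key: bytes, iv: bytes, pt: bytes, pcbc: bool = False) -> bytes:
    """CBC: C_i = E(P_i XOR C_{i-1}). PCBC: C_i = E(P_i XOR P_{i-1} XOR C_{i-1})."""
    out, chain = [], iv
    for p in blocks(pt):
        c = toy_block(key, xor(p, chain))
        out.append(c)
        chain = xor(p, c) if pcbc else c
    return b"".join(out)

def chain_decrypt(key: bytes, iv: bytes, ct: bytes, pcbc: bool = False) -> bytes:
    """Inverse of chain_encrypt: the XOR happens after the block decryption."""
    out, chain = [], iv
    for c in blocks(ct):
        p = xor(toy_block(key, c, decrypt=True), chain)
        out.append(p)
        chain = xor(p, c) if pcbc else c
    return b"".join(out)

def swap_adjacent(ct: bytes, i: int) -> bytes:
    """Exchange ciphertext blocks i and i+1 (the reordering discussed in the notes)."""
    b = blocks(ct)
    b[i], b[i + 1] = b[i + 1], b[i]
    return b"".join(b)

def intact_blocks(pt: bytes, decrypted: bytes) -> list:
    """Per-block view of which plaintext blocks survived the reordering."""
    return [a == b for a, b in zip(blocks(pt), blocks(decrypted))]
```

The IV here is a fixed constant only so the test is reproducible; as the notes say later, a real IV must never be reused with the same key.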
CFB is similar to CBC but turns a block cipher into an asynchronous stream cipher, so it supports some re-synchronization after an error if the input to the encryptor is fed through a shift register. In the encryptor the plaintext is XORed after applying the encryption (in CBC we do it before). Since the XOR is done after the encryption we no longer need to pad the last block with zeros when the plaintext size is not a multiple of the block size:
Decryption can be done in parallel since, in order to obtain a plaintext block, I only need the current ciphertext block and the previous one. If there is an error in the output of the encryption algorithm it will not propagate to all the other blocks, since it only affects the current XOR and the decryption of the next block. So CFB has two advantages over CBC: the block cipher is only ever used in the encryption direction, and the message doesn’t need to be padded to a multiple of the cipher block size.
When we want to use CFB with a shift register, we start by initializing a shift register the size of the block with the initialization vector; this is encrypted with the block cipher and the highest s bits of the result are XORed with s bits of the plaintext to produce s bits of ciphertext, which are then shifted into the register, and the process is repeated for the next s bits of plaintext. Decryption is similar: we start with the initialization vector, encrypt it and XOR the high bits of the result with s bits of the ciphertext to produce s bits of plaintext, then we shift the s bits of ciphertext into the shift register and encrypt again:
CTR, or Integer Counter Mode, turns a block cipher into a stream cipher: it generates the next keystream block by encrypting successive values of a counter. The counter can be any function that produces a sequence guaranteed not to repeat for a long time. It has similar characteristics to OFB but also allows random access during decryption, so it is well suited to operation on a multi-processor machine where blocks can be encrypted in parallel. The generation of each ciphered block is independent of any other block since we use a different seed for each block.
As with OFB, we have problems if we repeat the seed. With CTR we can decrypt the message starting from block i for any i, since we don’t need to decrypt from the first block.
2.2.8 Initialization Vector
Most modes (except ECB) require an Initialization Vector, or IV, a sort of dummy block used to kick off the process for the first real block. It doesn’t need to be secret in most cases, but it’s important that it is never reused with the same key: in CBC and CFB, reusing the IV leaks some information about the first block of plaintext. In CBC mode the IV must be unpredictable at encryption time. For OFB and CTR, reusing an IV completely destroys security.
2.2.9 Strengthening a cipher
There are two ways to strengthen a cipher:
Since the goal of the adversary is to find the secret key, double DES cannot be used: if we have a double cipher with two different keys, the adversary can use the meet-in-the-middle attack. In fact, if plaintext/ciphertext pairs are known, we have 2^n encryptions and 2^n decryptions for two keys of n bits, so it’s possible to try all possible 2^n encryptions of the plaintext and all possible 2^n decryptions of the ciphertext. In other words, the presence of two different keys is represented as a function h(x) = g(f(x)), and the meet-in-the-middle attack tries to match the image of the domain under f with the pre-image of the co-domain under g; so while initially you would think there are 2^{2n} keys, in reality the attacker makes on the order of 2^n attempts: assuming the adversary knows some ciphertexts C and some plaintexts P, the attacker can in parallel encrypt P and decrypt C looking for matches, and when a match is found the key has been found.
It’s also possible to use triple encryption with CBC, and this can be done in two ways: external CBC, in which we use a triple encoding, or internal CBC, in which we have an encryption, then a decryption (with a different key), then another encryption.
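The meet-in-the-middle argument above carried out on a constructed toy cipher, as an added Python example (not from the notes): 16-bit blocks and 12-bit keys keep the key space small, and both keys of the double cipher h(x) = g(f(x)) are recovered with 2^12 encryptions plus 2^12 decryptions rather than 2^24 trials of key pairs, which is why the notes move to triple encryption.

```python
MASK = 0xFFFF          # 16-bit blocks
KEY_BITS = 12          # toy key size: 2^12 single keys, 2^24 pairs for the double cipher
MULT = 0x9E37          # odd, so multiplication mod 2^16 is invertible
INV_MULT = next(i for i in range(1, 1 << 16, 2) if (i * MULT) & MASK == 1)

def rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK

def toy_encrypt(key: int, block: int) -> int:
    """Constructed toy block cipher (4 rounds of xor-key, multiply, rotate); not a real cipher."""
    x = block
    for r in range(4):
        x ^= (key + 0x1111 * r) & MASK
        x = (x * MULT) & MASK
        x = rotl16(x, 5)
    return x

def toy_decrypt(key: int, block: int) -> int:
    """Undo the rounds in reverse order."""
    x = block
    for r in reversed(range(4)):
        x = rotl16(x, 11)
        x = (x * INV_MULT) & MASK
        x ^= (key + 0x1111 * r) & MASK
    return x

def double_encrypt(k1: int, k2: int, block: int) -> int:
    """The double cipher h(x) = g(f(x)) of the notes, with two independent keys."""
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.
    Work: 2^n encryptions of P plus 2^n decryptions of C, not 2^(2n) trials of both keys."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):            # image of P under every f key
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << KEY_BITS):            # pre-image of C under every g key
        for k1 in forward.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2                  # candidate confirmed on the extra pairs
    return None
```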
The goal is to ensure the integrity of messages even in the presence of an active adversary who sends messages of their own. It’s important to note that authentication is orthogonal to secrecy (they are independent of each other), so the secrecy of a message does not imply that the sender of the message is actually the one you think you are communicating with.
The authentication algorithm is called A, the verification algorithm is called V (accept/reject), the authentication key is k, and the message space is usually the set of binary strings. Every message between Alice and Bob is a pair (m, A_k(m)), where A_k(m) is called the authentication tag of m. The authentication algorithm is called a MAC, Message Authentication Code; in fact A_k(m) is frequently denoted MAC_k(m), and verification is done by running the authentication on m and comparing the result with the received MAC_k(m). The security requirement is that the adversary can’t construct a new legal pair (m, MAC_k(m)) even after seeing pairs (m_i, MAC_k(m_i)). The output should be as short as possible, and the MAC function is not 1-to-1.
The adversary knows the MAC algorithm, knows plaintext pairs (m, MAC_k(m)), and may use chosen plaintext (unrealistic): choose m and get MAC_k(m). The goal is, given n legal pairs, to find a new