Computer and network security, lecture notes in Information Systems Security

A course on computer and network security, with an overview of symmetric and asymmetric ciphers, hash functions, random and prime numbers. The main symmetric and asymmetric encryption algorithms, such as AES and RSA, and their properties are described. Cryptographic standards such as PKCS#1 and hash functions such as SHA-1 and SHA-3 are also presented. Useful for computer science and computer engineering students who want to deepen their knowledge of computer and network security.

Type: Lecture notes

2020/2021

On sale since 15/07/2022

Computer and Network Security
Matteo Marinacci
Academic Year 2021-2022


Contents

  • 1 Introduction
  • 2 Symmetric Ciphers
    • 2.1 One-Time-Pad (OTP)
    • 2.2 Stream Ciphers
      • 2.2.1 A5/1 (GSM) and LFSR
      • 2.2.2 RC-4, Ron’s Code (or Rivest Cipher 4)
    • 2.3 Block Ciphers
      • 2.3.1 Electronic Code Block (ECB)
      • 2.3.2 Cipher Block Chaining (CBC)
      • 2.3.3 Propagation Cipher Block Chaining (PCBC)
      • 2.3.4 Cipher FeedBack (CFB)
      • 2.3.5 Output FeedBack (OFB)
      • 2.3.6 Counter Mode (CTR)
      • 2.3.7 Initialization vector and operation modes
      • 2.3.8 Data encryption standard (DES)
    • 2.4 Advanced Encryption Standard (AES)
      • 2.4.1 Byte Substitution Layer
      • 2.4.2 Diffusion Layer
      • 2.4.3 Key Addition Layer
      • 2.4.4 Key Schedule
      • 2.4.5 Decryption
  • 3 Asymmetric Ciphers
    • 3.1 Diffie and Hellman (DH) Algorithm for Key Exchange
      • 3.1.1 Small subgroup confinement attack
      • 3.1.2 DH is secure?
      • 3.1.3 Elgamal Encryption Scheme
    • 3.2 RSA
      • 3.2.1 RSA encryption
      • 3.2.2 RSA decryption
      • 3.2.3 RSA key generation
      • 3.2.4 RSA properties
      • 3.2.5 RSA correctness
      • 3.2.6 Is RSA secure?
      • 3.2.7 PKCS#1: RSA Cryptography Standard
  • 4 Hash Functions
    • 4.1 Birthday Paradox
    • 4.2 Real World Cryptographic Hash Functions
      • 4.2.1 SHA-1
      • 4.2.2 SHA-3
  • 5 Random and Prime Numbers
    • 5.1 BSI Evaluation Criteria
    • 5.2 Finding Large Random Primes
  • 6 Message Authentication Code
    • 6.1 Message Authentication Code (MAC)
      • 6.1.1 Properties of Message Authentication Codes
      • 6.1.2 Security Requirement
      • 6.1.3 Adversary Model
      • 6.1.4 Implementing MAC
    • 6.2 Authenticated Encryption (AE)
      • 6.2.1 Encrypt-then-MAC (EtM)
      • 6.2.2 Encrypt-and-MAC (E&M)
      • 6.2.3 MAC-then-Encrypt (MtE)
      • 6.2.4 Authenticated Encryption with Associated Data (AEAD)
    • 6.3 Galois Counter Mode (GCM)
  • 7 Digital Signatures
    • 7.1 Digital Signature Forgery
      • 7.1.1 Universal Forgery
      • 7.1.2 Selective Forgery
      • 7.1.3 Existential Forgery
    • 7.2 How to implement a DS scheme based on a PK scheme?
      • 7.2.1 Signing using private key
      • 7.2.2 PKCS#1 Digital Signature
      • 7.2.3 Elgamal Signature Scheme
      • 7.2.4 The Digital Signature Algorithm (DSA)
      • 7.2.5 Elliptic curves vs Digital Signatures
    • 7.3 Timestamping a document
    • 7.4 Two or more parties signing the same document?
    • 7.5 Common Applications of digital signatures
  • 8 Authentication
    • 8.1 Authentication through Passwords
      • 8.1.1 Dictionary Attack
      • 8.1.2 Additional problems of hashed passwords
      • 8.1.3 Salted Passwords
      • 8.1.4 Remote authentication
      • 8.1.5 Lamport’s Hash
      • 8.1.6 Strong Password Protocols
    • 8.2 Authentication protocols based on a shared secret
      • 8.2.1 Challenge/response based on shared secret
      • 8.2.2 Use of a timestamp to limit replay attacks
      • 8.2.3 Mutual Authentication
      • 8.2.4 Real-world protocols
      • 8.2.5 Practical problem of sharing a secret with each entity
    • 8.3 Authentication protocols based on a trusted party
      • 8.3.1 MITM attack, authentication with a trusted party
      • 8.3.2 Authentication with a trusted party (revised)
      • 8.3.3 MITM attack, authentication with a trusted party (revised)
      • 8.3.4 Needham-Schroeder (NS) symmetric protocol
      • 8.3.5 NS replay attack (Denning and Sacco)
      • 8.3.6 How to prevent replay attacks?
    • 8.4 Standard Kerberos v4/v5
      • 8.4.1 Kerberos simplified version (some fixes later)
      • 8.4.2 Session key and Ticket-granting Ticket (TGT)
      • 8.4.3 Kerberos realms
    • 8.5 Authentication protocols based on public keys
      • 8.5.1 Needham-Schroeder public-key protocol
    • 8.6 Standard: X.509 (RFC 5280)
      • 8.6.1 X.509: one-way authentication
      • 8.6.2 X.509: two-way authentication
      • 8.6.3 X.509: three-way authentication
      • 8.6.4 Challenge-response: ISO/IEC 9798-3 Mutual authentication
      • 8.6.5 Public Key Infrastructure (PKI)
      • 8.6.6 X.509 Certificate
      • 8.6.7 X.509 Version
      • 8.6.8 OCSP
      • 8.6.9 What if we do not want to trust a centralized root CA?
  • 9 IPSec
    • 9.1 IPSecurity
      • 9.1.1 Benefits of IPSec
      • 9.1.2 Practical applications of IPSec
      • 9.1.3 Security features
      • 9.1.4 IPSec Services
      • 9.1.5 IPSec Architecture
      • 9.1.6 Services provided by AH and ESP protocols
    • 9.2 Security Associations
      • 9.2.1 Security Association Database (SADB)
      • 9.2.2 Multicast SA
      • 9.2.3 Security Policy Database (SPDB)
      • 9.2.4 SA selectors
      • 9.2.5 SADB vs SPDB
      • 9.2.6 Transport vs Tunnel Mode
      • 9.2.7 Authentication Header (AH)
      • 9.2.8 Encapsulating Security Payload (ESP)
      • 9.2.9 Combining Security Associations
      • 9.2.10 Authentication plus Confidentiality
      • 9.2.11 Key Management
  • 10 SSL/TLS
    • 10.1 SSL (Secure Socket Layer)
      • 10.1.1 SSL Architecture
      • 10.1.2 Sessions and Connections
      • 10.1.3 SSL Record Protocol
      • 10.1.4 Authentication: MAC
      • 10.1.5 Encoding methods
      • 10.1.6 SSL record
    • 10.2 Handshake protocol
      • 10.2.1 Phase
      • 10.2.2 Phase
      • 10.2.3 Phase
      • 10.2.4 Phase
      • 10.2.5 SSL Session Resumption
    • 10.3 SSL vs TLS
      • 10.3.1 Paying in the Web: SSL
      • 10.3.2 SSL/TLS: heartbeat and heartbleed
      • 10.3.3 POODLE attack
    • 10.4 SSH
  • 11 Firewall
    • 11.1 Firewall Types
      • 11.1.1 Packet Filtering
      • 11.1.2 FTP Packet Filter
      • 11.1.3 Weaknesses of Packet Filters
      • 11.1.4 Fragmentation Attacks
      • 11.1.5 Limitation of Stateless Filtering
      • 11.1.6 Session Filtering
    • 11.2 Iptables
      • 11.2.1 Built-in chains
      • 11.2.2 Tables
      • 11.2.3 Targets
      • 11.2.4 Iptables extended modules
      • 11.2.5 Adding a new rule
    • 11.3 Firewall: examples
      • 11.3.1 Example
      • 11.3.2 Example
      • 11.3.3 Example
      • 11.3.4 Example
      • 11.3.5 Example
      • 11.3.6 Example
      • 11.3.7 Example
      • 11.3.8 Example
      • 11.3.9 Example
      • 11.3.10 Example
      • 11.3.11 Example
      • 11.3.12 Iptables administration
    • 11.4 Firewalls: other approaches
      • 11.4.1 Circuit-Level Gateway
      • 11.4.2 Application-Level Gateway
    • 11.5 Web Application Firewall: e.g., modsecurity (open source)
      • 11.5.1 WAF: practical issues
    • 11.6 Comparison
    • 11.7 Other firewalls’ operations
    • 11.8 Firewall: where to place it
    • 11.9 Bastion Host
    • 11.10 Protecting Addresses and Routes
    • 11.11 General problems with Firewalls
  • 12 Shamir’s Secret Sharing
    • 12.1 Sharing a Secret
      • 12.1.1 Sharing S with n subjects
    • 12.2 Shamir Secret Sharing (SSS)
      • 12.2.1 Introducing a third party
  • 13 Access Control
    • 13.1 Access Control Mechanism
      • 13.1.1 Object
      • 13.1.2 Subject
    • 13.2 Access Operations - Access Modes
    • 13.3 Access Permissions
      • 13.3.1 Object Hierarchy
      • 13.3.2 Role Hierarchy
      • 13.3.3 Group Hierarchy
      • 13.3.4 Access Mode Hierarchy
      • 13.3.5 Groups and Negative Permissions
      • 13.3.6 Ownership and Administration
    • 13.4 Access Control Structures
    • 13.5 Basic Operations in Access Control
  • 14 Access Control Models
    • 14.1 DAC
      • 14.1.1 DAC: The HRU Model
      • 14.1.2 The HRU Model, Primitive Operations
      • 14.1.3 The HRU Model, Commands
      • 14.1.4 The HRU Model, Protection Systems
      • 14.1.5 The HRU Model, States
      • 14.1.6 The HRU Model, Safety of States
      • 14.1.7 The HRU Model, Safety
      • 14.1.8 The HRU Model, An example of unsafe protection system
      • 14.1.9 The HRU Model, Concluding Remarks
      • 14.1.10 Other Models
      • 14.1.11 DAC models, DBMS vs OS
      • 14.1.12 The Trojan Horse
    • 14.2 MAC
      • 14.2.1 Bell and LaPadula Model
      • 14.2.2 BLP Model, access classes
      • 14.2.3 BLP Model, examples
      • 14.2.4 BLP Model, Axioms
      • 14.2.5 Bell and LaPadula Model Summary
      • 14.2.6 Problem
      • 14.2.7 Bell and LaPadula final thoughts
      • 14.2.8 Covert Channels
      • 14.2.9 Covert Channels, example
      • 14.2.10 Covert Channels, 2PL
  • 15 Mathematical Background
    • 15.1 Modulo Operator
    • 15.2 Algebraic Structures
      • 15.2.1 Group
      • 15.2.2 Ring
      • 15.2.3 Field
      • 15.2.4 Finite fields (or Galois Fields)
    • 15.3 Euclidean Algorithm
    • 15.4 Extended Euclidean Algorithm
    • 15.5 Euler’s Phi Function (or Totient Function)
    • 15.6 Fermat’s Little Theorem
    • 15.7 Euler’s Theorem
    • 15.8 Chinese Remainder Theorem (CRT)
    • 15.9 Order of an Element
    • 15.10 Cyclic Group
    • 15.11 Discrete Logarithm Problem (DLP) on $\mathbb{Z}_p^*$
    • 15.12 Integer Factorization Problem (IFP)

1 Introduction

  • Security: freedom from, or resilience against, potential harm caused by others.
  • Safety: protection from unintentional accidents.
  • Physical security: prevents unauthorized access to facilities and resources.
  • Logical security: involves software safeguards (a subset of computer security); it includes information security.
  • Computer security, also known as cybersecurity: the security of computing devices such as computers and smartphones, as well as of computer networks (private and public) and the Internet.
  • Cryptography: provides some of the building blocks for implementing computer security.
  • Cryptanalysis: the study of cryptosystems to learn their properties and to break them (attacks and proofs of correctness).

Building blocks are used to offer security services:

  • Confidentiality: information is kept secret from all except authorized parties; ciphers are designed to offer this.
  • Data Integrity: information is not tampered with while in transit; crucial for ensuring that data has not been altered by a third party (cryptographic hash functions offer this).
  • Availability: the system or the information is reliably available to the end users.
  • Message Authentication: the sender/creator of the message is authentic (digital signature).
  • Entity Authentication (identification): establish and verify the identity of an entity (passwords and multi-factor authentication).
  • Non-repudiation: the sender of a message cannot deny having created the message.

Terminology:

  • Encryption function $E$
  • Decryption function $D$ or $E^{-1}$
  • Encryption key $k_1$
  • Decryption key $k_2$
  • Key space is the number of bits used for keys
  • Message space is the number of bits used for messages
  • $m = D_{k_2}(E_{k_1}(m))$
  • When $k_1 = k_2$ the scheme is symmetric
  • When $k_1 \neq k_2$ the scheme is asymmetric
  • The message $m$ is called plaintext, the encrypted $m$ is called ciphertext

In our communication model we have three entities: two legitimate parties (Alice and Bob) and an intruder (Trudy or Oscar). The intruder can be:

2 Symmetric Ciphers

Our communication model is composed of two hosts that want to communicate through a reliable but insecure channel, and an intruder. The first host encrypts the message with a key, $y = E_k(x)$, and the second host decrypts it, $x = D_k(y)$; we assume that the symmetric key $k$ is exchanged through a secure channel. Two examples of ciphers:

  • Shift cipher (Caesar’s cipher): the main idea is to shift the letters of the alphabet by $k$ positions (when $k = 13$ it is called ROT13):

    $y_i = E_k(x_i) = (x_i + k) \bmod 26$, $x_i = D_k(y_i) = (y_i - k) \bmod 26$

    With a brute force attack this method is easily breakable (try the values of $k$ in $[0, 26]$).

  • Substitution cipher: the main idea is to map each letter to a different letter ($k$ is the mapping, chosen randomly). Against a brute force attack this method seems secure (there are $26! \approx 2^{88}$ mappings to try); instead, using letter frequency analysis, we exploit the fact that the statistical properties of the text are not affected by the substitution (looking at pairs and triples of letters breaks the entire algorithm).

Analyzing the previous ciphers we understood that key space should be large to avoid brute force and ciphers should hide the statistical properties of the encrypted plaintext (ciphertext symbols should appear to be random).

Perfect cipher: given a plaintext space $\{0,1\}^n$, $D$ known, and a ciphertext $y$, the probability that there exists a key $k$ such that $D_k(y) = x$, for any plaintext $x$, is equal to the a priori probability that $x$ is the plaintext, $\Pr[x|y] = \Pr[x]$; in other words, the ciphertext does not reveal any information about the plaintext:

$\Pr[x|y] = \Pr[x \wedge y]/\Pr[y]$ (conditional probability)
$\Pr[x \wedge y] = \Pr[x|y]\Pr[y] = \Pr[y|x]\Pr[x]$ (Bayes)
$\Pr[x \wedge y] = \Pr[x]\Pr[y]$ (perfect cipher, since $\Pr[x|y] = \Pr[x]$)

Then we can state that $\Pr[x]\Pr[y] = \Pr[y|x]\Pr[x] \Rightarrow \Pr[y] = \Pr[y|x]$.

2.1 One-Time-Pad (OTP)

We have a plaintext space $\{0,1\}^n$, a key space $\{0,1\}^n$, a symmetric scheme (the key is chosen using a True Random Number Generator (TRNG)), and the key is used only once (each message is encrypted with a different key):

$y = E_k(x) = x \oplus k$, $x = D_k(y) = y \oplus k = (x \oplus k) \oplus k = x \oplus (k \oplus k) = x \oplus 0 = x$

OTP is a perfect cipher. Practical problems: $|k| = |x|$, it requires a TRNG, and the key must be changed for each message. We need a different key for each message because if the intruder gets two ciphertexts encrypted with the same key and combines them, he obtains a combination of the original messages (without the encryption). If $|k| < |x|$ we cannot have a perfect cipher (Shannon’s Theorem). Proof by contradiction: $2^{|k|} < 2^{|x|}$; take a ciphertext $y_0$ with $\Pr[y_0] > 0$ (the ciphertext must exist); let $S = \{D_k(y_0) : k \in K\}$, where $K$ is the set of all possible keys; since $|S| \le |K| = 2^{|k|} < 2^{|x|}$, $\exists\, x$ such that $x \notin S$, so $\forall k \in K : E_k(x) \neq y_0 \Rightarrow \Pr[y_0|x] = 0$, which for a perfect cipher ($\Pr[y_0] = \Pr[y_0|x]$) means $\Pr[y_0] = 0$, a contradiction.

To implement symmetric ciphers there are two main approaches:

  • Stream ciphers, inspired by OTP: given a secret key, generate a stream of bits called keystream, of the same length as the message, and encrypt/decrypt the bits of $x$ individually with a XOR against the keystream (as in OTP).
  • Block ciphers: split the message $x$ into blocks of fixed size and encrypt/decrypt each block, with different operation modes.

2.2 Stream Ciphers

Given a plaintext $x$ ($x_i$ is the $i$-th bit of $x$) and a keystream $s$ (where $|x| = |s|$ and $s_i$ is the $i$-th bit of $s$):

$y_i = E_{s_i}(x_i) = x_i \oplus s_i = x_i + s_i \bmod 2$ (addition mod 2 is equal to the XOR)
$x_i = D_{s_i}(y_i) = y_i \oplus s_i = y_i + s_i \bmod 2$

A stream cipher is called synchronous when $s_i$ is a function of the key only, asynchronous when $s_i$ is a function of the key and of previous bits of $y$. The cipher must provide the keystream generator.

2.2.1 A5/1 (GSM) and LFSR

Based on three Linear Feedback Shift Registers (LFSR). Each LFSR is composed of flip-flops (each can store 1 bit of information). When CLK=1 the FF stores its input IN, and it emits the stored value on OUT (even when CLK=0); $p_i$ enables/disables the feedback line (switch variable).

Assuming an LFSR with $m = 3$, $p_0 = p_1 = 1$, $p_2 = 0$, the output sequence has length $2^3 - 1$ (after that the sequence repeats), with $s_{i+3} = s_{i+1} + s_i \bmod 2$, where $FF_0 = s_i$; more in general:

$s_{i+m} = \sum_{j=0}^{m-1} p_j \cdot s_{i+j} \bmod 2$, with $p_j \in \{0, 1\}$, $s_i \in \{0, 1\}$
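As an added example (my own code, not part of the notes), the LFSR recurrence above implemented generically, run with the notes’ parameters $m = 3$, $p_0 = p_1 = 1$, $p_2 = 0$ (period $2^3 - 1 = 7$), the stream cipher built on it, and a check of the OTP section’s warning that reusing a keystream leaks $x_1 \oplus x_2$; all function names are mine.

```python
def _check(seed, taps):
    # Constructed sanity checks: the register must be non-zero, and p_0 must be
    # 1 or the state map is not a permutation and the sequence never cycles back.
    if len(seed) != len(taps) or not any(seed):
        raise ValueError("seed/taps length mismatch or all-zero seed (output stuck at 0)")
    if taps[0] != 1:
        raise ValueError("p_0 must be 1, otherwise the register does not cycle back")


def _step(state, taps):
    # One clock tick: shift left and feed back s_{i+m} = sum_j p_j * s_{i+j} mod 2
    # into the last flip-flop. state[0] is FF_0 and holds the output bit s_i.
    new_bit = sum(p * s for p, s in zip(taps, state)) % 2
    return state[1:] + [new_bit]


def lfsr_keystream(seed, taps, nbits):
    """nbits of keystream s_0, s_1, ... from an m-bit LFSR.

    seed: initial register contents [s_0, ..., s_{m-1}]
    taps: feedback switches [p_0, ..., p_{m-1}], each in {0, 1}
    """
    _check(seed, taps)
    state, out = list(seed), []
    for _ in range(nbits):
        out.append(state[0])
        state = _step(state, taps)
    return out


def lfsr_period(seed, taps):
    """Clock ticks until the register returns to its seed, i.e. the length of
    the output sequence before it repeats (2^m - 1 at best, as in the notes)."""
    _check(seed, taps)
    state, ticks = _step(list(seed), taps), 1
    while state != list(seed):
        state, ticks = _step(state, taps), ticks + 1
    return ticks


def to_bits(data):
    return [(byte >> (7 - b)) & 1 for byte in data for b in range(8)]


def to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def stream_xor(data, seed, taps):
    """Encrypt or decrypt: y_i = x_i xor s_i (the same function does both)."""
    bits = to_bits(data)
    keystream = lfsr_keystream(seed, taps, len(bits))
    return to_bytes([x ^ s for x, s in zip(bits, keystream)])


def keystream_reuse_leak(x1, x2, seed, taps):
    """Why the key (here the seed) must never be reused: y1 xor y2 = x1 xor x2,
    the keystream cancels and an observer learns the combination of the two
    plaintexts without knowing the key. Returns True if the leak holds."""
    y1 = stream_xor(x1, seed, taps)
    y2 = stream_xor(x2, seed, taps)
    return bytes(a ^ b for a, b in zip(y1, y2)) == bytes(a ^ b for a, b in zip(x1, x2))
```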

There are many operation modes, which will be described later. Properties common to cipher operations:

  • Confusion: each binary digit of the ciphertext should depend on several parts of the key. It hides the relationship between the ciphertext and the key (making the key hard to find), and if a single bit of the key is changed, most or all of the bits of the ciphertext are affected. It is achieved with substitution (AES, DES).
  • Diffusion: changing a single bit of the plaintext should change half of the bits in the ciphertext (and the converse holds). The idea is to hide the statistical properties of the plaintext; it is achieved with bit permutations (DES).

A concept connected to diffusion and confusion is the avalanche effect: very small changes in the plaintext lead to big changes in the ciphertext, and very small changes in the key lead to big changes in the ciphertext.

2.3.1 Electronic Code Block (ECB)

ECB is a simple and efficient operation mode, and its implementation can be parallelized. It does not conceal plaintext patterns.

An intruder can reorder the blocks; blocks can be replaced, removed and appended. Encrypting the same message twice generates the same ciphertext.

2.3.2 Cipher Block Chaining (CBC)

In this operation mode block $y_i$ depends on $y_{i-1}$, and the encryption is randomized using an IV. Encryption is not parallelizable (output $y_i$ depends on output $y_{i-1}$); decryption is parallelizable (output $x_i$ depends on input $y_{i-1}$). If one bit is flipped in $x_i$ then all subsequent blocks are affected. If one bit is flipped in $y_{i-1}$ then $x_{i-1}$ is affected in an unpredictable manner, while $x_i$ is affected in a predictable manner. This could be exploited by an attacker.

The initialization vector should be different for each message, otherwise an attacker can tell when we are encrypting the same message again. The IV can be made public. CBC can be seen as an asynchronous stream cipher. The message must be padded to a size that is a multiple of the block size (a block cipher can deal only with a fixed block size); this was true for ECB as well. There are two possible strategies: padding, which however increases the size, and ciphertext stealing.

Ciphertext stealing encryption:

  1. pad the last partial plaintext block with 0s;
  2. encrypt the whole padded plaintext using the standard CBC mode;
  3. swap the last two ciphertext blocks;
  4. truncate the ciphertext to the length of the original plaintext.

Ciphertext stealing decryption:

  1. swap the last two ciphertext blocks;
  2. decrypt the modified ciphertext using the standard CBC mode;
  3. truncate the plaintext to the length of the original ciphertext.

2.3.3 Propagation Cipher Block Chaining (PCBC)

PCBC is designed to propagate small changes to all subsequent blocks, both during encryption and decryption. However, if two adjacent ciphertext blocks are exchanged, the subsequent decrypted blocks are not affected.

2.3.4 Cipher FeedBack (CFB)

CFB is an asynchronous stream cipher: there is error propagation in encryption; encryption is not parallelizable; the encryption algorithm is used for both encryption and decryption; decryption is parallelizable; a one-bit error in a ciphertext block affects two plaintext blocks (the other blocks are fine); there is no need for padding.

There is no need for the IV to be secret, but it is important that it is never reused with the same key. For CBC and CFB reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. In CBC the IV must be unpredictable at encryption time. For OFB and CTR reusing an IV completely destroys security.

CBC with the PKCS#7 padding scheme: the value of each added byte is the number of bytes that are added. Is this approach still secure? Assume that an application uses this approach and, when decrypting a ciphertext provided by a user, returns only a return code (the plaintext is not revealed): KO if the padding scheme is not respected by the ciphertext (after decryption), or OK if the padding scheme is respected. Is it possible for an attacker to exploit this feedback from the application? The scenario where an application provides feedback about the validity of the padding of a message is called a padding oracle (hence padding oracle attack). Given a padding oracle it is possible to perform an attack able to reveal the plaintext or the secret key, even when the cipher is secure and the operation mode is secure.

We now consider an attack against CBC with the PKCS#7 scheme (a Chosen Ciphertext Attack, CCA). In CBC a block $x_i$ is encrypted as $y_i = E_k(x_i \oplus y_{i-1})$; decryption gives $x_i = D_k(y_i) \oplus y_{i-1} = D_k(E_k(x_i \oplus y_{i-1})) \oplus y_{i-1}$ and, assuming the cipher is correct, $x_i = x_i \oplus y_{i-1} \oplus y_{i-1}$. In the padding oracle attack we exploit this property of CBC by designing a new ciphertext with two blocks: we do not care about the decryption of the first ciphertext block, as we cannot learn anything from it even if the padding oracle gives us some feedback; we care about the decryption of the second ciphertext block, since we know how to manipulate it bitwise or blockwise thanks to the XOR, and the feedback from the padding oracle can be valuable.

Assume the attacker intercepts a ciphertext $y$ and has a padding oracle. Let $y_i[j]$ be the $j$-th byte of $y_i$. To decrypt a block $y_i$ with $i > 0$ he builds a new ciphertext $y'$ with two blocks, $y' = y'_0 \| y_i$; he chooses a random value for $y'_0$ and calls the padding oracle 256 times, each time setting the last byte of $y'_0$ to a different value in $[0, 255]$.
Internally the oracle computes $x'_i = D_k(y_i) \oplus y'_0$, that is $x'_i[j] = D_k(y_i)[j] \oplus y'_0[j]$, and checks whether the padding scheme is respected. Since we try all possible values for the last byte of $y'_0$, and due to how XOR works, we can expect at least one value for which the oracle answers OK, because $x'_i[j] = 1$ with $j$ the index of the last byte of the block: we get a decrypted block that is valid for the padding scheme (the last byte is one, meaning that there is one byte of padding and no other byte has to be checked). The oracle also answers OK when $x'_i[j-1] = 2$ and $x'_i[j] = 2$, or when $x'_i[j-2] = 3$, $x'_i[j-1] = 3$ and $x'_i[j] = 3$, and so on with similar patterns. Now the attacker can compute $x_i[j]$:

$x'_i[j] = D_k(y_i)[j] \oplus y'_0[j] = (x_i \oplus y_{i-1})[j] \oplus y'_0[j] = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$
$x_i[j] = x'_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$

We have $x'_i[j] = 1$ (after the brute force), $y_{i-1}[j]$ is known (a block of the ciphertext), and $y'_0[j]$ is known (chosen by the attacker), hence he can compute $x_i[j]$. At this point the attacker knows the last byte of the plaintext block $x_i$ and he can iterate this process to get the other bytes of the same block. To get the value of $x_i[j-1]$ the attacker has to build a ciphertext such that the last two bytes of the plaintext are equal to 2. He builds a new ciphertext $y'$ with two blocks, $y' = y'_0 \| y_i$, and he needs to find $y'_0$ such that $x'_i[j] = 2$ and $x'_i[j-1] = 2$,

so we have that:

$x'_i[j] = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$
$2 = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$
$y'_0[j] = 2 \oplus x_i[j] \oplus y_{i-1}[j]$

Hence the value of $y'_0[j]$ can be derived, since $x_i[j]$ is known from the previous step. To guess the right value for $y'_0[j-1]$ he tries 256 values; for one possible assignment of $y'_0[j-1]$ the oracle will confirm that the padding scheme is respected. Now the attacker can derive the value of $x_i[j-1]$:

$x'_i[j-1] = D_k(y_i)[j-1] \oplus y'_0[j-1] = (x_i \oplus y_{i-1})[j-1] \oplus y'_0[j-1] = x_i[j-1] \oplus y_{i-1}[j-1] \oplus y'_0[j-1]$
$x_i[j-1] = x'_i[j-1] \oplus y_{i-1}[j-1] \oplus y'_0[j-1]$

where $x'_i[j-1] = 2$, $y_{i-1}[j-1]$ is known (a block of the ciphertext), and $y'_0[j-1]$ is known (chosen by the attacker); this process can be repeated to recover the other bytes of the same block. After computing the last byte we can check whether our assumption on $x'_i[j]$ was correct (if it was not, we need to test another value). If the IV is sent as the first block of the ciphertext without any authentication we can still play the attack; however this is unlikely, and we cannot expect to recover the first block, as this attack requires controlling a ciphertext with at least two blocks. To prevent this attack we must not provide a padding oracle (no feedback after decryption).
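An added example (my own code, not from the notes) tying together the ECB, CBC, PKCS#7 and padding-oracle discussion: a toy 4-round Feistel block cipher with a SHA-256 round function stands in for AES so that nothing outside the standard library is needed, CBC mode and PKCS#7 are built on top of it, `cbc_bitflip_effect` checks the predictable/unpredictable effect of modifying a byte of $y_{i-1}$, and `etm_decrypt` shows the mitigation the notes ask for: encrypt-then-MAC (section 6.2.1) with one uniform failure, so the padding check never becomes an oracle. All names are mine; the Feistel stand-in is not a real cipher.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes of the stand-in cipher below

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function F, a keyed PRF built from SHA-256. F is not
    # invertible, which a Feistel network does not require; rnd plays k_i.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    # 4-round Feistel permutation on a 16-byte block (constructed stand-in for
    # AES/DES so the example runs offline; not a real cipher).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # same F, subkeys in reverse order
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK  # each pad byte holds the number of pad bytes
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # letting a caller see this is the padding oracle
    return data[:-n]

def ecb_encrypt(key, padded):  # equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))

def cbc_encrypt(key, iv, padded):
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))  # y_i = E_k(x_i xor y_{i-1})
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        y = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, y), prev)  # x_i = D_k(y_i) xor y_{i-1}
        prev = y
    return out

def cbc_bitflip_effect(key, iv, plaintext, j):
    # XOR byte j of y_0 with a mask and decrypt: x_1[j] changes by exactly the
    # same mask (predictable), while the whole of x_0 is scrambled.
    ct = bytearray(cbc_encrypt(key, iv, pkcs7_pad(plaintext)))
    ct[j] ^= 0x41
    pt = cbc_decrypt(key, iv, bytes(ct))
    expect_x1 = bytearray(pkcs7_pad(plaintext)[BLOCK:2 * BLOCK])
    expect_x1[j] ^= 0x41
    return pt[BLOCK:2 * BLOCK] == bytes(expect_x1), pt[:BLOCK] != plaintext[:BLOCK]

def etm_encrypt(enc_key, mac_key, plaintext):
    iv = secrets.token_bytes(BLOCK)  # fresh, unpredictable IV for every message
    ct = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_decrypt(enc_key, mac_key, msg):
    # Encrypt-then-MAC: the tag is verified (constant time) before the padding
    # is ever looked at, and every failure is the same None, so a modified
    # ciphertext yields no padding feedback at all.
    ct, tag = msg[:-32], msg[-32:]
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK or not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:]))
    except ValueError:
        return None
```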

2.3.8 Data encryption standard (DES)

Classified design elements, based on the Feistel design. The key length is 56 bits (very weak, it can be broken in less than 24 hours), the block size is 64 bits. A Feistel network allows encryption and decryption to be the same/similar; hence the function F does not have to be invertible. If F is a pseudorandom function with the $k_i$ used as seeds (subkeys derived from the secret key $k$), this is sufficient to make it a strong pseudorandom permutation.

DES can be broken; for this reason we may think of moving to another cipher (AES), that is a safe

Another idea to make the cipher stronger is key whitening; the common form is xor-encrypt-xor (a XOR before the first round and after the last round of encryption). DES-X is $DES\text{-}X(x) = k_2 \oplus DES_k(x \oplus k_1)$ and uses three keys ($k$ 56 bits, $k_1$ 64 bits, $k_2$ 64 bits) for a total of 184 bits. However the effective key size is only 119 bits when the attacker can obtain enough (plaintext, ciphertext) pairs.

Assume a key space larger than the message space. A brute force attack can produce false positives: keys $k_i$ that are found but are not the one used for the encryption. The likelihood of this is related to the relative size of the key. Assume a cipher with a block width of 64 bits and a key size of 80 bits: if we encrypt $x_1$ under all possible $2^{80}$ keys we obtain $2^{80}$ ciphertexts, but only $2^{64}$ different ones exist, so if we run through all keys for a given (plaintext, ciphertext) pair we find on average $2^{80}/2^{64} = 2^{16}$ keys that perform the mapping $e_k(x_1) = y_1$. Given a block cipher with a key length of $k$ bits and a block size of $n$ bits, as well as $t$ (plaintext, ciphertext) pairs $(x_1, y_1), \dots, (x_t, y_t)$, the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is $2^{k - tn}$. For the last example, assuming only two pairs, the likelihood is $2^{80 - 2 \cdot 64} = 2^{-48}$. For almost all practical purposes two pairs are sufficient (if we have a few pairs, brute force is very effective).

2.4 Advanced Encryption Standard (AES)

AES is the most widely used symmetric cipher today. The requirements for all AES candidate submissions were:

  • Block cipher with 128-bit block size
  • Three supported key lengths, 128, 192 and 256 bit
  • Security relative to other submitted algorithms
  • Efficiency in software and hardware

The number of rounds of AES depends on the chosen key length: a 128-bit key uses 10 rounds, a 192-bit key 12 rounds and a 256-bit key 14 rounds. Each round consists of different layers:

  1. ByteSub ⇒ Confusion (substitute)
  2. ShiftRow ⇒ Diffusion (hide statistical properties)
  3. MixColumn ⇒ Diffusion (hide statistical properties)
  4. Key Addition ⇒ Key whitening (key before the round and at the end)

Each round has the same schema, only the last round has no MixColumn layer:

AES is a byte-oriented cipher, and it is not based on a Feistel network (no pseudorandom generator) but on a substitution-permutation network. The state $A$ (the 128-bit data path) can be arranged in a $4 \times 4$ matrix (for example $A_0, A_1, A_2, A_3$ form the first column of the matrix), with $A_0, \dots, A_{15}$ denoting the 16-byte input of AES.