A course on computer and network security, with an overview of symmetric and asymmetric ciphers, hash functions, random numbers and prime numbers. The main symmetric and asymmetric encryption algorithms, such as AES and RSA, and their properties are described. Cryptographic standards such as PKCS#1 and hash functions such as SHA-1 and SHA-3 are also presented. Useful for computer science and computer engineering students who want to deepen their knowledge of computer and network security.
Type: Notes
1 Introduction
Security is freedom from, or resilience against, potential harm caused by others. Safety protects from unintentional accidents. Physical security prevents unauthorized access to facilities and resources. Logical security involves software safeguards (a subset of computer security) and includes information security. Computer security, also known as cybersecurity, refers to the security of computing devices such as computers and smartphones, as well as of computer networks (private and public) and the Internet. Cryptography provides some of the building blocks for implementing computer security. Cryptanalysis is the study of cryptosystems to learn their properties and to break them (attacks and proofs of correctness).
Building blocks are used to offer security services:
Terminology:
In our communication model we have three entities: two legitimate parties (Alice and Bob) and an intruder (Trudy or Oscar). The intruder can be:
2 Symmetric Ciphers
Our communication model consists of two hosts that want to communicate through a reliable but insecure channel, and an intruder. The first host encrypts the message with a key, $y = E_k(x)$, and the second host decrypts it, $x = D_k(y)$; we assume that the symmetric key $k$ is exchanged through a secure channel. Two examples of ciphers:
$y_i = E_k(x_i) = (x_i + k) \bmod 26$, $\quad x_i = D_k(y_i) = (y_i - k) \bmod 26$
With a brute force attack this cipher is easily broken (try all values of $k$ in $[0, 26]$).
Analyzing the previous ciphers we learned that the key space should be large, to avoid brute force, and that a cipher should hide the statistical properties of the plaintext (ciphertext symbols should appear random).
Perfect cipher: given a plaintext space $\{0,1\}^n$, $D$ known, and a ciphertext $y$, the probability that there exists a key $k$ such that $D_k(y) = x$, for any plaintext $x$, is equal to the a priori probability that $x$ is the plaintext, $\Pr[x \mid y] = \Pr[x]$; in other words, the ciphertext does not reveal any information on the plaintext:
$\Pr[x \mid y] = \Pr[x \wedge y] / \Pr[y]$ (conditional probability)
$\Pr[x \wedge y] = \Pr[x \mid y] \Pr[y] = \Pr[y \mid x] \Pr[x]$ (Bayes)
$\Pr[x \wedge y] = \Pr[x] \Pr[y]$ (independence, from $\Pr[x \mid y] = \Pr[x]$)
Then we can state that $\Pr[x] \Pr[y] = \Pr[y \mid x] \Pr[x] \Rightarrow \Pr[y] = \Pr[y \mid x]$.
The One-Time Pad (OTP): we have a plaintext space $\{0,1\}^n$, a key space $\{0,1\}^n$, a symmetric scheme whose key is chosen using a True Random Number Generator (TRNG), and the key is used only once (each message is encrypted with a different key):
$y = E_k(x) = x \oplus k$, $\quad x = D_k(y) = y \oplus k = (x \oplus k) \oplus k = x \oplus (k \oplus k) = x \oplus 0$
OTP is a perfect cipher. Practical problems: $|k| = |x|$, it requires a TRNG, and the key must change for each message. We need a different key for each message because if the intruder gets two ciphertexts encrypted with the same key and combines them, he obtains a combination of the original messages (without the encryption).
If $|k| < |x|$ we cannot have a perfect cipher (Shannon's theorem). Proof by contradiction: assume $2^{|k|} < 2^{|x|}$. Take a ciphertext $y_0$ with $\Pr[y_0] > 0$ (such a ciphertext must exist). Let $S = \{D_k(y_0) : k \in K\}$, where $K$ is the set of all possible keys; since $|S| \le |K| = 2^{|k|} < 2^{|x|}$, $\exists\, x$ such that $x \notin S$. Then $\forall k \in K : E_k(x) \ne y_0$, i.e. $\Pr[y_0 \mid x] = 0 \ne \Pr[y_0]$, which contradicts the perfect cipher condition $\Pr[y_0 \mid x] = \Pr[y_0]$.
To implement symmetric ciphers there are two main approaches:
Given a plaintext $x$ ($x_i$ is the i-th bit of $x$) and a keystream $s$ (with $|x| = |s|$, $s_i$ the i-th bit of $s$): $y_i = E_{s_i}(x_i) = x_i \oplus s_i = (x_i + s_i) \bmod 2$ (addition mod 2 is equal to the XOR), $\quad x_i = D_{s_i}(y_i) = y_i \oplus s_i = (y_i + s_i) \bmod 2$.
A stream cipher is called synchronous when $s_i$ is a function of the key only, asynchronous when $s_i$ is a function of the key and of previous bits of $y$. The cipher must provide the keystream generator.
2.2.1 A5/1 (GSM) and LFSR
Based on three Linear Feedback Shift Registers (LFSR). Each LFSR is composed of flip-flops (FF), each of which stores 1 bit of information. When CLK=1 the FF stores its input IN, and it emits the stored value on OUT (even when CLK=0); $p_i$ enables/disables the i-th feedback line (switch variable).
Assuming an LFSR with $m = 3$, $p_0 = p_1 = 1$, $p_2 = 0$, the output length is $2^3 - 1$ (after such a value the sequence repeats): $s_{i+3} = (s_{i+1} + s_i) \bmod 2$, where $FF_0$ holds $s_i$; or, more in general:
$s_{i+m} = \sum_{j=0}^{m-1} p_j \cdot s_{i+j} \bmod 2, \qquad p_j \in \{0,1\},\ s_i \in \{0,1\}$
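An added example (not from the notes): the recurrence above implemented as a generic LFSR keystream generator and used as a synchronous stream cipher. Seed and taps are constructed values; the notes' register ($m = 3$, $p_0 = p_1 = 1$, $p_2 = 0$) is checked to have period $2^3 - 1 = 7$, and a non-maximal tap choice is included for contrast.

```python
# Register state holds s_i .. s_{i+m-1}; FF0 (state[0]) is the output bit and
# the feedback is s_{i+m} = sum_j p_j * s_{i+j} mod 2, as in the recurrence above.

def lfsr_keystream(seed, taps, nbits):
    """Produce nbits of keystream. seed = (s_0..s_{m-1}), taps = (p_0..p_{m-1})."""
    m = len(seed)
    if len(taps) != m or not any(taps):
        raise ValueError("taps must have length m and enable at least one line")
    state = list(seed)
    out = []
    for _ in range(nbits):
        out.append(state[0])                               # emit s_i from FF0
        fb = sum(p * s for p, s in zip(taps, state)) % 2   # s_{i+m}
        state = state[1:] + [fb]                           # shift, feed back
    return out

def period(seed, taps):
    """Clock ticks after which the register returns to its seed state.
    Returns None if the register falls into the all-zero state (it then
    never returns), which happens for badly chosen taps."""
    m = len(seed)
    state = list(seed)
    for t in range(1, 2 ** m + 1):
        fb = sum(p * s for p, s in zip(taps, state)) % 2
        state = state[1:] + [fb]
        if state == list(seed):
            return t
    return None

def stream_xor(bits, seed, taps):
    """Synchronous stream cipher: y_i = x_i xor s_i; the same call decrypts."""
    ks = lfsr_keystream(seed, taps, len(bits))
    return [b ^ s for b, s in zip(bits, ks)]

def bytes_to_bits(data):
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

if __name__ == "__main__":
    seed, taps = [1, 0, 0], [1, 1, 0]                     # m = 3, p0 = p1 = 1, p2 = 0
    print("period:", period(seed, taps))                   # 7 = 2^3 - 1
    print("keystream:", lfsr_keystream(seed, taps, 14))    # repeats after 7 bits
    ct = stream_xor(bytes_to_bits(b"hi"), seed, taps)
    print(bits_to_bytes(stream_xor(ct, seed, taps)))       # b'hi'
```

A5/1 clocks three such registers irregularly and combines their outputs; a single short register like this one is only a model of the building block, and its 7-bit period shows why register length and tap choice matter.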
We can have many operation modes, which will be described later. Common properties of the operations:
A concept connected to diffusion and confusion is the avalanche effect: very small changes in the plaintext lead to big changes in the ciphertext, and very small changes in the key lead to big changes in the ciphertext.
2.3.1 Electronic Codebook (ECB)
It is a simple and efficient operation mode, and the implementation can be parallelized. It does not conceal plaintext patterns.
An intruder can reorder the blocks; blocks can be replaced, removed and appended. Encrypting the same message twice generates the same ciphertext.
2.3.2 Cipher Block Chaining (CBC)
In this operation mode block $y_i$ depends on $y_{i-1}$, and the encryption is randomized using an IV. Encryption is not parallelizable, since the output $y_i$ depends on the output $y_{i-1}$. Decryption is parallelizable, since the output $x_i$ depends only on the inputs $y_i$ and $y_{i-1}$. If one bit is flipped in $x_i$ then all subsequent ciphertext blocks are affected. If one bit is flipped in $y_{i-1}$ then $x_{i-1}$ is affected in an unpredictable manner, while $x_i$ is affected in a predictable manner. This could be exploited by an attacker.
The initialization vector should be different for each message, otherwise an attacker can notice when we are encrypting the same message again. The IV can be made public. CBC can be seen as an asynchronous stream cipher. The message must be padded to a size multiple of the block size (a block cipher can deal only with a fixed block size); this was true for ECB as well. There are two possible strategies: padding, which however increases the size, and ciphertext stealing. Ciphertext stealing encryption: pad the last partial plaintext block with 0s, encrypt the whole padded plaintext using the standard CBC mode, swap the last two ciphertext blocks, truncate the ciphertext to the length of the original plaintext. Ciphertext stealing decryption: swap the last two ciphertext blocks, decrypt the modified ciphertext using the standard CBC mode, truncate the plaintext to the length of the original ciphertext.
2.3.3 Propagation Cipher Block Chaining (PCBC)
It is designed to propagate small changes to all subsequent blocks both during encryption and decryption. However, if two adjacent ciphertext blocks are exchanged, the subsequent decrypted blocks are not affected.
2.3.4 Cipher FeedBack (CFB)
An asynchronous stream cipher: there is error propagation in encryption; encryption is not parallelizable; the encryption algorithm is used both for encryption and for decryption; decryption can be parallelized; a one-bit error in a ciphertext block affects two plaintext blocks (the other blocks are fine); there is no need for padding.
There is no need for the IV to be secret, but it is important that it is never reused with the same key. For CBC and CFB reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. In CBC the IV must be unpredictable at encryption time. For OFB and CTR reusing an IV completely destroys security.
CBC with the PKCS#7 padding scheme: the value of each added byte is the number of bytes that are added. Is this approach still secure? Assume that an application uses this approach and, when decrypting a ciphertext provided by a user, returns only a return code (the plaintext is not revealed): KO if the padding scheme is not respected by the ciphertext (after decryption), OK if the padding scheme is respected. Is it possible for an attacker to exploit this feedback from the application? The scenario where an application provides feedback about the validity of the padding of a message is called a padding oracle (hence the name padding oracle attack). Given a padding oracle it is possible to perform an attack that reveals the plaintext or the secret key, even when the cipher is secure and the operation mode is secure.
We now consider an attack against CBC with the PKCS#7 scheme (a Chosen Ciphertext Attack, CCA). In CBC a block $x_i$ is encrypted as $y_i = E_k(x_i \oplus y_{i-1})$ and decrypted as $x_i = D_k(y_i) \oplus y_{i-1} = D_k(E_k(x_i \oplus y_{i-1})) \oplus y_{i-1}$; assuming the cipher is correct, $x_i = x_i \oplus y_{i-1} \oplus y_{i-1}$. In the padding oracle attack we exploit this property of CBC by designing a new ciphertext with two blocks: we do not care about the decryption of the first ciphertext block, as we cannot learn anything from it even if the padding oracle gives us feedback, but we do care about the decryption of the second ciphertext block, since we know how to manipulate it bitwise or blockwise thanks to the XOR, and the feedback from the padding oracle can be valuable. Assume the attacker intercepts a ciphertext $y$ and a padding oracle is available. Let $y_i[j]$ denote the j-th byte of $y_i$. To decrypt a block $y_i$ with $i > 0$ he builds a new ciphertext $y'$ with two blocks, $y' = y'_0 \,\|\, y_i$; he chooses a random value for $y'_0$ and calls the padding oracle 256 times, each time setting the last byte of $y'_0$ to a different value in $[0, 255]$.
Internally the oracle computes $x'_i = D_k(y_i) \oplus y'_0$, that is $x'_i[j] = D_k(y_i)[j] \oplus y'_0[j]$, and checks whether the padding scheme is respected. Since we try all possible values for the last byte of $y'_0$, and due to how XOR works, we can expect at least one value for which the oracle answers OK, because $x'_i[j] = 1$ with $j$ the index of the last byte of the block: we obtain a decrypted block that is valid for the padding scheme (the last byte is one, meaning a single byte of padding, so no other byte has to be checked). The oracle will also answer OK when $x'_i[j-1] = 2$ and $x'_i[j] = 2$, or when $x'_i[j-2] = 3$, $x'_i[j-1] = 3$ and $x'_i[j] = 3$, and so on with similar patterns. Now the attacker can compute $x_i[j]$:
$$x'_i[j] = D_k(y_i)[j] \oplus y'_0[j] = (x_i \oplus y_{i-1})[j] \oplus y'_0[j] = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$$
$$x_i[j] = x'_i[j] \oplus y_{i-1}[j] \oplus y'_0[j]$$
We have that $x'_i[j] = 1$ (after the brute force), $y_{i-1}[j]$ is known (a byte of a block from the ciphertext), and $y'_0[j]$ is known (chosen by the attacker), hence he can compute $x_i[j]$. At this point the attacker knows the last byte of the plaintext block $x_i$ and can iterate the process to get the other bytes of the same block. To get the value of $x_i[j-1]$ the attacker has to build a ciphertext such that the last two bytes of the plaintext are equal to 2. He builds a new ciphertext $y'$ with two blocks, $y' = y'_0 \,\|\, y_i$, and needs to find $y'_0$ such that $x'_i[j] = 2$ and $x'_i[j-1] = 2$,
so we have:
$$x'_i[j] = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j] \;\Rightarrow\; 2 = x_i[j] \oplus y_{i-1}[j] \oplus y'_0[j] \;\Rightarrow\; y'_0[j] = 2 \oplus x_i[j] \oplus y_{i-1}[j]$$
Hence the value of $y'_0[j]$ can be derived, since $x_i[j]$ is known from the previous step. To find the right value for $y'_0[j-1]$ he tries 256 values; for one assignment of $y'_0[j-1]$ the oracle confirms that the padding scheme is respected. Now the attacker can derive the value of $x_i[j-1]$:
$$x'_i[j-1] = D_k(y_i)[j-1] \oplus y'_0[j-1] = (x_i \oplus y_{i-1})[j-1] \oplus y'_0[j-1] = x_i[j-1] \oplus y_{i-1}[j-1] \oplus y'_0[j-1]$$
$$x_i[j-1] = x'_i[j-1] \oplus y_{i-1}[j-1] \oplus y'_0[j-1]$$
where $x'_i[j-1] = 2$, $y_{i-1}[j-1]$ is known (a byte of a block from the ciphertext), and $y'_0[j-1]$ is known (chosen by the attacker); this process can be repeated to recover the other bytes of the same block. After computing the last byte we can check whether our assumption on $x'_i[j]$ was correct (if it was not, we need to test another value). If the IV is sent as the first block of the ciphertext without any authentication we can still mount the attack; however this is unlikely, and otherwise we cannot expect to recover the first block, since this attack requires controlling a ciphertext with at least two blocks. To prevent this attack we must not provide a padding oracle (no feedback after decryption).
2.3.8 Data Encryption Standard (DES)
Classified design elements, based on the Feistel design. The key length is 56 bits (very weak, it can be broken in less than 24 hours), the block size is 64 bits. The Feistel network allows encryption and decryption to be the same/similar; hence the function F does not have to be invertible. If F is a pseudorandom function with the subkeys $k_i$ (derived from the secret key $k$) used as seeds, this is sufficient to make it a strong pseudorandom permutation.
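An added example (not from the notes, and not DES) that serves both the padding oracle discussion above and this section's remark that the Feistel round function F need not be invertible: a toy 4-round Feistel cipher on 16-byte blocks whose round function is a truncated HMAC-SHA256, CBC with PKCS#7 padding, a receiver that behaves exactly like the padding oracle described above (answers OK/KO), and an encrypt-then-MAC receiver that checks the tag before touching the padding and returns a single generic failure. Keys, messages and the cipher itself are constructed for teaching.

```python
import hmac, hashlib, os
BLOCK = 16  # block size in bytes; constructed toy cipher and keys, for teaching only

def _F(key, rnd, half):  # Feistel round function: truncated HMAC, not invertible
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
def _feistel(key, block, rounds):  # final swap lets the same loop decrypt
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _F(key, i, r)))
    return r + l
def enc_block(key, b): return _feistel(key, b, range(4))
def dec_block(key, b): return _feistel(key, b, reversed(range(4)))
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def pad(msg):  # PKCS#7: each added byte holds the number of added bytes
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n
def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, msg):  # y_i = E_k(x_i xor y_{i-1}), y_{-1} = IV; serial
    out, prev, msg = b"", iv, pad(msg)
    for i in range(0, len(msg), BLOCK):
        out += (prev := enc_block(key, xor(msg[i:i + BLOCK], prev)))
    return out
def cbc_decrypt(key, iv, ct):  # x_i = D_k(y_i) xor y_{i-1}; each block independent
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(dec_block(key, y), prev) for prev, y in zip(blocks, blocks[1:]))

def oracle_receiver(key, iv, ct):  # vulnerable: the verdict depends only on the padding
    try:
        unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return "KO"
    return "OK"

def seal(ek, mk, msg):  # encrypt-then-MAC: tag over IV || ciphertext, fresh IV per message
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(ek, iv, msg)
    return iv + ct + hmac.new(mk, iv + ct, hashlib.sha256).digest()
def unseal(ek, mk, blob):  # hardened receiver: tag first, one generic failure
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, iv + ct, hashlib.sha256).digest()):
        return None  # the padding is never examined on a tampered message
    return unpad(cbc_decrypt(ek, iv, ct))  # cannot fail once the tag has verified
```

With `oracle_receiver`, flipping a bit in the IV still yields OK (only $x_0$ is corrupted, the padding is intact) while flipping the last byte of $y_{n-1}$ yields KO, which is exactly the distinguishable feedback the attack above relies on; `unseal` returns the same result for every tampered message.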
Since DES can be broken, we may think of moving to another cipher (AES), that is a safe
Another idea to make the cipher stronger is key whitening; the common form is xor-encrypt-xor (a XOR before the first round and after the last round of encryption). DES-X is $DESX_{k,k_1,k_2}(x) = k_2 \oplus DES_k(x \oplus k_1)$; it uses three keys ($k$ 56 bits, $k_1$ 64 bits, $k_2$ 64 bits) for a total of 184 bits. However the effective key size is only 119 bits when the attacker can obtain enough (plaintext, ciphertext) pairs.
Assume a key space larger than the message space. A brute force attack can produce false positives: keys $k_i$ that are found but are not the one used for the encryption. The likelihood of this is related to the relative sizes of key and block. Assuming a cipher with a block width of 64 bits and a key size of 80 bits, if we encrypt $x_1$ under all possible $2^{80}$ keys we obtain $2^{80}$ ciphertexts, but only $2^{64}$ different ones exist; so, if we run through all keys for a given (plaintext, ciphertext) pair, we find on average $2^{80} / 2^{64} = 2^{16}$ keys that perform the mapping $e_k(x_1) = y_1$. Given a block cipher with a key length of $k$ bits and a block size of $n$ bits, as well as $t$ (plaintext, ciphertext) pairs $(x_1, y_1), \dots, (x_t, y_t)$, the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is $2^{k - tn}$. For the last example, assuming only two pairs, the likelihood is $2^{80 - 2 \cdot 64} = 2^{-48}$. For almost all practical purposes two pairs are sufficient (if we have a few pairs, brute force is very effective).
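The $2^{k - tn}$ estimate above, derived step by step (added here, not part of the original notes), treating each wrong key $k'$ as an independent random mapping of $n$-bit blocks:

$$\Pr[e_{k'}(x_1) = y_1] = 2^{-n} \quad \text{(one pair, one wrong key)}$$
$$\Pr[e_{k'}(x_i) = y_i \ \forall i = 1, \dots, t] = (2^{-n})^t = 2^{-tn} \quad \text{(t independent pairs)}$$
$$\mathbb{E}[\text{false keys}] = (2^k - 1) \cdot 2^{-tn} \approx 2^k \cdot 2^{-tn} = 2^{k - tn} \quad \text{(linearity of expectation over the wrong keys)}$$

With $k = 80$ and $n = 64$: $t = 1$ gives $2^{80-64} = 2^{16}$ false keys, while $t = 2$ gives $2^{80-128} = 2^{-48}$, so the single key surviving two pairs is almost certainly the right one; in general a brute force needs $t > k/n$ pairs before false positives become negligible.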
AES is the most widely used symmetric cipher today. The requirements for all AES candidate submissions were:
The number of rounds of AES depends on the chosen key length: a 128-bit key = 10 rounds, a 192-bit key = 12 rounds, a 256-bit key = 14 rounds. Each round consists of different layers:
Each round has the same schema, only the last round has no MixColumn layer:
AES is a byte-oriented cipher, and it is not based on a Feistel network (no pseudorandom generator) but on a substitution-permutation network. The state $A$ (the 128-bit data path) can be arranged in a $4 \times 4$ matrix (for example $A_0, A_1, A_2, A_3$ compose the first column of the matrix), with $A_0, \dots, A_{15}$ denoting the 16-byte input of AES.