CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz
CMSC 414
Computer and Network Security
Lecture 3
Jonathan Katz
HW1
Will be posted shortly
Work in teams
– Both students should contribute to all problems
– JCE fair game for the exam
Defining secrecy (take 1)
Even an adversary running for an unbounded
amount of time learns nothing about the message
from the ciphertext
Perfect secrecy
Formally, for all distributions over the message
space, all m, and all c:
Pr[M=m | C=c] = Pr[M=m]
One-time pad
and proof of security
Properties of the one-time pad?
Achieves perfect secrecy
– No eavesdropper (no matter how powerful) can
determine any information whatsoever about the
plaintext
(Essentially) useless in practice…
– Long key length
– Can only be used once (hence the name!)
– Insecure against known-plaintext attacks
These are inherent limitations of perfect secrecy
Computational secrecy
We can overcome the limitations of perfect
secrecy by (slightly) relaxing the definition
Instead of requiring total secrecy against
unbounded adversaries, require secrecy against
time-bounded adversaries except with some small
probability
– E.g., secrecy for 100 years, except with probability 2^{-80}
How to define formally?
A simpler characterization
Perfect secrecy is equivalent to the following,
simpler definition:
– Given a ciphertext C which is known to be an
encryption of either M0 or M1, no adversary can guess
correctly which message was encrypted with
probability better than ½
Computational security!
– The same definition, relaxed: no adversary
running for 100 years can guess correctly with
probability better than ½ + 2^{-80}
Is this definition too strong? Why not?
The take-home message
Weakening the definition slightly allows us to
construct much more efficient schemes!
Strictly speaking, no longer 100% absolutely
guaranteed to be secure
– Security of encryption now depends on security of
building blocks (which are analyzed extensively, and
are assumed to be secure)
– Given enough time, the scheme can be broken
Attacks
So far, we have been considering only passive
eavesdropping of a single ciphertext
– AKA, ciphertext-only attack
In practice, stronger attacks often need to be
considered
– Known plaintext
– Chosen plaintext
– Chosen ciphertext (includes chosen plaintext attacks)
Minimum requirements
The minimum level of security nowadays is
security against chosen-plaintext attacks
But security against chosen-ciphertext attacks (or
even stronger) is often necessary for certain
applications
– Make sure you are aware of this when deploying
encryption!
We will revisit this after discussing message
authentication
Randomized encryption
Can a deterministic encryption scheme be secure
against chosen-plaintext attacks?
To be secure against chosen-plaintext attack,
encryption must be randomized
Moral: always use randomized encryption!
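The M0-or-M1 guessing game from "A simpler characterization", played with a chosen-plaintext oracle, as an added example that is not part of the original lecture. It assumes HMAC-SHA256 as a stand-in pseudorandom function, and all function names are hypothetical. The randomized variant is shown defeating this one replay attack only, which is not a proof of chosen-plaintext security.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # message length in bytes (one HMAC-SHA256 output)

def pad(key, nonce):
    # Assumption of this example: HMAC-SHA256 plays the role of a PRF F_k.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key, m):
    # Same key and same message always produce the same ciphertext.
    return b"", xor(m, pad(key, b"fixed"))

def enc_randomized(key, m):
    # Fresh random r per encryption; ciphertext is (r, F_k(r) XOR m).
    r = secrets.token_bytes(16)
    return r, xor(m, pad(key, r))

def dec(key, ct, deterministic=False):
    r, body = ct
    return xor(body, pad(key, b"fixed" if deterministic else r))

def replay_adversary(oracle, m0, m1, challenge):
    # Chosen-plaintext query: request an encryption of m0, compare to the challenge.
    return 0 if oracle(m0) == challenge else 1

def cpa_game(enc, trials=2000):
    """Play the guessing game `trials` times; return the fraction of correct guesses."""
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(32)
        oracle = lambda m: enc(key, m)
        m0, m1 = b"A" * BLOCK, b"B" * BLOCK   # constructed sample messages
        b = secrets.randbelow(2)              # challenger's secret bit
        challenge = oracle((m0, m1)[b])
        wins += replay_adversary(oracle, m0, m1, challenge) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", cpa_game(enc_deterministic))  # 1.0: adversary always wins
    print("randomized:   ", cpa_game(enc_randomized))     # about 0.5: no better than guessing
```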