Transcript CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz

CMSC 414
Computer and Network Security
Lecture 4
Jonathan Katz
One-time pad
 The one-time pad achieves perfect secrecy
 But, it has a number of drawbacks
– Key size equal to message size
– Can only be used once
– Insecure under chosen-plaintext attack
 Unfortunately, these drawbacks are inherent
if we want perfect secrecy
A weaker security guarantee
 Instead of requiring that no adversary can learn
anything about the plaintext…
 …require that no adversary running in a
“reasonable amount of time” can learn anything
about the plaintext except with “very small
probability”
– “Reasonable time” = 106 years
– “Very small probability” = 2-64
– Computational security
A simpler characterization
 Equivalent to the following, simpler
definition:
– Given a ciphertext C which is known to be an
encryption of either M0 or M1, no adversary
running in a reasonable amount of time can
guess correctly which message was encrypted
with probability significantly better than ½.
The take-home message
 Weakening the definition slightly allows us
to construct much more efficient schemes!
 Strictly speaking, no longer 100%
absolutely guaranteed to be secure
– Security of encryption now depends on security
of building blocks (which are analyzed
extensively, and are assumed to be secure)
– Given enough time, the scheme can be broken
Attacks
 As always, we can couple our security
notion with a variety of attacks
–
–
–
–
Ciphertext only
Known plaintext
Chosen plaintext
Chosen ciphertext (includes chosen plaintext
attacks)
Attacks…
 The default standard is security against
chosen-plaintext attacks
 Security against chosen-ciphertext attacks is
increasingly required
 Note that the one-time pad is insecure even
against known-plaintext attack
Randomized encryption
 To be secure against chosen-plaintext
attack, encryption must be randomized
– We will see later how this comes into play
 Moral: always use randomized encryption!
Block ciphers
 Keyed permutation; input/output length
 Large key space
 Modeled as a (family of) random
permutations…
 Example – “trivial” encryption:
– C = FK(m)
– This is not randomized…
Modes of encryption
 ECB
– Ci = FK(mi)
 CBC
– Ci = FK(mi  Ci-1)
 OFB (stream cipher mode)
– zi = FK(zi-1); Ci = zi  mi
 CFB (stream cipher mode)
– zi = FK(Ci-1); Ci = zi  mi
Security?
 All previous modes (except ECB) are
secure against chosen-plaintext attacks
– ECB is deterministic…