# IT Security

## Security Goals - CIA

- Confidentiality - only authorized entities can access assets in a system
  - Attacks:
    - Eavesdropping - interception of data during transfer
    - Traffic Analysis - analyze address information or timings to deduce who communicates with whom
- Integrity - only authorized entities can change assets in a system
  - Attacks:
    - Modification - intercept and modify data in transfer
    - Masquerading - modify the source (SRC) address information of a data packet in transfer
    - Replay - intercept a data packet in transfer and later replay it
    - Repudiation - deny an action such as having sent a specific data packet
- Availability - authorized entities can access assets in a system as intended
  - Attack: Denial of Service - flooding a server with fake requests, jamming a signal with a stronger signal on the same frequency, entering a password wrongly to get the account blocked

## Encryption Scheme definition

Noted as a tuple (P, C, K, E, D):

- P = plaintexts
- C = ciphertexts
- K = keys
- E = encryption functions
- D = decryption functions

For any K_1 in K, there is a K_2 in K such that for all p in P, D_K_2(E_K_1(p)) = p

For symmetric encryption, K_1 = K_2

This definition doesn't cover any notion of security

## Symmetric Encryption scheme

Properties:

- Bob and Alice share the same key in advance
- Decryption is *difficult* without the key

## Caesar Cipher

= Letter shift by k amount

Vulnerable to brute force attacks (exhaustive search attacks)

## Monoalphabetic Substitution Cipher

= replace each letter by a fixed permutation of the alphabet

Key space is very large -> no brute force, however: vulnerable to frequency analysis, as monoalphabetic substitution preserves letter frequencies

## Perfect Secrecy

Definition:

> An encryption scheme is said to provide **perfect secrecy** iff given a probability distribution Pr on P with Pr(p) > 0 for all plaintexts p, and for each p in P, c in C and k in K chosen uniformly at random, Pr(p|c) = Pr(p)

Meaning: Whether or not c is observed, p is as likely as its occurrence in the plaintext space

A cipher providing perfect secrecy cannot be broken by an attacker. Not even by one with infinite computational resources and infinite time. (Shannon's Theorem)

## One-Time-Pad (OTP)

*aka Vernam Cipher or Vernam's One-Time-Pad*

For each encryption, choose a key uniformly at random.

- Encryption: C = P xor K
- Decryption: C xor K = P xor K xor K = P

- Advantages:
  - Easy to compute (XOR is a cheap computation)
  - As secure as theoretically possible
    - -> security independent of the attacker's resources
  - Guarantees confidentiality
- Disadvantages:
  - Key must be as long as the plaintext -> impractical
  - Does not guarantee **integrity**
  - Insecure if keys are reused

**Learn the proof for perfect secrecy by heart!**

## Computational Security

= An encryption scheme is called computationally secure iff all known attacks against the cipher are computationally infeasible within any reasonable amount of time/resources

## Attacker Models

- Ciphertext-only attack - attacker knows only the ciphertext
- Known-plaintext attack - knows some pairs of plaintext and ciphertext
- Chosen-plaintext attack - can obtain ciphertexts for plaintexts of his choice
- Chosen-ciphertext attack - can obtain plaintexts for ciphertexts of his choice before the target ciphertext is known

Security in a chosen-ciphertext setting is hardest to achieve. The ciphertext-only setting is more difficult for the attacker -> easier to achieve.

## Stream Ciphers

Idea:

- Replace K with a PRBG:
  - Seed the PRBG with a truly random key K
  - PRBG should be cryptographically secure, though there is no proof
  - New initialization vector (IV) for each P

> For each plaintext P select a fresh IV and set C = E_K(P) = IV || P xor PRBG(IV, K)
>
> PRBG(IV, K) is referred to as *key stream*. The same key K is used for multiple plaintexts

Weakness: If an IV is reused with the same key, the stream cipher is vulnerable to known-plaintext attacks (cf. Chap 2 slide 32), e.g. used to attack WPA2 (KRACK attack)

Examples:

- Broken:
  - A5/1
  - E0
- Unbroken:
  - SNOW 3G
  - ChaCha20
  - Block ciphers in CTR mode

## Block Ciphers

Operate on plaintext blocks of a specific length

- called the block length b of the cipher
- plaintext space P = ciphertext space C = {0,1}^b

Examples:

- Broken:
  - DES
  - IDEA
- Unbroken:
  - KASUMI
  - AES
  - Camellia

## Advanced Encryption Standard (AES)

More secure and efficient than 3DES; block length of 128 bit, regardless of key length

Operates in rounds: input and output of each round are represented as 4x4 byte matrices

Operations:

- Substitute Byte (SB) - substitutes one byte
- Round Key Addition (KA) - XOR each byte with the corresponding round key byte
- Shift Row (SR) - shift each row by a different amount
- Mix Column (MC) - multiplication of a column by a given matrix

Overall operation: plaintext -> KA -> SB -> SR -> MC* -> KA -> ciphertext, and the next round continues after the first KA operation

*MC is not done in the last round!

Number of rounds depends on key size:

- 128 bit key -> 10 rounds
- 192 -> 12
- 256 -> 14

Modes of encryption:

- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Counter (CTR)
- Output Feedback (OFB) -> covered in exercises

### Electronic Codebook Mode (ECB)

- Encryption: C_i = E_k(P_i) for i = 1, ..., n
- Decryption: P_i = D_k(C_i) for i = 1, ..., n
- Requires padding of P_n to b bit

Problem:

- Same P_i leads to same C_i -> patterns are visible -> ECB should not be used!

### Cipher Block Chaining Mode (CBC)

- IV = C_0
- Encryption: C_i = E_k(P_i xor C_{i-1}) for i = 1, ..., n
- Decryption: P_i = D_k(C_i) xor C_{i-1} for i = 1, ..., n
- Requires padding of P_n to b bit
- Requires a fresh IV for each plaintext to encrypt! If the same IV is reused on P and P*, then C_1 and C_1* reveal whether P_1 = P_1*
- Vulnerable to a padding-oracle attack

Should not be used anymore

### Counter Mode (CTR)

- IV public, fresh for each plaintext
- Encryption: C_i = E_k(IV+i) xor P_i for i = 1, ..., n
- Decryption: P_i = C_i xor E_k(IV+i) for i = 1, ..., n

Properties:

- CTR does not require padding
- Ciphertext has the same size as the plaintext
- CTR turns a block cipher into a stream cipher
- CTR encryption and decryption can be parallelized
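Worked example for the Caesar and Monoalphabetic Substitution sections above. This is an added Python example, not code from the lecture notes: it runs the 26-key exhaustive search against a Caesar cipher and then shows why a monoalphabetic substitution, despite its 26! keys, leaks the plaintext's letter histogram. The sample sentence, the keyboard-order key permutation and the English frequency table used for scoring are constructed here and are assumptions of the example.

```python
"""Caesar shift with exhaustive key search, and the frequency leak of a
monoalphabetic substitution. Added example; not part of the lecture notes.
The sample text, the key permutation and the scoring table are constructed."""
from __future__ import annotations
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (%) of common English letters, used only to
# rank candidate decryptions (constructed from standard published tables).
ENGLISH_FREQ = {"E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7,
                "S": 6.3, "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "U": 2.8}


def caesar_encrypt(plaintext: str, k: int) -> str:
    """Shift every letter by k positions (mod 26); other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    return caesar_encrypt(ciphertext, -k)


def english_score(text: str) -> float:
    """Sum of frequency weights of the letters in text; higher looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def caesar_brute_force(ciphertext: str) -> tuple[int, str]:
    """Exhaustive search: only 26 keys exist, so decrypt under every one of them
    and keep the candidate whose letter statistics look most like English."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda cand: english_score(cand[1]))


def substitution_encrypt(plaintext: str, key: str) -> str:
    """Monoalphabetic substitution: key is a 26-letter permutation of A-Z.
    The key space has 26! keys, far too many for exhaustive search."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of A-Z"
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def letter_histogram(text: str) -> Counter:
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


def frequencies_preserved(plaintext: str, ciphertext: str) -> bool:
    """A substitution only relabels letters: the multiset of letter counts in the
    ciphertext equals that of the plaintext, which is what frequency analysis exploits."""
    return (sorted(letter_histogram(plaintext).values())
            == sorted(letter_histogram(ciphertext).values()))


if __name__ == "__main__":
    msg = "SEND REINFORCEMENTS TO THE NORTHERN BRIDGE BEFORE THE ENEMY ATTACKS AT DAWN"  # constructed
    print(caesar_brute_force(caesar_encrypt(msg, 7)))
    sub = substitution_encrypt(msg, "QWERTYUIOPASDFGHJKLZXCVBNM")  # constructed key
    print(sub, frequencies_preserved(msg, sub))
```

The scoring step is what turns "try all 26 keys" into an automated attack: a human could read the 26 candidates, but the frequency weights let a program pick the right one. The same histogram comparison is the first step of frequency analysis against the substitution cipher, since the most frequent ciphertext letter is almost certainly the image of E.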
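Worked example for the One-Time-Pad and Stream Ciphers sections above. This is an added Python example, not code from the lecture notes: it implements the OTP as C = P xor K, then the stream cipher construction C = IV || P xor PRBG(IV, K), and shows the weakness the notes describe, namely that reusing the key stream (OTP key reuse, or the same IV under the same K) makes C1 xor C2 = P1 xor P2. The PRBG is a toy built from SHA-256 in counter mode, an assumption chosen so the code runs offline; it stands in for a real stream cipher and is not a recommended construction. The IV length and all sample plaintexts and keys are constructed.

```python
"""One-time pad and key stream reuse in a stream cipher. Added example; not part
of the lecture notes. The PRBG is a toy (SHA-256 in counter mode, an assumption
chosen so the code runs offline) standing in for a real stream cipher."""
import hashlib
import secrets

IV_LEN = 12  # IV length in bytes for the toy stream cipher (assumption)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """Key chosen uniformly at random, as long as the plaintext."""
    return secrets.token_bytes(length)


def otp_encrypt(p: bytes, k: bytes) -> bytes:
    return xor_bytes(p, k)          # C = P xor K


def otp_decrypt(c: bytes, k: bytes) -> bytes:
    return xor_bytes(c, k)          # C xor K = P xor K xor K = P


def prbg(iv: bytes, key: bytes, length: int) -> bytes:
    """Toy key stream PRBG(IV, K): concatenated SHA-256(K || IV || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(p: bytes, key: bytes, iv: bytes) -> bytes:
    """C = IV || P xor PRBG(IV, K); the same K serves many plaintexts, the IV must be fresh."""
    assert len(iv) == IV_LEN
    return iv + xor_bytes(p, prbg(iv, key, len(p)))


def stream_decrypt(c: bytes, key: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return xor_bytes(body, prbg(iv, key, len(body)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two ciphertexts were made with the same (K, IV), hence the same key stream,
    then C1 xor C2 = P1 xor P2: the key stream cancels out. With one plaintext
    known, the other follows directly (the known-plaintext attack from the notes)."""
    assert c1[:IV_LEN] == c2[:IV_LEN], "different IVs: key streams differ, nothing cancels"
    n = min(len(c1), len(c2)) - IV_LEN
    return xor_bytes(c1[IV_LEN:IV_LEN + n], c2[IV_LEN:IV_LEN + n])


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Known-plaintext step: P2 = (C1 xor C2) xor P1 for the overlapping length."""
    leak = keystream_reuse_leak(c1, c2)
    return xor_bytes(leak, p1[:len(leak)])


if __name__ == "__main__":
    key = bytes(range(16))              # constructed long-term key
    iv = b"\x00" * IV_LEN               # deliberately reused IV to show the leak
    c1 = stream_encrypt(b"meet at the bridge", key, iv)
    c2 = stream_encrypt(b"fall back to camp!", key, iv)
    print(recover_second_plaintext(c1, c2, b"meet at the bridge"))
```

Nothing in `keystream_reuse_leak` needs the key: the defence is entirely on the sender's side (never reuse an OTP key; always pick a fresh IV per plaintext), which is why the notes list "insecure if keys are reused" and the fresh-IV requirement as the critical conditions.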
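Worked example for the ECB, CBC and CTR sections above. This is an added Python example, not code from the lecture notes: it implements the three modes exactly as the notes' equations state them (C_i = E_k(P_i); C_i = E_k(P_i xor C_{i-1}) with C_0 = IV; C_i = E_k(IV+i) xor P_i) and exposes the properties discussed: repeated blocks visible under ECB, a reused CBC IV revealing whether P_1 = P_1*, and CTR needing no padding. Because AES is too long to reproduce here, the block cipher E_k is a toy 4-round Feistel network with a SHA-256-based round function, an assumption made so the code runs offline; it is a stand-in for AES and is not secure. Padding is PKCS#7, and all keys, IVs and plaintexts are constructed.

```python
"""ECB, CBC and CTR modes over a toy 64-bit block cipher. Added example; not
part of the lecture notes. The block cipher is a 4-round Feistel network with
a SHA-256-based round function (an assumption so the code runs offline); it
stands in for AES and is not secure. Padding is PKCS#7."""
import hashlib

BLOCK = 8   # block length b of the toy cipher in bytes (64 bits); AES would use 16
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(half: bytes, key: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k on one b-bit block: 4 Feistel rounds, then undo the final swap."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, xor(l, _round_function(r, key, i))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_k: the same network with the round order reversed."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = r, xor(l, _round_function(r, key, i))
    return r + l


def pad(p: bytes) -> bytes:
    """Pad P_n to a full block (PKCS#7); a whole padding block is added if len is already a multiple."""
    n = BLOCK - len(p) % BLOCK
    return p + bytes([n]) * n


def unpad(p: bytes) -> bytes:
    n = p[-1]
    assert 1 <= n <= BLOCK and p[-n:] == bytes([n]) * n, "bad padding"
    return p[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, p: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in blocks(pad(p)))      # C_i = E_k(P_i)


def ecb_decrypt(key: bytes, c: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(c)))    # P_i = D_k(C_i)


def cbc_encrypt(key: bytes, iv: bytes, p: bytes) -> bytes:
    prev, out = iv, []                                # C_0 = IV
    for b in blocks(pad(p)):
        prev = block_encrypt(key, xor(b, prev))       # C_i = E_k(P_i xor C_{i-1})
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, c: bytes) -> bytes:
    cs = blocks(c)                                    # cs[0] is the IV
    out = [xor(block_decrypt(key, cs[i]), cs[i - 1]) for i in range(1, len(cs))]
    return unpad(b"".join(out))                       # P_i = D_k(C_i) xor C_{i-1}


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR: C_i = E_k(IV + i) xor P_i. No padding, decryption is the same call,
    and every block is independent, so the loop could run in parallel."""
    out = bytearray()
    for i, b in enumerate(blocks(data), start=1):
        counter = (int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))
        ks = block_encrypt(key, counter.to_bytes(BLOCK, "big"))
        out += xor(b, ks[:len(b)])                    # last block may be short: no padding
    return bytes(out)


def ecb_has_repeated_blocks(key: bytes, p: bytes) -> bool:
    """The ECB problem: equal plaintext blocks give equal ciphertext blocks."""
    cs = blocks(ecb_encrypt(key, p))
    return len(set(cs)) < len(cs)


def cbc_iv_reuse_reveals_equal_first_block(key: bytes, iv: bytes, p: bytes, p_star: bytes) -> bool:
    """With a reused IV, C_1 == C_1* exactly when P_1 == P_1*."""
    return cbc_encrypt(key, iv, p)[BLOCK:2 * BLOCK] == cbc_encrypt(key, iv, p_star)[BLOCK:2 * BLOCK]
```

The two check functions at the end are the detection side of the notes' warnings: equal ciphertext blocks under ECB and equal first CBC blocks under a repeated IV are visible to anyone holding the ciphertexts, without the key. The CTR loop makes the parallelism claim concrete, since block i depends only on IV+i and the key, never on block i-1.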