Crypto

This document discusses symmetric key cryptography. It explains that symmetric key cryptography uses the same secret key for both encryption and decryption. The key is known to both the communicating parties. It also discusses different attacker models like ciphertext-only attack, known-plaintext attack, replay attack, and chosen plaintext attack where the attacker has access to the ciphertext, plaintext, or can replay messages.

CS431 Computer and Network Security

Cryptography

Abhishek Bichhawat 20/01/2023


Crypto…

● Cryptology is the study of Cryptography and Cryptanalysis


● Cryptography is the study of mathematical techniques to
enforce security properties
○ Only (one of many) means to an end
● Cryptanalysis is the study of how to break cryptographic
systems

2
Cryptography

● Idea of cryptography was to secretly transmit messages


● Secure communication between two parties

3
Cryptography

4
Cryptography

HOW ARE YOU?

5
Cryptography

HOW ARE YOU?


HOW ARE YOU?
SEND ME 100 RS.

6
History of Cryptography

● Earliest known is Scytale Cipher


○ Used by Spartans
○ Transposition cipher

7
Transposition Cipher Example

Decrypt: ITGIIAJKCILUIUSESNRSMOEYPAJSTM

Keyword (column headers) and plaintext written row by row:

    A  U  T  H  O  R
    I  A  M  J  U  S
    T  J  O  K  I  N
    G  S  E  C  U  R
    I  T  Y  I  S  S
    I  M  P  L  E
History of Cryptography

● Caesar Cipher
○ Substitution Cipher
○ Used a key (0 to 25) that indicates no. of letters to shift before
replacing
DWWDFN EULGJH DW GDZQ

ATTACK BRIDGE AT DAWN


9
Simple Substitution Cipher

● Use keywords followed by remaining letters


● Suppose the keyword is ZEBRA
○ Substitution:
Plaintext alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet ZEBRASCDFGHIJKLMNOPQTUVWXY
● Decipher
FZJQDAHFIIAO
SIAA ZQ LKBA. VA ZOA RFPBLUAOAR!

10
Random Substitution Cipher

● Generate random one-to-one mapping between characters


● A → B, B → E, C → X, D → A, and so on
● Not a constant key shift
● The mapping shared between the parties
(symmetric key cryptography)
● Brute-force attack?
Random Substitution Cipher

● Generate random one-to-one mapping between characters


● A → B, B → E, C → X, D → A, and so on
● Frequency analysis attack
■ Some letters are more probable to occur
■ Use multiple encoded messages to reconstruct text
○ Count the occurrences in the “multiple” encrypted
messages that we have received and compare them
against the existing probabilities.
○ Improve by using digrams …
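Added example in Python (not from the slides): it builds the keyword alphabet exactly as the keyword-substitution slide does, deciphers the two exercise lines, and sketches the frequency-analysis starting point the random-substitution slide describes. The substitution alphabet printed on the slide, ZEBRASCDFGHIJKLMNOPQTUVWXY, is the one produced by the keyword ZEBRAS, so that keyword is used here; the English letter-frequency ordering is a constructed reference table.

```python
from collections import Counter
from string import ascii_uppercase

# Constructed reference: English letters ordered from most to least frequent.
# Real analyses use counts from a large corpus; the order is enough for a first guess.
ENGLISH_FREQ_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def keyword_alphabet(keyword: str) -> str:
    """Ciphertext alphabet: keyword letters (duplicates dropped) followed by the
    remaining letters in alphabetical order, as on the slide."""
    seen = []
    for ch in keyword.upper() + ascii_uppercase:
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitute(text: str, src: str, dst: str) -> str:
    """Map every letter of `text` from alphabet `src` to alphabet `dst`;
    spaces and punctuation pass through unchanged."""
    return text.upper().translate(str.maketrans(src, dst))


def encrypt(plaintext: str, keyword: str) -> str:
    return substitute(plaintext, ascii_uppercase, keyword_alphabet(keyword))


def decrypt(ciphertext: str, keyword: str) -> str:
    return substitute(ciphertext, keyword_alphabet(keyword), ascii_uppercase)


def frequency_guess(ciphertext: str) -> dict:
    """Frequency analysis, first pass: rank ciphertext letters by how often they
    occur and pair each with the English letter of the same rank.  With little
    ciphertext the guess is poor, which is why the slide says to pool several
    messages (and then refine with digrams)."""
    counts = Counter(ch for ch in ciphertext.upper() if ch.isalpha())
    ranked = [ch for ch, _ in counts.most_common()]
    return dict(zip(ranked, ENGLISH_FREQ_ORDER))


if __name__ == "__main__":
    print(keyword_alphabet("ZEBRAS"))
    print(decrypt("FZJQDAHFIIAO", "ZEBRAS"))
    print(decrypt("SIAA ZQ LKBA. VA ZOA RFPBLUAOAR!", "ZEBRAS"))
```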
Polyalphabetic Ciphers

● Uses multiple substitution alphabets


● Use different monoalphabetic substitutions as one
progresses through the message
● Key properties
○ A set of related monoalphabetic substitution rules
is used
○ A key determines which particular rule is chosen
for a given transformation

● Enigma (WWII)
Vigenere Cipher

● Applies a different variant of the Caesar cipher on each letter


depending on a key
● The key gives the shift for each letter starting with a = 0
(no shift)
● The key “decrypt” provides the following shifts:
d = 3; e = 4; c = 2; r = 17; y = 24; p = 15; t = 19

14
Vigenere Cipher

IAMJUSTACLOWN
DECRYPTDECRYP

15
Vigenere Cipher

The Key:           DECRYPTDECRYP
Plaintext:         IAMJUSTACLOWN
Encrypted Letters: (row shown on the slide)

16
Vigenere Cipher

Decrypt this:
Wmrpnwff hto ngh jrgpnl hii ntpzss
Key is :
Bellaso

17
Vigenere Cipher

Key: ABCDABCDABCDABCD ABCDABCDABCD


Plaintext: cryptoisshortfor cryptography
Ciphertext: CSASTPKVSIQUTGQU CSASTPIUAQJB

18
Vigenere Cipher

● Autotext / Autokey
○ Pad the key with the plaintext, rather than repetitions of the key
■ Decryptyouare
■ Still vulnerable to frequency analysis
■ Can exploit statistical properties if fragment of ciphertext
recovered large enough

19
Vigenere Cipher

● Autotext
○ Pad the key with the plaintext, rather than repetitions of the key
■ Decryptyouare
■ Still vulnerable to frequency analysis
■ Can exploit statistical properties if fragment of ciphertext
recovered large enough
● Use a key as long as the text and statistically independent
(Vernam Cipher)

20
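Added example in Python (not the lecture's code) implementing both Vigenère variants discussed above: the repeating key, advanced only over letters so that the slide exercise with key Bellaso can be checked directly, and the autokey form, where the primer is followed by the plaintext itself.

```python
A = ord("A")


def _shifts(key: str) -> list:
    """Key letters as Caesar shifts, a = 0 (no shift) as on the slides."""
    return [ord(ch) - A for ch in key.upper() if ch.isalpha()]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Repeating-key Vigenère.  The key index advances only on letters, so
    spaces and punctuation stay in place; output keeps the input's case."""
    shifts = _shifts(key)
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = A if ch.isupper() else ord("a")
        s = shifts[i % len(shifts)]
        if decrypt:
            s = -s
        out.append(chr((ord(ch) - base + s) % 26 + base))
        i += 1
    return "".join(out)


def autokey_encrypt(plaintext: str, key: str) -> str:
    """Autokey: keystream = primer followed by the plaintext (DECRYPT + YOUARE...),
    so the key never repeats, though letter statistics still leak."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    stream = _shifts(key) + [ord(c) - A for c in letters]
    return "".join(chr((ord(p) - A + s) % 26 + A) for p, s in zip(letters, stream))


def autokey_decrypt(ciphertext: str, key: str) -> str:
    """Recover left to right: each recovered plaintext letter becomes the key
    for a later position, so the keystream is rebuilt as we go."""
    stream = _shifts(key)
    plain = []
    for idx, c in enumerate(ciphertext.upper()):
        p = (ord(c) - A - stream[idx]) % 26
        plain.append(chr(p + A))
        stream.append(p)  # extend keystream with the recovered letter
    return "".join(plain)


if __name__ == "__main__":
    print(vigenere("Wmrpnwff hto ngh jrgpnl hii ntpzss", "Bellaso", decrypt=True))
```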
Vernam Cipher

● Key is as long as the plaintext and statistically independent


● Suppose P is the plaintext, K is the key, then the ciphertext is
generated as:
C_i = P_i ⊕ K_i

21
One-time Pad

● Proposed during WW1 (used in Cold War, too)


● Truly random key
● Key as long as the plaintext
● Never reused in whole or part
● Kept secret

22
One-time Pad

● Because the key is truly random, the same ciphertext can map
into any plaintext
● So, one-time pad is invulnerable to cryptanalysis

23
One-time Pad

● True randomness extremely difficult!


○ Computers can’t do it
● Impractical for large volumes of data
● Approximations are needed
○ Rotor machines

24
Rotor Machines

Use multi-stage encryption

25
Rotor Machines

● Use multi-stage encryption


● Each stage consists of a rotor, that performs a
monoalphabetic substitution
● Once a key is pressed the rotor shifts by one
position
● So, for one rotor, polyalphabetic substitution of
period 26
● Power is in using multiple rotors
○ Once the first rotor has completed a full revolution,
the second rotor advances by one pin, and so forth
● Widely used in Germany (WWII)
26
Rotor Machines

Before 1st Keystroke

27
Rotor Machines

After 1st Keystroke

28
Rotor Machines

Before 26th Keystroke

29
Rotor Machines

After 26th Keystroke

30
Rotor Machines

● Achieve randomness of the key by multiple stages of


substitution
○ Deterministic, but with a very large period
● 3 stages:
○ 26x26x26 = 17,576 substitution alphabets used before repetition
● 5 stages
○ 26x26x26x26x26 = 11,881,376 substitution alphabets
David Kahn: “A period of that length thwarts any practical possibility of a straightforward solution on the basis of letter
frequency. This general solution would need about 50 letters per cipher alphabet, meaning that all five rotors would have to
go through their combined cycle 50 times. The ciphertext would have to be as long as all the speeches made on the floor of
the Senate and the House of Representatives in three successive sessions of Congress. No cryptanalyst is likely to bag that
kind of trophy in his lifetime; even diplomats, who can be as verbose as politicians, rarely scale those heights of loquacity.”
31
Rotor Machines

● Achieve randomness of the key by multiple stages of


substitution
○ Deterministic, but with a very large period
● 3 stages:
○ 26x26x26 = 17,576 substitution alphabets used before repetition
● 5 stages
○ 26x26x26x26x26 = 11,881,376 substitution alphabets
● Why are rotor machines important?
○ Basis for all multi-stage encryption ciphers,
e.g., DES (most widely used cipher)
32
Cryptography - An Exercise

33
CS431 Computer and Network Security

Symmetric Key
Cryptography
Abhishek Bichhawat 01/02/2023
Keys

● Basic building block in Cryptography


● Use the keys to encrypt messages (plaintext) to get the
ciphertext

2
Keys

● Basic building block in Cryptography


● Use the keys to encrypt messages (plaintext) to get the
ciphertext
● Two models
○ Symmetric Key
■ Alice and Bob both know the same secret key
○ Asymmetric Key
■ Keys are generated in pairs -
one secret part and one public part
■ Public part known to all while secret part is known only to
owner of the key
● Assume that key is the only secret part of each communication
3
Attacker Models (Eve)

● Ciphertext-only attack
○ Access only to the ciphertext
● Known-plaintext attack
○ Knows ciphertext and (partial) plaintext
● Replay attack
○ Replays the encrypted message between the two parties
● Chosen plaintext attack
○ Trick Alice into encrypting Eve’s messages (check ciphertexts)
● Chosen ciphertext attack
○ Trick Bob into decrypting some ciphertexts (use later)
4
Symmetric Key Cryptography

● Two parties share the same key


(or the keys should be trivially obtained from each other)

5
Symmetric Key Cryptography

C = E_K(P)
P = D_K(E_K(P))

(Figure: plaintext P = “HI CS431” goes through E_K to give ciphertext C, and C goes through D_K to recover P.)
6
Stream Ciphers

● Approximation of one-time pad


○ Operate on the plaintext single symbol (bit, byte, letter) at a time
○ The same plaintext symbol will encrypt to a different symbol every time
it is encrypted
● Normally, employs XOR operations and IV (initialization vectors)
● Advantage
○ Relatively easy to implement in hardware
● Drawbacks
○ Keys must never be used twice
○ Susceptible to Bit flipping attack
7
Stream Ciphers - Key Reuse Attack

Assume messages M1 and M2 of the same length and key K

EM1 = M1 ⊕ K        EM2 = M2 ⊕ K
EM1 ⊕ EM2 = M1 ⊕ K ⊕ M2 ⊕ K
EM1 ⊕ EM2 = M1 ⊕ M2

● Can use initialization vectors along with the key


○ Random plaintexts mixed with key to derive new keys
(should be long enough to prevent replay)
9
Stream Ciphers - Bit-flipping Attack

● Adversary can alter part of the message without the key
  (particularly useful to the adversary when the format or part of
  the message is known)
C_i = P_i ⊕ K_i
P_i' = P_i ⊕ A_i          (P_i is the known plaintext, A_i the value the adversary wants in its place)
C_i' = C_i ⊕ P_i' = P_i ⊕ K_i ⊕ P_i'
C_i' = A_i ⊕ K_i          (the modified ciphertext now decrypts to A_i)
Use Message Authentication Codes


11
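Added example in Python (not from the slides) walking through both stream-cipher weaknesses above and the remedy the last slide names: key reuse cancels the keystream, a known plaintext byte can be rewritten in the ciphertext, and a MAC over the ciphertext detects the change. Keys and messages are constructed for the demonstration; the keystream is a raw one-time key rather than a PRG output.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_keystream(n: int) -> bytes:
    """A one-time key: random, as long as the message, never reused (the slides' rule)."""
    return os.urandom(n)


def keystream_encrypt(msg: bytes, key: bytes) -> bytes:
    """C = M xor K; the same call decrypts."""
    assert len(key) >= len(msg), "key must be at least as long as the message"
    return xor(msg, key)


# --- Key reuse: two messages under the same keystream -----------------------
def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """EM1 xor EM2 = M1 xor M2: the shared keystream cancels, so positions where
    the two plaintexts agree show up as zero bytes without any key material."""
    return xor(c1, c2)


# --- Bit flipping: malleability without the key ------------------------------
def flip_to(c: bytes, known_plain: bytes, wanted: bytes, offset: int) -> bytes:
    """Whoever knows P_i at `offset` can turn C_i into the encryption of A_i:
    C_i' = C_i xor P_i xor A_i = A_i xor K_i.  The key is never touched."""
    c = bytearray(c)
    for i, (p, a) in enumerate(zip(known_plain, wanted)):
        c[offset + i] ^= p ^ a
    return bytes(c)


# --- Mitigation the slide names: authenticate the ciphertext -----------------
def seal(msg: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the ciphertext, so any flipped bit is
    caught before anything is decrypted."""
    c = keystream_encrypt(msg, enc_key)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes):
    """Return the plaintext, or None if the tag does not verify.  compare_digest
    runs in constant time, so the check itself leaks nothing about the tag."""
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_encrypt(c, enc_key)


if __name__ == "__main__":
    key = fresh_keystream(16)
    m1, m2 = b"PAY ALICE 100 RS", b"PAY BOB   900 RS"   # constructed messages
    leak = xor_of_plaintexts(keystream_encrypt(m1, key), keystream_encrypt(m2, key))
    print(leak.hex())   # leading zero bytes: both messages start with "PAY "
```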
Stream Ciphers - Summary

● Use fixed-length key K


● Use pseudo-random generator to generate keystream from
seed (initialization vector IV)
● C = P ⊕ PRG (K, IV)
● Send IV, C
● Practical examples
○ Vigenère with autotext, Vernam
○ RC4 (broken, various attacks)
■ Used in WEP, TLS…
○ A5/2, A5/1 (not secure, various attacks)
■ Used on GSM
○ Salsa20, ChaCha20 (still within security margins)
12
Block Ciphers

● Operate on blocks of n-bits of plaintext and ciphertext


● Same plaintext block is encrypted using the same key, always
encrypts to the same ciphertext block
● Examples
○ DES, AES, IDEA, …
○ Most “popular” ciphers
● Ciphers are bijective
○ Unique mapping between plaintexts and ciphertexts (Why?)
● {0,1}^k × {0,1}^n → {0,1}^n

13
Block Ciphers

● n-bit plaintext implies 2^n possible plaintexts

Suppose a 2-bit plaintext. Then five of the possible mappings (plaintext → ciphertext) are:

    Mapping 1   Mapping 2   Mapping 3   Mapping 4   Mapping 5
    00 → 01     00 → 01     00 → 01     00 → 01     00 → 01
    01 → 10     01 → 11     01 → 11     01 → 00     01 → 00
    10 → 11     10 → 10     10 → 00     10 → 11     10 → 10
    11 → 00     11 → 00     11 → 10     11 → 10     11 → 11

(On the slide the ciphertext, to the right of each arrow, is shown in red.)

What is the number of possible mappings?
Block Ciphers

● n-bit plaintext implies 2^n possibilities, so there could be (2^n)!
  possible plaintext to ciphertext mappings
● Each k-bit key represents one of these mappings,
  i.e., key space is the number of possible permutations of blocks:
  (2^n)!

15
Block Ciphers

● Like monoalphabetic substitution cipher, vulnerable to


statistical analysis if block length is too small (e.g., 1 symbol)
● Hard to implement if too large
○ Ideal block cipher:
need a key of size n × 2^n bits to provide all P→C mappings
● Usually 64 or 128 bits is the key length
○ How hard is it to run a brute-force attack on 128-bit key?

16
Block Cipher

● Key of length n × 2^n (≈ log2((2^n)!)) impractical

● Replace it with a key of length L ≪ n × 2^n while trying to preserve
  “randomness”
● Any idea on how to do that?

17
Feistel Cipher

● Divide the block into equal halves


● Perform F(R_i, K_i)
● L_{i+1} = R_i
● R_{i+1} = L_i ⊕ F(R_i, K_i)
● After n rounds, we obtain the
  ciphertext

18
Feistel Cipher

● Decryption happens in reverse


● Perform F(L_{i+1}, K_i)
● R_i = L_{i+1}
● L_i = R_{i+1} ⊕ F(L_{i+1}, K_i)
● After n rounds, we obtain the
  plaintext

19
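Added example in Python (not from the slides) of the Feistel structure above on a 16-bit toy block with 8-bit halves: the round function is deliberately not invertible, yet decryption recovers the plaintext because each round only re-computes F with the same subkey. The round function and key schedule are constructed for illustration and have no cryptographic strength.

```python
MASK8 = 0xFF


def round_function(r: int, k: int) -> int:
    """Toy F(R_i, K_i) on 8-bit halves: square (r xor k) and add the subkey.
    Squaring mod 256 is many-to-one (x and 256 - x collide), so F is NOT
    invertible, which is exactly what the Feistel structure tolerates."""
    x = (r ^ k) & MASK8
    return (x * x + k) & MASK8


def round_keys(key: int, rounds: int) -> list:
    """One 8-bit subkey per round from a 16-bit key (constructed toy schedule)."""
    return [((key >> (i % 16)) ^ (key * (i + 1))) & MASK8 for i in range(rounds)]


def feistel_encrypt(block: int, key: int, rounds: int = 8) -> int:
    """Split the block into L, R; each round: L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i, K_i)."""
    L, R = (block >> 8) & MASK8, block & MASK8
    for k in round_keys(key, rounds):
        L, R = R, L ^ round_function(R, k)
    return (L << 8) | R


def feistel_decrypt(block: int, key: int, rounds: int = 8) -> int:
    """Same F, subkeys in reverse order: R_i = L_{i+1}, L_i = R_{i+1} xor F(L_{i+1}, K_i)."""
    L, R = (block >> 8) & MASK8, block & MASK8
    for k in reversed(round_keys(key, rounds)):
        L, R = R ^ round_function(L, k), L
    return (L << 8) | R


def is_permutation(key: int) -> bool:
    """Every 16-bit block maps to a distinct ciphertext: the cipher is bijective
    (the 'Why?' on the block-cipher slide) even though F itself is not."""
    return len({feistel_encrypt(b, key) for b in range(1 << 16)}) == 1 << 16


if __name__ == "__main__":
    c = feistel_encrypt(0x1234, 0xC0DE)
    print(hex(c), hex(feistel_decrypt(c, 0xC0DE)))
```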
Data Encryption Standard

● Published in 1977, standardized in 1979


● Block size = 64 bit
● Key size = 64 bit, but only 56 bits usable
○ Parity bits in every byte of the key
● Feistel cipher (16 stages)
● Initial (IP) and final permutation (FP)
are inverse of each other

20
Data Encryption Standard

● Function F of DES
● 48 bit subkeys derived from K
● Operates on half block
○ Expanded to 48-bits in E
● Mixed both and divided into 8
● S-boxes substitutes the 6 bits with 4 bits
● P-box rearranges the 32 bits(generates a permutation)

21
Data Encryption Standard

● Hasn’t been broken yet, but…


○ Differential-linear cryptanalysis reduces the number of searches
  to 2^29.2 and requires 2^15.8 chosen plaintexts
● 56-bit key is crackable by brute-force
○ Has been done by EFF (1998)
○ Machine < $250,000 breaks 56-bit key in < 3 days
○ Cambridge researchers broke IBM 4758 CCA DES keys in 37
hours using $995 FPGA board
● Try extending the encryption

22
Double DES

● Use two keys and encrypt twice :


C = E_K1(E_K2(P))
● This should give twice the security of DES :
Key is 2n bits long

23
Double DES

Decrypt the ciphertext 11

24
Double DES - Meet-in-the-middle

● Use two keys and encrypt twice :


C = EK1(EK2(P))
● This should give twice the security of DES :
Key is 2n bits long
● Susceptible to meet-in-the-middle attack
○ Known-plaintext attack
C = E_K1(E_K2(P))
D_K1(C) = D_K1(E_K1(E_K2(P)))
D_K1(C) = E_K2(P)

25
Meet-in-the-middle attack

Decrypt the ciphertext 11

26
Triple DES

● Encryption:
  Use two (three) keys, encrypt twice and decrypt once:
  C = E_K1(D_K2(E_K1(P)))
  C = E_K3(D_K2(E_K1(P)))
● Decryption:
  P = D_K1(E_K2(D_K1(C)))
  P = D_K3(E_K2(D_K1(C)))

● Key-size is 2^112 bits
  ○ Might be enough for current computers
27
Data Encryption Standard

● Hasn’t been broken yet, but…


○ Differential-linear cryptanalysis reduces the number of searches
  to 2^29.2 and requires 2^15.8 chosen plaintexts
● 56-bit key is crackable by brute-force
○ Has been done by EFF (1998)
○ Machine < $250,000 breaks 56-bit key in < 3 days
○ Cambridge researchers broke IBM 4758 CCA DES keys in 37
hours using $995 FPGA board
● Lifetime extended by doing it three times (Triple-DES)
● DES no longer a standard and should not be used for critical
applications anymore
○ Instead AES
28
Advanced Encryption Standard

● Successor to DES
● Open competition in 1997
○ Finalists included Schneier, Anderson, Wagner and others
○ Winners: Joan Daemen & Vincent Rijmen from Belgium
■ Rijndael
○ Substitution permutation network
○ Supports {128, 192, 256}-bit key size and 128-bit blocks
● http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

29
CS431 Computer and Network Security

Modes of Operation

Abhishek Bichhawat 03/02/2023


Modes of Operation

3
Block Cipher - Modes of Operation

● Encrypting longer messages using block cipher


● Electronic Codebook (ECB): Naive approach to use AES
multiple times by breaking message into 128-bit messages.
● Key is the same!

4
ECB

5
Cipher Block Chaining

Add randomness to the process (remember IV from before)

Use the first ciphertext block


to add some randomness to
the second block

6
Cipher Block Chaining - Encryption

Choose a random IV. Split M into n plaintext blocks P1 … Pn


Compute C_i = E_K(P_i ⊕ C_{i-1}); C_0 = IV
Ciphertext: C_0 C_1 … C_n

7
Cipher Block Chaining - Decryption

Ciphertext: C_0 C_1 … C_n; C_0 = IV
Compute P_i = D_K(C_i) ⊕ C_{i-1}

8
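Added example in Python (not from the slides) of ECB versus CBC from the formulas above. A keyed permutation of byte values stands in for AES, so the "block" is one byte and the toy has no security; the point is the chaining: identical plaintext blocks repeat under ECB, CBC mixes C_{i-1} into P_i before encryption, and decryption inverts it using the IV sent as C_0.

```python
import os
import random


def toy_block_cipher(key: int):
    """A keyed permutation of the 256 byte values stands in for AES: E_K and D_K
    on one-byte blocks.  random.Random(key) is a fixed-seed PRNG, so this is a
    toy with no security; only the mode logic around it matters here."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def ecb_encrypt(pt: bytes, key: int) -> bytes:
    """Electronic codebook: every block encrypted independently under the same
    key, so equal plaintext blocks give equal ciphertext blocks."""
    E, _ = toy_block_cipher(key)
    return bytes(E(b) for b in pt)


def cbc_encrypt(pt: bytes, key: int, iv: bytes) -> bytes:
    """C_i = E_K(P_i xor C_{i-1}) with C_0 = IV; returns C_0 C_1 ... C_n."""
    E, _ = toy_block_cipher(key)
    prev = iv[0]
    out = bytearray([prev])
    for p in pt:
        prev = E(p ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_encrypt_random_iv(pt: bytes, key: int) -> bytes:
    """Fresh random IV per message, as the slide prescribes."""
    return cbc_encrypt(pt, key, os.urandom(1))


def cbc_decrypt(ct: bytes, key: int) -> bytes:
    """P_i = D_K(C_i) xor C_{i-1}; the first byte of ct is the IV."""
    _, D = toy_block_cipher(key)
    return bytes(D(ct[i]) ^ ct[i - 1] for i in range(1, len(ct)))


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier one (pattern leakage)."""
    return len(ct) - len(set(ct))


if __name__ == "__main__":
    pt = b"ATTACK AT DAWN  ATTACK AT DAWN  "   # constructed, repeating plaintext
    print("ECB repeats:", repeated_blocks(ecb_encrypt(pt, 7)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt_random_iv(pt, 7)[1:]))
```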
Challenges with Symmetric Key Cryptography

● Alice and Bob can communicate securely using the shared


secret keys and algorithms like AES or DES

How did Alice and


Bob share the
secret key?

9
Challenges with Symmetric Key Cryptography

● How does Alice communicate with different parties?

10
Diffie-Hellman-Merkle (DH) Key Exchange

● Efforts were made to share symmetric keys


● Diffie-Hellman-Merkle
○ Solve key exchange problem by using
independent secret keys and public
information
○ Foundation for public (asymmetric) key
cryptography
● Similar method developed in UK by James
Ellis (1960s) but remained classified

11
Asymmetric Key Cryptography

12
DH Key Exchange

13
One-way Functions and Discrete Log Problems

● One-way function
○ Mathematical equivalent of the earlier examples
○ f(x) = y, given x you can compute f(x) but cannot compute x from y
○ Various functions that are one-way
● Exponentiation modulo prime
○ Choose g (some generator) and p (large prime) (both public)
○ f(x) = g^x mod p
● Discrete logarithm problem (discrete log problem)
○ Given g, p, g^x mod p for random x, it is computationally hard to find x

14
DH Key Exchange

g and p are public values

Alice                                   Bob
  Generate x                              Generate y
  Compute g^x mod p   --- g^x mod p -->   Compute g^y mod p
                      <-- g^y mod p ---
  Receive g^y mod p                       Receive g^x mod p
  Compute (g^y)^x mod p                   Compute (g^x)^y mod p
15
DH Key Exchange: Why mod p?

g and p are public values: g = 5, p = 23

Alice                                   Bob
  Generate x = 4                          Generate y = 3
  Compute g^x mod p   --- g^x mod p -->   Compute g^y mod p
                      <-- g^y mod p ---
  Receive g^y mod p                       Receive g^x mod p
  Compute (g^y)^x mod p                   Compute (g^x)^y mod p
16
DH Key Exchange

● Use modular arithmetic (remember clocks!)

17
DH Key Exchange

18
DH Key Exchange

● Steps
○ Agree publicly on g (base) and p (large prime) s.t. g < p - 1
○ Pick secret values x and y
○ Compute g^x mod p and g^y mod p
○ Send them to the other party, respectively
○ Compute g^(xy) mod p, which is the new shared secret
● Eve can get g^x mod p and g^y mod p but cannot derive x and y

● Create an ephemeral or a session key (normally)


○ Short-lived key used for one (or few) encryptions
● What’s missing? Does not provide authentication!
19
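Added example in Python (not from the slides) running the steps above with the slide's values g = 5, p = 23, x = 4, y = 3, and then the man-in-the-middle variant the next slides describe, to make concrete why the exchange needs authentication. Mallory's secret m is a constructed value; the tiny p is for readability only.

```python
import secrets


def dh_public(g: int, p: int, secret: int) -> int:
    """g^x mod p (Python's three-argument pow is square-and-multiply)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """(g^y)^x mod p on Alice's side, (g^x)^y mod p on Bob's; both equal g^(xy) mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(g: int, p: int, x: int, y: int) -> tuple:
    """Run both sides honestly; return (g^x mod p, g^y mod p, shared secret)."""
    A = dh_public(g, p, x)          # Alice sends this
    B = dh_public(g, p, y)          # Bob sends this
    k_alice = dh_shared(B, x, p)
    k_bob = dh_shared(A, y, p)
    assert k_alice == k_bob         # the arithmetic guarantees agreement
    return A, B, k_alice


def mitm_keys(g: int, p: int, x: int, y: int, m: int) -> tuple:
    """Unauthenticated exchange with Mallory replacing both public values by g^m:
    Alice ends up with (g^m)^x and Bob with (g^m)^y, each shared with Mallory,
    who computes the same two values as (g^x)^m and (g^y)^m.  Neither honest
    party can tell, because nothing in the protocol binds g^x to Alice."""
    M = dh_public(g, p, m)
    k_alice_mallory = dh_shared(M, x, p)
    k_bob_mallory = dh_shared(M, y, p)
    assert k_alice_mallory == dh_shared(dh_public(g, p, x), m, p)
    assert k_bob_mallory == dh_shared(dh_public(g, p, y), m, p)
    return k_alice_mallory, k_bob_mallory


def random_secret(p: int) -> int:
    """Ephemeral exponent in [1, p-2] from the OS CSPRNG, not random.random()."""
    return secrets.randbelow(p - 2) + 1


if __name__ == "__main__":
    print(dh_exchange(5, 23, 4, 3))          # (4, 10, 18)
    print(mitm_keys(5, 23, 4, 3, 6))         # two keys, neither equal to 18
```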
Man-in-the-middle Attack

● Desired Property
○ Alice and Bob should know the shared secret
● What if there is a (wo)man-in-the-middle?
g and p are public values
m is Mallory’s secret

Alice                        Mallory                                     Bob
  sends g^x mod p -->          intercepts g^x, forwards g^m mod p -->
  receives g^m mod p <--       forwards g^m mod p, intercepts g^y <--      sends g^y mod p
  Compute (g^m)^x mod p        Compute (g^x)^m mod p and (g^y)^m mod p     Compute (g^m)^y mod p = (g^y)^m mod p
20
Man-in-the-middle Attack

● Desired Property
○ Alice and Bob should know the shared secret
● What if there is a man-in-the-middle?
○ Alice thinks she is talking to Bob
○ Bob thinks he is talking to Alice
○ But, both are talking to Mallory who
now shares secret keys with both
Alice and Bob (reading all their
messages comfortably)!
○ DH (as is described) is not secure against a MITM

21
Diffie-Hellman Key Exchange

● DH is an active protocol: Alice and Bob need to be online at the


same time to create a shared secret

22
CS431 Computer and Network Security

Asymmetric Key
Cryptography
Abhishek Bichhawat 10/02/2023
Public Key Cryptography

● Keys are generated in pairs


○ Public key
○ Private key
● Public key is known to all
○ E.g., everyone knows that the public key PKA belongs to Alice
● Private key is known only to the owner
● Private key should not be derivable from the public key!
● Message encrypted with Alice’s public key can only be
decrypted by Alice’s private key
○ Gives authentication guarantees, too.
● Use modular arithmetic, discrete log problem etc.
(instead of XORs and bit-shifts)
Definition of PK Encryption Scheme

A public key encryption scheme is a triple 〈G, E, D〉 of efficiently computable
functions such that:

1. G is a keygen function that outputs a “public key” PK and a “private key” SK
   〈PK, SK〉 ← G(⋅)
2. E takes public key PK and plaintext M as input, and outputs a ciphertext
   C ← E_PK(M)
3. D takes a ciphertext C and private key SK, and outputs ⊥ or a plaintext
   M ← D_SK(C)
4. If C ← E_PK(M) then M ← D_SK(C)
5. If C ← E_PK(M), then C and PK should reveal “no information” about M
9
RSA Public Key Encryption Algorithm

● Most popular public key encryption algorithm


● Developed shortly after Diffie-Hellman by
○ Ron Rivest
○ Adi Shamir
○ Leonard Adelman
● Allows encryption and authentication
● Clifford Cocks (w/ James Ellis and Malcolm Williamson), at
GCHQ (UK), invented independently a particular case of this
method 3 years before RSA, but it was classified by British
intelligence (declassified in 1997)
10
RSA

● Key generation:
○ Choose two large prime numbers p and q such that p ≠ q,
randomly and independently of each other.
○ Pick integer e coprime with (p-1)(q-1) (i.e., gcd(e, (p-1)(q-1)) = 1)
○ Compute d such that
  ed ≡ 1 (mod (p-1)(q-1)), i.e., ed mod (p-1)(q-1) = 1
○ n = pq (factoring problem)
○ Private key = (n, d)
○ Public key = (n, e)
● Messages are numbers
11
RSA

● Encryption:
  ○ E_(n,e)(m) = m^e mod n
● Decryption:
  ○ D_(n,d)(c) = c^d mod n
● D_(n,d)(E_(n,e)(m)) = m   (ed mod (p-1)(q-1) = 1)
  (ed - 1 = h(p-1) = k(q-1))

12
RSA

● Encryption:
  ○ E_(n,e)(m) = m^e mod n
● Decryption:
  ○ D_(n,d)(c) = c^d mod n
● Let p = 7 and q = 17
  ○ n = 7 * 17 = 119
  ○ (p-1)(q-1) = 96
  ○ e should be coprime with 96 - choose 5
  ○ Compute d such that ed mod (p-1)(q-1) = 1, i.e., 5*d mod 96 = 1
    ■ Assume d is 77 (check: 5 * 77 = 385 = 4 * 96 + 1)
13
RSA

● Encryption:
  ○ E_(n,e)(m) = m^e mod n
● Decryption:
  ○ D_(n,d)(c) = c^d mod n
● D_(n,d)(E_(n,e)(m)) = m   (ed - 1 = h(p-1) = k(q-1))
  (m^e mod pq)^d mod pq = m mod pq
  m^(ed) mod pq = m mod pq
  m^(ed) mod p = m mod p        m^(ed) mod q = m mod q
  m^(ed-1) · m mod p = m mod p
  m^((p-1)h) · m mod p = m mod p
  (m^(p-1))^h · m mod p = m mod p   … Fermat’s little theorem: a^(p-1) ≡ 1 (mod p)
  1^h · m mod p = m mod p
Attacks on RSA

● Bleichenbacher attack
○ Encryption with e = 3 can be decrypted easily
● Hastad’s broadcast attack (Coppersmith’s attack)
○ Clear-text message m sent to e or more recipients that share the
same exponent e, but different n (p and q), can be decrypted easily
via the Chinese remainder theorem.
○ c_1 = m^3 mod n_1, c_2 = m^3 mod n_2, c_3 = m^3 mod n_3
○ Chinese remainder theorem gives c’ = m^3 mod n_1·n_2·n_3 = m^3
  (m^3 is smaller than n_1·n_2·n_3)

17
Attacks on RSA

● Bleichenbacher attack
○ Encryption with e = 3 can be decrypted easily
● Hastad’s broadcast attack (Coppersmith’s attack)
● Deterministic encryption algorithm
○ Chosen plaintext attack against the cryptosystem
○ RSA without padding is not semantically secure

18
Attacks on RSA

● Bleichenbacher attack
○ Encryption with e = 3 can be decrypted easily
● Hastad’s broadcast attack (Coppersmith’s attack)
● Deterministic encryption algorithm
○ Chosen plaintext attack against the cryptosystem
● Vulnerable to chosen ciphertext attack
○ Product of two ciphertexts is equal to the encryption of the
product of the respective plaintexts

19
Attacks on RSA

● Bleichenbacher attack
○ Encryption with e = 3 can be decrypted easily
● Hastad’s broadcast attack (Coppersmith’s attack)
● Deterministic encryption algorithm
○ Chosen plaintext attack against the cryptosystem
● Vulnerable to chosen ciphertext attack
○ Product of two ciphertexts is equal to the encryption of the
product of the respective plaintexts
● Timing and power attacks
○ Measure time and power consumption to figure operations
20
Digital Signatures

21
Digital Signatures

● Digital signatures are a way to provide integrity/authenticity


● A digital signature scheme is a triple 〈G, S, V〉 of efficiently computable
  algorithms
  ○ G outputs a “public key” VK and a “private key” SK:
    〈VK, SK〉 ← G(⋅)
  ○ S takes a “message” m and SK as input and outputs a “signature” σ:
    σ ← S_SK(m)
  ○ V takes a “message” m, signature σ and public key VK as input, and outputs a bit b:
    b ← V_VK(m, σ)
  ○ If σ ← S_SK(m) then V_VK(m, σ) outputs 1 (“valid”)
  ○ Given only VK and message/signature pairs {〈m_i, S_SK(m_i)〉}_i, it is computationally
    infeasible to compute 〈m, σ〉 such that V_VK(m, σ) = 1 for any new m ≠ m_i

22
Digital Signatures

(Figure: the verifier asks the Certificate Authority “Is this Alice’s signature?” and receives the answer “YES!”.)

Digital Signatures

(Figure: M → D → S, then S, M → E: the message M is signed with the private-key operation D to give the signature S, and the pair S, M is checked with the public-key operation E.)
RSA Signatures

● Key generation (same as in RSA PKE):


○ Choose two large prime numbers p and q such that p ≠ q.
○ Pick integer e coprime with (p-1)(q-1) (i.e., gcd(e, (p-1)(q-1)) = 1)
○ Compute d such that ed mod (p-1)(q-1) = 1
○ Private key = (n, d)
○ Public key = (n, e)
● Sign(d, m):
  ○ Compute sig = m^d mod pq
● Verify(e, n, m, sig):
  ○ Check m ≡ sig^e (mod pq)
25
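Added example in Python (not from the slides) covering textbook RSA as defined in the key-generation, encryption/decryption and signature slides, with the slide's parameters p = 7, q = 17, e = 5; it also checks the multiplicative property that the attacks slide lists, the reason unpadded RSA is not used in practice. Requires Python 3.8+ for pow(e, -1, phi).

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Key generation from the RSA slide.  Returns (public (n, e), private (n, d))."""
    assert p != q
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with (p-1)(q-1)"
    d = pow(e, -1, phi)          # modular inverse, so e*d mod phi == 1 (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub: tuple, m: int) -> int:
    """E_(n,e)(m) = m^e mod n; the message is a number below n."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv: tuple, c: int) -> int:
    """D_(n,d)(c) = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv: tuple, m: int) -> int:
    """sig = m^d mod pq (textbook signing: no hashing, no padding)."""
    n, d = priv
    return pow(m, d, n)


def rsa_verify(pub: tuple, m: int, sig: int) -> bool:
    """Check m == sig^e mod pq."""
    n, e = pub
    return pow(sig, e, n) == m % n


def is_multiplicative(pub: tuple, m1: int, m2: int) -> bool:
    """E(m1) * E(m2) mod n == E(m1 * m2 mod n): the property behind the
    chosen-ciphertext attack on the slide, and why deployments pad (OAEP, PSS)."""
    n, _ = pub
    lhs = (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n
    return lhs == rsa_encrypt(pub, (m1 * m2) % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 17, 5)
    print(pub, priv)                                  # (119, 5) (119, 77)
    c = rsa_encrypt(pub, 42)
    print(c, rsa_decrypt(priv, c))                    # ..., 42
    print(rsa_verify(pub, 65, rsa_sign(priv, 65)))    # True
```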
Digital Signatures - Compromises

● Existential forgery
○ The attacker manages to forge a signature of (at least) one
message, but not necessarily of his choice
● Selective forgery
○ The attacker manages to forge a signature of (at least) one
message of his choice
● Universal forgery
○ The attacker manages to forge a signature of any message

26
Summary

● Public key encryption


○ Private and public key pairs
○ Public key encrypts and private key decrypts
○ Provides properties similar to symmetric key encryption
● Digital signatures
○ Provide integrity and authenticity for asymmetric schemes
○ Private and public key pairs
○ Encrypt with private key and decrypt with public key

27
CS431 Computer and Network Security

Message Authentication
Codes
Abhishek Bichhawat 22/02/2023
Message Authentication Codes (MAC)

● “Cryptographic checksum,” i.e., keyed hash


● Can use symmetric block cipher or (more commonly) one-way
hash function as a basis
● Provides authentication and integrity
○ Send message and tag (MAC)

2
Message Authentication Codes

A message authentication code (MAC) scheme is a triple 〈G, T, V〉 of
efficiently computable functions
● G outputs a “secret key” K
  K ← G(⋅)
● T takes a key K and “message” m as input, and outputs a “tag” t
  t ← T_K(m)
● V takes a message m, tag t and key K as input, and outputs a bit b
  b ← V_K(m, t)
● If t ← T_K(m) then V_K(m, t) outputs 1 (“valid”)
● Given only message/tag pairs {〈m_i, T_K(m_i)〉}_i, it is computationally
  infeasible to compute 〈m, t〉 such that V_K(m, t) = 1 for any new m ≠ m_i
3
MAC

● Alice wants to send m to Bob and guarantee integrity


● Alice sends m and t = MAC(K, m) to Bob
● Bob receives m and t
● Bob computes MAC(K, m) and checks that it matches t
● If the MACs match, Bob is confident the message has not been
tampered with.

4
Hash Message Authentication Code (HMAC)

● Hash-based MAC
○ Cryptographic hash
○ Secret key
● Provide authentication using a shared secret instead of using
digital signatures
● Normally, we could have done MAC = H(Key || Message)
but this is susceptible to length extension attacks
● Instead, we do MAC = H(Key || H(Key || Message))

5
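Added example in Python (not from the slides) of the MAC scheme 〈G, T, V〉 instantiated with HMAC-SHA256 as specified in RFC 2104, written out so the nested structure the HMAC slide describes is visible, and checked against the standard library's hmac module. The key is a constructed value.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64   # SHA-256 processes 64-byte blocks


def keygen(length: int = 32) -> bytes:
    """G: a fresh secret key from the OS CSPRNG."""
    return secrets.token_bytes(length)


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC as in RFC 2104:
        HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
    where K' is the key padded with zeros to the block size (hashed first if
    longer).  This is the slide's 'hash the key together with an inner hash'
    idea made precise: the outer hash over a secret-derived prefix is what
    stops the length-extension attack that breaks plain H(K || m)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def tag(key: bytes, msg: bytes) -> bytes:
    """T_K(m): the MAC tag sent along with the message."""
    return hmac_sha256_manual(key, msg)


def verify(key: bytes, msg: bytes, t: bytes) -> bool:
    """V_K(m, t): recompute and compare in constant time, so the comparison
    does not leak how many leading tag bytes were correct."""
    return hmac.compare_digest(tag(key, msg), t)


if __name__ == "__main__":
    k = keygen()
    m = b"HI CS431"
    t = tag(k, m)
    print(t.hex(), verify(k, m, t), verify(k, m + b"!", t))   # ..., True, False
```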
HMAC

6
Randomness

● Randomness is an important property required by


cryptographic algorithms
○ Used to generate nonces, IVs, keys etc.
● If the attacker can derive the random number, then no
guarantees remain
● We want to generate random numbers, securely
● Entropy
○ Measure of unpredictability of outputs (more is better)
○ Tossing a fair coin has a high unpredictability because both the
outcomes are equally possible
○ In general, uniform distribution has highest entropy
7
Randomness

● True randomness requires some physical source of entropy


○ Heat or light intensity
○ Human activity - moving the cursor, pressing keys (check PGP)
● Multiple sources of randomness may be better
● May be biased, at times
● Is also expensive

8
Pseudorandom number generators (PRNGs)

● Uses some randomness to generate random numbers


● They are deterministic
○ Algorithm is set and with the same seed value it generates the
random numbers in the same order
● But may be random for an adversary who does not know the
algorithm
● Input : Some random value
● Output : Pseudorandom numbers

9
Insecure PRNGs

● Casinos in Missouri experienced unusual activities


○ Suspicious players would hover over the lever and then spin at a
specific time to win
○ Vulnerability: Slot machines used predictable PRNGs
○ The PRNG output was based on the current time
● OpenSSL vulnerability
○ OpenSSL is a cryptographic library (assignment 2)
○ Used process-ids to seed the PRNG
○ Normally has only 32,768 possible numbers (in 32-bit machines)

10
Authenticated Encryption

● Scheme guaranteeing both confidentiality and integrity


● Either:
○ Combine two schemes providing each
○ Use a scheme providing both

11
Authenticated Encryption

● Scheme guaranteeing both confidentiality and integrity


● Combine two schemes providing each
○ Suppose a message M needs to be sent:
Enc_K1(M) and MAC_K2(M)
■ Provides integrity but no confidentiality because of the MAC
which is deterministic and is not IND-CPA
■ MACs in general may leak information about the message

12
Authenticated Encryption

● Scheme guaranteeing both confidentiality and integrity


● Combine two schemes providing each
○ Suppose a message M needs to be sent:
Enc_K1(M) and MAC_K2(Enc_K1(M))
■ Provides integrity
■ Provides confidentiality - MACs may leak information about
the ciphertext

13
MAC-then-Encrypt

● First compute MAC_K2(M)

● Then compute Enc_K1(M || MAC_K2(M))
● Shortcoming
○ Attacker can supply arbitrary tampered input, and you always have to
decrypt it
○ Passing attacker-chosen input through the decryption function can cause
side-channel leaks
○ Cause of “Lucky 13” attack in TLS 1.0
■ Use timing side-channel
■ Nice explanation here:
https://medium.com/@c0D3M/lucky-13-attack-explained-dd9a9fd42fa6
Encrypt-then-MAC

● First compute Enc_K1(M)

● Then compute MAC_K2(Enc_K1(M))
○ Is better than MAC-then-encrypt

15
Authenticated Encryption

● Scheme guaranteeing both confidentiality and integrity


● Combine two schemes providing each
○ Suppose a message M needs to be sent:
Enc_K1(M || MAC_K2(M))
■ Provides integrity
■ Provides confidentiality

16
Authenticated Encryption with Additional Data

● Scheme guaranteeing both confidentiality and integrity


● Use scheme designed for both:
○ AEAD
■ Provides both confidentiality and integrity over plaintext
■ Provides integrity over the additional (associated) data

17
CS431 Computer and Network Security

PKI, Trust and Passwords

Abhishek Bichhawat 24/02/2023


Public Key Infrastructure

● Remember the problem of sharing public keys and the


man-in-the-middle attack
● Need an infrastructure to verify the authenticity of public keys

[Figure: message M is encrypted (E) to ciphertext C and decrypted (D) back to M]
2
Public Key Infrastructure

● Certificate Authority
○ Issues certificates
■ Endorses the public key of a participant
■ Binds the participant’s name to the public key
● Trust Anchor
○ Entity for which trust is assumed and not derived
○ Trust others’ data through the anchor
○ Identify a certificate authority using a root certificate
○ Stores certificates for all the participants that trust the anchor
○ Establish a chain of trust
■ Verify the sender and intermediate certificate issuers
3
Chain of Trust

[Figure: certificate chain rooted at the trust anchor; each label {KX}KY’ is X’s public key signed with Y’s private key]
○ Trust anchor: {KCA}KCA’
○ Alice: {KA}KCA’
○ Bob: {KB}KCA’
○ Charlie: {KC}KA’
○ DeeDee: {KD}KA’
○ Elsa: {KE}KD’
4
Trust Anchors

● Who can be a trust anchor?


○ Central universally trusted CA
■ Contains certificates for all users
■ CA’s public key known to everyone
■ Trust on CA implies trust on the signed public key received
■ We trust that the CA has verified the identity of the user
whose public key we are asking for

5
Trust Anchors

● Who can be a trust anchor?


○ Central universally trusted CA
■ Contains certificates for all users
■ CA’s public key known to everyone
■ Trust on CA implies trust on the signed public key received
■ We trust that the CA has verified the identity of the user
whose public key we are asking for
○ Problems with central trusted CA
■ Single point of failure
■ Scalability

6
Trust Anchors

● Who can be a trust anchor?


○ Central universally trusted CA with RA
■ RAs are intermediate regional authorities that can verify keys
and can sign keys if the CA delegates this authority
■ CA issues certificates to the RAs
■ Creates a certificate chain

7
Trust Anchors

● Who can be a trust anchor?


○ Multiple trusted CAs with RAs
■ Addresses scalability too
■ Some of them are added to software when it ships

8
Web-of-Trust

9
Web-of-Trust

10
Web-of-Trust

● Challenges
○ Trust is not transitive
■ Just because Alice trusts Bob and Bob trusts Charlie,
it does not mean that Alice trusts Charlie
○ Trust is not absolute
■ You may trust someone for specific tasks but not other tasks
■ Some security expert:
“I trust my bank with my money but not with my children;
I trust my relatives with my children but not with my money.”

11
Stored Certificates

12
Certificate Revocation

● Certificate revocation is a mechanism to invalidate certificates


○ After a private key is disclosed
○ Employee leaves corporation
○ Certificate expired
■ Expiration time is usually chosen too long (updating
certificates is a lot of work)
■ Mitigates damage
○ Implementation flaws
■ ACME implementation Boulder (used, e.g., by Let’s Encrypt)
had a flaw that allowed an attacker to obtain certificates for
domains it does not own. As a consequence of this flaw, Let’s
Encrypt had to revoke more than 3 million certificates
○ Expensive process
13
Building a Cryptosystem

Requires understanding possible interactions between the
components
● Example
○ Pretty good privacy (Phil Zimmerman)
○ Used to digitally sign and/or encrypt email

14
Pretty Good Privacy

15
Passwords

16
Passwords

● Combination of characters to authenticate a user


○ When you create an account with a service: Create a password
○ When you later want to log in to the service: Type in the same
password again
● How does the service check that your password is correct?

17
Passwords

● Combination of characters to authenticate a user


○ When you create an account with a service: Create a password
○ When you later want to log in to the service: Type in the same
password again
● How does the service check that your password is correct?
○ Store a file listing every user’s password

18
Passwords

● Combination of characters to authenticate a user


○ When you create an account with a service: Create a password
○ When you later want to log in to the service: Type in the same
password again
● How does the service check that your password is correct?
○ Store a file listing every user’s password
○ Problem: What if an attacker hacks into the service? Now the
attacker knows everyone’s passwords!

19
Passwords

● Combination of characters to authenticate a user


○ When you create an account with a service: Create a password
○ When you later want to log in to the service: Type in the same
password again
● How does the service check that your password is correct?
○ Encrypt every user’s password before storing it

20
Passwords

● Combination of characters to authenticate a user


○ When you create an account with a service: Create a password
○ When you later want to log in to the service: Type in the same
password again
● How does the service check that your password is correct?
○ Encrypt every user’s password before storing it
○ Where’s the key stored?
○ Problem: The attacker could steal the encrypted passwords and
the key and decrypt everyone’s passwords!

21
Password Hashes

● Store a hash of the password


○ Hashes are
■ Deterministic: To verify a password, it has to hash to the same
value every time
■ One-way: We don’t want the attacker to reverse hashes into
original passwords
● Password verification
○ Hash the password provided by the user
○ See if the hash matches the password hash in the file

22
Attacks on Hashes

● Adversary can get access to the file containing password hashes


○ Hashes are deterministic so passwords that are common across
users will have the same hash value
○ Attacker can compute hash values for common passwords
■ Most people use passwords that are very common
■ Dictionary attack - Hash an entire dictionary of passwords
■ Rainbow tables - Makes brute-force easier

23
Offline Attacks on Password Hashes

● Adversary steals the password file, and then
computes hashes herself to check for matches.
● Adversary can try a huge
number of passwords
● If an attacker can do an
offline attack, you need a
really strong password
(e.g. 7 or more random
words)
24
https://xkcd.com/936/
Solutions for Offline Attacks on Password Hashes

● Add salt
○ Unique random number per user
○ For each user, store: username, salt,
H(password || salt)
○ To verify a password, look up the user’s
salt in the file, compute H(password || salt),
and check it matches the hash in the file
○ Salts are not secret

25
Solutions for Offline Attacks on Password Hashes

● Slow Hash
○ Use a hash function that computes hashes slowly
○ Legitimate users will not notice if it takes 0.0001 seconds or 0.1 seconds
for the server to check a password.
○ However, adversaries need to compute millions of hashes; using a slow
hash slows the brute-force attack enough to make it impractical

26
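Added example, not from the slides, covering the password-hash, salt and slow-hash slides together: a per-user random salt, a deliberately slow hash and a constant-time comparison at login. Assumptions: PBKDF2-HMAC-SHA256 with a high iteration count stands in for the "slow hash", and the password file is an in-memory dict.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # assumption: tuned so one check costs on the order of 0.1 s
SALT_BYTES = 16

def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """H(password || salt): deterministic and one-way, but deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def create_account(users: Dict[str, dict], username: str, password: str,
                   salt: Optional[bytes] = None) -> dict:
    """Store username, salt and hash. The salt is random per user and not secret,
    so two users with the same password get different stored hashes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    record = {"salt": salt, "iterations": ITERATIONS, "hash": slow_hash(password, salt)}
    users[username] = record
    return record

def check_login(users: Dict[str, dict], username: str, password: str) -> bool:
    """Look up the user's salt, recompute H(password || salt), compare in constant time."""
    record = users.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        slow_hash(password, b"\x00" * SALT_BYTES)
        return False
    candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def unsalted_hash(password: str) -> bytes:
    """The slides' starting point: a plain hash, identical for every user with that password."""
    return hashlib.sha256(password.encode("utf-8")).digest()
```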
Online Attacks on Password Hashes

● Adversary interacts with the service (e.g., tries to log in to a website)
by trying every different password.
○ Start with common passwords like 123456, password, qwerty etc.
○ With a dictionary of the 10 most common passwords, you can expect to
find about 1% of users’ passwords
● The adversary doesn’t compute the hashes.
● The tries of the attacker are limited

27
Solution to Online Attacks on Passwords

● Rate-limiting
○ Limit the number of tries within a time limit
○ Lock accounts if a certain number of tries fail
○ May result in DoS
● Impose password requirements
○ Make it harder to guess password
● CAPTCHAs
○ Make it take longer for the adversary to complete a guess
○ Can remove the possibility of automated checks
● These may not help against untargeted attacks
28
Choosing Passwords

https://xkcd.com/538/
29
