mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 22:53:51 +00:00
fix: remove # after image links
This commit is contained in:
@@ -155,7 +155,7 @@ There are many ways of achieving security.
|
|||||||
|
|
||||||
### Basics of a Cryptosystem
|
### Basics of a Cryptosystem
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- A **message** in *plaintext* is given to an **encryption algorithm**.
|
- A **message** in *plaintext* is given to an **encryption algorithm**.
|
||||||
- The encryption algorithm uses an **encryption key** to create a *ciphertext*.
|
- The encryption algorithm uses an **encryption key** to create a *ciphertext*.
|
||||||
|
|||||||
@@ -63,7 +63,7 @@ $$
|
|||||||
|
|
||||||
#### The Feistel Function
|
#### The Feistel Function
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
||||||
|
|
||||||
@@ -179,7 +179,7 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
|
|||||||
|
|
||||||
### Electronic Codebook Mode (ECB)
|
### Electronic Codebook Mode (ECB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Codebook is a mapping table.
|
- Codebook is a mapping table.
|
||||||
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
||||||
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Cipher Block Chaining Mode (CBC)
|
### Cipher Block Chaining Mode (CBC)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Two identical messages produce to different ciphertexts.
|
- Two identical messages produce to different ciphertexts.
|
||||||
- This prevents chosen plaintext attacks
|
- This prevents chosen plaintext attacks
|
||||||
@@ -248,7 +248,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Cipher Feedback Mode (CFB)
|
### Cipher Feedback Mode (CFB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- The message is treated as a stream of bits; similar to stream cipher
|
- The message is treated as a stream of bits; similar to stream cipher
|
||||||
- **Result of the encryption is fed to the next stage.**
|
- **Result of the encryption is fed to the next stage.**
|
||||||
@@ -283,7 +283,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Output Feedback Mode (OFB)
|
### Output Feedback Mode (OFB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Very similar to stream cipher.
|
- Very similar to stream cipher.
|
||||||
- Initialization vector is used as a seed to generate the key stream.
|
- Initialization vector is used as a seed to generate the key stream.
|
||||||
@@ -316,7 +316,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Counter Mode (CTR)
|
### Counter Mode (CTR)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Without chaining, we use a counter (typically incremented by $1$).
|
- Without chaining, we use a counter (typically incremented by $1$).
|
||||||
- Counter starts from the initialization vector.
|
- Counter starts from the initialization vector.
|
||||||
|
|||||||
@@ -83,7 +83,7 @@ We have a root CA at the top. Then there are issuing CAs below. We usually reque
|
|||||||
|
|
||||||
### Certificate Validation
|
### Certificate Validation
|
||||||
|
|
||||||
[^1]
|
[^1]
|
||||||
|
|
||||||
Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
|
Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
|
||||||
|
|
||||||
|
|||||||
@@ -146,7 +146,7 @@ Here's how the client and the server establishes a connection using the TLS hand
|
|||||||
> 3. Use the server's public key to share a secret.
|
> 3. Use the server's public key to share a secret.
|
||||||
> 4. Both parties generate a symmetric key from the shared secret.
|
> 4. Both parties generate a symmetric key from the shared secret.
|
||||||
|
|
||||||
[^1]
|
[^1]
|
||||||
|
|
||||||
- `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
|
- `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
|
||||||
- The actual messages and process differ for each protocol and ciphers used.
|
- The actual messages and process differ for each protocol and ciphers used.
|
||||||
|
|||||||
@@ -292,7 +292,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
|
|||||||
|
|
||||||
*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
|
*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
|
1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
|
||||||
- In experiment $0$, PRG gives pseudorandom string $G(k)$.
|
- In experiment $0$, PRG gives pseudorandom string $G(k)$.
|
||||||
@@ -318,7 +318,7 @@ The theorem implies that if next bit predictors cannot distinguish $G$ from true
|
|||||||
|
|
||||||
To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
|
To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
|
> **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
|
||||||
>
|
>
|
||||||
|
|||||||
@@ -131,7 +131,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
|||||||
|
|
||||||
### Electronic Codebook Mode (ECB)
|
### Electronic Codebook Mode (ECB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- ECB mode encrypts each block with the same key.
|
- ECB mode encrypts each block with the same key.
|
||||||
- Blocks are independent of each other.
|
- Blocks are independent of each other.
|
||||||
@@ -139,7 +139,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
|||||||
|
|
||||||
### Ciphertext Block Chain Mode (CBC)
|
### Ciphertext Block Chain Mode (CBC)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
|
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
|
||||||
|
|
||||||
@@ -190,7 +190,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
|
|||||||
|
|
||||||
### Counter Mode (CTR)
|
### Counter Mode (CTR)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
|
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
|
||||||
|
|
||||||
|
|||||||
@@ -83,7 +83,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
|
|||||||
|
|
||||||
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
|
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
||||||
>
|
>
|
||||||
@@ -138,7 +138,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
|
|||||||
|
|
||||||
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
|
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Encrypt-and-MAC (E&M)
|
### Encrypt-and-MAC (E&M)
|
||||||
|
|
||||||
|
|||||||
@@ -106,7 +106,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
|
|||||||
|
|
||||||
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
|
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
|
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
|
||||||
>
|
>
|
||||||
@@ -151,7 +151,7 @@ Now we only have to build a collision resistant compression function. We can bui
|
|||||||
|
|
||||||
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
|
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
|
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
|
||||||
>
|
>
|
||||||
@@ -216,7 +216,7 @@ This can be thought of as blocking the length extension attack from prepending t
|
|||||||
|
|
||||||
### HMAC
|
### HMAC
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
|
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
|
||||||
|
|
||||||
|
|||||||
@@ -74,7 +74,7 @@ $$
|
|||||||
|
|
||||||
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
|
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
|
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
|
||||||
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
|
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
|
||||||
@@ -189,7 +189,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
|
|||||||
|
|
||||||
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
|
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
|
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
|
||||||
|
|
||||||
@@ -211,7 +211,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
|
|||||||
|
|
||||||
The idea was to use *puzzles*, which are problems that can be solved with some effort.
|
The idea was to use *puzzles*, which are problems that can be solved with some effort.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
|
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
|
||||||
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
|
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
|
||||||
|
|||||||
Reference in New Issue
Block a user