DOCUMENT INFORMATION
Basic information
Pages: 12
Size: 593.05 KB
Content
Online Cryptography Course                                   Dan Boneh

Stream ciphers: Attacks on OTP and stream ciphers

Review
OTP:  E(k,m) = m ⊕ k ,  D(k,c) = c ⊕ k
Making OTP practical using a PRG:  G: K ⟶ {0,1}^n
Stream cipher:  E(k,m) = m ⊕ G(k) ,  D(k,c) = c ⊕ G(k)
Security: the PRG must be unpredictable (a better definition follows in two segments)

Attack 1: the two-time pad is insecure
!! Never use a stream cipher key more than once !!
  C1 ← m1 ⊕ PRG(k)
  C2 ← m2 ⊕ PRG(k)
Eavesdropper computes:  C1 ⊕ C2 → m1 ⊕ m2
There is enough redundancy in English text and its ASCII encoding that:  m1 ⊕ m2 → m1, m2

Real world examples
• Project Venona
• MS-PPTP (Windows NT): [figure: client and server both encrypt with the same key k]
  Need different keys for C ⟶ S and S ⟶ C

Real world examples (cont.)
802.11b WEP: [figure: the frame is IV ll ( (m ll CRC(m)) ⊕ PRG(IV ll k) ); both sides share k]
Length of IV: 24 bits
• Repeated IV after 2^24 ≈ 16M frames (with a counter IV; randomly chosen IVs collide much sooner, after roughly 2^12 frames by the birthday bound)
• On some 802.11 cards the IV resets to 0 after a power cycle

Avoid related keys
802.11b WEP: [figure: same frame format, frames encrypted under closely related keys]
  key for frame #1: (1 ll k)
  key for frame #2: (2 ll k)
  ⋮

A better construction
[figure: the long-term key k is fed to a PRG; successive PRG outputs serve as the per-frame keys]
⇒ now each frame has a pseudorandom key
Better solution: use a stronger encryption method (as in WPA2)

Yet another example: disk encryption
[figure only on this slide]

Two-time pad: summary
Never use a stream cipher key more than once !!
• Network traffic: negotiate a new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher

Attack 2: no integrity (OTP is malleable)
[figure: m → enc(⊕k) → m⊕k ; attacker applies ⊕p → (m⊕k)⊕p → dec(⊕k) → m⊕p]
Modifications to the ciphertext are undetected and have a predictable impact on the plaintext

Attack 2: no integrity (OTP is malleable)
[figure: "From: Bob ⋯" → enc(⊕k) → ciphertext ; attacker XORs a chosen pattern → dec(⊕k) → "From: Eve ⋯"]
Modifications to the ciphertext are undetected and have a predictable impact on the plaintext

End of Segment
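The two attacks in this segment, worked through in code. This is an added example and not code from Boneh's slides: SHAKE128 stands in for the PRG G(k), every key, message and crib is constructed sample data, and the last function goes one step beyond the slides by showing that WEP's CRC(m) does not stop the malleability attack, because CRC32 is affine over GF(2) and the attacker can patch the encrypted checksum without knowing m or k.

```python
"""Added example, not code from the Boneh slides: Attack 1 (two-time pad)
and Attack 2 (malleability) run against a toy stream cipher.

Assumptions (mine): SHAKE128 stands in for the PRG G(k); all keys,
messages and cribs are constructed sample data; the CRC part models the
WEP frame layout (m ll CRC(m)) ⊕ PRG(key) with zlib.crc32.
"""
from __future__ import annotations

import hashlib
import zlib


def keystream(key: bytes, n: int) -> bytes:
    # Stand-in for G(k): SHAKE128 used as an extendable-output function.
    return hashlib.shake_128(key).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes) -> bytes:
    # E(k, m) = m XOR G(k); decryption is the same operation.
    return xor(m, keystream(key, len(m)))


decrypt = encrypt


# Attack 1: two-time pad. Reusing the key leaks m1 XOR m2 to an eavesdropper.
def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    # (m1 XOR G(k)) XOR (m2 XOR G(k)) = m1 XOR m2; the keystream cancels.
    return xor(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a guessed fragment of one plaintext along m1 XOR m2. At the
    offset where the crib really occurs, XOR-ing it out exposes the same
    span of the other plaintext, which looks like text; elsewhere the result
    is usually garbage. Returns (offset, exposed bytes) candidates."""
    hits = []
    for off in range(len(m1_xor_m2) - len(crib) + 1):
        exposed = xor(m1_xor_m2[off:off + len(crib)], crib)
        if all(b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
               for b in exposed):
            hits.append((off, exposed))
    return hits


def reveal(m1_xor_m2: bytes, known: bytes, off: int) -> bytes:
    # Once a fragment of one message at offset off is confirmed, the other
    # message's bytes at the same position follow immediately.
    return xor(m1_xor_m2[off:off + len(known)], known)


# Attack 2: malleability. Flipping ciphertext bits flips the same plaintext bits.
def flip(c: bytes, off: int, old: bytes, new: bytes) -> bytes:
    # XOR-ing (old XOR new) into c[off:] turns old into new after decryption.
    p = xor(old, new)
    return c[:off] + xor(c[off:off + len(p)], p) + c[off + len(p):]


def crc_tag(m: bytes) -> bytes:
    # WEP-style "integrity": CRC32(m) appended to m before encryption.
    return zlib.crc32(m).to_bytes(4, "little")


def forge_crc(c: bytes, off: int, old: bytes, new: bytes) -> bytes:
    """Same flip, but also patch the encrypted CRC. For equal-length inputs
    crc(a XOR b) = crc(a) XOR crc(b) XOR crc(zeros), so the correction for
    the checksum depends only on the attacker's own delta."""
    body_len = len(c) - 4
    delta = bytes(off) + xor(old, new) + bytes(body_len - off - len(old))
    crc_delta = xor(crc_tag(delta), crc_tag(bytes(body_len)))
    return flip(flip(c, off, old, new), body_len, bytes(4), crc_delta)


def demo() -> dict:
    k = b"constructed sample key"              # constructed sample data

    # Attack 1: two messages under one key; the attacker guesses "password".
    m1 = b"Meet me at the old mill at midnight"
    m2 = b"The password for the vault is hunter2"
    leak = two_time_pad_leak(encrypt(k, m1), encrypt(k, m2))
    hits = crib_drag(leak, b"password")
    recovered = reveal(leak, b"Meet me at the old mill", 0)

    # Attack 2: rewrite the sender field of a WEP-style frame and fix the CRC.
    m = b"From: Bob\nSend the funds."
    c = encrypt(k, m + crc_tag(m))
    forged = decrypt(k, forge_crc(c, 6, b"Bob", b"Eve"))
    body, tag = forged[:-4], forged[-4:]
    return {
        "leak_hits": hits,
        "recovered_m2_prefix": recovered,
        "forged_body": body,
        "crc_ok": tag == crc_tag(body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The character-class filter in crib_drag is deliberately loose; a real attacker scores candidates with a dictionary or language model and repeats the drag with each newly recovered fragment until both messages are out. The forge_crc step is why WEP's checksum bought nothing and why the summary slide's remedy is a MAC-bearing construction such as WPA2 rather than a better checksum.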