Document information
Online Cryptography Course
Dan Boneh

Stream ciphers
Attacks on OTP and stream ciphers

Review
OTP: E(k,m) = m ⊕ k , D(k,c) = c ⊕ k
Making OTP practical using a PRG: G: K ⟶ {0,1}^n
Stream cipher: E(k,m) = m ⊕ G(k) , D(k,c) = c ⊕ G(k)
Security: PRG must be unpredictable (better def in two segments)

Attack 1: two time pad is insecure
Never use stream cipher key more than once !!
C1 ← m1 ⊕ PRG(k)
C2 ← m2 ⊕ PRG(k)
Eavesdropper does: C1 ⊕ C2 → m1 ⊕ m2
Enough redundancy in English and ASCII encoding that: m1 ⊕ m2 → m1 , m2

Real world examples
• Project Venona
• MS-PPTP (Windows NT):
[Diagram: key k shown on both sides]
Need different keys for C⟶S and S⟶C

Real world examples
802.11b WEP:
[Diagram labels: m, CRC(m), k, PRG( IV ‖ k ), IV, ciphertext]
Length of IV: 24 bits
• Repeated IV after 2^24 ≈ 16M frames
• On some 802.11 cards: IV resets to 0 after power cycle

Avoid related keys
802.11b WEP:
[Diagram labels: m, CRC(m), k, PRG( IV ‖ k ), IV, ciphertext]
key for frame #1: (1 ‖ k)
key for frame #2: (2 ‖ k)
⋮

A better construction
[Diagram labels: k, PRG]
⇒ now each frame has a pseudorandom key
better solution: use stronger encryption method (as in WPA2)

Yet another example: disk encryption

Two time pad: summary
Never use stream cipher key more than once !!
• Network traffic: negotiate new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher

Attack 2: no integrity (OTP is malleable)
m → enc ( ⊕k ) → m⊕k
(m⊕k) ⊕ p → (m⊕k)⊕p
(m⊕k)⊕p → dec ( ⊕k ) → m⊕p
Modifications to ciphertext are undetected and have predictable impact on plaintext

Attack 2: no integrity (OTP is malleable)
From: Bob → enc ( ⊕k ) → [encrypted: From: Bob]
[encrypted: From: Bob] ⊕ ⋯ → [encrypted: From: Eve]
[encrypted: From: Eve] → dec ( ⊕k ) → From: Eve
Modifications to ciphertext are undetected and have predictable impact on plaintext

End of Segment
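The two attacks in the slides, followed by an integrity check that rejects the modified ciphertext. This is an added example, not part of the original slides: the SHAKE-256 stand-in for G, the HMAC-SHA256 encrypt-then-MAC step, the function names, and the sample keys and messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

def G(k: bytes, n: int) -> bytes:
    # Stand-in PRG (assumption; the slides name none): SHAKE-256 expands k to n bytes.
    return hashlib.shake_256(k).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(k: bytes, m: bytes) -> bytes:
    # Stream cipher from the slides: E(k,m) = m XOR G(k)
    return xor(m, G(k, len(m)))

D = E  # D(k,c) = c XOR G(k): the same operation

def two_time_pad_leak(k: bytes, m1: bytes, m2: bytes) -> bytes:
    # Attack 1: same key for both messages, so the pad cancels in C1 XOR C2.
    return xor(E(k, m1), E(k, m2))

def tamper(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Attack 2: XOR p = old XOR new into the ciphertext; the key is never used.
    p = xor(old, new)
    end = offset + len(p)
    return c[:offset] + xor(c[offset:end], p) + c[end:]

def seal(k_enc: bytes, k_mac: bytes, m: bytes):
    # Added mitigation (not on the slides): encrypt, then HMAC-SHA256 the ciphertext.
    c = E(k_enc, m)
    return c, hmac.new(k_mac, c, hashlib.sha256).digest()

def unseal(k_enc: bytes, k_mac: bytes, c: bytes, tag: bytes) -> bytes:
    # Verify the tag before decrypting; any ciphertext change is rejected.
    if not hmac.compare_digest(tag, hmac.new(k_mac, c, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified")
    return D(k_enc, c)

if __name__ == "__main__":
    k, k_mac = b"constructed-enc-key", b"constructed-mac-key"  # constructed sample keys
    m1, m2 = b"attack at dawn", b"attack at dusk"              # constructed messages
    print(two_time_pad_leak(k, m1, m2) == xor(m1, m2))
    c = E(k, b"From: Bob")
    print(D(k, tamper(c, 6, b"Bob", b"Eve")))
    c, tag = seal(k, k_mac, b"From: Bob")
    try:
        unseal(k, k_mac, tamper(c, 6, b"Bob", b"Eve"), tag)
    except ValueError as e:
        print("rejected:", e)
```

The MAC only addresses Attack 2: `seal` still needs a fresh `k_enc` for every message, otherwise the two time pad problem remains.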
Date posted: 09/11/2019, 06:41