Stanford Cryptography Course 04.4-using-block-annotated.pptx


Using block ciphers
Modes of operation: many-time key (CBC)
Online Cryptography Course, Dan Boneh

Example applications:
1. File systems: the same AES key is used to encrypt many files.
2. IPsec: the same AES key is used to encrypt many packets.

Construction 1: CBC with random IV
Let (E, D) be a PRP. E_CBC(k, m): choose a random IV ∈ X and compute
  c[0] = E(k, IV ⊕ m[0]),  c[i] = E(k, c[i-1] ⊕ m[i]) for i ≥ 1.
The ciphertext is (IV, c[0], c[1], c[2], c[3], ...); the IV is sent in the clear as the first block. (The slide's diagram shows m[0..3] each XORed with the previous output and fed through E(k, ·) to give c[0..3].)

Decryption circuit, in symbols:
  c[0] = E(k, IV ⊕ m[0])  ⇒  m[0] = D(k, c[0]) ⊕ IV,
and in general m[i] = D(k, c[i]) ⊕ c[i-1], so decryption needs no inverse of the chaining and can be done in parallel.

CBC: CPA analysis
CBC Theorem: for any L > 0, if E is a secure PRP over (K, X) then E_CBC is semantically secure under CPA over (K, X^L, X^{L+1}).
In particular, for a q-query adversary A attacking E_CBC there exists a PRP adversary B such that
  $\mathrm{Adv}_{\mathrm{CPA}}[A, E_{\mathrm{CBC}}] \le 2\,\mathrm{Adv}_{\mathrm{PRP}}[B, E] + \frac{2\,q^2 L^2}{|X|}$.
Note: CBC is only secure as long as $q^2 L^2 \ll |X|$.

An example
q = number of messages encrypted under k, L = length (in blocks) of the longest message.
Suppose we want $\mathrm{Adv}_{\mathrm{CPA}}[A, E_{\mathrm{CBC}}] \le 2^{-32}$. By the theorem it suffices that $q^2 L^2 / |X| < 2^{-32}$.
AES: $|X| = 2^{128}$ ⇒ $qL < 2^{48}$. So after 2^48 AES blocks, the key must be changed.
3DES: $|X| = 2^{64}$ ⇒ $qL < 2^{16}$, i.e. the key must change after only 2^16 blocks.

Warning: an attack on CBC with random IV
CBC where the attacker can predict the IV is not CPA-secure!
Suppose that, given c ← E_CBC(k, m), the attacker can predict the IV that will be used for the next message. The CPA game then runs as follows:
  Challenger: k ← K.
  Adversary, first query: the all-zero block 0 ∈ X; it receives c1 ← [IV1, E(k, 0 ⊕ IV1)].
  Adversary predicts the next IV and sends the challenge pair m0 = IV ⊕ IV1 and any m1 ≠ m0.
  Challenger: c ← [IV, E(k, m_b ⊕ IV)].
  Adversary: output 0 if c[1] = c1[1], else output 1.
Because E(k, m0 ⊕ IV) = E(k, IV1) = c1[1], while E(k, m1 ⊕ IV) ≠ c1[1] since E(k, ·) is a permutation, the adversary is always right: advantage 1.
Bug in SSL/TLS 1.0: the IV for record #i is the last ciphertext block of record #(i-1), which the attacker has already seen, so the IV is predictable in exactly this way.

Construction 1': nonce-based CBC
Cipher block chaining with a unique nonce: key = (k, k1). The nonce is first encrypted under k1 to obtain the IV, and the message is then CBC-encrypted under k exactly as in Construction 1; the ciphertext is (nonce, c[0], c[1], c[2], c[3], ...).
A unique nonce means the pair (key, n) is used for only one message. The nonce need not be random or secret, but it must never repeat under the same key, and the two keys k and k1 must be independent.

An example crypto API (OpenSSL)
  void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                       size_t length, const AES_KEY *key,
                       unsigned char *ivec, const int enc);
Note that the caller supplies the IV in ivec; the library does not choose one, so picking a fresh random (or nonce-derived) IV for every message is the caller's responsibility. OpenSSL also updates ivec in place with the last ciphertext block, so reusing the same ivec buffer across calls reproduces the chained-IV behaviour of TLS 1.0 described above.
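Construction 1, the predictable-IV attack and Construction 1' above, as one added worked example that is not part of the course slides. It uses a toy 4-round Feistel PRP built from HMAC-SHA256 in place of AES so that it runs offline; ChainedIVCBC, NonceCBC, cpa_game_predictable_iv and the sample keys, nonces and messages are this example's own names and constructed inputs, not anything from the slides or from OpenSSL.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit block size, matching AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp_encrypt(k: bytes, x: bytes) -> bytes:
    """Toy 128-bit PRP: a 4-round Feistel network with an HMAC-SHA256 round
    function (Luby-Rackoff). It stands in for AES only so this block runs
    offline; it is an assumption of the example, not a production cipher."""
    assert len(x) == BLOCK
    left, right = x[:8], x[8:]
    for i in range(4):
        f = hmac.new(k, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def prp_decrypt(k: bytes, y: bytes) -> bytes:
    """Inverse of prp_encrypt: undo the Feistel rounds in reverse order."""
    left, right = y[:8], y[8:]
    for i in reversed(range(4)):
        f = hmac.new(k, bytes([i]) + left, hashlib.sha256).digest()[:8]
        left, right = xor(right, f), left
    return left + right

def cbc_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """Construction 1: c[i] = E(k, m[i] XOR c[i-1]) with c[-1] = IV.
    Returns IV || c[0] || ... || c[L-1]; m must already be block-aligned."""
    assert len(m) % BLOCK == 0
    prev, out = iv, [iv]
    for i in range(0, len(m), BLOCK):
        prev = prp_encrypt(k, xor(m[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    """m[i] = D(k, c[i]) XOR c[i-1]; the leading block of c is the IV."""
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return b"".join(xor(prp_decrypt(k, cur), prev)
                    for prev, cur in zip(blocks, blocks[1:]))

class ChainedIVCBC:
    """CBC as in SSL/TLS 1.0: the IV of record i is the last ciphertext block
    of record i-1, so anyone who saw record i-1 knows the next IV."""

    def __init__(self, k: bytes):
        self.k = k
        self.next_iv = os.urandom(BLOCK)  # only the very first IV is random

    def encrypt(self, m: bytes) -> bytes:
        c = cbc_encrypt(self.k, self.next_iv, m)
        self.next_iv = c[-BLOCK:]
        return c

def cpa_game_predictable_iv(b: int) -> int:
    """The slides' CPA attack against a predictable IV. The challenger holds
    the hidden bit b; the adversary's guess is returned and always equals b."""
    enc = ChainedIVCBC(os.urandom(BLOCK))
    # Query 1: the all-zero block -> c1 = [IV1, E(k, 0 XOR IV1)].
    c1 = enc.encrypt(bytes(BLOCK))
    iv1, c1_block = c1[:BLOCK], c1[BLOCK:]
    iv = c1[-BLOCK:]  # predicted IV of the next record (it is public)
    # Challenge: m0 = IV XOR IV1 gives E(k, m0 XOR IV) = E(k, IV1) = c1[1];
    # any m1 != m0 gives a different block because E(k, .) is a permutation.
    m0 = xor(iv, iv1)
    m1 = xor(m0, b"\x01" + bytes(BLOCK - 1))
    c = enc.encrypt(m0 if b == 0 else m1)
    return 0 if c[BLOCK:] == c1_block else 1

class NonceCBC:
    """Construction 1': key = (k, k1), IV = E(k1, nonce). The nonce need not
    be secret or random, but it must never repeat under this key pair."""

    def __init__(self, k: bytes, k1: bytes):
        self.k, self.k1 = k, k1
        self.used = set()

    def encrypt(self, nonce: bytes, m: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce reused under the same key")
        self.used.add(nonce)
        iv = prp_encrypt(self.k1, nonce)
        return cbc_encrypt(self.k, iv, m)[BLOCK:]  # transmit nonce, not IV

    def decrypt(self, nonce: bytes, c: bytes) -> bytes:
        return cbc_decrypt(self.k, prp_encrypt(self.k1, nonce) + c)
```

Running cpa_game_predictable_iv(b) for either value of b returns b every time, which is the "advantage 1" of the slides: the attack does not depend on any weakness of the block cipher, only on the IV being known before the challenge is submitted. NonceCBC shows the fix from Construction 1': the IV is E(k1, nonce), unpredictable to an attacker who does not hold k1, and the in-memory set makes the single rule that matters, nonce uniqueness per key, fail loudly instead of silently.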
