Slides for lecture 4

CMSC 414
Computer (and Network) Security
Lecture 4
Jonathan Katz
Some examples
• (Shift cipher)
• (Substitution cipher)
• (Vigenere cipher)
Moral of the story?
• Key space should be large
– Necessary, but not sufficient
• Don’t use “simple” schemes
• Thoroughly analyze schemes before using
– Better yet, use schemes that other, smarter people have already analyzed…
Re-thinking the problem
• What do we mean by security?
– I.e., not being able to determine the key??
– Types of attacks
• Perfect security
– One-time pad
• Computational security
– Block ciphers and modes of encryption
– DES and AES
Notions of Security
• What constitutes a “break”?
• What kind of attacks?
• Note: always assume adversary knows full details of the scheme (except the key…)
– Never aim for “security through obscurity”
Security goals?
• Adversary unable to recover the key
– Necessary, but meaningless on its own…
• Adversary unable to recover entire plaintext
– Good, but is it enough?
• Adversary unable to determine any information at all about the plaintext
– Sounds great!
– Can we achieve it?
One-time pad
• (One-time pad)
Properties of one-time pad?
• Achieves perfect secrecy (proof)
– No eavesdropper (no matter how powerful) can determine any information whatsoever about the plaintext
• (Essentially) useless in practice…
– Long key length
– Can only be used once (hence the name!)
Weaken security guarantee?
• Instead of requiring that no adversary can learn anything about the plaintext…
• …require that no adversary running in any “reasonable amount of time” can learn anything about the plaintext except with “very small probability”
– “Reasonable time” = 10^6 years
– “Very small probability” = 2^-64
– Computational security
Simpler characterization?
• Equivalent to the following, simpler definition:
– Given a ciphertext C which is known to be an encryption of either M_0 or M_1, an adversary cannot guess which one was actually encrypted
– More precisely, no adversary running in reasonable amount of time can guess correctly with probability significantly better than ½.
The take-home message
• Weakening the definition slightly allows us to construct much more efficient schemes!
• Strictly speaking, no longer 100% absolutely guaranteed to be secure
– Security of encryption now depends on security of building blocks (which are analyzed extensively, and are assumed to be secure)
– Given enough time, the scheme can be broken
Security?
• We now have a working definition of what it means for encryption to be secure
• What sort of attacks should we consider?
Attacks
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext (includes chosen plaintext attacks)
Attacks…
• A typical standard is security against chosen-plaintext attacks
• Security against chosen-ciphertext attacks is increasingly required
• Note that the one-time pad is insecure against known-plaintext attack
Randomized encryption
• To be secure against chosen-plaintext attack, encryption must be randomized
– We will see later how this comes into play
Block ciphers
• Keyed permutation; input/output length
• Large key space
• Modeled as a (family of) random permutations…
• Example – “trivial” encryption:
– C = F_K(m)
– This is not randomized…
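
Added example (not from the original slides): the "M_0 or M_1" guessing game from the "Simpler characterization" slide, played by a chosen-plaintext adversary against the trivial scheme C = F_K(m) and against a randomized variant. Assumptions made for this illustration: HMAC-SHA256 stands in for F_K, the randomized scheme is C = (r, F_K(r) XOR m), and all function names and sample messages are constructed here.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per message block in this toy example

def F(key: bytes, x: bytes) -> bytes:
    """Stand-in for F_K: HMAC-SHA256 truncated to one block.
    Assumption: a pseudorandom function rather than a permutation,
    which is enough here because the game only ever encrypts."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def enc_deterministic(key: bytes, m: bytes) -> bytes:
    """The slide's "trivial" encryption: C = F_K(m)."""
    return F(key, m)

def enc_randomized(key: bytes, m: bytes) -> bytes:
    """Assumed randomized variant: fresh r per call, C = (r, F_K(r) XOR m)."""
    r = secrets.token_bytes(BLOCK)
    pad = F(key, r)
    return r + bytes(a ^ b for a, b in zip(pad, m))

def replay_adversary(oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    """Chosen-plaintext strategy: request an encryption of m0 and
    compare it with the challenge ciphertext."""
    return 0 if oracle(m0) == challenge else 1

def cpa_game(encrypt, adversary) -> bool:
    """One run of the game. The adversary gets an encryption oracle and a
    challenge that encrypts m0 or m1; returns True if it guesses which."""
    key = secrets.token_bytes(32)
    m0, m1 = b"A" * BLOCK, b"B" * BLOCK  # constructed sample messages
    b = secrets.randbelow(2)
    challenge = encrypt(key, (m0, m1)[b])
    return adversary(lambda m: encrypt(key, m), m0, m1, challenge) == b

def win_rate(encrypt, trials: int = 2000) -> float:
    """Fraction of games the replay adversary wins against `encrypt`."""
    wins = sum(cpa_game(encrypt, replay_adversary) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("deterministic C = F_K(m):  ", win_rate(enc_deterministic))
    print("randomized (r, F_K(r)^m):  ", win_rate(enc_randomized))
```

Against the deterministic scheme the adversary wins every game; against the randomized one its comparison never matches, so it is reduced to a guess that is right about half the time.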