Chapter 4: Symmetric Encryption

Question 1

Symmetric encryption uses a shared secret symmetric key k. What are some implicit assumptions?

Answer 1

• k is shared between two (Alice and Bob) or more (group) participants
• Besides these participants, nobody else knows k → k is secret
• k is used to encrypt and decrypt → k is symmetric

Question 2

• Terminology
• Plaintext m: The message itself
• Ciphertext c: The encrypted plaintext
• Operators:
• Encryption: c = Enck (m)
• Decryption: m = Deck (c)
• Basic correctness requirement for Symmetric Encryption:

Answer 2

Deck (Enck (m)) = m

Question 3

• Why is len(c) >= len(m)? What security goals are fulfilled? Explain. (Symmetric Encryption)

Answer 3

• The second block of m is padded with extra data to have a full block of 16 Byte

Confidentiality.

NOT Authenticity: An attacker could modify c . Deck (c) will most probably yield garbled text. Receiver can only assume that the message was modified but not prove it!

NOT Integrity. Attacker could just send some random c and spoof Alice’s IP address.
Deck (c) will yield garbled text. Receiver can only assume that the message is not authentic but not prove it!

Question 4

Example for Enc and Dec: One-Time-Pad (OTP)

Answer 4

Question 5

Kerckhoffs’s principle
“The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.”

Explain the consequences and benefits.

Answer 5

Consequences* The cipher, i.e., the encryption algorithm, can be public. (In fact it should be!). If the cipher is public, security depends on the key, which must be kept secret.

Benefits: * If security would depend on the cipher’s obscurity and the cipher leaks we would need to build a new one
You don’t have to come up with a new cipher for each communication partner; selecting a new key is sufficient
* If the cipher does not need to be hidden, we can perform review procedures that increase confidence in the cipher

Question 6

Examples of secure real-world symmetric ciphers
* AES (block cipher)
* 3DES (block cipher)
* ChaCha20 (stream cipher)
* One-Time-Pad (stream cipher)
* Why can we trust them?

Answer 6

• The ciphers are published,
• and they have been publicly reviewed/analyzed by cryptographers.
• They are standardized.
• Well-tested/optimized implementations are available in the library of your favorite programming language

Question 7

What are the Dos of crypto?

Answer 7

• Do use standardized ciphers from your library
• Be aware of the dangers:
• Unlikely: A well-established cipher is broken or backdoored
• Likely: Wrong usage of the cipher (maybe in conjunction with other cryptographic algorithms) compromises security (RTFM)!

Question 8

What are the DONTS of Crypto?

Answer 8

• Don’t implement your own cipher.
  “Any person can invent a security system so clever that he or she can’t imagine a way of breaking it.”
  (Schneier’s law)
• Don’t claim “it’s encrypted, it is secure”.
  Encryption ↑= Security
  Forgetting integrity and authenticity may be worse than any information leakage! → Padding Oracle attack
• Key management (key exchange, rekeying, etc.) is difficult and highly important and shouldn’t be neglected

Question 9

Attacking Symmetric Ciphers
* Goal: given c, learn something about m and/or k
* If something about k (e.g. some bits) can be learned, the attack is already successful. Why?
* We can repeat the attack and learn more about k
* Knowing a couple of bits of k might allow us to brute-force the rest

Explain the attack scenarios.

Answer 9

Cipher-text only attack, Known-Plaintext attack, Chosen Plain-text or chosen-ciphertext attack

Question 10

Attacking Symmetric Ciphers Security of Ciphers
* A cipher is secure if the best known attack is brute-forcing all keys.2
* Brute-Force: exhaustively testing all keys by decrypting c with the k-candidate;
We assume to have found the “right” key when decryption result “looks reasonable”. Exemplify.

Answer 10

Question 11

One-Time-Pad: A Perfect Cipher
* Reminder: Encotp (m) = m XOR otp, Decotp (c) = c XOR otp, otp is random. Cover the attack scenarios.

Answer 11

Question 12

Drawbacks of One-Time Pad

Answer 12

• Necessary key length in bits: length(otp) = length(m)
• otp must not be reused
• Key generation and key distribution is difficult
• Applicability in many real-world use cases difficult (Think: encrypted web-traffic between server and clients)

Question 13

Wish list for practical ciphers

• length(k ) &laquo_space;length(m)
• …
• Key reusable for several messages
• Unavoidable implication (for length(m)&raquo_space; length(k )):
• Cipher is still secure (when…)

Answer 13

Key of fixed length, e.g. 128 bit

• k can be brute-forced
• Brute force attack succeeds when a k is found which decrypts c to an “reasonable” m.
• If m is not perfectly random, c cannot be perfectly random

key size is sufficient!

Question 14

Example of iCry– insecure Cryptographic cipher

Answer 14

Question 15

Block and Stream Ciphers: differentiate( Assume: shared symmetric k of fixed length)

• Block cipher
• Encrypts and decrypts inputs of length n to outputs of length n
• Block length n
• Examples: AES, DES, 3DES, Blowfish, Twofish, ……

Answer 15

• Stream cipher
• Generates a random bit stream, called key stream
• c = keystream ↗ m
• Examples: ChaCha20, RC4 (broken!)

Question 16

Interlude: Which Symmetric Cipher should I use?
* Probably AES
* Reasons to use AES:

Answer 16

• Fast: 200 MBit/s in software and > 2 GB/s with Intel AES-NI
• Hardware implementations for embedded devices available
• A well-tested implementation is available in your library
• Secure (attacks exist, but AES is practically secure)
• AES seems to be the best we have, and it is among the most researched algorithms