Lecture5 (With Notes)

The document discusses 3DES and its vulnerabilities, including describing how a meet-in-the-middle attack works. It then covers the use of randomized encryption to defend against chosen-plaintext attacks by ensuring encrypting the same message twice results in different ciphertexts. Challenges for the decryption algorithm with a randomized encryption scheme are also noted.

Uploaded by amr ahmed
Fall 2022

CC551: Computer and Network Security
Lecture 5

Ahmed Kosba
Department of Computer and Systems Engineering
Faculty of Engineering, Alexandria University
Outline
• Symmetric Encryption (cont.)
• 3-DES
• Randomized encryption and CPA-security
• Block cipher modes of operation (Encryption of arbitrary-length messages)
• Chosen-ciphertext Attacks
• Padding-oracle attacks
Triple DES (3DES)
An attempt to strengthen DES. DES uses a short key of only 56 bits, so brute force costs 2^56 trial decryptions, which is within reach of a determined attacker. We want the effective key length to be at least 112 bits, so that brute force costs 2^112 operations, which is computationally infeasible.
How can we use the DES ideas to design a more secure cipher?
Options:
• Change the cipher itself to use a longer key.
  - Not a good option: ciphers are sensitive designs, and a small change may require many other changes and can ruin the security.
• Use the cipher as a black box and construct a more secure scheme using multiple calls with different keys.

Which alternative sounds easier? The second option.
Double Encryption (2DES)
• c = E(k2, E(k1, m)), where k1 and k2 are independent 56-bit DES keys, so the combined key k = (k1, k2) is 112 bits. The block length is still 64 bits.

  m --E(k1)--> x --E(k2)--> c

• Possible concerns:
  - Would this be equivalent to E(k3, m) for some other single key k3? It was proven not [Stallings]: DES is not a group, so double encryption is not just single DES under a third key.
  - So, is this secure for usage in practice? No, efficient attacks are possible: the meet-in-the-middle attack.

Notes:
- Meet-in-the-middle attack: brute force on k1 and k2 separately (2 × 2^56 instead of 2^112). The attacker needs a known pair (m, c), i.e., this is a known-plaintext attack.
- Let x = E(k1, m) = D(k2, c). Enumerate all 2^56 candidate keys k1* from 00...0 to 11...1 to get the values x, and all 2^56 candidate keys k2' to get the values x'. The pairs (k1*, k2') with x = x' form the set of possible keys.
- Why are there many candidate pairs from a single (m, c)? Because the key space (2^112 pairs) is much larger than the block space (2^64 values), so many pairs (k1, k2) map this m to this c.
Meet-in-the-Middle Attack
• Suppose n is the key length of DES and b is the block length.
• Given c = E(k2, E(k1, m)), assume the attacker obtained a pair (m, c).
• Let x = E(k1, m) = D(k2, c).
  - For each k1 in {0,1}^n, compute x = E(k1, m). Store (x, k1) in a table T1.
  - For each k2 in {0,1}^n, compute x' = D(k2, c). Store (x', k2) in a table T2.
  - Find entries in T1 and T2 such that x = x'.
  - Note that there can be more than one pair (k1, k2) at which x = x', but the attack can be repeated using other known plaintext-ciphertext pairs to find the (k1, k2) that the sender uses.
• Time complexity: O(n · 2^n) if sorting is used to find the matches.
• Space complexity: O((n + b) · 2^n), where n is the key size and b is the block size.
• Not secure (recall n = 56).

Notes:
- Cost of this attack: 2^56 to generate table 1 + 2^56 to generate table 2 + matching x and x' (concatenate the tables, sort, then a linear pass; sorting N = 2^n entries costs N · lg N = n · 2^n).
- We store the key next to each x because after sorting, the rows are no longer in key order.
- There might be duplicate x values; add a column indicating whether a row came from table 1 or table 2.
- To narrow down the number of possible keys, try other known-plaintext pairs and take the intersection of the sets of candidate keys resulting from each pair.
- A meet-in-the-middle attack on 3-DES costs 2^112.
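The attack above as an added worked example (not from the lecture). The block cipher is a toy 16-bit cipher with a 16-bit key, an assumption standing in for DES so that both key spaces can be enumerated in a second or two; `toy_encrypt`, `toy_decrypt`, `double_encrypt` and `meet_in_the_middle` are names chosen here. A dictionary keyed on x plays the role of the sorted table T1, so matching is a lookup per entry of T2 rather than a sort, and the extra known pairs only filter the candidate list, as the notes describe.

```python
"""Meet-in-the-middle attack on double encryption c = E(k2, E(k1, m)).

Added example (not from the lecture). The block cipher is a toy 16-bit
cipher with a 16-bit key, an assumption standing in for DES so that both key
spaces can be enumerated in a couple of seconds."""
from collections import defaultdict
from typing import Dict, List, Tuple

KEY_BITS = 16                       # n in the slides (56 for DES)
MASK = 0xFFFF                       # 16-bit block (b in the slides)
MUL = 0x1F35                        # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def _round_key(k: int, i: int) -> int:
    return (k + i * 0x9E37) & MASK


def toy_encrypt(k: int, m: int) -> int:
    """E(k, m): per round XOR the round key, rotate, multiply by an odd constant."""
    x = m
    for i in range(ROUNDS):
        x = (_rotl(x ^ _round_key(k, i), 5) * MUL) & MASK
    return x


def toy_decrypt(k: int, c: int) -> int:
    """D(k, c): undo the rounds in reverse order."""
    x = c
    for i in reversed(range(ROUNDS)):
        x = _rotr((x * MUL_INV) & MASK, 5) ^ _round_key(k, i)
    return x


def double_encrypt(k1: int, k2: int, m: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, m))


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Candidate keys (k1, k2) from known (m, c) pairs, in 2^n + 2^n cipher calls.

    A dictionary keyed on x plays the role of the sorted table T1, so the
    matching step is a lookup per entry of T2 instead of a sort of both."""
    m0, c0 = pairs[0]
    table1: Dict[int, List[int]] = defaultdict(list)   # x -> every k1 with E(k1, m0) = x
    for k1 in range(1 << KEY_BITS):
        table1[toy_encrypt(k1, m0)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                     # table T2, matched on the fly
        for k1 in table1.get(toy_decrypt(k2, c0), ()):  # x == x'
            candidates.append((k1, k2))
    # One pair leaves about 2^(2n-b) candidates (2^16 here); every further known
    # pair divides that by 2^b, which costs far less than another 2^n table.
    for m, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, m) == c]
    return candidates


if __name__ == "__main__":
    import random
    k1, k2 = random.getrandbits(KEY_BITS), random.getrandbits(KEY_BITS)
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x1234, 0xBEEF, 0x0042)]  # known pairs
    print("sender's key:", (k1, k2), "recovered:", meet_in_the_middle(pairs))
```

With n = 16 and b = 16 the first pair leaves about 2^16 candidate pairs, exactly the 2^(2n-b) the notes predict; the second pair cuts that to about one, and the third removes the remaining chance hits. Scale n to 56 and b to 64 and the same code is the 2^57 attack on 2DES, with the tables as the only obstacle.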
3-DES
• Variant 1: 3 keys (k1, k2, k3), 168 bits in total.
  c = E(k3, D(k2, E(k1, m)))
• Variant 2: 2 keys (k1, k2), 112 bits in total.
  c = E(k1, D(k2, E(k1, m)))

• Any advantages for using decryption as the middle box? Backward compatibility with DES: with k1 = k2 = k3 (variant 1) or k1 = k2 (variant 2), 3-DES reduces to a single DES encryption, so a 3-DES implementation can still talk to legacy DES equipment.
• The decryption step in the middle does not weaken the scheme: it is applied with a different key, so it behaves as just another keyed permutation. The decryption block could be replaced with an encryption block and the construction would still work; it is also possible to use DES encryption in all three blocks.
• How would this help? The meet-in-the-middle attack decreases the cost of brute force on variant 1 from 2^168 to 2^112 (our goal). That is, variant 1 is also vulnerable to the meet-in-the-middle attack, but the complexity of the attack is 2^(2n) = 2^112.
• Variant 1 provides more security theoretically than variant 2. A theoretical attack was proposed against variant 2 that requires 2^n chosen plaintexts.
• The small block length of 64 bits still causes problems.
Status
• NIST Special Publication 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths (March 2019)
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  (In that document, encryption with two-key 3-DES is disallowed, and encryption with three-key 3-DES is deprecated through 2023 and disallowed afterwards; AES is the recommended replacement.)
How to provide security for multiple encryptions?
• Goal: defend against an eavesdropper that observes multiple ciphertexts.
  - All the previous encryption algorithms were deterministic: encrypting the same plaintext more than once produces the same ciphertext every time, which the adversary can exploit. For example, if c1 = c2, then m1 = m2, which is information for the attacker.

• Solution (informal):
  • Instead of having a deterministic encryption algorithm, let the encryption algorithm be randomized (probabilistic).
  • Encrypting the same message twice should result in different ciphertexts.
  • What will be the challenge if a randomized algorithm is used?
    • The decryption algorithm will have to account for the randomness as well.
    • We will see shortly how.
How to provide security against chosen-plaintext attacks? (CPA security)
• Goal: defend against an attacker that can obtain encryptions of chosen plaintexts.
• Known result: CPA security for a single encryption implies CPA security for the multiple-encryptions setting.
• We will use pseudorandom functions and randomization to achieve the desired goal.
• The following construction is proven to be CPA-secure assuming a pseudorandom function is used. We will not cover the proof.
  • Main proof idea: if an adversary manages to break the scheme, this implies that the function used is not pseudorandom (it can be distinguished from a random function).
  • The details and the proof are in the KL textbook.
CPA security: How to provide security against chosen-plaintext attacks? (informal)
• Let F be a pseudorandom function and n be the message length.
• Key Generation: Choose a uniform key k ∈ {0, 1}^n.
• Encryption: Given k ∈ {0, 1}^n and a message m ∈ {0, 1}^n:
  • Choose a uniform r ∈ {0, 1}^n.
  • Output the ciphertext c := ⟨r, F_k(r) ⊕ m⟩, i.e., r and the masked message, concatenated.
• Decryption: Given ciphertext c = ⟨r, s⟩ and key k:
  • Output the plaintext m := F_k(r) ⊕ s, where s is the second part of the ciphertext (without r).
• Note: this exact construction is not used as-is in practice because it doubles the size of the ciphertext: every c carries its own r.
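The construction above as an added example (not from the lecture or the KL textbook). F_k is instantiated with HMAC-SHA256, an assumption, so n = 256 bits and a message is one 32-byte block. The block also plays the CPA indistinguishability game against a deterministic stand-in (a reused pad F_k(0) ⊕ m, chosen here for contrast) to show what the randomness buys: one chosen-plaintext query wins every time against the deterministic scheme and only half the time against the randomized one.

```python
"""Randomized encryption from a PRF: c = <r, F_k(r) XOR m>, plus the CPA game.

Added example, not from the lecture. F_k is instantiated with HMAC-SHA256
(assumption), so n = 256 bits and a message is one 32-byte block."""
import hashlib
import hmac
import os
import secrets
from typing import Callable

N_BYTES = 32          # n = 256 bits


def prf(k: bytes, r: bytes) -> bytes:
    """F_k(r): keyed function the attacker cannot tell apart from a random function."""
    return hmac.new(k, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen() -> bytes:
    return os.urandom(N_BYTES)                 # uniform k in {0,1}^n


def encrypt(k: bytes, m: bytes) -> bytes:
    if len(m) != N_BYTES:
        raise ValueError("single-block construction: message must be n bits")
    r = os.urandom(N_BYTES)                    # fresh uniform r for every encryption
    return r + xor(prf(k, r), m)               # <r, F_k(r) XOR m>: 2n bits of ciphertext


def decrypt(k: bytes, c: bytes) -> bytes:
    r, s = c[:N_BYTES], c[N_BYTES:]            # the receiver needs r, so it travels in the clear
    return xor(prf(k, r), s)


def deterministic_encrypt(k: bytes, m: bytes) -> bytes:
    """Deterministic stand-in (a reused pad F_k(0)): the same m always gives the same c."""
    return xor(prf(k, bytes(N_BYTES)), m)


def cpa_game(enc: Callable[[bytes, bytes], bytes], trials: int = 400) -> float:
    """CPA indistinguishability game. The attacker picks m0, m1, receives the
    challenge Enc_k(m_b) for a hidden bit b, may ask for Enc_k(m0), and guesses b.
    Returns the attacker's win rate: ~1.0 breaks the scheme, ~0.5 is the best
    possible against a CPA-secure one."""
    m0, m1 = b"A" * N_BYTES, b"B" * N_BYTES
    wins = 0
    for _ in range(trials):
        k = keygen()
        b = secrets.randbelow(2)
        challenge = enc(k, (m0, m1)[b])
        query = enc(k, m0)                     # chosen-plaintext query after the challenge
        guess = 0 if query == challenge else 1
        wins += int(guess == b)
    return wins / trials


if __name__ == "__main__":
    k = keygen()
    m = b"attack at dawn, bring 32 bytes!!"   # constructed 32-byte sample message
    print("same ciphertext twice?", encrypt(k, m) == encrypt(k, m))
    print("deterministic:", cpa_game(deterministic_encrypt), "randomized:", cpa_game(encrypt))
```

Nothing in the randomized scheme hides r; security rests only on F_k(r) being unpredictable for a fresh r, which is exactly the pseudorandomness assumption the proof sketch on the slide reduces to.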
CPA security: How to provide security against chosen-plaintext attacks? (Informal)
[Diagram: the random string r and the key k are the inputs of F; the output of F is XORed with the plaintext to give the ciphertext.]
- The one-time pad is not secure against CPA: the key is the same for every message, so from a single pair (m, c) the attacker obtains the key as m ⊕ c.
Block Cipher Modes of Operation
Encryption of Arbitrary-length Messages
Block Cipher Modes of Operation: ECB
• Electronic Code Book (ECB) mode: each plaintext block is encrypted independently.
  Encryption: c_i = F_k(m_i) for the blocks m1, m2, ..., mk.
  Decryption: m_i = F_k^{-1}(c_i).
• Any problems?
  - No randomness.
  - A change is localized: patterns in the plaintext appear in the ciphertext.

Block Cipher Modes of Operation: ECB
• Problems
  • No randomization (no CPA security).
  • Patterns in the plaintext could appear in the resulting ciphertext.
  Figure from Wikipedia.
Block Cipher Modes of Operation: CBC
• Cipher Block Chaining (CBC) mode.
  Encryption: c_1 = F_k(IV ⊕ m_1), c_i = F_k(c_{i-1} ⊕ m_i) for i > 1.
  Decryption: m_1 = F_k^{-1}(c_1) ⊕ IV, m_i = F_k^{-1}(c_i) ⊕ c_{i-1} for i > 1.
• IV: initialization vector. Note: the IV is sent with the ciphertext blocks.
  - Without the IV, there would be no randomness.
  - The IV cannot be repeated or predicted in this mode.
  - The function F must be invertible to be able to decrypt the ciphertext.
Block Cipher Modes of Operation: CBC
• How to choose the initialization vector?
  • The IV must not be predictable.
  • The IV should not repeat.
• CBC characteristics:
  • An invertible function is used, i.e., a pseudorandom permutation/block cipher.
  • Encryption cannot be performed in parallel: c_i depends on c_{i-1}.
  • Decryption can be performed in parallel: to decrypt c_3 we only need c_3 and c_2 (and the IV for c_1), which are all already available.
Block Cipher Modes of Operation: Stateful CBC?
• Is the chained CBC mode (stateful CBC mode) secure against CPA attacks?
  In chained CBC, the last ciphertext block of one message (c3 below) is used as the IV of the next message instead of a fresh random IV:
  c1 = F_k(IV ⊕ m1), c2 = F_k(c1 ⊕ m2), c3 = F_k(c2 ⊕ m3), then c4 = F_k(c3 ⊕ m4), c5 = F_k(c4 ⊕ m5).
• Example: the attacker can learn whether m1 is a particular message m' (say m' = "hello"). The IV and c3 are public.
  - Set m4 = IV ⊕ c3 ⊕ m' and ask for its encryption. Then c4 = F_k(c3 ⊕ m4) = F_k(IV ⊕ m'), while c1 = F_k(IV ⊕ m1).
  - Check if c4 = c1: if so, the message is the same (m1 = m' = "hello").
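The chained-CBC attack above as an added example (not from the lecture). The block cipher F is modeled by HMAC-SHA256 truncated to the 16-byte block length, an assumption; CBC encryption uses only the forward direction of F and the attack never decrypts, so invertibility is not needed here. `ChainedCBC` and `distinguish` are names chosen for this example. The attacker sees every ciphertext block on the wire, so it always knows the chaining value the next message will use as its IV.

```python
"""Chosen-plaintext attack on chained (stateful) CBC (added example, not from the lecture).

F is modeled by HMAC-SHA256 truncated to the 16-byte block length, an assumption: CBC
encryption only uses the forward direction of F and the attack never decrypts."""
import hashlib
import hmac
import os
from typing import List, Tuple

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def F(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


class ChainedCBC:
    """CBC whose IV for the next message is the last ciphertext block of the previous one."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)            # random IV for the very first message only

    def encrypt(self, blocks: List[bytes]) -> Tuple[bytes, List[bytes]]:
        iv, prev, out = self.chain, self.chain, []
        for m in blocks:
            prev = F(self.key, xor(prev, m))      # c_i = F_k(c_{i-1} XOR m_i)
            out.append(prev)
        self.chain = prev                         # carried over as the next message's IV
        return iv, out


def distinguish(enc: ChainedCBC, iv: bytes, c1: bytes, last: bytes, guesses: List[bytes]) -> List[bytes]:
    """Test guesses m' for the first block m1 of an observed message (iv, c1, ...).
    `last` is the latest ciphertext block seen on the wire, i.e. the next IV, which
    the attacker knows. Asking for m = last XOR iv XOR m' yields
    F_k(last XOR m) = F_k(iv XOR m'), which equals c1 = F_k(iv XOR m1) iff m' = m1."""
    confirmed = []
    for guess in guesses:
        _, (c,) = enc.encrypt([xor(xor(last, iv), guess)])   # one chosen-plaintext query
        if c == c1:
            confirmed.append(guess)
        last = c                                  # our own ciphertext becomes the next IV
    return confirmed


if __name__ == "__main__":
    enc = ChainedCBC(os.urandom(BLOCK))
    iv, ct = enc.encrypt([b"hello, world!!!!", b"second block...."])     # victim's message
    print(distinguish(enc, iv, ct[0], ct[-1], [b"goodbye world!!!", b"hello, world!!!!"]))
```

The attack costs one query per guess and never touches the key; what makes it work is only that the next IV is predictable before the plaintext is chosen, which is why the slide on CBC demands an unpredictable IV rather than merely a non-repeating one. This is the weakness behind the BEAST attack on TLS 1.0, whose CBC records were chained in exactly this way.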
Block Cipher Modes of Operation: OFB
• Output Feedback mode.
  Keystream: y_1 = F_k(IV), y_i = F_k(y_{i-1}) for i > 1.
  Encryption: c_i = y_i ⊕ m_i. Decryption: m_i = y_i ⊕ c_i.
  Note: the IV is sent with the ciphertext blocks.
• While it is still sequential, most of the computation (the keystream) can take place in advance, without knowing the plaintext.
• The IV cannot repeat (why? a repeated IV reproduces the same keystream, so XORing the two ciphertexts reveals m ⊕ m' for the two messages).
• The IV could be chosen uniformly at random (assuming a sufficient block length), or a stateful variant can be used.
• Note: the function F does not have to be invertible.
  - The XORs are cheap and can be done as soon as each keystream block is available, but the F computations must be done sequentially (not in parallel), in both encryption and decryption.
Block Cipher Modes of Operation: CTR
• Counter (CTR) mode.
  Keystream: y_i = F_k(CTR + i - 1), i.e., F_k(CTR), F_k(CTR + 1), F_k(CTR + 2), ...
  Encryption: c_i = y_i ⊕ m_i. Decryption: m_i = y_i ⊕ c_i.
  Note: the counter value CTR is sent with the ciphertext blocks.
• Encryption/decryption can be done in parallel.
• The inputs CTR + i cannot repeat over all encryptions with the same key (why? a repeated input reuses the same keystream block, which reveals the XOR of the two plaintext blocks).
  - The block length must be long (128 bits): if it is short, counter values will repeat easily.
• To achieve the above, the CTR value can be chosen uniformly at random, assuming a sufficient block length.
• A stateful variant is also possible.
• There are other implementation variants, where the CTR is expressed as (nonce ‖ counter); ‖ denotes concatenation.
Note about OFB and CTR modes
• Earlier, we showed that chained (stateful) CBC is not secure against CPA attacks.
• However, stateful secure variants of OFB and CTR exist.
Notes:
- CTR is more sensitive to errors in the initial counter value than CBC is to errors in IV initialization.
- The IV has the same length as the message block; if it is small, the number of collisions (repeated IVs) will increase after a certain number of encryptions.
Security and Implementation Aspects (1/2)
• Block length: what if the block length was selected to be short?
  • If the block length is short, a randomly selected IV is expected to repeat after a certain number of encryptions. This will break the security of the scheme.
  • Recall: the IV has the same length as the block length.
  • If the block length is 64 bits, a repetition is likely to happen (with probability more than 0.5) after more than 2^32 encryptions are performed. See the birthday paradox. We will discuss this paradox later in the course.
  • The short block length is one of the drawbacks of DES and 3-DES. The block length in AES is 128 bits, which avoids this drawback.
• Note: in practice, there is usually a limit on the maximum number of blocks that can be encrypted under the same key using a specific mode, to avoid security issues.
Security and Implementation Aspects (2/2)
• Misuse of the initialization vector
  • If the initialization vector is not chosen properly, e.g., due to mistakes in implementation or improper randomness generation, security will not hold.
  • Some of the previous modes are more sensitive to misuse of the initialization vector, e.g., OFB and CTR (can you see why? a repeated IV or counter reuses the keystream). CBC mode can be affected as well, but not as severely as OFB or CTR.
• What if the message length is not a multiple of the block length?
  • The message will have to be padded in modes like CBC and ECB. We will see a way shortly.
  • Padding does not have to be applied for the CTR and OFB modes: the keystream is simply truncated to the message length.
Chosen-ciphertext Attacks
Recall: Chosen-ciphertext Attacks
• In this threat model, the adversary can acquire decryptions of selected ciphertexts (except for the target ciphertext itself).
• Is this a realistic scenario?
  • Shortly, we will see a real-world attack.
  • Given just one bit of information about each decrypted ciphertext, the adversary can learn the whole plaintext.
• To realize this attack, we will introduce "malleability".
Malleability (Informal)
• An encryption scheme is malleable if it is possible to modify the ciphertext in a way that causes a predictable change in the plaintext, without knowing the original plaintext.
• All the encryption schemes we discussed so far are malleable.
  • If Alice sends an encrypted transaction to a bank using a one-time pad, and the attacker knows the format of the message, the attacker can change the amount.
Malleability (Example)
• Alice encrypts m = "WITHDRAW 1000" with the one-time pad: c = m ⊕ k.
• The attacker intercepts c and changes the last few bits of c to obtain c'.
• The bank decrypts c' to m' = "WITHDRAW xxxx": flipping bits of c flips exactly the same bits of the plaintext, so the amount changes without the attacker knowing k.
Encryption using block cipher modes of operation - Revisited
• In the following, we will consider the CBC mode case.
• What if the plaintext message is not a multiple of the block length L in CBC mode?
  • Padding.
• PKCS#5 padding:
  • If the message is x bytes long and the block length is L bytes, then (L – (x mod L)) bytes will need to be added as padding.
  • Let b = L – (x mod L).
  • All the padded bytes will have the value b.
  • If b = 4, then four bytes will be padded as 0x04 0x04 0x04 0x04.
  (PKCS#5 is defined for 8-byte blocks; PKCS#7 uses the same rule for any block length up to 255 bytes.)
• Note that if the message is a multiple of the block length, padding still takes place (a full block of L bytes, each equal to L). Why? So that the receiver can always tell where the message actually ends and does not confuse message bytes with padding.
Padding Example
• If the block length L = 8 bytes,
  • The sender pads the message according to the previous rule, e.g., if the message length is 5, it will be padded as:
    xx xx xx xx xx 03 03 03
  • After decryption, the receiver checks the padding and proceeds only if the padding is correct.
Padding Oracle
• What if the padding is incorrect?
  • An error message will be returned by the receiver.
  • This one bit of information can be used in an attack.
  • Note: this still holds if the only observable difference is a change in timing, or whether any response is received at all.
• This flaw was present in many web applications.
Recall: CBC mode Encryption / Decryption
  Encryption: c_1 = F_k(IV ⊕ m_1), c_i = F_k(c_{i-1} ⊕ m_i).
  Decryption: m_1 = F_k^{-1}(c_1) ⊕ IV, m_i = F_k^{-1}(c_i) ⊕ c_{i-1}.
• Note: any change in c_i garbles m_i completely and flips exactly the same bits in m_{i+1}, because c_i is XORed into the decryption of c_{i+1}. Likewise, a change in the IV flips the same bits of m_1.
Padding Oracle Attack
• Let's consider two blocks only for simplicity: the ciphertext is (IV, c1).
• Padded plaintext = IV ⊕ F^{-1}(k, c1).
• The attacker will modify the IV, send (IV', c1) to the receiver instead of (IV, c1), and check the reaction of the receiver: success or padding error?
Padding Oracle Attack
• Padding Oracle Attack Animation
  • Slides by Prof. Jonathan Katz [Link]
• Follow-up questions:
  • Why does the attacker choose to modify the IV and not the ciphertext block c1? (Hint: a change in c1 is scrambled by F^{-1}, while a change in the IV flips the same bits of the plaintext.)
  • How to protect against this kind of attack?
  • We will study this later in the course.
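The PKCS#5 padding rule, the receiver's padding check and the padding-oracle attack from the slides above, as one added example (not from the lecture or from Prof. Katz's animation). The block cipher is a 4-round Feistel network with an HMAC-SHA256 round function, an assumption standing in for DES/AES that gives an invertible 16-byte block cipher; `make_oracle` models the receiver as nothing but a yes/no padding check, and `recover_block` and `padding_oracle_attack` are names chosen here. The attack goes beyond the two-block case in the slides: it recovers every block by forging the block that precedes it (the IV for c1), last byte first, and handles the case where the last byte accidentally validates as a longer padding.

```python
"""CBC padding-oracle attack on PKCS#5/#7 padding (added example, not from the lecture).

The block cipher is a 4-round Feistel network with an HMAC-SHA256 round function,
an assumption standing in for DES/AES that gives an invertible 16-byte block cipher."""
import hashlib
import hmac
import os

BLOCK = 16            # block length L in bytes
HALF = BLOCK // 2


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k, i, half):
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(k, block):
    """F(k, .): Feistel rounds (L, R) -> (R, L XOR f(R))."""
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, xor(left, _round(k, i, right))
    return left + right


def block_decrypt(k, block):
    """F^{-1}(k, .): the same rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(k, i, left)), left
    return left + right


def pad(m):
    b = BLOCK - (len(m) % BLOCK)       # 1..BLOCK: a whole block is added if m is aligned
    return m + bytes([b]) * b


def unpad(p):
    b = p[-1]
    if not 1 <= b <= BLOCK or p[-b:] != bytes([b]) * b:
        raise ValueError("bad padding")  # the one bit the oracle leaks
    return p[:-b]


def cbc_encrypt(k, m):
    prev = os.urandom(BLOCK)           # random IV, sent as the first block
    out, p = [prev], pad(m)
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(k, xor(prev, p[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(k, c):
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    p = b"".join(xor(block_decrypt(k, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    return unpad(p)


def make_oracle(k):
    """The receiver, reduced to what the attacker observes: padding OK or error."""
    def oracle(c):
        try:
            cbc_decrypt(k, c)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev, target):
    """Plaintext of `target` = F^{-1}(k, target) XOR prev, learned last byte first by
    sending (forged previous block, target) and watching the padding check."""
    inter = bytearray(BLOCK)           # F^{-1}(k, target), filled from the right
    for j in range(BLOCK - 1, -1, -1):
        padv = BLOCK - j               # padding value forced onto bytes j..BLOCK-1
        forged = bytearray(BLOCK)
        for t in range(j + 1, BLOCK):
            forged[t] = inter[t] ^ padv  # already-known bytes decrypt to padv
        for g in range(256):
            forged[j] = g
            if not oracle(bytes(forged) + target):
                continue
            if j == BLOCK - 1:         # 02 02 (etc.) would also pass; disturb the byte
                forged[j - 1] ^= 0xFF  # before it and re-ask to be sure it is 01
                still_ok = oracle(bytes(forged) + target)
                forged[j - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[j] = g ^ padv        # decrypted byte was padv = inter[j] XOR g
            break
        else:
            raise RuntimeError("no guess accepted: not a padding oracle?")
    return xor(bytes(inter), prev)


def padding_oracle_attack(oracle, c):
    """Whole plaintext of IV || c1 || ... || cn, one block at a time."""
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(padded)


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    ct = cbc_encrypt(key, b"WITHDRAW 1000 from account 4242")   # constructed sample message
    print(padding_oracle_attack(make_oracle(key), ct))
```

Each byte needs at most 256 oracle queries, so a block costs at most 4096, and the attacker never needs the key or F^{-1} itself: it only needs the receiver to reveal, through an error message, a timing difference or silence, whether the padding check passed. Modifying c1 instead of the preceding block would scramble the whole of F^{-1}(k, c1) and give no controlled effect on the plaintext, which answers the first follow-up question above.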
