Python代写:CS588BlockCipherModesofOperation


比较几种加密算法的加密模式(ECB, CBC, CTR, GCM),编写代码验证。

Requirement

Please following the submission checklist below. Late submissions will be
penalized according to course policy. Your writeup MUST include the following
information:

  1. List of collaborators (on all parts of the project, not just the writeup)
  2. List of references used (online material, course nodes, textbooks, wikipedia,…)
  3. Number of late days used on this assignment
  4. Total number of late days used thus far in the entire semester
    If any of this information is missing, at least 20% of the points for the
    assignment will automatically be deducted from your assignment. See also
    discussion on plagiarism and the collaboration policy on the course syllabus.
    While we provide you with the tools to run this lab at any platform (Windows,
    Linux and Mac OS), I strongly recommend working at a Linux or Mac OS machine
    as it will make things considerably easier for you. The instructions given for
    the rest of the description of the lab are therefore explicitly for this case
    (unless otherwise noted).

Objectives

In this lab, you will investigate the strengths and weaknesses of various
block cipher modes of operation.

Getting Familiar with Modes of Operation

A mode of operation is a way of using block ciphers like AES, which only
encrypt a fixed number of bits, to encrypt arbitrary-length messages.
You can experiment with AES and modes of operation in Python.
THIS_MODE = AES.MODE_ECB
KEY_SIZE = AES.key_size[0]
key = Random.new().read(KEY_SIZE)
iv = Random.new().read(AES.block_size)
message = ‘hello world’
cipher = AES.new(key, THIS_MODE, iv)
ciphertext = cipher.encrypt(pad(message))
—|—
We suggest you use the following pad and unpad functions to pad your message
with 0’s to the appropriate length before encrypting, and remove the zeros
upon decryption:
def pad(s):
“””Takes in a string, and returns that string with zeros appended.
Padding should be performed prior to encryption.
“”” return s + b”\0” * (AES.block_size - len(s) % AES.block_size)
def unpad(s):
“””Removes trailing zeros from a string.
Unpadding should be performed after decryption.
“”” return s.rstrip(b”\0”)
—|—

Electronic Code Book (ECB) Mode

Electronic Code Book (ECB) mode is illustrated in Figure 1. ECB mode
essentially encrypts each block of the ciphertext independently.
In tux6.ppm, you will find an image. (PPM binary format is a simple image
format where the pixels were represented as uncompressed bytes.) Encrypt that
image using Electronic Code Book (ECB) mode. Encrypt the same image using
Cipher Block Chaining (CBC) mode (described in Section 3). (When encrypting,
remove the three header lines from tux6.ppm, and prepend them unencrypted to
the ciphertext.)
Recall the definition of CPA security for a symmetric encryption scheme. When
playing the following game with a Challenger, no efficient Adversary should be
able to win with probability much more than half:

  • A key k for the encryption scheme is chosen uniformly at random by the Challenger.
  • The Adversary, which does not know k, is given access to an oracle that computes Enck() on a message m of the adversary’s choice.
  • The Adversary chooses two messages of equal length, m0 and m1 , and sends them to the
    Challenger.
  • The Challenger chooses a random bit b, produces the challenge ciphertext c = Enck(mb), and sends c to the adversary.
  • The Adversary may continue to send any message of its choice to the the oracle that computes Enck().
  • The Adversary outputs b0 = 0 if it thinks that c was the encryption of m0 , and b0 = 1 otherwise.
  • The Adversary wins if b0 = b.
    Prove that AES in ECB mode cannot satisfy the definition of CPA-secure
    encryption. In other words, present an algorithm for an Adversary that wins
    the game described above.

What to submit

  1. A file called ECB_image.ppm, with the image encrypted using Electronic Code Book mode.
  2. A file called CBC_image.ppm, with the image encrypted using Cipher Block Chaining mode.
  3. A file called ECB_writeup.txt, with a proof that AES in ECB mode is not CPA-secure.

Cipher Block Chaining (CBC) Mode

Cipher Block Chaining mode is illustrated in Figure 2. It XORs each ciphertext
block with the next plaintext before encryption. For the first block, a random
initialization vector (IV) is used instead. Note that the IV needs to be
included as part of the ciphertext in order for decryption to be possible. It
has been proven that CBC mode, unlike ECB mode, is CPA-secure if the block
cipher encryption function is a pseudorandom permutation.
However, if the IVs are incremented like a counter instead of being chosen at
random, this breaks down, as you will show in this section.
In CBC_ciphertext you will find a ciphertext. You know that it was produced
using the initialization vector in CBC_iv1, and that the ciphertext encrypts
the message in CBC_message1: “turn to page 01”. The sender isn’t using CBC
mode correctly; they should be choosing random initialization vectors, but
instead, they are incrementing the initialization vector like a counter,
adding 1 to it for every message sent. A few messages later, they will be
using the IV in CBC_iv2. What two messages can you specify as m0 and m1 in the
CPA security game when it is time to use CBC_iv2, such that you will be able
to tell the difference between the two encryptions?

What to submit

  1. A file called CBC_writeup.txt describing m0 and m1 , and explaining why this choice of message would allow you to break CPA-security.

Counter (CTR) Mode

Counter mode is illustrated in Figure 3. A random IV is chosen (as in CBC
mode), and IV , IV + 1, IV + 2, etc are fed through the block cipher
encryption function to produce a stream of randomlooking bits to XOR the
message with. It has been proven that counter mode is CPA-secure if the block
cipher encryption function is a pseudorandom permutation. However, it is
malleable, meaning that an adversary who sees a ciphertext can produce a
different ciphertext encrypting a related message!
In CTR_ciphertext and CTR_iv, find an AES in CTR mode ciphertext and the
corresponding initialization vector. You know that the ciphertext encrypts a
four digit number n that is a multiple of 10. Find a ciphertext (using the
same IV) encrypting n + 5.
Next, recall the definition of CCA2 security for a symmetric encryption
scheme. When playing the following game with a Challenger, no efficient
Adversary should be able to win with probability much more than half:

  • A key k for the encryption scheme is chosen uniformly at random by the Challenger.
  • The Adversary, which does not know k, is given access to an oracle that computes Enck() on a message m of the Adversary’s choice. The Adversary also has access to an oracle that computes Deck() on a ciphertext c of the Adversary’s choice.
  • The Adversary chooses two messages of equal length, m0 and m1 , and sends them to the Challenger.
  • The Challenger chooses a random bit b, produces the challenge ciphertext c = Enck(mb), and sends c to the Adversary.
  • The Adversary may continue to send any message of its choice to the the oracle that computes Enck(). It may also continue to send any ciphertext other than c to the the oracle that computes Deck().
  • The Adversary outputs b0 = 0 if it thinks that c was the encryption of m0 , and b0 = 1 otherwise.
  • The Adversary wins if b0 = b.
    Prove that AES in CTR mode cannot satisfy the definition of CCA2-secure
    encryption. In other words, present an algorithm for an Adversary that wins
    the game described above.

What to submit

  1. A Python 2.x script named CTR_solution.py that:
    * (a) Takes in two parameters:
    • i. The path to a file with a ciphertext, and
    • ii. The path to a file with an initialization vector.
      • (b) Prints the ciphertext encrypting the message in the original ciphertext +5, assuming that the original ciphertext encrypts a four-digit multiple of 10.
  2. A file called CTR_writeup.txt that proves that AES in CTR mode cannot satisfy the definition of CCA2-secure encryption.

Galois Counter Mode (GCM)

Galois counter mode is a mode of operation that offers both confidentiality
and integrity; that is, it is not vulnerable to attacks like the one you
executed in CTR_solution.py. You can read more about Galois counter mode on
Wikipedia ( https://en.wikipedia.org/wiki/Galois/Counter_Mode ). You can also read a
blog post explaining why GCM has recently become very popular ( [
https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-
ciphersuites/ ](https://blog.cloudflare.com/padding-oracles-and-the-decline-
of-cbc-mode-ciphersuites/) )

Modes of Encryption in the Wild

In Google chrome, you can see details about the security of a website by
clicking on the lock icon to the left of the URL. If the site is secure, it
should say “Secure Connection - Your information (for example, passwords or
credit card numbers) is private when it is sent to this site.” If you click on
“Details” right under that statement, you will see some additional
information, like what mode of operation is being used in TLS.
Choose 3 websites that offer secure connections and use the AES block cipher.
What mode of operation are they using?

What to submit

  1. A file called websites.txt naming the websites and the mode of encryption they use.

文章作者: SafePoker
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 SafePoker !
  目录