WEBVTT 1 00:00:00.120 --> 00:00:03.799 Welcome to the deep dive. Today, we're venturing into the 2 00:00:04.440 --> 00:00:08.560 really fascinating realm of cryptography and computer security. 3 00:00:09.039 --> 00:00:11.759 Indeed, we've got quite a bit of material here, covering 4 00:00:11.800 --> 00:00:16.239 everything from the sort of deep mathematical roots of encryption 5 00:00:16.480 --> 00:00:18.559 all the way to how it protects us every day. 6 00:00:18.879 --> 00:00:21.719 Right, and our mission really is to sift through all this, 7 00:00:21.879 --> 00:00:24.239 pull out the key insights and maybe show you some 8 00:00:24.280 --> 00:00:28.280 connections you hadn't thought of. Because cryptography, it sounds technical, 9 00:00:28.519 --> 00:00:29.320 but it's everywhere. 10 00:00:29.359 --> 00:00:33.479 Oh absolutely, think about secure websites, messaging apps, even your phone, security, 11 00:00:33.560 --> 00:00:36.479 your car. It all relies on the stuff working behind 12 00:00:36.479 --> 00:00:37.399 the scenes. 13 00:00:37.200 --> 00:00:40.280 And the consequences if it doesn't work are pretty serious. 14 00:00:40.479 --> 00:00:44.240 Yeah, we're talking email hacks, bank accounts getting breached, identity theft. 15 00:00:44.840 --> 00:00:47.439 It's not just theory. These are real threats, which. 16 00:00:47.240 --> 00:00:50.039 Makes you wonder who's doing the attacking right. The motivations 17 00:00:50.119 --> 00:00:50.759 vary a lot. 18 00:00:50.719 --> 00:00:54.719 Totally, from criminals after money to while more organized groups 19 00:00:54.759 --> 00:00:57.920 with bigger targets. It really highlights why being proactive about 20 00:00:57.920 --> 00:00:59.399 security is so vital. 21 00:01:00.159 --> 00:01:02.200 For this deep dive, we're kind of splitting in two. 22 00:01:02.719 --> 00:01:07.079 Yeah, first, we'll tackle the basics, the foundational concepts of cryptography, 23 00:01:07.120 --> 00:01:08.319 how it all works at its. 24 00:01:08.159 --> 00:01:09.159 Core and done. 25 00:01:09.239 --> 00:01:12.000 Then we'll look at the practical side, how these ideas 26 00:01:12.040 --> 00:01:14.200 actually get built into the technologies you use. 27 00:01:14.319 --> 00:01:16.599 Okay, sounds good. Let's start with the big picture then 28 00:01:17.200 --> 00:01:18.680 computer security itself. 29 00:01:18.959 --> 00:01:22.280 Right. So, at as heart, information security is about protecting 30 00:01:22.319 --> 00:01:26.000 information and systems. It comes down to three key things 31 00:01:26.159 --> 00:01:28.439 often called the CIA. 32 00:01:27.840 --> 00:01:31.400 Triad CIA not the agency I assume. 33 00:01:31.560 --> 00:01:36.040 Huh No, not that CIA. It stands for confidentiality, integrity, 34 00:01:36.280 --> 00:01:37.200 and availability. 35 00:01:37.359 --> 00:01:42.519 Okay, confidentiality, keeping secret, secret, integrity, making sure data isn't 36 00:01:42.519 --> 00:01:44.359 messed with. What about availability? 37 00:01:44.480 --> 00:01:47.959 Availability is crucial. It means authorized users can actually get 38 00:01:47.959 --> 00:01:50.959 to the information and services when they need them. Security 39 00:01:51.040 --> 00:01:54.359 isn't just about locking things down. It's also about ensuring access. 40 00:01:54.439 --> 00:01:57.120 That's a great point. We often focus on the secrecy. 41 00:01:56.640 --> 00:02:01.239 Part exactly, but think about attacks that target availability. Sabotaging 42 00:02:01.239 --> 00:02:04.480 a system like say car breaks control to lectonically or 43 00:02:04.519 --> 00:02:07.640 deleting critical data, or just blocking access to servers. Those 44 00:02:07.640 --> 00:02:09.400 are all serious security breaches. 45 00:02:09.759 --> 00:02:13.800 So information security is the umbrella term, and cybersecurity fits 46 00:02:13.840 --> 00:02:14.360 underneath it. 47 00:02:14.400 --> 00:02:21.479 Pretty much. Cybersecurity focuses specifically on protecting that digital world, networks, devices, data, 48 00:02:21.879 --> 00:02:24.120 everything in cyberspace from attacks. 49 00:02:24.240 --> 00:02:28.000 Got it. Now, let's zoom in on cryptography itself. What's 50 00:02:28.039 --> 00:02:28.840 its main job? 51 00:02:29.159 --> 00:02:34.080 Fundamentally, cryptography is about enabling secure communication and building trust 52 00:02:34.199 --> 00:02:37.120 even when people don't know each other. It's about privacy 53 00:02:37.199 --> 00:02:40.479 and security and a connected world. And you know this 54 00:02:40.520 --> 00:02:41.479 isn't a new problem. 55 00:02:41.719 --> 00:02:44.319 Ah, right. The historical examples I saw those in the notes. 56 00:02:44.520 --> 00:02:47.639 Yeah, people have wanted to send secret messages for ages. 57 00:02:48.159 --> 00:02:50.280 Think about the ancient Greeks with their side tail a 58 00:02:50.360 --> 00:02:54.680 cylinder for scrambling messages, or even Thomas Jefferson's wheel cipher. 59 00:02:54.479 --> 00:02:56.199 Much more complex, I imagine a bit. 60 00:02:56.360 --> 00:03:00.360 Yeah, mechanical shows that drive for secrecy. These were early steps. 61 00:03:00.199 --> 00:03:02.280 And then we get to things like the Enigma machine 62 00:03:02.280 --> 00:03:02.960 in World War Two. 63 00:03:03.159 --> 00:03:06.520 Right, Enigma a huge leap in complexity for its time, 64 00:03:06.840 --> 00:03:09.800 electro mechanical, very sophisticated. 65 00:03:09.080 --> 00:03:11.240 Codes famously broken by Alan Turing and. 66 00:03:11.199 --> 00:03:16.039 His team exactly, which perfectly illustrates this constant cat and 67 00:03:16.080 --> 00:03:19.800 mouse game in cryptography. Code makers build something, code breakers 68 00:03:19.800 --> 00:03:21.840 try to crack it. It's always evolving. 69 00:03:22.080 --> 00:03:25.840 Now here's something interesting. Attacks on the algorithms themselves, they're 70 00:03:25.879 --> 00:03:28.240 not usually about tricking the user, are they? 71 00:03:28.319 --> 00:03:31.719 That's a key distinction. Things like phishing they prey on 72 00:03:31.800 --> 00:03:36.120 human error, but cryptanalysis attacking the crypto algorithm aims to 73 00:03:36.199 --> 00:03:39.800 find weaknesses in the math or the design itself, not 74 00:03:39.879 --> 00:03:42.199 trying to fool you into giving up your password. 75 00:03:42.360 --> 00:03:45.400 So how does cryptanalysis work? Then? Sounds complicated? 76 00:03:45.560 --> 00:03:49.080 It can be, but the core idea is using knowledge 77 00:03:49.120 --> 00:03:52.159 of how the algorithm is built, and often these designs 78 00:03:52.159 --> 00:03:55.479 are public. Plus looking for patterns in the original message, 79 00:03:55.560 --> 00:03:56.120 the plain. 80 00:03:55.960 --> 00:03:58.240 Text, using the ciphertext the encrypted. 81 00:03:57.919 --> 00:04:02.120 Message right, analyzing the ciphertech, knowing the algorithms structure, maybe 82 00:04:02.120 --> 00:04:05.879 knowing something about the likely plaintext, you use computation to 83 00:04:05.919 --> 00:04:08.199 try and figure out the secret key or the message. 84 00:04:08.280 --> 00:04:12.319 Okay, the notes mentioned unconditional versus computational security. What's the difference. 85 00:04:12.599 --> 00:04:16.839 Unconditional security is like the theoretical ideal. It means, even 86 00:04:16.879 --> 00:04:20.480 with infinite computing power, you couldn't break the cipher. The 87 00:04:20.519 --> 00:04:21.360 one time pad is. 88 00:04:21.360 --> 00:04:23.399 An example, but not very practical. 89 00:04:23.600 --> 00:04:26.920 Not usually, No, you need a key as long as 90 00:04:26.959 --> 00:04:32.279 the message perfectly random used only once securely shared. Tricky. 91 00:04:33.680 --> 00:04:38.360 Computational security is what we rely on, meaning it's theoretically breakable, 92 00:04:38.720 --> 00:04:40.800 but it would take an absurd amount of time and 93 00:04:40.839 --> 00:04:45.319 computing power, far beyond anything feasible. Our everyday crypto relies 94 00:04:45.360 --> 00:04:45.720 on this. 95 00:04:45.839 --> 00:04:51.079 Gotcha and quickly pseudorandom number generators PR andngs. They sound random, 96 00:04:51.120 --> 00:04:52.879 but they're not quite exactly. 97 00:04:53.120 --> 00:04:56.839 They're algorithms that produce sequences that look random, but they're deterministic. 98 00:04:56.920 --> 00:04:58.199 If you know the starting point, the. 99 00:04:58.160 --> 00:04:59.680 Seed, you can predict the whole sequence. 100 00:04:59.800 --> 00:05:02.079 Yeah, that's the risk. If an attacker gets the seed, 101 00:05:02.120 --> 00:05:05.480 the randomness collapses and any security relying on it is 102 00:05:05.560 --> 00:05:08.759 potentially gone. So true randomness for seating is vital. 103 00:05:08.879 --> 00:05:12.879 Okay, makes sense. So strong algorithms plus real randomness. Now, 104 00:05:12.959 --> 00:05:16.560 let's get into some of the math behind this. Modular arithmetic, right. 105 00:05:16.639 --> 00:05:19.639 Think of clock arithmetic. After twelve, you're back to one 106 00:05:19.800 --> 00:05:23.720 that's modulo twelve. Cryptography uses this a lot, working with 107 00:05:23.839 --> 00:05:27.800 numbers within a specific range a modulus. Concepts like Fermat's 108 00:05:27.800 --> 00:05:31.959 little theorem, modular square roots their tools in the crypto toolbox. 109 00:05:31.519 --> 00:05:35.040 And groups in fields. Sounds like abstract algebra class. 110 00:05:34.720 --> 00:05:38.560 It is a bit, but structures like ZP, integers modulo 111 00:05:38.600 --> 00:05:41.839 a prime P, or finite fields FP define how addition 112 00:05:41.959 --> 00:05:44.959 and multiplication work in these limited sets. They provide the 113 00:05:45.000 --> 00:05:49.120 mathematical playground for many crypto operations. The order of an element, 114 00:05:49.160 --> 00:05:51.759 for instance, is important for security in some systems. 115 00:05:51.959 --> 00:05:55.000 The notes show examples in finite fields, like F twenty three. 116 00:05:55.240 --> 00:05:56.000 That looks different. 117 00:05:56.240 --> 00:06:00.360 Yeah, it's math with polynomials over binary fields. We're working 118 00:06:00.399 --> 00:06:02.360 with strings of bits, and the rules for adding and 119 00:06:02.439 --> 00:06:07.000 multiplying are based on polynomial math modulo some irreducible polynomial 120 00:06:07.399 --> 00:06:10.879 sounds complex, but it gives a well defined structure for operations. 121 00:06:11.360 --> 00:06:14.920 Generators are elements that can create all others through repeated multiplications. 122 00:06:14.959 --> 00:06:17.120 Okay, I'll trust you on that one. And the Chinese 123 00:06:17.120 --> 00:06:18.879 remainder theorem, what's its role? 124 00:06:19.319 --> 00:06:24.360 Ugh crt. It's a clever theorem for solving systems of congruences, 125 00:06:24.399 --> 00:06:27.279 finding a number that leaves specific remainders when divided by 126 00:06:27.279 --> 00:06:31.279 different numbers. In crypto, especially RSA, it's used to speed 127 00:06:31.319 --> 00:06:34.519 things up. You can break a big calculation down into smaller, 128 00:06:34.680 --> 00:06:37.680 faster ones modulo the factors of the main number. 129 00:06:37.879 --> 00:06:42.040 Right optimization. Okay, mad foundations late, let's talk symmetric ciphers. 130 00:06:42.399 --> 00:06:43.480 The basic idea. 131 00:06:43.319 --> 00:06:48.560 Simple concept, one shared secret key, same key to encrypt 132 00:06:48.600 --> 00:06:51.920 the plaintext into ciphertext, same key to decrypt it back. 133 00:06:52.319 --> 00:06:55.000 Security hinges entirely on keeping that key secret. 134 00:06:55.199 --> 00:06:58.480 Like the vigenera cipher that's a step up from the 135 00:06:58.480 --> 00:06:59.639 basic Cazar shift right. 136 00:07:00.399 --> 00:07:03.560 Instead of shifting every letter the same amount, Vgenia uses 137 00:07:03.600 --> 00:07:05.839 a keyword. The keyword letter tells you how much to 138 00:07:05.879 --> 00:07:07.800 shift the corresponding plaintex. 139 00:07:07.399 --> 00:07:09.480 Letter, so you repeat the keyword yeap, repeat the. 140 00:07:09.519 --> 00:07:12.360 Keyword to match the message length, then use a Visionaire 141 00:07:12.399 --> 00:07:14.560 table to do the look up. It was much harder 142 00:07:14.600 --> 00:07:16.439 to break than Caesar for a long time because it 143 00:07:16.519 --> 00:07:19.920 uses multiple alphabets. Still breakable, though, especially now. 144 00:07:19.879 --> 00:07:22.680 And reusing keys and stream ciphers is a big no, no. 145 00:07:22.959 --> 00:07:27.079 Huge mistake. Stream ciphers often generate a keystream from the key. 146 00:07:27.720 --> 00:07:30.040 If you encrypt two different messages with the exact same 147 00:07:30.120 --> 00:07:33.959 keystream problems, big problems. An attacker can xor the two 148 00:07:34.040 --> 00:07:37.560 cipher texts together, the KEYSTRM cancels out, and they're left 149 00:07:37.560 --> 00:07:41.199 with the xor of the two original plaintexts. If they 150 00:07:41.279 --> 00:07:44.839 know or can guess part one message, they can often recover. 151 00:07:44.639 --> 00:07:46.959 Both, like using the same combo on two safes. 152 00:07:47.000 --> 00:07:48.439 Good analogy yeah. 153 00:07:48.199 --> 00:07:52.079 Which leads to crib based tax sounds like spying. 154 00:07:52.240 --> 00:07:54.000 It kind of is. A crib is just a piece 155 00:07:54.000 --> 00:07:56.000 of plaintext you guess might be in the message, like 156 00:07:56.079 --> 00:07:57.959 weather report in Enigma messages. 157 00:07:58.120 --> 00:07:59.160 How does guessing help? 158 00:07:59.360 --> 00:08:01.959 You? Try a line your guest crib against the cyphertext 159 00:08:02.000 --> 00:08:04.480 at different positions. If your guess is right, it can 160 00:08:04.519 --> 00:08:07.120 help you deduce parts of the key or confirm your guess. 161 00:08:07.360 --> 00:08:11.240 It was vital for breaking Enigma, combining language knowledge with cryptoanalysis. 162 00:08:11.360 --> 00:08:16.000 However, and the XR operation itself simple logic gate but fundamental. 163 00:08:15.480 --> 00:08:18.560 Here absolutely xor is its own inverse a XR B 164 00:08:18.879 --> 00:08:22.000 xr B gets you back to a so plaintext, XR 165 00:08:22.079 --> 00:08:27.000 key stream ciphertext ciphertext XR keystream plaintext very efficient. 166 00:08:26.800 --> 00:08:29.240 But the key reuse issue comes back to xor. 167 00:08:29.439 --> 00:08:32.120 Yes, because certext one xo R so for text two 168 00:08:32.159 --> 00:08:36.720 equals plaintext one, XR keystream, XR plaintext two, XR key stream. 169 00:08:37.120 --> 00:08:40.519 The keystreams cancel leaving plaintext one xo R plaintext. 170 00:08:40.120 --> 00:08:41.399 Two, and that leaks information. 171 00:08:41.519 --> 00:08:44.639 It can, yeah, especially with things like AC encoding. The 172 00:08:44.720 --> 00:08:48.039 bit patterns for letters versus spaces are different. XOR and 173 00:08:48.080 --> 00:08:51.080 ciphertext might reveal if one character was likely a space, 174 00:08:51.120 --> 00:08:53.279 which is a common character. It gives the attack or 175 00:08:53.320 --> 00:08:54.120 a starting point. 176 00:08:54.279 --> 00:08:58.080 Okay, fascinating how simple operations have big impacts. Let's switch 177 00:08:58.120 --> 00:09:02.480 to hash functions, m as and digital signatures different goals. 178 00:09:02.159 --> 00:09:05.480 Here, totally different. Symmetric crypto is about confidentiality. These are 179 00:09:05.480 --> 00:09:07.080 more about integrity and authenticity. 180 00:09:07.159 --> 00:09:10.120 So hash functions first, like a digital fingerprint. 181 00:09:09.799 --> 00:09:13.080 Exactly takes any input data, produces a fixed size output 182 00:09:13.200 --> 00:09:15.919 the hash. Good ones are one way, easy to compute 183 00:09:15.919 --> 00:09:18.720 the hash, hard to go from hashback to input and 184 00:09:18.840 --> 00:09:22.000 collision resistant. Hard to find two different inputs that give 185 00:09:22.039 --> 00:09:22.799 the same hash. 186 00:09:23.200 --> 00:09:27.840 Saha algorithms are common examples Saha one, Saha two, Saha 187 00:09:27.879 --> 00:09:28.559 three Right. 188 00:09:29.080 --> 00:09:31.879 Saha one is weak now, but SAHA two and SAHA 189 00:09:31.879 --> 00:09:35.320 three are widely used. They have different structures and output sizes. 190 00:09:35.600 --> 00:09:38.159 SAHA three uses something called the sponge construction. 191 00:09:38.320 --> 00:09:38.879 Sponge. 192 00:09:39.080 --> 00:09:41.879 Yeah, think of absorbing the input data into an internal 193 00:09:41.919 --> 00:09:45.200 state than squeezing the hash output out. It's a flexible 194 00:09:45.240 --> 00:09:47.000 design with good security properties. 195 00:09:47.080 --> 00:09:51.279 Okay, and MAA key's message authentication codes? How are they 196 00:09:51.279 --> 00:09:52.240 different from hashes? 197 00:09:52.639 --> 00:09:56.080 Hashes verify integrity? Was the data changed? MAA keys do 198 00:09:56.159 --> 00:09:59.320 that plus authentication. They use a secret key shared between 199 00:09:59.360 --> 00:10:02.720 sender and res How you compute the MA using the 200 00:10:02.720 --> 00:10:05.360 message and the secret key. Send the message and the 201 00:10:05.480 --> 00:10:08.519 mt tag. The receiver uses their copy of the key 202 00:10:08.559 --> 00:10:11.639 to recompute the MC on the receive message. If the 203 00:10:11.679 --> 00:10:13.919 tags matched, the message is intact and it came from 204 00:10:14.000 --> 00:10:14.600 someone with the. 205 00:10:14.639 --> 00:10:17.639 Key, So it uses a shared secret like symmetric encryption. 206 00:10:17.840 --> 00:10:20.399 Yes, HMAC is a common way to build up MC 207 00:10:20.600 --> 00:10:22.159 using a hash function and a key. 208 00:10:22.399 --> 00:10:24.960 Then digital signatures, they offer non repudiation. 209 00:10:25.240 --> 00:10:29.480 Exactly digital signatures use public key crypto. The sender signs 210 00:10:29.480 --> 00:10:31.720 the message or hash of it using their private key. 211 00:10:32.159 --> 00:10:35.159 Anyone can verify the signature using the sender's public key, 212 00:10:35.480 --> 00:10:40.240 and that proves it proves integrity, message wasn't changed, and authenticity. 213 00:10:40.519 --> 00:10:44.320 Only the private key owner could create that signature. Crucially, 214 00:10:44.799 --> 00:10:48.679 it provides non repudiation. The sender can't deny signing it 215 00:10:48.879 --> 00:10:51.639 because only they have the private key. That's a key 216 00:10:51.679 --> 00:10:53.279 difference from MAC got it. 217 00:10:53.759 --> 00:10:58.240 The notes mentioned generic attacks on hashes, pre image, second 218 00:10:58.240 --> 00:10:59.879 pre image collision. What are those? 219 00:11:00.080 --> 00:11:03.440 They target? The core properties pre image given a hash, 220 00:11:03.600 --> 00:11:06.879 find any input that produces it. Second pre image given 221 00:11:06.919 --> 00:11:09.240 an input and its hash. Find a different input with 222 00:11:09.279 --> 00:11:13.759 the same hash. Collision find any two different inputs with 223 00:11:13.799 --> 00:11:14.399 the same hash. 224 00:11:14.559 --> 00:11:16.759 All bad news for security, definitely. 225 00:11:17.080 --> 00:11:21.840 They undermine the integrity and authenticity guarantees. A collision, for example, 226 00:11:21.919 --> 00:11:24.120 could let someone create a malicious file with the same 227 00:11:24.159 --> 00:11:25.480 hash as a legitimate one. 228 00:11:25.559 --> 00:11:28.320 Okay, back to cipher's for a moment. Stream cipher is 229 00:11:28.320 --> 00:11:29.240 the synchronous model. 230 00:11:29.360 --> 00:11:32.639 Right In synchronist stream ciphers, both sender and receiver generate 231 00:11:32.679 --> 00:11:36.240 the exact same keystream independently based on a shared key 232 00:11:36.279 --> 00:11:38.720 and usually an IV initialization. 233 00:11:38.120 --> 00:11:40.840 Vector, and the keystream generation is separate from the message 234 00:11:41.000 --> 00:11:41.919 completely separate. 235 00:11:42.159 --> 00:11:45.720 Keystream generation doesn't depend on the plaintext or ciphertext. You 236 00:11:45.879 --> 00:11:48.840 just XR the plaintext with the generated keystream. 237 00:11:48.840 --> 00:11:54.240 Bits and linear feedbackshift registers LFSRs are used for making keystreams. 238 00:11:54.320 --> 00:11:57.919 They're a basic building block, simple hardware shift bits along 239 00:11:58.360 --> 00:12:01.879 calculate the next bit using XORs of previous bits based 240 00:12:01.919 --> 00:12:03.320 on a feedback polynomial. 241 00:12:03.480 --> 00:12:04.480 But they have weaknesses. 242 00:12:04.559 --> 00:12:08.200 Yeah, they're linearity algorithms like burlycamp Massy can figure out 243 00:12:08.240 --> 00:12:11.000 the feedback polynomial if they see enough of the output stream. 244 00:12:11.399 --> 00:12:16.559 So real world stream ciphers use more complex nonlinear methods 245 00:12:16.600 --> 00:12:19.440 on top of or instead of basic LFSRs. 246 00:12:19.519 --> 00:12:22.799 Okay, let's shift to block ciphers. Now, how are they different. 247 00:12:22.879 --> 00:12:25.519 Block ciphers work on fixed sized chunks of data like 248 00:12:25.559 --> 00:12:28.440 one hundred and twenty eight bits for as stream ciphers 249 00:12:28.440 --> 00:12:31.000 work bit by bit or bite by byte. Block ciphers 250 00:12:31.080 --> 00:12:33.240 use the same key for each block, but apply complex 251 00:12:33.279 --> 00:12:35.679 transformation within each block, usually. 252 00:12:35.440 --> 00:12:37.960 Over multiple rounds, and they're fundamental. 253 00:12:37.799 --> 00:12:41.159 Very use for encrypting bulk data and also as components 254 00:12:41.159 --> 00:12:43.879 in other crypto things like hash functions or even stream 255 00:12:43.919 --> 00:12:45.440 ciphers when used in certain modes. 256 00:12:45.600 --> 00:12:48.759 kDa and AES are the main standards mentioned right. 257 00:12:49.080 --> 00:12:51.919 TDA or triple DS was a way to strengthen the 258 00:12:51.960 --> 00:12:55.559 older DS by applying it three times. DS itself has 259 00:12:55.600 --> 00:12:58.720 two small a key size fifty six bits now, as 260 00:12:58.759 --> 00:13:01.360 is the modern standard keys one hundred and twenty eight 261 00:13:01.440 --> 00:13:04.000 hundred and ninety two two hundred fifty six bits. Stronger 262 00:13:04.039 --> 00:13:04.759 design the. 263 00:13:04.759 --> 00:13:08.480 Old DEES process, and it intricate permutations key schedules that 264 00:13:08.720 --> 00:13:09.559 f function. 265 00:13:09.440 --> 00:13:13.399 It was initial permutation scrambles the block, then sixteen rounds. 266 00:13:13.639 --> 00:13:16.919 Each round splits the block uses the round key derived 267 00:13:17.000 --> 00:13:19.120 via the key schedule in the F function on one 268 00:13:19.159 --> 00:13:22.799 half xrs the result with the other half than swaps halves. Finally, 269 00:13:22.840 --> 00:13:27.240 an inverse initial permutation. The F function itself involved expansion, 270 00:13:27.480 --> 00:13:30.080 s box substitutions, and permutation. 271 00:13:30.080 --> 00:13:32.600 Complex and the meat and the middle attack worked against 272 00:13:32.639 --> 00:13:34.000 double des yes. 273 00:13:34.000 --> 00:13:37.639 And it reduces the security significantly. Instead of trying all 274 00:13:37.720 --> 00:13:40.679 key pairs huge number, you encrypt the plain text with 275 00:13:40.759 --> 00:13:43.679 all possible first keys and decrypt the ciphertext of all 276 00:13:43.679 --> 00:13:46.200 possible second keys. You store the results and look for 277 00:13:46.200 --> 00:13:46.919 a match in the middle. 278 00:13:46.960 --> 00:13:49.080 Cuts down the work dramatically massively. 279 00:13:49.320 --> 00:13:52.279 It makes double des not much stronger than single ds 280 00:13:52.320 --> 00:13:55.360 against this attack. TDA is structured to resist this better, 281 00:13:55.399 --> 00:13:56.559 but it's still not ideal. 282 00:13:56.600 --> 00:13:59.360 Compared to AES, AES has its own steps. 283 00:13:59.759 --> 00:14:03.720 Like SI subbites right, AES uses a state matrix sub 284 00:14:03.720 --> 00:14:07.720 bytes replaces each byte using an s box lookup. Unlike 285 00:14:07.799 --> 00:14:11.639 DESS boxes, the ads F box has a clear mathematical 286 00:14:11.679 --> 00:14:16.320 structure based on finite field arithmetic. It provides nonlinearity, and 287 00:14:16.440 --> 00:14:20.360 mixed columns uses polynomial math YEP. Mixed columns mixes the 288 00:14:20.360 --> 00:14:23.039 bytes within each column of the state matrix. Treating columns 289 00:14:23.080 --> 00:14:27.159 as polynomials over a finite field. This provides diffusion changes 290 00:14:27.200 --> 00:14:28.080 spread quickly. 291 00:14:27.919 --> 00:14:29.679 Across the block and ad round key. 292 00:14:29.879 --> 00:14:33.120 That's the simpler step. Just xor the current state with 293 00:14:33.200 --> 00:14:35.399 the round key derived from the main key via the 294 00:14:35.440 --> 00:14:38.879 key schedule. This introduces the key material into the process 295 00:14:38.919 --> 00:14:39.480 each round. 296 00:14:39.559 --> 00:14:42.320 Okay, so that's encrypting one block. But for longer messages 297 00:14:42.320 --> 00:14:44.279 we need modes of operation exactly. 298 00:14:44.559 --> 00:14:46.399 A mode tells you how to use the block cipher 299 00:14:46.480 --> 00:14:49.679 repeatedly for a longer message. Different modes have different security 300 00:14:49.720 --> 00:14:50.720 properties and uses. 301 00:14:50.879 --> 00:14:54.360 Like ECB Electronic Codebook, simple but flawed. 302 00:14:54.240 --> 00:14:57.279 Very flawed for most uses, encrypts each block independently with 303 00:14:57.320 --> 00:15:00.440 the same key. The big problem identical p plain text 304 00:15:00.480 --> 00:15:02.519 blocks produce identical sofa text. 305 00:15:02.240 --> 00:15:03.679 Block, which reveals patterns. 306 00:15:04.000 --> 00:15:07.200 Totally encrypt an image with large areas of the same 307 00:15:07.240 --> 00:15:10.159 color using ECB, and you can often still see the 308 00:15:10.159 --> 00:15:14.159 outline of the original image in the ciphertext. Generally avoid 309 00:15:14.200 --> 00:15:18.919 ECB unless you have very specific, short, non repeating data. 310 00:15:19.000 --> 00:15:20.720 CBC cipher blockchaining is. 311 00:15:20.720 --> 00:15:24.759 Better, much better. Before encrypting a plaintext block, you XORR 312 00:15:24.799 --> 00:15:27.679 it with the previous ciphertext block for the first block, 313 00:15:27.720 --> 00:15:29.320 you use a random IV, so. 314 00:15:29.240 --> 00:15:32.320 Each ciphertext block depends on all previous plaintexts. 315 00:15:32.399 --> 00:15:36.399 Right, it hides patterns, but the IV needs to be unpredictable. 316 00:15:36.600 --> 00:15:39.120 If an attacker knows the IV, it can cause problems. 317 00:15:39.200 --> 00:15:42.159 Then OFB and CTR modes they act like stream ciphers. 318 00:15:42.240 --> 00:15:44.639 Yeah, they turn a block cipher into a stream cipher 319 00:15:44.799 --> 00:15:47.679 OFB feeds the cipher's output back as input for the 320 00:15:47.679 --> 00:15:51.000 next stage. CTR encrypts a counter value for each block 321 00:15:51.240 --> 00:15:55.480 and xrrs that result. With the plaintext advantages, CTR especially 322 00:15:55.559 --> 00:15:58.799 is efficient, can be parallelized, and doesn't need padding if 323 00:15:58.799 --> 00:16:01.120 the message isn't a perfect multiple of the block size, 324 00:16:01.159 --> 00:16:02.200 it's quite popular. 325 00:16:02.399 --> 00:16:04.759 And the birthday paradox vulnerability, how does that apply? 326 00:16:05.120 --> 00:16:07.519 The birthday paradox shows you don't need that many people 327 00:16:07.519 --> 00:16:09.120 in a room to have a good chance of to 328 00:16:09.159 --> 00:16:12.840 sharing a birthday. In crypto, with block size in after 329 00:16:12.879 --> 00:16:14.840 about two en blocks, you have a decent chance of 330 00:16:14.879 --> 00:16:18.519 seeing two identical ciphertext blocks a collision. What does that 331 00:16:18.559 --> 00:16:21.679 collision mean depends on the mode. In ECB, it means 332 00:16:21.720 --> 00:16:24.799 identical plaintext blocks. In other modes, it might leak some 333 00:16:24.879 --> 00:16:28.399 information or enable certain attacks. It tells us the block 334 00:16:28.440 --> 00:16:30.600 size needs to be large enough like EES is one 335 00:16:30.679 --> 00:16:33.360 hundred and twenty eight bits to make two and two 336 00:16:33.519 --> 00:16:35.720 a huge unachievable number of blocks. 337 00:16:35.799 --> 00:16:41.440 Okay, moving beyond just confidentiality, authenticated encryption right. 338 00:16:41.519 --> 00:16:46.000 This provides confidentiality and integrity authenticity together. Standard modes like 339 00:16:46.039 --> 00:16:49.879 CBC don't inherently stop someone from tampering with the ciphertext. 340 00:16:50.080 --> 00:16:51.960 How does authenticated encryption work? 341 00:16:52.200 --> 00:16:56.159 Modes like GCM glows countermode combine an encryption mode like 342 00:16:56.200 --> 00:16:59.799 CTR with a way to generate an authentication tag like GMAC. 343 00:17:00.320 --> 00:17:03.000 This tag is calculated over the ciphertext and optionally some 344 00:17:03.080 --> 00:17:07.279 associated data you want to protect but not encrypt like headers. Exactly. 345 00:17:07.640 --> 00:17:10.960 The receiver decrypts and also recalculates the tag. If the 346 00:17:11.000 --> 00:17:13.880 calculated tag doesn't match the received tag, they know the 347 00:17:13.960 --> 00:17:17.559 data was tampered with or is an authentic GCM uses 348 00:17:17.599 --> 00:17:20.839 a nonce number used ones for each encryption. 349 00:17:20.680 --> 00:17:22.960 And GMC is just the authentication part. 350 00:17:23.160 --> 00:17:27.079 Yes, if you only need integrity and authenticity and not confidentiality. 351 00:17:27.319 --> 00:17:33.319 These modes using nonzs like GCM CCM ASGCM SIV. They 352 00:17:33.359 --> 00:17:34.880 help against replay attacks too. 353 00:17:35.440 --> 00:17:37.960 Yes, because the nonce should be unique for each message 354 00:17:38.000 --> 00:17:41.240 under the same key. Replaying an old message with its 355 00:17:41.359 --> 00:17:44.880 nons would likely be detected or processed differently, and using 356 00:17:44.920 --> 00:17:49.000 nonzas means encrypting the same plaintext twice gives different ciphertexts, 357 00:17:49.119 --> 00:17:50.720 hiding repetitions. 358 00:17:50.119 --> 00:17:52.240 And they can resist chosen ciphertext attacks. 359 00:17:52.279 --> 00:17:55.359 That's a major goal. In a chosen ciphertext attack, the 360 00:17:55.400 --> 00:17:59.200 attacker gets to see plaintext for ciphertexts they choose authenticated 361 00:17:59.279 --> 00:18:01.880 encryption modes boil this because if the attacker submits a 362 00:18:01.880 --> 00:18:05.640 tampered ciphertext, the integrity check the tag verification fails, and 363 00:18:05.680 --> 00:18:09.279 the decryption process refuses to output plaintext or signals and error. 364 00:18:09.599 --> 00:18:12.720 It stops the attacker from learning through manipulated ciphertexts. 365 00:18:12.799 --> 00:18:15.000 Okay, so we have all these tools, how do we 366 00:18:15.039 --> 00:18:16.759 actually analyze if they're secure? 367 00:18:16.839 --> 00:18:21.279 Good question. Modern crypto relies on computational security. We assume 368 00:18:21.319 --> 00:18:25.200 the attacker has limited computing power. Security and analysis tries 369 00:18:25.240 --> 00:18:27.680 to prove that breaking the system would take an infeasible 370 00:18:27.720 --> 00:18:29.240 amount of computation. 371 00:18:29.039 --> 00:18:32.759 Using theoretical models like adversaries with access. 372 00:18:32.480 --> 00:18:36.400 To oracles exactly. An oracle is a hypothetical black box 373 00:18:36.480 --> 00:18:40.200 the attacker can query like an encryption oracle, give it plaintext, 374 00:18:40.319 --> 00:18:43.960 it returns ciphertext using the secret key. By seeing how 375 00:18:44.000 --> 00:18:46.960 the oracle responds to chosen inputs, the attacker tries to 376 00:18:47.039 --> 00:18:50.160 learn the key or break the system. Different oracles model 377 00:18:50.240 --> 00:18:51.880 different attack capabilities, and we. 378 00:18:51.880 --> 00:18:54.480 Talk about permutation families and function families. 379 00:18:54.599 --> 00:18:58.039 Yeah, that's mathematical modeling. A block cipher with a fixed 380 00:18:58.160 --> 00:19:01.960 key acts like a permutation, a scrambling of all possible blocks. 381 00:19:02.319 --> 00:19:05.279 The family is the set of all possible permutations you 382 00:19:05.359 --> 00:19:08.759 get by using all possible keys. We analyze how close 383 00:19:08.799 --> 00:19:11.759 this family is to a family of truly random permutations 384 00:19:11.839 --> 00:19:15.720 or functions. HMAC is an example where this analysis is used. 385 00:19:15.839 --> 00:19:18.480 The goal is to limit the adversaries advantage. Right. 386 00:19:19.079 --> 00:19:21.599 The advantage is how much better the adversary can do 387 00:19:21.680 --> 00:19:25.440 at breaking the system, like distinguishing cipher output from random 388 00:19:25.759 --> 00:19:29.480 or finding the key, compared to just guessing randomly. A 389 00:19:29.519 --> 00:19:33.920 secure system keeps the maximum possible advantage negligibly small, even 390 00:19:33.960 --> 00:19:35.400 for powerful adversaries. 391 00:19:35.480 --> 00:19:38.599 The notes give an example of an insecure PRP Yeah. 392 00:19:38.400 --> 00:19:42.400 A pseudorandom permutation. If the output is predictable from the input, 393 00:19:42.680 --> 00:19:46.279 it's not behaving randomly, so it's insecure. A simple linear 394 00:19:46.359 --> 00:19:47.799 relationship would be an example. 395 00:19:47.960 --> 00:19:50.640 And double encryption isn't always much better if the underlying 396 00:19:50.680 --> 00:19:52.640 cipher isn't a secure PRP. 397 00:19:52.680 --> 00:19:54.759 Correct We saw that with meat in the middle on 398 00:19:54.839 --> 00:19:58.960 double dies. If the cipher has exploitable structure just layering, 399 00:19:59.000 --> 00:20:01.319 it might not help as much you'd hope. But if 400 00:20:01.319 --> 00:20:04.559 it is a secure PIP, double encryption is generally. 401 00:20:04.160 --> 00:20:07.799