
Lecture 9: Modes of Operation for Block Ciphers by Christof Paar

  • Published: 29 Jan 2014
  • For slides, a problem set and more on learning cryptography, visit www.crypto-textbook.com

Comments • 83

  • @chrispap2292 4 years ago +66

    The class is so good that even when the professor speaks German I feel like I understand.

  • @Stillshot10200 3 years ago +18

    Prof Paar, In case you still may see this, I am eternally grateful for your willingness to make this content available online. I have your book and I truly believe without your content, a student like myself (did not attend high school) would never be able to study this subject. I have been able to grasp everything this far taught and learned a lot of math along the way. Should we meet in the future (which I believe we will) I'll owe you a drink. Thanks again. (I tried to send this as an email but it bounced back)

  • @mr.shanegao 3 years ago +18

    More on block ciphers: introduction 2:30
    Electronic code book mode (ECB) 16:20
    Cipher block chaining mode (CBC) 44:30
    Output feedback mode (OFB) 1:13:00

  • @tomynguyen3497 5 years ago +6

    I remember watching this a year ago and I didn't know what any of this meant. Then I started university and realized how awesome this lecture was. I felt like a pro throughout the entire lecture.

  • @Vishuddha12 7 years ago +13

    Appreciate these lectures very much. Your enthusiasm is fantastic and brings the content to life.

  • @JeremyDonoghue 6 years ago +11

    Who knew taking German classes along side my CS ones would come in so handy!

  • @mvcavinato 3 months ago +1

    14 years after the recording of this video, it is still perfect.

  • @simpleguy2k 6 years ago +2

    Without this, how could I understand modes of operation of block ciphers! Great teachings from the heart!

  • @ceyhunugur1907 1 year ago

    Mr Paar, these contents are GREAT GREAT GREAT. Thank you so much for making them online. Greetings from Turkey!!

  • @dheeraj941 5 years ago +22

    Dear Professor Paar, the decryption part of AES hasn't been put up, so I had to go through your book, and I couldn't ki and W[1] to W[43] part. Could you please elaborate? I think it's a part of the key schedule.

  • @mksarav75 6 years ago +3

    Excellent, crystal clear lecture. Thanks for recording this and sharing it to the world.

  • @gillesmbissileu8879 2 years ago +1

    Thank you, danke schön!!

  • @davelloyd- 5 years ago +1

    Wow. My book also did not make it clear that OFB is a stream cipher. Your lectures are awesome!

  • @chrisgermann7414 4 years ago +1

    Thank you sooo much for these lectures! I love them!!!!!

  • @kylekenny5478 6 years ago

    Dear Mr. Paar, You are the best.

  • @avrelyy 10 years ago

    Excellent lecture!

  • @rrr00bb1 8 years ago

    The explanation of IV is much more clear when it is just treated as the output of a previous block, that didn't exist, so a nonce is used. The stream modes are much more easily explained by referring to a one-time-pad, and talking completely separately about generating the keystream for one. My favorite is AES256 CTR, because in the real-world, you need to range request out of encrypted data.

  • @1UniverseGames 3 years ago +1

    Any video series of such a class that shows the coding as well, the implementation part of the theory?

  • @psy0rz 4 years ago

    Awesome! It's more than 3 years later. Can we watch that course about determinism and cryptanalysis somewhere?

  • @martovify 6 years ago

    Let's say that my second block is a high-precision date, up to milliseconds.
    Since in CBC the blocks are chained, would that mean that if I were to use the same IV for every message, my messages would still be secure after the second block?
    Would that work the other way around? Could I make my IV a high-precision date?

  • @roseb2105 6 years ago

    So, to understand: is the attack possible when all transactions going from bank A to B have the same cipher (coded) text?

  • @mohamedftouh9401 7 years ago

    Propose an OFB mode scheme which encrypts one byte of plaintext at a time, e.g., for encrypting key strokes from a remote keyboard. The block cipher used is AES. Perform one block cipher operation for every new plaintext byte. Draw a block diagram of your scheme and pay particular attention to the bit lengths used in your diagram. Do the key stream bits equal 128 bits or 8 bits?

  • @shivangitomar5557 2 years ago

    Amazing!!!

  • @roseb2105 6 years ago

    Is s_{i-1} like y_{i-1}? And if the y_i correspond to the plaintext x_i, then if we store the previous y_i, how does that not lead to having the same ciphertext? I guess I don't understand the difference between output feedback mode and cipher block chaining mode.

  • @adrienloridan1764 5 years ago

    Thank you!

  • @sidk5919 6 years ago

    Thanks!

  • @roseb2105 6 years ago

    Also, how would Oscar know which amounts are being transferred?

  • @anoopmourya3574 5 years ago

    Thanks a lot

  • @chandnivaya945 7 years ago

    For ECB, if Oscar wiretaps the communication and gets the message in encrypted form, would it still be difficult to figure out the key, given that he even knows the clear text? Would the key space still be 2^128?

    • @introductiontocryptography4223 7 years ago +1

      Yes, the key space for a 128-bit-key cipher would still be 2^128. In fact, it is the standard assumption in cryptography that the attacker does know a few pieces of plaintext. regards, christof

  • @geiserina 8 years ago +1

    For ECB example where Oscar changes the bank account in all transfers for his own bank account so he gets all the money: this would be only possible while transfers are encrypted with the same key as Oscar's 1€ transfers were done in the beginning, right?

  • @gototcm 8 years ago

    In ECB mode, from a practical standpoint, can Oscar really change the Cipher text and send it onto the Bank B? The Cipher text does not have to go through Oscar before going to Bank B (not serial) and in fact goes to Bank B and him “in parallel.” By the time he changes the Cipher text, Bank B has already received it. What am I missing?

    • @dwede1man 8 years ago

      +Tom M The attack method for this example is called Man in the Middle because it requires that Oscar has the ability to insert himself into the communications stream in a way that allows him to intercept, inspect, manipulate, and forward each message originating from Alice. The messages that are of no interest to Oscar are simply forwarded, the interesting ones are manipulated then forwarded.

  • @sivaramrasathurai7131 5 years ago

    Sir, how does Oscar identify his account number block, which is encrypted in AES? Because there are 5 blocks in a protocol, how can he distinguish them?

    • @stevepreston8226 3 years ago

      Oscar has to know beforehand that there are five blocks and what they are. So he knows that the fourth block is his Bank B account number. He can get that when he sees the 5 identical blocks 100 times after doing a transfer 100 times.

  • @alicewandermeer998 4 years ago +1

    It seems like there is at least one lecture out. The previous one stops at MixColumns. And there is no information on making up different keys and decryption. Is it possible to get the missing part?

    • @slaozeren8742 3 years ago +2

      no, the topic was too broad and he could not manage the time. they probably did this part in a recitation. there is no lecture uploaded.

  • @lovlinthakkar3308 6 years ago

    Sir, in the ECB attack example, how will he exchange the account no. block with his account no.? The account no. bits will be diffused over the whole message. And moreover, changing one bit in the plaintext changes multiple bits in the ciphertext, so how really will he do traffic analysis here?

    • @introductiontocryptography4223 6 years ago +1

      Good point, but an important assumption is that the account number is NOT spread over the entire text but confined to one block. Please check 24:05. cheers, christof

    • @lovlinthakkar3308 6 years ago

      Got it, Sir. Thank you so much!

  • @MohammadHizzani 6 years ago

    Dear Sir, you mentioned that there are four algorithms that didn't win against the Rijndael algorithm, but they are also secure.
    Where can I find them?
    Thanks in advance.

  • @SS-605 7 years ago +2

    Dear Professor, just a simple funny question: why is your attacker Oscar? :D I usually came across Mallory.

    • @Axman6 6 years ago +2

      Sabah Suhail, I've usually seen Eve used, as in the eavesdropper listening in to the encrypted conversation.

  • @SG-kn2jl 6 years ago

    Professor, what about key addition, the key schedule for 128-bit, 192-bit and 256-bit keys, and decryption of AES? I can't find anyone who explains like you.

    • @introductiontocryptography4223 6 years ago +2

      Please have a look at Chapter 4 of our book Understanding Cryptography. You can download this chapter at www.crypto-textbook.com. You'll find the key schedule in Section 4.4.4
      good luck, christof

  • @miankamran4118 7 years ago +1

    very nice😀😀😀😀

  • @kavinga77 9 years ago

    In ECB mode, why can't we introduce one or two random bits into each block? If we do that, diffusion will take care of the attacker's intent. Am I right or wrong?

    • @introductiontocryptography4223 9 years ago +4

      You can certainly do that and it would help "a little". Here are the limitations of the approach you propose: If you introduce 1 random bit, every plaintext would have only 2 associated ciphertexts. An attacker would pretty quickly realize this. If you use 2 bits, there would be 4 ciphertext versions of each plaintext etc. If you would go up to, say, 48 random bits, the scheme would become stronger but you would waste a lot of bits just for the randomization. In general, for a block cipher with n input bits, one would like to be able to generate 2^n different ciphertexts which all represent the same plaintext. This is exactly what you can do with CBC mode.

    • @kavinga77 9 years ago

      Introduction to Cryptography by Christof Paar Thanks Dr! Crystal Clear!

  • @agile4733 2 years ago

    What about GCM and XTS ?

  • @brendanhardy7882 8 years ago

    When I'm on the internet and it says 'https', meaning 'secure', how exactly am I secure? It says my connection is being encrypted with AES_128, but who is the one that has the key to encrypt my connection?

    • @introductiontocryptography4223 8 years ago +3

      +brendan hardy https means that the SSL (or TLS) protocol is active. The key exchange is done with public-key algorithms. Please check out my RSA and Diffie-Hellman lectures for details how such a key exchange works. cheers, christof

    • @binodbinod1566 3 years ago

      @@introductiontocryptography4223 Sir, you have not discussed block cipher decryption in this lecture video.

  • @sudhibhat 7 years ago

    Even if Oscar wiretaps the communication network and looks at the data transferred, every time his account is encrypted with a different key. Even if he stored the encrypted text of his bank account number and then replaced this in a different message, the decryption would not work, as the key would be different in that transaction, right? The keys are changed with every transaction. This is not clear to me. Can anyone help me to understand this?

    • @introductiontocryptography4223 7 years ago +1

      Good point. I hope I made it clear that the key does NOT change. If it does, you are absolutely right, the attack doesn't work. regards, christof

    • @mmm763 5 years ago

      @@introductiontocryptography4223 But how does Oscar know that it's his account (as all information is encrypted)?

    • @lablnet 2 years ago

      @@mmm763 Because when he made hundreds of transactions he can see the similarities between the data he got, so he assumes: hey, this is my account.

  • @sjsinghsuri6441 10 years ago +5

    could not understand OFB because that part was mostly in German :/

    • @moati123 8 years ago +3

      If someone knows both English and German, maybe he can translate that part and upload it as subtitles. Thanks!

    • @Hallenyoyo 7 years ago +11

      I use the drawing from 1:22:00 in my explanation.
      The main idea of OFB is to XOR a pseudo-random bitstream to your plaintext, and to get your plaintext back you simply use the same pseudo-random bitstream and XOR it again.
      The question now is how you get the pseudo-random bitstream, and this is done by using an encryption function e (like AES). The initial input for the encryption function is the IV (same properties as the IV in CBC); after encryption with your key K you get S_i, which is your pseudo-random bitstream.
      Now you can XOR 128 bits, but you most likely need more, so you feed back your S_i into your encryption function to get 128 new pseudo-random bits, and so on.
      To decrypt your message you XOR the same bitstream again, so you need the same encryption function e, the same key K and the same initial input IV.
      He also mentions that because you always get more than one bit out of your encryption function, you can XOR your plaintext in parallel (e.g. the first 128 bits of your plaintext with the first 128 bits of S_i), which is faster.

  • @kushalamin8790 9 years ago

    In this ECB example Oscar replaces his account no. with the original.
    But the original is encrypted. So is there a need to encrypt Oscar's account no.?

    • @dwede1man 8 years ago

      +kushal amin Oscar collected many copies of the encrypted version of his account number while he was making those 100 small transactions from his account at Bank A to his account at Bank B. All that he needs to do is insert the encrypted version of his Bank B account number into the message (in the correct place) and the money flows to him.

  • @peace7311 4 years ago

    CBC @ 44:00

  • @michalbotor 4 years ago

    I would never have imagined that I would once be attending an almost crime school in Germany, with its famously law-abiding citizens. lol.

  • @denizdanaie5997 4 years ago

    Awesome Videos! I just wish everything were in English and the other modes were explained as well XD

  • @divamlehri9850 7 years ago

    Superb explanation... You just simplified cryptography!!
    In CBC mode the first problem faced in ECB mode was addressed using the IV, but how was the second problem, of encrypting the whole message, addressed? IVs are not secret, so any intruder can intercept and modify a particular block of ciphertext and then send it again to the receiver. How is this issue addressed?

    • @introductiontocryptography4223 7 years ago

      Good point. CBC mode, just like ECB, does not provide what is called "message integrity". There are different ways of achieving message integrity, though: message authentication codes, or MACs (cf. my Lecture 22), digital signatures (cf. Lecture 18) or so-called authenticated encryption modes (sorry, no lecture on this). regards, christof

    • @ashleymusihiwa 6 years ago

      hashes
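
    Added example (not code from the lecture, the book or crypto-textbook.com): a runnable reproduction of three points raised in the comments on this page. It reproduces the ECB cut-and-paste attack on the five-block bank transfer (Oscar inserts the ciphertext of his own receiving-account block without ever knowing the key, provided the bank keeps the same key), shows the missing message integrity in CBC that Christof's reply above mentions (XORing a difference into one ciphertext block changes the next plaintext block predictably and garbles the current one, given one known plaintext block), and shows why the OFB keystream from the 1:22:00 explanation must never be reused under the same key and IV. The block cipher is an assumption made here so that the code needs only the Python standard library: a 4-round Feistel network with HMAC-SHA256 as round function, standing in for AES; the mode-level behaviour does not depend on that choice. The bank message fields, key and IV are constructed sample values.

    ```python
    import hashlib
    import hmac

    BLOCK = 16   # 128-bit blocks, as in AES
    ROUNDS = 4   # Feistel rounds of the stand-in cipher


    def xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))


    def _f(key: bytes, half: bytes, rnd: int) -> bytes:
        """Round function: 64-bit keyed digest of (round number, half block)."""
        return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Toy keyed permutation on 16-byte blocks (assumed stand-in for AES e_k)."""
        l, r = block[:8], block[8:]
        for rnd in range(ROUNDS):
            l, r = r, xor(l, _f(key, r, rnd))
        return l + r


    def block_decrypt(key: bytes, block: bytes) -> bytes:
        """Inverse permutation: the same rounds in reverse order (stand-in for d_k)."""
        l, r = block[:8], block[8:]
        for rnd in reversed(range(ROUNDS)):
            r, l = l, xor(r, _f(key, l, rnd))
        return l + r


    def blocks(data: bytes) -> list:
        assert len(data) % BLOCK == 0, "example uses whole blocks, no padding"
        return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


    def ecb_encrypt(key, pt):   # ECB (16:20): y_i = e_k(x_i), every block independent
        return b"".join(block_encrypt(key, x) for x in blocks(pt))


    def ecb_decrypt(key, ct):
        return b"".join(block_decrypt(key, y) for y in blocks(ct))


    def cbc_encrypt(key, iv, pt):   # CBC (44:30): y_i = e_k(x_i XOR y_{i-1}), y_0 = IV
        out, prev = [], iv
        for x in blocks(pt):
            prev = block_encrypt(key, xor(x, prev))
            out.append(prev)
        return b"".join(out)


    def cbc_decrypt(key, iv, ct):   # x_i = d_k(y_i) XOR y_{i-1}
        out, prev = [], iv
        for y in blocks(ct):
            out.append(xor(block_decrypt(key, y), prev))
            prev = y
        return b"".join(out)


    def ofb_crypt(key, iv, data):   # OFB (1:13:00): s_i = e_k(s_{i-1}), s_0 = IV, y_i = x_i XOR s_i
        stream, s = b"", iv
        while len(stream) < len(data):
            s = block_encrypt(key, s)
            stream += s
        return xor(data, stream)   # the same call decrypts: a stream cipher keyed by (k, IV)


    def transfer(*fields):
        """Constructed 5-block bank message; each field is padded with spaces to one block."""
        return b"".join(f.ljust(BLOCK, b" ") for f in fields)


    # constructed sample transfers: blocks 0..4 = sending bank, sending account,
    # receiving bank, receiving account, amount (the layout assumed in the thread)
    ALICE = transfer(b"BANK A", b"ACCT ALICE", b"BANK B", b"ACCT BOB", b"EUR 50000")
    OSCAR = transfer(b"BANK A", b"ACCT OSCAR-A", b"BANK B", b"ACCT OSCAR-B", b"EUR 1")


    def ecb_cut_and_paste(key):
        """Oscar pastes the ciphertext of his own receiving-account block into Alice's
        transfer. He never needs the key; the bank only has to keep using the same one."""
        c_alice, c_oscar = blocks(ecb_encrypt(key, ALICE)), blocks(ecb_encrypt(key, OSCAR))
        c_alice[3] = c_oscar[3]
        return blocks(ecb_decrypt(key, b"".join(c_alice)))[3].strip()


    def cbc_known_plaintext_flip(key, iv):
        """CBC has no integrity either: XORing a difference into y_3 XORs the same
        difference into x_4 = d_k(y_4) XOR y_3, while x_3 decrypts to garbage. Needs
        Bob's plaintext block, i.e. the known-plaintext assumption from the thread."""
        delta = xor(b"ACCT BOB".ljust(BLOCK, b" "), b"ACCT OSCAR-B".ljust(BLOCK, b" "))
        ct = blocks(cbc_encrypt(key, iv, ALICE))
        ct[2] = xor(ct[2], delta)   # list index 2 is y_3 in the lecture's 1-based numbering
        pt = blocks(cbc_decrypt(key, iv, b"".join(ct)))
        return pt[3].strip(), pt[2] != blocks(ALICE)[2]


    def ofb_iv_reuse(known_pt, known_ct, target_ct):
        """Same key and IV used twice: the keystream cancels, so one known plaintext
        reveals the other message, exactly as with a reused one-time pad. No key needed."""
        return xor(xor(known_pt, known_ct), target_ct)
    ```

    Under a fixed key and IV, `cbc_encrypt` still produces identical first ciphertext blocks for identical first plaintext blocks (the blocks only diverge from the first differing plaintext block onwards), which is the situation asked about in the CBC/IV question above. None of this is code to deploy: a real system uses AES from a vetted library together with an authenticated mode such as GCM, which is what closes the integrity gap the reply above describes.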

  • @kenichimori8533 4 years ago

    Line command proof.blocked.

  • @GNAVYA999 7 years ago

    Can I get the code for ECB in C or C++?

    • @beback_ 7 years ago

      Crypto libraries provide that. Intel IPP Crypto is one I know of.

  • @Mindraker1 7 years ago

    Confused about CBC "Verkettung"? Look it up on wikipedia. Seriously, people.
    en.wikipedia.org/wiki/Block_cipher_mode_of_operation

  • @lablnet 2 years ago +2

    Oh Dear sir, you missed Decryption of AES !

  • @johnarthro5127 7 months ago

    get rich quick scheme😂

  • @kenichimori8533 4 years ago

    3*3=+3+4+5+6