Now that we understand chosen plaintext security, let's build encryption schemes that are chosen plaintext secure. And the first such encryption scheme is going to be called cipher block chaining. So here is how cipher block chaining works. Cipher block chaining is a way of using a block cipher to get chosen plaintext security. In particular, we are going to look at a mode called cipher block chaining with a random IV. CBC stands for cipher block chaining. So suppose we have a block cipher, so E is a block cipher. So now let's define CBC to be the following encryption scheme. So the encryption algorithm, when it's asked to encrypt a message m, the first thing it's going to do is it's going to choose a random IV that's exactly one block of the block cipher. So the IV is one cipher block. So in the case of AES the IV would be 16 bytes. And then we're gonna run through the algorithm here; the IV that we chose is basically gonna be XORed into the first plaintext block.
And then the result is gonna be encrypted using the block cipher and output as the first block of the ciphertext. And now comes the chaining part, where we actually use the first block of the ciphertext to kind of mask the second block of the plaintext. So we XOR the two together and the encryption of that becomes the second ciphertext block. And so on, and so on, and so forth. So this is cipher block chaining; you can see that each cipher block is chained and XORed into the next plaintext block, and the final ciphertext is going to be essentially the IV, the initial IV that we chose, along with all the ciphertext blocks. I should say that IV stands for Initialization Vector. And we're going to be seeing that term used quite a bit: every time we need to pick something at random at the beginning of the encryption scheme, typically we'll call that an IV, for initialization vector. So you notice that the ciphertext is a little bit longer than the plaintext, because we had to include this IV in the ciphertext, which basically captures the randomness that was used during encryption.
So the first question is how do we decrypt the results of CBC encryption, and so let me remind you again that when we encrypt the first message block we XOR it with the IV, encrypt the result, and that becomes the first ciphertext block. So let me ask you, how would you decrypt that? So given the first ciphertext block, how would you recover the original first plaintext block? So decryption is actually very similar to encryption; here I wrote down the decryption circuit, and you can see basically it's almost the same thing except the XOR is on the bottom instead of on the top. And again you realize that essentially we chopped off the IV as part of the decryption process and we only output the original message back; the IV is dropped by the decryption algorithm.
Okay, so the following theorem is going to show that in fact CBC mode encryption with a random IV is semantically secure under a chosen plaintext attack, and so let's state that more precisely. Basically, if we start with a PRP, in other words our block cipher E, that is defined over a space X, then we are gonna end up with an encryption algorithm Ecbc that takes messages of length L and outputs ciphertexts of length L+1. And then suppose we have an adversary that makes q chosen plaintext queries. Then we can state the following security fact: for every such adversary that's attacking Ecbc, there exists an adversary that's attacking the PRP, the block cipher, with the following relation between the two algorithms. In other words, the advantage of algorithm A against the encryption scheme is less than the advantage of algorithm B against the original PRP plus some noise term. So let me interpret this theorem for you as usual. What this means is that essentially, since E is a secure PRP, this quantity here is negligible, and our goal is to say that adversary A's advantage is also negligible.
However, here we are prevented from saying that because we got this extra error term. This is often called an error term, and to argue that CBC is secure we have to make sure that the error term is also negligible. Because if both of these terms on the right are negligible, their sum is negligible and therefore the advantage of A against Ecbc would also be negligible. So this says that in fact for Ecbc to be secure it had better be the case that q squared L squared is much, much, much smaller than the size of the space X. So let me remind you what q and L are. L is simply the length of the messages that we're encrypting. Okay, so L could be, say, 1000, which means that we are encrypting messages that are at most 1000 AES blocks. q is the number of ciphertexts that the adversary gets to see under the CPA attack, but in real life what q is, is basically the number of times that we have used the key K to encrypt messages. In other words, if we use a particular AES key to encrypt 100 messages, q would be 100. That is because the adversary would then see at most 100 messages encrypted under this key K. Okay, so let's see what this means in the real world.
So here I've rewritten the error bound from the theorem. And just to remind you, q is the number of messages encrypted with K and L is the length of the messages. So suppose we want the adversary's advantage to be less than one over two to the thirty-two. This means that the error term had better be less than one over two to the thirty-two. Okay, so let's look at AES and see what this means. AES of course uses 128-bit blocks, so the size of X is going to be two to the 128, and if you plug this into the expression you see that basically the product q times L had better be less than two to the forty-eight. This means that after we use a particular key to encrypt 2 to the 48 AES blocks we have to change the key. Okay, so essentially CBC stops being secure after the key is used to encrypt 2 to the 48 different AES blocks. So it's kinda nice that the security theorem tells you exactly how long the key can be used and then how frequently, essentially, you have to replace the key.
Now interestingly, if you apply the same analysis to 3DES, which actually has a much shorter block, maybe only 64 bits, you see the key has to be changed much more frequently: maybe after every 65 thousand DES blocks, essentially, you need to generate a new key. So this is one of the reasons why AES has a larger block size, so that in fact modes like CBC would be more secure and one can use the keys for a longer period of time before having to replace them. What this means is having to replace the key after two to the sixteen blocks; each block of course is 8 bytes, so after you encrypt about half a megabyte of data you would have to change the DES key, which is actually quite low. And you notice with AES you can encrypt quite a bit more data before you have to change the key. So I want to warn you about a very common mistake that people have made when using CBC with a random IV. That is that the minute the attacker can predict the IV that you're going to be using for encrypting a particular message, this Ecbc is no longer CPA secure. So when using CBC with a random IV, like we've just shown, it's crucial that the IV is not predictable. But let's see an attack.
So suppose it so happens that, given a particular encryption of a message, the attacker can actually predict the IV that will be used for the next message. Well, let's show that in fact the resulting system is not CPA secure. So the first thing the adversary is going to do is he is going to ask for the encryption of a one-block message. In particular that one block is going to be zero. So what the adversary gets back is the encryption of one block, namely the block cipher encryption of the message zero XOR the IV. Okay, and of course the adversary also gets the IV. Okay, so now the adversary by assumption can predict the IV that's gonna be used for the next encryption. So let's say that IV is called, well, IV. So next the adversary is going to issue his semantic security challenge, and the message m0 is going to be the predicted IV XOR IV1, which was used in the encryption of c1. And the message m1 is just going to be some other message; it doesn't really matter what it is. So now let's see what happens when the adversary receives the result of the semantic security challenge.
Well, he is going to get the encryption of m0 or m1. So when the adversary receives the encryption of m0, tell me, what is the actual plaintext that is encrypted in the ciphertext c? Well, the answer is that what is actually encrypted is the message, which is IV XOR IV1, XOR the IV that's used to encrypt that message, which happens to be IV, and this of course is IV1. So when the adversary receives the encryption of m0, he is actually receiving the block cipher encryption of IV1. And lo and behold, you'll notice that he already has that value from his chosen plaintext query. And then, when he is receiving the encryption of message m1, he just received a normal CBC encryption of the message m1. So you realize that now he has a simple way of breaking the scheme: namely, what he'll do is he's gonna ask, "Is the second block of the ciphertext c equal to the value that I received in my CPA query? If so, I'll say that I received the encryption of m0; otherwise I'll say that I received the encryption of m1."
So really his test is this: c[1] here refers to the second block of c and c1[1] refers to the second block of c1; if the two are equal he says zero, otherwise he says one. So the advantage of this adversary is going to be 1 and as a result he completely breaks CPA security of this CBC encryption. So the lesson here is, if the IV is predictable then, in fact, there is no CPA security, and unfortunately this is actually a very common mistake in practice. In particular, even in the SSL protocol and in TLS 1.1, it turns out that the IV for record number i is in fact the last ciphertext block of record i-1. That means that given the encryption of record i-1, the adversary knows exactly what IV is going to be used for record number i. Very recently, just last summer, this was actually converted into a pretty devastating attack on SSL. We'll describe that attack once we talk about SSL in more detail, but for now I wanted to make sure you understand that when you use CBC encryption, it's absolutely crucial that the IV be random.
Okay, so now I'm going to show you the nonce-based version of CBC encryption. So in this mode the IV is replaced by a non-random but unique nonce; for example the numbers 1, 2, 3, 4, 5 could all be used as a nonce. And now the appeal of this mode is that if the recipient actually knows what the nonce is supposed to be, then there's no reason to include the nonce in the ciphertext, in which case the ciphertext is exactly the same length as the plaintext, unlike CBC with the random IV, where we had to expand the ciphertext to include the IV. Here, if the nonce is already known to the recipient, there's no reason to include it in the ciphertext, and the ciphertext is exactly the same length as the plaintext. So it's perfectly fine to use a non-random but unique nonce. However, it's absolutely crucial to know that if you do this, there's one more step that you have to do before you use the nonce in the CBC chain. In particular, in this mode now we're going to be using two independent keys, k and k1.
The key k is, as before, going to be used to encrypt the individual message blocks. However, this key k1 is going to be used to encrypt the non-random but unique nonce, so that the output is going to be a random IV, which is then used in the CBC chain. So this extra step here, encrypting the nonce with the key k1, is absolutely crucial. Without it, CBC mode encryption would not be secure. However, if it is going to be a counter you need to do one more step before actually encrypting with CBC, and in particular you have to actually encrypt the nonce to obtain the IV that will actually be used for encryption. Nonce-based CBC is similar to CBC with a random IV; the difference is that the nonce is first encrypted and the result is the IV that is used in the CBC encryption. Now the beauty of this mode is that the nonce doesn't necessarily have to be included in the ciphertext. It only needs to be in there if it's unknown to the decrypter, but if the decrypter happens to already know the value of the counter by some other means, then in fact the ciphertext is only as big as the plaintext.
There's no extra value transmitted in the ciphertext. And again, I warn that when you're using nonce-based encryption, it's absolutely crucial that the key-nonce pair is only used for one message, so for every message either the nonce has changed or the key has changed. Okay, so here I emphasize the fact that you need to do this extra encryption step before actually using the nonce. This is a very common mistake that's actually forgotten in practice, and for example in TLS this was not done, and as a result there was a significant attack against CBC encryption in TLS. Remember, the reason that this is so important to know is that in fact many crypto APIs are set up to almost deliberately mislead the user into using CBC incorrectly. So let's look to see how CBC is implemented inside of OpenSSL. So here are the arguments of the function. Basically this is the plaintext, this is the place where the ciphertext will get written to. This is the length of the plaintext. This is an AES key. Finally there is an argument here that says whether you are encrypting or decrypting.
And the most important parameter that I wanted to point out here is the actual IV, and unfortunately the user is asked to supply this IV and the function uses the IV directly in the CBC encryption mechanism. It doesn't encrypt the IV before using it, and as a result, if you ever call this function using a non-random IV, the resulting encryption system won't be CPA secure. Okay, so it's very important to know that when calling functions like this CBC encryption in OpenSSL, either supply a truly random IV or, if you want the IV to be a counter, then you have to encrypt the counter using AES before you actually call CBC encrypt, and you have to do that yourself. So again, it's very important that the programmer knows that it needs to be done, otherwise the CBC encryption is insecure. One last technicality about CBC is what to do when the message is not a multiple of the block cipher's block length. That is, what do we do if the last message block is shorter than the block length of AES, for example? So the last message block is less than sixteen bytes.
And the answer is that we add a pad to the last block so it becomes as long as sixteen bytes, as long as the AES block size. And this pad, of course, is going to be removed during decryption. So here is a typical pad; this is the pad that is used in TLS. Basically, to pad with N bytes, essentially what you do is you write the number N, N times. So for example if you pad with five bytes, you pad with the string 55555: five bytes where each byte is the value five. And the key thing about this pad is basically when the decrypter receives the message, what he does is he looks at the last byte of the last block. So suppose that value is five; then he simply removes the last five bytes of the message. Now the question is what do we do if in fact the message is a multiple of sixteen bytes, so in fact no pad is needed? If we don't pad at all, well, that's a problem, because the decrypter is going to look at the very last byte of the last block, which is not a pad byte but part of the actual message, and he's going to remove that many bytes from the plaintext. So that actually would be a problem.
So the solution is, if in fact there is no pad that's needed, nevertheless we still have to add a dummy block. And since we add the dummy block, this would be a block that basically contains sixteen bytes, each one containing the number sixteen. Okay, so we add essentially sixteen dummy bytes. The decrypter, when he's decrypting, looks at the last byte of the last block, he sees that the value is sixteen, and therefore he removes the entire block. And whatever's left is the actual plaintext. So it's a bit unfortunate that in fact if you're encrypting short messages with CBC and the messages happen to be, say, 32 bytes, so they are a multiple of sixteen bytes, then you have to add one more block and make all these ciphertexts be 48 bytes just to accommodate the CBC padding. I should mention there's a variant of CBC called CBC with ciphertext stealing that actually avoids this problem, but I'm not gonna describe that here. If you're interested you can look that up online.
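As an added worked example (not part of the lecture), here is CBC with a random IV and the lecture's padding rule, together with the predictable-IV distinguisher from earlier in this segment run against both the broken counter-as-IV variant and nonce-based CBC where the counter is first encrypted under a second key k1. A small Feistel permutation stands in for AES so the code runs offline; it is a toy, not a secure cipher, and every name here is this example's own, not OpenSSL's API.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes; the CBC code below is cipher-agnostic

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel permutation standing in for AES so the example runs
# offline: a keyed permutation on 16-byte blocks, but NOT a secure PRP.
def toy_block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest()[:8])
    return left + right

def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]), left
    return left + right

def pad(m):
    """Lecture's pad: n bytes each of value n; a whole dummy block when m is already aligned."""
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(p):
    n = p[-1]
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

def cbc_encrypt(key, iv, m):
    """Raw CBC chain over a block-aligned message; the IV is not prepended here."""
    out, prev = [], iv
    for i in range(0, len(m), BLOCK):
        prev = toy_block_encrypt(key, xor(m[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, c):
    out, prev = [], iv
    for i in range(0, len(c), BLOCK):
        out.append(xor(toy_block_decrypt(key, c[i:i + BLOCK]), prev))
        prev = c[i:i + BLOCK]
    return b"".join(out)

def encrypt_random_iv(key, m):
    """CBC with a fresh random IV: ciphertext = IV || chain, one block longer than pad(m)."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(m))

def decrypt_random_iv(key, c):
    return unpad(cbc_decrypt(key, c[:BLOCK], c[BLOCK:]))

def make_oracle(key, key1=None):
    """CPA encryption oracle whose counter is visible to the adversary. With key1 unset the raw
    counter is the IV (the broken predictable-IV variant); with key1 set this is nonce-based CBC
    and the IV is E(k1, counter), the extra step the lecture insists on."""
    ctr = [0]
    def encrypt(m):
        ctr[0] += 1
        nonce = ctr[0].to_bytes(BLOCK, "big")
        iv = nonce if key1 is None else toy_block_encrypt(key1, nonce)
        return nonce, cbc_encrypt(key, iv, m)
    return encrypt

def cpa_adversary(oracle, b):
    """The lecture's distinguisher; returns its guess of the challenge bit b."""
    iv1, c1 = oracle(bytes(BLOCK))                          # c1 = E(k, 0 xor IV1) = E(k, IV1)
    predicted = (int.from_bytes(iv1, "big") + 1).to_bytes(BLOCK, "big")
    m0 = xor(predicted, iv1)                               # m0 xor IV2 = IV1 if IV2 is predictable
    m1 = bytes([0xAA]) * BLOCK                             # any other one-block message
    _, c = oracle(m0 if b == 0 else m1)
    return 0 if c == c1 else 1                             # second block repeats -> it was m0

def advantage(key, key1=None):
    """Pr[A says 1 | b=1] - Pr[A says 1 | b=0]; 1 is a total break, 0 means A learns nothing."""
    return cpa_adversary(make_oracle(key, key1), 1) - cpa_adversary(make_oracle(key, key1), 0)
```

With the raw counter as IV the adversary's advantage is 1; once the counter is encrypted under k1 before chaining, the same adversary's advantage drops to 0.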
Okay, so that's the end of our discussion of CBC, and in the next segment we'll see how to use counter mode to encrypt multiple messages using a single key.