1
Part 3: Cryptography
Large Numbers
Random Numbers
Cryptographic Hashes
Symmetric Encryption
Asymmetric Encryption (public keys)
Digital Signatures
Digital Certificates
Protocols
2
Why Cryptography?
Authenticate humans and devices
Communication is private
Data storage can be made private
Certificates make no use of shared secrets
All the technologies are open, trusted, well known and proven
Software can be “attested”
All known network attacks do not work against cryptographically secure communications
  Except Denial of Service
3
Cryptography?
Cryptography provides “strong” techniques for
  Privacy
  Authentication
  Non-repudiation
  Un-forge-ability
Most cryptography schemes are based on
  Cryptographic Hashes
  Symmetric encryption
  Public Key Encryption
  Digital Signatures
Public Key Encryption is the solution to the problem of shared secrets
And much more
4
Large Numbers
Power of 2   Value                                         Time to crack
2^10         1,024
2^20         1,048,576
2^30         1,073,741,824
2^40         1,099,511,627,776                             1 sec
2^50         1,125,899,906,842,620                         17 mins
2^60         1,152,921,504,606,850,000                     291 days
2^70         1,180,591,620,717,410,000,000                 68 years
2^80         1,208,925,819,614,630,000,000,000             69,731 years
2^90         1,237,940,039,285,380,000,000,000,000         71,404,104 years
2^100        1,267,650,600,228,230,000,000,000,000,000     73,117,802,169 years
Time to crack a key, if 1 trillion keys can be tested in 1 sec
Total Number of Atoms on Earth: 2^160
5
Random Numbers
Cryptographically Secure Random Numbers (CSR)
  Can be generated by pseudo-random-number-generators (CSRPRNG)
Two 128 bit random numbers cannot be the same
  Will happen once in 10^15 million years (!)
  Birthday Paradox: may happen as soon as 10^7 years
Used to generate keys, identifications
Cannot guess random numbers
  Ok, maybe 1 in 10^15 million years
One in every “few thousand” numbers are prime
6
Cryptographic Hashes
A hash of a document is a fixed sized number (also called message digest) produced by some hashing algorithm (MD5, SHA-1)
No two documents can have the same hash
  Surprising, but with high level of confidence
  Slight changes in a document cause large changes in the hash
A hash of any data can be used as a “fingerprint” of that data
Document -> H -> hash
7
Hash collisions
Thought to be impossible
Only one known so far for a “good” algorithm
MD5 hash collision
8
Symmetric Encryption
Same key for encryption and decryption, Ek(Ek(m)) = m
Used for privacy
Many “unbreakable” schemes exist
Open algorithms are the best
  DES, 3DES, IDEA, AES
Key exchange a major problem (shared secret)
Plaintext: m -> E (Key: k) -> Ciphertext: Ek(m) -> E (Key: k) -> m
9
Asymmetric Encryption
Also known as Public Key Encryption
Different keys for encryption and decryption, Ek2(Ek1(m)) = m
Very varied applications
Key exchange is trivial
m -> E (Public key: k1) -> Ek1(m) -> E (Private key: k2) -> m
Note:
k1 and k2 are unrelated, yet related
Cannot find k2 if k1 is given
But there is only one k2, given a k1
My convention: K1A = Alice’s Public Key, K2A = Alice’s Private Key
10
Cryptanalysis
Breaking encryption using many different techniques, rather than “Brute Force”
Known Ciphertext Attack
Known Plaintext Attack
Chosen Plaintext Attack
Adaptive Chosen Plaintext Attack
Differential Cryptanalysis
Linear Cryptanalysis
11
Steganography
Hiding data in data, in some obscure way
  LSB of pictures
  First letter of each paragraph
Security via obscurity
Has some important advantages, especially when steganography is combined with cryptography
By removing all but the last 2 bits of each color component, an almost completely black image results. Making the resulting image 85 times brighter results in the second image
12
Kerckhoffs’s Principle
Paraphrased, the set of six rules implies:
The security of a cryptosystem must depend on the key and not the encryption algorithm. The algorithms must be widely known.
Almost all known situations where the algorithm was kept secret have been “broken”
  Enigma
  DVD encryption
  GSM encryption
  RFID encryption
  (not secret, but deployed quickly): WiFi encryption (WEP)
13
Pitfalls of Proprietary Algorithms
Proprietary algorithms violate Kerckhoffs’s principle, even if the designers did not want to violate the principle
Designers of cryptosystems fail to see their flaws
Even without knowing the cipher, the ciphers are broken
Open standards are very important in cryptography; the algorithms must be scrutinized heavily
14
Substitution Ciphers
Substitute a letter with another letter
Caesar Cipher
  Mono alphabetic
  Very easy to break
Vigenere Cipher
  Poly alphabetic
  Took 300 years to break
  Kasiski Attack
  Now we know it is easily breakable
Vigenere Cipher Table
  A B C D E F G H I J K L M N O P
A A B C D E F G H I J K L M N O P
B B C D E F G H I J K L M N O P Q
C C D E F G H I J K L M N O P Q R
D D E F G H I J K L M N O P Q R S
E E F G H I J K L M N O P Q R S T
F F G H I J K L M N O P Q R S T U
G G H I J K L M N O P Q R S T U V
H H I J K L M N O P Q R S T U V W
I I J K L M N O P Q R S T U V W X
J J K L M N O P Q R S T U V W X Y
K K L M N O P Q R S T U V W X Y Z
15
Unbreakable Cipher
Unconditionally secure
Cannot be broken with brute force
ONE TIME PAD
Not practically usable either
16
Block and Stream Ciphers
Block Cipher: N bit block of data is encrypted with N bits of key to produce N bits of output
  DES, AES, IDEA
  Most of the current ciphers
Stream Cipher
  Works one bit at a time of plaintext
  Good for hardware implementations
  RC4, SEAL
Block cipher: Plaintext + Key -> Encrypter -> Ciphertext
Stream cipher: Plaintext + Key -> State Machine -> Ciphertext
17
DES
Data Encryption Standard (DES) was created after a NIST-issued RFP in 1973, which culminated in the winner “Lucifer”. Lucifer was modified by NSA to yield DES
Plaintext -> Initial Permutation -> 16 rounds -> Final Permutation -> Ciphertext
S-BOX: Confusion
P-BOX: Permutation
18
DES “Round”
[Diagram: one DES round. Inputs L, R and Key; outputs L’, R’ and Key’. Blocks: Expansion, S-Box, P-Box, shift, Compression.]
PBOX
0: 16, 1: 7, 2: 20, 3: 21, 4: 29, 5: 12, 6: 28, 7: 17, 8: 1, 9: 15, 10: 23, 11: 26, 12: 5, 13: 18, 14: 31
SBOX
0: 14, 1: 4, 2: 13, 3: 1, 4: 2, 5: 15, 6: 11, 7: 8, 8: 3, 9: 10, 10: 6, 11: 12, 12: 5, 13: 9, 14: 0
19
Crypto Protocols
Cryptographic Protocols are “self enforcing” protocols
  As opposed to arbitrated or adjudicated protocols
They are used for:
  Privacy, Integrity, Authentication, Non-repudiation, Access Control, Anonymity
  Time stamping
  Voting
  Cash
  …and much more
20
Coin Tossing
Alice and Bob want to toss a coin, on the telephone
  Alice chooses a random number R
  Alice sends to Bob an N bit cryptographic hash(R)
  Bob guesses even or odd
  Alice sends Bob R
How does that work?
  It does, and there are many more coin toss protocols
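The coin toss works because hash(R) is a commitment: it hides the parity of R from Bob until he has guessed, and it binds Alice to R so she cannot switch afterwards. The sketch below is an added example, not from the original slides; SHA-256, the 128-bit size of R and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def commit(r):
    """hash(R): the only thing Bob sees before he guesses (SHA-256 assumed)."""
    return hashlib.sha256(r.to_bytes(16, "big")).hexdigest()

def alice_commit():
    """Alice picks a 128-bit R from a CSPRNG and publishes only hash(R).
    R must be unpredictable, otherwise the hash would not hide its parity."""
    r = secrets.randbits(128)
    return r, commit(r)

def bob_verify(commitment, revealed_r):
    """Bob recomputes the hash once Alice reveals R."""
    return secrets.compare_digest(commit(revealed_r), commitment)

def coin_toss(bob_guess, r, revealed_r):
    """One full exchange. revealed_r differs from r only if Alice cheats."""
    if bob_guess not in ("even", "odd"):
        raise ValueError("guess must be 'even' or 'odd'")
    commitment = commit(r)                       # Alice -> Bob: hash(R)
    # Bob -> Alice: bob_guess, sent before he learns anything but the hash
    if not bob_verify(commitment, revealed_r):   # Alice -> Bob: R
        return "rejected: R does not match the commitment"
    parity = "odd" if revealed_r & 1 else "even"
    return "Bob wins" if bob_guess == parity else "Alice wins"

if __name__ == "__main__":
    r, _ = alice_commit()
    print(coin_toss("even", r, r))       # honest run
    print(coin_toss("even", r, r ^ 1))   # Alice flips the parity after the guess
```
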
21
Communication
Symmetric Key Communication
  Alice and Bob agree on a key K
  Alice sends Bob a message M encrypted in K using algorithm E
A -> B: Ek(M)    Bob decrypts message: Dk(Ek(M)) = M
B -> A: Ek(M)    Alice decrypts message: Dk(Ek(M)) = M
How do Alice and Bob exchange K? “key exchange”
22
Key Exchange
Diffie-Hellman Key Exchange
Public Key based Key exchange
  Bob sends the communication key S (session key) to Alice, encrypted in Alice’s public key
  No one other than Alice can find the session key
Can be done over insecure networks
Vulnerability: Man in the middle attacks
Solution: Use digital certificates
Alice -> Bob: K1A
Bob -> Alice: EK1A(S)
23
Authentication
Bob sends a challenge to Alice
  Challenge = random number
Alice responds with the number, encrypted in Alice’s private key
Bob knows Alice’s public key, hence decrypts the response and finds it’s the same as the random number he sent
No one other than Alice can do this
Alice never exposes the private key
Public Key = User ID
Private Key = Password
NO LEAKAGE POSSIBLE!
Bob -> Alice: R
Alice -> Bob: EK2A(R)
24
RSA
Rivest Shamir Adleman: Patented in 1983, expired in 2000
Based on difficulty of factorization
Choose two large random prime numbers p and q
Compute n = p*q
Compute φ(n) = (p-1)(q-1)
Choose an integer e, such that e is coprime to φ(n)
  -- e is released as the public key
Compute d, to satisfy (d*e) mod φ(n) = 1
  -- d is kept as the private key
25
RSA
Encryption (of message m)
  m^e mod n
Decryption (of cipher m’)
  (m’)^d mod n
RSA property
  (m^e)^d mod n = m
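The RSA steps above and the challenge-response exchange from the Authentication slide, worked through in code. This is an added example, not from the original slides: the primes 61 and 53, the exponent 17 and all function names are assumptions chosen so the numbers can be checked by hand.

```python
import math
import secrets

def rsa_keygen(p, q, e):
    """Steps from the slide: n = p*q, phi = (p-1)(q-1), d*e mod phi = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)            # (public key K1, private key K2)

def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)              # m^e mod n

def decrypt(c, private):
    d, n = private
    return pow(c, d, n)              # (m')^d mod n

def respond(challenge, private):
    """Alice: encrypt Bob's challenge R with her private key, EK2A(R)."""
    d, n = private
    return pow(challenge, d, n)

def check_response(challenge, response, public):
    """Bob: undo the response with Alice's public key and compare with R."""
    e, n = public
    return pow(response, e, n) == challenge

def authenticate(public, responder):
    """Bob's side of one run: fresh random R, then verify the answer."""
    challenge = secrets.randbelow(public[1] - 2) + 2   # R in [2, n-1]
    return check_response(challenge, responder(challenge), public)

if __name__ == "__main__":
    K1A, K2A = rsa_keygen(61, 53, 17)   # toy primes (assumed); real keys use primes of 1024+ bits
    c = encrypt(65, K1A)
    print(K1A, K2A, c, decrypt(c, K2A))                  # (17, 3233) (2753, 3233) 2790 65
    print(authenticate(K1A, lambda r: respond(r, K2A)))  # True
```
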
26
Secure Hybrid Communication
Protocol 1
Alice -> Bob: Hello “Alice”
Bob -> Alice: “Alice”+“Bob”, EK2B(hash(“Alice”+“Bob”))
Protocol 2
Alice -> Bob: Hello “Alice”
Bob -> Alice: “Bob”, K1B
Alice -> Bob: Prove it
Bob -> Alice: “Alice”+“Bob”, EK2B(hash(“Alice”+“Bob”))
27
Secure Hybrid Communication
Protocol 3
Alice -> Bob: Hello “Alice”
Bob -> Alice: “Bob”, Bob’s Certificate
Alice -> Bob: Prove it
Bob -> Alice: “Alice”+“Bob”, EK2B(hash(“Alice”+“Bob”))
Protocol 4
Alice -> Bob: Hello “Alice”
Bob -> Alice: “Bob”, Bob’s Certificate
Alice -> Bob: Prove it
Bob -> Alice: “Alice”+“Bob”, EK2B(hash(“Alice”+“Bob”))
Alice -> Bob: EK1B(KEY)
[all communications]: EKEY (message)
Discussed later
28
Man in the Middle
Without certificates, MITM attacks are possible on public key protocols
Certificate issuance, verification and Certificate Authority public key distribution form the underlying infrastructure of PKI
PKI = Public Key Infrastructure
Web of Trust can also be used
“Certificates” are covered after Digital Signatures
29
Digital Signatures
Digital Signatures are like real paper signatures, but much better
Properties include:
  Verifiably Authentic (with high degree of confidence)
  Unforgeable: Another person cannot sign
  Not reusable: Cannot lift signature from one document to another
  Unalterable: The signed document cannot be altered
  Non repudiable: The person signing cannot claim she did not sign it
Simple Signature Scheme
Alice signs a document: EK2A(DOCUMENT)
30
Digital Signatures
An electronic document can be signed
  E.g. a check via Email!
The document cannot be altered, forged, repudiated
Very powerful technique, much better than paper signatures
D = Document
H = Cryptographic Hash of D
S = Signature of H = EK2A(H)
D -> H -> S
31
Digital Certificates
Digital signatures and public key authentication assume you know a person’s public key
How do you know for sure?
A digital certificate is an ID card, with a person’s identity and public key and a “certificate authority’s” (CA) signature
  Can be verified
  Provides safe authentication
  Safe from most attacks, cannot be forged, cannot be misused
Digital certificate:
  Name and Information for Alice
  Alice’s Public Key
  Signature of Certificate Authority
32
Communication with Certificates
Certificates can be used to determine identity without any attack possibilities
  As long as the certificate authority is trusted
Since certificates are PKI based, key exchange is simple
  Protocol 4 (from earlier) is used
33
Message Authentication Codes
To preserve message integrity
Makes sure no one tampers with or replaces a message, and the sender is authenticated on every message
EKEY(message, EKEY( h (message)))
Added number of bits is small
34
Hierarchical Certificates
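[Diagram: certificate hierarchy. Root rCA above CA1, CA2, CA3. CA1 certificate: CA1 Pub Key, rCA Sig. Alice certificate: Alice Pub Key, CA1 Sig, shown with the CA1 certificate (CA1 Pub Key, rCA Sig).]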
35
Attacks on Public Keys
Alice meets Bob and knows his public key
Alice sends a random number to Bob for challenge response and Bob encrypts the number using private key and returns
Alice can fool Bob into decrypting documents, signing documents
Alice sends Bob a “good document”
Bob signs and returns
Alice can fool Bob into signing a “bad document”
  Birthday Attack
36
Birthday “Paradox”
There are N people in a room.
What is the probability that two people have the same birthday?
37
Match Probabilities
Choose a number (0..9)
Now pick a number at random, what is the probability of getting the chosen number?
Try Fail Success
1 0.90 0.1
2 0.81 0.19
3 0.73 0.27
4 0.66 0.34
5 0.59 0.41
6 0.53 0.47
7 0.48 0.52
8 0.43 0.57
9 0.39 0.61
10 0.35 0.65
Pick numbers at random (0..9)
What is the probability that you get two numbers with same value?
Try Fail Success
1 0.9000 0.1000
2 0.7200 0.2800
3 0.5040 0.4960
4 0.3024 0.6976
5 0.1512 0.8488
6 0.0605 0.9395
7 0.0181 0.9819
8 0.0036 0.9964
9 0.0004 0.9996
10 0.0000 1.0000
38
How to do a Birthday Attack
Create a Good Document
Create a Bad Document
“Perturb” or change the documents a million+ times
Hash them and see if there is a match between a good document and bad document
With 80 bit hashes, chances are quite high
Moral: Use 160 bit hashes
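The arithmetic behind the two Match Probabilities tables and the 80 bit versus 160 bit moral, as an added example that is not from the original slides. It reproduces both tables, measures how soon a repeat appears in SHA-256 truncated to 24 bits (counter inputs, constructed for the example), and applies the standard birthday bound to hash lengths; the results for 80 and 160 bits land next to the 2^40 and 2^80 rows of the Large Numbers table. Function names are assumptions.

```python
import hashlib
import math

def fixed_target_fail(tries, space=10):
    """First table: P(none of `tries` picks equals the one chosen number)."""
    return (1 - 1 / space) ** tries

def any_pair_fail(tries, space=10):
    """Second table: P(all values still distinct) after one initial pick
    plus `tries` further picks."""
    p = 1.0
    for i in range(1, tries + 1):
        p *= (space - i) / space
    return p

def log2_hashes_for_collision(bits, prob=0.5):
    """Birthday bound: about sqrt(2 * 2^bits * ln(1/(1-prob))) random hashes
    give a collision with probability `prob`. Returned as a power of two."""
    return bits / 2 + 0.5 * math.log2(2 * math.log(1 / (1 - prob)))

def first_collision(bits):
    """Hash the counters 0, 1, 2, ... with SHA-256 truncated to `bits` bits
    and return how many hashes were computed when the first repeat appears."""
    seen = set()
    count = 0
    while True:
        digest = hashlib.sha256(str(count).encode()).digest()
        value = int.from_bytes(digest, "big") >> (256 - bits)
        count += 1
        if value in seen:
            return count
        seen.add(value)

if __name__ == "__main__":
    for k in range(1, 11):
        print(k, f"{fixed_target_fail(k):.2f}", f"{any_pair_fail(k):.4f}")
    print(first_collision(24), "hashes until a 24 bit repeat; 2^12 =", 2 ** 12)
    for bits in (80, 160):
        print(bits, "bit hash: about 2^%.1f hashes" % log2_hashes_for_collision(bits))
```
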
39
The final PKI lesson
Never encrypt something that was given to you with your private key and let others know the result. Change it first.
Never sign something that was given to you. Change it first.
40
Other Protocols
Cryptographic Protocols exist for:
  Timestamping
  Group communication
  Group signatures
  Secret sharing, secret splitting
  Secure multiparty computations
  Blinding and “cut and choose”
  Coin tossing, card dealing
  Secure electronic elections
  Digital cash and micropayments
  Many more