1

Part 3: Cryptography

Large Numbers Random Numbers Cryptographic Hashes Symmetric Encryption Asymmetric Encryption (public keys) Digital Signatures Digital Certificates Protocols

2

Why Cryptography?

Authenticate humans and devices Communication is private Data storage can be made private Certificates make no use of shared secrets All the technologies are open, trusted, well known and

proven Software can be “attested” All known network attacks do not work against

cryptographically secure communications Except Denial of Service

3

Cryptography?

Cryptography provides “strong” techniques for Privacy Authentication Non-repudiation Un-forge-ability

Most cryptography schemes are based on Cryptographic Hashes Symmetric encryption Public Key Encryption Digital Signatures

Public Key Encryption is the solution to the problem of shared secrets

And much more

4

Large Numbers

210 1,024

220 1,048,576

230 1,073,741,824

240 1,099,511,627,776 1 sec

250 1,125,899,906,842,620 17 mins

260 1,152,921,504,606,850,000 291 days

270 1,180,591,620,717,410,000,000 68 years

280 1,208,925,819,614,630,000,000,000 69,731 years

290 1,237,940,039,285,380,000,000,000,000 71,404,104 years

2100 1,267,650,600,228,230,000,000,000,000,000 73,117,802,169 years

Time to crack a key, if 1 trillion keys can be tested in 1 sec

Total Number of Atoms on Earth: 2^160

5

Random Numbers

Cryptographically Secure Random Numbers (CSR) Can be generated by pseudo-random-number-generators

(CSRPRNG)

Two 128 bit random numbers cannot be the same Will happen once in 1015 million years (!) Birthday Paradox: may happen as soon as 107 years

Used to generate keys, identifications Cannot guess random numbers

Ok, maybe 1 in 1015 million years

One in every “few thousand” numbers are prime

6

Cryptographic Hashes

A hash of a document is a fixed sized number (also called message digest) produced by some hashing algorithm (MD5, SHA-1)

No two documents can have the same hash Surprising, but with high level of confidence Slight changes in a document causes large changes in the hash

A hash of any data can be used as a “fingerprint” of that data

HDocument hash

7

Hash collisions

Thought to be impossible Only one known so far for a “good” algorithm

MD5 hash collision

8

Symmetric Encryption

Same key for encryption and decryption, Ek(Ek(m)) = m

Used for privacy

Many “unbreakable” schemes exist

Open algorithms are the best DES, 3DES, IDEA, AES

Key exchange a major problem (shared secret)

EPlaintext: m

Ciphertext: Ek(m)

Key: k

m

k

E

9

Asymmetric Encryption

Also known as Public Key Encryption Different keys for encryption and decryption, Ek2(Ek1(m)) = m Very varied applications Key exchange is trivial

Em

Ek1(m)

Public key: k1

m

Private key: k2

E

Note:

k1 and k2 are unrelated, yet related

Cannot find k2 if k1 is given

But there is only one k2, given a k1

My convention: K1A = Alice’s Public Key, K2A = Alice’s Private Key

10

Cryptanalysis

Breaking encryption using many different techniques, rather than “Brute Force”

Known Ciphertext Attack Known Plaintext Attack Chosen Plain text attack Adaptive chosen plaintext attack Differential Cryptanalysis Linear Cryptanalysis

11

Steganography

Hiding data in data, in some obscure way

LSB of pictures First letter of each paragraph

Security via obscurity Has some important advantages,

specially when steganography is combined with cryptography

By removing all but the last 2 bite of each color component, an almost completely black image results. Making the resulting image 85 times brighter results in the second image

12

Kerkhoff’s Principle

Paraphrased, the set of six rules imply:

The security of a cryptosystem must depend on the key and not the encryption algorithm. The algorithms must be widely known.

Almost all known situations where the algorithm was kept secret, have been “broken”

Enigma DVD encryption GSM encryption RFID encryption (not secret, but deployed quickly): WiFi encryption (WEP)

13

Pitfalls of Proprietary Algorithms

Proprietary algorithms violate Kerkhoff’s principle, even if the designers did not want to violate the principle

Designers of cryptosystems fail to see its flaws Even without knowing the cipher, the ciphers are broken Open standards are very important in cryptography, they

algorithms must be scrutinized heavily

14

Substitution Ciphers

Substitute a letter with another letter

Caesar Cipher Mono alphabetic Very easy to break

Vigenere Cipher Poly alphabetic Took 300 years to break Kasiski Attack Now we know it is easily

breakable

Vigenere Cipher Table

A B C D E F G H I J K L M N O P

A A B C D E F G H I J K L M N O P

B B C D E F G H I J K L M N O P Q

C C D E F G H I J K L M N O P Q R

D D E F G H I J K L M N O P Q R S

E E F G H I J K L M N O P Q R S T

F F G H I J K L M N O P Q R S T U

G G H I J K L M N O P Q R S T U V

H H I J K L M N O P Q R S T U V W

I I J K L M N O P Q R S T U V W X

J J K L M N O P Q R S T U V W X Y

K K L M N O P Q R S T U V W X Y Z

15

Unbreakable Cipher

Unconditionally secure Cannot be broken with brute force ONE TIME PAD Not practically usable either

16

Block and Stream Ciphers

Block Cipher:N bit block of data is encrypted with N bits of key to produce N bits of output

DES, AES, IDEA Most of the current ciphers

Stream Cipher Works one bit at a time of

plaintext Good for hardware

implementations RC4, SEAL

Encrypter

State Machine

Plaintext

Plaintext

Key

Ciphertext

Key

Ciphertext

17

DES

Data Encryption Standard (DES) was created in after a NIST issued RFP in 1973, which culminated in the winner “Lucifer”. Lucifer was modified by NSA to yield DES

Plaintext -> Initial Permutation -> 16 rounds -> final permutation ->Ciphertext

S-BOX: Confusion P-BOX: Permutation

18

DES “Round”

L R Key

Key’L’ R’

P-Box

S-Box

Expansion

shift shift

Compression

5232 32

48

32

48

PBOX

0: 16 1: 72: 203: 214: 295: 126: 287: 178: 19: 15 10: 23 11: 26 12: 5 13: 18 14: 31

SBOX

0: 14 1: 42: 133: 14: 25: 156: 117: 88: 39: 10 10: 6 11: 12 12: 5 13: 9 14: 0

19

Crypto Protocols

Cryptographic Protocols are “self enforcing” protocols As opposed to arbitrated or adjudicated protocols

They are used for: Privacy, Integrity, Authentication, Non-repudiation, Access Control, Anonymity Time stamping Voting Cash …and much more

20

Coin Tossing

Alice and Bob wants to toss a coin, on the telephone

Alice chooses a random number R Alice sends to Bob an N bit

cryptographic hash(R) Bob guesses even or odd Alice send Bob R

How does that work? It does, and there are many more coin

toss protocols

21

Communication

Symmetric Key Communication Alice and Bob agrees on a key K Alice sends Bob a message M encrypted in K

using algorithm E

A -> B Ek(M) Bob decrypts message: Dk(Ek(M)) = M

B->A Ek(M) Alice decrypts message: Dk(Ek(M)) = M

How does Alice and Bob exchange K? “key exchange”

22

Key Exchange

Diffie Helman Key Exchange Public Key based Key exchange

Bob sends the communication key S (session key) to Alice, encrypted in Alice’s public key

No one other than Alice can find the session key

Can be done over insecure networks Vulnerability: Man in the middle

attacks Solution: Use digital certificates

Alice

Bob

Bob

Alice

K1A

EK1A(S)

K1A = Alice’s Public Key, K2A = Alice’s Private Key

23

Authentication

Bob sends a challenge to Alice Challenge = random number

Alice responds with the number, encrypted in Alice’s private key

Bob knows Alice’s public key, hence decrypts the response and finds it’s the same as the random number she sent

No one other than Alice can do this Alice never exposes the private key

Public Key = User ID Private Key = Password

NO LEAKAGE POSSIBLE!

Alice

Bob

Bob

Alice

R

EK2A(R)

24

RSA

Rivest Shamir Adelman: Patented in 1983, expired in 2000

Based on difficulty of factorization

Choose two large random prime numbers p and q,

Compute n = p*q

Compute φ(n) = (p-1)(q-1)

Choose an integer e, such that e, is coprime to φ(n)

-- e, is released as the public key

Compute d, to satisfy (d*e) mod φ(n) = 1

-- d, is kept as the private key

25

RSA

Encryption (of message m)

(m)e mod n

Decryption (of cipher m’)

(m’)e mod n

RSA property

((m)e)d mod n = m

26

Secure Hybrid Communication

Protocol 1

Alice -> Bob: Hello “Alice”

Bob -> Alice: “Alice”+”Bob”, EK2B(hash(“Alice”+”Bob”))

Protocol 2

Alice -> Bob: Hello “Alice”

Bob -> Alice: “Bob”, K1B

Alice -> Bob: Prove it

Bob -> Alice: “Alice”+”Bob”, EK2B(hash(“Alice”+”Bob”))

K1A = Alice’s Public Key, K2A = Alice’s Private Key

27

Secure Hybrid Communication

Protocol 3Alice -> Bob: Hello “Alice”Bob -> Alice: “Bob”, Bob’s CertificateAlice -> Bob: Prove it

Bob -> Alice: “Alice”+”Bob”, EK2B(hash(“Alice”+”Bob”))

Protocol 4Alice -> Bob: Hello “Alice”Bob -> Alice: “Bob”, Bob’s CertificateAlice -> Bob: Prove it

Bob -> Alice: “Alice”+”Bob”, EK2B(hash(“Alice”+”Bob”))

Alice -> Bob: EK1B(KEY)

[all communications]: EKEY (message)

Discussed later

28

Man in the Middle

Without certificates MITM attacks possible on public key protocols

Certificate issuance, verification and Certificate Authority public Key distribution forms the underlying infrastructure of PKI

PKI = Public Key Infrastructure

Web of Trust can also be used

“Certificates” are covered after Digital Signatures

29

Digital Signatures

Digital Signatures are like real paper signatures, but much better

Properties include: Verifiably Authentic (with high degree of confidence) Unforgeable: Another person cannot sign Not reusable: Cannot lift signature from one document to another Unalterable: The signed document cannot be altered Non repudiable: The person signing cannot claim she did not sign it

Simple Signature Scheme

Alice signs a document: EK2A(DOCUMENT)

K1A = Alice’s Public Key, K2A = Alice’s Private Key

30

Digital Signatures

An electronic document can be signed E.g. a check via Email!

The document cannot be altered, forged, repudiated

Very powerful technique, much better than paper signatures

D = Document

Cryptographic Hash of D

Signature of H = EK2A(H)

D H S

31

Digital Certificates

Digital signatures and public key authentication assumes you know a persons public key

How do you know for sure?

A digital certificate is a ID-Card, with a persons identity and public key and a “certificate authority’s” (CA) signature

Can be verified Provides safe authentication Safe from most attacks, cannot be forged, cannot be

misused

Name and Information

for Alice

Alice’s Public Key

Signature of Certificate Authority

Digital certificate

32

Communication with Certificates

Certificates can be used to determine identity without any attack possibilities

As long as the certificate authority is trusted

Since certificates are PKI based, key exchange is simple Protocol 4 (from earlier) is used

33

Message Authentication Codes

To preserve message integrity Makes sure no one tampers, or replaces and sender is

authenticated on every message

EKEY(message, EKEY( h (message)))

Added number of

bits is small

34

Hierarchical Certificates

CA1Pub Key

rCA Sig

rCA

CA3CA2CA1

AlicePub Key

CA1 Sig

Alice

CA1Pub Key

rCA Sig

35

Attacks on Public Keys

Alice meets Bob and knows his public key Alice send a random number to Bob for challenge response

and Bob encrypts the number using private key and returns

Alice can fool Bob into decrypting documents, signing documents

Alice sends Bob a “good document” Bob signs and returns Alice can fool Bob into signing a “bad document”

Birthday Attack

36

Birthday “Paradox”

There are N people in a room.

What is the probability that two people have the same birthday?

37

Match Probabilities

Choose a number (0..9)

Now pick a number at random, what is the probability of getting the chosen number?

Try Fail Success

1 0.90 0.1

2 0.81 0.19

3 0.73 0.27

4 0.66 0.34

5 0.59 0.41

6 0.53 0.47

7 0.48 0.52

8 0.43 0.57

9 0.39 0.61

10 0.35 0.65

Pick numbers at random (0..9)

What is the probability that you get two numbers with same value?

Try Fail Success

1 0.9000 0.1000

2 0.7200 0.2800

3 0.5040 0.4960

4 0.3024 0.6976

5 0.1512 0.8488

6 0.0605 0.9395

7 0.0181 0.9819

8 0.0036 0.9964

9 0.0004 0.9996

10 0.0000 1.0000

38

How to do a Birthday Attack

Create a Good Document Create a Bad Documents “Perturb” or change the documents a million+ times Hash them and see if there is a match between a good

document and bad document With 80 bit hashes, chances are quite high Moral: Use 160bit hashes

39

The final PKI lesson

Never encrypt something that was given to you with private key and let others know the result. Change it first.

Never sign something that was given to you. Change it first.

40

Other Protocols

Cryptographic Protocols exist for: Timestamping Group communication Group signatures Secret sharing, secret splitting Secure multiparty computations Blinding and “cut and choose” Coin tossing, card dealing Secure electronic elections Digital cash and micropayments Many more