Applied Cryptography Spring 2015

Upload: marina-exley

Post on 14-Jan-2016


Page 1: Applied Cryptography Spring 2015. Lecture times Thursdays14:30-16:00room 413 16 lectures Some changes are possible (but hopefully, not too many)

Applied Cryptography

Spring 2015

Lecture times

Thursdays 14:30-16:00 room 413

16 lectures

Some changes are possible (but hopefully, not too many).

Requirements

Attend lectures (if you want to)

Collect at least 20 points

2 practical assignments, 20 points each

Written exam, 20 points

Any of the above is optional

The grade will be calculated (approximately) as follows:

Grade 10: 56-60 points

Grade 9: 52-55 points

Grade 8: 46-51 points

Grade 7: 39-45 points

Grade 6: 32-38 points

Grade 5: 24-31 points

Grade 4: 20-23 points

Problems covered

Text encryption/decryption

  Ciphers

Digital signatures

  Hash functions (used also for authentication)

  Digital signature algorithms

Protocols

  Key generation and exchange

  Certificates

Some real cryptographic systems

  SSL and TLS standards (+ some others), email security

  Smartcards, EMV, data authentication

  GSM and cryptography, DVD "protection" etc

Security of encryptions. Some attacks

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers

Symmetric vs. asymmetric cryptography

Symmetric ciphers – sender and recipient use the same key

$D_{\text{key}}(E_{\text{key}}(m)) = m$

Substitution cipher is an example of a symmetric cipher

Impractical for big systems – number of keys is quadratic in the number of users

The solution – asymmetric algorithms. Think of a locked mailbox!

Different keys for encryption and decryption

$D_{\text{private key}}(E_{\text{public key}}(m)) = m$

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution

Simple example – substitution cipher

The key is a permutation of the letters of the alphabet, i.e. a bijection $E$

Encryption is performed by replacing each letter with its corresponding letter

Decryption is the same as encryption with the difference that the inverse $E^{-1}$ is used

Substitution cipher – example

ABCDEFGHIJKLMNOPQRSTUVWXYZ

UWGRPNQSBJXMECAIZOYTDFHKLV

Example: Encrypt MY DOG ATE YOUR CAT using the key

Breaking the substitution cipher

Substitution ciphers are easily broken using frequency analysis

We use the fact that different letters (or combinations of letters) occur with different probabilities

Example – break

TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ

Frequency of letters in English: ETAOINSHRDLU

Most common two letter words: OF TO IN IS IT BE BY HE AS ON AT OR AN SO IF NO
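The substitution cipher and the frequency-analysis idea from the two slides above, as an added example (not part of the original lecture). It uses the key row and the exercise ciphertext from the slides; the function names and the starting guess `FIRST_GUESS` are assumptions made for this illustration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
SLIDE_KEY = "UWGRPNQSBJXMECAIZOYTDFHKLV"   # key row from the slide: A->U, B->W, ...
EXERCISE = "TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ"   # ciphertext from the slide


def make_tables(key):
    """Return (encrypt, decrypt) translation tables for a permutation key."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z (a bijection)")
    return str.maketrans(ALPHABET, key), str.maketrans(key, ALPHABET)


def encrypt(plaintext, key=SLIDE_KEY):
    """Replace each letter with its image under the key."""
    return plaintext.upper().translate(make_tables(key)[0])


def decrypt(ciphertext, key=SLIDE_KEY):
    """Same operation with the inverse permutation."""
    return ciphertext.upper().translate(make_tables(key)[1])


def letter_counts(text):
    """Letters of the text ordered from most to least frequent."""
    return Counter(ch for ch in text if ch in ALPHABET).most_common()


def apply_guess(ciphertext, guess):
    """Decrypt with a partial key; letters not guessed yet are shown as '_'."""
    return "".join(guess.get(ch, "_") if ch in ALPHABET else ch
                   for ch in ciphertext)


# Starting guess (an assumption of this example): T, K and L are the most
# frequent ciphertext letters, "TK" occurs twice as a two-letter word and
# "TBL" is a three-letter word, which fits TO and THE from the slide's hints.
FIRST_GUESS = {"T": "T", "K": "O", "L": "E", "B": "H"}

if __name__ == "__main__":
    print(encrypt("MY DOG ATE YOUR CAT"))
    print(letter_counts(EXERCISE)[:3])
    print(apply_guess(EXERCISE, FIRST_GUESS))
```

The exercise ciphertext is treated as encrypted under an unknown key; four guessed letters already expose most of the word structure, which is why the cipher gives no real protection.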

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR

Vigenère cipher (poly-alphabetic)

Example:

Encryption key - string of n characters, e.g. "gold"

We represent it with numbers corresponding to symbols from the alphabet - (6,14,11,13)

To encrypt the i-th symbol from a block of length n, we add to it the i-th number from the key (modulo the size of the alphabet)

Vernam cipher (XOR)

Message: $m_1, \ldots, m_n$ (n bits)

Key: $k_1, \ldots, k_n$ (n bits)

Ciphertext: $c_1, \ldots, c_n$, where $c_i = m_i \oplus k_i$

Vigenère cipher and one time pads

Apart from the secure key distribution problem, the Vigenère cipher is unbreakable if the key is not shorter than the encrypted text and each key is used only once (a so-called one-time pad)
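Why the "used only once" condition matters, as an added example that is not part of the original lecture: a Vernam (XOR) cipher over bytes, and what an eavesdropper learns when one key encrypts two messages. The two messages are constructed sample data and all function names are assumptions of this example.

```python
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def vernam(message, key):
    """c_i = m_i XOR k_i; applying the same key again decrypts."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must not be shorter than the message")
    return xor_bytes(message, key[:len(message)])


def differing_positions(leak):
    """Indexes where two plaintexts differ, read off c1 XOR c2 alone."""
    return [i for i, b in enumerate(leak) if b != 0]


def demo_key_reuse():
    """Encrypt two constructed messages under the SAME key (the mistake)."""
    m1 = b"TRANSFER 100 EUR TO ALICE"   # constructed sample message
    m2 = b"TRANSFER 900 EUR TO CAROL"   # constructed sample message
    key = secrets.token_bytes(len(m1))  # random key as long as the message
    c1, c2 = vernam(m1, key), vernam(m2, key)
    # The key cancels out: c1 XOR c2 == m1 XOR m2, no key needed.
    leak = xor_bytes(c1, c2)
    return m1, m2, key, c1, c2, leak


if __name__ == "__main__":
    m1, m2, key, c1, c2, leak = demo_key_reuse()
    print("positions where the plaintexts differ:", differing_positions(leak))
    # Anyone who knows or guesses m1 obtains m2 without the key.
    print(xor_bytes(leak, m1))
```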

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR DES, IDEA, AES etc (symmetric)

Data Encryption Standard (DES)

[From Andre L. M. dos Santos]

Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA)

First call for candidates in May 73, followed by a new call in August 74

Not very many submissions (Why?)

IBM submitted Lucifer

NSA worked with IBM in redesigning the algorithm

Data Encryption Standard (DES)

Key length: 56 + 8 parity bits = 64 bits

8 bits are used for parity check. Why is that? To make it 265 times less secure! Read the "Why 56 bits?" section in the textbook.

How secure is DES? In 1998 a $150K machine could break the key in 5 days! For added security, triple DES is 256 more secure.

[From Ravi Mukkamala]

Enciphering Computation

DES

[From Sai Kovvuri]

[From Henric Johnson]

DES

Feistel ciphers

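[Figure: one round of a Feistel cipher, with inputs $L_{i-1}$ and $R_{i-1}$, key $K$, round function $f(R_{i-1}, K)$, a + (XOR) node, and outputs $L_i$ and $R_i$]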

AES - Single round

Time to break a code ($10^6$ decryptions/µs)

[From Henric Johnson]

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric)

Asymmetric cryptography

Each user has a public and a private key

The public key is published in a “phone book”

The private key is kept secret

Messages encrypted with the public key can be decrypted with the private key

To send a message to Mårten, look up Mårten’s public key in the “phone book”.

Mårten can then decrypt the message with his private key

Number of keys is linear in the number of users

RSA

Asymmetric cryptographic algorithm published in 1978 (Rivest, Shamir, Adleman)

The most popular asymmetric algorithm used today

Now free to use – patent expired in 2000

Relies on the hardness of factoring a number consisting of two primes

Actually invented by Cocks (from UK) in 1973, unfortunately the work was classified...

Public-key cryptosystems

P: * * public key

S: * * secret key

For an arbitrary message M* we must have:

• M = S(P(M)), and

• M = P(S(M))

Public-key cryptosystems - Encryption

[Adapted from T.Cormen, C.Leiserson, R. Rivest]

The RSA public-key cryptosystem

p, q - two large primes (100 digits or more)

n = pq

e - small odd integer that is relatively prime to (p – 1)(q – 1)

d - integer such that $de \equiv 1 \pmod{(p-1)(q-1)}$ (it can be shown that it always exists)

P = (e,n) - public key

S = (d,n) - secret key

Encoding: $P(M) = M^e \pmod{n}$

Decoding: $S(C) = C^d \pmod{n}$

It works!

RSA - Correctness

n = pq

e - odd and relatively prime to (p – 1)(q – 1)

d - such that $de \equiv 1 \pmod{(p-1)(q-1)}$

$P(M) = M^e \pmod{n}$, $S(C) = C^d \pmod{n}$

$P(S(M)) = S(P(M)) = M^{ed} \pmod{n}$, $ed = 1 + k(p-1)(q-1)$

$M \not\equiv 0 \pmod{p} \Rightarrow M^{ed} \equiv M (M^{p-1})^{k(q-1)} \equiv M (1)^{k(q-1)} \equiv M \pmod{p}$

$M \equiv 0 \pmod{p} \Rightarrow M^{ed} \equiv M \pmod{p}$

RSA - Correctness

$M^{ed} \equiv M \pmod{p}$

$M^{ed} \equiv M \pmod{q}$

Thus $M^{ed} \equiv M \pmod{n}$

RSA - Complexity

Encoding: $P(M) = M^e \pmod{n}$

Decoding: $S(C) = C^d \pmod{n}$

Breaking RSA

If we can factor n we can break RSA

Suppose we know p, q such that pq = n

We can compute (p – 1)(q – 1)

It is now trivial to compute $d = e^{-1} \bmod ((p-1)(q-1))$

The largest number that is (publicly) known to have been factored today is 512 bits

As of 2005 the largest number factored by general-purpose methods was 663 bits long

Breaking RSA

If we can factor n we can break RSA

As of 2005 the largest number factored by general-purpose methods was 663 bits long

RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future.

Other attacks exist for certain uses of RSA
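The RSA definitions, the correctness claim and the "factor n, then compute d" argument from the slides above, carried through on toy numbers as an added example (not from the original lecture). The primes 61 and 53, the exponent 17 and all function names are assumptions chosen for illustration; real keys use primes of hundreds of digits and padded messages.

```python
from math import gcd, isqrt


def make_keypair(p, q, e):
    """Return (P, S) = ((e, n), (d, n)) as defined on the slide."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # d with d*e = 1 mod (p-1)(q-1); Python 3.8+
    return (e, n), (d, n)


def apply_key(key, x):
    """P(M) = M^e mod n or S(C) = C^d mod n, depending on the key passed."""
    exponent, n = key
    return pow(x, exponent, n)


def factor_by_trial_division(n):
    """Feasible only because the toy modulus is tiny."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("n is prime")


def private_key_from_public(public_key):
    """Once n is factored, d follows from the public key alone."""
    e, n = public_key
    p, q = factor_by_trial_division(n)
    return make_keypair(p, q, e)[1]


PUBLIC, PRIVATE = make_keypair(61, 53, 17)   # toy parameters (assumption)

if __name__ == "__main__":
    c = apply_key(PUBLIC, 65)
    print("ciphertext of 65:", c)
    print("decrypted:", apply_key(PRIVATE, c))
    print("d recovered from (e, n):", private_key_from_public(PUBLIC)[0])
```

The round trip holds for every M below n, including multiples of p or q, which is the second case in the correctness proof.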

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric)

Stream ciphers and block ciphers

Block ciphers

A block cipher B is an encryption function $E_{\text{key}}: \{0,1\}^k \to \{0,1\}^l$ and a decryption function $D_{\text{key}}: \{0,1\}^l \to \{0,1\}^k$ such that $D_{\text{key}}(E_{\text{key}}(m)) = m$.

The value k is called block length. Usually k = l.

Commonly used block ciphers include DES, 3DES and IDEA.

[Figure: n bits of clear (plain) text are turned into cipher text under a Key]

Stream ciphers

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric)

Stream ciphers and block ciphers Chaining

Chaining ciphers - ECB

What happens when the clear text is longer than the block length k?

The simplest solution: encrypt each block separately.

This mode is called ECB, Electronic Code Book

[Figure: each clear text block is passed through Enc with the same Key to give one cipher text block]

[From Mårten Trolin]

Chaining ciphers - CBC

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use?

Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric)

Stream ciphers and block ciphers Chaining Libraries of cryptographic functions

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use? Stream ciphers and block ciphers Chaining Libraries of cryptographic functions

Digital signatures Hash functions

MD5, SHA-1 etc

Public-key cryptosystems - Digital signature

[Adapted from T.Cormen, C.Leiserson, R. Rivest]

Unix passwords

httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh

guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh

oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh

mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh

Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh

Initially, Unix passwords were up to 8 characters long and were encrypted with the one-way hash function crypt(3).

Are they safe?

Properties of good hash functions

Let H be a hash function

One-way: given x, unfeasible to compute a v such that H(v) = x

Collision-free: unfeasible to find $x_1$ and $x_2$ such that $H(x_1) = H(x_2)$ and $x_1 \neq x_2$

MD5 Message Digest Algorithm

[From H. Yoon]

Step 1: Append padding bits

Padded so that its bit length $\equiv 448 \pmod{512}$ (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits)

Padding is always added, even if the message is already of the desired length (1 to 512 bits)

Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits)

MD5 Message Digest Algorithm

[From H. Yoon]

Step 1: Append padding bits

Step 2: Append length

64-bit length: contains the length of the original message modulo $2^{64}$

The expanded message is $Y_0, Y_1, \ldots, Y_{L-1}$; the total length is $L \times 512$ bits

The expanded message can be thought of as a multiple of 16 32-bit words

Let M[0 … N-1] denote the words of the resulting message, where $N = L \times 16$
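Steps 1 and 2 and the word array M[0 … N-1] from the two slides above, as an added example (not from the original lecture). It assumes the message is a whole number of bytes and uses MD5's little-endian byte order; the function names are chosen for this illustration.

```python
import struct


def md5_pad(message: bytes) -> bytes:
    """Return the expanded message Y_0 ... Y_{L-1} (a multiple of 64 bytes)."""
    bit_length = (8 * len(message)) % 2**64      # original length modulo 2^64
    # Step 1: a single 1-bit (0x80 as a byte), then 0-bits until the length
    # is 448 mod 512 bits, i.e. 56 mod 64 bytes. At least one byte of padding
    # is always added, even if the message already has that length.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    # Step 2: append the 64-bit length, low-order byte first.
    return padded + struct.pack("<Q", bit_length)


def md5_words(message: bytes):
    """Return M[0 ... N-1], the expanded message as 32-bit little-endian words."""
    padded = md5_pad(message)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def block_count(message: bytes) -> int:
    """L, the number of 512-bit blocks the compression function will process."""
    return len(md5_pad(message)) // 64


if __name__ == "__main__":
    for size in (0, 55, 56, 64):
        print(size, "bytes ->", block_count(b"a" * size), "block(s)")
    words = md5_words(b"abc")
    print([hex(w) for w in words[:2]], "...", words[14], words[15])
```

A 55-byte message still fits in one block, while a 56-byte message already needs a second block because the padding and the 64-bit length no longer fit.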

MD5 Message Digest Algorithm

MD5 processing of a single 512-bit block

(MD5 compression function)

[From H. Yoon]

SHA-3 - Keccak

The sponge construction for hash functions. $p_i$ are input, $z_i$ are hashed output. The unused "capacity" c should be twice the desired resistance to collision or preimage attacks.

Designed by: G.Bertoni, J.Daemen, M.Peeters, G.Assche.

Built upon RadioGatún.

Selected as SHA-3 on 2.10.2012.

Hash sizes: 224, 256, 384, 512

Problems covered

Text encryption/decryption Ciphers

Symmetric and asymmetric ciphers Which ciphers to use? Stream ciphers and block ciphers Chaining Libraries of cryptographic functions

Digital signatures Hash functions

MD5, SHA-1 etc

Digital signature algorithms (DSA etc)

Digital signature algorithm - DSA

Problems covered

Text encryption/decryption Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange

What is a protocol?

Protocol - a series of steps, involving two or more parties, designed to accomplish a task.

For cryptographic protocols:

— It should not be possible to do more or learn more than what is specified in the protocol

Types of protocols

Communications using symmetric cryptography

(1) Alice and Bob agree on a cryptosystem.

(2) Alice and Bob agree on a key.

(3) Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message.

(4) Alice sends the ciphertext message to Bob.

(5) Bob decrypts the ciphertext message with the same algorithm and key and reads it.

Communications using public-key cryptography

(1) Alice and Bob agree on a public-key cryptosystem.

(2) Bob sends Alice his public key.

(3) Alice encrypts her message using Bob’s public key and sends it to Bob.

(4) Bob decrypts Alice’s message using his private key.

Problems covered

Text encryption/decryption Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange Certificates

Digital Certificates

A digital identity document binding a public-private key pair to a specific person or organization

Verifying a digital signature only proves that the signer had the private key corresponding to the public key used to decrypt the signature

This does not prove that the public-private key pair belonged to the claimed individual

We need an independent third party to verify the person’s identity (through non-electronic means) and issue a digital certificate

[Adapted from Information Security Group, ICU]

Public Key Certificate (EMV)

[Figure: Public Key Certificate, EMV formatting]

Certificate Core: general information about the user and the application

Public Key, Public Key Remainder: user’s public key (including remainder)

Signature (decryption) by a Trusted Third Party

Hash Result: hash of data

[From M.Ganley]

Digital Certificates

[Adapted from Information Security Group, ICU]

[Figure labels: Internet Digital Wallet, Cyber Shopping Mall, Payment System, Certificate Authority; customer, merchant, bank, authority]

Problems covered

Text encryption/decryption Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange Certificates

Some real cryptographic systems SSL and TLS standards (+ some others)

SSL – establishing communications

Problems covered

Text encryption/decryption Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange Certificates

Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication Electronic voting systems (or their absence :) (???)

What are "smart cards"?

• 8 (16, 32) bit CPU

• Often at 3.5795 or 4.9152 MHz

• RAM: 128 bytes - 16 Kbytes

• ROM: 1 - 32 Kbytes

  • Contains the code

• EEPROM: 1 - 32 Kbytes

  • Contains the data

  • A small part are OTP (One Time Programmable) bytes

• Optional: Random Noise Generation, sensors, security logic, Modular Exponentiations Unit or Co-processor

EMV – Europay, MasterCard, Visa

Necessary to have standards for smart-cards

  Physical size

  Electrical connection

  API for payment applications

Any smart-card must be usable anywhere

Europay, MasterCard and Visa have created specifications named EMV for this purpose

Smart-card transaction flow

[Figure: message flow between Card, Terminal, Acquirer and Issuer]

Card – terminal interaction

On-line authorization (conditional)

Card – terminal interaction (if after online authorization)

Transaction data transfer (possibly including declined transactions’ info)

Problems covered Text encryption/decryption

Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange Certificates

Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication GSM and cryptography, DVD "protection" etc

GSM security

[Figure: GSM network elements: Radio Base Station (RBS), Base Station Controller, MSC, SGSN]

CS - Confidentiality: A5/1, A5/2, A5/3 (new, open)

GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open)

Authentication: A3 Algorithm

[From M.Näslund]

54 bits is the effective key length of the A5/1 algorithm. 40 bits is the effective key length of the GEA algorithm. Both algorithms employ (“ineffective”) 64-bit keys.

DVD data encryption

[From D.Touretzky]

DVD - authentication

[From G.Kesden]

Key revocation - subset difference scheme

Problems covered Text encryption/decryption

Ciphers

Digital signatures Hash functions Digital signature algorithms

Protocols Key generation and exchange Certificates

Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication GSM and cryptography, DVD "protection" etc

Security of encryptions. Some attacks

Textbooks

Bruce Schneier

Applied Cryptography: Protocols, Algorithms, and Source Code in C

John Wiley & Sons 1996

Textbooks

Wenbo Mao

Modern Cryptography: Theory and Practice

Prentice Hall, 2003

Textbooks

Niels Ferguson, Bruce Schneier

Practical Cryptography

Wiley Publishing Inc 2003

Textbooks

Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone

Handbook of Applied Cryptography

CRC Press 1996

Textbooks

Stephen Thomas

SSL and TLS Essentials: Securing the Web

Wiley Publishing Inc. 2000

Textbooks

Eric Rescorla

SSL and TLS: Designing and Building Secure Systems

Addison-Wesley 2001

Textbooks

Jason Weiss

Java Cryptographic Extensions

Morgan Kaufmann Publishers 2004

Web page(s)

http://susurs.mii.lu.lv/juris/courses/ac2015.html

It is expected to contain:

short summaries of lectures

power point presentations

problems for programming assignments/project

your grades (???)

other relevant information (exam dates, changes in lecture times etc)

Web page(s)

http://susurs.mii.lu.lv/juris/courses/ac2015.html

Course material also available as e-course:

https://estudijas.lu.lv/login/index.php

The original lectures by Mårten Trolin (Spring 2003) are available on DVD

Contact information

Juris Vīksna

Room 421, Rainis boulevard 29

email: [email protected]

phone: +371-67213716