Cryptography

ECT 582 – Winter 2004

Robin Burke

Discussion

Outline

Background Symmetric encryption Cryptographic attacks Public-key encryption Protecting message integrity Digital signatures Cryptographic software

Why cryptography?

Two rolesconfidentialityintegrity

Essential security propertiesespecially important on a public

network

Cryptography in History

Very oldprobably as old as writing

Hebrew ATBASH cipher500-600 BC

Julius Caesar's substitution cipher50-60 BC

Basic idea

Plaintext (P) message to send

Alice sender

Bob recipient

Eve eavesdropper

Ciphertext (C) scrambled version of the message

Algorithm technique for turning P into C (and back)

How it works

The algorithm f is a secretshared by A and B

ProcessA computes f(P) = CTransmits C to BB computes f'(C) = PE doesn't know the secret

Problem

Secret algorithms hard to develop Once disclosed

all messages readable

Better solution

f is a function of two valuesf(k, P) = C

Usually reversiblef' (k, C) = P

k = the secret key

Symmetric encryption

Alice and Bob perform the same operationsame key k

BenefitsAlgorithm doesn't have to be secretDisclosure of one key leaves other

message still protected

New problem

Shared secretAlice and Bob need to know k

Why can't Alice encrypt k and send it to Bob?

Attacks

confidentiality Brute force

try every possible key Cryptanalysis

use properties of encrypted message to narrow range of possible keys

Cryptographic algorithms

Very difficult to develop Existing algorithms

DES• obsolete

Triple DES RCx AES IDEA Blowfish

Differences

Key sizeVariableFixed size

Proprietary vs open History Cryptographic strength

The Real Issue

Plaintext contains information Ciphertext should "look random"

no information for cryptanalysis How to do this

spread the information arounduse the key as a seed for a complex

pattern

Brute force effort

We assume that keys are chosen randomlyall bit patterns equally likely

Three bit key23 = 8 possibilities from 000 to 111

How long to guess?on average 4 guesses will be enough

Key Size

Larger key protects against a brute force attack56 bits = 72 quintillion keys

But"Deep Crack" 90 billion keys / sec.distributed.net 250 billion keys / sec.

Key Space

Whole key space isn't used?less space to searchthis can make a big difference

Passwords = poor keyspaceCan only use keyboard charactersPeople often use only a fraction of that

Sharing Secret Data

How do A and B agree on k? Need an alternative secure channel

Solvable for spiesUnsolvable for the Internet

Public-key encryption

asymmetricone key to encipheranother to decipher

A pair of functionsf1 (k1, P) = Cf2 (k2, C) = P

Public key = k1

Private key = k2

What's the big deal?

Shared secret no longer needed k1 can be divulged to the world

All it can do is encrypt k2 must be secret

Encryption mode

Alice gets Bob's public key b1

Alice computes f1 (b1, P) = C Bob receives C Bob computes f2 (b2, C) = P

Authentication mode

Alice computes f2 (a2, P) = C Bob computes f1 (a1, C) = P

anyone could do this No privacy

but identifies originonly Alice could have encoded C

Public-key algorithms

Very, very difficult to create Algorithms

Diffie-Helman / ElGamalRSAElliptic curve

RSA

Select e Select p and q

primep-1 and e have no common divisorsq-1 and e also

public modulus n = pq private modulus d

(de – 1) divisible by (p – 1) and (q – 1)

RSA continued

public keyn + e

private keyn + d

Pe mod n = C Cd mod n = P

Example: key generation

e = 5, p = 7, q = 17 n = 119 d = 77 de – 1 = 384. divisible by 6 and 16. k1 = (5, 119) k2 = (77, 119),

Example: encryption

EncryptionP = 65 (ASCII 'A')C = 655 mod 119 = 46

DecryptionC = 46P = 4677 mod 119 = 65

Example: authentication

P = 65 Authenticate

S = 6577 mod 119 = 39Send S, k1

VerifyP = 395 mod 119 = 65Only the private key holder could have

sent

ElGamal

RSA depends on the mathematical properties of primesfactoring of a large n into primes p and q

ElGamaluses "discrete logarithm"

ElGamal

Alice and Bob agree on prime number p generator a

Generation step Alice generates a random number x Bob generates a random number y

Exchange step Alice sends Bob ax mod p Bob sends Alice ay mod p

Shared key Alice and Bob both compute K = axy mod p

ElGamal

Eve listeningknows a and plearns ax mod p and ay mod pbut cannot recover K

NoteBob won't learn x eitherNot useful for encryption"One-way function"

Public key version

Bob generates both x and ypublic key is ay mod p

Practical Cryptographic Implementation PGP Uses RSA for public-key crypto Problem

too slow Solution

Use IDEAGenerate a symmetric keyShare it using RSA

PGP Dataflow

Protecting integrity

Message Authentication Code Process

Alice writes PAlice computes m(P) = MAlice sends Bob P + MBob computes m(P). Compares M

Useful even if P is not encrypted

Attacks

If Eve modifies P P'Bob computes m(P'). Won't match M

What if Eve modifies P P' andalso computes m(P') = M'sends P' + M'

m also needs a shared secretm(k, P)

MAC Features

should be much shorter than the original message

small change in message should result in very different MAC

difficult to reverse engineer

Digital Signatures

MAC does not support non-repudiation

Bob could receive P + Mverify that it came from Alice

But Bob could also alter P P'recompute m(k, P') = M'

Tell the judge that Alice sent P' + M'how to prove otherwise

Digital Signature

AuthenticationOnly Alice can computef2 (k2, P) = C

Combine with a messageP + CNow anyone can check that P

matches CBob could not generate C

DSA

Federal standard Uses a variant of ElGamal Three public values

p = prime modulusq = prime divisor of p-1g = j (p-1)/q mod pwhere j is a random integer < p

To sign

Generate a hash h of P Pick a random number k Generate two values

r = (gk mod p) mod qs = (k-1 (h + kr) mod qwhere (k-1 k) mod q = 1

Send message P + r + s

To verify

(complicated) Receive message P' with r' and s' Compute hash h' of received P' w = s'-1 mod q u1 = h' w mod q u2 = r' w mod q v = (gu1 yu2 mod p) mod q r' should equal v

Attacker

Knows p, q, and g Does not know k Infeasible to compute the r, s pair

without knowing k

Elliptic curve

Math is very complex But the basic idea is that we define a

curvey2 + xy = x3 + ax2 + bthe parameters of the curve are the

secret knowledge

Encryption

P and Q are points on the curve P+Q is defined geometrically k*P = C

Encryption, cont'd

A specific base point G is selected and published for use with the curve E(q).

A private key k is selected as a random integer;

the value P = k*G is published as the public key

If Alice and Bob have private keys kA and kB, and public keys PA and PB, then

Alice can calculate kA*PB = (kA*kB)*G; and Bob can compute the same value as kB*PA = (kB*kA)*G.

Elliptic curve

BenefitsFaster to compute than RSA or

ElGamalComputationally "harder" inverse

problem = better security for same key size

Drawbackstill somewhat newmaybe flaws not yet known

Attacking digital signatures

Bob wants to send Alice a secure message P Eve wants to modify it Bob signs P with private key kb1, creating MAC M Bob sends P + M + kb2 to Alice Eve intercepts this message Eve creates a modified message P' Signs it with her private key ke1

Sends P' + M' + ke2

Alice gets P' Verifies the signature against the public key Eve wins

Man in the middle

The "man in the middle" can masquerade as the sender

DSA has no authentication defense We know

the message was unchanged since signing whoever signed it used the private key that

matches the supplied public key We don't know

that the signer is actually the sender who does the public key belong to?

Answer: next two weeks

Public key certificates Public key infrastructure Read

Ford & Baum, Ch. 6

Assignment #2

Question 1effectiveness of brute force

Questions 2 & 3 running PGPuse shrike

Question 41-2 page discussion of the results of 2

& 3