cryptography ect 582 – winter 2004 robin burke. discussion

Download Cryptography ECT 582 – Winter 2004 Robin Burke. Discussion

Post on 11-Jan-2016

221 views

Category:

Documents

2 download

Embed Size (px)

TRANSCRIPT

  • CryptographyECT 582 Winter 2004Robin Burke

  • Discussion

  • OutlineBackgroundSymmetric encryptionCryptographic attacksPublic-key encryptionProtecting message integrityDigital signaturesCryptographic software

  • Why cryptography?Two rolesconfidentialityintegrityEssential security propertiesespecially important on a public network

  • Cryptography in HistoryVery oldprobably as old as writingHebrew ATBASH cipher500-600 BCJulius Caesar's substitution cipher50-60 BC

  • Basic ideaPlaintext (P)message to sendAlicesenderBobrecipientEveeavesdropperCiphertext (C)scrambled version of the messageAlgorithmtechnique for turning P into C (and back)

  • How it worksThe algorithm f is a secretshared by A and BProcessA computes f(P) = CTransmits C to BB computes f'(C) = PE doesn't know the secret

  • ProblemSecret algorithms hard to developOnce disclosedall messages readable

  • Better solutionf is a function of two valuesf(k, P) = CUsually reversiblef' (k, C) = Pk = the secret key

  • Symmetric encryptionAlice and Bob perform the same operationsame key kBenefitsAlgorithm doesn't have to be secretDisclosure of one key leaves other message still protected

  • New problemShared secretAlice and Bob need to know kWhy can't Alice encrypt k and send it to Bob?

  • Attacksconfidentiality Brute forcetry every possible keyCryptanalysisuse properties of encrypted message to narrow range of possible keys

  • Cryptographic algorithmsVery difficult to developExisting algorithmsDESobsoleteTriple DESRCxAESIDEABlowfish

  • DifferencesKey sizeVariableFixed sizeProprietary vs openHistoryCryptographic strength

  • The Real IssuePlaintext contains informationCiphertext should "look random"no information for cryptanalysisHow to do thisspread the information arounduse the key as a seed for a complex pattern

  • Brute force effortWe assume that keys are chosen randomlyall bit patterns equally likelyThree bit key23 = 8 possibilities from 000 to 111How long to guess?on average 4 guesses will be enough

  • Key SizeLarger key protects against a brute force attack56 bits = 72 quintillion keysBut"Deep Crack" 90 billion keys / sec.distributed.net 250 billion keys / sec.

  • Key SpaceWhole key space isn't used?less space to searchthis can make a big differencePasswords = poor keyspaceCan only use keyboard charactersPeople often use only a fraction of that

  • Sharing Secret DataHow do A and B agree on k?Need an alternative secure channelSolvable for spiesUnsolvable for the Internet

  • Public-key encryptionasymmetricone key to encipheranother to decipherA pair of functionsf1 (k1, P) = Cf2 (k2, C) = PPublic key = k1Private key = k2

  • What's the big deal?Shared secret no longer neededk1 can be divulged to the worldAll it can do is encryptk2 must be secret

  • Encryption modeAlice gets Bob's public key b1Alice computes f1 (b1, P) = CBob receives CBob computes f2 (b2, C) = P

  • Authentication modeAlice computes f2 (a2, P) = CBob computes f1 (a1, C) = Panyone could do thisNo privacybut identifies originonly Alice could have encoded C

  • Public-key algorithmsVery, very difficult to createAlgorithmsDiffie-Helman / ElGamalRSAElliptic curve

  • RSASelect eSelect p and qprimep-1 and e have no common divisorsq-1 and e alsopublic modulus n = pqprivate modulus d(de 1) divisible by (p 1) and (q 1)

  • RSA continuedpublic keyn + eprivate keyn + dPe mod n = CCd mod n = P

  • Example: key generatione = 5, p = 7, q = 17n = 119d = 77de 1 = 384. divisible by 6 and 16.k1 = (5, 119)k2 = (77, 119),

  • Example: encryptionEncryptionP = 65 (ASCII 'A')C = 655 mod 119 = 46DecryptionC = 46P = 4677 mod 119 = 65

  • Example: authenticationP = 65AuthenticateS = 6577 mod 119 = 39Send S, k1VerifyP = 395 mod 119 = 65Only the private key holder could have sent

  • ElGamalRSA depends on the mathematical properties of primesfactoring of a large n into primes p and qElGamaluses "discrete logarithm"

  • ElGamalAlice and Bob agree onprime number pgenerator aGeneration stepAlice generates a random number xBob generates a random number yExchange stepAlice sends Bob ax mod pBob sends Alice ay mod pShared keyAlice and Bob both compute K = axy mod p

  • ElGamalEve listeningknows a and plearns ax mod p and ay mod pbut cannot recover KNoteBob won't learn x eitherNot useful for encryption"One-way function"

  • Public key versionBob generates both x and ypublic key is ay mod p

  • Practical Cryptographic ImplementationPGPUses RSA for public-key cryptoProblemtoo slowSolutionUse IDEAGenerate a symmetric keyShare it using RSA

  • PGP Dataflow

  • Protecting integrityMessage Authentication CodeProcessAlice writes PAlice computes m(P) = MAlice sends Bob P + MBob computes m(P). Compares MUseful even if P is not encrypted

  • AttacksIf Eve modifies P P'Bob computes m(P'). Won't match MWhat if Eve modifies P P' andalso computes m(P') = M'sends P' + M'm also needs a shared secretm(k, P)

  • MAC Featuresshould be much shorter than the original messagesmall change in message should result in very different MACdifficult to reverse engineer

  • Digital SignaturesMAC does not support non-repudiationBob could receive P + Mverify that it came from AliceBut Bob could also alter P P'recompute m(k, P') = M'Tell the judge that Alice sent P' + M'how to prove otherwise

  • Digital SignatureAuthenticationOnly Alice can computef2 (k2, P) = CCombine with a messageP + CNow anyone can check that P matches CBob could not generate C

  • DSAFederal standardUses a variant of ElGamalThree public valuesp = prime modulusq = prime divisor of p-1g = j (p-1)/q mod pwhere j is a random integer < p

  • To signGenerate a hash h of PPick a random number kGenerate two valuesr = (gk mod p) mod qs = (k-1 (h + kr) mod qwhere (k-1 k) mod q = 1Send message P + r + s

  • To verify(complicated)Receive message P' with r' and s'Compute hash h' of received P'w = s'-1 mod qu1 = h' w mod qu2 = r' w mod qv = (gu1 yu2 mod p) mod qr' should equal v

  • AttackerKnows p, q, and gDoes not know kInfeasible to compute the r, s pair without knowing k

  • Elliptic curveMath is very complexBut the basic idea is that we define a curvey2 + xy = x3 + ax2 + bthe parameters of the curve are the secret knowledge

  • EncryptionP and Q are points on the curveP+Q is defined geometricallyk*P = C

  • Encryption, cont'dA specific base point G is selected and published for use with the curve E(q). A private key k is selected as a random integer; the value P = k*G is published as the public key If Alice and Bob have private keys kA and kB, and public keys PA and PB, then Alice can calculate kA*PB = (kA*kB)*G; and Bob can compute the same value as kB*PA = (kB*kA)*G.

  • Elliptic curveBenefitsFaster to compute than RSA or ElGamalComputationally "harder" inverse problem = better security for same key sizeDrawbackstill somewhat newmaybe flaws not yet known

  • Attacking digital signaturesBob wants to send Alice a secure message PEve wants to modify itBob signs P with private key kb1, creating MAC MBob sends P + M + kb2 to AliceEve intercepts this messageEve creates a modified message P'Signs it with her private key ke1Sends P' + M' + ke2Alice gets P'Verifies the signature against the public keyEve wins

  • Man in the middleThe "man in the middle" can masquerade as the senderDSA has no authentication defenseWe knowthe message was unchanged since signingwhoever signed it used the private key that matches the supplied public keyWe don't knowthat the signer is actually the senderwho does the public key belong to?

  • Answer: next two weeksPublic key certificatesPublic key infrastructureReadFord & Baum, Ch. 6

  • Assignment #2Question 1effectiveness of brute forceQuestions 2 & 3 running PGPuse shrikeQuestion 41-2 page discussion of the results of 2 & 3