Cryptography and Network Security 1
CS549: Cryptography and Network Security
© by Xiang-Yang Li
Department of Computer Science, IIT
Notice
© This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials, especially "Cryptography and Network Security", 2nd edition, by William Stallings and "Cryptography: Theory and Practice" by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author.
The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs, protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these.
Cryptography and Network Security
Key Management and Generation
Xiang-Yang Li
Key Exchange
Public key systems are much slower than private key systems.
Public key systems are therefore often used only for short data: signatures, key distribution.
Key distribution: one party chooses the key and transmits it to the other user.
Key agreement: a protocol by which two parties jointly establish a secret key over a public communication channel; the key is a function of the inputs of both users.
Distribution of Public Keys
Can be considered as using one of:
  Public announcement
  Publicly available directory
  Public-key authority
  Public-key certificates
Public Key Management
Simple approach: publish the public key, e.g. in newsgroups, a yellow-book, etc. Convenient, but not secure.
  Anyone can forge such an announcement. Example: user B pretends to be A and publishes a key for A; then all messages sent to A are readable by B!
Better: let a trusted authority maintain the keys.
  The identity must be verified when keys are registered.
  Users can replace old keys or revoke old keys.
Possible Attacks
An attacker can observe all messages over the channel, so assume that every message sent over the channel is available to everyone.
An attacker can save messages for reuse later, so replay attacks must be prevented.
An attacker can masquerade as various users in the network, so the source of a message must be verifiable.
Public Announcement
Users distribute public keys to recipients or broadcast them to the community at large.
  e.g. append PGP keys to email messages, or post them to newsgroups or an email list.
Major weakness is forgery: anyone can create a key claiming to be someone else and broadcast it; until the forgery is discovered, the forger can masquerade as the claimed user.
Publicly Available Directory
Greater security can be obtained by registering keys with a public directory.
The directory must be trusted, with these properties:
  contains {name, public-key} entries
  participants register securely with the directory
  participants can replace their key at any time
  the directory is periodically published
  the directory can be accessed electronically
Still vulnerable to tampering or forgery.
Public-Key Authority
Security is improved by tightening control over the distribution of keys from the directory.
  Has the properties of a directory.
  Requires users to know the public key of the directory.
  Users then interact with the directory to obtain any desired public key securely.
Does require real-time access to the directory when keys are needed.
Cont.
More advanced distribution:
  A sends a request for B's key to the authority with a time-stamp, i.e. ID_A || ID_B || Time.
  The authority replies with B's key, encrypted with its private key: E_KRauth[KU_B || ID_A || ID_B || Time].
  A initiates a message to B containing a random number N_A and its identity ID_A.
  B then asks the authority for A's key in the same way.
  B sends A, encrypted with A's public key, N_A and a new nonce N_B.
  A then replies to B with N_B encrypted with B's public key.
Cont.
In the above scheme, the authority is a bottleneck.
New approach: certificates.
  Any user can read a certificate and determine the name and public key of the certificate's owner.
  Any user can verify that a certificate originated from the authority.
  Only the authority can create and update certificates.
  Any user can verify the time-stamp of a certificate.
The certificate is C_A = E_KRauth[T, ID_A, KU_A].
The time-stamp T is to avoid reuse of a voided key.
Public-Key Certificates
Certificates allow key exchange without real-time access to a public-key authority.
A certificate binds an identity to a public key, usually with other information such as period of validity, rights of use, etc., with all contents signed by a trusted Public-Key or Certificate Authority (CA).
It can be verified by anyone who knows the public-key authority's public key.
To validate a certificate, we need another certificate, one whose Subject matches the Issuer of the first certificate. We then take the RSA public key from the second (CA) certificate and use it to decode the signature on the first certificate, obtaining an MD5 hash; this must match the MD5 hash computed over the rest of the certificate.
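The validation step just described, as an added example that is not part of the lecture: a toy two-certificate chain checked with textbook RSA on constructed Mersenne-prime keys, using SHA-256 in place of the slide's MD5 (see the collision attack on the Security slide). The functions make_key, issue and validate, the certificate fields and the year-granularity validity period are my own simplifications; the serial number reuses the one from the sample certificate.

```python
import hashlib
import json

# Textbook RSA (no PKCS#1 padding) on constructed toy keys. Mersenne primes are used so the
# modulus is larger than a SHA-256 digest; real CAs use padded RSA or ECDSA with larger keys.
E = 65537

def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def tbs_hash(tbs):
    # Hash over the to-be-signed part of the certificate (everything except the signature).
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(tbs, issuer_key):
    # The issuer "encrypts" the hash with its private key; that value is the signature.
    return {"tbs": tbs, "sig": pow(tbs_hash(tbs), issuer_key["d"], issuer_key["n"])}

def validate(cert, issuer_cert, now):
    tbs, issuer_pub = cert["tbs"], issuer_cert["tbs"]["pubkey"]
    if tbs["issuer"] != issuer_cert["tbs"]["subject"]:
        return False                                   # second cert must match the Issuer field
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False                                   # outside the period of validity
    recovered = pow(cert["sig"], issuer_pub["e"], issuer_pub["n"])   # decode sig with CA public key
    return recovered == tbs_hash(tbs)                  # must equal the hash over the rest of the cert

CA_KEY = make_key(2**127 - 1, 2**521 - 1)            # constructed root CA key pair
SRV_KEY = make_key(2**89 - 1, 2**607 - 1)            # constructed end-entity key pair
CA_CERT = issue({"subject": "CN=Toy Root CA", "issuer": "CN=Toy Root CA",
                 "not_before": 2024, "not_after": 2034,
                 "pubkey": {"n": CA_KEY["n"], "e": CA_KEY["e"]}}, CA_KEY)   # self-signed root
SRV_CERT = issue({"subject": "CN=server.example", "issuer": "CN=Toy Root CA",
                  "serial": 7829, "not_before": 2025, "not_after": 2026,
                  "pubkey": {"n": SRV_KEY["n"], "e": SRV_KEY["e"]}}, CA_KEY)

def demo():
    genuine = validate(SRV_CERT, CA_CERT, now=2025)
    # Same signature, altered subject: the recovered hash no longer matches the certificate.
    forged = {"tbs": dict(SRV_CERT["tbs"], subject="CN=attacker.example"), "sig": SRV_CERT["sig"]}
    return genuine, validate(forged, CA_CERT, now=2025), validate(SRV_CERT, CA_CERT, now=2030)

if __name__ == "__main__":
    print(demo())
```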
X.509
The structure of an X.509 v3 digital certificate is as follows:
Certificate
  Version
  Serial Number
  Algorithm ID
  Issuer
  Validity
    Not Before
    Not After
  Subject
  Subject Public Key Info
    Public Key Algorithm
    Subject Public Key
  Issuer Unique Identifier (Optional)
  Subject Unique Identifier (Optional)
  Extensions (Optional)
  ...
Certificate Signature Algorithm
Certificate Signature
Sample Certificate
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected]
        Validity
            Not Before: Jul 9 16:04:02 1998 GMT
            Not After : Jul 9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f
Security
In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys," achieved using a collision attack on the MD5 hash function.
See http://www.win.tue.nl/~bdeweger/CollidingCertificates/ddl-full.pdf
Public-Key Distribution of Secret Keys
Use the previous methods to obtain a public key.
It can be used for secrecy or authentication, but public-key algorithms are slow, so usually we want to use private-key encryption to protect message contents.
Hence we need a session key.
There are several alternatives for negotiating a suitable session key.
Simple Secret Key Distribution
Proposed by Merkle in 1979:
  A generates a new temporary public key pair.
  A sends B the public key and A's identity.
  B generates a session key K and sends it to A encrypted using the supplied public key.
  A decrypts the session key, and both use it.
Problem: an opponent can intercept and impersonate both halves of the protocol.
Secret Key Distribution
Simple secret key distribution:
  A generates KU_A and KR_A and sends KU_A to B.
  B generates a secret key k_s.
  B sends k_s to A encrypted using A's public key KU_A.
  A decrypts the message to get the secret key k_s.
To get more security, the public/private keys can be regenerated when needed.
But it is vulnerable to an active attack! Attacker E can compromise the communication between A and B as follows.
Cont.
Attacking:
  A generates KU_A and KR_A and sends ID_A, KU_A to B.
  E intercepts the message and transmits ID_A, KU_E to B.
  B generates a secret key k_s.
  B sends k_s to A encrypted with A's "public key" KU_E.
  E intercepts the message, decrypts it and gets k_s.
  E sends A the message k_s encrypted with KU_A.
  A decrypts the message to get the secret key k_s.
Now E knows k_s, but A and B are unaware of it.
Secret Key Distribution
So we need both confidentiality and authentication: A and B need to use a secure method to exchange their public keys.
Scheme:
  A initiates a message to B: E_KUB(N_A, ID_A).
  B replies with E_KUA(N_A, N_B).
  A then replies with E_KUB(N_B).
  A sends B the message E_KUB(E_KRA(K_s)).
Security: the first 3 steps are used to assure that A is A and B is B.
Public-Key Distribution of Secret Keys
If public keys have been securely exchanged:
Key Predistribution
A Trusted Authority (TA) generates keys for all pairs of users and transmits them to the users.
Large overhead (for the TA and the users).
Blom Scheme:
  Keys are chosen from a finite field Z_p, where p is a public prime number.
  The TA transmits k+1 elements of Z_p to each user over a secure channel.
  Security condition: any set of at most k users (other than U and V) cannot determine any information about K_{U,V}.
Blom
Blom's scheme is currently used by the HDCP copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions.
Blom Scheme
Scheme (when k = 1):
  Each user u has a distinct element r_u from Z_p.
  The TA chooses a, b, c and defines f(x, y) = a + b(x + y) + cxy mod p.
  For each u, the TA computes g_u(x) = f(x, r_u) mod p.
  The TA transmits g_u(x) to user u.
  Two users u and v compute the common key f(r_u, r_v) = a + b(r_u + r_v) + c r_u r_v mod p.
  Here f(r_u, r_v) = g_v(r_u) = g_u(r_v).
Security of Blom Scheme
Any set of at most k users cannot determine the keys; however, more than k users can compute any key.
For k = 1: more than k users can solve the equations to get a, b, c.
Generally, the function is f(x, y) = sum over i, j = 0..k of a_{i,j} x^i y^j mod p, with a_{i,j} = a_{j,i}.
More Practice
Trent chooses a random and secret k x k matrix D over the finite field GF(p), where p is a prime number. D is required when a new user is to be added to the key sharing group.
For example, let p = 17, and D =
Trent then computes the users' private keys: g_Alice = (D * I_Alice), g_Bob = (D * I_Bob).
Cont.
Let I_Alice = , and I_Bob = .
Trent will create Alice's and Bob's secret keys as follows:
g_Alice =
Cont.
She computes the shared key k(Alice/Bob) = g_Alice * I_Bob
k(Alice/Bob) =
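The k = 1 polynomial scheme and the matrix form of the last three slides, as an added example that is not part of the lecture. The TA's coefficients a, b, c, the user elements r_u, r_v, the symmetric matrix D and the public vectors I_Alice, I_Bob are constructed values (the slides' own matrices are not reproduced here); p = 17 as on the slide, and the function names are my own.

```python
P = 17   # public prime, as on the slide

def blom_poly_share(a, b, c, r):
    # TA: f(x, y) = a + b(x + y) + c*x*y mod p. The user with element r gets g_r(x) = f(x, r),
    # returned as the coefficient pair (g0, g1) of g0 + g1*x mod p.
    return ((a + b * r) % P, (b + c * r) % P)

def blom_poly_key(g, r_other):
    # A user evaluates its own share at the other user's element.
    g0, g1 = g
    return (g0 + g1 * r_other) % P

def mat_vec(d, v):
    # D * I mod p for the matrix form of the scheme.
    return [sum(d[i][j] * v[j] for j in range(len(v))) % P for i in range(len(d))]

def blom_matrix_key(g_u, i_v):
    # k_{u,v} = g_u^T * I_v mod p; symmetric in u and v only because D is symmetric.
    return sum(x * y for x, y in zip(g_u, i_v)) % P

def poly_demo():
    a, b, c = 8, 7, 2                 # TA's secret coefficients (constructed)
    r_u, r_v = 12, 7                  # distinct elements of Z_17 for u and v (constructed)
    g_u, g_v = blom_poly_share(a, b, c, r_u), blom_poly_share(a, b, c, r_v)
    direct = (a + b * (r_u + r_v) + c * r_u * r_v) % P    # f(r_u, r_v) as the TA would compute it
    return blom_poly_key(g_u, r_v), blom_poly_key(g_v, r_u), direct

def matrix_demo(d):
    # k = 2: Trent's 2x2 matrix d over GF(17); public vectors for Alice and Bob (constructed).
    i_alice, i_bob = [3, 5], [1, 12]
    g_alice, g_bob = mat_vec(d, i_alice), mat_vec(d, i_bob)
    return blom_matrix_key(g_alice, i_bob), blom_matrix_key(g_bob, i_alice)

SYMMETRIC_D = [[1, 6], [6, 15]]       # constructed symmetric D; a non-symmetric D breaks agreement
```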
Diffie-Hellman Key Predistribution
Computationally secure if the discrete logarithm is intractable.
Scheme:
  Assume a public prime number p and a public integer c.
  Each user u has a secret component a_u.
  User u computes b_u = c^(a_u) mod p.
  The TA certifies it by computing (ID(u), b_u, sig_TA(ID(u), b_u)).
  The common key of two users u and v is K = c^(a_u a_v) mod p.
Diffie Hellman
Around September 1974, Diffie (a graduate student) had been traveling the USA with his wife, Mary, discussing cryptography with anyone who was available.
At the time, there was very little published material about modern methods and much was classified. Very few people were interested in the topic, and Marty Hellman (at Stanford at that time) even says that many of his colleagues felt that it was "born classified," like secrets about the atomic bomb, because it was so important to national security. John Gill gave the idea of exponential
Diffie-Hellman Key Exchange
Computationally secure if the discrete logarithm is intractable.
Scheme:
  Assume a public prime number p and a public integer c.
  Each user u chooses a secret component a_u (new!).
  User u computes b_u = c^(a_u) mod p.
  User v computes b_v = c^(a_v) mod p.
  The common key of two users u and v is K = c^(a_u a_v) mod p.
Diffie-Hellman Problem
Diffie-Hellman problem definition: given b_u = g^(a_u) mod p and b_v = g^(a_v) mod p, how to compute g^(a_u a_v) mod p? Here g is a primitive element mod p.
The problem is not harder than the discrete logarithm problem, because the latter can always be used to solve it.
It can be proved that it has the same difficulty as the ElGamal encryption system.
Middle Attack
Intruder w intercepts the communications.
Intruder w communicates with u.
Intruder w communicates with v.
The key computed by u is K = c^(a_u a_v') mod p.
Messages between u, w and v:
  u sends c^(a_u); w intercepts it and forwards c^(a_u') to v
  v sends c^(a_v); w intercepts it and forwards c^(a_v') to u
Authenticated Key Agreement
Introducing an identification scheme before the key exchange does not help: the attacker remains inactive until identification is done.
Simplified station-to-station protocol: the key agreement protocol itself authenticates the users' identities at the same time the key is being defined.
Station-to-Station Protocol
Scheme:
  Each user has a certificate C(v) = (ID_v, ver_v, sig_TA(ID_v, ver_v)), where ver_v is v's signature verification key.
  User u selects a_u, computes b_u = c^(a_u) mod p and sends it to v.
  User v selects a_v and computes the value b_v = c^(a_v) mod p, the key K = c^(a_u a_v) mod p and the signature y_v = sig_v(b_u, b_v).
  User v sends (C(v), b_v, y_v) to u.
  User u computes K = c^(a_u a_v) mod p and verifies y_v and C(v).
  User u computes y_u = sig_u(b_u, b_v) and sends (C(u), y_u) to v.
  User v verifies y_u and C(u).
MTI Agreement Protocol
Scheme:
  Assume a public prime number p and a public integer c.
  Each user has a certificate C(u) = (ID_u, b_u, sig_TA(ID_u, b_u)), where b_u = c^(a_u) mod p.
  Each user u chooses a secret component r_u (new!).
  User u computes s_u = c^(r_u) mod p and sends (C(u), s_u).
  User v computes s_v = c^(r_v) mod p and sends (C(v), s_v).
  The common key of two users u and v is
    K = c^(r_v a_u + r_u a_v) mod p = s_v^(a_u) b_v^(r_u) mod p = s_u^(a_v) b_u^(r_v) mod p.
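Diffie-Hellman, the middle attack and the MTI protocol above, as an added example that is not part of the lecture. p = 23 with generator c = 5, the long-term secrets a_u, a_v, the session values r_u, r_v and the intruder's a_w, r_w are constructed toy numbers; the certificates C(u) are modelled as already-verified public values b_u, and the function names are my own.

```python
P, C = 23, 5   # constructed public prime and generator (5 has order 22 mod 23)

def dh_public(secret):
    return pow(C, secret, P)                    # b_u = c^(a_u) mod p

def dh_key(my_secret, their_public):
    return pow(their_public, my_secret, P)      # K = c^(a_u a_v) mod p

def dh_middle():
    # Plain DH with an intruder w: w answers both u and v with its own c^(a_w), so u and v
    # each derive a key shared with w instead of the intended c^(a_u a_v).
    a_u, a_v, a_w = 6, 15, 13
    b_w = dh_public(a_w)
    intended = dh_key(a_u, dh_public(a_v))
    return intended, dh_key(a_u, b_w), dh_key(a_v, b_w)

def mti_key(my_a, my_r, their_b, their_s):
    # K = s_v^(a_u) * b_v^(r_u) = c^(r_v a_u + r_u a_v) mod p; v computes the mirror image.
    return (pow(their_s, my_a, P) * pow(their_b, my_r, P)) % P

def mti_demo():
    a_u, a_v = 6, 15            # long-term secrets; b_u, b_v are the certified values
    r_u, r_v = 3, 10            # fresh per-session secrets
    b_u, b_v = dh_public(a_u), dh_public(a_v)
    s_u, s_v = dh_public(r_u), dh_public(r_v)
    k_u = mti_key(a_u, r_u, b_v, s_v)
    k_v = mti_key(a_v, r_v, b_u, s_u)
    k_ref = pow(C, r_v * a_u + r_u * a_v, P)
    return k_u, k_v, k_ref

def mti_substituted(r_w=4):
    # In MTI an intruder can replace s_v with its own c^(r_w), but u's key still contains
    # the factor c^(r_u a_v), which needs v's certified secret a_v (or u's r_u) to produce.
    a_u, a_v, r_u = 6, 15, 3
    k_u = mti_key(a_u, r_u, dh_public(a_v), dh_public(r_w))
    known_to_w = pow(dh_public(a_u), r_w, P)                 # c^(r_w a_u), computable from b_u
    missing = k_u * pow(known_to_w, -1, P) % P              # the factor w would still need
    return k_u, missing, pow(C, r_u * a_v, P)
```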