Introduction to Computer Security
Matthieu Giraud
LIMOS, Universite Clermont Auvergne
Matthieu Giraud (LIMOS) Computer Security 1 / 131
Contents
1 Historic
2 Block ciphers and modes
3 Classical Symmetric Encryptions
4 Hash Functions
5 MAC
6 Classical Asymmetric Encryptions
7 Digital Signature
8 Asymmetric vs Symmetric
9 Public Key Infrastructure
10 Conclusion
Historic

Information hiding
  Secret writing
    Steganography (hidden)
    Cryptography (scrambled)
      Transposition
      Substitution
        Code (replace words)
        Cipher (replace letters)

Cryptology: the study of secret writing
Steganography: the science of hiding messages in other messages
Cryptography: the science of secret writing
Note: terms like encrypt, encode, and encipher are often (loosely and wrongly) used interchangeably.
Kerckhoffs' Principle
In 1883, the Dutch linguist Auguste Kerckhoffs von Nieuwenhof stated in his book "La Cryptographie Militaire" that:
"the security of a crypto-system must be totally dependent on the secrecy of the key, not the secrecy of the algorithm."
Mono-alphabetic substitution ciphers
Simplest kind of cipher. The idea is over 2,000 years old.
Let K be the set of all permutations on the alphabet A. Define for each e ∈ K an encryption transformation Ee on strings m = m1m2···mn ∈ M as
Ee(m) = e(m1)e(m2)···e(mn) = c1c2···cn = c.
To decrypt c, compute the inverse permutation d = e⁻¹ and
Dd(c) = d(c1)d(c2)···d(cn) = m.
Ee is a simple substitution cipher or a mono-alphabetic substitution cipher.
Substitution cipher examples
KHOOR ZRUOG = HELLO WORLD. Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.
Zl anzr vf Nqnz = My name is Adam. ROT13: shift each letter by 13 places.
2-25-5 2-25-5 = BYE BYE. Alphanumeric: substitute numbers for letters.
How hard are these to cryptanalyze? Caesar? General?
(In)security of substitution ciphers
Key spaces are typically huge: 26 letters give 26! possible keys.
Trivial to crack using frequency analysis (letters, digraphs, ...).
Frequencies for English are based on data-mining books/articles.
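Worked example, added here and not taken from the slides: the mono-alphabetic substitution E_e for an arbitrary permutation key, with Caesar and ROT13 as the two shift keys from the previous slide, and the frequency-analysis step the slide calls trivial, applied to the shift family where all 26 keys can simply be tried and scored against English letter frequencies. The frequency table and the sample sentence are constructed for the example.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent (standard published values).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}


def substitution_encrypt(key, text):
    """Mono-alphabetic substitution E_e: `key` lists e(A), e(B), ..., e(Z), i.e. one of
    the 26! permutations of the alphabet. Case is kept; non-letters pass through."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A..Z")
    table = str.maketrans(ALPHABET + ALPHABET.lower(), key + key.lower())
    return text.translate(table)


def substitution_decrypt(key, text):
    """D_d with the inverse permutation d = e^-1 (obtained by swapping the two columns)."""
    table = str.maketrans(key + key.lower(), ALPHABET + ALPHABET.lower())
    return text.translate(table)


def shift_key(k):
    """Key of the shift family a -> a + k (mod 26): k = 3 is Caesar, k = 13 is ROT13."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]


def caesar(text, k=3):
    return substitution_encrypt(shift_key(k), text)


def rot13(text):
    return caesar(text, 13)  # applying it twice gives the plaintext back


def letter_frequencies(text):
    """Observed letter frequencies in percent: the raw material of frequency analysis."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {ch: 100.0 * counts[ch] / total for ch in ALPHABET}


def chi_squared(observed):
    """Distance between an observed distribution and English; lower is more English-like."""
    return sum((observed[ch] - ENGLISH_FREQ[ch]) ** 2 / ENGLISH_FREQ[ch] for ch in ALPHABET)


def recover_caesar_shift(ciphertext):
    """Only 26 keys exist, so try them all and keep the candidate plaintext whose letter
    distribution is closest to English. This is why a shift cipher is trivial to break."""
    scores = []
    for k in range(26):
        candidate = substitution_decrypt(shift_key(k), ciphertext)
        scores.append((chi_squared(letter_frequencies(candidate)), k))
    return min(scores)[1]


# Constructed sample text (not from the slides), long enough for the statistics to work.
SAMPLE = ("IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES IT WAS THE AGE OF "
          "WISDOM IT WAS THE AGE OF FOOLISHNESS IT WAS THE EPOCH OF BELIEF")

if __name__ == "__main__":
    print(caesar("HELLO WORLD"))          # KHOOR ZRUOG
    print(rot13("My name is Adam"))       # Zl anzr vf Nqnz
    c = caesar(SAMPLE, 7)
    k = recover_caesar_shift(c)
    print(k, substitution_decrypt(shift_key(k), c))
```

For a general (non-shift) permutation the same frequency table is the starting point, but the 26! key space has to be narrowed letter by letter (and with digraphs), which is why the slide distinguishes the Caesar case from the general one.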
Homophonic substitution ciphers
To each a ∈ A, associate a set H(a) of strings of t symbols, where the sets H(a), a ∈ A, are pairwise disjoint. A homophonic substitution cipher replaces each a with a randomly chosen string from H(a). To decrypt a string c of t symbols, one must determine the a ∈ A such that c ∈ H(a). The key for the cipher is the sets H(a).
Exercise
A = {a, b, c}, H(a) = {001, 010, 100}, H(b) = {011, 110, 101} and H(c) = {000, 111}. What is the plaintext of the following ciphertexts: 001101111, 110011000?
Rationale: makes frequency analysis more difficult. Cost: data expansion and more work for decryption.
Polyalphabetic substitution ciphers
Idea (Leon Alberti): conceal the distribution using a family of mappings.
A polyalphabetic substitution cipher is a block cipher with block length t over alphabet A where:
the key space K consists of all ordered sets of t permutations over A, (p1, p2, ..., pt).
Encryption of m = m1···mt under key e = (p1, ..., pt) is Ee(m) = p1(m1)···pt(mt).
The decryption key for e is d = (p1⁻¹, ..., pt⁻¹).
Example: Vigenère ciphers
Key given by a sequence of numbers e = e1, ..., et, where
pi(a) = (a + ei) mod n
defines a permutation on an alphabet of size n.
Exercise
English (n = 26), with k = 3, 7, 10. Decrypt the following text:
Ee(m) = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO
m = THI SCI PHE RIS CER TAI NLY NOT SEC URE
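The Vigenère cipher of the slide as code (an added example, not part of the lecture material): the key is the sequence e = (e1, ..., et) of shifts, each letter position j uses the permutation p_i with i = j mod t, and decryption applies the inverse shifts. `split_by_period` regroups the ciphertext by key position to show why the plaintext of the exercise says the cipher is "certainly not secure": each group is a plain Caesar cipher. The keyword form `key_from_word` is a convenience assumed here, not something the slide defines.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def key_from_word(word):
    """Turn a keyword into the shift sequence e = (e_1, ..., e_t): A -> 0, B -> 1, ..."""
    return [ALPHABET.index(ch) for ch in word.upper()]


def vigenere_encrypt(key, text):
    """Polyalphabetic substitution with period t = len(key): the j-th letter is encrypted
    with p_i(a) = (a + e_i) mod 26, i = j mod t. Spaces do not consume a key position."""
    if not key:
        raise ValueError("key must contain at least one shift")
    out, j = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key[j % len(key)]) % 26])
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(key, text):
    """Decryption applies the inverse permutations p_i^-1(a) = (a - e_i) mod 26."""
    return vigenere_encrypt([-e for e in key], text)


def split_by_period(ciphertext, t):
    """Group the letters by key position. Every group was encrypted with one single shift,
    so each is a Caesar cipher that frequency analysis handles on its own: once the
    period t is known, the polyalphabetic cipher falls apart into t mono-alphabetic ones."""
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    return ["".join(letters[i::t]) for i in range(t)]


if __name__ == "__main__":
    key = [3, 7, 10]   # the slide's k = 3, 7, 10; equivalently key_from_word("DHK")
    c = "WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO"
    print(vigenere_decrypt(key, c))
    print(split_by_period(c, 3))
```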
One-time pads (Vernam cipher)
A one-time pad is a cipher defined over {0, 1}. Message m1···mn is encrypted by a binary key string k1···kn.
Ek1···kn(m1···mn) = (m1 ⊕ k1)···(mn ⊕ kn)
Dk1···kn(c1···cn) = (c1 ⊕ k1)···(cn ⊕ kn)
Example:
m = 010111
k = 110010
c = 100101
Since every key sequence is equally likely, so is every plaintext! Unconditional (information-theoretic) security, if the key isn't reused!
Moscow–Washington communication was previously secured this way.
Problem? Securely exchanging and synchronizing long keys.
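The one-time pad over {0, 1} as code, an added example rather than the slide's own: XOR encryption and decryption on bit strings, a pad drawn from the OS random generator, a function exhibiting the "every plaintext is equally likely" argument (for any candidate plaintext there is a key that explains the ciphertext), and the reason for the "if the key isn't reused" caveat (two ciphertexts under one pad XOR to the XOR of the plaintexts). The second message used below is constructed.

```python
import secrets


def xor_bits(a, b):
    """Bitwise XOR of two equal-length '0'/'1' strings."""
    if len(a) != len(b):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    if set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(key, m):
    return xor_bits(m, key)


def otp_decrypt(key, c):
    return xor_bits(c, key)  # XOR is its own inverse


def generate_pad(n_bits):
    """A fresh, uniformly random pad from the OS CSPRNG. Use it once, then discard it."""
    return "".join(str(secrets.randbits(1)) for _ in range(n_bits))


def key_that_decrypts_to(c, m):
    """Perfect secrecy made concrete: for ANY plaintext m of the right length there is a
    key k = c XOR m that decrypts c to m, so the ciphertext alone reveals nothing about m."""
    return xor_bits(c, m)


def key_reuse_leak(c1, c2):
    """Why 'one-time' matters: if two messages share a pad, c1 XOR c2 = m1 XOR m2 and the
    key cancels out, exposing the relation between the two plaintexts."""
    return xor_bits(c1, c2)


if __name__ == "__main__":
    m, k = "010111", "110010"             # the slide's example
    c = otp_encrypt(k, m)
    print(c)                              # 100101
    print(otp_decrypt(k, c) == m)
    print(key_that_decrypts_to(c, "000000"))   # a key under which c would read as all zeros
    print(len(generate_pad(64)))
```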
Transposition ciphers
For block length t, let K be the set of permutations on {1, ..., t}. For each e ∈ K and m ∈ M
Ee(m) = me(1)me(2)···me(t).
The set of all such transformations is called a transposition cipher.
To decrypt c = c1c2···ct compute Dd(c) = cd(1)cd(2)···cd(t), where d is the inverse permutation.
Exercise: transposition cipher
We want to encrypt "Hello world" with the transposition {2, 5, 6, 3, 1, 8, 9, 10, 4, 7}. What is the ciphertext?
What is the inverse transposition?
Composite ciphers
Ciphers based on just substitutions or transpositions are not secure.
Ciphers can be combined. However...
two substitutions are really only one more complex substitution,
two transpositions are really only one transposition,
but a substitution followed by a transposition makes a new, harder cipher.
Product ciphers chain substitution-transposition combinations.
Difficult to do by hand, hence the invention of cipher machines.
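Transposition with its inverse permutation, and a substitution followed by a transposition as the product cipher of the slide. This is an added example, not code from the lecture: the 10-letter test block "TRANSPOSED", the X padding convention and the product-cipher helper are constructed; the permutation is the one from the exercise above.

```python
def transposition_encrypt(perm, block):
    """E_e(m) = m_{e(1)} m_{e(2)} ... m_{e(t)}; `perm` is e as a 1-indexed list of length t."""
    t = len(perm)
    if len(block) != t:
        raise ValueError(f"block must have exactly t = {t} symbols")
    if sorted(perm) != list(range(1, t + 1)):
        raise ValueError("perm must be a permutation of 1..t")
    return "".join(block[e - 1] for e in perm)


def inverse_permutation(perm):
    """d = e^-1, i.e. d(e(j)) = j, so that c_{d(1)} ... c_{d(t)} = m."""
    d = [0] * len(perm)
    for j, e in enumerate(perm, start=1):
        d[e - 1] = j
    return d


def transposition_decrypt(perm, block):
    return transposition_encrypt(inverse_permutation(perm), block)


def caesar(text, k):
    """Minimal shift substitution, the 'S' half of the product cipher below."""
    return "".join(chr((ord(ch) - 65 + k) % 26 + 65) if "A" <= ch <= "Z" else ch for ch in text)


def product_encrypt(k, perm, text):
    """Substitution followed by transposition, block by block. Letters only; the last block
    is padded with X (a constructed convention, not one from the slides)."""
    letters = "".join(ch for ch in text.upper() if "A" <= ch <= "Z")
    t = len(perm)
    letters += "X" * (-len(letters) % t)
    substituted = caesar(letters, k)
    return "".join(transposition_encrypt(perm, substituted[i:i + t])
                   for i in range(0, len(substituted), t))


def product_decrypt(k, perm, ciphertext):
    """Undo the two steps in reverse order: transposition first, then the substitution."""
    t = len(perm)
    untransposed = "".join(transposition_decrypt(perm, ciphertext[i:i + t])
                           for i in range(0, len(ciphertext), t))
    return caesar(untransposed, -k)


if __name__ == "__main__":
    perm = [2, 5, 6, 3, 1, 8, 9, 10, 4, 7]           # the exercise's permutation
    c = transposition_encrypt(perm, "TRANSPOSED")    # constructed 10-letter block
    print(c, transposition_decrypt(perm, c))
    print(product_encrypt(3, perm, "Attack at dawn"))
```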
ENIGMA
Three-rotor German military Enigma machine. Daily keys are used and stored in a book. There are 10^114 possibilities for one cipher.
Other German tricks
A space was omitted or replaced by an X. The X was generally used as a point or full stop. They replaced the comma by Y and the question mark by UD. The combination CH, as in "Acht" (eight) or "Richtung" (direction), was replaced by Q (AQT, RIQTUNG).
Shannon's Principles (1949)
Confusion
The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible.
Ciphers that do not offer much confusion (such as the Vigenère cipher) are susceptible to frequency analysis.
Diffusion
Diffusion spreads the influence of a single plaintext bit over many ciphertext bits.
The best diffusing component is substitution (homophonic).
Principle
A good cipher design uses confusion and diffusion together.
Block ciphers and modes

Block cipher
m, a plaintext message
c, the ciphertext of m
|m| = |c| = n bits
[Diagram: m and sk enter Enc, which outputs c; c and sk enter Dec, which outputs m.]
ECB mode (Electronic CodeBook)
Let |m| = k · n with k > 1. We have m = (m1, ..., mk) with |mi| = n bits.
[Diagram: each block is processed independently; mi and sk enter Enc to give ci, and ci and sk enter Dec to give back mi.]
Exercise
1 What is the drawback of ECB mode?
2 What is the decryption scheme for ECB mode?
CBC mode (Cipher Block Chaining)
Encryption:
[Diagram: IV is XORed with m0 before Enc under sk to give c0; each ci−1 is then XORed with mi before Enc under sk to give ci, up to cn.]
CBC mode (Cipher Block Chaining)
Decryption:
[Diagram: c0 goes through Dec under sk and the result is XORed with IV to give m0; each ci goes through Dec under sk and the result is XORed with ci−1 to give mi, up to mn.]
Exercise
Write the encryption algorithm and the decryption algorithm of CBC mode.
CFB mode (Cipher FeedBack)
Encryption:
[Diagram: IV goes through Enc under sk and the output is XORed with m0 to give c0; each ci−1 goes through Enc under sk and the output is XORed with mi to give ci, up to cn.]
CFB mode (Cipher FeedBack)
Decryption:
[Diagram: only Enc is used. IV goes through Enc under sk and the output is XORed with c0 to give m0; each ci−1 goes through Enc under sk and the output is XORed with ci to give mi, up to mn.]
OFB mode (Output FeedBack)
Encryption:
[Diagram: IV goes through Enc under sk; the output is XORed with m0 to give c0 and is also fed back into Enc for the next block, so the keystream does not depend on the message. Each mi is XORed with the i-th Enc output to give ci, up to cn.]
OFB mode (Output FeedBack)
Decryption:
[Diagram: the same keystream is regenerated with Enc under sk starting from IV and XORed with c0, ..., cn to give m0, ..., mn.]
Classical Symmetric Encryptions

Feistel scheme
Construction dating from the 1970s.
m, a message of length n (n even)
We split m into two blocks L0 and R0 with |L0| = |R0| = n/2
m = L0‖R0
Feistel scheme
Encryption in three rounds:
[Diagram: (L0, R0) goes through three rounds with round functions fsk1, fsk2, fsk3, giving (L3, R3).]
For 1 ≤ i ≤ 3:
Li = Ri−1
Ri = Li−1 ⊕ f(Ri−1, ski)
Exercise
Let m = 1101111010.
sk1 = 10101, sk2 = 11001 and sk3 = 10111.
fsk(x) = x ⊕ sk
What is the ciphertext of m with three rounds of the Feistel scheme?
Exercise
Find the decryption scheme for the Feistel scheme.
Feistel scheme
Decryption is done in exactly the same way:
Ri−1 = Li
Li−1 = Ri ⊕ f(Ri−1, Ki)
The round keys are applied in reverse order.
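Added example (not the lecture's code) serving two passages: the Feistel scheme of the last few slides, including the exercise's round function f_sk(x) = x ⊕ sk and decryption with the round keys reversed, and the ECB, CBC, CFB and OFB modes of the previous section, built on a toy 16-bit block cipher that is itself a Feistel network. The toy cipher, its round keys, the IV and the test blocks are constructed for the demonstration; the repeated plaintext blocks make the drawback of ECB asked about in the exercise visible.

```python
def feistel_encrypt(block, round_keys, f, n):
    """Feistel network on an n-bit block (n even), as on the slides:
    L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, sk_i)."""
    half = n // 2
    mask = (1 << half) - 1
    L, R = block >> half, block & mask
    for sk in round_keys:
        L, R = R, L ^ f(R, sk)
    return (L << half) | R


def feistel_decrypt(block, round_keys, f, n):
    """Same network with the round keys in reverse order:
    R_{i-1} = L_i,  L_{i-1} = R_i XOR f(L_i, sk_i). f itself need not be invertible."""
    half = n // 2
    mask = (1 << half) - 1
    L, R = block >> half, block & mask
    for sk in reversed(round_keys):
        L, R = R ^ f(L, sk), L
    return (L << half) | R


def xor_round_function(x, sk):
    """The exercise's round function f_sk(x) = x XOR sk."""
    return x ^ sk


# Toy 16-bit block cipher built on the Feistel network (constructed for the demo, not a
# real cipher): 8-bit round keys and a small non-linear-looking f on 8-bit halves.
BLOCK_BITS = 16


def toy_round_function(x, sk):
    return ((x ^ sk) * 0xA7 + 0x3B) & 0xFF


def toy_encrypt(key, block):
    return feistel_encrypt(block, key, toy_round_function, BLOCK_BITS)


def toy_decrypt(key, block):
    return feistel_decrypt(block, key, toy_round_function, BLOCK_BITS)


# Modes of operation over lists of 16-bit integer blocks (IV is a 16-bit integer).
def ecb_encrypt(key, blocks):
    return [toy_encrypt(key, m) for m in blocks]          # c_i = Enc(m_i): equal blocks leak


def ecb_decrypt(key, blocks):
    return [toy_decrypt(key, c) for c in blocks]


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = toy_encrypt(key, m ^ prev)                   # c_i = Enc(m_i XOR c_{i-1}), c_{-1} = IV
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(toy_decrypt(key, c) ^ prev)              # m_i = Dec(c_i) XOR c_{i-1}
        prev = c
    return out


def cfb_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = toy_encrypt(key, prev) ^ m                   # c_i = Enc(c_{i-1}) XOR m_i
        out.append(prev)
    return out


def cfb_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(toy_encrypt(key, prev) ^ c)              # decryption also uses Enc only
        prev = c
    return out


def ofb_keystream(key, iv, count):
    stream, s = [], iv
    for _ in range(count):
        s = toy_encrypt(key, s)                             # s_i = Enc(s_{i-1}): independent of m
        stream.append(s)
    return stream


def ofb_encrypt(key, iv, blocks):
    return [m ^ k for m, k in zip(blocks, ofb_keystream(key, iv, len(blocks)))]


ofb_decrypt = ofb_encrypt   # same keystream, XOR again


if __name__ == "__main__":
    # The slides' exercise: m = 1101111010, three rounds, f_sk(x) = x XOR sk.
    print(format(feistel_encrypt(0b1101111010, [0b10101, 0b11001, 0b10111], xor_round_function, 10), "010b"))
    KEY = [0x1F, 0xA3, 0x5C, 0x77, 0xE2, 0x09, 0xB4, 0x6D]   # constructed round keys
    IV, blocks = 0x3C5A, [0x1234, 0x1234, 0xBEEF, 0x1234]    # repeated plaintext blocks
    print([hex(c) for c in ecb_encrypt(KEY, blocks)])        # the repeats show in ECB
    print([hex(c) for c in cbc_encrypt(KEY, IV, blocks)])    # but not in CBC
```

CFB and OFB never call the block cipher's decryption, which is exactly what the decryption diagrams of those two modes show: only Enc appears in them.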
DES (Data Encryption Standard)
Block cipher standard from 1977 to 2000
Performs 16 rounds of the Feistel scheme
[Diagram: m and sk enter Enc, which outputs c.]
|m| = 64 bits
|sk| = 56 bits
DES (Data Encryption Standard)
Initial permutation at the start and inverse permutation at the end
Each round i uses a key ki derived from the main secret key sk
The function f consists of two permutations and a substitution (S-box)
DES (Data Encryption Standard)
[Diagram: the input goes through IP, is split into halves L and R, passes through the 16 Feistel rounds fk1, fk2, ..., fk15, fk16, and the result (L′, R′) goes through IP⁻¹.]
DES / Initial Permutation (IP)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
DES / Final Permutation (IP⁻¹)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
DES (Data Encryption Standard)
[Diagram of one round: Li−1 and Ri−1 (32 bits each) enter. Ri−1 goes through the Expansion Permutation (32 → 48 bits), is combined with the 48-bit round key Ki, goes through the S-Box Substitution and then the P-Box Permutation, and the result is combined with Li−1 to give Ri; Li = Ri−1. In parallel, the two 28-bit halves of Ki−1 each undergo a Left Shift and the Compression Permutation produces Ki.]
DES / Expansion Permutation (E)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
DES (Data Encryption Standard)
The S-boxes
They are non-linear vectorial Boolean functions. They provide confusion: the goal is to make the relations between ciphertext bits and key bits complex.
DES (Data Encryption Standard)
How do they work?
They take 6 bits as input (b1b2b3b4b5b6) and output 4.
2 outer bits (b1b6) and 4 inner bits (b2b3b4b5)
The output is given by the table of the corresponding S-box
S-box table layout: the outer bits b1b6 select the row (0 to 3) and the inner bits b2b3b4b5 select the column (0 to 15).
S-Boxes: S1, S2, S3, S4
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-Boxes: S5, S6, S7 and S8
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Exercise: S-boxes S1 and S2
S-box 1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S-box 2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
Let m1 = (101110) and m2 = (010111). Give the output of m1 and of m2 through S-box 1 and also through S-box 2.
DES / Permutation (P)
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
DES / Key Schedule
Input
Secret key sk, |sk| = 64 bits
Permutation Choice 1 (PC1)
Permutation Choice 2 (PC2)
Left shifts r1, r2, ..., r16
Output
16 round keys: k1, k2, ..., k16, |ki| = 48 bits
DES / Permutation Choice (PC1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
DES / Permutation Choice (PC2)
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
DES / Left Shifts
r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 r13 r14 r15 r16
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
DES / Generation of k1
1 Apply PC1 on sk to obtain k′ of 56 bits
2 Divide k′ in two 28-bit parts to obtain k′1 and k′2
3 Apply r1 on k′1 and k′2 to obtain k″1 and k″2
4 Apply PC2 on k″1‖k″2 to obtain k1 of 48 bits.
DES / Generation of ki (2 ≤ i ≤ 16)
1 Apply ri on ki−1 to obtain k′i−1
2 Apply PC2 on k′i−1 to obtain ki of 48 bits.
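The whole key schedule of the last slides as code: PC1, the split into two 28-bit halves, the left shifts r1..r16 and PC2, using the tables printed above. This is an added example, not the lecture's code; the test key 133457799BBCDFF1 is the widely used worked-example key and not one from the slides. One point the slide's wording glosses over and the code makes explicit: the shift ri is applied to the rotated 28-bit halves carried over from the previous round, not to the 48-bit key ki−1 itself (PC2 is not invertible). `effective_key_bits` shows where the "only 56 bits" of the next slide come from.

```python
# DES key-schedule tables as printed on the slides (1-indexed bit positions).
PC1 = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5,
       3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,
       30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,
       46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # r1 ... r16


def permute(bits, table):
    """Output position j takes input bit table[j] (1-indexed, like the slides' tables)."""
    return "".join(bits[i - 1] for i in table)


def left_rotate(bits, r):
    return bits[r:] + bits[:r]


def des_round_keys(key_hex):
    """k1..k16 from a 64-bit key: PC1 -> split into k'1, k'2 (28 bits each) -> rotate each
    half left by r_i -> PC2 gives the 48-bit k_i. The rotated halves carry over to the
    next round (standard DES behaviour; the slide's step 'apply r_i on k_{i-1}' means this)."""
    key = format(int(key_hex, 16), "064b")
    k_prime = permute(key, PC1)              # 56 bits, parity bits dropped
    c, d = k_prime[:28], k_prime[28:]
    round_keys = []
    for r in SHIFTS:
        c, d = left_rotate(c, r), left_rotate(d, r)
        round_keys.append(permute(c + d, PC2))
    return round_keys


def effective_key_bits():
    """PC1 never selects bits 8, 16, ..., 64 (the parity bits), so only 56 of the 64 key
    bits influence the round keys: this is the 'only 56 bits' weakness of the next slide."""
    return len({i for i in PC1 if i % 8 != 0})


if __name__ == "__main__":
    keys = des_round_keys("133457799BBCDFF1")   # well-known worked-example key, not from the slides
    for i, k in enumerate(keys, start=1):
        print(f"k{i:<2} {int(k, 2):012x}")
    print("effective key bits:", effective_key_bits())
```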
DES (Data Encryption Standard)
What is the weakness of DES?
The weakness of DES: the size of its secret key!
Only 56 bits...
In symmetric cryptography, a 256-bit key is what one wants today.
3DES (Triple DES)
To compensate for the weakness of DES due to its too-short 56-bit key, a variant using three DES keys sk1, sk2 and sk3 is still commonly used today (in the banking world).
3DES
We have C = EncK3(DecK2(EncK1(M)))
3DES
C = EncK3(DecK2(EncK1(M)))
Three options
1 Three different keys ⇒ one key of 168 bits
2 sk1 = sk3 and sk2 ≠ sk1 ⇒ one key of 112 bits
3 sk1 = sk2 = sk3 ⇒ one key of 56 bits (compatibility with DES)
What is the disadvantage?
Three times slower...
Find a New Symmetric Scheme
Call to replace DES. A competition is organized between 1997 and 2001.
AES (Advanced Encryption Standard)
Block cipher, approved for use by the US Government in 2002. Very popular standard, designed by two Belgian cryptographers (Daemen and Rijmen).
Block size: 128 bits
Key size: 128, 192, or 256 bits
Uses various substitutions and transpositions, and key scheduling in different rounds
Algorithm believed secure. The only attacks are based on side-channel analysis, i.e. attacking implementations that inadvertently leak information about the key.
AES (Advanced Encryption Standard)
Key size  # rounds
128       10
192       12
256       14
AES: High-Level Cipher Algorithm
KeyExpansion using Rijndael's key schedule
Initial Round: AddRoundKey
Rounds:
1 SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
2 ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
3 MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
4 AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
Final Round (no MixColumns)
1 SubBytes
2 ShiftRows
3 AddRoundKey
AES / SubBytes
Exercise
Apply SubBytes on the following block:
14 f1 3d 02
4d a5 b7 66
71 9c 81 ac
da 95 6a e1
AES / ShiftRows
Exercise
Apply ShiftRows on the following block:
14 f1 3d 02
4d a5 b7 66
71 9c 81 ac
da 95 6a e1
AES / MixColumns
Each column is multiplied by the following matrix:
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
AES / AddRoundKey
Exercise
Add the round key to the block B:
Round key
14 f1 3d 02
4d a5 b7 66
71 9c 81 ac
da 95 6a e1
Block B
23 f1 45 02
6a a5 e1 1c
4e c9 ff 5d
b3 01 22 b4
Key Schedule / Second Round
Secret key
23 f1 45 02
6a a5 e1 1c
4e c9 ff 5d
b3 01 22 b4
1 We take the last column
2 We apply an up rotation
3 SubBytes
4 Add the first column and Rcon(1)
02    1c    9c    25
1c ⇒ 5d ⇒ 4c ⇒ e9
5d    b4    8d    7d
b4    02    77    d5
This column becomes the first column of the second round key
Key Schedule / Second Round
We have one of the four columns of the round key
Secret key
23 f1 45 02 | 25
6a a5 e1 1c | e9
4e c9 ff 5d | 7d
b3 01 22 b4 | d5
For the three other columns
Ci = Ci−1 ⊕ Ci−4
with 6 ≤ i ≤ 8
Key Schedule / Other Rounds
We repeat this process by replacing the secret key by the key of the second round, the key of the third round, and so on and so forth.
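Added example (not the lecture's code) covering the AES slides above: the SubBytes table built from the GF(2^8) inverse and affine map instead of being typed in, ShiftRows, MixColumns with the slide's matrix, AddRoundKey, and the AES-128 key schedule (rotate up, SubBytes, Rcon, then Ci = Ci−1 ⊕ Ci−4 for the other columns). The state is kept as the 4×4 row layout the slides draw. The test key and vectors come from the published AES specification (FIPS 197), not from the slides; the `words_to_state` helper is an assumption added for display.

```python
# Arithmetic in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1.
def xtime(a):
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """a^254 = a^-1 (since a^255 = 1 for a != 0); the loop also yields inv(0) = 0."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def build_sbox():
    """SubBytes table: multiplicative inverse, then the affine map (x XOR its four rotations XOR 0x63)."""
    table = []
    for a in range(256):
        b = gf_inv(a)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table


SBOX = build_sbox()


# The state is a 4x4 list of rows, as the slides draw it: state[r][c].
def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    return [row[r:] + row[:r] for r, row in enumerate(state)]   # row r rotated left by r


def mix_single_column(col):
    a0, a1, a2, a3 = col   # the slide's matrix [[02,03,01,01],[01,02,03,01],[01,01,02,03],[03,01,01,02]]
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def mix_columns(state):
    cols = [mix_single_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key_bytes):
    """AES-128 key schedule. Words are columns; w[i] = w[i-4] XOR w[i-1], where for i % 4 == 0
    w[i-1] is first rotated up, passed through SubBytes and XORed with Rcon, as on the slides."""
    if len(key_bytes) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key_bytes[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]                  # rotate up
            temp = [SBOX[b] for b in temp]              # SubBytes
            temp[0] ^= RCON[i // 4 - 1]                 # add Rcon(i/4)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [w[4 * r:4 * r + 4] for r in range(11)]      # 11 round keys of 4 words each


def words_to_state(words):
    """Show a round key the way the slides do (4x4 rows, the words being the columns)."""
    return [[words[c][r] for c in range(4)] for r in range(4)]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # FIPS 197 Appendix A key
    rk = expand_key_128(key)
    print([bytes(word).hex() for word in rk[1]])                # a0fafe17 88542cb1 23a33939 2a6c7605
    print([f"{b:02x}" for b in mix_single_column([0xd4, 0xbf, 0x5d, 0x30])])   # 04 66 81 e5
```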
Hash Functions

Hash Functions
Definition
A hash function H takes as input a bit-string of any finite length and returns a corresponding digest of fixed length.
h : {0, 1}* → {0, 1}^n
Example
h : {0, 1}* → {0, 1}, b1...bn ↦ b1
Properties of Cryptographic Hash Functions (1/3)
Pre-image resistance
Given an output y, it is computationally infeasible to compute x such that
h(x) = y
Properties of Cryptographic Hash Functions (2/3)
Second pre-image resistance
Given an input x, it is computationally infeasible to compute x′ ≠ x such that
h(x′) = h(x)
Properties of Cryptographic Hash Functions (3/3)
Collision resistance
It is computationally infeasible to compute x and x′ ≠ x such that
h(x) = h(x′)
Merkle-Damgård Construction
Let f be a compression function
f : {0, 1}^m → {0, 1}^n, m > n
1 Break the message x to hash into blocks of size m − n
x = x1x2...xt
2 Pad xt with zeros as necessary
3 Define xt+1 as the binary representation of the bit length of x
4 Iterate over the blocks
h0 = 0^n
hi = f(hi−1‖xi)
h(x) = ht+1
Merkle-Damgård Construction
[Diagram: pad(x) = x1 x2 x3 x4 ...; h0 = IV; each block xi enters f together with hi−1 to produce hi, giving h1, h2, h3, ...]
Merkle-Damgård Construction
Examples
MD5
SHA-1
Merkle-Damgård Construction
Theorem
If the compression function f is collision resistant, then the obtained hash function h is collision resistant.
Sponge Construction
Let f be a permutation or a transformation
f : {0, 1}^n → {0, 1}^n
1 Break the message m to hash into blocks of size r (r < n)
m = m0m1...mt
2 Pad mt with zeros as necessary
3 Iterate over the blocks
r0 = 0^r
c0 = 0^(n−r)
ci‖ri = f(ci−1‖(ri−1 ⊕ mi−1))
h(m) = ct‖rt
Sponge Construction
Figure: Absorbing phase: each message block m_0, m_1, m_2, m_3 is XORed into the r-bit rate part of the state (the c-bit capacity part is left untouched), then f is applied. Squeezing phase: the rate part is output as z_0, f is applied, z_1 is output, f is applied, z_2 is output, and so on.
Example
SHA-3
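As an added example (not code from the slides), a sponge with a toy 32-bit permutation f and a 16-bit rate, both assumed for the demo and not secure; it absorbs as in step 3 above and then squeezes r bits at a time as in the figure.

```python
N_BITS, R_BITS = 32, 16                 # assumed toy sizes: n-bit state, r-bit rate (c = n - r)
MASK = (1 << N_BITS) - 1
R_MASK = (1 << R_BITS) - 1

def f(state: int) -> int:
    """Toy n-bit permutation standing in for the slide's abstract f (NOT secure).
    Each step is a bijection on n-bit integers, so the composition is a permutation."""
    for _ in range(4):
        state = (state * 0x9E3779B1 + 0x7F4A7C15) & MASK             # affine map, odd multiplier
        state ^= state >> 7                                         # xorshift, invertible
        state = ((state << 13) | (state >> (N_BITS - 13))) & MASK   # rotate left by 13
    return state

def message_blocks(m: bytes) -> list:
    """Steps 1-2: r-bit blocks, the last one zero-padded (the slide's padding rule)."""
    width = R_BITS // 8
    blocks = [int.from_bytes(m[i:i + width].ljust(width, b"\x00"), "big")
              for i in range(0, len(m), width)]
    return blocks or [0]

def sponge_hash(m: bytes, out_bits: int = 32) -> int:
    """State is c_i || r_i: capacity in the high bits, rate in the low bits."""
    state = 0                             # c_0 = 0^(n-r), r_0 = 0^r
    for mi in message_blocks(m):          # absorbing phase
        state = f(state ^ mi)             # c_i||r_i = f(c_{i-1} || (r_{i-1} xor m_{i-1}))
    digest, got = 0, 0
    while got < out_bits:                 # squeezing phase: z_0, z_1, ... are r bits each
        digest = (digest << R_BITS) | (state & R_MASK)
        got += R_BITS
        state = f(state)
    return digest

# Caveat of plain zero padding: b"a" and b"a\x00" absorb the identical block 0x6100 and so
# hash alike. SHA-3 uses the pad10*1 rule instead, which makes such pairs absorb differently.
```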
Use of Cryptographic Hash Functions
Compute a digest y from a given message m. The digest should be specific to the message.
Examples
Use y in place of m in a trustworthy way.
“Did you get m correctly? Here’s y to check.” (file-sharing)
“I sign y to prove that I wrote m.”
MAC
MAC (Message Authentication Code)
Idea
A MAC guarantees the integrity of the message and authenticates the sender via a secret key.
Difference with Hash Functions
We need a secret key to verify the integrity of the message. This guarantees the authenticity of the message.
MAC (Message Authentication Code)
Figure: Alice and Bob share the secret key sk. Alice sends m together with mac = MAC_sk(m); Bob recomputes MAC_sk(m) and checks mac ?= MAC_sk(m).
MAC Based on Block Cipher
Figure: CBC-MAC chain with block cipher E_sk. c_0 = E_sk(m_0 ⊕ IV), c_1 = E_sk(m_1 ⊕ c_0), c_2 = E_sk(m_2 ⊕ c_1), ..., c_{t−1} = E_sk(m_{t−1} ⊕ c_{t−2}); the last block c_{t−1} is the MAC.
MAC Based on Hash Function (HMAC)
Figure: HMAC_sk(m) = H((sk ⊕ opad) || H((sk ⊕ ipad) || m)), with H the hash function and ipad, opad two fixed padding constants.
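As an added example (not code from the slides), the HMAC diagram above written out in Python with SHA-256, together with the receiver's check; the key handling and the 0x36/0x5C pad bytes are those of RFC 2104, and the sample key and message are constructed.

```python
import hashlib
import hmac

def hmac_from_diagram(sk: bytes, m: bytes, H=hashlib.sha256) -> bytes:
    """HMAC_sk(m) = H((sk xor opad) || H((sk xor ipad) || m)), read off the slide's diagram.
    Key handling and the 0x36 / 0x5C pad bytes follow RFC 2104."""
    B = H().block_size                       # 64 bytes for SHA-256
    if len(sk) > B:                          # an over-long key is hashed first
        sk = H(sk).digest()
    sk = sk.ljust(B, b"\x00")                # then zero-padded to one block
    k_ipad = bytes(k ^ 0x36 for k in sk)     # sk xor ipad
    k_opad = bytes(k ^ 0x5C for k in sk)     # sk xor opad
    inner = H(k_ipad + m).digest()           # inner hash absorbs the message
    return H(k_opad + inner).digest()        # outer hash binds it to the key again

def verify_mac(sk: bytes, m: bytes, mac: bytes) -> bool:
    """Bob's 'mac ?= MAC_sk(m)' check, using a constant-time comparison."""
    return hmac.compare_digest(hmac_from_diagram(sk, m), mac)

def matches_stdlib(sk: bytes, m: bytes) -> bool:
    """Cross-check the diagram construction against Python's own hmac module."""
    return hmac_from_diagram(sk, m) == hmac.new(sk, m, hashlib.sha256).digest()
```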
Classical Asymmetric Encryptions
One-way Function and Trapdoor
Definition
A function f is one-way if
1 it is easy to compute
2 its inverse is hard to compute, i.e. for every efficient algorithm A,
Pr[m ← {0,1}*; y := f(m) : f(A(y, f)) = y]
is negligible.
Trapdoor
The inverse is easy to compute given an additional piece of information (the trapdoor).
Example of Algorithmically Hard Problem
Integer Factoring
Let p and q be two big prime numbers.
Given p and q, it is easy to compute n = p · q
Given n = p · q, it is difficult to find p and q
RSA (Rivest-Shamir-Adleman)
Let p and q be two big prime numbers.
Public key pk = (n, e)
n = p · q
gcd(e, ϕ(n)) = 1
Secret key sk = d
e · d ≡ 1 mod ϕ(n)
RSA / Encryption and Decryption
Encryption
Let M be the message to encrypt, then
C ≡ M^e mod n
Decryption
Let C be the ciphertext to decrypt, then
M ≡ C^d mod n
RSA / Example
Exercise
Let p = 3 and q = 7
1 Compute n and ϕ(n)
2 Let e = 5, encrypt the message M = 2
3 Let d = 5, decrypt the cipher c = 3
Complexity Estimates
Estimates for integer factoring [Lenstra-Verheul 2000]
Modulus n (bits) | Operations (log2)
512              | 58
1024             | 80
2048             | 111
4096             | 149
8192             | 156
≈ 260 years
Another Example of Algorithmically Hard Problem
Discrete Logarithm Problem
Let p be a big prime number, g a generator of the multiplicative group Z*_p and x ∈ {1, ..., p − 1}.
Given p, g and x, it is easy to compute y ≡ g^x mod p
Given p, g and y, it is difficult to find x
ElGamal Encryption Scheme
Let p be a big prime number and g a generator of the multiplicative group Z*_p.
Private key sk = x
x ∈ {1, ..., p − 1}
Public key pk = (g, p, h)
h ≡ g^x mod p
ElGamal / Encryption and Decryption
Encryption
Let M be the message to encrypt and r a random element of {1, ..., p − 1}, then
C = (C_1, C_2) = (g^r mod p, M · h^r mod p)
Decryption
Let C = (C_1, C_2) be the cipher to decrypt and x the private key (the exercise below writes it a), then
M ≡ C_2 · C_1^(−x) mod p
ElGamal / Example
Exercise
Let a = 2 and (p, g) = (5, 3).
1 Compute h and decrypt the cipher c = (4, 2)
2 The random number r = 2 was used to compute the cipher c. Check that the message found in the previous question gives c if r = 2 is used
RSA vs ElGamal?
Exercise
What is the difference between RSA and ElGamal if we encrypt the same message M twice?
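As an added example (not code from the slides), textbook ElGamal in Python, usable with the exercise's parameters, plus a check with a larger constructed prime (2^127 − 1, g = 3, assumed for the demo) that encrypting the same M twice gives two different ciphertexts that both decrypt to M.

```python
import secrets

def elgamal_keygen(p: int, g: int, x: int):
    """Private key x in {1..p-1}; public key pk = (g, p, h) with h = g^x mod p."""
    return x, (g, p, pow(g, x, p))

def elgamal_encrypt(pk, M: int, r: int = None):
    """C = (C1, C2) = (g^r mod p, M * h^r mod p); a fresh random r is drawn if none is given."""
    g, p, h = pk
    if r is None:
        r = 1 + secrets.randbelow(p - 1)      # r uniformly in {1, ..., p-1}
    return pow(g, r, p), M * pow(h, r, p) % p

def elgamal_decrypt(x: int, pk, C):
    """M = C2 * C1^(-x) mod p (the exercise on the slides calls the private key a)."""
    _, p, _ = pk
    C1, C2 = C
    return C2 * pow(C1, -x, p) % p            # negative exponent = modular inverse (Python 3.8+)

def encrypt_twice(x: int, pk, M: int):
    """Encrypt M twice with fresh r; returns (ciphertexts differ, both decrypt back to M).
    Textbook RSA has no r: C = M^e mod n is the same every time, which is what OAEP fixes."""
    c1, c2 = elgamal_encrypt(pk, M), elgamal_encrypt(pk, M)
    return c1 != c2, elgamal_decrypt(x, pk, c1) == M == elgamal_decrypt(x, pk, c2)
```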
OAEP (Optimal Asymmetric Encryption Padding)
Used with RSA, OAEP gives it the probabilistic property.
Composition
A hash function G
A hash function H
Two XORs
OAEP (Optimal Asymmetric Encryption Padding)
Algorithm
1 m is padded with k1 zeros to be n − k0 bits in length
2 r is a randomly generated k0-bit string
3 G expands the k0 bits of r to n − k0 bits
4 s = (m || 00...0) ⊕ G(r)
5 H reduces the n − k0 bits of s to k0 bits
6 t = r ⊕ H(s)
The n-bit string s || t is then encrypted with RSA.
OAEP (Optimal Asymmetric Encryption Padding)
Figure: OAEP padding. Inputs: m (n − k0 − k1 bits), 00...0 (k1 bits) and r (k0 bits). s = (m || 00...0) ⊕ G(r) has n − k0 bits; t = r ⊕ H(s) has k0 bits.
OAEP (Optimal Asymmetric Encryption Padding)
Exercise
What is the decryption algorithm of OAEP?
OAEP (Optimal Asymmetric Encryption Padding)
Decryption Algorithm
r = t ⊕ H(s)
m = s ⊕ G(r)
If [m]k1 = 0^k1, the algorithm returns [m]n, otherwise it returns “Reject”
[m]k1 denotes the k1 least significant bits of m
[m]n denotes the n most significant bits of m
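As an added example (not code from the slides), the OAEP padding and decryption steps above in Python with assumed toy sizes n = 256, k0 = k1 = 64; G and H are both built from SHA-256 with a counter (an assumption, not the slides' choice), and a tampered s || t is shown to be rejected.

```python
import hashlib
import secrets

N, K0, K1 = 256, 64, 64      # assumed toy parameters (bits): n, k0, k1; message is n-k0-k1 = 128 bits

def _expand(tag: bytes, seed: bytes, out_bits: int) -> bytes:
    """Hash-based map to out_bits; used for both G (expansion) and H (reduction)."""
    out, counter = b"", 0
    while len(out) < out_bits // 8:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[: out_bits // 8]

def G(r: bytes) -> bytes:
    return _expand(b"G", r, N - K0)          # k0 bits -> n-k0 bits

def H(s: bytes) -> bytes:
    return _expand(b"H", s, K0)              # n-k0 bits -> k0 bits

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m: bytes, r: bytes = None) -> bytes:
    """Steps 1-6 of the slide; returns the n-bit string s || t that RSA would then encrypt."""
    assert len(m) * 8 == N - K0 - K1, "message must be exactly n-k0-k1 bits"
    r = r if r is not None else secrets.token_bytes(K0 // 8)   # step 2: random k0-bit r
    s = xor(m + bytes(K1 // 8), G(r))                          # steps 1, 3, 4
    t = xor(r, H(s))                                           # steps 5, 6
    return s + t

def oaep_unpad(padded: bytes):
    """Decryption side: recover r, then m, and accept only if [m]k1 = 0^k1."""
    cut = (N - K0) // 8
    s, t = padded[:cut], padded[cut:]
    r = xor(t, H(s))
    m = xor(s, G(r))
    msg, tail = m[: len(m) - K1 // 8], m[len(m) - K1 // 8 :]
    return msg if tail == bytes(K1 // 8) else "Reject"
```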
Other Cryptosystems
Bellare & Rogaway (1993)
f(r) || x ⊕ G(r) || H(x || r)
Zheng & Seberry (1993)
f(r) || G(r) ⊕ (x || H(x))
Diffie-Hellman Key Exchange
Idea
Use properties of asymmetric encryption to exchange a secret key between Alice and Bob.
Diffie-Hellman’s method is based on the Discrete Logarithm Problem.
Diffie-Hellman Key Exchange
Public parameters: g, p
Alice: picks a ∈R {1, ..., p − 1}, computes A = g^a mod p and sends A to Bob
Bob: picks b ∈R {1, ..., p − 1}, computes B = g^b mod p and sends B to Alice
Alice computes K = B^a = g^{ba} mod p
Bob computes K = A^b = g^{ab} mod p
Digital Signature
Definition
A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents.
A signature scheme depends on an asymmetric cryptosystem.
Digital Signature
Figure: Alice holds the key pair (pkA, skA). She computes s = sgn_skA(m) and sends s with m to Bob.
Bob checks the signature with Alice’s public key pkA.
Signature with RSA
Let p and q be two big prime numbers.
Public key pk = (n, e)
n = p · q
gcd(e, ϕ(n)) = 1
Secret key sk = d
e · d ≡ 1 mod ϕ(n)
RSA / Signature and Verification
Signature
Let m be the message to sign, then
s ≡ m^d mod n
Verification
Let s be a signature on m; we verify it by checking
m ?≡ s^e mod n
RSA / Signature and Verification
Exercise
1 Let p = 3 and q = 5. Compute (e, d) such that gcd(e, ϕ(n)) = 1 and d · e ≡ 1 mod ϕ(n)
2 Give the signature of the message m = 2
3 Check the previous signature
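As an added example (not code from the slides), textbook RSA key generation, encryption, decryption, signature and verification in Python, which can be run on the parameters of the two RSA exercises above; textbook RSA as written here has no padding, so for encryption it is deterministic (OAEP is the fix the slides describe).

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Key pair as on the slides: n = p*q, gcd(e, phi(n)) = 1, e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), d               # (public key, secret key)

def rsa_encrypt(pk, M: int) -> int:
    n, e = pk
    return pow(M, e, n)            # C = M^e mod n

def rsa_decrypt(pk, d: int, C: int) -> int:
    n, _ = pk
    return pow(C, d, n)            # M = C^d mod n

def rsa_sign(pk, d: int, m: int) -> int:
    n, _ = pk
    return pow(m, d, n)            # s = m^d mod n

def rsa_verify(pk, m: int, s: int) -> bool:
    n, e = pk
    return pow(s, e, n) == m % n   # m ?= s^e mod n
```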
Asymmetric vs Symmetric
Comparison
Size of the key
Complexity of computation
Key distribution
Signature only possible with an asymmetric scheme
Computational Cost of Encryption
2 hours of video (3 GHz CPU)
Scheme   | DVD 4.7 GB (encrypt / decrypt) | Blu-ray 25 GB (encrypt / decrypt)
RSA 2048 | 22 min / 24 h                  | 115 min / 130 h
RSA 1024 | 21 min / 10 h                  | 111 min / 53 h
AES      | 20 sec / 20 sec                | 105 sec / 105 sec
Public Key Infrastructure
Concept of Key Certificate
Main idea
Alice trusts Bob and knows his public key
Bob has signed an assertion that Carol’s key is K
Then Alice may be willing to believe that Carol’s key is K
Definition
A key certificate is an assertion that a certain key belongs to a certain entity, digitally signed by an entity (usually a different one).
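As an added example (not code from the slides), the Alice/Bob/Carol idea above as a toy certificate: Bob signs the assertion "Carol's key is K" with the RSA signature of the previous section, and Alice accepts K only if that signature verifies under Bob's key. All key material is constructed for the demo (tiny textbook RSA over a hash, no padding), not real certificate data.

```python
import hashlib

# Constructed toy key material (textbook RSA over a hash, no padding); not real certificates.
_P, _Q, E = 2**127 - 1, 2**89 - 1, 65537          # two Mersenne primes, assumed for the demo
BOB_N = _P * _Q
BOB_D = pow(E, -1, (_P - 1) * (_Q - 1))             # Bob's signing exponent d
BOB_PK = (BOB_N, E)                                 # the key Alice already trusts
CAROL_PK = ((2**61 - 1) * (2**31 - 1), E)           # "K": the key the certificate vouches for

def assertion_digest(subject: str, key, n: int) -> int:
    """Hash the assertion 'key belongs to subject' down to an integer below the signer's n."""
    data = f"{subject}|{key[0]}|{key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(issuer_pk, issuer_d: int, subject: str, subject_key) -> dict:
    """Bob signs 'subject's key is K': s = digest^d mod n, as on the RSA signature slides."""
    n, _ = issuer_pk
    sig = pow(assertion_digest(subject, subject_key, n), issuer_d, n)
    return {"subject": subject, "key": subject_key, "sig": sig}

def verify_certificate(cert: dict, trusted_issuer_pk) -> bool:
    """Alice checks the issuer's signature with the issuer's public key (m ?= s^e mod n)
    before believing that cert['key'] belongs to cert['subject']."""
    n, e = trusted_issuer_pk
    return pow(cert["sig"], e, n) == assertion_digest(cert["subject"], cert["key"], n)
```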
Public Key Infrastructure (PKI)
Definition
A PKI is an infrastructure built of certificates and servers to create, manage and publish certificates, so that authenticity can be certified by an authority.
Two Kinds of PKI
Hierarchical PKI
Certificate Authorities are distinct from users
X.509 (PKIX)
Non-Hierarchical PKI
Each user manages his own trust network
Pretty Good Privacy (PGP)
Example: https for Gmail
Gmail sends to your browser its public key and a certificate signed by a certificate authority, Thawte Consulting (Pty) Ltd., to prove that this key really is Gmail’s key
Your browser verifies Thawte’s signature on Gmail’s key using the public key of this reputable certificate authority, stored in your browser
Hence your browser trusts Gmail
Public Key Infrastructure (PKI)
PKI Main Features
Generation of public and private keys
Certificate generation
Delivery of the certificate to its holder
Certificate publication
Certificate verification
Certificate revocation
Others:
Protection of private keys
Logging of actions
Revocation of private keys
Storage of certificates
CA: Certification Authority
RA: Registration Authority
Conclusion
Thank you for your attention. Questions?
Bibliography
L’Histoire des codes secrets (Simon Singh)
Architectures PKI et communications sécurisées (Jean-Guillaume Dumas, Pascal Lafourcade, Patrick Redon)
Cours de cryptographie (Gilles Zémor)