ita, 14.11.2011 9-cryptostrength.pptx 1 internet security 1 (intsi1) prof. dr. andreas steffen...

ITA, 14.11.2011 9-CryptoStrength.pptx 1

Internet Security 1 (IntSi1)

Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

9 Cryptographical Strength


Chat: Cryptographical Strength Needed Today?

SymmetricEncryptionData Integrity(Hash Function)Key Exchangebetween Peers

Key Size

Digital Signature

Recommended Algorithms

True Strength

bits

bits

bits

bits

bits

bits

bits

bits

Public Key Encryption

bits bits

User Password chars bits


Cryptographical Strength Needed Today?

SymmetricEncryptionData Integrity /Hash FunctionKey Exchangebetween Peers

Key Size

Digital Signature

Recommended Algorithms

True Strength

AES (CBC or Counter-Mode)

SHA-256

Diffie Hellmanwith Prime Modulus (MODP)

RSA / DSA

128 bits

256 bits

3072 bits

3072 bits

128 bits

128 bits

128 bits

128 bits

Public Key Encryption

RSA / El Gamal 3072 bits 128 bits

User Password Abbreviated Passphrase 13* chars ≈78 bits

*22 base64 characters would be required for 128 bit strength but impossible to memorize!


Equivalent Cryptographic Strength

RSA 3072

128 bit strength: number of private key signatures per second*

ECDSA 256

32

546

RSA 8192

ECDSA 384

1

233

192 bit strength: number of private key signatures per second*

*measured on an Intel Core2Duo T9400 platform (one core, 32 bit Linux OS)



9.1 NSA Suite B

Cryptography


NSA Suite B Cryptography 2005

• The secure sharing of information motivates the need for widespread cryptographic interoperability that meet appropriate security standards to protect classified information at the SECRET level.

• NSA has initiated three efforts to address these needs:• The Cryptographic Interoperability Strategy. • Expanding the use of GOTS products that meet a revised set of

security standards to protect information up to the SECRET level.

• Layered use of COTS products that meet a more robust set ofsecurity standards to protect information up to the SECRET level.

• Several IETF protocol standards have been identified as having potential widespread use. IETF RFCs have been established to allow the use of Suite B Cryptography with these protocols.


NSA Suite B with 128 Bit Security

SymmetricEncryption

Hash Function

Authenticated Encryption

Key SizeRecommended Algorithms

True Strength

AES

SHA-256

AES-GCM(Galois-Counter-Mode)

128 bits

256 bits

128 bits

128 bits

128 bits

128 bits

Key Exchangebetween Peers

Digital Signature

Elliptic Curve Diffie Hellman(ECP)

Elliptic Curve DSA

256 bits

256 bits

128 bits

128 bits


NSA Suite B with 192 Bit Security (SECRET)

* AES with 192 bit key is optional. Therefore AES with a 256 bit key is mandated.

SymmetricEncryptionData Integrity / Hash FunctionAuthenticated Encryption

Key SizeRecommended Algorithms

True Strength

AES

SHA-384

AES-GCM(Galois-Counter-Mode)

256* bits

384 bits

256* bits

256 bits

192 bits

256 bits

Key Exchangebetween Peers

Digital Signature

Elliptic Curve Diffie Hellman(ECP)

ECDSA

384 bits

384 bits

192 bits

192 bits


Microsoft Windows with Suite B Support

• Windows Vista SP1• Windows 7• Windows Server 2008• Windows Server 2008 R2


strongSwan VPN Solution with Suite B Support

# ipsec.conf for gateway moon

conn rw keyexchange=ikev2 ike=aes256-sha384-ecp384,aes128-sha256-ecp256! esp=aes256gcm16,aes128gcm16!

leftsubnet=10.1.0.0/24 leftcert=moonCert.der [email protected] right=%any rightsourceip=10.3.0.0/24 auto=add

# ipsec.secrets for gateway moon

: ECDSA moonKey.der

rw[1]: ESTABLISHED 9 seconds ago, 192.168.0.1[moon.strongswan.org]... 192.168.0.100[[email protected]]rw[1]: IKE SPIs: 7c1dcd22a8266a3b_i 12bc51bc21994cdc_r*,rw[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256rw{1}: INSTALLED, TUNNEL, ESP SPIs: c05d34cd_i c9f09b38_orw{1}: AES_GCM_16_128, 84 bytes_i (6s ago), 84 bytes_o (6s ago),rw{1}: 10.1.0.0/24 === 10.3.0.1/32



9.2 What the Heck are

Elliptic Curves!


What are Elliptic Curves?

-3 -2 -1 0 1 2 3-4

-3

-2

-1

0

1

2

3

4

y2 = x3 + ax + by2 = x3 + ax + b

4a3 + 27b2 04a3 + 27b2 0

General form:

Condition for distinctsingle roots:

Example:

y2 = x3 4x = x(x 2)(x +2)


What is an Algebraic Group <G,> ?

• Closure: a b must remain in G

• Associativity: a (b c) = (a b) c

• Neutral Element: a e = e a = a

• Inverse Element: a a' = a' a = e

• Commutativity: a b = b a (Abelian Group)

A group is an algebraic system consisting of a set G and anoperation such that for all elements a, b and c in G thefollowing conditions must be fulfilled:

Examples:

• Addition: <R, +> e = 0 , a' = -a

• Multiplication:<R-{0}, · > e = 1 , a' = a-1


-3 -2 -1 0 1 2 3-4

-3

-2

-1

0

1

2

3

4

Points P(x,y) on an Elliptic Curve form a Group

R = P + QR = P + Q

Group set:

All points P(x,y) lyingon an elliptic curve

Group operation:

Point addition

R'

RP

Q


-3 -2 -1 0 1 2 3-4

-3

-2

-1

0

1

2

3

4

Neutral and Inverse Elements

Inverse element:

P'(x,-y) = P(x,y)

is mirrored on x-axisPoint addition with inverse element:

P + P' = O

results in a neutralelement O(x,) at infinity P'

O

Neutral element:

P + O = P

P


-3 -2 -1 0 1 2 3-4

-3

-2

-1

0

1

2

3

4

Point Doubling – Adding a point to itself

R = P + P =2PR = P + P =2P

Point Doubling:

Form the tangent in

Point P(x,y)

R'

RP


-3 -2 -1 0 1 2 3-4

-3

-2

-1

0

1

2

3

4

Point Iteration – Adding a point k-1 times to itself

kP = P + P + ... + PkP = P + P + ... + P

Point Iteration:

3P

2PP


How can Geometry be useful for Cryptography?

Elliptic curves can be defined in a finite or Galois field GFp:

y2 = x3 + ax + b mod py2 = x3 + ax + b mod p

where the field size p is a prime number and

{0,1, ..., p-1} is an abelian group under addition mod p

and

{1, ..., p-1} is an abelian group under multiplication mod p.


Cryptographic Application – Secret Key Exchange

QA = aP

• Elliptic Curve Cryptosystem: ECC, basis point P and prime p

Common secret:

S = bQA = aQB = abPQB = bP

A = ga mod p

• Diffie-Hellman: Basis g and prime p

B = gb mod pCommon secret:

s = Ab = Ba = gab mod p



9.3 Authenticated Encryption with Associated

Data (AEAD)


Authenticated Encryption with Associated Data

• AEAD is based on specialblock cipher modes:

• Block size: 128 bits• Key size: 128/256 bits• Tag size : 128/96/64 bits• Nonce size: 128 bits

32 bits 64 bits 32 bits

• Recommended AEAD Modes: AES-Galois/Counter ModeAES-GMAC (auth. only)

• Alternative AEAD Modes:AES-CCMCAMELLIA-GCMCAMELLIA-CCM

Salt IV Counter

Salt IV 0 Salt IV 1 Salt IV 2

Key K Key K

Hash Subkey H

0………………..0

Key K

Hash Subkey Derivation



9.4 Practical Passwords


Random Passwords with 128 Bits of Entropy

• Digits (0..9): 39 digits 3.3 bits/digits• 39475 10485 98021 43380 05872 49759 70291 2634

• Hexadecimal (0..F): 32 nibbles 4 bits/nibble• 3F8A 84D1 EA7B 5092 C64F 8EA6 73BD F01B

• Alphabet (A..Z): 28 characters 4.7 bits/character• AWORH GHJBP IUCMX MLZFQ TZDOP ZJV

• Alphabet & Digits (A..Z, 0..9): 25 symbols 5.2 bits/symbol• E5RGL UPQ7A 8F3ZP NWTIC 22JBM

• Base64 (A..Z, a..z, 0..9, /, +): 22 symbols 6 bits/symbol• y5GNa Riq92 VCm4Q 1BOKl x0

• Cryptographically strong passwords are nearly impossibleto remember and very error-prone to type in blinded mode!


Example of a good 8 character pseudo-random password:

Aufbruch zu neuen Horizonten um 4 Uhr morgens: AznHu4Um

change every month!

Practical Passwords

30 CPUs30 CPUs

LengthLengthA…ZA…Z

26 symbols26 symbolsA…Z, 0…9A…Z, 0…9 A…Z, a…z, 0…9A…Z, a…z, 0…9

36 symbols36 symbols 62 symbols62 symbols

66 2 sec2 sec 11 sec11 sec 5 min5 min

88 18 min18 min 4 hours4 hours 13 days13 days

1010 8 days8 days 1 year1 year 136 years136 years

1 CPU1 CPU

LengthLengthA…ZA…Z

26 symbols26 symbolsA…Z, 0…9A…Z, 0…9 A…Z, a…z, 0…9A…Z, a…z, 0…9

36 symbols36 symbols 62 symbols62 symbols

66 48 sec48 sec 6 min6 min 2 hours2 hours

88 9 hours9 hours 5 days5 days 1 year1 year

1010 251 days251 days 18 years18 years 4‘094 years4‘094 years

Assumption: 2.2 GHz Intel Core Duo CPU ca. 6’500'000 MD5 password hashes/sec

Compromise

ita, 14.11.2011 9-cryptostrength.pptx 1 internet security 1 (intsi1) prof. dr. andreas steffen...

Documents