Chris Reade 1 Internet Security Technologies Part 1: Cryptography Chris Reade http://www.kingston.ac.uk/~ku07009


Chris Reade 1

Internet Security Technologies

Part 1: Cryptography

Chris Reade http://www.kingston.ac.uk/~ku07009

Chris Reade 2

Cryptography

• Main Concepts
  – Secret key
  – Public Key
  – Message Digest
  – Signatures
  – Certificates

• Some History of Cryptography
• RSA in more detail
• RSA application to Digital cash

Chris Reade 3

Reading

• Web Security, Privacy & Commerce (2nd Ed), Simson Garfinkel (O'Reilly 2002)

Further Reading

• Security Technologies for the WWW, Rolf Oppliger (Artech House) 1999
• Secrets and Lies (Digital Security in a Networked World), Bruce Schneier (John Wiley and Sons) 2000
• Applied Cryptography (2nd Ed), Bruce Schneier (John Wiley and Sons) 1996
• PGP: Pretty Good Privacy, Simson Garfinkel (O'Reilly 1995)

(See examples on web as well - Java)

Chris Reade 4

Cryptography main concepts

PlainText → Encrypt → CipherText → Decrypt → PlainText (orig)

• Algorithms (ciphers)
  – Historical (restricted - the algorithm is the secret)
  – Modern (open algorithm + secret key)
• Protocols
• Symmetric Key Systems
• Asymmetric Key Systems
• One way Hash (Message digest)
• Digital Signatures
• Certificates

Chris Reade 5

Roles for Cryptography

• Authentication: identification of author or participant
• Authorisation: checking participant is allowed to do ...
• Confidentiality: protecting information from eavesdropping
• Integrity: ability to check info has not been altered
• Nonrepudiation: receipts

Chris Reade 6

Secret (Symmetric) Key Systems

Alice: Plaintext P → Encrypt (using k) → Cipher text E_k(P)
Bob: Cipher text E_k(P) → Decrypt (using k) → D_k(E_k(P)) = P

k is a secret key held by Alice and Bob (= k_AB)

Chris Reade 7

Secret Key Security

Recovery of P from E_k(P) is supposed to be computationally infeasible without knowledge of k. Of course this depends on the size of k.

k is usually from 40 to 448 bits:
  – 56 bits: used in early systems such as DES, now crackable in under 24hrs
  – 128 bits: about 72 days
  – 448 bits: longer than age of universe

Chris Reade 8

Java Example (DES secret key)

Java sources in folder: SecurityCode/SecretKeyExample contains
  MakeSecretKey.java
  Encrypt.java
  Decrypt.java
  DesEncrypter.java
  sampleData.txt (unix text file)

compile
% javac MakeSecretKey.java
% javac DesEncrypter.java (used by Encrypt and Decrypt)
% javac Encrypt.java
% javac Decrypt.java

run MakeSecretKey (no args) to generate a key in a file 'secretkey'

% java MakeSecretKey

run Encrypt with 2 args (secretkey file and data file to encode); creates encrypted version in file 'encrypt.out'

% java Encrypt secretkey sampleData.txt

run Decrypt with 2 args (secretkey file and data file to decode); creates decrypted version in file 'decrypt.out'

% java Decrypt secretkey encrypt.out

Chris Reade 9

Secret Key System Examples

• Example Ciphers
  – DES (Data Encryption Standard 1977 - now thoroughly cracked - 56 bit)
  – Triple DES (168 bit) also known as DES-EDE
  – Blowfish (used in OpenSSH - up to 448 bit)
  – IDEA (International Data Encryption Algorithm 1990 - used in PGP - 128 bit)
  – RC2, RC4, RC5 (Ron Rivest's Code at RSA Data Security)
  – AES (Advanced Encryption Standard Oct 2000 - Rijndael algorithm - replacing DES - 128 bit)

• Problems with Secret Key
  – Distribution of keys in secret
  – Logistics - no. of keys O(n^2) and safe storage of keys

Chris Reade 10

Diffie-Hellman Key Distribution

1976 (but independently and earlier by Cocks and Williamson in UK)

Common knowledge: prime p, and generator number g (derived from p) (arithmetic modulo p)

Alice: secret a, public g^a, computes K = (g^b)^a
Bob: secret b, public g^b, computes K = (g^a)^b

Alice → Bob: g^a
Bob → Alice: g^b

same K !!

Note eavesdropper Eve has p, g, g^a, g^b but cannot compute K without a or b because finding log_g(g^a) is computationally hard.

Diffie-Hellman is used in SSH (secure shell)
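The exchange on this slide, written out with the slide's symbols as an added example (not part of the course's SecurityCode sources). It assumes p and g are taken from the JDK's "DH" parameter generator; the class name DhSketch and the range check on received public values are additions for illustration.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

public class DhSketch {
    // Reject degenerate public values (0, 1, p-1) before using them.
    static void check(BigInteger pub, BigInteger p) {
        BigInteger two = BigInteger.valueOf(2);
        if (pub.compareTo(two) < 0 || pub.compareTo(p.subtract(two)) > 0)
            throw new IllegalArgumentException("public value out of range");
    }

    public static void main(String[] args) throws Exception {
        // Common knowledge: prime p and generator g (here: JDK-supplied parameters).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(2048);
        DHParameterSpec spec =
                ((DHPublicKey) kpg.generateKeyPair().getPublic()).getParams();
        BigInteger p = spec.getP(), g = spec.getG();

        SecureRandom rnd = new SecureRandom();
        BigInteger a = new BigInteger(256, rnd);   // Alice's secret a
        BigInteger b = new BigInteger(256, rnd);   // Bob's secret b

        BigInteger ga = g.modPow(a, p);            // Alice sends g^a
        BigInteger gb = g.modPow(b, p);            // Bob sends g^b
        check(ga, p);                              // Bob validates what he received
        check(gb, p);                              // Alice validates what she received

        BigInteger kAlice = gb.modPow(a, p);       // K = (g^b)^a
        BigInteger kBob = ga.modPow(b, p);         // K = (g^a)^b

        System.out.println("p is " + p.bitLength() + " bits, g = " + g);
        System.out.println("same K: " + kAlice.equals(kBob));
        // Eve holds p, g, g^a, g^b. Multiplying the public values gives
        // g^(a+b), not g^(ab), so the obvious combination does not yield K.
        System.out.println("g^a * g^b equals K: "
                + ga.multiply(gb).mod(p).equals(kAlice));
    }
}
```

The exchange by itself does not tell Bob that g^a came from Alice; the signature and certificate slides later in the deck cover that part.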

Chris Reade 11

Public (Asymmetric) Key Systems

Diffie + Hellman concept 1975 - also Merkle but not published at time.
First algorithm: Rivest, Shamir, Adleman -- RSA 1977

Dual keys k, k^-1

Can encode (lock) with either key; use other key to decode (unlock). Think of:

k (public key) as padlock, k^-1 (private key)

Chris Reade 12

Encrypting with Public Key System

Alice uses Bob's public key (padlock) to encrypt messages for Bob.
Bob uses Alice's public key (padlock) to encrypt messages for Alice.

Alice: private key k_A^-1, public key k_A
Bob: private key k_B^-1, public key k_B

Alice → Bob: {P}k_B
Bob → Alice: {P'}k_A

Only Alice has k_A^-1 (private key) so only Alice can decrypt {P'}k_A

{{P'}k_A}k_A^-1 = P'

Notation: {P}k for E_k(P). Similarly {P}k^-1 means D_{k^-1}(P)

Chris Reade 13

Public (Asymmetric) Key Systems (ctd)

• O(n) keys required BUT
• open to more attacks
• 1000 times more expensive computationally
• Examples: RSA (1977), ElGamal (1997), used in PGP and SSL
• Comparative strengths (key lengths):

  Asymmetric (RSA)      Symmetric (RC2)
  512 bit           >   40 bit
  1024 bit          <<  128 bit

Chris Reade 14

Combining both systems

k_AB  Session key created by Alice (to be shared)
k_B   Bob's public key
P     Plain text

Alice → Bob: {k_AB}k_B
Alice → Bob: {P}k_AB

Bob decrypts {k_AB}k_B with private key k_B^-1 to obtain shared key k_AB

Both can now use k_AB for encrypting messages for session (e.g. Bob can decrypt {P}k_AB with k_AB to get P)
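The combined scheme on this slide as an added example (not from the course's SecurityCode sources). The algorithm choices are assumptions made for the example: RSA with OAEP padding for wrapping the session key and AES-GCM for the message; the class name HybridSketch and the sample plaintext are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class HybridSketch {
    public static void main(String[] args) throws Exception {
        // Bob's key pair: public key k_B and private key k_B^-1.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair bob = kpg.generateKeyPair();

        // Alice: create session key k_AB and wrap it under k_B, giving {k_AB}k_B.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey kAB = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, bob.getPublic());
        byte[] wrapped = rsa.wrap(kAB);

        // Alice: encrypt P under k_AB, giving {P}k_AB (fresh 12-byte IV per message).
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, kAB, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal(
                "constructed sample plaintext P".getBytes(StandardCharsets.UTF_8));

        // Bob: unwrap {k_AB}k_B with k_B^-1, then decrypt {P}k_AB with k_AB.
        rsa.init(Cipher.UNWRAP_MODE, bob.getPrivate());
        SecretKey kABatBob = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, kABatBob, new GCMParameterSpec(128, iv));
        String p = new String(aes.doFinal(ct), StandardCharsets.UTF_8);

        // Only the small session key goes through the expensive public key step.
        System.out.println("{k_AB}k_B length in bytes: " + wrapped.length);
        System.out.println("{P}k_AB length in bytes:   " + ct.length);
        System.out.println("Bob recovered: " + p);
    }
}
```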

Chris Reade 15

Digital Signatures (problem)

Problem: Alice needs to 'sign' something electronic so that Bob can be sure it could only have come from Alice.

How can this be done?

Clue: Note that {P}k can be decrypted with k^-1 but also {P}k^-1 can be decrypted with k

Chris Reade 16

Digital Signatures (solution)

Solution: Use public key system!!!

Alice → Bob: {P}k_A^-1

{P}k_A^-1 is plaintext P 'digitally signed' with Alice's private key k_A^-1

Bob (and anyone else who knows Alice's public key k_A) can use k_A to decrypt and confirm 'P was created by Alice'.

Actually: {P}k_A^-1 was created by someone who knows k_A^-1 (presumed only Alice but keys can be stolen!)

Chris Reade 17

Digital Signatures and Encryption

Problem: What if only Bob should see the signed document?

Alice → Bob: {{P}k_A^-1}k_B

{{P}k_A^-1}k_B is P digitally signed with Alice's private key k_A^-1 to give {P}k_A^-1, then encrypted for Bob's eyes only (using Bob's public key k_B).

Bob uses his private key k_B^-1 to decrypt {{P}k_A^-1}k_B into {P}k_A^-1, then checks signature with Alice's public key k_A and recovers P

Problem: Expensive for large documents, so use Digests (see next)

Chris Reade 18

Message Digest Functions (One Way Hash Functions)

• Hash Functions
  h : source -> target
  (Usually targets are much smaller than sources and fixed length)

• One Way
  – inverse computationally 'hard': given y = h(x), can't discover x from y
  – effectively collision free: given x, can't find any other z such that h(x)=h(z)

(Note "can't" means "computationally infeasible")

Results of hash are called: digests, fingerprints, message authentication codes (MACs)

Chris Reade 19

Example

Java sources in folder: SecurityCode
  MessageDigestEncoder.java

compile
% javac MessageDigestEncoder.java

Run MessageDigestEncoder with 2 args (algorithm name - either MD5 or SHA-1 - and source data file)

% java MessageDigestEncoder MD5 sampleData.txt
filename: sampleData.txt
dc db c8 e4 93 26 32 62 dd 4c 9e ad d0 38 d3 97

% java MessageDigestEncoder SHA-1 sampleData.txt
filename: sampleData.txt
96 15 77 d0 72 65 f6 9f c3 c8 fb ce f6 c2 33 8b bf 32 1e 54

(Note MD5 no longer regarded as secure)

Chris Reade 20

Use of Digest (hash) (Authenticating a file copy)

Alice: P → h → x = h(P)
Bob: P? (maybe P) → h → y
Check: x = y?

• Another example: Password files on unix (Needham & Guy)
• Common MAC algorithms, used in Internet routing protocols
  – U.S.: SHA-1, MD5 (MD5 no longer considered secure)
  – Europe: RIPEMD-160
• HMAC is a core Internet protocol which uses a MAC as above along with a key to authenticate messages, hashing as h(k,h(k,P))

Chris Reade 21

Use of digest (hash) with Password-Based Encryption (PBE)

• Message Digest h is used with password to create a key (k), then this is used with symmetric key encryption

• Knowing password (and Message digest function h) is enough to obtain key k and decrypt plaintext P

• Problem is: 26^6 is much smaller than 2^128 - need length 8+ mixed Capitals/other symbols

Passwd → h → key k = h(Password)
P → Encrypt (Symmetric, using k) → {P}k
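The key derivation on this slide and the size of the password space it warns about, as an added example (not from the course's SecurityCode sources). It goes one step beyond the slide by putting the plain k = h(Password) next to a salted, iterated derivation (PBKDF2); the class name PbeSketch, the sample password, the 94-symbol alphabet and the iteration count are assumptions made for the example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbeSketch {
    // Size of a password space in bits: log2(alphabet^length).
    static double bits(int alphabet, int length) {
        return length * Math.log(alphabet) / Math.log(2);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "kitten".toCharArray();    // constructed: 6 lowercase letters

        // The slide's k = h(Password): one hash per guess, and the same
        // password always gives the same key.
        byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] kHash = Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(pw), 16);

        // Salted, iterated derivation: each guess costs `iterations` hash
        // computations, and the random salt is stored beside the ciphertext.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        int iterations = 600_000;                     // assumed work factor
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128);
        byte[] kPbkdf2 = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();

        System.out.println("k = h(Password) length in bytes: " + kHash.length);
        System.out.println("PBKDF2 key length in bytes:      " + kPbkdf2.length);
        System.out.printf("26^6 = %s passwords = %.1f bits%n",
                BigInteger.valueOf(26).pow(6), bits(26, 6));
        System.out.printf("8 characters from 94 printable symbols = %.1f bits%n",
                bits(94, 8));
        System.out.println("key space offered by the cipher = 128 bits");
    }
}
```

Whatever the derivation, the key is only as unpredictable as the password; iteration raises the cost of each guess but does not enlarge the password space.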

Chris Reade 22

Digital Signatures using Digest

Problem: Public key is expensive computation for large plaintext.

Alice: Plaintext P → Message digest fn. h → h(P) → Sign digest (using k_A^-1) → {h(P)}k_A^-1

Send Pair: P, {h(P)}k_A^-1

Plaintext sent (unencrypted) with signed digest. Is this safe? What if intercepted and new plaintext substituted?

Chris Reade 23

Java Example (Signature)

Java sources in folder: SecurityCode
  GenSig.java and VerSig.java

Compile both
% javac GenSig.java
% javac VerSig.java

Running GenSig requires sample data file to sign
% java GenSig sampleData.txt

Generates 2 files: sig and chrisPublicKey

Checking a signature with VerSig requires the public key, the signature, and the sample

% java VerSig chrisPublicKey sig sampleData.txt

signature verifies: true
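The signed-digest scheme from the previous two slides, with the substitution question worked through, as an added example (this is not GenSig.java or VerSig.java). It assumes "SHA256withRSA" as the digest and signature pair; the class name SignedDigestSketch, the second key pair for Eve and the sample messages are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignedDigestSketch {
    // Alice: {h(P)}k_A^-1. "SHA256withRSA" hashes P, then signs the digest.
    static byte[] sign(PrivateKey key, byte[] p) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(p);
        return s.sign();
    }

    // Bob: recompute h(P) from the P that arrived and check it against the signature.
    static boolean verify(PublicKey kA, byte[] p, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kA);
        v.update(p);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();
        KeyPair eve = kpg.generateKeyPair();

        // Constructed sample messages.
        byte[] p = "Pay Bob 10 pounds".getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "Pay Eve 10 pounds".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(alice.getPrivate(), p);
        byte[] eveSig = sign(eve.getPrivate(), swapped);

        // The pair as Alice sent it.
        System.out.println("genuine pair:           " + verify(alice.getPublic(), p, sig));
        // Plaintext replaced in transit, Alice's signature left in place.
        System.out.println("plaintext substituted:  " + verify(alice.getPublic(), swapped, sig));
        // Eve replaces both parts; Bob still checks against Alice's k_A.
        System.out.println("re-signed by Eve:       " + verify(alice.getPublic(), swapped, eveSig));
        // Same forgery, but Bob has been handed Eve's key as if it were k_A.
        System.out.println("Eve's key taken as k_A: " + verify(eve.getPublic(), swapped, eveSig));
    }
}
```

The last case is the one the Certificates slides address: the check is only as good as Bob's assurance that the public key he holds is Alice's.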

Chris Reade 24

Certificates

Alice would like to make her public key available, but in a secure way.

(Eve could create a public key and claim it is Alice's, then intercept messages meant for Alice, using this key)

Alice needs a document which states that this is her key and is signed by a trusted authority (c.f. an id card)

The document is a certificate and it is signed by a certificating authority (who can check out validity, and revoke certificates).

Certificates are widely used in Internet protocols.

Chris Reade 25

Certificates ctd.

Plaintext P = Information about Alice + Alice's public key k_A

Certificating Authority keys: k_C, k_C^-1

Certificate: P, signed (using k_C^-1), with info about CA added

N.B. A message or transaction can have a chain of certificates. Each CA needs its own certificate…..

Chris Reade 26

RSA (some mathematical details)

Chris Reade 27

Anonymous Electronic Cash (application of RSA - David Chaum 1980)

Chris Reade 28

Some history (1)

…. Turing WW2 …
1971 Lucifer (IBM) 128bit (permutations/subs)
1974 Merkle's puzzles
1976 Data Encryption Standard (DES) 56bit! (NSA Nat Sec Agency influence) (Now easily cracked - move to Triple DES and now AES Advanced Encryption Standard)
1976 NP complete problems used:- Discrete Logs, Prime Factors; Diffie-Hellman Key distribution; RSA (Rivest Shamir Adleman)

Chris Reade 29

Some history (2)

1986 Phil Zimmermann: Pretty Good Privacy (see book)
1989 BAN Logic: Burrows, Abadi, Needham (Formal Logic for Knowledge and Belief)
1993 NSA Clipper Chip ('Key Escrow' attempts - FBI and wiretapping rights)
1994 RSA129 cracked (129 digits ~ 429 bits)
1998 DES Deep Crack machine (4.5 days 56bit key)
     (128 bits for symmetric key algs, see http://slashdot.org/articles/01/02/22/218229.shtml; 1024 bits for public key algs now recommended)
2000 AES (Rijndael algorithm) to replace DES. Became full standard Dec 2001

The real problem is flawed algorithms (non open - snake oil) and the human factor (see 'Secrets and Lies' - e.g. entropy of passwords)