View
220
Download
0
Tags:
Embed Size (px)
Citation preview
Chris Reade 1
Internet Security Technologies
Part 1: Cryptography
Chris Readehttp://www.kingston.ac.uk/~ku07009
Chris Reade 2
Cryptography
• Main Concepts– Secret key, – Public Key, – Message Digest, – Signatures, – Certificates
• Some History of Cryptography• RSA in more detail• RSA application to Digital cash
Chris Reade 3
Reading• Web Security, Privacy & Commerce (2nd Ed)
Simson Garfinkel (O'Reilly 2002)
Further Reading
• Security Technologies for the WWWRolf Oppliger (Artech House) 1999
• Secrets and Lies (Digital Security in a Networked World)Bruce Schneier (John Wiley and sons) 2000
• Applied Cryptography (2nd Ed)Bruce Schneier (John Wiley and sons) 1996
• PGP: Pretty Good Privacy Simson Garfinkel (O'Reilly 1995)
(See examples on web as well - Java)
Chris Reade 4
Cryptography main concepts
Encrypt Decrypt
CipherTextPlainText PlainText (orig)
• Algorithms (ciphers)Historical (restricted - the algorithm is the
secret)Modern (open algorithm+secret key)
• Protocols• Symmetric Key Systems• Asymmetric Key Systems• One way Hash (Message digest)• Digital Signatures• Certificates
Chris Reade 5
Roles for Cryptography
• AuthenticationIdentification of author or participant
• AuthorisationChecking participant is allowed to do ...
• ConfidentialityProtecting information from
eavesdropping
• IntegrityAbility to check info has not been altered
• NonrepudiationReceipts
Chris Reade 6
Secret (Symmetric) Key Systems
PEk(P)
Dk( Ek(P))
=
Plaintext
P
Encrypt (using k)
Ek(P)
Decrypt (using k)
Cipher text
Alice Bob
k - is a secret key held by Alice and Bob (= kAB)
Chris Reade 7
Secret Key Security
Recovery of P from Ek(P) is supposed to becomputationally infeasible without knowledge of k. Of course this depends on the size of k.
k usually from 40 to 448 bits. 56 bits used in early systems such as DES now crackable in under 24hrs 128 bits about 72 days 448 bits longer than age of universe
Chris Reade 8
Java Example (DES secret key)Java Sources in folder: SecurityCode/SecretKeyExample contains
MakeSecretKey.javaEncrypt.java Decrypt.java DesEncrypter.javasampleData.txt (unix text file)
compile% javac MakeSecretKey.java% javac DesEncrypter.java (used by Encrypt and Decrypt)% javac Encrypt.java% javac Decrypt.java
run MakeSecretKey (no args) to generate a key in a file 'secretkey'
% java MakeSecretKey
run Encrypt with 2 args (secretkey file and data file to encode)creates encrypted version in file 'encrypt.out'
% java Encrypt secretkey sampleData.txt
run Decrypt with 2 args (secretkey file and data file to decode)creates decrypted version in file 'decrypt.out'
% java Decrypt secretkey encrypt.out
Chris Reade 9
Secret Key System Examples• Example Ciphers
– DES (Data Encryption Standard 1977 - now thoroughly cracked - 56 bit)
– Triple DES (168 bit) also known as DES-EDE– Blowfish (used in OpenSSH - up to 448 bit)– IDEA (International Data Encryption Algorithm 1990
- used in PGP - 128 bit)– RC2, RC4, RC5 (Ron Rivest's Code at RSA Data Security)– AES (Advanced Encryption Standard Oct 2000
Rijndaal algorithm - replacing DES - 128 bit)
• Problems with Secret Key– Distribution of keys in secret
– Logistics - no. of keys O(n2) and safe storage of keys
Chris Reade 10
Diffie-Hellman key Distribution1976 (but independently and earlier by Cocks and Williamson in UK)
Common knowledge - prime p, and generator number g (derived from p)(arithmetic modulo p)
Alice Bob
Secret a
K = (gb)a
Secret b
K = (ga)b
same K !!
Public ga Public gb
ga gb
Note eavesdropper Eve has p,g, ga, gb but cannot compute K withouta or b because finding logg(ga) is computationally hard.
Diffie-Hellman is used in SSH (secure shell)
Chris Reade 11
Public (Asymmetric) Key Systems
Diffie + Hellman concept 1975 - Also Merkle but not published at time.First algorithm Rivest, Shamir, Addleman -- RSA 1977
Can encode (lock) with either key;Use other key to decode (unlock). Think of:
k (public key) as padlock, k-1 (private key)
Dual keys k, k-1
Chris Reade 12
Encrypting with Public Key System
Alice uses Bob's public key (padlock) to encrypt messages for Bob.Bob uses Alice's public key (padlock) to encrypt messages for Alice.
Only Alice has kA-1 (private key) so only Alice can decrypt {P'} kA
{{P'} kA } kA-1 = P'
Private key kA-1
Public key kA
Alice Bob
Private key kB-1
Public key kB
{P} kB
{P'} kA
Notation {P}k for Ek(P) Similarly {P}k-1 means Dk-1(P)
Chris Reade 13
Public (Asymmetric) Key Systems (ctd)
• O(n) keys required BUT• open to more attacks• 1000 times more expensive
computationally• Examples: RSA (1977), ElGamel(1997)
used in PGP and SSL• Comparative strengths (key lengths):
Asymmetric (RSA) Symmetric (RC2)512 bit > 40 bit1024 bit << 128 bit
Chris Reade 14
Combining both systems
kAB Session key created by Alice (to be shared) kB Bob's Public keyP Plain text
Bob decrypts {kAB} kB with private key kB-1 to obtain shared key kAB
Both can now use kAB for encrypting messages for session(E.g. Bob can decrypt {P} kAB with kAB to get P)
Alice Bob
{kAB} kB
{P} kAB
Chris Reade 15
Digital Signatures (problem)
Problem:Alice needs to 'sign' something electronic so that Bob can be sure it could only have come from Alice.
How can this be done?
Clue:Note that {P} k can be decrypted with k-1 but also
{P} k-1 can be decrypted with k
Chris Reade 16
Digital Signatures (solution)
Solution: Use public key system!!!
Alice Bob
{P} kA-1
{P} kA-1
is plaintext P 'digitally signed' with Alice's private key kA-1
Bob (and anyone else who knows Alice's public key kA)can use kA to decrypt and confirm 'P was created by Alice'.
Actually: {P} kA-1 was created by someone who knows kA
-1 (presumed only Alice but keys can be stolen!)
Chris Reade 17
Digital Signatures and Encryption
Problem: What if only Bob should see the signed document?
Alice Bob
{{P} kA-1 } kB
{{P} kA-1 } kB is
P digitally signed with Alice's private key kA-1 to give {P} kA
-1
then encrypted for Bob's eyes only (using Bob's public key kB).
Bob uses his private key kB-1 to decrypt {{P} kA
-1 } kB into {P} kA-1 ,
then checks signature with Alice's public key kA and recovers P
Problem: Expensive for large documents, so use Digests (see next)
Chris Reade 18
Message Digest Functions(One Way Hash Functions)
• Hash Functionsh : source -> target
(Usually targets are much smaller than sources and fixed length)
• One Way– inverse computationally 'hard':
given y = h(x), can't discover x from y– effectively collision free:
given x, can't find any other z such that h(x)=h(z)
(Note "can't" means "computationally infeasable")
Results of hash are called:digests, fingerprints, message authentication codes
(MACs)
Chris Reade 19
ExampleJava Sources in folder: SecurityCode MessageDigestEncoder.javacompile
% javac MessageDigestEncoder.java
Run MessageDigestEncoder with 2 args(algorithm name - either MD5 or SHA-1 - and source data file)
% java MessageDigestEncoder MD5 sampleData.txt
filename: sampleData.txtdc db c8 e4 93 26 32 62 dd 4c 9e ad d0 38 d3 97
% java MessageDigestEncoder SHA-1 sampleData.txt filename: sampleData.txt96 15 77 d0 72 65 f6 9f c3 c8 fb ce f6 c2 33 8b bf 32 1e 54(Note MD5 no longer regarded as secure)
Chris Reade 20
Use of Digest (hash)(Authenticating a file copy)
• Another example: Password files on unix (Needham & Guy)• Common MAC algorithms, used in Internet routing protocols
U.S. SHA-1, MD5 (MD5 no longer considered secure) Europe RIPEMD-160
• HMAC is a core Internet protocol which uses a MAC as above along with a key to authenticate messages, hashing as h(k,h(k,P))
x = h(P)x=y?
P
Alice Bob
P? (maybe P)
yh
h
Chris Reade 21
Use of digest (hash) with Password-Based Encryption (PBE)
• Message Digest h is used with password to create a key (k)then this is used with symmetric key encryption
• Knowing password (and Message digest function h) is enough to obtain key k and decrypt plaintext P
• Problem is: 266 is much smaller than 2128 - need length 8+ mixed Capitals/other symbols
key k=h(Password)
Passwd
{P}k
k
P
Encrypt(Symmetric)h
Chris Reade 22
Digital Signatures using DigestProblem: Public key is expensive computation for large plaintext.
Plaintext sent (unencrypted) with signed digest. Is this safe?What if intercepted and new plaintext substituted?
PPlaintext
Sign digest (using kA-1)
h(P)
Alice
{h(P)} kA-1
P, {h(P)} kA-1Message digest fn. h
Send Pair
Chris Reade 23
Java Example (Signature)Java Sources in folder: SecurityCode GenSig.java and VerSig.javaCompile both
%javac GenSig.java%javac VerSig.java
Running GenSig requires sample data file to sign%java GenSig sampleData.txt
Generates 2 files: sig and chrisPublicKey
Checking a signature with VerSig requiresthe public key, the signature, and the sample
%java VerSig chrisPublicKey sig sampleData.txt
signature verifies: true
Chris Reade 24
Certificates
Alice would like to make her public key available, but in a secure way.
(Eve could create a public key and claim it is Alice's, then intercept messages meant for Alice, using this key)
Alice needs a document which states that this is her key and is signed by a trusted authority (c.f. an id card)
The document is a certificate and it is signed by a certificating authority (who can check out validity, and revoke certificates).
Certificates are widely used in Internet protocols.
Chris Reade 25
Certificates ctd.
P
Plaintext P = Information about Alice + Alice's public key kA
Sign (using kC-1)
Alice
Certificate
Certificating AuthorityKeys: kC , kC
-1
Add info about CA
N.B. A message or transaction can have a chain of certificates.Each CA needs its own certificate…..
Chris Reade 28
Some history (1)
….Turing WW2…1971 Lucifer (IBM) 128bit (permutations/subs)1974 Merkle's puzzles1976 Digital Encryption Standard (DES) 56bit!(NSA Nat Sec Agency influence)(Now easily cracked - move to Triple DES and now AES Advanced Encryption Standard)
1976 NP complete problems used:-Discrete Logs, Prime Factors; Diffie-Hellman Key distribution; RSA (Rivest Shamir Adleman)
Chris Reade 29
Some history (2)1986 Phil Zimmerman: Pretty Good Privacy (see book)
1989 BAN Logic Burrows Abadi Needham(Formal Logic for Knowledge and Belief)
1993 NSA Clipper Chip('Key Escrow' attempts - FBI and wiretapping rights)
1994 RSA129 cracked (129 digits ~ 429 bits)
1998 DES Deep Crack machine (4.5 days 56bit key)(128 bits for symmetric key algs, see http://slashdot.org/articles/01/02/22/218229.shtml1024 bits for public key algs now recommended)
2000 AES (Rijndahl algorithm) to replace DESBecame full standard Dec 2001
The real problem is flawed algorithms (non open - snake oil)and the human factor (see 'Secrets and Lies' - e.g entropy of passwords)