Upload
chevytruck315
View
231
Download
0
Embed Size (px)
Citation preview
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 3/67
Cryptography usage
Did you use any cryptography
• today?• over the last week?
2/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 5/67
Cryptography usage
• https invokes the Secure Socket Layer (SSL) communicationsecurity protocol to securely transmit your credit card number tothe server
• SSL uses cryptography3/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 7/67
What is cryptography about?
Adversary: clever person with powerful computer
Goals:
• Data privacy
• Data integrity and authenticity
5/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 10/67
Integrity and authenticity example
AliceBob(Bank)
Alice
Pay $100 to Charlie
-
Adversary Eve might
• Modify “Charlie” to “Eve”• Modify “$100” to “$1000”
Integrity prevents such attacks.
8/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 12/67
Medical databases
Doctor
Reads F AModifies F A to F ′
A
Get Alice-
F A
Put: Alice, F ′A-
Database
Alice F ABob F B
Alice F ′A
Bob F B
• Privacy: F A,F ′A
contain confidential information and we want toensure the adversary does not obtain them
9/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 13/67
Medical databases
Doctor
Reads F AModifies F A to F ′
A
Get Alice-
F A
Put: Alice, F ′A-
Database
Alice F ABob F B
Alice F ′A
Bob F B
• Privacy: F A,F ′A
contain confidential information and we want toensure the adversary does not obtain them
• Integrity and authenticity: Need to ensure– doctor is authorized to get Alice’s file– F A,F ′
Aare not modified in transit
– F A is really sent by database
–F ′A is really sent by (authorized) doctor
9/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 14/67
What is cryptography about?
Adversary: clever person with powerful computer
Goals:
• Data privacy
• Data integrity and authenticity
10/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 15/67
Ideal World
Cryptonium pipe: Cannot see inside or alter content.
11/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 16/67
Ideal World
Cryptonium pipe: Cannot see inside or alter content.
All our goals would be achieved!
11/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 18/67
Cryptographic schemes
E : encryption algorithmD: decryption algorithm
K e : encryption keyK d : decryption key
12/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 21/67
Cryptographic schemes
E : encryption algorithmD: decryption algorithm
K e : encryption keyK d : decryption key
How do keys get distributed? Magic, for now!
14/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 22/67
Why is cryptography hard?
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 23/67
Why is cryptography hard?
• One cannot anticipate an adversary strategy in advance; number of possibilities is infinite.
• “Testing” is not possible in this setting.
17/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 25/67
Early history
Substitution ciphers/Caesar ciphers:
K e = K d = π : Σ → Σ, a secret permutation
e.g., Σ = {A,B ,C , . . .} and π is as follows:
σ A B C D · · ·π(σ) E A Z U · · ·
E π(CAB ) = π(C )π(A)π(B )
= Z E A
Dπ(ZEA) = π−1(Z )π−1(E )π−1(A)
= C A B
Not very secure! (Common newspaper puzzle)
18/56
The age of machines
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 26/67
The age of machines
Enigma: German World War II machine
Broken by British in an effort led by Turing
19/56
Shannon and One-Time-Pad (OTP) Encryption
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 27/67
Shannon and One Time Pad (OTP) Encryption
K e = K d = K $← {0, 1}k
K chosen at random
from {0, 1}k
For any M ∈ {0, 1}k
– E K (M ) = K ⊕ M – DK (C ) = K ⊕ C
20/56
Shannon and One-Time-Pad (OTP) Encryption
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 28/67
Shannon and One Time Pad (OTP) Encryption
K e = K d = K $← {0, 1}k
K chosen at random
from {0, 1}k
For any M ∈ {0, 1}k
– E K (M ) = K ⊕ M – DK (C ) = K ⊕ C
Theorem (Shannon): OTP is perfectly secure as long as only onemessage encrypted.
“Perfect” secrecy, a notion Shannon defines, captures mathematical
impossibility of breaking an encryption scheme.
Fact: if |M | > |K |, then no scheme is perfectly secure.
20/56
Modern Cryptography: A Computational Science
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 29/67
Modern Cryptography: A Computational Science
Security of a “practical” system must rely not on the impossibility but
on the computational difficulty of breaking the system.
(“Practical” = more message bits than key bits)
21/56
Modern Cryptography: A Computational Science
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 30/67
Modern Cryptography: A Computational Science
Rather than:
“It is impossible to break the scheme”
We might be able to say:
“No attack using ≤ 2160 time succeeds with probability ≥ 2−20”
I.e., Attacks can exist as long as cost to mount them is prohibitive, where
Cost = computing time/memory, $$$
22/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 31/67
C ass ca pp oac te ated des g
Scheme 1.1
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 32/67
pp g
Scheme 1.1 → bug!
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 33/67
pp g
Scheme 1.1 → bug!↓
Scheme 1.2
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 34/67
pp g
Scheme 1.1 → bug!↓
Scheme 1.2 → bug!
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 35/67
pp g
Scheme 1.1 → bug!↓
Scheme 1.2 → bug!
↓...↓
Scheme 1.n
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 36/67
Scheme 1.1 → bug!↓
Scheme 1.2 → bug!
↓...↓
Scheme 1.n → deploy
24/56
Classical Approach: Iterated design
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 37/67
Scheme 1.1 → bug!↓
Scheme 1.2 → bug!
↓...↓
Scheme 1.n → deploy → bug!
24/56
Good cryptography
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 38/67
• Understanding the goals: Formal adversarial models and definitionsof security goals
• Beyond iterated design: Proof by reduction that a constructionachieves its goal
25/56
Defining security
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 39/67
A great deal of design tries to produces schemes without first asking:
“What exactly is the security goal?”This leads to schemes that are complex, unclear, and wrong.
26/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 42/67
What does it mean for an encryption scheme to provide privacy?
Does it mean that given C = E K e (M ), adversary cannot
• recover M ?
• recover the first bit of M ?• recover the XOR of the first and the last bits of M ?
• . . .
We will provide a formal definition for privacy, justify it, and show it
implies the above (and more).
28/56
The factoring problem
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 43/67
Input: Composite integer N
Desired output: prime factors of N
Example:Input: 85
Output:
29/56
The factoring problem
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 44/67
Input: Composite integer N
Desired output: prime factors of N
Example:Input: 85
Output: 17, 5
29/56
The factoring problem
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 45/67
Input: Composite integer N
Desired output: prime factors of N
Example:Input: 85
Output: 17, 5
Can we write a factoring program?
29/56
The factoring problem
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 46/67
Input: Composite integer N
Desired output: prime factors of N
Example:Input: 85
Output: 17, 5
Can we write a factoring program? Easy!
Alg Factor(N ) // N a product of 2 primes
For i = 2, 3, . . . , ⌈√ N ⌉ do
If N mod i = 0 then return i
29/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 49/67
Provide
• A scheme
• A proof of security
The proof establishes something like:“The only way to break the scheme is to factor a large number”
or, put another way
“If an adversary breaks the scheme, it must have found a fast
factoring algorithm.”
31/56
Provable Security
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 50/67
Bug in scheme implies
• attacker has found a way to factor fast
• attacker is smarter than Gauss
• and smarter than all living mathematicians...
32/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 51/67
Atomic Primitives or Problems
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 52/67
Examples:• Factoring: Given large N = pq , find p , q
• Block cipher primitives: DES, AES, ...
• Hash functions: MD5, SHA1, ...
Features:
• Few such primitives
• Bugs rare
•Design an art, confidence by history.
33/56
Atomic Primitives or Problems
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 53/67
Examples:• Factoring: Given large N = pq , find p , q
• Block cipher primitives: DES, AES, ...
• Hash functions: MD5, SHA1, ...
Features:
• Few such primitives
• Bugs rare
•Design an art, confidence by history.
Drawback: Don’t directly solve any security problem.
33/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 55/67
Goal: Solve security problem of direct interest.
Examples: encryption, authentication, digital signatures, keydistribution, . . .
Features:
• Lots of them
• Bugs common in practice
34/56
Lego Approach
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 56/67
We typically design high-level primitives from atomic ones
Atomic primitive
↓Transformer
↓High-level primitive
History shows that the Transformer is usually the weak link:
•Atomic primitives secure, yet
• Higher level primitive insecure
35/56
Provable security
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 57/67
Enables us to get transformers for which we can guarantee
Atomic primitive secure
⇒High-level primitive secure
I.e., If attacker breaks encryption scheme then they are smarter thanGauss.
36/56
Provable security in practice
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 58/67
Proven-secure schemes in use (SSL, SSH, IPSec, . . . ) :
• HMAC
• OAEP• ECIES
• . . .
37/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 59/67
Cryptography beyond communication security
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 60/67
Parties 1, 2, 3, . . . , n.
Party i has the integer x i ∈ {0, . . . ,M − 1}
They want to know
x =x 1 + . . . + x n
n
but each party i wants to keep its own x i private.
40/56
Cryptography beyond communication security
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 61/67
Parties 1, 2, 3, . . . , n.
Party i has the integer x i ∈ {0, . . . ,M − 1}
They want to know
x =x 1 + . . . + x n
n
but each party i wants to keep its own x i private.
Usage:
x i = score of student i on homework 1
x i = vote of party i for proposition X on ballot
...
40/56
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 66/67
Will you play?
Casino can cheat. It returns , T for some T = g
Crypto can fix this!
42/56
Security today
7/30/2019 Crypto - Intro
http://slidepdf.com/reader/full/crypto-intro 67/67
• Millions of dollars of loss due to credit-card fraud, phishing, identitytheft, ...
•Lack of privacy: Enormous amounts of information about each of us is collected and harvested by businesses dedicated to thispurpose
Cryptography is a central tool in getting more security and privacy
43/56