Crypto Slides One


  • 7/27/2019 Crypto Slides One

    1/120

    A Gentle Introduction to Cryptography

    Extended quote from Bruce Schneier's book, Secrets and Lies:

    Cryptography plays a role in computer security, but buggy computer systems and vulnerable communications are a reality that cryptography has not solved.

    Quote from Eugene Spafford

    Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.

    Outline of these lectures

    The general goals of cryptographic systems

    Vulnerabilities of cryptographic systems

    Two basic categories of cryptographic algorithms:

    Symmetric

    Asymmetric (public key)

    Methods for sharing keys (including Diffie-Hellman)

    Outline (cont.)

    Methods for ensuring data integrity (hash algorithms)

    Methods for authentication (digital signatures)

    The General Goals of Cryptography

    Confidentiality: assuring that only authorized parties are able to understand the data.

    Integrity: ensuring that when a message is sent over a network, the message that arrives is the same as the message that was originally sent.

    Goals (cont.)

    Authentication: ensuring that whoever supplies or accesses sensitive data is an authorized party.

    Nonrepudiation: ensuring that the intended recipient actually received the message and ensuring that the sender actually sent the message.

    Basic Terms

    Encryption: scrambling a message or data using a specialized cryptographic algorithm.

    Plaintext: the message or data before it gets encrypted.

    Ciphertext: the encrypted (scrambled) version of the message.

    Cipher: the algorithm that does the encryption.

    Basic Terms (cont.)

    Decryption: the process of converting ciphertext back to the original plaintext.

    Cryptanalysis: the science of breaking cryptographic algorithms.

    Cryptanalyst: a person who breaks cryptographic codes; also referred to as the attacker.

    More on Confidentiality

    Confidentiality means that only authorized parties are able to understand the data (authorized from the perspective of the party that encrypted the data).

    It is okay if unauthorized parties know that there is data. It is even okay if they copy the data, so long as they cannot understand it.

    Authentication

    How can we know that a party that provides us with sensitive data is an authorized party?

    How can we know that the party that is accessing sensitive data is an authorized party?

    This is a difficult problem on the Internet.

    Two solutions are:

    Passwords

    Digital signatures

    Integrity

    This involves ensuring that when a message (or any kind of data, including documents and programs) is sent over a network, the data that arrives is the same as the data that was originally sent. It is important that the data has not been tampered with.

    Technical solutions include:

    Encryption

    Hashing algorithms

    Nonrepudiation

    Ensuring that the intended recipient actually got the message.

    Ensuring that the alleged sender actually sent the message.

    This is a difficult problem. How do we prove that a person's cryptographic credentials have not been compromised?

    An Important Message

    In theory, some cryptographic algorithms seem to be EXTREMELY secure.

    Vulnerabilities arise when systems administrators do not deploy the encryption systems securely.

    A fundamental rule: DON'T CODE YOUR OWN CRYPTOGRAPHIC ALGORITHMS.

    Another rule: When using a cryptographic library, use the intuitive user interfaces provided with those libraries.

    Message from Cryptlib Developer, Peter Gutmann

    The major design philosophy behind the code [behind Cryptlib] is to give users the ability to build secure apps without needing to spend several years learning crypto. ... [T]he important point is that anybody should be able to employ them [important cryptographic algorithms] without too much effort. ...

    Standard Algorithms are Incredibly Secure

    Using a 128-bit key for a symmetric encryption algorithm, there are 2^128 possible keys.

    Even with the computing resources of the US government, most of the software developers alive today will be dead before the government could break such an encryption [Viega and McGraw].

    Incredibly secure (cont.)

    Most security experts believe that 256-bit keys are good for the lifetime of the universe (many billions of years).

    The problem is that encryption is just one link in the chain of security. Encryption is a really strong link in that chain, but one weak link breaks the chain.

    It is usually easier for the attacker to hack your machine and steal the plaintext than to break your cipher.

    A Simple Example

    The plaintext:

    0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0

    The key:

    1 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0

    The ciphertext:

    1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1

    A Simple Encryption Example

    The ciphertext:

    1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1

    XORed with the key:

    1 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0

    yields the plaintext:

    0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0

    Common Types of Attacks

    Known ciphertext attacks: the attacker has the ciphertext and tries to decrypt the message by generating all possible keys.

    Rarely successful because the number of possible keys is enormous.

    Also, the decrypted message (for certain types of data) may not be easy to recognize when it appears.

    Common Types of Attacks (cont.)

    Known plaintext attack: the attacker has both the ciphertext and the plaintext.

    Again, this is difficult because there are so many keys, but the plaintext information may make experimentation easier than in the previous case.

    We are assuming that the attacker knows the algorithm that was used for the encryption.

    Common Types of Attacks (cont.)

    Chosen plaintext attacks: the cryptanalyst introduces the plaintext into the system and then watches how that plaintext is encrypted.

    The Allies used this approach in WWII by sending out false messages about Allied troop movements.

    Often the attacker will try to feed a planned sequence of messages that would reveal the most about the way in which the data is being encrypted.

    Common Types of Attacks (cont.)

    Side channel attacks use seemingly incidental information that can reveal important information about the key being used.

    Viega and McGraw mention DPA (Differential Power Analysis) attacks on smart cards. A DPA attack analyzes the power consumption of a processor performing an encryption algorithm in order to get information about the key being used by that algorithm.

    Symmetric Cryptography

    Symmetric algorithms are used for:

    Confidentiality

    Data integrity

    Even if an attacker captures the data, the attacker will not be able to manipulate it in any meaningful way.

    Symmetric Cryptography (cont.)

    Symmetric algorithms use a single key shared by two communicating parties.

    The shared key must remain secret to ensure the confidentiality of the encrypted data.

    The shared key problem is the main technological challenge for this kind of encryption.

    We will discuss solutions to the key exchange problem a bit later.

    Figure A-1 from Viega and McGraw

    The way symmetric encryption works is shown in Figure A-1 from Viega and McGraw.

    The message and the key are provided as input to the encryption algorithm.

    The output is the ciphertext, which can then be transferred over an insecure medium.

    Figure A-1 (cont.)

    On the receiver end, the secret key and the ciphertext are inputs to the decryption algorithm.

    The output is the original plaintext.

    Symmetric Cryptography (cont.)

    The secret key must be shared securely. Otherwise, the most sophisticated cryptographic algorithm is useless.

    One method of distributing the key is using the sneaker-net.

    Protocols exist for exchanging keys over an insecure medium, but care must be taken to assure a good authentication process.

    Asymmetric cryptography is a common method for sharing keys.

    Symmetric Cryptography

    Two main categories of symmetric algorithms:

    Block ciphers

    Stream ciphers

    Most well-known and well-studied symmetric algorithms use block ciphers.

    Block ciphers break up the message into constant-size blocks and encrypt the data block by block.

    Block Ciphers

    Typical block sizes are 64 bits or 128 bits.

    Messages are padded (with extra bits) to fit the block size.

    The simplest type of block ciphers work in ECB (Electronic Code Book) mode. In this mode, each block is encrypted separately, independent of the other blocks (like in our simple XOR example).

    Block Ciphers (cont.)

    ECB block ciphers are not secure because a given plaintext block is always encrypted in the same way.

    Thus, the attacker can look for common linguistic patterns.

    These patterns can help the attacker to figure out the algorithm and key being used.

    Block Ciphers (cont.)

    In CBC (Cipher Block Chaining) mode, blocks are also encrypted one at a time, but the initial state for each block is dependent on the ciphertext of the previous block.

    Thus, the same text will be encrypted in many different ways. This makes it much more difficult for the cryptanalyst to crack the cipher.

    CBC mode is the default mode for many block ciphers.

    Block Ciphers (cont.)

    A variety of block cipher modes exist (in addition to CBC) for making sure that repeated plaintext is encoded in different ways throughout the message.

    These modes are the default for the standard secure symmetric encryption algorithms (like DES).

    Cipher Block Chaining (CBC) Mode

    By adding gibberish into the middle of the ciphertext, the attacker can interfere with the decryption of a CBC encrypted message.

    Two methods are used to defend against this kind of gibberish attack:

    Encode the length of the message at the start of the message or elsewhere to help the receiver figure out if the message has been tampered with.

    Use a cryptographic checksum (or hash) as a signature for your message.
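    The following is an added example, not code from the slides or from Viega and McGraw: a toy 16-byte Feistel block cipher (built from SHA-256 purely so the code runs stand-alone; it is not a vetted cipher) is used to show the three behaviours just described: ECB repeating identical ciphertext blocks for identical plaintext blocks, CBC hiding that repetition, and a modified CBC ciphertext decrypting to garbage without any error unless a cryptographic checksum (here an HMAC over the ciphertext) is checked first.

```python
"""Toy block cipher plus ECB, CBC and encrypt-then-MAC, for illustration only."""
import hashlib
import hmac
import os

BLOCK = 16   # 128-bit blocks, as for AES
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed hash of one 8-byte half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Balanced Feistel network; invertible, so CBC decryption works."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    """PKCS#7 padding: the message is padded to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext
    blocks give equal ciphertext blocks (the pattern leak from the slides)."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so repeated plaintext no longer repeats in the ciphertext."""
    prev, out = iv, []
    for b in blocks(pad(plaintext)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """A modified ciphertext block decrypts to garbage without any error
    being raised (unless the padding happens to break): CBC alone gives
    confidentiality, not integrity."""
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for b in blocks(body):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def _subkeys(key: bytes):
    """Separate keys for encryption and authentication, derived from one secret."""
    return (hashlib.sha256(b"enc" + key).digest()[:16],
            hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """CBC plus an HMAC tag over the whole ciphertext (encrypt-then-MAC):
    the 'cryptographic checksum' defence the slides recommend."""
    enc_key, mac_key = _subkeys(key)
    ct = cbc_encrypt(enc_key, plaintext, iv or os.urandom(BLOCK))
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes):
    """Returns the plaintext, or None if any bit of the ciphertext was altered."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        return None
    return cbc_decrypt(enc_key, ct)
```

    With a constructed plaintext of three identical 16-byte blocks, the ECB output has three identical ciphertext blocks while the CBC output has none, and flipping one bit of the sealed message makes open_sealed return None instead of garbage.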

    Block Ciphers (cont.)

    The longer the message, the better chance the attacker has of breaking the encryption.

    Bruce Schneier says that a message would have to be at least 34 gigabytes in length for a 64-bit cipher before this would become a genuine risk.

    Block Ciphers (cont.)

    Two factors influence the security of a symmetric block cipher:

    The quality of the algorithm (e.g., ECB mode ciphers are less secure).

    The length of the key (e.g., 64-bit keys are questionable, but 128-bit keys are considered more than adequate).

    There is a classic trade-off between efficiency and security.

    Security is Hard to Prove

    Demonstrating how secure a cryptographic algorithm is remains an extremely hard problem.

    The best test seems to be years of experience and public exposure.

    The one-time pad method (which has been used in the military) is absolutely secure, but not very practical because the key changes with each communication.

    Extended Quote from Lecture Notes

    The two basic goals of a cryptographic algorithm are (a) to make life difficult for the attacker and (b) to produce algorithms that are efficient both in terms of space and time. An algorithm that is too inefficient to be used in practice is of little value even if it were proven to be highly secure ...

    Quote (cont.)

    It is fairly easy for the cryptography researcher to design an algorithm that is secure against all KNOWN forms of attack. It is far more difficult to design an algorithm that will be secure against types of attacks that are still UNKNOWN. It is nearly impossible to predict new attacks against block ciphers that will be manifesting in future years.

    Quote (cont.)

    For example, Viega and McGraw state that many people believe that the NSA has developed sophisticated attacks against block ciphers that they have not shared with the rest of the world.

    Block Size

    A 64-bit cipher is considered too small for high security applications. According to Bruce Schneier (back in 1995), an organization such as the NSA could break a 64-bit key in under one minute.

    A 256-bit key is believed to be secure enough that a computer made of all the matter in the universe computing for the entire lifetime of the universe would have an infinitesimal probability of finding a key by brute force.

    Quantum Computing

    But then there is always Quantum Computing ....

    Important Commercial Algorithms

    The most important symmetric algorithms from a commercial point of view are:

    DES (Data Encryption Standard)

    3DES

    AES (Advanced Encryption Standard)

    DES

    This has been a US government standard for many years (although recently complemented with AES).

    It uses a 64-bit key (actually, only 56 bits are used for the encryption; the other 8 bits are parity bits), so it is no longer viable.

    Increased processing speeds (in recent years) are making brute force attacks on DES more viable.

    3DES

    Then came the idea of using DES twice on a given message.

    A subtle form of attack was discovered which made 2DES no better than DES.

    3DES proved to have the properties that 2DES was supposed to have.

    3DES is a viable and popular symmetric block algorithm.

    3DES has one downside: it is inefficient.

    DES According to Denning

    (figure not included)

    DES According to Denning

    GET THE IDEA?

    3DES

    Despite the fact that it is inefficient, 3DES is considered a very good (and it is a very popular) choice for encryption.

    Several good implementations of 3DES are easily downloaded off the Internet.

    AES

    The NIST (National Institute of Standards and Technology) ran a competition for a new encryption standard.

    The winners were announced in October 2000.

    They were Joan Daemen and Vincent Rijmen. Their algorithm is called Rijndael or AES (Advanced Encryption Standard).

    AES is now an accepted federal standard and is widely available in open source form. Implementations are available in C++ and Java.

    AES (cont.)

    3DES still has the advantage that it has been studied (in DES form) for many years.

    The guesstimate is that AES will be a viable encryption standard for the next 50 years, but there could be some surprises down the road.

    The Key Distribution Problem

    For symmetric ciphers, each pair of communicating agents needs a unique key.

    If there are lots of users, this creates a key management problem.

    Key derivation algorithms are used to generate a unique key for each communicating pair.

    If the master key for the key derivation algorithm is compromised, you've got a major problem.

    Key Distribution (cont.)

    Some have even attacked derived keys in a key distribution system to get the master key.

    Another approach is to use a key management system that generates session keys for each communication. Even for the same communicating pair, the session keys will change from session to session.

    Kerberos, from MIT, is a highly regarded open source computer security product that supports symmetric key management.

    The Great Philosopher, Yogi Berra

    It is difficult to make predictions, especially about the future.

    Asymmetric (Public Key) Cryptography

    Public key cryptography is an attempt to circumvent the key distribution problem completely.

    As it turns out, asymmetric algorithms tend to be very inefficient.

    Their main use is in solving the key exchange problem for symmetric cryptography.

    Public Key Crypto (cont.)

    In asymmetric cryptography, each user has two keys: a public key and a private key.

    The public key is made public. For example, it may be published on a Web site.

    The private key must be kept secret. It is never shared with anyone.

    The security of the private key in public key crypto is as important as key security in symmetric crypto.

    Public Key Crypto (cont.)

    There is no key distribution problem in public key cryptography.

    Some people have compared public key cryptography to a mailbox. Many people can put mail into the mailbox (in effect, using the public key), but only a postal worker with the appropriate key (corresponding to the private key) can retrieve the mail from the mailbox.

    Figure A-2

    Alice wants to send a message to Bob.

    Alice uses Bob's public key to encrypt the message.

    The encrypted message is sent over the insecure medium.

    Bob uses his private key to decrypt the encrypted message.

    No one but Bob knows the private key.

    Public Key Crypto (cont.)

    Public key encryption and decryption algorithms tend to be incredibly slow relative to symmetric key algorithms.

    Public key algorithms tend to be about 100 times slower than DES.

    In general, encrypting large messages using public key cryptography is not considered practical.

    Public Key Crypto (cont.)

    The most important use for public key cryptography is for solving the symmetric cryptography key exchange problem.

    Viega and McGraw say that using public key cryptography is a more secure choice than using key derivation algorithms.

    SSL uses this strategy: public key crypto for sharing keys and symmetric algorithms for encrypting the message.

    Rivest, Shamir, and Adleman (RSA)

    RSA is the most famous public key algorithm.

    RSA starts with picking two HUMONGOUS prime numbers, p and q. Each of these prime numbers contains hundreds to thousands of bits.

    The two prime numbers remain secret (they are the private key).

    Their product, n = p * q, is the public key.

    RSA (cont.)

    The product (the public key) is used to encrypt the message.

    Only someone who knows the prime factors can decrypt the message in a reasonable amount of time.

    The security of RSA is based on the difficulty of factoring n into the prime factors p and q.

    At this point in history, this is seen as a difficult problem.

    RSA (cont.)

    RSA is still considered secure after twenty years of use.

    The big security problem is that some implementations of RSA have been flawed and had security problems of their own.

    The software developer should use a well-tested and highly-regarded implementation of RSA.

    Never code your own!!!

    RSA (cont.)

    There are huge numbers of large prime numbers.

    There are approximately 10^151 primes of length 512 bits or less.

    One interpretation is that there are enough primes of up to 512 bits to assign every atom in the universe 10^74 prime numbers without ever repeating one of those primes.

    The Future of RSA

    The future of RSA is hard to predict.

    It depends upon what happens in prime number factoring theory.

    Not too many years ago, experts believed that no one would ever have the resources necessary to factor a 128-bit number.

    Now, an organization with adequate resources can factor a 512-bit number in just a few months.

    The Future of RSA (cont.)

    Viega and McGraw recommend that you use no less than a 2,048-bit key for data requiring long-term security (ten or more years).

    It may be that 1,024-bit numbers are nearing the end of their usefulness even for short-term security.

    The longer the key, the longer it takes to encrypt messages using public key cryptography.

    Public Key Crypto Vulnerabilities

    Public key encryption algorithms are more susceptible to chosen plaintext attacks than symmetric algorithms.

    However, since public key is generally used to encrypt small messages (like keys), plaintext attacks are not a practical problem.

    More significant is the man-in-the-middle type of attack.

    Man-in-the-Middle Attacks

    Figure A-3 depicts a man-in-the-middle attack. First, let's consider this kind of attack in terms of Alice trying to send a message to Bob.

    In this kind of attack, Ted sends Alice his own public key, misrepresenting it as Bob's public key.

    Ted is pretending that he is Bob when he is communicating with Alice.

    Man-in-the-Middle (cont.)

    Ted sends Bob Ted's own public key, misrepresenting it as Alice's public key.

    Ted is pretending to be Alice when he communicates with Bob.

    Ted is intercepting all traffic between Bob and Alice.

    Man-in-the-Middle (cont.)

    When Alice sends Bob a message, she encrypts it using Ted's public key (she thinks it is Bob's).

    When Ted receives Alice's message, he can decrypt it.

    Ted can then send Bob a modified or entirely different message, encrypting it with Bob's public key.

    Bob decrypts the message, thinking it came from Alice.

    Man-in-the-Middle (cont.)

    Figure A-3 depicts the situation in terms of a client and a server.

    The client (Alice) asks for the server's public key so she can send secure information to the server (Bob).

    But the client is not communicating with the server. She is communicating with the attacker, who sends her his public key.

    Man-in-the-Middle (cont.)

    Meanwhile, the attacker establishes his own secure connection with the server.

    This gives the attacker access to any information that the client sends to the server and any information that the server sends back to the client.

    This kind of problem motivates the need for a public key infrastructure (PKI).

    PKI

    The basic idea behind a Public Key Infrastructure (PKI) is that a trusted third party certifies valid keys.

    Back to Bob and Alice. In this case, Alice would receive Bob's public key through a trusted third party, a certification authority (CA).

    The CA would say, in effect: "Alice, trust us, Bob is a dependable fellow and this is Bob's public key."
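    The following is an added example, not code from the slides or from Viega and McGraw. It acts out both the RSA description above (n = p*q is public, only the holder of p and q can decrypt) and the Alice/Bob/Ted man-in-the-middle attack, then shows how a CA-signed certificate lets Alice reject Ted's substituted key. The RSA here is textbook RSA with no padding and with fixed, constructed Mersenne-prime keys, chosen only so the code runs offline; the party names, the certificate layout and the "$5" to "$1" alteration are assumptions for the demonstration.

```python
"""Textbook RSA plus a toy CA, for acting out the man-in-the-middle scenario."""
import hashlib

E = 65537   # common public exponent


def mersenne(k: int) -> int:
    """2^k - 1; for the exponents used below these are known Mersenne primes."""
    return (1 << k) - 1


def rsa_keypair(p: int, q: int):
    """Public key (n, e) and private key (n, d). The slides' point: n = p*q is
    public, but d can only be computed by whoever knows p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa_encrypt(pub, msg: bytes) -> int:
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed keys for the three parties (toy sizes, not real key generation).
BOB_PUB, BOB_PRIV = rsa_keypair(mersenne(61), mersenne(107))
TED_PUB, TED_PRIV = rsa_keypair(mersenne(89), mersenne(127))
CA_PUB, CA_PRIV = rsa_keypair(mersenne(521), mersenne(31))


def _cert_hash(subject: str, pub) -> int:
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ca_issue_cert(ca_priv, subject: str, pub) -> dict:
    """The CA vouches for (subject, public key) by signing it with its private key."""
    n, d = ca_priv
    return {"subject": subject, "pub": pub, "sig": pow(_cert_hash(subject, pub), d, n)}


def verify_cert(ca_pub, cert: dict, expected_subject: str) -> bool:
    """Alice's check: the signature must verify under the CA's public key,
    and the certificate must name the party she actually wants to reach."""
    n, e = ca_pub
    return (cert["subject"] == expected_subject
            and pow(cert["sig"], e, n) == _cert_hash(cert["subject"], cert["pub"]))


def unauthenticated_exchange(msg: bytes):
    """Figure A-3 scenario: Alice uses whatever key arrives, and Ted has
    replaced Bob's key with his own. Returns (what Ted reads, what Bob gets)."""
    key_alice_sees = TED_PUB                        # substituted by Ted
    ted_reads = rsa_decrypt(TED_PRIV, rsa_encrypt(key_alice_sees, msg))
    altered = ted_reads.replace(b"$5", b"$1")       # Ted modifies the message
    bob_reads = rsa_decrypt(BOB_PRIV, rsa_encrypt(BOB_PUB, altered))
    return ted_reads, bob_reads


def certified_exchange(msg: bytes, cert: dict):
    """PKI scenario: Alice encrypts only with a key the CA certifies as Bob's.
    Returns what Bob receives, or None if the certificate is rejected."""
    if not verify_cert(CA_PUB, cert, "bob"):
        return None
    return rsa_decrypt(BOB_PRIV, rsa_encrypt(cert["pub"], msg))
```

    The certificate check rejects both Ted's key under a copied signature and a genuine CA certificate issued to Ted for his own name, which is why a PKI only helps if the CA's issuance process (the trust problem on the next slides) can itself be relied on.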

    PKI (cont.)

    Obviously, this does not solve the matter of trust (the security problem).

    How can Alice be sure that she can trust the so-called trusted authority?

    One of the largest CAs at this point in time is Verisign.

    Verisign performs background checks on applicants before issuing them a public key for a fee.

    PKI (cont.)

    Verisign's track record is not perfect. Several people registered with Verisign under the name Bill Gates.

    In March 2001 Microsoft announced that two false keys with Microsoft's name on them had been issued by a CA.

    PKI (cont.)

    The problem of trusted identity, taken from Viega and McGraw.

    PKI (cont.)

    Advice for developers from Viega and McGraw ...

    Cryptographic Hashing Functions for Data Integrity

    Cryptographic hashing functions are used to ensure the integrity of data.

    Cryptographic hashing functions are sometimes called cryptographic checksums or integrity checksums.

    Hashing functions are also used for digital signatures, which we shall discuss later.

    Integrity Checksums

    Since stuff happens, it is important to have some means of detecting unauthorized changes to files.

    An integrity checksum is a value that is computed from the data that is being protected.

    The integrity checksum is stored separately from the protected data.

    Integrity Checksums (cont.)

    The recipient of the data recomputes the checksum from the data that is received and compares that checksum to the value that was recorded separately by the provider of the data.

    If the original checksum and the recomputed checksum do not match, then the data has been changed in some way.

    Desirable Qualities for Checksum Computations

    The computation must depend upon every single bit in the data, so that if even one bit is changed, that will be reflected in the checksum.

    The computation must be such that it would be rare for two messages to have exactly the same checksums.

    The checksum should not reflect the original data in any obvious way.

    Desirable properties (cont.)

    The third property implies that an attacker would not be able to figure out how to manipulate the data so that the cryptographic checksums for the valid data and the corrupted data would wind up being the same. Another way of stating this is that it would be difficult for the attacker to reverse engineer the checksum computation.

    Hashing functions

    Checksums are computed using hashing functions.

    Hashing functions are one-way functions. This means that the ciphertext (i.e., the checksum) cannot be used to reconstruct the plaintext.

    The checksum (the ciphertext) is much smaller than the plaintext.

    Hashing functions (cont.)

    Hashing functions provide a kind of digital fingerprint.

    When we take a fingerprint, we lose a lot of information about the person.

    Still, fingerprints and checksums are useful despite the information that is lost.

    Checksums are sometimes called cryptographic or digital fingerprints.

    Hashing functions (cont.)

    A checksum is sometimes called:

    A message digest, or

    A message authentication code, or MAC

    The security of the hashing function is related to the size of the resulting checksum (in bits).

    Viega and McGraw suggest using hashing functions that produce a checksum of at least 160 bits.

    Checksum Systems

    SHA-1 is a federal standard for computing checksums.

    SHA-1 does not use secret keys. The checksum is computed with a public hashing function and needs to be stored in a safe way. For example:

    On a secure medium that an attacker cannot modify

    Encrypted on a completely separate medium from the original data

    Checksum systems (cont.)

    SHA-1 uses a 160-bit digest.

    SHA-1 is known to be secure.

    Newer versions of SHA may have security problems because they have not been as thoroughly tested as SHA-1.

    Tripwire is a checksum system that works with the operating system to see if files have been created, deleted, or modified in an unauthorized way.

    Hashing Functions and Passwords

    Hashing functions are often used to store passwords for users who are logging onto a multi-user system.

    When the user tries to log in with his or her established password, the login program hashes it and compares the newly hashed password with the stored hash.

    If the two are equal, the system assumes the user typed in the right password.
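    The following is an added example, not code from the slides: the hash-and-compare login check described above, written the way a practitioner would deploy it today, with two additions the slide does not mention: a random per-user salt (so two users with the same password get different stored hashes) and a deliberately slow iterated hash (PBKDF2), plus a constant-time comparison. The record format and iteration count are assumptions for the example.

```python
"""Password storage and verification by hash comparison, with salt and PBKDF2."""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # slows down guessing if the stored hashes leak


def make_record(password: str, salt: bytes = None) -> str:
    """Store algorithm, iteration count, salt and hash; never the password.
    A salt may be passed in only to make results reproducible in tests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record: str, attempt: str) -> bool:
    """The login step from the slide: hash the attempt with the stored salt
    and compare to the stored hash, in constant time so that timing does
    not reveal how many leading bytes of the hash matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```
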

    Telnet and other Internet Protocols

    With Telnet, the password goes over the network unhashed.

    A packet sniffer could be used to catch the password in transit.

    Telnet authentication provides a very low bar for potential attackers to clear.

    Other protocols that have a similarly weak authentication mechanism include FTP, POP3, and IMAP.

    Attacks on Hashing Computations

    A brute force attack involves finding an alternative text that will yield the same hash signature. This is usually fairly difficult because the alternative text is likely to be gibberish.

    An effective attack is called a birthday attack.

    A Simple Birthday Attack

    Suppose Bob and Alice enter an agreement in which Alice agrees to pay Bob $5.00 per widget. This agreement is sent to Bob with a cryptographic checksum. Bob decides not to store the original document on his server, just the checksum, thinking that would be adequate evidence if Alice tries to present an alternative document ...

  • 7/27/2019 Crypto Slides One

    90/120

    In fact, Alice does try to present an alternativedocument which states that the agreement is thatshe pay $1.00 per widget. Bob thinks she will failin a legal battle because he has the cryptographic

    checksum. Unfortunately for Bob, Alice's newdocument has the same checksum as the originaland Bob loses in court.

    A Simple Birthday Attack (cont.)

  • 7/27/2019 Crypto Slides One

    91/120

    What Alice did (what is called a birthday attack)involved taking the original document (with theknown checksum) and replacing all references to$5 to $1. Then, she systematically reformats the

    $1 per widget document by changing spaces totabs and so forth. Eventually she finds a $1document that has the same checksum as theoriginal $5 document.

    This kind of attack would be difficult withchecksums of 512 or even 256 bits.
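    An added example, not from the slides, showing why digest length decides the outcome of the widget dispute. The slides have Alice vary only the $1 document, which is a second-preimage search costing about 2^n trials for an n-bit checksum; the classic birthday attack has her prepare whitespace variants of both the $5 and the $1 versions before the contract is sealed, so a matching pair turns up after only about 2^(n/2) trials each. The code reproduces that two-set form against SHA-256 truncated to 20 bits (a constructed short checksum, not a weakness of SHA-256); the contract wording is constructed. The birthday bound it computes makes the slide's last point concrete: at 256 bits the same search needs about 2^128 hashes.

```python
import hashlib
import math

# Constructed contract text; {price} is the disputed term. 15 words give
# 14 whitespace gaps, each of which may hold a space or a tab.
WORDS = ("Alice agrees to pay Bob {price} per widget for each widget "
         "delivered under this agreement").split()
GAPS = len(WORDS) - 1


def short_digest(data: bytes, bits: int) -> int:
    """Truncate SHA-256 to `bits` bits to model a short checksum."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variant(price: str, n: int) -> str:
    """The n-th reformatting: bit j of n chooses tab or space for gap j."""
    words = [w.format(price=price) for w in WORDS]
    text = words[0]
    for j in range(GAPS):
        text += ("\t" if (n >> j) & 1 else " ") + words[j + 1]
    return text


def birthday_bound(bits: int) -> float:
    """Hashes needed before a collision becomes likely: about 2^(bits/2)."""
    return math.sqrt(2.0 ** bits)


def find_cross_collision(bits: int, honest="$5.00", forged="$1.00"):
    """Return a ($5 text, $1 text) pair with equal short digests, or None."""
    seen = {}
    for n in range(1 << GAPS):                       # 16384 honest variants
        doc = variant(honest, n)
        seen.setdefault(short_digest(doc.encode(), bits), doc)
    for n in range(1 << GAPS):                       # 16384 forged variants
        doc = variant(forged, n)
        match = seen.get(short_digest(doc.encode(), bits))
        if match is not None:
            return match, doc
    return None


if __name__ == "__main__":
    pair = find_cross_collision(20)
    print("collision found:", pair is not None)
    for bits in (20, 64, 160, 256):
        print(f"{bits:3d}-bit checksum: ~{birthday_bound(bits):.3g} hashes")
```

    Bob's real mistake is keeping only the checksum: with the signed original on file, and a digest long enough that the bound above is out of reach, the reformatted document proves nothing.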

    Digital Signatures for Authentication

    Public key encryption enabled the development of the technology of digital signatures.

    Digital signatures are somewhat analogous to traditional handwritten signatures.

    Digital signatures are strongly bound to the document, but weakly bound to the individual.

    A digital signature is computed, in part, using the contents of the document being signed.

    Main Goals of Digital Signatures

    A signature should be proof of authenticity. Its existence on a document should be able to convince people that the person whose signature appears on the document signed the document.

    A signature should be impossible to forge. The person who signed the document should not be able to claim that the signature is not theirs (support for non-repudiation).

    Main Goals (cont.)

    After the document is signed, it should be impossible to alter the document without detection. The signature is intrinsically linked to the document that is being signed.

    It should be impossible to transplant the signature to another document. Again, the digital signature is intrinsically linked to the document that is being signed.

    Figure 12.1 from Denning

    This figure shows one scheme for digital signatures that uses public key cryptography and hash algorithms (the usual technology).

    As you might have guessed, Alice wants to send a signed and encrypted message to Bob.

    Here's how it works:

    Figure 12.1 (cont.)

    1. Alice generates a message key, K, for symmetric encryption. Alice encrypts the message M with K, getting the ciphertext message, CM.

    2. Alice encrypts K with Bob's public key-encrypting key, Kbobpub, getting the ciphertext key, CK. This will allow Bob to retrieve the key for decrypting the ciphertext.

    Figure 12.1 (cont.)

    3. Alice uses a hashing function to compute a checksum for the message, M. She then encrypts the checksum (using public key encryption) with her private signature key KSAlicepriv. The encrypted checksum is the signature, S.

    4. Alice sends CK (the encrypted message key), CM (the encrypted message), and S (the digital signature) to Bob.

    Figure 12.1 (cont.)

    5. Bob uses his private key, Kbobpriv, to decrypt CK. This gives him the key, K, that Alice originally used to encrypt the message, M.

    6. Bob uses K to decrypt CM (the encrypted message) to get the message, M.

    7. Bob uses Alice's public signature key KSAlicepub to validate S, the digital signature. This requires that Bob use the hashing function to hash the message M. The resulting checksum should be equal to the decrypted signature, S.

    Figure 12.1 (cont.)

    This technology of digital signatures uses:

    A hash function to help generate the digital signature, S.

    Symmetric (secret key) cryptography to encrypt the message, M.

    Public key cryptography to share the secret key used to encrypt and decrypt the message, M.

    Public key cryptography to encrypt and decrypt the digital signature, S.
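    Steps 1 through 7 of Figure 12.1 traced in code, as an added example that is not from the slides or from Denning. To stay within the Python standard library it uses textbook RSA (no padding) built from constructed Mersenne-prime factors for the two key pairs, and a SHA-256 keystream XOR as a stand-in for the symmetric cipher; both are teaching props for following the message flow, not usable cryptography, which is exactly the slides' own point about not rolling your own. Variable names CK, CM, S, K follow the figure.

```python
import hashlib
import os
from math import gcd

# Constructed toy RSA factors: the Mersenne primes 2^127-1, 2^521-1,
# 2^607-1 and 2^1279-1. Enough to trace the protocol, useless as real keys.
ALICE_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)   # Alice's signature key pair
BOB_PRIMES = ((1 << 607) - 1, (1 << 1279) - 1)    # Bob's key-encrypting pair


def rsa_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m):
    """Raise m to the key's exponent mod n (encrypt, decrypt, sign or verify)."""
    n, exponent = key
    assert 0 <= m < n
    return pow(m, exponent, n)


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def digest_int(M):
    """The checksum of M as an integer, ready for the RSA exponentiation."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big")


def sign_and_encrypt(M, bob_pub, alice_sig_priv):
    K = os.urandom(32)                                    # 1. message key K
    CM = keystream_xor(K, M)                              # 1. CM = E_K(M)
    CK = rsa_apply(bob_pub, int.from_bytes(K, "big"))     # 2. CK = E_Kbobpub(K)
    S = rsa_apply(alice_sig_priv, digest_int(M))          # 3. S = E_KSAlicepriv(h(M))
    return CK, CM, S                                      # 4. send all three


def decrypt_and_verify(CK, CM, S, bob_priv, alice_sig_pub):
    K = rsa_apply(bob_priv, CK).to_bytes(32, "big")       # 5. K = D_Kbobpriv(CK)
    M = keystream_xor(K, CM)                              # 6. M = D_K(CM)
    valid = rsa_apply(alice_sig_pub, S) == digest_int(M)  # 7. h(M) == D_KSAlicepub(S)
    return M, valid


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = rsa_keypair(*BOB_PRIMES)
    CK, CM, S = sign_and_encrypt(b"pay $5.00 per widget", bob_pub, alice_priv)
    print(decrypt_and_verify(CK, CM, S, bob_priv, alice_pub))
```

    Because the signature is computed over the plaintext M, any change to CM in transit changes the recovered M, its checksum no longer matches the decrypted signature, and Bob's client reports the signature invalid; that is the "impossible to alter without detection" goal from the previous slides.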

    Pretty Good Privacy (PGP)

    This is how Bob and Alice would accomplish the same goals using a user-friendly e-mail encryption system called Pretty Good Privacy (PGP):

    1. Alice composes an e-mail message to Bob. She clicks on a button or menu item that says "send signed and encrypted".

    Pretty Good Privacy (cont.)

    2. The encryption system prompts Alice for a password. The password unlocks her private signature key, which is stored encrypted on disk or on a separate storage medium.

    3. The encryption system looks up Bob's public key (for encrypting messages sent to Bob under public key cryptography) in Alice's address book or on her digital key ring, which is stored in a file on her disk.

    Pretty Good Privacy (cont.)

    3 (cont.). The digital key ring generates K, the symmetric key that will be shared with Bob, and computes CK, the encrypted key, CM, the encrypted message, and S, the digital signature. It puts the message in the outbound queue.

    4. When the message shows up in Bob's inbox, he clicks on a button to read the message.

    Pretty Good Privacy (cont.)

    5. Bob's encryption system prompts him for a password, which unlocks his private key. It decrypts CK to retrieve K, and then uses K to decrypt CM, to get the message M.

    6. The encryption system on Bob's machine then looks up Alice's public signature key in Bob's address book or key ring. It validates her signature S. The decrypted message is displayed to Bob along with an indication as to whether the signature was valid.

    Pretty Good Privacy (cont.)

    Alice and Bob each have two digital key rings when they use PGP. They have a private ring that holds their private keys and a public ring that holds their own public keys and the public keys of those they are communicating with.

    The key rings are implemented as files stored on the hard drive or on a diskette.

    Diffie-Hellman

    Diffie-Hellman is another popular method for sharing secret keys.

    Diffie-Hellman has some similarities to the use of public key encryption to share secret keys.

    This method was developed in 1976 by Whitfield Diffie and Martin Hellman, two cryptographers at Stanford University.

    In 1997 it was revealed that British cryptographers had developed a similar idea in the 1960s and early 1970s.

    Diffie-Hellman (cont.)

    Here is a simple description of the Diffie-Hellman protocol that allows two parties to compute a message key for symmetric encryption without that secret ever being shared explicitly:

    1. Each party independently generates a private key.

    2. They each compute a public key as a mathematical function of their individual private keys.

    Diffie-Hellman (cont.)

    3. They exchange public keys.

    4. Each party then computes a message key (the secret key) which is derived from their own private key and the other person's public key.

    They both arrive at the same message key.

    Diffie-Hellman (cont.)

    The public keys must be computed using a one-way function (a hashing function) that makes it impossible to get back the private keys from the publicly exchanged keys.

    If an attacker has access to one party's public key and the other party's private key, the attacker could compute the message key.

    The mathematics is such that the publicly exchanged keys cannot reveal either party's private key.

    Diffie-Hellman (cont.)

    The mathematics is based on the following relationship:

    y = g^x mod N

    It is easy to compute y if g, x, and N are known, but it is not easy to compute x if y, g, and N are known.

    The problem of finding x is called the discrete logarithm problem because x is the logarithm of y base g (mod N). For numbers that are hundreds of digits long, this is a hard problem.

    Diffie-Hellman (cont.)

    Here is how Diffie-Hellman works, allowing Alice and Bob to establish a secret message key. Assume that p is some prime number and g is a base number:

    Alice generates a secret key, x_alice.

    Bob generates a secret key, x_bob.

    Alice computes a public key y_alice = g^x_alice mod p.

    Bob computes a public key y_bob = g^x_bob mod p.

    Diffie-Hellman (cont.)

    Bob and Alice exchange their public keys.

    Alice now computes the message key, K, as
    K = y_bob^x_alice mod p

    Bob now computes the message key, K, as
    K = y_alice^x_bob mod p

    Both Bob and Alice end up with the same key, namely:
    K = g^(x_alice * x_bob) mod p

    Diffie-Hellman (cont.)

    In practice, very large numbers are used (several hundred DIGITS each), but here is an example using small numbers:

    p = 11, g = 5, x_alice = 2, x_bob = 3.

    Alice computes her public key
    y_alice = 5^2 mod 11 = 3.

    Bob computes his public key
    y_bob = 5^3 mod 11 = 4.

    Diffie-Hellman (cont.)

    Bob and Alice exchange their public keys.

    Alice computes the message key, K, as
    K = 4^2 mod 11 = 5.

    Bob computes the message key, K, as
    K = 3^3 mod 11 = 5.

    Both end up with the same message key, namely:
    K = 5^(2*3) mod 11 = 15,625 mod 11 = 5.
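    The exchange above in code, as an added example that is not from the slides: it reproduces the p = 11, g = 5 numbers, then repeats the same four steps with a 127-bit prime (2^127-1, a constructed choice) and random private keys. The brute-force discrete-log routine is there to show the other half of the slides' argument: with p = 11 anyone who sees y_alice = 3 recovers x_alice in a handful of trials, which is why real parameters are hundreds of digits long and real deployments use standardized groups.

```python
import secrets


def dh_public(g, x, p):
    """Public value y = g^x mod p (step 2 on the slides)."""
    return pow(g, x, p)


def dh_shared(their_public, my_private, p):
    """Message key K = y_other^x_mine mod p (step 4 on the slides)."""
    return pow(their_public, my_private, p)


def brute_force_discrete_log(g, y, p):
    """Find x with g^x mod p == y by trial; only feasible when p is tiny."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    return None


def slide_example(p=11, g=5, x_alice=2, x_bob=3):
    """The slides' numbers; returns (y_alice, y_bob, K)."""
    y_alice, y_bob = dh_public(g, x_alice, p), dh_public(g, x_bob, p)  # computed
    k_alice = dh_shared(y_bob, x_alice, p)        # after exchanging y values
    k_bob = dh_shared(y_alice, x_bob, p)
    assert k_alice == k_bob == pow(g, x_alice * x_bob, p)
    return y_alice, y_bob, k_alice


def large_example(p=(1 << 127) - 1, g=2):
    """Same protocol with a 127-bit prime (constructed) and random secrets.
    Returns True when both sides derive the same key."""
    x_alice = secrets.randbelow(p - 2) + 1
    x_bob = secrets.randbelow(p - 2) + 1
    y_alice, y_bob = dh_public(g, x_alice, p), dh_public(g, x_bob, p)
    return dh_shared(y_bob, x_alice, p) == dh_shared(y_alice, x_bob, p)


if __name__ == "__main__":
    print(slide_example())                            # (3, 4, 5)
    print(brute_force_discrete_log(5, 3, 11))         # recovers x_alice = 2
    print(large_example())                            # True
```

    Note what an eavesdropper sees in either run: only p, g, y_alice and y_bob. K is never transmitted, which is the property the slides describe.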

    Diffie-Hellman (cont.)

    Diffie-Hellman is used in several network protocols and commercial products, including PGP.

    With Diffie-Hellman, keys can be generated as needed (on the fly) and they can be discarded at the end of the conversation.

    Software Developers and Cryptography

    According to Viega and McGraw the most common mistakes developers make with respect to cryptography are:

    Failing to apply cryptography when it is needed.

    Applying cryptography in an incorrect manner when it is deployed.

    Developers and Crypto (cont.)

    The most important rule is:

    Never, Never implement your own cryptographic algorithms!!!

    An experienced cryptanalyst will not be deterred by the fact that an algorithm is secret (not in the public domain). Their tools do not require knowledge of the algorithm.

    Developers and Crypto (cont.)

    The safest policy is to use a published, well-used algorithm that has been well-scrutinized by respected cryptographers over a period of at least a few years.

    Developers and Crypto (cont.)

    Viega and McGraw note that most of the major network protocols that use encryption have been broken at least once. These include:

    SSL (Secure Socket Layer) version 2: this should never be used.

    SSH (Secure Shell Protocol) version 1: this should be avoided.

    MS's Point-to-Point protocol used in MS's Virtual Private Network (VPN).

    Developers and Crypto (cont.)

    It is not only important to use well-known encryption algorithms, but also to use well-scrutinized implementations of those algorithms, because the algorithms could be implemented incorrectly.

    Developers also need to understand the legal framework surrounding cryptography. The laws have been weakened somewhat concerning shipping strong crypto stuff overseas, but there are still laws governing this domain.

    Developers and Crypto (cont.)

    The best bet, in terms of avoiding legal complications, is to use off-the-shelf, freely available cryptographic packages.

    Handout with reviews of two cryptographic libraries.