Upload
polly-blankenship
View
234
Download
3
Tags:
Embed Size (px)
Citation preview
Cryptography
1
History – Of Cryptography
Pen and Paper Cryptography 2000 B.C. – 1750 AD Examples: Caesar Vigenère
Mechanical cipher machines 1750- 1950 Confederate Army’s Cipher Disk Japanese Red and Purple Machines German Enigma
Modern Computer Cryptography DES, Rijndael / AES, RSA, ECC, Chameleon,
2
Crypto Vocabulary
Plaintext – A message in its natural format readable by an attacker
Ciphertext – Message altered to be unreadable by anyone except the intended recipients
Key – Sequence that controls the operation and behavior of the cryptographic algorithm
Keyspace – Total number of possible values of keys in a crypto algorithm
3
Crypto Vocabulary 2
Initialization Vector – Random values used with ciphers to ensure no patterns are created during encryption
Cryptosystem – The combination of algorithm, key, and key management functions used to perform cryptographic operations
4
Cryptosystem Services
ConfidentialityIntegrityAuthenticityNonrepudiationAccess Control
5
Types of Cryptography
Asymmetric, and Symmetric
Stream-based Ciphers Mixes plaintext with key stream Good for real-time services
Block Ciphers Substitution and transposition
6
Encryption Systems
Substitution Cipher Convert one letter to another Cryptoquip
Transposition Cipher Change position of letter in text Word Jumble
Monoalphabetic Cipher Caesar
7
Encryption Systems
Polyalphabetic Cipher VigenèreModular Mathematics Running Key CipherOne-time Pads Randomly generated keys
8
Steganography
Hiding a message within another medium, such as an imageExample Modify color map of JPEG image Image of Snowden’s GirlfriendLindsey Mills that contains encodedInformation that is still unknown
9
Cryptographic Methods
Symmetric Same key for encryption and decryption Key distribution problem
Asymmetric Mathematically related key pairs for
encryption and decryption Public and private keys
10
Cryptographic Methods
Hybrid Combines strengths of both methods Asymmetric distributes symmetric key
Also known as a session key Symmetric provides bulk encryption Example:
SSL negotiates a hybrid method
11
Attributes of Strong Encryption
Confusion Change key values each round Performed through substitution Complicates plaintext/key relationship
Diffusion Change location of plaintext in ciphertext Done through transposition
12
Symmetric Algorithms
DES3DESAES (ECB, CBC, TXC,)RC4, RC5IDEABlowfish, TwoFishChameleon
13
Symmetric Encryption
14
E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)
Alice
Em, n E(k,m,n)=c
Bob
Dc, n D(k,c,n)=m
k k
15
First example: One Time Pad (single use key)
Vernam (1917)
Shannon ‘49: OTP is “secure” against ciphertext-only attacks
0 1 0 1 1 1 0 0 01Key:
1 1 0 0 0 1 1 0 00Plaintext:
1 0 0 1 1 0 1 0 01Ciphertext:
16
Stream ciphers (single use key)
Problem: OTP key is as long the messageSolution: Pseudo random key -- stream ciphers
Stream ciphers: RC4 (113MB/sec) , SEAL (293MB/sec)
key
PRBG
message
ciphertext
c PRBG(k) m
Dangers in using stream ciphers
One time key !! “Two time pad” is insecure:
C1 m1 PRBG(k)
C2 m2 PRBG(k)
Eavesdropper does:
C1 C2 m1 m2
Enough redundant information in English that:
m1 m2 m1 , m2
Symmetric encryption: nonce (IV)
18
E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)
Alice
Em, n E(k,m,n)=c
Bob
Dc, n D(k,c,n)=m
k k
nonce
Use Cases
Single use key: (one time key) Key is only used to encrypt one message
encrypted email: new key generated for every email No need for nonce (set to 0)
Multi use key: Key used to encrypt multiple messages
SSL: same key used to encrypt many packets Need either unique nonce or random nonce
Multi use key, but all plaintexts are distinct: Can eliminate nonce (use 0) using special mode (SIV)
19
Block ciphers: crypto work horse
E, D CT Block
n Bits
PT Block
n Bits
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
IV handled as part of PT block
21
Building a block cipher
Input: (m, k)Repeat simple mixing operation several times DES: Repeat 16 times:
AES-128: Mixing step repeated 10 times
Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,
…
mL mR
mR mLF(k,mR)
Block Ciphers Built by Iteration
R(k,m): round function for DES (n=16), for AES (n=10)
key k
key expansion
k1 k2 k3 kn
R(k
1, )
R(k
2, )
R(k
3, )
R(k
n, )
m c
23
Incorrect use of block ciphers
Electronic Code Book (ECB):
Problem: if m1=m2 then c1=c2
PT:
CT:
m1 m2
c1 c2
AES
24
AES
AES
26
Chameleon
27
Asymmetric Algorithms
Diffie-HellmanRSAElliptic Curve Cryptography (ECC)
28
Complexity Classes
Answer in polynomial space may need exhaustive search
If yes, can guess and check in polynomial time
Answer in polynomial time, with high probability
Answer in polynomial time compute answer directly
P
BPP
NP
PSpace
easy
hard
Example: RSA
Arithmetic modulo pq Generate secret primes p, q Generate secret numbers a, b with xab x mod pq
Public encryption key n, a Encrypt(n, a, x) = xa mod n
Private decryption key n, b Decrypt(n, b, y) = yb mod n
Main properties This appears to be a “trapdoor permutation” Cannot compute b from n,a
Apparently, need to factor n = pq
n
Why RSA works (quick sketch)
Let p, q be two distinct primes and let n=p*q Encryption, decryption based on group Zn
* For n=p*q, order (n) = (p-1)*(q-1)
Proof: (p-1)*(q-1) = p*q - p - q + 1
Key pair: a, b with ab 1 mod (n) Encrypt(x) = xa mod n Decrypt(y) = yb mod n Since ab 1 mod (n), have xab x mod n
Proof: if gcd(x,n) = 1, then by general group theory, otherwise use “Chinese remainder theorem”.
Textbook RSA is insecure
What if message is from a small set (yes/no)? Can build table
What if I want to outbid you in secret auction? I take your encrypted bid c and submit c (101/100)e mod n
What if there’s some protocol in which I can learn other message decryptions?
OAEP [BR94, Shoup ’01]
Preprocess message for RSA
If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “random oracles”)
In practice: use SHA-1 or MD5 for H and G
H+
G +
Plaintext to encrypt with RSA
rand.Message 01 00..0
Check padon decryption.Reject CT if invalid.
{0,1}n-1
Digital Signatures
Public-key encryption Alice publishes encryption key Anyone can send encrypted message Only Alice can decrypt messages with this key
Digital signature scheme Alice publishes key for verifying signatures Anyone can check a message signed by Alice Only Alice can send signed messages
Properties of signatures
Functions to sign and verify Sign(Key-1, message)
Verify(Key, x, m) =
Resists forgery Cannot compute Sign(Key-1, m) from m and Key Resists existential forgery:
given Key, cannot produce Sign(Key-1, m) for any random or arbitrary m
true if x = Sign(Key-1, m)false otherwise
RSA Signature Scheme
Publish decryption instead of encryption key Alice publishes decryption key Anyone can decrypt a message encrypted by Alice Only Alice can send encrypt messages
In more detail, Alice generates primes p, q and key pair a, b Sign(x) = xa mod n Verify(y) = yb mod n Since ab 1 mod (n), have xab x mod n
Generally, sign hash of message instead of full plaintext
Public-Key Infrastructure (PKI)
Anyone can send Bob a secret message Provided they know Bob’s public key
How do we know a key belongs to Bob? If imposter substitutes another key, can read Bob’s mail
One solution: PKI Trusted root authority (VeriSign, IBM, United Nations)
Everyone must know the verification key of root authority Check your browser; there are hundreds!!
Root authority can sign certificates Certificates identify others, including other authorities Leads to certificate chains
Public-Key Infrastructure
Certificate Authority
Client Server
Known public signature verification key Ka
Sign(Ka-1, Ks), Sign(Ks, msg)
CertificateSign(Ka-1, Ks)Ks
Server certificate can be verified by any client that has CA key Ka
Certificate authority is “off line”
Ka
Hashing Algorithms
MD5 Computes 128-bit hash value Widely used for file integrity checking
SHA-1 Computes 160-bit hash value NIST approved message digest algorithm
SHA-256
39
Birthday Attack
Collisions Two messages with the same hash value
Based on the “birthday paradox”Hash algorithms should be resistant to this attack
40
Message Authentication Codes
Small block of data generated with a secret key and appended to a messageHMAC (RFC 2104) Uses hash instead of cipher for speed Used in SSL/TLS and IPSec
41
Digital Signatures
Hash of message encrypted with private key
Digital Signature Standard (DSS)• DSA/RSA/ECD-SA plus SHA
DSS provides• Sender authentication• Verification of message integrity• Nonrepudiation
42
Encryption Management
Key Distribution Center (KDC) Uses master keys to issue session keys Example: Kerberos
ANSI X9.17 Used by financial institutions Hierarchical set of keys Higher levels used to distribute lower
43
Public Key Infrastructure
All components needed to enable secure communication Policies and Procedures Keys and Algorithms Software and Data Formats
Assures identity to usersProvides key management features
44
PKI Components
Digital Certificates• Contains identity and verification info
Certificate Authorities• Trusted entity that issues certificates
Registration Authorities• Verifies identity for certificate requests
Certificate Revocation List (CRL)
45
PKI Cross Certification
Process to establish a trust relationship between CAs
Allows each CA to validate certificates issued by the other CA
Used in large organizations or business partnerships
46
Cryptanalysis
The study of methods to break cryptosystems
Often targeted at obtaining a keyAttacks may be passive or active
47
Cryptanalysis
Kerckhoff’s Principle The only secrecy involved with a
cryptosystem should be the key
Cryptosystem Strength How hard is it to determine the secret
associated with the system?
48
Cryptanalysis Attacks
Brute force Trying all key values in the keyspace
Frequency Analysis Guess values based on frequency of
occurrence
Dictionary Attack Find plaintext based on common words
49
Cryptanalysis Attacks (statistical)
WORD COUNT PERCENT bar graph
the 53.10 B 7.14% the
of 30.97 B 4.16% ofand 22.63 B 3.04%
and to 19.35 B 2.60% to in 16.89 B 2.27% ina 15.31 B 2.06% a is 8.38 B 1.13% is that 8.00 B 1.08%
that for 6.55 B 0.88% for
50
LET COUNT PERCENT bar graphE 445.2 B 12.49% ET 330.5 B 9.28% TA 286.5 B 8.04% AO 272.3 B 7.64% OI 269.7 B 7.57% IN 257.8 B 7.23% NS 232.1 B 6.51% SR 223.8 B 6.28% RH 180.1 B 5.05% HL 145.0 B 4.07% LD 136.0 B 3.82% DC 119.2 B 3.34% CU 97.3 B 2.73% UM 89.5 B 2.51% MF 85.6 B 2.40% FP 76.1 B 2.14% P
Cryptanalysis Attacks
Replay Attack Repeating previous known values
Factoring Attacks Find keys through prime factorization
Ciphertext-OnlyKnown Plaintext
Format or content of plaintext available
51
Cryptanalysis Attacks
Chosen Plaintext Attack can encrypt chosen plaintext
Chosen Ciphertext Decrypt known ciphertext to discover key
Differential Power Analysis Side Channel Attack Identify algorithm and key length
52
Cryptanalysis Attacks
Social Engineering Humans are the weakest link
RNG Attack Predict IV used by an algorithm
Temporary Files May contain plaintext
53
E-mail Security Protocols
Privacy Enhanced Email (PEM)Pretty Good Privacy (PGP)
Based on a distributed trust model Each user generates a key pair
S/MIME Requires public key infrastructure Supported by most e-mail clients
54
Network Security
Link Encryption Encrypt traffic headers + data Transparent to users
End-to-End Encryption Encrypts application layer data only Network devices need not be aware
55
Network Security
SSL/TLS• Supports mutual authentication• Secures a number of popular network
services
IPSec• Security extensions for TCP/IP protocols• Supports encryption and authentication• Used for VPNs
56
Questions?
57