1

Lecture 30

SecurityApril 11, 2005

Cryptography

symmetric-key crypto: sender, receiver keys identicalpublic-key crypto: encrypt key public, decrypt key

secret

Figure 7.3 goes here

plaintext plaintext

ciphertext

KAKB

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share knowsame (symmetric) key: K

e.g., key is knowing substitution pattern in monoalphabetic substitution cipher

Problem: how do Bob and Alice agree on key value?

plaintextciphertext

KA-B

encryptionalgorithm

decryption algorithm

A-B

KA-B

plaintextmessage, m K (m)

A-BK (m)A-Bm = K ( ) A-B

Key Exchange Diffie & Hellman, 1976 Exchange secret key over insecure medium Alice chooses secret value KA and Bob chooses secret value

KB

Alice chooses p and g, both prime numbers and g is primitivemodule p (can be public)

Alice sends to Bob (g, p, gKA mod p) Bob send to Alice (g, p, gKB mod p) Alice computes k = (gKB mod p)KA mod p and Bob computes

k’ = (gKA mod p)KB mod p k=k’, therefore k is the new secret key

DESDES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64 bit plaintext input How secure is DES?

DES Challenge: 56-bit-key-encrypted phrase (“Strongcryptography makes the world a safer place”) decrypted(brute force) in 4 months

no known “backdoor” decryption approach making DES more secure

use three keys sequentially (3-DES) on each datum use cipher-block chaining

Advanced EncryptionStandard (AES) new (Nov. 2001) symmetric-key NIST

standard, replacing DES processes data in 128 bit blocks 128, 192, or 256 bit keys brute force decryption (try each key) takes

149 trillion years for AES

2

Public Key Cryptographysymmetric key crypto requires sender,

receiver knowshared secret key

Q: how to agree onkey in first place(particularly ifnever “met”)?

public key cryptography radically different

approach [Diffie-Hellman76, RSA78]

sender, receiver donot share secret key

encryption key public(known to all)

decryption keyprivate (known onlyto receiver)

Public Key Cryptography

Figure 7.7 goeshere

RSA

Rivest, Shamir, Adleman, 1977 Most commonly used

encryption/authentication algorithm (includedin Web browsers)

Algorithm: use two large prime numbers to derive a public

key and a private key prime numbers can be discarded keep private key secret, publish public key

RSA: Choosing Keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key is (n,e). Private key is (n,d).

RSA: Encryption/Decryption0. Given (n,e) and (n,d) as computed above

1. To encrypt bit pattern, m, computec = m mod ne (i.e., remainder when m is divided by n)e

2. To decrypt received bit pattern, c, computem = c mod nd (i.e., remainder when c is divided by n)d

m = (m mod n)e mod ndMagichappens!

RSA ExampleBob chooses p=5, q=7. Then n=35, z=24.

e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z).

letter m me c = m mod ne

l 12 1524832 17

c m = c mod nd17 481968572106750915091411825223072000 12

cd letterl

encrypt:

decrypt:

3

AuthenticationGoal: Bob wants Alice to “prove” her identity

to himProtocol ap1.0: Alice says “I am Alice”

Authentication: Another TryProtocol ap2.0: Alice says “I am Alice” and sends her IP

address along to “prove” it.

Authentication: Another TryProtocol ap3.0: Alice says “I am Alice” and sends her

secret password to “prove” it.

Authentication: Another TryProtocol ap3.1: Alice says “I am Alice” and sends her

encrypted secret password to “prove” it.

I am Aliceencrypt(password)

Authentication: Another TryGoal: avoid playback attack

Failures, drawbacks?

Figure 7.11 goes here

Nonce: number (R) used only once in a lifetimeap4.0: to prove Alice “live”, Bob sends Alice nonce, R.

Alice must return R, encrypted with shared secret key

Authentication: Another Try

Figure 7.12 goes here

ap4.0 requires shared symmetric key problem: how do Bob, Alice agree on key can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography

4

AP5.0: Security Hole?

Figure 7.14 goes here

Man (woman) in the middle attack: Trudyposes as Alice (to Bob) and as Bob (to Alice)

Need “certified” public keys (more later …)

AP5.0: Security Hole?

Figure 7.14 goes here

Man (woman) in the middle attack: Trudyposes as Alice (to Bob) and as Bob (to Alice)

Need “certified” public keys (more later …)

Digital SignaturesCryptographic

technique analogousto hand-writtensignatures.

Sender (Bob) digitallysigns document,establishing he isdocument owner/creator.

Verifiable, nonforgeable:recipient (Alice) can verifythat Bob, and no one else,signed document.

Simple digital signaturefor message m:

Bob encrypts m with hisprivate key dB, creatingsigned message, dB(m).

Bob sends m and dB(m) toAlice.

Digital Signatures Suppose Alice

receives msg m, anddigital signature dB(m)

Alice verifies msigned by Bob byapplying Bob’s publickey eB to dB(m) thenchecks eB(dB(m) ) =m.

If eB(dB(m) ) = m,whoever signed mmust have usedBob’s private key.

Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not

m’.Non-repudiation:

Alice can take m, andsignature dB(m) tocourt and prove thatBob signed m.

Message DigestsComputationally

expensive to public-key-encrypt longmessages

Goal: fixed-length, easy-to-compute digital“fingerprint”

apply hash function Hto m, get fixed sizemessage digest, H(m).

Hash function properties: many-to-1 produces fixed-size

msg digest (fingerprint) given message digest

x, computationallyinfeasible to find msuch that x = H(m)

H: HashFunction

Internet ChecksumInternet checksum has some properties of hash

function:➼ produces fixed length digest (16-bit sum) of message➼ is many-to-oneBut given message with given hash value, it is easy to

find another message with same hash value:

I O U 10 0 . 99 B O B

49 4F 55 3130 30 2E 3939 42 D2 42

message ASCII format

B2 C1 D2 AC

I O U 90 0 . 19 B O B

49 4F 55 3930 30 2E 3139 42 D2 42

message ASCII format

B2 C1 D2 ACdifferent messagesbut identical checksums!

5

Digital Signature = SignedMessage DigestBob sends digitally signed

message:Alice verifies signature and

integrity of digitally signedmessage:

Hash Function Algorithms Internet checksum would

make a poor messagedigest. Too easy to find two

messages with samechecksum.

MD5 hash function widely used. Computes 128-bit message

digest in 4-step process. arbitrary 128-bit string x,

appears difficult to constructmsg m whose MD5 hash isequal to x.

SHA-1 is also used. US standard 160-bit message digest

Trusted IntermediariesProblem:

How do twoentities establishshared secret keyover network?

Solution: trusted key

distribution center(KDC) acting asintermediarybetween entities

Problem: When Alice obtains

Bob’s public key(from web site, e-mail, diskette), howdoes she know it isBob’s public key,not Trudy’s?

Solution: trusted certification

authority (CA)

Key Distribution Center (KDC) Alice,Bob need

shared symmetrickey.

KDC: server sharesdifferent secret keywith each registereduser.

Alice, Bob know ownsymmetric keys, KA-

KDC KB-KDC , forcommunicating withKDC.

❒ Alice communicates withKDC, gets session key R1,and KB-KDC(A,R1)

❒ Alice sends BobKB-KDC(A,R1), Bob extracts R1

❒ Alice, Bob now share thesymmetric key R1.

Certification Authorities Certification authority (CA)

binds public key toparticular entity.

Entity (person, router, etc.)can register its public keywith CA. Entity provides “proof

of identity” to CA. CA creates certificate

binding entity to publickey.

Certificate digitallysigned by CA.

When Alice wants Bob’s publickey:

gets Bob’s certificate (Bob orelsewhere).

Apply CA’s public key to Bob’scertificate, get Bob’s public key

Certificate Serial number (unique to issuer) info about certificate owner, including algorithm

and key value itself (not shown)❒ info about

certificateissuer

❒ valid dates❒ digital

signatureby issuer

6

Secure Protocols Basic security algorithms are not enough:

how do you use them, how do you react when somethinghappens?

Secure protocols define how basic security tools are used: provide higher levels of security by merging strengths of several

basic security tools provide simple security mechanisms provide standards

Examples: PGP (encryption, decryption, signature of email), SSL: secure

socket layer, SSH: secure (remote) shell, HTTPS: secure HTTP

Secure Email

• generates random symmetric private key, KS.• encrypts message with KS• also encrypts KS with Bob’s public key.• sends both KS(m) and eB(KS) to Bob.

• Alice wants to send secret e-mail message, m, to Bob.

Secure Email• Alice wants to provide sender authentication &message integrity.

• Alice digitally signs message.• sends both message (in the clear) and digital signature.

Secure Email• Alice wants to provide secrecy, sender authentication, message integrity.

Note: Alice uses both her private key, Bob’s publickey.

Pretty Good Privacy PGP PGP designed by Phillip Zimmerman for electronic

mail Uses three known techniques:

IDEA for encrypting email message International Data Exchange Algorithm block cipher with 64-bit blocks similar in concept but different in details from DES uses 128-bit keys patented, but free for non-commercial use

PGP RSA public key encryption

permits keys up to 2,047 bits in length Digital signatures use MD5 or SHA-1

PGP generates a random 128-bit symmetric key, used byIDEA for each email message

PGP generates its own public/private key pairs Keys are stored locally using a hashed pass phrase PGP does not use conventional certificates (too expensive) Instead,

users generate and distribute their own public keys sign each other’s public keys save trusted public keys on public-key ring users build a web of trust users determine how much to trust

7

Pretty Good Privacy PGP Internet e-mail encryption

scheme, a de-factostandard.

Uses symmetric keycryptography, public keycryptography, hashfunction, and digitalsignature as described.

Provides secrecy, senderauthentication, integrity.

Inventor, Phil Zimmerman,was target of 3-yearfederal investigation.

---BEGIN PGP SIGNED MESSAGE---Hash: SHA1

Bob:My husband is out of towntonight.Passionately yours,Alice

---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/12EpJ+lo8gE4vB3m

qJhFEvZP9t6n7G6m5Gw2---END PGP SIGNATURE---

A PGP signed message:

GPG: Gnu Privacy Guard

GPG is primarily meant for securing email: can also use it to encrypt/decrypt/sign any

message... free alternative to PGP http://www.gpg.org

Allows you to: create public/private key pairs encrypt/decrypt messages sign/check messages

GPG Create your own public/private key pair:

gpg --gen-keys you will be asked several questions: which kind of key you

want, which size, how long it will stay valid, username,email address, etc. (keep default values)

then it will ask you for a passphrase: type any passphrase (e.g., “I like rabbits very much”) your private key will be encrypted with the passphrase

before storing on disk GPG will ask you for your passphrase each time it needs

to access your private key

Disseminating Your Public Key You can give it to anyone:

people who may want to communicate with you using GPG never hand out your private key

What’s my public key?gpg --export --armor <Your_Name>

You can add somebody else’s public key to your keyring:gpg --import <filename>

You can list the keys in your keyring:gpg --list-keys

Encryption/Decryption withGPG

Encryption: must specify the destination of your message,

message will be encrypted with the recipientspublic key (key must be in keyring)

gpg --armor --encrypt -r <recipient> < <file_to_encrypt>

Decryption: GPG will use your private key to decrypt a

received file, you will be asked for yourpassphrase

gpg --decrypt < <file_to_decrypt>

Signatures with GPG Sign a message (you will be asked for your

passphrase):gpg --output <output_file> --clearsign <document_to_sign> message and signature will be written to output_file

Check a signature:gpg --verify <document_to_check>

You can encrypt and sign a document:gpg --armor --sign --encrypt -r cpoellab@cse.nd.edu <

message To decrypt and check:

gpg --decrypt <encrypted_and_signed_message>