Upload
victor-clarke
View
217
Download
2
Embed Size (px)
Citation preview
CSC 382: Computer Security Slide #1
CSC 382: Computer Security
Modern Cryptography
CSC 382: Computer Security Slide #2
Overview
1. Cryptographic Checksums1. Hash Functions2. HMAC
2. Number Theory Review3. Public Key Cryptography
1. One-Way Trapdoor Functions2. Diffie-Helman3. RSA
4. Modern Steganography
CSC 382: Computer Security Slide #3
Hash Functions
Checksum to verify data integrity.
Hash Function h: AB– Input A: variable length– Output B: fixed length “fingerprint” of input
Many inputs produce same output.
Example Hash Function– Sum 32-bit words of message mod 232.
CSC 382: Computer Security Slide #4
Hash Function: ASCII Parity
ASCII parity bit– ASCII has 7 bits; 8th bit is for “parity”
– Even parity: even number of 1 bits
– Odd parity: odd number of 1 bits
Bob receives “10111101” as bits.– Sender is using even parity; 6 1 bits, so character was
received correctly• Note: could be garbled, but 2 bits would need to have been
changed to preserve parity
– Sender is using odd parity; even number of 1 bits, so character was not received correctly
CSC 382: Computer Security Slide #5
Cryptographic Checksums
Hash with authentication/integrity protection– Cannot obtain original message from hash.– Cannot find another message with same hash.
Additional Names– Message Authentication Code– Message Digest
CSC 382: Computer Security Slide #6
One-Way Function
Function f easy to compute, hard to reverse– Given x, easy to calculate f(x).– Given f(x), hard to compute x.
What’s easy and what’s hard?– easy: polynomial time– hard: exponential time– Are there any one-way functions?
CSC 382: Computer Security Slide #7
Cryptographic Checksum Definition
A function h: AB such that:1. For any x IN A, h(x) is easy to compute.2. For any y IN B, it is computationally
infeasible to find x IN A such that h(x) = y.3. It is computationally infeasible to find x, x´
IN A such that x ≠ x´ and h(x) = h(x´).
CSC 382: Computer Security Slide #8
Collisions
If x ≠ x´ and h(x) = h(x´), x and x´ collide.– Pigeonhole principle: if there are n containers
for n+1 objects, then at least one container will have 2 objects in it.
– Application: suppose n = 5 and k = 3. Then there are 32 elements of A and 8 elements of B, so at least one element of B has at least 4 corresponding elements of A.
CSC 382: Computer Security Slide #9
Hash Function Examples
Input– “Cryptography”
Output (base64 encoded):– http://www.xml-dev.com/blog/sha1.php
– MD5 (128-bit)• 64ef07ce3e4b420c334227eecb3b3f4c
– SHA1 (160-bit)• b804ec5a0d83d19d8db908572f51196505d09f98
CSC 382: Computer Security Slide #10
Keyed Hash FunctionHash function + secret keyWhy?
– AuthenticationHow?
– Symmetric encryption algorithm• Use last 64 bits of DES in CBC mode.
– HMAC algorithm• Incorporate key into a keyless hash algorithm.• Created to avoid export restrictions on
encryption algorithms.
CSC 382: Computer Security Slide #11
HMAC
HMAC = Hash Function + Key
Inputs:– h: keyless cryptographic checksum function
that takes data in blocks of b bytes and outputs blocks of l bytes.
– k: cryptographic key. – k´: k modified to be of length b.
• If short, pad with 0 bytes.
• If long, hash to length b.
CSC 382: Computer Security Slide #12
HMAC
HMAC-h(k, m) = h(k´ opad || h(k´ ipad || m)) exclusive or– || concatenation– ipad is 00110110 repeated b times.– opad is 01011100 repeated b times.
Security depends on security of hash function h.
CSC 382: Computer Security Slide #13
Current State of Hash Functions
MD4, MD5, SHA-0 Collisions (2004)SHA-1 Collisions (2005)
– Effort required is 269 instead of 280.
No effective pre-image attacks discovered yet.What’s the impact?
– Attacker could create two documents.• Document A requires payment of $500.• Document B requires payment of $50,000.
– Digital signatures sign MAC, not document.– Both documents have same MAC.
Use SHA-256 for now.
CSC 382: Computer Security Slide #14
Number Theory Review
1. Prime Numbers
2. Fundamental Theorem of Arithmetic
3. Greatest Common Divisors
4. Relatively Prime Numbers
5. Modular Inverses
6. Euler’s Totient Function
CSC 382: Computer Security Slide #15
Fundamental Thm of Arithmetic
Definition: An integer n > 1 is prime if its only factors are 1 and n.
Definition: An integer n > 1 that is not prime is composite.
Theorem: An integer n > 1 can be written as a product of prime numbers.
n = p1a p2
b p3c p4
d …
CSC 382: Computer Security Slide #16
Greatest Common Divisor
Definition: The greatest common divisor of integers a and b > 0, gcd(a,b) is the largest number that divides both a and b.
Definition: Two integers a and b > 0 are relatively prime if gcd(a,b) = 1.
Theorem: If n is prime, then every integer from 1 to n-1 is relatively prime to n.
CSC 382: Computer Security Slide #17
Modular Inverses
Multiplicative Inverse: The inverse of a number x is a number x-1 such that xx-1 = 1.
Modular Inverse: An integer x-1 such that 1 = (x x-1) mod n
There is not always a solution.2 has no inverse mod 16
A unique solution exists if x and n are relatively prime.
CSC 382: Computer Security Slide #18
Euler Totient Function
Euler’s totient function (n)Number of positive integers less than n and relatively prime to n.
Example: (10) = 41, 3, 7, 9 are relatively prime to 10
Theorem: If gcd(a,b)=1, (ab) = (a) (b)Note: If n is prime, (n) = n – 1Result: If a, b prime, (ab) = (a-1)(b-1)
CSC 382: Computer Security Slide #19
Euler’s Totient Theorem
Theorem: If n > 1 and gcd(a,n) = 1, then
a(n) mod n = 1.
Corollary: If n > 1 and gcd(a,n) = 1, then
a(n)-1 mod n
is the modular inverse of a mod n.
CSC 382: Computer Security Slide #20
Why do we need PK Cryptography?
Classical cryptography session:
1. Alice and Bob agree on algorithm.
2. Alice and Bob agree on key.
3. Alice encrypts her message with agreed upon algorithm and key.
4. Alice sends ciphertext message to Bob.
5. Bob decrypts ciphertext with same algorithm and key as Alice used.
CSC 382: Computer Security Slide #21
Public Key Cryptography
Two keys– Private key known only to owner.– Public key available to anyone.
Applications– Confidentiality:
• Sender enciphers using recipient’s public key, • Receiver deciphers using their private key.
– Integrity/authentication: • Sender enciphers using own private key, • Recipient deciphers using sender’s public key.
CSC 382: Computer Security Slide #22
Requirements
1. It must be computationally easy to encipher or decipher a message given the appropriate key.
2. It must be computationally infeasible to derive the private key from the public key.
3. It must be computationally infeasible to determine the private key from a chosen plaintext attack.
CSC 382: Computer Security Slide #23
One-Way Trapdoor Functions
Trapdoor one-way Function: One-way function whose inverse is easy to calculate only if given a special piece of information.
Example: Prime factoring– Easy to calculate product.– Difficult to calculate prime factors from product.– Easy to calculate one prime factor, given others.
CSC 382: Computer Security Slide #24
Diffie-Hellman
Compute a common, shared key– Called a symmetric key exchange protocol.
Based on discrete logarithm problem– Given integers n and g and prime number p,
compute k such that n = gk mod p.– Solutions known for small p.– Computationally infeasible for large p.
CSC 382: Computer Security Slide #25
Algorithm
Shared Constants– prime modulus p, – integer base g ≠ {0, 1, p–1}
Procedure– User A(lice) chooses a private key k.– Computes public key K = gk mod p.– Enciphers user B(ob) public key using own
private key to obtain the shared key S.– Encrypt msgs w/ symmetric cipher using S key.
CSC 382: Computer Security Slide #26
Algorithm
Alice chooses private key kAlice, computes public key KAlice = gkAlice mod p.
To communicate with Bob, Alice computes Kshared = KBob
kAlice mod p
To communicate with Alice, Bob computes Kshared = KAlice
kBob mod p
Modular exponentiation ensures SA,B = SB,A.For practical use, p must be very large.
CSC 382: Computer Security Slide #27
Example
Assume p = 53 and g = 17
Alice chooses kAlice = 5– Then KAlice = 175 mod 53 = 40
Bob chooses kBob = 7– Then KBob = 177 mod 53 = 6
Shared key:– KBob
kAlice mod p = 65 mod 53 = 38– KAlice
kBob mod p = 407 mod 53 = 38
CSC 382: Computer Security Slide #28
RSA
Exponentiation cipher, not just key exchange.
Relies on the difficulty of determining the number of numbers relatively prime to a large integer n.
CSC 382: Computer Security Slide #29
Algorithm
Choose two large prime numbers p, q– Let n = pq; then (n) = (p–1)(q–1)– Choose e < n such that e relatively prime to (n).– Compute inverse of e, d
• ed mod (n) = 1
Public key: (e, n)Private key: dEncipher: c = me mod nDecipher: m = cd mod n
CSC 382: Computer Security Slide #30
Example: Confidentiality
Take p = 7, q = 11, so n = 77 and (n) = 60Alice chooses e = 17, making d = 53Bob wants to send Alice secret message HELLO (07
04 11 11 14)– 0717 mod 77 = 28– 0417 mod 77 = 16– 1117 mod 77 = 44– 1117 mod 77 = 44– 1417 mod 77 = 42
Bob sends 28 16 44 44 42
CSC 382: Computer Security Slide #31
Example
Alice receives 28 16 44 44 42Alice uses private key, d = 53, to decrypt message:
– 2853 mod 77 = 07– 1653 mod 77 = 04– 4453 mod 77 = 11– 4453 mod 77 = 11– 4253 mod 77 = 14
Alice translates message to letters to read HELLO– No one else could read it, as only Alice knows her
private key and that is needed for decryption.
CSC 382: Computer Security Slide #32
Ex: Integrity/AuthenticationTake p = 7, q = 11, so n = 77 and (n) = 60Alice chooses e = 17, making d = 53Alice wants to send Bob message HELLO (07 04 11 11 14)
so Bob knows it is what Alice sent (no changes in transit, and authenticated)– 0753 mod 77 = 35– 0453 mod 77 = 09– 1153 mod 77 = 44– 1153 mod 77 = 44– 1453 mod 77 = 49
Alice sends 35 09 44 44 49
CSC 382: Computer Security Slide #33
ExampleBob receives 35 09 44 44 49Bob uses Alice’s public key, e = 17, n = 77, to decrypt message:– 3517 mod 77 = 07– 0917 mod 77 = 04– 4417 mod 77 = 11– 4417 mod 77 = 11– 4917 mod 77 = 14
Bob translates message to letters to read HELLO– Alice sent it as only she knows her private key– If (enciphered) message’s blocks (letters) altered in
transit, would not decrypt properly
CSC 382: Computer Security Slide #34
Example: BothAlice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked)– Alice’s keys: public (17, 77); private: 53– Bob’s keys: public: (37, 77); private: 13
Alice enciphers HELLO (07 04 11 11 14):– (0753 mod 77)37 mod 77 = 07– (0453 mod 77)37 mod 77 = 37– (1153 mod 77)37 mod 77 = 44– (1153 mod 77)37 mod 77 = 44– (1453 mod 77)37 mod 77 = 14
Alice sends 07 37 44 44 14
CSC 382: Computer Security Slide #35
Security Services
Confidentiality– Only the owner of the private key knows it, so
text enciphered with public key cannot be read by anyone except the owner of the private key.
Authentication– Only the owner of the private key knows it, so
text enciphered with private key must have been generated by the owner.
CSC 382: Computer Security Slide #36
More Security Services
Integrity– Enciphered letters cannot be changed
undetectably without knowing private key.
Non-Repudiation– Message enciphered with private key came
from someone who knew it.
CSC 382: Computer Security Slide #37
Warnings
Encipher message in blocks considerably larger than the examples here– If 1 character per block, RSA can be broken
using statistical attacks (just like classical cryptosystems.)
– Attacker cannot alter letters, but can rearrange them and alter message meaning.
• Ex: reverse ciphertext of message ON to get NO
CSC 382: Computer Security Slide #38
Using gpg
Generate a public/private keypair
zappa> gpg --gen-keyPlease select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) RSA (sign only)Your selection? 1
CSC 382: Computer Security Slide #39
Using gpg: exchanging keys
Giving someone your public keygpg --export --armor your_email_addr
Adding someone’s public key to your key ringgpg --import jameskey.pub
Confirming that you’ve got their keygpg --fingerprint james
Trusting their keygpg –edit-key james> sign
CSC 382: Computer Security Slide #40
Using gpg: encryption
Encryption:Import public key of recipientgpg --output file.gpg --encrypt --armor --recipient [email protected] file.txt
Decryption:gpg --output file.txt --decrypt file.gpg
CSC 382: Computer Security Slide #41
Using gpg: digital signatures
Digitally sign a file using your keygpg --output file.sig --armor --sign file.txt
Verify a digital signature gpg --verify file.siggpg: Signature made Sat Feb 28 14:54:30 2004 EST using DSA key ID 74291942
gpg: Good signature from "James Walden <[email protected]>"
CSC 382: Computer Security Slide #42
SteganographyHiding messages in another text (the covertext) so that no one except intended recipient knows a message has been sent.– Wax Tablets: In ancient times, messages were written
in wax poured on top of a stone or wood tablet. Messages were hidden by engraving them in the stone then pouring wax over them.
– Invisible Ink: Write message using lemon juice on paper. Write covertext in regular ink after dries. Heat to view hidden message.
– Null Cipher: Hide message in ordinary text, using nth
letter of each word, or every nth word of the message.
CSC 382: Computer Security Slide #43
Digital Steganography
1. Choose a cover medium file.– JPEG, MP3, etc.
2. Identify redundant bits in cover medium.– Low order bits in image and audio files.
3. Replace subset of redundant data with secret message.
4. Send steganographic file to recipient.
CSC 382: Computer Security Slide #44
JSteg: JPEG Steganography
JPEG image format– For each color component, a discrete cosine transform
(DCT) transforms successive 8x8 pixel blocks into 64 DCT coefficients.
– Quantize DCT coefficients.
Derek Upham’s JSteg algorithm– LSBs of DCT coefficients are redundancy.
– Modification of a single DCT coef affects all 64 pixels.
– Frequency domain changes are not visually observable.
CSC 382: Computer Security Slide #45
SteganalysisCompare steganographic file with original.
– 100% effective at identifying presence.– Original file is “secret key” of steganography.
Statistical analysis– Inserting high entropy changes histogram of color
frequencies in predictable ways.– Reduces frequency difference between adjacent colors.
Countermeasures– Insert less information to reduce impact.– Choose DCT coefficients to modify at random.– Alternate +/- DCT coefficient value to encode bits.– Use parity of groups of DCT LSBs to encode a message.
CSC 382: Computer Security Slide #46
Key Points1. Two types of cryptosystems:
– classical (symmetric)– public key (asymmetric)
2. Cryptographic checksums provide integrity check.– One-way functions.– Keyed hash functions.
3. Public Key Cryptography– One-way trapdoor functions.– Confidentiality: encipher with public, deciper with private– Integrity: encipher with private, decipher with public
4. Steganography– Hiding existence of message inside other data.
CSC 382: Computer Security Slide #47
References1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.2. Cryptography Research, “Hash Collision FAQ,”
http://www.cryptography.com/cnews/hash.html, 2005.3. Paul Garrett, Making, Breaking Codes: An Introduction to Cryptology,
Prentice Hall, 2001.4. Steven Levy, Crypto, Penguin Putnam, 2002.5. Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall,
2004.6. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook
of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996.
7. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996.8. NIST, FIPS-198a, “The Keyed-Hash Message Authentication Code
(HMAC)”, http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf9. Niels Provos and Peter Honeyman, “Hide and Seek: An Introduction to
Steganography,” IEEE Security & Privacy, May/June 2003.10. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley,
2002.