CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Modern Cryptography

CSC 382: Computer Security Slide #1

CSC 382: Computer Security

Modern Cryptography


Overview

1. Cryptographic Checksums1. Hash Functions2. HMAC

2. Number Theory Review3. Public Key Cryptography

1. One-Way Trapdoor Functions2. Diffie-Helman3. RSA

4. Modern Steganography


Hash Functions

Checksum to verify data integrity.

Hash Function h: AB– Input A: variable length– Output B: fixed length “fingerprint” of input

Many inputs produce same output.

Example Hash Function– Sum 32-bit words of message mod 232.


Hash Function: ASCII Parity

ASCII parity bit– ASCII has 7 bits; 8th bit is for “parity”

– Even parity: even number of 1 bits

– Odd parity: odd number of 1 bits

Bob receives “10111101” as bits.– Sender is using even parity; 6 1 bits, so character was

received correctly• Note: could be garbled, but 2 bits would need to have been

changed to preserve parity

– Sender is using odd parity; even number of 1 bits, so character was not received correctly


Cryptographic Checksums

Hash with authentication/integrity protection– Cannot obtain original message from hash.– Cannot find another message with same hash.

Additional Names– Message Authentication Code– Message Digest


One-Way Function

Function f easy to compute, hard to reverse– Given x, easy to calculate f(x).– Given f(x), hard to compute x.

What’s easy and what’s hard?– easy: polynomial time– hard: exponential time– Are there any one-way functions?


Cryptographic Checksum Definition

A function h: AB such that:1. For any x IN A, h(x) is easy to compute.2. For any y IN B, it is computationally

infeasible to find x IN A such that h(x) = y.3. It is computationally infeasible to find x, x´

IN A such that x ≠ x´ and h(x) = h(x´).


Collisions

If x ≠ x´ and h(x) = h(x´), x and x´ collide.– Pigeonhole principle: if there are n containers

for n+1 objects, then at least one container will have 2 objects in it.

– Application: suppose n = 5 and k = 3. Then there are 32 elements of A and 8 elements of B, so at least one element of B has at least 4 corresponding elements of A.


Hash Function Examples

Input– “Cryptography”

Output (base64 encoded):– http://www.xml-dev.com/blog/sha1.php

– MD5 (128-bit)• 64ef07ce3e4b420c334227eecb3b3f4c

– SHA1 (160-bit)• b804ec5a0d83d19d8db908572f51196505d09f98


Keyed Hash FunctionHash function + secret keyWhy?

– AuthenticationHow?

– Symmetric encryption algorithm• Use last 64 bits of DES in CBC mode.

– HMAC algorithm• Incorporate key into a keyless hash algorithm.• Created to avoid export restrictions on

encryption algorithms.


HMAC

HMAC = Hash Function + Key

Inputs:– h: keyless cryptographic checksum function

that takes data in blocks of b bytes and outputs blocks of l bytes.

– k: cryptographic key. – k´: k modified to be of length b.

• If short, pad with 0 bytes.

• If long, hash to length b.


HMAC

HMAC-h(k, m) = h(k´ opad || h(k´ ipad || m)) exclusive or– || concatenation– ipad is 00110110 repeated b times.– opad is 01011100 repeated b times.

Security depends on security of hash function h.


Current State of Hash Functions

MD4, MD5, SHA-0 Collisions (2004)SHA-1 Collisions (2005)

– Effort required is 269 instead of 280.

No effective pre-image attacks discovered yet.What’s the impact?

– Attacker could create two documents.• Document A requires payment of $500.• Document B requires payment of $50,000.

– Digital signatures sign MAC, not document.– Both documents have same MAC.

Use SHA-256 for now.


Number Theory Review

1. Prime Numbers

2. Fundamental Theorem of Arithmetic

3. Greatest Common Divisors

4. Relatively Prime Numbers

5. Modular Inverses

6. Euler’s Totient Function


Fundamental Thm of Arithmetic

Definition: An integer n > 1 is prime if its only factors are 1 and n.

Definition: An integer n > 1 that is not prime is composite.

Theorem: An integer n > 1 can be written as a product of prime numbers.

n = p1a p2

b p3c p4

d …


Greatest Common Divisor

Definition: The greatest common divisor of integers a and b > 0, gcd(a,b) is the largest number that divides both a and b.

Definition: Two integers a and b > 0 are relatively prime if gcd(a,b) = 1.

Theorem: If n is prime, then every integer from 1 to n-1 is relatively prime to n.


Modular Inverses

Multiplicative Inverse: The inverse of a number x is a number x-1 such that xx-1 = 1.

Modular Inverse: An integer x-1 such that 1 = (x x-1) mod n

There is not always a solution.2 has no inverse mod 16

A unique solution exists if x and n are relatively prime.


Euler Totient Function

Euler’s totient function (n)Number of positive integers less than n and relatively prime to n.

Example: (10) = 41, 3, 7, 9 are relatively prime to 10

Theorem: If gcd(a,b)=1, (ab) = (a) (b)Note: If n is prime, (n) = n – 1Result: If a, b prime, (ab) = (a-1)(b-1)


Euler’s Totient Theorem

Theorem: If n > 1 and gcd(a,n) = 1, then

a(n) mod n = 1.

Corollary: If n > 1 and gcd(a,n) = 1, then

a(n)-1 mod n

is the modular inverse of a mod n.


Why do we need PK Cryptography?

Classical cryptography session:

1. Alice and Bob agree on algorithm.

2. Alice and Bob agree on key.

3. Alice encrypts her message with agreed upon algorithm and key.

4. Alice sends ciphertext message to Bob.

5. Bob decrypts ciphertext with same algorithm and key as Alice used.


Public Key Cryptography

Two keys– Private key known only to owner.– Public key available to anyone.

Applications– Confidentiality:

• Sender enciphers using recipient’s public key, • Receiver deciphers using their private key.

– Integrity/authentication: • Sender enciphers using own private key, • Recipient deciphers using sender’s public key.


Requirements

1. It must be computationally easy to encipher or decipher a message given the appropriate key.

2. It must be computationally infeasible to derive the private key from the public key.

3. It must be computationally infeasible to determine the private key from a chosen plaintext attack.


One-Way Trapdoor Functions

Trapdoor one-way Function: One-way function whose inverse is easy to calculate only if given a special piece of information.

Example: Prime factoring– Easy to calculate product.– Difficult to calculate prime factors from product.– Easy to calculate one prime factor, given others.


Diffie-Hellman

Compute a common, shared key– Called a symmetric key exchange protocol.

Based on discrete logarithm problem– Given integers n and g and prime number p,

compute k such that n = gk mod p.– Solutions known for small p.– Computationally infeasible for large p.


Algorithm

Shared Constants– prime modulus p, – integer base g ≠ {0, 1, p–1}

Procedure– User A(lice) chooses a private key k.– Computes public key K = gk mod p.– Enciphers user B(ob) public key using own

private key to obtain the shared key S.– Encrypt msgs w/ symmetric cipher using S key.


Algorithm

Alice chooses private key kAlice, computes public key KAlice = gkAlice mod p.

To communicate with Bob, Alice computes Kshared = KBob

kAlice mod p

To communicate with Alice, Bob computes Kshared = KAlice

kBob mod p

Modular exponentiation ensures SA,B = SB,A.For practical use, p must be very large.


Example

Assume p = 53 and g = 17

Alice chooses kAlice = 5– Then KAlice = 175 mod 53 = 40

Bob chooses kBob = 7– Then KBob = 177 mod 53 = 6

Shared key:– KBob

kAlice mod p = 65 mod 53 = 38– KAlice

kBob mod p = 407 mod 53 = 38


RSA

Exponentiation cipher, not just key exchange.

Relies on the difficulty of determining the number of numbers relatively prime to a large integer n.


Algorithm

Choose two large prime numbers p, q– Let n = pq; then (n) = (p–1)(q–1)– Choose e < n such that e relatively prime to (n).– Compute inverse of e, d

• ed mod (n) = 1

Public key: (e, n)Private key: dEncipher: c = me mod nDecipher: m = cd mod n


Example: Confidentiality

Take p = 7, q = 11, so n = 77 and (n) = 60Alice chooses e = 17, making d = 53Bob wants to send Alice secret message HELLO (07

04 11 11 14)– 0717 mod 77 = 28– 0417 mod 77 = 16– 1117 mod 77 = 44– 1117 mod 77 = 44– 1417 mod 77 = 42

Bob sends 28 16 44 44 42


Example

Alice receives 28 16 44 44 42Alice uses private key, d = 53, to decrypt message:

– 2853 mod 77 = 07– 1653 mod 77 = 04– 4453 mod 77 = 11– 4453 mod 77 = 11– 4253 mod 77 = 14

Alice translates message to letters to read HELLO– No one else could read it, as only Alice knows her

private key and that is needed for decryption.


Ex: Integrity/AuthenticationTake p = 7, q = 11, so n = 77 and (n) = 60Alice chooses e = 17, making d = 53Alice wants to send Bob message HELLO (07 04 11 11 14)

so Bob knows it is what Alice sent (no changes in transit, and authenticated)– 0753 mod 77 = 35– 0453 mod 77 = 09– 1153 mod 77 = 44– 1153 mod 77 = 44– 1453 mod 77 = 49

Alice sends 35 09 44 44 49


ExampleBob receives 35 09 44 44 49Bob uses Alice’s public key, e = 17, n = 77, to decrypt message:– 3517 mod 77 = 07– 0917 mod 77 = 04– 4417 mod 77 = 11– 4417 mod 77 = 11– 4917 mod 77 = 14

Bob translates message to letters to read HELLO– Alice sent it as only she knows her private key– If (enciphered) message’s blocks (letters) altered in

transit, would not decrypt properly


Example: BothAlice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked)– Alice’s keys: public (17, 77); private: 53– Bob’s keys: public: (37, 77); private: 13

Alice enciphers HELLO (07 04 11 11 14):– (0753 mod 77)37 mod 77 = 07– (0453 mod 77)37 mod 77 = 37– (1153 mod 77)37 mod 77 = 44– (1153 mod 77)37 mod 77 = 44– (1453 mod 77)37 mod 77 = 14

Alice sends 07 37 44 44 14


Security Services

Confidentiality– Only the owner of the private key knows it, so

text enciphered with public key cannot be read by anyone except the owner of the private key.

Authentication– Only the owner of the private key knows it, so

text enciphered with private key must have been generated by the owner.


More Security Services

Integrity– Enciphered letters cannot be changed

undetectably without knowing private key.

Non-Repudiation– Message enciphered with private key came

from someone who knew it.


Warnings

Encipher message in blocks considerably larger than the examples here– If 1 character per block, RSA can be broken

using statistical attacks (just like classical cryptosystems.)

– Attacker cannot alter letters, but can rearrange them and alter message meaning.

• Ex: reverse ciphertext of message ON to get NO


Using gpg

Generate a public/private keypair

zappa> gpg --gen-keyPlease select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) RSA (sign only)Your selection? 1


Using gpg: exchanging keys

Giving someone your public keygpg --export --armor your_email_addr

Adding someone’s public key to your key ringgpg --import jameskey.pub

Confirming that you’ve got their keygpg --fingerprint james

Trusting their keygpg –edit-key james> sign


Using gpg: encryption

Encryption:Import public key of recipientgpg --output file.gpg --encrypt --armor --recipient [email protected] file.txt

Decryption:gpg --output file.txt --decrypt file.gpg

mailto:[email protected]


Using gpg: digital signatures

Digitally sign a file using your keygpg --output file.sig --armor --sign file.txt

Verify a digital signature gpg --verify file.siggpg: Signature made Sat Feb 28 14:54:30 2004 EST using DSA key ID 74291942

gpg: Good signature from "James Walden <[email protected]>"


SteganographyHiding messages in another text (the covertext) so that no one except intended recipient knows a message has been sent.– Wax Tablets: In ancient times, messages were written

in wax poured on top of a stone or wood tablet. Messages were hidden by engraving them in the stone then pouring wax over them.

– Invisible Ink: Write message using lemon juice on paper. Write covertext in regular ink after dries. Heat to view hidden message.

– Null Cipher: Hide message in ordinary text, using nth

letter of each word, or every nth word of the message.


Digital Steganography

1. Choose a cover medium file.– JPEG, MP3, etc.

2. Identify redundant bits in cover medium.– Low order bits in image and audio files.

3. Replace subset of redundant data with secret message.

4. Send steganographic file to recipient.


JSteg: JPEG Steganography

JPEG image format– For each color component, a discrete cosine transform

(DCT) transforms successive 8x8 pixel blocks into 64 DCT coefficients.

– Quantize DCT coefficients.

Derek Upham’s JSteg algorithm– LSBs of DCT coefficients are redundancy.

– Modification of a single DCT coef affects all 64 pixels.

– Frequency domain changes are not visually observable.


SteganalysisCompare steganographic file with original.

– 100% effective at identifying presence.– Original file is “secret key” of steganography.

Statistical analysis– Inserting high entropy changes histogram of color

frequencies in predictable ways.– Reduces frequency difference between adjacent colors.

Countermeasures– Insert less information to reduce impact.– Choose DCT coefficients to modify at random.– Alternate +/- DCT coefficient value to encode bits.– Use parity of groups of DCT LSBs to encode a message.


Key Points1. Two types of cryptosystems:

– classical (symmetric)– public key (asymmetric)

2. Cryptographic checksums provide integrity check.– One-way functions.– Keyed hash functions.

3. Public Key Cryptography– One-way trapdoor functions.– Confidentiality: encipher with public, deciper with private– Integrity: encipher with private, decipher with public

4. Steganography– Hiding existence of message inside other data.


References1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.2. Cryptography Research, “Hash Collision FAQ,”

http://www.cryptography.com/cnews/hash.html, 2005.3. Paul Garrett, Making, Breaking Codes: An Introduction to Cryptology,

Prentice Hall, 2001.4. Steven Levy, Crypto, Penguin Putnam, 2002.5. Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall,

2004.6. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook

of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996.

7. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996.8. NIST, FIPS-198a, “The Keyed-Hash Message Authentication Code

(HMAC)”, http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf9. Niels Provos and Peter Honeyman, “Hide and Seek: An Introduction to

Steganography,” IEEE Security & Privacy, May/June 2003.10. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley,

2002.

http://www.cryptography.com/cnews/hash.html

http://www.cacr.math.uwaterloo.ca/hac/authors/ajm.html

http://www.cacr.math.uwaterloo.ca/hac/authors/ajm.html

http://www.cacr.math.uwaterloo.ca/hac/authors/pvo.html

http://www.cacr.math.uwaterloo.ca/hac/authors/pvo.html

http://www.cacr.math.uwaterloo.ca/hac/authors/sav.html

http://www.cacr.math.uwaterloo.ca/hac/

http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf

Documents

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Modern Cryptography