Grenzen der Kryptographie - FIM Homepage (Microsoft Research, Cambridge)

Page 1: Grenzen der Kryptographie (Limits of Cryptography)

Dieter Gollmann, Microsoft Research

Page 2: Summary

- Crypto does not solve security problems
- Crypto transforms security problems
- Typically, the new problems relate to key management and the protection of keys
- In these areas, reasonable solutions exist for closed systems but hardly for open & public systems

Page 3: Agenda

- A brief history of cryptography
- A long look at public key cryptography
- Security protocols and their verification
- Open and closed environments
- Conclusions

Page 4: The origins of cryptography

[Figure: Alice <-> Bob, connected by a channel]

Two secure end systems communicate over an insecure channel.

The enemy is an outsider listening to traffic.

Page 5: Symmetric key encryption

[Figure: plaintext -> A: encrypt -> ciphertext -> B: decrypt -> plaintext]

Page 6: Symmetric Key Cryptography

- Encryption protects documents on the way from A to B
- A and B need to share a key
- A procedure is required for A and B to obtain their shared key
- For n parties to communicate directly, about n² keys are needed
- Security services: confidentiality, integrity, authentication (data origin authentication, key exchange ≈ peer entity authentication)

Page 7: Symmetric Key Cryptography

- Algorithms: DES, AES (Rijndael), …
- No provable security
- Algorithms designed to resist known attacks: e.g. differential & linear cryptanalysis
- Recommended key length: 80-90 bits
- DES: 56-bit keys vulnerable to brute-force search
- DES designed to resist differential cryptanalysis

Page 8: Key exchange: “authentication”

- Needham-Schroeder protocol: key transport protocol using a symmetric cipher for encryption: A and B obtain a session key Kab from server S (Trusted Third Party)
- A [B] shares a secret key Kas [Kbs] with S
- Nonces (random challenges) nA and nB in messages prevent replay attacks

Page 9: Needham-Schroeder protocol

[Figure: S at the top, A and B below; messages 1 and 2 run between A and S, messages 3 to 5 between A and B]

1. A -> S: A, B, nA
2. S -> A: eKas(nA, B, Kab, eKbs(Kab, A))
3. A -> B: eKbs(Kab, A)
4. B -> A: eKab(nB)
5. A -> B: eKab(nB-1)

(basis for Kerberos)
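The five messages above as a symbolic run in Python, added here as an example and not taken from the slides: encryption is modelled as a box that only the holder of the named key can open, which is the abstraction protocol analysis works with, so no real cipher is involved. The key names, nonces and the check functions are constructed for the example; the point is A's nonce check on message 2 (which rejects a replayed old reply) and B's nB-1 handshake.

```python
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext: a box locked with the key named in `key`."""
    key: str
    body: tuple

def dec(key, box):
    """Open a box; only the matching key works (models decryption failing)."""
    if not isinstance(box, Enc) or box.key != key:
        raise ValueError("decryption failed")
    return box.body

LONGTERM = {"A": "Kas", "B": "Kbs"}    # key each party shares with S (names only)

def server(m1):
    """S on message 1 (A, B, nA): returns eKas(nA, B, Kab, eKbs(Kab, A))."""
    a, b, n_a = m1
    k_ab = "Kab-" + secrets.token_hex(4)             # fresh session key
    ticket = Enc(LONGTERM[b], (k_ab, a))             # only B can open this part
    return Enc(LONGTERM[a], (n_a, b, k_ab, ticket))

def initiator_accepts(a, b, n_a, m2):
    """A's check on message 2: freshness (nA) and intended peer (B).
    Returns (Kab, ticket); a replayed old message 2 fails the nonce check."""
    n_a2, b2, k_ab, ticket = dec(LONGTERM[a], m2)
    if n_a2 != n_a or b2 != b:
        raise ValueError("A: stale or mis-addressed server reply")
    return k_ab, ticket

def run_protocol(a="A", b="B"):
    """One full run; returns what each side ends up with."""
    n_a = "nA-" + secrets.token_hex(4)
    m2 = server((a, b, n_a))                          # messages 1 and 2
    k_ab, ticket = initiator_accepts(a, b, n_a, m2)
    k_ab_b, peer = dec(LONGTERM[b], ticket)           # 3. A -> B: eKbs(Kab, A)
    n_b = secrets.randbelow(2**32)                     # B's challenge
    m4 = Enc(k_ab_b, (n_b,))                           # 4. B -> A: eKab(nB)
    (n_b_a,) = dec(k_ab, m4)
    m5 = Enc(k_ab, (n_b_a - 1,))                       # 5. A -> B: eKab(nB-1)
    if dec(k_ab_b, m5) != (n_b - 1,):
        raise ValueError("B: handshake failed")
    return {"a_key": k_ab, "b_key": k_ab_b, "b_peer": peer}

def replay_rejected():
    """An old message 2 (right keys, stale nonce) must fail A's check."""
    old = server(("A", "B", "nA-old"))
    try:
        initiator_accepts("A", "B", "nA-fresh", old)
    except ValueError:
        return True
    return False
```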

Page 10: History: Non-secret Encryption

- “Fact”: to exchange secret messages shared secrets are required
- Counterexample (Bell Labs, 1944):
  - receiver adds noise on a telephone line
  - sender sends the message
  - attacker only hears noise
  - receiver gets message by cancelling own noise
- J.H. Ellis (CESG): described a scheme for non-secret (public key) encryption in 1970

Page 11: Encryption with public keys

[Figure: plaintext -> A: encrypt (with B's public key) -> ciphertext -> B: decrypt (with B's private key) -> plaintext]

Page 12: Public Key Cryptography

- Encryption protects documents on the way from A to B
- B has a public encryption key and a private decryption key
- A procedure is required for A to get an authentic copy of B’s public key (need not be easier than getting a shared secret key)
- For n parties to communicate, n key pairs are needed

Page 13: Digital signatures

[Figure: document -> A: sign -> document + signature -> B: verify -> accept / reject]

Page 14: Digital Signatures

- Protect authenticity of documents ‘signed by A’; more precisely, a cryptographic mechanism for associating documents with verification keys
- A has a public verification key and a private signature key
- A procedure is required for B to get an authentic copy of A’s public key
- Provide authentication; on their own they do not provide non-repudiation at the level of persons
- Electronic signatures: a security service for associating documents with persons

Page 15: Key exchange without secrets

[Figure: a box passed back and forth between Alice and Bob]

1. Alice puts the key in a box and attaches a lock
2. Bob adds his lock and returns the box
3. Alice removes her lock and returns the box
4. Bob removes his lock and opens the box

e.g. the Diffie-Hellman protocol

Page 16: Public Key Cryptography

- Algorithms: RSA, ElGamal (encryption), RSA, DSA, … (digital signatures), Diffie-Hellman (key agreement), elliptic curve algorithms
- Provable security: reduction proofs to open problems: factoring, discrete logarithm (DLP)
- Note: RSA ≠ factoring, DSA ≠ DLP, DH ≠ DLP
- Provable security for protocols: reduction proofs to breaking the crypto algorithms (Bellare-Rogaway)
- Services: confidentiality, integrity, authentication, non-repudiation (at the level of keys)

Page 17: Key Sizes – RSA

Arjen Lenstra: Unbelievable Security, Asiacrypt 2001

RSA key size (bits) matching each symmetric cipher, by year:

Year   AES 256   AES 192   AES 128   3K 3DES   2K 3DES    DES
2001     15387      7918      3224      2426      1723    620
2010     16246      8493      3560      2709      1955    747
2020     17235      9160      3956      3046      2233    906
2030     18260      9860      4379      3408      2534   1084

Page 18: Key Sizes – ‘2010’

Arjen Lenstra: Unbelievable Security, Asiacrypt 2001

Key size (bits) matching each symmetric cipher in 2010, per public key system:

System   AES 256   AES 192   AES 128   3K 3DES   2K 3DES   DES
ECC         2300      1700      1200      1000       860   510
XTR         8600      4600      2000      1600      1200   490
LUC        17000      8900      3800      2900      2100   860
RSA        16000      8500      3600      2700      2000   750

Page 19: Digital Signature Misconceptions

- Verification is decryption with the public key (as stated in X.509): even untrue for RSA signatures (→ existential forgeries), does not hold for DSA; the output of ‘decrypt’ is of type ‘message’, the output of ‘verify’ is of type Boolean, …
- A signature binds the signer A to the document: verification links document and verification key
- Digital signatures are legally binding: even if recognized by law, digital signatures do not guarantee that there is a court with jurisdiction
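The first misconception worked through in Python, as an added example that is not from the slides: a toy RSA key (the two Mersenne primes are constructed for brevity, real keys use random primes of 1024 bits or more) with a hash-and-encode step standing in for a real encoding such as PKCS#1. `decrypt_with_public_key` is the X.509 reading and returns a "message" for any input, so picking the signature first yields a pair that "decrypts" fine (the existential forgery the slide mentions); `verify` returns a Boolean and rejects that pair.

```python
import hashlib
import secrets

# Toy key (constructed): n = p*q is about 150 bits; e = 65537 is coprime to phi.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def encode(message: bytes) -> int:
    """Hash-and-encode: the structured value a real scheme puts under the
    private key operation. 18 bytes (144 bits) keeps it below n."""
    return int.from_bytes(hashlib.sha256(message).digest()[:18], "big")

def sign(message: bytes) -> int:
    return pow(encode(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Output of type Boolean: recompute the encoding and compare."""
    return 0 < signature < N and pow(signature, E, N) == encode(message)

def decrypt_with_public_key(signature: int) -> int:
    """Output of type 'message': every value 'decrypts' to something, so this
    operation on its own can never reject anything."""
    return pow(signature, E, N)

def existential_forgery() -> tuple:
    """Pick the signature first and let the public key operation define the
    'message'. Under the decrypt reading this is a valid (message, signature)
    pair; under verify() it is not, because the message has no encoding."""
    s = secrets.randbelow(N - 2) + 2
    return decrypt_with_public_key(s), s
```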

Page 20: Digital Signatures revisited

- Authentication: signatures are mathematical evidence linking a document to a public key
- The link between a public key and a person has to be established by procedural means
- This link can be recorded in a certificate (but certificates are not necessary for verifying digital signatures, verification keys are)
- The holder of a private signature key has to protect the key from compromise and to be sure that the key is only used as intended

Page 21: Electronic signatures

[Figure: the chain of links from a document to a person. Document <-> private signature key: mathematics (digital signature). Private signature key <-> public verification key: mathematics. Public verification key <-> name: procedures (certificate). Name <-> person: procedures. The private key sits in a key container / signing device, protected by a secure O/S and physical security.]

Page 22: Verifying security protocols

- Security services are typically provided by cryptographic protocols
- The design of security protocols is supposedly difficult and error prone
- There exists a substantial body of work on protocol analysis
- Can one trust the results of protocol analysis?
- We will use the Needham-Schroeder public key protocol as a case study

Page 23: NS public key protocol (1978)

- Only B can decrypt the first message and form a reply containing the challenge nA
- Only A can decrypt the second message and form a reply containing the challenge nB

1. A -> B: ePB(nA, A)
2. B -> A: ePA(nB, nA)
3. A -> B: ePB(nB)

Page 24: Fact sheet

- Defined in the 1970s: principals are honest
- Authentication: verifying the identity of the communicating principals to one another
- Communications with servers can be done without establishing a ‘connection’
- Establish a shared session key from nA, nB
- Formal analysis in the BAN logic (1990): e.g. A believes B believes nB is a secret shared by A and B

Page 25: A second formal analysis (1995)

- Conducted by Gavin Lowe using CSP
- CSP processes communicate on channels
- Goals and assumptions:
  - Attacker can be a regular protocol participant
  - Initiator commits to a run with B when receiving a reply ePA(nB,nA) containing the challenge nA
  - Responder commits to a run with A only if the message ePB(nA,A) came from A
- Why should the origin of challenges be verified?

Page 26: Lowe’s ‘man-in-the-middle’ attack: connection-oriented (1995)

[Figure: A, E and B side by side; A runs the protocol with E, E runs it with B in A's name]

A -> E: ePE(nA, A)
E -> B: ePB(nA, A)
B -> E: ePA(nB, nA)
E -> A: ePA(nB, nA)
A -> E: ePE(nB)
E -> B: ePB(nB)

Attack: responder B can be tricked by a masquerading initiator.

Proof: initiator A authenticates responder E.

Page 27: Why is there proof and attack?

- Assumptions about the environment differ: E is a protocol participant but E is not ‘honest’
- Authentication goals differ: correspondence properties as used by Lowe became popular in the early 1990s, but were only intended to capture the authentication of protocol runs
- Correspondence ≈ authentication of connections
  - ✓ A sees a run with E and is connected to E
  - ✗ B sees a run with A but is connected to E

Page 28: A triangle attack (connectionless)

[Figure: A, E and B at the corners of a triangle; B replies directly to A]

A -> E: ePE(nA, A)
E -> B: ePB(nA, A)
B -> A: ePA(nB, nA)
A -> E: ePE(nB)
E -> B: ePB(nB)

B has been tricked. Why? A was involved in the protocol run.

The initiator cannot be misled. Why? E is not responding.

Page 29: Comments

- The proof is no longer ‘correct’ because we have an ‘attack’ where the responder does not run the protocol
- The attack is no longer an ‘attack’ because the initiator is involved in the protocol run
- Still, the attack violates properties claimed for the protocol: A is cheated because nA and nB are not secrets shared with E

Page 30: Closed systems & open systems

There is an important difference between closed systems, where parties look for protection from the outside (the old world cryptography came from), and open systems, where parties look for protection from insiders (the new world of e-commerce).

Page 31: Key exchange with a stranger

[Figure: the same box protocol as on Page 15, but Alice does not know who is at the other end]

1. Alice puts the key in a box and attaches a lock
2. Someone adds a lock and returns the box
3. Alice removes her lock and returns the box
4. Someone removes the lock and opens the box

Page 32: Conclusions

- Cryptography has its origins in communications security
- Not all security problems can be expressed as communications security problems
- Communications security tends to assume that end systems are secure and users are honest
- In today’s world, we have to secure applications where end systems are not secure and users are not necessarily honest

Page 33: Conclusions

- Crypto algorithms are not provably secure
  - Lars Knudsen: If it’s provably secure, it probably isn’t
- Crypto algorithms are practically very secure
  - unless you insist on inventing your own algorithms
- Crypto gives no more security than the keys used
  - key management is a frequent source of problems
  - Robert Morris sr.: The Enigma never was broken
- Crypto gives no more security than the end system it is running on
  - designing secure end systems is the really difficult security challenge

Page 34: Conclusions

- Crypto relies on tamper-resistant devices and on alternative channels (trust)
- Tamper resistant devices + symmetric key crypto: CHAPS (see Davies & Price: Security for Computer Networks, 1984+89)
- Alternative channels for bootstrapping and for confirmation messages: GSM, book, newspaper
- Crypto depends on good security management
- End users are their own security managers
  - “How to get full control over your PC”

Page 35: Brave New World

[Figure: government, bank, merchant and customer, all interconnected]

Can all these parties manage their own security?

Page 36: Security & Security Services

“SSL gives no security guarantees that are relevant for e-commerce.”
Dr Richard Walton, Director of CESG

“Digital certificates provide no actual security for electronic commerce; it's a complete sham.”
Bruce Schneier: Secrets & Lies

“There exist security services that do not provide any security at all.”
Roger Schell, Novell, ex-USAF