IN3210 – Network Security

Cryptographic Foundations

History of Cryptography

2

Confidential Communication

DearBob....

DearBob....

Alice Bob

Eve

3

Confidential Communication

A B

4

Steganography

⚫ Examples:− Tattoo on head + growing hair

back

− Invisible ink

− Micro dot

⚫ Security by obscurity

⚫ Typically not conformingwith Kerckhoff’s principle

⚫ Modern steganography:− Printer steganography

− Embedding into multimedia data

Imag

e S

ou

rce:

Wik

iped

ia

5

Cryptology

⚫ Cryptography− Practice and study of using mathematics to protect data/information

− From Greek

▪ kryptos: "hidden, secret" and

▪ gráphō: "I write"

⚫ Cryptanalysis− Practice and study of finding weaknesses or insecurity in a

cryptographic scheme, thus permitting its subversion or evasion

− From Greek

▪ analýein: "to loosen" or "to untie"

6

Classical Cipher

⚫ Caesar Cipher (50 B.C.)

A B C D EZYX

A B C D EZYX

Hello Khoor

Plaintext Chiffre-text

3 Key

Imag

e S

ou

rce:

ww

w.a

ster

ix.c

om

7

Encryption

Key = 3 Key = 3

KhoorHello Hello

8

Symmetric Encryption

DearBob....

Encryption Decryption

DearBob....

6R4Y2hlbMZCB...

Alice Bob

Eve

9

Caesar Cipher

⚫ Which plaintext is encrypted here?− Ymjvznhpgwtbsktcozruxtajwymjqfeditl.

⚫ Try each possible key:1. Xliuymgofvsarjsbnyqtwszivxlipedchsk.

2. Wkhtxlfneurzqiramxpsvryhuwkhodcbgrj.

3. Vjgswkemdtqyphqzlworuqxgtvjgncbafqi.

4. Uifrvjdlcspxogpykvnqtpwfsuifmbazeph.

5. Thequickbrownfoxjumpsoverthelazydog.

6. Sgdpthbjaqnvmenwitlornudqsgdkzyxcnf.

7. Rfcosgaizpmuldmvhsknqmtcprfcjyxwbme.

8. Qebnrfzhyoltkclugrjmplsboqebixwvald.

9. Pdamqeygxnksjbktfqilokranpdahwvuzkc.

10. …

Testing all possible values (e.g. of a key) is

calledBrute Force Attack

10

Security of Crypto Systems

⚫ The previous attack assumes that the attacker knows:a) the Caesar cipher was used for encryption

b) how the Caesar cipher work

⚫ What is the effect if the attacker does not have this information?

⚫ More general: is a crypto system more secure if the system and its internal function kept secret?

11

Kerckhoff‘s Principle

⚫ “A cryptosystem should be secure even if the attacker knows all details about the system (including the encryption and decryption algorithms), with the exception of the secret key.“

⚫ Common mistake: keeping cryptographic algorithms secret increases the security (“security by obscurity”)

⚫ Example: GSM A5 algorithms− Details kept secret

− No cryptanalysis by the research community possible

− Attackers found weaknesses

− Nearly all variants nowadays broken!

Auguste Kerckhoffs(1835 – 1903)

Dutch crytographer

Imag

e S

ou

rce:

Wik

iped

ia

12

2

12

Caesar Cipher

TGF

BON

HUT

RED

18

Finding the correct keyis hard, withoutknowledge of

(at least part of)the plaintext.

13

One-Time Pad Encryption

k3

k2

B2 A0 C1 C2 E7 FB FE FA 89 AA AF 56 6A 67

Attack at dawn!

Retreat at 1100

The cat is dead

k1

k4

14

Basic Types of Attacks (on the Encryption Key)

⚫ Ciphertext-only attack− The attacker has access to one or several ciphertexts

⚫ Known-plaintext attack− The attacker has access to one or several plaintext / ciphertext pairs

⚫ Chosen-plaintext attack− The attacker can retrieve ciphertexts for arbitrarily chosen plaintexts

⚫ (Adaptive) chosen-ciphertext attack− The attacker can retrieve plaintexts for arbitrarily chosen ciphertexts

15

Monoalphabetical Substitution

⚫ Improvement over Caesar cipher

⚫ Each letter is replaced by (exactly) one other letter

⚫ Example:

⚫ Number of possible keys?

⚫ 26! 1026 288

Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z

Ciphertext: U F L P W D R A S J M C O N Q Y B V T E X H Z K G I

16

Monoalphabetical Substitution

⚫ Can easily be broken by analyzing the letter frequency in the cipher text

⚫ Large key space is a requisite but not sufficient for a secure encryption scheme

⚫ Next improvement: polyalphabetical substitution (e.g. Vignere, 1550)

th 1.52%

he 1.28%

in 0.94%

er 2,26%

an 2,00%

re 1,99%

nd 1,88%

at 1,79%

Bigram Frequency(english text)

Letter Frequency(english text)

17

Enigma

⚫ Invented 1918 by Arthur Scherbius

⚫ Electro-mechanical rotor cipher machines

⚫ Used by the German forces during WWII

⚫ Implements a polyalphabeticalsubstitution cipher

Imag

e S

ou

rce

: Wik

ipe

dia

18

Enigma

⚫ When pressing a button on the keyboard:− (at least) on rotor is turning on position

− an electrical circuit is closed and one bulb lights up

Imag

e S

ou

rce

: Wik

iped

ia

19

Enigma

⚫ Encryption was broken by Polish and British codebreakers in Bletchley Park

⚫ Most famous member:− Alan Turing

Imag

e S

ou

rce:

htt

p:/

/ww

w.c

ryp

tom

use

um

.co

m/,

Wik

ipe

dia

20

Enigma

⚫ Simulator:− http://users.telenet.be/d.rijmenants/en/enigmasim.htm

21

History of Cryptography

⚫ Simon Singh

⚫ The Code Book: The Secret History of Codes and Code-breaking

22

Crypto Primitives and their Usage

Confidentiality Integrity Authenticity Non-repudiation

Encryption(Cipher)

Hash Functions Digital Signature

23

(Symmetric) Encryption

24

Encryption

⚫ Encryption− Process of converting ordinary information the so-called plaintext into

unintelligible gibberish the so-called ciphertext

⚫ Decryption− Reverse process converting ciphertext back to

plaintext

⚫ Cipher (or cypher)− Pair of algorithms which create the encryption and

the reversing decryption

− The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key

25

Symmetric Encryption

⚫ The same key (secret key) is used for encryption and decryption

DearBob....

Encryption Decryption

DearBob....

Symmectric Key

6R4Y2hlbMZCB...

Alice Bob

Eve

Key Generator

26

Formalization of (symmetric) Encryption

⚫ Space of plain texts: P

⚫ Space of cipher texts: C

⚫ Space of keys: K

⚫ Encryption:

E: P x K→ C, E(x, k) = Ek(x)

⚫ Decryption:

D: C x K→ P, D(y, k) = Dk(y)

⚫ D is the invers function of E, i.e. for all x ∈ P and k ∈ K:

Dk(Ek(x)) = x

27

Formalization of Caesar Cipher

⚫ Numerical encoding of letters: A → 0, B → 1, …, Z → 25

⚫ Space of plain texts: P = ℤ26 = {0, 1, …, 25}

⚫ Space of cipher texts: C = ℤ26⚫ Space of keys: K = ℤ26⚫ Encryption:

Ek(x) = x + k mod 26

⚫ Decryption:

Dk(x) = x + (– k) mod 26

⚫ Size of key space? → |K| = 26

28

Stream Cipher

29

Plain text m Encryption

Cipher stream c

Key stream ks

Key stream ks

Cipher stream c

DecryptionPlain text m‘ = m

Stream Ciphers

⚫ A stream cipher is a symmetric key cipher where plaintext bits (mi) are combined with a pseudorandom cipher bit stream (key stream ks)

⚫ The pseudorandom key stream is generated by a pseudorandom number generator from a (shared) key

30

Key stream ksPRNG

Key k

Plain text m

Cipher stream c

One time pad

⚫ Key stream is completely random and only used once

⚫ Problem: key exchange (key has same size than plain/cipher text)

⚫ Provable perfectly secure(can only broken if key is known)

⚫ Cipher text can mean anything

31

Examples for Stream Ciphers

⚫ A5/1 and A5/2 (1989; used in GSM) → broken

⚫ RC4 (1987) → broken

⚫ Salsa20 (2005)

⚫ ChaCha20 (2008)

32

Block Cipher

⚫ A block cipher (Enc) is a symmetric key cipher and takes as input an n-bit block of plaintext and a key (k), and outputs a n-bit block of ciphertext

Enck

n bit

n bit

THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption

X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü

Encryption Encryptionk k k

33

Examples for Block Ciphers

⚫ DES (Data Encryption Standard)

⚫ AES (Advanced Encryption Standard)

⚫ Blowfish

⚫ Twofish

⚫ RC6

⚫ MARS

⚫ Serpent

AES

35

Image S

ou

rce: Wikip

edia

AES and DES

⚫ DES (NIST 1977)− 64 bit blocks und 56 bit keys

− Standard encryption in 1980s and 1990s

⚫ Advanced Encryption Standard (AES)− AES (Rijndael) developed by Belgian cryptographers

− Standardized by NIST in 2000 as DES successor

− 128 bit blocks and 128, 192, 256 bit keys

Brute force attack on AES and DES

⚫ Brute force attack on 56 key:− 1998: EFF DES Cracker (ASICs), 4.5 days,

250.000$

− 2006: COPACOBANA (FPGA), 6.4 days, 10.000$

− 2012: Pico Computing (FPGA), 0.5 days

⚫ Brute force attack on 128 or 256 bit key? (Assumption: breaking 56 bit in 1 second)

Key length Duration

56 bit 1 s

64 bit 4 m

80 bit 194 d

112 bit 109 a

128 bit 1014 a

192 bit 1033 a

256 bit 1052 a

Padding

⚫ What happens if you want to encrypt 100 bit with a 128 bit block cipher?

⚫ You must fill the plaintext up to the block length of the cipher

⚫ Approaches− Decryption process knows the data length

▪ Example: from a header entry

▪ Block can be filled with random bits/byte

− Decryption process does not know the data length

▪ Padding bits/bytes must be marked

Padding – One and Zeros

⚫ Attach one binary 1 followed by none, one or multiple binary 0

11010010 101110

11010010 10111010

11010010 1011100

11010010 10111001

11010010 10111001

11010010 10111001 10000000 00000000

Padding PKCS#5

⚫ Padding of whole bytes

⚫ Let L be the block size (in bytes)

⚫ When N bytes are missing to a full block (1 N L):add N bytes each with the value N

⚫ Examples (L = 8, XX = existing message, all numbers in hex)− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX 01

− XX XX XX XX XX XX XX XX | XX XX XX XX XX 03 03 03

− XX XX XX XX XX XX XX XX | XX 07 07 07 07 07 07 07

− XX XX XX XX XX XX XX XX | 08 08 08 08 08 08 08 08

⚫ Invalid padding example:− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX 08 02

40

Modes of Operation

⚫ Block ciphers operate on a fixed length input − DES, 3DES, IDEA: 64 bit

− AES: 128, 192, 256 bit

⚫ Processing of larger input− Cut input into blocks of the required block size and process them one

after the other

⚫ This naïve approach is also known as the Electronic Codebook (ECB) mode of operation

Block Cipher: Electronic Code Book

THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption

X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü

Encryption Encryption

42

Block Cipher: Electronic Code Book

THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption

X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü

Encryption Encryption

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Encryption

Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0

Encryption Encryption

43

ECBEncryption

Electronic Codebook (ECB)

⚫ Identical plaintext blocks are encrypted into identical ciphertext blocks

⚫ No protection of block order

⚫ Eases replay attacks

Imag

e S

ou

rce:

Wik

iped

ia

Cipher Block Chaining (CBC)

b0

bn

b1

...

Enc

c0

k Enc

cn

k

Nachricht

Geheimtext

...

Enc

c1

k

IV

Plain Text

Cipher Text

CBCEncryption

Cipher Block Chaining (CBC)

⚫ Identical plaintext blocks are NOT encrypted into identical ciphertext blocks

⚫ More “randomness” inside the encrypted data

⚫ However: XOR of plain and cipher text can be misused (later)

Ima

ge So

urce: W

ikiped

ia

Symmetric Encryption

⚫ One remaining problem: key generation

47

DearBob....

Encryption Decryption

DearBob....

Symmectric Key

6R4Y2hlbMZCB...

Alice Bob

Eve

Key Generator

Detour: Key Generation

⚫ Keys are derived from random numbers

⚫ Random number generation is not trivial

⚫ Computers are deterministic and can only generate pseudo random numbers

⚫ Poor “random” numbers which can be anticipated allow attacker calculation of keys

48

Detour: Key Generation

⚫ OpenSSL bug in Debian

49

Symmetric Encryption

⚫ Another remaining problem: key exchange

DearBob....

Encryption Decryption

DearBob....

Symmectric Key

6R4Y2hlbMZCB...

Alice Bob

Key Generator

50

Eve

Key Exchange and Asymmetric Encryption

51

Diffie Hellman Key exchange

⚫ Creating common (symmetric) key only known to the communication partners

⚫ Created by Whitfield Diffie and Martin Hellman in 1976

Ima

ge

so

urc

e: W

ikip

ed

ia

Illustration of DH Key Exchange

Imag

e so

urc

e: W

ikip

edia

Modular Arithmetic

⚫ a b (mod n) there is an integer k such that a – b = kn

⚫ Example:− 13 19 (mod 3), because 19 – 13 = 2 * 3

⚫ Simplified (sufficient for this lecture): mod operator

⚫ x mod n: remainder when performing an integer division of xand n

⚫ Example:− 19 mod 3 = 1

− 13 mod 3 = 1

− 1234 mod 10 = 4

− 220 mod 10 = 6

54

Logarithm

⚫ Choose (integer) b and a and calculate y = ba

⚫ Given just b and y can you calculate a?

⚫ Easy (logarithm): a = logb y

⚫ Example: − b = 7, y = 13841287201, a = ?

55

Discrete Logarithm

⚫ Choose integer b, a and n and calculate y = ba mod n

⚫ Given just b, n and y can you calculate a?

⚫ Example: − b = 7, n = 1023, y = 439, a = ?

⚫ Hard problem: Discrete Logarithm Problem (DLP)

⚫ No simple calculation

⚫ Only (known) method: test all possible values for a (infeasible for large n)

56

Diffie Hellman Key exchange

⚫ Alice and Bob agree on (public parameters):− Large prime number p

− Generator g (i.e. g is primitive root mod p)

⚫ Alice chooses a random number aand sends ga mod p to Bob

⚫ Bob chooses a random number band send gb mod p to Alice

⚫ Calculation of common secret: − Alice: (gb)a mod p

− Bob: (ga)b mod p

ga mod p

gbmod p

= gab mod p = K

Diffie Hellman Key exchange

⚫ (Passive) attacker learns:− g

− p

− gb mod p

− ga mod p

⚫ For calculating K the attacker needs additionally a or b

⚫ a or b can not (easily) derived from the know values: DLP

ga mod p

gbmod p

Eve

Weakness of DH Key Exchange

Mallory gb

ge

ga

ge

Secure Communication Secure Communication

K1 = gae mod p K2 = gbe mod p

Solution: later!

Breaking DH

⚫ Certain

⚫ Which size to choose for p?− 512 bit → practically broken (2015)

− 1024 bit → estimated costs for breaking: 100 million $

− 2048 bit → secure, but long runtime

60

Asymmetric Encryption

⚫ Problem of symmetric encryption:− Shared secret must be distributed

⚫ Problem of DH key exchange:− interactive protocol

− both parties must be “online” in order to start encrypted communication

⚫ Asymmetric Encryption:− Use different keys for de- and encryption

− Public encryption key is published (everyone can encrypt)

− Private decryption key is kept confidential (just owner can decrypt)

Asymmetric Encryption

⚫ Two distinct keys (private key and public key) are used for encryption and decryption respectively

DearBob....

Encryption Decryption

DearBob....

Key PairGenerator

Public Key

PrivateKey

6R4Y2hlbMZCB...

Alice Bob

Eve

Formalization of (asymmetric) Encryption

⚫ Space of plain texts: P

⚫ Space of cipher texts: C

⚫ Space of keys: public/private key pairs: K PK x SK

⚫ Encryption:

E: P x PK→ C, E(x, pk) = Epk(x)

⚫ Decryption:

D: C x SK→ P, D(y, sk) = Dsk(y)

⚫ D is the invers function of E, i.e. for all x ∈ P and (pk, sk) ∈ K:

Dsk(Epk(x)) = x

Asymmetric Encryption

⚫ Based on number theoretic problems

− RSA: Factorisation Problem

− ElGamal: Discrete Logarithm Problem (DLP)

⚫ RSA: named after its inventors (1978):

− Ronald Rivest

− Adi Shamir

− Leonard Adleman

Image sources:• University of Southern California• Massachusetts Institute of Technology

RSA

⚫ Choose two prime numbers p and q

⚫ Calc n = p · q, m = (p – 1) (q – 1)

⚫ Choose e and d with e · d ≡ 1 (mod m)

⚫ Public key: n, e

⚫ Private key: d

⚫ Encryption of message M:

C = M e mod n

⚫ Decryption of cipher text C:

M’ = C d mod n

⚫ M' = (M e)d mod n = M

Follows fromEuler‘s Theorem

RSA Calculation

⚫ 1. problem: calculation effort− 𝑥𝑛 = 𝑥 ∙ ⋯ ∙ 𝑥

𝑛

→ n – 1 multiplications

⚫ Square and Multiply:− Write n in binary; remove the first 1− For evert 1 perform first a square (...2) operation then a multiply operation

(• x)− For evert 0 perform a multiply operation (• x)

⚫ Example:− n = 2310 = 101112 → Q QM QM QM

− 𝑥23 = 𝑥2 2 ∙ 𝑥2∙ 𝑥

2

∙ 𝑥

− 7 multiplications instead of 22

⚫ “Standard” value for e: − 6553710 = 100000000000000012 → 16 multiplications

66

RSA Calculation

⚫ 2. problem: large intermediate values:− “Me mod n” is smaller than n, but “Me“ is very large

⚫ Property of mod operator:− (x • y) mod n = ((x mod n) • (y mod n)) mod n

⚫ Application to Square and Multiply:− Perform a “mod” operation after every square or multiply step

− Example:

▪ 𝑥23 mod 𝑛 = 𝑥2 mod 𝑛 2 mod 𝑛 ∙ 𝑥 mod 𝑛2mod 𝑛 ∙ 𝑥 mod 𝑛

2

…

− No intermediate value is larger than 𝑛2

67

Prime Numbers

⚫ How to calculate large (~ 500 - 2000 bits) prime numbers?

⚫ 2 types of primality tests:− Deterministic

− Probabilistic

⚫ Example: Solovay–Strassen primality test: − max ½ probability of wrong answer

− Algorithm for testing is n is prime▪ Repeat k times:

o Choose random number a

o Run primality test (uses number a as parameter)

o If false return „not prime“

▪ Return „probable prime“

− Error probability: 1/2k, e.g. 2-100 for k = 100

Breaking RSA

⚫ Best known attack on RSA: factorizing n

RSA number

Decimal digits

Binary digits

Cash prize offered

Factored on

RSA-100 100 330 $1000 April 1, 1991

RSA-110 110 364 $4429 April 14, 1992

RSA-120 120 397 $5895 July 9, 1993

RSA-129 129 426 $100 April 26, 1994

RSA-130 130 430 $14,527 April 10, 1996

RSA-140 140 463 $17,226 February 2, 1999

RSA-150 150 496 April 16, 2004

RSA-155 155 512 $9383 August 22, 1999

RSA-160 160 530 April 1, 2003

RSA-170 170 563 December 29, 2009

RSA-576 174 576 $10,000 December 3, 2003

RSA-180 180 596 May 8, 2010

RSA-190 190 629 November 8, 2010

RSA-640 193 640 $20,000 November 2, 2005

RSA-200 200 663 May 9, 2005

RSA-210 210 696 September 26, 2013

RSA-704 212 704 $30,000 July 2, 2012

RSA-220 220 729 May 13, 2016

RSA-768 232 768 $50,000 December 12, 2009

So

urc

e: W

ikip

edia

Hybrid Encryption (1/3)

⚫ Pros and cons of (a)symmetric encryption:− Symmetric encryption:

▪ good performance (1000x times faster) vs. key exchange problem

− Asymmetric encryption:

▪ easier key management vs. slow performance + limited message size

⚫ Hybrid Encryption: combining the advantages:− Encrypt a random symmetric session key by means of asymmetric

encryption

− Encrypt the data with the symmetric session key and by means of symmetric encryption

Hybrid Encryption (2/3)

⚫ Encryption process

DearBob....

SymmetricEncryption

Symmetric Key

Alice

Key Generator

AsymetricEncryption

6R4Y2hlbMZCBaj39c2jmCw...

Encrypted Key

Bob‘s Public Key

Hybrid Encryption (3/3)

⚫ Decryption process

DearBob....

SymmetricDecryption

Symmetric Key

Bob

6R4Y2hlbMZCBaj39c2jmCw...

Encrypted Key

AsymmetricDecryption

Bob‘s Private Key

Exchange of Public Keys

⚫ Confidentiality not required → passive attacker can read the public key (no problem)

AliceBob Eve

“Alice”, pub(A)

Enc(pub(A), M)

Exchange of Public Keys

⚫ Integrity highly required → active attacker can modify/exchange the public key (system broken!)

Solution: later!

AliceBob Mallory

“Alice”, pub(A)

Enc(pub(E), M)

“Alice”, pub(E)

Hash Functions

Integrity testing

Alice Bob

Hash Function

h( · )

Alice Bob

Definition of Hash Function

⚫h : * →nNoZXJuZCBhw59lbiBNw6R4Y2hlbnMZCBhw59lFLDvGJlbiwgSm9naHVydCB1bmQgUXV4Y2hlbnMgVsOw59l2R4Y2hlbnMgVsOZ2R4bnMgVsOVsIFLDhcms=

Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumyeirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diamvoluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clitakasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumyeirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diamvoluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clitakasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,, sed diam eirmod ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et duo dolores et ea. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum amet.

da39a3ee5e6b4b0d3255

68ac906495480a3404be

15a391c7de1f07f4885af

Real life example: Integrity Protection for Dowloads

⚫ Ubuntu: File„MD5SUM“

⚫ Xfce: Note on Web site

cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso

14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso

99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso

e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso

Properties of Hash Functions

47114711

h(M) = 4711 h(M’) = 4711

Alice Bob

Collision resistant

⚫ Collision− There exists two messages M and M’:

M ≠ M’ and h(M) = h(M’)

⚫ Avoiding accidental collisions:− Choose co-domain large enough

⚫ Collision resistant :− It is not possible (using “reasonable” computation time) to find a

collision i.e. two messages M and M’ with h(M) = h(M’)

Poor Hash Function

⚫ Checksum:

S e l l 1 8

b o o k s 1 0

E U R e a c h

L o r e m i p s

u m d o l o r s

i t a m e t c o

n s e t e t u r

S e l l 1 1

b o o k s 8 0

E U R e a c h

39 AC 2E 31 7F 03 F5 81

Requirement for Hash Function

⚫ Randomness− Small change on input→ large change on output

− Avalanche effect

⚫ Rule of thumb− 1 input bit is changed→ 50 % output bits are changed

⚫ Example:− SHA-1(„Hallo“) = 59d9a6df06b9f610f7db8e036896ed03662d168f

− SHA-1(„Hello“) = f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0

Birthday Paradoxon

⚫ There are 23 people in one room

⚫ What is the probability for „2 persons have the same birthday“ (just day and month, not year)

⚫ Answer: approx. 50%

Birthday Attack

⚫ Let h be a hash function with co-domain of size 2n

(i.e. with hash values of length n bit)

⚫ Calculation of collision needs 2n/2 checks (average)

⚫ Conclusion: choose n as large as possible

⚫ Current recommendation:− (average) 280 checks required

− Hash value have minimum length 160 bit

⚫ If (at n bit length) less tests than 2n/2 required:Hash function has weakness

Properties of Hash functions

4711

Alice BobEve

One-way function

⚫ One-way property (preimage resistant):− There exist no (efficient) inverse function for h, i.e.

− It is not possible to calculate message M from hash value H with: h(M) = H

⚫ h collision resistant h one-way function

Types of Hash Algorithms

⚫ Encryption-based− Uses block ciphers

− Low performance

− insecure

⚫ Algebraic− Uses number theory problems (e.g. discrete logarithm)

− Low performance

⚫ Ad-Hoc Design− Uses: AND, OR, XOR, SHIFT, S-Boxes

− Most widespread usage

Common Hash Algorithms

⚫ MD5− Message-Digest-Algorithm (R. Rivest, 1992)

− RFC 1321

− Input: < 264 bit, Output: 128 bit

⚫ SHA-1− Secure Hash Algorithm (NIST/NSA, 1994)

− Input: < 264 bit, Output: 160 bit

⚫ SHA-2− Secure Hash Algorithm (NIST/NSA, 2002)

− SHA-256: Input: < 264 bit, Output: 256 bit

− SHA-384: Input: < 2128 bit, Output: 384 bit

− SHA-512: Input: < 2128 bit, Output: 512 bit

SHA-1 – Internal Structure

E D C B A

<<5

>>2

+

+

+

E D C B A

K

F+

5 x 32 Bit

80 x

M

160 BitW

5 x 32 Bit

Merkle Damgård Construction

Block 1

fIV

Block 2

Message M

f f

Block m

Hashh(M)

fn bit

n bit

n bit

...

...

Compression function f Hash function h

f collision resistant h collision resistant

Lengthof M

Security of Hash Algorithms

⚫ Known attacks on Hash properties

Algorithm Attack onCollision resistence

Attack onOne way property

MD5 Yes Yes

SHA-1 Yes No

SHA-2 (Yes) No

Security of Hash Algorithms

SHA-3 Competition

⚫ Creating new Hash function (successor of SHA-2)

⚫ Open competition by NIST started 2007

⚫ Public analysis and discussion of candidates

⚫ Criteria:− Performance

− Security

− Diversity

⚫ Winner (announced 2012): Keccak

⚫ Standardized as SHA-3 (2015)

Breaking Hashes

⚫ „Anonymous“exam results

Breaking Hashes

⚫ How to find the pre-image of H? (i.e. finding m with h(m) = H)

⚫ Brute force attack: testing all possible values for m− rather simple if the set of “all possible values” is rather small

− Examples:▪ m is a short/simple password

▪ m is a matriculation number

▪ m is an IP address

⚫ Variation: Dictionary attack: testing just certain values− Examples

▪ typical passwords (“1234”, “admin”, ...)

▪ real world words (“dog”, “car”, ...)

⚫ Lookup in a pre-calculated list of “all” m and h(m)− Practical implementation: Rainbow Table

96

Breaking Hashes – Countermeasures

⚫ Brute force/Dictionary:− avoid short/simple messages

− use special resource consuming “hash” functions (e.g. scrypt, Argon2)

− add a secret value to the hash calculation: pepper (not always possible)

⚫ Rainbow table:− avoid short/simple messages

− add a (non-secret) random value to the hash calculation: salt

97

Integrity Protection and Digital Signature

Message Authentication Code

DearBob....

DearBob....

DearBob....

DearBob....

MAC

= ?

MAC

DearBob....

Message Authentication Code

⚫ A Message Authentication Code (MAC) is a short piece of information used to authenticate a message

⚫ The involved key enables to provide authentication means in addition to integrity

⚫ In some contexts a MAC is also called a symmetric signature

⚫ First idea for implementation:

mack(m) = h(k || m)

(here || is the concatenation operator)

f

m

f f...

...

k

mac

e

mac f f mac*

...

IV

f f f...

...

k

f f mac*

...

IV

e mac*m

Length extension attack (simplified)

⚫ Possible with hash functions based on M-D-Construction

⚫ Idea:− A and B have shared secret k

− A creates message m and mac = h(k||m)

− E intercepts message and MAC

− E creates e and m* = m||e and mac* = h(k||m*) = h(k||m||e)(no knowledge of k is required!)

− E sends m* and mac* to B

− B verifies m* and mac* and thinks the message is from A

Length extension attack (simplified)

⚫ The attacker was able to create a message m* = m || eand a MAC mac* with mac*=h(k||m*)

⚫ No knowledge of k is required

⚫ Problem: is m* still making sense to the recipient?

⚫ Example:− Original message:

count=10&lat=37&user_id=1&long=-119&waffle=eggo

− New message:count=10&lat=37&user_id=1&long=-119&waffle=eggo&waffle=liege

Example Source: Wikipedia

Message Authentication Code

⚫ Solution: HMAC

mack(m) = HMAC(m, k)= h(k XOR opad || h(k XOR ipad || m))

− with opad and ipad fixed constants:

▪ ipad = the byte 0x36 repeated B times

▪ opad = the byte 0x5C repeated B times

▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)

Message Authentication Code

⚫ Security services:− Authenticity

− Integrity

⚫ Limitations:− For verification knowledge of secret key required

− Every owner of the secret key can create the MAC

− → not possible to decide if Alice or Bob created the MAC

− → the actual creator of the MAC can deny the creation

− → no “non-repudiation” property

106

Digital Signature

⚫ Equivalent to traditional handwritten signatures

⚫ Properties:− Only one person can create the signature

− Everyone can verify the signature

− Can identify the creator of the signature

− Is bound to a specific document

− Prohibits changes to the document

107

non-repudiation

integrity

authenticity

Formalization of Digital Signature

⚫ Space of messages: M

⚫ Space of signatures: S

⚫ Space of keys: public/private key pairs: K PK x SK

⚫ Sign operation:

Sig: M x SK→ S, sig = Sig(m, sk)

⚫ Verify operation:

Verify: M x S x PK→ {true, false}, isValid = Verify(m, sig, pk)

⚫ Valid signature: for all m ∈M and (pk, sk) ∈ K

Verify(m, Sig(m, sk), pk) = true

108

Digital Signature (here: RSA)

DearBob....

DearBob....

DearBob....

DearBob....

Encryption

Hash

= ?

HashDecryption

DearBob....

Digital Signature

⚫ Properties:− Only one person can create the signature

▪ Private key required

− Everyone can verify the signature▪ Public key is sufficient (need the correct public key)

− Can identify the creator of the signature▪ Owner of the private key = creator (unless private key was stolen)

− Is bound to a specific document▪ move signature to a different document→ hash of document ≠ hash inside signature (unless collision) → verification fails

− Prohibits changes to the document▪ change of document→ change of hash (unless collision) → verification fails

110

✓

✓

✓

✓

✓

Again: Integrity Protection for Dowloads

Putty – SSH Client for Windows

Digital Signature (in general)

DearBob....

DearBob....

DearBob....

DearBob....

Sign

Hash

HashVerify

valid / invalid

DearBob....

Digital Signature

⚫ Example algorithms:− RSA with SHA2

− DSA with SHA2

− ECDSA with SHA2

Final Remarks

114

Elliptic Curve Cryptography

⚫ DSA and DH are based on modular exponentiation over a (finite) field of integers

⚫ One can perform similar operations on an “elliptic curve”

⚫ Main advantage: − same security level with shorter key

− better performance (runtime up to 10 times faster)

Security Level RSA/DH (NIST) RSA/DH (ECRYPT) ECDH

80 1024 1248 160

112 2048 2432 224

128 3072 3248 256

192 7680 7936 384

256 15360 15424 512

Practical Usage Recommendations

⚫ Symmetric Encryption: AES-256, mode: GCM (later)

⚫ Asymmetric Encryption: RSA-2048 (or longer)

⚫ Key exchange: ECDHE-256

⚫ Hash: SHA-256

⚫ Message Authentication:− AES in GCM mode (authenticated encryption)

− Poly1305 (e.g. in combination with ChaCha20)

⚫ Signature: − RSA-2048 with SHA-256 (or longer)

− ECDSA-256 with SHA-256