Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
IN3210 – Network Security
Cryptographic Foundations
History of Cryptography
2
Confidential Communication
DearBob....
DearBob....
Alice Bob
Eve
3
Confidential Communication
A B
4
Steganography
⚫ Examples:− Tattoo on head + growing hair
back
− Invisible ink
− Micro dot
⚫ Security by obscurity
⚫ Typically not conformingwith Kerckhoff’s principle
⚫ Modern steganography:− Printer steganography
− Embedding into multimedia data
Imag
e S
ou
rce:
Wik
iped
ia
5
Cryptology
⚫ Cryptography− Practice and study of using mathematics to protect data/information
− From Greek
▪ kryptos: "hidden, secret" and
▪ gráphō: "I write"
⚫ Cryptanalysis− Practice and study of finding weaknesses or insecurity in a
cryptographic scheme, thus permitting its subversion or evasion
− From Greek
▪ analýein: "to loosen" or "to untie"
6
Classical Cipher
⚫ Caesar Cipher (50 B.C.)
A B C D EZYX
A B C D EZYX
Hello Khoor
Plaintext Chiffre-text
3 Key
Imag
e S
ou
rce:
ww
w.a
ster
ix.c
om
7
Encryption
Key = 3 Key = 3
KhoorHello Hello
8
Symmetric Encryption
DearBob....
Encryption Decryption
DearBob....
6R4Y2hlbMZCB...
Alice Bob
Eve
9
Caesar Cipher
⚫ Which plaintext is encrypted here?− Ymjvznhpgwtbsktcozruxtajwymjqfeditl.
⚫ Try each possible key:1. Xliuymgofvsarjsbnyqtwszivxlipedchsk.
2. Wkhtxlfneurzqiramxpsvryhuwkhodcbgrj.
3. Vjgswkemdtqyphqzlworuqxgtvjgncbafqi.
4. Uifrvjdlcspxogpykvnqtpwfsuifmbazeph.
5. Thequickbrownfoxjumpsoverthelazydog.
6. Sgdpthbjaqnvmenwitlornudqsgdkzyxcnf.
7. Rfcosgaizpmuldmvhsknqmtcprfcjyxwbme.
8. Qebnrfzhyoltkclugrjmplsboqebixwvald.
9. Pdamqeygxnksjbktfqilokranpdahwvuzkc.
10. …
Testing all possible values (e.g. of a key) is
calledBrute Force Attack
10
Security of Crypto Systems
⚫ The previous attack assumes that the attacker knows:a) the Caesar cipher was used for encryption
b) how the Caesar cipher work
⚫ What is the effect if the attacker does not have this information?
⚫ More general: is a crypto system more secure if the system and its internal function kept secret?
11
Kerckhoff‘s Principle
⚫ “A cryptosystem should be secure even if the attacker knows all details about the system (including the encryption and decryption algorithms), with the exception of the secret key.“
⚫ Common mistake: keeping cryptographic algorithms secret increases the security (“security by obscurity”)
⚫ Example: GSM A5 algorithms− Details kept secret
− No cryptanalysis by the research community possible
− Attackers found weaknesses
− Nearly all variants nowadays broken!
Auguste Kerckhoffs(1835 – 1903)
Dutch crytographer
Imag
e S
ou
rce:
Wik
iped
ia
12
2
12
Caesar Cipher
TGF
BON
HUT
RED
18
Finding the correct keyis hard, withoutknowledge of
(at least part of)the plaintext.
13
One-Time Pad Encryption
k3
k2
B2 A0 C1 C2 E7 FB FE FA 89 AA AF 56 6A 67
Attack at dawn!
Retreat at 1100
The cat is dead
k1
k4
14
Basic Types of Attacks (on the Encryption Key)
⚫ Ciphertext-only attack− The attacker has access to one or several ciphertexts
⚫ Known-plaintext attack− The attacker has access to one or several plaintext / ciphertext pairs
⚫ Chosen-plaintext attack− The attacker can retrieve ciphertexts for arbitrarily chosen plaintexts
⚫ (Adaptive) chosen-ciphertext attack− The attacker can retrieve plaintexts for arbitrarily chosen ciphertexts
15
Monoalphabetical Substitution
⚫ Improvement over Caesar cipher
⚫ Each letter is replaced by (exactly) one other letter
⚫ Example:
⚫ Number of possible keys?
⚫ 26! 1026 288
Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: U F L P W D R A S J M C O N Q Y B V T E X H Z K G I
16
Monoalphabetical Substitution
⚫ Can easily be broken by analyzing the letter frequency in the cipher text
⚫ Large key space is a requisite but not sufficient for a secure encryption scheme
⚫ Next improvement: polyalphabetical substitution (e.g. Vignere, 1550)
th 1.52%
he 1.28%
in 0.94%
er 2,26%
an 2,00%
re 1,99%
nd 1,88%
at 1,79%
Bigram Frequency(english text)
Letter Frequency(english text)
17
Enigma
⚫ Invented 1918 by Arthur Scherbius
⚫ Electro-mechanical rotor cipher machines
⚫ Used by the German forces during WWII
⚫ Implements a polyalphabeticalsubstitution cipher
Imag
e S
ou
rce
: Wik
ipe
dia
18
Enigma
⚫ When pressing a button on the keyboard:− (at least) on rotor is turning on position
− an electrical circuit is closed and one bulb lights up
Imag
e S
ou
rce
: Wik
iped
ia
19
Enigma
⚫ Encryption was broken by Polish and British codebreakers in Bletchley Park
⚫ Most famous member:− Alan Turing
Imag
e S
ou
rce:
htt
p:/
/ww
w.c
ryp
tom
use
um
.co
m/,
Wik
ipe
dia
20
Enigma
⚫ Simulator:− http://users.telenet.be/d.rijmenants/en/enigmasim.htm
21
History of Cryptography
⚫ Simon Singh
⚫ The Code Book: The Secret History of Codes and Code-breaking
22
Crypto Primitives and their Usage
Confidentiality Integrity Authenticity Non-repudiation
Encryption(Cipher)
Hash Functions Digital Signature
23
(Symmetric) Encryption
24
Encryption
⚫ Encryption− Process of converting ordinary information the so-called plaintext into
unintelligible gibberish the so-called ciphertext
⚫ Decryption− Reverse process converting ciphertext back to
plaintext
⚫ Cipher (or cypher)− Pair of algorithms which create the encryption and
the reversing decryption
− The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key
25
Symmetric Encryption
⚫ The same key (secret key) is used for encryption and decryption
DearBob....
Encryption Decryption
DearBob....
Symmectric Key
6R4Y2hlbMZCB...
Alice Bob
Eve
Key Generator
26
Formalization of (symmetric) Encryption
⚫ Space of plain texts: P
⚫ Space of cipher texts: C
⚫ Space of keys: K
⚫ Encryption:
E: P x K→ C, E(x, k) = Ek(x)
⚫ Decryption:
D: C x K→ P, D(y, k) = Dk(y)
⚫ D is the invers function of E, i.e. for all x ∈ P and k ∈ K:
Dk(Ek(x)) = x
27
Formalization of Caesar Cipher
⚫ Numerical encoding of letters: A → 0, B → 1, …, Z → 25
⚫ Space of plain texts: P = ℤ26 = {0, 1, …, 25}
⚫ Space of cipher texts: C = ℤ26⚫ Space of keys: K = ℤ26⚫ Encryption:
Ek(x) = x + k mod 26
⚫ Decryption:
Dk(x) = x + (– k) mod 26
⚫ Size of key space? → |K| = 26
28
Stream Cipher
29
Plain text m Encryption
Cipher stream c
Key stream ks
Key stream ks
Cipher stream c
DecryptionPlain text m‘ = m
Stream Ciphers
⚫ A stream cipher is a symmetric key cipher where plaintext bits (mi) are combined with a pseudorandom cipher bit stream (key stream ks)
⚫ The pseudorandom key stream is generated by a pseudorandom number generator from a (shared) key
30
Key stream ksPRNG
Key k
Plain text m
Cipher stream c
One time pad
⚫ Key stream is completely random and only used once
⚫ Problem: key exchange (key has same size than plain/cipher text)
⚫ Provable perfectly secure(can only broken if key is known)
⚫ Cipher text can mean anything
31
Examples for Stream Ciphers
⚫ A5/1 and A5/2 (1989; used in GSM) → broken
⚫ RC4 (1987) → broken
⚫ Salsa20 (2005)
⚫ ChaCha20 (2008)
32
Block Cipher
⚫ A block cipher (Enc) is a symmetric key cipher and takes as input an n-bit block of plaintext and a key (k), and outputs a n-bit block of ciphertext
Enck
n bit
n bit
THIS IS A SIMPLE PLAINTEXT MESSAGE.
Encryption
X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü
Encryption Encryptionk k k
33
Examples for Block Ciphers
⚫ DES (Data Encryption Standard)
⚫ AES (Advanced Encryption Standard)
⚫ Blowfish
⚫ Twofish
⚫ RC6
⚫ MARS
⚫ Serpent
AES
35
Image S
ou
rce: Wikip
edia
AES and DES
⚫ DES (NIST 1977)− 64 bit blocks und 56 bit keys
− Standard encryption in 1980s and 1990s
⚫ Advanced Encryption Standard (AES)− AES (Rijndael) developed by Belgian cryptographers
− Standardized by NIST in 2000 as DES successor
− 128 bit blocks and 128, 192, 256 bit keys
Brute force attack on AES and DES
⚫ Brute force attack on 56 key:− 1998: EFF DES Cracker (ASICs), 4.5 days,
250.000$
− 2006: COPACOBANA (FPGA), 6.4 days, 10.000$
− 2012: Pico Computing (FPGA), 0.5 days
⚫ Brute force attack on 128 or 256 bit key? (Assumption: breaking 56 bit in 1 second)
Key length Duration
56 bit 1 s
64 bit 4 m
80 bit 194 d
112 bit 109 a
128 bit 1014 a
192 bit 1033 a
256 bit 1052 a
Padding
⚫ What happens if you want to encrypt 100 bit with a 128 bit block cipher?
⚫ You must fill the plaintext up to the block length of the cipher
⚫ Approaches− Decryption process knows the data length
▪ Example: from a header entry
▪ Block can be filled with random bits/byte
− Decryption process does not know the data length
▪ Padding bits/bytes must be marked
Padding – One and Zeros
⚫ Attach one binary 1 followed by none, one or multiple binary 0
11010010 101110
11010010 10111010
11010010 1011100
11010010 10111001
11010010 10111001
11010010 10111001 10000000 00000000
Padding PKCS#5
⚫ Padding of whole bytes
⚫ Let L be the block size (in bytes)
⚫ When N bytes are missing to a full block (1 N L):add N bytes each with the value N
⚫ Examples (L = 8, XX = existing message, all numbers in hex)− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX 01
− XX XX XX XX XX XX XX XX | XX XX XX XX XX 03 03 03
− XX XX XX XX XX XX XX XX | XX 07 07 07 07 07 07 07
− XX XX XX XX XX XX XX XX | 08 08 08 08 08 08 08 08
⚫ Invalid padding example:− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX 08 02
40
Modes of Operation
⚫ Block ciphers operate on a fixed length input − DES, 3DES, IDEA: 64 bit
− AES: 128, 192, 256 bit
⚫ Processing of larger input− Cut input into blocks of the required block size and process them one
after the other
⚫ This naïve approach is also known as the Electronic Codebook (ECB) mode of operation
Block Cipher: Electronic Code Book
THIS IS A SIMPLE PLAINTEXT MESSAGE.
Encryption
X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü
Encryption Encryption
42
Block Cipher: Electronic Code Book
THIS IS A SIMPLE PLAINTEXT MESSAGE.
Encryption
X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü
Encryption Encryption
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Encryption
Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0
Encryption Encryption
43
ECBEncryption
Electronic Codebook (ECB)
⚫ Identical plaintext blocks are encrypted into identical ciphertext blocks
⚫ No protection of block order
⚫ Eases replay attacks
Imag
e S
ou
rce:
Wik
iped
ia
Cipher Block Chaining (CBC)
b0
bn
b1
...
Enc
c0
k Enc
cn
k
Nachricht
Geheimtext
...
Enc
c1
k
IV
Plain Text
Cipher Text
CBCEncryption
Cipher Block Chaining (CBC)
⚫ Identical plaintext blocks are NOT encrypted into identical ciphertext blocks
⚫ More “randomness” inside the encrypted data
⚫ However: XOR of plain and cipher text can be misused (later)
Ima
ge So
urce: W
ikiped
ia
Symmetric Encryption
⚫ One remaining problem: key generation
47
DearBob....
Encryption Decryption
DearBob....
Symmectric Key
6R4Y2hlbMZCB...
Alice Bob
Eve
Key Generator
Detour: Key Generation
⚫ Keys are derived from random numbers
⚫ Random number generation is not trivial
⚫ Computers are deterministic and can only generate pseudo random numbers
⚫ Poor “random” numbers which can be anticipated allow attacker calculation of keys
48
Detour: Key Generation
⚫ OpenSSL bug in Debian
49
Symmetric Encryption
⚫ Another remaining problem: key exchange
DearBob....
Encryption Decryption
DearBob....
Symmectric Key
6R4Y2hlbMZCB...
Alice Bob
Key Generator
50
Eve
Key Exchange and Asymmetric Encryption
51
Diffie Hellman Key exchange
⚫ Creating common (symmetric) key only known to the communication partners
⚫ Created by Whitfield Diffie and Martin Hellman in 1976
Ima
ge
so
urc
e: W
ikip
ed
ia
Illustration of DH Key Exchange
Imag
e so
urc
e: W
ikip
edia
Modular Arithmetic
⚫ a b (mod n) there is an integer k such that a – b = kn
⚫ Example:− 13 19 (mod 3), because 19 – 13 = 2 * 3
⚫ Simplified (sufficient for this lecture): mod operator
⚫ x mod n: remainder when performing an integer division of xand n
⚫ Example:− 19 mod 3 = 1
− 13 mod 3 = 1
− 1234 mod 10 = 4
− 220 mod 10 = 6
54
Logarithm
⚫ Choose (integer) b and a and calculate y = ba
⚫ Given just b and y can you calculate a?
⚫ Easy (logarithm): a = logb y
⚫ Example: − b = 7, y = 13841287201, a = ?
55
Discrete Logarithm
⚫ Choose integer b, a and n and calculate y = ba mod n
⚫ Given just b, n and y can you calculate a?
⚫ Example: − b = 7, n = 1023, y = 439, a = ?
⚫ Hard problem: Discrete Logarithm Problem (DLP)
⚫ No simple calculation
⚫ Only (known) method: test all possible values for a (infeasible for large n)
56
Diffie Hellman Key exchange
⚫ Alice and Bob agree on (public parameters):− Large prime number p
− Generator g (i.e. g is primitive root mod p)
⚫ Alice chooses a random number aand sends ga mod p to Bob
⚫ Bob chooses a random number band send gb mod p to Alice
⚫ Calculation of common secret: − Alice: (gb)a mod p
− Bob: (ga)b mod p
ga mod p
gbmod p
= gab mod p = K
Diffie Hellman Key exchange
⚫ (Passive) attacker learns:− g
− p
− gb mod p
− ga mod p
⚫ For calculating K the attacker needs additionally a or b
⚫ a or b can not (easily) derived from the know values: DLP
ga mod p
gbmod p
Eve
Weakness of DH Key Exchange
Mallory gb
ge
ga
ge
Secure Communication Secure Communication
K1 = gae mod p K2 = gbe mod p
Solution: later!
Breaking DH
⚫ Certain
⚫ Which size to choose for p?− 512 bit → practically broken (2015)
− 1024 bit → estimated costs for breaking: 100 million $
− 2048 bit → secure, but long runtime
60
Asymmetric Encryption
⚫ Problem of symmetric encryption:− Shared secret must be distributed
⚫ Problem of DH key exchange:− interactive protocol
− both parties must be “online” in order to start encrypted communication
⚫ Asymmetric Encryption:− Use different keys for de- and encryption
− Public encryption key is published (everyone can encrypt)
− Private decryption key is kept confidential (just owner can decrypt)
Asymmetric Encryption
⚫ Two distinct keys (private key and public key) are used for encryption and decryption respectively
DearBob....
Encryption Decryption
DearBob....
Key PairGenerator
Public Key
PrivateKey
6R4Y2hlbMZCB...
Alice Bob
Eve
Formalization of (asymmetric) Encryption
⚫ Space of plain texts: P
⚫ Space of cipher texts: C
⚫ Space of keys: public/private key pairs: K PK x SK
⚫ Encryption:
E: P x PK→ C, E(x, pk) = Epk(x)
⚫ Decryption:
D: C x SK→ P, D(y, sk) = Dsk(y)
⚫ D is the invers function of E, i.e. for all x ∈ P and (pk, sk) ∈ K:
Dsk(Epk(x)) = x
Asymmetric Encryption
⚫ Based on number theoretic problems
− RSA: Factorisation Problem
− ElGamal: Discrete Logarithm Problem (DLP)
⚫ RSA: named after its inventors (1978):
− Ronald Rivest
− Adi Shamir
− Leonard Adleman
Image sources:• University of Southern California• Massachusetts Institute of Technology
RSA
⚫ Choose two prime numbers p and q
⚫ Calc n = p · q, m = (p – 1) (q – 1)
⚫ Choose e and d with e · d ≡ 1 (mod m)
⚫ Public key: n, e
⚫ Private key: d
⚫ Encryption of message M:
C = M e mod n
⚫ Decryption of cipher text C:
M’ = C d mod n
⚫ M' = (M e)d mod n = M
Follows fromEuler‘s Theorem
RSA Calculation
⚫ 1. problem: calculation effort− 𝑥𝑛 = 𝑥 ∙ ⋯ ∙ 𝑥
𝑛
→ n – 1 multiplications
⚫ Square and Multiply:− Write n in binary; remove the first 1− For evert 1 perform first a square (...2) operation then a multiply operation
(• x)− For evert 0 perform a multiply operation (• x)
⚫ Example:− n = 2310 = 101112 → Q QM QM QM
− 𝑥23 = 𝑥2 2 ∙ 𝑥2∙ 𝑥
2
∙ 𝑥
− 7 multiplications instead of 22
⚫ “Standard” value for e: − 6553710 = 100000000000000012 → 16 multiplications
66
RSA Calculation
⚫ 2. problem: large intermediate values:− “Me mod n” is smaller than n, but “Me“ is very large
⚫ Property of mod operator:− (x • y) mod n = ((x mod n) • (y mod n)) mod n
⚫ Application to Square and Multiply:− Perform a “mod” operation after every square or multiply step
− Example:
▪ 𝑥23 mod 𝑛 = 𝑥2 mod 𝑛 2 mod 𝑛 ∙ 𝑥 mod 𝑛2mod 𝑛 ∙ 𝑥 mod 𝑛
2
…
− No intermediate value is larger than 𝑛2
67
Prime Numbers
⚫ How to calculate large (~ 500 - 2000 bits) prime numbers?
⚫ 2 types of primality tests:− Deterministic
− Probabilistic
⚫ Example: Solovay–Strassen primality test: − max ½ probability of wrong answer
− Algorithm for testing is n is prime▪ Repeat k times:
o Choose random number a
o Run primality test (uses number a as parameter)
o If false return „not prime“
▪ Return „probable prime“
− Error probability: 1/2k, e.g. 2-100 for k = 100
Breaking RSA
⚫ Best known attack on RSA: factorizing n
RSA number
Decimal digits
Binary digits
Cash prize offered
Factored on
RSA-100 100 330 $1000 April 1, 1991
RSA-110 110 364 $4429 April 14, 1992
RSA-120 120 397 $5895 July 9, 1993
RSA-129 129 426 $100 April 26, 1994
RSA-130 130 430 $14,527 April 10, 1996
RSA-140 140 463 $17,226 February 2, 1999
RSA-150 150 496 April 16, 2004
RSA-155 155 512 $9383 August 22, 1999
RSA-160 160 530 April 1, 2003
RSA-170 170 563 December 29, 2009
RSA-576 174 576 $10,000 December 3, 2003
RSA-180 180 596 May 8, 2010
RSA-190 190 629 November 8, 2010
RSA-640 193 640 $20,000 November 2, 2005
RSA-200 200 663 May 9, 2005
RSA-210 210 696 September 26, 2013
RSA-704 212 704 $30,000 July 2, 2012
RSA-220 220 729 May 13, 2016
RSA-768 232 768 $50,000 December 12, 2009
So
urc
e: W
ikip
edia
Hybrid Encryption (1/3)
⚫ Pros and cons of (a)symmetric encryption:− Symmetric encryption:
▪ good performance (1000x times faster) vs. key exchange problem
− Asymmetric encryption:
▪ easier key management vs. slow performance + limited message size
⚫ Hybrid Encryption: combining the advantages:− Encrypt a random symmetric session key by means of asymmetric
encryption
− Encrypt the data with the symmetric session key and by means of symmetric encryption
Hybrid Encryption (2/3)
⚫ Encryption process
DearBob....
SymmetricEncryption
Symmetric Key
Alice
Key Generator
AsymetricEncryption
6R4Y2hlbMZCBaj39c2jmCw...
Encrypted Key
Bob‘s Public Key
Hybrid Encryption (3/3)
⚫ Decryption process
DearBob....
SymmetricDecryption
Symmetric Key
Bob
6R4Y2hlbMZCBaj39c2jmCw...
Encrypted Key
AsymmetricDecryption
Bob‘s Private Key
Exchange of Public Keys
⚫ Confidentiality not required → passive attacker can read the public key (no problem)
AliceBob Eve
“Alice”, pub(A)
Enc(pub(A), M)
Exchange of Public Keys
⚫ Integrity highly required → active attacker can modify/exchange the public key (system broken!)
Solution: later!
AliceBob Mallory
“Alice”, pub(A)
Enc(pub(E), M)
“Alice”, pub(E)
Hash Functions
Integrity testing
Alice Bob
Hash Function
h( · )
Alice Bob
Definition of Hash Function
⚫h : * →nNoZXJuZCBhw59lbiBNw6R4Y2hlbnMZCBhw59lFLDvGJlbiwgSm9naHVydCB1bmQgUXV4Y2hlbnMgVsOw59l2R4Y2hlbnMgVsOZ2R4bnMgVsOVsIFLDhcms=
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumyeirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diamvoluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clitakasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumyeirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diamvoluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clitakasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,, sed diam eirmod ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et duo dolores et ea. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum amet.
da39a3ee5e6b4b0d3255
68ac906495480a3404be
15a391c7de1f07f4885af
Real life example: Integrity Protection for Dowloads
⚫ Ubuntu: File„MD5SUM“
⚫ Xfce: Note on Web site
cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso
14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso
99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso
e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso
Properties of Hash Functions
47114711
h(M) = 4711 h(M’) = 4711
Alice Bob
Collision resistant
⚫ Collision− There exists two messages M and M’:
M ≠ M’ and h(M) = h(M’)
⚫ Avoiding accidental collisions:− Choose co-domain large enough
⚫ Collision resistant :− It is not possible (using “reasonable” computation time) to find a
collision i.e. two messages M and M’ with h(M) = h(M’)
Poor Hash Function
⚫ Checksum:
S e l l 1 8
b o o k s 1 0
E U R e a c h
L o r e m i p s
u m d o l o r s
i t a m e t c o
n s e t e t u r
S e l l 1 1
b o o k s 8 0
E U R e a c h
39 AC 2E 31 7F 03 F5 81
Requirement for Hash Function
⚫ Randomness− Small change on input→ large change on output
− Avalanche effect
⚫ Rule of thumb− 1 input bit is changed→ 50 % output bits are changed
⚫ Example:− SHA-1(„Hallo“) = 59d9a6df06b9f610f7db8e036896ed03662d168f
− SHA-1(„Hello“) = f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
Birthday Paradoxon
⚫ There are 23 people in one room
⚫ What is the probability for „2 persons have the same birthday“ (just day and month, not year)
⚫ Answer: approx. 50%
Birthday Attack
⚫ Let h be a hash function with co-domain of size 2n
(i.e. with hash values of length n bit)
⚫ Calculation of collision needs 2n/2 checks (average)
⚫ Conclusion: choose n as large as possible
⚫ Current recommendation:− (average) 280 checks required
− Hash value have minimum length 160 bit
⚫ If (at n bit length) less tests than 2n/2 required:Hash function has weakness
Properties of Hash functions
4711
Alice BobEve
One-way function
⚫ One-way property (preimage resistant):− There exist no (efficient) inverse function for h, i.e.
− It is not possible to calculate message M from hash value H with: h(M) = H
⚫ h collision resistant h one-way function
Types of Hash Algorithms
⚫ Encryption-based− Uses block ciphers
− Low performance
− insecure
⚫ Algebraic− Uses number theory problems (e.g. discrete logarithm)
− Low performance
⚫ Ad-Hoc Design− Uses: AND, OR, XOR, SHIFT, S-Boxes
− Most widespread usage
Common Hash Algorithms
⚫ MD5− Message-Digest-Algorithm (R. Rivest, 1992)
− RFC 1321
− Input: < 264 bit, Output: 128 bit
⚫ SHA-1− Secure Hash Algorithm (NIST/NSA, 1994)
− Input: < 264 bit, Output: 160 bit
⚫ SHA-2− Secure Hash Algorithm (NIST/NSA, 2002)
− SHA-256: Input: < 264 bit, Output: 256 bit
− SHA-384: Input: < 2128 bit, Output: 384 bit
− SHA-512: Input: < 2128 bit, Output: 512 bit
SHA-1 – Internal Structure
E D C B A
<<5
>>2
+
+
+
E D C B A
K
F+
5 x 32 Bit
80 x
M
160 BitW
5 x 32 Bit
Merkle Damgård Construction
Block 1
fIV
Block 2
Message M
f f
Block m
Hashh(M)
fn bit
n bit
n bit
...
...
Compression function f Hash function h
f collision resistant h collision resistant
Lengthof M
Security of Hash Algorithms
⚫ Known attacks on Hash properties
Algorithm Attack onCollision resistence
Attack onOne way property
MD5 Yes Yes
SHA-1 Yes No
SHA-2 (Yes) No
Security of Hash Algorithms
SHA-3 Competition
⚫ Creating new Hash function (successor of SHA-2)
⚫ Open competition by NIST started 2007
⚫ Public analysis and discussion of candidates
⚫ Criteria:− Performance
− Security
− Diversity
⚫ Winner (announced 2012): Keccak
⚫ Standardized as SHA-3 (2015)
Breaking Hashes
⚫ „Anonymous“exam results
Breaking Hashes
⚫ How to find the pre-image of H? (i.e. finding m with h(m) = H)
⚫ Brute force attack: testing all possible values for m− rather simple if the set of “all possible values” is rather small
− Examples:▪ m is a short/simple password
▪ m is a matriculation number
▪ m is an IP address
⚫ Variation: Dictionary attack: testing just certain values− Examples
▪ typical passwords (“1234”, “admin”, ...)
▪ real world words (“dog”, “car”, ...)
⚫ Lookup in a pre-calculated list of “all” m and h(m)− Practical implementation: Rainbow Table
96
Breaking Hashes – Countermeasures
⚫ Brute force/Dictionary:− avoid short/simple messages
− use special resource consuming “hash” functions (e.g. scrypt, Argon2)
− add a secret value to the hash calculation: pepper (not always possible)
⚫ Rainbow table:− avoid short/simple messages
− add a (non-secret) random value to the hash calculation: salt
97
Integrity Protection and Digital Signature
Message Authentication Code
DearBob....
DearBob....
DearBob....
DearBob....
MAC
= ?
MAC
DearBob....
Message Authentication Code
⚫ A Message Authentication Code (MAC) is a short piece of information used to authenticate a message
⚫ The involved key enables to provide authentication means in addition to integrity
⚫ In some contexts a MAC is also called a symmetric signature
⚫ First idea for implementation:
mack(m) = h(k || m)
(here || is the concatenation operator)
f
m
f f...
...
k
mac
e
mac f f mac*
...
IV
f f f...
...
k
f f mac*
...
IV
e mac*m
Length extension attack (simplified)
⚫ Possible with hash functions based on M-D-Construction
⚫ Idea:− A and B have shared secret k
− A creates message m and mac = h(k||m)
− E intercepts message and MAC
− E creates e and m* = m||e and mac* = h(k||m*) = h(k||m||e)(no knowledge of k is required!)
− E sends m* and mac* to B
− B verifies m* and mac* and thinks the message is from A
Length extension attack (simplified)
⚫ The attacker was able to create a message m* = m || eand a MAC mac* with mac*=h(k||m*)
⚫ No knowledge of k is required
⚫ Problem: is m* still making sense to the recipient?
⚫ Example:− Original message:
count=10&lat=37&user_id=1&long=-119&waffle=eggo
− New message:count=10&lat=37&user_id=1&long=-119&waffle=eggo&waffle=liege
Example Source: Wikipedia
Message Authentication Code
⚫ Solution: HMAC
mack(m) = HMAC(m, k)= h(k XOR opad || h(k XOR ipad || m))
− with opad and ipad fixed constants:
▪ ipad = the byte 0x36 repeated B times
▪ opad = the byte 0x5C repeated B times
▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)
Message Authentication Code
⚫ Security services:− Authenticity
− Integrity
⚫ Limitations:− For verification knowledge of secret key required
− Every owner of the secret key can create the MAC
− → not possible to decide if Alice or Bob created the MAC
− → the actual creator of the MAC can deny the creation
− → no “non-repudiation” property
106
Digital Signature
⚫ Equivalent to traditional handwritten signatures
⚫ Properties:− Only one person can create the signature
− Everyone can verify the signature
− Can identify the creator of the signature
− Is bound to a specific document
− Prohibits changes to the document
107
non-repudiation
integrity
authenticity
Formalization of Digital Signature
⚫ Space of messages: M
⚫ Space of signatures: S
⚫ Space of keys: public/private key pairs: K PK x SK
⚫ Sign operation:
Sig: M x SK→ S, sig = Sig(m, sk)
⚫ Verify operation:
Verify: M x S x PK→ {true, false}, isValid = Verify(m, sig, pk)
⚫ Valid signature: for all m ∈M and (pk, sk) ∈ K
Verify(m, Sig(m, sk), pk) = true
108
Digital Signature (here: RSA)
DearBob....
DearBob....
DearBob....
DearBob....
Encryption
Hash
= ?
HashDecryption
DearBob....
Digital Signature
⚫ Properties:− Only one person can create the signature
▪ Private key required
− Everyone can verify the signature▪ Public key is sufficient (need the correct public key)
− Can identify the creator of the signature▪ Owner of the private key = creator (unless private key was stolen)
− Is bound to a specific document▪ move signature to a different document→ hash of document ≠ hash inside signature (unless collision) → verification fails
− Prohibits changes to the document▪ change of document→ change of hash (unless collision) → verification fails
110
✓
✓
✓
✓
✓
Again: Integrity Protection for Dowloads
Putty – SSH Client for Windows
Digital Signature (in general)
DearBob....
DearBob....
DearBob....
DearBob....
Sign
Hash
HashVerify
valid / invalid
DearBob....
Digital Signature
⚫ Example algorithms:− RSA with SHA2
− DSA with SHA2
− ECDSA with SHA2
Final Remarks
114
Elliptic Curve Cryptography
⚫ DSA and DH are based on modular exponentiation over a (finite) field of integers
⚫ One can perform similar operations on an “elliptic curve”
⚫ Main advantage: − same security level with shorter key
− better performance (runtime up to 10 times faster)
Security Level RSA/DH (NIST) RSA/DH (ECRYPT) ECDH
80 1024 1248 160
112 2048 2432 224
128 3072 3248 256
192 7680 7936 384
256 15360 15424 512
Practical Usage Recommendations
⚫ Symmetric Encryption: AES-256, mode: GCM (later)
⚫ Asymmetric Encryption: RSA-2048 (or longer)
⚫ Key exchange: ECDHE-256
⚫ Hash: SHA-256
⚫ Message Authentication:− AES in GCM mode (authenticated encryption)
− Poly1305 (e.g. in combination with ChaCha20)
⚫ Signature: − RSA-2048 with SHA-256 (or longer)
− ECDSA-256 with SHA-256