Understanding Cryptology
Understanding CryptologyCore Concepts
Dr. Kerry A. McKay1Approved for Public Release. Distribution
Unlimited 13-1379All materials is licensed under a Creative Commons
Share Alike
license.http://creativecommons.org/licenses/by-sa/3.0/2
GoalsProvide an accessible introduction to cryptologyNo math
degree requiredProvide abstract ideasUnderstand form of many
algorithms rather than details of just a fewCover a little of
everythingLay groundwork for deeper study in specialized areas33Day
1Overview of cryptology Introduction to cryptographyA high level
view of cryptography and cryptanalysisSymmetric
cryptographyAsymmetric cryptographyAdditional primitives
4Day 2ProtocolsCryptanalysisCase studiesStandardizationSummary
and lessons5AdministriviaSign inThere is some math in here, but Ive
tried to keep it to a minimumThis course was designed with a
bachelors level computer scientist in mindIf you dont understand
something, just ask!
6Recommended readingBook for courseUnderstanding Cryptography: A
Textbook for Students and PractitionersPaar and Pelzl
Companion websitehttp://www.crypto-textbook.com/Slides developed
by authorsVideos
7
Additional SuggestionsAppliedTheoryCryptography
EngineeringFerguson, Schneier, Kohno
Applied CryptographySchneier
Cryptography: Theory and PracticeStinson
Introduction to Modern CryptographyKatz, Lindell8
What is Cryptology?Cryptology is the scientific study of
cryptography and cryptanalysis (according to Merriam-Webster)People
often say cryptography to mean both
Cryptography is the science of secret writing with the goal of
hiding the meaning of a messageThis is different from
steganography, where the presence of the message is hidden
Cryptanalysis is the science and art of breaking
cryptosystems9Crypto topics covered in this
course10Cryptography11CryptographyCryptography has expanded over
the yearsSymmetric ciphersBoth encryption and decryption use the
same keyAsymmetric ciphersDifferent keys for encryption and
decryptionProtocolsInherently cryptographicApplied cryptography
Well talk about each of these more later12What can cryptography
do for you?People sometimes think that adding cryptography makes
something secureNot trueCryptography cant solve everythingBuffer
overflow, social engineering, malware, etc.For the problems it can
solve, it needs to be used correctly
13Cryptography in information assuranceConfidentialityPrevents
unauthorized parties from accessing informationEncryption removes
meaning from information
IntegrityEnsures that data cannot be modified without
detectionHash functions make it extremely difficult to change
information
AuthenticationEnsure that a message was created by a particular
partyKey only known by party
1414Start with a classicLets begin with a concrete exampleCaesar
(shift) cipher
To do this, we need to take a quick look at modular
addition15Modular ArithmeticWhat time is it?What time will it be in
24 hours?
Modular arithmetic deals with operations in finite setsHours are
mod 24 for military time{0,1,2,,23}Hours are mod 12 on standard
clocks {12, 1, 2, , 11}The zero is written as 12 (12 mod 12 =
0)Minutes are mod 60{0, 1, 2, , 59}Days, weeks, months etc. can
also be expressed this way16Modular ArithmeticTo calculate A mod B,
take the remainderA = qB + r, where 0 r < BBy the division
theorem r is the remainder of A/BA mod B = r = A - qB
Examples12+12 mod 24 = 012 + 12 mod 20 = 45*1 mod 8 = 55*5 mod
20 = 5
17Example18012345+ 0 mod 6012345Example19012345+ 1 mod
6123450Example20012345+ 2 mod 6234501Back to Caesars cipherMap each
letter, A-Z, to an integer, 0-25Select letter as secret keyConvert
message and key to integersAdd key to each character modulo
26Convert back to
lettersLetter#Letter#A0N13B1O14C2P15D3Q16E4R17F5S18G6T19H7U20I8V21J9W22K10X23L11Y24M12Z2521ExampleMessage:
HELLO WORLD7 4 11 11 14 22 14 17 11 3Key: E4
Encryption11 8 15 15 18 0 18 21 15
7LIPPSASVPHLetter#Letter#A0N13B1O14C2P15D3Q16E4R17F5S18G6T19H7U20I8V21J9W22K10X23L11Y24M12Z2522ExampleNow
lets decrypt itInverse of addition mod 26 is subtraction mod
26Subtract 4 from each integer
LIPPSASVPH11 8 15 15 18 0 18 21 15 7
Decryption7 4 11 11 14 22 14 17 11 3HELLOWORLD
Letter#Letter#A0N13B1O14C2P15D3Q16E4R17F5S18G6T19H7U20I8V21J9W22K10X23L11Y24M12Z2523Whats
really going on?Encryption and decryption are abstract concepts
Lets abstract this furtherPlaintext: unencrypted
messageCiphertext: encrypted message24The basic pictureThe set of
all possible plaintextsThe set of all possible ciphertexts25c
=Encrypt(m, k)The keyThe key determines the map destinationIn this
picture, three different keys cause the same element to map to
three different values26Is the mapping one-to-one?Sometimes the
encryption is deterministicEvery time you run it with the same
plaintext-key pair, you get the same resultSometimes the encryption
is probabilisticYou may get different results The same key with the
same message will give one of a set of results
Decryption is always deterministicYou MUST get the original
message back27Probabilistic mappingsSometimes randomness is part of
the encryption process28mrandEncryptKeyciphertextf(m,
rand)EncryptKeyciphertextEnter the adversaryThroughout this course
we will refer to the party attacking the system as the adversary
The adversarys goal is to find the plaintext or key with much less
effort than guessingThe key is better, because then they can easily
find all plaintexts that were encrypted under the same key29The
adversarys viewThe adversary knows the ciphertext (and maybe
more)Reduce the work any way they can30Know that the message must
fall in this range, so it cant be the orange (dashed) key31
http://xkcd.com/257/The role of Cryptanalysis in
CryptographyCryptanalysis plays a very important role in designing
cryptosystemsState-of-the-art analysis techniques drive the
designsIf an attack exists, a new algorithm should be resilient to
itDetermines the security of an algorithmIf an algorithm has a
100-bit key but there is an attack that requires only 240
encryptions, then the algorithm only provides 40 bits of
securityKey length determines the work for brute force, but not for
smarter attacks
3232Kerckhoffs PrincipleA cryptosystem should be secure even if
the attacker knows all details about the system, with the exception
of the secret key. In particular, the system should be secure when
the attacker knows the encryption and decryption algorithms.
It all comes down to the keySecurity through obscurity is not a
good idea33Security in CryptographyAn algorithm is only as secure
as the most advanced cryptanalysis against itThere is no silver
bullet, there is no spoon, and there is no one definition of
secureIn fact, our definition of secure changes every day
A better question might be What does it take to be considered
secure today?
34Key lengthWe just saw that cryptography provides a map from
one set to anotherThe only way to get the original message back
from the ciphertext is to invert the map (go backwards)This means
choosing the right keyFor an algorithm to be considered secure, it
needs to be computationally infeasible for an adversary to get the
key with effort under a thresholdThe key needs to come from a large
enough key space (set of possible keys)That threshold keeps
rising35Key length and key spaceKey length is measured in bitsA key
that is n bits long provides a key space of size 2nAssumingAll keys
are possibleNo two keys produce the same mapping
How big does n need to be?
36Key length then and nowIn 1976, DES was the standard
algorithm, with a 56-bit keyIn 1980, Skipjack had an 80-bit keyTDEA
(triple DES) has 112 or 168 bits of key, depending on version56-bit
version for backward compatibilityIn 1998, NIST called for a new
standard with key sizes 128, 192, and 256
Today, you should have at least 112 bits of security80 bits is
still acceptable, but is being phased outAfter 2013, the minimum
will be 112
(Note: these sizes are for symmetric algorithms. Asymmetric
algorithms, in general, require larger keys)37A game: adversarial
indistinguishabilityOne of the many definitions of security
involves a gameTwo playersRulesPlayer 2 chooses two messages and
tells player 1Player 1 chooses one of the two messagesEncrypts the
messageSends the encrypted message back to player 2Player 2s task
is to determine whether the encrypted message is an encryption of
m0 or m1
3838Adversarial indistinguishability (continued)3912m0, m1Choose
i=0or i=1. Encryptmi.E(mi, key)iSet i toguess (0 or 1)i =
i?correct/incorrectExercisePair up and decide who is player 1 and
who is player twoPlayer 1Come up with a simple deterministic
function to encrypt a number from 1 to 100 (remember it needs to be
invertible)For example, f(x) = 2xYou need to be able to compute
this in your head!Player 2Choose two numbers from 1 to 100 (but not
the same one twice!) to use as messagesPlay a few rounds Keep track
of when player 2 is right and wrongplayer 1 has to use the same
function every time
40This exercise should take about 10 minutes40Exercise
(continued)After a few rounds, Did you begin to see patterns?Did
you choose numbers (messages) in ways to get new information?Do you
choose them in a way that made you right more often?
4141Exercise (continued)If player 2 knows something useful
(doesnt have to be the function, but a hunch) then they will have
significantly more right or wrong after many roundsCan distinguish
ciphertext from noiseIf player 2 knows nothing, they will have
about as many right as wrong after many roundsNo better than
flipping a coin42countIf more wrong then right, reverse
intuition42Section SummaryCryptology is the study of
codesCryptography is the study of designing codesCryptanalysis is
the study of breaking codesCryptanalysis plays a key role in
algorithm designEncryption algorithms generally fall into two
categoriesSymmetricAsymmetric
43Symmetric cryptography44Symmetric algorithmsThe sending and
receiving party use the same keyAlice computes y =
Encrypt(x,k)Alice sends y to BobBob computes x = Decrypt(y,k)
The Caesar cipher was an example of symmetric
cryptography45Types of symmetric cryptoSymmetric encryption
algorithms fall into two categoriesBlock ciphersStream ciphers
Used for different purposesBoth must provide confusion and
diffusion46Confusion and DiffusionClaude Shannon was a famous
information theoristDefined two properties that are widely used in
symmetric cryptographic primitives
ConfusionRelationship between key and ciphertext is obscured
DiffusionThe influence of one plaintext symbol is spread over
many ciphertext symbols with the goal of hiding statistical
properties of the plaintextAdversary must do more work to find
statistical properties47Encrypt HELLO and YELLOOnly the first
symbol (letter) of the ciphertext changes47ExerciseForm groups of
4-6 peopleEach group shouldCome up with a one-sentence message
Choose a key in A-Z (0-25)Encrypt the message with the Caesar
cipherExchange your ciphertext with another groupFind the message
the other group wrote48Another Look at the Caesar Cipher How does
the Caesar cipher stack up in terms of confusion and diffusion?
ConfusionYes
DiffusionChanging one symbol in the plaintext has a very
predictable resultOnly changes one symbol in the output 49One-time
padOne-time pad (OTP) is the only cryptosystem that achieves
perfect secrecyGiven ciphertext c, plaintext message mRandom
variables X and Y (for plaintext and ciphertext,
respectively)Pr[X=m|Y=c] = Pr[X=m]The a posteriori probability that
the plaintext is m is equal to the a priori probability that the
plaintext is m In other words, knowing the ciphertext doesnt give
you any additional insight into the value of the
plaintext50One-time pad (continued)OTP is also unconditionally
secureIt cannot be broken even with infinite computational
resourcesAn attacker with infinite resources can break a 10,000-bit
key cipher in one time-stepHave 210,000 computers each try a
keyThats more computers than atoms in the universe!System is
computationally secureAdversary is computationally
bounded51One-time pad (continued)How does this miraculous
cryptosystem work?Plaintext m = xox1xn-2xn-1 in binaryCiphertext c
= yoy1yn-2yn-1 in binaryKey stream K = kok1kn-2kn-1 in binary
52Random numbersourcexiyikiWhy doesnt everyone use OTP?The key
bits need to be truly randomDoes your computer have true random
number generator? Mine doesntThe sender and receiver must have the
same key streamHow do you communicate the key stream securely?A bit
of the key stream can only be used onceKey needs to be as long as
the messageThats a lot of bits over timeA lot to have to send
securely
Bottom line: doable, but not practical for the vast majority of
applications53The good newsFortunately, we can approximate a OTP
with a stream cipher
Main idea:Use a shorter key to generate a key stream in a
pseudorandom fashionPracticalDoes not achieve perfect secrecyCan
achieve computational security54Stream cipherMessage m =
xox1xn-2xn-1 in binaryEach xi is combined with a bit of the key
stream via exclusive-or (addition modulo 2)
55Key streamgeneratorSeed (key)xiyikiStream cipherDecryption is
the same as encryptionSwap plaintext and ciphertext56Key
streamgeneratoryixikiSeed (key)ExampleSuppose a stream cipher with
the following recurrence:xi+4 = xi + xi+1 mod 2i 1
Suppose that the initial values are (1,0,0,0)5757Example
(continued)10001x5 = x1 + x2 mod 2100010x6 = x2 + x3 mod 21000100x7
= x3 + x4 mod 210001001x8 = x4 + x5 mod 2100010011x9 = x5 + x6 mod
2
1000100110x10 = x6 + x7 mod 210001001101x11 = x7 + x8 mod
2100010011010x12 = x8 + x9 mod 21000100110101x13 = x9 + x10 mod
210001001101011x14 = x10 + x11 mod 2
58Example (continued)So we have a stream that looks like
10001001101011 Suppose we want to encrypt 10101010Combine message
and key stream with addition modulo 2 (exclusive-or)
59Message10101010Key
stream10001001Ciphertext00100011SecurityThat example was not
secure, because the key stream was too predictable60Do you have to
use xor?Well no. But it has nice properties and is most
commonFastNo carries to deal withSame function for encryption and
decryptionDont need a separate stream or operation to decrypt
This is perhaps best shown by example
61Instead of using addition mod 2, lets generalize to addition
mod m, m > 2There will be lg(m)-1 carry values in the
computationConcrete example: m=27
Bitwise operations are convenient because we can skip a
register
Addition mod m62 1 0 1 1 1 1+ 1 1 1 1 1 1 1 1 1 1 1 0 1 0 1 1 1
0CarriesSumOther benefits of XORDecryption performed by inverting
combining operationThe inverse operation of addition mod m is
subtraction mod mThe inverse operation of multiplication mod m is
multiplication mod m, but you would need a different key streamThe
inverse operation of XOR is XORa XOR b = cc XOR b =
a63Multiplication (mod 5): 1 is inverse of 1, 3 is inverse of 2, 2
is inverse of 3, 4 is inverse of 4Would need inverse key stream to
decrypt.
Could also invert addition with addition and different key
stream 63So how can a stream cipher be secure?Like the OTP, the
security lies in the randomness properties of the key streamDont
use the same bits of the key stream more than once, or elsea XOR k
= ab XOR k = ba XOR b = a XOR k XOR b XOR k = a XOR bAssume
adversary knows a and b Now a much smaller plaintext space for a
and bCan use heuristics to determine a and bGives adversary an
advantage 64
Practical stream ciphersLarge state size, large input key
(>112 bits)Function that updates state is complicated and
nonlinearState outputs few bits at each update (preferably one)
In useRC4SnowSalsaTrivium65QuestionDoes anyone happen to know
what the US standard stream cipher is?66AnswerThat was a trick
questionWe dont have one
We might in the not-too-distant future67Why isnt there a US
standard stream cipher?There hasnt been an outcry for oneBlock
ciphers are more studied and better understood
NIST is currently looking into this, but it is a new project
68Block ciphersMain idea: instead of encrypting one bit at a
time, encrypt several bits togetherThe grouping of bits is called a
block
Block ciphers play a significant role in many cryptographic
systems
Lets start by considering operations on a single block
69Block cipher encryptionPlaintext m = xox1xn-2xn-1 in
binaryCiphertext c = yoy1yn-2yn-1 in binaryKey KBlock size = j
70EncryptKx0x1x2 xj-1y0y1y2 yj-1Block cipher decryptionTo
decrypt, need to apply (possibly different) decryption
algorithm71DecryptKx0x1x2 xj-1y0y1y2 yj-1Block vs.
streamConstrained devicesStream cipher
Real-time streaming dataIf packets are multiple of block length,
block cipher wont incur too high a penaltyIf packet size varies
widely, stream cipher may be better bet
Everything elseBlock cipher is probably best bet72An essential
toolBlock ciphers are not only used for encryptionThey are used to
constructStream ciphersPseudorandom number generatorsHash
functionsMessage authentication codes
Bottom line: block ciphers are an essential tool in symmetric
cryptography73Well get to these laterMore than a blockWhat happens
when you need to encrypt more than one block?74Mode of
operationBlock ciphers are used in conjunction with a mode of
operationMode of operation determines how the blocks connectRight
cipher + wrong mode = wrong solution
Well discussElectronic Codebook mode (ECB)Cipher Block Chaining
mode (CBC)Cipher Feedback mode (CFB)Output Feedback mode
(OFB)Counter mode (CTR)
75ECBThe most basic modeEach block is encrypted
independently
Lets look at the pros and cons76plaintext block 1ciphertext
block 1EncryptKplaintext block 2ciphertext block 2EncryptKplaintext
block 3ciphertext block 3EncryptKECB: prosAn error in one block
will not affect othersTransmission errorsMissing blocksEasily
parallelizableEfficient to compute
77ECB: consLeaks information about repeating blocksRepeating
plaintext results in repeated ciphertextAdversary can rearrange
messageattack dont stop! vs. stop! dont attackAdversary can
substitute blocks78
ECB example: block substitutionSuppose the following blocks are
part of a banking protocol
Sending and receiving banks share a keyAdversary Opens accounts
at each bankSends money from one to the other, captures
ciphertextNow can identify transfers between the two banksWhen
other transfers go between those banks, replaces receiving account
# with hisGets lots of money Withdraws money and commences with
getaway plan79Sending bankSending account #Receiving bankReceiving
account #Amount $CBCMost commonBlocks dependent on previous
blocksRequires an initialization vector (IV)80plaintext block
1ciphertext block 1EncryptKplaintext block 2ciphertext block
2EncryptKplaintext block 3ciphertext block 3EncryptKIVCBC:
decryptionEncryption: XOR then encryptDecryption: decrypt then
XOR81ciphertext block 1plaintext block 1DecryptKciphertext block
2plaintext block 2DecryptKciphertext block 3plaintext block
3DecryptKIVCBC: a few more words on IVIV is same size as blockIV is
not a secretSent in the clear with ciphertextNecessary for
decryptionThink twice about using predictable IV
valuesExamplesCountersRepeated valuesUsing last ciphertext block of
previous encrypted packetAdvanced attacks exploit
predictabilityE.g. BEASTUse random IV for each encryptionThis is
importantRandom IV is necessary for security properties to
hold82CBC: error toleranceEncryptionEncryption errors propagate
forwardEach block uses the result of the previous blockIf there was
an error in encrypting block 1, that error affects block 2, block
3, and so on
Decryption Wrong IV in decryption only corrupts first
blockAgain, dont consider IV secretChange to a block of ciphertext
corrupts decryption of only two blocksAdding blocks to the end of
ciphertext wont alter anything beforeProbably decrypt to rubbish,
but theres a chance it wont8383CBC: pros & consProsIV makes
encryption probabilisticSame message-key pair map to different
values when IVs are differentMore difficult to attack through
substitutionDecryption can be parallelized
ConsEncryption sequentialCannot be parallelizedEncryption errors
propagateBit flip early on messes up a lot
Ciphertext stealing may be pro or conDoes not require message
expansion (padding)84CFBStream cipherlike functionality from a
block cipherIV has to be unpredictableDecryption is same operation
as encryption85plaintext block 1ciphertext block
1EncryptKIVplaintext block 2ciphertext block 2EncryptKplaintext
block 3ciphertext block 3EncryptK85OFBSimilar to CFBTurns block
cipher into a stream cipherIV has to be unique, but not necessarily
random86plaintext block 1ciphertext block 1EncryptKIVplaintext
block 2ciphertext block 2EncryptKplaintext block 3ciphertext block
3EncryptKCTRDifferent variantsTalk about one in NIST SP
800-38aTurns block cipher into stream cipherCounter increases with
each blockDoes not need to be secretNeeds to be unique across
blocks87plaintext block 1ciphertext block 1EncryptKplaintext block
2ciphertext block 2EncryptKplaintext block 3ciphertext block
3EncryptKCounter 1Counter 2Counter 3What if adversary can call
encrypt w/o knowing key (i.e. on a smartcard)?- They can generate
the key stream and find the plaintext87Choosing a modeGeneral
knowledgeCBC = good, ECB = badIt isnt this simpleEverything depends
on contextThere are more modes to considerOthers we talked about
and more that we didntWhat are your requirements?Parallelizable?
Error tolerant? Synchronizing? Memory, speed, energy requirements?
Malleability?Its difficult to generalizeWhat is right for one
situation may be wrong for another8888Block cipher
construction89Common structureProduct cipherCombines two or more
transformationsResulting cipher more secure than components Round
functionProvides confusion and diffusionKey combined with state
(confusion)Data mixing/permutations (diffusion)
Round 1Round 2plaintextciphertextRound n-1Round n90Round
structure: SPNSubstitution Permutation Network (SPN)Substitution
box (S-box)Invertible non-linear functionOften implemented as
look-up tablesPermutationChange bit locations91
Round structure: FeistelSplit state into left and rightEncrypt
and decrypt functions use same logicSmaller footprintf contains a
non-linear functionS-boxes do not need to be invertible in Feistel
ciphersg is operation to combine the left and rightExample: xor
92ARXAddition-Rotation-XORTwo kinds of linear
operationsTranslating them into a single linear form is difficult
over many roundsActs as simple substitution boxNo need for
tablesEasy to compute
93More rounds = more security, right?Not exactlyWhile this seems
intuitive, there is a caveatRounds cannot be exactly identicalTools
for thisKey scheduleRound constants94Show slide attack on
board94Concrete example: AESLets look at the round components of a
real cipherRound consists of nonlinear step and linear mixingWhich
provides confusion, and which provide diffusion?
Round structureSubBytesnonlinearityShiftRows, MixColumnLinear
mixingAddKeyCombine key with state via exclusive-or
95AES: SubBytesByte substitutionReplace a byte of data with
another according to a functionThe function is invertible so that
we can reverse the substitutionSr,c = S-Box(Sr,c)
96AES: ShiftRows and MixColumnsShiftRowsCircular shift on each
row of the stateShift amount differs by rowMixColumnsMultiply each
column of the state by a fixed matrixS*,c = S*,c matrix97
Asymmetric Cryptography98Asymmetric CryptoAsymmetric
cryptography = public key cryptographyDifferent key used by
different partiesKey use is not symmetric
Mailbox analogyThere is a locked mailbox with a slotAnyone can
put a message in the boxOnly a person with the mailbox key can
retrieve the messages99The Basic PictureBob gives Alice his public
key, kpubAlice can send Bob x, encrypted with Bobs public keyOnly a
person who knows Bobs private key can decrypt it and get x 100
Principles of asymmetric ciphersBased on hard problemsNot
confusion and diffusionAs long as there is no polynomial-time
algorithm to solve underlying problem, algorithm secure*with
reasonable key length101FactoringGiven an integer n, find the prime
factorization42 = 2 * 21 = 2 * 3 * 7Now do it for a 2048-bit
integerYea it is toughTrapdoor function that requires knowledge of
factorizationPrimes are part of the private keyAdversary only gets
the productHas a lot of work ahead102Factoring: RSAN=p*q, p and q
are primesEncryption: xe mod NDecryption: xd mod N
RSA public key has (e, N)Decryption exponent d derived from e, p
and q103Discrete logarithmGiven xa = y and x, what is a?There are
conditions Only certain set/operation combinations can be used for
cryptox must be a generator (x has to create all elements of set
when you keep multiplying it by itself)104Post-quantumSolve
factoring and you also solve discrete logShors algorithm does just
thatThe catch is that you need a quantum computer to run itResearch
in post-quantum asymmetric algorithmsMultivariate public keyThe
coefficients of polynomials are polynomialsLattice-based
cryptographyCode-based cryptographyError-correcting
codes105Symmetric Vs. AsymmetricSymmetricAsymmetricSame key for
encryption and decryptionDifferent keys for encryption and
decryptionBased on confusion and diffusionBased on number theoretic
problemsRepeated iterations of simple functionCan be expressed as
simple equation106When should I use what?Symmetric algorithms More
computationally efficientKey distribution is a problemAsymmetric
algorithmsMore computationally expensiveDo not need to agree upon a
keyNeed to establish authenticity of public keySymmetric better for
sending dataAsymmetric better for sending symmetric keysWrap
symmetric key
107Key lengthKey lengths for asymmetric algorithms are different
from symmetricIn general, it takes a longer key to have the same
protection against brute force attacks108
Note: This is no longer sufficientKey length (continued) Why do
you think that asymmetric algorithms require longer keys?109For
n-bit key, all 2n keys not equally likely.Not every x in 2n is a
possible key (because of structure)Factoring problems require
primesComposites not candidates109More primitives110Now that weve
looked at symmetric and asymmetric topics, well dive a little
further into both areas110Hash functionsDo not encrypt/decryptDo
not provide confidentialityDo fall under symmetric
cryptographyConstructed with symmetric primitives
Provide means of integrity checking111What is a hash
function?Function that maps arbitrary-length input to fixed size
outputOutput space is smallerMultiple inputs map to same
output112Cryptographic hash functionsWhen we say hash functions, we
often mean cryptographic hash functionsCreate a digital fingerprint
of data
Three propertiesCollision resistance (strong collision
resistance)Preimage resistanceSecond preimage resistance (weak
collision resistance)
There are variants for each of these, but only main concept
covered here113Collision resistanceInfeasible to find x y such that
h(x) = h(y)
Resistance is upper-bounded by the birthday problem
114Birthday problemDeals with probability that two people have
the same birthdayWe have n people in this roomThere are 365 days in
a year366 if February 29 included
Probability of two of the same birthday is about 0.5 when n=23
115Birthday problem (continued)Assume only 365 daysStart with two
peoplePr(2 people no same birthday) = 1 1/365Add a third personPr(3
people no same birthday) = (1 1/365)(1 - 2/365)Add t more
peoplePr(n people no same birthday) = (1 1/365)(1 - 2/365)(1
(n-1)/365)
116Birthday problem (continued)Pr(at least one collision) = 1
Pr(no collision) 1 - (1 1/365)(1 - 2/365)(1 (n-1)/365)
Let n=231 - (1 1/365)(1 - 2/365)(1 (23-1)/365) = 0.507 0.5
Lets try it with this group
When can we guarantee a collision? Pr(collision) = 1117Pigeon
hole principle118If n pigeons are put in m pigeon holes, n > m,
then at least one hole contains more than one pigeonNote that some
holes may be empty
Pigeon hole and collisionsIf the output space size is m, then
m+1 inputs needed to guarantee a collision
Assuming 365 days, need 366 people to guarantee at least two
share a birthdayNeed 367 people if assuming 366 days
For hash function with n-bit output (m=2n), then 2n+1 message
blocks needed for collision119Birthday boundOutput should be too
large for m+1 blocks to be feasibleBirthday attack (based on
birthday problem) bigger concernGeneric attack that works on any
hash functionNot guaranteed to be best attack on any specific hash
functionProvides the birthday bound120
Recall that 80-bits is ok for now, but moving towards 112Random
oracle modelCaptures the ideal hash functionGive the oracle xOracle
responds with a seemingly random valueAlways responds in the same
way for the same inputThink of as looking up h(x) in a massive book
of truly random numbers
There is no such thing as a true random oracleBut we want our
hash functions to act like one
121Random oracle model (continued)We were thinking in this model
just nowAll birthdays not equally likelyProbably true, but when we
think in the ROM, they arePr[h(x) = y] = 1/MWhere M is the size of
the outputKnowing h(x) should give no insight about the result of
any other valueMust query oracle to find h(x)122Random oracle model
(continued)If a hash function can be reliably distinguished from a
random oracle, then there is troubleIn the ROM, interesting things
can be provenCollision resistance implies preimage
resistance123Exercise: random oracleBreak into pairsDecide who will
be player 1 and who will be player 2Player 1 acts as oracleCome up
with a simple hash function (not cryptographic) on integersExample:
h(x) = 2x+3 mod 5Make sure you have a modular operation to keep the
output size fixedDont tell player 2 your functionPlayer 2Query the
oracle with integersGiven the result of several queries, try to
guess the results for other values you havent queried with yetTell
player 1, and they will tell you if you are right or wrongKeep
track of right and wrongSwitch roles124Exercise: random oracle
(continued)It is helpful to make a table to capture what youve
learned so farBased on this table, what do you think h(20)
is?125xh(x)0011500100151The function here was h(x) = x mod
2125Iterated hash constructionFixed-size blocks as inputCompression
function acts as a random mappingIngests a block of the message
126
A lot like block cipher, but blocks combined
Dough analogyFlatten dough (add a block)Fold dough (compression
function)
126Preimage resistanceGiven z, infeasible to find x such that
h(x) = zInfeasible to find a value that maps to h(x)
127preimageimagef(x)=y : y is image of x under ff-1(y)=x : x is
preimage of y under f (all x that map to y)127Second preimage
resistanceGiven x, infeasible to find y x such that h(x) =
h(y)Infeasible to find second value that maps to h(x)
128preimageimageMessage authentication
codesAuthenticationSomeone who knows the key created this
MACIntegrityIf the message is altered, the MAC will not match
129
MAC integrityIntegrity + authenticationCan detect accidental or
nefarious modifications
Can have variable length MACFixed length MAC nicerSign a
hashHash function provides additional integrity check130Who created
the message?Alice, Bob, and Charlie share a keyMessage: Charlie is
stupidCharlie is upset and wants to know who wrote itAlice says Bob
didBob says Alice didBecause they both know the key, it could have
been either of themNo definitive proof which one created itIt may
have even been Charlie, as far as Alice and Bob are
concerned131Digital signaturesIn the real world, contracts are
finalized with signaturesSigning indicates that you agree to
termsSignature assumed to be unique to individualLegal and social
barriers to prevent forgeries
Only the person who knows a key can generate a valid
signatureOnly one person knows that key (supposedly)Authenticates
signer132Digital signatures (continued)Uses asymmetric encryption
and hash functionsSign with private keyAnyone can verify signature
using public keyBut asymmetric operations expensiveWhat if message
is longer than allowed?133How RSA digital signatures workBob hashes
plaintext messageMake fixed size inputSign (encrypt) hash with his
private key
Alice decrypts signature with Bobs public keyHashes
messageVerifies that the two match134
Nonrepudiation and confidentialityNonrepudiationBob cant deny
creating the signature
If confidentiality needed on messageSign, then encrypt message
(or message + signature)Why not sign the encrypted data?May
inadvertently sign wrong infoAllows bait and switch by party
sharing symmetric keyWould you sign an envelope containing a
contract, hoping the contract is the one you think it is?Signing
message then encrypting both is analogous to signing a contract,
then putting it in an envelope
135135Signatures and encryptionSign and encrypt messageSign and
encrypt message + signature
Why might one be better than the other?136137
http://xkcd.com/177/Protocols138Kinds of crypto protocolsThere
are lots of crypto protocolsKey distributionMultiparty
computationZero-knowledgeVotingAnd many moreWell focus on the most
common: key distribution139Key distribution problemAssume every
user in a network must share a symmetric key with every other userN
users means on the order of N2 keysImagine that this network is the
InternetManagement nightmare
140
140Key AgreementKey agreement is a very important concept in
using cryptographySecurity of communications relies on secrecy of
keyHow can parties exchange keys without compromising the
key?Parties create key togetherOne party creates key and sends to
the otherKey derived by trusted third party and sent to both141Key
distribution centerCan use symmetric keys to create a session
keyRequires a trusted third party, KDCAlice and KDC share a key
encrypting key (KEK)Same for BobAlice establishes key with
BobRequests a key from KDCKDC generates a short-term keyDistributes
key to Alice and Bob, encrypted by respective KEKsAlice and Bob now
share a key
142KDC example143
This image from the text does not show Bob receiving y and y_B,
but he does143KDC pros and consProsKDC stores N KEKsEach user only
needs KEKKey establishment once for each new userThis secure
channel outside scope of discussionConsIf KEK compromised,
adversary can masquerade as AliceReplayAdversary can impersonate
KDC and send Alice and Bob old keysNo way to ensure freshnessTrusts
that session key is with Bob, but may not be able to
verifyAdversary can change requestSingle point of failureKDC
compromise brings system to a halt 144144KerberosWell-known KDC
protocolTime mattersSession keys have lifetimeLifetime
encryptedPrevents replayChallenge to KDCAlice knows shes talking to
KDC, not adversary
145Simplified Kerberos146
146ConsFixed some of the cons of first KDC
protocolRemainingSingle point of failureLack of forward secrecyIf
adversary compromises session key, all communications under that
key are at riskOnly for duration of key lifetimeSetting up KEK for
new user147Key establishment models148Point-to-point centralizedOne
party gives the key to the other partyDirect
communication149AliceBobKCentralized key managementA single party
generates and manages keysMay distribute to both partiesOne party
may be responsible for passing it onEach party shares a distinct
key with the KDC, but not each otherCentralized key
generation150KDCAliceBobKKKDCAliceBobKKKey translation centerLike
centralized key management, but key generated by a partyDistributed
key generation151KTCAliceBobKKDiffie-Hellman key
agreementAsymmetric methodBoth parties agree on parameters and
pEach party chooses a secret exponent
152
DH pros and consProsDoes not require a trusted third partyDoes
not require any other keysConsDoes not authenticate either party
(may not be a con)Allows man-in-the-middle (MITM) attack153
153CertificatesProvide binding between public key and
partyPublic key bound to AlicePublic key bound to BobAlice and Bob
can verify that they are talking to each other, not someone in the
middleGenerated by certificate authority (CA)Trusted third
party154Key transport with CAsTrusted authority issues
certificatesSigned by trusted authorityKey exchange with
certificatesAlice gets Bobs certificate from BobVerify that Bobs
certificate is valid using CA public keyCreate session keyEncrypt
session key with Bobs public key (in certificate)Send to BobBob
decrypts with private keySession key established
155Obtaining keys156
DH with certificatesCertificates for authenticationRequires
trusted certificate authority157
Typo in book: should be bTypo in this image. On the right,
should be B=Kpub,B = alphab mod p(wrong case of b in image)157CAs
and PKIPublic-key infrastructure (PKI) CAs + supportKey storage,
distribution, etc.CA1 signs CA2, CA2 signs CA1Parties with CA1
certificates can now talk to parties with CA2 certificatesAbility
to revoke certificatesCertificate Revocation List
(CRL)BlacklistAlice checks CRL to verify that Bobs certificate is
not on the listIf it is on the list, reject it158X.509Minimum
certificate contains key and identityX.509 contains a lot more
In IE, go to Tools > Internet Options > Content >
CertificatesBrowse certificatesGo to your favorite login page (e.g.
gmail)Right-click on the pageProperties > certificates159
Exercise: certificates and RSAMost (if not all) the certificates
just seen were RSAWhat might an RSA key exchange with certificates
look like?160Server authentication, client-server
authentication160CA trust models161Trust with separate domainsTwo
CAs have no trust relationshipEach CA is part of its own
domainUsers in one domain unable to verify authenticity of
certificates originating from other domain162CA 1CA
2User11User12User21User22HAC 13.6.2162Strict hierarchical trust
modelInteroperability between domainsRooted treeVerify certificates
all the way up to the root163CA 3CA 1CA
2User11User12User21User22Multiple rooted treeCross-certificate
between two CAsCertificate for X signed by YCertificate for Y
signed by X164CA 3CA 1CA 2User11User12User21User22CA 6CA 4CA
5User41User42User41User42Reverse certificatesCAs lower in the
hierarchy also sign for CAs that are higherForward certificateChild
certificate signed by immediate parentReverse certificateParent
certificate signed by immediate child165CA 3CA 1CA
2User11User12User21User22Reverse certificates
(continued)Verification different than strict hierarchical
modelStart with public key of CA that created certificateFind least
common ancestorDo not need to go up to the root
166Directed graph trust modelDistributed trust modelWeb of
TrustNo root or tree mandatedAn CA may cross-certify any otherEach
user entity start with its local CA
167CA 3CA 1CA 2CA 6CA 4CA 5Food for thoughtSymmetric
exchangeKeys have lifetimeLimit damage by adversaryAsymmetricCA
revokes compromised certificates
If you use biometric data as keys, what happens if youre
compromised?Gummy bears foil fingerprint
readershttp://www.schneier.com/crypto-gram-0205.html#5Id like a new
set of fingerprints, please168168Cryptanalysis169AdversariesThere
are two kinds of adversaries to considerComputationally
unboundedThere is no limit to their computing powerOnly OTP can
beat themComputationally boundedReal world
170Asking the Right QuestionsPeople sometimes ask me for crypto
help
Question: How do I break ?My answer: wait 10 years
Surprisingly, people dont like this Ok, I only give these kinds
of answers to people I know pretty wellThe reason I say this is
because that is what they askedBut it is not what they
meant171Attack modelsThe adversary (who is sometimes you!) doesnt
always have access to the same informationDifferent levels of
access enable different types of attacksEach of these levels of
access is captured by a model Knowing what model youre working with
will help you assess your options172Brute forceThe most nave
approachWill always workShould take a long, long timeThe message
should no longer be sensitive by the time the attack
succeeds173Ciphertext-onlyGoal: find key or plaintextAccess to a
set ciphertexts
This applies whenever access to encrypted data is
availableConfiscated computer with FDECapturing encrypted network
traffic174Known plaintextGoal: find keyAccess to a set of
plaintext-ciphertext pairs, created with the same encryption
key
This applies when there is knowledge of the plaintext the
corresponds to captured ciphertextBad implementation leaves
plaintext data structureData structure or packet payload always the
sameObtained plaintext through another channel175Chosen
ciphertextGoal: find key or plaintextAccess to decryption function,
possibly resulting plaintextsIf errors occur, such as incorrect
plaintext format, plaintexts may not be released to adversary
Attack may be adaptiveCreate ciphertext based on what youve
learned
Applicable when decryption requests can be madeTrusted
computingAnything that doesnt ask for the key for
decryption176Chosen plaintextGoal: find keyAccess to encryption
function and resulting ciphertextsMay be adaptive
Applicable when encryption key not in adversarys controlService
offered by entity or deviceSmart cardsCrypto chips177Other
informationAccess to implementationBinary dataHardware module
May be able to get data from the implementation without going
after the crypto itself178Good bets179Physical access to
computations allows bypass of many protective mechanisms.Protocols
give a lot of options.More information gives the adversary greater
abilities179And moreSometimes there is more info to leverageUse in
conjunction with one of these models
ExampleRelated-keyKnown-plaintextChosen ciphertextUse multiple
keys instead of single keyKnow something about the relationship
between them
180If two keys share half their bits, can use collected data
from both keys to find shared portion180Mathematical (analytical)
attacks181Of more theoretical interestThere are several analytical
attacks out thereLots of beautiful math Symmetric
cornerstonesLinear cryptanalysisDifferential
cryptanalysisAsymmetricFactoringDiscrete logTricks when bad
parameters used to make key182General principles for analytic
attacksReduce your workIsolate parts of the state/key as much as
possible2n/3 + 2n/3 + 2n/3 is a lot smaller than 2n Example:
n=98+8+8 = 24 vs. 512 This is why diffusion is importantPrevents
adversary from isolating sections
183Symmetric analytical attacks in briefLinear cryptanalysisFind
linear relationships between plaintext, ciphertext, and keyAllows
adversary to find parity of the keyReduces key space search
considerablyDifferential cryptanalysisKnown difference between
plaintexts results in certain ciphertext difference with some
probabilityDifference could be introduced into ciphertext instead
of plaintextDifference could be in related keys184Linear vs.
differentialWhich one requires a stronger adversary?What models
might each use?185FactoringSuppose you dont have a quantum
computerYou can factor 512-bits on your own with publicly available
toolsMsieve, GGNFSCurrently, record is 768-bit integerTook 3+ years
by expertsGeneral number field sieve (GNFS)Relies on heuristics and
a lot of memory and computing power
186Discrete logHeres a high level view of two methodsIndex
calculus methodProbabilistic algorithmLinear algebraGroup
theoryPollards rho algorithmGenerator generates all values of the
finite setThere must be a cycleFind a cyclexi congruent x2i modulo
mGives equation that can be used solve discrete log directlyHas
analog for factoring
187Implementation attacks188Implementation MattersA mathematical
specification is one thing, but an implementation is a whole new
beastImplementations leak informationVulnerable to side channel
cryptanalysisExamplesTime to computeDifferent inputs to an
operation may cause subtle timing differencesOlder OpenSSL
implementation was subject to thisCache attacks on AES cloud
computing environment
189Power and EM attacksDifferent operations take different
amounts of powerSimple power analysis (SPA)Differential power
analysis (DPA)Operations alter electromagnetic field
differently190
Image from Differential Power Analysis by Kocher et al.Power and
EM fields (continued)Can perform adaptive chosen ciphertext attacks
to obtain plaintext and key, a small amount at a timeCan perform
adaptive chosen plaintext to find key
191Linear search for key possible191Power and EM: an
exampleSuppose guessing bit correctly makes a spike in a particular
locationStart with key all zeros, key is n bitsFor i=0 to
n-1Decrypt or encrypt withk[i]=1k[i]=0Keep the value that causes a
bigger spikeO(n) encryption/decryption
192
Image from Differential Power Analysis by Kocher et
al.192Grabbing the keyThe key has to be exposed somewhereSoftware
implementationIn memoryHardwareIn flash memory or hard coded
Physically extracting key from hardware is trickyNeed to shave
off chip to get at gates or memoryMay destroy chipMay accidentally
destroy key
193193Example: square-and-multiply side channelAn efficient way
of computing xe mod n is using an algorithm called
square-and-multiplyStarts with a=1Work from most significant bit of
e downIf current key bit is 1, multiply follows square
(SM)a=a2a=axIf current key bit is 0, square alone (S)a=a2What is
the value of e based on this string?
194SSSSMSMSMSMSSSM0000011111194Exercise: securely computing
square-and-multiplyBreak into groups and answer the followingWhat
is it that makes the attack on the previous slide possible?How can
you prevent this attack on square-and-multiply?
195DemoWhat do square and multiply operations look
like?JCrypTool demo
196Attacks: further readingRemote timing attacks are practical
by Boneh and BrumleyDifferential Power Analysis by Kocher et
al.
197Social Attacks198199
http://xkcd.com/538/The left is hard and expensive. The right is
easy and cheap.199Social attacksAttacking the crypto is usually
pretty hard and requires skill (unless an attack has been included
in a tool)Why not just go around the crypto?Humans are generally
the weakest link in a systemPeople can be coercedSomeone holds a
gun to your head and says your secret key or your lifeWhat would
you do?What if they threatened someone you
love?EspionageBlackmailBribery
200Phishing and impersonationYour account has been suspended due
to suspicious activity. Please follow the link and enter your
username and password to verify your identity and reactivate your
account.Completely bypasses the cryptography201Policy attacksIn
addition to social attacks on people, can attack policiesPolicies
force certain behaviorPasswordsCommon to derive secret key from
passwordBackward compatibilityPolicy knowledge can give the
adversary an advantagePassword rulesForce use of deprecated
cipher
202The human brain & passwordsPeople can remember 5-9 chunks
of informationUnfamiliar things make smaller chunksE.g. Rks9%3Each
character a chunkFamiliar things enable larger chunksE.g. four
score and seven years agoThe entire phrase one chunk (or 6
chunks)four comes from a much larger set than RWords in phrase
related, so phrase not high entropyfour pig ninja gumby minitrue
fire less predictable
203If key generated from password, lack of entropy in the
password results in lack of entropy in the key.This gives the
adversary an advantage.Dictionary attack.203Password rules204
http://xkcd.com/936/Exercise: identifying attack vectorsImagine
a protocol where a button is pressed on a remote, and a light turns
on or offRemote is physical device, i.e. dongleThe transmitter and
receiver each have a shared fixed value, v, and a counter,
ctrCounters increment and are synchedTransmitter and receiver share
a symmetric key, KTransmitter sends encrypted message E(v||ctr, K)
to receiverReceiver decrypts messageIf v is correct and ctr is in
acceptable range, turn on/off light and increment counterElse, do
nothing
205Exercise: identifying attack vectors (continued)Your goal:
turn the light on/off
What are possible attack vectors?206206How to attack a
protocol207Man-in-the-middleSaw this with Diffie-HellmanConvince A
and B that they are talking to each otherIn reality, A is talking
to E (who claims to be B)B is talking to E (who claims to be A)E is
transparent to both A and B
208ReflectionSuppose A and B share a key, kSuppose they
authenticate each other with the following protocolABrAEk(rA,rB)
rB209Reflection (continued)E can impersonate B by reflecting
messages back to ATwo protocols running at onceIntercept messagesA
believes it has authenticated B, but B was not involved at
allAErAEk(rA,rA) rBrAEk(rA, rB = rA) 210Mitigating
reflectionDifferent keys for different communication
directionsInclude identifier of originating party in messagesIf A
gets an encrypted message from A, then reflection can be
detected211Interleaving attackAssume all public keys authenticA and
B choose random values and sign them
ABrArB,sB (rB,rA,A) rA,sA (rA,rB,B) 212Interleaving attack
(continued)Authenticate with B as AE initiates with B as AE
initiates as A with BUse messages from one exchange to finish the
otherAEBrArB,sB (rB,rA,A) rBrA,sA (rA,rB,B) rA,sA (rA,rB,B)
213213Misplaced trustA trusted third party is inherently
trustedWhat could happen if the TTP is not trustworthy?214Examples:
TTP doesnt check authentication (Alice thinks shes talking to Bob,
but TTP never verified Bob)TTP leaks your info and voids
security214When is an algorithm broken?215Is it broken?Think of
your data (plaintext or keys) as delicious candy and an encryption
algorithm as a piataThat makes cryptanalysts kids with batsThey
keep hitting the piata, making dentsEventually a seam splitsThen it
cracks open and the candy falls outIt is clearly broken at this
pointThe dents dont mean its broken, but they start to add upYou
may even be able to get a couple pieces of candy out of a split
seam216Imprecise analogy216Is it broken? (continued)Attacks
accumulateAn academic attack hits the sceneImproved over many
iterationsEventually becomes practicalIf best practical attack has
complexity below security threshold, the algorithm is brokenIf
theres not much left, it is close enough and you should already be
transitioningIf a property you were counting on is compromised,
transition now
Example: new attack on AES shaves off almost 2 bitsEven with
that, 126 > 112, so it is ok for now217Maybe its broken, maybe
its notAll algorithms will eventually be brokenIt is a matter of
whenYou should start to worry when the attacks look like they might
become practical soonExample: SHA12004: Attacks in SHA-0Plans to
attack SHA-12005: Attack on SHA-1Collisions, not preimagesNot
recommended in new applicationsOk in legacy applications, where
collision less importantToday: SHA-1 still in use (have > 250
complexity for collision)SHA-2 family preferredSHA-3 standard in
progress218More attacks than discussed here.
In NSRL, only preimage attacks relevant, so collision attacks on
hash functions it uses dont change security218It will all break
eventuallyThere is often a significant cost to changing
algorithmsEspecially in hardwareBackward compatibility is always an
issueCryptology is dynamic, not staticAttacks take a long time to
mature, but break could be tomorrowWhen algorithm crippled, need to
act quicklyPlan for change in any design
219Case StudiesWhen good crypto goes bad220ImportantThere is
crypto, and theres the system it is part ofAs soon as you look at
crypto as part of a system rather than a stand-alone object, things
changeYou need to be mindful of the attack vectors that you
introduce221WEPWired Equivalent PrivacySecure wireless network
communicationsWEP is a good example of doing it wrongBut why?222WEP
(continued)Uses RC4 stream cipherSeed has two partsIV: 24 bits
(public)Key: 40 bits (secret)CRC32 for integrity
Lets take a look at each of these
223WEP: key and IVExport restrictions limited key size64-bit WEP
is 40-bit secret plus 24-bit IVThere is a 128-bit version104-bit
secret plus 24-bit IVCipher key = IV||secret
First rule of stream ciphersDont reuse the same key stream224 is
not largeEspecially on a high-volume networkSmall IV space causes
high probability of using same key stream more than onceBAD!224WEP:
RC4Bias in key streamBytes do not occur with equal probabilityFirst
couple bytes have strong biasFor each packet, youre at the
beginning of the key streamBias in every packetAttacker can collect
several messagesAlready knows IVsCan get info on XOR of two
messagesThe secret is revealed with an obtainable amount of data
and some analysisNote this is all possible from nothing but
ciphertexts225WEP: integrity checkCRC32Cyclic redundancy check,
32-bitsLinear and predictableGood for detecting random transmission
errorsNot cryptographically secureAdversary can make changes such
that CRC32(modified) = CRC32(original)i.e. bit flippingTerrible
integrity checkIt wasnt designed for this purpose226WEP is good for
somethingIn all fairness, all ciphers broken eventuallyWEP fails
even if RC4 still worked wellIt is important because it does
contribute to our knowledge of what not to doIt also gives support
to an attack model
Related-key attack modelSome people say that it is
unrealisticPeople who defend it just need to point to WEP
227EMV PaymentChip and PIN is Broken by Murdoch et al.Europay,
MasterCard, VisaProminent payment protocolKnown as chip and
PINPayer uses smartcard and PINGoal: minimize cost of disputes from
issuing bank
228EMV Payment (continued)Two places for burdenPayer used chip
and PINVerified, so user must be authenticBurden on account
holderPayer signedMerchant verified signatureBurden on merchant
229EMV: protocolTVR: terminal verification results, ARQC:
authorization request cryptogram, ATC: application transaction
counter, IAD: issuer application data, ARPC: authorization response
cryptogram, ARC: authorization response code, TC: transaction
certificate230
Cardholder verification byte of TVR only set if verification
attempted and failed.Only failure condition records are
required.230EMV: what went wrongIt is possible to enter an
unintended stateThree parts of protocol are separatedCard
authenticationCardholder verificationTransaction
authorizationPartial views paint different views of the worldTVR
doesnt specify what verification method used on successMainly lists
failuresCompartmentalizing lets adversary build their own
verification process231Transaction not end-to-end231EMV: attackUse
FPGA, software, and dummy card to intercept communications with
stolen cardAlter cardholder verificationTrick terminal into
thinking PIN verification succeededReal card believes terminal does
not support PIN verificationThinks merchant verified
signatureMerchant thinks PIN was verifiedProtocol records dont
indicate how cardholder verification performedNo record to identify
inconsistency
232EMV: attack (continued)233
EMV: attack (continued)CaveatsRequires hardware for
man-in-the-middleThat wiring up your sleeve might raise suspicion
on a hot summer day
Authors of this paper have assisted in dispute cases where card
stolenLucky customers have the encoded cardholder verification on
receiptsDecoding shows that signature was used, not PINWere able to
get money backUnlucky customers (most of them) didnt have this
recordNo way to show signature useSystem does not provide adequate
evidence
234VOIPPhoneme - basic building block of speechSome VOIP
protocols compress phonemes, then encrypt with stream cipherStream
cipher encryption preserves length of messagePhonemes compress to
different sizes
What does this mean for the adversary?235Note difficulty and
required skills to do this235VOIP: problemsCorrelation between
packet length and phonemePacket length gives information to
attackerAttacker can learn something about encrypted VOIP
conversationsWho is talkingWhat languageWhat they are sayingSee
Uncovering Spoken Phrases in Encrypted Voice over IP Conversations
by Wright et al.
236KeeLoqRemember the exercise where the remote turns on the
light?That was a simplification of KeeLoq code hopping
schemeCounter prevents replaysInstead of turning on a light, it
opens your car or garage door
Attackers goal: open the door237237KeeLoq: attacksSocial
attacksMay gain physical accessClone dongleNoticeableCan watch
signals via side channelNo access to plaintext
238KeeLoq: device keyDevice key is secret shared between
receiver and transmitterDerived using a manufacturer keyHonda,
Toyota, etc.Once you know the manufacturer key, you can spoof
anything you have the serial number for239
KeeLoq: power analysisDifferential power analysis used to find
keysCloning transmitterWith physical access to remote10-30
tracesWithout physical accessCloned by eavesdropping, if
manufacturer key knownWith device key, decrypt message to obtain
fixed values and counterDenial of serviceIncrement counter so that
real remote counter is outside acceptable window
240KeeLoq: final notesDetails in On the Power of Power Analysis
in the Real World: A Complete Break of the KeeLoq Code Hopping
SchemeDefend against attacks with sufficiently random longer
seedsThe authors found manufacturer keysTo my knowledge, have only
released them to the manufacturers as proofOnly need to eavesdrop
at most two message to clone a transmitterIt takes skill to pull
off key extractionOnly need to use skill once to find manufacturer
keyRest can be performed by unskilled adversary
241Standards242StandardsSeveral international standardsSome
countries have their own standardsSome design internallySome use
designs from other countriesUS has mix of NSA and
internationally-designed crypto standardsDES, SHA-1 examples of
NSAAES, SHA-3 examples of internationalAnyone who wants to do
business with the US government needs to implement our
standardsChina likes algorithms designed in ChinaNeeded their own
stream cipher for 3G LTE (long term evolution)
243OrganizationsThis is not an exhaustive list
Government organizationsi.e. National Institute of Standards and
Technology (NIST), NSACRYPTREC (Japan)RSA LabsInternet Engineer
Task Force (IETF)Institute of Electrical and Electronic Engineers
(IEEE)American National Standards Institute (ANSI)ECRYPT
II244NISTComputer security division provides a suite of approved
cryptographic algorithmsBlock ciphersAES (advanced encryption
standard)Triple DES (also called 3DES, TDEA)DES (flawed,
deprecated)Hash functionsSHA (flawed, deprecated)SHA-1
(phase-out)SHA-2 family SHA-3 family245245PKCSPublic key
cryptography standardsRSA labsRSA standards (PKCS #1)Encryption and
signaturesDiffie-Hellman key agreement (PKCS #3)Password-based
cryptography (PKCS #5)Elliptic curve cryptography (PKCS #13)And
more
246RSA, the algorithmRSA, part of EMC corp.IETFProtocol
standardsTransport Layer Security (RFC 5246)Kerberos (RFC
4120)Secure Shell Transport Layer Protocol (RFC 4253)Extensions to
protocols
Crypto algorithm standardsCamellia (RFC 3713)
Also a good source of April fools jokes247Selection by
competitionTrend towards competition-based standards
selectionSelection committee puts out a call for submissionsAll
submissions meeting requirements are available for public
scrutinySubmitters attack each others proposalsBenefitsAccess to
best cryptographers and cryptanalysts in the worldFree labor for
selection committeePapers and dissertations for academicsFame and
gloryWith a very select crowd
248NIST competition-based projectsAdvanced Encryption
StandardFIPS standard published 11/26/2001RijndaelVincent Rijmen
and Joan Daemen
SHA-3Competition winner announced 10/2/2012KeccakGuido Bertoni,
Joan Daemen, Michal Peeters and Gilles Van Assche.
249Other projectsNESSIE (New European Schemes for Signatures,
Integrity and Encryption)Selected symmetric and asymmetric
primitivesAll stream cipher submissions were defeated
eSTREAMStream cipher competition organized by ECRYPTInspired by
results of NESSIE
CRYPTREC (Cryptography Research and Evaluation
Committees)Japanese Government
250Closing Remarks251SummaryCryptology is the study of
codesCryptography is the study of designing codesCryptanalysis is
the study of breaking codesThe only thing that should be considered
secret is the keyEncryption algorithms generally fall into two
categoriesSymmetricAsymmetricCiphers provide confidentialityHash
functions provide integrityMACs and digital signatures provide
integrity and authentication252Summary (continued)There are several
types of attacks possibleEach have different restrictions and
relative difficultyAn algorithm is broken when it no longer
provides the security properties that it shouldEncrypted is not
synonymous with secureThere are several bodies that dictate
standards253Key lessonsthe whole is greater than the sum of the
partsYou cannot just look for the best cryptoYou need the right
crypto for the right application, used in the right wayThe entire
system has propertiesSome properties of the system may negate the
properties provided by the cryptoThere are many factors that come
into play when choosing a cryptographic algorithm or
protocol254More resourcesMore suggested readingHandbook of Applied
CryptographyAn excellent reference for state of the art in
1997Available in text or digital format
(http://www.cacr.math.uwaterloo.ca/hac/)
255More resourcesNIST cryptographic technology
grouphttp://csrc.nist.gov/groups/ST/NIST cryptographic
toolkithttp://csrc.nist.gov/groups/ST/toolkit/index.htmlPublications
of standards and recommendationsIACR eprint archiveNew papers in
cryptology (not peer reviewed)http://eprint.iacr.org/eSTREAM
projecthttp://www.ecrypt.eu.org/stream/
256
