introduction to computer security - réseaux et...

Introduction to Computer Security

Matthieu Giraud

LIMOS, Universite Clermont Auvergne

Matthieu Giraud (LIMOS) Computer Security 1 / 131

Sommaire

1 Historic

2 Chiffrement par bloc et modes

3 Classical Symmetric Encryptions

4 Hash Functions

6 Classical Asymmetric Encryptions

7 Digital Signature

8 Asymmetric vs Symmetric

9 Public Key Infrastructure

10 Conclusion

Historic

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Historic

Information hiding

SECRETWRITING

CRYPTOGRAPHY

STEGANOGRAPHY(hidden)

(scrambled)

SUBSTITUTION

TRANSPOSITION

CODE(replace words)

CIPHER(replace letters)

Cryptology : the study of secret writing

Steganography : the science of hiding messages in other messages

Cryptography : the science of secret writingNote : terms like encrypt, encode, and encipher are often (loosely andwrongly) used interchangeably

Historic

Kerchoffs Principle

In 1883, a Dutch linguist Auguste Kerchoff von Nieuwenhof stated in hisbook “La Cryptographie Militaire” that :

“the security of a crypto-system must be totally dependent on the secrecyof the key, not the secrecy of the algorithm.”

Historic

Mono-alphabetic substitution ciphers

Simplest kind of cipher. Idea over 2,000 years old.

Let K be the set of all permutations on the alphabet A. Define foreach e ∈ K an encryption transformation Ee on stringsm = m1m2 · · ·mn ∈M as

Ee(m) = e(m1)e(m2) · · · e(mn) = c1c2 · · · cn = c .

To decrypt c , compute the inverse permutation d = e−1 and

Dd(c) = d(c1)d(c2) · · · d(cn) = m .

Ee is a simple substitution cipher or a mono-alphabetic substitutioncipher.

Historic

Substitution cipher examples

KHOOR ZRUOG

= HELLO WORLDCaesar cipher : each plaintext character is replaced by the characterthree to the right modulo 26.

Zl anzr vf Nqnz = My name is Adam ROT13 : shift each letter by 13places.

2-25-5 2-25-5 = BYE BYEAlphanumeric : substitute numbers for letters.

How hard are these to cryptanalyze ? Caesar ? General ?

Historic

KHOOR ZRUOG = HELLO WORLDCaesar cipher : each plaintext character is replaced by the characterthree to the right modulo 26.

Historic

Zl anzr vf Nqnz

= My name is Adam ROT13 : shift each letter by 13places.

Historic

2-25-5 2-25-5

= BYE BYEAlphanumeric : substitute numbers for letters.

Historic

(In)security of substitution ciphers

Key spaces are typically huge. 26 letters 26 ! possible keys.

Trivial to crack using frequency analysis (letters, digraphs...)

Frequencies for English based on data-mining books/articles.

Historic

Homophonic substitution ciphers

To each a ∈ A, associate a set H(a) of strings of t symbols, whereH(a), a ∈ A are pairwise disjoint. A homophonic substitution cipherreplaces each a with a randomly chosen string from H(a). To decrypta string c of t symbols, one must determine an a ∈ A such thatc ∈ H(a). The key for the cipher is the sets H(a).

Exercice

A = {a, b, c}, H(a) = {001, 010, 100}, H(b) = {011, 110, 101} etH(c) = {000, 111}.Quel est le message clair des chiffres suivants : 001101111, 110011000 ?

Rational : makes frequency analysis more difficult.Cost : data expansion and more work for decryption.

Historic

Homophonic substitution ciphers

To each a ∈ A, associate a set H(a) of strings of t symbols, whereH(a), a ∈ A are pairwise disjoint. A homophonic substitution cipherreplaces each a with a randomly chosen string from H(a). To decrypta string c of t symbols, one must determine an a ∈ A such thatc ∈ H(a). The key for the cipher is the sets H(a).

Exercice

A = {a, b, c}, H(a) = {001, 010, 100}, H(b) = {011, 110, 101} etH(c) = {000, 111}.Quel est le message clair des chiffres suivants : 001101111, 110011000 ?

Rational : makes frequency analysis more difficult.Cost : data expansion and more work for decryption.

Historic

Polyalphabetic substitution ciphers

Idea (Leon Alberti) : conceal distribution using family of mappings.

A polyalphabetic substitution cipher is a block cipher with blocklength t over alphabet A where :

the key space K consists of all ordered sets of t permutations over A,(p1, p2, . . . , pt).Encryption of m = m1 · · ·mt under key e = (p1, · · · , pt) isEe(m) = p1(m1) · · · pt(mt).Decryption key for e is d = (p−1

1 , · · · p−1t ).

Historic

Example : Vigenere ciphers

Key given by sequence of numbers e = e1, . . . , et , where

pi (a) = (a + ei ) mod n

defining a permutation on an alphabet of size n.

Exercice

English (n = 26), with k = 3,7,10.Dechiffrez le texte suivant :

Ee(m) = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO

m = THI SCI PHE RIS CER TAI NLY NOT SEC URE

Historic

Example : Vigenere ciphers

Key given by sequence of numbers e = e1, . . . , et , where

pi (a) = (a + ei ) mod n

defining a permutation on an alphabet of size n.

Exercice

English (n = 26), with k = 3,7,10.Dechiffrez le texte suivant :

Ee(m) = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO

m = THI SCI PHE RIS CER TAI NLY NOT SEC URE

Historic

One-time pads (Vernam cipher)

A one-time pad is a cipher defined over {0, 1}. Message m1 · · ·mn isencrypted by a binary key string k1 · · · kn.

Ek1···kn(m1 · · ·mn) = (m1 ⊕ k1) · · · (mn ⊕ kn)

Dk1···kn(c1 · · · cn) = (c1 ⊕ k1) · · · (cn ⊕ kn)

Example :

m = 010111k = 110010

c = 100101

Since every key sequence is equally likely, so is every plaintext !Unconditional (information theoretic) security, if key isn’t reused !

Moscow–Washington communication previously secured this way.

Problem ?

Securely exchanging and synchronizing long keys.

Historic

One-time pads (Vernam cipher)

A one-time pad is a cipher defined over {0, 1}. Message m1 · · ·mn isencrypted by a binary key string k1 · · · kn.

Ek1···kn(m1 · · ·mn) = (m1 ⊕ k1) · · · (mn ⊕ kn)

Dk1···kn(c1 · · · cn) = (c1 ⊕ k1) · · · (cn ⊕ kn)

Example :

m = 010111k = 110010

c = 100101

Since every key sequence is equally likely, so is every plaintext !Unconditional (information theoretic) security, if key isn’t reused !

Moscow–Washington communication previously secured this way.

Problem ? Securely exchanging and synchronizing long keys.

Historic

Transposition ciphers

For block length t, let K be the set of permutations on {1, . . . , t}.For each e ∈ K and m ∈M

Ee(m) = me(1)me(2) · · ·me(t) .

The set of all such transformations is called a transposition cipher.

To decrypt c = c1c2 · · · ct compute Dd(c) = cd(1)cd(2) · · · cd(t), whered is inverse permutation.

Historic

Exercice : chiffre par transposition

On veut chiffrer “Hello world” via la transposition{2, 5, 6, 3, 1, 8, 9, 10, 4, 7}.Quel est le chiffre ?

Quelle est la transposition inverse ?

Historic

Composite ciphers

Ciphers based on just substitutions or transpositions are not secure

Ciphers can be combined. However . . .

two substitutions are really only one more complex substitution,two transpositions are really only one transposition,but a substitution followed by a transposition makes a new hardercipher.

Product ciphers chainsubstitution-transposition combinations.

Difficult to do by hand invention of cipher machines.

Historic

ENIGMA

Three-rotor German military Enigma machineDayly keys are used and stored in a book.There are 10114 possibilities for one cipher.

Other German Tricks

A space was omitted or replaced by an X. The X was generally used aspoint or full stop. They replaced the comma by Y and the question sign byUD. The combination CH, as in ”Acht” (eight) or ”Richtung” (direction)were replaced by Q (AQT, RIQTUNG).

Historic

Shannon’s Principle 1949

Confusion

The purpose of confusion is to make the relation between the key and theciphertext as complex as possible.

Ciphers that do not offer much confusion (such as Vigenere cipher) aresusceptible to frequency analysis.

Diffusion

Diffusion spreads the influence of a single plaintext bit over manyciphertext bits.

The best diffusing component is substitution (homophonic)

Principle

A good cipher design uses Confusion and Diffusion together

Historic

Confusion

Diffusion

Principle

Historic

Confusion

Diffusion

Principle

Chiffrement par bloc et modes

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Chiffrement par bloc

m, un message clair

c , le chiffre de m

|m| = |c | = n bits

sk Enc

sk Dec

Mode ECB (Electronic CodeBook)

Soit |m| = k · n avec k > 1.On a m = (m1, . . . ,mk) avec |mi | = n bits.

sk Enc

sk Dec

Exercice

1 Quel est l’inconvenient du mode ECB ?

2 Quel est le schema de dechiffrement pour le mode ECB ?

Mode CBC (Cipher Block Chaining)

Encryption :

· · · · · · Enc

Mode CBC (Cipher Block Chaining)

Decryption :

· · · · · · Dec

Exercice

Ecrivez l’algorithme de chiffrement et l’algorithme de dechiffrement dumode CBC.

Mode CFB (Cipher FeedBack)

Encryption :

· · · · · · Enc

Mode CFB (Cipher FeedBack)

Decryption :

· · · · · · Enc

Mode OFB (Output FeedBack)

Encryption :

· · · · · · Enc

Mode OFB (Output FeedBack)

Decryption :

· · · · · · Enc

Classical Symmetric Encryptions

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Schema de Feistel

Construction datant des annees 70.

m, un message de longueur n (n pair)

On decoupe m en deux blocs L0 et R0 avec |L0| = |R0| = n2

m = L0‖R0

Schema de Feistel

Chiffrement en trois rondes :

Pour 1 ≤ i ≤ 3 :Li = Ri−1

Ri = Li−1 ⊕ f (Ri−1, ski )

Exercice

Soit m = 1101111010.

sk1 = 10101, sk2 = 11001 et sk3 = 10111.

fsk(x) = x ⊕ sk

Quel est le chiffre de m avec trois rondes du schema de Feistel ?

Exercice

Trouvez le schema de dechiffrement pour le schema de Feistel.

Schema de Feistel

Le dechiffrement se fait exactement de la meme facon :

Ri−1 = Li Li−1 = Ri ⊕ f (Ri−1,Ki )

On applique les clefs de tours dans l’ordre inverse.

Le DES (Data Encryption Standard)

Standard de chiffrement par bloc de 1977 2000

Effectue 16 tours du schema de Feistel

sk Enc

|m| = 64 bits

|sk| = 56 bits

DES (Data Encryption Standard)

Permutation initiale au debut et permutation inverse a la fin

Chaque ronde i utilise une clef ki derivee de la clef secrete principalesk

La fonction f correspond a deux permutations et a une substitutions-box

DES (Data Encryption Standard)

IP−1

L′ R ′

DES / Initial Permutation (IP)

DES / Final Permutation (IP−1)

L i−1 R i−1

P−Box Permutation

Left Shift Left Shift

S−Box Substitution

Compression Permutation

Expansion Permutation

RL i i

i−1K

DES / Expansion Permutation (E)

Les S-boxes

Ce sont des fonctions booleennes vectorielles non-lineaires.Elles permettent d’apporter de la confusion : le but est de rendre complexeles relations entre bits de chiffre et bits de clef.

Comment fonctionnent-elles ?

Elles prennent en entrees 6 bits (b1b2b3b4b5b6) et en ressortent 4.

2 bits exterieurs (b1b6) et 4 bits interieurs (b2b3b4b5)

La sortie est donnee par la table de la S-boxe correspondante

Table S-boxe

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

S-Boxes : S1, S2, S3, S4

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 70 15 7 4 14 2 13 1 10 6 12 11 9 5 3 84 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 103 13 4 7 15 2 8 14 12 0 1 10 6 9 11 50 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 813 7 0 9 3 4 6 10 2 8 5 14 12 11 15 113 6 4 9 8 15 3 0 11 1 2 12 5 10 14 71 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 1513 8 11 5 6 15 0 3 4 7 2 12 1 10 14 910 6 9 0 12 11 7 13 15 1 3 14 5 2 8 43 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S-Boxes : S5, S6, S7 and S8

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 914 11 2 12 4 7 13 1 5 0 15 10 3 9 8 64 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 1110 15 4 2 7 12 9 5 6 1 13 14 0 11 3 89 14 15 5 2 8 12 3 7 0 4 10 1 13 11 64 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 113 0 11 7 4 9 1 10 14 3 5 12 2 15 8 61 4 11 13 12 3 7 14 10 15 6 8 0 5 9 26 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 71 15 13 8 10 3 7 4 12 5 6 11 0 14 9 27 11 4 1 9 12 14 2 0 6 10 13 15 3 5 82 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Exercice : S-Boxes S1

S-boxe 1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S-boxe 2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

Soient m1 = (101110) et m2 = (010111). Donnez la sortie de m1 et de m2

par la S-boxe 1 et aussi par la S-boxe 2.

DES / Permutation (P)

L i−1 R i−1

P−Box Permutation

Left Shift Left Shift

S−Box Substitution

Compression Permutation

Expansion Permutation

RL i i

i−1K

DES / Key Schedule

Secret key sk, |sk | = 64 bits

Permutation Choice 1 (PC1)

Permutation Choice 2 (PC2)

Left shifts r1, r2, . . . , r16

Output

16 round keys : k1, k2, . . . , k16, |ki | = 48 bits

DES / Permutation Choice (PC1)

DES / Permutation Choice (PC2)

DES / Left Shifts

r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 r13 r14 r15 r16

1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

DES / Generation of k1

1 Apply PC1 on sk to obtain k ′ of 56 bits

2 Divide k ′ in two 28-bit parts to obtain k ′1 and k ′23 Apply r1 on k ′1 and k ′2 to obtain k

′′1 and k

′′2

4 Apply PC2 on k′′1 ‖k

′′2 to obtain k1 of 48 bits.

DES / Generation of ki (2 ≤ i ≤ 16)

1 Apply ri on ki−1 to obtain k ′i−1

2 Apply PC2 on k ′i−1 to obtain ki of 48 bits.

Quelle est la faiblesse du DES ?

La faiblesse du DES : la taille de sa clef secrete !

Seulement 56 bits...

En cryptographie symetrique, on souhaite aujourd’hui une clef de 256 bits.

Quelle est la faiblesse du DES ?

La faiblesse du DES : la taille de sa clef secrete !

Seulement 56 bits...

En cryptographie symetrique, on souhaite aujourd’hui une clef de 256 bits.

3DES (Triple DES)

Pour palier a la faiblesse du DES due a sa clef de 56 bits trop courte, onutilise encore couramment aujourd’hui (dans le monde bancaire) unevariante utilisant 3 clefs DES sk1, sk2 et sk3.

We have C = EncK3(DecK2(EncK1(M)))

C = EncK3(DecK2(EncK1(M)))

Three options

1 Three different keys ⇒ one key of 168 bits

2 sk1 = sk3 and sk2 6= sk1 ⇒ one key of 112 bits

3 sk1 = sk2 = sk3 ⇒ one key of 56 bits (compatibility with DES)

What is the disadvantage ?

Three times slower...

C = EncK3(DecK2(EncK1(M)))

Three options

1 Three different keys ⇒ one key of 168 bits

2 sk1 = sk3 and sk2 6= sk1 ⇒ one key of 112 bits

3 sk1 = sk2 = sk3 ⇒ one key of 56 bits (compatibility with DES)

What is the disadvantage ?

Three times slower...

Find a New Symmetric Scheme

Call to replace DES.A competition is organized between 1997 and 2001.

AES (Advanced Encryption Standard)

Block cipher, approved for use by US Government in 2002. Verypopular standard, designed by two Belgian cryptographers (Daemenand Rijmen)

Block-size : 128 bits

Key size : 128, 192, or 256 bits

Uses various substitutions and transpositions, and key scheduling indifferent rounds

Algorithm believed secure. Only attacks are based on side channelanalysis, i.e. attacking implementations that inadvertently leakinformation about the key

AES (Advanced Encryption Standard)

Key size # rounds

128 10

192 12

256 14

AES : High-Level Cipher Algorithm

KeyExpansion using Rijndael’s key schedule

Initial Round : AddRoundKey

Rounds :1 SubBytes : a non-linear substitution step where each byte is replaced

with another according to a lookup table.2 ShiftRows : a transposition step where each row of the state is shifted

cyclically a certain number of steps.3 MixColumns : a mixing operation which operates on the columns of the

state, combining the four bytes in each column4 AddRoundKey : each byte of the state is combined with the round key ;

each round key is derived from the cipher key using a key schedule.

Final Round (no MixColumns)1 SubBytes2 ShiftRows3 AddRoundKey

AES / SubBytes

Exercise

Apply SubBytes on the following block :

14 f1 3d 024d a5 b7 6671 9c 81 acda 95 6a e1

AES / SubBytes

Exercise

Apply SubBytes on the following block :

14 f1 3d 024d a5 b7 6671 9c 81 acda 95 6a e1

AES / ShiftRows

Exercise

Apply ShiftRows on the following block :

14 f1 3d 02

4d a5 b7 66

71 9c 81 ac

da 95 6a e1

AES / MixColumns

Each column is multiplied by the following matrix :02 03 01 0101 02 03 0101 01 02 0303 01 01 02

AES / AddRoundKey

Exercise

Add the the round key to the block B :

Round key

14 f1 3d 02

4d a5 b7 66

71 9c 81 ac

da 95 6a e1

Block B

23 f1 45 02

6a a5 e1 1c

4e c9 ff 5d

b3 01 22 b4

Key Schedule / Second Round

Secret key

23 f1 45 02

6a a5 e1 1c

4e c9 ff 5d

b3 01 22 b4

1 We take the last column

2 We apply a up rotation

3 SubBytes

4 Add first column andRcon(1)

02 1c 9c 251c ⇒ 5d ⇒ 4c ⇒ e95d b4 8d 7db4 02 77 d5

This column becomes the first column of the second round key

Secret key

23 f1 45 02

6a a5 e1 1c

4e c9 ff 5d

b3 01 22 b4

3 SubBytes

02 1c 9c 251c ⇒ 5d ⇒ 4c ⇒ e95d b4 8d 7db4 02 77 d5

Secret key

23 f1 45 02

6a a5 e1 1c

4e c9 ff 5d

b3 01 22 b4

3 SubBytes

02 1c 9c 251c ⇒ 5d ⇒ 4c ⇒ e95d b4 8d 7db4 02 77 d5

We have one of the four columns of the round key

Secret key

23 f1 45 02 25

6a a5 e1 1c e9

4e c9 ff 5d 7d

b3 01 22 b4 d5

For the three other columns

Ci = Ci−1 ⊕ Ci−4

with 6 ≤ i ≤ 8

Key Schedule / Other Round

We repeat this process by replacing the secret key by the key of the secondround, the key of the third round, and so on and so forth.

Hash Functions

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Hash Functions

Definition

A hash function H takes as input a bit-string of any finite length andreturns a corresponding digest of fixed length.

h : {0, 1}∗ → {0, 1}n

Example

h : {0, 1}∗ → {0, 1}b1 . . . bn 7→ b1

Hash Functions

Definition

A hash function H takes as input a bit-string of any finite length andreturns a corresponding digest of fixed length.

h : {0, 1}∗ → {0, 1}n

Example

h : {0, 1}∗ → {0, 1}b1 . . . bn 7→ b1

Hash Functions

Properties of Cryptographic Hash Functions (1/3)

Pre-image resistance

Given an output y , it is computationally infeasible to compute x such that

h(x) = y

Hash Functions

Second Pre-image resistance

Given an input x , it is computationally infeasible to compute x ′ such that

h(x ′) = h(x)

Hash Functions

Collision resistance

It is computationally infeasible to compute x and x ′ such that

h(x) = h(x ′)

Hash Functions

Merkle-Damgard Construction

Let f be a compression fonction

f : {0, 1}m → {0, 1}n,m > n

1 Break the message x to hash in blocks of size m − n

x = x1x2 . . . xt

2 Pad xt with zeros as necessary

3 Define xt+1 as the binary representation of the bit length of x

4 Iterate over the blocks

h0 = 0n

hi = f (hi−1||xi )h(x) = ht+1

Hash Functions

Let f be a compression fonction

f : {0, 1}m → {0, 1}n,m > n

1 Break the message x to hash in blocks of size m − n

x = x1x2 . . . xt

2 Pad xt with zeros as necessary

3 Define xt+1 as the binary representation of the bit length of x

h0 = 0n

hi = f (hi−1||xi )h(x) = ht+1

Hash Functions

pad(x) = x1 x2 x3 x4

fh0 = IV fh1

· · ·

Hash Functions

Examples

Hash Functions

Theorem

If the compression function f is collision resistant, then the obtained hashfunction h is collision resistant.

Hash Functions

Sponge Construction

Let f be a permutation fonction or a transformation

f : {0, 1}n → {0, 1}n

1 Break the message m to hash in blocks of size r (r < n)

m = m0m1 . . .mt

2 Pad mt with zeros as necessary

r0 = 0r

c0 = 0n−r

ci‖ri = f (ci−1||(ri−1 ⊕mi−1))

h(m) = ct‖rt

Hash Functions

Sponge Construction

Absorbing phase Squeezing phase

c bits

r bits

Example

Hash Functions

Use of Cryptographic Hash Functions

Compute a digest y from a given message m. The digest should be specificto the message.

Examples

Use y in place of m in a trustworthy way.

“Did you get m correctly ? Here’s y to check.” (file-sharing)

“I sign y to prove that I wrote m.”

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

MAC (Message Authentication Code)

A MAC guarantees the integrity of the message and authenticates thesender via a secret key.

Difference with Hash Functions

We need a secret key to verify the integrity of the message. Thisgaruantees the authenticity of the message.

MAC (Message Authentication Code)

Alicesk

MACsk(m) = mac mac?= MACsk(m)

MAC Based on Block Cipher

mt−1

ct−1

· · · · · ·

ct−2

MAC Based on Hash Function (HMAC)

HMACsk(m)

Classical Asymmetric Encryptions

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

One-way Function and Trapdoor

Definition

A function is One-way, if

1 it is easy to compute

2 its inverse is hard to compute, i.e.

Pr[mr← {0, 1}∗; y := f (m) : f (A(y , f )) = y ]

is negligible.

Trapdoor

Inverse is easy to compute given an additional information.

Example of Algorithmically Hard Problem

Integer Factoring

Let p and q be two big prime numbers.

Given p and q, it is easy to compute n = p · qGiven n = p · q, it is difficult to find p and q

RSA (Rivest-Shamir-Adleman)

Public key pk = (n, e)

n = p · qgcd(e, ϕ(n)) = 1

Secret key sk = d

e · d ≡ 1 mod ϕ(n)

RSA / Encryption and Decryption

Encryption

Let M be the message to encrypt, then

C ≡ Me mod n

Decryption

Let C be the message to decrypt, then

M ≡ Cd mod n

RSA / Encryption and Decryption

Encryption

Let M be the message to encrypt, then

C ≡ Me mod n

Decryption

Let C be the message to decrypt, then

M ≡ Cd mod n

RSA / Example

Exercise

Let p = 3 and q = 7

1 Compute n and ϕ(n)

2 Let e = 5, encrypt the message M = 2

3 Let d = 5, decrypt the cipher c = 3

Complexity Estimates

Estimates for integer factoring [Lenstra-Verheul 2000]

Modulus n Operations(bits) (log2)

512 58

1024 80

2048 111

4096 149

8192 156

≈ 260 years

Another Example of Algorithmically Hard Problem

Discrete Logarithm Problem

Let p be a big prime number, g be a generator of the multiplicative groupZ∗p and x ∈ {1, . . . , p − 1}.

Given p, g and x , it is easy to compute y ≡ g x mod p

Given p, g and y , it is difficult to find x

ElGamal Encryption Scheme

Let p be a big prime number and g a generator of the multiplicative groupZ∗p.

Private key sk = x

x ∈ {1, . . . , p − 1}

Public key pk = (g , p, h)

h ≡ g x mod p

ElGamal / Encryption and Decryption

Encryption

Let M be the message to encrypt and r a random element of{1, . . . , p − 1}, then

C = (C1,C2) = (g r mod p,M · hr mod p)

Decryption

Let C be the cipher to decrypt, then

M ≡ C2 · C−a1 mod p

ElGamal / Encryption and Decryption

Encryption

Let M be the message to encrypt and r a random element of{1, . . . , p − 1}, then

C = (C1,C2) = (g r mod p,M · hr mod p)

Decryption

Let C be the cipher to decrypt, then

M ≡ C2 · C−a1 mod p

ElGamal / Example

Exercise

Let a = 2 and (p, g) = (5, 3).

1 Compute h and decrypt the cipher c = (4, 2)

2 The random number r = 2 was used to compute the cipher c . Checkthat the message found in the previous question give c if r = 2 is used

RSA vs ElGamal ?

Exercise

Which is the difference between RSA and ElGamal if we encrypt the samemessage M twice ?

OAEP (Optimal Asymmetric Encryption Padding)

Used with RSA, OAEP give the probabilistic property.

Composition

A hash function G

A hash function H

Two XOR

Used with RSA, OAEP give the probabilistic property.

Composition

A hash function G

A hash function H

Two XOR

Algorithm

1 m is padded with k1 zeros to be n − k0 bits in length

2 r is a randomly generated k0-bit string

3 G expands the k0 bits of r to n − k0 bits

4 s = m00 . . . 0⊕ G (r)

5 H reduces the n − k0 bits of s to k0 bits

6 t = r ⊕ H(s)

n − k0 − k1 bits

00 . . . 0

k1 bits

k0 bits

n − k0 bits

k0 bits

Exercise

What is the decryption algorithm of OAEP ?

Decryption Algortithm

r = t ⊕ H(s)

m = s ⊕ G (r)

If [m]k1 = 0k1 , the algorithm returns [m]n, otherwise it returns “Reject”

[m]k1 denotes the k1 least significant bits of m

[m]n denotes the n most significant bits of m

Others Cryptosystems

Bellare & Rogaway (1993)

f (r)||x ⊕ G (r)||H(x ||r)

Zheng & Seberry (1993)

f (r)||G (r)⊕ (x ||H(x))

Diffie-Hellman Key Exchange

Use properties of asymmetric encryption to exchange secret key betweenAlice and Bob.

Diffie-Hellman’s method is based on Discret Logarithm Problem.

Diffie-Hellman Key Exchange

Public parameters :g, p

a ∈R {1, . . . , p − 1}

A = ga mod p

K = (B)a = gba

b ∈R {1, . . . , p − 1}

B = gb mod p

K = (A)b = gab

Digital Signature

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Digital Signature

Definition

A digital signature is a mathematical scheme for demonstrating theauthenticity of digital messages or documents.

A signature scheme depends on a asymmetric cryptosystem.

Digital Signature

Alice(pkA, skA)

sgnskA(m) = s s

Bob checks the signature with the Alice’s public key.

Digital Signature

Signature with RSA

Public key pk = (n, e)

n = p · qgcd(e, ϕ(n)) = 1

Secret key sk = d

e · d ≡ 1 mod ϕ(n)

Digital Signature

RSA / Signature and Verification

Signature

Let m be the message to sign, then

s ≡ md mod n

Verification

Let s be a signature, we verify the signature computing

m?≡ se mod n

Digital Signature

Signature

Let m be the message to sign, then

s ≡ md mod n

Verification

Let s be a signature, we verify the signature computing

m?≡ se mod n

Digital Signature

Exercise

1 Let p = 3 and q = 5. Compute (e, d) such that gcd(e, ϕ(n)) = 1 andd · e ≡ 1 mod ϕ(n)

2 Give the signature of the message m = 2

3 Check the previous signature

Asymmetric vs Symmetric

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Comparison

Size of the key

Complexity of computation

Key distribution

Signature only possible with asymmetric scheme

Computational Cost of Encryption

2 hours of video (3Ghz CPU)

DVD 4,7 G.B Blu-Ray 25 GB

Schemes encrypt decrypt encrypt decrypt

RSA 2048 22min 24h 115min 130hRSA 1024 21min 10h 111min 53h

AES 20sec 20sec 105sec 105sec

Public Key Infrastructure

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Concept of Key Certificate

Main idea

Alice trusts Bob and knows his public key

Bob has signed asserting that Carol’s key is K

Then Alice may be willing to believe that Carol’s key is K

Definition

A key certificate is an assertion that a certain key belongs to a certainentity, which is digitally signed by an entity (usually a different one).

Public Key Infrastructure (PKI)

Definition

PKI is an infrastructure build of certificates and servers to create, manageand publish certificate to allow autenticity certified by an authority.

Two Kinds of PKI

Hierarchical PKI

Certificate Authorities are different of users

X.509 (PKIX)

Non-Hierarchical PKI

Each user manages his own trust network

Pretty Good privacy (PGP)

Example https for Gmail

Gmail sends to your browser its public key and a certificate signed bya certificate authority Thawte Consulting (Pty) Ltd. to prove that thiskey really is Gmail’s key

Your browser will verify Thawte’s signature on Gmail’s key using thepublic key of this reputable key certificate authority, stored in yourbrowser

Hence your browser trust Gmail

Public Key Infrastructure (PKI)

PKI Mains Features

Generation of public and private keys

Certificate generation

Remise du certificat au porteur

Certificate publication

Certificate verification

Certificate revocation

Others :

Protection of private keyJournalisation of actionsRevocations of privates keysStorage of certifcates

CA : Certification AuthorityRA : Registration Authority

Conclusion

Sommaire

1 Historic

4 Hash Functions

7 Digital Signature

10 Conclusion

Conclusion

Thank you for your attention.Questions ?

matthieu.giraud@uca.fr

Bibliography

L’Histoire des codes secrets (Simon Singh)

Architecture PKI et communications securiees (Jean-GuillaumeDumas, Pascal Lafourcade, Patrick Redon)

Cours de cryptographie (Gilles Zemor)

introduction to computer security - réseaux et...

Documents

yann giraud september 2018 - yann giraud | history of...

laurence giraud-johnstone school of creative and cultural...

math.univ-bpclermont.frmath.univ-bpclermont.fr/~serlet/differentiel.pdf ·...

acoustique terminales sti2d...

stéphane giraud egis france ppp

first design review matthieu giraud-carrier kyra moon...

giraud 2013 rescate vehicular 97 2003 (1)

the downfall of general giraud: a study of american wartime

particle physics and cosmology from almost-commutative...

energy harvesting from ambient vibrationsenergy harvesting...

© 2012 viviana marie giraud - university of...

giraud · created date: 11/26/2020 5:30:50 pm

a remeshing procedure for numerical simulation of forming...

the weak kpz universality conjecture in...

2008 giraud kellen senior thesis

christophe giraud - université...

1 denis grondin / julien giraud – 01 december 2008 slab...

plantes arbres arbustes toxiques perrin julia et giraud...

zope : environnement professionnel steve giraud pentila...

linkage disequilibrium with linkage analysis of multiline...