cryptography - university of notre damecpoellab/teaching/cse354/sp30.pdfhash function algorithms...
TRANSCRIPT
1
Lecture 30
SecurityApril 11, 2005
Cryptography
symmetric-key crypto: sender, receiver keys identicalpublic-key crypto: encrypt key public, decrypt key
secret
Figure 7.3 goes here
plaintext plaintext
ciphertext
KAKB
Symmetric Key Cryptography
symmetric key crypto: Bob and Alice share knowsame (symmetric) key: K
e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
Problem: how do Bob and Alice agree on key value?
plaintextciphertext
KA-B
encryptionalgorithm
decryption algorithm
A-B
KA-B
plaintextmessage, m K (m)
A-BK (m)A-Bm = K ( ) A-B
Key Exchange Diffie & Hellman, 1976 Exchange secret key over insecure medium Alice chooses secret value KA and Bob chooses secret value
KB
Alice chooses p and g, both prime numbers and g is primitivemodule p (can be public)
Alice sends to Bob (g, p, gKA mod p) Bob send to Alice (g, p, gKB mod p) Alice computes k = (gKB mod p)KA mod p and Bob computes
k’ = (gKA mod p)KB mod p k=k’, therefore k is the new secret key
DESDES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64 bit plaintext input How secure is DES?
DES Challenge: 56-bit-key-encrypted phrase (“Strongcryptography makes the world a safer place”) decrypted(brute force) in 4 months
no known “backdoor” decryption approach making DES more secure
use three keys sequentially (3-DES) on each datum use cipher-block chaining
Advanced EncryptionStandard (AES) new (Nov. 2001) symmetric-key NIST
standard, replacing DES processes data in 128 bit blocks 128, 192, or 256 bit keys brute force decryption (try each key) takes
149 trillion years for AES
2
Public Key Cryptographysymmetric key crypto requires sender,
receiver knowshared secret key
Q: how to agree onkey in first place(particularly ifnever “met”)?
public key cryptography radically different
approach [Diffie-Hellman76, RSA78]
sender, receiver donot share secret key
encryption key public(known to all)
decryption keyprivate (known onlyto receiver)
Public Key Cryptography
Figure 7.7 goeshere
RSA
Rivest, Shamir, Adleman, 1977 Most commonly used
encryption/authentication algorithm (includedin Web browsers)
Algorithm: use two large prime numbers to derive a public
key and a private key prime numbers can be discarded keep private key secret, publish public key
RSA: Choosing Keys
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).
5. Public key is (n,e). Private key is (n,d).
RSA: Encryption/Decryption0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, computec = m mod ne (i.e., remainder when m is divided by n)e
2. To decrypt received bit pattern, c, computem = c mod nd (i.e., remainder when c is divided by n)d
m = (m mod n)e mod ndMagichappens!
RSA ExampleBob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z).
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd17 481968572106750915091411825223072000 12
cd letterl
encrypt:
decrypt:
3
AuthenticationGoal: Bob wants Alice to “prove” her identity
to himProtocol ap1.0: Alice says “I am Alice”
Authentication: Another TryProtocol ap2.0: Alice says “I am Alice” and sends her IP
address along to “prove” it.
Authentication: Another TryProtocol ap3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Authentication: Another TryProtocol ap3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
I am Aliceencrypt(password)
Authentication: Another TryGoal: avoid playback attack
Failures, drawbacks?
Figure 7.11 goes here
Nonce: number (R) used only once in a lifetimeap4.0: to prove Alice “live”, Bob sends Alice nonce, R.
Alice must return R, encrypted with shared secret key
Authentication: Another Try
Figure 7.12 goes here
ap4.0 requires shared symmetric key problem: how do Bob, Alice agree on key can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
4
AP5.0: Security Hole?
Figure 7.14 goes here
Man (woman) in the middle attack: Trudyposes as Alice (to Bob) and as Bob (to Alice)
Need “certified” public keys (more later …)
AP5.0: Security Hole?
Figure 7.14 goes here
Man (woman) in the middle attack: Trudyposes as Alice (to Bob) and as Bob (to Alice)
Need “certified” public keys (more later …)
Digital SignaturesCryptographic
technique analogousto hand-writtensignatures.
Sender (Bob) digitallysigns document,establishing he isdocument owner/creator.
Verifiable, nonforgeable:recipient (Alice) can verifythat Bob, and no one else,signed document.
Simple digital signaturefor message m:
Bob encrypts m with hisprivate key dB, creatingsigned message, dB(m).
Bob sends m and dB(m) toAlice.
Digital Signatures Suppose Alice
receives msg m, anddigital signature dB(m)
Alice verifies msigned by Bob byapplying Bob’s publickey eB to dB(m) thenchecks eB(dB(m) ) =m.
If eB(dB(m) ) = m,whoever signed mmust have usedBob’s private key.
Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not
m’.Non-repudiation:
Alice can take m, andsignature dB(m) tocourt and prove thatBob signed m.
Message DigestsComputationally
expensive to public-key-encrypt longmessages
Goal: fixed-length, easy-to-compute digital“fingerprint”
apply hash function Hto m, get fixed sizemessage digest, H(m).
Hash function properties: many-to-1 produces fixed-size
msg digest (fingerprint) given message digest
x, computationallyinfeasible to find msuch that x = H(m)
H: HashFunction
Internet ChecksumInternet checksum has some properties of hash
function:➼ produces fixed length digest (16-bit sum) of message➼ is many-to-oneBut given message with given hash value, it is easy to
find another message with same hash value:
I O U 10 0 . 99 B O B
49 4F 55 3130 30 2E 3939 42 D2 42
message ASCII format
B2 C1 D2 AC
I O U 90 0 . 19 B O B
49 4F 55 3930 30 2E 3139 42 D2 42
message ASCII format
B2 C1 D2 ACdifferent messagesbut identical checksums!
5
Digital Signature = SignedMessage DigestBob sends digitally signed
message:Alice verifies signature and
integrity of digitally signedmessage:
Hash Function Algorithms Internet checksum would
make a poor messagedigest. Too easy to find two
messages with samechecksum.
MD5 hash function widely used. Computes 128-bit message
digest in 4-step process. arbitrary 128-bit string x,
appears difficult to constructmsg m whose MD5 hash isequal to x.
SHA-1 is also used. US standard 160-bit message digest
Trusted IntermediariesProblem:
How do twoentities establishshared secret keyover network?
Solution: trusted key
distribution center(KDC) acting asintermediarybetween entities
Problem: When Alice obtains
Bob’s public key(from web site, e-mail, diskette), howdoes she know it isBob’s public key,not Trudy’s?
Solution: trusted certification
authority (CA)
Key Distribution Center (KDC) Alice,Bob need
shared symmetrickey.
KDC: server sharesdifferent secret keywith each registereduser.
Alice, Bob know ownsymmetric keys, KA-
KDC KB-KDC , forcommunicating withKDC.
❒ Alice communicates withKDC, gets session key R1,and KB-KDC(A,R1)
❒ Alice sends BobKB-KDC(A,R1), Bob extracts R1
❒ Alice, Bob now share thesymmetric key R1.
Certification Authorities Certification authority (CA)
binds public key toparticular entity.
Entity (person, router, etc.)can register its public keywith CA. Entity provides “proof
of identity” to CA. CA creates certificate
binding entity to publickey.
Certificate digitallysigned by CA.
When Alice wants Bob’s publickey:
gets Bob’s certificate (Bob orelsewhere).
Apply CA’s public key to Bob’scertificate, get Bob’s public key
Certificate Serial number (unique to issuer) info about certificate owner, including algorithm
and key value itself (not shown)❒ info about
certificateissuer
❒ valid dates❒ digital
signatureby issuer
6
Secure Protocols Basic security algorithms are not enough:
how do you use them, how do you react when somethinghappens?
Secure protocols define how basic security tools are used: provide higher levels of security by merging strengths of several
basic security tools provide simple security mechanisms provide standards
Examples: PGP (encryption, decryption, signature of email), SSL: secure
socket layer, SSH: secure (remote) shell, HTTPS: secure HTTP
Secure Email
• generates random symmetric private key, KS.• encrypts message with KS• also encrypts KS with Bob’s public key.• sends both KS(m) and eB(KS) to Bob.
• Alice wants to send secret e-mail message, m, to Bob.
Secure Email• Alice wants to provide sender authentication &message integrity.
• Alice digitally signs message.• sends both message (in the clear) and digital signature.
Secure Email• Alice wants to provide secrecy, sender authentication, message integrity.
Note: Alice uses both her private key, Bob’s publickey.
Pretty Good Privacy PGP PGP designed by Phillip Zimmerman for electronic
mail Uses three known techniques:
IDEA for encrypting email message International Data Exchange Algorithm block cipher with 64-bit blocks similar in concept but different in details from DES uses 128-bit keys patented, but free for non-commercial use
PGP RSA public key encryption
permits keys up to 2,047 bits in length Digital signatures use MD5 or SHA-1
PGP generates a random 128-bit symmetric key, used byIDEA for each email message
PGP generates its own public/private key pairs Keys are stored locally using a hashed pass phrase PGP does not use conventional certificates (too expensive) Instead,
users generate and distribute their own public keys sign each other’s public keys save trusted public keys on public-key ring users build a web of trust users determine how much to trust
7
Pretty Good Privacy PGP Internet e-mail encryption
scheme, a de-factostandard.
Uses symmetric keycryptography, public keycryptography, hashfunction, and digitalsignature as described.
Provides secrecy, senderauthentication, integrity.
Inventor, Phil Zimmerman,was target of 3-yearfederal investigation.
---BEGIN PGP SIGNED MESSAGE---Hash: SHA1
Bob:My husband is out of towntonight.Passionately yours,Alice
---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/12EpJ+lo8gE4vB3m
qJhFEvZP9t6n7G6m5Gw2---END PGP SIGNATURE---
A PGP signed message:
GPG: Gnu Privacy Guard
GPG is primarily meant for securing email: can also use it to encrypt/decrypt/sign any
message... free alternative to PGP http://www.gpg.org
Allows you to: create public/private key pairs encrypt/decrypt messages sign/check messages
GPG Create your own public/private key pair:
gpg --gen-keys you will be asked several questions: which kind of key you
want, which size, how long it will stay valid, username,email address, etc. (keep default values)
then it will ask you for a passphrase: type any passphrase (e.g., “I like rabbits very much”) your private key will be encrypted with the passphrase
before storing on disk GPG will ask you for your passphrase each time it needs
to access your private key
Disseminating Your Public Key You can give it to anyone:
people who may want to communicate with you using GPG never hand out your private key
What’s my public key?gpg --export --armor <Your_Name>
You can add somebody else’s public key to your keyring:gpg --import <filename>
You can list the keys in your keyring:gpg --list-keys
Encryption/Decryption withGPG
Encryption: must specify the destination of your message,
message will be encrypted with the recipientspublic key (key must be in keyring)
gpg --armor --encrypt -r <recipient> < <file_to_encrypt>
Decryption: GPG will use your private key to decrypt a
received file, you will be asked for yourpassphrase
gpg --decrypt < <file_to_decrypt>
Signatures with GPG Sign a message (you will be asked for your
passphrase):gpg --output <output_file> --clearsign <document_to_sign> message and signature will be written to output_file
Check a signature:gpg --verify <document_to_check>
You can encrypt and sign a document:gpg --armor --sign --encrypt -r [email protected] <
message To decrypt and check:
gpg --decrypt <encrypted_and_signed_message>