cs682 –advanced security topics - ucy · •double letters are separated by x ... –approximate...
TRANSCRIPT
2
TheNeedforCryptography
• Peoplehadalwayssecrets• Ordinaryapplicationsarebasedonsecrecy– e.g.,elections(ore-voting)
• Machinesneedtoverifyinformation– detecterrors
• Unforgeableinformation– ordinarysignaturesvsdigitalsignatures
• Manynewapplications– Fromcarkeystosmartcards,andcellphones
3
CryptoRoadmap
• BasicConcepts• SymmetricCiphers• AsymmetricCiphers• CryptographicHashFunctions• DigitalSignatures• RandomNumbers
4
BasicConcepts
5
CryptoSystemPlainText CipherText
Secret
Secret
PublicPublic
SecurityviaObscurity
• Allcryptoalgorithmsareassumedtobeknown
• Securityisbasedon– Secrecyofthekey– Hardtoinfertheplaintextviatheciphertext
• Cryptanalysis– Infertheplaintextfromciphertext withoutknowingthekey
6
SimpleExample
7
Xà X+key(i.e.,‘a’becomes‘d’)
a simplemessage
dcwlpsohcphwwdjh
3
InventedbyJuliusCaesar!
C=P+Kmod26
(assuminganalphabetof26letters!)
Monoalphabetic ciphers
• Assumeanalphabet– abcdefghijklmnopqrstuvwxyz_
• Indextheletters– a is1,b is2,c is3,…,z is26,_ is27
• Selectakey(secret),whichshifts theorder– Assumingthekeyis3,thena isshiftedthreelettersandbecomesd,andz becomesb (wrapsaroundthealphabet)
8
MultipleandRunningKeys
• Vigenere Cipher– PolyalphabeticSubstitutionCiphers
9
Key = r, u, n (three Caesar’s keys)
tobeornottobethatisthequestionrunrunrunrunrunrunrunrunrunrunKIOVIEEIGKIOVNURNVJNUVKHVMGZIA
SecureEnough?
• Vigenere Cipher– PolyalphabeticSubstitutionCiphers
10
Key = r, u, n (three Caesar’s keys)
tobeornottobethatisthequestionrunrunrunrunrunrunrunrunrunrunKIOVIEEIGKIOVNURNVJNUVKHVMGZIA
FrequencyAnalysis
11
Attheciphertext:
FrequencyAnalysis
12
Englishtext:
Example
13
Repeat
14
One-TimePad
• PushingVigenere totheextreme!– Sizeofkeyissizeofplaintext– Avoidrepeatedpatterns
15
Plain: helpsnowdenKey: jitwojsktuwCipher: qmelgwggwyj
One-TimePad
16
Plain: helpsnowdenKey: jitwojsktuwCipher: qmelgwggwyj
Cipher: qmelgwggwyjKey: kejhopsktuwPlain: givesnowden
Key: jitwojsktuwCipher: pqoagwggwyjPlain: givesnowden
KeyIntegrity
MessageIntegrity
One-TimePad
• PushingVigenere totheextreme!– Sizeofkeyissizeofplaintext– Avoidrepeatedpatterns
17
Plain: heilhitlerKey: wclnbtdefjCipher:DGTYIBWPJA
One-TimePad
18
Plain: heilhitlerKey: wclnbtdefjCipher:DGTYIBWPJA
Cipher:DGTYIBWPJAKey: wggsbtdefjPlain: hanghitler
Cipher:DCYTIBWPJAKey: wclnbtdefjPlain: hanghitler
KeyIntegrityMessageIntegrity
One-timePad
• Pros– PerfectSecrecy
• Cons– Impracticallongkey– Keyintegrity, givenacipheryoucanselectanotherkeythatproducesadifferentvalidplaintext
–MessageIntegrity,givenakeyyoucanselectaciphertextthatproducesthedesiredplaintext
19
BlockCiphers
• Sofar,we:– Treatthemessageasone-dimensionstream– Useonlysubstitution–Wejustshift letters(i.e.,C=P+Kmod26)
• BlockCiphers– Splitmessagetoequallysizedblocks– Encrypteachblock
20
Playfair (rule1)
P A L M E
R S T O N
B C D F G
H I K Q U
V W X Y Z
21
Iftwolettersareinthesamerow(orcolumn)theyarereplacedbythesucceeding
letters:am becomesLE
Playfair (rule2)
P A L M E
R S T O N
B C D F G
H I K Q U
V W X Y Z
22
Otherwisethetwolettersstandattwoofthecornersoftherectangleinthetable,andwereplacethemwiththelettersat
theothertwocornersofthisrectangle:lo becomesMT
Playfair Algorithm
• Replaceallj withi inplaintext• Splitplaintextintwo-letterblocks• Doublelettersareseparatedbyx• z isused(conditionally)forpadding• ApplyRule1and2
23
Example
Lord Granville
lo rd gr an vi lx le sl et te rz
MT TB BN ES WH TL MR TA LN NL NV
24
SYMMETRICCIPHERS
25
26
HillCipher
• Eachletterisinterpretedasanumber(0-25)• Messageiswrittenasamatrix– CATbecomes:
• Forencryption– C=KM–M =K-1 C
27
2
M = 0
19
Transposition
• Producesanewpermutation ofthemessage• Doesnotchangethestatisticsofthemessage• Easiestwaytoimplementitisbymatrixmultiplication
28
Transposition
• Initialorder:[1,2,3,4,5]• Ifyouwanttoproduce[3,1,2,5,4]youneedtomultiplyitusing
29
0 1 0 0 0
0 0 1 0 0
1 0 0 0 0
0 0 0 0 1
0 0 0 1 0
BasicOperations
• Substitution(αντικατάσταση)– Changesthestatisticsofthemessagebysubstitutingletterswithotherletters
• Transposition (μετάθεση)– Reordersthelettersofthemessage
• Botharelinearoperations(reversible)
30
SymmetricCiphers
• Relativelyfast• Onekeyencryptsanddecrypts• Block-basedorStream-based• Severalrounds– SubstitutionsandTranspositions– Notonletters,butonbits(orbytes)
• Majorweakness– Keydistribution
31
PlainText
32
SymmetricCryptographicEncryption
PlainText CipherText
SymmetricCryptographicDecryption
CipherText
ModernSymmetricCiphers
• DES,3DES,andAES– AESisthedominantone,today
• Basedon– Substitutionsandtranspositions
• Verycomplex• Type– Block– Stream
33
BlockvsStream
• Blockcipher– A blockofplaintextistreatedasawholeandusedtoproduceablockofciphertext ofequallength
– Typically,ablocksizeof64or128bitsisused• Streamcipher– Plaintextistreatedasadatastream andonebitoronebyteisprocessedatatime
34
Blockcipher
• Plaintextof n bitsproducesaciphertext ofnbits– Blocksize:nbits
• Spaceofdifferentplaintextblocks:2^n– Eachblockmustbeunique
35
Reversibility
36
REVERSIBLEMAPPING IRREVERSIBLEMAPPING
Plaintext Ciphertext Plaintext Ciphertext
00 11 00 11
01 10 01 10
10 00 10 01
11 01 11 01
IdealSubstitutionCipher
37
Mapping:key4bitsx16rows
=64bits!
Problems
• Vulnerabletostatisticalattacks– Smallblockscantakelimitedtransformations– Largeblocks(increasen)areimpractical
• Keysize:4bitsx16rows– Ingeneral:nx2n
– Approximatetheidealcase– Example:64-bitblockrequiresakeyof64x264=1021bits(!!)
38
PracticalCiphers• Goal– Approximatetheidealcipher– Reducestatisticalpropertiesbetweenplaintext,ciphertext,andkey(s)
• CombiningSubstitutionsandTranspositions– Substitution:Eachplaintextelementorgroupofelementsisuniquelyreplacedbyacorrespondingciphertextelementorgroupofelements
– Transposition:Asequenceofplaintextelementsisreplacedbyapermutationofthatsequence;noelementsareaddedordeletedorreplacedinthesequence,rathertheorderinwhichtheelementsappearinthesequenceischanged
39
40
41
InformationTheoryApproach
• Confusion– Obscurestherelationshipbetweentheplaintextandtheciphertext
– Theeasiestwaytodothisisthroughsubstitution• Diffusion– Reducesrepeatedplaintextpatternsbyspreadingouttheplaintextovertheciphertext
– Theeasiestwaytodothisisthroughtransposition
42
RealizingSubstitution(S-box)
• Mapping6bitsofinputto4bits(takenfromDES)
• Example:011011
43
S-boxMiddle 4 bits of input
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
Outer bits
00 0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
01 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110
10 0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
11 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011
SuperComplicated!
44
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
Properties
• Blocksize:– Largerblocksizesmeangreatersecuritybutreducedencryption/decryptionspeedforagivenalgorithm
– Ablocksizeof64bitsisreasonabletradeoff– AESusesa128-bitblocksize
• Keysize:– Largerkeysizemeansgreatersecuritybutmaydecreaseencryption/decryptionspeed
– Keysizesof64bitsorlessarenowwidelyconsideredtobeinadequate,and128bitshasbecomeacommonsize
45
Properties
• Numberofrounds:– Severalroundsareinvolved– Atypicalsizeis16rounds
• Subkey generationalgorithm:– Greatercomplexityinthisalgorithmshouldleadtogreaterdifficultyofcryptanalysis
46
Extra(desired)properties
• Fastsoftwareencryption/decryption:– Inmanycases,encryptionisembeddedinapplicationsorutilityfunctionsinsuchawayastoprecludeahardwareimplementation
• Easeofanalysis:– Thereisgreatbenefitinmakingthealgorithmeasytoanalyze
– Itiseasiertoanalyzethatalgorithmforcryptanalyticvulnerabilitiesandthereforedevelopahigherlevelofassuranceastoitsstrength
– DES,forexample,doesnothaveaneasilyanalyzedfunctionality
47
Blockmodes
48
Mode Description TypicalApplication
ElectronicCodebook(ECB) Eachblockof64plaintextbitsisencodedindependentlyusingthesamekey.
•Securetransmissionofsinglevalues(e.g.,anencryptionkey)
CipherBlockChaining(CBC)
TheinputtotheencryptionalgorithmistheXORofthenext64bitsofplaintextandthepreceding64bitsofciphertext.
•General-purposeblock-orientedtransmission•Authentication
Andsomemore:PCBC,CFB,OFB,CTR
Blockmodeisimportant
49
Original ECBencryption Non-ECBencryption
AdvancedEncryptionStandard(AES)
• SubsetofRijndael– Developedin1998bytwoBelgiancryptographers,JoanDaemen andVincentRijmen
• MostwidelyusedSymmetricCiphertoday• BlockSize– 128bits
• Keysize– 128,192,or256bits
50
AdvancedEncryptionStandard(AES)• 10rounds• Roundtypes– SubBytes,anS-boxsubstitutionstep– ShiftRows,apermutationstep–MixColumns,amatrixmultiplication(likeHillcipher)
– AddRoundKey,aXOR-basedoperationthatproducesanewkeybasedontheinitialone
51
AESS-box:-)
52
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Thecolumnisdeterminedbytheleastsignificant 4bits,andtherowisdeterminedbytheotherhalf(0x9a becomes0xb8)
OpenSSL
• OpenSSL isanOpenSourcelibraryforcryptographicoperations
• WritteninC,availableinmanylanguages– Java,Python,Ruby,etc.
53
STREAMCIPHERS
54
Theneedforrandomness
• Replayattacks– Addingarandomsecret(nonce)helpsagainstattackersthatreplay encryptedmessages
• Sessionkeygeneration– Sessionkeysarecryptographickeysthathaveashortlife
• GenerationofkeysfortheRSApublic-keyencryptionalgorithm– RSAisbasedonselectinglargeprimenumbersrandomly
• Streamciphers– Theirsecurityisentirelybasedonrandomness
55
Randomness
• Uniformdistribution– Thedistributionofbitsinthesequenceshouldbeuniform
– Thefrequencyofoccurrenceofonesandzerosshouldbeapproximatelyequal
• Independence– Nosubsequenceinthesequencecanbeinferredfromtheothers
• Securityrequirement– Unpredictability
56
RandomGeneratorTypes
• TrueRandomNumberGenerators(TRNGs)• Pseudo-randomNumberGenerators(PRNGs)
57
Converttobits Algorithm
Sourceoftruerandomness
Seed
Randombits Pseudo-randombits
TRNGs
58
PRNGs
r = f(seed);
59
Requirements• Uniformity– Occurrenceofazerooroneisequallylikely– Theexpectednumberofzeros(orones)isn/2,wheren=thesequencelength
• Scalability– Anytestapplicabletoasequencecanalsobeappliedtosubsequencesextractedatrandom
– Ifasequenceisrandom,thenanysuchextractedsubsequenceshouldalsoberandom
• Consistency– Thebehaviorofageneratormustbeconsistentacrossstartingvalues(seeds)
60
Tests• Frequencytest– Determinewhetherthenumberofonesandzerosinasequenceisapproximatelythesameaswouldbeexpectedforatrulyrandomsequence
• Runs test– Determinewhetherthenumberofrunsofonesandzerosofvariouslengthsisasexpected forarandomsequence
• Maurer’suniversalstatisticaltest– Detectwhetherornotthesequencecanbesignificantlycompressedwithoutlossofinformation
– Asignificantlycompressiblesequenceisconsideredtobenon-random
61
Unpredictability
• Forwardunpredictability– Iftheseedisunknown,thenextoutputbitinthesequenceshouldbeunpredictableinspiteofanyknowledgeofpreviousbitsinthesequence
• Backward unpredictability– Itshouldalsonotbefeasibletodeterminetheseedfromknowledgeofanygeneratedvalues
– Nocorrelationbetweenaseedandanyvaluegeneratedfromthatseedshouldbeevident
– Eachelementofthesequenceshouldappeartobetheoutcomeofanindependentrandomeventwhoseprobabilityis1/2
62
Seed
63
Converttobits
Algorithm
Sourceoftruerandomness
Seed
Pseudo-randombits
CryptographicPRNGs
• Existingcryptographicalgorithms– Streamciphers– Asymmetricciphers(RSA,computeprimes)
• Hashfunctions• MessageAuthenticationCodes(MACs)
64
Xn+1=(aXn+c) mod m
• X0 istheseed (assumeX0=1)• Selection ofa,c,andm,iscritical– a=7, c=0, m=32• 7, 17, 23, 1, 7, ...
– a=5• 5, 25, 29, 17, 21, 9, 13, 1, 5, ...
• Intheorym should be very large(2^31)
65
StreamCiphers
66
⊕11001100 plaintext
01101100 key stream
10100000 ciphertext
67
Pseudo-randomByteGenerator(keystream)
Key/Seed
Pseudo-randomByteGenerator(keystream)
⊕ ⊕plaintextstream ciphertext stream plaintextstream
Encryption Decryption
Key/Seed
RC4
• DesignedbyRonRivest in1987• UsedtodayinTLS– TLSistheciphersuitebehindHTTPS
• UsedinWEP– Gotbroken
• ThereareconcernsaboutthesecurityofRC4• Basedonrandompermutations• Periodisbelievedtobegreaterthan10100• 8to16machineoperationsarerequiredperbyteoftheciphertext
68
RC4– Initialization
/* Initialization */ for i = 0 to 255 do S[i] = i;T[i] = K[i mod keylen];
/* Initial Permutation of S */ j = 0;for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256; Swap (S[i], S[j]);
69
RC4– StreamGeneration
i, j = 0;while (true)
i = (i + 1) mod 256;j = (j + S[i]) mod 256; Swap (S[i], S[j]);t = (S[i] + S[j]) mod 256; k = S[t];
70
Encryption:XORthenextbyteofplaintextwithkDecryption:XORthenextbyteofciphertext withk
RC4
71
RC4
72
/* Initialization */ for i = 0 to 255 do S[i] = i;T[i] = K[i mod keylen];
RC4
73
/* Initialization */ for i = 0 to 255 do S[i] = i;T[i] = K[i mod keylen];
/* Initial Permutation of S */ j = 0;for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256;
Swap (S[i], S[j]);
RC4
74
/* Initialization */ for i = 0 to 255 do S[i] = i;T[i] = K[i mod keylen];
/* Initial Permutation of S */ j = 0;for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256;
Swap (S[i], S[j]);
/* Stream Generation */ i, j = 0;while (true) i = (i + 1) mod 256;j = (j + S[i]) mod 256; Swap (S[i], S[j]);t = (S[i] + S[j]) mod 256; k = S[t];
AdditionalReading
OntheSecurityofRC4inTLS. NadhemAlFardan, etal. InUsenix Security2013.https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan
75
BlockciphertoStreamcipher• Cipher-feedbackmode(CFB)– Ci =EK (Ci-1)⊕ Bi– Theencryptionofablock,Ci,istheencryptionofthepreviousblock,Ci-1,XORed withthecurrentplaintextblock,Bi
• Reducingtheblocksize– 1byte(orless)– Blockcipherbehaveslikeastreamcipher– Highoverhead
76
CryptographicAttacks• Ciphertext-only– Attackerhasaccesstociphertext ofoneormoremessages,encryptedallwiththesamekey
• Known-plaintext– Attackerhasaccesstooneormoreplaintext-ciphertextpairs,encryptedallwiththesamekey
• Chosen-plaintext– Attackercanchoseoneormoreplaintextmessagesandreceivetheirciphertext (eitheroff-lineoron-line)
• Chosen-ciphertext– Attackercanchoseoneormorechiphertext messagesandreceivetheirplaintext(eitheroff-lineoron-line)
77
ASYMMETRICENCRYPTION
78
ModularArithmetic
(10+13)mod12=23mod12=11mod12
Or,wecouldsay:11and23areequivalent,modulo12
Anotherwaytowritethis:10+13≡11(mod12)
79
ModularArithmetic
a ≡b (modn)ifa=b+kn,forsomeintegerk
Fortheexample:23≡11(mod12),since23=11+12,k=1
Anotherexample:82 ≡ 2(mod20),since82=2+4·20,k=4
80
ModularInverse
• Themultiplicativeinverseof4is1/4,since4·1/4=1• Inmodulararithmetic
4 ·x≡1(mod7),translatesto4·x=7·k+1,wherebothxandkareintegers
• Generalform1=(a ·x)modna-1 ≡x(modn)
• Notalwayssolvable– Theinverseof5,modulo14,is3– 2hasnoinversemodulo14
81
Primenumber
• Anintegerp >1isaprimenumberifandonlyifitsonlydivisorsare:1,p (and–p)
• Noothernumberevenlydividesit• Primes– 5,7,13,19,2521
• Nonprimes– 4,8,39,125
82
Relativeprimes(co-primes)• Twonumbersarerelativeprimewhentheysharenofactorsincommonotherthan1
• 15and28arerelativeprimes• 15and27arenotrelativeprimes• 13and500arerelativeprimes
83
Euler’sTotientFunction,φ(n)
• φ(n) isthenumberofpositivesintegerslessthannthatarerelativeprimeton
• φ(1)is1,bydefinition• Ifn=pq,wherep andqareprimes– φ(n)=(p-1)(q-1)– Superimportant!
84
Recipe1/3
• Supposeyouwanttoencryptthemessage:2– Let’ssaythatAmapsto0,Bmapsto1,andCmapsto2;youwanttomapCtoanotherletter
• Picktwoprimenumbers– p =2andq=7
• Multiplythem– n=pq =2·7=14
85
Recipe2/3
• Calculateφ(n),or φ(14)– φ(n)=(p-1)(q-1)=(2-1)(7-1)=6
• Pickanumberthatisrelativeprimeto6andsmallerthan6– e=5
• Solvetheequationx ·5≡1(mod6)– Findanintegerxthatifmultipliedwith5theresultis1mod6
– x=11,because55mod6=1mod6– let’scallthatd=11
86
Recipe3/3
• Forencryption25 mod14=32mod14=4(so2becomes4)
• Fordecryption– 411 mod14=4194304mod14=2
87
Whatdidjusthappen?
• Weencrypted2to4• Wedecrypted4backto2• Nosubstitution• Notransposition• Nosinglekey
88
RSA
89
Properties
• 2keys– PublicKey(nosecrecy)– PrivateKey(ifstoleneverythingislost)
• Easyalgorithm,buthard toreverse– Computationallyhardtoinferp andq fromn=pq– Computationallyhardmeanssolvableinnon-polynomialtime
90
RSA
• Encryption– C=Me modn
• Decryption–M=Cd modn=(Me modn)d=Med modn
• Keys– PublicKey ={e,n}– PrivateKey ={d,n}– ed ≡1modφ(n)
91
RSASteps• p,q,twoprimenumbers
– Private• n =pq
– n canbepublic,butrecallthatitishard toinferp andqbyjustknowingn
• e isrelativeprimetoφ(n)– Public– Recallφ(n)=(p-1)(q-1)
• dfrome,andφ(n)– Private
• ed ≡1modφ(n)– Canbecomputedsinceweknowp andq
92
RSAexample
1. Select p =17andq =112. Then, n =pq =17·11=1873. φ(n) = (p-1)(q-1) = 16·10 = 1604. Select e relativelyprimetoφ(n)=160and
lessthanφ(n); e =75. Determine d
- de ≡ 1(mod160) and d <160,- d =23,because23·7=161=(1·160)+1;
93
ComputationalAspects
• RSAbuildsonexponents• Intensiveoperation• Side channels
94
CRYPTOGRAPHYANDAPPLICATIONS
95
96
97
p(bigrandomprime)
q(bigrandomprime)
n=p· qcomputingpandqfromn requiressuper-polynomialtime inthenumberofdigits
Compute φ(n),φ(n)=(p-1)(q-1)onlyifncanbeexpressedasn=p· q,
wherepandqareprimes
Selecte whichisrelativeprimeto(p-1)(q-1)
Selectd fromd ·e≡1mod(p-1)(q-1)
PrivateKey{e,n}
PublicKey{d,n}
Bothkeys{e,n} and{d,n} areequivalent,anyofthemcanbeusedastheprivatekeyandtheotheroneasthepublickey
PlainText
RecallSymmetricCiphers
98
SymmetricCipher(Encryption)
PlainText CipherText
SymmetricCipher(Decryption)
CipherText
PlainText
AsymmetricEncryptionMode1
99
AsymmetricCipherPlainText CipherText
AsymmetricCipherCipherText
PublicKey
PrivateKey
PlainText
AsymmetricEncryptionMode2
100
AsymmetricCipherPlainText CipherText
AsymmetricCipherCipherText
PrivateKey
PublicKey
PlainText
RSA
101
(plaintext)e modnPlainText CipherText
(ciphertext)d modnCipherText
e,n
d,n
AsymmetricCiphers
• RSA– primefactorization
• ElGamal– Computingdiscretelogarithms
• Ellipticcurves–Morecomplicated,butsmallerkeysizes
102
CryptographicHashFunctions
103
message1(Nbits)
message2(Nbits)
HashValueA(256bits)
CryptographicHashFunction
HashValueB(256bits)
CryptographicHashFunction
Ideally:Ifmessage1andmessage2differbyonebit,thenAandBdifferin50%oftheirbits
High-levelProperties
• Complicatedone-wayfunctions• One-way– Hardtocomputethemessagebyhavingjustthehashvalue(ordigest)
– Nocryptographickeys– Shouldnotbeconfusedwithinvertiblefunctions(1-1)
• Collision– FindamessagethatcryptographicallyhashestoagivendigestH
104
Requirements
Requirement Description
Variableinputsize Hcanbeappliedtoablockofdataofanysize
Fixedoutput size Hproduces fixed-lengthoutput(calledhashvalue ormessagedigest)
Efficiency H(x)isrelatively easytocomputeforanygivenx(intermsofbothsoftware/hardwareimplementations)
Preimage resistant(one-wayproperty) Foranygivenhashvalueh, itiscomputationallyinfeasibletofindysuchthatH(y)=h
Second preimageresistant(weakcollisionresistant) For anygivenblockx,itiscomputationallyinfeasibletofindy<>xwithH(y)=H(x)
Collisionresistant (strongcollisionresistant) Itiscomputationallyinfeasible tofindanypair(x,y)suchthatH(x)=H(y)
Pseudorandomness OutputofHmeetsstandard testsforpseudorandomness
105
Lifetimesofcryptographichashfunctions
106
More:http://valerieaurora.org/hash.html
SHA256isconsideredcurrentlysafe
ModernApplications
• Ciphersuites– TransportLayerSecurity(TLS),encryptedsockets
• SymmetricKeydistribution• DigitalSignatures• Passwords
107
SymmetricKey
SymmetricKeyDistribution
108
(symmetrickey)dmodn
SymmetricKey CipherText
(symmetrickey)emodn
CipherText
d,n(publickey)
e,n
Theneedforsignatures
• Confidentialityisnotalwaysthekeyrequirementforcryptography
• Communicationbetweenuntrustedparties– BobmayforgeamessageandclaimthatitcamefromAlice
– Bobcandenysendingamessage
• Example– Anelectronicfundstransfertakesplace,andthereceiverincreasestheamountoffundstransferred
109
Requirements• Thesignaturemustbeabitpatternthatdependsonthe
messagetobesigned• Thesignaturemustusesomeinformationuniquetothe
sender,topreventbothforgeryanddenial• Itmustberelativelyeasytoproducethedigitalsignature• Itmustberelativelyeasytorecognizeandverifythedigital
signature• Itmustbecomputationallyinfeasibletoforgeadigital
signature,eitherbyconstructinganewmessageforanexistingdigitalsignatureorbyconstructingafraudulentdigitalsignatureforagivenmessage
• Itmustbepracticaltoretainacopyofthedigitalsignatureinstorage
110
DigitalSigning
111
Document(ArbitrarySize)
CryptographicHashKey(FixedSize)
MessageSignature
Public-KeyCryptography
(RSA)PrivateKey
SignedDocument
(ArbitrarySize+signature)
MessageSignature
VerifyingDigitalSignatures
112
Document(ArbitrarySize+signature) MessageSignature
DocumentHashKey
Public-KeyCryptography
(RSA)PublicKey
MessageSignature
Document(ArbitrarySize+signature)
DocumentHashKey
CryptographicHashFunction
Passwords
• Services– Storecryptographichashesofpasswords– Passwordsinplaintextaredeleted
• Authentication– Servicescheckonlycryptographichashesandnotplaintextpasswords
• Encryptingpasswordsisabadidea– Attackercanleakthekey
• Passwordsaresalted– Identicalplaintextpasswordsproducedifferenthashkeys
113
AttackingPasswords
• Bruteforce• Dictionaryattacks• Rainbowtables– Saltcanmakethisextremelyhard
• GPUs
114
115
116
OriginalFile
EncryptedFile
WannaCryHeader
AttackerRSAPublicKey(fixed),PuK
ComputedRSAPublicKey,Sub-PuK
ComputedRSAPrivateKey,Sub-PrK
ComputedAESKey(perfile),
EncK
1. EncryptfilewithEncK (per-fileencryption)
2. EncryptEncK withSub-PuK andstoreittoWannaCryHeader(per-hostencryption)
3. EncryptSub-PrKwithPuK andsendittoattacker(attackerhasadifferentdecryptionkeyperhost)
Readmore:WannaKey,https://github.com/aguinet/wannakey