foundations of network and computer security j j ohn black lecture #9 sep 16 th 2009 csci 6268/tlen...
Post on 20-Dec-2015
217 views
TRANSCRIPT
Foundations of Network and Foundations of Network and Computer SecurityComputer Security
JJohn Black
Lecture #9Sep 16th 2009
CSCI 6268/TLEN 5550, Fall 2009
Birthday Paradox
• Need another method– Birthday paradox: if we have 23 people in a
room, the probability is > 50% that two will share the same birthday
– This happens because 23 is near the square root of 365
• Sqrt(365) ≈ 19.1• More on this in a moment
Birthday Paradox (cont)
• Let’s do the math– Let n equal number of people in the class– Start with n = 1 and count upward
• Let NBM be the event that there are No-Birthday-Matches• For n=1, Pr[NBM] = 1• For n=2, Pr[NBM] = 1 x 364/365 ≈ .997• For n=3, Pr[NBM] = 1 x 364/365 x 363/365 ≈ .991• …• For n=22, Pr[NBM] = 1 x … x 344/365 ≈ .524• For n=23, Pr[NBM] = 1 x … x 343/365 ≈ .493
– Since the probability of a match is 1 – Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%
Occupancy Problems
• What does this have to do with hashing?– Suppose each hash output is uniform and random on
{0,1}n
– Then it’s as if we’re throwing a ball into one of 2n bins at random and asking when a bin contains at least 2 balls
• This is a well-studied area in probability theory called “occupancy problems”
– It’s well-known that the probability of a collision occurs around the square-root of the number of bins
• If we have 2n bins, the square-root is 2n/2
Birthday Bounds
• This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2n/2
– This is known as the “birthday bound”– It’s impossible to do better, but quite easy to
do worse
• It is therefore hoped that it takes (264) work to find collisions in MD5 and (280) work to find collisions in SHA-1
More Recently
• At CRYPTO 2004 (August)– Collisions found in HAVAL, RIPEMD, MD4, MD5, and
SHA-0 (240 operations)• Wang, Feng, Lai, Yu• Only Lai is well-known
– HAVAL was known to be bad– Dobbertin found collisions in MD4 years ago– MD5 news is big!
• CU team lowered time-to-collision to 3 mins (July 2005)
– SHA-0 isn’t used anymore (but see next slide)
Collisions in SHA-0
T A << 5 + gt (B, C, D) + E + Kt + Wt
Wt = { t-th word of Mi 0 t 15( Wt-3 Wt-8 Wt-14 Wt-16 ) << 1 16 t 79
A H0i-1; B H1
i-1; C H2i-1; D H3
i-1; E H4i-1
for t = 1 to 80 do
E D; D C; C B >> 2; B A; A T
H0i H0
i-1; H1i A + H1
i-1; H2i C+ H2
i-1; H3
i D + H3i-1; H4
i E + H4i-1
endH0..4
i-1
65
not in SHA-0
M1, M1’
Collision!
What Does this Mean?
• Who knows– Methods are not yet understood– Will undoubtedly be extended to more attacks– Maybe nothing much more will happen– But maybe everything will come tumbling
down?!
• But we have OTHER ways to build hash functions
The Big (Partial) Picture
PrimitivesBlock Ciphers
Hash Functions
Hard Problems
Stream Ciphers
First-LevelProtocols
Symmetric Encryption
Digital Signatures
MAC Schemes
Asymmetric Encryption
Second-LevelProtocols
SSH, SSL/TLS, IPSecElectronic Cash, Electronic Voting
(Can do proofs)
(Can do proofs)
(No one knows how to prove security; make assumptions)
Review
• What MACs have we seen thus-far?– CBCMAC, XCBC, UMAC, HMAC
– HMAC led to a discussion on crypto hash functions• MD5, SHA-1 are examples• These functions are unkeyed• Our hope is that they are collision-resistant
– We’ll pick up with a construction of a hash function from a blockcipher
The Big (Partial) Picture
PrimitivesBlock Ciphers
Hash Functions
Hard Problems
Stream Ciphers
First-LevelProtocols
Symmetric Encryption
Digital Signatures
MAC Schemes
Asymmetric Encryption
Second-LevelProtocols
SSH, SSL/TLS, IPSecElectronic Cash, Electronic Voting
(Can do proofs)
(Can do proofs)
(No one knows how to prove security; make assumptions)
Symmetric vs. Asymmetric
• Thus far we have been in the symmetric key model– We have assumed that Alice and Bob share some
random secret string– In practice, this is a big limitation
• Bootstrap problem• Forces Alice and Bob to meet in person or use some
mechanism outside our protocol• Not practical when you want to buy books at Amazon
• We need the Asymmetric Key model!
Asymmetric Cryptography
• In this model, we no longer require an initial shared key– First envisioned by Diffie in the late 70’s– Some thought it was impossible– MI6 purportedly already knew a method– Diffie-Hellman key exchange was first public
system• Later turned into El Gamal public-key system
– RSA system announced shortly thereafter
But first, a little math…
• A group is a nonempty set G along with an operation # : G x G → G such that for all a, b, c ∈G– (a # b) # c = a # (b # c) (associativity)– ∃ e G such that e # a = a # e = a (identity)∈– ∃ a-1 G such that a # a∈ -1 = e (inverses)
• If a,b G, a # b = b # a we say the group is ∀ ∈“commutative” or “abelian”– All groups in this course will be abelian
Notation
• We’ll get tired of writing the # sign and just use juxtaposition instead– In other words, a # b will be written ab– If some other symbol is conventional, we’ll use it instead
(examples to follow)• We’ll use power-notation in the usual way
– ab means aaaaa repeated b times– a-b means a-1a-1a-1a-1 repeated b times– Here a G, b Z∈ ∈
• Instead of e we’ll use a more conventional identity name like 0 or 1
• Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably
Examples of Groups
• Z (the integers) under + ?• Q, R, C, under + ?• N under + ? • Q under x ?• Z under x ?• 2 x 2 matrices with real entries under x ?• Invertible 2 x 2 matrices with real entries under x ?
• Note all these groups are infinite – Meaning there are an infinite number of elements in them
• Can we have finite groups?
Finite Groups
• Simplest example is G = {0} under +– Called the “trivial group”
• Almost as simple is G = {0, 1} under addition mod 2
• Let’s generalize– Zm is the group of integers modulo m– Zm = {0, 1, …, m-1}– Operation is addition modulo m– Identity is 0– Inverse of any a Z∈ m is m-a– Also abelian
The Group Zm
• An example– Let m = 6– Z6 = {0,1,2,3,4,5}– 2+5 = 1– 3+5+1 = 3 + 0 = 3– Inverse of 2 is 4
• 2+4 = 0
• We can always pair an element with its inversea : 0 1 2 3 4 5a -1 : 0 5 4 3 2 1
• Inverses are always unique• An element can be its own inverse
– Above, 0 and 0, 3 and 3
Another Finite Group
• Let G = {0,1}n and operation is ⊕– A group?– What is the identity?– What is the inverse of a G?∈
• We can put some familiar concepts into group-theoretic notation:– Caesar cipher was just P + K = C in Z26
– One-time pad was just P K = C in the group ⊕just mentioned above
Multiplicative Groups
• Is {0, 1, …, m-1} a group under multiplication mod m?– No, 0 has no inverse
• Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m?– Hmm, try some examples…
• m = 2, so G = {1} X• m = 3, so G = {1,2} X• m = 4, so G = {1,2,3} oops!• m = 5, so G = {1,2,3,4} X
Multiplicative Groups (cont)
• What was the problem?– 2,3,5 all prime– 4 is composite (meaning “not prime”)
• Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime
Proof: →: suppose m is composite, then m = ab where a,b ∈
G and a, b 1. Then ab = m = 0 and G is not closed ←: follows from a more general theorem we state in a
moment
The Group Zm*
• a,b ∈ N are relatively prime iff gcd(a,b) = 1– Often we’ll write (a,b) instead of gcd(a,b)
• Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1} and operation is multiplication mod m yields a group– We name this group Zm
*
– We won’t prove this (though not too hard)– If m is prime, we recover our first theorem
Examples of Zm*
• Let m = 15– What elements are in Z15
*?• {1,2,4,7,8,11,13,14}
– What is 2-1 in Z15*?
• First you should check that 2 Z∈ 15*
• It is since (2,15) = 1
– Trial and error:• 1, 2, 4, 7, 8 X
– There is a more efficient way to do this called “Euclid’s Extended Algorithm”
• Trust me
Euler’s Phi Function
• Definition: The number of elements of a group G is called the order of G and is written |G|– For infinite groups we say |G| = 1– All groups we deal with in cryptography are finite
• Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function”– Note that |Zm
*| = (m)
– This follows immediately from the definition of ()
Evaluating the Phi Function
• What is (p) if p is prime?– p-1
• What is (pq) if p and q are distinct primes?– If p, q distinct primes, (pq) = (p)(q)– Not true if p=q– We won’t prove this, though it’s not hard
Examples
• What is (3)?– |Z3
*| = |{1,2}| = 2
• What is (5)?
• What is (15)?– (15) = (3)(5) = 2 x 4 = 8
– Recall, Z15* = {1,2,4,7,8,11,13,14}
LaGrange’s Theorem
• Last bit of math we’ll need for RSA
• Theorem: if G is any finite group of order n, then a G, a∀ ∈ n = 1– Examples:
• 6 Z∈ 22, 6+6+…+6, 22 times = 0 mod 22
• 2 Z∈ 15*, 28 = 256 = 1 mod 15
• Consider {0,1}5 under ⊕– 01011 2 {0,1}5, 0101132 = 0000016 =00000
– It always works (proof requires some work)
Basic RSA Cryptosystem
• Basic Setup:– Alice and Bob do not share a key to start with– Alice will be the sender, Bob the receiver
• Reverse what follows for Bob to reply
– Bob first does key generation• He goes off in a corner and computes two keys• One key is pk, the “public key”• Other key is sk, the “secret key” or “private key”
– After this, Alice can encrypt with pk and Bob decrypts with sk