lecture 3: cryptography ii cs 336/536: computer network security fall 2014 nitesh saxena

Lecture 3: Cryptography II

CS 336/536: Computer Network SecurityFall 2014

Nitesh Saxena

Lecture 1 - Introduction

Course AdministrationEveryone receiving my emails?Lecture slides worked okay?Both ppt and pdf versionsEveryone knows how to access the course web page?HW/Lab 1 heads upTo be posted coming MondayLabs become active starting next weekNO LAB THIS WEEK*


Outline of Todays LectureBlock Cipher Modes of EncryptionPublic Key Crypto OverviewNumber Theory BackgroundPublic Key Encryption (RSA)Public Key Signatures*


Block Cipher Encryption Modes*Lecture 1 - Introduction*


Lecture 2 - Cryptography - IBlock Cipher Encryption modesElectronic Code Book (ECB)Cipher Block Chain (CBC)Most popular oneOthers (we will not cover)Cipher Feed Back (CFB)Output Feed Back (OFB)

**


Lecture 2 - Cryptography - IAnalysisWe will analyze each mode in terms of:SecurityComputational Efficiency (parallelizing encryption/decryption)Transmission ErrorsIntegrity Protection

**


Lecture 2 - Cryptography - IElectronic Code Book (ECB) ModeAlthough DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode.

Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext**


Example why ECB is bad?*Lecture 2 - Cryptography - I*TuxTux encrypted with AES in ECB mode


Lecture 2 - Cryptography - ICipher Block Chain (CBC) Mode

**encryptiondecryption


Lecture 2 - Cryptography - ICBC TraitsRandomized encryption IV Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computationIV is a random valueIV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext)

**


Example why CBC is good?*Lecture 2 - Cryptography - I*TuxTux encrypted with AES in CBC mode


Lecture 2 - Cryptography - ICBC More PropertiesWhat happens if k-th cipher block CK gets corrupted in transmission.With ECB Only decrypted PK is affected.With CBC?Only blocks PK and PK+1 are affected!!What if one plaintext block PK is changed?With ECB only CK affected.With CBC all subsequent ciphertext blocks will be affected.Avalanche effectThis leads to an effective integrity protection mechanism (or message authentication code (MAC))**


Security of Block Cipher ModesECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks)CBC is secure against CPA attacks (assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacksHowever, not secure against CCA. Why?Intuitively, this is because the ciphertext can be massaged in a meaningful way*


CBC Mode CCA AttackAssume adversary has eavesdropped upon a ciphertext (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV.Adversary is not allowed to query for (C0, C1, C2) itself With CBC, adversary queries for (C0, C1, C2) and obtains (M1, M2) [X denotes bit-wise complement of X]*


How to achieve CCA security?Prevent any massaging of the ciphertextIntuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study laterThe ciphertext is generated using CBC and a MAC is generated on this ciphertextBoth ciphertext and the MAC is sent offThe other party decrypts only if MAC is valid*Lecture 2.3 - Private Key Cryptography III*


Advanced Encryption Standard (AES) National Institute of Science and TechnologyDES is an aging standard that no longer addresses todays needs for strong encryptionTriple-DES: Endorsed by NIST as todays defacto standardAES: The Advanced Encryption StandardFinalized in 2001Goal To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documentsAES candidate algorithms were required to be:Symmetric-key, supporting 128, 192, and 256 bit keysRoyalty-FreeUnclassified (i.e. public domain)Available for worldwide exportLecture 2.3 - Private Key Cryptography III**


AESAES Round-3 Finalist Algorithms:MARSCandidate offering from IBMRC6Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithmTwofishFrom Counterpane Internet Security, Inc.SerpentDesigned by Ross Anderson, Eli Biham and Lars KnudsenRijndael: the winner!Designed by Joan Daemen and Vincent RijmenLecture 2.3 - Private Key Cryptography III**


Other Symmetric Ciphers and their applicationsIDEA (used in PGP)Blowfish (password hashing in OpenBSD)RC4 (used in WEP), RC5SAFER (used in Bluetooth)

Lecture 2.3 - Private Key Cryptography III**


Some QuestionsDouble encryption in DES increases the key space size from 2^56 to 2^112 true or false?Is known-plaintext an active or a passive attack?Is chosen-ciphertext attack an active or a passive attack?Reverse Engineering is applied to what design of systems open or closed?Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use?

*Lecture 2.2 - Private Key Cryptography II*


Some QuestionsC=DES(K,P); where (P, C are 64-bit long blocks). What would be DES(K,PPPP) in ECB mode? What it would be in CBC mode?ECB is secure for sending just one block of data: true or false?Is it okay to re-use IV in CBC? Why/why not?Is ECB secure against CPA?Is CBC secure against CPA?

Lecture 2.3 - Private Key Cryptography III**


Public Key Crypto Overview and Number Theory*Lecture 1 - Introduction*


Recall: Private Key/Public Key CryptographyPrivate Key: Sender and receiver share a common (private) keyEncryption and Decryption is done using the private keyAlso called conventional/shared-key/single-key/ symmetric-key cryptographyPublic Key: Every user has a private key and a public keyEncryption is done using the public key and Decryption using private keyAlso called two-key/asymmetric-key cryptography*


Private key cryptography revisited.Good: Quite efficient Bad: Key distribution and management is a serious problem*


Public key cryptography modelGood: Key management problem potentially simplerBad: Much slower than private key crypto (well see later!) *


Public Key EncryptionTwo keys:public encryption key eprivate decryption key dEncryption easy when e is knownDecryption easy when d is knownDecryption hard when d is not knownWell study such public key encryption schemes; first we need some number theory.*


Public Key Encryption: Security NotionsVery similar to what we studied for private key encryptionWhats the difference?

*


Group: Definition(G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied:Closure : for any a, b G, a.b GAssociativity : for any a, b, c G, a.(b.c)=(a.b).cIdentity : there is an identity element such that a.e = e.a = a, for any a GInverse : there exists an element a-1 for every a in G, such that a.a-1 = a-1.a = e

Abelian Group: Group which also satisfies commutativity , i.e., a.b = b.a

*Lecture 1 - Introduction*


Groups: ExamplesSet of all integers with respect to addition --(Z,+) Set of all integers with respect to multiplication (Z,*) not a groupSet of all real numbers with respect to multiplication (R,*) Set of all integers modulo m with respect to modulo addition (Zm, modular addition)

*


Divisorsx divides y (written x | y) if the remainder is 0 when y is divided by x1|8, 2|8, 4|8, 8|8The divisors of y are the numbers that divide ydivisors of 8: {1,2,4,8}For every number y1|yy|y*


Prime numbersA number is prime if its only divisors are 1 and itself:2,3,5,7,11,13,17,19, *


Common divisorsThe common divisors of two numbers x,y are the numbers z such that z|x and z|ycommon divisors of 8 and 12:intersection of {1,2,4,8} and {1,2,3,4,6,12}= {1,2,4}greatest common divisor: gcd(x,y) is the number z such thatz is a common divisor of x and yno common divisor of x and y is larger than zgcd(8,12) = 4*


Euclidean Algorithm: gcd(r0,r1)*Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)


Example gcd(15,37)37 = 2 * 15 + 715 = 2 * 7 + 17 = 7 * 1 + 0 gcd(15,37) = 1

*


Relative primesx and y are relatively prime if they have no common divisors, other than 1Equivalently, x and y are relatively prime if gcd(x,y) = 19 and 14 are relatively prime9 and 15 are not relatively prime*


Modular ArithmeticDefinition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m. Notation: Example: We work in Zm = {0, 1, 2, , m-1}, the group of integers modulo mExample: Z9 ={0,1,2,3,4,5,6,7,8}We abuse notation and often write = instead of **Public Key Cryptography -- II


Addition in Zm :Addition is well-defined:

3 + 4 = 7 mod 9.3 + 8 = 2 mod 9.**Public Key Cryptography -- II


Additive inverses in Zm0 is the additive identity in Zm

Additive inverse of a is -a mod m = (m-a)Every element has unique additive inverse. 4 + 5= 0 mod 9. 4 is additive inverse of 5.

**Public Key Cryptography -- II


Multiplication in Zm :Multiplication is well-defined:

3 * 4 = 3 mod 9.3 * 8 = 6 mod 9.3 * 3 = 0 mod 9.**Public Key Cryptography -- II


Multiplicative inverses in Zm1 is the multiplicative identity in Zm

Multiplicative inverse (x*x-1=1 mod m)SOME, but not ALL elements have unique multiplicative inverse. In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, , so 3 does not have a multiplicative inverse (mod 9)On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4-1=7, (mod 9)



Which numbers have inverses?In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1E.g., 4 in Z9



Extended Euclidian: a-1 mod nMain Idea: Looking for inverse of a mod n means looking for x such that x*a y*n = 1.To compute inverse of a mod n, do the following:Compute gcd(a, n) using Euclidean algorithm.Since a is relatively prime to m (else there will be no inverse) gcd(a, n) = 1.So you can obtain linear combination of rm and rm-1 that yields 1.Work backwards getting linear combination of ri and ri-1 that yields 1.When you get to linear combination of r0 and r1 you are done as r0=n and r1= a.**Public Key Cryptography -- II


Example 15-1 mod 3737 = 2 * 15 + 715 = 2 * 7 + 17 = 7 * 1 + 0Now,15 2 * 7 = 115 2 (37 2 * 15) = 15 * 15 2 * 37 = 1So, 15-1 mod 37 is 5.**Public Key Cryptography -- II


Modular Exponentiation:Square and Multiply methodUsual approach to computing xc mod n is inefficient when c is large.Instead, represent c as bit string bk-1 b0 and use the following algorithm:z = 1For i = k-1 downto 0 doz = z2 mod n if bi = 1 then z = z* x mod n



Example: 3037 mod 77*z = z2 mod n if bi = 1 then z = z* x mod n*Public Key Cryptography -- II

i b z5 1 30 = 1*1*30 mod 774 0 53 = 30*30 mod 773 0 37 = 53*53 mod 772 1 29 = 37*37*30 mod 771 0 71 = 29*29 mod 770 1 2 = 71*71*30 mod 77


Other DefinitionsThe number of elements in a group is called the order of the groupOrder of an element a is the lowest i (>0) such that ai = e (identity) *Public Key Cryptography -- II


Lagranges TheoremOrder of an element in a group divides the order of the group**Public Key Cryptography -- II


Eulers totient functionGiven positive integer n, Eulers totient function is the number of positive numbers less than n that are relatively prime to n Fact: If p is prime then {1,2,3,,p-1} are relatively prime to p.**Public Key Cryptography -- II


Eulers totient function

Fact: If p and q are prime and n=pq then

Each number that is not divisible by p or by q is relatively prime to pq.E.g. p = 5, q = 7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}pq p - (q-1) = (p-1)*(q-1)**Public Key Cryptography -- II


Eulers Theorem and Fermats TheoremIf a is relatively prime to n then If a is relatively prime to p then ap-1 = 1 mod p

Proof : follows from Lagranges Theorem**Public Key Cryptography -- II


Eulers Theorem and Fermats TheoremEG: Compute 9100 mod 17:

p =17, so p-1 = 16. 100 = 616+4. Therefore, 9100=9616+4=(916)6(9)4 . So mod 17 we have 9100 (916)6(9)4 (mod 17) (1)6(9)4 (mod 17) (81)2 (mod 17) 16

Public Key Cryptography -- II**


Some questions2-1 mod 4 =?Find x such thatx = 4 (mod 5)x = 7 (mod 8)x = 3 (mod 9)Order of a group is 5. What can be the order of an element in this group?



Further ReadingChapter 4 of StallingsChapter 2.4 of HAC**Public Key Cryptography -- II


The RSA Cryptosystem (Encryption)

*


Textbook RSA: KeyGenAlice wants people to be able to send her encrypted messages.She chooses two (large) prime numbers, p and q and computes n=pq and . [large = 1024 bits +]She chooses a number e such that e is relatively prime to and computes d, the inverse of e in , i.e., ed =1 mod She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and

Plaintext and ciphertext messages are elements of Zn and e is the encryption key.*


RSA: EncryptionBob wants to send a message x (an element of Zn*) to Alice.He looks up her encryption key, (e,n), in a directory.The encrypted message is

Bob sends y to Alice.*


RSA: DecryptionTo decrypt the message

shes received from Bob, Alice computes

Claim: D(y) = x*


RSA: why does it all workNeed to showD[E[x]] = x E[x] and D[y] can be computed efficiently if keys are knownE-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d.Also, it should be possible to select keys reasonably efficientlyThis does not have to be done too often, so efficiency requirements are less stringent.

*


E and D are Inverses*Because From Eulers Theorem


Tiny RSA example.Let p = 7, q = 11. Then n = 77 and

Choose e = 13. Then d = 13-1 mod 60 = 37.Let message = 2.E(2) = 213 mod 77 = 30.D(30) = 3037 mod 77=2 *


Slightly Larger RSA example.Let p = 47, q = 71. Then n = 3337 and

Choose e = 79. Then d = 79-1 mod 3220 = 1019.Let message = 688232 Break it into 3 digit blocks to encrypt.E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232.*


Security of RSA: RSA assumptionSuppose Oscar intercepts the encrypted message y that Bob has sent to Alice.Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message)If Oscar can compute d = e-1 mod then he can use to recover the plaintext x.If Oscar can compute , he can compute d (the same way Alice did).*


Security of RSA: factoring Oscar knows that n is the product of two primesIf he can factor n, he can compute But factoring large numbers is very difficult:Grade school method takes divisions.Prohibitive for large n, such as 160 bitsBetter factorization algorithms exist, but they are still too slow for large nLower bound for factorization is an open problem

*


How big should n be?Today we need n to be at least 1024-bitsThis is equivalent to security provided by 80-bit long keys in private-key cryptoNo other attack on RSA knownExcept some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!

*


Key selectionTo select keys we need efficient algorithms toSelect large primesPrimes are dense so choose randomly.Probabilistic primality testing methods known. Work in logarithmic time.Compute multiplicative inversesExtended Euclidean algorithm*


RSA in PracticeTextbook RSA is insecureKnown-plaintext?CPA?CCA?In practice, we use a randomized version of RSA, called RSA-OAEPUse PKCS#1 standard for RSA encryptionhttp://www.rsa.com/rsalabs/node.asp?id=2125Interested in details of OAEP: refer to (section 3.1 of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf *


Some questionsc1 = RSA_Enc(m1), c2 = RSA_Enc(m2). What is RSA_Enc(m1m2)?Homomorphic propertyWhat is RSA_Enc(2m1)?Malleability (not a good property!)

*


Some QuestionsRSA stands for Robust Security Algorithm, right?If e is small (such as 3)Encryption is faster than decryption or the other way round?Private key crypto has key distribution problem and Public key crypto is slowHow about a hybrid approach?Do you know how ssl/ssh works?

*


Some QuestionsI encrypt m with Alices RSA PK, I get cI encryt m again, I get --?What does this mean?What if I do the above with DES?

*


Further ReadingStallings Chapter 11HAC Chapter 9*Lecture 4: Hash Functions*


Digital Signatures*Lecture 1 - Introduction*


Public Key SignaturesSigner has public key, private key pairSigner signs using its private keyVerifier verifies using public key of the signerLecture 3.4: Public Key Cryptography IV


Security Notion/Model for SignaturesExistential Forgery under (adaptively) chosen message attack (CMA)Adversary (adaptively) chooses messages mi of its choiceObtains the signature si on each miOutputs any message m ( mi) and a signature s on mLecture 3.4: Public Key Cryptography IV


RSA SignaturesKey Generation: same as in encryptionSign(m): s = md mod NVerify(m,s): (se == m mod N)

The above text-book version is insecure; why?In practice, we use a randomized version of RSA (implemented in PKCS#1)Hash the message and then sign the hashLecture 3.4: Public Key Cryptography IV


*******Discuss in each mode: parallelizing encryption/decryptionwhat happens if plaintext block is corruptedwhat happens if ciphertext block is corruptedcan it be used for message authentication**Discuss in each mode: parallelizing encryption/decryptionwhat happens if plaintext block is corruptedwhat happens if ciphertext block is corruptedcan it be used for message authentication********Discuss in each mode: parallelizing encryption/decryptionwhat happens if plaintext block is corruptedwhat happens if ciphertext block is corruptedcan it be used for message authentication*************************************************************Show an example: x^64 will require 6 squarings (or 6 multiplications).1000000

****************************************Say something about the brute force attack on RSA. Why exactly should N be 1024 bits?**************Show the exact operation: when you verify, you either get a yes or a no. Not really something as in encryption.*****

lecture 3: cryptography ii cs 336/536: computer network security fall 2014 nitesh saxena

Documents

lecture slides

nitesh saxena lecture

plaintext block pk

ciphertext c0

previous block

cryptography iics

cryptography ianalysiswe

identical ciphertext