Overview of Cryptography
Contents
Introduction
Symmetric-key cryptography: block ciphers, symmetric-key algorithms, cipher block modes, stream cipher
Public-key cryptography: digital signature, public key distribution, public-key algorithms
Cryptographic hash function: attack complexity, application (digital signature, message authentication code)
Key establishment: server-based, public-key based, key agreement (Diffie-Hellman)
Information security objectives
Confidentiality
Data integrity
Authentication: entity authentication (identification); message authentication (data origin authentication); verification of message timeliness and sequences
Non-repudiation
Availability
Access control
Security primitives (tools)
Unkeyed primitives: arbitrary length hash functions, one-way permutations, random sequences
Symmetric-key primitives: symmetric-key ciphers (block ciphers, stream ciphers), arbitrary length hash functions (MACs), signatures, pseudorandom sequences, identification primitives
Public-key primitives: public-key ciphers, signatures, identification primitives
Criteria
The crypto attributes are evaluated w.r.t. various criteria: level of security, functionality, methods of operation, performance, ease of implementation.
Crypto
Cryptology: the art and science of making and breaking “secret codes”
Cryptography: making “secret codes”
Cryptanalysis: breaking “secret codes”
Symmetric-key encryption
Other terms: single-key, one-key, private-key, conventional encryption
Why does symmetric crypto need a key, not just a certain transformation?
One of the major issues is to find an efficient method to agree upon and exchange keys securely: the key distribution problem.
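[Figure: symmetric-key encryption. A key source delivers the key e to both parties over a secure channel. The plaintext source encrypts, $E_e(m) = c$; c crosses an unsecured channel observed by an adversary; the destination decrypts, $D_e(c) = m$.]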
Block ciphers
Substitution ciphers, transposition ciphers, composition ciphers, product ciphers
Symmetric-key encryption algorithms
Data Encryption Standard (DES): adopted in 1973 by NIST; 64-bit blocks, 56-bit key
Triple DES: ANSI X9.17 in 1986; 168-bit key
Advanced Encryption Standard (AES): adopted in 2001 by NIST; 128-bit block length, key length 128 bits (192, 256)
International Data Encryption Algorithm (IDEA): published in 1991; block size 64 bits, key size 128 bits
Blowfish: in 1993; key size: variable to 448, block size: 64 bits
RC5: in 1994; key size: variable to 2048, block size: 64 bits
Cipher Block modes
Block cipher modes of operation
ECB: Electronic code book
CBC: Cipher block chaining
CFB: Cipher feedback
OFB: Output feedback
CTR: Counter mode
Stream cipher
Plaintext is XORed with a keystream generated from the secret key and an initialization vector (IV).
Vernam cipher (one-time pad)
RC4, SEAL
LFSR
Public-key cryptography
First publicly proposed by Diffie and Hellman in 1976.
Each entity maintains two keys: a public key ($K^+$), which is known to everyone, and a private key ($K^-$), which is known to the owner.
$D_{K^-}(E_{K^+}(M)) = M$, $D_{K^+}(E_{K^-}(M)) = M$
Public-key encryption
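[Figure: public-key encryption. Alice, the plaintext source, obtains Bob's public key $K_B^+$ from the key source over an unsecured channel and encrypts, $E_{K_B^+}(m) = c$. c crosses an unsecured channel observed by an adversary. Bob, the destination, decrypts with his private key $K_B^-$: $D_{K_B^-}(c) = m$.]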
Advantage of public-key crypto
Suppose N entities: how can any pair of them establish a secret key?
Using symmetric-key crypto requires a secret and authentic channel to set up the shared secret (symmetric) key; needs $O(N^2)$ keys; key management is challenging.
Public-key crypto advantage: each entity only needs to know N-1 authentic public keys; it is easier to establish authentic public keys than symmetric keys.
Public-key application
Message encryption: hardly used
Digital signature
Symmetric-key distribution
Digital Signature
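[Figure: digital signature. Signer A, with private key $K^-$ from the key source, computes $E_{K^-}(m) = s$ and sends s. Verifier B computes $D_{K^+}(s) = m$ with the public key $K^+$ and accepts if $m \in M'$. In the second panel the signer sends m together with the signature $S = E_{K^-}(M)$; the verifier computes $D_{K^+}(S) = m'$ and checks whether m = m'.]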
Public-key Distribution
[Figure: public-key distribution. Entities A1 to A6 each hold their own private key ($K_1^-$ to $K_6^-$). A public file lists A1: $K_1^+$, A2: $K_2^+$, A3: $K_3^+$, A4: $K_4^+$, A5: $K_5^+$, A6: $K_6^+$. A1 sends $c = E_{K_6^+}(m)$ and A6 recovers $m = D_{K_6^-}(c)$.]
Impersonation by adversary
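An adversary alters the public file by replacing the public key $K_6^+$ with $K_a^+$.
[Figure: impersonation. The public file now lists A6: $K_a^+$. A1 sends $c = E_{K_a^+}(m)$. The adversary, holding the private key $K_a^-$, computes $D_{K_a^-}(c) = m$, re-encrypts it as $E_{K_6^+}(m) = c'$ and forwards c' to A6, who decrypts with $K_6^-$ and obtains m.]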
Authentication by Trusted Third Party(TTP)
The entities must use a TTP to certify the public key of each entity. (verify the authenticity of the public key)
TTP distributes a pair of a public key and its owner, with the TTP’s signature which is formed by TTP’s private key.
TTP’s public key is known to every entity, and they trust the TTP’s public key is genuine.
When entities receive a public key, they decrypt the attached signature with the TTP’s public key, which proves the pair is genuine. In this way all entities can obtain the public keys of the other entities.
TTP is often called the Certificate Authority (CA).
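The substitution of A6's key in the public file, and its detection once the TTP signs each (owner, public key) pair, as an added example that is not part of the original slides. It assumes textbook RSA over SHA-256 with constructed toy keys built from Mersenne primes; the function names and the record layout are hypothetical.

```python
import hashlib

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes: ((n, e) public, (n, d) private). Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)           # S = E_{K-}(H(data))

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)    # D_{K+}(S) == H(data) ?

def _binding(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()

def certify(ttp_priv, name, pub):
    """The TTP signs the (owner, public key) pair with its private key."""
    return {"name": name, "pub": pub, "sig": sign(ttp_priv, _binding(name, pub))}

def lookup(public_file, name, ttp_pub):
    """Return name's key only if the TTP signature covers that exact pair."""
    cert = public_file[name]
    ok = cert["name"] == name and verify(ttp_pub, _binding(name, cert["pub"]), cert["sig"])
    if not ok:
        raise ValueError(f"key for {name} is not certified by the TTP")
    return cert["pub"]

# Constructed keys from Mersenne primes (far too structured for real use).
TTP_PUB, TTP_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
A6_PUB, _ = toy_keypair(2**61 - 1, 2**89 - 1)
ADV_PUB, _ = toy_keypair(2**521 - 1, 2**607 - 1)

def demo():
    public_file = {"A6": certify(TTP_PRIV, "A6", A6_PUB)}
    genuine = lookup(public_file, "A6", TTP_PUB) == A6_PUB
    public_file["A6"]["pub"] = ADV_PUB           # adversary swaps K6+ for Ka+
    try:
        lookup(public_file, "A6", TTP_PUB)
        detected = False
    except ValueError:
        detected = True
    return genuine, detected

if __name__ == "__main__":
    print(demo())
```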
Public-key crypto algorithms
RSA: since it was first published in 1978, it has become the most widely accepted algorithm.
Digital Signature Standard (DSS): NIST standard; used only for digital signature, not for encryption or key exchange.
Elliptic-Curve cryptography (ECC): IEEE P1367; appears to be secure for smaller key sizes than RSA.
Encrypting Large File with RSA?
Duration of 1024-bit RSA encryption: ~1 ms on 1 GHz Pentium
Duration of 1024-bit RSA decryption: ~10 ms on 1 GHz Pentium
Duration to encrypt a 1 Mbyte file?
Encrypt 1024 bits per RSA operation = 128 bytes
1 Mbyte = $2^{20}$ bytes
Time: $2^{20} / 2^{7} \times 1\,\text{ms} = 2^{13}$ ms = 8 seconds!
Compare with the time by the symmetric key?
Symmetric-key vs. public-key
Symmetric crypto: needs shared secret key; 80-bit key for high security (year 2010); ~1,000,000 ops/s on 1 GHz processor; 10x speedup in HW
Public-key crypto: needs authentic public key; 2048-bit key (RSA) for high security (year 2010); ~100 signatures/s and ~1000 verify/s (RSA) on 1 GHz processor; limited speedup in HW
Cryptographic Hash function
A computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length, called hash-values.
Properties of a secure hash function
One-way: given y = H(x), cannot find x’ s.t. H(x’) = y
Weak collision resistance: given x, cannot find x’ ≠ x s.t. H(x) = H(x’)
Strong collision resistance: cannot find x, x’ s.t. x’ ≠ x and H(x) = H(x’)
Attack complexity: One-way
Assume a secure hash function with n-bit output.
One-wayness: given output y, how many operations does it take to find any x such that H(x) = y?
Assumption: best attack is random search
For each trial x, the probability that the output is y is $2^{-n}$
$P[\text{find } x \text{ after } m \text{ trials}] = 1 - (1 - 2^{-n})^{m}$
Rule of thumb: find x after $2^{n-1}$ trials on average
Attack complexity: Weak collision
Weak collision resistance: given input x, how many operations does it take to find another x’ ≠ x, s.t. H(x) = H(x’)?
Assumption: best attack is random search
For each trial x’, the probability that the output is equal is $2^{-n}$
$P[\text{find } x' \text{ after } m \text{ trials}] = 1 - (1 - 2^{-n})^{m}$
Rule of thumb: find x’ after $2^{n-1}$ trials on average
Attack complexity: strong collision
Strong collision resistance: how many operations does it take to find x and x’, s.t. x’ ≠ x and H(x) = H(x’)?
Assumption: best attack is random search
Algorithm picks random x’, checks whether H(x’) matches any other output value previously seen
$P[\text{find col after } m \text{ trials}] = 1 - (1 - 1/2^{n})(1 - 2/2^{n})(1 - 3/2^{n}) \cdots (1 - (m+1)/2^{n})$
Rule of thumb: find collision after $2^{n/2}$ trials on average ($1.17 \cdot 2^{n/2}$ to be a bit more precise)
Pre-Birthday Problem
Suppose N people in a room.
How large must N be before the probability someone has the same birthday as me is 1/2?
Solve: $1/2 = 1 - (364/365)^{N}$ for N
We find N = 253
Birthday Paradox
How many people need to be in a room to have a probability > 50% that at least two people have the same birthday?
Answer: approximately $1.17 \cdot 365^{1/2} \approx 22.4$
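The two birthday computations and the random-search attacks above, run against a deliberately short hash, as an added example that is not part of the original slides. It assumes the first n bits of SHA-256 as the n-bit hash H; all function names and inputs are constructed for the experiment.

```python
import hashlib
from statistics import mean, median

def h(data: bytes, n: int) -> int:
    """n-bit hash for the experiment: the first n bits of SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n)

def values_for_half(space: int) -> int:
    """Smallest m such that m random values collide with probability > 1/2."""
    p_none, m = 1.0, 1
    while p_none > 0.5:
        p_none *= 1 - m / space      # value m+1 avoids the m values already seen
        m += 1
    return m

def pre_birthday(space: int) -> int:
    """Smallest N with 1 - ((space - 1) / space) ** N >= 1/2."""
    p_none, n = 1.0, 0
    while p_none > 0.5:
        p_none *= (space - 1) / space
        n += 1
    return n

def find_collision(n: int, prefix: bytes):
    """Strong collision by random search: hash inputs until an output repeats."""
    seen, i = {}, 0
    while True:
        x = prefix + i.to_bytes(8, "big")
        y = h(x, n)
        if y in seen:
            return seen[y], x, i + 1          # (x, x', trials)
        seen[y] = x
        i += 1

def find_second_preimage(n: int, x: bytes):
    """Weak collision by random search: find x' != x with H(x') = H(x)."""
    target, i = h(x, n), 0
    while True:
        cand = b"guess-" + i.to_bytes(8, "big")
        i += 1
        if cand != x and h(cand, n) == target:
            return cand, i                    # (x', trials)

if __name__ == "__main__":
    print(values_for_half(365), pre_birthday(365))
    runs = [find_collision(16, b"run%d-" % r)[2] for r in range(200)]
    print("collision, n=16: median trials", median(runs), "vs 1.17*2^8 =", 1.17 * 256)
    pre = [find_second_preimage(12, b"msg%d" % r)[1] for r in range(20)]
    print("second preimage, n=12: mean trials", mean(pre), "on the order of 2^12")
```

A 16-bit collision falls after a few hundred hashes, while a second preimage for a shorter 12-bit hash already needs thousands: the gap between $2^{n/2}$ and $2^{n}$ scaling.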
One-way hash function algorithms
SHA-1: developed by NIST and published in 1993; input: max. length of less than $2^{64}$ bits; input is processed in 512-bit blocks; output: 160-bit hash code
MD5: RFC 1321; input: arbitrary length, output: 128 bits
RIPEMD-160: developed by the European RACE Integrity Primitives Evaluation (RIPE) project; input: arbitrary length, output: 160 bits
How secure is SHA-1?
SHA-1 does not provide collision resistance any more: requires only $2^{69}$ operations to find a hash collision (2005)
How long would it take to find a collision?
$2^{69} / (2^{20} \cdot 2^{20}) = 2^{29}$ seconds
1 year has approximately $2^{25}$ seconds
$2^{29} / 2^{25} \approx 16$ years
Earlier this week, three Chinese cryptographers showed that SHA-1 is not
collision-free. That is, they developed an algorithm for finding collisions
faster than brute force.
SHA-1 produces a 160-bit hash. That is, every message hashes down to a
160-bit number. Given that there are an infinite number of messages that
hash to each possible value, there are an infinite number of possible
collisions. But because the number of possible hashes is so large, the
odds of finding one by chance is negligibly small (one in $2^{80}$, to be exact). If
you hashed $2^{80}$ random messages, you'd find one pair that hashed to the
same value. That's the "brute force" way of finding collisions, and it
depends solely on the length of the hash value. "Breaking" the hash
function means being able to find collisions faster than that. And that's
what the Chinese did.
They can find collisions in SHA-1 in $2^{69}$ calculations, about 2,000 times
faster than brute force. Right now, that is just on the far edge of feasibility
with current technology. Two comparable massive computations illustrate
that point.
(Feb. 15, 2005. Bruce Schneier)
Message Authentication Code (MAC)
One of the main applications of the hash function is to generate a small block of message tag which is called MAC.
MAC provides the authenticity and integrity of messages (no confidentiality).
A sender computes MAC(K, M), or $MAC_K(M)$, where K is the shared secret key between two entities, and sends <M, MAC(K, M)>.
MAC by symmetric-key encryption without hash function
Using a symmetric key, a sender generates a small block of data, known as a message authentication code (MAC), and appends it to the message.
[Figure: Alice computes $C = E_{K_{AB}}(M)$, takes the last L bits as the MAC (L: the length of the MAC) and sends M with the MAC. Bob computes $E_{K_{AB}}(M)$ on the received M, takes the last L bits and compares them with the received MAC.]
MAC by symm-key encryption
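A sender applies a symm-key encryption to a small block of data which is generated by a hash function.
[Figure: Alice computes H(M), forms the MAC as $E_{K_{AB}}(H(M))$ and sends M with the MAC. Bob computes H(M) on the received M and compares it with $D_{K_{AB}}(MAC)$.]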
MAC by public-key (Digital Signature)
Hash function provides the fast way of generating digital signature using the public-key cryptography.
[Figure: Alice computes H(M), forms the MAC as $E_{K_A^-}(H(M))$ and sends M with the MAC. Bob computes H(M) on the received M and compares it with $D_{K_A^+}(MAC)$.]
MAC with shared secret key
Hash functions such as SHA-1 do not rely on a secret key.
HMAC is the most widely accepted algorithm for MAC which incorporates a secret key into existing hash function algorithm.
In HMAC, a hash function is treated as a “black box,” which means any available hash function can be used.
RFC 2104
Example: HMAC-MD5
H: MD5 hash function
$MAC(K, M) = H((K \oplus opad) \,\|\, H((K \oplus ipad) \,\|\, M))$
ipad = 3636..36, opad = 5C5C..5C (512 bits)
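The HMAC construction above written out with the hash as a black box and checked against Python's standard `hmac` module, as an added example that is not part of the original slides. The names `hmac_rfc2104`, `send` and `receive` are hypothetical, and the shared key and messages in the demo are constructed.

```python
import hashlib
import hmac

BLOCK = 64   # input block size of MD5 / SHA-1 / SHA-256 in bytes (512 bits)

def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "md5") -> bytes:
    """H((K xor opad) || H((K xor ipad) || M)), with H used as a black box."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()
    if len(key) > BLOCK:                 # RFC 2104: over-long keys are hashed first
        key = H(key)
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    inner = H(bytes(b ^ 0x36 for b in key) + msg)      # ipad = 36 36 .. 36
    return H(bytes(b ^ 0x5C for b in key) + inner)     # opad = 5C 5C .. 5C

def send(key: bytes, msg: bytes):
    """Sender side: transmit <M, MAC(K, M)>."""
    return msg, hmac_rfc2104(key, msg)

def receive(key: bytes, msg: bytes, mac: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg), mac)

if __name__ == "__main__":
    key = b"constructed shared key K_AB"
    msg, mac = send(key, b"pay Bob 10")
    # Genuine message verifies; a modified message with the old MAC does not.
    print(mac.hex(), receive(key, msg, mac), receive(key, b"pay Bob 99", mac))
```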
Key establishment
Key establishment: process by which a shared secret key becomes available to two or more parties
Key management: a set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with new keys
Key establishment
Server-less key establishment
Server-based key establishment
Public-key based key establishment
Key agreement algorithm: Diffie-Hellman
Key establishment with TTP
A Trusted Third Party (TTP) generates a key k (session key) and sends it encrypted by each of the fixed keys.
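[Figure: key establishment with a TTP. Entities A1 to A6 each share a fixed key (K1 to K6) with the TTP, which acts as the key source. The TTP sends the session key to A1 as $E_{k_1}(k_{15})$ and to A5 as $E_{k_5}(k)$; A1 and A5 then exchange $E_{k_{15}}(m)$.]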
Key establishment by public key
A sender encrypts the shared secret key by the other entity’s public key.
[Figure: Alice sends $E_{K_B^+}(K_{AB})$ together with $E_{K_{AB}}(m)$ to Bob.]
Key agreement: Diffie-Hellman key exchange
The Diffie-Hellman key exchange algorithm enables two entities to exchange a secret key securely.
The algorithm depends on the difficulty of computing discrete logarithms.
Discrete Logarithm Problem
Public values: large prime p, generator g
$g^{a} \bmod p = x$
Discrete logarithm problem: given x, g, and p, find a
Table for g = 2, p = 11:
a            1  2  3  4  5  6  7  8  9  10
g^a mod p    2  4  8  5  10 9  7  3  6  1
Cyclic Group G
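[Figure: cyclic group G with generator α. The elements $\alpha^{1}, \alpha^{2}, \alpha^{3}, \ldots$ run from the 1st element to the nth element; $\alpha^{x} = \beta$.]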
Diffie-Hellman Key exchange
Public values: large prime p, generator g (primitive root of p)
Alice has secret value a, Bob has secret b
A → B: $g^{a} \pmod p$
B → A: $g^{b} \pmod p$
Bob computes $(g^{a})^{b} = g^{ab} \pmod p$
Alice computes $(g^{b})^{a} = g^{ab} \pmod p$
Symmetric key $= g^{ab} \pmod p$
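The exchange above run with the slide's toy parameters g = 2, p = 11, as an added example that is not part of the original slides. The function names are hypothetical; the exhaustive discrete-log search succeeds only because p is tiny, which is why the slides call for a large prime.

```python
import secrets

def power_table(g: int, p: int):
    """g^a mod p for a = 1 .. p-1 (the table shown for g = 2, p = 11)."""
    return [pow(g, a, p) for a in range(1, p)]

def is_generator(g: int, p: int) -> bool:
    """g is a primitive root of p iff its powers hit every value 1 .. p-1."""
    return sorted(power_table(g, p)) == list(range(1, p))

def dlog_bruteforce(x: int, g: int, p: int) -> int:
    """Find a with g^a mod p = x by exhaustive search (toy p only)."""
    for a in range(1, p):
        if pow(g, a, p) == x:
            return a
    raise ValueError("x is not a power of g")

def dh_exchange(g: int, p: int, a: int = None, b: int = None) -> dict:
    """Both sides of the exchange; returns the public messages and both keys."""
    a = secrets.randbelow(p - 2) + 1 if a is None else a   # Alice's secret
    b = secrets.randbelow(p - 2) + 1 if b is None else b   # Bob's secret
    msg_a = pow(g, a, p)             # A -> B: g^a mod p
    msg_b = pow(g, b, p)             # B -> A: g^b mod p
    return {
        "A_to_B": msg_a,
        "B_to_A": msg_b,
        "k_alice": pow(msg_b, a, p),  # (g^b)^a mod p
        "k_bob": pow(msg_a, b, p),    # (g^a)^b mod p
    }

def eavesdropper_key(run: dict, g: int, p: int) -> int:
    """What a passive observer of the two messages learns when p is too small."""
    a = dlog_bruteforce(run["A_to_B"], g, p)
    return pow(run["B_to_A"], a, p)

if __name__ == "__main__":
    print(power_table(2, 11), is_generator(2, 11), is_generator(3, 11))
    run = dh_exchange(2, 11, a=4, b=7)       # constructed secrets
    print(run, eavesdropper_key(run, 2, 11))
```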
Classes of attacks
Passive attacks
Active attacks
Attacks on protocols: known-key attack, replay, impersonation, dictionary, forward search, interleaving attack