appendix a: introduction to cryptographic algorithms and ...setia/cs818/lectures/lecture2.pdf ·...
TRANSCRIPT
1
© 2007 Levente Buttyán and Jean-Pierre Hubaux
Security and Cooperation in Wireless Networks
http://secowinet.epfl.ch/
Appendix A: Introduction to cryptographicalgorithms and protocols
symmetric andasymmetric keyencryption;hash functions;MAC functions;digital signatures;key establishmentprotocols;advancedauthenticationtechniques;
2/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
2
3/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Introduction
security is about how to prevent attacks, or -- if prevention is notpossible -- how to detect attacks and recover from them
an attack is a a deliberate attempt to compromise a system; it usuallyexploits weaknesses in the system’s design, implementation, operation,or management
attacks can be– passive
• attempts to learn or make use of information from the system but does not affectsystem resources
• examples: eavesdropping message contents, traffic analysis• difficult to detect, should be prevented
– active• attempts to alter system resources or affect their operation• examples: masquerade (spoofing), replay, modification (substitution, insertion,
destruction), denial of service• difficult to prevent, should be detected
A.1 Introduction
4/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Main security services
authentication– aims to detect masquerade– provides assurance that a communicating entity is the one that it claims to be
access control– aims to prevent unauthorized access to resources
confidentiality– aims to protect data from unauthorized disclosure– usually based on encryption
integrity– aims to detect modification and replay– provides assurance that data received are exactly as sent by the sender
non-repudiation– provides protection against denial by one entity involved in a communication
of having participated in all or part of the communication– two basic types: non-repudiation of origin and non-repudiation of delivery
A.1 Introduction
3
5/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Some security mechanisms
encryption– symmetric key, asymmetric (public) key
digital signature
access control schemes– access control lists, capabilities, security labels, ...
data integrity mechanisms– message authentication codes, sequence numbering, time stamping,
cryptographic chaining
authentication protocols– passwords, cryptographic challenge-response protocols, biometrics
traffic padding, route control, …
A.1 Introduction
6/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
4
7/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
E Dmplaintext
Kencryption key
K’decryption key
EK(m)ciphertext
DK’ (EK(m)) = m
eavesdroppingadversary
Classical model of encryption
goal of the adversary:– to systematically recover plaintexts from ciphertexts– to deduce the (decryption) key
Kerckhoff’s principle:– we must assume that the adversary knows all details of E and D– security of the system should be based on the protection of the
decryption key
A.2 Encryption
8/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Adversary models
ciphertext-only attack– the adversary can only observe ciphertexts produced by the same
encryption key
known-plaintext attack– the adversary can obtain corresponding plaintext-ciphertext pairs
produced with the same encryption key
(adaptive) chosen-plaintext attack– the adversary can choose plaintexts and obtain the corresponding
ciphertexts
(adaptive) chosen-ciphertext attack– the adversary can choose ciphertexts and obtain the corresponding
plaintexts
related-key attack– the adversary can obtain ciphertexts, or plaintext-ciphertext pairs that
are produced with different encryption keys that are related in aknown way to a specific encryption key
A.2 Encryption
5
9/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Security of encryption schemes
an encryption scheme is secure in a given adversary model ifit is computationally infeasible for the adversary to determinethe target decryption key under the assumptions of the givenmodel
for many encryption schemes used in practice, no proof ofsecurity exists– these schemes are used, nevertheless, because they are efficient and
they resist all known attacks
some encryption schemes are provably secure, howeverthese schemes are often inefficient
A.2 Encryption
10/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Basic classification encryption schemes
symmetric-key encryption– it is easy to compute K’ from K (and vice versa)– usually K’ = K– two main types:
• stream ciphers – operate on individual characters of the plaintext• block ciphers – process the plaintext in larger blocks of characters
asymmetric-key encryption– it is hard (computationally infeasible) to compute K’ from K– K can be made public ( public-key cryptography)
A.2 Encryption
6
11/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Block ciphers
an n bit block cipher is a function E: {0, 1}n x {0, 1}k {0, 1}n, suchthat for each K ∈ {0, 1}k, E(x, K) = EK(x) is an invertible mapping from{0, 1}n to {0, 1}n
E… …
…
n bit input n bit output
k bit key
A.2 EncryptionBlock ciphers
12/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Block cipher design criteria
completeness– each bit of the output block should depend on each bit of the input
block and on each bit of the key
avalanche effect– changing one bit in the input block should change approximately half
of the bits in the output block– similarly, changing one key bit should result in the change of
approximately half of the bits in the output block
statistical independence– input and output should appear to be statistically independent
A.2 EncryptionBlock ciphers
7
13/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
How to satisfy the design criteria?
complex encryption function can be built by composingseveral simple operations which offer complementary – butindividually insufficient – protection
simple operations:– elementary arithmetic operations– logical operations (e.g., XOR)– modular multiplication– transpositions– substitutions– ...
combine two or more transformations in a manner that theresulting cipher is more secure than the individualcomponents
A.2 EncryptionBlock ciphers
14/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Example: DES (Data Encryption Standard)
input size: 64 output size: 64 key size: 56 16 rounds Feistel structure
Initial Permutation
F+
F+
F+
F+
…
Initial Permutation-1
(64)
(64)
(32)(32)
(48)
(48)
(48)
(48)
Key
Sche
dule
r
(56)
K
K1
K2
K16
K3
X
YA.2 EncryptionBlock ciphers
8
15/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Example: the DES round function F
Si – substitution box (S-box)
P – permutation box (P-box)
++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++
S1 S2 S3 S4 S5 S6 S7 S8
P
keyinjection
A.2 EncryptionBlock ciphers
16/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Example: the DES key scheduler
each key bit is used inaround 14 out of 16rounds
Permuted Choice 1
Permuted Choice 2
Left shift(s) Left shift(s)
Permuted Choice 2
Left shift(s) Left shift(s)
…
(28)
(56)K
(28)
(28)(28)
(48)
(48)
K1
K2
A.2 EncryptionBlock ciphers
9
17/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Exhaustive key search attack
given a small number of plaintext-ciphertext pairs encrypted under a keyK, K can be recovered by exhaustive key search with 2k-1 processingcomplexity (expected number of operations)– input: (X, Y), (X’, Y’), …– progress through the entire key space, and for each candidate key K’, do the
following:• decrypt Y with K’• if the result is not X, then throw away K’• if the result is X, then check the other pairs (X’, Y’), …• if K’ does not work for at least one pair, then throw away K’ and take another key• if K’ worked for all pairs (X, Y), (X’, Y’), …, then output K’ as the target key
– on average, the target key is found after searching half of the key space
if the plaintexts are known to contain redundancy, then ciphertext-onlyexhaustive key search is possible with a relatively small number ofciphertexts
in practice, key size should be at least 128 bits
A.2 EncryptionBlock ciphers
18/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Algebraic attacks
having a large key size is only a necessary condition for thesecurity of a block cipher– a block cipher can be broken due to the weaknesses in its internal
(algebraic) structure, even if it uses large keys
example:– naïve exhaustive key search against DES: 255
– attack using the complementation property of DES: 254
Y = DESK(X) implies Y* = DESK*(X*), where X* denotes the bitwisecomplement of X
– differential cryptanalysis of DES: 247
– linear cryptanalysis of DES: 243
A.2 EncryptionBlock ciphers
10
19/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Block cipher modes of operation
ECB – Electronic Codebook– used to encipher a single plaintext block (e.g., a DES key)
CBC – Cipher Block Chaining– repeated use of the encryption algorithm to encipher a message
consisting of many blocks
CFB – Cipher Feedback– used to encipher a stream of characters, dealing with each character
as it comes
OFB – Output Feedback– another method of stream encryption, used on noisy channels
CTR – Counter– simplified OFB with certain advantages
A.2 EncryptionBlock cipher modes of operation
20/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
ECB mode
encrypt
decrypt
E
P1
C1
K E
P2
C2
K E
PN
CN
K…
D
C1
P1
K D
C2
P2
K D
CN
PN
K…
A.2 EncryptionBlock cipher modes of operation
11
21/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Properties of the ECB mode
identical plaintext blocks result in identical ciphertext blocks(under the same key, of course)– messages to be encrypted often have very regular formats– repeating fragments, special headers, string of 0s, etc. are quite
common
blocks are encrypted independently of other blocks– reordering ciphertext blocks result in correspondingly reordered
plaintext blocks– ciphertext blocks can be cut from one message and pasted in
another, possibly without detection
error propagation: one bit error in a ciphertext block affectsonly the corresponding plaintext block (results in garbage)
overall: not recommended for messages longer than oneblock, or if keys are reused for more than one block
A.2 EncryptionBlock cipher modes of operation
22/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
CBC mode
encrypt
decrypt
E
P1
C1
K
+
E
P2
C2
K
+
E
P3
C3
K
+
E
PN
CN
K
+IV CN-1
…
D
C1
P1
K
+IV
D
C2
P2
K
+
D
C3
P3
K
+
D
CN
PN
K
+CN-1
A.2 EncryptionBlock cipher modes of operation
12
23/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Properties of the CBC mode
encrypting the same plaintexts under the same key, but different IVsresult in different ciphertexts
ciphertext block Cj depends on Pj and all preceding plaintext blocks– rearranging ciphertext blocks affects decryption– however, dependency on the preceding plaintext blocks is only via the
previous ciphertext block Cj-1
– proper decryption of a correct ciphertext block needs a correct precedingciphertext block only
error propagation:– one bit error in a ciphertext block Cj has an effect on the j-th and (j+1)-st
plaintext block• Pj’ is complete garbage and Pj+1’ has bit errors where Cj had• an attacker may cause predictable bit changes in the (j+1)-st plaintext block
error recovery:– recovers from bit errors (self-synchronizing)– cannot, however, recover from frame errors (“lost” bits)
A.2 EncryptionBlock cipher modes of operation
24/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Integrity of the IV in the CBC mode
the IV need not be secret, but its integrity should beprotected– malicious modification of the IV allows an attacker to make
predictable changes to the first plaintext block recovered
one solution is to send the IV in an encrypted form at thebeginning of the CBC encrypted message
A.2 EncryptionBlock cipher modes of operation
13
25/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Padding
the length of the message may not be a multiple of the blocksize of the cipher
one can add some extra bytes to the short end block until itreaches the correct size – this is called padding
usually the last byte indicates the number of padding bytesadded – this allows the receiver to remove the padding
05
short end block padding
A.2 EncryptionBlock cipher modes of operation
26/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
CFB mode
encrypt decrypt
E
Pi Ci
K
+
shift register (n)
(n)
select s bits
(n)
(s)(s) (s)
(s)
initialized with IV
E
Ci Pi
K
+
shift register (n)
(n)
select s bits
(n)
(s)(s) (s)
(s)initialized with IV
A.2 EncryptionBlock cipher modes of operation
14
27/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Properties of the CFB mode
encrypting the same plaintexts under the same key, but different IVsresult in different ciphertexts
the IV can be sent in clear
ciphertext block Cj depends on Pj and all preceding plaintext blocks– rearranging ciphertext blocks affects decryption– proper decryption of a correct ciphertext block needs the preceding n/s
ciphertext blocks to be correct
error propagation:– one bit error in a ciphertext block Cj has an effect on the decryption of that
and the next n/s ciphertext blocks (the error remains in the shift register forn/s steps)
• Pj’ has bit errors where Cj had, all the other erroneous plaintext blocks are garbage• an attacker may cause predictable bit changes in the j-th plaintext block
error recovery:– self synchronizing, but requires n/s blocks to recover
A.2 EncryptionBlock cipher modes of operation
28/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
OFB mode
encrypt decrypt
E
Pi Ci
K
+
shift register (n)
(n)
select s bits
(n)
(s)
(s) (s)
(s)
initialized with IV
E
Ci Pi
K
+
shift register (n)
(n)
select s bits
(n)
(s)
(s) (s)
(s)
initialized with IV
A.2 EncryptionBlock cipher modes of operation
15
29/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Properties of the OFB mode
a different IV should be used for every new message, otherwisemessages will be encrypted with the same key stream
the IV can be sent in clear– however, if the IV is modified by the attacker, then the cipher will never
recover (unlike CFB)
ciphertext block Cj depends on Pj only (does not depend on thepreceding plaintext blocks)– however, rearranging ciphertext blocks affects decryption
error propagation:– one bit error in a ciphertext block Cj has an effect on the decryption of only
that ciphertext block• Pj’ has bit errors where Cj had• an attacker may cause predictable bit changes in the j-th plaintext block
error recovery:– recovers from bit errors– never recovers if bits are lost or the IV is modified
A.2 EncryptionBlock cipher modes of operation
30/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
CTR mode
encrypt decrypt
E
Pi Ci
K
+
(n)
(n)
(n)
counter + i
(n)
E
Ci Pi
K
+
(n)
(n)
(n)
counter + i
(n)
A.2 EncryptionBlock cipher modes of operation
16
31/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Properties of the CTR mode
similar to OFB
cycle length depends on the size of the counter (typically 2n)
the i-th block can be decrypted independently of the others– parallelizable (unlike OFB)– random access
the values to be XORed with the plaintext can be pre-computed
at least as secure as the other modes
note1: in CFB, OFB, and CTR mode only the encryption algorithm is used(decryption is not needed), that is why some ciphers (e.g., AES) isoptimized for encryption
note2: the OFB and CTR modes essentially make a synchronous streamcipher out of a block cipher, whereas the CFB mode converts a blockcipher into a self-synchronizing stream-cipher
A.2 EncryptionBlock cipher modes of operation
32/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Stream ciphers
while block ciphers simultaneously encrypt groups ofcharacters, stream ciphers encrypt individual characters– may be better suited for real time applications
stream ciphers are usually faster than block ciphers inhardware (but not necessarily in software)
limited or no error propagation– may be advantageous when transmission errors are probable
note: the distinction between stream ciphers and blockciphers is not definitive– stream ciphers can be built out of block ciphers using CFB, OFB, or
CTR modes– a block cipher in ECB or CBC mode can be viewed as a stream cipher
that operates on large characters
A.2 EncryptionStream ciphers
17
33/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Synchronous stream ciphers
the key stream is generated independently of the plaintext and of theciphertext
needs synchronization between the sender and the receiver– if a character is inserted into or deleted from the ciphertext stream then
synchronization is lost and the plaintext cannot be recovered– additional techniques must be used to recover from loss of synch.
no error propagation– a ciphertext character that is modified during transmission affects only the
decryption of that character an attacker can make changes to selected ciphertext characters and know
exactly what effect these changes have on the plaintext (if h = XOR)
σi gk h
fkσi+1
zi
pi
ci
A.2 EncryptionStream ciphers
34/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Self-synchronizing stream ciphers
the key stream is generated as a function of a fixed number of previousciphertext characters
self-synchronizing– since the size t of the register is fixed, a lost ciphertext character affects only
the decryption of the next t ciphertext characters
limited error propagation– if a ciphertext character is modified, then decryption of the next t ciphertext
characters may be incorrect
ciphertext characters depend on all previous plaintext characters– better diffusion of plaintext statistics
gk hzi
pi
ci
…
regi
ster
A.2 EncryptionStream ciphers
18
35/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The Vernam cipher and the one-time pad
Vernam cipher– ci = pi ⊕ ki for i = 1, 2, …
where pi are the plaintext digits, ki are the key stream digits, ci arethe ciphertext digits, and ⊕ is the bitwise XOR operation
one-time pad– a Vernam cipher where the key stream digits are generated
independently and uniformly at random– the one-time pad is unconditionally secure [Shannon, 1949]
• I(P; C) = H(P) - H(P|C) = 0
– a necessary condition for a symmetric key cipher to beunconditionally secure is that H(K) ≥ H(P) [Shannon, 1949]
• practically, the key must have as many bits as the compressed plaintext• impractical because of key management problems
A.2 EncryptionStream ciphers
36/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Asymmetric-key encryption
asymmetric-key encryption– it is hard (computationally infeasible) to compute K’ from K
K can be made public (public-key cryptography)– no need for key setup before communication
public-keys are not confidential but they must be authentic !
the security of asymmetric-key encryption schemes is usually based onsome well-known or widely believed hard problems
E Dmplaintext
K(public) encryption key
K’(private) decryption key
EK(m)ciphertext
DK’ (EK(m)) = m
attacker
A.2 EncryptionA.2.2 Asymmetric-key encryption
19
37/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Examples for hard problems
factoring problem– given a positive integer n, find its prime factors
• true complexity is unknown• it is believed that it does not belong to P
discrete logarithm problem– given a prime p, a generator g of Zp
*, and an element y in Zp*, find
the integer x, 0 ≤ x ≤ p-2, such that gx mod p = y• true complexity is unknown• it is believed that it does not belong to P
Diffie-Hellman problem– given a prime p, a generator g of Zp
*, and elements gx mod p andgy mod p, find gxy mod p
• true complexity is unknown• it is believed that it does not belong to P
A.2 EncryptionA.2.2 Asymmetric-key encryption
38/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The RSA encryption scheme
key generation– select p, q large primes (about 500 bits each)– n = pq, φ(n) = (p-1)(q-1)– select e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1– compute d such that ed mod φ(n) = 1 (this is easy if φ(n) is known)– the public key is (e, n)– the private key is d
encryption– represent the message as an integer m in [0, n-1]– compute c = me mod n
decryption– compute m = cd mod n
A.2 EncryptionA.2.2 Asymmetric-key encryption
20
39/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Relation to factoring
the problem of computing d from (e, n) is computationallyequivalent to the problem of factoring n– if one can factor n, then one can easily compute d– if one can compute d, then one can efficiently factor n
the problem of computing m from c and (e, n) (called theRSA problem) is believed to be computationally equivalent tofactoring– if one can factor n, then one can easily compute m from c and (e, n)– there’s no formal proof for the other direction
A.2 EncryptionA.2.2 Asymmetric-key encryption
40/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The need for salting
let us assume that the adversary observes a ciphertextc = EK(m)
let the set of possible plaintexts be M
if M is small, then the adversary can try to encrypt everymessage in M with the publicly known key K until she findsthe message m that maps into c
the usual way to prevent this attack is to randomize theencryption– some random bytes are added to the plaintext message before
encryption through the application of the PKCS #1 formatting rules– when the message is decrypted, the recipient can recognize and
discard these random bytes
A.2 EncryptionA.2.2 Asymmetric-key encryption
21
41/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The ElGamal encryption scheme
key generation– generate a large random prime p and choose generator g of the
multiplicative group Zp* = {1, 2, …, p-1}
– select a random integer a, 1 ≤ a ≤ p-2, and compute A = ga mod p– the public key is (p, g, A)– the private key is a
encryption– represent the message as an integer m in [0, p-1]– select a random integer r, 1 ≤ r ≤ p-2, and compute R = gr mod p– compute C = m⋅Ar mod p– the ciphertext is the pair (R, C)
decryption– compute m = C⋅Rp-1-a mod p
proof of decryptionC⋅Rp-1-a ≡ m⋅Ar⋅Rp-1-a ≡ m⋅gar⋅gr(p-1-a) ≡ m⋅(gp-1)r ≡ m (mod p)
A.2 EncryptionA.2.2 Asymmetric-key encryption
42/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Relation to hard problems
security of the ElGamal scheme is said to be based on thediscrete logarithm problem in Zp
*, although equivalence hasnot been proven yet
recovering m given p, g, A, R, and C is equivalent to solvingthe Diffie-Hellman problem
A.2 EncryptionA.2.2 Asymmetric-key encryption
22
43/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Digital enveloping
plaintext message
symmetric-keycipher
(e.g., in CBC mode)
public keyof the receiver
asymmetric-keycipher
digital envelop
generate randomsymmetric key
bulk encryption key
most popular public-key encryption methods are several orders ofmagnitude slower than the best known symmetric key schemes
public-key encryption is used together with symmetric-key encryption;the technique is called digital enveloping
A.2 EncryptionA.2.2 Asymmetric-key encryption
44/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
23
45/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Hash functions
a hash function maps bit strings of arbitrary finite length tobit strings of fixed length (n bits)
many-to-one mapping collisions are unavoidable however, finding collisions are difficult the hash value of a
message can serve as a compact representative image of themessage (similar to fingerprints)
message of arbitrary length
fix lengthhash value / message digest / fingerprint
hash function
A.3 Hash functions
46/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Desirable properties of hash functions
ease of computation– given an input x, the hash value h(x) of x is easy to compute
weak collision resistance (2nd preimage resistance)– given an input x, it is computationally infeasible to find a second input
x’ such that h(x’) = h(x)
strong collision resistance (collision resistance)– it is computationally infeasible to find any two distinct inputs x and x’
such that h(x) = h(x’)
one-way property (preimage resistance)– given a hash value y (for which no preimage is known), it is
computationally infeasible to find any input x s.t. h(x) = y
A.3 Hash functions
24
47/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The Birthday Paradox
Given a set of N elements, from which we draw k elements randomly(with replacement). What is the probability of encountering at least onerepeating element?
first, compute the probability of no repetition:– the first element x1 can be anything– when choosing the second element x2, the probability of x2 ≠ x1 is 1-1/N– when choosing x3, the probability of x3 ≠ x2 and x3 ≠ x1 is 1-2/N– …– when choosing the k-th element, the probability of no repetition is 1-
(k-1)/N– the probability of no repetition is (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N)– when x is small, (1-x) ≈ e-x
– (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N) = e-1/Ne-2/N … e-(k-1)/N = e-k(k-1)/2N
the probability of at least one repetition after k drawing is 1 – e-k(k-1)/2N
A.3 Hash functions
48/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The Birthday Paradox (cont’d)
How many drawings do you need, if you want the probability of at leastone repetition to be ε ?
solve the following for k: ε = 1 – e-k(k-1)/2N
k(k-1) = 2N ln(1/1-ε)k ≈ sqrt(2N ln(1/1-ε))
examples:ε = ½ k ≈ 1.177 sqrt(N)ε = ¾ k ≈ 1.665 sqrt(N)ε = 0.9 k ≈ 2.146 sqrt(N)
origin of the name “Birthday Paradox”:– elements are dates in a year (N = 365)– among 1.177 sqrt(365) ≈ 23 randomly selected people, there will be at least
two that have the same birthday with probability ½
A.3 Hash functions
25
49/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Choosing the output size of a hash function
the Birthday Paradox have a profound impact on the designof hash functions (and other cryptographic algorithms andprotocols)!– let n be the output size of a hash function– among ~sqrt(2n) = 2n/2 randomly chosen messages, with high
probability, there will be a collision pair– it is easier to find collisions than to find preimages or 2nd preimages
for a given hash value in order to resist birthday attacks, 2n/2 should be sufficiently large
(e.g., n = 160 bits)
A.3 Hash functions
50/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Iterated hash functions
input is divided into fixed length blocks x1, x2, …, xL
last block is padded if necessary– Merkle-Damgard strengthening: padding contains the length of the message
each input block is processed according to the following scheme
f is called the compression function– can be based on a block cipher, or– can be a dedicated compression function
x1
CV0
(b)
(n) (n)
CV1
f
x2
(b)
(n)
CV2
f
x3
(b)
(n)
CV3
f
xL
(b)
(n) h(x) = CVLf
CVL-1
…
A.3 Hash functions
26
51/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
52/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Message authentication codes (MACs)
MAC functions can be viewed as hash functions with twofunctionally distinct inputs: a message and a secret key
they produce a fixed size output (say n bits) called the MAC practically it should be infeasible to produce a correct MAC
for a message without the knowledge of the secret key MAC functions can be used to implement data integrity and
message origin authentication services
message of arbitrary length
fix lengthMAC
MAC function secret key
A.4 Message authentication codes
27
53/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
MAC generation and verification
MACmessage MAC
gene
rati
onsecret key
MACmessage MAC
veri
fica
tion
secret keycompare
yes/no
A.4 Message authentication codes
54/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Desirable properties of MAC functions
ease of computation– given an input x and a secret key k, it is easy to compute MACk(x)
key non-recovery– it is computationally infeasible to recover the secret key k, given one
or more text-MAC pairs (xi, MACk(xi)) for that k
computation resistance– given zero or more text-MAC pairs (xi, MACk(xi)), it is computationally
infeasible to find a text-MAC pair (x, MACk(x)) for any new input x ≠ xi
– computation resistance implies key non-recovery but the reverse isnot true in general
A.4 Message authentication codes
28
55/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
CBC MAC
CBC MAC is secure for messages of a fixednumber of blocks
(adaptive chosen-text existential) forgery ispossible if variable length messages areallowed
it is recommended to involve the length ofthe message in the CBC MAC computation
E
x1
k
+
E
x2
k
+
E
x3
k
+
E
xN
cN
k
+0 cN-1
…
c1 c2 c3E-1
E
k’
k
MAC
optional
A.4 Message authentication codes
56/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
HMAC
k+ ⊕ ipad
CV0f
x1
f
xL|padding1
f
k+ ⊕ opad
CV0f
M|padding2
f
MCV1
inner
CV1outer
HMACk(x)
…
hash fn
hash fn
HMACk(X) = H( k’’|H( k’|X ))
A.4 Message authentication codes
29
57/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
58/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Digital signatures
similar to MACs but– unforgeable by the receiver– verifiable by a third party
used for message authentication and non-repudiation (ofmessage origin)
based on public-key cryptography– private key defines a signing transformation SA
• SA(m) = σ
– public key defines a verification transformation VA
• VA(m, σ) = true if SA(m) = σ• VA(m, σ) = false otherwise
A.5 Digital signatures
30
59/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Attacks on digital signature schemes
key-only attack– only the public key is available to the adversary
known-message attack– the adversary has signatures for a set of messages known to her but
not chosen by her
chosen-message attack– the adversary obtains signatures for messages chosen by her before
attempting to break the signature scheme
adaptive chosen-message attack– the adversary is allowed to use the signer as an oracle– she may request signatures for messages which depend on previously
obtained signatures
A.5 Digital signatures
60/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
“Hash-and-sign” paradigm
public/private key operations are slow hash the message first and apply public/private key operations to the
hash value only
h enc
private keyof sender
message hash signature
hmessage hash
dec
public keyof sender
signature
compare
yes/no
gene
rati
onve
rifi
cati
on
A.5 Digital signatures
31
61/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Examples of digital signature scheme
RSA– essentially identical to the RSA encryption scheme– signature = decryption with private key– typical signature length is 1024 bits
DSA (Digital Signature Algorithm)– based on the ElGamal signature scheme– typical signature length is 1024 bits
ECDSA (Elliptic Curve DSA)– same as DSA but works over elliptic curves– reduced signature length (typically 320 bits)
A.5 Digital signatures
62/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
32
63/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Session key establishment protocols
goal of session key establishment protocols– to setup a shared secret between two (or more) parties– it is desired that the secret established by a fixed pair of parties
varies on subsequent executions of the protocol (dynamicity)– established shared secret is used as a session key to protect
communication between the parties
motivation for use of session keys– to limit available ciphertext for cryptanalysis– to limit exposure caused by the compromise of a session key– to avoid long-term storage of a large number of secret keys (keys are
created on-demand when actually required)– to create independence across communication sessions or
applications
A.6 Session key establishment protocols
64/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Basic classification
key transport protocols– one party creates or otherwise obtains a secret value, and securely
transfers it to the other party
key agreement protocols– a shared secret is derived by the parties as a function of information
contributed by each, such that no party can predetermine theresulting value
A.6 Session key establishment protocols
33
65/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Further services
entity authentication
implicit key authentication– one party is assured that no other party aside from a specifically identified
second party (and possibly some trusted third parties) may gain access tothe established session key
key confirmation– one party is assured that a second (possibly unidentified) party actually
possesses the session key– possession of a key can be demonstrated by
• producing a one-way hash value of the key or• encryption of known data with the key
explicit key authentication– implicit key authentication + key confirmation
key freshness– one party is assured that the key is new (never used before)
A.6 Session key establishment protocols
66/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Further protocol characteristics
reciprocity– guarantees are provided unilaterally– guarantees are provided mutually
efficiency– number of message exchanges (passes) required– total number of bits transmitted (i.e., bandwidth used)– complexity of computations by each party– possibility of precomputations to reduce on-line computational complexity
third party requirements– on-line, off-line, or no third party at all– degree and type of trust required in the third party
system setup– distribution of initial keying material
A.6 Session key establishment protocols
34
67/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The Wide-Mouth-Frog protocol
Alice BobServer
generate k
A, EKas( B, k, Ta )
EKbs( A, k, Ts )
summary: a simple key transport protocol that uses a trusted third partyAlice generates the session key and sends it to Bob via the trusted third party
characteristics: implicit key authentication for Alice explicit key authentication for Bob key freshness for Bob with timestamps (flawed) unilateral entity authentication of Alice on-line third party (Server) trusted for secure relaying of keys and
verification of freshness, in addition A is trusted for generating good keys initial long-term keys between the parties and the server are required
A.6 Session key establishment protocols
68/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
A flaw in the Wide-Mouth-Frog protocol
summary: after observing one run of the protocol, Trudy can continuously use the Server as an oracle until she wants to bring about re-authentication between Alice and Bob
B, EKbs( A, k, Ts )
EKas( B, k, Ts(1))
A, EKas( B, k, Ts(1))
EKbs( A, k, Ts(2))
...
EKbs( A, k, Ts(n))
BobTrudyServer
A.6 Session key establishment protocols
35
69/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Signed encrypted keys
BobAlice
A, EKb(k), Ta, SKa(B,EKb(k),Ta)
generate k
summary: Alice generates a session key, encrypts it with Bob’s public key, then sings it, and sends it to Bob
characteristics: unilateral entity authentication (of Alice), mutual implicit key authentication, no key confirmation, key freshness with timestamp, clock synchronization, off-line third party for issuing public key certificates may be required, initial exchange of public keys between the parties may be required, Alice is trusted to generate keys, non-repudiation guarantee for Bob
A.6 Session key establishment protocols
70/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
The Diffie-Hellman protocol
BobAlice
select random xcompute gx mod p
select random ycompute gy mod p
gx mod p
gy mod p
compute k = (gy)x mod p compute k = (gx)y mod p
summary: a key agreement protocol based on one-way functions; in particular, securityof the protocol is based on the hardness of the discrete logarithm problem and that of the Diffie-Hellman problem
characteristics: NO AUTHENTICATION, key freshness with randomly selected exponents, no party can control the key, no need for a trusted third party
assumptions: p is a large prime, g is a generator of Zp*, both are publicly known system
parameters
A.6 Session key establishment protocols
36
71/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
72/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Pseudo-random number generators (PRNGs)
a random number is a number that cannot be predicted byan observer before it is generated– if the number is generated within the range [0, N-1], then its value
cannot be predicted with any better probability than 1/N– the above is true even if the observer is given all previously
generated numbers
a cryptographic pseudo-random number generator (PRNG) isa mechanism that processes somewhat unpredictable inputsand generates pseudo-random outputs– if designed, implemented, and used properly, then even an
adversary with enormous computational power should not be able todistinguish the PRNG output from a real random sequence
A.7 Pseudo-random number generators
37
73/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
General operation of PRNGs
A.7 Pseudo-random number generators
internalstate
unpredictableinput samples(from physicalprocesses)
pseudo-random bitsindistinguishable fromreal random bits
…one-way fn
entropypool
re-keying
state update
74/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Desirable properties of PRNGs
the adversary cannot compute the internal state of thePRNG, even if she has observed many outputs of the PRNG
the adversary cannot compute the next output of the PRNG,even if she has observed many previous outputs of the PRNG
if the adversary can observe or even manipulate the inputsamples that are fed in the PRNG, but she does not knowthe internal state of the PRNG, then the adversary cannotcompute the next output and the next internal state of thePRNG
if the adversary has somehow learned the internal state ofthe PRNG, but she cannot observe the input samples thatare fed in the PRNG, then the adversary cannot figure outthe internal state of the PRNG after the re-keying operation
A.7 Pseudo-random number generators
38
75/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Chapter outline
A.1 IntroductionA.2 EncryptionA.3 Hash functionsA.4 Message authentication codesA.5 Digital signaturesA.6 Session key establishment protocolsA.7 Pseudo-random number generatorsA.8 Advanced authentication techniques
76/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Advanced authentication techniques
hash chains
Merkle-trees
broadcast authentication with TESLA
A.8 Advanced authentication techniques
39
77/77Security and Cooperation in Wireless NetworksAppendix A: Intro to cryptographic algorithms and protocols
Conclusions
security services are implemented by using securitymechanisms
many security mechanisms are based on cryptography (e.g.,encryption, digital signature, message authentication codes,…)
but be cautious: “If you think cryptography is going to solve your problem, you don't understand
cryptography and you don't understand your problem.”-- Bruce Schneier
other important aspects are– physical protection– procedural rules– education