Brief overview of cryptography
Posted on 18-Dec-2015
Outline
cryptographic primitives
– symmetric key ciphers
  • block ciphers
  • stream ciphers
– asymmetric key ciphers
– cryptographic hash functions
protocol primitives
– block cipher operation modes
– “enveloping”
– message authentication codes
– digital signatures
key management protocols
– session key establishment with symmetric and asymmetric key techniques
– Diffie-Hellman key exchange and the man-in-the-middle attack
– public key certification
Operational model of encryption
(figure: the plaintext x is encrypted by E under the encryption key k into the ciphertext Ek(x); D decrypts it with the decryption key k’, so that Dk’(Ek(x)) = x; the attacker observes the ciphertext)
Kerckhoffs’ assumption:
– attacker knows E and D
– attacker doesn’t know the (decryption) key
attacker’s goal:
– to systematically recover plaintext from ciphertext
– to deduce the (decryption) key
attack models:
– ciphertext-only
– known-plaintext
– (adaptive) chosen-plaintext
– (adaptive) chosen-ciphertext
Symmetric key encryption
– it is easy to compute k from k’ (and vice versa); often k = k’
– two main types: stream ciphers and block ciphers
(figure: block ciphers: the plaintext is padded, split into blocks and each block is encrypted by the block cipher under the key to give the ciphertext; stream ciphers: a pseudo-random bit stream generator, fed with a seed, produces a key stream that is XORed bit by bit with the plaintext to give the ciphertext)
One-time pad – theoretical vs. practical security
one-time pad
– a stream cipher where the key stream is a true random bit stream
– unconditionally secure (Shannon, 1949)
– however, the key must be as long as the plaintext to be encrypted
practical ciphers
– use much shorter keys
– are not unconditionally secure, but computationally infeasible to break
– however, proving that a cipher is computationally secure is not easy
  • not enough to consider brute force attacks (key size) only
  • a cipher may be broken due to weaknesses in its (algebraic) structure
– no proofs of security exist for many ciphers used in practice
– if a proof exists, it usually relies on assumptions that are widely believed to be true (such as P ≠ NP)
DES – Data Encryption Standard
– input size: 64, output size: 64, key size: 56
– 16 rounds
– Feistel structure
  • F need not be invertible
  • decryption is the same as encryption with reversed key schedule (hardware implementation!)
(figure: the 64-bit input X passes the Initial Permutation and is split into two 32-bit halves; in each of the 16 rounds one half is XORed with F applied to the other half under a 48-bit round key; the inverse Initial Permutation gives the 64-bit output Y; the key scheduler derives the round keys K1, K2, K3, ..., K16 from the 56-bit key K)
DES round function F
(figure: the 48-bit input is XORed bitwise with the 48-bit round key, the result is distributed over the eight S-boxes S1, ..., S8, and their outputs pass through the P-box)
Si – substitution box (S-box) (look-up table); P – permutation box (P-box)
DES key scheduler
(figure: Permuted Choice 1 maps the 56-bit key K to two 28-bit halves; in each round both halves are rotated (“Left shift(s)”) and Permuted Choice 2 selects 48 bits of them to form the round key K1, K2, ...)
each key bit is used in around 14 out of 16 rounds
AES – Advanced Encryption Standard
NIST selected Rijndael (designed by Joan Daemen and Vincent Rijmen) as a successor of DES (3DES) in November 2001
Rijndael parameters
– key size:           128  192  256
– input/output size:  128  128  128
– number of rounds:    10   12   14
– round key size:     128  128  128
– not Feistel structure: the decryption algorithm is different from the encryption algorithm (optimized for encryption)
– single 8 bit to 8 bit S-box
– key injection (bitwise XOR)
General structure of Rijndael encryption/decryption
(figure, 128-bit key, 10 rounds; the expanded key w[0..43] supplies one round key per “add round key” step)
encryption (plaintext in, ciphertext out):
– add round key (w[0..3])
– round 1 to round 9: substitute bytes, shift rows, mix columns, add round key (w[4..7], ..., w[36..39])
– round 10: substitute bytes, shift rows, add round key (w[40..43])
decryption (ciphertext in, plaintext out):
– add round key (w[40..43])
– round 1 to round 9: inverse substitute bytes, inverse shift rows, inverse mix columns, add round key (w[36..39], ..., w[4..7])
– round 10: inverse substitute bytes, inverse shift rows, add round key (w[0..3])
Rijndael – Shift row and mix column
(figure: the state is a 4x4 array of bytes sij, i = row, j = column)
shift row: row 0 is unchanged; row 1 is rotated left by one byte (LROT1), row 2 by two bytes (LROT2), row 3 by three bytes (LROT3):
  s00 s01 s02 s03        s00 s01 s02 s03
  s10 s11 s12 s13   ->   s11 s12 s13 s10
  s20 s21 s22 s23        s22 s23 s20 s21
  s30 s31 s32 s33        s33 s30 s31 s32
mix column: every column (s0j, s1j, s2j, s3j) is multiplied by a fixed matrix:
$$
\begin{pmatrix} s'_{0j} \\ s'_{1j} \\ s'_{2j} \\ s'_{3j} \end{pmatrix}
=
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
\begin{pmatrix} s_{0j} \\ s_{1j} \\ s_{2j} \\ s_{3j} \end{pmatrix}
$$
multiplications and additions are performed over GF(2^8)
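Worked example of the mix column step (added here, not part of the slides): GF(2^8) multiplication with the AES reduction polynomial, the slide's matrix applied to one column, and the inverse matrix from FIPS-197, which is what makes decryption a different algorithm from encryption. The sample column is the FIPS-197 test value; the Python helpers are this example's own.

```python
"""GF(2^8) arithmetic and the Rijndael MixColumns step on one column, with the
inverse step (different matrix, hence decryption != encryption)."""

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return result

# Encryption matrix from the slide; inverse matrix from FIPS-197 (InvMixColumns).
MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def mix_column(col, matrix=MIX):
    """s'_i = XOR over j of matrix[i][j] * s_j, all arithmetic in GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, s in zip(row, col):
            acc ^= gf_mul(coef, s)
        out.append(acc)
    return out

def inv_mix_column(col):
    return mix_column(col, INV_MIX)

def mix_state(state):
    """Apply MixColumns to a whole 4x4 state given as a list of four columns."""
    return [mix_column(c) for c in state]

if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]       # FIPS-197 sample column (constructed input)
    print([hex(x) for x in mix_column(col)])        # ['0x8e', '0x4d', '0xa1', '0xbc']
```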
Rijndael – Key expansion
(figure, 128-bit key: the 16 key bytes k0, k1, ..., k15 form the first four words w0 w1 w2 w3; the next group is derived as w4 = w0 ⊕ g(w3), w5 = w1 ⊕ w4, w6 = w2 ⊕ w5, w7 = w3 ⊕ w6, then w8 = w4 ⊕ g(w7), w9 = w5 ⊕ w8, ... and so on)
function g
– rotate word
– substitute bytes
– XOR with round constant
RC4 stream cipher
initialization (input: a seed K of keylen bytes)
  for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];
initial permutation
  j = 0;
  for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    swap(S[i], S[j]);
stream generation (output: a stream of pseudo-random bytes)
  i, j = 0;
  while true
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    output S[t];
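The pseudocode above in runnable form, together with the stream-cipher model from the symmetric-key slide (ciphertext = plaintext XOR key stream); this is an added example, not code from the slides, and RC4 is shown only because the slide spells it out: it is cryptographically broken and must not be used for new systems.

```python
"""RC4 as in the slide's pseudocode: key scheduling (S, T, initial permutation),
the pseudo-random byte generator, and the XOR of that key stream with the data."""

def rc4_init(key: bytes) -> list:
    """Initialization and initial permutation: returns the permuted S-box."""
    keylen = len(key)
    if keylen == 0:
        raise ValueError("empty key")
    S = list(range(256))
    T = [key[i % keylen] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes):
    """Stream generation: yields one pseudo-random byte per call, forever."""
    S = rc4_init(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        yield S[t]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: data XOR key stream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

if __name__ == "__main__":
    # Constructed input: the well-known "Key"/"Plaintext" test vector.
    print(rc4_crypt(b"Key", b"Plaintext").hex())    # bbf316e8d940af0ad3
```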
Asymmetric key encryption
– breakthrough of Diffie and Hellman, 1976
– it is hard (computationally infeasible) to compute k’ from k
– k can be made public (public-key cryptography)
(figure: as in the operational model, E encrypts the plaintext x under the (public) encryption key k into Ek(x) and D decrypts it with the (private) decryption key k’, so that Dk’(Ek(x)) = x; the attacker observes the ciphertext)
RSA (Rivest, Shamir, Adleman, 1978)
basis
– computing x^e mod n is easy but x^(1/e) mod n is hard (n is composite)
– intractability of integer factoring
key generation
– select p, q large primes (about 500 bits each)
– n = pq, φ(n) = (p-1)(q-1)
– select e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1
– compute d such that ed mod φ(n) = 1 (this is easy if p and q are known)
– public key is (e, n)
– private key is d
encryption
  c = m^e mod n where m < n is the message
decryption
  c^d mod n = m
Proof of RSA decryption
Fermat’s theorem: Let r be a prime. If gcd(a, r) = 1, then a^(r-1) mod r = 1.
Euler’s generalization: For every a and n where gcd(a, n) = 1, a^φ(n) mod n = 1.
RSA decryption (ed mod φ(n) = 1 means ed = kφ(n) + 1 for some integer k):
$$
\begin{aligned}
c^d \bmod n &= (m^e \bmod n)^d \bmod n \\
&= m^{ed} \bmod n \\
&= m^{k\varphi(n)+1} \bmod n \\
&= m \cdot (m^{\varphi(n)})^k \bmod n \\
&= m \cdot (m^{\varphi(n)} \bmod n)^k \bmod n \qquad \text{if } \gcd(m, n) = 1 \\
&= m \bmod n = m
\end{aligned}
$$
Proof of RSA decryption cont’d
RSA decryption if gcd(m, n) > 1
– either p|m or q|m
– assume without loss of generality that p|m
– note that in this case, q|m cannot hold since otherwise m ≥ pq = n
– this means that gcd(m, q) = 1
$$
\begin{aligned}
c^d \bmod p &= m^{ed} \bmod p = 0 \\
c^d \bmod q &= m^{ed} \bmod q = m^{k(p-1)(q-1)+1} \bmod q = m \cdot (m^{q-1})^{k(p-1)} \bmod q \\
&= m \cdot (m^{q-1} \bmod q)^{k(p-1)} \bmod q = m \bmod q
\end{aligned}
$$
hence p | (c^d – m) and q | (c^d – m), so
$$
c^d - m = spq = sn, \qquad c^d = sn + m, \qquad c^d \bmod n = m \bmod n = m
$$
Cryptographic hash functions
(figure: a hash function maps a message of arbitrary length to a fixed-length message digest / hash value / fingerprint)
requirements
– one-way: given a hash value y, it is computationally infeasible to find a message x such that h(x) = y
– weak collision resistance: given a message x, it is computationally infeasible to find another message x’ such that h(x) = h(x’)
– (strong) collision resistance: it is computationally infeasible to find two messages x and x’ such that h(x) = h(x’)
How long should a hash value be?
birthday paradox
– P(n, k) = Pr{ there exists at least one duplicate among k items where each item can take on one of n equally likely values }
– P(n, k) > 1 – exp( -k(k-1)/2n )
– Q: What value of k is needed such that P(n, k) > 0.5 ?
– A: k should approximately be n^0.5
– e.g., P(365, 23) > 0.5
birthday paradox applied to hash function h
– n is the number of possible hash values
– one can find a collision among n^0.5 messages with probability greater than 0.5
– if output size of h is 64 bits, then n^0.5 is 2^32 – too small
– output size should be at least 128 but 160 is even better
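The slide's bound worked through in code (an added example, not from the slides): the lower bound on P(n, k), the smallest k that pushes it past 1/2 (solving k(k-1) = 2n ln 2, which is where the n^0.5 rule comes from), and a collision search on a hash deliberately truncated to t bits, which succeeds after on the order of 2^(t/2) messages. The truncated SHA-256 and the message labels are this example's own constructions.

```python
"""Birthday bound P(n, k) > 1 - exp(-k(k-1)/2n) from the slide, the k giving
P > 1/2, and a collision search against a hash truncated to t bits."""
import hashlib
import math

def birthday_bound(n: int, k: int) -> float:
    """Lower bound on the probability of at least one duplicate among k of n values."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def k_for_half(n: int) -> int:
    """Smallest k with the bound above 0.5: k(k-1) = 2n ln 2, i.e. about 1.18 * n^0.5."""
    k = math.ceil((1 + math.sqrt(1 + 8 * n * math.log(2))) / 2)
    while birthday_bound(n, k - 1) > 0.5:      # guard against floating-point rounding
        k -= 1
    return k

def truncated_hash(msg: bytes, bits: int) -> int:
    """A deliberately short hash: the top `bits` bits of SHA-256 (n = 2^bits values)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct messages msg-0, msg-1, ... until two share a truncated value.
    Returns (first message, second message, number of messages hashed)."""
    seen = {}
    count = 0
    while True:
        msg = b"msg-%d" % count                 # constructed, distinct messages
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg

if __name__ == "__main__":
    print(k_for_half(365), k_for_half(2 ** 64))   # 23 and a little over 2^32
    m1, m2, tries = find_collision(24)            # 2^12 = 4096 tries expected
    print(m1, m2, tries)
```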
General structure of hash functions
– if the compression function f is collision resistant, then so is the iterated hash function (Merkle and Damgård, 1989)
– if necessary, the final block is padded to b bits
– the final block also includes the total length of the input (this makes the job of an attacker more difficult)
(figure: the input X is split into b-bit blocks X1, X2, X3, ..., XL; starting from the n-bit initial value CV0, each block is compressed as CVi = f(CVi-1, Xi), giving CV1, CV2, CV3, ..., CVL-1, and the final n-bit chaining value is the hash value h(X))
SHA1 – Secure Hash Algorithm
– output size (n): 160 bits
– input block size (b): 512 bits
– padding is always used
CV0 (five 32-bit words):
  A = 67 45 23 01
  B = EF CD AB 89
  C = 98 BA DC FE
  D = 10 32 54 76
  E = C3 D2 E1 F0
(figure: the last input block of 512 bits ends with the padding 10000000 … 00000 followed by the 64-bit length of the input)
SHA1 compression function f
(figure: the 512-bit input block Xi is expanded into the words W[0..79]; the 160-bit chaining value CVi-1 (5 x 32 = 160 bits, registers A B C D E) is processed in four stages of 20 steps each, using f[0..19], K[0..19], W[0..19]; f[20..39], K[20..39], W[20..39]; f[40..59], K[40..59], W[40..59]; and f[60..79], K[60..79], W[60..79]; the resulting A B C D E are added word by word (mod 2^32 additions) to CVi-1 to give CVi)
SHA1 compression function f cont’d
(figure, one step t: the new A is LROT5(A) + f[t](B, C, D) + E + W[t] + K[t] (mod 2^32 additions); the new B is the old A; the new C is LROT30(B); the new D is the old C; the new E is the old D)
SHA1 compression function f cont’d
f[t](B, C, D)
  t = 0..19    f[t](B, C, D) = (B ∧ C) ∨ (¬B ∧ D)
  t = 20..39   f[t](B, C, D) = B ⊕ C ⊕ D
  t = 40..59   f[t](B, C, D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
  t = 60..79   f[t](B, C, D) = B ⊕ C ⊕ D
W[t]
  W[0..15] = Xi (the sixteen 32-bit words of the input block)
  t = 16..79   W[t] = LROT1(W[t-16] ⊕ W[t-14] ⊕ W[t-8] ⊕ W[t-3])
K[t]
  t = 0..19    K[t] = 5A 82 79 99   [2^30 x 2^(1/2)]
  t = 20..39   K[t] = 6E D9 EB A1   [2^30 x 3^(1/2)]
  t = 40..59   K[t] = 8F 1B BC DC   [2^30 x 5^(1/2)]
  t = 60..79   K[t] = CA 62 C1 D6   [2^30 x 10^(1/2)]
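The SHA1 slides assembled into a working hash (an added example, not code from the slides): the padding rule with the 64-bit length field, CV0, the message schedule W[t], the four f[t]/K[t] stages, the per-step register shuffle and the mod 2^32 additions of the Merkle-Damgård chaining. The result is checked against the standard library's SHA-1, so any transcription error in the constants would show up immediately.

```python
"""SHA-1 built from the slide's pieces: padding, CV0, W[t], f[t], K[t] and the
mod 2^32 additions that fold A B C D E back into the chaining value."""
import hashlib
import struct

MASK = 0xFFFFFFFF
CV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # one constant per 20-step stage

def lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(msg: bytes) -> bytes:
    """Append a 1 bit, then 0 bits, then the 64-bit message length (bits), to a 512-bit boundary."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(msg) * 8)

def f(t: int, b: int, c: int, d: int) -> int:
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40 or t >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)

def compress(cv, block: bytes):
    """Compression function f: 80 steps over one 512-bit block, then CVi = CVi-1 + (A,B,C,D,E)."""
    W = list(struct.unpack(">16I", block))               # W[0..15] = Xi
    for t in range(16, 80):
        W.append(lrot(W[t - 16] ^ W[t - 14] ^ W[t - 8] ^ W[t - 3], 1))
    a, b, c, d, e = cv
    for t in range(80):
        tmp = (lrot(a, 5) + f(t, b, c, d) + e + K[t // 20] + W[t]) & MASK
        a, b, c, d, e = tmp, a, lrot(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))

def sha1(msg: bytes) -> str:
    cv = CV0
    data = sha1_pad(msg)
    for i in range(0, len(data), 64):
        cv = compress(cv, data[i:i + 64])
    return struct.pack(">5I", *cv).hex()

def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1(msg) == hashlib.sha1(msg).hexdigest()

if __name__ == "__main__":
    print(sha1(b"abc"))        # a9993e364706816aba3e25717850c26c9cd0d89d
```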
Block cipher operation modes – ECB
Electronic Codebook (ECB)
– encrypt: Ci = EK(Pi) for i = 1, ..., N (every block independently)
– decrypt: Pi = DK(Ci)
(figure: the blocks P1, P2, ..., PN are each encrypted under K into C1, C2, ..., CN, and each Ci is decrypted under K back into Pi)
Block cipher operation modes – CBC
Cipher Block Chaining (CBC)
– encrypt: C1 = EK(P1 ⊕ IV), Ci = EK(Pi ⊕ Ci-1) for i = 2, ..., N
– decrypt: P1 = DK(C1) ⊕ IV, Pi = DK(Ci) ⊕ Ci-1 for i = 2, ..., N
(figure: each plaintext block P1, P2, P3, ..., PN is XORed with the previous ciphertext block (the IV for the first block) before encryption under K; on decryption each DK(Ci) is XORed with Ci-1 (the IV for the first block))
Block cipher operation modes – CFB
Cipher Feedback (CFB)
(figure: encrypt: an n-bit shift register, initialized with the IV, is encrypted under K; s bits of the n-bit output are selected and XORed with the s-bit plaintext unit Pi to give Ci; Ci is shifted into the register for the next unit; decrypt: the same structure (E is used, not D) produces the same s bits, which are XORed with Ci to recover Pi)
Block cipher operation modes – OFB
Output Feedback (OFB)
(figure: encrypt: as in CFB an n-bit shift register, initialized with the IV, is encrypted under K and s selected bits of the output are XORed with Pi to give Ci, but here the selected output bits (not Ci) are fed back into the shift register; decrypt: the same structure, with E, regenerates the key stream that is XORed with Ci to recover Pi)
Block cipher operation modes – CTR
Counter (CTR)
– encrypt: Ci = Pi ⊕ EK(counter + i)
– decrypt: Pi = Ci ⊕ EK(counter + i)
(figure: the n-bit value counter + i is encrypted under K and the n-bit result is XORed with the block Pi to give Ci; decryption uses the same E and XORs the result with Ci)
– advantages
  • efficiency (parallelizable)
  • random access (the i-th block can be decrypted independently of the others)
  • preprocessing (the values to be XORed with the plaintext can be pre-computed)
  • security (at least as secure as the other modes)
  • simplicity (does not need the decryption algorithm)
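An added example (not the slides' own code) that ties the DES slides to the mode slides: a toy Feistel cipher whose round function F is a keyed, non-invertible hash, with decryption being the same code under the reversed key schedule, and on top of it ECB (equal plaintext blocks give equal ciphertext blocks), CBC (chaining with an IV) and CTR (same routine for both directions, only E needed, random access). The cipher, block size and round count are this example's constructions and carry no security claim.

```python
"""A toy Feistel block cipher (DES structure: non-invertible F, decryption =
encryption with reversed key schedule) and the ECB, CBC and CTR modes on top
of it. Illustration only: this cipher is not DES and has not been analysed."""
import hashlib

BLOCK = 16      # 128-bit blocks, two 64-bit halves
ROUNDS = 8

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def F(key: bytes, r: int, half: bytes) -> bytes:
    """Round function keyed by (key, round number): a truncated SHA-256, not invertible."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def feistel(key: bytes, block: bytes, schedule) -> bytes:
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in schedule:
        L, R = R, xor(L, F(key, r, R))
    return R + L          # undo the final swap so the same code inverts itself

def E(key, block): return feistel(key, block, range(ROUNDS))
def D(key, block): return feistel(key, block, reversed(range(ROUNDS)))   # reversed schedule

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(E(key, p) for p in blocks(pt))        # equal blocks -> equal ciphertext

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                                     # pt must already be padded to BLOCK
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                        # Ci = EK(Pi xor Ci-1), C0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))                   # Pi = DK(Ci) xor Ci-1
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """CTR: Ci = Pi xor EK(counter + i); same call decrypts, needs only E, random access."""
    out = []
    for i, p in enumerate(blocks(data)):
        ks = E(key, ((counter + i) % (1 << 128)).to_bytes(BLOCK, "big"))
        out.append(xor(p, ks))
    return b"".join(out)
```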
Enveloping
– public-key encryption is slow (~1000 times slower than symmetric key encryption)
– it is mainly used to encrypt symmetric bulk encryption keys
(figure: the sender generates a random symmetric key, encrypts the plaintext message with a symmetric-key cipher (in CBC mode) under this bulk encryption key, and encrypts the bulk encryption key with an asymmetric-key cipher under the public key of the receiver; the two ciphertexts together form the digital envelope)
Message Authentication Codes (MAC)
– used to protect the integrity of messages
– also called cryptographic checksums
– computation of a MAC involves a secret (shared key)
– can be based on an encryption function E:
    Y1 = EK(X1)
    Yi = EK(Xi ⊕ Yi-1)
    MACK(X) = Ylast
– or a hash function h: MACK(X) = h(X|K)
– or both: MACK(X) = EK(h(X))
HMAC
definition
  HMACK(X) = h( (K+ ⊕ opad) | h( (K+ ⊕ ipad) | X ) )
where
– h is a hash function with input block size b and output size n
– K+ is K padded with 0s on the left to obtain a length of b bits
– ipad is 00110110 repeated b/8 times
– opad is 01011100 repeated b/8 times
– ⊕ is XOR and | is concatenation
design objectives
– to use available hash functions
– easy replacement of the embedded hash function
– preserve performance of the original hash function
– handle keys in a simple way
– allow mathematical analysis
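The HMAC definition above instantiated with SHA-1 (b = 512 bits, n = 160 bits) and checked against the standard library; an added example, not from the slides. One caveat a practitioner should know: RFC 2104 (the HMAC standard that hmac.new implements) pads K with zeros on the right, not on the left, and hashes keys longer than b first; the left-padded variant from the slide is computed as well so the two can be compared, and they agree only when K is already b bits long.

```python
"""HMAC as defined on the slide, with SHA-1, cross-checked against hmac.new."""
import hashlib
import hmac

def hmac_sha1(key: bytes, msg: bytes, pad_left: bool = False) -> bytes:
    b = hashlib.sha1().block_size                  # 64 bytes = 512 bits
    if len(key) > b:                               # RFC 2104 rule, not covered by the slide
        key = hashlib.sha1(key).digest()
    if pad_left:                                   # the slide's wording: zeros on the left
        k_plus = bytes(b - len(key)) + key
    else:                                          # RFC 2104: zeros on the right
        k_plus = key.ljust(b, b"\x00")
    ipad = bytes([0x36]) * b                       # 00110110 repeated b/8 times
    opad = bytes([0x5C]) * b                       # 01011100 repeated b/8 times
    inner = hashlib.sha1(bytes(x ^ y for x, y in zip(k_plus, ipad)) + msg).digest()
    return hashlib.sha1(bytes(x ^ y for x, y in zip(k_plus, opad)) + inner).digest()

def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """True when our RFC-style HMAC equals the standard library's (constant-time compare)."""
    return hmac.compare_digest(hmac_sha1(key, msg), hmac.new(key, msg, hashlib.sha1).digest())
```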
Digital signatures
similar to MACs but
– unforgeable by the receiver
– verifiable by a third party
used for message authentication and non-repudiation (of message origin)
based on public-key cryptography
– signature generation is based on the private key of the sender
– signature verification is based on the public key of the sender
example: RSA based digital signature
– public key: (e, n); private key: (d, n)
– signature generation (input: m; output: σ): σ(m) = m^d mod n
– signature verification (input: σ, m; output: yes/no): σ^e mod n = m ?
“Hash and sign” paradigm
– motivation: public/private key operations are slow
– approach: hash the message first and apply public/private key operations to the hash only
(figure: generation: message → h → hash → enc under the private key of the sender → signature; verification: message → h → hash, signature → dec under the public key of the sender → hash, compare the two → yes/no)
ElGamal signature scheme
key generation
– generate a large random prime p and select a generator g of Zp*
– select a random integer 0 < a < p-1
– compute A = g^a mod p
– public key: (p, g, A); private key: a
signature generation for message m
– select a random secret integer 0 < k < p – 1 such that gcd(k, p – 1) = 1
– compute k^-1 mod (p – 1)
– compute r = g^k mod p
– compute s = k^-1 ( h(m) – ar ) mod (p – 1)
– signature on m is (s, r)
ElGamal signature scheme cont’d
signature verification
– obtain the public key (p, g, A) of the signer
– verify that 0 < r < p; if not then reject the signature
– compute v1 = A^r r^s mod p
– compute v2 = g^h(m) mod p
– accept the signature iff v1 = v2
proof that signature verification works
$$
\begin{aligned}
s &\equiv k^{-1}\,(h(m) - ar) \pmod{p-1} \\
ks &\equiv h(m) - ar \pmod{p-1} \\
h(m) &\equiv ks + ar \pmod{p-1} \\
g^{h(m)} &\equiv g^{ar+ks} \equiv (g^a)^r (g^k)^s \equiv A^r r^s \pmod{p}
\end{aligned}
$$
thus, v1 = v2 is required
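The two ElGamal slides step by step as an added example (not the slides' code): key generation, signing with a fresh k that is invertible mod p – 1, and verification including the 0 < r < p range check the slide requires. The parameters p = 467, g = 2 (taken as the generator of Z_467*, not verified here) and a = 127 are textbook toy values, and h is SHA-256 by assumption, since the slide leaves h unspecified.

```python
"""ElGamal signatures following the slide: keygen, sign (s, r), verify v1 == v2."""
import hashlib
import secrets
from math import gcd

def h(m: bytes) -> int:
    """Message hash as an integer (SHA-256 chosen here; the slide leaves h open)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def keygen(p: int, g: int, a: int):
    if not 0 < a < p - 1:
        raise ValueError("private key a must satisfy 0 < a < p-1")
    return (p, g, pow(g, a, p)), a              # public (p, g, A), private a

def sign(pub, a: int, m: bytes, k: int = None):
    """k must be secret, fresh per signature, and invertible mod p-1 (reusing k leaks a)."""
    p, g, _ = pub
    if k is None:
        while True:
            k = 1 + secrets.randbelow(p - 2)    # 0 < k < p-1
            if gcd(k, p - 1) == 1:
                break
    if not (0 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must be invertible mod p-1")
    r = pow(g, k, p)
    s = (pow(k, -1, p - 1) * (h(m) - a * r)) % (p - 1)
    return s, r

def verify(pub, m: bytes, sig) -> bool:
    p, g, A = pub
    s, r = sig
    if not 0 < r < p:                           # the slide's range check
        return False
    v1 = (pow(A, r, p) * pow(r, s, p)) % p
    v2 = pow(g, h(m), p)
    return v1 == v2

if __name__ == "__main__":
    pub, a = keygen(467, 2, 127)                # constructed toy parameters
    sig = sign(pub, a, b"hello")
    print(pub, sig, verify(pub, b"hello", sig))
```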
How to establish a shared symmetric key?
manually
– pairwise symmetric keys are established manually
– inflexible and doesn’t scale
with symmetric-key cryptography
– long-term symmetric keys are established manually between each user and a Key Distribution Center (KDC)
– cryptographic protocols that use these long-term keys are used to set up short-term (session) keys
– the KDC must be fully trusted
with asymmetric-key cryptography
– the symmetric key is encrypted with the public key of the intended receiver
– how to obtain an authentic copy of the public key of the receiver?
The Wide-Mouth-Frog protocol
(figure: A generates Kab and sends A, { B, Kab, Ta }Kas to S; S sends { A, Kab, Ts }Kbs to B)
a vulnerability
(figure: M, impersonating A and B, replays S’s own messages back to S and keeps getting fresh timestamps: M → S: B, { A, Kab, Ts }Kbs; S → M: { B, Kab, Ts’ }Kas; M → S: A, { B, Kab, Ts’ }Kas; S → M: { A, Kab, Ts’’ }Kbs; ... ; { A, Kab, Ts(n) }Kbs)
The Needham-Schroeder protocol (1978)
(figure: 1. A → S: A, B, Na; 2. S → A: { Na, B, Kab, {Kab, A}Kbs }Kas, where S generates Kab; 3. A → B: { Kab, A }Kbs; 4. B → A: { Nb }Kab; 5. A → B: { Nb - 1 }Kab)
Denning and Sacco attack (1981)
– message 3 doesn’t contain anything fresh for B
– an attacker can cryptanalyze an old session key Kab and replay message 3 to B
– the attacker can finish the protocol
– B will think he shares a key Kab with A, but A is not involved at all
Public-key Needham-Schroeder (1978)
(figure: 1. A → B: { A, Na }Kb; 2. B → A: { Na, Nb }Ka; 3. A → B: { Nb }Kb)
since Na and Nb are known only to A and B, one may suggest that they can generate a key as f(Na, Nb)
Lowe’s attack (1995)
(figure: A runs the protocol with M while M runs it with B in A’s name: A → M: { A, Na }Km; M → B: { A, Na }Kb; B → M: { Na, Nb }Ka, forwarded as M → A: { Na, Nb }Ka; A → M: { Nb }Km; M → B: { Nb }Kb)
Diffie-Hellman key exchange (1976)
Initially known: p large prime, g generator of Zp*
(figure, Alice and Bob:
  Alice: generate random number 0 < a < p-1 and calculate A = g^a mod p; send A to Bob
  Bob: generate random number 0 < b < p-1 and calculate B = g^b mod p; send B to Alice
  Alice: calculate K = B^a mod p = g^ab mod p
  Bob: calculate K = A^b mod p = g^ab mod p)
Man-in-the-middle attack
consider the following protocol
(figure: A → B: A, Ka; B → A: { message }Ka)
the MiM attack
(figure: A → M: A, Ka; M → B: A, Km; B → M: { message }Km; M → A: { message }Ka)
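The Diffie-Hellman exchange from the slide in code, plus a run in which a middle party substitutes its own public value in both directions, so that Alice and Bob each end up sharing a key with M rather than with each other; this is an added example, not from the slides, and it illustrates why the exchanged values need authentication (signatures or certificates, the topic of the following slides). p = 23 and g = 5 are toy parameters chosen for readability; the public-value range check is this example's own addition.

```python
"""Diffie-Hellman as on the slide, with a toy prime, and the mismatch that an
unauthenticated exchange leaves behind when the public values are substituted."""
import secrets

P, G = 23, 5        # toy parameters: 5 generates Z_23^*; real use needs p of 2048+ bits

def dh_keypair(p: int = P, g: int = G, rand=secrets.randbelow):
    """Private exponent 0 < x < p-1 and the public value g^x mod p."""
    x = 1 + rand(p - 2)
    return x, pow(g, x, p)

def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """K = (their public)^(my private) mod p, rejecting degenerate values 0, 1, p-1."""
    if not 1 < their_public < p - 1:
        raise ValueError("bad public value")
    return pow(their_public, my_private, p)

def honest_exchange(a: int, b: int):
    """Alice (a) and Bob (b) exchange A and B; both compute g^ab mod p."""
    A, B = pow(G, a, P), pow(G, b, P)
    return dh_shared(B, a), dh_shared(A, b)

def mitm_exchange(a: int, b: int, m: int):
    """M replaces A and B on the wire with its own value g^m mod p.
    Returns (Alice's key, Bob's key, M's key with Alice, M's key with Bob)."""
    A, B, Mv = pow(G, a, P), pow(G, b, P), pow(G, m, P)
    alice_key = dh_shared(Mv, a)        # Alice believes Mv came from Bob
    bob_key = dh_shared(Mv, b)          # Bob believes Mv came from Alice
    return alice_key, bob_key, dh_shared(A, m), dh_shared(B, m)

if __name__ == "__main__":
    print(honest_exchange(6, 15))       # (2, 2): both sides agree
    print(mitm_exchange(6, 15, 3))      # Alice's and Bob's keys differ; M holds both
```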
Public-key certificates
a certificate is a data structure that contains
– the public key
– name of the owner of the public key
– name of the issuer
– date of issuing
– expiration date
– possibly other data
– signature of the issuer
issuers are usually trusted third parties called Certification Authorities (CA)
– need not be on-line
certificates are distributed through on-line databases called Certificate Directories
– need not be trusted
Single CA
– every public key is certified by a single CA
– each user knows the public key of the CA
– each user can verify every certificate
– note: the CA must be trusted for issuing correct certificates
– problem: doesn’t scale
(figure: one CA certifying the keys of all users)
Certificate chains
– first certificate can be verified with a known public key
– each further certificate can be verified with the public key from the previous certificate
– last certificate contains the target key (Bob’s public key)
– note: every issuer in the chain must be trusted (CA0, CA1, CA2)
(figure: starting from the known key KCA0: the certificate of CA1 contains KCA1 and is signed with KCA0^-1; the certificate of CA2 contains KCA2 and is signed with KCA1^-1; Bob’s certificate contains KBob and is signed with KCA2^-1)
CA structures
(figure: a hierarchy with root CA0; its children CA1, CA2, CA3; and below them CA11, CA12, CA23, CA31, CA32; Alice and Bob are certified by CAs at the bottom of the hierarchy)
– each user knows the public key of the root CA0
CA structures cont’d
(figure: the same hierarchy)
– each user knows the public key of its local CA