computer network security...key exchange ìinsecure communica-ons channel ì eve can see everything!...

ìComputer Network SecurityCOMP 178 | Spring 2021 | University of the Pacific | Jeff Shafer

Cryptography:Key Exchange,

Public Key Cryptography,Authen8ca8on

ìKey Exchange

Spring 2021Computer Network Security

2

Challenge – Exchanging Keys


3

🙋

👨⚕ 👳

👩💻

👨🏭

👨🎤 𝐸𝑥𝑐ℎ𝑎𝑛𝑔𝑒𝑠 =𝑛 𝑛 − 1

2 =)6(6 − 1

2 = 15

The more par@es in communica@on, the more keys that need to be securely exchanged

Do we have to use out-of-band methods? (e.g., phone?)

Key Exchange

ì Insecure communica-ons channelì Eve can see everything!

ì Alice and Bob agree on a shared secret (“key”) that Eve doesn’t knowì Despite Eve seeing

everything!


4

🙋(alice)

👨💼(bob)

😈(eve)


5

Proposed public key cryptography.Diffie-Hellman key exchange.

Whitfield Diffie and Martin Hellman, “New directions in cryptography,” in IEEE Transactions on Information Theory, vol. 22, no. 6, Nov 1976.

Diffie-Hellman Color Analogy


6

(1) It’s easy to mix two colors: + =

(2) Mixing two or more colors in a different order results in the same color:

+ + =

+ + =

(3) Mixing colors is one-way(Impossible to determine which colors went in to produce final result)

https://www.crypto101.io/

https://www.crypto101.io/



7

🙋(alice)

👨💼(bob)

😈(eve)

(1) Start with public color ▇ – share across network(2) Alice picks secret color ▇ and mixes it to get ▇(3) Bob picks secret color ▇ and mixes it to get ▇

+

=

Mix

+

=

Mix

🔐 🔐



8

🙋(alice)

👨💼(bob)

😈(eve)

(4) Alice and Bob exchange their mixed colors (▇,▇)(5) Eve will see the mixed colors too (▇,▇)(6) Alice adds her secret color ▇ to Bob’s mix ▇ = ▇(7) Bob adds his secret color ▇ to Alice’s mix ▇ = ▇

Mix Mix

🔐 🔐

==Eve can’t calculate ▇ !!

(secret keys were never shared)



9

🙋(alice)

👨💼(bob)

🔐

🔐 Mix

Mix

=+

+

(order doesn’t matter)

=

=

Diffie-Hellman Math


10

𝑦 ≡ (𝑔!) 𝑚𝑜𝑑 (𝑝)

y is defined as equal to gx modulo pp = prime number (modulus)g = base integerx = random integer

Assump&on: Compu&ng y is easy!But compu&ng x given y, g, and p is very hard!

Discrete Logarithm Problem

Diffie-Hellman Math


11

🙋(alice)

👨💼(bob)

+

=

Mix

+

=

Mix

🔐 🔐

(1) Public color ▇ is a large prime number p and base g(2) Alice secret color ▇ is random integer rA(3) Bob secret color ▇ is random integer rB(4) Alice mixed color ▇ is mA(5) Bob mixed color ▇ is mB(6) Exchange mA and mB

𝑚! ≡ (𝑔"!) 𝑚𝑜𝑑 (𝑝)𝑚# ≡ (𝑔"") 𝑚𝑜𝑑 (𝑝)

Diffie-Hellman Math


12

🙋(alice)

👨💼(bob)

🔐

🔐 Mix

Mix+

+

=

=

𝑠# ≡ 𝑚!"" 𝑚𝑜𝑑 (𝑝)

𝑠* = 𝑠+

𝑠! ≡ 𝑚#"! 𝑚𝑜𝑑 (𝑝)

Diffie-Hellman Math

ì Doesn’t have to be modular divisionì Could be ellip,c curvesì Could be supersingular isogeny key exchangeì Could be <other math words>…


13

ìPublic Key Cryptography


14

Public Key Cryptography

ì Asymmetric cryptography

ì Sending data to Alice?ì Use her public Key

ì Alice receives your data?ì She decrypts it with her private key


15


16

RSA encryp@on methodFirst public key method

Ron L. Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM (February 1978)

Public-Key Algorithms

ì Key exchange algorithmsì Allows two parties to agree on a shared secret across an

insecure mediumì Example: Diffie-Hellman

ì Encryption algorithmsì Allows sender to encrypt without having to agree first on

a shared secretì Example: RSA

ì Signature algorithmsì Allows sender to sign information using sender’s private

key and receiver to validate using sender’s public key


17

Public-Key Encryption


18

Public key encryption is awesome!

Should we use it everywhere?

Caveat – Performance

ì Rarely use public key encryption by itself

ì Reasons:ì Size (RSA can’t encrypt anything larger than its modulus,

i.e. 4096 bits)ì Performance

ì RSA 2048 encryption: 0.08 megacycles/operation (256B)ì RSA 2048 decryption: 3.25 megacycles/operationì AES-GCM: 2-4 cycles per byte

ì https://www.cryptopp.com/benchmarks.html


19

Hybrid cryptosystem – Use public-key algorithms to coordinate keys, and then use symmetric ciphers (shared key) for bulk opera@ons

https://www.cryptopp.com/benchmarks.html

ìAuthenticated Encryption


20

Motivation


21

What if the a<acker ac)vely manipulatesdata instead of passively observing it?

Motivation


22

🙋(alice)

👨💼(bob)

😈(eve

pretending to be bob)

How do we protect against this scenario?

😈(eve

pretending to be alice)

DH Exchange DH Exchange

🙋(alice)

👨💼(bob)

😈(eve)

Cease fire!

SDFJKWERVHU

Cease fire! Attack at Dawn!

KJFSDEROIXCVK

Attack at Dawn!

Warning!


23

Encryption without authentication is almost certainly wrong…

Attackers don’t need to decrypt to modify ciphertext

Authentication

ì Goal: Add information to message that only the real sender (not Eve!) could have computed

ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key

ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and

verified with public key


24

Message Authentication Code (MAC)

ì Small piece of information used to verify message integrity / authenticity (“Tag”)

ì Key is shared secret between Alice and Bob


25

Message(arbitrarylength ciphertextor plaintext)

K

MAC

(Secret key)

Tag(fixed length)

Message

K

MAC

(Secret key)

Tag

Valid?

🙋(Sender)

👨💼(Receiver)


ì Authen2cate and Encryptì Used by SSHì Authen?cate and

encrypt plaintext separately

ì C = E(KC ,P) and t=MAC(KM ,P)

ì Send C and t


26

How to combine ciphertext with a MAC?


ì Authenticate, then Encryptì Used by TLSì Authenticate plaintext, then

encrypt {plaintext, tag}ì t=MAC(KM ,P) thenì C = E(KC , {P|t})ì Send C (t is part of C)


27



ì Encrypt, then Authen2cate ì Used by IPSecì Standard ISO/IEC 19772:2009ì Encrypt plaintext, then

authen?cate ciphertextì C = E(KC , P) then

t=MAC(KM ,C)ì Send C and t


28



ì Which to choose?ì Authen?cate and Encryptì Authen?cate, then Encryptì Encrypt, then Authen?cate

ì Consider what the receiver does to reverse process

ì When you receive a message, the very first thingyou do should be to authenJcate itì Anything else risks CERTAIN DOOM (eventually)


29


– Modern Best Practice

h"ps://moxie.org/2011/12/13/the-cryptographic-doom-principle.html

https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html

AEAD

ì We can do beKer sJll! What if authenJcaJon was part of our encrypJon scheme, and not a separate step?

ì Authen2cated Encryp2on with Associated Data (AEAD)ì Messages have two parts – example: emails

ì Content (encrypt!)ì Metadata (authenMcate, but plaintext)


31

A E

EncryptedAuthenticated

AEAD Modes

ì Galois Counter Mode (GCM) – Good!ì Not patent encumberedì SSH, TLS 1.2, OpenVPNì Standardized in ISO/IEC 19772:2009ì Can be used by itself (authentication-only): GMAC

ì Many other AEAD modesì EAX, OCB 2.0, CCM, Key Wrap, …


32

Modes of Operation

Encryp'on-OnlyNo Authen'ca'on

ì Counter (CTR) – Best!

ì Cipher Block Chaining (CBC) – Good

ì Electronic Code Book (ECB)– Don’t use!

ì Also ran: CFB, OFB, XTS, …

MACs – Message Integrity Only, No Encryp'on

ì GMAC - Good

ì HMAC – Goodì But why are you just

authenticating and not encrypting?

ì Also ran: ALG1-6, CMAC


33

Remember our Block Cipher Modes of Operation?

Modes of Operation

Authenticated Encryption (Encrypt + Auth)

ì GCM – Good!

ì CCM – Good!

ì Also-ran: EAX, OCB 2.0, Key Wrap, …


34

Remember our Block Cipher Modes of Operation?

Repeating the Warning…


35

Encryption without authentication is almost certainly wrong…

A8ackers don’t need to decrypt to modify ciphertext

Authentication

ì Goal: Add information to message that only the real sender (not Eve!) could have computed

ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key

ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and

verified with public key


36

Signatures

ì RSA-based signatures

ì Digital Signal Algorithm (DSA)

ì Elliptic Curve Digital Signature Algorithm (ECSDA)


37

computer network security...key exchange ìinsecure communica-ons channel ì eve can see everything!...

Documents