computer network security...key exchange ìinsecure communica-ons channel ì eve can see everything!...
TRANSCRIPT
![Page 1: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/1.jpg)
ìComputer Network SecurityCOMP 178 | Spring 2021 | University of the Pacific | Jeff Shafer
Cryptography:Key Exchange,
Public Key Cryptography,Authen8ca8on
![Page 2: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/2.jpg)
ìKey Exchange
Spring 2021Computer Network Security
2
![Page 3: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/3.jpg)
Challenge – Exchanging Keys
Spring 2021Computer Network Security
3
🙋
👨⚕ 👳
👩💻
👨🏭
👨🎤 𝐸𝑥𝑐ℎ𝑎𝑛𝑔𝑒𝑠 =𝑛 𝑛 − 1
2 =)6(6 − 1
2 = 15
The more par@es in communica@on, the more keys that need to be securely exchanged
Do we have to use out-of-band methods? (e.g., phone?)
![Page 4: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/4.jpg)
Key Exchange
ì Insecure communica-ons channelì Eve can see everything!
ì Alice and Bob agree on a shared secret (“key”) that Eve doesn’t knowì Despite Eve seeing
everything!
Spring 2021Computer Network Security
4
🙋(alice)
👨💼(bob)
😈(eve)
![Page 5: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/5.jpg)
Spring 2021Computer Network Security
5
Proposed public key cryptography.Diffie-Hellman key exchange.
Whitfield Diffie and Martin Hellman, “New directions in cryptography,” in IEEE Transactions on Information Theory, vol. 22, no. 6, Nov 1976.
![Page 6: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/6.jpg)
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
6
(1) It’s easy to mix two colors: + =
(2) Mixing two or more colors in a different order results in the same color:
+ + =
+ + =
(3) Mixing colors is one-way(Impossible to determine which colors went in to produce final result)
https://www.crypto101.io/
![Page 7: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/7.jpg)
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
7
🙋(alice)
👨💼(bob)
😈(eve)
(1) Start with public color ▇ – share across network(2) Alice picks secret color ▇ and mixes it to get ▇(3) Bob picks secret color ▇ and mixes it to get ▇
+
=
Mix
+
=
Mix
🔐 🔐
![Page 8: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/8.jpg)
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
8
🙋(alice)
👨💼(bob)
😈(eve)
(4) Alice and Bob exchange their mixed colors (▇,▇)(5) Eve will see the mixed colors too (▇,▇)(6) Alice adds her secret color ▇ to Bob’s mix ▇ = ▇(7) Bob adds his secret color ▇ to Alice’s mix ▇ = ▇
Mix Mix
🔐 🔐
==Eve can’t calculate ▇ !!
(secret keys were never shared)
![Page 9: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/9.jpg)
Diffie-Hellman Color Analogy
Spring 2021Computer Network Security
9
🙋(alice)
👨💼(bob)
🔐
🔐 Mix
Mix
=+
+
(order doesn’t matter)
=
=
![Page 10: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/10.jpg)
Diffie-Hellman Math
Spring 2021Computer Network Security
10
𝑦 ≡ (𝑔!) 𝑚𝑜𝑑 (𝑝)
y is defined as equal to gx modulo pp = prime number (modulus)g = base integerx = random integer
Assump&on: Compu&ng y is easy!But compu&ng x given y, g, and p is very hard!
Discrete Logarithm Problem
![Page 11: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/11.jpg)
Diffie-Hellman Math
Spring 2021Computer Network Security
11
🙋(alice)
👨💼(bob)
+
=
Mix
+
=
Mix
🔐 🔐
(1) Public color ▇ is a large prime number p and base g(2) Alice secret color ▇ is random integer rA(3) Bob secret color ▇ is random integer rB(4) Alice mixed color ▇ is mA(5) Bob mixed color ▇ is mB(6) Exchange mA and mB
𝑚! ≡ (𝑔"!) 𝑚𝑜𝑑 (𝑝)𝑚# ≡ (𝑔"") 𝑚𝑜𝑑 (𝑝)
![Page 12: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/12.jpg)
Diffie-Hellman Math
Spring 2021Computer Network Security
12
🙋(alice)
👨💼(bob)
🔐
🔐 Mix
Mix+
+
=
=
𝑠# ≡ 𝑚!"" 𝑚𝑜𝑑 (𝑝)
𝑠* = 𝑠+
𝑠! ≡ 𝑚#"! 𝑚𝑜𝑑 (𝑝)
![Page 13: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/13.jpg)
Diffie-Hellman Math
ì Doesn’t have to be modular divisionì Could be ellip,c curvesì Could be supersingular isogeny key exchangeì Could be <other math words>…
Spring 2021Computer Network Security
13
![Page 14: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/14.jpg)
ìPublic Key Cryptography
Spring 2021Computer Network Security
14
![Page 15: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/15.jpg)
Public Key Cryptography
ì Asymmetric cryptography
ì Sending data to Alice?ì Use her public Key
ì Alice receives your data?ì She decrypts it with her private key
Spring 2021Computer Network Security
15
![Page 16: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/16.jpg)
Spring 2021Computer Network Security
16
RSA encryp@on methodFirst public key method
Ron L. Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM (February 1978)
![Page 17: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/17.jpg)
Public-Key Algorithms
ì Key exchange algorithmsì Allows two parties to agree on a shared secret across an
insecure mediumì Example: Diffie-Hellman
ì Encryption algorithmsì Allows sender to encrypt without having to agree first on
a shared secretì Example: RSA
ì Signature algorithmsì Allows sender to sign information using sender’s private
key and receiver to validate using sender’s public key
Spring 2021Computer Network Security
17
![Page 18: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/18.jpg)
Public-Key Encryption
Spring 2021Computer Network Security
18
Public key encryption is awesome!
Should we use it everywhere?
![Page 19: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/19.jpg)
Caveat – Performance
ì Rarely use public key encryption by itself
ì Reasons:ì Size (RSA can’t encrypt anything larger than its modulus,
i.e. 4096 bits)ì Performance
ì RSA 2048 encryption: 0.08 megacycles/operation (256B)ì RSA 2048 decryption: 3.25 megacycles/operationì AES-GCM: 2-4 cycles per byte
ì https://www.cryptopp.com/benchmarks.html
Spring 2021Computer Network Security
19
Hybrid cryptosystem – Use public-key algorithms to coordinate keys, and then use symmetric ciphers (shared key) for bulk opera@ons
![Page 20: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/20.jpg)
ìAuthenticated Encryption
Spring 2021Computer Network Security
20
![Page 21: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/21.jpg)
Motivation
Spring 2021Computer Network Security
21
What if the a<acker ac)vely manipulatesdata instead of passively observing it?
![Page 22: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/22.jpg)
Motivation
Spring 2021Computer Network Security
22
🙋(alice)
👨💼(bob)
😈(eve
pretending to be bob)
How do we protect against this scenario?
😈(eve
pretending to be alice)
DH Exchange DH Exchange
🙋(alice)
👨💼(bob)
😈(eve)
Cease fire!
SDFJKWERVHU
Cease fire! Attack at Dawn!
KJFSDEROIXCVK
Attack at Dawn!
![Page 23: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/23.jpg)
Warning!
Spring 2021Computer Network Security
23
Encryption without authentication is almost certainly wrong…
Attackers don’t need to decrypt to modify ciphertext
![Page 24: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/24.jpg)
Authentication
ì Goal: Add information to message that only the real sender (not Eve!) could have computed
ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key
ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and
verified with public key
Spring 2021Computer Network Security
24
![Page 25: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/25.jpg)
Message Authentication Code (MAC)
ì Small piece of information used to verify message integrity / authenticity (“Tag”)
ì Key is shared secret between Alice and Bob
Spring 2021Computer Network Security
25
Message(arbitrarylength ciphertextor plaintext)
K
MAC
(Secret key)
Tag(fixed length)
Message
K
MAC
(Secret key)
Tag
Valid?
🙋(Sender)
👨💼(Receiver)
![Page 26: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/26.jpg)
Message Authentication Code (MAC)
ì Authen2cate and Encryptì Used by SSHì Authen?cate and
encrypt plaintext separately
ì C = E(KC ,P) and t=MAC(KM ,P)
ì Send C and t
Spring 2021Computer Network Security
26
How to combine ciphertext with a MAC?
![Page 27: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/27.jpg)
Message Authentication Code (MAC)
ì Authenticate, then Encryptì Used by TLSì Authenticate plaintext, then
encrypt {plaintext, tag}ì t=MAC(KM ,P) thenì C = E(KC , {P|t})ì Send C (t is part of C)
Spring 2021Computer Network Security
27
How to combine ciphertext with a MAC?
![Page 28: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/28.jpg)
Message Authentication Code (MAC)
ì Encrypt, then Authen2cate ì Used by IPSecì Standard ISO/IEC 19772:2009ì Encrypt plaintext, then
authen?cate ciphertextì C = E(KC , P) then
t=MAC(KM ,C)ì Send C and t
Spring 2021Computer Network Security
28
How to combine ciphertext with a MAC?
![Page 29: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/29.jpg)
Message Authentication Code (MAC)
ì Which to choose?ì Authen?cate and Encryptì Authen?cate, then Encryptì Encrypt, then Authen?cate
ì Consider what the receiver does to reverse process
ì When you receive a message, the very first thingyou do should be to authenJcate itì Anything else risks CERTAIN DOOM (eventually)
Spring 2021Computer Network Security
29
How to combine ciphertext with a MAC?
– Modern Best Practice
h"ps://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
![Page 30: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/30.jpg)
AEAD
ì We can do beKer sJll! What if authenJcaJon was part of our encrypJon scheme, and not a separate step?
ì Authen2cated Encryp2on with Associated Data (AEAD)ì Messages have two parts – example: emails
ì Content (encrypt!)ì Metadata (authenMcate, but plaintext)
Spring 2021Computer Network Security
31
A E
EncryptedAuthenticated
![Page 31: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/31.jpg)
AEAD Modes
ì Galois Counter Mode (GCM) – Good!ì Not patent encumberedì SSH, TLS 1.2, OpenVPNì Standardized in ISO/IEC 19772:2009ì Can be used by itself (authentication-only): GMAC
ì Many other AEAD modesì EAX, OCB 2.0, CCM, Key Wrap, …
Spring 2021Computer Network Security
32
![Page 32: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/32.jpg)
Modes of Operation
Encryp'on-OnlyNo Authen'ca'on
ì Counter (CTR) – Best!
ì Cipher Block Chaining (CBC) – Good
ì Electronic Code Book (ECB)– Don’t use!
ì Also ran: CFB, OFB, XTS, …
MACs – Message Integrity Only, No Encryp'on
ì GMAC - Good
ì HMAC – Goodì But why are you just
authenticating and not encrypting?
ì Also ran: ALG1-6, CMAC
Spring 2021Computer Network Security
33
Remember our Block Cipher Modes of Operation?
![Page 33: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/33.jpg)
Modes of Operation
Authenticated Encryption (Encrypt + Auth)
ì GCM – Good!
ì CCM – Good!
ì Also-ran: EAX, OCB 2.0, Key Wrap, …
Spring 2021Computer Network Security
34
Remember our Block Cipher Modes of Operation?
![Page 34: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/34.jpg)
Repeating the Warning…
Spring 2021Computer Network Security
35
Encryption without authentication is almost certainly wrong…
A8ackers don’t need to decrypt to modify ciphertext
![Page 35: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/35.jpg)
Authentication
ì Goal: Add information to message that only the real sender (not Eve!) could have computed
ì Authentication for symmetric-key encryptionì “Message Authentication Codes”ì MACs are generated and verified with the same key
ì Authentication for public-key encryptionì “Signatures”ì Signatures are generated with private key and
verified with public key
Spring 2021Computer Network Security
36
![Page 36: Computer Network Security...Key Exchange ìInsecure communica-ons channel ì Eve can see everything! ìAlice and Bob agree on a shared secret (“key”) that Eve doesn’t know ì](https://reader035.vdocuments.site/reader035/viewer/2022081621/61280c5dcbde80727e1eb8c5/html5/thumbnails/36.jpg)
Signatures
ì RSA-based signatures
ì Digital Signal Algorithm (DSA)
ì Elliptic Curve Digital Signature Algorithm (ECSDA)
Spring 2021Computer Network Security
37