COMP4109 : Applied Cryptography

Size: px

Start display at page:

Download "COMP4109 : Applied Cryptography"

Lee Harper
6 years ago
Views:

1 COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University

2 Applied Cryptography Day 11 public-key cryptography Die-Hellman some math some problems 2

3 how to share a secret? private-key cryptography works private-key cryptography is generally fast private-key cryptography requires shared secrets how do we share the secrets? 3

4 how to share a secret? private-key cryptography works private-key cryptography is generally fast private-key cryptography requires shared secrets how do we share the secrets? 3

5 Die-Hellman Die-Hellman key exchange roulette Joseph Hobson Jagger poker Citigal Netscape Wagner and Goldberg 4

6 Roulette Joseph Hobson Jagger The Man who broke the bank at Monte Carlo magic numbers 7, 8, 9, 17, 18, 19, 22, 28, 29 in 1875 took away the equivalent of $6,000,000 5

7 Pseudorandom Numbers true random numbers are expensive to obtain use pseudorandom numbers instead use a pseudorandom number generator PRNG deterministic algorithm uses a small truly random seed to generate a large amount of pseudorandom numbers 6

8 Poker Citigal software security consulting ASF Software Inc. shuing algorithm for online poker 7

9 Poker procedure TDeck.Shuffle; var ctr: Byte; tmp: Byte; random_number: Byte; begin { Fill the deck with unique cards } for ctr := 1 to 52 do Card[ctr] := ctr; { Generate a new seed based on the system clock } randomize; { Randomly rearrange each card } for ctr := 1 to 52 do begin random_number := random(51)+1; tmp := card[random_number]; card[random_number] := card[ctr]; card[ctr] := tmp; end; CurrentCard := 1; JustShuffled := True; end; 8

10 Poker procedure TDeck.Shuffle; var ctr: Byte; tmp: Byte; random_number: Byte; begin { Fill the deck with unique cards } for ctr := 1 to 52 do Card[ctr] := ctr; { Generate a new seed based on the system clock } randomize; { Randomly rearrange each card } for ctr := 1 to 52 do begin random_number := random(51)+1; tmp := card[random_number]; card[random_number] := card[ctr]; card[ctr] := tmp; end; CurrentCard := 1; JustShuffled := True; end; 9

11 Poker procedure TDeck.Shuffle; var ctr: Byte; tmp: Byte; random_number: Byte; begin { Fill the deck with unique cards } for ctr := 1 to 52 do Card[ctr] := ctr; { Generate a new seed based on the system clock } randomize; { Randomly rearrange each card } for ctr := 1 to 52 do begin random_number := random(51)+1; tmp := card[random_number]; card[random_number] := card[ctr]; card[ctr] := tmp; end; CurrentCard := 1; JustShuffled := True; end; 10

12 Poker procedure TDeck.Shuffle; var ctr: Byte; tmp: Byte; random_number: Byte; begin { Fill the deck with unique cards } for ctr := 1 to 52 do Card[ctr] := ctr; { Generate a new seed based on the system clock } randomize; { Randomly rearrange each card } for ctr := 1 to 52 do begin random_number := random(51)+1; tmp := card[random_number]; card[random_number] := card[ctr]; card[ctr] := tmp; end; CurrentCard := 1; JustShuffled := True; end; 11

13 Poker Citigal 52! possible shued decks (51! when you don't move the last card) 2 32 possible decks when you use 32-bit "random" number 2 26 possible seeds 86,4000, milliseconds in a day possible seeds allowed to sync with clock of server 12

14 Poker Citigal 13

15 Netscape random numbers and SSL David Wagner and Ian Goldberg (from WEP break) 1995 Netscape creates SSL for secure communication 14

16 Netscape RNG_GenerateRandomBytes() x = MD5(seed); seed = seed + 1; return x; global variable challenge, secret_key; create_key() RNG_CreateContext(); tmp = RNG_GenerateRandomBytes(); tmp = RNG_GenerateRandomBytes(); challenge = RNG_GenerateRandomBytes(); secret_key = RNG_GenerateRandomBytes(); 15

17 Netscape global variable seed; RNG_CreateContext() (seconds, microseconds) = time of day; /* since 1970 */ pid = process ID; ppid = parent process ID; a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid << 12)); seed = MD5(a, b); /* 128-bits */ mklcpr(x) /* not cryptographically significant; */ return ((0xDEECE66D * x + 0x2BBB62DC) >> 1); MD5() /* a very good standard mixing function */ 16

18 Netscape global variable seed; RNG_CreateContext() (seconds, microseconds) = time of day; /* since 1970 */ pid = process ID; ppid = parent process ID; a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid << 12)); seed = MD5(a, b); /* 128-bits */ mklcpr(x) /* not cryptographically significant; */ return ((0xDEECE66D * x + 0x2BBB62DC) >> 1); MD5() /* a very good standard mixing function */ 17

19 Netscape a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid 12)); seed = MD5(a,b); seconds, microseconds each 32-bits, pid, ppid each 16-bits 2 96 bits at best (remember MD5 outputs 128-bits) there are only 1,000,000 microseconds a = mklcpr(microseconds) has about 2 20 values (not 2 32 ) pid is not a secret (and ppid is often 1) if you on the same machine ps send invalid and check the bounce time on machine can be recovered packet sning reveals time 18

20 Netscape a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid 12)); seed = MD5(a,b); seconds, microseconds each 32-bits, pid, ppid each 16-bits 2 96 bits at best (remember MD5 outputs 128-bits) there are only 1,000,000 microseconds a = mklcpr(microseconds) has about 2 20 values (not 2 32 ) pid is not a secret (and ppid is often 1) if you on the same machine ps send invalid and check the bounce time on machine can be recovered packet sning reveals time 18

21 Netscape a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid 12)); seed = MD5(a,b); seconds, microseconds each 32-bits, pid, ppid each 16-bits 2 96 bits at best (remember MD5 outputs 128-bits) there are only 1,000,000 microseconds a = mklcpr(microseconds) has about 2 20 values (not 2 32 ) pid is not a secret (and ppid is often 1) if you on the same machine ps send invalid and check the bounce time on machine can be recovered packet sning reveals time 18

22 Netscape a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid 12)); seed = MD5(a,b); seconds, microseconds each 32-bits, pid, ppid each 16-bits 2 96 bits at best (remember MD5 outputs 128-bits) there are only 1,000,000 microseconds a = mklcpr(microseconds) has about 2 20 values (not 2 32 ) pid is not a secret (and ppid is often 1) if you on the same machine ps send invalid and check the bounce time on machine can be recovered packet sning reveals time 18

23 Netscape a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid 12)); seed = MD5(a,b); seconds, microseconds each 32-bits, pid, ppid each 16-bits 2 96 bits at best (remember MD5 outputs 128-bits) there are only 1,000,000 microseconds a = mklcpr(microseconds) has about 2 20 values (not 2 32 ) pid is not a secret (and ppid is often 1) if you on the same machine ps send invalid and check the bounce time on machine can be recovered packet sning reveals time 18

24 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) 19

25 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack 19

26 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack rst publicized (unexploited) attack (NY Times) 19

27 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack rst publicized (unexploited) attack (NY Times) Netscape (and others) nally sees the light? 19

28 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack rst publicized (unexploited) attack (NY Times) Netscape (and others) nally sees the light? original SSL uses closed algorithms (attack needed reverse engineering) RSA approached Netscape to review their original code (denied) 19

29 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack rst publicized (unexploited) attack (NY Times) Netscape (and others) nally sees the light? original SSL uses closed algorithms (attack needed reverse engineering) RSA approached Netscape to review their original code (denied) Netscape approached RSA to review their next version! 19

30 Netscape random numbers and SSL with seconds, pid and ppid known, milliseconds is searched in less than a minute ('95) consequences of this attack rst publicized (unexploited) attack (NY Times) Netscape (and others) nally sees the light? original SSL uses closed algorithms (attack needed reverse engineering) RSA approached Netscape to review their original code (denied) Netscape approached RSA to review their next version! Paul Kocher (of side channel attack fame) helps with SSL3 19

31 Pseudorandom Numbers we need cryptographically secure PRNGs needs to pass the next-bit test you cannot guess the n-th output bit given all n 1 previous bits with probability signicantly greater than 1/2 exposing the current state should not reveal the previous output bits this gives forward security if PRNG uses randomness during operation exposing the current state should not reveal the future output bits sadly, PRNGs are often to crypto what magnetism is to electricity & magnetism... 20

32 Pseudorandom Numbers we need cryptographically secure PRNGs needs to pass the next-bit test you cannot guess the n-th output bit given all n 1 previous bits with probability signicantly greater than 1/2 exposing the current state should not reveal the previous output bits this gives forward security if PRNG uses randomness during operation exposing the current state should not reveal the future output bits sadly, PRNGs are often to crypto what magnetism is to electricity & magnetism... 20

33 A CSPRNG here is a potential cryptographically secure PRNG Blum-Blum-Shub choose random primes p, q and let N = pq both p and q must be congruent to 3 modulo 4 choose random seed x0 x 0 0,1 and gcd(x 0, N) = 1 using the recurrence x i+1 = x 2 i mod N, generate bits b i = LSB(x i ) b i = Parity(x i ) security is based on the believed diculty of factoring 21

34 A CSPRNG here is a real(ish) cryptographically secure PRNG Blum-Micali let p be a large prime and g be a primitive root modulo p let x0 Z p be a truly random seed using the recurrence x i+1 = g x i mod p, generate bits b i = { 1 if xi < p if x i p 1 2 security follows if computing discrete logarithms modulo p is infeasible 22

35 CSPRNGs NIST SP A: This standard has three uncontroversial CSPRNGs named Hash_DRBG, HMAC_DRBG, and CTR_DRBG; and a PRNG named Dual_EC_DRBG which has been shown to not be cryptographically secure and probably has a kleptographic NSA backdoor. Fortuna: Ferguson/Fortuna.pdf 23

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance