CRYPTOGRAPHY. Jakub Laszczyk. June 7th,

Size: px

Start display at page:

Download "CRYPTOGRAPHY. Jakub Laszczyk. June 7th,"

Lorin Adams
5 years ago
Views:

1 CRYPTOGRAPHY Jakub Laszczyk June 7th,

2 Agenda About What is it? And History Part 1 - Hashing Part 2 - Symmetric Keys Part 3 - Asymmetric Keys Conclusion 2

3 About Karman Interactive is a mobile apps services company founded in 2012 now based in Kanata. 3

4 About Jakub Laszczyk - Senior Developer at Karman Interactive 4

5 5

6 What is Cryptography? The design and analysis of protocols that obfuscate data to all except the intended party. 6

7 History Early cryptography was exclusively used for encryption and decryption of messages Spartan Army Julius Caesar 7

8 Caesar s Cipher ABCDEFGHIJKLMNOPQRSTUVWXYZ EFGHIJKLMNOPQRSTUVWXYZABCD ATTACK AT DAWN EXXEGO EX HEAR 8

9 Modern Cryptography Cryptography has evolved to provide more sophisticated message encryption as well as data verification, and authentication. It is a crucial piece of technology that facilitates online activities such as e-commerce, banking, and communication. 9

10 Part 1 Hashing 10

11 What is Hashing? One way functions Deterministic - Same input will always return the output hash(abc) = BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD 11

12 What is Hashing? Outputs are well distributed and unique Input Output abc BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20 015AD abd A52D159F262B2C6DDB724A61840BEFC36EB30C88877A4030B65CBE C9 acb 8E B3BFC2003F791C B0EA035D16379BFEC16B72D376E27 2FA57 12

13 What is Hashing? Should not be reversible! hash(abc) = BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD hash -1(BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD) = undefined 13

14 Source: Plain Text Offenders ( 14

15 Hashing can be used in user authentication Client Server username: jakub password: { "user": "jakub", "pass": "Pa$$word" } username: jakub password: 923D4E08B2B F AA4 C5795D68D29 CF68639BC59 40B21541BCE 99CC98C34 15

16 SALT? Protects against two people using same password Passwords do get reused site to site. Guards against Lookup tables, Rainbow tables 16

17 Best lookup table is Google! 923D4E08B2BF AA4C5795D68D29CF68639BC5940B21541BCE99CC98C34 = Pa$$word 17

18 When generating the SALT don t use your everyday random number generator! Use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). Generated CSPRNG are unpredictable C++ std::random_device C# System.Security.Cryptography.RNGCryptoServiceProvider Java java.security.securerandom 18

19 Password: Pa$$word SALT:B4rjhY4g6LblQcqGNkVT6d45pmvZAcI78suhBzAaE0vY1qKsP/7BFo32UohgvTIn9czXKU4 1SZ1ilUeOUdpnOw== SHA-256 (Pa$$wordB4rjhY4g6LblQcqGNkVT6d45pmvZAcI78suhBzAaE0vY1qKsP/7BFo32UohgvTIn9cz XKU41SZ1ilUeOUdpnOw== ) = a066a2bb773b26b cecf0515a cb5af d30377d

20 username Password hash salt jakub a066a2bb773b26b cecf0515a cb 5af d30377d B4rjhY4g6LblQcqGNkVT 6d45pmvZAcI78suhBzAa E0vY1qKsP/7BFo32Uohg vtin9czxku41sz1ilueo UdpnOw== alice edba52ca865f269708d0 08a635d84e15b1b0d6bb 7e15a26dd3a51558d633 2db9 9XodWePFTO2htvi2E85g 4wT0mS1Zm6mYn2Jm6ieX NT1XMmtH96crGB6yiA8f GkSMFskeNFnnrzezMCBh cm79fw== bob 79f54613f1a f828dab11d365c248f7c a66fa649e1cbb6638a9a ec8c uybqzp1h4ok/2crpf7un rj1vxd4il/uc7xrrn8w+ uwgg34z+hp3n4iy6wew/ 1SyqlsOcSN1OqgQWyl4A 4FDDWg== 20

21 Brute Force Need to use key stretching to hash Bcrypt scrypt DON T USE MD5, SHA1, SHA2 21

22 Password: Pa$$word SALT:B4rjhY4g6LblQcqGNkVT6d45pmvZAcI78suhBzAaE0vY1qKsP/7BFo32UohgvTIn9czXKU4 1SZ1ilUeOUdpnOw== scrypt(pa$$wordb4rjhy4g6lblqcqgnkvt6d45pmvzaci78suhbzaae0vy1qksp/7bfo32uohgvt In9czXKU41SZ1ilUeOUdpnOw== ) Difficulties: CPU 16384; Memory 13; Parallelization 19; Output size

23 f28fec53284beae4f09e0c7d6148d49cd14c9e2f1f110fc5c6ba10e8345cf3f4c809c7 b56cd2e6b8dad f184defbe92c77744d80a88f805cd46eb34f898170c4a9d 735fd647e5d7ce310eae2954e105945ae20a ae1f e79610fd36f 7fd8ac40ba7b41d11f2d589a21f9920b45f81494f554b f292f06bfaa5e7e99 928f1df12574eae793e774fb1a7b069559f843a779e7f ff832e0781 c1ac60309e95bc925a b4a2ec7a9b58a6df597a4d7899a814e12ef4ce 7355db5d06d5aaa04644af026f0a0ca8009c83f011f66b869c529e968047bc5d1710 d0cef8eb88bab3b00fbe f98726acc1600ce13bbc8511d939d88b374d930 9d91a712e91a68a6ca1034bc e974c2d057dd766633cdddf16ca d1b8b38fa831b825737ae104043cf9da72dceec60902cde623945bfe0f695fb1d8 d6201f2ecc704179deebf4e25e7bbe7f9992e8c3042b4a0ad0b2d81c92b0b d06579b8729ae12fc3ec a3bbec5dc f3bdb653083c b66 f9b8d2fd2d3f4d0ab235d407e449f49d40e8a0e660945b125ad2faad047a04d b141120de0944a aab8da4950df5031add39fe773db226d7d2bf6c2 0c505945c079bfde9dfd360c8c2e774032ae8feb9291e0d8dca80a51f5d

24 ...086c be50d8f9247eedf06cbf250fa13ecc46075e4edc693ba73c5ce7ca 8df007bb2d9c630ae11d96bec f4c69b939c4b3604b2d0f090b05ab3f1b 30c6fe49f0de7cbd8764feae449af4da9342c5faeee5ba58921e21e35fb83aba4419 d19f583df5a7d174bfd323551ee9fada8db0ef29a76f111420b06d68b5ec de318fe2d8daeaa24af1c7745e2482a564f7f0ca8ddc6b3e72b67fda54a d6d40acfe ab aaca4c e adb03ebf6a5a7a9 ea274697b25f8505f6fb2ba30baaab1d9ded0fc7a578ba82a36c7e0879d6c235d6fc a969b4d5e7d76f9e c0d34b50bdca1170d907f700505cb7a4d0d ae3d9174ce4cb393b3843cff5a7e975c013fe463d4e71d7a3b378fa7fa6ac94e 47cf9964cba8fef1bd18c76c1df795608e676dcef16cbba5ecd2a72a0c55a10ec05a9 8adbdf2319c47033a14e6eccd35e3e8894efd7e0ee0ab6425dacdc7016ad6502fad 0288d7b3cf9166f3ab4dcfdd69658f a718f29eb09bbb0e52dc8a96e2ab32 85a149d10d8619f4c30fb83576ec75ffdb803fd917573ba e226aeec47fcc 0a21bbf707499efe470df395c086fc0b7d0eb735af2c6102e b87204fb989 b46bc603a5bef eddf6d67c5c5c0cbafab09cddcf6d3cbdc19fac1d... 24

25 ...f91f037b333a519e15cc270e2be526ba64cd03bc692a87e554c2c346b16747b35 633eab56a603eef31102b3440a09d78c239dfd3a8631ebed9bc0d918fb9c5193c73 be2ecc05211a1b061c4400d76a0b7283a3b4a1f9958d6fb53c5d120d007a18f28ce 66e24b6611b076c5efc3d34675f6c7c517e969b3fe319f1a9d cc3dff41dc f d21a39c11f960be3f86e993f80f9f9d29fa009edf66eb66efb1caa95a7 a00b77b182b6ce1f6e3cfc9ed7496c99d87ace4e3c6405ed1c318e1ce456355f234 04c0356d149f0db8d6973aea9892d d0f2acbee00ca77180c d f45bcebe7adbb0376cc01d4fd3a0448c0a b0dc a8f8048ebf ad2bc31d239ea2b5fa2d23310eb82dfda666a6c77796d4b2e659f47d75e57 be3107b1266bc3d5b c9d2db eba592d8b8d36e6f53c18eb33f9 bd2199df7103f89cdec548eb94e a0a22b5e88f0a903a467d4f219a69a4f 2e1bebac1e20ef d8b41ab179d87110bbb52eb55e8227b52ae5b5c b5d3f241465fde688f01af0cd2dda93bc cad1f1323d221897e5e4b49 2d01f4e72f27c5f0486f6f2b42cbd8aaf40ec26555be0b287cbd01c023bd27901dda9 c8b39d37a9de601545c5505af6a846fa6aba43144c7e6e7df8768a7fc3d... 25

26 ...d19df070a4aac f5bdb80a377256f70138edfe1baf60ae30f5fadadecf7b bbbbed94052cf de83bc0019fc38edb4ac2c0a517ce4614a931e88b0f df90bb710ef9cbc ecf86d19204b da02f046c a9fb71d9 a549ed48e793408a844cb d7a5b120149edb215d6e1108c acd 83f73cff15ca c22f482b4f27f21a79547b1f6274f00738f1ce99e69be49c4ca 97f7237f60427b6115ca6feb58509f71a3981ac68baffabd0f900ea5fd1ec9c4d4ac21 cd cf612fcba744eac559d388672ed421f13bd0f4a25900c75db2d624f51 95cf6030a8ee88a87b17934daf0d9108bc332d c0a840a340c88e04e87321 d6772fb6d d12c8fda1bcf9ef6f f2a62ce549abc059c16ef97ea427 bb8c e99c4444d d84e16a5fb77c919b35f41d98a90d473b8fe ef96949b0d03d4fd8df2be4aee ae2adf98bf654ec5c65a3f 1796b86b406c adc5a52fc139bca46deeef7c057f2815b06b6d34d212ff98 d084f5d3ae7b7d2f485f24d2fae14af07bc0e51b1be79c5a2d4b312d47dda6664dff9 e722c2cd55e52e9659be09a2868f63a151307aa370597a790a081d7e1ca8d086ad 0fcd637cd4df32bdea a294017e2ae71fdba8461eb9e f2ba97aa e85a069d8ca4c3a487f8f55803cfe109a8f0163abf

27 Test it yourself! 27

28 Part 1 - Conclusion One way functions are deterministic, unique, and irreversible Applications - authentication, data integrity checking Use key stretching algorithms and SALT if hashing passwords 28

29 Part 2 Symmetric Key 29

30 Symmetric Key Symmetric key Same secret key is used to encrypt and decrypt data. Algorithm is fast Twofish, Serpent, AES (Rijndael) Three steps to encrypting and decrypting Initialization vector Secret key Mode 30

31 IV - Initialization vector Random number that is used with the secret key to further scramble the data and makes it harder for a potential hacker to decrypt the data by searching for patterns within the data Must be random otherwise it may expose data 31

32 Modes CBC, ECB, CFB, CTR, etc... 32

33 Modes CBC, ECB, CFB, CTR, etc... Source: Wikipedia ( 33

34 Modes CBC, ECB, CFB, CTR, etc... Source: Wikipedia ( 34

35 Modes CBC, ECB, CFB, CTR, etc... Source: Wikipedia ( 35

Source: Wikipedia (https://en.wikipedia.

36 Source: Wikipedia ( 36

37 Modes Example of a image encryption using ECB mode 37

38 Modes Example of a image encryption using CBC mode 38

39 Sample outputs of Twofish mode: CBC, secret: 628f2ba97aa e85a069, message: hello! +3+Tj8agQk6R1jVItAYnwvaS1CHo0H75coXsvarCbaY= 2vKtmQqMC/Qybd3EJ3TCjEmxj3/rGowEy40ZntXtkB0= DUSngM5WwE6XzjbxDKes/ZCB2VYz3Ljgxb+Tu27xlhQ= ncolnkex762ny6kxmdw4agxodbl3xrpflvdlavwzksm= LchkwbogGTlQwngCK6nKOJovY4oNGsWLiPqMLDJ/MCM= Try it yourself

40 Mode Counter Source: Wikipedia ( 40

41 Plaintext message: Factorio tonight? Plaintext message: Factorio tonight? Plaintext message: Factorio tonight? 41

42 Since the same key is used for encrypting and decrypting how to establish this shared secret? 42

43 Part 3 Asymmetric Key 43

44 Asymmetric Key Public key you generate and share which will then be used for encrypting messages Private key you keep secret and you use to decrypt a message Very easy to establish secure communication with someone on the other side of the world Algorithm is slow and input that can be encrypted is limited by size! 44

45 Asymmetric Key 45

46 Asymmetric Key TNYq/OTHEhIkpdoizIM7mxFQtXU EAvUs/IvoipNZbugmTcHX0IgvBs/r F8+KvVFB= 46

47 The fox has moved 47

48 Asymmetric Key - RSA Example Encrypt Decrypt cipher = message e mod n message = cipher d mod n 48

49 RSA private and public keys are generated via a 5 step process starting with 2 prime numbers p = 611,543 q = 313,777 You would discard these prime numbers after generating your keys! 49

50 Public Key Select two large prime numbers p = 611,543; q = 313,777 Calculate n = (p - 1)(q - 1) = 191,888,127,911 Find a number for e such that 1 < e < n and is a coprime of n (e = 17) Public key: (n = 191,888,127,911, e = 17) 50

51 Private Key Using Extended Euclidean Algorithm calculate d using p, q, and e. ed = 1 mod (p - 1)(q - 1) ed = 1 mod 191,888,127,911 d = 39,506,188,769 (KEEP SECRET) Private Key: (n = 191,888,127,911, d = 39,506,188,769) 51

52 message = HELLO H E L L O ,562,633 52

53 My public key e = 17; n = 191,888,127,911 cipher = message e mod n cipher = 151,562,633 cipher = 17 mod 191,888,127,911 97,222,580,177 53

54 97,222,580, STX (Start of Text) C } â a Transmit: C}âa 54

55 message = cipher d mod n message = 97,222,580, mod 191,888,127,911 message = 44,507,164,191!= 151,562,633 (HELLO) 55

56 Private key d = 39,506,188,769; n = 191,888,127,911 message = cipher d mod n message = 97,222,580,177 39,506,188,769 mod 191,888,127,911 message = 151,562,633 HELLO 56

57 I can respond to the sender with a message that is encrypted using my private key. The receiver would use my public key to decrypt. This is amazing! 57

58 In practice the private and public keys used are way larger For example the latest prime number found in 2017 and was 23,249,425 digits long! Factoring the product of 2 large integers is hard for a computer 58

59 RSA Factoring Challenge - $200,000 (USD) RSA-2048:

60 Send me an -----BEGIN PUBLIC KEY----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFNzreP8Y35BrrnP40j0 zu0cuic4fyqitzv88k1dgmpf+iaptlk42dnc2bcy4emwg64tgo/mp3e+rusef5go jlonc38s9kxiucckjyrmfyf17so3bufahrkm2/rmmolqjjs5/omcxhpiuhgrv553 Y1cBhgrOAEC/KV3Fas7gpIPtanOPaPLT/t6hu5sHQAARZ6k4DowUY8pWebapWueQ mqjjz5p+1e+odcbef/7i81dpbsycunsmjvyhj/urnwbk/aiaflsegs2oxw7u4cx9 i1jy/mcshvresufguuo27pq1jwu38dgdlt2uclk6ty1flmjwgjfay304ho4mpaqv rwidaqab -----END PUBLIC KEY----- Linux/mac OpenSSL: Windows OpenSSL: 60

61 Conclusion Thank you! Questions? 61

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis