Introduc)on to Cryptography. Credits: Slide credits to David Brumley, Dan Boneh (ß has a MOOC)

Transcription

1 Introduc)on to Cryptography Credits: Slide credits to David Brumley, Dan Boneh (ß has a MOOC)

2 Cryptography is Everywhere Secure communication: web traf?ic: HTTPS wireless traf?ic: i WPA2 (and WEP), GSM, Bluetooth Encrypting 1iles on disk: EFS, TrueCrypt Content protection: CSS (DVD), AACS (Blue- Ray) User authentication Kerberos, HTTP Digest and much much more 2

3 Goal: Protect Alice s Communications with Bob Alice E c Public Channel c D Bob message m = I Love you, Bob Eve Eve is a very powerful, smart person (say any polynomial time alg) 3

4 History of Cryptography David Kahn, The code breakers (1996) 4

5 Caesar Cipher: c = m + 3 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Julius Caesar 100 BC- 44 BC 5

6 How would you a"ack messages encrypted with a subsatuaon cipher? 6

7 Jvl mlwclk yr jvl owmwez twp yusl w zyduo pjdcluj mqil zydkplmr. Hdj jvlz tykilc vwkc jy mlwku jvl wkj yr vwsiquo, tvqsv vlm?lc mlwc jvlg jy oklwjulpp. Zyd vwnl jvl fyjlujqwm jy cy jvl pwgl. Zydk plsklj fwpptykc qp: JYWPJ 7

8 AFacking SubsAtuAon Ciphers Trick 1: Word Frequency (if punctuation is removed?) Most common: e,t,a,o,i,n Least common: j,x,q,z Trick 2: Letter Frequency image source: wikipedia 8

9 Classical Approach: Iterated Design Scheme 1 Broken Scheme 2 Broken Scheme 3 Deploy Broken... No way to say anything is secure (and you may not know when broken) 9

10 Iterated design was only one we knew unal 1945 Claude Shannon:

11 Claude Shannon Formally de?ine: security goals adversarial models security of system wrt goals Beyond iterated design: Proof! 11

12 Cryptosystem m E c k d Alice k e c D Bob m or error Var Description m Message (aka plaintext). From the message space M c Ciphertext. From the ciphertext space C E Encryption Algorithm D Decryption Algorithm k e Encryption key. From the key space K k d Decryption. Also from the key space K 12

13 Symmetric Cryptography m E c k d Alice k e c D Bob m or error k = k e = k d Everyone who knows k knows the full secret 13

14 Asymmetric Cryptography m E c k d Alice k e c D Bob m or error k e!= k d Encryption Example: Bob generates private (k d )/public(k e ) keypair. Sends Alice public key To encrypt a message to Bob, Alice computes c = E(m,k e ) To decrypt, Bob computes m = D(c, k d ) 14

15 But all is not encryp*on Message Authentication Code (MAC): Only people with the private key k could have sent the message. Alice m s Bob Message m I love you, Bob s = MAC(m, k shared ) Eve (tries to alter m without detection) MAC(m, k shared ) =?= s 15

16 An interesang story... 16

17 1974 A student enrolls in the Computer Security Stanford Proposes idea for public key crypto. Professor shoots it down Picture: 17

18 1975 Ralph submits a paper to the Communications of the ACM I am sorry to have to inform you that the paper is not in the main stream of present cryptography thinking and I would not recommend that it be published in the Communications of the ACM. Experience shows that it is extremely dangerous to transmit key information in the clear." 18

19 Today Ralph Merkle: A Father of Cryptography Picture: 19

20 Covered in this class everyone shares same secret k Only 1 party has a secret Message Con?identiality Symmetric Trust Model Private key encryption Stream Ciphers Block Ciphers Asymmetric Trust Model Asymmetric encryption (aka public key) Message Authenticity and Integrity Message Authenticity Code (MAC) Digital Signature Scheme Principle 1: All algorithms public Principle 2: Security is determined only by key size Principle 3: If you roll your own, it will be insecure 20

21 M Alice M Bob Eve One Goal: Con>identiality Eve should not be able to read M. 21

22 Alice Bob Eve 4 Ways to break crypto: Ciphertext Only Known Plaintext Attack (KPA) Chosen Plaintext Attack (CPA) Chosen Ciphertext Attack (CCA) 22

23 Symmetric Cryptography Defn: A symmetric key cipher consists of 3 polynomial time algorithms: 1. KeyGen(l): A randomized algorithm that returns a key of length l. 2. E(k,m): A potentially randomized alg. that encrypts m with k. It returns a c in C 3. D(k,c): An always deterministic alg. that decrypts c with key k. It returns an m in M. And (correctness condition) 8m 2 M,k 2 K : D(k, E(k, m)) = m 23

24 The One Time Pad Miller, 1882 and Vernam, 1917 E(k, m) =k D(k, c) =k m = c c = m M = C = K = {0,1} n m: k: c: k: m:

25 QuesAon Given m and c encrypted with an OTP, can you compute the key? 1. No 2. Yes, the key is k = m c 3. I can only compute half the bits 4. Yes, the key is k = m m 25

26 QuesAon E(k, m) =k D(k, c) =k m = c c = m How many OTP keys map m to c? Depends on m 26

27 Good News: OTP is Perfectly Secure Thm: The One Time Pad is Perfectly Secure Must show: Pr [E(k, m 0 )=c] =Pr[E(k, m 1 )=c] where M = {0,1} m Intuition: Say that M = {00,01,10,11}, and m = 11. The adversary receives c = 10. It asks itself whether the plaintext was m 0 or m 1 (e.g., 01 or 10). It reasons: if m 0, then k = m 0 c = = 11. if m 1, then k = m 1 c = = 00. But all keys are equally likely, so it doesn t know which case it could be. 27

28 Two Time Pad is Insecure Two Time Pad: c 1 = m 1 k c 2 = m 2 k Eavesdropper gets c 1 and c 2. What is the problem? c 1 c 2 = m 1 m 2 28

29 The OTP provides perfect secrecy....but is that enough? 29

30 No Integrity Eve m enc ( k ) m k evil? m evil dec ( k )? m k evil 30

31 M Alice M Bob Eve Goal 2: Integrity Eve should not be able to alter M. 31

32 M Alice M Bob Eve Goal 3: Authenticity Eve should not be able to forge messages as Alice 32

33 M Public Channel Alice M Bob Eve Goals for Overall Crypto Scheme: Con?identiality, Integrity, and Authenticity 33

34 The Bad News Theorem Theorem: Perfect secrecy requires K >= M In practice, we usually shoot for computational security. 34

35 Summary Cryptography is a awesome tool But not a complete solution to security Con?identiality, Integrity, Authenticity, (Accountability) Perfect secrecy and OTP Good News and Bad News Semantic/Computational Security 35