Cryptographic methods


Contents
Concepts and Principles
History of encryption
Modern cryptography
Symmetric key cryptography
Public key cryptography
Key agreement protocols
Hash functions, digital signature
Authentication methods
Public key infrastructure - Certificates
Secure Protocols

Data security
General data security
Technical data security
Firewalls, IDS
Virus protection
Cryptography

Cryptology = science of encryption
Cryptography = developing new cryptosystems
Cryptanalysis = science of breaking cryptosystems

Levels
Application level
* e.g. banking applications, software
Secure protocols
* SSL, TLS = SSL v3, SSH
Encryption algorithms
* RSA, DES, AES, IDEA, Twofish, SHA-1, RC5, ...

During installation of, for example, an SSL server, we have to choose which encryption algorithms are supported. That is why it is necessary to know the basic types of cryptoalgorithms and their strength.

Parts of a typical encryption software
1. Authentication
2. Key agreement
3. Encryption of messages
4. Digital signature

Principle of encryption
[Figure: the sender turns message m into ciphertext C with encryption key K1 and encryption function E(m,k1); the recipient recovers message m with decryption key K2 and decryption function D(c,k2)]

If encryption key K1 = decryption key K2, we talk of symmetric encryption. If K1 is different from K2, we talk of asymmetric encryption, or public key encryption if the encryption key is public.

General principles
Kerckhoffs's principle (Auguste Kerckhoffs, 1883): In a good cryptosystem the security must be based only on the key. The algorithm should be completely public.
Wikipedia: Dr. Auguste Kerckhoffs ( ) was a Dutch linguist and cryptographer

Key space
If the cryptosystem is well planned, the best way to break it is brute force (exhaustive search using all possible keys). How long the brute force search takes depends on the number of possible keys, the size of the key space.
Modern supercomputers or grid calculations can search through $2^{80}$ keys in reasonable time. Thus the lower limit of secure key size is 80 bits (today probably more).
The following key is 80 bits long

Examples of password spaces
Security limit against brute force attack = $2^{80} = 1.2 \cdot 10^{24}$
Example 1: English characters, no numbers, no distinction between uppercase and lowercase letters, password length 8 characters: Space $26^8 = 2 \cdot 10^{11}$, weak
Example 2: English characters (big and small) + numbers, password length 8 characters: Space $62^8 = 2 \cdot 10^{14}$, still weak
Example 3: English characters (big and small) + numbers, password length 13 characters: Space = $2 \cdot 10^{23}$, strong
Example 4: Enhanced character set (120 char): Space = $9 \cdot 10^{24}$, safe and strong

Historical ciphers
Caesar cipher
- The cipher is based on rotation of the alphabet.
- The key is the amount of rotation of the inner disk.
[Picture: cipher disk. Message AAMU is encrypted as NNZH]

One Time Pad = THE ONLY UNBREAKABLE CIPHER
The message and a one-time random bit string are XORed to get the cipher. Decryption is made by XORing the same key with the cipher.
XOR addition : = 0, = 0, = 1, = 1
[Worked example layout: Encryption: Message, Key, Cipher. Decryption: Cipher, Key, Message]
The Moscow-Washington hot line used this cipher. The hot line was established after the Cuban crisis by Kennedy and Khrushchev.

Enigma
The last pre-computer cryptosystem was used by the Germans in the Second World War. It was a typewriter-like machine called Enigma. The Allies got one Enigma from a sinking submarine and managed to solve the principle. British mathematicians built the world's first computer during the war to break German messages.
Enigma had three rotating disks. Their initial position was the key. When a character was pressed on the keyboard, its image character was lit. The images were written down one by one, forming the cipher. Simultaneously the rotor disks rotated to a new position. The recipient typed the cipher characters on the keyboard and could read the original message characters on the screen.

Questions for lecture 2
1. What is meant by INTEGRITY in information security?
2. What is meant by NON-REPUDIATION?
3. What is meant by cryptanalysis?
4. Define symmetric and asymmetric encryption.
5. What is Kerckhoffs's principle?
6. Define key space.
7. What is the lower limit of secure key space size?

Modern cryptography
[Figure: timeline. Historical ciphers: Caesar cipher (BC), Vigenère cipher, one-time pad, Enigma (World War II). Block ciphers: 1976 DES, 2001 AES. Public key ciphers: 1977 RSA, ECC. Stream ciphers: in military use, 1991 A5 (GSM encryption)]

Modern cryptoalgorithms
[Figure: classification into symmetric algorithms (stream ciphers, block ciphers) and public key ciphers. Algorithms shown: RSA, Elgamal, ECC, A5 (GSM), RC5, DES, AES, IDEA, Twofish, 3DES]
Relative speed: stream ciphers 2, block ciphers 1, PK ciphers 1/50

Synchronous stream ciphers
[Figure: on each side, key k feeds a pseudorandom bit generator. The binary message is XORed with the generated bits to give the cipher; the cipher is XORed with the same bits to give the message]
GSM encryption A5 (1991) is of this type. A microcircuit produces a key-based stream of statistically random bits, which are XORed with the digitized voice. In some SSL connections the stream cipher RC4 is used.

GSM encryption
Authentication A3
The operator sends the mobile phone a random number R. The phone calculates a response RES from R and the SIM key Ki, and sends it to the operator. The operator also calculates RES from the client's Ki. If the numbers match, the mobile phone is authenticated.
Key agreement A8
The operator sends another random number R. Both parties calculate from R and the SIM key Ki the encryption key K, which is used in encryption of the phone call.
Encryption A5
Encryption key K initializes the bit generator, and the generator starts to produce pseudorandom bits which are XORed with the message bits. The operator produces the same bit stream and is able to decrypt the message.
The key is 64 bits (actually only 56 bits), much below the security limit of 80. For governments GSM encryption is easy to break.

Block ciphers
DES, AES, Kasumi, IDEA
[Figure: the message "this is the message to be sent" is split into blocks M1, M2, M3; each block is encrypted with DES under key K, giving cipher blocks C1, C2, C3]
Message M is divided into blocks m1, m2, m3, ... (today 128 bits). Key k is at least 128 bits. The cipher is the sequence c1, c2, c3, c4, ... In CBC mode the cipher of the previous block is brought as input to the encryption of the next block.

Modes of operation
All block ciphers can be used in the following modes:
1) ECB, Electronic Codebook. The blocks are encrypted independently. If the same block is repeated, the cipher is the same. This mode of operation is not safe.
2) CBC, Cipher Block Chaining (most important). The ciphertext of the previous block is part of the input of the encryption of the next block. Every block influences the ciphers of the following blocks, so two identical blocks have different ciphertexts in different parts of the message.
3) CFB, Cipher FeedBack. The cipher of a block influences the following ciphers, but in a slightly different way than in CBC. This mode can be regarded as a stream cipher mode.
4) OFB, Output FeedBack. Can also be regarded as a stream cipher mode.

History of block ciphers
[Timeline; the years are missing from the transcription]
* The USA's government was computerized
* The USA's banks and business were computerized
* Cold war & organized crime
* Lucifer project (IBM + NSA)
* DES bit block cipher
* Competition 1998
* AES winner: Rijndael (new name AES). Many key lengths: 128, 196, 256 bits
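The difference between ECB and CBC described in the list of modes above can be observed directly. The following is an added example, not part of the original slides: the block cipher is a constructed 4-round Feistel network built on SHA-256 (a stand-in so the code runs with the standard library only, not a real cipher), and the key, IV and message are constructed sample values.

```python
import hashlib
import secrets

BLOCK = 16  # 128-bit blocks, as on the slide

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Toy round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        left, right = right, xor(left, _round(right, key, i))
    return left + right

def decrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        left, right = xor(right, _round(left, key, i)), left
    return left + right

def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(msg: bytes, key: bytes) -> bytes:
    # Every block is encrypted independently of the others.
    return b"".join(encrypt_block(b, key) for b in blocks(pad(msg)))

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    # Each plaintext block is XORed with the previous cipher block first.
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))

def repeated_blocks(ct: bytes) -> int:
    # Number of cipher blocks that duplicate an earlier cipher block.
    bl = blocks(ct)
    return len(bl) - len(set(bl))

# Constructed sample: the same 16-byte block three times in a row.
SAMPLE = b"PAY 100 EUR NOW." * 3

if __name__ == "__main__":
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(SAMPLE, key)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(SAMPLE, key, iv)))
```

Under ECB the repetition in the plaintext is visible in the ciphertext without knowing the key; under CBC it is not.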

More about block ciphers
* They must work both as software and as hardware chip versions
* Fast, reliable (speed > 1 Gbs)
* DES was meant to be kept secret
* AES is public (Kerckhoffs's principle)
* Minimum safe key length 80 bits (now 128)
* Used for encryption of large amounts of data

Performance of different ciphers
A block cipher is 50 times faster than standard public key ciphers.

EU recommendations 2007
Key length (bits)   Description
72                  Can be broken with basic tools
80                  In theory holds against attacks
96                  Generally regarded as absolute minimum
112                 Adequate minimum
128                 Recommended for normal use (AES128)
256                 Required for top secret documents (AES256)

Hybrid cryptosystems
SSL, TLS, SSH protocols
Uses several algorithms, taking the best properties of each.
1. Authentication: RSA
2. Symmetric key agreement: RSA
3. Encryption of data: AES
4. Digital signatures: RSA
Only data encryption uses fast block ciphers. Other functions use public key encryption like RSA.

Public key encryption
Public key cryptosystems
* RSA = standard since 1978
* ECC is probably the successor

Principle
[Figure: Alice gets Bob's public key Ke from the CA (certification authority = key server). Alice: message m, E(m, Ke), cipher c. Bob: D(c, Kd) with Bob's private key Kd, message m]

RSA = PK standard 1978
Constant exponent e =
Every user has a public key: n = modulus = product of two primes p and q
Every user has a private key: decryption key $d = e^{-1} \bmod (p-1)(q-1)$
Steps:
1. Message blocks are represented as integers m
2. Encryption $c = m^e \bmod n$, where n = the recipient's public key
3. Decryption $m = c^d \bmod n$

PKI = Public key infrastructure
Network of Certification Authorities
Public key encryption needs a network which reliably gives out public keys. A CA provides public keys in the form of certificates. The goal is that there are no actors in the net who give out false public keys and are thus able to catch messages meant to be secret.
Example: VeriSign

Phases of secure session
A typical secure protocol (SSL, SSH) uses many algorithms.
[Figure: start, handshake of computers -> Authentication (RSA) -> Agreeing on symmetric key (RSA) -> Data encryption (AES) -> End]

Authentication with public key system (like RSA)

Challenge response authentication version 1
Keys: public n, e; private d
1. The client sends the server a random number R.
2. The server sends the response $V = R^d \bmod n$.
3. The client compares: $V^e \bmod n = R$? If there is a match, authentication is accepted.
In version 1 the public key n of the server is delivered to the customer manually with an installation disk.

PKI = Public key infrastructure
Network of Certification Authorities
Just like phone operators publish telephone catalogues, a public key cryptosystem needs a trusted network which stores the public keys of users. Asking for the recipient's public key directly, or relying on the public key on his web site, is not secure because of the possible man-in-the-middle attack. (Websites can be falsified, and an enemy can steal your query during the transmission and answer with his public key instead of the recipient's.)

Man in the middle attack
Alice wants to exchange encrypted messages with Bob. What can happen?
Eve acts between Alice and Bob, pretending to Alice that she is Bob and pretending to Bob to be Alice. Eve gives her public keys to Alice as Bob's public key and vice versa. Eve captures and reads all the messages between A and B and can even change them without them being able to detect it.
This attack can be avoided by using CA networks.

Challenge response authentication version 2
Keys: server public n, e and private d; Verisign.com public key N and private key D
1. The client requests the server's public key n.
2. The server sends a digitally signed certificate containing n (the CA's digitally signed certificate).
3. The client gets the server's public key from the certificate.
4. The client sends a random number R.
5. The server sends the response $V = R^d \bmod n$.
6. The client compares: $V^e \bmod n = R$? If they match, verification is done.
Verisign's public key N is in most common web browsers.

The CA network delivers public keys in a digitally signed, standardized X.509 form.

X.509 Certificate
Version: 1
Serial Number: 7983
Algorithm: SHA256WithRSAEncryption
Issuer: VeriSign Ltd
Validity: Not Before July :00 GMT, Not After July :00 GMT
Subject: Matti Matikainen, Rovaniemi
Subject Public Key Info
Public Key Algorithm: RSAencryption
Subject Public Key: RSA (1024 bit)
Modulus: d5 0c..f3 31 e1
Exponent:
Certificate Signature Algorithm: SHA256WithRSAEncryption
Certificate Signature: a5 55 7c d a0 c4 (2048 bits)

Links: the Google Chrome browser shows certificates in cleartext
Site                  Cipher   PK          Hash   CA
webmail.kolumbus.fi   RC4      RSA(2048)   MD5    Verisign Class 3
Nordea Solo           3DES     RSA(2048)          Verisign Class 3
Webmail.ramk.fi       AES128   RSA(2048)          Sonera Class 2

Key agreement on symmetric key
Main algorithms:
1. RSA key exchange
2. Diffie Hellman key exchange

Digital envelope method
1. Alice writes a message.
2. Alice generates an AES key K.
3. Alice encrypts the message with AES under K.
4. Alice sends the cipher, and with it the key encrypted with Bob's RSA public key n (the encrypted symmetric key).
5. Bob gets K using his RSA private key d.
6. Bob decrypts the message.

Key agreement with RSA
[Figure: Alice writes message M, chooses key K and encrypts the message with AES. She sends the AES encrypted message + key K encrypted with Bob's public key n. Bob's RSA keys: public (n,e), private d. Bob uses private key d to get K and decrypts the message]
RSA key exchange is used in most TLS connections.

Diffie Hellman key agreement
Prime p and base g are given.
Alice chooses random a; Bob chooses random b.
Alice: $y_a = g^a \bmod p$. Bob: $y_b = g^b \bmod p$.
* A and B send each other the powers as their public keys.
Alice: $K = y_b^a \bmod p$. Bob: $K = y_a^b \bmod p$.
A and B calculate the symmetric key $K = g^{ab} \bmod p$.
Security limit: p > 1024 bit prime

Diffie Hellman example
Prime p = 281 and base g = 11
Alice chooses a = 101; Bob chooses b = 160
$y_a$ = mod 281 = 255
$y_b$ = mod 281 = 165
* A and B exchange public keys
Alice: K = mod 281 = 59
Bob: K = mod 281 = 59
A and B calculate K

Diffie Hellman security
If the modulus p is sufficiently large (> 1024 bits), then an enemy listening to the channel cannot calculate the private keys a and b even if they can see the powers $g^a \bmod p$ and $g^b \bmod p$. This is because solving x from $a^x = y \bmod n$, where a, y and n are given integers, is one of the hard problems in mathematics.
DLP = Discrete logarithm problem: Given a, b, n in Z, solve x from $a^x = b \bmod n$
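The exchange in the Diffie Hellman example above, carried through with the slide's numbers, together with the exhaustive search that the security slide rules out for large p. This is an added example, not part of the original slides; the function names are chosen here for illustration.

```python
def dh_public(g: int, secret: int, p: int) -> int:
    # Public value y = g^secret mod p, sent over the open channel.
    return pow(g, secret, p)

def dh_shared(other_public: int, secret: int, p: int) -> int:
    # Shared key K = (other side's y)^secret mod p = g^(ab) mod p.
    return pow(other_public, secret, p)

def run_exchange(p: int, g: int, a: int, b: int):
    """Both sides of the exchange; returns (y_a, y_b, K at Alice, K at Bob)."""
    y_a = dh_public(g, a, p)          # Alice -> Bob
    y_b = dh_public(g, b, p)          # Bob -> Alice
    return y_a, y_b, dh_shared(y_b, a, p), dh_shared(y_a, b, p)

def discrete_log_bruteforce(g: int, y: int, p: int):
    """Solve g^x = y mod p by trying every exponent.

    The loop runs up to p - 1 times, so it finishes instantly for the
    9-bit prime of the slide and is hopeless for a prime above 1024 bits.
    """
    value = 1
    for x in range(p - 1):
        if value == y:
            return x
        value = value * g % p
    return None

def key_from_public_values(p: int, g: int, y_a: int, y_b: int):
    # What a listener on the channel can compute when p is too small:
    # recover a from y_a, then form K exactly as Alice does.
    a = discrete_log_bruteforce(g, y_a, p)
    return None if a is None else pow(y_b, a, p)

if __name__ == "__main__":
    P, G, A, B = 281, 11, 101, 160    # the values on the slide
    y_a, y_b, k_alice, k_bob = run_exchange(P, G, A, B)
    print("y_a =", y_a, "y_b =", y_b, "K =", k_alice, k_bob)
    print("modulus size in bits:", P.bit_length())
    print("K recovered from public values:", key_from_public_values(P, G, y_a, y_b))
```

With p = 281 the listener needs at most 280 multiplications; the search grows linearly in p, which is why the slide puts the limit above 1024 bits.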

PK key length recommendations (EU recommendation 2008)
[Table: columns Description; RSA; DH, Elgamal; ECC. Rows: Broken with basic tools (816 bits); Broken in reasonable time; In theory adequate; Generally viewed as minimum; Minimum security; Recommended for normal use; For top secret documents]
Conclusion: RSA key lengths are too big. This causes memory problems and low performance in smart cards. The elliptic curve cryptosystem ECC is the recommended successor.

Hash functions
Definition: Hash functions are one-way functions which produce a fixed length hash value from messages.
Usage:
1. A hash is used to ensure the integrity of data transfer (not a single bit has changed during the transfer).
2. A server's password files include the hash values of user passwords instead of the passwords themselves.

Requirements of a good hash function
1. The hash function h(m) is a one-way function: it is impossible to calculate the message from its hash.
2. First collision resistance: for a given hash h(m), it is impossible to find another message with the same hash.
3. Second collision resistance: in general it is impossible to create two messages m1 and m2 with the same hash.

Password files
[Figure: Alice logs on to the server with Logon: Alice.Mills, Passwd: mypasswd. The password is hashed (Alice.Mills 2b4f448s) and compared with the entry in the password file (Alice.Mills 2b4f338a)]

Typical hashes
MD5 - broken
SHA128 - broken
SHA256 - safe
Xiaoyun Wang showed how to break almost all hashes in 2005.

Hash["Tämä on koeviesti, josta lasketaan tiiviste","md5"]
Hash["Tämä on koeviesti, josta lasketaan tiiviste","sha"]
Hash["Tämä on koeviesti, josta lasketaan tiiviste","sha256"]

Typical iterated hash function
[Figure: message blocks M1, M2, ..., Ms are fed one by one into the iteration function f, starting from h0 and producing h1, ..., hs = h(m). WORKS LIKE A BLOCK CIPHER. THE LAST OUTPUT VECTOR IS THE HASH]
The message M is divided into blocks (typically 128 bits = 16 characters). The hash function starts from the initial value h0. The iteration function f calculates the next chain value $h_{k+1}$ from the previous value $h_k$ and the message block $M_k$. The last output is the hash h(m).

Hash reveals the changes during data transfer
Original message and its hash:
Hash["Tämä on koeviesti, josta lasketaan tiiviste","md5"]
Altered message and its hash:
Hash["Tämä on koeviesti, josta lasketaan tieviste","md5"]
The change of the hash reveals the altering of the message.

MAC = message authentication code
* A MAC is typically a hash function combined with the use of a symmetric key.
* A hash function is a checksum which is sent with the message to prove the integrity of the message.
* A MAC proves not only the integrity of the message, but also the authenticity of the sender of the message.

Digital signatures
* Ensure that 1) the message is unaltered, 2) the sender is authenticated
* Combine a hash function and RSA
* sha1rsa is a very typical digital signature in SSL connections

Digital signature
[Figure: the sender computes the hash of the message and signs it with the sender's private key d, giving signature S. The recipient gets the sender's public key from the CA, computes the hash of the received message, and verifies the signature against it: yes/no]
Digital signature = integer sent with the message = hash of the message encrypted with the sender's private key d

Verification of digital signature
The recipient decrypts the signature with the sender's public key and gets the hash value. He calculates another hash value directly from the message received. If there is a match, the signature is accepted.
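The signing and verification steps above, using the RSA formulas from the RSA slide, as an added example that is not part of the original slides. The key is a constructed toy key (two Mersenne primes, far too small and too regular for real use), the exponent 65537 is an assumption because the slide's value is missing from the transcription, and the scheme is the unpadded "hash, then private key operation" the slides describe; deployed signatures add a padding scheme on top.

```python
import hashlib

# Constructed toy parameters (assumptions, not from the slides).
P = 2**61 - 1          # prime
Q = 2**89 - 1          # prime
E = 65537              # assumed public exponent

def make_keypair(p: int, q: int, e: int):
    """Return ((n, e), d) with d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), d

def encrypt(m: int, public) -> int:
    n, e = public
    return pow(m, e, n)                  # c = m^e mod n

def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)                  # m = c^d mod n

def digest_as_int(message: bytes, n: int) -> int:
    # SHA-256 of the message, reduced so it fits below the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int, n: int) -> int:
    # Signature S = hash(message)^d mod n, made with the private key.
    return pow(digest_as_int(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    # Recipient: S^e mod n must equal the hash computed from the
    # message that actually arrived.
    n, e = public
    return pow(signature, e, n) == digest_as_int(message, n)

if __name__ == "__main__":
    public, d = make_keypair(P, Q, E)
    n = public[0]
    msg = b"pay 100 EUR to Bob"          # constructed sample message
    sig = sign(msg, d, n)
    print("original accepted:", verify(msg, sig, public))
    print("altered accepted: ", verify(b"pay 900 EUR to Bob", sig, public))
    print("forged sig accepted:", verify(msg, sig + 1, public))
```

The same private key operation on a random number R instead of a hash is the response V in the challenge response slides.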

Authentication
Authentication factors
Authentication can be based on:
1. Some unique property: fingerprint, iris of the eye, voice
2. Something you possess: ID card
3. Something you know: PIN, password

Two factor authentication: the principle that at least two factors of the above list should be used in each authentication.

Authentication concepts
Authentication = a procedure to get a proof of someone's identity in an online service. The response is immediate: acceptance or rejection.

Weak authentication
* Fixed passwords
Strong authentication
* One time passwords
* Challenge response authentication
* Zero knowledge authentication

One way and two way authentication
One way authentication: only one of the parties is authenticated.
Two way authentication: both parties are authenticated.

Requirements for authentication
1) When A proves his identity to B in the process, B cannot use the information he receives again in an authentication process to a third party C (PIN code or password must never be transferred in the protocol).
2) The probability of a situation where a third party C could be accepted as A in the protocol is negligible.
3) The previous is true even if C had a possibility to "listen" to lots of authentication processes between A and B.
Using time stamps and serial numbers helps to achieve the last requirements.

Random number authentication
* User A shows that he knows a secret without revealing it.
* B sends a random challenge number and A sends it back encrypted.
1. The bank sends a random R (challenge) to the card.
2. The card uses its RSA private key d and sends the response RES.
3. The bank decrypts RES with the card's public key and compares it with R.

Time stamp authentication
* A shows that he knows the private key d by using it to send a time stamp of his computer to B, encrypted with d.
1. The client encrypts the time with d and sends it to the server.
2. The server decrypts with the client's public key. If the result is a valid time, authentication is accepted.

Secure protocols
SSH = protocol used for remote use of a company's network
SSL, TLS = protocol used in Internet banking, net shopping, webmail, data transfer, VPN connections
SET = protocol for using a credit card on the Internet

Attack types
Ciphertext only attack:
* The enemy has ciphertexts and tries with a brute force attack to find out the key.
Known plaintext attack:
* The enemy has ciphertext and also some knowledge of the contents.
* Example: the British broke the German cipher because they knew the contents of messages from the German headquarters to their submarines.

Man in the middle attack:
* Eve operates between Alice and Bob, capturing messages. She pretends to both parties to be the other communicating party.
SSL certificates are a way to prevent man in the middle attacks.

Dictionary attack against password files
The hacker has a dictionary of, for example, the most common passwords and their variations. He precalculates the hash values of the dictionary and tries to find matches in a password file.
Protection:
* Password salting = adding a random string (salt) to the password before hashing (the salt must also be saved in the password file)
* Shadow files = in Linux, password hashes are saved to a separate hidden shadow file

Replay attack:
The enemy records the authentication data. The idea is to play back that data later to get into the system.
Using time stamps and serial numbers for packets prevents this.
Remote key systems in car locks used to be sensitive to replay attacks. Nowadays this is corrected: every signal from the car key is different from the previous one. (A list of one time passwords is used.)
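What salting changes for the precalculated dictionary described above, shown on a small password file. This is an added example, not part of the original slides: the user names, passwords and dictionary are constructed sample data, and SHA-256 is used because the slides list it as a safe hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions for illustration).
DICTIONARY = ["123456", "password", "mypasswd", "letmein"]
USERS = {
    "Alice.Mills": "mypasswd",
    "Bob.Smith": "mypasswd",       # same password as Alice
    "Carol.Jones": "x9!Tq-4vLm",   # not in the dictionary
}

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: bytes = None):
    """Return (salt_hex, hash_hex); the salt is stored next to the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt.hex(), hashlib.sha256(salt + password.encode()).hexdigest()

def check_password(password: str, record) -> bool:
    # Logon check on the server: re-hash with the stored salt.
    salt_hex, stored = record
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)

def precompute(dictionary) -> dict:
    # The precalculated table from the slide: hash -> dictionary word.
    return {unsalted_hash(word): word for word in dictionary}

def lookup_matches(table: dict, hashes: dict) -> dict:
    # Users whose stored hash appears in the precalculated table.
    return {user: table[h] for user, h in hashes.items() if h in table}

def build_files(users: dict):
    unsalted = {u: unsalted_hash(pw) for u, pw in users.items()}
    salted = {u: salted_record(pw) for u, pw in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    table = precompute(DICTIONARY)
    unsalted, salted = build_files(USERS)
    print("unsalted file, table hits:", lookup_matches(table, unsalted))
    print("salted file, table hits:  ",
          lookup_matches(table, {u: rec[1] for u, rec in salted.items()}))
    # Without salt, equal passwords give equal hashes; with salt they differ.
    print("same hash without salt:", unsalted["Alice.Mills"] == unsalted["Bob.Smith"])
    print("same hash with salt:   ", salted["Alice.Mills"][1] == salted["Bob.Smith"][1])
```

The salt makes one table useless across all users, but a weak password can still be guessed per user once its salt is known, which is why password storage in practice also uses a deliberately slow hash.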


More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

Study Guide to Mideterm Exam

Study Guide to Mideterm Exam YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #7 Professor M. J. Fischer February 20, 2012 Study Guide to Mideterm Exam For the exam, you are responsible

More information

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4 EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 4 Department of Electrical and Computer Engineering Cleveland State University wenbing@ieee.org Outline Review

More information

2.1 Basic Cryptography Concepts

2.1 Basic Cryptography Concepts ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash

More information

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages. Telling Secrets Secret Writing Through the Ages William Turner Department of Mathematics & Computer Science Wabash College Crawfordsville, IN 47933 Tuesday 4 February 2014 W. J. Turner Telling Secrets

More information

Cryptography Introduction to Computer Security. Chapter 8

Cryptography Introduction to Computer Security. Chapter 8 Cryptography Introduction to Computer Security Chapter 8 Introduction Cryptology: science of encryption; combines cryptography and cryptanalysis Cryptography: process of making and using codes to secure

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular

More information

EEC-484/584 Computer Networks

EEC-484/584 Computer Networks EEC-484/584 Computer Networks Lecture 23 wenbing@ieee.org (Lecture notes are based on materials supplied by Dr. Louise Moser at UCSB and Prentice-Hall) Outline 2 Review of last lecture Introduction to

More information

CSC 8560 Computer Networks: Network Security

CSC 8560 Computer Networks: Network Security CSC 8560 Computer Networks: Network Security Professor Henry Carter Fall 2017 Last Time We talked about mobility as a matter of context: How is mobility handled as you move around a room? Between rooms

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures MIS5206 Week 11 Identity and Access Control Week 10 continued Cryptography, Public Key Encryption and

More information

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on

More information

Public Key Algorithms

Public Key Algorithms CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and

More information

Ref:

Ref: Cryptography & digital signature Dec. 2013 Ref: http://cis.poly.edu/~ross/ 2 Cryptography Overview Symmetric Key Cryptography Public Key Cryptography Message integrity and digital signatures References:

More information

1.264 Lecture 28. Cryptography: Asymmetric keys

1.264 Lecture 28. Cryptography: Asymmetric keys 1.264 Lecture 28 Cryptography: Asymmetric keys Next class: Anderson chapters 20. Exercise due before class (Reading doesn t cover same topics as lecture) 1 Asymmetric or public key encryption Receiver

More information

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

More information

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography Chapter 7: Network security 15-441 Computer Networking Network Security: Cryptography, Authentication, Integrity Foundations: what is security? cryptography authentication message integrity key distribution

More information

Classical Cryptography. Thierry Sans

Classical Cryptography. Thierry Sans Classical Cryptography Thierry Sans Example and definitions of a cryptosystem Caesar Cipher - the oldest cryptosystem A shift cipher attributed to Julius Caesar (100-44 BC) MEET ME AFTER THE TOGA PARTY

More information

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.). Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 2 M.M:50 The question paper contains 40 multiple choice questions with four choices and students will have to pick the

More information

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext CRYPTOLOGY CRYPTOGRAPHY KEY MANAGEMENT CRYPTANALYSIS Cryptanalytic Brute-Force Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext 58 Types of Cryptographic Private key (Symmetric) Public

More information

Cryptography Introduction

Cryptography Introduction Cryptography Introduction Last Updated: Aug 20, 2013 Terminology Access Control o Authentication Assurance that entities are who they claim to be o Authorization Assurance that entities have permission

More information

EEC-682/782 Computer Networks I

EEC-682/782 Computer Networks I EEC-682/782 Computer Networks I Lecture 23 Wenbing Zhao wenbingz@gmail.com http://academic.csuohio.edu/zhao_w/teaching/eec682.htm (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB

More information

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Modern cryptography Overview Asymmetric cryptography Diffie-Hellman key exchange (last time) Pubic key: RSA Pretty Good Privacy (PGP) Digital

More information

PROTECTING CONVERSATIONS

PROTECTING CONVERSATIONS PROTECTING CONVERSATIONS Basics of Encrypted Network Communications Naïve Conversations Captured messages could be read by anyone Cannot be sure who sent the message you are reading Basic Definitions Authentication

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

Security in ECE Systems

Security in ECE Systems Lecture 11 Information Security ECE 197SA Systems Appreciation Security in ECE Systems Information security Information can be very valuable Secure communication important to protect information Today

More information

Cryptographic Systems

Cryptographic Systems CPSC 426/526 Cryptographic Systems Ennan Zhai Computer Science Department Yale University Recall: Lec-10 In lec-10, we learned: - Consistency models - Two-phase commit - Consensus - Paxos Lecture Roadmap

More information

Introduction to Cyber Security Week 2: Cryptography. Ming Chow

Introduction to Cyber Security Week 2: Cryptography. Ming Chow Introduction to Cyber Security Week 2: Cryptography Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Understand the difference between

More information

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National

More information

Some Stuff About Crypto

Some Stuff About Crypto Some Stuff About Crypto Adrian Frith Laboratory of Foundational Aspects of Computer Science Department of Mathematics and Applied Mathematics University of Cape Town This work is licensed under a Creative

More information

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass

More information

Unit 8 Review. Secure your network! CS144, Stanford University

Unit 8 Review. Secure your network! CS144, Stanford University Unit 8 Review Secure your network! 1 Basic Problem Internet To first approximation, attackers control the network Can snoop, replay, suppress, send How do we defend against this? Communicate securely despite

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography 1 2 Definition process data into unintelligible form, reversibly, without data loss typically digitally usually one-to-one in size $ compression analog cryptography: voice

More information

n-bit Output Feedback

n-bit Output Feedback n-bit Output Feedback Cryptography IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 1 Properties of Output Feedback Mode No error propagation Active attacker can

More information

Key Establishment and Authentication Protocols EECE 412

Key Establishment and Authentication Protocols EECE 412 Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions

More information

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017 More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017 Page 1 Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of cryptography Symmetric

More information

Garantía y Seguridad en Sistemas y Redes

Garantía y Seguridad en Sistemas y Redes Garantía y Seguridad en Sistemas y Redes Tema 2. Cryptographic Tools Esteban Stafford Departamento de Ingeniería Informá2ca y Electrónica Este tema se publica bajo Licencia: Crea2ve Commons BY- NC- SA

More information

Network Security Chapter 8

Network Security Chapter 8 Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

Encryption I. An Introduction

Encryption I. An Introduction Encryption I An Introduction Reading List ADO and SQL Server Security A Simple Guide to Cryptography Protecting Private Data with the Cryptography Namespaces Using MD5 to Encrypt Passwords in a Database

More information

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions

More information

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ). CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value

More information

Worksheet - Reading Guide for Keys and Passwords

Worksheet - Reading Guide for Keys and Passwords Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret

More information

Introduction to Cryptography. Ramki Thurimella

Introduction to Cryptography. Ramki Thurimella Introduction to Cryptography Ramki Thurimella Encryption & Decryption 2 Generic Setting 3 Kerckhoff s Principle Security of the encryption scheme must depend only on The secret key NOT on the secrecy of

More information

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I) Outline ISA 662 Internet Security Protocols Some Math Essentials & History Asymmetric signatures and key exchange Asymmetric encryption Symmetric MACs Lecture 2 ISA 662 1 2 Beauty of Mathematics Demonstration

More information

Authentication CHAPTER 17

Authentication CHAPTER 17 Authentication CHAPTER 17 Authentication Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources. getting entrance

More information

Technological foundation

Technological foundation Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on

More information

CCNA Security 1.1 Instructional Resource

CCNA Security 1.1 Instructional Resource CCNA Security 1.1 Instructional Resource Chapter 7 Cryptographic Systems 2012 Cisco and/or its affiliates. All rights reserved. 1 Explain how cryptology consists of cryptography (encoding messages) and

More information

14. Internet Security (J. Kurose)

14. Internet Security (J. Kurose) 14. Internet Security (J. Kurose) 1 Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer:

More information

Verification of security protocols introduction

Verification of security protocols introduction Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017 Cryptographic protocols everywhere! they aim at securing communications over

More information