Grenzen der Kryptographie

Transcription

1 Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1

2 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate to key management and the protection of keys In these areas, reasonable solutions exist for closed systems but hardly for open & public systems 2

3 Agenda A brief history of cryptography A long look at public key cryptography Security protocols and their verification Open and closed environments Conclusions 3

4 The origins of cryptography Alice The enemy is an outsider listening to traffic Two secure end systems communicate over an insecure channel Bob 4

5 Symmetric key encryption A B encrypt decrypt plaintext ciphertext plaintext 5

6 Symmetric Key Cryptography Encryption protects documents on the way from A to B A and B need to share a key A procedure is required for A and B to obtain their shared key For n parties to communicate directly, about n 2 keys are needed Security services: confidentiality, integrity, authentication (data origin authentication, key exchange peer entity authentication) 6

7 Symmetric Key Cryptography Algorithms: DES, AES (Rijndael), No provable security Algorithms designed to resist known attacks: e.g. differential & linear cryptanalysis Recommended key length: bits DES: 56-bit keys vulnerable to brute-force search DES designed to resist differential cryptanalysis 7

8 Key exchange: authentication Needham-Schroeder protocol: key transport protocol using a symmetric cipher for encryption: A and B obtain a session key K ab from server S (Trusted Third Party) A [B] shares a secret key K as [K bs ] with S Nonces (random challenges) n A and n B in messages prevent replay attacks 8

9 Needham-Schroeder protocol S (basis for Kerberos) 1. A,B,n A 2. ek as (n A,B,K ab,ek bs (K ab,a)) 3. ek bs (K ab,a) A 4. ek ab (n B ) 5. ek ab (n B -1) B 9

10 History: Non-secret Encryption Fact : to exchange secret messages shared secrets are required Counterexample (Bell Labs, 1944): receiver adds noise on a telephone line sender sends the message attacker only hears noise receiver gets message by cancelling own noise J.H.Ellis (CESG): described a scheme for nonsecret (public key) encryption in

11 Encryption with public keys A B plaintext encrypt ciphertext decrypt plaintext 11

12 Public Key Cryptography Encryption protects documents on the way from A to B B has a public encryption key and a private decryption key A procedure is required for A to get an authentic copy of B s public key (need not be easier than getting a shared secret key) For n parties to communicate, n key pairs are needed 12

13 Digital signatures document A sign document + signature B verify accept reject 13

14 Digital Signatures Protect authenticity of documents signed by A, more precisely, a cryptographic mechanism for associating documents with verification keys A has a public verification key and a private signature key A procedure is required for B to get an authentic copy of A s public key Provide authentication; on their own they do not provide non-repudiation at the level of persons Electronic signatures: a security service for associating documents with persons 14

15 Key exchange without secrets Alice puts key in box and attaches a lock e.g. the Diffie-Hellman protocol Alice removes her lock and returns the box Bob adds his lock and returns the box Bob removes his lock and opens the box 15

16 Public Key Cryptography Algorithms: RSA, ElGamal (encryption), RSA, DSA, (digital signatures), Diffie-Hellman (key agreement), elliptic curve algorithms Provable security: reduction proofs to open problems: factoring, discrete logarithm (DLP) Note: RSA factoring, DSA DLP, DH DLP Provable security for protocols: reduction proofs to breaking the crypto algorithms (Bellare-Rogaway) Services: confidentiality, integrity, authentication, non-repudiation (at the level of keys) 16

17 Key Sizes RSA DES 2K 3DES 3K 3DES AES 128 AES 192 AES Arjen Lenstra: Unbelievable Security, Asiacrypt

18 Key Sizes 2010 DES 2K 3DES 3K 3DES AES 128 AES 192 AES 256 RSA LUC XTR ECC Arjen Lenstra: Unbelievable Security, Asiacrypt

19 Digital Signature Misconceptions Verification is decryption with the public key (as stated in X.509): Even untrue for RSA signatures ( existential forgeries), does not hold for DSA; the output of decrypt is of type message, the output of verify is of type Boolean, A signature binds the signer A to the document: verification links document and verification key Digital signatures are legally binding: even if recognized by law, digital signatures do not guarantee that there is a court with jurisdiction 19

20 Digital Signatures revisited Authentication: Signatures are mathematical evidence linking a document to a public key The link between a public key and a person has to be established by procedural means This link can be recorded in a certificate (but certificates are not necessary for verifying digital signatures, verification keys are) The holder of a private signature key has to protect the key from compromise and to be sure that the key is only used as intended 20

21 Electronic signatures public verification key digital signature mathematics mathematics procedures certificate document signing device secure O/S physical security procedures private signature key name person key container 21

22 Verifying security protocols Security services are typically provided by cryptographic protocols The design of security protocols is supposedly difficult and error prone There exists a substantial body of work on protocol analysis Can one trust the results of protocol analysis? We will use the Needham-Schroeder public key protocol as a case study 22

23 NS public key protocol (1978) 1. ep B (n A,A) A 2. ep A (n B,n A ) 3. ep B (n B ) B Only B can decrypt the first message and form a reply containing the challenge n A Only A can decrypt the second message and form a reply containing the challenge n B 23

24 Fact sheet Defined in the 1970s: principals are honest Authentication: verifying the identity of the communicating principals to one another Communications with servers can be done without establishing a connection Establish a shared session key from n A, n B Formal analysis in the BAN logic (1990): e.g. A believes B believes n B is a secret shared by A and B 24

25 A second formal analysis (1995) Conducted by Gavin Lowe using CSP CSP processes communicate on channels Goals and assumptions: Attacker can be a regular protocol participant Initiator commits to a run with B when receiving a reply ep A (n B,n A ) containing the challenge n A Responder commits to a run with A only if the message ep B (n A,A) came from A Why should the origin of challenges be verified? 25

26 Lowe s man-in-the-middle attack: connection-oriented (1995) ep E (n A,A) ep B (n A,A) ep A (n B,n A ) ep A (n B,n A ) A E B ep E (n B ) ep B (n B ) Proof: Initiator A authenticates responder E Attack: Responder B can be tricked by a masquerading initiator 26

27 Why is there proof and attack? Assumptions about the environment differ: E is a protocol participant but E is not honest Authentication goals differ: correspondence properties as used by Lowe became popular in the early 1990s, but were only intended to capture the authentication of protocol runs Correspondence authentication of connections A sees a run with E and is connected to E B sees a run with A but is connected to E 27

28 A triangle attack (connectionless) A ep E (n A,A) E ep B (n A,A) ep E (n B ) ep B (n B ) ep A (n B,n A ) B The initiator cannot be misled. Why? E is not responding B has been tricked. Why? A was involved in the protocol run 28

29 Comments The proof is no longer correct because we have an attack where the responder does not run the protocol The attack is no longer an attack because the initiator is involved in the protocol run Still, the attack violates properties claimed for the protocol: A is cheated because n A and n B are not secrets shared with E 29

30 Closed systems & open systems There is an important difference between closed systems where parties look for protection from the outside (the old world cryptography came from) and open systems where parties look for protection from insiders (the new world of e-commerce) 30

31 Key exchange with a stranger Alice puts key in box and attaches a lock Alice removes her lock and returns the box someone adds a lock and returns the box someone removes the lock and opens the box 31

32 Conclusions Cryptography has its origins in communications security Not all security problems can be expressed as communications security problems Communications security tends to assume that end systems are secure and users are honest In today s world, we have to secure applications where end systems are not secure and users are not necessarily honest 32

33 Conclusions Crypto algorithms are not provably secure Lars Knudsen: If it s provably secure, it probably isn t Crypto algorithms are practically very secure unless you insist on inventing your own algorithms Crypto gives no more security than the keys used key management is a frequent source of problems Robert Morris sr.: The Enigma never was broken Crypto gives no more security than the end system it is running on designing secure end systems is the really difficult security challenge 33

34 Conclusions Crypto relies on tamper-resistant devices and on alternative channels (trust) Tamper resistant devices + symmetric key crypto: CHAPS (see Davis & Price: Security for Computer Networks, ) Alternative channels for bootstrapping and for confirmation messages: GSM, book, newspaper Crypto depends on good security management End users are their own security managers How to get full control over your PC 34

35 Brave New World bank government Can all these parties manage their own security? merchant customer 35

36 Security & Security Services There exist security services that do not provide any security at all Roger Schell, Novell, ex-usaf SSL gives no security guarantees that are relevant for e-commerce. Dr Richard Walton, Director of CESG Digital certificates provide no actual security for electronic commerce; it's a complete sham. Bruce Schneier: Secrets & Lies 36