CS549: Cryptography and Network Security

Transcription

1 CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1

2 Notice This lecture note (Cryptography and Network Security) is prepared by Xiang-Yang Li. This lecture note has benefited from numerous textbooks and online materials. Especially the Cryptography and Network Security 2 nd edition by William Stallings and the Cryptography: Theory and Practice by Douglas Stinson. You may not modify, publish, or sell, reproduce, create derivative works from, distribute, perform, display, or in any way exploit any of the content, in whole or in part, except as otherwise expressly permitted by the author. The author has used his best efforts in preparing this lecture note. The author makes no warranty of any kind, expressed or implied, with regard to the programs, protocols contained in this lecture note. The author shall not be liable in any event for incidental or consequential damages in connection with, or arising out of, the furnishing, performance, or use of these. Cryptography and Network Security 2

3 Cryptography and Network Key Management and generation Xiang-Yang Li Cryptography and Network Security 3

4 Key Exchange Public key systems are much slower than private key system Public key system is then often for short data Signature, key distribution Key distribution One party chooses the key and transmits it to other user Key agreement Protocol such two parties jointly establish secret key over public communication channel Key is the function of inputs of two users Cryptography and Network Security 4

5 Distribution of Public Keys can be considered as using one of: Public announcement Publicly available directory Public-key authority Public-key certificates Cryptography and Network Security 5

6 Public Key Management Simple one: publish the public key Such as newsgroups, yellow-book, etc. But it is not secure, although it is convenient Anyone can forge such a announcement Ex: user B pretends to be A, and publish a key for A Then all messages sent to A, readable by B! Let trusted authority maintain the keys Need to verify the identity, when register keys User can replace old keys, or void old keys Cryptography and Network Security 6

7 Possible Attacks Observe all messages over the channel So assume that all plaintext messages are available to all Save messages for reuse later So have to avoid replay attack Masquerade various users in the network So have to be able to verify the source of the message Cryptography and Network Security 7

8 Public Announcement users distribute public keys to recipients or broadcast to community at large eg. append PGP keys to messages or post to news groups or list major weakness is forgery anyone can create a key claiming to be someone else and broadcast it until forgery is discovered can masquerade as claimed user Cryptography and Network Security 8

9 Publicly Available Directory can obtain greater security by registering keys with a public directory directory must be trusted with properties: contains {name,public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically still vulnerable to tampering or forgery Cryptography and Network Security 9

10 Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely does require real-time access to directory when keys are needed Cryptography and Network Security 10

11 Public-Key Authority Cryptography and Network Security 11

12 Cont. More advanced distribution A sends request-for-key(b) to authority with timestamp, that is, Ida Idb Time Authority replies with key(b) (encrypted by its private key), that is E KTta (KUb Ida Idb Time) A initiates a message to B, including a random number N a, its ID A B then ask authority to get key(a) B sends A (encrypted by A s public key) N a and N b A then replies B N b encrypted by B s public key Cryptography and Network Security 12

13 Cont. In above scheme, the authority is bottleneck New approach: certificate Any user can read certificate, determine name and public key of the certificate s owner Any user can verify the authority of certificate Only the authority can create and update certificate Any user can verify the time-stamp of certificate The certificate is C A =E KR auth [T,ID A, KU A ] Time-stamp is to avoid reuse of voided key Cryptography and Network Security 13

14 Public-Key Certificates certificates allow key exchange without real-time access to public-key authority a certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authorities public-key To validate the certificate, we need another certificate, one that matches the Issuer (of CA) in the first certificate. Then we take the RSA public key from the second (CA) certificate, use it to decode the signature on the first certificate to obtain an MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate. Cryptography and Network Security 14

15 X.509 The structure of a X.509 v3 digital certificate is as follows: Certificate Version Serial Number Algorithm ID Issuer Validity Not Before Not After Subject Subject Public Key Info Public Key Algorithm Subject Public Key Issuer Unique Identifier (Optional) Subject Unique Identifier (Optional) Extensions (Optional)... Certificate Signature Algorithm Certificate Signature Cryptography and Network Security 15

16 Sample Certificate Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5withrsaencryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/ Address=server-certs@thawte.com Validity Not Before: Jul 9 16:04: GMT Not After : Jul 9 16:04: GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN= Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66: 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17: 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b: c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77: 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3: d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: (0x10001) Signature Algorithm: md5withrsaencryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92: ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67: d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72: 0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1: 5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7: 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22: 68:9f Cryptography and Network Security 16

17 Security In 2005, Arjen Lenstra and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys," achieved using a collision attack on the MD5 hash function See Certificates/ddl-full.pdf Cryptography and Network Security 17

18 Public-Key Certificates Cryptography and Network Security 18

19 Public-Key Distribution of Secret Keys use previous methods to obtain public-key can use for secrecy or authentication but public-key algorithms are slow so usually want to use private-key encryption to protect message contents hence need a session key have several alternatives for negotiating a suitable session Cryptography and Network Security 19

20 Simple Secret Key Distribution proposed by Merkle in 1979 A generates a new temporary public key pair A sends B the public key and their identity B generates a session key K sends it to A encrypted using the supplied public key A decrypts the session key and both use problem is that an opponent can intercept and impersonate both halves of protocol Cryptography and Network Security 20

21 Secret key Distribution Simple secret key distribution A generates KU A and KR A, sends KU A to B B generates a secret key k s B sends k s to A using A s public key KU A A decrypts the message to get the secret key k s To get more security, the public/private keys can be regenerated when needed But vulnerable to the active attack! Attacker E can compromise the communication between A and B as follows Cryptography and Network Security 21

22 Cont. Attacking A generates KU A and KR A, sends ID A, KU A to B E intercepts the message, transmits ID A, KU E to B B generates a secret key k s B sends k s to A using A s public key KU E E intercepts the message, decrypt it and get k s E sends A the message K s, encrypted by KU A A decrypts the message to get the secret key k s Now E knows K s, but A, B are unaware of it Cryptography and Network Security 22

23 Secret Key Distribution So need confidentiality and authentication A and B need to use a secure method to exchange their public keys Schemes A initiates a message to B, E KU B(N a,id a ) B replies it with E KU A(N a,n b ) A then replies it with E KU B(N b ) A sends B the message E KU B (E KR A(Ks)) Security The first 3 steps are used to assure that A is A, B is B Cryptography and Network Security 23

24 Public-Key Distribution of Secret Keys if have securely exchanged public-keys: Cryptography and Network Security 24

25 Key Predistribution Trusted Authority (TA) generates keys for all pair of users and transmits to them Large overhead (for TA and user) Blom Scheme Keys are chosen from a finite field Z p P is public prime number TA transmits k+1 elements of Z p to each user over secure channel Secure condition: any set of at most k users (not U,V) can not determine any information about K u,v Cryptography and Network Security 25

26 Blom Blom's scheme is currently used by the HDCP copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions. Cryptography and Network Security 26

27 Blom Scheme Scheme (when k=1) Each user u has distinct element r u from Z p TA choose a,b,c and defines f(x,y)=a+b(x+y)+cxy mod p For each u, TA computes g u (x)=f(x, r u ) mod p TA transmits g u (x) to user u Two users u and v compute the common key f(r u, r v )= a+b(r u + r v )+c r u r v mod p Here f(r u, r v )= g v (r u )= g u (r v ) Cryptography and Network Security 27

28 Security of Blom Scheme Less than k users can not determine keys However, more than k users can compute any keys Solving equations to get a,b,c for k=1 Generally Function f(x,y)=sum a i,j x i y j mod p Here a i,j =a j,i Cryptography and Network Security 28

29 More Practice Trent chooses a random and secret matrix Dk x k over the finite field GF(p), where p is a prime number. D is required when a new user is to be added to the key sharing group. For example, let p = 17, and D = Trent then computes their private keys: galice = (D * IAlice), gbob = (D * IBob). Cryptography and Network Security 29

30 Cont Let IAlice =, and IBob =. Trent will create Alice's and Bob's secret keys as follows galice = Cryptography and Network Security 30

31 Cont She computes the shared key k(alice / Bob) = galice * IBob kalice / Bob = Cryptography and Network Security 31

32 Diffie-Hellman Key Predist. Computationally secure if discrete logarithm is intractable Scheme Assume prime number p public and an integer c public Each user u has secret component a u User u computes b u =c a u mod p TA certifies it by computing (ID(u), b u, sig TA (ID(u), b u )) The common key of two users u and v is K=c a u a v mod p Cryptography and Network Security 32

33 Diffie Hellman Around September 1974, Diffie (Graduate student) had been traveling USA with his wife, Mary, discussing cryptography with anyone who was available. At the time, there was very little published material about modern methods and much was classified. Very few people were interested in the topic and Marty Hellman (at Stanford that time) even says that many of his colleagues felt that it was "born classified," like secrets about the atomic bomb, because it was so important to national security. John Gill gave the idea of exponential Cryptography and Network Security 33

34 Diffie-Hellman Key Exchange Computationally secure if discrete logarithm is intractable Scheme Assume prime number p public and an integer c public Each user u chooses a secret component a u (new!) User u computes b u =c a u mod p User v computes b v =c a v mod p The common key of two users u and v is K=c a u a v mod p Cryptography and Network Security 34

35 Diffie-Hellman Problem Diffie-Hellman problem definition Given b u =g a u mod p, b v =g a v mod p, how to compute g a v a u mod p? Here g is a primitive element of mod p The problem is not harder than the discrete logarithmetic problem, because the later one can always be used to solve it It can be proved that it has the same difficulty as the ElGamal encryption system Cryptography and Network Security 35

36 Middle Attack Intruder w intercept the communications Intruder w communications with u Intruder w communications with v The key computed by u is K=c a u a v mod p c a u c a u u w v c a v c a v Cryptography and Network Security 36

37 Authenticated Key Agreement Introducing the identification scheme before key exchange does not help The attacker remains inactive until identification done Simplified station to station protocol Key agreement protocol itself authenticates the user s identity at the same time the key being defined Cryptography and Network Security 37

38 Station-to-station Protocol Scheme Each user has a certificate C(v)=(Id v,ver v,sig TA (Id v,ver v )) User u selects a u and computes b u =c a u mod p User v selects a v and computes Value b v =c a v mod p Key K=c a u a v mod p Signature y v =sig v (b u,b v ) User v sends (C(V), b v, y v ) to U User u computes K=c a u a v mod p, verifies y v, and C(V) User u computes y u =sig u (b u,b v ), sends (C(u),y u ) to V User v verifies y u, and C(u) Cryptography and Network Security 38

39 MTI Agreement Protocol Scheme Assume prime number p public and an integer c public Each user has certificate c(u)=(id u,b u, sig TA (Id u,b u )) Here b u = c a u mod p Each user u chooses a secret component r u (new!) User u computes s u =c r u mod p, sends (c(u),s u ) User v computes s v =c r v mod p, sends (c(v),s v ) The common key of two users u and v is K=c r v a u+ r u a v mod p= s v a u b v r u mod p= s u a v b u r v mod p Cryptography and Network Security 39