Bachelor thesis for the award of the academic degree Bachelor of Science
Cryptanalytic Software and Source Code Analysis of a Bitmessage Open-Source Client for the Confidential Exchange of Messages, with an Outlook on the Usability of Bitmessage in Everyday Life

Thesis for the award of the academic degree Bachelor of Science at the Hochschule für Technik und Wirtschaft Berlin, Fachbereich V, Wirtschaftswissenschaften II, Internationale Medieninformatik (International Media Informatics)
1st examiner: Prof. Dr. Debora Weber-Wulff
2nd examiner: Herr Ulrich
Eridy Lukau
Matrikel-Nr. (matriculation number)
July 21, 2014
"C'est lui qui cherche, trouve" (He who seeks, finds)

Thank you, Papa, for your always objective and intellectual academic manner and for your interest in and patience with all the things I do. Where your path ended back then, mine began. Everything I achieve, you achieve with me. I dedicate this thesis to you. But the next thesis is yet to come. Thank you, Mama! Merci beaucoup pour tout! Je t'embrasse! Dieu te protège! C'est pour toi aussi! (Thank you so much for everything! I embrace you! May God protect you! This is for you too!) And thank you Juju and Sabina! Thank you Tosh! Thank you Hasi and Max! Thank you Strolchenbande! Thank you Pfalz! Thank you Maike! Thank you Ingo! Thank you Phil Wayne Wenneck, here's to Murphy's Law and the never-ending trains!!
Declaration on the language of this thesis

In consultation with my supervisor, I decided to write this thesis in English while keeping to the original assignment. The assignment and the title are therefore in German, while the content is in English; I hope the reader will forgive me for this. Many thanks.
Contents

1 Introduction
  1.1 About Bitmessage
  1.2 About this Thesis
  1.3 Structure of this Thesis
2 Bitmessage Cryptographic Blocks
  2.1 Symmetric-Key Cryptography
    Block Ciphers and Stream Ciphers
    Cipher Block Chaining
    Initialization Vector
    Bitmessage Encryption: AES-256-CBC
    Introduction of the AES
    Successful Attacks on AES
  2.2 Public-Key Cryptography
    Diffie-Hellman Key Exchange
    Discrete Logarithm Problem (DLP)
    Koblitz Curve secp256k1
    Message Authentication: MAC / HMAC / ECDSA
    Cryptographic Hash Functions
    Secure Hash Algorithm
    RIPEMD
The Bitmessage Protocol
  Bitmessage Integrated Encryption
  Elliptic Curve Integrated Encryption Scheme
  Ephemeral Diffie-Hellman Key Exchange
  Bitmessage Workflow
  Message Setup
  Message Propagation and Processing
  The Bitmessage Address
  Base58 Encoding
  Assembling a Bitmessage Address
  Decoding a Bitmessage Address
  Bitcoin Address vs Bitmessage Address
Source Code Analysis
  Important Classes
  Pyelliptic: Cryptographical Backbone
  Secure Hash Interface: hashlib.py
  Python Code Quality
  Cryptographic Code Quality
  CCS Checklist
  Further Issues
Disclosure
Prospects on Applicability
1 Introduction
1.1 About Bitmessage

Bitmessage is an anonymous and encrypted message delivery and authentication system based on an Internet peer-to-peer network. It is an open-source project and was developed and published under the MIT licence [fn 1] by Jonathan Warren in November 2012. The name Bitmessage is an alteration of the name Bitcoin [fn 2], from which Warren openly adopted most of the implemented ideas and principles as a basis for his own message system. The source code analysis will show some of the similarities and differences between the two.

Bitmessage is based on an underlying cryptographic network communications protocol, which is responsible for the encryption keys, the encryption itself and the anonymisation of every Bitmessage user. To communicate via Bitmessage, a user needs to install the latest Bitmessage client, called PyBitmessage [fn 3], which is implemented in Python. As soon as a user installs and starts Bitmessage, the client connects to other Bitmessage clients around the world and represents a node (or, in other words, a peer) of a worldwide peer-to-peer network. Every user can use one or more Bitmessage addresses, which are comparable to e-mail addresses and can be used to communicate with other users.

The messages are propagated through the whole network, meaning that every peer in the network gets every message. To send a message to another person, the message is passed from peer to peer until it reaches the recipient. This sort of propagation relies on the defined behaviour of every peer: each peer repeatedly downloads objects from a neighbouring peer, stored objects are downloaded again by other peers, and so on, until the receiver downloads the message from a peer it is connected to. It is a trustless network, which means that authentication is done without a central authority.

Even though every peer gets every message, only the receiver will be able to read it, since messages are always encrypted. Furthermore, the encryption does not only cover the message body but also the subject, which is a huge advantage over encrypted e-mails, where it is not possible to encrypt the subject, nor the sender, nor the receiver. The message does not have the address attached to it; it is rather bound to the recipient by encryption. Whenever a peer gets a new message, it automatically checks whether the message is bound for it and tries to decrypt it with its decryption key, but only the targeted receiver has the correct key that enables it to decrypt the message. However, in order to keep anonymity, no peer alters or stops a message. Regardless of whether a peer succeeds in decrypting or not, the message is still available for download by other peers. To notify the sender that the message has arrived, the recipient responds with a message containing ackdata as acknowledgement to the sender.

Data packages that float through the Bitmessage network are named objects. The sender or creator of an object is also anonymous in the network: by simply downloading objects from a connected neighbouring peer, the downloading peer cannot tell whether the neighbour it downloaded the object from is the creator of the object or not. Bitmessage can also be used to broadcast messages to several peers or to be set up as a mailing list. It can also be installed on a server and act as an API [fn 4].

[fn 1] The MIT License (MIT)
[fn 2] More information on Bitcoin: https://en.bitcoin.it/wiki/main_page
[fn 3] In the further analysis the client and the protocol will both be called Bitmessage, even if the client's real name is PyBitmessage, to keep things simple.
[fn 4] For more information on Bitmessage-based use cases, services and other interesting Bitmessage projects see https://bitmessage.org/forum/index.php?topic=

1.2 About this Thesis

This thesis will try to identify and explain every cryptographic concept applied in Bitmessage as well as its implementation in Python, by analysing and reviewing the source code. A reader of this thesis will gain a deep insight into the cryptographic primitives, functions, classes and schemes implemented in Bitmessage, along with information on how and why they are used. Some of them will be explained with examples, in the way customary in cryptographic literature. Additionally, it will show parts of the source code as results of the analysis in order to make the connections visible, wherever the particular source code implementation is illustrative and understandable enough.

The reader will also be informed about possibly existing bugs and vulnerabilities of the used cryptographic algorithms that could be dangerous for Bitmessage. However, finding bugs in unknown code is hard, especially in the case of cryptographic open-source software. Hence, not mentioning or not finding any bugs does not mean that the software is secure. There could still be an exploit or another vulnerability in the source code that could cause several hearts to bleed. Thus, Bitmessage needs more than this thesis to find them. At the moment of writing this document, it is the only detailed software analysis that contains more information about the implementation than the official Bitmessage wiki or the official GitHub repository.

Subject of the thesis: PyBitmessage (beta)
Main developer: Jonathan Warren
Date: January 25, 2014

The subject of this thesis is this PyBitmessage client version; PyBitmessage is still beta. The source code is available on GitHub [fn 5]. The compiled versions for Windows, Mac and Linux can be found on the official Bitmessage wiki [fn 6].

1.3 Structure of this Thesis

Seeing the protocol as one big construct, it will be divided into several protocol building blocks so that each block can be analysed on its own. In a next step the whole scheme will be explained and analysed using simple examples. The analysis will end with the source code analysis. This will be a structured process in order to sum up all possible vulnerabilities. The disclosure is the last chapter, with a brief outlook on Bitmessage's applicability.

[fn 5] GitHub repository: https://github.com/bitmessage/pybitmessage
[fn 6] Bitmessage wiki: https://bitmessage.org/wiki/main_page
2 Bitmessage Cryptographic Blocks
2.1 Symmetric-Key Cryptography

In order to encrypt and decrypt the written message along with the subject, Bitmessage uses symmetric-key cryptography. Symmetric-key algorithms need only one identical key for encryption and decryption (see Figure 2.1). As explained by Bruce Schneier in the book Applied Cryptography [35], the encryption key can be calculated from the decryption key and vice versa. The symmetry relies on the reversible calculation of the key based on one single secret. This secret key needs to remain hidden and is never communicated in plaintext. As soon as sender or receiver publishes the encryption or decryption key, the communication is no longer secure: a possible attacker could recreate the key and sabotage the communication.

Example (Alice and Bob communicating in a symmetric cryptosystem [35]):
1. We assume that Alice and Bob agree on Bitmessage as encryption and communication system.
2. Alice and Bob agree on an identical key.
3. Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message.
4. Alice sends the ciphertext message over Bitmessage to Bob.
5. Bob decrypts the ciphertext message using the identical key and reads it.

Symmetric-key algorithms are also known as single-key algorithms, one-key algorithms, private-key algorithms or secret-key algorithms [35, 18]. Most symmetric cryptosystems choose one unique key for encryption and decryption, which has to be kept secret before and after communication, for as long as the communication needs to be secret [35]. Sender and receiver have to agree on a key before the communication starts. The key agreement must be secure, without giving an attacker the possibility to obtain any key secrets. To overcome this challenge of key distribution (Menezes et al. in Handbook of Applied Cryptography [18]), Bitmessage successfully draws on the Diffie-Hellman key exchange.

Figure 2.1: Single-key encryption/decryption. The same key (key1) is used for encryption (plaintext to ciphertext) and for decryption (ciphertext back to the original plaintext).

Since sender and receiver cannot meet physically, a secure method is mandatory. Due to the characteristics of Bitmessage as a serverless protocol, massive amounts of keys are managed by each and every peer and transported from point to point or, regarding the architecture of Bitmessage, from peer to peer. Referring to Schneier [35], since every pair of Bitmessage users communicating with each other requires a distinct key to exchange encrypted messages, the protocol needs to withstand the transportation of approximately n(n-1)/2 keys, where n is the number of users.

Block Ciphers and Stream Ciphers

Symmetric encryption can be implemented in two different ways: block ciphers and stream ciphers [36, Ch. 9.3]. According to Schneier, stream-cipher algorithms operate on streams of single bits, separately converting each plaintext bit into a ciphertext bit [36, Ch. 9.3]. Block-cipher algorithms, unlike stream ciphers, do not map single plaintext bits to ciphertext bits. As described by Paul van Oorschot et al. in the Handbook of Applied Cryptography [19, p. 224], they rather combine single bits into fixed-size n-bit plaintext blocks and transform them into n-bit ciphertext blocks. The size n is called the block length of one single block. Jonathan Warren identifies the encryption scheme used by Bitmessage as encryption based on the Advanced Encryption Standard (AES) in cipher-block-chaining mode [46]. The key used by Bitmessage for this symmetric encryption function is a k-bit key with k = 256 [46]. Therefore, plaintext messages are subdivided into blocks in a first step and separately transformed into ciphertext blocks using the chosen cipher in the following steps. The block size used by Bitmessage for block-cipher encryption is 16 bytes. This is defined as a macro in the OpenSSL high-level header openssl/aes.h:

```c
/* aes.h */
#define AES_BLOCK_SIZE 16
```
Listing 2.1: Block size definition used by PyBitmessage

The implemented symmetric encryption scheme AES-256-CBC [46] identifies Bitmessage as using a block cipher. However, as elaborated by Menezes et al. [19, p. 192], it could also be regarded as a stream cipher that uses a mandatory initialization vector [19, p. 192] to operate on streams of large blocks. But considering the specification of AES as defined in the Federal Information Processing Standard 197 (FIPS 197) [24], it must technically still be seen as a block cipher.

Cipher Block Chaining

Cipher block chaining (CBC) was published as one of several recommended block cipher modes of operation by the National Institute of Standards and Technology (NIST) in 2001, in NIST Special Publication 800-38A [21]; the mode itself goes back to FIPS 81 of 1980, which defined it for DES. The recommended modes of operation named by NIST only cover "FIPS-approved symmetric key block cipher algorithms" as the underlying algorithm [21, p. 7]. Since AES is FIPS-approved [24], Bitmessage strictly follows open standards of cryptography. Blocks are processed in a chain sequence in such a way that each block depends on the preceding block. Each preceding ciphertext block is the input vector for the calculation of the following ciphertext block [36, Ch. 9]. Therefore, the CBC algorithm needs to remember the preceding result, using the vector as a small amount of memory, in order to calculate the next block [19, p. 230] (see Figure 2.2).

Applying cipher block chaining to a plaintext message, the message $M$ is subdivided into blocks $M = m_0, m_1, m_2, \ldots, m_{n-1}, m_n$, each of block size $b$. The input $v_i$ of the block function for each block $m_i$ is calculated as $v_i = m_i \oplus c_{i-1}$. This applies to all blocks except the first block $m_0$, which uses the initialization vector (IV) as chaining input, so that $v_0 = m_0 \oplus \mathrm{IV}$ is the initial calculation for the first encryption round. The resulting ciphertext blocks $c_0, \ldots, c_n$ are then concatenated to the ciphertext message $C$, so that $C = c_0, c_1, c_2, \ldots, c_{n-1}, c_n$. Each ciphertext block has the same block length $b$ as the original plaintext block.

Figure 2.2: Cipher block chaining. Each plaintext block $m_i$ is XORed with the previous ciphertext block $c_{i-1}$ (with the IV in place of $c_{-1}$ for $m_0$) and encrypted with AES under key1, yielding $c_i$.

Initialization Vector

The added initialization vector, or initial chaining value [36, Ch. 9.3], makes the encryption scheme dependent on the used key together with the used initialization vector. A plaintext is only converted to its ciphertext and back again if the identical initialization vector as well as the same secret key are used for encryption and decryption. Hence, the IV must be delivered together with the encrypted message. Note that, because every block after the first is XORed with the preceding ciphertext block rather than with the IV, a wrong IV on decryption garbles only the first plaintext block and leaves the rest intact. According to Bruce Schneier [36, Ch. 9], the initialization vector can be a random dummy of data. Thus, keeping the initial vector secret after encryption is not mandatory, because it does not affect the security of the protocol as long as it is unpredictable, as mentioned in several crypto blogs like Defuse Computer Security [31]. Schneier explains that since the initial vector is used once and the following chaining values are the preceding ciphertext blocks, every chaining value will be exposed during encryption even if the initial vector is kept secret [36, Ch. 9]. However, there are still open discussions throughout the crypto community about whether the IV should be kept secret even if it is not required. Nevertheless, a new initialization vector has to be created randomly for each message encryption in order to ensure that encryption using the same secret key is always randomized. The randomization ensures that encrypted messages are unique [36, Ch. 9], so that two identical plaintexts do not encrypt to the same ciphertext even if the identical cipher and key are used several times. Reusing the same or a non-random initialization vector for each message makes the system vulnerable to dictionary attacks, as stated by the Common Weakness Enumeration entry CWE-329 [14].

Initialization Vectors in Bitmessage

The IV used by Bitmessage for each message consists of 16 securely generated random bytes [46], which are not encrypted. Therefore each message sent via Bitmessage uses a new randomly generated initial vector of $b = 16$ bytes, which is prefixed to the encrypted ciphertext. The function raw_encrypt() in pyelliptic/ecc.py contains the call OpenSSL.rand(). It is used every time a message needs to be encrypted:

```python
class ECC:
    # ...
    def raw_encrypt(data, ...):
        # ...
        iv = OpenSSL.rand(OpenSSL.get_cipher(ciphername).get_blocksize())
        # ...
```

Thus, a random initial value is generated [46]:

```
bd db 7c b a2 f
```
Listing 2.2: Generating the IV with the OpenSSL random function

The previous example of Alice and Bob communicating via Bitmessage now needs to be extended regarding AES-256-CBC as the main symmetric encryption building block. Hence, both of them have to use the identical initialization vector.

Example (Alice and Bob communicating via Bitmessage AES-256-CBC):
1. Alice and Bob agree on Bitmessage as encryption and communication system.
2. Alice and Bob agree on an identical key for encryption and decryption.
3. Alice generates a fresh random IV for AES-256-CBC; it is sent in the clear, prefixed to the ciphertext, so that Bob can use the identical IV for decryption.
4. Alice takes her plaintext message and encrypts it using the encryption algorithm, key and IV. This creates a ciphertext message.
5. Alice sends the ciphertext message (with the IV) over Bitmessage to Bob.
6. Bob decrypts the ciphertext message using the identical key and identical IV for AES-256-CBC and reads the message.

Bitmessage Encryption: AES-256-CBC

By implementing AES-256-CBC in Bitmessage, as stated in [46], Jonathan Warren strictly follows the cryptography guidelines of the National Institute of Standards and Technology (NIST) (see the table below). This may be the reason why Rijndael is used for symmetric encryption instead of other encryption algorithms like Twofish, which was developed by Bruce Schneier.

Bitmessage AES-256-CBC
  Client:        PyBitmessage
  Key length:    256 bit (32 byte)
  Block length:  128 bit (16 byte)
Note: AES-256-CBC identifies the used key as a 256-bit key.

Introduction of the AES

The Advanced Encryption Standard is an international encryption standard initiated by the National Institute of Standards and Technology for symmetric-key encryption.
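Before turning to the history of the AES selection, the CBC chaining and IV handling of the previous subsection in runnable form. This is an added example and not code from PyBitmessage or pyelliptic: since the standard library has no AES, the block cipher is a stand-in (a small HMAC-based Feistel network, invertible like AES but not AES), and the key and message are constructed. Everything else, the XOR chaining $c_i = E(m_i \oplus c_{i-1})$, the random IV prefixed to the ciphertext, the IV-reuse problem of CWE-329 and the effect of a wrong IV on decryption, is exactly the behaviour the text describes.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES_BLOCK_SIZE: 16 bytes, the block length AES-256-CBC works on


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function of the stand-in cipher: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (4-round Feistel network). Invertible like AES,
    # but NOT AES: it only plays the role of the block cipher inside CBC.
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """CBC encryption: c_i = E(m_i XOR c_{i-1}) with c_{-1} = IV.
    Returns IV || ciphertext, mirroring how Bitmessage prefixes the IV."""
    if iv is None:
        iv = os.urandom(BLOCK)  # fresh random IV per message (role of OpenSSL.rand())
    padded = pkcs7_pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_blocks(key: bytes, iv: bytes, body: bytes) -> bytes:
    """CBC decryption without unpadding: m_i = D(c_i) XOR c_{i-1}."""
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        c = body[i : i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    return pkcs7_unpad(cbc_decrypt_blocks(key, data[:BLOCK], data[BLOCK:]))


def iv_reuse_leaks_equality(key: bytes, msg: bytes) -> bool:
    """CWE-329: with a fixed IV, equal plaintexts give equal ciphertexts."""
    fixed_iv = bytes(BLOCK)
    return cbc_encrypt(key, msg, fixed_iv) == cbc_encrypt(key, msg, fixed_iv)


def random_iv_hides_equality(key: bytes, msg: bytes) -> bool:
    """With a fresh random IV the same message encrypts differently each time."""
    return cbc_encrypt(key, msg) != cbc_encrypt(key, msg)


def wrong_iv_damage(key: bytes, data: bytes) -> tuple:
    """Decrypt with one IV bit flipped: (first block damaged?, later blocks intact?)."""
    iv, body = data[:BLOCK], data[BLOCK:]
    good = cbc_decrypt_blocks(key, iv, body)
    bad = cbc_decrypt_blocks(key, bytes([iv[0] ^ 1]) + iv[1:], body)
    return good[:BLOCK] != bad[:BLOCK], good[BLOCK:] == bad[BLOCK:]


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed shared secret").digest()  # 32 bytes, AES-256 key size
    msg = b"Subject: hello\nBody: constructed Bitmessage test message"  # constructed input
    data = cbc_encrypt(key, msg)
    assert cbc_decrypt(key, data) == msg
    print("IV reuse leaks equal messages:", iv_reuse_leaks_equality(key, msg))
    print("fresh IV hides them:", random_iv_hides_equality(key, msg))
    print("wrong IV damages (first block, rest):", wrong_iv_damage(key, data))
```

The two leak checks are the practical content of CWE-329: a peer that reused an IV under the same key would let every observer of the network see which messages are identical. The wrong-IV check illustrates why the IV can travel in the clear: it protects uniqueness, not confidentiality, and corrupting it costs an attacker nothing beyond the first block.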
As documented in the official Report on the Development of the Advanced Encryption Standard, published on 2 October 2000 [23], the symmetric-key algorithm Rijndael was chosen as the Advanced Encryption Standard out of five finalists: "Rijndael's combination of security, performance, efficiency, implementability, and flexibility make it an appropriate selection for the AES for use in the technology of today and in the future." [23, p. 7] The selection procedure, started by NIST in 1997, was organised openly, to the extent that the cryptographic community had the possibility to take part in analysing the participating algorithms [23]. The expression AES is used for the proposed cryptography standard using Rijndael, which was slightly modified. The modifications are recorded in the Note on Naming that was added to the official Rijndael proposal [8]. Originally, the block length and the key length only needed to be multiples of 32 bits, with the block length between 128 and 256 bits. This was restricted by NIST to cryptographic keys of 128, 192 and 256 bits and a block size of 128 bits [24]. The specification of the cipher was published as the standard in November 2001 as Federal Information Processing Standard 197 (FIPS 197). This document can be used as the reference to AES in order to get an insight into the algorithm's functioning [24]. Quoting the FIPS publication, the encryption standard AES "may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information ... requires cryptographic protection" [24]. The direct reference to Rijndael together with its history, developers and more details can be found in the book written by the inventors of Rijndael, Joan Daemen and Vincent Rijmen [9].

As mentioned in the Rijndael proposal [8], the algorithm itself as well as any of its implementations are not subject to any patents. Referring to the FIPS publication, the AES is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits [24]. Using AES-256-CBC identifies the key used by Bitmessage as a 256-bit key. In addition, Bitmessage does not subdivide the plaintext into blocks of the 64-bit block length of older block ciphers such as DES, but rather uses the 128-bit block length prescribed by the standard.
Successful Attacks on AES

Taking advantage of NIST's open call, AES/Rijndael has also been subject to cryptanalysis by the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) research project, supported by the Commission of the European Communities. As elaborated in the final report of European project number IST [27], published in 2004, NESSIE testifies for AES-128: "No security flaws have been found, and the 128-bit block variant on which it is based was selected as the AES and has been well-studied" (by NIST). However, according to the European report there are also proven attacks on the AES-128 variant, applicable to Rijndael reduced to 7 or 8 rounds [27, p. 113]. Attacks like the Square attack by Daemen et al. or Gilbert and Minier's chosen-plaintext attack have been stated to be the most successful attacks by NESSIE [27, p. 112]. Especially the vulnerability to Square attacks, owing to the cipher's mathematical structure, was raised by R. Schroeppel in an official comment in May 2000 [24, p. 27]. However, since the number of rounds of Rijndael increases with the key length, those attacks might not be fully applicable to AES-256, as used by Bitmessage.

Number of encryption rounds of Rijndael (the round count is max(Nk, Nb) + 6, with Nk and Nb the key and block length in 32-bit words, as given in the Rijndael proposal [8]):

Key size   | Block length 128 bit | Block length 192 bit | Block length 256 bit
128 bit    | 10                   | 12                   | 14
192 bit    | 12                   | 12                   | 14
256 bit    | 14                   | 14                   | 14

Due to Rijndael's strong algebraic nature, which was already criticised during the selection process [24, p. 28], there could still be theoretical attacks on AES-256 derived from the ones mentioned previously, as stated by the NESSIE report: "... still warrants a separate analysis as the byte alignments of this variant are different from those of the 128-bit block variant" [27, p. 121]. Note that this remark concerns the 256-bit block variant of Rijndael; AES-256 keeps the 128-bit block and differs from AES-128 only in key length and round count, so the remark does not transfer to it directly.

Other successful and serious attacks on AES, so-called side-channel attacks, have been reported in the cryptanalysis by Dag Arne Osvik, Adi Shamir and Eran Tromer, Cache Attacks and Countermeasures: the Case of AES (2005) [10], and in Cache-timing attacks on AES by Daniel J. Bernstein [3], demonstrating inter-process leakage and successful key recovery. The side-channel attacks used by Shamir et al., including the synchronous known-data attacks [10, p. 3], needed additional malware running on the same processor as the encryption algorithm. The attack observed the memory and cache management during inter-process communication on a processor. As a result, they were able to break encryption in OpenSSL and on Linux dm-crypt partitions with 65 milliseconds of measurements [10, p. 10; p. 7]. Bernstein's successful timing attacks also targeted AES implemented on a server, for full key recovery [3, Ch. 3].

In order to prove the security of Bitmessage, a precise cryptanalysis regarding the cache management of the OpenSSL AES implementation used from Python needs to be carried out, since there is no official cryptanalysis of the Bitmessage implementation available at this point. As pointed out by Shamir et al. for vulnerable systems, the cache state of those algorithms has to be considered whenever processes share a processor [10, p. 24]. Hence, it remains to mention that security does not rely on the implementation of Bitmessage only, but also on the user's own care for the security of their own computer.

Note: The Rijndael implementation used by PyBitmessage depends on the AES implementation of the OpenSSL installation on the user's PC. PyBitmessage gets access to the OpenSSL functions via a Python OpenSSL wrapper called pyelliptic. A high-level implementation of Rijndael can be found in the appendix.

2.2 Public-Key Cryptography

Bitmessage uses public-key cryptography to transmit the keys securely over the network. In contrast to symmetric-key encryption, public-key algorithms use two distinct keys for encryption and decryption. The encryption key or public key can be published, while the decryption key or private key stays hidden. As explained by Schneier [36], public-key algorithms are more suitable for key encryption, because of their poor efficiency when applied to big plaintexts compared with symmetric algorithms. Hence, rather than for bulk message traffic, they are mostly used for key exchange or to encrypt session keys [36].
Symmetric-key cryptography is much more efficient in encrypting or decrypting big plaintexts like messages. In the case of Bitmessage, public-key cryptography secures the shared-secret agreement between Alice and Bob. The shared secret is a secret piece of data which must be securely generated and then securely agreed upon in order to be usable as the symmetric key for AES. Bitmessage successfully implements the Diffie-Hellman key exchange method of public-key cryptography to accomplish this task. The process is comparable to a one-way function, which is easy to compute in the forward direction, calculating the public key from a private key, but hard to compute backwards in order to recover the private key from a given public key. The difficulty relies in this case on elliptic curve cryptography (ECC). This hard mathematical problem is the elliptic curve variant of the discrete logarithm problem, explained below.

Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange is a public-key concept on which the security of the whole public-key layer of Bitmessage rests. By using this method, Bitmessage clients can exchange public keys and agree on shared secrets over the network without giving an eavesdropper the possibility to obtain any secrets. Plain Diffie-Hellman only defeats a passive listener; an active man in the middle who substitutes his own public keys is only excluded when the public keys are authenticated, which is why Bitmessage binds the public keys to the address derived from them. The Diffie-Hellman key exchange is most simply explained, as done in the video tutorial [4], using colour mixing between Alice and Bob, with Eve continuously tracking the communication between the two [fn 1].

Step 1: Alice and Bob are communicating over a wire. They agree on a basic open colour. Eve is in the middle of both and is able to obtain the openly communicated colour agreement: yellow.

Figure 2.3: Diffie-Hellman key exchange, step 1 (Eve between Alice and Bob)

[fn 1] This example is based on a simplified example of the Diffie-Hellman key exchange in an academic video tutorial [4].
Step 2: After both have agreed on one colour openly, Alice creates a new colour which she keeps secret. Bob does the same, generating a new colour secretly. Neither of them will ever send this colour over the wire. Bob does not know Alice's private colour, nor does Alice know Bob's private colour. Eve, sitting in the middle, will not be able to obtain either of them.

Figure 2.4: Diffie-Hellman key exchange, step 2

Step 3: Now Alice and Bob each add their own private colour to the openly communicated colour. The mixture generates a second colour on each side and represents a public colour. The public colour can be sent over the wire by both without revealing exactly which private colour has been added to the open colour.

Figure 2.5: Diffie-Hellman key exchange, step 3

Step 4: Alice and Bob exchange their public colours. Eve, still listening to the communication, captures the two freshly communicated pieces of information.

Figure 2.6: Diffie-Hellman key exchange, step 4

Step 5: After the exchange, Alice has two colours: her own private colour and Bob's public colour. Bob likewise has his own private colour and Alice's public colour. Eve has the first, open colour and the two public colours from Alice and Bob. Even though she has both public colours, she will not be able to obtain the exact recipe of how the public colours were created. So she has information about the mixed colours, but not enough to recreate the secret colours.

Figure 2.7: Diffie-Hellman key exchange, step 5

Step 6: This step is the most significant part of the procedure. Alice now adds her private colour to Bob's public colour and generates a new colour, which has never appeared openly between the two of them. Bob does the same on his side and creates the very same colour: brown. Both have now successfully agreed on a shared secret without revealing it. Even though Eve has collected every single piece of information that has been communicated over the wire, she will not be able to recreate the shared-secret colour, since she needs either Alice's or Bob's never-published private colour.
2 Bitmessage Cryptographic Blocks 2.2 Public-Key Cryptography

Figure 2.8: Diffie-Hellman Key-Exchange, Step 6 (participants: Eve, Alice, Bob)

Considering the colours of the example as keys, both participants create a private key and a public key. The mixing of the colours corresponds to an arithmetic operation in Bitmessage. This calculation must be as secure as possible, so that Eve is able neither to recover the private key from the public key nor to obtain the secret without knowledge of a hidden key. In Bitmessage, she faces the Discrete Logarithm Problem. The key setup as well as the arithmetic operation are implemented in Bitmessage by using Elliptic Curve Cryptography.

Discrete Logarithm Problem (DLP)

The way Alice and Bob create their mixture of colours can be transferred to a numerical procedure which is easy to compute in one direction but hard in the other. The security of this procedure relies on the mathematical difficulty of reversing a one-way function. The one-way function Bitmessage's public-key cryptography relies on is called the Discrete Logarithm Problem (DLP), found by Diffie and Hellman in 1998 [?].

Example:

1. Alice and Bob publicly agree on two numbers z and P, where P is a prime number and z < P.
2. Each of them creates a random number which is kept private: Alice chooses a, Bob chooses b.
3. Alice takes her private number and calculates z^a mod P = Y and sends Y to Bob. Bob does the same, calculates z^b mod P = X and sends X to Alice.
4. Alice takes X and calculates X^a mod P = S, where S is the shared secret. Bob does the same with Y, calculating Y^b mod P = S, and gets the same shared secret.

Both did exactly the same calculation to get the secret on each side, since X^a mod P = Y^b mod P. This is true because:

Alice's calculation: X^a mod P = S. Bob's X was calculated as X = z^b mod P, so X^a mod P is the same as z^(ba) mod P, and thus X^a mod P = z^(ba) mod P = S.

Bob's calculation: Y^b mod P = S. Alice's Y was calculated as Y = z^a mod P, so Y^b mod P is the same as z^(ab) mod P, and thus Y^b mod P = z^(ab) mod P = S.

Since both have the same result S, this can also be written as z^(ba) mod P = z^(ab) mod P. Since swapping the exponents does not change the result, z^(ab) mod P = z^(ab) mod P = S shows that Alice and Bob perform the same calculation on each side.

The mathematical task for Eve is: how can she find S without knowing a or b? No trivial mathematical procedure for this calculation is known yet. It may be solved by trial and error, but as soon as the prime is chosen big enough, so that it consists of a large number of digits, the problem becomes computationally infeasible. It would cost a computer millions of years to solve the Discrete Logarithm Problem X^? mod P = S.

Elliptic Curve Cryptography (ECC)

The DLP is the basis of Bitmessage's public-key security. However, the DLP is not applied to modular arithmetic but to Elliptic Curve Cryptography (ECC); this is also known as Elliptic Curve Diffie-Hellman (ECDH). Calculations on an elliptic curve over a finite field of primes also face the DLP: while arithmetic operations like addition and multiplication can be defined for specific elliptic curves, division on these curves is a hard problem. Addition is defined as adding a point to another point; multiplication is done by repeatedly adding a point to itself.
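The four steps above carried through in code, as an added example that is not part of the thesis. The toy parameters z = 5, P = 23, a = 6 and b = 15 are constructed for illustration, and brute_force_dlp() is Eve's trial-and-error search, which only finishes here because P is tiny.

```python
import secrets


def dh_public(z, P, priv):
    """One-way direction: z^priv mod P (Y for Alice, X for Bob)."""
    return pow(z, priv, P)


def dh_shared(other_pub, priv, P):
    """Raise the peer's public value to the own private exponent."""
    return pow(other_pub, priv, P)


def dh_exchange(z, P, a, b):
    """Steps 3 and 4 for both sides; returns (Y, X, S_alice, S_bob)."""
    Y = dh_public(z, P, a)          # Alice -> Bob
    X = dh_public(z, P, b)          # Bob -> Alice
    S_alice = dh_shared(X, a, P)    # X^a = z^(ba) mod P
    S_bob = dh_shared(Y, b, P)      # Y^b = z^(ab) mod P
    return Y, X, S_alice, S_bob


def brute_force_dlp(z, P, target):
    """Eve's task: the smallest exponent e with z^e mod P == target, found by
    trial and error. Each step costs one multiplication, so the work grows
    with P itself; for a P of hundreds of digits this loop never finishes."""
    acc = 1                          # z^0
    for e in range(P):
        if acc == target:
            return e
        acc = acc * z % P
    return None


def random_exponent(P):
    """A private exponent in [1, P-2], as each side picks one in step 2."""
    return 1 + secrets.randbelow(P - 2)


if __name__ == "__main__":
    # constructed toy parameters; public: z = 5, P = 23; private: a = 6, b = 15
    Y, X, S_alice, S_bob = dh_exchange(5, 23, 6, 15)
    print("Y =", Y, "X =", X, "shared secret on both sides:", S_alice, S_bob)
    # Eve only sees z, P, Y and X; with P = 23 she recovers a at once
    print("Eve recovers a =", brute_force_dlp(5, 23, Y))
```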
Example 2:

Given two points X and G on an elliptic curve over a finite field of primes, it is easy to add and to multiply points, since point addition is also used for multiplication. Hence, calculating x * G = X, so that X is also a point on the curve and a member of the finite field, is easy to carry out with knowledge of the factor x. However, reversing the formula to find an unknown factor x, i.e. X / G = x so that x * G = X, is a hard problem because of the required division. This is comparable to a trapdoor function, which is easy to compute in one direction but not in the other. Therefore: (3)

    x, G -> X  (x * G = X) is easy
    X, G -> x  (X / G = x) is hard

In order to generate the shared secret in public-key cryptography, Bitmessage implements ECDH to complete the ECIES. Therefore, every Bitmessage client uses the same specific curve and identical parameters, to ensure that the elliptic curve arithmetic is carried out correctly. This information can be shared openly, since the curve in use and its parameters are not secret. Hence, the parameters are hard-coded in pyelliptic/arithmetic.py:

    P =
    Gx =
    Gy =
    G = (Gx, Gy)

Listing 2.3: Elliptic Curve Parameters of secp256k1

(2) This example is a simplified explanation of Elliptic Curve Cryptography. Elliptic curves are complex mathematical structures; their details go beyond the scope of this thesis. The example is used to explain the meaning of the variables and calculations used in PyBitmessage's arithmetic.py. For a deeper understanding of this topic, further reading on elliptic curves is mandatory.
(3) The arrows here do not represent vectors, but rather the direction.

While P defines the size of the field, G is a point on that specific curve over the field, meaning G must be a point between 0 and P. (4) Assuming that the required factor x is the private key, Bitmessage calculates

    x (privkey) * G (point) = X (pubkey)

to obtain the public key. As mentioned above, Elliptic Curve Point Multiplication (ECPM) is solved through repeated addition. The function base10_multiply() recursively calls the functions base10_add() and base10_double() to accomplish a double-and-add calculation, using point addition and point doubling.

    # helpers inv(), decode(), point_to_hex() and hex_to_point() are defined
    # elsewhere in arithmetic.py; P, G and A (curve coefficient) are the hard-coded parameters
    def privtopub(privkey):
        return point_to_hex(base10_multiply(G, decode(privkey, 16)))

    def base10_multiply(a, n):
        if n == 0: return G
        if n == 1: return a
        if (n % 2) == 0: return base10_double(base10_multiply(a, n / 2))
        if (n % 2) == 1: return base10_add(base10_double(base10_multiply(a, n / 2)), a)

    def base10_add(a, b):
        if a == None: return b[0], b[1]
        if b == None: return a[0], a[1]
        if a[0] == b[0]:
            if a[1] == b[1]: return base10_double(a[0], a[1])
            else: return None
        m = ((b[1] - a[1]) * inv(b[0] - a[0], P)) % P
        x = (m * m - a[0] - b[0]) % P
        y = (m * (a[0] - x) - a[1]) % P
        return (x, y)

    def base10_double(a):
        if a == None: return None
        m = ((3 * a[0] * a[0] + A) * inv(2 * a[1], P)) % P
        x = (m * m - 2 * a[0]) % P
        y = (m * (a[0] - x) - a[1]) % P
        return (x, y)

Listing 2.4: ECPM calculation for private to public key

(4) The size of this field is pretty huge. This can be seen here:

The calculation Bitmessage clients perform to obtain the shared secret is also based on ECPM, calculating

    x (privkey) * G (pubkey) = X (shared secret).

The function multiply(privkey, pubkey) is written in the same module:

    def multiply(privkey, pubkey):
        return point_to_hex(base10_multiply(hex_to_point(pubkey), decode(privkey, 16)))

Listing 2.5: ECPM calculation of the shared secret

Koblitz Curve secp256k1

The parameters used for the elliptic curve calculation are those of the Koblitz curve secp256k1. They are defined as such by Certicom Research in the official Standards for Efficient Cryptography (SEC) as 256-bit Elliptic Curve Domain Parameters [32]. These constants are applied in Bitcoin's Elliptic Curve Digital Signature Algorithm (ECDSA) [43], too. The National Institute of Standards and Technology also published official standards for elliptic curves in digital signature algorithms in FIPS [26]. However, the parameters given by that standard for the curve named P-256 [26] are identical to the parameters given by SEC for the 256-bit pseudo-random curve secp256r1 [32]. When Satoshi Nakamoto, the official Bitcoin founder, developed Bitcoin in 2007 [47], he decided to use the parameters of secp256k1, despite the fact that there already was a recommended NIST standard for secp256r1. Jonathan Warren adopted the same curve specification for Bitmessage. It is a remarkable implementation of a specific cryptographic primitive, in Bitcoin and Bitmessage, that completely differs from the NIST standards of cryptography. Later, in 2013, Dan Bernstein and Tanja Lange reported possible backdoors in the architecture of the NIST curves, implemented by the
NSA [2]. Their assumption started discussions in the Bitcoin community and amongst several cryptography experts. Bruce Schneier mentioned in a comment on his blog that he does not trust the parameters proposed by NIST, because he believes they may have been manipulated by the NSA [38]. The question why Satoshi Nakamoto had chosen secp256k1 instead of NIST's secp256r1 has also been discussed in several (Bitcoin) forums [11, 12] and in other cryptography- or Bitcoin-related blogs and magazines [5, 28], amongst others. In conclusion, one must say that it is still uncertain whether Satoshi Nakamoto had more information regarding the recommended curves, or a close relationship with the NSA, or whether he was perhaps just clever. Since his identity is also discussed on the internet [47, 17], this issue, along with the question of whether or not the chosen parameters are truly free of backdoors, remains open.

2.3 Message Authentication

Like the explained encryption schemes, messages sent via Bitmessage need to be signed. The signature proves the ownership of the message in the network, so that an attacker cannot impersonate a participant of the communication (e.g. by a man-in-the-middle attack). This is solved by a digital signature scheme which is included in Bitmessage's public-key algorithm. Bitmessage does not use any central server as an arbitrator, as described by Schneier in [36, Ch. 2.6]. An arbitrator could be a server that is trusted by the whole network; its task is to know the signatures and to prove the authenticity of each participant. Since no trusted server is implemented by the protocol, Bitmessage is, as mentioned by Jonathan Warren in [46], a so-called trustless protocol.

MAC / HMAC / ECDSA

The authentication is implemented by using a Message Authentication Code (MAC) [36] for integrity, so that each message is signed by its author. The appended signature is also known as Message Authentication Code (MAC) [36]. The MAC can be used by Alice and Bob when they share a secret; both of them are then able to validate their messages. With the public-key scheme in use, message integrity can also be ensured by both with a private and a public key, based on the ideas of Diffie-Hellman. These keys are not used for encryption, but for signing and authentication. In Bitmessage this is applied as Elliptic Curve Digital Signature Algorithm (ECDSA).

Example:

- Alice creates two public/private key pairs and names them signing key pair and encryption key pair.
- Alice propagates her public signing key and her public encryption key through the network.
- Alice writes a message and signs it with her private signing key.
- She then encrypts it using her private encryption key and sends the signed and encrypted message to Bob.
- Bob decrypts the message using the shared secret and verifies the included signature with Alice's public signing key.

The included MAC needs to be a specific code that indicates the integrity of a message, meaning that as soon as a message gets corrupted during transmission, Bob is notified by the code. It also needs to be infeasible for an attacker to recreate the exact code that has been created by Alice. To accomplish this, Bitmessage uses cryptographic hash functions to generate the authentication code. As input for the hash function, Bitmessage uses a key in order to generate a keyed hash value according to HMAC, as described in RFC 2104 [?]. The MAC scheme implemented in Bitmessage is, according to [46], a Keyed-Hashing Scheme for Message Authentication (HMAC).

Cryptographic Hash Functions

Hash functions are central to public-key cryptography [37]. These cryptographic functions are mathematical one-way functions, converting variable-length inputs, or pre-images, as described by Schneier [37], into fixed-size hash values or hash digests. As already mentioned above, one-way functions or trapdoor functions are easy to calculate in one direction but difficult to reverse.
Example: Using x as pre-image, it is simple to calculate f(x) as hash value. But calculating a missing x from a given f(x) is not trivial and would take a computer, according to Schneier, millions of years [37]. Schneier also compares hashing to smashing a plate into millions of pieces, which is obviously easy, whereas putting the plate back together is rather difficult [37]. The security thus relies on this difficulty; this "one-wayness" [37] is fundamental for hash security. Furthermore, hash functions need to be, as stated by Schneier, "collision-free" [37], which means that it must be computationally infeasible, as elaborated by Menezes et al. [20], to find two pre-images with an equal hash value. In other words: it has to be extremely difficult, or at least not trivial, for an intercepting attacker to alter the file in a manner that still results in an equal hash value; a differing hash value reveals the file as corrupted. The integrity is therefore given by the property of a hash function to create a completely different digest, shown in the source code snippet below, as soon as a bit or byte of the pre-image has been changed during transmission.

    sha512("the jumping rabbit jumps very high")
    8a01c eb3997c603400e6983ce4ceef13fce149d8523a22508d589b5268c de7acea6ccf3e8564bbd1bf2621af9ef5cf52b7bfd69b5de b2ec
    # Adding an exclamation mark results in a completely different hash with the same size
    sha512("the jumping rabbit jumps very high!")
    ea9d3c60e12f6db034e141a43590f9b1a327a264a31ae2ffd513a05d729d85f2ecf e38e0b9331c3b3871c429ff fd976d660eb407e1dea

Listing 2.6: Python example: sha512 hash digests

Cryptographic hash functions are, due to their integrity, also known as fingerprints, cryptographic checksums or message integrity checks (MIC), as elaborated by Schneier in [37], or modification detection codes (MDCs) by Menezes et al. [20]. A sender can provide the hash of a file he wants to share with others. To prove the file's integrity, a downloader computes the hash value of the downloaded file and compares it to the published hash.

Example (simple check whether the message has been altered):

- Alice writes a message and hashes the message.
- Alice encrypts the plaintext and the hash value with Bob's public key and sends the package to Bob.
- Bob decrypts the package with his private key. Then he hashes the decrypted message and checks its hash value.
- Bob then compares his computed hash value with the hash value sent by Alice. If they match, the message is unmodified.

Furthermore, the size of a hash digest is always the same, according to the defined hash function, regardless of the pre-image's size.

    sha512("the jumping rabbit jumps very high")
    8a01c eb3997c603400e6983ce4ceef13fce149d8523a22508d589b5268c de7acea6ccf3e8564bbd1bf2621af9ef5cf52b7bfd69b5de b2ec
    # A smaller input results in the same hash length
    sha512("the jumping rabbit")
    1e888386e7d728a029901f8b5ef5ffd c377e01a497d1ece71b215ec3a1 fbe680bbbde629fa40d5f0e14cb5f9e3a7aef7c7a4b15201fe22cc4336bd4a

Listing 2.7: Python example: sha512 hash digests

Finally it has to be stated that hashing is not in any way comparable to encryption. Encryption transforms plaintext into ciphertext and (given a secret key) back to the corresponding plaintext. Hash functions, on the other hand, are not designed to be reversible.

Secure Hash Algorithm 512

    Algorithm | Message Size (bits) | Block Size (bits) | Word Size (bits) | Message Digest Size (bits)
    SHA-512   | <                   |                   |                 |
Bitmessage implements SHA-512 and SHA-256 for hashing, which are cryptographic hash functions invented and patented by the National Security Agency (NSA) (Patent ID US [29]). Both belong to the secure hash algorithm group SHA-2, which has been released by the United States under a royalty-free licence [30]. The SHA-2 algorithms were first published by the National Institute of Standards and Technology (NIST). Specifications and details of SHA-512 can therefore be found and reviewed in the latest FIPS document [25]. While SHA-256 is barely used by Bitmessage, and only in order to convert private keys to Bitcoin's Wallet Import Format (WIF) (see the example taken from the source code below), SHA-512 is included all over the code for most of the signing processes and key setups. It is especially used within the Bitmessage address generation (next to RIPEMD) and is therefore one of the most important cryptographic elements in Bitmessage.

    # An excellent way for us to store our keys is in Wallet Import Format
    # https://en.bitcoin.it/wiki/Wallet_import_format
    # ...
    privencryptionkey = '\x80' + potentialprivencryptionkey
    checksum = hashlib.sha256(hashlib.sha256(privencryptionkey).digest()).digest()[0:4]
    privencryptionkeywif = arithmetic.changebase(privencryptionkey + checksum, 256, 58)
    print 'privencryptionkeywif', privencryptionkeywif

Listing 2.8: PyBitmessage source code: utilization of sha256()

    # ...
    sha = hashlib.new('sha512')
    sha.update(senderspubsigningkey + senderspubencryptionkey)
    # ...

Listing 2.9: PyBitmessage source code: utilization of sha512()

RIPEMD-160

The RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is another cryptographic hash function used by Bitmessage. It is mainly used for address generation (explained later). The utilization of the RIPEMD-160 hash is remarkable, since it is, unlike other hash functions, not an official cryptographic standard as proposed by NIST. However, it is still recommended as a collision-resistant underlying compression function for TTMAC by NESSIE in the portfolio of recommended cryptographic primitives [6].

Figure 2.9: One iteration in a SHA-2 family compression function (Wikipedia, picture: Kockmeyer)

As elaborated by Menezes et al., RIPEMD-160 is an extended version of RIPEMD. RIPEMD is based on principles of the MD4 algorithm [33] by R. Rivest [19, p. 349], with some alterations, for example the number of rounds, the chaining variables and the number of rotations, amongst other things [19]. The security requirements of the algorithm regarding hash-value integrity, collision resistance and applicability as checksum have to be similar to those of the SHA-2 algorithms in order to be usable for digital signature algorithms. The RIPEMD-160 test vectors showing the algorithm's behaviour, taken from [22], are as follows:

    message = "" (empty string)
    hash = 9c1185a5c5e9fc ee8f548b2258d
    message = "a"
    hash = 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe
    message = "abc"
    hash = 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc
    message = "message digest"
    hash = 5d0689ef49d2fae572b881b123a85ffa21595f36

Listing 2.10: RIPEMD-160 test vectors [22]

RIPEMD Security

The security of RIPEMD-160 is, as indicated in [19], comparable to SHA-1, and it provides increased security against brute-force attacks. However, SHA-1 and MD4 have known security issues that have been found by cryptographers all over the world. Hans Dobbertin showed MD4 not to be collision-free in his cryptanalysis in [15]. Hence, using MD4 in any cryptographic protocol is not recommended. He also found RIPEMD not to be collision-resistant, because its design is similar to MD4, and therefore requested that it be replaced by stronger algorithms [16] like RIPEMD-160 or SHA-1. However, SHA-1 was later also scrutinised, as elaborated in Bruce Schneier's blog [34], and was therefore replaced by SHA-2. SHA-1 went through dozens of cryptanalyses before being proposed as an official standard, in contrast to RIPEMD-160. This may be the reason why SHA-1 has been more popular and consequently has also been attacked more often than RIPEMD-160. Hence, there may still be unknown security issues regarding collision resistance or other attacks. However, at this point, no vulnerability has been found. But regardless of known or unknown vulnerabilities, RIPEMD-160 is of particular importance to the address generation scheme used in Bitmessage as well as in Bitcoin.
3 The Bitmessage Protocol

3.1 Bitmessage Integrated Encryption

Bitmessage implements a hybrid encryption scheme close to the one explained by Schneier in [36]. It combines the concepts of symmetric-key cryptography and public-key cryptography. As applied by Bitmessage, the symmetric encryption is encapsulated in an asymmetric encryption. Schneier also mentions that, for performance reasons, public-key algorithms usually perform worse than symmetric-key algorithms when applied, for instance, to a huge plaintext [36]. Therefore, they are used to secure the communication by being responsible for message authentication (i.e. ECDSA) and key management (i.e. Diffie-Hellman key-exchange). Both schemes provide two distinct but combined security layers: while the security of symmetric-key cryptography relies on the strength of the secret key in use as well as on the chosen encryption algorithm, public-key cryptography relies on strong principles such as ECC or DHP.

Elliptic Curve Integrated Encryption Scheme

Nevertheless, the hybrid encryption scheme applied by Bitmessage needs to be specified as Elliptic Curve Integrated Encryption Scheme (ECIES), since the security of the public-key scheme in use relies on elliptic curves. Hence, if ECIES is applied to the previously shown examples of the Diffie-Hellman key-exchange, a shortened, comparable example finally shows how the keys are generated in ECIES.

Figure 3.1: ECIES/DH Generating a key pair. The lock symbolises a public key (participants: Eve, Alice, Bob)
Figure 3.2: ECIES/DH Public-Key Exchange (participants: Eve, Alice, Bob)

Figure 3.3: ECIES/DH Shared Secret-Key generation (participants: Eve, Alice, Bob)

Ephemeral Diffie-Hellman Key-Exchange

The Diffie-Hellman key-exchange concept can be designed for durable, static keys, meaning that the key pairs are generated once between a sender and a receiver and then reused unmodified for all further communication. Diffie-Hellman can also be designed for non-durable or ephemeral keys, as recommended by NIST in [13]. The latter has been chosen for Bitmessage and is also known as Ephemeral Diffie-Hellman (EDH). In contrast to normal DH, EDH does not rely on static long-lived keys but on short-lived ephemeral keys. They are changed every time a communication or session starts and are therefore only used once. This improves security, as mentioned by Paul Bakker on a cryptography forum [1], explaining that changing the keys for each connection improves the security with regard to Perfect Forward Secrecy. Hence, following Bakker, one can say that even if a private key gets stolen, not only are past communications still secure (if encrypted), but all following communication will be secure as well, thanks to different keys.

Example:

- Alice and Bob agree on ECIES with ephemeral keys and an identical elliptic curve as encryption and communication system.
- Alice generates a private/public key pair using ECC and sends her public key to Bob.
- Bob generates a private/public key pair using ECC and sends his public key to Alice.
- Alice receives Bob's public key and wants to send him an encrypted message. Instead of using her first key pair, she creates a new ephemeral private/public key pair using ECC on the previously agreed curve. She then uses the ephemeral private key together with Bob's public key to perform an ECPM and generates an ephemeral shared secret. She uses this secret as symmetric key to encrypt the message and sends it along with her newly created ephemeral public key to Bob.
- Bob receives the message and Alice's ephemeral public key. He performs an ECPM using his private key and Alice's ephemeral public key and gets the same ephemeral shared secret. He uses the secret key to decrypt the ciphertext and reads it.
- Bob wants to respond to Alice and also generates a new ephemeral key pair. He uses the ephemeral private key and Alice's original public key, creates a new ephemeral shared secret, uses it as symmetric key to encrypt the message and sends it to Alice along with the new ephemeral public key.
- Alice decrypts the message using her original private key and Bob's ephemeral public key.
NOTE: The shared secret key changes every time before a new message is encrypted, due to the always changing ephemeral private key. One could also say that ephemeral keys only last for one encryption and one decryption session. However, encryption always needs the original public key of the recipient, just as decryption always needs the decryptor's original private key. The original private/public key pairs are therefore, unlike ephemeral keys, never dropped.

Bitmessage takes advantage of the ECC functions implemented in OpenSSL, which perform the elliptic curve arithmetic for new ephemeral key pairs. Given the always changing IV, which in the case of AES-256-CBC is also sent with the message, together with an always changing symmetric key, this scheme seems to be a good approach for high security goals. Even if Eve is able to obtain one single secret out of the communication, she will be able neither to read messages from the past nor upcoming messages.

Bitmessage-Workflow

The Bitmessage encryption scheme can be explained by putting the protocol building blocks together in a workflow. (1)

Message Setup

We assume that Alice already has Bob's BM-Address and wants to send him a message. (2)

Step 1: Getting Bob's Public Key

In order to generate the shared secret, Alice needs Bob's public key and her own private key. Since the BM-Address is a hash of the public keys, she sends a getpubkey request to the network. This request contains the RIPE hash she extracted from Bob's BM-Address. The request is passed to every user in the network via peer-to-peer. When a peer gets the request, it takes the RIPE hash and compares it to the list of RIPE hashes in its own local database. Bitmessage peers automatically save every public key sent over the wire, together with its RIPE hash, in a database of their own. If the peer does not have a fitting key in its database, it does not answer Alice, but still passes the request on to the next peer, and so on. As soon as it reaches Bob's peer, the RIPE hash will match its own RIPE hash. He then sends a pubkey message back to the network, which is again passed from peer to peer until it reaches Alice. Bob's pubkey message contains his public signing key and his public encryption key in plaintext.

(1) This presented workflow can also be seen on bitmessage.org/wiki/encryption. However, this wiki page is not public. Dummy data representing the states of data are taken from there.
(2) This example is used to show which cryptographic primitives are involved. The code has been simplified. The setup and packing is implemented in the method sendmsg in src/singleWorker.py.

Step 2: Setup a data package

Alice assembles a data package containing her public keys and the written message to Bob.

    payload += pubsigningkey
    payload += pubencryptionkey
    messagetotransmit = 'Subject:' + subject + '\n' + 'Body:' + message
    payload += messagetotransmit

Step 7: Signing the package

After she has assembled all necessary data, she signs the data package with her private signing key using ECDSA. Signing generates a 64-byte value, which is her signature.

    signature = highlevelcrypto.sign(payload, privsigningkeyhex)

    def sign(self, inputb):
        """
        Sign the input with ECDSA method and returns the signature
        """
        try:
            size = len(inputb)
            buff = OpenSSL.malloc(inputb, size)
            digest = OpenSSL.malloc(0, 64)
            md_ctx = OpenSSL.EVP_MD_CTX_create()
            dgst_len = OpenSSL.pointer(OpenSSL.c_int(0))
            siglen = OpenSSL.pointer(OpenSSL.c_int(0))
            sig = OpenSSL.malloc(0, 151)
            key = OpenSSL.EC_KEY_new_by_curve_name(self.curve)
            priv_key = OpenSSL.BN_bin2bn(self.privkey, len(self.privkey), 0)
            pub_key_x = OpenSSL.BN_bin2bn(self.pubkey_x, len(self.pubkey_x), 0)
            pub_key_y = OpenSSL.BN_bin2bn(self.pubkey_y, len(self.pubkey_y), 0)
            OpenSSL.EC_KEY_set_private_key(key, priv_key)
            group = OpenSSL.EC_KEY_get0_group(key)
            pub_key = OpenSSL.EC_POINT_new(group)
            OpenSSL.EC_POINT_set_affine_coordinates_GFp(group, pub_key, pub_key_x, pub_key_y, 0)
            if OpenSSL.EC_KEY_set_public_key(key, pub_key) == 0:
                raise Exception("[OpenSSL] EC_KEY_set_public_key FAIL ...")
            if OpenSSL.EC_KEY_check_key(key) == 0:
                raise Exception("[OpenSSL] EC_KEY_check_key FAIL ...")
            # the input is hashed first; the signature is made over this digest (cf. verify() below)
            OpenSSL.EVP_MD_CTX_init(md_ctx)
            OpenSSL.EVP_DigestInit(md_ctx, OpenSSL.EVP_ecdsa())
            OpenSSL.EVP_DigestUpdate(md_ctx, buff, size)
            OpenSSL.EVP_DigestFinal(md_ctx, digest, dgst_len)
            OpenSSL.ECDSA_sign(0, digest, dgst_len.contents, sig, siglen, key)
            # the fresh signature is checked at once against the own public key
            if OpenSSL.ECDSA_verify(0, digest, dgst_len.contents, sig, siglen.contents, key) != 1:
                raise Exception("[OpenSSL] ECDSA_verify FAIL ...")
            return sig.raw[:siglen.contents.value]
        finally:
            pass  # freeing of the OpenSSL objects is omitted in this simplified listing

Step 8: Encrypt the pre-payload

After she has assembled and signed the data package, she adds the package and her signature into a pre-payload.

    payload += signature

Step 9: Encryption

In order to prepare the encryption, she takes Bob's public encryption key and a new ephemeral private encryption key and calculates a symmetric value using ECPM. This symmetric value is then hashed with SHA-512, resulting in a 64-byte secret hash value. This hash value is then divided into two parts of 32 bytes each. The first part is called key_e and the second part is called key_m. Alice then uses key_e as symmetric key, together with a randomly created initialization vector, to encrypt the pre-payload using AES-256-CBC. After encryption, she uses key_m (as salt) together with the encrypted pre-payload as input for HMAC-SHA256 in order to create the MAC.

    encrypted = highlevelcrypto.encrypt(payload, pubencryptionkeybase256.encode('hex'))

    def raw_encrypt(data, pubkey_x, pubkey_y, curve='sect283r1',
                    ephemcurve=None, ciphername='aes-256-cbc'):
        if ephemcurve is None:
            ephemcurve = curve
        ephem = ECC(curve=ephemcurve)
        key = sha512(ephem.raw_get_ecdh_key(pubkey_x, pubkey_y)).digest()
        key_e, key_m = key[:32], key[32:]
        pubkey = ephem.get_pubkey()
        iv = OpenSSL.rand(OpenSSL.get_cipher(ciphername).get_blocksize())
        ctx = Cipher(key_e, iv, 1, ciphername)
        ciphertext = ctx.ciphering(data)
        mac = hmac_sha256(key_m, ciphertext)
        return iv + pubkey + ciphertext + mac

    def hmac_sha256(k, m):
        """
        Compute the key and the message with HMAC SHA256
        """
        key = OpenSSL.malloc(k, len(k))
        d = OpenSSL.malloc(m, len(m))
        md = OpenSSL.malloc(0, 32)
        i = OpenSSL.pointer(OpenSSL.c_int(0))
        OpenSSL.HMAC(OpenSSL.EVP_sha256(), key, len(k), d, len(m), md, i)
        return md.raw

Step 10: Sending

After the encryption, Alice collects all the components and adds them to a final payload, which is then sent as msg object to Bob, containing:

- the initialization vector (plaintext)
- the ephemeral public encryption key
- the encrypted payload (including her public keys, the message, her signature and a full ack payload)
- the 32-byte Message Authentication Code

The object is sent to the network.
Message propagation and processing

Step 1: Getting a msg object

A peer can be connected to 20 other peers. It repeatedly downloads new objects from every peer it is connected to.

Step 2: Check if a message is bound for me

In the case of a downloaded object being a msg object, the peer uses every private encryption key it possesses to try to decrypt the message. If the decryption fails for all tried keys, the message is ignored. Regardless of whether the decryption was successful or not, the object still remains downloadable for other connected peers.

    # See if it is a message bound for me by trying to decrypt it with my private keys.
    initialdecryptionsuccessful = False
    for key, cryptorobject in shared.myeccryptorobjects.items():
        try:
            decrypteddata = cryptorobject.decrypt(data[readposition:])
            toripe = key
            initialdecryptionsuccessful = True
            break
        except Exception as err:
            pass
    if not initialdecryptionsuccessful:
        return

    def decrypt(self, data, ciphername='aes-256-cbc'):
        """
        Decrypt data with ECIES method using the local private key
        """
        blocksize = OpenSSL.get_cipher(ciphername).get_blocksize()
        iv = data[:blocksize]
        i = blocksize
        curve, pubkey_x, pubkey_y, i2 = ECC._decode_pubkey(data[i:])
        i += i2
        ciphertext = data[i:len(data) - 32]
        i += len(ciphertext)
        mac = data[i:]
        key = sha512(self.raw_get_ecdh_key(pubkey_x, pubkey_y)).digest()
        key_e, key_m = key[:32], key[32:]
        if hmac_sha256(key_m, ciphertext) != mac:
            raise RuntimeError("Fail to verify data")
        ctx = Cipher(key_e, iv, 0, ciphername)
        return ctx.ciphering(ciphertext)

If Bob is the peer, the decryption will succeed, since his private encryption key multiplied with Alice's ephemeral public encryption key yields the shared symmetric key.

Step 3: Check if a message is correctly signed

In the case of a successful decryption, the signature included in the object is then verified. Regardless of whether the verification was successful or not, the object will again still be downloadable for other connected peers. If the message passed the verification, the message will be accepted. (3)

    def verify(self, sig, inputb):
        bsig = OpenSSL.malloc(sig, len(sig))
        binputb = OpenSSL.malloc(inputb, len(inputb))
        digest = OpenSSL.malloc(0, 64)
        dgst_len = OpenSSL.pointer(OpenSSL.c_int(0))
        md_ctx = OpenSSL.EVP_MD_CTX_create()
        key = OpenSSL.EC_KEY_new_by_curve_name(self.curve)
        pub_key_x = OpenSSL.BN_bin2bn(self.pubkey_x, len(self.pubkey_x), 0)
        pub_key_y = OpenSSL.BN_bin2bn(self.pubkey_y, len(self.pubkey_y), 0)
        group = OpenSSL.EC_KEY_get0_group(key)
        pub_key = OpenSSL.EC_POINT_new(group)
        if OpenSSL.EC_POINT_set_affine_coordinates_GFp(group, pub_key, pub_key_x, pub_key_y, 0) == 0:
            raise Exception("[OpenSSL] EC_POINT_set_affine_coordinates_GFp FAIL ...")
        OpenSSL.EC_KEY_set_public_key(key, pub_key)
        OpenSSL.EC_KEY_check_key(key)
        OpenSSL.EVP_MD_CTX_init(md_ctx)
        OpenSSL.EVP_DigestInit(md_ctx, OpenSSL.EVP_ecdsa())
        OpenSSL.EVP_DigestUpdate(md_ctx, binputb, len(inputb))
        OpenSSL.EVP_DigestFinal(md_ctx, digest, dgst_len)
        ret = OpenSSL.ECDSA_verify(0, digest, dgst_len.contents, bsig, len(sig), key)
        if ret == -1:
            return False  # Fail to Check
        else:
            if ret == 0:
                return False  # Bad signature!
            else:
                return True  # Good
        return False

(3) There are several more checks for address and version number as well as for the calculated POW, which is a condition for the message to be accepted. They are not included in this simplified example.
3.2 The Bitmessage Address

The Bitmessage address is a core primitive of the implemented integrated encryption scheme. It incorporates the public signing key as well as the public encryption key into a base58 encoded, 33 character hash string, prepended with "BM-".

    BM-onkvu1kkl2uauss5upg9vxmqd3estmv79

The prefix has no cryptographic intention. Furthermore, the address includes the client's address version number as well as the user's stream number. Bitmessage enables users to generate as many distinct addresses as they want, either from randomly generated data or deterministically from a passphrase chosen by the user.

Base58 encoding

The base58 encoding of the address is not intended to secure the contents of the address but rather to ensure that it is properly transmitted and legible to human eyes. Base58 encoding excludes the characters 0 (zero), O (uppercase o), l (lowercase L) and I (uppercase i), to prevent mistakes. This principle is also used by Bitcoin. The official Bitcoin Wiki states that similar-looking characters or non-alphanumeric characters can be problematic [44]. It also states a fact that makes handling Bitmessage addresses less difficult: "Double-clicking selects the whole number as one word if it's all alphanumeric" [44]. This applies to Bitmessage addresses, since they have to be shared electronically, for instance in a forum or on a web page, thus in general in an environment where users work with a mouse and mouse pointer. The resulting 58-character alphabet is:

    123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz

The encoding and decoding is implemented in the module arithmetic.py as follows:

    def get_code_string(base):
        # ... (bases 2, 10 and 256 omitted)
        if base == 16:
            return "0123456789abcdef"
        elif base == 58:
            return "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
        else:
            raise ValueError("Invalid base!")

    def encode(val, base, minlen=0):
        code_string = get_code_string(base)
        result = ""
        while val > 0:
            # least significant digit first, prepended to the result
            result = code_string[val % base] + result
            val //= base
        if len(result) < minlen:
            # left-pad with the zero digit of this base
            result = code_string[0] * (minlen - len(result)) + result
        return result

    def decode(string, base):
        code_string = get_code_string(base)
        result = 0
        if base == 16:
            string = string.lower()
        while len(string) > 0:
            result *= base
            result += code_string.find(string[0])
            string = string[1:]
        return result

Assembling a Bitmessage address

In order to generate an address, Bitmessage generates four different keys for asymmetric signing and encryption.

    Key                       Size
    Private signing key       256 (bit)
    Public signing key        128 (bit)
    Private encryption key    128 (bit)
    Public encryption key     128 (bit)

Note: The symmetric key for AES is not listed here since it is not literally a part of the address.

Step 1: At first, two 32 byte values are generated, using the OpenSSL rand() function, implemented as follows:

    def rand(self, size):
        """
        OpenSSL random function
        """
        buffer = self.malloc(0, size)
        # RAND_bytes returns 1 on success; retry until random bytes are delivered
        while self.rand_bytes(buffer, size) != 1:
            time.sleep(1)
        return buffer.raw

Listing 3.1: Python OpenSSL random function

The two random 32 byte values, shown in hexadecimal format[4], are secret key material, representing the private encryption and signing keys. Both need to be kept secret.

    privateSigningKey:
    93d0b61371a54b53df143b954035d612f8efa8a3ed1cf842c2186bfd8f
    privateEncryptionKey:
    4b0b73a54e19b059dc274ab69df095fe699f43b17397bca26fdf40f4d7400a3a

Step 2: The two private keys are converted to public keys, using elliptic curve point multiplication. To enable the mathematical operations, the private keys are first converted into integer format and afterwards back into hexadecimal format.

    publicSigningKey:
    044a367f049ec16cb6b6118eb734a9962d10b8db59c890cd08f210c43ff08bdf
    09d16f502ca26cd0713f38988a1237f1fc8fa07b15653c996dc4013af6d15505ce

    publicEncryptionKey:
    d59177fc1d89555d38915f581b5ff2286b39d022ca0283d2bdd5c36be5
    d3ce7b9b a562752e4b79475d1f51f5a b241227f45ed36a9

The derivation of the public key from the private key in Step 2, using ECPM, is the cryptographic basis of the key pair. An attacker needs to solve the mathematical problem on which ECC is based to obtain the private key from the public key.

After Step 2, the key setup is finished. Both keys are stored on the user's hard drive in a file named keys.dat. Unfortunately, the private keys are not stored encrypted by Bitmessage, with the consequence that as soon as an attacker gains access to a user's computer, the attacker also gains access to the user's private keys. Since attackers have several ways to compromise a computer, this approach might be the easiest way to obtain the secrets, rather than trying to solve the ECC problem.

[4] To simplify the process, the results and different states are mostly shown in hex format even though the data is passed on digest level.
Step 3: The public signing key and the public encryption key represent the public key pair. Both are now converted into binary form.[5] They are used as input for the first round of hashing, in order to get the CombinedKeyBinaryHash (CKBH). In this case, SHA-512 is used as hash function. The resulting hash digest cannot be used to recreate the public key pair, due to the one-wayness of SHA-512.

    sha512(publicEncryptionKeyBinary + publicSigningKeyBinary)
    16a31a932ebb910736ec3c84e816a14938dd6086fdf3a5737a587cdde1f114b1
    b30a068b6942a20c1869e7cd0525b e5c63cc2174b2b a9be62

Step 4: This stage represents the second round of hashing, using the SHA-512 Combined Key Binary Hash created in Step 3 as input, in order to create a ripe hash using RIPEMD-160 as hash function.[6]

    ripe160(CombinedKeyBinaryHash):
    3cd097eb7f35c87b5dc8b4538c22cb55312a9f

Step 5: To create the final address, the address version number and the stream number are now prepended to the ripe hash. These numbers are previously converted to variable-int format. Both, prepended to the ripe, create the important intermediate result. This is the basic information the checksum (generated later) relies on, covering the unique ripe hash that was built from the public key pair.

    varint(versionNumber = 2) = 02
    varint(streamNumber = 1) = 01
    intermediateResult = 02013cd097eb7f35c87b5dc8b4538c22cb55312a9f

Step 6: The intermediate result is now used as input for the third round of hashing, using SHA-512. This produces the hash value of the intermediate result, named intermediateHashResult.

    sha512(intermediateResult):
    e5aca86e cc bc13c62d41b8e381c66f280e05d5ad4b d8b274cd645807e5aec3b6fbbc6671aa66e9a50a4edcd8020c9f5592f924edc

Step 7: The fourth round is the last round of SHA-512, hashing the hash value created in Step 6. This step produces the important checksum hash.

    sha512(sha512(intermediateResult)):
    3bcb4d54dcef8a18f8e62d8be5f36259ecbed620e1acd282600d1f700e637a
    f28bd50c22da70e82fd3ffc2aefcc35dcb2fb86d4f473ecc7cb71c967448ab

Step 8: In this step, the first 4 bytes of the checksum hash are taken and used as the checksum. The fact that only a few bytes of the checksum hash are sufficient to represent the checksum relies on the characteristics of the hash function. An attacker would have to create a preimage [37] that produces a 512-bit hash containing the identical bytes in the first four positions (collision). This is rather difficult if SHA-512 is collision-resistant.

    3b:cb:4d:54

Step 9: The obtained checksum is now appended to the intermediate result (Step 5), containing version number, stream number and ripe hash. This is then transformed into an integer. Note: The appended checksum bytes are two rounds of hashing ahead of the rest.

    versionNumber  streamNumber  ripe                                    checksum
    02             01            3cd097eb7f35c87b5dc8b4538c22cb55312a9f  3bcb4d54

The data transformed into an integer is represented as follows:

    int:

Step 10: The integer created in Step 9 is now encoded in base58 format. This reveals the typical Bitmessage address format for the first time.

    onkvu1kkl2uauss5upg9vxmqd3estmv79

Step 11: Finally, adding the "BM-" string creates the completed Bitmessage address.

    BM-onkvu1kkl2uauss5upg9vxmqd3estmv79

    Data   Version  Stream  ripe                                    checksum
    Hex    02       01      3cd097eb7f35c87b5dc8b4538c22cb55312a9f  3bcb4d54
    Bytes  1        1       19                                      4

[5] Both keys start with 04, which specifies the encoding type (04x). This prefix is removed.
[6] A possible 0x00 prefix of the resulting ripe hash is cut off by Bitmessage for packing reasons.
Decoding a Bitmessage address

Every address used by Bitmessage needs to be decoded in order to obtain the needed information (version number, stream number, ripe data). The address of a recipient needs to be typed into a text field by the sender. The address is then examined to verify its checksum. The address is not accepted if the checksum verification fails.

Addresses are not exchanged over the Bitmessage network. If Alice wants to communicate with Bob, she needs to ask Bob for his Bitmessage address before she can send him a message. Bitmessage does not allow her to obtain his address through the network. He has to give her his address via another internet-based communication channel (forum, web page, mail, messenger), a QR code, by phone or on a simple piece of paper. However, even if she gets Bob's address she is not able to recover his public key pair from the address (since the keys are hashed) in order to send him a message. The public keys are instead only sent through the network. Hence, she has to send a so-called getpubkey request, which contains the ripe data from Bob's address, to the Bitmessage network. This request is propagated from peer to peer until it reaches Bob. He then responds to the network with his public key pair. The response is then sent from peer to peer until it reaches Alice.

Note: Alice will only get his public key pair if Bob is online, or if somebody else has already saved his public key pair. This works because every peer saves public keys that are propagated through the network.

As soon as she has the Bitmessage address, her client starts decoding.

Step 1: Bitmessage accepts an address with the following format:

    BM-onkvu1kkl2uauss5upg9vxmqd3estmv79

Step 2: The prepended "BM-" string is cut off. The remaining part is then base58 decoded and afterwards converted into an integer.

Step 3: The integer is converted into hexadecimal format.[7] The obtained value reveals the internal parts of the address that were previously included. In order to accept the address, the checksum needs to be verified.

    versionNumber  streamNumber  ripe                                    checksum
    02             01            3cd097eb7f35c87b5dc8b4538c22cb55312a9f  3bcb4d54

Step 4: To check the integrity of the address, the delivered checksum is cut off but remembered for the following integrity verification.

    3b:cb:4d:54

Step 5: The remaining part, including version and stream number along with the ripe hash, is used as input for two consecutive rounds of SHA-512 hashing. The purpose of this procedure is to apply the two missing rounds of hashing, so that the data has the same number of hash rounds as the obtained checksum. If the data is not corrupted, the resulting hash digest will be identical to the checksum hash that was previously generated by the address owner.

    # First round:
    sha512(02013cd097eb7f35c87b5dc8b4538c22cb55312a9f)
    = 3672e5aca86e cc bc13c62d41b8e381
      c66f280e05d5ad4b86128d8b274cd645807e5aec3b6fb
      bc6671aa66e9a50a4edcd8020c9f5592f924edc

    # Second round:
    3bcb4d54 dcef8a18f8e62d8be5f36259ecbed620e1acd
    d1f700e637a3843f28bd50c22da70e82fd3ffc2aefcc
    35dcb2fb86d4f473ecc7cb71c967448ab

Step 6: The first four bytes of the computed checksum hash are supposed to be equal to the address owner's (internally created) checksum obtained in Step 4. The integrity check fails if the checksums do not match. In the case of a mismatch the address is invalid.

    3b:cb:4d:54 = 3b:cb:4d:54

Step 7: As soon as the check has been passed, the data is known not to be corrupted. The address is now ready to work with.

    02013cd097eb7f35c87b5dc8b4538c22cb55312a9f

    Ripe data              = 3cd097eb7f35c87b5dc8b4538c22cb55312a9f
    Streamnumber           = 1
    Addressversionnumber   = 2

[7] In the case of the length of the hex string being uneven, a 0x00 byte is added. This is not the case here.

Bitcoin address vs Bitmessage address

It is noteworthy that Bitcoin addresses are pretty similar to Bitmessage addresses, due to the nearly identical address generation scheme (see Figure 3.4). Both schemes take public keys generated on an elliptic curve and process them into final addresses. This scheme is a core concept adopted from Bitcoin. However, Jonathan Warren extended the scheme by replacing SHA-256 with SHA-512 and adding two extra bytes for version and stream number to the final address along with the "BM-" string. Furthermore, the manner of creating the checksum shares the same basis.

    Bitcoin address:
    16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM

The reason why he chose a different hash function may be the higher security level provided by SHA-512 compared to SHA-256. However, it can be excluded that the size of the hash digest influenced his decision, since the hash digest is either used to generate the checksum, or as input for the RIPEMD-160 hash function, which always has a 20-byte hash output regardless of the input size.

Figure 3.4: Conversion from public key to Bitcoin address [45]
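The assembly (Steps 5 to 11) and decoding (Steps 1 to 7) procedures described in the two preceding subsections, carried out in one piece of Python. This is an added example and not code from the thesis or from PyBitmessage; it takes the ripe hash from the walkthrough (with its stripped 0x00 byte restored) and the version/stream numbers 2 and 1 as input, since computing the ripe from the key pair would need RIPEMD-160 support in hashlib, and all function names are this example's own.

```python
# Added example (not from the thesis or PyBitmessage): Bitmessage address
# assembly (Steps 5-11) and decoding (Steps 1-7) with checksum verification.
import hashlib

# Standard base58 alphabet (no 0, O, l, I), as used by Bitcoin and Bitmessage.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# 20-byte ripe hash from the thesis walkthrough with the 0x00 prefix that the
# client strips (footnote 6) put back, so the address carries 19 ripe bytes.
EXAMPLE_RIPE = bytes.fromhex("00" + "3cd097eb7f35c87b5dc8b4538c22cb55312a9f")

def b58encode(val):
    """Encode a non-negative integer as base58 text."""
    digits = []
    while val > 0:
        val, rem = divmod(val, 58)
        digits.append(B58_ALPHABET[rem])
    return "".join(reversed(digits)) or B58_ALPHABET[0]

def b58decode(text):
    """Decode base58 text to an integer; reject characters outside the alphabet."""
    result = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character %r" % ch)
        result = result * 58 + idx
    return result

def encode_varint(n):
    """Bitcoin-style variable-length integer (one byte for values below 0xfd)."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + n.to_bytes(2, "big")
    if n <= 0xffffffff:
        return b"\xfe" + n.to_bytes(4, "big")
    return b"\xff" + n.to_bytes(8, "big")

def decode_varint(data):
    """Return (value, bytes consumed) for the varint at the start of data."""
    first = data[0]
    if first < 0xfd:
        return first, 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(data[1:1 + size], "big"), 1 + size

def checksum(data):
    """Steps 6-8: the first four bytes of SHA512(SHA512(data))."""
    return hashlib.sha512(hashlib.sha512(data).digest()).digest()[:4]

def intermediate_result(version, stream, ripe):
    """Step 5: varint(version) || varint(stream) || ripe without leading 0x00 bytes."""
    return encode_varint(version) + encode_varint(stream) + ripe.lstrip(b"\x00")

def encode_address(version, stream, ripe):
    """Steps 5-11: append the checksum, base58-encode the integer, prepend 'BM-'."""
    data = intermediate_result(version, stream, ripe)
    return "BM-" + b58encode(int.from_bytes(data + checksum(data), "big"))

def decode_address(address):
    """Decoding Steps 1-7: returns (version, stream, 20-byte ripe) or raises ValueError."""
    if not address.startswith("BM-"):
        raise ValueError("address must start with BM-")
    integer = b58decode(address[3:])
    # Footnote 7: widen the integer to whole bytes (an even number of hex digits).
    raw = integer.to_bytes((integer.bit_length() + 7) // 8, "big")
    if len(raw) < 2 + 18 + 4:
        raise ValueError("address too short")
    data, given = raw[:-4], raw[-4:]
    # Steps 4-6: redo the two missing SHA512 rounds and compare with the checksum.
    if checksum(data) != given:
        raise ValueError("checksum mismatch: address is corrupt or mistyped")
    version, used = decode_varint(data)
    stream, used2 = decode_varint(data[used:])
    ripe = data[used + used2:]
    if len(ripe) > 20:
        raise ValueError("ripe hash longer than 20 bytes")
    return version, stream, ripe.rjust(20, b"\x00")  # put the stripped 0x00 back

def is_valid_address(address):
    """True when the address parses and its checksum verifies."""
    try:
        decode_address(address)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    addr = encode_address(2, 1, EXAMPLE_RIPE)
    print(addr)
    print(decode_address(addr))
```

Running the module prints the address built from the walkthrough's ripe hash and the tuple recovered from it; a mistyped character makes decode_address raise instead of returning.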
Introduction to Cryptography Lecture 7 PublicKey Encryption: ElGamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationCS 332 Computer Networks Security
CS 332 Computer Networks Security Professor Szajda Last Time We talked about mobility as a matter of context: How is mobility handled as you move around a room? Between rooms in the same building? As your
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationCryptography Introduction
Cryptography Introduction Last Updated: Aug 20, 2013 Terminology Access Control o Authentication Assurance that entities are who they claim to be o Authorization Assurance that entities have permission
More informationRequest for Comments: 3566 Category: Standards Track Intel September The AESXCBCMAC96 Algorithm and Its Use With IPsec
Network Working Group Request for Comments: 3566 Category: Standards Track S. Frankel NIST H. Herbert Intel September 2003 Status of this Memo The AESXCBCMAC96 Algorithm and Its Use With IPsec This
More informationHistory Of Cryptography
1 Cryptography History Of Cryptography Pen and Paper Cryptography 2000 B.C. 1750 AD Examples: Caesar Vigenère Mechanical cipher machines 17501950 Confederate Army s Cipher Disk Japanese Red and Purple
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptographyrelated concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationFoundations of Cryptology
Multimedia Security Mauro Barni University of Siena Cryptography Cryptography is the art or science of keeping messages secret; the word cryptography is derived from Greek and literally means secret (crypto)
More informationCSC574: Computer & Network Security
CSC574: Computer & Network Security Lecture 4 Prof. William Enck Spring 2016 (Derived from slides by Micah Sherr, Patrick McDaniel, and Peng Ning) Announcements Homework 2, assigned. Due Friday, January
More informationFINDING CRYPTOGRAPHICALLY STRONG ELLIPTIC CURVES: A TECHNICAL REPORT
FINDING CRYPTOGRAPHICALLY STRONG ELLIPTIC CURVES: A TECHNICAL REPORT HAMISH IVEYLAW AND ROBERT ROLLAND Abstract. Elliptic curve cryptography is becoming the standard for public key cryptography. Unfortunately,
More informationDoubleDES, TripleDES & Modes of Operation
DoubleDES, TripleDES & Modes of Operation Prepared by: Dr. Mohamed AbdEldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationENCRYPTION USING LESTER HILL CIPHER ALGORITHM
ENCRYPTION USING LESTER HILL CIPHER ALGORITHM Thangarasu.N Research Scholar in Department of Computer Science Bharathiar University,Coimbatore Dr.Arul Lawrence SelvaKumar Dean & Professor, Department of
More information1 Achieving INDCPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving INDCPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationSecret Sharing With Trusted Third Parties Using Piggy Bank Protocol
Secret Sharing With Trusted Third Parties Using Piggy Bank Protocol Adnan Memon Abstract This paper presents a new scheme to distribute secret shares using two trusted third parties to increase security
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationCUBETYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS
CUBETYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS George W. Dinolt, James Bret Michael, Nikolaos Petrakos, Pantelimon Stanica Shortrange (Bluetooth) and to so extent mediumrange (WiFi) wireless
More informationThe Application of Elliptic Curves Cryptography in Embedded Systems
The Application of Elliptic Curves Cryptography in Embedded Systems Wang Qingxian School of Computer Science and Engineering University of Electronic Science and Technology China Introduction to Cryptography
More informationAnalysing Onion Routing BachelorThesis
Analysing Onion Routing BachelorThesis Steffen Michels June 22, 2009 Abstract Although methods for reaching security goals such as secrecy, integrity and authentication are widely used in the Internet,
More informationElliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai
Elliptic Curve Cryptography (ECC) based Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai 14th November, 2017 Focus of this talk What should
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationChapter 3 Traditional SymmetricKey Ciphers 3.1
Chapter 3 Traditional SymmetricKey Ciphers 3.1 Copyright The McGrawHill Companies, Inc. Permission required for reproduction or display. Chapter 3 Objectives To define the terms and the concepts of symmetric
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationElliptic Curve Cryptography
CMU Computer Club Talk Series Spring 2015 Elliptic Curve Cryptography We would like to thank Green Hills Software for sponsoring this talk series Green Hills make the world's highest performing compilers,
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, NeedhamSchroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationOutline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation
Outline CSci 5271 Introduction to Computer Security Day 15: Cryptography part 2: publickey Stephen McCamant University of Minnesota, Computer Science & Engineering From last time Goal: bootstrap from
More informationA Simple User Authentication Scheme for Grid Computing
A Simple User Authentication Scheme for Grid Computing Rongxing Lu, Zhenfu Cao, Zhenchuai Chai, Xiaohui Liang Department of Computer Science and Engineering, Shanghai Jiao Tong University 800 Dongchuan
More information