CS682 Advanced Security Topics

Transcription

1 CS682 Advanced Security Topics Lecture 2 Applied Cryptography Elias Athanasopoulos eliasathan@cs.ucy.ac.cy

2 2

3 The Need for Cryptography People had always secrets Ordinary applications are based on secrecy e.g., elections (or e-voting) Machines need to verify information detect errors Unforgeable information ordinary signatures vs digital signatures Many new applications From car keys to smartcards, and cellphones 3

4 Crypto Roadmap Basic Concepts Symmetric Ciphers Asymmetric Ciphers Cryptographic Hash Functions Digital Signatures Random Numbers 4

5 Basic Concepts Secret Public Public Plain Text Crypto System Cipher Text Secret 5

6 Security via Obscurity All crypto algorithms are assumed to be known Security is based on Secrecy of the key Hard to infer the plaintext via the ciphertext Cryptanalysis Infer the plaintext from ciphertext without knowing the key 6

7 Simple Example a simple message X à X + key (i.e., a becomes d ) dcwlpsohcp hwwdjh Invented by Julius Caesar! C = P + K mod 26 (assuming an alphabet of 26 letters!) 3 7

8 Monoalphabetic ciphers Assume an alphabet abcdefghijklmnopqrstuvwxyz_ Index the letters a is 1, b is 2, c is 3,, z is 26, _ is 27 Select a key (secret), which shifts the order Assuming the key is 3, then a is shifted three letters and becomes d, and z becomes b (wraps around the alphabet) 8

9 Multiple and Running Keys Vigenere Cipher Polyalphabetic Substitution Ciphers Key = r, u, n (three Caesar s keys) tobeornottobethatisthequestion runrunrunrunrunrunrunrunrunrun KIOVIEEIGKIOVNURNVJNUVKHVMGZIA 9

10 Secure Enough? Vigenere Cipher Polyalphabetic Substitution Ciphers Key = r, u, n (three Caesar s keys) tobeornottobethatisthequestion runrunrunrunrunrunrunrunrunrun KIOVIEEIGKIOVNURNVJNUVKHVMGZIA 10

11 Frequency Analysis At the cipher text: 11

12 Frequency Analysis English text: 12

13 Example 13

14 Repeat 14

15 One-Time Pad Pushing Vigenereto the extreme! Size of key is size of plain text Avoid repeated patterns Plain: helpsnowden Key: jitwojsktuw Cipher: qmelgwggwyj 15

16 One-Time Pad Key Integrity Plain: helpsnowden Key: jitwojsktuw Cipher: qmelgwggwyj Message Integrity Cipher: qmelgwggwyj Key: kejhopsktuw Plain: givesnowden Key: jitwojsktuw Cipher: pqoagwggwyj Plain: givesnowden 16

17 One-Time Pad Pushing Vigenereto the extreme! Size of key is size of plain text Avoid repeated patterns Plain: heilhitler Key: wclnbtdefj Cipher:DGTYIBWPJA 17

18 One-Time Pad Key Integrity Plain: heilhitler Key: wclnbtdefj Cipher:DGTYIBWPJA Message Integrity Cipher:DGTYIBWPJA Key: wggsbtdefj Plain: hanghitler Cipher:DCYTIBWPJA Key: wclnbtdefj Plain: hanghitler 18

19 One-time Pad Pros Perfect Secrecy Cons Impractical long key Key integrity, given a cipher you can select another key that produces a different valid plain text Message Integrity, given a key you can select a cipher text that produces the desired plain text 19

20 Block Ciphers So far, we: Treat the message as one-dimension stream Use only substitution We just shift letters (i.e., C = P + K mod 26) Block Ciphers Split message to equally sized blocks Encrypt each block 20

21 Playfair (rule 1) If two letters are in the same row (or column) they are replaced by the succeeding letters: am becomes LE P A L M E R S T O N B C D F G H I K Q U V W X Y Z 21

22 Playfair (rule 2) Otherwise the two letters stand at two of the corners of the rectangle in the table, and we replace them with the letters at the other two corners of this rectangle: lo becomes MT P A L M E R S T O N B C D F G H I K Q U V W X Y Z 22

23 Playfair Algorithm Replace all j with i in plaintext Split plaintext in two-letter blocks Double letters are separated by x z is used (conditionally) for padding Apply Rule 1 and 2 23

24 Example Lord Granville lo rd gr an vi lx le sl et te rz MT TB BN ES WH TL MR TA LN NL NV 24

25 SYMMETRIC CIPHERS 25

26 26

27 Hill Cipher Each letter is interpreted as a number (0-25) Message is written as a matrix CAT becomes: For encryption C = K M M = K -1 C 2 M =

28 Transposition Produces a new permutation of the message Does not change the statistics of the message Easiest way to implement it is by matrix multiplication 28

29 Transposition Initial order: [1, 2, 3, 4, 5] If you want to produce [3, 1, 2, 5, 4] you need to multiply it using

30 Basic Operations Substitution (αντικατάσταση) Changes the statistics of the message by substituting letters with other letters Transposition (μετάθεση) Reorders the letters of the message Both are linear operations (reversible) 30

31 Symmetric Ciphers Relatively fast One key encrypts and decrypts Block-based or Stream-based Several rounds Substitutions and Transpositions Not on letters, but on bits (or bytes) Major weakness Key distribution 31

32 Plain Text Symmetric Cryptographic Encryption Cipher Text Cipher Text Symmetric Cryptographic Decryption Plain Text 32

33 Modern Symmetric Ciphers DES, 3DES, and AES AES is the dominant one, today Based on Substitutions and transpositions Very complex Type Block Stream 33

34 Block vs Stream Block cipher A block of plaintext is treated as a whole and used to produce a block of ciphertext of equal length Typically, a block size of 64 or 128 bits is used Stream cipher Plaintext is treated as a data stream and one bit or one byte is processed at a time 34

35 Block cipher Plaintext of n bits produces a ciphertext of n bits Block size: n bits Space of different plaintext blocks: 2^n Each block must be unique 35

36 Reversibility REVERSIBLE MAPPING IRREVERSIBLE MAPPING Plaintext Ciphertext Plaintext Ciphertext

37 Ideal Substitution Cipher Mapping: key 4 bits x 16 rows = 64 bits! 37

38 Problems Vulnerable to statistical attacks Small blocks can take limited transformations Large blocks (increase n) are impractical Key size: 4 bits x 16 rows In general: n x 2 n Approximate the ideal case Example: 64-bit block requires a key of 64 x 2 64 = bits (!!) 38

39 Practical Ciphers Goal Approximate the ideal cipher Reduce statistical properties between plaintext, ciphertext, and key(s) Combining Substitutions and Transpositions Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements Transposition: A sequence of plaintext elements is replaced by a permutation of that sequence; no elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed 39

40 40

41 41

42 Information Theory Approach Confusion Obscures the relationship between the plaintext and the ciphertext The easiest way to do this is through substitution Diffusion Reduces repeated plaintext patterns by spreading out the plaintext over the ciphertext The easiest way to do this is through transposition 42

43 Realizing Substitution (S-box) Mapping 6 bits of input to 4 bits (taken from DES) Example: S-box Middle 4 bits of input Outer bits

44 Super Complicated! 44

45 Properties Block size: Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm A block size of 64 bits is reasonable tradeoff AES uses a 128-bit block size Key size: Larger key size means greater security but may decrease encryption/decryption speed Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size 45

46 Properties Number of rounds: Several rounds are involved A typical size is 16 rounds Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis 46

47 Extra (desired) properties Fast software encryption/decryption: In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation Ease of analysis: There is great benefit in making the algorithm easy to analyze It is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength DES, for example, does not have an easily analyzed functionality 47

48 Block modes Mode Description Typical Application Electronic Codebook (ECB) Cipher Block Chaining (CBC) Each block of 64 plaintext bits is encoded independently using the same key. The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. And some more: PCBC, CFB, OFB, CTR Secure transmission of single values (e.g., an encryption key) General-purpose blockoriented transmission Authentication 48

49 Block mode is important Original ECB encryption Non-ECB encryption 49

50 Advanced Encryption Standard (AES) Subset of Rijndael Developed in 1998 by two Belgian cryptographers, Joan Daemen and Vincent Rijmen Most widely used Symmetric Cipher today Block Size 128 bits Key size 128, 192, or 256 bits 50

51 Advanced Encryption Standard (AES) 10 rounds Round types SubBytes, an S-box substitution step ShiftRows, a permutation step MixColumns, a matrix multiplication (like Hill cipher) AddRoundKey, a XOR-based operation that produces a new key based on the initial one 51

52 AES S-box :-) a 0b 0c 0d 0e 0f c 77 7b f2 6b 6f c b fe d7 ab ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 20 b7 fd f f7 cc 34 a5 e5 f1 71 d c7 23 c a e2 eb 27 b c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 80 cd 0c 13 ec 5f c4 a7 7e 3d 64 5d f dc 22 2a ee b8 14 de 5e 0b db a0 e0 32 3a 0a c c2 d3 ac e4 79 b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 70 3e b f6 0e b9 86 c1 1d 9e e0 e1 f d9 8e 94 9b 1e 87 e9 ce df f0 8c a1 89 0d bf e d 0f b0 54 bb 16 The column is determined by the least significant 4 bits, and the row is determined by the other half (0x9a becomes 0xb8) 52

53 OpenSSL OpenSSL is an Open Source library for cryptographic operations Written in C, available in many languages Java, Python, Ruby, etc. 53

54 STREAM CIPHERS 54

55 The need for randomness Replay attacks Adding a random secret (nonce) helps against attackers that replay encrypted messages Session key generation Session keys are cryptographic keys that have a short life Generation of keys for the RSA public-key encryption algorithm RSA is based on selecting large prime numbers randomly Stream ciphers Their security is entirely based on randomness 55

56 Randomness Uniform distribution The distribution of bits in the sequence should be uniform The frequency of occurrence of ones and zeros should be approximately equal Independence No subsequence in the sequence can be inferred from the others Security requirement Unpredictability 56

57 Random Generator Types True Random Number Generators (TRNGs) Pseudo-random Number Generators (PRNGs) Source of true randomness Seed Convert to bits Algorithm Random bits Pseudo-random bits 57

58 TRNGs 58

59 PRNGs r = f(seed); 59

60 Requirements Uniformity Occurrence of a zero or one is equally likely The expected number of zeros (or ones) is n/2, where n = the sequence length Scalability Any test applicable to a sequence can also be applied to subsequences extracted at random If a sequence is random, then any such extracted subsequence should also be random Consistency The behavior of a generator must be consistent across starting values (seeds) 60

61 Tests Frequency test Determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence Runs test Determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence Maurer s universal statistical test Detect whether or not the sequence can be significantly compressed without loss of information A significantly compressible sequence is considered to be non-random 61

62 Unpredictability Forward unpredictability If the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence Backward unpredictability It should also not be feasible to determine the seed from knowledge of any generated values No correlation between a seed and any value generated from that seed should be evident Each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2 62

63 Seed Source of true randomness Convert to bits Seed Algorithm Pseudo-random bits 63

64 Cryptographic PRNGs Existing cryptographic algorithms Stream ciphers Asymmetric ciphers (RSA, compute primes) Hash functions Message Authentication Codes (MACs) 64

65 Xn+1 =(axn +c) mod m X0 is the seed (assume X0=1) Selection of a, c, and m, is critical a=7, c=0, m=32 7, 17, 23, 1, 7,... a=5 5, 25, 29, 17, 21, 9, 13, 1, 5,... In theory m should be very large (2^31) 65

66 Stream Ciphers plaintext key stream ciphertext 66

67 Key / Seed Key / Seed Pseudo-random Byte Generator (key stream) Pseudo-random Byte Generator (key stream) plaintext stream ciphertext stream plaintext stream Encryption Decryption 67

68 RC4 Designed by Ron Rivest in 1987 Used today in TLS TLS is the cipher suite behind HTTPS Used in WEP Got broken There are concerns about the security of RC4 Based on random permutations Period is believed to be greater than to 16 machine operations are required per byte of the ciphertext 68

69 RC4 Initialization /* Initialization */ for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen]; /* Initial Permutation of S */ j = 0; for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256; Swap (S[i], S[j]); 69

70 RC4 Stream Generation i, j = 0; while (true) i = (i + 1) mod 256; j = (j + S[i]) mod 256; Swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t]; Encryption: XOR the next byte of plaintext with k Decryption: XOR the next byte of ciphertext with k 70

71 RC4 71

72 RC4 /* Initialization */ for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen]; 72

73 RC4 /* Initialization */ for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen]; /* Initial Permutation of S */ j = 0; for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256; Swap (S[i], S[j]); 73

74 RC4 /* Initialization */ for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen]; /* Stream Generation */ i, j = 0; while (true) i = (i + 1) mod 256; j = (j + S[i]) mod 256; Swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t]; /* Initial Permutation of S */ j = 0; for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256; Swap (S[i], S[j]); 74

75 Additional Reading On the Security of RC4 in TLS. Nadhem AlFardan, et al. In Usenix Security ity13/technical-sessions/paper/alfardan 75

76 Block cipher to Stream cipher Cipher-feedback mode (CFB) C i = E K (C i-1 ) B i The encryption of a block, C i, is the encryption of the previous block, C i-1, XORed with the current plaintext block, B i Reducing the block size 1 byte (or less) Block cipher behaves like a stream cipher High overhead 76

77 Cryptographic Attacks Ciphertext-only Attacker has access to ciphertext of one or more messages, encrypted all with the same key Known-plaintext Attacker has access to one or more plaintext-ciphertext pairs, encrypted all with the same key Chosen-plaintext Attacker can chose one or more plaintext messages and receive their ciphertext (either off-line or on-line) Chosen-ciphertext Attacker can chose one or more chiphertext messages and receive their plaintext (either off-line or on-line) 77

78 ASYMMETRIC ENCRYPTION 78

79 Modular Arithmetic ( ) mod 12 = 23 mod 12 = 11 mod 12 Or, we could say: 11 and 23 are equivalent, modulo 12 Another way to write this: (mod 12) 79

80 Modular Arithmetic a b (mod n) if a = b + kn, for some integer k For the example: (mod 12), since 23 = , k = 1 Another example: 82 2 (mod 20), since 82 = , k = 4 80

81 Modular Inverse The multiplicative inverse of 4 is 1/4, since 4 1/4 = 1 In modular arithmetic 4 x 1 (mod 7), translates to 4 x = 7 k + 1, where both x and k are integers General form 1 = (a x) mod n a -1 x (mod n) Not always solvable The inverse of 5, modulo 14, is 3 2 has no inverse modulo 14 81

82 Prime number An integer p > 1 is a prime number if and only if its only divisors are: 1, p (and p) No other number evenly divides it Primes 5, 7, 13, 19, 2521 Non primes 4, 8, 39,

83 Relative primes (co-primes) Two numbers are relative prime when they share no factors in common other than 1 15 and 28 are relative primes 15 and 27 are not relative primes 13 and 500 are relative primes 83

84 Euler s Totient Function, φ(n) φ(n) is the number of positives integers less than n that are relative prime to n φ(1) is 1, by definition If n = pq, where p and q are primes φ(n) = (p-1)(q-1) Super important! 84

85 Recipe 1/3 Suppose you want to encrypt the message: 2 Let s say that A maps to 0, B maps to 1, and C maps to 2; you want to map C to another letter Pick two prime numbers p = 2 and q = 7 Multiply them n = pq = 2 7 = 14 85

86 Recipe 2/3 Calculate φ(n), or φ(14) φ(n) = (p-1) (q-1) = (2-1) (7-1) = 6 Pick a number that is relative prime to 6 and smaller than 6 e = 5 Solve the equation x 5 1 (mod 6) Find an integer x that if multiplied with 5 the result is 1 mod 6 x = 11, because 55 mod 6 = 1 mod 6 let s call that d = 11 86

87 Recipe 3/3 For encryption 2 5 mod 14 = 32 mod 14 = 4 (so 2 becomes 4) For decryption 4 11 mod 14 = mod 14 = 2 87

88 What did just happen? We encrypted 2 to 4 We decrypted 4 back to 2 No substitution No transposition No single key 88

89 RSA 89

90 Properties 2 keys Public Key (no secrecy) Private Key (if stolen everything is lost) Easy algorithm, but hard to reverse Computationally hard to infer p and q from n = pq Computationally hard means solvable in nonpolynomial time 90

91 RSA Encryption C = M e mod n Decryption M = C d mod n = (M e mod n) d = M ed mod n Keys Public Key = {e, n} Private Key = {d, n} ed 1 mod φ(n) 91

92 RSA Steps p, q, two prime numbers Private n = pq n can be public, but recall that it is hard to infer p and q by just knowing n e is relative prime to φ(n) Public Recall φ(n) = (p-1)(q-1) d from e, and φ(n) Private ed 1 mod φ(n) Can be computed since we know p and q 92

93 RSA example 1. Select p = 17 and q = Then, n = pq = = φ(n) = (p-1)(q-1) = = Select e relatively prime to φ(n) = 160 and less than φ(n); e = 7 5. Determine d - de 1 (mod 160) and d < 160, - d = 23, because 23 7 = 161 = (1 160) + 1; 93

94 Computational Aspects RSA builds on exponents Intensive operation Side channels 94

95 CRYPTOGRAPHY AND APPLICATIONS 95

96 96

97 p (big random prime) q (big random prime) n = p q computing p and q from n requires superpolynomial time in the number of digits Compute φ(n), φ(n) = (p-1)(q-1) only if n can be expressed as n = p q, where p and q are primes Select e which is relative prime to (p-1)(q-1) Select d from d e 1 mod (p-1)(q-1) Private Key {e, n} Public Key {d, n} Both keys {e, n} and {d, n} are equivalent, any of them can be used as the private key and the other one as the public key 97

98 Recall Symmetric Ciphers Plain Text Symmetric Cipher (Encryption) Cipher Text Cipher Text Symmetric Cipher (Decryption) Plain Text 98

99 Asymmetric Encryption Mode 1 Plain Text Asymmetric Cipher Cipher Text Public Key Cipher Text Asymmetric Cipher Plain Text Private Key 99

100 Asymmetric Encryption Mode 2 Plain Text Asymmetric Cipher Cipher Text Private Key Cipher Text Asymmetric Cipher Plain Text Public Key 100

101 RSA Plain Text (plain text) e mod n Cipher Text e, n Cipher Text (cipher text) d mod n Plain Text d, n 101

102 Asymmetric Ciphers RSA prime factorization ElGamal Computing discrete logarithms Elliptic curves More complicated, but smaller key sizes 102

103 Cryptographic Hash Functions message 1 (N bits) Cryptographic Hash Function Hash Value A (256 bits) message 2 (N bits) Cryptographic Hash Function Hash Value B (256 bits) Ideally: If message 1 and message 2 differ by one bit, then A and B differ in 50% of their bits 103

104 High-level Properties Complicated one-way functions One-way Hard to compute the message by having just the hash value (or digest) No cryptographic keys Should not be confused with invertible functions (1-1) Collision Find a message that cryptographically hashes to a given digest H 104

105 Requirements Requirement Variable input size Fixed output size Efficiency Preimage resistant (one-way property) Second preimage resistant (weak collision resistant) Collision resistant (strong collision resistant) Pseudorandomness Description H can be applied to a block of data of any size H produces fixed-length output (called hash value or message digest) H(x) is relatively easy to compute for any given x (in terms of both software/hardware implementations) For any given hash value h, it is computationally infeasible to find y such that H(y) = h For any given block x, it is computationally infeasible to find y <> x with H(y) = H(x) It is computationally infeasible to find any pair (x,y) such that H(x) = H(y) Output of H meets standard tests for pseudorandomness 105

106 Lifetimes of cryptographic hash functions More: SHA256 is considered currently safe 106

107 Modern Applications Cipher suites Transport Layer Security (TLS), encrypted sockets Symmetric Key distribution Digital Signatures Passwords 107

108 Symmetric Key Distribution Symmetric Key (symmetric key) d mod n Cipher Text d, n (public key) Cipher Text (symmetric key) e mod n Symmetric Key e, n 108

109 The need for signatures Confidentiality is not always the key requirement for cryptography Communication between untrusted parties Bob may forge a message and claim that it came from Alice Bob can deny sending a message Example An electronic funds transfer takes place, and the receiver increases the amount of funds transferred 109

110 Requirements The signature must be a bit pattern that depends on the message to be signed The signature must use some information unique to the sender, to prevent both forgery and denial It must be relatively easy to produce the digital signature It must be relatively easy to recognize and verify the digital signature It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message It must be practical to retain a copy of the digital signature in storage 110

111 Digital Signing Document (Arbitrary Size) Cryptographic Hash Key (Fixed Size) Public-Key Cryptography (RSA) Private Key Signed Document (Arbitrary Size + signature) Message Signature Message Signature 111

112 Verifying Digital Signatures Document (Arbitrary Size + signature) Document (Arbitrary Size + signature) Message Signature Message Signature Cryptographic Hash Function Public-Key Cryptography (RSA) Public Key Document Hash Key Document Hash Key 112

113 Passwords Services Store cryptographic hashes of passwords Passwords in plaintext are deleted Authentication Services check only cryptographic hashes and not plaintext passwords Encrypting passwords is a bad idea Attacker can leak the key Passwords are salted Identical plaintext passwords produce different hash keys 113

114 Attacking Passwords Brute force Dictionary attacks Rainbow tables Salt can make this extremely hard GPUs 114

115 115

116 Original File Attacker RSA Public Key (fixed), PuK Computed RSA Public Key, Sub-PuK Computed RSA Private Key, Sub-PrK Computed AES Key (per file), EncK 1. Encrypt file with EncK (per-file encryption) 2. Encrypt EncK with Sub-PuK and store it to WannaCry Header (per-host encryption) 3. Encrypt Sub-PrK with PuK and send it to attacker (attacker has a different decryption key per host) WannaCry Header Encrypted File Read more: WannaKey, 116