Introduction to Cryptography. Ramki Thurimella

Transcription

1 Introduction to Cryptography Ramki Thurimella

2 Encryption & Decryption 2

3 Generic Setting 3

4 Kerckhoff s Principle Security of the encryption scheme must depend only on The secret key NOT on the secrecy of the algorithm Algorithms do not usually change Nobody designs a separate algorithm for each pair of users There could be million users using the same algorithm (Eve can easily get a copy) 4

5 Kerckhoff s Principle (cont.) Netscape fiasco (details in NYT article) There is usually a healthy distrust of Proprietary Confidential Or otherwise secret algorithms Publishing encourages other security researchers to find flaws & suggest fixes SCADA 5

6 Authentication 6

7 MAC Assuming Alice and Bob somehow agree on a key K e 7

8 Authentication Eve can still Delay or Delete messages Replay Change the message order So, MAC is typically combined with sequence numbers With this, Bob can receive a subsequence of messages sent by Alice 8

9 Public-Key Cryptography Encryption Figure from 9

10 Public-Key Cryptography (cont.) Both Alice and Bob have a pair of keys, one that is public and one private that they keep secret. Given a public key, one cannot derive the corresponding private key Solves the key-distribution problem Used in the first phase of SSL to exchange a symmetric key Why not use asymmetric key cryptography for everything? 10

11 Public-Key Cryptography (cont.) Modular arithmetic on large (thousands of digits) integers is slooow! Digital signatures: If Alice applies her secret key and sends the message, then every one in possession of her public key can verify that the message originated from Alice The key pair can be applied in either order, i.e. the function composition is commutative. This order of function application is useful for authentication 11

12 Public-Key Cryptography (cont.) Digital Signatures Figure from 12

13 Can the pubic key be trusted? Eve can replace Alice s public key with a different one How can Bob be sure that the public key of Alice really belongs to Alice? Have a Certification Authority (CA) sign the public key vouching for the authenticity How can CA s public key be trusted? Hardcode (bury) the public key of a handful of CA s in the browsers/operating systems Some example CAs are Verisign, GoDaddy, Comodo 13

14 Problems with PKI For scale, the task of signing public keys is delegated to lower level CAs. That is, there is a hierarchy: root CA and lower-level CAs One CA might not be trustworthy to everyone in the world What if CA s secret key is stolen? CA s liability 14

15 Attacks Ciphertext-only model Known-Plaintext model Chosen-Plaintext model Chosen-Ciphertext model Distinguishing Attack goal Other (information leakage or side-channel) Attack Digital Signatures Timing information (how fast encryption and decryption took) & Ciphertext length 15

16 Ciphertext-only model Eve has access only to the ciphertext Hardest because Eve has the least amount of information This is the attack most people are referring to when they say breaking an encryption system The goal is to decrypt a message, or derive the secret key 16

17 Known-Plaintext model Eve has ciphertext + corresponding plaintext Goal: derive the secret key How did Eve get her hands on the plaintext? Predictable Some parts of Auto responders, if the recipient is on a vacation Padding characters Heart-beat messages Eve received legitimately from Alice (as part of a protocol) Ciphertext is a draft version, later Alice and Bob publish the final version 17

18 Chosen-Plaintext model Eve has control over the plaintext Can feed Alice a chosen plaintext p have Alice produce the corresponding ciphertext c Eve uses c and p to derive the secret key E.g. Eve has access to Unix passwd file She can invoke the passwd function, supply different words (say from a dictionary) and compare with the encrypted entries in the passwd file Dictionary Attack To see your own linux password hash % sudo getent shadow $USER cut -d : -f 2 Offline and Online 18

19 Chosen-Ciphertext model Misnomer it is really chosen-plaintext + chosen-ciphertext, i.e. Given plaintext, you get ciphertext Given ciphertext, you get plaintext Goal: derive the secret key Eve might have stolen the encryption system and trying to figure out the inner workings 19

20 Distinguishing Attack goal An attack that does not entirely decrypt or find the secret key, but Reveals partial information about the message Any nontrivial method that distinguishes between the ideal encryption and the actual one 20

21 Information leakage or sidechannel Attacks on authentication or digital signatures Eve might know The time it took to compute c Energy consumed Eavesdropping on keystrokes 21

22 Birthday Attacks Source: 22

23 Birthday Attacks (cont.) Assume all birthdays are equally probable By pigeon-hole principle, if the number of people n is 367, then P(collision) = 1 n c 2 when n=23 is 253 pairs n c 2 is O(n 2 ) Collision probability exceeds 50% when n is greater than sample space 23

24 Birthday Attacks (cont.) How is this related to cryptography For secure financial transactions, use a fresh 64-bit authentication key There are 2 64 (=18*10 18 ) key values But, after 2 64 = 2 32 (only 4 billion), two transactions use the same key with more 50% probability Assume every transaction starts with Are you ready? Eve can compare the new MAC with the old ones and see if any of the old ones is being repeated If yes, Eve can mount a replay attack 24

25 Meet-in-the-middle Attacks Cousins of Birthday Attacks Fall under the broad category of collision attacks Method Choose 2 32 different 64-bit keys at random Compute the MAC for Are you ready? for each one If MAC from the transaction matches one of the 2 32 MACs that were precomputed, then the precomputed key matches Alice s key with high likelihood Insert arbitrary messages since the secret key is 25

26 Meet-in-the-middle Attacks (cont.) How many messages does she need to listen to before Eve has a hit? The probability that Alice s key matches one of the precomputed keys is 1/2 32 Expected value of a collision is 1 after witnessing 2 32 transactions Far fewer than brute-forcing 2 64 values 26

27 Meet-in-the-middle Attacks (cont.) Abstractly Say the sample space is N Eve has generated a set of P keys Alice has generated Q keys Number of pairs = P*Q Collision occurs when P*Q is close N P = N (1/3) and Q = N (2/3) This attack provides more flexibility to Eve She should choose P and Q so as to minimize the total cost 27

28 Security Level How much work does it take to break a system? steps to break a 235-bit key What is a step? Could be looking up a table entry Database hit Computing a simple function Could take 1 clock cycle 1 second 10 6 clock cycles Abstractly, we would like difficulty relative to a brute-force attack Textbook assumes 1 step = 1 clock cycle to simplify analysis 28

29 Security Level (cont.) Current systems require 128-bit security for them to last for next few decades For engineering reasons, the key length is typically a power of 2 Security level Focuses only how much work Eve has to do Ignores interaction with the system (Does Eve have access to plaintext or the encryption system?) 29

30 Performance Cryptographic algorithms are seen as slow DO NOT attempt to roll your own crypto system Adding AES one would take roughly 20% performance hit If https initialization is slow, it is better throw more hardware at it than to write your own ssl There are already enough insecure fast systems; we don t need another one 30

31 Complexity Complexity is the worst enemy of security Test Test Fix 31

32 Complexity (cont.) Testing shows only the presence of errors, not the absence of them Dijkstra Testing can only test for functionality Security is the absence of functionality, i.e. the Test attacker should not be able to achieve a certain property; Testing is not suitable for this Build a robust system ground up (factor security in design) Modularize correctness must be a local property 32