COMP4109 : Applied Cryptography

Transcription

1 COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University

2 Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions 2

3 Information Security The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modication, or destruction in order to provide integrity, which means guarding against improper information modication or destruction, and includes ensuring information non-repudiation and authenticity; condentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information. Cryptography can help with integrity and condentiality. Title 44 (US Congress) 3

4 Information Security The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modication, or destruction in order to provide integrity, which means guarding against improper information modication or destruction, and includes ensuring information non-repudiation and authenticity; condentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information. Cryptography can help with integrity and condentiality. Title 44 (US Congress) 3

5 Information Security cryptography security crypto provides mathematical tools to help with information security it is a small part of security it is an essential part of security security is a chain weakest link is the target one weak link is all that is needed to break a system crypto is generally not the weakest link 4

6 Information Security cryptography security crypto provides mathematical tools to help with information security it is a small part of security it is an essential part of security security is a chain weakest link is the target one weak link is all that is needed to break a system crypto is generally not the weakest link the math in the crypto is not the weakest link 4

7 Cryptography Cryptography is about secure communication in the presence of third parties (called adversaries) Adversaries who are they? insider/outsider, vendor, eavesdropper, governments what do they know? implementation details, passwords, social media information what resources do they have? large computing power, control communication lines, inuence/corrupt entities 5

8 Cryptography Cryptography is about secure communication in the presence of third parties (called adversaries) Adversaries who are they? insider/outsider, vendor, eavesdropper, governments what do they know? implementation details, passwords, social media information what resources do they have? large computing power, control communication lines, inuence/corrupt entities 5

9 Cryptography Cryptography is about secure communication in the presence of third parties (called adversaries) Adversaries who are they? insider/outsider, vendor, eavesdropper, governments what do they know? implementation details, passwords, social media information what resources do they have? large computing power, control communication lines, inuence/corrupt entities 5

10 Cryptography Cryptography is about secure communication in the presence of third parties (called adversaries) Adversaries assume the adversary knows the whole system and it components, except for the secret key(s)/parameter(s) - Kerckho's Principle assume the adversary has strong abilities 6

11 Cryptography Cryptographic Primitives are tools that help provide secure communication in the presence of adversaries encryption schemes, hash functions, digital signatures, PRNGs are all examples three types of cryptographic primitives 7

12 Cryptography Cryptographic Primitives unkeyed systems which do not need any secret parameters one-way functions, hash functions, random bit generators private-key systems which rely on a shared secret key symmetric ciphers (block/stream ciphers), message authentication codes (MACs), pseudo-random bit generators (PRGs) public-key systems which rely on a secret parameter known to only one party public key exchange, public-key cryptosystems (RSA), digital signature schemes 8

13 Cryptography For any cryptographic primitive there can be various possible denitions of security. We'll use the following for now... The security of a system is based on how much work is needed to break it if the best known attack on a system requires 2 l operations then the security strength of the system is l this corresponds to an exhaustive search guessing an l-bit secret key what values of l are (in)secure? 9

14 Cryptography from NIST 10

15 Cryptography from NIST Note: 128-bit security corresponds to 256-bit ECC and 3072-bit RSA 10

16 Unkeyed Primitives some cryptographic primitives do not require any secret parameters one-way functions hash functions random bit generators 11

17 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. 12

18 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. it is not known if any one-way functions exist 12

19 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. it is not known if any one-way functions exist existence of one-way functions implies P NP 12

20 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. it is not known if any one-way functions exist existence of one-way functions implies P NP some functions are thought to be one-way 12

21 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. it is not known if any one-way functions exist existence of one-way functions implies P NP some functions are thought to be one-way multiplying two dierent primes 12

22 One-Way Functions A one-way function f is an easily computable function f : A B which is computationally dicult to invert in the average case. Given x A, it is easy to compute f (x) = y B. But, given y B, it is dicult to compute any x A such that f (x) = y for all but a negligible number of y. it is not known if any one-way functions exist existence of one-way functions implies P NP some functions are thought to be one-way multiplying two dierent primes squaring a number modulo N=pq 12

23 (Unkeyed) Hash Functions A hash function h is an easily computable function h : {0,1} {0,1} n. All hash functions have two basic properties compression : h maps binary strings of arbitrary (but nite) length to binary strings of xed length ease of computation : computes h(x) in time polynomial in log x A cryptographic hash function has some additional properties preimage resistance: given y it is hard to nd an x such that h(x) = y. (one-way) second preimage resistance: given x it is hard to nd x x such that h(x) = h(x ) (weak collision resistance) collision resistance: it is hard to nd x,x such that x x and h(x) = h(x ) (strong collision resistance) 13

24 Hash Functions for h(x) = y, x is called the message and y is the hash, or message digest 14

25 Hash Functions for h(x) = y, x is called the message and y is the hash, or message digest preimage resistance or one-way given a hash value it is hard to nd a message that hashes to it old Unix passwords and /etc/passwd 14

26 Hash Functions for h(x) = y, x is called the message and y is the hash, or message digest preimage resistance or one-way given a hash value it is hard to nd a message that hashes to it old Unix passwords and /etc/passwd second preimage resistance or weak collision resistance given a message it is hard to nd a dierent message with the same hash value hash-and-sign digital signatures 14

27 Hash Functions for h(x) = y, x is called the message and y is the hash, or message digest preimage resistance or one-way given a hash value it is hard to nd a message that hashes to it old Unix passwords and /etc/passwd second preimage resistance or weak collision resistance given a message it is hard to nd a dierent message with the same hash value hash-and-sign digital signatures collision resistance or strong collision resistance it is hard to nd two dierent messages with the same hash value HashCollisions/ NIST_05.pdf 14

28 Hash Functions other desirable properties resistence to length-extension attacks hard to nd two messages with similar hashes non-malleable given h(x), compute h(x ) where x and x are related ideally, acts like a random function 15

29 Hash Functions there are some relationships between dierent propertis collision resistance 2nd preimage resistance 2nd preimage resistance collision resistance collision resistance preimage resistance let H : {0,1} {0,1} n be collision resistant consider J : {0,1} {0,1} n+1 J(x) = { 1 x x = n 0 H(x) x n J is collision resistant, J is not preimage resistant (one-way) 16

30 Hash Functions hash function uses password storage modication detection codes (MDCs) digital signatures (hash & sign) commitments authenticate many objects (Merkle tree) 17

31 Hash Functions hash function uses password storage needs preimage resistance (one-way) modication detection codes (MDCs) digital signatures (hash & sign) commitments authenticate many objects (Merkle tree) 17

32 Hash Functions hash function uses password storage needs preimage resistance (one-way) modication detection codes (MDCs) needs 2nd preimage resistance (weak collision resistance) digital signatures (hash & sign) commitments authenticate many objects (Merkle tree) 17

33 Hash Functions hash function uses password storage needs preimage resistance (one-way) modication detection codes (MDCs) needs 2nd preimage resistance (weak collision resistance) digital signatures (hash & sign) needs collision resistance (need not be one-way) commitments authenticate many objects (Merkle tree) 17

34 Hash Functions hash function uses password storage needs preimage resistance (one-way) modication detection codes (MDCs) needs 2nd preimage resistance (weak collision resistance) digital signatures (hash & sign) needs collision resistance (need not be one-way) commitments needs all three properites + non-maleability authenticate many objects (Merkle tree) 17

35 Hash Functions hash function uses password storage needs preimage resistance (one-way) modication detection codes (MDCs) needs 2nd preimage resistance (weak collision resistance) digital signatures (hash & sign) needs collision resistance (need not be one-way) commitments needs all three properites + non-maleability authenticate many objects (Merkle tree) needs collision resistance 17

36 Hash Functions some hash functions n broken? MD4 128 not collision resistant MD5 128 not collision resistant SHA SHA SHA SHA-3 224, 256, 384, 512 Tiger 192 Skein arbitrary. 18

37 Hash Functions look at hash function construction next time compression function, Merkle-Damgard sponge others... 19

38 Crypto Today readings for next class Freedom to Tinker Schneier on Security 20