Private Key Cryptography. TELE3119: Week2

Transcription

1 Private Key Cryptography TELE3119: Week2

2 Private Key Ecryptio Also referred to as: covetioal ecryptio symmetric key ecryptio secret-key or sigle-key ecryptio Oly alterative before public-key ecryptio i 1970 s Still most widely used alterative 2-2

3 Private Key Cryptography Oe key shared by both participators oe key, two operatios (ecryptio ad decryptio) 2-3

4 Example: Polyalphabetic ecryptio 500 years ago! moo-alphabetic ciphers, C 1, C 2,,C Cyclig patter: e.g., =4, C 1,C 3,C 4,C 3,C 2 ; C 1,C 3,C 4,C 3,C 2 ; For each ew plaitext symbol, use subseuet moo-alphabetic cipher i cyclic patter dog: d from C 1, o from C 3, g from C 4 Key: the ciphers ad the cyclic patter 2-4

5 Polyalphabetic ecryptio example Plaitext letter: a b c d e f g h i j k l m o p r s t u v w x y z C 1 (k=5) : f g h i j k l m o p r s t u v w x y z a b c d e C 2 (k=19) : t u v w x y z a b c d e f g h i j k l m o p r s Patter: C 1, C 2, C 2, C 1, C 2 Plaitext message: bob, i love you Cipher text message:? ghu, etox dhz Key? 2-5

6 Two types of moder private ciphers Stream ciphers ecrypt oe bit at a time E.g. RC4 Block ciphers Break plaitext message i eual-size blocks Ecrypt each block as a uit E.g. DES, IDEA, AES 2-6

7 Stream Ciphers pseudo radom iput key keystream geerator keystream Combie each bit of keystream with bit of plaitext to get bit of ciphertext XOR operatio m(i) = i th bit of message ks(i) = i th bit of keystream c(i) = i th bit of ciphertext c(i) = ks(i) Å m(i) (Å = exclusive or) m(i) = ks(i) Å c(i) 2-7

8 Review: XOR is their bit- XOR of two strigs i {0,1} wise additio mod 2 2-8

9 Give M ad C, ca you compute the Key? a) No, I caot compute the key b) Yes, the key is k = m c c) I ca oly compute half the bits of the key d) Yes, the key is k = m m 2-9

10 Give M ad C, ca you compute the Key? a) No, I caot compute the key b) Yes, the key is k = m c c) I ca oly compute half the bits of the key d) Yes, the key is k = m m Msg: Key: Ct:

11 RC4 Stream Cipher RC4 is a popular stream cipher Ecrypts plaitext 1 byte at a time Key ca be from 1 of 256 bytes Used i WEP for Ca be used i SSL Very fast Ecryptio/ Decryptio But, log keys As log as plaitext 2-11

12 Block ciphers Message to be ecrypted is processed i blocks of k bits (e.g., 64-bit blocks). Note: Small block size is t secure 1-to-1 mappig is used to map k-bit block of plaitext to k-bit block of ciphertext Example of oe possible mappig with k=3: iput output iput output What is the ciphertext for ? 2-12

13 Block ciphers How may possible mappigs are there for k=3? How may 3-bit iputs? How may permutatios of the 3-bit iputs? Aswer: 40,320 ; ot very may! I geeral, 2 k! mappigs; huge for k=64 Problem: Table approach reuires table with 2 64 etries, each etry with 64 bits Table too big: istead use fuctio that simulates a radomly permuted table 2-13

14 Prototype fuctio 64-bit iput 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits T 1 T 2 T 3 T 4 T 5 T 6 T 7 T 8 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 64-bit scrambler 8-bit to 8-bit mappig Loop for rouds 64-bit output 2-14

15 Why rouds i prototype? If oly a sigle roud, the oe bit of iput affects at most 8 bits of output. I 2 d roud, the 8 affected bits get scattered ad iputted ito multiple substitutio boxes. How may rouds? How may times do you eed to shuffle cards Becomes less efficiet as icreases 2-15

16 Questio What is the key for the prototype fuctio of block cipher? Note: Scramble fuctio is publicly kow 2-16

17 Ecryptig a large message Why ot just break message i 64-bit blocks, ecrypt each block separately? (paddig the last block if ecessary) If same block of plaitext appears twice, will give same ciphertext. t=1 m(1) = HTTP/1.1 block cipher t=17 m(17) = HTTP/1.1 block cipher c(1) c(17) = k329am02 = k329am02 A attacker could potetially guess the plaitext whe it sees idetical ciphertext blocks (usig kowledge about uderlyig protocol structure) 2-17

18 Ecryptig a large message How about: Geerate radom 64-bit umber r(i) for each plaitext block m(i) Calculate c(i) = K S ( m(i) Å r(i) ) Trasmit c(i), r(i), i=1,2, At receiver: m(i) = K S (c(i)) Å r(i) m= r(1)=001, r(2) =111, r(3)=100 c= Problem: iefficiet, eed to sed c(i) ad r(i) 2-18

19 Cipher Block Chaiig (CBC) CBC geerates its ow radom umbers Have ecryptio of curret block deped o result of previous block c(i) = K S ( m(i) Å c(i-1) ) m(i) = K S ( c(i)) Å c(i-1) How do we ecrypt first block? Iitializatio vector (IV): radom block = c(0) IV does ot have to be secret Chage IV for each message (or sessio) Guaratees that eve if the same message is set repeatedly, the ciphertext will be completely differet each time 2-19

20 Cipher Block Chaiig c(i-1) 2-20

21 CBC aalysis The receiver receives c(i) decrypts it with K s to obtai s(i) = m(i) Å c(i-1) also, kows the c(i-1) the, obtais the cleartext block from m(i) = s(i) Å c(i-1) Leakage? Idetical blocks of cleartext, (almost always) would result differet correspodig ciphertexts IV is set i plaitext, but Trudy does ot kow the private Key The seder seds oly oe overhead block (i.e. the IV) 2-21

22 CBC example Cosider the followig table Plaitext: ; IV = c(0) = 001 c(1) =? c(2) =? c(3) =? iput output iput output

23 CBC example Cosider the followig table Plaitext: ; IV = c(0) = 001 c(1) = K s (m(1) Å c(0))= 100 c(2) = K s (m(2) Å c(1))= 000 c(3) = K s (m(3) Å c(2))= 101 iput output iput output

24 Error propagatio i CBC Cosider a 4-block message: C 1 = K{ m 1 Å IV } C 2 = K{ m 2 Å C 1 } C 3 = K{ m 3 Å C 2 } C 4 = K{ m 4 Å C 3 } If C 2 is damaged durig trasmissio, what happes to the plaitext? 2-24

25 Error propagatio i CBC (ct d) Look at the decryptio process, where C is a garbled versio of C: P 1 = K{C 1 } Å IV P 2 = K{C 2 } Å C 1 P 3 = K{C 3 } Å C 2 P 4 = K{C 4 } Å C 3 P 1 is uaffected P 2 is garbled P 3 is garbled P 4 is uaffected, sice it depeds o C 4 ad C 3 Coclusio: two blocks chage, oe of them predictably 2-25

26 Cuttig ad Pastig CBC Cosider the ecrypted message IV, C 1, C 2, C 3, C 4, C 5 The shorteed message IV, C 1, C 2, C 3, C 4 appears valid The trucated message C 2, C 3, C 4, C 5 is valid; C 2 acts as IV Eve C 2, C 3, C 4 is valid, ad will decrypt properly. Ay subset of a CBC message will decrypt clealy. If we sip out blocks, leavig IV, C 1, C 4, C 5, we oly garble oe block of plaitext. Coclusio: if you wat message itegrity, ecryptio does NOT provide it, you have to do it yourself! 2-26

27 Popular block ciphers DES, 3DES, AES Use fuctios, rather tha predetermied tables alog with a complicated prototype Each uses a strig of bits for a key DES: 64-bit blocks with a 56-bit key AES: 128-bit blocks that ca operate with keys of 128, 192, ad 256 bits log 2-27

28 Private key crypto: DES DES: Data Ecryptio Stadard US ecryptio stadard [NIST 1993] 56-bit private key, 64-bit plaitext iput Block cipher with cipher block chaiig How secure is DES? DES Challege: 56-bit-key-ecrypted phrase decrypted (brute force) i less tha a day No kow good aalytic attack 2-28

29 DES structure Ecryptio Iitial permutatio bit per-roud key geerated from the 56-bit key 16 DES rouds: 64-bit iput + per-roud key è 64-bit output left ad right halves of (64-bit) output swapped fial permutatio (iverse of the iitial permutatio) Decryptio ruig backwards with per-roud keys i reverse order 2-29

30 Private key crypto: DES DES operatio iitial permutatio 16 idetical rouds of fuctio applicatio, each usig differet 48 bits of key fial permutatio 2-30

31 Why Permute? EDS: a modified DES without permutatios Let s assume we ca break EDS Give <plaitext, ciphertext> we ca calculate the Key <m, c> i DES Do iverse of iitial permutatio o m to get m Do iverse of fial permutatio o c to get c Feed <m, c > to our EDS ad get the Key o security value! make DES less efficiet to implemet i software 2-31

32 3DES (Triple DES) DES s 56-bit key is too short to be secure Ca we apply DES multiple times to make it stroger? How? 3DES: ecrypt 3 times with 3 distict keys (actually ecrypt, decrypt, ecrypt) 2-32

33 3DES 2-33

34 Double Ecryptio with DES Ecryptig twice with the same key? Plaitext èèciphertext K K brute-force attack still eeds to search oly 2 56 keys Each step of testig a key is twice as much work A factor of 2 is ot much added security the same level of extra work for good guys too! 2-34

35 Double Ecryptio with DES Ecryptig twice with two keys? a aive brute-force reuires searchig keys i fact, oly eed to search about 2 57 keys: meet-i-the-middle attack (a kow-plaitext attack) 2-35

36 meet-i-the-middle attack Assume, you have few <m 1,c 1 >, <m 2,c 2 > ad <m 3,c 3 > ecrypted by 2DES. Fid K 1 ad K 2. Make Table A of 2 56 etries K A (m 1 ) = r. Sort Table A by r Make Table B of 2 56 etries K B (r) = c 1. Sort Table B by r Search through sorted tables with matchig etries: <K A, r> ad <K B, r> pair of <K A, K B > is a cadidate Test cadidates with kow <m1, c1>, <m2, c2>, oly the correct key pair work for all of them 2-36

37 meet-i-the-middle attack 2 48 etries appear i both tables Oe of those correspods to the correct <K 1, K 2 > Computatio complexity: O(2 56 ) assumig eough space is provided to sort table A ad B i O(2 56 ) 2-37

38 3DES 2 keys used istead of 3 keys euivalet key legth is 112 bits 3DES operatios: EDE for ecryptio, DED for decryptio 3DES is iefficiet ad expesive Some systems implemet 3DES with 3 keys Not stadard If K 1 =K 2 è 3DES becomes euivalet of DES 2-38

39 AES: Advaced Ecryptio Stadard ew (Nov. 2001) symmetric-key NIST stadard, replacig DES processes data i 128 bit blocks 128, 192, or 256 bit keys brute force decryptio (try each key) takig 1 sec o DES, takes 149 trillio years for AES 2-39

40 PRIVATE KEY AGREEMENT 2-40

41 Oe Time Pad (OTP) Veram cipher (1917) The oly existig mathematically ubreakable ecryptio (Claude Shao) A truly radom key (ot geerated by a computer fuctio) The Key is used oly oce There should oly be two copies of the key: oe for the seder ad oe for the receiver Should be destroyed after use ciphertext = XOR (plaitext, key) plaitext = XOR (ciphertext, key) 2-41

42 OTP operatio two pads of paper cotaiig idetical radom seueces of letters are produced ad securely issued to both Alice chooses the appropriate uused page from the pad The way to do this is ormally arraged for i advace, as for istace 'use the 12th sheet o 1 May', or 'use the ext available sheet for the ext message'. The material o the selected sheet is the key for this message. Problem: two time pad is isecure! 2-42

43 OTP challeges Two Time Pad : c 1 = m 1 Å k c 2 = m 2 Å k Eavesdropper gets c 1 ad c 2 c 1 Å c 2 = m 1 Å m 2 Eough redudacy i ASCII (ad Eglish) that m 1 Å m 2 is eough to kow m 1 ad m 2 Impractical How do you trasfer OTP securely? As log as the message 2-43

44 Key distributio? 1. A key could be selected by A ad physically delivered to B. 2. A third party could select the key ad physically deliver it to A ad B. 3. If A ad B have previously ad recetly used a key, oe party could trasmit the ew key to the other, ecrypted usig the old key. 4. If A ad B each have a ecrypted coectio to a third party C (i.e. a key distributio ceter), C could deliver a key o the ecrypted liks to A ad B. 2-44

45 Diffie-Hellma Protocol Expoetial key agreemet Allows two users to exchage a secret key Reuires o prior secrets Real-time over a utrusted etwork 2-45

46 Diffie-Hellma Protocol Alice ad Bob ever met ad share o secrets Public ifo: p ad g p is a large prime umber (e.g. 512 bits) g is less tha p (with some restrictios: a primitive root of p) Pick secret, radom a Alice Compute k a =y a mod p = g ba mod p x = g a mod p Y= g b mod p Pick secret, radom b Bob Compute k b =x b mod p = g ab mod p 2-46

47 Diffie-Hellma Protocol k a =g ba mod p k b =g ab mod p Algebraically it is show that k a = k b Users ow have a symmetric private key to ecrypt 2-47

48 Example Alice ad Bob get public umbers p = 23, g = 9 Alice ad Bob compute public values X = 9 4 mod 23 = 6561 mod 23 = 6 Y = 9 3 mod 23 = 729 mod 23 = 16 Alice ad Bob exchage public umbers 2-48

49 Example (ct d) Alice ad Bob compute symmetric keys k a = y a mod p = 16 4 mod 23 = 9 k b = x b mod p = 6 3 mod 23 = 9 Alice ad Bob ow ca talk securely! 2-49

50 Is Diffie-Hellma Secure? Discrete Logarithm (DL) problem: give g a mod p, it s hard to extract a There is o kow efficiet algorithm for doig this This is ot eough for Diffie-Hellma to be secure! Computatioal Diffie-Hellma (CDH) problem: give g a ad g b, it s hard to compute g ab mod p uless you kow a or b, i which case it s easy 2-50

51 Applicatios of Diffie-Hellma Diffie-Hellma is curretly used i may protocols, amely: Secure Sockets Layer (SSL)/Trasport Layer Security (TLS) Secure Shell (SSH) Iteret Protocol Security (IPSec) Public Key Ifrastructure (PKI) 2-51

52 Properties of Diffie-Hellma Diffie-Hellma protocol is a secure key establishmet protocol agaist passive attackers Eavesdropper ca t fid the established key Ca use the ew key for symmetric cryptography Basic Diffie-Hellma protocol is ot secure agaist a active, ma-i-the-middle attacker Basic Diffie-Hellma protocol does ot provide autheticatio Alice might establish a secret key with a bad guy! IPsec combies Diffie-Hellma with sigatures, ati-dos cookies, etc. 2-52

53 (Wo)Ma-i-the-middle Attack A, g a A, g a Alice B, g b Trudy B, g b Bob Trudy kows both keys Usig Diffie-Hellma, Alice ad Bob caot detect a itruder 2-53

54 Research i Secret-Key agreemet Wearable devices, Sesors ad IoTs Resource-costraied Not euipped with radom umbers geerator Traditioal cryptography ca be resource-itesive Idea: Wireless chael that sesor (i.e. Alice) ad base-statio (i.e. Bob) share is uiue ad symmetric to them Elimiatig Recociliatio Cost i Secret Key Geeratio for Body- Wor Health Moitorig Devices, IEEE Tra. o Mob. Comp. [2014] 2-54

55 Secret Key geeratio Wireless chael characteristics (time or freuecy domai) Uiue to Alice ad Bob Eavesdropper (outside oe radio wavelegth from Alice or Bob) will measure differetly Chael Sesig Quatizatio Recociliatio 2-55