Encryption is the process of encoding a message such. Decryption is the reverse process, ie, transforming an


CS 392/68 Computer Security
Module 2 - Private Key Cryptography

Data Encryption
Encryption is the process of encoding a message such that its meaning is not obvious. Decryption is the reverse process, i.e., transforming an encrypted message to its original form.
[Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext]
We denote plaintext by P and ciphertext by C. C = E(P), P = D(C) and P = D(E(P)), where E() is the encryption function (algorithm) and D() the decryption function.

Kerckhoff's Principle
How do you prevent an eavesdropper from computing P, given C?
Keep the encryption algorithm E() secret. BAD IDEA!!
Choose E() (and corresponding D()) from a large collection, based on a secret key. GOOD IDEA!! Kerckhoff's principle.
[Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext, with the secret key fed to both Encryption and Decryption]
C = E(K, P) and P = D(K, C)

Module 2 - Private Key Crypto 3

Symmetric and Asymmetric Cryptosystems
Just by changing the key we have different encryptions of one plaintext.
If the encryption key and the decryption key are the same then we have a symmetric encryption scheme (also private key, one-key).
If the encryption key and the decryption key are different then we have an asymmetric encryption scheme (also public key, two-key).
A cryptosystem is then a five-tuple consisting of:
1) The set of all plaintexts
2) The set of all ciphertexts
3) The set of all keys
4) A family of encryption functions
5) A family of decryption functions

Example: Caesar Cipher
Let messages be all lower case from a through z (no spaces or punctuation): itsnotthathardtoread
Represent letters by numbers from 0 to 25.
Encryption function: C_i = E(P_i) = P_i + K, where K is the secret key and addition is done modulo 26.
Decryption is P_i = D(C_i) = C_i - K.
UNIX ROT13 uses K as 13.

Cryptanalysis
A cryptosystem has to be secure against the following kinds of attacks:
Ciphertext only attack.
Known plaintext attack.
Chosen plaintext attack.
Adaptive chosen plaintext attack.
Chosen ciphertext attack.
Chosen key attack.
Of course there is one attack against which no cryptosystem can offer protection: the rubber hose attack.

Brute Force Attacks
Since the key space is finite, given a ciphertext a cryptanalyst can try and check all possible keys.
For the above to be infeasible, the key space should be large!! How large? How about 2^56? Large enough to make it impractical for an adversary. But what is impractical today may not be so tomorrow.
In practice, for a good cryptosystem, the only possible attack should be the brute force attack, which should be impractical into the foreseeable future, as long as the message may have value.

Substitution Ciphers
Basic idea: substitute each block of plaintext by a different block.
If plaintext is English then:
Mono-alphabetic substitution.
Poly-alphabetic substitution.
If plaintext is a binary string then map one block of bits to another.
Plaintext: Ciphertext:
This is called block encryption. Very common.

Encryption by Mono-alphabetic Substitution
[Table: mono-alphabetic substitution key, one ciphertext letter for each plaintext letter A-Z]
Key space is large: 26! (How do you remember a key? See example.)
However, mono-alphabetic substitution is easy to break as it preserves source first order statistics.
Large key space is a necessary but not sufficient condition for security!

Encryption by Poly-alphabetic Substitution
Playfair cipher. Used by British Army in WW1 and WW2. Can be broken easily today with only a ciphertext of length about
Key square:
P O L Y T
E C H N I/J
U V R S B
K W A D F
G M Q X Z
Encrypt plaintext a pair at a time.
Two letters specify a rectangle. Substitute by opposite corner pair. Eg: VX -> SM.
If they fall in same row or column, then use next pair in circular manner. Eg: LY -> TP.
Repeated letters are broken by filler letter.
I/J chosen randomly.

Poly-alphabetic Cipher: Vigenere
Use K mono-alphabetic ciphers E_1, E_2, ..., E_K. In position i of plaintext, use cipher E_i.
Example using Caesar ciphers:
Plaintext:  helloiloveyouwontyoutellmeyourname
Key:        polytechnicpolytechnicpolytechnicpoly
Ciphertext: wswjhmnv coxc
A little harder to break but trivial once you know key length!
Some well known techniques for determining key length. See text.

Vernam: The Perfect Substitution Cipher
If we use Vigenere with key length as long as plaintext, then cryptanalysis will be difficult!
If we change key every time we encrypt then the cryptanalyst's job becomes even more difficult.
One-time pad or Vernam Cipher.
How do we get such long keys?
A large book shared by transmitter and receiver.
Initial key followed by previous messages themselves!!
Random number sequence based on common shared and secret seed.
Such a cipher is difficult to break but not very practical.

Binary Vernam: Unconditional Security
If plaintext is a binary string and key is a binary string of equal length then encryption can be done by a simple exclusive-or operation.
Plaintext: Key: Ciphertext:
If plaintexts are uniformly distributed and keys are random then such a system offers unconditional security, perfect secrecy! (Under the right mathematical formulation and assumptions.)
How do we obtain random bit-strings for shared secret keys?
Again the system is not practical.

Encryption by Transposition
[Figure: transposition example using the plaintext POKEMON MASTER]
Harder to break than substitution ciphers.
Preserve first order statistics.
One can arrange plaintext in a table and sort rows and columns.

Product Ciphers
To get improved security one can encrypt the ciphertext again.
If one uses the same algorithm: super-encryption. May or may not be useful. For example, super-encryption with Caesar cipher is as good as single encryption!
If one uses different algorithms: product cipher.
Product ciphers based on a sequence of substitutions and transpositions are very popular. You will see one later: DES.

Shannon Characteristics of Good Ciphers
The amount of secrecy needed should determine the amount of labor appropriate for encryption and decryption.
The set of keys and enciphering algorithms should be free from complexity.
The implementation of the process should be as simple as possible.
Errors in ciphering should not propagate and cause corruption of future information in the message.
The size of enciphered text should be no longer than the text of the original message.

Confusion and Diffusion
Confusion: The cryptanalyst should not be able to predict what changing one character in the plaintext will do to the ciphertext.
Diffusion: Changes in the key should affect many parts in the ciphertext.

Perfect Secrecy
[Figure: messages M_1 ... M_5 mapped to ciphertexts C_1 ... C_5 under four possible keys K_1, K_2, K_3 and K_4]
Given a ciphertext, the cryptanalyst cannot reduce uncertainty.
Property can be formulated in a more mathematically rigorous manner.

Imperfect Secrecy
[Figure: messages M_1 ... M_3 mapped to ciphertexts C_1 ... C_5]
Given C we know the message is M_3!!
Given C_5, only one bit of uncertainty.

DES: Data Encryption Standard
Private key. Encrypts by a series of substitutions and transpositions.
Worldwide standard for more than 20 years.
Has a history of controversy.
Designed by IBM (Lucifer) with later help (interference?) from NSA.
No longer considered secure for highly sensitive applications.
Replacement standard (AES) recently completed.

DES - Overview
[Figure: DES overview]

DES - Each iteration
[Figure: one DES iteration]

DES - Computation of F(R_{i-1}, K_i)
[Figure: computation of F(R_{i-1}, K_i)]

Computation of F:
Expansion function E: maps a bit string of length 32 to a bit string of length 48. Permutes bits in a fixed way and duplicates certain bits.
Key schedule: each round uses a 48 bit key obtained by performing permutations, shifts, and discarding bits from the original 56 bit key. Fixed algorithm for each round.
The resulting 48 bit string is broken into eight 6-bit strings.

S-boxes:
S_j(b_1 b_2 b_3 b_4 b_5 b_6) is the table entry from the row and column selected by the input bits.
[Worked example garbled in the transcription: S( ) = table[ ,9] = 6d]

[Figure: DES encryption and decryption. Plain text x -> Initial permutation (IP) -> Round 1 (key K_1) -> Rounds 2-15 -> Round 16 (key K_16) -> swap -> IP inverse -> Cipher text y. Decryption runs the same structure starting from IP and Round 1 with key K_16.]

Encryption Modes - ECB
A block encryption scheme can encrypt a long message (file) in Electronic Code Book (ECB) mode.
If the same key is used then identical plaintext blocks map to identical ciphertext.

Cipher Block Chain (CBC) Mode
[Figure: CBC mode]

CBC Pros and Cons
If IV is different then different instances of the same message (or block) will get encrypted differently.
How does the receiver know IV? Choose at random and send encrypted as first block.
What happens if the k-th cipher block C_K gets corrupted in transmission?
With ECB: only decrypted P_K is affected.
With CBC? Only blocks P_K and P_{K+1} are affected!! This can also allow some message tampering!
What if one plaintext block P_K is changed?
With ECB only C_K is affected.
With CBC all subsequent ciphertext blocks will be affected. This leads to an effective MAC based on DES CBC.

Cipher Feedback Mode (CFB)
[Figure: CFB mode]

CFB Properties
J is normally 8.
Change in one plaintext bit is going to affect all subsequent ciphertext bits. So can be used for MAC.
Change in ciphertext bit results in???

Output Feedback Mode (OFB)
[Figure: OFB mode]

OFB Properties
Bit errors in transmission do not propagate.
One can selectively flip ciphertext bits to flip corresponding decrypted plaintext bits. Bad!!

DES Security
S-Box design not well understood (secret).
Has survived some recent sophisticated attacks (differential cryptanalysis).
Key is too short (thanks to NSA!). Hence is vulnerable to brute force attack.
1998 distributed attack took 3 months.
$,, machine will crack DES in 35 minutes (1997 estimate). , 2.5 days.
In 1999 EFF achieved 245 billion keys per second rate to crack in 22 hours.
[Figure: DES cracking machine]

Super-encryption
If key length is a concern, then instead of encrypting once, encrypt twice!!
C = E_{K2}(E_{K1}(P))
P = D_{K1}(D_{K2}(C))
Does this result in a larger key space? That is, a new mapping that could not have been obtained by a single key?
With Caesar cipher: NO! With DES: yes!
Encrypting with multiple keys is known as super-encryption. May not always be a good idea.

Double DES
[Figure: Double DES]
Double DES is almost as easy to break as single DES (needs more memory though)!

Double DES: Meet-in-the-middle Attack
Based on the observation that, if C = E_{K2}(E_{K1}(P)), then X = E_{K1}(P) = D_{K2}(C).
Given a known (P, C) pair, encrypt P with all possible values of K1 and store the results in table T.
Next, decrypt C with all possible keys K2 and check each result against the table.
If a match occurs then check the key pair with a new known (P, C) pair. If a match occurs again, you have found the keys. Else continue as before.
Process will terminate successfully.

Meet-in-the-middle: Explanation
The first match does not say anything as we have 2^64 ciphertexts and 2^112 keys.
On the average 2^112 / 2^64 = 2^48 keys will produce the same ciphertext. So there could be 2^48 false alarms.
However, with a second known (P, C) pair, the probability that E_{K1}(P) = D_{K2}(C) is
So, the probability that a false alarm will survive two known (P, C) pairs is 2^48 / 2^64 = 2^-16.
One can always check a third pair to further reduce the chance of a false alarm.
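The meet-in-the-middle procedure and its false-alarm arithmetic can be followed at a scale that runs in a fraction of a second. This is an added example, not course code: the cipher is a constructed toy with a 16-bit block and 12-bit keys (names E, D, K1, K2 and all constants are assumptions), so a double key has 24 bits but the search costs about 2 * 2^12 cipher operations plus a table.

```python
from collections import defaultdict

MASK = 0xFFFF                      # 16-bit block
KEY_BITS = 12                      # each of the two keys has 12 bits
MUL = 0x9E35                       # odd, so multiplication mod 2**16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)

def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK

def _round_keys(k):
    # Constructed key schedule: three 16-bit round keys from one 12-bit key.
    return [((k * 0x1F3D + 0x07A5 * (r + 1)) ^ (k << 4)) & MASK for r in range(3)]

def E(k, p):
    """Toy block cipher (NOT secure): xor round key, multiply, rotate."""
    x = p
    for rk in _round_keys(k):
        x = _rotl(((x ^ rk) * MUL) & MASK, 5)
    return x

def D(k, c):
    x = c
    for rk in reversed(_round_keys(k)):
        x = ((_rotr(x, 5) * MUL_INV) & MASK) ^ rk
    return x

def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF, 0x0F0F)):
    """Known (P, C) pairs under double encryption C = E_K2(E_K1(P))."""
    return [(p, E(k2, E(k1, p))) for p in plaintexts]

def meet_in_the_middle(pairs):
    """Return (matches on the first pair, key pairs surviving all pairs)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    # Table T: middle value X = E_K1(P) -> every K1 that produces it.
    table = defaultdict(list)
    for k1 in range(1 << KEY_BITS):
        table[E(k1, p1)].append(k1)
    first_matches, survivors = 0, []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(D(k2, c1), ()):      # X = D_K2(C) found in T
            first_matches += 1
            # Most matches are false alarms; further pairs filter them out.
            if all(E(k2, E(k1, p)) == c for p, c in rest):
                survivors.append((k1, k2))
    return first_matches, survivors

def expected_false_alarms(key_bits, block_bits, pairs):
    """2^(2*key_bits) key pairs, each passing one (P, C) check with prob 2^-block_bits."""
    return 2.0 ** (2 * key_bits - block_bits * pairs)

K1, K2 = 0x3A7, 0xC51              # constructed secret keys for the demo

if __name__ == "__main__":
    first, found = meet_in_the_middle(known_pairs(K1, K2))
    print("matches on first pair:", first,
          "(expected about", expected_false_alarms(KEY_BITS, 16, 1), ")")
    print("candidates after all pairs:", [(hex(a), hex(b)) for a, b in found])
    print("DES figures from the slide:",
          expected_false_alarms(56, 64, 1), expected_false_alarms(56, 64, 2))
```

The defensive reading is the one on the slide: doubling the key length this way adds memory cost for the attacker but almost no time cost, which is why Triple DES is used instead.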

Triple DES
Triple DES (2 keys) requires 2^112 search. Is reasonably secure.
3 keys requires

AES History
National Institute of Science and Technology: "DES is an aging standard that no longer addresses today's needs for strong encryption."
Triple-DES: Endorsed by NIST as today's de facto standard.
AES: The Advanced Encryption Standard. Finalized in 2
Goal: To define a Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents.
AES candidate algorithms were required to be:
Symmetric-key, supporting 128, 192, and 256 bit keys
Royalty-free
Unclassified (i.e. public domain)
Available for worldwide export

History (cont.)
AES Round-3 Finalist Algorithms:
MARS: Candidate offering from IBM
RC6: Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm
Twofish: From Counterpane Internet Security, Inc.
Serpent: Designed by Ross Anderson, Eli Biham and Lars Knudsen
Rijndael: Designed by Joan Daemen and Vincent Rijmen

Rijndael
The Winner: Rijndael. Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). (Pronounced "Rhine-doll".)
Allows only 128, 192, and 256-bit key sizes (unlike the other candidates).
Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible.
A block is the smallest data size the algorithm will encrypt.
Vast speed improvement over DES in both hardware and software implementations:
846 bytes/sec on a 2MHz 85 (@ 2 CPI)
8.8 Mbytes/sec on a 2MHz Pentium Pro

Rijndael Structure
Rijndael consists of an initial Round Key addition; Nr-1 Rounds; a final round. In pseudo C code, this gives:

    Rijndael(State,CipherKey)
    {
        KeyExpansion(CipherKey,ExpandedKey);
        AddRoundKey(State,ExpandedKey);
        For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i);
        FinalRound(State,ExpandedKey + Nb*Nr);
    }

Rijndael
[Figure: key W passes through key expansion (KE) to give round keys k_1, k_2, k_3, ..., k_{n-2}, k_{n-1}, k_n; input block X passes through encryption rounds r_1, r_2, r_3, ..., r_{n-2}, r_{n-1}, r_n to give output Y]
Key is expanded to a set of n round keys.
Input block X undergoes n rounds of operations (each operation is based on the value of the nth round key), until it reaches a final round.
Strength relies on the fact that it's difficult to obtain the intermediate result (or state) of round n from round n+1 without the round key.

Number of Rounds
Number of rounds (Nr) as a function of the block (Nb) and key length (Nk) in 32 bit words.
[Table: Nr for Nb = 4, Nb = 6, Nb = 8 (columns) and each key length Nk (rows)]

Rijndael: Detailed view of round n
[Figure: result from round n-1 -> ByteSub -> ShiftRow -> MixColumn -> AddRoundKey (round key K_n) -> pass to round n+1]
Each round performs the following operations:
Non-linear Layer: No linear relationship between the input and output of a round.
Linear Mixing Layer: Guarantees high diffusion over multiple rounds. Very small correlation between bytes of the round input and the bytes of the output.
Key Addition Layer: Bytes of the input are simply XOR'ed with the expanded round key.

Rijndael
Three layers provide strength against known types of cryptographic attacks. Rijndael provides full diffusion after only two rounds.
Linear and differential cryptanalysis
Known-key and related-key attacks
Square attack
Interpolation attacks
Weak keys
Rijndael has been shown to be K-secure:
No key-recovery attacks faster than exhaustive search exist.
No known symmetry properties in the round mapping.
No weak keys.
No related-key attacks: no two keys have a high number of expanded round keys in common.

Rijndael: ByteSub
Each byte at the input of a round undergoes a non-linear byte substitution according to the following:
1. First, taking the multiplicative inverse in GF(2^8). 00 is mapped onto itself.
2. Then, applying an affine (over GF(2)) transformation.
[Figure: Substitution ("S")-box, Affine Transform]

Rijndael: ShiftRow
Depending on the block length, each row of the block is cyclically shifted according to the above table.

Rijndael: MixColumn
Each column is multiplied by a fixed polynomial C(x) = 03*X^3 + 01*X^2 + 01*X + 02.
This corresponds to matrix multiplication b(x) = c(x) a(x):

Rijndael: Key Expansion and Addition
Each word is simply XOR'ed with the expanded round key.
Key Expansion algorithm:

    /* Version for Nk <= 6; the Rijndael specification adds an extra
       SubByte step when Nk > 6. */
    KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)])
    {
        /* The first Nk words are the cipher key itself. */
        for(i = 0; i < Nk; i++)
            EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
        /* Every later word is the XOR of the previous word and the word Nk positions back. */
        for(i = Nk; i < Nb * (Nr + 1); i++)
        {
            temp = EKey[i - 1];
            if (i % Nk == 0)
                temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
            EKey[i] = EKey[i - Nk] ^ temp;
        }
    }

Rijndael: Implementations
Rijndael is well suited for software implementations on 8-bit processors (important for "Smart Cards").
Operations focus on bytes and nibbles, not 32 or 64 bit integers.
Layers such as ByteSub can be efficiently implemented using small tables in ROM (e.g. < 256 bytes).
No special instructions are required to speed up operation.
For 32-bit implementations:
An entire round can be implemented via a fast table lookup routine on machines with 32-bit or higher word lengths.
Considerable parallelism exists in the algorithm.
Each layer operates in a parallel manner on bytes of the round state; all four component transforms act on individual parts of the block.
Although the key expansion is complicated and cannot be parallelised, it only needs to be performed once until the two parties switch keys.

Rijndael: Implementations
Hardware Implementations
Performs very well in software, but in some cases more performance is required (e.g. server and VPN applications).
Multiple S-Box engines, round-key EXORs, and byte shifts can all be implemented efficiently in hardware when absolute speed is required.
Small amount of hardware can vastly speed up 8-bit implementations.
Inverse Cipher
Except for the non-linear ByteSub step, each part of Rijndael has a straightforward inverse and the operations simply need to be undone in the reverse order.
Same code that encrypts a block can also decrypt the same block simply by changing certain tables and polynomials for each layer. The rest of the operation remains identical.

Rijndael Future
Rijndael is an extremely fast, state-of-the-art, highly secure algorithm.
Has efficient implementations in both hardware and software; it requires no special instructions to obtain good performance on any computing platform.
Despite being chosen by NIST as the AES candidate winner, Rijndael is not yet automatically the new encryption standard.
Triple-DES, still highly secure and supported by NIST, is expected to be common for the foreseeable future.

Other Private Key Cryptosystems
IDEA
Twofish
Blowfish
RC4, RC5, RC6
Serpent
MARS
Feal

CS 392/CS 68 - Computer Security
Nasir Memon, Polytechnic University
Module 3: Public Key Cryptography. RSA.

Course Logistics
Homework due tonight.

Private key cryptography revisited
Key distribution and management is a serious problem! N users: O(N^2) keys!

Public key cryptography
Key management problem potentially simpler (not really that simple as we will see later!!!).

A Simple Example
[Figure: plaintext P O K E M O N is encrypted with the public key (phone book: Peggy, Olivia, Kathy, Erica, Mary, Olga, Nancy) and decrypted with the private key (inverted phone book)]
Anyone can map from plaintext to ciphertext. Decryption easy only with inverted phone book.

One-way functions and trapdoors
A function f() is said to be one-way if given x it is easy to compute y = f(x), but given y it is hard to compute x = f^-1(y).
A trap-door one-way function f_K() is such that:
to compute y = f_K(x) is easy if K and x are known.
x = f_K^-1(y) is easy if K and y are known.
x = f_K^-1(y) is hard if y is known but K is unknown.
Given a trap-door one-way function one can design a public key cryptosystem.

Encryption and 1-way trap doors
Two keys: public encryption key e, private decryption key d.
Encryption easy when e is known.
Decryption hard when d is not known.
d provides the "trap door": decryption easy when d is known.
We'll study the RSA public key encryption scheme. First we need some number theory.

Some Number Theory
We'll need some number theory to define a one-way trap-door function:
Elementary (Review?): Divisors, prime numbers, relative primes, modular arithmetic
Advanced (Hand-waving overview): Euler's totient function, Lagrange's theorem

Divisors
x divides y (written x | y) if the remainder is 0 when y is divided by x.
1 | 8, 2 | 8, 4 | 8, 8 | 8
The divisors of y are the numbers that divide y.
divisors of 8: {1,2,4,8}
For every number y: 1 | y and y | y

Prime numbers
A number is prime if its only divisors are 1 and itself: 2,3,5,7,11,13,17,19,...
Fundamental theorem of arithmetic: For every number x, there is a unique set of primes {p_1,...,p_n} and a unique set of positive exponents {e_1,...,e_n} such that
x = p_1^e_1 * ... * p_n^e_n

Common divisors
The common divisors of two numbers x,y are the numbers z such that z | x and z | y.
common divisors of 8 and 12: intersection of {1,2,4,8} and {1,2,3,4,6,12} = {1,2,4}
greatest common divisor: gcd(x,y) is the number z such that z is a common divisor of x and y, and no common divisor of x and y is larger than z.
gcd(8,12) = 4

Relative primes
x and y are relatively prime if they have no common divisors other than 1.
Equivalently, x and y are relatively prime if gcd(x,y) = 1.
9 and 4 are relatively prime.
9 and 15 are not relatively prime.

Modular Arithmetic
Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m.
Notation: x ≡ y (mod m)
Example: 14 ≡ 5 (mod 9)
We work in Z_m = {0, 1, 2, ..., m-1}, the ring of integers modulo m with binary operators + and * defined modulo m.
Example: Z_9 = {0,1,2,3,4,5,6,7,8}
We abuse notation and often write = instead of ≡.

Addition and Multiplication
Many of the same properties as addition and multiplication of integers:
Commutative
Associative
Distributive
Additive inverses
Some differences:
Some elements have multiplicative inverses

Addition in Z_m
Addition is well-defined: if x ≡ x' (mod m) and y ≡ y' (mod m) then x + y ≡ x' + y' (mod m).
= 7 mod = 2 mod 9.

Additive inverses in Z_m
0 is the additive identity in Z_m: x + 0 ≡ x (mod m) ≡ 0 + x (mod m)
Additive inverse: every element has a unique additive inverse.
= 0 mod 9. 4 is the additive inverse of 5.

Multiplication in Z_m
Multiplication is well-defined: if x ≡ x' (mod m) and y ≡ y' (mod m) then x * y ≡ x' * y' (mod m).
3 * 4 = 3 mod 9. 3 * 8 = 6 mod 9. 3 * 3 = 0 mod 9.

Multiplicative inverses in Z_m
1 is the multiplicative identity in Z_m: x * 1 ≡ x (mod m) ≡ 1 * x (mod m)
Multiplicative inverse: SOME, but not ALL elements have a unique multiplicative inverse.
In Z_9: 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, ..., so 3 does not have a multiplicative inverse.
On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2, 4*6=6, 4*7=1, so 4^-1 = 7.

Which numbers have inverses?
In Z_m, x has a multiplicative inverse if and only if x and m are relatively prime. E.g., 3 and 4 in Z_9.
If gcd(x,m) > 1 then lcm(x,m) < xm, so there is a number y, 0 < y < m, such that m | xy, i.e. yx = 0 (mod m). So x does not have a multiplicative inverse.
If gcd(x,m) = 1, as y varies, y*x takes on m distinct values, so for some value, y*x = 1 mod m.

Euler's totient function
Given positive integer n, Euler's totient function Φ(n) is the number of positive numbers less than n that are relatively prime to n.
Fact: If p is prime then Φ(p) = p - 1. {1,2,3,...,p-1} are relatively prime to p.

Euler's totient function
Fact: If p and q are prime and n = pq then Φ(n) = (p-1)(q-1).
Each number that is not divisible by p or by q is relatively prime to pq.
E.g. p=5, q=7: {1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}
(p-1)(q-1) = pq - p - q + 1

Important Fact
If a is relatively prime to n then a^Φ(n) ≡ 1 mod n.
(This is a corollary to a theorem due to Lagrange that states that the order of an element of a multiplicative group divides the order of the group. It's applied to the group Z_n* of residues mod n that are relatively prime to n.)

RSA overview
Alice wants people to be able to send her encrypted messages.
She chooses two (large) prime numbers, p and q, and computes n = pq and Φ(n). ["large" = digits +]
She chooses a number e such that e is relatively prime to Φ(n) and computes d, the inverse of e in Z_Φ(n).
She publicizes the pair (e,n) as her public key. She keeps d secret and destroys p, q, and Φ(n).
Plaintext and ciphertext messages are elements of Z_n and e is the encryption key.

RSA overview
Bob wants to send a message x (an element of Z_n) to Alice.
He looks up her encryption key, (e,n), in a directory.
The encrypted message is y = E(x) = x^e mod n.
Bob sends y to Alice.

RSA overview
To decrypt the message y = E(x) = x^e mod n she's received from Bob, Alice computes D(y) = y^d mod n.
Claim: D(y) = x

RSA encryption function is 1-way trap door
Need to show:
D[E[x]] = x
E[x] and D[y] can be computed efficiently if keys are known.
E^-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d.
Also, it should be possible to select keys reasonably efficiently. This does not have to be done too often, so efficiency requirements are less stringent.

E and D are inverses: Case 1: gcd(x,n) = 1
D(y) = y^d mod n
     = (x^e mod n)^d mod n
     = x^(ed) mod n
     = x^(tΦ(n)+1) mod n          (because ed ≡ 1 mod Φ(n))
     = (x^Φ(n))^t * x mod n
     = 1^t * x mod n              (from important fact)
     = x mod n

Theorem (Fermat)
If p is prime and x is in Z_p then x^p ≡ x mod p.
Proof: If p | x then x^p ≡ 0 ≡ x mod p. Otherwise, x^(p-1) = x^Φ(p) ≡ 1 mod p, so x^p ≡ x mod p.

Alternative proof that E and D are inverses
ed = tΦ(n) + 1 = t(p-1)(q-1) + 1
x^(ed) = x^(tΦ(n)+1) = (x^(p-1))^(t(q-1)) * x ≡ x mod p
So p | (x^(ed) - x).
By analogous argument q | (x^(ed) - x).
So n | (x^(ed) - x), i.e. x^(ed) ≡ x mod n.

Tiny RSA example
Let p = 7, q = 11. Then n = 77 and Φ(n) = 60.
Choose e = 13. Then d = 13^-1 mod 60 = 37.
Let message = 2.
E(2) = 2^13 mod 77 = 30.
D(30) = 30^37 mod 77 = 2.

Slightly Larger RSA example
Let p = 47, q = 71. Then n = 3337 and Φ(pq) = 46 * 70 = 3220.
Choose e = 79. Then d = 79^-1 mod 3220 = 1019.
Let message = Break it into 3 digit blocks to encrypt.
E(688) = 688^79 mod 3337 = 1570.
E(232) = 232^79 mod 3337 = 2756.
D(1570) = 1570^1019 mod 3337 = 688.
D(2756) = 2756^1019 mod 3337 = 232.

Decryption without trapdoor
Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice.
Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message).
If Oscar can compute d = e^-1 mod Φ(n) then he can use the formula D(y) = y^d mod n = x to recover the plaintext x.
If Oscar can compute Φ(n), he can compute d (the same way Alice did).

Decryption without trapdoor
Oscar knows that n is the product of two primes.
If he can factor n, he can compute Φ(n).
But factoring large numbers is very difficult:
Grade school method takes O(sqrt(n)) divisions. Prohibitive for large n, such as 2 digits (roughly 52 bits).
Better factorization algorithms exist, but they are still too slow for large n.
Lower bound for factorization is an open problem.

How big should n be?
Today we need n to be at least 768 bits. Better 1024 or even 2048 bits.
No other (implementation independent) attack on RSA known.

Efficient exponentiation
Usual approach to computing x^c is inefficient when c is large.
Instead, represent c as bit string b_{k-1} ... b_0 and use the following algorithm:

    z = 1
    For i = k-1 downto 0 do
        z = z^2 mod n
        if b_i = 1 then z = z * x mod n

Example: 30^37 mod 77

    i   b_i   z
    5   1     30 = 1*1*30 mod 77
    4   0     53 = 30*30 mod 77
    3   0     37 = 53*53 mod 77
    2   1     29 = 37*37*30 mod 77
    1   0     71 = 29*29 mod 77
    0   1     2  = 71*71*30 mod 77

Key selection
To select keys we need efficient algorithms to:
Select large primes. Primes are dense so choose randomly. Probabilistic primality testing methods known. Work in logarithmic time.
Compute multiplicative inverses. Extended Euclidean algorithm.

Euclidean Algorithm: gcd(r_0, r_1)
Main idea: If y = ax + b then gcd(x,y) = gcd(x,b).

    r_0     = q_1 r_1 + r_2
    r_1     = q_2 r_2 + r_3
    ...
    r_{m-2} = q_{m-1} r_{m-1} + r_m
    r_{m-1} = q_m r_m

gcd(r_0, r_1) = gcd(r_1, r_2) = ... = gcd(r_{m-1}, r_m) = r_m

Computing inverse of a mod n
Main idea: Looking for the inverse of a mod n means looking for x such that x*a - y*n = 1.
To compute the inverse of a mod n, do the following:
Compute gcd(a, n) using the Euclidean algorithm. Since a is relatively prime to n (else there will be no inverse), gcd(a, n) = 1.
So you can obtain a linear combination of r_m and r_{m-1} that yields 1.
Work backwards getting a linear combination of r_i and r_{i-1} that yields 1.
When you get to a linear combination of r_0 and r_1 you are done as r_0 = n and r_1 = a.

Example: Inverse of 15 mod 37

    37 = 2 * 15 + 7
    15 = 2 * 7 + 1
    7  = 7 * 1 + 0

Now, 15 - 2 * 7 = 15 - 2 (37 - 2 * 15) = 5 * 15 - 2 * 37 = 1.
So, the inverse of 15 mod 37 is 5 by definition!!

Extended Euclidean Algorithm (Textbook)
Define:
t_0 = 0
t_1 = 1
t_j = t_{j-2} - q_{j-1} t_{j-1} mod r_0, for j >= 2
Can prove by induction: for 0 <= j <= m, r_j ≡ t_j r_1 mod r_0.
So if gcd(r_0, r_1) = 1, then t_m ≡ r_1^-1 mod r_0.

Pseudocode for computing b^-1 mod m (Textbook)
Computation of the values t_j can be incorporated into the Euclidean algorithm (see code on next slide).
In this code, the variables q, b0, and r hold the values of the quotients and remainders; the variables t0, t, and temp hold the values of t_{i-1}, t_i, t_{i+1}, respectively, at the point labelled *** on the i-th iteration of the loop.
For our purposes, this will be executed with b = e and m = Φ(n).

Pseudocode for computing b^-1 mod m (Textbook)

    n0 = m              // the modulus
    b0 = b              // the number we're inverting mod m
    t0 = 0
    t = 1
    q = n0 div b0       /* integer division */
    r = n0 - q*b0
    while r > 0 do
        temp = t0 - q*t
        if temp >= 0 then temp = temp mod m
        else temp = m - ((-temp) mod m)   // *** see previous slide
        t0 = t
        t = temp
        n0 = b0
        b0 = r
        q = n0 div b0
        r = n0 - q*b0
    /* end of loop */
    if b0 = 1 then t is b inverse (mod m)
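The efficient-exponentiation algorithm and the extended Euclidean inverse above are enough to reproduce both RSA examples from the slides. This is an added example, not the textbook's code; the function names are assumptions, and it is textbook RSA with tiny primes and no padding, useful only for following the arithmetic.

```python
def mod_inverse(b, m):
    """b^-1 mod m by the extended Euclidean algorithm, or None if gcd(b, m) != 1.

    Same loop as the slide's pseudocode; Python's % already returns a
    non-negative result, so the negative-temp branch is not needed.
    """
    n0, b0 = m, b % m
    if b0 == 0:
        return None
    t0, t = 0, 1
    q, r = divmod(n0, b0)
    while r > 0:
        temp = (t0 - q * t) % m
        t0, t = t, temp
        n0, b0 = b0, r
        q, r = divmod(n0, b0)
    return t if b0 == 1 else None

def square_and_multiply(x, c, n):
    """Return (x^c mod n, list of z after each bit of c, most significant first)."""
    z, trace = 1, []
    for bit in bin(c)[2:]:
        z = z * z % n              # always square
        if bit == "1":
            z = z * x % n          # multiply only when the exponent bit is set
        trace.append(z)
    return z, trace

def make_keypair(p, q, e):
    """Return (n, e, d) for primes p, q and a public exponent e coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    if d is None:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, d

def encrypt(x, e, n):
    if not 0 <= x < n:
        raise ValueError("message must be an element of Z_n")
    return square_and_multiply(x, e, n)[0]

def decrypt(y, d, n):
    return square_and_multiply(y, d, n)[0]

if __name__ == "__main__":
    # Tiny example from the slides: p = 7, q = 11, e = 13.
    n, e, d = make_keypair(7, 11, 13)
    y = encrypt(2, e, n)
    print("n, e, d =", (n, e, d), " E(2) =", y, " D(E(2)) =", decrypt(y, d, n))
    print("trace of 30^37 mod 77:", square_and_multiply(30, 37, 77)[1])
    # Slightly larger example: p = 47, q = 71, e = 79, message blocks 688 and 232.
    n, e, d = make_keypair(47, 71, 79)
    blocks = [encrypt(b, e, n) for b in (688, 232)]
    print("d =", d, " ciphertext blocks:", blocks,
          " decrypted:", [decrypt(c, d, n) for c in blocks])
```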

Example: 13^-1 mod 60 (Textbook)
[Table: trace of the pseudocode for this example, with columns n0, b0, q, r, t0, t, temp]

Probabilistic Primality Testing
A probabilistic algorithm is an algorithm that gives you a result with a well defined probability of error.
A yes-biased Monte-Carlo algorithm is a probabilistic algorithm for a decision problem, such that a "yes" answer is always correct, but a "no" answer may be incorrect.
Error probability ε means the probability of an incorrect ("no") answer is at most ε.

Solovay-Strassen primality test
Consider the Jacobi function J(r,p) defined as follows:
J(r,p) = 1                                         if r = 1
J(r,p) = J(r/2, p) * (-1)^((p^2-1)/8)              if r is even
J(r,p) = J(p mod r, r) * (-1)^((r-1)*(p-1)/4)      if r is odd and r ≠ 1
Let Test(r,p) be true iff J(r,p) ≡ r^((p-1)/2) mod p and gcd(r,p) = 1.
Facts:
If p is prime then Test(r,p) is true for all r s.t. 1 <= r <= p-1.
If p is an odd composite number then Test(r,p) is true for at most half of the numbers r s.t. 1 <= r <= p-1.

Solovay-Strassen primality test

A yes-biased Monte-Carlo algorithm for the decision problem "Is p composite?" with error probability 1/2.
Let p be a candidate which we'd like to check.
Algorithm:
- Choose a random integer r, 1 <= r <= p-1.
- If Test(r,p) is false then answer "yes" (p is composite, i.e., is not prime), else answer "no" (p is not composite, i.e., is prime).
To reduce the error probability, repeat many times.

How Alice can select primes p, q:

    int select-a-prime() {
        while true {
            randomly choose large integer p
            for (i = 0; i < k; i++) {
                if SS says p is composite break
            };
            /* return only if all k rounds passed without a break */
            if (i == k) return p;   /* p is prime with high probability */
        }; /* end of while loop */
    }

Since primes are dense, this will terminate after a reasonable number of iterations.

RSA encryption function is 1-way trap door

Need to show:
- D[E[x]] = x
- E[x] and D[y] can be computed efficiently if keys are known.
- E^-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d.
- Also, it should be possible to select keys reasonably efficiently. This does not have to be done too often, so efficiency requirements are less stringent.
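The key-selection steps above (Solovay-Strassen test, select-a-prime loop, textbook inverse with b = e and m = Φ(n)) put together in Python. This is an added example, not code from the slides; the function names, the 40-round default and the public exponent e = 65537 are assumptions, and the RSA shown is unpadded textbook RSA used only to check D[E[x]] = x.

```python
import math
import secrets


def jacobi(r, p):
    """Jacobi function J(r, p) for odd p >= 3; returns 1, -1, or 0 if gcd(r, p) > 1."""
    r %= p
    sign = 1
    while r:
        while r % 2 == 0:                  # even rule: factor (-1)^((p^2-1)/8)
            r //= 2
            if p % 8 in (3, 5):
                sign = -sign
        r, p = p, r                        # odd rule: J(p mod r, r) * (-1)^((r-1)(p-1)/4)
        if r % 4 == 3 and p % 4 == 3:
            sign = -sign
        r %= p
    return sign if p == 1 else 0


def ss_test(r, p):
    """Test(r, p): gcd(r, p) = 1 and J(r, p) = r^((p-1)/2) (mod p)."""
    return math.gcd(r, p) == 1 and jacobi(r, p) % p == pow(r, (p - 1) // 2, p)


def is_probable_prime(p, k=40):
    """k rounds of Solovay-Strassen. False is always correct; True errs with prob <= 2^-k."""
    if p < 2 or (p % 2 == 0 and p != 2):
        return False
    if p < 4:                              # 2 and 3
        return True
    for _ in range(k):
        r = 1 + secrets.randbelow(p - 1)   # uniform in 1 .. p-1
        if not ss_test(r, p):
            return False                   # "yes, p is composite"
    return True


def euler_liars(p):
    """Count r in 1 .. p-1 with Test(r, p) true (exhaustive, small odd p only)."""
    return sum(ss_test(r, p) for r in range(1, p))


def select_prime(bits, k=40):
    """The select-a-prime loop: draw random odd candidates until one passes k rounds."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(p, k):
            return p


def mod_inverse(b, m):
    """b^-1 mod m with the textbook loop (variables n0, b0, t0, t, q, r as on the slide)."""
    b %= m
    if b == 0:
        raise ValueError("0 has no inverse")
    n0, b0, t0, t = m, b, 0, 1
    q, r = divmod(n0, b0)
    while r > 0:
        temp = (t0 - q * t) % m            # Python's % already lands in 0 .. m-1
        t0, t = t, temp
        n0, b0 = b0, r
        q, r = divmod(n0, b0)
    if b0 != 1:
        raise ValueError("no inverse: gcd(b, m) != 1")
    return t


def rsa_keypair(prime_bits=128, e=65537):
    """Return (n, e, d) with d = e^-1 mod phi(n); e = 65537 is an assumed choice."""
    while True:
        p, q = select_prime(prime_bits), select_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, mod_inverse(e, phi)


if __name__ == "__main__":
    print("15^-1 mod 37 =", mod_inverse(15, 37))
    print("r values passing Test for 561 = 3*11*17:", euler_liars(561), "of 560")
    n, e, d = rsa_keypair()
    x = 0xC0FFEE                           # constructed sample plaintext
    print("D[E[x]] == x:", pow(pow(x, e, n), d, n) == x)
```
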

Other Public Key cryptosystems

- Knapsack
  - Most versions are not considered secure any more.
- Discrete Log
  - Depends on intractability of the discrete log problem, that is, given x and x^y mod n, find y.
- Elliptic Curve
  - Involves taking discrete logs in elliptic curve groups.
  - Much more security than RSA for a given key size.
  - Used in WAP.

Further Reading

- Cryptography: Theory and Practice. D. Stinson. CRC Press.
- Handbook of Applied Cryptography. Menezes et al. CRC Press.
- Cryptography and Network Security. William Stallings.
- Applied Cryptography. B. Schneier. John Wiley.
- North American Crypto archive
- Crypto Resource page
- Ron Rivest's crypto page
- Cryptography Research Inc. Resource page
- Cryptography archive
- AES home page

CS 392/681 - Computer Security
Module 4: Authentication, Digital Signatures, Message Digests and Cryptographic Hash Functions.
Nasir Memon, Polytechnic University

Course Issues

HW due today. HW 2 will be posted later today.

Authentication Codes

Authentication codes provide assurance that a message has not been tampered with and has indeed originated from a specific source.
- Integrity.
- Independent of encryption.

[Figure: Alice (Transmitter) sends X using an authentication key; Oscar sits on the channel; Bob (Receiver) receives Y and uses a verification key to decide: Authentic?]

Also applicable to stored file on disk model where we have a file stored on disk and we

Substitution and Impersonation

Impersonation Attack: Oscar introduces a message into the channel, hoping to have it accepted as authentic by Bob.
Substitution Attack: Oscar observes a message Y in the channel, which he intercepts and replaces by another message Z, hoping to have it accepted as authentic by Bob.
A good authentication technique should provide us quantitative or qualitative guarantees against substitution and impersonation attacks.

Authentication, Signatures and MACs

Authentication is a rich and formal subject, with codes known that provide unconditional security.
We focus instead on Digital Signatures and Message Authentication Codes (MACs), which are widely used in practice but offer only computational security.
In all of the above cases authentication is generally performed in practice by appending a tag to the message: m || a, where m is the message and a is either an

RSA Based Signature

[Figure: Message "Hello, I love you" -> Alice signs (encrypt with private key) -> signed message -> Bob verifies (decrypt with public key) -> Message "Hello, I love you"]

Alice signs the message by encrypting with her private key. Bob decrypts the message with Alice's public key.

RSA signature properties

- Verification: Bob knows the message is from Alice. Since he decrypted it with her public key, it must have been encrypted with her private key.
- Oscar needs to know Alice's private key to modify or forge messages.
- A signature cannot be attached to a different document.
- However, a signed message can be replayed unless further precautions are taken.
  "Transfer $M from my account to Oscar's. -- Alice"

Digital Signature Standard (DSS)

- Adopted as standard in 1994.
- Modified version of the ElGamal signature scheme.
- Public and private key, as in RSA.
- Security based on hardness of the discrete logarithm problem in $Z_p$, for suitable values of p.
- We do not study DSS in this course.

Digital Signatures General Framework

In general, denote signing message m by user x, using the private key, by $S_x(m)$ and verification by $V_x(m)$.
Digital signature with encryption is then:
- Alice signs m to get $S_A(m)$.
- She then encrypts with Bob's public key to get $E_B(S_A(m))$.
- Bob decrypts with his private key to get $D_B(E_B(S_A(m))) = S_A(m)$.
It is better to first sign and then encrypt rather than encrypt and then sign. Why??
Many esoteric types of signatures are known.

Signing With Message Digests

A message digest is a fixed-length fingerprint of a message. Instead of signing the message, sign the message digest.

Cryptographic Hash Functions

Requirements of cryptographic hash functions:
- Can be applied to data of any length.
- Output is fixed length.
- Relatively easy to compute h(x), given x.
- Infeasible to get x, given h(x).
- Given x, infeasible to find y such that h(x) = h(y). Weak collision property.
- Infeasible to find any pair x and y such that h(x) = h(y). Strong collision property.

MLHF: A Cryptographic Hash Function?

Consider the following hash function: treat the message as a sequence of 32 bit words and add them together to get the hash value.
Consider the message IOU.99BOB. In hex it is 49, 4F, 55, 32, 3, 3, 2E, 39, 39, 42, 4F, 42. This adds to B2, C, D2, AC.
The message IOU9.BOB also has the same hash value!
A very poor cryptographic hash function. MLHF: Memon's Lousy Hash Function!

MD5 - Message Digest Algorithm

MD5 Processing for Each Block

- 4 rounds for each 512 bit block.
- Each round uses a different primitive function: F, G, H and I.
- Buffers initialized as follows: A: B: EFCDAB89 C: 98BADCFE

MD5 Processing in Each Round

[Figure: MD5 round processing; inputs x, y, z; primitive functions F, G, H, I]

Hash Output Length

How long should the output (n bits) of a cryptographic hash function be?
To find a collision we can randomly select messages and check if the hash matches any that we know.
This is throwing k balls into $N = 2^n$ bins. How large should k be before the probability of landing two balls in the same bin becomes greater than ½?
The birthday paradox says that a collision can be found in roughly $\sqrt{N} = 2^{n/2}$ trials for an n

Birthday Paradox

The probability that the hash values of k random messages are distinct (that is, no collisions) is:

$$\prod_{i=1}^{k-1} \frac{N-i}{N} = \prod_{i=1}^{k-1} \left(1 - \frac{i}{N}\right) \approx \prod_{i=1}^{k-1} e^{-i/N} = e^{-k(k-1)/2N}$$

(as for small x, $1 - x \approx e^{-x}$, since $e^{-x} = 1 - x + \frac{x^2}{2!} - \frac{x^3}{3!} + \cdots$)

So for at least one collision we have a probability of $1 - e^{-k(k-1)/2N}$, whose value is above 0.5 when $k = 1.17\sqrt{N}$.

Other Cryptographic Hash Functions

Many other hash functions:
- SHA (Secure Hash Algorithm)
- RIPEM
- MD4
- MD6
- Etc.
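The word-sum hash (MLHF) and the birthday bound above, as an added Python example that is not part of the slides. The two IOU messages, the counter-style messages and the use of SHA-256 truncated to n bits as the n-bit hash are all constructed for this illustration.

```python
import hashlib
import math
import struct


def mlhf(msg: bytes) -> int:
    """Word-sum hash: add big-endian 32 bit words mod 2^32 (zero-padded to 4-byte multiple)."""
    msg += b"\x00" * (-len(msg) % 4)
    words = struct.unpack(f">{len(msg) // 4}I", msg)
    return sum(words) & 0xFFFFFFFF


def swap_in_column(msg: bytes, i: int, j: int) -> bytes:
    """Swap two bytes that sit in the same column of different words (i = j mod 4).

    Each column of the addition sees the same bytes in a different order,
    so the word sum is unchanged while the message is not.
    """
    if i % 4 != j % 4:
        raise ValueError("bytes must be in the same column")
    out = bytearray(msg)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256, standing in for an n-bit hash function."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def birthday_collision(n_bits: int):
    """Hash distinct messages until two digests match; return (m1, m2, trials)."""
    seen = {}
    trials = 0
    while True:
        msg = b"msg-%d" % trials
        trials += 1
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


def collision_probability(k: int, n_bits: int) -> float:
    """1 - e^(-k(k-1)/2N) with N = 2^n, the approximation derived on the slide."""
    return 1 - math.exp(-k * (k - 1) / (2 * 2 ** n_bits))


def trials_for_half(n_bits: int) -> int:
    """Smallest k whose collision probability exceeds 1/2."""
    k = 1
    while collision_probability(k, n_bits) <= 0.5:
        k += 1
    return k


if __name__ == "__main__":
    m1 = b"IOU100.99BOB"                       # constructed sample message
    m2 = swap_in_column(m1, 3, 7)              # b"IOU900.19BOB"
    print(m1, hex(mlhf(m1)))
    print(m2, hex(mlhf(m2)))
    a, b, trials = birthday_collision(24)
    print("24-bit collision after", trials, "trials;",
          "sqrt(N) =", 2 ** 12, "; k for P > 1/2 =", trials_for_half(24))
```
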

Message Authentication Codes

- Some applications require a key-based cryptographic hash: a Message Authentication Code (Cryptographic Check Sum).
- Strength of the system depends both on the size of the key and the size of the MAC.
- A MAC can be constructed based on any private key cryptosystem, though this can be computationally expensive.

MAC Using DES

HMAC

- Developed as part of IPSEC - RFC 2104. Also used in SSL etc.
- Key-based hash, but almost as fast as non-key-based hash functions.
- Avoids export restrictions, unlike DES-based MAC.
- Provable security.
- Can be used with different hash functions like MD5 etc.

HMAC

- Block size b bits.
- $K^+$: K padded with bits on the left to make b bits.
- ipad repeated b/8 times.
- opad repeated b/8 times.
- Essentially $\mathrm{HMAC}_K = H[(K^+ \oplus \mathrm{opad}) \,\|\, H[(K^+ \oplus \mathrm{ipad}) \,\|\, M]]$
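The HMAC formula above written out in Python and checked against the standard library, as an added example that is not from the slides. The ipad/opad byte values 0x36 and 0x5C and the key handling (keys longer than a block are hashed, zero bytes are appended after the key) are taken from RFC 2104; the function names, key and messages are constructed.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size      # b/8 bytes (64 for SHA-1, SHA-256)
    if len(key) > block:                           # RFC 2104: hash over-long keys first
        key = h(key)
    k_plus = key.ljust(block, b"\x00")             # RFC 2104: zero bytes appended to b bits
    inner_key = bytes(x ^ 0x36 for x in k_plus)    # K+ xor ipad
    outer_key = bytes(x ^ 0x5C for x in k_plus)    # K+ xor opad
    return h(outer_key + h(inner_key + msg))


def make_tagged(key: bytes, msg: bytes) -> tuple:
    """Transmitter side: append the tag a to the message m."""
    return msg, hmac_manual(key, msg)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)


if __name__ == "__main__":
    key = b"shared-secret-between-alice-and-bob"      # constructed key
    msg, tag = make_tagged(key, b"Transfer 10 to Bob")
    print("matches hmac module:", tag == hmac.new(key, msg, "sha256").digest())
    print("authentic message accepted:", verify(key, msg, tag))
    # Substitution: message replaced in transit, old tag kept.
    print("substituted message accepted:", verify(key, b"Transfer 10 to Oscar", tag))
    # Impersonation: a message tagged without knowledge of the key.
    print("wrong-key tag accepted:", verify(key, msg, hmac_manual(b"guess", msg)))
```
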

HMAC: An Efficient Implementation

Further Reading

- The MD5 unofficial homepage
- HMAC RFC
- Secure Hash Algorithm SHA
- Digital Signature Standard - DSS

CS 392/681 - Computer Security
Module 5: Key Exchange Algorithms
Nasir Memon, Polytechnic University

Course Issues

HW 2 due Thursday!

Key Exchange

The cryptographic primitives we have seen so far assume either:
- Alice and Bob share a secret key which is unknown to Oscar, or
- Alice has a trusted copy of Bob's public key.
But how does this happen in the first place?!!
Alice and Bob meet and manually exchange a key. Not always practical or possible.
We need key exchange protocols!
There are key distribution protocols and key agreement protocols.

Session Key Exchange With KDC

- Protocol assumes that Alice and Bob share a session key $K_A$ and $K_B$ with a Key Distribution Center (KDC).
- Alice calls Trent (Trusted KDC) and requests a session key to communicate with Bob.
- Trent generates a random session key K and sends $E_{K_A}(K)$ to Alice and $E_{K_B}(K)$ to Bob.
- Alice and Bob decrypt with $K_A$ and $K_B$ respectively to get K.
- This is a key distribution protocol.
- Susceptible to replay attack!

Session Key Exchange With KDC

1. A -> KDC: $ID_A \,\|\, ID_B \,\|\, N_1$
   (Hello, I am Alice, I want to talk to Bob, I need a session key and here is a random nonce identifying this request.)
2. KDC -> A: $E_{K_A}(K \,\|\, ID_B \,\|\, N_1 \,\|\, E_{K_B}(K \,\|\, ID_A))$
   (Encrypted: here is a key for you to talk to Bob as per your request $N_1$, and also an envelope to Bob containing the same key.)
3. A -> B: $E_{K_B}(K \,\|\, ID_A)$
   (I would like to talk using the key in the envelope sent by the KDC.)
4. B -> A: $E_K(N_2)$
   (OK Alice, but can you prove to me that you are indeed Alice and know the key?)
5. A -> B: $E_K(f(N_2))$
   (Sure I can!)

The last two steps are a challenge-response, commonly used to thwart replay attacks.

Session Key Exchange With Public Keys

- Alice gets Bob's public key from the KDC.
- Alice generates a random session key, encrypts it with Bob's public key and sends it to Bob.
- Bob decrypts using his private key to get the session key.
- Alice and Bob exchange a challenge-response.
- Above is still susceptible to man-in-the-middle

Man-in-the-middle Attack

- Alice sends a request to the KDC.
- Mallory intercepts and sends his own public key.
- Alice generates a random session key, encrypts it using Mallory's (she thinks Bob's) public key and sends it to Bob.
- Mallory intercepts the session key, decrypts it, then encrypts it with Bob's public key and sends it to Bob.
- Bob decrypts the session key.
- Alice and Bob use a session key to communicate that Bob knows!

Diffie-Hellman Key Exchange

- Protocol for exchanging a secret key over a public channel.
- Select global parameters n and g. n is prime and g is a primitive root in $Z_n$. These parameters are public and known to all.
- Alice privately selects random a and sends to Bob $g^a \bmod n$.
- Bob privately selects random b and sends to Alice $g^b \bmod n$.
- Alice and Bob privately compute $g^{ab}$, which is their shared secret.
- An observer Oscar can only compute $g^a \bmod n$ $g^b$

The Discrete Log Problem

- Given y and a in $Z_p$ where p is prime, find the unique x in $Z_p$ such that $y = a^x \bmod p$.
- For example, given 2 and 5 in $Z_7$, find the unique x such that $5^x = 2 \bmod 7$.
  $5^1 = 5$, $5^2 = 4$, $5^3 = 6$, $5^4 = 2$, $5^5 = 3$, $5^6 = 1$
- Now, given 949 and 2 in $Z_{2579}$, find the unique x such that $2^x = 949 \bmod 2579$!!
  = 949 mod Check with bc.
- No efficient algorithm known. NP-Hard.
- Note, a has to be a primitive root.
  $2^1 = 2$, $2^2 = 4$, $2^3 = 1$, $2^4 = 2$, $2^5 = 4$, $2^6 = 1$

Public Key Management

Diffie-Hellman is susceptible to a man-in-the-middle attack.
- Mallory captures a and b in transmission and replaces them with his own a and b.
- Essentially runs two Diffie-Hellmans, one with Alice and one with Bob.

How do you trust a public key?
1. Public announcement of keys.
2. Publicly available directory.
3. Public Key Authority.
4. Web of Trust (PGP).

Public Key Management

5. Public Key Certificates.
   - Certificate consisting of the user's ID and public key.
   - Signed by a trusted third party: a Certificate Authority (CA).
   - There could be many CAs.
   - There could be a hierarchy of CAs.

Which approach is best?
- 1 and 2 are really no solution.
- 3 does not scale well.
- 4 is interesting but has not succeeded in practice as expected.
- 5 is the solution embraced by industry. This is what

Public Directory or Authority Solutions

If Alice and Bob want to talk, they both get each other's public key from a central directory or authority.
Disadvantages:
- Does not scale well.
- KDC has to store every user's public key.
- KDC provides a single point of failure.
- Performance bottleneck.
Multiple directories or authorities do not solve the above problems.
Instead: Digital Certificates.

Public Key Certificate

- Public Key Certificate: signed messages specifying a name (identity) and the corresponding public key.
- Signed by whom? A Certification Authority (CA), an organization that issues public key certificates.
- We assume that everyone is in possession of a trusted copy of the CA's public key.
- CA could be:
  - Internal CA.
  - Outsourced CA.
  - Trusted Third-Party CA.

Public Key Certificate

Note: Mechanism of certification and content of certificate will vary, but at the minimum we have verification, and the certificate contains an ID and a Public Key.
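The Diffie-Hellman exchange and the discrete log examples from the earlier slides, as an added Python example that is not part of the slides. It uses the slide parameters (Z_7, and n = 2579 with g = 2); the function names are assumptions, and the exhaustive search only finishes because these moduli are tiny, which is why real parameters must be far larger.

```python
import secrets


def order(a, p):
    """Multiplicative order of a in Z_p (exhaustive; small prime p only)."""
    if a % p == 0:
        raise ValueError("a must be non-zero mod p")
    value, k = a % p, 1
    while value != 1:
        value = value * a % p
        k += 1
    return k


def is_primitive_root(g, p):
    """g is a primitive root in Z_p iff its powers reach all p-1 non-zero elements."""
    return order(g, p) == p - 1


def powers(a, p):
    """[a^1, a^2, ..., a^(p-1)] mod p, the tables written out on the slide."""
    out, value = [], 1
    for _ in range(p - 1):
        value = value * a % p
        out.append(value)
    return out


def discrete_log(a, y, p):
    """Smallest x >= 1 with a^x = y (mod p) by trying every exponent, or None."""
    value = 1
    for x in range(1, p):
        value = value * a % p
        if value == y % p:
            return x
    return None


def dh_exchange(g, n):
    """One run of the protocol; returns both private values and all derived values."""
    a = 1 + secrets.randbelow(n - 2)          # Alice's private a in 1 .. n-2
    b = 1 + secrets.randbelow(n - 2)          # Bob's private b in 1 .. n-2
    A = pow(g, a, n)                          # Alice -> Bob: g^a mod n
    B = pow(g, b, n)                          # Bob -> Alice: g^b mod n
    k_alice = pow(B, a, n)                    # (g^b)^a
    k_bob = pow(A, b, n)                      # (g^a)^b
    return {"a": a, "b": b, "A": A, "B": B, "k_alice": k_alice, "k_bob": k_bob}


if __name__ == "__main__":
    print("powers of 5 in Z_7:", powers(5, 7), "-> primitive root:", is_primitive_root(5, 7))
    print("powers of 2 in Z_7:", powers(2, 7), "-> primitive root:", is_primitive_root(2, 7))
    print("x with 5^x = 2 mod 7:", discrete_log(5, 2, 7))
    print("x with 2^x = 3 mod 7:", discrete_log(2, 3, 7))   # None: 2 never reaches 3
    run = dh_exchange(2, 2579)
    print("shared secrets equal:", run["k_alice"] == run["k_bob"])
    # With a 12-bit modulus the private value falls out of the public one by search.
    print("a recovered from g^a:", discrete_log(2, run["A"], 2579) == run["a"])
```
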

Certificate Revocation

- CA also needs some mechanism to revoke certificates:
  - Private key compromised.
  - CA mistake in issuing certificate.
  - Particular service the certificate grants access to may no longer exist.
  - CA compromised.
- Expiration time solves the problems only partially.
- Certification Revocation Lists (CRL): a list of every certificate that has been revoked but not expired.
- CRLs quickly grow large!

Advantages of CA Over KDC

- CA does not need to be on-line!
- CA can be a very simple computing device.
- If CA crashes, life goes on (except CRL).
- Certificates can be stored in an insecure manner!!
- Compromised CA cannot decrypt messages.
- Scales well.

Multiple CAs

Certificates validating each other's Public Key.

[Figure: CIA KDC, KGB KDC, Alice, Bob]

How does Alice talk to Bob?
- She obtains Bob's certificate signed by KGB-KDC.
- She obtains KGB-KDC's certificate signed by CIA-KDC.
- Concept can be generalized to multiple CAs.

X.509

- Clearly, there is a need for standardization: X.509.
- Originally 1988, revised 93 and 95.
- X.509 is part of the X.500 series that defines a directory service.
- Defines a framework for authentication services by X.500 directory to its users.
- Used in S/MIME, IPSEC, SSL, SET etc.
- Does not dictate use of a specific algorithm (recommends RSA).

X.509 Certificate

X.509 CA Hierarchy

Example. Y<<X>> means the certificate of user X issued by CA Y.
To talk to B, A obtains the following chain:
X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
Simpler if X has X<<Z>>.

X.509 Authentication

One-way. Establishes the following:
- Identity of A and message was generated by A.
- Message was intended for B.
- Integrity and originality of message.

X.509 Authentication

Two-way. One-way plus the above, which establishes the following:
- Identity of B and message was generated by B.
- Message was intended for A.
- Integrity and originality of message.

X.509 Authentication

Three-way. Nonces echoed back and forth to prevent replay attacks. Needed when a synchronized clock is not available.

Public-key Infrastructure (PKI)

- Combination of digital certificates, public-key cryptography, and certificate authorities.
- A typical enterprise's PKI encompasses:
  - issuance of digital certificates to users and servers
  - end-user enrollment software
  - integration with corporate certificate directories
  - tools for managing, renewing, and revoking certificates; and related services and support
- Verisign, Thawte and Entrust: PKI providers.
- Your own PKI using Netscape/Microsoft certificate servers.

Ten Risks of PKI (Ellison and Schneier)

- Who do we trust, and for what?
- Who is using my key?
- How secure is the verifying computer?
- Which John Robinson is he?
- Is the CA an authority?
- Is the user part of the security design?
- Was it one CA or a CA plus a Registration Authority?
- How did the CA identify the certificate holder?
- How secure are the certificate practices?
- Why are we using the CA process, anyway?

Further Reading

- X.509 page
- Ten Risks of PKI


More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Lecture 4: Cryptography III; Security. Course Administration

Lecture 4: Cryptography III;  Security. Course Administration Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2014 Nitesh Saxena Course Administration HW/Lab 1 Posted Due at 11am on Sep 29 Labs are active starting this week

More information

Encryption Algorithms

Encryption Algorithms Encryption Algorithms 1. Transposition Ciphers 2. Substitution Ciphers 3. Product Ciphers 4. Exponentiation Ciphers 5. Cryptography based on Discrete Logarithms 6. Advanced Encryption Standard (AES) 1.

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

Content of this part

Content of this part UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use

More information

Spring 2010: CS419 Computer Security

Spring 2010: CS419 Computer Security Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating

More information

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages. Telling Secrets Secret Writing Through the Ages William Turner Department of Mathematics & Computer Science Wabash College Crawfordsville, IN 47933 Tuesday 4 February 2014 W. J. Turner Telling Secrets

More information

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher

More information

Stream Ciphers and Block Ciphers

Stream Ciphers and Block Ciphers Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.

More information

Encryption Details COMP620

Encryption Details COMP620 Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more

More information

Network Security Essentials Chapter 2

Network Security Essentials Chapter 2 Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50 Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested

More information

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4 EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 4 Department of Electrical and Computer Engineering Cleveland State University wenbing@ieee.org Outline Review

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran

More information

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions

More information

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 9 Public Key Cryptography. WANG YANG Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1 Block Ciphers Lucifer, DES, RC5, AES CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk Block Ciphers 1 ... Block Ciphers & S-P Networks Block Ciphers: Substitution ciphers

More information

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing

More information

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK UNIT-1 1. Answer the following: a. What is Non-repudiation b. Distinguish between stream and block ciphers c. List out the problems of one time pad d. Define

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms CS 472 Spring 13 Lecture 6 Mohammad Almalag 2/19/2013 Public Key Algorithms - Introduction Public key algorithms are a motley crew, how? All hash algorithms do the same thing: Take

More information

Computational Security, Stream and Block Cipher Functions

Computational Security, Stream and Block Cipher Functions Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for

More information

Symmetric Cryptography. CS4264 Fall 2016

Symmetric Cryptography. CS4264 Fall 2016 Symmetric Cryptography CS4264 Fall 2016 Correction: TA Office Hour Stefan Nagy (snagy2@vt.edu) Office hour: Thursday Friday 10-11 AM, 106 McBryde Hall 2 Slides credit to Abdou Illia RECAP AND HIGH-LEVEL

More information

Cryptography III: Symmetric Ciphers

Cryptography III: Symmetric Ciphers Cryptography III: Symmetric Ciphers Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 14th February 2008 Outline Stream ciphers Block ciphers DES and Rijndael Summary

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 22, 2014 CPSC 467, Lecture 8 1/59 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography

More information

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology Question Bank Subject: Information Security (160702) Class: BE Sem. VI (CE/IT) Unit-1: Conventional

More information

Lecture IV : Cryptography, Fundamentals

Lecture IV : Cryptography, Fundamentals Lecture IV : Cryptography, Fundamentals Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University Spring 2012 Basic Principles

More information

Channel Coding and Cryptography Part II: Introduction to Cryptography

Channel Coding and Cryptography Part II: Introduction to Cryptography Channel Coding and Cryptography Part II: Introduction to Cryptography Prof. Dr.-Ing. habil. Andreas Ahrens Communications Signal Processing Group, University of Technology, Business and Design Email: andreas.ahrens@hs-wismar.de

More information

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1 Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions

More information

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Algorithms (III) Yijia Chen Shanghai Jiaotong University Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran

More information

Security: Cryptography

Security: Cryptography Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity

More information

Goals of Modern Cryptography

Goals of Modern Cryptography Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National

More information

Symmetric Encryption Algorithms

Symmetric Encryption Algorithms Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Algorithms (III) Yu Yu. Shanghai Jiaotong University Algorithms (III) Yu Yu Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the assumed

More information

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I) Outline ISA 662 Internet Security Protocols Some Math Essentials & History Asymmetric signatures and key exchange Asymmetric encryption Symmetric MACs Lecture 2 ISA 662 1 2 Beauty of Mathematics Demonstration

More information

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on

More information

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest 1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published

More information

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 L3: Basic Cryptography II Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 8/29/2016 CSCI 451 -Fall 2016 1 Acknowledgement Many slides are from or

More information