Applied Cryptography Protocol Building Blocks

Transcription

1 Applied Cryptography Protocol Building Blocks Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1

2 Protocols An algorithm describes a series of steps carried out by a process to accomplish a task. A protocol can be viewed as a description of the communication steps that are carried out by two or more communicating processes to carry out a task, or, if you like, a distributed algorithm. 2

3 Cryptographic Protocols In cryptographic protocols we are concerned with unintended anonymous participants (eavesdroppers or active intruders) which makes it necessary to design the protocols in such a way that Participants learn only what the protocol intends them to learn, Protocol messages provide useful information only to genuine participants Protocol messages are designed so that only genuine participants can generate them 3

4 Arbitrated Protocol Example: buying a house (Dutch protocol). Buyer and seller agree on a trusted third party, the arbitrator. In this example, the arbitrator is a notary public. Buyer gives money to the arbitrator, who keeps it in escrow, The arbitrator verifies seller s title to the house and lets the seller sign the transfer of title to the buyer. The arbitrator then gives the escrowed money to the seller. 4

5 Arbitrated and Adjudicated Protocols Trent Alice Arbitrated Protocol Bob Alice Evidence Bob Evidence Trent Adjudicated Protocol 5

6 Passive and Active Attacks Alice Eve Bob Plaintext Encryption Sender A E(M) = C Ciphertext Decryption Plaintext M Receiver B D(C) = M Mallory Alice Modification Insertion Deletion Replay Bob Plaintext Encryption M Sender A E(M) = C Ciphertext Decryption Plaintext M Receiver B D(C) = M 6

7 Cheaters A malicious participant in a protocol is called a cheater. There are many protocols that defend against cheating. Banking protocols are an obvious example. Passive cheaters run a protocol according to its rules, but try to obtain information they are not supposed to get. Active cheaters abuse protocols in order to mislead other participants. 7

8 Symmetric Cryptography Alice Bob Encryption Decryption Encryption Decryption M Encryption C Decryption M 8

9 Key Issues Keys must be distributed in secret If keys are compromised, all traffic encrypted with that key may be exposed Each pair of principals requires a separate key n principals need n(n 1)/2 keys Key management is really, really important! 9

10 One-way functions One-way functions have many functions in cryptographic algorithms. Given x and a one-way function f, y = f (x) is relatively easy to compute, but given y and f, finding x : y = f (x) is computationally infeasible. 10

11 Computationally Infeasible Cryptographic algorithms rely on the property that it is easy to encrypt or decrypt messages with the appropriate keys, or calculate digests, but very hard to find keys. The RSA public-key cryptosystem, for example, relies on the fact that, given two large prime numbers p, and q, it is easy to compute n = p q, but, given only n, it is very difficult indeed to factor n into its constituents p and q. There are no mathematical proofs for the difficulty of breaking any cryptographic algorithm; in fact, algorithms are broken with frightening regularity. 11

12 One-way Hash Many names: one-way hash function, message digest, fingerprint, cryptographic checksum, message integrity check (MIC), manipulation-detection code. A message digest takes a variable-length string (which could be as large as a whole book) and computes a fixed-length (e.g., 128 bits) one-way function with the property that: given the message digest and, if you like, the string that produced it it is computationally infeasible to produce a different string with the same digest. Hash functions are usually not secret. They are intended to prevent tampering. 12

13 Message Authentication Code A message authentication code (MAC) or data authentication code (DAC) is a message digest of a message and a secret key. If you know the secret key, you can verify the MAC. 13

14 Public-Key Cryptography Alice Bob Encryption Decryption Encryption Decryption M Encryption C Decryption M 14

15 Key Management Note that Eve learns nothing useful from this exchange: she learns Bob s public key, but that key is useless for decrypting Alice s message. Bob s public key is exactly what it says: public. Everybody could put their public key is a database and Alice could get Bob s key from there. The number of keys goes up linearly with the number of principals, not quadratically as in the case of symmetric cryptosystems. 15

16 Symmetric Algorithms in Practice There are many official and unofficial standards for symmetric encryption: DES, Triple-DES, IDEA, RC5, Blowfish,... Symmetric encryption is quite fast: with hardware support, DES runs at 200 MBps; in software, DES will do 2 MBps on a Pentium II at 400 MHz. IDEA is twice as fast. Software Blowfish five times. RC5 is three to four. Triple-DES is three times slower (naturally). DES has a small key: 56 bits. All other useful cryptographic systems have bigger keys. IDEA has a 128-bit key. Standards with keys smaller than 56 bits are only popular with governments for obvious reasons. 16

17 Asymmetric Algorithms in Practice The notion of asymmetric cryptography was invented by Diffie and Hellman in the mid-seventies. The first practical algorithm was invented a few years later by Rivest, Shamir and Adleman. There is now a small set of known algorithms, but RSA remains the best known. With hardware support, speeds of 100 megabytes per second have been achieved; in software, speeds are only a few kilobytes per second (1024-bit key). Keys are much larger for asymmetric encryption. 17

18 Hybrid Cryptosystems Since asymmetric cryptography has more functionality and symmetric encryption is much faster, it is interesting to combine the two: Asymmetric cryptography can be used to authenticate the parties and to agree on a key for a symmetric cryptosystem. That key is then used for the duration of a single session. This has a number of advantages... 18

19 Advantages of Hybrid Cryptoystems The amount of encryption with long-term keys is minimized, thus reducing the probability of compromise of those keys. The session key is used for encrypting the bulk of the data, but it is used only once. If this key is compromised, the damage is limited. One has to be careful what gets encrypted with a publickey system: The attacker knows the (public) encryption key, so, any time the number of different messages is small, an attacker can encrypt each one to see if it encrypts to the encrypted message that was sent. 19

20 Digital Signatures We want to create a digital analogue of the handwritten signature that has the same important properties. It is 1. Authentic: the recipient believes the signer deliberately signed the document. 2. Unforgeable: the signature proves that the signer, and nobody else, signed the document. 3. Single purpose: the signature is attached to the document and cannot be moved to a different one. 4. Unalterable: after it has been signed, the document can no longer be changed. 5. Unrepudiable: after the fact, the signer can not successfully deny having signed the document. 20

21 Digital Signatures with an Arbitrator Trent, the arbitrator is trusted by everyone. What he says is true. Alice shares K AT with Trent; only Alice and Trent know K AT. Bob shares K BT with Trent; only Bob and Trent know K BT. 1. {B needs M} KAT 2. {A says M} KBT Properties: (1) Authentic; (2) Unforgeable; (3) Single purpose; (4) Unalterable; (5) Unrepudiable; 21

22 More Properties of Symmetric Signatures Bob cannot show Alice s signed message to Carol. He has to ask Trent to show it to her: 1. {C needs {A says M} KBT } KBT 2. {A says M} KT C Or, if you like accuracy and complexity: 1. {C needs {A says M}} KBT 2. {{B says A says M} {A oncesaid B needs M} 22

23 Trent is a Liability Trent has to be absolutely trustworthy. If he makes mistakes, no matter how rarely, nobody is going to trust him. And if his database of shared keys should ever be compromised, the world around him would collapse. Trent is in the path of every signed communication. makes Trent a bottleneck. This Replicating Trent may solve that problem, but it makes the problem of making him truly worthy of his trust so much more complicated. It really would be nice if there were something better. 23

24 Signatures with Public-Key Cryptography Some public-key algorithms are almost symmetric they can be used in two directions: anything encrypted with one key can be decrypted with the other. We use this as follows (remember our notation: K is the public key, K 1 is the private key): 1. A says {M} K 1 A 2. {{M} K 1 } K A A =? M Properties: (1) Authentic; (2) Unforgeable; (3) Single purpose; (4) Unalterable; (5) Unrepudiable; 24

25 Timestamps Signed messages without timestamps are vulnerable to replay attacks. Suppose Alice s message was a digital cheque. Bob could then try to cash it multiple times. If Alice s message contained a timestamp remember Logical Clocks? Sequence numbers are timestamps too the bank could (and would) recognize replay attack by keeping track of timestamps. 25

26 Signatures and Digests Public-key encryption is slow. Signing a large message by encrypting it with PK encryption is a time-consuming affair. A practical alternative is to compute a one-way hash of the message and to encrypt that with a secret key instead: 1. A says M {H(M)} K 1 A 2. {{H(M)} K 1 } K A A =? H(M) This works, because one-way hashes are designed such that the probability that an attacker can find a message M such that H(M ) = H(M) is vanishingly small. 26

27 Multiple Signatures With hashes, a document M can easily carry multiple signatures. Each signature is a fixed-length encryption of the message digest, using a different secret key each time: M, {H(M)} K 1 A, {H(M)} KB 1, {H(M)} KC 1 Notation: S A (M) or {M} SA is message M signed by Alice. V A (S A (M))=? M is the verification. 27

28 Repudiation of Digital Signatures Alice signs M and then she conveniently loses her key. When confronted with M and her signature, she denies ever having signed it and points out that she has lost her key. Repudiation is denying something you did. Time stamps help to some extent. In digital payment schemes, nonrepudiation is important. Locking secret keys in tamperproof environments (such as smart cards one day hope to be) helps a lot. 28

29 Signed and Sealed Messages Here s the cryptographic equivalent of signing a letter and putting it into a sealed envelope. 1. E B (S A (M)) 2. V A (D B (E B (S A (M))))=? M 29

30 You could try it the other way round 1. S A (E B (M)) 2. D B (V A (S A (E B (M))))=? M But: 1. S A (E B (M)) 2. S M (E B (M)) [= S M (V A (S A (E B (M))))] Never sign anything you can t read! 30

31 Not a Good Receipt 1. E B (S A (M)) 2. V A (D B (E B (S A (M))))=? M 3. E A (S B (M)) 31

32 Here s why (V = E and S = D) 1. E B (D A (M)) (message for Bob) 2. E B (D A (M)) (literal replay) 3. E M (D B (E B (D A (M)))) = E M (D A (M)) (gibberis 4. E M (D B (E M (D A (M)))) (receipt) 5. D M (E B (D M (E M (D B (E M (D A (M))))))) = M (!) Never, ever, encrypt something you didn t generate yourself! 32

33 A Better Receipt 1. E B (S A (M), N A ) 2. V A (D B (E B (S A (M))))=? M 1. S B (N A, N B ) N A is a random number used as a nonce. Bob adds N B so that he doesn t encrypt something he didn t generate himself. 33

34 Lessons Don t sign something you can t read Don t sign or encrypt something you didn t generate Don t use exactly the same algorithm/key for signing and decrypting Use timestamps or nonces to prevent replay attacks Don t respond to gibberish (and make sure messages you send don t look like gibberish) 34

35 Certificates How does Bob know Alice s public key? Alice could tell Bob, but Mallory could change the message. We need Trent as a universally trusted agent. Trent, in his role of certification authority or key distribution center, constructs messages of the form: S T (T T, Alice s public key is K A ), where T T is Trent s timestamp and T S is, of course, Trent s signature. Trent s messages are certificates, signed and dated statements. Trent can send them when somebody needs them, or he can put them in a database, for others to retrieve. 35

36 Random Numbers Keys and nonces are almost always generated with the help of a random-number generator. If you don t use a good random number generator, it is likely your enemies can guess your keys. It s happened. 36

37 Good random numbers The number of zeroes and ones is approximately equal Half the runs should be of length one, a quarter of length two, etc. A random sequence must not be compressible It must be computationally infeasible to predict the next bit, even knowing the algorithm and all the previous bits (but not the internal state of the generator) 37

38 Using Random Number Devices Devices exist that measure quantom noise in a resistor and convert that to sequences of ones and zeroes. This is about as random as you can get. Some programs use humans as a source of quantum noise: the user is requested to rattle the keyboard; keystrokes and their timings are used to provide a sequence of seeds for a pseudo random-number generator 38