Tuesday, January 17, 17. Crypto - mini lecture 1

Similar documents
Cryptography. Rachel Greenstadt July 18, 2013

Study Guide to Mideterm Exam

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7

Lecture 2 Applied Cryptography (Part 2)

RSA. Public Key CryptoSystem

Cryptography and Network Security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Some Stuff About Crypto

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Overview. Public Key Algorithms I

Encryption Details COMP620

Public Key Cryptography

Public Key Cryptography

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Cryptography and Network Security

Security. Communication security. System Security

Encryption. INST 346, Section 0201 April 3, 2018

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Lecture 6 - Cryptography

Public Key Algorithms

CS408 Cryptography & Internet Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

18-642: Cryptography 11/15/ Philip Koopman

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

Computer Security: Principles and Practice

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Lecture 1 Applied Cryptography (Part 1)

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptographic Concepts

Cryptographic Hash Functions. *Slides borrowed from Vitaly Shmatikov

Chapter 3 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public Key Algorithms

18-642: Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Introduction to Cryptography. Vasil Slavov William Jewell College

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Computer Security 3/23/18

Public Key Algorithms

Lecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010

Chapter 9 Public Key Cryptography. WANG YANG

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Security: Cryptography

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

David Wetherall, with some slides from Radia Perlman s security lectures.

Public-key encipherment concept

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

CS669 Network Security

Lecture IV : Cryptography, Fundamentals

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

n-bit Output Feedback

CSC 474/574 Information Systems Security

Topics. Number Theory Review. Public Key Cryptography

Garantía y Seguridad en Sistemas y Redes

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Cryptography MIS

Channel Coding and Cryptography Part II: Introduction to Cryptography

Practical Aspects of Modern Cryptography

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

CS682 Advanced Security Topics

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

Public Key Encryption

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Lecture 6: Overview of Public-Key Cryptography and RSA

CRYPTOGRAPHY & DIGITAL SIGNATURE

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

Public Key Cryptography and RSA

RSA (algorithm) History

Introduction to Cryptography. Lecture 6

CSC 474/574 Information Systems Security

Kurose & Ross, Chapters (5 th ed.)

LECTURE 4: Cryptography

Making and Breaking Ciphers

Cryptographic Hash Functions

Classical Cryptography. Thierry Sans

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

PROTECTING CONVERSATIONS

What did we talk about last time? Public key cryptography A little number theory

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Technological foundation

CSC 580 Cryptography and Computer Security

Transcription:

Crypto - mini lecture 1

Cryptography Symmetric key cryptography (secret key crypto): sender and receiver keys identical Asymmetric key cryptography (public key crypto): encryption key public, decryption key secret (private)

Goal of Encryption Provide confidentiality - no one can read the data not anonymity

Vernam Ciphers XOR cipher - encryption and decryption the same, Block of data XOR key Vernam s cipher used a message with a paper tape loop that read off the key More modern versions use a pseudorandom number generator (stream cipher) One-time pad - If key perfectly random AND only used once, then perfect secrecy is assured Drawbacks?

Reusing one-time pads M1 K1 E1 = M2 K1 E2 = E1 E2 =

Old School Cryptography Caesar cipher - shift cipher (each letter replaced by one a fixed length down) Veni, vidi, vici -> Yhql, ylgl, ylel Monoalphabetic substitution : substitute one letter for another S-box - bit level substitution Transposition - Permute the order of the message P-box - bit level transposition

Multiple Round Ciphers Multiple rounds of complex ciphers made up of permutations, substitutions, xor, etc Examples DES, AES DES not so secure because key too short Hard to understand, little proof of security (except that if anyone knows how to break they re not telling)

Data Lifetime List three types of data whose lifetime (amount of time for which confidentiality protection is needed) is approximately one day. List three whose lifetime is closer to one year. List three whose lifetime is closer to one century.

Encrypt Block State SubBytes Add AES Mix - Shift the Round Transformation Columns overview 128-bit Rows Keyinput (Cipher) // simplified DES Security! State is a 4 by 4 array of bytes, initialized (col-by-col) with the 16-byte plaintext block (see below)! Final value of state is returned as ciphertext DES not State too 0 susceptible 1 to 2 differential 3 or linear encrypt (plaintext, roundkey) state = cryptanalysis plaintext state = AddRoundKey (state, roundkey[0]) for round BUT, = 156-bit to ROUNDS key is just too short state = SubBytes 2 (state) in[2] in[6] in[10] in[14] Change each EFF s byte Deep of state Crack with breaks corresponding 56 hours byte (1998) from for SBOX state = ShiftRows 3 (state) in[3] in[7] in[11] in[15] matrix: if round $250,000 < SBOX ROUNDS [X,Y] then state = AffineTranformation({XY} = MixColumns each (state) byte of the -1 state ) is Affine state Transformation = AddRoundKey does (state, a roundkey[round]) matrix multiplication followed by! Bytes end of distributed.net State correspond to finite vector and field Deep elements addition Crack in GF(222 8 ) hours (1999)! Columns return of state State correspond // convert to to WORDS, 1-dim. and i.e. return 4-term as polynomials ciphertext In the MixColumns step, each column of with the finite state field is COPACOBANA FPGA machine $10,000, 6.4 days elements in GF(2 byte 8 ), as coefficients. is shifted differs for operation each row. ( ). per key 0 // note in[0] plaintext in[4] is 1-dim., in[8] state 2-dim. in[12] 1 in[1] in[5] in[9] in[13] In the AddRoundKey step, In the ShiftRows step, bytes combined each row with of a the byte state of the are shifted cyclically to the left. round The number subkey using of places the XOR each multiplied with a fixed polynomial c(x).

Security of AES Most successful attacks are side-channel attacks Side-channel attacks use weaknesses in the physical implementation of the system, not the algorithm or brute-force keycracking D.J. Bernstein showed that delays in encryption time due to cache misses can be used to infer key, demonstrated against a custom remote server using OpenSSL s AES implementation, Osvik et al showed that local attacks could infer the key in 65 milliseconds

Problems with Symmetric Key Crypto Scalability - separate communication between N people requires N(N-1)/2 keys Key management Key disposal Key change Key distribution Key storage and backup

Applications of Public Key Crypto Encryption for confidentiality Anyone can encrypt a message With symmetric key cryptography, must know secret key to encrypt Only someone who knows private key can decrypt Key management is simpler (maybe) Secret is stored only at one site Digital signatures for authentication Can sign a message with private key Session Key establishment Exchange messages to create a special session key Then use symmetric key cryptography

Diffie-Hellman Protocol (1976) Alice and Bob never met and share no secrets Public info : p and g p is a large prime number, g is a generator of Zp * Zp * ={1,2,...,p-1}; a Zp* i such that a=g i mod p Modular arithmetic (numbers wrap around after they reach p) 0 = p mod p

Why is Diffie-Hellman Secure? Discrete Log (DL) problem: given g x mod p, it s hard to extract x There is no known efficient algorithm for doing this This is not enough for Diffie-Hellman to be secure! (Why?) Computational Diffie-Hellman problem: given g x and g y, it s hard to compute g xy mod p unless you know x or y, in which case it s easy Decisional Diffie-Hellman (DDH) problem: given g x and g y, it s hard to distinguish between g xy mod p and g r mod p where r is random

Properties of Diffie-Hellman Assuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers Eavesdropper can t distinguish between established key and a random value Can use new key for symmetric cryptography Approx. 1000 times faster than modular exponentiation Diffie-Hellman protocol (by itself) does not provide authentication

Diffie-Hellman Handshake Alice EBob(g x ) g y, H(K) Bob K= g xy This depends on the hardness of discrete log (hard to find x from g x ) Now both sides have a symmetric key, K= g xy, Why do we need to encrypt g x? Why do we need H(K)? What s still broken?

Requirements for Public Key Crypto Key generation: computationally easy to generate a pair (public key PK, private key SK) Computationally hard to obtain private key SK given only public key PK Encryption: given plaintext M and public key PK easy to compute ciphertext C = EPK(M) Decryption: given ciphertext C = E PK(M) and private key SK, easy to compute plaintext M Infeasible to compute M from C without SK Even infeasible to learn partial information about M Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M

RSA: Number Theory Euler totient function ϕ(n), where n 1, is the number of integers in the [1,n] interval that are relatively prime to n Two numbers are relatively prime if their greatest common divisor (gcd) is 1 Euler s theorem: if a Zn *, then a ϕ(n) =1 mod n Special case: Fermat s Little Theorem: if p is prime and gcd(a,p)=1, then a p-1 =1 mod p

RSA Cryptosystem Key generation: Generate large primes p, q (1024 bits? 2048?) use primality test Compute n=pq and ϕ(n)=(p-1)(q-1) Choose small e, relatively prime to ϕ(n) Typically, e=3 or e=2 16 +1=65537 Compute unique d such that ed = 1 mod ϕ(n) Public key = (e,n); private key = d Encryption of m: c = me mod n Modular exponentiation by repeated squaring Decryption of c: cd mod n = (m e ) d mod n = m

Why Decryption Works e d=1 mod ϕ(n) Thus e d=1+k ϕ(n)=1+k(p-1)(q-1) for some k Let m be any integer in Zn If gcd(m,p)=1, then m ed =m mod p By Fermat s Little Theorem, m p-1 =1 mod p Raise both sides to the power k(q-1) and multiply by m m 1+k(p-1)(q-1) =m mod p, thus m ed =m mod p By the same argument, m ed =m mod q Since p and q are distinct primes and p q=n, m ed =m mod n

Why is RSA Secure? RSA problem: given n=pq, e such that gcd(e,(p-1)(q-1))=1 and c, find m such that m e =c mod n i.e., recover m from ciphertext c and public key (n,e) by taking e th root of c There is no known efficient algorithm for doing this Factoring problem: given positive integer n, find primes p1,, pk such that n=p1 e1 p2 e2 pk ek If factoring is easy, then RSA problem is easy, but there is no known reduction from factoring to RSA It may be possible to break RSA without factoring n

Caveats Don t use RSA directly e =3 is a common exponent If m < n1/3, then c = m 3 < n and can just take the cube root of c to recover m Even problems if pad m in some ways [Hastad] Let c i = m 3 mod ni - same message is encrypted to three people Adversary can compute m 3 mod n1n2n3 (using Chinese Remainder Theorem) Then take ordinary cube root to recover m

Integrity in RSA Encryption Plain RSA does not provide integrity Given encryptions of m1 and m2, attacker can create encryption of m1 m2 (m1e) (m2e) mod n = (m1 m2)e mod n Attacker can convert m into m k without decrypting (m e ) k mod n = (m k ) e mod n In practice, OAEP is used: instead of encrypting M, encrypt M G(r) ; r H(M G(r)) r is random and fresh, G and H are hash functions Resulting encryption is plaintext-aware: infeasible to compute a valid encryption without knowing plaintext if hash functions are good and RSA problem is hard

OAEP Encryption To encode, messages are padded with k1 zeros to be n k0 bits in length r is a random k0 bit string G expands the k0 bits of r to n k0 bits. X = m00..0 G(r) H reduces the n k0 bits of X to k0 bits. Y = r H(X) The output is X Y where X is shown in the diagram as the leftmost block and Y as the rightmost block. To decode, recover random string as r = Y H(X) recover message as m00..0 = X G(r)

Randomness and Cryptography Recent work (soon to be published) by Lenstra et al and Heninger et al shows many keys out there generated with bad randomness ~ 4% RSA moduli shared between two certificates Most crypto libraries use /dev/urandom even though no guaranteed entropy (especially on boot) Real, concrete problem in applied security

Digital Signatures

Digital Signature Properties Authentication - It s really Bob that sent this Nonrepudiation - Bob can t later claim he didn t mean this Integrity - This is the thing Bob meant to send

RSA Signatures Public key is (n,e), private key is d To sign message m: s = m d mod n Signing and decryption are the same operation in RSA (not true for all schemes) It s infeasible to compute s on m if you don t know d To verify signature s on message m: s e mod n = (m d ) e mod n = m Just like encryption Anyone who knows n and e (public key) can verify signatures produced with d (private key) In practice, also need padding & hashing (why?)

More on Signing Decryption not always signature Sign a hash not the message Signing a hash image with size equal to modulus is provably secure

Introduction to Hash Functions If H is a hash function, m is an input bit string, and h is the output of H applied to the input m, then we write h = H(m). Some common and useful terminology: If h = H(m) then h is called the "hash" of m, m is called a "preimage" of h, for a given input m, a "second preimage" of m is a different input m' such that H(m) = H(m'), if m and m' are different inputs such that H(m) = H(m') then the pair {m,m'} is called a "collision" for H.

Collision Resistance Strong collision resistance Hard to find *any* x,y such that h(x)=h(y) Weak collision resistance / preimage attacks First preimage attack: given hash h 1, find m such that h(m) = h1 Second preimage attack : Given message m 1 find message m2 such that h(m1) = h(m2)

First case H( hello world ) = x find y such that H(y) =x Second case m and m s.t. H(m) = H(m )

Birthday Attacks on Collision Resistance Given function h, goal is find two inputs x,y such that h(x) = h(y) Based on the birthday paradox: A group of 23 or more people will have the same probability > 50% H different outputs, then expected 1.25*sqrt(H) to find a match so 2160 outputs for SHA-1, leads to approx 2 80 tries

Example Hash Functions MD5 - NOT SECURE SHA1 - Questionable Security SHA2-4 functions, reasonable security SHA3 (Keccak)

Public Key Infrastructure (PKI) Only secure if binding between public key and owner is correct Approaches to verifying this Hierarchical certificate authorities (x509) Local trust model (SPKI/SDSI) Web of trust (PGP/GPG)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback