Limits of Cryptography (Grenzen der Kryptographie)
Dieter Gollmann, Microsoft Research
Summary
- Crypto does not solve security problems; crypto transforms security problems.
- Typically, the new problems relate to key management and the protection of keys.
- In these areas, reasonable solutions exist for closed systems, but hardly for open and public systems.
Agenda
- A brief history of cryptography
- A long look at public key cryptography
- Security protocols and their verification
- Open and closed environments
- Conclusions
The origins of cryptography (figure: Alice and Bob)
- Two secure end systems communicate over an insecure channel.
- The enemy is an outsider listening to the traffic.

Symmetric key encryption (figure): A encrypts plaintext to ciphertext; B decrypts the ciphertext back to plaintext using the same key.
Symmetric Key Cryptography
- Encryption protects documents on the way from A to B.
- A and B need to share a key, so a procedure is required for A and B to obtain their shared key.
- For n parties to communicate directly with each other, on the order of n^2 keys are needed (exactly n(n-1)/2).
- Security services: confidentiality, integrity, authentication (data origin authentication; key exchange and peer entity authentication).
Symmetric Key Cryptography
- Algorithms: DES, AES (Rijndael), ...
- No provable security: algorithms are designed to resist known attacks, e.g. differential and linear cryptanalysis.
- Recommended key length: 80-90 bits (a 2001 figure; today 128-bit keys are the usual minimum).
- DES: 56-bit keys are vulnerable to brute-force search; DES was designed to resist differential cryptanalysis.
Key exchange: authentication
- Needham-Schroeder protocol: a key transport protocol using a symmetric cipher for encryption.
- A and B obtain a session key K_ab from a server S (Trusted Third Party).
- A shares a secret key K_as with S; B shares a secret key K_bs with S.
- Nonces (random challenges) n_A and n_B in the messages prevent replay attacks.

Needham-Schroeder protocol (basis for Kerberos)
1. A -> S: A, B, n_A
2. S -> A: e_Kas(n_A, B, K_ab, e_Kbs(K_ab, A))
3. A -> B: e_Kbs(K_ab, A)
4. B -> A: e_Kab(n_B)
5. A -> B: e_Kab(n_B - 1)
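The five messages above, played out by all three parties in one process, as an added example that is not part of the original slides. The cipher is a stand-in built from the Python standard library (SHA-256 keystream with an HMAC-SHA256 tag) so that the code runs offline; it is not a recommended construction. The checks each party performs (A compares the returned nonce and peer name, B checks that message 5 carries n_B - 1 rather than a bounced-back n_B) are the points the slide makes about nonces.

```python
"""Needham-Schroeder symmetric-key protocol, both sides' messages.

  1. A -> S : A, B, n_A
  2. S -> A : e_Kas(n_A, B, K_ab, e_Kbs(K_ab, A))
  3. A -> B : e_Kbs(K_ab, A)
  4. B -> A : e_Kab(n_B)
  5. A -> B : e_Kab(n_B - 1)

Added example; the cipher is a stand-in built from the standard library
(SHA-256 keystream + HMAC-SHA256 tag), not the cipher of any real deployment.
"""
import hashlib
import hmac
import json
import os

IV_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, fields: list) -> bytes:
    """Encrypt-then-MAC a list of JSON-serialisable fields; returns iv || ct || tag."""
    plaintext = json.dumps(fields).encode()
    iv = os.urandom(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key: bytes, blob: bytes) -> list:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))
    return json.loads(plaintext)


def run_protocol(reflect_challenge: bool = False) -> dict:
    """Run one protocol instance and report what each party concluded.

    With reflect_challenge=True, message 5 carries n_B instead of n_B - 1
    (as if message 4 were simply bounced back), which B must reject.
    """
    K_as, K_bs = os.urandom(32), os.urandom(32)   # long-term keys, set up out of band with S

    # 1. A -> S
    n_A = os.urandom(16).hex()
    msg1 = ["A", "B", n_A]

    # S: mint a session key, build B's ticket, wrap everything for A
    a, b, n_A_seen = msg1
    K_ab = os.urandom(32)
    ticket = encrypt(K_bs, [K_ab.hex(), a])                        # e_Kbs(K_ab, A)
    msg2 = encrypt(K_as, [n_A_seen, b, K_ab.hex(), ticket.hex()])  # message 2

    # A: the nonce proves freshness, the name proves S answered the right request
    nonce_back, peer_back, K_ab_hex, ticket_hex = decrypt(K_as, msg2)
    if nonce_back != n_A or peer_back != "B":
        raise ValueError("A: reply is stale or not about B")
    K_ab_A = bytes.fromhex(K_ab_hex)
    msg3 = bytes.fromhex(ticket_hex)                               # message 3, forwarded unchanged

    # B: only K_bs opens the ticket, so S must have issued it
    K_ab_hex_B, claimed_peer = decrypt(K_bs, msg3)
    K_ab_B = bytes.fromhex(K_ab_hex_B)
    n_B = int.from_bytes(os.urandom(8), "big")
    msg4 = encrypt(K_ab_B, [n_B])                                  # message 4

    # A: show possession of K_ab by answering the challenge
    (challenge,) = decrypt(K_ab_A, msg4)
    msg5 = encrypt(K_ab_A, [challenge if reflect_challenge else challenge - 1])

    # B: n_B - 1 (not n_B) proves the peer decrypted message 4 rather than echoing it
    (answer,) = decrypt(K_ab_B, msg5)
    return {
        "peer_seen_by_B": claimed_peer,
        "same_session_key": K_ab_A == K_ab_B,
        "B_accepts": answer == n_B - 1,
    }
```

Note that B never talks to S in this protocol: B's trust that K_ab is fresh rests entirely on the ticket having been encrypted under K_bs, which is exactly the kind of assumption the later slides on key management and end-system security call into question.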
History: Non-secret Encryption
- Supposed fact: to exchange secret messages, shared secrets are required.
- Counterexample (Bell Labs, 1944): the receiver adds noise to a telephone line; the sender sends the message over it; an attacker only hears noise; the receiver recovers the message by cancelling its own noise.
- J. H. Ellis (CESG) described a scheme for non-secret (public key) encryption in 1970.
Encryption with public keys (figure): A encrypts plaintext to ciphertext under B's public key; B decrypts the ciphertext back to plaintext with B's private key.

Public Key Cryptography
- Encryption protects documents on the way from A to B.
- B has a public encryption key and a private decryption key.
- A procedure is required for A to get an authentic copy of B's public key (which need not be easier than getting a shared secret key).
- For n parties to communicate, n key pairs are needed.

Digital signatures (figure): A signs the document and sends document + signature; B verifies the signature and either accepts or rejects.
Digital Signatures
- Protect the authenticity of documents signed by A; more precisely, a cryptographic mechanism for associating documents with verification keys.
- A has a public verification key and a private signature key.
- A procedure is required for B to get an authentic copy of A's public key.
- Provide authentication; on their own they do not provide non-repudiation at the level of persons.
- Electronic signatures: a security service for associating documents with persons.
Key exchange without secrets (box-and-locks analogy, e.g. the Diffie-Hellman protocol)
1. Alice puts the key in a box, attaches her lock and sends the box to Bob.
2. Bob adds his lock and returns the box.
3. Alice removes her lock and returns the box.
4. Bob removes his lock and opens the box.
Public Key Cryptography
- Algorithms: RSA, ElGamal (encryption); RSA, DSA, ... (digital signatures); Diffie-Hellman (key agreement); elliptic curve algorithms.
- Provable security: reduction proofs to open problems, factoring and the discrete logarithm problem (DLP).
- Note: factoring the modulus breaks RSA, and solving the DLP breaks DSA and DH; that the converse holds is not proven.
- Provable security for protocols: reduction proofs to breaking the crypto algorithms (Bellare-Rogaway).
- Services: confidentiality, integrity, authentication, non-repudiation (at the level of keys).
Key Sizes: RSA modulus length (bits) matching the strength of a symmetric cipher, by year

Year   DES    2-key 3DES   3-key 3DES   AES-128   AES-192   AES-256
2001   620    1723         2426         3224      7918      15387
2010   747    1955         2709         3560      8493      16246
2020   906    2233         3046         3956      9160      17235
2030   1084   2534         3408         4379      9860      18260

Source: Arjen Lenstra, "Unbelievable Security", Asiacrypt 2001
Key Sizes in 2010: public-key parameter length (bits) matching the strength of a symmetric cipher, by system

System   DES   2-key 3DES   3-key 3DES   AES-128   AES-192   AES-256
RSA      750   2000         2700         3600      8500      16000
LUC      860   2100         2900         3800      8900      17000
XTR      490   1200         1600         2000      4600      8600
ECC      510   860          1000         1200      1700      2300

Source: Arjen Lenstra, "Unbelievable Security", Asiacrypt 2001
Digital Signature Misconceptions
- "Verification is decryption with the public key" (as stated in X.509): not even true for RSA signatures (existential forgeries), and it does not hold for DSA at all. The output of decrypt is of type message; the output of verify is of type Boolean.
- "A signature binds the signer A to the document": verification only links the document to a verification key.
- "Digital signatures are legally binding": even where they are recognized by law, digital signatures do not guarantee that there is a court with jurisdiction.
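The first misconception in working code, as an added example that is not from the slides. It uses textbook RSA over a key pair generated here with a seeded PRNG (512-bit modulus, far too small for real use; the Miller-Rabin routine is a demo helper, not a vetted prime generator). The existential forgery is the standard one: choose any s, set m = s^e mod n, and the pair (m, s) passes "decrypt and compare". A real verify takes a message and returns a Boolean after checking that s^e mod n equals the value the signer was supposed to sign (here a SHA-256 digest), which the forged s cannot satisfy for any message the forger can name.

```python
"""Textbook RSA: 'decrypt with the public key' versus a real verify.

Added example. Keys are generated here from a seeded PRNG; 512-bit n is a
demo size only. The forgery below is the classic existential forgery on
textbook RSA.
"""
import hashlib
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key, not a vetted prime generator."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 512, seed: int = 2024):
    """Returns ((e, n), (d, n)); deterministic for a given seed."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def message_digest(msg: bytes, n: int) -> int:
    """The value a signer is supposed to sign: SHA-256 of the message, as an integer < n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, priv) -> int:
    d, n = priv
    return pow(message_digest(msg, n), d, n)


def textbook_recover(sig: int, pub) -> int:
    """'Decrypt with the public key': returns a number and says nothing about validity."""
    e, n = pub
    return pow(sig, e, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    """A real verify: message in, Boolean out."""
    _, n = pub
    return textbook_recover(sig, pub) == message_digest(msg, n)


def existential_forgery(pub, seed: int = 7):
    """Pick any s and return (s^e mod n, s): the pair passes decrypt-and-compare."""
    e, n = pub
    s = random.Random(seed).randrange(2, n - 1)
    return pow(s, e, n), s


def demo() -> dict:
    pub, priv = keygen()
    m_forged, s_forged = existential_forgery(pub)
    msg = b"pay Bob 10 EUR"                                    # constructed sample message
    return {
        "forgery_passes_decrypt_and_compare": textbook_recover(s_forged, pub) == m_forged,
        "forgery_fails_verify": not verify(msg, s_forged, pub),   # no message hashes to m_forged
        "genuine_verifies": verify(msg, sign(msg, priv), pub),
        "tampered_fails": not verify(b"pay Bob 1000 EUR", sign(msg, priv), pub),
    }
```

The forged value m_forged is a random residue; it "verifies" only in the sense that it was chosen to. A verifier that asks "does s^e mod n equal the digest of this particular message?" has a specific expected value and answers yes or no, which is why the type of verify's output is Boolean and not message.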
Digital Signatures revisited
- Authentication: signatures are mathematical evidence linking a document to a public key.
- The link between a public key and a person has to be established by procedural means.
- This link can be recorded in a certificate (but certificates are not necessary for verifying digital signatures; verification keys are).
- The holder of a private signature key has to protect the key from compromise and has to be sure that the key is only used as intended.

Electronic signatures (figure: the chain from document to person)
- Mathematics links the document to the digital signature, and the digital signature to the public verification key.
- Procedures (a certificate) link the public verification key to a name, and the name to a person.
- Physical security and procedures link the person to the key container (signing device, secure O/S) that holds the private signature key.
Verifying security protocols
- Security services are typically provided by cryptographic protocols.
- The design of security protocols is supposedly difficult and error prone.
- There exists a substantial body of work on protocol analysis.
- Can one trust the results of protocol analysis?
- We will use the Needham-Schroeder public key protocol as a case study.

NS public key protocol (1978)
1. A -> B: ep_B(n_A, A)
2. B -> A: ep_A(n_B, n_A)
3. A -> B: ep_B(n_B)
- Only B can decrypt the first message and form a reply containing the challenge n_A.
- Only A can decrypt the second message and form a reply containing the challenge n_B.
Fact sheet
- Defined in the 1970s: principals are honest.
- Authentication: verifying the identity of the communicating principals to one another.
- Communications with servers can be done without establishing a connection.
- Establish a shared session key from n_A, n_B.
- Formal analysis in the BAN logic (1990): e.g. "A believes B believes n_B is a secret shared by A and B".

A second formal analysis (1995)
- Conducted by Gavin Lowe using CSP; CSP processes communicate on channels.
- Goals and assumptions:
  - The attacker can be a regular protocol participant.
  - The initiator commits to a run with B when receiving a reply ep_A(n_B, n_A) containing the challenge n_A.
  - The responder commits to a run with A only if the message ep_B(n_A, A) came from A.
- Why should the origin of challenges be verified?
Lowe's man-in-the-middle attack: connection-oriented (1995)
1. A -> E: ep_E(n_A, A)
1'. E -> B: ep_B(n_A, A)
2. B -> A (forwarded by E): ep_A(n_B, n_A)
3. A -> E: ep_E(n_B)
3'. E -> B: ep_B(n_B)
- Proof: initiator A authenticates responder E.
- Attack: responder B can be tricked by a masquerading initiator.
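The three-message protocol and Lowe's attack on it, as an added example that is not from the slides. Encryption is modelled the way protocol analysis models it: a ciphertext is an opaque record naming the public key it was made for, and only that principal can open it. The function lowe_attack replays the message sequence above; with fixed=True it applies Lowe's repair, in which the responder adds its own name to message 2 and the initiator checks that name against the peer it started the run with. Names, nonce strings and the Principal/Enc classes are this example's own constructions.

```python
"""Needham-Schroeder public-key protocol and Lowe's attack, symbolic model.

  1. A -> B : ep_B(n_A, A)
  2. B -> A : ep_A(n_B, n_A)       (fixed=True: ep_A(n_B, n_A, B))
  3. A -> B : ep_B(n_B)

Added example; a ciphertext is an opaque record readable only by the
principal whose public key it names.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Enc:
    """Ciphertext under the public key of `to`."""
    to: str
    body: tuple


class Principal:
    def __init__(self, name: str):
        self.name = name
        self.state = ()
        self.commits = []          # (role, peer, n_A, n_B), appended when a run completes
        self._ctr = count()

    def nonce(self) -> str:
        return f"n_{self.name}{next(self._ctr)}"

    def open(self, c: Enc) -> tuple:
        if c.to != self.name:
            raise PermissionError(f"{self.name} holds no private key for {c.to}")
        return c.body


def initiator_start(me: Principal, peer: str) -> Enc:
    n_A = me.nonce()
    me.state = (peer, n_A)
    return Enc(peer, (n_A, me.name))                        # message 1


def initiator_reply(me: Principal, msg2: Enc, fixed: bool) -> Enc:
    peer, n_A = me.state
    body = me.open(msg2)
    if body[1] != n_A:
        raise ValueError(f"{me.name}: reply does not carry my challenge")
    if fixed and body[2] != peer:
        raise ValueError(f"{me.name}: reply names {body[2]}, expected {peer}")
    n_B = body[0]
    me.commits.append(("initiator", peer, n_A, n_B))        # initiator believes it talks to peer
    return Enc(peer, (n_B,))                                 # message 3


def responder_msg1(me: Principal, msg1: Enc, fixed: bool) -> Enc:
    n_A, claimed = me.open(msg1)
    n_B = me.nonce()
    me.state = (claimed, n_A, n_B)
    body = (n_B, n_A, me.name) if fixed else (n_B, n_A)
    return Enc(claimed, body)                                # message 2, to whoever message 1 named


def responder_msg3(me: Principal, msg3: Enc) -> None:
    claimed, n_A, n_B = me.state
    (got,) = me.open(msg3)
    if got != n_B:
        raise ValueError(f"{me.name}: reply does not carry my challenge")
    me.commits.append(("responder", claimed, n_A, n_B))     # responder believes it talks to claimed


def honest_run(fixed: bool = False) -> dict:
    A, B = Principal("A"), Principal("B")
    m1 = initiator_start(A, "B")
    m2 = responder_msg1(B, m1, fixed)
    m3 = initiator_reply(A, m2, fixed)
    responder_msg3(B, m3)
    return {"A": A.commits[-1][:2], "B": B.commits[-1][:2]}


def lowe_attack(fixed: bool = False) -> dict:
    """A starts a legitimate run with E; E reuses A's messages to impersonate A to B."""
    A, B, E = Principal("A"), Principal("B"), Principal("E")
    m1 = initiator_start(A, "E")                             # ep_E(n_A, A): E may open it
    n_A, _ = E.open(m1)
    m2 = responder_msg1(B, Enc("B", (n_A, "A")), fixed)      # E -> B: ep_B(n_A, A)
    try:
        m3 = initiator_reply(A, m2, fixed)                   # m2 is ep_A(...): E only forwards it
    except ValueError as err:
        return {"A": None, "B": None, "E_knows_n_B": False, "abort": str(err)}
    (n_B,) = E.open(m3)                                      # ep_E(n_B): again readable by E
    responder_msg3(B, Enc("B", (n_B,)))                      # E -> B: ep_B(n_B)
    return {"A": A.commits[-1][:2], "B": B.commits[-1][:2], "E_knows_n_B": True, "abort": None}
```

Without the fix, A ends up committed to a run with E and B to a run with A, and E knows both nonces, which matches the "proof and attack" outcome on the slide. With the fix, A aborts on message 2 because it names B where A expected E, and E never sees n_B.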
Why is there both a proof and an attack?
- The assumptions about the environment differ: E is a protocol participant, but E is not honest.
- The authentication goals differ: the correspondence properties used by Lowe became popular in the early 1990s, but were only intended to capture the authentication of protocol runs.
- Correspondence is not the same as authentication of connections: A sees a run with E and is connected to E; B sees a run with A but is connected to E.
A triangle attack (connectionless)
- A -> E: ep_E(n_A, A)
- E -> B: ep_B(n_A, A)
- B -> A: ep_A(n_B, n_A)
- A -> E: ep_E(n_B)
- E -> B: ep_B(n_B)
- The initiator cannot be misled. Why? E is not responding.
- B has been tricked. Why? A was involved in the protocol run.

Comments
- The proof is no longer correct, because we have an attack in which the responder does not run the protocol.
- The attack is no longer an attack, because the initiator is involved in the protocol run.
- Still, the attack violates properties claimed for the protocol: A is cheated, because n_A and n_B are not secrets shared with E.
Closed systems and open systems
- There is an important difference between closed systems, where parties look for protection from the outside (the old world cryptography came from), and open systems, where parties look for protection from insiders (the new world of e-commerce).
Key exchange with a stranger (the box-and-locks exchange again, now with an unknown peer)
1. Alice puts the key in a box, attaches her lock and sends the box.
2. Someone adds a lock and returns the box.
3. Alice removes her lock and returns the box.
4. Someone removes the lock and opens the box.
- Nothing in the exchange tells Alice who "someone" is.
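The two box-and-locks slides (key exchange without secrets, and key exchange with a stranger) as Diffie-Hellman, in an added example that is not from the slides. The group is a toy (the Mersenne prime 2^127 - 1 with generator 3) chosen so that the code runs instantly; real deployments use a standard group such as those in RFC 7919. unauthenticated_mitm shows "someone" relaying the exchange so that both Alice and Bob derive keys Eve knows; authenticated_mitm models the "alternative channel" of the later slides as a pre-shared secret (constructed here) used to tag each public value, so Alice can tell that the value she received was not Bob's.

```python
"""Diffie-Hellman, with and without a way to tell who is on the other end.

Added example. Toy group parameters (Mersenne prime 2^127 - 1, generator 3);
use a standard group such as RFC 7919 ffdhe2048 in practice.
"""
import hashlib
import hmac
import random

P = 2**127 - 1      # toy prime modulus, for illustration only
G = 3               # toy generator


def dh_keypair(rng: random.Random):
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)                          # (private exponent, public value)


def dh_shared_key(my_priv: int, their_pub: int) -> str:
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def honest_exchange(seed: int = 1) -> dict:
    """Alice and Bob each attach a lock; both derive the same key."""
    rng = random.Random(seed)
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    return {"alice_key": dh_shared_key(a, B), "bob_key": dh_shared_key(b, A)}


def unauthenticated_mitm(seed: int = 1) -> dict:
    """'Someone' (Eve) relays the exchange; neither side can tell."""
    rng = random.Random(seed)
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    e1, E1 = dh_keypair(rng)                        # Eve's lock towards Alice
    e2, E2 = dh_keypair(rng)                        # Eve's lock towards Bob
    alice_key = dh_shared_key(a, E1)                # Alice believes E1 came from Bob
    bob_key = dh_shared_key(b, E2)                  # Bob believes E2 came from Alice
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "eve_reads_alice": dh_shared_key(e1, A) == alice_key,
        "eve_reads_bob": dh_shared_key(e2, B) == bob_key,
    }


def tag_public_value(psk: bytes, owner: str, pub: int) -> bytes:
    """Bind a public value to a name with a secret agreed over another channel."""
    return hmac.new(psk, owner.encode() + b"|" + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def accept_peer(psk: bytes, owner: str, pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(tag, tag_public_value(psk, owner, pub))


def authenticated_mitm(seed: int = 1) -> dict:
    """Same relay attack, but Alice checks Bob's tag before deriving a key."""
    rng = random.Random(seed)
    psk = b"agreed-over-the-phone-beforehand"      # constructed stand-in for the other channel
    a, A = dh_keypair(rng)
    b, B = dh_keypair(rng)
    bob_tag = tag_public_value(psk, "Bob", B)
    e1, E1 = dh_keypair(rng)
    # Eve substitutes E1 for B but cannot recompute the tag without psk
    return {
        "alice_accepts_substituted_value": accept_peer(psk, "Bob", E1, bob_tag),
        "alice_accepts_genuine_value": accept_peer(psk, "Bob", B, bob_tag),
    }
```

The pre-shared secret does the job a certificate or a trusted directory would do in a larger system: it is the piece of trust that the mathematics of the exchange cannot supply on its own, which is the point of the closed-versus-open-systems slides.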
Conclusions
- Cryptography has its origins in communications security.
- Not all security problems can be expressed as communications security problems.
- Communications security tends to assume that end systems are secure and users are honest.
- In today's world, we have to secure applications where end systems are not secure and users are not necessarily honest.
Conclusions
- Crypto algorithms are not provably secure. Lars Knudsen: "If it's provably secure, it probably isn't."
- Crypto algorithms are practically very secure, unless you insist on inventing your own algorithms.
- Crypto gives no more security than the keys used; key management is a frequent source of problems. Robert Morris sr.: "The Enigma never was broken."
- Crypto gives no more security than the end system it is running on; designing secure end systems is the really difficult security challenge.
Conclusions
- Crypto relies on tamper-resistant devices and on alternative channels (trust).
- Tamper-resistant devices + symmetric key crypto: CHAPS (see Davies & Price, Security for Computer Networks, 1984 and 1989).
- Alternative channels for bootstrapping and for confirmation messages: GSM, a book, a newspaper.
- Crypto depends on good security management; end users are their own security managers. How to get full control over your PC?

Brave New World (figure: bank, government, merchant, customer)
- Can all these parties manage their own security?
Security & Security Services
- "There exist security services that do not provide any security at all." (Roger Schell, Novell, ex-USAF)
- "SSL gives no security guarantees that are relevant for e-commerce." (Dr Richard Walton, Director of CESG)
- "Digital certificates provide no actual security for electronic commerce; it's a complete sham." (Bruce Schneier, Secrets & Lies)