Introduction to Cryptography. Steven M. Bellovin September 27,

Similar documents
n-bit Output Feedback

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSE 127: Computer Security Cryptography. Kirill Levchenko

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Computer Security 3/23/18

Block Ciphers. Advanced Encryption Standard (AES)

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Encryption. INST 346, Section 0201 April 3, 2018

Lecture 1 Applied Cryptography (Part 1)

Unit 8 Review. Secure your network! CS144, Stanford University

CS 161 Computer Security

Practical Aspects of Modern Cryptography

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Computer Security: Principles and Practice

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

CPSC 467: Cryptography and Computer Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

CS61A Lecture #39: Cryptography

Symmetric, Asymmetric, and One Way Technologies

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Cryptography (Overview)

Cryptography MIS

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Cryptographic Systems

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CS 161 Computer Security

CS 161 Computer Security

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

Kurose & Ross, Chapters (5 th ed.)

Cryptographic Concepts

Chapter 9 Public Key Cryptography. WANG YANG

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS 161 Computer Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CSC 474/574 Information Systems Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Public Key Algorithms

EEC-484/584 Computer Networks

Spring 2010: CS419 Computer Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Garantía y Seguridad en Sistemas y Redes

Ref:

Cryptographic Hash Functions

Other Topics in Cryptography. Truong Tuan Anh

CS 161 Computer Security

Summary on Crypto Primitives and Protocols

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Spring 2010: CS419 Computer Security

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

CS 161 Computer Security

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS Computer Networks 1: Authentication

CIS 4360 Secure Computer Systems Symmetric Cryptography

Tuesday, January 17, 17. Crypto - mini lecture 1

Introduction to Cryptography. Lecture 6

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

EEC-682/782 Computer Networks I

CSC/ECE 774 Advanced Network Security

Public Key Cryptography

Cryptography (cont.)

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Encryption 2. Tom Chothia Computer Security: Lecture 3

Content of this part

CSE484 Final Study Guide

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Appendix A: Introduction to cryptographic algorithms and protocols

Key Exchange. Secure Software Systems

Lecture 2 Applied Cryptography (Part 2)

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public Key Algorithms

CSC 474/574 Information Systems Security

Cryptographic Checksums

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

PROTECTING CONVERSATIONS

Transcription:

Introduction to Cryptography Steven M. Bellovin September 27, 2016 1

Cryptography Introduction/Refresher Brief introduction to make sure everyone s is on the same page Important concepts: Symmetric ciphers Public key encryption Digital signatures Cryptographic hash functions Message Authentication Codes (MACs) Certificates Steven M. Bellovin September 27, 2016 2

What is a Cryptosystem? K = {0, 1} l P = {0, 1} m C = {0, 1} m E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let s start again, in English... Steven M. Bellovin September 27, 2016 3

What is a Cryptosystem? A cryptosystem is pair of algorithms that take a key and under control of that key convert plaintext to ciphertext and back. Plaintext is what you want to protect; ciphertext should appear to be random gibberish. The design and analysis of today s cryptographic algorithms is highly mathematical. Do not try to design your own algorithms. Steven M. Bellovin September 27, 2016 4

Properties of a Good Cryptosystem There should be no way short of enumerating all possible keys (a brute force or exhaustive search attack ) to find the key from any amount of ciphertext and plaintext, nor any way to produce plaintext from ciphertext without the key. Enumerating all possible keys must be infeasible. The ciphertext must be indistinguishable from true random values. Steven M. Bellovin September 27, 2016 5

Kerckhoffs Law (1883) There must be no need to keep the system secret, and it must be able to fall into enemy hands without inconvenience. In other words, the security of the system must rest entirely on the secrecy of the key. Steven M. Bellovin September 27, 2016 6

Keys Must be strongly protected Ideally, should be a random set of bits of the appropriate length Ideally, each key should be only be used for a limited time and for a limited amount of data Ensuring that these properties hold is a major goal of cryptographic research and engineering Steven M. Bellovin September 27, 2016 7

Cipher Strengths A cipher is no stronger than its key length: if there are too few keys, an attacker can enumerate all possible keys The old DES cipher has 56 bit keys arguably too few in 1976; far too few today. (Deep Crack was built in 1996 by the EFF for $250,000; today s equivalent costs $5,000 and is faster.) Strength of cipher depends on how long it needs to resist attack. No good reason to use less than 128-bit keys NSA rates 128-bit AES as good enough for SECRET traffic; 256-bit AES is good enough for TOP-SECRET traffic. But a cipher can be considerably weaker! (A monoalphabetic cipher over all possible byte values has 256! keys a length of 1684 bits but is trivially solvable.) Steven M. Bellovin September 27, 2016 8

Brute-Force Attacks Build massively parallel machine Can be distributed across the Internet Give each processor a set of keys and a plaintext/ciphertext pair If no known plaintext, look for probable plaintext (i.e., length fields, high-order bits of ASCII text, etc.) On probable hit, check another block and/or do more expensive tests Steven M. Bellovin September 27, 2016 9

Expensive Tests Which is real language? How can you tell? tqxxa iadxp rovvy gybvn ifmmp xpsme gdkkn vnqkc erqmrxu oh prqgh cpokpvs mf npoef anmintq kd lnmcd spwwz hzcwo jgnnq yqtnf hello world fcjjm umpjb dqplqwt ng oqpfg bonjour le monde adsxika ak gadfk Some approaches: the bigraph distribution, letter contact probabilities, entropy of the message, etc. Steven M. Bellovin September 27, 2016 10

CPU Speed versus Key Size Adding one bit to the key doubles the work factor for brute force attacks The effect on encryption time is often negligible or even free It costs nothing to use a longer RC4 key Going from 128-bit AES to 256-bit AES takes (at most) 40% longer, but increases the attacker s effort by a factor of 2 128 Using triple DES costs 3 more than DES to encrypt, but increases the attacker s effort by a factor of 2 112 Moore s Law favors the defender Steven M. Bellovin September 27, 2016 11

Block Ciphers Operate on a fixed-length set of bits Output blocksize generally the same as input blocksize Well-known examples: DES (56-bit keys; 64-bit blocksize); 3DES (112-bit keys; 64-bit blocksize); AES (128-, 192-, and 256-bit keys; 128-bit blocksize) Steven M. Bellovin September 27, 2016 12

Stream Ciphers Key stream generator produces a sequence S of pseudo-random bytes; key stream bytes are combined (generally via XOR) with plaintext bytes: P i S i C i Stream ciphers are very good for asynchronous traffic Best-known stream cipher is RC4; commonly used with TLS. (RC4 is now considered insecure; don t use it for new deployments and get rid of existing uses.) Key stream S must never be reused for different plaintexts: C = A K C = B K C C = A K B K = A B Guess at A and see if B makes sense; repeat for subsequent bytes Steven M. Bellovin September 27, 2016 13

Basic Structure of (Most) Block Ciphers Optional key scheduling convert supplied key to internal form Multiple rounds of combining the plaintext with the key. DES has 16 rounds; AES has 10 14 rounds, depending on key length Steven M. Bellovin September 27, 2016 14

Modes of Operation Direct use of a block cipher is inadvisable Enemy can build up code book of plaintext/ciphertext equivalents Beyond that, direct use only works on messages that are a multiple of the cipher block size in length Solution: several standard Modes of Operation, including Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), Galois Counter Mode (GCM), Counter (CTR), and more. (Some modes provide authentication as well as confidentiality.) All modes of operation except ECB require an extra block known as the Initialization Vector (IV). IVs must be unpredictable by the enemy. Steven M. Bellovin September 27, 2016 15

Example: Cipher Block Chaining P 1 P 2 P 3 IV Encrypt Encrypt Encrypt C 1 C 2 C 3 {P i C i 1 } k C i {C i } k 1 C i 1 P i Steven M. Bellovin September 27, 2016 16

Things to Notice About CBC Identical plaintext blocks do not, in general, produce the same ciphertext. (Why?) Each ciphertext block is a function of all previous plaintext blocks. (Why?) The converse is not true, but we won t go into that in this class It is possible for an attacker to make partially controlled changes to plaintext, by tinkering with the previous block of ciphertext We need message authentication in addition to encryption Steven M. Bellovin September 27, 2016 17

Galois Counter Mode Encryption Steven M. Bellovin September 27, 2016 18

Galois Counter Mode Much more complicated! Encrypts and authenticates in one pass Part of the message can be sent in plaintext, but is still authenticated Output is ciphertext plus a tag Encryptions can be done in parallel (good for high-speed devices) the IV is a counter If the tag computed during decryption doesn t match the tag computed during encryption, the decryption routine returns FAIL Steven M. Bellovin September 27, 2016 19

Alice and Bob Alice wants to communicate securely with Bob (Cryptographers frequently speak of Alice and Bob instead of A and B... ) What key should she use? Steven M. Bellovin September 27, 2016 20

Pre-Arranged Key Lists? What if you run out of keys? What if a key is stolen? Why is it necessary to destroy yesterday s [key]... list if it s never going to be used again? A used key, Your Honor, is the most critical key there is. If anyone can gain access to that, they can read your communications. (trial of Jerry Whitworth, a convicted spy.) What if Alice doesn t know in advance that she ll want to talk to Bob? Steven M. Bellovin September 27, 2016 21

The Solution: Public Key Cryptography Allows parties to communicate without prearrangement Separate keys for encryption and decryption Not possible to derive decryption key from encryption key Permissible to publish encryption key, so that anyone can send you secret messages All known public key systems are very expensive to use, in CPU time and bandwidth. Most public systems are based on mathematical problems. Steven M. Bellovin September 27, 2016 22

RSA The best-known public key system is RSA. Generate two large (these days, at least 1024-bit) primes p and q; let n = pq Pick two integers e and d such that ed 1 mod (p 1)(q 1). Often, e = 65537, since that simplifies encryption calculations. (Older systems use e = 3, but that s no longer recommended.) The public key is e, n ; the private key is d, n. To encrypt m, calculate c = m e mod n; to decrypt c, calculate m = c d mod n. The security of the system (probably) relies on the difficulty of factoring n. Finding such primes is relatively easy; factoring n is believed to be extremely hard. Steven M. Bellovin September 27, 2016 23

Classical Public Key Usage Alice publishes her public key in the phone book. Bob prepares a message and encrypts it with that key by doing a large exponentiation. Alice uses her private key to do a different large exponentiation. It s not that simple more in a few minutes... Steven M. Bellovin September 27, 2016 24

Complexities RSA calculations are very expensive; neither Bob nor Alice can afford to do many. RSA is too amenable to mathematical attacks; encrypting the wrong numbers is a bad idea. Example: yes 3 is only 69 bits, and won t be reduced by the modulus operation; finding 3 503565527901556194283 is easy. We need a better solution Steven M. Bellovin September 27, 2016 25

Speeds on my Laptop Algorithm ops/second bytes/sec AES-128-ECB 9,250,000 148,000,000 AES-128-CBC (256 bytes) 600,000 153,000,000 AES-256-ECB 7,140,000 114,240,000 RSA-2048 (encrypt) 14,900 3,800,000 RSA-2048 (decrypt) 375 96,000 Steven M. Bellovin September 27, 2016 26

A (More) Realistic Scenario Bob generates a random key k for a conventional cipher. Bob encrypts the message: c = {m} k. Bob pads k with a known amount of padding, to make it at least 1024 bits long; call this k. k is encrypted with Alice s public key e, n. Bob transmits {c, (k ) e mod n} to Alice. Alice uses d, n to recover k, removes the padding, and uses k to decrypt ciphertext c. In reality, it s even more complex than that... Steven M. Bellovin September 27, 2016 27

Forward Secrecy Someone who learns your private key can read old messages. Solution: Diffie-Hellman Key Exchange: A B : g x mod p B A : g y mod p where p is a large prime, b is a generator of the group of integers modulo p, and x and y are random integers < p. A and B can calculate g xy mod p; no eavesdropper can without solving the discrete log problem. Use that number as the data key not recoverable later if x and y are destroyed. This is called forward secrecy. Steven M. Bellovin September 27, 2016 28

Who Sent a Message? When Bob receives a message from Alice, how does he know who sent it? With traditional, symmetric ciphers, he may know that Alice has the only other copy of the key; with public key, he doesn t even know that Even if he knows, can he prove to a third party say, a judge that Alice sent a particular message? Steven M. Bellovin September 27, 2016 29

Digital Signatures RSA can be used backwards: you can encrypt with the private key, and decrypt with the public key. This is a digital signature: only Alice can sign her messages, but anyone can verify that the message came from Alice, by using her public key It s too expensive to sign the whole message. Instead, Alice calculates a cryptographic hash of the message and signs the hash value. If you sign the plaintext and encrypt the signature, the signer s identity is concealed; if you sign the ciphertext, a gateway can verify the signature without having to decrypt the message. Steven M. Bellovin September 27, 2016 30

They re Not Like Real Signatures Real signatures are strongly bound to the person, and weakly bound to the data Digital signatures are strongly bound to the data, and weakly bound to the person what if the key is stolen (or deliberately leaked)? A better term: digital signature algorithms provide non-repudiation Steven M. Bellovin September 27, 2016 31

Cryptographic Hash Functions Produce relatively-short, fixed-length output string from arbitrarily long input. Computationally infeasible to find two different input strings that hash to the same value ( collision ) Computationally infeasible to find any input string that hashes to a given value ( pre-image ) Computationally infeasible to find any input string that hashes to the same value as the hash of a given input ( second preimage ) Strength roughly equal to half the output length 128 bits and shorter are not very secure for general usage Steven M. Bellovin September 27, 2016 32

Common Hash Functions Best-known cryptographic hash functions: MD5 (128 bits), SHA-1 (160 bits), SHA2-256/384/512 (256/384/512 bits) Wang et al. have found collision attacks against MD5 and SHA-1 They re insecure. MD5 is basically gone; SHA-1 is rapidly being phased out browsers do not accept certificates signed with SHA-1 after January 1, 2016 SHA2-256/384/512 have the same basic structure as MD5 and SHA-1 but NIST now believes they re secure NIST held a design competition for a new hash SHA-3 function; the winner (Keccak) has a completely different structure Steven M. Bellovin September 27, 2016 33

The Birthday Paradox How many people need to be in a room for the probability that two will have the same birthday to be >.5? Naive answer: 183 Correct answer: 23 The question is not who has the same birthday as Alice? ; it s who has the same birthday as Alice or Bob or Carol or... assuming that none of them have the same birthday as any of the others Steven M. Bellovin September 27, 2016 34

The Birthday Attack Alice can prepare lots of variant contracts, looking for any two that have the same hash More precisely, she generates many trivial variants on m and m, looking for a match between the two sets This is much easier than finding a contract that has the same hash as a given other contract As a consequence, the strength of a hash function against brute force attacks is approximately half the output block size: 64 bits for MD5, 80 bits for SHA-1, etc. Steven M. Bellovin September 27, 2016 35

Message Integrity We need a way to prevent tampering with messages One choice: use GCM Or we can use a key and a cryptographic hash to generate a Message Authentication Code (MAC). One bad idea: append a cryptographic hash to some plaintext, and encrypt the whole thing with, say, CBC mode {P, H(P)} K This can fall victim to a chosen plaintext attack Steven M. Bellovin September 27, 2016 36

HMAC Build a MAC from a cryptographic hash function Best-known construct is HMAC provably secure under minimal assumptions HMAC(m, k) = H(opad k, H(ipad k, m)) where H is a cryptographic hash function and m is the message Note: do the HMAC over the ciphertext, not the plaintext Note: authentication key must be distinct from the confidentiality key Frequently, the output of HMAC is truncated Steven M. Bellovin September 27, 2016 37

Cryptography and Authentication Some way to use a cryptographic key to prove who you are (More on that later) Can go beyond simple schemes given above Can use symmetric or public key schemes Most public key schemes use certificates Steven M. Bellovin September 27, 2016 38

What are Certificates How does Alice get Bob s public key? What if the enemy tampers with the phone book? Sends the phone company a false change-of-key notice? Interferes with Alice s query to the phone book server? A certificate is a digitally-signed message containing an identity and a public key prevents tampering. Steven M. Bellovin September 27, 2016 39

Why Trust a Certificate? Who signed it? Why do you trust them? How do you know the public key of the Certificate Authority (CA)? Some public key (known as the trust anchor) must be provided out-of-band trust has to start somewhere. Steven M. Bellovin September 27, 2016 40

Certificate Authorities Who picks CAs? No one and every one. Your browser has some CAs built-in because the CA paid the browser vendor enough money. Is that grounds for trust? Matt Blaze: A commercial certificate authority can be trusted to protect you from anyone from whom they won t take money. Steven M. Bellovin September 27, 2016 41

What Else is in a Certificate? Technical information, such as algorithm identifiers More identification information company, location, etc. Expiration date Logos Certificate role Steven M. Bellovin September 27, 2016 42

Cryptographic Protocols Combine various cryptographic primitives in a series of messages Many different types, for many different goals Simplest example: realistic public key encryption message discussed earlier: {m} k, (pad(k)) e mod n Very common goal: Alice and Bob must agree on a key Very subtle; very hard to get right. Don t try it yourself Steven M. Bellovin September 27, 2016 43

Elliptic Curve Cryptography Based on points on curves of the form y 2 = x 3 + ax + b but use only integers modulo some large prime There are analogs to the most important public key and digital signature primitives using elliptic curves Keys are much shorter and much less CPU time is needed for a given level of security Steven M. Bellovin September 27, 2016 44

Cryptography and Quantum Computers Quantum computers if they can be built can crack a symmetric cipher in time proportional to the square root of the key space size For long-term secrets, use 256-bit AES, not 128-bit They can also do factoring efficiently RSA won t be secure; we need quantum-safe algorithms Many elliptic curve algorithms are also vulnerable If your secrets have to be protected for decades, you have to take action now The NSA has called for migration to post-quantum cryptographic algorithms but there s not yet a consensus on the proper public key algorithm Steven M. Bellovin September 27, 2016 45

Recommended Primitives Block cipher: AES, either with HMAC or (preferably) in GCM Stream cipher: RC4? It s insecure and all but dead; use AES in CTR mode instead Hash function: SHA2-256 or SHA3 Public key, digital signature: RSA with 2048-bit modulus (or Elliptic Curve Cryptography if patents aren t an issue and performance is) Stay tuned for the preferred post-quantum algorithm Steven M. Bellovin September 27, 2016 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback