Refresher: Applied Cryptography

Similar documents
Crypto Background & Concepts SGX Software Attestation

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

18-642: Cryptography

L13. Reviews. Rocky K. C. Chang, April 10, 2015

18-642: Cryptography 11/15/ Philip Koopman

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CS 161 Computer Security

Cryptography MIS

CS155. Cryptography Overview

Data Integrity. Modified by: Dr. Ramzi Saifan

Kurose & Ross, Chapters (5 th ed.)

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

Information Security CS526

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture 1 Applied Cryptography (Part 1)

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

CS 161 Computer Security

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

Computer Security CS 526

1.264 Lecture 28. Cryptography: Asymmetric keys

Practical Aspects of Modern Cryptography

CS Computer Networks 1: Authentication

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Using Cryptography CMSC 414. October 16, 2017

Winter 2011 Josh Benaloh Brian LaMacchia

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

David Wetherall, with some slides from Radia Perlman s security lectures.

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Cryptography: More Primitives

Cryptographic Hash Functions

What did we talk about last time? Public key cryptography A little number theory

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

CS155. Cryptography Overview

Introduction to Symmetric Cryptography

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Cryptographic hash functions and MACs

1 Achieving IND-CPA security

6.857 L17. Secure Processors. Srini Devadas

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS 495 Cryptography Lecture 6

Authentication Part IV NOTE: Part IV includes all of Part III!

Security in ECE Systems

CSE484 Final Study Guide

Unit 8 Review. Secure your network! CS144, Stanford University

UNIT - IV Cryptographic Hash Function 31.1

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CS 161 Computer Security

RSA. Public Key CryptoSystem

ECE 646 Lecture 8. Modes of operation of block ciphers

Computational Security, Stream and Block Cipher Functions

CIS 4360 Secure Computer Systems Applied Cryptography

T Cryptography and Data Security

Introduction to Cryptography. Ramki Thurimella

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Spring 2010: CS419 Computer Security

T Cryptography and Data Security

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 2 Applied Cryptography (Part 2)

Scanned by CamScanner

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Some Aspects of Block Ciphers

Ref:

Security. Communication security. System Security

Tuesday, January 17, 17. Crypto - mini lecture 1

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Symmetric Cryptography

Cryptography (Overview)

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Cryptographic Concepts

Feedback Week 4 - Problem Set

CSC 580 Cryptography and Computer Security

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Cryptographic Systems

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline Key Management CS 239 Computer Security February 9, 2004

CS 161 Computer Security

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Summary on Crypto Primitives and Protocols

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Cryptography and Network Security

Symmetric-Key Cryptography

Cryptography. Andreas Hülsing. 6 September 2016

Some Stuff About Crypto

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

EEC-682/782 Computer Networks I

PROTECTING CONVERSATIONS

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CSC/ECE 774 Advanced Network Security

Overview. SSL Cryptography Overview CHAPTER 1

EEC-484/584 Computer Networks

Transcription:

Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC

Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf Pages 31-42 Read, use as reference. Don t need to memorize. This lecture also takes material from Security Basics by Ruby Lee (Hot chips 2016)

Paper presentations Email me if You don t see your name on website for presentation & You haven t already gotten an email from me We have run out of days! If you aren t assigned yet, select from Additional reads papers Expectations for presentation Conference talk length (15-20 min) w/ slides Slides will be posted to website John Alsop on bat

Security objectives Privacy Alice sends msg m to Bob. Only Bob should be able to read m. Integrity Alice sends msgs m 1 m n to Bob. Authenticity Bob receives msg p. Bob can verify p \in m 1 m n. Freshness Bob has received msgs p 1 p n. Bob can verify p i = m i. Identity Availability Bob wants to know if Alice is really Alice Does Bob ever see the n messages?

Symmetric cryptography Encrypt key (p) = ciphertext Decrypt key (c) = plaintext Privacy Shared key (random bits) between encrypter/decrypter Key issues: generating a truly random key, keeping the key secret

One-time pad Goal: encrypt L bits key = [rand(0, 1) for i = 1 L] Encrypt key (bit i ) = bit i key i Decrypt key (bit i ) = bit i key i = xor Perfect secrecy Problem: key = L Basic mixing w/ XOR used by many modern cryptosystems (symmetric and asymmetric)

Block ciphers (e.g., DES, AES) Encrypt key (.), Decrypt key (.) take s-bit inputs One-time pads Encrypt arbitrary length message? Break into s-bit chunks. But how? P i = P j C i = C j When i!= j, this is a problem

Ciphertext travels with auxiliary state Recall: need CBC or CTR for randomized encryption Encrypt key (p) = c = {Ctr, ciphertext} Decrypt key (c) = plaintext Ctr sometimes called IV (initialization vector) Send increasing counter: sender must remember count Send random IV: must ensure IV is never re-used

Block cipher implementation Break into rounds e.g., Fiestel structure Once again, approximations to One-time pads = xor Single round encryption: Encrypt key (plaintext = {L 0, R 0 }): L 1 = R 0 Behavior depends R 1 = L 0 F(R 0, key) on key, R 0 is public = return {L 1, R 1 } attackable in HW Decrypt key (ciphertext = {L 1, R 1 }): R 0 = L 1 L 0 = R 1 F(L 1, key) return {L 0, R 0 } Decrypt key (Encrypt key ({L 0, R 0 })) = Decrypt key ( {R 0, L 0 F(R 0, key)} ) = {L 0 F(R 0, key) F(R 0, key), R 0 } = {L 0, R 0 }

Cryptographic hashing (e.g., SHA1 - SHA3) Hash(p) = digest p = arbitrarily long, digest length = λ is system property One way: If Hash(p) = digest: cannot determine p given digest and Hash(.) Avalanche: Bob Smith got an A+ in ELE386 in Spring 2005 01eace851b72386c46 Bob Smith got an B+ in ELE386 in Spring 2005 936f8991c111f2cefaw Ideally, we would have Random oracle model Hash(p): static Dict if Dict[in] == null: Dict[in] = flip λ fair coins return D[in]

Message Authentication Codes Privacy + Authenticity/Freshness? msg Keyed hash authenticity MAC = Hash(ciphertext key) msg = {MAC, ciphertext} w/o key, cannot forge MAC w/ key, can check MAC against ciphertext = concatenation Keyed hash + nonce freshness MAC = Hash(ciphertext i key i) msg = {MAC, i, ciphertext i } Nonce may be random or counter

Authenticated encryption Combine encryption scheme w/ extra mechanism for integrity Dedicated modes (e.g., GCM) for creating authentication tags Encryption then MAC

Secure processor (trusted) Protecting memory Privacy Randomized encryption Store {Ctr i, ciphertext i } tuples externally Integrity Authenticity Store {MAC i, Ctr i, ciphertext i } tuples externally Freshness Idea: Re-use Ctr i as the nonce! Totally broken. We store Ctr i externally, Adversary can give us any {MAC j, Ctr j, ciphertext j }. DRAM, Flash, Disk, Cold storage Fix: store all nonces inside processor Problem: Too much storage (~64bits / block of external memory)

Integrity trees Most common: Merkle tree = freshness w/ O(1) on-chip storage Secure processor (trusted) root = Hash(f 2i f 2i+1 ) root Check B 0? f i = Hash(g 2i g 2i+1 ) f 0 f 1 g i = Hash(h 2i h 2i+1 ) g 0 g 1 g 2 g 3 h i = Hash(B i ) h 0 h 1 h 2 h 3 h 4 h 5 h 6 h 7 B 0 B 1 B 2 B 3 B 4 B 5 B 6 B 7

Public key cryptography (e.g., RSA, EC, lattice-based) Two keys: private key (key_priv keep secret), public key(key_pub safe to release publicly) Encryption Encrypt key_pub (p) = ciphertext Decrypt key_priv (c) = plaintext Mailbox location is public, mailbox key is private Digital signatures Proof that msg comes from whoever owns private key corresponding to key_pub Sign key_priv (msg) := Hash(msg); signature = Encrypt key_priv (h) return {signature, msg} Verify step: Decrypt key_pub (signature) =? Hash(msg)

Public key crypto: RSA (functionality not security) First instance of public key crypto (circa 1978) Choose RSA modulus n We will work in group (Z* n, *); Z* n = {x < n gcd(x, n) = 1} Choose key_pub = e randomly, choose key_priv = d s.t. d*e 1 mod Z* n Encrypt e (m) = c = (m e ) mod n Decrypt d (m e ) = (m e ) d mod n = m (1 + Z*n k) mod n By our definition of d = m (mod n) By Euler s theorem Crucial security issues: how to choose n so that attacker can t get d

RSA issues Read out decryption key d via shared resource attacks Padding schemes How to get randomized encryption? E.g., CBC, CTR modes. If e is small, how to guarantee wrap-around mod n.

Public key equivocation Recall w/ digital signatures: Proof that msg comes from whoever owns private key corresponding to key_pub Problem: How do you know who key_pub belongs to? Key parties, https://keybase.io/ Web of trust: Person i posts certificate i = {name/etc i, key_pub i } Person j signs certificate i via key_priv j If you trust person j, you can now trust certificate i Many people can sign (endorse) certificate i to improve confidence.

Public key infrastructures (PKIs) Problem: Trust in web of trust is not black and white PKI: endorsement = chain of trust back to single key Root Certificate authority (RCA) Certificate authorities (CAs) Chain of trust: certificate i = {name/etc i, key_pub i } certificate i signed with key_priv CA_1 key_pub CA_1 signed with key_priv RCA key_pub RCA boxed with your machine. Hardware security module (HSM) e.g., IBM 4758 key_priv RCA key_pub RCA key_priv CA_0, key_priv CA_1, key_pub CA_0, key_pub CA_1,

Secure channels Asymetric crypto is slow, symmetric crypto is fast Privacy + Authenticity/Freshness msg Idea: establish key (symmetric) via Encrypt key_pub (key) Need to verify key_pub via PKI first

Putting it together: Secure Processor Init Initialization: Remote attestation Secure boot Computing a measurement (cryptographic hash) of software running on secure processor PKI Verifying that the measurement comes from the expected secure processor

Secure boot: Creating the measurement SHA-1 = cryptographic hash function Recall: Hash(p) = digest, one-way Figure: Intel SGX Explained; Victor Costan and Srini Devadas

PKI: Verifying the measurement

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback