Summary on Crypto Primitives and Protocols

Similar documents
Random number generation

Pseudo-random number generators

Lecture 1 Applied Cryptography (Part 1)

Appendix A: Introduction to cryptographic algorithms and protocols

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Content of this part

CSE 127: Computer Security Cryptography. Kirill Levchenko

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

CIS 4360 Secure Computer Systems Symmetric Cryptography

Security Requirements

Information Security CS526

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

COMP4109 : Applied Cryptography

CSCE 715: Network Systems Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography MIS

Session key establishment protocols

Session key establishment protocols

Security: Cryptography

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

05 - WLAN Encryption and Data Integrity Protocols

Unit 8 Review. Secure your network! CS144, Stanford University

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

ECE 646 Lecture 8. Modes of operation of block ciphers

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Message authentication codes

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CSE484 Final Study Guide

Secure Internet Communication

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Message Authentication Codes and Cryptographic Hash Functions

Spring 2010: CS419 Computer Security

Stream Ciphers. Stream Ciphers 1

Authenticated Encryption in TLS

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CSC 474/574 Information Systems Security

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Findings for

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Computer Security CS 526

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Message authentication

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Security. Communication security. System Security

Block Cipher Modes of Operation

Data Integrity. Modified by: Dr. Ramzi Saifan

BCA III Network security and Cryptography Examination-2016 Model Paper 1

NIST Cryptographic Toolkit

Symmetric, Asymmetric, and One Way Technologies

n-bit Output Feedback

Data Security and Privacy. Topic 14: Authentication and Key Establishment

PROTECTING CONVERSATIONS

Computer Security: Principles and Practice

Chapter 6 Contemporary Symmetric Ciphers

(2½ hours) Total Marks: 75

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Double-DES, Triple-DES & Modes of Operation

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

Wireless LAN Security. Gabriel Clothier

CSC 474/574 Information Systems Security

TLS1.2 IS DEAD BE READY FOR TLS1.3

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Information Security CS526

Cryptography: The strongest link in the chain *

Implementing Cryptography: Good Theory vs. Bad Practice

CS408 Cryptography & Internet Security

Introduction to Cryptography. Lecture 3

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block Cipher Operation. CS 6313 Fall ASU

Winter 2011 Josh Benaloh Brian LaMacchia

Lecture 4: Hashes and Message Digests,

Symmetric Crypto MAC. Pierre-Alain Fouque

Randomness Extractors. Secure Communication in Practice. Lecture 17

1.264 Lecture 28. Cryptography: Asymmetric keys

TLS 1.1 Security fixes and TLS extensions RFC4346

Cryptographic hash functions and MACs

CS155. Cryptography Overview

Permutation-based Authenticated Encryption

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

David Wetherall, with some slides from Radia Perlman s security lectures.

Study Guide to Mideterm Exam

Practical Aspects of Modern Cryptography

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Grenzen der Kryptographie

CSC 774 Network Security

UNIT - IV Cryptographic Hash Function 31.1

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CSC/ECE 774 Advanced Network Security

S. Erfani, ECE Dept., University of Windsor Network Security

symmetric cryptography s642 computer security adam everspaugh

CS155. Cryptography Overview

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Transcription:

Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán

Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance coded data data eavesdropping receiver key data DECODING Summary on Crypto Primitives and Protocols 2/24

Symmetric key (conventional) encryption stream ciphers XOR (+ or ) one-time pad (truely random key stream) m i stream ciphers (pseudo random key stream)» large size of the effective state space is important K G z i» do not provide any integrity protection» does not increase message length c i block ciphers operate on larger blocks (typical size is 128 bits) can be viewed as random permutations product ciphers use simple operations in many rounds AES (block size: 128; key size = 128, 192, 256) X E Y K Summary on Crypto Primitives and Protocols 3/24

Attacks Kerckhoff s principle it is assumed that the encryption algorithm is known to the attacker attack models ciphertext-only attack known-plaintext attack (adaptive) chosen-plaintext attack (adaptive) chosen-ciphertext attack exhaustive key search attack average complexity is 2 k-1, if key length is k bits algebraic attacks weaknesses in the algebraic structure of a cipher may lead to attacks that are substantially more efficient than the exhaustive key search attack Summary on Crypto Primitives and Protocols 4/24

Block cipher modes Cipher Block Chaining (CBC) IV: unpredictable, non-manipulable padding padding oracle attack X 1 X 2 X 3 IV + + + Y N-1 K E K E K E K Y 1 Y 2 Y 3 X N + E Y N Electronic Code Book (ECB) IV Cipher Feedback (CFB) Output Feedback (OFB) Counter (CTR) K m i state E c i special modes: CBC-CTS (ciphertext stealing) authenticated encryption modes: CCM, GCM, OCB Summary on Crypto Primitives and Protocols 5/24

Asymmetric (public) key encryption encryption and decryption are performed with different keys in fact, the key has two parts: one part is used for encryption; this can even be public the other part is used for decryption; this must be kept private computing the private part from the public part is hard only the public key needs to be transmitted to the recipient, and this does not need a secure channel there is no need to have shared secret between sender and recipient this makes key management easier example: RSA Summary on Crypto Primitives and Protocols 6/24

Hybrid encryption public key crypto is slower than symmetric key crypto and require longer (e.g. 2048 bits) keys for similar security the speed problem can be solved with hybrid encryption: DATA PRNG symmetric encryption symmetric key coded DATA public KEY public key encryption coded sym key Summary on Crypto Primitives and Protocols 7/24

Security of public key crypto schemes security is usually related to the difficulty of some problems that are widely believed to be hard to solve examples: factoring computing discrete logarithm sometimes it can even be rigorously proven that breaking the encryption scheme would mean that there exist an efficient solution to the related hard problem (reduction proof) although widely used practical schemes have no complete proofs practical considerations: semantic security non-malleability Summary on Crypto Primitives and Protocols 8/24

Other primitives cryptographic hash functions map arbitrary long inputs into a fixed length output (digest, hash value) three important properties: 1. collision resistance 2. weak collision resistance (2nd preimage resistance) 3. one-wayness (preimage resistance) birthday paradox complexity of brute force collision search is 2 n/2 MAC functions similar to hash functions, but have an additional input (a symmetric key) used for message integrity protection and message origin authentication digital signature schemes similar to MAC functions, but use asymmetric keys besides integrity protection and origin authentication, they also ensure non-repudiation Summary on Crypto Primitives and Protocols 9/24

Using a MAC function Sender key DATA MAC function MAC key DATA MAC function MAC Receiver =? Summary on Crypto Primitives and Protocols 10/24

Hash-and-sign approach generation message private key of sender h hash enc signature signed message message h hash hash dec signature verification compare accept / reject public key of sender Summary on Crypto Primitives and Protocols 11/24

General model of cryptographic coding Sender DATA encoding key ENCODING encryption confidentiality checksum integrity protection, message origin authentication Attacker e.g.: e-mail, file, IP packet Receiver spatial or temporal distance decoding key coded ADAT DATA eavesdropping replay modification forgery DATA DECODING decoding key = encoding key conventional cryptography (symmetric key crypto) decoding key encoding key public key cryptography (asymmetric key crypto) Summary on Crypto Primitives and Protocols 12/24

Support functions random number generation a (cryptographic) random number is a number that cannot be predicted with better probability than random coin flips (even if all previous outputs have been observed) a pseudo-random number generator (PRNG) processes somewhat unpredictable inputs and generates pseudo-random outputs (look very similar to real random numbers) somewhat unpredictable input collect update PRNG re-seed state generate pseudo-random output design of PRNGs where do you get real random input? when and how do you re-generate the internal state of your PRNG? how do you generate the output? attacker models (only some outputs can be observed... state compromise extension) example: Fortuna Summary on Crypto Primitives and Protocols 13/24

Support functions key exchange protocols allow two remote parties to setup a shared key when needed attacker model:» attacker controls the communication channel (Man-in-the-Middle)» cannot break crypto primitives» eavesdropping, injection, replay, reflection, interleaving, typing attacks security requirements:» key authentication (implicit or explicit) cryptographic protection» key freshness timestamps, nonces, key agreement main design principle:» make sure that interpretation of messages does not implicitely depend on context classification» key transport (using only symmetroc key crypto or using public key crypto)» key agreement Summary on Crypto Primitives and Protocols 14/24

WiFi security security challenges in wireless networks no physical protection of communication channels broadcast nature of communications WEP operation (station authentication, message integrity and confidentiality) WEP flaws, possible attacks, lessons learned WPA, WPA2 new authentication framework (802.1X, EAP, key hierarchy) TKIP (WPA) (design constraints and weaknesses) AES-CCM (WPA2) Summary on Crypto Primitives and Protocols 15/24

TLS TLS subprotocols and their functions TLS Record Protocol uses strong algorithms (HMAC, AES) good protection against passive eavesdropping some protection against traffic analysis (random length padding) vulnerable to some padding oracle attacks (Lucky 13, POODLE) TLS Handshake Protocol uses strong algorithms (RSA, DH, DSS, well designed PRF based on HMAC) some protection against passive and active attacks possibly vulnerable to some active attacks (e.g., DROWN) attacks on SSL/TLS CBC padding oracle attack and variants (e.g., Lucky 13, POODLE) CBC predictible IV vulnerability (BEAST) attacks exploiting compression ratio and timing side channels (BREACH, TIME, CRIME) cross-protocol attacks (DROWN) Summary on Crypto Primitives and Protocols 16/24

What goes wrong in practice? key management issues e.g., keys are generated with weak random number generators protocol weaknesses e.g., crypto algorithms are used in wrong ways implementation issues bugs side channels (e.g., timing attacks) human stupidity e.g., using home made crypto algortihms Summary on Crypto Primitives and Protocols 18/24

EXAMPLES

Early version of Netscape s PRNG RNG_CreateContext() (seconds, microseconds) = time of day; pid = process ID; ppid = parent process ID; a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid << 12) ); seed = MD5(a b); mklcpr(x) return((0xdeece66d*x + 0x2BBB62DC) >> 1) RNG_GenerateRandomBytes() x = MD5(seed); seed = seed+1; return x; create_key() RNG_CreateContext(); RNG_GenerateRandomBytes(); RNG_GenerateRandomBytes(); client_random = RNG_GenerateRandomBytes(); // sent in client_hello pre_master_secret = RNG_GenerateRandomBytes(); Summary on Crypto Primitives and Protocols 20/24

Attacking the Netscape PRNG if an attacker has an account on the UNIX machine running the browser ps command lists running processes attacker learns pid, ppid the attacker can guess the time of day with seconds precision (assumption) only unknown is the value of microseconds ~2 20 possibilities each possibility can be tested easily against the client_random sent in clear in the client_hello message if the attacker has no account on the machine running the browser a has 20 bits of randomness, b has 27 bits of randomness seed has 47 bits of randomness (compared to 128 bit advertised security) ppid is often just a bit smaller than pid sendmail generates message IDs from its pid» send mail to an unknown user on the attacked machine» mail will bounce back with a message ID generated by sendmail» attacker learns the last process ID generated on the attacked machine» this may reduce possibilities for pid Summary on Crypto Primitives and Protocols 21/24

secureurl.php Nguyen Quoc Bao, Secure URL 2.0, www.phpclasses.org/quocbao_secureurl designed to hide URL parameters and protect their integrity Summary on Crypto Primitives and Protocols 22/24

Breaking secureurl.php we analyzed this package in the context of a penetration testing work that we conducted for request by a client the client s web site used the secureurl.php package for hiding URL parameters the entire design of the site s defense architecture heavily depended on the assumption that URL parameters were properly hidden we broke the cryptographic algorithm of secureurl.php, and this also allowed us to successfully break into the client s system (with some additional work, of course) in this case, the use of bad cryptography created a false impression of security for our client we reported the flaw at http://seclists.org/bugtraq/2011/sep/139 Summary on Crypto Primitives and Protocols 23/24

Breaking secureurl.php encryption is based on XOR-ing the plaintext parameter string with the MD5 digest of a user defined secret key repeated as many times as needed to mask the entire plaintext parameter string the same MD5 digest is used for every request! if we can guess a plaintext parameter string, and observe its encrypted version, then we can compute this MD5 digest, and we are done we could obtain plaintext parameter strings in multiple ways some pages contained some parameter names and values in plaintext accidentally (e.g., comments or debug messages) the web site contained open source web components, and we could examine the original program to get information on what parameter strings it used Summary on Crypto Primitives and Protocols 24/24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback