ECEN 5022 Cryptography

Similar documents
Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS 161 Computer Security

CS 161 Computer Security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

1 Identification protocols

UNIT - IV Cryptographic Hash Function 31.1

HOST Authentication Overview ECE 525

Password. authentication through passwords

2.1 Basic Cryptography Concepts

Introduction to Cryptography. Ramki Thurimella

Public-key Cryptography: Theory and Practice

Kurose & Ross, Chapters (5 th ed.)

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS Computer Networks 1: Authentication

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

CS 161 Computer Security

CSC/ECE 774 Advanced Network Security

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Session key establishment protocols

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Security: Cryptography

Session key establishment protocols

CSC 774 Network Security

S. Erfani, ECE Dept., University of Windsor Network Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Key Establishment and Authentication Protocols EECE 412

Strong Password Protocols

Spring 2010: CS419 Computer Security

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Encryption. INST 346, Section 0201 April 3, 2018

Cryptographic Checksums

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Security Requirements

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Lecture 6 - Cryptography

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CS 161 Computer Security

Other Topics in Cryptography. Truong Tuan Anh

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Data Integrity. Modified by: Dr. Ramzi Saifan

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Public Key Algorithms

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSC 474/574 Information Systems Security

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

A Tour of Classical and Modern Cryptography

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

CSE 127: Computer Security Cryptography. Kirill Levchenko

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 7 - Applied Cryptography

CS 161 Computer Security

Cryptanalysis. Ed Crowley

RSA. Public Key CryptoSystem

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

CS61A Lecture #39: Cryptography

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

CSC 8560 Computer Networks: Network Security

CPSC 467: Cryptography and Computer Security

Number Theory and RSA Public-Key Encryption

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Lecture IV : Cryptography, Fundamentals

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Introduction to Cryptography. Lecture 6

Ref:

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptography Introduction

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

CSCE 813 Internet Security Kerberos

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Computer Security: Principles and Practice

Cryptography ThreeB. Ed Crowley. Fall 08

Chapter 9: Key Management

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

HY-457 Information Systems Security

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Applied Cryptography Protocol Building Blocks

Full file at

Cryptography and Network Security

Digital Signatures. Cole Watson

1-7 Attacks on Cryptosystems

Part VI. Public-key cryptography

What did we talk about last time? Public key cryptography A little number theory

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Diffie-Hellman. Part 1 Cryptography 136

5. Authentication Contents

Cryptography Math/CprE/InfAs 533

Introduction to Modern Cryptography. Benny Chor

Transcription:

Introduction University of Colorado Spring 2008

Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such topics as authentication, message integrity, digital signatures, and cryptographic protocols. Classical cryptography is typically concerned with patterns in languages and how to conceal them. For English the starting point is usually the 26 letter alphabet (often converted to numbers 0... 25). Modern cryptography, which includes the notion of public-key cryptography (W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Trans. Info. Thy., IT-22, n. 6, Nov. 1976, pp. 644-654), is a multidisciplinary subject which uses results from algebra, number theory, probability and information theory, computational complexity, statistics, combinatorics, and graph theory.

Need for Secrecy Eve m Alice m m Bob The original goal of cryptography is encryption for secrecy. Alice wants to send a message m to Bob, but Eve listens in. The use of names (Alice and Bob for the good guys and Eve for the eavesdropper) is traditional in cryptography.

Encryption Introduction Eve c Alice c c Bob c = E(K e,m) m=d(k e,c) Alice and Bob use encryption to keep their communication secret from Eve. Alice and Bob agree on a secret encryption key K e, using a secure communication channel. When Alice sends a message m to Bob she encrypts it as c = E(K e, m). m is also called plaintext and c is also called ciphertext. Bob decrypts the message as m = D(K e, c). Eve does not have the secret key K e and cannot decrypt the ciphertext.

Kerckhoffs Principle Introduction To decrypt the ciphertext c, two things must be known: (i) the decryption algorithm D and (ii) the key K e. It is tempting (but foolish) to argue that the most secure startegy is to keep both D and K e secret. Kerkhoffs Principle. The security of the encryption scheme must depend only on the secrecy of the key K e and not on the secrecy of the algorithm(s) D (and E). Reasons: Cryptographic systems are built for many users and are used for many years. Thus, changing algorithms (if they are compromised) is expensive and difficult to do. Because many users use the same algorithm, it is infeasible to keep it secret. In fact, the algorithms should be published, so that everybody can try to find flaws. By publishing your algorithm you can have it analyzed for free!

Need for Authentication Eve m Alice m m m Bob Eve can do more than just listen in. She can delete a message so that Bob never receives it. She can also try to alter the message m (or invent a new message) so that Bob receives message m. Problem: Suppose Bob just received a message. How does he know it came from Alice and not from Eve? Solution: Use a message authentication code (MAC).

Authentication Alice a=h(k a,m) Eve m m, a m, a m,a Bob h(k a,m)=a h(k a,m ) a h is a MAC function (often a hash function). Alice now sends both m and a to Bob. He recomputes a from m and checks against received a. If Eve sends m instead of m, h(k a, m ) a for a good MAC function.

Authentication If Eve does not know K a, then she cannot send m and corresponding a to Bob. But Eve can still delete messages, or delay messages, or change the order of messages. Thus, some form of message integrity is also needed. A simple strategy is to use time stamps and/or number the messages sequentially. Note that it is possible to combine secrecy and authentication.

Key Distribution Problem Eve c Alice c c Bob K e K e K e Secure Channel To use (conventional) encryption and/or authentication, Alice and Bob must share secret keys K e and/or K a. To exchange keys there must be a secure channel. Distributing and managing keys is one of the difficult problems of cryptography. Alice and Bob can meet for dinner once a month, but if there are N = 100 people, then N(N 1)/2 = 100 99/2 = 4950 pairs of keys need to be distributed securely.

Public Key Cryptography Eve c Alice c c Bob c = E(K e,m) m=d(k d,c) K d K e K e is public encryption key for Bob, K d is Bob s secret decryption key. For public-key cryptography K e K d. Moreover, it must be infeasible to compute K d from knowledge of K e. Necessary to recover m: D ( K d, E(K e, m) ) = m. Another name for public-key encryption is asymmetric-key encryption. Simplification of key distribution problem: Bob now only has to distribute/publish his public key K e that everybody can use.

Digital Signatures Alice m, s m, s Bob s = σ(k d,m) v(k e,m,s)? A digital signature must have the property that everyone can check it, but only one person can generate it. Alice computes signature s for message m as s = σ(k d, m) using her private key K d. She sends m, s to Bob. Bob receives m, s and uses Alice s public key K e to verify the signature with v(k e, m, s). This works like a MAC, except that it is verified with a public key, whereas the private key is needed to generate s.

Public Key Infrastructure Public-key cryptography simplifies the key management problem, but Alice still needs to be able to find Bob s key and be sure that it s not Malice who pretends to be Bob. The general solution is to use a public key intrastructure (PKI). The main idea is to set up a central authority, called certificate authority (CA). Each user then takes their public key to the CA and the CA verifies their identity (e.g., using a passport or a fingerprint). The CA then signs the user s public, saying something to the effect: The CA has verified that this key is Bob s public key. Some problems: The CA must be trusted by everybody. And what if the CA issues a false certificate (e.g, based on a forged ID)? Who is liable?

Ciphertext-Only Attack The cryptanalyst has (one or more) cryptograms available that were encrypted with the same key and tries to find the corresponding plaintext(s). The cryptanalyst may also try to deduce the key from the cryptograms. This is the most difficult type of attack. A ciphertext-only attack is what most people tend to think of when they hear talk about breaking an encryption system.

Known Plaintext Attack The cryptanalyst has one (or more) plaintext(s) and the corresponding ciphertext(s), all based on the same key, available. available. The goal is to find the encryption and/or decryption key or an algorithm that can decrypt any further messages encrypted with the same key. Plaintext/ciphertext pairs may be obtained from standard messages or message headers (e.g., e-mail autoreply), or from mailings that are sent encrypted to several people, including a cryptanalyst.

Chosen Plaintext Attack Here it is assumed that the cryptanalyst has obtained (temporary) access to an encryption device. This is clearly easily possible for public key encryption where the encryption key and algorithm are public knowledge. The cryptanalyst chooses plaintexts with desirable properties and computes the corresponding ciphertexts. The goal is to find the decryption key or an algorithm that can decrypt all messages that are encrypted with the same key. A big advantage of a chosen plaintext attack is that the cryptanalyst can repeatedly encrypt new plaintexts with modifications derived from previous encryptions.

Chosen Ciphertext Attack In this case the cryptanalyst has gained (temporary) access to a decryption device and can compute the plaintext for any ciphertext. Often the cryptanalyst gets to choose both plaintext and ciphertext values. The goal is again to obtain the decryption key or an algorithm for computing the plaintext from the ciphertext. The chosen ciphertext attack is the most powerful of the cryptanalytic attacks discussed here.

Birthday Attacks If there are 23 people at a party, the probability that two have the same birthday is a little larger than 0.5. In general, if an element can take on n values and there are r such elements with independently and uniformly assigned values, then the probability that they all have different values is (assume r n for the approximations) ( 1 1 n )( 1 2 n ) ( 1 r 1 n r 1 ) i=1 e i/n = e r(r 1) 2n e r2 2n. Thus, the probability that two or more items out of r have the same value is p 1 e r2 2n and if r 1.18 n then p 0.5. If a function h(.) can take on n values, then a collision (h(x 1 ) = h(x 2 ), x 1 x 2 ) occurs with probability 0.5 after n trials.

Yuval s Birthday Attack INP: m 1 legitimate message. m 2 fraudulent message. h b-bit hash function. OUTP: m 1, m 2 resulting from minor modifications of m 1, m 2 with h(m 1 ) = h(m 2 ). 1. Generate t = 2 b/2 minor modifications m 1 of m 1. 2. Compute and store h(m 1 ) for all m 1. 3. Generate minor modifications m 2 of m 2 and compute h(m 2 ) until match in h(m 1 ) table is found. p(success) 0.5 if approximately 2 b = 2 b/2 hash functions h(m 1 ) and h(m 2 ) are checked. = effort 2 2 b/2 rather than 2 b required. Example: 2 128 = 3.4 10 38 but 2 2 64 = 3.7 10 19. One year = 3.15 10 16 ns.

Meet in the Middle Attacks A meet in the middle attack is more flexible than a birthday attack. Birthday attack example (for comparison): Consider a system that uses a MAC with a 64-bit key on messages with standard headers (e.g., People s Bank of South Dakota, this is transaction number... ). Each message uses a new randomly chosen key. The attacker stores the MAC values of all headers and the messages that follow in a table. After about 2 32 messages there is a 50% chance that two header MAC values are the same, and thus the two corresponding messages (which use the same MAC key as the header) can be exchanged without detection, thereby compromising the MAC system.

Meet in the Middle Attacks Meet in the middle attack example: Consider the same MAC system as for the birthday attack. Now the attacker chooses 2 32 MAC keys at random, computes the MAC for the standard header and stores both the MAC and the key in a table. Then the attacker listens to each message and checks the MAC of the standard header against the stored MACs. If the MAC is in the table, then it was most likely computed using the same key as the one stored in the table. Now the attacker can insert an arbitrary message since he knows the MAC key. The attacker has precomputed the MAC on 1 out of every 2 32 keys on the average. Thus, after listening to 2 32 transactions, he can expect to see a MAC that matches one of the stored MACs and thus the effort is about 2 2 32.

Meet in the Middle Attack on 2-DES m e.g., DES 1 e.g., DES 2 E(K 1,m) x = E(K 1,m) E(K 2,x) c=e(k 2,E(K 1,m)) K 1 K 2 Double encryption with two keys K 1, K 2. Does this increase effective key size? Key observation: x can be written as x = E(K 1, m) and as x = D(K 2, c) = use known plaintext meet in middle attack. As shown on next slide, effective key length for 2-DES is only increased from 56 to 57 bits. = Need to use at least 3-DES to see improvement over 1-DES.

Meet in the Middle Attack on 2-DES Assume two plaintext/ciphertext pairs (m a, c a ) and (m b, c b ) are known and keylength of K 1, K 2 is L for each. Algorithm: 1. For each possible K 1 compute x K1 = E(K 1, m a ) and store (x K1, K 1 ). Requires 2 L storage locations. 2. For each K 2 compute x K2 = D(K 2, c a ) and look for x K2 = x K1 in table. When a match is found, check that K 1, K 2 were used for encryption by computing E(K 2, E(K 1, m b )) and comparing it to c b. If check fails continue computing D(K 2, c a ) and checking in table. Need to compute at most 2 2 L = 2 L+1 encryptions/decryptions. Thus, effective keyspace size only increased from L to L + 1 (from 56 to 57 bits for 2-DES).

Cryptographic Protocols A protocol is a series of steps, involving two or more parties, designed to accomplish a task. A protocol has a well-defined sequence from start to finish. Every step must be executed in turn, and no step can be taken before the previous step is finished. At least two people are required to complete the protocol, one person alone does not make a protocol. A cryptographic protocol is a protocol that uses cryptography. The point of using cryptography is to prevent or detect eavesdropping or cheating.

Coin Flipping over Telephone Alice and Bob have agreed on (i) x having property P means heads, otherwise result is tails. (ii) One-way function x h(x), x / h(x) such that h(x) does not reveal property P. Protocol: 1. Alice picks random x, computes h(x) and reads it to Bob over the phone. This is Alice s committment. She knows whether x has property P or not. 2. Bob tells Alice his guess whether x has property P or not. This is Bob s committment. 3. Alice reads x to Bob. This is the first verification step. 4. Bob checks x for property P and verifies h(x). This is the second verification step.

Coin Flipping over Telephone For Alice s committment to work it must be impossible to find x with property P c (x) such that h(x ) = h(x). Note that Alice could try to influence the result by biasing heads and tails. Examples for P and h(x): P: x is even. h(x) = x 2 (mod n) for n = pq, p, q, p q, large primes with p = 3 (mod 4) and q = 3 (mod 4). h(x) = pq where p, q are large primes, with p = 1 (mod 4) and q = 3 (mod 4). x has property P if p < q.

Identification or Entity Authentication Basis: 1) Something known, like password, PIN, or secret encryption key. 2) Something possessed, like passport, chip card, or magnetic striped card. 3) Something inherent, like a fingerprint or a retinal pattern. Identification protocol can provide unilateral or mutual identification. Difference between entity and message authentication: Entity authentication is real-time, does not need meaningful message. Message authentication applies to meaningful message, not timeliness.

Passwords (Weak Authentication) Claimant presents password pw and verifier checks correctness against pw stored in database. Susceptible to dictionary attacks, replay attacks, database attacks. To prevent database attack (stealing passwords directly from database) use one-way function h and store only h(pw) in database. To make dictionary attacks (trying all the strings that people typically use as passwords) more difficult, use random number s ( salt ) and store s and h(pw, s) in database. To prevent replay attacks, use sequence of one-time passwords.

Challenge-Response Identification To obtain strong authentication, real-time interaction between claimant (C) and verifier (V ) is needed. Example using public-key cryptography: r 1,r 2 random numbers C a 1 a 1 V a 1 = E(K V e,r 1,C) r 1,A=D(K V d,a 1) C a 2 a 2 V r 1,r 2 =D(K C d,a 2) verify r 1 a 2 = E(K C e,r 1,r 2 ) C r 2 r 2 V verify r 2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback