Professional Documents
Culture Documents
Handout 7 - Cryptography
Handout 7 - Cryptography
Principles of cryptography
Message integrity, authentication
Security: 8- 1
The language of cryptography
Alice’s Bob’s
KA encryption KB decryption
key key
plaintext encryption ciphertext decryption plaintext
algorithm algorithm
m: plaintext message
KA(m): ciphertext, encrypted with key KA
m = KB(KA(m))
Security: 8- 2
Types of Cryptography
Crypto often uses keys:
• Algorithm is known to everyone
• Only “keys” are secret
Hash functions
• Involves the use of no keys
• Nothing secret: How can this be useful?
Cryptography: Computational Security
Breaking an encryption scheme / Cryptanalysis
cipher-text only attack: known-plaintext attack:
Trudy has ciphertext she Trudy has plaintext
can analyze corresponding to ciphertext
two approaches: • e.g., in monoalphabetic
cipher, Trudy determines
• brute force: search pairings for a,l,i,c,e,b,o,
through all keys
• statistical analysis
chosen-plaintext attack:
Trudy can get ciphertext for
chosen plaintext
Security: 8- 5
Cryptanalysis
Attack depends on information available to adversary:
• Ciphertext-only: adversary only has the ciphertext available and wants to
determine the plaintext encrypted
• Known-plaintext attack: adversary learns one or more pairs of
ciphertext/plaintext encrypted under the same key, tries to determine plaintext
based on a different ciphertext
• Chosen-plaintext attack: adversary can obtain the encryption of any plaintext,
tries to determine the plaintext for a different ciphertext
• Chosen-ciphertext attack: adversary can obtain the decryption of any ciphertext
except the one the adversary wants to decrypt
• Chosen-text attack: adversary can obtain the encryption/decryption of any
plaintext/ciphertext
Some Definitions
Unconditional Security: No matter how much computer
power or time is available, the cipher cannot be broken
since the ciphertext provides insufficient information to
uniquely determine the corresponding plaintext (hard
to achieve)
Computational Security: Given limited computing
resources (time needed for calculations is greater than
age of universe), the cipher cannot be broken
Brute Force Search
Always possible to simply try every key
26!
Symmetric Key Cryptography
Security: 8- 9
Symmetric key cryptography
KS KS
Block cipher
• Operates on fixed-size blocks (e.g., 64 or 128 bits)
• Maps plaintext blocks to same size ciphertext blocks
• Today use AES; other algorithms: DES, Blowfish, etc.
Simple encryption scheme (1)
Caesar cipher: earliest known substitution cipher
Very old, very simple symmetric key algorithm
by Julius Caesar
first attested use in military affairs
replaces each letter by 3rd letter on
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Simple encryption scheme (2)
Caesar cipher:
can define transformation as:
• abcdefghijk lmnopqrstuvwxyz How hard to break this
• DE FGH I J KLMNOPQR S TUVWXY Z ABC simple cipher?
mathematically give each letter a number
• abcdefghi j k l m n o p q r s t u v w x y z
• 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Security: 8- 23
Stream Cipher: One-Time Pad
Share a random key K
Encrypt plaintext by xor with sequence of bits
• encrypt(key, text) = key text (bit-by-bit)
Decrypt ciphertext by xor with same bits
• decrypt(key, text) = key text (bit-by-bit)
Advantages:
• Easy to compute encrypt, decrypt from key, text
• This is a theoretically secure cipher (unbreakable)
Disadvantage:
• Key is as long as the plaintext!
• How does sender get key to receiver securely?
RC4 Stream Cipher
RC4 is a popular stream cipher
• Was extensively analyzed and considered good
• Remarkable for its simplicity and speed in software
• Key can be from 1 to 256 bytes
• Used in WEP for 802.11
• Was used in SSL and its successor TLS
Now compute
Prototype Function et al
64-bit input
S1 S2 S3 S4 S5 S6 S7 S8
64-bit intermediate
Loop for
n rounds 64-bit output
In 2nd round, the 8 affected bits get scattered and inputted into multiple
substitution boxes.
Security: 8- 33
Symmetric key
crypto: DES
DES operation
initial permutation
16 identical “rounds” of
function application,
each using different 48
bits of key
final permutation
DES Strength – Key Size
56-bit keys have 256= 7.2 x 1016 values
Brute force search looks hard
Recent advances have shown it is possible
• in 1997 on Internet in a few months
• in 1998 on dedicated hardware in a few days
• in 1999 above combined in 22hrs!
Still must be able to recognize plaintext
Must now consider alternatives to DES
DES Strength – Analytic Attacks
Now have several analytic attacks on DES
These utilize some deep structure of the cipher
• By gathering information about encryptions
• Can eventually recover some/all of the sub-key bits
• If necessary then exhaustively search for the rest
Security: 8- 39
Public Key Cryptography
Security: 8- 40
Public Key Cryptography
symmetric key crypto: public key crypto
requires sender, receiver radically different approach
know shared secret key [Diffie-Hellman76, RSA78]
Q: how to agree on key in sender, receiver do not
first place (particularly if share secret key
never “met”)?
public encryption key
Also in symmetric, parties known to all
are equal
• Can NOT protect sender private decryption key
from receiver forging a known only to receiver
message & claiming is sent
by sender
Security: 8- 41
Why Public-Key Cryptography?
Developed to address two key issues:
Key distribution–how to have secure communications in general
without having to trust a KDC with your key
Digital signatures–how to verify a message comes intact from the
claimed sender
Public Key Cryptography
+
K Bob’s public key
B
- Bob’s private
K
B key
Encryption
Public Key Cryptography
- Alice’s Private
K
A key
+ Alice’s Public
K
A key
Authentication
Public key encryption algorithms
requirements:
1
+
. -.
need KB ( ) and K ( ) such that
B
- +
K (K (m)) = m
B B
+
2 given public key KB ,
it should be impossible to
-
compute private key K B
Security: 8- 46
Public Key Characteristics
Public-Key algorithms rely on two keys where:
Either of the two related keys can be used for encryption, with
the other used for decryption (for some algorithms)
Public Key Crypto - Secrecy
Public Key Crypto - Authentication
Authentication & Confidentiality
Public-Key Applications
Can classify uses into 3 categories:
• Encryption/decryption (provide secrecy)
• Digital signatures (provide authentication)
• Key exchange (of session keys)
Some algorithms are suitable for all uses, others are
specific to one
Security of Public Key Schemes
Public key schemes are no more or less secure than private
key schemes
Like private key schemes brute force exhaustive search
attack is always theoretically possible
But keys used are too large (>512bits)
More generally the hard problem is known, but is made hard
enough to be impractical to break
Requires the use of very large numbers
Hence is slow compared to private key schemes
Prerequisite: modular arithmetic
x mod n = remainder of x when divide by n
facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
thus
(a mod n)d mod n = ad mod n
example: x=14, n=10, d=2:
(x mod n)d mod n = 42 mod 10 = 6
xd = 142 = 196 xd mod 10 = 6
Security: 8- 53
RSA: getting ready
message: just a bit pattern
bit pattern can be uniquely represented by an integer number
thus, encrypting a message is equivalent to encrypting a
number
example:
m= 10010001. This message is uniquely represented by the decimal
number 145.
to encrypt m, we encrypt the corresponding number, which gives a
new number (the ciphertext).
Security: 8- 54
RSA: Creating public/private key pair
1. choose two large prime numbers p, q. (e.g., 1024 bits each)
Security: 8- 56
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
encrypting 8-bit messages.
decrypt:
c cd m = cdmod n
17 481968572106750915091411825223071697 12
Security: 8- 57
Why does RSA work?
must show that cd mod n = m, where c = me mod n
fact: for any x and y: xy mod n = x(y mod z) mod n
• where n= pq and z = (p-1)(q-1)
thus,
cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z) mod n
= m1 mod n
=m
Security: 8- 58
RSA: another important property
The following property will be very useful later:
- + + -
KB(K (m)) = m = K (K (m))
B B B
Security: 8- 59
- + + -
Why KB(K (m)) = m = K (K (m)) ?
B B B
Security: 8- 60
Why is RSA secure?
suppose you know Bob’s public key (n,e). How hard is it to
determine d?
essentially need to find factors of n without knowing the two
factors p and q
• fact: factoring a big number is hard
Security: 8- 61
RSA in practice: session keys
exponentiation in RSA is computationally intensive
DES is at least 100 times faster than RSA
use public key crypto to establish secure connection, then
establish second key – symmetric session key – for
encrypting data
session key, KS
Bob and Alice use RSA to exchange a symmetric session key KS
once both have KS, they use symmetric key cryptography
Security: 8- 62
Session Keys
Exponentiation is computationally intensive
DES is at least 100 times faster than RSA
Session key, KS
Bob and Alice use RSA to exchange a symmetric key KS
Once both have KS, they use symmetric key cryptography
Breaking Ciphers: Cipher Strengths
A cipher is no stronger than its key length
• If there are too few keys, an attacker can enumerate all possible keys
DES has 56 bits — far too few today
• Crack the code: < 3days in 1998, 22 hours in 1999, msec nowadays
Strength of cipher depends on how long it needs to resist attack
• Computational security
No good reason to use less than 128 bits
• NSA rates 128-bit AES as good enough for SECRET traffic; 256-bit AES is good
enough for TOP-SECRET traffic
• Keys for certificate authorities should be at least 2048 bits
• But a cipher can be considerably weaker! A mono-alphabetic cipher over all
256 byte values has a 1684-bit key (log2 256! ≈ 1684), but is trivially solvable
Breaking Ciphers: Computational Power
Adding one bit to the key doubles the work factor for brute
force attacks
• The effect on encryption time is often negligible or even free
Going from 128-bit AES to 256-bit AES takes (at most) 40%
longer, but increases the attacker’s effort by a factor of 2128
Using triple DES costs 3× more to encrypt, but increases the
attacker’s effort by a factor of 2112
Breaking Ciphers: Computational Power
For RSA, doubling the modulus length increases encryption time by 4X
and decryption time by 8X
Attack time against RSA is based on factoring algorithms, not brute
force: there are far too many possible primes for brute force to be ever
possible
Hardware factoring machine (TWIRL):
• Initial R&D cost $20M
• 512-bit RSA keys can be factored with a device costing $5K in about 10 minutes
• 1024-bit RSA keys can be factored with a device costing $10M in about 6 weeks
Authentication
Security: 8- 67
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
Security: 8- 68
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
in a network, Bob
can not “see”
Alice, so Trudy
simply declares
“I am Alice” herself to be Alice
Security: 8- 69
Authentication: another try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing
her source IP address
Alice’s
IP address “I am Alice”
failure scenario??
Security: 8- 70
Authentication: another try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing
her source IP address
Security: 8- 71
Authentication: a third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her secret password to “prove” it.
Alice’s Alice’s
IP addr password “I am Alice” failure scenario??
Alice’s OK
IP addr
Security: 8- 72
Authentication: a third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her secret password to “prove” it.
playback attack:
Alice’s Alice’s
IP addr password “I am Alice” Trudy records
Alice’s packet
and later
plays it back to Bob
Security: 8- 73
Authentication: a modified third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her encrypted secret password to “prove” it.
Alice’s encrypted
IP addr password “I am Alice” failure scenario??
Alice’s OK
IP addr
Security: 8- 74
Authentication: a modified third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her encrypted secret password to “prove” it.
Alice’s encrypted
IP addr password “I am Alice” playback attack still
works: Trudy records
Alice’s packet
and later plays it
back to Bob
Security: 8- 75
Authentication: a fourth try
Goal: avoid playback attack
nonce: number (R) used only once-in-a-lifetime
protocol ap4.0: to prove Alice “live”, Bob sends Alice nonce, R
Alice must return R, encrypted with shared secret key
“I am Alice”
R
KA-B(R) Bob know Alice is live, and
only Alice knows key to
encrypt nonce, so it must
Failures, drawbacks? be Alice!
Security: 8- 76
Authentication: ap5.0
ap4.0 requires shared symmetric key - can we authenticate
using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”
Bob computes
R + -
- K (K (R)) = R
K A (R) A A
and knows only Alice could
Send me your public key have the private key, that
+ encrypted R such that
K A (R) + -
K (K (R)) = R
A A
Security: 8- 77
Authentication: ap5.0 – there’s still a flaw!
man (or woman) in the middle attack: Trudy poses as Alice (to Bob) and
as Bob (to Alice)
I am Alice I am Alice
R
-
K (R)
?
T
R Where are Send me your public key
- mistakes +
K (R) K Bob computes
A made here? T + -
Send me your public key K (K T(R)) = R,
+ T
K authenticating
A Trudy as Alice
Trudy recovers m: +
Trudy recovers Bob’s m: + - + K (m) Bob sends a personal
- + m = K (K (m)) T
m = K (K (m)) K (m) T T message, m to Alice
A A A sends m to Alice
and she and Bob meet a week encrypted with
later in person and discuss m, Alice’s public key
not knowing Trudy knows m
Security: 8- 78
Message Integrity
Security: 8- 79
Message Integrity /Message Authentication
Message authentication is concerned with:
• Protecting the integrity of a message
• Validating identity of originator
• Non-repudiation of origin (dispute resolution)
Security: 8- 85
Digital signatures
-
suppose Alice receives msg m, with signature: m, KB(m)
+ -
Alice verifies m signed by Bob by applying Bob’s public key KB to KB(m)
+ -
then checks KB(KB(m) ) = m.
+ -
If KB(KB(m) ) = m, whoever signed m must have used Bob’s private key
Alice thus verifies that:
Bob signed m
no one else signed m
Bob signed m and not m’
non-repudiation: -
Alice can take m, and signature KB(m) to court and prove that Bob
signed m
Security: 8- 86
Message digests
computationally expensive to public-key-encrypt long messages
goal: fixed-length, easy- to-compute digital “fingerprint”
apply hash function H to m, get fixed size message digest, H(m)
large
message H: Hash
Function H(m)
m
?
equal
Security: 8- 89
Hash Functions
Security: 8- 90
Hash function algorithms
MD5 hash function widely used (RFC 1321)
• computes 128-bit message digest in 4-step process.
• arbitrary 128-bit string x, appears difficult to construct msg m whose
MD5 hash is equal to x
• suffer from extensive vulnerabilities
SHA-1 is also used
• US standard [NIST, FIPS PUB 180-1]
• 160-bit message digest
Security: 8- 91
Applications of Hash Functions
Password files (one way)
Security: 8- 97
Message Authentication Code (MAC)
Generated by an algorithm that creates a small fixed-
sized block
• Depending on both message and some key
• Like encryption though need not be reversible
Appended to message as a signature
Receiver performs same computation on message and
checks it matches the MAC
Provides assurance that message is unaltered and
comes from sender
Applications of MAC Functions
Security: 8- 107
Digital Signatures
Cryptographic technique analogous to hand-written
signatures
Sender (Bob) digitally signs document, establishing that he
is document owner/creator
Goal is similar to that of a MAC, except now use public-key
cryptography
Verifiable, non-forgeable: recipient (Alice) can prove to
someone that Bob, and no one else (including Alice), must
have signed document
Digital Signatures
Message authentication protects two parties from a third
party but it does not protect them against each other:
Alice may forge a different message and claim that it
came from Bob. She appends an authentication code
using the key she shares with Bob
Bob can deny sending a message to Alice because he
knows it is possible for her to forge one.
Digital Signatures
In case of no trust between sender and receiver, a solution is
the digital signature which is similar to handwritten signature:
It must verify the author and the date and time of signature
It must authenticate the contents at the time of signature
It must be verifiable by third parties to resolve disputes
Digital Signatures Properties
Must depend on the message being signed
Must use information unique to sender
• To prevent both forgery and denial
Must be relatively easy to produce
Must be relatively easy to recognize & verify
Be computationally infeasible to forge
• With new message for existing digital signature
• With fraudulent digital signature for given message
Be practical to save digital signature in storage
Digital Signatures
Simple digital signature for message m:
Bob signs m by encrypting with his private key KB,
-
creating “signed” message, KB(m) -
- Bob’s private
Bob’s message, m K B key
-
K B(m)
Dear Alice
Bob’s message, m,
Oh, how I have missed
you. I think of you all
Public key signed
the time! …(blah blah encryption (encrypted) with
blah) algorithm his private key
Bob
Digital Signature = Signed MAC
Alice verifies signature and
Bob sends digitally signed
integrity of digitally signed
message: message:
large
message H: hash encrypted
m function H(m)
msg digest
-
KB(H(m))
Bob’s digital large
private signature message
key - (encrypt) m Bob’s digital
KB public
+ signature
key KB
encrypted H: hash (decrypt)
msg digest function
-
+ KB(H(m))
H(m) H(m)
equal
?
Digital Signatures
Public-key encryption
• Alice publishes encryption key
• Anyone can send encrypted message
• Only Alice can decrypt messages with this key
Digital signature scheme
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages
Certificate Authority (CA)
Security: 8- 115
Authentication: ap5.0 – let’s fix it!!
Recall the problem: Trudy poses as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
-
K (R)
?
T
R Where are Send me your public key
- mistakes +
K (R) K Bob computes
A made here? T + -
Send me your public key K (K T(R)) = R,
+ T
K authenticating
A Trudy as Alice
Trudy recovers m: +
Trudy recovers Bob’s m: + - + K (m) Bob sends a personal
- + m = K (K (m)) T
m = K (K (m)) K (m) T T message, m to Alice
A A A sends m to Alice
and she and Bob meet a week encrypted with
later in person and discuss m, Alice’s public key
not knowing Trudy knows m
Security: 8- 116
Need for certified public keys
motivation: Trudy plays pizza prank on Bob
• Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me
four pepperoni pizzas. Thank you, Bob
• Trudy signs order with her private key
• Trudy sends order to Pizza Store
• Trudy sends to Pizza Store her public key,
but says it’s Bob’s public key
• Pizza Store verifies signature; then
delivers four pepperoni pizzas to Bob
• Bob doesn’t even like pepperoni
Security: 8- 117
Public key Certification Authorities (CA)
certification authority (CA): binds public key to particular entity, E
entity (person, website, router) registers its public key with CE
provides “proof of identity” to CA
• CA creates certificate binding identity E to E’s public key
• certificate containing E’s public key digitally signed by CA: CA says “this is E’s
public key”
Bob’s digital
public + signature +
key KB (encrypt) KB
CA’s
private
K
- certificate for Bob’s
Bob’s key
identifying
CA public key, signed by CA
information
Security: 8- 118
Public key Certification Authorities (CA)
when Alice wants Bob’s public key:
• gets Bob’s certificate (Bob or elsewhere)
• apply CA’s public key to Bob’s certificate, get Bob’s public key
digital Bob’s
+
KB signature + public
(decrypt) KB key
CA’s
public +
key K CA
Security: 8- 119
Certificates: Content
Primary standard X.509 (RFC 2459)
Certificate contains:
• Issuer name
• Entity name, address, domain name, etc.
• Entity’s public key
• Digital signature (signed with issuer’s private key)