CSCI 362 Computer and Network Security
Cryptology
If you like this subject...
Dr. Kahn is a Bucknell alumnus, class of 1951.
Dr. Singh’s book is a world-wide best seller.
Mr. Stephenson is a very successful contemporary writer of fiction.
[Book covers shown: Kahn (non-fiction), Singh (non-fiction), Stephenson (fiction).]
Function / Cipher

plaintext p:
This is a test of the emergency broadcast system. If this had been an actual emergency, you would have been instructed where to tune in your area for news and official information.

        --- f --->     (encipher)
        <--- f^-1 ---  (decipher)

ciphertext c:
BAAS+TU1A/TRVR.IP-HDM3MFWRRPPTY/BERYRWKFH6ARAMWM9+KW:IHVV8VUN-PAMG(TF:LNVLAA:RPCFAOAQU43GHM:HZWCD/HNYC.VORB6QGAMJUNEGU:LHRUC.NY-HQVX(BF:JZWI:PRRD8TIB-BAEL(TFD+ZHWIRINO8WHPBFIIMQHF.

KEY(S): K0, K1, ..., Kn-1
c = f (p, K0, K1, ..., Kn-1)
Notation
plaintext = p, ciphertext = c
c = E_{K0,K1,...,Kn-1}(p)   (encipherment, encryption)
p = D_{K0,K1,...,Kn-1}(c)   (decipherment, decryption)

Symmetric Key Cipher
c = E_{K0,K1,...,Kn-1}(p)
p = D_{K0,K1,...,Kn-1}(c)
p = D_{K0,K1,...,Kn-1}(E_{K0,K1,...,Kn-1}(p))
Identical encipherment and decipherment keys
Stream Cipher
plaintext stream (arbitrary length):  This is a test of...
ciphertext stream (arbitrary length): BAAS+TU1A/TRVR.IP...
key stream (arbitrary length):        w#4a57123$g$#%H*...
c[i] = f (p[i], K[i])
The length of the keystream must match the length of the plaintext stream.
The key stream is produced by a generator g from a key of fixed length (in the example, the key XKCD241012).
Cryptanalysis
The science of recovering the plaintext of a message without knowledge of the encryption key. Successful cryptanalysis may result in the recovery of a message or an encryption key.
Kerckhoffs’ Principle: Secrecy must rely solely on the encryption key (the attacker may have detailed information on the cryptographic algorithm).
Compromise is the disclosure of a key without the use of any cryptanalysis.
An attack is an attempt to recover plaintext or key from a collection of enciphered messages.
Cryptanalysis Attacks: Ciphertext-only attack
Given the ciphertext of several messages enciphered with the same algorithm (and perhaps the same key), recover the plaintext of as many messages as possible, or, better yet, recover the key(s) used.
Given: C1 = Ek(P1), C2 = Ek(P2), ..., Ci = Ek(Pi)
Deduce: P1, P2, ..., Pi and/or an algorithm to infer Pi+1 from Ci+1
Cryptanalysis Attacks: Known-plaintext attack
Force the adversary to encipher a known plaintext. The captured encipherment of the known text can reveal characteristics of the algorithm and key.
Given: P1, Ek(P1), P2, Ek(P2), ..., Pi, Ek(Pi), where P1, P2, ..., Pi are chosen by the attacker
Deduce: k and/or an algorithm to infer Pi+1 from Ci+1
Cryptanalysis Attacks: Frequency analysis
PLAINTEXT:
If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible, while conforming to the POSIX standard as well. When invoked as an interactive login shell, or a non-interactive shell with the --login option, it first attempts to read and execute commands from /etc/profile and ~/.profile, in that order. The --noprofile option may be used to inhibit this behavior. When invoked as an interactive shell with the name sh, bash looks for the variable ENV, expands its value if it is defined, and uses the expanded value as the name of a file to read and execute. Since a shell invoked as sh does not attempt to read and execute commands from any other startup files, the --rcfile option has no effect. A non-interactive shell invoked with the name sh does not attempt to read any other startup files. When invoked as sh, bash enters posix mode after the startup files are read.
CIPHERTEXT:
li edvk lv lqyrnhg zlwk wkh qdph vk, lw wulhv wr plplf wkh vwduwxs ehkdylru ri klvwrulfdo yhuvlrqv ri vk dv forvhob dv srvvleoh, zkloh frqiruplqj wr wkh srvla vwdqgdug dv zhoo. zkhq lqyrnhg dv dq lqwhudfwlyh orjlq vkhoo, ru d qrq-lqwhudfwlyh vkhoo zlwk wkh --orjlq rswlrq, lw iluvw dwwhpswv wr uhdg dqg hahfxwh frppdqgv iurp /hwf/suriloh dqg ~/.suriloh, lq wkdw rughu. wkh --qrsuriloh rswlrq pdb eh xvhg wr lqklelw wklv ehkdylru. zkhq lqyrnhg dv dq lqwhudfwlyh vkhoo zlwk wkh qdph vk, edvk orrnv iru wkh yduldeoh hqy, hasdqgv lwv ydoxh li lw lv ghilqhg, dqg xvhv wkh hasdqghg ydoxh dv wkh qdph ri d iloh wr uhdg dqg hahfxwh. vlqfh d vkhoo lqyrnhg dv vk grhv qrw dwwhpsw wr uhdg dqg hahfxwh frppdqgv iurp dqb rwkhu vwduwxs ilohv, wkh --ufiloh rswlrq kdv qr hiihfw. d qrq-lqwhudfwlyh vkhoo lqyrnhg zlwk wkh qdph vk grhv qrw dwwhpsw wr uhdg dqb rwkhu vwduwxs ilohv. zkhq lqyrnhg dv vk, edvk hqwhuv srvla prgh diwhu wkh vwduwxs ilohv duh uhdg.
[Histograms of single-letter frequencies: English language (sources: “Moby Dick”, by Herman Melville, and “The Picture of Dorian Gray”, by Oscar Wilde); English language vs. additive cipher; English language vs. multiplicative cipher, k=11; English language vs. affine cipher, k=(s=11, r=5).]
Ideally, a cipher would completely flatten the single-symbol frequency bars.
The Vigenère cipher doesn’t quite meet this goal, but it does a better job than the other ciphers we’ve seen.
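As an added example (not from the lecture), the following Python carries out the frequency analysis the slides describe on the first two sentences of the shift-3 ciphertext above, and generalises it to the additive, multiplicative and affine ciphers of the histogram slides by scoring every affine key (a, b) against an approximate English letter-frequency table that is supplied here rather than taken from the lecture's corpus.

```python
"""Frequency analysis against a monoalphabetic (affine) substitution.

Added example, not part of the lecture.  Every affine key (a, b) with
c = a*p + b mod 26 is tried; the additive cipher is a = 1, the multiplicative
cipher is b = 0.  The decryption whose letter counts are closest to English
(lowest chi-squared) wins.  ENGLISH is an approximate table supplied here.
"""
from math import gcd
from string import ascii_lowercase

# Approximate English single-letter frequencies, in percent, for a..z.
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# First two sentences of the slides' ciphertext (a shift of 3).
CIPHERTEXT = ("li edvk lv lqyrnhg zlwk wkh qdph vk, lw wulhv wr plplf wkh "
              "vwduwxs ehkdylru ri klvwrulfdo yhuvlrqv ri vk dv forvhob dv "
              "srvvleoh, zkloh frqiruplqj wr wkh srvla vwdqgdug dv zhoo.")


def affine(text, a, b):
    """Encipher lowercase letters as (a*p + b) mod 26; other characters pass through."""
    return "".join(chr((a * (ord(ch) - 97) + b) % 26 + 97) if ch in ascii_lowercase else ch
                   for ch in text.lower())


def affine_decrypt(text, a, b):
    """Decipher with p = a^-1 * (c - b) mod 26; a must be relatively prime to 26."""
    a_inv = pow(a, -1, 26)
    return "".join(chr((a_inv * (ord(ch) - 97 - b)) % 26 + 97) if ch in ascii_lowercase else ch
                   for ch in text.lower())


def letter_counts(text):
    """Single-symbol frequency count, i.e. the histogram of the slides."""
    counts = [0] * 26
    for ch in text.lower():
        if ch in ascii_lowercase:
            counts[ord(ch) - 97] += 1
    return counts


def chi_squared(text):
    """Distance between the text's letter histogram and the English one."""
    counts = letter_counts(text)
    n = sum(counts)
    if n == 0:
        return float("inf")
    return sum((c - n * f / 100) ** 2 / (n * f / 100) for c, f in zip(counts, ENGLISH))


def break_affine(ciphertext):
    """Return ((a, b), plaintext) for the key whose decryption looks most like English."""
    best = None
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue                      # no inverse mod 26, so not a valid key
        for b in range(26):
            candidate = affine_decrypt(ciphertext, a, b)
            score = chi_squared(candidate)
            if best is None or score < best[0]:
                best = (score, (a, b), candidate)
    return best[1], best[2]


if __name__ == "__main__":
    key, plaintext = break_affine(CIPHERTEXT)
    print(key, plaintext)
```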
Cryptanalysis Attacks: Frequency analysis
Additional statistics (total letters in text: 1764911)

Most frequent digrams:
TH 52563   HE 44727   ER 29017   IN 28537   AN 27957
RE 23086   HA 21373   ND 21089   ED 19388   OU 19306
NG 17848   HI 17183   AT 16986   EN 16622   ON 15453
ST 14235   AR 14030   TE 13669   LE 13419   ES 13348
OR 13327   SE 12663   IS 12375   EA 12333   AL 11941
VE 11308   AS 10470   LL 10374   NE 10348   NT 10292

Most frequent trigrams:
ING 14442  THE 9619   HAT 7309   THA 6487   HER 6063
ERE 5911   TER 4821   THI 4308   VER 4214   ENT 4174
ITH 3918   WIT 3663   GHT 3254   WHA 3173   HIN 3118
ION 2993   OME 2984   EVE 2947   EAR 2907   AIN 2891
INT 2834   AVE 2823   OUL 2811   HOU 2800   ESS 2756
IGH 2756   NCE 2755   TED 2728   HEN 2690   ULD 2578

Most frequent 4-grams:
THER 4412  OULD 2578  IGHT 2383  HERE 2332  THIN 2192
TION 2114  HING 2084  OUGH 1910  WHAL 1712  EVER 1629
HALE 1596  TING 1499  RING 1340  THOU 1298  ERED 1257
WOUL 1239  LING 1226  NING 1225  OUND 1185  OTHE 1175
KING 1067  ANCE 1060  SELF 1031  ERIN 1022  MENT 1016
DING 998   EATH 992   ATHE 986   ATIO 984   NDER 977

Repeated letters (most repeated symbols; textbook: SS, EE, TT, LL, MM, OO):
A 10     B 517    C 612    D 741    E 7506   F 1876   G 452
H 5      I 52     K 3      L 10374  M 908    N 1085   O 5514
P 1607   R 2040   S 4766   T 2801   U 1      X 21     Z 66
Cryptanalysis Attacks: Limitations of frequency analysis
Mr. Zoliparia laffs. Whare did u get yoor litl pal? he askz. She crold out thi woodwurk, I sez, n he laffs agen an Im evin moar embrasd n getting qwite swety now. Dat dahn ant! Makin a full ov me. N makin mah fais awl beeg an bloted in dat bust shees wukin on now n stew not going bak in hir box Ither.
This is a slightly modified passage from Feersum Endjinn, by Iain M. Banks.
Is it possible to write mangled but understandable English (or any other language) and purposefully alter the relative frequencies of individual characters and perhaps even of digrams, trigrams, etc.? Is it possible to write large chunks of text avoiding one specific letter? Ultimately, what we are asking ourselves is: can we create plaintext that distorts the language signature so much that it makes ciphertext frequency analysis hard?
Does frequency analysis work on short texts? How large do texts need to be for it to work well?
Cryptanalysis Attacks: Rubber-hose attack
Sometimes, it may be much “easier” to obtain encryption keys by means of threats, torture, blackmail, espionage, etc. Of course, one has to weigh the ethics of such types of attacks.
Since the human element may be considered the weakest link in the chain that security is built on, it may be the easiest to break.
One Time Pad
[Diagram: a stream cipher, c[i] = f (p[i], K[i]), with plaintext stream "This is a test of...", key stream "w#4a57123$g$#%H*..." and ciphertext stream "BAAS+TU1A/TRVR.IP...".]
• Truly random keystreams
• Truly unique keystreams for the encipherment of each message
• Perfectly secure key distribution to all parties involved
• Perfect key confidentiality
PROVABLY UNBREAKABLE
If this is so great, why aren’t people using it?

One Time Pad
c[i] = p[i] xor K[i]
plaintext stream:  1011010111
key stream:        0110111010
ciphertext stream: ?
Block Cipher
plaintext (arbitrary length):  THISISATESTOFTHEMERGENCYB...
ciphertext (arbitrary length): BAAS+TU1A/TRVR.IP-HDM3MFWRRPPT...
key (fixed length):            XKCD241012
Blocks have fixed length.
Feistel Ciphers (Horst Feistel, 1950s-1960s)
[Diagram: the input is split into a left half and a right half, which pass through the round functions f1, f2, f3.]
The symbol ⊕ means bitwise XOR.
Functions f1, f2, …, fi are called round functions.
Notation for Feistel ciphers: ψ(f, g, h, . . .) lists the successive round functions; the example on the left is ψ(f1, f2, f3).
Decryption of Feistel ciphers: ψ(f1, f2, f3, . . . , fn−1, fn) = ψ^−1(fn, fn−1, . . . , f3, f2, f1)
The round functions do not have to be individually invertible: fewer constraints on how to achieve good diffusion and confusion lead to smaller code size, faster implementation in software, fewer gates in hardware, etc.
The DES Algorithm
Each 64-bit block of plaintext goes through:
• An initial permutation (IP).
• 16 rounds of substitution and transposition operations influenced by a 48-bit subkey for each round, which is derived from the 56-bit DES key.
• A final permutation (FP).
[Diagram: 64-bit plaintext block → IP → round 1 → round 2 → round 3 → round 4 → round 5 → … → round 16 → FP → 64-bit ciphertext block; the 56-bit key feeds the round subkey generation.]
DES is a Feistel Cipher
Encryption: Take each block and divide it into two halves, L and R. Each round consists of computing the XOR of L with F(Ki, R) for some function F and round key Ki, and then swapping L and R.
Decryption: Swap L and R, then XOR L with F(Ki, R).
Single DES round: F(Ki, R) = bit shuffle (expand), XOR with Ki, substitute.
[Diagram: a DES round takes a 64-bit input L1 (32-bit), R1 (32-bit) and produces a 64-bit output L2 (32-bit), R2 (32-bit). R1 goes through EP, is XORed with Subkey i, then through the S-Box and the P-Box, and the result is XORed with L1.]
Consider a C implementation:
Question: How do you perform bitwise operations?
Question: How do you split a 64-bit value into two 32-bit values?
Question: How do you permute the bits in a variable?
S-boxes
• S-boxes perform substitution operations.
• There are 8 different S-boxes.
• Each S-box takes 6 input bits and produces 4 output bits:
• Bits 1-6 are the input to S-box 1.
• Bits 7-12 are the input to S-box 2, etc.

S-box Operation
• Each S-box contains 4 rows and 16 columns of entries.
• Example - S-box 1:
• The first and last of the 6 input bits to an S-box form a two-digit binary number that specifies one of the 4 rows:
– 00 for the zeroth row, 01 for the first row, 10 for the second row, and 11 for the third row.
• The middle four input bits form a four-digit binary number that specifies one of the 16 columns:
– 0000 for the zeroth column, 0001 for the first column, . . ., and 1111 for the 15th column.

S-box Operation
• The entry found at the intersection of the specified row and column is the four-digit binary output for the S-box.
Examples using S-box 1:
• 011010 (input) = row 0, column 13 = 9 = 1001 (output).
• 110010 (input) = row 2, column 9 = 12 = 1100 (output).
• 000011 (input) = row 1, column 1 = 15 = 1111 (output).

The S-boxes

Example
• The 48-bit result of the XOR operation:
– 110011111011001001001011100101110100010001001001
• The 32-bit result of the S-box substitutions:
– 10110101001111111100010011101010
P-box
• The 32-bit output of the S-boxes is passed through a P-box.
• The P-box permutes the bits into a new order:
– The first output bit from the S-boxes is moved into position 16.
– The second bit is moved into position 7.
– The third bit is moved into position 20.
…
– The thirty-second bit is moved into position 25.
Second XOR Operation
• The 32-bit output of the P-box is XORed with the left half of the original 64-bit input block:
– Output from P-box (32 bits): 10001101110101100101011001011111
– Left half of input block (32 bits): 11100010101110100011100011001101
• The 32-bit output of the XOR operation:
– 01101111011011000110111010010010

Decryption
• The same algorithm and key are used for decryption.
• The subkeys are applied in the opposite order:
– Subkey 16 is used during the first round of decryption,
– Subkey 15 is used during the second round of decryption, …
– Subkey 1 is used during the 16th round of decryption.
Stronger Encryption with DES: 3DES
- Define two key values K1 and K2.
- Each block is encrypted as (the second pass encrypts with decryption): c = E_K1(D_K2(E_K1(m)))
- Decryption does the reverse: m = D_K1(E_K2(D_K1(c)))
Note that encrypting twice with the same key is not much more than a single encryption (exhaustive search requires the same number of keys to be tested; it is true that each key has to be tested twice, but that isn’t a big deal).
Also, encrypting twice with two keys is not as strong as encrypting once with a key twice as long. There exists a possible attack that breaks double-encryption DES in roughly twice the time of a brute-force attack on single-encryption DES.
See [Kaufman 2002] if you want to understand why the third time is the charm.
DES Summary
• DES is deprecated and vulnerable to attacks with modern computing technology. NIST recommends that AES be used instead.
• DES helped to focus and unify the cryptography research community.
• NIST’s 1998 call for an Advanced Encryption Standard to replace DES produced 15 promising candidate algorithms from researchers all over the world.
Block Cipher Modes

Using Block Ciphers: Padding
If the plaintext length is not an exact multiple of the block size, the plaintext needs to be padded.
• Clearly, padding must be reversible.
• An erroneous padding must be treated as an authentication failure.
• Let l(P) be the length of the plaintext in bytes. Use one of the two following schemes:
1) Append a single byte with value 128, then as many 0 bytes as needed to make l(P) a multiple of the block size b.
2) Let n be the number of padding bytes required. Pad P with n bytes, each with value n. Calculate n so that it satisfies:
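The two padding schemes as they would be implemented, together with the strict unpadding that the "authentication failure" bullet calls for. This is an added example, not lecture code; the condition it assumes for n, which the slide leaves to the reader, is the usual one: 1 ≤ n ≤ b with l(P) + n a multiple of b, so a plaintext that already fills its last block still gets a whole block of padding.

```python
"""The two reversible padding schemes from the slides, with strict unpadding.

Added example, not from the lecture.  b is the block size in bytes.  Both
schemes assume 1 <= n <= b and (l(P) + n) % b == 0, so a block-aligned
plaintext receives a full extra block of padding (otherwise the receiver could
not tell padding from data).
"""


class PaddingError(ValueError):
    """Malformed padding; the receiver must treat it as an authentication failure."""


def pad_scheme1(p: bytes, b: int) -> bytes:
    """Append one byte 128 (0x80), then 0 bytes up to a multiple of b."""
    n = b - (len(p) % b)
    return p + b"\x80" + b"\x00" * (n - 1)


def unpad_scheme1(padded: bytes, b: int) -> bytes:
    if not padded or len(padded) % b:
        raise PaddingError("length is not a multiple of the block size")
    stripped = padded.rstrip(b"\x00")          # drop the trailing zero bytes
    if not stripped or stripped[-1] != 0x80 or len(padded) - len(stripped) >= b:
        raise PaddingError("marker byte 0x80 missing or padding too long")
    return stripped[:-1]


def pad_scheme2(p: bytes, b: int) -> bytes:
    """Append n bytes, each with value n (1 <= n <= b)."""
    n = b - (len(p) % b)
    return p + bytes([n]) * n


def unpad_scheme2(padded: bytes, b: int) -> bytes:
    if not padded or len(padded) % b:
        raise PaddingError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= b or padded[-n:] != bytes([n]) * n:
        raise PaddingError("inconsistent padding bytes")
    return padded[:-n]


def check_roundtrip(p: bytes, b: int) -> bool:
    """Reversibility: unpad(pad(p)) == p under both schemes."""
    return (unpad_scheme1(pad_scheme1(p, b), b) == p
            and unpad_scheme2(pad_scheme2(p, b), b) == p)


def padding_ok(unpad, padded: bytes, b: int) -> bool:
    """True if the unpadder accepts the input; False is the authentication-failure case."""
    try:
        unpad(padded, b)
        return True
    except PaddingError:
        return False
```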
Electronic Code Book (ECB)
[Diagram: each block P1, P2, ..., P9 of the plaintext message is encrypted independently under the same key K, giving the blocks C1, C2, ..., C9 of the ciphertext message.]
BIG ISSUES
- If any two blocks mi and mj are identical, the corresponding ci and cj will also be identical: one can learn the key from the repeated blocks.
- The blocks can be rearranged or tampered with.
Cipher Block Chaining (CBC)
[Diagram: C1 = E_K(P1 ⊕ IV), C2 = E_K(P2 ⊕ C1), ..., C7 = E_K(P7 ⊕ C6); every block is encrypted under the same key K.]
BIG ISSUES
- If all messages were to use the same IV, someone could figure out facts about the messages being encrypted.
- If the IV is chosen randomly, then even if the same message is repeatedly encrypted, the corresponding ciphertexts will be different each time.
- The message may still be modified in transit: the effect may be obvious to human eyes, but hard to spot by a program.

Cipher Block Chaining (CBC)
Each block of plaintext is “randomized” according to the previous ciphertext block. Identical plaintext blocks will most likely encrypt to different ciphertext blocks.
How do you choose C0 (the initialization vector)? Two different messages starting with the same block yield ciphertexts that start with the same block: this opens a breach for attackers. Possible solutions:
1) Use a message counter.
2) Use a random number.
3) Use a nonce: each message is given a nonce (a unique number used only once). You have to be careful never to use the same nonce twice with the same key! Each message P is assigned a number (a counter that does not wrap around). This number is used to construct a nonce unique in the whole system. The nonce has the size of a block and is then encrypted with K, producing C0. Send the message number in front of the ciphertext, so that the receiver can reconstruct the nonce. The receiver must accept any one message number only once!
Output Feedback Mode (OFB)
This is actually a stream cipher: the message is XORed with the one-time pad generated by OFB.
- The IV can be chosen randomly and sent with the ciphertext, or it can be generated from a nonce.
- There is no need for padding: you only send as many ciphertext bytes as there are plaintext bytes.
- The secrecy relies on the one-time pad really being used only once!
- If a lot of data is encrypted, it is possible that a sequence of key blocks could start repeating…
K0 = IV
Ki = E(K, Ki−1), for i = 1, . . . , k
Ci = Pi ⊕ Ki
[Diagram: K0 = IV is encrypted under K to give K1, K1 is encrypted to give K2, and so on up to Kk; each Ki is XORed with Pi to give Ci. The chain of encryptions acts as a pseudo-random number generator with the IV as its seed.]
Counter Mode (CTR)
Ki = E(K, nonce || i), for i = 1, . . . , k
Ci = Pi ⊕ Ki
[Diagram: the key blocks K1, K2, K3, ... are E_K(IV), E_K(IV || 1), E_K(IV || 2), ...; each Ki is XORed with Pi to give Ci. The encryptions act as a pseudo-random number generator with the IV as its seed.]
This is also a stream cipher. The key stream is generated very simply using the IV as a starting point and adding to it a counter value (which represents the number of blocks processed).
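An added example (not from the lecture) that ties the Feistel slides to the modes slides: a toy Feistel cipher whose round function is a truncated SHA-256, so it is not invertible and yet decryption is the same network with the round order reversed, exactly as ψ(f1, ..., fn) = ψ^−1(fn, ..., f1) states, driven in ECB, CBC, OFB and CTR so that the ECB repetition leak, the fixed-IV behaviour of CBC and the stream-cipher behaviour of OFB/CTR can be observed. The cipher, the messages, and the use of the slides' example key XKCD241012 are constructed here; nothing in it is a real cipher.

```python
"""A toy Feistel block cipher driven in ECB, CBC, OFB and CTR modes.

Added example, not from the lecture and not a real cipher.  The round function
f_i is a truncated SHA-256 of (i, key, half): it has no inverse, yet the Feistel
network decrypts by running the same rounds in the opposite order, which is what
psi(f1..fn) = psi^-1(fn..f1) says.  Block size is 8 bytes; ECB and CBC inputs are
assumed to be padded to a multiple of the block size already.
"""
import hashlib
import os

BLOCK = 8            # bytes per block, split into two 4-byte halves
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(i: int, key: bytes, half: bytes) -> bytes:
    """f_i: keyed, one-way, and never inverted."""
    return hashlib.sha256(bytes([i]) + key + half).digest()[:BLOCK // 2]


def feistel(block: bytes, key: bytes, order) -> bytes:
    """Apply the round functions in the given order; the final swap is undone."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in order:
        l, r = r, xor(l, round_fn(i, key, r))     # L <- R, R <- L xor f_i(R)
    return r + l


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key, range(1, ROUNDS + 1))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key, range(ROUNDS, 0, -1))   # f_n, ..., f_1


def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC input must be a multiple of the block size (pad it)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(p: bytes, key: bytes) -> bytes:
    return b"".join(encrypt_block(b, key) for b in blocks(p))


def cbc_encrypt(p: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv                                  # C_0 = IV
    for b in blocks(p):
        prev = encrypt_block(xor(b, prev), key)         # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(c: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(decrypt_block(b, key), prev))    # P_i = D_K(C_i) xor C_{i-1}
        prev = b
    return b"".join(out)


def ofb_keystream(key: bytes, iv: bytes, nblocks: int) -> bytes:
    ks, k = [], iv                                      # K_0 = IV
    for _ in range(nblocks):
        k = encrypt_block(k, key)                       # K_i = E(K, K_{i-1})
        ks.append(k)
    return b"".join(ks)


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """K_i = E(K, nonce || i) with a 4-byte nonce and a 4-byte big-endian counter."""
    assert len(nonce) == BLOCK // 2
    return b"".join(encrypt_block(nonce + i.to_bytes(4, "big"), key)
                    for i in range(1, nblocks + 1))


def stream_crypt(data: bytes, keystream: bytes) -> bytes:
    """OFB and CTR are stream ciphers: C_i = P_i xor K_i, no padding, same call decrypts."""
    if len(keystream) < len(data):
        raise ValueError("keystream too short")
    return xor(data, keystream[:len(data)])


def distinct_blocks(c: bytes) -> int:
    return len(set(blocks(c)))


def demo() -> tuple:
    """(distinct ECB blocks, distinct CBC blocks, OFB ciphertext length) for a
    plaintext of four identical blocks: ECB leaks the repetition, CBC with a
    random IV does not, and OFB output is exactly as long as its 13-byte input."""
    key = b"XKCD241012"                                 # the slides' example key
    p = b"AAAAAAAA" * 4
    ecb = ecb_encrypt(p, key)
    cbc = cbc_encrypt(p, key, os.urandom(BLOCK))        # fresh random IV
    ofb = stream_crypt(p[:13], ofb_keystream(key, os.urandom(BLOCK), 2))
    return distinct_blocks(ecb), distinct_blocks(cbc), len(ofb)


if __name__ == "__main__":
    print(demo())
```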
Message Digest Functions

Overview
• Cryptographic hash functions are functions that:
– Map an arbitrary-length (but finite) input to a fixed-size output.
– Are one-way (hard to invert).
– Are collision-resistant (difficult to find two values that produce the same output).
• Examples:
– Message digest functions - protect the integrity of data by creating a fingerprint of a digital document.
– Message Authentication Codes (MAC) - protect both the integrity and authenticity of data by creating a fingerprint based on both the digital document and a secret key.
Checksums vs. Message Digests
• Checksums:
– Used to produce a compact representation of a message.
– If the message changes the checksum will probably not match.
– Good: accidental changes to a message can be detected.
– Bad: easy to purposely alter a message without changing the checksum.
• Message digests:
– Used to produce a compact representation (called the fingerprint or digest) of a message.
– If the message changes the digest will probably not match.
– Good: accidental changes to a message can be detected.
– Good: difficult to alter a message without changing the digest.
Hash Functions
• Message digest functions are hash functions:
• A hash function, H(M)=h, takes an arbitrary-length input, M, and produces a fixed-length output, h.
• Example hash function:
• H = sum all the letters of an input word modulo 26.
• Input = a word.
• Output = a number between 0 and 25, inclusive.
• Example:
• H(“Elvis”) = ((‘E’ + ‘L’ + ‘V’ + ‘I’ + ‘S’) mod 26)
• H(“Elvis”) = ((5+12+22+9+19) mod 26)
• H(“Elvis”) = (67 mod 26)
• H(“Elvis”) = 15
Collisions
• For the hash function:
• H = sum all the letters of an input word modulo 26.
• There are more inputs (words) than possible outputs (numbers 0-25).
• Some different inputs produce the same output.
• A collision occurs when two different inputs produce the same output:
• The values x and y are not the same, but H(x) and H(y) are the same.
Collision-Resistant Hash Functions
• Hash functions for which it is difficult to find collisions are called collision-resistant.
• A collision-resistant hash function, H(M)=h:
• For any message, M1, it is difficult to find another message, M2, such that:
• M1 and M2 are not the same.
• H(M1) and H(M2) are the same.
One-Way Hash Functions
• A function, H(M)=h, is one-way if:
• Forward direction: given M it is easy to compute h.
• Backward direction: given h it is difficult to compute M.
• A one-way hash function:
• Easy to compute the hash for a given message.
• Hard to determine what message produced a given hash value.
Message Digest Functions
Message digest functions are collision-resistant, one-way hash functions:
• Given a message it is easy to compute its digest.
• Hard to find any message that produces a given digest (one-way).
• Hard to find any two messages that have the same digest (collision-resistant).
Using Message Digest Functions
Message digest functions can be used to protect data integrity:
• A company makes some software available for download over the World Wide Web.
• Users want to be sure that they receive a copy that has not been tampered with.
• Solution:
• The company creates a message digest for its software.
• The digest is transmitted (securely) to users.
• Users compute their own digest for the software they receive.
• If the digests match, the software probably has not been altered.
The Secure Hash Algorithm (SHA)
• A Federal Information Processing Standard (FIPS 180-1) adopted by the U.S. government in 1995.
• Based on a message digest function called MD4 created by Ron Rivest.
• Developed by NIST and the NSA.
• Input: a message of b bits.
• Output: a 160-bit message digest.
What secure means is relative: a number of proof-of-concept results have shown collisions with variants of SHA.
SHA - Padding
• Input: a message of b bits.
• Padding makes the message length a multiple of 512 bits.
• The input is always padded (even if its length is already a multiple of 512).
• Padding is accomplished by appending to the input:
– A single bit, 1,
– Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long,
– A 64-bit integer representing the length of the original message in bits.
SHA – Padding Example
• Consider the following message:
• M = 01100010 11001010 1001 (20 bits)
• To pad we append:
• 1 (1 bit),
• 427 0s (because 448-21 = 427 bits),
• 64-bit binary representation of the number 20 (64 bits).
• Result:
• Pad(M) = 01100010 11001010 10011000 00000000 . . . 00000000 00010100 (512 bits).
• 464 0s have been omitted above (denoted by the ellipsis).
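An added example (not from the lecture) implementing the padding rule above on a bit string and checking it against the 20-bit worked example; it also covers the case the "always padded" bullet implies, a message that is already 448 bits long, which needs a second 512-bit block.

```python
"""SHA message padding exactly as the slides describe it.

Added example, not from the lecture.  Works on a string of '0'/'1' characters
so the result can be compared with the 20-bit worked example.  The edge case
is a message whose length is already 448 mod 512 (or a multiple of 512): the
mandatory '1' bit then pushes the padded message into a further block.
"""


def sha_pad(bits: str) -> str:
    """Append '1', then zeros until length = 448 mod 512, then the 64-bit big-endian length."""
    if len(bits) >= 2 ** 64:
        raise ValueError("message too long for a 64-bit length field")
    padded = bits + "1"
    padded += "0" * ((448 - len(padded)) % 512)   # may be zero '0' bits; the '1' is always added
    return padded + format(len(bits), "064b")      # length of the ORIGINAL message, in bits


def describe(bits: str) -> tuple:
    """(total padded length, number of '0' padding bits appended)."""
    return len(sha_pad(bits)), (448 - len(bits) - 1) % 512


# The slides' 20-bit message M.
M = "01100010110010101001"

if __name__ == "__main__":
    print(describe(M), sha_pad(M)[:24], sha_pad(M)[-8:])
```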
Message Digests are not enough…
• Example: We want to use a message digest function to protect files on our computer from intruders:
– Calculate digests for important files and store them in a table.
– Recompute and check from time to time to verify that the files have not been modified.
• Good: if someone modifies a file the change will be detected since the digest of that file will be different.
• Bad: the attacker could just compute new digests for modified files and install them in the table.
• What is needed is a function that depends not only on the message, but also on some kind of secret.
Attacks on Message Digests
• Brute-force: Let H be a message digest, a one-way function, and M be some piece of data. Can you find a piece of data M’ such that H(M) = H(M’)? Say that you generate sequences of M’ and compute H(M’) for each one until you find a match. How many M’ would you have to test?
• Birthday Attack: Say that H(.) produces n bits. If you choose M’ at random, you need to try at most 2^(n/2) messages to have greater than 50% chance of finding the M’ that you want. (See the Birthday Paradox in probability theory textbooks.)
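As an added experiment, not from the lecture, the code below truncates SHA-256 to n bits (a hypothetical digest H_n, so that the search finishes in milliseconds) and measures the two searches the slide contrasts: trials until a preimage of a given digest is hit, against trials until any two inputs collide, which lands near 1.25·2^(n/2). The messages are constructed from a counter.

```python
"""Brute-force preimage search vs. birthday collision search on a truncated hash.

Added example, not from the lecture.  H_n keeps the first n bits of SHA-256 so
the experiment runs quickly; a real n-bit digest behaves the same way at the
2^n / 2^(n/2) scale.  Messages are the 8-byte big-endian encoding of a counter.
"""
import hashlib
import math


def h_n(msg: bytes, n: int) -> int:
    """Truncated digest: the first n bits of SHA-256(msg), as an integer."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n)


def preimage_trials(target: int, n: int, limit: int) -> int:
    """Brute force: number of M' tried until H_n(M') == target, or -1 at the limit.
    Expected cost is about 2^n trials."""
    for i in range(limit):
        if h_n(i.to_bytes(8, "big"), n) == target:
            return i + 1
    return -1


def birthday_collision(n: int) -> tuple:
    """Hash distinct messages until any two share a digest.
    Returns (trials, m1, m2); expected trials is about 1.25 * 2^(n/2)."""
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(8, "big")
        d = h_n(m, n)
        if d in seen:
            return i + 1, seen[d], m
        seen[d] = m
        i += 1


def expected_birthday_trials(n: int) -> float:
    return 1.25 * math.sqrt(2 ** n)


def collision_found(n: int) -> bool:
    """True when birthday_collision() returns two different messages with equal H_n."""
    _, m1, m2 = birthday_collision(n)
    return m1 != m2 and h_n(m1, n) == h_n(m2, n)


if __name__ == "__main__":
    n = 24
    trials, m1, m2 = birthday_collision(n)
    print(f"n={n}: collision after {trials} trials (expected ~{expected_birthday_trials(n):.0f}),"
          f" versus ~{2 ** n} for a preimage")
```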
Message Authentication Codes
• A message authentication code (MAC) is a key-dependent message digest function:
MAC(Key,Message) = h
• The MAC can only be created or verified by someone who knows Key.
• One can turn a one-way hash function into a MAC by encrypting the hash value with a symmetric-key cipher.
Using a MAC
A MAC can be used to protect data integrity and authenticity:
• Want to use a MAC to protect files on our computer against tampering:
• Calculate MAC values for important files and store them in a table,
• Recompute MACs from time to time and compare to stored values to verify that the files haven’t been modified.
• Good: If someone modifies a file the hash of that file will be different.
• Good: As long as no one knows the proper key, new MACs can’t be stored in the table to cover the intruder’s tracks.
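The file-table scenario of the two preceding slides, as an added example that is not part of the lecture: the same check run once with plain digests and once with a keyed MAC (HMAC-SHA-256 from Python's hmac module; the lecture itself does not name a MAC construction). File names, contents and the key are constructed for the demonstration.

```python
"""File-integrity table: plain digests vs. keyed MACs, as on the slides.

Added example, not from the lecture.  The 'files' are an in-memory dict
constructed here; the intruder scenario is the one the slides describe
(modify a file, then overwrite its stored fingerprint).  The MAC is
HMAC-SHA-256; the slides only require that it depend on a secret key.
"""
import hashlib
import hmac


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_table(files: dict, key=None) -> dict:
    """Fingerprint every file; with a key the fingerprint is a MAC, otherwise a digest."""
    return {name: (mac(key, data) if key else digest(data)) for name, data in files.items()}


def verify(files: dict, table: dict, key=None) -> list:
    """Names whose stored fingerprint no longer matches the file's current contents."""
    bad = []
    for name, data in files.items():
        expected = mac(key, data) if key else digest(data)
        if not hmac.compare_digest(expected, table.get(name, "")):   # constant-time compare
            bad.append(name)
    return sorted(bad)


def intruder_scenario(keyed: bool) -> tuple:
    """Modify a file, then let the intruder overwrite its table entry with a
    fingerprint computed WITHOUT the key.  Returns the names flagged by verify()
    before and after that cover-up."""
    files = {"/bin/login": b"original login binary",          # constructed contents
             "/etc/hosts": b"127.0.0.1 localhost\n"}
    key = b"operator-secret-key" if keyed else None           # constructed key
    table = build_table(files, key)
    files["/bin/login"] = b"modified login binary"
    before = verify(files, table, key)
    table["/bin/login"] = digest(files["/bin/login"])          # the intruder has no key
    after = verify(files, table, key)
    return before, after


if __name__ == "__main__":
    print("digest table:", intruder_scenario(False))   # cover-up succeeds
    print("MAC table:   ", intruder_scenario(True))    # cover-up detected
```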
Implementing a MAC
Question: Does this structure look familiar?
Libraries for MDs and MACs
mhash: Supports SHA1, GOST, HAVAL256, HAVAL224, HAVAL192, HAVAL160, HAVAL128, MD5, MD4, RIPEMD160, TIGER, TIGER160, TIGER128, CRC32B and CRC32 checksums. Free (GNU LGPL).
http://mhash.sourceforge.net
OpenSSL: All that you could want and more. http://openssl.org
java.security: Offers a number of classes for applications needing crypto primitives. MessageDigest, for instance, is a class that produces digests according to MD5 or SHA.
http://java.sun.com/j2se/1.4.2/docs/api/
Summary
Message digests
• Message digest functions are collision-resistant, one-way hash functions:
• Collision-resistant: hard to find two values that produce the same output,
• One-way: hard to determine what input produced a given output.
• Protects the integrity of a digital document.
MACs
– A message authentication code is a key-dependent message digest function:
• The output is a function of both the hash function and a secret key.
• The MAC can only be created or verified by someone who knows the key.
– Protects the integrity and the authenticity of a digital document.
Public Key Algorithms

Secret Key Cryptography
[Diagram: Alice enciphers the plaintext with the key and sends the ciphertext over the open channel; Bob deciphers it with the same key.]
Alice and Bob share a secret: the key value. The communication on the open channel is secure as long as only trusted parties know the key.
Problem: Key distribution (the insecure channel won’t help there).

Public Key Cryptography
[Diagram: Alice transforms the plaintext with key<Alice,private>; Bob recovers it with key<Alice,pub>. The public keys key<Alice,pub> and key<Bob,pub> travel over the open channel; each party keeps its own private key (key<Bob,private> paired with key<Bob,public>).]
Question: How has this solved the key distribution problem?
Public Key Cryptography
Generate a private key for Bob (Bpriv). This is a secret and must be known only to Bob.
Generate a public key for Bob (Bpub). This is not a secret and must be disclosed to anyone who wants to send messages to Bob.
If Alice wants to communicate secretly with Bob, she needs to get hold of Bob’s public key. Then Alice encrypts her message with Bpub and sends it to Bob. Only Bob, who holds Bpriv, can decrypt Alice’s message.
If Bob wants to put his digital signature on the messages he sends out, he can encrypt them with his private key Bpriv. Whoever receives these messages and has Bpub is able to decrypt them. These parties can be sure that only someone with Bpriv, that is Bob, could have signed them. This can be used to guarantee non-repudiation.
Modular Addition
+ 0 1 2 3 4 5 6 7 8 9
0 0 1 2 3 4 5 6 7 8 9
1 1 2 3 4 5 6 7 8 9 0
2 2 3 4 5 6 7 8 9 0 1
3 3 4 5 6 7 8 9 0 1 2
4 4 5 6 7 8 9 0 1 2 3
5 5 6 7 8 9 0 1 2 3 4
6 6 7 8 9 0 1 2 3 4 5
7 7 8 9 0 1 2 3 4 5 6
8 8 9 0 1 2 3 4 5 6 7
9 9 0 1 2 3 4 5 6 7 8
If we encipher with addition mod 10, we decipher with subtraction mod 10 (subtract normally; if result is negative, add 10).
Modular Multiplication
× 0 1 2 3 4 5 6 7 8 9
0 0 0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7 8 9
2 0 2 4 6 8 0 2 4 6 8
3 0 3 6 9 2 5 8 1 4 7
4 0 4 8 2 6 0 4 8 2 6
5 0 5 0 5 0 5 0 5 0 5
6 0 6 2 8 4 0 6 2 8 4
7 0 7 4 1 8 5 2 9 6 3
8 0 8 6 4 2 0 8 6 4 2
9 0 9 8 7 6 5 4 3 2 1
We have a cipher if we multiply by 1, 3, 7, or 9. To decipher, we multiply by key^-1, the multiplicative inverse of the key, that is, the number by which you’d multiply (mod 10) key to get 1.
encipher=3, decipher=7
encipher=1, decipher=1
encipher=9, decipher=9
encipher=7, decipher=3
What we want is to find numbers that are relatively prime to 10 because they will have multiplicative inverses, and thus we’ll have a cipher with modular multiplication.
Modular Multiplication
So far we understand that if we can choose a key that has a multiplicative inverse, we have a cipher with modular multiplication.
How many numbers less than n are relatively prime to n?
Modular Exponentiation (x^y mod 10)
x \ y  0 1 2 3 4 5 6 7 8 9 10 11 12
0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 1 2 4 8 6 2 4 8 6 2 4 8 6
3 1 3 9 7 1 3 9 7 1 3 9 7 1
4 1 4 6 4 6 4 6 4 6 4 6 4 6
5 1 5 5 5 5 5 5 5 5 5 5 5 5
6 1 6 6 6 6 6 6 6 6 6 6 6 6
7 1 7 9 3 1 7 9 3 1 7 9 3 1
8 1 8 4 2 6 8 4 2 6 8 4 2 6
9 1 9 1 9 1 9 1 9 1 9 1 9 1
To have a cipher with modular exponentiation we need to be able to define encipher and decipher operations. How can we find the exponentiative inverse?
This works for primes and products of distinct primes.
RSA
Encryption Decryption Digital Signature
Why RSA Works
RSA uses arithmetic mod n, where n=pq.
We chose d and e so that de ≡ 1 (mod φ(n)).
We know that φ(n)=(p-1)(q-1), so for any x:
Why RSA is Secure
If you know n, you could say that by factoring it into n=pq, you could compute φ(n), then e and d.
When n is sufficiently large, factoring it is no walk in the park. RSA is secure as long as n is so large that in order to factor it, one would have to spend a very long time using the most advanced computing resources.
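An added example, not from the lecture, that carries the mod-10 multiplicative-inverse idea through to RSA: the units mod m and their inverses (the encipher/decipher pairs read off the multiplication table), Euler's φ, and a toy RSA key pair with d = e^-1 mod φ(n) used for encryption, decryption and signature. The primes 61 and 53 and the exponent 17 are chosen here for readability; the last function also checks the slide's remark that the exponentiative inverse works for products of distinct primes, using n = 10 = 2·5.

```python
"""Modular inverses, Euler's phi, and a small RSA key pair as on the slides.

Added example, not from the lecture.  The primes are tiny so that every number
can be checked by hand; real RSA moduli are thousands of bits.  Uses Python's
pow(x, -1, m) for modular inverses and pow(x, e, n) for modular exponentiation.
"""
from math import gcd


def units(m: int) -> list:
    """Keys that give a cipher under multiplication mod m: numbers relatively prime to m."""
    return [k for k in range(1, m) if gcd(k, m) == 1]


def phi(m: int) -> int:
    """Euler's totient: how many numbers below m are relatively prime to m."""
    return len(units(m))


def mul_inverse_table(m: int) -> dict:
    """encipher key -> decipher key for the multiplicative cipher mod m."""
    return {k: pow(k, -1, m) for k in units(m)}


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).  Returns ((e, n), (d, n))."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub: tuple) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple) -> int:
    d, n = priv
    return pow(c, d, n)


def rsa_sign(m: int, priv: tuple) -> int:
    """Signature = the private-key operation; anyone holding the public key can check it."""
    d, n = priv
    return pow(m, d, n)


def rsa_verify(m: int, sig: int, pub: tuple) -> bool:
    e, n = pub
    return pow(sig, e, n) == m


def exponent_inverse_works(p: int, q: int, e: int) -> bool:
    """x^(e*d) == x mod n for every x < n, i.e. d is the exponentiative inverse of e."""
    pub, priv = rsa_keygen(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(x, pub), priv) == x for x in range(pub[1]))


if __name__ == "__main__":
    print(mul_inverse_table(10), phi(10))
    pub, priv = rsa_keygen(61, 53, 17)
    print(pub, priv, rsa_decrypt(rsa_encrypt(65, pub), priv))
```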
Diffie-Hellman
Problem: Two parties, Alice and Bob, need to agree on a key value to use, but can communicate only via an insecure channel.
Solution: Two prime numbers p and g are chosen and publicly distributed. Each of the parties picks a large random number and keeps it secret; say we then have SA and SB.
Alice picks SA. Alice computes
Bob picks SB. Bob computes
Alice and Bob exchange TA and TB (in whatever order).
Alice computes . Bob computes .
Now, both Alice and Bob computed the same number:
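The Diffie-Hellman exchange with the slides' names (p, g, SA, SB, TA, TB), as an added example that is not from the lecture: each party publishes T = g^S mod p and computes the other party's T raised to its own secret, so both arrive at g^(SA·SB) mod p. The prime 2^127 − 1 and base 5 are choices made here; the small p=23, g=5 values in the test are the usual textbook check.

```python
"""Diffie-Hellman key agreement in the slides' notation.

Added example, not from the lecture.  p and g are public; S_A and S_B are the
parties' secrets; T_A = g^S_A mod p and T_B = g^S_B mod p are exchanged in the
clear; the shared key is T_B^S_A = T_A^S_B = g^(S_A*S_B) mod p.  Nothing in this
exchange says who sent T_A or T_B, which is what the next slide's question is about.
"""
import secrets

P = 2 ** 127 - 1     # a Mersenne prime, chosen here for readability; public
G = 5                # public base


def pick_secret(p: int = P) -> int:
    """A random secret S in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def public_value(secret: int, p: int = P, g: int = G) -> int:
    """T = g^S mod p, the value a party sends over the insecure channel."""
    return pow(g, secret, p)


def shared_key(their_public: int, my_secret: int, p: int = P) -> int:
    """Alice computes T_B^S_A mod p; Bob computes T_A^S_B mod p."""
    return pow(their_public, my_secret, p)


def exchange(s_a: int, s_b: int, p: int = P, g: int = G) -> tuple:
    """Run the whole protocol and return (Alice's key, Bob's key)."""
    t_a = public_value(s_a, p, g)          # Alice -> Bob
    t_b = public_value(s_b, p, g)          # Bob -> Alice
    return shared_key(t_b, s_a, p), shared_key(t_a, s_b, p)


def run() -> bool:
    """Fresh secrets each time; both sides must end with the same number."""
    k_alice, k_bob = exchange(pick_secret(), pick_secret())
    return k_alice == k_bob


if __name__ == "__main__":
    print(exchange(6, 15, 23, 5), run())
```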
“Man”-in-the-middle Attack
Eve
Questions: What allowed this kind of attack to happen? How can one prevent against it?
Public Key Infrastructure
Goal: To distribute public keys. Who can say that the public keys you find in some database really belong to the people they are said to belong to? What is needed is for someone trustworthy to distribute keys and to vouch for the authenticity of these keys (a Certification Authority, CA).
A Public Key Infrastructure (PKI) consists of:
– certificates,
– a certificate repository,
– a method for revoking certificates, and
– a method for evaluating a chain of certificates from known and trusted public keys (trust anchors).
Certificate
Definition: a certificate is a signed message vouching that a certain public key really belongs to a particular name.
Say you trust a specific CA called TrustMeDude. A certificate issued by TrustMeDude can tell you what Bob’s public key is:
As long as you know the public key from TrustMeDude, you can verify the signature on the certificate and be sure that it was issued by that CA.
Trust Chains
Such trust chains allow for relationships to be verified and extended, but there are problems in this model...
Trust Models
Monopoly model: there is a single CA for the whole world which can be trusted by all.
Monopoly plus Registration Authorities: the single CA chooses RAs to securely check, obtain, and vouch for public keys.
Delegated CAs: the trust anchor CA can issue certificates to other CAs, vouching for their keys and trustworthiness.
Oligarchy model: there are many trust anchors, a certificate from any of them is acceptable (web browsers).
Anarchy model: each user is responsible for defining the trust anchors; anyone is allowed to vouch for anyone else (PGP).
References
• Fundamentals of Secure Computer Systems, Brett Tjaden. Franklin, Beedle & Associates, 2003.
• Security Engineering, Ross Anderson. Wiley, 2001.
• Applied Cryptography, Bruce Schneier. Wiley, 1996.
• Practical Cryptography, Bruce Schneier and Niels Ferguson. Wiley, 2002.
• The Code Book, Simon Singh.