ITA, 14.11.2011 9-CryptoStrength.pptx 1
Internet Security 1 (IntSi1)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
9 Cryptographical Strength
Chat: Cryptographical Strength Needed Today?
Table to fill in, with the columns Recommended Algorithms, Key Size (bits) and True Strength (bits):
• Symmetric Encryption
• Data Integrity (Hash Function)
• Key Exchange between Peers
• Digital Signature
• Public Key Encryption
• User Password (chars, bits)
Cryptographical Strength Needed Today?
Function | Recommended Algorithms | Key Size | True Strength
Symmetric Encryption | AES (CBC or Counter-Mode) | 128 bits | 128 bits
Data Integrity / Hash Function | SHA-256 | 256 bits | 128 bits
Key Exchange between Peers | Diffie Hellman with Prime Modulus (MODP) | 3072 bits | 128 bits
Digital Signature | RSA / DSA | 3072 bits | 128 bits
Public Key Encryption | RSA / El Gamal | 3072 bits | 128 bits
User Password | Abbreviated Passphrase | 13* chars | ≈78 bits
*22 base64 characters would be required for 128 bit strength but impossible to memorize!
Equivalent Cryptographic Strength
128 bit strength: number of private key signatures per second*
• RSA 3072: 32
• ECDSA 256: 546
192 bit strength: number of private key signatures per second*
• RSA 8192: 1
• ECDSA 384: 233
*measured on an Intel Core2Duo T9400 platform (one core, 32 bit Linux OS)
9.1 NSA Suite B Cryptography
NSA Suite B Cryptography 2005
• The secure sharing of information motivates the need for widespread cryptographic interoperability that meets appropriate security standards to protect classified information at the SECRET level.
• NSA has initiated three efforts to address these needs:
  • The Cryptographic Interoperability Strategy.
  • Expanding the use of GOTS products that meet a revised set of security standards to protect information up to the SECRET level.
  • Layered use of COTS products that meet a more robust set of security standards to protect information up to the SECRET level.
• Several IETF protocol standards have been identified as having potential widespread use. IETF RFCs have been established to allow the use of Suite B Cryptography with these protocols.
NSA Suite B with 128 Bit Security
Function | Recommended Algorithms | Key Size | True Strength
Symmetric Encryption | AES | 128 bits | 128 bits
Hash Function | SHA-256 | 256 bits | 128 bits
Authenticated Encryption | AES-GCM (Galois-Counter-Mode) | 128 bits | 128 bits
Key Exchange between Peers | Elliptic Curve Diffie Hellman (ECP) | 256 bits | 128 bits
Digital Signature | Elliptic Curve DSA | 256 bits | 128 bits
NSA Suite B with 192 Bit Security (SECRET)
Function | Recommended Algorithms | Key Size | True Strength
Symmetric Encryption | AES | 256* bits | 256 bits
Data Integrity / Hash Function | SHA-384 | 384 bits | 192 bits
Authenticated Encryption | AES-GCM (Galois-Counter-Mode) | 256* bits | 256 bits
Key Exchange between Peers | Elliptic Curve Diffie Hellman (ECP) | 384 bits | 192 bits
Digital Signature | ECDSA | 384 bits | 192 bits
* AES with 192 bit key is optional. Therefore AES with a 256 bit key is mandated.
Microsoft Windows with Suite B Support
• Windows Vista SP1
• Windows 7
• Windows Server 2008
• Windows Server 2008 R2
strongSwan VPN Solution with Suite B Support
# ipsec.conf for gateway moon
conn rw
    keyexchange=ikev2
    ike=aes256-sha384-ecp384,aes128-sha256-ecp256!
    esp=aes256gcm16,aes128gcm16!
    leftsubnet=10.1.0.0/24
    leftcert=moonCert.der
    [email protected]
    right=%any
    rightsourceip=10.3.0.0/24
    auto=add
# ipsec.secrets for gateway moon
: ECDSA moonKey.der
Resulting connection status:
rw[1]: ESTABLISHED 9 seconds ago, 192.168.0.1[moon.strongswan.org]... 192.168.0.100[[email protected]]
rw[1]: IKE SPIs: 7c1dcd22a8266a3b_i 12bc51bc21994cdc_r*,
rw[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
rw{1}: INSTALLED, TUNNEL, ESP SPIs: c05d34cd_i c9f09b38_o
rw{1}: AES_GCM_16_128, 84 bytes_i (6s ago), 84 bytes_o (6s ago),
rw{1}: 10.1.0.0/24 === 10.3.0.1/32
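The following check is an added example, not part of the original slides or of strongSwan: it audits the ike= and esp= lines of an ipsec.conf against the true-strength values from the Suite B tables above, where the weakest component of a proposal decides its strength. The function names, the SAMPLE and WEAK inputs and the rule that keywords missing from the tables count as 0 bits are assumptions of this sketch.

```python
# True strength in bits per ipsec.conf keyword, taken from the tables above.
STRENGTH = {
    "aes128": 128, "aes256": 256, "aes128gcm16": 128, "aes256gcm16": 256,
    "sha256": 128, "sha384": 192,
    "ecp256": 128, "ecp384": 192, "modp3072": 128,
}

# Constructed sample inputs: the slide's proposals and a weak counter-example.
SAMPLE = """conn rw
    keyexchange=ikev2
    ike=aes256-sha384-ecp384,aes128-sha256-ecp256!
    esp=aes256gcm16,aes128gcm16!
"""
WEAK = "ike=aes128-sha1-modp1024\n"

def parse_proposals(value):
    """Split an ike=/esp= value into (strict, list of keyword lists)."""
    value = value.strip()
    strict = value.endswith("!")          # '!' restricts to the listed proposals
    items = [p.strip() for p in value.rstrip("!").split(",")]
    return strict, [p.lower().split("-") for p in items if p]

def proposal_strength(keywords):
    """Weakest component decides; keywords not in the tables count as 0 bits."""
    return min(STRENGTH.get(k, 0) for k in keywords)

def audit(conf_text, required_bits=128):
    """Return (key, proposal, reason) findings for ike=/esp= lines."""
    findings = []
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("ike", "esp"):
            continue
        strict, proposals = parse_proposals(value)
        if not strict:
            findings.append((key, value.strip(),
                             "no trailing '!': default proposals stay enabled"))
        for keywords in proposals:
            bits = proposal_strength(keywords)
            if bits < required_bits:
                findings.append((key, "-".join(keywords),
                                 f"{bits} < {required_bits} bits"))
    return findings
```

Calling audit(SAMPLE, 192) lists the two 128 bit proposals that would have to go for the 192 bit (SECRET) level.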
9.2 What the Heck are Elliptic Curves!
What are Elliptic Curves?
General form: $y^2 = x^3 + ax + b$
Condition for distinct single roots: $4a^3 + 27b^2 \neq 0$
Example: $y^2 = x^3 - 4x = x(x - 2)(x + 2)$
[Figure: plot of the example curve]
What is an Algebraic Group <G,> ?
A group is an algebraic system consisting of a set G and an operation such that for all elements a, b and c in G the following conditions must be fulfilled:
• Closure: a b must remain in G
• Associativity: a (b c) = (a b) c
• Neutral Element: a e = e a = a
• Inverse Element: a a' = a' a = e
• Commutativity: a b = b a (Abelian Group)
Examples:
• Addition: <R, +> e = 0 , a' = -a
• Multiplication: <R-{0}, · > e = 1 , a' = $a^{-1}$
Points P(x,y) on an Elliptic Curve form a Group
Group set: All points P(x,y) lying on an elliptic curve
Group operation: Point addition
R = P + Q
[Figure: elliptic curve with the points P, Q, R' and R]
Neutral and Inverse Elements
Inverse element: P'(x,-y) = P(x,y) is mirrored on x-axis
Point addition with inverse element: P + P' = O results in a neutral element O(x,∞) at infinity
Neutral element: P + O = P
[Figure: elliptic curve with the points P, P' and O]
Point Doubling – Adding a point to itself
Point Doubling: Form the tangent in Point P(x,y)
R = P + P = 2P
[Figure: elliptic curve with the points P, R' and R]
Point Iteration – Adding a point k-1 times to itself
Point Iteration: kP = P + P + ... + P
[Figure: elliptic curve with the points P, 2P and 3P]
How can Geometry be useful for Cryptography?
Elliptic curves can be defined in a finite or Galois field GFp:
$y^2 = x^3 + ax + b \bmod p$
where the field size p is a prime number and {0,1, ..., p-1} is an abelian group under addition mod p and {1, ..., p-1} is an abelian group under multiplication mod p.
Cryptographic Application – Secret Key Exchange
• Elliptic Curve Cryptosystem: ECC, basis point P and prime p
  $Q_A = aP$
  $Q_B = bP$
  Common secret: $S = bQ_A = aQ_B = abP$
• Diffie-Hellman: Basis g and prime p
  $A = g^a \bmod p$
  $B = g^b \bmod p$
  Common secret: $s = A^b = B^a = g^{ab} \bmod p$
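The point addition, point doubling, point iteration and key exchange described on the preceding slides, carried out over a small finite field. This is an added example and not part of the original lecture; the toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1), the private keys 3 and 9, the function names and the validation of the peer's point are all choices made for this illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over GF(17): constructed parameters, far too
# small for real use. G generates a group of 19 points.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
O = None  # neutral element (point at infinity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Group operation: chord through P and Q, tangent when P == Q."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + P' = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """Point iteration kP, computed by double-and-add."""
    result = O
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def shared_secret(private, peer_public):
    """S = a*Q_B; reject peer points that are O or not on the curve."""
    if peer_public is O or not on_curve(peer_public):
        raise ValueError("invalid peer public key")
    return mul(private, peer_public)

a, b = 3, 9                      # private keys of the two peers
Q_A, Q_B = mul(a, G), mul(b, G)  # exchanged public keys
assert shared_secret(a, Q_B) == shared_secret(b, Q_A) == mul(a * b, G)
```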
9.3 Authenticated Encryption with Associated Data (AEAD)
Authenticated Encryption with Associated Data
• AEAD is based on special block cipher modes:
  • Block size: 128 bits
  • Key size: 128/256 bits
  • Tag size: 128/96/64 bits
  • Nonce size: 128 bits, made up of Salt (32 bits), IV (64 bits) and Counter (32 bits)
• Recommended AEAD Modes:
  • AES-Galois/Counter Mode
  • AES-GMAC (auth. only)
• Alternative AEAD Modes:
  • AES-CCM
  • CAMELLIA-GCM
  • CAMELLIA-CCM
[Figure: counter blocks Salt | IV | 0, Salt | IV | 1 and Salt | IV | 2 with Key K; Hash Subkey Derivation: Hash Subkey H from the block 0...0 and Key K]
9.4 Practical Passwords
Random Passwords with 128 Bits of Entropy
• Digits (0..9): 39 digits, 3.3 bits/digit
  • 39475 10485 98021 43380 05872 49759 70291 2634
• Hexadecimal (0..F): 32 nibbles, 4 bits/nibble
  • 3F8A 84D1 EA7B 5092 C64F 8EA6 73BD F01B
• Alphabet (A..Z): 28 characters, 4.7 bits/character
  • AWORH GHJBP IUCMX MLZFQ TZDOP ZJV
• Alphabet & Digits (A..Z, 0..9): 25 symbols, 5.2 bits/symbol
  • E5RGL UPQ7A 8F3ZP NWTIC 22JBM
• Base64 (A..Z, a..z, 0..9, /, +): 22 symbols, 6 bits/symbol
  • y5GNa Riq92 VCm4Q 1BOKl x0
• Cryptographically strong passwords are nearly impossible to remember and very error-prone to type in blinded mode!
ITA, 14.11.2011 9-CryptoStrength.pptx 24
Example of a good 8 character pseudo-random password:
Aufbruch zu neuen Horizonten um 4 Uhr morgens: AznHu4Um
change every month!
Practical Passwords
30 CPUs30 CPUs
LengthLengthA…ZA…Z
26 symbols26 symbolsA…Z, 0…9A…Z, 0…9 A…Z, a…z, 0…9A…Z, a…z, 0…9
36 symbols36 symbols 62 symbols62 symbols
66 2 sec2 sec 11 sec11 sec 5 min5 min
88 18 min18 min 4 hours4 hours 13 days13 days
1010 8 days8 days 1 year1 year 136 years136 years
1 CPU1 CPU
LengthLengthA…ZA…Z
26 symbols26 symbolsA…Z, 0…9A…Z, 0…9 A…Z, a…z, 0…9A…Z, a…z, 0…9
36 symbols36 symbols 62 symbols62 symbols
66 48 sec48 sec 6 min6 min 2 hours2 hours
88 9 hours9 hours 5 days5 days 1 year1 year
1010 251 days251 days 18 years18 years 4‘094 years4‘094 years
Assumption: 2.2 GHz Intel Core Duo CPU ca. 6’500'000 MD5 password hashes/sec
Compromise
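The arithmetic behind the two password slides, as an added example that is not part of the original lecture: symbols needed for a given entropy, the time to search a whole password space at the slide's assumed MD5 rate, and the shortest length that withstands a chosen search time. The function names are illustrative, and the rate parameter can be replaced with a measured figure for other hardware.

```python
import math
import secrets

MD5_RATE = 6_500_000  # MD5 hashes/sec on one CPU (the slide's assumption)

def symbols_needed(alphabet_size, bits=128):
    """Symbols required so that a uniformly random password reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))

def random_password(alphabet, bits=128):
    """Draw each symbol uniformly with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet)
                   for _ in range(symbols_needed(len(alphabet), bits)))

def search_seconds(alphabet_size, length, cpus=1, rate=MD5_RATE):
    """Time to try every password of exactly `length` symbols."""
    return alphabet_size ** length / (rate * cpus)

def min_length(alphabet_size, target_seconds, cpus=1, rate=MD5_RATE):
    """Shortest length whose full search takes at least `target_seconds`."""
    length = 1
    while search_seconds(alphabet_size, length, cpus, rate) < target_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits, as in the tables."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{round(seconds / size)} {unit}"
    return f"{round(seconds)} sec"
```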