CSE484/CSEM584ComputerSecurity:MoreCryptography
TA:JaredMoorejlcmoore@cs
Logistics
• Lab1FinaldueTOMORROW (11:59pm).• ForquickestresponsefromTAs,emailallofus:
[email protected]• Checkforumforsometips.• Homework#2 outnow(crypto),dueonFriday,5/55pm.
LastWeekQuestions
• WhatisthedifferencebetweenAESandencryptionmodes(CBC,CTR,etc.)?– AESandDESdefinetheblockcipherandcanbeusedwithvariousmodes
• Wherearepasswordsaltsstored?Doweassumeanattackhasaccesstothem?– Inthesamefileasthepasswordhashes.Yes.
SomeNumberTheoryFacts
• Euler totient function ϕ(n) (n≥1) is the number of integers in the [1,n] interval that are relatively prime to n– Two numbers are relatively prime if their greatest
common divisor (gcd) is 1– Easy to compute for primes: ϕ(p)=p-1– Note that ϕ(ab)=conϕ(a)ϕ(b)
• Euler’s theorem: if a ∈ Zn*, then aϕ(n)≡ 1 (mod n)Zn*: integers relatively prime to n
4/27/17 CSE484/CSEM584- Spring2016 4
DHSummary
• Publicinfo:p (largeprime)andg (generatorofZp*)
Zp*={1,2…p-1};∀a∈Zp*∃i suchthata≡ gi (modp)
RSASummary
• Keygeneration– Generatelargeprimesp,q
• Say,1024bitseach(needprimality testing,too)– Computen=pq andϕ(n)=(p-1)(q-1)– Choosesmalle,relativelyprimetoϕ(n)(inZn*)– Computeuniquedsuchthated ≡ 1(modϕ(n))– Publickey=(e,n);privatekey=(d,n)
• Encryption ofm:c=memodn– Modularexponentiationbyrepeatedsquaring
• Decryption ofc:cd modn=(me)d modn=m
WhyRSADecryptionWorks
e⋅d≡ 1(modϕ(n)),thus e⋅d=1+k⋅ϕ(n) forsomek
LetmbeanyintegerinZn*(notallofZn)cd modn =(me)d modn =m1+k⋅ϕ(n)modn
=(mmodn)*(mk⋅ϕ(n) modn)
Recall:Euler’stheorem:ifa∈ Zn*,thenaϕ(n)=1modn
cd modn =(mmodn)*(1modn)=mmodn
Proofomitted:TrueforallminZn,notjustminZn*
4/27/17 CSE484/CSEM584- Spring2016 7
Readthepaper!
• https://people.csail.mit.edu/rivest/Rsapaper.pdf
SampleRSADecryption
• 2621513 714131312814 15131420963125261416 2315262 6131
• p=3,q=11,n=33,e=7,d=3
• A-1B-2C-3D-4E-5F-6G-7H-8I-9J-10K-11L-12M-13N-14O-15P-16Q-17R-18S-19T-20U-21V-22W-23X-24Y-25Z-26
SampleRSADecryption
• Howtocomputed?– Recall:ed ≡ 1(modϕ(n))(whereϕ(n)=(p-1)(q-1))– Sodisinverseofemodϕ(n).– Howtocomputemodularinverse?• UseextendedEuclideanalgorithm• …orWolframAlphaJ• Notethatthisishardifyoudon’tknowϕ(n) (i.e.,can’tfactorn).
PublicKeyCryptoSummary
• Diffie-Hellman:Whyisitsecure?– Discretelog;computationalDHproblem;decisionalDHproblemarehard.
• RSA:Whyisitsecure?– Takingeth rootishard;Factoringishard.
CryptographySummary• Goal:Privacy– One-timepad– Blockciphersw/symmetrickeys(e.g.,DES,AES)
• Modes:EBC,CBC,CTR– Publickeycrypto(e.g.,Diffie-Hellman,RSA)
• Goal:Integrity– MACs,oftenusinghashfunctions(e.g,MD5,SHA-256)
• Goal:PrivacyandIntegrity– Encrypt-then-MAC(why?)
• Goal:Authenticity(andIntegrity)– Digitalsignatures(e.g.,RSA,DSS)
CertificateAuthorities
• CAssigncertificates;rootCAscanauthorizeintermediateCAs(certificatechains).
• Problemswiththismodel?• Ideasforalternatesolutions?– Examples:Perspectives(http://perspectives-project.org/),Convergence(http://convergence.io/)• Bothrelyonnotaryservers(chosenbytheuser):browsercheckscertificatesitseesagainstthoseseenovertimebytrustednotaries. Howdoesthishelp?
SSLStripAttack
[FiguresthankstoElie Bursztein.Seealsohttp://www.thoughtcrime.org/software/sslstrip/.]
SSLStripAttack
http://elie.im/index.php
<html> <body> <form action="https://elie.im/login.php"> <input type="text" name="login"/> <input type="password" name="pass"/> </form> </body></html>
https://elie.im/login.php
login: Eliepassword: secretpass
Server
Client
http://elie.im/index.php
<html> <body> <form action="http://elie.im/login.php"> <input type="text" name="login"/> <input type="password" name="pass"/> </form> </body></html>
http://elie.im/login.php
login: Eliepassword: secretpass
Man-in-the-middleAttacker
SSL Strip Flow
[FiguresthankstoElie Bursztein.Seealsohttp://www.thoughtcrime.org/software/sslstrip/.]
SSLUserInterfaceAttacks
[FiguresthankstoElie Bursztein]
SSLUserInterfaceAttacks
[FiguresthankstoElie Bursztein]
1. Valid HTTPS page
2. HTTP page
3. HTTP page+ Lock spoofing
SSLUserInterfaceAttacks
[FiguresthankstoElie Bursztein]