Second session in the Applied Cryptography course held at the AMC Theater in Tyson's Corner (http://www.mightbeevil.com/crypto). Topics: generating keys for symmetric ciphers (randomness); cipher modes; using symmetric ciphers for authentication; password management.
Stephen Kleene
MicroStrategy Course, 11 October 2013
Engineering Cryptographic Applications
Day 2: Using (and Misusing) Symmetric Ciphers
David Evans, University of Virginia, www.cs.virginia.edu/evans
Engineering Crypto Applications 3
Recap: Symmetric Encryption
[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c = E(m), it is “hard” to learn anything interesting about m.
“hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to Trillions of massive nuclear explosions
Today: Using Symmetric Encryption
[Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]
1. How to generate a good (unpredictable) key: randomness
2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server
Generating Randomness
01011000011110110000111011101000000001110110000000111011011001011111001101111001000001110000001110111000000011101010010001010000010100001001110111011111111001100010110101000000100110011100011000001101010000111001011001101110101111110110000010010111011010000000110110110011101100100101101001110111110100010001100011011000110001001101001010001110101000010010101001010100110001011000010000000001100010110111111010010100101000110011010110011101011001111001000000101111
01011010011010110000111011101010001001110110001000111011011001011011001101101001001001110010001110111001000011101010010001010100010100001001110111011010111001100010110101010000100110011100011001001101010000111001011001101110101110110110100010010111011010010000110110110011101100100101101001110110110100010001100011011000110001001101001010001110101000010010101001010100110001011000010010001001100010110110111010010100101000110011010110011101011001101001000100101111
Which is random?
First sequence: C1 from the Puzzle Challenge (message generated using Crypto.Random)
Second sequence: C1 with every run of 5 or more repeated symbols modified
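An added example (not part of the slides) that turns the "which is random?" question into a measurement: it embeds copies of the two 464-bit sequences above, reports the longest run of identical symbols in each, and computes how likely it is that 464 fair coin flips contain no run longer than 4, which is exactly what modifying every run of 5 or more produces. The function names are this example's own.

```go
package main

import "fmt"

// Constructed test data: copies of the two 464-bit sequences on the slide above (seqA is C1
// from the Puzzle Challenge, seqB is C1 with every run of 5 or more repeated symbols modified).
const seqA = "01011000011110110000111011101000000001110110000000111011011001011111001101111001000001110000001110111000000011101010010001010000010100001001110111011111111001100010110101000000100110011100011000001101010000111001011001101110101111110110000010010111011010000000110110110011101100100101101001110111110100010001100011011000110001001101001010001110101000010010101001010100110001011000010000000001100010110111111010010100101000110011010110011101011001111001000000101111"
const seqB = "01011010011010110000111011101010001001110110001000111011011001011011001101101001001001110010001110111001000011101010010001010100010100001001110111011010111001100010110101010000100110011100011001001101010000111001011001101110101110110110100010010111011010010000110110110011101100100101101001110110110100010001100011011000110001001101001010001110101000010010101001010100110001011000010010001001100010110110111010010100101000110011010110011101011001101001000100101111"

// longestRun returns the length of the longest run of identical symbols in s.
func longestRun(s string) int {
	best, cur := 0, 0
	for i := 0; i < len(s); i++ {
		if i > 0 && s[i] == s[i-1] {
			cur++
		} else {
			cur = 1
		}
		if cur > best {
			best = cur
		}
	}
	return best
}

// probLongestRunAtMost returns the probability that n independent fair bits contain no run
// longer than k: a dynamic program over the current run length, dropping mass that exceeds k.
func probLongestRunAtMost(n, k int) float64 {
	if n <= k {
		return 1.0 // too few bits to exceed k
	}
	state := make([]float64, k+1) // state[r] = P(no run > k so far, current run has length r)
	state[1] = 1.0                // the first bit starts a run of length 1
	for i := 1; i < n; i++ {
		next := make([]float64, k+1)
		for r := 1; r <= k; r++ {
			next[1] += state[r] / 2 // next bit differs: a fresh run of length 1
			if r < k {
				next[r+1] += state[r] / 2 // next bit repeats: the run grows (dies if it would pass k)
			}
		}
		state = next
	}
	total := 0.0
	for _, p := range state {
		total += p
	}
	return total
}

func main() {
	fmt.Printf("longest run: seqA=%d seqB=%d\n", longestRun(seqA), longestRun(seqB))
	fmt.Printf("P(no run > 4 in %d fair bits) = %.2e\n", len(seqB), probLongestRunAtMost(len(seqB), 4))
}
```

The probability comes out far below one in a million, so of the two sequences it is the one with no long runs that should look suspicious.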
Which is random?
(Source of images: http://boallen.com/random-numbers.html)
Two images of random bits: one produced by PHP rand() (on Windows), the other by random.org (atmospheric noise).
Which should you use to generate cryptographic keys?
Defining Non-Randomness
If you can find any predictable patterns in the sequence, it is definitely not random.
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”
Supreme Court Justice Potter Stewart (on pornography)
Defining Randomness
Андрей Колмогоров (Andrey Kolmogorov, 1903-1987)
For a sequence s, its Kolmogorov Complexity K(s) = the length of the shortest description of s.
A sequence s is random if K(s) = |s| + C.
(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)
“He was to probability theory what Euclid was to geometry.” (Peter Lax)
Kolmogorov Complexities
s = 000000000000000…
  description = “N repeated 0s”
  K(s) = log |s| + C1 < |s| + C
t = 010011000111000011110000011111…
  description = “t = ""; int i, j; for (i = 1; i < N; i++) { for (j = 0; j < i; j++) t += '0'; for (j = 0; j < i; j++) t += '1'; }”
  K(t) = log |t| + C2 < |t| + C
Kolmogorov Complexities
r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101…
  description = “from Crypto.Random import random
  def random_sequence(n): return map(lambda x: random.choice([0, 1]), range(n))”
  plus the state of the random module (and any entropy added during generation)
Hmmm…maybe answer from earlier slide was wrong!
If your mind isn’t blown yet…
What is the smallest natural number that cannot be described in eleven words?
The smallest natural number that cannot be described in eleven words.
(1 2 3 4 5 6 7 8 9 10 11: the description is itself eleven words)
Randomness is Essential
• Kolmogorov provides a definition of randomness, but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible)
• Impossible for a program to generate true randomness: the program is itself a description of its output, so any sequence longer than the program that produced it is not random
• There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses
Amplifying Physical Randomness
Pseudo-Random Number Generator
[Diagram: k = f(physical randomness); output blocks AES_k(0), AES_k(1), AES_k(2), AES_k(3), …]
Every once in a while, compute a new k using new physical randomness.
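As an added illustration of the diagram above (not code from the slides, and not a NIST DRBG), a counter-mode generator in Go: the entropy callback stands in for the physical source (crypto/rand in main), each output block is AES_k(counter), and k is replaced from fresh entropy every reseedEvery blocks. Type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

type CounterPRNG struct {
	entropy              func([]byte) error // the "physical randomness" source, e.g. crypto/rand.Read
	block                cipher.Block       // AES keyed with the current k
	counter, reseedEvery uint64             // blocks output under this k; reseedEvery 0 = never reseed
}

func NewCounterPRNG(entropy func([]byte) error, reseedEvery uint64) (*CounterPRNG, error) {
	p := &CounterPRNG{entropy: entropy, reseedEvery: reseedEvery}
	if err := p.reseed(); err != nil {
		return nil, err
	}
	return p, nil
}

func (p *CounterPRNG) reseed() (err error) {
	var k [32]byte // fresh physical randomness becomes the new AES-256 key k
	if err = p.entropy(k[:]); err != nil {
		return err
	}
	p.block, err = aes.NewCipher(k[:])
	p.counter = 0 // the counter restarts with every new k
	return err
}

func (p *CounterPRNG) NextBlock() ([]byte, error) {
	if p.reseedEvery > 0 && p.counter >= p.reseedEvery {
		if err := p.reseed(); err != nil {
			return nil, err
		}
	}
	in, out := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(in[8:], p.counter) // output block i = AES_k(i)
	p.block.Encrypt(out, in)
	p.counter++
	return out, nil
}

func main() {
	p, err := NewCounterPRNG(func(b []byte) error { _, err := rand.Read(b); return err }, 1<<16)
	if err != nil {
		panic(err)
	}
	out, _ := p.NextBlock()
	fmt.Printf("%x\n", out)
}
```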
NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
Dual-EC PRNG
s_0 = physical randomness
Update internal state: s_{i+1} = φ(s_i × P)
P and Q are points on an elliptic curve
Generate output bits: r_i = φ(s_i × Q); 16 least significant bits of r_i’s x-coordinate
Elliptic Curves
y² = x³ − 7 (mod p)
Addition: P + Q = the negation of the third point where the line through P and Q intersects the curve
Multiplication: repeated addition, kP = P + P + … + P
Discrete values: x and y are integers!
[Figure: points P, Q and P + Q on the curve]
Elliptic curves are primarily used in asymmetric crypto, but also in Dual EC PRNG
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
Curve Used by Dual-EC PRNG
NIST P-256: y² = x³ + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
Why would anyone use Elliptic Curves as the basis for a PRNG?
• Easier to plant a back-door in it than in designs based on symmetric ciphers
• Can be used to provide provable security properties based on number theory (but this was not done for Dual EC PRNG)
Dual-EC PRNG Proposed as NIST Standard (2005)
s_0 = randomness
Update internal state: s_{i+1} = φ(s_i × P)
P and Q are (random?) points on P-256.
Generate output bits: r_i = φ(s_i × Q); 16 least significant bits of r_i’s x-coordinate
OpenSSL-FIPS Implementation (using NIST P and Q values)
Image credit: Matthew Green
“Rump session” talk at CRYPTO 2007:
You can choose Q such that Q = dP; then it is easy to find e such that P = eQ, and then it is easy to learn the state of the PRNG from just one output!
Shumow and Ferguson’s conclusion:
2013 Intelligence Budget Request ($250M)
Snowden leak (5 September 2013)
Randomness Summary
• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical randomness
• If your pseudorandom numbers are predictable, all is (almost always) lost
Scenario
• Documents about plan to overthrow government stored on (easily-stolen) device
• Password/biometric-protected (assume that works, for now)
Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage
Electronic Codebook Mode
[Diagram: declaration.txt is divided into 128-bit blocks (block 1, block 2, block 3, block 4, …, block n-1, block n); each block is encrypted with AES under the same key k to give the corresponding ciphertext block]
If two blocks have the same plaintext, with ECB they have the same ciphertext!
Block Size
128 bits = 16 bytes: "Benjamin Frankli" (16 characters)
[Images: declaration.txt, pennsylvannians.txt, Almanack]
Time-Space Tradeoffs
No-memory brute force attack: [Diagram: known crib → AES → known ciphertext] Try all keys until you find one that fits.
Memory: 0. Time: 2^127 encryptions (1T nuclear mega-bombs)
Time-Space Tradeoffs
No-time (not) brute force attack: pre-compute a table of AES_key(crib) for every key, sorted by ciphertext:
key        AES_key(crib)
000…000    4d7b9328a582c
000…001    7ebc5137da5ff2
…          …
Break an intercepted ciphertext message: one table lookup!
Time: 1. Memory: 2^132 bytes (~$2 decillion, 10^33)
Combination: Rainbow Tables
[Diagram: precompute ch
ains starting from the known crib, known crib → AES → ciphertext 1 → AES → … → ciphertext 2^64, and store only the chain endpoints]
Won’t quite work like this for AES, but with some more tricks.
Time: 2^64. Memory: 2^68 bytes (~$137 trillion)
NSA Meltdown?
“Experts estimate the new center in Utah can store data by the exabyte or zettabyte.” (Actual amount is highly classified.)
Cipher Block Chaining Mode (CBC)
[Diagram: block 1 is XORed with the Initialization Vector and encrypted with AES under k; each subsequent plaintext block is XORed with the previous ciphertext block before being encrypted with AES under k]
+ Avoids leaking repeated plaintexts
− Cannot encrypt in parallel
Counter Mode (CTR)
[Diagram: for each block, AES under k encrypts Nonce ‖ Counter (00000000 for block 1, 00000001 for block 2, …) and the result is XORed with the plaintext block; increase the counter for each block]
+ Avoids leaking repeated plaintexts
+ Can encrypt and decrypt in parallel
⁇ Systematic input
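An added Go example (not from the slides) showing the property the three mode slides compare: one four-block plaintext containing three identical blocks is encrypted in ECB, CBC and CTR, and the repeated ciphertext blocks are counted. Key, IV/nonce and plaintext are constructed values; Go's standard library provides CBC and CTR but deliberately no ECB, so ECB is spelled out by hand.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed inputs (real code draws key and IV/nonce from a CSPRNG and never reuses a nonce under one key).
var key = []byte("0123456789abcdef")       // 16-byte AES key, constructed
var ivOrNonce = []byte("fedcba9876543210") // 16-byte IV (CBC) or nonce+counter (CTR), constructed
var plaintext = append(bytes.Repeat([]byte("Benjamin Frankli"), 3), []byte("n was a printer.")...)

// encryptECB encrypts every 16-byte block independently under k, with no chaining at all.
func encryptECB(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

func encryptCBC(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt) // each block XORed with the previous ciphertext block
	return ct
}

func encryptCTR(block cipher.Block, nonce, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, pt) // plaintext XORed with AES_k(nonce+counter)
	return ct
}

// duplicateBlocks counts ciphertext blocks that occur more than once: the leak anyone holding an ECB file can see.
func duplicateBlocks(ct []byte) int {
	seen, dups := map[string]int{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	for _, n := range seen {
		if n > 1 {
			dups += n
		}
	}
	return dups
}

func main() {
	block, _ := aes.NewCipher(key) // key length is valid by construction
	fmt.Println("ECB:", duplicateBlocks(encryptECB(block, plaintext)), "duplicate ciphertext blocks")
	fmt.Println("CBC:", duplicateBlocks(encryptCBC(block, ivOrNonce, plaintext)), "duplicate ciphertext blocks")
	fmt.Println("CTR:", duplicateBlocks(encryptCTR(block, ivOrNonce, plaintext)), "duplicate ciphertext blocks")
}
```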
How should our young subversive store master key k and (per-file) nonces?
Storing the Key (?)
[Diagram: k is encrypted with AES under a human-remembered 4-digit PIN (0704); only the encrypted k is stored]
Maybe this could work with a tamper-proof device?
R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours
Higher Entropy Passwords
[Diagram: k is encrypted with AES under a human-remembered long password (44 bits of entropy); only the encrypted k is stored]
Scaling Work
[Diagram: k is encrypted with AES repeated 1000 times under a human-remembered long password (44 bits of entropy); only the encrypted k is stored]
Time for one AES: 10 ms. Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power)
Time for 1000x AES: 10 s. Time for 2^44 1000x AES: 5M years
Scaling to a Web Service
http://epetitions.direct.gov.uk/
http://petitions.whitehouse.gov
Early Password Schemes
UserID      Password
benf        flyakite
samadams    beer
tj          Monti07cello04
…           …
Login: tj
Password: wahoo
Failed login. Guess again.
Authentication check: guess == users[userID].password
FAIL: someone who gets the password file learns all passwords
Encrypted Passwords Scheme
Master key K: store passwords encrypted using K
UserID      Password
benf        AES_K(flyakite)
samadams    AES_K(beer)
tj          AES_K(Monti07cello04)
…           …
Authentication check: AES_K(guess) == users[userID].password
FAIL: someone who gets the password file and K learns all passwords
Hashed Passwords Scheme
Store passwords by using them as the key to encrypt 0
UserID      Password
benf        AES_flyakite(0)
samadams    AES_beer(0)
tj          AES_Monti07cello04(0)
…           …
Authentication check: AES_guess(0) == users[userID].password
Hashed Passwords Scheme
Master key K: store passwords by using them as the key to encrypt K
UserID      Password
benf        AES_flyakite(K)
samadams    AES_beer(K)
tj          AES_Monti07cello04(K)
…           …
Authentication check: AES_guess(K) == users[userID].password
FAIL
“If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
(At least) 86% of users are dumb
Single ASCII character 0.5%
Two characters 2%
Three characters 14%
Four alphabetic letters 14%
Five same-case letters 21%
Six lowercase letters 18%
Words in dictionaries or names 15%
Other (possibly good passwords) 14%
(Morris/Thompson 79)
Dictionary Attacks
Seed list: all 1-4 letter words; list of common (dog) names; words from dictionaries (4M words, 20+ languages); phone numbers, dates, etc.
Rules for generating passwords: combining words from the seed list; inserting numbers, symbols; replacing “l” with “1”, “ate” with “8”, etc.
http://www.openwall.com/john/
Anything written in any popular password advice document!
Aside: My 3-Word Password Advice
Unimportant passwords: use “silly” (protect the service, not the user)
Important passwords: write them down (but somewhat obfuscated and in a secure place)
If you can memorize it, it is not secure! (unless you have a well-trained memory)
Making Dictionary Attacks Harder
UserID      Password
benf        AES_flyakite(0)
samadams    AES_beer(0)
tj          AES_Monti07cello04(0)
…           …
1. Use a more expensive cryptographic hash function:
Password
AES_flyakite^1000(0)
AES_beer^1000(0)
AES_Monti07cello04^1000(0)
…
Making Dictionary Attacks Harder
UserID      Salt (16 bits)   Password
benf        52455            AES_flyakite^1000(52455)
samadams    50757            AES_beer^1000(50757)
tj          47101            AES_Monti07cello04^1000(47101)
…           …                …
2. Add “salt”: a randomly selected (but non-secret) value for each user
AES x 1000 makes a dictionary attack 1000 times harder; a 16-bit salt makes a dictionary attack 2^16 times harder (but doesn’t make a targeted attack against one user harder)
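An added Go example (not from the slides) of the hashed-password scheme as it ends up in the table above, AES_password^1000(salt), with the enrollment and verification steps around it. One assumption the slides do not state: AES needs a fixed-size key, so the password is reduced to 16 bytes with SHA-256 first; the salts and passwords used in main are the ones from the slide's table, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const iterations = 1000 // the slide's "AES x 1000"

// Record is one row of the password file: the non-secret 16-bit salt and the slow hash.
type Record struct {
	Salt uint16
	Hash [aes.BlockSize]byte
}

// passwordHash computes the slide's AES_password^iters(salt): the password keys AES and a
// block holding the salt is encrypted iters times over. Assumption not on the slide: AES
// needs a fixed-length key, so the password is first reduced to 16 bytes with SHA-256.
func passwordHash(password string, salt uint16, iters int) ([aes.BlockSize]byte, error) {
	var out [aes.BlockSize]byte
	k := sha256.Sum256([]byte(password))
	block, err := aes.NewCipher(k[:16])
	if err != nil {
		return out, err
	}
	binary.BigEndian.PutUint16(out[aes.BlockSize-2:], salt) // salt in the last two bytes, rest zero
	for i := 0; i < iters; i++ {
		block.Encrypt(out[:], out[:]) // each ciphertext is the next round's input
	}
	return out, nil
}

// Enroll stores only the salt and the iterated hash. The salt is a random, non-secret 16-bit
// value per user (crypto/rand in practice; the caller supplies it here to reproduce the table).
func Enroll(password string, salt uint16) (Record, error) {
	h, err := passwordHash(password, salt, iterations)
	return Record{Salt: salt, Hash: h}, err
}

// Verify recomputes the hash of a guess under the user's salt and compares in constant time.
func Verify(rec Record, guess string) bool {
	h, err := passwordHash(guess, rec.Salt, iterations)
	return err == nil && subtle.ConstantTimeCompare(h[:], rec.Hash[:]) == 1
}

func main() {
	// Users and salts from the slide's table: the same password under two salts hashes differently.
	samadams, _ := Enroll("beer", 50757)
	other, _ := Enroll("beer", 52455)
	fmt.Printf("samadams %d %x\nother    %d %x\n", samadams.Salt, samadams.Hash, other.Salt, other.Hash)
	fmt.Println("samadams/beer:", Verify(samadams, "beer"), " samadams/wahoo:", Verify(samadams, "wahoo"))
}
```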
Two Big Problems Remaining: 1. Users are still morons
Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.
GAO Audit of IRS (2005)
(Solving this is outside scope of this class.)
Two Big Problems Remaining: 2. Transmitting the password
[Diagram: TJ ↔ petitions.gov over an insecure channel]
How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel to transmit the password?
Plan for Next Week
Solving these problems using asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)
Open to requests!