Cryptology
Some slides were adapted from a presentation by DJ Holub, by permission.
What I will talk about
• History
• Basic Cryptography
• Public Key Cryptography
• SSL
• Certificates
• Certificates, Servers, and Browsers
In the beginning, there were substitution ciphers.
• One letter was substituted for another to transform plaintext into ciphertext.
• Sometimes the substitution involved a shift, as in:
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
• Here the shift is K = 8. (This is known as a Caesar cipher; Caesar used K = 3.)
• Sometimes the substitution involved (apparently) random substitutions:
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  G P H I L J A M N D K E R C B X Y S O T V F Z B W U
• Each of the 26 characters was used one-to-one, so letter frequency was not hidden. As a consequence, with each letter substitution you cracked, the remaining ones were easier to figure out.
Is a Caesar cipher easy to decode?
• Here is a ciphertext produced with a shift: BUUBDLABUAEBXO
• What is the corresponding plaintext? (Take a moment to examine this.)
• Answer: ATTACK AT DAWN, for K = 1. (Caesar used K = 3.)
• By brute-force attack, one could try all possible values of K (here a mere 26 choices) to decode a message.
A better method is to use a general table to define the substitution to be made:
• For each letter in the plaintext, the table tells which letter to put in the ciphertext. For example:
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  THE QUICKBROWNFXJMPDVRLAZYG
• Plaintext: ATTACK AT DAWN
• Ciphertext: HVVH OTHVTQHAF
• Better than a Caesar cipher. (Why?) There are 27! > 10^28 tables to try out!
In reality:
• Simple substitution ciphers are easy to break:
• ‘E’ is the most frequent letter in English. Cryptanalysts get a good start by looking for the most frequent letter and replacing it with an ‘E’.
• Two-letter combinations can be taken into account: certain combinations (for example ‘QR’) never occur in English, while others (for example ‘ER’) are very common. By examining frequencies of combinations of letters, a substitution cipher can be broken.
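As an added example (not part of the original slides), here is the shift cipher from the slides together with the two attacks just described: trying all 26 values of K, and ranking letter frequencies to guess which ciphertext letter stands for ‘E’. The sample sentence is the one the transposition slides use; everything else is my own construction.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

def shift_cipher(text, k):
    """Caesar/shift cipher: each letter is replaced by the one k places later (A=0 ... Z=25).
    Non-letters pass through unchanged; a negative k decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)

def brute_force_shift(ciphertext, crib):
    """The brute-force attack from the slide: try all 26 shifts and return the first K whose
    decryption contains a word we expect (the crib), together with that decryption."""
    for k in range(26):
        candidate = shift_cipher(ciphertext, -k)
        if crib in candidate:
            return k, candidate
    return None

def letter_frequencies(ciphertext):
    """Relative frequency of each letter, most common first: the starting point of the frequency
    attack described above (the top letter is the first guess for plaintext 'E')."""
    letters = [c for c in ciphertext.upper() if c in ALPHABET]
    if not letters:
        return []
    return [(c, n / len(letters)) for c, n in Counter(letters).most_common()]

def guess_shift_by_frequency(ciphertext):
    """Assume the most frequent ciphertext letter stands for 'E' and derive K from that alone.
    Works on any reasonably long English text; a substitution table needs the same idea per letter."""
    top = letter_frequencies(ciphertext)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26

# Constructed sample: the sentence used on the transposition slides, shifted by Caesar's K = 3.
SAMPLE = "THE ONLY SECRETS ARE THE SECRETS THAT KEEP THEMSELVES"
SAMPLE_CT = shift_cipher(SAMPLE, 3)
```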
Transposition ciphers have also been used
• How do I know that:
  trste heekl etcev osree naeps lrtty eshst teehh mceas
• actually says:
  The only secrets are the secrets that keep themselves
I arranged the plaintext in rows of 10 characters and wrote the ciphertext from the columns.
  Theonlysec
  retsarethe
  secretstha
  tkeepthems
  elves
  trste heekl etcev osree naeps lrtty eshst teehh mceas
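The column-reading cipher of this slide in code, as an added example that is not from the original presentation: encryption writes rows of a chosen width and reads down the columns, and decryption has to account for the short last row (the first few columns are one letter longer than the rest). The five-letter grouping helper is my own convention.

```python
def transpose_encrypt(plaintext, width=10):
    """Columnar transposition as on the slide: drop spaces and case, write the letters in rows of
    `width`, then read the ciphertext down the columns (a short last row simply ends early).
    Note that every plaintext letter survives unchanged, so letter frequencies are not hidden."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))

def transpose_decrypt(ciphertext, width=10):
    """Undo it. The only subtlety is the partial last row: the first (len % width) columns hold
    one letter more than the others, so the column boundaries must be recomputed first."""
    full_rows, extra = divmod(len(ciphertext), width)
    num_rows = full_rows + (1 if extra else 0)
    cols, pos = [], 0
    for col in range(width):
        size = full_rows + (1 if col < extra else 0)
        cols.append(ciphertext[pos:pos + size])
        pos += size
    return "".join(cols[col][r] for r in range(num_rows)
                   for col in range(width) if r < len(cols[col]))

def in_groups(text, size=5):
    """Write the ciphertext in five-letter groups, the traditional way of presenting it."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))
```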
Remember Mary Queen of Scots? She lost her head because she used this kind of cipher (and because a trusted servant turned out not to be trustworthy).
• Many variations on substitution ciphers have been developed:
• Extra letters were thrown in to confuse.
• Blocks of letters were encoded.
• Each letter of a message was coded using a different substitution cipher.
Vigenère Cipher
• How to make attacks more difficult?
• A small repeated key is used to determine the value of K for each letter. At each step, the key letter's index is added to the plaintext letter's index. This provides a variable shift.
• Key: ABCABCABCABCAB
• Plaintext: ATTACK AT DAWN
• Ciphertext: BVWBENACWAFDXP
• For example, key ‘B’ = 2 and plaintext ‘N’ = 14 give ciphertext ‘P’ = 2 + 14 = 16.
• Longer keys provide better ciphertext. (What if the length of the key = length of the plaintext?)
Vigenère Cipher
• Simple implementation:
• To encrypt (produce ciphertext): XOR the key with the plaintext.
• To decrypt (produce plaintext): XOR the key with the ciphertext.
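Both Vigenère slides in code, as an added example that is not from the original presentation. The additive version uses exactly the indexing of the worked example (space = 0, A = 1, ..., Z = 26, sums taken modulo 27), so it reproduces the slide's ciphertext; the XOR version is the "simple implementation". The one-time-pad and key-reuse functions are my additions answering the question the slide asks about a key as long as the plaintext.

```python
import secrets

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # slide's indexing: space = 0, A = 1, ..., Z = 26

def vigenere(text, key, decrypt=False):
    """Additive Vigenère as on the slide: the index of the repeating key letter is added to
    (or, when decrypting, subtracted from) the index of each text symbol, modulo 27.
    Only letters and spaces are supported, matching the slide's alphabet."""
    out = []
    for i, ch in enumerate(text.upper()):
        k = ALPHABET.index(key[i % len(key)].upper())
        t = ALPHABET.index(ch)
        out.append(ALPHABET[(t - k if decrypt else t + k) % len(ALPHABET)])
    return "".join(out)

def xor_stream(data: bytes, key: bytes) -> bytes:
    """The 'simple implementation' slide: XOR the repeating key with the data.
    One function serves both directions because (x ^ k) ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def one_time_pad(data: bytes):
    """The case the slide asks about: a random key as long as the message. Used once, the
    ciphertext reveals nothing about the plaintext; the key must never be reused."""
    key = secrets.token_bytes(len(data))
    return key, xor_stream(data, key)

def key_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why reuse is fatal: XOR of two ciphertexts under the same key equals the XOR of the two
    plaintexts (the key cancels), which is all a cryptanalyst needs to start recovering both."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))
```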
Mary Queen of Scots might have kept her head if she had used a random list of letters (a key) to encrypt her messages to Anthony Babington.
• How could Babington be sure the message actually came from Mary?
• How could Babington know what Mary was doing with the key to produce ciphertext from plaintext?
• How could she give Babington the same key without Thomas Morgan intercepting it?
• How could Babington be sure Mary's message was not changed in transit?
Modern Algorithms
• Modern computer cryptographic algorithms are really just mathematical variations on the substitution/transformation schemes.
• Three kinds of algorithms have emerged, each of which solves a different part of the problem:
• One-way hash algorithms, also known as message-digest and secure-hash algorithms, create a unique fingerprint for a document. If the document is modified in any way, even by one bit, it will generate a substantially different fingerprint.
• Symmetric encryption algorithms use a single key for encryption and decryption. They are fast, but are susceptible to key interception.
• Asymmetric encryption algorithms use a pair of keys. When one key is used to encrypt, the other key must be used to decrypt. Public-key (PK) algorithms are asymmetric. Asymmetric algorithms require very large keys (1024 and 2048 bits) and are slow in comparison to symmetric algorithms.
Public Key Cryptosystems
• The key distribution problem is the most problematic, particularly in e-commerce and other commercial applications.
• Use a ‘phone book’ of encryption keys: everyone’s encryption (public) key (call it P) is public knowledge.
• I have mine on my personal home page.
• For someone to send me a private message, they would look up my public key P and use it to encrypt the message.
• Upon receipt, I decrypt it with my private (secret) key (call it S).
Public Key Cryptosystems
• P = public key
• S = secret (private) key
• M = some message
• For this system to work, at least the following conditions must be satisfied:
• S(P(M)) = M for every message M (the fundamental cryptographic property)
• All (S, P) pairs are distinct (security)
• Deriving S from P is as hard as reading M (security)
• Both S and P are easy to compute (usability)
Public Key Cryptosystems
• The scheme was outlined by Diffie and Hellman in 1976, but they had no method to satisfy all these conditions.
• Soon afterwards, such a method was discovered by Rivest, Shamir, and Adleman. The scheme became known as the RSA public-key cryptosystem.
• The system is based on arithmetic algorithms performed on very large integers.
Public Key Cryptosystems
• The encryption key P is the integer pair (N, p).
• The decryption key S is the integer pair (N, s), where s is kept secret.
• The numbers are intended to be very large (N ~ 200 digits; s, p ~ 100 digits).
Public Key Cryptosystems
• The message is broken up into numbers < N (for example by taking log N bits at a time from the binary string corresponding to the character encoding of the message).
• Then these numbers are raised to a power modulo N:
• To encrypt a piece of a message M: C = P(M) = M^p mod N
• To decrypt a ciphertext C: M = S(C) = C^s mod N
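The scheme of the last three slides in code, as an added example that is not from the original presentation, keeping the slide's notation: public pair (N, p), secret pair (N, s), C = M^p mod N and M = C^s mod N. The primes 61 and 53 are the usual textbook toy values so every number stays readable; the message-splitting helpers and the trial-division routine are my additions (Python 3.8+ for the modular inverse via pow).

```python
def rsa_keygen(prime1, prime2, p=17):
    """Build the slide's key pair from two primes (tiny here; real N is ~200 digits).
    s is the inverse of p modulo (prime1-1)(prime2-1), which is what makes S(P(M)) = M."""
    N = prime1 * prime2
    phi = (prime1 - 1) * (prime2 - 1)
    s = pow(p, -1, phi)            # modular inverse (Python 3.8+)
    return (N, p), (N, s)          # public key P, secret key S

def rsa_encrypt(M, public):        # C = P(M) = M^p mod N
    N, p = public
    return pow(M, p, N)

def rsa_decrypt(C, secret):        # M = S(C) = C^s mod N
    N, s = secret
    return pow(C, s, N)

def split_message(data: bytes, N: int):
    """Break the message into integers < N by taking floor(log2 N) bits at a time,
    as the slide describes; the last chunk may be shorter."""
    bits = N.bit_length() - 1
    bitstr = "".join(f"{b:08b}" for b in data)
    return [int(bitstr[i:i + bits], 2) for i in range(0, len(bitstr), bits)]

def join_message(chunks, N: int, nbytes: int) -> bytes:
    """Reassemble the bytes: every chunk is `bits` wide except possibly the last one."""
    bits = N.bit_length() - 1
    last = nbytes * 8 - bits * (len(chunks) - 1)
    widths = [bits] * (len(chunks) - 1) + [last]
    bitstr = "".join(format(c, f"0{w}b") for c, w in zip(chunks, widths))
    return int(bitstr, 2).to_bytes(nbytes, "big")

def recover_secret(public):
    """Condition 3 of the earlier slide, tested on a toy key: with a small N, trial division
    finds a factor at once and s follows. Only the size of N makes deriving S from P hard."""
    N, p = public
    f = next(d for d in range(2, int(N ** 0.5) + 1) if N % d == 0)
    return pow(p, -1, (f - 1) * (N // f - 1))
```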
Secure Socket Layers (SSL)
• These four concepts lie at the core of SSL (Secure Socket Layers):
• Authentication of identity
• Selection of encryption algorithm
• Secure key exchange
• Integrity of the message
Authentication
• The public key/private key pair
• A ciphertext encrypted with a public key can only be decrypted by the corresponding private key.
• Babington would use Mary's public key to encrypt his messages to her.
• Mary would have decrypted those messages with her private key.
Handshake
• Through a negotiation process known as a handshake, an SSL client and server authenticate their identities.
• Initiation by client (ClientHello)
• The client always initiates the SSL connection and handshake.
• The client sends:
• a random cookie
• the cipher suites it supports, in order of preference
Handshake (ct’d)
• Reply by server (ServerHello)
• The server sends:
• a random cookie
• the cipher suite it prefers among those listed in the ClientHello
Handshake (ct’d)
• Authentication of identity
• The server presents its X.509 certificate (which contains its public key) to the client.
• The server may, but usually does not, ask the client for its certificate (CertificateRequest).
• The server sends a ServerHelloDone.
• Client authenticates the server
• The client verifies that the certificate is in order and has been issued by an acceptable CA.
Selection of Encryption Algorithm
• In its ClientHello, the client informed the server of the cipher suites (algorithms) it supports.
• In its ServerHello, the server indicated which of these it would like to use.
• The client either accepts that suite or proposes an alternate (ChangeCipherSpec).
• If the client and server agree on a suite, they continue.
Handshake
• Session key exchange
• Using a random seed value (called a nonce) from the client and server, the client generates a random session key.
• The session key is used for message encryption using a symmetric algorithm.
• Another (also generated) key is used for applying the Message Authentication Code (MAC), a digest.
Handshake
• The client sends a ChangeCipherSpec to indicate that it is ready to proceed using the negotiated cipher suite and keys.
• Both client and server send a Finished, which is the first message encrypted according to the negotiated cipher suite and keys.
• From this point forward, for each application message sent, SSL applies a MAC and then encrypts the message and MAC using the session key.
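The handshake sequence of the preceding slides as a small two-party simulation, added here as an example and not taken from the original presentation: ClientHello with randoms and an ordered suite list, ServerHello choosing among them, key derivation from both randoms, and a Finished value computed as a MAC over the whole transcript. The key-block construction is a constructed stand-in (HMAC-SHA256) rather than SSL's real PRF, the premaster secret is assumed to have already been delivered under the server's public key, and the suite names are placeholders; the point shown is that a Finished check fails when someone altered the negotiation (for instance by stripping suites from the ClientHello).

```python
import hashlib
import hmac
import secrets

def client_hello(supported_suites):
    """ClientHello: a random value plus the suites the client supports, best first."""
    return {"random": secrets.token_bytes(32), "suites": list(supported_suites)}

def server_hello(hello, server_prefs):
    """ServerHello: the server's own random and the suite it prefers among those offered."""
    for suite in server_prefs:
        if suite in hello["suites"]:
            return {"random": secrets.token_bytes(32), "suite": suite}
    raise ValueError("no cipher suite in common; the handshake fails")

def derive_keys(premaster, client_random, server_random):
    """Constructed stand-in for the SSL key block: both sides mix the shared premaster
    (assumed already delivered under the server's public key) with both randoms, so every
    handshake yields fresh session and MAC keys."""
    block = hmac.new(premaster, b"key expansion" + client_random + server_random,
                     hashlib.sha256).digest()
    return {"enc": block[:16], "mac": block[16:]}

def transcript(hello, reply):
    """The handshake bytes as one side saw them."""
    return (hello["random"] + ",".join(hello["suites"]).encode()
            + reply["random"] + reply["suite"].encode())

def finished(keys, handshake_bytes):
    """Finished: a MAC over the entire handshake under the negotiated MAC key. A peer that saw
    a different handshake (say, a suite list with the strong suites stripped) computes a
    different value, so tampering with the negotiation is caught here."""
    return hmac.new(keys["mac"], b"finished" + handshake_bytes, hashlib.sha256).digest()

def run_handshake(client_suites, server_prefs, premaster, tamper=None):
    """Drive one handshake and return True when the server's check of the client's Finished
    succeeds. `tamper`, if given, rewrites the ClientHello before the server sees it."""
    hello = client_hello(client_suites)
    as_seen_by_server = tamper(hello) if tamper else hello
    reply = server_hello(as_seen_by_server, server_prefs)
    client_keys = derive_keys(premaster, hello["random"], reply["random"])
    server_keys = derive_keys(premaster, as_seen_by_server["random"], reply["random"])
    client_finished = finished(client_keys, transcript(hello, reply))
    expected = finished(server_keys, transcript(as_seen_by_server, reply))
    return hmac.compare_digest(client_finished, expected)
```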
SSL Complications (No longer a problem?)
• The export of encryption products (software and hardware) is tightly controlled by the US government.
• The US government classifies cryptographic algorithms as munitions (like Bradley Fighting Vehicles) and restricts the key strength for export.
• The government only allows 40-bit keys in exported encryption software.
• Everything on the web is (potentially) exported.
• 40-bit keys are not long enough for secure encryption. (A graduate student at Cal broke RSA's 40-bit key in 4 hours.)
• Revised export regulations have removed many restrictions.
SSL Complications (No longer a problem?) – ct’d
• SSL effectively requires RSA public key cryptography.
• SSL originally only supported RSA public key cryptography (PKC) and RSA encryption algorithms, effectively granting them a monopoly.
• RSA owns a patent on its PK algorithm in the U.S. and Canada.
• Commercial secure web servers must license RSAREF or BSAFE to be legal in this country.
• Until that patent expires, we are all ho$tage$.
• The minimum purchase for a complete, licensed SSL implementation that uses RSA algorithms is $15,000 + $7,000.
• Celebrate RSA Independence Day: September 20, 2000.
Public Key Distribution
• PKs are distributed in an X.509 certificate issued by a Certificating Authority (CA).
• The CA merely certifies that a public key belongs to a given entity, and that that entity owns the common name.
• The secure server certificate itself is just a data record that contains:
• the public key issued to a single server
• the Distinguished Name, which has subfields of common name, organization, organizational unit, city, country
• the expiration date
• the serial number
• The CA "signs" the certificate (an encrypted hash).
Browser Authentication of Server
• When a browser receives a certificate, it verifies:
• that the common name matches the DNS entry exactly and, with MSIE, the server name
• that it recognizes the CA that signed the certificate
• that the CA actually signed the certificate
• It does this by hashing the certificate, decrypting the "signature" with the CA's public key, and comparing the two.
• Therefore, CAs must have certificates, and those certificates must be installed in the browser.
• If an older browser doesn't accept the certificate:
• Netscape will complain but encrypt anyway
• IE will complain and not allow SSL
Certificate Chains
• CAs also have certificates (usually several) which contain the public key they use to sign certificates.
• Who signs a CA certificate?
• Each CA certificate chains to a "root" certificate.
• A CA may self-sign its own root certificate, as do VeriSign and Thawte.
• A CA may chain to another CA's root certificate, as Equifax does to Thawte.
• A CA offers more than one kind of secure server certificate by having separate chains back to its root certificate.
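The browser-side checks of the last three slides (common name, expiry, recognised CA, signature = "encrypted hash", chain to an installed root) as an added example that is not from the original presentation. Certificates are plain dictionaries, the signature is the slide's hash-then-secret-exponent construction over toy RSA pairs I constructed (real CA keys are thousands of bits), expiry dates are bare years, and the CA and host names are placeholders.

```python
import hashlib

# Constructed toy RSA pairs as (N, exponent); real CA keys are thousands of bits long.
ROOT_PUB, ROOT_SEC = (3233, 17), (3233, 2753)       # self-signed root, installed in the browser
INTER_PUB, INTER_SEC = (11413, 3), (11413, 7467)    # intermediate CA that chains to the root
SERVER_PUB = (2773, 17)                              # the secure server's public key

def to_be_signed(cert):
    """The data record the CA signs: every field except the signature itself."""
    return "|".join(str(cert[k]) for k in ("subject", "issuer", "key", "not_after", "serial")).encode()

def sign(data, secret):
    """The 'encrypted hash' from the slide: hash the record, then apply the CA's secret exponent."""
    N, s = secret
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % N, s, N)

def signature_ok(cert, issuer_pub):
    """Hash the certificate again, 'decrypt' the signature with the CA's public key, compare."""
    N, p = issuer_pub
    digest = int.from_bytes(hashlib.sha256(to_be_signed(cert)).digest(), "big") % N
    return pow(cert["sig"], p, N) == digest

def make_cert(subject, issuer, pub, not_after, serial, signer_secret):
    cert = {"subject": subject, "issuer": issuer, "key": pub, "not_after": not_after, "serial": serial}
    cert["sig"] = sign(to_be_signed(cert), signer_secret)
    return cert

def browser_verify(leaf, intermediates, trust_store, hostname, today):
    """The slide's checks: exact common-name match, expiry, a recognised CA and a valid
    signature at every link, ending at a root public key installed in the browser."""
    if leaf["subject"] != hostname:
        return False, "common name does not match the server name"
    pool = {c["subject"]: c for c in intermediates}
    cert = leaf
    for _ in range(len(intermediates) + 1):              # bounded walk up the chain
        if cert["not_after"] < today:
            return False, f"{cert['subject']} has expired"
        if cert["issuer"] in trust_store:                # reached a root the browser knows
            ok = signature_ok(cert, trust_store[cert["issuer"]])
            return ok, "chains to a trusted root" if ok else f"bad signature on {cert['subject']}"
        issuer = pool.get(cert["issuer"])
        if issuer is None or not signature_ok(cert, issuer["key"]):
            return False, f"CA {cert['issuer']} not recognised, or bad signature on {cert['subject']}"
        cert = issuer
    return False, "chain does not reach a trusted root"

INTER = make_cert("Toy Issuing CA", "Toy Root CA", INTER_PUB, 2028, 2, ROOT_SEC)     # constructed chain
SERVER = make_cert("www.example.com", "Toy Issuing CA", SERVER_PUB, 2026, 3, INTER_SEC)
TRUSTED = {"Toy Root CA": ROOT_PUB}                      # the browser's installed root keys
```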
Demo of Public Key Encryption
• Browser CA certificates
• Example server certificate
• PK cryptography demo
• Links
• www.gnupg.org (GNU Privacy Guard)
• http://www.gpg4win.org/ (gpg for win32 with GUI tools)