15-349 Introduction to Computer and Network Security
Iliano Cervesato
26 August 2008 – Modern Cryptography

Where we are
• Course intro
• Cryptography
• Intro to crypto
• Modern crypto
• Symmetric encryption
• Asymmetric encryption
• Beyond encryption
• Cryptographic protocols
• Attacking protocols
• Program/OS security & trust
• Networks security
• Beyond technology

Outline
• Cryptographic schemes
• Design principles
  • Confusion and diffusion
  • Randomization
  • Kerckhoffs's principle
• Mathematical foundations
  • Computational complexity
  • One-way functions
  • Trapdoors
• What is a secure cipher?

(Symmetric) Encryption Schemes (K, E, D)
• Key generation algorithm
  • $K : \{0,1\}^k$
• Encryption algorithm
  • $E : \{0,1\}^a \times \{0,1\}^k \to \{0,1\}^c$
  • $E_k : \{0,1\}^a \to \{0,1\}^c$
• Decryption algorithm
  • $D : \{0,1\}^c \times \{0,1\}^k \to \{0,1\}^a$
  • $D_k : \{0,1\}^c \to \{0,1\}^a$

What makes a cipher good?
• Behaves as expected
  • Functionally sound
• Based on mathematics
  • Confusion and diffusion
• Examined by experts
  • Open design
• Stood the test of time
  • Moore's law

Functional requirements
$E, D : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$
• $D_k(E_k(m)) = m$
  • For every $k$, $E_k$ is an injection with inverse $D_k$
• $E_k(m)$ is easy to compute, given $m$ and $k$
• $D_k(x)$ is easy to compute, given $x$ and $k$
  • Polynomial in $\max\{n,k\}$ - often linear
• If $x = E_k(m)$, it is hard to find $m$ without $k$
  • Exponential in $k$

Confusion and Diffusion
• Confusion
  • Replace symbol with another
  • Hide plaintext symbols
  • Example: WHATANI → ZZZJUCL
• Diffusion
  • Mix up symbols
  • Spread plaintext around
  • Example: WHATANI → ANWIHAT
• Modern ciphers are a combination

Augmenting diffusion
• Make it harder for attacker
  • Repeated encryptions of same text are different
• Randomization
  • $E_k : \{0,1\}^a \times \{0,1\}^r \to \{0,1\}^c$
  • $D_k : \{0,1\}^c \to \{0,1\}^a$
  • It must be that $c > a$
• Part of all modern ciphers

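The randomized signature above, as an added example that is not part of the original slides: a deterministic $E_k$ next to a randomized one whose ciphertext carries $r$, so that $c = a + r$ and $D_k$ takes no $r$ argument. The HMAC-SHA256 keystream and the 16-byte `R_BYTES` are assumptions chosen for illustration; the construction has no integrity protection.

```python
import hashlib
import hmac
import secrets
from typing import Optional

R_BYTES = 16  # length of the random input r, in bytes (assumed value)


def _pad(key: bytes, r: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (illustrative PRF, an assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = r + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_deterministic(key: bytes, m: bytes) -> bytes:
    """E_k : {0,1}^a -> {0,1}^a. The same (k, m) always yields the same ciphertext."""
    return bytes(x ^ y for x, y in zip(m, _pad(key, b"", len(m))))


def encrypt_randomized(key: bytes, m: bytes, r: Optional[bytes] = None) -> bytes:
    """E_k : {0,1}^a x {0,1}^r -> {0,1}^c with c = a + r."""
    r = secrets.token_bytes(R_BYTES) if r is None else r
    body = bytes(x ^ y for x, y in zip(m, _pad(key, r, len(m))))
    return r + body  # r is sent in the clear, which is why c > a


def decrypt_randomized(key: bytes, c: bytes) -> bytes:
    """D_k : {0,1}^c -> {0,1}^a. Needs only k; r is read back from c."""
    r, body = c[:R_BYTES], c[R_BYTES:]
    return bytes(x ^ y for x, y in zip(body, _pad(key, r, len(body))))


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    m = b"WHATANI"  # sample plaintext taken from the confusion/diffusion slide
    print("deterministic repeats:", encrypt_deterministic(k, m) == encrypt_deterministic(k, m))
    print("randomized repeats:   ", encrypt_randomized(k, m) == encrypt_randomized(k, m))
    print("ciphertext growth:    ", len(encrypt_randomized(k, m)) - len(m), "bytes")
```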
Open Design
Kerckhoffs's Principle (1883)
The security of a cryptosystem must not depend on keeping the algorithm secret
No security by obscurity
• Better that
  • Lots of smart but innocuous people dissect it
  • Than a single smart malicious one

Shannon’s criteria
• Strength of cipher proportional to effort
• Keys should be simple
• Implementation should be simple
• Errors should not propagate
• Size of ciphertext same as plaintext

Critique of Shannon’s Criteria
Shannon’s criteria are based on a manual process
• Strength of cipher proportional to effort
  • Strength should depend on value, cost, time
• Keys should be simple
  • Not necessarily
• Implementation should be simple
  • Efficient!
• Errors should not propagate
  • Yes, many countermeasures nowadays
• Size of ciphertext same as plaintext
  • Not necessarily
Computers allow powerful automation

Computational problems
• Finite space of solutions
  • Always decidable
• Can grow in size (n)
  • Bigger size, bigger solution space
• Questions
  • How hard is it to find a solution?
  • How hard is it to verify a solution?
• “Hard” = amount of time
  • Generic algorithms
  • Best algorithm possible
  • Not special cases!

Computational classes
• P
  • Finding solution polynomial in n
    • Element lookup in list – $O(n)$
    • Sorting a list – $O(n^2)$
  • Verifying solution also polynomial in n
• NP
  • Verifying solution polynomial in n
  • Finding solution may not be polynomial in n
    • Polynomial if we can “guess”
    • Polynomial if we can try solutions in parallel
• EXP
  • Finding solution exponential in n
  • Verifying solution may not be polynomial in n

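Computational complexity
• $P \subseteq NP \subseteq EXP$
• $P \neq EXP$
• $P = NP$ ?
  • Open problem
  • Believed false
[Figure: nested classes P, NP and EXP, over a scale of growth rates $n$, $n^2$, $n^3$, $n^{100}$, $2^n$]
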
NP-Complete problems
• In NP
• As hard or harder than any other NP problem
• Represent all NP problems
  • If polynomial solution exists, all NP problems have one
    • $P = NP$
  • If not, no NP-complete problem has one
    • $P \neq NP$
• Characteristics
  • Always solvable
  • Verifying solution is polynomial
  • No known polynomial way to find solution
    • Exponential as far as we know

Computation in practice
• Bounded by time
• If a small polynomial instance is solvable
  • Slightly larger instance also solvable
  • Possibly with tomorrow’s technology
• If a small exponential instance is solvable
  • Slightly larger instance may not be solvable
  • Maybe not even with tomorrow’s technology
  • … but Moore’s law is exponential?
    • Physical limitations
    • Can always choose a big enough instance

NP-Completeness and Crypto
• Require attacker to solve an NP-complete problem to find plaintext
  • Exponential work in n
• But …
  • Crumbles if P = NP
  • May be easy for small n
  • Side channel attacks
  • Advances in technology
    • But Moore’s law is exponential ??
• Trends in cryptography
  • Rely on problems that are harder than NP
  • Quantum cryptography

One-way functions
• Easy to compute
  • $f(i) \to o$
  • Evaluation in P
    • Linear
• Hard to invert
  • $f^{-1}(o) \to i$
  • Inverse is NP-complete
• Foundations of
  • Hashing
[Figure: f maps input to output (Easy – P); going from output back to input is Hard – NP]

One-way functions with trapdoor
• Easy to compute
  • $f(i,t) \to o$
  • Encryption in P
    • Linear
• Hard to invert normally
  • $f^{-1}(o) \to i$
  • Decryption without key is NP-complete
• Easy to invert through trapdoor
  • $f^{-1}(o,t) \to i$
  • Decryption with key in P
    • Linear
• Foundations of
  • Encryption
  • Digital signatures
[Figure: f maps input to output (Easy – P); inverting is Hard – NP, but Easy – P with the trapdoor]

Some NP-complete Problems
• Boolean satisfiability
  • Is there an assignment of boolean values that makes a formula in conjunctive normal form true?
• Knapsack
  • Is there a way to fill a bag of a given size completely with objects of various sizes?
• Cliques
  • Does a graph have a complete subgraph of a given size?
• Discrete logarithm
  • Is there an $a$ such that $g^a \bmod n = b$?
• Integer factorization
  • What are the prime factors of number n?

When is a Cipher Secure?
Polynomial adversary cannot tell a real encryption box from a fake one
[Figure: two boxes, $E_k(\_)$ and $E_k(0)$, each taking input m and producing output x]

Formal Definition
Let
• $E : \{0,1\}^a \times \{0,1\}^k \to \{0,1\}^c$
• $A(x^m) = 1$ iff $x = E_k(m)$
  • A algorithm polynomial in key length k
• $x_m = E_k(m)$
(K,E,D) is a secure encryption scheme if, for every polynomial $p(\_)$, there exists $K$ such that for all $k > K$ and every key in $\{0,1\}^k$:
$\Pr[A(x_m^m) = 1] - \Pr[A(x_0^m) = 1] < 1/p(k)$

Key length
• The strength of a cipher is given by the length of the key
• Strength is non-polynomial in k
  • 10% longer key requires much more than 10% extra work
  • Often each extra bit doubles the effort
• To get a stronger cipher, make key longer!
  • Guideline for modern ciphers
  • Ciphers with variable key length
    • RSA
    • AES
• Not sufficient for bad ciphers!
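
The real-box versus fake-box definition and the key-length slide, worked together as an added example that is not part of the original slides: it computes the difference $\Pr[A(x_m^m)=1] - \Pr[A(x_0^m)=1]$ exactly, by enumerating every key, for an adversary with a fixed budget of key guesses. The toy cipher (XOR with an HMAC-SHA256 pad), the sample message and the budget of 16 guesses are assumptions made for illustration.

```python
import hashlib
import hmac

SAMPLE_M = b"WHATANI-WHATANI-"  # constructed 16-byte sample plaintext


def toy_encrypt(key: int, key_bits: int, m: bytes) -> bytes:
    """Deterministic toy E_k: XOR m (at most 32 bytes) with an HMAC-SHA256 pad."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    pad = hmac.new(key_bytes, b"pad", hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(m, pad))


def advantage(key_bits: int, tries: int, m: bytes = SAMPLE_M) -> float:
    """Exact Pr[A(x_m^m)=1] - Pr[A(x_0^m)=1] for a uniformly chosen key.

    The adversary A encrypts m under the first `tries` candidate keys and
    answers 1 iff the challenge x equals one of those ciphertexts.
    """
    zero = bytes(len(m))
    n_keys = 2 ** key_bits
    guesses = {toy_encrypt(g, key_bits, m) for g in range(min(tries, n_keys))}
    real_hits = 0
    fake_hits = 0
    for k in range(n_keys):
        real_hits += toy_encrypt(k, key_bits, m) in guesses     # real box: x_m = E_k(m)
        fake_hits += toy_encrypt(k, key_bits, zero) in guesses  # fake box: x_0 = E_k(0)
    return (real_hits - fake_hits) / n_keys


def advantage_table(tries: int = 16, sizes=(8, 10, 12, 14)) -> dict:
    """Advantage of the same adversary as the key grows by two bits at a time."""
    return {bits: advantage(bits, tries) for bits in sizes}


if __name__ == "__main__":
    for bits, adv in advantage_table().items():
        print(f"k = {bits:2d} bits  advantage = {adv:.10f}")
```

With the guess budget held fixed, each extra key bit halves the advantage, which is the "each extra bit doubles the effort" guideline seen from the adversary's side.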