390 likes | 484 Vues
Language Studies and Academics. Parts of Speech. 1. Parts of Speech - Quick Review. Person, place, or thing. Replaces a noun. Action or state of being. Shows a relationship (in place or time). Describes a noun. Connecting words. Describes a verb. Short exclamation inserted in sentence.
E N D
Cryptography and System Security Michael Pramateftakis Room Z940 Tel: (089-289)23622 E-Mail: pramateftakis@ei.tum.de
Organisatorisches • Vorlesung: Do., 12:30-14:00, N1170 • Übung: Do., 14:00-14:45, N1170 • Skript und Folien auf Englisch • Vorlesung, Diskussion und Prüfung auf Deutsch. Hinweis: Ab 3.5.2004 neue Vorlesung (WA) “Applied IT-Security” Mo. 14:00-15:30, Hörsaal 0999, Vorl. auf Englisch in Zusammenarbeit mit der Fraunhofer Gesellschaft (Dr. Stephan Spitz)
Lecture Overview • Motivation • Security Services and Mechanisms • Cryptographic Mechanisms • Discrete Algebra • Cryptographic Algorithms • Cryptographic Protocols • Security and the Internet • Smartcards and Security Applications
1. Motivation Why cryptography?
Business offers, contacts Internet Money, Payments Payment Browsing, Orders… Attacker Exemplary Scenario Other companies Bank Internet users Company Network
Further catchwords • Hackers, Crackers, Script kiddies etc. • Denial of Service • Address spoofing • Connection hijacking • Firewall, NAT, Intrusion detection • Spam • E-mail fakingetc., etc., …
2. Security Services and Mechanisms Cryptography’s most basic terms and definitions
Basic terms • Security Services • Security Mechanisms • Cryptographic algorithms
Security Services • Security services describe what a user requires from a security system: • Confidentiality (or Nondisclosure of Information) • Authentication • Verifiability and Nonrepudiation • Anonymity • Access Control Security services remedy threats.
Security Mechanisms and Algorithms • Security Mechanisms:The technical and procedural means used to implement security services.(e.g. encryption provides confidentiality.) • Algorithms:Concrete implementations of security mechanisms.(e.g. DES implements encryption)
Relations • Services, mechanisms and algorithms are related to one another. • The relation is formally defined in the OSI security architecture. • Security systems are designed and parameterized based on these relations. Services, Mechanisms and Algorithms are very basic and important terms!Distinguish between them correctly!
3. Cryptographic Mechanisms Mechanism Details
Symmetric Encryption k k c f f-1 m m Decryption m= f-1(k,c) Encryption c= f(k,m) Secure Environment Secure Environment m: Plaintext message c: Cipher k: Key f: Encryption Function f-1: Decryption Function (Inverse of f) • Symmetric = Same key for encryption and decryption. • Key is secret, secure environment needed at sender and receiver.
Symmetric Encryption Different kinds of symmetric encryption schemes: • Characterwise with a key.<Output char.> = f (k,<Input char.>) • Blockwise with a key.<Output block> = f (k,<Input block>) • Symbolwise/bitwise with sequence of keysk: k1,k2,k3,… • Blockwise with block chaining.
Perfect Security Prerequisites for perfect security: • Unlimited key length. • Truly random key sequence. • One-time pad. • |K| >= |C| >= |M| Every message can be mapped to every cipher with a different key! Thus, for a given cipher, every possible message is equiprobable, since a proper key can always be constructed! An attacker cannot make any assumptions about the message.
Perfect Security c1 k1 c2 c3 m3 c4 k5 c5 C |M|=|C|=|K| Keys equiprobable Messages equiprobable M
Asymmetric Encryption d e c f f m m Decryption m= fd(c) Public Encryption c= fe(m) Secure Environment m: Plaintext message c: Cipher e: Encryption Key d: Decryption Key f: Asymmetric Function • Asymmetric = Different keys for encryption and decryption. • Only decryptionkey is secret, secure environment needed only at receiver side.
Asymmetric Encryption • Sender encrypts with receiver’s public key. • Receiver decrypts with his own private key. Thus, everybody can send encrypted messages to the receiver without needing to exchange a secret.
Digital Signature • Creator of message signs with own private key. • Everybody can verify the signature with the creator’s public key. • The correspondence of the creator’s person to the respective public key must be reliably known. • Signed messages are not encrypted.
4. Discrete Algebra Basics of modulo-arithmetics
Discrete Algebra Chapter Overview: • Definition of modulo-n arithmetics • Groups, Rings and Fields, Galois field • Multiplicative-inverse elements in mod n • Powers in mod n, related theorems • Chinese remainder theorem • Discrete logarithms
Groups An algebra on a finite or infinite set of elements satisfying the following axioms: • The sum of 2 arbitrary elements a+b is defined and is an element of this set. • The sum is associative: (a+b)+c=a+(b+c) • A null-element 0 exists, such that for any element a holds a+0=a • Every element a has an additive-inverse element a-1 such that a+a-1=0 is called a Group. Addition and subtraction are defined for groups.
Rings If all preceding axioms hold, plus: • The sum is commutative: a+b=b+a • The product of 2 arbitrary elements a·b is defined and is an element of this set. • The product is associative: (a·b)·c=a·(b·c) • The distributive law holds: a·(b+c)=a·b+a·c we have a Ring. Multiplication is defined for a ring along addition and subtraction.
Fields If all preceding axioms hold, plus: • The product is commutative: a·b=b·a • There is an one-element 1, such that a·1=a holds for every element a • Every element a≠0 has a multiplicative inverse element a-1, such that a·a-1=1 we have a Field. Division is defined for a field along multiplication, addition and subtraction.
Arithmetics mod n • For arithmetics modulo-n axioms 1 to 10 are valid. • For arithmetics modulo-p, where p is a prime number, axioms 1 to 11 are valid. We’ll show that every element a[0,n-1] can be replaced by any element of the same remainder class Ra. When the axioms are proven, the calculus rules of algebra apply.
Multiplicative-inverse elements • In modulo-n arithmetics, an element a≠0 with hcd(n,a)=1 has a multiplicative inverse element a-1. • One way to find it would be a search of 1·a,2·a,3·a,… which is not practical for large modules. • Another way is through the fact that hcd(n,a)=1=a·n+b·aThe above mod n yields 1=b·a mod n and thus a-1=b
Euler’s f-function The f-function for a natural number n is defined as: The quantity of numbers less than n, that are relatively prime to n f(n)=| {z[1,n-1] where hcd(n,z)=1} | Since for a prime number p all numbers z<p are relatively prime to it: f(p)=p-1
Euler’s f-function In the case where n=p·q, p≠q prime: f(p·q)=(p-1)·(q-1) because: f(p·q)=[p·q-1]-(p-1)-(q-1)= f(p·q)=(p-1)·(q-1) All possible numbers Multiples of q Multiples of p
Euler’s theorem af(n)≡1 (mod n) for a|hcd(n,a)=1 This is formula (4.4.2) since f(p)=p-1. The relation is also called “Small theorem of Fermat” ap-1≡1 (mod p), for a[1,p-1]
RSA Generalization (RSA: Rivest, Shamir, Adleman, inventors of the RSA algorithm) Take Euler’s theorem, exponentiate with iN and multiply with a: • af(n)≡1 (mod n) • (af(n))i≡1i ai·f(n)≡1 (mod n) • ai·f(n)+1≡a valid for a[0,n-1] with n=p or n=p·q, p≠q
5. Cryptographic Algorithms Symmetric and asymmetric encryption algorithms
Chapter Overview • DES • DES-based MAC • DES-based cryptohash-function • AES • IDEA • Block operation modes • RSA • El Gamal methods • Certificates
DES DES history: • Developed by IBM • Published in 1974 • ‘National Bureau of Standards’, today NIST, recognizes DES as a standard in 1977 • ‘American National Standards Institute’ recognizes DES as standard (ANSI X3.92) in 1981
DES DES attributes: • Symmetric algorithm • Block cipher: Message blocks of 64 bits. Encryption to cipher blocks of 64 bits. • Key of 64 bits. Significant key length is 56 bits, with 8 parity bits. |K|=256 64 bits mi 64 bits mi DES DES-1 Key k 64(56) bits Encryption Decryption 64 bits ci 64 bits ci
AES Encryption round Data block di-1: 128 bits/16 bytes AES key: 128/192/256 bits Transformations based on byte-operations - Substitution -Permutation - Intermix Round key derivation from AES key 10/12/14 depending on key size Data block di: 128 bits/16 bytes • No transformation box in initial round • No intermix for last round
AES Encryption round Transformations: • Substitution • Each byte is replaced by its multiplicative inverse value. • Bytes are used to represent polynomials of grade less than 8, due to modular reduction with an irreducible polynomial of grade 8. • Bytes are interpreted as elements of a finite field. Addition and multiplication are defined, but are not the same with the ones used for numbers. • Permutation • Interchange of byte positions. • Intermix • Matrix multiplication of bytes in the internal ‘State’.
AES Encryption round Key derivation: With keylength 128 bits, each round requires 128 bits. The key is split into 4 words of 4 bytes each. wi=wi-1 XOR wi-4 When i mod 4=0, key transformation (KT) is applied. KT involves byte shifts, substitutions and the addition of a ‘round constant’, powers of 2 in the GF(28). KT … w0 w1 w2 w3 w4 w5 w6 w7 Key for round 1 AES key =key for round 0
c1 m1 m2 c2 BA BA BA-1 BA-1 k k k k m1 c2 m2 c1 Block operation modes Electronic Codebook (ECB) ci=BA(mi), mi=BA-1(ci) Receiver: Decryption Sender: Encryption … … … … Time
Block operation modes Properties of ECB • Every block is independent of other blocks. • Same plaintext is encrypted to same ciphertext. • Error propagation: If an error occurs in a cipher block, only the respective plaintext block is affected. • Synchronization: If the receiver cannot synchronize block boundaries, decryption is impossible.
m1 BA k c1 Block operation modes Cipher Block Chaining (CBC) ci=BA(mici-1), mi=BA-1(ci)ci-1, c0=IV Receiver: Decryption Sender: Encryption m1 … c1 c2 … IV BA-1 BA-1 k k BA k IV … m1 m2 … c1
Block operation modes Properties of CBC • The initialization vector IV must be specified. It must not be secret. • A cipher block depends on IV and all plaintext blocks before it. Identical plaintexts are encrypted to different ciphertexts. • The sequence of the blocks is significant. If the sequence changes, the cipher changes. • Identical plaintext sequences are encrypted to identical cipher sequences, so different IVs should be used. • Error propagation: If an error occurs in a cipher block, this and the next plaintext block cannot be decrypted. • Synchronization: If synchronization is regained at this cipher block, the next plaintext block and all following ones can be decrypted.
BA BA k k Block operation modes Cipher Feedback (CFB) ci=BA(ci-1)mi, mi=BA(ci-1)ci, c0=IV Receiver: Decryption Sender: Encryption ci-1 ci-1 ci mi mi ci Similar properties to CBC. Messages shorter than blocksize possible.
BA BA k k Block operation modes Output Feedback (OFB) zi=BA(zi-1), ci=zimi, mi=zici, z0=IV Receiver: Decryption Sender: Encryption zi-1 mi zi-1 ci ci mi Shorter messages than blocksize possible
Block operation modes OFB properties • State sequence zi does not depend on the plaintext. • Corresponds to encryption with pseudonoise, with a random number generator with nonlinear feedback. • Error propagation: none. • Synchronization: If block boundary synchronization is lost, the system must be resynchronized.
RSA Creating an RSA key pair: We will work in arithmetics modulo n, with: n=p·q, p≠q prime f(n)=(p-1)·(q-1) We select one of the keys randomly, e.g. e, with the following restrictions: 1<e<f(n) and hcd(e,f(n))=1 The other key is the multiplicative inverse of e modulo f(n): e·d≡1 mod f(n)
RSA • A’s public key is thus: eA,n • A’s secret key is: dA The prime factors of n cannot be found out. (Difficult task of factorization) Euler’s theorem (ai·f(n)+1) mod n=a yields with e·d≡1 mod f(n): (me·d) mod n=m for 0≤m<n as i·f(n)+1≡1 mod f(n) as well. so, you encrypt a message by raising to one key (here e) and decrypt by raising to the other (here d), modulo n.
RSA Thus, the following formulas apply: Encryption: c=(me) mod n Decryption: (cd) mod n=(me)d mod n=m Signature: s=(md) mod n Verification: (se) mod n=(md)e mod n=m The operations are computationally intensive. (e.g. 1000 times slower than IDEA)
RSA Applications of RSA: • Digital signature on message hash-values. • Transmission of symmetric session keys in hybrid cryptography systems. Due to high complexity, RSA is not useful for bulk data encryption.
Chinese Remainder Theorem The Chinese remainder theorem calculates a number x mod n=p·q, when the remainders of x modulo p and modulo q are known. Known: (x mod p) and (x mod q) Result: (x mod n) with n=p·q
Chinese Remainder Theorem The hcd of two natural numbers p and q with no common factors can be written as: hcd(p,q)=1=s·p+t·q where s and t can be calculated with the extended Euclidean algorithm. With a=x mod p and b=x mod q known, we can deduce x=(b·s·p+a·t·q) mod n=p·q See proof in script, p.38.