1 / 52

Cryptography

Cryptography. ECT 582 – Winter 2004 Robin Burke. Discussion. Outline. Background Symmetric encryption Cryptographic attacks Public-key encryption Protecting message integrity Digital signatures Cryptographic software. Why cryptography?. Two roles confidentiality integrity

neil
Télécharger la présentation

Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography ECT 582 – Winter 2004 Robin Burke

  2. Discussion

  3. Outline • Background • Symmetric encryption • Cryptographic attacks • Public-key encryption • Protecting message integrity • Digital signatures • Cryptographic software

  4. Why cryptography? • Two roles • confidentiality • integrity • Essential security properties • especially important on a public network

  5. Cryptography in History • Very old • probably as old as writing • Hebrew ATBASH cipher • 500-600 BC • Julius Caesar's substitution cipher • 50-60 BC

  6. Basic idea • Plaintext (P) • message to send • Alice • sender • Bob • recipient • Eve • eavesdropper • Ciphertext (C) • scrambled version of the message • Algorithm • technique for turning P into C (and back)

  7. How it works • The algorithm f is a secret • shared by A and B • Process • A computes f(P) = C • Transmits C to B • B computes f'(C) = P • E doesn't know the secret

  8. Problem • Secret algorithms hard to develop • Once disclosed • all messages readable

  9. Better solution • f is a function of two values • f(k, P) = C • Usually reversible • f' (k, C) = P • k = the secret key

  10. Symmetric encryption • Alice and Bob perform the same operation • same key k • Benefits • Algorithm doesn't have to be secret • Disclosure of one key leaves other message still protected

  11. New problem • Shared secret • Alice and Bob need to know k • Why can't Alice encrypt k and send it to Bob?

  12. Attacks confidentiality • Brute force • try every possible key • Cryptanalysis • use properties of encrypted message to narrow range of possible keys

  13. Cryptographic algorithms • Very difficult to develop • Existing algorithms • DES • obsolete • Triple DES • RCx • AES • IDEA • Blowfish

  14. Differences • Key size • Variable • Fixed size • Proprietary vs open • History • Cryptographic strength

  15. The Real Issue • Plaintext contains information • Ciphertext should "look random" • no information for cryptanalysis • How to do this • spread the information around • use the key as a seed for a complex pattern

  16. Brute force effort • We assume that keys are chosen randomly • all bit patterns equally likely • Three bit key • 23 = 8 possibilities from 000 to 111 • How long to guess? • on average 4 guesses will be enough

  17. Key Size • Larger key protects against a brute force attack • 56 bits = 72 quintillion keys • But • "Deep Crack" 90 billion keys / sec. • distributed.net 250 billion keys / sec.

  18. Key Space • Whole key space isn't used? • less space to search • this can make a big difference • Passwords = poor keyspace • Can only use keyboard characters • People often use only a fraction of that

  19. Sharing Secret Data • How do A and B agree on k? • Need an alternative secure channel • Solvable for spies • Unsolvable for the Internet

  20. Public-key encryption • asymmetric • one key to encipher • another to decipher • A pair of functions • f1 (k1, P) = C • f2 (k2, C) = P • Public key = k1 • Private key = k2

  21. What's the big deal? • Shared secret no longer needed • k1 can be divulged to the world • All it can do is encrypt • k2 must be secret

  22. Encryption mode • Alice gets Bob's public key b1 • Alice computes f1 (b1, P) = C • Bob receives C • Bob computes f2 (b2, C) = P

  23. Authentication mode • Alice computes f2 (a2, P) = C • Bob computes f1 (a1, C) = P • anyone could do this • No privacy • but identifies origin • only Alice could have encoded C

  24. Public-key algorithms • Very, very difficult to create • Algorithms • Diffie-Helman / ElGamal • RSA • Elliptic curve

  25. RSA • Select e • Select p and q • prime • p-1 and e have no common divisors • q-1 and e also • public modulus n = pq • private modulus d • (de – 1) divisible by (p – 1) and (q – 1)

  26. RSA continued • public key • n + e • private key • n + d • Pe mod n = C • Cd mod n = P

  27. Example: key generation • e = 5, p = 7, q = 17 • n = 119 • d = 77 • de – 1 = 384. divisible by 6 and 16. • k1 = (5, 119) • k2 = (77, 119),

  28. Example: encryption • Encryption • P = 65 (ASCII 'A') • C = 655 mod 119 = 46 • Decryption • C = 46 • P = 4677 mod 119 = 65

  29. Example: authentication • P = 65 • Authenticate • S = 6577 mod 119 = 39 • Send S, k1 • Verify • P = 395 mod 119 = 65 • Only the private key holder could have sent

  30. ElGamal • RSA depends on the mathematical properties of primes • factoring of a large n • into primes p and q • ElGamal • uses "discrete logarithm"

  31. ElGamal • Alice and Bob agree on • prime number p • generator a • Generation step • Alice generates a random number x • Bob generates a random number y • Exchange step • Alice sends Bob ax mod p • Bob sends Alice ay mod p • Shared key • Alice and Bob both compute K = axy mod p

  32. ElGamal • Eve listening • knows a and p • learns ax mod p and ay mod p • but cannot recover K • Note • Bob won't learn x either • Not useful for encryption • "One-way function"

  33. Public key version • Bob generates both x and y • public key is ay mod p

  34. Practical Cryptographic Implementation • PGP • Uses RSA for public-key crypto • Problem • too slow • Solution • Use IDEA • Generate a symmetric key • Share it using RSA

  35. PGP Dataflow

  36. Protecting integrity • Message Authentication Code • Process • Alice writes P • Alice computes m(P) = M • Alice sends Bob P + M • Bob computes m(P). Compares M • Useful even if P is not encrypted

  37. Attacks • If Eve modifies P  P' • Bob computes m(P'). • Won't match M • What if Eve modifies P  P' and • also computes m(P') = M' • sends P' + M' • m also needs a shared secret • m(k, P)

  38. MAC Features • should be much shorter than the original message • small change in message should result in very different MAC • difficult to reverse engineer

  39. Digital Signatures • MAC does not support non-repudiation • Bob could receive P + M • verify that it came from Alice • But Bob could also alter P  P' • recompute m(k, P') = M' • Tell the judge that Alice sent P' + M' • how to prove otherwise

  40. Digital Signature • Authentication • Only Alice can compute • f2 (k2, P) = C • Combine with a message • P + C • Now anyone can check that P matches C • Bob could not generate C

  41. DSA • Federal standard • Uses a variant of ElGamal • Three public values • p = prime modulus • q = prime divisor of p-1 • g = j (p-1)/q mod p • where j is a random integer < p

  42. To sign • Generate a hash h of P • Pick a random number k • Generate two values • r = (gk mod p) mod q • s = (k-1 (h + kr) mod q • where (k-1 k) mod q = 1 • Send message P + r + s

  43. To verify • (complicated) • Receive message P' with r' and s' • Compute hash h' of received P' • w = s'-1 mod q • u1 = h' w mod q • u2 = r' w mod q • v = (gu1 yu2 mod p) mod q • r' should equal v

  44. Attacker • Knows p, q, and g • Does not know k • Infeasible to compute the r, s pair without knowing k

  45. Elliptic curve • Math is very complex • But the basic idea is that we define a curve • y2 + xy = x3 + ax2 + b • the parameters of the curve are the secret knowledge

  46. Encryption • P and Q are points on the curve • P+Q is defined geometrically • k*P = C

  47. Encryption, cont'd • A specific base point G is selected and published for use with the curve E(q). • A private key k is selected as a random integer; • the value P = k*G is published as the public key • If Alice and Bob have private keys kA and kB, and public keys PA and PB, then • Alice can calculate kA*PB = (kA*kB)*G; and Bob can compute the same value as kB*PA = (kB*kA)*G.

  48. Elliptic curve • Benefits • Faster to compute than RSA or ElGamal • Computationally "harder" inverse problem = better security for same key size • Drawback • still somewhat new • maybe flaws not yet known

  49. Attacking digital signatures • Bob wants to send Alice a secure message P • Eve wants to modify it • Bob signs P with private key kb1, creating MAC M • Bob sends P + M + kb2 to Alice • Eve intercepts this message • Eve creates a modified message P' • Signs it with her private key ke1 • Sends P' + M' + ke2 • Alice gets P' • Verifies the signature against the public key • Eve wins

  50. Man in the middle • The "man in the middle" can masquerade as the sender • DSA has no authentication defense • We know • the message was unchanged since signing • whoever signed it used the private key that matches the supplied public key • We don't know • that the signer is actually the sender • who does the public key belong to?

More Related