1 / 48

Brief Overview of Cryptography

Brief Overview of Cryptography. Outline. cryptographic primitives symmetric key ciphers block ciphers stream ciphers asymmetric key ciphers cryptographic hash functions protocol primitives block cipher operation modes “enveloping” message authentication codes digital signatures

noma
Télécharger la présentation

Brief Overview of Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Brief Overview of Cryptography

  2. Outline • cryptographic primitives • symmetric key ciphers • block ciphers • stream ciphers • asymmetric key ciphers • cryptographic hash functions • protocol primitives • block cipher operation modes • “enveloping” • message authentication codes • digital signatures • key management protocols • session key establishment with symmetric and asymmetric key techniques • Diffie-Hellman key exchange and the man-in-the-middle attack • public key certification

  3. Operational model of encryption Ek(x) ciphertext • Kerckhoff’s assumption: • attacker knows E and D • attacker doesn’t know the (decryption) key • attacker’s goal: • to systematically recover plaintext from ciphertext • to deduce the (decryption) key • attack models: • ciphertext-only • known-plaintext • (adaptive) chosen-plaintext • (adaptive) chosen-ciphertext E D x plaintext Dk’(Ek(x)) = x attacker k encryption key k’ decryption key Cryptographic primitives

  4. pseudo-random bit stream generator stream ciphers seed plaintext ciphertext ... ... + block ciphers plaintext ciphertext block cipher padding key Symmetric key encryption • it is easy to compute k from k’ (and vice versa) • often k = k’ • two main types: stream ciphers and block ciphers Cryptographic primitives

  5. One-time pad – theoretical vs. practical security • one-time pad • a stream cipher where the key stream is a true random bit stream • unconditionally secure (Shannon, 1949) • however, the key must be as long as the plaintext to be encrypted • practical ciphers • use much shorter keys • are not unconditionally secure, but computationally infeasible to break • however, proving that a cipher is computationally secure is not easy • not enough to consider brute force attacks (key size) only • a cipher may be broken due to weaknesses in its (algebraic) structure • no proofs of security exist for many ciphers used in practice • if a proof exists, it usually relies on assumptions that are widely believed to be true (such as P ¹ NP) Cryptographic primitives

  6. input size: 64, output size: 64, key size: 56 16 rounds Feistel structure F need not be invertible decryption is the same as encryption with reversed key schedule (hardware implementation!) DES – Data Encryption Standard X (64) Initial Permutation (32) (32) F (48) + K1 F + (48) K2 Key Scheduler (56) K F + (48) K3 … Cryptographic primitives F (48) + K16 Initial Permutation-1 Y (64)

  7. DES round function F • Si – substitution box (S-box) (look-up table) • P – permutation box (P-box) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + S1 S2 S3 S4 S5 S6 S7 S8 P Cryptographic primitives

  8. Left shift(s) Left shift(s) Left shift(s) Left shift(s) Permuted Choice 2 Permuted Choice 2 DES key scheduler K • each key bit is used in around 14 out of 16 rounds (56) Permuted Choice 1 (28) (28) (28) (28) (48) K1 (48) K2 Cryptographic primitives …

  9. AES – Advanced Encryption Standard • NIST selected Rijndael (designed by Joan Daemen and Vincent Rijmen) as a successor of DES (3DES) in November 2001 • Rijndael parameters • key size 128 192 256 • input/output size 128 128 128 • number of rounds 10 12 14 • round key size 128 128 128 • not Feistel structure • decryption algorithm is different from encryption algorithm (optimized for encryption) • single 8 bit to 8 bit S-box • key injection (bitwise XOR) Cryptographic primitives

  10. General structure of Rijndael encryption/decryption plaintext plaintext w[0..3] add round key add round key inverse subs bytes round 10 substitute bytes inverse shift rows shift rows round 1 mix columns inverse mix columns w[4..7] add round key add round key round 9 inverse subs bytes inverse shift rows expanded key substitute bytes shift rows round 9 mix columns inverse mix columns w[36..39] add round key add round key Cryptographic primitives round 1 inverse subs bytes substitute bytes inverse shift rows round 10 shift rows w[40..43] add round key add round key ciphertext ciphertext

  11. 2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2 x = multiplications and additions are performed over GF(28) Rijndael – Shift row and mix column shift row s00 s01 s02 s03 s00 s01 s02 s03 s10 s11 s12 s13 LROT1 s11 s12 s13 s10 s20 s21 s22 s23 LROT2 s22 s23 s20 s21 s30 s31 s32 s33 LROT3 s33 s30 s31 s32 mix column Cryptographic primitives s00 s01 s02 s03 s’00 s’01 s’02 s’03 s10 s11 s12 s13 s’10 s’11 s’12 s’13 s20 s21 s22 s23 s’20 s’21 s’22 s’23 s30 s31 s32 s33 s’30 s’31 s’32 s’33

  12. Rijndael – Key expansion k0 k4 k8 k12 • function g • rotate word • substitute bytes • XOR with round constant k1 k5 k9 k13 k2 k6 k10 k14 k3 k7 k11 k15 w0 w1 w2 w3 g + + + + w4 w5 w6 w7 g Cryptographic primitives + + + + w8 w9 w10 w11 …

  13. RC4 stream cipher • initialization (input: a seed K of keylen bytes) for i = 0 to 255 do S[i] = i; T[i] = K[i mod keylen]; • initial permutation j = 0; for i = 0 to 255 do j = (j + S[i] + T[i]) mod 256; swap(S[i], S[j]); • stream generation (output: a stream of pseudo-random bytes) i, j = 0; while true i = (i + 1) mod 256; j = (j + S[i]) mod 256; swap(S[i], S[j]); t = (S[i] + S[j]) mod 256; output S[t]; Cryptographic primitives

  14. Asymmetric key encryption Ek(x) ciphertext • breakthrough of Diffie and Hellman, 1976 • it is hard (computationally infeasible) to compute k’ from k • k can be made public (public-key cryptography) E D x plaintext Dk’(Ek(x)) = x attacker k encryption key k’ decryption key Cryptographic primitives

  15. RSA (Rivest, Shamir, Adleman, 1978) • basis • computing xe mod n is easy but x1/e mod n is hard (n is composite) • intractability of integer factoring • key generation • select p, q large primes (about 500 bits each) • n = pq, f(n) = (p-1)(q-1) • select e such that 1 < e < f(n) and gcd(e, f(n)) = 1 • compute d such that ed mod f(n) = 1 (this is easy if p and q are known) • public key is (e, n) • private key is d • encryption c = me mod n where m < n is the message • decryption cd mod n = m Cryptographic primitives

  16. Proof of RSA decryption • Fermat’s theorem Let r be a prime. If gcd(a, r) = 1, then ar-1 mod r = 1. • Euler’s generalization For every a and n where gcd(a, n) = 1, af(n) mod n = 1. • RSA decryption cd mod n = (me mod n)d mod n = med mod n = mkf(n)+1 mod n = m*(mf(n))k mod n = m*(mf(n) mod n)k mod n  if gcd(m, n) = 1 = m mod n = m Cryptographic primitives

  17. Proof of RSA decryption cont’d • RSA decryption if gcd(m, n) > 1 • either p|m or q|m • assume without loss of generality that p|m • note that in this case, q|m cannot hold since otherwise m ³ pq = n • this means that gcd(m, q) = 1 cd mod p = med mod p = 0 cd mod q = med mod q = mk(p-1)(q-1)+1 mod q = m*(m (q-1)) k(p-1) mod q = m*(m (q-1) mod q) k(p-1) mod q = m mod q  p,q|(cd – m)  cd – m= spq = sn  cd = sn + m  cd mod n = m mod n = m

  18. Cryptographic hash functions • requirements • one-way: given a hash value y, it is computationally infeasible to find a message x such that h(x) = y • weak collision resistance: given a message x, it is computationally infeasible to find another message x’ such that h(x) = h(x’) • (strong) collision resistance: it is computationally infeasible to find two messages x and x’ such that h(x) = h(x’) message of arbitrary length hash function fix length message digest / hash value / fingerprint Cryptographic primitives

  19. How long should a hash value be? • birthday paradox • P(n, k) = Pr{ there exists at least one duplicate among k items where each item can take on one of n equally likely values} • P(n, k) > 1 – exp( -k*(k-1)/2n ) • Q: What value of k is needed such that P(n, k) > 0.5 ? • A: k should approximately be n0.5 • e.g., P(365, 23) > 0.5 • birthday paradox applied to hash function h • n is the number of possible hash values • one can find a collision among n0.5 messages with probability greater than 0.5 • if output size of h is 64 bits, then n0.5 is 232 too small • output size should be at least 128 but 160 is even better Cryptographic primitives

  20. General structure of hash functions • if the compression function f is collision resistant, then so is the iterated hash function (Merkle and Damgard, 1989) • if necessary, the final block is padded to b bits • the final block also includes the total length of the input (this makes the job of an attacker more difficult) XL X2 X3 X1 (b) (b) (b) (b) (n) f f f f (n) (n) (n) h(X) (n) … CV0 CVL-1 CV2 CV3 CV1 Cryptographic primitives

  21. SHA1 – Secure Hash Algorithm • output size (n): 160 bits • input block size (b): 512 bits • padding is always used • CV0 A = 67 45 23 01 B = EF CD AB 89 C = 98 BA DC FE D = 10 32 54 76 E = C3 D2 E1 F0 64 bits last input block 10000000 … 00000 length 512 bits Cryptographic primitives

  22. SHA1 compression function f CVi - 1 Xi (5 x 32 = 160) (512) f[0..19], K[0..19], W[0..19] 20 steps D E B C A f[20..39], K[20..39], W[20..39] 20 steps D E B C A f[40..59], K[40..59], W[40..59] 20 steps D E B C A f[60..79], K[60..79], W[60..79] 20 steps Cryptographic primitives mod 232 additions + + + + + CVi

  23. SHA1 compression function f cont’d A B C D E mod 232 additions f[t] + LROT5 + W[t] + LROT30 K[t] + A B C D E Cryptographic primitives

  24. SHA1 compression function f cont’d • f[t](B, C, D) t = 0..19 f[t](B, C, D) = (B Ù C) Ú (ØB Ù D) t = 20..39 f[t](B, C, D) = B Å C Å D t = 40..59 f[t](B, C, D) = (B Ù C) Ú (B Ù D) Ú (C Ù D) t = 60..79 f[t](B, C, D) = B Å C Å D • W[t] W[0..15] = Xi t = 16..79 W[t] = LROT1(W[t-16] Å W[t-14] Å W[t-8] Å W[t-3]) • K[t] t = 0..19 K[t] = 5A 82 79 99 [230 x 21/2] t = 20..39 K[t] = 6E D9 EB A1 [230 x 31/2] t = 40..59 K[t] = 8F 1B BC DC [230 x 51/2] t = 60..79 K[t] = CA 62 C1 D6 [230 x 101/2] Cryptographic primitives

  25. C1 P1 CN PN C2 P2 E D K K E D E D K K K K C1 P1 CN PN C2 P2 Block cipher operation modes – ECB • Electronic Codebook (ECB) • encrypt • decrypt … … Protocol primitives

  26. PN P1 P2 P3 + + + + E E E E K K K K CN-1 C1 C3 C2 CN C2 C1 C3 D D D D K K K K + + + + PN P1 P2 P3 Block cipher operation modes – CBC • Cipher Block Chaining (CBC) • encrypt • decrypt IV CN-1 … Protocol primitives IV CN-1

  27. Block cipher operation modes – CFB • Cipher Feedback (CFB) • encrypt – decrypt initialized with IV initialized with IV (s) (s) shift register (n) shift register (n) (n) (n) E E K K (n) (n) select s bits select s bits (s) (s) (s) (s) (s) (s) Protocol primitives Pi Ci Ci Pi + +

  28. Block cipher operation modes – OFB • Output Feedback (OFB) • encrypt – decrypt initialized with IV initialized with IV (s) (s) shift register (n) shift register (n) (n) (n) E E K K (n) (n) select s bits select s bits (s) (s) Protocol primitives (s) (s) (s) (s) Pi Ci Ci Pi + +

  29. Block cipher operation modes – CTR • Counter (CTR) • encrypt – decrypt • advantages • efficiency (parallelizable) • random access (the i-th block can be decrypted independently of the others) • preprocessing (the values to be XORed with the plaintext can be pre-computed) • security (at least as secure as the other modes) • simplicity (does not need the decryption algorithm) counter + i counter + i (n) (n) E E K K (n) (n) (n) (n) (n) (n) Ci Pi Pi Ci + + Protocol primitives

  30. Enveloping • public-key encryption is slow (~1000 times slower than symmetric key encryption) • it is mainly used to encrypt symmetric bulk encryption keys plaintext message generate random symmetric key symmetric-key cipher (in CBC mode) bulk encryption key asymmetric-key cipher public key of the receiver Protocol primitives digital envelop

  31. Message Authentication Codes (MAC) • used to protect the integrity of messages • also called cryptographic checksums • computation of a MAC involves a secret (shared key) • can be based on an encryption function E Y1 = EK(X1) Yi = EK(Xi + Yi-1) MACK(X) = Ylast • or a hash function h MACK(X) = h(X|K) • or both MACK(X) = EK(h(X)) Protocol primitives

  32. HMAC • definition HMACK(X) = h( (K+ + opad) | h( (K+ + ipad) | X ) ) where • h is a hash function with input block size b and output size n • K+ is K padded with 0s on the left to obtain a length of b bits • ipad is 00110110 repeated b/8 times • opad is 01011100 repeated b/8 times • + is XOR and | is concatenation • design objectives • to use available hash functions • easy replacement of the embedded hash function • preserve performance of the original hash function • handle keys in a simple way • allow mathematical analysis Protocol primitives

  33. Digital signatures • similar to MACs but • unforgeable by the receiver • verifiable by a third party • used for message authentication and non-repudiation (of message origin) • based on public-key cryptography • signature generation is based on the private key of the sender • signature verification is based on the public key of the sender • example: RSA based digital signature • public key: (e, n); private key: (d, n) • signature generation (input: m; output: s) s(m) = md mod n • signature verification (input: s, m; output: yes/no) se mod n = m? Protocol primitives

  34. “Hash and sign” paradigm • motivation: public/private key operations are slow • approach: hash the message first and apply public/private key operations to the hash only private key of sender generation signature message hash enc h signature message hash dec h Protocol primitives verification compare public key of sender yes/no

  35. ElGamal signature scheme • key generation • generate a large random prime p and select a generator g of Zp* • select a random integer 0 < a < p-1 • compute A = ga mod p • public key: ( p, g, A ) private key: a • signature generation for message m • select a random secret integer 0 < k < p – 1 such that gcd(k, p – 1) = 1 • compute k-1 mod (p – 1) • compute r = gk mod p • compute s = k-1( h(m) – ar ) mod (p – 1) • signature on m is (s, r) Protocol primitives

  36. ElGamal signature scheme cont’d • signature verification • obtain the public key (p, g, A) of the signer • verify that 0 < r < p; if not then reject the signature • compute v1 = Arrs mod p • compute v2 = gh(m) mod p • accept the signature iff v1 = v2 • proof that signature verification works s º k-1( h(m) – ar ) (mod p – 1) ks º h(m) – ar (mod p – 1) h(m) º ks + ar (mod p – 1) gh(m)º gar+ksº (ga)r(gk)sº Arrs (mod p) thus, v1 = v2 is required Protocol primitives

  37. How to establish a shared symmetric key? • manually • pairwise symmetric keys are established manually • inflexible and doesn’t scale • with symmetric-key cryptography • long-term symmetric keys are established manually between each user and a Key Distribution Center (KDC) • cryptographic protocols that use these long-term keys are used to setup short-term (session) keys • the KDC must be fully trusted • with asymmetric-key cryptography • the symmetric key is encrypted with the public key of the intended receiver • how to obtain an authentic copy of the public key of the receiver? Key management

  38. generate Kab A, { B, Kab, Ta }Kas A, { B, Kab, Ts’ }Kas B, { A, Kab, Ts }Kbs { A, Kab, Ts(n) }Kbs { A, Kab, Ts’’ }Kbs { B, Kab, Ts’ }Kas { A, Kab, Ts }Kbs M (impersonating A and B) S B The Wide-Mouth-Frog protocol • a vulnerability A S B Key management ...

  39. A, B, Na generate Kab { Na, B, Kab, {Kab, A}Kbs }Kas { Kab, A }Kbs { Nb }Kab { Nb -1}Kab The Needham-Schroeder protocol (1978) • Denning and Sacco attack (1981) • message 3 doesn’t contain anything fresh for B • an attacker can cryptanalyze an old session key Kab and replay message 3 to B • the attacker can finish the protocol • B will think he shares a key Kab with A, but A is not involved at all S A B Key management

  40. { A, Na }Kb { Na, Nb }Ka { Nb }Kb { A, Na }Km { A, Na }Kb { Na, Nb }Ka { Na, Nb }Ka { Nb }Km { Nb }Kb Public-key Needham-Schroeder (1978) • since Na and Nb are known only to A and B, one may suggest that they can generate a key as f(Na, Nb) • Lowe’s attack (1995) A B M A B Key management

  41. A B Diffie-Hellman key exchange (1976) Initially known: p large prime g generator of Zp* Alice Bob generate random number 0 < a < p-1 and calculate A = ga mod p generate random number 0 < b < p-1 and calculate B = gb mod p calculate K= Ab mod p = gab mod p calculate K= Ba mod p = gab mod p Key management

  42. A, Ka { message }Ka A B M A, Ka A, Km { message }Km { message }Ka Man-in-the-middle attack • consider the following protocol • the MiM attack A B Key management

  43. Public-key certificates • a certificate is data structure that contains • the public key • name of the owner of the public key • name of the issuer • date of issuing • expiration date • possibly other data • signature of the issuer • issuers are usually trusted third parties called Certification Authorities (CA) • need not be on-line • certificates are distributed through on-line databases called Certificate Directories • need not be trusted Key management

  44. Single CA • every public key is certified by a single CA • each user knows the public key of the CA • each user can verify every certificate • note: the CA must be trusted for issuing correct certificates • problem: doesn’t scale CA … CA structures

  45. Certificate chains • first certificate can be verified with a known public key • each further certificate can be verified with the public key from the previous certificate • last certificate contains the target key (Bob’s public key) • note: every issuer in the chain must be trusted (CA0, CA1, CA2) CA2 KCA2 CA1 KCA1 Bob KBob KCA0 KCA2-1 KCA0-1 KCA1-1 CA structures

  46. CA structures • each user knows the public key of the root CA0 CA0 CA2 CA1 CA3 CA31 CA32 CA11 CA12 CA23 Alice Bob CA structures

  47. CA structures cont’d • each user knows the public key of its local CA CA0 CA2 CA1 CA3 CA31 CA32 CA11 CA12 CA23 Alice Bob CA structures

  48. CA structures cont’d • each user knows the public key of her root CA CA1 CA3 CA31 CA32 CA11 CA12 CA2 Alice Bob CA structures

More Related