1 / 60

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

tilden
Télécharger la présentation

Modern Cryptography Lecture 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 4 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Proposal due: Feb 21 • I’ll send you comments on your preproposal. • 2nd assignment is due 2/14 2:15 PM. • Check Calendar

  3. Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x  X, but it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  4. Security: Overview

  5. Attacks Normal Flow Destination Source Interruption: Availability Interception: Confidentiality Destination Destination Source Source Modification: Integrity Fabrication: Authenticity Destination Destination Source Source

  6. Taxonomy of Attacks • Passive attacks • Eavesdropping • Traffic analysis • Active attacks • Masquerade • Replay • Modification of message content • Denial of service

  7. Big picture Trusted third party (e.g. arbiter, distributor of secret information) Bob Alice Information Channel Message Message Secret Information Secret Information Eve

  8. Terminology for Encryption • M denotes a set called the message space • M consists of strings of symbols from an alphabet • An element of M is called a plaintext • C denotes a set called the ciphertext space • C consists of strings of symbols from an alphabet • An element of C is called a ciphertext • K denotes a set called the key space • An element of K is called a key • Ee is an encryption function where e  K • Dd called a decryption function where d  K

  9. Symmetric-key encryption • Encryption scheme is symmetric-key • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e • Usually e = d • Block Cipher • Breaks plaintext into block of fixed length • Encrypts one block at a time • Stream Cipher • Takes a plaintext string and produces a ciphertext string using keystream • Block cipher with block length 1

  10. Symmetric Key Encryption • Why do we use key? • Or why not use just a shared encryption function? Adversary c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  11. SKE with Secure Channel Adversary e Secure channel Key source e c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  12. Public-key Encryption (Crypto) • Every entity has a private key SKand a public key PK • Public key is known to all • It is computationally infeasible to find SK from PK • Only SK can decrypt a message encrypted by PK • If A wishes to send a private message M to B • A encrypts M by B’s public key, C = EBPK(M) • B decrypts C by his private key, M = DBSK(C)

  13. PKE with Insecure Channel Passive Adversary e Insecure channel Key source d c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  14. e e’ Ee’(m) e Ee(m) Public key should be authentic! • Need to authenticate public keys Ee(m)

  15. Digital Signatures • Primitive in authentication and non-repudiation • Signature • Process of transforming the message and some secret information into a tag • Nomenclature • M is set of messages • S is set of signatures • SA is signature transformation from M to S for A, kept private • VA is verification transformation from M to S for A, publicly known

  16. Definitions • Digital Signature - a data string which associates a message with some originating entity • Digital Signature Generation Algorithm – a method for producing a digital signature • Digital signature verification algorithm – a method for verifying that a digital signature is authentic (i.e., was indeed created by the specified entity). • Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

  17. Digital Signature with Appendix • Schemes with appendix • Requires the message as input to verification algorithm • Rely on cryptographic hash functions rather than customized redundancy functions • DSA, ElGamal, Schnorr etc.

  18. Mh x S VA u 2{True, False} Digital Signature with Appendix M Mh S SA,k h m mh s* s* = SA,k(mh) u = VA(mh, s*)

  19. Hash function and MAC • A hash function is a function h • compression — h maps an input x of arbitrary finite bitlength, to an output h(x) of fixed bitlength n. • ease of computation — h(x) is easy to compute for given x and h • Properties • one-way: for a given y, find x’ such that h(x’) = y • collision resistance: find x and x’ such that h(x) = h(x’) • MAC (message authentication codes) • both authentication and integrity • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance: given (x’,hk(x’)) it is infeasible to compute a new pair (x, hk(x)) for any new x x’

  20. Message Authentication Code MAC • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance: given (x’,hk(x’)) it is infeasible to compute a new pair (x, hk(x)) for any new x x’ • Typical use • A ! B: (x, H = hk(x)) • B: verifies if H = hk(x) • Properties • Without k, no one can generate valid MAC. • Without k, no one can verify MAC. • both authentication and integrity

  21. Authentication • How to prove your identity? • Prove that you know a secret information • When key K is shared between A and Server • A  S: HMACK(M) where M can provide freshness • Why freshness? • Digital signature? • A  S: SigSK(M) where M can provide freshness • Comparison?

  22. Encryption and Authentication • EK(M) • Redundancy-then-Encrypt: EK(M, R(M)) • Hash-then-Encrypt: EK(M, h(M)) • Hash and Encrypt: EK(M), h(M) • MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M) • MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

  23. Key Management Through SKE • Each entity Ai shares symmetric key Ki with a TTP • TTP generates a session key Ks and sends EKi(Ks) • Pros • Easy to add and remove entities • Each entity needs to store only one long-term secret key • Cons • Initial interaction with the TTP • TTP needs to maintain n long-term secret keys • TTP can read all messages • Single point of failure

  24. Authentication • Authentication • Message (Data origin) authentication • provide to one party which receives a message assurance of the identity of the party which originated the message. • Entity authentication (identification) • one party of both the identity of a second party involved, and that the second was active at the time the evidence was created or acquired.

  25. Key Management • Key establishment • Process to whereby a shared secret key becomes available to two or more parties • Subdivided into key agreement and key transport. • Key management • The set of processes and mechanisms which support key establishment • The maintenance of ongoing keying relationships between parties

  26. Key Management Through SKE • Pros • Easy to add and remove entities • Each entity needs to store only one long-term secret key • Cons • Initial interaction with the TTP • TTP needs to maintain n long-term secret keys • TTP can read all messages • Single point of failure KA, KB 1. A, B 2. EKA(SK), EKB(SK) 3. ESK(“Hi”), EKB(SK) 4. ESK(“Hi, Alice”) KA KB

  27. Key Management Through PKE • Advantages • TTP not required • Only n public keys need to be stored • The central repository could be a local file • Problem • Public key authentication problem • Solution • Need of TTP to certify the public key of each entity 0xDAD12345 Alice 0xBADD00D1 Bob 1. Alice, PKA 2. Bob, PKB SKA,PKA SKB,PKB

  28. Public Key Certificates • Entities trust a third party, who issues a certificate • Certificate = (data part, signature part) • Data part = (name, public-key, other information) • Signature = (signature of TTP on data part) • If B wants to verify authenticity of A’s public key • Acquire public key certificate of A over a secured channel • Verify TTP’s signature • If signature verified A’s public key in the certificate is authentic

  29. ID-based Cryptography • No public key • Public key = ID (email, name, etc.) • PKG • Private key generation center • SKID = PKGS(ID) • PKG’s public key is public. • distributes private key associated with the ID • Encryption: C= EID(M) • Decryption: DSK(C) = M

  30. Discussion (PKI vs. Kerberos vs. IBE) • On-line vs. off-line TTP • Implication? • Non-reputation? • Revocation? • Scalability? • Trust issue?

  31. Kerckhoff’s Principle • Security should depend only on the key • Don’t assume enemy won’t know algorithm • Can capture machines, disassemble programs, etc. • Too expensive to invent new algorithm if it might have been compromised • Security through obscurity isn’t • Look at history of examples • Better to have scrutiny by open experts • “The enemy knows the system being used.” (Claude Shannon)

  32. Classical and Block Ciphers

  33. Some History: Caesar Cipher I LOVE YOU K NQXG AQW

  34. Historical (Primitive) Ciphers • Shift (e.g., Caesar): Enck(x) = x+k mod 26 • Affine: Enck1,k2(x) = k1 *x + k2 mod 26 • Substitution: Encperm(x) = perm(x) • Vernam: one-time pad (OTP)

  35. Analysis • Kerckhoff’s Principle • Shift cipher • Average number of trials = 26/2 = 13 :-) • Substitution cipher

  36. Vernam One-time pad • C = P  K • Vernam offers perfect information-theoretic security, but: • How long does the OTP keystream needs to be? • Key length = Plaintext length = Ciphertext length • How do Alice and Bob exchange the keystream?

  37. Average time for exhaustive key search

  38. Block Cipher • Definition • Modes of operation • Strengthening Block Cipher • Product/Feistel Cipher • DES

  39. Block Cipher • E: VnKVn • Vn = {0,1}n, K = {0, 1}k, n is called block length, k is called key size • E(P, K) = C for K  K and P, C  Vn • E(P, K) = EK(P) is invertible mapping from Vn to Vn • EK: encryption function • D(C, K) = DK(C) is the inverse of EK • Dk: decryption function P (plaintext) P (plaintext) E K Key EK C (ciphertext) C (ciphertext)

  40. Evaluation of Block Cipher • Estimated security level: sufficient scrutiny by expert cryptanalysis • Key size • Throughput • Block size • Block size impacts both security (larger is desirable) and complexity (larger is more costly to implement). • Complexity of cryptographic mapping • Algorithmic complexity affects the implementation costs both in terms of development and fixed resources • Data expansion • Error propagation

  41. k D Modes of Operation • A block cipher encrypts plaintext in fixed-size n-bit blocks (often n =128). What happens if your message is greater than the block size? xj c0=IV Cj-1 xj k E E-1 k k E Cj-1 xj’ xj’ I1=IV Ij Ij Ij Ij I1=IV k E E k k E E k Oj Oj Oj Oj xj xj’ xj xj’

  42. Modes of Operation • ECB • Encryption: cjEK(xj) • Decryption: xj E−1K (cj) • CBC • Encryption: c0 IV, cj EK(cj−1 xj) • Decryption: c0 IV, xj cj−1  E−1K(cj) • CFB • Encryption: I1 IV, cj xj EK(Ij), Ij+1 = cj • Decryption: I1 IV, xj cj EK(Ij), Ij+1 = cj • OFB • Encryption: I1 IV, oj = EK(Ij), cj xj oj, Ij+1 = oj • Decryption: I1 IV, oj = EK(Ij), xj cj oj, Ij+1 = oj

  43. Modes of Operation (CTR) CTR CTR+1 CTR+N-1 k E k E k E x1 x2 xN c1 c2 cN CTR CTR+1 CTR+N-1 k E k E k E c1 c2 cN x1 x2 xN

  44. CTR advantages • Hardware efficiency • Parallelizable • Software efficiency • Similar, modern processors support parallel computation • Preprocessing • Pad can be computed earlier • Random-access • Each ciphertext block can be encrypted independently • important in applications like hard-disk encryption • Provable security • no worse than what one gets for CBC encryption • Simplicity • No decryption algorithm and key scheduling

  45. Double DES • C = EK2[EK1 [P]] • P = DK1[DK2[C]] • Reduction to single stage? • EK2[EK1 [P]] =? EK3[P] • It was proven that it does not hold

  46. Meet-in-the-middle Attack • Diffie 1977 • Exhaustively cracking it requires 2112? • C = EK2[EK1 [P]] • X = EK1 [P] = DK2[C] • Given a known pair, (P, C) • Encrypt P with all possible 256 values of K1 • Store this results and sort by X • Decrypt C with all possible 256 K2, and check table • If same, accept it as the correct key • Are we done? &&#@!#(

  47. Meet-in-the-middle Attack, cnt • Little statistics • For any P, there are 264 possible C • DDES uses 112 bit key, so 2112 keys • Given C, there are 2112/264 = 248 possible P • So there are 248 false alarms • If one more (P’, C’) pair, we can reduce it to 2-16 • So using two (plaintext, ciphertext) pairs, we can break DDES c * 256 encryption/decryption • C = EK2[DK1 [P]] different?

  48. Triple DES with two keys • Obvious counter to DDES: Use three keys • Complexity? • 168 bit key • Triple DES = EDE = encrypt-decrypt-encrypt • C = EK1[DK2 [EK1[P]]] • Attacks? • No practical one so far

  49. … … … … S … S S S S S S … … … … … … P … … … … … … … … ... … … … … … S … P Product Cipher • To build complex function to compose several simple operation offer complementary, but individually insufficient protection • Basic operation: transposition, translation (XOR) and linear transformation, arithmetic operation, mod mult, simple substitution • Substitution-permutation (SP) network is product cipher composed of a number of stages each involving substitution and permutation

  50. Feistel Cipher • Virtually all conventional block ciphers • by Horst Feistel of IBM in 1973 • The realization of a Feistel Network depends on the choice of the following parameters and features: • Block size: larger block sizes mean greater security • Key Size: larger key size means greater security • Number of rounds: multiple rounds offer increasing security • Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis. • Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern

More Related