Chapter 2: Security and Cryptography

Home , Cryptlib, Permutation box, Plaintext

Chapter 2: Security and cryptography

Dr. Mohamed Mahmoud http://www.cae.tntech.edu/~mmahmoud/ [email protected] Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols

2.4 Protocols Cryptology: - Cryptography - Cryptanalysis

- Cryptography, a word with Greek origins, means “secret writing.” - However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

– A cipher is a function which transforms a plaintext message into a ciphertext by a process called encryption

– Plaintext is recovered from the ciphertext by a process called decryption

1 Encryption / Decryption “attack at midnight” - plaintext

“buubdl bu njeojhiu” - ciphertext

2 Cryptanalysis

- The science and study of breaking ciphers, i.e., the process of determining the plaintext message from the ciphertext

- Objective to recover key not just message

- A common approach is brute-force attack – try all possible cases

3 Some Basic Terminology

Plaintext - original message Ciphertext - coded message Cipher - algorithm for transforming plaintext to ciphertext

Key - info used in cipher known only to sender/receiver Encryption: converting original message into a form unreadable by unauthorized individuals. converting plaintext to ciphertext Decipher (decrypt) - recovering ciphertext from plaintext Cryptography: process of making and using codes to secure transmission of information Cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

Cryptology - field of both cryptography and cryptanalysis 4 Overview of Security Requirements

- Confidentiality - Entity Authentication - Data Integrity - Non-Repudiation - Access Control - Availability

Most of these security properties can be achieved through cryptographic functions.

5 Confidentiality

- Ability to keep information communicated between (among) authorized parties private - Observer should not be able to recover information - In a stronger sense, an observer cannot determine the parties involved or whether a communication session occurred - Usually achieved by encryption - Snooping refers to unauthorized access to or interception of data. - Traffic analysis refers to obtaining some other type of information by monitoring online traffic.

6 Entity Authentication

- Ability of the authorized parties in a communication session to ascertain the identity of other authorized parties – Mutual or one-way authentication - An entity authentication may be a user authentication or a device authentication - The party to be authenticated must provide some verifiable evidence to prove it is the entity identified by the identity. - The verification is to check whether the specific authentication data is valid, which can be generated only by the party with the claimed identity. - Authentication can thwart masquerading or spoofing attacks which happen when attackers impersonate

somebody else. 7 = (M, Authentication_data)

Alice

Bob

- Alice sends a msg M to Bob - Bob wants to be sure M is really from Alice - Alice attaches with the message an authentication data such as signature or message authentication code (MAC). - No one can generate this data except Alice (the owner of a secret key). - Bob is able to verify the authentication data 8 Data Integrity - Ability to ascertain that information exchanged has not been subject to additions, deletions, modifications or undue delay.

Attacks threatening integrity

Modification: attackers intercept a message and change it. Modification can be thwarted by using signature or message authentication code.

Replay: attackers obtain a copy of a message sent by a user and later tries to replay it. Usually timestamps are used to thwart replaying.

9 - Integrity is to prevent from altering the message content, while authenticity is to prevent from altering the message source.

- These two are inseparable. It is often to use a single cryptographic function to provide both.

- Usually, signature and hash functions or MAC can provide integrity and authentication

10 Non-Repudiation

- Ability to prevent an authorized party from denying the existence or contents of a communication session - Repudiation means that sender of a message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message. - Ability to prove to an independent third party at a later date the author and contents of a message. - Digital signature is used to achieve this property.

11 Access control - Aims to prevent unauthorized access to resources

Availability - The information created and stored by an organization needs to be available to authorized entities. - Network/system should be available all the time. - Denial of service (DoS) is a very common attack that targets availability . It may slow down or totally interrupt the service of a system.

12 security is about how to prevent attacks, or -- if prevention is not possible -- how to detect attacks and recover from them.

Attacks can be Passive - Eavesdropping: The attacker simply listens and tries to interpret the data being exchanged – if the data is in-the- clear, they succeed - Traffic Analysis – the attacker gains information by determining how much activity is there, where access points are located, - Difficult to detect. Should be prevented

Active - Attempts to alter system resources or affect their operation, examples: masquerade (spoofing), replay, modification (substitution, insertion, destruction), denial of service - Difficult to prevent. Should be detected. 13 Categorization of passive and active attacks

14 Kerckhoff’s Principle Generally assumed that the attacker knows everything about the cryptosystem except the key If, for security, the system requires that details of the system be kept secret, it is not considered secure

15 Trust Model - A trust model is to define trust relations among different parties. - A trust relation can be defined for any two parties with a mutually equal trust or a asymmetric trust. - Some trust relations are assumptions for the security mechanisms, while the others are to be established through applying security mechanisms. - A trust model may include assumptions on the physical environment. For example, we may trust a server located in a company’s building more than a wireless access point installed in a rest area of highway. - A trust model is crucial in establishing a secure communication system. It can go wrong in many ways and result in security holes. 16 Adversary and Threat Models

- The parties that may attack the system. - The attackers’ objectives – what they want to do? - How they will attack the system? - What is the attackers’ capability, e.g., regarding computational power? - Is the attacker a single party or colluding with others?

17 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols

2.4 Protocols Groups A set of objects, along with a binary operation (meaning an operation that is applied to two objects at a time) on the elements of the set, must satisfy the following four properties if the set wants to be called a group:

1- Closure with respect to the operation. Closure means that if a and b are in the set, then the element a ◦ b = c is also in the set. The symbol ◦ denotes the operator for the desired operation.

2- Associativity with respect to the operation. Associativity means that (a ◦ b) ◦ c = a ◦ (b ◦ c).

3- Guaranteed existence of a unique identity element with regard to the operation. An element i would be called an identity element if for every a in the set, we have a ◦ i = a. 18 4- The existence of an inverse element for each element with regard to the operation. That is, for every a in the set, the set must also contain an element b such that a ◦ b = i assuming that i is the identity element.

In general, a group is denoted by {G, ◦} where G is the set of objects and ◦ is the operator.

19 Infinite groups, meaning groups based on sets of infinite size.

Examples: – The set of all integers — positive, negative, and zero - along with the operation of arithmetic addition constitutes a group

– The set of all even integers — positive, negative, and zero under the operation of arithmetic addition is a group

If the operation on the set elements is commutative, the group is called an abelian group. An operation ◦ is commutative if a ◦ b = b ◦ a. Finite Groups

20 21 Summary

22 23 If the group operation is addition, the group also allows for subtraction. Similarly, multiplicative groups allow division.

- A group is guaranteed to have a special element called the identity element. The identity element of a group is frequently denoted by the symbol 0. - As you now know, for every element a, the group must contain its inverse element b such that a + b = 0, where the operator ’+’ is the group operator. - So if we maintain the illusion that we want to refer to the group operation as addition, we can think of b in the above equation as the additive inverse of a and even denote it by −a. We can therefore write a + (−a) = 0 or more compactly as a − a = 0. - In general a − b = a + (−b) where −b is the additive inverse of b with respect to the group operator +. We may now refer to an expression of the sort a−b as representing subtraction.24 25 255 mod 11 = 2

27 mod 5 = 2 36 mod 12 = 0

(a+n) mod n = a

26 Set of Residues

The modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues modulo n, or Zn.

Some Zn sets

27 Operation in Zn

The three binary operations that we discussed for the set Z can also be defined for the set Zn. The result may need to be mapped to Zn using the mod operator.

Binary operations in Zn

28 Example

Perform the following operations (the inputs come from Zn):

a. Add 7 to 14 in Z15.

b. Subtract 11 from 7 in Z13.

c. Multiply 11 by 7 in Z20.

Solution

29 Inverses

When we are working in modular arithmetic, we often need to find the inverse of a number relative to an operation. We are normally looking for an additive inverse (relative to an addition operation) or a multiplicative inverse (relative to a multiplication operation).

1- Additive Inverse

In Zn, two numbers a and b are additive inverses of each other if

In modular arithmetic, each integer has an additive inverse. The sum of an integer and its additive inverse is congruent to 0 modulo n. 30 Example

Find all additive inverse pairs in Z10.

Solution

The six pairs of additive inverses are (0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5).

31 2- Multiplicative Inverse

In Zn, two numbers a and b are the multiplicative inverse of each other if

In modular arithmetic, an integer may or may not have a multiplicative inverse. When it does, the product of the integer and its multiplicative inverse is congruent to 1 modulo n.

32 Example

Find all multiplicative inverse pairs in Z11.

Solution

We have seven pairs: (1, 1), (2, 6), (3, 4), (5, 9), (7, 8), (9, 5), and (10, 10).

33 Two More Sets

Cryptography often uses two more sets: Zp and Zp*. The modulus in these two sets is a prime number.

34 35 36 Rings

- If we can define one more operation on an abelian group, we have a ring, provided the elements of the set satisfy some properties with respect to this new operation also. - A ring is typically denoted {R,+,×} where R denotes the set of objects, ’+’ the operator with respect to which R is an abelian group, the ’×’ the additional operator needed for R to form a ring.

37 Properties of the elements with respect to the ring operator

- R must be closed with respect to the additional operator ’×’. -R must exhibit associativity with respect to the additional operator ‘×’. -The additional operator (that is, the “multiplication operator”) must distribute over the group addition operator. That is a × (b + c) = a × b + a × c (a + b) × c = a × c + b × c

-The “multiplication” operation is frequently shown by just concatenation in such equations: a(b + c) = ab + ac (a + b)c = ac + bc

38 Examples of Rings

- The set of all even integers, positive, negative, and zero, under the operations arithmetic addition and multiplication is a ring. - The set of all integers under the operations of arithmetic addition and multiplication is a ring. - The set of all real numbers under the operations of arithmetic addition and multiplication is a ring.

Commutative Rings - A ring is commutative if the multiplication operation is commutative for all elements in the ring. That is, if all a and b in R satisfy the property ab = ba

- The previous three examples are for commutative rings. 39 Rings: Summary

40 INTEGRAL DOMAIN

- An integral domain {R,+,×} is a commutative ring that obeys the following two additional properties: - ADDITIONAL PROPERTY 1: The set R must include an identity element for the multiplicative operation. That is, it should be possible to symbolically designate an element of the set R as ’1’ so that for every element a of the set we can say a1 = 1a = a - ADDITIONAL PROPERTY 2: Let 0 denote the identity element for the addition operation. If a multiplication of any two elements a and b of R results in 0, that is if ab = 0 then either a or b must be 0. - Examples of an integral domain: The set of all integers under the operations of arithmetic addition and multiplication. 41 Fields

- A field, denoted {F,+,×}, is an integral domain whose elements satisfy the following additional property: - For every element a in F, except the element designated 0 (the identity element for the ’+’ operator), there must also exist in F its multiplicative inverse. That is, if a ∈ F and a b= 0, then there must exist an element b ∈ F such that ab = ba = 1 where ‘1’ symbolically denotes the element which serves as the identity element for the multiplication operation. For a given a, the multiplicative inverse is designated as a−1. - Note again that a field has a multiplicative inverse for every element except the element that serves as the identity element for the group operator.

42 Examples of Fields

- The set of all real numbers under the operations of arithmetic addition and multiplication is a field.

- The set of all rational numbers under the operations of arithmetic addition and multiplication is a field.

- The set of all even integers, positive, negative, and zero, under the operations arithmetic addition and multiplication is NOT a field.

- The set of all integers under the operations of arithmetic addition and multiplication is NOT a field.

43 Fields: Summary

44 A deeper look

45 46 47 A field is a set of elements with addition and multiplication operations satisfying these rules:

1. Two operations (addition and multiplication) are defined on every element in the field.

2. Closure The addition/multiplication of two elements in the field gives an element in the field.

3. Associativity a+(b+c) = (a+b)+c and a(bc) = (ab)c, where a, b and c are elements in the field.

4. Commutativity a+b = b+a and ab = ba

5. Additive identity There’s a single element denoted 0 such that a + 0 = a for all elements in the field.

6. Multiplicative identity There is an element denoted 1 that

a.1 = a for every element in the field. 48 7. Additive inverses For every element a there is an element denoted -a such that a + (–a) =0.

8.Multiplicative inverses Every element a (except zero) has a multiplicative inverse, denoted a-1 such that a .a-1 = 1 .

9. Distributivity a(b+c) = ab+ac

GF(2) = Z2 with the usual addition and multiplication modulo 2

We have two elements 0 and 1.

49 Extending GF(2) to GF(22) - Find an irreducible polynomial f(x) defined over your base finite field. - Irreducible equation means it cannot be factored, i.e., f(x) is reducible if it has a factor x + a and a  GF(2) . - Add an element  to the group that satisfies f( ) = 0 - Using what you know of your finite field already, plus this fact, you can create the rest of the field. - Example, f(x) = X2+X+1, obviously, X or X+1 cannot factor it. If X is a factor f(0) should be 0 also if X+1 is a factor f(1)should be 0 because we take mod2. - To extend GF(2) to GF(22), we know the elements 0, 1 and  (the root of f(x)) how can we get the rest of the elements? We should have 4 elements. f( ) = 2+  +1 = 0 or 2=  +1 if you multiply  by itself you get element in the field that is  +1. - GF(22) = {0, 1, ,  +1} 50 We can work with addition in GF(22) by just working with vectors

The vectors are of the form (a0, a1), ai GF(2) which represents a0 + a1 . You can add them by just adding like vectors with each element being in GF(2) .

Multiplication cannot be done simply by multiplying elements

51 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols

2.4 Protocols Overview of Cryptosystems

Symmetric Key Asymmetric Key Hash function Cryptography Cryptography

Block Stream Unkeyed Keyed RSA Elgamal

MD5 HMAC DES RC4 SHA-1 AES A5

52 Symmetric-key cryptography

The same key is used by the sender (for encryption) and the receiver (for decryption).

53 Asymmetric-key cryptography

Two keys: public key and private key The public key is known but the private key is kept secret. 54 Comparison between two categories of cryptography

55 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography

2.4 Protocols Classification of Ciphers Unconditionally Secure

- Cannot be broken regardless of the attackers’ computational abilities. - The only cipher known to be unconditionally secure is “one-time pads”

Computationally Secure - Secure against attackers with “reasonable” resources. - Messages have only limited “secret” lifetime. - Balance between cipher efficiency (speed) and security strength. - The key size increases with improvement in computational power. - Rekeying is a good idea. Using a key for a longtime is not a good security practice. 56 Encryption/Decryption

Encryption is the process of transforming a plaintext message m into ciphertext C using an a unique key K

An n bit block cipher is a function E: {0, 1}n x {0, 1}k  {0, 1}n, such that for k n n each K  {0, 1} , C = EK(m) is an invertible mapping from {0, 1} to {0, 1}

k bit key

Encryption can achieve message …

confidentiality … n bit input … E n bit output

Decryption is just the reverse operation; transforming ciphertext C into plaintext m under control of key m = DK(C) 57 EK(m) ciphertext m E D DK(EK(m)) = m plaintext

K eavesdropping K encryption key adversary decryption key

 goal of the adversary:  to systematically recover plaintexts from ciphertexts  to deduce the (decryption) key  An encryption scheme is secure if it is computationally infeasible for the adversary to determine the target decryption key  Kerckhoff’s principle:  we must assume that the adversary knows all details of E and D  security of the system should be based on the protection of the decryption key 58 Adversary models

1- Ciphertext-only attack

The adversary can only observe ciphertexts produced by the same encryption key

It should be (computationally) infeasible for an observer of C to recover either M or K (in a reasonable time)

59 2- Known-plaintext attack

The adversary can obtain corresponding plaintext-ciphertext pairs produced with the same encryption key

60 3- Chosen-plaintext attack

- The adversary can choose plaintexts and obtain the corresponding ciphertexts

61 Symmetric Key Cryptography

Block Stream

DES (Data Encryption Standard), NIST 1976 AES (Advanced Encryption Standard), NIST, 2000

Stream Cipher: encrypts (and decrypts) the plaintext one character (usually a bit) at a time. better suited for real time applications (like voice application).

Block cipher: breaks up the plaintext into blocks of a fixed length

(e.g. 128 bits), and encrypts the blocks one at a time. 62 Desirable Properties of Ciphers 1- Security

1.1 Diffusion: Process of spreading effect of plaintext or key as widely as possible over ciphertext

Avalanche effect: A desirable condition of any cipher is to have approximately half of the ciphertext bits change (at random) in response to a one bit change in the plaintext. Similarly, changing one key bit should result in the change of approximately half of the bits in the ciphertext (at random)

1.2 Confusion: The relationship between key and ciphertext bits should be complicated. Ciphertext and plaintext should appear to be statistically independent 63 Process of substituting characters or symbols to make relationship between ciphertext and key as complex as possible

Make the statistical relationship between a plaintext and the corresponding ciphertext as complex as possible in order to thread attempts to deduce the key.

2. Efficiency - High encryption and decryption rate. - Simplicity (easier to implement and analyze). - Suitability for hardware or software. - Key size should be small, but large enough to preclude exhaustive key search.

64 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography A. Block Ciphers B. Stream ciphers

2.4 Protocols Data Encryption Standard (DES)

 One of most popular symmetric encryption cryptosystems  64-bit block size; 56-bit key  Adopted by NIST in 1976 as federal standard for encrypting non- classified information  Only intended to have limited lifetime

65 Underling principle: Take something simple and use it several times; hope that the result is complicated. 48 bits Easy to implement. The code of one round can be repeated. Also the decryption algorithm is close to the encryption.

56-bit key

It was observed that alternating “rounds” of simple substitutions and transpositions could produce a strong cipher (even though individual operations are not strong).

66 One round in DES ciphers

Why this approach is appealing? Inversion is easy. 67 Round key generator

- Key generator determines 16 subkeys from a key - Each key bit is used in around 14 out of 16 rounds

K (56)

Permuted Choice 1

(28) (28)

Left shift(s) Left shift(s)

(28) (28)

(48) K1 Permuted Choice 2

Left shift(s) Left shift(s)

(48) K2 Permuted Choice 2

68 … IP: initial permutation PC1: permuted choice 1 PC2: permuted choice 2

69 The DES round function F

32 bits are expanded to 48 bits 32 bits

48 bits key ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ injection

S1 S2 S3 S4 S5 S6 S7 S8

32 bits

Si – substitution box (S-box) P – permutation box (P-box) The input of each Si box is 6 bits but the output is 4 bits

70 The permutations, key generator, S boxes are fixed and public knowledge S-boxes are the only part of the DES that is non-linear.

6-bit: a0 a1 a2 a3 a4 a5 71 a0a5: to select row 0 to 3 a1a2a3a4: to select column 0 to 15 72 P-boxes

S-box introduces diffusion in the generation of the output from the input. Each plaintext bit must affect as many ciphertext bits as possible.

Permutation introduces confusion to the cipher

73 Permutation

This permutation table says that the first output bit will be the 16th bit of the input, the second output bit the 7th bit of the input, and so on,

Example:

74 Problem in DES: Small Key Size  not enough security for exhaustive search on key space

Assuming that, on the average, you’d need to try half the keys in a brute-force attack, a machine able to process 1000 keys per microsecond would need roughly 13 months to break the code. However, a parallel-processing machine trying 1 million keys simultaneously would need only about 10 hours.

75 Triple DES How can one construct a more secure block cipher from DES without changing the internals of DES?

Solution: Triple DES. Two keys in three rounds to extend the lifetime of DES

76 C = EK1(DK2(EK1(m))) Is bigger key better?

- There is a tradeoff between size, speed and power consumption of a cryptosystem. - Ideally, designers of cryptosystems will use an algorithm that will be secure for a window into the future with the intention that the system will be replaced as techniques and technology advances.

DES was found to be not as strong as originally believed also prompted NIST to initiate the development of new standards for data encryption. The result is AES.

77 Advanced Encryption Standard (AES)

- Supports keys of 128, 192 or 256 bits and messages of 128, 192 or 256 bits

78 AES Structure

79 A round structure

80 Byte Substitution

- The input is organized as an array of 4x4, 4x6, or 4x8 corresponding to 128, 192 or 256 bit input blocks respectively. - Each element in the array is one byte. - Non-linear, invertible byte substitution (S-box) - For each input byte take the multiplicative inverse over GF(28) by applying :

This step reduces the correlation between the input bits and the output

The relation between input and output bits cannot be described by easy math function

- For decryption, byte sub is used with inverse table. 81 Shift Row Transform

- Rows or the output of the S-boxes are shifted.

–Row 0 is not shifted –Row 1 is shifted 1 bytes –Row 2 is shifted 2 bytes –Row 3 is shifted 3 bytes

82 This step replaces each byte of a column by a function of all the bytes in the same column.

The inverse is a similar transform 83 Round Key Addition

- The Round Key is a simple bitwise XOR - Inversion is simply XOR with the same Round Key - The Cipher Key is expanded into a series of round keys through the Key Expansion algorithm. - It derives the 128-bit round key for each round from the original 128-bit encryption key. - The logic of the key expansion algorithm is to ensure that if you change one bit of the key, it should affect the round keys for several rounds.

The shift-rows step along with the mix-column step causes each bit of the ciphertext to depend on every bit of the plaintext after 10 rounds of processing

84 Block cipher modes of operation

ECB – Electronic Codebook: Used to encipher a single plaintext block

CBC – Cipher Block Chaining: Repeated use of the encryption algorithm to encipher a message consisting of many blocks

CFB – Cipher Feedback: Used to encipher a stream of characters, dealing with each character as it comes

OFB – Output Feedback: Used on noisy channels

CTR – Counter: Simplified OFB with certain advantages

85 ECB mode

Encryption

m1 m2 mN m K E K E … K E

C1 C2 CN Decryption C1 C2 CN

K D K D … K D

86 m1 m2 mN - Cipher acts as simple block substitution determined by key

- Fast and simple but identical plaintext blocks result in identical ciphertext blocks.

- Blocks are encrypted independently of other blocks. Ciphertext blocks can be cut from one message and pasted in another, possibly without detection.

- Error propagation: one bit error in a ciphertext block affects only the corresponding plaintext block (results in garbage)

- Overall: not recommended for messages longer than one block, or if keys are reused for more than one block

87 Cipher Block Chaining (CBC) mode

Encryption

m1 m2 m3 mN

IV + + + CN-1 +

K E K E K E … K E

Decryption C1 C2 C3 CN C1 C2 C3 CN

K D K D K D K D

IV + + + CN-1 + 88 m1 m2 m3 mN Properties of the CBC mode

- Combine previous ciphertext block with input (plaintext) block before encryption. - Repeated input blocks will produce different ciphertext blocks - Encrypting the same plaintexts under the same key, but different IVs result in different ciphertexts

- Ciphertext block Cj depends on mj and all preceding plaintext blocks. Rearranging ciphertext blocks affects decryption. However, proper decryption of a correct ciphertext block needs a correct preceding ciphertext block only.

- Error propagation: One bit error in a ciphertext block Cj has an

effect on the j-th and (j+1)-st plaintext block. mj’ is complete

garbage and mj+1’ has bit errors where Cj had

89 - The IV need not be secret, but its integrity should be protected

- Malicious modification of the IV allows an attacker to make predictable changes to the first plaintext block recovered

- One solution is to send the IV in an encrypted form at the beginning of the CBC encrypted message

90 Cipher Feedback (CFB) mode

Encryption Decryption

initialized with IV initialized with IV (s)

(s) shift register (n) shift register (n)

(n) (n)

K E K E

(n) (n)

select s bits select s bits

(s) (s) (s) (s) (s) (s) C + m mi + Ci i i

91 Properties of the CFB mode

 Encrypting the same plaintexts under the same key, but different IVs result in different ciphertexts

 The IV can be sent in clear. In CBC, the message is xored with IV.

 Ciphertext block Cj depends on mj and all preceding plaintext blocks  Rearranging ciphertext blocks affects decryption  Proper decryption of a correct ciphertext block needs the preceding n/s ciphertext blocks to be correct

 Error propagation:

 one bit error in a ciphertext block Cj has an effect on the decryption of that and the next n/s ciphertext blocks (the error remains in the shift register for n/s steps)

 mj’ has bit errors where Cj had, all the other erroneous plaintext blocks are garbage  An attacker may cause predictable bit changes in the j-th plaintext block

92 Output Feedback (OFB) mode

Encryption Decryption

initialized with IV initialized with IV

(s) (s) shift register (n) shift register (n)

(n) (n)

K E K E

(n) (n)

select s bits select s bits

(s) (s) (s) (s) (s) (s) m mi + Ci Ci + i

93 Properties of the OFB mode

 A different IV should be used for every new message, otherwise messages will be encrypted with the same key stream C1 XOR C2 = M1 XOR M2  the IV can be sent in clear  however, if the IV is modified by the attacker, then the cipher will never recover (unlike CFB)

 Ciphertext block Cj depends on mj only (does not depend on the preceding plaintext blocks)  however, rearranging ciphertext blocks affects decryption

 error propagation:  one bit error in a ciphertext block Cj has an effect on the decryption of only that ciphertext block

 mj’ has bit errors where Cj had  an attacker may cause predictable bit changes in the j-th plaintext block

 error recovery:  recovers from bit errors  never recovers if bits are lost or the IV is modified

94 Counter (CTR) mode

Decryption Encryption

counter + i counter + i

(n) (n)

K E K E

(n) (n)

(n) (n) (n) (n) mi + Ci Ci + mi

95 Properties of the CTR mode

 The i-th block can be decrypted independently of the others  parallelizable (unlike OFB)

 The values to be XORed with the plaintext can be pre-computed

 At least as secure as the other modes

note1: in CFB, OFB, and CTR mode only the encryption algorithm is used (decryption is not needed), that is why some ciphers (e.g., AES) is optimized for encryption

note2: the OFB and CTR modes essentially make a synchronous stream cipher out of a block cipher, whereas the CFB mode converts a block cipher into a self-synchronizing stream-cipher

96 Padding

- The length of the message may not be a multiple of the block size of the cipher

- One can add some extra bytes to the short end block until it reaches the correct size – this is called padding

- Usually the last byte indicates the number of padding bytes added – this allows the receiver to remove the padding

short end block padding

97 Exhaustive key search attack

 Given a small number of plaintext-ciphertext pairs encrypted under a key K, K can be recovered by exhaustive key search with 2k-1 processing complexity (expected number of operations)  input: (m, C), (m’, C’), …  progress through the entire key space, and for each candidate key K’, do the following:  Decrypt C with K’  if the result is not m, then throw away K’  if the result is m, then check the other pairs (m’, C’), …  if K’ does not work for at least one pair, then throw away K’ and take another key  if K’ worked for all pairs (m, C), (m’, C’), …, then output K’ as the target key  On average, the target key is found after searching half of the key space

 in practice, key size should be at least 128 bits

98 Algebraic attacks  having a large key size is only a necessary condition for the security of a block cipher  a block cipher can be broken due to the weaknesses in its internal (algebraic) structure, even if it uses large keys  example:  naïve exhaustive key search against DES: 255  attack using the complementation property of DES: 254 * * * Y = DESK(X) implies Y = DESK*(X ), where X denotes the bitwise complement of X  Differential cryptanalysis: how differences in information input can affect the resultant difference at the output differential cryptanalysis of DES: 247  linear cryptanalysis: finding affine approximations to the action of a cipher. linear cryptanalysis of DES: 243 99 Physical attacks

Timing attacks In timing attacks, the dependence of the execution time of the cipher on plaintext or key bits is exploited to derive key or plaintext information. An effective protection against timing attacks is writing the code in such a way that the number of cycles taken by an execution is independent of the value of key or plaintext bits (preferably a constant).

Power analysis attacks The attacker measures the power consumption or radiation of a cryptographic device to detect instructions being executed. This may leak information on key or plaintext bits if the instructions that are executed depend on the values of data that are being processed. An effective way to protect against this type of information leak is to program the cipher as a fixed sequence of instructions. 100 101 102 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography A. Block Ciphers B. Stream ciphers

2.4 Protocols pad  (key) msg (plaintext)

ciphertext (encrypted msg)

103 - Suitable when data is transmitted in serial form (one bit at a time).

- A pseudorandom generator is used to generate Key-Stream which is combined with Message-Stream to produce Cipher- Stream

- No error propagation: a ciphertext character that is modified during transmission affects only the decryption of that character. May be advantageous when transmission errors are probable such as in wireless transmissions.

- Shannon’s Result (1948): One-time-pad is unbreakable assuming the key stream is random and cannot be reconstructed.

- One-time-pad means that different messages are encrypted by different key streams.

- The key stream is generated independently at the sender and receiver 104 Pseudorandom generator

seed 01101 1010010110.... PRBS (short) (long)

 A random number is a number that cannot be predicted by an observer before it is generated.  A cryptographic pseudo-random number generator (PRNG) is a mechanism that takes as input a (random and secret) seed, and outputs a longer “pseudorandom” sequence called the keystream.  if designed, implemented, and used properly, then even an adversary with enormous computational power should not be able to distinguish the PRNG output from a real random sequence

105 Pseudorandom generator: Feedback Shift Registers (FSR)

At each clock pulse: the state of each memory stage is shifted to the next stage in line, i.e., there is a transition from one state to next.

106 107 108 Desirable properties of PRNGs

 The adversary cannot compute the internal state of the PRNG, even if she has observed many outputs of the PRNG

 The adversary cannot compute the next output of the PRNG, even if she has observed many previous outputs of the PRNG

 If the adversary can observe or even manipulate the input samples that are fed in the PRNG, but she does not know the internal state of the PRNG, then the adversary cannot compute the next output and the next internal state of the PRNG

 If the adversary has somehow learned the internal state of the PRNG, but she cannot observe the input samples that are fed in the PRNG, then the adversary cannot figure out the internal state of the PRNG after the re-keying operation 109 - It should be difficult to detect the seed from the output stream otherwise the long term key can be detected.

- Many attacks tried to find the relation between the input and output, but this relation should be non-linear so that is difficult to be found by solving equations.

- Needs synchronization between the sender and the receiver. If a character is inserted into or deleted from the ciphertext stream then synchronization is lost and the plaintext cannot be recovered. Additional techniques must be used to recover from loss of synch.

- Pseudorandom generators should produce random bits that are essential to the security of systems such as key stream, session keys, and nonces. If bits are not random –attacker may be able to guess keys

- The keystream should be “indistinguishable” from a random sequence.

110 Dangers of Keystream Reuse

It is difficult to find a random stream, if we know it, why we do not just reuse it?

C1 C2

- If an adversary knows a portion C1 of ciphertext and the

corresponding plaintext M1, then she can easily find the

corresponding portion K1 = C1 ⊕ M1 of the keystream. - Thus, given portions of the keystream, it should be infeasible to learn any information about the rest of the Keystream.

- The same seed should not be reused to avoid generating the same key stream. Usually seeds have a secret key appended to a public value used once like IV. 111 Examples of Stream Ciphers in Practice

A5/1 in GSM System : for securing GSM conversations. E0 in Bluetooth Standard RC4 in WEP used in Wi-Fi

WEP (Wired Equivalent Privacy) Encryption Algorithm is RC4 Per-packet encryption key is 24-bit IV concatenated to a pre- shared key Used to protect Internet traffic using the SSL protocols

112 A GSM (a cellular system) conversation is sent as a sequence of frames per 4.6 millisecond, and each frame contains 228 bits.

113 114 Session key or seed consists of initial states for three LFSRs, a total of 64 bits.

Not a good idea to reuse the initial seed. It is calculated from a long-term key and a random value.

Majority function f(x1, x2, x3) = (y1, y2, y3) is defined by the following table. That is, yi = 1 if xi is in majority

115 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography 2.3.2 Hash functions A. Unkeyed hash functions B. Keyed hash functions

2.4 Protocols Hash functions

- A hash function H() is a mathematical algorithm that maps a message (m) of arbitrary length to bit strings H(m) of fixed length (n bits).

- It generates message digest (or fingerprint) to confirm no content has changed.

message of arbitrary length hash function

fix length hash value / message digest / fingerprint

116 117 Properties

1- Ease of computation: given m, it is easy to compute H(m). 2- H() is a public function any one can calculate H(m) from m because a key is not needed. 2- Efficient: does not need too much energy or computations, i.e., computational time is too short. 3- One-way property (preimage resistance): given a hash value Y= H(m), it is computationally infeasible to find any input m so that H(m) = Y. 4- Collision means two different messages generate the same hash value. - Many-to-one mapping  collisions are unavoidable however, finding collisions are difficult  the hash value of a message can serve as a compact representative image of the message (similar to fingerprints). 118 - Weak collision resistance (2nd preimage resistance): given an input x, it is computationally infeasible to find a second input x’ such that h(x’) = h(x) X’ is called the preimage of X.

- Strong collision resistance (collision resistance): it is computationally infeasible to find any two distinct inputs x and x’ such that h(x) = h(x’).

- The attacker Eve sends M1 to Alice to sign. Since H(M1) = H(M2),

Eve also has Alice’s signature on M2.

119 Some Applications of Hash Functions - Signatures: The message digest can be input to a signature algorithm which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency because the message digest is usually much smaller in size than the message. Any change to the message in transit will result in a different message digest, and the signature will fail to verify. Suppose that Alice can find two messages x1 and x2, with x1 <> x2 and H(x1) = H(x2). Alice can sign x1 and later claim to have signed x2.

A’s signature on the message

120 Adding confidentiality

It would not be possible for anyone to alter such a message, even when they have access to both the original message and the overall hash code 121 - Password protection on a multi-user computer system: Server stores (userid, H(password)) in a password file. Thus, if an attacker gets a copy of the password file, she does learn any passwords. - Modification Detection Codes: To ensure that a message m is not modified by unauthorized means, one computes H(m) and protects H(m) from unauthorized modification. e.g. virus protection. - Pseudorandom bit generation: Distilling random bits s from

several “random” sources x1, x2, . . . , xt. Output s = H(x1, x2, . .

. , xt). - Key derivation: Deriving a cryptographic key from a shared secret.

The only difference between the two messages is the extra space between the words “hungry” and “brown” in the second message. Notice how completely different the hash codes look. 122 Finding collisions is easier than finding preimages

123 Choosing the output size of a hash function

 The Birthday Paradox  let n be the output size of a hash function  among ~sqrt(2n) = 2n/2 randomly chosen messages, with high probability, there will be a collision pair  it is easier to find collisions than to find preimages or 2nd preimages for a given hash value in order to resist birthday attacks, 2n/2 should be sufficiently large (e.g., n = 160 bits)  origin of the name “Birthday Paradox”:  elements are dates in a year (N = 365)  among 1.177 sqrt(365)  23 randomly selected people, there will be at least two that have the same birthday with probability ½

124 125 Two very common hash functions

MD5, Rivest 1991 SHA-1 (1995), SHA-2, NIST

- MD5 produces as output a 128-bit "fingerprint" or "message digest" of the input. - MD5 is much faster than SHA. - Wang and Yu (2004) found collisions for (full) MD5 in 239 steps (about 15 minutes). - MD5 should not be used if collision resistance is required, but is probably okay as a one-way hash function. - MD5 is still used today. - SHA-1 produces a 160-bit output called a message digest. - The SHA-1 is specified in the standard for use with the DSA in electronic mail, electronic funds transfer, software distribution, data storage, and other applications which require data integrity

assurance and data origin authentication. 126 - Collisions have been found for MD5 and SHA-1 in 2005. - In 2001, NSA (National Security Agency) proposed variable output-length versions of SHA-1. Output lengths are 256 bits (SHA-256), 384 bits (SHA-384) and 512 bits (SHA-512). - SHA-2 is the collective name of these hash functions.

127 SHA-1

- Input is divided into fixed length blocks M1, M2, …, ML - Last block is padded with 0 bits if necessary - Fixed initializing value IV - Each input block is processed according to the following scheme - In SHA-1, n = 160, r =512

(r bits) M M1 M2 M1 ML-1 L

H(M) (n bits) (n bits) 128 One round for each Mi Each word is 32 bits

initialization values

Expand 16 word to 80 words

129 130 Non-linear functions

131 132 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography 2.3.2 Hash functions A. Unkeyed hash functions B. Keyed hash functions

2.4 Applications and attacks - A keyed hashing function is called a message authentication code (MAC). - MAC functions can be viewed as hash functions with two functionally distinct inputs: a message and a secret key. - They produce a fixed size output (say n bits) called the MAC. - Practically it should be infeasible to produce a correct MAC for a message without the knowledge of the secret key. - MAC functions can be used to implement data integrity and message origin authentication services.

- HK(M) or MAC(M) is called the MAC of M.

message of arbitrary length MAC function secret key

fix length MAC 133 Properties of MAC functions

- Ease of computation: given an input x and a secret key k, it is

easy to compute MACk(x). Requires low battery energy and computational cycles: fast. - Key non-recovery: it is computationally infeasible to recover the

secret key k, given one or more text-MAC pairs (xi, MACk(xi)) for

that k. xi can be chosen by the attacker.

- Given (x, MACk(x)), it is computationally infeasible to compute

MACk(x’) for another message x’.

- Computation resistance: given zero or more text-MAC pairs (xi,

MACk(xi)), it is computationally infeasible to find a text-MAC pair

(x, MACk(x)) for any new input x. Computation resistance implies key non-recovery but the reverse is not true in general.

134 135 secret key

message MAC

MAC generation

message MAC MAC

compare

secret key verification yes/no

136 MACs based on block ciphers (CBC MAC)

Symmetric key encryption scheme is used to build CBC MAC

x1 x2 x3 xN

0 + + + cN-1 +

k E k E k E … k E

cN c1 c2 c3 -1 k’ E optional

Divide x into N blocks k E Compute the encryption of each block MAC Xor the ciphertext with next block

137 keyed-hash message authentication code (HMAC)

MACs Based on Hash Functions

Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC. the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. 138 HMAC is used in IPSEC (Internet Protocol Security) and SSL (Secure Sockets Layer)/TLS (Transport Layer Security).

139 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography 2.3.2 Hash functions 2.3.3 Asymmetric key cryptography

2.4 Protocols - Symmetric-key and asymmetric-key ciphers will exist in parallel.

- They are complements of each other; the advantages of one can compensate for the disadvantages of the other.

- Asymmetric-key ciphers are sometimes called public-key ciphers. 140 It is easy to compute n = pq given p and q, but it is hard to find p and q given n while p and q are large primes. Used in RSA

Given g and (ga mod P) are two points in a finite field, it is infeasible to calculate a, where P is a large prime number.

Given P and aP are two points in an elliptic curve, it is infeasible to calculate a. 141 ed mod (n)=1

142 - If two numbers have a gcd of 1, then the smaller of the two numbers has a multiplicative inverse in the modulo of the larger number. - For any prime number P, every number from 1 up to P-1 has a gcd of 1 with P, and therefore has a multiplicative inverse in modulo P If two numbers m and n are relatively prime, then

Euler's theorem This states that if a and n are relatively prime then

The special case where n is prime is known as Fermat's little theorem. Fermat's little theorem

if p is a prime number, then for any integer a, the number ap − a is an integer multiple of p. This is expressed as

Fermat's little theorem is equivalent to the statement Fermat's little theorem is a special case of Euler's theorem: for any modulus n and any integer a coprime to n, we have

A slight generalization of Euler's theorem, which immediately follows from it, is: if a, n, x, y are integers with n positive and a and n coprime, then Fermat’s Little Theorem

143 Summary: Encryption, decryption, and key Generation in RSA

Done one time for each key pair

C: Ciphertext P C = Pe mod n P = Cd mod n P Plaintext Encryption Decryption Plaintext compute d to satisfy the congruence relation de  1 mod  ( n ) , i.e. de  1  k   ( n ) for some integer k

k ? cd  med  m1k(n)  mm(n)  m mod n  (n) Fermat’s Little Theorem m 1mod n 144 145 Jennifer creates a pair of keys for herself. She chooses p=397 and q=401. She calculates n=159,197 and (n) = 396 x 400 = 158,400. She then chooses e = 343 and d = 12,007. Ted wants to send the message “NO” to Jennifer. He changes each character to a number (from 00 to 25) with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. Ted then uses e and n to encrypt the message. The ciphertext is 1314343 = 33,677 mod 159,197. Jennifer receives the message 33,677 and uses the decryption key d to decipher it as 33,67712,007 = 1314 mod 159,197. Jennifer then decodes 1314 as the message “NO”. Figure 30.25 shows the process.

146 Here is a more realistic example calculated with a computer. We choose a 512-bit p and q, calculate n and φ(n), We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number.

The integer q is a 160-digit number.

147 The modulus n = p × q. It has 309 digits.

φ(n) = (p − 1)(q − 1) has 309 digits.

148 Bob chooses e = 35535. He then finds d.

Alice wants to send the message “THIS IS A TEST”, which can be changed to a numeric value using the 00−26 encoding scheme (26 is the space character).

149 The ciphertext calculated by Alice is C = Pe, which is

Bob can recover the plaintext from the ciphertext using P = Cd, which is

The recovered plaintext is “THIS IS A TEST” after decoding.

150 RSA in practice: - Time consuming process - DES is 100 times (in sw) and 10000 times (in hw) faster than RSA. - Usually exponentiation operations are time consuming. - Key length should be at least 1024 or 2048

151 152 Digital Signature

- One of the best features of public key Cryptography - Usually public key Cryptography is not used for encryption/decryption because they are time consuming.

No one can decrypt this except Bob No one can compose who knows the private key but any this except Bob who one can send the message knows the private key

Private key Public key

- + + - = KB (KB (m)) = m KB (KB (m))

use public key first, use private key first, followed by private key followed by public key Encryption Signature Result is the same! 153 Digital Signature

Cryptographic technique Simple digital signature for analogous to hand-written message m: signatures.  Bob encrypts m with his private key

 Sender (Bob) digitally signs dB, creating signed message, dB(m). document, establishing he is  Bob sends m and dB(m) to Alice. document owner/creator.  Verifiable, nonforgeable: recipient - Similar to MACs, digital signatures can (Alice) can verify that Bob, and no ensure message integrity and authenticity plus the following: Unforgeable by the one else, signed document. receiver and verifiable by a third party (non- repudiation)

154  Suppose Alice receives msg m, Alice thus verifies that: and digital signature dB(m)  Bob signed m.  Alice verifies m signed by Bob by  No one else signed m. applying Bob’s public key eB to  Bob signed m and not m’. d (m) then checks e (d (m) ) = m. B B B Non-repudiation:  If e (d (m) ) = m, whoever signed B B  Alice can take m, and signature m must have used Bob’s private d (m) to court and prove that Bob key. B signed m.

 However, asymmetric key algorithms are very slow:

 In practice, asymmetric key algorithms are typically hundreds to thousands times slower than symmetric key algorithms. Q: What if we need to sign a large document? Sign the fingerprint of the document (hash) because it is much shorter. 155 156 RSA Signature scheme

Sender site

157 Receiver site

158 M: Message K: A shared secret key MAC: Message authentication code

M + MAC

Insecure channel

A MAC provides message integrity and message authentication using a combination of a hash function and a secret key.

Another way to provide message integrity and message authentication is a digital signature.

159 The security of the signature scheme does not only depend on the security of the RSA but also the hash function

One way to attack the signature scheme:-

Should be difficult

160 161 Examples of digital signature scheme

 RSA  essentially identical to the RSA encryption scheme  signature = decryption with private key  typical signature length is 1024 bits

 DSA (Digital Signature Algorithm)  based on the ElGamal signature scheme  typical signature length is 1024 bits

 ECDSA (Elliptic Curve DSA)  same as DSA but works over elliptic curves  reduced signature length (typically 320 bits)

162 Digital Certificates

- It is feasible for any party to generate a pair of public and private keys. - Eve can generate such a key pair to fool others by claiming that it is Bob’s public key. - The information sent to Bob can be encrypted by the public key Eve generated, for which Eve knows the corresponding private key.

Solution: Binding a public key with its owner’s identity in a trusted way  digital certificates

- Certificate is an electronic document containing public key value and identifying information about the entity that owns the key. - Digital signature is attached to certificate’s file to certify that the file is from entity it claims to be from. - The entity that issues, renews, and revokes certificates is called certificate authority (CA).

163 Signing Bob’s + algorithm public + KB key KB CA - certificate for Bob’s Bob’s private K identifying key CA public key, signed information by CA

Certificates allow disseminating public keys in a trusted way without real-time access to certificate authority 164 Besides the public key and the identity, a certificate may include some other attributes, for example, the expiration date of the public key, the scope of the public key, i.e. whether it is used for encryption or signature, etc.

X.509 standard defines the format for public key certificates

165 How to verify a certificate?

1- Verify the CA’s signature. 2- Make sure the certificate is not expired. 3- Verify that the certificate is not revoked.

Since a certificate can be verified by CA’s public key, it seems we are back to the original question, that is, how it can be insured that it is CA’s but not Eve’s public key.

- A CA’s public key must be able to be recognized as authentic. Otherwise, it has no help by introducing a CA. - Introducing a CA converts a peer-to-peer trust assumption to a multiple- to-one trust assumption. - Practically, each party can obtain the CA’s public key by downloading it from a trusted server. - It can also install the CA’s public key in the communication devices, like Internet routers and personal computers. 166 Certificate Chain

- A system may consist of multiple administrations. Each

administration has its own certificate authority, CA1, · · · , CAn. - If two devices are in the domain of one CA, they can verify its certificates because they know its public key.

- If two nodes belong to two different CAs, each node needs to know the public key of the other CA in a trusted way.

- Solution: certificate hierarchy. It may employ a root CA trusted by both administrations.

- I and J, belonging to two different administrations cannot establish trust unless the two administrations have a commonly trusted third party.

167 - A higher level certificate authority will sign certificates of the lower level certificate authorities.

- In the figure, the root CA signs certificates for CA1 and CA2.

- Then, CA1 and CA2 sign certificates of the entities belonging to its

own administration. Precisely, CA1 signs entity I’s certificate while

CA2 will sign entity J’s certificate. - If entity I needs to verify a public key certificate of entity J, logically, the verification will include the following two steps:-

1. Verify the certificate of CA2. That is, verify the signature of root CA with root CA’s

public key. If it is valid, then CA2 is trusted because it is certified by the trusted root CA. 2. Verify the certificate of J’s public key. That

is, verify the signature of CA2 with CA2’s public key. If it is valid, then J’s public key is valid. 168 - Notice that entity I does not have to have any trust relationship

directly with CA2, which signs J’s public key certificate. - As long as entity I trusts the root CA’s public key, it can verify

whether CA2’s public key is trustable.

- Based on the verified trust on CA2’s public key, it can verify whether J’s public key is trustable. - This trust relationship can be described as a trust chain. - “Trust” can be traced back through structure to common CA - Certificate Chains consist of targets Certified public key plus Certified public keys of all CA’s back to common node (or root CA)

- Each node knows all the CAs to the root CA.

- y can trust CAC because it is certified by

CA3 that it trusts.

- y can trust CAB because it trusts CA2

because it is certified by the trusted CA1. 169 Certificate Revocation

- A certificate may have to be revoked before its expiration date for several reasons such as exposed private key, revoking a malicious certificate holder, etc.

- Certificate revocation list (CRL) is a black list that has the serial numbers of revoked certificated.

- CRLs are issued, maintained and signed by the CAs that issued the certificates.

- For certificate verification, it may have to verify whether it is included in a certificate revocation list (CRL).

- A revoked certificate’s serial number should be kept in the CRL until it is expired.

- Expired certificates should be removed from the CRL. Why?

- Tradeoff between certificate's lifetime, CRL length and overhead of

renewing certificates. 170 185 171 172 The ElGamal encryption scheme

 Key generation  Generate a large random prime p and choose generator g of the * multiplicative group Zp = {1, 2, …, p-1}  Select a random integer a, 1 ≤ a ≤ p-1, and compute A = ga mod p  The public key is (p, g, A)  The private key is a

 Encryption (by public key)  Select a random integer r, 1 ≤ r ≤ p-1, and compute R = gr mod p  Compute C = m×Ar mod p, m should be 1 ≤ m ≤ p-1  The ciphertext is the pair (R, C)

 Decryption  Compute Ra mod p This is a point in the field. Compute its multiplicative inverse R-a  Compute m = C × R-a mod p  Proof of decryption C × R-a = (m × Ar) x g-ar = (m × gar) x g-ar = m 173 r = 52 a = 12

Ar Ra

(R, C) = (38, 80) R-a R C R-a C

174 - It has the advantage that the same plaintext gives a different ciphertext (with near certainty) each time it is encrypted. If an attacker knows a plaintext-ciphertext pair, he cannot know the plaintext when it is encrypted several times. - Secure key size should be at least 2048

- gr mod p can be computed in advance.

- The random number r should not be reused. Why?

Assume M1 and M2 are encrypted using the same r.

r The ciphertext of message M1 is (R, C1 = M1A )

r The ciphertext of message M2 is (R, C2 = M2A )

-1 r r -1 -1 C1 x C2 = M1A (M2A ) = M1 M2 If the attacker knows one message he can get the other

175  Plaintext m is masked by a random factor, gar mod p.

 Given g, ga, gr mod p, what is gar mod p? No way to compute it. To obtain a or r logarithm should be taken which is difficult problem.

 Performance: Encryption: two exponentiations Decryption: one exponentiation and one inversion Size: The ciphertext is 2q (twice the plaintext)

176 Similar to encryption

P-1 P gh(m) mod p mod p S in the equation: s P-1) s = (h(m) – xr)k-1 mod p-1 s yrrs = gxrgsk = gxr+sk = gh(m) mod p k must be random, be destroyed after use, and never be reused why? X can be calculated 177 The algorithm is correct in the sense that a signature generated with the signing algorithm will always be accepted by the verifier.

The signature generation implies

Hence Fermat's little theorem implies

Fermat's little theorem

gr Is the most time consuming operation but it can be precomputed. K-1 Is the second most time consuming operation but it can be precomputed. gx gk

178 yrrs = gh(m) mod p?

gx :

179 gx

If two messages are sent using the same value of k and the same key, then an attacker can compute the private key directly

Without using k in the signature part S, signatures can be forged. 180 g

Mod 23

g9 gm

gr Is the most time consuming operation but it can be precomputed. 181 Digital Signature Standard (DSS)

- US Government approved signature scheme

- Designed by NIST & NSA in early 90's

- Uses the SHA hash algorithm

- DSS is the standard, DSA is the algorithm

- A variant on ElGamal

- Creates a 320 bit signature, but with 512-1024 bit security

- Security depends on difficulty of computing discrete logarithms

182 DSA Key Generation

 Public key values (p,q,g):  Choose 160-bit prime number q  Choose a large prime p with 2L-1 < p < 2L  where L= 512 to 1024 bits

 such that q is a 160 bit prime divisor of (p-1)  Choose g = h(p-1)/q  Where 1 < h < p-1 and h(p-1)/q mod p > 1  Users choose private & compute public key:  Choose random private key: x < q  Compute public key: y = gx mod p

183 DSA Signature Creation

 To sign a message M the sender:  generates a random signature key k, k < q  k must be random, be destroyed after use, and never be reused  then computes signature pair: r = (gk mod p)mod q s = [k-1(H(M)+ xr)] mod q H(M) = ks - xr  sends signature (r,s) with message M

(q, p) can be (160 bits, 1024 bits) or (256 bits, 2048 bits)

184 DSA Signature Verification

 having received M & signature (r,s)

 to verify a signature, recipient computes: u1= [H(M) s-1]mod q u2= (rs-1)mod q v = [(gu1 yu2)mod p ]mod q

 if v = r then signature is verified

-1 -1 u1 u2 H(M)S rxS -1 -1 g y = g g = gk-xrS+rxS = gk = r

185 Elliptic curves

- If q is a prime greater than 3 and

- Zq is a finite field modulo q.

- Then an elliptic curve E over Zq is the set of points (x, y) with x, y  Zq satisfy the following equation together with special point O, called as point at infinity

y2  x3 + ax + b (mod q) where,

x, y, a, b ∊ Zq,

186 187 Q P P

P + Q 2P

P+O = O+P = P P + (-P) = O

ECC addition is analog of modulo multiply ECC repeated addition is analog of modulo exponentiation

188 Elliptic Curve cryptography (ECC) Security

Elliptic curve discrete logarithm problem (ECDLP)

Given P and aP, there is no way to compute a, but given P and a, it is easy to compute aP.

This is more difficult than factorization  can use much smaller key sizes than with RSA for the same security level.

Shorter Key means less operations

With similar security, ECC offers significant computational advantages

189 An integer q is called a quadratic residue modulo n if there exists an integer x such that:

190 191 192 p = 23, a = 1, b = 1

193 194 195 196 -

First encode a message as a point on the elliptic curve M Qa is the public key of A

Ka is the private key of A

K is one time secret random value 197 Elliptic Curve Digital Signature Algorithm (ECDSA)

• Entity A has public key Qa = kaP, where ka is the private key and P is a generator. To sign a message m, does the following:

• Select a random integer k, where 1 <= k <= q-1

• Compute kP = (x1, y1) and r = x1 mod q. • Compute k-1 mod q. Compute e = SHA-1(m).

-1 • Compute s = k {e + ka . r} mod q.

A's signature for the message m is (r, s).

kP can be pre-computed.

198 To verify A's signature (r, s) on m, perform the following steps:

• Compute e = SHA-1(m).

-1 -1 • Compute u1 = e s mod q and u2 = r s mod q.

• Compute (x1, y1) = u1P + u2 Qa

• Accept the signature if and only if x1 = r.

Proof: -1 -1 -1 -1 u1P+ u2 Qa = e s P + r s ka P = s (e + r ka) P = s k s P = kP

1- If K is revealed, attackers can calculate the private key 2- If K is not used in S, the signature can be forged. 3- it is crucial to select different K for different signatures, otherwise the equation of S can be solved to calculate the private key (two equations with two unknowns)

This implementation failure was used, for example, to extract the signing key used in the PlayStation3 gaming-console. 199 - Comparing to RSA, ECC requires significantly smaller key size with same level of security.

- Benefits of having smaller key sizes (160-bit EC ~ 1024-bit RSA) : faster computations and need less storage space.

- ECC offers considerable bandwidth (short signature/ciphertext size) savings.

- ECC ideal for constrained environments : PDAs; Cellular Phones; Smart Cards  can be implemented on a simple processor.

- ECC security has not been well analyzed yet  Confidence level in ECC is not as high as RSA

200 Comparable Key Sizes for Equivalent Security

Symmetric scheme ECC-based scheme RSA/DSA (or security level) (size of n in bits) (modulus size in (key size in bits) bits) 56 112 512 80 160 1024 112 224 2048 128 256 3072 192 384 7680 256 512 15360

As with elliptic-curve cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level in bits.

A security level of 80 bits means that an attacker requires the equivalent of about 280 operations to find the private key 201 202 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols 2.3.1 Symmetric key cryptography 2.3.2 Hash functions 2.3.3 Asymmetric key cryptography 2.3.4 Identity based cryptography

2.4 Protocols 203 204 G1 and G2 are additive groups but GT is a multiplicative group

e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(P, Q)ab = e(bP, aQ) e(P+P1, Q) = e(P, Q) e(P1, Q) e(P, Q+Q1) = e(P, Q) e(P, Q1) e(P+P1, Q+Q1) = e(P, Q+Q1) e(P1, Q+Q1) = e(P, Q) e(P, Q1) e(P1, Q) e(P1, Q1) e(P, Q) = e(Q, P) if e is symmetric 205 Sometimes the bilinear pairing maps G1 X G1 to GT

206 G1 and G2 are multiplicative groups and GT is also multiplicative group e(G1, G2 )  GT g1 and g’1 generators in G1 g2 and g’2 generators in G2

a b ab ab ab b a e(g1 , g2 ) = e(g1 , g2) = e(g1, g2 ) = e(g1, g2) = e(g1 , g2 ) e(g1g’1, g2) = e(g1, g2) e(g’1, g2) e(g1, g2 g’2) = e(g1, g2) e(g1, g’2) e(g1g’1, g2 g’2) = e(g1, g2 g’2) e(P1, g2 g’2) = e(g1, g2) e(g1, g’2) e(g’1, g2) e(g’1, g’2) e(g1, g2) = e(g2, g1) if e is symmetric 207 ,

r r e(DID, U) = e(sQID, rP) = e(QID, srP) = e(QID, sP) = gID

208 ,

e(S, P) e(Q,sP)h

= e((k-h)sQ, P) e(sQ, P)h

= e(sQ, P)k-h e(sQ, P)h = e(sQ, P)k = T S

209 e(P, S) = e(P, (r+h)sQ) = e(sP, (r+h)Q) = e(sP, rQ+hQ) = e(sP, T+hQ)

210 Outline

2.1 Introduction

2.2 Mathematical background

2.3 Cryptosystems and security protocols

2.4 Protocols Comparison between symmetric and asymmetric key cryptography

- Symmetric-key algorithms are generally fast, but Key management is a problem.

- However, asymmetric key algorithms are slow:

- In practice, asymmetric key algorithms are typically hundreds to thousands times slower than symmetric key algorithms.

That does not mean symmetric key cryptography is useless. It is used with asymmetric key cryptography as will be explained later. 212 213 214 Key Distribution Scenario

215 216 - TTP can “listen-in” to all users communications - Difficult to expand on large scale

More key establishment protocols will be explained later 217 218 219 Public key cryptography uses

Public key encryption: Any one can send a message but only the private key owner can decrypt it. There is no sender authentication but it has receiver authentication.

Digital signature: Sender authentication. The receiver can make sure that a message is sent from the claimed sender. It also provides message integrity.

Hybrid schemes: public key cryptography is used to share a symmetric key and symmetric key cryptography is used for encryption because it is more efficient.

220 Hybrid schemes

- DES (or AES) for encrypting actual data

- RSA for encrypting corresponding DES session key 221 These security attributes can be achieved:-

Message confidentiality Message integrity Message non-repudiation Message authenticity (sender authentication) Efficient because of using symmetric key encryption is more efficient than the public key encryption

Randomly Chosen K Digest (Message) Message + Signed with Encrypted with + Bob’s Private Key Alice’s Public Key Encrypted with Secret Key K

222 These security attributes can be achieved:-

Message confidentiality Message integrity Message non-repudiation X Message authenticity (sender authentication) Efficient because of using symmetric key encryption

Message Digest (Message) Randomly + Chosen K + Encrypted with Alice’s Public Key Encrypted with Secret Key K

223 Public/Private Key Pair Generation

- Difficulties to generate public/private key pairs: complicated mathematics operations. - Usually, public/private key pair is generated by a third party, for example, a certificate authority. But degrades non-repudiation - In this case, the private key will need to be transported to the owner in a secure manner.

Key Escrow

- If a signature key is lost or compromised, revocation can be done, new key and certificate issued - no problem! - If an encryption key is lost, legitimate recovery of information requires “key recovery” mechanism to be in place - Key escrow: allows for the components of a secret encryption key to be deposited with one (or more) trusted parties (called escrow agents) in such a way that the escrow agents can, upon receiving proper authorization, recover the encryption key from the components. 224 Why Key Escrow?

1) Law enforcement: Allows law enforcement authorities to decrypt intercepted encrypted data after obtaining the appropriate authorization from a court.

2) Allows users to recover data from ciphertext in the event that the encryption key is lost, e.g., employees losing keys or being unavailable to recover company property (data)

- Identity based encryption (IBE) has inherent key escrow because the private key is calculated from the public one.

225 Session key establishment protocols

- Goal of session key establishment protocols - Setup a shared secret between two (or more) parties - It is desired that the secret established by a fixed pair of parties varies on subsequent executions of the protocol (dynamicity) - Established shared secret is used as a session key to protect communication between the parties

- Motivation for use of session keys - Limit available ciphertext for cryptanalysis - Limit exposure caused by the compromise of a session key - Avoid long-term storage of a large number of secret keys (keys are created on-demand when actually required)

226 Basic classification

1- Key transport protocols - One party uses an existing key to transport a secret session key to another party.

Alice Bob

generate k A, EKb(k), Ta, SKa(B,EKb(k),Ta)

Alice generates a session key, encrypts it with Bob’s public key, then signs it, and sends it to Bob

Using a trusted third party to generate the session key and distribute it see slide 214

227 2- Key agreement (or key exchange) protocols - A shared secret is derived by the parties as a function of information contributed by each, such that no party can predetermine the resulting value. Ex. Diffie Hellman protocol. - One party cannot control the value of the established keys

What “Good” Protocols Should Provide

1. Symmetry of users’ input 2. Session key “freshness” - assurance that key is new and not being reused 3. Efficiency of establishment and verification: total number of bits transmitted (i.e., bandwidth used), number of messages exchanged, complexity of computations by each party (speed), possibility of precomputations to reduce on-line computational complexity. 4. Requirement of third party? 5. Non-repudiation of key 228 6. Perfect Forward Secrecy –disclosure of a session key does not disclose the session keys that were previously used. 7. Perfect Backward Secrecy -compromise of a session keys does not compromise session keys that will be used 8. Key confirmation: One party is assured that a second party actually possesses the session key. Possession of a key can be demonstrated by producing a one-way hash value of the key or encryption of known data with the key

229 Derive the session key from a long term key

– A and B exchange a long term Key K that is then used to derive a unique key for each message passed during the day

If an attacker can recover any message key - Attacker can recover all messages after the recovered key (complete forward break) - If the encryption system is secure, then the attacker cannot break previous keys (break-backwards protection) 230 E: encryption by the public key D: encryption with the private key

- Key Confirmation: achieved by encrypting a known value - Mutual authentication

- Key is fresh if K1 or K2 has not been used before 231 Diffie-Hellman Key Exchange Protocol

p should be 1024 or more.

* a generator of Zp

a and b are secret and should be large p and g are public 232 mod p

mod p mod p

K mod p = K = mod p

mod p

- K is the session symmetric key. - a and b are not sent in clear because they are secret. a b a - Sending g and g is secure because it is not feasible to know a given g and g 233 (gb mod p)a mod p = gba mod p

(ga mod p)b mod p = gab mod p

Security comes from the fact that computing discrete logarithms is hard. That is, given p, g and ga mod p, it is not feasible to compute private key a.

NO AUTHENTICATION, key freshness with randomly selected exponents, no party can control the key, no need for a trusted third party

234 235 236 Eve claims this is sent from Alice Eve claims this is sent from Bob

Authentication

Alice thinks that she exchanged a key with Bob Eve can act as Alice and Bob 237 238 A protocol with perfect forward secrecy 239 ECC Diffie-Hellman

Protocol 1

- The private keys of A and B are nA and nB

- The public keys of A and B are PA=nAP and PB=nBP

- Compute shared key: K=nAPB, K=nBPA

nAPB = nBPA = nAnBP - Any two nodes can calculate a shared key by knowing their public keys. - This is a long term key and should be used to derive session key.

Is man-in-the middle attack possible?

240 Protocol 2

- Nodes A and B have private keys dA and dB

- A and B have public keys QA = dAP and QB = dBP

- Node A selects a random integer rA, and computes RA = rAP sends it to B

- Node B selects a random integer rB, and computes RB = rBP sends it to B

- Node A computes the shared key as follows K = dArBP + rAQB

- Node B computes the shared key as follows K = dBrAP + rBQA

Is man-in-the middle attack possible?

241

Entity Authentication

- Entity authentication is a technique designed to let one party prove the identity of another party. - The basic idea: a cryptographic key is known only by a party with a given identity, and if a party can prove that it knows the key, then the party can be authenticated with the identity. - For entity authentication, a key is bound to an identity, while the proof of knowledge of the key is achieved through a cryptographic scheme. - Mutual Authentication is a procedure in which two parties conduct entity authentication mutually. - Unidirectional Authentication is a procedure in one party wants to verify the identity of the other party. - Entity authentication is often executed as an access authentication. That is, depending on the result of entity authentication, the entity can be authorized or rejected to access a network or certain information. For example, when a mobile phone is turned on, the first step is to register to the network for connections. 242 Challenge/response: Unidirectional symmetric-key authentication protocol

Encrypted with Alice-Bob secret key RB A nonce sent by Bob

1 Alice

RB 2

3 RB

Can be the keyed hash value of RB 243 Challenge/response: Unidirectional asymmetric-key encryption authentication protocol

Encrypted with Alice’s public key

RB A nonce sent by Bob

1 Alice

Bob, RB 2

3 RB

244 Challenge/response: Unidirectional authentication protocol Using signature

RB A nonce sent by Bob

1 Alice

RB 2

Bob, Sig (RB, Bob) 3 Signed with Alice’s private key

245 246 247 248 Assuming E wants to impersonate A, E can send the first message on the behalf of A without being detected. B will send the second message as it was to A. Then, if E is able to forge a valid

authentication tag in [IDA,RB]A, then it can successfully impersonate A.

In replay attack, E can impersonate B if RA is reused because it can replay the tag. To prevent such an attack, the random value should not be reused.

For each execution, one party selects a fresh random number to force another party to generate a new tag by using the key. 249 250 RA,

Comparisons with Protocol 1

Advantage: When replacing the random number with the sequence number, party A can send her authentication tag in the first message without waiting for party B’s random number to be sent. The mutual authentication can be conducted in two messages (i.e., two rounds).

Disadvantages: Each party must store two sequence numbers for every party it conducts mutual authentication, one for its own maximum used sequence number and another for another party’s maximum used sequence number. 251 252 253 254 E impersonates A

Lesson learned: The authentication tags on the two directions must be generated over different data fields such that a response generated for one direction cannot be used for another direction.

255 256 Common Cryptographic Libraries

OpenSSL http://www.openssl.org/

Cryptlib http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

Crypto++ http://www.cryptopp.com/

BSAFE http://www.rsa.com/node.aspx?id=1204

MIRACL(Multiprecision Integer and Rational Arithmetic C/C++ Library) http://www.shamus.ie/

257 Questions

Mohamed Mahmoud