DOCSLIB.ORG

Chapter 2: Security and Cryptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Chapter 2: Security and cryptography Dr. Mohamed Mahmoud http://www.cae.tntech.edu/~mmahmoud/ [email protected] Outline 2.1 Introduction 2.2 Mathematical background 2.3 Cryptosystems and security protocols 2.4 Protocols Cryptology: - Cryptography - Cryptanalysis - Cryptography, a word with Greek origins, means “secret writing.” - However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks. – A cipher is a function which transforms a plaintext message into a ciphertext by a process called encryption – Plaintext is recovered from the ciphertext by a process called decryption 1 Encryption / Decryption “attack at midnight” - plaintext “buubdl bu njeojhiu” - ciphertext 2 Cryptanalysis - The science and study of breaking ciphers, i.e., the process of determining the plaintext message from the ciphertext - Objective to recover key not just message - A common approach is brute-force attack – try all possible cases 3 Some Basic Terminology Plaintext - original message Ciphertext - coded message Cipher - algorithm for transforming plaintext to ciphertext Key - info used in cipher known only to sender/receiver Encryption: converting original message into a form unreadable by unauthorized individuals. converting plaintext to ciphertext Decipher (decrypt) - recovering ciphertext from plaintext Cryptography: process of making and using codes to secure transmission of information Cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key Cryptology - field of both cryptography and cryptanalysis 4 Overview of Security Requirements - Confidentiality - Entity Authentication - Data Integrity - Non-Repudiation - Access Control - Availability Most of these security properties can be achieved through cryptographic functions. 5 Confidentiality - Ability to keep information communicated between (among) authorized parties private - Observer should not be able to recover information - In a stronger sense, an observer cannot determine the parties involved or whether a communication session occurred - Usually achieved by encryption - Snooping refers to unauthorized access to or interception of data. - Traffic analysis refers to obtaining some other type of information by monitoring online traffic. 6 Entity Authentication - Ability of the authorized parties in a communication session to ascertain the identity of other authorized parties – Mutual or one-way authentication - An entity authentication may be a user authentication or a device authentication - The party to be authenticated must provide some verifiable evidence to prove it is the entity identified by the identity. - The verification is to check whether the specific authentication data is valid, which can be generated only by the party with the claimed identity. - Authentication can thwart masquerading or spoofing attacks which happen when attackers impersonate somebody else. 7 = (M, Authentication_data) Alice Bob - Alice sends a msg M to Bob - Bob wants to be sure M is really from Alice - Alice attaches with the message an authentication data such as signature or message authentication code (MAC). - No one can generate this data except Alice (the owner of a secret key). - Bob is able to verify the authentication data 8 Data Integrity - Ability to ascertain that information exchanged has not been subject to additions, deletions, modifications or undue delay. Attacks threatening integrity Modification: attackers intercept a message and change it. Modification can be thwarted by using signature or message authentication code. Replay: attackers obtain a copy of a message sent by a user and later tries to replay it. Usually timestamps are used to thwart replaying. 9 - Integrity is to prevent from altering the message content, while authenticity is to prevent from altering the message source. - These two are inseparable. It is often to use a single cryptographic function to provide both. - Usually, signature and hash functions or MAC can provide integrity and authentication 10 Non-Repudiation - Ability to prevent an authorized party from denying the existence or contents of a communication session - Repudiation means that sender of a message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message. - Ability to prove to an independent third party at a later date the author and contents of a message. - Digital signature is used to achieve this property. 11 Access control - Aims to prevent unauthorized access to resources Availability - The information created and stored by an organization needs to be available to authorized entities. - Network/system should be available all the time. - Denial of service (DoS) is a very common attack that targets availability . It may slow down or totally interrupt the service of a system. 12 security is about how to prevent attacks, or -- if prevention is not possible -- how to detect attacks and recover from them. Attacks can be Passive - Eavesdropping: The attacker simply listens and tries to interpret the data being exchanged – if the data is in-the- clear, they succeed - Traffic Analysis – the attacker gains information by determining how much activity is there, where access points are located, - Difficult to detect. Should be prevented Active - Attempts to alter system resources or affect their operation, examples: masquerade (spoofing), replay, modification (substitution, insertion, destruction), denial of service - Difficult to prevent. Should be detected. 13 Categorization of passive and active attacks 14 Kerckhoff’s Principle Generally assumed that the attacker knows everything about the cryptosystem except the key If, for security, the system requires that details of the system be kept secret, it is not considered secure 15 Trust Model - A trust model is to define trust relations among different parties. - A trust relation can be defined for any two parties with a mutually equal trust or a asymmetric trust. - Some trust relations are assumptions for the security mechanisms, while the others are to be established through applying security mechanisms. - A trust model may include assumptions on the physical environment. For example, we may trust a server located in a company’s building more than a wireless access point installed in a rest area of highway. - A trust model is crucial in establishing a secure communication system. It can go wrong in many ways and result in security holes. 16 Adversary and Threat Models - The parties that may attack the system. - The attackers’ objectives – what they want to do? - How they will attack the system? - What is the attackers’ capability, e.g., regarding computational power? - Is the attacker a single party or colluding with others? 17 Outline 2.1 Introduction 2.2 Mathematical background 2.3 Cryptosystems and security protocols 2.4 Protocols Groups A set of objects, along with a binary operation (meaning an operation that is applied to two objects at a time) on the elements of the set, must satisfy the following four properties if the set wants to be called a group: 1- Closure with respect to the operation. Closure means that if a and b are in the set, then the element a ◦ b = c is also in the set. The symbol ◦ denotes the operator for the desired operation. 2- Associativity with respect to the operation. Associativity means that (a ◦ b) ◦ c = a ◦ (b ◦ c). 3- Guaranteed existence of a unique identity element with regard to the operation. An element i would be called an identity element if for every a in the set, we have a ◦ i = a. 18 4- The existence of an inverse element for each element with regard to the operation. That is, for every a in the set, the set must also contain an element b such that a ◦ b = i assuming that i is the identity element. In general, a group is denoted by {G, ◦} where G is the set of objects and ◦ is the operator. 19 Infinite groups, meaning groups based on sets of infinite size. Examples: – The set of all integers — positive, negative, and zero - along with the operation of arithmetic addition constitutes a group – The set of all even integers — positive, negative, and zero under the operation of arithmetic addition is a group If the operation on the set elements is commutative, the group is called an abelian group. An operation ◦ is commutative if a ◦ b = b ◦ a. Finite Groups 20 21 Summary 22 23 If the group operation is addition, the group also allows for subtraction. Similarly, multiplicative groups allow division. - A group is guaranteed to have a special element called the identity element. The identity element of a group is frequently denoted by the symbol 0. - As you now know, for every element a, the group must contain its inverse element b such that a + b = 0, where the operator ’+’ is the group operator. - So if we maintain the illusion that we want to refer to the group operation as addition, we can think of b in the above equation as the additive inverse of a and even denote it by −a. We can therefore write a + (−a) = 0 or more compactly as a − a = 0. - In general a − b = a + (−b) where −b is the additive inverse of b with respect to the group operator +. We may now refer to an expression of the sort a−b as representing subtraction.24 25 255 mod 11 = 2 27 mod 5 = 2 36 mod 12 = 0 (a+n) mod n = a 26 Set of Residues The modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues modulo n, or Zn. Some Zn sets 27 Operation in Zn The three binary operations that we discussed for the set Z can also be defined for the set Zn. The result may need to be mapped to Zn using the mod operator. Binary operations in Zn 28 Example Perform the following operations (the inputs come from Zn): a. Add 7 to 14 in Z15. b. Subtract 11 from 7 in Z13. c. Multiply 11 by 7 in Z20. Solution 29 Inverses When we are working in modular arithmetic, we often need to find the inverse of a number relative to an operation.
Recommended publications
  • Basic Cryptography

    Basic Cryptography

    Basic cryptography • How cryptography works... • Symmetric cryptography... • Public key cryptography... • Online Resources... • Printed Resources... I VP R 1 © Copyright 2002-2007 Haim Levkowitz How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key Decryption Key Algorithm Plaintext Ciphertext Encryption I VP R 2 © Copyright 2002-2007 Haim Levkowitz Simple cryptosystem ... ! ABCDEFGHIJKLMNOPQRSTUVWXYZ ! DEFGHIJKLMNOPQRSTUVWXYZABC • Caesar Cipher • Simple substitution cipher • ROT-13 • rotate by half the alphabet • A => N B => O I VP R 3 © Copyright 2002-2007 Haim Levkowitz Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ... I VP R 4 © Copyright 2002-2007 Haim Levkowitz Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA (international data encryption algorithm) in PGP: 2128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years I VP R 5 © Copyright 2002-2007 Haim Levkowitz Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA Key • Blowfish Plaintext Encryption Ciphertext Decryption Plaintext Sender Recipient I VP R 6 © Copyright 2002-2007 Haim Levkowitz DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipherblock chaining) • Each blocks encr. depends on contents of previous => detect missing block I VP R 7 © Copyright 2002-2007 Haim Levkowitz Triple DES, DESX,
  • Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate

    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
  • Block Ciphers and the Data Encryption Standard

    Block Ciphers and the Data Encryption Standard

    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
  • 1 Perfect Secrecy of the One-Time Pad

    1 Perfect Secrecy of the One-Time Pad

    1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3.
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA

    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
  • Stage De Master 2R

    Stage De Master 2R

    STAGE DE MASTER 2R SYSTEMES ELECTRONIQUES ET GENIE ELECTRIQUE PARCOURS SYSTEMES ELECTRONIQUES ANNEE UNIVERSITAIRE 2006/2007 CRYPTO-COMPRESSION BASED ON CHAOS OF STILL IMAGES FOR THE TRANSMISSION YIN XU École Polytechnique de l’Université de Nantes Laboratoire IREENA Encadrants du stage : Safwan EL ASSAD Vincent RICORDEL Stage effectué du (05/02/2007) au (09/07/2007) Acknowledgments I would like to express my gratitude to my supervisors Professor Safwan EL ASSAD and Professor Vincent RICORDEL, who have been giving me direction with great patience. As the tutor of the first part of my internship, Prof. RICORDEL coached me on the study of JPEG 2000 systems and I benefited a lot from his tutorials. His constructive suggestions on my research and careful correction of my submitted materials are deeply appreciated. And as the tutor of the second part of my internship, Prof. EL ASSAD pointed out a clear direction of the subject that I should follow, which spare me from the potential wasting of time. He was always encouraging me and thus providing me with more confidence to achieve the objects of the internship. Doctor. Abir AWAD helped me a lot on the program-performance comparisons of C++ and MATLAB and she also gave me many useful materials on my subject. I am really thankful. I would also give my thankfulness to Professor Joseph SAILLARD and Professor Patrick LE CALLET for attending my final defense as a member of the jury despite the busy occupation of their own work. Of course also send great thankfulness to my two supervisors Prof. EL ASSAD and Prof.
  • Symmetric Key Ciphers Objectives

    Symmetric Key Ciphers Objectives

    Symmetric Key Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives • Definition of Symmetric Types of Symmetric Key ciphers – Modern Block Ciphers • Full Size and Partial Size Key Ciphers • Components of a Modern Block Cipher – PBox (Permutation Box) – SBox (Substitution Box) –Swap – Properties of the Exclusive OR operation • Diffusion and Confusion • Types of Block Ciphers: Feistel and non-Feistel ciphers D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 1 Symmetric Key Setting Communication Message Channel Message E D Ka Kb Bob Alice Assumptions Eve Ka is the encryption key, Kb is the decryption key. For symmetric key ciphers, Ka=Kb - Only Alice and Bob knows Ka (or Kb) - Eve has access to E, D and the Communication Channel but does not know the key Ka (or Kb) Types of symmetric key ciphers • Block Ciphers: Symmetric key ciphers, where a block of data is encrypted • Stream Ciphers: Symmetric key ciphers, where block size=1 D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 2 Block Ciphers Block Cipher • A symmetric key modern cipher encrypts an n bit block of plaintext or decrypts an n bit block of ciphertext. •Padding: – If the message has fewer than n bits, padding must be done to make it n bits. – If the message size is not a multiple of n, then it should be divided into n bit blocks and the last block should be padded. D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 3 Full Size Key Ciphers • Transposition Ciphers: – Involves rearrangement of bits, without changing value. – Consider an n bit cipher – How many such rearrangements are possible? •n! – How many key bits are necessary? • ceil[log2 (n!)] Full Size Key Ciphers • Substitution Ciphers: – It does not transpose bits, but substitutes values – Can we model this as a permutation? – Yes.
  • Chapter 2 the Data Encryption Standard (DES)

    Chapter 2 the Data Encryption Standard (DES)

    Chapter 2 The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmet- ric or secret key cryptography and asymmetric or public key cryptography. Symmet- ric key cryptography is the oldest type whereas asymmetric cryptography is only being used publicly since the late 1970’s1. Asymmetric cryptography was a major milestone in the search for a perfect encryption scheme. Secret key cryptography goes back to at least Egyptian times and is of concern here. It involves the use of only one key which is used for both encryption and decryption (hence the use of the term symmetric). Figure 2.1 depicts this idea. It is necessary for security purposes that the secret key never be revealed. Secret Key (K) Secret Key (K) ? ? - - - - Plaintext (P ) E{P,K} Ciphertext (C) D{C,K} Plaintext (P ) Figure 2.1: Secret key encryption. To accomplish encryption, most secret key algorithms use two main techniques known as substitution and permutation. Substitution is simply a mapping of one value to another whereas permutation is a reordering of the bit positions for each of the inputs. These techniques are used a number of times in iterations called rounds. Generally, the more rounds there are, the more secure the algorithm. A non-linearity is also introduced into the encryption so that decryption will be computationally infeasible2 without the secret key. This is achieved with the use of S-boxes which are basically non-linear substitution tables where either the output is smaller than the input or vice versa. 1It is claimed by some that government agencies knew about asymmetric cryptography before this.
  • You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries Jenny Blessing Michael A. Specter Daniel J. Weitzner MIT MIT MIT Abstract A common aphorism in applied cryptography is that cryp- The security of the Internet rests on a small number of open- tographic code is inherently difficult to secure due to its com- source cryptographic libraries: a vulnerability in any one of plexity; that one should not “roll your own crypto.” In par- them threatens to compromise a significant percentage of web ticular, the maxim that complexity is the enemy of security traffic. Despite this potential for security impact, the character- is a common refrain within the security community. Since istics and causes of vulnerabilities in cryptographic software the phrase was first popularized in 1999 [52], it has been in- are not well understood. In this work, we conduct the first voked in general discussions about software security [32] and comprehensive analysis of cryptographic libraries and the vul- cited repeatedly as part of the encryption debate [26]. Conven- nerabilities affecting them. We collect data from the National tional wisdom holds that the greater the number of features Vulnerability Database, individual project repositories and in a system, the greater the risk that these features and their mailing lists, and other relevant sources for eight widely used interactions with other components contain vulnerabilities. cryptographic libraries. Unfortunately, the security community lacks empirical ev- Among our most interesting findings is that only 27.2% of idence supporting the “complexity is the enemy of security” vulnerabilities in cryptographic libraries are cryptographic argument with respect to cryptographic software.
  • Chap 2. Basic Encryption and Decryption

    Chap 2. Basic Encryption and Decryption

    Chap 2. Basic Encryption and Decryption H. Lee Kwang Department of Electrical Engineering & Computer Science, KAIST Objectives • Concepts of encryption • Cryptanalysis: how encryption systems are “broken” 2.1 Terminology and Background • Notations – S: sender – R: receiver – T: transmission medium – O: outsider, interceptor, intruder, attacker, or, adversary • S wants to send a message to R – S entrusts the message to T who will deliver it to R – Possible actions of O • block(interrupt), intercept, modify, fabricate • Chapter 1 2.1.1 Terminology • Encryption and Decryption – encryption: a process of encoding a message so that its meaning is not obvious – decryption: the reverse process • encode(encipher) vs. decode(decipher) – encoding: the process of translating entire words or phrases to other words or phrases – enciphering: translating letters or symbols individually – encryption: the group term that covers both encoding and enciphering 2.1.1 Terminology • Plaintext vs. Ciphertext – P(plaintext): the original form of a message – C(ciphertext): the encrypted form • Basic operations – plaintext to ciphertext: encryption: C = E(P) – ciphertext to plaintext: decryption: P = D(C) – requirement: P = D(E(P)) 2.1.1 Terminology • Encryption with key If the encryption algorithm should fall into the interceptor’s – encryption key: KE – decryption key: K hands, future messages can still D be kept secret because the – C = E(K , P) E interceptor will not know the – P = D(KD, E(KE, P)) key value • Keyless Cipher – a cipher that does not require the
  • Security Issues in the Diffie-Hellman Key Agreement Protocol

    Security Issues in the Diffie-Hellman Key Agreement Protocol

    Security Issues in the Diffie-Hellman Key Agreement Protocol Jean-Franc¸ois Raymond and Anton Stiglic Zero-Knowledge Systems Inc. jfr, anton ¡ @zeroknowledge.com Abstract Diffie-Hellman key agreement protocol [20] implementations have been plagued by serious security flaws. The attacks can be very subtle and, more often than not, have not been taken into account by protocol designers. In this summary we discuss both theoretical attacks against the Diffie-Hellman key agreement pro- tocol and attacks based on implementation details . It is hoped that computer se- curity practitioners will obtain enough information to build and design secure and efficient versions of this classic key agreement protocol. 1 Introduction In their landmark 1976 paper “New Directions in Cryptography”[20], Diffie and Hell- man present a secure key agreement protocol that can be carried out over public com- munication channels. Their protocol is still widely used to this day. Even though the protocol seems quite simple, it can be vulnerable to certain attacks. As with many cryptographic protocols, the Diffie-Hellman key agreement protocol (DH protocol) has subtle problems that cryptographers have taken many years to discover. This vulnerability is compounded by the fact that programmers often do not have a proper understanding of the security issues. In fact, bad implementations of crypto- graphic protocols are, unfortunately, common [2]. In this work, we attempt to give a comprehensive listing of attacks on the DH proto- col. This listing will, in turn, allow us to motivate protocol design decisions. Note that throughout this presentation emphasis is placed on practice. After reading this paper, one might not have an extremely detailed understanding of previous work and theoret- ical problems, but should have a very good idea about how to securely implement the DH protocol in different settings.
  • Network Security H B ACHARYA

    Network Security H B ACHARYA

    Network Security H B ACHARYA NETWORK SECURITY Day 2 NETWORK SECURITY Encryption Schemes NETWORK SECURITY Basic Problem ----- ----- ? Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem NETWORK SECURITY slide 4 One-Time Pad (Vernam Cipher) ----- 10111101… ----- = 10111101… 10001111… = 00110010… 00110010… = Key is a random bit sequence as long as the plaintext Decrypt by bitwise XOR of ciphertext and key: ciphertext key = (plaintext key) key = Encrypt by bitwise XOR of plaintext (key key) = plaintext and key: plaintext ciphertext = plaintext key Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949) NETWORK SECURITY slide 5 Advantages of One-Time Pad Easy to compute ◦ Encryption and decryption are the same operation ◦ Bitwise XOR is very cheap to compute As secure as theoretically possible ◦ Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources ◦ …if and only if the key sequence is truly random ◦ True randomness is expensive to obtain in large quantities ◦ …if and only if each key is as long as the plaintext ◦ But how do the sender and the receiver communicate the key to each other? Where do they store the key? NETWORK SECURITY slide 6 Problems with One-Time Pad Key must be as long as the plaintext ◦ Impractical in most realistic