sign in sign up
<<
Home , CrypTool

INF140

Cryptography

Overview

Confidentiality

Symmetric Crypto Authentication Cryptographic Tools and Algorithms Public Crypto

Digital Signatures Key Management INF140 - Introduction to Cybersecurity Summary

Chunlei Li1

1 1/89 The slides are adjusted from the one by Steve Gordon INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

2/89 INF140 No Cryptography, No Security! Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

Cryptography is necessary but not sufficient for security

3/89 INF140 Security Attributes by Cryptography Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

Non-repudiation: one aspect for accountability

4/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

5/89 INF140 Encryption for Confidentiality Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto I Aim: assure confidential information not made available

Digital Signatures to unauthorised individuals (data confidentiality) Key Management I How: encrypt the original data; anyone can see the Summary encrypted data, but only authorised individuals can decrypt to see the original data I Used for both sending data across network and storing data on a computer system

6/89 INF140 Model of Encryption for Confidentiality Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

7/89 INF140 Model of Encryption for Confidentiality Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Symmetric Cryptography: Key1 = Key 2 I Public Key Cryptography: Key1 6= Key 2

8/89 INF140 Terminology Cryptography

Overview original message Confidentiality

Symmetric Crypto encrypted or coded message Authentication Encryption convert from plaintext to ciphertext Public Key Crypto (enciphering) Digital Signatures Decryption restore the plaintext from ciphertext Key Management (deciphering) Summary Key information used in cipher known only to sender/receiver Cipher a particular algorithm (cryptographic system) Cryptography study of algorithms used for encryption study of techniques for decryption without knowledge of plaintext Cryptology cryptography + cryptanalysis

9/89 INF140 Characterising Cryptographic Systems Cryptography

Overview Confidentiality Operations used for encryption: Symmetric Crypto

Authentication Substitution replace one element in plaintext with another Public Key Crypto Transposition re-arrange elements Digital Signatures Product systems multiple stages of substitutions and Key Management transpositions Summary Mathematical Transformation trap-door one-way functions

Number of keys used: Symmetric sender/receiver use same key (single-key, secret-key, shared-key, conventional) Public-key sender/receiver use different keys (asymmetric)

10/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

11/89 INF140 Symmetric Key Encryption for Confidentiality Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

Requirements I Strong encryption algorithm: given algorithm, ciphertext and known pairs of (plaintext, ciphertext), attacker should be unable to find plaintext or key I keys: sender and receiver both have shared a secret key; no-one else knows the key

12/89 INF140 Attacks Cryptography

Overview Goal of the Attacker Confidentiality I Discover the plaintext (good) Symmetric Crypto

Authentication I Discover the key (better)

Public Key Crypto Digital Signatures Assumed Attacker Knowledge Key Management I Ciphertext Summary I Algorithm I Other pairs of (plaintext, ciphertext) using same key

Attack Methods Brute-force attack Try every possible key on ciphertext Cryptanalysis Exploit characteristics of algorithm to deduce plaintext or key Assumption: attacker can recognise correct plaintext

13/89 INF140 Block vs Stream Ciphers Cryptography

Overview Block Ciphers Confidentiality Symmetric Crypto I Encrypt plaintext block by block, typically 64 or 128 bits Authentication I Encryption performed by scrambling plaintext and key Public Key Crypto I Different operation modes with probabilistic encryption Digital Signatures for improved security Key Management Summary I Widely used in e-commerce

Stream Ciphers I Encrypt plaintext by bits/bytes/words I Encryption performed by XOR plaintext with keystream (created by pseudo-random number generator) I Fast algorithms/implementations in hardware I Cannot re-use keys

14/89 INF140 Examples of Substitution Ciphers Cryptography

Overview Caesar Cipher Confidentiality

Symmetric Crypto I Earliest known cipher, used by Julius Caesar (Roman

Authentication general 2000 years ago) Public Key Crypto I Replace each letter by the letter three positions along in Digital Signatures alphabet Key Management Summary Generalised Caesar Cipher (try cryptool-online) I Allow shift by k positions I Assume each letter assigned number (a = 0, b = 1, . . . )

C = E(k, p) = (P + K) mod 26

P = D(k, C) = (C − K) mod 26 I Security: vulnerable to the brute force attack

15/89 INF140 Cryptography Mono-alphabetic (Substitution) Ciphers Overview Mono-alphabetic: use a single alphabet for both Confidentiality I

Symmetric Crypto plaintext and ciphertext Authentication I Arbitrary substitution: one element maps to any other Public Key Crypto element Digital Signatures I n element alphabet allows n! permutations or keys Key Management I Example: Summary Plain :A B C D E ... W X Y Z Cipher:D Z G L S ... B T F Q

I Security I Caesar cipher: 26 keys I Mono-alphabetic (English alphabet): 26! keys (> 4 × 1026) I Vulnerable to frequency attacks

16/89 INF140 Cryptography Playfair Cipher - Initialization Overview 1. Create 5x5 and write keyword (row by row) Confidentiality

Symmetric Crypto 2. Fill out remainder with alphabet, not repeating any

Authentication letters Public Key Crypto 3. Special: Treat I and J as same letter Digital Signatures Key Management Playfair Cipher - Encryption Summary 1. Operate on pair of letters (digram) at a time 2. Special: if digram with same letters, separate by special letter (e.g. x) 3. Plaintext in same row: replace with letters to right 4. Plaintext in same column: replace with letters below 5. Else, replace by letter in same row as it and same column as other plaintext letter

17/89 INF140

Cryptography I Plaintext: helloworld Overview

Confidentiality I Keyword: security Symmetric Crypto S E C U R Authentication I T Y A B Public Key Crypto D F G H K Digital Signatures

Key Management L M N O P

Summary Q V W X Z Plaintext: HE LX XL OW OR LD Ciphertext: FU OQ QO ... QL Security I frequency attack: diagram of 676 entries I relatively easy (digrams, trigrams, expected words)

18/89 INF140 Vigen`ereCipher Cryptography I Set of 26 general Caesar ciphers Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Letter in key determines the Caesar cipher to use I Example: key = uib Plain : INTERNETTECHNOLOGIES Key: UIBUIBUIBUIBUIBUIBUIBUI Cipher: CVUYZOYBUYKIHWMIOJYA I Multiple ciphertext letters for each plaintext letter, e.g.,

19/89 the first I→C and the second I→J INF140 Vigen`ereCipher - Is it Breakable? Cryptography

Overview Confidentiality I Yes Symmetric Crypto I Monoalphabetic or Vigen`erecipher? Letter frequency Authentication analysis Public Key Crypto Digital Signatures I Determine length of keyword Key Management I For keyword length m, Vigen`ereis m mono-alphabetic Summary substitutions I Break the mono-alphabetic ciphers separately I Weakness is repeating, structured keyword How to destroy the structure of keyword in the key string? I combine the keyword and plaintext: Autokey cipher I have sufficiently long key: Vernam cipher

20/89 INF140 Rotor Machine - Enigma Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Web-based Simulator of Enigma I Web-based Simulator of Turing Bomb

21/89 INF140 Example Transposition Cipher: Rail-Fence Cryptography Railfence Overview Encryption: Plaintext letters written in diagonals over K Confidentiality rows; ciphertext obtained by reading row-by-row. For Symmetric Crypto example, Authentication Public Key Crypto I plaintext: attackpostponed Digital Signatures I key: 3 Key Management ciphertext: ACSNTAKOTOETPPD Summary I Column-Transposition Cipher Encryption: Ciphertext obtained by reading column-by-column, but re-arranged transposition according to the key. For example I plaintext: attackpostponeduntiltwoamxyz I key: 4312567 I ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ 22/89 INF140 Product System Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures Combine substitution and transposition and repeat them n

Key Management times. For example,

Summary 1. Apply Vigenere cipher with Kn,1

2. Apply Rail-fence cipher with Kn,2

23/89 INF140 Modern Block Ciphers Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Encrypt a block of plaintext as a whole to produce same sized ciphertext I Typical block sizes are 64 or 128 bits I Modes of operation used to apply block ciphers to larger I Two widely used standard: DES and AES

24/89 INF140 Data Encryption Standard (DES) Cryptography

Overview Confidentiality I Designed by IBM and NSA; standardised by NIST in Symmetric Crypto 1977 as FIPS-46 Authentication I 1999: NIST recommended Triple-DES; DES only for Public Key Crypto legacy systems Digital Signatures I 2005: FIPS-46 standard withdrawn Key Management I Block size: 64 bits Summary I Key length: 56 bits (64 bits, but 8 are parity) I Feistel structure I Decryption is almost identical to encryption → single implementation for both algorithms I Key size is insecure; algorithm considered secure I Status: not recommended

25/89 INF140 Advanced Encryption Standard (AES) Cryptography

Overview

Confidentiality Symmetric Crypto I NIST held competition to select algorithm to replace Authentication DES/3DES in 1997 Public Key Crypto I Won by Rijndael algorithm by Rijmen and Daemen Digital Signatures I 2001: Standardised as FIPS-197 Key Management I Block size: 128 Summary I Key length: 128, 192, 256 bits I Substitution-permutation network I Status: used in many products, e.g. WiFi (WPA), full (BitLocker, FileVault2, dm-crypt, LUKS), Internet security (HTTPS), . . .

26/89 INF140 AES-Rijndael Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

Vincent is now an adjunct professor in the Selmer Center

27/89 INF140 DES vs AES Cryptography

Overview

Confidentiality Symmetric Crypto DES AES Authentication I Standardized in 1977 I Standardized in 2001 Public Key Crypto 64-bit blocks 128-bit blocks Digital Signatures I I Key Management I 56-bit key: 16 x 48-bit I 128/192/256-bit key: Summary round keys 10/12/14 128-bit rkeys I Feistel Structure I SPN structure I F processes 32 bits I F processes 128 bits I bitwise operaton I bytewise operaton I 8 S-boxes (6 → 4) I one S-box (8 → 8) I Sbox not involved in I Sbox used in gen. gen. round keys round keys I 1 state/4 words/16 bytes/128 bits

28/89 INF140 Brute Force Attacks - Time Cost Cryptography

Overview

Confidentiality Symmetric Crypto I Age of Earth: 4 × 109 years Authentication Age of Universe: 1.3 × 1010 years Public Key Crypto I

Digital Signatures Key Key Worst case time at speed: Key Management length space 109/sec 1012/sec 1015/sec Summary 32 232 4 sec 4 ms 4 us 56 256 833 days 20 hrs 72 sec 64 264 584 yrs 213 days 5 hours 128 2128 1022 yrs 1019 yrs 1016 yrs 192 2192 1041 yrs 1038 yrs 1035 yrs 256 2256 1060 yrs 1057 yrs 1054 yrs

29/89 INF140 How Fast/Expensive is a Brute Force Attack Cryptography Today? Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I My MacPro: ≈ 2 × 108 blocks/sec I Brute Force: > 1022 years I Age of Universe: 1.3 × 1010 years

30/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

31/89 INF140 Authentication Cryptography

Overview

Confidentiality

Symmetric Crypto Integrity and authenticity usually come in pairs

Authentication Authentication= integrity+ authenticity Public Key Crypto I Authentication: receiver wants to verify: Digital Signatures 1. Contents of the message have not been modified (data Key Management integrity) Summary 2. Source of message is who they claim to be (source authenticity) I Different approaches available: I Symmetric Key Encryption I Hash Functions I Message Authentication Codes I Digital Signatures (Public Key Cryptography)

32/89 INF140 Hash Functions (Message Digest) Cryptography

Overview Confidentiality A cryptographic hash function, H(), takes Symmetric Crypto I a variable sized input message, M, Authentication

Public Key Crypto I and produces a fixed size, small output hash, h, i.e.

Digital Signatures h = H(M). Key Management

Summary

33/89 INF140 Cryptography Security Requirement Overview Preimage resistant: For any given h, computationally Confidentiality infeasible to find y such that H(y) = h Symmetric Crypto (one-way property) Authentication

Public Key Crypto Second preimage resistant: For any given x, computationally

Digital Signatures infeasible to find y 6= x with H(y) = H(x) Key Management (weak collision resistant) Summary Collision resistant: Computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collision resistant)

Brute Force Attacks The complexity depends on hash value length of n bits: I Preimage and second preimage resistant: 2n I Collision resistant: 2n/2

34/89 INF140 Required Properties when using Hash Functions Cryptography

Overview

Confidentiality Symmetric Crypto Not all applications of hash functions require all properties Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

35/89 INF140 Hash Algorithms: MD5 Cryptography

Overview

Confidentiality

Symmetric Crypto Authentication I Message Digest algorithm 5, developed by Ron Rivest in Public Key Crypto 1991 Digital Signatures I Standardised by IETF in RFC 1321 Key Management

Summary I Generates 128-bit hash I Was commonly used by applications, passwords, file integrity; no longer recommended I Collision and other attacks possible; tools publicly available to attack MD5

36/89 INF140 Hash Algorithms: SHA series Cryptography

Overview

Confidentiality

Symmetric Crypto I Secure Hash Algorithm, developed by NIST Authentication

Public Key Crypto I Standardised by NIST in FIPS 180 in 1993 Digital Signatures I Improvements over time: SHA-0, SHA-1, SHA-2, Key Management SHA-3 Summary I SHA-1 (and SHA-0) are considered insecure; no longer recommended I SHA-2 considered secure I SHA-3 has been standardized and deployed (e.g. the Etherum)

37/89 INF140 A Brief Introduction of SHA-256 Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary I An input M is padded such that the length is a multiple of 512 bits long

I M is parsed into message blocks M1, M2, ··· , MN I The blocks are processed one at a time:

Hi = Hi−1  CMi (Hi−1) where + is word-wise mod 232 addition and C is a compression function with 256-bit output

38/89 Overview of SHA Family INF140 Assumptions: Authentication with Symmetric Cryptography Key and MACs Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto I An entity receiving ciphertext that successfully decrypts Digital Signatures with symmetric secret key KAB knows that the original Key Management message has not been modified and that it originated at Summary one of the owners of the secret key (i.e. A or B). I An entity receiving a message with attached MAC that successfully verifies, knows that the message has not been modified and originated at one of the owners of the MAC secret key.

40/89 INF140 Authentication using Message Authentication Cryptography Codes Overview

Confidentiality

Symmetric Crypto I Append small, fixed-size block of data to message:

Authentication cryptographic checksum or MAC

Public Key Crypto

Digital Signatures MAC = F(K, M)

Key Management

Summary I M = input message I F = MAC function I K = shared secret key of k bits I MAC = message authentication code (or tag) of n bits I MAC function also called keyed hash function I MAC function similar to encryption, but does not need to be reversible I Easier to design stronger MAC functions than encryption functions

41/89 INF140 Authentication using Message Authentication Cryptography Codes Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

42/89 INF140 MAC Algorithms Cryptography

Overview

Confidentiality

Symmetric Crypto I Data Authentication Algorithm (DAA): based on DES;

Authentication considered insecure Public Key Crypto I Cipher-Based Message Authentication Code (CMAC): Digital Signatures mode of operation used with Triple-DES and AES Key Management OMAC, PMAC, UMAC, VMAC, . . . Summary I I HMAC: MAC function derived from cryptographic hash functions I MD5/SHA are fast in software (compared to block ciphers) I Libraries for hash functions widely available I Security of HMAC depends on security of hash function used

43/89 INF140 HMAC Cryptography

Overview

Confidentiality HMAC(K,m)=H((K⊕ opad)||H((K⊕ ipad)||m))

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

44/89 INF140 Summary on Symmetric Cryptographic Primitives Cryptography

Overview Confidentiality Reversible Key Input/Output Size Instances Symmetric Crypto Block Ciphers Yes Yes Block Size 3DES, AES Authentication Stream Ciphers Yes Yes Byte or Word RC4, Trivium Public Key Crypto MACs No Yes Variable/Fixed CMAC, HMAC Digital Signatures Hash No No Variable/Fixed SHA-1/2/3

Key Management

Summary

Common Features: I iterative operations on the input (and key if in place) I the output is a random-like binary string I this feature enables the design of one primitive based on other secure primitives

45/89

INF140 Password-Based Key Derivation Func. (PBKDF) Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

MK = PBKDF2(P, S, C, dkLen) I P: Password; S: Salt; C: number of iterations I dkLen: intended length of derived key (< 232) I len := dkLen/hLen I int(i):=32-bit encoding of the integer i 48/89 INF140 Generation of Secret Keys Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto The security of symmetric cryptography depends on Digital Signatures

Key Management I symmetric primitives: strength/quality of the design,

Summary implementation, etc. I secret keys: key generation, key distribution, key management, etc

49/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

50/89 INF140 Birth of Public-Key Cryptography

Overview

Confidentiality Symmetric Crypto I Beginning to 1960’s: permutations and substitutions Authentication (Caesar, rotor machines, DES, . . . ) Public Key Crypto I 1960’s: NSA secretly discovered public-key Digital Signatures cryptography Key Management

Summary I 1970: first known (secret) report on public-key cryptography by CESG, UK I 1976: Diffie and Hellman public introduction to public-key cryptography I Avoid reliance on third-parties for key distribution I Allow digital signatures I 1978: Rivest, Shamir and Adlemen created RSA

51/89 INF140 Overview of Public-Key Cryptography Cryptography

Overview

Confidentiality Symmetric Crypto I key pair: each one has both private key and public key Authentication I Public Key Crypto I by encryption: encrypt shared key with the receiver’s Digital Signatures public key Key Management I by exchange: each of the two communicating parties Summary combine its private key with the other end’s public key I : encrypt the hash of a file with the sender’s private key Drawback in Performace public key crypto algorithms typically much slower than symmetric key algorithms (appr. 1000 times slower)

52/89 INF140 Public and Private Keys Cryptography

Overview Public Key Confidentiality Symmetric Crypto I For secrecy: used in encryption Authentication I For authentication: used in decryption Public Key Crypto I Available to anyone Digital Signatures

Key Management

Summary Private Key I For secrecy: used in decryption I For authentication: used in decryption I Secret, known only by owner

Public-Private Key Pair I User A has pair of related keys, public and private: (PUA, PRA)

53/89 INF140 Assumptions: Public Key Encryption Cryptography

Overview There is a pair of keys, public (PU) and private (PR). Confidentiality I One key from the pair is used for encryption, the other Symmetric Crypto

Authentication is used for decryption. Each entity has their own pair,

Public Key Crypto e.g. (PUA, PRA). Digital Signatures I Encrypting a plaintext message, M, with a key, Key Management produces ciphertext C, e.g. C = E(PUA, M). Summary I Decrypting ciphertext with the correct key will produce the original plaintext. The decrypter will be able to recognise that the plaintext is correct (and therefore the key is correct). E.g. M = D(PRA, C). I Decrypting ciphertext using the incorrect key will not produce the original plaintext. The decrypter will be able to recognise that the key is wrong, i.e. the decryption will produce unrecognisable output.

54/89 INF140 Confidentiality with Public Key Crypto Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Encrypt using receivers public key I Decrypt using receivers private key I Only the person with private key can successful decrypt

55/89 INF140 Authentication with Public Key Crypto Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Encrypt using senders private key I Decrypt using senders public key I Only the person with private key could have encrypted

56/89 INF140 Applications of Public Key Cryptosystems Cryptography

Overview

Confidentiality

Symmetric Crypto I Secrecy, encryption/decryption of messages Authentication I mostly used for encrypting/decrypting secret session Public Key Crypto keys, which is known as key exchange Digital Signatures

Key Management I Digital signature, sign message with private key

Summary

57/89 INF140 Requirements of Public-Key Cryptography Cryptography 1. Computationally easy for B to generate pair (PUb,PRb) Overview 2. Computationally easy for A, knowing PUb and message Confidentiality M, to generate ciphertext: Symmetric Crypto

Authentication C = E(PUb, M) Public Key Crypto Digital Signatures 3. Computationally easy for B to decrypt ciphertext using Key Management PRb: Summary

M = D(PRb, C) = D[PRb, E(PUb, M)]

4. Computationally infeasible for attacker, knowing PUb and C, to determine PRb 5. Computationally infeasible for attacker, knowing PUb and C, to determine M 6. (Optional) Two keys can be applied in either order:

M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]

58/89 INF140 Requirements of Public-Key Cryptography Cryptography

Overview 6 requirements lead to need for trap-door one-way function Confidentiality

Symmetric Crypto I Every function value has unique inverse Authentication I Calculation of function is easy Public Key Crypto I Calculation of inverse is infeasible, unless certain Digital Signatures information is known Key Management

Summary Y = fk (X ) easy, if k and Y are known −1 X = fk (Y ) easy, if k and Y are known −1 X = fk (Y ) infeasible, if Y is known but k is not

I What is easy? What is infeasible? I Computational complexity of algorithm gives an indication I Easy if can be solved in polynomial time as function of input

59/89 INF140 Public-Key Cryptanalysis Cryptography Brute Force Attacks Overview Confidentiality I Use large key to avoid brute force attacks Symmetric Crypto I Public key algorithms less efficient with larger keys Authentication Public-key cryptography mainly used for key Public Key Crypto I management and signatures Digital Signatures

Key Management

Summary Compute Private Key from Public Key I No known feasible methods using standard computing

Probable-Message Attack 0 0 I Encrypt all possible M using PUb—for the C that matches C, attacker knows M I Only feasible of M is short I Solution for short messages: append random bits to make it longer 60/89 INF140 Example Public-Key Algorithm: RSA Cryptography Key Generation Overview

Confidentiality 1. Choose primes p and q, and calculate n = pq Symmetric Crypto 2. Select e: gcd(φ(n), e) = 1, where Authentication φ(n) = (p − 1)(q − 1) and 1 < e < φ(n) Public Key Crypto 3. Find d ≡ e−1 (mod φ(n)) Digital Signatures

Key Management 4. n and e are public; p, q and d are private

Summary Encryption Encryption of plaintext M, where M < n:

C = Me mod n

Decryption Decryption of ciphertext C:

M = C d mod n

61/89 INF140

Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

62/89 INF140 Public-Key Algorithm: RSA Cryptography

Overview Created by RonRivest, AdiShamir and LenAdleman in Confidentiality I

Symmetric Crypto 1978 Authentication I Security of RSA Public Key Crypto 1. Brute force attack on d Digital Signatures 2. Factor n into its two prime factors

Key Management 3. Determine φ(n) directly, without determining p or q

Summary 4. Determine d directly, without determining φ(n) I Factoring is considered the easiest. Some records by length of n: I 1991: 330 bits (100 digits) I 2003: 576 bits (174 digits) I 2005: 640 bits (193 digits) I 2009: 768 bit (232 digits), 1020 operations, 2000 years on single core 2.2 GHz computer I Typical length of n: 2048 bits, 4096 bits

63/89 INF140 Diffie-Hellman Key Exchange Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication I Diffie and Hellman proposed public key crypto-system in Public Key Crypto 1976 Digital Signatures Key Management I Algorithm for exchanging secret key (not for secrecy of Summary data) I Based on discrete logarithms I Easy to calculate exponential modulo a prime I Infeasible to calculate inverse, i.e. discrete logarithm

64/89 INF140 Diffie-Hellman Key Exchange Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

65/89 INF140 Key Exchange Algorithm: Diffie-Hellman Scheme Cryptography Public Parameter Overview Confidentiality I a large odd prime p with generator α: 0 p−2 Symmetric Crypto Zp = {0, 1,..., p} = {0, α , . . . , α } Authentication Key Exchange Public Key Crypto Alice chooses a private key ka, send Bob its public key Digital Signatures I Pub = αka Key Management A Summary I Bob chooses a private key kb, send Alice its public key k PubB = α b Encryption Key Generation

I Alice uses its private key ka, Bob’s pub key PubB to calculate the encryption key: ka ka kb kakb K = Pubb = (α ) = α I Bob uses its private key kb, Bob’s pub key PubA to calculate the encryption key: kb kb ka kakb K = PubA = (α ) = α

66/89 INF140 Diffie-Hellman Key Exchange Example Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

An online calculator: http://www.dkerr.com/cgi-bin/modexp.pl?

67/89 INF140 Security of Diffie-Hellman Key Exchange Cryptography

Overview I Insecure against man-in-the-middle-attack Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

I Learned lesson: the authenticity of public key is crucial I Countermeasure is to use digital signatures and public-key certificates

68/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

69/89 INF140 Digital Signatures Cryptography

Overview

Confidentiality

Symmetric Crypto Aim of a signature: prove to anyone that a message Authentication I

Public Key Crypto originated at (or is approved by) a particular user Digital Signatures I Symmetric key cryptography Key Management I Two users, A and B, share a secret key K Summary I Receiver of message (user A) can verify that message came from the other user (B) I User C cannot prove that the message came from B (it may also have came from A) I Public key cryptography can provide signature: only one user has the private key

70/89 INF140 Assumptions: Digital Signatures Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto I A digital signature of a message M is the hash of that Digital Signatures message encrypted with the signers private key, i.e. Key Management S = E(PR, H(M)) Summary I An entity receiving a message with an attached digital signature knows that that message originated by the signer of the message.

71/89 INF140 Digital Signature Operations (Concept) Cryptography

Overview Signing Confidentiality Symmetric Crypto I User signs a message by encrypting with own private key Authentication Public Key Crypto S = E(PRA, M) Digital Signatures Key Management I User attaches signature to message Summary Verification I User verifies a message by decrypting signature with signer’s public key

0 M = D(PUA, S)

I User then compares received message M with decrypted M0; if identical, signature is verified

72/89 INF140 Digital Signature Operations (Practice) Cryptography No need to encrypt entire message; encrypt hash of message Overview

Confidentiality Signing Symmetric Crypto I User signs a message by encrypting hash of message Authentication with own private key Public Key Crypto

Digital Signatures S = E(PRA, H(M)) Key Management Summary I User attaches signature to message

Verification I User verifies a message by decrypting signature with signer’s public key

h = D(PUA, S)

I User then compares hash of received message, H(M), with decrypted h; if identical, signature is verified

73/89 INF140 Digital Signature Algorithms Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication I RSA Public Key Crypto I Digital Signature Algorithm (DSA): FIPS-186 Digital Signatures I ECDSA: DSA with elliptic curve cryptography Key Management ElGamal signature scheme: DSA is enhancement of Summary I ElGamal I Bilinear pairing based signatures, e.g. BLS I Different hash algorithms can be used; e.g. SHA2 I Preimage resistant, second preimage resistant, collision resistant

74/89 INF140

Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

75/89

INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

77/89 INF140 Key Management Cryptography

Overview Challenges Confidentiality Symmetric Crypto I How to share a secret key? Authentication I How to obtain someone else’s public key? Public Key Crypto When to change keys? Digital Signatures I

Key Management

Summary Assumptions and Principles I Many users wish to communicate securely across network I Attacker can intercept any location in network I Manual interactions between users are undesirable (e.g. physical exchange of keys) I More times a key is used, greater chance for attacker to discover the key

78/89 INF140 Exchanging Secret Keys Cryptography

Overview

Confidentiality Option 1: Manual Exchange of All Keys Symmetric Crypto Authentication I All users exchange secret keys with all other users Public Key Crypto manually (e.g. face-to-face) Digital Signatures I Inconvenient Key Management Summary Option 2: Manual Exchange of Master Keys I All users exchange master key with trusted, central entity (e.g. Key Distribution Centre) I Session keys automatically exchanged between users via KDC I Security and performance bottleneck at KDC

79/89 INF140 Exchanging Secret Keys Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto Option 3: Public Key Cryptography to Exchange Secrets Digital Signatures I Use public-key cryptography to securely and Key Management automatically exchange secret keys Summary I Example 1: user A encrypts secret with user B’s public key; sends to B I Example 2: Diffie-Hellman secret key exchange

80/89 INF140 Distributing Public Keys Cryptography

Overview I By design, public keys are made public Confidentiality I Issue: how to ensure public key of A actually belongs to Symmetric Crypto A (and not someone pretending to be A) Authentication

Public Key Crypto I Approaches for public key distribution

Digital Signatures 1. Public announcement (web page, email, newspaper)

Key Management 2. Publish in electronic directory (which manually

Summary authenticates users) 3. Public key authority: I Users manually publish key at authority, and gain authorities public key I Users automatically request other users public keys from authority 4. Public key certificates I Users manually register with authority I Authority issues certificates to users: users public key signed by authority I Users automatically exchange certificates

81/89 INF140 Key Hierarchy and Lifetimes Cryptography

Overview

Confidentiality Symmetric Crypto I Master keys used to securely exchange session keys Authentication I Session keys used to securely exchange data Public Key Crypto

Digital Signatures I Change session keys automatically and regularly Key Management I Change master keys manually and seldom Summary I Session key lifetime: I Shorter lifetime is more secure; but increases overhead of exchanges I Connection-oriented protocols (e.g. TCP): new session key for each connection I Connection-less protocols (e.g. UDP/IP): change after fixed period or certain number of packets sent

82/89 INF140 Contents Cryptography

Overview Cryptography for Security Confidentiality

Symmetric Crypto Encryption for Confidentiality Authentication

Public Key Crypto

Digital Signatures Symmetric Cryptography

Key Management

Summary Integrity and Authenticity

Public Key Cryptography

Digital Signatures

Key Management

Summary

83/89 INF140 Key Points Cryptography

Overview

Confidentiality

Symmetric Crypto Symmetric key encryption used for file and network data Authentication I

Public Key Crypto confidentiality (AES, 3DES) Digital Signatures I Public key encryption used for key exchange and source Key Management authentication (RSA, DH, certificates) Summary I MAC functions used for data and source authentication (HMAC) I Hash function used for data authentication (MD5, SHA) I Public key crypto combined with hash functions for digital signatures

84/89 INF140 Summary: Cryptography for Security Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication

Public Key Crypto

Digital Signatures

Key Management

Summary

Credit: the book “Everyday cryptography: Fundamental principles and applications”

85/89 Hybrid of Modern Cryptography INF140 Common Principles used in Security Cryptography

Overview I Experience: Algorithms that have been used over a long Confidentiality period are less likely to have security flaws than newer Symmetric Crypto algorithms. Authentication Public Key Crypto I Performance: Symmetric key algorithms are significantly Digital Signatures faster than public key algorithms (appr. 1000 times) Key Management I Performance: The time to complete a cryptographic Summary operation is linearly proportional with the input data size. I Key Distribution: Keys should be distributed using automatic means. I Key Re-use: The more times a key is used, the greater the chance of an attacker discovering that key. I Multi-layer Security: Using multiple overlapping security mechanisms can increase the security of a system.

87/89 INF140 Security Issues Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto I Key management and distribution: difficult to confirm Digital Signatures that public key belongs to claimed entity Key Management I Implementation: flaws in software implementations can Summary weaken otherwise secure algorithms I Algorithm design: difficult to prove security of algorithms

88/89 INF140 References & Reading Cryptography

Overview

Confidentiality

Symmetric Crypto

Authentication Public Key Crypto I Reading: Cryptographic Tools in Chapter 2 Digital Signatures Wikipedia: Cryptography Key Management I

Summary I Optional Reading I Classical Cryptographic Tools: practicalcryptography I Cryptographic algorithms in Chapters 20 and 21 I Wikipedia: Comparison of Cryptography Libraries

89/89