Cryptography Overview Cryptography Basic Cryptographic Concepts Five
Total Page：16
File Type：pdf, Size：1020Kb
CS 155 Spring 2006 Cryptography Is A tremendous tool Cryptography Overview The basis for many security mechanisms Is not John Mitchell The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless you spend a lot of time becoming an expert you subject your design to outside review Basic Cryptographic Concepts Five-Minute University Encryption scheme: functions to encrypt, decrypt data key generation algorithm Secret key vs. public key -1 Public key: publishing key does not reveal key -1 Father Guido Sarducci Secret key: more efficient, generally key = key Hash function, MAC Everything you could remember, five Map input to short hash; ideally, no collisions MAC (keyed hash) used for message integrity years after taking CS255 … ? Signature scheme Functions to sign data, verify signature Web Purchase Secure communication 1 Secure Sockets Layer / TLS SSL/TLS Cryptography Standard for Internet security Public-key encryption Key chosen secretly (handshake protocol) Originally designed by Netscape Key material sent encrypted with public key Goal: “... provide privacy and reliability between two communicating applications” Symmetric encryption Two main parts Shared (secret) key encryption of data packets Signature-based authentication Handshake Protocol Client can check signed server certificate Establish shared secret key using public-key cryptography Signed certificates for authentication And vice-versa, in principal Record Layer Hash for integrity Transmit data using negotiated key, encryption function Client, server check hash of sequence of messages MAC used in data packets (record protocol) Example cryptosystems One-time pad One-time pad Secret-key encryption scheme (symmetric) “Theoretical idea,” but leads to stream cipher Encrypt plaintext by xor with sequence of bits Feistel construction for symmetric key crypto Decrypt ciphertext by xor with same bit sequence Iterate a “scrambling function” Examples: DES, Lucifer, FREAL, Khufu, Khafre, LOKI, Scheme for pad of length n GOST, CAST, Blowfish, … Set P of plaintexts: all n-bit sequences AES (Rijndael) is also block cipher, but different Set C of ciphertexts: all n-bit sequences Complexity-based public-key cryptography Set K of keys: all n-bit sequences Modular exponentiation is a “one-way” fctns Examples: RSA, El Gamal, elliptic curve systems, ... Encryption and decryption functions encrypt(key, text) = key ⊕ text (bit-by-bit) decrypt(key, text) = key ⊕ text (bit-by-bit) Evaluation of one-time pad Feistel networks Advantages Many block algorithms are Feistel networks Easy to compute encrypt, decrypt from key, text A block cipher encrypts data in blocks As hard to break as possible Encryption of block n+1 may depend on block n This is an information-theoretically secure cipher Given ciphertext, all possible plaintexts are equally likely, Feistel network is a standard construction for assuming that key is chosen randomly Iterating a function f on parts of a message Disadvantage Producing an invertible transformation Key is as long as the plaintext AES (Rijndael) is related How does sender get key to receiver securely? Also a block cipher with repeated rounds Not a Feistel network Idea for stream cipher: use pseudo-random generators for key... 2 Feistel network: One Round Data Encryption Standard Divide n-bit input in half and repeat Developed at IBM, some input from NSA, widely used Scheme requires Feistel structure L i-1 R i-1 Function f(Ri-1 ,Ki) Permute input bits Computation for Ki Repeat application of a S-box function K e.g., permutation of key K f i Apply inverse permutation to produce output Advantage Worked well in practice (but brute-force attacks now) Systematic calculation ⊕ Efficient to encrypt, decrypt Easy if f is table, etc. Not provably secure Invertible if Ki known Improvements L i R i Get Ri-1 from Li Compute f(R i-1 ,Ki) Triple DES, AES (Rijndael) Compute Li-1 by ⊕ Block cipher modes (for DES, AES, …) Electronic Code Book (ECB) ECB – Electronic Code Book mode Plain Text Plain Text Divide plaintext into blocks Encrypt each block independently, with same key CBC – Cipher Block Chaining Block Block Block Block XOR each block with encryption of previous block Cipher Cipher Cipher Cipher Use initialization vector IV for first block OFB – Output Feedback Mode Iterate encryption of IV to produce stream cipher CFB – Cipher Feedback Mode Ciphe r Tex t Cip her T Output block yi = input xi + encyrptK(yi-1) Problem: Identical blocks encrypted identically No integrity check Cipher Block Chaining (CBC) Comparison (for AES, by Bart Preneel) Plain Text Plain Text IV Block Block Block Block Cipher Cipher Cipher Cipher Similar plaintext blocks produce similar ciphertext (see outline of head) Ciphe r Tex t Cip her T No apparent pattern Advantages: Identical blocks encrypted differently Last ciphertext block depends on entire input 3 RC4 stream cipher – “Ron’s Code” RSA Trade Secret Design goals (Ron Rivest, 1987): History speed 1994 – leaked to cypherpunks mailing list support of 8-bit architecture 1995 – first weakness (USENET post) simplicity (circumvent export regulations) 1996 – appeared in Applied Crypto as Widely used “alleged RC4” 1997 – first published analysis SSL/TLS Windows, Lotus Notes, Oracle, etc. Cellular Digital Packet Data OpenBSD pseudo-random number generator Weakness is predictability of first bits; best to discard them Encryption/Decryption Security key Goal: indistinguishable from random sequence given part of the output stream, it is impossible to distinguish it from a random string Problems state 000111101010110101 Second byte [MS01] ⊕ Second byte of RC4 is 0 with twice expected probability plain text plain text Related key attack [FMS01] = Bad to use many related keys (see WEP 802.11b) cipher text cipher t Recommendation Discard the first 256 bytes of RC4 output [RSA, MS] Stream cipher: one-time pad based on pseudo-random generator Complete Algorithm (all arithmetic mod 256) Complexity Classes Key scheduling for i := 0 to 255 S[i] := i hard Answer in polynomial space 0 1 2 3 4 5 6 … j := 0 PSpace may need exhaustive search for i := 0 to 255 Permutation of 256 bytes, depending on key j := j + S[i] + key[i] NP If yes, can guess and check in swap (S[i], S[j]) 2 123 134 24 1 218 53 … polynomial time i, j := 0 Random generator repeat Answer in polynomial time, with BPP i := i + 1 high probability j := j + S[i] 2 123 134 24 9 218 53 … swap (S[i], S[j]) P i j Answer in polynomial time output (S[ S[i] + S[j] ]) +24 easy compute answer directly 4 One-way functions One-way trapdoor A function f is one-way if it is A function f is one-way trapdoor if Easy to compute f(x), given x Easy to compute f(x), given x Hard to compute x, given f(x), for most x Hard to compute x, given f(x), for most x Extra “trapdoor” information makes it easy to Examples (we believe they are one way) compute x from f(x) f(x) = divide bits x = y@z and multiply f(x)=y*z x f(x) = 3 mod p, where p is prime Example (we believe) 3 3 f(x) = x mod pq, where p,q are primes with |p|=|q| f(x) = x mod pq, where p,q are primes with |p|=|q| Compute cube root using (p-1)*(q-1) Public-key Cryptosystem Example: RSA Trapdoor function to encrypt and decrypt Arithmetic modulo pq encrypt(key, message) n Generate secret primes p, q ab key pair Generate secret numbers a, b with x ≡ x mod pq Public encryption key 〈n, a〉 -1 a decrypt(key , encrypt(key, message)) = message Encrypt(〈n, a〉, x) = x mod n Private decryption key 〈n, b〉 b Resists attack Decrypt(〈n, b〉, y) = y mod n Main properties Cannot compute m from encrypt(key, m) and key, This works unless you have key-1 Cannot compute b from n,a Apparently, need to factor n = pq How RSA works (quick sketch) How well does RSA work? Let p, q be two distinct primes and let n=p*q Can generate modulus, keys fairly efficiently * Efficient rand algorithms for generating primes p,q Encryption, decryption based on group Zn May fail, but with low probability For n=p*q, order φ(n) = (p-1)*(q-1) Given primes p,q easy to compute n=p*q and φ(n) Proof: (p-1)*(q-1) = p*q - p - q + 1 Choose a randomly with gcd(a, φ(n))=1 Key pair: 〈a, b〉 with ab ≡ 1 mod φ(n) Compute b = a-1 mod φ(n) by Euclidean algorithm a Encrypt(x) = x mod n Public key n, a does not reveal b b Decrypt(y) = y mod n This is not proven, but believed ab Since ab ≡ 1 mod φ(n), have x ≡ x mod n But if n can be factored, all is lost ... Proof: if gcd(x,n) = 1, then by general group theory, otherwise use “Chinese remainder theorem”. Public-key crypto is significantly slower than symmetric key crypto 5 Message integrity Cryptographic hash functions Length-reducing function h For RSA as stated, integrity is a weak point Map arbitrary strings to strings of fixed length e e e encrypt(k*m) = (k*m) = k * m = encrypt(k)*encrypt(m) One way (“preimage resistance”) This leads to “chosen ciphertext” form of attack Given y, hard to find x with h(x)=y If someone will decrypt new messages, then can trick them Collision resistant into decrypting m by asking for decrypt(ke *m) Implementations reflect this problem Hard to find any distinct m, m’ with h(m)=h(m’) nd “The PKCS#1 … RSA encryption is intended primarily to Also useful: 2 preimage resistance provide confidentiality.