sign in sign up
<<
Home , EFF DES cracker, RC6

IN3210 – Network Security Cryptographic Foundations History of

2 Confidential Communication

Eve

Dear Dear Bob Bob ......

Alice Bob

3 Confidential Communication

A B

4

⚫ Examples: − Tattoo on head + growing hair back − Invisible ink − Micro dot ⚫ Security by obscurity ⚫ Typically not conforming with Kerckhoff’s principle ⚫ Modern steganography: − Printer steganography

− Embedding into multimedia Image Source: Wikipedia Source: Image data

5 Cryptology

⚫ Cryptography − Practice and study of using mathematics to protect data/information − From Greek ▪ kryptos: "hidden, secret" and ▪ gráphō: "I write" ⚫ − Practice and study of finding weaknesses or insecurity in a cryptographic scheme, thus permitting its subversion or evasion − From Greek ▪ analýein: "to loosen" or "to untie"

6 Classical Cipher

⚫ Caesar Cipher (50 B.C.) X Y Z A B C D E

3

X Y Z A B C D E

Hello Khoor

Plaintext Chiffre-

text Image Source: www.asterix.com Source: Image

7

Key = 3 Key = 3

KhoorHello Hello

8 Symmetric Encryption

6R4Y2 Eve hlbMZ CB...

Dear Dear Bob Bob Encryption Decryption ......

Alice Bob

9 Caesar Cipher Testing all possible values (e.g. of a key) is called ⚫ Which is encrypted here? Brute Force Attack − Ymjvznhpgwtbsktcozruxtajwymjqfeditl. ⚫ Try each possible key: 1. Xliuymgofvsarjsbnyqtwszivxlipedchsk. 2. Wkhtxlfneurzqiramxpsvryhuwkhodcbgrj. 3. Vjgswkemdtqyphqzlworuqxgtvjgncbafqi. 4. Uifrvjdlcspxogpykvnqtpwfsuifmbazeph. 5. Thequickbrownfoxjumpsoverthelazydog. 6. Sgdpthbjaqnvmenwitlornudqsgdkzyxcnf. 7. Rfcosgaizpmuldmvhsknqmtcprfcjyxwbme. 8. Qebnrfzhyoltkclugrjmplsboqebixwvald. 9. Pdamqeygxnksjbktfqilokranpdahwvuzkc. 10. …

10 Security of Crypto Systems

⚫ The previous attack assumes that the attacker knows: a) the Caesar cipher was used for encryption b) how the Caesar cipher work ⚫ What is the effect if the attacker does not have this information? ⚫ More general: is a crypto system more secure if the system and its internal function kept secret?

11 Kerckhoff‘s Principle

⚫ “A should be secure even if the attacker knows all details about the system (including the encryption and decryption algorithms), with the exception of the secret key.“ ⚫ Common mistake: keeping cryptographic algorithms secret increases the security (“security by obscurity”) ⚫ Example: GSM A5 algorithms Auguste Kerckhoffs − Details kept secret (1835 – 1903) Dutch crytographer − No cryptanalysis by the research community possible − Attackers found weaknesses Wikipedia Source: Image − Nearly all variants nowadays broken! 12 Caesar Cipher

BON 18

TGF HUT 12

Finding the correct key 2 is hard, without RED knowledge of (at least part of) the plaintext.

13 One-Time Pad Encryption

Attack at dawn!

k1

k2 Retreat at 1100

B2 A0 C1 C2 E7 FB FE FA 89 AA AF 56 6A 67

k3

The cat is dead

k4

14 Basic Types of Attacks (on the Encryption Key)

-only attack − The attacker has access to one or several ⚫ Known-plaintext attack − The attacker has access to one or several plaintext / ciphertext pairs ⚫ Chosen-plaintext attack − The attacker can retrieve ciphertexts for arbitrarily chosen ⚫ (Adaptive) chosen-ciphertext attack − The attacker can retrieve plaintexts for arbitrarily chosen ciphertexts

15 Monoalphabetical Substitution

⚫ Improvement over Caesar cipher ⚫ Each letter is replaced by (exactly) one other letter ⚫ Example:

Plaintext: a b c d e f g h i j k l m n o p r s t u v w x y z

Ciphertext: U F L P W D R A S J M C O N Q Y B V T E X H Z K G I

⚫ Number of possible keys?

⚫ 26!  1026  288

16 Monoalphabetical Substitution

⚫ Can easily be broken by analyzing the letter frequency in the cipher text ⚫ Large key space is a requisite but not sufficient for a secure encryption scheme ⚫ Next improvement: polyalphabetical substitution (e.g. Vignere,

1550) th 1.52% he 1.28% Bigram Frequency in 0.94% (english text) er 2,26% an 2,00% re 1,99% nd 1,88% Letter Frequency at 1,79% (english text) 17 Enigma

⚫ Invented 1918 by Arthur Scherbius ⚫ Electro-mechanical rotor cipher machines ⚫ Used by the German forces during WWII ⚫ Implements a polyalphabetical substitution cipher

18 Image Source: Wikipedia Source:Image Enigma

⚫ When pressing a button on the keyboard: − (at least) on rotor is turning on position − an electrical circuit is closed and

one bulb lights up Wikipedia

19 Image Source : : Source Image Enigma

⚫ Encryption was broken by Polish and British codebreakers in Bletchley Park ⚫ Most famous member:

− Alan Turing Wikipedia , http://www.cryptomuseum.com/

20 Source: Image Enigma

⚫ Simulator: − http://users.telenet.be/d.rijmenants/en/enigmasim.htm

21

Singh ⚫ The Code Book: The Secret History of Codes and Code- breaking

22 Crypto Primitives and their Usage

Confidentiality Integrity  Authenticity  Non-repudiation

Encryption Hash Functions (Cipher)

23 (Symmetric) Encryption

24 Encryption

⚫ Encryption − Process of converting ordinary information the so-called plaintext into unintelligible gibberish the so-called ciphertext ⚫ Decryption − Reverse process converting ciphertext back to plaintext ⚫ Cipher (or cypher) − Pair of algorithms which create the encryption and the reversing decryption − The detailed operation of a cipher is controlled both by the algorithm and in each instance by a key

25 Symmetric Encryption

⚫ The same key (secret key) is used for encryption and decryption

6R4Y2 Eve hlbMZ CB...

Dear Dear Bob Bob Encryption Decryption ......

Alice Bob

Key Generator Symmectric Key

26 Formalization of (symmetric) Encryption

⚫ Space of plain texts: P ⚫ Space of cipher texts: C ⚫ Space of keys: K ⚫ Encryption:

E: P x K → C, E(x, k) = Ek(x) ⚫ Decryption:

D: C x K → P, D(y, k) = Dk(y) ⚫ D is the invers function of E, i.e. for all x ∈ P and k ∈ K:

Dk(Ek(x)) = x

27 Formalization of Caesar Cipher

⚫ Numerical encoding of letters: A → 0, B → 1, …, Z → 25

⚫ Space of plain texts: P = ℤ26 = {0, 1, …, 25}

⚫ Space of cipher texts: C = ℤ26

⚫ Space of keys: K = ℤ26 ⚫ Encryption:

Ek(x) = x + k mod 26 ⚫ Decryption:

Dk(x) = x + (– k) mod 26 ⚫ Size of key space? → |K| = 26

28

Key stream ks

Cipher stream c

Plain text m Encryption

Key stream ks

Cipher stream c

Plain text m‘ = m Decryption

29 Stream Ciphers

⚫ A stream cipher is a symmetric key cipher where plaintext

bits (mi) are combined with a pseudorandom cipher bit stream (key stream ks) ⚫ The pseudorandom key stream is generated by a pseudorandom number generator from a (shared) key

Key k

PRNG Key stream ks

Cipher stream c

Plain text m

30 One time pad

⚫ Key stream is completely random and only used once ⚫ Problem: (key has same size than plain/cipher text) ⚫ Provable perfectly secure (can only broken if key is known) ⚫ Cipher text can mean anything

31 Examples for Stream Ciphers

⚫ A5/1 and A5/2 (1989; used in GSM) → broken ⚫ RC4 (1987) → broken ⚫ Salsa20 (2005) ⚫ ChaCha20 (2008)

32

⚫ A block cipher (Enc) is a symmetric key cipher and takes as input an n-bit block of plaintext and a key (k), and outputs a n-bit block of ciphertext

THIS IS A SIMPLE PLAINTEXT MESSAGE. n bit k Enc k Encryption k Encryption k Encryption

n bit X&jÜ(mA’8Dwßµ<3 Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1§ü

33 Examples for Block Ciphers

⚫ DES () ⚫ AES (Advanced Encryption Standard) ⚫ ⚫ RC6 ⚫ MARS ⚫

AES Image Source: Wikipedia

35 AES and DES

⚫ DES (NIST 1977) − 64 bit blocks und 56 bit keys − Standard encryption in 1980s and 1990s ⚫ Advanced Encryption Standard (AES) − AES (Rijndael) developed by Belgian cryptographers − Standardized by NIST in 2000 as DES successor − 128 bit blocks and 128, 192, 256 bit keys Brute force attack on AES and DES

⚫ Brute force attack on 56 key: − 1998: EFF DES Cracker (ASICs), 4.5 days, 250.000$ − 2006: COPACOBANA (FPGA), 6.4 days, 10.000$ Key length Duration − 2012: Pico Computing (FPGA), 0.5 days 56 bit 1 s ⚫ Brute force attack on 128 or 256 bit key? 64 bit 4 m (Assumption: breaking 56 bit in 1 80 bit 194 d second) 112 bit 109 a 128 bit 1014 a 192 bit 1033 a 256 bit 1052 a

⚫ What happens if you want to encrypt 100 bit with a 128 bit block cipher? ⚫ You must fill the plaintext up to the block length of the cipher ⚫ Approaches − Decryption process knows the data length ▪ Example: from a header entry ▪ Block can be filled with random bits/byte − Decryption process does not know the data length ▪ Padding bits/bytes must be marked Padding – One and Zeros

⚫ Attach one binary 1 followed by none, one or multiple binary 0

11010010 101110

11010010 10111010

11010010 1011100

11010010 10111001

11010010 10111001

11010010 10111001 10000000 00000000 Padding PKCS#5

⚫ Padding of whole bytes ⚫ Let L be the block size (in bytes)

⚫ When N bytes are missing to a full block (1  N  L): add N bytes each with the value N ⚫ Examples (L = 8, XX = existing message, all numbers in hex) − XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX 01 − XX XX XX XX XX XX XX XX | XX XX XX XX XX 03 03 03 − XX XX XX XX XX XX XX XX | XX 07 07 07 07 07 07 07 − XX XX XX XX XX XX XX XX | 08 08 08 08 08 08 08 08 ⚫ Invalid padding example: − XX XX XX XX XX XX XX XX | XX XX XX XX XX XX 08 02

40 Modes of Operation

⚫ Block ciphers operate on a fixed length input − DES, 3DES, IDEA: 64 bit − AES: 128, 192, 256 bit ⚫ Processing of larger input − Cut input into blocks of the required block size and process them one after the other ⚫ This naïve approach is also known as the Electronic Codebook (ECB) mode of operation Block Cipher: Electronic Code Book

THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption Encryption Encryption

X&jÜ(mA’8Dwßµ<3Ji8(clÄ+#/2Haq% 7Ö1k5a$jA~Kq1§ü

42 Block Cipher: Electronic Code Book THIS IS A SIMPLE PLAINTEXT MESSAGE.

Encryption Encryption Encryption

X&jÜ(mA’8Dwßµ<3 Ji8(clÄ+#/2Haq% 7Ö1k5a$jA~Kq1§ü

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Encryption Encryption Encryption

Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 43 Electronic Codebook (ECB)

⚫ Identical plaintext blocks are encrypted into identical ciphertext blocks ⚫ No protection of block order ⚫ Eases replay attacks

ECB

Encryption Image Source: Wikipedia Source: Image Cipher Block Chaining (CBC)

NachrichtPlain Text

b0 b1 ... bn

IV

Enc k Enc k Enc k

c0 c1 ... cn

GeheimtextCipher Text Cipher Block Chaining (CBC)

⚫ Identical plaintext blocks are NOT encrypted into identical ciphertext blocks ⚫ More “randomness” inside the encrypted data ⚫ However: XOR of plain and cipher text can be misused (later)

CBC Image Source:Wikipedia Encryption Symmetric Encryption

⚫ One remaining problem: key generation

6R4Y2 Eve hlbMZ CB...

Dear Dear Bob Bob Encryption Decryption ......

Alice Bob

Key Generator Symmectric Key

47 Detour: Key Generation

⚫ Keys are derived from random numbers ⚫ is not trivial ⚫ Computers are deterministic and can only generate pseudo random numbers ⚫ Poor “random” numbers which can be anticipated allow attacker calculation of keys

48 Detour: Key Generation

⚫ OpenSSL bug in Debian

49 Symmetric Encryption

⚫ Another remaining problem: key exchange

6R4Y2 Eve hlbMZ CB...

Dear Dear Bob Bob Encryption Decryption ......

Alice Bob

Key Generator Symmectric Key

50 Key Exchange and Asymmetric Encryption

51 Diffie Hellman Key exchange

⚫ Creating common (symmetric) key only known to the communication partners

⚫ Created by and in 1976 Image source: Wikipedia source:Image

Illustration of DH Key Exchange Image source: Wikipedia source: Image

⚫ a  b (mod n)  there is an integer k such that a – b = kn ⚫ Example: − 13  19 (mod 3), because 19 – 13 = 2 * 3 ⚫ Simplified (sufficient for this lecture): mod operator ⚫ x mod n: remainder when performing an integer division of x and n ⚫ Example: − 19 mod 3 = 1 − 13 mod 3 = 1 − 1234 mod 10 = 4 − 220 mod 10 = 6

54 Logarithm

⚫ Choose (integer) b and a and calculate y = ba ⚫ Given just b and y can you calculate a?

⚫ Easy (logarithm): a = logb y ⚫ Example: − b = 7, y = 13841287201, a = ?

55 Discrete Logarithm

⚫ Choose integer b, a and n and calculate y = ba mod n ⚫ Given just b, n and y can you calculate a? ⚫ Example: − b = 7, n = 1023, y = 439, a = ? ⚫ Hard problem: Discrete Logarithm Problem (DLP) ⚫ No simple calculation ⚫ Only (known) method: test all possible values for a (infeasible for large n)

56 Diffie Hellman Key exchange

⚫ Alice and Bob agree on (public parameters): − Large prime number p ga mod p − Generator g (i.e. g is primitive root mod p) ⚫ Alice chooses a random number a and sends ga mod p to Bob gbmod p ⚫ Bob chooses a random number b and send gb mod p to Alice ⚫ Calculation of common secret: − Alice: (gb)a mod p = gab mod p = K − Bob: (ga)b mod p Diffie Hellman Key exchange

⚫ (Passive) attacker learns: − g − p ga mod p − gb mod p − ga mod p ⚫ For calculating K the attacker needs gbmod p additionally a or b ⚫ a or b can not (easily) derived from the know values: DLP

Eve Weakness of DH Key Exchange

ga Mallory gb

ge ge

Secure Communication Secure Communication ae K = gbe mod p K1 = g mod p 2

Solution: later! Breaking DH

⚫ Certain ⚫ Which size to choose for p? − 512 bit → practically broken (2015) − 1024 bit → estimated costs for breaking: 100 million $ − 2048 bit → secure, but long runtime

60 Asymmetric Encryption

⚫ Problem of symmetric encryption: − must be distributed ⚫ Problem of DH key exchange: − interactive protocol − both parties must be “online” in order to start encrypted communication ⚫ Asymmetric Encryption: − Use different keys for de- and encryption − Public encryption key is published (everyone can encrypt) − Private decryption key is kept confidential (just owner can decrypt) Asymmetric Encryption

⚫ Two distinct keys (private key and public key) are used for encryption and decryption respectively

Eve 6R4Y2 hlbM ZCB...

Dear Dear Bob Encryption Decryption Bob ......

Alice Bob Private Key Key Pair Generator Public Key Formalization of (asymmetric) Encryption

⚫ Space of plain texts: P ⚫ Space of cipher texts: C

⚫ Space of keys: public/private key pairs: K  PK x SK ⚫ Encryption:

E: P x PK → C, E(x, pk) = Epk(x) ⚫ Decryption:

D: C x SK → P, D(y, sk) = Dsk(y) ⚫ D is the invers function of E, i.e. for all x ∈ P and (pk, sk) ∈ K:

Dsk(Epk(x)) = x Asymmetric Encryption

⚫ Based on number theoretic problems − RSA: Factorisation Problem − ElGamal: Discrete Logarithm Problem (DLP) ⚫ RSA: named after its inventors (1978): − Ronald Rivest − Adi Shamir − Leonard Adleman

Image sources: • University of Southern California • Massachusetts Institute of Technology RSA

⚫ Choose two prime numbers p and q ⚫ Calc n = p · q, m = (p – 1) (q – 1) ⚫ Choose e and d with e · d ≡ 1 (mod m) ⚫ Public key: n, e ⚫ Private key: d ⚫ Encryption of message M: C = M e mod n ⚫ Decryption of cipher text C: M’ = C d mod n ⚫ M' = (M e)d mod n = M

Follows from Euler‘s Theorem RSA Calculation

⚫ 1. problem: calculation effort − 푥푛 = 푥 ∙ ⋯ ∙ 푥 → n – 1 multiplications 푛 ⚫ and Multiply: − Write n in binary; remove the first 1 − For evert 1 perform first a square (...2) operation then a multiply operation (• x) − For evert 0 perform a multiply operation (• x) ⚫ Example:

− n = 2310 = 101112 → Q QM QM QM 2 2 − 푥23 = 푥2 2 ∙ 푥 ∙ 푥 ∙ 푥 − 7 multiplications instead of 22 ⚫ “Standard” value for e:

− 6553710 = 100000000000000012 → 16 multiplications

66 RSA Calculation

⚫ 2. problem: large intermediate values: − “Me mod n” is smaller than n, but “Me“ is very large ⚫ Property of mod operator: − (x • y) mod n = ((x mod n) • (y mod n)) mod n ⚫ Application to Square and Multiply: − Perform a “mod” operation after every square or multiply step − Example: 2 2 ▪ 푥23 mod 푛 = 푥2 mod 푛 2 mod 푛 ∙ 푥 mod 푛 mod 푛 ∙ 푥 mod 푛 … − No intermediate value is larger than 푛2

67 Prime Numbers

⚫ How to calculate large (~ 500 - 2000 bits) prime numbers? ⚫ 2 types of primality tests: − Deterministic − Probabilistic ⚫ Example: Solovay–Strassen primality test: − max ½ probability of wrong answer − Algorithm for testing is n is prime ▪ Repeat k times: o Choose random number a o Run primality test (uses number a as parameter) o If false return „not prime“ ▪ Return „probable prime“ − Error probability: 1/2k, e.g. 2-100 for k = 100 RSA Decimal Binary Cash prize Factored on Breaking RSA number digits digits offered RSA-100 100 330 $1000 April 1, 1991 RSA-110 110 364 $4429 April 14, 1992 RSA-120 120 397 $5895 July 9, 1993 ⚫ Best known RSA-129 129 426 $100 April 26, 1994 attack on RSA: RSA-130 130 430 $14,527 April 10, 1996 RSA-140 140 463 $17,226 February 2, 1999 factorizing n RSA-150 150 496 April 16, 2004 RSA-155 155 512 $9383 August 22, 1999 RSA-160 160 530 April 1, 2003 RSA-170 170 563 December 29, 2009 RSA-576 174 576 $10,000 December 3, 2003

RSA-180 180 596 May 8, 2010

RSA-190 190 629 November 8, 2010 RSA-640 193 640 $20,000 November 2, 2005 RSA-200 200 663 May 9, 2005 RSA-210 210 696 September 26, 2013 RSA-704 212 704 $30,000 July 2, 2012

RSA-220 220 729 May 13, 2016

RSA-768 232 768 $50,000 December 12, 2009 Wikipedia Source: Hybrid Encryption (1/3)

⚫ Pros and cons of (a)symmetric encryption: − Symmetric encryption: ▪ good performance (1000x times faster) vs. key exchange problem − Asymmetric encryption: ▪ easier key management vs. slow performance + limited message size ⚫ Hybrid Encryption: combining the advantages: − Encrypt a random symmetric session key by means of asymmetric encryption − Encrypt the data with the symmetric session key and by means of symmetric encryption Hybrid Encryption (2/3)

⚫ Encryption process

Dear 6R4Y2hlb Symmetric Bob MZCBaj39 Encryption .... c2jmCw...

Alice Encrypte d Key

Key Asymetric Generator Symmetric Key Encryption

Bob‘s Public Key Hybrid Encryption (3/3)

⚫ Decryption process

6R4Y2hlb Dear Symmetric MZCBaj39 Bob Decryption c2jmCw......

Encrypte Bob d Key

Asymmetric Decryption Symmetric Key

Bob‘s Private Key Exchange of Public Keys

⚫ Confidentiality not required → passive attacker can read the public key (no problem)

Bob Eve Alice

“Alice”, pub(A)

Enc(pub(A), M) Exchange of Public Keys

⚫ Integrity highly required → active attacker can modify/exchange the public key (system broken!)

Bob Mallory Alice

“Alice”, pub(A) “Alice”, pub(E)

Enc(pub(E), M)

Solution: later! Hash Functions Integrity testing

Alice Bob Hash Function

h( · )

Alice Bob Definition of Hash Function

n ⚫h : * →  NoZXJuZCBhw59lbiBNw6R4Y2hlbnMZCBhw59lFLDvGJlbiwgSm9naHVydCB1 bmQgUXV4Y2hlbnMgVsOw59l2R4Y2hlbnMgVsOZ2R4bnMgVsOVsIFLDhcms=

Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. 68ac906495480a3404be Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,, sed diam eirmod ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et duo dolores et ea. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum amet.

da39a3ee5e6b4b0d3255 15a391c7de1f07f4885af Real life example: Integrity Protection for Dowloads

⚫ Ubuntu: File„MD5SUM“

cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso 14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso 99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso

⚫ Xfce: Note on Web site Properties of Hash Functions

h(M) = 4711 h(M’) = 4711

4711 4711

Alice Bob Collision resistant

⚫ Collision − There exists two messages M and M’: M ≠ M’ and h(M) = h(M’) ⚫ Avoiding accidental collisions: − Choose co-domain large enough ⚫ Collision resistant : − It is not possible (using “reasonable” computation time) to find a collision i.e. two messages M and M’ with h(M) = h(M’) Poor Hash Function

⚫ Checksum: L o r e m i p s u m d o l o r s i t a m e t c o n s e t e t u r

39 AC 2E 31 7F 03 F5 81

S e l l 1 8 S e l l 1 1 b o o k s 1 0 b o o k s 8 0 E U R e a c h E U R e a c h Requirement for Hash Function

⚫ Randomness − Small change on input → large change on output − ⚫ Rule of thumb − 1 input bit is changed → 50 % output bits are changed ⚫ Example: − SHA-1(„Hallo“) = 59d9a6df06b9f610f7db8e036896ed03662d168f − SHA-1(„Hello“) = f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0 Birthday Paradoxon

⚫ There are 23 people in one room ⚫ What is the probability for „2 persons have the same birthday“ (just day and month, not year) ⚫ Answer: approx. 50% Birthday Attack

⚫ Let h be a hash function with co-domain of size 2n (i.e. with hash values of length n bit) ⚫ Calculation of collision needs 2n/2 checks (average) ⚫ Conclusion: choose n as large as possible ⚫ Current recommendation: − (average) 280 checks required −  Hash value have minimum length 160 bit ⚫ If (at n bit length) less tests than 2n/2 required: Hash function has weakness Properties of Hash functions

4711

Alice Eve Bob One-way function

⚫ One-way property (preimage resistant): − There exist no (efficient) inverse function for h, i.e. − It is not possible to calculate message M from hash value H with: h(M) = H

⚫ h collision resistant  h one-way function Types of Hash Algorithms

⚫ Encryption-based − Uses block ciphers − Low performance − insecure ⚫ Algebraic − Uses number theory problems (e.g. discrete logarithm) − Low performance ⚫ Ad-Hoc Design − Uses: AND, OR, XOR, SHIFT, S-Boxes − Most widespread usage Common Hash Algorithms

⚫ MD5 − Message-Digest-Algorithm (R. Rivest, 1992) − RFC 1321 − Input: < 264 bit, Output: 128 bit ⚫ SHA-1 − Secure Hash Algorithm (NIST/NSA, 1994) − Input: < 264 bit, Output: 160 bit ⚫ SHA-2 − Secure Hash Algorithm (NIST/NSA, 2002) − SHA-256: Input: < 264 bit, Output: 256 bit − SHA-384: Input: < 2128 bit, Output: 384 bit − SHA-512: Input: < 2128 bit, Output: 512 bit SHA-1 – Internal Structure

E D C B A 5 x 32 Bit

+ <<5

K +

80 x + F >>2 160 Bit + W M

E D C B A 5 x 32 Bit Merkle Damgård Construction

Compression function f Hash function h

n bit Length Message M of M n bit n bit f

Block 1 Block 2 ... Block m

Hash IV f f f ... h(M)

f collision resistant  h collision resistant Security of Hash Algorithms

⚫ Known attacks on Hash properties

Algorithm Attack on Attack on Collision resistence One way property MD5 Yes Yes SHA-1 Yes No SHA-2 (Yes) No Security of Hash Algorithms SHA-3 Competition

⚫ Creating new Hash function (successor of SHA-2) ⚫ Open competition by NIST started 2007 ⚫ Public analysis and discussion of candidates ⚫ Criteria: − Performance − Security − Diversity ⚫ Winner (announced 2012): Keccak ⚫ Standardized as SHA-3 (2015) Breaking Hashes

⚫ „Anonymous“ exam results Breaking Hashes

⚫ How to find the pre-image of H? (i.e. finding m with h(m) = H) ⚫ Brute force attack: testing all possible values for m − rather simple if the set of “all possible values” is rather small − Examples: ▪ m is a short/simple password ▪ m is a matriculation number ▪ m is an IP address ⚫ Variation: Dictionary attack: testing just certain values − Examples ▪ typical passwords (“1234”, “admin”, ...) ▪ real world words (“dog”, “car”, ...) ⚫ Lookup in a pre-calculated list of “all” m and h(m) − Practical implementation: Rainbow Table

96 Breaking Hashes – Countermeasures

⚫ Brute force/Dictionary: − avoid short/simple messages − use special resource consuming “hash” functions (e.g. scrypt, Argon2) − add a secret value to the hash calculation: pepper (not always possible) ⚫ Rainbow table: − avoid short/simple messages − add a (non-secret) random value to the hash calculation: salt

97 Integrity Protection and Digital Signature Message Authentication Code

Dear Dear Dear Dear Dear Bob Bob Bob Bob Bob ......

MAC MAC = ? Message Authentication Code

⚫ A Message Authentication Code (MAC) is a short piece of information used to authenticate a message ⚫ The involved key enables to provide authentication means in addition to integrity ⚫ In some contexts a MAC is also called a symmetric signature ⚫ First idea for implementation:

mack(m) = h(k || m)

(here || is the concatenation operator) k m

...

IV f f ... f mac

e

...

mac f f mac* m e mac*

k

......

IV f f ... f f f mac* Length extension attack (simplified)

⚫ Possible with hash functions based on M-D-Construction ⚫ Idea: − A and B have shared secret k − A creates message m and mac = h(k||m) − E intercepts message and MAC − E creates e and m* = m||e and mac* = h(k||m*) = h(k||m||e) (no knowledge of k is required!) − E sends m* and mac* to B − B verifies m* and mac* and thinks the message is from A Length extension attack (simplified)

⚫ The attacker was able to create a message m* = m || e and a MAC mac* with mac*=h(k||m*) ⚫ No knowledge of k is required ⚫ Problem: is m* still making sense to the recipient? ⚫ Example: − Original message: count=10&lat=37&user_id=1&long=-119&waffle=eggo − New message: count=10&lat=37&user_id=1&long=-119&waffle=eggo&waffle=liege

Example Source: Wikipedia Message Authentication Code

⚫ Solution: HMAC

mack(m) = HMAC(m, k) = h(k XOR opad || h(k XOR ipad || m)) − with opad and ipad fixed constants: ▪ ipad = the byte 0x36 repeated B times ▪ opad = the byte 0x5C repeated B times ▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1) Message Authentication Code

⚫ Security services: − Authenticity − Integrity ⚫ Limitations: − For verification knowledge of secret key required − Every owner of the secret key can create the MAC − → not possible to decide if Alice or Bob created the MAC − → the actual creator of the MAC can deny the creation − → no “non-repudiation” property

106 Digital Signature

⚫ Equivalent to traditional handwritten signatures ⚫ Properties: − Only one person can create the signature  non-repudiation − Everyone can verify the signature

− Can identify the creator of the signature  authenticity

− Is bound to a specific document  integrity − Prohibits changes to the document

107 Formalization of Digital Signature

⚫ Space of messages: M ⚫ Space of signatures: S

⚫ Space of keys: public/private key pairs: K  PK x SK ⚫ Sign operation: Sig: M x SK → S, sig = Sig(m, sk) ⚫ Verify operation: Verify: M x S x PK → {true, false}, isValid = Verify(m, sig, pk) ⚫ Valid signature: for all m ∈ M and (pk, sk) ∈ K Verify(m, Sig(m, sk), pk) = true

108 Digital Signature (here: RSA)

Dear Dear Dear Dear Dear Bob Bob Bob Bob Bob ......

Hash Hash Decryption

Encryption = ? Digital Signature

⚫ Properties: − Only one person can create the signature ✓ ▪ Private key required − Everyone can verify the signature ✓ ▪ Public key is sufficient (need the correct public key) − Can identify the creator of the signature ▪ Owner of the private key = creator (unless private key was stolen) ✓ − Is bound to a specific document ▪ move signature to a different document ✓ → hash of document ≠ hash inside signature (unless collision) → verification fails − Prohibits changes to the document ✓ ▪ change of document → change of hash (unless collision) → verification fails

110 Again: Integrity Protection for Dowloads

Putty – SSH Client for Windows Digital Signature (in general)

Dear Dear Dear Dear Dear Bob Bob Bob Bob Bob ......

Hash Verify Hash

Sign

valid / invalid Digital Signature

⚫ Example algorithms: − RSA with SHA2 − DSA with SHA2 − ECDSA with SHA2 Final Remarks

114 Elliptic Curve Cryptography

⚫ DSA and DH are based on modular exponentiation over a (finite) field of integers ⚫ One can perform similar operations on an “elliptic curve” ⚫ Main advantage: − same security level with shorter key − better performance (runtime up to 10 times faster)

Security Level RSA/DH (NIST) RSA/DH (ECRYPT) ECDH 80 1024 1248 160 112 2048 2432 224 128 3072 3248 256 192 7680 7936 384 256 15360 15424 512 Practical Usage Recommendations

⚫ Symmetric Encryption: AES-256, mode: GCM (later) ⚫ Asymmetric Encryption: RSA-2048 (or longer) ⚫ Key exchange: ECDHE-256 ⚫ Hash: SHA-256 ⚫ Message Authentication: − AES in GCM mode (authenticated encryption) − Poly1305 (e.g. in combination with ChaCha20) ⚫ Signature: − RSA-2048 with SHA-256 (or longer) − ECDSA-256 with SHA-256