CSE 291-I: Applied

Nadia Heninger UCSD

Spring 2020 Lecture 124

Legal Notice

The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students.

Announcements

1. HW 6 is due Friday!

• Last time: Elliptic curve cryptography
• This time: Identification, certificates, and authenticated key exchange

Diffie-Hellman Key Exchange

[Protocol diagram between A and B: A sends g^a, B sends g^b, both derive g^ab. Handwritten details are illegible in the scan.]

Diffie-Hellman Man-in-the-Middle

Unauthenticated key exchange is vulnerable to man-in-the-middle attacks.

[Attack diagram with M between A and B: M substitutes her own exponents, so A shares g^ab' with M and B shares g^a'b with M. Details illegible in the scan.]

RSA/Public-Key Key Exchange

[Protocol diagram between A and B; illegible in the scan.]

RSA/Public-Key Key Exchange MITM

[Attack diagram with M between A and B; illegible in the scan.]

Network security model

Attacker may:
• Intercept any messages that are sent
• Replay any messages that have been sent
• Selectively drop messages
• Generate their own valid public keys
• Obtain certificates for their identity from certificate authorities.

Challenge-response

Identification problem: Verifying that the party you are communicating with is who you think it is.

If Alice and Bob already share a secret, they can use the secret to authenticate their identity.

[Diagram: A sends a challenge, B answers using the shared key k; illegible in the scan.]

Challenge-response authentication with signatures

We can also use public-key cryptography for this.

[Diagram: A sends a challenge, B answers with a signature and a certificate for pkB; illegible in the scan.]

PGP key signing

1. Compare fingerprint (hash) of public key.
2. Sign the key.
3. Upload to public key server.

Q: How do parties trust public keys they receive?
A: Public-key infrastructure:
• Web of trust (e.g. PGP)
• Trust on First Use (e.g. SSH)
• Certificate Authorities (e.g. TLS)

PGP: encrypted email, signed messages, public key repository.
TLS (Transport Layer Security, previously called SSL): encryption layer for network protocols, e.g. HTTP (HTTPS), SMTP (sending mail), other protocols.

Public key certificates

• Certificates bind public keys to identities
• Signature from trusted certificate authority
• Build trust from some trusted root key

[Diagram: A obtains certB and uses pkB; illegible in the scan.]

Attempt 1 to combine identification with key exchange

Use identification protocol (e.g. signed challenge-response), then key exchange.

MITM attack against naive identification then key exchange

[Attack diagram; illegible in the scan. Marked insecure.]

Attempt 2 to combine identification with key exchange

DH or RSA key exchange, then identification protocol inside the encrypted channel.

MITM attack against naive key exchange then identification

[Attack diagram; illegible in the scan.]

Conclusion: We need to integrate key exchange and identification to have a secure protocol.

Attempt 3 at authenticated public key key exchange

We authenticate the key exchange ciphertext.

[Diagram: key exchange ciphertext with Alice's identity and Bob's identity; illegible in the scan.]

Replay attack

[Attack diagram; illegible in the scan.]

Nothing binds the authentication to the session, so an attacker can replay the messages later. A thinks she is talking to B, but is actually talking to M. M does not know secret key k, but if A then uses a stream cipher (or similar), M could exploit the vulnerability.

A secure authenticated key exchange with public key encryption

[Protocol diagram between Alice and Bob: Alice sends a random per-session nonce r and certA; Bob replies with a ciphertext c under pkA carrying k and an identity, a signature over the nonce and the ciphertext, and certB. Details illegible in the scan.]

Insecure authenticated key exchange with public key encryption

B signs nonce but not ciphertext.

[Diagram as above, but B's signature covers only the nonce; illegible in the scan.]

MITM: attacker can choose session key.

[Attack diagram with M between A and B; illegible in the scan.]

Signature is not bound to ciphertext, so can be replayed by MITM attacker.

Insecure authenticated key exchange with public key encryption

B does not include identity in key exchange ciphertext.

[Diagram as above, with the identity omitted from the ciphertext; illegible in the scan.]

Identity misbinding attack

[Attack diagram with M between A and B; illegible in the scan.]

Mallory doesn't learn k but can forward messages from B to A.

A thinks she is talking to M. B thinks he is talking to A.
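The three checks that separate the secure protocol from the two insecure variants, as an added symbolic model (not the course's own code). Encryption and signatures are represented structurally, Dolev-Yao style: only the named recipient can open an envelope and only the named signer can produce its signature, which is the adversary model the replay, MITM and identity-misbinding slides assume; the bare identity string stands in for a certificate.

```python
import secrets

# Added symbolic model of the authenticated key exchange with public-key
# encryption from the slides. Primitives are structural stand-ins, not real
# cryptography: ("enc", to, payload) for Enc_pk(to)(payload) and
# ("sig", signer, msg) for sign_sk(signer)(msg).

def pk_encrypt(to: str, payload):
    return ("enc", to, payload)

def pk_decrypt(me: str, envelope):
    kind, to, payload = envelope
    if kind != "enc" or to != me:
        raise ValueError("only the holder of the private key can open this")
    return payload

def sign(signer: str, msg):
    return ("sig", signer, msg)

def verify(signer: str, msg, sig) -> bool:
    return sig == ("sig", signer, msg)

def initiator_start() -> str:
    """A's first message: a fresh per-session nonce r (sent together with certA)."""
    return secrets.token_hex(8)

def responder(me: str, peer: str, r: str):
    """B's reply: the ciphertext names B and carries k; the signature covers r and c.
    Returns the reply (c, signature, certB) and the key k that B now holds."""
    k = secrets.token_hex(16)
    c = pk_encrypt(peer, (me, k))
    return (c, sign(me, (r, c)), me), k

def initiator_finish(me: str, r: str, reply):
    """A's checks; each one defeats one slide attack. Returns k, or None to abort."""
    c, sig, cert_id = reply
    if not verify(cert_id, (r, c), sig):   # r in the signature: no replay of an old reply
        return None                        # c in the signature: no swapped ciphertext
    sender, k = pk_decrypt(me, c)
    if sender != cert_id:                  # identity inside c must match the signer:
        return None                        # no misbinding by a re-signing Mallory
    return k
```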

TLS 1.2 RSA Key Exchange

client hello: client random, list of cipher suites [. . . RSA . . . ]
server hello: server random, [RSA]  (server's choice of cipher suite)
certificate = RSA pubkey k2048 + CA signatures
client key exchange: RSAenc_k2048(pms)
both sides: KDF(pms, randoms) → kmc, kms, ke
client finished: Auth_kmc(dialog)  (symmetric MAC)
server finished: Auth_kms(dialog)
Enc_ke(request)  (symmetric authenticated encryption)

Typically only one-sided authentication: server authenticated to client, client not authenticated to server.

TLS 1.2 Diffie-Hellman Key Exchange

client hello: client random, list of cipher suites [. . . DHE . . . ]
server hello: server random, [DHE]  (server's choice of cipher suite)
certificate = public RSA key + CA signatures
server kex: p, g, g^a, Sign_RSAkey(p, g, g^a)
client kex: g^b
both sides: KDF(g^ab, randoms) → kmc, kms, ke
client finished: Auth_kmc(dialog)
server finished: Auth_kms(dialog)

Enc_ke(request)

Protocol flaws in TLS 1.2

• Cipher suite choice is not authenticated with signatures, only with symmetric MAC using negotiated key at end of handshake.
  • Cipher suite downgrade attacks: FREAK, Logjam
  • Cross-protocol cipher suite attacks: let RSA key exchange be interpreted as Diffie-Hellman key exchange.
  • Elliptic curve choice also not authenticated: theoretical downgrade attack (CurveSwap)
• TLS version negotiation not authenticated: MITM can force downgrade connection to lowest TLS version supported by both.
• Handshake is unencrypted.
  • Leaks massive amount of metadata: certificates, SNI (server name indication), extensions, signatures, etc. to passive eavesdropper.
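The key schedule the TLS 1.2 diagrams summarise as KDF(pms, randoms) → kmc, kms, ke and Auth_k(dialog), as an added illustration (not course code) following the RFC 5246 SHA-256 PRF. In the RFC the Finished MAC is keyed by the master secret rather than by kmc/kms, and the randoms, pms and transcript strings used here are constructed sample values, not captured traffic.

```python
import hashlib
import hmac

# Added illustration of the TLS 1.2 key schedule (RFC 5246, SHA-256 PRF).
# Sample inputs are constructed; nothing here is taken from a real handshake.

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret from the pms the client sent as RSAenc_k2048(pms)."""
    return prf(pms, b"master secret", client_random + server_random, 48)

def key_block(ms: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16):
    """Expand into kmc, kms (MAC keys) and ke for each direction.
    The randoms are concatenated in the opposite order here (RFC 5246 section 6.3)."""
    block = prf(ms, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    kmc, kms = block[:mac_len], block[mac_len:2 * mac_len]
    ke_client = block[2 * mac_len:2 * mac_len + key_len]
    ke_server = block[2 * mac_len + key_len:]
    return kmc, kms, ke_client, ke_server

def finished_verify_data(ms: bytes, label: bytes, transcript: bytes) -> bytes:
    """Auth_k(dialog): 12-byte verify_data over the hash of all handshake messages.
    This MAC, not a signature, is the only thing that authenticates the cipher suite
    choice, and its key already depends on the negotiated (possibly downgraded) suite."""
    return prf(ms, label, hashlib.sha256(transcript).digest(), 12)

# Constructed sample handshake inputs.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PMS = b"\x03\x03" + b"\x42" * 46   # 2 version bytes + 46 random bytes

def demo():
    ms = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM)
    kmc, kms, ke_c, ke_s = key_block(ms, CLIENT_RANDOM, SERVER_RANDOM)
    transcript = b"ClientHello[...RSA...] ServerHello[RSA] Certificate ClientKeyExchange"
    return kmc, kms, ke_c, ke_s, finished_verify_data(ms, b"client finished", transcript)
```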

TLS 1.3

[Handshake diagram: client sends random, cipher suites, g^a; server replies with random, cipher suite, g^b, then an encrypted handshake carrying the certificate and a signature over the entire handshake; keys are derived by KDF over g^ab and the entire handshake. Details illegible in the scan.]

Major changes:
• RSA key exchange removed
• RSA PSS padding for signatures
• Fixed Diffie-Hellman groups only
• Server signs entire handshake
• Symmetric keys derived from entire handshake
• Handshake is encrypted after initial key exchange
• Version negotiation includes downgrade protection in nonces

[Handwritten notes, largely illegible in the scan: modular reduction; Boneh-Venkatesan hidden number problem; most significant bits of g^ab as hardcore bits.]