Stream Cipher Universal Hash Pseudorandom Function


SCU-PRF: CONSTRUCTING A SECURE CHANNEL USING A PSEUDORANDOM FUNCTION

A Thesis Presented to the faculty of the Department of Computer Science, California State University, Sacramento, submitted in partial satisfaction of the requirements for the degree of Master of Science in Computer Science

by Matthew Clarke-Lauer

Spring 2012

Approved by: Dr. Theodore Krovetz, Committee Chair; Dr. V. Scott Gordon, Second Reader; Dr. Jinsong Ouyang, Third Reader

Student: Matthew Clarke-Lauer. I certify that this student has met the requirements for format contained in the University format manual, and that this thesis is suitable for shelving in the Library and credit is to be awarded for the thesis. Dr. Cui Zhang, Department Chair, Department of Computer Science

ABSTRACT

The establishment of a secure channel of communication between two parties is a primary goal of modern cryptography. In an ideal world, the secure channel is a dedicated, untappable, and impenetrable method of transmitting data between a sender and receiver. An adversary would be unable to see or modify any information crossing the channel. Unfortunately, that is not possible in the real world. Most communication is done using channels that are susceptible to eavesdropping and interference. In order to overcome these problems, cryptography attempts to recreate the secure channel in order to provide confidentiality and authenticity to all communications between two parties. Pseudorandom functions provide an ideal starting point for designing cryptographic primitives that meet these goals. Work done by Phillip Rogaway and Mihir Bellare has shown the usefulness of a random oracle as a starting point for developing asymmetric-key cryptographic primitives.

This paper expands on that concept by providing algorithms that meet the goals of confidentiality and authenticity by using a conceptual pseudorandom function to construct a set of symmetric-key cryptographic primitives. Due to its flexibility and simplicity, a conceptual pseudorandom function is used to construct a symmetric-key cipher and a message authentication code that are both simple and efficient, while meeting the requirements of confidentiality and authenticity. Based on those two primitives, an authenticated encryption scheme is built in order to provide the guarantees of the secure channel. This paper provides the design and implementation of the SCU-PRF, a pseudorandom function created by combining the Salsa20 stream cipher and the VHASH universal hash function. The SCU-PRF is designed with the goal of efficiency, requiring little more computation than the base components of Salsa20 and VHASH. Using the algorithms built with the conceptual PRF, a complete implementation of the protocols is created using SCU-PRF. When tested, SCU-PRF proved to be an efficient and flexible pseudorandom function with a performance profile ideal for constructing a high-efficiency secure channel.

DEDICATION

This work is dedicated to my wife Annie and my son Eli. Thank you for providing me a reason to always strive for better.

ACKNOWLEDGMENT

I would like to thank my advisor, Dr. Ted Krovetz, for his time and encouragement in finishing this Master's thesis. Without his guidance this thesis would not have been possible.

TABLE OF CONTENTS

Dedication
Acknowledgement
List of Tables
List of Figures
1. INTRODUCTION
2. PSEUDORANDOM FUNCTIONS AND THEIR MATHEMATICAL BACKGROUND
2.1. Adversarial Models
2.2. Mathematical Background
2.2.1. Functions
2.2.2. Randomness
2.2.3. Pseudorandomness
2.3. Related Work
3. OVERVIEW OF THE SECURE CHANNEL
3.1. Trust Models
3.2. Privacy
3.2.1. Block Cipher
3.2.2. Stream Cipher
3.3. Authenticity
3.3.1. Message Authentication Code
3.3.2. Universal Hash-Function Family
4. CONSTRUCTING THE SECURE CHANNEL WITH PSEUDORANDOM FUNCTIONS
4.1. Conceptual Pseudorandom Function
4.2. Confidentiality Using a PRF
4.3. Authentication Using a PRF
4.4. Constructing the Secure Channel
5. SCU-PRF - STREAM CIPHER UNIVERSAL HASH PSEUDORANDOM FUNCTION
5.1. Test Environment
5.2. Phase 1 - Compression
5.2.1. VHASH
5.2.2. Probability of Hash Collisions
5.3. Phase 2 - Expansion
5.3.1. Salsa20
5.4. Engineering Obstacles
5.4.1. Key Handling
5.4.2. VHASH Modifications
5.4.3. Salsa20 Modifications
5.4.4. SCU-PRF Context
5.5. SCU-PRF Algorithm
5.5.1. SCU-PRF Performance
5.6. Cryptographic Applications and Performance
5.6.1. Encryption
5.6.2. Authentication
5.6.3. Secure Channel Performance
5.7. Performance Overview
6. CONCLUSION
6.1. Future Work
Appendix. Source Code
References

LIST OF TABLES

Table 5.1. Specifications of Lenovo T400 Test Platform
Table 5.2. Performance of VHASH-128 in CPU Cycles Per Block
Table 5.3. Performance of SCU-PRF in CPU Cycles Per Byte
Table 5.4. Performance of SCU-PRF Based Encryption in CPU Cycles Per Byte
Table 5.5. Performance of SCU-PRF Based Authentication in CPU Cycles Per Byte
Table 5.6. Performance of SCU-PRF Based Authenticated Encryption in CPU Cycles Per Byte
Table 5.7. Cryptographic Algorithm Performance Comparison

LIST OF FIGURES

Figure 3.1. Encryption Data Flow
Figure 3.2. Message Authentication Data Flow
Figure 3.3. Message Authentication Code Data Flow
Figure 5.1. SCU-PRF Design
Figure 5.2. SCU-PRF Efficiency
Figure 5.3. SCU-PRF Based Encryption Efficiency
Figure 5.4. SCU-PRF Based MAC Efficiency
Figure 5.5. SCU-PRF Based Authenticated Encryption Efficiency

CHAPTER 1. INTRODUCTION

As technology has advanced, so has the act of communication. Exchanging information in a secure fashion has changed with the advent of digital communications and the internet. As society moves away from a physical and analog world, the methods used for providing privacy have changed. Digital eavesdropping has become more prevalent due to the flow of information around the globe. A message can be modified and transmitted in a fraction of a second by an adversary with simple and affordable tools. Due to these changes, the difficulty of providing confidentiality and authenticity has grown.

Cryptography is the study of techniques for providing information security. It uses mathematical systems to establish a secure channel for communications. In order to provide a secure channel, two major goals must be achieved: confidentiality and authenticity. To achieve these goals, a number of different tools, or cryptographic primitives, are utilized, many of which have their foundations in the ability to produce random data.

The goal of confidentiality is to prevent an unauthorized party from accessing secret information. This could be as simple as preventing a third party from reading an email between family members or as complex as protecting a database of private consumer information. Encryption schemes are used to achieve confidential communication. They provide a party with the ability to disguise, or encrypt, a message. For example, a substitution cipher requires letters of the original message to be substituted for other letters of the alphabet. This is a very rudimentary cipher and was historically performed by hand using a shared key, a piece of shared private information. The cipher is used to encode a message, or plaintext, into its secret equivalent, or ciphertext. In the case of the substitution cipher, the key was just a list of the letters in the alphabet along with the letters they are mapped to. Once the encrypted message was received, the same key would be used to reverse the encryption, providing the receiver with the original message. While the use of this style of cipher is now obsolete, the concept of using a shared private key to encode plaintext messages into their ciphertext equivalent is the basis for all modern encryption [4].

The goal of authenticity is twofold. Message authenticity is the concept of determining whether a message was modified. On the other hand, user authenticity provides a guarantee about the identity of the sender of a message. Unless the receiver physically observes the sender creating the message, the source of a message and the message's authenticity are unknown to a receiver. Cryptography has solved this problem by creating the message authentication code (MAC). The sender can use the shared private key, as in the cipher example above, to create a signature or fingerprint that represents the message using the MAC. The signature or fingerprint is a condensed representation of the message that is not easily recreated and serves as proof that the message came from the sender. The receiver can create their own signature based on the message, and if the two are the same then the message must be unmodified and must have come from the sender or a party with the same private key [4].

Within cryptography, the concept of randomness, or statistically unrelated data [16], is used to achieve the goals of confidentiality and authenticity. Unfortunately, true randomness is very difficult to achieve with modern computers. Because computers are deterministic machines, pseudorandomness is used instead. Pseudorandom data is generated deterministically from non-random sources and should be computationally indistinguishable from true randomness [1]. This allows cryptographic primitives to be built using a reproducible source of data that appears to be random.
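The construction the abstract describes, a stream cipher and a MAC both built from one conceptual PRF and then combined into an authenticated-encryption channel, as an added Python example that is not part of the thesis or its source code. HMAC-SHA256 stands in for the PRF (SCU-PRF itself, VHASH plus Salsa20, is not implemented here), and the key-derivation labels, the 16-byte nonce, the 8-byte counter and the encrypt-then-MAC packet layout are assumptions of this example.

```python
import hashlib
import hmac
import os

# Stand-in for the "conceptual PRF": any keyed PRF with a fixed output size works.
PRF_OUT = 32  # bytes produced per PRF call (SHA-256 digest size)

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_keys(master: bytes):
    # Domain-separate the cipher key and the MAC key from one shared secret
    # (labels "enc"/"mac" are an assumption of this example).
    return prf(master, b"enc"), prf(master, b"mac")

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stream-cipher mode: PRF(key, nonce || counter) yields successive blocks,
    # so the keystream is reproducible by anyone holding the key and nonce.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation.
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt

def mac(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Tag covers nonce and ciphertext (encrypt-then-MAC), so either being
    # altered in transit changes the expected tag.
    return prf(key, nonce + ciphertext)

def seal(master: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(16)  # fresh per message; keystream must never repeat
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce + ct + mac(mac_key, nonce, ct)

def unseal(master: bytes, packet: bytes):
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = packet[:16], packet[16:-PRF_OUT], packet[-PRF_OUT:]
    if not hmac.compare_digest(tag, mac(mac_key, nonce, ct)):
        return None  # authenticity check failed: release no plaintext
    return decrypt(enc_key, nonce, ct)
```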
