CS162 Operating Systems and Systems Programming Lecture 25 A

CS162 Operating Systems and Systems Programming
Lecture 25
A Touch more Security and Quantum Computing + IoT
December 7th, 2015
Prof. John Kubiatowicz
http://cs162.eecs.Berkeley.edu

Recall: Private Key Cryptography
• Private Key (Symmetric) Encryption:
  – Single key used for both encryption and decryption
• Plaintext: Unencrypted Version of message
• Ciphertext: Encrypted Version of message
[Figure: Plaintext, Encrypt (Key), Insecure Transmission (ciphertext) between SPY and CIA, Decrypt (Key), Plaintext]
• Important properties
  – Can’t derive plain text from ciphertext (decode) without access to key
  – Can’t derive key from plain text and ciphertext
  – As long as password stays secret, get both secrecy and authentication
• Symmetric Key Algorithms: DES, Triple-DES, AES

12/7/15 Kubiatowicz CS162 ©UCB Fall 2015 Lec 25.2

Recall: Public Key Encryption Details
• Idea: Kpublic can be made public, keep Kprivate private
[Figure: Alice and Bob connected by insecure channels; key labels Bpublic, Bprivate, Aprivate, Apublic]
• Gives message privacy (restricted receiver):
  – Public keys (secure destination points) can be acquired by anyone/used by anyone
  – Only person with private key can decrypt message
• What about authentication?
  – Use combination of private and public key
  – Alice→Bob: [(I’m Alice)Aprivate Rest of message]Bpublic
  – Provides restricted sender and receiver
• But: how does Alice know that it was Bob who sent her Bpublic? And vice versa…
  – Need a certificate authority to sign keys!

Non-Repudiation: RSA Crypto & Signatures
• Suppose Alice has published public key KE
• If she wishes to prove who she is, she can send a message x encrypted with her private key KD (i.e., she sends E(x, KD))
  – Anyone knowing Alice’s public key KE can recover x, verify that Alice must have sent the message
    » It provides a signature
  – Alice can’t deny it: non-repudiation
• Could simply encrypt a hash of the data to sign a document that you wanted to be in clear text
• Note that either of these signature techniques work perfectly well with any data (not just messages)
  – Could sign every datum in a database, for instance

RSA Crypto & Signatures (cont’d)
[Figure: message reading "I will pay Bob $500", shown twice]

Digital Certificate Authorities
• How do you know KE is Alice’s public key?
• Trusted authority (e.g., Verisign) signs binding between Alice and KE with its private key KVprivate
  – C = E({Alice, KE}, KVprivate)
  – C: digital certificate
• Alice: distribute her digital certificate, C
• Anyone: use trusted authority’s KVpublic, to extract Alice’s public key from C
  – D(C, KVpublic) = D(E({Alice, KE}, KVprivate), KVpublic) = {Alice, KE}
• Where does someone get KVpublic from?
  – Typically compiled into the browser (for instance)!
  – Can you trust this??

Properties of RSA Public Cryptosystems
• Requires generating large, random prime numbers
  – Algorithms exist for quickly finding these (probabilistic!)
• Requires exponentiating very large numbers
  – Again, fairly fast algorithms exist
• Overall, much slower than symmetric key crypto
  – One general strategy: use public key crypto to exchange a (short) symmetric session key
    » Use that key then with AES or such
• How difficult is recovering d, the private key?
  – Equivalent to finding prime factors of a large number
    » Many have tried - believed to be very hard (= brute force only)
    » (Though quantum computers could do so in polynomial time!)

Simple Public Key Authentication
• Each side need only to know the other side’s public key
  – No secret key need be shared
• A encrypts a nonce (random num.) x
  – Avoid replay attacks, e.g., attacker impersonating client or server
• B proves it can recover x, generates second nonce y
• A can authenticate itself to B in the same way
• A and B have shared private secrets on which to build private key!
  – We just did secure key distribution!
• Many more details to make this work securely in practice!
Notation: E(m,k) – encrypt message m with key k
[Figure: message exchange between A and B]

Summary of Our Crypto Toolkit
• If we can securely distribute a key, then
  – Symmetric ciphers (e.g., AES) offer fast, presumably strong confidentiality
• Public key cryptography does away with (potentially major) problem of secure key distribution
  – But: not as computationally efficient
    » Often addressed by using public key crypto to exchange a session key
• Digital signature binds the public key to an entity
• Public Key Pairs can serve as Identities!
  – Verified by certificate authority
  – Or distributed by other techniques

Putting It All Together - HTTPS
• What happens when you click on https://www.amazon.com?
• https = “Use HTTP over SSL/TLS”
  – SSL = Secure Socket Layer
  – TLS = Transport Layer Security
    » Successor to SSL
  – Provides security layer (authentication, encryption) on top of TCP
    » Fairly transparent to applications

HTTPS Connection (SSL/TLS) (cont’d)
[Figure: Browser and Amazon]
• Browser (client) connects via TCP to Amazon’s HTTPS server
• Client sends over list of crypto protocols it supports
• Server picks protocols to use for this session
• Server sends over its certificate
• (all of this is in the clear)

Inside the Server’s Certificate
• Name associated with cert (e.g., Amazon)
• Amazon’s RSA public key
• A bunch of auxiliary info (physical address, type of cert, expiration time)
• Name of certificate’s signatory (who signed it)
• A public-key signature of a hash (SHA-256) of all this
  – Constructed using the signatory’s private RSA key, i.e.,
  – Cert = E(HSHA256(KApublic, www.amazon.com, …), KSprivate)
    » KApublic: Amazon’s public key
    » KSprivate: signatory (certificate authority) private key
• …

HTTPS Connection (SSL/TLS) cont’d
[Figure: Browser and Amazon, each holding K]
• Browser constructs a random session key K used for data communication
  – Private key for bulk crypto
• Browser encrypts K using Amazon’s public key
• Browser sends E(K, KApublic) to server
• Browser displays
• All subsequent comm. encrypted w/ symmetric cipher (e.g., AES128) using key K
  – E.g., client can authenticate using a password

Administrivia
• Midterm 2 grading still continuing
  – ETA: very soon.
  – Have a couple of sub problems still to grade
  – Solutions have been posted
• Final Exam
  – Friday, December 18th, 2015.
  – 3-6P, Wheeler Auditorium
  – All material from the course
    » (excluding option lecture on 12/7)
    » With slightly more focus on second half, but you are still responsible for all the material
  – Two sheets of notes, both sides
  – Will need dumb calculator
• Targeted review sessions: See posts on Piazza
  – Possibly 3 different sessions focused on parts of course

Use Quantum Mechanics to Compute?
• Weird but useful properties of quantum mechanics:
  – Quantization: Only certain values or orbits are good
    » Remember orbitals from chemistry???
  – Superposition: Schizophrenic physical elements don’t quite know whether they are one thing or another
• All existing digital abstractions try to eliminate QM
  – Transistors/Gates designed with classical behavior
  – Binary abstraction: a “1” is a “1” and a “0” is a “0”
• Quantum Computing: Use of Quantization and Superposition to compute.
• Interesting results:
  – Shor’s algorithm: factors in polynomial time!
  – Grover’s algorithm: Finds items in unsorted database in time proportional to square-root of n.
  – Materials simulation: exponential classically, linear-time QM

Quantization: Use of “Spin”
[Figure: Spin ½ particle (Proton/Electron) between North and South; Representation: $|0\rangle$ or $|1\rangle$]
• Particles like Protons have an intrinsic “Spin” when defined with respect to an external magnetic field
• Quantum effect gives “1” and “0”:
  – Either spin is “UP” or “DOWN” nothing between

Now add Superposition!
• The bit can be in a combination of “1” and “0”:
  – Written as: $= C_0|0\rangle + C_1|1\rangle$
  – The C’s are complex numbers!
  – Important Constraint: $|C_0|^2 + |C_1|^2 = 1$
• If measure bit to see what looks like,
  – With probability $|C_0|^2$ we will find $|0\rangle$ (say “UP”)
  – With probability $|C_1|^2$ we will find $|1\rangle$ (say “DOWN”)
• Is this a real effect? Options:
  – This is just statistical – given a large number of protons, a fraction of them ($|C_0|^2$) are “UP” and the rest are down.
  – This is a real effect, and the proton is really both things until you try to look at it
• Reality: second choice!
  – There are experiments to prove it!

A register can have many values!
• Implications of superposition:
  – An n-bit register can have $2^n$ values simultaneously!
  – 3-bit example: $= C_{000}|000\rangle + C_{001}|001\rangle + C_{010}|010\rangle + C_{011}|011\rangle + C_{100}|100\rangle + C_{101}|101\rangle + C_{110}|110\rangle + C_{111}|111\rangle$
• Probabilities of measuring all bits are set by coefficients:
  – So, prob of getting $|000\rangle$ is $|C_{000}|^2$, etc.
  – Suppose we measure only one bit (first):
    » We get “0” with probability: $P_0 = |C_{000}|^2 + |C_{001}|^2 + |C_{010}|^2 + |C_{011}|^2$
      Result: $= (C_{000}|000\rangle + C_{001}|001\rangle + C_{010}|010\rangle + C_{011}|011\rangle)$
    » We get “1” with probability: $P_1 = |C_{100}|^2 + |C_{101}|^2 + |C_{110}|^2 + |C_{111}|^2$
      Result: $= (C_{100}|100\rangle + C_{101}|101\rangle + C_{110}|110\rangle + C_{111}|111\rangle)$
• Problem: Don’t want environment to measure before ready!
  – Solution: Quantum Error Correction Codes!
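The partial measurement from the "A register can have many values!" slide, as an added Python example that is not part of the original lecture; it generalizes to measuring any one bit of an n-bit register. The function name and the sample amplitudes are constructed here, and the collapsed state is renormalized by 1/sqrt(P), a standard step that the extracted slide text does not show.

```python
import math

def measure_bit(amps, k=0):
    """Measure bit k (0 = first/leftmost) of a register in the state
    sum(amps[i] * |i>). Returns {outcome: (probability, collapsed amplitudes)}."""
    n = int(math.log2(len(amps)))
    if 2 ** n != len(amps):
        raise ValueError("need 2^n amplitudes for an n-bit register")
    if not math.isclose(sum(abs(c) ** 2 for c in amps), 1.0):
        raise ValueError("amplitudes must satisfy sum |C|^2 = 1")
    shift = n - 1 - k  # position of bit k inside the basis-state index
    results = {}
    for outcome in (0, 1):
        # Keep only the terms whose bit k equals the measured outcome.
        kept = [c if ((i >> shift) & 1) == outcome else 0
                for i, c in enumerate(amps)]
        p = sum(abs(c) ** 2 for c in kept)
        # Renormalize the surviving terms; an impossible outcome has no state.
        state = [c / math.sqrt(p) for c in kept] if p > 0 else None
        results[outcome] = (p, state)
    return results

# Constructed 3-bit state: C000=1, C001=i, C011=1, C100=2, C111=-1, all / sqrt(8).
STATE = [c / math.sqrt(8) for c in (1, 1j, 0, 1, 2, 0, 0, -1)]

if __name__ == "__main__":
    for outcome, (p, state) in measure_bit(STATE).items():
        print(outcome, round(p, 3), state)
```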
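The certificate check from the "Digital Certificate Authorities" and "Inside the Server’s Certificate" slides, followed by the E(K, KApublic) step from the HTTPS slides, as an added Python example that is not part of the original lecture. It uses textbook RSA without padding on constructed, trivially factorable Mersenne-prime keys; the function names, the field encoding inside H and the expected-name check are assumptions made for illustration.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private) as (exponent, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def E(m, key):
    """The slides' E(m, k): modular exponentiation, no padding (toy only)."""
    exponent, n = key
    return pow(m, exponent, n)

D = E  # with RSA, D(c, k) is the same operation under the other key of the pair

def H(name, subject_pub, n):
    """SHA-256 over the certificate fields, reduced mod n for the toy modulus."""
    fields = f"{name}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(fields).digest(), "big") % n

def issue_cert(name, subject_pub, ca_priv):
    """Cert = fields + E(H(fields), KSprivate)."""
    sig = E(H(name, subject_pub, ca_priv[1]), ca_priv)
    return {"name": name, "key": subject_pub, "sig": sig}

def verify_cert(cert, expected_name, ca_pub):
    """D(sig, KSpublic) must equal the hash recomputed from the presented fields."""
    matches = D(cert["sig"], ca_pub) == H(cert["name"], cert["key"], ca_pub[1])
    return matches and cert["name"] == expected_name

def client_key_exchange(cert, expected_name, ca_pub):
    """Browser side: check the certificate, then send E(K, KApublic)."""
    if not verify_cert(cert, expected_name, ca_pub):
        raise ValueError("certificate rejected")
    K = secrets.randbits(128)  # random session key for the symmetric cipher
    return K, E(K, cert["key"])

# Constructed demo keys built from small Mersenne primes: trivially factorable.
CA_PUB, CA_PRIV = keypair(2**61 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, _ = keypair(2**31 - 1, 2**61 - 1)
CERT = issue_cert("www.amazon.com", SRV_PUB, CA_PRIV)
FORGED = dict(CERT, key=MALLORY_PUB)  # public key swapped, CA signature reused

if __name__ == "__main__":
    print(verify_cert(CERT, "www.amazon.com", CA_PUB))
    print(verify_cert(FORGED, "www.amazon.com", CA_PUB))
```

The swapped-key certificate fails because the signature covers the hash of the name and key together, which is the binding the certificate-authority slide describes.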
