crypto slides one
Post on 14-Apr-2018
TRANSCRIPT
-
7/27/2019 Crypto Slides One
1/120
A Gentle Introduction to Cryptography
Extended quote from Bruce Schneier's book, Secrets and Lies.
Cryptography plays a role in computer security,
but buggy computer systems and vulnerable communications are a reality that cryptography has not solved.
-
Quote from Eugene Spafford
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.
-
Outline of these lectures
The general goals of cryptographic systems
Vulnerabilities of cryptographic systems
Two basic categories of cryptographic algorithms:
Symmetric
Asymmetric (public key)
Methods for sharing keys (including Diffie-Hellman)
-
Outline (cont.)
Methods for ensuring data integrity (hash algorithms)
Methods for authentication (digital signatures)
-
The General Goals of Cryptography
Confidentiality; assuring that only authorized parties are able to understand the data.
Integrity; ensuring that when a message is sent over a network, the message that arrives is the same as the message that was originally sent.
-
Goals (cont.)
Authentication; ensuring that whoever supplies or accesses sensitive data is an authorized party.
Nonrepudiation; ensuring that the sender cannot later deny having sent the message, and that the intended recipient cannot deny having received it.
-
Basic Terms
Encryption: scrambling a message or data using a specialized cryptographic algorithm.
Plaintext: the message or data before it gets encrypted.
Ciphertext: the encrypted (scrambled) version of the message.
Cipher: the algorithm that does the encryption.
-
Basic Terms (cont.)
Decryption: the process of converting ciphertext back to the original plaintext.
Cryptanalysis: the science of breaking cryptographic algorithms.
Cryptanalyst: a person who breaks cryptographic codes; also referred to as the attacker.
-
More on Confidentiality
Confidentiality means that only authorized parties are able to understand the data (authorized from the perspective of the party that encrypted the data).
It is okay if unauthorized parties know that there is data. It is even okay if they copy the data, so long as they cannot understand it. (Encryption by itself usually does not hide the length of the data, when it was sent, or who sent it to whom.)
-
Authentication
How can we know that a party that provides us with sensitive data is an authorized party?
How can we know that the party that is accessing sensitive data is an authorized party?
This is a difficult problem on the Internet.
Two solutions are:
Passwords
Digital signatures
-
Integrity
This involves ensuring that when a message (or any kind of data, including documents and programs) is sent over a network, the data that arrives is the same as the data that was originally sent. It is important that the data has not been tampered with.
Technical solutions include:
Encryption (only when combined with a message authentication code or an authenticated mode; encryption by itself does not detect tampering, as the CBC discussion below shows)
Hashing algorithms (cryptographic checksums, their keyed form, message authentication codes, and digital signatures)
-
Nonrepudiation
Ensuring that the intended recipient actually got the message.
Ensuring that the alleged sender actually sent the message.
This is a difficult problem. How do we prove that a person's cryptographic credentials have not been compromised?
-
An Important Message
In theory, some cryptographic algorithms seem to be EXTREMELY secure.
Vulnerabilities arise when developers and systems administrators do not deploy the encryption systems securely.
A fundamental rule: DON'T CODE YOUR OWN CRYPTOGRAPHIC ALGORITHMS.
Another rule: When using a cryptographic library, use the high-level interfaces provided with the library rather than assembling the low-level primitives yourself.
-
Message from Cryptlib Developer, Peter Gutmann
The major design philosophy behind the code [behind Cryptlib] is to give users the ability to build secure apps without needing to spend several years learning crypto. ... [T]he important point is that anybody should be able to employ them [important cryptographic algorithms] without too much effort. ...
-
Standard Algorithms are Incredibly Secure
Using a 128 bit key for a symmetric encryption algorithm, there are 2^128 possible keys.
Even with the computing resources of the US government, most of the software developers alive today will be dead before the government could break such an encryption by brute force [Viega and McGraw].
-
Incredibly secure (cont.)
Most security experts believe that 256-bit keys are good, against brute-force key search, for the lifetime of the universe (many billions of years).
The problem is that encryption is just one link in the chain of security. Encryption is a really strong link in that chain, but one weak link breaks the chain.
It is usually easier for the attacker to hack your machine and steal the plaintext (or the key) than to break your cipher.
-
A Simple Example
The plaintext:
0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0
The key:
1 1 0 1 0 0 0 1 0 1 1 1 1 0 0 1 0 0 1 0 1 0 1 1
The ciphertext (each plaintext bit XORed with the key bit in the same position):
1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1
-
A Simple Decryption Example
ciphertext:
1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1
XORed with the same key
1 1 0 1 0 0 0 1 0 1 1 1 1 0 0 1 0 0 1 0 1 0 1 1
yields the plaintext again, because XORing with the same bits twice cancels out
0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0
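The XOR cipher above, as an added example in Python that is not part of the original slides. It rebuilds the slide's plaintext and ciphertext from the bit strings, recovers the key from those two values rather than typing it in (which is exactly the known-plaintext attack discussed later), and shows why a XOR key must never be reused: with two ciphertexts under one key, the key cancels and the XOR of the two plaintexts leaks. Everything other than the slide's two bit strings (the second message, the helper names) is constructed for the demonstration.

```python
def bits_to_bytes(bits: str) -> bytes:
    """Turn a slide-style bit string ('0 1 0 0 ...') into bytes."""
    s = bits.replace(" ", "")
    return int(s, 2).to_bytes(len(s) // 8, "big")


def bytes_to_bits(data: bytes) -> str:
    """Inverse of bits_to_bytes, in the slide's spaced layout."""
    return " ".join(bit for byte in data for bit in format(byte, "08b"))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The cipher on the slide: XOR each data bit with the key bit in the same
    position. Encryption and decryption are the same operation."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


# The 24-bit plaintext and ciphertext printed on the slides.
PLAINTEXT = bits_to_bytes("0 1 0 0 0 0 1 1 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 0")
CIPHERTEXT = bits_to_bytes("1 0 0 1 0 0 1 0 0 0 1 1 1 0 0 0 0 1 1 0 1 0 0 1")


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: for XOR, plaintext XOR ciphertext is the key."""
    return xor_bytes(plaintext, ciphertext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same key: c1 XOR c2 = p1 XOR p2. The key
    cancels, so knowing either plaintext reveals the other."""
    return xor_bytes(c1, c2)


# The key the slide is using, derived from what it printed.
KEY = recover_key(PLAINTEXT, CIPHERTEXT)

if __name__ == "__main__":
    print("plaintext :", PLAINTEXT)                 # b'CAB'
    print("key       :", bytes_to_bits(KEY))
    print("decrypts  :", xor_bytes(CIPHERTEXT, KEY))
    # Constructed second message encrypted under the same key.
    second = xor_bytes(b"CAT", KEY)
    leak = two_time_pad_leak(CIPHERTEXT, second)
    print("other msg :", xor_bytes(leak, PLAINTEXT))  # b'CAT', key never needed
```

The last three lines are the whole reason a one-time pad must be used exactly once: an attacker who sees two ciphertexts under the same key and knows (or can guess) one plaintext reads the other without ever learning the key.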
-
Common Types of Attacks
Ciphertext-only (brute-force) attack: the attacker has only the ciphertext and tries to decrypt the message by generating all possible keys.
Rarely successful against modern key sizes because the number of possible keys is enormous.
Also, the decrypted message (for certain types of data) may not be easy to recognize when it appears.
-
Common Types of Attacks (cont.)
Known plaintext attack: the attacker has both the ciphertext and the corresponding plaintext (for at least part of the message).
Again, this is difficult because there are so many keys, but the plaintext information may make experimentation easier than in the previous case (for a weak cipher such as plain XOR it gives up the key immediately).
We are assuming that the attacker knows the algorithm that was used for the encryption (Kerckhoffs's principle: only the key is secret).
-
Common Types of Attacks (cont.)
Chosen plaintext attacks: The cryptanalyst introduces the plaintext into the system and then watches for how that plaintext will be encrypted.
The Allies used this approach in WWII by sending out false messages about allied troop movements.
Often the attacker will try to feed a planned sequence of messages that would reveal the most about the way in which the data is being encrypted.
-
Common Types of Attacks (cont.)
Side channel attacks use seemingly incidental information that can reveal important information about the key being used.
Viega and McGraw mention DPA (Differential Power Analysis) attacks on smart cards. A DPA attack analyzes the power consumption of a processor performing an encryption algorithm in order to get information about the key being used by that algorithm.
Timing, cache behaviour and electromagnetic emissions are other commonly exploited side channels; a correct algorithm can still leak its key through its implementation.
-
Symmetric Cryptography
Symmetric algorithms are used for:
Confidentiality
Data integrity (through a message authentication code built from a block cipher or a hash, or through an authenticated encryption mode)
With such a mode, even if an attacker captures the data, the attacker will not be able to manipulate it in any meaningful way without detection. Plain encryption alone does not give this guarantee.
-
Symmetric Cryptography (cont.)
Symmetric algorithms use a single key shared by two communicating parties.
The shared key must remain secret to ensure the confidentiality of the encrypted data. The shared key problem is the main technological challenge for this kind of encryption.
We will discuss solutions to the key exchange problem a bit later.
-
Figure A-1 from Viega and McGraw
The way symmetric encryption works is shown in Figure A-1 from Viega and McGraw.
The message and the key are provided as input to the encryption algorithm. The output is the ciphertext, which can then be transferred over an insecure medium.
-
Figure A-1 (cont.)
On the receiver end, the secret key and the ciphertext are inputs to the decryption algorithm.
The output is the original plaintext.
-
Symmetric Cryptography (cont.)
The secret key must be shared securely. Otherwise, the most sophisticated cryptographic algorithm is useless.
One method of distributing the key is using the sneaker-net (carrying it by hand).
Protocols exist for exchanging keys over an insecure medium, but care must be taken to authenticate the parties, or an impostor can simply take part in the exchange.
Asymmetric cryptography is a common method for sharing keys.
-
Symmetric Cryptography
Two main categories of symmetric algorithms:
Block ciphers
Stream ciphers
Most well-known and well-studied symmetric algorithms are block ciphers.
Block ciphers break up the message into constant-size blocks and encrypt the message block by block. Stream ciphers instead generate a keystream that is combined with the message bit by bit or byte by byte (as in the XOR example).
-
Block Ciphers
Typical block sizes are 64 bits or 128 bits.
Messages are padded (with extra bits) to fit the block size.
The simplest type of block cipher works in ECB (Electronic Code Book) mode. In this mode, each block is encrypted separately, independent of the other blocks (like in our simple XOR example, applied block after block).
-
Block Ciphers (cont.)
ECB block ciphers are not secure because a given plaintext block is always encrypted in the same way under the same key.
Thus, the attacker can look for repeated blocks and common linguistic patterns in the ciphertext, and can also delete, duplicate or reorder ciphertext blocks without detection.
These patterns do not reveal the key, but they reveal the structure of the plaintext, which is often enough.
-
Block Ciphers (cont.)
In CBC (Cipher Block Chaining) mode, blocks are also encrypted one at a time, but each plaintext block is first XORed with the ciphertext of the previous block (the first block is XORed with a random, unpredictable initialization vector, IV).
Thus, the same plaintext block will be encrypted in many different ways, depending on its position and on the IV. This makes it much more difficult for the cryptanalyst to crack the cipher.
CBC mode has long been the default mode for many block ciphers; modern libraries increasingly default to authenticated modes such as AES-GCM, which also protect integrity.
-
Block Ciphers (cont.)
A variety of block cipher modes exist (in addition to CBC) for making sure that repeated plaintext is encoded in different ways throughout the message.
These modes are what the standard symmetric algorithms (DES, 3DES, AES) are used with in practice; the algorithm defines only how one block is encrypted, and the mode defines how a whole message is.
-
Cipher Block Chaining (CBC) Mode
By inserting, deleting or modifying blocks in the middle of the ciphertext, the attacker can interfere with the decryption of a CBC encrypted message: changing a bit in one ciphertext block garbles that block on decryption and flips the same bit in the next plaintext block, and the cipher itself will not notice.
Two methods are used to defend against this kind of gibberish attack:
Encode the length of the message at the start of the message or elsewhere to help the receiver figure out if the message has been tampered with (a weak defence on its own).
Use a cryptographic checksum as a signature for your message, keyed with a secret (a message authentication code such as HMAC, computed over the ciphertext and verified before decrypting) or a digital signature. An unkeyed hash that the attacker can recompute is not enough.
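The ECB, CBC and gibberish-attack discussion above, as an added example that is not from the slides or from Viega and McGraw. Because the point is the mode rather than the cipher, the block cipher here is a four-round Feistel toy built from SHA-256 (an assumption of this example: it is not DES or AES and is not safe for real use). The code shows the repeated-block leak in ECB, that CBC hides it, that flipping one ciphertext byte in CBC garbles one block and flips the same byte in the next block without the cipher noticing, and that an HMAC over the ciphertext (encrypt-then-MAC) catches the tampering. Keys, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes (AES-sized)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed hash of one half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher standing in for DES/AES. Illustration only."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _f(key, left, rnd))
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted independently, so equal blocks give equal output."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (pattern leakage)."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


def flip_byte(ciphertext: bytes, index: int, mask: int) -> bytes:
    """XOR one ciphertext byte. In CBC this garbles the block it sits in and
    flips the same bits in the *next* plaintext block (the gibberish attack)."""
    ct = bytearray(ciphertext)
    ct[index] ^= mask
    return bytes(ct)


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256 over IV || ciphertext."""
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, iv: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message has been tampered with")
    return cbc_decrypt(key, iv, ct)


# Constructed demo inputs (not real secrets). The first three blocks repeat.
KEY = b"demo-encrypt-key"
MAC_KEY = b"demo-mac-key"
IV = bytes(range(BLOCK))
MESSAGE = b"ATTACK AT DAWN!!" * 3 + b"then hold."
```

Running `cbc_decrypt(KEY, IV, flip_byte(cbc_encrypt(KEY, IV, MESSAGE), 0, ord("A") ^ ord("R")))` returns a first block of garbage followed by `RTTACK AT DAWN!!`: the attacker changed the second block's first letter without knowing the key, and nothing in CBC itself objects. The same flip against `seal(...)` makes `open_sealed(...)` raise before any plaintext is produced.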
-
Block Ciphers (cont.)
The longer the message, the better chance the attacker has of breaking the encryption.
Bruce Schneier says that a message would have to be at least 34 gigabytes in length for a 64-bit block cipher before this would become a genuine risk: after about 2^32 blocks of 8 bytes, two ciphertext blocks are likely to repeat (the birthday bound), and in CBC mode a repeat leaks the XOR of two plaintext blocks. The Sweet32 attack of 2016 on 3DES and Blowfish in TLS exploited exactly this.
-
Block Ciphers (cont.)
Two factors influence the security of a symmetric block cipher:
The quality of the algorithm and of the mode it is used in (e.g., ECB mode is insecure whatever the algorithm).
The length of the key (e.g., 64-bit keys are questionable, but 128-bit keys are considered more than adequate). The block size matters separately: 64-bit blocks run into the birthday problem above, which is why AES uses 128-bit blocks.
There is a classic trade-off between efficiency and security.
-
Security is Hard to Prove
Demonstrating how secure a cryptographic algorithm is remains an extremely hard problem.
The best test seems to be years of experience and public exposure.
The one-time pad method (which has been used in the military) is provably secure, provided the key is truly random, at least as long as the message, kept secret and never reused. It is not very practical because a fresh key is needed for each communication.
-
Extended Quote from Lecture Notes
The two basic goals of a cryptographic algorithm are (a) to make life difficult for the attacker and (b) to produce algorithms that are efficient both in terms of space and time. An algorithm that is too inefficient to be used in practice is of little value even if it were proven to be highly secure ...
-
Quote (cont.)
It is fairly easy for the cryptography researcher to design an algorithm that is secure against all KNOWN forms of attack. It is far more difficult to design an algorithm that will be secure against types of attacks that are still UNKNOWN. It is nearly impossible to predict new attacks against block ciphers that will be manifesting in future years.
-
Quote (cont.)
For example, Viega and McGraw state that many people believe that the NSA has developed sophisticated attacks against block ciphers that they have not shared with the rest of the world.
-
Key Size
A 64-bit key is considered too small for high security applications. According to Bruce Schneier (back in 1995), an organization such as the NSA could break a 64-bit key in under one minute.
A 256-bit key is believed to be secure enough that a computer made of all the matter in the universe computing for the entire lifetime of the universe would have an infinitesimal probability of finding a key by brute force.
-
Quantum Computing
But, then there is always Quantum Computing .... A large enough quantum computer running Shor's algorithm would break RSA and Diffie-Hellman outright, while Grover's algorithm roughly halves the effective length of a symmetric key, which is one reason 256-bit symmetric keys are recommended for long-term security.
-
Important Commercial Algorithms
The most important symmetric algorithms from a commercial point of view are:
DES (Data Encryption Standard)
3DES
AES (Advanced Encryption Standard)
-
DES
This was the US government standard for many years; it has since been superseded by AES.
It uses a 64-bit key (actually, only 56 bits are used for the encryption, the other 8 bits are parity bits), so it is no longer viable: a 56-bit key space can be searched exhaustively, as the EFF's purpose-built DES cracker demonstrated in 1998 in under three days.
Increased processing speeds have since made brute force attacks on DES routine.
-
3DES
Then came the idea of using DES twice on a given message (2DES, with two keys).
A subtle form of attack, the meet-in-the-middle attack, was discovered which made 2DES barely stronger than DES: encrypting forward under every first key and decrypting backward under every second key costs about 2^57 operations, not 2^112.
3DES (encrypt-decrypt-encrypt with two or three keys) proved to have the properties that 2DES was supposed to have, with an effective strength of about 112 bits.
3DES is a viable and popular symmetric block algorithm (it has since been deprecated by NIST in favour of AES, partly because of its 64-bit block size).
3DES has one downside: it is inefficient.
-
DES According to Denning
-
DES According to Denning
GET THE IDEA?
-
3DES
Despite the fact that it is inefficient, 3DES was for a long time considered a very good (and a very popular) choice for encryption; new designs should use AES.
Several good implementations of 3DES are easily downloaded off the Internet.
-
AES
The NIST (National Institute of Standards and Technology) ran a competition for a new encryption standard.
The winners were announced in October 2000.
They were Joan Daemen and Vincent Rijmen. Their algorithm is called Rijndael, and its standardized form (published as FIPS 197 in 2001) is AES (Advanced Encryption Standard).
AES is now an accepted federal standard and is widely available in open source form. Implementations are available in C++ and Java (and in every mainstream cryptographic library).
-
AES (cont.)
3DES still has the advantage that it has been studied (in DES form) for many years.
The guesstimate is that AES will be a viable encryption standard for the next 50 years, but there could be some surprises down the road. AES also has a 128-bit block (DES and 3DES have 64-bit blocks) and supports 128-, 192- and 256-bit keys.
-
The Key Distribution Problem
For symmetric ciphers, each pair of communicating agents needs a unique key.
If there are lots of users, this creates a key management problem: n users need n(n-1)/2 pairwise keys.
Key derivation algorithms are used to generate a unique key for each communicating pair from a master key.
If the master key for the key derivation algorithm is compromised, you've got a major problem: every derived key falls with it.
-
Key Distribution (cont.)
Some have even attacked derived keys in a key distribution system to get the master key.
Another approach is to use a key management system that generates session keys for each communication. Even for the same communicating pair, the session keys will change from session to session.
Kerberos, from MIT, is a highly regarded network authentication protocol (with an open source reference implementation) built on symmetric keys: a trusted key distribution center shares a long-term key with each party and hands out fresh session keys for each conversation.
-
The Great Philosopher, Yogi Berra
It is difficult to make predictions, especially about the future.
-
Asymmetric (Public Key) Cryptography
Public key cryptography is an attempt to circumvent the key distribution problem completely.
As it turns out, asymmetric algorithms tend to be very inefficient (slow) compared with symmetric ones.
Their main use is in solving the key exchange problem for symmetric cryptography.
-
Public Key Crypto (cont.)
In asymmetric cryptography, each user has two keys: a public key and a private key.
The public key is made public. For example, it may be published on a Web site. The private key must be kept secret. It is never shared with anyone.
The security of the private key in public key crypto is as important as key security in symmetric crypto.
-
Public Key Crypto (cont.)
There is no secret-key distribution problem in public key cryptography: nothing secret has to be sent to the other party. There is still a key authenticity problem: Alice must be sure that the public key she holds really is Bob's, as the man-in-the-middle attack below shows.
Some people have compared public key cryptography to a mailbox. Many people can put mail into the mailbox (in effect, using the public key), but only a postal worker with the appropriate key (corresponding to the private key) can retrieve the mail from the mailbox.
-
Figure A-2
Alice wants to send a message to Bob.
Alice uses Bob's public key to encrypt the message.
The encrypted message is sent over the insecure medium.
Bob uses his private key to decrypt the encrypted message. No one but Bob knows the private key.
-
Public Key Crypto (cont.)
Public key encryption and decryption algorithms tend to be incredibly slow relative to symmetric key algorithms.
Public key algorithms tend to be about 100 times slower than DES.
In general, encrypting large messages using public key cryptography is not considered practical.
-
Public Key Crypto (cont.)
The most important use for public key cryptography is for solving the symmetric cryptography key exchange problem.
Viega and McGraw say that using public key cryptography is a more secure choice than using key derivation algorithms.
SSL (today TLS) uses this strategy: public key crypto for sharing keys and symmetric algorithms for encrypting the message.
-
Rivest, Shamir, and Adleman (RSA)
RSA is the most famous public key algorithm.
RSA starts with picking two HUMONGOUS prime numbers, p and q. Each of these prime numbers contains hundreds to thousands of bits (1024 bits each is typical today, giving a 2048-bit modulus).
The two prime numbers remain secret; from them the private decryption exponent d is computed, and p, q and d together make up the private key.
Their product, n = p * q, together with a public exponent e, is the public key.
-
RSA (cont.)
The public key (n, e) is used to encrypt the message: c = m^e mod n.
Only someone who knows the private exponent d (which requires knowing the prime factors of n) can decrypt the message, m = c^d mod n, in a reasonable amount of time.
The security of RSA is based on the difficulty of factoring n into the prime factors p and q.
At this point in history, this is seen as a difficult problem.
-
RSA (cont.)
RSA is still considered secure after twenty years of use.
The big security problem is that some implementations of RSA have been flawed and had security problems of their own.
The software developer should use a well-tested and highly-regarded implementation of RSA.
Never code your own!!!
-
RSA (cont.)
There are huge numbers of large prime numbers.
There are approximately 10^151 primes of length 512 bits or less.
One interpretation is that there are enough primes of up to 512 bits to assign every atom in the universe 10^74 prime numbers without ever repeating one of those primes.
-
The Future of RSA
The future of RSA is hard to predict.
It depends upon what happens in prime number factoring theory.
Not too many years ago, experts believed that no one would ever have the resources necessary to factor a 512-bit RSA modulus.
Now, an organization with adequate resources can factor a 512-bit number in just a few months (the 512-bit RSA-155 challenge number was factored in 1999).
-
The Future of RSA (cont.)
Viega and McGraw recommend that you use no less than a 2,048 bit key for data requiring long-term security (ten or more years).
It may be that 1,024 bit numbers are nearing the end of their usefulness even for short-term security (1,024-bit RSA has since been withdrawn from standards such as NIST SP 800-131A, and 2,048 bits is the accepted minimum).
The longer the key, the longer it takes to encrypt and decrypt messages using public key cryptography.
-
Public Key Crypto Vulnerabilities
Public key encryption algorithms are inherently exposed to chosen plaintext attacks: the encryption key is public, so anyone can encrypt as many chosen messages as they like. With a deterministic scheme such as textbook RSA, an attacker who can guess the plaintext from a small set of possibilities can confirm the guess by encrypting it and comparing with the observed ciphertext.
However, since public key is generally used to encrypt small, random messages (like session keys), plaintext guessing is not a practical problem there; real implementations also add randomized padding (such as OAEP) so that the same plaintext never encrypts to the same ciphertext twice.
More significant is the man-in-the-middle type of attack.
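Textbook RSA as an added example (not the slides' or Viega and McGraw's code) covering the two preceding passages: how (n, e) and d come from p and q, why factoring n is the same as recovering the private key, and the chosen-plaintext guessing attack on deterministic public key encryption. The primes are constructed 20-bit values so that trial division finishes instantly; real keys use random primes of 1024 bits or more, and real implementations add randomized padding, which this textbook version deliberately omits so the attack is visible.

```python
import math
from typing import Iterable, Optional, Tuple

Key = Tuple[int, int]


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA key generation from two primes.
    Returns public key (n, e) and private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub: Key, m: int) -> int:
    """c = m^e mod n. Deterministic: the same m always gives the same c."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(priv: Key, c: int) -> int:
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> int:
    """Smallest prime factor of n. Only feasible because the demo primes are tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f
        f += 1
    raise ValueError("n is prime")


def recover_private_key(pub: Key) -> Key:
    """Factoring n is exactly what breaks RSA: p and q give phi(n), hence d."""
    n, e = pub
    p = factor_by_trial_division(n)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def guess_plaintext(pub: Key, ciphertext: int, candidates: Iterable[int]) -> Optional[int]:
    """Chosen-plaintext attack on deterministic encryption: anyone can encrypt
    guesses with the public key and compare against the observed ciphertext.
    Works whenever the plaintext comes from a small, guessable set."""
    for m in candidates:
        if rsa_encrypt(pub, m) == ciphertext:
            return m
    return None


# Constructed demo primes (about 20 bits each). Real keys use random primes of
# 1024 bits or more; these are small only so that factoring finishes instantly.
P, Q = 1_000_003, 999_983
PUB, PRIV = rsa_keygen(P, Q)

if __name__ == "__main__":
    m = int.from_bytes(b"key!", "big")      # a short "session key" as an integer
    c = rsa_encrypt(PUB, m)
    print("round trip ok:", rsa_decrypt(PRIV, c) == m)
    print("factoring recovers d:", recover_private_key(PUB) == PRIV)
    # An attacker who knows the key was one of a few values just tries them.
    print("guessed plaintext:", guess_plaintext(PUB, c, range(m - 1000, m + 1000)))
```

The guessing attack is why a random 128-bit session key is safe to send with textbook RSA in the slides' sense (2^128 candidates cannot be tried) while a password, a yes/no answer or a credit card number is not, and why standard padding randomizes every encryption.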
-
Man-in-the-Middle Attacks
Figure A-3 depicts a man-in-the-middle attack. First, let's consider this kind of attack in terms of Alice trying to send a message to Bob.
In this kind of attack, Ted sends Alice his own public key, misrepresenting it as Bob's public key.
Ted is pretending that he is Bob when he is communicating with Alice.
-
Man-in-the-Middle (cont.)
Ted sends Bob Ted's own public key, misrepresenting it as Alice's public key.
Ted is pretending to be Alice when he communicates with Bob. Ted is intercepting all traffic between Bob and Alice.
-
Man-in-the-Middle (cont.)
When Alice sends Bob a message, she encrypts it using Ted's public key (she thinks it is Bob's).
When Ted receives Alice's message, he can decrypt it. Ted can then send Bob a modified or entirely different message, encrypting it with Bob's public key.
Bob decrypts the message, thinking it came from Alice.
-
Man-in-the-Middle (cont.)
Figure A-3 depicts the situation in terms of a client and a server.
The client (Alice) asks for the server's public key so she can send secure information to the server (Bob).
But, the client is not communicating with the server. She is communicating with the attacker, who sends her his public key.
-
Man-in-the-Middle (cont.)
Meanwhile, the attacker establishes his own secure connection with the server.
This gives the attacker access to any information that the client sends to the server and any information that the server sends back to the client, while both ends see a correctly encrypted session.
This kind of problem motivates the need for a public key infrastructure (PKI).
-
PKI
The basic idea behind a Public Key Infrastructure (PKI) is that a trusted third party certifies valid keys.
Back to Bob and Alice. In this case, Alice would receive Bob's public key through a trusted third party, a certification authority (CA).
The CA would say, in effect: Alice, trust us, Bob is a dependable fellow and this is Bob's public key.
-
PKI (cont.)
Obviously, this does not solve the matter of trust (the security problem); it moves it.
How can Alice be sure that she can trust the so-called trusted authority?
One of the largest CAs at this point in time is VeriSign.
VeriSign performs background checks on applicants before issuing them, for a fee, a certificate that binds their name to their public key.
-
PKI (cont.)
VeriSign's track record is not perfect. Several people registered with VeriSign under the name Bill Gates.
In March 2001 Microsoft announced that two code-signing certificates in Microsoft's name had been issued by VeriSign, in January of that year, to someone who was not a Microsoft employee (Microsoft Security Bulletin MS01-017).
-
PKI (cont.)
The problem of trusted identity, taken from Viega and McGraw.
-
PKI (cont.)
Advice for developers from Viega and McGraw ...
-
Cryptographic Hashing Functions for Data Integrity
Cryptographic hashing functions are used to ensure the integrity of data.
Cryptographic hashing functions are sometimes called cryptographic checksums or integrity checksums.
Hashing functions are also used for digital signatures, which we shall discuss later.
-
Integrity Checksums
Since stuff happens, it is important to have somemeans of detecting unauthorized changes to files.
An integrity checksum is a value that is computedfrom the data that is being protected.
The integrity checksum is stored separately fromthe protected data.
-
Integrity checksums (cont.)
The recipient of the data recomputes the checksum from the data that is received and compares that checksum to the value that was recorded separately by the provider of the data.
If the original checksum and the recomputed checksum do not match, then the data has been changed in some way.
-
Desirable Qualities for Checksum Computations
The computation must depend upon every single bit in the data, so that if even one bit is changed, that will be reflected in the checksum (on average about half of the output bits should change).
The computation must be such that it is infeasible to find two messages with exactly the same checksum (collision resistance).
The checksum should not reflect the original data in any obvious way, and it must be infeasible to work backwards from a checksum to a message that produces it (preimage resistance).
-
Desirable properties (cont.)
The third property, together with the second, implies that an attacker would not be able to figure out how to manipulate the data so that the cryptographic checksums for the valid data and the corrupted data would wind up being the same (second-preimage resistance). Another way of stating this is that it would be infeasible for the attacker to reverse engineer the checksum computation.
-
Hashing functions
Checksums are computed using hashing functions.
Hashing functions are one-way functions. This means that the output (the checksum, or digest) cannot be used to reconstruct the input. The digest is not ciphertext: there is no key and nothing to decrypt.
The checksum is fixed-size and usually much smaller than the input.
-
Hashing functions (cont.)
Hashing functions provide a kind of digital fingerprint.
When we take a fingerprint, we lose a lot of information about the person.
Still, fingerprints and checksums are useful despite the information that is lost.
Checksums are sometimes called cryptographic or digital fingerprints.
-
Hashing functions (cont.)
A checksum is sometimes called a message digest. A message authentication code, or MAC, is a related but different thing: a checksum computed with a secret key, so that only someone who knows the key can produce or verify it.
The security of the hashing function is related to the size of the resulting checksum (in bits): collisions can be found in about 2^(n/2) tries for an n-bit digest.
Viega and McGraw suggest using hashing functions that produce a checksum of at least 160 bits; current practice is 256 bits (SHA-256) or more.
-
Checksum Systems
SHA-1 is a federal standard for computing checksums.
SHA-1 does not use secret keys. The checksum is computed with a public hashing function, so anyone (including an attacker who changes the data) can recompute it; the stored checksum therefore needs to be protected. For example:
On a secure medium an attacker cannot modify
Encrypted on a completely separate medium from the original data
Alternatively, compute a keyed checksum (an HMAC) so that the attacker cannot produce a matching value without the key.
-
Checksum systems (cont.)
SHA-1 uses a 160 bit digest. SHA-1 was considered secure when these slides were written; a practical collision (SHAttered) was published in 2017, and SHA-1 should no longer be used for signatures or integrity checks.
The newer SHA-2 family (SHA-256, SHA-384, SHA-512) has now had many years of public scrutiny and is the current standard, with SHA-3 as an alternative.
Tripwire is a checksum system that works with the operating system to see if files have been created, deleted, or modified in an unauthorized way.
-
Hashing Functions and Passwords
Hashing functions are often used to store passwords for users who are logging onto a multi-user system.
When the user tries to log in with his or her established password, the login program hashes it, and compares the newly hashed password with the stored hash.
If the two are equal, the system assumes the user typed in the right password.
A plain, fast hash is not enough here: the system should add a random per-user salt (so equal passwords do not produce equal hashes and precomputed tables are useless) and use a deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt or Argon2) to slow down guessing.
-
Telnet and other Internet Protocols
With Telnet, the password goes over the network in the clear, unhashed.
A packet sniffer could be used to catch the password in transit.
Telnet authentication provides a very low bar for potential attackers to clear.
Other protocols that have a similarly weak authentication mechanism include FTP, POP3, and IMAP, unless they are run inside an encrypted channel (TLS, or SSH in place of Telnet).
-
Attacks on Hashing Computations
A brute force attack involves finding an alternative text that will yield the same hash as a given message (a second preimage). This is usually very difficult (about 2^n tries for an n-bit hash) and the alternative text is likely to be gibberish.
A far more effective attack, when the attacker can influence both messages, is called a birthday attack.
-
A Simple Birthday Attack
Suppose Bob and Alice enter an agreement in which Alice agrees to pay Bob $5.00 per widget. This agreement is sent to Bob with a cryptographic checksum. Bob decides not to store the original document on his server, just the checksum, thinking that would be adequate evidence if Alice tries to present an alternative document ...
-
A Simple Birthday Attack (cont.)
In fact, Alice does try to present an alternative document which states that the agreement is that she pay $1.00 per widget. Bob thinks she will fail in a legal battle because he has the cryptographic checksum. Unfortunately for Bob, Alice's new document has the same checksum as the original and Bob loses in court.
-
A Simple Birthday Attack (cont.)
What Alice did (what is called a birthday attack) involved preparing, before the agreement was checksummed, many versions of both documents: the $5 document and a copy with every $5 replaced by $1. She systematically reformats each of them by changing spaces to tabs and so forth, producing many variants that read identically. Because she is looking for any collision between the two sets rather than a match against one fixed checksum, she needs only about 2^(n/2) variants for an n-bit checksum instead of 2^n. She then submits the $5 variant that collides with one of her $1 variants.
This kind of attack is infeasible with checksums of 256 or 512 bits (2^128 or 2^256 tries), but it is what makes short checksums unsafe.
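The birthday attack on Bob's checksum as an added example (not from the slides). The contract texts are constructed; the checksum is SHA-256 truncated to 24 bits purely so the search finishes in about a second, standing in for the short checksums the passage says are unsafe. The attack builds a table of fair-looking $5.00 variants (spaces swapped for tabs), then searches $1.00 variants until one lands on a checksum already in the table, and `work_factor` gives the contrast with matching one fixed checksum.

```python
import hashlib
from typing import Dict, Optional, Tuple

DIGEST_BITS = 24   # truncated on purpose so the search finishes in about a second


def checksum(document: bytes) -> int:
    """SHA-256 truncated to DIGEST_BITS bits: a stand-in for a short checksum."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") >> (256 - DIGEST_BITS)


def variant(text: str, i: int) -> bytes:
    """The i-th cosmetically different copy of text: bit j of i decides whether
    the j-th space is written as a tab. Same words, same meaning, different bytes."""
    words = text.split(" ")
    out = [words[0]]
    for j, word in enumerate(words[1:]):
        out.append(("\t" if (i >> j) & 1 else " ") + word)
    return "".join(out).encode("utf-8")


# Constructed contracts for the demo. Each has 24 gaps, so up to 2^24 variants exist.
FAIR = ("Alice agrees to pay Bob five dollars ($5.00) for each and every widget "
        "that Bob delivers to Alice under the terms of this signed agreement.")
FRAUD = FAIR.replace("five dollars ($5.00)", "one dollar ($1.00)")


def birthday_attack(fair: str, fraud: str, table_size: int,
                    max_tries: int) -> Optional[Tuple[bytes, bytes]]:
    """Tabulate checksums of table_size fair variants, then try fraud variants until
    one hits a checksum already in the table. Expected cost is about
    2^DIGEST_BITS / table_size tries, versus 2^DIGEST_BITS to match one fixed value."""
    table: Dict[int, bytes] = {}
    for i in range(table_size):
        doc = variant(fair, i)
        table.setdefault(checksum(doc), doc)
    for i in range(max_tries):
        doc = variant(fraud, i)
        match = table.get(checksum(doc))
        if match is not None:
            return match, doc          # (what Bob checksums, what Alice shows the court)
    return None


def work_factor(bits: int) -> Tuple[int, int]:
    """(tries to match one fixed n-bit checksum, tries to find any collision)."""
    return 2 ** bits, 2 ** (bits // 2)


if __name__ == "__main__":
    pair = birthday_attack(FAIR, FRAUD, 1 << 13, 1 << 17)
    if pair is None:
        print("no collision found within the search budget")
    else:
        fair_doc, fraud_doc = pair
        print("checksum of both:", hex(checksum(fair_doc)))
        print("fair   :", fair_doc)
        print("fraud  :", fraud_doc)
    print("work factor for 160-bit SHA-1:", work_factor(160))
```

The defence is exactly the one the passage gives: a digest wide enough that 2^(n/2) is out of reach (2^128 for SHA-256), together with Bob keeping the signed document, not only its checksum.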
-
Digital Signatures for Authentication
Public key encryption enabled the development of the technology of digital signatures.
Digital signatures are somewhat analogous to traditional handwritten signatures.
Digital signatures are strongly bound to the document, but weakly bound to the individual.
A digital signature is computed, in part, using the contents of the document being signed.
-
Main Goals of Digital Signatures
A signature should be proof of authenticity. Its existence on a document should be able to convince people that the person whose signature appears on the document signed the document.
A signature should be impossible to forge. The person who signed the document should not be able to claim that the signature is not theirs (support for non-repudiation).
-
Main Goals (cont.)
After the document is signed, it should be impossible to alter the document without detection. The signature is intrinsically linked to the document that is being signed.
It should be impossible to transplant the signature to another document. Again, the digital signature is intrinsically linked to the document that is being signed.
-
Figure 12.1 from Denning
This figure shows one scheme for digital signatures that uses public key cryptography and hash algorithms (the usual technology).
As you might have guessed, Alice wants to send a signed and encrypted message to Bob.
Here's how it works:
-
Figure 12.1 (cont.)
1. Alice generates a message key, K, for symmetric encryption. Alice encrypts the message M with K, getting the ciphertext message, CM.
2. Alice encrypts K with Bob's public key-encrypting key, Kbobpub, getting the ciphertext key, CK. This will allow Bob to retrieve the key for decrypting the ciphertext.
Figure 12.1 (cont.)
3. Alice uses a hashing function to compute a checksum for the message, M. She then encrypts the checksum, using public key encryption, with her private signature key, KS_Alicepriv. The encrypted checksum is the signature, S.
4. Alice sends CK (the encrypted message key), CM (the encrypted message), and S (the digital signature) to Bob.
Figure 12.1 (cont.)
5. Bob uses his private key, K_bobpriv, to decrypt CK. This gives him the key, K, that Alice originally sent to encrypt the message, M.
6. Bob uses K to decrypt CM (the encrypted message) to get the message, M.
7. Bob uses Alice's public signature key, KS_Alicepub, to validate S, the digital signature. This requires that Bob use the hashing function to hash the message M. The resulting checksum should be equal to the decrypted signature, S.
Figure 12.1 (cont.)
This technology of digital signatures uses:
A hash function to help generate the digital signature, S.
Symmetric (secret key) cryptography to encrypt the message, M.
Public key cryptography to share the secret key used to encrypt and decrypt the message, M.
Public key cryptography to encrypt and decrypt the digital signature, S.
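The scheme of Figure 12.1, steps 1 to 7, as an added Go example that is not part of these slides or of Denning's text: AES-256-GCM stands in for the symmetric cipher, RSA-OAEP for the public key encryption of K, and an RSA-PSS signature over SHA-256(M) for "encrypting the checksum with the private signature key". The Envelope type, the function names and the 32-byte K are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ CK, CM, S []byte } // CK: K wrapped for Bob; CM: 12-byte GCM nonce || ciphertext; S: signature
// aead builds AES-256-GCM for K; neither constructor can fail for a 32-byte key.
func aead(k []byte) cipher.AEAD {
	block, _ := aes.NewCipher(k)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal is Alice's side (steps 1-4). As in the figure, S is computed over the plaintext M.
func Seal(m []byte, bobPub *rsa.PublicKey, alicePriv *rsa.PrivateKey) (Envelope, error) {
	buf := make([]byte, 32+12) // step 1: fresh K, plus the GCM nonce, from the OS CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	k, nonce := buf[:32], buf[32:]
	cm := aead(k).Seal(nonce, nonce, m, nil)                                 // CM = nonce || AES-GCM(K, M)
	ck, kerr := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, k, nil)   // step 2: CK under K_bobpub
	h := sha256.Sum256(m)                                                    // step 3: checksum of M ...
	s, serr := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, h[:], nil) // ... signed with KS_Alicepriv
	if kerr != nil || serr != nil {
		return Envelope{}, fmt.Errorf("wrap key: %v; sign: %v", kerr, serr)
	}
	return Envelope{CK: ck, CM: cm, S: s}, nil // step 4: send CK, CM and S
}
// Open is Bob's side (steps 5-7): unwrap K, decrypt CM, hash M and check it against S.
func Open(e Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, e.CK, nil) // step 5: K from CK
	if err != nil || len(e.CM) < 12 {
		return nil, fmt.Errorf("cannot unwrap K, or CM malformed: %v", err)
	}
	m, err := aead(k).Open(nil, e.CM[:12], e.CM[12:], nil) // step 6: M from CM; fails if CM was altered
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(m) // step 7: the recomputed checksum must match the signed one
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, h[:], e.S, nil); err != nil {
		return nil, err // altered M, or an S that was forged or transplanted from another document
	}
	return m, nil
}
```

Open returns an error whenever CK was wrapped for someone else, CM was altered, or S does not match the checksum of the recovered M, which is exactly what steps 5 to 7 require.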
Pretty Good Privacy (PGP)
This is how Bob and Alice would accomplish the same goals using a user-friendly e-mail encryption system called Pretty Good Privacy (PGP):
1. Alice composes an e-mail message to Bob. She clicks on a button or menu item that says "send signed and encrypted".
Pretty Good Privacy (cont.)
2. The encryption system prompts Alice for a password. The password unlocks her private signature key, which is stored encrypted on disk or on a separate storage medium.
3. The encryption system looks up Bob's public key (for encrypting messages sent to Bob under public key cryptography) in Alice's address book or on her digital key ring, which is stored in a file on her disk.
Pretty Good Privacy (cont.)
3 (cont.). The digital key ring generates K, the symmetric key that will be shared with Bob, and computes CK, the encrypted key, CM, the encrypted message, and S, the digital signature. It puts the message in the outbound queue.
4. When the message shows up in Bob's inbox, he clicks on a button to read the message.
Pretty Good Privacy (cont.)
5. Bob's encryption system prompts him for a password, which unlocks his private key. It decrypts CK to retrieve K, and then uses K to decrypt CM, to get the message M.
6. The encryption system on Bob's machine then looks up Alice's public signature key in Bob's address book or key ring. It validates her signature S. The decrypted message is displayed to Bob along with an indication as to whether the signature was valid.
Pretty Good Privacy (cont.)
Alice and Bob each have two digital key rings when they use PGP. They have a private ring that holds their private keys and a public ring that holds their own public keys and the public keys of those they are communicating with.
The key rings are implemented as files stored on the hard drive or on a diskette.
Diffie-Hellman
Diffie-Hellman is another popular method for sharing secret keys.
Diffie-Hellman has some similarities to the use of public key encryption to share secret keys.
This method was developed in 1976 by Whitfield Diffie and Martin Hellman, two cryptographers at Stanford University.
In 1997 it was revealed that British cryptographers had developed a similar idea in the 1960s and early 1970s.
Diffie-Hellman (cont.)
Here is a simple description of the Diffie-Hellman protocol that allows two parties to compute a message key for symmetric encryption without that secret ever being shared explicitly:
1. Each party independently generates a private key.
2. They each compute a public key as a mathematical function of their individual private keys.
Diffie-Hellman (cont.)
3. They exchange public keys.
4. Each party then computes a message key (the secret key) which is derived from their own private key and the other person's public key.
They both arrive at the same message key.
Diffie-Hellman (cont.)
The public keys must be computed using a one-way function (a hashing function) that makes it impossible to get back the private keys from the publicly exchanged keys.
If an attacker has access to one party's public key and the other party's private key, the attacker could compute the message key.
The mathematics is such that the publicly exchanged keys cannot reveal either party's private key.
Diffie-Hellman (cont.)
The mathematics is based on the following relationship:
y = g^x mod N
It is easy to compute y if g, x, and N are known, but it is not easy to compute x if y, g, and N are known.
The problem of finding x is called the discrete logarithm problem because x is the logarithm of y base g (mod N). For numbers that are hundreds of digits long, this is a hard problem.
Diffie-Hellman (cont.)
Here is how Diffie-Hellman works, allowing Alice and Bob to establish a secret message key. Assume that p is some prime number and g is a base number:
Alice generates a secret key, x_alice.
Bob generates a secret key, x_bob.
Alice computes a public key y_alice = g^x_alice mod p.
Bob computes a public key y_bob = g^x_bob mod p.
Diffie-Hellman (cont.)
Bob and Alice exchange their public keys.
Alice now computes the message key, K, as
K = y_bob^x_alice mod p
Bob now computes the message key, K, as
K = y_alice^x_bob mod p
Both Bob and Alice end up with the same key, namely:
K = g^(x_alice * x_bob) mod p
Diffie-Hellman (cont.)
In practice, very large numbers are used (several hundred DIGITS each), but here is an example using small numbers:
p = 11, g = 5, x_alice = 2, x_bob = 3.
Alice computes her public key
y_alice = 5^2 mod 11 = 3.
Bob computes his public key
y_bob = 5^3 mod 11 = 4.
Diffie-Hellman (cont.)
Bob and Alice exchange their public keys.
Alice computes the message key, K, as
K = 4^2 mod 11 = 5.
Bob computes the message key, K, as
K = 3^3 mod 11 = 5.
Both end up with the same message key, namely:
K = 5^(2*3) mod 11 = 15,625 mod 11 = 5.
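The same exchange as an added Go example (not from the slides), using math/big for the modular exponentiation. It goes a little beyond the slides: private keys can also be drawn at random from the OS CSPRNG, and a brute-force discrete logarithm shows why p = 11 is only a teaching value. The function names and the Exchange type are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Public returns y = g^x mod p, the one-way step: easy to compute, hard to invert for large p.
func Public(g, x, p *big.Int) *big.Int { return new(big.Int).Exp(g, x, p) }

// Shared returns K = yOther^x mod p from one's own private key and the peer's public key.
func Shared(yOther, x, p *big.Int) *big.Int { return new(big.Int).Exp(yOther, x, p) }

// Exchange holds every value of one run so it can be compared with the slides' numbers.
type Exchange struct{ YAlice, YBob, K *big.Int }

// DiffieHellman runs the four steps from the slides with given private keys and checks
// that both sides agree on K = g^(xAlice*xBob) mod p.
func DiffieHellman(p, g, xAlice, xBob *big.Int) (Exchange, error) {
	yA, yB := Public(g, xAlice, p), Public(g, xBob, p)   // steps 1-2; step 3 exchanges yA and yB
	kA, kB := Shared(yB, xAlice, p), Shared(yA, xBob, p) // step 4 on each side
	want := new(big.Int).Exp(g, new(big.Int).Mul(xAlice, xBob), p)
	if kA.Cmp(kB) != 0 || kA.Cmp(want) != 0 {
		return Exchange{}, fmt.Errorf("key mismatch: alice=%v bob=%v want=%v", kA, kB, want)
	}
	return Exchange{YAlice: yA, YBob: yB, K: kA}, nil
}

// RandomPrivateKey draws x uniformly from [1, p-2] using the OS CSPRNG.
func RandomPrivateKey(p *big.Int) (*big.Int, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(2)))
	if err != nil {
		return nil, err
	}
	return x.Add(x, big.NewInt(1)), nil
}

// BruteForceDiscreteLog recovers x from y = g^x mod p by trying every exponent below p.
// Instant for p = 11; for a p of hundreds of digits this is the hard problem the slides mention.
func BruteForceDiscreteLog(y, g, p *big.Int) (int64, bool) {
	for x := int64(0); x < p.Int64(); x++ {
		if Public(g, big.NewInt(x), p).Cmp(y) == 0 {
			return x, true
		}
	}
	return 0, false
}
```

With p = 11, g = 5, x_alice = 2 and x_bob = 3, DiffieHellman returns y_alice = 3, y_bob = 4 and K = 5, and BruteForceDiscreteLog recovers x_alice from y_alice in at most 11 tries.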
Diffie-Hellman (cont.)
Diffie-Hellman is used in several network protocols and commercial products, including PGP.
With Diffie-Hellman, keys can be generated as needed (on the fly) and they can be discarded at the end of the conversation.
Software Developers and Cryptography
According to Viega and McGraw the most common mistakes developers make with respect to cryptography are:
Failing to apply cryptography when it is needed.
Applying cryptography in an incorrect manner when it is deployed.
Developers and Crypto (cont.)
The most important rule is:
Never, Never implement your own cryptographic algorithms!!!
An experienced cryptanalyst will not be deterred by the fact that an algorithm is secret (not in the public domain). Their tools do not require knowledge of the algorithm.
Developers and Crypto (cont.)
The safest policy is to use a published, well-used algorithm that has been well-scrutinized by respected cryptographers over a period of at least a few years.
Developers and Crypto (cont.)
Viega and McGraw note that most of the major network protocols that use encryption have been broken at least once. These include:
SSL (Secure Socket Layer) version 2: this should never be used.
SSH (Secure Shell Protocol) version 1: this should be avoided.
MS's Point-to-Point protocol used in MS's Virtual Private Network (VPN).
Developers and Crypto (cont.)
It is not only important to use well-known encryption algorithms, but also to use well-scrutinized implementations of those algorithms, because the algorithms could be implemented incorrectly.
Developers also need to understand the legal framework surrounding cryptography. The laws have been weakened somewhat concerning shipping strong crypto stuff overseas, but there are still laws governing this domain.
Developers and Crypto (cont.)
The best bet, in terms of avoiding legal complications, is to use off-the-shelf, freely available cryptographic packages.
Handout with reviews of two cryptographic libraries.