cs4765
Intro to Cryptography
A brief Ancient history
• 1900 B.C. In Egypt using "non-standard" hieroglyphs
• 1500 B.C. Mesopotamian tablet
– enciphered formula for making pottery glazes
• 500-600 B.C. Hebrew ATBASH cipher
• 486 B.C. Greek skytale
• 50-60 B.C. Julius Caesar's simple substitution cipher
• Kama Sutra of Vatsyayana
– lists secret writing as the 44th, secret talking as the 45th of 64 arts men and women should know.
• Ancient China allowed only the upper classes to read/write so they could keep "state" secrets
Brief current history
• Until modern times, cryptography was used by governments/militaries to keep "state" secrets, battle plans, etc.
• The general population didn't use it or used simple ciphers, such as the "Decoder ring".
General Idea of Cryptography
• The original message is known as plaintext
• If two people (Bob and Alice) want to talk privately, then they convert the plaintext into a ciphertext message.
– ciphertext is gibberish, so that nobody else can read it (say Eve).
– Bob and Alice can both transform the ciphertext back to plaintext so they can "talk".
– The transformation is an algorithm.
The Key
• The key is why cryptography works today
– Without a key, everyone would have to have different algorithms in order to send encrypted messages to different people, without everyone who knows the algorithm being able to view it.
• Same concept as the key to your front door.
– There are not that many lock manufacturers.
Crypto Toolbox
• Symmetric Algorithms
– also called Private-key Encryption
• Message Authentication Codes
• One-way Hash Algorithms
• Public-key Encryption
• Digital Signatures
Symmetric Encryption
• Each person in the group shares the same key.
– They use the key to encrypt and decrypt the message.
– If you need to cut someone out of the group (say Eve), the key is changed. All new messages can't be read by Eve, but she can still read all the old ones.
• The algorithm is more than likely known by everyone.
– The Data Encryption Standard (DES) has been a standard since 1977
Symmetric Encryption
[Figure: the same key is used for both encryption and decryption. Sender and recipient must both know the key; this is a weakness. Source: Stein, Web Security]
Common Symmetric Algorithms
• DES
• triple-DES
• RC4
• RC5
• IDEA
• Blowfish
• AES
Data Encryption Standard (DES)
• Symmetric, key-based encryption-decryption standard.
• Block cipher: operates on 64-bit blocks
• Uses 56-bit key
• 16 “rounds” -- key for each round is a 48-bit function of the original 56-bit key. Each key bit participates in an average of 14 rounds
• Completely symmetric. Same algorithm decrypts.
• Fast implementation in hardware: 1 gigabit/second
Data Encryption Standard (DES)
[Figure: DES block diagram. Labels: 64 bits of message input; input permutation; left half of block (32 bits); subkeys, each a 48-bit function of a 56-bit key; f is a complicated function involving various permutations; exclusive-or; inverse of input permutation; output: 64 bits of encrypted text. Source: Schneier, Applied Cryptography]
The problem: keys
• The key security becomes the new problem.
– The data is "protected", but…
– How does one distribute keys securely?
– The keys must be stored, used, and destroyed securely.
• Worse is if you are using pairwise keys
– 10 users need 45 keys; 100 users need 4,950 keys
Attacking Symmetric Algorithms
• Known-plaintext attack
– analyst has a copy of the plaintext and ciphertext
• Now they can recover the key and use it on other documents
• MS Word docs all start with the same hundreds of bytes, so you recover the keys from that section and then read the rest of the document.
– Remember most algorithms are known.
• Even if they start out secret they are normally reverse engineered at some point.
• 1883 Auguste Kerckhoffs, "There is no secrecy in the algorithm, it's all the key".
Recognizing PlainText
• How do you know when it is plaintext?
– Normally it looks like plaintext, i.e. it's a readable message, or a data file for an application.
– Otherwise, it looks like gibberish or is unreadable by the applications.
Unicity distance
• measures the amount of ciphertext required such that there is only one reasonable plaintext.
– the number depends on both the characteristics of the plaintext and key length.
– If we encrypt a single ASCII letter.
• There are 26 possible plaintexts out of 256 possible decryptions. Any random key used to decrypt it has a 26/256 chance of producing a valid plaintext.
– But looking at it you won't know if it is the right plaintext or not.
• When an e-mail message is encrypted, eventually a plaintext emerges that looks correct, because we know there will be words, phrases, sentences and grammar. Odds are very small that it is not the correct plaintext.
Unicity distance (2)
• For English, the unicity distance is K/6.8 characters
– Where K is the key length
– 6.8 is a measure of the natural redundancy of English
• for DES-encrypted ASCII the unicity distance is 8.2 bytes, for 128-bit ciphers it is about 19 bytes.
– For an English message longer than 19 bytes, a decryption that looks like English is most likely the correct plaintext.
– we'll get back to key length later on.
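The effect described on the two unicity-distance slides can be watched on a toy cipher. This is an added example, not part of the lecture: the single-byte XOR cipher, the sample message, the key and the crude "lowercase letters and spaces only" plaintext test are all constructed for illustration.

```python
import string

LETTERS = frozenset(string.ascii_lowercase.encode())
LETTERS_AND_SPACE = LETTERS | {ord(" ")}

def xor_byte(data: bytes, key: int) -> bytes:
    """Toy cipher: XOR every byte with one key byte (256 possible keys)."""
    return bytes(b ^ key for b in data)

def plausible_keys(ciphertext: bytes, alphabet=LETTERS_AND_SPACE) -> list:
    """Keys whose trial decryption uses only characters from `alphabet`."""
    return [k for k in range(256)
            if all(b in alphabet for b in xor_byte(ciphertext, k))]

def survivors_by_length(ciphertext: bytes) -> list:
    """Number of plausible keys left after seeing 1, 2, ... ciphertext bytes."""
    return [len(plausible_keys(ciphertext[:n]))
            for n in range(1, len(ciphertext) + 1)]

SECRET_KEY = 0x5A                                       # constructed key
CIPHERTEXT = xor_byte(b"meet me at noon", SECRET_KEY)   # constructed message

if __name__ == "__main__":
    # One encrypted letter: 26 of the 256 keys give a letter, as on the slide.
    print(len(plausible_keys(CIPHERTEXT[:1], LETTERS)))
    # More ciphertext: the set of believable decryptions shrinks to one.
    print(survivors_by_length(CIPHERTEXT))
    print([xor_byte(CIPHERTEXT, k) for k in plausible_keys(CIPHERTEXT)])
```

The character-class test is far weaker than a reader's sense of English, so it needs a few more bytes than K/6.8 would suggest for an 8-bit key, but the count still collapses to the single correct key.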
Message Authentication Codes
• don't protect privacy, instead ensure authentication and integrity.
– use a shared secret key, like symmetric encryption.
– When Alice wants to send a message to Bob, she computes the MAC of the message (using the key) and appends it to the message, since every message has a unique MAC for each key
– Bob then computes the MAC again (same key) and compares it to the MAC in the message.
• If they match, it's from Alice and it is the original message.
Message Authentication Codes (2)
• While Eve can read the message, she can't change it, nor can she fake an e-mail from Alice to Bob.
– Assuming she doesn't have the key.
• Commonly used by banks, IP traffic.
– Can be used in databases, to ensure the data is correct as well.
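The append-and-recompute exchange from the two MAC slides, as an added example that is not part of the lecture. The slides do not name a MAC algorithm; HMAC-SHA256 from Python's standard library is used here as an assumption, and the key and messages are constructed.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def alice_send(key: bytes, message: bytes) -> bytes:
    """Alice appends the MAC to the readable message."""
    return message + mac(key, message)

def bob_receive(key: bytes, packet: bytes) -> bytes:
    """Bob recomputes the MAC with the same key and compares."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short to carry a MAC")
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading bytes of a guessed tag were right.
    if not hmac.compare_digest(tag, mac(key, message)):
        raise ValueError("MAC mismatch: altered, or not from a key holder")
    return message

def accepted(key: bytes, packet: bytes) -> bool:
    try:
        bob_receive(key, packet)
        return True
    except ValueError:
        return False

SHARED_KEY = bytes(range(32))   # constructed key shared by Alice and Bob
EVE_KEY = b"\x00" * 32          # constructed: Eve does not know SHARED_KEY

if __name__ == "__main__":
    packet = alice_send(SHARED_KEY, b"pay Bob 10 dollars")
    print(packet[:-TAG_LEN])                                  # still readable
    print(accepted(SHARED_KEY, packet))                       # True
    print(accepted(SHARED_KEY, packet.replace(b"10", b"99"))) # False: changed
    print(accepted(SHARED_KEY, alice_send(EVE_KEY, b"pay Eve 10 dollars")))
```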
One-Way hash functions
• Like digital fingerprints or digital signature.
– small pieces of data that can identify larger digital objects
• Called one-way, because you can't reproduce the object from the hash.
• Common ones: SHA-1, SHS, RIPEMD-160, MD4, MD5
• Common computer use:
– Downloading ISO images of Linux distros
• Get the ISO image (normally about 650MBs),
• get the md5sum from the distro's website (32 characters).
• run md5sum on the ISO to produce the md5sum
– If they match, it's correct. If not, delete it and download again.
Public-key Encryption
• The problem with MAC and symmetric encryption is the shared key.
• Public-key encryption or asymmetric encryption fixes this.
– There is no shared secret key.
• 1976: publicly explained by Diffie and Hellman
– British intelligence figured it out years before
• Ellis, Cocks, and Williamson
Basic idea
• Based on a mathematical function that is easy to compute in one direction, but hard to compute in the other
• Example:
– Given 2 numbers, it is easy to multiply them together
– Given a single product, it is difficult to find the correct two factors.
Public-key Encryption (2)
• Instead of a single key, there are two keys
– a public key and private key
• public key is the encryption key, private is the decryption key
• 1 key can't be used to compute the other key.
– So now Bob can publish his public key and Alice can send him a message.
• Or anyone else who can find his public key
Public-Key (Asymmetric) Encryption
1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE
2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION
3. SITE USES ITS PRIVATE KEY FOR DECRYPTION
4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW
SOURCE: STEIN, WEB SECURITY
Public-Key Encryption
• Alice wants to send Bob a secure message M.
• Alice uses Bob’s public key to encrypt M.
• Bob uses his private key to decrypt M.
• Bob is the ONLY ONE who can do this, so M is secure.
[Figure: Alice’s cleartext → Alice encrypts with Bob’s public key → Alice’s coded text → transmission → Alice’s coded text → Bob decrypts with his private key → Alice’s cleartext]
Alice and Bob.
• Alice, Bob, and Eve have a long and sordid tale in this field.
• If you are interested:
– http://en.wikipedia.org/wiki/Alice_and_Bob
– http://downlode.org/Etext/alicebob.html
– http://xkcd.com/177/
Common use
• The method described is not actually how it is done.
– Instead they use a hybrid method
– Alice uses a symmetric algorithm to encrypt the message with a random key (session key). She then encrypts the session key with Bob's public key and sends both to Bob.
– Bob decrypts the session key and then uses that key to decrypt the message.
– It's faster!
Problems
• Anyone could have sent the message.
– Bob's key is public after all
• Was it really Alice?
• How does Alice find Bob's key?
– His current key
– And is it really Bob's key?
• Could be an impostor, say Eve.
– We'll get back to this later on
Digital Signatures
• Like MAC, but using public keys.
• We reverse the use of the keys.
• The private key is used to encrypt the message and the public key decrypts the message
– Now we know it can only be from that person.
– This has some problems.
• Anyone can read it.
Digital Signatures
• Alice wants to send Bob a message M so that Bob is sure Alice is the sender.
• Alice uses her own private key to encrypt M.
• Bob uses Alice’s public key to decrypt M.
• Alice is the ONLY ONE who could have sent it.
[Figure: Alice’s cleartext → Alice encrypts with her private key → Alice’s coded text → transmission → Alice’s coded text → Bob decrypts with Alice’s public key → Alice’s cleartext]
Digital Signatures (2)
• So instead, a message key is used
– A message key is the hash of the message.
– The hash is encrypted with the private key
– The ciphertext hash is appended to the end of the message. Like MAC.
– Again faster and simpler.
• Also you don't have to decrypt the message to read it, just to make sure the message is authentic.
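The hash-then-sign scheme from this slide, as an added example that is not part of the lecture. It assumes textbook RSA with SHA-256 as the hash; the two primes are well-known Mersenne primes chosen so the block is self-contained, and the modulus is far too small and the scheme unpadded, so it illustrates the mechanism only.

```python
import hashlib

# Toy key pair (constructed). Real RSA keys use large random primes and
# a padding scheme; neither is done here.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                   # public modulus
E = 65537                                   # Alice's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # Alice's private exponent

def message_key(message: bytes) -> int:
    """The slide's 'message key': the hash of the message, as a number < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Alice transforms the hash with her private key."""
    return pow(message_key(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Bob undoes the transform with Alice's public key and re-hashes."""
    return pow(signature, E, N) == message_key(message)

def alice_send(message: bytes):
    """The message travels in the clear with the signature appended."""
    return message, sign(message)

if __name__ == "__main__":
    message, signature = alice_send(b"meet me at noon")
    print(message)                                  # readable without any key
    print(verify(message, signature))               # True
    print(verify(b"meet me at nine", signature))    # False: text was changed
    print(verify(message, signature + 1))           # False: signature changed
```

Only the short hash goes through the slow public-key operation, which is the speed gain the slide refers to.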
Secure Authenticated Messages
• Alice must send Bob a secret & authenticated message M so Bob is sure it was sent by Alice. Use both encryption and signature.
[Figure: Alice’s cleartext → Alice encrypts with her private key → Alice’s coded text (authenticated) → Alice encrypts with Bob’s public key → Alice’s coded and signed text → transmit → Alice’s coded and signed text → Bob decrypts with his private key → Alice’s coded text (authenticated) → Bob decrypts with Alice’s public key → Alice’s clear text (decrypted and authenticated). 4 keys needed: Bob’s public, Alice’s public, Bob’s private, Alice’s private]
Why any of these algorithms can fail
• Random numbers
• Key Length
Random Numbers
• The generation of random numbers is too important to be left to chance.
– Robert R. Coveyou
• Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin.
– John Von Neumann
• In other words, getting random numbers from a deterministic computer is impossible!
Random Numbers (2)
• Instead we get numbers that are hopefully unpredictable and irreproducible.
– Otherwise, the encryption is pointless.
• Methods used to create "random numbers"
– noisy diodes in hardware, Geiger counters, radio-noise receivers, air turbulence in disk drives, "random" arrival time of successive network packets, and time.
• One system on the internet used a digital camera directed at a set of lava lamps.
– random movements of the mouse, typing, even gargling into a microphone
Random Numbers (3)
• Whatever it is, it needs to be "unpredictable"; otherwise, it is repeatable.
• Random number generators use these inputs directly or as seeds for mathematical random number generators.
– Other places in COSC, the seed value is a way to get the same set of random numbers for test sets.
Key Length
• Big… BIG debates over key length and what that means!
• First the actual key length
– for a brute-force attack, if a key is n bits long then there are 2^n possible keys. For a 40-bit key, there are about a trillion possible keys
• So on average the computer needs to try about half of the trillion keys. (less than 18 minutes on average)
Brute-forcing keys
• In '98 a machine called DES Deep Crack tried 90 billion keys per second
– average 4.5 days for a 56-bit DES key
• All brute force scales linearly; twice the number of computers can try twice the keys, etc…
• but add 1 bit and it takes twice as long; 2 bits, 4 times as long; 10 bits is about a thousand times.
• Triple-DES has a 112-bit key (2^112 could take a million years), over a thousand times longer for a 128-bit key
• But experts are recommending 1,024-bit keys or longer
– Why?????? And does it actually work?
Key length and entropy
• Entropy in cryptography is a measure of uncertainty.
– The more uncertain something is the more entropy, which is a good thing for cryptography
• Example:
– A random person from the general public is either male or female, 1 bit of uncertainty.
• I.e., I have a max of 2 guesses. But on average how many guesses will I make?
• The same question for this class? Still a max of two guesses, but the answer is much more certain, so what is the entropy for this course?
Key length and entropy
• The same is true for key lengths.
– just because it is 128 bits doesn't mean there are 128 bits of entropy
• I.e., I don't have to try 2^128 keys, probably far fewer.
– Key length assumes all possible keys are equally likely.
• Will a random number generator produce all possible keys or are certain groups of keys more likely?
Key length, entropy, and pass-phrases
• Many keys are generated from passwords or pass-phrases.
– 10-character ASCII passwords might require 80 bits to represent, but have far less than 80 bits of entropy.
• High-order ASCII bits won't appear and passwords are normally close to real words, instead of random character strings
• Some entropy estimates are 4-bits of entropy per character for a password
[Figure: ASCII table]
Key length, entropy, and pass-phrases (2)
• 8-character passwords are about the same as a 32-bit key.
– If you want a 128-bit key, you are going to need a 98-character English pass-phrase.
– This causes much of cryptography to fall apart.
• Think about using a Windows password for a 128-bit encryption scheme.
• Even PGP fails on its face if you choose short or bad pass-phrases.
– This is also what causes many cryptography algorithms to be abandoned: too easy to brute force the keys.
Examples
• Netscape 1.1 SSL failed because, while the algorithm used 128-bit keys, the random number generator only had 20 bits of entropy
– I.e. it was broken in the same time as a 20-bit key
• European GSM cell phones used the A5/1 algorithm with a 64-bit key.
– A flaw in the algorithm allowed the key to be broken in the time it takes to brute-force a 30-bit key.
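The gap between key length and entropy from the preceding slides, measured on a constructed generator. This is an added example, not part of the lecture: `weak_keygen` is a hypothetical stand-in for a poorly seeded generator (not Netscape's code), the 90/10 split is a constructed stand-in for "this class", and the seed is 16 bits rather than the slide's 20 so the run stays short.

```python
import hashlib
import math
import secrets

def shannon_entropy(probabilities) -> float:
    """Uncertainty in bits of a guess with the given outcome probabilities."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)

def weak_keygen(seed: int) -> bytes:
    """128-bit key that is a pure function of a small seed (hypothetical)."""
    return hashlib.sha256(b"keygen" + seed.to_bytes(4, "big")).digest()[:16]

def key_entropy_bits(seed_bits: int) -> float:
    """Entropy of the generator's output when every seed is equally likely."""
    distinct = {weak_keygen(seed) for seed in range(2 ** seed_bits)}
    return math.log2(len(distinct))

def guesses_needed(key: bytes, seed_bits: int):
    """Walk the seed space; return the guess count that hits `key`, else None."""
    for count, seed in enumerate(range(2 ** seed_bits), start=1):
        if weak_keygen(seed) == key:
            return count
    return None

SEED_BITS = 16  # constructed; the Netscape case on the slide is 20

if __name__ == "__main__":
    print(shannon_entropy([0.5, 0.5]))             # general public: 1 bit
    print(round(shannon_entropy([0.9, 0.1]), 3))   # lopsided group: under 1 bit
    key = weak_keygen(40_000)
    print(len(key) * 8, "bit key,", key_entropy_bits(SEED_BITS), "bits of entropy")
    print(guesses_needed(key, SEED_BITS))          # found in at most 2**16 guesses
    # A key from the operating system's CSPRNG is not in the small seed space.
    print(guesses_needed(secrets.token_bytes(16), SEED_BITS))
```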
References
• Computer Security, Dieter Gollmann, Wiley, 2003
• Secrets & Lies: Digital Security in a Networked World, Bruce Schneier, Wiley, 2004
• Practical Cryptography, Ferguson & Schneier, Wiley, 2003
Next time
• Putting these "primitives" together to form protocols for applications.
Q&A