Software Infrastructure for Electronic Commerce All About Cryptography Professor Fred B. Schneider Dept. of Computer Science Cornell University

Post on 20-Dec-2015


2

Goals

Learn what problems can (and cannot) be addressed using cryptography.

Become convinced that:
– Designing a decent cryptosystem is extremely difficult.
– Using cryptography requires building a substantial (but easily overlooked) infrastructure.

3

Encryption and Decryption

[Diagram: plaintext "This is…" → Encrypt (using encryption key) → ciphertext "aSxxyw" → Decrypt (using decryption key) → plaintext "This is…"]

4

Encryption and Decryption:

Terminology

plaintext: input to encryption algorithm.
ciphertext: output of encryption algorithm.

shared key (symmetric key) cryptography:
– Encryption key and decryption key are the same.
– Encrypt & Decrypt functions often the same.

public key (asymmetric key) cryptography:
– Encryption key and decryption key are different.
– Encrypt & Decrypt functions are different.

5

Uses for Cryptography

Secrecy: Obscure the contents of messages or stored data from eavesdroppers.

Integrity: Detect any alteration performed after message or stored data is generated.

Authentication: Verify the identity of the source of a message or stored data. (Authentication of messages is useful in making authorization decisions.)

Non-repudiation: Establish for a third party the source and contents of a message or stored data.

6

What Encryption Does

Confusion: Unable to predict how changing the plaintext alters the ciphertext.

Diffusion: Local change to plaintext alters much of the ciphertext.


Mechanisms: substitution and transposition.

Final Result:
computational secrecy: Depends on resource limits. Bigger keys better.
perfect secrecy: Will never be broken.

7

Secret Key Encryption Algorithms

DES (Data Encryption Standard)
64 bits in/out, 56 bits key.
Computationally (in)secure. $1M tries all DES keys in 7 hrs using 1993 hardware cracking machine.

Triple-DES

AES (Advanced Encryption Standard) “Rijndael”
Variable block length & variable key length (128, 192, 256)

IDEA (International Data Encryption Algorithm)
64 bits in/out, 128 bit key.
Computationally secure: at 1 billion key-tries/sec/processor, system of a billion processors requires 10^13 years to try every possible key (1000x longer than age of the universe).

8

Secret Key Encryption:

Implementing Secrecy

Notation:
– E(m,K)      Encrypt m using key K
– D(x,K)      Decrypt x using key K
– A→B: msg    A sends msg to B

Protocol:
1. A→B: E(m, K_AB)              A encrypts m using a key shared with B
2. B: D( E(m, K_AB), K_AB)      B decrypts message it received.

9

Secret Key Encryption:

Implementing Authentication

A→B: I’m A
B: Generate random r_B
B→A: r_B
A→B: E(r_B, K_AB)
B: D(E(r_B, K_AB), K_AB) = r_B?
A: Generate random r_A
A→B: r_A
B→A: E(r_A, K_AB)
A: D(E(r_A, K_AB), K_AB) = r_A?

10

Secret Key Encryption:

Implementing Authentication

A→B: I’m A                           A starts protocol
B: Generate random r_B               B generates challenge
B→A: r_B
A→B: E(r_B, K_AB)                    A responds to B’s challenge
B: D(E(r_B, K_AB), K_AB) = r_B?      B checks A’s response. Only A would know K_AB
A: Generate random r_A               A generates challenge
A→B: r_A
B→A: E(r_A, K_AB)                    B responds to A’s challenge
A: D(E(r_A, K_AB), K_AB) = r_A?      A checks B’s response. Only B would know K_AB
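
The mutual challenge-response exchange on the two slides above, as an added Python example (not code from the slides). It swaps the slides' encrypt-then-decrypt check for an HMAC-SHA256 over the challenge, because the Python standard library has no block cipher; the Principal class, its method names and the responder-name binding are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def respond(key, responder, challenge):
    """Stand-in for E(r, K_AB): MAC the challenge under the shared key.

    Binding the responder's name into the MAC is an addition to the slides'
    protocol; it keeps a response made for one direction from verifying
    in the other direction.
    """
    data = responder.encode() + b"|" + challenge
    return hmac.new(key, data, hashlib.sha256).digest()

class Principal:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.pending = {}                    # peer name -> challenge not yet answered

    def challenge(self, peer):
        self.pending[peer] = secrets.token_bytes(16)   # fresh, unpredictable r
        return self.pending[peer]

    def answer(self, challenge):
        return respond(self.key, self.name, challenge)

    def verify(self, peer, response):
        r = self.pending.pop(peer, None)     # single use: a replayed response fails
        if r is None:
            return False
        expected = respond(self.key, peer, r)
        return hmac.compare_digest(expected, response)   # constant-time compare

def mutual_auth(a, b):
    """The slides' exchange: B challenges A, then A challenges B."""
    r_b = b.challenge(a.name)                # B->A: r_B
    if not b.verify(a.name, a.answer(r_b)):  # A->B: response, checked by B
        return False
    r_a = a.challenge(b.name)                # A->B: r_A
    return a.verify(b.name, b.answer(r_a))   # B->A: response, checked by A

# Constructed sample keys; in the slides' terms K_AB is the key A and B share.
K_AB = secrets.token_bytes(32)
alice, bob = Principal("A", K_AB), Principal("B", K_AB)
impostor = Principal("A", secrets.token_bytes(32))   # claims to be A, lacks K_AB
```

mutual_auth(alice, bob) succeeds, while the impostor fails at B's first check because it cannot produce the response for r_B.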

11

Secret Key Encryption:

Key Management Problem

Problem: N principals: N^2 keys (2^N keys for groups)

Solution: Key Distribution Center (KDC)
– Every principal shares a key with KDC. (N keys needed for this)
– KDC is trusted host:
  • Generates keys only as needed.
  • Communicates those keys to parties.

Kerberos is an example. Mostly used for authentication / authorization in distributed systems (and not for secrecy).

12

Public Key Cryptography

Must you already share a secret to share another?

Step                                       key needed
A: Secret in chest; Secure with Lock_A     A
A→B: Chest with Lock_A                     A
B→A: Chest with Lock_A and Lock_B          A, B
A: Remove Lock_A                           B
A→B: Chest with Lock_B                     B
B: Remove Lock_B. Remove secret            __

Key is a secret in chest. Lock is 1-way trap-door function.
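
The chest-and-two-locks exchange above, as an added example that is not from the slides: it instantiates the locks as modular exponentiation with private exponents (Shamir's three-pass protocol), which is one commutative choice of lock. The prime P, the function names and the sample secret are assumptions of this example, and P is sized for illustration only.

```python
import secrets
from math import gcd

# Illustration-only modulus: the Mersenne prime 2^521 - 1. The slides name no
# group or parameters, so this choice is an assumption of the example.
P = 2**521 - 1

def make_lock():
    """Return (lock, unlock) exponents with lock * unlock = 1 (mod P - 1)."""
    while True:
        e = secrets.randbelow(P - 3) + 2       # 2 <= e <= P - 2
        if gcd(e, P - 1) == 1:                 # invertible, so the lock can come off
            return e, pow(e, -1, P - 1)

def turn(exponent, chest):
    """Put a lock on, or take one off, by modular exponentiation."""
    return pow(chest, exponent, P)

def three_pass(secret):
    """Run the slide's exchange; return the wire messages and what B recovers."""
    if not 0 < secret < P:
        raise ValueError("secret must be an integer in 1..P-1")
    lock_a, unlock_a = make_lock()             # known only to A
    lock_b, unlock_b = make_lock()             # known only to B
    msg1 = turn(lock_a, secret)                # A->B: chest with Lock_A
    msg2 = turn(lock_b, msg1)                  # B->A: chest with Lock_A and Lock_B
    msg3 = turn(unlock_a, msg2)                # A->B: chest with Lock_B only
    recovered = turn(unlock_b, msg3)           # B: remove Lock_B, take the secret
    return {"wire": [msg1, msg2, msg3], "recovered": recovered}

# Constructed sample secret (for instance a session key encoded as an integer).
SECRET = int.from_bytes(b"constructed session key", "big")
```

The lock has to commute, and the three wire messages taken together must not reveal the secret, which rules out XOR as the lock. The exchange also does nothing to tell A whose Lock_B came back, so it does not replace authentication.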

13

Public Key Cryptography:

Encryption and Decryption

Notation:
K_A: public key for A (upper case K)
k_A: private key for A (lower case k)
For key pair K,k:
E(m,K): encrypt m with public key K
D(x, k): decrypt x with private key k

Properties:
D( E(m,K), k) = m
E( D(m,k), K) = m (Optional)

E and D are expensive on long messages.

14

Public Key Cryptography:

Encryption Algorithms

RSA (Rivest-Shamir-Adleman): Based on factoring large numbers and computing logarithms in finite fields. Patent rights expire in 2000.

Elliptic Curve Cryptography: The “new, new thing”; not everyone believes this is secure.

15

Public Key Cryptography:

Digital signatures

[Diagram: a signed message and its check]

msg:        Buy 100 QCOM for $132. -FBS
signature:  D( h( msg ), k_FBS)

… to check signature validity:
h( msg ) =? E( signature, K_FBS)

{msg}_FBS denotes message msg signed by k_FBS

16

Public Key Cryptography:

Properties of Cryptographic Hash

hash function: Encryption without keys!
Variable length input → Fixed length output (100-1000 bits).

Infeasible to
– determine input from output.
– find an input that has a particular (desired) output.
– find 2 inputs that have the same output.

Changing one bit (or more) in input leads to completely different output.

Examples of hash functions: MD5, SHA

17

Public Key Cryptography:

Certificates

Problem: How do principals learn others’ public keys?

Solution: Employ a certification authority (CA):
– Trusted server that generates certificates { Fred, K_Fred }_Verasign when presented with evidence of principal’s identity.
– All hosts pre-configured with K_Verasign.
– CA need not be on-line.
– Certificates can be stored anyplace and forwarded anywhere as needed.

18

Public Key Cryptography:

Revocation of Certificates

Problem: Compromise of a private key.

Solutions:
– Associate expiration dates with certificates.
  Risk: Period from compromise to expiration.
– Periodically issue certificate revocation list (CRL).
  Risk: Denial of service to delay CRL arrival.
– Support re-validation of certificates use.

19

Public Key Cryptography:

Multiple Certification Authorities

Problem: Having a single CA is unrealistic!
– Nothing is trusted by everyone!
– Performance must scale.

Solution: Multiple CA’s. To find K_A, find:
– If have K_CA then find a certificate {A, K_A}_CA
– Else find K_CA1 for first link in chain:
  {CA2, K_CA2}_CA1 {CA3, K_CA3}_CA2 … {CA7, K_CA7}_CA6 {A, K_A}_CA7

Each certificate may be managed by a different CA.
What’s in a name? That’s the real problem…
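
The signature check from the Digital signatures slide and the chain walk from the Multiple Certification Authorities slide, as one added example (not code from the slides): sign computes D(h(msg), k), verify tests h(msg) against E(signature, K), and resolve follows a chain of certificates from a pre-configured CA key. It uses unpadded textbook RSA over small Mersenne primes purely as a stand-in; the key sizes, function names and certificate encoding are assumptions.

```python
import hashlib

E = 65537                                   # public exponent for every toy key

def keypair(p, q):
    """Textbook RSA from two known primes: returns (public K, private k)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def h(msg, n):
    """SHA-256 reduced mod n (no padding scheme: illustration only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, k):                           # signature = D(h(msg), k)
    n, d = k
    return pow(h(msg, n), d, n)

def verify(msg, sig, K):                    # h(msg) =? E(signature, K)
    n, e = K
    return pow(sig, e, n) == h(msg, n)

def binding(subject, K):
    """The bytes a CA signs: a principal's name tied to its public key."""
    return f"{subject}|{K[0]}|{K[1]}".encode()

def certify(subject, subject_K, issuer_k):
    """{subject, K_subject}_issuer in the slides' notation."""
    return {"subject": subject, "key": subject_K,
            "sig": sign(binding(subject, subject_K), issuer_k)}

def resolve(chain, trusted_K, wanted):
    """Walk the chain from a pre-configured CA key; return K_wanted or None."""
    K = trusted_K
    for cert in chain:
        if not verify(binding(cert["subject"], cert["key"]), cert["sig"], K):
            return None                     # broken link: trust nothing after it
        K = cert["key"]                     # this key vouches for the next link
    return K if chain and chain[-1]["subject"] == wanted else None

# Constructed toy keys from small Mersenne primes, far too small for real use.
K_CA1, k_CA1 = keypair(2**61 - 1, 2**89 - 1)
K_CA2, k_CA2 = keypair(2**107 - 1, 2**127 - 1)
K_A, k_A = keypair(2**31 - 1, 2**61 - 1)
CHAIN = [certify("CA2", K_CA2, k_CA1), certify("A", K_A, k_CA2)]
ORDER = b"Buy 100 QCOM for $132. -FBS"      # the slides' sample message
```

resolve accepts whatever name the last certificate carries once the signatures check out, so the result is only as good as each CA's identity check.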

20

Public Key Cryptography:

Web of Trust

Problem: Having a single CA is unrealistic! Nothing is trusted by everyone! Performance must scale.

Solution: Have principals endorse certificates.
If receive enough endorsements from principals that you trust, then you decide binding is correct.

Revocation is difficult to manage.
Introduced in PGP mail system.

21

Public Key Cryptography:

Public Key Infrastructure

Creation of certificates.
Dissemination of certificates.
Revocation of certificates.

Key escrow.
– Allow recovery of data encrypted by an old key.
Data archives with old keys.

22

Misuse of Cryptography

Software-implemented content protection is a flawed idea.

Example: DVD encryption:
– DVD encrypted using CSS (content scrambling system) 40 bit key. Weak key!
– Every DVD player comes with several “unlock” keys.
– Every DVD stores 400 copies of content decryption key; each copy is encrypted with a different “unlock” key.
– Content decryption key must appear in the clear.
– With secure hardware, scheme would work…

11/1/99: DVD’s effectively no longer have their content protected. But copyright law still applies.

23

Misplaced Trust

Trust a certificate? Better trust the issuing CA!
– Anyone can assign a name.
– Anyone can assume a name.

Is your signing key secure?
– Virus and malicious code attacks
– (Guessable) password protected?