Computer security Lecture 7 - Cryptography as security tool

Transcription

Computer security Lecture 7
Cryptography as security tool
“Cryptography” is a Greek word that means
“hidden writing”
Used to hide message from someone, and sometimes prevent
them from creating a new message
Key
Alice
Key
Encrypt
Decrypt
Eve
Bob
“Cryptography” is a Greek word that means
“hidden writing”
Used to hide message from someone, and sometimes prevent
them from creating a new message
Key
Alice
Key
Verify
Create MAC
Eve
Bob
Cryptography is today used in other settings
too
There are situations where participants don’t really trust each
other, but a third party
Customer
Merchant
Bank
Cryptography is today used in other settings
too
There are situations where the authorities want access to the
communication channel
Alice
Bob
Law enforcement
Cryptography
I
A security tool, not a general solution
I
Cryptography usually converts a communication security
problem into a key management problem
I
So now you must take care of the key security problem,
which becomes a problem of computer security
Images of cryptographic tasks
Hide information securely,
opens with identical keys
(symmetric key cryptography)
Everyone can hide information,
opens with private key
(asymmetric key cryptography)
Make something visible,
but hinder changes
(signatures)
Enable simple checking of data
(hash functions)
Terminology
I
The plaintext is the information in its normal form
I
The ciphertext or cryptogram is the transformed plaintext
I
The secret parameter for the encryption (known only to the
sender and intended recipients) is called the key
I
The key decides how the transformation is done
Kerckhoff’s principle
I
A cryptosystem should be secure even if everything about
the system, except the key, is public knowledge.
Classical crypto example: Caesar cipher
I
Exchange every plaintext letter into the letter x positions
further on in the alphabet
I
The key is the letter that A is transformed into
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
Hello world
Jgnnq yqtnf
I
I
Hello world
Jgnnq yqtnf
I
I
Hello world
Jgnnq yqtnf
I
I
Hello world
Jgnnq yqtnf
Alternative description of Caesar cipher
I
Replace every plaintext letter with its (zero-offset) position
in the alphabet (“A”=0, “B”=1, etc., up to the number of
letters n)
I
Express the key as an integer k using the same system
I
If the plaintext as an integer is m, the cryptogram as an
integer c = m + k modulo n
I
The cryptogram letter is then the letter corresponding to
the number c
I
The plaintext “H” gives m = 7, and k = 2 results in
c = 7 + 2 (mod 26), so cryptogram is “J”
Breaking Caesar, example
I
I
Cryptogram: Icnnkc qopkc fkxkuc guv kp rctvgu swcgtwo
wpco kpeqnwpv Dgnikcg. . .
Try each key, stop trying for each key when the plaintext
becomes impossible
A B C D E F G H I J
I H G F E D C B A Z
c b a z y x w v u t
n
l k j
h g f e
n
l
j
f e
k
i
g
c b
a
u t
o
i h
m
g f
n
h
i
c
a
d
i
v
i
K
Y
s
d
d
L
X
r
c
M N O P Q R S T U
W V U T S R Q P O
q p o n m l k j i
b
z y x
u t
z y
u t
w v
r q
o n
j i
c
x w
a
v u
b
v
w
q
o
r
w
j
w
V
N
h
s
W X Y Z
M L K J
g f e d
r
p o
r
p o
o
m l
g
e d
u
s r
s
q p
t
r
o
m
Breaking Caesar, example
I
I
Cryptogram: Icnnkc qopkc fkxkuc guv kp rctvgu swcgtwo
wpco kpeqnwpv Dgnikcg. . .
Try each key, stop trying for each key when the plaintext
becomes impossible
A B C D E F G H I J K L M N O P Q R S
I H G F E D C B A Z Y X W V U T S R Q
c b a z y x w v u t s r q p o n m l k
n
l k j
h g f e d c b
z y x
n
l
j
f e d
z y
k
i
g
c b
w v
Only remaining
a
u t possible key:
o n C
o
i h
c
Plaintext:g fGallia estaomnis
m
divisa in
n
h partes tres,
b quarum
incoluntc Belgae, ...w
i
a
o
d
r
i
w
v
j
i
w
T U V
P O N
j i h
u t s
u t
r q
j i
x w
v u
unam
v
q
W X Y Z
M L K J
g f e d
r
p o
r
p o
o
m l
g
e d
u
s r
s
q p
t
r
o
m
Simple substitution
I
Create a table of plaintext characters and their
corresponding crypto characters
I
Crypto characters can be just ordinary letters, but also
anything else
I
Each crypto character must occur only once in the table to
enable unique decryption
G Z E J D Y I T Q A U M B W R F C X H N S L O K P V
Breaking simple substitution
I
Every crypto letter will occur exactly as often as its
plaintext counterpart occurs in plaintext.
I
Every combination of crypto letters (digrams, trigrams etc.)
will occur as often as the corresponding plaintext
combinations.
I
Count how often letters, bigrams and trigrams occur in the
cryptogram, and try to identify the ones corresponding to
common plaintext letters and common letter combinations.
I
Fill in so that remaining gaps form words.
The letter distribution of English is uneven
1
26
A B C D E F G H I J K L M N O P Q R S T UV W XY Z
I
An even distribution would look like the above
1
26
A B C D E F G H I J K L M N O P Q R S T UV W XY Z
I
I
But the single letter distribution of English is uneven
1
26
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Å Ä Ö
I
I
But the single letter distribution of Swedish is uneven
Cryptanalysis
The goal of cryptanalysis can be
I
reveal the key
I
decrypt (part of) cryptograms without the key
I
encrypt (part of) plaintexts without the key
In order to break a cipher you could
I
Try all possible keys (brute force, exhaustive search)
I
Use plaintext alphabet statistics
I
Use both single letter statistics, and digram, trigram, and
word statistics
I
Do calculations adjusted to the algorithm
Algorithm strength
I
This is measured in the amount of work needed to break
the cipher
I
The comparison is with brute force
I
For Caesar crypto, you need to check 26 keys, or just under
25 values
I
For simple substitution you need to check 26! keys
(≈ 4 × 1026 ), or just over 288 values
I
But with letter statistics this drops quickly
Key size
I
There are 31536000 seconds in a year ≈ 225
I
If you can try one key every microsecond, you can find a 45
bit key in around one year (106 ≈ 220 )
I
If you have 1000 such processors, you can find a 55 bit key
in around one year
I
With 1000 processors that try one key every nanosecond,
the expected time to find a 128 bit key is more than 1018
years
Key length
Table 7.4: Security levels (symmetric equivalent)
Security
(bits)
32
64
72
80
96
Protection
Comment
Real-time, individuals
Very short-term, small org
Short-term, medium org
Medium-term, small org
Very short-term, agencies
Long-term, small org
Only auth. tag size
Not for confidentiality in new systems
Legacy standard level
112
Medium-term protection
128
Long-term protection
256
”Foreseeable future”
Smallest general-purpose
< 4 years protection
(E.g., use of 2-key 3DES,
< 240 plaintext/ciphertexts)
2-key 3DES restricted to 106 plaintext/ciphertexts,
≈ 10 years protection
(E.g., 3-key 3DES)
Good, generic application-indep.
Recommendation, ≈ 30 years
Good protection against quantum computers unless Shor’s algorithm applies.
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”
Strength of algorithms
I
There is one perfectly secure algorithm: the One Time Pad,
which needs a (random secret shared) key as long as the
message
I
Modern ciphers are immune to simple attacks
I
Algorithm weakness is almost never a problem with
approved algorithms today
I
Badly chosen keys, bad key management, and bad
implementations are the current problems
Algorithm types
There are three basic algorithm types
I
Stream ciphers, very fast and suited for confidentiality, not
data integrity
I
Block ciphers, can be symmetric key which are fast, and
asymmetric that are slower, both suited for confidentiality
and integrity (with some precautions)
I
One way functions, fast, only for data integrity
The perfect stream cipher: the One-time-pad
I
Useful for sending secret data without preserved data
integrity
I
Use a long random bitsequence as key
I
Add this to the plaintext to form the cryptogram
ki
mi
+
ci
A practical stream cipher
I
Useful for sending secret data without preserved data
integrity
I
Use a long pseudo-random bitsequence as key, generated
from a short seed (key) k and initial state s0
I
Add this to the plaintext to form the cryptogram
Sequence
generator
State: si
k
ki
mi
+
ci
Proper randomness, and sharing it
I
Generate a pseudorandom “key stream” from a seed, a
“real key” much shorter than the full “key stream” added
to the message
I
Make the set of possible seeds, the real keys, so large that
exhaustive search is impossible
I
Eliminate shortcuts to finding this key from the “key
stream”
Stream ciphers and message integrity
I
Imagine you are able to intercept the bank transfer that
puts your salary into your bank account, and that it is
encrypted with a stream cipher, and not authenticated
I
You know what your salary is, and in what position it is on
the bank transfer:
... CR LF SPC SPC SPC SPC SPC SPC 3 0 0 0 0 CR LF ...
... 13 10 32 32 32 32 32 32 51 48 48 48 48 13 10 ...
I
I
the bank transfer:
... 13 10 32 32 32 32 32 32 51 48 48 48 48 13 10 ...
I
You intercept the ciphertext
... 74 112 4 19 235 156 99 113 125 19 1 192 191 25 212 ...
I
I
the bank transfer:
... 13 10 32 32 32 32 32 32 51 48 48 48 48 13 10 ...
I
... 74 112 4 19 235 156 99 113 125 19 1 192 191 25 212 ...
I
The 19 in the ciphertext is at the same position as the first
48 in the cleartext
I
I
the bank transfer:
... 13 10 32 32 32 32 32 32 51 51 48 48 48 13 10 ...
I
... 74 112 4 19 235 156 99 113 125 16 1 192 191 25 212 ...
I
Changing 19 to 16 in the ciphertext changes the first 48 to
51 in the received cleartext. Noone will notice :)
Block ciphers
I
Messages are treated in blocks of characters with fixed
block size
I
The key remains fixed for at least one session
mi
Block
encryption
Key
ci
Data Encryption Standard
Input
IP
L0
R0
k1
Round 1
+
f
k2
Round 2
+
f
..
.
(14 more rounds)
L16
R16
IP−1
Output
DES Substitution boxes
Ri
f
32 bits
Expander
48 bits
+
ki
6 bits
S1
S2
S3
S4
S5
4 bits
Permutation
32 bits
f (Ri , ki )
S6
S7
S8
DES key schedule
Key
56 bits
Key-permutation
C0
D0
Rotation
Rotation
C1
D1
Each key bit is used in
(close to) 14 of 16 rounds
Choice
k1
48 bits
Rotation
Rotation
..
.
..
.
DES chip
DES chip analysis
I
I
I
One problem in particular is RÖS
Used key leaking out as electromagnetic radiation
or as in Laboration 2, as variations in power consumption
Key length
Security
(bits)
32
64
72
80
96
Protection
Comment
Only auth. tag size
112
128
256
(E.g., 3-key 3DES)
Block ciphers
I
Messages are treated in blocks of characters with fixed
block size
I
The key remains fixed for at least one session
I
Direct use (“Electronic Code Book”) makes repeated
plaintext blocks produce repeated cipher blocks
I
Don’t use ECB
mi
Block
encryption
Key
ci
Block cipher in Cipher Block Chaining mode
I
Most common mode to preserve data integrity
I
One whole block at a time
I
Feedback of previous cipher block
I
Propagates transmission errors (one bit transmission error
destroys one whole block plus one more bit)
ci−1
c0 = IV
mi
+
Block
encryption
Key
ci
Symmetric key cryptography
In symmetric key systems, the encryption key is the same as the
decryption key
Key
Alice
Key
Encrypt
Decrypt
Eve
Bob
Asymmetric key cryptography
In asymmetric key systems, the encryption key and the
decryption key are different
Encryption
Key
Alice
Decryption
Key
Encrypt
Decrypt
Eve
Bob
Public key cryptography
The encryption key can be public, so that anyone can send
secret messages to Bob
Public
Encryption
Key
Anyone
Secret
Decryption
Key
Encrypt
Decrypt
Eve
Bob
Public key cryptography
Public
Encryption
Key
Anyone
Secret
Decryption
Key
Encrypt
Decrypt
Bob
Eve
I
Each user has a pair of keys, one public encryption key e,
one secret decryption key d
I
It is computationally hard to calculate d from e
I
This is achieved by basing the algorithm on a difficult
problem from number theory
Public key example: RSA
I
Choose two very large primes p and q, and publish n = pq
I
Choose a public encryption key e (gcd(e, (p − 1)(q − 1)) = 1)
I
Calculate the secret decryption key d = e −1 mod (p − 1)(q − 1)
I
Encrypt with c = me mod n
I
Decrypt with c d = med = m1 = m mod n
e, n
Anyone
d, n
m
Encrypt
c
Decrypt
Eve
m
Bob
Key length
MACs and digital signatures
I
A Message Authentication Code is a “seal of autenticity”
created in a symmetric key system
I
If the same MAC can be created at the verifier, then the
message hasn’t changed in transit
I
Everyone that can check the MAC can create the MAC
Key
Alice
Key
m
m,MAC
Create MAC
Eve
Verify
m?
Bob
Secret key
Alice
Public key
m
Sign
m, s
Verify
m?
Anyone
Eve
I
A Digital Signature is a “seal of autenticity” created in an
asymmetric key system
I
If the Digital Signature can be verified at the verifier, then
the message hasn’t changed in transit
I
Here, only Alice can sign
e, n
d, n
Alice
m
Sign
m, s
Verify
m?
Anyone
Eve
I
In RSA, the secret “decryption” key now is the secret
signing key, while the public “encryption” key now is the
public verification key
I
The same pair e, d should not be used both for
confidentiality and integrity
One-way hash functions
I
Large messages take time to MAC or sign
I
A hash function creates an output that is much smaller
than the message (or file)
I
For any hash function, it should be easy to calculate h(x)
from x
I
Then, it is easy to create MACs or digital signatures for
h(x)
I
A one-way function is one where it is easy to calculate
y = f (x), but computationally hard to calculate x = f −1 (y )
One-way hash functions
I
A one-way function is one where it is easy to calculate
y = f (x), but computationally hard to calculate x = f −1 (y )
I
But a hash function has output much shorter than the input
I
There must be messages for which the output collides (so
f −1 doesn’t exist)
I
“Collision resistant” does not mean that no two messages
get the same hash value, it means it is hard to find two
such messages
Three kinds of hash functions
I
For a one-way hash function, it is hard to find a preimage:
to calculate x 0 from h(x) so that h(x 0 ) = h(x)
I
For a weakly collision-resistant hash function, it is hard to
find a second preimage: to calculate x 0 from x so that
h(x 0 ) = h(x)
I
For a strongly collision-resistant hash function, it is hard to
find a collision: to find x and x 0 (x 0 6= x) such that
h(x 0 ) = h(x)
Example: RSA digital signatures
e, n
d, n
Alice
m
Sign
m, s
Verify
m?
Anyone
Eve
I
Set up for RSA and choose a collision-resistant hash
function
I
Sign using s = (h(m))d mod n
I
Verify by checking that h(m) equals s e mod n
Standard algorithms?
I
ISO does not standardize algorithms
I
NIST (National Institute for Standards and Technology)
does register standards for federal use in the US
I
NIST standards and other well tested algorithms are used
as some kinds of de facto standards
I
Examples are DES, AES and the SHA family
De facto standard algorithms
I
Stream ciphers: The A family in GSM and E family in
Bluetooth
I
Symmetric block ciphers: DES (56 bits), AES (128-256
bits), Blowfish, . . .
I
Asymmetric ciphers: RSA (any key size) and Elliptic Curve
Cryptography (ECC, any key size), . . .
I
Cryptographic hashes: MD5 (128 bit hashes, weak), SHA-1
(160 bit hashes, deprecated), SHA-2 (224-512 bit hashes),
SHA-3 (224-512 bit hashes, ?), . . .
Key length
Security
(bits)
32
64
72
80
96
Protection
Comment
Only auth. tag size
112
128
256
(E.g., 3-key 3DES)
Key length
Basic questions for crypto users
I
Is the algorithm strong enough?
I
Does the algorithm really work against my
perceived threat?
I
What about key management?
I
What standard algorithm should I use?
I
NEVER design a cryptosystem on your own
I
Watch out for snake oil

Computer security Lecture 7 - Cryptography as security tool

Transcription

Similar documents

Cipher Type Detection

Introduction to Computer Security

pdf

Classical Techniques: Substitution  Substitute a character, digit or symbol for each

Ryan James Cancino

Classical Encryption Techniques Symmetric Encryption

SPU Manila INTER-OFFICE BULLETIN

Metal 1pg Metal1pg

A Modified Version of Playfair Cipher Using 7×4 Matrix

Jan. 26, 2009

Solve The Cryptogram, Solve The Mystery of Pig! Cryptogram #1

An Introduction to Symmetric Cryptology Outline Information security

New slides

Cryptography`s Past, Present, and Future Role in Society