
Cryptography

Merike Kaeo
merike@doubleshotsecurity.com

Steven M. Bellovin
https://www.cs.columbia.edu/~smb


Topics To Cover

•  Symmetric Keys
•  Asymmetric Keys
•  Hash Functions
•  Encryption
•  Signing


Cryptography Is Used For?

•  Authentication Protocols
•  Data Origin Authentication
•  Data Integrity
•  Data Confidentiality


Crypto Basics
•  Building Blocks
–  Crypto algorithm: specifies the mathematical transformation that
is performed on data to encrypt/decrypt
–  Stream cipher: encrypts a digital stream one bit (or byte) at a time
(example: RC4, since shown to be broken and prohibited in TLS by RFC 7465)
–  Block cipher: transforms data in fixed-size blocks, one block at a
time
•  DES (56-bit keys; 64-bit block size)
•  AES (128-, 192-, and 256-bit keys; 128-bit block size)
•  Good Crypto Algorithm Properties
–  Algorithm is NOT proprietary
–  Analyzed by public community to show that there are no
serious weaknesses
–  Explicitly designed for encryption

What is a Cryptosystem?

•  A cryptosystem is a pair of algorithms that take a key and
convert plaintext to ciphertext and back.
•  Plaintext and ciphertext are arbitrary strings of bits. A
key is also a string of bits that must be kept secret.
–  Secret key (symmetric systems: the same key encrypts and decrypts)
–  Private key (public-key systems: only the private half of the pair is secret)
•  Plaintext is what you want to protect; ciphertext should
appear to be random gibberish.

Caution

•  Cryptography is a very subtle mathematical science
•  Even experts make very bad mistakes
•  Don’t invent your own
–  Example: SSL 3.0 has been around since 1996. It’s been
through several in-depth, expert reviews. Two new serious
flaws have been found in the last five years (the 2009
renegotiation flaw and the 2011 BEAST attack); the 2014 POODLE
attack later led to SSL 3.0 being prohibited outright (RFC 7568)
•  Don’t buy from vendors who say “our product is more
secure because of our proprietary algorithms”; they’re
almost always either lying or incompetent

Kerckhoffs’s Law (1883)

The system must not be required to be
secret, and it must be able to fall into the
hands of the enemy without inconvenience.

In other words, the security of the system must rest
entirely on the secrecy of the key, not on the secrecy
of the algorithm.

X-OR Function

1 xor 1 = 0    0 xor 0 = 0
1 xor 0 = 1    0 xor 1 = 1

Example 1: 0 1 1 0 0 1 0 1 xor’ed with 1 1 0 1 0 0 1 1
RESULT:    1 0 1 1 0 1 1 0

Example 2: 1 0 1 1 0 1 1 0 xor’ed with 1 1 0 1 0 0 1 1
RESULT:    0 1 1 0 0 1 0 1

Note that Example 2 undoes Example 1: xor’ing with the same value twice
returns the original bits. This is why a single xor step both encrypts and
decrypts in stream ciphers and one-time pads, and also why the same
keystream must never be used for two messages.
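Added example (not from the original slides): the XOR table above turned into code. It checks the slide's two examples, shows that one XOR pass both encrypts and decrypts when the same keystream is used, and then demonstrates the security consequence the slide leads up to: if the same keystream is ever used for two messages, XORing the two ciphertexts cancels the keystream and exposes P1 xor P2, so a known or guessed P1 gives P2. The keystream and the two messages are constructed for the example.

```go
package main

import "fmt"

// xorBytes returns a XOR b; both slices must have the same length.
func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("xorBytes: length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// streamXor is the whole of a stream cipher once a keystream exists: the
// same call encrypts and decrypts, because (P xor K) xor K == P.
func streamXor(keystream, data []byte) []byte {
	return xorBytes(data, keystream[:len(data)])
}

// recoverOtherPlaintext shows the keystream-reuse failure: if two messages
// were encrypted under the same keystream, C1 xor C2 == P1 xor P2 (the
// keystream cancels), so knowing or guessing P1 reveals P2 without the key.
func recoverOtherPlaintext(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

func main() {
	// The slide's Example 1: 01100101 xor 11010011 = 10110110.
	fmt.Printf("%08b xor %08b = %08b\n", 0x65, 0xd3, xorBytes([]byte{0x65}, []byte{0xd3})[0])

	// Constructed sample data. A real keystream comes from a cipher such as
	// AES in CTR mode under a fresh nonce; a fixed string is used here only so
	// the run is reproducible.
	keystream := []byte("0123456789abcdef0123456789abcdef")
	p1 := []byte("ATTACK AT DAWN!!")
	p2 := []byte("RETREAT AT DUSK!")
	c1 := streamXor(keystream, p1)
	c2 := streamXor(keystream, p2) // same keystream reused: the mistake
	fmt.Printf("c1 = %x\n", c1)
	fmt.Println("decrypt(c1):", string(streamXor(keystream, c1)))
	fmt.Println("p2 from c1, c2 and p1 alone:", string(recoverOtherPlaintext(c1, c2, p1)))
}
```

The recovery step never touches the keystream; that is the point. Any cipher built on XOR with a keystream (RC4, AES-CTR, ChaCha20) has the same property, which is why nonces and per-message keys exist.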

Block Cipher Modes

•  Defines how the block cipher algorithm is applied to the
data stream
•  Standard Modes of Operation
–  Electronic Code Book (ECB)
–  Cipher Block Chaining (CBC)
–  Cipher Feedback (CFB)
–  Output Feedback (OFB)
–  Counter (CTR)
–  Galois Counter Mode (GCM)
–  Counter with CBC-MAC (CCM)
•  ECB and CBC are the most important to understand, but be aware of the
others: only GCM and CCM also authenticate the data, and they are the
right default for new designs

Electronic Code Book (ECB)

(Figure: Plaintext Block 1, 2, 3 are each fed to ENCRYPT independently,
giving Ciphertext 1, 2, 3; the same key is used for every block.)

Problem: Identical plaintext blocks are encrypted into identical ciphertext
blocks when the same key is used; this produces visible patterns

Used primarily to transmit encrypted keys (a single random block); very weak
if used for general-purpose encryption. Never use it for a file or message.
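Added example, not part of the original deck: the ECB weakness above made visible with AES-128 from Go's standard library. The same 16-byte plaintext block is encrypted eight times; under ECB every ciphertext block is identical, under CBC with a random IV all eight differ. The key is random and the plaintext is constructed; ecbEncrypt is written out here because the standard library deliberately provides no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the block cipher to each block independently. Go's
// standard library deliberately ships no ECB mode; this loop is all it is,
// which is why it is so easy to write by accident.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains each block into the next through a random IV; the IV is
// prepended to the ciphertext so the receiver can use it.
func cbcEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, bs+len(plaintext))
	if _, err := rand.Read(out[:bs]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], plaintext)
	return out
}

// distinctBlocks counts how many different ciphertext blocks appear.
func distinctBlocks(ct []byte, bs int) int {
	seen := make(map[string]bool)
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(seen)
}

// repeatedBlockLeak encrypts the same 16-byte plaintext block n times under a
// random AES-128 key and returns the number of distinct ciphertext blocks
// produced by ECB and by CBC.
func repeatedBlockLeak(n int) (ecbDistinct, cbcDistinct int) {
	key := make([]byte, 16)
	rand.Read(key)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed plaintext: n identical blocks (think of a bitmap's
	// background, or a fixed-format record repeated in a file).
	plain := bytes.Repeat([]byte("SAME 16 BYTE BLK"), n)
	ecb := ecbEncrypt(block, plain)
	cbc := cbcEncrypt(block, plain)
	return distinctBlocks(ecb, 16), distinctBlocks(cbc[16:], 16)
}

func main() {
	e, c := repeatedBlockLeak(8)
	fmt.Printf("8 identical plaintext blocks -> ECB: %d distinct ciphertext blocks, CBC: %d\n", e, c)
}
```

The ECB count is always 1, whatever the key: an observer who cannot read a single byte still learns which records are equal, and with a known-format file (an image, a database page) that is usually enough.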

Cipher Block Chaining (CBC)

(Figure: each Plaintext Block i is XORed with the previous Ciphertext block,
starting from the IV for block 1, and the result is fed to ENCRYPT to give
Ciphertext i.)

ENCRYPT: {Pi ⊕ Ci−1}k → Ci
DECRYPT: {Ci}k^−1 ⊕ Ci−1 → Pi

where C0 = IV, {X}k denotes encryption of X under key k, and {X}k^−1 denotes
decryption under k.

Properties of CBC

•  The ciphertext of each encrypted block depends on the plaintext
of all preceding blocks.
•  There is a dummy initial ciphertext block C0 known as the
Initialization Vector (IV); the receiver must know this value.
The IV need not be secret, but it must be unpredictable to the
attacker (predictable IVs in TLS 1.0 are what the BEAST attack exploited).
C1 = { P1 XOR IV }k
C2 = { P2 XOR C1 }k
C3 = { P3 XOR C2 }k
C4 = { P4 XOR C3 }k

If C2 is damaged during transmission, what happens to the
plaintext?

Error Propagation in CBC Mode
•  Look at the decryption process, where C′2 is a garbled
version of C2:
P1 = {C1}k^−1 ⊕ IV
P2 = {C′2}k^−1 ⊕ C1
P3 = {C3}k^−1 ⊕ C′2
P4 = {C4}k^−1 ⊕ C3
•  P1 depends only on C1 and IV, and is unaffected
•  P2 depends on C2 and C1, and hence is garbled (it becomes random garbage)
•  P3 depends on C3 and C2, and is also garbled, but predictably: P3 changes
by exactly C2 ⊕ C′2, so the enemy can control the change to P3 bit by bit
•  P4 depends on C4 and C3, and not C2; it thus isn’t affected
•  Conclusion: Two blocks change, one of them predictably. CBC on its own
therefore gives no integrity protection; add a MAC or use an authenticated mode

Selecting A Block Cipher Mode

•  Small amounts of truly random data: ECB
–  Example: randomly generated keying material
–  Other modes can be used but ECB is most efficient
•  Protocols with added crypto integrity protection (a separate MAC): CBC, CFB, OFB
•  High-speed mode: CTR (again, pair it with a MAC)
•  Encrypt/authenticate modes: GCM, CCM
•  Arbitrary communications with arbitrary data: CBC, CFB
–  Repeated plaintext data is obscured
–  Constantly changing encryption keys defeat differential cryptanalysis
attacks
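Added example serving the error-propagation and mode-selection slides above, not code from the original: the CBC argument carried out with AES-CBC, followed by the same edit against AES-GCM. Flipping bits in C2 leaves P1 and P4 untouched, turns P2 into garbage, and changes P3 by exactly the bits flipped, which is enough to alter an amount field without knowing the key; GCM's authentication tag rejects the modified ciphertext instead. The key, IV and the "amount" records are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample: four 16-byte plaintext blocks, P1..P4.
var samplePlain = []byte("P1: amount=00010P2: amount=00010P3: amount=00010P4: amount=00010")

// flipResult records what happened to each plaintext block after C2 was
// modified in transit.
type flipResult struct {
	p1Intact, p2Garbled, p3FlippedExactly, p4Intact bool
}

// cbcFlip encrypts samplePlain in CBC, XORs delta into ciphertext block C2,
// decrypts, and checks the slide's claims: P1 and P4 untouched, P2 garbage,
// and P3 changed by exactly delta (because P3 = D(C3) xor C2').
func cbcFlip(key, delta []byte) flipResult {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	iv := make([]byte, bs)
	rand.Read(iv)
	ct := make([]byte, len(samplePlain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, samplePlain)

	// Attacker on the wire: C2' = C2 xor delta. No key needed.
	for i := 0; i < bs; i++ {
		ct[bs+i] ^= delta[i]
	}

	got := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(got, ct)

	wantP3 := make([]byte, bs)
	for i := 0; i < bs; i++ {
		wantP3[i] = samplePlain[2*bs+i] ^ delta[i]
	}
	return flipResult{
		p1Intact:         bytes.Equal(got[:bs], samplePlain[:bs]),
		p2Garbled:        !bytes.Equal(got[bs:2*bs], samplePlain[bs:2*bs]),
		p3FlippedExactly: bytes.Equal(got[2*bs:3*bs], wantP3),
		p4Intact:         bytes.Equal(got[3*bs:], samplePlain[3*bs:]),
	}
}

// gcmRejectsFlip does the same edit against AES-GCM: the authentication tag
// no longer verifies and Open returns an error instead of forged plaintext.
func gcmRejectsFlip(key []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, samplePlain, nil)
	ct[2*16+15] ^= 0x09 // same edit as the CBC attack, now in block 3
	_, err = gcm.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	key := make([]byte, 16)
	rand.Read(key)
	// delta flips the last byte of P3 from '0' to '9' ('0' xor '9' == 0x09),
	// turning "amount=00010" into "amount=00019" with no knowledge of the key.
	delta := make([]byte, 16)
	delta[15] = '0' ^ '9'
	fmt.Printf("CBC after flipping C2: %+v\n", cbcFlip(key, delta))
	fmt.Println("GCM rejects the edit:", gcmRejectsFlip(key))
}
```

In a real protocol the garbled P2 is what a receiver would have to notice, and many formats tolerate a block of junk (padding, a comment field, a trailing record). Relying on that is exactly the mistake that padding-oracle and bit-flipping attacks on CBC protocols exploited; the authenticated mode removes the question.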

Public Key Encryption

Uses public/private keys
–  The two keys are mathematically related: what one key encrypts, only the
other can decrypt
–  Private key is only known by owner of the pair
–  Public keys are published (in directories, public servers, or certificates)

Computing a key pair is computationally expensive!!

Common Algorithms: RSA, ElGamal, DSS (DSA), ECC (elliptic-curve variants such as ECDSA)

Authentication and Integrity (1)

(Figure: Router A holds the private key; Router B receives a copy of the public key.)

1. Router A generates public/private key pair
2. Router A sends its public key to Router B

Authentication and Integrity (2)

(Figure: Cleartext → ENCRYPT with A’s private key → Encrypted → DECRYPT with A’s public key → Cleartext.)

3. Router A encrypts packet with its private key and sends
encrypted packet to Router B
4. Router B receives encrypted packet and decrypts with
Router A’s public key
Since only Router A has its private key, you are reasonably
certain the data came from Router A

(“Encrypting with the private key” is the textbook picture of a digital
signature. Real systems do not apply the public-key operation to the packet
itself: they hash the packet and sign the hash with a signature scheme; see
the Digital Signatures slides.)

Data Confidentiality (1)

(Figure: Router B holds the private key; Router A receives a copy of the public key.)

1. Router B generates public/private key pair
2. Router B sends its public key to Router A

Data Confidentiality (2)

(Figure: Cleartext → ENCRYPT with B’s public key → Encrypted → DECRYPT with B’s private key → Cleartext.)

3. Router A encrypts packet with Router B’s public key & sends
encrypted packet to Router B
4. Router B receives encrypted packet and decrypts with its
private key

Since only Router B has its private key, it should be the
only one able to decrypt the traffic

Secret Key Encryption
-  Two parties share the same secret key
-  Problem is securely distributing the key

(Figure: Sensitive Information (cleartext) → ENCRYPT with the shared secret key
(DES) → ciphertext across the Internet → DECRYPT with the same shared secret
key → Sensitive Information (cleartext).)

Common Algorithms: DES, 3DES, AES, IDEA (of these, only AES is
acceptable for new designs; single DES has been brute-forceable since 1998)

Triple DES (3DES)

(Figure: Plaintext Block 1 → ENCRYPT under K1 → DECRYPT under K2 → ENCRYPT under K3 → Ciphertext 1.)

•  Many applications use K3=K1, yielding a key length of 112 bits
•  Interoperable with conventional DES if K1=K2=K3
•  NIST has since deprecated 3DES (SP 800-131A: disallowed for encryption after 2023)

AES

•  Published in November 2001 (FIPS 197)
•  Rijndael algorithm developed by Dr. Joan Daemen and
Dr. Vincent Rijmen
•  Symmetric Block Cipher
–  128 bit blocks
–  3 key lengths: 128, 192, and 256 bits
–  symmetric, highly parallel round structure
–  low memory requirement

Why AES Instead of 3DES

•  DES is slow in software; 3DES is slower still
–  In 1976, when DES was designed, NSA only believed in
hardware encryptors
–  DES uses bit permutations, which are fast in hardware but
slow in software
–  AES uses byte operations: much faster
•  64-bit blocks are too small; information will leak
–  Because of the birthday bound, the safe limit is less than the square
root of the number of possible block values: 2^32 blocks of 64 bits (2^35 bytes)
–  That’s 34 GB—not a lot today! (The Sweet32 attack of 2016 demonstrated
exactly this against 3DES in TLS.)

Key Length

Key Length (in bits)   Number of Combinations
40                     2^40 = 1,099,511,627,776
56                     2^56 ≈ 7.2 x 10^16
64                     2^64 ≈ 1.8 x 10^19
112                    2^112 ≈ 5.2 x 10^33
128                    2^128 ≈ 3.4 x 10^38
192                    2^192 ≈ 6.3 x 10^57
256                    2^256 ≈ 1.2 x 10^77

The longer the keys the harder a brute force attack becomes

Cryptographic Keys

•  Every principal has to have at least one key
•  It is not possible to communicate securely with
someone who doesn’t have a secret
–  Without one, it’s trivial for an attacker to impersonate them
•  Securely creating, storing, and handling keys is one of
the hardest practical issues in cryptography
•  Note: keys should be random

Producing Effective Keys

Input (seed) → Pseudo-random number generator → Pseudo-random output

-  Producing a truly random seed value can be slow and inefficient
-  A PRNG, seeded once, is used when generating many separate keys
-  Properties of the sequence of numbers produced by a good PRNG:
-  Equal chance that a given number falls anywhere
within the range of numbers being generated
-  The sequence should not repeat itself
-  Must be unpredictable, even to an enemy who knows some of the
previous values (for keys this means a cryptographically secure PRNG,
seeded from a source the attacker cannot guess)
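Added example (not from the slides) of the last property above, unpredictability: a key derived from Go's math/rand seeded with the current time is recovered by an attacker who simply tries every seed in the last hour, while a key from the operating system's CSPRNG (crypto/rand) has no seed to guess. The one-hour search window and the 16-byte key size are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakKey derives a 16-byte "key" from math/rand seeded with a timestamp:
// the classic mistake. math/rand is a deterministic generator, so the key is
// a pure function of the seed, and the seed is a pure function of the clock.
func weakKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	k := make([]byte, 16)
	r.Read(k)
	return k
}

// recoverSeed is the attacker: knowing roughly when the key was made (say,
// within the last hour), try every candidate second until the generated key
// reproduces something observable. Here the observable is the key itself;
// in practice it would be a session token, a keystream fragment, or the
// ciphertext of a known plaintext.
func recoverSeed(observed []byte, notBefore, notAfter int64) (int64, bool) {
	for s := notBefore; s <= notAfter; s++ {
		if bytes.Equal(weakKey(s), observed) {
			return s, true
		}
	}
	return 0, false
}

// strongKey uses the OS CSPRNG; there is no seed to guess.
func strongKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	now := time.Now().Unix()
	victim := weakKey(now) // "seed it with the current time"
	seed, ok := recoverSeed(victim, now-3600, now)
	fmt.Printf("weak key %x recovered from seed %d: %v (at most 3601 guesses)\n", victim, seed, ok)
	fmt.Printf("strong key %x (not reproducible from any guessable input)\n", strongKey())
}
```

The attack costs a few thousand PRNG evaluations; widening the attacker's uncertainty to a whole year only raises that to about thirty million. No amount of key length helps when the entropy actually feeding the generator is a 32-bit timestamp.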

Where Do Traffic Keys Come From?

•  Every conversation requires a key—where does it come
from?
•  Do not reuse the same key for many conversations
–  Encrypting too much traffic in one key aids cryptanalysis—
this has been known for more than 150 years
•  Instead, must create a new key each time
•  This process—key setup—is typically done by a
cryptographic protocol such as TLS (SSL), IKE for IPsec, or SSH

Creating Traffic Keys

•  … such as AES—but creating secure key setup protocols
is also very hard
•  German mistakes doing this helped the Allies crack
the Enigma cipher machine during World War II

The Key Setup Problem

•  Alice has her secret
•  Bob has his secret
•  They want to exchange encrypted messages
•  How do they create a shared session key?
•  Should they each possess a set of shared keys, to be
used for one conversation only?

Secret Key Scalability

Configuring shared secret keys easily becomes an administrative
nightmare: n parties need n(n−1)/2 pairwise keys, each provisioned by hand

If nothing else, what happens if Alice and Bob run out of shared
keys?

Need automated mechanism to securely derive secret keys

Solutions

•  In the 1970s, the cryptographic world changed
–  Encryption devices became computerized: they could do
local computation
–  Networking started becoming common: encryption units
could exchange several messages to do key setup
–  Cryptography became an open subject, with published,
non-military research
–  Public key cryptography was invented

Key Technology (e.g. Diffie-Hellman)

Public parameters: generator a and prime p

Alice: secret XA                 Bob: secret XB
YA = a^XA mod p   ---------->
                  <----------    YB = a^XB mod p
Z = YB^XA mod p                  Z = YA^XB mod p

XA is Alice’s random number; XB is Bob’s. Both sides arrive at the same Z
because YB^XA = a^(XB·XA) = YA^XB (mod p).

By exchanging numbers in the clear, two entities can
determine a new unique number (Z), known only to them

DH Man-in-the-Middle Attack

•  Diffie-Hellman is subject to a man-in-the-middle attack: an attacker
who can intercept YA and YB substitutes her own values, completes one DH
exchange with Alice and a separate one with Bob, and then relays (and reads)
all traffic between them
•  Digital signatures of the ‘public values’ can enable each party to verify that the other
party actually generated the value

(Figure: a, p public; Alice’s XA and YA on one side, Bob’s XB and YB on the
other, the attacker in between.)

=> DH exchanges need to be authenticated!!
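Added example covering the two Diffie-Hellman slides, not code from the original: the exchange with the slide's symbols (a, p, XA, XB, YA, YB, Z) in math/big, followed by the man-in-the-middle attack, in which Mallory replaces YA and YB with her own values and ends up sharing one Z with Alice and a different one with Bob. The group is generated on the fly for illustration only (a random prime with a = 2 is not a vetted safe-prime group); real deployments use standardized groups (RFC 3526, RFC 7919) or X25519, and, as the slide says, authenticate the exchange.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// dhGroup holds the public parameters: generator a and prime p.
type dhGroup struct {
	a, p *big.Int
}

// newDemoGroup builds a toy group with a random prime. Illustration only:
// production code must use a standardized group (RFC 3526 / RFC 7919) or an
// elliptic-curve exchange such as X25519.
func newDemoGroup(bits int) dhGroup {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return dhGroup{a: big.NewInt(2), p: p}
}

// privateValue picks a party's secret exponent X uniformly in [2, p-2].
func (g dhGroup) privateValue() *big.Int {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(g.p, big.NewInt(3)))
	if err != nil {
		panic(err)
	}
	return x.Add(x, big.NewInt(2))
}

// publicValue computes Y = a^X mod p; this is what goes over the wire.
func (g dhGroup) publicValue(x *big.Int) *big.Int {
	return new(big.Int).Exp(g.a, x, g.p)
}

// shared computes Z = Y_other^X mod p.
func (g dhGroup) shared(x, yOther *big.Int) *big.Int {
	return new(big.Int).Exp(yOther, x, g.p)
}

// honestExchange runs the protocol on the slide and reports whether both
// sides end with the same Z.
func honestExchange(g dhGroup) bool {
	xA, xB := g.privateValue(), g.privateValue()
	yA, yB := g.publicValue(xA), g.publicValue(xB)
	return g.shared(xA, yB).Cmp(g.shared(xB, yA)) == 0
}

// mitmExchange models Mallory intercepting the unauthenticated Y values and
// substituting her own. Returned flags: Alice shares a key with Mallory, Bob
// shares a key with Mallory, and Alice and Bob share a key with each other.
func mitmExchange(g dhGroup) (aliceWithMallory, bobWithMallory, aliceWithBob bool) {
	xA, xB := g.privateValue(), g.privateValue()
	xM1, xM2 := g.privateValue(), g.privateValue()
	yA, yB := g.publicValue(xA), g.publicValue(xB)
	yM1, yM2 := g.publicValue(xM1), g.publicValue(xM2) // Mallory's substitutes

	zAlice := g.shared(xA, yM1) // Alice believes yM1 came from Bob
	zBob := g.shared(xB, yM2)   // Bob believes yM2 came from Alice
	zMalloryA := g.shared(xM1, yA)
	zMalloryB := g.shared(xM2, yB)

	return zAlice.Cmp(zMalloryA) == 0, zBob.Cmp(zMalloryB) == 0, zAlice.Cmp(zBob) == 0
}

func main() {
	g := newDemoGroup(512)
	fmt.Println("honest exchange agrees on Z:", honestExchange(g))
	am, bm, ab := mitmExchange(g)
	fmt.Printf("MITM: Alice<->Mallory %v, Bob<->Mallory %v, Alice<->Bob %v\n", am, bm, ab)
}
```

Nothing in the arithmetic distinguishes the honest run from the attacked one; only a signature over YA and YB (or a pre-shared secret mixed into the derivation) lets Alice tell that the value she received was generated by Bob.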

Key Distribution Protocol (oversimplified and insecure…)

•  Alice and the Key Distribution Center (KDC) share a secret key
•  Bob and the KDC also share a key
•  The KDC sets up the session: it picks a fresh session key and sends a copy
to Alice and a copy to Bob (“Here’s a key”), each protected under that
party’s own KDC key
•  It’s secure—if done right, and if the KDC is trustworthy

(Figure: KDC at the top, Alice and Bob below, each receiving “Here’s a key”.)

Protocol Security

•  The first key distribution protocol was published in 1978
(Needham and Schroeder)
•  The first flaw was found in 1981 (Denning and Sacco)
•  In 1987, the original authors repaired the flaw, and
found an error in the 1981 version
•  In 1996, a new flaw was found in the original (Lowe’s attack on the
public-key variant)
–  In modern notation, the protocol was 3 messages long
–  In retrospect, the flaw is very, very obvious—but it went
undetected for 18 years…
•  Cryptographic protocols are hard

Some Protocol Security Issues

•  Replay attacks: someone resends an old message
•  Cut-and-paste: chop out pieces of one message, and
insert them into another
•  Multiple runs: run the protocol a number of times
(perhaps simultaneously), and feed answers from one
session into another
•  Interactions between primitives
•  Many more…

Digital Signatures

•  A digital signature is a value computed from the packet with the
signer’s private key and appended to the packet
•  Used to prove the identity of the sender and the
integrity of the packet

(Figure: a Routing Update with its signature attached.)

Digital Signatures

•  Two common public-key digital signature techniques:
–  RSA (Rivest, Shamir, Adleman)
–  DSS (Digital Signature Standard: DSA, and now also ECDSA)
•  A sender uses its private key to sign a packet.
•  The receiver of the packet uses the sender’s public key to
verify the signature.
•  Successful verification assures:
–  The packet has not been altered
–  The identity of the sender (more precisely: that the holder of the
private key signed it, so the private key must stay private)

But…

•  Digital signature algorithms are computationally
expensive
•  We can’t efficiently sign a large message or file directly (the
public-key operation works on a single fixed-size number)
•  We need a way to “fingerprint” a file and sign just the
unique fingerprint
•  This fingerprint must be reasonably short, for any length
input file, and must uniquely identify the file (at least in
practice, though obviously not in theory)

Hash Algorithm

•  Reduces a variable-length input to a fixed-length output
–  Output is called a hash or message digest or fingerprint
–  Output length is 128 bits for MD5, 160 bits for SHA-1, 224/256/384/512 for
SHA-2, and 224/256/384/512 for SHA-3
•  Requirements
–  Given an output, can’t find an input that hashes to it (preimage resistance)
–  Given an input, can’t find a different input with the same hash
(second-preimage resistance)
–  Can’t find any two inputs which produce the same output (collision resistance)
•  Used to
–  Create data checksum to detect data modification (against deliberate
modification only when combined with a key or a signature; see MACs below)
–  Create fixed-length encryption keys from passwords (via a purpose-built
password hashing function such as PBKDF2, scrypt or Argon2, not a bare hash)

Why So Many?

•  MD5 is the oldest in widespread use. It’s too short (a
128-bit hash has a strength of only 2^64 against brute-force
collision search, by the birthday bound);
worse yet, Wang and her colleagues found a practical
collision attack
•  SHA-1 is also vulnerable to Wang’s attack (theoretical in 2005;
a real collision was demonstrated in 2017)
•  SHA-2 is structurally similar to MD5 and SHA-1, but
seems to be secure
•  That wasn’t known in 2006, so a competition was
started to pick SHA-3. Besides, it’s faster in hardware
than SHA-2 is

Choosing a Hash Function

•  Retire MD5 immediately (though HMAC-MD5 is
probably safe enough, since HMAC does not rely on collision resistance)
•  The attacks on SHA-1 are still too expensive for most
attackers, but nation-states can launch them. Phase it
out when you can; do it soon if your attacker is a
government (since these slides were written, practical
SHA-1 collisions have been published, in 2017 and 2020,
so it should now be retired for signatures everywhere)
•  SHA-2 is believed to be quite secure
•  SHA-3 is cheaper in hardware, but mostly unavailable
anywhere; it’s very, very new (just six weeks old when this
was written: Keccak was selected in October 2012 and
standardized as FIPS 202 in 2015)

Computing a Keyed MAC (HMAC)

•  Message Authentication Code (MAC) creates a hash value
dependent on the key (password)
–  Shared secret key (padded to the hash block size) is xor’ed with a
specified constant array (ipad: 0x36 repeated) to produce K1
–  K1 is prepended to the message; this string is hashed
–  Shared secret key is xor’ed a 2nd time with another specified
constant array (opad: 0x5c repeated) to produce K2
–  K2 is prepended to the previous hash; this string is also hashed

Hash1 = hash(K1 || message)
HMAC  = hash(K2 || Hash1)

HMAC-MD5-96 / HMAC-SHA1-96 -> final hash truncated to its first 96 bits!!
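Added example, not from the original slides: the HMAC construction exactly as described above (RFC 2104, instantiated with SHA-256), cross-checked against Go's crypto/hmac, with the 96-bit truncation and a constant-time comparison for verification. The key and message are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacFromSlide builds HMAC-SHA-256 the way the slide describes (RFC 2104):
//   K1 = K xor ipad,  K2 = K xor opad
//   HMAC = H(K2 || H(K1 || message))
// A key longer than the hash block size is hashed first; a shorter key is
// zero-padded to the block size (64 bytes for SHA-256).
func hmacFromSlide(key, message []byte) []byte {
	const blockSize = sha256.BlockSize
	if len(key) > blockSize {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	padded := make([]byte, blockSize)
	copy(padded, key)
	k1 := make([]byte, blockSize)
	k2 := make([]byte, blockSize)
	for i := range padded {
		k1[i] = padded[i] ^ 0x36 // ipad
		k2[i] = padded[i] ^ 0x5c // opad
	}
	inner := sha256.Sum256(append(k1, message...))
	outer := sha256.Sum256(append(k2, inner[:]...))
	return outer[:]
}

// hmacTruncated96 keeps the first 96 bits (12 bytes), as the "-96" variants
// used by IPsec do; truncation takes the leftmost bytes.
func hmacTruncated96(key, message []byte) []byte {
	return hmacFromSlide(key, message)[:12]
}

// hexTag returns the full tag as hex, for display and test vectors.
func hexTag(key, message []byte) string {
	return hex.EncodeToString(hmacFromSlide(key, message))
}

// matchesLibrary cross-checks the hand-built construction against crypto/hmac.
func matchesLibrary(key, message []byte) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(message)
	return hmac.Equal(hmacFromSlide(key, message), mac.Sum(nil))
}

// verify compares tags in constant time. An early-exit byte comparison leaks,
// through timing, how many leading bytes of a guessed tag are right, which
// lets an attacker forge a tag one byte at a time.
func verify(key, message, tag []byte) bool {
	return hmac.Equal(hmacFromSlide(key, message), tag)
}

func main() {
	key := []byte("shared-secret-key")          // constructed
	msg := []byte("routing update: 10.0.0.0/8") // constructed
	fmt.Println("matches crypto/hmac:", matchesLibrary(key, msg))
	fmt.Println("HMAC-SHA256:   ", hexTag(key, msg))
	fmt.Println("HMAC-SHA256-96:", hex.EncodeToString(hmacTruncated96(key, msg)))
	tag := hmacFromSlide(key, msg)
	fmt.Println("verify original:", verify(key, msg, tag))
	fmt.Println("verify altered: ", verify(key, []byte("routing update: 10.0.0.0/7"), tag))
}
```

The two-layer structure is what makes HMAC safe even with a hash that has a length-extension weakness (MD5, SHA-1, SHA-256): an attacker who knows H(K1 || m) cannot extend it, because the outer hash under K2 hides that intermediate value.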

MD5-Based Authentication (RFC 2385)

(Figure: Router A feeds the Routing Update and the preconfigured shared key
into the hash function, and sends the resulting Hash along with the Routing
Update.)

Receiving router:
•  Separates the Routing Update and the Hash
•  Feeds the Routing Update and the preconfigured shared key into the hash
function
•  If the hashes are equal, the Routing Update is accepted

Not a Great Idea

•  No key management
–  Single, manually provisioned long-term secret used for all
conversations
–  Key must be changed at both ends simultaneously
–  (See RFC 4808 for how to work around that)
•  It uses an older, pre-HMAC scheme (the MD5 of the segment followed by
the raw password)
•  But—it’s real, it exists today, and can be used on most
production routers to protect BGP traffic and
authenticate the other end
•  Its successor, the TCP Authentication Option (RFC 5925), fixes the
key-management and MAC-construction problems and obsoletes RFC 2385

Digital Signatures versus MACs

•  Both show that a message was sent by a given party
•  A MAC (including HMAC) can only be verified by
someone who also knows the key
–  Someone who knows the key could forge the message, so a MAC
cannot prove to a third party which of the key holders sent it
•  A digital signature is signed with a private key, but
verified by anyone with the public key
–  Nobody without the private key can forge it
–  You can prove who signed it to a judge!

RSA Public Key Cryptography

•  Based on the relative ease of multiplying large primes
together, while it is practically impossible to factor the resulting
product
•  RSA keys: 3 special numeric values (the modulus N and the exponents
KeyE and KeyD)
•  Algorithm produces public keys that are tied to specific
private keys
•  Provides both digital signatures and public-key
encryption

Generating RSA Keys

1. Generate two large random primes P and Q
2. N = P x Q (the modulus)
3. Choose the public exponent KeyE (usually 65,537)
4. Compute the private exponent KeyD as the inverse of KeyE modulo (P−1)(Q−1)

Mod N, KeyE = Public Key Material
Mod N, KeyD = Private Key Material

P and Q must be discarded or kept as secret as KeyD: anyone who learns them
can recompute KeyD from the public key.

Whose Key is It?

•  How do you get the right public key for someone?
•  How do you know who owns a particular public key?
•  The answer is the certificate, a digitally signed message
containing a key and a name
•  Certificates are signed by a certificate authority (CA)

Public Key Infrastructure

•  Mechanism to manage digital certificates
–  Whose public key?
–  What is the key good for?
•  Supports scalable security services using public key
cryptography
–  Authentication
–  Confidentiality
–  Data Integrity
–  Non-Repudiation

PKI Components
•  Certification Authority
–  A trusted authority which issues digital certificates
–  Also publishes a CRL (Certificate Revocation List)
•  Registration Authority
–  An entity that is trusted by the CA to vouch for the identity of users to a
CA
•  This entity is only trusted by the CA
•  Generally relies on operational controls and cryptographic security rather
than physical security
•  Repository
–  An electronic site that holds certificates and certificate status
information
•  Need not be a trusted system since all information is tamper-evident
(certificates and CRLs carry the CA’s signature)
•  Most commonly accessed via LDAP
•  Theoretically could be accessed using HTTP, FTP or even electronic mail

Digital Certificate Lifecycle

Key Pair Generated → Certificate Issued → Certificate valid and in use
   → normal end: Certificate Expires → Keypair Expired → Recertify (new key pair and certificate)
   → abnormal end: Private Key compromised → Certificate Revoked

Check Certificates on Windows XP

•  Windows maintains certificates in certificate stores
•  View a certificate store from the Run dialog box by opening
Certmgr.msc (still present in current Windows versions)
•  Sample personal certificate is shown
•  A certificate is signed by its issuing CA

What’s In A Certificate?

(Screenshot of the certificate fields in the original slides: version, serial
number, signature algorithm, issuer, validity period, subject, subject public
key, extensions, and the CA’s signature over all of it.)

Who Can Be a CA?

•  A CA signs certificates, but which CA? Who picks CAs?
•  Perhaps another CA issues a certificate to other CAs—
but who picked them?
•  Ultimately, you have to trust someone—the trust anchor
•  Modern operating systems and browsers come with a
list of built-in CAs
•  You are trusting your vendors; they have decided to
trust certain CAs
–  Are these CAs trustworthy?

The Browser CA Problem

•  Microsoft trusts over 300 certificate authorities
–  If you delete one, Windows will helpfully reload it for
you…
•  Mozilla trusts 150
•  Apple trusts 180
•  Any CA your browser trusts can issue a certificate for any
site at all, even if there is already some other certificate for it
•  If any single CA is compromised, your browser can be
fooled
•  This has happened…

The DigiNotar Case

•  Someone penetrated DigiNotar (a Dutch CA) in 2011 and stole its private
key
•  This key was used to create fake certificates for gmail.com
•  People in Iran who tried to connect securely to gmail instead
connected to somewhere else—but it looked authentic,
because there was a DigiNotar-issued certificate for Google
•  Note: DigiNotar was not Google’s CA…
•  DigiNotar is (a) no longer trusted by browsers, and (b) out of
business…

Protecting Browsers: DANE

•  How can we protect browsers from malicious CAs?
–  The root of the problem is that the trust chain does not
agree with the user’s expectations
•  A user types www.ait.ac.th; the DNS delegation chain is
the root, .th, .ac.th, etc.
•  The certificate is valid because of one of the CAs in the
browser
•  The site owner is the only link; the user doesn’t see the
CA, and the CA doesn’t care about the DNS name
•  Can we put trust information into the DNS?

DANE

•  Add a new DNS record (TLSA, RFC 6698) that identifies the certificate
–  The DNS records are under the control of the site owner
•  The browser can retrieve this record (along with the A
or AAAA records), and verify that the TLS certificate
matches what the DNS says
•  But—what if the DNS records are attacked?
1.  It’s still better; an attacker would have to penetrate a CA and
the DNS
2.  We can use DNSSEC to protect the DNS entry
