Beruflich Dokumente
Kultur Dokumente
Cryptography Overview
Cryptography
Is
A tremendous tool The basis for many security mechanisms The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent yourself unless
you spend a lot of time becoming an expert you subject your design to outside review
Is not
Auguste Kerckhoffs
A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge.
Compute servers
Application servers
Cloud Storage
Symmetric Cryptography
Assumes parties already share a secret key
E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce Encryption algorithm is publicly known
(aka IV)
Use Cases
Single use key:
encrypted email:
Vernam
Key: Plaintext:
(1917)
0 1
1 1
0 0
1 0
1 0
1 1
0 1
0 0
1 0
0 0
Ciphertext:
Shannon 49:
Stream ciphers
key
Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers
PRG
PRG(k)
message ciphertext
C1 m1 PRG(k)
C2 m2 PRG(k)
Eavesdropper does:
C1 C2
m1 m2
m1 m2
m1 , m 2
PT Block
E, D
CT Block
Key
k Bits
Canonical examples: 1. 3DES: n= 64 bits, 2. AES: k = 168 bits n=128 bits, k = 128, 192, 256 bits
AES-128:
Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,
R(kn, )
R(k1, )
R(k2, )
R(k3, )
R(k,m):
Problem:
if
m1=m2
then c1=c2
In pictures
E(k,)
E(k,)
E(k,)
E(k,)
IV
c[0]
c[1]
c[2]
c[3]
Best: use a fresh random IV for every message Can use unique IV
benefit:
IV
IV
m[0]
m[1]
m[2]
m[3]
E(k,)
E(k,)
E(k,)
E(k,)
E(k1,)
IV
c[0]
c[1]
c[2]
c[3]
ciphertext
In pictures
(parallel encryption)
m[L]
E(k,IV) E(k,IV+1)
E(k,IV+L)
IV
c[0]
c[1]
c[L]
Performance:
Pentium 4, 2.1 GHz
Cipher
Crypto++ 5.2.1
[ Wei Dai ]
113 293 9 61
Data integrity
Message Integrity:
MACs
k Alice
Message m
tag
note:
Secure MACs
Attacker information: chosen message attack
Construction 1: ECBC
m[0] m[1] m[2] m[3]
E(k,) E(k,)
E(k,)
E(k,)
Raw CBC
key = (k, k1) E(k1,)
tag
SHA-256:
m[0]
Merkle-Damgard
m[1] m[2] m[3]
IV
H(m)
h(t, m[i]): compression function Thm 1: Thm 2: if h is collision resistant then so is H if h is a PRF then HMAC is a PRF
PMAC:
m[3] P(k,3)
F(k,)
F(k,)
P(k,2)
F(k,)
F(k,)
F(k1,)
tag
Given tag on a message m, attacker can deduce tag for some other message m How: good crypto exercise
(CCA)
MAC key = KI Enc KE
OCB
offset codebook mode
checksum P(N,k,0)
E(k,)
E(k,)
P(N,k,2)
P(N,k,3)
E(k,) E(k,)
E(k,)
P(N,k,0)
c[0]
P(N,k,1)
c[1]
P(N,k,2)
P(N,k,3)
c[2] c[3]
auth
c[4]
Rogaway,
Public-key Cryptography
pk
sk
Applications
Session setup
Alice Generate (pk, sk) (for now, only eavesdropping security)
pk
E(pk, x)
Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pkalice Note: Bob needs pkalice (public key management)
Applications
Encryption in non-interactive settings: Encrypted File Systems
write
read
skA Alice
E(pkA, KF)
E(pkB, KF)
File
Applications
Encryption in non-interactive settings: Key escrow: data recovery without Bobs key
write
Escrow Service
E(pkB, KF)
In pictures:
F(pk, x) header Es( H(x), m ) body
Security Theorem: If (G, F, F-1) is a secure TDF, (Es, Ds) provides auth. enc. and H: X K is a random oracle then (G,E,D) is CCAro secure.
Digital Signatures
Public-key encryption
Alice publishes encryption key Anyone can send encrypted message Only Alice can decrypt messages with this key
Alice publishes key for verifying signatures Anyone can check a message signed by Alice Only Alice can send signed messages
H: M X a hash function
Sign( sk, mX) : output
sig = F-1(sk, H(m)
Security: existential unforgeability under a chosen message attack in the random oracle model
Provided they know Bobs public key If imposter substitutes another key, can read Bobs mail
Back to SSL/TLS
Version, Crypto choice, nonce Version, Choice, nonce, Signed certificate containing servers public key Ks
Limitations of cryptography
Most security problems are not crypto problems
This is good
Cryptography works!
This is bad
People make other mistakes; crypto doesnt solve them
WEP ineffective, highly embarrassing for industry Occasional unexpected attacks on systems subjected to serious review