Executable content
How Applets and Executable Content create new security risks and problems. Mechanisms to make "untrusted" Java applets safe, by restricting them.
More advanced mechanisms which attempt to unrestrict Applets, by establishing authentication mechanisms and levels of privilege for them.
What Is Cryptography?
The science of using mathematics to encrypt and decrypt data.
Symmetric system: decrypt with the same key. Strong encryption is hard to crack even if you have plenty of plaintext/ciphertext samples. Some schemes: DES, RC4, AES (Rijndael). Pointless if you already have a secure channel?
If I want to keep my key 3 secret, what decrypting key can I publish?
[Figure: "Hello" encrypted with key 3, then decrypted]
Public-Key Cryptography
Breakthrough in 1977 by Merkle, followed by the easier RSA system (Rivest, Shamir, Adleman). Two paired keys: one public, one secret. Either key can decrypt its partner's encryption:
let m = {plaintext} public-key; then plaintext = {m} secret-key
and vice-versa: if m = {p} secret-key, then p = {m} public-key
RSA Internals
Based on a trapdoor one-way function: easy to compute in one direction, hard to invert unless you know the secret trapdoor.
Two large random primes p, q are chosen and multiplied together: n = p*q. This is easy.
Choose random e such that e and (p-1)(q-1) are relatively prime (i.e. their gcd is 1). (e, n) is the public key.
Find d (the secret trapdoor) such that e*d mod (p-1)(q-1) = 1. (d, n) is the private key.
Now destroy p and q!
Break the message into blocks which are each a little smaller than the number of bits in n.
Encrypt each block with (e, n): C_i = M_i^e mod n
This can only be deciphered using the "inverse" decryption key (d, n): M_i = C_i^d mod n
Breaking the scheme (finding d) depends on factoring n. This is believed to be NP hard: it needs an exponential amount of time. Typically p, q > 500 bits, or 150 digits.
How can we know that p is prime if factoring is so tough? We have cheap probabilistic tests.
A Digest ...
is a short checksum or hash (typically 128 bits / 160 bits) of a message. Good digests must be easy / fast to compute, but it must be very difficult to construct another message which generates the same digest (not reversible). Notation: digest[message]. Two methods of computing digests are in wide use at present: MD5 and SHA (Secure Hash Algorithm). SHA is a 160-bit hash approved for US Government use by NIST, the National Institute of Standards and Technology.
Digital Signatures
Signature = {digest[message]} my-secret-key. The signature cannot be used against another message (the digest ensures this). The message cannot be altered without getting a different digest (digest property). Anybody can look up my-public-key and verify that only I could have encrypted this digest.
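The RSA key generation, block encryption and digest signing described in the last three slides, as an added example that is not part of the original notes. It is textbook RSA with no padding (real deployments use OAEP/PSS padding and 2048-bit primes); the two Mersenne primes are a constructed choice that makes n larger than a 160-bit SHA-1 digest.

```python
import hashlib
from math import gcd

# Constructed primes (both are Mersenne primes), chosen so n > 2**195
P = 2**89 - 1
Q = 2**107 - 1

def keygen(p=P, q=Q, e=65537):
    """Return ((e, n), (d, n)). p and q are not kept: destroy them!"""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:                 # e must be coprime to (p-1)(q-1)
        raise ValueError("e not coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # the trapdoor: e*d mod phi == 1
    return (e, n), (d, n)

def _block_size(n):
    # a block is a little smaller than n: (bits(n)-1)//8 bytes
    return (n.bit_length() - 1) // 8

def encrypt(message, pub):
    e, n = pub
    k = _block_size(n)
    # each block carries k-1 data bytes behind a 0x01 marker, so leading
    # zero bytes of the data survive the integer round trip
    chunks = [message[i:i + k - 1] for i in range(0, len(message), k - 1)] or [b""]
    return [pow(int.from_bytes(b"\x01" + c, "big"), e, n) for c in chunks]   # C_i = M_i^e mod n

def decrypt(blocks, priv):
    d, n = priv
    k = _block_size(n)
    out = b""
    for c in blocks:
        m = pow(c, d, n).to_bytes(k + 1, "big").lstrip(b"\x00")             # M_i = C_i^d mod n
        if m[:1] != b"\x01":
            raise ValueError("corrupt block")
        out += m[1:]
    return out

def sign(message, priv):
    d, n = priv
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")   # digest[message]
    return pow(h, d, n)                                          # {digest[message]} secret-key

def verify(message, sig, pub):
    e, n = pub
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return pow(sig, e, n) == h       # only the holder of d could have produced sig
```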
Distinguish the primitive algorithms (RSA, DES, SHA, digital signatures, etc.) from the higher-level protocols: how do we use the primitives in an exchange of messages (the protocol) so that we achieve a bigger goal, like authenticating someone or checking a password? Our algorithms are generally secure. The protocols are much more tricky, and often open the door to attacks.
We prefer symmetric encryption (stronger, faster), but how do we share the key securely? We choose a random session-key and send
{message} session-key (symmetric method)
followed by {session-key} A-pubkey (asymmetric method),
and if the message is intended for many recipients, tack on
{session-key} B-pubkey
{session-key} C-pubkey
Problem: Bob would be very stupid to encrypt anything someone puts in front of him, because it can now only have originated from him!
Closer, but this is exactly the definition of a digital signature! Alice can attach the signature back to the original message which she originated. (Which probably says "I, Bob, owe Alice $10 million.")
If Alice makes up the string, it is bad for Bob. Bob must originate some of the response:
Almost workable! But Mallory might record and replay Bob's message (a parrot attack) next time, and fool Alice into disclosing her account details. We need some randomness from Alice.
msg = "Alice, this really is Bob, and I got your <new random string>"
Bob → Alice: msg, {digest[msg]} bob-secretkey
Lessons
Alice needs a fresh nonce against parrot attacks. Bob must originate some of the response.
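The nonce exchange above and the parrot attack it defeats, as an added simulation that is not part of the original notes. A keyed MAC (HMAC) under a constructed key that Bob and the verifier share stands in for the public-key signature of the slides so the example runs on the standard library; the protocol logic, a single-use nonce issued by Alice and a reply that Bob originates, is unchanged.

```python
import hashlib
import hmac
import secrets

# Constructed demo key standing in for bob-secretkey (assumption, see lead-in)
BOB_KEY = b"constructed-demo-key-for-bob"

def _tag(msg, key=BOB_KEY):
    # {digest[msg]} bob-secretkey, modelled here as an HMAC over msg
    return hmac.new(key, msg, hashlib.sha256).digest()

def bob_respond(challenge):
    # Bob originates the text and echoes Alice's fresh nonce
    msg = b"Alice, this really is Bob, and I got your " + challenge
    return msg, _tag(msg)

class Alice:
    def __init__(self):
        self.outstanding = set()          # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_hex(16).encode()   # fresh randomness every session
        self.outstanding.add(nonce)
        return nonce

    def check(self, msg, tag):
        if not hmac.compare_digest(tag, _tag(msg)):
            return "bad signature"        # altered message or not from Bob
        nonce = msg.rsplit(b" ", 1)[-1]
        if nonce not in self.outstanding:
            return "replay"               # parrot attack: nonce stale or never issued
        self.outstanding.discard(nonce)   # each nonce is accepted once only
        return "ok"

def run_scenario():
    alice = Alice()
    msg, tag = bob_respond(alice.challenge())
    first = alice.check(msg, tag)               # genuine session
    alice.challenge()                           # a later session begins...
    replay = alice.check(msg, tag)              # ...and Mallory parrots the recording
    forged = alice.check(msg + b"!", tag)       # tampering breaks the signature
    return first, replay, forged
```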
Certificates
Contain the issuer's name, the name of the subject (Bob), the public key of the subject, and some expiry time stamps. Certificates are signed by the issuer. Site certificates also have domain / IP numbers. Hmm, how do we know the issuer's signature is not forged?
Could you fool Verisign into issuing a certificate to you in the name of Nedbank? See Netscape and IE security tabs.
msg = "I really am Bob, your <nonce>."
Bob → Alice: msg, {digest[msg]} bob-secretkey, and here is my certificate with my public key too, signed by our first Afronaught!
In practice
Once authentication has been achieved, a secret session-key is generated and exchanged. All exchanges after that can use a symmetric encryption algorithm based on the session key. This establishes a secure session. Bob doesn't know it really is Alice. Most bank customers don't have signed certificates, so the bank uses passwords to check identity, after the secure session is already established.
[Figure: SSL layered over TCP/IP]
SSL protocol
Provides a security handshake: authentication; negotiation on level of security; exchange of a session key; checks site IP numbers.
Thereafter, encrypts and decrypts the stream. https is a different protocol (uses different port numbers, etc.) rather than being overlaid onto the http protocol. This minimizes the risk of passing secure data over non-secured http. There are competing attempts to put the security above the http layer. See the Netscape site for news on a secure S/MIME type.
One-time pads
Perfect security. Symmetric. Have random pad bits, e.g. 100010100111: XOR to encrypt; XOR again to decrypt. Never re-use the pad.
Are they truly random? We need a secure channel to distribute them. Sender/Receiver must be synchronised.
Numbered Swiss bank accounts: signal numbers. Used for the US/Russia hotline between presidents? Interesting reasoning to assert perfect security:
The ciphertext 10010101 can be turned into any plaintext you want, e.g. 11110000, by some specific pad (01100101).
Because any plaintext is equally possible, the genuine plaintext has nothing to differentiate it from any other guess. So the method does not help or leak anything to the attacker.
By contrast, any key-based ciphertext has a pattern induced by the algorithm and the key. So you guess wrong, but can tell that the output is garbage; guess right, and it suddenly makes sense. So you've been helped by being able to tell when your guess is right. One-time pads do not give you this help.
Rather have Trent time-stamp hashes: he doesn't need to store the full document. Solves the first 3 problems.
Should we trust Trent, or seek protocols that reduce dependence on having trusted parties?
A better protocol: Trent could link timestamped docs to other users' documents (the document before, the document after) in sequence: it places bounds on time, and he (probably) cannot plan who these others are. So unless he gets their agreement, Trent cannot change the timestamp. But we can still improve on this:
This needs widespread collusion to defeat, and achieves the objective without having to trust anyone.
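The linked timestamps of the previous slide, as an added example that is not part of the original notes. Trent stores only the digest of each document together with the hash of the previous entry (the link), so backdating one entry breaks every later entry; the documents and times are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64   # link value before the first entry

def h(data):
    return hashlib.sha256(data).hexdigest()

def _link(entry):
    # hash over everything except the link itself, in a fixed field order
    body = {k: v for k, v in entry.items() if k != "link"}
    return h(json.dumps(body, sort_keys=True).encode())

def stamp(chain, user, document, when):
    """Trent's timestamp: digest[document] plus a link to the entry before it."""
    entry = {"seq": len(chain), "user": user, "time": when,
             "doc": h(document),
             "prev": chain[-1]["link"] if chain else GENESIS}
    entry["link"] = _link(entry)
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Anyone (not only Trent) can check that no entry was altered or reordered."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or _link(entry) != entry["link"]:
            return False
        prev = entry["link"]
    return True

def demo():
    chain = []
    stamp(chain, "alice", b"constructed document one", "2001-03-01T09:00")
    stamp(chain, "bob", b"constructed document two", "2001-03-01T09:05")
    stamp(chain, "carol", b"constructed document three", "2001-03-01T09:10")
    ok_before = verify_chain(chain)
    chain[1]["time"] = "2001-02-01T09:05"   # Trent tries to backdate Bob's stamp
    return ok_before, verify_chain(chain)   # the link from Carol's entry no longer matches
```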
Alice: I know what Lotto numbers are coming up this week! Bob: Prove it! Alice: All prime numbers: 2, 3, 5, 7, 11, 13. Bob: Aha, I'll bet on them now. Alice: Oops! How can Alice prove she knows something, or lodge a bet, without revealing what she is betting on, or revealing her secret?
Bit Commitment Protocol (just solving the problem for one bit will be enough!)
Always two stages:
Alice must commit to a choice without revealing it to Bob, Later when she does reveal it, it must be irrefutable. Can be many bits rather than just one.
Later: Alice reveals R1, R2, b.
Bob doesn't have to participate: it could be published by Alice in the newspaper. This is an ideal setting to try a birthday attack against the hash function, since Alice chooses both R1 and R2 ...
Called Blobs
Alice can commit to blobs. She can always open a blob and convince Bob of the value she committed to. Bob never learns to open other blobs from Alice. Blobs only carry their bit; they leak nothing else.
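The two-stage bit commitment above, as an added example that is not part of the original notes: the blob is a hash over R1, R2 and the bit (an assumption consistent with the birthday-attack remark), Bob can verify an opening but cannot open the blob himself, and Alice cannot open it as the other bit. The optional `r1` argument lets Bob supply R1, which removes Alice's freedom to choose both randoms.

```python
import hashlib
import secrets

def blob(r1, r2, b):
    """The committed value: a hash of R1, R2 and the bit b (assumed construction)."""
    return hashlib.sha256(r1 + r2 + bytes([b])).digest()

class Alice:
    def commit(self, b, r1=None):
        # Commit stage: only the blob is published; R1, R2 and b stay secret.
        # If Bob hands Alice R1, she no longer chooses both randoms, so she
        # cannot search for two (R1, R2) pairs whose blobs collide.
        if b not in (0, 1):
            raise ValueError("one bit only")
        self.r1 = r1 if r1 is not None else secrets.token_bytes(16)
        self.r2 = secrets.token_bytes(16)
        self.b = b
        return blob(self.r1, self.r2, self.b)

    def open(self):
        # Reveal stage: R1, R2, b are disclosed
        return self.r1, self.r2, self.b

def bob_verify(commitment, r1, r2, b):
    """Bob recomputes the blob; the opening is irrefutable only if it matches."""
    return b in (0, 1) and blob(r1, r2, b) == commitment

def demo():
    alice = Alice()
    c = alice.commit(1)
    r1, r2, b = alice.open()
    honest = bob_verify(c, r1, r2, b)
    cheat = bob_verify(c, r1, r2, 1 - b)        # Alice tries to open as the other bit
    wrong_r = bob_verify(c, r1, secrets.token_bytes(16), b)
    return honest, cheat, wrong_r
```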
Where is Peggy?
Peggy wants to prove she knows the secret to open the door. She commits by entering the tunnel on either side, Victor chooses either left or right, and Peggy comes out on the side Victor nominates. Maybe she just got lucky this time: try again.
Graph Theory
An isomorphism of graph G1 can be created by relabelling the nodes to get G2. It is exponentially hard for Victor to find the correspondence, but dead easy to check a solution. (This is the essence of what NP is all about.)
[Figure: graph G1 with nodes A..H and an isomorphic graph G2 with nodes R, H, O, D, E, S, U, V; the correspondence between them is marked ???]
Note that Peggy didn't find her secret. She would have started with a random G1, chosen the remapping, and generated G2 from G1 and the remapping. (When she signs up initially with Victor, she'll do this, and give him G1 and G2.)
To log on, Peggy must prove that she knows how G1 maps to G2 without revealing the mapping. She creates another relabelling and from that another graph H isomorphic to G1. She uses this new relabelling to transform her original secret (the mapping from G1 to G2) into the correspondence between G2 and H. Now she reveals H, and commits to two secrets: the mapping from G1 to H and the mapping from G2 to H. Victor can open either secret and check it, but he never learns how G1 maps to G2. Knowing the one isomorphism doesn't make finding the other any easier.
Graph Representation
Graphs are often represented as adjacency matrices, so an isomorphism is simply some permutation of the rows and columns.
[Figure: adjacency matrices of the two graphs, rows and columns labelled A..H and R, H, O, D, E, S, U, V, with some entries replaced by ?]
Find the row/col labels. Harder version: take out the BD link, and add GF.
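One round of the graph-isomorphism log-on described above, as an added example that is not part of the original notes. G1 and Peggy's secret relabelling A..H to R, H, O, D, E, S, U, V are constructed; each round Peggy builds a fresh H, commits to both mappings, and Victor opens one, so he checks a mapping every time without ever seeing the G1-to-G2 secret.

```python
import random

def relabel(edges, mapping):
    """Apply a node relabelling to an edge set (edges are 2-node frozensets)."""
    return frozenset(frozenset(mapping[v] for v in e) for e in edges)

def compose(first, then):
    """Mapping x -> then[first[x]]."""
    return {x: then[y] for x, y in first.items()}

def invert(mapping):
    return {y: x for x, y in mapping.items()}

# Constructed G1 on nodes A..H and Peggy's secret relabelling to G2
G1 = frozenset(frozenset(e) for e in ["AB", "BC", "CD", "DE", "EF", "FG", "GH", "HA", "AE", "BF"])
SECRET = dict(zip("ABCDEFGH", "RHODESUV"))
G2 = relabel(G1, SECRET)          # registered with Victor alongside G1

def peggy_round(g1, secret, rng):
    """Reveal a fresh H and commit to the two mappings G1->H and G2->H."""
    nodes = sorted({v for e in g1 for v in e})
    fresh = list(nodes)
    rng.shuffle(fresh)
    pi = dict(zip(nodes, fresh))                    # new relabelling G1 -> H
    h = relabel(g1, pi)
    g2_to_h = compose(invert(secret), pi)           # G2 -> G1 -> H, secret never shown
    return h, {"G1->H": pi, "G2->H": g2_to_h}

def victor_check(g1, g2, h, commits, choice):
    """Victor opens one committed mapping and checks it really produces H."""
    source = g1 if choice == "G1->H" else g2
    return relabel(source, commits[choice]) == h

def run_rounds(n=20, seed=7):
    rng = random.Random(seed)        # seeded only so the demo is repeatable
    for _ in range(n):
        h, commits = peggy_round(G1, SECRET, rng)
        if not victor_check(G1, G2, h, commits, rng.choice(["G1->H", "G2->H"])):
            return False
    return True                      # 20 passes: cheating chance 2**-20
```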
A Hamiltonian cycle in a graph is a path that visits every node exactly once and returns to its start. This is an NP problem: hard to find a solution, but easy to check one.
Graph Theory
[Figure: a graph on nodes A..H]
The cycle A H D F B G E C A solves it. Suppose Peggy registers the graph with Victor, using AHDFBGECA as her secret.
Victor grants access to anyone who can prove they know a Hamiltonian cycle
Peggy wants to authenticate herself without revealing the cycle. So she relabels all nodes and shuffles the graph around (creates an isomorphic graph). She chooses this relabelling: ABCDEFGH becomes RHODESUV.
So Peggy gives this new isomorphic graph to Victor, plus two committed secrets.
[Figure: the relabelled graph on nodes R, H, O, D, E, S, U, V]
Once Victor has the new graph he can open one of the secrets
Peggy either shows the cycle in the new graph, or she reveals the correspondence between the old and the new graphs. Note that this is not a proof for Victor: maybe she cheated and just solved one of the two problems, and was lucky that Victor asked for the right one. So he must repeat the exercise till he becomes convinced.
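The Hamiltonian-cycle authentication of the last few slides, as an added example that is not part of the original notes. The registered secret is the slide's cycle A H D F B G E C A; the graph holding it is constructed (the cycle edges plus four decoy edges), and each round Peggy relabels with a random shuffle of R, H, O, D, E, S, U, V and commits to both the relabelled cycle and the relabelling, of which Victor opens exactly one.

```python
import random

def relabel(edges, mapping):
    """Apply a node relabelling to an edge set (edges are 2-node frozensets)."""
    return frozenset(frozenset(mapping[v] for v in e) for e in edges)

def is_hamiltonian_cycle(edges, cycle):
    """Easy check: closed walk, every node of the graph exactly once, real edges only."""
    nodes = {v for e in edges for v in e}
    if len(cycle) != len(nodes) + 1 or cycle[0] != cycle[-1] or set(cycle[:-1]) != nodes:
        return False
    return all(frozenset((a, b)) in edges for a, b in zip(cycle, cycle[1:]))

# Registered secret (from the slide) inside a constructed graph with decoy edges
CYCLE = list("AHDFBGECA")
EDGES = (frozenset(frozenset(p) for p in zip(CYCLE, CYCLE[1:]))
         | frozenset(frozenset(p) for p in ["AB", "CD", "EF", "GH"]))
NODES = sorted(set(CYCLE))

def peggy_commit(rng):
    """Publish a relabelled graph; commit to the cycle in it and to the relabelling."""
    new_labels = list("RHODESUV")
    rng.shuffle(new_labels)
    mapping = dict(zip(NODES, new_labels))
    new_graph = relabel(EDGES, mapping)
    commits = {"cycle": [mapping[v] for v in CYCLE], "mapping": mapping}
    return new_graph, commits

def victor_check(new_graph, commits, choice):
    """Victor opens one secret: a cycle in the new graph, or the relabelling."""
    if choice == "cycle":
        return is_hamiltonian_cycle(new_graph, commits["cycle"])
    return relabel(EDGES, commits["mapping"]) == new_graph

def run_rounds(n=20, seed=3):
    rng = random.Random(seed)        # seeded only so the demo is repeatable
    for _ in range(n):
        new_graph, commits = peggy_commit(rng)
        if not victor_check(new_graph, commits, rng.choice(["cycle", "mapping"])):
            return False
    return True                      # each round halves a cheater's chance
```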
Stream Ciphers
Pseudo one-time pads, created from a complex feedback algorithm that generates a stream of bits. Essential for stream encryption, e.g. an audio or multimedia stream.
In general, if one party has to choose a random number that will be revealed, they could pick it "carefully", so that, say, bits 10 and 11 conveyed something extra to someone who knows where to look. Subliminal leakage of parts of your private key in every signature is serious! We'll do more on Steganography later.