
P Wentworth, Rhodes University

Distributed Web Computing 2003: Cryptography Lectures, P Wentworth


www.cs.ru.ac.za/courses/honours/mmcourse email: p.wentworth@ru.ac.za


Public Key Encryption

- How Public Key encryption works.
- The PGP package: making the theory concrete.
- How the Secure Socket Layer protocol takes this one step further, by hiding the encryption mechanisms from the user.


Executable content

- How Applets and Executable Content create new security risks and problems.
- Mechanisms to make "untrusted" Java applets safe, by restricting them.
- More advanced mechanisms which attempt to unrestrict Applets, by establishing authentication mechanisms and levels of privilege for them.


What Is Cryptography?
The science of using mathematics to encrypt and decrypt data.


Why use cryptography?

- Some information is sensitive.
- Our computers and the Internet are not secure.
- We can ensure that only the intended recipient can make sense of the data.


Conventional symmetric Cryptography

Single-key (symmetric) encryption:

- Choose a key, encrypt: {plaintext} key
- Transmit the key via a secure channel.
- Transmit the message via an insecure channel.
- Decrypt with the same key: a symmetric system.
- Strong encryption: hard to crack, even if the attacker has plenty of plaintext/ciphertext samples.
- Some schemes: DES, RC4, AES (Rijndael). (Of these, only AES should still be used today: DES's 56-bit key can be brute-forced, and RC4's keystream has exploitable biases.)
- Pointless if you already have a secure channel?


Example (Caesar shift, key = 3):

  Hello --(encrypt, key = 3)--> Khoor --(sent on the Internet)--> Khoor --(decrypt, key = 3)--> Hello

If I want to keep my key 3 secret, what decrypting key can I publish?

Public Key Cryptography

Breakthrough in 1976 by Diffie and Hellman (with related ideas from Merkle), followed in 1977 by the easier-to-use RSA system (Rivest, Shamir, Adleman).
Two paired keys: one public, and one secret. Either key can decrypt what its partner encrypted:

  let m = {plaintext} public-key; then plaintext = {m} secret-key
  and vice versa: if m = {p} secret-key, then p = {m} public-key


Public Key Cryptography

- Removes the need for a secret channel to share keys.
- Public and private parts of the key pair can each decrypt the other's messages.
- The private key cannot easily be derived from what is published publicly.
- Neither the public nor the private key can reverse its own encryptions.


Used in two different ways:

- You encrypt something with Bill Gates's public key. Only Bill Gates can decrypt it. This is how you send him a secret message.
- You encrypt something with your private key. Anyone can decrypt it, but it MUST have come from you. This is (loosely) how you sign something digitally.


How is this useful?

When you send your personal information to your bank, how do you know you are really talking to the bank?
You can authenticate a remote person/computer/web site by sending a challenge message and asking them to encrypt it with their private key. You can use their public key to check it.

RSA Internals

Based on a trapdoor one-way function: easy to compute in one direction, hard to find the inverse, unless you know the secret trapdoor.

- Two large random primes p, q are chosen and multiplied together: n = p*q. This is easy.
- Choose a random e such that e and (p-1)(q-1) are relatively prime (i.e. their gcd is 1). (e, n) is the public key.
- Find d (the secret trapdoor) such that e*d mod (p-1)(q-1) = 1. (d, n) is the private key.
- Now destroy p and q!

Break the message into blocks which are each a little smaller than the number of bits in n.

- Encrypt each block with (e, n):  C_i = M_i^e mod n
- This can only be deciphered using the "inverse" decryption key (d, n):  M_i = C_i^d mod n
- Breaking the scheme this way (finding d) depends on factoring n. Factoring is believed to be hard: no polynomial-time algorithm is known, and the best known ones take sub-exponential time. (It is not known to be NP-hard.)
- In 2003 p and q were typically > 500 bits, or 150 digits; today a 2048-bit n (1024-bit p and q) is the minimum. "Textbook" RSA on raw message blocks is also never used directly in practice: messages are padded (e.g. OAEP) to defeat attacks on small or related messages.
- How can we know that p is prime if factoring is so tough? We have cheap probabilistic primality tests (e.g. Miller-Rabin), which do not need to factor anything.


For the mathematicians

[Figure: "Hello", treated as a number, exponentiated mod 142948723481 to give C = 62746286823]

- RSA is based on exponentiation in modular ("clock") arithmetic: exponentiation in the ring of integers mod n (not a field, since n is composite).
- This is a one-way function: easy to compute.
- Given C, e and the modulus, it is hard to undo the exponentiation (recover M, an e-th root mod n) without the trapdoor. This is related to, but not the same as, the Discrete Logarithm Problem, which asks for the exponent rather than the base.
- But it has a trapdoor: some special key that makes it easy to find the inverse.
- You can crack the encryption if you can factorize the modulus and so find the trapdoor!

A Digest ...

... is a short checksum or hash (typically 128 bits / 160 bits in 2003; 256 bits today) of a message. Good digests must be easy / fast to compute, but it must be very difficult to construct another message which generates the same digest, or to find any two messages with the same digest. (Not reversible.) Notation: digest[message].
Two methods of computing digests were in wide use at the time of these lectures: MD5 and SHA (Secure Hash Algorithm). SHA is a 160-bit hash approved for US Government use by NIST (National Institute of Standards and Technology). Collisions have since been found for both MD5 and SHA-1; new designs should use the SHA-2 family (e.g. SHA-256).


Digital Signatures

  signature = {digest[message]} my-secret-key

- The signature cannot be used against another message (the digest ensures this).
- The message cannot be altered without getting a different digest (digest property).
- Anybody can look up my-public-key and verify that only I could have encrypted this digest.

Security has two aspects

- The primitive algorithms like RSA, DES, SHA, Digital Signatures, etc. These provide the secret locks on our data.
- And the higher-level protocols. How do we use the primitives in an exchange of messages (the protocol) so that we achieve a bigger goal, like authenticating someone, or checking a password?

Our algorithms are generally secure. The protocols are much more tricky, and often open the door to attacks.


The Cast for Security Protocols

- Alice, Bob: primary participants
- Carol, Dave: extra participants
- Eve: eavesdropper
- Mallory/Mallet: malicious active attacker
- Trent: trusted arbitrator
- Walter: warden, sometimes guards Alice & Bob
- Peggy: prover
- Victor: verifier


Encrypting a message (basic protocol)

  A -> B: {message} B-publickey

Bob can recover the message by using his secret key to decrypt it. Only Bob will be able to recover the message. Note that Alice doesn't use her own key.

In practice, sending to Alice

We prefer symmetric encryption (much faster, and a short key gives equivalent strength), but how do we share the key securely? We choose a random session-key and send

  {message} session-key        (symmetric method)
followed by
  {session-key} A-pubkey       (asymmetric method)

and if the message is intended for many recipients, tack on
  {session-key} B-pubkey
  {session-key} C-pubkey
  ...


Protocol: Alice authenticating Bob - try 1

This is a higher level authentication protocol. Alice needs to know that Bob has bob-secretkey. She sends a random challenge (nonce) to be encrypted with Bob's secret key:

  A -> B: random-message
  B -> A: {random-message} bob-secretkey

Problem: Bob would be very stupid to encrypt anything someone puts in front of him, because it can now only have originated from him!


Alice authenticating Bob - try 2

Why doesn't Bob rather return an encrypted digest? At least this eliminates the message:

  A -> B: message
  B -> A: { digest[message] } bob-secretkey

Closer, but this is exactly the definition of a digital signature! Alice can attach the signature back to the original message which she originated. (Which probably says "I, Bob, owe Alice $10 million".)

Alice authenticating Bob - try 3

If Alice makes up the string, it is bad for Bob. Bob must originate some of the response:

  A -> B: Hello, can you prove you really are Bob?
  msg = "Alice, this really is Bob"
  B -> A: msg, { digest[msg] } bob-secretkey

Almost workable! But Mallory might record and replay Bob's message (a parrot attack) next time, and fool Alice into disclosing her account details. We need some randomness from Alice.

Alice authenticating Bob - try 4

  A -> B: Hello, prove you really are Bob, using this <new random string>
  msg = "Alice, this really is Bob, and I got your <new random string>"
  B -> A: msg, {digest[msg]} bob-secretkey

Lessons

- Alice needs a fresh nonce against parrot attacks.
- Bob must originate some of the response.


Another primitive - Certificates

Alice uses Bob's public key for authenticating Bob. We cannot rely on Bob for this, because anyone can invent a key-pair and fool Alice. Public keys must be trustworthy. We use a digital certificate to bind a name to a public key, like a kind of identity card.


Certificates

Contain the issuer's name, the name of the subject (Bob), the public key of the subject, and some expiry time stamps. Certificates are signed by the issuer. Site certificates also carry the site's domain name (occasionally an IP address), which the client must check against the host it actually connected to.
Hmm, how do we know the issuer's signature is not forged?


Certificate management scheme 1

Formal business wants a hierarchy of issuers:
- each certificate contains the signature of its issuer.
- you can follow the chain up to root issuers whose key everybody trusts and knows.
- you buy certificates from issuers. Visit the http://www.thawte.com website.

Could you fool Verisign into issuing a certificate to you in the name of Nedbank? See the Netscape and IE security tabs. (Mis-issuance has happened in practice, which is why browsers now also check revocation status and Certificate Transparency logs.)


Certificate management - scheme 2

Informal rings ("webs") of trust:
- Allow many signatures on every certificate.
- If you already trust some of these signers as introducers, you can trust the new certificate they've signed.
- You yourself are the final authority.
- There are already big databases of signed certificates. In a very short time, there are a handful of signatures that everyone tends to trust.
- Could we get a Nedbank cert signed by our friends?


Alice authenticating Bob protocol

It is fine for Bob to supply his own certificate to Alice (like showing your ID card), provided the certificate is properly underwritten.

  A -> B: Hello, prove you really are Bob, using this <nonce>
  msg = "I really am Bob, your <nonce>."
  B -> A: msg, { digest[msg] } bob-secretkey, and here is my certificate with my public key too, signed by our first Afronaught!
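The RSA internals, the digest-based signature, the four tries at authenticating Bob and the certificate check, carried through in one runnable script. This is an added example and not code from the lecture: the primes, the issuer key, the message texts and the certificate layout are assumptions chosen for the demonstration, and the digest is SHA-256 reduced modulo the toy n, which a real implementation never does (real keys use primes of hundreds of digits and pad the digest before signing).

```python
"""Toy RSA, digest signatures, the nonce challenge-response (try 4) and a
certificate check.  Added example, not from the lecture; tiny primes so it
runs instantly."""
import hashlib
import secrets
from math import gcd, isqrt


def rsa_keygen(p, q, e=65537):
    """Public key (e, n), private key (d, n); p and q are not needed afterwards."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to (p-1)(q-1)"
    d = pow(e, -1, phi)                    # e*d mod phi == 1  (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, block):
    """C = M^e mod n with the public key; M = C^d mod n with the private key."""
    exp, n = key
    assert 0 <= block < n, "a block must be smaller than the modulus"
    return pow(block, exp, n)


def digest(message, n):
    """SHA-256, reduced mod n only because the toy modulus is smaller than 256 bits."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message):
    return rsa_apply(priv, digest(message, priv[1]))      # {digest[message]} secret-key


def verify(pub, message, signature):
    return rsa_apply(pub, signature) == digest(message, pub[1])


def recover_private_key(pub):
    """Breaking RSA this way means factoring n; trial division works only for a toy n."""
    e, n = pub
    p = next(k for k in range(2, isqrt(n) + 1) if n % k == 0)
    return pow(e, -1, (p - 1) * (n // p - 1)), n


# Constructed keys: the issuer (a root everyone trusts) and Bob.
ISSUER_PUB, ISSUER_PRIV = rsa_keygen(1000003, 1000033)
BOB_PUB, BOB_PRIV = rsa_keygen(104729, 1299709)


def cert_body(subject, pub):
    """What the issuer signs: the binding of a name to a public key."""
    return f"subject={subject};e={pub[0]};n={pub[1]}".encode()


BOB_CERT = {"subject": "Bob", "pub": BOB_PUB,
            "sig": sign(ISSUER_PRIV, cert_body("Bob", BOB_PUB))}


def bob_respond(nonce):
    """Try 4: Bob originates the text, includes Alice's nonce, signs the digest."""
    msg = f"Alice, this really is Bob, and I got your {nonce}".encode()
    return msg, sign(BOB_PRIV, msg), BOB_CERT


def alice_check(nonce, msg, signature, cert):
    """Alice trusts only ISSUER_PUB; Bob's key is accepted because the issuer vouches for it."""
    if not verify(ISSUER_PUB, cert_body(cert["subject"], cert["pub"]), cert["sig"]):
        return False                       # self-made or forged certificate
    if cert["subject"] != "Bob":
        return False                       # genuine certificate, but for someone else
    if nonce.encode() not in msg:
        return False                       # old response replayed: parrot attack
    return verify(cert["pub"], msg, signature)


def honest_run():
    nonce = secrets.token_hex(8)
    return alice_check(nonce, *bob_respond(nonce))


def replayed_run():
    """Mallory records one exchange and plays it back against Alice's next nonce."""
    recorded = bob_respond(secrets.token_hex(8))
    return alice_check(secrets.token_hex(8), *recorded)


def tampered_run():
    """Mallory edits the message in flight; the digest no longer matches the signature."""
    nonce = secrets.token_hex(8)
    msg, sig, cert = bob_respond(nonce)
    return alice_check(nonce, msg.replace(b"Bob", b"Bob (not!)"), sig, cert)


def blind_signing_run():
    """The try 1 / try 2 problem: if Bob signs whatever he is handed, the signature is real."""
    iou = b"I, Bob, owe Alice $10 million"
    return verify(BOB_PUB, iou, sign(BOB_PRIV, iou))


if __name__ == "__main__":
    print("honest", honest_run(), "replay", replayed_run(), "tampered", tampered_run())
    print("blind signing yields a valid IOU:", blind_signing_run())
    print("factoring n recovers d:", recover_private_key(BOB_PUB) == BOB_PRIV)
```

The last line of the script is the lecture's point about factoring made concrete: for this toy modulus trial division recovers p, and with p the trapdoor d falls out in one modular inverse. The `blind_signing_run` result is the try 1/try 2 failure, not a bug: Bob signing an Alice-chosen string produces a signature that verifies on "I, Bob, owe Alice $10 million".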


In practice

Once authentication has been achieved, a secret session-key is generated and exchanged. All exchanges after that can use a symmetric encryption algorithm based on the session key. This establishes a secure session. Bob doesn't know it really is Alice: most bank customers don't have signed certificates, so the bank uses passwords to check identity, after the secure session is already established.


Avoiding garbling and parrot attacks

It is easy to record and to duplicate or delete a message without any understanding, or to inject some garbling. A keyed digest, a Message Authentication Code (MAC), is attached to every message to detect garbling or deliberate modification; an unkeyed digest would not do, since Mallory could recompute it after altering the message. Each message also needs a timestamp or a sequence number (covered by the MAC) to detect parrot attacks or deletion of messages.
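A MAC plus a sequence number per message, with the three failure modes above exercised against a receiver. Added example, not part of the lecture: the session key, the frame layout and the traffic (including what Mallory does to it) are constructed for the demonstration.

```python
"""Keyed digest (HMAC) plus a sequence number on every message, so the receiver
can tell garbling, replay (parrot) and deletion apart.  Added example, not from
the lecture; the session key and the traffic are constructed."""
import hashlib
import hmac
import struct

SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed: output of the handshake
TAG_LEN = 32


def seal(key, seq, payload):
    """frame = seq (4 bytes) || payload || HMAC-SHA256(key, seq || payload).
    The tag covers the sequence number, so Mallory cannot renumber a recorded frame."""
    header = struct.pack(">I", seq)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if the tag is right and it is exactly the next one expected."""

    def __init__(self, key):
        self.key, self.expected = key, 0
        self.accepted, self.rejected = [], []

    def receive(self, frame):
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):       # constant-time comparison
            self.rejected.append("garbled or forged")
            return False
        (seq,) = struct.unpack(">I", header)
        if seq < self.expected:
            self.rejected.append(f"replay of #{seq}")
            return False
        if seq > self.expected:
            self.rejected.append(f"#{self.expected} deleted before #{seq}")
            return False
        self.expected = seq + 1
        self.accepted.append(payload)
        return True


def mallory_on_the_wire():
    """Constructed session: three genuine frames, with Mallory garbling and replaying."""
    frames = [seal(SESSION_KEY, i, p) for i, p in enumerate([b"balance?", b"pay 10", b"logout"])]
    rx = Receiver(SESSION_KEY)
    garbled = frames[1][:4] + b"pay 99" + frames[1][-TAG_LEN:]   # same length, edited amount
    verdicts = [rx.receive(frames[0]), rx.receive(garbled), rx.receive(frames[1]),
                rx.receive(frames[1]), rx.receive(frames[2])]
    return verdicts, rx.rejected


def mallory_deletes_a_frame():
    """Constructed session in which the second frame never arrives."""
    frames = [seal(SESSION_KEY, i, p) for i, p in enumerate([b"balance?", b"pay 10", b"logout"])]
    rx = Receiver(SESSION_KEY)
    return [rx.receive(frames[0]), rx.receive(frames[2])], rx.rejected


if __name__ == "__main__":
    print(mallory_on_the_wire())
    print(mallory_deletes_a_frame())
```

The tag is checked before the sequence number is even parsed, so a garbled header cannot desynchronise the receiver, and the comparison is constant-time so that the tag cannot be guessed byte by byte from timing.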


Netscape's SSL protocol

In the public domain, now used by all browsers (and since standardised by the IETF as TLS; the original SSL 2 and SSL 3 are themselves deprecated).

  https    http    smtp    ftp    telnet
  ---------------- SSL -----------------
  --------------- tcp/ip ---------------

SSL protocol

Provides a security handshake: authentication; negotiation on the level of security; exchange of a session key; checks that the site's certificate matches the host the client asked for.

Thereafter, encrypts and decrypts the stream. https is a different protocol (uses a different port number, 443, etc.) rather than being overlaid onto the http protocol. This minimises the risk of passing secure data over non-secured http. There were competing attempts to put the security above the http layer. See the Netscape site for news on a secure S/MIME type.

A different encryption primitive: One-time pads

- Perfect security. Symmetric.
- Have random pad bits 100010100111; XOR to encrypt; XOR again to decrypt.
- Never re-use the pad.

Only problems are:
- Are they truly random?
- We need a secure channel to distribute them.
- Sender/Receiver must be synchronised.


One-time pads

Numbered Swiss bank accounts: signal numbers. Used for the US/Russia hotline between presidents?
Interesting reasoning to assert perfect security:

  ciphertext 10010101 can be turned into any plaintext you want, e.g. 11110000, by some specific pad (01100101)

Because any plaintext is equally possible, the genuine plaintext has nothing to differentiate it from any other guess. So the method does not help or leak anything to the attacker.


By contrast

Any key-based ciphertext has a pattern induced by the algorithm and the key. So you guess wrong, but can tell that the output is garbage; guess right, and it suddenly makes sense. So you've been helped by being able to tell when your guess is right. One-time pads do not give you this help.
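The pad argument above in code: XOR encryption, the fact that a pad exists for every candidate plaintext, and the one failure that the "never re-use" rule guards against. Added example, not from the lecture; the messages are constructed and the pad comes from the operating system's random source.

```python
"""One-time pad with XOR, the "any plaintext is possible" argument, and the
leak caused by reusing a pad.  Added example, not from the lecture; the
messages are constructed."""
import secrets


def xor(a, b):
    assert len(a) == len(b), "pad and message must have the same length"
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    return xor(plaintext, pad)            # decryption is the very same operation


def pad_explaining(ciphertext, claimed_plaintext):
    """For ANY candidate plaintext of the right length there is a pad that maps the
    ciphertext onto it, so the ciphertext alone cannot rule any candidate out."""
    return xor(ciphertext, claimed_plaintext)


def reuse_leak(c1, c2):
    """Two messages under the same pad: the pad cancels, c1 XOR c2 = p1 XOR p2."""
    return xor(c1, c2)


def slide_example():
    """The slide's bits: the pad that turns ciphertext 10010101 into plaintext 11110000."""
    pad = pad_explaining(bytes([0b10010101]), bytes([0b11110000]))
    return format(pad[0], "08b")


def demo():
    p1 = b"ATTACK AT DAWN"               # constructed messages of equal length
    p2 = b"RETREAT NOW!!!"
    pad = secrets.token_bytes(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)   # the second use is the mistake
    decoy = b"HOLD POSITION!"
    return {
        "roundtrip": otp_encrypt(c1, pad) == p1,
        # an attacker holding c1 can exhibit a pad under which it "decrypts" to the decoy
        "decoy": otp_encrypt(c1, pad_explaining(c1, decoy)) == decoy,
        # but reuse hands the attacker the XOR of the two plaintexts, with no key at all
        "reuse_leak": reuse_leak(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print(slide_example(), demo())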


What does e-commerce need?

- Security
- Privacy
- Digital signatures
- Authentication
- Non-repudiation of contracts / orders / receipts / patent applications, etc.
- Irrefutable mechanisms for timestamping documents.
- etc.


TimeStamping Service Protocols

Arbitrated solution: a trusted entity (e.g. SARB) adds a timestamp, then signs and keeps a copy of the contract.
Problems:
- No privacy
- Large storage needed
- What if it is lost or destroyed?
- Will Trent collude with Alice? Could he backdate his computer clock and timestamp it again?

Rather have Trent time-stamp hashes: he doesn't need to store the full document. This solves the first 3 problems.

Should we trust Trent, or seek protocols that reduce dependence on having trusted parties?


A better protocol: Trent could link timestamped docs to those of other users (the document before, the document after) in sequence. This places bounds on the time, and he (probably) cannot plan who these others are. So unless he gets their agreement, Trent cannot change the timestamp. But we can still improve on this:
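The linking idea as a runnable model: each stamp commits to the one before it, so a backdated stamp breaks every link issued after it. Added example, not from the lecture; the clients, documents and clock values are constructed, and Trent's signature on each link is left out (in a real service the link value is what he signs).

```python
"""Trent's linked timestamping: every stamp hashes in the previous stamp, so a
later change to one timestamp is visible to everyone holding the stamps that
followed.  Added example, not from the lecture; all data is constructed."""
import hashlib


def h(*parts):
    """Hash of a sequence of fields with separators, so fields cannot run together."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p if isinstance(p, bytes) else str(p).encode())
        m.update(b"|")
    return m.hexdigest()


class Trent:
    def __init__(self):
        self.chain = []                    # stamps in issue order, each linked to its predecessor

    def stamp(self, doc_hash, client, time):
        prev = self.chain[-1]["link"] if self.chain else "genesis"
        entry = {"doc": doc_hash, "client": client, "time": time, "prev": prev}
        entry["link"] = h(prev, doc_hash, client, time)   # in practice Trent signs this value
        self.chain.append(entry)
        return entry


def verify_chain(chain):
    """Anyone holding the sequence of stamps can recompute every link."""
    prev = "genesis"
    for entry in chain:
        if entry["prev"] != prev:
            return False
        if entry["link"] != h(prev, entry["doc"], entry["client"], entry["time"]):
            return False
        prev = entry["link"]
    return True


def bounds_for(chain, client):
    """The neighbours' times bracket a client's stamp, which is what makes backdating hard."""
    for i, entry in enumerate(chain):
        if entry["client"] == client:
            before = chain[i - 1]["time"] if i > 0 else None
            after = chain[i + 1]["time"] if i + 1 < len(chain) else None
            return before, after
    return None


def demo_backdating():
    """Constructed scenario: Alice wants her stamp moved earlier after Carol's and Dave's exist."""
    trent = Trent()
    trent.stamp(h(b"contract A"), "Carol", 1000)
    alice = trent.stamp(h(b"patent idea"), "Alice", 1001)
    trent.stamp(h(b"invoice 7"), "Dave", 1002)
    ok_before = verify_chain(trent.chain)
    alice["time"] = 900                    # Trent colludes and turns the clock back
    alice["link"] = h(alice["prev"], alice["doc"], alice["client"], alice["time"])
    return ok_before, verify_chain(trent.chain)   # Dave's stamp no longer links to Alice's


if __name__ == "__main__":
    print(demo_backdating())
```

Trent could still rewrite Dave's stamp too, but Dave holds his own copy, which is the "unless he gets their agreement" in the slide.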


Distributed Timestamping Protocol

Alice hashes the document and has an unforgeable way of extracting multiple timestamping server names from her hash (e.g. there is a published list of 256 server names; each byte in the hash is a number and says "use this service number").

Each of them timestamps her document.

It needs widespread collusion to defeat this, and it achieves the objective without having to trust anyone.


A Commercial Timestamping System

Centralizes and "batches" requests for timestamps. Timestamps all of them, and creates hashes of the timestamped docs and of the batches. All others in your "batch" are your wit


Alice: I know what Lotto numbers are coming up this week!
Bob: Prove it!
Alice: All prime numbers: 2, 3, 5, 7, 11, 13
Bob: Aha, I'll bet on them now.
Alice: Oops!

How can Alice prove she knows something, or lodge a bet, without revealing what she is betting on, or revealing her secret?


Bit Commitment Protocol (just solving the problem for one bit will be enough!)

Always two stages:
- Alice must commit to a choice without revealing it to Bob.
- Later, when she does reveal it, it must be irrefutable.
Can be many bits rather than just one.

How do you bet heads/tails on the Internet?


Bit Commitment (in coin flipping), using symmetric cryptography

  B -> A: <random number>
  A -> B: { "I choose Heads", <random number> } a_secret_key
Later:
  B -> A: "The coin lands on Heads"
  A -> B: here is a_secret_key to check my bet. Please pay me!

(What's going on here? Is Bob safe against Alice cheating, or is Alice safe against Bob cheating? How to fix? Hint: Alice is safe, since Bob cannot read the commitment without the key. Bob is only safe if Alice cannot find a second key that decrypts the same ciphertext to "I choose Tails"; with a stream cipher or a pad that is trivial, and Bob's random number is there to stop Alice preparing such a pair of keys in advance.)


Bit Commitment alternative protocol

Using one-way hashes, with b = 0 (Heads) or 1 (Tails):

  A -> B: H(R1, R2, b) ++ R1
Later:
  A -> B: R1, R2, b

Bob doesn't have to participate: it could be published by Alice in the newspaper. It is an ideal setting to try a birthday attack against the hash function, since Alice chooses both R1 and R2 ...


What's a birthday attack?

Finding two people in a group with the same birthday. In cryptography, finding two messages that hash onto the same 128 or 160 bit hash. So if Alice can find R1, R2, and R3 such that

  C = Hash(R1, R2, 0) = Hash(R1, R3, 1)

she can cheat by publishing C and R1, waiting for the outcome, then revealing either R2 or R3 to claim her prize.
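Both commitment protocols and the birthday attack, in code. Added example, not from the lecture: it answers the symmetric-key question by using XOR as the cipher (an assumption, chosen because it is malleable), implements H(R1, R2, b) ++ R1 with SHA-256, and runs the birthday search against a hash deliberately truncated to 24 bits so that it finishes in well under a second; against the full 256-bit hash the same search would need about 2^128 work.

```python
"""Bit commitment for coin flipping: (1) the symmetric-key version with a
malleable cipher lets Alice open her commitment either way, (2) the hash
version H(R1, R2, b) || R1, (3) the birthday attack on a truncated hash.
Added example, not from the lecture; all values are constructed."""
import hashlib
import secrets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def symmetric_commit_cheat():
    """A -> B: {"I choose Heads", r} under a_secret_key, using XOR as the cipher (assumed).
    After Bob announces Tails, Alice hands over a *different* key that opens to Tails."""
    r = secrets.token_hex(4)                          # Bob's random number, constructed
    heads = f"I choose Heads|{r}".encode()
    tails = f"I choose Tails|{r}".encode()            # same length as heads
    key = secrets.token_bytes(len(heads))
    ciphertext = xor(heads, key)
    forged_key = xor(ciphertext, tails)               # for XOR every key is a "valid" key
    return xor(ciphertext, forged_key) == tails       # Bob decrypts ... and pays for Tails


def commit(bit, r1=None, r2=None, hash_bits=256):
    """Hash commitment: publish H(R1, R2, b) together with R1; keep R2 and b secret."""
    r1 = r1 if r1 is not None else secrets.token_bytes(16)
    r2 = r2 if r2 is not None else secrets.token_bytes(16)
    c = hashlib.sha256(r1 + b"|" + r2 + b"|" + bytes([bit])).digest()[: hash_bits // 8]
    return (c, r1), (r2, bit)          # (public blob, what Alice keeps to open it later)


def open_commitment(blob, opening, hash_bits=256):
    c, r1 = blob
    r2, bit = opening
    return commit(bit, r1, r2, hash_bits)[0][0] == c


def birthday_attack(hash_bits=24, tries=20000):
    """Find R2, R3 with H(R1,R2,0) == H(R1,R3,1) so one blob opens as either bit.
    About 2^(bits/2) work instead of 2^bits, which is the birthday bound; here the
    hash is truncated to 24 bits so that ~2^12 candidates per side suffice."""
    r1 = secrets.token_bytes(16)
    heads = {}
    for i in range(tries):
        r2 = i.to_bytes(4, "big")
        heads[commit(0, r1, r2, hash_bits)[0][0]] = r2
    for i in range(tries):
        r3 = i.to_bytes(4, "big") + b"T"
        c = commit(1, r1, r3, hash_bits)[0][0]
        if c in heads:
            return (c, r1), (heads[c], 0), (r3, 1)   # one blob, two valid openings
    return None


if __name__ == "__main__":
    print("XOR commitment can be opened as Tails:", symmetric_commit_cheat())
    blob, two_openings = birthday_attack()[0], birthday_attack()[1:]
    print("24-bit hash blob opens both ways:",
          all(open_commitment(blob, o, 24) for o in two_openings))
```

With 20000 candidates on each side the expected number of cross-collisions on a 24-bit hash is about 24, so the search essentially never fails; the same code with `hash_bits=256` would run forever, which is the whole point of using a full-width hash for commitments.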


Called Blobs

- Alice can commit to blobs.
- She can always open a blob, and convince Bob of the value she committed to.
- Bob never learns to open other blobs from Alice.
- Blobs only carry their bit; they leak nothing else.


Timestamping Commitments, and Patent Rights


Could we encrypt, timestamp and publish a patentable idea, without revealing the idea? If someone else tries to patent, we decrypt and assert "prior art".


Now for a tougher protocol

In bit-commitment, Alice proves her choice by eventually revealing it. How can Peggy convince Victor she knows a secret, say a PIN number or a password, without ever revealing the secret?


Zero-knowledge proof protocols


Prover Peggy convinces verifier Victor that she knows the secret, but Victor learns nothing about the secret while she makes the proof.

These are interactive protocols.


Where is Peggy?

Peggy wants to prove she knows the secret to open the door. She commits by entering the tunnel on either side; Victor chooses either left or right; Peggy comes out on the side Victor nominates. Maybe she just got lucky this time: try again.


Basic zero-knowledge protocol

- Peggy commits to one of two alternatives. Victor chooses.
- Peggy's ability to satisfy Victor's choice must be evidence that she seems to have the secret.
- They can do this over and over again.
- Could they videotape this and convince a third party that no collusion took place? No: Peggy and Victor could agree the choices in advance and record a perfect-looking tape without Peggy knowing the secret. The fact that such a fake transcript is indistinguishable from a genuine one is exactly the "proof" that there is no leakage.


Cut and Choose Protocol

Peggy's secret S1 solves a problem P1. Peggy transforms S1 to S1' and P1 to P1' such that S1' solves P1'. She reveals P1', and commits to both
  A) how the transform P1 -> P1' happened, and
  B) how P1' is solved by S1'.

Victor may choose to verify either A or B, but not both.


An example: A zero-knowledge proof based on Graph Theory

Based on isomorphisms in graphs. Checking a proposed isomorphism is easy; no efficient way of finding one is known. (Graph isomorphism is in NP but, unlike the Hamiltonian cycle problem below, it is not known to be NP-complete.)

Graph Theory

An isomorphism (G1 -> G2) of graph G1 can be created by relabelling the nodes to get G2. It is hard for Victor to find the correspondence, but dead easy to check a solution. (This is the essence of what NP is all about.)

[Figure: graph G1 with nodes A, B, C, D, E, F, G, H and an isomorphic graph G2 with nodes R, H, O, D, E, S, U, V; the correspondence is marked "???"]

The isomorphism can be expressed as a simple remapping. This is Peggy's secret:

  ABCDEFGH -> RHODESUV


Note that Peggy didn't find her secret. She would have started with a random G1, chosen the remapping, and generated G2 from G1 and the remapping. (When she signs up initially with Victor, she'll do this, and give him G1 and G2.)


To log on, Peggy must prove that she knows how G1 maps to G2 without revealing the mapping. She creates another random relabelling and from that another isomorphic graph H (G1 -> H). She uses this new relabelling together with her original secret (G1 -> G2) to work out the correspondence G2 -> H. Now she reveals H, and commits to the two secrets G1 -> H and G2 -> H. Victor can open either secret and check it, but he never learns how G1 -> G2. Knowing one of the two isomorphisms doesn't make finding the other any easier, and each round uses a fresh H.
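The cut-and-choose protocol on graph isomorphism, round by round, with an honest Peggy, a cheating Peggy who does not know the mapping, and the "videotape" simulator that shows why the transcript leaks nothing. Added example, not from the lecture: the edge set of G1 is constructed (the slides only show a picture), while the relabelling ABCDEFGH -> RHODESUV is the lecture's; node labels in H are integers.

```python
"""The graph-isomorphism zero-knowledge protocol: Peggy registered G1 and
G2 = pi(G1) with Victor; pi is her secret.  Added example, not from the
lecture; the edge set is constructed, the relabelling is the slide's."""
import random

G1_EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F"), ("F", "G"),
            ("G", "H"), ("H", "A"), ("A", "E"), ("B", "F"), ("C", "G"), ("D", "H"), ("B", "D")]
PI = dict(zip("ABCDEFGH", "RHODESUV"))             # Peggy's secret: G1 -> G2
NODES = {0: "ABCDEFGH", 1: "RHODESUV"}             # node labels of G1 and of G2


def relabel(edges, mapping):
    """Apply a relabelling; edges become unordered pairs so direction never matters."""
    return frozenset(frozenset((mapping[u], mapping[v])) for u, v in edges)


def edges_of(graph):
    return [tuple(e) for e in graph]


G1 = relabel(G1_EDGES, {v: v for v in "ABCDEFGH"})   # Victor holds both G1 and G2
G2 = relabel(G1_EDGES, PI)


def random_perm(rng, labels):
    targets = list(range(len(labels)))
    rng.shuffle(targets)
    return dict(zip(labels, targets))


def peggy_round(rng):
    """Fresh sigma each round: H = sigma(G1); the G2 -> H secret is sigma composed with pi^-1."""
    sigma = random_perm(rng, NODES[0])
    tau = {PI[v]: sigma[v] for v in NODES[0]}
    return relabel(G1_EDGES, sigma), {0: sigma, 1: tau}


def victor_checks(H, challenge, answer):
    """Challenge 0: does answer map G1 onto H?  Challenge 1: does it map G2 onto H?"""
    source = G1 if challenge == 0 else G2
    return relabel(edges_of(source), answer) == H


def cheating_peggy(rng):
    """Knows G1 and G2 but not pi: guesses which side Victor will ask for, builds H from
    that side, and bluffs the other side with a random relabelling."""
    guess = rng.randint(0, 1)
    source = G1 if guess == 0 else G2
    sigma = random_perm(rng, NODES[guess])
    bluff = random_perm(rng, NODES[1 - guess])
    return relabel(edges_of(source), sigma), {guess: sigma, 1 - guess: bluff}


def run_protocol(prover, rounds=32, seed=1):
    """A cheater survives each round with probability about 1/2; 32 rounds leave 2^-32."""
    rng = random.Random(seed)
    for _ in range(rounds):
        H, answers = prover(rng)
        challenge = rng.randint(0, 1)          # Victor chooses only after H is fixed
        if not victor_checks(H, challenge, answers[challenge]):
            return False
    return True


def simulated_transcript_verifies(rounds=32, seed=3):
    """Why a videotape proves nothing: without pi, pick the challenge first and build H from
    the side it asks for.  Every round verifies and the tape is indistinguishable from a real one."""
    rng = random.Random(seed)
    ok = True
    for _ in range(rounds):
        challenge = rng.randint(0, 1)
        source = G1 if challenge == 0 else G2
        sigma = random_perm(rng, NODES[challenge])
        ok = ok and victor_checks(relabel(edges_of(source), sigma), challenge, sigma)
    return ok


if __name__ == "__main__":
    print("honest Peggy:", run_protocol(peggy_round))
    print("cheating Peggy:", run_protocol(cheating_peggy))
    print("faked tape verifies:", simulated_transcript_verifies())
```

The only difference between the honest run and the simulated tape is the order in which H and the challenge are fixed, which is why Victor's choice must come after H and why a transcript convinces nobody else.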

Graph Representation

Graphs are often represented as adjacency matrices, so an isomorphism is simply some permutation of the rows and columns.

[Figure: adjacency matrix of G1 with rows/columns A B C D E F G H, and the adjacency matrix of G2 with unknown row/column labels drawn from R, H, O, D, E, S, U, V. Exercise: find the row/column labels. Harder version: take out the B-D link and add G-F.]

Small variant: Hamiltonian Cycles

Peggy must prove that she knows a Hamiltonian cycle in G without revealing it. She creates an isomorphism G -> H, and uses the existing cycle in G and the relabelling to produce the Hamiltonian cycle in H. She commits to both G -> H and to the Hamiltonian cycle in H. Victor chooses and verifies one, but never both.

A Hamiltonian cycle in a graph is a closed path that visits every node exactly once. Finding one is NP-complete (hard to find a solution, but easy to check one).

Graph Theory

[Figure: a graph on nodes A, B, C, D, E, F, G, H]

A H D F B G E C A solves it. Suppose Peggy registers the graph with Victor, using AHDFBGECA as her secret.


Victor grants access to anyone who can prove they know a Hamiltonian cycle.
Peggy wants to authenticate herself without revealing the cycle. So she relabels all nodes and shuffles the graph around (creates an isomorphic graph). She chooses this relabelling: ABCDEFGH -> RHODESUV

So Peggy gives this new isomorphic graph to Victor, plus two committed secrets.

[Figure: the relabelled graph on nodes R, H, O, D, E, S, U, V]


Secret 1 = relabelling: ABCDEFGH RHODESUV Secret 2 = relabelled cycle: relabel(AHDFBGECA) RVDSHUEOR


Once Victor has the new graph he can open one of the secrets:
Peggy either shows the cycle in the new graph, or she reveals the correspondence between the old and the new graphs. Note that one round is not a proof for Victor: maybe she cheated and just solved one of the two problems, and was lucky that Victor asked for the right one. So he must repeat the exercise until he becomes convinced (each round halves a cheater's chance).
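The Hamiltonian-cycle variant with the lecture's own cycle and relabelling. Added example, not from the lecture: the graph G is constructed so that it contains the cycle A H D F B G E C A plus some decoy edges (the slides only show a picture), and the cheating prover's two strategies are this example's illustration of why a single round proves nothing.

```python
"""Peggy proves she knows a Hamiltonian cycle in G without revealing it.
Added example, not from the lecture: G is constructed around the slide's
cycle AHDFBGECA; the relabelling ABCDEFGH -> RHODESUV is the slide's."""
import random

CYCLE = list("AHDFBGEC")                      # Peggy's registered secret, AHDFBGECA
DECOYS = [("A", "B"), ("C", "D"), ("E", "F"), ("G", "H"), ("A", "E"), ("H", "C")]
NODES = sorted("ABCDEFGH")


def edges(cycle):
    """Consecutive pairs of a node order, wrapping around at the end."""
    return [(u, v) for u, v in zip(cycle, cycle[1:] + cycle[:1])]


G = frozenset(frozenset(e) for e in edges(CYCLE) + DECOYS)   # what Victor holds


def relabel(graph, mapping):
    return frozenset(frozenset(mapping[v] for v in e) for e in graph)


def is_hamiltonian_cycle(graph, cycle):
    """Linear check: every node exactly once, and consecutive nodes (wrapping) adjacent."""
    nodes = {v for e in graph for v in e}
    if len(cycle) != len(nodes) or set(cycle) != nodes:
        return False
    return all(frozenset((u, v)) in graph for u, v in edges(cycle))


def random_perm(rng, labels):
    targets = list(range(len(labels)))
    rng.shuffle(targets)
    return dict(zip(labels, targets))


def peggy_round(rng):
    """Commit to sigma (G -> H) and to sigma applied to the cycle; reveal only one."""
    sigma = random_perm(rng, NODES)
    return relabel(G, sigma), {0: sigma, 1: [sigma[v] for v in CYCLE]}


def victor_checks(H, challenge, answer):
    if challenge == 0:
        return relabel(G, answer) == H          # H really is a relabelling of G
    return is_hamiltonian_cycle(H, answer)      # a cycle in H; useless for G without sigma


def cheating_peggy(rng):
    """Knows no cycle in G.  Guess 0: H = sigma(G), bluff a random node order as the cycle.
    Guess 1: H is built around a cycle she does know, but then H is not a relabelling of G."""
    guess = rng.randint(0, 1)
    sigma = random_perm(rng, NODES)
    if guess == 0:
        order = NODES[:]
        rng.shuffle(order)
        return relabel(G, sigma), {0: sigma, 1: [sigma[v] for v in order]}
    fake = frozenset(frozenset(e) for e in edges(NODES) + DECOYS)   # cycle A..H in order
    return relabel(fake, sigma), {0: sigma, 1: [sigma[v] for v in NODES]}


def run_protocol(prover, rounds=32, seed=7):
    rng = random.Random(seed)
    for _ in range(rounds):
        H, answers = prover(rng)
        challenge = rng.randint(0, 1)
        if not victor_checks(H, challenge, answers[challenge]):
            return False
    return True


def lecture_example():
    """Relabel with ABCDEFGH -> RHODESUV and check the slide's cycle RVDSHUEOR in the result."""
    mapping = dict(zip("ABCDEFGH", "RHODESUV"))
    return is_hamiltonian_cycle(relabel(G, mapping), list("RVDSHUEO"))


if __name__ == "__main__":
    print("slide's relabelled cycle checks out:", lecture_example())
    print("honest Peggy:", run_protocol(peggy_round), " cheater:", run_protocol(cheating_peggy))
```

Revealing the cycle in H is safe because H carries fresh integer labels each round: without sigma, the revealed cycle is just one of the many Hamiltonian cycles of some relabelled copy of G, and nothing ties its nodes back to A..H.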


Stream Ciphers

Pseudo one-time pads: created from a complex feedback algorithm (a keyed pseudo-random generator) to generate a stream of bits. Essential for stream encryption, e.g. an audio or multimedia stream. Unlike a true one-time pad, the security rests entirely on the generator, and re-using a key stream is just as fatal as re-using a pad.

A threat to any protocol: Subliminal Channels

Subliminal: below the level of consciousness.

In general, if one party has to choose a random number that will be revealed, they could pick it "carefully", so that, say, bits 10 and 11 conveyed something extra to someone who knows where to look. Subliminal leakage of parts of your private key in every signature is serious! We'll do more on Steganography later.


Other Security Issues

- Your private key on a smartcard?
- Single-logon computing?
- Government and policy issues - EFF
