Post on 07-Jan-2016
description
Cryptography
ECT 582 – Winter 2004
Robin Burke
Discussion
Outline
Background Symmetric encryption Cryptographic attacks Public-key encryption Protecting message integrity Digital signatures Cryptographic software
Why cryptography?
Two rolesconfidentialityintegrity
Essential security propertiesespecially important on a public
network
Cryptography in History
Very oldprobably as old as writing
Hebrew ATBASH cipher500-600 BC
Julius Caesar's substitution cipher50-60 BC
Basic idea
Plaintext (P) message to send
Alice sender
Bob recipient
Eve eavesdropper
Ciphertext (C) scrambled version of the message
Algorithm technique for turning P into C (and back)
How it works
The algorithm f is a secretshared by A and B
ProcessA computes f(P) = CTransmits C to BB computes f'(C) = PE doesn't know the secret
Problem
Secret algorithms hard to develop Once disclosed
all messages readable
Better solution
f is a function of two valuesf(k, P) = C
Usually reversiblef' (k, C) = P
k = the secret key
Symmetric encryption
Alice and Bob perform the same operationsame key k
BenefitsAlgorithm doesn't have to be secretDisclosure of one key leaves other
message still protected
New problem
Shared secretAlice and Bob need to know k
Why can't Alice encrypt k and send it to Bob?
Attacks
confidentiality Brute force
try every possible key Cryptanalysis
use properties of encrypted message to narrow range of possible keys
Cryptographic algorithms
Very difficult to develop Existing algorithms
DES• obsolete
Triple DES RCx AES IDEA Blowfish
Differences
Key sizeVariableFixed size
Proprietary vs open History Cryptographic strength
The Real Issue
Plaintext contains information Ciphertext should "look random"
no information for cryptanalysis How to do this
spread the information arounduse the key as a seed for a complex
pattern
Brute force effort
We assume that keys are chosen randomlyall bit patterns equally likely
Three bit key23 = 8 possibilities from 000 to 111
How long to guess?on average 4 guesses will be enough
Key Size
Larger key protects against a brute force attack56 bits = 72 quintillion keys
But"Deep Crack" 90 billion keys / sec.distributed.net 250 billion keys / sec.
Key Space
Whole key space isn't used?less space to searchthis can make a big difference
Passwords = poor keyspaceCan only use keyboard charactersPeople often use only a fraction of that
Sharing Secret Data
How do A and B agree on k? Need an alternative secure channel
Solvable for spiesUnsolvable for the Internet
Public-key encryption
asymmetricone key to encipheranother to decipher
A pair of functionsf1 (k1, P) = Cf2 (k2, C) = P
Public key = k1
Private key = k2
What's the big deal?
Shared secret no longer needed k1 can be divulged to the world
All it can do is encrypt k2 must be secret
Encryption mode
Alice gets Bob's public key b1
Alice computes f1 (b1, P) = C Bob receives C Bob computes f2 (b2, C) = P
Authentication mode
Alice computes f2 (a2, P) = C Bob computes f1 (a1, C) = P
anyone could do this No privacy
but identifies originonly Alice could have encoded C
Public-key algorithms
Very, very difficult to create Algorithms
Diffie-Helman / ElGamalRSAElliptic curve
RSA
Select e Select p and q
primep-1 and e have no common divisorsq-1 and e also
public modulus n = pq private modulus d
(de – 1) divisible by (p – 1) and (q – 1)
RSA continued
public keyn + e
private keyn + d
Pe mod n = C Cd mod n = P
Example: key generation
e = 5, p = 7, q = 17 n = 119 d = 77 de – 1 = 384. divisible by 6 and 16. k1 = (5, 119) k2 = (77, 119),
Example: encryption
EncryptionP = 65 (ASCII 'A')C = 655 mod 119 = 46
DecryptionC = 46P = 4677 mod 119 = 65
Example: authentication
P = 65 Authenticate
S = 6577 mod 119 = 39Send S, k1
VerifyP = 395 mod 119 = 65Only the private key holder could have
sent
ElGamal
RSA depends on the mathematical properties of primesfactoring of a large n into primes p and q
ElGamaluses "discrete logarithm"
ElGamal
Alice and Bob agree on prime number p generator a
Generation step Alice generates a random number x Bob generates a random number y
Exchange step Alice sends Bob ax mod p Bob sends Alice ay mod p
Shared key Alice and Bob both compute K = axy mod p
ElGamal
Eve listeningknows a and plearns ax mod p and ay mod pbut cannot recover K
NoteBob won't learn x eitherNot useful for encryption"One-way function"
Public key version
Bob generates both x and ypublic key is ay mod p
Practical Cryptographic Implementation PGP Uses RSA for public-key crypto Problem
too slow Solution
Use IDEAGenerate a symmetric keyShare it using RSA
PGP Dataflow
Protecting integrity
Message Authentication Code Process
Alice writes PAlice computes m(P) = MAlice sends Bob P + MBob computes m(P). Compares M
Useful even if P is not encrypted
Attacks
If Eve modifies P P'Bob computes m(P'). Won't match M
What if Eve modifies P P' andalso computes m(P') = M'sends P' + M'
m also needs a shared secretm(k, P)
MAC Features
should be much shorter than the original message
small change in message should result in very different MAC
difficult to reverse engineer
Digital Signatures
MAC does not support non-repudiation
Bob could receive P + Mverify that it came from Alice
But Bob could also alter P P'recompute m(k, P') = M'
Tell the judge that Alice sent P' + M'how to prove otherwise
Digital Signature
AuthenticationOnly Alice can computef2 (k2, P) = C
Combine with a messageP + CNow anyone can check that P
matches CBob could not generate C
DSA
Federal standard Uses a variant of ElGamal Three public values
p = prime modulusq = prime divisor of p-1g = j (p-1)/q mod pwhere j is a random integer < p
To sign
Generate a hash h of P Pick a random number k Generate two values
r = (gk mod p) mod qs = (k-1 (h + kr) mod qwhere (k-1 k) mod q = 1
Send message P + r + s
To verify
(complicated) Receive message P' with r' and s' Compute hash h' of received P' w = s'-1 mod q u1 = h' w mod q u2 = r' w mod q v = (gu1 yu2 mod p) mod q r' should equal v
Attacker
Knows p, q, and g Does not know k Infeasible to compute the r, s pair
without knowing k
Elliptic curve
Math is very complex But the basic idea is that we define a
curvey2 + xy = x3 + ax2 + bthe parameters of the curve are the
secret knowledge
Encryption
P and Q are points on the curve P+Q is defined geometrically k*P = C
Encryption, cont'd
A specific base point G is selected and published for use with the curve E(q).
A private key k is selected as a random integer;
the value P = k*G is published as the public key
If Alice and Bob have private keys kA and kB, and public keys PA and PB, then
Alice can calculate kA*PB = (kA*kB)*G; and Bob can compute the same value as kB*PA = (kB*kA)*G.
Elliptic curve
BenefitsFaster to compute than RSA or
ElGamalComputationally "harder" inverse
problem = better security for same key size
Drawbackstill somewhat newmaybe flaws not yet known
Attacking digital signatures
Bob wants to send Alice a secure message P Eve wants to modify it Bob signs P with private key kb1, creating MAC M Bob sends P + M + kb2 to Alice Eve intercepts this message Eve creates a modified message P' Signs it with her private key ke1
Sends P' + M' + ke2
Alice gets P' Verifies the signature against the public key Eve wins
Man in the middle
The "man in the middle" can masquerade as the sender
DSA has no authentication defense We know
the message was unchanged since signing whoever signed it used the private key that
matches the supplied public key We don't know
that the signer is actually the sender who does the public key belong to?
Answer: next two weeks
Public key certificates Public key infrastructure Read
Ford & Baum, Ch. 6
Assignment #2
Question 1effectiveness of brute force
Questions 2 & 3 running PGPuse shrike
Question 41-2 page discussion of the results of 2
& 3