15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern...
-
date post
22-Dec-2015 -
Category
Documents
-
view
226 -
download
0
Transcript of 15-349 Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern...
15-349
Introduction to Computer and Network Security
Iliano Cervesato
26 August 2008 – Modern Cryptography
2
Where we are
Course intro Cryptography
Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols
Program/OS security & trust Networks security Beyond technology
3
Outline
Cryptographic schemes Design principles
Confusion and diffusion Randomization Kerchoff’s principle
Mathematical foundations Computational complexity One-way functions Trapdoors
What is a secure cipher?
4
(Symmetric) Encryption Schemes
(K, E, D)
Key generation algorithm K : {0,1}
Encryption algorithm E : {0,1} x {0,1} {0,1}
Ek : {0,1} {0,1}
Decryption algorithm D: {0,1} x {0,1} {0,1}
Dk : {0,1} {0,1}
5
What makes a cipher good ?
behaves as expectedFunctionally sound
based on mathematicsConfusion and diffusion
examined by expertsOpen design
stood the test of timeMoore’s law
6
Functional requirements
E, D : {0,1}n x {0,1} {0,1}n
Dk(Ek(m)) = m For every k, Ek is an injection with inverse Dk
Ek(m) is easy to compute, given m and k
Dk(x) is easy to compute, given x and k
Polynomial in max{n,} - often linear
If x = Ek(m), it is hard to find m without k Exponential in
7
Confusion and Diffusion
Confusion Replace symbol with
another Hide plaintext symbols
Diffusion Mix up symbols Spread plaintext
around
WHATANI
ZZZJUCL
WHATANI
ANWIHAT
Modern ciphers are a combination
8
Augmenting diffusion
Make it harder for attackerRepeated encryptions of same text
are different
RandomizationEk : {0,1} x {0,1} {0,1}
Dk : {0,1} {0,1}
It must be that >
Part of all modern ciphers
9
Open Design
Kerchoff’s Principle (1883)The security of a cryptosystem must not depend on keeping the algorithm secret
No security by obscurity
Better Lots of smart but innocuous people dissect
it Than a single smart malicious
10
Shannon’s criteria
1. Strength of cipher proportional to effort
2. Keys should be simple
3. Implementation should be simple
4. Errors should not propagate
5. Size of ciphertext same as plaintext
11
Critique to Shannon’s Criteria
Shannon’s criteria based on manual process
1. Strength of cipher proportional to effort Strength should be depend on value, cost, time
2. Keys should be simple Not necessarily
3. Implementation should be simple Efficient!
4. Errors should not propagate Yes, many countermeasures nowadays
5. Size of ciphertext same as plaintext Not necessarily
Computers allow powerful automation
12
Computational problems
Finite space of solutions Always decidable
Can grow in size (n) Bigger size, bigger solution space
Questions How hard is it to find a solution? How hard is it to verify a solution?
“Hard” = amount of time Generic algorithms
– Best algorithm possible Not special cases!
13
Computational classes
P Finding solution polynomial in n
– Element lookup in list – O(n)– Sorting a list – O(n2)
Verifying solution also polynomial in n
NP Verifying solution polynomial in n
Finding solution may not be polynomial in n– Polynomial if we can “guess”– Polynomial if we can try solutions in parallel
EXP Finding solution exponential in n
Verifying solution may not be polynomial in n
14
Computational complexity
P NP EXP P EXP
P = NP ? Open problem Believed false
n n2
n3
n100
PNPEXP
2n
22n
15
NP-Complete problems
In NP As hard or harder than any other NP problem
Represent all NP problems– If polynomial solution exists, all NP problems have
one• P = NP
– If not, no NP-complete problem has one• P NP
Characteristics Always solvable Verifying solution is polynomial No known polynomial way to find solution
Exponential as far as we know
16
Computation in practice
Bounded by time If a small polynomial instance is solvable
Slightly larger instance also solvable Possibly with tomorrow’s technology
If a small exponential instance is solvable Slightly larger instance may not be solvable
Maybe not even with tomorrow’s technology
… but Moore’s law is exponential? Physical limitations Can always choose a big enough instance
17
NP-Completeness and Crypto
Require attacker to solve an NP-complete problem to find plaintext Exponential work in n But …
Crumbles if P = NP May be easy for small n Side channel attacks Advances in technology
– But Moore’s law is exponential ??
Trends in cryptography Rely on problems that are harder than NP
Quantum cryptography
18
One-way functions
Easy to compute f(i) o Evaluation in P
Linear
Hard to invert f-1(o) I Inverse is NP-
complete
Foundations of Hashing
finput output
Easy – P
Hard – NP
19
One-way functions with trapdoor Easy to compute
f(i,t) o Encryption in P
Linear
Hard to invert normally f-1(o) i Decryption without key is NP-complete
Easy to invert through trapdoor f-1(o,t) i Decryption with key in P
Linear
Foundations of Encryption Digital signatures
finput output
Easy – P
Hard – NP
Easy – P
trapdoor
20
Some NP-complete Problems
Boolean satisfiability Is there an assignment of boolean value that make a
formula in conjunctive normal form true? Knapsack
Is there a way to fill a bag of a given size completely with objects of various sizes?
Cliques Does a graph have a complete subgraph of a given
size? Discrete logarithm
Is there a such that ga mod n = b Integer factorization
What are the prime factors of number n?
21
When is a Cipher Secure?
Polynomial adversary cannot tell a real encryption box from a fake one
m
x
Ek(_)
m
x
Ek(0)
22
Formal Definition
Let E: {0,1} x {0,1} {0,1}
A(x m) = 1 iff x = Ek(m) A algorithm polynomial in key length
xm = Ek(m)
(K,E,D) is a secure encryption scheme if polynomial p(_) s.t. > k {0,1}
Pr[A(xm m) = 1] - Pr[A(x0 m) = 1] < 1/p()
23
Key length
The strength of a cipher is given by the length of the key Strength is non-polynomial in
10% longer key requires much more than 10% extra work
Often each extra bit doubles the effort
To get a stronger cipher, make key longer! Guideline for modern ciphers
Ciphers with variable key length– RSA– AES
Not sufficient for bad ciphers!