David Cash
An Invitation to Cryptography: From Herodotus to Snowden
CMSC 28400, Autumn 2019, Lecture 1
University of Chicago
Slides only rarely after today!
I think Cryptography is Fun and Interesting & Important
- Fun and interesting: beautiful and unique math; clever attacks; philosophy, precisely; oh the drama!
- Important: for your daily life; for businesses; for liberty and democracy; life or death for many
Greco-Persian Wars c. 500 BC
Herodotus (499-449BC)
Goal: Private Communication
HELP IS COMING
Communication channel (insecure)
Steganography: Cryptography Prehistory ~600-400BC
Credit: Peter van der Sluijs https://creativecommons.org/licenses/by-sa/3.0/deed.en
Credit: Museum Berlin https://creativecommons.org/licenses/by-sa/3.0/deed.en
The Beginnings of Encryption, ~400BC
Credit: Wikipedia user Luringen https://creativecommons.org/licenses/by-sa/3.0/deed.en
Scytale
Substitution Ciphers, c. 50BC + earlier
Julius Caesar (100-44BC)
More on Friday!
Frequency Analysis and Al-Kindi (801-873 AD)
More on Friday!
The first page of al-Kindi's manuscript "On Deciphering Cryptographic Messages"
Blaise de Vigenère (1523-1596) (not the inventor)
Polyalphabetic Ciphers: Le Chiffre Indéchiffrable
More on Friday!
Credit: Augusto Buonafalce https://creativecommons.org/licenses/by-sa/3.0/deed.en
Leon Battista Alberti (1404-1472)
Homophonic Ciphers: Le Grand Chiffre (c. 1626-1811)
Louis XIV (1638-1715)
Guessed that “124-22-125-46-345” stood for “les en-ne-mie-s”
Étienne Bazeries (1846-1931) broke it in the 1890s (!)
Homophonic Ciphers: Copiale Cipher (1760)
Broken in 2011 using machine learning!
Kevin Knight, Beáta Megyesi, Christiane Schaefer
Les Cabinets Noirs (Black Chambers) 1700s—today?
Privacy and the Telegraph (mid 1800s)
Credit: ITU Pictures https://creativecommons.org/licenses/by/2.0/
Quarterly Review, 1853
Zimmerman Telegram (1917)
Unbroken Ciphertexts
Voynich Manuscript (early 1400s?)
Unbroken Ciphertexts
Beale Ciphers (1819)
Mechanical ciphers: c. 1900-1980s
Photograph by Rama, Wikimedia Commons, Cc-by-sa-2.0-fr https://creativecommons.org/licenses/by-sa/2.0/fr/deed.en
Cracking Enigma (early 30s — end of WWII)
Marian Rejewski (1905-1980) Alan Turing (1912-1954)
Details next week!
Claude Shannon (1916-2001)
Postwar Cryptography: Moving from Art to Science
The Modern Cryptography Era Begins: DES, 1970s
Horst Feistel (1915-1990)
Key Distribution Problem
The Internet
My CC num = 4417 4001 7234 1189 amazon.com
The Public-Key Revolution (1978)
Basic question: If two people are talking in the presence of an eavesdropper, and they don’t have pre-shared a key, is there any way they can send private messages?
Rivest, Shamir, Adleman in 1978: Yes, differently! Turing Award, 2002, + no money
Diffie and Hellman in 1976: Yes!
Turing Award, 2015, + Million Dollars
Cocks, Ellis, Williamson in 1969, at GCHQ: Yes, we know about both…
Pat on the back?
RSA and Diffie-Hellman use… Number theory
Euclid (~300BC) Leonhard Euler (1707-1783)
Elliptic-Curve Cryptography (1985, deployed 2004)
Neal Koblitz Victor Miller Diophantus (~250AD)
Provable Security (1980s — present)
Shafi Goldwasser, Silvio Micali: Turing Award, 2012, + 250k Dollars
Cryptowars of the 1990s
The Breaking of DES
Attack | Complexity | Year
Biham & Shamir | 2^47 encrypted blocks | 1992
DESCHALL | 41 days | 1997
EFF Deep Crack | 4.5 days | 1998
EFF Deep Crack | 22 hours | 1999
- 3DES (“Triple DES”) is still used by banks
- 3DES encrypts three times
- 3DES is not known to be broken but should be avoided
Advanced Encryption Standard (AES) 2001—present
Vincent Rijmen Joan Daemen
Crypto Today
Crypto primitives
• RSA, DSA, ECDSA
• Diffie–Hellman, ECDH
• HMAC
• MD5, SHA1, SHA-2
• DES, 3DES, RC4, AES
• Export grade
Ciphersuite details
• Data structures
• Key derivation
• Encryption modes, IVs
• Padding
Advanced functionality
• Alerts & errors
• Certification / revocation
• Negotiation
• Renegotiation
• Session resumption
• Key reuse
• Compression
• State machine
Libraries
• OpenSSL
• LibreSSL, BoringSSL
• NSS
• GnuTLS
• SChannel
• Java JSSE
• Everest / miTLS
• s2n
Applications
• Web browsers: Chrome, Firefox, IE/Edge, Safari
• Web servers: Apache, IIS, nginx, node, …
• Application SDKs
• Certificates
• Protocols
• HTTP, IMAP, ..
Attacks on TLS
(Figure from Stebila, 2018-09-04, slide 5: attack names placed over the layers of the TLS stack listed above.) Attacks shown: Cross-protocol DH/ECDH attack; RC4 biases, rc4nomore, Bar Mitzvah; CRIME, BREACH, HEIST; Triple handshake attack; goto fail; Goldberg & Wagner Netscape PRNG attack; FREAK, Logjam; Sweet32; Lucky13; Termination, Cookie Cutter; Bleichenbacher; SSL 2.0 downgrade; POODLE; BEAST; SLOTH; Collisions; Ray & Dispensa; Debian OpenSSL entropy bug; “Most dangerous code…”; MalloDroid; CCS injection; BERserk; Heartbleed; CA breaches; Frankencerts; Virtual host confusion; SSL stripping; SMACK; STARTTLS injection; Lucky microseconds; Jager et al.; DROWN.
Cryptowars of the 2010-2020s
Cryptography Today: An International Community
Crypto beyond secure channels: Secure Multiparty Computation
(Figure: a vote among many parties, each casting YEA or NAY.)
Everyone learns the outcome of the vote (majority YEA or NAY). No one learns anything else about individual votes (or the margin of victory).
Crypto beyond secure channels: Zero-Knowledge Proofs
Blue person (sends number N): I know primes p,q such that pq = N.
Green person: Prove it! Show me p and q.
Blue person: But p and q are private…
Zero-Knowledge Proof (blue person keeps p,q): Green person is convinced blue person knows p and q such that pq=N. But green person learns nothing else about p and q.
Green person: I’m convinced that you know primes p,q such that pq=N!
This class: CMSC 28400 “Cryptography”…
… Counts for the theory sequence (BS/BA in CS). You will work with definitions, theorems, and proofs.
… Is a Computer Science class. You will write programs building and breaking crypto.
Will assume knowledge in…
Math: algorithm analysis (Big-Oh), discrete probability, modular arithmetic
Programming: write short programs, understand binary/hex, get by with Python
Not assumed: computer security, any crypto knowledge
Outline of Topics
Part 1: Classical Crypto (Weeks 1-2)
1. Classical ciphers and how to break them
2. Enigma and the Polish Attack
3. One-time pad and perfect secrecy
Part 2: Modern Symmetric Crypto (Weeks 3-6)
1. Blockciphers: DES and/or AES
2. Provable security and symmetric encryption
3. Message authentication
4. Hash functions
5. Bugs and attacks!
Part 3: Public-Key Crypto (Weeks 7-10)
1. Number theory refresh
2. Group theory
3. Discrete logarithms, factoring, RSA problems
4. Diffie-Hellman and RSA key exchange/encryption
5. Elliptic curves
6. Bugs and attacks!
Themes:
1. Attacks!
2. Math AND CS
3. Definitions
4. Proofs
After finishing this class, you should be able to…
… Understand design rationale for lots of modern crypto.
… Evaluate the security of many crypto constructions.
… Implement attacks against crypto.
This class won’t cover everything, including…
… Lots of relevant crypto. 284 is just a start.
… How to securely implement crypto (!).
… How to design a secure system (website, app, …)
Assessment
1. Theory Problem Sets (1 per week, due Fridays)
2. Programming Problem Sets (Projects) (3 or 4 total)
3. Two midterm exams: Weeks 5 and 8
4. Final exam at end of term
Please read the syllabus carefully: https://www.cs.uchicago.edu/~davidcash/284-autumn-19/
First assignment out Friday.
No participation / attendance grade
The End