Cryptography and SSL in Smalltalk - StS 2003

49
Cryptography and SSL Cryptography and SSL in Smalltalk in Smalltalk Martin Kobetic Cincom Smalltalk Development January 2003

Transcript of Cryptography and SSL in Smalltalk - StS 2003

Page 1: Cryptography and SSL in Smalltalk - StS 2003

Cryptography and SSLCryptography and SSLin Smalltalkin Smalltalk

Martin Kobetic

Cincom Smalltalk Development

January 2003

Page 2: Cryptography and SSL in Smalltalk - StS 2003

CryptographyCryptography

bag of tricks ever growing lists of weaknesses fortune telling the “weakest link” tragedy

Page 3: Cryptography and SSL in Smalltalk - StS 2003

CryptographyCryptography

best tricks known (publicly) serious mathematical foundations astronomic margins public peer review competitive standardization (AES)

Page 4: Cryptography and SSL in Smalltalk - StS 2003

Secure SolutionsSecure Solutions

mature components balanced “economics” implementation quality

threats, countermeasures, failure modes

deployment qualityinfrastructure, processes, personnel

Page 5: Cryptography and SSL in Smalltalk - StS 2003

Cryptographic ObjectivesCryptographic Objectives

confidentiality– encryption

integrity– message authentication codes (MAC)

authentication– signatures

Page 6: Cryptography and SSL in Smalltalk - StS 2003

EncryptionEncryption

E(P) = C & D(C) = P one-time pad symmetric (secret) key ciphers

– EK(P) = C & DK(C) = P

asymmetric (public) key ciphers– EK1(P) = C & DK2(C) = P

Page 7: Cryptography and SSL in Smalltalk - StS 2003

Secret Key CiphersSecret Key Ciphers

bulk data encryption constructed from simple operations for

speed (xor, shift, x + y mod n, ...) two fundamental classes

– stream ciphers (RC4)– block ciphers (DES/AES)

Page 8: Cryptography and SSL in Smalltalk - StS 2003

Secret Key CiphersSecret Key Ciphers

key := ‘secret key’ asByteArray.alice := ARC4 key: key.(ctxt := alice encrypt: ‘Hello’) asString

bob := ARC4 key: key.(bob decrypt: ctxt) asString

Page 9: Cryptography and SSL in Smalltalk - StS 2003

Secret Key CiphersSecret Key Ciphers

key strength (HW Brute Force 1995)

1012yrs3s.01s.2µs$1T

1015yrs1h13s.2ms$1G

1018yrs37d3.5h.2s$1M

1019yrs1yr35h2s$100K

128b64b56b40b

Page 10: Cryptography and SSL in Smalltalk - StS 2003

Stream CiphersStream Ciphers

time-varying transformation on individual plain-text digits

Pike, A5, RC4, SEAL key-stream generator

– produces: k1, k2, k3, ....

– ci = pi xor ki & pi = ci xor ki

– State S, NextState(S), Output(S) avoid key reuse!

Page 11: Cryptography and SSL in Smalltalk - StS 2003

leaked trade secret of RSA Security (1994) 256 byte S-Box; 2 counters i=j=0

RC4 (1992)RC4 (1992)

next key-stream byte:i = (i + 1) mod 256j = (j+Si) mod 256swap Si and Sj

t = (Si + Sj) mod 256K = St

S-Box initialization:S = 0, ..., 255K = 256B of replicated keyfor i=0 to 255: j = (j + Si + Ki) mod 256 swap Si and Sj

Page 12: Cryptography and SSL in Smalltalk - StS 2003

Stream Ciphers - KAKStream Ciphers - KAK

synchronous ciphers (KAK)– NextStateK(S)

– Output(S) noise contained preprocessing synchronization critical not parallelizable

Page 13: Cryptography and SSL in Smalltalk - StS 2003

Stream Ciphers - CTAKStream Ciphers - CTAK

self-synchronizing ciphers (CTAK)– NextState (Ci-n...i)

– OutputK(S) synchronization decryption parallelizable random access noise propagates encryption not parallelizable

Page 14: Cryptography and SSL in Smalltalk - StS 2003

Block CiphersBlock Ciphers

fixed transformation on blocks of plaintext(e.g 64, 128 bits)

DES, IDEA, CAST, Blowfish, RC2, RC5 basic transformation applied in rounds

Page 15: Cryptography and SSL in Smalltalk - StS 2003

DES (1977)DES (1977)

csrc.nist.gov: FIPS PUB 46 (1977) FIPS PUB 46-3 (1999)

– triple DES still approved– single DES legacy systems only

64 bit block size 56 bit key (64 bits with parity) 16 rounds using 48 bit subkeys

Page 16: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - PaddingBlock Ciphers - Padding

alice := DES key: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.

alice := BlockPadding on: DES new.alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.

Page 17: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - PaddingBlock Ciphers - Padding

must be reversible pad with padding size (1-8)

– aka PKCS#5 padding

pad with bits “100…0” ciphertext stealing

– different for different modes (ECB, CBC)

some modes don’t need padding

Page 18: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - ECBBlock Ciphers - ECB

electronic codebook mode

Ci = Ek(Pi)

Pi = Dk(Ci)

don’t use !

Page 19: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - CBCBlock Ciphers - CBC

cipher block chaining mode

Ci = Ek(Pi xor Ci-1)

Pi = Ci-1 xor Dk(Ci)

initialization vector (IV)– isn’t secret but unique, random– timestamp, nonce, random nr

Page 20: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - CBCBlock Ciphers - CBC

alice := CipherBlockChainingon: DES newiv: ‘nonce 8B’ asByteArray.

alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘a block a block ’.

Page 21: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - OFBBlock Ciphers - OFB

output feedback mode Si = Ek(Si-1)

Ci = Pi xor Si

Pi = Ci xor Si

like synchronous stream cipher(OutputFeeback on: DES new)

setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray

Page 22: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - CTRBlock Ciphers - CTR

counter mode

Si := Ek(Nonce || i)

Ci = Pi xor Si

Pi = Ci xor Si

OFB variant

Page 23: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - CFBBlock Ciphers - CFB

cipher feedback mode

Ci = Pi xor Ek(Ci-1)

Pi = Ci xor Ek(Ci-1)

like self-synchronizing stream cipher

(CipherFeeback on: DES new)setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray

Page 24: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - MixingBlock Ciphers - Mixing

interleaving– parallelizing “chained” modes

multiple encryption with single cipher– double encryption – no good– 3EDE (inner/outer CBC)

cascading different ciphers

Page 25: Cryptography and SSL in Smalltalk - StS 2003

Block Ciphers - MixingBlock Ciphers - Mixing

des3 := TrippleEDEOuterCBCfirst: DES newsecond: DES newthird: DES new.

des3 := DES new3EDE_CBC.des3 setKey: ’24bytes for 3 keys’ asByteArray.des3 setIV: ‘nonce 8B’ asByteArray.

Page 26: Cryptography and SSL in Smalltalk - StS 2003

AES (2001)AES (2001)

NIST FIPS PUB 197 (2001) - Rijndael 15 submissions (1998) 5 finalists: MARS, Serpent, Twofish, RC6 modes: ECB, CBC, CFB, OFB, CTR block size 128 bits key sizes 128, 192, 256 bits 10, 12, 14 rounds

Page 27: Cryptography and SSL in Smalltalk - StS 2003

Blowfish (1993)Blowfish (1993)

http://www.counterpane.com/blowfish.html block size 64-bits variable key size 32-448 bits not patented, royalty-free 2 parts: key expansion & data encryption 16 rounds, key dependent S-Boxes

Page 28: Cryptography and SSL in Smalltalk - StS 2003

Public Key CiphersPublic Key Ciphers

public and private key– hard to compute private from the public

based on “hard” problems– factoring, discrete logarithm

much slower key encryption/exchange, signing RSA, DSA, DH, ElGamal

Page 29: Cryptography and SSL in Smalltalk - StS 2003

Public Key CiphersPublic Key Ciphers

key lengths with similar “strength” (bits):symmetric:

asymmetric: 23041792768512384

128112806456

Page 30: Cryptography and SSL in Smalltalk - StS 2003

RSA (1977)RSA (1977)

RSA Security, PKCS #1modulus n = product of 2 large primes p, q

public: e = relatively prime to (p-1)(q-1)

private: d = e-1 mod ((p-1)(q-1))

C = Pe mod n [ P < n ] P = Cd mod n

Page 31: Cryptography and SSL in Smalltalk - StS 2003

RSARSA

keys := RSAKeyGenerator keySize: 512.alice := RSA new publicKey: keys publicKey.ctxt := alice encrypt: 'Hello World' asByteArray.ctxt asHexString

bob := RSA new privateKey: keys privateKey.(bob decrypt: ctxt) asString

Page 32: Cryptography and SSL in Smalltalk - StS 2003

Hash FunctionsHash Functions

one-way:hard to find the input for given output

collision resistant:hard to find two distinct inputs with the same output

data “finger-printing” MD2, MD4, MD5, SHA, RIPE-MD

Page 33: Cryptography and SSL in Smalltalk - StS 2003

Hash FunctionsHash Functions

unlimited input size >> fixed output size compression function:

M = M1, M2, ...

hi = f(Mi, hi-1)

MD-strengthening: include message length

Page 34: Cryptography and SSL in Smalltalk - StS 2003

Hash FunctionsHash Functions

(MD5 hash: 'Hello') asHexString

input := 'Hello World!' asByteArray readStream.sha := SHA new.sha updateWithNext: 5 from: input.sha updateFrom: input.sha digest asHexString

Page 35: Cryptography and SSL in Smalltalk - StS 2003

MD5 (1992)MD5 (1992)

http://www.ietf.org/rfc/rfc1321.txt (Ron Rivest) hash: 128-bits (16B) block: 512-bits (64B) padding: M | 10...0 | length (64bits)

Page 36: Cryptography and SSL in Smalltalk - StS 2003

SHA (1993)SHA (1993)

SHS - NIST FIPS PUB 180– hash: 160 bits (20B)– block: 512 bits (64B)– padding: M | 10...0 | length (64B)

FIPS 180-1: SHA-1 (1995) FIPS 180-2: SHA-256, 384, 512 (2002)

Page 37: Cryptography and SSL in Smalltalk - StS 2003

Message AuthenticationMessage Authentication

hash function with secret key (MAC) HMAC (RFC 2104, FIPS-198) (1997)

– H(K xor OPad, H(K xor IPad, text))– OPad = 0x5C[B], IPad = 0x36[B]– B = block size, K = key

CBC-MAC:– Hi = EK(Pi xor Hi-1);

– IV=0

Page 38: Cryptography and SSL in Smalltalk - StS 2003

HMACHMAC

alice := HMAC hash: SHA new.alice setKey: 'secret' asByteArray.(mac := alice hash: 'Hello World!') asHexString

bob := HMAC hash: SHA new.bob setKey: 'secret' asByteArray.mac = (bob hash: 'Hello World!')

Page 39: Cryptography and SSL in Smalltalk - StS 2003

Digital SignaturesDigital Signatures

authentic, non-reusable, unalterable RSA:

– signing:hash the plaintextencrypt digest with private key

– verifying:hash the plaintextdecrypt digest with public keycompare the digests

Page 40: Cryptography and SSL in Smalltalk - StS 2003

RSARSA

alice := RSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray.sig asHexString

bob := RSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray

Page 41: Cryptography and SSL in Smalltalk - StS 2003

DSA (1994)DSA (1994)

NIST FIPS PUB 186– p prime (modulus): (512 + k*64 <= 1024)– q prime factor of p – 1 (160 bits)– g > 1; g^q mod p = 1 (g has order q mod p)– x < q (private key)– y = g^x mod p (public key)

FIPS 186-1 (1998): RSA(X9.31) FIPS 186-2 (2000): ECDSA(X9.62) change notice 2001: revised PRNG

Page 42: Cryptography and SSL in Smalltalk - StS 2003

DSADSA

keys := DSAKeyGenerator keySize: 512.alice := DSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray

bob := DSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray

Page 43: Cryptography and SSL in Smalltalk - StS 2003

Key ManagementKey Management

“keys are pain”:generation, transfer, verification, usage, updating, storing, backup, compromise, lifetime, destruction

public-key cryptography helps– session key exchange– public key distribution

Page 44: Cryptography and SSL in Smalltalk - StS 2003

Diffie-Hellman (1976)Diffie-Hellman (1976)

establishing a shared secret value http://www.ietf.org/rfc/rfc2631.txt modulus p: large prime (>512b)

generator g: primitive mod pprivate x: random 1 < x < ppublic y: g^x mod ppublic y’: other party’s yshared secret: y’^x mod p

Page 45: Cryptography and SSL in Smalltalk - StS 2003

Diffie-HellmanDiffie-Hellman

gen := DHParameterGenerator m: 160 l: 512.alice := DH p: gen p q: gen q.ya := alice computePublicValue.

bob := DH p: alice p g: alice g.yb := bob computePublicValue.ss := bob computeSharedSecretUsing: ya

ss = (alice computeSharedSecretUsing: yb)

Page 46: Cryptography and SSL in Smalltalk - StS 2003

Digital CertificatesDigital Certificates

data signed by a “trusted” third party public key, subject & issuer identification,

certificate identification, validity certificate hierarchies certificate chain validation certificate revocation

Page 47: Cryptography and SSL in Smalltalk - StS 2003

X.509X.509

RFC 2459 (1999) > RFC 3279, 3280 (2002) ASN.1 – DER encoding X.509v1: version, serial nr, issuer, validity,

subject, public key, signature X.509v2: issuer/subject UID X.509v3: extensions (basic constraints, key

usage, key identifiers, policies, ...)

Page 48: Cryptography and SSL in Smalltalk - StS 2003

Random NumbersRandom Numbers

random: passes all statistical tests secure: unpredictable without the seed RFC 1750 (Recommendations) FIPS-186-2 (DSS) yarrow (www.counterpane.com) entropy gathering

– /dev/urandom– EGD, EGADS

Page 49: Cryptography and SSL in Smalltalk - StS 2003

SSLSSL

Believe it or not, it uses all that !

to be continued