Cryptography and SSL in Smalltalk - StS 2003
-
Upload
martin-kobetic -
Category
Documents
-
view
372 -
download
0
Transcript of Cryptography and SSL in Smalltalk - StS 2003
Cryptography and SSLCryptography and SSLin Smalltalkin Smalltalk
Martin Kobetic
Cincom Smalltalk Development
January 2003
CryptographyCryptography
bag of tricks ever growing lists of weaknesses fortune telling the “weakest link” tragedy
CryptographyCryptography
best tricks known (publicly) serious mathematical foundations astronomic margins public peer review competitive standardization (AES)
Secure SolutionsSecure Solutions
mature components balanced “economics” implementation quality
threats, countermeasures, failure modes
deployment qualityinfrastructure, processes, personnel
Cryptographic ObjectivesCryptographic Objectives
confidentiality– encryption
integrity– message authentication codes (MAC)
authentication– signatures
EncryptionEncryption
E(P) = C & D(C) = P one-time pad symmetric (secret) key ciphers
– EK(P) = C & DK(C) = P
asymmetric (public) key ciphers– EK1(P) = C & DK2(C) = P
Secret Key CiphersSecret Key Ciphers
bulk data encryption constructed from simple operations for
speed (xor, shift, x + y mod n, ...) two fundamental classes
– stream ciphers (RC4)– block ciphers (DES/AES)
Secret Key CiphersSecret Key Ciphers
key := ‘secret key’ asByteArray.alice := ARC4 key: key.(ctxt := alice encrypt: ‘Hello’) asString
bob := ARC4 key: key.(bob decrypt: ctxt) asString
Secret Key CiphersSecret Key Ciphers
key strength (HW Brute Force 1995)
1012yrs3s.01s.2µs$1T
1015yrs1h13s.2ms$1G
1018yrs37d3.5h.2s$1M
1019yrs1yr35h2s$100K
128b64b56b40b
Stream CiphersStream Ciphers
time-varying transformation on individual plain-text digits
Pike, A5, RC4, SEAL key-stream generator
– produces: k1, k2, k3, ....
– ci = pi xor ki & pi = ci xor ki
– State S, NextState(S), Output(S) avoid key reuse!
leaked trade secret of RSA Security (1994) 256 byte S-Box; 2 counters i=j=0
RC4 (1992)RC4 (1992)
next key-stream byte:i = (i + 1) mod 256j = (j+Si) mod 256swap Si and Sj
t = (Si + Sj) mod 256K = St
S-Box initialization:S = 0, ..., 255K = 256B of replicated keyfor i=0 to 255: j = (j + Si + Ki) mod 256 swap Si and Sj
Stream Ciphers - KAKStream Ciphers - KAK
synchronous ciphers (KAK)– NextStateK(S)
– Output(S) noise contained preprocessing synchronization critical not parallelizable
Stream Ciphers - CTAKStream Ciphers - CTAK
self-synchronizing ciphers (CTAK)– NextState (Ci-n...i)
– OutputK(S) synchronization decryption parallelizable random access noise propagates encryption not parallelizable
Block CiphersBlock Ciphers
fixed transformation on blocks of plaintext(e.g 64, 128 bits)
DES, IDEA, CAST, Blowfish, RC2, RC5 basic transformation applied in rounds
DES (1977)DES (1977)
csrc.nist.gov: FIPS PUB 46 (1977) FIPS PUB 46-3 (1999)
– triple DES still approved– single DES legacy systems only
64 bit block size 56 bit key (64 bits with parity) 16 rounds using 48 bit subkeys
Block Ciphers - PaddingBlock Ciphers - Padding
alice := DES key: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.
alice := BlockPadding on: DES new.alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.
Block Ciphers - PaddingBlock Ciphers - Padding
must be reversible pad with padding size (1-8)
– aka PKCS#5 padding
pad with bits “100…0” ciphertext stealing
– different for different modes (ECB, CBC)
some modes don’t need padding
Block Ciphers - ECBBlock Ciphers - ECB
electronic codebook mode
Ci = Ek(Pi)
Pi = Dk(Ci)
don’t use !
Block Ciphers - CBCBlock Ciphers - CBC
cipher block chaining mode
Ci = Ek(Pi xor Ci-1)
Pi = Ci-1 xor Dk(Ci)
initialization vector (IV)– isn’t secret but unique, random– timestamp, nonce, random nr
Block Ciphers - CBCBlock Ciphers - CBC
alice := CipherBlockChainingon: DES newiv: ‘nonce 8B’ asByteArray.
alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘a block a block ’.
Block Ciphers - OFBBlock Ciphers - OFB
output feedback mode Si = Ek(Si-1)
Ci = Pi xor Si
Pi = Ci xor Si
like synchronous stream cipher(OutputFeeback on: DES new)
setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray
Block Ciphers - CTRBlock Ciphers - CTR
counter mode
Si := Ek(Nonce || i)
Ci = Pi xor Si
Pi = Ci xor Si
OFB variant
Block Ciphers - CFBBlock Ciphers - CFB
cipher feedback mode
Ci = Pi xor Ek(Ci-1)
Pi = Ci xor Ek(Ci-1)
like self-synchronizing stream cipher
(CipherFeeback on: DES new)setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray
Block Ciphers - MixingBlock Ciphers - Mixing
interleaving– parallelizing “chained” modes
multiple encryption with single cipher– double encryption – no good– 3EDE (inner/outer CBC)
cascading different ciphers
Block Ciphers - MixingBlock Ciphers - Mixing
des3 := TrippleEDEOuterCBCfirst: DES newsecond: DES newthird: DES new.
des3 := DES new3EDE_CBC.des3 setKey: ’24bytes for 3 keys’ asByteArray.des3 setIV: ‘nonce 8B’ asByteArray.
AES (2001)AES (2001)
NIST FIPS PUB 197 (2001) - Rijndael 15 submissions (1998) 5 finalists: MARS, Serpent, Twofish, RC6 modes: ECB, CBC, CFB, OFB, CTR block size 128 bits key sizes 128, 192, 256 bits 10, 12, 14 rounds
Blowfish (1993)Blowfish (1993)
http://www.counterpane.com/blowfish.html block size 64-bits variable key size 32-448 bits not patented, royalty-free 2 parts: key expansion & data encryption 16 rounds, key dependent S-Boxes
Public Key CiphersPublic Key Ciphers
public and private key– hard to compute private from the public
based on “hard” problems– factoring, discrete logarithm
much slower key encryption/exchange, signing RSA, DSA, DH, ElGamal
Public Key CiphersPublic Key Ciphers
key lengths with similar “strength” (bits):symmetric:
asymmetric: 23041792768512384
128112806456
RSA (1977)RSA (1977)
RSA Security, PKCS #1modulus n = product of 2 large primes p, q
public: e = relatively prime to (p-1)(q-1)
private: d = e-1 mod ((p-1)(q-1))
C = Pe mod n [ P < n ] P = Cd mod n
RSARSA
keys := RSAKeyGenerator keySize: 512.alice := RSA new publicKey: keys publicKey.ctxt := alice encrypt: 'Hello World' asByteArray.ctxt asHexString
bob := RSA new privateKey: keys privateKey.(bob decrypt: ctxt) asString
Hash FunctionsHash Functions
one-way:hard to find the input for given output
collision resistant:hard to find two distinct inputs with the same output
data “finger-printing” MD2, MD4, MD5, SHA, RIPE-MD
Hash FunctionsHash Functions
unlimited input size >> fixed output size compression function:
M = M1, M2, ...
hi = f(Mi, hi-1)
MD-strengthening: include message length
Hash FunctionsHash Functions
(MD5 hash: 'Hello') asHexString
input := 'Hello World!' asByteArray readStream.sha := SHA new.sha updateWithNext: 5 from: input.sha updateFrom: input.sha digest asHexString
MD5 (1992)MD5 (1992)
http://www.ietf.org/rfc/rfc1321.txt (Ron Rivest) hash: 128-bits (16B) block: 512-bits (64B) padding: M | 10...0 | length (64bits)
SHA (1993)SHA (1993)
SHS - NIST FIPS PUB 180– hash: 160 bits (20B)– block: 512 bits (64B)– padding: M | 10...0 | length (64B)
FIPS 180-1: SHA-1 (1995) FIPS 180-2: SHA-256, 384, 512 (2002)
Message AuthenticationMessage Authentication
hash function with secret key (MAC) HMAC (RFC 2104, FIPS-198) (1997)
– H(K xor OPad, H(K xor IPad, text))– OPad = 0x5C[B], IPad = 0x36[B]– B = block size, K = key
CBC-MAC:– Hi = EK(Pi xor Hi-1);
– IV=0
HMACHMAC
alice := HMAC hash: SHA new.alice setKey: 'secret' asByteArray.(mac := alice hash: 'Hello World!') asHexString
bob := HMAC hash: SHA new.bob setKey: 'secret' asByteArray.mac = (bob hash: 'Hello World!')
Digital SignaturesDigital Signatures
authentic, non-reusable, unalterable RSA:
– signing:hash the plaintextencrypt digest with private key
– verifying:hash the plaintextdecrypt digest with public keycompare the digests
RSARSA
alice := RSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray.sig asHexString
bob := RSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray
DSA (1994)DSA (1994)
NIST FIPS PUB 186– p prime (modulus): (512 + k*64 <= 1024)– q prime factor of p – 1 (160 bits)– g > 1; g^q mod p = 1 (g has order q mod p)– x < q (private key)– y = g^x mod p (public key)
FIPS 186-1 (1998): RSA(X9.31) FIPS 186-2 (2000): ECDSA(X9.62) change notice 2001: revised PRNG
DSADSA
keys := DSAKeyGenerator keySize: 512.alice := DSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray
bob := DSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray
Key ManagementKey Management
“keys are pain”:generation, transfer, verification, usage, updating, storing, backup, compromise, lifetime, destruction
public-key cryptography helps– session key exchange– public key distribution
Diffie-Hellman (1976)Diffie-Hellman (1976)
establishing a shared secret value http://www.ietf.org/rfc/rfc2631.txt modulus p: large prime (>512b)
generator g: primitive mod pprivate x: random 1 < x < ppublic y: g^x mod ppublic y’: other party’s yshared secret: y’^x mod p
Diffie-HellmanDiffie-Hellman
gen := DHParameterGenerator m: 160 l: 512.alice := DH p: gen p q: gen q.ya := alice computePublicValue.
bob := DH p: alice p g: alice g.yb := bob computePublicValue.ss := bob computeSharedSecretUsing: ya
ss = (alice computeSharedSecretUsing: yb)
Digital CertificatesDigital Certificates
data signed by a “trusted” third party public key, subject & issuer identification,
certificate identification, validity certificate hierarchies certificate chain validation certificate revocation
X.509X.509
RFC 2459 (1999) > RFC 3279, 3280 (2002) ASN.1 – DER encoding X.509v1: version, serial nr, issuer, validity,
subject, public key, signature X.509v2: issuer/subject UID X.509v3: extensions (basic constraints, key
usage, key identifiers, policies, ...)
Random NumbersRandom Numbers
random: passes all statistical tests secure: unpredictable without the seed RFC 1750 (Recommendations) FIPS-186-2 (DSS) yarrow (www.counterpane.com) entropy gathering
– /dev/urandom– EGD, EGADS
SSLSSL
Believe it or not, it uses all that !
to be continued