Intro to Cryptography

Michael Soltys

California State University at Channel Islands

August 20, 2015 v1.1

Crypto - Michael Soltys August 10, 2015 v1.1 Introduction - 1/45

WEP, WPA/WPA2

SSL/SSH

PGP/GPG

RSA Encryption 128 bytes:

BE 89 0E A1 AD FA 7D 58 6A A1 6A E4
3B ED 75 E4 3E F2 19 F7 F3 0F FA D9
EF 62 10 52 7B FC DD 94 96 A8 35 6B
1B 50 60 2E 2E 79 AC 7C 2E A3 81 DE
8D 37 F9 EE 6E 4F 82 C7 E4 12 04 55
AF 57 69 94 8C EF 2E 50 7A 6D 53 0F
5B 5F 62 58 5E CF F2 DF F4 4D CE 71
B6 82 D7 86 E5 4F 77 E4 91 AA E4 BD
5A 65 AA 9E 20 4F 38 5E B4 8B E0 36
45 80 A8 D5 24 5C 46 9D F1 80 C0 6B
62 A5 1F 26 5E AE 17 47

DRM FairPlay

MD5

5c3079df8a48623f5aa10f0181a7ab03


- We know how to do crypto scientifically → and it is a huge help

- But, in practice most security problems are due to buggy code → writing software that is not buggy is the problem of CS/SE

- Challenge 1: build secure systems with insecure components → similar to building reliable systems with unreliable components

- Challenge 2: the art of making the right trade-offs to satisfy contradictory objectives (e.g., security & speed)


Cryptography is the art of computing & communicating in the presence of an adversary

cryptography = κρυπτός (hidden or secret) + γραφή (writing)

Three broad applications:

- encryption

- authentication

- integrity checking

Not all security is an application of crypto, e.g., firewalls.


Fundamental TENET of cryptography

Lots of smart people have been trying to figure out how to break X,

but so far they have not been able to come up with anything yet.

Therefore X is “secure” . . .


Fundamental ASSUMPTION of cryptography

Everybody knows how it works, i.e., the algorithm is public knowledge (Kerckhoffs's principle).

The secret is the “key”.

In principle it can always be broken (try every key); in practice it is too much work for the “bad guy.”


Great free tools to practice the ideas presented in these slides:

GnuPG (http://www.gnupg.org)

OpenSSL (http://www.openssl.org)


plaintext --encryption--> ciphertext --decryption--> plaintext

- Caesar cipher: the key is a secret shift between 1 and 25 (only 25 keys, so trying them all is trivial).

- Monoalphabetic cipher: the key is a secret pairing of the alphabet with itself: 26! ≈ 4 × 10^26 keys, far too many to try, yet the cipher falls to letter-frequency analysis.


Three basic attacks:

- ciphertext only

- known plaintext

- chosen plaintext

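The ciphertext-only attack from the list above, carried out against the Caesar cipher: the attacker sees only ciphertext, knows the algorithm, tries all 25 keys and keeps the candidate whose letter distribution is closest to English. This is an added example, not code from the slides; the frequency table, the chi-squared scoring and the sample sentence (constructed, using the wording of an earlier slide) are this example's own choices.

```python
import string

# Relative frequencies (percent) of the letters a-z in English text.
ENGLISH_FREQ = [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]

# Constructed sample plaintext (wording taken from the slide on secure systems).
SAMPLE_PLAINTEXT = ("we know how to do crypto scientifically but in practice most "
                    "security problems are due to buggy code and writing software "
                    "that is not buggy is the problem of computer science")


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter by key positions (mod 26); other characters pass through."""
    out = []
    for ch in plaintext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_encrypt(ciphertext, -key)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of text and English (lower is closer)."""
    letters = [ch for ch in text.lower() if ch in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(string.ascii_lowercase):
        observed = letters.count(letter)
        expected = n * ENGLISH_FREQ[i] / 100.0
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Ciphertext-only attack: the algorithm is public, so try all 25 keys and
    return the (key, plaintext) pair that looks most like English."""
    best = (0, ciphertext, float("inf"))
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        score = chi_squared(candidate)
        if score < best[2]:
            best = (key, candidate, score)
    return best[0], best[1]


if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE_PLAINTEXT, 13)
    print(ct)
    print(break_caesar(ct))
```

The same scoring function is the core of an attack on the monoalphabetic cipher as well; there the key space is too large to enumerate, so one instead maps the most frequent ciphertext letters to e, t, a, ... and refines from there.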

Three types of cryptographic functions:

- hash functions (0 keys)

- secret key functions (1 key)

- public key functions (2 keys)


Secret (Symmetric) key crypto

[Figure: plaintext → encryption (key) → ciphertext → decryption (same key) → plaintext]

Public (Asymmetric) key crypto

[Figure: plaintext → encryption (public key) → ciphertext → decryption (private key) → plaintext]

Digital signature scheme

[Figure: plaintext → signing (private key) → signed message → verification (public key) → plaintext]

Symmetric Ciphers

- Substitutions

- Permutations

- XOR

Rounds of substitutions & permutations

XOR, exclusive OR

x y | x ⊕ y
0 0 | 0
0 1 | 1
1 0 | 1
1 1 | 0

If a, b ∈ {0, 1}^n then a ⊕ b is the string in {0, 1}^n whose i-th bit is a_i ⊕ b_i.

Bit-wise XOR

Can also bit-wise XOR a stream (since x ⊕ y ⊕ y = x, the same operation encrypts and decrypts).

DES (1977)

“Data Encryption Standard”

IBM’s cipher + NSA ⟹ DES

DES: 56-bit key, 64-bit input block, 64-bit output block.

Technically, the key is also 64 bits, but each octet is

x_1 x_2 x_3 x_4 x_5 x_6 x_7 y, where $y = 1 \oplus \bigoplus_{i=1}^{7} x_i$,

i.e., the eighth bit of each octet is an odd-parity bit and contributes nothing to the key.

[Figure: DES structure: 64-bit input → initial permutation → Round 1 → Round 2 → ... → Round 16 → swap left & right sides → inverse of the initial permutation → 64-bit output. From the 56-bit key, 16 round keys of 48 bits each are generated.]

[Figure: one DES round: the 64-bit state is split into 32-bit halves L_n and R_n; the “mangler function” f takes R_n and the 48-bit round key K_n, and

L_{n+1} = R_n,  R_{n+1} = L_n ⊕ f(R_n, K_n).]

Reversible “Feistel cipher”: decryption runs the same rounds with the round keys in reverse order, so f itself never has to be inverted.

Example: Apache HTTP server access

.htaccess & .htpasswd

Can create a login/password pair hashed with crypt(), a variant of DES:

htpasswd -cbd ./.htpasswd crypto 7u3pr4aa

and the result is the file .htpasswd containing:

crypto:9.ZzClMRzHfmc

On:

http://www.cas.mcmaster.ca/~soltys/cs3c03-w13/ReadingList

.htpasswd consists of:

netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21

created with command:

htpasswd -cbm ./.htpasswd netsec2013 tigerblood

which produces an MD5-based hash (Apache’s “$apr1$” variant: the salt is fr2JPfTa and the password goes through 1000 MD5 iterations)

- -d is crypt(), a variant of DES

- -m is MD5 (apr1)

- -s is SHA1 (unsalted)

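What `htpasswd -m` actually computes for the line above, as an added example that is not code from the slides or from Apache: a pure-Python implementation of the “$apr1$” MD5-crypt variant (the classic md5crypt algorithm with Apache’s magic string), plus a verifier for a `user:$apr1$salt$hash` line. The sample line is the one on the slide; `verify_htpasswd_line` and its constant-time comparison are this example’s own.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"          # Apache's magic string; glibc's md5crypt uses "$1$"


def _to64(value: int, count: int) -> str:
    """crypt()-style base64: 6 bits at a time, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    pw = password.encode()
    s = salt[:8].encode()                     # at most 8 salt characters are used
    # Initial context: password, magic, salt, then MD5(pw+salt+pw) mixed in
    # once for every 16 bytes of password length.
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # The "something really weird" bit-walk over the password length.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds whose input order depends on the round number.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(s)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    # The 16 output bytes are interleaved before encoding, as in the C code.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$apr1$" + s.decode() + "$" + encoded


def verify_htpasswd_line(line: str, user: str, password: str) -> bool:
    """Check a 'user:$apr1$salt$hash' line; the comparison is constant-time."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


SAMPLE_LINE = "netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21"   # from the slide

if __name__ == "__main__":
    print(apr1_crypt("tigerblood", "fr2JPfTa"))
    print(verify_htpasswd_line(SAMPLE_LINE, "netsec2013", "tigerblood"))
```

The 1000 iterations were a cost factor in 1994; on current hardware they are no obstacle to an offline guessing attack, which is why `htpasswd -B` (bcrypt) is the option to use today.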

- crypt() function

- man 3 crypt for details

- password truncated to 8 characters

- each encoded with 7 (ASCII) bits

- giving 56 bits of input, used as the DES key

- a 2-character salt is used to “perturb” the cipher, so that equal passwords get different hashes

- displayed in a Base64-like alphabet (./0-9A-Za-z)

[Figure: the 56-bit password is the DES key; a 64-bit block of zeros is encrypted 25 times in succession (DES, DES, ..., DES), and the 64-bit result is the stored hash.]


h = crypt(passwd, h): the stored hash can be passed back as the salt argument, since crypt() reads only the two salt characters at the start of it.

perl -e 'print crypt("7u3pr4aa"," 9. ZzClMRzHfmc ")'

outputs eYZUcvy1BSUak

Challenge

Who can break the crypt() htpasswd entry corresponding to:

.DubBN4dRdP7w

AES

NIST: National Institute of Standards and Technology

“Rijndael”

FIPS 197, 2001

AES-128, AES-192, AES-256 (key sizes; the block size is always 128 bits)

Block ciphers

Encrypting messages longer than one block (64 bits for DES, 128 bits for AES) (KPS, ch. 4)

1. Electronic Code Book (ECB)

2. Cipher Block Chaining (CBC)

3. k-bit Cipher Feedback Mode (CFB)

4. k-bit Output Feedback Mode (OFB)

5. Counter Mode (CTR)

ECB

[Figure: the message is split into blocks m_1 m_2 ... m_6; each block is encrypted separately under the same key K, c_i = E_K(m_i). Equal plaintext blocks give equal ciphertext blocks.]

[Figure: an image shown as plaintext and ECB-encrypted; the outline survives encryption.]

CBC

[Figure: c_1 = E_K(m_1 ⊕ IV), c_i = E_K(m_i ⊕ c_{i-1}) for i > 1; the IV is sent along with the ciphertext.]

[Figure: the same image as plaintext, ECB and CBC; under CBC no structure is visible.]
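An added example, not code from the slides, that ties the DES round slide to the modes slides: a small Feistel cipher in the DES shape (64-bit block, 16 rounds, one subkey per round) with HMAC-SHA256 standing in for the “mangler function”, used to show that the network is reversible without inverting f, and then driven in ECB and CBC mode over a repetitive plaintext. The round function, the key schedule and the PKCS#7 padding are this example’s own choices, not DES’s; the mode logic is the standard one from the figures above.

```python
import hashlib
import hmac
import os

BLOCK = 8          # 64-bit block, as in DES
ROUNDS = 16


def key_schedule(key: bytes) -> list[bytes]:
    """One 32-bit subkey per round (DES derives 48-bit ones from its 56-bit key)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def mangler(right: bytes, subkey: bytes) -> bytes:
    """f(R, K): any keyed function will do, because it is never inverted."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:4]


def _feistel(block: bytes, subkeys: list[bytes]) -> bytes:
    left, right = block[:4], block[4:]
    for k in subkeys:
        # L_{n+1} = R_n ; R_{n+1} = L_n xor f(R_n, K_n)
        left, right = right, bytes(a ^ b for a, b in zip(left, mangler(right, k)))
    return right + left            # final swap of the halves, as in DES


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, key_schedule(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same network, subkeys in reverse order: each round cancels its own xor.
    return _feistel(block, key_schedule(key)[::-1])


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return b"".join(encrypt_block(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for m in _blocks(pkcs7_pad(plaintext)):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(m, prev)))  # c_i = E_K(m_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(bytes(a ^ b for a, b in zip(decrypt_block(key, c), prev)))
        prev = c
    return pkcs7_unpad(b"".join(out))


def distinct_blocks(ciphertext: bytes) -> int:
    """How many different ciphertext blocks appear: the ECB leak made countable."""
    return len(set(_blocks(ciphertext)))


if __name__ == "__main__":
    key = b"sixteen byte key"
    msg = b"ABCDEFGH" * 8                     # constructed: eight identical blocks
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), msg)
    print(distinct_blocks(ecb), "distinct blocks under ECB out of", len(ecb) // BLOCK)
    print(distinct_blocks(cbc), "distinct blocks under CBC out of", len(cbc) // BLOCK)
```

The ECB ciphertext of eight identical blocks contains only two distinct blocks (the repeated one and the padding block), which is the “penguin” effect of the figure in numbers; CBC gives as many distinct blocks as there are blocks. Note that CBC only hides patterns if the IV is unpredictable per message.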

Stream ciphers: RC4

Message m and one-time pad p both in {0, 1}^n.

A stream cipher generates successive bits p_i to encode a stream of bits m_i as c_i = m_i ⊕ p_i.

(Keep in mind that 2^8 = 256)

let S[i] be an array of 256 octets (i.e., bytes)

Initialize S (the key-scheduling algorithm):

for i = 0 ... 255
    S[i] = i
end for
j = 0
for i = 0 ... 255
    j = (j + S[i] + key[i mod keylength]) mod 256
    swap S[i] and S[j]
end for

Generate pseudo-random bit stream (byte at a time):

i = 0
j = 0
while "next byte needed"
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap S[i] and S[j]
    k = S[(S[i] + S[j]) mod 256]
    output k
end while

802.11 Wireless Networks Security

WEP (Wired Equivalent Privacy) uses RC4 — deprecated!

WPA (Wi-Fi Protected Access)

- WPA uses TKIP, still RC4 underneath but with per-packet key mixing and larger keys and IVs than WEP

- WPA2 uses AES (CCMP)

WPA/WPA2 part of 802.11i as of 2004.

WEP

[Figure: RC4 key = IV | key (concatenation); RC4 produces the “one-time pad” (keystream); “ciphertext” = “plaintext” ⊕ keystream; the IV travels in the clear with the frame.]

The “pad” is only one-time if the IV never repeats under the same key: two frames with the same IV are encrypted under the same keystream, and the XOR of their ciphertexts is the XOR of their plaintexts.
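RC4 written out exactly as in the two pseudocode slides (key scheduling, then the byte generator), checked against a published test vector, and then used the way the WEP figure describes: per-frame key = IV | shared key, a CRC-32 integrity value appended, and the frame body XORed with the keystream. The last function shows what a repeated IV costs. This is an added example, not code from the slides; the 5-byte key, the 3-byte IV, the frame payloads and the function names are constructed for it.

```python
import zlib


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: a key-dependent permutation of 0..255."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation algorithm: emit `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: c_i = m_i xor p_i."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame = IV || RC4_{IV||key}(payload || CRC32(payload)); the IV is in clear."""
    icv = zlib.crc32(payload).to_bytes(4, "little")      # CRC, not a MAC
    return iv + rc4_crypt(iv + shared_key, payload + icv)


def wep_decrypt(shared_key: bytes, frame: bytes, iv_len: int = 3) -> bytes:
    iv, body = frame[:iv_len], frame[iv_len:]
    plain = rc4_crypt(iv + shared_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def recover_from_iv_reuse(frame1: bytes, frame2: bytes,
                          known_payload1: bytes, iv_len: int = 3) -> bytes:
    """Attacker has two frames with the same IV and knows frame1's payload:
    c1 xor c2 = p1 xor p2, because both frames used the same keystream."""
    assert frame1[:iv_len] == frame2[:iv_len], "attack needs a repeated IV"
    body1, body2 = frame1[iv_len:], frame2[iv_len:]
    n = min(len(body1), len(body2)) - 4                  # ignore the ICV bytes
    p_xor = xor_bytes(body1[:n], body2[:n])
    return xor_bytes(p_xor, known_payload1[:n])


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # constructed 40-bit key, 24-bit IV
    p1, p2 = b"GET /index.html HTTP", b"password=hunter2 ..."
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(recover_from_iv_reuse(f1, f2, p1))
```

With a 24-bit IV the keystream is reused after at most 2^24 frames, and much sooner on busy networks; the known-plaintext side of the attack is easy because protocol headers are predictable. This is independent of the later key-recovery attacks on RC4's key scheduling, which is why the slide marks WEP deprecated.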

openssl ciphers -v

Columns: Name; Protocol; Kx=key exchange; Au=authentication; Enc=encryption; Mac=message digest. (The listing below is from a 2015-era OpenSSL build; in current builds SSLv2, SSLv3, RC4, single DES, RC2 and the 40-bit “export” suites are disabled or removed.)

DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1

AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1

DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1

DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1

DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1

SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1

RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5

RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1

EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1

DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5

EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export

EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export

EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export

EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export

EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export

EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

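A checker for lines in the `openssl ciphers -v` format shown above, as an added example (not code from the slides or from OpenSSL): it parses the columns and flags suites a practitioner would reject today. The rules (RC4, single DES and RC2, 3DES, MD5 MACs, SSLv2, export-grade key exchange) are this example’s own policy rather than an OpenSSL setting; the sample lines are copied from the slide.

```python
import re

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Sample lines copied from the listing on the slide.
SAMPLE_LINES = [
    "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1",
    "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5",
    "EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export",
    "EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
    "SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1",
    "DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
]


def parse_cipher_line(line: str) -> dict:
    """Split one 'openssl ciphers -v' line into its named columns."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'openssl ciphers -v' line: {line!r}")
    suite = m.groupdict()
    suite["export"] = suite["export"] is not None
    return suite


def weaknesses(suite: dict) -> list[str]:
    """Policy rules the suite violates; an empty list means acceptable.
    The protocol column is the version the suite was defined for (SSLv3 suites
    are also used by TLS 1.0-1.2), so only SSLv2 is flagged on that column."""
    problems = []
    if suite["proto"] == "SSLv2":
        problems.append("SSLv2 protocol")
    if suite["export"] or "(512)" in suite["kx"]:
        problems.append("export-grade key exchange")
    enc = suite["enc"]
    if enc.startswith("RC4"):
        problems.append("RC4 stream cipher")
    elif enc.startswith("RC2"):
        problems.append("RC2 cipher")
    elif enc.startswith("DES("):
        problems.append("single DES")
    elif enc.startswith("3DES"):
        problems.append("3DES (64-bit block)")
    if suite["mac"] == "MD5":
        problems.append("MD5 MAC")
    return problems


def acceptable_suites(lines) -> list[str]:
    return [s["name"] for s in map(parse_cipher_line, lines) if not weaknesses(s)]


def report(lines) -> None:
    for line in lines:
        s = parse_cipher_line(line)
        problems = weaknesses(s)
        verdict = "OK" if not problems else "REJECT: " + ", ".join(problems)
        print(f"{s['name']:28} {verdict}")


if __name__ == "__main__":
    report(SAMPLE_LINES)
```

In practice one feeds it the real output of `openssl ciphers -v 'ALL'` on the host being reviewed, and the acceptable names become the basis of the server's cipher string.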

Public Key Crypto

- Diffie-Hellman

- ElGamal

- RSA

Diffie-Hellman Key Exchange

- Oldest public key cryptosystem still in use.

- Allows two individuals to agree on a shared key, even though they can only exchange messages in public.

- A weakness is that there is no authentication; the other party might be a “bad guy.”

- Described in RFC 2631

[Figure: plot of $\log_3(x)$ over $\mathbb{Z}_{17}$ (3 generates $\mathbb{Z}_{17}^*$); the points are scattered with no visible pattern, which is the intuition behind the hardness of the discrete logarithm.]

Alice and Bob:

1. Public: p, g such that $\mathbb{Z}_p^* = \langle g \rangle$

2. Alice chooses secret a; Bob chooses secret b

3. Alice computes A := g^a; Bob computes B := g^b

4. Alice sends A to Bob; Bob sends B to Alice

5. Alice computes B^a; Bob computes A^b

6. Alice & Bob have the shared value A^b = (g^a)^b = g^{ab} = g^{ba} = (g^b)^a = B^a (all mod p)

1. Alice and Bob agree to use a prime p = 23 and base g = 5.

2. Alice chooses secret a = 8; sends Bob A = g^a (mod p)

2.1 A = 5^8 (mod 23)

2.2 A = 16

3. Bob chooses secret b = 15; sends Alice B = g^b (mod p)

3.1 B = 5^15 (mod 23)

3.2 B = 19

4. Alice computes s = B^a (mod p)

4.1 s = 19^8 (mod 23)

4.2 s = 9

5. Bob computes s = A^b (mod p)

5.1 s = 16^15 (mod 23)

5.2 s = 9

Computing large powers in $(\mathbb{Z}_n, *)$ can be done efficiently with repeated squaring: for example, if $(m)_b = c_r \ldots c_1 c_0$ is the binary representation of m, then compute

$a_0 = a,\quad a_1 = a_0^2,\quad a_2 = a_1^2,\quad \ldots,\quad a_r = a_{r-1}^2 \pmod{n},$

and so $a^m = a_0^{c_0} a_1^{c_1} \cdots a_r^{c_r} \pmod{n}$, i.e., r squarings and at most r multiplications instead of m − 1 multiplications.

DH only resists passive adversaries.

A passive attack is one in which the intruder eavesdrops but does not modify the message stream in any way.

An active attack is one in which the intruder may:

- transmit messages

- replay old messages

- modify messages in transit

- delete selected messages from the wire

A typical active attack is one in which an intruder impersonates one end of the conversation, or acts as a man-in-the-middle. This attack motivates the need for authentication.

How to do a “man-in-the-middle” on DH?

Alice (secret S_A)        Eve (secret S_X)        Bob (secret S_B)
g^{S_A} = 8389            g^{S_X} = 5876          g^{S_B} = 9267

Alice sends 8389 → Eve replaces it and sends 5876 → Bob
Bob sends 9267 → Eve replaces it and sends 5876 → Alice

Alice and Eve now share the key

K_AX = 5876^{S_A} = 8389^{S_X}

and Bob and Eve share the key

K_BX = 9267^{S_X} = 5876^{S_B}

Alice believes K_AX is her key with Bob and Bob believes K_BX is his key with Alice; Eve decrypts with one key, re-encrypts with the other, and reads everything in between. Neither party can tell, because nothing in the exchange is authenticated.
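The exchange with the slides' numbers (p = 23, g = 5, a = 8, b = 15), the repeated-squaring exponentiation from the slide before it, and the man-in-the-middle from the last slide, as one added example that is not code from the slides. The `Party` class, the generator check and Eve's secret x = 7 are this example's own; all numbers are toy-sized, and a real exchange uses a large safe prime.

```python
def modexp(base: int, exp: int, mod: int) -> int:
    """Right-to-left binary exponentiation, as on the slide: with m = c_r...c_1c_0
    in binary, a^m = product over i of a_i^{c_i}, where a_{i+1} = a_i^2 (mod n)."""
    result = 1
    a_i = base % mod               # a_0 = a
    while exp:
        if exp & 1:                # c_i = 1: multiply a_i into the result
            result = result * a_i % mod
        a_i = a_i * a_i % mod      # a_{i+1} = a_i^2
        exp >>= 1
    return result


def is_generator(g: int, p: int) -> bool:
    """True iff the powers of g run through all of Z_p^* (brute force; fine for toy p)."""
    return len({modexp(g, k, p) for k in range(1, p)}) == p - 1


class Party:
    def __init__(self, name: str, p: int, g: int, secret: int):
        self.name, self.p, self.g, self.secret = name, p, g, secret
        self.public = modexp(g, secret, p)            # g^secret mod p, sent in clear

    def shared_key(self, other_public: int) -> int:
        return modexp(other_public, self.secret, self.p)


def honest_exchange(p: int, g: int, a: int, b: int) -> tuple[int, int, int, int]:
    """Returns (A, B, key computed by Alice, key computed by Bob)."""
    alice, bob = Party("Alice", p, g, a), Party("Bob", p, g, b)
    return alice.public, bob.public, alice.shared_key(bob.public), bob.shared_key(alice.public)


def mitm_exchange(p: int, g: int, a: int, b: int, x: int):
    """Eve replaces both public values with her own g^x and ends up holding
    one key with Alice (K_AX) and another with Bob (K_BX)."""
    alice, bob, eve = Party("Alice", p, g, a), Party("Bob", p, g, b), Party("Eve", p, g, x)
    k_ax = (alice.shared_key(eve.public), eve.shared_key(alice.public))   # Alice's view, Eve's view
    k_bx = (bob.shared_key(eve.public), eve.shared_key(bob.public))       # Bob's view, Eve's view
    return k_ax, k_bx


if __name__ == "__main__":
    p, g = 23, 5
    print("5 generates Z_23^*:", is_generator(g, p))
    print("honest (A, B, k_Alice, k_Bob):", honest_exchange(p, g, 8, 15))
    print("MITM ((K_AX Alice, K_AX Eve), (K_BX Bob, K_BX Eve)):", mitm_exchange(p, g, 8, 15, 7))
```

The two tuples returned by `mitm_exchange` agree within each pair but differ from each other: Alice and Bob each hold a key shared with Eve and believe it is shared with the other. Nothing Alice receives lets her check that 5876 came from Bob, which is the missing authentication the slide points to.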