Network security - Modern cryptography for communications ...
Transcript of Network security - Modern cryptography for communications ...
![Page 1: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/1.jpg)
Network securityModern cryptography for communications security
Benjamin [email protected]
Lehrstuhl für Netzarchitekturen und NetzdiensteFakultät für Informatik
Technische Universität München
Cryptography part 2 – 15ws
1 / 43
![Page 2: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/2.jpg)
Outline
Hash functions and private-key cryptography
Public-key setting
2 / 43
![Page 3: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/3.jpg)
Outline
Hash functions and private-key cryptography
Public-key setting
3 / 43
![Page 4: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/4.jpg)
Cryptographic hash functions
private-keyI encryptionI message
authentication codesI hash functions
public-key. . .
4 / 43
![Page 5: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/5.jpg)
Hash functions
I variable length inputI fixed length output
provide:
1. pre-image resistancegiven H(x) with a randomly chosen x ,cannot find x ′ s. t. H(x ′) = H(x)“H is one-way”
2. second pre-image resistancegiven x , cannot find x ′ 6= x s. t. H(x ′) = H(x)
3. collision resistancecannot find x 6= x ′ s. t. H(x) = H(x ′)
5 / 43
input
H(·)
output
fixed length
![Page 6: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/6.jpg)
Birthday problem
question oneI number of people in a room requiredI s. t. P[same birthday as you] ≥ 0.5:
1− (364365n) ≥ 0.5
≥ 253 people necessary.
question twoI number of people in a room requiredI s. t. P[at least two people with same birthday] ≥ 0.5≈ const ·
√365 ≈ 23.
6 / 43
![Page 7: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/7.jpg)
Birthday problem
question oneI number of people in a room requiredI s. t. P[same birthday as you] ≥ 0.5:
1− (364365n) ≥ 0.5
≥ 253 people necessary. Second pre-image
question twoI number of people in a room requiredI s. t. P[at least two people with same birthday] ≥ 0.5≈ const ·
√365 ≈ 23. Collision
6 / 43
![Page 8: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/8.jpg)
Birthday problem (cont’d)
I collision resitance is the strongest propertyI implies pre-image resistance and second pre-image resistance
I usually broken broken first: MD5, SHA1I hash function with output size of 128 bit: ≤ 2128 possible
outputsI finding collisions:
√2128 = 264
I minimum output size: 256
7 / 43
![Page 9: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/9.jpg)
HMAC
A popular MAC:I opad is 0x36, ipad is 0x5C
tag := H(k ⊕ opad‖H(k ⊕ ipad‖m))I use SHA2-512, truncate tag to 256 bits
Used with Merkle-Damgård functions, since they allow to computefrom H(k‖m) the extension H(k‖m‖tail).
8 / 43
![Page 10: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/10.jpg)
Combining confidentiality and authentication
I encrypt-then-authenticate:c ← Enck1(m), t ← Mack2(c)transmit: 〈c, t〉This is generally secure.
I authenticated encryptionAlso a good choice.e. g. offset codebook (OCB), Galois counter mode (GCM)
9 / 43
![Page 11: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/11.jpg)
Recap: private-key cryptography
I attacker power: probabilistic polynomial timeI confidentiality defined as IND-CPA:
encryption, e. g. AES-CTR$I message authentication defined as existentially unforgeable
under adaptive chosen-message attack:message authentication codes, e. g. HMAC-SHA2
I authenticated encryption modes
10 / 43
![Page 12: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/12.jpg)
Outline
Hash functions and private-key cryptography
Public-key setting
11 / 43
![Page 13: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/13.jpg)
The idea
We no longer have one shared key, but each participant has a keypair:
I a private key we give to nobody elseI a public key to be published, e. g. on a keyserver
12 / 43
![Page 14: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/14.jpg)
Public-key cryptography
I based on mathematical problems believed to be hardI proofs often only in the weaker random oracle modelI only authenticated channels needed for key exchange, not
privateI less keys requiredI orders of magnitude slower
Problems believed to be hardI RSA assumption based on integer factorizationI discrete logarithm and Diffie-Hellman assumption
I elliptic curvesI El Gamal encryptionI Digital Signature Standard/Algorithm
13 / 43
![Page 15: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/15.jpg)
Public-key cryptography
private-keyI encryptionI message
authentication codesI hash functions
public-keyI encryptionI signaturesI key exchange
14 / 43
![Page 16: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/16.jpg)
Uses
I encryptionI encrypt with public key of key ownerI decrypt with private key
I signaturesI sign with private keyI verify with public key of key ownerI authentication with non-repudiation
I key exchangeI protect past sessions against key compromise
Encryption and signing have nothing to do with each other.
15 / 43
![Page 17: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/17.jpg)
Uses
I encryptionI encrypt with public key of key ownerI decrypt with private key
I signaturesI sign with private keyI verify with public key of key ownerI authentication with non-repudiation
I key exchangeI protect past sessions against key compromise
Encryption and signing have nothing to do with each other.
15 / 43
![Page 18: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/18.jpg)
Public-key encryption scheme
1. (pk, sk)← Gen(1n), security parameter 1n
2. c ← Encpk(m)3. m := Decsk(c)
We may need to map the plaintext onto the message space.
16 / 43
![Page 19: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/19.jpg)
RSA primitiveTextbook RSA0.0 (N, p, q)← GenModulus(1n)0.1 φ(N) := (p − 1)(q − 1)0.2 find e: gcd(e, φ(N)) = 10.3 d := [e−1 mod φ(N)]1. public key pk = 〈N, e〉2. private key sk = 〈N, d〉
operations:
1. public key operation on a value y ∈ Z∗Nz := [y e mod N]we denote z := RSApk(y)
2. private key operation on a value z ∈ Z∗Ny := [zd mod N]we denote y := RSAsk(z) 17 / 43
![Page 20: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/20.jpg)
RSA assumption
steps
1. choose uniform x ∈ Z∗N2. A is given N, e, and [x e mod N]
assumptionInfeasable to recover x .
18 / 43
![Page 21: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/21.jpg)
Chosen-plaintext attack
A
(pk, sk)← Gen(1n)
c ← Encpk(m)
......
b ← {0, 1}
pk
m
c
m0,m1
Encpk (mb)
A
c ← Encpk(m)
......
m
c
output bit b′
19 / 43
![Page 22: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/22.jpg)
Security of RSAI textbook RSA is deterministic → must be insecure against CPA⇒ textbook RSA is not secureI can be used to build secure encryption functions with
appropriate encoding scheme
We want a construction with proof:I use the RSA functionI breaking the construction implies ability to factor large
numbersI “breaks RSA assumption”I factoring belived to be difficult (assumption!)
I secure at least against CPA
armoring (“padding”) schemes needed
I attacks exist, but used often: PKCS #1 v1.5I better security: PKCS #1 v2.1/v2.2 (OAEP)
20 / 43
![Page 23: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/23.jpg)
Chosen-ciphertext attackA
(pk, sk)← Gen(1n)
m := Decsk(c)
......
b ← {0, 1}
pk
c
m
m0,m1
Encpk (mb)
A
m := Decsk(c)
......
c
m
output bit b′
Adversary may not request decryption of Encpk(mb) itself.
21 / 43
![Page 24: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/24.jpg)
Chosen-ciphertext attackA
(pk, sk)← Gen(1n)
m := Decsk(c)
......
b ← {0, 1}
pk
c
m
m0,m1
Encpk (mb)
A
m := Decsk(c)
......
c
m
output bit b′
Adversary may not request decryption of Encpk(mb) itself.
21 / 43
![Page 25: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/25.jpg)
Chosen-ciphertext attackA
(pk, sk)← Gen(1n)
m := Decsk(c)
......
b ← {0, 1}
pk
c
m
m0,m1
Encpk (mb)
A
m := Decsk(c)
......
c
m
output bit b′
Adversary may not request decryption of Encpk(mb) itself.21 / 43
![Page 26: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/26.jpg)
Chosen-ciphertext attackA
(pk, sk)← Gen(1n)
m := Decsk(c)
......
b ← {0, 1}
pk
c
m
m0,m1
Encpk (mb)
A
m := Decsk(c)
......
c
m
output bit b′
Adversary may not request decryption of Encpk(mb) itself.21 / 43
![Page 27: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/27.jpg)
Chosen-ciphertext attackA
(pk, sk)← Gen(1n)
m := Decsk(c)
......
b ← {0, 1}
pk
c
m
m0,m1
Encpk (mb)
A
m := Decsk(c)
......
c
m
output bit b′
Adversary may not request decryption of Encpk(mb) itself.21 / 43
![Page 28: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/28.jpg)
Optimal asymmetric encryption padding
m0m1
m||0k1 r ← {0, 1}k0
G
⊕
H
⊕
m := m0||m1c := RSApk(m)
recall: c := [me mod N]22 / 43
![Page 29: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/29.jpg)
Discussion
A proof exists with
assumptions:I G , H hash functions with random oracle propertyI RSA assumption: RSA is one-way
result:⇒ RSA-OAEP secure against CCAI negligible probability
23 / 43
![Page 30: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/30.jpg)
Signature scheme
1. (pk, sk)← Gen(1n)2. σ ← Signsk(m)3. b := Vrfypk(m, σ)
b = 1 means valid, b = 0 invalid
24 / 43
![Page 31: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/31.jpg)
Signatures
I (often) slower than MACsI non-repudiationI verify OS packages
RSA signaturesI RSA not a secure signature functionI PKCS #1 v1.5I use RSASSA-PSS
25 / 43
![Page 32: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/32.jpg)
Adaptive chosen-message attack
A
(pk, sk)← Gen(1n)
σ ← Signsk(m)
......
output (m′, σ′)
pk
m
(m, σ)
I let Q be the set of all queries mI A succeeds, iff Vrfypk(m′, σ′) = 1 and m′ /∈ Q
26 / 43
![Page 33: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/33.jpg)
Goal
I signature function using RSAI breaking signature function implies breaking the RSA
assumptionI proof
27 / 43
![Page 34: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/34.jpg)
RSASSA-PSS m
SHA2
hash
salt SHA2
⊕ MGF
masked data block hash
RSAsk(·)
pad1 salt
pad2
0xBC
28 / 43
![Page 35: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/35.jpg)
Overview: signatures using RSA
sign
sk m
σ
verify
pkm′
σ
valid/invalid
m, σ m′, σ
Signsk(m) :
em ← PSS(m) // encodingσ := RSAsk(em)
Vrfypk(m′, σ) :
em := RSApk(σ)salt := recover -PSS-salt(em)em′ := PSS(m′, salt)em′ ?= em
29 / 43
![Page 36: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/36.jpg)
Discussion
A proof exists with
assumptions:I random oracle modelI RSA assumption: RSA is one-way
result:⇒ RSA-PSS existentially unforgeable under adaptive
chosen-message attackI negligible probability
30 / 43
![Page 37: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/37.jpg)
Combining signatures and encryption
Goal: S sends message m to R , assuring:I secrecyI message came from S
encrypt-then-authenticateI 〈S, c,SignskS (c)〉I attacker A executes CCA: 〈A, c, SignskA(c)〉
successful attack
31 / 43
![Page 38: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/38.jpg)
Combining signatures and encryption
Goal: S sends message m to R , assuring:I secrecyI message came from S
encrypt-then-authenticateI 〈S, c,SignskS (c)〉I attacker A executes CCA: 〈A, c, SignskA(c)〉 successful attack
31 / 43
![Page 39: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/39.jpg)
Signcryption cont’d
authenticate-then-encryptI σ ← SignskS (m)I 〈S,EncekR (m||σ)〉I Malicious R to R’: 〈S,EncekR′ (m||σ)〉
successful attack
solution for AtEI compute σ ← SignskS (m||R)
32 / 43
![Page 40: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/40.jpg)
Signcryption cont’d
authenticate-then-encryptI σ ← SignskS (m)I 〈S,EncekR (m||σ)〉I Malicious R to R’: 〈S,EncekR′ (m||σ)〉 successful attack
solution for AtEI compute σ ← SignskS (m||R)
32 / 43
![Page 41: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/41.jpg)
Perfect forward securityAssume
I long-term (identity) keysI session keys (for protecting one connection)
IdeaI attacker captures private-key encrypted trafficI later: an endpoint is compromised → keys are compromised
We want: security of past connections should not be broken.
Perfect forward securityprotection of past sessions against:
I compromise of session keyI compromise of long-term key
33 / 43
![Page 42: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/42.jpg)
Decisional Diffie-Hellman assumptionAlice Bob
compute s compute s
DHa
DHb
[store transcript]
C A
b ← {0, 1}if b = 0 : s := s,else: s random←−−−−
output b′
s, transcript
34 / 43
![Page 43: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/43.jpg)
Textbook Diffie-Hellman key exchangeI p primeI generator g (primitive root for cyclic group of Zp):{g0, g1, g2, . . . } = {1, 2, . . . , p − 1}
a← Zp b ← Zp
X := ga mod p
s := Y a mod pk := KDF (s)
Y := gb mod p
s := Xb mod pk := KDF (s)
(p, g , X )
Y
I Y a = gba = gab = Xb mod pI insecure for certain weak values
35 / 43
![Page 44: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/44.jpg)
Elliptic curve Diffie-Hellman key exchange: X25519
I p = 2255 − 19I E (Fp × Fp)I E : y2 = x3 + 486662x2 + x
a← {0, 1}255 b ← {0, 1}255
A := aG
B := bG
s := aBk := KDF (sx )
s := bAk := KDF (sx )
A
B
(Other ECDH cryptosystems will need additional verification steps.)
36 / 43
![Page 45: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/45.jpg)
Perfect forward security
I generate new DH key for each connectionI wipe old shared keys
Compromise of long term keys in combination with eavesdroppingdoes not break security of past connections anymore!
37 / 43
![Page 46: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/46.jpg)
Hybrid approachPublic-key cryptography
I valuable propertiesI slow
Hybrid encryptionI protect shared key with public-key cryptographyI protect bulk traffic with private-key cryptography
Example
k ← {0, 1}n
w ← Encpk(k)c0 ← Enck(msg0)c1 ← Enck(msg1) transmit: 〈w , c0, c1〉 38 / 43
![Page 47: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/47.jpg)
Combining private-key and public-key methods in protocols
e. g.:
handshakeI Diffie-Hellman key exchangeI signatures for entity authenticationI key derivationI . . .
transportI private-key authenticated encryptionI replay protection
39 / 43
![Page 48: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/48.jpg)
Key size equivalents
private-key hash output RSA DLOG EC
128 256 3072 3072 256 near term256 512 15360 15360 512 long term
ENISA report, Nov. 2014
openssl on my E5-1630, ops/s (very unscientific):I 175 sig RSA4096I 1773 sig RSA2048I 10990 vrfy ECDSAp256
40 / 43
![Page 49: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/49.jpg)
Considerations
I different keys for different purposesI algorithms from competitions: eSTREAM, PHC, AES, SHA,
CAESARI e. g. Salsa20, AES
I keysizes: ENISA, ECRYPT2, Suite B, keylength.comI e. g. ECRYPT2: RSA keys ≥ 3248 bit
I keys based on passwords: Argon2, scrypt, bcrypt, PBKDF2
In networking, timing is not “just a side channel”. Demandconstant-time implementations.
41 / 43
![Page 50: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/50.jpg)
What has to go right
algorithms
protocol design
implementation
library API design
deployment & correct usage
cryptographic security
software security, side channel
insipired by Matthew D. Green, Pascal Junod
42 / 43
![Page 51: Network security - Modern cryptography for communications ...](https://reader031.fdocuments.in/reader031/viewer/2022012410/616a62ac11a7b741a351eb45/html5/thumbnails/51.jpg)
Words of cautionlimits
I crypto will not solve your problemI only a small part of a secure systemI don’t implement yourself
difficult to solve problemsI trust / key distribution
I revocationI ease of use
many requirements remainingI replayI timing attackI endpoint security
43 / 43