Brief Overview of Cryptography

Brief Overview of

Cryptography

Outline

 cryptographic primitives

– symmetric key ciphers

• block ciphers

• stream ciphers

– asymmetric key ciphers

– cryptographic hash functions

 protocol primitives

– block cipher operation modes – “enveloping”

– message authentication codes – digital signatures

 key management protocols

– session key establishment with symmetric and asymmetric key techniques

– Diffie-Hellman key exchange and the man-in-the-middle attack

– public key certification

C ry p to gr a p hi c pr im iti ve s

E E D D

x

plaintext

k

encryption key

k’

decryption key E_k(x)

ciphertext D_k’ (E_k(x)) = x

attacker

Operational model of encryption

 Kerckhoff’s assumption:

– attacker knows E and D

– attacker doesn’t know the (decryption) key

 attacker’s goal:

– to systematically recover plaintext from ciphertext – to deduce the (decryption) key

 attack models:

– ciphertext-only – known-plaintext

– (adaptive) chosen-plaintext – (adaptive) chosen-ciphertext

block ciphers

block cipher block cipher

plaintext ciphertext

padding key

Symmetric key encryption

 it is easy to compute k from k’ (and vice versa)

 often k = k’

 two main types: stream ciphers and block ciphers

pseudo-random bit stream generator

pseudo-random bit stream generator

...

+ ...

stream ciphers

p to gr a p hi c pr im iti ve s

One-time pad – theoretical vs.

practical security



one-time pad

– a stream cipher where the key stream is a true random bit stream

– unconditionally secure (Shannon, 1949)

– however, the key must be as long as the plaintext to be encrypted



practical ciphers

– use much shorter keys

– are not unconditionally secure, but computationally infeasible to break

– however, proving that a cipher is computationally secure is not easy

• not enough to consider brute force attacks (key size) only

• a cipher may be broken due to weaknesses in its (algebraic) structure

– no proofs of security exist for many ciphers used in practice – if a proof exists, it usually relies on assumptions that are

widely believed to be true (such as P  NP)

C ry p to gr a p hi c pr im iti ve s

DES – Data Encryption Standard

 input size: 64, output size: 64, key size: 56

 16 rounds

 Feistel structure

– F need not be invertible – decryption is the same

as encryption with

reversed key schedule (hardware

implementation!)

Initial Permutation Initial Permutation

FF

+

FF

+

FF

+

FF

+

…

Initial Permutation^-1

(64)

(32) (32)

(48)

(48)

(48)

(48)

Key Scheduler

(56)

K K₁

K₂

K₁₆ K₃ X

ry p to gr a p hi c pr im iti ve s

DES round function F

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S7S7 S8S8

PP

 Si – substitution box (S-box) (look-up table)

 P – permutation box (P-box)

C ry p to gr a p hi c pr im iti ve s

DES key scheduler

Permuted Choice 1 Permuted Choice 1

Permuted Choice 2 Permuted Choice 2 Left shift(s) Left shift(s)

Permuted Choice 2 Permuted Choice 2 Left shift(s) Left shift(s)

…

(28) (56)

K

(28)

(28) (28)

(48)

(48)

K₁

K₂

 each key bit is used in around 14 out of 16 rounds

p to gr a p hi c pr im iti ve s

AES – Advanced Encryption Standard

 NIST selected Rijndael (designed by Joan

Daemen and Vincent Rijmen) as a successor of DES (3DES) in November 2001

 Rijndael parameters

– key size 128 192 256

– input/output size 128 128 128 – number of rounds 10 12 14 – round key size 128 128 128

 not Feistel structure

 decryption algorithm is different from encryption algorithm (optimized for encryption)

 single 8 bit to 8 bit S-box

 key injection (bitwise XOR)

C ry p to gr a p hi c pr im iti ve s

General structure of Rijndael encryption/decryption

p to gr a p hi c pr im iti ve s

add round key substitute bytes

shift rows mix columns add round key

substitute bytes shift rows mix columns add round key substitute bytes

shift rows add round key

plaintext

add round key inverse subs bytes

inverse shift rows inverse mix columns

add round key inverse subs bytes

inverse shift rows

inverse mix columns add round key inverse subs bytes

inverse shift rows add round key

plaintext w[0..3]

w[4..7]

w[36..39]

w[40..43]

expanded key

round 1round 9round 10 round 1round 9round 10

Rijndael – Shift row and mix column

C ry p to gr a p hi c pr im iti ve s

s₀₀ s₁₀ s₂₀ s₃₀

s₀₁ s₁₁ s₂₁ s₃₁

s₀₂ s₁₂ s₂₂ s₃₂

s₀₃ s₁₃ s₂₃ s₃₃

s₀₀ s₁₁ s₂₂ s₃₃

s₀₁ s₁₂ s₂₃ s₃₀

s₀₂ s₁₃ s₂₀ s₃₁

s₀₃ s₁₀ s₂₁ s₃₂

LROT1 LROT2 LROT3

shift row

s₀₀ s₁₀ s₂₀ s₃₀

s₀₁ s₁₁ s₂₁ s₃₁

s₀₂ s₁₂ s₂₂ s₃₂

s₀₃ s₁₃ s₂₃ s₃₃

s’₀₀ s’₁₀ s’₂₀ s’₃₀

s’₀₁ s’₁₁ s’₂₁ s’₃₁

s’₀₂ s’₁₂ s’₂₂ s’₃₂

s’₀₃ s’₁₃ s’₂₃ s’₃₃

mix column

2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2

x =

multiplications and additions are performed over GF(2⁸)

Rijndael – Key expansion

p to gr a p hi c pr im iti ve s

k₀ k₁ k₂ k₃

k₄ k₅ k₆ k₇

k₈ k₉ k₁₀ k₁₁

k₁₂ k₁₃ k₁₄ k₁₅

w₀ w₁ w₂ w₃

w₄ w₅ w₆ w₇

+

gg

+ + +

w₈ w₉ w₁₀ w₁₁

+

gg

+ + +

… function g

- rotate word - substitute bytes

- XOR with round constant

RC4 stream cipher



initialization (input: a seed K of keylen bytes)

for i = 0 to 255 do S[i] = i;

T[i] = K[i mod keylen];



initial permutation

j = 0;

for i = 0 to 255 do

j = (j + S[i] + T[i]) mod 256;

swap(S[i], S[j]);



stream generation (output: a stream of pseudo- random bytes)

i, j = 0;

while true

i = (i + 1) mod 256;

j = (j + S[i]) mod 256;

swap(S[i], S[j]);

t = (S[i] + S[j]) mod 256;

output S[t];

C ry p to gr a p hi c pr im iti ve s

Asymmetric key encryption

 breakthrough of Diffie and Hellman, 1976

 it is hard (computationally infeasible) to compute k’ from k

 k can be made public (public-key cryptography)

E E D D

x

plaintext

k

encryption key

k’

decryption key E_k(x)

ciphertext D_k’ (E_k(x)) = x

attacker

p to gr a p hi c pr im iti ve s

RSA (Rivest, Shamir, Adleman, 1978)

 basis

– computing x^e mod n is easy but x^1/e mod n is hard (n is composite)

– intractability of integer factoring

 key generation

– select p, q large primes (about 500 bits each) – n = pq, (n) = (p-1)(q-1)

– select e such that 1 < e < (n) and gcd(e, (n)) = 1

– compute d such that ed mod (n) = 1 (this is easy if p and q are known)

– public key is (e, n) – private key is d

 encryption

c = m^e mod n where m < n is the message

 decryption

c^d mod n = m

C ry p to gr a p hi c pr im iti ve s

Proof of RSA decryption

 Fermat’s theorem

Let r be a prime. If gcd(a, r) = 1, then a

mod r = 1.

 Euler’s generalization

For every a and n where gcd(a, n) = 1, a

mod n

= 1.

 RSA decryption

c

mod n

= (m

mod n)

mod n

= m

mod n

= m

mod n

= m*(m

)

mod n

= m*(m

mod n)

mod n

= m mod n = m

p to gr a p hi c pr im iti ve s

Proof of RSA decryption cont’d

 RSA decryption if gcd(m, n) > 1

– either p|m or q|m

– assume without loss of generality that p|m – note that in this case, q|m cannot hold since

otherwise m  pq = n

– this means that gcd(m, q) = 1 c^d mod p = m^ed mod p = 0

c^d mod q = m^ed mod q = mk(p-1)(q-1)+1 mod q = m*(m ^(q-

1)) ^k(p-1) mod q =

m*(m ^(q-1) mod q) ^k(p-1) mod q = m mod q

 p,q|(c^d – m)

 c^d – m = spq = sn

 c^d = sn + m

 c^d mod n = m mod n = m

Cryptographic hash functions

 requirements

– one-way: given a hash value y, it is computationally infeasible to find a message x such that h(x) = y

– weak collision resistance: given a message x, it is computationally infeasible to find another message x’ such that h(x) = h(x’)

– (strong) collision resistance: it is computationally infeasible to find two messages x and x’ such that h(x) = h(x’)

message of arbitrary length

fix length

message digest / hash value / fingerprint

p to gr a p hi c pr im iti ve s

hash function hash function

How long should a hash value be?

 birthday paradox

– P(n, k) = Pr{ there exists at least one duplicate among k items where

each item can take on one of n equally likely values}

– P(n, k) > 1 – exp( -k*(k-1)/2n )

– Q: What value of k is needed such that P(n, k) > 0.5 ? – A: k should approximately be n^0.5

– e.g., P(365, 23) > 0.5

 birthday paradox applied to hash function h

– n is the number of possible hash values

– one can find a collision among n^0.5 messages with probability greater than 0.5

– if output size of h is 64 bits, then n^0.5 is 2³²  too small – output size should be at least 128 but 160 is even

better

C ry p to gr a p hi c pr im iti ve s

General structure of hash functions

 if the compression function f is collision resistant, then so is the iterated hash function (Merkle and Damgard, 1989)

 if necessary, the final block is padded to b bits

 the final block also includes the total length of the input (this makes the job of an attacker

more difficult)

ff

X₁

CV₀

(b)

(n) (n)

CV₁ ff

X₂

(b)

(n)

CV₂ ff

X₃

(b)

(n)

CV₃ CV_L-1 ff

X_L

(b)

(n) h(X)

…

p to gr a p hi c pr im iti ve s

SHA1 – Secure Hash Algorithm

 output size (n): 160 bits

 input block size (b): 512 bits

 padding is always used

 CV

A = 67 45 23 01 B = EF CD AB 89 C = 98 BA DC FE D = 10 32 54 76 E = C3 D2 E1 F0

C ry p to gr a p hi c pr im iti ve s

10000000 … 00000 ^length

512 bits

64 bits

last input block

SHA1 compression function f

ry p to gr a p hi c pr im iti ve s

f[0..19], K[0..19], W[0..19]

20 steps

f[0..19], K[0..19], W[0..19]

20 steps

f[20..39], K[20..39], W[20..39]

20 steps

f[20..39], K[20..39], W[20..39]

20 steps

f[40..59], K[40..59], W[40..59]

20 steps

f[40..59], K[40..59], W[40..59]

20 steps

f[60..79], K[60..79], W[60..79]

20 steps

f[60..79], K[60..79], W[60..79]

20 steps

+ + + + +

A B C D E

A B C D E

A B C D E

CV_{i - 1}

(5 x 32 = 160)

X_i

(512)

mod 2³² additions

SHA1 compression function f cont’d

C ry p to gr a p hi c pr im iti ve s

LROT5 LROT5

+

LROT30 LROT30

f[t]f[t]

+ + +

A B C D E

A B C D E

W[t]

K[t]

mod 2³² additions

SHA1 compression function f cont’d

 f[t](B, C, D)

t = 0..19 f[t](B, C, D) = (B  C)  (B  D) t = 20..39 f[t](B, C, D) = B  C  D

t = 40..59 f[t](B, C, D) = (B  C)  (B  D)  (C  D) t = 60..79 f[t](B, C, D) = B  C  D

 W[t]

W[0..15] = Xi

t = 16..79 W[t] = LROT1(W[t-16]  W[t-14]  W[t- 8]  W[t-3])

 K[t]

t = 0..19 K[t] = 5A 82 79 99 [2³⁰ x 2^1/2] t = 20..39 K[t] = 6E D9 EB A1 [2³⁰ x 3^1/2] t = 40..59 K[t] = 8F 1B BC DC [2³⁰ x 5^1/2] t = 60..79 K[t] = CA 62 C1 D6 [2³⁰ x 10^1/2]

p to gr a p hi c pr im iti ve s

Block cipher operation modes – ECB

 Electronic Codebook (ECB)

– encrypt

– decrypt

P ro to co l p ri m iti ve s

EE

P₁

C₁

K EE

P₂

C₂

K EE

P_N

C_N

… K

DD

C₁

P₁

K DD

C₂

P₂

K DD

C_N

P_N K

…

Block cipher operation modes – CBC

 Cipher Block Chaining (CBC)

– encrypt

– decrypt

EE

P₁

C₁ K

+

EE

P₂

C₂ K

+

EE

P₃

C₃ K

+

EE

P_N

C_N-1 K

IV C_N-1 +

…

DD

C₁ K

IV +

DD

C₂ K

+

DD

C₃ K

+

DD

C_N K

+ C_N-1

to co l p ri m iti ve s

Block cipher operation modes – CFB

 Cipher Feedback (CFB)

– encrypt – decrypt

EE

P_i C_i

K

+

shift register (n)

(n)

select s bits select s bits

(n)

(s)

(s) (s)

(s)

initialized with IV

EE

C_i P_i

K

+

shift register (n)

(n)

select s bits select s bits

(n)

(s)

(s) (s)

(s)

initialized with IV

P ro to co l p ri m iti ve s

Block cipher operation modes – OFB

 Output Feedback (OFB)

– encrypt – decrypt

EE

P_i C_i

K

+

shift register (n)

(n)

select s bits select s bits

(n)

(s)

(s) (s)

(s)

initialized with IV

EE

C_i P_i

K

+

shift register (n)

(n)

select s bits select s bits

(n)

(s)

(s) (s)

(s)

initialized with IV

to co l p ri m iti ve s

Block cipher operation modes – CTR

 Counter (CTR)

– encrypt – decrypt

– advantages

• efficiency (parallelizable)

• random access (the i-th block can be decrypted independently of the others)

• preprocessing (the values to be XORed with the plaintext can be pre-computed)

• security (at least as secure as the other modes)

• simplicity (does not need the decryption algorithm)

EE

P_i C_i

K

+

(n)

(n) (n)

counter + i

(n)

EE

C_i P_i

K

+

(n)

(n) (n)

counter + i

(n)

P ro to co l p ri m iti ve s

Enveloping

 public-key encryption is slow (~1000 times slower than symmetric key encryption)

 it is mainly used to encrypt symmetric bulk encryption keys

to co l p ri m iti ve s

generate random symmetric key generate random

symmetric key symmetric-key

cipher (in CBC mode) symmetric-key

cipher (in CBC mode)

plaintext message

public key of the receiver

asymmetric-key cipher

asymmetric-key cipher

digital envelop

bulk encryption key

Message Authentication Codes (MAC)

 used to protect the integrity of messages

 also called cryptographic checksums

 computation of a MAC involves a secret (shared key)

 can be based on an encryption function E

Y

= E

(X

)

Y

= E

(X

+ Y

) MAC

(X) = Y

 or a hash function h

MAC

(X) = h(X|K)

 or both

MAC

(X) = E

(h(X))

P ro to co l p ri m iti ve s

HMAC

 definition

HMACK(X) = h( (K⁺ + opad) | h( (K⁺ + ipad) | X ) ) where

– h is a hash function with input block size b and output size n

– K⁺ is K padded with 0s on the left to obtain a length of b bits

– ipad is 00110110 repeated b/8 times – opad is 01011100 repeated b/8 times – + is XOR and | is concatenation

 design objectives

– to use available hash functions

– easy replacement of the embedded hash function – preserve performance of the original hash function – handle keys in a simple way

to co l p ri m iti ve s

Digital signatures

 similar to MACs but

– unforgeable by the receiver – verifiable by a third party

 used for message authentication and non- repudiation (of message origin)

 based on public-key cryptography

– signature generation is based on the private key of the sender

– signature verification is based on the public key of the sender

 example: RSA based digital signature

– public key: (e, n); private key: (d, n)

– signature generation (input: m; output: )

(m) = m^d mod n

– signature verification (input: , m; output: yes/no)

^e mod n = m?

P ro to co l p ri m iti ve s

“Hash and sign” paradigm

 motivation: public/private key operations are slow

 approach: hash the message first and apply public/private key operations to the hash only

to co l p ri m iti ve s

hh encenc

private key of sender

message hash signature

hh

message hash

decdec

public key of sender

signature

compare compare generationverification

ElGamal signature scheme

 key generation

– generate a large random prime p and select a generator g of Z

*

– select a random integer 0 < a < p-1 – compute A = g

mod p

– public key: ( p, g, A ) private key: a

 signature generation for message m

– select a random secret integer 0 < k < p – 1 such that gcd(k, p – 1) = 1

– compute k

mod (p – 1) – compute r = g

mod p

– compute s = k

( h(m) – ar ) mod (p – 1) – signature on m is (s, r)

P ro to co l p ri m iti ve s

ElGamal signature scheme cont’d

 signature verification

– obtain the public key (p, g, A) of the signer – verify that 0 < r < p; if not then reject the

signature

– compute v

= A

r

mod p – compute v

= g

mod p

– accept the signature iff v

= v

 proof that signature verification works

s  k

( h(m) – ar ) (mod p – 1) ks  h(m) – ar (mod p – 1)

h(m)  ks + ar (mod p – 1)

g

 g

 (g

)

(g

)

 A

r

(mod p) thus, v

= v

is required

to co l p ri m iti ve s

How to establish a shared symmetric key?

 manually

– pairwise symmetric keys are established manually – inflexible and doesn’t scale

 with symmetric-key cryptography

– long-term symmetric keys are established manually between each user and a Key Distribution Center (KDC)

– cryptographic protocols that use these long-term keys are used to setup short-term (session) keys – the KDC must be fully trusted

 with asymmetric-key cryptography

– the symmetric key is encrypted with the public key of the intended receiver

– how to obtain an authentic copy of the public key of the receiver?

K e y m an ag e m e n t

y m an ag e m e n t

A, { B, K_ab, T_a }_Kas

{ A, K_ab, T_s }_Kbs

A S B

generate K_ab

S B

M

(impersonating A and B)

B, { A, K_ab, T_s }_Kbs { B, K_ab, T_s’ }_Kas

A, { B, K_ab, T_s’ }_Kas { A, K_ab, T_s’’ }_Kbs

...

The Wide-Mouth-Frog protocol

 a vulnerability

The Needham-Schroeder protocol (1978)

 Denning and Sacco attack (1981)

– message 3 doesn’t contain anything fresh for B

– an attacker can cryptanalyze an old session key Kab and replay message 3 to B

– the attacker can finish the protocol

– B will think he shares a key K_ab with A, but A is not involved at all

K e y m an ag e m e n t

A, B, N_a

{ N_a, B, K_ab, {K_ab, A}_Kbs }_Kas

S A B

generate K_ab

{ K_ab, A }_Kbs { N_b }_Kab { N_b -1}_Kab

Public-key Needham-Schroeder (1978)



since N

and N

are known only to A and B, one may suggest that they can generate a key as f(N

, N

)



Lowe’s attack (1995)

A B

{ A, N_a }_Kb { N_a, N_b }_Ka

{ N_b }_Kb

A B

{ A, N_a }_Km

{ N_a, N_b }_Ka

{ N_b }_Km

M

{ A, N_a }_Kb

{ N_a, N_b }_Ka

{ N_b }_Kb

y m an ag e m e n t

generate random number 0 < a < p-1

and calculate A = g^a mod p generate random number 0 < a < p-1

and calculate A = g^a mod p

generate random number 0 < b < p-1

and calculate B = g^b mod p generate random number 0 < b < p-1

and calculate B = g^b mod p

calculate

K= B^a mod p = g^ab mod p calculate

K= B^a mod p = g^ab mod p calculate

K= A^b mod p = g^ab mod p calculate

K= A^b mod p = g^ab mod p

Diffie-Hellman key exchange (1976)

Initially known:

p large prime

g generator of Z_p*

A B

Alice Bob

K e y m an ag e m e n t

Man-in-the-middle attack

 consider the following protocol

 the MiM attack

A B

A, K_a { message }_Ka

A, K_a

{ message }_Ka

A M B

A, K_m

{ message }_Km

y m an ag e m e n t

Public-key certificates

 a certificate is data structure that contains

– the public key

– name of the owner of the public key – name of the issuer

– date of issuing – expiration date

– possibly other data

– signature of the issuer

 issuers are usually trusted third parties called Certification Authorities (CA)

– need not be on-line

 certificates are distributed through on-line databases called Certificate Directories

– need not be trusted

K e y m an ag e m e n t

Single CA

 every public key is certified by a single CA

 each user knows the public key of the CA

 each user can verify every certificate

 note: the CA must be trusted for issuing correct certificates

 problem: doesn’t scale

CA

…

structures

Certificate chains

 first certificate can be verified with a known public key

 each further certificate can be verified with the public key from the previous certificate

 last certificate contains the target key (Bob’s public key)

 note: every issuer in the chain must be trusted (CA0, CA1, CA2)

CA1 K_CA1

K_CA0^-1

CA2 K_CA2

K_CA1^-1

Bob K_Bob

K_CA2^-1

K_CA0

CA structures

CA structures

CA₀

CA₁ CA₂ CA₃

CA₁₁ CA₁₂ CA₂₃ CA₃₁ CA₃₂

 each user knows the public key of the root CA

Alice Bob

structures

CA structures cont’d

 each user knows the public key of its local CA

CA₀

CA₁ CA₂ CA₃

CA₁₁ CA₁₂ CA₂₃ CA₃₁ CA₃₂

Alice Bob

CA structures

CA structures cont’d

 each user knows the public key of her root CA

CA₁ CA₃

CA₁₁ CA₁₂ CA₂ CA₃₁ CA₃₂

Alice Bob

structures