Cryptography and SSL in Smalltalk - StS 2003

Cryptography and SSLCryptography and SSLin Smalltalkin Smalltalk

Martin Kobetic

Cincom Smalltalk Development

January 2003

CryptographyCryptography

bag of tricks ever growing lists of weaknesses fortune telling the “weakest link” tragedy

CryptographyCryptography

best tricks known (publicly) serious mathematical foundations astronomic margins public peer review competitive standardization (AES)

Secure SolutionsSecure Solutions

mature components balanced “economics” implementation quality

threats, countermeasures, failure modes

deployment qualityinfrastructure, processes, personnel

Cryptographic ObjectivesCryptographic Objectives

confidentiality– encryption

integrity– message authentication codes (MAC)

authentication– signatures

EncryptionEncryption

E(P) = C & D(C) = P one-time pad symmetric (secret) key ciphers

– EK(P) = C & DK(C) = P

asymmetric (public) key ciphers– EK1(P) = C & DK2(C) = P

Secret Key CiphersSecret Key Ciphers

bulk data encryption constructed from simple operations for

speed (xor, shift, x + y mod n, ...) two fundamental classes

– stream ciphers (RC4)– block ciphers (DES/AES)

Secret Key CiphersSecret Key Ciphers

key := ‘secret key’ asByteArray.alice := ARC4 key: key.(ctxt := alice encrypt: ‘Hello’) asString

bob := ARC4 key: key.(bob decrypt: ctxt) asString

Secret Key CiphersSecret Key Ciphers

key strength (HW Brute Force 1995)

1012yrs3s.01s.2µs$1T

1015yrs1h13s.2ms$1G

1018yrs37d3.5h.2s$1M

1019yrs1yr35h2s$100K

128b64b56b40b

Stream CiphersStream Ciphers

time-varying transformation on individual plain-text digits

Pike, A5, RC4, SEAL key-stream generator

– produces: k1, k2, k3, ....

– ci = pi xor ki & pi = ci xor ki

– State S, NextState(S), Output(S) avoid key reuse!

leaked trade secret of RSA Security (1994) 256 byte S-Box; 2 counters i=j=0

RC4 (1992)RC4 (1992)

next key-stream byte:i = (i + 1) mod 256j = (j+Si) mod 256swap Si and Sj

t = (Si + Sj) mod 256K = St

S-Box initialization:S = 0, ..., 255K = 256B of replicated keyfor i=0 to 255: j = (j + Si + Ki) mod 256 swap Si and Sj

Stream Ciphers - KAKStream Ciphers - KAK

synchronous ciphers (KAK)– NextStateK(S)

– Output(S) noise contained preprocessing synchronization critical not parallelizable

Stream Ciphers - CTAKStream Ciphers - CTAK

self-synchronizing ciphers (CTAK)– NextState (Ci-n...i)

– OutputK(S) synchronization decryption parallelizable random access noise propagates encryption not parallelizable

Block CiphersBlock Ciphers

fixed transformation on blocks of plaintext(e.g 64, 128 bits)

DES, IDEA, CAST, Blowfish, RC2, RC5 basic transformation applied in rounds

DES (1977)DES (1977)

csrc.nist.gov: FIPS PUB 46 (1977) FIPS PUB 46-3 (1999)

– triple DES still approved– single DES legacy systems only

64 bit block size 56 bit key (64 bits with parity) 16 rounds using 48 bit subkeys

Block Ciphers - PaddingBlock Ciphers - Padding

alice := DES key: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.

alice := BlockPadding on: DES new.alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘Hello World!’.

Block Ciphers - PaddingBlock Ciphers - Padding

must be reversible pad with padding size (1-8)

– aka PKCS#5 padding

pad with bits “100…0” ciphertext stealing

– different for different modes (ECB, CBC)

some modes don’t need padding

Block Ciphers - ECBBlock Ciphers - ECB

electronic codebook mode

Ci = Ek(Pi)

Pi = Dk(Ci)

don’t use !

Block Ciphers - CBCBlock Ciphers - CBC

cipher block chaining mode

Ci = Ek(Pi xor Ci-1)

Pi = Ci-1 xor Dk(Ci)

initialization vector (IV)– isn’t secret but unique, random– timestamp, nonce, random nr

Block Ciphers - CBCBlock Ciphers - CBC

alice := CipherBlockChainingon: DES newiv: ‘nonce 8B’ asByteArray.

alice setKey: ‘secret8B’ asByteArray.alice encrypt: ‘a block a block ’.

Block Ciphers - OFBBlock Ciphers - OFB

output feedback mode Si = Ek(Si-1)

Ci = Pi xor Si

Pi = Ci xor Si

like synchronous stream cipher(OutputFeeback on: DES new)

setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray

Block Ciphers - CTRBlock Ciphers - CTR

counter mode

Si := Ek(Nonce || i)

Ci = Pi xor Si

Pi = Ci xor Si

OFB variant

Block Ciphers - CFBBlock Ciphers - CFB

cipher feedback mode

Ci = Pi xor Ek(Ci-1)

Pi = Ci xor Ek(Ci-1)

like self-synchronizing stream cipher

(CipherFeeback on: DES new)setKey: ‘secret8B’ asByteArray;setIV: ‘nonce 8B’ asByteArray

Block Ciphers - MixingBlock Ciphers - Mixing

interleaving– parallelizing “chained” modes

multiple encryption with single cipher– double encryption – no good– 3EDE (inner/outer CBC)

cascading different ciphers

Block Ciphers - MixingBlock Ciphers - Mixing

des3 := TrippleEDEOuterCBCfirst: DES newsecond: DES newthird: DES new.

des3 := DES new3EDE_CBC.des3 setKey: ’24bytes for 3 keys’ asByteArray.des3 setIV: ‘nonce 8B’ asByteArray.

AES (2001)AES (2001)

NIST FIPS PUB 197 (2001) - Rijndael 15 submissions (1998) 5 finalists: MARS, Serpent, Twofish, RC6 modes: ECB, CBC, CFB, OFB, CTR block size 128 bits key sizes 128, 192, 256 bits 10, 12, 14 rounds

Blowfish (1993)Blowfish (1993)

http://www.counterpane.com/blowfish.html block size 64-bits variable key size 32-448 bits not patented, royalty-free 2 parts: key expansion & data encryption 16 rounds, key dependent S-Boxes

Public Key CiphersPublic Key Ciphers

public and private key– hard to compute private from the public

based on “hard” problems– factoring, discrete logarithm

much slower key encryption/exchange, signing RSA, DSA, DH, ElGamal

Public Key CiphersPublic Key Ciphers

key lengths with similar “strength” (bits):symmetric:

asymmetric: 23041792768512384

128112806456

RSA (1977)RSA (1977)

RSA Security, PKCS #1modulus n = product of 2 large primes p, q

public: e = relatively prime to (p-1)(q-1)

private: d = e-1 mod ((p-1)(q-1))

C = Pe mod n [ P < n ] P = Cd mod n

RSARSA

keys := RSAKeyGenerator keySize: 512.alice := RSA new publicKey: keys publicKey.ctxt := alice encrypt: 'Hello World' asByteArray.ctxt asHexString

bob := RSA new privateKey: keys privateKey.(bob decrypt: ctxt) asString

Hash FunctionsHash Functions

one-way:hard to find the input for given output

collision resistant:hard to find two distinct inputs with the same output

data “finger-printing” MD2, MD4, MD5, SHA, RIPE-MD

Hash FunctionsHash Functions

unlimited input size >> fixed output size compression function:

M = M1, M2, ...

hi = f(Mi, hi-1)

MD-strengthening: include message length

Hash FunctionsHash Functions

(MD5 hash: 'Hello') asHexString

input := 'Hello World!' asByteArray readStream.sha := SHA new.sha updateWithNext: 5 from: input.sha updateFrom: input.sha digest asHexString

MD5 (1992)MD5 (1992)

http://www.ietf.org/rfc/rfc1321.txt (Ron Rivest) hash: 128-bits (16B) block: 512-bits (64B) padding: M | 10...0 | length (64bits)

SHA (1993)SHA (1993)

SHS - NIST FIPS PUB 180– hash: 160 bits (20B)– block: 512 bits (64B)– padding: M | 10...0 | length (64B)

FIPS 180-1: SHA-1 (1995) FIPS 180-2: SHA-256, 384, 512 (2002)

Message AuthenticationMessage Authentication

hash function with secret key (MAC) HMAC (RFC 2104, FIPS-198) (1997)

– H(K xor OPad, H(K xor IPad, text))– OPad = 0x5C[B], IPad = 0x36[B]– B = block size, K = key

CBC-MAC:– Hi = EK(Pi xor Hi-1);

– IV=0

HMACHMAC

alice := HMAC hash: SHA new.alice setKey: 'secret' asByteArray.(mac := alice hash: 'Hello World!') asHexString

bob := HMAC hash: SHA new.bob setKey: 'secret' asByteArray.mac = (bob hash: 'Hello World!')

Digital SignaturesDigital Signatures

authentic, non-reusable, unalterable RSA:

– signing:hash the plaintextencrypt digest with private key

– verifying:hash the plaintextdecrypt digest with public keycompare the digests

RSARSA

alice := RSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray.sig asHexString

bob := RSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray

DSA (1994)DSA (1994)

NIST FIPS PUB 186– p prime (modulus): (512 + k*64 <= 1024)– q prime factor of p – 1 (160 bits)– g > 1; g^q mod p = 1 (g has order q mod p)– x < q (private key)– y = g^x mod p (public key)

FIPS 186-1 (1998): RSA(X9.31) FIPS 186-2 (2000): ECDSA(X9.62) change notice 2001: revised PRNG

DSADSA

keys := DSAKeyGenerator keySize: 512.alice := DSA new privateKey: keys privateKey.sig := alice sign: 'Hello World' asByteArray

bob := DSA new publicKey: keys publicKey.bob verify: sig of: 'Hello World' asByteArray

Key ManagementKey Management

“keys are pain”:generation, transfer, verification, usage, updating, storing, backup, compromise, lifetime, destruction

public-key cryptography helps– session key exchange– public key distribution

Diffie-Hellman (1976)Diffie-Hellman (1976)

establishing a shared secret value http://www.ietf.org/rfc/rfc2631.txt modulus p: large prime (>512b)

generator g: primitive mod pprivate x: random 1 < x < ppublic y: g^x mod ppublic y’: other party’s yshared secret: y’^x mod p

Diffie-HellmanDiffie-Hellman

gen := DHParameterGenerator m: 160 l: 512.alice := DH p: gen p q: gen q.ya := alice computePublicValue.

bob := DH p: alice p g: alice g.yb := bob computePublicValue.ss := bob computeSharedSecretUsing: ya

ss = (alice computeSharedSecretUsing: yb)

Digital CertificatesDigital Certificates

data signed by a “trusted” third party public key, subject & issuer identification,

certificate identification, validity certificate hierarchies certificate chain validation certificate revocation

X.509X.509

RFC 2459 (1999) > RFC 3279, 3280 (2002) ASN.1 – DER encoding X.509v1: version, serial nr, issuer, validity,

subject, public key, signature X.509v2: issuer/subject UID X.509v3: extensions (basic constraints, key

usage, key identifiers, policies, ...)

Random NumbersRandom Numbers

random: passes all statistical tests secure: unpredictable without the seed RFC 1750 (Recommendations) FIPS-186-2 (DSS) yarrow (www.counterpane.com) entropy gathering

– /dev/urandom– EGD, EGADS

SSLSSL

Believe it or not, it uses all that !

to be continued