Foundations of Network and Foundations of Network and Computer SecurityComputer Security

JJohn Black

Lecture #9Sep 16th 2009

CSCI 6268/TLEN 5550, Fall 2009

Announcements

• Quiz #2 will be next Friday, Sep 25th – Will cover material up to next Weds 9/23

Birthday Paradox

• Need another method– Birthday paradox: if we have 23 people in a

room, the probability is > 50% that two will share the same birthday

– This happens because 23 is near the square root of 365

• Sqrt(365) ≈ 19.1• More on this in a moment

Birthday Paradox (cont)

• Let’s do the math– Let n equal number of people in the class– Start with n = 1 and count upward

• Let NBM be the event that there are No-Birthday-Matches• For n=1, Pr[NBM] = 1• For n=2, Pr[NBM] = 1 x 364/365 ≈ .997• For n=3, Pr[NBM] = 1 x 364/365 x 363/365 ≈ .991• …• For n=22, Pr[NBM] = 1 x … x 344/365 ≈ .524• For n=23, Pr[NBM] = 1 x … x 343/365 ≈ .493

– Since the probability of a match is 1 – Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%

Occupancy Problems

• What does this have to do with hashing?– Suppose each hash output is uniform and random on

{0,1}n

– Then it’s as if we’re throwing a ball into one of 2n bins at random and asking when a bin contains at least 2 balls

• This is a well-studied area in probability theory called “occupancy problems”

– It’s well-known that the probability of a collision occurs around the square-root of the number of bins

• If we have 2n bins, the square-root is 2n/2

Birthday Bounds

• This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2n/2

– This is known as the “birthday bound”– It’s impossible to do better, but quite easy to

do worse

• It is therefore hoped that it takes (264) work to find collisions in MD5 and (280) work to find collisions in SHA-1

The Birthday Bound1.0

Pro

bab

ilit

y

0.0

0.5

2n

Number of Hash Inputs

2n/2

More Recently

• At CRYPTO 2004 (August)– Collisions found in HAVAL, RIPEMD, MD4, MD5, and

SHA-0 (240 operations)• Wang, Feng, Lai, Yu• Only Lai is well-known

– HAVAL was known to be bad– Dobbertin found collisions in MD4 years ago– MD5 news is big!

• CU team lowered time-to-collision to 3 mins (July 2005)

– SHA-0 isn’t used anymore (but see next slide)

Collisions in SHA-0

T A << 5 + gt (B, C, D) + E + Kt + Wt

Wt = { t-th word of Mi 0 t 15( Wt-3 Wt-8 Wt-14 Wt-16 ) << 1 16 t 79

A H0i-1; B H1

i-1; C H2i-1; D H3

i-1; E H4i-1

for t = 1 to 80 do

E D; D C; C B >> 2; B A; A T

H0i H0

i-1; H1i A + H1

i-1; H2i C+ H2

i-1; H3

i D + H3i-1; H4

i E + H4i-1

endH0..4

i-1

65

not in SHA-0

M1, M1’

Collision!

What Does this Mean?

• Who knows– Methods are not yet understood– Will undoubtedly be extended to more attacks– Maybe nothing much more will happen– But maybe everything will come tumbling

down?!

• But we have OTHER ways to build hash functions

A Provably-Secure Blockcipher-Based Compression Function

E

Mi

hi-1hi

n bits

n bits

n bits

The Big (Partial) Picture

PrimitivesBlock Ciphers

Hash Functions

Hard Problems

Stream Ciphers

First-LevelProtocols

Symmetric Encryption

Digital Signatures

MAC Schemes

Asymmetric Encryption

Second-LevelProtocols

SSH, SSL/TLS, IPSecElectronic Cash, Electronic Voting

(Can do proofs)

(Can do proofs)

(No one knows how to prove security; make assumptions)

Review

• What MACs have we seen thus-far?– CBCMAC, XCBC, UMAC, HMAC

– HMAC led to a discussion on crypto hash functions• MD5, SHA-1 are examples• These functions are unkeyed• Our hope is that they are collision-resistant

– We’ll pick up with a construction of a hash function from a blockcipher

A Provably-Secure Blockcipher-Based Compression Function

E

Mi

hi-1hi

n bits

n bits

n bits

The Big (Partial) Picture

PrimitivesBlock Ciphers

Hash Functions

Hard Problems

Stream Ciphers

First-LevelProtocols

Symmetric Encryption

Digital Signatures

MAC Schemes

Asymmetric Encryption

Second-LevelProtocols

SSH, SSL/TLS, IPSecElectronic Cash, Electronic Voting

(Can do proofs)

(Can do proofs)

(No one knows how to prove security; make assumptions)

Symmetric vs. Asymmetric

• Thus far we have been in the symmetric key model– We have assumed that Alice and Bob share some

random secret string– In practice, this is a big limitation

• Bootstrap problem• Forces Alice and Bob to meet in person or use some

mechanism outside our protocol• Not practical when you want to buy books at Amazon

• We need the Asymmetric Key model!

Asymmetric Cryptography

• In this model, we no longer require an initial shared key– First envisioned by Diffie in the late 70’s– Some thought it was impossible– MI6 purportedly already knew a method– Diffie-Hellman key exchange was first public

system• Later turned into El Gamal public-key system

– RSA system announced shortly thereafter

But first, a little math…

• A group is a nonempty set G along with an operation # : G x G → G such that for all a, b, c ∈G– (a # b) # c = a # (b # c) (associativity)– ∃ e G such that e # a = a # e = a (identity)∈– ∃ a-1 G such that a # a∈ -1 = e (inverses)

• If a,b G, a # b = b # a we say the group is ∀ ∈“commutative” or “abelian”– All groups in this course will be abelian

Notation

• We’ll get tired of writing the # sign and just use juxtaposition instead– In other words, a # b will be written ab– If some other symbol is conventional, we’ll use it instead

(examples to follow)• We’ll use power-notation in the usual way

– ab means aaaaa repeated b times– a-b means a-1a-1a-1a-1 repeated b times– Here a G, b Z∈ ∈

• Instead of e we’ll use a more conventional identity name like 0 or 1

• Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably

Examples of Groups

• Z (the integers) under + ?• Q, R, C, under + ?• N under + ? • Q under x ?• Z under x ?• 2 x 2 matrices with real entries under x ?• Invertible 2 x 2 matrices with real entries under x ?

• Note all these groups are infinite – Meaning there are an infinite number of elements in them

• Can we have finite groups?

Finite Groups

• Simplest example is G = {0} under +– Called the “trivial group”

• Almost as simple is G = {0, 1} under addition mod 2

• Let’s generalize– Zm is the group of integers modulo m– Zm = {0, 1, …, m-1}– Operation is addition modulo m– Identity is 0– Inverse of any a Z∈ m is m-a– Also abelian

The Group Zm

• An example– Let m = 6– Z6 = {0,1,2,3,4,5}– 2+5 = 1– 3+5+1 = 3 + 0 = 3– Inverse of 2 is 4

• 2+4 = 0

• We can always pair an element with its inversea : 0 1 2 3 4 5a -1 : 0 5 4 3 2 1

• Inverses are always unique• An element can be its own inverse

– Above, 0 and 0, 3 and 3

Another Finite Group

• Let G = {0,1}n and operation is ⊕– A group?– What is the identity?– What is the inverse of a G?∈

• We can put some familiar concepts into group-theoretic notation:– Caesar cipher was just P + K = C in Z26

– One-time pad was just P K = C in the group ⊕just mentioned above

Multiplicative Groups

• Is {0, 1, …, m-1} a group under multiplication mod m?– No, 0 has no inverse

• Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m?– Hmm, try some examples…

• m = 2, so G = {1} X• m = 3, so G = {1,2} X• m = 4, so G = {1,2,3} oops!• m = 5, so G = {1,2,3,4} X

Multiplicative Groups (cont)

• What was the problem?– 2,3,5 all prime– 4 is composite (meaning “not prime”)

• Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime

Proof: →: suppose m is composite, then m = ab where a,b ∈

G and a, b 1. Then ab = m = 0 and G is not closed ←: follows from a more general theorem we state in a

moment

The Group Zm*

• a,b ∈ N are relatively prime iff gcd(a,b) = 1– Often we’ll write (a,b) instead of gcd(a,b)

• Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1} and operation is multiplication mod m yields a group– We name this group Zm

*

– We won’t prove this (though not too hard)– If m is prime, we recover our first theorem

Examples of Zm*

• Let m = 15– What elements are in Z15

*?• {1,2,4,7,8,11,13,14}

– What is 2-1 in Z15*?

• First you should check that 2 Z∈ 15*

• It is since (2,15) = 1

– Trial and error:• 1, 2, 4, 7, 8 X

– There is a more efficient way to do this called “Euclid’s Extended Algorithm”

• Trust me

Euler’s Phi Function

• Definition: The number of elements of a group G is called the order of G and is written |G|– For infinite groups we say |G| = 1– All groups we deal with in cryptography are finite

• Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function”– Note that |Zm

*| = (m)

– This follows immediately from the definition of ()

Evaluating the Phi Function

• What is (p) if p is prime?– p-1

• What is (pq) if p and q are distinct primes?– If p, q distinct primes, (pq) = (p)(q)– Not true if p=q– We won’t prove this, though it’s not hard

Examples

• What is (3)?– |Z3

*| = |{1,2}| = 2

• What is (5)?

• What is (15)?– (15) = (3)(5) = 2 x 4 = 8

– Recall, Z15* = {1,2,4,7,8,11,13,14}

LaGrange’s Theorem

• Last bit of math we’ll need for RSA

• Theorem: if G is any finite group of order n, then a G, a∀ ∈ n = 1– Examples:

• 6 Z∈ 22, 6+6+…+6, 22 times = 0 mod 22

• 2 Z∈ 15*, 28 = 256 = 1 mod 15

• Consider {0,1}5 under ⊕– 01011 2 {0,1}5, 0101132 = 0000016 =00000

– It always works (proof requires some work)

Basic RSA Cryptosystem

• Basic Setup:– Alice and Bob do not share a key to start with– Alice will be the sender, Bob the receiver

• Reverse what follows for Bob to reply

– Bob first does key generation• He goes off in a corner and computes two keys• One key is pk, the “public key”• Other key is sk, the “secret key” or “private key”

– After this, Alice can encrypt with pk and Bob decrypts with sk