Upload
emery-daniels
View
220
Download
0
Tags:
Embed Size (px)
Citation preview
Lecture 3: Cryptography II
CS 336/536: Computer Network SecurityFall 2013
Nitesh Saxena
Course Administration
• Everyone receiving my emails?• Lecture slides worked okay?– Both ppt and pdf versions
• Everyone knows how to access the course web page?
• HW/Lab 1 heads up– To be posted coming Monday– Labs become active starting next week
2
Outline of Today’s Lecture
• Block Cipher Modes of Encryption• Public Key Crypto Overview• Number Theory Background• Public Key Encryption (RSA)• Public Key Signatures
3
Block Cipher Encryption Modes
04/21/23 Lecture 1 - Introduction 4
Lecture 2 - Cryptography - I
Block Cipher Encryption modes
• Electronic Code Book (ECB)• Cipher Block Chain (CBC)– Most popular one
• Others (we will not cover)– Cipher Feed Back (CFB)– Output Feed Back (OFB)
04/21/23 5
Lecture 2 - Cryptography - I
Analysis
We will analyze each mode in terms of:•Security•Computational Efficiency (parallelizing encryption/decryption)•Transmission Errors•Integrity Protection
04/21/23 6
Lecture 2 - Cryptography - I
Electronic Code Book (ECB) Mode• Although DES encrypts 64 bits (a block) at a time, it can
encrypt a long message (file) in Electronic Code Book (ECB) mode.
• Deterministic -- If same key is used then identical plaintext blocks map to identical ciphertext
04/21/23 7
Example – why ECB is bad?
04/21/23 Lecture 2 - Cryptography - I 8
Tux Tux encrypted with AES in ECB mode
Lecture 2 - Cryptography - I
Cipher Block Chain (CBC) Mode
04/21/23 9
encryption
decryption
Lecture 2 - Cryptography - I
CBC Traits
• Randomized encryption • IV – Initialization vector serves as the
randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation
• IV is a random value• IV is no secret; it is sent along with the
ciphertext blocks (it is part of the ciphertext)04/21/23 10
Example – why CBC is good?
04/21/23 Lecture 2 - Cryptography - I 11
Tux Tux encrypted with AES in CBC mode
Lecture 2 - Cryptography - I
CBC – More Properties• What happens if k-th cipher block CK gets
corrupted in transmission.– With ECB – Only decrypted PK is affected.– With CBC?
• Only blocks PK and PK+1 are affected!!
• What if one plaintext block PK is changed?– With ECB only CK affected.– With CBC all subsequent ciphertext blocks will be
affected.• “Avalanche effect”
– This leads to an effective integrity protection mechanism (or message authentication code (MAC))
04/21/23 12
Security of Block Cipher Modes• ECB is not even secure against eavesdroppers
(ciphertext only and known plaintext attacks)• CBC is secure against CPA attacks (assuming 3-
DES or AES is used in each block computation); automatically secure against eavesdropping attacks
• However, not secure against CCA. Why?• Intuitively, this is because the ciphertext can
be “massaged” in a meaningful way13
CBC Mode CCA Attack• Assume adversary has eavesdropped upon a ciphertext
– (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV.
• Adversary is not allowed to query for (C0, C1, C2) itself • With CBC, adversary queries for (C0’, C1, C2) and
obtains (M1’, M2) [X’ denotes bit-wise complement of X]
14
How to achieve CCA security?• Prevent any massaging of the ciphertext• Intuitively, this can be achieved by using
integrity protection mechanisms (such as MACs), which we will study later
• The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext
• Both ciphertext and the MAC is sent off• The other party decrypts only if MAC is valid04/21/23
Lecture 2.3 - Private Key Cryptography III
15
Advanced Encryption Standard (AES)
• National Institute of Science and Technology– DES is an aging standard that no longer addresses today’s needs for
strong encryption– Triple-DES: Endorsed by NIST as today’s defacto standard
• AES: The Advanced Encryption Standard– Finalized in 2001– Goal – To define Federal Information Processing Standard (FIPS) by
selecting a new powerful encryption algorithm suitable for encrypting government documents
– AES candidate algorithms were required to be:• Symmetric-key, supporting 128, 192, and 256 bit keys• Royalty-Free• Unclassified (i.e. public domain)• Available for worldwide export
Lecture 2.3 - Private Key Cryptography III
04/21/23 16
AES
• AES Round-3 Finalist Algorithms:– MARS
• Candidate offering from IBM– RC6
• Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm
– Twofish• From Counterpane Internet Security, Inc.
– Serpent• Designed by Ross Anderson, Eli Biham and Lars Knudsen
– Rijndael: the winner!• Designed by Joan Daemen and Vincent Rijmen
Lecture 2.3 - Private Key Cryptography III
04/21/23 17
Other Symmetric Ciphers and their applications
• IDEA (used in PGP)• Blowfish (password hashing in OpenBSD)• RC4 (used in WEP), RC5• SAFER (used in Bluetooth)
Lecture 2.3 - Private Key Cryptography III
04/21/23 18
Some Questions• Double encryption in DES increases the key space
size from 2^56 to 2^112 – true or false?• Is known-plaintext an active or a passive attack?• Is chosen-ciphertext attack an active or a passive
attack?• Reverse Engineering is applied to what design of
systems – open or closed?• Alice needs to send a 64-bit long top-secret letter to
Bob. Which of the ciphers that we studied today should she use?
04/21/23Lecture 2.2 - Private Key
Cryptography II19
Some Questions• C=DES(K,P); where (P, C are 64-bit long blocks). What would
be DES(K,”PPPP”) in ECB mode? What it would be in CBC mode?
• ECB is secure for sending just one block of data: true or false?• Is it okay to re-use IV in CBC? Why/why not?• Alice needs to send a *long* top-secret message to Bob.
Which of the ciphers that we studied today can she use?• Is ECB secure against CPA?• Is CBC secure against CPA?
Lecture 2.3 - Private Key Cryptography III
04/21/23 20
Public Key Crypto Overview and Number Theory
04/21/23 Lecture 1 - Introduction 21
Recall: Private Key/Public Key Cryptography
• Private Key: Sender and receiver share a common (private) key– Encryption and Decryption is done using the
private key– Also called conventional/shared-key/single-key/
symmetric-key cryptography• Public Key: Every user has a private key and a
public key– Encryption is done using the public key and
Decryption using private key– Also called two-key/asymmetric-key cryptography
22
Private key cryptography revisited.
• Good: Quite efficient (as you’ll see from the HW#2 programming exercise on AES)
• Bad: Key distribution and management is a serious problem
23
Public key cryptography model
• Good: Key management problem potentially simpler• Bad: Much slower than private key crypto (we’ll see later!)
24
Public Key Encryption
• Two keys:– public encryption key e– private decryption key d
• Encryption easy when e is known• Decryption easy when d is known• Decryption hard when d is not known• We’ll study such public key encryption schemes; first
we need some number theory.
25
Public Key Encryption: Security Notions
• Very similar to what we studied for private key encryption– What’s the difference?
26
Group: Definition(G,.) (where G is a set and . : GxGG) is said to be a group if following properties are satisfied:1. Closure : for any a, b G, a.b G2. Associativity : for any a, b, c G, a.(b.c)=(a.b).c3. Identity : there is an identity element such that a.e = e.a = a,
for any a G4. Inverse : there exists an element a-1 for every a in G, such
that a.a-1 = a-1.a = e
Abelian Group: Group which also satisfies commutativity , i.e., a.b = b.a
04/21/23 Lecture 1 - Introduction 27
Groups: Examples
• Set of all integers with respect to addition --(Z,+)
• Set of all integers with respect to multiplication (Z,*) – not a group
• Set of all real numbers with respect to multiplication (R,*)
• Set of all integers modulo m with respect to modulo addition (Zm, “modular addition”)
28
Divisors
• x divides y (written x | y) if the remainder is 0 when y is divided by x– 1|8, 2|8, 4|8, 8|8
• The divisors of y are the numbers that divide y– divisors of 8: {1,2,4,8}
• For every number y– 1|y– y|y
29
Prime numbers
• A number is prime if its only divisors are 1 and itself:– 2,3,5,7,11,13,17,19, …
• Fundamental theorem of arithmetic:– For every number x, there is a unique set of
primes {p1, … ,pn} and a unique set of positive exponents {e1, … ,en} such that
30
enenppx *...*1
1
Common divisors
• The common divisors of two numbers x,y are the numbers z such that z|x and z|y– common divisors of 8 and 12:
• intersection of {1,2,4,8} and {1,2,3,4,6,12}• = {1,2,4}
• greatest common divisor: gcd(x,y) is the number z such that– z is a common divisor of x and y– no common divisor of x and y is larger than z
• gcd(8,12) = 4
31
Euclidean Algorithm: gcd(r0,r1)
32
0 1 1 2
1 2 2 3
2 1 1
1
0 1 1 2 1
...
0
gcd( , ) gcd( , ) ... gcd( , )
m m m m
m m m
m m m
r q r r
r q r r
r q r r
r q r
r r r r r r r
Main idea: If y = ax + b then gcd(x,y) = gcd(x,b)
Example – gcd(15,37)
• 37 = 2 * 15 + 7• 15 = 2 * 7 + 1• 7 = 7 * 1 + 0 gcd(15,37) = 1
33
Relative primes
• x and y are relatively prime if they have no common divisors, other than 1
• Equivalently, x and y are relatively prime if gcd(x,y) = 1– 9 and 14 are relatively prime– 9 and 15 are not relatively prime
34
Modular Arithmetic
• Definition: x is congruent to y mod m, if m divides (x-y). Equivalently, x and y have the same remainder when divided by m.
Notation: Example: • We work in Zm = {0, 1, 2, …, m-1}, the group of
integers modulo m• Example: Z9 ={0,1,2,3,4,5,6,7,8}• We abuse notation and often write = instead
of 35
)(modmyx 14 5(mod9)
04/21/23 Public Key Cryptography -- II
Addition in Zm :
• Addition is well-defined:
– 3 + 4 = 7 mod 9.– 3 + 8 = 2 mod 9.
36
)(mod''
)(mod'
)(mod'
myxyx
then
myy
mxx
if
04/21/23 Public Key Cryptography -- II
Additive inverses in Zm
• 0 is the additive identity in Zm
• Additive inverse of a is -a mod m = (m-a)– Every element has unique additive inverse. – 4 + 5= 0 mod 9. – 4 is additive inverse of 5.
37
)(mod0)(mod0 mxmxx
04/21/23 Public Key Cryptography -- II
Multiplication in Zm :
• Multiplication is well-defined:
– 3 * 4 = 3 mod 9.– 3 * 8 = 6 mod 9.– 3 * 3 = 0 mod 9.
38
)(mod''
)(mod'
)(mod'
myxyx
then
myy
mxx
if
04/21/23 Public Key Cryptography -- II
Multiplicative inverses in Zm
• 1 is the multiplicative identity in Zm
• Multiplicative inverse (x*x-1=1 mod m)– SOME, but not ALL elements have unique
multiplicative inverse. – In Z9 : 3*0=0, 3*1=3, 3*2=6, 3*3=0, 3*4=3, 3*5=6, …,
so 3 does not have a multiplicative inverse (mod 9)– On the other hand, 4*2=8, 4*3=3, 4*4=7, 4*5=2,
4*6=6, 4*7=1, so 4-1=7, (mod 9)
39
)(mod1)(mod1 mxmxx
04/21/23 Public Key Cryptography -- II
Which numbers have inverses?
• In Zm, x has a multiplicative inverse if and only if x and m are relatively prime or gcd(x,m)=1– E.g., 4 in Z9
4004/21/23 Public Key Cryptography -- II
Extended Euclidian: a-1 mod n
• Main Idea: Looking for inverse of a mod n means looking for x such that x*a – y*n = 1.
• To compute inverse of a mod n, do the following:– Compute gcd(a, n) using Euclidean algorithm.– Since a is relatively prime to m (else there will be no inverse) gcd(a, n)
= 1.– So you can obtain linear combination of rm and rm-1 that yields 1.
– Work backwards getting linear combination of ri and ri-1 that yields 1.
– When you get to linear combination of r0 and r1 you are done as r0=n and r1= a.
4104/21/23 Public Key Cryptography -- II
Example – 15-1 mod 37
• 37 = 2 * 15 + 7• 15 = 2 * 7 + 1• 7 = 7 * 1 + 0Now,• 15 – 2 * 7 = 1• 15 – 2 (37 – 2 * 15) = 1• 5 * 15 – 2 * 37 = 1So, 15-1 mod 37 is 5.
4204/21/23 Public Key Cryptography -- II
Modular Exponentiation:Square and Multiply method
• Usual approach to computing xc mod n is inefficient when c is large.
• Instead, represent c as bit string bk-1 … b0 and use the following algorithm:
z = 1For i = k-1 downto 0 doz = z2 mod n
if bi = 1 then z = z* x mod n
4304/21/23 Public Key Cryptography -- II
Example: 3037 mod 77
44
z = z2 mod n
if bi = 1 then z = z* x mod n
i b z
5 1 30 =1*1*30 mod 77
4 0 53 =30*30 mod 77
3 0 37 =53*53 mod 77
2 1 29 =37*37*30 mod 77
1 0 71 =29*29 mod 77
0 1 2 =71*71*30 mod 77
04/21/23 Public Key Cryptography -- II
Other Definitions• An element g in G is said to be a generator of a
group if a = gi for every a in G, for a certain integer i– A group which has a generator is called a cyclic group
• The number of elements in a group is called the order of the group
• Order of an element a is the lowest i (>0) such that ai = e (identity)
• A subgroup is a subset of a group that itself is a group
45Public Key Cryptography -- II
Lagrange’s Theorem
• Order of an element in a group divides the order of the group
4604/21/23 Public Key Cryptography -- II
Euler’s totient function
• Given positive integer n, Euler’s totient function is the number of positive numbers less than n that are relatively prime to n
• Fact: If p is prime then – {1,2,3,…,p-1} are relatively prime to p.
47
( ) 1p p
)(n
04/21/23 Public Key Cryptography -- II
Euler’s totient function
• Fact: If p and q are prime and n=pq then
• Each number that is not divisible by p or by q is relatively prime to pq.– E.g. p=5, q=7:
{1,2,3,4,-,6,-,8,9,-,11,12,13,-,-,16,17,18,19,-,-,22,23,24,-,26,27,-,29,-,31,32,33,34,-}
– pq-p-(q-1) = (p-1)(q-1)
48
)1)(1()( qpn
04/21/23 Public Key Cryptography -- II
Euler’s Theorem and Fermat’s Theorem
• If a is relatively prime to n then
• If a is relatively prime to p then ap-1 = 1 mod p
Proof : follows from Lagrange’s Theorem
49
na n mod1)(
04/21/23 Public Key Cryptography -- II
Euler’s Theorem and Fermat’s Theorem
EG: Compute 9100 mod 17:
p =17, so p-1 = 16. 100 = 6·16+4. Therefore, 9100=96·16+4=(916)6(9)4 . So mod 17 we have 9100 (916)6(9)4 (mod 17) (1)6(9)4 (mod 17) (81)2 (mod 17) 16
Public Key Cryptography -- II04/21/23 50
Some questions
• 2-1 mod 4 =?
• Find x such that– x = 4 (mod 5)– x = 7 (mod 8)– x = 3 (mod 9)
• Order of a group is 5. What can be the order of an element in this group?
5104/21/23 Public Key Cryptography -- II
Further Reading
• Chapter 4 of Stallings• Chapter 2.4 of HAC
5204/21/23 Public Key Cryptography -- II
The RSA Cryptosystem (Encryption)
53
“Textbook” RSA: KeyGen• Alice wants people to be able to send her encrypted
messages.• She chooses two (large) prime numbers, p and q and
computes n=pq and . [“large” = 1024 bits +]• She chooses a number e such that e is relatively prime to
and computes d, the inverse of e in , i.e., ed =1 mod • She publicizes the pair (e,n) as her public key. (e is called RSA
exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and
• Plaintext and ciphertext messages are elements of Zn and e is the encryption key.
54
)(n)(n
)(nZ
)(n
)(n
RSA: Encryption
• Bob wants to send a message x (an element of Zn
*) to Alice.
• He looks up her encryption key, (e,n), in a directory.
• The encrypted message is
• Bob sends y to Alice.55
nxxEy e mod)(
RSA: Decryption
• To decrypt the message
she’s received from Bob, Alice computes
Claim: D(y) = x56
nyyD d mod)(
nxxEy e mod)(
RSA: why does it all work• Need to show
D[E[x]] = x E[x] and D[y] can be computed efficiently if keys
are known E-1[y] cannot be computed efficiently without
knowledge of the (private) decryption key d.
• Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so
efficiency requirements are less stringent.57
E and D are Inverses
58
nxnx
nxx
nx
nx
nx
nnx
nyyD
t
tn
nt
ed
de
de
d
modmod1
mod)(
mod
mod
mod)(
mod)mod(
mod)(
)(
1)(
Because
From Euler’s Theorem
)(mod1 ned
Tiny RSA example.
• Let p = 7, q = 11. Then n = 77 and
• Choose e = 13. Then d = 13-1 mod 60 = 37.• Let message = 2.• E(2) = 213 mod 77 = 30.• D(30) = 3037 mod 77=2
59
60)( n
Slightly Larger RSA example.
• Let p = 47, q = 71. Then n = 3337 and
• Choose e = 79. Then d = 79-1 mod 3220 = 1019.• Let message = 688232… Break it into 3 digit
blocks to encrypt.• E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756• D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232.
60
322070*46)( pq
Security of RSA: RSA assumption• Suppose Oscar intercepts the encrypted
message y that Bob has sent to Alice.• Oscar can look up (e,n) in the public directory
(just as Bob did when he encrypted the message)
• If Oscar can compute d = e-1 mod then he can use to recover the plaintext x.
• If Oscar can compute , he can compute d (the same way Alice did). 61
xnyyD d mod)(
)(n
)(n
Security of RSA: factoring
• Oscar knows that n is the product of two primes
• If he can factor n, he can compute • But factoring large numbers is very difficult:– Grade school method takes divisions.– Prohibitive for large n, such as 160 bits– Better factorization algorithms exist, but they are
still too slow for large n– Lower bound for factorization is an open problem
62
)(n
)( nO
How big should n be?
• Today we need n to be at least 1024-bits– This is equivalent to security provided by 80-bit
long keys in private-key crypto
• No other attack on RSA known– Except some side channel attacks, based on
timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!
63
Key selection
• To select keys we need efficient algorithms to– Select large primes• Primes are dense so choose randomly.• Probabilistic primality testing methods known. Work in
logarithmic time.
– Compute multiplicative inverses• Extended Euclidean algorithm
64
RSA in Practice
• Textbook RSA is insecure– Known-plaintext?– CPA?– CCA?
• In practice, we use a “randomized” version of RSA, called RSA-OAEP– Use PKCS#1 standard for RSA encryptionhttp://www.rsa.com/rsalabs/node.asp?id=2125– Interested in details of OAEP: refer to (section 3.1 of)
http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf
65
Some questions
• c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)?
• Homomorphic property
– What is RSA_Enc(2m1)?• Malleability (not a good property!)
• Is it possible to find inverses mod n (RSA modulus)?
66
Some Questions
• RSA stands for Robust Security Algorithm, right?• If e is small (such as 3)
– Encryption is faster than decryption or the other way round?
• Private key crypto has key distribution problem and Public key crypto is slow– How about a hybrid approach?– Do you know how ssl/ssh works?
67
Some Questions
• I encrypt m with Alice’s RSA PK, I get c– I encryt m again, I get --?– What does this mean?
• What if I do the above with DES?
68
Further Reading
• Stallings Chapter 11• HAC Chapter 9
04/21/23 Lecture 4: Hash Functions 69
Digital Signatures
04/21/23 Lecture 1 - Introduction 70
Public Key Signatures
• Signer has public key, private key pair• Signer signs using its private key• Verifier verifies using public key of the signer
Lecture 3.4: Public Key Cryptography IV
Security Notion/Model for Signatures
• Existential Forgery under (adaptively) chosen message attack (CMA)– Adversary (adaptively) chooses messages mi of its
choice– Obtains the signature si on each mi
– Outputs any message m (≠ mi) and a signature s on m
Lecture 3.4: Public Key Cryptography IV
RSA Signatures
• Key Generation: same as in encryption• Sign(m): s = md mod N• Verify(m,s): (se == m mod N)
• The above text-book version is insecure; why?• In practice, we use a randomized version of
RSA (implemented in PKCS#1)– Hash the message and then sign the hash
Lecture 3.4: Public Key Cryptography IV