Network and Communications Security (IN3210/IN4210)
Asymmetric Cryptography
Key Exchange
Recapitulation: Symmetric Encryption
● One problem: key exchange
[Figure: Alice encrypts “Dear Bob....” with a symmetric key from a key generator and Bob decrypts it with the same key; Eve sees the ciphertext “6R4Y2hlbMZCB...”]
Diffie Hellman Key exchange
● Creating common (symmetric) key only known to the communication partners
● Created by Whitfield Diffie and Martin Hellman in 1976
Image source: Wikipedia
Illustration of DH Key Exchange
[Figure: illustration of the DH key exchange. Image source: Wikipedia]
Logarithm
● Choose (integer) b and a and calculate $y = b^a$
● Given just b and y can you calculate a?
● Easy (logarithm): $a = \log_b y$
● Example:
− b = 7, y = 13841287201, a = ?
Modular Arithmetic
● mod operator: x mod n
− remainder when performing an integer division of x and n
● Example:
− 19 mod 3 = 1 (19 = 6 * 3 + 1)
− 13 mod 3 = 1 (13 = 4 * 3 + 1)
− 1234 mod 10 = 4
− $2^{20}$ mod 10 = 6
Discrete Logarithm
● Choose integer b, a and n and calculate $y = b^a \bmod n$
● Given just b, n and y can you calculate a?
● Example:
− b = 7, n = 1023, y = 439, a = ?
● Hard problem: Discrete Logarithm Problem (DLP)
● No simple calculation
● Only (known) method: test all possible values for a (infeasible for large n)
Diffie Hellman Key exchange
● Alice and Bob agree on (public parameters):
− Large prime number p
− Generator g (i.e. g is primitive root mod p)
● Alice:
− chooses a (secret) random number a
− calculates $\alpha = g^a \bmod p$
− sends α to Bob
● Bob:
− chooses a (secret) random number b
− calculates $\beta = g^b \bmod p$
− sends β to Alice
● Calculation of common secret:
− Alice: $\beta^a \bmod p = (g^b \bmod p)^a \bmod p = (g^b)^a \bmod p = g^{ab} \bmod p = K$
− Bob: $\alpha^b \bmod p = (g^a \bmod p)^b \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p = K$
[Figure: Alice (secret a) sends $\alpha = g^a \bmod p$ to Bob; Bob (secret b) sends $\beta = g^b \bmod p$ to Alice]
Diffie Hellman Key exchange
● (Passive) attacker learns:
− g
− p
− $g^b \bmod p$
− $g^a \bmod p$
● For calculating K the attacker needs additionally a or b
● a or b cannot easily be derived from the known values (DLP)
[Figure: Eve observes $g^a \bmod p$ and $g^b \bmod p$ exchanged between Alice and Bob]
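The exchange and Eve's view of it, as an added Python example that is not part of the original slides. The parameters p = 23 and g = 5 are constructed toy values and the function names are illustrative; the exhaustive search also answers the earlier discrete logarithm example (b = 7, n = 1023, y = 439) and shows why p has to be large.

```python
import secrets

def dh_keypair(g, p, secret=None):
    """Return (secret exponent, public value g^secret mod p)."""
    if secret is None:
        secret = secrets.randbelow(p - 3) + 2      # random value in [2, p-2]
    return secret, pow(g, secret, p)

def dh_shared(peer_public, own_secret, p):
    """K = (peer's public value)^(own secret) mod p."""
    return pow(peer_public, own_secret, p)

def discrete_log_bruteforce(base, y, n):
    """Smallest a >= 1 with base^a mod n == y, found by testing every a."""
    value = 1
    for a in range(1, n):
        value = (value * base) % n
        if value == y:
            return a
    return None                                     # y is not a power of base

def demo(p=23, g=5):
    """Toy run; p and g are constructed values, far too small for real use."""
    a, alpha = dh_keypair(g, p)                     # Alice
    b, beta = dh_keypair(g, p)                      # Bob
    k_alice = dh_shared(beta, a, p)
    k_bob = dh_shared(alpha, b, p)
    # Eve knows g, p, alpha and beta. With a 5-bit p the search is instant;
    # it needs up to p-1 steps, so every extra bit of p doubles the work.
    k_eve = dh_shared(beta, discrete_log_bruteforce(g, alpha, p), p)
    return k_alice, k_bob, k_eve

if __name__ == "__main__":
    print("K (Alice, Bob, Eve):", demo())
    print("a for 7^a mod 1023 = 439:", discrete_log_bruteforce(7, 439, 1023))
```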
Weakness of DH Key Exchange
[Figure: Mallory sits between Alice and Bob. Alice sends $g^a$ and receives $g^e$; Bob sends $g^b$ and receives $g^e$. Both sides see “Secure Communication”, but the keys are $K_1 = g^{ae} \bmod p$ and $K_2 = g^{be} \bmod p$.]
Solution: later!
Breaking DH
● g and p must be chosen carefully
− e.g. p – 1 shall have small prime factors
− otherwise mathematical “tricks” are possible for breaking DLP
− (details are irrelevant in this course)
● Always possible: test all possible values for a (or b)
− Which size to choose for p?
▪ 512 bit → practically broken (2015)
▪ 1024 bit → estimated costs for breaking: 100 million $
▪ 2048 bit → secure, but long runtime
Asymmetric Encryption
Asymmetric Encryption
● Problem of symmetric encryption:
− Shared secret must be distributed
● Problem of DH key exchange:
− interactive protocol
− both parties must be “online” in order to start encrypted communication
● Asymmetric Encryption:
− Use different keys for de- and encryption
− Public encryption key is published (everyone can encrypt)
− Private decryption key is kept confidential (just owner can decrypt)
Asymmetric Encryption
● Two distinct keys (private key and public key) are used for encryption and decryption respectively
[Figure: a key pair generator produces a public key and a private key; Alice encrypts “Dear Bob....” with the public key and Bob decrypts with the private key; Eve sees the ciphertext “6R4Y2hlbMZCB...”]
Asymmetric Encryption
● Based on number theoretic problems
− RSA: Factorisation Problem
− ElGamal: Discrete Logarithm Problem
● RSA: named after its inventors (1978):
− Ronald Rivest
− Adi Shamir
− Leonard Adleman
Image sources: University of Southern California, Massachusetts Institute of Technology
RSA (Textbook Version)
● Key generation:
− Choose two prime numbers p and q
− Calc $n = p \cdot q$, $m = (p - 1)(q - 1)$
− Choose e and d with $e \cdot d \bmod m = 1$
− Public key: n, e
− Private key: d
● Encryption of message M (integer < n):
− $C = M^e \bmod n$
● Decryption of cipher text C:
− $M' = C^d \bmod n$
● $M' = (M^e)^d \bmod n = M$ (follows from Euler's Theorem)
● Typically:
− Set e = 65537
− Calculate d using the Extended Euclidean algorithm
Breaking RSA
● Key generation:
− Choose two prime numbers p and q
− Calc n = p · q, m = (p – 1) (q – 1)
− Choose e and d with e · d (mod m) = 1
− Public key: n, e
− Private key: d
● Attacker:
− Knows n and e
− Factorizes n, i.e. finds p and q
− Calculates m and d
Example: n = 15 → p = 3, q = 5
Easy for small numbers, hard for large numbers:
Factorization problem
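Textbook RSA as defined on the previous slide, together with the factoring attack listed above, as an added Python example (not part of the original slides). The primes 61 and 53, the exponent e = 17 and all function names are constructed for illustration; trial division only works because n is tiny.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keygen(p, q, e=65537):
    """Return ((n, e), d) with e*d mod m == 1, m = (p-1)(q-1)."""
    n, m = p * q, (p - 1) * (q - 1)
    if gcd(e, m) != 1:
        raise ValueError("e must be coprime to m")
    return (n, e), egcd(e, m)[1] % m

def rsa_encrypt(M, public_key):
    n, e = public_key
    if not 0 <= M < n:
        raise ValueError("message must be an integer < n")
    return pow(M, e, n)

def rsa_decrypt(C, d, n):
    return pow(C, d, n)

def factor_trial_division(n):
    """Find p, q with p*q == n by testing every candidate up to sqrt(n)."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None

def recover_private_key(public_key):
    """The attacker's steps: factorize n, calculate m, then d."""
    n, e = public_key
    p, q = factor_trial_division(n)
    m = (p - 1) * (q - 1)
    return egcd(e, m)[1] % m

if __name__ == "__main__":
    public_key, d = rsa_keygen(61, 53, e=17)       # constructed toy key
    C = rsa_encrypt(65, public_key)
    print(public_key, d, C, rsa_decrypt(C, d, public_key[0]))
    print("d recovered from (n, e) alone:", recover_private_key(public_key))
```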
RSA Calculation
● 1. problem: calculation effort
− $x^n = \underbrace{x \cdot \ldots \cdot x}_{n}$ → n – 1 multiplications
● Square and Multiply:
− Write n in binary; remove the first 1
− For every 1 perform first a square $(\ldots)^2$ operation then a multiply operation $(\cdot\, x)$
− For every 0 perform a square $(\ldots)^2$ operation
● Example:
− $n = 23_{10} = 10111_2$ → Q QM QM QM
− $x^{23} = \left(\left(\left(x^2\right)^2 \cdot x\right)^2 \cdot x\right)^2 \cdot x$
− 7 multiplications instead of 22
● “Standard” value for e:
− $65537_{10} = 10000000000000001_2$ → 16 multiplications
RSA Calculation
● 2. problem: large intermediate values:
− “$M^e \bmod n$” is smaller than n, but “$M^e$” is very large
● Property of mod operator:
− (x • y) mod n = ((x mod n) • (y mod n)) mod n
● Application to Square and Multiply:
− Perform a “mod” operation after every square or multiply step
− Example:
▪ $x^{23} \bmod n = \left(\left(\left(\left(x^2 \bmod n\right)^2 \bmod n\right) \cdot x \bmod n\right)^2 \bmod n \cdot x \bmod n\right)^2 \ldots$
− No intermediate value is larger than $n^2$
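Square and Multiply with a reduction after every step, as an added Python example (not from the original slides; the function name and the sample values are constructed). It counts squarings and multiplications separately and records the largest intermediate value so the $n^2$ bound can be checked.

```python
def square_and_multiply(x, exponent, n):
    """Left-to-right square and multiply with a mod n after every step.

    Returns (result, squarings, multiplications, largest intermediate value).
    """
    if exponent < 1 or n < 2:
        raise ValueError("exponent must be >= 1 and n >= 2")
    x %= n
    result, squarings, multiplications, largest = x, 0, 0, x
    for bit in bin(exponent)[3:]:          # binary digits without the leading 1
        result = result * result           # Q: square
        largest = max(largest, result)
        result %= n
        squarings += 1
        if bit == "1":
            result = result * x            # M: multiply by x
            largest = max(largest, result)
            result %= n
            multiplications += 1
    return result, squarings, multiplications, largest

if __name__ == "__main__":
    n = 3233                               # constructed toy modulus (61 * 53)
    r, q, m, largest = square_and_multiply(65, 23, n)
    print(r == pow(65, 23, n), q, m, largest < n * n)   # exponent 10111 -> Q QM QM QM
    print(square_and_multiply(65, 65537, n)[1:3])       # squarings, multiplications
```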
Prime Numbers
● How to calculate large (~ 500 - 2000 bits) prime numbers?
● 2 types of primality tests:
− Deterministic (too slow for large numbers)
− Probabilistic (fast, but not 100% correct)
● Example: Solovay–Strassen primality test:
− max ½ probability of wrong answer
− Algorithm for testing “n prime?”
▪ Repeat k times:
o Choose random number a
o Run primality test (uses number a as parameter)
o If false return “not prime”
▪ Return “probable prime”
− Error probability: $1/2^k$, e.g. $2^{-100}$ for k = 100
Breaking RSA
● Best known attack on RSA: factorizing n
● Competition for factorizing given numbers (created 1991): RSA Factoring Challenge
● Consequence: RSA-1024 is not secure any more
RSA number   Decimal digits   Binary digits   Factored on
RSA-100      100              330             April 1, 1991
RSA-110      110              364             April 14, 1992
RSA-120      120              397             July 9, 1993
RSA-129      129              426             April 26, 1994
RSA-130      130              430             April 10, 1996
RSA-140      140              463             February 2, 1999
RSA-150      150              496             April 16, 2004
RSA-155      155              512             August 22, 1999
RSA-160      160              530             April 1, 2003
RSA-170      170              563             December 29, 2009
RSA-576      174              576             December 3, 2003
RSA-180      180              596             May 8, 2010
RSA-190      190              629             November 8, 2010
RSA-640      193              640             November 2, 2005
RSA-200      200              663             May 9, 2005
RSA-210      210              696             September 26, 2013
RSA-704      212              704             July 2, 2012
RSA-220      220              729             May 13, 2016
RSA-230      230              762             August 15, 2018
RSA-232      232              768             February 17, 2020
RSA-768      232              768             December 12, 2009
RSA-240      240              795             Dec 2, 2019
RSA-250      250              829             Feb 28, 2020
Source: Wikipedia
Hybrid Encryption (1/3)
● Pros and cons of (a)symmetric encryption:
− Asymmetric encryption:
▪ easier key management vs. slow performance + limited message size
− Symmetric encryption:
▪ good performance (1000 times faster) vs. key exchange problem
● Hybrid Encryption: combining the advantages:
− Encrypt a random symmetric session key by means of asymmetric encryption
− Encrypt the data with the symmetric session key by means of symmetric encryption
Hybrid Encryption (2/3)
● Encryption process
[Figure: Alice's key generator creates a symmetric key. Symmetric encryption of “Dear Bob....” with that key gives “6R4Y2hlbMZCBaj39c2jmCw...”; asymmetric encryption of the symmetric key with Bob's public key gives the encrypted symmetric key.]
Hybrid Encryption (3/3)
● Decryption process
[Figure: Bob recovers the symmetric key by asymmetric decryption of the encrypted symmetric key with Bob's private key; symmetric decryption of “6R4Y2hlbMZCBaj39c2jmCw...” with that key gives “Dear Bob....”]
Exchange of Public Keys
● Confidentiality not required → passive attacker can read the public key (no problem)
[Figure: Alice sends “Alice”, pub(A) to Bob; Bob sends Enc(pub(A), M); Eve observes the exchange]
Exchange of Public Keys
● Integrity highly required → active attacker can modify/exchange the public key
Solution: later!
[Figure: Alice sends “Alice”, pub(A); Mallory passes on “Alice”, pub(E) to Bob; Bob sends Enc(pub(E), M)]
Hash Functions
Integrity testing
[Figure: Alice and Bob]
Hash Function
[Figure: Alice and Bob, with hash function h( · )]
Definition of Hash Function
h : * → n
[Figure: example inputs (a block of encoded data, a long Lorem ipsum text) and the hash values they are mapped to]
Real life example: Integrity Protection for Downloads
● Ubuntu: File “MD5SUM”
cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso
14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso
99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso
e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso
● Xfce: Note on Web site
Properties of Hash Functions
[Figure: Alice and Bob; two messages x and y with h(x) = 4711 and h(y) = 4711]
Hash collisions
● Collision
− There exist two messages x and y with x ≠ y and h(x) = h(y)
● In every hash function collisions exist!
● Two types of collisions:
− “accidental”: selecting x and y randomly
− “intentional”: calculating x and y
● Reducing the probability of accidental collisions:
− Choose co-domain (= length of hash value) large enough
● What about “intentional” collisions?
Poor Hash Function
● Checksum:
[Figure: a message written in rows of 8 characters (“Sell 18 / books 10 / EUR each / Loremips / umdolors / itametco / nsetetur”) next to a changed version whose first rows read “Sell 11 / books 80 / EUR each”; checksum shown: 39 AC 2E 31 7F 03 F5 81]
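An “intentional” collision on a checksum of this kind, as an added Python example (not from the original slides). The slide does not say how its checksum is computed; a column-wise XOR over rows of 8 bytes is assumed here, so the output will not match the bytes shown in the figure, and the function names are illustrative.

```python
import hashlib

def column_xor_checksum(message: bytes, width: int = 8) -> bytes:
    """XOR all rows of `width` bytes together, column by column (assumed scheme)."""
    checksum = bytearray(width)
    for i, byte in enumerate(message):
        checksum[i % width] ^= byte
    return bytes(checksum)

def swap_in_column(message: bytes, row_a: int, row_b: int, column: int,
                   width: int = 8) -> bytes:
    """Exchange two bytes that sit in the same column of different rows.

    Each column is XORed independently, so the checksum cannot change.
    """
    forged = bytearray(message)
    i, j = row_a * width + column, row_b * width + column
    forged[i], forged[j] = forged[j], forged[i]
    return bytes(forged)

# Constructed input: the first three rows of the slide's message, 8 bytes each
ORIGINAL = b"Sell 18 " b"books 10" b"EUR each"

if __name__ == "__main__":
    forged = swap_in_column(ORIGINAL, row_a=0, row_b=1, column=6)
    print(ORIGINAL, column_xor_checksum(ORIGINAL).hex())
    print(forged, column_xor_checksum(forged).hex())      # same checksum
    # A collision resistant hash function separates the two messages
    print(hashlib.sha256(ORIGINAL).hexdigest()[:16],
          hashlib.sha256(forged).hexdigest()[:16])
```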
(Strong) Collision resistance
● In “good” hash functions it shall be hard to calculate collisions
● Collision resistant:
− It is not possible (within “reasonable” computation time) to find a collision i.e. two messages x and y with h(x) = h(y)
● Remarks:
− with unlimited computation time of course collisions can always be found
Properties of Hash functions
[Figure: Alice, Bob and Eve; hash value 4711]
One-way function
● One-way property (preimage resistant):
− There exists no (efficient) inverse function for h, i.e.
− it is not possible to calculate message x from its hash value H (with h(x) = H)
● h collision resistant h one-way function
Summary of Properties
● Preimage resistance (one-way):
− For any given H, it is computationally infeasible to find x such that h(x) = H
● Second preimage resistance (weak collision resistance):
− For any given x, it is computationally infeasible to find y ≠ x where h(y) = h(x)
● (Strong) collision resistance:
− It is computationally infeasible to find any pair (x, y) such that h(x) = h(y)
Common Hash Algorithms
● MD5
− Message-Digest-Algorithm (R. Rivest, 1992)
− 128 bit digest
● SHA-1
− Secure Hash Algorithm (NIST/NSA, 1994)
− 160 bit digest
● SHA-2
− Secure Hash Algorithm 2 (NIST/NSA, 2002)
− Digest sizes: SHA-224, SHA-256, SHA-384, SHA-512
● SHA-3
− Secure Hash Algorithm 3 (NIST 2015)
− Digest sizes: SHA3-224, SHA3-256, SHA3-384, SHA3-512
SHA-1 – Internal Structure
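[Figure: SHA-1 round structure. The 160 bit state consists of 5 x 32 bit words A, B, C, D, E; one round combines them using the function F, rotations (<<5, >>2) and additions with the message word W (derived from M) and the constant K; the round is applied 80 x.]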
Merkle Damgård Construction (SHA-1, SHA-2)
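[Figure: Merkle–Damgård construction. Message M is split into Block 1, Block 2, ..., Block m, followed by the length of M. Starting from the IV, the compression function f combines the n bit chaining value with each block in turn; the final n bit value is the hash h(M). Captions: compression function f, hash function h; f collision resistant, h collision resistant.]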
Security of Hash Algorithms
● Known attacks on Hash properties
Algorithm   Attack on collision resistance   Attack on one-way property
MD5         Yes                              Yes
SHA-1       Yes                              No
SHA-2       (Yes)                            No
SHA-3       No                               No
SHA-3 Competition
● Creating new Hash function (successor of SHA-2)
● Open competition by NIST started 2007
● Public analysis and discussion of candidates
● Criteria:
− Performance
− Security
− Diversity
● Winner (announced 2012): Keccak
● Standardized as SHA-3 (2015)
Breaking Hashes
● How to find the pre-image of H? (i.e. finding m with h(m) = H)
● Brute force attack: testing all possible values for m
− rather simple if the set of “all possible values” is rather small
− Examples:
▪ m is a short/simple password
▪ m is an IP address
● Variation: Dictionary attack: testing just certain values
− Examples
▪ typical passwords (“1234”, “admin”, ...)
▪ real world words (“dog”, “car”, ...)
● Alternative: Lookup in a pre-calculated list of “all” m and h(m)
− Practical implementation: Rainbow Table
Breaking Hashes – Countermeasures
● Brute force/Dictionary:
− avoid short/simple messages
− use special resource consuming “hash” functions (e.g. scrypt, Argon2)
− add a secret value to the hash calculation: pepper (not always possible)
● Rainbow table:
− avoid short/simple messages
− add a (non-secret) random value to the hash calculation: salt
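Salt and a resource-consuming hash function seen from the defender's side, as an added Python example (not from the original slides). The candidate list reuses the words from the previous slide; the scrypt cost parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

def sha256_hex(m: str) -> str:
    return hashlib.sha256(m.encode()).hexdigest()

def build_lookup_table(candidates):
    """Pre-calculated list h(m) -> m; only useful against unsalted hashes."""
    return {sha256_hex(m): m for m in candidates}

def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest). The salt is random, not secret, stored with the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)   # assumed cost setting
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    table = build_lookup_table(["1234", "admin", "dog", "car"])
    # An unsalted hash of a simple password is found by a single lookup
    print(table.get(sha256_hex("admin")))
    # Two users with the same password get different records, so one
    # pre-calculated table no longer covers both
    salt1, digest1 = hash_password("admin")
    salt2, digest2 = hash_password("admin")
    print(digest1 != digest2, table.get(digest1.hex()))
    print(verify_password("admin", salt1, digest1),
          verify_password("1234", salt1, digest1))
```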
MAC and Digital Signature
Integrity Protection using Hashes
[Figure: the message “Dear Bob....” is sent together with its hash; the receiver computes the hash of the received message and compares the two values (= ?)]
Message Authentication Code
[Figure: the message “Dear Bob....” is sent together with its MAC; the receiver computes the MAC of the received message and compares the two values (= ?)]
Message Authentication Code
● A Message Authentication Code (MAC) is a short piece of information used to authenticate a message
● The key involved provides authentication in addition to integrity
● In some contexts a MAC is also called a symmetric signature
● First idea for implementation:
mac_k(m) = h(k || m)
(here || is the concatenation operator)
● Problem: vulnerable to length extension attack (details not shown here)
Message Authentication Code
● Solution: HMAC
mac_k(m) = HMAC(m, k) = h((k XOR opad) || h((k XOR ipad) || m))
− with opad and ipad fixed constants:
▪ ipad = the byte 0x36 repeated B times
▪ opad = the byte 0x5C repeated B times
▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)
Message Authentication Code
● Security services:
− Authenticity
− Integrity
● Limitations:
− For verification knowledge of secret key required
− Every owner of the secret key can create the MAC
− → not possible to decide if Alice or Bob created the MAC
− → the actual creator of the MAC can deny the creation
− → no “non-repudiation” property
Digital Signature
● Equivalent to traditional handwritten signatures
● Properties:
− Only one person can create the signature
− Everyone can verify the signature
− Can identify the creator of the signature
− Is bound to a specific document
− Prohibits changes to the document
[Slide annotations: non-repudiation, integrity, authenticity]
Digital Signature (here: RSA)
[Figure: the sender hashes the message “Dear Bob....” and applies “Encryption” to the hash; the result is sent with the message. The receiver applies “Decryption” to it, hashes the received message and compares the two values (= ?)]
Digital Signature
● Properties:
− Only one person can create the signature ✓
▪ Private key required
− Everyone can verify the signature ✓
▪ Public key is sufficient (but: requires the correct public key)
− Can identify the creator of the signature ✓
▪ Owner of the private key = creator (unless private key was stolen)
− Is bound to a specific document ✓
▪ move signature to a different document → hash of document ≠ hash inside signature (unless collision) → verification fails
− Prohibits changes to the document ✓
▪ change of document → change of hash (unless collision) → verification fails
Again: Integrity Protection for Downloads
PuTTY – SSH Client for Windows
Final Remarks
Crypto Primitives and their Usage
[Figure: mapping of crypto primitives (Encryption (Cipher), Hash Functions, Digital Signature) to the security goals Confidentiality, Integrity, Authenticity and Non-repudiation]
Elliptic Curve Cryptography
● DSA and DH are based on modular exponentiation over a (finite) field of integers
● One can perform similar operations on an “elliptic curve”
● Main advantage:
− same security level with shorter keys
− better performance (runtime up to 10 times faster)
Security Level   RSA/DH (NIST)   RSA/DH (ECRYPT)   ECDH/ECDSA
80               1024            1248              160
112              2048            2432              224
128              3072            3248              256
192              7680            7936              384
256              15360           15424             512
Practical Usage Recommendations
● Symmetric Encryption: AES-256, mode: GCM (later)
● Asymmetric Encryption: RSA-2048
● Key exchange: ECDHE-256
● Hash: SHA-256
● Message Authentication:
− AES in GCM mode (authenticated encryption)
− Poly1305 (e.g. in combination with ChaCha20)
● Signature:
− RSA-2048 with SHA-256
− ECDSA-256 with SHA-256
Further Reading
● Paar (2010):
− Chapters: 6, 7, 8, 10, 11, 12