Embed Size (px)
DESCRIPTION
Cryptography for architect and engineers
Citation preview
1
Cryptography for architects and engineers
Jasmeet Chhabra
2
Introducing Alice, Bob and Eve
Alice Bob
Eve
Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?
3
Alice has heard of Encryption
Alice Bob
Eve
c = E(K, c)
c
m = D(K, c)
4
Alice searches the Internet and finds that AES seems to be the standard
5
What is AES? • AES is a block cipher
• Block Ciphers: Work on fixed blocks of data
• Current commonly used block ciphers use 128 bit blocks
Visualizing Ideal Block Cipher
128 bits
1011….000000…000000000….110000…00001
1001….001111….11101100….111111….1111
Randomly mapped lookup table of size 2 ^128
128 bitsInput OutputRandom
mapping
6
What does AES do?
Single Round of AES
Round Key XOR Data
Fixed lookup table mapping
Shift each byte by fixed offset
Mixed with a linear transformation function
Repeat for 10-14 rounds depending on size of key.
7
Quick Note: Kerckhoff’s principal
• The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
Why?
• Algorithms are hard to change
• It is difficult to get cryptographic algorithms right and it is better to publish it for analysis.
8
Alice decides to use AES encryption
Alice Bob
Eve
c = E(K, c)
c
m = D(K, c)
Buy INTC 50 90 shares
Block
Buyw INTC 5698 9e44 shar
Each block ci = E(K, mi) ECB Mode
9
But Eve is clever. She changes the message in following way
Buy INTC 50 90 shares
Block
Buyw INTC 56989e44 shar
Each block ci = E(Ke, mi) ECB Mode
Eve Swaps these blocks
Alice Sends following
Buy INTC 90 50 shares
Eve receives followingEach block mi = D(Ke, ci)
10
AES Electronic Code book (ECB) mode issues
• Blocks can be swapped
• Patterns can be detected
Original image Encrypted image
AES ECB mode
11
Quick Note : Padding
• Block ciphers work on messages that are multiple of block size• If message is not a multiple of block size, padding is
required
• Two common padding schemes:• Append 128 and then as many 0s as needed to make
message a multiple of block size
• Determine number of bytes required n > 0 to make it a multiple of block size. Add n bytes, each with value n
DD DD DD DD DD DD DD DDDD DD DD DD 80 00 00 00
DD DD DD DD DD DD DD DDDD DD DD DD 04 04 04 04
DD DD DD DD DD DD DD DD08 08 08 08 08 08 08 08
12
Alice looked up other block cipher modes
She likes two :
• CBC
• CTR
Let us look at both
13
Quick Note: IV
• Initialization vector: Used in block ciphers as an input along with the key• Fixed IV : IV that doesn’t change
• Counter IV: IV=0 for first message, IV = 1 for second etc.
• Random IV: Large random number as IV for each message
• Nonce-Generated IV: “Number used once” per key• Message numbers• Random number + message number
14
Quick XOR ⊕ refresher
• 1 ⊕ 0 = 0 ⊕ 1 = 1
• 0 ⊕ 0 = 1 ⊕ 1 = 0
• A ⊕ 0 = A
• A ⊕ A = 0
• A ⊕ A ⊕ A= A
15
CBC : Cipher Block Chaining (Encryption)
Block Cipher
Encryption
Plaintext
IV
Key
CipherText
Block Cipher
Plaintext
IV
Key
CipherText
Ci = Ek(Pi C⊕ i-1) , C0 = IV
16
CBC : Cipher Block Chaining (Decryption)
Block Cipher
Ciphertext
IV
Key
Plaintext
Block Cipher
Ciphertext
IV
Key
Plaintext
Pi = Dk(Ci) C⊕ i-1, C0 = IV
17
CBC: Which IV to use?
• Fixed IV: What if two messages start with the same plaintext block?
• Counter IV: If first block of messages have simple difference, the XOR with a counter may cancel them out.
• Random IV : Good. But requires a random number to be sent
• Nonce IV: Good. Use a smaller random number + counter.
18
CTR: Counter mode (Encryption)
Block Cipher
Encryption
F45a34……. 000000
Key
CipherText
Ki = E(K, Nonce || i) for i=1,….,kCi = Pi K⊕ i
Nonce Counter
Plaintext
Block Cipher
Encryption
F45a34……. 000001
Key
CipherText
Nonce Counter
Plaintext
19
CTR: Counter mode (Decryption)
Block Cipher
Encryption
F45a34……. 000000
Key
Plaintext
Ki = E(K, Nonce || i) for i=1,….,kCi = Pi K⊕ i
Nonce Counter
Plaintext
CipherText
Block Cipher
Encryption
F45a34……. 000001
Key
Plaintext
Nonce Counter
Plaintext
CipherText
20
AES CTR
• Counter = Nonce || i
• If ever the counter is repeated.
• Cx ⊕ Cy = E(K,counter) ⊕ Px ⊕ E(K,counter) ⊕ Py
• i.e. Cx ⊕ Cy = Px ⊕ Py
• Never Ever repeat counter with same key
21
CTR Advantages
• Random access is possible.
• Both encryption and decryption can be parallelized.
• Needs only encryption implementation
22
Alice decides to use AES CTR encryption
Alice Bob
Eve
c = E(Ke, Nonce||i) ⊕ Pi
c
m = E(KeNonce || i) ⊕ Ci
Buy INTC 50 90 shares
Block
Buyw INTC 5698 9e44 shar
Each block ci = E(Ke, Nonce||i) ⊕ Pi
ECB Mode
23
Eve is clever
• Sends using CTR.
• She changes the first block by performing a XOR with (Buy ⊕ Sell)
• So first block becomes:
• c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
• i.e. c = E(Ke, Nonce||1) ⊕ Sell
• So, Bob gets:
Sell INTC 50 90 shares
24
Break/Recap
25
Alice figures she needs something to protect this message
• Her goal this time is to ensure that Eve can’t change the message.
• Doesn’t care about confidentiality (to keep things simple)
• She looks up hash functions
26
What is a hash function?
Ideal Hash Function
Arbitrary length input
Fixed length output
• Random mapping• Same output for same input
27
Defining security of hash functions
• Pre-image resistance:• Given a hash h it should be difficult to find any
message m such that h = hash(m).
• Second pre-image resistance• Given an input m1 it should be difficult to find another
input m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
• Collision resistance• It should be difficult to find two different messages m1
and m2 such that hash(m1) = hash(m2).
28
Standard hash functions
• MD5 : Don’t use
• SHA1 : Avoid. Not recommended for usage. Only use if system gives you no other choice.
• SHA2 : Use this.
• SHA3 (not finalized)
• One of the properties (bug ?) of the hash functions above is that• If m = m1, m2
• H(m) = h(h(m1),m2)
• This is called the length extension issue
29
Alice is now confident
• She decides to use SHA-2 hash
• Assume: • Alice and Bob share a secret key K just like Encryption
30
Alice decides to use SHA-2
Alice Bob
Eve
Buy INTC 50 SHA2(K|| Data)
K is the secret
31
As usual Eve is clever
• Eve computes• Sha2( SHA2 ( K||Data), 90)
• Also, changes the message to
Buy INTC 50 Sha2( SHA2 ( K||Data), 90)90
32
How to fix this?
• Use HMAC
• HMAC (K,m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))• opad is the outer padding (0x5c5c5c…5c5c, one-
block-long hexadecimal constant),
• ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
Other MACs are available, but this is the most commonly recommended
33
Horton Principle
• "Authenticate what is being meant, not what is being said”
• Suppose you had two messages to send. • M1 & M2
• You just send M1||M2|| HMAC(M1||M2)
• What happens?
34
M1 = “Rachael Ray finds inspiration is cooking”M2= “ her family and her dog”
35
Lesson: Always structure your message to be unambiguous and then MAC the whole thing• For example Send:• {
message1_length= aa;message1=“M1”;message2_length=bb; message2=“M2”;} HMAC ({….})
"Authenticate what is being meant, not what is being said”
36
Alternative MAC 1: CBC-MAC
• CBC-MAC: Use CBC with IV=0 and return the last block as the MAC
• H0 = IV. IV Should be fixed. Generally 0.
• Hi = E(K, Pi⊕ Hi-1)
• MAC = Hk
• Why IV= 0?
• CBC-MAC is good and secure, but suffers from certain types on collision attacks.
• So, use CMAC.
37
Alternative MAC2 : CMAC
• Same as CBC-MAC, except the way last block is handled
• Generate two keys k1 & k2 from the MAC key k
• Calculate MAC using CBC-MAC except for last block.
• Change the last block (mn′) to following before applying CBC-MAC
• If mn′ is a complete block
• mn = k1 ⊕ mn′
• else mn = k2 ⊕ (mn′∥ 10…02).
Secure Channel
39
Alice wants the following
• Eve shouldn’t learn anything about the messages except for the timing and size
• Bob should only get proper messages and is able to figure out the correct order.• Duplicates are detected
• Message modifications are detected
• By now you have probably guessed that this can be achieved by combination of Encryption and Authentication
40
Authentication and Encryption
Three possibilities:
1. MAC then encrypt all including MAC
2. Encrypt and then MAC the encrypted message
3. Encrypt and MAC the plaintext message
• Which one to use?
41
Encrypt and MAC the plaintext message
• Not recommended as any weakness in MAC will leak info about the message.
42
MAC and then encrypt the whole message including MAC
• Eve only gets to see ciphertext and encrypted MAC
• Much harder to attack MAC
• This is fine to use.• Potential timing attacks with padding (TLS Lucky 13
attack)
43
Encrypt and then MAC the encrypted message
• Can drop invalid message fast without decryption
• Is not in fully line with Horton’s principal• There may be ambiguity
• This is good to use• We will use this and add authenticated headers for
removing ambiguity
44
Secure Channel : Generate Keys
• KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
• KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
• KEYSENDAUTH ← HMAC-SHA2(K,"Auth Alice to Bob")
• KEYRECAUTH ← HMAC-SHA2(K,"Auth Bob to Alice")
• Swap Encryption & Decryption key if message is from Bob to Alice
45
Message counters
• Two message counters
• Cab = Alice-to-Bob Message counter
• Cba =Bob-to-Alice message counter
• Both Alice and Bob store state of both counters
• Initialize both to 0.
46
Alice sending message to Bob
• We will only go through this direction
• Bob to Alice is identical
47
Choosing CTR counter
• It is recommended that number of blocks encrypted with an AES 128 bit key < 264-1
• This is because after 264 block you will be able to distinguish from random
• To ensure that, we use counter for message sent from Alice to Bob never repeats and number of blocks encrypted < 264
• Counter = (Cab || i) for the ith block in this particular message.
• Ensure that Cab < 232 -1
• Ensure that length(m) < 232 -1 * block_size
48
Alice Sending a message• Ensure that Cab < 232 -1
• Increment Cab
• Ensure that length(m) < (232 -1) * block_size
• Use Counter = (Cab || i) for the ith block for AES-CTR
Version CabLength
Header Encrypted message HMAC-SHA2
TypeMessage
49
Bob: Receiving a message• Ensure that Cab > Last received Cab
• Check HMAC of the message• Drop if it does not match
• Store Cab. Check Version.
• Decrypt using AES CTR
• Counter = (Cab || i) for the ith block
• Check type and process accordingly.
Version CabLength
Header Encrypted message HMAC-SHA2
TypeMessage
Exchanging keys
51
How to exchange key K?
52
General idea of key exchange
53
Mod p operations
• 9 mod 7 = 2• Remainder left after division
• 9 = 7*1 +2
• 16 mod 7 = 2• 16 = 7*2 + 2
54
Basic Diffie-Hellman Key exchange
Alice Bob
gx
gy
K = (gy)x K = (gx)y
55
Other values
Pre-Known/Exchanged values:
• p,g,q (may be exchanged as part of the protocol)
• Always check:• p = Nq +1
• (gx)q = 1 mod p, g ≠ 1, gx ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is large enough prime (≥ 2048 bits)
56
Man in the middle
Alice Alice
gx
Eve
gv
gy
gw
K = (gw)x K = (gv)yK1 = (gx)w
K1 = (gy)v
57
So, how to exchange?
• Assume there is some way to authenticate messages.• We will see how to do that in Public/Private key
cryptography
• Authenticated DH Protocol
• First we will look at RSA Public Private Key cryptography
Asymmetric (Public/Private Key) Cryptography
59
Asymmetric (Public/Private) Cryptography
Alice Bob
Exchange public keys when they meet at a party
60
Asymmetric (Public/Private) Cryptography : Signing
Alice Bob
Sign with Alice’s Private Key (Buy 20 shares of INTC)
Verify with Alice’s Public key and perform transaction
61
Asymmetric (Public/Private) Cryptography : Encryption
Alice Bob
Encrypt with Bob’s Public Key (Secret message)
Decrypt with Bob’s Public key and read secret message
62
RSA : key generation (1/2)• Generate two distinct large prime numbers p & q
• Calculate n = p *q
• Compute t = (p-1)(q-1) OR t = lcm (p-1,q-1)
• Choosing t like this implies • xt = 1 mod n
• xt+1 = x mod n
• Proof by authority
63
RSA : key generation (2/2)• Choosing t like this implies xkt+1 = x mod n• Proof by authority
• Choose ed = 1 mod t , i.e. ed = t + 1• Common e value is 216 + 1 = 65,537
• Public Key : n,e
• Private Key : n, d
64
Example RSA key generation
• p = 61 and q = 53
• n = 61*53 = 3233
• t = (p-1)(q-1) = (61-1)(53-1) = 3120
• Let e = 17. Then solving for ed = 1 mod t• d = 2753• 2753*17 = 15*3120 +1• 46801 = 46800 + 1
65
RSA encryption/ decryption
• c = me mod n
• m = cd mod n• X = (me)d mod n
• We know ed = kt +1
• X = mkt+1 mod n
• Or X = (mt)k* m mod n
• We also know, for any x: xt = 1 mod n
• So X = (1)k* m mod n = m
• Hence we can decrypt
66
RSA encryption/ decryption example
• Let m = 65. Then using previous e = 17,d=2753, n=3233
• c = 6517 (mod 3233) = 2790
• m = 27902753 (mod 3233) = 65
67
RSA: why not to sign/encrypt data directly
• If you sign m1 and m2
• m1d (mod n)
• m2d (mod n)
• Attacker can compute m3d (mod n) = m1
d * m2d
(mod n)
68
What is recommended?
• Use one of the standards for signing and encryption• Signing: RSA-PSS (RSA –Probabilistic signature
scheme)
• Encryption: RSA-OAEP (RSA-Optimal asymmetric encryption protocol)
• Don’t use same key for encryption and signing• Attacker may be able to exploit decryption (public key)
for getting signatures (private key) from you or other way around
• Encryption keys and signing keys generally have different lifetimes
69
Elliptic curve cryptography
70
Elliptic curve example : y2 = x3+ ax + b
71
Point addition on curve: A+B
A
B
A+B
72
Point inverse: A+B
P
-P
73
What about P+P
P
2P = P + P
74
Elliptic curve discrete logarithm problem• With a curve of form y2 = x3+ ax + b mod p, where
p is a large prime and operation point addition +• P + P +…+ P = dP = T
• Given dP and P, it should be hard to compute d.• d is kept secret like a private key
• Intuitively: P+P+P… for very large d (>160 bits)
Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
75
Example of ECC usage: ECDH (simplified)
Alice Bob
Given a prime p, a suitable elliptic curve E and a point P=(xP,yP)
Choose kPrA= a {2, 3,…, #E-1}
Compute kPubA= A = aP = (xA,yA)
Choose kPrB= b {2, 3,…, #E-1}
Compute kPubB= B = bP = (xB,yB)
A
B
Compute aB = Tab
Compute bA = Tab
• One of the coordinates of the point TAB (usually the x-coordinate) can be used as session key (often after applying a hash function)
76
Elliptic curve summary
• Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem.
• ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160-256 bits) vs (1024-3072 bits)
• ECC can be used for key exchange, signatures and encryption
• ECC generally has performance advantage over RSA
77
Diffie-Hellman
78
Why DH Protocol?
• Lot of time security cert only supports signing
• Perfect Forward Security• Even if you find my private keys later you can not
decrypt my communication
79
Reminder: Basic Diffie-Hellman Key exchange
Alice Alice
gx
gy
K = (gy)x K = (gx)y
80
Reminder DH
Pre-Known/Exchanged values:
• p,g,q (may be exchanged as part of the protocol)
• Always check:• p = Nq +1
• (gx)q = 1 mod p, g ≠ 1, gx ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is large enough prime (≥ 2048 bits)
81
Attempt 1: Authenticated DH
Alice Bob
A, gx
B, gy, SigB(gx, gy)
SigA(gx, gy)
Any issues?
82
Identity misbinding attack on DH
Alice Bob
A, gx
B, gy, SigB(gx, gy)
SigA(gx, gy)
E doesn’t know K = gxy , but B thinks that anything coming from A is coming from E
Eve
E, gx
B, gy, SigB(gx, gy)
SigE(gx, gy)
83
Authenticated DH
Alice Bob
A, gx
B, gy, SigB(gx, gy, A)
SigA(gx, gy, B)
84
Limitations
• Both parties need to know each other’s identity before they can authenticate
• Leaves a signed proof of communication (signing peer’s identity)
• Sigma solves these issues
85
Sigma Basic version
Alice Bob
gx
B, gy, SigB(gx, gy), MacKm(B)
A, SigA(gx, gy), MacKm(A)
• Km is derived from gxy • Does not require knowing peer’ id for own auth• Adds deniability
Alice Bob
A, gx
B, gy, SigB(gx, gy, A)
A, SigA(gx, gy, B),
Authenticated DH
86
Sigma-I: Active protection of Initiator’s ID
Alice Bob
gx
gy, {B, SigB(gx, gy), MACKm(B)} Ke
{A, SigA(gx, gy), MACKm(A)}Ke
• Km and Ke are derived from gxy • Initiator’s id is protected and not revealed except to
an authenticated party
87
Sigma-R: Active protection of Responder’s ID
Alice Bob
gx
{A, SigA(gx, gy), MACKm(A)} Ke
{B,SigA(gx, gy), MACKm’(B)}Ke’
• Km and Ke are derived from gxy • Responder’s ID is not revealed until initiator's is
revealed
gy
88
Next Part• EPID based Sigma key exchange
• PKI : Public key infrastructure
• Why random numbers are important?
• Clocks and monotonic counters
• Storing secrets
• Analysis of common protocols• TLS
• Sigma key exchange
• IKE and IPSEC
