Download Cryptography in Computer & Network Security: Hash Algorithms & Authentication Codes and more Study notes Computer Science in PDF only on Docsity! CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Hash Algorithms • Hash algorithm – Compression of data into a hash value – E.g., h(d) = parity(d) – Such algorithms are generally useful in programs • … as used in cryptosystems – One-way - (computationally) hard to invert h() , i.e., compute h-1(y), where y=h(d) – Collision resistant hard to find two data x1 and x2 such that h(x1) == h(x2) • Q: What can you do with these constructs? 2 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger HMAC • MAC that meets the following properties – Collision-resistant – Attacker cannot computer proper digest without knowing K • Even if attacker can see an arbitrary number of digests H(k+x) • Simple MAC has a flaw – Block hash algorithms mean that new content can be added – Turn H(K+m) to H(K+m+m’) where m’ is controlled by an attacker • HMAC(K, d) = H(K + H(K + d)) – Attacker cannot extend MAC as above – Prove it to yourself 5 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Birthday Attack • Q: Why is resilience to birthday attacks important? • A birthday attack is a name used to refer to a class of brute-force attacks. – birthday paradox : the probability that two or more people in a group of 23 share the same birthday is >than 50% • General formulation – function f() whose output is uniformly distributed – On repeated random inputs n = { n1, n2, , .., nk } • Pr(ni = nj) = 1.2k1/2, for some 1 <= i,j <= k, 1 <= j < k, i != j • E.g., 1.2(3651/2) ~= 23 6 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Using hash values as authenticators • Consider the following scenario • Alice is a teacher who has not decided if she will cancel the next lecture. • When she does decide, she communicates to Bob the student through Mallory, her evil TA. • She does not care if Bob shows up to a cancelled class • Alice does not trust Mallory to deliver the message. • She and Bob use the following protocol: 1. Alice invents a secret t 2. Alice gives Bob h(t), where h() is a crypto hash function 3. If she cancels class, she gives t to Mallory to give to Bob – If does not cancel class, she does nothing – If Bob receives the token t, he knows that Alice sent it 7 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Hash Chain (cont.) • Why is this protocol secure? • On day d, H(26-d)(t) acts as an authenticated value (authenticator) because Mallory could not produce t without inverting H() because for any Hk(t) she has k>(26-d) • That is, Mallory potentially has access to the hash values for all days prior to today, but that provides no information on today’s value, because they are all post-images of today’s value – Note: Mallory can again convince Bob that class is occurring by not delivering H(26-d)(t) • Important: chain of hash values are ordered authenticators • Important that Bob got the original value H26(t) from Alice directly (was provably authentic) 10 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Basic truths of cryptography … • Cryptography is not frequently the source of security problems – Algorithms are well known and widely studied • Use of crypto commonly is … (e.g., WEP) – Vetted through crypto community – Avoid any “proprietary” encryption – Claims of “new technology” or “perfect security” are almost assuredly snake oil 11 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Why Cryptosystems Fail • In practice, what are the causes of cryptosystem failures – Not crypto algorithms typically 12 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger More Complex Issues • PIN key derivation – Set terminal key from two shares – Download PIN key encrypted under terminal key • Other banks’ PIN keys – Encrypt ‘working keys’ under a zone key – Re-encrypt under ATM bank’s working key • Must keep all these keys secret 15 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Products Have Problems • Despite well understood crypto foundations, products don’t always work securely – Lose secrets due to encryption in software – Incompatibilities (borrow my terminal) – Poor product design • Back doors enabled, non-standard crypto, lack of entropy, etc. – Sloppy operations • Ignore attack attempts, share keys, procedures are not defined or followed – Cryptanalysis sometimes • Home-grown algorithms!, improper parameters, cracking DES 16 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Problems • Systems may work in general, but – Are difficult to use in practice – Counter-intuitive – Rewards aren’t clear – Correct usage is not clear – Too many secrets ultimately • Fundamentally, two problems – Too complex to use – No way to determine if use if correct 17 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Building systems with cryptography • Use quality libraries – SSLeay, lim (from Lenstra), Victor Shoup’s library, RSAREF, cryptolib – Find out what cryptographers think of a package before using it • Code review like crazy • Educate yourself on how to use library – Caveats by original designer and programmer 20 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger Common issues that lead to pitfalls • Generating randomness • Storage of secret keys • Virtual memory (pages secrets onto disk) • Protocol interactions • Poor user interface • Poor choice of key length, prime length, using parameters from one algorithm in another 21 CSE543 Computer (and Network) Security - Fall 2005 - Professor McDaniel7 Jaeger A really good book on the topic • The Code Book, Simon Singh, Anchor Books, 1999. 22