lecture8.pdf, Lecture notes of Cryptography and System Security

Download lecture8.pdf and more Lecture notes Cryptography and System Security in PDF only on Docsity! 1 Cryptography Overview John Mitchell Cryptography uIs • A tremendous tool • The basis for many security mechanisms uIs not • The solution to all security problems • Reliable unless implemented properly • Reliable unless used improperly uEncryption scheme: • functions to encrypt, decrypt data • key generation algorithm uSecret vs. public key • Public key: publishing key does not reveal key-1 • Secret key: more efficient; can have key = key-1 uHash function • Map input to short hash; ideally, no collisions uSignature scheme • Functions to sign data, verify signature Basic Concepts in Cryptography Five-Minute University uEverything you could remember, five years after taking CS255 … ? Father Guido Sarducci Cryptosystem uA cryptosystem consists of five parts • A set P of plaintexts • A set C of ciphertexts • A set K of keys • A pair of functions encrypt: K × P → C decrypt: K × C → P such that for every key k∈K and plaintext p∈P decrypt(k, encrypt(k, p)) = p OK def’n to start with, but doesn’t include key generation or prob encryption. Primitive example: shift cipher uShift letters using mod 26 arithmetic • Set P of plaintexts {a, b, c, … , x, y, z} • Set C of ciphertexts {a, b, c, … , x, y, z} • Set K of keys {1, 2, 3, … , 25} • Encryption and decryption functions encrypt(key, letter) = letter + key (mod 26) decrypt(key, letter) = letter - key (mod 26) uExample encrypt(3, stanford) = vwdqirug ROT-13 is used in newsgroup postings, etc. 2 Evaluation of shift cipher uAdvantages • Easy to encrypt, decrypt • Ciphertext does look garbled uDisadvantages • Not very good for long sequences of English words – Few keys -- only 26 possibilities – Regular pattern • encrypt(key,x) is same for all occurrences of letter x • can use letter-frequency tables, etc Letter frequency in English uFive frequency groups [Beker and Piper] E has probability 0.12 TAOINSHR have probability 0.06 - 0.09 DL have probability ~ 0.04 CUMWFGYPB have probability 0.015 - 0.028 VKJXQZ have probability < 0.01 Possible to break letter-to-letter substitution ciphers. • 1400: Arabs did careful analysis of words in Koran • 1500: realized that letter-frequency could break substitution ciphers One-time pad uSecret-key encryption scheme (symmetric) • Encrypt plaintext by xor with sequence of bits • Decrypt ciphertext by xor with same bit sequence uScheme for pad of length n • Set P of plaintexts: all n-bit sequences • Set C of ciphertexts: all n-bit sequences • Set K of keys: all n-bit sequences • Encryption and decryption functions encrypt(key, text) = key ⊕ text (bit-by-bit) decrypt(key, text) = key ⊕ text (bit-by-bit) Evaluation of one-time pad uAdvantages • Easy to compute encrypt, decrypt from key, text • As hard to break as possible – This is an information-theoretically secure cipher – Given ciphertext, all possible plaintexts are equally likely, assuming that key is chosen randomly uDisadvantage • Key is as long as the plaintext – How does sender get key to receiver securely? Idea for stream cipher: use pseudo-random generators for key... What is a “secure” cryptosystem? uIdea • If enemy intercepts ciphertext, cannot recover plaintext uIssues in making this precise • What else might your enemy know? – The kind of encryption function you are using – Some plaintext-ciphertext pairs from last year – Some information about how you choose keys • What do we mean by “cannot recover plaintext” ? – Ciphertext contains no information about plaintext – No efficient computation could make a reasonable guess In practice ... uInformation-theoretic security is possible • Shift cipher, one-time pad are info-secure for short message uBut not practical • Long keys needed for good security • No public-key system uTherefore • Cryptosystems in use are either – Just found to be hard to crack, or – Based on computational notion of security 5 Complete Algorithm for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j]) i, j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ]) uKey scheduling uRandom generator 53 …218912413412321 6 …543210 Permutation of 256 bytes, depending on key 53 …218912413412321 ji (all arithmetic mod 256) +24 Review: Complexity Classes Answer in polynomial space may need exhaustive search If yes, can guess and check in polynomial time Answer in polynomial time, with high probability Answer in polynomial time compute answer directly P BPP NP PSpace easy hard One-way functions uA function f is one-way if it is • Easy to compute f(x), given x • Hard to compute x, given f(x), for most x uExamples (we believe they are one way) • f(x) = divide bits x = y@z and multiply f(x)=y*z • f(x) = 3x mod p, where p is prime • f(x) = x3 mod pq, where p,q are primes with |p|=|q| One-way trapdoor uA function f is one-way trapdoor if • Easy to compute f(x), given x • Hard to compute x, given f(x), for most x • Extra “trapdoor” information makes it easy to compute x from f(x) uExample (we believe) • f(x) = x3 mod pq, where p,q are primes with |p|=|q| • Compute cube root using (p-1)*(q-1) uTrapdoor function to encrypt and decrypt • encrypt(key, message) • decrypt(key -1, encrypt(key, message)) = message uResists attack • Cannot compute m from encrypt(key, m) and key, unless you have key-1 Public-key Cryptosystem key pair Example: RSA uArithmetic modulo pq • Generate secret primes p, q • Generate secret numbers a, b with xab ≡ x mod pq uPublic encryption key 〈n, a〉 • Encrypt(〈n, a〉, x) = xa mod n uPrivate decryption key 〈n, b〉 • Decrypt(〈n, b〉, y) = yb mod n uMain properties • This works • Cannot compute b from n,a – Apparently, need to factor n = pq n 6 How RSA works (quick sketch) uLet p, q be two distinct primes and let n=p*q • Encryption, decryption based on group Zn * • For n=p*q, order φ(n) = (p-1)*(q-1) – Proof: (p-1)*(q-1) = p*q - p - q + 1 uKey pair: 〈a, b〉 with ab ≡ 1 mod φ(n) • Encrypt(x) = xa mod n • Decrypt(y) = yb mod n • Since ab ≡ 1 mod φ(n), have xab ≡ x mod n – Proof: if gcd(x,n) = 1, then by general group theory, otherwise use “Chinese remainder theorem”. How well does RSA work? uCan generate modulus, keys fairly efficiently • Efficient rand algorithms for generating primes p,q – May fail, but with low probability • Given primes p,q easy to compute n=p*q and φ(n) • Choose a randomly with gcd(a, φ(n))=1 • Compute b = a-1 mod φ(n) by Euclidean algorithm uPublic key n, a does not reveal b • This is not proven, but believed uBut if n can be factored, all is lost ... Public-key crypto is significantly slower than symmetric key crypto Message integrity uFor RSA as stated, integrity is a weak point • encrypt(k*m) = (k*m)e = ke * me = encrypt(k)*encrypt(m) • This leads to “chosen ciphertext” form of attack – If someone will decrypt new messages, then can trick them into decrypting m by asking for decrypt(ke *m) uImplementations reflect this problem • “The PKCS#1 … RSA encryption is intended primarily to provide confidentiality. … It is not intended to provide integrity.” RSA Lab. Bulletin uAdditional mechanisms provide integrity One-way hash functions uLength-reducing function h • Map arbitrary strings to strings of fixed length uOne way • Given y, hard to find x with h(x)=y • Given m, hard to find m’ with h(m) = h(m’) uCollision resistant • Hard to find any distinct m, m’ with h(m)=h(m’) Iterated hash functions uRepeat use of block cipher or custom function • Pad input to some multiple of block length • Iterate a length-reducing function f – f : 22k -> 2k reduces bits by 2 – Repeat h0= some seed hi+1 = f(hi, xi) • Some final function g completes calculation Pad to x=x1x2 …xk f g xi f(xi-1) x Applications of one-way hash uPassword files (one way) uDigital signatures (collision resistant) • Sign hash of message instead of entire message uData integrity • Compute and store hash of some data • Check later by recomputing hash and comparing uKeyed hash fctns for message authentication • MAC – Message Authentication Code 7 Basic CBC-MAC PlainPlain Text Text Block Cipher IV=0 Block Cipher Block Cipher Block Cipher CBC block cipher, discarding all but last output block Additional post-processing (e.g, encrypt with second key) can improve output Digital Signatures uPublic-key encryption • Alice publishes encryption key • Anyone can send encrypted message • Only Alice can decrypt messages with this key uDigital signature scheme • Alice publishes key for verifying signatures • Anyone can check a message signed by Alice • Only Alice can send signed messages Properties of signatures uFunctions to sign and verify • Sign(Key-1, message) • Verify(Key, x, m) = uResists forgery • Cannot compute Sign(Key-1, m) from m and Key • Resists existential forgery: given Key, cannot produce Sign(Key-1, m) for any random or otherwise arbitrary m true if x = Sign(Key-1, m) false otherwise RSA Signature Scheme uPublish decryption instead of encryption key • Alice publishes decryption key • Anyone can decrypt a message encrypted by Alice • Only Alice can send encrypt messages uIn more detail, • Alice generates primes p, q and key pair 〈a, b〉 • Sign(x) = xa mod n • Verify(y) = yb mod n • Since ab ≡ 1 mod φ(n), have xab ≡ x mod n Public-Key Infrastructure (PKI) uAnyone can send Bob a secret message • Provided they know Bob’s public key uHow do we know a key belongs to Bob? • If imposter substitutes another key, read Bob’s mail uOne solution: PKI • Trusted root authority (VeriSign, IBM, United Nations) – Everyone must know the verification key of root authority • Root authority can sign certificates • Certificates identify others, including other authorities • Leads to certificate chains uEncryption scheme: encrypt(key, plaintext) decrypt(key ,ciphertext) uSecret vs. public key • Public key: publishing key does not reveal key • Secret key: more efficient; can have key = key uHash function • Map long text to short hash; ideally, no collisions • Keyed hash (MAC) for message authentication uSignature scheme • Private key and public key provide authentication-1 -1 -1 -1 Crypto Summary