Cryptography Midterm
1. Confidentiality - Prevent access by unauthorized users 2. Integrity - data is modified without being detected 3. Authenticity - data is from claimed sender 4. Non-repudiation - "you can't deny what you have done" 5. Availability - service/data should be available to legitimate users
Security Properties
Triple DES (3DES)
specific type of cipher that: - expands key size from 56 bits to 80+ - c = Ek3(Dk2(Ek1(M))) - m = Dk1(Ek2(Dk3(c))) - Defined as doing EDE with k1, k2, k3 but k1 is usually set to k3
Data encryption standard (DES)
specific type of cipher with: - 64-bit input block and output block - 56-bit key (64 total, but 8 are parity bits) - 2 inputs: 1. Ln, Rn - results of previous round 2. Kn (round key) - output: Ln+1, Rn+1 (results of the current round) - 56-bit key is not quite secure now
Threat model
- a set of threats to consider for a particular system - ex. The attacker can read messages transmitted over network - ex. The attack cannot modify messages transmitted over network
Vulnerability
- a system weakness or artifact that allows an attacker to harm a system's security - sources include bad design, bad implementation (software bugs), bad deployment/configurations, improper use (use a system for unintended purposes)
Substitution cipher
- an arbitrary mapping of one letter to another - 26! possible mappings of letters - is not secure as it appears - statistical analysis of language can easily break it (certain letters and letter combinations are more common than others)
Chosen plain text attack
- attacker has <plain text, cipher text> pairs for his chosen plain texts - attacker's goal is to find the encryption key or other plain texts
Known plain text attack
- attacker has some <plain text, cipher text> pairs - attacker's goal is to find the encryption key or other plain texts
Cipher text only attack
- attacker only has ciphertexts - attacker's goal is to find the plain text by brute-force
Trust
- belief that a system component will behave as expected
Security vs complexity
- complexity is the worst enemy of security - more complexity = less security
Electronic Code Book (ECB)
- divides a large message into blocks (size depends on the block cipher used, e.g. 56 bits for DES) - Encrypts/decrypts one block at a time - problems include: 1. repeated plain text blocks yield repeated cipher text blocks 2. attacker can rearrange or modify blocks to affect plain text
RSA encryption/decryption
- encrypt m with receiver's public key: c = m^e mod n (size of message cannot exceed the size of modulus n) - decrypt c with receiver's private key: m = c^d mod n Example: - Public key (e, n) = (3, 33); public key (d, n) = (7, 33) - Message m = 2 - Encryption: 2^3 mod 33 = 8 - Decryption: 8^7 mod 33 = 2
Counter Mode (CTR)
- encryption: ci = Ek(IV+i) XOR mi encrypts the nonce IV with the counter then XOR with m - decryption: mi = Ek(IV+i) XOR ci - main advantage: can decrypt an arbitrary block (useful for random access file encryption) - typical setup: 48 bit message number, 16 bits of additional nonce data, 64 bits for counter
Block cipher
- generic mode of encryption/decryption - fixed-length input/output/key - input size = output size - secret key crypto systems take a key (e.g. 64 or 128 bits), generate a 1 to 1 mapping that looks random to someone who does not know the key
Hash and Hash chain
- h = H(m) h: hash value m: hash preimage - hash chain - a successive application of cryptographic hash function H to a message m H^0(m) = m H^1(m) = H(m) H^2(m) = H(H(m)) etc
Fundamental tenet of cryptography
- if lots of smart people have failed to solve a problem than it probably won't be solved soon
RSA security
- key size: 2048+ bits - so far nobody has broken it
Padding
- method of appending/concatenating to plain text in order for it to be of a fixed length - must be reversible (appending 0's will make it non-reversible) - in practice, at least 1 byte is added to each message even for those with suitable length - 2 different schemes: 1. Append 1000...0 2. Append n bytes each with value n (where n denotes the number of bytes needed to pad
Modular Arithmetic
- modulo n - perform regular arithmetic and replace the result with its remainder when divided by n
Cryptographic handshakes
- once keys are known to two parties, need a handshake to authenticate; based on what you know
RSA key generation
- pick 2 large primes p and q - calculate key length: n = p * q - Compute Φ(n) = (p-1)(q-1) - pick an int, e, which is relatively prime to Φ(n) - determine d = e^-1 mod Φ(n) - public key: (e, n) - private key: (d, n)
Hashed password with salt
- problem: protects a database of hashed passwords; stored as <user, H(pwd)>; problem with this is attacker can compute hash of a dictionary and compare against all users -solution: salt is random non-secret, different for each user; stored as <user, salt, H(pwd, salt)>, users with some pwd have different hasses
Security vs Performance
- security is usually a priority over performance
Nonce
- sequence number - 32-48 bits in most systems - time stamp (time synchronization assumed)
RSA Digital Signature
- signing message m with sender's private key: s = m^d mod n - sending <m, s> to the receiver - verifying signature with public key: m = s^e mod n - same key can be used for encryption and signature
Public-Key Cryptography Standard (PKCS)
- standard for the encoding of information signed or encrypted through RSA to avoid pitfalls - encode the message to make the encrypted signed message larger and have other security properties
Diffie-Hellman Protocol
- started the modern age of cryptography - two principles Alice (A) and Bob (B) - setup: A and B agree on a prime number p and a base g that is less than p - step 1: A picks a random value a (<p-1), B picks a random value b (<p-1) - step 2: A computes TA = g^a mod p and sends it to B - step 3: B computes TB = g^b mod p and sends it to A - step 4: A computes the secret key k = (TB)^a mod p = g^ab mod p - step 5: B computes the secret key k = (TA)^b mod p = g^ab mod p
Reasons to publish your algorithm
- the bad guys will learn your algorithm anyway - if you publish your algorithm, the good guys provide free consulting by trying to crack it - most commercial algorithms are published - most military algorithms are not
Security model
- threat model + trust model - threat model describes those you should protect against (who adversaries are, what they can do) - trust model describes those you don't worry about
Nonce-generated IV
- type of IV - "number used once" - does not have to be secret - each message is given one - IV generated by encrypting this number
Counter IV
- type of IV where first message: IV = 0, second message: IV = 1, etc - also is not a good idea: if the first blocks of the messages have simple differences, then the simple IV counter could very well cancel the differences in the XOR, and generate identical cipher text blocks again
Random IV
- type of IV where sender chooses an IV at random and sends it as the first block - disadvantage: cipher text is one block longer than plain text
Meet-in-the-middle attacks
- type of attack that occurs in double DES - happens when encrypted with k1 then k2
Cipher block chaining
- type of cipher with an initialization vector (IV) transmitted along with ciphertexts - ci = Ek(mi XOR ci-1) - c0 = IV - IV cannot be omitted or constant because if two messages start with the same plain text block, their encryptions will start with the same cipher text blocks
Block cipher modes
- used when you need to encrypt something not exactly 1 block long
Threat
- way in which an attacker can adversely impact a system's security - an ability of the attacker
Pitfalls to avoid
- when e = 3, encrypting messages whose value is smaller than n^1/3 then cipher text is m^3 - encrypting low-entropy messages Ex. message 1 - "Alice has diabetes"; message 2 - "Alice does not have diabetes"; attacker can encrypt 1 and 0 using Bob's public key and compare with Alice's ciphertext
Message authentication code (MAC)
- A construction that detects tampering with messages - MAC function: 1. input: fixed-size key, k 2. input: arbitrary length message, m 3. output: fixed-size MAC value
MACs with hashes
- Alice wants to authenticate her message m to Bob - Alice and Bob share a secret key, k - One solution: MAC = H(k|m) Alice -> Bob: m, MAC Bob can verify MAC using his key k - problem: can compute MAC without knowing k. Most hash algorithms divide large messages into fixed-length chunks and digest chunk by chunk. For n> 1, H(n) can be derived from H(n-1) and chunk n. Thus from <m, H(m)>, you can append chunks to m to get m' and derive H(m') - solution: use a cryptographic key k and a cryptographic hash algorithm H: HMAC(k, m) = H(K|H(k|m))
Key Distribution - Public Keys
- How to bind a public key to a name? - basic idea: have a trusted node called Certification Authority (CA) who signs a certificate which specify a name and a corresponding public key - format: <name, public key, expiration time, serial number, CA's signature> - <private key, public key> is generated by user, public key is certified by CA
Properties of Hash
- One-way - it is computationally hard to invert H(); given H(m), it is hard to know m unless trying all possible values of m - collision-resistant - computationally infeasible to find two messages m1 and m2 such that H(m1) = H(m2)
The reason why we need D-H
- Perfect forward secrecy (PFS) - prevents me from decrypting a conversation even if I break into both parties after it ends or if the private key is escrowed - use D-H to exchange a session key and use it to encrypt the session only
Which mode to use
- Recommended mode to use: Cipher block chaining (CBC) with random IV and CTR - CTR only when the system can guarantee the uniqueness of nonce
Encrypted Communications
- Suppose Alice and Bob have a shared secret key k Alice->Bob: Ek(m) Bob: D(Ek(m)) = m - Suppose no shared secret key, but Alice knows Bob's public key pubk Alice->Bob: Epubk(k) to encrypt the key k then Ek(m) Bob: Dprik(Epubk(k)) to decrypt the key k then D(Ek(m)) = m
Man in the middle
Avoid man in the middle: - sign with private key - encrypting with the other person's public key
Why is D-H secure?
Reasons why D-H is secure: - with the best known mathematical techniques, this is somewhat harder than factoring a composite of the same magnitude as p - subtlety: they haven't proven that the algorithms are as hard to break as the underlying problem
Trust model
describes who is trusted to do what in a system
Cryptographic hash algorithm
hash function H: - a mathematical transformation that takes an arbitrary sized input, and generates a fixed size output - H(m): the hash value of message m - aka message digest or one-way transformation - ex. include MD5, SHA-1 - instead of signing m, sign H(m)
MD5
hash function: - 128 bit hash value designed in 1991 - collision resistance can be broken in 2^18 time - not secure anymore
SHA-1
hash function: - 160 bit hash value - no longer for most cryptographic uses after 2010
SHA-2
hash function: - still in use - includes SHA-256 and SHA-512
One-time pad
type of cipher where: - A and B share a random secret bit string k of length n - A wants to send a message m of length n - Encryption: c = m XOR k - Decryption: m = c XOR k Has perfect secrecy because: - suppose attacker knows c = 0, want to infer m - since k is equally likely to be 0 and 1 and m = c XOR k, m is equally likely to be 0 and 1 - thus, from c, attacker learns NO information about m
Secret key cryptography (aka symmetric cryptography)
type of cryptography where: - encryption key = decryption key (e.g. DES, AES, RC4) - encryption: c = Ek(m) - decryption: m = Dk(c)
Public key cryptography
type of cryptography where: - two keys per user: 1. private key, d - only known by the owner 2. public key, e - known by the world - sender encrypts a message using the receiver's public key: c = Ee(m) - receiver decrypts ciphertext using private key: m = Ed(c) - ex. RSA, elliptic curve cryptography (ECC)
