All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Cryptography – 17ss 1 / 34
Outline Cryptography Symmetric setting 2 / 34
Scope Focus on: ◮ modern cryptography ◮ methods used in communications security Based on: Introduction to modern cryptography, Katz and Lindell, 2nd edition, 2015. 4 / 34
Communication by Melissa Elliott https://twitter.com/0xabad1dea/status/400676797874208768 5 / 34
What we are concerned with “Let’s meet up at 9!” Alice → Bob (image: BfV Roens/Wikipedia, CC-by-sa 2.0). Eve, passive attack: eavesdropping. We want to provide confidentiality! “This will not be on the exam!” Mallory, active attack: message modification or forgery. We want to provide message authentication! 6 / 34
Limitations ◮ cryptography is typically bypassed, not broken ◮ not applied correctly ◮ not implemented correctly ◮ subverted No protection of information about the communication. ◮ existence ◮ time ◮ extent ◮ partners 7 / 34
Kerckhoffs’ principle Security should only depend on secrecy of the key, not the secrecy of the system. ◮ key easier to keep secret ◮ change ◮ compatibility No security by obscurity. ◮ scrutiny ◮ standards ◮ reverse engineering 8 / 34
Another principle as a side note The system should be usable easily. ◮ Kerckhoffs actually postulated 6 principles ◮ this one got somewhat forgotten ◮ considered uncontroversial by Kerckhoffs ◮ starting to be rediscovered in design of secure applications and libraries Example: Signal, NaCl 9 / 34
What should secure encryption guarantee? It should be impossible for the attacker to ◮ recover the key. ◮ recover the entire plaintext from the ciphertext. ◮ recover any character of the plaintext from the ciphertext. Regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext. 10 / 34
Modern cryptography relies on ◮ formal definitions ◮ precisely defined assumptions ◮ mathematical proofs Reductionist security arguments, the proofs, require assumptions to be formulated explicitly. 11 / 34
A definition of security A scheme is secure if any probabilistic polynomial time adversary succeeds in breaking the scheme with at most negligible probability. Negligible: for every polynomial $p$ and for all sufficiently large values of $n$: $f(n) < \frac{1}{p(n)}$, e.g., $f(n) = \frac{1}{2^n}$. Church-Turing Hypothesis: we believe polynomial time models all computers. 12 / 34
Our goals symmetric (secret-key): ◮ confidentiality ◮ authenticity; asymmetric (public-key): ◮ confidentiality ◮ authenticity ◮ key exchange (authenticity as in: message integrity). Something providing confidentiality generally makes no statement whatsoever about authenticity. 13 / 34
Motivation What does a perfectly encrypted message look like? 14 / 34
Uniform distribution $P: U \to [0, 1]$, $\sum_{x \in U} P(x) = 1$, $\forall x \in U: P(x) = \frac{1}{|U|}$ 15 / 34
Randomness ◮ required to do any cryptography at all ◮ somewhat difficult to get in a computer (deterministic!) ◮ required to be cryptographically secure: indistinguishable from truly random ◮ not provided in programming languages Example: used to generate keys or other information unknown to any other parties 16 / 34
Collecting unpredictable bits ◮ physical phenomena ◮ time between emission of particles during radioactive decay ◮ thermal noise from a semiconductor diode or resistor ◮ software-based ◮ elapsed time between keystrokes or mouse movement ◮ packet interarrival times ◮ attacker must not be able to guess/influence the collected values 1. collect pool of high-entropy data 2. process into sequence of nearly independent and unbiased bits 17 / 34
Pseudo-random generator $G: \{0, 1\}^s \to \{0, 1\}^n$, $n \gg s$ 18 / 34
Outline Cryptography Symmetric setting 19 / 34
Symmetric encryption scheme 1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$ 2. $c \leftarrow \mathrm{Enc}_k(m)$, $m \in \{0, 1\}^*$ 3. $m := \mathrm{Dec}_k(c)$ ◮ provide confidentiality ◮ definition of security: chosen-plaintext attack (CPA) Cryptography uses theoretical attack games to analyze and formalize security. Notation: $C$: challenger, $A$: adversary; $\leftarrow$ means non-deterministic, $:=$ means deterministic. 20 / 34
The eavesdropping experiment Challenger $C$: $k \leftarrow \mathrm{Gen}(1^n)$. Adversary $A$ (input $1^n$) sends $m_0, m_1$ to $C$. $C$ picks $b \leftarrow \{0, 1\}$, computes $c \leftarrow \mathrm{Enc}_k(m_b)$ and sends $c$ to $A$. $A$ outputs $b'$. ◮ $A$ succeeds iff $b = b'$ 21 / 34
Discussion of the eavesdropping experiment ◮ $|m_0| = |m_1|$ ◮ probabilistic polynomial time algorithms ◮ success probability should be $0.5 + $ negligible ◮ if so, Enc has indistinguishable encryptions in the presence of an eavesdropper 22 / 34
Pseudorandom permutation $F: \{0, 1\}^* \times \{0, 1\}^* \to \{0, 1\}^*$ ◮ $F_k(x)$ and $F_k^{-1}(y)$ efficiently computable ◮ $F_k$ is indistinguishable from a uniform permutation ◮ adversary may have access to $F^{-1}$ We can assume that all inputs and the output have the same length. 23 / 34
A block cipher Example ◮ fixed key length and block length ◮ chop $m$ into 128 bit blocks (figure: block $m$ and 128 bit key $k$ go into AES, which outputs $c$) Does this function survive the eavesdropping experiment? 24 / 34
Chosen-plaintext attack Challenger $C$: $k \leftarrow \mathrm{Gen}(1^n)$. Adversary $A$ (input $1^n$) sends a message $m$ and $C$ answers with $c \leftarrow \mathrm{Enc}_k(m)$; this is repeated for as many $m$ as $A$ likes. $A$ then sends $m_0, m_1$; $C$ picks $b \leftarrow \{0, 1\}$ and answers with $\mathrm{Enc}_k(m_b)$. (cont’d) $A$ may keep sending $m$ and receiving $c \leftarrow \mathrm{Enc}_k(m)$, then outputs bit $b'$. 25 / 34
Discussion of CPA ◮ Enc is secure under chosen-plaintext attack ◮ again, messages must have same length ◮ multiple-use key ◮ non-deterministic (e. g. random initialization vector) or state ◮ block cipher requires operation mode, e. g.: counter (CTR), output-feedback (OFB), . . . 26 / 34
Example constructions: counter mode Example ◮ randomised AES counter mode (AES-CTR$) ◮ choose nonce $r \leftarrow \{0, 1\}^{128}$, key $k \leftarrow \{0, 1\}^{128}$ ◮ great if you have dedicated circuits for AES, else vulnerable to timing attacks (figure: $c_0 = m_0 \oplus \mathrm{AES}_k(r)$, $c_1 = m_1 \oplus \mathrm{AES}_k(r + 1)$, $\cdots$) complete ciphertext $c := (r, c_0, c_1, \cdots)$ 27 / 34
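The chosen-plaintext experiment of the preceding slides, played against the counter-mode construction above, as an added example that is not part of the lecture. It assumes HMAC-SHA256 as the pseudorandom function F_k in place of AES (so only the Python standard library is needed) and constructs its own sample messages; the same adversary is run against a variant that always uses the nonce r = 0 and against the randomised CTR$ of the figure.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # keystream block size in bytes (HMAC-SHA256 output; AES would give 16)

# Assumption: HMAC-SHA256 as the pseudorandom function F_k, standing in for AES_k.
def F(k, x): return hmac.new(k, x, hashlib.sha256).digest()
# Gen(1^n): a uniformly random 128-bit key.
def gen(): return secrets.token_bytes(16)

def ctr_xor(k, r, data):
    """Counter mode core: block i of data is XORed with F_k(r + i), r + i taken mod 2^128."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = ((int.from_bytes(r, "big") + i // BLOCK) % 2**128).to_bytes(16, "big")
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], F(k, ctr)))
    return bytes(out)

def enc_ctr(k, r, m):
    """c := (r, c_0, c_1, ...) with c_i = m_i XOR F_k(r + i), as in the slide's figure."""
    return r + ctr_xor(k, r, m)

def dec(k, c):
    """Dec_k: read r from the ciphertext and regenerate the same keystream."""
    return ctr_xor(k, c[:16], c[16:])

# The two schemes under test: an all-zero nonce makes Enc deterministic; CTR$ draws a fresh one.
def enc_fixed_nonce(k, m): return enc_ctr(k, bytes(16), m)
def enc_random_nonce(k, m): return enc_ctr(k, secrets.token_bytes(16), m)

# Constructed challenge messages of equal length, as the experiment requires.
M0 = b"Let's meet up at 9! Alice".ljust(32)
M1 = b"This will not be on the exam!".ljust(32)

def adversary(oracle):
    """Phase 1: query Enc_k(M0) once and remember it. The returned function is phase 2:
    if the challenge ciphertext equals the remembered one, bet on b = 0, otherwise b = 1."""
    c_m0 = oracle(M0)
    return M0, M1, (lambda c: 0 if c == c_m0 else 1)

def cpa_experiment(enc, trials=400):
    """Run the CPA game `trials` times with fresh keys; return the adversary's success rate."""
    wins = 0
    for _ in range(trials):
        k = gen()
        m0, m1, guess = adversary(lambda m, k=k: enc(k, m))
        b = secrets.randbelow(2)
        wins += int(guess(enc(k, (m0, m1)[b])) == b)
    return wins / trials
```

Against the fixed-nonce variant the adversary wins every round; against CTR$ its success rate stays at about one half.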
Example constructions: stream ciphers Example A modern stream cipher, fast in software: (figure: 128 bit key, 96 bit nonce and 32 bit initial counter go into ChaCha, which outputs the keystream; ciphertext = plaintext $\oplus$ keystream) 28 / 34
Message authentication code (MAC) 1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$ 2. $t \leftarrow \mathrm{Mac}_k(m)$, $m \in \{0, 1\}^*$ 3. $b := \mathrm{Vrfy}_k(m, t)$; $b = 1$ means valid, $b = 0$ invalid ◮ transmit $\langle m, t \rangle$ ◮ tag $t$ is a short authenticator ◮ message authenticity ⇔ integrity ◮ detect tampering ◮ no protection against replay ◮ “existentially unforgeable” ◮ security definition: adaptive chosen-message attack 29 / 34
Adaptive chosen-message attack Challenger $C$: $k \leftarrow \mathrm{Gen}(1^n)$. Adversary $A$ (input $1^n$) sends a message $m$ and $C$ answers with $t \leftarrow \mathrm{Mac}_k(m)$, i.e. the pair $\langle m, t \rangle$; repeated for as many $m$ as $A$ likes. $A$ outputs $\langle m', t' \rangle$. ◮ let $Q$ be the set of all queries $m$ ◮ $A$ succeeds iff $\mathrm{Vrfy}_k(m', t') = 1$ and $m' \notin Q$ 30 / 34
Used in practice Example ◮ HMAC based on hash functions ◮ CMAC based on cipher block chaining mode (CBC) ◮ authenticated encryption modes 31 / 34
Example: side-channel attack How does tag verification work and how to implement tag comparison correctly? 32 / 34
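An added example, not from the lecture, answering the question on this slide with HMAC-SHA256 as the MAC: tag verification recomputes Mac_k(m) and compares it with the received tag, and the comparison must not stop at the first differing byte. The insecure and the constant-time comparison are instrumented to report how many bytes they examine; all keys and messages are constructed here.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def gen():
    """Gen(1^n): a uniformly random 256-bit MAC key."""
    return secrets.token_bytes(32)

def mac(k, m):
    """Mac_k(m): HMAC-SHA256 tag, the construction the slides name."""
    return hmac.new(k, m, hashlib.sha256).digest()

def compare_early_exit(a, b):
    """Insecure comparison: returns at the first differing byte, so the number of
    bytes examined (and hence the running time) depends on the secret tag."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps

def compare_constant_time(a, b):
    """Secure comparison: examines every byte regardless of where they differ, OR-ing
    the XOR differences together and deciding only at the end (tag length is public)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def vrfy(k, m, t):
    """Vrfy_k(m, t): recompute the tag and compare in constant time; 1 = valid, 0 = invalid.
    hmac.compare_digest is the library routine to use in real code."""
    return 1 if hmac.compare_digest(mac(k, m), t) else 0

def bytes_examined(compare, k, m, correct_prefix):
    """Instrumentation: verify a wrong tag whose first `correct_prefix` bytes match the
    real tag and report how many bytes `compare` looked at before rejecting it."""
    forged = bytearray(mac(k, m))
    forged[correct_prefix] ^= 0x01          # first wrong byte sits right after the prefix
    ok, steps = compare(mac(k, m), bytes(forged))
    return steps if not ok else -1
```

The early-exit comparison examines correct_prefix + 1 bytes, so its running time reveals how much of a submitted tag is right; the constant-time one always examines TAG_LEN bytes.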
Recap: secret-key cryptography ◮ attacker power: probabilistic polynomial time ◮ confidentiality defined as IND-CPA: encryption, e. g. AES-CTR$ ◮ message authentication defined as existentially unforgeable under adaptive chosen-message attack: message authentication codes, e. g. HMAC-SHA2 ◮ authenticated encryption modes 33 / 34
Combining confidentiality and authentication ◮ encrypt-then-authenticate is generally secure: $c \leftarrow \mathrm{Enc}_{k_1}(m)$, $t \leftarrow \mathrm{Mac}_{k_2}(c)$, transmit: $\langle c, t \rangle$ ◮ authenticated encryption is also a good choice: e. g. offset codebook (OCB), Galois counter mode (GCM): $(c, t) \leftarrow \mathrm{AEAD}_{\mathrm{enc}, k}(ad, m)$, $m := \mathrm{AEAD}_{\mathrm{dec}, k}(ad, c, t)$ or verification failure 34 / 34
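Encrypt-then-authenticate with two independent keys, wrapped in the AEAD interface of this slide, as an added example that is not from the lecture. It assumes SHAKE256 over key and nonce as a stand-in keystream generator (so it runs with the standard library only); the tag covers the associated data and the ciphertext, and decryption happens only after the tag verifies.

```python
import hashlib
import hmac
import secrets

class VerificationFailure(Exception): pass   # raised by aead_dec; nothing is decrypted then

# Gen: two independent keys, k1 for encryption and k2 for the MAC (never one key for both).
def gen(): return secrets.token_bytes(32), secrets.token_bytes(32)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def enc(k1, m):
    """Enc_{k1}(m) with a fresh 96-bit nonce r; c := (r, m XOR keystream).
    Assumption: SHAKE256(k1 || r) as keystream generator, standing in for ChaCha or AES-CTR$."""
    r = secrets.token_bytes(12)
    return r + xor(m, hashlib.shake_256(k1 + r).digest(len(m)))

def dec(k1, c):
    """Dec_{k1}(c): read r from the ciphertext and regenerate the same keystream."""
    return xor(c[12:], hashlib.shake_256(k1 + c[:12]).digest(len(c) - 12))

# Length-prefix ad so that (ad, c) cannot be re-split into a different (ad', c') with the same tag.
def mac_input(ad, c): return len(ad).to_bytes(8, "big") + ad + c

def aead_enc(keys, ad, m):
    """(c, t) <- AEAD_enc_k(ad, m): encrypt with k1, then tag ad together with c under k2."""
    k1, k2 = keys
    c = enc(k1, m)
    return c, hmac.new(k2, mac_input(ad, c), hashlib.sha256).digest()

def aead_dec(keys, ad, c, t):
    """m := AEAD_dec_k(ad, c, t): verify the tag first and decrypt only if it is valid."""
    k1, k2 = keys
    expected = hmac.new(k2, mac_input(ad, c), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):            # constant-time tag comparison
        raise VerificationFailure("tag mismatch: ad or ciphertext was modified")
    return dec(k1, c)

def tamper_demo(keys):
    """Constructed check: genuine input decrypts; a modified ad or ciphertext is rejected."""
    ad, m = b"msg-id: 42", b"Let's meet up at 9!"
    c, t = aead_enc(keys, ad, m)
    flipped = c[:-1] + bytes([c[-1] ^ 0x01])   # one bit of the last ciphertext byte changed
    results = []
    for ad_, c_ in ((ad, c), (b"msg-id: 43", c), (ad, flipped)):
        try:
            results.append(aead_dec(keys, ad_, c_, t) == m)
        except VerificationFailure:
            results.append("rejected")
    return tuple(results)
```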
More recommend