Cryptographic Foundations History of Cryptography 2 Confidential - PowerPoint PPT Presentation

Padding PKCS#5 ⚫ Padding of whole bytes ⚫ Let L be the block size (in bytes) ⚫ When N bytes are missing to a full block (1  N  L): add N bytes each with the value N ⚫ Examples (L = 8, XX = existing message, all numbers in hex) − XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX 01 − XX XX XX XX XX XX XX XX | XX XX XX XX XX 03 03 03 − XX XX XX XX XX XX XX XX | XX 07 07 07 07 07 07 07 − XX XX XX XX XX XX XX XX | 08 08 08 08 08 08 08 08 ⚫ Invalid padding example: − XX XX XX XX XX XX XX XX | XX XX XX XX XX XX 08 02 40

Modes of Operation ⚫ Block ciphers operate on a fixed length input − DES, 3DES, IDEA: 64 bit − AES: 128, 192, 256 bit ⚫ Processing of larger input − Cut input into blocks of the required block size and process them one after the other ⚫ This naïve approach is also known as the Electronic Codebook (ECB) mode of operation

Block Cipher: Electronic Code Book THIS IS A SIMPLE PLAINTEXT MESSAGE . Encryption Encryption Encryption X&jÜ (mA’8Dwßµ<3 Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1 § ü 42

Block Cipher: Electronic Code Book THIS IS A SIMPLE PLAINTEXT MESSAGE . Encryption Encryption Encryption X&jÜ (mA’8Dwßµ<3 Ji8(clÄ+#/2Haq%7Ö1k5a$jA~Kq1 § ü AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Encryption Encryption Encryption Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 43

Electronic Codebook (ECB) ⚫ Identical plaintext blocks are encrypted into identical ciphertext blocks ⚫ No protection of block order ⚫ Eases replay attacks Image Source: Wikipedia ECB Encryption

Cipher Block Chaining (CBC) Nachricht Plain Text ... b 0 b 1 b n IV k k k Enc Enc Enc ... c 0 c 1 c n Geheimtext Cipher Text

Cipher Block Chaining (CBC) ⚫ Identical plaintext blocks are NOT encrypted into identical ciphertext blocks ⚫ More “randomness” inside the encrypted data ⚫ However: XOR of plain and cipher text can be misused (later) CBC Image Source: Wikipedia Encryption

Symmetric Encryption ⚫ One remaining problem: key generation Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... .... Alice Bob Key Generator Symmectric Key 47

Detour: Key Generation ⚫ Keys are derived from random numbers ⚫ Random number generation is not trivial ⚫ Computers are deterministic and can only generate pseudo random numbers ⚫ Poor “random” numbers which can be anticipated allow attacker calculation of keys 48

Detour: Key Generation ⚫ OpenSSL bug in Debian 49

Symmetric Encryption ⚫ Another remaining problem: key exchange Eve 6R4Y2 hlbMZ CB... Dear Dear Bob Decryption Bob Encryption .... .... Alice Bob Key Generator Symmectric Key 50

Key Exchange and Asymmetric Encryption 51

Diffie Hellman Key exchange ⚫ Creating common (symmetric) key only known to the communication partners ⚫ Created by Whitfield Diffie and Martin Hellman in 1976 Image source: Wikipedia

Illustration of DH Key Exchange Image source: Wikipedia

Modular Arithmetic ⚫ a  b (mod n )  there is an integer k such that a – b = kn ⚫ Example: − 13  19 (mod 3), because 19 – 13 = 2 * 3 ⚫ Simplified (sufficient for this lecture): mod operator ⚫ x mod n : remainder when performing an integer division of x and n ⚫ Example: − 19 mod 3 = 1 − 13 mod 3 = 1 − 1234 mod 10 = 4 − 2 20 mod 10 = 6 54

Logarithm ⚫ Choose (integer) b and a and calculate y = b a ⚫ Given just b and y can you calculate a ? ⚫ Easy (logarithm): a = log b y ⚫ Example: − b = 7, y = 13841287201, a = ? 55

Discrete Logarithm ⚫ Choose integer b, a and n and calculate y = b a mod n ⚫ Given just b , n and y can you calculate a ? ⚫ Example: − b = 7, n = 1023, y = 439, a = ? ⚫ Hard problem: Discrete Logarithm Problem (DLP) ⚫ No simple calculation ⚫ Only (known) method: test all possible values for a (infeasible for large n ) 56

Diffie Hellman Key exchange ⚫ Alice and Bob agree on (public parameters): g a mod p − Large prime number p − Generator g (i.e. g is primitive root mod p ) ⚫ Alice chooses a random number a and sends g a mod p to Bob g b mod p ⚫ Bob chooses a random number b and send g b mod p to Alice ⚫ Calculation of common secret: − Alice: ( g b ) a mod p = g ab mod p = K − Bob: ( g a ) b mod p

Diffie Hellman Key exchange ⚫ (Passive) attacker learns: − g g a mod p − p − g b mod p − g a mod p ⚫ For calculating K the attacker needs g b mod p additionally a or b ⚫ a or b can not (easily) derived from the know values: DLP Eve

Weakness of DH Key Exchange g b g a Mallory g e g e Secure Communication Secure Communication K 2 = g be mod p K 1 = g ae mod p Solution: later!

Breaking DH ⚫ Certain ⚫ Which size to choose for p ? − 512 bit → practically broken (2015) − 1024 bit → estimated costs for breaking: 100 million $ − 2048 bit → secure, but long runtime 60

Asymmetric Encryption ⚫ Problem of symmetric encryption: − Shared secret must be distributed ⚫ Problem of DH key exchange: − interactive protocol − both parties must be “online” in order to start encrypted communication ⚫ Asymmetric Encryption: − Use different keys for de- and encryption − Public encryption key is published (everyone can encrypt) − Private decryption key is kept confidential (just owner can decrypt)

Asymmetric Encryption ⚫ Two distinct keys (private key and public key) are used for encryption and decryption respectively Eve 6R4Y2 hlbM ZCB... Dear Dear Bob Bob Encryption Decryption .... .... Alice Bob Private Key Key Pair Generator Public Key

Formalization of (asymmetric) Encryption ⚫ Space of plain texts: P ⚫ Space of cipher texts: C ⚫ Space of keys: public/private key pairs: K  PK x SK ⚫ Encryption: E : P x PK → C , E ( x , pk ) = E pk ( x ) ⚫ Decryption: D : C x SK → P , D ( y , sk ) = D sk ( y ) ⚫ D is the invers function of E , i.e. for all x ∈ P and ( pk , sk ) ∈ K : D sk ( E pk ( x )) = x

Asymmetric Encryption ⚫ Based on number theoretic problems − RSA: Factorisation Problem − ElGamal: Discrete Logarithm Problem (DLP) ⚫ RSA: named after its inventors (1978): − Ronald Rivest − Adi Shamir − Leonard Adleman Image sources: University of Southern California • Massachusetts Institute of Technology •

RSA ⚫ Choose two prime numbers p and q ⚫ Calc n = p · q , m = ( p – 1) ( q – 1) ⚫ Choose e and d with e · d ≡ 1 (mod m ) ⚫ Public key: n, e ⚫ Private key: d ⚫ Encryption of message M : C = M e mod n ⚫ Decryption of cipher text C : M’ = C d mod n ⚫ M' = ( M e ) d mod n = M Follows from Euler‘s Theorem

RSA Calculation ⚫ 1. problem: calculation effort − 𝑦 𝑜 = 𝑦 ∙ ⋯ ∙ 𝑦 → n – 1 multiplications 𝑜 ⚫ Square and Multiply: − Write n in binary; remove the first 1 − For evert 1 perform first a square (... 2 ) operation then a multiply operation (• x) − For evert 0 perform a multiply operation (• x) ⚫ Example: − n = 23 10 = 10111 2 → Q QM QM QM 2 2 ∙ 𝑦 − 𝑦 23 = 𝑦 2 2 ∙ 𝑦 ∙ 𝑦 − 7 multiplications instead of 22 ⚫ “Standard” value for e: − 65537 10 = 10000000000000001 2 → 16 multiplications 66

RSA Calculation ⚫ 2. problem: large intermediate values: − “ M e mod n ” is smaller than n, but “ M e “ is very large ⚫ Property of mod operator: − ( x • y ) mod n = (( x mod n ) • ( y mod n )) mod n ⚫ Application to Square and Multiply: − Perform a “mod” operation after every square or multiply step − Example: 2 2 mod 𝑜 ∙ 𝑦 mod 𝑜 ▪ 𝑦 23 mod 𝑜 = 𝑦 2 mod 𝑜 2 mod 𝑜 ∙ 𝑦 mod 𝑜 … − No intermediate value is larger than 𝑜 2 67

Prime Numbers ⚫ How to calculate large (~ 500 - 2000 bits) prime numbers? ⚫ 2 types of primality tests: − Deterministic − Probabilistic ⚫ Example: Solovay – Strassen primality test: − max ½ probability of wrong answer − Algorithm for testing is n is prime ▪ Repeat k times: o Choose random number a o Run primality test (uses number a as parameter) o If false return „not prime“ ▪ Return „probable prime“ − Error probability: 1/2 k , e.g. 2 -100 for k = 100

Breaking RSA RSA Decimal Binary Cash prize Factored on number digits digits offered RSA-100 100 330 $1000 April 1, 1991 RSA-110 110 364 $4429 April 14, 1992 ⚫ Best known RSA-120 120 397 $5895 July 9, 1993 RSA-129 129 426 $100 April 26, 1994 attack on RSA: RSA-130 130 430 $14,527 April 10, 1996 RSA-140 140 463 $17,226 February 2, 1999 factorizing n RSA-150 150 496 April 16, 2004 RSA-155 155 512 $9383 August 22, 1999 RSA-160 160 530 April 1, 2003 RSA-170 170 563 December 29, 2009 RSA-576 174 576 $10,000 December 3, 2003 RSA-180 180 596 May 8, 2010 RSA-190 190 629 November 8, 2010 RSA-640 193 640 $20,000 November 2, 2005 RSA-200 200 663 May 9, 2005 Source: Wikipedia RSA-210 210 696 September 26, 2013 RSA-704 212 704 $30,000 July 2, 2012 RSA-220 220 729 May 13, 2016 RSA-768 232 768 $50,000 December 12, 2009

Hybrid Encryption (1/3) ⚫ Pros and cons of (a)symmetric encryption: − Symmetric encryption: ▪ good performance (1000x times faster) vs. key exchange problem − Asymmetric encryption: ▪ easier key management vs. slow performance + limited message size ⚫ Hybrid Encryption: combining the advantages: − Encrypt a random symmetric session key by means of asymmetric encryption − Encrypt the data with the symmetric session key and by means of symmetric encryption

Hybrid Encryption (2/3) ⚫ Encryption process 6R4Y2hlb Dear Symmetric Bob MZCBaj39 Encryption .... c2jmCw... Alice Encrypte d Key Key Asymetric Generator Encryption Symmetric Key Bob‘s Public Key

Hybrid Encryption (3/3) ⚫ Decryption process 6R4Y2hlb Dear Symmetric MZCBaj39 Bob Decryption c2jmCw... .... Encrypte Bob d Key Asymmetric Decryption Symmetric Key Bob‘s Private Key

Exchange of Public Keys ⚫ Confidentiality not required → passive attacker can read the public key (no problem) Bob Eve Alice “Alice”, pub(A) Enc(pub(A), M)

Exchange of Public Keys ⚫ Integrity highly required → active attacker can modify/exchange the public key (system broken!) Bob Mallory Alice “Alice”, pub(A) “Alice”, pub(E) Enc(pub(E), M) Solution: later!

Hash Functions

Integrity testing Alice Bob

Hash Function h ( · ) Alice Bob

Definition of Hash Function ⚫ h :  * →  n NoZXJuZCBhw59lbiBNw6R4Y2hlbnMZCBhw59lFLDvGJlbiwgSm9naHVydCB1 bmQgUXV4Y2hlbnMgVsOw59l2R4Y2hlbnMgVsOZ2R4bnMgVsOVsIFLDhcms= Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et doloremagna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo doloreset ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. 68ac906495480a3404be Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et doloremagna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo doloreset ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,, sed diam eirmod ut laboreet doloremagna aliquyamerat, sed diam voluptua. At vero eos et accusamet duo dolores et ea. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum amet. da39a3ee5e6b4b0d3255 15a391c7de1f07f4885af

Real life example: Integrity Protection for Dowloads ⚫ Ubuntu: File„MD5SUM“ cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso 14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso 99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso ⚫ Xfce: Note on Web site

Properties of Hash Functions h ( M ’) = 4711 h ( M ) = 4711 4711 4711 Alice Bob

Collision resistant ⚫ Collision − There exists two messages M and M ’: M ≠ M ’ and h ( M ) = h ( M ’) ⚫ Avoiding accidental collisions: − Choose co-domain large enough ⚫ Collision resistant : − It is not possible (using “reasonable” computation time) to find a collision i.e. two messages M and M ’ with h ( M ) = h ( M ’)

Poor Hash Function ⚫ Checksum: L o r e m i p s u m d o l o r s i t a m e t c o n s e t e t u r 39 AC 2E 31 7F 03 F5 81 S e l l 1 8 S e l l 1 1 b o o k s 1 0 b o o k s 8 0 E U R e a c h E U R e a c h

Requirement for Hash Function ⚫ Randomness − Small change on input → large change on output − Avalanche effect ⚫ Rule of thumb − 1 input bit is changed → 50 % output bits are changed ⚫ Example: − SHA- 1(„H a llo“) = 59d9a6df06b9f610f7db8e036896ed03662d168f − SHA- 1(„H e llo“) = f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0

Birthday Paradoxon ⚫ There are 23 people in one room ⚫ What is the probability for „2 persons have the same birthday“ (just day and month, not year) ⚫ Answer: approx. 50%

Birthday Attack ⚫ Let h be a hash function with co-domain of size 2 n (i.e. with hash values of length n bit) ⚫ Calculation of collision needs 2 n /2 checks (average) ⚫ Conclusion: choose n as large as possible ⚫ Current recommendation: − (average) 2 80 checks required −  Hash value have minimum length 160 bit ⚫ If (at n bit length) less tests than 2 n /2 required: Hash function has weakness

Properties of Hash functions 4711 Eve Bob Alice

One-way function ⚫ One-way property (preimage resistant): − There exist no (efficient) inverse function for h, i.e. − It is not possible to calculate message M from hash value H with: h ( M ) = H ⚫ h collision resistant  h one-way function

Types of Hash Algorithms ⚫ Encryption-based − Uses block ciphers − Low performance − insecure ⚫ Algebraic − Uses number theory problems (e.g. discrete logarithm) − Low performance ⚫ Ad-Hoc Design − Uses: AND, OR, XOR, SHIFT, S-Boxes − Most widespread usage

Common Hash Algorithms ⚫ MD5 − Message-Digest-Algorithm (R. Rivest, 1992) − RFC 1321 − Input: < 2 64 bit, Output: 128 bit ⚫ SHA-1 − Secure Hash Algorithm (NIST/NSA, 1994) − Input: < 2 64 bit, Output: 160 bit ⚫ SHA-2 − Secure Hash Algorithm (NIST/NSA, 2002) − SHA-256: Input: < 2 64 bit, Output: 256 bit − SHA-384: Input: < 2 128 bit, Output: 384 bit − SHA-512: Input: < 2 128 bit, Output: 512 bit

SHA-1 – Internal Structure E D C B A 5 x 32 Bit + <<5 + K 80 x F + >>2 160 Bit + W M E D C B A 5 x 32 Bit

Merkle Damgård Construction Compression function f Hash function h n bit Length Message M of M n bit n bit f ... Block 1 Block 2 Block m Hash ... IV f f f h ( M ) f collision resistant  h collision resistant

Security of Hash Algorithms ⚫ Known attacks on Hash properties Algorithm Attack on Attack on Collision resistence One way property MD5 Yes Yes SHA-1 Yes No SHA-2 (Yes) No

Security of Hash Algorithms

SHA-3 Competition ⚫ Creating new Hash function (successor of SHA-2) ⚫ Open competition by NIST started 2007 ⚫ Public analysis and discussion of candidates ⚫ Criteria: − Performance − Security − Diversity ⚫ Winner (announced 2012): Keccak ⚫ Standardized as SHA-3 (2015)

Breaking Hashes ⚫ „Anonymous“ exam results

Breaking Hashes ⚫ How to find the pre-image of H ? (i.e. finding m with h ( m ) = H ) ⚫ Brute force attack: testing all possible values for m − rather simple if the set of “all possible values” is rather small − Examples: ▪ m is a short/simple password ▪ m is a matriculation number ▪ m is an IP address ⚫ Variation: Dictionary attack: testing just certain values − Examples ▪ typical passwords (“1234”, “admin”, ...) ▪ real world words (“dog”, “car”, ...) ⚫ Lookup in a pre- calculated list of “all” m and h ( m ) − Practical implementation: Rainbow Table 96

Breaking Hashes – Countermeasures ⚫ Brute force/Dictionary: − avoid short/simple messages − use special resource consuming “hash” functions (e.g. scrypt, Argon2) − add a secret value to the hash calculation: pepper (not always possible) ⚫ Rainbow table: − avoid short/simple messages − add a (non-secret) random value to the hash calculation: salt 97

Integrity Protection and Digital Signature

Message Authentication Code Dear Dear Dear Dear Dear Bob Bob Bob Bob Bob .... .... .... .... .... MAC MAC = ?

Message Authentication Code ⚫ A Message Authentication Code (MAC) is a short piece of information used to authenticate a message ⚫ The involved key enables to provide authentication means in addition to integrity ⚫ In some contexts a MAC is also called a symmetric signature ⚫ First idea for implementation: mac k ( m ) = h ( k || m ) (here || is the concatenation operator)