
Cryptography Crash Course Symmetric Key Cryptography School on - PowerPoint PPT Presentation

Cryptography Crash Course: Symmetric Key Cryptography
School on Secure IoT, 2016
Dr. Ir. Jens Hermans, KU Leuven/COSIC

Cryptology: basic principles
[figure: Alice turns the cleartext ("Clear") into ciphertext ("%^C&") and sends it to Bob, who recovers the cleartext; Eve observes the channel]


  1. Security requirements
  • Preimage resistance: for given y, hard to find an input x such that h(x) = y (2^n operations)
  • 2nd preimage resistance: given x, hard to find x' ≠ x such that h(x') = h(x) (2^n operations)
  • Collision resistance: hard to find (x, x') with x' ≠ x such that h(x') = h(x) (2^(n/2) operations)

  2. Identification with passwords
  Alice: "Hello Bob, I am Alice. My password P is Xur%9pLr" / Bob: "OK!"
  BUT
  • Eve can guess the password
  • Eve can listen to the channel and learn Alice's password
  • Bob needs to know Alice's secret
  • Bob needs to store Alice's secret in a secure way

  3. Preimage resistance
  • in a password file, one does not store (username, password)
  • but (username, hash(password))
  • this is sufficient to verify a password
  • an attacker with access to the password file has to find a preimage (2^n operations)
  [figure: preimage: given h(x), find x]

  4. Improved identification with passwords
  Alice: "Hello Bob, I am Alice. My password P is Xur%9pLr" / Bob applies the one-way function f to P and compares f(Xur%9pLr) with the stored value f(P): "OK!"
  • Bob stores f(P) rather than Alice's secret P
  • it is difficult to deduce P from f(P)

  5. Password entropy: effective key length
  [chart: effective key length in bits (0 to 70) for passwords of 5, 6, 7, 8, 9 and 10 characters drawn from: lower case; lower case + digits; mixed case + digits; full keyboard]
  Problem: passwords from dictionaries

  6. Improving passwords with salts
  Alice: "Hello Bob, I am Alice. My password P is Xur%9pLr" / Bob looks up Alice's salt S = 987&*, computes f(P||S) = f(Xur%9pLr||987&*) and compares it with the stored value: "OK!"
  • give every user at registration a random publicly known value S (salt)
  • Bob stores f(P, S) || S rather than Alice's secret P
  • it is harder to attack the passwords of all users simultaneously
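The storage scheme of slides 3, 4 and 6, as an added example that is not part of the lecture: Bob keeps f(P, S) || S per user, never P. The slides leave f abstract; this example assumes PBKDF2-HMAC-SHA-256 as the one-way function, a 16-byte salt, and a constructed in-memory user table. Two users with the same password get different records, and verification compares in constant time.

```python
import hashlib
import hmac
import os

# Assumptions for this example: PBKDF2-HMAC-SHA-256 plays the role of f,
# the salt S is 16 random bytes, and the "password file" is a dict.
ITERATIONS = 200_000
SALT_LEN = 16
USER_DB = {}  # username -> f(P || S) || S   (constructed, in memory)


def derive(password: str, salt: bytes) -> bytes:
    """f(P || S): deliberately slow and one-way. S is public, P is not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> bytes:
    """Bob stores f(P, S) || S and forgets P. Returns the stored record."""
    salt = os.urandom(SALT_LEN)  # fresh random S per user, chosen at registration
    USER_DB[username] = derive(password, salt) + salt
    return USER_DB[username]


def verify(username: str, password: str) -> bool:
    """Recompute f(P', S) with the stored salt and compare it in constant time."""
    record = USER_DB.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        derive(password, b"\x00" * SALT_LEN)
        return False
    digest, salt = record[:-SALT_LEN], record[-SALT_LEN:]
    return hmac.compare_digest(digest, derive(password, salt))


if __name__ == "__main__":
    register("alice", "Xur%9pLr")
    print(verify("alice", "Xur%9pLr"), verify("alice", "wrong"))
```

Because the salt is stored next to the digest, an attacker who obtains the file must attack each user's record separately; the salt costs the defender nothing in secrecy, only storage.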

  7. Second preimage resistance
  • transmit x over a fast but insecure channel
  • transmit h(x) over a slow but authenticated channel (e.g., read it over the phone)
  • an attacker has access to x but he can only fool the recipient if he finds a second preimage of x (2^n operations)
  • another example: compute a hash of the files on a USB stick before you lend it to your friend; you can store the hash on your laptop or write it down
  [figure: 2nd preimage: given x, find x' with h(x') = h(x)]
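The USB-stick example from the slide, as an added example that is not part of the lecture: build a manifest of SHA-256 hashes for every file, keep the manifest on your laptop, and compare the stick against it when it comes back. The directory contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """h(x) for one file, read in chunks so large files need no extra memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path) to its hash: this is what you keep."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def check_manifest(root: str, manifest: dict) -> list:
    """Paths that were modified, removed or added since the manifest was made."""
    current = build_manifest(root)
    return sorted(p for p in set(manifest) | set(current) if manifest.get(p) != current.get(p))


def demo() -> tuple:
    """Constructed scenario: hash the stick, lend it out, one file is altered and one added."""
    with tempfile.TemporaryDirectory() as stick:
        for name, data in (("a.txt", b"hello"), ("b.bin", b"\x00" * 1000)):
            with open(os.path.join(stick, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(stick)
        before = check_manifest(stick, manifest)   # nothing changed yet
        with open(os.path.join(stick, "a.txt"), "ab") as f:
            f.write(b"!")                            # tampered file
        with open(os.path.join(stick, "new.txt"), "wb") as f:
            f.write(b"extra")                        # file that was not there before
        after = check_manifest(stick, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest itself travels over the "authenticated channel" (your own laptop); an attacker who can change files on the stick gains nothing unless they can produce a second preimage for one of the hashed files.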

  8. Collision resistance
  • hacker Alice prepares two versions of a software driver for the O/S company Bob
    - x is correct code
    - x' contains a backdoor that gives Alice access to the machine
  • Alice submits x for inspection to Bob
  • if Bob is satisfied, he digitally signs h(x) with his private key
  • Alice now distributes x' to users of the O/S; these users verify the signature on x with Bob's public key
  • however, this signature also works for x', as h(x) = h(x')!
  [figure: collision: find x ≠ x' with h(x) = h(x') (2^(n/2) operations)]

  9. Collision resistance
  • in many cryptographic protocols, Alice wants to commit to a value x without revealing it
  • Alice picks a secret random string r and sends y = h(x || r) to Bob
  • in a later phase of the protocol, Alice reveals x and r to Bob and he checks that y is correct
  • if Alice can find a collision, that is (x, r) and (x', r') with x' ≠ x, she can cheat
  • if Bob can find a preimage, he can learn x and cheat
  [figure: collision: h(x) = h(x'), 2^(n/2) operations]
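The commitment scheme of the slide, as an added example that is not part of the lecture. It assumes SHA-256 as h and a 32-byte random r. One detail the slide's notation hides: x || r must be encoded unambiguously (here x is length-prefixed), otherwise a cheating Alice could later split the same byte string into a different (x', r') pair without finding any hash collision at all.

```python
import hashlib
import hmac
import secrets


def _encode(x: bytes, r: bytes) -> bytes:
    # Length-prefix x so that no two distinct (x, r) pairs yield the same byte string.
    return len(x).to_bytes(8, "big") + x + r


def commit(x: bytes) -> tuple:
    """Alice: choose secret random r and publish y = h(x || r); keep (x, r) for later."""
    r = secrets.token_bytes(32)  # 256 bits: Bob cannot find x by guessing (x, r) pairs
    return hashlib.sha256(_encode(x, r)).digest(), r


def open_commitment(y: bytes, x: bytes, r: bytes) -> bool:
    """Bob: check that the revealed (x, r) reproduces the commitment y."""
    return hmac.compare_digest(y, hashlib.sha256(_encode(x, r)).digest())


if __name__ == "__main__":
    y, r = commit(b"heads")
    # ... later in the protocol Alice reveals x and r:
    print(open_commitment(y, b"heads", r), open_commitment(y, b"tails", r))
```

Binding rests on collision resistance (Alice cannot open to x' ≠ x); hiding rests on preimage resistance plus the entropy of r (Bob cannot recover x from y, even when x comes from a tiny set such as {heads, tails}).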

  10. Applications
  • short unique identifier to a string
  • digital signatures
  • data authentication
  • one-way function of a string
  • protection of passwords
  • micro-payments
  • confirmation of knowledge/commitment
  • pseudo-random string generation/key derivation
  • entropy extraction
  • construction of MAC algorithms, stream ciphers, block ciphers, ...

  11. Applications
  • collision resistance is not always necessary
  • other properties are needed:
    - pseudo-randomness if keyed (with secret key)
    - indifferentiable from random oracle: PRO (pseudo-random oracle)
    - near-collision resistance
    - partial preimage resistance
    - multiplication freeness
  • formalizing these properties and the relation between them is complex

  12. MDx-type hash function history
  [timeline from 90 to 02: MD4, Ext. MD4, MD5, HAVAL, RIPEMD, SHA, SHA-1, RIPEMD-160, SHA-256, SHA-512]

  13. Hash functions: conclusions
  • cryptographic meltdown, but fortunately implications so far limited
  • designers often too optimistic (usually need 2x more rounds)
  • Keccak/SHA-3: new approach based on sponges (large permutations)
  • SHA-4 competition? Unlikely in the next two decades

  14. MAC

  15. Data authentication
  Bob wants to know:
  • the source of the information (data origin)
  • that the information has not been modified
  • (optionally) timeliness and sequence
  Data authentication is typically more complex than data confidentiality.
  To just detect data manipulation: hash. Otherwise: MAC (with a secret key).

  16. MAC
  • CBC-MAC
  • HMAC
  Replace protection of authenticity of a (long) message by protection of secrecy of a (short) key.
  Add MAC to the plaintext:
  "This is an input to a MAC algorithm. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard for someone who does not know the secret key to compute the hash function on a new input." → 7E6FD7198A198FB3C

  17. Message integrity: MACs
  [figure: Alice and Bob share key k; Alice sends message m together with tag]
  Generate tag: tag ← S(k, m)
  Verify tag: V(k, m, tag) = 'yes'?
  Def: MAC I = (S, V) defined over (K, M, T) is a pair of algs:
  • S(k, m) outputs t in T
  • V(k, m, t) outputs 'yes' or 'no'

  18. Informal Definition
  Message Authentication Code: think of it as a hash function with secret key:
  • description of h public
  • X arbitrary length → fixed length m (32 ... 160 bits)
  • computation of h_K(X) "easy" given X and K
  • computation of h_K(X) "hard" given only X, even if a large number of pairs {X_i, h_K(X_i)} is known
  • calculation of h_K(X) without knowledge of secret key: forgery (verifiable or not verifiable)

  19. Informal Definition
  • typical MAC lengths: 32..96 bits
  • forgery attacks: 2^m steps with m the MAC length in bits
  • typical key lengths: (56)..112..160 bits
  • exhaustive key search: 2^k steps with k the key length in bits
  • birthday attacks: security level smaller than expected
    - internal memory n bits; result m bits
    - output transformation g
    - forgery after 2^(n/2) known and ≤ 2^(n−m) chosen texts

  20. MAC algorithms
  • Banking: CBC-MAC based on triple-DES or EMAC
  • Internet: HMAC, CMAC (was OMAC) based on AES
  • information theoretic secure MAC algorithms (authentication codes): GCM and UMAC
    - highly efficient (for long messages)
    - large key (UMAC)
    - part of the key refreshed per message (while full key should be replaced)
    - leads to lack of robustness

  21. Secure MACs
  Attacker's power: chosen message attack
  • for m_1, m_2, ..., m_q the attacker is given t_i ← S(k, m_i)
  Attacker's goal: existential forgery
  • produce some new valid message/tag pair (m, t) with (m, t) ∉ {(m_1, t_1), ..., (m_q, t_q)}
  ⇒ attacker cannot produce a valid tag for a new message
  ⇒ given (m, t) attacker cannot even produce (m, t') for t' ≠ t

  22. Examples
  • AES: a MAC for 16-byte messages.
  • Main question: how to convert a Small-MAC into a Big-MAC?
  • Two main constructions used in practice:
    - CBC-MAC (banking: ANSI X9.9, X9.19, FIPS 186-3)
    - HMAC (Internet protocols: SSL, IPsec, SSH, ...)
  • Both convert a small-PRF into a big-PRF.

  23. CBC-MAC
  [figure: message blocks x_1, x_2, ..., x_t chained through ENC under K_1 with intermediate values H_1, H_2, ..., H_{t−1}; output transformation G yields MAC_K1(x)]
  • standards (ANSI, ISO, IEC, NIST)
  • proof of security by [Bellare-Kilian-Rogaway] for fixed length inputs only
  • m = block length/2 up to block length
  • need special operation in last block for arbitrary length inputs
  • use a different key (= LMAC) or XOR key to G (= CMAC)

  24. CBC-MAC
  Security with AES-128:
  • key search: 2^128 encryptions
  • guess MAC: 1/2^m
  • birthday forgery attack:
    - m = 128: 2^64 known and 1 chosen text
    - m = 64: 2^66 chosen texts
    - improved attack for m = 64: 2^33 chosen texts and 2 known texts [Knudsen97]
  Acceptable for most applications (not for DES!)

  25. MAC based on hash?
  • Secret prefix: h(K_1 || x); prepend the length to avoid that one can compute h(K_1 || x || y) from h(K_1 || x) without knowing K_1
  • Secret suffix: h(x || K_2); off-line attacks on h
  • Envelope: h(K_1 || x || K_2); risky: less secure than h
  • Better variants: MDx-MAC and HMAC

  26. Standardized method: HMAC
  Most widely used MAC on the Internet. Building a MAC out of a hash function:
  HMAC: S(k, m) = H(k ⊕ opad || H(k ⊕ ipad || m))
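The (S, V) pair of slides 17 and 21 instantiated with the HMAC formula of this slide, as an added example that is not part of the lecture. It assumes SHA-256 as H (64-byte block, so ipad = 0x36 and opad = 0x5C repeated 64 times, and keys longer than a block are hashed first, as in RFC 2104); the result can be checked against Python's `hmac` module.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes; ipad and opad are one block long


def _xor_pad(key: bytes, pad_byte: int) -> bytes:
    return bytes(b ^ pad_byte for b in key)


def _prep_key(k: bytes) -> bytes:
    # A key longer than one block is replaced by its hash; then zero-pad to BLOCK.
    if len(k) > BLOCK:
        k = hashlib.sha256(k).digest()
    return k.ljust(BLOCK, b"\x00")


def S(k: bytes, m: bytes) -> bytes:
    """S(k, m) = H(k ⊕ opad || H(k ⊕ ipad || m)); outputs a 32-byte tag t in T."""
    k = _prep_key(k)
    inner = hashlib.sha256(_xor_pad(k, 0x36) + m).digest()
    return hashlib.sha256(_xor_pad(k, 0x5C) + inner).digest()


def V(k: bytes, m: bytes, t: bytes) -> bool:
    """Recompute the tag and compare in constant time ('yes'/'no' as True/False).
    A byte-by-byte == comparison would leak, through timing, how many leading
    bytes of a guessed tag are right; compare_digest avoids that."""
    return hmac.compare_digest(S(k, m), t)


if __name__ == "__main__":
    k, m = b"shared secret key", b"This is an input to a MAC algorithm."
    t = S(k, m)
    print(t.hex(), V(k, m, t), V(k, m + b"!", t))
```

The inner hash binds the message under one derived key, the outer hash under a second one; that nesting is what makes the construction safe where the secret-prefix and secret-suffix variants of slide 25 are not.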

  27. Summary
  • authentication ↔ secrecy
  • symmetric authentication ↔ digital signature
  • hash functions form a flexible tool, but are hard to design
    - SHA-1 would have needed 128-160 steps instead of 80
    - hash function attacks: meltdown but with limited implications
    - theory is developing
  • MAC algorithms: much more mature
    - universal hash function based: fast but lack some robustness
  • secure protocols needed (serial numbers, timestamping)

  28. Cryptography Crash Course: Public-key cryptography
  Dr. Ir. Jens Hermans, KU Leuven/COSIC
  School on Secure IoT, 2016

  29. [outline]
  1 Mathematical background: prime numbers and modular arithmetic; elliptic curve; one-way & trapdoor one-way functions
  2 Public-key cryptosystems: key agreement; public-key encryption; hybrid systems; digital signatures

  30. Symmetric key cryptography
  [figure: Alice encrypts 'abc' into ciphertext '#!$' with Key; Bob decrypts with the same Key]

  31. Public key cryptography
  [figure: Alice encrypts 'abc' into ciphertext '#!$' with Bob's Public Key; Bob decrypts with his Private Key]

  32. Elliptic Curves
  Definition: an elliptic curve E over a field K is defined by
    y^2 + a_1·x·y + a_3·y = x^3 + a_2·x^2 + a_4·x + a_6,  a_i ∈ K
  The set E(K) consists of all (x, y) ∈ K × K which satisfy this equation, together with ∞; ∞ is called the point at infinity.
  Theorem: there exists an addition law on E and the set E(K) is a group.

  33. Elliptic Curves over R
  [two plots with x and y axes from −8 to 8: y^2 = x^3 + 4x^2 + 4x + 3 (left) and y^2 = x^3 − 7x + 6 (right)]

  34. Addition Law on Elliptic Curve
  [figure: points P and Q on the curve and their sum R = P ⊕ Q]

  35. Elliptic Curves over Finite Fields
  [plot: the points (x, y) with 0 ≤ x, y ≤ 22 of the elliptic curve y^2 = x^3 + x + 3 mod 23]

  36. One-way functions
  Definition: f : X → Y : x ↦ f(x) = y is a one-way function ⇔
  • ∀ x ∈ X, f(x) is easy to compute
  • given y ∈ Y, finding an x ∈ X with f(x) = y is a hard problem (computationally infeasible)
  Note: do such functions exist? = open problem

  37. Candidate one-way functions
  • Multiplication: given p, q, compute n = p · q. Inverse problem: given a large n, product of 2 primes of about the same size, find these primes
  • Modular exponentiation: given a, n with a ∈ [1, n − 1], a^m mod n can be computed efficiently (square and multiply). Inverse problem (= discrete logarithm): given a, n and b, find x such that a^x mod n ≡ b

  38. Candidate one-way functions
  • Scalar multiplication on elliptic curve: let E be an EC over a finite field and P a point on E. Then Q = s · P can be computed efficiently (add and double). The ECDLP is to compute s given P and Q

  39. Trapdoor one-way functions
  Definition: one-way functions which can be inverted using additional information, i.e. the trapdoor information

  40. Trapdoor one-way functions
  Definition: one-way functions which can be inverted using additional information, i.e. the trapdoor information
  Example: let n = p · q and consider modular exponentiation modulo n: b = a^e mod n. Inverse operation: e-th root of b. Given p and q the inverse operation is easy, so p (and q) are the trapdoor information

  41. [outline]
  1 Mathematical background: prime numbers and modular arithmetic; elliptic curve; one-way & trapdoor one-way functions
  2 Public-key cryptosystems: key agreement; public-key encryption; hybrid systems; digital signatures

  42. Public-key key agreement: Diffie-Hellman
  W. Diffie and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976.
  Agree on a secret key using commutative one-way functions
  [figure: A and B exchange Public Key A and Public Key B; each combines the other's public key with its own Private Key and obtains the same shared secret]

  43. Diffie-Hellman (1)
  Choose a large prime number p and a generator g mod p
  Alice: a ∈_R [1, p − 1], sends g^a → Bob
  Bob: b ∈_R [1, p − 1], sends g^b → Alice
  Alice computes K_BA = (g^b)^a;  Bob computes K_BA = (g^a)^b
  Note: all calculations mod p

  44. Diffie-Hellman (2)
  • Diffie-Hellman assumption: given g^a and g^b, it is hard to compute g^(a·b)
  • if the Diffie-Hellman assumption is true, then key agreement is secure (bar authentication)
  • the Diffie-Hellman problem cannot be harder than the discrete logarithm problem
  • many groups: DHP equivalent with DLP, i.e. given an oracle to solve DHP, it is also possible to solve DLP
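Slides 37, 43 and 44 in running code, as an added example that is not part of the lecture: square-and-multiply for the easy direction, the Diffie-Hellman exchange built on it, and a brute-force discrete logarithm that shows why the inverse direction is only easy because the constructed parameters (p = 23, g = 5) are tiny. Real parameters are 2048-bit primes or larger, where the brute-force loop below would never finish.

```python
import secrets


def modexp(a: int, m: int, n: int) -> int:
    """a^m mod n by square-and-multiply: O(log m) modular multiplications."""
    result, base = 1, a % n
    while m > 0:
        if m & 1:                      # current bit of the exponent is set
            result = result * base % n
        base = base * base % n         # square for the next bit
        m >>= 1
    return result


def dlog_bruteforce(g: int, b: int, p: int) -> int:
    """Inverse problem: x with g^x ≡ b (mod p). Linear in p, so only feasible for toy p."""
    acc = 1
    for x in range(p - 1):
        if acc == b:
            return x
        acc = acc * g % p
    raise ValueError("b is not in the subgroup generated by g")


def dh_keypair(p: int, g: int, priv: int = None) -> tuple:
    """Private a ∈_R [1, p − 1] and the public value g^a mod p that is sent over the wire."""
    if priv is None:
        priv = 1 + secrets.randbelow(p - 1)
    return priv, modexp(g, priv, p)


def dh_shared(priv: int, other_pub: int, p: int) -> int:
    """K = (g^b)^a mod p on Alice's side, (g^a)^b mod p on Bob's: the same value."""
    return modexp(other_pub, priv, p)


if __name__ == "__main__":
    p, g = 23, 5                         # constructed toy parameters; 5 generates Z_23^*
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    print(dh_shared(a, B, p) == dh_shared(b, A, p))
    print("eavesdropper recovers a =", dlog_bruteforce(g, A, p), "from A only because p is tiny")
```

Note what the eavesdropper sees: p, g, g^a and g^b. The exchange is secure only if neither a nor b (DLP) nor g^(ab) directly (DHP) can be computed from those values, and, as slide 44 says, only "bar authentication": nothing here tells Alice that g^b really came from Bob.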

  45. Diffie-Hellman with Elliptic Curve
  Choose an elliptic curve E(F_p) and a generator G ∈ E(F_p)
  Alice: a ∈_R [1, #E], sends aG → Bob
  Bob: b ∈_R [1, #E], sends bG → Alice
  Alice computes K_BA = a(bG);  Bob computes K_BA = b(aG)
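The curve arithmetic of slides 32, 35 and 38 and the ECDH exchange of this slide, as an added example that is not part of the lecture. It uses the slide's constructed curve y^2 = x^3 + x + 3 over F_23 (a short Weierstrass curve, so a_1 = a_2 = a_3 = 0), counts #E by brute force, implements the addition law in affine coordinates, and computes a(bG) = b(aG). Everything except the curve equation is an assumption of this example; production code uses a standardized curve and constant-time arithmetic.

```python
import secrets

# Constructed toy curve from slide 35: y^2 = x^3 + A*x + B over F_P.
P, A, B = 23, 1, 3
INF = None  # the point at infinity ∞, the group's neutral element


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Addition law R = P ⊕ Q (chord-and-tangent rule in affine coordinates)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                          # P ⊕ (−P) = ∞
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(s: int, pt):
    """Q = s·P by double-and-add: the easy direction. Recovering s from (P, Q) is the ECDLP."""
    result, addend = INF, pt
    while s > 0:
        if s & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        s >>= 1
    return result


def count_points() -> int:
    """#E(F_23): every affine solution of the curve equation, plus ∞."""
    return 1 + sum(1 for x in range(P) for y in range(P) if on_curve((x, y)))


def ecdh(G, a: int = None, b: int = None) -> tuple:
    """Alice sends aG, Bob sends bG; each multiplies what it received by its own secret."""
    n = count_points()
    a = a or 1 + secrets.randbelow(n - 1)
    b = b or 1 + secrets.randbelow(n - 1)
    aG, bG = scalar_mult(a, G), scalar_mult(b, G)   # the two public values on the wire
    return scalar_mult(a, bG), scalar_mult(b, aG)   # Alice's K and Bob's K


if __name__ == "__main__":
    G = (4, 5)                                      # constructed base point; 5^2 = 25 = 4^3 + 4 + 3 mod 23
    print("#E =", count_points(), " 27*G =", scalar_mult(27, G))
    k_alice, k_bob = ecdh(G)
    print(k_alice == k_bob, k_alice)
```

Two checks worth keeping in any EC code: reject received points that are not on the curve (the `on_curve` test) and verify that s·G for s = #E returns ∞, which confirms both the group order and the addition law.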

  46. Public-key encryption
  Send a confidential message protected with a public key (trapdoor one-way functions): D_SB[E_PB(m)] = m
  [figure: Alice encrypts m = 'abc' into ciphertext '#!$' with Bob's Public Key P_B; Bob decrypts with his Private Key S_B]

  47. Public-key encryption
  A public key encryption scheme E = (G, E, D) is a triple of algorithms:
  • Key-generation algorithm: probabilistic algorithm G(k) which returns a matching public/private key pair (P, K) given security parameter k, e.g. the length of the keys

  48. Public-key encryption
  A public key encryption scheme E = (G, E, D) is a triple of algorithms:
  • Key-generation algorithm: probabilistic algorithm G(k) which returns a matching public/private key pair (P, K) given security parameter k, e.g. the length of the keys
  • Encryption algorithm: probabilistic algorithm E_P : M → C which returns ciphertext c = E_P(m)
  • Decryption algorithm: deterministic algorithm D_K : C → M ∪ {⊥}, with the property that D_K(c) = m for c = E_P(m)

  49. Provable security of encryption
  • Trivial requirement: hard to invert (trapdoor) one-way function, or cryptographic primitive should be secure
  • However: most real life attacks target the higher level protocol

  50. Provable security of encryption
  Provable security = reductionist security
  Define "secure"?
  • Goal of adversary, i.e. what do we call a "break" of a protocol?
  • Power of adversary, i.e. what is the adversary allowed during the attack?
  • Computational model, i.e. do we make the assumption that ideal hash functions exist?

  51. Provable security of encryption
  Semantic security: a polynomial time adversary can learn nothing about the plaintext given the ciphertext
  Hard to use in practice

  52. Provable security of encryption
  Indistinguishability of encryptions:
  1 Find stage: A produces messages m_0 and m_1 (e.g. 'abc' and 'xyz')
  2 Guess stage: A gets the encryption c_b of either m_0 or m_1 ('#!$')
  3 Goal: A has to guess b with probability > 1/2 (not negligible)

  53. Public-key encryption: attack models
  • Passive attack = CPA: adversary has access to a black box performing encryption, but not decryption

  54. Public-key encryption: attack models
  • Passive attack = CPA: adversary has access to a black box performing encryption, but not decryption
  • Chosen ciphertext attack = CCA1: adversary has access to a black box performing decryption, during the find stage only (i.e. before outputting m_0 and m_1)

  55. Public-key encryption: attack models
  • Passive attack = CPA: adversary has access to a black box performing encryption, but not decryption
  • Chosen ciphertext attack = CCA1: adversary has access to a black box performing decryption, during the find stage only (i.e. before outputting m_0 and m_1)
  • Adaptive chosen ciphertext attack = CCA2: adversary has access to a black box performing decryption, during the entire attack, except to decrypt the ciphertext c_b

  56. RSA: description
  Key generation:
  • find 2 primes p and q of ± 1024 bits and set n = p · q
  • compute ϕ(n) = (p − 1)(q − 1)
  • choose e co-prime to ϕ(n) (≠ ±1)
  • compute d = e^(−1) mod ϕ(n)
  • public key = (e, n); private key = (d, n) or (p, q)
  Encryption: c = m^e mod n
  Decryption: m = c^d mod n

  57. RSA: security in practice
  • need to use a padding scheme (homomorphic property)
  • each user needs a different n
  • small d is not secure (< 29% of the length of n)
  • small e requires an adequate padding scheme
  • partial key exposure attacks ...
  • chosen ciphertext attack on PKCS#1 v1.5 based on error messages
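The RSA key generation, encryption and decryption of slide 56, as an added example that is not part of the lecture, together with a check of the homomorphic property that slide 57 gives as the reason a padding scheme is needed. The primes p = 61, q = 53 and e = 17 are constructed toy values (real keys use ±1024-bit primes); with them n = 3233, ϕ(n) = 3120 and d = 2753.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17) -> tuple:
    """Key generation as on slide 56. p and q are assumed prime (toy values in the demo)."""
    n = p * q
    phi = (p - 1) * (q - 1)                 # ϕ(n) = (p − 1)(q − 1)
    if gcd(e, phi) != 1 or e in (1, phi - 1):
        raise ValueError("e must be co-prime to phi(n) and not ±1")
    d = pow(e, -1, phi)                     # d = e^(−1) mod ϕ(n)
    return (e, n), (d, n)                   # public key, private key


def rsa_encrypt(pub: tuple, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)                     # c = m^e mod n


def rsa_decrypt(priv: tuple, c: int) -> int:
    d, n = priv
    return pow(c, d, n)                     # m = c^d mod n


def is_homomorphic(pub: tuple, m1: int, m2: int) -> bool:
    """Textbook RSA satisfies E(m1)·E(m2) ≡ E(m1·m2) (mod n): from two ciphertexts
    anyone can build the ciphertext of a related message without the private key.
    This is the property a padding scheme (randomized, e.g. OAEP) destroys."""
    _, n = pub
    return rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2) % n == rsa_encrypt(pub, m1 * m2 % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)          # constructed toy primes
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c))
    print("homomorphic:", is_homomorphic(pub, 65, 7))
```

Textbook RSA is also deterministic: encrypting the same m twice gives the same c, so it cannot meet the indistinguishability definition of slide 52 either. Both defects are addressed by the padding schemes the slide refers to, not by the primitive.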

  58. ElGamal encryption
  Key generation:
  • Parameters: (safe) prime p and generator g of GF(p)^×
  • Private key: x (1 < x < p − 1)
  • Public key: y = g^x mod p

  59. ElGamal encryption
  Key generation:
  • Parameters: (safe) prime p and generator g of GF(p)^×
  • Private key: x (1 < x < p − 1)
  • Public key: y = g^x mod p
  Encryption:
  • random k with gcd(k, p − 1) = 1
  • r = g^k mod p
  • s = y^k · m mod p
  • ciphertext: c = (r, s)
  Decryption: m = s · r^(−x) mod p
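ElGamal as on slides 58 and 59, as an added example that is not part of the lecture. The parameters p = 23, g = 5 (a generator of GF(23)^×) and the private key x = 6 are constructed toy values; a real deployment uses a large safe prime. Unlike textbook RSA, encryption is probabilistic: the random k makes two encryptions of the same m look different, which is what the indistinguishability definition of slide 52 asks for.

```python
import secrets
from math import gcd


def elgamal_keygen(p: int, g: int, x: int = None) -> tuple:
    """Private key x with 1 < x < p − 1, public key y = g^x mod p."""
    if x is None:
        x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def elgamal_encrypt(p: int, g: int, y: int, m: int, k: int = None) -> tuple:
    """c = (r, s) = (g^k, y^k · m) mod p for a random k with gcd(k, p − 1) = 1."""
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
        while gcd(k, p - 1) != 1:               # resample until k is co-prime to p − 1
            k = 1 + secrets.randbelow(p - 2)
    elif gcd(k, p - 1) != 1:
        raise ValueError("k must be co-prime to p - 1")
    if not 0 < m < p:
        raise ValueError("message must be in [1, p)")
    r = pow(g, k, p)
    s = pow(y, k, p) * m % p
    return r, s


def elgamal_decrypt(p: int, x: int, c: tuple) -> int:
    """m = s · r^(−x) mod p; pow with a negative exponent gives the modular inverse of r^x."""
    r, s = c
    return s * pow(r, -x, p) % p


if __name__ == "__main__":
    p, g = 23, 5                                # constructed toy parameters
    x, y = elgamal_keygen(p, g, 6)
    c1 = elgamal_encrypt(p, g, y, 13)
    c2 = elgamal_encrypt(p, g, y, 13)
    print(c1, c2, elgamal_decrypt(p, x, c1), elgamal_decrypt(p, x, c2))
```

Decryption works because r^x = (g^k)^x = (g^x)^k = y^k, the very mask that was multiplied into s; the receiver can compute it from r and x, an eavesdropper only from k or x, which is the Diffie-Hellman problem of slide 44.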
