iLab
Modern cryptography for communications security
Benjamin Hof, hof@in.tum.de
Lehrstuhl für Netzarchitekturen und Netzdienste
Fakultät für Informatik
Technische Universität München
Cryptography – 15ws
Outline
Cryptography
Private-key setting
Public-key setting
Meta
Scope
Focus on:
◮ modern cryptography
◮ methods used in communications security
Based on: Introduction to modern cryptography, Katz and Lindell, 2nd edition, 2015.
Communication
by Melissa Elliott, https://twitter.com/0xabad1dea/status/400676797874208768
What we are concerned with
“Let’s meet up at 9!”  Alice → Bob
(image: BfV, Roens/Wikipedia, CC-by-sa 2.0)
Eve: passive attack, eavesdropping
We want to provide confidentiality!
“You can trust Trent!”  Alice → Mallory → Bob
Mallory: active attack, message modification
We want to provide message authentication!
Limitations
◮ cryptography is typically bypassed, not broken
  ◮ not applied correctly
  ◮ not implemented correctly
◮ subverted communication
  ◮ existence
  ◮ time
  ◮ extent
  ◮ partners
Kerckhoffs’ principle
Security should only depend on the secrecy of the key, not the secrecy of the system.
◮ key easier to keep secret
◮ change
◮ compatibility
No security by obscurity.
◮ scrutiny
◮ standards
◮ reverse engineering
Another principle as a side note
The system should be usable easily.
◮ Kerckhoffs actually postulated 6 principles
◮ this one got somewhat forgotten
◮ starting to be rediscovered in the design of secure applications and libraries
Example: Signal, NaCl
Modern cryptography relies on
◮ formal definitions
◮ precisely defined assumptions
◮ mathematical proofs
Reductionist security arguments, the “proofs”, require the assumptions to be formulated explicitly.
Uniform distribution
$P : U \to [0, 1]$
$\sum_{x \in U} P(x) = 1$
$\forall x \in U : P(x) = \frac{1}{|U|}$
Randomness
◮ required to do any cryptography at all
◮ somewhat difficult to get in a computer (deterministic!)
◮ required to be cryptographically secure: indistinguishable from truly random
◮ not provided by the standard random number functions of programming languages
Example: used to generate keys or other information unknown to any other parties
Collecting unpredictable bits
1. collect pool of high-entropy data
2. process into sequence of nearly independent and unbiased bits
◮ physical phenomena
  ◮ time between emission of particles during radioactive decay
  ◮ thermal noise from a semiconductor diode or resistor
◮ software-based
  ◮ elapsed time between keystrokes or mouse movement
  ◮ packet interarrival times
◮ attacker must not be able to guess/influence the collected values
Pseudo-random generator
$G : \{0, 1\}^s \to \{0, 1\}^n, \quad n \gg s$
A definition of security
A scheme is secure if any probabilistic polynomial time adversary succeeds in breaking the scheme with at most negligible probability.
Negligible
For every polynomial p and for all sufficiently large values of n:
$f(n) < \frac{1}{p(n)}$
e.g., $f(n) = \frac{1}{2^n}$
Church-Turing Hypothesis
We believe polynomial time models all computers.
Our goals
private-key (symmetric):
◮ confidentiality
◮ authenticity (as in: message integrity)
public-key (asymmetric):
◮ confidentiality
◮ authenticity
◮ key exchange
Something providing confidentiality generally makes no statement whatsoever about authenticity.
Private-key encryption scheme
1. k ← Gen(1^n), security parameter 1^n
2. c ← Enc_k(m), m ∈ {0, 1}^*
3. m := Dec_k(c)
◮ provide confidentiality
◮ definition of security: chosen-plaintext attack (CPA)
Cryptography uses theoretical attack games to analyze and formalize security.
C: challenger, A: adversary; ← means non-deterministic, := means deterministic
The eavesdropping experiment
1. C: k ← Gen(1^n); A gets input 1^n
2. A → C: m_0, m_1
3. C: b ← {0, 1}, c ← Enc_k(m_b)
4. C → A: c
5. A outputs b′
◮ A succeeds, iff b = b′
Discussion of the eavesdropping experiment
◮ |m_0| = |m_1|
◮ probabilistic polynomial time algorithms
◮ success probability should be 0.5 + negligible
◮ if so, Enc has indistinguishable encryptions in the presence of an eavesdropper
Pseudorandom permutation
$F : \{0, 1\}^* \times \{0, 1\}^* \to \{0, 1\}^*$
◮ $F_k(x)$ and $F_k^{-1}(y)$ efficiently computable
◮ $F_k$ indistinguishable from a uniform permutation
◮ adversary may have access to $F^{-1}$
We can assume that all inputs and the output have the same length.
A block cipher
Example
◮ fixed key length and block length
◮ chop m into 128 bit blocks
m, k (128 bit) → AES → c
Does this function survive the eavesdropping experiment?
Chosen-plaintext attack
1. C: k ← Gen(1^n); A gets input 1^n
2. A → C: m; C → A: c ← Enc_k(m) (repeated: A may request encryptions of messages of its choice)
3. A → C: m_0, m_1
4. C: b ← {0, 1}; C → A: Enc_k(m_b)
5. (cont’d) A → C: m; C → A: c ← Enc_k(m) (further queries of the same kind)
6. A outputs bit b′
Discussion of CPA
◮ Enc is secure under chosen-plaintext attack
◮ again, messages must have the same length
◮ multiple-use key
◮ non-deterministic (e.g. random initialization vector) or stateful
◮ block cipher requires an operation mode: counter (CTR), output-feedback (OFB), ...
Example constructions: counter mode
Example
◮ randomised AES counter mode (AES-CTR$)
◮ choose nonce r ← {0, 1}^128, key k ← {0, 1}^128
◮ great if you have dedicated circuits for AES, else vulnerable to timing attacks
c_0 := m_0 ⊕ AES_k(r), c_1 := m_1 ⊕ AES_k(r + 1), ···
complete ciphertext c := (r, c_0, c_1, ···)
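An added example, not from the slides, that plays the eavesdropping experiment against the two constructions discussed so far: the deterministic block-wise use of a block cipher from the “A block cipher” slide, and the randomised counter mode above. Python’s standard library has no AES, so a toy 4-round Feistel network built from HMAC-SHA256 stands in for AES_k; the messages m_0, m_1 and the adversary’s decision rule are constructed for the demonstration.

```python
import hashlib, hmac, os, secrets

BLOCK = 16  # 128-bit blocks, as with AES

def _round(k: bytes, i: int, half: bytes) -> bytes:
    # keyed round function: HMAC-SHA256 truncated to 64 bits
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:8]

def prp(k: bytes, x: bytes) -> bytes:
    """Toy 128-bit block cipher F_k: a 4-round Feistel network (AES stand-in)."""
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(k, i, r)))
    return l + r

def enc_blockwise(k: bytes, m: bytes) -> bytes:
    """'A block cipher' slide: chop m into 128-bit blocks, apply F_k to each.
    Deterministic: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(prp(k, m[i:i + BLOCK]) for i in range(0, len(m), BLOCK))

def enc_ctr(k: bytes, m: bytes) -> bytes:
    """Randomised counter mode: c := (r, c_0, c_1, ...), c_i = m_i xor F_k(r + i)."""
    r = int.from_bytes(os.urandom(BLOCK), "big")          # fresh nonce r
    out = [r.to_bytes(BLOCK, "big")]
    for j, i in enumerate(range(0, len(m), BLOCK)):
        pad = prp(k, ((r + j) % 2**128).to_bytes(BLOCK, "big"))
        out.append(bytes(a ^ b for a, b in zip(m[i:i + BLOCK], pad)))
    return b"".join(out)

# Constructed adversary: m_0 consists of two equal blocks, m_1 of two different ones.
M0 = b"A" * BLOCK * 2
M1 = b"A" * BLOCK + b"B" * BLOCK

def adversary_guess(c: bytes) -> int:
    """Output b' = 0 iff the last two ciphertext blocks are equal."""
    return 0 if c[-2 * BLOCK:-BLOCK] == c[-BLOCK:] else 1

def eav_experiment(enc, trials: int = 300) -> float:
    """Fraction of runs with b' = b; 0.5 means A learns nothing about b."""
    wins = 0
    for _ in range(trials):
        k = os.urandom(BLOCK)             # k <- Gen(1^n)
        b = secrets.randbelow(2)          # b <- {0, 1}
        c = enc(k, (M0, M1)[b])           # c <- Enc_k(m_b)
        wins += adversary_guess(c) == b
    return wins / trials

if __name__ == "__main__":
    print("block-wise:", eav_experiment(enc_blockwise))   # 1.0: A always wins
    print("CTR$:      ", eav_experiment(enc_ctr))         # close to 0.5
```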
Example constructions: stream ciphers
Example
A modern stream cipher, fast in software:
(256 bit key, 96 bit nonce, 32 bit initial counter) → ChaCha → keystream
ciphertext = plaintext ⊕ keystream
Message authentication code
1. k ← Gen(1^n), security parameter 1^n
2. t ← Mac_k(m), m ∈ {0, 1}^*
3. b := Vrfy_k(m, t), b = 1 means valid, b = 0 invalid
◮ transmit ⟨m, t⟩
◮ tag t is a short authenticator
◮ message authenticity ⇔ integrity
◮ detect tampering
◮ no protection against replay
◮ “existentially unforgeable”
◮ security definition: adaptive chosen-message attack
Adaptive chosen-message attack
1. C: k ← Gen(1^n); A gets input 1^n
2. A → C: m; C → A: (m, t) with t ← Mac_k(m) (repeated for messages of A’s choice)
3. A outputs (m′, t′)
◮ let Q be the set of all queries m
◮ A succeeds, iff Vrfy_k(m′, t′) = 1 and m′ ∉ Q
Used in practice
Example
◮ HMAC, based on hash functions
◮ CMAC, based on CBC mode
◮ authenticated encryption modes
Side-channel attacks
How does tag verification work, and how is tag comparison implemented correctly?
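An added example, not the lecture’s code, instantiating the Gen/Mac/Vrfy interface from the MAC slide with HMAC-SHA256 and answering the side-channel question: a comparison that returns at the first differing byte takes data-dependent time, so the verifier must compare all bytes unconditionally. Key size, messages and the helper names are constructed for the example.

```python
import hashlib, hmac, os

def gen(n: int = 32) -> bytes:
    """k <- Gen(1^n): a fresh uniformly random key of n bytes."""
    return os.urandom(n)

def mac(k: bytes, m: bytes) -> bytes:
    """t <- Mac_k(m), instantiated with HMAC-SHA256; the tag is a 32-byte
    authenticator transmitted alongside m."""
    return hmac.new(k, m, hashlib.sha256).digest()

def leaky_equal(a: bytes, b: bytes) -> bool:
    """Early-exit comparison, the pattern to avoid in Vrfy: it returns as soon
    as one byte differs, so its running time depends on how many leading bytes
    of the submitted tag are already correct."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True

def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare every byte unconditionally, OR the differences together and
    decide only at the end, so the work done does not depend on where (or
    whether) the inputs differ. Production code should call hmac.compare_digest,
    which does this in C; this version only shows the structure."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """b := Vrfy_k(m, t): recompute the tag and compare it in constant time.
    An unmodified (m, t) pair replayed later is accepted again: a MAC gives
    no protection against replay, as the MAC slide notes."""
    return hmac.compare_digest(mac(k, m), t)

if __name__ == "__main__":
    k = gen()
    m = b"Let's meet up at 9!"
    t = mac(k, m)
    print(vrfy(k, m, t), vrfy(k, b"Let's meet up at 8!", t))   # True False
```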
Cryptographic hash functions
private-key:
◮ encryption
◮ message authentication codes
◮ hash functions
public-key: ...
Hash functions
H(·): variable length input, fixed length output
provide:
1. pre-image resistance: given H(x) with a randomly chosen x, cannot find x′ s.t. H(x′) = H(x) (“H is one-way”)
2. second pre-image resistance: given x, cannot find x′ ≠ x s.t. H(x′) = H(x)
3. collision resistance: cannot find x ≠ x′ s.t. H(x) = H(x′)
Birthday problem
question one (second pre-image)
◮ number of people in a room required
◮ s.t. P[same birthday as you] ≥ 0.5:
$1 - \left(\frac{364}{365}\right)^n \geq 0.5$
≥ 253 people necessary.
question two (collision)
◮ number of people in a room required
◮ s.t. P[at least two people with same birthday] ≥ 0.5:
$n \approx \mathrm{const} \cdot \sqrt{365} \approx 23$
Birthday problem (cont’d)
◮ collision resistance is the strongest property
◮ implies pre-image resistance and second pre-image resistance
◮ usually broken first: MD5, SHA1
◮ hash function with output size of 128 bit: ≤ 2^128 possible outputs
◮ finding collisions: $\sqrt{2^{128}} = 2^{64}$
◮ minimum output size: 256
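An added example, not from the slides, that computes the two birthday-problem answers above and then runs the corresponding searches against SHA-256 truncated to a small number of bits, so that the gap between about sqrt(2^n) trials for a collision and about 2^n trials for a second pre-image shows up in the trial counts. The truncation lengths and the counter-derived inputs are constructed for the demonstration.

```python
import hashlib
from itertools import count

def people_same_birthday_as_you(p: float = 0.5, days: int = 365) -> int:
    """Question one: smallest n with 1 - ((days-1)/days)^n >= p."""
    n = 1
    while 1 - ((days - 1) / days) ** n < p:
        n += 1
    return n

def people_any_shared_birthday(p: float = 0.5, days: int = 365) -> int:
    """Question two: smallest n with P[at least two share a birthday] >= p,
    computed from the probability that all n birthdays are distinct."""
    all_distinct, n = 1.0, 1
    while 1 - all_distinct < p:
        n += 1
        all_distinct *= (days - (n - 1)) / days
    return n

def h(x: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a hash with 2**bits outputs."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Birthday search: remember outputs until one repeats. The expected number
    of trials grows like sqrt(2**bits), i.e. 2**(bits/2)."""
    seen = {}
    for i in count():
        x = i.to_bytes(8, "big")           # constructed inputs 0, 1, 2, ...
        y = h(x, bits)
        if y in seen:
            return seen[y], x, i + 1       # (x, x', trials) with x != x'
        seen[y] = x

def find_second_preimage(x: bytes, bits: int):
    """Given x, search x' != x with H(x') = H(x); expected trials about 2**bits."""
    target = h(x, bits)
    for i in count():
        x2 = b"candidate-" + i.to_bytes(8, "big")
        if x2 != x and h(x2, bits) == target:
            return x2, i + 1               # (x', trials)

if __name__ == "__main__":
    print(people_same_birthday_as_you(), people_any_shared_birthday())  # 253 23
    _, _, t = find_collision(20)
    print("collision after", t, "trials; 2**20 =", 2**20)
```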
Recommend
More recommend