iLab Modern cryptography for communications security Benjamin Hof - PowerPoint PPT Presentation

  1. iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Cryptography – 14ss 1

  2. Outline Cryptography Private-key Public-key 2

  4. Scope Focus on: ◮ modern cryptography ◮ methods used in communications security Based on: Introduction to modern cryptography, Katz and Lindell, 2007. 4

  5. Communication by Melissa Elliott https://twitter.com/0xabad1dea/status/400676797874208768 5

  6. What we are concerned with “Let’s meet up at 9!” Alice Bob 6

  7. What we are concerned with “Let’s meet up at 9!” Alice Bob BfV Roens/Wikipedia. CC-by-sa 2.0 6

  8. What we are concerned with “Let’s meet up at 9!” Alice Bob Eve passive attack: eavesdropping We want to provide confidentiality! 6

  9. What we are concerned with “You can trust Trent!” Alice Mallory Bob active attack: message modification We want to provide authentication! 6

  10. Limitations ◮ cryptography is typically bypassed, not broken ◮ not applied correctly ◮ not implemented correctly ◮ subverted communication ◮ existence ◮ time ◮ extent ◮ partners 7

  11. Kerckhoffs’ principle Security should only depend on secrecy of the key, not the secrecy of the system. ◮ key easier to keep secret ◮ change ◮ compatibility No security by obscurity. ◮ scrutiny ◮ standards ◮ reverse engineering 8

  12. Another principle as a side note the system should be usable easily ◮ Kerckhoffs actually postulated 6 principles ◮ this one got somewhat forgotten ◮ starting to be rediscovered in design of secure applications and libraries Example TextSecure, NaCl 9

  13. Modern cryptography relies on ◮ formal definitions ◮ precisely defined assumptions ◮ mathematical proofs Proofs require to formulate assumptions explicitly. 10

  14. Randomness ◮ required to do any cryptography at all ◮ somewhat difficult to get in a computer (deterministic!) ◮ required to be cryptographically secure: indistinguishable from truly random Example used to generate keys or other information unknown to any other parties 11

  15. Reduction ◮ type of proof commonly used in cryptography ◮ reduce security of a construction to security of underlying primitive ◮ easier to design and replace parts 12

  16. Our goals private-key (symmetric): ◮ confidentiality ◮ authenticity; public-key (asymmetric): ◮ confidentiality ◮ authenticity ◮ key exchange Something providing confidentiality generally makes no statement whatsoever about authenticity. 13

  17. Outline Cryptography Private-key Public-key 14

  18. Private-key encryption scheme 1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$ 2. $c \leftarrow \mathrm{Enc}_k(m)$, $m \in \{0,1\}^*$ 3. $m := \mathrm{Dec}_k(c)$ ◮ provide confidentiality ◮ definition of security: chosen-plaintext attack (CPA) Cryptography uses theoretical attack games to analyze and formalize security. 15

  19. The eavesdropping experiment (challenger $\mathcal{C}$ and adversary $\mathcal{A}$, both on input $1^n$):
      $\mathcal{C}$: $k \leftarrow \mathrm{Gen}(1^n)$
      $\mathcal{A} \to \mathcal{C}$: $m_0, m_1$
      $\mathcal{C}$: $b \leftarrow \{0,1\}$, $c \leftarrow \mathrm{Enc}_k(m_b)$
      $\mathcal{C} \to \mathcal{A}$: $c$
      $\mathcal{A}$: output $b'$
      ◮ $\mathcal{A}$ succeeds iff $b = b'$ 16

  21. Discussion of the eavesdropping experiment ◮ $|m_0| = |m_1|$ ◮ probabilistic polynomial-time algorithms ◮ success probability should be $0.5 +$ negligible ◮ if so, Enc has indistinguishable encryptions in the presence of an eavesdropper 17

  22. A block cipher Example ◮ pseudorandom permutation: deterministic ◮ chop $m$ into 128 bit blocks (diagram: block $m$ and 128 bit key $k$ go into AES, block $c$ comes out) Does this function survive the eavesdropping experiment? 18

  23. Chosen-plaintext attack (challenger $\mathcal{C}$ and adversary $\mathcal{A}$):
      $\mathcal{C}$: $k \leftarrow \{0,1\}^n$
      $\mathcal{A} \to \mathcal{C}$: $m$; $\mathcal{C}$: $c \leftarrow \widehat{\mathrm{Enc}}_k(m)$; $\mathcal{C} \to \mathcal{A}$: $c$ (repeated: encryption-oracle queries)
      $\mathcal{A} \to \mathcal{C}$: $m_0, m_1$; $\mathcal{C}$: $b \leftarrow \{0,1\}$, $c \leftarrow \widehat{\mathrm{Enc}}_k(m_b)$; $\mathcal{C} \to \mathcal{A}$: $c$ (the challenge)
      (cont'd) $\mathcal{A} \to \mathcal{C}$: $m$; $\mathcal{C}$: $c \leftarrow \widehat{\mathrm{Enc}}_k(m)$; $\mathcal{C} \to \mathcal{A}$: $c$ (further oracle queries after the challenge)
      $\mathcal{A}$: output bit $b'$ 20

  28. Discussion of CPA ◮ $\widehat{\mathrm{Enc}}$ is secure under chosen-plaintext attack ◮ again, messages must have the same length ◮ multiple-use key ◮ non-deterministic (e. g. random initialization vector) or stateful ◮ CTR, CBC, OFB 21

  29. Example constructions: counter mode Example ◮ randomized AES counter mode (AES-CTR$) ◮ choose nonce $r \leftarrow \{0,1\}^{128}$, key $k \leftarrow \{0,1\}^{128}$ ◮ great if you have dedicated circuits for AES, else vulnerable to timing attacks
      $c_0 := m_0 \oplus \mathrm{AES}_k(r)$, $c_1 := m_1 \oplus \mathrm{AES}_k(r+1)$, $\cdots$
      complete ciphertext $c := (r, c_0, c_1, \cdots)$ 22
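The CPA game of slides 23 to 28 and the randomized counter mode of slide 29, played out as an added Python example (this is not code from the slides or from the iLab course). It assumes HMAC-SHA256 truncated to 128 bits as a stand-in pseudorandom function in place of AES; counter mode only needs a PRF, so the construction is unchanged. One fixed adversary plays against counter mode with a constant nonce (deterministic, like the block cipher of slide 22) and against CTR$ with a fresh random nonce. All function and variable names are the example's own.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit blocks, as on the AES slide


def gen(n: int = 16) -> bytes:
    """Gen(1^n): a uniformly random n-byte key."""
    return secrets.token_bytes(n)


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for AES_k(x): HMAC-SHA256 truncated to one block.
    Assumption of this example: it behaves as a PRF, which is all CTR mode needs."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def ctr_keystream_xor(k: bytes, r: bytes, m: bytes) -> bytes:
    """c_i := m_i XOR F_k(r + i); applying it again with the same r decrypts."""
    ctr = int.from_bytes(r, "big")
    out = bytearray()
    for i in range(0, len(m), BLOCK):
        block_in = ((ctr + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big")
        ks = prf(k, block_in)
        out += bytes(a ^ b for a, b in zip(m[i:i + BLOCK], ks))
    return bytes(out)


def enc_fixed_nonce(k: bytes, m: bytes) -> bytes:
    """Deterministic scheme: counter mode with the constant nonce r = 0^128.
    Same key and message always give the same ciphertext."""
    return ctr_keystream_xor(k, bytes(BLOCK), m)


def enc_ctr_random(k: bytes, m: bytes) -> bytes:
    """CTR$ from slide 29: fresh r <- {0,1}^128, c := (r, c_0, c_1, ...)."""
    r = secrets.token_bytes(BLOCK)
    return r + ctr_keystream_xor(k, r, m)


def dec_ctr_random(k: bytes, c: bytes) -> bytes:
    r, body = c[:BLOCK], c[BLOCK:]
    return ctr_keystream_xor(k, r, body)


def cpa_experiment(enc, trials: int = 64) -> int:
    """The CPA game of slides 23-27 against one fixed adversary A:
    A asks the encryption oracle for m_0, submits the challenge pair (m_0, m_1)
    and outputs b' = 0 iff the challenge ciphertext equals the oracle's answer.
    Returns how many of `trials` independent games A wins."""
    m0 = b"Let's meet up at 9!"
    m1 = b"Let's meet up at 7!"   # same length, as the game requires
    assert len(m0) == len(m1)
    wins = 0
    for _ in range(trials):
        k = gen()                  # C: k <- Gen(1^n)
        c_query = enc(k, m0)       # A's oracle query before the challenge
        b = secrets.randbelow(2)   # C: b <- {0,1}
        c_star = enc(k, (m0, m1)[b])
        b_prime = 0 if c_star == c_query else 1
        wins += int(b_prime == b)
    return wins
```

`cpa_experiment(enc_fixed_nonce)` is won in every trial: the adversary recognises its own oracle answer inside the challenge, so a deterministic scheme cannot be CPA-secure. Against `enc_ctr_random` the same strategy wins about half of the trials, which is the $0.5 +$ negligible bound of slide 21. The `prf` stand-in keeps the example standard-library only; it is not a constant-time or production cipher.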

  30. Example constructions: stream ciphers Example A modern stream cipher, fast in software: ChaCha (96 bit nonce, 32 bit initial counter, 256 bit key) produces a keystream; ciphertext := plaintext $\oplus$ keystream 23

  31. Message authentication code 1. $k \leftarrow \mathrm{Gen}(1^n)$, security parameter $1^n$ 2. $t \leftarrow \mathrm{Mac}_k(m)$, $m \in \{0,1\}^*$ 3. $b := \mathrm{Vrfy}_k(m, t)$; $b = 1$ means valid, $b = 0$ invalid ◮ message authenticity/integrity ◮ detect tampering ◮ no protection against replay ◮ “existentially unforgeable” 25

  32. Adaptive chosen-message attack (challenger $\mathcal{C}$ and adversary $\mathcal{A}$ on input $1^n$):
      $\mathcal{C}$: $k \leftarrow \mathrm{Gen}(1^n)$
      $\mathcal{A} \to \mathcal{C}$: $m$; $\mathcal{C}$: $t := \mathrm{Mac}_k(m)$; $\mathcal{C} \to \mathcal{A}$: $(m, t)$ (repeated)
      $\mathcal{A}$: output $(m', t)$
      ◮ let $Q$ be the set of all queries $m$ ◮ $\mathcal{A}$ succeeds iff $\mathrm{Vrfy}_k(m', t) = 1$ and $m' \notin Q$ 26

  33. Used in practice Example ◮ HMAC based on hash functions ◮ CMAC based on CBC mode ◮ authenticated encryption: OCB, GCM 28

  34. Cryptographic hash functions private-key: ◮ encryption ◮ message authentication codes ◮ hash functions; public-key: . . . 29

  35. Hash functions $H(\cdot)$: arbitrary length input, fixed length output ◮ compressing
      1. collision resistance: find $x \neq x'$ s. t. $H(x) = H(x')$
      2. second pre-image resistance: given $x$, find $x' \neq x$ s. t. $H(x') = H(x)$
      3. pre-image resistance: given $y = H(x)$ with a randomly chosen $x$, find $x'$ s. t. $H(x') = y$ (“H is one-way”) 30

  36. HMAC A popular MAC: ◮ opad is 0x36, ipad is 0x5C ◮ $\mathrm{tag} := H\big((k \oplus \mathrm{opad}) \,\|\, H((k \oplus \mathrm{ipad}) \,\|\, m)\big)$ ◮ use SHA2-512, truncate tag to 256 bits The nested construction is needed with Merkle–Damgård functions, since they allow anyone to compute from $H(k \,\|\, m)$ the extension $H(k \,\|\, m \,\|\, \mathrm{tail})$ without knowing $k$. 31

  37. Combining privacy and authentication ◮ encrypt-then-authenticate: $c \leftarrow \mathrm{Enc}_{k_1}(m)$, $t \leftarrow \mathrm{Mac}_{k_2}(c)$ This is generally secure. ◮ authenticated encryption Also a good choice. ◮ bad ideas of times gone by: ◮ encrypt-and-authenticate: $c \leftarrow \mathrm{Enc}_{k_1}(m)$, $t \leftarrow \mathrm{Mac}_{k_2}(m)$ ◮ authenticate-then-encrypt: $t \leftarrow \mathrm{Mac}_{k_2}(m)$, $c \leftarrow \mathrm{Enc}_{k_1}(m \,\|\, t)$ 32
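HMAC written out from the formula on slide 36, the Mac/Vrfy interface of slide 31 and the encrypt-then-authenticate composition of slide 37, as an added Python example that is not part of the slides. The code follows RFC 2104, where ipad is the byte 0x36 and opad is 0x5C (slide 36 lists the two constants the other way round), and checks itself against Python's `hmac` module. The stream cipher `enc`/`dec` standing in for Enc (a SHAKE256 keystream under a fresh nonce) is an assumption of the example, not a construction from the slides; all function names are the example's own.

```python
import hashlib
import hmac
import secrets


def hmac_from_definition(k: bytes, m: bytes, hash_name: str = "sha512") -> bytes:
    """tag := H((k xor opad) || H((k xor ipad) || m)), as in RFC 2104.
    RFC 2104: ipad = 0x36, opad = 0x5C, each repeated to the hash block size."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size          # 128 bytes for SHA-512, 64 for SHA-256
    if len(k) > block_size:
        k = h(k).digest()                # keys longer than a block are hashed first
    k = k.ljust(block_size, b"\x00")     # then zero-padded to one block
    ipad = bytes(x ^ 0x36 for x in k)
    opad = bytes(x ^ 0x5C for x in k)
    inner = h(ipad + m).digest()
    return h(opad + inner).digest()


def matches_stdlib(k: bytes, m: bytes, hash_name: str = "sha512") -> bool:
    """Self-check of the definition above against Python's hmac module."""
    return hmac_from_definition(k, m, hash_name) == hmac.new(k, m, getattr(hashlib, hash_name)).digest()


def mac(k: bytes, m: bytes) -> bytes:
    """Mac_k(m): HMAC-SHA2-512 with the tag truncated to 256 bits (slide 36)."""
    return hmac_from_definition(k, m, "sha512")[:32]


def vrfy(k: bytes, m: bytes, t: bytes) -> int:
    """Vrfy_k(m, t): 1 if valid, 0 otherwise. Constant-time comparison, so the
    verifier does not leak how many tag bytes matched."""
    return 1 if hmac.compare_digest(mac(k, m), t) else 0


# encrypt-then-authenticate (slide 37) with a stand-in stream cipher
NONCE = 16


def enc(k1: bytes, m: bytes) -> bytes:
    """Assumed Enc: keystream = SHAKE256(k1 || r) for a fresh nonce r, XORed into m."""
    r = secrets.token_bytes(NONCE)
    ks = hashlib.shake_256(k1 + r).digest(len(m))
    return r + bytes(a ^ b for a, b in zip(m, ks))


def dec(k1: bytes, c: bytes) -> bytes:
    r, body = c[:NONCE], c[NONCE:]
    ks = hashlib.shake_256(k1 + r).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def etm_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """c <- Enc_k1(m), t <- Mac_k2(c); output c || t. k1 and k2 are independent keys."""
    c = enc(k1, m)
    return c + mac(k2, c)


def etm_decrypt(k1: bytes, k2: bytes, ct: bytes):
    """Check the tag over the ciphertext first; decrypt only if it is valid.
    Returns None on any mismatch or truncation, so modified data never reaches Dec."""
    c, t = ct[:-32], ct[-32:]
    if len(ct) < 32 or vrfy(k2, c, t) != 1:
        return None
    return dec(k1, c)


def flip_bit(data: bytes, index: int) -> bytes:
    """Flip one bit at byte `index`; models an active attacker's modification."""
    b = bytearray(data)
    b[index] ^= 1
    return bytes(b)
```

`etm_decrypt` verifies the tag over the ciphertext before touching the plaintext and returns None on any mismatch or truncation, so a modified ciphertext is rejected without ever being decrypted; this is why the order Enc-then-Mac, with independent keys $k_1$ and $k_2$, is the composition slide 37 recommends. `vrfy` uses `hmac.compare_digest` so that tag comparison takes the same time regardless of how many bytes match.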

  38. Outline Cryptography Private-key Public-key 33

  39. The idea We no longer have one shared key, but each participant has a key pair: ◮ a private key we give to nobody else ◮ a public key to be published, e. g. on a keyserver 34

  40. Public-key cryptography ◮ based on mathematical problems believed to be hard ◮ proofs often only in the weaker random oracle model ◮ only authenticated channels needed for key exchange, not private ◮ fewer keys required ◮ orders of magnitude slower Problems believed to be hard ◮ RSA assumption based on integer factorization ◮ discrete logarithm and Diffie-Hellman assumption ◮ elliptic curves ◮ El Gamal encryption ◮ Digital Signature Standard/Algorithm 35

  41. Public-key cryptography private-key: ◮ encryption ◮ message authentication codes ◮ hash functions; public-key: ◮ encryption ◮ signatures ◮ key exchange 36

  42. Uses ◮ encryption: encrypt with public key of key owner, decrypt with private key ◮ signatures: sign with private key, verify with public key of key owner; authentication with non-repudiation ◮ key exchange: protect past sessions against key compromise 37

  43. Perfect forward security Idea ◮ attacker captures traffic ◮ later: an endpoint is compromised → keys are compromised We want: security of past connections should not be broken. Perfect forward security protection of past sessions against: ◮ compromise of session key ◮ compromise of long-term identity key lack: key escrow 38

  44. Elliptic curve Diffie-Hellman key exchange ◮ $E(\mathbb{F}_{p^2})$ ◮ $p = 2^{255} - 19$ ◮ $E: y^2 = x^3 + 486662\,x^2 + x$
      A: $a \leftarrow \{0,1\}^{255}$, $A := aG$; sends $A$ to B
      B: $b \leftarrow \{0,1\}^{255}$, $B := bG$; sends $B$ to A
      B: $s := bA$, $k := \mathrm{KDF}(X(s))$
      A: $s := aB$, $k := \mathrm{KDF}(X(s))$
      (Other ECDH cryptosystems will need additional verification steps.) 39

  45. Perfect forward security ◮ generate new DH key for each connection ◮ wipe old symmetric keys Compromise of long term keys in combination with eavesdropping does not break security of past connections anymore! 40
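The key exchange of slide 44 together with the fresh per-connection keys of slide 45, as an added Python example (not code from the slides). The curve $y^2 = x^3 + 486662x^2 + x$ over $p = 2^{255} - 19$ is Curve25519, and the X-coordinate-only scalar multiplication below is the Montgomery ladder of RFC 7748, including the scalar clamping that RFC prescribes; the embedded test vectors are from RFC 7748 section 6.1. The KDF (HMAC-SHA256 under a fixed label), the all-zero check and the function names are the example's own choices.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                            # the prime p from slide 44
A24 = 121665                               # (486662 - 2) / 4, ladder constant for the curve on slide 44
BASE_POINT = (9).to_bytes(32, "little")    # X-coordinate of the generator G

# RFC 7748 section 6.1 test vectors (not from the slides)
RFC7748_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
RFC7748_BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC7748_BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _decode_scalar(k: bytes) -> int:
    """Clamp the 255-bit scalar a <- {0,1}^255 as RFC 7748 prescribes."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127                           # ignore the unused top bit
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int):
    # swap is 0 or 1; a real implementation does this with constant-time masking
    d = swap * (a ^ b)
    return a ^ d, b ^ d


def x25519(k: bytes, u: bytes) -> bytes:
    """X(k * Q) for the point Q with X-coordinate u: the RFC 7748 Montgomery ladder."""
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def gen_keypair():
    """a <- {0,1}^255 (clamped), A := aG; a fresh pair for every connection (slide 45)."""
    a = secrets.token_bytes(32)
    return a, x25519(a, BASE_POINT)


def kdf(shared_x: bytes) -> bytes:
    """k := KDF(X(s)); HMAC-SHA256 under a fixed label is this example's choice of KDF."""
    return hmac.new(b"ilab-ecdh-example", shared_x, hashlib.sha256).digest()


def derive_session_key(my_priv: bytes, peer_pub: bytes):
    """s := my_priv * peer_pub, k := KDF(X(s)). Returns None when X(s) is all zero,
    i.e. the peer sent a low-order point; this is the check RFC 7748 recommends."""
    s = x25519(my_priv, peer_pub)
    if s == bytes(32):
        return None
    return kdf(s)


def exchange_demo():
    """Slide 44: A sends aG, B sends bG, both derive k. Returns (k at A, k at B)."""
    a, A = gen_keypair()                   # Alice's ephemeral pair
    b, B = gen_keypair()                   # Bob's ephemeral pair
    return derive_session_key(a, B), derive_session_key(b, A)
```

Both sides obtain the same `k`. `derive_session_key` returns None when the shared X-coordinate is the all-zero value, the check RFC 7748 recommends against low-order public keys; it is the X25519 counterpart of the "additional verification steps" the slide mentions for other ECDH systems. Because `gen_keypair` draws a new `a` for every connection and no long-term key enters the computation, recording the traffic and later obtaining an endpoint's keys does not recover past session keys, which is the property slide 45 describes. Python integers are not constant-time, so the ladder is for study, not deployment.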
