
Cryptographic Systems

Authentication & Communication Protocols

Paul Krzyzanowski • Distributed Systems

Cryptography ≠ security

– Cryptography may be a component of a secure system
– Adding cryptography may not make a system secure

Terms

  • Plaintext (cleartext): message M
  • Encryption, E(M), produces ciphertext: C = E(M)
  • Decryption: M = D(C)
  • Cryptographic algorithm: cipher

Terms: types of ciphers

  • restricted cipher
  • symmetric algorithm
  • public key algorithm

Restricted cipher

Secret algorithm, which can be exposed by:
  • Leaking
  • Reverse engineering

Examples of restricted ciphers:
– RC4
– All digital cellular encryption algorithms
– DVD and DIVX video compression
– Firewire
– Enigma cipher machine
– Every NATO and Warsaw Pact algorithm during Cold War

The key


Symmetric algorithm

Secret key K shared by both sides:
– C = E_K(M)
– M = D_K(C)

Public key algorithm

public key and private key

– C1 = E_public(M), M = D_private(C1)

also:

– C2 = E_private(M), M = D_public(C2)

McCarthy’s puzzle (1958)

  • Two countries are at war
  • One country sends spies to the other country
  • To return safely, spies must give the border guards a password
  • Spies can be trusted
  • Guards chat: information given to them may leak

McCarthy’s puzzle

Challenge

– How can a guard authenticate a person without knowing the password?
– Enemies cannot use the guard’s knowledge to introduce their own spies

Solution to McCarthy’s puzzle

Michael Rabin, 1958: use a one-way function, B = f(A)

– Guards get B
  • Enemy cannot compute A from B
– Spies give A, guards compute f(A)
  • If the result is B, the password is correct.

Example function: middle squares

  • Take a 100-digit number (A), and square it
  • Let B = middle 100 digits of 200-digit result

One-way functions

  • Easy to compute in one direction
  • Difficult to compute in the other

Examples:
– Factoring: computing pq = N is EASY; finding p, q given N is DIFFICULT
– Discrete log: computing a^b mod c = N is EASY; finding b given a, c, N is DIFFICULT

McCarthy’s puzzle example

Example with an 18 digit number

– A = 289407349786637777
– A² = 83756614110525308948445338203501729
– Middle square, B = 110525308948445338
– Given A, it is easy to compute B
– Given B, it is extremely hard to compute A
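The middle-squares function from the example above, implemented in Python as an added illustration (this code is not part of the lecture slides; function and variable names are my own). It reproduces the slide's 18-digit A and B, and shows the guard's side of the protocol: the guard stores only B and recomputes f(A) when a spy presents A.

```python
# Added example (not from the lecture slides): Rabin's middle-squares one-way
# function as used in the solution to McCarthy's puzzle. The guard stores only
# B = f(A); the spy presents A and the guard checks that f(A) == B.


def middle_square(a: int, digits: int) -> str:
    """Square a `digits`-digit number and return the middle `digits` digits.

    The square is zero-padded to 2*digits characters first so that the
    'middle' is well defined even when the square is one digit short
    (the slide's 18-digit example squares to 35 digits, not 36).
    """
    squared = str(a * a).zfill(2 * digits)
    start = digits // 2
    return squared[start:start + digits]


def guard_check(presented: int, stored_b: str, digits: int) -> bool:
    """The border guard's test: the password is right iff f(A) == B.
    The guard never needs A itself, so a chatty guard can only leak B."""
    return middle_square(presented, digits) == stored_b


# Values from the slides' 18-digit example.
A = 289407349786637777
B = middle_square(A, 18)   # "110525308948445338"

if __name__ == "__main__":
    print("A  =", A)
    print("A² =", A * A)
    print("B  =", B)
    print("spy presents A:", guard_check(A, B, 18))          # True
    print("enemy guesses A+1:", guard_check(A + 1, B, 18))   # False
```

Note that `middle_square` is a pedagogical one-way function only; in practice the "guards get B" role is played by a cryptographic hash, which the "More terms" slides introduce next.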

More terms

  • one-way function
– Rabin, 1958: McCarthy’s problem
– middle squares, exponentiation, …
  • [one-way] hash function
– message digest, fingerprint, cryptographic checksum, integrity check
  • encrypted hash
– message authentication code
– only possessor of key can validate message

More terms

  • Stream cipher
– Encrypt a message a character at a time
  • Block cipher
– Encrypt a message a chunk at a time

Yet another term

  • Digital Signature
– Authenticate, not encrypt message
– Use pair of keys (private, public)
– Owner encrypts message with private key
– Recipient validates by decrypting with public key
– Generally use hash(message).

Cryptography: what is it good for?

  • Authentication
– determine origin of message
  • Integrity
– verify that message has not been modified
  • Nonrepudiation
– sender should not be able to falsely deny that a message was sent
  • Confidentiality
– others cannot read contents of the message

Cryptographic toolbox

  • Symmetric encryption
  • Public key encryption
  • One-way hash functions
  • Random number generators
  • Message authentication codes
  • Digital signatures

Classic Cryptosystems: Substitution Ciphers

Cæsar cipher

Earliest documented military use of crypto

– Julius Caesar c. 60 BC
– shift cipher: simple variant of a substitution cipher
– each letter replaced by one n positions away modulo alphabet size
– n = shift value = key

Similar scheme used in India

– early Indians also used substitutions based on phonetics similar to pig latin

Currently seen as ROT13 in netnews

Cæsar cipher

shift alphabet by n (6):

plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
ciphertext: U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

Cæsar cipher

  • Convey one piece of information for decryption: shift value
  • trivially easy to crack (26 possibilities for a 26 character alphabet)

plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
ciphertext: U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

MY CAT HAS FLEAS → GSWUNBMUFZYUM

Ancient Hebrew variant (ATBASH)

  • c. 600 BC
  • No information (key) needs to be conveyed!

plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
ciphertext: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

MY CAT HAS FLEAS → NBXZGSZHUOVZH

Substitution cipher

  • General case: arbitrary mapping
  • both sides must have substitution alphabet

plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
ciphertext: E A J T N C I F Z W O Y B X G K U D V H M P S R L Q

MY CAT HAS FLEAS → IVSMXAMBQCLMB

Substitution cipher

Easy to decode:

– vulnerable to frequency analysis

Letter frequencies in two English corpora:

letter   Moby Dick (1.2M chars)   Shakespeare (55.8M chars)
e        12.300%                  11.797%
o         7.282%                   8.299%
d         4.015%                   3.943%
b         1.773%                   1.634%
x         0.108%                   0.140%

Polyalphabetic ciphers

Designed to thwart frequency analysis techniques

– different ciphertext symbols can represent the same plaintext symbol
  • 1 → many relationship between letter and substitute

Leon Battista Alberti, 1466: invented key

– two disks
– line up predetermined letter on inner disk with outer disk
– plaintext on inner → ciphertext on outer
– after n symbols, the disk is rotated to a new alignment

Disk alignment example: A→J, B→M, C→Q, D→S, Z→G, Y→P
– encrypt: A→J
– decrypt: J→A

Vigenère polyalphabetic cipher

  • Blaise de Vigenère, court of Henry III of France, 1518
  • Use table and key word to encipher a message
  • repeat keyword over text (e.g. key = FACE):

FA CEF ACE FACEF ....
MY CAT HAS FLEAS

  • encrypt: find intersection: row = keyword letter, column = plaintext letter
  • decrypt: column = keyword letter, search for intersection = ciphertext letter
  • message is encrypted with as many substitution ciphers as there are letters in the keyword

Vigenère polyalphabetic cipher

Tabula recta (row = keytext letter, column = plaintext letter, entry = ciphertext letter); first rows shown:

     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B    B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C    C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E    E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F    F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
...

keytext:    FA CEF ACE FACEF
plaintext:  MY CAT HAS FLEAS
ciphertext: RY EEY HCW KLGEX
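The Vigenère table lookup reduced to arithmetic, as an added Python example (not from the lecture slides). Reading row = key letter, column = plaintext letter in the tabula recta is the same as adding the two letter positions modulo 26, which is what the code does; the keyword FACE and the plaintext are the slide's, the function names are mine.

```python
# Added example (not from the lecture slides): Vigenère with the slide's keyword
# FACE. Looking up row=key letter, column=plaintext letter in the tabula recta is
# the same as adding letter positions mod 26.
import string

ALPHABET = string.ascii_uppercase


def tabula_recta_row(key_letter: str) -> str:
    """One row of the Vigenère table: the alphabet shifted by the key letter."""
    k = ALPHABET.index(key_letter.upper())
    return ALPHABET[k:] + ALPHABET[:k]


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) `text` with `keyword` repeated over the letters.
    Only letters consume a key letter; spaces pass through, as on the slide."""
    out, i = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        key_letter = keyword[i % len(keyword)]
        k = ALPHABET.index(key_letter.upper())
        p = ALPHABET.index(ch)
        if decrypt:
            out.append(ALPHABET[(p - k) % 26])           # undo the shift
        else:
            out.append(tabula_recta_row(key_letter)[p])  # table lookup == (p + k) mod 26
        i += 1
    return "".join(out)


def substitution_alphabets(keyword: str) -> list:
    """The cipher is really len(keyword) interleaved shift ciphers: one alphabet per key letter.
    Frequency analysis still works once the period is known, one column at a time."""
    return [tabula_recta_row(k) for k in keyword]


if __name__ == "__main__":
    ct = vigenere("MY CAT HAS FLEAS", "FACE")
    print(ct)                                   # RY EEY HCW KLGEX
    print(vigenere(ct, "FACE", decrypt=True))   # MY CAT HAS FLEAS
    for k, row in zip("FACE", substitution_alphabets("FACE")):
        print(k, row)
```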

Transposition Ciphers


Transposition ciphers

  • Permute letters in plaintext according to rules
  • Knowledge of rules will allow message to be decrypted

Transposition ciphers: staff cipher

Write the plaintext along the staff in rows of five, pad the last row, then read it off down the columns:

M Y C A T
H A S F L
E A S x y

MYCATHASFLEAS → MHE YAA CSS AFx TLy → MHEYAACSSAFxTLy

Pad out the text. This is a block cipher versus a stream cipher.

Transposition cipher

Table version of staff cipher

– enter data horizontally, read it vertically
– secrecy is the width of the table

M Y C A
T H A S
F L E A
S x y z

MYCATHASFLEAS → MTFS YHLx CAEy ASAz → MTFSYHLxCAEyASAz

Transposition cipher with key

– permute letters in plaintext according to key
– read down columns, sorting by key

Key: 3 1 4 2

M Y C A
T H A S
F L E A
S x y z

Columns are read in key order: key 1 (YHLx), key 2 (ASAz), key 3 (MTFS), key 4 (CAEy)

MYCATHASFLEAS → YHLxASAzMTFSCAEy
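The staff cipher, its table form and the keyed columnar transposition from the slides above, as one added Python example (not part of the lecture slides). The padding letters x, y, z and the key 3 1 4 2 are the slides' own; the functions and their names are mine, and the decryption routines show that knowing the rule (width, or width plus key order) is all a recipient needs.

```python
# Added example (not from the lecture slides): the staff cipher, its table form,
# and the keyed columnar transposition, all reproducing the slides' outputs.
# Padding letters x, y, z are the ones the slides use; function names are my own.

PAD = "xyz"


def _rows(text: str, width: int) -> list:
    """Strip spaces, pad the last row (a block cipher needs whole rows), split into rows."""
    letters = text.replace(" ", "")
    letters += PAD[:(-len(letters)) % width]
    return [letters[i:i + width] for i in range(0, len(letters), width)]


def staff_cipher(text: str, width: int) -> str:
    """Write horizontally in rows of `width`, read vertically. The width is the secret."""
    rows = _rows(text, width)
    return "".join(row[c] for c in range(width) for row in rows)


def staff_decipher(ciphertext: str, width: int) -> str:
    """Inverse: cut the ciphertext into `width` columns and read across the rows."""
    height = len(ciphertext) // width
    cols = [ciphertext[i:i + height] for i in range(0, len(ciphertext), height)]
    return "".join(cols[c][r] for r in range(height) for c in range(width))


def keyed_transposition(text: str, key: list) -> str:
    """Columnar transposition: columns are read in the order given by the key,
    so the key adds a permutation of the columns on top of the table width."""
    rows = _rows(text, len(key))
    order = sorted(range(len(key)), key=lambda c: key[c])   # column with key 1 first, ...
    return "".join(rows[r][c] for c in order for r in range(len(rows)))


def keyed_detransposition(ciphertext: str, key: list) -> str:
    """Inverse: put each ciphertext column back into its original table position."""
    width = len(key)
    height = len(ciphertext) // width
    order = sorted(range(width), key=lambda c: key[c])
    cols = [""] * width
    for i, c in enumerate(order):
        cols[c] = ciphertext[i * height:(i + 1) * height]
    return "".join(cols[c][r] for r in range(height) for c in range(width))


if __name__ == "__main__":
    print(staff_cipher("MYCATHASFLEAS", 5))                         # MHEYAACSSAFxTLy
    print(staff_cipher("MYCATHASFLEAS", 4))                         # MTFSYHLxCAEyASAz
    print(keyed_transposition("MYCATHASFLEAS", [3, 1, 4, 2]))       # YHLxASAzMTFSCAEy
    print(keyed_detransposition("YHLxASAzMTFSCAEy", [3, 1, 4, 2]))  # MYCATHASFLEASxyz
```

Note that a transposition leaves letter frequencies untouched (every plaintext letter is still present), which is why the next slide combines it with a substitution.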

Combined ciphers

  • Combine transposition with substitution ciphers
– German ADFGVX cipher (WWI)
  • can be troublesome to implement
– may require a lot of memory
– may require that messages be certain lengths
  • Difficult with manual cryptography

Electro-mechanical cryptographic engines

Rotor machines

1920s: mechanical devices used for automating encryption: the rotor machine

– set of independently rotating cylinders through which electrical pulses flow
– each cylinder has input & output pin for each letter of the alphabet
– implements version of Vigenère cipher
– each rotor implements a substitution cipher
– output of each rotor is fed into the next rotor

Rotor machines

  • Simplest rotor machine: single cylinder
  • after a character is entered, the cylinder rotates one position
– internal combinations shifted by one
– polyalphabetic substitution cipher with a period of 26

Single cylinder rotor machine

(diagram: the cylinder's fixed wiring connects each of the 26 input contacts to one output contact; after every character the cylinder rotates one position, so the same plaintext letter meets a different substitution alphabet each time)

MY CAT HAS FLEAS → SUIUVAYOINKBY

Multi-cylinder rotor machines

Single cylinder rotor machine

– substitution cipher with a period = length of alphabet (e.g., 26)

Multi-cylinder rotor machine

– feed output of one cylinder as input to the next one
– first rotor advances after character is entered
– second rotor advances after a full period of the first
– polyalphabetic substitution cipher
  • period = (length of alphabet)^(number of rotors)
  • 3 26-char cylinders ⇒ 26^3 = 17,576 substitution alphabets
  • 5 26-char cylinders ⇒ 26^5 = 11,881,376 substitution alphabets
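A simulation of the rotor machine described above, added here as an example that is not part of the lecture slides. The two rotor wirings are constructed permutations of the alphabet (not Enigma's, and not the wiring drawn on the slides), so the ciphertext differs from the slide's; what the code demonstrates is the mechanism: one fixed substitution per rotor, a rotation after every character, odometer-style stepping of the next rotor, and the resulting period of 26^n.

```python
# Added example (not from the lecture slides): a simulation of the rotor machine
# described above. The two rotor wirings are constructed permutations of the
# alphabet (not Enigma's); stepping is odometer-style: rotor 0 advances after every
# character, rotor 1 after a full turn of rotor 0, and so on.
import string

ALPHABET = string.ascii_uppercase
WIRING_1 = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed permutation
WIRING_2 = "PLOKMIJNUHBYGVTFCRDXESZWAQ"   # constructed permutation


class RotorMachine:
    def __init__(self, wirings, positions=None):
        for w in wirings:
            assert sorted(w) == list(ALPHABET), "a rotor wiring must be a permutation of A..Z"
        self.wirings = [[ALPHABET.index(c) for c in w] for w in wirings]
        self.inverse = [[w.index(i) for i in range(26)] for w in self.wirings]
        self.positions = list(positions or [0] * len(wirings))

    def _step(self):
        for k in range(len(self.positions)):
            self.positions[k] = (self.positions[k] + 1) % 26
            if self.positions[k] != 0:      # carry into the next rotor only on wrap-around
                break

    def _through_rotors(self, x: int, decrypt: bool) -> int:
        order = range(len(self.wirings))
        if decrypt:
            order = reversed(order)          # signal runs back through the rotors
        for k in order:
            pos = self.positions[k]
            table = self.inverse[k] if decrypt else self.wirings[k]
            # a rotated cylinder offsets both its input and output contacts by `pos`
            x = (table[(x + pos) % 26] - pos) % 26
        return x

    def process(self, text: str, decrypt: bool = False) -> str:
        out = []
        for ch in text.upper():
            if ch not in ALPHABET:
                out.append(ch)
                continue
            out.append(ALPHABET[self._through_rotors(ALPHABET.index(ch), decrypt)])
            self._step()                        # the cylinder rotates after each character
        return "".join(out)


def period(n_rotors: int, alphabet_size: int = 26) -> int:
    """Number of distinct substitution alphabets before the machine repeats."""
    return alphabet_size ** n_rotors


if __name__ == "__main__":
    single = RotorMachine([WIRING_1])
    print(single.process("A" * 30))       # 'A' maps differently at each position; repeats after 26
    enc = RotorMachine([WIRING_1, WIRING_2])
    ct = enc.process("MY CAT HAS FLEAS")
    dec = RotorMachine([WIRING_1, WIRING_2])   # receiver: same wirings, same starting positions
    print(ct, "->", dec.process(ct, decrypt=True))
    print(period(3), period(5))           # 17576 11881376
```

The receiver must start from the same rotor positions as the sender, which is the "initial settings" problem the Enigma slide raises next.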

Enigma

  • Enigma machine used in Germany during WWII
  • Three rotor system
– 26^3 = 17,576 possible rotor positions
  • Input data permuted via patch panel before sending to rotor engine
  • Data from last rotor reflected back through rotors ⇒ makes encryption symmetric
  • Need to know initial settings of rotor
– setting was f(date): find in book of codes
  • broken by group at Bletchley Park (Alan Turing)

Enigma

(diagram of the signal path: Keyboard (input) → Plugboard → Rotors → Reflector → back through the rotors → Glowlamps (results))

One-time pads

Only provably secure encryption scheme

  • invented in 1917
  • large non-repeating set of random key letters written on a pad
  • each key letter on the pad encrypts exactly one plaintext character
– encryption is addition of characters modulo 26
  • sender destroys pages that have been used
  • receiver maintains identical pad

One-time pads

If pad contains KWXOPWMAELGHW… and we want to encrypt MY CAT HAS FLEAS:

M + K mod 26 = W
Y + W mod 26 = U
C + X mod 26 = Z
A + O mod 26 = O
T + P mod 26 = I
H + W mod 26 = D
A + M mod 26 = M
S + A mod 26 = S
F + E mod 26 = J
L + L mod 26 = W
E + G mod 26 = K
A + H mod 26 = H
S + W mod 26 = O

ciphertext: WUZOIDMSJWKHO

One-time pads

Can be extended to binary data

– random key sequence as long as the message
– exclusive-or key sequence with message
– receiver has the same key sequence

One-time pads

Problems with one-time pads

– key needs to be as long as the message!
– key storage can be problematic
  • may need to store a lot of data
– keys have to be generated randomly
  • cannot use pseudo-random number generator
– cannot reuse key sequence
– sender and receiver must remain synchronized (e.g. cannot lose a message)
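The one-time pad of the slides above in Python, added as an example that is not part of the lecture slides: the letter form with the slide's pad KWXOPWMAELGHW, the binary XOR form, and a demonstration of the "cannot reuse key sequence" rule. The two sample messages and the function names are mine.

```python
# Added example (not from the lecture slides): the letter one-time pad worked on
# the slide (c = p + k mod 26 with the pad KWXOPWMAELGHW...), its binary XOR form,
# and a demonstration of why the key may never be reused. Names are my own.
import secrets
import string

ALPHABET = string.ascii_uppercase


def otp_letters(text: str, pad: str, decrypt: bool = False) -> str:
    """Each pad letter encrypts exactly one plaintext letter; raises when the pad runs out."""
    out, i = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        if i >= len(pad):
            raise ValueError("pad exhausted: a one-time pad must be as long as the message")
        k, p = ALPHABET.index(pad[i].upper()), ALPHABET.index(ch)
        out.append(ALPHABET[(p - k) % 26 if decrypt else (p + k) % 26])
        i += 1
    return "".join(out)


def otp_bytes(data: bytes, key: bytes) -> bytes:
    """Binary one-time pad: XOR with a key at least as long as the data.
    Decryption is the same call, since (d ^ k) ^ k == d."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def fresh_key(length: int) -> bytes:
    """Key material from the OS CSPRNG; a seeded pseudo-random generator is not acceptable here."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets for free if one key encrypts two messages:
    c1 XOR c2 == p1 XOR p2, i.e. the key cancels out of the two ciphertexts."""
    return otp_bytes(c1, c2)


if __name__ == "__main__":
    ct = otp_letters("MY CAT HAS FLEAS", "KWXOPWMAELGHW")
    print(ct, "->", otp_letters(ct, "KWXOPWMAELGHW", decrypt=True))
    # Constructed sample messages (not from the slides).
    key = fresh_key(16)
    c1 = otp_bytes(b"ATTACK AT DAWN!!", key)
    c2 = otp_bytes(b"RETREAT AT DUSK.", key)      # same key reused: the mistake
    print(two_time_pad_leak(c1, c2) == otp_bytes(b"ATTACK AT DAWN!!", b"RETREAT AT DUSK."))  # True
```

The `ValueError` on pad exhaustion is the enforcement of the first "problem" bullet: a pad shorter than the message leaves nothing to encrypt the rest with, and silently wrapping around would turn the scheme into a Vigenère cipher.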

Digression: random numbers

  • “anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin”
– John von Neumann
  • Pseudo-random generators
– Linear feedback shift registers
– Multiplicative lagged Fibonacci generators
– Linear congruential generator
  • Obtain randomness from:
– time between keystrokes
– Cosmic rays
– Electrical noise
– Other encrypted messages

Computer Cryptography

DES

  • Data Encryption Standard
– adopted as a federal standard in 1976
  • block cipher, 64 bit blocks
  • 56 bit key
– all security rests with the key
  • substitution followed by a permutation (transposition)
– same combination of techniques is applied on the plaintext block 16 times

DES

(round structure diagram)

64 bit plaintext block
initial permutation, IP
split into left half L0 and right half R0

round 1 (K1 = 48-bit subkey permuted from key):
  L1 = R0
  R1 = L0 ⊕ f(R0, K1)

… 16 rounds, each with its own 48-bit subkey Ki …

round 15 (K15):
  L15 = R14
  R15 = L14 ⊕ f(R14, K15)

round 16 (K16):
  L16 = R15
  R16 = L15 ⊕ f(R15, K16)

final permutation, IP⁻¹
64 bit ciphertext block

DES: f

What’s in f?

– Key bits are shifted
– 48 bits selected from 56-bits of the key
– right half of data expanded to 48 bits via expansion permutation
– combined with 48 bits of a shifted and permuted key via XOR
– sent through 8 S-boxes producing 32 new bits via compression permutation
– permuted again
  • output of f is then combined with left half via another XOR
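A toy Feistel network with exactly the round structure of the DES diagram above (L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i), 64-bit blocks, a 56-bit key, sixteen 48-bit subkeys), added as an example that is not part of the lecture slides. The round function f and the key schedule are constructed stand-ins built from SHA-256 rather than DES's expansion, S-box and permutation steps, and IP/IP⁻¹ are omitted; the point shown is that the structure decrypts with the same network and reversed subkeys even though f itself is not invertible.

```python
# Added example (not from the lecture slides): a toy Feistel network with the DES
# round structure shown above (L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)),
# 64-bit blocks, a 56-bit key and sixteen 48-bit subkeys. The round function f and
# the key schedule are constructed stand-ins built from SHA-256, not DES's
# expansion/S-box/permutation steps; IP and IP^-1 are omitted.
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """Stand-in for DES's f: 32-bit half + 48-bit subkey -> 32 bits. It is not
    invertible, and it does not need to be: each round is undone by XOR."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def key_schedule(key56: int, rounds: int = 16) -> list:
    """Sixteen 48-bit subkeys from a 56-bit key (constructed; DES uses shifts
    and a compression permutation instead)."""
    return [int.from_bytes(hashlib.sha256(key56.to_bytes(7, "big") + bytes([i])).digest()[:6], "big")
            for i in range(rounds)]


def feistel(block64: int, subkeys: list) -> int:
    """Run the rounds; the final swap makes decryption the same network with reversed subkeys."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def encrypt_block(block64: int, key56: int) -> int:
    return feistel(block64, key_schedule(key56))


def decrypt_block(block64: int, key56: int) -> int:
    return feistel(block64, key_schedule(key56)[::-1])        # same rounds, K16 first


if __name__ == "__main__":
    key = 0x00112233445566          # constructed 56-bit key
    msg = 0x0123456789ABCDEF        # constructed 64-bit block
    ct = encrypt_block(msg, key)
    print(hex(ct), "->", hex(decrypt_block(ct, key)))
```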

DES: S-boxes

  • After compressed key is XORed with expanded block
– 48-bit result moves to substitution operation via 8 substitution boxes (S-boxes)
  • Each S-box has
– 6-bit input
– 4-bit output
  • 48 bits divided into eight 6-bit sub-blocks
  • Each block is operated by a separate S-box
  • key components of DES’ security
  • net result: 48 bit input generates 32 bit output

DES: f

(diagram: DATA: right 32 bits, expanded to 48 bits; KEY: 56 bits, compressed to 48 bits; the two are XORed and pass through eight S-boxes, S S S S S S S S; the 32-bit result is XORed with DATA: left 32 bits to give the new DATA: right 32 bits)

Is DES secure?

56-bit key makes DES relatively weak

– Brute-force attack

Can double encryption work for DES?

– Useless if we could find a key K such that E_K(P) = E_K2(E_K1(P))
– This does not hold for DES

Late 1990’s:

– DES cracker machines built to crack DES keys in a few hours
– DES Deep Crack: 90 billion keys/second
– Distributed.net: test 250 billion keys/second

Double DES

Vulnerable to meet-in-the-middle attack. If we know some pair (P, C), then:

[1] Encrypt P for all 2^56 values of K1
[2] Decrypt C for all 2^56 values of K2

For each match where [1] = [2]:

– test the two keys against another P, C pair
– if match, you are assured that you have the key

Triple DES

Prevent meet-in-the-middle attack with

– three stages
– and two keys

Triple DES: C = E_K1(D_K2(E_K1(P)))

Decryption used in middle step for compatibility with DES: with K1 = K2 = K, C = E_K(D_K(E_K(P))) ≡ C = E_K(P)

Popular symmetric algorithms

IDEA - International Data Encryption Algorithm

– 1992
– 128-bit keys, operates on 8-byte blocks (like DES)
– algorithm is more secure than DES

RC4, by Ron Rivest

– 1995
– key size up to 2048 bits
– not secure against multiple messages encrypted with the same key

AES - Advanced Encryption Standard

– NIST proposed successor to DES, chosen in October 2000
– based on Rijndael cipher
– 128, 192, and 256 bit keys

AES

From NIST:

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^56 keys per second), then it would take that machine approximately 149 trillion years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

http://csrc.nist.gov/encryption/aes/

Types of attacks

Ciphertext-only attack

– Recover plaintext given ciphertext
– Almost never occurs: too difficult

Known plaintext attack

– Analyst has copy of plaintext & ciphertext
– E.g., Norway saying “Nothing to report”

Chosen plaintext attack

– Analyst chooses message that gets encrypted
– E.g., start military activity in town with obscure name

Protocol attacks

  • Eavesdropping
  • Active attacks
– Insert, delete, change messages
  • Man-in-the-middle attack
– Eavesdropper intercepts
  • Malicious host

Secure Communication

Symmetric cryptography

  • Both parties must agree on a secret key, K
  • message is encrypted, sent, decrypted at other side
  • Key distribution must be secret
– otherwise messages can be decrypted
– users can be impersonated

Alice: C = E_K(P)  →  Bob: P = D_K(C)

Key explosion

  • Each pair of users needs a separate key for secure communication

2 users (Alice, Bob): 1 key, K_AB
3 users (Alice, Bob, Charles): 3 keys, K_AB, K_BC, K_AC
4 users: 6 keys
6 users: 15 keys
100 users: 4950 keys
1000 users: 499500 keys
n users: n(n-1)/2 keys

Key distribution

Secure key distribution is the biggest problem with cryptography

Key exchange

How can you communicate securely with someone you’ve never met?

– Whit Diffie: idea for a public key algorithm
– goal: sender can create two sets of keys: one public and one private
– sender sends data encrypted with the receiver’s public key
– receiver can decrypt data with her private key
– challenge: can this be done securely?
  • Knowledge of public key should not allow derivation of private key

Diffie-Hellman exponential key exchange

Key distribution algorithm

– first algorithm to use public/private keys
– not public key encryption
– based on difficulty of computing discrete logarithms in a finite field compared with ease of calculating exponentiation

Allows us to negotiate a secret session key without fear of eavesdroppers

Diffie-Hellman exponential key exchange

  • All arithmetic performed in field of integers modulo some large number
  • Both parties agree on
– a large prime number p
– and a number α < p
  • Each party generates a public/private key pair
– private key for user i: X_i
– public key for user i: Y_i = α^X_i mod p

Diffie-Hellman exponential key exchange

  • Alice has secret key X_A and public key Y_A
  • Bob has secret key X_B and public key Y_B
  • Alice computes K = Y_B^X_A mod p
– K = (Bob’s public key)^(Alice’s private key) mod p
  • Bob computes K’ = Y_A^X_B mod p
– K’ = (Alice’s public key)^(Bob’s private key) mod p
  • expanding:
– K = Y_B^X_A mod p = (α^X_B mod p)^X_A mod p = α^(X_B X_A) mod p
– K’ = Y_A^X_B mod p = (α^X_A mod p)^X_B mod p = α^(X_A X_B) mod p
  • K = K’ is a common key, known only to Bob and Alice

Diffie-Hellman example

Suppose p = 31667, α = 7

  • Alice picks X_A = 18
  • Alice’s public key is: Y_A = 7^18 mod 31667 = 6780
  • Bob picks X_B = 27
  • Bob’s public key is: Y_B = 7^27 mod 31667 = 22184
  • Alice computes K = 22184^18 mod 31667 = 14265
  • Bob computes K’ = 6780^27 mod 31667 = 14265
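The Diffie-Hellman exchange above in Python, added as an example that is not part of the lecture slides. It reproduces the slide's numbers (p = 31667, α = 7, X_A = 18, X_B = 27) and also runs the exchange with fresh random private keys; the closing search function is the "difficult direction" of the one-way function, the discrete logarithm, and finishes only because the slide's p is tiny. Function names are mine.

```python
# Added example (not from the lecture slides): Diffie-Hellman with the slide's
# parameters p = 31667, alpha = 7, X_A = 18, X_B = 27, and the same exchange with
# fresh random private keys. The discrete-log search at the end is what an
# eavesdropper holding only p, alpha, Y_A, Y_B would have to solve; it finishes
# here only because p is tiny.
import secrets

P, ALPHA = 31667, 7     # slide's toy parameters (real use: p of 2048+ bits, alpha a generator)


def public_key(private: int, p: int = P, alpha: int = ALPHA) -> int:
    """Y_i = alpha^X_i mod p via fast modular exponentiation (the easy direction)."""
    return pow(alpha, private, p)


def shared_key(their_public: int, my_private: int, p: int = P) -> int:
    """K = (other party's public key)^(my private key) mod p."""
    return pow(their_public, my_private, p)


def exchange(x_a: int = None, x_b: int = None, p: int = P, alpha: int = ALPHA) -> tuple:
    """Full exchange; returns (Y_A, Y_B, K computed by Alice, K' computed by Bob)."""
    x_a = x_a if x_a is not None else secrets.randbelow(p - 2) + 1   # private keys in [1, p-2]
    x_b = x_b if x_b is not None else secrets.randbelow(p - 2) + 1
    y_a, y_b = public_key(x_a, p, alpha), public_key(x_b, p, alpha)   # what goes over the wire
    return y_a, y_b, shared_key(y_b, x_a, p), shared_key(y_a, x_b, p)


def discrete_log_by_search(y: int, p: int = P, alpha: int = ALPHA) -> int:
    """The hard direction: find X with alpha^X mod p == y by trying every X.
    Cost grows with p, which is why a large p keeps X secret."""
    for x in range(1, p):
        if pow(alpha, x, p) == y:
            return x
    raise ValueError("no discrete log found")


if __name__ == "__main__":
    y_a, y_b, k, k2 = exchange(18, 27)
    print(y_a, y_b, k, k2)               # 6780 22184 14265 14265
    print(discrete_log_by_search(y_a))   # 18: feasible only because p is small
```

Plain Diffie-Hellman authenticates nobody: the "Man-in-the-middle attack" bullet on the protocol-attacks slide applies to it directly, which is why deployed protocols combine it with the signatures discussed later in these slides.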

Key distribution problem is solved!

  • User maintains private key
  • Publishes public key in database (“phonebook”)
  • Communication begins with key exchange to establish a common key
  • Common key can be used to encrypt a session key
– increase difficulty of breaking common key by reducing the amount of data we encrypt with it
– session key is valid only for one communication session

RSA

  • Ron Rivest, Adi Shamir, Leonard Adleman created a true public key encryption algorithm in 1977
  • Each user generates two keys
– private key (kept secret)
– public key
  • Data encrypted with the private key can only be decrypted with the corresponding public key
– integrity, authentication
  • Data encrypted with the public key can only be decrypted with the corresponding private key
– secure communication
  • difficulty of algorithm based on the difficulty of factoring large numbers
– keys are functions of a pair of large (~200 digits) prime numbers

RSA algorithm

Generate keys

– choose two random large prime numbers p, q
– Compute the product n = pq
– randomly choose the encryption key, e, such that e and (p-1)(q-1) are relatively prime
– use the extended Euclidean algorithm to compute the decryption key, d:
  ed = 1 mod ((p-1)(q-1))
  d = e^-1 mod ((p-1)(q-1))
– discard p, q

RSA algorithm

  • encrypt
– divide data into numerical blocks < n
– encrypt each block: c = m^e mod n
  • decrypt:
– m = c^d mod n

Communication with public key algorithms

Different keys for encrypting and decrypting

– no need to worry about key distribution

Communication with public key algorithms

Alice and Bob exchange public keys (or look them up in a directory/DB): Alice’s public key K_A, Bob’s public key K_B

Alice → Bob: C = E_B(P), encrypt message with Bob’s public key
– Bob: P = D_b(C), decrypt message with Bob’s private key

Bob → Alice: C = E_A(P), encrypt message with Alice’s public key
– Alice: P = D_a(C), decrypt message with Alice’s private key

Public key woes

Public key cryptography is great but:

– RSA about 100 times slower than DES in software, 1000 times slower in HW
– vulnerable to chosen plaintext attack
  • if you know the data is one of n messages, just encrypt each message with the recipient’s public key and compare
– it’s a good idea to reduce the amount of data encrypted with any given key
  • but generating RSA keys is computationally very time consuming

Hybrid cryptosystems

  • use public key cryptography to encrypt a randomly generated symmetric session key

Communication with a hybrid cryptosystem

– Alice gets Bob’s public key, K_B (or fetches it from a directory/database)
– Alice picks a random session key, K, and encrypts it with Bob’s public key: E_B(K)
– Bob decrypts K with his private key: K = D_b(E_B(K))
– Alice encrypts the message using a symmetric algorithm and key K: E_K(P); Bob decrypts it: D_K(C)
– Bob answers the same way: E_K(P’), which Alice decrypts as D_K(C’)

Digital Signatures

Digital signatures

We use signatures because a signature is:

– Authentic
– Unforgeable
– Not reusable
– Non repudiatable
– Renders document unalterable

ALL UNTRUE! Can we do better with digital signatures?

Digital signatures - arbitrated protocol

Arbitrated protocol using symmetric encryption

– turn to trusted third party (arbiter) to authenticate messages
– Trent is trusted and has everyone’s keys

Alice → Trent: C = E_A(P)
– Alice encrypts message for herself and sends it to Trent

Trent: P = D_A(C)
– Trent receives Alice’s message and decrypts it with Alice’s key
  • this authenticates that it came from Alice
  • he may choose to log a hash of the message to create a record of the transmission

Trent → Bob: C’ = E_B(P)
– Trent now encrypts the message for Bob and sends it to Bob

Bob: P’ = D_B(C’)
– Bob receives the message and decrypts it
  • it must have come from Trent since only Trent and Bob have Bob’s key
  • if the message says it’s from Alice, it must be: we trust Trent

Digital signatures with multiple parties

Bob can forward the message to Charles in the same manner. Trent can validate stored hash to ensure that Bob did not alter the message Alice Bob Trent Bob encrypts message with his key and sends it to Trent

P’= DB(C’)

Charles

C’’= EB(P’)

Paul Krzyzanowski • Distributed Systems

Digital signatures with multiple parties

Alice Bob Trent Trent decrypts the message

  • knows it must be from Bob
  • looks up ID to match original hash from Alice’s message
  • validates that the message has not been modified
  • adds a “signed by Bob” indicator to the message

Charles

P’’= DB(C’’)

Paul Krzyzanowski • Distributed Systems

Digital signatures with multiple parties

Alice Bob Trent Trent encrypts the new message for Charles Charles

C’’’= EC(P’’)


Digital signatures with multiple parties

Charles: P''' = DC(C''')

Charles decrypts the message

  • knows the message must have come from Trent
  • trusts Trent's assertion that the message originated with Alice and was forwarded through Bob


Digital signatures - public key cryptography

Alice → Bob: C = Ea(P) (encrypt the message with Alice's private key)

Bob: P = DA(C) (decrypt the message with Alice's public key)

Encrypting a message with a private key is the same as signing!


Digital signatures - public key cryptography

  • What if Alice was sending Bob binary data?

– Bob might have a hard time knowing whether the decryption was successful or not

  • Public key encryption is considerably slower than symmetric encryption

– what if the message is very large?

  • What if we don't want to hide the message, yet want a valid signature?


Digital signatures - public key cryptography

  • Create a hash of the message
  • Encrypt the hash and send it with the message
  • Validate the hash by decrypting it and comparing it with the hash of the received message


Digital signatures - public key cryptography

Alice: H(P)

Alice generates a hash of the message


Digital signatures - public key cryptography

Alice: Ea(H(P))

Alice encrypts the hash with her private key


Digital signatures - public key cryptography

Alice → Bob: P, Ea(H(P))

Alice sends Bob the message and the encrypted hash


Digital signatures - public key cryptography

Bob: C = Ea(H(P)), H' = DA(C), H(P)

  1. Bob decrypts the hash using Alice's public key: H' = DA(C)
  2. Bob computes the hash of the message sent by Alice: H(P)


Digital signatures - public key cryptography

Bob: H' = DA(C), H(P)

If the hashes match (H' = H(P))

  • the encrypted hash must have been generated by Alice
  • the signature is valid


Digital signatures - multiple signers

Bob generates a hash (the same as Alice's) and encrypts it with his private key: C2 = Eb(H(P))

  • sends Charles: { message, Alice's encrypted hash, Bob's encrypted hash } = { P, C = Ea(H(P)), C2 = Eb(H(P)) }


Digital signatures - multiple signers

Charles:

  • generates a hash of the message: H(P)
  • decrypts Alice's encrypted hash with Alice's public key: H1 = DA(C)
  • validates Alice's signature: H1 = H(P)?
  • decrypts Bob's encrypted hash with Bob's public key: H2 = DB(C2)
  • validates Bob's signature: H2 = H(P)?
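Bob's check of Alice's encrypted hash and Charles's check of several signers' encrypted hashes (the two preceding slide sequences), as an added Go example rather than code from the slides: an RSA PKCS#1 v1.5 signature over SHA-256 is the standardised, padded form of "encrypt the hash with the private key". The 2048-bit keys, the party names and the sample message are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewKey generates a 2048-bit RSA key pair for one party (demo only; real keys live in a keystore).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only a broken entropy source gets here
	}
	return k
}

// Sign is E_a(H(P)): hash the message, then sign the digest with the private key.
// RSA PKCS#1 v1.5 is the standardised, padded form of "encrypt the hash with the private key".
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg) // H(P)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify is Bob's check: H' = D_A(C) must equal H(P) of the message actually received.
// VerifyPKCS1v15 recovers the padded digest with the public key and compares it in one step.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// VerifyAll is Charles's check on { message, Alice's encrypted hash, Bob's encrypted hash, ... }:
// each entry of sigs (signer name -> E_x(H(P))) must verify under that signer's own public key.
// Signers with an unknown key or a failing signature are returned in failed.
func VerifyAll(pubs map[string]*rsa.PublicKey, msg []byte, sigs map[string][]byte) (ok bool, failed []string) {
	for name, sig := range sigs {
		if pub, known := pubs[name]; !known || !Verify(pub, msg, sig) {
			failed = append(failed, name)
		}
	}
	return len(sigs) > 0 && len(failed) == 0, failed
}
```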


Secure and authenticated messaging

If we want secrecy of the message:

– combine encryption with a digital signature
– use a session key: pick a random key, K, to encrypt the message with a symmetric algorithm
– encrypt K with the public key of each recipient
– for signing, encrypt the hash of the message with the sender's private key


Secure and authenticated messaging

Alice: H(P), C1 = Ea(H(P))

Alice generates a digital signature by encrypting the message digest with her private key.


Secure and authenticated messaging

Alice: C = EK(P)

Alice picks a random key, K, and encrypts the message (P) with it using a symmetric algorithm.


Secure and authenticated messaging

Alice: C2 = EB(K), C3 = EC(K)

Alice encrypts the session key for each recipient of this message, Bob and Charles, using their public keys.


Secure and authenticated messaging

Alice → Bob, Charles: { Message: C = EK(P), Signature: C1 = Ea(H(P)), Key for Bob: C2 = EB(K), Key for Charles: C3 = EC(K) }

The aggregate message is sent to Bob and Charles


Secure and authenticated messaging

Bob receives the message:

  • extracts the key by decrypting it with his private key: K = Db(C2)


Secure and authenticated messaging

Bob decr, ypts the message using K

Bob: P = DK(C)


Secure and authenticated messaging

Bob computes the hash of the message

Bob: H(P)


Secure and authenticated messaging

Bob looks up Alice's public key

Bob: KA


Secure and authenticated messaging

Bob decrypts Alice's signature using Alice's public key

Bob: H1 = DA(C1)


Secure and authenticated messaging

Bob validates Alice's signature

Bob: H1 = H(P)?
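Alice's and Bob's sides of the secure and authenticated messaging walkthrough above, as an added Go example that is not code from the slides: AES-256-GCM stands in for the symmetric EK, RSA-OAEP for the per-recipient EB(K) and EC(K), and an RSA PKCS#1 v1.5 signature over SHA-256(P) for Ea(H(P)). The Envelope type, the recipient names and the key sizes are assumptions.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope is the slides' aggregate message: C = E_K(P), C1 = E_a(H(P)), and one E_r(K) per recipient r.
type Envelope struct {
	Ciphertext  []byte            // C = E_K(P): AES-256-GCM under the one-time session key K
	Signature   []byte            // C1 = E_a(H(P)): RSA PKCS#1 v1.5 signature over SHA-256(P)
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP encryption of K for that recipient
}
// must: with well-formed keys these calls cannot fail, so a failure is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Seal is Alice's side: sign H(P), encrypt P under a fresh K, then wrap K for every recipient.
func Seal(sender *rsa.PrivateKey, recipients map[string]*rsa.PublicKey, p []byte) Envelope {
	h := sha256.Sum256(p) // H(P)
	k := make([]byte, 32) // one-time session key K; since K is never reused, the zero GCM nonce below is unique under it
	must(rand.Read(k))
	aead := must(cipher.NewGCM(must(aes.NewCipher(k))))
	wrapped := make(map[string][]byte, len(recipients))
	for name, pub := range recipients { // C2 = E_B(K), C3 = E_C(K), ...
		wrapped[name] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil))
	}
	sig := must(rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, h[:])) // C1 = E_a(H(P))
	return Envelope{aead.Seal(nil, make([]byte, 12), p, nil), sig, wrapped}  // C = E_K(P)
}
// Open is a recipient's side: K = D_b(C2), P = D_K(C), then H1 = D_A(C1) must equal H(P).
func Open(name string, me *rsa.PrivateKey, sender *rsa.PublicKey, env Envelope) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, env.WrappedKeys[name], nil)
	if err != nil {
		return nil, err // not a recipient: no wrapped key under this name, or the wrong private key
	}
	p, err := must(cipher.NewGCM(must(aes.NewCipher(k)))).Open(nil, make([]byte, 12), env.Ciphertext, nil)
	if err != nil {
		return nil, err // ciphertext modified in transit
	}
	h := sha256.Sum256(p)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, h[:], env.Signature); err != nil {
		return nil, err // H1 != H(P): not signed by the claimed sender
	}
	return p, nil
}
```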


Cryptographic toolbox

  • Symmetric encryption
  • Public key encryption
  • One-way hash functions
  • Random number generators
    – Nonces, session keys
  • Message authentication codes
    – Made from hash functions
  • Digital signatures
    – Commonly: encrypted hash functions

The end