

slide-1
SLIDE 1

Network and Communications Security (IN3210/IN4210)

Asymmetric Cryptography

slide-2
SLIDE 2

Key Exchange


slide-3
SLIDE 3

Recapitulation: Symmetric Encryption

  • One problem: key exchange

[Figure: symmetric encryption. Alice encrypts “Dear Bob ....” with a symmetric key from a key generator, Bob decrypts with the same key, Eve sees only the ciphertext (6R4Y2 hlbMZ CB...).]

slide-4
SLIDE 4

Diffie Hellman Key exchange

  • Creating common (symmetric) key only known to the communication partners
  • Created by Whitfield Diffie and Martin Hellman in 1976

Image source: Wikipedia

slide-5
SLIDE 5


Illustration of DH Key Exchange

Image source: Wikipedia


slide-6
SLIDE 6

Logarithm

  • Choose (integer) b and a and calculate $y = b^a$
  • Given just b and y can you calculate a?
  • Easy (logarithm): $a = \log_b y$
  • Example:

− b = 7, y = 13841287201, a = ?

slide-7
SLIDE 7

Modular Arithmetic

  • mod operator: x mod n

− remainder when performing an integer division of x by n

  • Example:

− 19 mod 3 = 1 (19 = 6 * 3 + 1)
− 13 mod 3 = 1 (13 = 4 * 3 + 1)
− 1234 mod 10 = 4
− $2^{20} \bmod 10 = 6$

slide-8
SLIDE 8

Discrete Logarithm

  • Choose integer b, a and n and calculate $y = b^a \bmod n$
  • Given just b, n and y can you calculate a?
  • Example:

− b = 7, n = 1023, y = 439, a = ?

  • Hard problem: Discrete Logarithm Problem (DLP)
  • No simple calculation
  • Only (known) method: test all possible values for a (infeasible for large n)

slide-9
SLIDE 9

Diffie Hellman Key exchange

  • Alice and Bob agree on (public parameters):

− Large prime number p
− Generator g (i.e. g is primitive root mod p)

  • Alice:

− chooses a (secret) random number a
− calculates $\alpha = g^a \bmod p$
− sends α to Bob

  • Bob:

− chooses a (secret) random number b
− calculates $\beta = g^b \bmod p$
− sends β to Alice

  • Calculation of common secret:

− Alice: $\beta^a \bmod p = (g^b \bmod p)^a \bmod p = (g^b)^a \bmod p = g^{ab} \bmod p = K$
− Bob: $\alpha^b \bmod p = (g^a \bmod p)^b \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p = K$

[Figure: Alice (secret a) sends $\alpha = g^a \bmod p$ to Bob; Bob (secret b) sends $\beta = g^b \bmod p$ to Alice.]

slide-10
SLIDE 10

Diffie Hellman Key exchange

  • (Passive) attacker learns:

− g
− p
− $g^b \bmod p$
− $g^a \bmod p$

  • For calculating K the attacker needs additionally a or b
  • a or b cannot easily be derived from the known values (DLP)

[Figure: Eve observes $g^a \bmod p$ and $g^b \bmod p$ on the channel between Alice and Bob.]

slide-11
SLIDE 11

Weakness of DH Key Exchange

[Figure: Mallory sits between Alice and Bob. Alice sends $g^a$ and receives $g^e$; Bob sends $g^b$ and receives $g^e$. Both sides see “Secure Communication”, but the keys are $K_1 = g^{ae} \bmod p$ and $K_2 = g^{be} \bmod p$.]

Solution: later!
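The exchange from the three Diffie Hellman slides above, run end to end with both the passive (Eve) and the active (Mallory) attacker. This is an added example, not part of the original slides; the toy parameters p = 23, g = 5 and all function names are assumptions chosen for illustration.

```python
import secrets

# Assumed toy parameters: p = 23 is prime and g = 5 is a primitive root mod 23.
# They are small enough to follow by hand; real groups use p of 2048 bits or more.
P, G = 23, 5

def keypair(p=P, g=G):
    """Pick a secret exponent in 2..p-2 and return (secret, g^secret mod p)."""
    secret = secrets.randbelow(p - 3) + 2
    return secret, pow(g, secret, p)

def shared(peer_public, secret, p=P):
    """K = peer_public^secret mod p."""
    return pow(peer_public, secret, p)

def honest_exchange():
    """Alice and Bob swap alpha and beta unmodified; both derive g^(ab) mod p."""
    a, alpha = keypair()
    b, beta = keypair()
    return {"alpha": alpha, "beta": beta,
            "k_alice": shared(beta, a), "k_bob": shared(alpha, b)}

def eve_brute_force(public, p=P, g=G):
    """Passive Eve: test all exponents until g^x mod p matches the observed
    value. The loop runs up to p-1 times, so it is feasible only for tiny p."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None

def mallory_exchange():
    """Active Mallory: both public values are replaced by g^e mod p in
    transit, so each side unknowingly shares a key with Mallory."""
    a, alpha = keypair()
    b, beta = keypair()
    e, g_e = keypair()
    return {"k_alice": shared(g_e, a),     # Alice computes (g^e)^a
            "k_bob": shared(g_e, b),       # Bob computes (g^e)^b
            "k1": shared(alpha, e),        # Mallory: K1 = g^(ae) mod p
            "k2": shared(beta, e)}         # Mallory: K2 = g^(be) mod p

if __name__ == "__main__":
    run = honest_exchange()
    print("honest:", run)
    print("Eve recovers a =", eve_brute_force(run["alpha"]))
    print("MITM:  ", mallory_exchange())
```

Nothing in the messages tells Alice or Bob whose public value they received, which is why the exchanged values need authentication on top of the key agreement.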

slide-12
SLIDE 12

Breaking DH

  • g and p must be chosen carefully

− e.g. p – 1 shall have small prime factors
− otherwise mathematical “tricks” are possible for breaking DLP
− (details are irrelevant in this course)

  • Always possible: test all possible values for a (or b)

− Which size to choose for p?

▪ 512 bit → practically broken (2015)
▪ 1024 bit → estimated costs for breaking: 100 million $
▪ 2048 bit → secure, but long runtime

slide-13
SLIDE 13

Asymmetric Encryption

slide-14
SLIDE 14

Asymmetric Encryption

  • Problem of symmetric encryption:

− Shared secret must be distributed

  • Problem of DH key exchange:

− interactive protocol
− both parties must be “online” in order to start encrypted communication

  • Asymmetric Encryption:

− Use different keys for de- and encryption
− Public encryption key is published (everyone can encrypt)
− Private decryption key is kept confidential (just owner can decrypt)

slide-15
SLIDE 15

Asymmetric Encryption

  • Two distinct keys (private key and public key) are used for encryption and decryption respectively

[Figure: a key pair generator produces a public key and a private key. Alice encrypts “Dear Bob ....” with the public key, Bob decrypts with the private key, Eve sees only the ciphertext (6R4Y2 hlbM ZCB...).]

slide-16
SLIDE 16

Asymmetric Encryption

  • Based on number theoretic problems

− RSA: Factorisation Problem
− ElGamal: Discrete Logarithm Problem

  • RSA: named after its inventors (1978):

− Ronald Rivest
− Adi Shamir
− Leonard Adleman

Image sources:

  • University of Southern California
  • Massachusetts Institute of Technology

slide-17
SLIDE 17

RSA (Textbook Version)

  • Key generation:

− Choose two prime numbers p and q
− Calc $n = p \cdot q$, $m = (p - 1)(q - 1)$
− Choose e and d with $e \cdot d \bmod m = 1$
− Public key: n, e
− Private key: d

  • Encryption of message M (integer < n):

− $C = M^e \bmod n$

  • Decryption of cipher text C:

− $M' = C^d \bmod n$

  • $M' = (M^e)^d \bmod n = M$ (follows from Euler's Theorem)

Typically:

  • Set e = 65537
  • Calculate d using the Extended Euclidean algorithm

slide-18
SLIDE 18

Breaking RSA

  • Key generation:

− Choose two prime numbers p and q
− Calc $n = p \cdot q$, $m = (p - 1)(q - 1)$
− Choose e and d with $e \cdot d \bmod m = 1$
− Public key: n, e
− Private key: d

  • Attacker:

− Knows n and e
− Factorizes n, i.e. finds p and q
− Calculates m and d

Example: n = 15 → p = 3, q = 5

Easy for small numbers, hard for large numbers: Factorization problem

slide-19
SLIDE 19

RSA Calculation

  • 1. problem: calculation effort

− $x^n = \underbrace{x \cdot \dots \cdot x}_{n}$ → n – 1 multiplications

  • Square and Multiply:

− Write n in binary; remove the first 1
− For every 1 perform first a square ($(\dots)^2$) operation then a multiply operation ($\cdot\, x$)
− For every 0 perform a square ($(\dots)^2$) operation

  • Example:

− $n = 23_{10} = 10111_2$ → Q QM QM QM
− $x^{23} = (((x^2)^2 \cdot x)^2 \cdot x)^2 \cdot x$
− 7 multiplications instead of 22

  • “Standard” value for e:

− $65537_{10} = 10000000000000001_2$ → 16 multiplications

slide-20
SLIDE 20

RSA Calculation

  • 2. problem: large intermediate values:

− “$M^e \bmod n$” is smaller than n, but “$M^e$” is very large

  • Property of mod operator:

− (x • y) mod n = ((x mod n) • (y mod n)) mod n

  • Application to Square and Multiply:

− Perform a “mod” operation after every square or multiply step
− Example:

▪ $x^{23} \bmod n = ((((((x^2 \bmod n)^2 \bmod n) \cdot x \bmod n)^2 \bmod n) \cdot x \bmod n)^2 \bmod n) \cdot x \bmod n$

− No intermediate value is larger than $n^2$
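Textbook RSA as described on the slides “RSA (Textbook Version)”, “Breaking RSA” and “RSA Calculation”, added here as an example that is not part of the original slides. The primes 61 and 53, the message 65 and all function names are constructed for illustration; d comes from the Extended Euclidean algorithm and every exponentiation uses square and multiply with a mod after each step.

```python
from math import isqrt

def egcd(a, b):
    """Extended Euclidean algorithm: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, m):
    """d with e*d mod m == 1, as needed for the private exponent."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e has no inverse modulo m")
    return x % m

def square_and_multiply(x, exponent, modulus):
    """Return (x^exponent mod modulus, squarings, multiplications).

    Follows the slide: drop the leading 1 of the binary exponent, square for
    every remaining bit, multiply by x for every 1 bit, reduce after each step.
    """
    if exponent < 1:
        raise ValueError("exponent must be >= 1")
    result, squares, mults = x % modulus, 0, 0
    for bit in bin(exponent)[3:]:           # bin() gives '0b1...'; skip '0b1'
        result = (result * result) % modulus
        squares += 1
        if bit == "1":
            result = (result * x) % modulus
            mults += 1
    return result, squares, mults

def keygen(p, q, e=65537):
    """Textbook key generation; returns ((n, e), d)."""
    n, m = p * q, (p - 1) * (q - 1)
    return (n, e), modinv(e, m)

def encrypt(message, public):
    n, e = public
    return square_and_multiply(message, e, n)[0]

def decrypt(cipher, d, n):
    return square_and_multiply(cipher, d, n)[0]

def private_key_from_factoring(public):
    """The attacker on the slide: factor n by trial division, then redo the
    key generation. Trial division only finishes quickly for toy n."""
    n, e = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return modinv(e, (p - 1) * (n // p - 1))

if __name__ == "__main__":
    public, d = keygen(61, 53)              # constructed toy primes
    c = encrypt(65, public)
    print(public, d, c, decrypt(c, d, public[0]))
    print(square_and_multiply(2, 23, 10**9))
    print(private_key_from_factoring(public))
```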

slide-21
SLIDE 21

Prime Numbers

  • How to calculate large (~ 500 - 2000 bits) prime numbers?
  • 2 types of primality tests:

− Deterministic (too slow for large numbers)
− Probabilistic (fast, but not 100% correct)

  • Example: Solovay–Strassen primality test:

− max ½ probability of wrong answer
− Algorithm for testing “n prime?”

▪ Repeat k times:

  • Choose random number a
  • Run primality test (uses number a as parameter)
  • If false return “not prime”

▪ Return “probable prime”

− Error probability: $1/2^k$, e.g. $2^{-100}$ for k = 100

slide-22
SLIDE 22

Breaking RSA

  • Best known attack on RSA: factorizing n
  • Competition for factorizing given numbers (created 1991): RSA Factoring Challenge
  • Consequence: RSA-1024 is not secure any more

Source: Wikipedia

| RSA number | Decimal digits | Binary digits | Factored on |
|---|---|---|---|
| RSA-100 | 100 | 330 | April 1, 1991 |
| RSA-110 | 110 | 364 | April 14, 1992 |
| RSA-120 | 120 | 397 | July 9, 1993 |
| RSA-129 | 129 | 426 | April 26, 1994 |
| RSA-130 | 130 | 430 | April 10, 1996 |
| RSA-140 | 140 | 463 | February 2, 1999 |
| RSA-150 | 150 | 496 | April 16, 2004 |
| RSA-155 | 155 | 512 | August 22, 1999 |
| RSA-160 | 160 | 530 | April 1, 2003 |
| RSA-170 | 170 | 563 | December 29, 2009 |
| RSA-576 | 174 | 576 | December 3, 2003 |
| RSA-180 | 180 | 596 | May 8, 2010 |
| RSA-190 | 190 | 629 | November 8, 2010 |
| RSA-640 | 193 | 640 | November 2, 2005 |
| RSA-200 | 200 | 663 | May 9, 2005 |
| RSA-210 | 210 | 696 | September 26, 2013 |
| RSA-704 | 212 | 704 | July 2, 2012 |
| RSA-220 | 220 | 729 | May 13, 2016 |
| RSA-230 | 230 | 762 | August 15, 2018 |
| RSA-232 | 232 | 768 | February 17, 2020 |
| RSA-768 | 232 | 768 | December 12, 2009 |
| RSA-240 | 240 | 795 | Dec 2, 2019 |
| RSA-250 | 250 | 829 | Feb 28, 2020 |

slide-23
SLIDE 23

Hybrid Encryption (1/3)

  • Pros and cons of (a)symmetric encryption:

− Asymmetric encryption:

▪ easier key management vs. slow performance + limited message size

− Symmetric encryption:

▪ good performance (1000x faster) vs. key exchange problem

  • Hybrid Encryption: combining the advantages:

− Encrypt a random symmetric session key by means of asymmetric encryption
− Encrypt the data with the symmetric session key by means of symmetric encryption

slide-24
SLIDE 24

Hybrid Encryption (2/3)

  • Encryption process

[Figure: Alice's key generator produces a symmetric key. “Dear Bob ....” goes through Symmetric Encryption with that key; the symmetric key goes through Asymmetric Encryption with Bob's public key. The output is the ciphertext (6R4Y2hlb MZCBaj39 c2jmCw...) together with the encrypted symmetric key.]

slide-25
SLIDE 25

Hybrid Encryption (3/3)

  • Decryption process

[Figure: Bob applies Asymmetric Decryption with his private key to the encrypted symmetric key, then Symmetric Decryption with the recovered symmetric key to the ciphertext (6R4Y2hlb MZCBaj39 c2jmCw...), yielding “Dear Bob ....”.]

slide-26
SLIDE 26

Exchange of Public Keys

  • Confidentiality not required

→ passive attacker can read the public key (no problem)

[Figure: Alice sends “Alice”, pub(A) to Bob; Bob answers with Enc(pub(A), M); Eve observes both messages.]

slide-27
SLIDE 27

Exchange of Public Keys

  • Integrity highly required

→ active attacker can modify/exchange the public key

Solution: later!

[Figure: Alice sends “Alice”, pub(A); Mallory replaces it with “Alice”, pub(E); Bob answers with Enc(pub(E), M).]

slide-28
SLIDE 28

Hash Functions

slide-29
SLIDE 29

Integrity testing

[Figure: Alice and Bob]

slide-30
SLIDE 30

Hash Function

[Figure: Alice and Bob, with the hash function h( · )]

slide-31
SLIDE 31

Definition of Hash Function

h : * → n

[Figure: sample input texts of different lengths and their hexadecimal hash values]

slide-32
SLIDE 32

Real life example: Integrity Protection for Downloads

  • Ubuntu: File “MD5SUM”
  • Xfce: Note on Web site

cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso
14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso
99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso
e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso

slide-33
SLIDE 33

Properties of Hash Functions

[Figure: Alice and Bob; two messages with the same hash value, h(x) = 4711 and h(y) = 4711]

slide-34
SLIDE 34

Hash collisions

  • Collision

− There exist two messages x and y: x ≠ y and h(x) = h(y)

  • In every hash function collisions exist!
  • Two types of collisions:

− “accidental”: selecting x and y randomly
− “intentional”: calculating x and y

  • Reducing the probability of accidental collisions:

− Choose co-domain (= length of hash value) large enough

  • What about “intentional” collisions?

slide-35
SLIDE 35

Poor Hash Function

  • Checksum:

[Figure: checksum example with the messages “Sell 18 books 10 EUR each”, “Lorem ipsum dolor sit amet consetetur” and “Sell 11 books 80 EUR each”; checksum bytes shown: 39 AC 2E 31 7F 03 F5 81]

slide-36
SLIDE 36


(Strong) Collision resistance

  • In “good” hash functions it shall be hard to calculate collisions
  • Collision resistant:

− It is not possible (within “reasonable” computation time) to find a collision i.e. two messages x and y with h(x) = h(y)

  • Remarks:

− with unlimited computation time of course collisions can always be found


slide-37
SLIDE 37

Properties of Hash functions

[Figure: Alice, Bob and Eve; hash value 4711]

slide-38
SLIDE 38

One-way function

  • One-way property (preimage resistant):

− There exists no (efficient) inverse function for h, i.e.
− it is not possible to calculate message x from its hash value H (with h(x) = H)

  • h collision resistant  h one-way function

slide-39
SLIDE 39


Summary of Properties

  • Preimage resistance (one-way):

− For any given H, it is computationally infeasible to find x such that h(x) = H

  • Second preimage resistance (weak collision resistance):

− For any given x, it is computationally infeasible to find y ≠ x where h(y) = h(x)

  • (Strong) collision resistance:

− It is computationally infeasible to find any pair (x, y) such that h(x) = h(y)


slide-40
SLIDE 40

Common Hash Algorithms

  • MD5

− Message-Digest-Algorithm (R. Rivest, 1992)
− 128 bit digest

  • SHA-1

− Secure Hash Algorithm (NIST/NSA, 1994)
− 160 bit digest

  • SHA-2

− Secure Hash Algorithm 2 (NIST/NSA, 2002)
− Digest sizes: SHA-224, SHA-256, SHA-384, SHA-512

  • SHA-3

− Secure Hash Algorithm 3 (NIST 2015)
− Digest sizes: SHA3-224, SHA3-256, SHA3-384, SHA3-512

slide-41
SLIDE 41

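SHA-1 – Internal Structure

[Figure: one SHA-1 round. The 160 bit state consists of 5 x 32 bit words A, B, C, D, E; the round combines them using the rotations <<5 and >>2, the function F, the constant K, the word W derived from the message M, and additions. The round is applied 80 times.]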

slide-42
SLIDE 42

Merkle Damgård Construction (SHA-1, SHA-2)

[Figure: the message M is split into Block 1, Block 2, ..., Block m, followed by the length of M. The compression function f is applied block by block, starting from IV and passing on n bit values; the final output is the hash h(M).]

Compression function f
Hash function h

f collision resistant  h collision resistant

slide-43
SLIDE 43

Security of Hash Algorithms

  • Known attacks on Hash properties

| Algorithm | Attack on collision resistance | Attack on one-way property |
|---|---|---|
| MD5 | Yes | Yes |
| SHA-1 | Yes | No |
| SHA-2 | (Yes) | No |
| SHA-3 | No | No |

slide-44
SLIDE 44


Security of Hash Algorithms


slide-45
SLIDE 45

SHA-3 Competition

  • Creating new Hash function (successor of SHA-2)
  • Open competition by NIST started 2007
  • Public analysis and discussion of candidates
  • Criteria:

− Performance
− Security
− Diversity

  • Winner (announced 2012): Keccak
  • Standardized as SHA-3 (2015)

slide-46
SLIDE 46

Breaking Hashes

  • How to find the pre-image of H? (i.e. finding m with h(m) = H)
  • Brute force attack: testing all possible values for m

− rather simple if the set of “all possible values” is rather small
− Examples:

▪ m is a short/simple password
▪ m is an IP address

  • Variation: Dictionary attack: testing just certain values

− Examples

▪ typical passwords (“1234”, “admin”, ...)
▪ real world words (“dog”, “car”, ...)

  • Alternative: Lookup in a pre-calculated list of “all” m and h(m)

− Practical implementation: Rainbow Table

slide-47
SLIDE 47

Breaking Hashes – Countermeasures

  • Brute force/Dictionary:

− avoid short/simple messages
− use special resource consuming “hash” functions (e.g. scrypt, Argon2)
− add a secret value to the hash calculation: pepper (not always possible)

  • Rainbow table:

− avoid short/simple messages
− add a (non-secret) random value to the hash calculation: salt
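How the countermeasures above change what a pre-calculated list can do, as an added example that is not part of the original slides. The four-word dictionary reuses the sample words from the previous slide; the pepper value, the scrypt parameters and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample dictionary, using the example words from the slide.
DICTIONARY = ["1234", "admin", "dog", "car"]

def lookup_table(words):
    """Pre-calculated list of h(m) -> m for plain, unsalted SHA-256."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def store_plain_hash(password: str) -> str:
    """Weak storage: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def _stretch(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper: a secret kept outside the password database (assumed to come
    # from application configuration). scrypt makes every guess expensive.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, n=2**14, r=8, p=1, dklen=32)

def store_hardened(password: str, pepper: bytes):
    """Hardened storage: fresh random salt per record, kept next to the digest."""
    salt = secrets.token_bytes(16)
    return salt, _stretch(password, salt, pepper)

def check_hardened(password: str, salt: bytes, digest: bytes, pepper: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_stretch(password, salt, pepper), digest)

if __name__ == "__main__":
    table = lookup_table(DICTIONARY)
    print("plain hash found in table:", table.get(store_plain_hash("1234")))
    pepper = b"constructed-pepper-value"
    salt, digest = store_hardened("1234", pepper)
    print("hardened digest found in table:", table.get(digest.hex()))
    print("login check:", check_hardened("1234", salt, digest, pepper))
```

The salt makes a shared pre-calculated list useless because every record needs its own list; it does not make “1234” a good password, which is what the first countermeasure on the slide addresses.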

slide-48
SLIDE 48

MAC and Digital Signature

slide-49
SLIDE 49


Integrity Protection using Hashes


slide-50
SLIDE 50

Integrity Protection using Hashes

[Figure: “Dear Bob ....” is sent together with its hash; the receiver computes the hash of the received message and compares it with the received hash (hash = ? hash).]

slide-51
SLIDE 51

Message Authentication Code

[Figure: “Dear Bob ....” is sent together with its MAC; the receiver computes the MAC of the received message and compares it with the received MAC (MAC = ? MAC).]

slide-52
SLIDE 52

Message Authentication Code

  • A Message Authentication Code (MAC) is a short piece of information used to authenticate a message
  • The key involved provides authentication in addition to integrity
  • In some contexts a MAC is also called a symmetric signature
  • First idea for implementation:

$mac_k(m) = h(k \,\|\, m)$ (here $\|$ is the concatenation operator)

  • Problem: vulnerable to length extension attack (details not shown here)

slide-53
SLIDE 53

Message Authentication Code

  • Solution: HMAC

$mac_k(m) = \mathrm{HMAC}(m, k) = h((k \oplus opad) \,\|\, h((k \oplus ipad) \,\|\, m))$

− with opad and ipad fixed constants:

▪ ipad = the byte 0x36 repeated B times
▪ opad = the byte 0x5C repeated B times
▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)
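The HMAC formula above, computed step by step and checked against Python's hmac module. This is an added example, not part of the original slides; the handling of keys longer or shorter than B follows RFC 2104, and the sample key and message are constructed.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(m, k) = h((k XOR opad) || h((k XOR ipad) || m)), built step by step."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size   # B: 64 for SHA-1 and SHA-256
    if len(key) > block:
        key = h(key)                            # RFC 2104: hash overlong keys
    key = key.ljust(block, b"\x00")             # then zero-pad to B bytes
    ipad = bytes(b ^ 0x36 for b in key)         # k XOR ipad
    opad = bytes(b ^ 0x5C for b in key)         # k XOR opad
    return h(opad + h(ipad + message))

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, message), tag)

if __name__ == "__main__":
    key = b"shared secret of Alice and Bob"     # constructed sample key
    msg = b"Dear Bob ...."
    tag = hmac_from_formula(key, msg)
    print(tag.hex())
    print(tag == hmac.new(key, msg, hashlib.sha256).digest())
    print(verify(key, msg, tag), verify(key, msg + b"!", tag))
```

In production code call `hmac.new` and `hmac.compare_digest` directly; the hand-built version is only there to make the two nested hash calls visible.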

slide-54
SLIDE 54

Message Authentication Code

  • Security services:

− Authenticity
− Integrity

  • Limitations:

− For verification knowledge of secret key required
− Every owner of the secret key can create the MAC
− → not possible to decide if Alice or Bob created the MAC
− → the actual creator of the MAC can deny the creation
− → no “non-repudiation” property

slide-55
SLIDE 55

Digital Signature

  • Equivalent to traditional handwritten signatures
  • Properties:

− Only one person can create the signature
− Everyone can verify the signature
− Can identify the creator of the signature
− Is bound to a specific document
− Prohibits changes to the document

non-repudiation, integrity, authenticity

slide-56
SLIDE 56

Digital Signature (here: RSA)

[Figure: signature creation applies Hash and then Encryption to “Dear Bob ....”; verification applies Decryption to the signature, Hash to the received message, and compares the two values (= ?).]

slide-57
SLIDE 57


Digital Signature

  • Properties:

− Only one person can create the signature

▪ Private key required

− Everyone can verify the signature

▪ Public key is sufficient (but: requires the correct public key)

− Can identify the creator of the signature

▪ Owner of the private key = creator (unless private key was stolen)

− Is bound to a specific document

▪ move signature to a different document → hash of document ≠ hash inside signature (unless collision) → verification fails

− Prohibits changes to the document

▪ change of document → change of hash (unless collision) → verification fails


slide-58
SLIDE 58

Again: Integrity Protection for Downloads

Putty – SSH Client for Windows

slide-59
SLIDE 59

Final Remarks

slide-60
SLIDE 60

Crypto Primitives and their Usage

[Table: security services (Confidentiality, Integrity, Authenticity, Non-repudiation) against the primitives Encryption (Cipher), Hash Functions and Digital Signature]

slide-61
SLIDE 61

Elliptic Curve Cryptography

  • DSA and DH are based on modular exponentiation over a (finite) field of integers
  • One can perform similar operations on an “elliptic curve”
  • Main advantage:

− same security level with shorter keys
− better performance (runtime up to 10 times faster)

| Security Level | RSA/DH (NIST) | RSA/DH (ECRYPT) | ECDH/ECDSA |
|---|---|---|---|
| 80 | 1024 | 1248 | 160 |
| 112 | 2048 | 2432 | 224 |
| 128 | 3072 | 3248 | 256 |
| 192 | 7680 | 7936 | 384 |
| 256 | 15360 | 15424 | 512 |

slide-62
SLIDE 62

Practical Usage Recommendations

  • Symmetric Encryption: AES-256, mode: GCM (later)
  • Asymmetric Encryption: RSA-2048
  • Key exchange: ECDHE-256
  • Hash: SHA-256
  • Message Authentication:

− AES in GCM mode (authenticated encryption)
− Poly1305 (e.g. in combination with ChaCha20)

  • Signature:

− RSA-2048 with SHA-256
− ECDSA-256 with SHA-256

slide-63
SLIDE 63


Further Reading

  • Paar (2010):

− Chapters: 6, 7, 8, 10, 11, 12
