
Applied Cryptography Week 1 Basic Tools and Protocols

Frank Beatrous

Applied Cryptography Week 1 Basic Tools and Protocols – p.1/53

Cast of Characters

Alice and Bob: Alice and Bob are always sending secret messages to each other.
Eve: Eve is always listening in (eavesdropping) on Alice’s and Bob’s conversations.
Mallory: Mallory is always trying to tamper with Alice’s and Bob’s data.

The Basic Problems of Cryptography

Secrecy: Alice wants to send Bob a message without revealing its content to Eve.

Basic Tool: Symmetric Encryption

Symmetric Algorithms

Symmetric encryption (AKA secret key encryption) uses two algorithms:

Encryption algorithm: (plaintext, key) → ciphertext
Decryption algorithm: (ciphertext, key) → plaintext

The same key is used for encryption and decryption.

Shared Secrets

To use symmetric encryption, Alice and Bob must share a secret key. Security of symmetric encryption depends on keeping the key secret from Eve.

A Toy Symmetric Cipher

A toy example: the shift cipher.

- The key is a number k between 0 and 25.
- Encryption: each character is shifted right by k characters, wrapping around to the beginning of the alphabet when the end is reached.

Example with k = 3:

plaintext:   Z E B R A
             ↓ ↓ ↓ ↓ ↓
ciphertext:  C H E U D

- Decryption: each character is shifted left by k characters.

Commonly Used Symmetric Algorithms

Some commonly used symmetric algorithms: DES, 3DES, AES, CAST, IDEA, BLOWFISH, TWOFISH

The Key Exchange Problem

Alice and Bob have never met, but want to use symmetric encryption. How can they agree on a shared secret key without revealing it to Eve?

Basic Tool: Public Key Encryption

Public Key Algorithms

Public key encryption (AKA asymmetric encryption) uses two keys:

Encryption algorithm: (plaintext, public key) → ciphertext
Decryption algorithm: (ciphertext, secret key) → plaintext

In contrast with symmetric encryption, different keys are used for encryption and decryption.

Sending a Secret Message

Sending Bob a secret message:

- Bob publishes his encryption key, and keeps his decryption key secret.
- Alice looks up Bob’s public encryption key.
- Alice encrypts her message using Bob’s encryption key.
- Alice sends the encrypted message to Bob. (And Eve, of course, intercepts it.)
- Bob decrypts Alice’s message using his secret decryption key.

Basic Security

Key security requirement: It should be difficult to recover the decryption key from the encryption key.

Key Generation

Key generation: In addition to encryption and decryption algorithms, public key methods require a key generation algorithm, which produces matched pairs of keys.

Key generation algorithm: random input → (encryption key, decryption key)

Commonly Used Algorithms

Widely used public key algorithms: RSA, ElGamal.

Hybrid Encryption

Hybrid Encryption

Hybrid encryption uses both symmetric and public key methods.

- Alice looks up Bob’s public encryption key.
- Alice generates a random session key.
- Alice encrypts the session key to Bob’s encryption key.
- Alice sends the encrypted session key to Bob.
- Bob decrypts the session key with his secret decryption key.
- Alice and Bob exchange messages using a symmetric algorithm and the shared session key.

Why Use a Hybrid System?

- Symmetric algorithms are much faster than public key algorithms.
- Public key encryption solves the key exchange problem.
- Hybrid systems give the advantages of both by using public key methods only for initial setup.
- Virtually all public key encryption packages use hybrid methods, including PGP, SSL, and SSH.

Authentication Tools

One Way Hash (AKA Message Digest)

A one way hash algorithm takes an arbitrary length message as input and produces a fixed length message digest as output.

Hash algorithm: message → message digest

“One way” means it’s computationally difficult to find two messages that hash to the same value.

Verifying Data with a Hash

A message digest serves as a digital fingerprint for data. To verify integrity of data:

- Obtain the message digest from a reliable source.
- Use the hash algorithm to calculate the message digest.
- Compare the calculated value with the value obtained in the first step. The data is assumed intact if the two values agree.

Popular hash algorithms: MD4, MD5, SHA

Message Authentication Codes (MACs)

A MAC is a hash algorithm that takes a secret key as an additional input.

MAC algorithm: (message, key) → MAC

Using a secret key protects against forgery. A MAC can only be verified by someone who knows the secret key.
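
The difference between the digest check and the MAC check, as an added example (not part of the original slides): an unkeyed digest detects tampering only when the reference digest comes from a source Mallory cannot alter, while a MAC is rejected unless it was computed with the shared key. SHA-256, HMAC, the key and the messages are choices and constructed sample data for this illustration.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """Unkeyed message digest (SHA-256 chosen for this example)."""
    return hashlib.sha256(message).hexdigest()

def mac(key: bytes, message: bytes) -> str:
    """Keyed MAC (HMAC-SHA-256 chosen for this example)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_digest(message: bytes, reference: str) -> bool:
    return hmac.compare_digest(digest(message), reference)

def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

# Constructed sample data.
KEY = b"secret shared by Alice and Bob"
ORIGINAL = b"Pay Bob 10 dollars"
TAMPERED = b"Pay Mallory 10000 dollars"

def scenario() -> dict:
    """Run each verification case and report whether it behaved as expected."""
    results = {}
    # Digest obtained from a reliable source: the change is detected.
    trusted = digest(ORIGINAL)
    results["digest_from_reliable_source_detects_change"] = (
        not verify_digest(TAMPERED, trusted))
    # Digest shipped next to the message: Mallory replaces both, check passes.
    replaced = digest(TAMPERED)
    results["digest_beside_message_is_fooled"] = verify_digest(TAMPERED, replaced)
    # MAC: without KEY, Mallory can only reuse the old tag or guess a key.
    tag = mac(KEY, ORIGINAL)
    results["mac_accepts_genuine_message"] = verify_mac(KEY, ORIGINAL, tag)
    results["mac_rejects_reused_tag"] = not verify_mac(KEY, TAMPERED, tag)
    results["mac_rejects_tag_from_wrong_key"] = (
        not verify_mac(KEY, TAMPERED, mac(b"guess", TAMPERED)))
    return results

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```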

Signatures

Digital signatures require separate algorithms for signing and verifying, as well as a key generation algorithm.

Signing algorithm: (message, secret key) → signature
Verification algorithm: (message, signature, public key) → result: valid/invalid

Using Signature Algorithms

Sending Bob a signed message:

- Alice composes a message to Bob and signs it with her secret signing key.
- Alice sends Bob the message and the signature.
- Bob looks up Alice’s public verification key.
- Bob uses Alice’s public key to verify Alice’s signature.

Using Signature Algorithms (2)

A valid signature ensures that:

- The message actually came from Alice, since only Alice knows her secret signing key.
- Mallory has not tampered with the message, since a modified message will cause verification to fail.

Signing/Verification Keys

- Popular public key encryption systems (RSA, ElGamal) also support digital signatures.
- Secret decryption keys can also be used for signing.
- Public encryption keys can also be used for signature verification.
- In addition to full public key systems supporting both encryption and signing, there is at least one signature only system (DSA) in common use.

Signature Length

Since no two messages can produce the same signature, a signature must contain as much information as the message being signed. A signature must, therefore, be as long as the message. Full signatures are impractical on long messages.

Signing a Message Digest

Practical signature schemes generally combine signatures with one way hashes.

Hash algorithm: message → digest
Signing algorithm: (digest, secret key) → signature

Verifying a Signed Digest

Hash algorithm: message → digest
Verification algorithm: (digest, signature, public key) → result: valid/invalid

Security Considerations: Symmetric Encryption

Brute Force Attack

A brute force attack tries the decryption algorithm with every possible key on a given ciphertext until one is found that correctly decrypts. The time required for a brute force attack depends on the number of possible keys that must be tried and the speed at which they can be tested. The table below compares the time for a brute force attack at rates of one million keys per second and 100 billion keys per second for keys of various sizes.

Key length (bits)    10^6 keys/sec    10^11 keys/sec
40                   12.7 days        11 seconds
56                   2285 years       8.3 days
128                  10^25 years      10^20 years

Brute Force Attack (2)

- In 1998, the Electronic Frontier Foundation built a dedicated machine for brute forcing DES.
- Deep Crack could test 92 billion DES keys per second.
- DES keys could be broken in an average of four days.
- The cost of building the machine in 1998 was $200,000.
- The following year, a DES key was broken in 23 hours by a distributed attack using the idle time of over 100,000 computers.

Brute Force Attack (3)

Key lengths for some popular symmetric algorithms:

Algorithm    Key size
DES          56
3DES         112
AES          128, 192, 256
TWOFISH      128, 192, 256
IDEA         128

56 bit keys (DES) are no longer considered secure due to vulnerability to brute force attack.

Weak Algorithms

A weak encryption algorithm can allow patterns in the plaintext to be reflected in the ciphertext. These patterns can be exploited by cryptanalysts to compromise message content and/or keys. The best algorithms in use today do not seem to exhibit the above weakness. A strong algorithm should yield to no attack that is faster than brute force.

Security Considerations: Public Key Encryption

The Basic Dilemma

Security of any public key system requires:

- Alice must be able to calculate a decryption key.
- Eve must not be able to calculate Alice’s decryption key even if she knows Alice’s encryption key.
- Calculation of a decryption key from the corresponding encryption key should be computationally expensive. E.g., it should require one million years of supercomputer time.
- Generation of key pairs must be computationally easy, so that Alice can generate her keys.

Hard Problems

Public key algorithms are designed so that:

- Eve must solve a computationally hard problem to recover a decryption key from an encryption key;
- Key generation, encryption, and decryption require only computationally easy problems.

Hard Problems (2)

The computational difficulty of an algorithm is measured by how the running time scales as the size of the input (in bits) increases. For example, the running time is O(n^p) if the running time with n bit input is no more than a constant times n^p. The table below estimates the running time for O(n), O(n^2), and O(n^3) algorithms with 1000 bit inputs, assuming each runs in one second with a ten bit input.

           10 bit input    1000 bit input
O(n)       1 second        100 seconds
O(n^2)     1 second        2.8 hours
O(n^3)     1 second        11.6 days

Hard Problems (3)

- A problem is considered easy if it can be solved in polynomial time in the number of input bits. I.e., if the running time is O(n^p) for some number p, where n is the maximum number of input bits.
- E.g., the grade school multiplication algorithm has running time O(n^2) for factors of at most n bits, so integer multiplication is an easy problem.
- There is no known polynomial time algorithm for finding the prime factors of a given integer, so the factorization problem is presumed hard.

Hard Problems (4)

- Security of RSA is based on the presumed difficulty of the factorization problem.
- Security of ElGamal is based on the presumed difficulty of the Discrete Logarithm Problem.

Chosen Plaintext Attack

Public key algorithms can be vulnerable to chosen plaintext attacks.

- Alice encrypts a secret number between 1 and 1000 to Bob’s public key and sends the ciphertext to Bob.
- Eve intercepts the ciphertext.
- Eve uses Bob’s public key to encrypt each of the numbers 1, 2, ..., 1000.
- She compares each ciphertext to the one she intercepted. When she finds a match, she has found the plaintext.

Chosen Plaintext Attack (2)

This attack can be defeated by appending random padding to the plaintext before encryption. Symmetric algorithms are not vulnerable to this attack, since Eve cannot encrypt the chosen plaintexts without the secret key.
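
The attack and its fix from the two slides above, as an added example (not from the original slides): textbook RSA with a toy key built from two Mersenne primes, Eve's dictionary over 1 to 1000, and the same encryption with random bits appended first. The key, the 64 bit pad length and all function names are assumptions made for this illustration.

```python
import secrets

# Toy key for Bob, built from two Mersenne primes so the example is
# reproducible. Constructed for illustration; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # Bob's secret exponent
PAD_BITS = 64                        # random bits appended (assumption)

def encrypt_raw(m: int) -> int:
    """Deterministic encryption: equal plaintexts give equal ciphertexts."""
    return pow(m, E, N)

def encrypt_padded(m: int) -> int:
    """Append PAD_BITS fresh random bits to the plaintext, then encrypt."""
    return pow((m << PAD_BITS) | secrets.randbits(PAD_BITS), E, N)

def decrypt_raw(c: int) -> int:
    return pow(c, D, N)

def decrypt_padded(c: int) -> int:
    """Bob decrypts, then discards the random pad."""
    return pow(c, D, N) >> PAD_BITS

def eve_dictionary_match(ciphertext: int, candidates=range(1, 1001)):
    """Eve's check from the slide: encrypt every candidate with Bob's
    public key and compare with the intercepted ciphertext."""
    for m in candidates:
        if encrypt_raw(m) == ciphertext:
            return m
    return None

def demo(secret: int = 417) -> dict:
    unpadded = encrypt_raw(secret)
    padded = encrypt_padded(secret)
    return {
        "eve_vs_unpadded": eve_dictionary_match(unpadded),  # recovers secret
        "eve_vs_padded": eve_dictionary_match(padded),      # no match
        "bob_reads_padded": decrypt_padded(padded),         # still decrypts
    }

if __name__ == "__main__":
    print(demo())
```

Production RSA encryption uses a standardized randomized padding such as OAEP rather than an ad hoc pad like this one.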

Security of Hash Algorithms

Brute Forcing a Hash

A brute force attack against a hash algorithm randomly chooses messages and calculates their digests until a message is found whose digest matches that of a given message. For an algorithm that produces an n bit digest, the expected number of trials for a brute force attack is 2^n. Thus security depends on the length of the digest produced. Estimates for the time required to brute force 128 and 160 bit hashes are given below.

Size (bits)    10^6 trials/sec    10^11 trials/sec
128            10^25 years        10^20 years
160            10^34 years        10^29 years

Birthday Attacks

There is a more sophisticated attack which reduces the expected number of trials to break an n bit hash from 2^n to 2^(n/2). Estimated times for a birthday attack against 128 and 160 bit hashes are given below.

Size (bits)    10^6 trials/sec    10^11 trials/sec
128            10^6 years         6 years
160            10^10 years        10^5 years

For the truly paranoid, security of a 128 bit hash could be a concern against a very well funded adversary. The Digital Signature Standard (DSS) specifies a 160 bit hash (SHA).
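
An added example (not part of the original slides) that measures the 2^(n/2) estimate above: SHA-256 is truncated to n bits to stand in for a short hash, and distinct messages are hashed until two digests agree. The truncation, the message format and the function names are assumptions made for this illustration.

```python
import hashlib
from itertools import count

def truncated_digest(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for an n bit hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def birthday_collision(bits: int):
    """Hash distinct messages, remembering every digest, until two agree.

    Returns (first_message, second_message, trials).
    """
    seen = {}  # digest -> message that produced it
    for trials in count(1):
        message = b"constructed message %d" % trials
        d = truncated_digest(message, bits)
        if d in seen:
            return seen[d], message, trials
        seen[d] = message

def trials_by_size(sizes=(16, 20, 24, 28)):
    """Map n -> (trials used, 2^(n/2), 2^n) for comparison with the tables."""
    return {n: (birthday_collision(n)[2], 2 ** (n // 2), 2 ** n)
            for n in sizes}

if __name__ == "__main__":
    for n, (used, birthday, brute) in trials_by_size().items():
        print(f"n={n:2d}  collision after {used:6d} trials  "
              f"2^(n/2)={birthday:6d}  2^n={brute}")
```

Each extra bit of digest length doubles the brute force cost but raises the collision search cost only by a factor of about 1.4, which is why the digest length has to be chosen against 2^(n/2) rather than 2^n.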

Digest Sizes of Popular Algorithms

Digest sizes for the two most commonly used hash algorithms are:

MD5    128 bits
SHA    160 bits

There is a security/speed tradeoff. MD5 is faster than SHA. The Digital Signature Standard requires SHA, for increased security.

Applications to Authentication Protocols

Password Based Authentication: Hashes

Alice wants to prove her identity to Bob (who is probably a machine).

- Bob keeps a record of Alice’s hashed password. He does not know the password itself.
- Bob asks Alice to prove her identity by sending her secret password.
- Alice sends Bob her clear password.
- Bob hashes the password and compares the result to the hashed password in his records. If they match, he believes he is talking to Alice.

Password Authentication: Hashes (2)

- Bob forgets the clear password that Alice sent him, since only Alice is supposed to know it!
- This authentication method is used for standard Unix authentication.

Two flaws:

- Eve could sniff Alice’s clear password.
- Bob could log Alice’s clear password.

Authentication: Symmetric Crypto

Alice wants to prove her identity to Bob by proving that she knows a secret password.

- Bob maintains a record of Alice’s password.
- Bob generates a random number, and encrypts it using a symmetric algorithm with Alice’s password as key.
- Bob sends Alice the encrypted number.
- Alice decrypts the number, using her password as key.
- Alice sends the decrypted number back to Bob.

Authentication: Symmetric Crypto (2)

- Bob compares the number Alice sent with the original random number. If they match, Alice is authenticated.
- This authentication method is used by Kerberos.
- Eve cannot sniff Alice’s password, since it is never transmitted.
- Bob knows Alice’s secret password, and could use it for evil purposes.

Public Key Authentication

Alice wants to prove her identity to Bob.

- Bob maintains a record of Alice’s public encryption key.
- Bob generates a random number and encrypts it using Alice’s public key.
- Bob sends Alice the encrypted number.
- Alice decrypts the number using her secret decryption key.
- Alice sends the decrypted number back to Bob.

Public Key Authentication (2)

- Bob compares the number received from Alice with the original random number. If they match, Alice is authenticated.

Security advantages:

- Bob does not need to know any of Alice’s secrets, even temporarily.
- Eve cannot intercept any secrets, since none are transmitted.

Variants of this method are used by SSL and SSH.
