IN3210 – Network Security
Cryptographic Foundations
History of Cryptography
Confidential Communication
[Figure: Alice, Bob and Eve; the message "Dear Bob ...." travels from Alice to Bob.]
Confidential Communication
[Figure: communication between A and B.]
Steganography
⚫ Examples:
− Tattoo on head + growing hair back
− Invisible ink
− Micro dot
⚫ Security by obscurity
⚫ Typically not conforming with Kerckhoffs's principle
⚫ Modern steganography:
− Printer steganography
− Embedding into multimedia data
Cryptology
⚫ Cryptography
− Practice and study of using mathematics to protect data/information
− From Greek
▪ kryptos: "hidden, secret" and
▪ gráphō: "I write"
⚫ Cryptanalysis
− Practice and study of finding weaknesses or insecurity in a cryptographic scheme, thus permitting its subversion or evasion
− From Greek
▪ analýein: "to loosen" or "to untie"
Classical Cipher
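⚫ Caesar Cipher (50 B.C.)
[Figure: Caesar cipher with key 3; the plaintext alphabet is shifted by three positions, so the plaintext "Hello" becomes the ciphertext "Khoor".]
Encryption
[Figure: "Hello" is encrypted with key = 3 to "Khoor", which is decrypted with key = 3 back to "Hello".]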
Symmetric Encryption
[Figure: Alice encrypts "Dear Bob ...."; the ciphertext "6R4Y2 hlbMZ CB..." passes Eve; Bob decrypts it back to "Dear Bob ....".]
Caesar Cipher
⚫ Which plaintext is encrypted here?
− Ymjvznhpgwtbsktcozruxtajwymjqfeditl.
⚫ Try each possible key:
1. Xliuymgofvsarjsbnyqtwszivxlipedchsk.
2. Wkhtxlfneurzqiramxpsvryhuwkhodcbgrj.
3. Vjgswkemdtqyphqzlworuqxgtvjgncbafqi.
4. Uifrvjdlcspxogpykvnqtpwfsuifmbazeph.
5. Thequickbrownfoxjumpsoverthelazydog.
6. Sgdpthbjaqnvmenwitlornudqsgdkzyxcnf.
7. Rfcosgaizpmuldmvhsknqmtcprfcjyxwbme.
8. Qebnrfzhyoltkclugrjmplsboqebixwvald.
9. Pdamqeygxnksjbktfqilokranpdahwvuzkc.
10. …
Testing all possible values (e.g. of a key) is called a brute-force attack.
Security of Crypto Systems
⚫ The previous attack assumes that the attacker knows:
a) that the Caesar cipher was used for encryption
b) how the Caesar cipher works
⚫ What is the effect if the attacker does not have this information?
⚫ More generally: is a crypto system more secure if the system and its internal function are kept secret?
Kerckhoffs's Principle
⚫ “A cryptosystem should be secure even if the attacker knows all details about the system (including the encryption and decryption algorithms), with the exception of the secret key.”
⚫ Common mistake: believing that keeping cryptographic algorithms secret increases the security (“security by obscurity”)
⚫ Example: GSM A5 algorithms
− Details kept secret
− No cryptanalysis by the research community possible
− Attackers found weaknesses
− Nearly all variants nowadays broken!
Auguste Kerckhoffs (1835 – 1903), Dutch cryptographer
Caesar Cipher
[Figure: the ciphertext "TGF" decrypts to different plausible words depending on the key: "BON" (key 18), "HUT", "RED".]
Finding the correct key is hard without knowledge of (at least part of) the plaintext.
One-Time Pad Encryption
[Figure: one ciphertext decrypts to different plaintexts under the keys k1 ... k4, e.g. "Attack at dawn!", "Retreat at 1100", "The cat is dead".]
Basic Types of Attacks (on the Encryption Key)
⚫ Ciphertext-only attack
− The attacker has access to one or several ciphertexts
⚫ Known-plaintext attack
− The attacker has access to one or several plaintext / ciphertext pairs
⚫ Chosen-plaintext attack
− The attacker can retrieve ciphertexts for arbitrarily chosen plaintexts
⚫ (Adaptive) chosen-ciphertext attack
− The attacker can retrieve plaintexts for arbitrarily chosen ciphertexts
Monoalphabetical Substitution
⚫ Improvement over Caesar cipher
⚫ Each letter is replaced by (exactly) one other letter
⚫ Example:
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: U F L P W D R A S J M C O N Q Y B V T E X H Z K G I
⚫ Number of possible keys?
⚫ $26! \approx 10^{26} \approx 2^{88}$
Monoalphabetical Substitution
⚫ Can easily be broken by analyzing the letter frequency in the cipher text
⚫ A large key space is necessary but not sufficient for a secure encryption scheme
⚫ Next improvement: polyalphabetical substitution (e.g. Vigenère, 1550)
[Figure: letter frequency (English text) and bigram frequency (English text); bigram values shown: th 1.52%, he 1.28%, in 0.94%, er 2.26%, an 2.00%, re 1.99%, nd 1.88%, at 1.79%]
Enigma
⚫ Invented 1918 by Arthur Scherbius
⚫ Electro-mechanical rotor cipher machines
⚫ Used by the German forces during WWII
⚫ Implements a polyalphabetical substitution cipher
Enigma
⚫ When pressing a button on the keyboard:
− (at least) one rotor turns by one position
− an electrical circuit is closed and one bulb lights up
Enigma
⚫ Encryption was broken by Polish and British codebreakers in Bletchley Park
⚫ Most famous member:
− Alan Turing
Enigma
⚫ Simulator:
− http://users.telenet.be/d.rijmenants/en/enigmasim.htm
History of Cryptography
⚫ Simon Singh
⚫ The Code Book: The Secret History of Codes and Code-breaking
Crypto Primitives and their Usage
[Figure: mapping of the security services Confidentiality, Integrity, Authenticity and Non-repudiation to the crypto primitives Encryption (Cipher), Hash Functions and Digital Signature.]
(Symmetric) Encryption
Encryption
⚫ Encryption
− Process of converting ordinary information (the so-called plaintext) into unintelligible gibberish (the so-called ciphertext)
⚫ Decryption
− Reverse process, converting ciphertext back to plaintext
⚫ Cipher (or cypher)
− Pair of algorithms which perform the encryption and the reversing decryption
− The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key
Symmetric Encryption
⚫ The same key (secret key) is used for encryption and decryption
[Figure: a key generator supplies one symmetric key to both sides; Alice encrypts "Dear Bob ....", the ciphertext "6R4Y2 hlbMZ CB..." passes Eve, and Bob decrypts it with the same key.]
Formalization of (symmetric) Encryption
⚫ Space of plain texts: P
⚫ Space of cipher texts: C
⚫ Space of keys: K
⚫ Encryption:
$E: P \times K \to C,\quad E(x, k) = E_k(x)$
⚫ Decryption:
$D: C \times K \to P,\quad D(y, k) = D_k(y)$
⚫ D is the inverse function of E, i.e. for all x ∈ P and k ∈ K:
$D_k(E_k(x)) = x$
Formalization of Caesar Cipher
⚫ Numerical encoding of letters: A → 0, B → 1, …, Z → 25
⚫ Space of plain texts: $P = \mathbb{Z}_{26} = \{0, 1, \ldots, 25\}$
⚫ Space of cipher texts: $C = \mathbb{Z}_{26}$
⚫ Space of keys: $K = \mathbb{Z}_{26}$
⚫ Encryption:
$E_k(x) = x + k \bmod 26$
⚫ Decryption:
$D_k(x) = x + (-k) \bmod 26$
⚫ Size of key space? → |K| = 26
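The formalization above and the key search from the earlier Caesar Cipher slide, as an added Python example that is not part of the original slides. The function names and the optional known-plaintext fragment ("crib") filter are assumptions made here; the ciphertext is the one shown on the slide.

```python
# Added example: Caesar cipher over Z_26 and exhaustive search of the key space.

CIPHERTEXT = "Ymjvznhpgwtbsktcozruxtajwymjqfeditl."  # from the slide


def _shift(text: str, k: int) -> str:
    """Add k (mod 26) to every ASCII letter; everything else passes through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + k) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, k: int) -> str:
    """E_k(x) = x + k mod 26."""
    return _shift(plaintext, k)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """D_k(x) = x + (-k) mod 26."""
    return _shift(ciphertext, -k)


def brute_force(ciphertext: str, crib: str = None):
    """Try every key in K = Z_26.

    Without a crib all 26 candidates are returned and a human has to pick
    the meaningful one. With a crib (a fragment of plaintext the analyst
    already knows) only candidates containing it are kept.
    """
    hits = []
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        if crib is None or crib.lower() in candidate.lower():
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    for k, candidate in brute_force(CIPHERTEXT):
        print(f"{k:2d}. {candidate}")
    print("with crib 'the':", brute_force(CIPHERTEXT, crib="the"))
```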
Stream Cipher
[Figure: encryption combines plain text m with key stream ks to give cipher stream c; decryption combines cipher stream c with the same key stream ks to give plain text m' = m.]
Stream Ciphers
⚫ A stream cipher is a symmetric key cipher where plaintext bits ($m_i$) are combined with a pseudorandom cipher bit stream (key stream ks)
⚫ The pseudorandom key stream is generated by a pseudorandom number generator from a (shared) key
[Figure: a PRNG derives key stream ks from key k; ks is combined with plain text m to give cipher stream c.]
One time pad
⚫ Key stream is completely random and only used once
⚫ Problem: key exchange (key has the same size as the plain/cipher text)
⚫ Provably perfectly secure (can only be broken if the key is known)
⚫ Cipher text can mean anything
Examples for Stream Ciphers
⚫ A5/1 and A5/2 (1989; used in GSM) → broken
⚫ RC4 (1987) → broken
⚫ Salsa20 (2005)
⚫ ChaCha20 (2008)
Block Cipher
⚫ A block cipher (Enc) is a symmetric key cipher that takes as input an n-bit block of plaintext and a key (k), and outputs an n-bit block of ciphertext
[Figure: Enc with key k maps an n bit block to an n bit block; the plaintext "THIS IS A SIMPLE PLAINTEXT MESSAGE." is split into blocks and each block is encrypted with k.]
Examples for Block Ciphers
⚫ DES (Data Encryption Standard)
⚫ AES (Advanced Encryption Standard)
⚫ Blowfish
⚫ Twofish
⚫ RC6
⚫ MARS
⚫ Serpent
AES
[Figure: AES. Image source: Wikipedia]
AES and DES
⚫ DES (NIST 1977)
− 64 bit blocks and 56 bit keys
− Standard encryption in 1980s and 1990s
⚫ Advanced Encryption Standard (AES)
− AES (Rijndael) developed by Belgian cryptographers
− Standardized by NIST in 2000 as DES successor
− 128 bit blocks and 128, 192, 256 bit keys
Brute force attack on AES and DES
⚫ Brute force attack on 56 bit key:
− 1998: EFF DES Cracker (ASICs), 4.5 days, 250.000$
− 2006: COPACOBANA (FPGA), 6.4 days, 10.000$
− 2012: Pico Computing (FPGA), 0.5 days
⚫ Brute force attack on 128 or 256 bit key? (Assumption: breaking 56 bit in 1 second)
Key length | Duration (s = seconds, min = minutes, d = days, a = years)
56 bit | 1 s
64 bit | 4 min
80 bit | 194 d
112 bit | 10^9 a
128 bit | 10^14 a
192 bit | 10^33 a
256 bit | 10^52 a
Padding
⚫ What happens if you want to encrypt 100 bit with a 128 bit block cipher?
⚫ You must fill the plaintext up to the block length of the cipher
⚫ Approaches
− Decryption process knows the data length
▪ Example: from a header entry
▪ Block can be filled with random bits/bytes
− Decryption process does not know the data length
▪ Padding bits/bytes must be marked
Padding – One and Zeros
⚫ Attach one binary 1 followed by none, one or multiple binary 0s
− 11010010 101110 → 11010010 10111010
− 11010010 1011100 → 11010010 10111001
− 11010010 10111001 → 11010010 10111001 10000000 00000000
Padding PKCS#5
⚫ Padding of whole bytes
⚫ Let L be the block size (in bytes)
⚫ When N bytes are missing to a full block (1 ≤ N ≤ L): add N bytes each with the value N
⚫ Examples (L = 8, XX = existing message, all numbers in hex)
− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX 01
− XX XX XX XX XX XX XX XX | XX XX XX XX XX 03 03 03
− XX XX XX XX XX XX XX XX | XX 07 07 07 07 07 07 07
− XX XX XX XX XX XX XX XX | 08 08 08 08 08 08 08 08
⚫ Invalid padding example:
− XX XX XX XX XX XX XX XX | XX XX XX XX XX XX 08 02
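The padding rule above as an added Python example (not part of the original slides), including the check that rejects the invalid block shown on the slide. The function names and the PaddingError class are assumptions made here; L defaults to 8 as in the slide's examples.

```python
# Added example: PKCS#5-style padding with strict validation on removal.


class PaddingError(ValueError):
    """Raised when a padded message does not follow the padding rule."""


def pkcs_pad(message: bytes, block_size: int = 8) -> bytes:
    """Append N bytes of value N, where N bytes are missing to a full block."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must fit into one byte")
    # A message that already fills its last block gets a whole extra block
    # (N = L), so that the receiver can always find the padding.
    n = block_size - len(message) % block_size
    return message + bytes([n]) * n


def pkcs_unpad(padded: bytes, block_size: int = 8) -> bytes:
    """Remove the padding, rejecting anything that is not well formed."""
    if len(padded) == 0 or len(padded) % block_size != 0:
        raise PaddingError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size:
        raise PaddingError("padding length byte out of range")
    if padded[-n:] != bytes([n]) * n:
        raise PaddingError("padding bytes do not all carry the value N")
    return padded[:-n]


def is_valid_padding(padded: bytes, block_size: int = 8) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        pkcs_unpad(padded, block_size)
        return True
    except PaddingError:
        return False


if __name__ == "__main__":
    for length in (15, 13, 9, 8):
        print(length, pkcs_pad(b"X" * length).hex(" "))
    # The slide's invalid example: the last byte says N = 2,
    # but the byte before it is 08 instead of 02.
    print(is_valid_padding(b"X" * 14 + b"\x08\x02"))
```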
Modes of Operation
⚫ Block ciphers operate on a fixed length input
− DES, 3DES, IDEA: 64 bit
− AES: 128, 192, 256 bit
⚫ Processing of larger input
− Cut input into blocks of the required block size and process them one after the other
⚫ This naïve approach is also known as the Electronic Codebook (ECB) mode of operation
Block Cipher: Electronic Code Book
[Figure: "THIS IS A SIMPLE PLAINTEXT MESSAGE." is cut into blocks and each block is encrypted independently.]
Block Cipher: Electronic Code Book
[Figure: as on the previous slide; in addition, the plaintext "AAAA...A" encrypts to the repeated ciphertext block "Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0".]
ECB Encryption
Electronic Codebook (ECB)
⚫ Identical plaintext blocks are encrypted into identical ciphertext blocks
⚫ No protection of block order
⚫ Eases replay attacks
Cipher Block Chaining (CBC)
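[Figure: CBC mode. The plain text blocks b0, b1, ..., bn are each XORed with the previous cipher text block (the IV for b0) and then encrypted with Enc under key k, giving the cipher text blocks c0, c1, ..., cn.]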
CBC Encryption
Cipher Block Chaining (CBC)
⚫ Identical plaintext blocks are NOT encrypted into identical ciphertext blocks
⚫ More “randomness” inside the encrypted data
⚫ However: XOR of plain and cipher text can be misused (later)
Symmetric Encryption
⚫ One remaining problem: key generation
[Figure: symmetric encryption between Alice and Bob with Eve on the channel; the symmetric key comes from a key generator.]
Detour: Key Generation
⚫ Keys are derived from random numbers
⚫ Random number generation is not trivial
⚫ Computers are deterministic and can only generate pseudo random numbers
⚫ Poor “random” numbers which can be anticipated allow an attacker to calculate the keys
Detour: Key Generation
⚫ OpenSSL bug in Debian
Symmetric Encryption
⚫ Another remaining problem: key exchange
[Figure: symmetric encryption between Alice and Bob with Eve on the channel; the symmetric key from the key generator has to reach both Alice and Bob.]
Key Exchange and Asymmetric Encryption
Diffie Hellman Key exchange
⚫ Creating a common (symmetric) key only known to the communication partners
⚫ Created by Whitfield Diffie and Martin Hellman in 1976
Illustration of DH Key Exchange
[Figure: illustration of the DH key exchange. Image source: Wikipedia]
Modular Arithmetic
⚫ $a \equiv b \pmod{n}$ ⇔ there is an integer k such that a – b = kn
⚫ Example:
− $13 \equiv 19 \pmod{3}$, because 19 – 13 = 2 * 3
⚫ Simplified (sufficient for this lecture): mod operator
⚫ x mod n: remainder when performing an integer division of x by n
⚫ Example:
− 19 mod 3 = 1
− 13 mod 3 = 1
− 1234 mod 10 = 4
− $2^{20} \bmod 10 = 6$
Logarithm
⚫ Choose (integer) b and a and calculate $y = b^a$
⚫ Given just b and y can you calculate a?
⚫ Easy (logarithm): $a = \log_b y$
⚫ Example:
− b = 7, y = 13841287201, a = ?
Discrete Logarithm
⚫ Choose integer b, a and n and calculate $y = b^a \bmod n$
⚫ Given just b, n and y can you calculate a?
⚫ Example:
− b = 7, n = 1023, y = 439, a = ?
⚫ Hard problem: Discrete Logarithm Problem (DLP)
⚫ No simple calculation
⚫ Only (known) method: test all possible values for a (infeasible for large n)
Diffie Hellman Key exchange
⚫ Alice and Bob agree on (public parameters):
− Large prime number p
− Generator g (i.e. g is primitive root mod p)
⚫ Alice chooses a random number a and sends $g^a \bmod p$ to Bob
⚫ Bob chooses a random number b and sends $g^b \bmod p$ to Alice
⚫ Calculation of common secret:
− Alice: $(g^b)^a \bmod p$
− Bob: $(g^a)^b \bmod p$
− $(g^b)^a \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p = K$
[Figure: Alice sends $g^a \bmod p$ to Bob; Bob sends $g^b \bmod p$ to Alice.]
Diffie Hellman Key exchange
⚫ (Passive) attacker learns:
− g
− p
− $g^b \bmod p$
− $g^a \bmod p$
⚫ For calculating K the attacker additionally needs a or b
⚫ a or b cannot (easily) be derived from the known values: DLP
[Figure: Eve observes $g^a \bmod p$ and $g^b \bmod p$ on the channel.]
Weakness of DH Key Exchange
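[Figure: Mallory sits between Alice and Bob. Alice sends $g^a$ and receives $g^e$; Bob sends $g^b$ and receives $g^e$. Both sides assume secure communication, but Alice shares $K_1 = g^{ae} \bmod p$ with Mallory and Bob shares $K_2 = g^{be} \bmod p$ with Mallory.]
Solution: later!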
Breaking DH
⚫ Certain
⚫ Which size to choose for p?
− 512 bit → practically broken (2015)
− 1024 bit → estimated costs for breaking: 100 million $
− 2048 bit → secure, but long runtime
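The exchange and the discrete logarithm search described in the slides above, as an added Python example that is not part of the original slides. The toy parameters p = 23, g = 5 and the function names are assumptions chosen here; they are far too small for real use and serve only to show why the size of p matters.

```python
# Added example: Diffie-Hellman with toy parameters and the cost of the DLP.
import secrets


def dh_keypair(g: int, p: int):
    """Pick a random private exponent in [2, p-2] and return (private, public)."""
    private = secrets.randbelow(p - 3) + 2
    return private, pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """K = (peer's public value)^(own private exponent) mod p."""
    return pow(peer_public, private, p)


def discrete_log_bruteforce(b: int, y: int, n: int):
    """Test all exponents a = 0, 1, 2, ... until b^a mod n == y.

    The loop runs up to n times, so the effort grows with the size of n:
    instant for the slide's n = 1023, hopeless for a 2048 bit modulus.
    """
    value = 1  # b^0
    for a in range(n):
        if value == y % n:
            return a
        value = (value * b) % n
    return None


def passive_observer_key(g: int, p: int, pub_a: int, pub_b: int):
    """What a passive observer can compute from g, p, g^a mod p and g^b mod p
    when p is small enough for the exhaustive search to finish."""
    a = discrete_log_bruteforce(g, pub_a, p)
    return None if a is None else pow(pub_b, a, p)


if __name__ == "__main__":
    p, g = 23, 5  # toy public parameters (assumption, not from the slides)
    a, pub_a = dh_keypair(g, p)
    b, pub_b = dh_keypair(g, p)
    print("Alice:", dh_shared(pub_b, a, p), "Bob:", dh_shared(pub_a, b, p))
    print("Observer with small p:", passive_observer_key(g, p, pub_a, pub_b))
    # The slide's exercise: b = 7, n = 1023, y = 439
    print("a =", discrete_log_bruteforce(7, 439, 1023))
```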
Asymmetric Encryption
⚫ Problem of symmetric encryption:
− Shared secret must be distributed
⚫ Problem of DH key exchange:
− interactive protocol
− both parties must be “online” in order to start encrypted communication
⚫ Asymmetric Encryption:
− Use different keys for decryption and encryption
− Public encryption key is published (everyone can encrypt)
− Private decryption key is kept confidential (just owner can decrypt)
Asymmetric Encryption
⚫ Two distinct keys (private key and public key) are used for encryption and decryption respectively
[Figure: a key pair generator creates a public key and a private key; Alice encrypts "Dear Bob ...." with the public key, the ciphertext "6R4Y2 hlbM ZCB..." passes Eve, and Bob decrypts it with the private key.]
Formalization of (asymmetric) Encryption
⚫ Space of plain texts: P
⚫ Space of cipher texts: C
⚫ Space of keys: public/private key pairs: $K \subseteq PK \times SK$
⚫ Encryption:
$E: P \times PK \to C,\quad E(x, pk) = E_{pk}(x)$
⚫ Decryption:
$D: C \times SK \to P,\quad D(y, sk) = D_{sk}(y)$
⚫ D is the inverse function of E, i.e. for all x ∈ P and (pk, sk) ∈ K:
$D_{sk}(E_{pk}(x)) = x$
Asymmetric Encryption
⚫ Based on number theoretic problems
− RSA: Factorisation Problem
− ElGamal: Discrete Logarithm Problem (DLP)
⚫ RSA: named after its inventors (1978):
− Ronald Rivest
− Adi Shamir
− Leonard Adleman
RSA
⚫ Choose two prime numbers p and q
⚫ Calculate n = p · q, m = (p – 1) (q – 1)
⚫ Choose e and d with e · d ≡ 1 (mod m)
⚫ Public key: n, e
⚫ Private key: d
⚫ Encryption of message M:
$C = M^e \bmod n$
⚫ Decryption of cipher text C:
$M' = C^d \bmod n$
⚫ $M' = (M^e)^d \bmod n = M$
Follows from Euler's Theorem
RSA Calculation
⚫ 1. problem: calculation effort
− $x^n = \underbrace{x \cdot \ldots \cdot x}_{n}$ → n – 1 multiplications
⚫ Square and Multiply:
− Write n in binary; remove the first 1
− For every 1 perform first a square ($(\ldots)^2$) operation then a multiply operation (• x)
− For every 0 perform a square ($(\ldots)^2$) operation
⚫ Example:
− $n = 23_{10} = 10111_2$ → Q QM QM QM
− $x^{23} = (((x^2)^2 \cdot x)^2 \cdot x)^2 \cdot x$
− 7 multiplications instead of 22
⚫ “Standard” value for e:
− $65537_{10} = 10000000000000001_2$ → 16 multiplications
RSA Calculation
⚫ 2. problem: large intermediate values:
− “$M^e \bmod n$” is smaller than n, but “$M^e$” is very large
⚫ Property of mod operator:
− (x • y) mod n = ((x mod n) • (y mod n)) mod n
⚫ Application to Square and Multiply:
− Perform a “mod” operation after every square or multiply step
− Example:
▪ $x^{23} \bmod n = ((((x^2 \bmod n)^2 \bmod n) \cdot x \bmod n)^2 \bmod n \cdot x \bmod n)^2 \ldots$
− No intermediate value is larger than $n^2$
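Square and Multiply with a reduction after every step, used for a small RSA round trip, as an added Python example that is not part of the original slides. The primes p = 61, q = 53, the exponent e = 17 and the function names are assumptions chosen here for readability; real keys use primes of the sizes discussed in the slides.

```python
# Added example: modular exponentiation by Square and Multiply, applied to RSA.


def square_and_multiply(x: int, e: int, n: int):
    """Return (x^e mod n, number of modular multiplications performed)."""
    if e < 1 or n < 2:
        raise ValueError("need e >= 1 and n >= 2")
    bits = bin(e)[3:]          # binary digits of e with the first 1 removed
    result = x % n
    multiplications = 0
    for bit in bits:
        result = (result * result) % n   # Q: square, then reduce
        multiplications += 1
        if bit == "1":
            result = (result * x) % n    # M: multiply by x, then reduce
            multiplications += 1
    # Every product above has both factors < n, so it stays below n^2.
    return result, multiplications


def rsa_keygen(p: int, q: int, e: int):
    """Return ((n, e), d) with e * d = 1 (mod m), m = (p - 1)(q - 1)."""
    n = p * q
    m = (p - 1) * (q - 1)
    d = pow(e, -1, m)          # modular inverse; ValueError if none exists
    return (n, e), d


def rsa_encrypt(message: int, public_key) -> int:
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return square_and_multiply(message, e, n)[0]


def rsa_decrypt(ciphertext: int, d: int, n: int) -> int:
    return square_and_multiply(ciphertext, d, n)[0]


if __name__ == "__main__":
    print(square_and_multiply(3, 23, 1000))   # exponent 23: Q QM QM QM
    public_key, d = rsa_keygen(61, 53, 17)    # toy primes (assumption)
    c = rsa_encrypt(65, public_key)
    print(public_key, d, c, rsa_decrypt(c, d, public_key[0]))
```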
Prime Numbers
⚫ How to calculate large (~ 500 - 2000 bits) prime numbers?
⚫ 2 types of primality tests:
− Deterministic
− Probabilistic
⚫ Example: Solovay–Strassen primality test:
− max ½ probability of wrong answer
− Algorithm for testing if n is prime
▪ Repeat k times:
- Choose random number a
- Run primality test (uses number a as parameter)
- If false return “not prime”
▪ Return “probable prime”
− Error probability: $1/2^k$, e.g. $2^{-100}$ for k = 100
Breaking RSA
⚫ Best known attack on RSA: factorizing n
RSA number | Decimal digits | Binary digits | Cash prize offered | Factored on
RSA-100 | 100 | 330 | $1000 | April 1, 1991
RSA-110 | 110 | 364 | $4429 | April 14, 1992
RSA-120 | 120 | 397 | $5895 | July 9, 1993
RSA-129 | 129 | 426 | $100 | April 26, 1994
RSA-130 | 130 | 430 | $14,527 | April 10, 1996
RSA-140 | 140 | 463 | $17,226 | February 2, 1999
RSA-150 | 150 | 496 | - | April 16, 2004
RSA-155 | 155 | 512 | $9383 | August 22, 1999
RSA-160 | 160 | 530 | - | April 1, 2003
RSA-170 | 170 | 563 | - | December 29, 2009
RSA-576 | 174 | 576 | $10,000 | December 3, 2003
RSA-180 | 180 | 596 | - | May 8, 2010
RSA-190 | 190 | 629 | - | November 8, 2010
RSA-640 | 193 | 640 | $20,000 | November 2, 2005
RSA-200 | 200 | 663 | - | May 9, 2005
RSA-210 | 210 | 696 | - | September 26, 2013
RSA-704 | 212 | 704 | $30,000 | July 2, 2012
RSA-220 | 220 | 729 | - | May 13, 2016
RSA-768 | 232 | 768 | $50,000 | December 12, 2009
Source: Wikipedia
Hybrid Encryption (1/3)
⚫ Pros and cons of (a)symmetric encryption:
− Symmetric encryption:
▪ good performance (1000 times faster) vs. key exchange problem
− Asymmetric encryption:
▪ easier key management vs. slow performance + limited message size
⚫ Hybrid Encryption: combining the advantages:
− Encrypt a random symmetric session key by means of asymmetric encryption
− Encrypt the data with the symmetric session key by means of symmetric encryption
Hybrid Encryption (2/3)
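⚫ Encryption process
[Figure: Alice's key generator creates a symmetric key. The message "Dear Bob ...." is encrypted symmetrically with it (ciphertext "6R4Y2hlbMZCBaj39c2jmCw..."), and the symmetric key is encrypted asymmetrically with Bob's public key (encrypted key).]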
Hybrid Encryption (3/3)
⚫ Decryption process
[Figure: Bob decrypts the encrypted key asymmetrically with his private key and uses the resulting symmetric key to decrypt the ciphertext "6R4Y2hlbMZCBaj39c2jmCw..." symmetrically back to "Dear Bob ....".]
Exchange of Public Keys
⚫ Confidentiality not required → passive attacker can read the public key (no problem)
[Figure: Alice sends “Alice”, pub(A) to Bob while Eve listens; Bob answers with Enc(pub(A), M).]
Exchange of Public Keys
⚫ Integrity highly required → active attacker can modify/exchange the public key (system broken!)
Solution: later!
[Figure: Alice sends “Alice”, pub(A); Mallory replaces it with “Alice”, pub(E); Bob answers with Enc(pub(E), M).]
Hash Functions
Integrity testing
[Figure: Alice and Bob.]
Hash Function
[Figure: Alice and Bob, with the hash function h( · ).]
Definition of Hash Function
⚫h : * → n
[Figure: inputs of different length and content (encoded binary data, longer and shorter texts) are each mapped by the hash function to a hash value of fixed length.]
Real life example: Integrity Protection for Downloads
⚫ Ubuntu: File “MD5SUM”
⚫ Xfce: Note on Web site
cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso
14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso
99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso
e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso
Properties of Hash Functions
[Figure: between Alice and Bob, two different messages M and M’ have the same hash value: h(M) = 4711 and h(M’) = 4711.]
Collision resistant
⚫ Collision
− There exist two messages M and M’: M ≠ M’ and h(M) = h(M’)
⚫ Avoiding accidental collisions:
− Choose co-domain large enough
⚫ Collision resistant:
− It is not possible (using “reasonable” computation time) to find a collision, i.e. two messages M and M’ with h(M) = h(M’)
Poor Hash Function
⚫ Checksum:
[Figure: a checksum computed over the characters of the messages "Sell 18 books 10 EUR each", "Lorem ipsum dolor sit amet consetetur" and "Sell 11 books 80 EUR each"; checksum bytes shown: 39 AC 2E 31 7F 03 F5 81.]
Requirement for Hash Function
⚫ Randomness
− Small change on input → large change on output
− Avalanche effect
⚫ Rule of thumb
− 1 input bit is changed → 50 % output bits are changed
⚫ Example:
− SHA-1(“Hallo”) = 59d9a6df06b9f610f7db8e036896ed03662d168f
− SHA-1(“Hello”) = f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
Birthday Paradox
⚫ There are 23 people in one room
⚫ What is the probability that two persons have the same birthday (just day and month, not year)?
⚫ Answer: approx. 50%
Birthday Attack
⚫ Let h be a hash function with co-domain of size $2^n$ (i.e. with hash values of length n bit)
⚫ Calculation of a collision needs $2^{n/2}$ checks (average)
⚫ Conclusion: choose n as large as possible
⚫ Current recommendation:
− (average) $2^{80}$ checks required
− Hash values have minimum length 160 bit
⚫ If (at n bit length) fewer than $2^{n/2}$ tests are required: the hash function has a weakness
Properties of Hash functions
[Figure: Alice, Bob and Eve, with the hash value 4711.]
One-way function
⚫ One-way property (preimage resistant):
− There exists no (efficient) inverse function for h, i.e.
− It is not possible to calculate message M from hash value H with: h(M) = H
⚫ h collision resistant ⇒ h one-way function
Types of Hash Algorithms
⚫ Encryption-based
− Uses block ciphers
− Low performance
− insecure
⚫ Algebraic
− Uses number theory problems (e.g. discrete logarithm)
− Low performance
⚫ Ad-Hoc Design
− Uses: AND, OR, XOR, SHIFT, S-Boxes
− Most widespread usage
Common Hash Algorithms
⚫ MD5
− Message-Digest-Algorithm (R. Rivest, 1992)
− RFC 1321
− Input: < $2^{64}$ bit, Output: 128 bit
⚫ SHA-1
− Secure Hash Algorithm (NIST/NSA, 1994)
− Input: < $2^{64}$ bit, Output: 160 bit
⚫ SHA-2
− Secure Hash Algorithm (NIST/NSA, 2002)
− SHA-256: Input: < $2^{64}$ bit, Output: 256 bit
− SHA-384: Input: < $2^{128}$ bit, Output: 384 bit
− SHA-512: Input: < $2^{128}$ bit, Output: 512 bit
SHA-1 – Internal Structure
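[Figure: SHA-1 internal structure. The state consists of 5 x 32 bit words A, B, C, D, E (160 bit); it is updated 80 times using the rotations <<5 and >>2, additions, the function F, the constant K and the word W derived from the message M.]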
Merkle Damgård Construction
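[Figure: the message M, with the length of M appended, is split into Block 1, Block 2, ..., Block m. The compression function f is applied block by block, starting from the IV and passing n bit of state from step to step; the final output is the hash h(M).]
Compression function f, hash function h
f collision resistant ⇒ h collision resistant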
Security of Hash Algorithms
⚫ Known attacks on Hash properties
Algorithm | Attack on collision resistance | Attack on one-way property
MD5 | Yes | Yes
SHA-1 | Yes | No
SHA-2 | (Yes) | No
Security of Hash Algorithms
SHA-3 Competition
⚫ Creating new Hash function (successor of SHA-2)
⚫ Open competition by NIST started 2007
⚫ Public analysis and discussion of candidates
⚫ Criteria:
− Performance
− Security
− Diversity
⚫ Winner (announced 2012): Keccak
⚫ Standardized as SHA-3 (2015)
Breaking Hashes
⚫ “Anonymous” exam results
Breaking Hashes
⚫ How to find the pre-image of H? (i.e. finding m with h(m) = H)
⚫ Brute force attack: testing all possible values for m
− rather simple if the set of “all possible values” is rather small
− Examples:
▪ m is a short/simple password
▪ m is a matriculation number
▪ m is an IP address
⚫ Variation: Dictionary attack: testing just certain values
− Examples
▪ typical passwords (“1234”, “admin”, ...)
▪ real world words (“dog”, “car”, ...)
⚫ Lookup in a pre-calculated list of “all” m and h(m)
− Practical implementation: Rainbow Table
Breaking Hashes – Countermeasures
⚫ Brute force/Dictionary:
− avoid short/simple messages
− use special resource consuming “hash” functions (e.g. scrypt, Argon2)
− add a secret value to the hash calculation: pepper (not always possible)
⚫ Rainbow table:
− avoid short/simple messages
− add a (non-secret) random value to the hash calculation: salt
Integrity Protection and Digital Signature
Message Authentication Code
[Figure: Alice computes a MAC over "Dear Bob ...." and sends message and MAC; Bob computes the MAC over the received message and compares it with the received MAC (= ?).]
Message Authentication Code
⚫ A Message Authentication Code (MAC) is a short piece of information used to authenticate a message
⚫ The involved key makes it possible to provide authentication in addition to integrity
⚫ In some contexts a MAC is also called a symmetric signature
⚫ First idea for implementation:
$mac_k(m) = h(k \,\|\, m)$
(here || is the concatenation operator)
[Figure: two chains of the compression function f starting from the IV. The first chain processes k and m and outputs mac. Continuing from mac with the extension e yields mac*, which equals the output of the full chain over k, m and e.]
Length extension attack (simplified)
⚫ Possible with hash functions based on M-D-Construction
⚫ Idea:
− A and B have shared secret k
− A creates message m and mac = h(k||m)
− E intercepts message and MAC
− E creates e and m* = m||e and mac* = h(k||m*) = h(k||m||e) (no knowledge of k is required!)
− E sends m* and mac* to B
− B verifies m* and mac* and thinks the message is from A
Length extension attack (simplified)
⚫ The attacker was able to create a message m* = m || e and a MAC mac* with mac* = h(k||m*)
⚫ No knowledge of k is required
⚫ Problem: does m* still make sense to the recipient?
⚫ Example:
− Original message: count=10&lat=37&user_id=1&long=-119&waffle=eggo
− New message: count=10&lat=37&user_id=1&long=-119&waffle=eggo&waffle=liege
Example Source: Wikipedia
Message Authentication Code
⚫ Solution: HMAC
$mac_k(m) = HMAC(m, k) = h\big((k \oplus opad) \,\|\, h((k \oplus ipad) \,\|\, m)\big)$
− with opad and ipad fixed constants:
▪ ipad = the byte 0x36 repeated B times
▪ opad = the byte 0x5C repeated B times
▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)
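The HMAC formula above written out with Python's hashlib and checked against the standard library's hmac module, as an added example that is not part of the original slides. The key and the function names are assumptions made here; the message is the one from the length extension slide, and the key preparation (zero padding to B bytes, hashing keys longer than B) follows RFC 2104, which the slide's formula leaves implicit.

```python
# Added example: HMAC built from its definition, plus constant-time verification.
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """h((k XOR opad) || h((k XOR ipad) || m)) with B = block size of h."""

    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    B = hashlib.new(hash_name).block_size   # 64 for SHA-1
    if len(key) > B:                        # RFC 2104: long keys are hashed first
        key = h(key)
    key = key.ljust(B, b"\x00")             # then padded with zero bytes to B
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    return h(k_opad + h(k_ipad + message))


def stdlib_hmac(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """Reference value from the standard library."""
    return hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare without leaking timing information."""
    return hmac.compare_digest(hmac_from_definition(key, message), tag)


KEY = b"constructed-shared-secret"  # constructed sample key
MESSAGE = b"count=10&lat=37&user_id=1&long=-119&waffle=eggo"  # from the slide

if __name__ == "__main__":
    tag = hmac_from_definition(KEY, MESSAGE)
    print("matches hmac module:", tag == stdlib_hmac(KEY, MESSAGE))
    print("original message   :", verify_tag(KEY, MESSAGE, tag))
    # An appended parameter with the old tag is rejected: the receiver
    # recomputes the tag over the received message under the shared key.
    print("extended message   :", verify_tag(KEY, MESSAGE + b"&waffle=liege", tag))
```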
Message Authentication Code
⚫ Security services:
− Authenticity
− Integrity
⚫ Limitations:
− For verification knowledge of secret key required
− Every owner of the secret key can create the MAC
− → not possible to decide if Alice or Bob created the MAC
− → the actual creator of the MAC can deny the creation
− → no “non-repudiation” property
Digital Signature
⚫ Equivalent to traditional handwritten signatures
⚫ Properties:
− Only one person can create the signature
− Everyone can verify the signature
− Can identify the creator of the signature
− Is bound to a specific document
− Prohibits changes to the document
[Figure: the properties are grouped under the security services non-repudiation, integrity and authenticity.]
Formalization of Digital Signature
⚫ Space of messages: M
⚫ Space of signatures: S
⚫ Space of keys: public/private key pairs: $K \subseteq PK \times SK$
⚫ Sign operation:
Sig: M x SK → S, sig = Sig(m, sk)
⚫ Verify operation:
Verify: M x S x PK → {true, false}, isValid = Verify(m, sig, pk)
⚫ Valid signature: for all m ∈ M and (pk, sk) ∈ K
Verify(m, Sig(m, sk), pk) = true
Digital Signature (here: RSA)
[Figure: Alice hashes "Dear Bob ...." and encrypts the hash; Bob hashes the received message, decrypts the received value and compares the two results (= ?).]
Digital Signature
⚫ Properties:
− Only one person can create the signature ✓
▪ Private key required
− Everyone can verify the signature ✓
▪ Public key is sufficient (need the correct public key)
− Can identify the creator of the signature ✓
▪ Owner of the private key = creator (unless private key was stolen)
− Is bound to a specific document ✓
▪ move signature to a different document → hash of document ≠ hash inside signature (unless collision) → verification fails
− Prohibits changes to the document ✓
▪ change of document → change of hash (unless collision) → verification fails
Again: Integrity Protection for Downloads
Putty – SSH Client for Windows
Digital Signature (in general)
[Figure: Alice hashes "Dear Bob ...." and applies Sign; Bob hashes the received message and applies Verify, with the result valid / invalid.]
Digital Signature
⚫ Example algorithms:
− RSA with SHA2
− DSA with SHA2
− ECDSA with SHA2
Final Remarks
Elliptic Curve Cryptography
⚫ DSA and DH are based on modular exponentiation over a (finite) field of integers
⚫ One can perform similar operations on an “elliptic curve”
⚫ Main advantage:
− same security level with shorter key
− better performance (runtime up to 10 times faster)
Security Level | RSA/DH (NIST) | RSA/DH (ECRYPT) | ECDH
80 | 1024 | 1248 | 160
112 | 2048 | 2432 | 224
128 | 3072 | 3248 | 256
192 | 7680 | 7936 | 384
256 | 15360 | 15424 | 512
Practical Usage Recommendations
⚫ Symmetric Encryption: AES-256, mode: GCM (later)
⚫ Asymmetric Encryption: RSA-2048 (or longer)
⚫ Key exchange: ECDHE-256
⚫ Hash: SHA-256
⚫ Message Authentication:
− AES in GCM mode (authenticated encryption)
− Poly1305 (e.g. in combination with ChaCha20)
⚫ Signature: