Cryptography Crash Course Symmetric Key Cryptography School on - - PowerPoint PPT Presentation
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(
School on Secure IoT, 2016
KU Leuven/COSIC
Clear text
CRYP TOB OX CRYP TOB OX
Clear text
%^C& @&^( %^C& @&^(
Alice Bob Eve
(Kerckhoffs’s principle)
English)
ciphertext
plaintext
plaintext appears: a brute force attack
force)
security of their cryptosystems
10010
11001 01011 11001
10010 01011 key is random string, as long as the plaintext information theoretic proof of security C P P Vernam scheme (1917) Shannon (1948) Mauborgne: one time pad
(1917+x)
function
next state function
function
next state function
sufficient to recover both of them
* = (pj Å zj)Å(pj * Å zj)= pj Å pj *
keystream repetitions
1. Key setup (once) 2. IV setup (once per message) 3. Keystream generation
Attacker’s abilities: obtains one ciphertext
(for now)
Possible security requirements: attempt #1: attacker cannot recover secret key attempt #2: attacker cannot recover all of plaintext Recall Shannon’s idea:
CT should reveal no “info” about PT
PRG must be unpredictable: ∀i: no “efficient” adv. can predict bit (i+1) for “non- neglible” ε PRG must be indistinguishable from real randomness: There exists some heuristical tests, e.g. NIST http://csrc.nist.gov/groups/ST/toolkit/rng/documentatio n_software.html
For b=0,1 define experiments EXP(0) and EXP(1) as: for b=0,1: Wb := [ event that EXP(b)=1 ] AdvSS[A,E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]
Chal.
b
kK
m0 , m1 M : |m0| = |m1| c E(k, mb)
b’ {0,1}
Thm: G:K ⟶{0,1}n is a secure PRG ⇒ stream cipher E derived from G is sem. sec. ∀ sem. sec. adversary A , ∃a PRG adversary B s.t. AdvSS[A,E] ≤ 2 ∙ AdvPRG[B,G]
Software oriented
Hardware oriented
analysis becomes impossible (infeasible)
AAAA AAAB AAAC … ZZZZ QAQZ WIJT ENTO … MIHB
elements: T[X] = f(X,key)
software
(Shannon)
functions (substitutions, S- boxes)
interconnection
rounds
Key Schedule
round
round round round
Plaintext 1 Key (256)
Key Schedule
round
round round round
plaintext2 Key (256)
C
ciphertext2 ciphertext1
banking schemes)
bad implementation mistakes
Key Schedule
round
round round round
plaintext Key (256) ciphertext
model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than C) he can find the key in a few seconds for any cipher with a 256-bit key
the key is an easy fix
AdvPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.”
Chal.
b
b=0: kK, f E(k,) b=1: fPerms[X]
x1 X
f(x1)
b’ {0,1}
f
, x2, …, xq , f(x2), …, f(xq)
Any secure PRP is also a secure PRF, if |X| is sufficiently large. Lemma: Let E be a PRP over (K,X) Then for any q-query adversary A:
Suppose |X| is large so that q2 / 2|X| is “negligible” Then AdvPRP [A,E] “negligible” AdvPRF[A,E] “negligible”
would not introduce weaknesses
P1 C1
P2 C2
P3 C3
P1 C1
P2 C2
P3 C3
+ + +
IV
AES IV P1 C1 AES AES Pi-1 Pi Ci-1 Ci AES Pj-1 Cj-1 AES AES Pj Pj+1 Cj Cj+1
Suppose E(k,m) always outputs same ciphertext for msg m. Then: If secret key is to be used multiple times
given the same plaintext message twice, encryption must produce different outputs.
Chal. Adv. kK m0 , m1 M c E(k, mb) m0 , m0 M c0 E(k, m0)
if c = c0
(k,n) pair never used more than once
Alice E m, n E(k,m,n)=c Bob D c, n D(k,c,n)=m k k
Let (E,D) be a PRP. ECBC(k,m): choose random IV∈X and do:
E(k,) E(k,) E(k,)
m[0] m[1] m[2] m[3] IV
E(k,)
c[0] c[1] c[2] c[3] IV ciphertext
CTR C1
+
P1
CTR+1 C2
+
P2
CTR+2 C3
+
P3
m[0] m[1] … F(k,IV) F(k,IV+1) … m[L] F(k,IV+L)
c[0] c[1] … c[L] IV IV
note: parallelizable (unlike CBC)
msg ciphertext
Let F: K × {0,1}n ⟶ {0,1}n be a secure PRF. E(k,m): choose a random IV {0,1}n and do:
Block ciphers
Stream ciphers
(LFSRs)
Protect short hash value rather than long text
This is an input to a crypto- graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). 1A3FD4128A198FB3CA345932
Preimage resistance: for given y, hard to find input x such that h(x) = y (2n operations) 2nd preimage resistance: hard to find x’ x such that h(x’) = h(x) (2n operations) Collision resistance: hard to find (x,x’) with x’ x such that h(x’) = h(x) (2n/2 operations)
Hello Bob, I am Alice. My password P is Xur%9pLr
OK! BUT
Alice Xur%9pLr
preimage
—
(username, password)
— (username,hash(password))
find a preimage
Hello Bob, I am Alice. My password P is Xur%9pLr
OK!
Bob stores f(P) rather than Alice’s secret P
P
One-way function f
f(P) Alice
f(Xur%9pLr)
10 20 30 40 50 60 70 lower case lower case + digits mixed case+digits keyboard 5 chars 6 chars 7 chars 8 chars 9 chars 10 chars
Problem: passwords from dictionaries
Hello Bob, I am Alice. My password P is Xur%9pLr
OK!
Bob stores f(P,S) || S rather than Alice’s secret P it is harder to attack the passwords of all users simultaneously
f(Xur%9pLr||987&*) || 987&*
P
One-way function f
f(P||S) S
give every user at registration a random publicly known value S (salt)
Alice
2nd preimage
channel (e.g., read it over the phone)
the recipient if he finds a second preimage of x
— compute a hash of the files on a USB
stick before you lend it to your friend
— you can store the hash on your laptop or
write it down
collision
software driver for the O/S company Bob
— x is correct code — x’ contains a backdoor that gives Alice access
to the machine
private key
these users verify the signature on x with Bob’s public key
h(x) = h(x’)!
collision
commit to a value x without revealing it
= h(x || r) to Bob
and r to Bob and he checks that y is correct
(x’,r’) with x’ x she can cheat
cheat
random oracle)
between them is complex
MD5 SHA SHA-1 SHA-256 SHA-512 HAVAL
RIPEMD RIPEMD-160 MD4
90 91 92 93 94 95 02
implications so far limited
more rounds)
(large permutations)
decades
Bob wants to know:
Data authentication is typically more complex than data confidentiality To just detect data manipulation: hash Otherwise: MAC (with a secret key)
This is an input to a MAC
long string, that is reduced by the hash function to a string of fixed
security conditions: it should be very hard for someone who does not know the secret key to compute the hash function on a new input. 7E6FD7198A198FB3C
Replace protection of authenticty of (long) message by protection of secrecy of (short) key Add MAC to the plaintext
Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
Alice Bob
k k
message m tag
Generate tag: tag S(k, m) Verify tag: V(k, m, tag) = `yes’
?
Message Authentication Code think of it as a hash function with secret key:
large number of pairs {Xi, hK(Xi)} is known
secret key: forgery (verifiable or not verifiable)
bits
expected
(authentication codes): GCM and UMAC
should be replaced)
Attacker’s power: chosen message attack
Attacker’s goal: existential forgery
(m,t) { (m1,t1) , … , (mq,tq) }
⇒ attacker cannot produce a valid tag for a new message ⇒ given (m,t) attacker cannot even produce (m,t’) for t’ ≠ t
MAC ?
x2 ENC K1 x1 ENC K1 xt ENC K1 MACK1(x) G H1 H2 Ht-1 …
Security with AES-128:
and 2 known texts [Knudsen97] Acceptable for most applications (not for DES!)
prepend length to avoid that one can compute h(K1||x||y) from h(K1||x) without knowing K1
risky: less secure than h
K1 x x K2 K1 x K2
Most widely used MAC on the Internet. Building a MAC out of a hash function:
HMAC: S( k, m ) = H( kopad , H( kipad ll m ) )
implications
robustness
Cryptography Crash Course Public-key cryptography
KU Leuven/COSIC
School Secure IoT, 2016
1 Mathematical background
Prime numbers and modular arithmetic Elliptic curve One-way & trapdoor one-way functions
2 Public-key cryptosystems
Key agreement Public-key encryption Hybrid systems Digital signatures
Symmetric key cryptography
Key Alice ciphertext Bob Key
abc abc #!$
Public key cryptography
Public Key Bob Alice ciphertext Bob Private Key Bob
abc abc #!$
Elliptic Curves
Definition Elliptic curve E over field K is defined by y2 + a1xy + a3y = x3 + a2x2 + a4x + a6, ai ∈ K The set E(K) consists of all (x, y) ∈ K × K, which satisfy this equation together with ∞ ∞ is called point at infinity Theorem There exists addition law on E and the set E(K) is a group
Elliptic Curves over R
−8 −6 −4 −2 2 4 6 8 −6 −4 −2 2 4 6 −6 −4 −2 2 4 6 8 −6 −4 −2 2 4 6y2 = x3 + 4x2 + 4x + 3 y2 = x3 − 7x + 6
Addition Law on Elliptic Curve
R P Q x y
R = P ⊕ Q
Elliptic Curves over Finite Fields
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 u u u u u u u u u u u u u u u u u u u u u u u u u uThe elliptic curve y2 = x3 + x + 3 mod 23
One-way functions
Definition f : X − → Y : x → f (x) = y is a one-way function ⇔ ∀x ∈ X, f (x) is easy to compute Given y ∈ Y , finding an x ∈ X, with f (x) = y is a hard problem (computationally infeasible) Note: do such functions exist? = open problem
Candidate one-way functions
Multiplication: given p, q, compute n = p · q Inverse problem: given a large n, product of 2 primes of about the same size, find these primes Modular exponentiation: given a, n with a ∈ [1, n − 1] am mod n can be computed efficiently (square and multiply) Inverse problem (= discrete logarithm): given a, n and b, find x such that ax mod n ≡ b
Candidate one-way functions
Scalar multiplication on elliptic curve Let E be an EC over a finite field and P point on E Then Q = s · P can be computed efficiently (add and double) The ECDLP is to compute s given P and Q
Trapdoor one-way functions
Definition One-way functions which can be inverted using additional information, i.e. the trapdoor information
Trapdoor one-way functions
Definition One-way functions which can be inverted using additional information, i.e. the trapdoor information Example: Let n = p · q, consider modular exponentiation modulo n b = ae mod n Inverse operation: e-th root of b Given p and q inverse operation is easy, so p (and q) are the trapdoor information
1 Mathematical background
Prime numbers and modular arithmetic Elliptic curve One-way & trapdoor one-way functions
2 Public-key cryptosystems
Key agreement Public-key encryption Hybrid systems Digital signatures
Public-key key agreement: Diffie-Hellman
Transactions on Information Theory, vol. IT-22, Nov. 1976.
Agree on a secret key using commutative one-way functions
Private Key A Public Key B Public Key A Private Key B A shared secret B shared secret
Diffie-Hellman (1)
Choose a large prime number p and a generator g mod p Alice Bob a ∈R [1, p − 1], ga − ga − − − − − − − − → b ∈R [1, p − 1], gb ← gb − − − − − − − − − KBA = (gb)a KBA = (ga)b Note: all calculations mod p
Diffie-Hellman (2)
Diffie-Hellman assumption: given ga and gb, it is hard to compute ga·b If Diffie-Hellman assumption true, then key agreement secure (bar authentication) Diffie-Hellman problem cannot be harder than the discrete logarithm problem
Many groups: DHP equivalent with DLP, i.e. given oracle to solve DHP, also possible to solve DLP
Diffie-Hellman with Elliptic Curve
Choose an elliptic curve E(Fp) and generator G ∈ E(Fp) Alice Bob a ∈R [1, #E], aG − aG − − − − − − − − → b ∈R [1, #E], bG ← bG − − − − − − − − − KBA = a(bG) KBA = b(aG)
Public-key encryption
Send a confidential message protected with a public key (trapdoor
DSB[EPB(m)] = m
Public Key Bob Alice ciphertext Bob Private Key Bob
abc abc #!$
PB D E SB m
Public-key encryption
A public key encryption scheme E = (G, E, D) is a triple of algorithms: Key-generation algorithm: probabilistic algorithm G(k) which returns matching public/private key pair (P, K) given security parameter k, e.g. the length of the keys
Public-key encryption
A public key encryption scheme E = (G, E, D) is a triple of algorithms: Key-generation algorithm: probabilistic algorithm G(k) which returns matching public/private key pair (P, K) given security parameter k, e.g. the length of the keys Encryption algorithm: probabilistic algorithm EP : M → C which returns ciphertext c = EP(m) Decryption algorithm: deterministic algorithm DK : C → M ∪ {⊥}, with the property that DK(c) = m for c = EP(m)
Provable security of encryption
Trivial requirement: hard to invert (trapdoor) one-way function, or cryptographic primitive should be secure However: most real life attacks target higher level protocol
Provable security of encryption
Provable security = Reductionist security Define secure? Goal of adversary, i.e. what do we call a “break” of a protocol? Power of adversary, i.e. what is the adversary allowed during the attack? Computational model, i.e. do we make the assumption that ideal hash functions exist?
Provable security of encryption
Semantic security: Polynomial time adversary can learn nothing about plaintext given ciphertext Hard to use in practice
Provable security of encryption
Indistinguishability of encryptions:
abc
#!$
xyz 1 Find stage:
A produces messages m0 and m1
2 Guess stage:
A gets encryption cb of either m0 or m1
3 Goal:
A has to guess b with probability > 1/2 (not negligible)
Public-key encryption: attack models
Passive attack = CPA: Adversary has access to black box performing encryption, but not decryption
Public-key encryption: attack models
Passive attack = CPA: Adversary has access to black box performing encryption, but not decryption Chosen ciphertext attack = CCA1: Adversary has access to black box performing decryption, during the find stage only (i.e. before outputting m0 and m1)
Public-key encryption: attack models
Passive attack = CPA: Adversary has access to black box performing encryption, but not decryption Chosen ciphertext attack = CCA1: Adversary has access to black box performing decryption, during the find stage only (i.e. before outputting m0 and m1) Adaptive chosen ciphertext attack = CCA2: Adversary has access to black box performing decryption, during the entire attack, except to decrypt ciphertext cb
RSA: description
Key generation Find 2 primes p and q of ± 1024 bits and set n = p · q Compute ϕ(n) = (p − 1)(q − 1) Choose e co-prime to ϕ(n) (= ±1) Compute d = e−1 mod ϕ(n) public key = (e, n) private key = (d, n) or (p, q) Encryption: c = me mod n Decryption: m = cd mod n
RSA: security in practice
Need to use padding scheme (homomorphic property) Each user needs different n Small d is not secure (< 29% of length n) Small e requires adequate padding scheme Partial key exposure attacks . . . Chosen ciphertext attack on PKCS#1 v1.5 based on error messages
ElGamal encryption
Key generation: Parameters: (safe) prime p and generator g of GF(p)× Private key: x (1 < x < p − 1) Public key: y = gx mod p
ElGamal encryption
Key generation: Parameters: (safe) prime p and generator g of GF(p)× Private key: x (1 < x < p − 1) Public key: y = gx mod p Encryption: Random k with gcd(k, p − 1) = 1 r = gk mod p s = yk · m mod p Ciphertext: c = (r, s) Decryption: m = s · r−x mod p
ElGamal encryption
Security: discrete log problem, not factoring Ciphertext expansion Secure random number generator for k Non-deterministic encryption
Hybrid systems: KEM-DEM Construction
Alice C1 Bob
abc abc #!$
PB D E SB m C0 D E K K
KEM DEM
General DEM Construction (Encrypt-then-MAC)
Requires a MAC of key length n1 bits and symmetric cipher E
DEM Encryption: takes as input key K of n0 + n1 bits and message M
Parse K as k0||k1 where k0 has n0 bits and k1 has n1 bits Compute c0 = E(k0, M) Compute c1 = MAC(k1, c0) Return C = c0||c1
Note: Do NOT MAC-then-Encrypt or Encrypt-and-MAC (generally not secure)
ECIES-KEM (1)
System setup: as in ElGamal Key generation: as in ElGamal
Private key: random integer x Public key: H = xG
KEM.Encrypt: takes as input public key H
Generate random element r Compute C0 = rG Compute K = KDF(C0||rH) KDF: key derivation function, basically hash function combined with counter
ECIES-KEM (2)
Have to be a bit careful due to “small subgroup attacks” KEM.Decrypt: input private key x and ciphertext C0
Test if C0 has order q, so really in subgroup Compute H′ = xC0 Compute K = KDF(C0||H′) and return K
ECIES-KEM is secure in random oracle model assuming Gap-CDH is hard Gap-CDH: solve CDH using an oracle that solves DDH
Digital signatures
Private Key Alice Alice signed m Bob Public Key Alice
abc abc abc
PA V S SA m s
Digital signatures
Data integrity: authentication of content Data origin authentication: authentication of sender Non-repudiation: signer cannot deny signing message Digital signature: Can be verified by a third party (such as a judge) 2 operations: sign and verify
Digital signatures: security notions
Total break: adversary can produce signatures on any message, as if she was the valid key holder (basically has the private key) Selective forgery: adversary can forge a signature on single message chosen by someone else with high probability Existential forgery: adversary can forge signature on single message, even random message is OK
Digital signatures: attack models
Key only attack: Adversary has access to verification function (is public anyway) Known message attack: Adversary has list of messages previously signed by key holder Chosen message attack: Adversary has access to singing oracle
Digital signatures algorithms
RSA ElGamal signature (1985) and variants (1989, . . . ) DSA (Digital Signature Algorithm), FIPS 186 (1994) + variants: ECDSA Schnorr signatures + variants: ECSchnorr, ed25519 QUARTZ (based on MQ problem) ECNR: EC Nyberg-Rueppel Signatures Digital signature standards: ISO/IEC 9796, ISO/IEC 14888
ECC vs. RSA & DSA: Security
1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 50 100 150 200 250 300 350 400 450 500 Keylength conventional systems RSA and DSA Keylength elliptic curve systemKey lengths in bits for equivalent cryptographic strength ECDSA RSA/DSA
EC Digital Signature Algorithm (ECDSA)
ECDSA is elliptic curve analog of DSA Used to provide data origin authentication, data integrity and non-repudiation Standards for ECC (including ECDSA & ECIES):
ANSI X9.62, X9.63 NIST FIPS 186-2 IEEE 1363-2000 ISO/IEC 14888-3, 9796-4, 15946 SECG
EC Key Pair Generation
Domain parameters
Elliptic curve E over finite field Fq Point G ∈ E(Fq), n = ord(G) and cofactor h = #E(Fq)/n
Private and public key
Select random integer d in the interval [1, n − 1] Compute Q = d · G Public key is Q, private key is d
ECDSA Signature Generation
To sign a message m do the following:
1 Select a random integer k with 1 ≤ k ≤ n − 1 2 Compute k · G = (x1, y1) and r ≡ x1 mod n. If r = 0 go to
step 1
3 Compute k−1 mod n 4 Compute e = HASH(m) 5 Compute s ≡ k−1(e + dr) mod n. If s = 0 go to step 1 6 The signature for the message m is (r, s)
ECDSA Signature Verification
To verify a signature (r, s) on m do the following:
1 Verify that r and s are integers in the interval [1, n − 1] 2 Compute e = HASH(m) 3 Compute w ≡ s−1 mod n 4 Compute u1 ≡ ew mod n and u2 ≡ rw mod n 5 Compute u1 · G + u2 · Q = (x1, y1) and v ≡ x1 mod n 6 Accept signature if and only if v = r
ECSchnorr Signature Generation
To sign a message m do the following:
1 Select a random integer k with 1 ≤ k ≤ n − 1 2 Compute R = k · G = (x1, y1) 3 Compute e = HASH(mR) 4 Compute s ≡ k − de mod n. If s = 0 go to step 1 5 The signature for the message m is (s, e)
Verification:
1 Compute R′ = sG + eQ 2 Check e = HASH(mR′)
ECDSA/ECSchnorr
Sony Attack (2010): ECDSA with static k → full key recovery (signatures on different m) Bad randomness: both ECDSA and ECSchnorr vulnerable ECDSA: e.g. 3 bits of r for 100 signatures reveal d! ECSchnorr: no inverses, collission resiliance Variants (ed25519) avoid randomness issues.
Lots more about PK crypto
Special primitives: authentication, identity based encryption, blind signatures, anonymous/private authentication, key establishment, (fully) homomorphic encryption, zero knowledge... Attack algorithms Interaction attacks ↔ choice of parameters/system Security assumptions, models, provable security Efficient implementation Secure implementation ...
Slide credits: Bart Preneel Vincent Rijmen Frederik Vercauteren Jens Hermans Dan Boneh