Cryptography MELISSA CHASE, MSR
Modern Cryptography “…the scientific study of techniques for securing digital information, transactions, and distributed computations” – Katz and Lindell ’07 ◦ Authentication ◦ Verifiable elections ◦ Secure auctions ◦ Electronic cash ◦ …. Today: Secure Communication ◦ How can Alice securely communicate with Bob over an untrusted channel
Historical Cryptography Used for transmitting secret information: Ceasar cipher: ◦ Key is 3, i.e. shift letter right by 3 ◦ Plaintext: meet me at central park ◦ Ciphertext: phhw ph dw fhqwudo sdun ◦ Can we break this? ◦ Yes: brute force attack, or letter frequencies Vignere cipher ◦ Key is cat , i.e. shift first letter right by 3, second letter right by letter right by 1, third letter right by 20, then repeat ◦ Plaintext: meet me at central park catc at ca tcatcat catc ◦ Ciphertext: pfyw ny du whonubh sbln ◦ Brute force attacks are harder, letter frequencies still work ◦ Even a small piece of plaintext with corresponding ciphertext is enough to recover the ke y *Example from [Daswani]
Principles of modern cryptography Kerckhoff’s rule: Cryptographic algorithms should be public ◦ Security rests on keeping keys secret (and choosing keys at random) ◦ Community can verify security of algorithms before they are deployed Clearly define assumptions and security guarantees ◦ Understand exactly what is assumed from underlying building blocks/mathematical tools ◦ Understand exactly what security guarantees the crypto system provides ◦ Crypto is a tool! (no guarantees if used incorrectly, or if the rest of the system is insecure)
Principles of modern cryptography An adversary with unbounded power can break (essentially) all crypto ◦ Ex. Can try to decrypt with all possible keys. Unless you have as many possible keys as possible messages, this allows adversary to rule out some messages Estimate reasonable bounds on power of adversary – crypto should be unbreakable for any adversary within those limits ◦ Ideally, cost for honest parties to use crypto scales linearly/quadratically, but cost for adversary to break crypto scales exponentially Cryptographic algorithms are parameterized by security levels ◦ 128-bit level crypto should take roughly 2 128 operations to break ◦ (Time to exhaustively try every 128-bit key) ◦ 256-bit crypto should take twice as long for honest parties to run (or maybe 4x), but 2 128 times as many operations to break
Secure Communication Alice Bank “My password is 485853.” “Transfer $100 to Carol” Eve Eve can see what passes over the network Alice wants to guarantee: ◦ Confidentiality: Eve does not learn anything about Alice’s message (Encryption) ◦ Integrity: Eve cannot change Alice’s message (MACs/Signatures)
Confidentiality: Symmetric Key Setting Alice Bank 𝒍 𝒍 𝐷 C ← 𝐹𝑜𝑑 𝑙 ( “My password…” ) 𝐸𝑓𝑑 𝑙 (𝐷) Eve “My password…” Correctness: 𝐸𝑓𝑑 𝑙 𝐹𝑜𝑑 𝑙 𝑁 = 𝑁 for all valid keys 𝑙, messages 𝑁 How to define confidentiality?
Confidentiality: Symmetric Key Setting Alice Bank 𝒍 𝒍 𝐷 𝐸𝑓𝑑 𝑙 (𝐷) C ← 𝐹𝑜𝑑 𝑙 ( “My password…” ) “My password…” Eve How to define confidentiality? IND-CPA (chosen- plaintext attack): Eve can’t distinguish an encryption of 𝑛 0 from an encryption of 𝑛 1 In real protocols, Eve may be able to: ◦ Even if she gets to choose 𝑛 0 , 𝑛 1 • Narrow down likely messages ◦ Even if she can ask to see encryptions of messages of her choice In real protocols, Eve may be able to: • Influence other messages Alice sends ◦ IND-CCA (chosen-ciphertext attack): Even if Eve also gets to ask Bank to decrypt any other ciphertexts In real protocols, Eve may be able to: • Send ciphertexts to Bob and see how he responds
A Tool: Block Ciphers A keyed permutation 𝐺 𝑙 that works on blocks of bits. 𝑁 𝐺(𝑁) ◦ E.g. 256-bit strings to 256-bit strings −1 ◦ With key, can compute 𝐺 𝑙 and inverse 𝐺 𝑙 𝐿 𝐺 𝐺 −1 ◦ Without key, 𝐺 𝑙 looks like a random mapping 𝐿 Most common block cipher: AES 𝐺(𝑁) 𝑁 ◦ Also DES, Triple DES (outdated) ◦ Carefully designed by experts in cryptanalysis ◦ Bitwise operations and lookup tables
A Tool: Block Ciphers A keyed permutation 𝐺 𝑙 that works on blocks of bits. 𝑁 𝐺(𝑁) ◦ E.g. 256-bit strings to 256-bit strings −1 ◦ With key, can compute 𝐺 𝑙 and inverse 𝐺 𝑙 𝐿 𝐺 𝐺 −1 ◦ Without key, 𝐺 𝑙 looks like a random mapping 𝐿 How to build secure encryption? How about: 𝐺(𝑁) 𝑁 ◦ 𝐹𝑜𝑑 𝑙 𝑁 : output 𝐺 𝑙 (𝑁) −1 (𝐷) ◦ 𝐸𝑓𝑑 𝑙 𝐷 : output 𝐺 𝑙 Is this a real problem? Problem: Adversary can tell if same message is encrypted twice! ◦ (Why does this break our definition?) ◦ This is electronic codebook mode (ECB mode) - insecure [Wikipedia]
A Tool: Block Ciphers A keyed permutation 𝐺 𝑙 that works on blocks of bits. 𝑁 𝐺(𝑁) ◦ E.g. 256-bit strings to 256-bit strings −1 ◦ With key, can compute 𝐺 𝑙 and inverse 𝐺 𝑙 𝐿 𝐺 𝐺 −1 ◦ Without key, 𝐺 𝑙 looks like a random mapping 𝐿 How to build secure encryption? Try 2: 𝐺(𝑁) 𝑁 Can prove ◦ 𝐹𝑜𝑑 𝑙 𝑁 : choose random 256-bit string 𝑆 . Output (𝑆, 𝐺 𝑙 𝑆 ⊕ 𝑁) that this gives CPA ◦ 𝐸𝑓𝑑 𝑙 𝑆, 𝐷′ : output 𝑁 = 𝐺 𝑙 𝑆 ⊕ 𝐷′ security! (if F has above What if I want to encrypt a longer message? property) ◦ Could run above encryption many times – to encrypt N bits, need 2N bits ◦ OR 𝐹𝑜𝑑 𝑙 𝑁 1 , … , 𝑁 𝑜 : choose random 256-bit string 𝑆 . Output (𝑆, 𝐺 𝑙 𝑆||1 ⊕ 𝑁 1 , 𝐺 𝑙 𝑆||2 ⊕ 𝑁 2 , … ) ◦ Called counter (CTR) mode ◦ Other secure modes of operation e.g. CBC mode
Integrity: Symmetric Key Setting Alice Bank “My password is 485853.” “Transfer $100 to Carol” Eve What if Eve tries to change “Transfer $100…” to “Transfer $900…”? ◦ Encryption does not prevent this! ◦ e.g. in CTR mode Eve can take (𝑆, 𝐺 𝑙 𝑆 ⊕ 𝑁) and flip bits in second half of C – also flips bits of resulting M
MACs Use a message authentication code (MAC): Alice Bank 𝒍 𝒍 𝑈, “Transfer $100 to Carol” 𝑊𝑓𝑠𝑗𝑔𝑧 𝑙 (𝑈, “Transfer $100…” ) 𝑈 ← 𝑁𝐵𝐷 𝑙 ( “Transfer $100…” ) Valid or Forgery Eve Correctness: 𝑊𝑓𝑠𝑗𝑔𝑧 𝑙 𝑁𝐵𝐷 𝑙 𝑁 = Valid for all 𝑁, 𝐿 Security: Eve cannot generate a tag for a message Alice didn’t send ◦ Even given tags on other messages of her choice In real protocols, Eve may be able to: • Influence messages Alice sends ◦ Even if she can modify tags and see if they still verify. • Try sending messages to Bob and see how he responds
MACs: How do we construct a MAC? Given a block cipher: Never use same k for Enc and MAC ◦ 𝐺 𝑙 𝑁 is a good MAC for short 𝑁 ◦ For longer 𝑁 = 𝑁 1 , … , 𝑁 𝑜 , how about 𝐺 𝑙 𝑁 1 , … , 𝐺 𝑙 𝑁 𝑜 ? ◦ Eve can rearrange blocks! ◦ One option: CBC-MAC (chains messages together) Alternative: Cryptographic hash functions ◦ Compression: Maps long strings to fixed length ones (e.g. 256 bits) ◦ Collision resistance: Hard to find 2 strings that hash to the same thing. ◦ (Because of compression, such collisions must exist, but they should be computationally difficult to find) ◦ E.g. SHA-1, SHA-2, SHA-3. (Again, designed by expert cryptanalysts.) 𝑁𝐵𝐷 𝑙 𝑁 : 𝐺 𝑙 (𝐼 𝑁 ) is a secure MAC ◦ Or, can construct just from hash function 𝑁𝐵𝐷 𝑙 𝑁 : 𝐼 𝐿 1 || 𝐼 𝐿 2 ||𝑁 ◦ Called HMAC, requires stronger properties from hash function
Authenticated Encryption Alice Bank 𝒍 𝒍 𝐷 𝐸𝑓𝑑 𝑙 (𝐷) C ← 𝐹𝑜𝑑 𝑙 ( “My password…” ) “My password…” Eve What if we want both confidentiality and integrity at once? Combine Encryption and MACs to get Authenticated Encryption ◦ Guarantees Eve learns nothing about messages and if Eve tries to add her own messages Bank can tell Tag may reveal info about How do we combine the two? M ◦ Encrypt and MAC: 𝐷 ← 𝐹𝑜𝑑 𝑙 𝑁 . 𝑈 ← 𝑁𝐵𝐷 𝑙 𝑁 . Output (𝐷, 𝑈) ◦ Encrypt then MAC: 𝐷 ← 𝐹𝑜𝑑 𝑙 𝑁 . 𝑈 ← 𝑁𝐵𝐷 𝑙 𝐷 . Output (𝐷, 𝑈) Eve could try to modify C ◦ MAC then Encrypt: 𝑈 ← 𝑁𝐵𝐷 𝑙 𝐷 . 𝐷 ← 𝐹𝑜𝑑 𝑙 𝑁||𝑈 . Output 𝐷. and see if T still verifies
Secure Communication Alice Bank 𝒍 𝒍 C, 𝑈 Where do keys come from? ◦ How do Alice and Bank share a key if they haven’t talked before? ◦ How many keys do Alice and Bank have to store? Public Key Crypto (aka Asymmetric-Key Crypto) ◦ Bob generates a pair of keys, a public key, and a secret key ◦ Bob publishes public key ◦ Security should hold even if Eve is given Bob’s public key Caveat: How does Alice know public key belongs to Bob? (Need public key infrastructure)
Confidentiality: Public Key Setting Alice Bank 𝒒𝒍 𝑪 𝐭𝒍 𝑪 𝐷 𝐸𝑓𝑑 𝑡𝑙 𝐶 (𝐷) C ← 𝐹𝑜𝑑 𝑞𝑙 𝐶 ( “My password…” ) “My password…” Eve 𝑞𝑙 𝐶 Security guarantee: Eve can’t learn anything about 𝑁 from 𝐷, even given 𝑞𝑙 𝐶 ◦ Encryption must be randomized! ◦ Otherwise, Eve can try encrypting different 𝑁 s and see what gives the right 𝐷
Recommend
More recommend
