Cryptography MELISSA CHASE, MSR Modern Cryptography the scientific - - PowerPoint PPT Presentation

SLIDE 1

Cryptography

MELISSA CHASE, MSR

SLIDE 2

Modern Cryptography

“…the scientific study of techniques for securing digital information, transactions, and distributed computations” – Katz and Lindell ’07

  • Authentication
  • Verifiable elections
  • Secure auctions
  • Electronic cash
  • ….

Today: Secure Communication

  • How can Alice securely communicate with Bob over an untrusted channel?

SLIDE 3

Historical Cryptography

Used for transmitting secret information. Caesar cipher:

  • Key is 3, i.e. shift letter right by 3
  • Plaintext: meet me at central park
  • Ciphertext: phhw ph dw fhqwudo sdun
  • Can we break this?
  • Yes: brute force attack, or letter frequencies

Vigenère cipher

  • Key is cat, i.e. shift first letter right by 3, second letter right by 1, third letter right by 20, then repeat
  • Plaintext:  meet me at central park
  • Key:        catc at ca tcatcat catc
  • Ciphertext: pfyw ny du whonubh sbln
  • Brute force attacks are harder, letter frequencies still work
  • Even a small piece of plaintext with corresponding ciphertext is enough to recover the key

*Example from [Daswani]
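As an added example (not part of the slides), the Python below implements both ciphers under the slide's letter numbering (a = 1, so c shifts by 3 and t by 20) and performs the known-plaintext key recovery that the last bullet describes: each aligned pair of plaintext and ciphertext letters leaks one shift, and the key is the shortest period of the shift sequence. All function names are mine. Run on the slide's plaintext and keys it reproduces the Caesar ciphertext exactly; for the Vigenère line it gives whonubf for "central" where the slide prints whonubh (l is the 12th letter, 12 + 20 = 32, 32 − 26 = 6, i.e. f), and the code returns the computed value.

```python
# Added example, not from the slides: Caesar and Vigenere exactly as the slide
# defines them, plus the known-plaintext key recovery the slide mentions.
# Assumption (from the slide's numbers): key letters are valued a=1 ... z=26,
# so 'c' shifts by 3, 'a' by 1 and 't' by 20.


def _shift_of(key_letter: str) -> int:
    """Shift value of a key letter under the a=1 convention (c -> 3, a -> 1, t -> 20)."""
    return ord(key_letter) - ord("a") + 1


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Shift each letter by the next key letter's value, repeating the key.
    Spaces pass through and do not consume a key letter (the slide's alignment)."""
    out, i = [], 0
    for ch in plaintext.lower():
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = _shift_of(key[i % len(key)])
        out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        i += 1
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Undo the shifts with the same key schedule."""
    out, i = [], 0
    for ch in ciphertext.lower():
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = _shift_of(key[i % len(key)])
        out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        i += 1
    return "".join(out)


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Caesar is Vigenere with a one-letter key; shift 3 is the key letter 'c' under a=1."""
    return vigenere_encrypt(plaintext, chr(ord("a") + shift - 1))


def recover_key(known_plaintext: str, matching_ciphertext: str) -> str:
    """Known-plaintext attack from the slide: each aligned letter pair leaks one
    shift, and the key is the shortest period of the recovered shift sequence."""
    pairs = [(p, c) for p, c in zip(known_plaintext.lower(), matching_ciphertext.lower())
             if p.isalpha()]
    shifts = [(ord(c) - ord(p)) % 26 for p, c in pairs]
    # a shift of 0 means key letter 'z' (value 26) under the a=1 convention
    letters = "".join(chr(ord("a") + (s - 1) % 26) for s in shifts)
    for period in range(1, len(letters) + 1):
        if all(letters[i] == letters[i % period] for i in range(len(letters))):
            return letters[:period]
    return letters


if __name__ == "__main__":
    pt = "meet me at central park"
    print(caesar_encrypt(pt, 3))            # phhw ph dw fhqwudo sdun
    ct = vigenere_encrypt(pt, "cat")
    print(ct)                               # pfyw ny du whonubf sbln
    print(recover_key(pt[:7], ct[:7]))      # cat
```

The recovered key is only as reliable as the fragment is long: a fragment shorter than the key can make the shortest period look smaller than it is, so the result should be confirmed by decrypting further ciphertext with it.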

SLIDE 4

Principles of modern cryptography

Kerckhoffs’ rule: Cryptographic algorithms should be public

  • Security rests on keeping keys secret (and choosing keys at random)
  • Community can verify security of algorithms before they are deployed

Clearly define assumptions and security guarantees

  • Understand exactly what is assumed from underlying building blocks/mathematical tools
  • Understand exactly what security guarantees the crypto system provides
  • Crypto is a tool! (no guarantees if used incorrectly, or if the rest of the system is insecure)

SLIDE 5

Principles of modern cryptography

An adversary with unbounded power can break (essentially) all crypto

  • Ex. Can try to decrypt with all possible keys. Unless you have as many possible keys as possible messages, this allows the adversary to rule out some messages

Estimate reasonable bounds on power of adversary – crypto should be unbreakable for any adversary within those limits

  • Ideally, cost for honest parties to use crypto scales linearly/quadratically, but cost for adversary to break crypto scales exponentially

Cryptographic algorithms are parameterized by security levels

  • 128-bit level crypto should take roughly 2^128 operations to break
  • (Time to exhaustively try every 128-bit key)
  • 256-bit crypto should take twice as long for honest parties to run (or maybe 4x), but 2^128 times as many operations to break

SLIDE 6

Secure Communication

Eve can see what passes over the network. Alice wants to guarantee:

  • Confidentiality: Eve does not learn anything about Alice’s message (Encryption)
  • Integrity: Eve cannot change Alice’s message (MACs/Signatures)

[Diagram: Alice sends “My password is 485853.” and “Transfer $100 to Carol” to Bank; Eve sits on the channel]

SLIDE 7

Confidentiality: Symmetric Key Setting

Correctness: Dec_k(Enc_k(M)) = M for all valid keys k and messages M

How to define confidentiality?

[Diagram: Alice and Bank share key k; Alice sends C ← Enc_k(“My password…”); Bank computes Dec_k(C) and recovers “My password…”; Eve sees C]

SLIDE 8

Confidentiality: Symmetric Key Setting

How to define confidentiality?

IND-CPA (chosen-plaintext attack): Eve can’t distinguish an encryption of m0 from an encryption of m1

  • Even if she gets to choose m0, m1
  • Even if she can ask to see encryptions of messages of her choice
  • IND-CCA (chosen-ciphertext attack): Even if Eve also gets to ask Bank to decrypt any other ciphertexts

In real protocols, Eve may be able to:

  • Send ciphertexts to Bob and see how he responds
  • Narrow down likely messages
  • Influence other messages Alice sends

SLIDE 9

A Tool: Block Ciphers

A keyed permutation F_k that works on blocks of bits.

  • E.g. 256-bit strings to 256-bit strings
  • With key, can compute F_k and inverse F_k^{-1}
  • Without key, F_k looks like a random mapping

Most common block cipher: AES

  • Also DES, Triple DES (outdated)
  • Carefully designed by experts in cryptanalysis
  • Bitwise operations and lookup tables

[Diagram: F maps (M, K) to F(M); F^{-1} maps (F(M), K) back to M]

SLIDE 10

A Tool: Block Ciphers


How to build secure encryption? How about:

  • Enc_k(M): output F_k(M)
  • Dec_k(C): output F_k^{-1}(C)

Problem: Adversary can tell if same message is encrypted twice!

  • (Why does this break our definition?)
  • This is electronic codebook mode (ECB mode) - insecure

Is this a real problem? [Image: Wikipedia]

SLIDE 11

A Tool: Block Ciphers


How to build secure encryption? Try 2:

  • Enc_k(M): choose random 256-bit string R. Output (R, F_k(R) ⊕ M)
  • Dec_k(R, C′): output M = F_k(R) ⊕ C′

What if I want to encrypt a longer message?

  • Could run above encryption many times – to encrypt N bits, need 2N bits
  • OR Enc_k(M_1, …, M_n): choose random 256-bit string R. Output (R, F_k(R||1) ⊕ M_1, F_k(R||2) ⊕ M_2, …)
  • Called counter (CTR) mode
  • Other secure modes of operation e.g. CBC mode

Can prove that this gives CPA security! (if F has above property)

SLIDE 12

Integrity: Symmetric Key Setting

What if Eve tries to change “Transfer $100…” to “Transfer $900…”?

  • Encryption does not prevent this!
  • e.g. in CTR mode Eve can take (R, F_k(R) ⊕ M) and flip bits in second half of C – also flips bits of resulting M

[Diagram: Alice sends “My password is 485853.” and “Transfer $100 to Carol” to Bank; Eve sits on the channel]

SLIDE 13

MACs

Correctness: Verify_k(MAC_k(M), M) = Valid for all M, k

Security: Eve cannot generate a tag for a message Alice didn’t send

  • Even given tags on other messages of her choice
  • Even if she can modify tags and see if they still verify.

Use a message authentication code (MAC):

T ← MAC_k(“Transfer $100…”); Bank runs Verify_k(T, “Transfer $100…”) and gets Valid or Forgery

[Diagram: Alice and Bank share k; Alice sends (T, “Transfer $100 to Carol”); Eve observes]

In real protocols, Eve may be able to:

  • Influence messages Alice sends
  • Try sending messages to Bob and see how he responds

SLIDE 14

MACs: How do we construct a MAC?

Given a block cipher:

  • F_k(M) is a good MAC for short M
  • For longer M = M_1, …, M_n, how about F_k(M_1), …, F_k(M_n)?
  • Eve can rearrange blocks!
  • One option: CBC-MAC (chains messages together)

Alternative: Cryptographic hash functions

  • Compression: Maps long strings to fixed length ones (e.g. 256 bits)
  • Collision resistance: Hard to find 2 strings that hash to the same thing.
  • (Because of compression, such collisions must exist, but they should be computationally difficult to find)
  • E.g. SHA-1, SHA-2, SHA-3. (Again, designed by expert cryptanalysts.)

MAC_k(M): F_k(H(M)) is a secure MAC

  • Or, can construct just from hash function: MAC_k(M) = H(K_1 || H(K_2 || M))
  • Called HMAC, requires stronger properties from hash function

Never use same k for Enc and MAC

SLIDE 15

Authenticated Encryption

What if we want both confidentiality and integrity at once? Combine Encryption and MACs to get Authenticated Encryption

  • Guarantees that Eve learns nothing about the messages, and that if Eve tries to add her own messages, Bank can tell

How do we combine the two?

  • Encrypt and MAC: C ← Enc_k(M). T ← MAC_k(M). Output (C, T)
  • Encrypt then MAC: C ← Enc_k(M). T ← MAC_k(C). Output (C, T)
  • MAC then Encrypt: T ← MAC_k(M). C ← Enc_k(M||T). Output C.

Callouts on the slide: “Tag may reveal info about M” (in Encrypt and MAC the tag is computed directly on M and sent in the clear); “Eve could try to modify C and see if T still verifies”
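The following Python is added here and is not part of the slides; it ties slides 11 through 15 together in runnable form: the deterministic first try (ECB) leaking repeated blocks, CTR mode as defined on slide 11, the bit flip on a CTR ciphertext from slide 12 that turns “$100” into “$900”, an HMAC tag under a separate key as on slide 14, and Encrypt then MAC with verify-before-decrypt from slide 15. Assumptions, all mine: HMAC-SHA256 stands in for the block cipher F_k (a keyed PRF rather than AES, which is enough because CTR mode and the MAC only use F in the forward direction), and every function name is invented for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK = 32  # 256-bit blocks, as on the slides


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the keyed block function F_k. Assumption: HMAC-SHA256 keyed with k
    plays the role of AES as a keyed pseudorandom function. It is not a permutation,
    which is why ecb_encrypt below has no matching decrypt; CTR mode and the MAC only
    evaluate F in the forward direction, so the slides' constructions carry over."""
    return hmac.new(k, x, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(m: bytes):
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def ecb_encrypt(k: bytes, m: bytes) -> bytes:
    """Slide 10's first try, Enc_k(M) = F_k(M) block by block. Deterministic, so two
    equal plaintext blocks give two equal ciphertext blocks and Eve sees the repeat."""
    return b"".join(F(k, blk) for blk in _blocks(m))


def ctr_encrypt(k: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """CTR mode from slide 11: pick random R, output (R, F_k(R||1) xor M_1, F_k(R||2) xor M_2, ...).
    A fixed R may be passed only to make the malleability demo reproducible."""
    r = os.urandom(BLOCK) if r is None else r
    c = b"".join(_xor(F(k, r + i.to_bytes(4, "big"))[:len(blk)], blk)
                 for i, blk in enumerate(_blocks(m), start=1))
    return r, c


def ctr_decrypt(k: bytes, r: bytes, c: bytes) -> bytes:
    """Same keystream xored again. There is no integrity check here at all."""
    return ctr_encrypt(k, c, r)[1]


def flip_bit(data: bytes, bit: int) -> bytes:
    """Eve's move on slide 12: flipping one ciphertext bit flips the same plaintext bit."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def tag(k_mac: bytes, r: bytes, c: bytes) -> bytes:
    """HMAC-SHA256 over nonce and ciphertext; hmac.new is the slide's H(K1 || H(K2 || M))
    construction. k_mac must be a different key from the encryption key (slide 14)."""
    return hmac.new(k_mac, r + c, hashlib.sha256).digest()


def encrypt_then_mac(k_enc: bytes, k_mac: bytes, m: bytes) -> Tuple[bytes, bytes, bytes]:
    """Encrypt then MAC from slide 15: C <- Enc_k(M), T <- MAC_k(C), output (C, T)."""
    r, c = ctr_encrypt(k_enc, m)
    return r, c, tag(k_mac, r, c)


def verify_then_decrypt(k_enc: bytes, k_mac: bytes, r: bytes, c: bytes, t: bytes) -> Optional[bytes]:
    """Bank's side: constant-time tag check first, decrypt only if it verifies, so a
    tampered ciphertext is rejected before any plaintext is produced."""
    if not hmac.compare_digest(tag(k_mac, r, c), t):
        return None
    return ctr_decrypt(k_enc, r, c)


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)  # separate keys, per slide 14
    msg = b"Transfer $100 to Carol"
    r, c = ctr_encrypt(k_enc, msg, bytes(BLOCK))
    # bit 83 is bit 3 of byte 10, the '1' in "$100"; 0x31 ^ 0x08 == 0x39 == '9'
    print(ctr_decrypt(k_enc, r, flip_bit(c, 83)))                     # b'Transfer $900 to Carol'
    r, c, t = encrypt_then_mac(k_enc, k_mac, msg)
    print(verify_then_decrypt(k_enc, k_mac, r, flip_bit(c, 83), t))  # None
```

The design points worth keeping from this are the ones the slides make: the nonce R goes under the MAC together with C, the tag is compared with hmac.compare_digest rather than ==, and decryption never runs on data whose tag failed.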

SLIDE 16

Secure Communication

Where do keys come from?

  • How do Alice and Bank share a key if they haven’t talked before?
  • How many keys do Alice and Bank have to store?

Public Key Crypto (aka Asymmetric-Key Crypto)

  • Bob generates a pair of keys, a public key, and a secret key
  • Bob publishes public key
  • Security should hold even if Eve is given Bob’s public key

Caveat: How does Alice know public key belongs to Bob? (Need public key infrastructure)

[Diagram: Alice and Bank each hold k; Alice sends (C, T); Eve observes]

SLIDE 17

Confidentiality: Public Key Setting

Security guarantee: Eve can’t learn anything about M from C, even given pk_B

  • Encryption must be randomized!
  • Otherwise, Eve can try encrypting different Ms and see what gives the right C

[Diagram: Alice holds pk_B, Bank holds sk_B; Alice sends C ← Enc_{pk_B}(“My password…”); Bank computes Dec_{sk_B}(C) and recovers “My password…”; Eve knows pk_B and sees C]

SLIDE 18

Public Key Encryption

Tool: RSA function. N = product of 2 large primes. Basic equation: Y = X^e mod N

  • Without the factorization of N, it’s easy to find Y given e, X
  • Without the factorization of N, it’s thought to be hard to find X given e, Y (the RSA Assumption)
  • Given the factorization of N, it’s easy to find X given e, Y

Roughly, (N, e) will be the public key, and its factorization will be the secret key. How do we encrypt?

  • Enc_{N,e}(M) = M^e
  • Not secure – Eve can test for messages M
  • Instead, apply randomized padding to M first: Enc_{N,e}(M) = (Pad(M, R))^e
  • Appropriate padding gives secure scheme (RSA-OAEP), with some extra assumptions

SLIDE 19

Secure Communication

Tradeoffs:

  • Asymmetric Key Crypto: easier key management, but much slower! (~1000 times)

Hybrid Approach

  • Use public-key crypto to share a key
  • Then use symmetric key crypto

E.g. Hybrid encryption: To encrypt long messages to pk_B

  • Choose random k
  • Encrypt k under pk_B using public key scheme
  • Encrypt M under k using symmetric key scheme
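As an added example (not from the slides), the Python below walks through the RSA function and the two encryption attempts on slide 18, then the hybrid scheme of slide 19. Assumptions, all mine: the primes are the Mersenne primes 2^127−1 and 2^107−1 (known primes, so no primality test is needed here; real keys use random primes of at least 1024 bits each), Pad(M, R) is a toy left-shift-and-append of 64 random bits rather than OAEP, and the symmetric scheme is an unauthenticated SHA-256 counter keystream. It also checks the small textbook key pair p = 61, q = 53, e = 17, for which d = 2753. Function names are invented for this example.

```python
import hashlib
import os
from math import gcd
from typing import Optional, Tuple

# Added example, not from the slides. Toy parameters (assumed): known Mersenne primes
# so no primality test is needed; real RSA keys use random primes of 1024+ bits.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
PAD_BITS = 64  # random bits appended to every message before exponentiation (toy, not OAEP)

Key = Tuple[int, int]  # (N, e) for the public key, (N, d) for the secret key


def rsa_keypair(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Public key (N, e); the factorization is the secret, and d is computed from it."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (n, e), (n, pow(e, -1, phi))


def rsa_forward(pk: Key, x: int) -> int:
    """Y = X^e mod N: easy for anyone who holds the public key."""
    n, e = pk
    return pow(x, e, n)


def rsa_inverse(sk: Key, y: int) -> int:
    """X from Y: easy with d (i.e. with the factorization); believed hard without it."""
    n, d = sk
    return pow(y, d, n)


def textbook_encrypt(pk: Key, m: int) -> int:
    """Enc_{N,e}(M) = M^e from the slide: deterministic, hence NOT secure."""
    return rsa_forward(pk, m)


def textbook_decrypt(sk: Key, c: int) -> int:
    return rsa_inverse(sk, c)


def eve_confirms_guess(pk: Key, c: int, guess: int) -> bool:
    """The slide's objection: Eve re-encrypts a guessed message and compares."""
    return textbook_encrypt(pk, guess) == c


def padded_encrypt(pk: Key, m: int, r: Optional[int] = None) -> int:
    """Enc_{N,e}(M) = (Pad(M, R))^e with fresh random R, so equal messages encrypt differently."""
    n, _ = pk
    r = int.from_bytes(os.urandom(PAD_BITS // 8), "big") if r is None else r
    x = (m << PAD_BITS) | r
    if x >= n:
        raise ValueError("padded message does not fit below N")
    return rsa_forward(pk, x)


def padded_decrypt(sk: Key, c: int) -> int:
    return rsa_inverse(sk, c) >> PAD_BITS


def stream_xor(k: bytes, data: bytes) -> bytes:
    """Symmetric part of the hybrid scheme: SHA-256 counter keystream (assumed stand-in for
    AES-CTR). Unauthenticated: in practice pair it with a MAC as on the AE slide."""
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def hybrid_encrypt(pk: Key, m: bytes) -> Tuple[int, bytes]:
    """Slide 19: random k; k under pk_B with the public-key scheme; M under k symmetrically."""
    k = os.urandom(16)
    return padded_encrypt(pk, int.from_bytes(k, "big")), stream_xor(k, m)


def hybrid_decrypt(sk: Key, c_key: int, c_msg: bytes) -> bytes:
    k = padded_decrypt(sk, c_key).to_bytes(16, "big")
    return stream_xor(k, c_msg)


if __name__ == "__main__":
    pk, sk = rsa_keypair(P, Q, E)
    m = int.from_bytes(b"My password is 485853", "big")
    c = textbook_encrypt(pk, m)
    print(eve_confirms_guess(pk, c, m))              # True: deterministic encryption leaks
    print(eve_confirms_guess(pk, padded_encrypt(pk, m), m))  # False: randomized padding
    ck, cm = hybrid_encrypt(pk, b"Transfer $100 to Carol")
    print(hybrid_decrypt(sk, ck, cm))                # b'Transfer $100 to Carol'
```

Only the public exponent ever runs on the sender's side, which is the slide's point about the tradeoff: the RSA operation is done once per message for a short key, and the bulk of the data goes through the much faster symmetric scheme.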

SLIDE 20

Secure Communication

Other issues we didn’t have time for

  • Encryption and signatures based on the discrete logarithm problem (e.g. DSA)
  • Certificates (How does Alice know that this public key does belong to the bank?)
  • Establishing a secure channel (e.g. TLS)
  • Generating good randomness
  • How to generate and store keys
  • Encryption and MACs/signatures and tools in other applications

Other resources:

  • Bellare-Rogaway lecture notes: http://cseweb.ucsd.edu/~mihir/cse207/classnotes.html
  • Coursera classes on cryptography:
  • by Jonathan Katz: https://www.coursera.org/course/cryptography
  • by Dan Boneh: https://www.coursera.org/course/crypto