iLab Modern cryptography for communications security Benjamin Hof - - PowerPoint PPT Presentation

iLab

Modern cryptography for communications security Benjamin Hof hof@in.tum.de

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München

Cryptography – 14ss

1

Outline

Cryptography Private-key Public-key

2

Outline

Cryptography Private-key Public-key

3

Scope

Focus on:

◮ modern cryptography ◮ methods used in communications security

Based on: Introduction to modern cryptography, Katz and Lindell, 2007.

4

Communication

by Melissa Elliott https://twitter.com/0xabad1dea/status/400676797874208768

5

What we are concerned with

Alice Bob “Let’s meet up at 9!”

6

What we are concerned with

Alice Bob “Let’s meet up at 9!” BfV

Roens/Wikipedia. CC-by-sa 2.0

6

What we are concerned with

Alice Bob Eve “Let’s meet up at 9!” passive attack: eavesdropping We want to provide confidentiality!

6

What we are concerned with

Alice Bob Mallory “You can trust Trent!” active attack: message modification We want to provide authentification!

6

Limitations

◮ cryptography is typically bypassed, not broken ◮ not applied correctly ◮ not implemented correctly ◮ subverted

communication

◮ existence ◮ time ◮ extent ◮ partners 7

Kerckhoffs’ principle

Security should only depend on secrecy of the key, not the secrecy of the system.

◮ key easier to keep secret ◮ change ◮ compatibility

No security by obscurity.

◮ scrutiny ◮ standards ◮ reverse engineering 8

Another principle as a side note

the system should be usable easily

◮ Kerckhoffs actually postulated 6 principles ◮ this one got somewhat forgotten ◮ starting to be rediscovered in design of secure applications and

libraries

Example

TextSecure, NaCl

9

Modern cryptography

relies on

◮ formal definitions ◮ precisely defined assumptions ◮ mathematical proofs

Proofs require to formulate assumptions explicitly.

10

Randomness

◮ required to do any cryptography at all ◮ somewhat difficult to get in a computer (deterministic!) ◮ required to be cryptographically secure: indistiguishable from

truly random

Example

used to generate keys or other information unkown to any other parties

11

Reduction

◮ type of proof commonly used in cryptography ◮ reduce security of a construction to security of underlying

primitive

◮ easier to design and replace parts 12

Our goals

private-key (symmetric)

◮ confidentiality ◮ authenticity

public-key (asymmetric)

◮ confidentiality ◮ authenticity ◮ key exchange

Something providing confidentiality generally makes no statement whatsoever about authenticity.

13

Outline

Cryptography Private-key Public-key

14

Private-key encryption scheme

• 1. k ← Gen(1n), security parameter 1n
• 2. c ← Enck(m), m ∈ {0, 1}∗
• 3. m := Deck(c)

◮ provide confidentiality ◮ definition of security: chosen-plaintext attack (CPA)

Cryptography uses theoretical attack games to analyze and formalize security.

15

The eavesdropping experiment

C A k ← Gen(1n) input 1n

The eavesdropping experiment

C A k ← Gen(1n) input 1n b ← {0, 1} c ← Enck(mb)

• utput b′

m0, m1 c

◮ A succeeds, iff b = b′ 16

Discussion of the eavesdropping experiment

◮ |m0| = |m1| ◮ probabilistic polynomial time algorithms ◮ success probability should be 0.5 + negligible ◮ if so, Enc has indistinguishable encryptions in the presence of

an eavesdropper

17

A block cipher

Example

◮ pseudorandom permutation: deterministic ◮ chop m into 128 bit blocks

m k AES c 128 bit Does this function survive the eavesdropping experiment?

18

Chosen-plaintext attack

C k ← {0, 1}n

Chosen-plaintext attack

C k ← {0, 1}n c ← Enck(m) . . . A m c . . .

Chosen-plaintext attack

C k ← {0, 1}n c ← Enck(m) . . . A m c . . . b ← {0, 1} m0, m1

• E

n c

k

( m

b

)

20

Chosen-plaintext attack

C k ← {0, 1}n c ← Enck(m) . . . A m c . . . b ← {0, 1} m0, m1

• E

n c

k

( m

b

) C (cont’d) c ← Enck(m) . . . A (cont’d) . . .

• utput bit b′

m c

20

Chosen-plaintext attack

C k ← {0, 1}n c ← Enck(m) . . . A m c . . . b ← {0, 1} m0, m1

• E

n c

k

( m

b

) C (cont’d) c ← Enck(m) . . . A (cont’d) . . .

• utput bit b′

m c

20

Discussion of CPA

◮

Enc is secure under chosen-plaintext attack

◮ again, messages must have same length ◮ multiple-use key ◮ non-deterministic (e. g. random initialization vector) or state ◮ CTR, CBC, OFB 21

Example constructions: counter mode

Example

◮ randomized AES counter mode (AES-CTR$) ◮ choose nonce r ← {0, 1}128, key k ← {0, 1}128 ◮ great if you have dedicated circuits for AES, else vulnerable to

timing attacks r k AES m0 ⊕ c0 r + 1 k AES m1 ⊕ c1

· · ·

complete ciphertext c := (r, c0, c1, · · · )

22

Example constructions: stream ciphers

Example

A modern stream cipher, fast in software: 96 bit nonce 256 bit key 32 bit initial counter ChaCha ⊕ plaintext ciphertext keystream

23

Message authentication code

• 1. k ← Gen(1n), security parameter 1n
• 2. t ← Mack(m), m ∈ {0, 1}∗
• 3. b := Vrfyk(m, t)

b = 1 means valid, b = 0 invalid

◮ message authenticity/integrity ◮ detect tampering ◮ no protection against replay ◮ “existentially unforgeable” 25

Adaptive chosen-message attack

C A k ← Gen(1n) input 1n t := Mack(m) m ( m , t ) . . . . . .

• utput (m′, t)

◮ let Q be the set of all queries m ◮ A succeeds, iff Vrfyk(m′, t) = 1 and m′ /

∈ Q

26

Used in practice

Example

◮ HMAC based on hash functions ◮ CMAC based on CBC mode ◮ authenticated encryption: OCB, GCM 28

Cryptographic hash functions

private-key

◮ encryption ◮ message

authentication codes

◮ hash functions

public-key

. . .

29

Hash functions

◮ arbitrary length input ◮ compressing

• 1. collision resistance

find x = x′ s. t. H(x) = H(x′)

• 2. second pre-image resistance

given x, find x′ = x s. t. H(x′) = H(x)

• 3. pre-image resistance

given y = H(x) with a randomly chosen x, find x′ s. t. H(x′) = y “H is one-way”

30

input H(·)

• utput

fixed length

HMAC

A popular MAC:

◮ opad is 0x36, ipad is 0x5C

tag := H(k ⊕ opadH(k ⊕ ipadm))

◮ use SHA2-512, truncate tag to 256 bits

Used with Merkle-Damgård functions, since they allow to compute from H(km) the extension H(kmtail).

31

Combining privacy and authentication

◮ encrypt-then-authenticate: c ← Enck1(m), t ← Mack2(c)

This is generally secure.

◮ authenticated encryption

Also a good choice.

◮ bad ideas of times gone by:

◮ encrypt-and-authenticate: c ← Enck1(m), t ← Mack2(m) ◮ authenticate-then-encrypt: t ← Mack2(m), c ← Enck1(mt)

32

Outline

Cryptography Private-key Public-key

33

The idea

We no longer have one shared key, but each participant has a key pair:

◮ a private key we give to nobody else ◮ a public key to be published, e. g. on a keyserver 34

Public-key cryptography

◮ based on mathematical problems believed to be hard ◮ proofs often only in the weaker random oracle model ◮ only authenticated channels needed for key exchange, not

private

◮ less keys required ◮ orders of magnitude slower

Problems believed to be hard

◮ RSA assumption based on integer factorization ◮ discrete logarithm and Diffie-Hellman assumption

◮ elliptic curves ◮ El Gamal encryption ◮ Digital Signature Standard/Algorithm

35

Public-key cryptography

private-key

◮ encryption ◮ message

authentication codes

◮ hash functions

public-key

◮ encryption ◮ signatures ◮ key exchange 36

Uses

◮ encryption

◮ encrypt with public key of key owner ◮ decrypt with private key

◮ signatures

◮ sign with private key ◮ verify with public key of key owner ◮ authentication with non-repudiation

◮ key exchange

◮ protect past sessions against key compromise

37

Perfect forward security

Idea

◮ attacker captures traffic ◮ later: an endpoint is compromised → keys are compromised

We want: security of past connections should not be broken.

Perfect forward security

protection of past sessions against:

◮ compromise of session key ◮ compromise of long-term identity key

lack: key escrow

38

Elliptic curve Diffie-Hellman key exchange

◮ E(Fp2) ◮ p = 2255 − 19 ◮ E : y2 = x3 + 486662x2 + x

a ← {0, 1}255 b ← {0, 1}255 A := aG s := aB k := KDF(X(s)) B := bG s := bA k := KDF(X(s)) A B

(Other ECDH cryptosystems will need additional verification steps.)

39

Perfect forward security

◮ generate new DH key for each connection ◮ wipe old symmetric keys

Compromise of long term keys in combination with eavesdropping does not break security of past connections anymore!

40

RSA encryption

Textbook RSA

0.0 (N, p, q) ← GenModulus(1n) 0.1 φ(N) := (p − 1)(q − 1) 0.2 find e: gcd(e, Φ(N)) = 1 0.3 d := [e−1 mod Φ(N)]

• 1. encrypt with public key pk = N, e a message m ∈ Z∗

N

c := [me mod N]

• 2. decrypt with private key sk = N, d a ciphertext c ∈ Z∗

N

m := [cd mod N]

◮ textbook RSA is not secure ◮ padding schemes needed

◮ attacks exist, but used often: PKCS #1 v1.5 ◮ better security: PKCS #1 v2.1 (OAEP)

41

Optimal asymmetric encryption padding

m||0

n 2

r ← {0, 1}n G ⊕ H ⊕ ˆ m := ˆ m0|| ˆ m1 c := [ ˆ me mod N] ˆ m1 ˆ m0 recall: public key N, e

42

Signatures

◮ (often) slower ◮ non-repudiation ◮ verify OS packages

RSA signatures

◮ textbook RSA is insecure ◮ hash-and-sign paradigm (no proof) ◮ PKCS #1 v1.5 ◮ use RSASSA-PSS 43

RSASSA-PSS encoding function

M SHA2 hash salt pad SHA2 salt pad MGF ⊕ masked data block hash || 0xBC

44

Hybrid approach

Public-key cryptography

◮ valuable properties ◮ slow

Hybrid encryption

◮ protect symmetric key with public-key cryptography ◮ protect bulk traffic with private-key cryptography 45

Combining private-key and public-key methods in protocols

• e. g.:

handshake

◮ DHE key exchange ◮ signatures for entity authentication ◮ key derivation ◮ . . .

transport

◮ authenticated encryption ◮ replay protection 46

Key size equivalents

security RSA DLOG EC 80 1248 1248 160 very short term, ≤ 4a 112 2432 2432 224 medium-term, ≈ 20a 128 3248 3248 256 long-term, generic rec., ≈ 30a 192 7936 7936 384 256 15424 15424 512

ECRYPT II, 2012

• penssl on my i7-2620m, ops/s (very unscientific):

◮ 105.1 sig RSA4096 ◮ 757.8 sig RSA2048 ◮ 3322.2 vrfy ECDSAp256

(Don’t get hung up on matching key sizes.)

47

Considerations

◮ different keys for different purposes ◮ algorithms from eSTREAM, Suite B

◮ e. g. Salsa20, AES

◮ keysizes: ECRYPT2, Suite B, keylength.com

◮ e. g. RSA keys > 3248 bit

◮ keys based on passwords: scrypt, bcrypt, PBKDF2

In networking, timing is not “just a side channel”. Demand constant-time implementations.

48

Words of caution

limits

◮ crypto will not solve your problem ◮ only a small part of a secure system ◮ don’t implement yourself

difficult to solve problems

◮ trust / key distribution

◮ revocation

◮ ease of use

many requirements remaining

◮ replay ◮ timing attack ◮ endpoint security 49