Internet Lab (iLab1): Introduction to Cryptography, Lars Wüstrich - PowerPoint PPT Presentation


slide-1
SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Internet Lab (iLab1) Introduction to Cryptography

Lars Wüstrich ilab1@net.in.tum.de

Slides based on:

  • Network Security Introduction to modern cryptography (slides by Benjamin Hof)
  • A Graduate Course in Applied Cryptography (Dan Boneh and Victor Shoup)
  • Cryptography – WiSe 2019/20

slide-2
SLIDE 2

Outline

  • Cryptography
  • Security Goals
  • Symmetric encryption
  • Hash functions
  • Asymmetric cryptography
  • Summary

1/35

slide-4
SLIDE 4

What is Cryptography?

  • It is:
      • a tool to protect information in computer systems
      • the basis of many security mechanisms
  • It is NOT:
      • the holy grail that solves all security problems
      • something that you should try to invent yourself

We are just users of cryptography

3/35

slide-5
SLIDE 5

Goals of cryptography

  1. Secure communication in computer networks

Protection from:

  • Eavesdropping
  • Tampering

[Figure: HTTPS]

4/35

slide-6
SLIDE 6

Goals of cryptography

  2. Protect files (beyond computer networks)

Protection from:

  • Eavesdropping
  • Tampering

[Figure: Alice, File 1, File 2, Disk]

5/35

slide-8
SLIDE 8

Security Goals

Our main security goals in computer networks are CIA:

  • Confidentiality
  • Integrity
  • Authenticity

In addition to that, there are the goals of

  • Accountability (non-repudiation)
  • Availability
  • Access control

7/35

slide-10
SLIDE 10

Building Blocks of Cryptography

Cryptography

[Figure: building blocks of cryptography. Labels: Confidentiality; Public-Key Encryption; Block Ciphers, Stream Ciphers; Origin Non-Repudiation; Entity Authentication; Digital Signatures; Zero-Knowledge Proofs; Data Authentication; MAC Algorithms; Hash Functions; Authenticated Encryption]

9/35

slide-12
SLIDE 12

What helps us reach our goals?

[Table: columns Symmetric Crypto, Asymmetric Crypto; rows Confidentiality, Integrity, Authenticity, Key Exchange]

11/35

slide-13
SLIDE 13

Symmetric Encryption

[Figure: Alice computes E(k, m) = c; Bob computes D(k, c) = m; both hold the key k]

In symmetric encryption there are two algorithms:

  1. An encryption algorithm E
  2. A decryption algorithm D

In addition there is a secret key k which is shared by the communicating parties.

12/35

slide-14
SLIDE 14

Kerckhoffs’ principle

Security should only depend on secrecy of the key, not the secrecy of the system.

  • key easier to keep secret
  • change
  • compatibility

No security by obscurity.

  • scrutiny
  • standards
  • reverse engineering

13/35

slide-15
SLIDE 15

Block ciphers

  • fixed key length and block length
  • chop m into n bit blocks
  • pad the last block

[Figure: E takes an n-bit block of m and the key k and outputs c]

14/35

slide-16
SLIDE 16

Stream ciphers

Stream ciphers create a key stream that is XORed onto the message.

[Figure: key and nonce (initialization vector) → E → keystream; plaintext ⊕ keystream = ciphertext]

15/35

slide-17
SLIDE 17

What can we do so far?

Symmetric Crypto Asymmetric Crypto Confidentiality

  • Integrity

Authenticity Key exchange

16/35

slide-21
SLIDE 21
  • Common practice in data communications: error detection code, to identify random errors introduced during transmission
  • Simplest error detection code: Parity
      • 7 data bits, 1 parity bit
      • Prefixes data with 1 (0) if number of set data bits is odd (even)
      • 00 11 00 11
      • 10 11 00 10
  • Further examples: Bit-Interleaved Parity, Cyclic Redundancy Check (CRC)
  • Underlying idea of these codes: add redundancy to a message to be able to detect, or even correct, transmission errors
  • The error detection/correction code of choice and its parameters are a trade-off between:
      • Computational overhead
      • Increase of message length
  • ... and depend on the probability/characteristics of errors on the transmission medium

18/35

slide-27
SLIDE 27
  • We want to achieve: Integrity
  • We received message m. Has m been modified by an attacker?
  • It is a different (and much harder!) problem to determine if m has been modified on purpose!
  • Why?
      • It is unlikely that a random error that modified a message also "fixes" the message's error detection code
      • An attacker can modify the message and fix the respective error detection code
  • Consequently, we need to add a code that fulfills some additional properties which should make it computationally infeasible for an attacker to tamper with messages
  • Therefore we need:
      1. Cryptographic Hash Functions
      2. Message Authentication Codes

19/35

slide-28
SLIDE 28

Hash functions

  • one way function
  • easy to compute
  • variable length input
  • fixed length output

[Figure: input → H(·) → output (fixed length)]

20/35

slide-33
SLIDE 33
  • A function H is called a cryptographic hash function if:

1. H is a one-way function: for all pre-specified outputs y, it is computationally infeasible to find an x with H(x) = y.
   "For any possible hash value y of a hash function, I cannot efficiently find an input x that yields y"
   → 1st pre-image resistance
2. Given x, it is computationally infeasible to find any second input x′ with x ≠ x′ such that H(x) = H(x′).
   "Given a first message x, I cannot efficiently find a second, different message x′ that yields the same hash value as x"
   → 2nd pre-image resistance
   Note: This property is very important for digital signatures.
3. It is computationally infeasible to find any pair (x, x′) with x ≠ x′ such that H(x) = H(x′).
   "I cannot efficiently find a pair of different input values x and x′ that yield the same hash value"
   → Collision resistance
4. It is computationally infeasible to distinguish H(x) from a random n-bit value.
   → Random oracle property

21/35

slide-35
SLIDE 35

Can Hashing ensure Integrity?

[Figure: Case: No attacker: Alice (A) sends m, H(m) to Bob (B); Bob's check: ok. Case: With attacker: Alice sends m, H(m); Bob receives m′, H(m′); Bob's check: ok.]

  • Applying a hash function is not sufficient to secure a message.
  • H(m) needs to be protected.

22/35

slide-37
SLIDE 37

Can Hashing ensure Integrity?

[Figure: Alice (A) and Bob (B) share symmetric key K. Case: No attacker: Alice sends m, MAC_K(m); Bob's check: ok. Case: With attacker: Alice sends m, MAC_K(m); Bob receives m′, MAC_K(m); Bob's check: not ok.]

  • Simply hashing a message and appending the hash is not secure against intentional manipulation (compare with CRC)!
  • Solution:
      • Include a secret in the hash.
      • Since the secret key k is unknown to the attacker, the attacker cannot compute MAC_K(m′).

23/35

slide-41
SLIDE 41

Message authentication codes

  • (Cryptographic) hashes alone do not protect against tampering!
  • MACs include a secret key K in addition to the message m they aim to protect.
  • Only the persons with knowledge of K can (re-)compute the MAC.
  • Procedure:
      • Sender s computes MAC_K(m).
      • <m, MAC_K(m)> is sent to the receiver r.
      • r receives <m′, MAC_K(m)>.
      • r can compute MAC_K(m′) based on his knowledge of K and m′.
      • If MAC_K(m′) = MAC_K(m), he knows that m = m′, since nobody else had knowledge of K.
  • MACs:
      • Do prove message integrity.
      • Do detect tampering.
      • Cannot be forged.
      • Can be replayed.
  • Do MACs prove authenticity?
      • It depends on the definition and scenario
      • If k is shared between Alice and Bob and k is only used by Alice to compute MACs of messages sent from her to Bob, Bob can be sure that the message was sent by Alice
      • If k is a shared group key used by Alice, Bob, Cesar, ... the receiver does not know who sent the message
      • Also, an external observer cannot validate the MAC as k is unknown

24/35
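
The argument of the integrity and MAC slides above, run end to end as an added example (not part of the original slides): a CRC and a plain hash both catch a random bit error, but both are accepted after a message is substituted and the tag recomputed, while a MAC rejects the substitution and still accepts a replay. HMAC-SHA256 as the MAC, the key and the sample messages are assumptions constructed for this example.

```python
import hashlib
import hmac
import zlib

K = b"constructed-demo-key"  # constructed sample key shared by Alice and Bob


def crc_tag(m: bytes) -> bytes:
    """Error detection code: no secret involved."""
    return zlib.crc32(m).to_bytes(4, "big")


def hash_tag(m: bytes) -> bytes:
    """Cryptographic hash H(m): still no secret involved."""
    return hashlib.sha256(m).digest()


def mac_tag(m: bytes, key: bytes = K) -> bytes:
    """MAC_K(m), here HMAC-SHA256 (an assumed choice of MAC)."""
    return hmac.new(key, m, hashlib.sha256).digest()


def accepts(m_received: bytes, tag_received: bytes, scheme) -> bool:
    """Receiver r recomputes the tag over m' and compares in constant time."""
    return hmac.compare_digest(scheme(m_received), tag_received)


def run_scenarios() -> dict:
    m = b"transfer 10 EUR to Bob"        # constructed sample message
    m_prime = b"transfer 90 EUR to Eve"  # message substituted in transit
    flipped = bytes([m[0] ^ 0x01]) + m[1:]  # random single-bit error
    out = {}
    for name, scheme in (("crc32", crc_tag), ("sha256", hash_tag)):
        # Random error: the tag no longer matches, so it is detected.
        out[name + "_detects_random_error"] = not accepts(flipped, scheme(m), scheme)
        # Intentional change: the tag needs no secret, so it is simply recomputed.
        out[name + "_accepts_substituted"] = accepts(m_prime, scheme(m_prime), scheme)
    tag = mac_tag(m)
    out["mac_accepts_genuine"] = accepts(m, tag, mac_tag)
    # Without K the sender of m' can only reuse the old tag or guess a key.
    out["mac_accepts_old_tag"] = accepts(m_prime, tag, mac_tag)
    out["mac_accepts_guessed_key"] = accepts(m_prime, mac_tag(m_prime, b"guess"), mac_tag)
    # The same valid pair delivered a second time still verifies: no freshness.
    out["mac_accepts_replay"] = accepts(m, tag, mac_tag)
    return out


if __name__ == "__main__":
    for check, result in run_scenarios().items():
        print(f"{check}: {result}")
```

The replay result is why protocols that use MACs also put a sequence number or nonce inside the authenticated message.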

slide-42
SLIDE 42

What can we do?

Symmetric Crypto Asymmetric Crypto Confidentiality

  • Integrity

(with hashes) Authenticity ∼ Key exchange

25/35

slide-43
SLIDE 43

Basic key exchange: The Diffie-Hellman key exchange

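Public parameters: $g, p$

  • Alice: $a \in_R \{2, \dots, p-2\}$, $A = g^a \bmod p$, $K = (B)^a = g^{ba}$
  • Bob: $b \in_R \{2, \dots, p-2\}$, $B = g^b \bmod p$, $K = (A)^b = g^{ab}$

Exchanged messages: $A$ (Alice → Bob), $B$ (Bob → Alice)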

The Diffie-Hellman key exchange provides perfect forward secrecy.

26/35
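
The exchange on this slide with both sides' computations, as an added example (not part of the original slides). The toy parameters, the range check on the received value (`check_public`) and the hashing of K into a symmetric key (`derive_key`) are assumptions added here.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example. 2**127 - 1 is prime but
# far too small for real use; deployments use standardized groups.
P = 2**127 - 1
G = 3


def check_public(value: int, p: int = P) -> int:
    """Added check: accept a peer's value only inside {2, ..., p-2}.

    0, 1 and p-1 would make the resulting K predictable whatever the exponent.
    """
    if not 2 <= value <= p - 2:
        raise ValueError("public value outside {2, ..., p-2}")
    return value


def raw_shared(peer_public: int, own_secret: int, p: int = P) -> int:
    """K = (peer's value)^(own exponent) mod p."""
    return pow(check_public(peer_public, p), own_secret, p)


def derive_key(k: int, p: int = P) -> bytes:
    """Hash the group element into a fixed-length symmetric key (assumed step)."""
    return hashlib.sha256(k.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def exchange(p: int = P, g: int = G, a: int = None, b: int = None):
    """Run both sides; a and b are drawn fresh from {2, ..., p-2} unless given."""
    a = a if a is not None else 2 + secrets.randbelow(p - 3)
    b = b if b is not None else 2 + secrets.randbelow(p - 3)
    A = pow(g, a, p)  # sent from Alice to Bob
    B = pow(g, b, p)  # sent from Bob to Alice
    k_alice = derive_key(raw_shared(B, a, p), p)  # Alice: K = B^a
    k_bob = derive_key(raw_shared(A, b, p), p)    # Bob:   K = A^b
    return A, B, k_alice, k_bob


if __name__ == "__main__":
    A, B, k_alice, k_bob = exchange()
    print("A =", A)
    print("B =", B)
    print("keys match:", k_alice == k_bob)
```

With p = 23, g = 5, a = 4 and b = 3 the values can be followed by hand: A = 4, B = 10 and K = 18 on both sides.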

slide-47
SLIDE 47

Why would we need Public Key Cryptography?

  • Our previously introduced ciphers and authentication mechanisms require a common, pre-shared, secret key
  • Out-of-band sharing is not always an option
  • Key exchange needs to be conducted securely
  • Symmetric mechanisms require a considerable amount of keys in the system:

Assume n parties, only unique keys and symmetric crypto:

  • Every party needs to keep n − 1 keys secret
  • One symmetric key for every pair in the system
  • Amount of secret keys in the system: $\frac{n(n-1)}{2} \in O(n^2)$

28/35

slide-49
SLIDE 49

Why would we need Public Key Cryptography?

  • Our previously introduced ciphers and authentication mechanisms require a common, pre-shared, secret key
  • Out-of-band sharing is not always an option
  • Key exchange needs to be conducted securely
  • Symmetric mechanisms require a considerable amount of keys in the system
  • Asymmetric Crypto reduces this number:

Assume n parties, only unique keys and asymmetric crypto:

  • Every party has a public key and a private key
  • Every party keeps their own private key secret
  • Every party publishes their public key
  • Amount of secret keys in the system: $n \in O(n)$

28/35

slide-50
SLIDE 50

Why would we need Public Key Cryptography?

  • Our previously introduced ciphers and authentication mechanisms require a common, pre-shared, secret key
  • Out-of-band sharing is not always an option
  • Key exchange needs to be conducted securely
  • Symmetric mechanisms require a considerable amount of keys in the system
  • Asymmetric Crypto reduces this number
  • Different keys used for en-/decryption: a public and a private (secret) key (pk, sk)

28/35

slide-51
SLIDE 51

Public Key Cryptography

[Figure: Alice encrypts m with E and pk to get c; Bob decrypts c with D and sk to get m]

Bob creates a public and private key pair (pk, sk) and gives pk to Alice.

29/35

slide-52
SLIDE 52

Authentication with public key cryptography - Digital Signatures

  • Similar to public key encryption schemes
  • There is also a key pair (pk, sk)
  • There are two functions:

    1. a signing function S(m, sk) that outputs a signature σ
    2. a verification function V(pk, m, σ) that outputs True or False

  • When A wants to sign a message m, it sends $(m, S(m, sk_A)) = (m, \sigma_m)$ to B.
  • B can verify the signature $\sigma_m$ of m by computing $V(pk_A, m, \sigma_m)$.

30/35

slide-53
SLIDE 53

Applications of Digital Signatures

  • Code signing: Software vendor signs its code that can be verified by the clients
  • Certificates

31/35

slide-54
SLIDE 54

Problems with asymmetric cryptography?

  • public keys need to be managed
  • computationally more expensive due to math properties of E and D

Therefore, often hybrid approaches are used

32/35

slide-55
SLIDE 55

Hybrid approaches

  • Use asymmetric crypto for authentication and key exchange/establishment
  • Use symmetric crypto for the real data transfer
  • TLS is a prime example that uses this approach

33/35

slide-57
SLIDE 57

What can we do?

Symmetric Crypto Asymmetric Crypto Confidentiality

  • Integrity

(with hashes) Authenticity ∼

  • Key exchange
  • 35/35