Outline Hash functions and MACs, cont’d Building a secure channel CSci 5271 Announcements intermission Introduction to Computer Security Crypto combined slides Public-key crypto basics Public key encryption and signatures Stephen McCamant University of Minnesota, Computer Science & Engineering Cryptographic protocols, pt. 1 Key distribution and PKI Kinds of attacks Security levels For function with ❦ -bit output: Pre-image, “inversion”: given ② , find ① such that Preimage and second preimage should have ❍ ✭ ① ✮ ❂ ② complexity ✷ ❦ Second preimage, targeted collision: given ① , ❍ ✭ ① ✮ , Collision has complexity ✷ ❦❂✷ find ① ✵ ✻ ❂ ① such that ❍ ✭ ① ✵ ✮ ❂ ❍ ✭ ① ✮ Conservative: use hash function twice as big as (Free) collision: find ① ✶ , ① ✷ such that ❍ ✭ ① ✶ ✮ ❂ ❍ ✭ ① ✷ ✮ block cipher key Though if you’re paranoid, cipher blocks can repeat too Non-cryptographic hash functions Short hash function history On the way out: MD5 (128 bit) Flaws known, collision-finding now routine The ones you probably use for hash tables SHA(-0): first from NIST/NSA, quickly withdrawn CRCs, checksums Likely flaw discovered 3 years later Output too small, but also not resistant to attack SHA-1: fixed SHA-0, 160-bit output. E.g., CRC is linear and algebraically nice ✷ ✻✵ collision attack described in 2013 First public collision found (using 6.5 kCPU yr) in 2017 Length extension problem SHA-2 and SHA-3 SHA-2: evolutionary, larger, improvement of SHA-1 MD5, SHA1, etc., computed left to right over blocks Exists as SHA- ❢ ✷✷✹❀ ✷✺✻❀ ✸✽✹❀ ✺✶✷ ❣ Can sometimes compute ❍ ✭ ❛ ❦ ❜ ✮ in terms of But still has length-extension problem ❍ ✭ ❛ ✮ SHA-3: chosen recently in open competition like AES ❦ means bit string concatenation Formerly known as Keccak, official standard Aug. 2015 New design, fixes length extension Makes many PRF-style constructions insecure Not yet very widely used
MAC: basic idea CBC-MAC construction Message authentication code: similar to hash Same process as CBC encryption, but: function, but with a key Start with IV of 0 Return only the last ciphertext block Adversary without key cannot forge MACs Both these conditions needed for security Strong definition: adversary cannot forge anything, For fixed-length messages (only), as secure as the even given chosen-message MACs on other block cipher messages HMAC construction Outline Hash functions and MACs, cont’d ❍ ✭ ❑ ❦ ▼ ✮ : insecure due to length extension Building a secure channel Still not recommended: ❍ ✭ ▼ ❦ ❑ ✮ , ❍ ✭ ❑ ❦ ▼ ❦ ❑ ✮ Announcements intermission HMAC: ❍ ✭ ❑ ✟ ❛ ❦ ❍ ✭ ❑ ✟ ❜ ❦ ▼ ✮✮ Public-key crypto basics Standard ❛ ❂ ✵①✺❝ ✄ , ❜ ❂ ✵①✸✻ ✄ Public key encryption and signatures Probably the most widely used MAC Cryptographic protocols, pt. 1 Key distribution and PKI Session keys Order of operations Encrypt and MAC (“in parallel”) Don’t use your long term password, etc., directly as Safe only under extra assumptions on the MAC a key Encrypt then MAC Instead, session key used for just one channel Has cleanest formal safety proof In modern practice, usually obtained with public-key MAC then Encrypt crypto Preferred by FS&K for some practical reasons Separate keys for encryption and MACing Can also be secure Authenticated encryption modes Ordering and message numbers Encrypting and MACing as separate steps is about Also don’t want attacker to be able to replay or twice as expensive as just encrypting reorder messages “Authenticated encryption” modes do both at once Simple approach: prefix each message with counter Newer (circa 2000) innovation, many variants Discard duplicate/out-of-order messages NIST-standardized and unpatented: Galois Counter Mode (GCM)
Padding Padding oracle attack Have to be careful that decoding of padding does Adjust message size to match multiple of block size not leak information To be reversible, must sometimes make message E.g., spend same amount of time MACing and longer checking padding whether or not padding is right E.g.: for 16-byte block, append either ✶ , or ✷ ✷ , or Remote timing attack against CBC TLS published ✸ ✸ ✸ , up to 16 “16” bytes 2013 Don’t actually reinvent the wheel Outline Hash functions and MACs, cont’d This is all implemented carefully in OpenSSL, SSH, Building a secure channel etc. Announcements intermission Good to understand it, but rarely sensible to Public-key crypto basics reimplement it Public key encryption and signatures You’ll probably miss at least one of decades’ worth Cryptographic protocols, pt. 1 of attacks Key distribution and PKI Exercise set 3 Outline Hash functions and MACs, cont’d Building a secure channel Covering crypto, up through abstract protocols Announcements intermission Available since this morning Public-key crypto basics Due a week from today 11/6 Public key encryption and signatures Cryptographic protocols, pt. 1 Key distribution and PKI Pre-history of public-key crypto Box and locks analogy Alice wants to send Bob a gift in a locked box First invented in secret at GCHQ They don’t share a key Proposed by Ralph Merkle for UC Berkeley grad. Can’t send key separately, don’t trust UPS security class project Box locked by Alice can’t be opened by Bob, or vice-versa First attempt only barely practical Professor didn’t like it Merkle then found more sympathetic Stanford collaborators named Diffie and Hellman
Box and locks analogy Protocol with clip art Alice wants to send Bob a gift in a locked box They don’t share a key Can’t send key separately, don’t trust UPS Box locked by Alice can’t be opened by Bob, or vice-versa Math perspective: physical locks commute Protocol with clip art Protocol with clip art Protocol with clip art Public key primitives Public-key encryption (generalizes block cipher) Separate encryption key EK (public) and decryption key DK (secret) Signature scheme (generalizes MAC) Separate signing key SK (secret) and verification key VK (public) Modular arithmetic Generators and discrete log Modulo a prime ♣ , non-zero values and ✂ have a Fix modulus ♥ , keep only remainders mod ♥ nice (“group”) structure mod 12: clock face; mod ✷ ✸✷ : ✉♥s✐❣♥❡❞ ✐♥t ❣ is a generator if ❣ ✵ ❀ ❣❀ ❣ ✷ ❀ ❣ ✸ ❀ ✿ ✿ ✿ cover all ✰ , ✲ , and ✂ work mostly the same elements Division: see Exercise Set 1 Easy to compute ① ✼ ✦ ❣ ① Exponentiation: efficient by square and multiply Inverse, discrete logarithm , hard for large ♣
Diffie-Hellman key exchange Relationship to a hard problem Goal: anonymous key exchange We’re not sure discrete log is hard (likely not even Public parameters ♣ , ❣ ; Alice and Bob have resp. NP-complete), but it’s been unsolved for a long time secrets ❛ , ❜ Alice ✦ Bob: ❆ ❂ ❣ ❛ If discrete log is easy (e.g., in P), DH is insecure ✭ mod ♣ ✮ Bob ✦ Alice: ❇ ❂ ❣ ❜ Converse might not be true: DH might have other ✭ mod ♣ ✮ Alice computes ❇ ❛ ❂ ❣ ❜❛ ❂ ❦ problems Bob computes ❆ ❜ ❂ ❣ ❛❜ ❂ ❦ Categorizing assumptions Key size, elliptic curves Need key sizes ✘ 10 times larger then security level Math assumptions unavoidable, but can categorize Attacks shown up to about 768 bits E.g., build more complex scheme, shows it’s “as Elliptic curves: objects from higher math with secure” as DH because it has the same underlying analogous group structure assumption (Only tenuously connected to ellipses) Commonly “decisional” (DDH) and “computational” Elliptic curve algorithms have smaller keys, about 2 ✂ (CDH) variants security level Outline General description Hash functions and MACs, cont’d Building a secure channel Public-key encryption (generalizes block cipher) Announcements intermission Separate encryption key EK (public) and decryption key DK (secret) Public-key crypto basics Signature scheme (generalizes MAC) Public key encryption and signatures Separate signing key SK (secret) and verification key VK (public) Cryptographic protocols, pt. 1 Key distribution and PKI RSA setup RSA encryption Choose ♥ ❂ ♣q , product of two large primes, as modulus Public key is ✭ ♥❀ ❡ ✮ ♥ is public, but ♣ and q are secret Encryption of ▼ is ❈ ❂ ▼ ❡ ✭ mod ♥ ✮ Compute encryption and decryption exponents ❡ Private key is ✭ ♥❀ ❞ ✮ Decryption of ❈ is ❈ ❞ ❂ ▼ ❡❞ ❂ ▼ and ❞ such that ✭ mod ♥ ✮ ▼ ❡❞ ❂ ▼ ✭ mod ♥ ✮
Recommend
More recommend
