
Post on 28-Jun-2020


David Cash

An Invitation to Cryptography: From Herodotus to Snowden

CMSC 28400, Autumn 2019, Lecture 1

University of Chicago

Slides only rarely after today!

I think Cryptography is…

Fun and Interesting
- Beautiful and unique math
- Clever attacks
- Philosophy, precisely
- Oh the drama!

Important
- For your daily life
- For businesses
- For liberty and democracy
- Life or death for many

Greco-Persian Wars, c. 500 BC

Herodotus (499-449BC)

Goal: Private Communication

HELP IS COMING

Communication channel (insecure)

Steganography: Cryptography Prehistory, ~600-400BC

Credit: Peter van der Sluijs https://creativecommons.org/licenses/by-sa/3.0/deed.en

Credit: Museum Berlin https://creativecommons.org/licenses/by-sa/3.0/deed.en

The Beginnings of Encryption, ~400BC

Credit: Wikipedia user Luringen https://creativecommons.org/licenses/by-sa/3.0/deed.en

Scytale

Substitution Ciphers, c. 50BC + earlier

Julius Caesar (100-44BC)

More on Friday!

Frequency Analysis and Al-Kindi (801-873 AD)

More on Friday!

The first page of al-Kindi's manuscript "On Deciphering Cryptographic Messages"

Blaise de Vigenère (1523-1596) (not the inventor)

Polyalphabetic Ciphers: Le Chiffre Indéchiffrable 

More on Friday!

Credit: Augusto Buonafalce https://creativecommons.org/licenses/by-sa/3.0/deed.en

Leon Battista Alberti (1404-1472)
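Frequency analysis in working code, as an added example that is not part of the lecture slides: a Caesar shift is recovered by comparing letter counts against English, and the same test is then applied to each column of a Vigenère ciphertext once its key length is found. The sample passage, the key LEMON and the English frequency table are constructed assumptions, not material from the course.

```python
# Added example, not from the lecture: Al-Kindi style frequency analysis, first
# against a Caesar shift, then against a Vigenere cipher once its key length is
# found. Frequency table is a standard English estimate; sample text is constructed.
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ENGLISH_PCT = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
               6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHA)

def shift(text, k):
    """Caesar-shift an all-letters string by k positions (k may be negative)."""
    return "".join(ALPHA[(ALPHA.index(c) + k) % 26] for c in text)

def chi_squared(text):
    """Distance of the text's letter counts from English; lower is more English-like."""
    n, counts = len(text), Counter(text)
    return sum((counts[c] - p * n / 100) ** 2 / (p * n / 100)
               for c, p in zip(ALPHA, ENGLISH_PCT))

def break_caesar(ciphertext):
    """The shift whose removal leaves the most English-like letter frequencies."""
    return min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))

def vigenere(text, key, decrypt=False):
    """Letter i is Caesar-shifted by key[i % len(key)]; decrypt reverses it."""
    sign = -1 if decrypt else 1
    return "".join(shift(c, sign * ALPHA.index(key[i % len(key)]))
                   for i, c in enumerate(letters_only(text)))

def break_vigenere(ciphertext, max_key_len=12):
    """Each column of a Vigenere ciphertext is a Caesar cipher: try key lengths in
    turn, solve every column, and accept the first length whose joined plaintext has
    English-like counts. Wrong lengths mix several shifts into each column, which no
    single un-shift can repair, so their chi-squared per letter stays far above English."""
    for key_len in range(1, max_key_len + 1):
        shifts = [break_caesar(ciphertext[i::key_len]) for i in range(key_len)]
        plain = "".join(shift(c, -shifts[i % key_len]) for i, c in enumerate(ciphertext))
        if chi_squared(plain) / len(plain) < 0.5:
            return "".join(ALPHA[s] for s in shifts), plain
    return None, None

SAMPLE = ("The ancient Greeks hid messages under wax on wooden tablets and even on the shaved "
          "head of a slave. Caesar shifted every letter by three. Centuries later al-Kindi showed "
          "that counting how often each letter appears in a long ciphertext reveals the "
          "substitution, because the letter E is far more common than any other in ordinary "
          "written text. Vigenere tried to defeat this counting trick by cycling through several "
          "shifts, but once the length of the repeating key is known each position can be attacked on its own.")
PLAINTEXT = letters_only(SAMPLE)
CIPHERTEXT = vigenere(SAMPLE, "LEMON")
```

`break_vigenere(CIPHERTEXT)` returns the key `LEMON` together with the recovered plaintext; shorter ciphertexts make the per-column statistics noisier, which is why the lecture's "long ciphertext" condition matters.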

Homophonic Ciphers: Le Grand Chiffre (c. 1626-1811)

Louis XIV (1638-1715)

Guessed that “124-22-125-46-345” stood for “les en-ne-mie-s”

Étienne Bazeries (1846-1931) broke it in 1890s(!)

Homophonic Ciphers: Copiale Cipher (1760)

Broken in 2011 using machine learning!

Kevin Knight Beáta Megyesi

+ Christiane Schaefer

Les Cabinets Noirs (Black Chambers) 1700s—today?

Privacy and the Telegraph (mid 1800s)

Credit: ITU Pictures https://creativecommons.org/licenses/by/2.0/

Quarterly Review, 1853

Zimmermann Telegram (1917)

Unbroken Ciphertexts

Voynich Manuscript (early 1400s?)

Unbroken Ciphertexts

Beale Ciphers (1819)

Mechanical ciphers: c. 1900-1980s

Photograph by Rama, Wikimedia Commons, Cc-by-sa-2.0-fr https://creativecommons.org/licenses/by-sa/2.0/fr/deed.en

Cracking Enigma (early 30s — end of WWII)

Marian Rejewski (1905-1980) Alan Turing (1912-1954)

Details next week!

Claude Shannon (1916-2001)

Postwar Cryptography: Moving from Art to Science

The Modern Cryptography Era Begins: DES, 1970s

Horst Feistel (1915-1990)


Key Distribution Problem

The Internet

My CC num = 4417 4001 7234 1189 amazon.com

The Public-Key Revolution (1978)

Basic question: If two people are talking in the presence of an eavesdropper, and they don’t have a pre-shared key, is there any way they can send private messages?

Rivest, Shamir, Adleman in 1978: Yes, differently!

Turing Award, 2002, + no money

Diffie and Hellman in 1976: Yes!

Turing Award, 2015, + Million Dollars

Cocks, Ellis, Williamson in 1969, at GCHQ: Yes, we know about both…

Pat on the back?

RSA and Diffie-Hellman use… Number theory

Euclid (~300BC) Leonhard Euler (1707-1783)


Elliptic-Curve Cryptography (1985, deployed 2004)

Neal Koblitz Victor Miller Diophantus (~250AD)


Provable Security (1980s — present)

Shafi Goldwasser, Silvio Micali

Turing Award, 2012, + 250k Dollars

Cryptowars of the 1990s

The Breaking of DES

Attack            Complexity               Year
Biham & Shamir    2^47 encrypted blocks    1992
DESCHALL          41 days                  1997
EFF Deepcrack     4.5 days                 1998
EFF Deepcrack     22 hours                 1999

- 3DES (“Triple DES”) is still used by banks
- 3DES encrypts three times
- 3DES is not known to be broken but should be avoided

Advanced Encryption Standard (AES) 2001—present

Vincent Rijmen Joan Daemen


Crypto Today

Crypto primitives
• RSA, DSA, ECDSA
• Diffie–Hellman, ECDH
• HMAC
• MD5, SHA1, SHA-2
• DES, 3DES, RC4, AES
• Export grade

Ciphersuite details
• Data structures
• Key derivation
• Encryption modes, IVs
• Padding

Advanced functionality
• Alerts & errors
• Certification / revocation
• Negotiation
• Renegotiation
• Session resumption
• Key reuse
• Compression
• State machine

Libraries
• OpenSSL
• LibreSSL, BoringSSL
• NSS
• GnuTLS
• SChannel
• Java JSSE
• Everest / miTLS
• s2n

Applications
• Web browsers: Chrome, Firefox, IE/Edge, Safari
• Web servers: Apache, IIS, nginx, node, …
• Application SDKs
• Certificates
• Protocols: HTTP, IMAP, ..

Attacks on TLS (figure: Stebila, 2018-09-04)

• Cross-protocol DH/ECDH attack
• RC4 biases, rc4nomore, Bar Mitzvah
• CRIME, BREACH, HEIST
• Triple handshake attack
• goto fail;
• Goldberg & Wagner Netscape PRNG attack
• FREAK, Logjam
• Sweet32
• Lucky13
• Termination, Cookie Cutter
• Bleichenbacher
• SSL 2.0 downgrade
• POODLE
• BEAST
• SLOTH
• Collisions
• Ray & Dispensa
• Debian OpenSSL entropy bug
• “Most dangerous code…”
• MalloDroid
• CCS injection
• BERserk
• Heartbleed
• CA breaches
• Frankencerts
• Virtual host confusion
• SSL stripping
• SMACK
• STARTTLS injection
• Lucky microseconds
• Jager et al.
• DROWN

Cryptowars of the 2010-2020s

Cryptography Today: An International Community

Crypto beyond secure channels: Secure Multiparty Computation

Everyone learns the outcome of the vote (majority YEA or NAY). No one learns anything else about individual votes (or the margin of victory).

(Figure: a group of voters, each holding a YEA or NAY ballot.)

Crypto beyond secure channels: Zero-Knowledge Proofs

Blue person: “I know primes p,q such that pq = N.”

Green person (holding the number N): “Prove it! Show me p and q.”

Blue person: “But p and q are private…”

Zero-Knowledge Proof (blue person keeps p,q)

Green person: “I’m convinced that you know primes p,q such that pq=N!”

Green person is convinced blue person knows p and q such that pq=N. But green person learns nothing else about p and q.
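The exchange in the cartoon as a runnable toy, added here and not part of the lecture. Proving knowledge of p and q directly takes more machinery than fits here, so the statement proved is the closely related "I know a square root of v modulo N = pq" (the classic Fiat-Shamir identification protocol, a stand-in for the slide's statement); the primes, the secret and the challenge bits are constructed values.

```python
# Added example, not from the lecture: an interactive zero-knowledge proof in the
# spirit of the cartoon. Proving knowledge of p and q directly needs more machinery,
# so the statement here is "I know a square root s of v modulo N = pq" (the classic
# Fiat-Shamir identification protocol); without p and q, finding such roots is as
# hard as factoring N. All numbers are constructed toy values.
from math import gcd
import random

def random_unit(N, rng):
    """A random element of Z_N that is coprime to N."""
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def prover_commit(N, rng):
    """Step 1: the prover picks a secret r and sends x = r^2 mod N."""
    r = random_unit(N, rng)
    return r, pow(r, 2, N)

def prover_respond(N, r, s, e):
    """Step 3: answer the verifier's challenge bit e with y = r * s^e mod N."""
    return r * pow(s, e, N) % N

def verifier_check(N, v, x, e, y):
    """Step 4: accept iff y^2 == x * v^e (mod N)."""
    return pow(y, 2, N) == x * pow(v, e, N) % N

def run_protocol(N, v, s, challenges, seed=0):
    """One round per challenge bit (step 2 is the verifier choosing e). A prover
    without a real root of v passes a round only when e == 0, so a cheater
    survives k random challenges with probability 2^-k."""
    rng = random.Random(seed)
    for e in challenges:
        r, x = prover_commit(N, rng)
        y = prover_respond(N, r, s, e)
        if not verifier_check(N, v, x, e, y):
            return False
    return True

def simulate_transcript(N, v, e, seed=0):
    """Why nothing leaks: with no secret at all, anyone can forge an accepting
    (x, e, y) by choosing y first and back-computing x = y^2 * v^-e mod N. Real
    transcripts have the same distribution, so they reveal nothing about s."""
    y = random_unit(N, random.Random(seed))
    return pow(y, 2, N) * pow(v, -e, N) % N, e, y

P, Q, S = 61, 53, 123                   # toy primes and the prover's secret root
N, V = P * Q, pow(S, 2, P * Q)          # public values: N = 3233, v = 2197
```

A prover who does not know a root of V (try s = 124) is caught the first time the challenge bit is 1, while `simulate_transcript` shows that an accepting transcript carries no information the verifier could not have produced alone.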

This class: CMSC 28400 “Cryptography”…

… Counts for the theory sequence (BS/BA in CS). You will work with definitions, theorems, and proofs.

… Is a Computer Science class. You will write programs building and breaking crypto.

Will assume knowledge in…

Math
- Algorithms analysis (Big-Oh)
- Discrete probability
- Modular arithmetic

Programming
- Write short programs
- Understand binary/hex
- Get by with python

Not assumed:
- Computer security
- Any crypto knowledge

Outline of Topics

Part 1: Classical Crypto (Weeks 1-2)
1. Classical ciphers and how to break them
2. Enigma and the Polish Attack
3. One-time pad and perfect secrecy

Part 2: Modern Symmetric Crypto (Weeks 3-6)
1. Blockciphers: DES and/or AES
2. Provable security and symmetric encryption
3. Message authentication
4. Hash functions
5. Bugs and attacks!

Part 3: Public-Key Crypto (Weeks 7-10)
1. Number theory refresh
2. Group theory
3. Discrete logarithms, factoring, RSA problems
4. Diffie-Hellman and RSA key exchange/encryption
5. Elliptic curves
6. Bugs and attacks!

Themes:

1. Attacks!
2. Math AND CS
3. Definitions
4. Proofs

After finishing this class, you should be able to…

… Understand design rationale for lots of modern crypto.

… Evaluate the security of many crypto constructions.

… Implement attacks against crypto.

This class won’t cover everything, including…

… Lots of relevant crypto. 284 is just a start.

… How to securely implement crypto (!).

… How to design a secure system (website, app, …)

Assessment

1. Theory Problem Sets (1 per week, due Fridays)
2. Programming Problem Sets (Projects) (3 or 4 total)
3. Two midterm exams: Weeks 5 and 8
4. Final exam at end of term

Please read the syllabus carefully: https://www.cs.uchicago.edu/~davidcash/284-autumn-19/

First assignment out Friday.

No participation / attendance grade

The End
