CS 134
Fall 2016 Final Review

Some Basics and Terminology

Terminology (Cryptography)
• Cryptology, Cryptography, Cryptanalysis
• Cipher, Cryptosystem, Encryption scheme
• Encryption/Decryption, Encipher/Decipher
• Privacy/Confidentiality, Authentication, Identification
• Integrity
• Non-repudiation
• Freshness, Timeliness
• Intruder, Adversary, Interloper, Attacker
• Anonymity, Unlinkability/Untraceability

Terminology (Security)
• Access Control & Authorization
• Accountability
• Intrusion Detection
• Physical Security
• Tamper-Resistance
• Certification & Revocation
Attacks, Services and Mechanisms
• Security Attack: any action (or event) that aims to compromise (undermine) the security of information
• Security Mechanism: a measure (technique or method) designed to detect, prevent, or recover from, a security attack
• Security Service: something that enhances the security of data processing systems and information transfers. A "security service" makes use of one or more "security mechanisms"
• Example:
  – Security Attack: Eavesdropping (Interception)
  – Security Mechanism: Encryption
  – Security Service: Confidentiality

Security Attacks
• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity

Main Security Goals
Integrity
Confidentiality
Availability
Authenticity
Security Threats: Threat vs Attack?
[Figure: modification by injection vs. by deletion]
Example Security Services
• Confidentiality: to assure information privacy and secrecy
• Authentication: to assert who created or sent data
• Integrity: to show that data has not been altered
• Access Control: to prevent misuse of resources
• Availability: to offer access to resources, permanence, non-erasure
Examples of attacks on Availability:
  – Denial of Service (DoS) attacks
    • e.g., against a name server
  – Malware that deletes or encrypts files

Some Methods of Defense
• Cryptography → confidentiality, authentication, identification, integrity, etc.
• Software Controls (e.g., in databases, operating systems) → protect users from each other
• Hardware Controls (e.g., smart cards, badges) → authenticate holders (users)
• Policies (e.g., frequent password changes, separation of duty) → prevent insider attacks
• Physical Controls (doors, guards, etc.) → control physical access

Cryptography can be used at different levels
• Algorithms: encryption, signatures, hashing, Pseudo Random Number Generator (PRNG)
• Protocols (2 or more parties): key distribution, authentication, identification, login, payment, etc.
• Systems: electronic cash, secure file systems, smart cards, VPNs, e-voting, etc.
• Attacks: on all the above

Types of Attainable Security
• Perfect, unconditional or "information theoretic": the security is evident, free of any (computational/hardness) assumptions
• Reducible or "provable": security can be shown to be based on some common (often unproven) assumptions, e.g., the conjectured difficulty of factoring large integers
• Ad hoc: the security seems good, often -> "snake oil"…
Take a look at:
http://www.ciphersbyritter.com/GLOSSARY.HTM
Some Applications of Cryptography
• Network, operating system security
• Protect Internet, phone, space communication
• Electronic payments (e-commerce)
• Database security
• Software/content piracy protection
• Pay TV (e.g., satellite)
• Military communications
• Voting

Historical (Primitive) Ciphers
• Shift (e.g., Caesar): Enc_k(x) = x + k mod 26
• Affine: Enc_{k1,k2}(x) = k1 * x + k2 mod 26
• Substitution: Enc_perm(x) = perm(x)
• Vigenere: Enc_K(X) = (X[0] + K[0], X[1] + K[1], …)
• Vernam: One-Time Pad (OTP)
VERNAM One-Time Pad (OTP): World's Best Cipher
Plaintext P = {p_1, …, p_n}, one-time pad stream O = {o_1, …, o_n}, ciphertext C = {c_1, …, c_n}, where
  c_i = p_i ⊕ o_i and p_i = c_i ⊕ o_i, with p_i, o_i, c_i ∈ {0,1} and 0 < i ≤ n
(in general: if C = A ⊕ B then B = A ⊕ C)

VERNAM One-Time Pad (OTP): World's Best Cipher
• Vernam offers perfect information-theoretic security, but:
• How long does the OTP key stream need to be?
• How do Alice and Bob exchange the key stream?
Cryptosystems classified along three dimensions:
1. Type of operations used for transforming plaintext into ciphertext
   • Binary arithmetic: shifts, XORs, ANDs, etc.
     • Typical for conventional/symmetric key encryption
   • Integer arithmetic
     • Typical for public key/asymmetric key encryption
2. Number of keys used
   • Symmetric or conventional (single key used)
   • Asymmetric or public-key (2 keys: 1 to encrypt, 1 to decrypt)
3. How plaintext is processed:
   • One bit at a time
   • A string of any length
   • A block of bits

Conventional/Symmetric Key Cryptography

Conventional (Symmetric) Cryptography
• Alice and Bob share a key K_AB which they somehow agree upon (how?)
  • key distribution / key management problem
  • ciphertext is roughly as long as plaintext
  • examples: Substitution, Vernam OTP, DES, AES
[Figure: plaintext m → encryption algorithm (K_AB) → ciphertext K_AB(m) → decryption algorithm (K_AB) → plaintext m = K_AB(K_AB(m))]
Uses of Conventional Cryptography
• Message transmission (confidentiality):
  • Communication over insecure channels
• Secure storage: crypt on Unix
• Strong authentication: proving knowledge of a secret without revealing it:
  • See next slide
  • Eve can obtain chosen <plaintext, ciphertext> pair
  • Challenge should be chosen from a large pool
• Integrity checking: fixed-length checksum for message via secret key cryptography
  • Send MAC along with the message, MAC = H(m, K)

Challenge-Response Authentication Example
[Figure: Alice and Bob both hold K_AB]
  Alice → Bob: r_a (challenge)
  Bob → Alice: K_AB(r_a) (challenge reply)
  Bob → Alice: r_b (challenge)
  Alice → Bob: K_AB(r_b) (challenge reply)

Conventional Cryptography
• Advantages
  • high data throughput
  • relatively short key size
  • primitives to construct various cryptographic mechanisms
• Disadvantages
  • key must remain secret at both ends
  • key must be distributed securely and efficiently
  • relatively short key lifetime
Block Ciphers
• Originated with early 1970's IBM effort to develop banking security systems
• First result was Lucifer, most common variant has 128-bit key and block size
• Was not secure in any of its variants
• Called a Feistel or product cipher
• F()-function is a simple transformation, does not have to be reversible
• Each step is called a round; the more rounds, the greater the security (to a point)
• Most famous example of this design is DES

Generic Example of Block Encryption
[Figure]

Classic Feistel Network
"Round Keys" are generated from original key via subkey generation algorithm

Feistel Cipher Structure
• Block Size: larger block sizes mean greater security
• Key Size: larger key size means greater security
• Number of Rounds: multiple rounds offer increasing security
• Subkey Generation Algorithm: greater complexity will lead to greater difficulty of cryptanalysis
• Fast Software En/Decryption: speed of execution of the algorithm becomes a concern

Data Encryption Standard (DES) Summary
• Permutation/substitution block cipher
• 64-bit data blocks
• 56-bit keys (8 parity bits)
• 16 rounds (shifts, XORs)
• Key schedule
• S-box selection secret…
• DES "aging"
• 2-DES: rendezvous attack
• 3-DES: 112-bit security
• DESX: 118-bit security

Basic Structure of DES
[Figure]

Encryption vs Decryption in DES
[Figure]
How to Strengthen DES: The Case of Double DES
• 2DES: C = DES(K1, DES(K2, P))
• Seems to be hard to break by "brute force", approx. 2^111 trials
• Assume Eve is trying to break 2DES and has a single (P, C) pair
Meet-in-the-middle (or Rendezvous) ATTACK:
I. For each possible K'_i (where 0 < i < 2^56)
   1. Compute C'_i = DES(K'_i, P)
   2. Store [K'_i, C'_i] in table T (sorted by C'_i)
II. For each possible K"_i (where 0 < i < 2^56)
   1. Compute C"_i = DES^-1(K"_i, C)
   2. Look up C"_i in T ← not expensive!
   3. If lookup succeeds, output: K1 = K'_i, K2 = K"_i
TOTAL COST: O(2^56) operations + O(2^56) storage

DES Variants
o 3-DES (Triple DES)
  o C = E(K1, D(K2, E(K1, P))) → 112 effective key bits
  o C = E(K3, D(K2, E(K1, P))) → 168 effective key bits
o DESX
  o C = K3 XOR E(K2, (K1 XOR P)) → seems like 184 key bits
  o Effective key bits → approx. 118
o 2-DES:
  o C = E(K2, E(K1, P)) → rendezvous (meet-in-the-middle attack)
o Another simple variation:
  o C = K1 XOR E(K1', P) → weak!
NOTE: The same variants can be constructed out of any cipher
Modes of Operation (not just for DES, for any block cipher)
[Figure: ENCRYPTION of plaintext blocks P1, P2, …, Pi, Pi+1, …, Pn-1, Pn into ciphertext blocks C1, C2, …, Ci, Ci+1, …, Cn-1, Cn]
http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

"Native" ECB Mode: Electronic Code-Book (ECB) Mode
• Input to encryption algorithm is current plaintext block:
  C_i = E(K, P_i)    P_i = D(K, C_i)
• Duplicate plaintext blocks (patterns) visible in ciphertext
  • What if Alice encrypts one word per plaintext block?
• Ciphertext block rearrangement is possible
  • To detect it, need explicit block numbering in plaintext
• Parallel encryption and decryption (random access)
• Error in one ciphertext block ⇒ one-block loss
• One-block loss in ciphertext?

CBC Mode: Cipher-Block Chaining (CBC) Mode
• Input to encryption algorithm is the XOR of current plaintext block and preceding ciphertext block:
  C_i = E(K, P_i XOR C_{i-1})    C_0 = IV    P_i = D(K, C_i) XOR C_{i-1}
• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• No parallel encryption
  • How about parallel decryption?
• Error in one ciphertext block ⇒ two-block loss
• One-block ciphertext loss?

OFB Mode: Output Feedback (OFB) Mode
• Key-stream is produced by repeated encryption of V_0:
  C_i = E(K, V_{i-1}) XOR P_i    V_0 = IV    P_i = E(K, V_{i-1}) XOR C_i
• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• Key-stream is independent of plaintext
  • How does that affect speed of encryption? Parallelism?
• Bit error in one ciphertext block ⇒ one-bit error in plaintext
• One-block ciphertext loss ⇒ big mess :)
• Can encrypt less than block size

CFB Mode: Cipher Feedback (CFB) Mode
• Key-stream is produced by re-encryption of preceding ciphertext -- C_{i-1}:
  C_i = P_i XOR E(K, C_{i-1})    C_0 = IV    P_i = E(K, C_{i-1}) XOR C_i
• Duplicate plaintext blocks (patterns) NOT exposed
• Block rearrangement is detectable
• Key-stream is dependent on plaintext
  • How does that affect speed of encryption? Parallelism?
• Bit error in one ciphertext block ⇒ one-bit + one-block loss in plaintext
  • Adversary can still selectively flip/change bits
• One-block ciphertext loss ⇒ 1-extra-block loss
• Can encrypt less than block size

CTR Mode: Counter (CTR) Mode
• Key-stream is produced by encryption of an increasing counter:
  C_i = E(K, CTR_i) XOR P_i    CTR_i = CTR_{i-1} + 1    P_i = E(K, CTR_i) XOR C_i
• Duplicate plaintext blocks (patterns) NOT exposed, unless?
• Block rearrangement is detectable
• Key-stream is independent of plaintext
• Parallel encryption and decryption (random access)
• Bit error in one ciphertext block ⇒ one-bit error in plaintext
• One-block ciphertext loss ⇒ big mess
• Can encrypt less than block size

MAC Mode: Message Authentication Code (MAC) Mode
• Encryption is the same as in CBC mode, but ciphertext is NOT sent!
  C_i = E(K, P_i XOR C_{i-1})    C_0 = IV
  What is sent or stored: P_1, ..., P_n, C_n = MAC
  Receiver recomputes C_n with K and compares
• Any change in plaintext results in unpredictable changes in MAC
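Added example (not code from the slides): a toy Feistel block cipher, as in the Feistel section above (8 rounds, SHA-256 truncated as the non-invertible F-function, 64-bit blocks), driving ECB, CBC, CTR and the CBC "MAC mode" so the pattern-leakage and error-propagation claims above can be checked; the cipher, the key and the sample messages are assumptions for illustration only.

```python
import hashlib

BLOCK = 8          # 64-bit blocks (assumption: DES-sized)
HALF = BLOCK // 2
ROUNDS = 8

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes):
    """Toy subkey generation algorithm: one round key per round, derived from the key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(ROUNDS)]

def _f(half: bytes, round_key: bytes) -> bytes:
    """Feistel F-function: a simple, NON-invertible transformation (truncated SHA-256)."""
    return hashlib.sha256(round_key + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Classic Feistel network: L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, K_i)."""
    left, right = block[:HALF], block[HALF:]
    for rk in _subkeys(key):
        left, right = right, _xor(left, _f(right, rk))
    return right + left            # final swap: decryption is the same loop with reversed keys

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rk in reversed(_subkeys(key)):
        left, right = right, _xor(left, _f(right, rk))
    return right + left

def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):                        # C_i = E(K, P_i); pt must be a multiple of BLOCK
    return b"".join(block_encrypt(key, p) for p in split_blocks(pt))

def cbc_encrypt(key, iv, pt):                    # C_i = E(K, P_i XOR C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in split_blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):                    # P_i = D(K, C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):                 # C_i = E(K, CTR_i) XOR P_i; same call decrypts
    start = int.from_bytes(nonce, "big")
    out = []
    for i, d in enumerate(split_blocks(data)):
        ctr = ((start + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(_xor(d, block_encrypt(key, ctr)))   # a short last block is fine (zip truncates)
    return b"".join(out)

def cbc_mac(key, msg):                           # "MAC mode": CBC with IV = 0, keep only C_n
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]

# --- checks of the slides' claims, on constructed sample data ---

def ecb_exposes_patterns(key) -> bool:
    ct = split_blocks(ecb_encrypt(key, b"ATTACK! " * 3))   # three identical plaintext blocks
    return ct[0] == ct[1] == ct[2]                          # True: patterns visible in ECB

def cbc_exposes_patterns(key, iv) -> bool:
    ct = split_blocks(cbc_encrypt(key, iv, b"ATTACK! " * 3))
    return ct[0] == ct[1] == ct[2]                          # False: chaining hides them

def cbc_blocks_hit_by_one_bit_error(key, iv):
    """Flip one bit in C_2 of a 4-block message and report which plaintext blocks change."""
    pt = bytes(range(4 * BLOCK))
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK] ^= 0x01                                        # first byte of the 2nd ciphertext block
    rec = split_blocks(cbc_decrypt(key, iv, bytes(ct)))
    return [r != p for r, p in zip(rec, split_blocks(pt))]  # [False, True, True, False]: two-block loss

def ctr_plaintext_bits_flipped_by_one_bit_error(key, nonce) -> int:
    """Same experiment in CTR: exactly one plaintext bit changes (the slide's one-bit error)."""
    pt = bytes(range(4 * BLOCK))
    ct = bytearray(ctr_crypt(key, nonce, pt))
    ct[BLOCK] ^= 0x01
    rec = ctr_crypt(key, nonce, bytes(ct))
    return sum(bin(a ^ b).count("1") for a, b in zip(rec, pt))   # 1

def cbc_mac_detects_change(key) -> bool:
    msg = bytes(range(3 * BLOCK))
    tampered = bytes([msg[0] ^ 0x80]) + msg[1:]
    return cbc_mac(key, msg) != cbc_mac(key, tampered)      # True
```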
Cryptographic Hash Functions

Purpose
• CHF – one of the most important tools in modern cryptography and security
• In crypto, CHF instantiates a Random Oracle paradigm
• In security, used in a variety of authentication and integrity applications
• Not the same as "hashing" used in DB or CRCs in communications

Cryptographic HASH Functions
• Purpose: produce a fixed-size "fingerprint" or digest of arbitrarily long input data
• Why? To guarantee integrity
• Properties of a "good" cryptographic HASH function H():
  1. Takes on input of any size
  2. Produces fixed-length output
  3. Easy to compute (efficient)
  4. Given any h, computationally infeasible to find any x such that H(x) = h
  5. For a given x, computationally infeasible to find y such that H(y) = H(x) and y ≠ x
  6. Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y

Construction
• A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (M_i)
• Sort of like a Chained Block Cipher
• Produces a hash value for each fixed-size block based on (1) its content and (2) hash value for the previous block
• "Avalanche" effect: 1-bit change in input produces "catastrophic" and unpredictable changes in output
[Figure: IV → f(M_1) → h_1 → f(M_2) → h_2 → … → h_{n-1} → f(M_n) → h]
The Birthday Paradox
• Example hash function: y = H(x) where: x = person and H() is Bday()
• y ranges over set Y = [1…365], let n = size of Y, i.e., number of distinct values in the range of H()
• How many people do we need to 'hash' to have a collision?
• Or: what is the probability of selecting at random k DISTINCT numbers from Y?
• probability of no collisions:
  • P0 = 1 * (1 - 1/n) * (1 - 2/n) * … * (1 - (k-1)/n) ≈ e^(k(1-k)/2n)
• probability of at least one:
  • P1 = 1 - P0
• Set P1 to be at least 0.5 and solve for k:
  • k ≈ 1.17 * SQRT(n)
  • k ≈ 22.3 for n = 365
So, what's the point?

The Birthday Paradox
m = log2(n) = size of H()
With n = 2^m possible outputs, 2^(m/2) trials must be computationally infeasible!

How Long Should a Hash be?
• Many input messages yield the same hash
  • e.g., 1024-bit message, 128-bit hash
  • On average, 2^896 messages map into one hash
• With m-bit hash, it takes about 2^(m/2) trials to find a collision (with ≥ 0.5 probability)
  • When m = 64, it takes 2^32 trials to find a collision (doable in very little time)
  • Today, need at least m = 160, requiring about 2^80 trials

Hash Function Examples
                 SHA-1 (weak)           MD5 (defunct)          RIPEMD-160 (unloved) :)
Digest length    160 bits               128 bits               160 bits
Block size       512 bits               512 bits               512 bits
# of steps       80 (4 rounds of 20)    64 (4 rounds of 16)    160 (5 paired rounds of 16)
Max msg size     2^64 - 1 bits          ∞                      ∞
Other (stronger) variants of SHA are SHA-256 and SHA-512. See: http://en.wikipedia.org/wiki/SHA_hash_functions
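Added example (not from the slides): the birthday-paradox numbers above computed for n = 365, followed by the 2^(m/2) collision search run against an m-bit truncation of SHA-256; the truncation to m = 32 bits and the constructed inputs are assumptions chosen so the search finishes in seconds.

```python
import hashlib
import math

def p_no_collision(n: int, k: int) -> float:
    """P0 = 1 * (1 - 1/n) * (1 - 2/n) * ... * (1 - (k-1)/n): k draws from n values, all distinct."""
    p = 1.0
    for j in range(k):
        p *= 1 - j / n
    return p

def p_no_collision_approx(n: int, k: int) -> float:
    """The slide's approximation P0 ≈ e^(-k(k-1)/2n)."""
    return math.exp(-k * (k - 1) / (2 * n))

def people_for_half_chance(n: int = 365) -> int:
    """Smallest k with P1 = 1 - P0 >= 0.5 (23 for birthdays)."""
    k = 1
    while 1 - p_no_collision(n, k) < 0.5:
        k += 1
    return k

def birthday_estimate(n: int) -> float:
    """Closed form from the slide: k ≈ 1.17 * sqrt(n)."""
    return 1.17 * math.sqrt(n)

def truncated_hash(data: bytes, m_bits: int) -> int:
    """An m-bit 'hash': the leading m bits of SHA-256 (m kept small only so the search is fast)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - m_bits)

def find_collision(m_bits: int, seed: int = 0):
    """Birthday search: hash distinct constructed inputs until two share an m-bit digest.
    Returns (trials, x, y); trials is about 2^(m/2), as the slide states."""
    seen = {}
    trials = 0
    while True:
        x = seed.to_bytes(8, "big") + trials.to_bytes(8, "big")   # constructed, all distinct
        trials += 1
        h = truncated_hash(x, m_bits)
        if h in seen:
            return trials, seen[h], x
        seen[h] = x
```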
MD5
• Author: R. Rivest, 1992
• 128-bit hash
• based on earlier, weaker MD4 (1990)
• Collision resistance (B-day attack resistance)
  • only 64-bit
• Output size not long enough today (due to various attacks)

Overview of MD5
[Figure]

MD5 Padding
• Given original message M, add padding bits "100…" such that resulting length is 64 bits less than a multiple of 512 bits.
• Append original length in bits to the padded message
• Final message chopped into 512-bit blocks

MD5: Padding
[Figure: Input Message → Padding → 512-bit blocks 1, 2, 3, 4; Initial Value → … → Final Output: 128-bit Digest]

MD5 Transformation Block by Block
[Figure: 512-bit blocks B1, B2, B3, B4 fed through MD5 in sequence → Result]

MD5 Box
[Figure: Initial 128-bit vector and 512-bit message chunks (16 words) → 128-bit result]
F(x,y,z) = (x ∧ y) ∨ (¬x ∧ z)
G(x,y,z) = (x ∧ z) ∨ (y ∧ ¬z)
H(x,y,z) = x ⊕ y ⊕ z
I(x,y,z) = y ⊕ (x ∧ ¬z)
x <<< y: x left-rotate y bits
Secure Hash Algorithm (SHA)
• Revised in 1995 as SHA-1
  • Input: up to 2^64 bits
  • Output: 160-bit digest
  • 80-bit collision resistance
• Pad with at least 64 bits to resist padding attack
  • 1000…0 || <message length>
• Processes 512-bit block
  • Initiate 5 x 32-bit MD registers
  • Apply compression function
    • 4 rounds of 20 steps each
    • each round uses different non-linear function
    • registers are shifted and switched
• SHA-0 was published by NIST in 1993

Digest Generation with SHA-1
[Figure]

SHA-1 Versus MD5
• SHA-1 is a stronger algorithm:
  • A birthday attack requires on the order of 2^80 operations, in contrast to 2^64 for MD5
• SHA-1 has 80 steps and yields a 160-bit hash (vs. 128) - involves more computation

Summary: What are hash functions good for?
Message Authentication Using a Hash Function
Use symmetric encryption such as AES or 3-DES
• Generate H(M) of same size as E() block
• Use E_K(H(M)) as the MAC (instead of, say, DES MAC)
• Alice sends E_K(H(M)), M
• Bob receives C, M', decrypts C with K, hashes result
  H(D_K(C)) =?= H(M')
Collision ⇒ MAC forgery!

Using Hash for Authentication
Alice and Bob share a secret key K_AB
1. Alice ⇒ Bob: random challenge r_A
2. Bob ⇒ Alice: H(K_AB || r_A), random challenge r_B
3. Alice ⇒ Bob: H(K_AB || r_B)
Only need to compare H() results

Using Hash to Compute MAC: Integrity
• Cannot just compute and append H(m)
• Need "Keyed Hash":
  • Prefix:
    • MAC: H(K_AB | m), almost works, but…
    • Allows concatenation with arbitrary message: H(K_AB | m | m')
  • Suffix:
    • MAC: H(m | K_AB), works better, but what if m' is found such that H(m) = H(m')?
  • HMAC:
    • H(K_AB | H(K_AB | m))

Hash Function MAC (HMAC)
• Main Idea: Use a MAC derived from any cryptographic hash function
  • hash functions do not use a key, therefore cannot be used directly as a MAC
• Motivations for HMAC:
  • Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  • No need for the reversibility of encryption
  • No US government export restrictions (was important in the past)
• Status: designated as mandatory for IP security
  • Also used in Transport Layer Security (TLS), which will replace SSL, and in SET

HMAC Algorithm
• Compute H1 = H() of the concatenation of M and K1
• To prevent an "additional block" attack, compute again H2 = H() of the concatenation of H1 and K2
• K1 and K2 each use half the bits of K
• Notation:
  • K+ = K padded with 0's
  • ipad = 00110110 x b/8
  • opad = 01011100 x b/8
• Execution:
  • Same as H(M), plus 2 blocks

Just for Fun… Using a Hash to Encrypt
• (Almost) One-Time Pad: similar to OFB
  • compute bit streams using H(), K, and IV
  • b_1 = H(K_AB | IV), …, b_i = H(K_AB | b_{i-1}), …
  • c_1 = p_1 ⊕ b_1, …, c_i = p_i ⊕ b_i, …
• Or, mix in the plaintext
  • similar to cipher feedback mode (CFB)
  • b_1 = H(K_AB | IV), …, b_i = H(K_AB | c_{i-1}), …
  • c_1 = p_1 ⊕ b_1, …, c_i = p_i ⊕ b_i, …
```
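Added example (not the slides' code) serving the HMAC Algorithm slide and the "hash to encrypt" slide above: HMAC-SHA256 written out from the definition (K+, ipad = 0x36, opad = 0x5C, two hash passes) and checked against Python's hmac module, plus the OFB-like hash keystream b_i = H(K | b_{i-1}); the keys and messages are constructed.

```python
import hashlib
import hmac

B = 64                     # b/8: SHA-256 block size in bytes
IPAD, OPAD = 0x36, 0x5C    # 00110110 and 01011100, repeated b/8 times

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC = H((K+ XOR opad) || H((K+ XOR ipad) || M)): same as H(M) plus two blocks."""
    if len(key) > B:                          # keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    k_plus = key.ljust(B, b"\x00")            # K+ = K padded with 0's
    k1 = bytes(b ^ IPAD for b in k_plus)      # inner key
    k2 = bytes(b ^ OPAD for b in k_plus)      # outer key
    h1 = hashlib.sha256(k1 + msg).digest()    # H1 = H(K1 || M)
    return hashlib.sha256(k2 + h1).digest()   # H2 = H(K2 || H1): closes the "additional block" hole

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

def hash_stream_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """'(Almost) one-time pad' from the slide: b_1 = H(K|IV), b_i = H(K|b_{i-1}), c_i = p_i XOR b_i.
    Keystream blocks are 32 bytes (SHA-256 output); the same call decrypts."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), 32):
        prev = hashlib.sha256(key + prev).digest()    # next keystream block b_i
        out += bytes(p ^ b for p, b in zip(data[i:i + 32], prev))
    return bytes(out)
```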
Some Number Theory and Public Key Cryptography

Groups
DEFINITION: A nonempty set G and operator @, (G, @), is a group if:
• CLOSURE: for all x, y in G:
  • (x @ y) is also in G
• ASSOCIATIVITY: for all x, y, z in G:
  • (x @ y) @ z = x @ (y @ z)
• IDENTITY: there exists identity element I in G, such that, for all x in G:
  • I @ x = x and x @ I = x
• INVERSE: for all x in G, there exists inverse element x^-1 in G, such that:
  • x^-1 @ x = I = x @ x^-1
DEFINITION: A group (G, @) is ABELIAN if:
• COMMUTATIVITY: for all x, y in G:
  • x @ y = y @ x

Groups (Cont.)
DEFINITION: An element g in G is a group generator of group (G, @) if: for all x in G, there exists i ≥ 0, such that:
  x = g^i = g @ g @ g @ … @ g (i times)
This means every element of the group can be generated by g using @. In other words, G = <g>
DEFINITION: A group (G, @) is cyclic if a group generator exists!
DEFINITION: Group order of a group (G, @) is the size of set G, i.e., |G| or #{G} or ord(G)
DEFINITION: Group (G, @) is finite if ord(G) is finite.

Z*_N: Positive Integers mod N Relatively Prime to N
G = Z*_N = non-zero integers mod N = {1, …, x, …, N-1} such that GCD(x, N) = 1
• Group operator is "*", modular multiplication
• Group order ord(Z*_N) = number of integers relatively prime to N, denoted by phi(N)
• integers mod N are closed under multiplication: if GCD(x, N) = 1 and GCD(y, N) = 1, GCD(x*y, N) = 1
• identity is 1
• inverse of x is from Euclid's algorithm: ux + vN = 1 (mod N) = GCD(x, N), so x^-1 = u (= x^(phi(N)-1))
• multiplication is associative
• multiplication is commutative (so the group is Abelian)
Euclidean Algorithm
Purpose: compute GCD(x, y)
GCD = Greatest Common Divisor
Recall that: for all b in Z_n: gcd(b, n) = 1 ⇔ there exists b^-1 (multiplicative inverse of b) such that b * b^-1 ≡ 1 mod n

Euclidean Algorithm (contd)
init: r_0 = x, r_1 = y
q_1 = ⌊r_0 / r_1⌋, r_2 = r_0 mod r_1
…
q_i = ⌊r_{i-1} / r_i⌋, r_{i+1} = r_{i-1} mod r_i
…
q_{m-1} = ⌊r_{m-2} / r_{m-1}⌋, r_m = r_{m-2} mod r_{m-1}
(r_m == 0)? OUTPUT r_{m-1}
Example: x = 24, y = 15
  1. 9  2. 6  3. 3  4. 0
Example: x = 23, y = 14
  1. 9  2. 5  3. 4  4. 1  5. 0
Extended Euclidean Algorithm
Purpose: compute GCD(x, y) and inverse of y (if it exists)
init: r_0 = x, r_1 = y, t_0 = 0, t_1 = 1
q_1 = ⌊r_0 / r_1⌋, r_2 = r_0 mod r_1, t_2 = t_0 - q_1 t_1 mod r_0
…
q_i = ⌊r_{i-1} / r_i⌋, r_{i+1} = r_{i-1} mod r_i, t_{i+1} = t_{i-1} - q_i t_i mod r_0
…
q_{m-1} = ⌊r_{m-2} / r_{m-1}⌋, r_m = r_{m-2} mod r_{m-1}, t_m = t_{m-2} - q_{m-1} t_{m-1} mod r_0
if (r_m = 1) OUTPUT t_m else if (r_m = 0) OUTPUT "no inverse"

Extended Euclidean Algorithm (contd)
Theorem: r_i = t_i * r_1 mod r_0 (i ≥ 1); in particular r_m = t_m * r_1 = 1 (mod r_0)
Example: x = 87, y = 11
  I   R   T   Q
  0   87  0   --
  1   11  1   7
  2   10  80  1
  3   1   8   --
q_i = ⌊r_{i-1} / r_i⌋, r_{i+1} = r_{i-1} mod r_i, t_{i+1} = t_{i-1} - q_i t_i mod r_0

Extended Euclidean Algorithm (contd)
Example: x = 93, y = 87
  I   R   T   Q
  0   93  0   --
  1   87  1   1
  2   6   92  14
  3   3   15  2
  4   0   62  --
q_i = ⌊r_{i-1} / r_i⌋, r_{i+1} = r_{i-1} mod r_i, t_{i+1} = t_{i-1} - q_i t_i mod r_0
Chinese Remainder Theorem (CRT)
The following system of n modular equations (congruences)
  x ≡ a_1 mod m_1
  …
  x ≡ a_n mod m_n
(all m_i-s relatively prime) has a unique solution:
  x = Σ_{i=1..n} a_i M_i y_i mod M
where: M = m_1 * … * m_n, M_i = M / m_i, y_i = M_i^-1 mod m_i

CRT Example
  x ≡ 5 mod 7
  x ≡ 3 mod 11
M = 7 * 11 = 77
M_1 = M / m_1 = 77 / 7 = 11, M_2 = M / m_2 = 77 / 11 = 7
y_1 = M_1^-1 mod m_1 = 11^-1 mod 7 = 2, y_2 = M_2^-1 mod m_2 = 7^-1 mod 11 = 8
x = [a_1 M_1 y_1 + a_2 M_2 y_2] mod M = [5 * 11 * 2 + 3 * 7 * 8] mod 77 = 47
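Added example (not from the slides) covering the Extended Euclidean Algorithm tables and the CRT example above: the algorithm as tabulated (rows of I, R, T, Q with t_{i+1} = t_{i-1} - q_i t_i mod r_0), the theorem r_i ≡ t_i r_1 (mod r_0) checked on every row, and CRT built on top of it; the inputs are the slides' own examples.

```python
def extended_euclid(x: int, y: int):
    """The slides' table: rows (i, r_i, t_i, q_i) with r_0 = x, r_1 = y, t_0 = 0, t_1 = 1,
    q_i = floor(r_{i-1} / r_i), r_{i+1} = r_{i-1} mod r_i, t_{i+1} = (t_{i-1} - q_i t_i) mod r_0.
    Stops at r_m = 1 (inverse of y mod x is t_m) or r_m = 0 (no inverse; gcd is r_{m-1}).
    Returns (rows, gcd, inverse_or_None)."""
    r, t, q = [x, y], [0, 1], []
    while r[-1] not in (0, 1):
        qi = r[-2] // r[-1]
        q.append(qi)
        r.append(r[-2] % r[-1])
        t.append((t[-2] - qi * t[-1]) % x)
    # q_i belongs to row i (it is computed from r_{i-1} and r_i)
    rows = [(i, r[i], t[i], q[i - 1] if 1 <= i <= len(q) else None) for i in range(len(r))]
    if r[-1] == 1:
        return rows, 1, t[-1]
    return rows, r[-2], None

def invariant_holds(x: int, y: int) -> bool:
    """Theorem on the slide: r_i ≡ t_i * r_1 (mod r_0) for every row i ≥ 1."""
    rows, _, _ = extended_euclid(x, y)
    return all(ri == (ti * y) % x for i, ri, ti, _ in rows if i >= 1)

def crt(residues, moduli) -> int:
    """x = Σ a_i M_i y_i mod M, with M = Π m_i, M_i = M / m_i, y_i = M_i^-1 mod m_i
    (moduli pairwise relatively prime, as the slide requires)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m
        _, _, yi = extended_euclid(m, Mi % m)     # y_i: inverse of M_i modulo m_i
        if yi is None:
            raise ValueError("moduli must be pairwise relatively prime")
        x += a * Mi * yi
    return x % M
```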
Public Key Cryptography
• Asymmetric cryptography
• Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
• Two keys: private (SK), public (PK)
  • Encryption: with public key;
  • Decryption: with private key
  • Digital Signatures: Signing by private key; Verification by public key. i.e., "encrypt" message digest/hash -- h(m) -- with private key
    • Authorship (authentication)
    • Integrity: similar to MAC
    • Non-repudiation: can't do with secret key cryptography
• Much slower than conventional cryptography
• Often used together with conventional cryptography, e.g., to encrypt session keys

Public Key Cryptography
[Figure: plaintext message m → encryption algorithm (Bob's public key PK_B) → ciphertext PK_B(m) → decryption algorithm (Bob's private key SK_B) → plaintext message m = SK_B(PK_B(m))]

Uses of Public Key Cryptography
• Data transmission (confidentiality):
  • Alice encrypts m_a using PK_B, Bob decrypts it to obtain m_a using SK_B.
• Secure Storage: encrypt with own public key, later decrypt with own private key
• Authentication:
  • No need to store secrets, only need public keys.
  • Secret key cryptography: need to share secret key for every person one communicates with
• Digital Signatures (authentication, integrity, non-repudiation)

Public Key Cryptography
• Advantages
  • only the private key must be kept secret
  • relatively long lifetime of the key
  • more security services
  • relatively efficient digital signature mechanisms
• Disadvantages
  • low data throughput
  • much larger key sizes
  • distribution/revocation of public keys
  • security based on conjectured hardness of certain computational problems
Key Pre-distribution: Diffie-Hellman "New Directions in Cryptography" 1976
System-wide parameters: p large prime, a generator in Z*_p
Alice's secret: v, public: y_a = a^v mod p
Bob's secret: w, public: y_b = a^w mod p
Alice has: y_b, computes K_ab = (y_b)^v mod p = a^(vw) mod p
Bob has: y_a, computes K_ab = (y_a)^w mod p = a^(vw) mod p

Public Key Pre-distribution: Diffie-Hellman
p large prime, a generator in Z*_p
Diffie-Hellman Problem: Given y_a = a^v mod p and y_b = a^w mod p, FIND a^(vw) mod p
Discrete Log Problem: Given y_a = a^v mod p, FIND v

Public Key Pre-distribution: Diffie-Hellman
Decision DH Problem: p large prime, a generator. Given y_a = a^v mod p, y_b = a^w mod p, distinguish K_ab = a^(vw) mod p from a random number!
• DH Assumption: DH problem is HARD (not P)
• DL Assumption: DL problem is HARD (not P)
• DDH Assumption: solving DDH problem is HARD (not P)
Interactive (Public) Key Exchange: Diffie-Hellman
Eve is passive…
Alice: choose random v, y_a = a^v mod p
Alice → Bob: y_a
Bob: choose random w, y_b = a^w mod p, compute K_ab = (y_a)^w mod p
Bob → Alice: y_b
Alice: compute K_ab = (y_b)^v mod p
Secure communication with K_ab

The Man-in-the-Middle (MitM) Attack (assume Eve is an active adversary!)
[Figure: the same exchange as above, with Eve active between Alice and Bob]
Alice: choose random v, y_a = a^v mod p
Bob: choose random w, y_b = a^w mod p, compute K_ab = (y_a)^w mod p
Alice: compute K_ab = (y_b)^v mod p
Secure communication with K_ab
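Added example (not the slides' code): the interactive exchange above with a passive Eve, and the MitM figure's outcome when Eve substitutes her own a^z for both public values (the two sides end up with different keys, both known to Eve), which is the reason the STS protocol later in the deck signs the exchanged values; p = 23 and generator a = 5 are toy assumptions.

```python
import secrets

def is_generator(a: int, p: int) -> bool:
    """Brute-force check (small p only): a generates Z*_p iff a^1..a^(p-1) cover all p-1 residues."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * a % p
        seen.add(x)
    return len(seen) == p - 1

class Party:
    """One side of the exchange: secret exponent and public value y = a^secret mod p."""
    def __init__(self, p: int, a: int, secret: int = None):
        self.p, self.a = p, a
        self.secret = secret if secret is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(a, self.secret, p)

    def shared_key(self, other_public: int) -> int:
        return pow(other_public, self.secret, self.p)   # K = (other's y)^secret mod p

def diffie_hellman(p: int, a: int, v: int, w: int):
    """Eve is passive: Alice and Bob both compute K_ab = a^(vw) mod p."""
    alice, bob = Party(p, a, v), Party(p, a, w)
    return alice.shared_key(bob.public), bob.shared_key(alice.public)

def man_in_the_middle(p: int, a: int, v: int, w: int, z: int):
    """Eve is active: she delivers y_e = a^z mod p to both sides instead of y_a and y_b.
    Returns (Alice's key, Bob's key, whether Eve can compute both)."""
    alice, bob, eve = Party(p, a, v), Party(p, a, w), Party(p, a, z)
    k_alice = alice.shared_key(eve.public)   # Alice believes eve.public is y_b
    k_bob = bob.shared_key(eve.public)       # Bob believes eve.public is y_a
    eve_knows_both = (eve.shared_key(alice.public) == k_alice
                      and eve.shared_key(bob.public) == k_bob)
    return k_alice, k_bob, eve_knows_both
```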
RSA (1976-8)
Let n = pq where p, q − large primes
e, d ∈_R Z_n and ed ≡ 1 mod Φ(n)
where: Φ(n) = (p−1)(q−1) = pq − p − q + 1
Secrets: p, q, d
Publics: n, e
Encryption: message = m < n
  E(x) = y = m^e mod n
Decryption: ciphertext = y
  D(y) = x' = y^d mod n

Why does it all work?
x ∈ Z*_n
x^(ed) = x^(1 mod Φ(n)) mod n = x^(c*Φ(n)+1) mod n = x
But, recall that: g^Φ(n) = 1 mod n (Lagrange)

Why is it Secure?
Why: n has unique factors p, q
Given p and q, computing (p-1)(q-1) is easy:
  ed ≡ 1 mod Φ(n)
Use extended Euclidean!
Conjecture: breaking RSA is polynomially equivalent to factoring n. Recall that n is very, very large!
Speeding up RSA Decryption
Using Chinese Remainder Theorem (CRT):
C - RSA ciphertext
Let d_p = d mod (p − 1), d_q = d mod (q − 1)
compute:
  M_p = C^(d_p) mod p
  M_q = C^(d_q) mod q
and solve:
  M = M_p mod p
  M = M_q mod q
  M = [M_p * q * (q^-1 mod p) + M_q * p * (p^-1 mod q)] mod pq

More on RSA
• Modulus n is unique per user → cannot share n
• What happens if Alice and Bob share the same modulus?
  • Alice has (e', d', n) and Bob – (e", d", n)
  • Alice wants to compute d" (Bob's private key)
  • She knows that: e' * d' = 1 mod phi(n)
  • So: e' * d' = k * phi(n) + 1 and: e' * d' - 1 = k * phi(n)
  • Alice just needs to compute inverse of e" mod X
    • where X = e' * d' – 1 = k * phi(n)
  • let's call this inverse d"'
  • and remember that: d"' * e" = k' * k * phi(n) + 1
  • can we be sure that: d"' = d"?
• Is it possible that e" has no inverse mod X?
  • Yes, if e" = phi(n) or gcd(e", k) > 1 but this is very, very UNLIKELY!
• For all decryption purposes, d"' is EQUIVALENT to d"
• Suppose Eve encrypted for Bob: C = (m)^e" mod n
• Alice computes:
  C^d"' mod n = m^(e" d"') mod n = (m)^(k' * k * phi(n) + 1) mod n = m
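Added example (not from the slides): RSA key setup, encryption, decryption and the CRT decryption speed-up exactly as written above (d_p, d_q, M_p, M_q, then recombination mod pq), plus an exhaustive check of "x^(ed) = x"; the textbook primes p = 61, q = 53 and e = 17 are assumptions far too small for real use.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Publics (n, e), secrets (p, q, d) with e*d ≡ 1 mod Φ(n), Φ(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod Φ(n)")
    d = pow(e, -1, phi)                     # d = e^-1 mod Φ(n) (extended Euclid, via pow)
    return (n, e), (p, q, d)

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)                     # E(m) = m^e mod n, m < n

def rsa_decrypt(pub, priv, y: int) -> int:
    n, _ = pub
    return pow(y, priv[2], n)               # D(y) = y^d mod n

def rsa_decrypt_crt(pub, priv, c: int) -> int:
    """The slide's speed-up: exponentiate mod p and mod q separately, then recombine with CRT."""
    n, _ = pub
    p, q, d = priv
    dp, dq = d % (p - 1), d % (q - 1)       # d_p, d_q: exponents about half the size of d
    mp, mq = pow(c, dp, p), pow(c, dq, q)   # M_p = C^d_p mod p, M_q = C^d_q mod q
    return (mp * q * pow(q, -1, p) + mq * p * pow(p, -1, q)) % n

def rsa_sign(pub, priv, m: int) -> int:
    return rsa_decrypt(pub, priv, m)        # y = m^d mod n: signing is the decryption function

def rsa_verify(pub, m: int, y: int) -> bool:
    return rsa_encrypt(pub, y) == m         # m =?= y^e mod n

def rsa_works_for_all(pub, priv) -> bool:
    """'Why does it all work': x^(ed) ≡ x for every x mod n (exhaustive check; small n only)."""
    n, e = pub
    d = priv[2]
    return all(pow(x, e * d, n) == x for x in range(n))
```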
ElGamal PK Cryptosystem (1983)
p – large prime
b – base, primitive element (generator)
x – private exponent
y – public residue, y = b^x mod p
publics: p, b, y; secret: x
P = Z*_p, C = Z*_p × Z*_p
Encryption (of message m):
  1. generate random r ∈ Z_{p-1}
  2. compute k = b^r mod p
  3. compute c = m * y^r mod p = m * b^(xr) mod p
  4. ciphertext = {k, c}
Decryption:
  1. compute k^x mod p = b^(rx) mod p
  2. compute (k^x)^-1 mod p = b^(-rx) mod p
  3. compute m' = c * (k^x)^-1 mod p = m * b^(xr) * b^(-xr) mod p = m
Digital Signatures
A signature scheme: (P, A, K, Sign, Verify)
P - plaintext (msgs)
A - signatures
K - keys
Sign - signing function: (P * K) -> A
Verify - verification function: (P * A * K) → {0,1}
Usually message hash
• Integrity
• Authentication
• Non-Repudiation
• Time-Stamping
• Causality
• Authorization

RSA Signature Scheme
Let n = pq where p, q are two (large) primes
e ∈ Z*_Φ(n), d = e^-1 mod Φ(n), i.e., ed ≡ 1 mod Φ(n), where Φ(n) = (p−1)(q−1)
Secrets: p, q, d
Publics: n, e
Signing: message m, signature y = Sign(m) = m^d mod n
Verification: Verify(m, y): m =?= y^e mod n
Use the fact that, in RSA, encryption reverses "decryption"

RSA Signature Scheme (contd)
• The Good:
  • Verification can be cheap (like RSA encryption)
  • Mechanically same as RSA decryption function
  • Security based on RSA encryption
  • Signing is harder but #verify-s > 1…
  • Deterministic
• The Bad:
  • Recall that RSA is malleable: signatures can be "massaged"
  • Phony "random" signatures
    • compute Y = RSA(e, X) = X^e mod n
    • X is a signature of Y because Y^d = X mod n
• The Ugly:
  • Signing requires integrity!
  • How to sign multiple blocks?
  • Deterministic – needs additional randomization!
ElGamal Signature Scheme
p – large prime
b – base, generator
x – private exponent
y – public residue, y = b^x mod p
publics: p, b, y; secret: x
P = Z*_p, A = Z*_p × Z_{p-1}
Signing (of message m):
  1. generate random r ∈ Z*_{p-1}
  2. compute k = b^r mod p
  3. compute c = (m − x k) r^-1 mod (p − 1)
  4. signature = {k, c}
Verifying:
  y^k * k^c =?= b^m mod p
  (notice that y^k * k^c = b^(xk) * b^(r(m − xk)/r) = b^(xk + m − xk) = b^m)
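Added example (not the slides' code): the ElGamal signing steps 1-4 and the verification equation above, with the "notice that" identity doing the work, plus the check a verifier can make for the reused randomizer the next slide warns about (same r gives the same k); p = 23, generator b = 5 and secret x = 7 are toy assumptions.

```python
import secrets
from math import gcd

def elgamal_keygen(p: int, b: int, x: int = None):
    """publics (p, b, y = b^x mod p), secret x (assumption: b generates Z*_p)."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return (p, b, pow(b, x, p)), x

def elgamal_sign(pub, x: int, m: int, r: int = None):
    """1. random r in Z*_{p-1}; 2. k = b^r mod p; 3. c = (m - x*k) * r^-1 mod (p-1); 4. sig = (k, c).
    r may be supplied for a deterministic illustration; a real signer draws it fresh every time."""
    p, b, _ = pub
    if r is None:
        while True:
            r = secrets.randbelow(p - 2) + 1
            if gcd(r, p - 1) == 1:
                break
    elif gcd(r, p - 1) != 1:
        raise ValueError("r must be invertible mod p-1")
    k = pow(b, r, p)
    c = ((m - x * k) * pow(r, -1, p - 1)) % (p - 1)
    return k, c

def elgamal_verify(pub, m: int, sig) -> bool:
    """y^k * k^c =?= b^m (mod p), since y^k * k^c = b^(xk) * b^(m - xk) = b^m."""
    p, b, y = pub
    k, c = sig
    if not 0 < k < p:
        return False
    return (pow(y, k, p) * pow(k, c, p)) % p == pow(b, m, p)

def randomizer_reused(sig1, sig2) -> bool:
    """Two signatures made with the same r share k, so reuse is visible to anyone who sees both."""
    return sig1[0] == sig2[0]
```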
ElGamal Signature Scheme (contd)
The good:
• Signing is cheap(er)
• Designed as a signature function
• Non-deterministic (randomized)
The bad:
• Need GOOD source of random numbers
• Randomizers cannot be revealed (trace)
• Randomizers cannot be reused

Comparison Summary
• Public key
  • encryption, signatures (esp., non-repudiation) and key management
• Conventional
  • encryption and some data integrity applications
• Key sizes
  • Keys in public key crypto must be larger (e.g., 2048 bits for RSA) than those in conventional crypto (e.g., 112 bits for 3-DES or 256 bits for AES)
    • most attacks on "good" conventional cryptosystems are exhaustive key search (brute force)
    • public key cryptosystems are subject to "short-cut" attacks (e.g., factoring large numbers in RSA)

Identification
• Public key cryptography can be also used for IDENTIFICATION
• Identification is an interactive protocol whereby one party: "prover" (who claims to be, say, Alice) convinces the other party: "verifier" (Bob) that she is indeed Alice
• Identification can be accomplished with public key digital signatures
• However, signatures reveal information…
• Also, signatures are "transferable", i.e., anyone can verify them
Fiat-Shamir Identification Scheme
• In Fiat-Shamir, prover has an RSA modulus n = pq (factorization is secret).
• Factors themselves are not used in the protocol.
• Unlike RSA, a trusted center can generate a global n, used by everyone, as long as nobody knows its factorization. Trusted center can "forget" the factorization after computing n.

Fiat-Shamir Identification Scheme
• Secret Key: Prover (P) chooses a random value 1 < S < n (to serve as the key) such that gcd(S, n) = 1
• Public Key: P computes I = S^2 mod n, publishes (I, n) as his public key.
• Purpose of the protocol: P has to convince verifier (V) that he knows the secret S corresponding to the public key (I, n),
  • i.e., to prove that he knows a square root of I mod n, without revealing S or any portion thereof

Fiat-Shamir Identification Scheme
[Figure: Prover (Alice), holding n, I = S^2, S; Verifier (Bob)]
  Alice: pick random R; set x = R^2 mod n
  Alice → Bob: I, x
  Bob → Alice: query = 0 or 1
  Alice → Bob: R (query 0) or R*S mod n (query 1)
  Bob checks that: R^2 = x mod n, or (RS)^2 = x I mod n

Fiat-Shamir Identification Scheme
V wants to authenticate identity of P, who claims to have a public key I. Thus, V asks P to convince him that P knows the secret key S corresponding to I.
1. P chooses at random 1 < R < n and computes: X = R^2 mod n
2. P sends X to V
3. V randomly requests from P one of two things (0 or 1): (a) R or (b) RS mod n
4. P sends requested information

Fiat-Shamir Identification Scheme
5. V checks the correct answer: a) R^2 ?= X (mod n) or b) (R*S)^2 ?= X*I (mod n)
6. If verification fails, V concludes that P does not know S
7. Protocol is repeated t (usually 20, 30, or log n) times, and, if each one succeeds, V concludes that P is the claimed party.

Fiat-Shamir ZK Identification Scheme
CLAIM: Protocol does not reveal ANY information about S, or: Protocol is ZERO-KNOWLEDGE
Proof: We show that no information on S is revealed:
• Clearly, when P sends X or R, he does not reveal any information on S.
• When P sends RS mod n:
  • RS mod n is random, since R is random and gcd(S, n) = 1.
  • If adversary can compute any information on S from I, n, X and RS mod n, he can also compute the same information on S from I and n, since he can choose a random T = R'S mod n and compute:
    X' = T^2 I^-1 = (R')^2 S^2 I^-1 = (R')^2

Security
Clearly, if P knows S, then V is convinced of his identity.
If P does not know S, he can either:
1. know R, but not RS mod n. Since he is choosing R, he cannot multiply it by the unknown value S, or
2. choose RS mod n, and thus can answer the second question: RS mod n. But, in this case, he cannot answer the first question R, since he needs to divide by the unknown S.

Security
• In any case, adversary cannot answer both questions, since otherwise he can compute S as the ratio between the two answers.
• But, we assumed that computing S is hard, equivalent to factoring n.
• Since P does not know in advance (when choosing R or RS mod n) which question V will ask, he cannot foresee the required choice. He can succeed in guessing V's question with probability 1/2 for each question.
• The probability that V fails to catch P in all runs is thus: 2^-t (e.g., 1 in 1,000,000,000 for t = 20)
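Added example (not from the slides): the protocol above as code, with the key setup, steps 1-7 for an honest prover, and a prover who knows only (I, n) and therefore has to guess the query in advance, using the X' = T^2 I^-1 trick from the zero-knowledge argument to answer exactly one of the two queries; n = 61*53 = 3233 and the fixed values used in the checks are toy assumptions.

```python
import secrets
from math import gcd

def fs_keygen(n: int, rng=secrets.randbelow):
    """Secret S with 1 < S < n and gcd(S, n) = 1; public I = S^2 mod n."""
    while True:
        S = rng(n - 2) + 2
        if gcd(S, n) == 1:
            return S, pow(S, 2, n)

def verify_round(n: int, I: int, X: int, query: int, answer: int) -> bool:
    """Step 5: query 0 -> answer^2 == X (mod n); query 1 -> answer^2 == X*I (mod n)."""
    if query == 0:
        return pow(answer, 2, n) == X % n
    return pow(answer, 2, n) == (X * I) % n

class HonestProver:
    """Knows S: commits to X = R^2 and can answer either query."""
    def __init__(self, n: int, S: int, rng=secrets.randbelow):
        self.n, self.S, self.rng = n, S, rng

    def commit(self) -> int:                      # steps 1-2
        self.R = self.rng(self.n - 2) + 2         # 1 < R < n
        return pow(self.R, 2, self.n)

    def respond(self, query: int) -> int:         # step 4
        return self.R if query == 0 else (self.R * self.S) % self.n

class CheatingProver:
    """Knows only (I, n). Guesses the query ahead of time and prepares one answer T:
    guess 0 -> X = T^2 (answers R); guess 1 -> X = T^2 * I^-1 (answers 'RS', since T^2 = X*I).
    This is the same computation as the simulator in the zero-knowledge argument."""
    def __init__(self, n: int, I: int, guess: int, rng=secrets.randbelow):
        self.n, self.I, self.guess, self.rng = n, I, guess, rng

    def commit(self) -> int:
        T = self.rng(self.n - 2) + 2
        self.answer = T
        if self.guess == 0:
            return pow(T, 2, self.n)
        return (T * T * pow(self.I, -1, self.n)) % self.n

    def respond(self, query: int) -> int:
        return self.answer                        # correct only when query == guess

def run_protocol(n: int, I: int, prover, queries) -> bool:
    """Steps 1-7: one round per query bit; accept only if every round verifies."""
    for q in queries:
        X = prover.commit()
        if not verify_round(n, I, X, q, prover.respond(q)):
            return False
    return True

def cheat_success_probability(t: int) -> float:
    """A prover without S passes all t rounds only by guessing every query: 2^-t."""
    return 2.0 ** -t
```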
Authentication Protocols

A Typical KDC-based Key Distribution Scenario
KDC = Key Distribution Center
E_K[X] = Encryption of X with key K
(1) A → KDC: Request | B | N1
(2) KDC → A: E_Ka[Ks | Request | N1 | E_Kb(Ks, A)]
(3) A → B: E_Kb[Ks, A]
(4) B → A: E_Ks[A, N2]
(5) A → B: E_Ks[f(N2)]
Notes:
• Msg 2 is tied to Msg 1
• Msg 2 is fresh/new
• Msg 3 is possibly old*
• Msg 1 is possibly old (KDC doesn't authenticate Alice)
• Bob authenticates Alice
• Bob authenticates KDC
• Alice DOES NOT authenticate Bob

Reflection Attack and a Fix
• Original Protocol
  1. A → B: r_A
  2. B → A: {r_A, r_B}_K
  3. A → B: r_B
• Attack
  1. A → E: r_A
  2. E → A: r_A : Starting a new session
  3. A → E: {r_A, r_A'}_K : Reply to (2)
  4. E → A: {r_A, r_A'}_K : Reply to (1)
  5. A → E: r_A'
Solutions?
• Use 2 different uni-directional keys k" (A→B) and k' (B→A)
• Remove symmetry (direction, msg identifiers)

Interleaving Attacks
• Protocol for Mutual Authentication
  1. A → B: A, r_A
  2. B → A: r_B, {r_B, r_A, A}_SKB
  3. A → B: r_A', {r_A', r_B, B}_SKA
• Attack
  1. E → B: A, r_A
  2. B → E: r_B, {r_B, r_A, A}_SKB
  3. E → A: B, r_B
  4. A → E: r_A', {r_A', r_B, B}_SKA
  5. E → B: r_A', {r_A', r_B, B}_SKA
• Attack due to symmetric messages (2), (3)
Merkle's Puzzles (1974)
Alice: for 0 < i < 2^n = N: X_i, Y_i −− random secret keys; index_i = random (secret) value
  Puzzle P_i = {index_i, X_i, S}_Y_i
  S −− fixed string, e.g., "Alice to Bob"
Alice → Bob: {P_i | 0 < i < 2^n}
Bob: pick random j, 0 < j < 2^n; select P_j; break Y_j by brute force; obtain {index_j, X_j, S}
Bob → Alice: index_j
Alice: look up index_j; obtain X_j
Encrypted communication with X_j
Is security computational or information theoretic?
PK-based Needham-Schroeder
Here, TTP acts as an "on-line" certification authority (CA) and takes care of revocation
1. A → TTP: A, B
2. TTP → A: {PK_b, B}_SK_T
3. A → B: [N_a, A]_PK_b
4. B → TTP: B, A
5. TTP → B: {PK_a, A}_SK_T
6. B → A: [N_a, N_b]_PK_a
7. A → B: [N_b]_PK_b

X.509 Authentication & Key Distribution Protocols
One-way A → B:
  A → B: {1, t_a, r_a, B, other, [K_ab]_PK_B}_SK_A
Two-way A ↔ B:
  A → B: {2, t_a, r_a, B, other, [K_ab]_PK_B}_SK_A
  B → A: {2, t_b, r_b, A, r_a, other, [K_ba]_PK_A}_SK_B
Three-way A ↔ B:
  A → B: {3, t_a, r_a, B, other, [K_ab]_PK_B}_SK_A
  B → A: {3, t_b, r_b, A, r_a, other, [K_ba]_PK_A}_SK_B
  A → B: {3, r_b}_SK_A

Lessons Learned?
• Designing secure protocols is hard. There are many documented failures in the literature.
• Good protocols are already standardized (e.g., ISO 9798, X.509, …) – use them!
• The problem of verifying security gets much harder as protocols get more complex (more parties, messages, rounds).
Key Distribution and Public Key Infrastructure

Public Key Infrastructure (Distribution)
• Problem: How to determine the correct public key of a given entity
  • Binding between IDENTITY and PUBLIC KEY
• Possible Attacks
  • Name spoofing: Eve associates Alice's name with Eve's public key
  • Key spoofing: Eve associates Alice's key with Eve's name
  • DoS: Eve associates Alice's name with a nonsensical (bogus) key
• What happens in each case?

Public Key Distribution
• General Schemes:
  • Public announcement (e.g., in a newsgroup or email message)
    • Can be forged
  • Publicly available directory
    • Can be tampered with
  • Public-key certificates (PKCs) issued by trusted off-line Certification Authorities (CAs)
116
Certificates
• Kohnfelder (BSThesis,MIT,1978)proposed“certificates”asyetanotherpublic-keydistributionmethod
• Certificate=explicitbindingbetweenapublickeyanditsowner’s(unique!)name
• Mustbeissued(andsigned)byarecognizedtrustedCertificateAuthority(CA)
• Issuancedoneoff-line
117
Who Issues Certificates?
• CA: Certification Authority
  – e.g., GlobalSign, VeriSign, Thawte, etc.
  – look into your browser...
• Trustworthy (at least to its users/clients)
• Off-line operation (usually)
• Has its own well-known long-term certificate
• May store (as backup) issued certificates
• Very secure: physically and electronically
118
Certificates
• Procedure
  – Bob registers at local CA
  – Bob receives his certificate: {PK_B, ID_B, issuance_time, expiration_time, etc., ...}SK_CA
  – Bob sends certificate to Alice
  – Alice verifies CA's signature (PK_CA hard-coded in software)
  – Alice uses PK_B for encryption and/or verifying signatures
Certification Authorities
• Certification Authority (CA): binds public key to a specific entity
• Each entity (user, host, etc.) registers its public key with CA
  – Bob provides "proof of identity" to CA
  – CA creates certificate binding Bob to this public key
  – Certificate containing Bob's public key digitally signed by CA: CA says "this is Bob's public key"
119
(Figure: Bob's public key PK_B and Bob's identifying information, signed with the CA's private key SK_CA, yield the certificate for Bob's public key, signed by the CA.)
• When Alice wants to get Bob's public key:
  – Get Bob's certificate (from Bob or elsewhere)
  – Using CA's public key, verify the signature on Bob's certificate
  – Check for expiration
  – Check for revocation (we'll talk about this later)
  – Extract Bob's public key
120
(Figure: Alice checks the digital signature on Bob's certificate with the CA's public key PK_CA and extracts Bob's public key PK_B.)
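The verification procedure above (check the issuer's signature up to a CA key hard-coded in software, check expiration, check revocation, then extract the public key), as an added runnable example; this is not code from the slides. It walks the hierarchy root -> CA3 -> CA4 -> Bob from the certification-tree slide. The certificate format, the field names, the abstract clock ticks and the revocation list are constructed for the demo, and the signature is a textbook RSA (hash then modular exponentiation, no padding) over keys from a seeded PRNG so the example runs offline and reproducibly; real code uses a vetted library with proper padding, a CSPRNG and a standard certificate encoding.

```python
"""Certificate-chain verification: CA signature, expiration, revocation.
Added example, not code from the lecture slides; toy RSA, constructed data."""
import hashlib
import json
import random

E = 65537  # public exponent


def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random witnesses drawn from rng."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _rand_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _probable_prime(c, rng):
            return c


def keygen(rng, bits=256):
    """Toy RSA keypair: returns ((n, e), d). 512-bit n, so a SHA-256 digest < n."""
    while True:
        p, q = _rand_prime(bits, rng), _rand_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:          # E is prime, so this means gcd(E, phi) == 1
            return (p * q, E), pow(E, -1, phi)


def _digest(tbs):
    """SHA-256 of the canonical encoding of the to-be-signed fields, as an int."""
    blob = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign_cert(tbs, issuer_sk, issuer_pk):
    """{tbs}SK_issuer: the issuer signs the certificate body."""
    return {"tbs": tbs, "sig": pow(_digest(tbs), issuer_sk, issuer_pk[0])}


def _sig_ok(cert, pk):
    n, e = pk
    return pow(cert["sig"], e, n) == _digest(cert["tbs"])


def verify_chain(leaf, certs, root_name, root_pk, now, crl):
    """Walk from the leaf up to the pinned root key and return the leaf's public key.
    certs: name -> certificate of every intermediate CA; crl: set of (issuer, serial)
    announced as revoked. Raises ValueError on the first failed check."""
    cert = leaf
    while True:
        tbs = cert["tbs"]
        if not tbs["not_before"] <= now <= tbs["not_after"]:
            raise ValueError("expired or not yet valid: " + tbs["subject"])
        if (tbs["issuer"], tbs["serial"]) in crl:
            raise ValueError("revoked: " + tbs["subject"])
        if tbs["issuer"] == root_name:          # root PK is hard-coded, not in a cert
            if not _sig_ok(cert, root_pk):
                raise ValueError("bad root signature on " + tbs["subject"])
            return leaf["tbs"]["pk"]
        issuer = certs.get(tbs["issuer"])
        if issuer is None or not _sig_ok(cert, issuer["tbs"]["pk"]):
            raise ValueError("bad issuer signature on " + tbs["subject"])
        cert = issuer                            # climb one level toward the root


def check(leaf, certs, root_name, root_pk, now, crl):
    """verify_chain as a value: ("ok", pk) or ("fail", reason)."""
    try:
        return "ok", verify_chain(leaf, certs, root_name, root_pk, now, crl)
    except ValueError as exc:
        return "fail", str(exc)


def build_demo(seed=2016):
    """Constructed hierarchy root -> CA3 -> CA4 -> Bob; returns (keys, certs).
    Times are abstract clock ticks; the seed is for reproducibility only."""
    rng = random.Random(seed)
    keys = {name: keygen(rng) for name in ("root", "CA3", "CA4", "Bob")}
    certs = {}
    for issuer, subject, serial in (("root", "CA3", 1), ("CA3", "CA4", 7),
                                    ("CA4", "Bob", 42)):
        tbs = {"subject": subject, "pk": list(keys[subject][0]), "issuer": issuer,
               "serial": serial, "not_before": 100, "not_after": 200}
        certs[subject] = sign_cert(tbs, keys[issuer][1], keys[issuer][0])
    return keys, certs


if __name__ == "__main__":
    keys, certs = build_demo()
    print(check(certs["Bob"], certs, "root", keys["root"][0], 150, set())[0])
    print(check(certs["Bob"], certs, "root", keys["root"][0], 150, {("CA3", 7)}))
```

Note that the order of checks matters little for correctness but a lot for safety: every failure raises before the public key is returned, so a caller cannot use PK_B from an expired, revoked or badly signed chain by accident, and revoking an intermediate (CA4's serial at CA3) invalidates every certificate below it.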
Authenticated Public-Key-based Key Exchange (Station-to-Station or STS Protocol)
121
(Figure, reconstructed: a is the generator, p the prime modulus; the order of y_a, y_b inside the signatures is not legible in the transcript)
Alice: choose random v, compute y_a = a^v mod p
  Alice -> Bob: y_a
Bob: choose random w, compute y_b = a^w mod p and K = (y_a)^w mod p
  Bob -> Alice: y_b, CERT_bob, SIG_bob{y_a, y_b}
Alice: compute K = (y_b)^v mod p, verify CERT_bob and SIG_bob
  Alice -> Bob: CERT_alice, SIG_alice{y_a, y_b}
(In the original STS protocol each signature is additionally encrypted under K.)
122
How does it work?
• A public/private key pair is generated by the user
• User requests certificate via a local application (e.g., web browser)
  – Good idea to prove knowledge of the private key as part of the certificate request. Why?
• Public key and owner's name are usually part of a certificate
• Private keys only used for small amounts of data (signing, encryption of session keys)
• Symmetric keys (e.g., RC5, AES) used for bulk data encryption
123
Certification Authority (CA)
• CA must verify/authenticate the entity requesting a new certificate
• CA's own certificate is signed by a higher-level CA. Root CA's certificate is self-signed and its name is "well-known"
• CA is a critical part of the system and must operate in a secure and predictable way according to some policy
124
Who needs them?
• Alice's certificate is checked by whomever wants to: 1) verify her signatures, and/or 2) encrypt data for her
• A signature verifier (or encryptor) must:
  – know the public key of the CA(s)
  – trust all CAs involved
• Certificate checking is: verification of the signature and validity
• Validity: expiration + revocation checking
125
Verifying a Certificate (assuming common CA)
To be covered later
126
BTW:
• Certificate types
  – PK (identity) certificates: bind PK to some identity string
  – Attribute certificates: bind PK to arbitrary attribute information, e.g., authorization, group membership
• We concentrate on the former
127
What are PK Certificates Good For?
• Secure channels in TLS/SSL for web servers
• Signed and/or encrypted email (PGP, S/MIME)
• Authentication (e.g., SSH with RSA)
• Code signing!
• Encrypting files (EFS in Windows)
• IPsec: encryption/authentication at the network layer
128
Components of a Certification System
• Request and issue certificates (different categories) with verification of identity
• Storage of certificates
• Publishing/distribution of certificates (LDAP, HTTP)
• Pre-installation of root certificates in a trusted environment
• Support by OS platforms, applications and services
• Maintenance of database of issued certificates (no private keys!)
• Help desk (information, lost + compromised private keys)
• Advertising revoked certificates (and support for applications to perform revocation checking)
• Storage "guidelines" for private keys
129
CA Security
• Must minimize risk of CA private key being compromised
• Best to have an off-line CA
  – Requests may come in electronically but are not processed in real time
• In addition, using tamper-resistant hardware for the CA would help (should be impossible to extract the private key)
130
Mapping Personal Certificates into Accounts/Names
• Certificate must map "one-to-one" into an account/name for the sake of authentication
• In some systems, mappings are based upon X.509 naming attributes from the Subject field
• Example: Verisign issues certificate as CN=FullName (account)
• Account/name is local to the issuing domain
131
Storage of Private Key
• The problem of having the user manage the private key (user support, key loss or compromise)
• Modern OSs offer protected storage which saves private keys (encrypted)
• Applications take advantage of this; browsers sometimes save private keys encrypted in their configuration directory
• Users who mix applications or platforms must manually import/export private keys via PFX files
132
Key Lengths
• Strong encryption has been adopted since the relaxation of US export laws
• E.g., 512- and 1024-bit RSA is not safe anymore
• Root CA should have an (RSA) key length of >= 2048 bits given its importance and typical lifetime of 3-5 years
• A personal (RSA) certificate should have a key length of at least 1536 bits
133
Key Lengths (figure: January 2016 recommendation from the National Security Agency (NSA), https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf)
Certification Tree/Hierarchy
• Logical tree of CAs
134
(Figure, reconstructed; [PK_X]SK_Y denotes X's certificate signed by Y)
root (PK_root)
├── CA1: [PK_CA1]SK_root
│   └── CA2: [PK_CA2]SK_CA1
└── CA3: [PK_CA3]SK_root
    └── CA4: [PK_CA4]SK_CA3
Certificate Revocation Scenario
What if:
• Bob's CA goes berserk?
• Bob forgets his private key?
• Someone steals Bob's private key?
• Bob loses his private key?
• Bob willingly discloses his private key?
• Eve can decrypt/sign while Bob's certificate is still valid...
• Bob reports key loss to CA (or CA finds out somehow)
• CA issues a Certificate Revocation List (CRL)
  – Distributed in public announcements
  – Published in public databases
• When verifying Bob's signature or encrypting a message for Bob, Alice first checks if Bob's certificate is still valid!
• IMPORTANT: what about signatures "Bob" generated before he realized his key is lost?
135
Certificate is a capability!
• Certificate revocation needs to occur when:
  – certificate holder key compromise/loss
  – CA key compromise
  – end of contract (e.g., certificates for employees)
• Certificate Revocation List (CRL) lists certificates that are not yet naturally expired but revoked
• CRL reissued periodically, even if no activity!
• More on revocation later...
136
Requirements for Revocation
• Timeliness: before using a certificate, must check the most recent revocation status
• Efficiency: computation, bandwidth and storage, availability
• Security
137
Types of Revocation
• Implicit
  – Each certificate is periodically re-issued
  – Alice has a fresh certificate => Alice not revoked
  – No need to distribute/publish revocation info
• Explicit
  – Only revoked certificates are periodically announced
  – Alice's certificate not listed among the revoked => Alice not revoked
  – Need to distribute/publish revocation info
138
Revocation Methods
• CRL - Certificate Revocation List
  – CRL-DP, indirect CRL, dynamic CRL-DP, Delta-CRL, windowed CRL, etc.
  – Certificate Revocation Tree (CRT) and other Authenticated Data Structures
• OCSP - On-line Certificate Status Protocol
• CRS - Certificate Revocation System
139
Certificate Revocation List (CRL)
• Off-line mechanism
• CRL = list of revoked certificates (e.g., their serial numbers, SNs) signed by a revocation authority (RA)
• RA not always the CA that issued the revoked PKC
• Periodically issued: daily, weekly, monthly, etc.
140
Pros & Cons of CRLs
• Pros
  – Simple
  – Does not need secure channels for CRL distribution (the CRL is signed)
• Cons
  – Timeliness: "window of vulnerability" between a revocation and the next CRL issue
  – CRLs can be huge
  – How to distribute CRLs reliably?
141
Certificate Revocation Tree (CRT)
• Proposed by P. Kocher (1998)
• Based on hash trees
  – Hash trees first proposed by R. Merkle in another context in 1979 (one-time signatures)
  – Improvement to the Lamport-Diffie one-time signature (OTS) scheme
  – Based on the following idea:
    - A wants to sign (in the future) 1 bit of information
    - A gives B the image Y produced as Y = F(X)
    - To sign, A reveals the pre-image X
    - B checks that Y = F(X)
142
Merkle Hash Trees: I
• Authenticate a sequence of data values D0, D1, ..., DN
• Construct binary tree over data values
(Figure, reconstructed for N = 7)
                    T0
          T1                  T2
     T3        T4        T5        T6
   D0  D1    D2  D3    D4  D5    D6  D7
  T3 = H(D0 || D1), T4 = H(D2 || D3), T5 = H(D4 || D5), T6 = H(D6 || D7)
  T1 = H(T3 || T4), T2 = H(T5 || T6), T0 = H(T1 || T2)
Merkle Hash Trees: II
• Verifier knows T0
• How can verifier authenticate tree leaf Di?
• Solution: re-compute T0 using Di
• Example: to authenticate D2, send D2 and co-path = [D3, T3, T2]
• Verify T0 = H(H(T3 || H(D2 || D3)) || T2)
(Same tree as above)
CRT Contd.
• Express ranges of SNs of PKCs as tree leaf labels:
  – E.g., (5--12) means: 5 and 12 are revoked, the others larger than 5 and smaller than 12 are okay
  – Place the hash of the range in the leaf
• Response includes the corresponding tree leaf, the necessary hash values along the path to the root, and the signed root
• The CA periodically updates the structure and distributes it to untrusted servers called Confirmation Issuers
145
Example of CRT
146
(Figure, reconstructed: 8 leaves N0,0 ... N0,7, each the HASH of a serial-number range; internal nodes N1,0 ... N1,3 and N2,0, N2,1; signed root N3,0.)
Leaf ranges, left to right:
  N0,0 = HASH(-inf to 7)
  N0,1 = HASH(7 to 23)
  N0,2 = HASH(23 to 27)
  N0,3 = HASH(27 to 37)
  N0,4 = HASH(37 to 49)
  N0,5 = HASH(49 to 54)
  N0,6 = HASH(54 to 88)
  N0,7 = HASH(88 to +inf)
  N1,k = HASH(N0,2k || N0,2k+1), N2,k = HASH(N1,2k || N1,2k+1), N3,0 = HASH(N2,0 || N2,1)
Query: Is 67 revoked? 67 falls inside leaf N0,6 = (54 to 88), so it is not revoked (only 54 and 88 are); the proof is that leaf plus the siblings N0,7, N1,2 and N2,0 up to the signed root.
Characteristics of CRT
• Each response represents a proof
• Length of proof is O(log n), much shorter than a CRL, which is O(n), where n is the number of revoked certificates
• Only one "real" signature, on the tree root (can be done off-line)
147
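The Merkle hash tree of the two "Merkle Hash Trees" slides and the CRT of the example slide, as one added runnable example (not code from the slides). The first part builds the generic tree (T0 over D0..D7, leaves used raw, internal nodes H(left || right)) and checks a leaf from its co-path exactly as the verification equation on the slide does; the second part reuses that tree as a CRT whose leaves are hashes of the eight serial-number ranges of the example. H is SHA-256, the leaf encoding of a range is a choice made here, and the CA's signature on the root is represented by a trusted root hash the verifier already holds.

```python
"""Merkle hash tree with O(log n) co-path proofs, reused as a Certificate
Revocation Tree. Added example, not code from the slides."""
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(leaves):
    """All levels bottom-up: levels[0] are the raw leaves, levels[-1] == [root]."""
    n = len(leaves)
    if n & (n - 1):
        raise ValueError("leaf count must be a power of two")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def co_path(levels, index):
    """Sibling hashes from the leaf up: what the prover ships with leaf `index`."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def verify(root, leaf, index, path):
    """Recompute the root from the leaf and its co-path; compare with the trusted root."""
    h = leaf
    for sib in path:
        h = H(sib + h) if index & 1 else H(h + sib)   # odd index: sibling is on the left
        index //= 2
    return h == root


# CRT leaves of the example slide. (lo, hi) means lo and hi are revoked and
# every serial strictly between them is valid; None stands for -inf / +inf.
RANGES = [(None, 7), (7, 23), (23, 27), (27, 37), (37, 49),
          (49, 54), (54, 88), (88, None)]


def range_leaf(lo, hi):
    return H(f"{lo}..{hi}".encode())   # leaf encoding chosen for this example


def covers(rng, serial):
    lo, hi = rng
    return (lo is None or lo <= serial) and (hi is None or serial <= hi)


def crt_response(serial, ranges=RANGES):
    """Confirmation-issuer side: the covering leaf, its index, co-path and root."""
    levels = build_tree([range_leaf(lo, hi) for lo, hi in ranges])
    i = next(k for k, r in enumerate(ranges) if covers(r, serial))
    return {"range": ranges[i], "index": i, "co_path": co_path(levels, i),
            "root": levels[-1][0]}


def crt_revoked(serial, response, trusted_root):
    """Verifier side: True/False for revoked/valid, or None when the proof does
    not authenticate against the trusted root or the leaf does not cover the
    serial (an answer that must not be acted on)."""
    rng = response["range"]
    ok = covers(rng, serial) and verify(trusted_root, range_leaf(*rng),
                                       response["index"], response["co_path"])
    if not ok:
        return None
    return serial in rng


if __name__ == "__main__":
    resp = crt_response(67)
    print(resp["range"], crt_revoked(67, resp, resp["root"]))   # (54, 88) False
```

The response for serial 67 carries 3 sibling hashes for 8 leaves, the O(log n) proof of the "Characteristics of CRT" slide; a response whose leaf does not cover the queried serial, or whose co-path does not recompute to the trusted root, is rejected rather than interpreted.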
Explicit Revocation: OCSP
• OCSP = On-line Certificate Status Protocol (RFC 2560, June 1999; since superseded by RFC 6960)
• In place of, or as a supplement to, checking CRLs
• Obtain instantaneous status of a PKC
• OCSP may be used in sensitive, volatile settings, e.g., stock trades, electronic funds transfer, military
148
OCSP Players
149
(Figure: Alice, Bob, the CA and an OCSP responder)
1. Cert request (Bob to CA)
2. (unlabeled in the figure)
3. Transaction + request (Bob to Alice)
4. OCSP request (Alice to OCSP responder)
5. OCSP response / error message (responder to Alice)
6. Transaction response (Alice to Bob)
OCSP Definitive Response
• All definitive responses have to be signed:
  – either by the issuing CA
  – or by a Trusted Responder (OCSP client trusts the TR's PKC)
  – or by a CA Authorized Responder which has a special PKC (issued by the CA) saying that it can issue OCSP responses on the CA's behalf
150
Responses for Each Certificate
• Response format:
  – target PKC SN
  – PKC status:
    - good: positive answer
    - revoked: permanently or temporarily (on-hold)
    - unknown: responder doesn't know about the certificate being requested
  – response validity interval
  – optional extensions
151
Special Timing Fields
• A response contains three timestamps:
  – thisUpdate: time at which the status being indicated is known to be correct
  – nextUpdate: time at or before which newer information will be available
  – producedAt: time at which the OCSP responder signed this response. Useful for response pre-production
152
Security Considerations
• On-line method
• DoS vulnerability
  – flood of queries + generating signatures!
  – unsigned responses -> false responses
  – pre-computing responses offers some protection against DoS, but...
• Pre-computing responses allows replay attacks (since no nonce is included)
  – but the OCSP signing key can then be kept off-line
153
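The client-side acceptance check that the "Responses", "Special Timing Fields" and "Security Considerations" slides together imply, as an added runnable example (not code from the slides). It models only what the slides describe: the per-certificate status, the thisUpdate/nextUpdate/producedAt timestamps, the requirement that a definitive response be signed by a responder the client trusts, and an optional nonce. Real OCSP is DER over HTTP and the signature is verified by the X.509 library; here the `signer_trusted` flag stands for that check having passed. The scenario (serial 42, pre-produced week-long "good" answer, later replayed) is constructed; it shows the replay problem with nonce-less pre-produced responses and two client-side mitigations, a request nonce or a cap on response age measured from producedAt.

```python
"""Acceptance check for an OCSP-style response. Added example, not the
slides' code; constructed scenario, abstract times in seconds."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: str            # "good" | "revoked" | "unknown"
    this_update: int       # status known to be correct at this time
    next_update: int       # newer information available at or before this time
    produced_at: int       # time the responder signed the response
    signer_trusted: bool   # signature verified: issuing CA / trusted / authorized responder
    nonce: Optional[bytes] = None


def certificate_usable(resp, serial, now, req_nonce=None, max_age=None):
    """Return (usable, reason). Usable only if the response is authentic, is for
    the right certificate, lies inside its validity interval, is fresh by the
    caller's policy, and says "good"."""
    if not resp.signer_trusted:
        return False, "unsigned or untrusted signer"     # never act on unsigned data
    if resp.serial != serial:
        return False, "response is for another certificate"
    if resp.this_update > now:
        return False, "thisUpdate is in the future"
    if now > resp.next_update:
        return False, "stale: past nextUpdate"
    if req_nonce is not None and resp.nonce != req_nonce:
        return False, "nonce mismatch: possible replay of a pre-produced response"
    if req_nonce is None and max_age is not None and now - resp.produced_at > max_age:
        return False, "no nonce and response older than max_age"
    if resp.status == "good":
        return True, "good"
    return False, resp.status   # "revoked" or "unknown": do not use the certificate


# Constructed scenario: the responder pre-produced a week-long "good" answer for
# serial 42 at t=1000; the certificate is revoked at t=3000; at t=5000 an
# attacker replays the old answer to a relying party.
def preproduced_good(serial=42, signed_at=1000):
    return OcspResponse(serial, "good", this_update=signed_at,
                        next_update=signed_at + 7 * 86400,
                        produced_at=signed_at, signer_trusted=True)


def live_answer(serial, status, now, nonce):
    """What an on-line responder signs for one request (nonce echoed back)."""
    return OcspResponse(serial, status, this_update=now, next_update=now + 3600,
                        produced_at=now, signer_trusted=True, nonce=nonce)


if __name__ == "__main__":
    old = preproduced_good()
    print(certificate_usable(old, 42, now=5000))                    # replay accepted
    print(certificate_usable(old, 42, now=5000, req_nonce=b"n1"))  # nonce mismatch
    print(certificate_usable(old, 42, now=5000, max_age=3600))     # too old
    print(certificate_usable(live_answer(42, "revoked", 5000, b"n1"), 42, 5000, b"n1"))
```

The first call shows the trade-off on the slide: the pre-produced response is still inside [thisUpdate, nextUpdate] at t=5000, so a client that checks only the validity interval accepts it even though the certificate was revoked at t=3000. A nonce forces a live signature (and so an on-line signing key); a max_age bound keeps pre-production but shrinks the replay window to that bound.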
Implicit Revocation: Certificate Revocation System (CRS)
• Proposed by Micali (1996)
• Aims to improve CRL communication costs
• Basic idea: CA periodically refreshes valid certificates
• Uses an off-line/on-line signature scheme to reduce update cost
154
One-Way Hash Chains
• Versatile cryptographic primitive
• Construction:
  1. Pick random Y_N and public hash function H()
  2. Compute all values Y_{N-1}, ..., Y_0 such that Y_{i-1} = H(Y_i)
  3. Secret ROOT = Y_N, public ANCHOR = Y_0
• Properties:
  – Use in reverse order of construction: Y_0, Y_1, ..., Y_N
  – Hard to compute Y_i from Y_j (if j < i), easy to compute Y_j from Y_i
    - For example: easy to compute Y_1 from Y_2 since Y_1 = H(Y_2)
    - But, infeasible to compute Y_2 from Y_1
  – A verifier that already knows Y_j can efficiently authenticate a later value Y_i (j < i) by checking whether Y_j = H^{i-j}(Y_i) = H(H(...H(Y_i)...))
  – This method is robust to missing values: the verifier need not have seen Y_{j+1}, ..., Y_{i-1}
(Figure: Y_N --H--> Y_{N-1} --H--> ... --H--> Y_2 --H--> Y_1 --H--> Y_0)
CRS: Creation of a Certificate
• Two new parameters in the PKC: Y_0 and N_0
  – Y_0 = H^MAX(Y_MAX)   (Y_0 is the ANCHOR, Y_MAX the ROOT)
  – N_0 = H(N_1)
• [Y_MAX, N_1]: per-PKC secrets stored by the CA (Y_0 and N_0 themselves are public, inside the certificate)
• H(): public one-way function, e.g., SHA-2
156
CRS Example: Certificate issued for a year, refreshed daily
157
(Figure: CA -> Public Directory -> Verifier (Bob); NOTE: i = 0 at the issuance date)
• Daily update UPD_i for each certificate:
  – If Alice's certificate is valid: UPD_i = Y_i, and Y_0 = H^i(Y_i) <- verifier can easily check this
    - Also, note that: Y_i = H^{MAX-i}(Y_MAX)
  – If her certificate is revoked, UPD_i = N_1 (verifier checks H(N_1) = N_0)
  – Y_0 and N_0 are distinct for each certificate
158
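The hash-chain construction and the CRS refresh/revoke mechanism of the preceding slides, as one added runnable example (not code from the slides). H is SHA-256, MAX = 365 daily periods as in the example, and the CA keeps (Y_MAX, N_1) per certificate while the certificate carries only Y_0 and N_0. The CRSIssuer class, the certificate dictionary and the serial numbers are constructed for the demo; chain_accepts() is the verifier check Y_j = H^{i-j}(Y_i) from the hash-chain slide, and crs_status() is Bob's daily check.

```python
"""One-way hash chains and the CRS daily refresh. Added example, not the
slides' code; the issuer object and certificate format are constructed."""
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def H_pow(x: bytes, k: int) -> bytes:
    """H applied k times (k = 0 returns x unchanged)."""
    for _ in range(k):
        x = H(x)
    return x


def make_chain(n, root=None):
    """Y[n] = root (random if not given), Y[i-1] = H(Y[i]); returns Y[0..n]."""
    y = [None] * (n + 1)
    y[n] = root if root is not None else secrets.token_bytes(32)
    for i in range(n, 0, -1):
        y[i - 1] = H(y[i])
    return y


def chain_accepts(y_known, j, y_new, i):
    """Holding Y_j, accept a claimed later value Y_i (j < i) iff Y_j == H^(i-j)(Y_i).
    Works even if the values between j and i were never seen."""
    return i > j and H_pow(y_new, i - j) == y_known


MAX = 365   # certificate issued for a year, refreshed daily


class CRSIssuer:
    """CA side: per-certificate secrets and the periodic directory update."""

    def __init__(self):
        self._secrets = {}    # serial -> (Y_MAX, N_1); never leaves the CA
        self._revoked = set()

    def issue(self, serial):
        y_max, n1 = secrets.token_bytes(32), secrets.token_bytes(32)
        self._secrets[serial] = (y_max, n1)
        # Only the anchors go into the public certificate.
        return {"serial": serial, "Y0": H_pow(y_max, MAX), "N0": H(n1)}

    def revoke(self, serial):
        self._revoked.add(serial)

    def update(self, serial, day):
        """UPD_day as published in the directory: Y_day = H^(MAX-day)(Y_MAX), or N_1."""
        y_max, n1 = self._secrets[serial]
        return n1 if serial in self._revoked else H_pow(y_max, MAX - day)


def crs_status(cert, upd, day):
    """Verifier (Bob): classify the day's update using only the certificate."""
    if H(upd) == cert["N0"]:
        return "revoked"
    if H_pow(upd, day) == cert["Y0"]:
        return "valid"
    return "bogus"      # neither chain checks out: treat as no information


if __name__ == "__main__":
    ca = CRSIssuer()
    cert = ca.issue(5)
    print(crs_status(cert, ca.update(5, 0), 0), crs_status(cert, ca.update(5, 10), 10))
    ca.revoke(5)
    print(crs_status(cert, ca.update(5, 11), 11))
```

Two properties worth noticing in the checks: an old valid update cannot be replayed as a later day (H^11(Y_10) is not Y_0), and a verifier who was offline can still accept day 10 directly from Y_0 without having seen days 1 to 9, which is the "robust to missing values" property of the chain.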
Access Control
Recall: Security Services
• Confidentiality: to assure information privacy and secrecy
• Authentication: to assert who created or sent data
• Integrity: to show that data has not been altered
• Access Control: to prevent misuse of resources
• Availability: to offer access to resources, permanence, non-erasure
Examples of attacks on Availability:
– Denial of Service (DoS) attacks, e.g., against a name server
– Malware that deletes or encrypts files
Access Control (AC)
• A "language" for expressing access control policies: who can access what, how and when...
• Enforcement of access control
  – Identify all resources (objects) and their granularity
  – Identify all potential users (subjects)
  – Specify rules for subject/object interaction
  – Guard them in real time
160
Model and Terminology
• Subjects: users or processes
• Objects: resources (files, memory, printers, routers, plotters, disks, processes, etc., ...)
161
Focus of Access Control
• What a subject is allowed to do
• What may be done with an object
162
Access Modes
163
• "Look" at an object, e.g.:
  – read file
  – check printer queue
  – print remote screen
  – query database
  – etc., etc.
• "Change" an object, e.g.:
  – write/append/erase file
  – print or fax
  – display on screen
  – etc., etc.
Access Rights
execute, read, append, and write
164
(Table, reconstructed: which access modes each right involves)
           Execute   Append   Read   Write
Observe                        X      X
Alter                  X              X
UNIX/Linux/*x Operating Systems
• execute: execute (program) file, search directory
• read: read from file, list directory
• write: write (re-write or append) file, create or rename file in directory
165
AC Types
Who is in charge of setting AC policy?
• Discretionary: resource owner
• Mandatory: system-wide policy
166
Access Control Structures
i. Access Control Matrix
ii. Capabilities
iii. Access Control Lists
167
Access Control Matrix
168
(Rows: subjects; columns: objects; reconstructed from the slide)
            Bill.doc        Edit.exe     Fun.com
Alice       {}              {execute}    {execute, read}
Bob         {read, write}   {execute}    {execute, read, write}
Access Control Lists 1/2
Keep access rights to an object with that object:
§ ACL for bill.doc: Bob: read, write
§ ACL for edit.exe: Alice: execute; Bob: execute
§ ACL for fun.com: Alice: execute, read; Bob: execute, read, write
169
• As many ACLs as there are objects
• Each ACL either signed or stored in a protected place
• Hard to manage
Access Control Lists 2/2
• Managing access rights can be difficult
• Groups can be helpful...
• Groups simplify definition of access control policies
170
Access Control Lists
171
(Figure: subjects S1, S2, S3, a group G1, and objects O1 through O5, with an X marked at O5.)
Capabilities 1/2
• Capabilities are associated with discretionary access control
• Reason: difficult to get a full view of who has permission to access an object
• Very difficult to revoke a capability (owners/objects have to keep track of all issued capabilities)
172
• As many capabilities as there are subject/object pairs
• Each capability either signed or otherwise protected
• Hard to revoke in a distributed setting
Capabilities 2/2
Keep access rights with the subject:
• Alice's capabilities: [edit.exe: execute]; [fun.com: execute, read]
• Bob's capabilities: [bill.doc: read, write]; [edit.exe: execute]; [fun.com: execute, read, write]
173
In Summary
• Centralized systems: ACLs are better
• Distributed systems: capabilities are better
174
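The access-control matrix of the slides with its two projections, ACLs (a column kept with each object) and capabilities (a row held by each subject), as an added runnable example, not code from the slides. The two checks answer the same subject/object/right question identically; the difference the "In Summary" slide is about shows up in the per-object operations: "who can execute fun.com?" and "withdraw execute on fun.com from everyone" touch one list under ACLs and every subject's capability list under capabilities. The dictionaries and the counting of touched lists are constructed for the demo.

```python
"""Access-control matrix, ACL view and capability view.
Added example, not the slides' code; matrix taken from the slides."""
MATRIX = {
    ("Alice", "bill.doc"): set(),
    ("Alice", "edit.exe"): {"execute"},
    ("Alice", "fun.com"): {"execute", "read"},
    ("Bob", "bill.doc"): {"read", "write"},
    ("Bob", "edit.exe"): {"execute"},
    ("Bob", "fun.com"): {"execute", "read", "write"},
}


def acls(matrix):
    """object -> {subject: rights}; kept with the object (consulted by the guard)."""
    table = {}
    for (subj, obj), rights in matrix.items():
        if rights:
            table.setdefault(obj, {})[subj] = set(rights)
    return table


def capabilities(matrix):
    """subject -> {object: rights}; held by the subject (signed or otherwise protected)."""
    table = {}
    for (subj, obj), rights in matrix.items():
        if rights:
            table.setdefault(subj, {})[obj] = set(rights)
    return table


def acl_allows(acl_table, subj, obj, right):
    return right in acl_table.get(obj, {}).get(subj, ())


def cap_allows(cap_table, subj, obj, right):
    return right in cap_table.get(subj, {}).get(obj, ())


def acl_holders(acl_table, obj, right):
    """Who has `right` on `obj`? One lookup: the object's own list."""
    return {s for s, rights in acl_table.get(obj, {}).items() if right in rights}


def cap_holders(cap_table, obj, right):
    """Same question with capabilities: every subject's list must be inspected."""
    return {s for s, objs in cap_table.items() if right in objs.get(obj, ())}


def acl_revoke(acl_table, obj, right):
    """Withdraw `right` on `obj` from everyone; returns the number of lists touched."""
    entries = acl_table.get(obj, {})
    for rights in entries.values():
        rights.discard(right)
    return 1 if entries else 0


def cap_revoke(cap_table, obj, right):
    """Same revocation with capabilities: every issued capability for `obj` must
    be found and rewritten; returns the number of subject lists touched."""
    touched = 0
    for objs in cap_table.values():
        if obj in objs:
            objs[obj].discard(right)
            touched += 1
    return touched


if __name__ == "__main__":
    A, C = acls(MATRIX), capabilities(MATRIX)
    print(acl_holders(A, "fun.com", "execute"), cap_holders(C, "fun.com", "execute"))
    print(acl_revoke(A, "fun.com", "execute"), cap_revoke(C, "fun.com", "execute"))
```

In a distributed system the capability lists live on the subjects' machines, so cap_revoke() is a remote operation per subject (or impossible, if a capability was copied), which is the "hard to revoke in a distributed setting" point of the Capabilities slide; an ACL, by contrast, sits with the object's guard.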
175
ROLE BASED ACCESS CONTROL (RBAC)
176
RBAC Basics
• Users are associated with roles
• Roles are associated with permissions
• A user has a permission only if s/he has a role associated with that permission
177
Example: The Three Musketeers (User/Permission Association)
(Figure: users Athos, Porthos and Aramis each directly linked to the permissions palace, weapons and uniform, i.e., one entry per user/permission pair.)
178
Example: The Three Musketeers (RBAC)
(Figure: Athos, Porthos and Aramis are assigned the role Musketeer, and the role Musketeer is assigned the permissions palace, weapons and uniform; the direct user/permission picture is shown beside it for comparison.)
179
Example: The Three Musketeers (RBAC)
(The same two pictures repeated.)
180
Example: The Three Musketeers (RBAC)
(The same two pictures again.)
Here RBAC doesn't work...
181
Example: D'Artagnan becomes a Musketeer
(Figure: with direct user/permission association, D'Artagnan needs separate links to palace, weapons and uniform; with RBAC he is simply assigned the Musketeer role.)
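The RBAC rule of the "RBAC Basics" slide and the Musketeers example, as an added runnable example (not code from the slides). has_permission() grants only through a role that carries the permission; rbac_entries() and direct_entries() count what an administrator maintains under RBAC versus direct user/permission association, which is what the D'Artagnan slide illustrates: a new musketeer costs one role assignment instead of one entry per permission. The RBAC class, its method names and the entry counting are constructed for the demo.

```python
"""RBAC: users -> roles -> permissions, on the Musketeers example.
Added example, not the slides' code; class and method names are the author's."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions
        self.user_roles = defaultdict(set)   # user -> roles

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def revoke(self, role, perm):
        """Removing a permission from the role removes it from every member at once."""
        self.role_perms[role].discard(perm)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def deassign(self, user, role):
        self.user_roles[user].discard(role)

    def permissions(self, user):
        """Union of the permissions of all roles the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def has_permission(self, user, perm):
        """The RBAC rule: only through a role that carries the permission."""
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))

    def rbac_entries(self):
        """Assignments an administrator maintains: user-role plus role-permission."""
        return (sum(len(r) for r in self.user_roles.values())
                + sum(len(p) for p in self.role_perms.values()))

    def direct_entries(self):
        """Equivalent user/permission pairs without roles (the first Musketeers slide)."""
        return sum(len(self.permissions(u)) for u in self.user_roles)


def musketeers():
    """Constructed instance of the slides' example."""
    ac = RBAC()
    ac.grant("Musketeer", "palace", "weapons", "uniform")
    for name in ("Athos", "Porthos", "Aramis"):
        ac.assign(name, "Musketeer")
    return ac


if __name__ == "__main__":
    ac = musketeers()
    print(ac.has_permission("D'Artagnan", "palace"))   # False: no role yet
    ac.assign("D'Artagnan", "Musketeer")               # one assignment ...
    print(ac.permissions("D'Artagnan"))                # ... grants all three
    print(ac.rbac_entries(), ac.direct_entries())      # 7 vs 12
```

With four musketeers RBAC maintains 7 entries (4 user-role plus 3 role-permission) where direct association needs 12, and revoking a permission from the role (revoke()) changes every member's effective rights in one step, with no per-user lists to chase.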