enei 2014 - cryptography

CryptographyJoão Paulo Barraca <[email protected]>

ENEI 2014 - Aveiro

mailto:[email protected]

Privacy

Restrict information to a limited number of entities

Privacy

State of being free from being observed

Flickr, valpearl/5103209989

Security

• The state of being free from danger or threat

Security

The state of being free from danger or

threat

Flickr, juanktru/3503494338

Cryptography

Write something in a covert way Greek: Kryptós (Hidden),

graphein (Write) !

Similar to Steganography

Cryptography

Flickr, delgrossodotcom/3211643440

Cryptography

key = ‘qwerty’

text = ‘Meet with Alex at 13:05’

Base64( AES-128-ECB(key, text) )

U2FsdGVkX1/Q7MhqgxAWF5YU57uZRzDfCDuJa6k0uQW9CZvB22svyiE/WdxKXid3

Cryptography

key = ‘qwerty’

text = ‘Meet with Alex at 13:05’

Base64( AES-128-ECB(key, text) )

U2FsdGVkX1/Q7MhqgxAWF5YU57uZRzDfCDuJa6k0uQW9CZvB22svyiE/WdxKXid3

Output seems to be random

Steganography!text = ‘Meet with Alex at 13:05’ method = encode Least Significant Bit (00000001)


Covert Channel


Output seems to be unmodified

Cryptography Uses

Increase Security

2 - Assure origin of information (Authentication)

1 - Condition access to information (Privacy)

Ancient Times

• Simple ciphers

• Transposition: change symbol order

• Substitution: replace symbols

• Transmit encoded messages

• Military, Political partners, Private conversations

Flickr, stuckincustoms/189321498

Scytale

Flickr, templar-revenged/12468322164

!

Transposition Cipher !

Used by Greeks and Spartans

Caesar Cipher !

!

E -> B N -> K E -> B I -> F

Substitution Cipher

Stallings, W. Cryptography and Internet Security: Principles and Practices. Upper Saddle River: Prentice, 1999.

XIX, XX centuries

More complex ciphers

Using electro-mechanical devices

Integration with communication lines (telegraph)

Flickr, elsie/3916831047

Enigma Transposition Cipher

Flickr, timg_vancouver/200625463

Flickr, brewbooks/3317243295

Lorenz Vernan Cipher (substitution)

Modern Times: > 1970

• Even more complex ciphers !

• Based on mathematical models • Applied by computers • Impossible to solve by hand!

!

• Mostly use substitution algorithms

Symmetric Crypto• Single key to cipher and decipher

• Key sets state of cipher algorithm

Text CipherAlgorithm Cryptogram

Key

CipherAlgorithm Text

Key

???

Stream Ciphers• Key sets cipher state

• Cipher produces random sequence

• Sequence is XORed with data

Stream Ciphers

Text

CipherAlgorithm

Key

CipherAlgorithm

Key

???

++ Cryptogram Text

Key Stream Key Stream

Stream Ciphers

• 1 byte encoded (XOR) at a time

• Very fast!

• Good for communications!

• Size of input equals size of output

• Typical Key Sizes: >128 bits

Stream Ciphers

• A5 - Mobile Phone Communications

• RC4 - Wifi WEP, Internet HTTPS

• O

Original Text

Cryptogram seems to be random

Block Ciphers

• Input processed in blocks

• Block size related to key size

!

• Output is multiple of block size • Typical sizes: 64bits, 128bits, 192bits, 256bits

Block Ciphers

• Cipher algorithm does substitutions and permutations

• Key defines how

• Typical algorithms: AES, Blowfish, 3DES…

Block Ciphers

CipherKey Decipher Key

???

Cryptogram

Cryptogram

Cryptogram doesn’t seems to be random

Block Ciphers

• Blocks with same content will result in same output

• … because blocks are ciphered individually

• …. no feedback mechanism

Cipher Modes• Aditional Cipher Modes destroy patterns

• eg, Cipher-block chaining (CBC)

CipherKey

Block 1

Cryptogram

CipherKey

Cryptogram

Block 2

+ +IV

Asymmetric Crypto

• Uses a pair of keys:

• Public Key: every one may have it

• Private Key: never should be disclosed

• One key can do the oposite of the other

Confidentiality

CipherPublicKey

Decipher

???

Cryptogram

Cryptogram

PrivateKey

Authentication

CipherPrivateKey

Decipher

???

Cryptogram

Cryptogram

PublicKey

Who uses cryptography?

Should I (You) use?

Flickr, icedsoul/3194511482

Spies

Flickr, dunechaser/2630433944

Military

Flickr, lord_dane/4809995767

… and every one else

Cryptography

It’s a building block of our society

Flickr, nickobec/359440072

Enforces Security

• Cipher: Restricts access to Information

• Only holder of KEY can decipher cryptogram

!

• Authentication: Restricts access to Actions

• KEY asserts identity of its holder

Flickr, adulau/7712545428

In other words…

• You really know with whom you are sharing information

• Entities are Authenticated

• Mechanisms really restrict who accesses information

• Data is private

Flickr, adulau/7712545428

Wifi

• Restrict Access to authorised users

• eg, Your friends

• Make traffic confidential

• Wireless signals travel a long distance

Flickr, _miki/3425273296

Wifi

• Shared key (Password) provided by user is converted into key

• All traffic is ciphered

• Only key holders are authorised to associate

• Prevents eavesdropping and usage

Wifi

• WEP: RC4 (Stream Cipher, weak)

• Uses 24bits IV (‘random’) + 104bit Key

• WPA/WPA2: AES/CCMP (Block Ciphers)

• 128bit, per packet key

• 802.1x: Extensible Authentication Protocol (EAP)

Mobile Phones

Identify user Identify sim card (client) Identify terminal Make all traffic confidencial

Flickr, 26311710@N02/3235380837

Mobile Phones

• SIM card is protected by PIN

• Contains algorithms for authentication

• Contains Keys shared with Service Provider

• Terminal contains identifier (IMEI)

• Traffic is ciphered

Secure Sockets Layer (SSL)

• Protect traffic over communication networks

• Authenticate endpoints

• Make traffic confidential


• Extensively used in the Internet

• HTTPS, IMAPS, POP3S, XMPP, etc..

• Based on Certificates and Asymmetric Cryptography

• Established tunnel before actual data


• Server has Certificated issued by Trusted CA

• Client has temporary keys or trusted certificate

• Single (Server) or Mutual authentication

• All traffic is confidential

Identification

• Identify citizen / user

• Stronger method than visual ones

• Enable authentication over the Internet

• eg, web pages, emails, digital documents

Identification

• Smart Card protected by PIN codes

• Certificate issued by State

• Private Key that can be used for signing

• Card is secure against tampering

• Private Key never leaves Smart Card

Identification

I'm Maria

Prove It! Random_number

Sure! Sign(Random_number), CertVerify Certificate

VerifySignature

RequestCard to Sign

Hello Maria!

Information Confidentiality• Most systems provide

Software ciphered storage

• FileVault, BitLocker, TrueCrypt

• Devices also support ciphered storage

• Self Encrypting Drives

Seagate

Attacking Cryptographic

Systems

Direct Attacks• Analyse cryptographic algorithms

• Find weaknesses in its components

• Require serious mathematical skills

!

• Frequent contests to elect the best algorithm

• ex: 3DES, AES, SHA

Direct Attacks

• Brute force

• Try every possible combination

• Example: RSA 2048

• Time required: ~6.4 quadrillion years

• Universe age: 13.2 billion years

http://www.digicert.com/TimeTravel/math.htm ECRYPT II

http://www.digicert.com/TimeTravel/math.htm

Direct Attacks

• Brute force






Considering evolution in computer capacity RSA 2048 secure until 2030

!Source, ECRYPT II


Direct Attacks

• Brute force






If aiming at a user created password, results should be ready soon


Indirect Attacks

• Obtain information indirectly

• Algorithm is not broken

• Implementation is broken

• Implementation leaks information

• User is the frequent target

Human Behaviour

Power Leakage

Consumption when Key bit is 0

Consumption when Key bit is 1

Wikimedia Foundation

Sound Leakage

Daniel et al

Implementation Errors

• Heartbleed bug in openssl 1.0.1-1.0.1f

• Allows extracting 64Kbytes from server memory

• Affects all systems using SSL

Implementation Errors

... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; …

Apple “GOTO” bug, 2014

Thanks

enei 2014 - cryptography

Education