Post on 21-Jan-2017
Intro to Cryptography
Michael Soltys
California State University at Channel Islands
August 20, 2015 v1.1
Crypto - Michael Soltys August 10, 2015 v1.1 Introduction - 1/45
WEP, WPA/WPA2; SSL/SSH; PGP/GPG
RSA encryption, 128 bytes:
BE 89 0E A1 AD FA 7D 58 6A A1 6A E4
3B ED 75 E4 3E F2 19 F7 F3 0F FA D9
EF 62 10 52 7B FC DD 94 96 A8 35 6B
1B 50 60 2E 2E 79 AC 7C 2E A3 81 DE
8D 37 F9 EE 6E 4F 82 C7 E4 12 04 55
AF 57 69 94 8C EF 2E 50 7A 6D 53 0F
5B 5F 62 58 5E CF F2 DF F4 4D CE 71
B6 82 D7 86 E5 4F 77 E4 91 AA E4 BD
5A 65 AA 9E 20 4F 38 5E B4 8B E0 36
45 80 A8 D5 24 5C 46 9D F1 80 C0 6B
62 A5 1F 26 5E AE 17 47
DRM: FairPlay
MD5:
5c3079df8a48623f5aa10f0181a7ab03
- We know how to do crypto scientifically → and it is a huge help
- But, in practice most security problems are due to buggy code → writing software that is not buggy is the problem of CS/SE
- Challenge 1: build secure systems with insecure components → similar to building reliable systems with unreliable components
- Challenge 2: the art of making the right trade-offs to satisfy contradictory objectives (e.g., security & speed)
Cryptography is the art of computing & communicating in the presence of an adversary
cryptography = κρυπτo (hidden or secret) + γραφη (writing)
Three broad applications:
- encryption
- authentication
- integrity checking
Not all security is an application of crypto, e.g., Firewalls.
Fundamental TENET of cryptography
Lots of smart people have been trying to figure out how to break X,
but so far they have not been able to come up with anything yet.
Therefore X is “secure” . . .
Fundamental ASSUMPTION of cryptography
Everybody knows how it works, i.e., the algorithm is public knowledge.
The secret is the “key”.
In principle it can always be broken; but in practice it is too much work for the “bad guy.”
Great free tools to practice the ideas presented in these slides:
GnuPG (http://www.gnupg.org)
OpenSSL (http://www.openssl.org)
plaintext --encryption--> ciphertext --decryption--> plaintext
- Caesar cipher: key a secret number between 1 and 25.
- Monoalphabetic cipher: key a secret pairing — 26! ≈ 10^26
Three basic attacks:
- ciphertext only
- known plaintext
- chosen plaintext
Three types of cryptographic functions:
- hash functions (0 keys)
- secret key functions (1 key)
- public key functions (2 keys)
Secret (symmetric) key crypto
[Figure: plaintext --encryption (key)--> ciphertext --decryption (same key)--> plaintext]
Public (asymmetric) key crypto
[Figure: plaintext --encryption (public key)--> ciphertext --decryption (private key)--> plaintext]
Digital signature scheme
[Figure: plaintext --signing (private key)--> signed message --verification (public key)--> plaintext]
Symmetric Ciphers
- Substitutions
- Permutations
- XOR
Rounds of substitutions & permutations
XOR, exclusive OR

x  y  x ⊕ y
0  0  0
0  1  1
1  0  1
1  1  0

If a, b ∈ {0, 1}^n then a ⊕ b is a string in {0, 1}^n where the i-th bit is a_i ⊕ b_i.
Bit-wise XOR
Can also bit-wise XOR a stream
DES (1977)
“Data Encryption Standard”
IBM’s cipher + NSA =⇒ DES
DES: 56-bit key, 64-bit input, 64-bit output
Technically, the key is also 64 bits, but each octet is
x1 x2 x3 x4 x5 x6 x7 y, where y = x1 ⊕ x2 ⊕ ... ⊕ x7.
[Figure: DES structure. The 64-bit input goes through an initial permutation, then Round 1, Round 2, ..., Round 16, then a swap of the left & right sides, then the inverse of the initial permutation. From the initial 56-bit key, 16 subkeys of 48 bits each are generated, one per round.]
[Figure: one DES round. The 64-bit block is split into 32-bit L_n and 32-bit R_n. R_n is copied unchanged to become L_{n+1}; R_n and the round key K_n go into the Mangler function, and its 32-bit output is XORed (+) with L_n to give R_{n+1}.]
Reversible “Feistel cipher.”
Example: Apache HTTP server access
.htaccess & .htpasswd
Can create a (variant of) DES login/password pair:
htpasswd -cbd ./.htpasswd crypto 7u3pr4aa
and the result is the file .htpasswd containing:
crypto:9.ZzClMRzHfmc
On:
http://www.cas.mcmaster.ca/~soltys/cs3c03-w13/ReadingList
.htpasswd consists of:
netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21
created with command:
htpasswd -cbm ./.htpasswd netsec2013 tigerblood
which produces an MD5 hash
- -d is crypt(), a variant of DES
- -m is MD5
- -s is SHA1
- crypt() function
- man 3 crypt for details
- password truncated to 8 letters
- each encoded with 7 (ASCII) bits
- giving 56 bits of input
- salt used to “perturb”
- displayed in Base64
[Figure: the 56-bit password is used as the DES key to encrypt a 64-bit block of 0s; DES is applied 25 times in sequence (1, 2, 3, ..., 25), each iteration encrypting the previous 64-bit output.]
Checking a password: h = crypt("passwd", h), i.e., the stored hash h is passed back as the salt argument and the result is compared with h.
perl -e 'print crypt("7u3pr4aa"," 9. ZzClMRzHfmc ")'
outputs eYZUcvy1BSUak
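The .htpasswd material above in working form, as an added example that is not from the slides: it parses a password file, classifies each entry by the prefix conventions htpasswd uses for -d, -m and -s, extracts the two-character salt of a crypt() entry (which is why h = crypt(passwd, h) recomputes h), and verifies a {SHA} entry with the standard library. The first two sample lines are the ones shown on the slides; the third is a constructed SHA1 entry for a user "demo" with password "password". Function names are my own.

```python
import base64
import hashlib

# Sample .htpasswd content (constructed for this example). The first two
# lines are the ones shown on the slides; the third is an htpasswd -s
# ({SHA}) entry for user "demo" with password "password".
HTPASSWD_SAMPLE = """\
crypto:9.ZzClMRzHfmc
netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21
demo:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def parse_htpasswd(text: str) -> dict:
    """Return {user: stored_hash} for each non-empty, non-comment line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def scheme_of(stored: str) -> str:
    """Classify a stored hash by prefix: $apr1$ is Apache MD5 (-m),
    {SHA} is SHA1 (-s), and a bare 13-character string is crypt()/DES (-d)."""
    if stored.startswith("$apr1$"):
        return "md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13:
        return "crypt"
    return "unknown"


def crypt_salt(stored: str) -> str:
    """For crypt()-style hashes the first two characters are the salt, so
    passing the whole hash as the salt argument reproduces the same hash."""
    return stored[:2]


def verify_sha1(password: str, stored: str) -> bool:
    """Verify a {SHA} entry: base64(SHA1(password)) must equal the stored value.
    Note that this scheme has no salt at all."""
    digest = hashlib.sha1(password.encode()).digest()
    return base64.b64encode(digest).decode() == stored[len("{SHA}"):]


def audit_htpasswd(text: str) -> dict:
    """Map each user to its hash scheme, so legacy entries (crypt() keeps only
    8 characters of the password; {SHA} is unsalted) can be found and rehashed."""
    return {user: scheme_of(h) for user, h in parse_htpasswd(text).items()}


if __name__ == "__main__":
    for user, scheme in audit_htpasswd(HTPASSWD_SAMPLE).items():
        print(f"{user}: {scheme}")
    print(verify_sha1("password", parse_htpasswd(HTPASSWD_SAMPLE)["demo"]))
```

Run it against a real file by replacing HTPASSWD_SAMPLE with the file's contents; any entry reported as "crypt" or "sha1" is one to migrate.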
Challenge
Who can break the crypt() htpasswd corresponding to:
.DubBN4dRdP7w
AES
NIST: National Institute of Standards
“Rijndael”
FIPS 2001
AES-128, AES-192, AES-256
Block ciphers
Encrypting messages longer than 64 bits (KPS, chp 4)
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. k-bit Cipher Feedback Mode (CFB)
4. k-bit Output Feedback Mode (OFB)
5. Counter Mode (CTR)
ECB
[Figure: the message is split into blocks m_1, m_2, ..., m_6 and each block is encrypted independently under K: e_i = enc_K(m_i).]
CBC
[Figure: c_1 = enc_K(m_1 ⊕ IV) and c_i = enc_K(m_i ⊕ c_{i-1}) for i = 2, 3, 4; each plaintext block is XORed with the previous ciphertext block before encryption under K.]
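One added example (not from the slides, and not DES or any real cipher) serving both the “reversible Feistel cipher” round above and the ECB/CBC pictures. The block cipher is a toy 64-bit, 16-round Feistel network with a made-up mangler and key schedule, used only to show the structure: running the rounds with the subkeys reversed undoes encryption even though the mangler itself is not invertible; ECB maps equal plaintext blocks to equal ciphertext blocks; CBC chains each block through the previous ciphertext and an IV so it does not. All names, the key schedule and the mangler are my own, and the cipher is not secure.

```python
import os

BLOCK = 8      # 64-bit block, as in DES
ROUNDS = 16    # DES also uses 16 rounds


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list:
    """Constructed key schedule: 16 four-byte subkeys from an 8-byte key
    (a stand-in for DES's 16 x 48-bit subkeys, not DES's real schedule)."""
    assert len(key) == BLOCK
    return [bytes(key[(i + r) % BLOCK] ^ ((r * 37) & 0xFF) for i in range(4))
            for r in range(ROUNDS)]


def mangler(right: bytes, subkey: bytes) -> bytes:
    """Round function f(R, K). It need not be invertible: the Feistel
    structure, not f, is what makes decryption possible."""
    x = int.from_bytes(right, "big") ^ int.from_bytes(subkey, "big")
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF   # constructed mixing step
    x ^= x >> 13
    return x.to_bytes(4, "big")


def feistel_block(block: bytes, subkeys: list) -> bytes:
    """L_{n+1} = R_n, R_{n+1} = L_n xor f(R_n, K_n) for each round, then the
    final swap. Running it with the subkeys reversed inverts it."""
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, xor_bytes(left, mangler(right, k))
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel_block(block, round_keys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel_block(block, round_keys(key)[::-1])


def pad(m: bytes) -> bytes:
    """PKCS#7-style padding so any message length fills whole blocks."""
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m: bytes) -> bytes:
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    ks = round_keys(key)
    return b"".join(feistel_block(b, ks) for b in blocks(pad(m)))


def ecb_decrypt(key: bytes, c: bytes) -> bytes:
    ks = round_keys(key)[::-1]
    return unpad(b"".join(feistel_block(b, ks) for b in blocks(c)))


def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    ks, prev, out = round_keys(key), iv, []
    for b in blocks(pad(m)):
        prev = feistel_block(xor_bytes(b, prev), ks)   # c_i = enc_K(m_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    ks, prev, out = round_keys(key)[::-1], iv, []
    for b in blocks(c):
        out.append(xor_bytes(feistel_block(b, ks), prev))   # m_i = dec_K(c_i) xor c_{i-1}
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(c: bytes) -> bool:
    """True if two ciphertext blocks are identical: ECB leaks plaintext structure this way."""
    bs = blocks(c)
    return len(set(bs)) < len(bs)


if __name__ == "__main__":
    key = b"8bytekey"                 # constructed demo key
    msg = b"ATTACK AT DAWN. " * 4     # a 16-byte pattern repeated
    iv = os.urandom(BLOCK)
    print("ECB repeats blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```

The IV in CBC must be unpredictable per message; reusing it turns the first block back into ECB.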
Stream ciphers: RC4
Message m and one-time pad p both in {0, 1}^n.
A stream cipher generates successive bits p_i to encode a stream of bits m_i as c_i = m_i ⊕ p_i.
(Keep in mind that 2^8 = 256)
Let S[i] be an array of octets (i.e., bytes).
Initialize S:
for i = 0 ... 255
    S[i] = i
end for
j = 0
for i = 0 ... 255
    j = (j + S[i] + key[i mod keylength]) mod 256
    swap S[i] and S[j]
end for
Generate pseudo-random bit stream (a byte at a time)
i = 0
j = 0
while "next byte needed"
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap S[i] and S[j]
    k = S[(S[i] + S[j]) mod 256]
    output k
end while
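The two RC4 routines above, together with the bit-wise XOR stream from the XOR slide, as an added example (not from the slides): the key schedule and the byte generator follow the pseudocode line by line, the keystream is XORed into the message, and the same call decrypts because XOR is its own inverse. The final function shows why the WEP design attaches a changing IV to the key: two messages encrypted under the same keystream XOR to the XOR of the plaintexts, so the pad must never be reused. The "Key"/"Plaintext" and "Wiki"/"pedia" values are published RC4 test vectors; function names are my own.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: initialize S and scramble it with the key."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes):
    """Pseudo-random generation: yields one keystream byte per step, forever."""
    S = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def xor_stream(data: bytes, stream) -> bytes:
    """c_i = m_i xor p_i, byte by byte; since xor is its own inverse,
    applying the same keystream again recovers the message."""
    return bytes(m ^ p for m, p in zip(data, stream))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under RC4 with the given key."""
    return xor_stream(data, rc4_keystream(key))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper obtains when one keystream encrypts two messages:
    c1 xor c2 == m1 xor m2, with the pad cancelled out. This is the failure
    WEP's per-packet IV is meant to avoid (and why the IV must not repeat)."""
    return xor_stream(rc4_crypt(key, m1), rc4_crypt(key, m2))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))   # b'Plaintext'
```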
802.11 Wireless Networks Security
WEP (Wired Equivalent Privacy) uses RC4 — deprecated!
WPA (Wi-Fi Protected Access)
- WPA uses an RC4-based scheme called TKIP (larger keys than WEP)
- WPA2 uses AES
WPA/WPA2 part of 802.11i as of 2004.
WEP
[Figure: RC4 key = IV | Key (concatenation of the initialization vector and the shared key). RC4 generates the "one-time pad" = "keystream" 00101101011101011000101110..., which is XORed (+) with the "plaintext" 110111001011000111100100... to give (=) the "ciphertext" 1111000111000100011....]
openssl ciphers -v
Name; Protocol; Kx=key exchange; Au=authentication; Enc=encryption; Mac=message digest
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
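A practitioner would read that list for the suites that should never be offered. The following added example (not from the slides) embeds the listing above as its input, parses each `openssl ciphers -v` line into its fields, and reports the suites that are export-grade, SSLv2, use a 512-bit key exchange, use RC4, RC2, DES or 3DES, have a cipher key shorter than 112 bits, or use an MD5 MAC. The thresholds and function names are my own choices.

```python
# The `openssl ciphers -v` listing shown above, embedded as sample input.
CIPHERS_V = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

# Ciphers a defender would refuse outright: RC4 and RC2 are broken stream/block
# ciphers, DES has a 56-bit key, 3DES has a 64-bit block.
WEAK_ENC = {"RC4", "RC2", "DES", "3DES"}


def _bits(value: str):
    """'AES(256)' -> 256, 'DH(512)' -> 512, 'DH' -> None."""
    if "(" not in value:
        return None
    return int(value[value.index("(") + 1:value.index(")")])


def parse_suite(line: str) -> dict:
    """Parse one `openssl ciphers -v` line into name, protocol, flags and key=value fields."""
    fields = line.split()
    suite = {"name": fields[0], "proto": fields[1], "export": "export" in fields}
    for f in fields[2:]:
        if "=" in f:
            k, v = f.split("=", 1)
            suite[k] = v
    return suite


def weaknesses(suite: dict) -> list:
    """Reasons a suite should not be offered; empty list means nothing flagged."""
    reasons = []
    if suite["export"]:
        reasons.append("export-grade")
    if suite["proto"] == "SSLv2":
        reasons.append("SSLv2")
    kx_bits = _bits(suite["Kx"])
    if kx_bits is not None and kx_bits < 1024:
        reasons.append(f"{kx_bits}-bit key exchange")
    enc_alg, enc_bits = suite["Enc"].split("(")[0], _bits(suite["Enc"])
    if enc_alg in WEAK_ENC:
        reasons.append(enc_alg)
    if enc_bits is not None and enc_bits < 112:
        reasons.append(f"{enc_bits}-bit cipher key")
    if suite["Mac"] == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit_suites(text: str) -> list:
    """[(name, protocol, [reasons]), ...] for every line of the listing."""
    suites = (parse_suite(l) for l in text.splitlines() if l.strip())
    return [(s["name"], s["proto"], weaknesses(s)) for s in suites]


if __name__ == "__main__":
    for name, proto, reasons in audit_suites(CIPHERS_V):
        print(f"{name:<26} {proto:<6} {'ok' if not reasons else ', '.join(reasons)}")
```

The same function runs on live output via `openssl ciphers -v` piped into it; on a current OpenSSL the protocol column will read TLSv1.2/TLSv1.3 and the export and SSLv2 rows are gone.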
Public Key Crypto
- Diffie-Hellman
- ElGamal
- RSA
Diffie-Hellman Key Exchange
- Oldest public key cryptosystem still in use.
- Allows two individuals to agree on a shared key, even though they can only exchange messages in public.
- A weakness is that there is no authentication; the other might be a “bad guy.”
- Described in RFC 2631
[Figure: plot of log_3(x) over Z_17, with x = 0 ... 16 on both axes, from the data file "primitive.txt".]
   Alice                                  Bob
1  Public: p, g such that Z_p = <g>
2  Choose secret a                        Choose secret b
3  Compute A := g^a                       Compute B := g^b
4  Send A to Bob  -->               <--   Send B to Alice
5  Compute B^a                            Compute A^b
6  Alice & Bob have shared value A^b = (g^a)^b = g^(ab) = g^(ba) = (g^b)^a = B^a
1. Alice and Bob agree to use a prime p = 23 and base g = 5.
2. Alice chooses secret a = 8; sends Bob A = g^a (mod p)
   2.1 A = 5^8 (mod 23)
   2.2 A = 16
3. Bob chooses secret b = 15; sends Alice B = g^b (mod p)
   3.1 B = 5^15 (mod 23)
   3.2 B = 19
4. Alice computes s = B^a (mod p)
   4.1 s = 19^8 (mod 23)
   4.2 s = 9
5. Bob computes s = A^b (mod p)
   5.1 s = 16^15 (mod 23)
   5.2 s = 9
Computing large powers in (Z_n, *) can be done efficiently with repeated squaring. For example, if (m)_b = c_r ... c_1 c_0 (the binary expansion of m), then compute
a_0 = a, a_1 = a_0^2, a_2 = a_1^2, ..., a_r = a_{r-1}^2 (mod n),
and so a^m = a_0^{c_0} a_1^{c_1} ··· a_r^{c_r} (mod n).
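The repeated-squaring rule and the p = 23, g = 5 exchange, worked in code as an added example (not from the slides): `modpow` walks the bits c_0, c_1, ..., c_r of m from the right while squaring a_i at each step, exactly the a_i^{c_i} product above; `is_generator` checks the Z_p = <g> condition from the exchange table; `discrete_log_table` computes by brute force the log_3(x) over Z_17 values that the earlier plot shows (feasible only for toy p, which is the whole point of Diffie-Hellman); and `dh_exchange` reproduces steps 1 to 5. Function names are my own.

```python
def modpow(a: int, m: int, n: int) -> int:
    """a^m mod n by repeated squaring. With m = c_r ... c_1 c_0 in binary,
    a_0 = a and a_{i+1} = a_i^2 (mod n); the result is the product of the
    a_i for which c_i = 1. Runs in O(log m) multiplications."""
    result, a_i = 1, a % n
    while m > 0:
        if m & 1:                    # bit c_i is set: multiply a_i in
            result = (result * a_i) % n
        a_i = (a_i * a_i) % n        # a_{i+1} = a_i^2 (mod n)
        m >>= 1
    return result


def is_generator(g: int, p: int) -> bool:
    """True if Z_p^* = <g>: the powers g^1 .. g^(p-1) hit every nonzero residue."""
    return len({modpow(g, k, p) for k in range(1, p)}) == p - 1


def discrete_log_table(g: int, p: int) -> dict:
    """{x: log_g(x)} for x in Z_p^*, by trying every exponent (brute force)."""
    return {modpow(g, k, p): k for k in range(1, p)}


def dh_exchange(p: int, g: int, a: int, b: int) -> tuple:
    """Steps 2 to 5 of the exchange: returns (A, B, s_alice, s_bob)."""
    if not is_generator(g, p):
        raise ValueError("g does not generate Z_p")
    A = modpow(g, a, p)          # Alice sends A
    B = modpow(g, b, p)          # Bob sends B
    return A, B, modpow(B, a, p), modpow(A, b, p)


if __name__ == "__main__":
    print(dh_exchange(23, 5, 8, 15))        # (16, 19, 9, 9)
    print(discrete_log_table(3, 17))
```

With real parameters p is thousands of bits long and `discrete_log_table` is hopeless, while `modpow` still needs only a few thousand multiplications: that asymmetry is what the shared secret rests on.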
DH only resists passive adversaries.
A passive attack is one in which the intruder eavesdrops but does not modify the message stream in any way.
An active attack is one in which the intruder may:
- transmit messages
- replay old messages
- modify messages in transit
- delete selected messages from the wire
A typical active attack is one in which an intruder impersonates one end of the conversation, or acts as a man-in-the-middle. This attack motivates the need for authentication.