Cryptography for architect and engineers
-
Upload
jasmeet-chhabra -
Category
Technology
-
view
323 -
download
2
description
Transcript of Cryptography for architect and engineers
![Page 1: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/1.jpg)
1
Cryptography for architects and engineers
Jasmeet Chhabra
![Page 2: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/2.jpg)
2
Introducing Alice, Bob and Eve
Alice Bob
Eve
Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?
![Page 3: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/3.jpg)
3
Alice has heard of Encryption
Alice Bob
Eve
c = E(K, c)
c
m = D(K, c)
![Page 4: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/4.jpg)
4
Alice searches the Internet and finds that AES seems to be the standard
![Page 5: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/5.jpg)
5
What is AES? • AES is a block cipher
• Block Ciphers: Work on fixed blocks of data
• Current commonly used block ciphers use 128 bit blocks
Visualizing Ideal Block Cipher
128 bits
1011….000000…000000000….110000…00001
1001….001111….11101100….111111….1111
Randomly mapped lookup table of size 2 ^128
128 bitsInput OutputRandom
mapping
![Page 6: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/6.jpg)
6
What does AES do?
Single Round of AES
Round Key XOR Data
Fixed lookup table mapping
Shift each byte by fixed offset
Mixed with a linear transformation function
Repeat for 10-14 rounds depending on size of key.
![Page 7: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/7.jpg)
7
Quick Note: Kerckhoff’s principal
• The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
Why?
• Algorithms are hard to change
• It is difficult to get cryptographic algorithms right and it is better to publish it for analysis.
![Page 8: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/8.jpg)
8
Alice decides to use AES encryption
Alice Bob
Eve
c = E(K, c)
c
m = D(K, c)
Buy INTC 50 90 shares
Block
Buyw INTC 5698 9e44 shar
Each block ci = E(K, mi) ECB Mode
![Page 9: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/9.jpg)
9
But Eve is clever. She changes the message in following way
Buy INTC 50 90 shares
Block
Buyw INTC 56989e44 shar
Each block ci = E(Ke, mi) ECB Mode
Eve Swaps these blocks
Alice Sends following
Buy INTC 90 50 shares
Eve receives followingEach block mi = D(Ke, ci)
![Page 10: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/10.jpg)
10
AES Electronic Code book (ECB) mode issues
• Blocks can be swapped
• Patterns can be detected
Original image Encrypted image
AES ECB mode
![Page 11: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/11.jpg)
11
Quick Note : Padding
• Block ciphers work on messages that are multiple of block size• If message is not a multiple of block size, padding is
required
• Two common padding schemes:• Append 128 and then as many 0s as needed to make
message a multiple of block size
• Determine number of bytes required n > 0 to make it a multiple of block size. Add n bytes, each with value n
DD DD DD DD DD DD DD DDDD DD DD DD 80 00 00 00
DD DD DD DD DD DD DD DDDD DD DD DD 04 04 04 04
DD DD DD DD DD DD DD DD08 08 08 08 08 08 08 08
![Page 12: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/12.jpg)
12
Alice looked up other block cipher modes
She likes two :
• CBC
• CTR
Let us look at both
![Page 13: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/13.jpg)
13
Quick Note: IV
• Initialization vector: Used in block ciphers as an input along with the key• Fixed IV : IV that doesn’t change
• Counter IV: IV=0 for first message, IV = 1 for second etc.
• Random IV: Large random number as IV for each message
• Nonce-Generated IV: “Number used once” per key• Message numbers• Random number + message number
![Page 14: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/14.jpg)
14
Quick XOR ⊕ refresher
• 1 ⊕ 0 = 0 ⊕ 1 = 1
• 0 ⊕ 0 = 1 ⊕ 1 = 0
• A ⊕ 0 = A
• A ⊕ A = 0
• A ⊕ A ⊕ A= A
![Page 15: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/15.jpg)
15
CBC : Cipher Block Chaining (Encryption)
Block Cipher
Encryption
Plaintext
IV
Key
CipherText
Block Cipher
Plaintext
IV
Key
CipherText
Ci = Ek(Pi C⊕ i-1) , C0 = IV
![Page 16: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/16.jpg)
16
CBC : Cipher Block Chaining (Decryption)
Block Cipher
Ciphertext
IV
Key
Plaintext
Block Cipher
Ciphertext
IV
Key
Plaintext
Pi = Dk(Ci) C⊕ i-1, C0 = IV
![Page 17: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/17.jpg)
17
CBC: Which IV to use?
• Fixed IV: What if two messages start with the same plaintext block?
• Counter IV: If first block of messages have simple difference, the XOR with a counter may cancel them out.
• Random IV : Good. But requires a random number to be sent
• Nonce IV: Good. Use a smaller random number + counter.
![Page 18: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/18.jpg)
18
CTR: Counter mode (Encryption)
Block Cipher
Encryption
F45a34……. 000000
Key
CipherText
Ki = E(K, Nonce || i) for i=1,….,kCi = Pi K⊕ i
Nonce Counter
Plaintext
Block Cipher
Encryption
F45a34……. 000001
Key
CipherText
Nonce Counter
Plaintext
![Page 19: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/19.jpg)
19
CTR: Counter mode (Decryption)
Block Cipher
Encryption
F45a34……. 000000
Key
Plaintext
Ki = E(K, Nonce || i) for i=1,….,kCi = Pi K⊕ i
Nonce Counter
Plaintext
CipherText
Block Cipher
Encryption
F45a34……. 000001
Key
Plaintext
Nonce Counter
Plaintext
CipherText
![Page 20: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/20.jpg)
20
AES CTR
• Counter = Nonce || i
• If ever the counter is repeated.
• Cx ⊕ Cy = E(K,counter) ⊕ Px ⊕ E(K,counter) ⊕ Py
• i.e. Cx ⊕ Cy = Px ⊕ Py
• Never Ever repeat counter with same key
![Page 21: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/21.jpg)
21
CTR Advantages
• Random access is possible.
• Both encryption and decryption can be parallelized.
• Needs only encryption implementation
![Page 22: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/22.jpg)
22
Alice decides to use AES CTR encryption
Alice Bob
Eve
c = E(Ke, Nonce||i) ⊕ Pi
c
m = E(KeNonce || i) ⊕ Ci
Buy INTC 50 90 shares
Block
Buyw INTC 5698 9e44 shar
Each block ci = E(Ke, Nonce||i) ⊕ Pi
ECB Mode
![Page 23: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/23.jpg)
23
Eve is clever
• Sends using CTR.
• She changes the first block by performing a XOR with (Buy ⊕ Sell)
• So first block becomes:
• c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
• i.e. c = E(Ke, Nonce||1) ⊕ Sell
• So, Bob gets:
Sell INTC 50 90 shares
![Page 24: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/24.jpg)
24
Break/Recap
![Page 25: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/25.jpg)
25
Alice figures she needs something to protect this message
• Her goal this time is to ensure that Eve can’t change the message.
• Doesn’t care about confidentiality (to keep things simple)
• She looks up hash functions
![Page 26: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/26.jpg)
26
What is a hash function?
Ideal Hash Function
Arbitrary length input
Fixed length output
• Random mapping• Same output for same input
![Page 27: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/27.jpg)
27
Defining security of hash functions
• Pre-image resistance:• Given a hash h it should be difficult to find any
message m such that h = hash(m).
• Second pre-image resistance• Given an input m1 it should be difficult to find another
input m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
• Collision resistance• It should be difficult to find two different messages m1
and m2 such that hash(m1) = hash(m2).
![Page 28: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/28.jpg)
28
Standard hash functions
• MD5 : Don’t use
• SHA1 : Avoid. Not recommended for usage. Only use if system gives you no other choice.
• SHA2 : Use this.
• SHA3 (not finalized)
• One of the properties (bug ?) of the hash functions above is that• If m = m1, m2
• H(m) = h(h(m1),m2)
• This is called the length extension issue
![Page 29: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/29.jpg)
29
Alice is now confident
• She decides to use SHA-2 hash
• Assume: • Alice and Bob share a secret key K just like Encryption
![Page 30: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/30.jpg)
30
Alice decides to use SHA-2
Alice Bob
Eve
Buy INTC 50 SHA2(K|| Data)
K is the secret
![Page 31: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/31.jpg)
31
As usual Eve is clever
• Eve computes• Sha2( SHA2 ( K||Data), 90)
• Also, changes the message to
Buy INTC 50 Sha2( SHA2 ( K||Data), 90)90
![Page 32: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/32.jpg)
32
How to fix this?
• Use HMAC
• HMAC (K,m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))• opad is the outer padding (0x5c5c5c…5c5c, one-
block-long hexadecimal constant),
• ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
Other MACs are available, but this is the most commonly recommended
![Page 33: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/33.jpg)
33
Horton Principle
• "Authenticate what is being meant, not what is being said”
• Suppose you had two messages to send. • M1 & M2
• You just send M1||M2|| HMAC(M1||M2)
• What happens?
![Page 34: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/34.jpg)
34
M1 = “Rachael Ray finds inspiration is cooking”M2= “ her family and her dog”
![Page 35: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/35.jpg)
35
Lesson: Always structure your message to be unambiguous and then MAC the whole thing• For example Send:• {
message1_length= aa;message1=“M1”;message2_length=bb; message2=“M2”;} HMAC ({….})
"Authenticate what is being meant, not what is being said”
![Page 36: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/36.jpg)
36
Alternative MAC 1: CBC-MAC
• CBC-MAC: Use CBC with IV=0 and return the last block as the MAC
• H0 = IV. IV Should be fixed. Generally 0.
• Hi = E(K, Pi⊕ Hi-1)
• MAC = Hk
• Why IV= 0?
• CBC-MAC is good and secure, but suffers from certain types on collision attacks.
• So, use CMAC.
![Page 37: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/37.jpg)
37
Alternative MAC2 : CMAC
• Same as CBC-MAC, except the way last block is handled
• Generate two keys k1 & k2 from the MAC key k
• Calculate MAC using CBC-MAC except for last block.
• Change the last block (mn′) to following before applying CBC-MAC
• If mn′ is a complete block
• mn = k1 ⊕ mn′
• else mn = k2 ⊕ (mn′∥ 10…02).
![Page 38: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/38.jpg)
Secure Channel
![Page 39: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/39.jpg)
39
Alice wants the following
• Eve shouldn’t learn anything about the messages except for the timing and size
• Bob should only get proper messages and is able to figure out the correct order.• Duplicates are detected
• Message modifications are detected
• By now you have probably guessed that this can be achieved by combination of Encryption and Authentication
![Page 40: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/40.jpg)
40
Authentication and Encryption
Three possibilities:
1. MAC then encrypt all including MAC
2. Encrypt and then MAC the encrypted message
3. Encrypt and MAC the plaintext message
• Which one to use?
![Page 41: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/41.jpg)
41
Encrypt and MAC the plaintext message
• Not recommended as any weakness in MAC will leak info about the message.
![Page 42: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/42.jpg)
42
MAC and then encrypt the whole message including MAC
• Eve only gets to see ciphertext and encrypted MAC
• Much harder to attack MAC
• This is fine to use.• Potential timing attacks with padding (TLS Lucky 13
attack)
![Page 43: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/43.jpg)
43
Encrypt and then MAC the encrypted message
• Can drop invalid message fast without decryption
• Is not in fully line with Horton’s principal• There may be ambiguity
• This is good to use• We will use this and add authenticated headers for
removing ambiguity
![Page 44: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/44.jpg)
44
Secure Channel : Generate Keys
• KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
• KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
• KEYSENDAUTH ← HMAC-SHA2(K,"Auth Alice to Bob")
• KEYRECAUTH ← HMAC-SHA2(K,"Auth Bob to Alice")
• Swap Encryption & Decryption key if message is from Bob to Alice
![Page 45: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/45.jpg)
45
Message counters
• Two message counters
• Cab = Alice-to-Bob Message counter
• Cba =Bob-to-Alice message counter
• Both Alice and Bob store state of both counters
• Initialize both to 0.
![Page 46: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/46.jpg)
46
Alice sending message to Bob
• We will only go through this direction
• Bob to Alice is identical
![Page 47: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/47.jpg)
47
Choosing CTR counter
• It is recommended that number of blocks encrypted with an AES 128 bit key < 264-1
• This is because after 264 block you will be able to distinguish from random
• To ensure that, we use counter for message sent from Alice to Bob never repeats and number of blocks encrypted < 264
• Counter = (Cab || i) for the ith block in this particular message.
• Ensure that Cab < 232 -1
• Ensure that length(m) < 232 -1 * block_size
![Page 48: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/48.jpg)
48
Alice Sending a message• Ensure that Cab < 232 -1
• Increment Cab
• Ensure that length(m) < (232 -1) * block_size
• Use Counter = (Cab || i) for the ith block for AES-CTR
Version CabLength
Header Encrypted message HMAC-SHA2
TypeMessage
![Page 49: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/49.jpg)
49
Bob: Receiving a message• Ensure that Cab > Last received Cab
• Check HMAC of the message• Drop if it does not match
• Store Cab. Check Version.
• Decrypt using AES CTR
• Counter = (Cab || i) for the ith block
• Check type and process accordingly.
Version CabLength
Header Encrypted message HMAC-SHA2
TypeMessage
![Page 50: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/50.jpg)
Exchanging keys
![Page 51: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/51.jpg)
51
How to exchange key K?
![Page 52: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/52.jpg)
52
General idea of key exchange
![Page 53: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/53.jpg)
53
Mod p operations
• 9 mod 7 = 2• Remainder left after division
• 9 = 7*1 +2
• 16 mod 7 = 2• 16 = 7*2 + 2
![Page 54: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/54.jpg)
54
Basic Diffie-Hellman Key exchange
Alice Bob
gx
gy
K = (gy)x K = (gx)y
![Page 55: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/55.jpg)
55
Other values
Pre-Known/Exchanged values:
• p,g,q (may be exchanged as part of the protocol)
• Always check:• p = Nq +1
• (gx)q = 1 mod p, g ≠ 1, gx ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is large enough prime (≥ 2048 bits)
![Page 56: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/56.jpg)
56
Man in the middle
Alice Alice
gx
Eve
gv
gy
gw
K = (gw)x K = (gv)yK1 = (gx)w
K1 = (gy)v
![Page 57: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/57.jpg)
57
So, how to exchange?
• Assume there is some way to authenticate messages.• We will see how to do that in Public/Private key
cryptography
• Authenticated DH Protocol
• First we will look at RSA Public Private Key cryptography
![Page 58: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/58.jpg)
Asymmetric (Public/Private Key) Cryptography
![Page 59: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/59.jpg)
59
Asymmetric (Public/Private) Cryptography
Alice Bob
Exchange public keys when they meet at a party
![Page 60: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/60.jpg)
60
Asymmetric (Public/Private) Cryptography : Signing
Alice Bob
Sign with Alice’s Private Key (Buy 20 shares of INTC)
Verify with Alice’s Public key and perform transaction
![Page 61: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/61.jpg)
61
Asymmetric (Public/Private) Cryptography : Encryption
Alice Bob
Encrypt with Bob’s Public Key (Secret message)
Decrypt with Bob’s Public key and read secret message
![Page 62: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/62.jpg)
62
RSA : key generation (1/2)• Generate two distinct large prime numbers p & q
• Calculate n = p *q
• Compute t = (p-1)(q-1) OR t = lcm (p-1,q-1)
• Choosing t like this implies • xt = 1 mod n
• xt+1 = x mod n
• Proof by authority
![Page 63: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/63.jpg)
63
RSA : key generation (2/2)• Choosing t like this implies xkt+1 = x mod n• Proof by authority
• Choose ed = 1 mod t , i.e. ed = t + 1• Common e value is 216 + 1 = 65,537
• Public Key : n,e
• Private Key : n, d
![Page 64: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/64.jpg)
64
Example RSA key generation
• p = 61 and q = 53
• n = 61*53 = 3233
• t = (p-1)(q-1) = (61-1)(53-1) = 3120
• Let e = 17. Then solving for ed = 1 mod t• d = 2753• 2753*17 = 15*3120 +1• 46801 = 46800 + 1
![Page 65: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/65.jpg)
65
RSA encryption/ decryption
• c = me mod n
• m = cd mod n• X = (me)d mod n
• We know ed = kt +1
• X = mkt+1 mod n
• Or X = (mt)k* m mod n
• We also know, for any x: xt = 1 mod n
• So X = (1)k* m mod n = m
• Hence we can decrypt
![Page 66: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/66.jpg)
66
RSA encryption/ decryption example
• Let m = 65. Then using previous e = 17,d=2753, n=3233
• c = 6517 (mod 3233) = 2790
• m = 27902753 (mod 3233) = 65
![Page 67: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/67.jpg)
67
RSA: why not to sign/encrypt data directly
• If you sign m1 and m2
• m1d (mod n)
• m2d (mod n)
• Attacker can compute m3d (mod n) = m1
d * m2d
(mod n)
![Page 68: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/68.jpg)
68
What is recommended?
• Use one of the standards for signing and encryption• Signing: RSA-PSS (RSA –Probabilistic signature
scheme)
• Encryption: RSA-OAEP (RSA-Optimal asymmetric encryption protocol)
• Don’t use same key for encryption and signing• Attacker may be able to exploit decryption (public key)
for getting signatures (private key) from you or other way around
• Encryption keys and signing keys generally have different lifetimes
![Page 69: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/69.jpg)
69
Elliptic curve cryptography
![Page 70: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/70.jpg)
70
Elliptic curve example : y2 = x3+ ax + b
![Page 71: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/71.jpg)
71
Point addition on curve: A+B
A
B
A+B
![Page 72: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/72.jpg)
72
Point inverse: A+B
P
-P
![Page 73: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/73.jpg)
73
What about P+P
P
2P = P + P
![Page 74: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/74.jpg)
74
Elliptic curve discrete logarithm problem• With a curve of form y2 = x3+ ax + b mod p, where
p is a large prime and operation point addition +• P + P +…+ P = dP = T
• Given dP and P, it should be hard to compute d.• d is kept secret like a private key
• Intuitively: P+P+P… for very large d (>160 bits)
Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
![Page 75: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/75.jpg)
75
Example of ECC usage: ECDH (simplified)
Alice Bob
Given a prime p, a suitable elliptic curve E and a point P=(xP,yP)
Choose kPrA= a {2, 3,…, #E-1}
Compute kPubA= A = aP = (xA,yA)
Choose kPrB= b {2, 3,…, #E-1}
Compute kPubB= B = bP = (xB,yB)
A
B
Compute aB = Tab
Compute bA = Tab
• One of the coordinates of the point TAB (usually the x-coordinate) can be used as session key (often after applying a hash function)
![Page 76: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/76.jpg)
76
Elliptic curve summary
• Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem.
• ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160-256 bits) vs (1024-3072 bits)
• ECC can be used for key exchange, signatures and encryption
• ECC generally has performance advantage over RSA
![Page 77: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/77.jpg)
77
Diffie-Hellman
![Page 78: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/78.jpg)
78
Why DH Protocol?
• Lot of time security cert only supports signing
• Perfect Forward Security• Even if you find my private keys later you can not
decrypt my communication
![Page 79: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/79.jpg)
79
Reminder: Basic Diffie-Hellman Key exchange
Alice Alice
gx
gy
K = (gy)x K = (gx)y
![Page 80: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/80.jpg)
80
Reminder DH
Pre-Known/Exchanged values:
• p,g,q (may be exchanged as part of the protocol)
• Always check:• p = Nq +1
• (gx)q = 1 mod p, g ≠ 1, gx ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is large enough prime (≥ 2048 bits)
![Page 81: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/81.jpg)
81
Attempt 1: Authenticated DH
Alice Bob
A, gx
B, gy, SigB(gx, gy)
SigA(gx, gy)
Any issues?
![Page 82: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/82.jpg)
82
Identity misbinding attack on DH
Alice Bob
A, gx
B, gy, SigB(gx, gy)
SigA(gx, gy)
E doesn’t know K = gxy , but B thinks that anything coming from A is coming from E
Eve
E, gx
B, gy, SigB(gx, gy)
SigE(gx, gy)
![Page 83: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/83.jpg)
83
Authenticated DH
Alice Bob
A, gx
B, gy, SigB(gx, gy, A)
SigA(gx, gy, B)
![Page 84: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/84.jpg)
84
Limitations
• Both parties need to know each other’s identity before they can authenticate
• Leaves a signed proof of communication (signing peer’s identity)
• Sigma solves these issues
![Page 85: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/85.jpg)
85
Sigma Basic version
Alice Bob
gx
B, gy, SigB(gx, gy), MacKm(B)
A, SigA(gx, gy), MacKm(A)
• Km is derived from gxy • Does not require knowing peer’ id for own auth• Adds deniability
Alice Bob
A, gx
B, gy, SigB(gx, gy, A)
A, SigA(gx, gy, B),
Authenticated DH
![Page 86: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/86.jpg)
86
Sigma-I: Active protection of Initiator’s ID
Alice Bob
gx
gy, {B, SigB(gx, gy), MACKm(B)} Ke
{A, SigA(gx, gy), MACKm(A)}Ke
• Km and Ke are derived from gxy • Initiator’s id is protected and not revealed except to
an authenticated party
![Page 87: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/87.jpg)
87
Sigma-R: Active protection of Responder’s ID
Alice Bob
gx
{A, SigA(gx, gy), MACKm(A)} Ke
{B,SigA(gx, gy), MACKm’(B)}Ke’
• Km and Ke are derived from gxy • Responder’s ID is not revealed until initiator's is
revealed
gy
![Page 88: Cryptography for architect and engineers](https://reader036.fdocuments.net/reader036/viewer/2022062513/55746d72d8b42a146f8b53fb/html5/thumbnails/88.jpg)
88
Next Part• EPID based Sigma key exchange
• PKI : Public key infrastructure
• Why random numbers are important?
• Clocks and monotonic counters
• Storing secrets
• Analysis of common protocols• TLS
• Sigma key exchange
• IKE and IPSEC