Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example...
Transcript of Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example...
![Page 1: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/1.jpg)
Introduction 2018–01–24 1/27
Introduction to cryptology (GBIN8U16)]
Introduction
Pierre [email protected]
https://www-ljk.imag.fr/membres/Pierre.Karpman/tea.html
2018–01–24
![Page 2: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/2.jpg)
Introduction 2018–01–24 2/27
First things first
Main goals of this course:
▸ Motivate the field (why is cryptography useful?)
▸ Introduce some constructions (what’s a block cipher, a keyexchange?...)
▸ Introduce some attacks (how do yo compute a discretelogarithm?...)
▸ Introduce some implementation aspects (how do you do finitefield arithmetic?...)
▸ Introduce some real-life usage (e.g. SSH)
![Page 3: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/3.jpg)
Introduction 2018–01–24 3/27
Organisation
There will be:
▸ Lectures (such as this one)
▸ Tutorial sessions
▸ Practical/lab sessions and/or homework
▸ A controle continu evaluation (lab session/homework, detailsT.B.D.)
▸ A final exam (ditto)
![Page 4: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/4.jpg)
Introduction 2018–01–24 4/27
What’s crypto?
Quick answer: it’s about protecting secret data from adversaries
▸ In a communication (encrypted email, text messages; on theweb; when paying by credit card)
▸ On a device (encrypted hard-drive)
▸ During a computation (online voting)
▸ Etc.
![Page 5: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/5.jpg)
Introduction 2018–01–24 5/27
Where does crypto run?
Crypto needs on various platforms
▸ High-end CPUs (Server/Desktop/Laptop computers,...)
▸ Mobile processors (Phones,...)
▸ Microcontrollers (Smartcards,...)
▸ Dedicated hardware (accelerating coprocessors, cheapchips,...)
![Page 6: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/6.jpg)
Introduction 2018–01–24 6/27
Techno constraints
Varying contexts, varying requirements
▸ Speed (throughput)
▸ Speed (latency)
▸ Code/circuit size
▸ Energy/power consumption
▸ Protection v. physical attacks
⇒ Implementation plays a big part in crypto
![Page 7: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/7.jpg)
Introduction 2018–01–24 7/27
Quick example
A protocol (e.g. TLS) uses among others
▸ A key exchange algorithm (e.g. Diffie-Hellman)— “public-key” cryptography
▸ instantiated with a secure group (e.g. ANSSI FRP256V1)
▸ An authenticated-encryption mode of operation (e.g. GCM)— “symmetric-key” cryptography
▸ instantiated with a secure block cipher (e.g. the AES)
▸ A digital signature algorithm (e.g. ECDSA)— “public-key” + “symmetric-key” cryptography
▸ instantiated with a secure group and a secure hash function(e.g. SHA-3)
![Page 8: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/8.jpg)
Introduction 2018–01–24 8/27
Protocols can be complex
ClientHello
ServerHello(v, kx, rid )
(full handshake)kx = PSK|RSA PSK|DHE PSK|SRP|SRP RSA
ServerCertificate
ServerKeyExchange
ServerHelloDone
ClientKeyExchange
ClientCCS
ClientFinished
ServerNewSessionTicket
ServerCCS
ServerFinished
ApplicationData∗
ntick = 1
kx = SRP RSA∥ chint = 1
kx = RSA PSK|SRP RSA
(full handshake)kx = DH|DH anon|ECDH|ECDH anon
ServerCertificate
ServerKeyExchange
(authenticate client?)
CertificateRequest
ServerHelloDone
ClientCertificate(coffer )
ClientKeyExchange
ClientCertificateVerify
ClientCCS
ClientFinished
ServerNewSessionTicket
ServerCCS
ServerFinished
ApplicationData∗
ntick = 1
cask = 1 &coffer = 1
coffer = 1
cask = 1
cask = 1 &kx = DH|ECDH
(full handshake)kx = RSA|DHE|ECDHE|RSA EXPORT|DHE EXPORT
ServerCertificate
ServerKeyExchange
(authenticate client?)
CertificateRequest
ServerHelloDone
ClientCertificate(coffer )
ClientKeyExchange
ClientCertificateVerify
ClientCCS
ClientFinished
ServerNewSessionTicket
ServerCCS
ServerFinished
ApplicationData∗
ntick = 1
cask = 1 &coffer = 1
cask = 1
cask = 1
kx = DHE|ECDHE|RSA EXPORT|DHE EXPORT
(abbreviated handshake)
ServerNewSessionTicket
ServerCCS
ServerFinished
ClientCCS
ClientFinished
ApplicationData∗
ntick = 1
rid = 1∥rtick = 1
rid = 0 & rtick = 0
rid = 0 & rtick = 0
ntick = 0
kx = RSA
cask = 0
cask = 0
cask = 0 ∥coffer = 0
ntick = 0
kx = DH anon|ECDH anon
kx = DH|ECDH
coffer = 2
cask = 0 ∥kx = DH anon|
ECDH anon
cask = 0
cask = 0 ∥coffer = 0
ntick = 0
kx= SRP|DHE PSK∥(kx = PSK &
chint = 1)kx = PSK& chint = 0kx = RSA PSK
& chint = 0
ntick = 0
Fig.9.M
essagesequences
forthe
ciphersuitescom
monly
enabledin
OpenSSL
552
552
Figure: Part of the TLS state machine, Beurdouche et al., 2015
![Page 9: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/9.jpg)
Introduction 2018–01–24 9/27
“Doing crypto”
▸ Designing new primitives/constructions(/protocols)
▸ Analysing existing primitives/...
▸ Deploying crypto in products
▸ Different goals, different techniques▸ Ad-hoc analysis, discrete mathematics, algorithmics▸ Computational number theory/algebraic geometry▸ Low-level implementation (assembly, hardware)▸ Formal methods▸ Following “good practice”
![Page 10: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/10.jpg)
Introduction 2018–01–24 10/27
Scope of an analysis
Many types of adversary
▸ Passive (“eavesdropper = Eve”)
▸ Not passive, i.e. active▸ With or w/o physical access
▸ Side channels▸ Fault attacks
▸ With varying scenarios (“one-time” or long-term secret?)
▸ With varying objectives
![Page 11: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/11.jpg)
Introduction 2018–01–24 11/27
Security objectives?
![Page 12: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/12.jpg)
Introduction 2018–01–24 11/27
Security objectives?
▸ Hard to find the secret (the key)
▸ Hard to find the message (confidentiality)
▸ Hard to change/forge a message (integrity/authenticity)
▸ Etc.
![Page 13: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/13.jpg)
Introduction 2018–01–24 12/27
Small informal focus
Example: indistiguishability (IND-CPA)
1 Submit messages to an oracle O to be encrypted, & get theresult
2 Choose, m0, m1, send both to O
3 Receive O(mb) for a random b ∈ {0,1}4 Goal: determine the value of b (better than by guessing)
▸ O has to be randomized
![Page 14: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/14.jpg)
Introduction 2018–01–24 13/27
A code that’s not IND-CPA
Figure: Calvin & Hobbes’ code (Watterson)
![Page 15: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/15.jpg)
Introduction 2018–01–24 14/27
Randomness is key in crypto
Random numbers always needed
▸ To generate keys
▸ To generate initialization vectors (IVs) or nonces
▸ To generate random masks (to protect against some attacks)
▸ Etc.
![Page 16: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/16.jpg)
Introduction 2018–01–24 15/27
Random number generation is not easy
Lead to severe vulnerabilities, several times. For instance:
▸ Debian’s OpenSSL key generation (2006–2008)
▸ WWW RSA private keys with shared factors (Lenstra et al.,2012)
▸ Smartcard RSA w/ biased private keys (Bernstein et al., 2013)
▸ Smartcard RSA w/ biased private keys (Nemec et al., 2017)
![Page 17: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/17.jpg)
Introduction 2018–01–24 16/27
How not to generate random numbers
Figure: XKCD’s PRNG (Munroe)
![Page 18: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/18.jpg)
Introduction 2018–01–24 16/27
How not to generate random numbers
Figure: Dilbert’s PRNG (Adams)
Terrible Kolmogorov complexity!
![Page 19: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/19.jpg)
Introduction 2018–01–24 17/27
How to generate them, then?
A basic idea (e.g. /dev/random)
▸ Set up a “random” state (from e.g. physical sources)
▸ Refresh it continuously as randomness comes by
▸ Extract and refresh when outputs are needed
![Page 20: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/20.jpg)
Introduction 2018–01–24 18/27
Random numbers are all you need?
A “perfect” encryption scheme, the one-time pad
1 Let the message m be in {0,1}n, n maybe large (say, 240)
2 Let the key k be$←Ð {0,1}n
3 The ciphertext c = m ⊕ k
▸ Knowing c does not give information about m (see sketch inTD)
Problems:
▸ Integrity not guaranteed
▸ Needs very large keys
▸ Needs “perfect” randomness too!
![Page 21: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/21.jpg)
Introduction 2018–01–24 19/27
A concrete alternative: stream ciphers
1 Let the message m be in {0,1}n, n maybe large (say, 240)
2 Let the key (secret) k be$←Ð {0,1}κ, κ small (say 128)
3 Let the IV (public) i be$←Ð {0,1}ν , ν small (say 128)
4 Let E ∶ {0,1}κ × {0,1}ν → {0,1}∗ be a stream cipher
5 The ciphertext c = m ⊕ ⌊E(k , i)⌋nAdvantages
▸ Small key, IV (Q: Why is an IV needed??)
“Problems”
▸ Still no integrity
▸ Not “perfect”
![Page 22: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/22.jpg)
Introduction 2018–01–24 20/27
Some stream ciphers
▸ RC4 (simple, quite broken)
▸ E0 (original Bluetooth cipher, broken)
▸ Snow 3G, ZUC (in mobile phones)
▸ Trivium (small and beautiful)
▸ Chacha (trendy)
▸ AES in counter mode (easy)
▸ Examples of symmetric (-key) cryptography
▸ Examples of (cryptographically secure) pseudo-randomnumber generators (PRNG)
Not stream ciphers
▸ random (3)
▸ MersenneTwister
![Page 23: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/23.jpg)
Introduction 2018–01–24 21/27
Other symmetric primitives
▸ Block ciphers (encrypt “blocks”), e.g. AES
▸ Message authentication codes (MACs, check authenticity),e.g. {A,B,C,D,E,F,G,H,I,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Z}MAC
▸ Hash functions (securely compress long messages to shortdigests), e.g. SHA-3
Also need, say, mode of operations (to get e.g. IND-CPA)
![Page 24: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/24.jpg)
Introduction 2018–01–24 22/27
Complementary primitives: public-key cryptography
Not all primitives need a single secret key. One can also have
▸ Trapdoor permutations (easy to encrypt, hard to decrypt w/othe trapdoor), e.g. RSA
▸ Public key exchange, e.g. Diffie-Hellman
▸ Signatures, e.g. DSA
![Page 25: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/25.jpg)
Introduction 2018–01–24 23/27
Assumptions
Public-key schemes depend on “cryptographic assumptions” (=hardness of some problems), e.g:
▸ Factorization of large numbers (¬PQ)
▸ Computation discrete logarithms in F∗q, E(Fq), ... (¬PQ)
▸ Syndrome decoding a random error-correcting code (PQ)
▸ Finding a short vector in a lattice (PQ)
▸ Solving a quadratic system of equations (PQ)
▸ Inverting hash functions (PQ)
▸ Etc.
Note: Assumptions can be attacked!
![Page 26: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/26.jpg)
Introduction 2018–01–24 24/27
Keys: secret, private, public...
What are crypto keys like?
▸ Stream/Block cipher: a binary string
▸ Hash functions: ∅▸ RSA: a prime number (secret), an integer (public)
▸ Diffie-Hellman: an integer (secret), a group element (public)
▸ Code-based: a (generating) matrix (of a code) (one secret,one public)
▸ Etc.
![Page 27: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/27.jpg)
Introduction 2018–01–24 25/27
Secrets large and small
What should the secret/public key size be (in bits)?
▸ Stream ciphers?
▸ Block ciphers?
▸ RSA?
▸ Diffie-Hellman (well-chosen F∗q)?
▸ Diffie-Hellman (well-chosen E(Fq))?
▸ Code-based (McEliece, Binary Goppa codes)?
![Page 28: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/28.jpg)
Introduction 2018–01–24 25/27
Secrets large and small
What should the secret/public key size be (in bits)?
▸ Stream ciphers: e.g. 128 bits (+ a large (e.g. 128 bits) IVnecessary)
▸ Block ciphers: e.g. 128 bits
▸ RSA: e.g. 3072 bits
▸ Diffie-Hellman (well-chosen F∗q): e.g. 3072 bits
▸ Diffie-Hellman (well-chosen E(Fq)): e.g. 256 bits
▸ Code-based (McEliece, Binary Goppa codes)? e.g. 200 000bytes
![Page 29: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/29.jpg)
Introduction 2018–01–24 25/27
Secrets large and small
What should the secret/public key size be (in bits)?
⇒ Quite a complex matter! (Follow recommendations, e.g. fromANSSI!)
![Page 30: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/30.jpg)
Introduction 2018–01–24 26/27
What’s 128 bits anyway?
Objective: run a function 2128 times within 34 years (≈ 230
seconds), assuming:
▸ Hardware at 250 iterations/s (that’s pretty good)
▸ Trivially parallelizable (that’s not always the case in practice)
▸ 1000 W per device, no overhead (that’s pretty good)
⇒▸ 2128−50−30 ≈ 248 machines needed▸ ≈ 280 000 000 GW ’round the clock
▸ ≈ 170 000 000 EPR nuclear power plants
(Of course, technology may improve, but here’s quite a safemargin)
![Page 31: Introduction to cryptology (GBIN8U16) 93 Introduction · Introduction 2018{01{24 7/27 Quick example Aprotocol(e.g. TLS) uses among others L A key exchange algorithm (e.g. Di e-Hellman)](https://reader034.fdocuments.net/reader034/viewer/2022042310/5ed73c0fd37f9f58ca6a851d/html5/thumbnails/31.jpg)
Introduction 2018–01–24 27/27
That’s all for today
Next week:
▸ Finite fields primer
▸ Block ciphers: what, why, how?