Intro Crypto & Security
Dr. Jose L. Muñoz Tapia
Information Security Group (ISG)
Universitat Politècnica de Catalunya (UPC)

Symmetric-key Cryptography Concept

[Figure: clear text message m → Encrypt algorithm with key K → cipher text c = C(K, m) → Decrypt algorithm with the same key K → clear text m = D(K, C(K, m))]

• In many symmetric algorithms, the encryption algorithm “C” and the decryption algorithm “D” are identical.
• Their main drawback is that the two parties must somehow exchange the symmetric key in a secure way.
• This problem is relevant in large scenarios and is known as the “key distribution problem”.

Symmetric-key Cryptography Formally i

• Symmetric-key cryptography is sometimes also called secret-key cryptography.
• Symmetric-key encryption uses a single key K both to encrypt and to decrypt data.
• The sender and the recipient share the knowledge of a secret key that is used to encrypt and decrypt the messages exchanged between them.

Symmetric-key Cryptography Formally ii

• Formally:
  • The message m is encrypted by applying the symmetric algorithm C to m using the key K: c = C(K, m)
  • The secret message c is decrypted by applying the inverse algorithm D = C⁻¹ to the secret message c with the key K: m = D(K, c) = C⁻¹(K, c)

Confusion and Diffusion

• The cryptogram must be completely “dark” with respect to the statistical properties of the message in clear.
• For this purpose we use:
  • Diffusion: dissipates the statistical structure of the clear text over the cryptogram.
  • Confusion: makes the relationship between the cryptogram and the secret key as complicated as possible.

DES: Data Encryption Standard

• Symmetric block cipher developed by IBM in the early 1970s.
• Later slightly modified and standardized by the NSA.
• 56-bit symmetric key (64 bits including parity bits).
• Plaintext and ciphertext in blocks of 64 bits.
• Widely deployed algorithm, without known back doors.
• With current computing power, DES with a 56-bit key is broken by brute force in days.
Feistel Structure

[Figure: Feistel structure of DES]

Triple-DES

• Also a symmetric-key block cipher.
• Using the same encrypter, triple-DES consists of encrypting three times.
• Plaintext and ciphertext in blocks of 64 bits.
• Key sizes of 168, 112 or 56 bits, depending on the mode of operation:
  • Keying option 1: all three keys are independent.
  • Keying option 2: Ka and Kb are independent, Kc = Ka.
  • Keying option 3: all keys are identical, Ka = Kb = Kc.
  • There are other variants.
• Considered secure until 2030 by NIST.

AES: Advanced Encryption Standard

• “New” standard for symmetric block cryptography (Nov. 2001) to replace DES.
• Based on ideas similar to DES, but not the same algorithm.
• Optimized for encrypting in software.
• 128-bit data blocks.
• Variable key sizes of 128, 192, or 256 bits.

Cipher Modes Intro

• Block cipher algorithms (e.g. DES or AES) use fixed-length data blocks, for instance 64 or 128 bits.
• The way in which they manage these blocks is called the cipher mode.
• There are many cipher modes; this is just a brief summary of them.

Electronic Code Book Mode (ECB) i

• ECB is the most simplistic cipher mode.
• ECB breaks the message into equally-sized blocks and ciphers them separately.
• The last block should be padded before encrypting.
• Advantages: blocks can be ciphered in parallel, or accessed in random order.

Electronic Code Book Mode (ECB) ii

• Its disadvantages mean that ECB is barely used.
• Equal plaintext blocks always produce the same cipher block.

Electronic Code Book Mode (ECB) iii

• When ciphering images: [image comparison figure]
• Dictionary attacks (compare input with known outputs).
• An attacker can delete blocks without being noticed, or can capture these blocks to re-send them later.

Cipher Block Chaining Mode (CBC) i

• CBC divides the message into blocks.
• CBC uses XOR to combine the previous block with the current one.
• An initialization vector (IV) is used for the first block.
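As an added worked example (not from the slides): a toy Feistel block cipher, in the spirit of the DES structure above, driving the ECB and CBC modes just described. It shows the ECB leak the slides point out (identical plaintext blocks give identical cipher blocks) and that CBC's chaining with an IV hides it; the HMAC-based round function and the PKCS#7 padding are my choices, not anything the slides specify.

```python
import hashlib, hmac

BLOCK = 16  # 128-bit blocks, the size AES uses

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 4-round Feistel network (demo only, not secure): (L, R) -> (R, L xor F(K_i, R)); decryption reverses the rounds."""
    half = BLOCK // 2
    left, right = block[:half], block[half:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        k_i = hmac.new(key, bytes([i]), hashlib.sha256).digest()  # round key derived from K
        f = lambda x: hmac.new(k_i, x, hashlib.sha256).digest()[:half]  # round function F
        if decrypt:
            left, right = xor(right, f(left)), left
        else:
            left, right = right, xor(left, f(right))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: the last block is always padded
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    data = pad(plaintext)  # every block is ciphered independently of the others
    return b"".join(feistel_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, prev, out = pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = feistel_block(key, xor(data[i:i + BLOCK], prev))  # XOR with previous cipher block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    # each plaintext block needs only two adjacent cipher blocks, so this can run in parallel
    data = b"".join(xor(feistel_block(key, c, True), p) for p, c in zip([iv] + blocks, blocks))
    return data[:-data[-1]]  # strip the padding

def repeated_blocks(ciphertext: bytes) -> int:
    """Cipher blocks that repeat an earlier one: ECB's tell-tale leak, absent in CBC."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo():
    key, iv = b"\x01" * 16, b"\x00" * 16  # constructed key and IV
    msg = b"SAME BLOCK TEXT!" * 4  # four identical 16-byte plaintext blocks
    return repeated_blocks(ecb_encrypt(key, msg)), repeated_blocks(cbc_encrypt(key, iv, msg))
```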
Cipher Block Chaining Mode (CBC) ii

• To decipher the message, the same procedure is used but in the reverse order.
• Regarding the IV:
  • It must be random, but it can be known.
  • It should not be predictable, so attackers cannot select the plaintext to perform a dictionary attack.

Cipher Block Chaining Mode (CBC) iii

• Ciphering is sequential (it cannot be parallelized).
• An error in one bit of the plaintext or of the IV will affect all the following ciphertexts.
• The plaintext can be recovered using two adjacent ciphertext blocks.
  • As a consequence, deciphering can be parallelized.
• Deciphering with a wrong IV affects the first block, but not the following blocks.

Counter Mode (CTR or CM) i

• ECB and CBC are block ciphering modes, but CTR turns the block cipher into a stream cipher.
• A block cipher is used to obtain a pseudo-random stream called the keystream.
• This keystream is combined with the plaintext by means of XOR.
• To generate the keystream, a counter combined with a nonce is ciphered with ECB, and the counter is incremented.

Counter Mode (CTR or CM) ii

• The value of the counter could be known, but it is better to keep it secret.
• The value nonce+counter should be known by both ends of the communication.

Counter Mode (CTR or CM) iii

• Advantages of CTR:
  • Possibility of pre-calculating the keystream (and/or working in parallel).
  • Random access to the keystream.
  • Leaks very little information about the key.
• Drawbacks:
  • Reusing a counter with the same key can be a disaster, as the same keystream will be used.
  • Modifying bits of the plaintext is easy: modifying a bit in the ciphertext modifies the corresponding bit in the plaintext (bit-flipping attacks).
  • It is better to use this cipher mode in conjunction with an integrity protection mechanism.

Public Key Cryptography

• Symmetric cryptography:
  • The sender and receiver must share a secret before being able to establish a secure communication.
  • How do you do this if Alice and Bob have not had any prior contact?
• Public key cryptography:
  • The sender and receiver do not share a secret.
  • Each user has two keys:
    • One key is PUBLIC (it can be distributed).
    • The other is PRIVATE (to be kept secret).
  • One key is used for encryption and the other for decryption (asymmetric algorithm).
  • In some algorithms, both keys can be used for encryption and decryption, but with different purposes!

Conditions for a Public Key System

• Diffie and Hellman postulated the conditions that a public-key system must fulfill:
  1. It is computationally easy for a party B to generate a pair (public key KpuB, private key KprB).
  2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, m, to generate the corresponding ciphertext c = C(KpuB, m).
  3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: m = D(KprB, c) = D(KprB, C(KpuB, m)).
  4. It is computationally infeasible for an opponent, knowing the public key KpuB, to determine the private key KprB.
  5. It is computationally infeasible for an opponent, knowing the public key KpuB and a ciphertext c, to recover the original message m.

Public Key Cryptography Concept

[Figure: plaintext message m → Encrypt algorithm with Bob’s public key KpuB → ciphertext c = C(KpuB, m) → Decrypt algorithm with Bob’s private key KprB → plaintext m = D(KprB, C(KpuB, m))]

Uses of Public Key Cryptography i

PKC uses: fundamentally there are three uses: encryption, digital signature and key exchange.

• Encryption:
  • The sender A uses the public key KpuB of the receiver B to encrypt the message m: c = C(KpuB, m)
  • The receiver B uses its secret key KprB to decrypt the message: m = D(KprB, c) = D(KprB, C(KpuB, m))

Uses of Public Key Cryptography ii

• Digital signature:
  • A digital signature emulates a physical signature.
  • It generates a digital proof that only the creator / sender of the message can create, but that everyone can identify as belonging to the creator.
  • B wants to sign a message m, and to do so it encrypts it with his secret key KprB (only B can perform this): sig(m) = C(KprB, m)
  • Anyone can verify this signature by decrypting it with the public key KpuB of B (anyone can do this, as the key is public): m = D(KpuB, sig(m)) = D(KpuB, C(KprB, m))

Uses of Public Key Cryptography iii

• The encryption (signature) can be applied to the complete message or to a small block of data that is a function of the message.
• A digital signature provides integrity, authenticity and non-repudiation.
• Key exchange:
  • Asymmetric cryptography can be used to exchange a symmetric key.
  • This exchange may be performed in various ways, involving one or both of the private keys of sender and receiver.

Key Public Key Algorithms

• DH: Diffie-Hellman (1976)
  • Can only be used for key exchange.
  • Based on the discrete logarithm problem.
• RSA (Rivest, Shamir, Adleman) (1977)
  • The most famous and most used of all public key algorithms.
  • Based on number theory (factorization of large numbers into primes).
  • It allows performing the three functions.
• DSA: Digital Signature Algorithm (1991)
  • Only used to sign.
  • Based on the discrete logarithm problem.
• And many more, modern ones based on elliptic curves, lattices, etc.

Performance & Hybrid Cryptography

• Public key encryption is much more costly than symmetric encryption.
  • It can be even 1000 times more expensive in terms of CPU.
  • Keys must be larger to provide the same level of security (AES 128 bits, RSA 1024 bits).
• Solution: hybrid cryptography, which uses PKC to exchange or negotiate a symmetric session key.

Hash Functions

• Used in computer engineering for tasks such as efficient database searches.
  • Search for a postal address:
    • Avenue of the chapel, block 6, Rimac
  • Efficient search with a hash function:
    • Simple algorithm example for our hash function:
      • We use the ASCII code of each letter: a = 97, v = 118 ...
      • We add the ASCII codes of all the letters of the postal address. Ex. 49254.
      • Our hash will only go from 0 to 999, so we compute 49254 mod 1000 = 254.
      • The address hash is 254.
    • We look in the database for the entry with hash value 254.
  • Note that there may be collisions!!

Hash Functions & Security

[Figure: message m → H: hash function → H(m)]

• In security, we use non-invertible hash functions, also called One Way Hash Functions (OWHF).
• An OWHF is a function that takes a variable-length input (pre-image) and computes a fixed-length output string (usually smaller than the pre-image) called the hash value, digest or check value.
• Given the hash, it is computationally infeasible to find a message (pre-image) with that hash.
• In fact, one cannot determine any usable information about a message with that hash, not even a single bit.
• It is also computationally infeasible to determine two messages which produce the same hash.

One Way Hash Functions (OWHF)

• OWHFs are generally much faster than digital signatures.
• Typically the hash of the document is signed, instead of the whole document.
• A hash function H must have the following properties:
  1. H can be applied to a block of data of any size.
  2. H produces a fixed-length output.
  3. H(m) is relatively easy to compute for any given m.
  4. For any given digest d, it is computationally infeasible to find m such that H(m) = d.
  5. For any given message m, it is computationally infeasible to find another message m′ ≠ m with H(m′) = H(m).
  6. It is computationally infeasible to find any pair (m, m′) such that H(m) = H(m′).

Hash Algorithms

• MD5:
  • Published by Rivest in 1992, RFC 1321.
  • Summary of 128 bits.
  • The security of MD5 has been severely compromised, and its weaknesses have been exploited.
  • MD5 is considered cryptographically broken and unsuitable for further use.
• SHA-1:
  • US standard from NIST (FIPS PUB 180-1), 1993.
  • Summary of 160 bits.
  • No longer considered secure against well-funded opponents.
• Now others are recommended, the SHA-2 family:
  • NIST standard, 2001.
  • Summary of 224, 256, 384, or 512 bits.
  • SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

Message Authentication Code (MAC) and HMACs

• A message authentication code (MAC) is a short piece of information used to authenticate a message.
• Provides authenticity and integrity.
• It does not provide non-repudiation.
• Accepts as input a secret key and an arbitrary-length message to be authenticated.
• HMACs are MACs based on the use of a hash function.
• Produces a fixed-length output, called MAC (or HMAC when hash functions are used).

[Figure: the sender hashes M, processes the hash with the shared key K (block C) to obtain the MAC and sends M together with the MAC; the receiver repeats the computation with K and compares the two MACs (=?)]

Confidentiality and integrity

[Figure: Alice encrypts the message M with K2 (Enc → M′) and computes a MAC of the message with K1; Bob decrypts M′ with K2 (Dec), recomputes the MAC with K1 and compares (=?)]

Digital signature with hash

• Digital signature protocol with hash functions:
  • Alice calculates the hash of the message.
  • Alice encrypts the hash with her private key.
  • Alice sends the message and the encrypted hash to Bob.
  • Bob calculates the hash of the message and decrypts the signed hash using Alice’s public key. If both match, the signature is valid.

Verification of the digital signature

[Figure: Alice: Message → Hash() → digest → crypt() with Alice’s private key → signature; Message and Signature are sent to Bob. Bob: Message → Hash() → digest′; Signature → decrypt() with Alice’s public key → digest; if digest = digest′ → the signature is valid]

Key management problem

• Management of cryptographic keys in a cryptosystem.
• Including generation, exchange, storage, use, and replacement of keys.
• Key management is always a problem, for both symmetric and public key cryptography:
  • In symmetric crypto: how do we distribute symmetric keys?
  • In public key crypto: how do we distribute public keys?

Distribution of Symmetric Keys: Trivial Solution

• Trivial solution: if there are N users it is necessary to establish on the order of N² shared secret keys.
• N² is not scalable; how to do this on a shared network?
• We also need a secure channel to transmit these keys remotely.

[Figure: N users, N(N−1) relationships]

• The need for reliable intermediaries is observed.
• The trusted intermediary in the case of symmetric cryptography is called the Key Distribution Center (KDC).

Distribution of symmetric keys: with a KDC

• Alice and Bob need a shared symmetric key.
• The KDC shares a symmetric key with each registered user.
• Alice and Bob each know only their own symmetric key shared with the KDC.
• In this case, if there are N users, there are N shared keys.

[Figure: the KDC holds KA-KDC, KB-KDC, KX-KDC, ...; Alice holds KA-KDC and Bob holds KB-KDC]

A Protocol with KDC

How do you set up the symmetric key using the KDC?

• The simplest protocol is as follows:
  1. Alice → KDC: KA-KDC(A, B)
  2. The KDC creates Ks and replies to Alice: KA-KDC(Ks, KB-KDC(A, Ks))
  3. Alice → Bob: KB-KDC(A, Ks)
• Alice and Bob can communicate using Ks as symmetric key.

Kerberos

• Authentication protocol created by MIT.
• Follows the client/server model.
• Based on tickets: the KDC issues tickets of short duration so users can negotiate a session key.
• To include a new user, it is necessary to create a shared key between this newcomer and the KDC.
• The KDC must be completely trusted.
• The KDC can be a bottleneck or even a single point of failure.

Naïve Public Key Announcement

• Naïve way: Alice sends KpuA to Bob and Bob sends KpuB to Alice; then Alice sends C(KpuB, M1) and Bob sends C(KpuA, M2).
• Spoofing attack: Alice sends KpuA, but Trudy answers with her own key KpuT, presenting it as <<KpuB>>.

Man in the Middle Attack

• Trudy sends KpuT to Alice presenting it as <<KpuB>>, and KpuT to Bob presenting it as <<KpuA>>.
• Alice sends C(KpuT, M1); Trudy recovers M1, computes M1′ = f(M1) and forwards C(KpuB, M1′) to Bob.
• Bob sends C(KpuT, M2); Trudy recovers M2, computes M2′ = f(M2) and forwards C(KpuA, M2′) to Alice.

Digital Certificates i

• In this case the intermediary (TTP) is called the Certification Authority (CA).
[Figure: Alice asks the CA “Req? Bob”; the CA answers with C(KprCA, {Bob, KpuB}), Bob’s certificate]

• The CA signs the public keys it certifies along with the identity of the owner of each key.
• A certificate is a digital document that cryptographically links an identity with a public key.
• This binding is made by means of a digital signature.
• If we trust the CA, we can trust the certificates issued by this CA.

Digital Certificates ii

• Using certificates, Man-in-the-Middle attacks can be avoided in the distribution of public keys.
• We only have to trust one public key (the CA’s one)!!
• The CA distributes its public key by means of a self-signed certificate:
  • In this way the CA proves that it knows its private key, and the transport of the public key is done by means of a certificate (standard form).
  • Self-signed certificates are called root certificates (and the corresponding CA is called the root CA).
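Added example, not from the deck, for the KDC protocol slide, using the CTR mode of the counter-mode slides and the encrypt-then-MAC layout of the confidentiality-and-integrity slide as the K(...) primitive: the KDC holds one key per user and creates Ks, Bob can open the ticket with his own KDC key, and Alice cannot. HMAC-SHA256 stands in for the block cipher, and the 8-byte name padding and the clear-text sender name on message 1 are my assumptions.

```python
import hashlib, hmac, os

NAME = 8  # identities padded to 8 bytes so the ticket has a fixed layout (assumption)

def subkeys(key: bytes):
    # slide 32 uses separate keys, K2 to encrypt and K1 for the MAC: derive both from the long-term key
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E_K(nonce || i) XORed with the data (encrypt = decrypt); HMAC-SHA256 stands in for E_K."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, payload: bytes) -> bytes:
    """K(payload) of the slides: fresh nonce, CTR-encrypt, then MAC over nonce || ciphertext."""
    k_enc, k_mac = subkeys(key)
    nonce = os.urandom(8)  # never reused under the same key, or two messages would share a keystream
    ct = ctr_xor(k_enc, nonce, payload)
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, sealed: bytes):
    k_enc, k_mac = subkeys(key)
    nonce, ct, tag = sealed[:8], sealed[8:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        return None  # MAC failed: wrong key or modified message, nothing is decrypted
    return ctr_xor(k_enc, nonce, ct)

class KDC:
    def __init__(self):
        self.keys = {}  # one long-term key per registered user: N keys for N users
    def register(self, name: bytes) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]
    def handle(self, sender: bytes, request: bytes) -> bytes:
        # message 1 is K_A-KDC(A, B); the sender's name travels in clear so the KDC picks the right key (assumption)
        req = unseal(self.keys[sender], request)
        a, b = req[:NAME].rstrip(), req[NAME:].rstrip()
        ks = os.urandom(32)  # the KDC creates the session key Ks
        ticket = seal(self.keys[b], a.ljust(NAME) + ks)  # K_B-KDC(A, Ks): only Bob can open it
        return seal(self.keys[a], ks + ticket)  # message 2: K_A-KDC(Ks, K_B-KDC(A, Ks))

def run_protocol():
    kdc = KDC()
    k_a, k_b = kdc.register(b"Alice"), kdc.register(b"Bob")
    reply = kdc.handle(b"Alice", seal(k_a, b"Alice".ljust(NAME) + b"Bob".ljust(NAME)))
    opened = unseal(k_a, reply)
    ks_alice, ticket = opened[:32], opened[32:]  # Alice keeps Ks and forwards the ticket to Bob
    bob_view = unseal(k_b, ticket)  # message 3: Bob opens K_B-KDC(A, Ks) with his own KDC key
    return ks_alice == bob_view[NAME:], bob_view[:NAME].rstrip(), unseal(k_a, ticket) is not None
```

The last value is False because Alice never learns KB-KDC: the ticket she forwards is opaque to her, which is the point of routing the session key through the trusted KDC.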