Intro Crypto & Security Dr. Jose L. Muñoz Tapia Information Security Group (ISG) Universitat Politècnica de Catalunya (UPC) 1/44 Symmetric-key Cryptography Concept K K Encrypt Algorithm Clear Text Message m Cypher Text c c=C(K,m) Decript Algorithm Clear Text m=D(K,C(K,m)) • In many symmetric algorithms, the “C” and decryption algorithms “D” are also identical. • Their main drawback is that the two parties must somehow exchange the symmetric key in a secure way. • This problem is relevant for large scenarios and it is is known as the “key distribution problem”. 2/44 Symmetric-key Cryptography Formally i • Symmetric-key cryptography is sometimes also called secret-key cryptography. • Symmetric-key encryption involves using a single key K to encrypt and to decrypt data. • The sender and the recipient share the knowledge of a secret key that is used to encrypt and decrypt the messages exchanged between them. 3/44 Symmetric-key Cryptography Formally ii • Formally: • The message m is encrypted by applying the symmetric algorithm C to m using the key K: c = C(K, m) • The secret message c is decrypted by applying the inverse algorithm D = C−1 to the secret message c with the key K: m = D(K, c) = C−1 (K, c) 4/44 Confusion and Diffusion • The cryptogram must be completely “dark” with respect to the statistical properties of the message in clear. • For this purpose we use: • Diffusion: dissipates the statistical structure of clear text about the cryptogram. • Confusion: makes the relationship between the cryptogram and the secret key as complicated as possible. 5/44 DES: Data Encryption Standard • Symmetric block cipher developed by IBM in early 1970s. • Later, slightly modiﬁed and standardized by the NSA. • 56-bit symmetric key (64 including parity bits). • Plaintext and ciphertext of blocks of 64-bit. • Algorithm widely deployed, without known back doors. • With the current calculation power, DES with a 56-bit key is broken by brute force in days. 6/44 Feistel Structure 7/44 Triple-DES • Also a symmetric-key block cipher. • Using the same encrypter, triple-DES consists of three-time encryption. • Plaintext and ciphertext of blocks of 64-bit. • Key sizes of 168, 112 or 56 bits, depending on the mode of operation: • • • • Keying option 1: all three keys are independent. Keying option 2: Ka and Kb are independent, Kc = Ka. Keying option 3: all keys are identical, Ka = Kb = Kc. There are other variants. • Considered secure until 2030 by the NIST. 8/44 AES: Advanced Encryption Standard • “New” standard for symmetric block cryptography (Nov. 2001) to replace DES. • Based on ideas similar to DES, but not the same algorithm. • Optimized for encrypting so tware. • 128-bit data blocks. • Variable keys of 128, 192, or 256 bits. 9/44 Cypher Modes Intro • Block cipher algorithms (e.g. DES or AES) use ﬁxed-length data blocks, for instance 64 or 128 bits. • The way in which they manage these blocks are call cypher mode. • There are many cipher modes, this is just a brief summary of them. 10/44 Electronic Code Book Mode (ECB) i • ECB is the most simplistic cipher mode. • ECB breaks the message in equally-sized blocks to cipher them separately. • Last block should be padded before encrypting. • Advantages: possibility of ciphering blocks in parallel, or accessing to these blocks in a random way. 11/44 Electronic Code Book Mode (ECB) ii • Disadvantages make ECB barely used. • Equal blocks always have as a result the same cipher block. 12/44 Electronic Code Book Mode (ECB) iii • When ciphering images: • Dictionary attacks (compare input with known outputs). • An attacker can delete blocks without being noticed, or can capture these blocks to re-send them later. 13/44 Cipher Block Chaining Mode (CBC) i • CBC divides the message in blocks. • CBC uses XOR to combine the previous block with the actual one. • An initialization vector (IV) is used for the ﬁrst block. 14/44 Cipher Block Chaining Mode (CBC) ii • To decipher the message, it is used the same procedure but in the reverse order. • Regarding IV: • It must be random, but it can be known. • It should not be predicted so attackers cannot select the plaintext to perform a dictionary attack. 15/44 Cipher Block Chaining Mode (CBC) iii • Cipherig is sequential (it cannot be parallelized). • An error in one bit in the plaintext or in the IV will affect to all the next ciphertexts. • The plaintext can be recovered using two adjacent ciphertext. • As a consequence, deciphering could be parallelized. • Deciphering with a wrong IV affect the ﬁrst ciphertext, but not the following blocks. 16/44 Counter Mode (CTR o CM) i • ECB and CBC are block ciphering algorithms, but CTR is a stream cipher. • A block ciphering is used to obtain a pseudo-random stream called keystream. • This keystream is convined with the plaintext by means of XOR. • To generate the keystream, a counter combined with a nonce is ciphered with ECB, and the counter is incremented. 17/44 Counter Mode (CTR o CM) ii • The value of the counter could be known, but it is better to keep it secret. • The value nonce+counter should be known by both ends of the communication. 18/44 Counter Mode (CTR o CM) iii • Advantages of CTR: • Possibility of pre-calculating the keystream (and/or work in parallel). • Random access to the keystream. • Leaks very few information about the key. • Drawbacks: • Reusing a counter with the same key can be a disaster, as the same keystream will be used. • Modifying bits of the plaintext is easy, as modifying a bit in the ciphertext the corresponding bit in the plaintext is modiﬁed (bit-ﬂipping attacks). • Better to use this cipher mode in conjunction with an integrity protection mechanism. 19/44 Public Key Cryptography • Symmetric cryptography: • The sender and receiver must share a secret, before being able to establish a secure communication. • How do you do this if Alice and Bob have not had any prior contact? • Public key crytography: • The sender and receiver do not share a secret. • Each user has two keys: • One key is PUBLIC (it can be distributed). • The other is PRIVATE (to keep secret). • One key is used for encryption and the other for decryption (asymmetric algorithm). • In some algorithms, both keys can be used for encryption and decryption, but with different purposes! 20/44 Conditions for a Public Key System • Diffie and Hellman postulated the conditions that a public-key system must fulﬁll: 1. It is computationally easy for a party B to generate a pair: (public key KpuB , private key KprB ). 2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, m, to generate the corresponding ciphertext c = C(KpuB , m) 3. It is computationally easy for the receiver B to decrypt the resulting cipher text using the private key to recover the original message. m = D(KprB , c) = D(KprB , C(KpuB , m)) 4. It is computationally infeasible for an opponent, knowing the public key, KpuB , to determinate the private key, KprB . 5. It is computationally infeasible for an opponent, knowing the public key, KpuB , and a ciphertext, c, to recover the original message, m. 21/44 Public Key Cryptography Concept Crypt Algorithm PlainText Message m cipherText c=C(KpuB,m) KpuB Bob’s public key KprB Bob’s private key Decrypt Algorithm PlainText m=D(KprB,C(KpuB,m)) 22/44 Uses of Public Key Cryptography i PKC uses Fundamentally there are three uses: encryption, digital signature and key exchange. • Encryption: • The sender A uses the public key of the receiver B KpuB to encrypt the message m. c = C(KpuB , m) • The receiver B uses its secret key KprB to decrypt the message: m = D(KprB , c) = D(KprB , C(KpuB , m)) 23/44 Uses of Public Key Cryptography ii • Digital signature: • A digital signature emulates a physical signature. • It generates a digital proof that only the creator / sender of the message can create, but that everyone can identify as belonging to the creator. • B wants to sign a message m, and to do so it encrypts it with his secret key KprB (only B can perform this). sig(m) = C(KprB , m) • Anyone can verify this signature by decrypting this with the public key of B KpuB (anyone can do this as the key is public): m = D(KpuB , sig(m)) = D(KpuB , C(KprB , m)) 24/44 Uses of Public Key Cryptography iii • The encryption (signature) can be applied to the complete message or to a small block of data that is a function of the message • Digital signature provides integrity, authenticity and non-repudiation. • Key exchange: • Asymmetric cryptography can be used to exchange a symmetric key. • This exchange may be performed in various ways involving one or both of the private keys of sender and receiver. 25/44 Key Public Key Algorithms • DH: Diffie Hellman (1976) • Can only be used for key exchange. • Based on the discrete logarithm problem. • RSA (Rivest, Shamir, Adleman) (1977) • The most famous and used of all public key algorithms • Based on number theory (factorization of large prime numbers). • It allows to perform the three functions. • DSA: Digital Signature Algorithm (1991) • Only used to sign. • Based on the discrete logarithm problem. And many more, modern ones based on elliptic curves, lattices, etc. 26/44 Performance & Hybrid Cryptography • Public key encryption is much more costly than symmetric encryption • Can be even 1000 times more expensive in terms of CPU. • Keys should be larger to provide the same level of security (AES 128 bits, RSA 1024.). • Solution: hybrid cryptography, which is using PKC to exchange or negotiate a symmetric session key. 27/44 Hash Functions • Used by computer engineering such as efficient database searches. • Search for a postal address: • Avenue of the chapel, block 6, Rimac • Efficient search with a hash function: • Simple algorithm example for our hash function: • We use the ASCII code of each letter a = 97, v = 118 ... • We add the ASCII codes of all the letters of the postal address. Ex. 49245. • Our hash will only go from 0 to 999, for that we do 49254mod1000 = 254. • The address Hash is 254. • We look for in the database the entry with hash value 254. • Note that there may be collisions !! 28/44 Hash Functions & Security Message m H: Hash Function H(m) • In security, we use non-invertible hash funcions also called One Way Hash Functions (OWHF). • A OWHF is a function that takes a variable length input (pre-image), and computes a ﬁxed-length output string (which is usually smaller than the pre-image) called the hash value, digest or check value. • Given the hash it is computationally infeasible to ﬁnd a message (pre-image) with that hash. • In fact, one cannot determine any usable information about a message with that hash, not even a single bit. • It is also computationally impossible to determine two messages which produce the same hash. 29/44 One Way Hash Functions (OWHF) • OWHF are generally much faster than digital signature. • Typically the hash of the document is signed, instead of the whole document. • A hash function H must have the following properties: 1. 2. 3. 4. H can be applied to a block of data of any size. H produces a ﬁxed-length output. H(m) is relatively easy to compute for any given m. For any given digest d, it is computationally infeasible to ﬁnd m such that H(m) = d. 5. For any given message m, it is computationally infeasible to ﬁnd another message m′ ̸= m with H(m′ ) = H(m). 6. It is computationally infeasible to ﬁnd any pair (m, m′ ) such that H(m) = H(m′ ). 30/44 Hash Algorithms • MD5: • Published by Rivest in 1992, RFC 1321. • Summary of 128 bits • The security of the MD5 has been severely compromised, and weaknesses have been exploited. • MD5 is considered cryptographically broken and unsuitable for further use. • SHA-1: • US standart for the NIST (FIPS PUB 180-1), 1993. • Summary of 160 bits • No longer considered secure against well-funded opponents. • Now, others are recommended: SHA-2 family: • NIST standart, 2001. • Summary of 224, 256, 384, or 512 bits. • SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. 31/44 Message Authentication Code (MAC) and HMACs • A message authentication code (MAC) is a short piece of information used to authenticate a message. • Provides authenticity and integrity. • It does not provide non-repudiation. • Accepts as input a secret key and an arbitrary-length message to be authenticated • HMACs are MACs based on the use of a hash function. • Produces a ﬁxed length output, called MAC (or HMAC in case of using hash functions). M M M MAC H C M H K K MAC C =? compare 32/44 Conﬁdentiality and integrity K2 K2 M M Enc M’ M’ Dec MAC H M M K1 H K1 MAC Enc Enc =? compare Alice Bob 33/44 Digital signature with hash • Digital signature protocol with hash functions: • • • • Alice calculates the hash of the message. Alice encrypts the hash with her private key. Alice sends the message and encrypted hash to Bob. Bob calculates the hash of the message and decrypts the signed hash, using Alice’s public key. If both match, the signature is valid. 34/44 Veriﬁcation of the digital signature Bob Alice Message Message Signature Message Alice’s Public Key Hash() Hash() digest crypt() signature Alice’s Private Key decrypt() digest digest’ If equal → signature is valid 35/44 Key management problem • Management of cryptographic keys in a cryptosystem. • Including generation, exchange, storage, use, and replacement of keys. • Key management is always a problem, for both symmetric and public key cryptography: • In symmetric crypto: how we distribute symmetric keys? • In public key crypto: how we distribute public keys? 36/44 Distribution of Symmetric Keys: Trivial Solution • Trivial solution: if there are N users it is necessary to establish of the order of N2 shared secret keys. • N2 is not scalable, how to do this on a shared network? • We also need a secure channel to transmit these keys remotely. N users N(N-1) relationships • The need for reliable intermediaries is observed. • The trusted intermediary in the case of symmetric cryptography is called the Key Distribution Center (KDC). 37/44 Distribution of symmetric keys: with a KDC • Alice, Bob need a shared symmetric key. • The KDC shares a symmetric key with each registered user. • Alice and Bob each know only their symmetric key shared with the KDC. • In this case, if there are N users, there are N shared keys. KA-KDC KB-KDC KA-KDC KDC KX-KDC KB-KDC 38/44 A Protocol with KDC How do you set the symmetric key using the KDC? • The simplest protocol is as follows: KDC K A-KDC(A,B) Alice Creates KS KA-KDC(Ks , KB-KDC(A, Ks) ) Bob KB-KDC(A,Ks) Alice and Bob can communicate using KS as symmetric key 39/44 Kerberos • Authentication protocol created by MIT. • Follow the client/server model. • Based on tickets: the KDC issues tickets of short duration so users can negotiate a session key. • To include a new user, it is necessary to create a shared key between this newcomer and the KDC. • The KDC must be completely trusted. • The KDC can be a bottleneck or even a single point of failure. 40/44 Naïve Public Key Announcement Alice KpuA Bob KpuB Alice C(KpuB,M1) Naïve way Bob C(KpuA,M2) Spoofing attack Alice KpuA Trudy KpuT <<KpuB>> 41/44 Men in the Middle Attack Men in the Middle Attack Alice KpuA KpuT <<KpuB>> Trudy KpuT <<KpuA>> Bob KpuB C(KpuT,M1) C(KpuB,M1’) C(KpuA,M2’) C(KpuT,M2) M1’=f (M1) M2’=f (M2) 42/44 Digital Certiﬁcates i • In this case the intermediary (TTP) is called the Certiﬁcation Authority (CA). CA Req?Bob Bob Alice C(KprCA,{Bob,KpuB}) • The CA signs the public keys it certiﬁes along with the identity of the owner of each key. • A certiﬁcate is a digital document that cryptographically links an identity with a public key. • This binding is made by means of a digital signature. • Trusting on the CA, we can trust on the certiﬁcates issued by this CA. 43/44 Digital Certiﬁcates ii • Using certiﬁcates Man-in-the-Middle attacks can be avoided in the distribution of public keys. • We only have to trust one public key (the CA’s one)!! • The CA distributes its public key by means of a self-signed certiﬁcate: • In this way the CA proves that it knows its private key and the transport of the public key is done by means of a certiﬁcate (standard form). • Self-signed certiﬁcates are called root certiﬁcates (and the corresponding CA is called root CA or root CA). 44/44