4. Using Encryption Wisely
The University of Tulsa
Sujeet Shenoi
Center for Information Security
Department of Computer Science, University of Tulsa, Tulsa, OK 74104
[email protected]
4. Using Encryption Wisely
Encryption provides a “false sense of security”
• Must be used correctly
• Practices
• Protocols
Encryption Speed
Delay Time
• Stream → Stream-Block → Block
• DES: 64-bit blocks
• RSA: 100-200-bit blocks (limited security with short blocks)
Speed
• Symmetric algorithms are much faster (1,000 to 5,000 times)
• Hardware solutions are much faster
• RSA: 220K bits/s vs 0.5K bits/s per MIPS
• DES: 1,200,000K bits/s vs 400K bits/s per MIPS
Block Replay
Transaction Format (each field DES-encrypted block by block)
  Field           Size      DES blocks
  Depositor Name  24 bytes  3
  SrcAct           8 bytes  1
  DestAct          8 bytes  1
  Amount           8 bytes  1
Original Transactions
  Intruder   xxx   I#    zz$
  John Doe   yyy   JD#   8K$
Fabricated Transaction (John Doe's encrypted SrcAct and Amount blocks spliced onto the intruder's own Name and DestAct blocks)
  Intruder   yyy   I#    8K$
Block Chaining
• Prevents “Block Replay”
• x ⊕ x = 0 (1011 ⊕ 1011 = 0000)
• Encryption
  – C1 = { P1 }K
  – C2 = { P2 ⊕ C1 }K
  – Cj = { Pj ⊕ Cj-1 }K
• Decryption
  – P1 = { C1 }K
  – P2 = { C2 }K ⊕ C1
  – Pj = { Cj }K ⊕ Cj-1
Initial Chaining Value
• Block Chaining conceals identical blocks
• Only if each block is preceded by something unique
• Suppose messages always begin with: “US Army HQ”
• Encryption
  – C1 = { IV }K (IV: random Initial Vector)
  – C2 = { P1 ⊕ C1 }K
  – Cj = { Pj-1 ⊕ Cj-1 }K
• Decryption
  – P0 = { C1 }K (the IV)
  – Pj = { Cj+1 }K ⊕ Cj
One Way Encryption
Use special functions
• f(x) = x³ → x = f(x)^(1/3) (difficult to compute)
• f(x) = x² → x = f(x)^(1/2) (no unique inverse, e.g., for f(x) = 4)
• System stores f(pwd)
• User enters string
• System computes f(string) and compares with f(pwd)
• Internet Worm (Nov. 2, 1988)
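The scheme on this slide (store f(pwd), recompute f on what the user types) is what the 1988 worm attacked offline by guessing dictionary words against the stored values. The following Python is an added example, not from these slides: it implements f as a salted, iterated one-way function (PBKDF2-HMAC-SHA256 from the standard library) so that every guess is expensive and a table of f(word) cannot be reused across accounts. The record format, the function names and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a deployment tunes the work factor.
ITERATIONS = 100_000   # each guess costs this many HMAC steps in an offline dictionary attack
SALT_BYTES = 16


def make_record(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Compute f(pwd): a salted, iterated one-way function of the password.

    The stored record holds the scheme, work factor, salt and f(pwd), never the
    password. The per-account salt means two users with the same password store
    different values, so one precomputed table of f(word) cannot be reused
    against every account in the file.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """System computes f(string) and compares it with the stored f(pwd)."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: no timing leak of how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def demo() -> tuple:
    """(correct password accepted, wrong password rejected, same password -> different records)."""
    first = make_record("correct horse")
    second = make_record("correct horse")
    return verify(first, "correct horse"), verify(first, "correct horsf"), first != second


if __name__ == "__main__":
    print(make_record("example"))
    print(demo())
```

The salt and the iteration count travel inside the record, so the work factor can be raised later for new passwords without breaking verification of old ones.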
Cryptographic Sealing
Integrity (as opposed to Secrecy)
• Store <file> and SHA(<file>)
• A cryptographic checksum could be the last block of a chained DES encryption
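As an added example (not part of the slides), the following Python contrasts the two seals the slide mentions: an unkeyed SHA stored beside the file, and a keyed checksum (here HMAC-SHA256 standing in for the last block of a chained DES encryption). The sample file and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "file" and a constructed key known only to the verifier.
SAMPLE_FILE = b"balance=100\nowner=jdoe\n"
SEAL_KEY = b"placeholder-seal-key"


def sha_seal(data: bytes) -> str:
    """Unkeyed seal: SHA-256 of the file, to be stored alongside it."""
    return hashlib.sha256(data).hexdigest()


def mac_seal(key: bytes, data: bytes) -> str:
    """Keyed seal: HMAC-SHA256; only a holder of the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_sha(data: bytes, stored: str) -> bool:
    return hmac.compare_digest(sha_seal(data), stored)


def verify_mac(key: bytes, data: bytes, stored: str) -> bool:
    return hmac.compare_digest(mac_seal(key, data), stored)


def tamper_experiment() -> dict:
    """Edit the file and see which seal still catches the change."""
    sha = sha_seal(SAMPLE_FILE)
    mac = mac_seal(SEAL_KEY, SAMPLE_FILE)
    edited = SAMPLE_FILE.replace(b"balance=100", b"balance=900")
    return {
        # File edited, stored seals untouched: both detect the edit.
        "sha_catches_edit": not verify_sha(edited, sha),
        "mac_catches_edit": not verify_mac(SEAL_KEY, edited, mac),
        # Whoever edited the file also recomputed the stored SHA: an unkeyed
        # seal accepts its own replacement, so it only protects against accidents.
        "sha_catches_edit_with_reseal": not verify_sha(edited, sha_seal(edited)),
        # Without SEAL_KEY the stored MAC cannot be recomputed, so it stays stale.
        "mac_catches_edit_with_reseal": not verify_mac(SEAL_KEY, edited, mac),
    }


if __name__ == "__main__":
    for name, caught in tamper_experiment().items():
        print(f"{name}: {'detected' if caught else 'missed'}")
```

The practical consequence: an unkeyed SHA(<file>) is only an integrity check against accidental corruption unless it is stored somewhere the file's writer cannot reach; a keyed seal is needed when the same party could alter both.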
Authentication and Time Stamps
Authentication
• Biometrics
Time Stamps
• Prevent replays
• Chronology
• Sender’s and receiver’s time stamps must match
Cipher Block Chaining (CBC)
• Prevents block replay
• Self-healing (error in block Cj affects Bj and Bj+1 only)
• Encryption
  – C1 = { B1 }K (usually B1 = Initial Vector)
  – C2 = { B2 ⊕ C1 }K
  – Cj = { Bj ⊕ Cj-1 }K
• Decryption
  – Bj = { Cj }K ⊕ Cj-1
Cipher Feedback (CFB)
• Block nature of DES is inconvenient
  – Partial final block must be padded (size of ciphertext > size of plaintext)
  – Encryption cannot begin until an entire 64-bit block is input (secure networks: every character must be encrypted)
• CFB: Block cipher → Stream cipher
  – Encryption error only affects the next 8 characters
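The following Python is an added example, not code from these slides, covering the block-replay, block-chaining, initial-vector, CBC and CFB slides together. A small Feistel cipher built from SHA-256 stands in for DES (it is constructed for the example and is not secure); on top of it the code runs ECB, CBC and 8-bit CFB and measures how far a single flipped ciphertext bit spreads on decryption. The transaction records and all names are the example's own.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Constructed Feistel round function: a hash of (key, round number, half-block)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel cipher on 8-byte blocks: a stand-in for DES, not a secure cipher."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """No chaining: equal plaintext blocks give equal ciphertext blocks (the block-replay weakness)."""
    return b"".join(toy_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cj = { Bj xor Cj-1 }K with C0 = IV; a fresh IV hides a repeated first block."""
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Bj = { Cj }K xor Cj-1: a damaged Cj garbles Bj and flips the same bits in Bj+1, nothing else."""
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """8-bit CFB: one character at a time, no padding, block cipher only ever run forward."""
    reg, out = iv, bytearray()
    for p in data:
        c = p ^ toy_encrypt(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])  # shift the ciphertext byte into the feedback register
    return bytes(out)

def cfb8_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    reg, out = iv, bytearray()
    for c in data:
        out.append(c ^ toy_encrypt(key, reg)[0])
        reg = reg[1:] + bytes([c])
    return bytes(out)

# Constructed sample: two 16-byte account records with identical amount fields.
TRANSACTIONS = b"ACCT0001" + b"AMT=8000" + b"ACCT0002" + b"AMT=8000"

def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (a sign of unchained encryption)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def _flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def damaged_blocks_cbc(key: bytes, hit_block: int = 2, n_blocks: int = 5) -> list:
    """Plaintext block indices that decrypt wrongly after one bit of block hit_block is flipped."""
    iv, pt = bytes(BLOCK), bytes(range(n_blocks * BLOCK))
    rec = cbc_decrypt(key, iv, _flip_bit(cbc_encrypt(key, iv, pt), hit_block * BLOCK))
    return [j for j in range(n_blocks) if rec[j * BLOCK:(j + 1) * BLOCK] != pt[j * BLOCK:(j + 1) * BLOCK]]

def damaged_bytes_cfb(key: bytes, hit: int = 5, length: int = 32) -> list:
    """Plaintext byte indices that decrypt wrongly after one bit of ciphertext byte hit is flipped."""
    iv, pt = bytes(BLOCK), bytes(range(length))
    rec = cfb8_decrypt(key, iv, _flip_bit(cfb8_encrypt(key, iv, pt), hit))
    return [i for i in range(length) if rec[i] != pt[i]]
```

Running repeated_blocks over the ECB ciphertext of TRANSACTIONS reports one duplicate block (the two amount fields), while CBC reports none; damaged_blocks_cbc returns [2, 3], the self-healing property on the CBC slide, and damaged_bytes_cfb confirms that an error in 8-bit CFB dies out once the bad byte has shifted out of the 8-byte register.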
Double Encryption
DES is “weak”
Can we use two 56-bit DES keys back to back?
• { { Message }K1 }K2
• 56-bit key → 2^56 possibilities
• Two 56-bit keys → 2^112 possibilities?
• No!
• 2^57 possibilities (Merkle, 1981)
Triple DES
Uses two 56-bit DES keys; same hardware/software
Encryption
1. C1 = DESEncrypt(P, K1)
2. C2 = DESDecrypt(C1, K2)
3. C3 = DESEncrypt(C2, K1)
Decryption
1. D2 = DESDecrypt(C3, K1)
2. D1 = DESEncrypt(D2, K2)
3. P = DESDecrypt(D1, K1)
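The following Python is an added example for the double-encryption and triple-DES slides, not code from the lecture. It uses a constructed 16-bit block cipher with 12-bit keys (small enough to enumerate; not a real cipher) to show why two keys back to back cost about 2 · 2^n operations to search rather than 2^(2n), which is Merkle's 2^57 figure scaled down, and why the encrypt-decrypt-encrypt form of triple DES collapses to single encryption when K1 = K2, so the same hardware still talks to single-DES peers. All keys and plaintexts are constructed values.

```python
MASK = 0xFFFF      # 16-bit blocks
KEY_BITS = 12      # 12-bit keys: small enough to search exhaustively in the example


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_enc(key: int, p: int) -> int:
    """Constructed 3-round add/rotate/xor cipher standing in for DES (illustration only)."""
    x = p
    for r in range(3):
        x = (x + key) & MASK
        x = _rotl(x, 5)
        x ^= (key * (2 * r + 3)) & MASK
    return x


def toy_dec(key: int, c: int) -> int:
    x = c
    for r in reversed(range(3)):
        x ^= (key * (2 * r + 3)) & MASK
        x = _rotr(x, 5)
        x = (x - key) & MASK
    return x


def double_enc(k1: int, k2: int, p: int) -> int:
    """{ { P }K1 }K2"""
    return toy_enc(k2, toy_enc(k1, p))


def meet_in_the_middle(pairs: list) -> list:
    """Why two keys do not give 2^(2n) security (Merkle, 1981).

    Tabulate { P }K1 for every K1, then for every K2 decrypt C once and look the
    result up: about 2 * 2^n cipher operations plus a 2^n-entry table instead of
    2^(2n) trials. The extra known (P, C) pairs weed out chance matches.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_enc(k1, p0), []).append(k1)
    matches = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                matches.append((k1, k2))
    return matches


def work_factors() -> tuple:
    """(meet-in-the-middle operations, naive two-key search) for KEY_BITS-bit keys."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)


def ede_encrypt(k1: int, k2: int, p: int) -> int:
    """Triple DES form: C3 = E(K1, D(K2, E(K1, P))). With K1 == K2 this is single encryption."""
    return toy_enc(k1, toy_dec(k2, toy_enc(k1, p)))


def ede_decrypt(k1: int, k2: int, c: int) -> int:
    return toy_dec(k1, toy_enc(k2, toy_dec(k1, c)))


def demo(k1: int = 0x3A7, k2: int = 0x9C1) -> tuple:
    """Constructed keys: (two-key pair recovered at 2*2^n cost, EDE round-trips, EDE(K,K) == E(K))."""
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    recovered = (k1, k2) in meet_in_the_middle(pairs)
    samples = (0, 0xFFFF, 0x5A5A)
    roundtrip = all(ede_decrypt(k1, k2, ede_encrypt(k1, k2, p)) == p for p in samples)
    compat = all(ede_encrypt(k1, k1, p) == toy_enc(k1, p) for p in samples)
    return recovered, roundtrip, compat


if __name__ == "__main__":
    print("work factors (mitm, naive):", work_factors())
    print(demo())
```

The table in meet_in_the_middle is the memory cost Merkle's count leaves implicit: 2^56 entries for DES. Triple DES with two keys is the practical answer on the next slide, and the compat check shows the reason for the odd decrypt-in-the-middle step.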
5. Cryptographic Protocols
Cryptographic Protocol
• Orderly sequence of steps to achieve certain security properties
• Established in advance
• Mutually subscribed
• Unambiguous
• Complete
Kinds of Protocols
Arbitrated Protocols
• Trusted third party participates in each transaction
• Expensive, slow, vulnerable
Adjudicated Protocols
• Third party judges fairness after the fact
• Address disadvantages of arbitrated protocols
• Detect failure only after the fact
Self-Enforcing Protocols
• Guarantee fairness; cheating is immediately obvious
• May not exist for every situation
Applications of Protocols
• Key Distribution
• Certificates
• Digital Signatures
• Clipper Key Exchange
• Mental Poker
• Voting by Computer
• Oblivious Transfer
• Contract Signing
• Certified Mail
Key Distribution Protocols
1. Symmetric Key Exchange (without Server)
2. Symmetric Key Exchange (with Server)
3. Asymmetric Key Exchange (without Server)
4. Asymmetric Key Exchange (with Server)
Sym. Key Exchange (No Server)
Requirements
• A & B share KM (Master Key)
Protocol
1. A: generates session key KS
2. A → B: { KS }KM
Sym. Key Exchange (Server)
Needham-Schroeder Protocol
1. A → S: A, B, IA (IA: unique session ID)
2. S → A: { IA, B, KAB, { KAB, A }KB }KA (new KAB)
3. A → B: { KAB, A }KB
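As an added example (not code from the slides), the three steps above run in Python with both sides' messages. The { X }K notation is realised by a constructed encrypt-then-MAC lockbox (SHA-256 keystream plus HMAC) standing in for DES, so a wrong key or an altered message is rejected rather than decrypting to garbage; the server class, the field names and the master keys are this example's assumptions.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def lock(key: bytes, payload: dict) -> dict:
    """{ payload }key: constructed encrypt-then-MAC stand-in for DES encryption of a message."""
    nonce = os.urandom(16)
    data = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unlock(key: bytes, box: dict) -> dict:
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or altered message")
    data = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(data)


class KeyServer:
    """S: shares a master key with every principal and mints session keys."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys  # {"A": KA, "B": KB, ...}

    def step2(self, a: str, b: str, i_a: str) -> dict:
        """S → A: { IA, B, KAB, { KAB, A }KB }KA"""
        k_ab = os.urandom(16).hex()  # new KAB
        ticket = lock(self.master_keys[b], {"k_ab": k_ab, "a": a})
        return lock(self.master_keys[a], {"i_a": i_a, "b": b, "k_ab": k_ab, "ticket": ticket})


def a_process_reply(k_a: bytes, reply: dict, i_a: str, b: str) -> dict:
    """A unlocks the reply and checks it answers this request (IA) for this peer (B)."""
    body = unlock(k_a, reply)
    if body["i_a"] != i_a:
        raise ValueError("session ID mismatch: stale or replayed server reply")
    if body["b"] != b:
        raise ValueError("reply names a different peer")
    return body


def run(server: KeyServer, k_a: bytes, k_b: bytes, a: str = "A", b: str = "B") -> tuple:
    i_a = os.urandom(8).hex()                   # step 1: A → S: A, B, IA
    reply = server.step2(a, b, i_a)             # step 2: S → A
    body = a_process_reply(k_a, reply, i_a, b)
    b_view = unlock(k_b, body["ticket"])        # step 3: A → B: { KAB, A }KB; B unlocks with KB
    return body["k_ab"], b_view["k_ab"], b_view["a"]


def demo() -> tuple:
    """(A and B hold the same KAB, B learns it came from A, A rejects a reply with a stale IA)."""
    k_a, k_b = os.urandom(16), os.urandom(16)   # constructed master keys KA, KB
    server = KeyServer({"A": k_a, "B": k_b})
    a_key, b_key, b_sees = run(server, k_a, k_b)
    old_reply = server.step2("A", "B", "old-id")
    try:
        a_process_reply(k_a, old_reply, "fresh-id", "B")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return a_key == b_key, b_sees == "A", replay_rejected


if __name__ == "__main__":
    print(demo())
```

The IA check is what the "unique session ID" buys A. Note that B gets no such check in step 3: nothing in the ticket tells B whether KAB is fresh, which is the replay problem the time-stamp slide addresses.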
Asym. Key Exchange (No Server)
Important Point
• Asymmetric key encryption is very expensive
• Never encrypt the message; transmit an encrypted symmetric key
Protocol
1. A → B: { { KAB }KApriv }KBpub
2a. B → A: { n }KAB (n: random number)
2b. A → B: { n + 1 }KAB
Asym. Key Exchange (Server)
Protocol
1. A → S: A, B
2. S → A: { KBpub, B }KSpriv
3. A → B: { A, IA }KBpub (IA: message reference)
4. B → S: B, A
5. S → B: { KApub, A }KSpriv
6. B → A: { IA, IB }KApub (IB: message reference)
7. A → B: { KAB, IB }KBpub (KAB: message)
Certificates
Binding an Individual’s Identity and Public Key
• A: President and CEO
• B, C: Vice Presidents
• C supervises D and E
• B’s Certificate: { IDB, PosB, KBpub, H(.) }KApriv
• C’s Certificate: { IDC, PosC, KCpub, H(.) }KApriv
• D’s Certificate: { IDD, PosD, KDpub, H(.) }KCpriv, C’s Certificate
• Always need a top-level authority
Digital Signature Protocols
Goals
• Non Forgeable [M, sig(M, P)]
• Authentic
• Non Alterable; Non Reusable
• Non Repudiation
• Symmetric Key Protocol (Arbiter (A) needed)
• Cryptographic Sealing (Arbiter (A) needed)
• Asymmetric Key Protocol (Self-Enforcing)
Symmetric Key (Digital Signature)
Symmetric Key Protocol
(Non Forgeability, Authenticity, Non Repudiation)
• S → A: { M }KS
• A → R: { M, S, { M }KS }KR
• R: unlocks with KR; saves M and { M }KS
Cryptographic Sealing (Dig. Sig.)
Cryptographic Sealing Function
• f(M) → unique value
• S and R register fS and fR with Arbiter A
Protocol (No Secrecy)
1. S → A: M, fS(M)
2. A: recomputes fS(M); compares with fS(M) received from S
3. A → R: M, S, fS(M), fR(M, S)
Asymmetric Key (Digital Signature)
Protocol 1 (Non Forgeability, Authenticity, Non Repud.)
• S → R: { M }KSpriv
• R: { { M }KSpriv }KSpub = M (saves { M }KSpriv)
Protocol 2 (Double Encryption: Privacy)
• S → R: { { M }KSpriv }KRpub
• R: { { { { M }KSpriv }KRpub }KRpriv }KSpub = M
Clipper Key Exchange Algorithm
Seven Step Protocol
• Three steps for key exchange
• Four steps for mutual authentication
• S & R share secret key KP, symmetric algorithm and asymmetric algorithm
Clipper Key Exchange (contd.)
Step 1
S → R: { KSpub }KP
Step 2
R: uses KP to obtain KSpub
R: chooses random session key Kk
R → S: { { Kk }KP }KSpub
Step 3
S: uses KSpriv and KP to obtain Kk
Clipper Authentication (contd.)
Step 4
S → R: { M }Kk (M: random string)
Step 5
R: uses Kk to obtain M
R → S: { M, N }Kk (N: random string)
Step 6
S: checks M
Step 7
R: checks N
Mental Poker Protocol
Symmetric Key Implementation
• A → B: { m1 }KA … { m10 }KA
• B: locks 5 messages: { { mj }KA }KB …
• B → A: { mi }KA … & { { mj }KA }KB …
• A: unlocks all 10 messages with KA
  Keeps 5 messages: { { mi }KA }KA … = mi …
• A → B: { { { mj }KA }KB }KA … = { mj }KB …
• B: unlocks all 5 messages with KB
  Keeps 5 messages: { { mj }KB }KB … = mj …
Mental Poker Protocol (contd.)
Asymmetric Key Implementation
• A → B: { m1 }KApub … { m10 }KApub
• B: locks 5 messages: { { mj }KApub }KBpub …
• B → A: { mi }KApub … & { { mj }KApub }KBpub …
• A: unlocks all 10 messages with KApriv
  Keeps 5 msgs: { { mi }KApub }KApriv … = mi …
• A → B: { { { mj }KApub }KBpub }KApriv … = { mj }KBpub …
• B: unlocks all 5 messages with KBpriv
  Keeps 5 msgs: { { mj }KBpub }KBpriv … = mj …
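Both mental poker slides (symmetric and asymmetric) rely on one property the notation leaves implicit: A's unlock must strip A's lock from underneath B's, so the locks have to commute. The following Python is an added example, not code from the slides; it uses a constructed commutative lock (exponentiation modulo a public prime, each player holding an exponent and its inverse modulo P-1) and runs the symmetric-key deal end to end. The prime, the card encodings and the function names are the example's own choices.

```python
import math
import random
import secrets

# Constructed public prime; every card value must lie in [1, P-1].
P = 2**31 - 1


def make_key() -> tuple:
    """A commutative lock: m -> m^e mod P, unlocked with d = e^-1 mod (P-1)."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def lock(m: int, key: tuple) -> int:
    return pow(m, key[0], P)


def unlock(c: int, key: tuple) -> int:
    return pow(c, key[1], P)


def commutes(m: int) -> bool:
    """{ { m }KA }KB == { { m }KB }KA: the property the slides' protocol depends on."""
    ka, kb = make_key(), make_key()
    return lock(lock(m, ka), kb) == lock(lock(m, kb), ka)


def deal(cards: list, rng=None, hand_size: int = 5) -> tuple:
    """Runs the symmetric-key mental poker deal between A and B."""
    rng = rng or random.Random()
    ka, kb = make_key(), make_key()
    # A → B: { m1 }KA … { m10 }KA
    from_a = [lock(m, ka) for m in cards]
    # B shuffles, locks hand_size of them under KB as well, and returns all of them
    order = list(range(len(cards)))
    rng.shuffle(order)
    to_a_single = [from_a[i] for i in order[:hand_size]]            # { mi }KA …
    to_a_double = [lock(from_a[i], kb) for i in order[hand_size:]]   # { { mj }KA }KB …
    # A unlocks everything with KA: singly locked cards become A's hand,
    # doubly locked ones become { mj }KB, which A cannot read and sends on
    a_hand = [unlock(c, ka) for c in to_a_single]
    to_b = [unlock(c, ka) for c in to_a_double]
    # B unlocks with KB and holds the remaining cards
    b_hand = [unlock(c, kb) for c in to_b]
    return a_hand, b_hand, to_b


def demo(seed: int = 1) -> tuple:
    """(hands disjoint, hands cover the deck, what A forwards to B is not a readable card)."""
    cards = [1001 + i for i in range(10)]  # constructed card encodings
    a_hand, b_hand, seen_by_a = deal(cards, random.Random(seed))
    disjoint = not set(a_hand) & set(b_hand)
    complete = sorted(a_hand + b_hand) == cards
    hidden = not set(seen_by_a) & set(cards)
    return disjoint, complete, hidden


if __name__ == "__main__":
    print(demo())
```

The asymmetric slide substitutes a public/private pair per player, but the same commutation requirement holds. One caveat for anyone building on this particular lock: exponentiation modulo a prime preserves whether a value is a quadratic residue, so card encodings must be chosen so that this does not reveal anything about the card.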
Voting by Computer Protocol
2n Link Chain (n: number of voters)
• Results at each link can be made public without destroying anonymity
• During the last n links, anyone can go back to check, but only one can go forward
• Assume three voters (J, K, L)
• Two public key pairs per voter
  – (KJpriv, KJpub); (KKpriv, KKpub); (KLpriv, KLpub)
  – (RJpriv, RJpub); (RKpriv, RKpub); (RLpriv, RLpub)
  – Ripub embeds a random string; allows voter i to check vote
Voting by Computer (contd.)
Step 0
• Each voter encrypts vote and sends it to J
  – J has: RJpub ∘ RKpub ∘ RLpub ∘ KJpub ∘ KKpub ∘ KLpub (vi)
Steps 1-3
• J (K, L) verifies vote is in pool with RJpriv (RKpriv, RLpriv)
• Applies RJpriv (RKpriv, RLpriv) to each vote
• Sends votes to K (L, J)
  – J has: KJpub ∘ KKpub ∘ KLpub (vi)
Voting by Computer (contd.)
Steps 4-6
• J (K, L) applies KJpriv (KKpriv, KLpriv)
• Applies KJpriv (KKpriv, KLpriv) to each vote
• Signs all votes
• Sends votes to K (L)
  – L has all votes: vi
  – L counts votes
  – L posts results
Oblivious Transfer Protocol
Eight Step Protocol (Flipping a coin at a distance)
1. A: picks two asymmetric key pairs: (KIpriv, KIpub), (KJpriv, KJpub)
2. B: picks symmetric key: KB
3. A → B: KIpub, KJpub
4. B: picks one key at random: KHpub
   B → A: { KB }KHpub
5. A: picks I or J at random (say: J)
   Computes: KA = { { KB }KHpub }KJpriv (KA = KB if H = J)
6. A → B: { A loses }KA, J
7. B: M = { { A loses }KA }KB
   B → A: M, H (B loses if H ≠ J)
8. A → B: KIpriv, KJpriv (for verification)
Contract Signing Protocol
1. A: selects 2n symmetric keys: C1 .. C2n
   Arranges them in pairs: (Ci, Cn+i), i = 1 .. n
2. A → B: { S }Ci, i = 1 .. 2n (S = Std Msg; each { S }Ci is an S-puzzle)
3. A: agrees to contract if B can produce a pair (Ci, Cn+i) for any i (S-puzzle solution)
4. B: repeats Steps 1-3 with keys Di and the corresponding S-puzzles
5. A → B: exchange (Ci, Cn+i) … by Oblivious Transfer Protocol
   B → A: exchange (Di, Dn+i) … by Oblivious Transfer Protocol
6. For each bit j:
   A → B: jth bit of Ci, i = 1 .. 2n
   B → A: jth bit of Di, i = 1 .. 2n
Certified Mail Protocol
1. A: selects n + 1 symmetric keys: g0 .. gn
   Computes: gn+i = g0 ⊕ gi, i = 1 .. n
2. A → B: G = { M }g0 (g0 = gn+i ⊕ gi for all i)
3. A → B: Gi = { SA }gi, i = 1 .. 2n (SA = Std Msg)
4. B: selects 2n symmetric keys: h1 .. h2n
   B → A: Hi = { SB }hi, i = 1 .. 2n (SB = Std Msg)
5. B: agrees to acknowledge receipt of the plaintext of G if A can produce any one of the pairs (hi, hn+i) and all gj (j = 1 .. 2n)
6. A → B: exchange (gi, gn+i) … by Oblivious Transfer Protocol
   B → A: exchange (hi, hn+i) … by Oblivious Transfer Protocol
7. For each bit j:
   A → B: jth bit of gi, i = 1 .. 2n
   B → A: jth bit of hi, i = 1 .. 2n