15-853 Page 1 CPS 214 Computer Networks and Distributed Systems Cryptography Basics RSA SSL SSH Kerberos
Feb 13, 2016
15-853 Page 1
CPS 214 Computer Networks and Distributed Systems
Cryptography BasicsRSASSLSSHKerberos
15-853 Page 2
Basic Definitions
Private Key or Symmetric: Key1 = Key2
Public Key or Asymmetric: Key1 Key2Key1 or Key2 is public depending on the protocol
Encryption
Decryption
Key1
Key2
Cyphertext
Ekey1(M) = C
Dkey2(C) = M
Original Plaintext
Plaintext
15-853 Page 3
What does it mean to be secure?Unconditionally Secure: Encrypted message
cannot be decoded without the keyShannon showed in 1943 that key must be as
long as the message to be unconditionally secure – this is based on information theory
A one time pad – xor a random key with a message (Used in 2nd world war)
Security based on computational cost: it is computationally “infeasible” to decode a message without the key.
No (probabilistic) polynomial time algorithm can decode the message.
15-853 Page 4
Primitives: One-Way Functions(Informally): A function Y = f(x)is one-way if it is easy to compute y from x but
“hard” to compute x from y
Building block of most cryptographic protocolsAnd, the security of most protocols rely on their
existence.Unfortunately, not known to exist. This is true
even if we assume P NP.
15-853 Page 5
One-way functions: possible definition
1. F(x) is polynomial time2. F-1(x) is NP-hard
What is wrong with this definition?
15-853 Page 6
One-way functions:better definition
For most y no single PPT (probabilistic polynomial time) algorithm can compute x
Roughly: at most a fraction 1/|x|k instances x are easy for any k and as |x| ->
This definition can be used to make the probability of hitting an easy instance arbitrarily small.
15-853 Page 7
Some examples (conjectures)Factoring:
x = (u,v)y = f(u,v) = u*v If u and v are prime it is hard to generate
them from y.Discrete Log: y = gx mod p
where p is prime and g is a “generator” (i.e., g1, g2, g3, … generates all values < p).
DES with fixed message: y = DESx(m)This would assume a family of DES functions
of increasing key size (for asymptotics)
15-853 Page 8
One-way functions in private-key protocols
y = ciphertext m = plaintext k = keyIs y = Ek(m) (i.e. f = Ek)a one-way function with respect to y and m?
What do one-way functions have to do with private-key protocols?
15-853 Page 9
One-way functions in private-key protocols
y = ciphertext m = plaintext k = keyHow about y = Ek(m) = E(k,m) = Em(k) (i.e. f = Em)should this be a one-way function?
In a known-plaintext attack we know a (y,m) pair.The m along with E defines f Em(k) needs to be easy Em
-1(y) should be hardOtherwise we could extract the key k.
15-853 Page 10
One-way functions in public-key protocols
y = ciphertext m = plaintext k = public key
Consider: y = Ek(m) (i.e., f = Ek)We know k and thus f Ek(m) needs to be easy Ek
-1(y) should be hardOtherwise we could decrypt y.But what about the intended recipient, who
should be able to decrypt y?
15-853 Page 11
One-Way Trapdoor FunctionsA one-way function with a “trapdoor”The trapdoor is a key that makes it easy to
invert the function y = f(x)Example: RSA (conjecture)
y = xe mod nWhere n = pq (p, q are prime)p or q or d (where ed = 1 mod (p-1)(q-1)) can
be used as trapdoorsIn public-key algorithms
f(x) = public key (e.g., e and n in RSA)Trapdoor = private key (e.g., d in RSA)
15-853 Page 12
One-way Hash FunctionsY = h(x) where
– y is a fixed length independent of the size of x. In general this means h is not invertible since it is many to one.
– Calculating y from x is easy– Calculating any x such that y = h(x) give y
is hardUsed in digital signatures and other protocols.
15-853 Page 13
Protocols: Digital SignaturesGoals:
1. Convince recipient that message was actually sent by a trusted source
2. Do not allow repudiation, i.e., that’s not my signature.
3. Do not allow tampering with the message without invalidating the signature
Item 2 turns out to be really hard to do
15-853 Page 14
Using Public Keys
More Efficiently
Alice BobDk1(m)
Alice BobDk1(h(m)) + m
K1 = Alice’s private keyBob decrypts it with her public key
h(m) is a one-way hash of m
15-853 Page 15
Key ExchangePrivate Key method
Public Key method
Trent
Alice Bob
Eka(k) Ekb(k)Generates k
Alice BobGenerates k
Ek1(k)
k1 = Bob’s public keyOr we can use a direct protocol, such as Diffie-Hellman (discussed later)
15-853 Page 16
Private Key Algorithms
Encryption
Decryption
Key1
Key1
Cyphertext
Ek(M) = C
Dk(C) = M
Original Plaintext
Plaintext
What granularity of the message does Ek encrypt?
15-853 Page 17
Private Key AlgorithmsBlock Ciphers: blocks of bits at a time
– DES (Data Encryption Standard)Banks, linux passwords (almost), SSL, kerberos, …
– Blowfish (SSL as option)– IDEA (used in PGP, SSL as option)– Rijndael (AES) – the new standard
Stream Ciphers: one bit (or a few bits) at a time– RC4 (SSL as option)– PKZip– Sober, Leviathan, Panama, …
15-853 Page 18
Private Key: Block CiphersEncrypt one block at a time (e.g. 64 bits) ci = f(k,mi) mi = f’(k,ci)Keys and blocks are often about the same size.Equal message blocks will encrypt to equal codeblocks
– Why is this a problem?Various ways to avoid this:
– E.g. ci = f(k,ci-1 mi) “Cipher block chaining” (CBC)
Why could this still be a problem?
Solution: attach random block to the front of the message
15-853 Page 19
Iterated Block Ciphers
Consists of n rounds
R = the “round” function
si = state after round iki = the ith round key
R
R
R
s1
.
.
.
m
c
.
.
.
keyk1
k2
kn
s2
15-853 Page 20
Iterated Block Ciphers: Decryption
Run the rounds in reverse.
Requires that R has an inverse.
R-1
R-1
R-1
s1
.
.
.
m
c
.
.
.
key
k2
kn
s2
k1
15-853 Page 21
Feistel NetworksIf function is not invertible rounds can still be made
invertible. Requires 2 rounds to mix all bits.
F ki
XOR
F ki
XOR
high bits low bits
Forwards Backwards
R R-1
Used by DES (the Data Encryption Standard)
15-853 Page 22
Product CiphersEach round has two components:
– Substitution on smaller blocksDecorrelate input and output: “confusion”
– Permutation across the smaller blocksMix the bits: “diffusion”
Substitution-Permutation Product CipherAvalanche Effect: 1 bit of input should affect all
output bits, ideally evenly, and for all settings of other in bits
15-853 Page 23
RijndaelSelected by AES (Advanced Encryption Standard,
part of NIST) as the new private-key encryption standard.
Based on an open “competition”.– Competition started Sept. 1997.– Narrowed to 5 Sept. 1999
• MARS by IBM, RC6 by RSA, Twofish by Counterplane, Serpent, and Rijndael
– Rijndael selected Oct. 2000.– Official Oct. 2001? (AES page on Rijndael)
Designed by Rijmen and Daemen (Dutch)
15-853 Page 24
Public Key CryptosystemsIntroduced by Diffie and Hellman in 1976.
Encryption
Decryption
K1
K2
Cyphertext
Ek(M) = C
Dk(C) = M
Original Plaintext
Plaintext Public Key systemsK1 = public keyK2 = private key
Digital signaturesK1 = private keyK2 = public key
Typically used as part of a more complicated protocol.
15-853 Page 25
One-way trapdoor functionsBoth Public-Key and Digital signatures make use
of one-way trapdoor functions.Public Key:
– Encode: c = f(m)– Decode: m = f-1(c) using trapdoor
Digital Signatures:– Sign: c = f-1(m) using trapdoor– Verify: m = f(c)
15-853 Page 26
Example of SSL (3.0)SSL (Secure Socket Layer) is the standard for the web (https).Protocol (somewhat simplified): Bob -> amazon.com B->A: client hello: protocol version, acceptable ciphers A->B: server hello: cipher, session ID, |amazon.com|verisign
B->A: key exchange, {masterkey}amazon’s public key
A->B: server finish: ([amazon,prev-messages,masterkey])key1
B->A: client finish: ([bob,prev-messages,masterkey])key2
A->B: server message: (message1,[message1])key1
B->A: client message: (message2,[message2])key2
|h|issuer = Certificate = Issuer, <h,h’s public key, time stamp>issuer’s private key
<…>private key = Digital signature {…}public key = Public-key encryption [..] = Secure Hash (…)key = Private-key encryptionkey1 and key2 are derived from masterkey and session ID
hand-shake
data
15-853 Page 27
Diffie-Hellman Key ExchangeA group (G,*) and a primitive element
(generator) g is made public.– Alice picks a, and sends ga to Bob– Bob picks b and sends gb to Alice– The shared key is gab
Note this is easy for Alice or Bob to compute, but assuming discrete logs are hard is hard for anyone else to compute.
Can someone see a problem with this protocol?
15-853 Page 28
Person-in-the-middle attack
Alice BobMallory
ga
gbgd
gc
Key1 = gad Key1 = gcb
Mallory gets to listen to everything.
15-853 Page 29
RSAInvented by Rivest, Shamir and Adleman in 1978Based on difficulty of factoring.Used to hide the size of a group Zn
* since: .Factoring has not been reduced to RSA
– an algorithm that generates m from c does not give an efficient algorithm for factoring
On the other hand, factoring has been reduced to finding the private-key.– there is an efficient algorithm for factoring
given one that can find the private key.
)/11()(|
* pnnnp
n
15-853 Page 30
RSA Public-key Cryptosystem
What we need:• p and q, primes of
approximately the same size
• n = pq (n) = (p-1)(q-1)
• e Z (n)*
• d = inv. of e in Z (n)*
i.e., d = e-1 mod (n)
Public Key: (e,n)Private Key: d
Encode:m ZnE(m) = me mod n
Decode:D(c) = cd mod n
15-853 Page 31
RSA continuedWhy it works:D(c) = cd mod n = med mod n = m1 + k(p-1)(q-1) mod n = m1 + k (n) mod n = m(m (n))k mod n = m (because (n) = 0 mod (n))Why is this argument not quite sound?
What if m Zn* then m(n) 1 mod n
Answer 1: Not hard to show that it still works. Answer 2: jackpot – you’ve factored n
15-853 Page 32
RSA computationsTo generate the keys, we need to
– Find two primes p and q. Generate candidates and use primality testing to filter them.
– Find e-1 mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log2(n)
To encode and decode– Take me or cd. Use the power method.
Takes time log(e) log2(n) and log(d) log2(n) .In practice e is selected to be small so that
encoding is fast.
15-853 Page 33
Security of RSAWarning:
– Do not use this or any other algorithm naively!Possible security holes:
– Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors.
– p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n).
– e cannot be too small– Don’t use same n for different e’s.– You should always “pad”
15-853 Page 34
RSA PerformancePerformance: (600Mhz PIII) (from: ssh toolkit):
Algorithm Bits/key Mbits/sec
RSA Keygen 1024 .35sec/key2048 2.83sec/key
RSA Encrypt 1024 1786/sec 3.52048 672/sec 1.2
RSA Decrypt 1024 74/sec .0742048 12/sec .024
ElGamal Enc. 1024 31/sec .031ElGamal Dec. 1024 61/sec .061DES-cbc 56 95twofish-cbc 128 140Rijndael 128 180
15-853 Page 35
RSA in the “Real World”Part of many standards: PKCS, ITU X.509,
ANSI X9.31, IEEE P1363Used by: SSL, PEM, PGP, Entrust, …
The standards specify many details on the implementation, e.g.– e should be selected to be small, but not too
small– “multi prime” versions make use of n = pqr…
this makes it cheaper to decode especially in parallel (uses Chinese remainder theorem).
15-853 Page 36
Factoring in the Real WorldQuadratic Sieve (QS):
– Used in 1994 to factor a 129 digit (428-bit) number. 1600 Machines, 8 months.
Number field Sieve (NFS):
– Used in 1999 to factor 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS
– Used in 2003-2005 to factor 200 digits (663 bits) 75 CPU years ($20K prize)
2/12/1 ))(ln(ln)))(ln(1()( nnnoenT
3/23/1 ))(ln(ln)))(ln1(923.1()( nnoenT
15-853 Page 37
SSH v2• Server has a permanent “host” public-private key pair
(RSA or DSA) . Client warns if public host key changes.• Diffie-Hellman used to exchange session key.
– Server selects g and p and sends to client.– Client and server create DH private keys. Client
sends public DH key.– Server sends public DH key and signs hash of DH
shared secret and other 12 other values with its private “host” key.
• Symmetric encryption using 3DES, Blowfish, AES, or Arcfour begins.
• User can authenticate by sending password or using public-private key pair.
• If using keys, server sends “challenge” signed with users public key for user to decode with private key.
15-853 Page 38
KerberosA key-serving system based on Private-Keys (DES).Assumptions• Built on top of TCP/IP networks• Many “clients” (typically users, but perhaps
software)• Many “servers” (e.g. file servers, compute
servers, print servers, …)• User machines and servers are potentially
insecure without compromising the whole system
• A kerberos server must be secure.
15-853 Page 39
Kerberos (kinit)Kerberos
AuthenticationServer
Client Service Server
Ticket Granting Server(TGS)
12 3 4
5
1. Request ticket-granting-ticket (TGT)2. <TGT>3. Request server-ticket (ST)4. <ST>5. Request service
15-853 Page 40
C = client S = server K = key or session keyT = timestamp V = time rangeTGS = Ticket Granting Service A = Net Address
Ticket Granting Ticket: TC,TGS = TGS,{C,A,V,KC,TGS}KTGS
Server Ticket: TC,S = S, {C,A,V,KC,S}KS
Authenticator: AC,S = {C,T}KC,S
1. Client to Kerberos: C,TGS2. Kerberos to Client: {KC,TGS}KC, TC,TGS 3. Client to TGS: {TC,TGS , S}, AC,TGS
4. TGS to Client: {KC,S}KC,TGS, TC,S
5. Client to Server: AC,S, TC,S
Kerberos V Message Formats
Possibly repeat
15-853 Page 41
Kerberos NotesAll machines have to have synchronized clocks
– Must not be able to reuse authenticatorsServers should store all previous and valid
tickets– Help prevent replays
Client keys are typically a one-way hash of the password. Clients do not keep these keys.
Kerberos 5 uses CBC mode for encryption Kerberos 4 was insecure because it used a nonstandard mode.