EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim

Jan 02, 2016


Jeremy Hawkins

Page 1
EE515/IS523 Think Like an Adversary
Lecture 4
Crypto in a Nutshell
Yongdae Kim

Page 2
Recap
- http://security101.kr
- E-mail policy: Include [ee515] or [is523] in the subject of your e-mail
- Student Survey: http://bit.ly/SiK9M3
- Paper presentation survey: http://bit.ly/18HDzCg

Page 3

Basic Cryptography

Yongdae Kim

Page 4
SKE with Secure channel
[Figure: Alice (plaintext source, encryption E_e(m) = c) sends c to Bob (decryption D_d(c) = m, destination) over an insecure channel that the adversary can access; a key source provides e and d, with d carried over a secure channel.]

Page 5
PKE with insecure channel
[Figure: Alice (plaintext source, encryption E_e(m) = c) sends c to Bob (decryption D_d(c) = m, destination) over an insecure channel watched by a passive adversary; the key source provides d and e, with e carried over an insecure channel.]

Page 6
Public key should be authentic!
[Figure labels: e, e', E_e(m), E_e'(m)]
Need to authenticate public keys

Page 7
Digital Signatures
- Primitive in authentication and non-repudiation
- Signature: process of transforming the message and some secret information into a tag
- Nomenclature
  - M is set of messages
  - S is set of signatures
  - S_A: M → S for A, kept private
  - V_A is verification transformation from M to S for A, publicly known

Page 8
Key Establishment, Management
- Key establishment
  - Process whereby a shared secret key becomes available to two or more parties
  - Subdivided into key agreement and key transport
- Key management
  - The set of processes and mechanisms which support key establishment
  - The maintenance of ongoing keying relationships between parties

Page 9
Symmetric vs. Public key
SKE
- Pros: High data throughput; relatively short key size
- Cons: The key must remain secret at both ends; O(n^2) keys to be managed; relatively short lifetime of the key
PKE
- Pros: O(n) keys; only the private key must be kept secret; longer key lifetime; digital signature
- Cons: Low data throughput; much larger key sizes

Page 10
Symmetric key Encryption
- Symmetric key encryption
  - if for each (e, d) it is computationally easy to compute e knowing d and d knowing e
  - Usually e = d
- Block cipher
  - breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time
- Stream cipher
  - encrypts individual characters of the plaintext message one at a time, using an encryption transformation which varies with time

Page 11
Hash function and MAC
- A hash function is a function h
  - compression
  - ease of computation
  - Properties
    - one-way: for a given y, it is hard to find x' such that h(x') = y
    - collision resistance: it is hard to find x and x' such that h(x) = h(x')
  - Examples: SHA-1, MD-5
- MAC (message authentication codes)
  - both authentication and integrity
  - MAC is a family of functions h_k
    - ease of computation (if k is known !!)
    - compression: x is of arbitrary length, h_k(x) has fixed length
    - computation resistance
  - Example: HMAC

Page 12

How Random is the Hash function?

Page 13
Applications of Hash Function
- File integrity
- Digital signature: Sign = S_SK(h(m))
- Password verification: stored hash = h(password)
- File identifier
- Hash table
- Generating random numbers

Page 14
Hash function and MAC
- A hash function is a function h
  - compression
  - ease of computation
  - Properties
    - one-way: for a given y, it is hard to find x' such that h(x') = y
    - collision resistance: it is hard to find x and x' such that h(x) = h(x')
  - Examples: SHA-1, MD-5
- MAC (message authentication codes)
  - both authentication and integrity
  - MAC is a family of functions h_k
    - ease of computation (if k is known !!)
    - compression: x is of arbitrary length, h_k(x) has fixed length
    - computation resistance
  - Example: HMAC

Page 15
MAC construction from Hash
- Prefix
  - M = h(k||x)
  - appending y and deducing h(k||x||y) from h(k||x) without knowing k
- Suffix
  - M = h(x||k)
  - a birthday attack is possible: an adversary that can choose x can construct x' for which h(x) = h(x') in O(2^(n/2))
- STATE OF THE ART: HMAC (RFC 2104)
  - HMAC(x) = h(k||p1||h(k||p2||x)), p1 and p2 are padding
  - The outer hash operates on an input of two blocks
  - Provably secure

Page 16
How to use MAC?
- A & B share a secret key k
- A sends the message x and the MAC M ← H_k(x)
- B receives x and M from A
- B computes H_k(x) with received M
- B checks if M = H_k(x)
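
The prefix construction from Page 15 and the verification steps from Page 16, as an added example that is not part of the lecture. It uses a toy iterated hash (16-byte blocks, a compression function built from truncated SHA-256, all assumptions of this example) so that the chaining state is visible, and writes the nested MAC in the RFC 2104 form, where the key is XORed with the pads rather than concatenated. All function names and sample values are constructed.

```python
import hashlib
import hmac

BLOCK = 16          # toy block and digest size in bytes (assumption)
IV = bytes(BLOCK)   # toy initial chaining value

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 truncated to one block."""
    return hashlib.sha256(state + block).digest()[:BLOCK]

def pad(total_len: int) -> bytes:
    """Merkle-Damgard padding: 0x80, zeros, 8-byte message length."""
    return b"\x80" + bytes(-(total_len + 9) % BLOCK) + total_len.to_bytes(8, "big")

def toy_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    """Iterated hash h; state/prior_len allow resuming from a known digest."""
    data = msg + pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def prefix_mac(k: bytes, x: bytes) -> bytes:
    """Weak construction from the slide: M = h(k || x)."""
    return toy_hash(k + x)

def nested_mac(k: bytes, x: bytes) -> bytes:
    """HMAC nesting over the toy hash; assumes len(k) <= BLOCK."""
    k = k.ljust(BLOCK, b"\x00")
    outer = bytes(b ^ 0x5C for b in k)   # key combined with p1 (RFC 2104 opad)
    inner = bytes(b ^ 0x36 for b in k)   # key combined with p2 (RFC 2104 ipad)
    return toy_hash(outer + toy_hash(inner + x))

def extend(tag: bytes, signed_len: int, y: bytes):
    """Using only tag and a length: (glue, h(k || x || glue || y)) for prefix_mac."""
    glue = pad(signed_len)
    return glue, toy_hash(y, state=tag, prior_len=signed_len + len(glue))

def verify(mac, k: bytes, x: bytes, tag: bytes) -> bool:
    """Receiver B: recompute the MAC over x and compare in constant time."""
    return hmac.compare_digest(mac(k, x), tag)

def demo():
    k, x, y = b"constructed-key!", b"msg=hello", b"&extra=1"  # constructed values
    glue, tag = extend(prefix_mac(k, x), len(k) + len(x), y)
    prefix_accepts = verify(prefix_mac, k, x + glue + y, tag)
    glue, tag = extend(nested_mac(k, x), BLOCK + len(x), y)
    nested_accepts = verify(nested_mac, k, x + glue + y, tag)
    return prefix_accepts, nested_accepts
```

demo() reports whether the receiver accepts the extended message under each construction: the prefix MAC accepts it, the nested MAC does not, because the outer hash hides the inner chaining state.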

Page 17
PKE with insecure channel
[Figure: Alice (plaintext source, encryption E_e(m) = c) sends c to Bob (decryption D_d(c) = m, destination) over an insecure channel watched by a passive adversary; the key source provides d and e, with e carried over an insecure channel.]

Page 18
Digital Signature
- Integrity
- Authentication
- Non-repudiation
  "I did not have intimate relations with that woman,…, Ms. Lewinsky"

Page 19
Digital Signature with Appendix
- Schemes with appendix
  - Requires the message as input to verification algorithm
  - Rely on cryptographic hash functions rather than customized redundancy functions
  - DSA, ElGamal, Schnorr etc.

Page 20
Digital Signature with Appendix
[Figure: signing maps m in M through h to m_h in M_h, then through S_A,k to s* in S; verification V_A maps M_h × S to u ∈ {True, False}.]
s* = S_A,k(m_h)
u = V_A(m_h, s*)

Page 21
Authentication
- How to prove your identity?
  - Prove that you know a secret information
- When key K is shared between A and Server
  - A → S: HMAC_K(M) where M can provide freshness
  - Why freshness?
- Digital signature?
  - A → S: Sig_SK(M) where M can provide freshness
- Comparison?

Page 22
Encryption and Authentication
- E_K(M)
- Redundancy-then-Encrypt: E_K(M, R(M))
- Hash-then-Encrypt: E_K(M, h(M))
- Hash and Encrypt: E_K(M), h(M)
- MAC and Encrypt: E_{h1(K)}(M), HMAC_{h2(K)}(M)
- MAC-then-Encrypt: E_{h1(K)}(M, HMAC_{h2(K)}(M))

Page 23
Challenge-response authentication
- Alice is identified by a secret she possesses
  - Bob needs to know that Alice does indeed possess this secret
  - Alice provides response to a time-variant challenge
  - Response depends on both secret and challenge
- Using
  - Symmetric encryption
  - One way functions

Page 24
Challenge Response using SKE
- Alice and Bob share a key K
- Taxonomy
  - Unidirectional authentication using timestamps
  - Unidirectional authentication using random numbers
  - Mutual authentication using random numbers
- Unilateral authentication using timestamps
  - Alice → Bob: E_K(t_A, B)
  - Bob decrypts and verifies that timestamp is OK
  - Parameter B prevents replay of same message in B → A direction

Page 25
Challenge Response using SKE
- Unilateral authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_b, B)
  - Bob checks to see if r_b is the one it sent out
    - Also checks "B" - prevents reflection attack
  - r_b must be non-repeating
- Mutual authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_a, r_b, B)
  - Bob → Alice: E_K(r_a, r_b)
  - Alice checks that r_a, r_b are the ones used earlier

Page 26
Challenge-response using OWF
- Instead of encryption, use a keyed MAC h_K
- Check: compute MAC from known quantities, and check with message
- SKID3
  - Bob → Alice: r_b
  - Alice → Bob: r_a, h_K(r_a, r_b, B)
  - Bob → Alice: h_K(r_a, r_b, A)
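
The three SKID3 messages above with both sides' checks, as an added example that is not part of the lecture. It assumes HMAC-SHA-256 for h_K, 16-byte random nonces and length-prefixed field encoding; the class and function names are constructed. It also shows why the nonce gives freshness (Page 21) and why the identity field stops a reflected message.

```python
import hashlib
import hmac
import secrets

def h_K(key: bytes, *fields: bytes) -> bytes:
    """Keyed MAC over length-prefixed fields, so (ra, rb, id) parse unambiguously."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bob:
    def __init__(self, key: bytes):
        self.key, self.rb = key, None

    def challenge(self) -> bytes:            # message 1: Bob -> Alice: rb
        self.rb = secrets.token_bytes(16)
        return self.rb

    def verify_and_reply(self, ra: bytes, tag: bytes):
        rb, self.rb = self.rb, None          # each challenge is accepted once
        if rb is None or not hmac.compare_digest(tag, h_K(self.key, ra, rb, b"B")):
            return None                      # message 2 rejected
        return h_K(self.key, ra, rb, b"A")   # message 3: Bob -> Alice

class Alice:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, rb: bytes):            # message 2: ra, hK(ra, rb, B)
        self.ra, self.rb = secrets.token_bytes(16), rb
        return self.ra, h_K(self.key, self.ra, rb, b"B")

    def verify(self, tag: bytes) -> bool:    # checks message 3: hK(ra, rb, A)
        return hmac.compare_digest(tag, h_K(self.key, self.ra, self.rb, b"A"))

def run():
    key = secrets.token_bytes(32)            # shared key K (constructed)
    alice, bob = Alice(key), Bob(key)
    ra, tag2 = alice.respond(bob.challenge())
    tag3 = bob.verify_and_reply(ra, tag2)
    honest = tag3 is not None and alice.verify(tag3)
    bob.challenge()                          # new session, fresh rb
    replay_rejected = bob.verify_and_reply(ra, tag2) is None
    reflect_rejected = not alice.verify(tag2)  # message 2 sent back as message 3
    return honest, replay_rejected, reflect_rejected
```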

Page 27
Key Establishment, Management
- Key establishment
  - Process whereby a shared secret key becomes available to two or more parties
  - Subdivided into key agreement and key transport
- Key management
  - The set of processes and mechanisms which support key establishment
  - The maintenance of ongoing keying relationships between parties