EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim
Jan 02, 2016
Recap
- http://security101.kr
- E-mail policy: Include [ee515] or [is523] in the subject of your e-
- Student Survey: http://bit.ly/SiK9M3
- paper presentation survey: http://bit.ly/18HDzCg
Basic Cryptography
Yongdae Kim
SKE with Secure channel
[Figure: symmetric-key encryption between Alice and Bob. Labels: plaintext source m; encryption E_e(m) = c; ciphertext c on the insecure channel; adversary; decryption D_d(c) = m; destination; key source; keys e and d; secure channel.]
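PKE with insecure channel
[Figure: public-key encryption between Alice and Bob. Labels: plaintext source m; encryption E_e(m) = c; ciphertext c on the insecure channel; passive adversary; decryption D_d(c) = m; destination; key source; keys d and e; e on the insecure channel.]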
Public key should be authentic!
[Figure: labels e, E_e(m), e', E_e'(m), E_e(m).]
Need to authenticate public keys
Digital Signatures
- Primitive in authentication and non-repudiation
- Signature: process of transforming the message and some secret information into a tag
- Nomenclature
  - M is set of messages
  - S is set of signatures
  - S_A: M → S for A, kept private
  - V_A is verification transformation from M to S for A, publicly known
Key Establishment, Management
- Key establishment
  - Process whereby a shared secret key becomes available to two or more parties
  - Subdivided into key agreement and key transport.
- Key management
  - The set of processes and mechanisms which support key establishment
  - The maintenance of ongoing keying relationships between parties
Symmetric vs. Public key
- SKE
  - Pros: High data throughput; Relatively short key size
  - Cons: The key must remain secret at both ends; O(n^2) keys to be managed; Relatively short lifetime of the key
- PKE
  - Pros: O(n) keys; Only the private key must be kept secret; longer key life time; digital signature
  - Cons: Low data throughput; Much larger key sizes
Symmetric key Encryption
- Symmetric key encryption
  - if for each (e,d) it is computationally easy to compute e knowing d and d knowing e
  - Usually e = d
- Block cipher
  - breaks up the plaintext messages to be transmitted into blocks of a fixed length, and encrypts one block at a time
- Stream cipher
  - encrypts individual characters of plaintext message one at a time, using encryption transformation which varies with time
Hash function and MAC
- A hash function is a function h
  - compression
  - ease of computation
  - Properties
    - one-way: for a given y, it is hard to find x' such that h(x') = y
    - collision resistance: it is hard to find x and x' such that h(x) = h(x')
  - Examples: SHA-1, MD-5
- MAC (message authentication codes)
  - both authentication and integrity
  - MAC is a family of functions h_k
    - ease of computation (if k is known !!)
    - compression, x is of arbitrary length, h_k(x) has fixed length
    - computation resistance
  - Example: HMAC
How Random is the Hash function?
Applications of Hash Function
- File integrity
- Digital signature: Sign = S_SK(h(m))
- Password verification: stored hash = h(password)
- File identifier
- Hash table
- Generating random numbers
MAC construction from Hash
- Prefix
  - M = h(k||x)
  - appending y and deducing h(k||x||y) from h(k||x) without knowing k
- Suffix
  - M = h(x||k)
  - possibly a birthday attack: an adversary that can choose x can construct x' for which h(x) = h(x') in O(2^(n/2))
- STATE OF THE ART: HMAC (RFC 2104)
  - HMAC(x) = h(k||p1||h(k||p2||x)), p1 and p2 are padding
  - The outer hash operates on an input of two blocks
  - Provably secure
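The prefix weakness and the nested fix above, as an added example (not from the lecture): a toy Merkle-Damgard hash built from SHA-256 stands in for h, and nested_mac follows the slide's simplified formula rather than RFC 2104's exact key XOR. The 16-byte block size, the sample key and messages, and the assumption that the key length is known are constructed for illustration; real code should call a standard HMAC implementation.

```python
import hashlib

BLOCK = 16  # toy block and digest size in bytes (assumption, keeps the demo small)
IV = b"\x00" * BLOCK

def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard padding: 0x80, zero fill, 8-byte big-endian length."""
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + total_len.to_bytes(8, "big")

def toy_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    """Iterated toy hash h; state/prior_len resume from an earlier digest."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        # Toy compression function built from SHA-256 (constructed for this demo).
        state = hashlib.sha256(state + data[i:i + BLOCK]).digest()[:BLOCK]
    return state

def prefix_mac(k: bytes, x: bytes) -> bytes:
    """Prefix construction from the slide: M = h(k || x)."""
    return toy_hash(k + x)

def nested_mac(k: bytes, x: bytes) -> bytes:
    """Slide's nested form h(k || p1 || h(k || p2 || x)); p1, p2 pad k to a block."""
    p1 = b"\x5c" * (BLOCK - len(k))
    p2 = b"\x36" * (BLOCK - len(k))
    return toy_hash(k + p1 + toy_hash(k + p2 + x))

def extend(tag: bytes, key_len: int, x: bytes, y: bytes):
    """Without k: derive a tag for x || glue || y from the tag on x alone."""
    glue = md_pad(key_len + len(x))
    prior = key_len + len(x) + len(glue)
    return x + glue + y, toy_hash(y, state=tag, prior_len=prior)

def demo():
    k = b"constructed-key"          # 15 bytes, sample value
    x, y = b"amount=10", b"&amount=9999"
    fx, ftag = extend(prefix_mac(k, x), len(k), x, y)
    prefix_forged = prefix_mac(k, fx) == ftag        # extended tag verifies
    nx, ntag = extend(nested_mac(k, x), BLOCK, x, y)
    nested_forged = nested_mac(k, nx) == ntag        # extended tag is rejected
    return prefix_forged, nested_forged
```

The outer hash hides the inner chaining state, so the published tag is no longer a resumable state for a longer message.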
How to use MAC?
- A & B share a secret key k
- A sends the message x and the MAC M ← H_k(x)
- B receives x and M from A
- B computes H_k(x) with received M
- B checks if M = H_k(x)
Digital Signature
- Integrity
- Authentication
- Non-repudiation
"I did not have intimate relations with that woman,…, Ms. Lewinsky"
Digital Signature with Appendix
- Schemes with appendix
  - Requires the message as input to verification algorithm
  - Rely on cryptographic hash functions rather than customized redundancy functions
  - DSA, ElGamal, Schnorr etc.
Digital Signature with Appendix
[Figure: signing and verification. Labels: m in M; h maps m to m_h in M_h; S_A,k maps m_h to s* in S; V_A maps M_h x S to u ∈ {True, False}.]
s* = S_A,k(m_h)
u = V_A(m_h, s*)
Authentication
- How to prove your identity?
  - Prove that you know some secret information
- When key K is shared between A and Server
  - A → S: HMAC_K(M) where M can provide freshness
  - Why freshness?
- Digital signature?
  - A → S: Sig_SK(M) where M can provide freshness
- Comparison?
Encryption and Authentication
- E_K(M)
- Redundancy-then-Encrypt: E_K(M, R(M))
- Hash-then-Encrypt: E_K(M, h(M))
- Hash and Encrypt: E_K(M), h(M)
- MAC and Encrypt: E_h1(K)(M), HMAC_h2(K)(M)
- MAC-then-Encrypt: E_h1(K)(M, HMAC_h2(K)(M))
Challenge-response authentication
- Alice is identified by a secret she possesses
  - Bob needs to know that Alice does indeed possess this secret
  - Alice provides response to a time-variant challenge
  - Response depends on both secret and challenge
- Using
  - Symmetric encryption
  - One way functions
Challenge Response using SKE
- Alice and Bob share a key K
- Taxonomy
  - Unidirectional authentication using timestamps
  - Unidirectional authentication using random numbers
  - Mutual authentication using random numbers
- Unilateral authentication using timestamps
  - Alice → Bob: E_K(t_A, B)
  - Bob decrypts and verifies that timestamp is OK
  - Parameter B prevents replay of same message in B → A direction
Challenge Response using SKE
- Unilateral authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_b, B)
  - Bob checks to see if r_b is the one it sent out
    - Also checks "B" - prevents reflection attack
  - r_b must be non-repeating
- Mutual authentication using random numbers
  - Bob → Alice: r_b
  - Alice → Bob: E_K(r_a, r_b, B)
  - Bob → Alice: E_K(r_a, r_b)
  - Alice checks that r_a, r_b are the ones used earlier
Challenge-response using OWF
- Instead of encryption, use keyed MAC h_K
- Check: compute MAC from known quantities, and check with message
- SKID3
  - Bob → Alice: r_b
  - Alice → Bob: r_a, h_K(r_a, r_b, B)
  - Bob → Alice: h_K(r_a, r_b, A)
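A run of SKID3 as written above, with both sides' messages and two rejected variants (added example, not from the lecture). HMAC-SHA-256 as h_K, 16-byte nonces, the identity strings b"A" and b"B", and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed nonce length keeps r_a || r_b || identity unambiguous

def h_k(key: bytes, ra: bytes, rb: bytes, ident: bytes) -> bytes:
    """Keyed MAC h_K(r_a, r_b, identity), here HMAC-SHA-256 (assumption)."""
    return hmac.new(key, ra + rb + ident, hashlib.sha256).digest()

def alice_respond(key: bytes, rb: bytes):
    """Message 2, Alice -> Bob: r_a, h_K(r_a, r_b, B)."""
    ra = secrets.token_bytes(NONCE_LEN)
    return ra, h_k(key, ra, rb, b"B")

def bob_verify_and_reply(key: bytes, rb: bytes, ra: bytes, tag: bytes):
    """Bob recomputes the MAC over his own r_b; on success returns message 3."""
    expected = h_k(key, ra, rb, b"B")
    if len(ra) != NONCE_LEN or not hmac.compare_digest(tag, expected):
        return None
    return h_k(key, ra, rb, b"A")  # Bob -> Alice: h_K(r_a, r_b, A)

def alice_verify(key: bytes, ra: bytes, rb: bytes, tag: bytes) -> bool:
    """Alice checks message 3 against the nonces used earlier."""
    return hmac.compare_digest(tag, h_k(key, ra, rb, b"A"))

def run_skid3(key_alice: bytes, key_bob: bytes) -> bool:
    rb = secrets.token_bytes(NONCE_LEN)          # message 1, Bob -> Alice: r_b
    ra, tag2 = alice_respond(key_alice, rb)
    tag3 = bob_verify_and_reply(key_bob, rb, ra, tag2)
    return tag3 is not None and alice_verify(key_alice, ra, rb, tag3)

def replay_accepted(key: bytes) -> bool:
    """A recorded message 2 replayed against a fresh r_b (freshness check)."""
    old_rb = secrets.token_bytes(NONCE_LEN)
    ra, tag2 = alice_respond(key, old_rb)
    new_rb = secrets.token_bytes(NONCE_LEN)
    return bob_verify_and_reply(key, new_rb, ra, tag2) is not None

def reflection_accepted(key: bytes) -> bool:
    """Bob's own message-3 tag (identity A) sent back to him as message 2."""
    rb = secrets.token_bytes(NONCE_LEN)
    ra, tag2 = alice_respond(key, rb)
    tag3 = bob_verify_and_reply(key, rb, ra, tag2)
    return bob_verify_and_reply(key, rb, ra, tag3) is not None
```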