Introduction to Encryption 6th Feb 2014
Introduction to encryption

Dec 08, 2014

faffyman

A brief overview of historical cryptography, moving into modern methods and a few How-To examples for PHP.

Talk given to @phpbelfast PHP User Group - Feb 2014 by @faffyman
Transcript
Page 1: Introduction to encryption

Introduction to Encryption

6th Feb 2014

Page 2: Introduction to encryption

Who am I?

PHP Developer

@faffyman

@phpbelfast

Page 3: Introduction to encryption

What’s this talk about?

Mostly the Why and the What

And just a little bit of the How

Page 4: Introduction to encryption

What this talk is not about

Probability Theory behind encryption

encryption model definitions

Page 5: Introduction to encryption

Why Encrypt?

Secure communications
- TLS Email
- SSL web

Filesystems
- DVD
- Memory Cards

Online Voting

WEP

Payment Gateways
- Credit Cards
- Bitcoins

Cable TV Signals

Skype Calls

DRM

Page 6: Introduction to encryption

What is Encryption?

It’s all Greek to me

Είναι όλα ελληνικά για μένα

Page 7: Introduction to encryption

*Encryption is…

“An algorithm that can encode a message such that it is only readable by authorized persons”

*Generally speaking.

Page 8: Introduction to encryption

*Encryption is… a Cipher..

“A pair of algorithms such that the output ciphertext of the encoding algorithm can be efficiently transformed back to the original text by the decoding algorithm”

*not always true

Page 9: Introduction to encryption

Examples of Encryption through history

Page 10: Introduction to encryption

Also known as the shift cipher

Or substitution cipher

The Caesar Cipher

Page 11: Introduction to encryption

Plain : ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW

Shift 3 chars left

Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD
Plaintext : the quick brown fox jumps over the lazy dog

Page 12: Introduction to encryption

16th Century Rome

Is a Modulo shift cipher

The Vigenère Cipher

Page 13: Introduction to encryption

Plain : PHP BELFAST ENCRYTION TALK
Key   : BLI NKSTUDI OSBLINKST UDIO
Cipher: RTY PPEZVWC TEEDHHTHH OEUZ

Create a repeating key the same length as the message

P = 16 + B=2 = 18 = R

H = 8 + L=12 = 20 = T

L = 12 + S=19 = 31 % 26 = 5 = E

Page 14: Introduction to encryption

Famous WWII message involving JFK

Playfair Mr Kennedy

http://j.mp/pFAIR

P H B E L
F A S T C
D G I K M
N O Q R U
V W X Y Z

IN TR OD UC TI ON TO EN CR YP TI ON

DQ KY NG ZM SK QO AR PR TU VE SK QO

Page 15: Introduction to encryption

Semantically secure, practically useless

The One Time Pad

Very fast encode / decode

1917, Vernam

Stream Cipher

Page 16: Introduction to encryption

The One Time Pad

Uses A Random Key of equal length to the message

AJDPWNCGS82NCPS03NCBS72HGTWX1EZMBLHPY04YDVS2DSB0

Page 17: Introduction to encryption

Rotor Machines

Lorenz Cipher (a.k.a. Tunny)

Enigma

“Nothing to report”

Page 18: Introduction to encryption

There is a lot of it - yes

Encryption is just XOR?

M: 0 1 1 0 1 1 1

Ke: 1 0 1 1 0 0 1

C: 1 1 0 1 1 1 0

Kd: 1 0 1 1 0 0 1

M: 0 1 1 0 1 1 1

Page 19: Introduction to encryption

Symmetric Ciphers

D( k, E(k, m) ) = m

Decryption of Encrypted Message = Original Message

Page 20: Introduction to encryption

Symmetric Ciphers

2 Identical Inputs = 2 different outputs

Page 21: Introduction to encryption

Stream Ciphers

And

Block Ciphers

Making It Practical

In danger of getting complex now…

Page 22: Introduction to encryption

Pseudo Randomness

Pseudo Random Key

PRF – Pseudo Rand Function

PRG – Pseudo Rand Generator

PRP – Pseudo Rand Permutation

Page 23: Introduction to encryption

Pseudo Random Keys

Short Input => Long Output

Page 24: Introduction to encryption

Data Encryption Standard

DES

1970 – 1976 - IBM's Lucifer cipher approved as Fed. Standard

1997 - DES is broken by exhaustive search

Internet search – took 3 months

1998 – Deep Crack does it in 3 days (cost $250K)

1999 – combined search 22 hours

2000 – New Fed Standard adopted. Rijndael or AES

Page 25: Introduction to encryption

Feistel Network

http://j.mp/feistDES

Common Block Cipher Construction

DES is a 16 round Feistel construction

Page 26: Introduction to encryption

Advanced Encryption Standard

AES

Uses block cipher – But NOT a Feistel Construction

1997: DES Broken NIST requests proposal for new std

1999: 5 shortlisted options

2000: Rijndael chosen to be new AES

Page 27: Introduction to encryption

AES

Page 28: Introduction to encryption

Side Channel Attacks

• Timing Attacks
• Power Attacks
• Sound Attacks
• Replay Attacks

j.mp/1c9v9Vi

Page 29: Introduction to encryption

ECB

Electronic Code Book

j.mp/1kONKMk

Encrypted with ECB

Encrypted in other modes show pseudo randomness

Page 30: Introduction to encryption

CBC

Chain Block Cipher

j.mp/1kONKMk
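
The difference between the ECB and CBC slides can be measured by counting repeated ciphertext blocks. This is an added example, not code from the original talk; the message and key are constructed sample values and the helper names `repeatedBlocks()` and `encryptWithMode()` are hypothetical.

```php
<?php
// Added example (not from the original slides): ECB vs CBC on repeated data.
// The key and message are constructed sample values. Requires PHP 7+.

// Count how many 16-byte ciphertext blocks duplicate an earlier block.
function repeatedBlocks(string $ciphertext): int
{
    $blocks = str_split($ciphertext, 16);
    return count($blocks) - count(array_unique($blocks));
}

// Encrypt with AES-128 in the given mode, generating an IV when the mode needs one.
function encryptWithMode(string $message, string $key, string $mode): string
{
    $cipher = "aes-128-$mode";
    $ivLen  = openssl_cipher_iv_length($cipher);      // 0 for ECB, 16 for CBC
    $iv     = $ivLen > 0 ? random_bytes($ivLen) : '';
    $out    = openssl_encrypt($message, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($out === false) {
        throw new RuntimeException("encryption failed for $cipher");
    }
    return $out;
}

$key     = random_bytes(16);
// Three identical 16-byte plaintext blocks, like a flat area of colour in an image.
$message = str_repeat('ATTACK AT DAWN!!', 3);

foreach (['ecb', 'cbc'] as $mode) {
    $ct = encryptWithMode($message, $key, $mode);
    printf("%s: %d repeated block(s)\n", strtoupper($mode), repeatedBlocks($ct));
    // Print each ciphertext block in hex so the repetition is visible.
    foreach (str_split(bin2hex($ct), 32) as $hexBlock) {
        echo "  $hexBlock\n";
    }
}
```

Under ECB the identical plaintext blocks come out as identical ciphertext blocks, so the structure of the message survives encryption; under CBC with a fresh random IV the blocks differ.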

Page 31: Introduction to encryption

CTR

Counter Mode

Page 32: Introduction to encryption

MICs and MACs

Message Integrity or Authentication Code

Basically - Hash Functions

MD5 - weak

SHA-1 - weak

SHA-256 - better

Anti-Tamper codes

Page 33: Introduction to encryption

Authenticated Encryption

Encrypt then MAC - always provides A.E.

MAC then Encrypt is open to CCA attacks
- it’s ok IF you use rand-CBC or rand-CTR mode
- still open to padding attacks

Page 34: Introduction to encryption

Key Exchange

Page 35: Introduction to encryption

Public/Private Keys

Public key used to encrypt

Private key used to decrypt

Uses large primes (600+ digits) and modulus of the powers of factors of that prime

Page 36: Introduction to encryption

Public/Private Keys

ALICE BOB

Generate array of public & private keys

Bob chooses one public key

Chooses a random secret {0,1}^128

encrypts it using Public Key

Alice decrypts with Secret key to obtain Bob's random number

They now have a shared secret or key (Bob's number) with which to encrypt future messages
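
The exchange on this slide, written with PHP's openssl extension. This is an added example, not code from the original talk; it simplifies the slide by having Alice generate a single RSA key pair, and the function names are hypothetical.

```php
<?php
// Added example (not from the original slides): the Alice/Bob exchange with RSA.
// Simplification: Alice generates one key pair rather than an array of them.
// Requires PHP 7.1+ with the openssl extension.

// Alice: create an RSA key pair; returns [private key, public key PEM].
function aliceGenerateKeyPair(): array
{
    $private = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($private === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return [$private, openssl_pkey_get_details($private)['key']];
}

// Bob: pick a random 128-bit secret and encrypt it under Alice's public key.
function bobSendSecret(string $alicePublicPem): array
{
    $secret = random_bytes(16); // {0,1}^128
    if (!openssl_public_encrypt($secret, $wire, $alicePublicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('public-key encryption failed');
    }
    return [$secret, $wire];
}

// Alice: recover Bob's secret with her private key.
function aliceReceiveSecret(string $wire, $alicePrivate): string
{
    if (!openssl_private_decrypt($wire, $secret, $alicePrivate, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('private-key decryption failed');
    }
    return $secret;
}

[$alicePrivate, $alicePublicPem] = aliceGenerateKeyPair();
[$bobSecret, $wire]              = bobSendSecret($alicePublicPem);
$aliceSecret                     = aliceReceiveSecret($wire, $alicePrivate);

printf("bytes on the wire: %d\n", strlen($wire));
printf("shared secret matches: %s\n", hash_equals($bobSecret, $aliceSecret) ? 'yes' : 'no');
```

The exchange only holds if Bob has an authentic copy of Alice's public key; how he obtains it is outside this sketch.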

Page 37: Introduction to encryption

PHP – password storage

j.mp/1nPFttR

• Raw / Plaintext – do people really do this?
• Roll your own encryption mechanism
• MySQL Encrypt()
• MD5() – no, collisions too common
• SHA and store salt
• bcrypt – No salt storage required
• phpass – no salt storage required

Page 38: Introduction to encryption

*NEVER* Roll your own

Golden Rule: Libraries, libraries, libraries

Always use a tried & tested library

Page 39: Introduction to encryption

PHP – MAC

hash_hmac()

hash_hmac($algo, $data, $key [, $raw_output = false])

hash_hmac('sha256', 'phpbelfast rocks', 'MySecret');

php.net/hash_hmac

Page 40: Introduction to encryption

PHP crypt()

j.mp/1nPFttR

Page 41: Introduction to encryption

PHP – openssl library

j.mp/1dp8OTq

openssl_get_cipher_methods()

openssl_cipher_iv_length()

openssl_encrypt()

openssl_decrypt()
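
Encrypt then MAC, as recommended on the Authenticated Encryption slide, built from the `hash_hmac()` and `openssl_*` functions listed above. This is an added example, not code from the original talk; `sealMessage()` and `openMessage()` are hypothetical names, the keys are generated on the spot, and CBC with a random IV is used as the slide's "rand-CBC".

```php
<?php
// Added example (not from the original slides): Encrypt-then-MAC in PHP.
// sealMessage()/openMessage() are hypothetical names. Requires PHP 7+.
const CIPHER  = 'aes-256-cbc';
const TAG_LEN = 32; // raw HMAC-SHA-256 output length in bytes

function sealMessage(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh random IV per message
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC is computed after encryption and covers both IV and ciphertext.
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

function openMessage(string $sealed, string $encKey, string $macKey): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($sealed) < $ivLen + 16 + TAG_LEN) {
        throw new RuntimeException('message too short');
    }
    $iv  = substr($sealed, 0, $ivLen);
    $ct  = substr($sealed, $ivLen, -TAG_LEN);
    $tag = substr($sealed, -TAG_LEN);
    // Check the tag first, in constant time; unauthenticated data is never decrypted.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$encKey = random_bytes(32); // separate keys for encryption and MAC
$macKey = random_bytes(32);
$sealed = sealMessage('phpbelfast rocks', $encKey, $macKey);
echo openMessage($sealed, $encKey, $macKey), "\n";

// Flip one ciphertext bit: the tag check rejects it before any padding is examined.
$sealed[20] = $sealed[20] ^ "\x01";
try {
    openMessage($sealed, $encKey, $macKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the tag is verified with `hash_equals()` before `openssl_decrypt()` runs, a tampered message never reaches the padding check, which is what closes off the padding attacks mentioned for MAC then Encrypt.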

Page 42: Introduction to encryption

PHPass – for php v 5.4-

j.mp/phpass

Page 43: Introduction to encryption

PHP password_hash()

v5.5+

php.net/password_hash

j.mp/1err98n

password_hash( $password, $algo [, $options] )

password_verify( $password, $hash )
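
A register/login flow using the two functions on this slide, plus `password_needs_rehash()` to raise the bcrypt cost over time. This is an added example, not code from the original talk; the `$users` array is a hypothetical stand-in for a database table, and the password and cost values are constructed.

```php
<?php
// Added example (not from the original slides): password storage with password_hash().
// $users is a hypothetical in-memory stand-in for a database table. Requires PHP 7+.
const ALGO = PASSWORD_BCRYPT;

function register(array &$users, string $name, string $password, array $options): void
{
    // password_hash() generates the salt itself and stores it, together with the
    // algorithm and cost, inside the returned hash string: no separate salt column.
    $users[$name] = password_hash($password, ALGO, $options);
}

function login(array &$users, string $name, string $password, array $options): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // If the policy changed since this hash was created (e.g. a higher cost),
    // re-hash now, while the plaintext password is available.
    if (password_needs_rehash($users[$name], ALGO, $options)) {
        $users[$name] = password_hash($password, ALGO, $options);
    }
    return true;
}

$users = [];
register($users, 'alice', 'correct horse battery staple', ['cost' => 10]);
echo $users['alice'], "\n"; // the stored string carries algorithm, cost and salt

// Later the site raises its cost policy to 12.
var_dump(login($users, 'alice', 'wrong password', ['cost' => 12]));
var_dump(login($users, 'alice', 'correct horse battery staple', ['cost' => 12]));

// After the successful login the stored hash has been upgraded to the new cost.
echo 'stored cost: ', password_get_info($users['alice'])['options']['cost'], "\n";
```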

Page 44: Introduction to encryption

Cover image - Enigma Machine by Skittledog

http://flic.kr/p/9VjJz5

Creative Commons

http://creativecommons.org/licenses/by-nc-sa/2.0/

Feistel Network Diagram

Dan Boneh, Stanford University (Coursera – Cryptography I course)

Link Bundle j.mp/1iq3xA5

Credits

Page 45: Introduction to encryption

“Only amateurs attack machines, professionals attack humans” - Bruce Schneier

Final Thought