Network and Communications Security (IN3210/IN4210) Asymmetric Cryptography

Dec 31, 2020


dariahiddleston

Network and Communications Security (IN3210/IN4210)

Asymmetric Cryptography


Key Exchange


Recapitulation: Symmetric Encryption

● One problem: key exchange

[Figure: symmetric encryption. Labels: Alice, Bob, Eve, Key Generator, Symmetric Key, Encryption, Decryption; plaintext "Dear Bob....", ciphertext "6R4Y2hlbMZCB...".]

Diffie Hellman Key exchange

● Creating common (symmetric) key only known to the communication partners

● Created by Whitfield Diffie and Martin Hellman in 1976

Image source: Wikipedia

Illustration of DH Key Exchange

Image source: Wikipedia

Logarithm

● Choose (integer) b and a and calculate $y = b^a$

● Given just b and y can you calculate a?

● Easy (logarithm): $a = \log_b y$

● Example:

− b = 7, y = 13841287201, a = ?


Modular Arithmetic

● mod operator: x mod n

− remainder of the integer division of x by n

● Example:

− 19 mod 3 = 1 (19 = 6 * 3 + 1)

− 13 mod 3 = 1 (13 = 4 * 3 + 1)

− 1234 mod 10 = 4

− $2^{20}$ mod 10 = 6


Discrete Logarithm

● Choose integer b, a and n and calculate $y = b^a \bmod n$

● Given just b, n and y can you calculate a?

● Example:

− b = 7, n = 1023, y = 439, a = ?

● Hard problem: Discrete Logarithm Problem (DLP)

● No simple calculation

● Only (known) method: test all possible values for a (infeasible for large n)


Diffie Hellman Key exchange

● Alice and Bob agree on (public parameters):

− Large prime number p

− Generator g (i.e. g is primitive root mod p)

● Alice:

− chooses a (secret) random number a

− calculates $\alpha = g^a \bmod p$

− sends α to Bob

● Bob:

− chooses a (secret) random number b

− calculates $\beta = g^b \bmod p$

− sends β to Alice

● Calculation of common secret:

− Alice: $\beta^a \bmod p = (g^b \bmod p)^a \bmod p = (g^b)^a \bmod p = g^{ab} \bmod p = K$

− Bob: $\alpha^b \bmod p = (g^a \bmod p)^b \bmod p = (g^a)^b \bmod p = g^{ab} \bmod p = K$

[Figure: Alice (secret a) sends $\alpha = g^a \bmod p$ to Bob; Bob (secret b) sends $\beta = g^b \bmod p$ to Alice.]

Diffie Hellman Key exchange

● (Passive) attacker learns:

− g

− p

− $g^b \bmod p$

− $g^a \bmod p$

● For calculating K the attacker additionally needs a or b

● a or b cannot easily be derived from the known values (DLP)

[Figure: Eve observes $g^a \bmod p$ and $g^b \bmod p$ on the channel.]

Weakness of DH Key Exchange

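[Figure: Mallory between Alice and Bob. Alice sends $g^a$, Bob sends $g^b$, and Mallory returns $g^e$ to each. Both links are labelled "Secure Communication".]

$K_1 = g^{ae} \bmod p$, $K_2 = g^{be} \bmod p$

Solution: later!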
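The exchange from the three Diffie-Hellman slides written out in Python, as an added example that is not part of the original slides. The parameters p = 1019 and g = 2 and all function names are assumptions chosen for illustration; the last function replays the Mallory scenario and shows that a range check on the received value does not detect it.

```python
import secrets

# Constructed toy parameters (an assumption of this example): 1019 is a small
# safe prime and 2 generates its multiplicative group. They only keep the
# exhaustive search below instant; real groups use primes of 2048 bits or more.
P, G = 1019, 2


def keypair(p=P, g=G):
    """Pick a secret exponent and return (secret, g^secret mod p)."""
    while True:
        secret = secrets.randbelow(p - 3) + 2        # uniform in 2 .. p-2
        public = pow(g, secret, p)
        if 2 <= public <= p - 2:                     # skip degenerate values
            return secret, public


def shared_key(own_secret, peer_public, p=P):
    """Range-check the received value, then raise it to the own secret."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_secret, p)


def honest_exchange():
    """Alice and Bob swap alpha and beta; both arrive at K = g^(ab) mod p."""
    a, alpha = keypair()
    b, beta = keypair()
    return shared_key(a, beta), shared_key(b, alpha), (alpha, beta)


def exhaustive_dlog(y, g=G, p=P):
    """The generic search from the slides: try x = 0, 1, 2, ... until g^x = y.

    The loop runs up to p-1 times, which is why the size of p decides
    whether a passive observer can recover a or b.
    """
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    raise ValueError("y is not a power of g")


def intercepted_exchange():
    """Slide 'Weakness of DH Key Exchange': both values are swapped for g^e."""
    a, alpha = keypair()
    b, beta = keypair()
    e, g_e = keypair()                    # Mallory's own key pair
    k_alice = shared_key(a, g_e)          # Alice thinks g_e came from Bob
    k_bob = shared_key(b, g_e)            # Bob thinks g_e came from Alice
    k1 = shared_key(e, alpha)             # K1 = g^(ae) mod p
    k2 = shared_key(e, beta)              # K2 = g^(be) mod p
    return k_alice, k_bob, k1, k2


if __name__ == "__main__":
    k_a, k_b, (alpha, beta) = honest_exchange()
    print("honest run, keys equal:", k_a == k_b)
    x = exhaustive_dlog(alpha)
    print("observer recovers K for this toy p:", pow(beta, x, P) == k_a)
    k_alice, k_bob, k1, k2 = intercepted_exchange()
    print("range check passed, yet keys are shared with Mallory:",
          (k_alice, k_bob) == (k1, k2))
```

The range check rejects degenerate values such as 1 or p - 1, but Mallory's value is a perfectly valid group element, so only authentication of the exchanged values closes this gap.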


Breaking DH

● g and p must be chosen carefully

− e.g. p – 1 shall have small prime factors

− otherwise mathematical “tricks” are possible for breaking DLP

− (details are irrelevant in this course)

● Always possible: test all possible values for a (or b)

− Which size to choose for p?

▪ 512 bit → practically broken (2015)

▪ 1024 bit → estimated costs for breaking: 100 million $

▪ 2048 bit → secure, but long runtime


Asymmetric Encryption


Asymmetric Encryption

● Problem of symmetric encryption:

− Shared secret must be distributed

● Problem of DH key exchange:

− interactive protocol

− both parties must be “online” in order to start encrypted communication

● Asymmetric Encryption:

− Use different keys for encryption and decryption

− Public encryption key is published (everyone can encrypt)

− Private decryption key is kept confidential (just owner can decrypt)


Asymmetric Encryption

● Two distinct keys are used: the public key for encryption and the private key for decryption

[Figure: asymmetric encryption. Labels: Alice, Bob, Eve, Key Pair Generator, Public Key, Private Key, Encryption, Decryption; plaintext "Dear Bob....", ciphertext "6R4Y2hlbMZCB...".]

Asymmetric Encryption

● Based on number theoretic problems

− RSA: Factorisation Problem

− ElGamal: Discrete Logarithm Problem

● RSA: named after its inventors (1978):

− Ronald Rivest

− Adi Shamir

− Leonard Adleman

Image sources: University of Southern California, Massachusetts Institute of Technology

RSA (Textbook Version)

● Key generation:

− Choose two prime numbers p and q

− Calculate $n = p \cdot q$, $m = (p - 1)(q - 1)$

− Choose e and d with $e \cdot d \bmod m = 1$

− Public key: n, e

− Private key: d

● Encryption of message M (integer < n):

− $C = M^e \bmod n$

● Decryption of cipher text C:

− $M' = C^d \bmod n$

● $M' = (M^e)^d \bmod n = M$ (follows from Euler's Theorem)

Typically:

• Set e = 65537

• Calculate d using the Extended Euclidean algorithm

Breaking RSA

● Key generation:

− Choose two prime numbers p and q

− Calc n = p · q, m = (p – 1) (q – 1)

− Choose e and d with e · d (mod m) = 1

− Public key: n, e

− Private key: d

● Attacker:

− Knows n and e

− Factorizes n, i.e. finds p and q

− Calculates m and d

Example: n = 15 → p = 3, q = 5

Easy for small numbers, hard for large numbers:

Factorization problem


RSA Calculation

● 1. problem: calculation effort

− $x^n = \underbrace{x \cdot \ldots \cdot x}_{n}$ → n – 1 multiplications

● Square and Multiply:

− Write n in binary; remove the first 1

− For every 1 perform first a square $(\ldots)^2$ operation then a multiply operation $(\cdot\, x)$

− For every 0 perform a square $(\ldots)^2$ operation

● Example:

− $n = 23_{10} = 10111_2$ → Q QM QM QM

− $x^{23} = (((x^2)^2 \cdot x)^2 \cdot x)^2 \cdot x$

− 7 multiplications instead of 22

● “Standard” value for e:

− $65537_{10} = 10000000000000001_2$ → 16 multiplications

RSA Calculation

● 2. problem: large intermediate values:

− “$M^e \bmod n$” is smaller than n, but “$M^e$” is very large

● Property of mod operator:

− $(x \cdot y) \bmod n = ((x \bmod n) \cdot (y \bmod n)) \bmod n$

● Application to Square and Multiply:

− Perform a “mod” operation after every square or multiply step

− Example:

▪ $x^{23} \bmod n = ((((((x^2 \bmod n)^2 \bmod n) \cdot x \bmod n)^2 \bmod n) \cdot x \bmod n)^2 \bmod n) \cdot x \bmod n$

− No intermediate value is larger than $n^2$
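Textbook RSA from the preceding slides as runnable Python, an added example that is not part of the original slides. It combines key generation with the Extended Euclidean algorithm and Square and Multiply with a reduction after every step; the function names and the small primes used in the demo are assumptions for illustration.

```python
def square_and_multiply(x, e, n):
    """Compute x^e mod n left to right; also count the multiplications."""
    if e < 1:
        raise ValueError("exponent must be positive")
    result, ops = x % n, 0
    for bit in bin(e)[3:]:                 # binary digits after the first 1
        result = result * result % n       # Q: square, reduce immediately
        ops += 1
        if bit == "1":
            result = result * x % n        # M: multiply by x, reduce again
            ops += 1
    return result, ops


def extended_euclid_inverse(e, m):
    """Return d with e*d mod m = 1 via the extended Euclidean algorithm."""
    old_r, r = e % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e has no inverse modulo m")
    return old_s % m


def generate_key(p, q, e=65537):
    """Key generation as on the slide: n = p*q, m = (p-1)(q-1), e*d mod m = 1."""
    n, m = p * q, (p - 1) * (q - 1)
    return (n, e), extended_euclid_inverse(e, m)


def encrypt(public_key, message):
    """C = M^e mod n. Textbook RSA: no padding, so equal M gives equal C."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer below n")
    return square_and_multiply(message, e, n)[0]


def decrypt(public_key, d, ciphertext):
    """M' = C^d mod n."""
    n, _ = public_key
    return square_and_multiply(ciphertext, d, n)[0]


if __name__ == "__main__":
    # Constructed demo key: 1009 and 1013 are far too small for real use.
    public, d = generate_key(1009, 1013)
    c = encrypt(public, 424242)
    print("ciphertext:", c, "decrypts to:", decrypt(public, d, c))
    print("operations for exponent 23:", square_and_multiply(3, 23, public[0])[1])
```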


Prime Numbers

● How to calculate large (~ 500 - 2000 bits) prime numbers?

● 2 types of primality tests:

− Deterministic (too slow for large numbers)

− Probabilistic (fast, but not 100% correct)

● Example: Solovay–Strassen primality test:

− max ½ probability of wrong answer

− Algorithm for testing “n prime?”

▪ Repeat k times:

o Choose random number a

o Run primality test (uses number a as parameter)

o If false return “not prime”

▪ Return “probable prime”

− Error probability: $1/2^k$, e.g. $2^{-100}$ for k = 100


Breaking RSA

● Best known attack on RSA: factorizing n

● Competition for factorizing given numbers (created 1991): RSA Factoring Challenge

● Consequence: RSA-1024 is not secure any more

Source: Wikipedia

RSA number Decimal digits Binary digits Factored on

RSA-100 100 330 April 1, 1991

RSA-110 110 364 April 14, 1992

RSA-120 120 397 July 9, 1993

RSA-129 129 426 April 26, 1994

RSA-130 130 430 April 10, 1996

RSA-140 140 463 February 2, 1999

RSA-150 150 496 April 16, 2004

RSA-155 155 512 August 22, 1999

RSA-160 160 530 April 1, 2003

RSA-170 170 563 December 29, 2009

RSA-576 174 576 December 3, 2003

RSA-180 180 596 May 8, 2010

RSA-190 190 629 November 8, 2010

RSA-640 193 640 November 2, 2005

RSA-200 200 663 May 9, 2005

RSA-210 210 696 September 26, 2013

RSA-704 212 704 July 2, 2012

RSA-220 220 729 May 13, 2016

RSA-230 230 762 August 15, 2018

RSA-232 232 768 February 17, 2020

RSA-768 232 768 December 12, 2009

RSA-240 240 795 Dec 2, 2019

RSA-250 250 829 Feb 28, 2020


Hybrid Encryption (1/3)

● Pros and cons of (a)symmetric encryption:

− Asymmetric encryption:

▪ easier key management vs. slow performance + limited message size

− Symmetric encryption:

▪ good performance (1000x faster) vs. key exchange problem

● Hybrid Encryption: combining the advantages:

− Encrypt a random symmetric session key by means of asymmetric encryption

− Encrypt the data with the symmetric session key by means of symmetric encryption


Hybrid Encryption (2/3)

● Encryption process

[Figure: Alice encrypts "Dear Bob...." with a symmetric key from the key generator (symmetric encryption) and encrypts that symmetric key with Bob's public key (asymmetric encryption). Output: ciphertext "6R4Y2hlbMZCBaj39c2jmCw..." and the encrypted symmetric key.]

Hybrid Encryption (3/3)

● Decryption process

[Figure: Bob recovers the symmetric key from the encrypted symmetric key with his private key (asymmetric decryption), then decrypts "6R4Y2hlbMZCBaj39c2jmCw..." with it (symmetric decryption) to obtain "Dear Bob....".]

Exchange of Public Keys

● Confidentiality not required → passive attacker can read the public key (no problem)

[Figure: Alice, Bob and Eve. Messages shown: “Alice”, pub(A) and Enc(pub(A), M).]

Exchange of Public Keys

● Integrity highly required → active attacker can modify/exchange the public key

Solution: later!

[Figure: Alice, Bob and Mallory. Messages shown: “Alice”, pub(A); “Alice”, pub(E); Enc(pub(E), M).]

Hash Functions


Integrity testing


Hash Function

[Figure: hash function h( · ); labels: Alice, Bob.]

Definition of Hash Function

h : * → n

[Figure: sample inputs of different lengths (an encoded string, a Lorem ipsum paragraph) mapped to short hexadecimal hash values.]

Real life example: Integrity Protection for Downloads

● Ubuntu: File “MD5SUM”

● Xfce: Note on Web site

cf10bdd7abb067e639b3fb47fa8cadbd *ubuntu-11.04-alternate-amd64+mac.iso

14984b15a391c7de1f07f4885bef2d5c *ubuntu-11.04-desktop-amd64+mac.iso

99950b6c45250c51fa53342c5832ebd2 *ubuntu-11.04-dvd-amd64.iso

e8c522fc69d3bf2fda99b63b8f7c12f3 *ubuntu-11.04-dvd-i386.iso


Properties of Hash Functions

[Figure: Alice and Bob, with h(x) = 4711 and h(y) = 4711.]

Hash collisions

● Collision

− There exist two messages x and y with x ≠ y and h(x) = h(y)

● In every hash function collisions exist!

● Two types of collisions:

− “accidental”: selecting x and y randomly

− “intentional”: calculating x and y

● Reducing the probability of accidental collisions:

− Choose co-domain (= length of hash value) large enough

● What about “intentional” collisions?


Poor Hash Function

● Checksum:

[Figure: checksum example. The message "Sell 18 books 10 EUR each Lorem ipsum dolor sit amet consetetur" is laid out in rows; a second version reads "Sell 11 books 80 EUR each"; checksum shown: 39 AC 2E 31 7F 03 F5 81.]

(Strong) Collision resistance

● In “good” hash functions it shall be hard to calculate collisions

● Collision resistant:

− It is not possible (within “reasonable” computation time) to find a collision i.e. two messages x and y with h(x) = h(y)

● Remarks:

− with unlimited computation time of course collisions can always be found


Properties of Hash functions

[Figure: Alice, Bob and Eve; hash value 4711.]

One-way function

● One-way property (preimage resistant):

− There exists no (efficient) inverse function for h, i.e.

− it is not possible to calculate message x from its hash value H (with h(x) = H)

● h collision resistant h one-way function


Summary of Properties

● Preimage resistance (one-way):

− For any given H, it is computationally infeasible to find x such that h(x) = H

● Second preimage resistance (weak collision resistance):

− For any given x, it is computationally infeasible to find y ≠ x where h(y) = h(x)

● (Strong) collision resistance:

− It is computationally infeasible to find any pair (x, y) such that h(x) = h(y)


Common Hash Algorithms

● MD5

− Message-Digest-Algorithm (R. Rivest, 1992)

− 128 bit digest

● SHA-1

− Secure Hash Algorithm (NIST/NSA, 1994)

− 160 bit digest

● SHA-2

− Secure Hash Algorithm 2 (NIST/NSA, 2002)

− Digest sizes: SHA-224, SHA-256, SHA-384, SHA-512

● SHA-3

− Secure Hash Algorithm 3 (NIST 2015)

− Digest sizes: SHA3-224, SHA3-256, SHA3-384, SHA3-512


SHA-1 – Internal Structure

[Figure: one SHA-1 round, repeated 80 x. The 160 bit state (5 x 32 bit words A, B, C, D, E) is updated using the function F, the shifts <<5 and >>2, additions (+), the constant K and the word W taken from the message M.]

Merkle Damgård Construction (SHA-1, SHA-2)

[Figure: Merkle–Damgård construction. Message M is split into Block 1, Block 2, ..., Block m, followed by the length of M. Starting from the IV, the compression function f is applied block by block with n bit values passed between the steps; the final n bit output is the hash h(M).]

Compression function f; hash function h

f collision resistant h collision resistant

Security of Hash Algorithms

● Known attacks on Hash properties

Algorithm   Attack on collision resistance   Attack on one-way property
MD5         Yes                              Yes
SHA-1       Yes                              No
SHA-2       (Yes)                            No
SHA-3       No                               No


SHA-3 Competition

● Creating new Hash function (successor of SHA-2)

● Open competition by NIST started 2007

● Public analysis and discussion of candidates

● Criteria:

− Performance

− Security

− Diversity

● Winner (announced 2012): Keccak

● Standardized as SHA-3 (2015)


Breaking Hashes

● How to find the pre-image of H? (i.e. finding m with h(m) = H)

● Brute force attack: testing all possible values for m

− rather simple if the set of “all possible values” is rather small

− Examples:

▪ m is a short/simple password

▪ m is an IP address

● Variation: Dictionary attack: testing just certain values

− Examples

▪ typical passwords (“1234”, “admin”, ...)

▪ real world words (“dog”, “car”, ...)

● Alternative: Lookup in a pre-calculated list of “all” m and h(m)

− Practical implementation: Rainbow Table


Breaking Hashes – Countermeasures

● Brute force/Dictionary:

− avoid short/simple messages

− use special resource consuming “hash” functions (e.g. scrypt, Argon2)

− add a secret value to the hash calculation: pepper (not always possible)

● Rainbow table:

− avoid short/simple messages

− add a (non-secret) random value to the hash calculation: salt
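How the countermeasures look when storing passwords, as an added example that is not part of the original slides. The scrypt parameters, the way the pepper is appended and all names are assumptions for illustration; the small lookup table is constructed from the dictionary words quoted on the previous slide and shows why a pre-calculated list only matches unsalted hashes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the dictionary entries are the slide's examples.
DICTIONARY = ["1234", "admin", "dog", "car"]
PRECOMPUTED = {hashlib.sha256(w.encode()).hexdigest(): w for w in DICTIONARY}


def lookup(stored_hex):
    """Pre-calculated list of m and h(m): one dictionary access per hash."""
    return PRECOMPUTED.get(stored_hex)


def _slow_hash(password, salt, pepper):
    # scrypt is deliberately expensive in time and memory per guess.
    return hashlib.scrypt(password.encode() + pepper, salt=salt,
                          n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def store_password(password, pepper=b""):
    """Return (salt, digest) for the password database.

    The salt is random and stored next to the digest (not secret).
    The optional pepper is a secret kept outside the database.
    """
    salt = secrets.token_bytes(16)
    return salt, _slow_hash(password, salt, pepper)


def check_password(password, salt, digest, pepper=b""):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_slow_hash(password, salt, pepper), digest)


if __name__ == "__main__":
    unsalted = hashlib.sha256(b"admin").hexdigest()
    print("unsalted SHA-256 found in table:", lookup(unsalted))

    salt1, rec1 = store_password("admin")
    salt2, rec2 = store_password("admin")
    print("same password, different records:", rec1 != rec2)
    print("salted record found in table:", lookup(rec1.hex()))
    print("login with correct password:", check_password("admin", salt1, rec1))
```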


MAC and Digital Signature


Integrity Protection using Hashes


[Figure: the sender computes the hash of the message "Dear Bob...." and transmits message and hash; the receiver recomputes the hash over the received message and compares the two values (= ?).]

Message Authentication Code

[Figure: the sender computes the MAC of the message "Dear Bob...." and transmits message and MAC; the receiver recomputes the MAC over the received message and compares the two values (= ?).]

Message Authentication Code

● A Message Authentication Code (MAC) is a short piece of information used to authenticate a message

● The key involved provides authentication in addition to integrity

● In some contexts a MAC is also called a symmetric signature

● First idea for implementation:

$mac_k(m) = h(k \,\|\, m)$

(here || is the concatenation operator)

● Problem: vulnerable to length extension attack (details not shown here)


Message Authentication Code

● Solution: HMAC

$mac_k(m) = \mathrm{HMAC}(m, k) = h((k \oplus opad) \,\|\, h((k \oplus ipad) \,\|\, m))$

− with opad and ipad fixed constants:

▪ ipad = the byte 0x36 repeated B times

▪ opad = the byte 0x5C repeated B times

▪ (with B the internal data size in bytes of hash function h; e.g. 64 for SHA-1)
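The HMAC formula built by hand and checked against Python's own `hmac` module, as an added example that is not part of the original slides. Padding the key with zero bytes to B bytes and hashing keys longer than B first follow RFC 2104; the function names, key and messages are assumptions.

```python
import hashlib
import hmac


def hmac_from_formula(key, message, hash_name="sha256"):
    """h((k XOR opad) || h((k XOR ipad) || m)) with k brought to B bytes."""
    block = hashlib.new(hash_name).block_size    # B: 64 for SHA-1 and SHA-256
    if len(key) > block:                         # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")              # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def make_tag(key, message):
    """What a sender would attach: HMAC-SHA-256 from the standard library."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, received_tag):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


if __name__ == "__main__":
    key = b"constructed shared key"              # constructed sample values
    msg = b"Dear Bob...."
    tag = make_tag(key, msg)
    print("formula matches library:", hmac_from_formula(key, msg) == tag)
    print("unchanged message verifies:", verify_tag(key, msg, tag))
    print("modified message verifies:", verify_tag(key, b"Dear Rob....", tag))
```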


Message Authentication Code

● Security services:

− Authenticity

− Integrity

● Limitations:

− Verification requires knowledge of the secret key

− Every owner of the secret key can create the MAC

− → not possible to decide if Alice or Bob created the MAC

− → the actual creator of the MAC can deny the creation

− → no “non-repudiation” property


Digital Signature

● Equivalent to traditional handwritten signatures

● Properties:

− Only one person can create the signature

− Everyone can verify the signature

− Can identify the creator of the signature

− Is bound to a specific document

− Prohibits changes to the document

[Slide annotations: non-repudiation, integrity, authenticity]

Digital Signature (here: RSA)

[Figure: the signer hashes the message "Dear Bob...." and applies "Encryption" to the hash; the verifier applies "Decryption" to the received signature and compares the result (= ?) with the hash of the received message.]

Digital Signature

● Properties:

− Only one person can create the signature

▪ Private key required

− Everyone can verify the signature

▪ Public key is sufficient (but: requires the correct public key)

− Can identify the creator of the signature

▪ Owner of the private key = creator (unless private key was stolen)

− Is bound to a specific document

▪ move signature to a different document → hash of document ≠ hash inside signature (unless collision) → verification fails

− Prohibits changes to the document

▪ change of document → change of hash (unless collision) → verification fails


Again: Integrity Protection for Downloads

Putty – SSH Client for Windows


Final Remarks


Crypto Primitives and their Usage

[Figure: matrix relating the primitives Encryption (Cipher), Hash Functions and Digital Signature to the security goals Confidentiality, Integrity, Authenticity and Non-repudiation.]

Elliptic Curve Cryptography

● DSA and DH are based on modular exponentiation over a (finite) field of integers

● One can perform similar operations on an “elliptic curve”

● Main advantage:

− same security level with shorter keys

− better performance (runtime up to 10 times faster)

Security Level   RSA/DH (NIST)   RSA/DH (ECRYPT)   ECDH/ECDSA
80               1024            1248              160
112              2048            2432              224
128              3072            3248              256
192              7680            7936              384
256              15360           15424             512


Practical Usage Recommendations

● Symmetric Encryption: AES-256, mode: GCM (later)

● Asymmetric Encryption: RSA-2048

● Key exchange: ECDHE-256

● Hash: SHA-256

● Message Authentication:

− AES in GCM mode (authenticated encryption)

− Poly1305 (e.g. in combination with ChaCha20)

● Signature:

− RSA-2048 with SHA-256

− ECDSA-256 with SHA-256


Further Reading

● Paar (2010):

− Chapters: 6, 7, 8, 10, 11, 12
