1 / 83

Crypto and the Internet: Real-World Usage

Crypto and the Internet: Real-World Usage. Josh Benaloh Senior Cryptographer Microsoft Research. Todo. After digital certificate slide ~#54 Add a picture of a browser when talking about verisign. Internet Security?. The Internet was not designed for security.

joanne
Download Presentation

Crypto and the Internet: Real-World Usage

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Crypto and the Internet: Real-World Usage Josh Benaloh Senior Cryptographer Microsoft Research

  2. Todo • After digital certificate slide ~#54 • Add a picture of a browser when talking about verisign

  3. Internet Security? • The Internet was not designed for security. • Sending data via the Internet is like sending post cards through the mail … …when you don’t trust the Post Office.

  4. You (client) Merchant (server) A Typical Internet Session I want to make a purchase. What is your Credit Card Number? My Credit Card is 6543 2345 6789 8765.

  5. Basic Encryption Can we at least protect the credit card number so that it won’t be revealed to anyone except the intended merchant?

  6. Kerckhoffs’s Principle (1883) The security of a cryptosystem should depend only on the key. You should assume that attackers know everything about your system except the key.

  7. PINs, Passwords, & Keys Informally … • A PIN is a 4-6 digit speed bump. • A password is a short, user-chosen, usually guessable selection from a small dictionary. • A key is an unguessable, randomly chosen string – usually at least 128 bits.

  8. Off-Line Attacks • Don’t even think about using user-chosen passwords as encryption keys. • Don’t even think about using keys derived deterministically from user-chosen passwords. • Given the ciphertext, an attacker can do a (guided) exhaustive search through the space to find the password.

  9. Symmetric Encryption • If the client has a pre-existing relationship with the merchant, the two parties may have a shared secret key K – known only to these two. • User encrypts private data with key K. • Merchant decrypts data with key K.

  10. Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. • Stream ciphers • Block ciphers

  11. Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. • Stream ciphers • Block ciphers

  12. Stream Ciphers RC4, A5/1, SEAL, etc. • Use the key as a seed to a pseudo-random number-generator. • Take the stream of output bits from the PRNG and XOR it with the plaintext to form the ciphertext.

  13. Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext:

  14. Stream Cipher Decryption Ciphertext: PRNG(seed): Plaintext:

  15. A PRNG: Alleged RC4 Initialization S[0..255] = 0,1,…,255; j=0 K[0..255] = Key,Key,Key,… for i = 0 to 255 j = (j + S[i] + K[i]) mod 256 swap S[i] and S[j]

  16. A PRNG: Alleged RC4 Iteration i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap S[i] and S[j] t = (S[i] + S[j]) mod 256 Output S[t]

  17. Some Good Properties • Stream ciphers are typically very fast. • Stream ciphers can be very simple. • The same function is used for encryption and decryption.

  18. Stream Cipher Security If two plaintexts are ever encrypted with the same stream cipher and key C1 = K  P1 C2 = K  P2 an attacker can easily compute C1  C2 = P1  P2 from which P1 and P2 can usually be teased apart easily.

  19. Stream Cipher Encryption Plaintext: PRNG(seed): Ciphertext:

  20. Stream Cipher Integrity • It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way.

  21. Stream Cipher Integrity • It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $0,000,002.00 to the account of my good friend Alice.

  22. Stream Cipher Integrity • It is easy for an adversary (even one who can’t decrypt the ciphertext) to alter the plaintext in a known way. Bob to Bob’s Bank: Please transfer $1,000,002.00 to the account of my good friend Alice.

  23. Symmetric Ciphers Private-key (symmetric) ciphers are usually divided into two classes. • Stream ciphers • Block ciphers

  24. Block Ciphers AES, DES, 3DES, Twofish, etc. Key Usually 16 or more bytes Block Cipher Ciphertext Plaintext Data Usually 8 or 16 bytes

  25. How to Build a Block Cipher Plaintext Block Cipher Key Ciphertext

  26. Feistel Ciphers Ugly

  27. Feistel Ciphers Ugly

  28. Feistel Ciphers Ugly

  29. Ugly Feistel Ciphers

  30. Ugly Ugly Feistel Ciphers

  31. Feistel Ciphers • Typically, Feistelciphers are iterated for about 10-16 rounds. • Different “sub-keys” are used for each round. • Even a weak round function can yield a strong Feistel cipher if iterated sufficiently.

  32. Ugly Ugly Feistel Ciphers

  33. Ugly Ugly Feistel Ciphers Key1 Key2

  34. Feistel Ciphers • Typically, Feistelciphers are iterated for about 10-16 rounds. • Different “sub-keys” are used for each round. • Even a weak round function can yield a strong Feistel cipher if iterated sufficiently.

  35. You (client) Merchant (server) Transfer of Confidential Data I want to make a purchase. What is your Credit Card Number? My Credit Card is E(6543 2345 6789 8765).

  36. You (client) Merchant (server) Transfer of Confidential Data I want to make a purchase. Please encrypt your credit number with our shared secret key. What shared secret key???

  37. Asymmetric Encryption • What if the user and merchant have no prior relationship? • Asymmetric encryption allows someone to encrypt a message for a recipient without knowledge of the recipient’s decryption key.

  38. The Fundamental Equation

  39. The Fundamental Equation When is unknown, it can be efficiently computed.

  40. The Fundamental Equation When is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

  41. The Fundamental Equation When is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve … without the factorization of .

  42. The Fundamental Equation The problem is not well-studied for the case when is unknown.

  43. How to compute Compute and then reduce . • If , and each are -bit integers, consists of ~ bits. • Since there are roughly particles in the universe, storage is a problem.

  44. How to compute • Repeatedly multiplying by by itself times (with a modulo reduction after each multiplication) solves the storage problem. • However, we would need to perform ~64-bit multiplications per second to complete the computation before the sun burns out.

  45. How to compute Multiplication by Repeated Doubling To compute , compute , , , , , and sum up those values dictated by the binary representation of . Example: .

  46. How to compute Exponentiation by Repeated Squaring To compute , compute , , , , , and multiply those values dictated by the binary representation of . Example: .

  47. How to compute We can now perform a -bit modular exponentiation using ~-bit modular multiplications. • squarings: , ,, , • ~ “ordinary” multiplications

  48. The Fundamental Equation When is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve … without the factorization of .

  49. RSA Encryption/Decryption • Select two large primes and . • Publish the product . • The exponent is typically fixed at . • Encrypt message as . • Decrypt ciphertext as . • Note .

  50. RSA Signatures and Verification • Not only is , but also . • To form a signature of message , create . • To verify the signature, check that matches .

More Related