320 likes | 443 Views
Foundations of Network and Computer Security. J ohn Black Lecture #9 Sep 16 th 2009. CSCI 6268/TLEN 5550, Fall 2009. Announcements. Quiz #2 will be next Friday, Sep 25 th Will cover material up to next Weds 9/23. Birthday Paradox. Need another method
E N D
Foundations of Network and Computer Security John Black Lecture #9 Sep 16th 2009 CSCI 6268/TLEN 5550, Fall 2009
Announcements • Quiz #2 will be next Friday, Sep 25th • Will cover material up to next Weds 9/23
Birthday Paradox • Need another method • Birthday paradox: if we have 23 people in a room, the probability is > 50% that two will share the same birthday • This happens because 23 is near the square root of 365 • Sqrt(365) ≈ 19.1 • More on this in a moment
Birthday Paradox (cont) • Let’s do the math • Let n equal number of people in the class • Start with n = 1 and count upward • Let NBM be the event that there are No-Birthday-Matches • For n=1, Pr[NBM] = 1 • For n=2, Pr[NBM] = 1 x 364/365 ≈ .997 • For n=3, Pr[NBM] = 1 x 364/365 x 363/365 ≈ .991 • … • For n=22, Pr[NBM] = 1 x … x 344/365 ≈ .524 • For n=23, Pr[NBM] = 1 x … x 343/365 ≈ .493 • Since the probability of a match is 1 – Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%
Occupancy Problems • What does this have to do with hashing? • Suppose each hash output is uniform and random on {0,1}n • Then it’s as if we’re throwing a ball into one of 2n bins at random and asking when a bin contains at least 2 balls • This is a well-studied area in probability theory called “occupancy problems” • It’s well-known that the probability of a collision occurs around the square-root of the number of bins • If we have 2n bins, the square-root is 2n/2
Birthday Bounds • This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2n/2 • This is known as the “birthday bound” • It’s impossible to do better, but quite easy to do worse • It is therefore hoped that it takes (264) work to find collisions in MD5 and (280) work to find collisions in SHA-1
The Birthday Bound 1.0 Probability 0.5 0.0 2n/2 2n Number of Hash Inputs
More Recently • At CRYPTO 2004 (August) • Collisions found in HAVAL, RIPEMD, MD4, MD5, and SHA-0 (240 operations) • Wang, Feng, Lai, Yu • Only Lai is well-known • HAVAL was known to be bad • Dobbertin found collisions in MD4 years ago • MD5 news is big! • CU team lowered time-to-collision to 3 mins (July 2005) • SHA-0 isn’t used anymore (but see next slide)
Collisions in SHA-0 M1, M1’ not in SHA-0 Wt= { t-th word of Mi 0 £t £ 15 ( Wt-3Å Wt-8Å Wt-14Å Wt-16 ) << 1 16 £t £ 79 A ¬ H0i-1; B ¬ H1i-1; C ¬ H2i-1; D ¬ H3i-1; E ¬ H4i-1 65 for t = 1 to 80 do T¬ A << 5 + gt (B, C, D) + E + Kt + Wt E ¬ D; D ¬ C; C ¬ B >> 2; B ¬ A; A ¬ T end H0..4i-1 Collision! H0i¬ A + H0i-1; H1i¬ A + H1i-1; H2i¬ C+ H2i-1; H3i¬ D + H3i-1; H4i¬ E + H4i-1
What Does this Mean? • Who knows • Methods are not yet understood • Will undoubtedly be extended to more attacks • Maybe nothing much more will happen • But maybe everything will come tumbling down?! • But we have OTHER ways to build hash functions
A Provably-Secure Blockcipher-Based Compression Function Mi n bits hi hi-1 E n bits n bits
The Big (Partial) Picture Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) First-Level Protocols Symmetric Encryption Asymmetric Encryption Digital Signatures MAC Schemes (Can do proofs) Block Ciphers Stream Ciphers Hash Functions Hard Problems Primitives (No one knows how to prove security; make assumptions)
Review • What MACs have we seen thus-far? • CBCMAC, XCBC, UMAC, HMAC • HMAC led to a discussion on crypto hash functions • MD5, SHA-1 are examples • These functions are unkeyed • Our hope is that they are collision-resistant • We’ll pick up with a construction of a hash function from a blockcipher
A Provably-Secure Blockcipher-Based Compression Function Mi n bits hi hi-1 E n bits n bits
The Big (Partial) Picture Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) First-Level Protocols Symmetric Encryption Asymmetric Encryption Digital Signatures MAC Schemes (Can do proofs) Block Ciphers Stream Ciphers Hash Functions Hard Problems Primitives (No one knows how to prove security; make assumptions)
Symmetric vs. Asymmetric • Thus far we have been in the symmetric key model • We have assumed that Alice and Bob share some random secret string • In practice, this is a big limitation • Bootstrap problem • Forces Alice and Bob to meet in person or use some mechanism outside our protocol • Not practical when you want to buy books at Amazon • We need the Asymmetric Key model!
Asymmetric Cryptography • In this model, we no longer require an initial shared key • First envisioned by Diffie in the late 70’s • Some thought it was impossible • MI6 purportedly already knew a method • Diffie-Hellman key exchange was first public system • Later turned into El Gamal public-key system • RSA system announced shortly thereafter
But first, a little math… • A group is a nonempty set G along with an operation # : G x G → G such that for all a, b, c ∈ G • (a # b) # c = a # (b # c) (associativity) • ∃ e ∈ G such that e # a = a # e = a (identity) • ∃ a-1 ∈ G such that a # a-1 = e (inverses) • If ∀a,b ∈ G, a # b = b # a we say the group is “commutative” or “abelian” • All groups in this course will be abelian
Notation • We’ll get tired of writing the # sign and just use juxtaposition instead • In other words, a # b will be written ab • If some other symbol is conventional, we’ll use it instead (examples to follow) • We’ll use power-notation in the usual way • ab means aaaaa repeated b times • a-b means a-1a-1a-1a-1 repeated b times • Here a ∈ G, b ∈ Z • Instead of e we’ll use a more conventional identity name like 0 or 1 • Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably
Examples of Groups • Z (the integers) under + ? • Q, R, C, under + ? • N under + ? • Q under x ? • Z under x ? • 2 x 2 matrices with real entries under x ? • Invertible 2 x 2 matrices with real entries under x ? • Note all these groups are infinite • Meaning there are an infinite number of elements in them • Can we have finite groups?
Finite Groups • Simplest example is G = {0} under + • Called the “trivial group” • Almost as simple is G = {0, 1} under addition mod 2 • Let’s generalize • Zm is the group of integers modulo m • Zm = {0, 1, …, m-1} • Operation is addition modulo m • Identity is 0 • Inverse of any a ∈ Zm is m-a • Also abelian
The Group Zm • An example • Let m = 6 • Z6 = {0,1,2,3,4,5} • 2+5 = 1 • 3+5+1 = 3 + 0 = 3 • Inverse of 2 is 4 • 2+4 = 0 • We can always pair an element with its inverse a : 0 1 2 3 4 5 a -1 : 0 5 4 3 2 1 • Inverses are always unique • An element can be its own inverse • Above, 0 and 0, 3 and 3
Another Finite Group • Let G = {0,1}n and operation is ⊕ • A group? • What is the identity? • What is the inverse of a ∈ G? • We can put some familiar concepts into group-theoretic notation: • Caesar cipher was just P + K = C in Z26 • One-time pad was just P ⊕ K = C in the group just mentioned above
Multiplicative Groups • Is {0, 1, …, m-1} a group under multiplication mod m? • No, 0 has no inverse • Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m? • Hmm, try some examples… • m = 2, so G = {1} X • m = 3, so G = {1,2} X • m = 4, so G = {1,2,3} oops! • m = 5, so G = {1,2,3,4} X
Multiplicative Groups (cont) • What was the problem? • 2,3,5 all prime • 4 is composite (meaning “not prime”) • Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime Proof: →: suppose m is composite, then m = ab where a,b ∈ G and a, b 1. Then ab = m = 0 and G is not closed ←: follows from a more general theorem we state in a moment
The Group Zm* • a,b ∈N are relatively prime iff gcd(a,b) = 1 • Often we’ll write (a,b) instead of gcd(a,b) • Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1} and operation is multiplication mod m yields a group • We name this group Zm* • We won’t prove this (though not too hard) • If m is prime, we recover our first theorem
Examples of Zm* • Let m = 15 • What elements are in Z15*? • {1,2,4,7,8,11,13,14} • What is 2-1 in Z15*? • First you should check that 2 ∈ Z15* • It is since (2,15) = 1 • Trial and error: • 1, 2, 4, 7, 8 X • There is a more efficient way to do this called “Euclid’s Extended Algorithm” • Trust me
Euler’s Phi Function • Definition: The number of elements of a group G is called the order of G and is written |G| • For infinite groups we say |G| = 1 • All groups we deal with in cryptography are finite • Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function” • Note that |Zm*| = (m) • This follows immediately from the definition of ()
Evaluating the Phi Function • What is (p) if p is prime? • p-1 • What is (pq) if p and q are distinct primes? • If p, q distinct primes, (pq) = (p)(q) • Not true if p=q • We won’t prove this, though it’s not hard
Examples • What is (3)? • |Z3*| = |{1,2}| = 2 • What is (5)? • What is (15)? • (15) = (3)(5) = 2 x 4 = 8 • Recall, Z15* = {1,2,4,7,8,11,13,14}
LaGrange’s Theorem • Last bit of math we’ll need for RSA • Theorem: if G is any finite group of order n, then ∀ a ∈ G, an = 1 • Examples: • 6 ∈ Z22, 6+6+…+6, 22 times = 0 mod 22 • 2 ∈ Z15*, 28 = 256 = 1 mod 15 • Consider {0,1}5 under ⊕ • 01011 2 {0,1}5, 0101132 = 0000016 =00000 • It always works (proof requires some work)
Basic RSA Cryptosystem • Basic Setup: • Alice and Bob do not share a key to start with • Alice will be the sender, Bob the receiver • Reverse what follows for Bob to reply • Bob first does key generation • He goes off in a corner and computes two keys • One key is pk, the “public key” • Other key is sk, the “secret key” or “private key” • After this, Alice can encrypt with pk and Bob decrypts with sk