4. Using Encryption Wisely

Sujeet Shenoi
Center for Information Security
Department of Computer Science
University of Tulsa, Tulsa, OK 74104
sujeet@utulsa.edu

4. Using Encryption Wisely
Encryption provides a “false sense of security”
• Must be used correctly
• Practices
• Protocols

Encryption Speed
Delay Time
• Stream / Stream-Block / Block
• DES: 64-bit blocks
• RSA: 100-200-bit blocks (limited security with short blocks)
Speed
• Symmetric algorithms are much faster (1,000 to 5,000 times)
• Hardware solutions are much faster
• RSA: 220K bits/s (hardware) vs 0.5K bits/s/MIPS (software)
• DES: 1,200,000K bits/s (hardware) vs 400K bits/s/MIPS (software)

Block Replay
Transaction format (48 bytes, 6 DES blocks)
• Depositor Name: 24 bytes (3 DES blocks)
• Src Acct: 8 bytes (1 DES block)
• Dest Acct: 8 bytes (1 DES block)
• Amount: 8 bytes (1 DES block)
Original transactions
• Intruder | xxx | I# | zz$
• John Doe | yyy | JD# | 8K$
Fabricated transaction (intruder's name and destination, John Doe's source account and amount, spliced at the block level)
• Intruder | yyy | I# | 8K$

Block Chaining
• Prevents “Block Replay”
• x ⊕ x = 0 (1011 ⊕ 1011 = 0000)
• Encryption
  C1: { P1 }K
  C2: { P2 ⊕ C1 }K
  Cj: { Pj ⊕ Cj-1 }K
• Decryption
  P1: { C1 }K
  P2: { C2 }K ⊕ C1
  Pj: { Cj }K ⊕ Cj-1

Initial Chaining Value
• Block Chaining conceals identical blocks only if each block is preceded by something unique
• Suppose messages always begin with: “US Army HQ”
• Encryption
  C1: { IV }K (IV: random initial vector)
  C2: { P1 ⊕ C1 }K
  Cj: { Pj-1 ⊕ Cj-1 }K
• Decryption
  P0: { C1 }K
  Pj: { Cj+1 }K ⊕ Cj

One Way Encryption
Use special functions
• f(x) = x^3 → x = (f(x))^(1/3) (difficult to compute)
• f(x) = x^2 → x = (f(x))^(1/2) (no unique inverse, e.g., for f(x) = 4)
• System stores f(pwd)
• User enters string
• System computes f(string) and compares with f(pwd)
• Internet Worm (Nov. 2, 1988)

Cryptographic Sealing
Integrity (as opposed to Secrecy)
• Store <file> and SHA(<file>)
• A cryptographic checksum could be the last block of a chained DES encryption

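The two slides above (one-way encryption of passwords, and sealing a file with a checksum) share one mechanism, so here is one added example covering both. It is not code from the lecture; it uses only the Python standard library. The password part goes slightly beyond the slide by salting and iterating the one-way function (PBKDF2), and the sealing part puts an unkeyed SHA-256 seal next to a keyed one (HMAC, standing in for the slide's "last block of a chained DES encryption") to show why the key matters. Messages, keys and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# One-way encryption of passwords: the system stores f(pwd) and compares f(string)
# against it. The slide's f is a bare one-way function; this version also salts
# and iterates it (PBKDF2 from the standard library), so two users with the same
# password do not store the same value and guessing is slowed down.

def enroll(password, iterations=100_000):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    # constant-time comparison: a plain == returns early at the first differing byte
    return hmac.compare_digest(candidate, record["digest"])

# Cryptographic sealing: store <file> together with SHA(<file>). An unkeyed hash
# catches accidental corruption, but whoever can rewrite the file can rewrite the
# hash next to it. A keyed checksum (HMAC here, standing in for the slide's "last
# block of a chained DES encryption") cannot be recomputed without the key.

def seal(data):
    return hashlib.sha256(data).digest()

def check_seal(data, digest):
    return hmac.compare_digest(seal(data), digest)

def keyed_seal(data, key):
    return hmac.new(key, data, hashlib.sha256).digest()

def check_keyed_seal(data, key, tag):
    return hmac.compare_digest(keyed_seal(data, key), tag)

def tamper_demo(key=b"constructed-seal-key"):
    # Constructed file contents: the attacker swaps the file and recomputes the hash
    original = b"transfer 10 to alice\n"
    forged = b"transfer 10000 to mallory\n"
    stored_tag = keyed_seal(original, key)
    attacker_hash = seal(forged)                  # no key needed for this one
    return {
        "unkeyed_accepts_forgery": check_seal(forged, attacker_hash),
        "keyed_rejects_forgery": not check_keyed_seal(forged, key, stored_tag),
        "keyed_accepts_original": check_keyed_seal(original, key, stored_tag),
    }

if __name__ == "__main__":
    rec = enroll("correct horse battery")
    print(verify("correct horse battery", rec), verify("Tr0ub4dor&3", rec))  # True False
    print(tamper_demo())
```

The comparison in `verify` and `check_seal` uses `hmac.compare_digest` rather than `==` so that the time taken does not depend on how many leading bytes matched; the slide's "compares with f(pwd)" step is where that detail lives.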
Authentication and Time Stamps
Authentication
• Biometrics
Time Stamps
• Prevent replays
• Chronology
• Sender’s and receiver’s time stamps must match

Cipher Block Chain (CBC)
• Prevents block replay
• Self-healing (an error in block Cj affects only Bj and Bj+1)
• Encryption
  C1: { B1 }K (usually B1 = Initial Vector)
  C2: { B2 ⊕ C1 }K
  Cj: { Bj ⊕ Cj-1 }K
• Decryption
  Bj: { Cj }K ⊕ Cj-1

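The block replay, chaining, initial-vector and CBC slides above all describe one experiment, so here is one added example that runs it. It is not the lecture's code: the 64-bit block cipher is a constructed four-round Feistel network built from SHA-256 (standing in for DES only so the script needs no crypto library), the transaction layout follows the Block Replay slide, and the key and records are constructed. It shows the block-level splice succeeding under ECB, the same splice turning to junk under CBC, the "error in Cj touches only Bj and Bj+1" property, and the random IV hiding an identical first block.

```python
import hashlib
import secrets

BLOCK = 8                         # 64-bit blocks, like DES
KEY = b"constructed-demo-key"     # constructed key; any bytes work

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, r):
    # Constructed Feistel round function: keyed hash truncated to half a block
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def block_encrypt(block, key, rounds=4):
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(right, key, r))
    return right + left   # final swap, so decryption is the same loop run backwards

def block_decrypt(block, key, rounds=4):
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _f(right, key, r))
    return right + left

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):
    return b"".join(block_encrypt(b, key) for b in blocks(data))

def ecb_decrypt(data, key):
    return b"".join(block_decrypt(b, key) for b in blocks(data))

def cbc_encrypt(data, key, iv=None):
    # C1 = {P1 xor IV}K, Cj = {Pj xor Cj-1}K; the random IV travels as block 0
    iv = iv or secrets.token_bytes(BLOCK)
    out, prev = [iv], iv
    for p in blocks(data):
        prev = block_encrypt(_xor(p, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data, key):
    # Pj = {Cj}K xor Cj-1, with C0 the IV carried in front of the ciphertext
    cs = blocks(data)
    return b"".join(_xor(block_decrypt(cs[j], key), cs[j - 1]) for j in range(1, len(cs)))

def make_record(name, src, dest, amount):
    # Slide layout: 24-byte depositor name (3 blocks), then 8-byte source account,
    # destination account and amount (1 block each), space padded: 6 blocks in all
    return (name.ljust(24) + src.ljust(8) + dest.ljust(8) + amount.ljust(8)).encode()

INTRUDER = make_record("Intruder", "xxx", "I#", "zz$")
VICTIM = make_record("John Doe", "yyy", "JD#", "8K$")
FORGED = make_record("Intruder", "yyy", "I#", "8K$")

def splice(own_ct, victim_ct, skip=0):
    # Block replay: paste the victim's source-account (4th) and amount (6th)
    # ciphertext blocks into the intruder's record; `skip` steps over a CBC IV
    own, vic = blocks(own_ct), blocks(victim_ct)
    own[skip + 3], own[skip + 5] = vic[skip + 3], vic[skip + 5]
    return b"".join(own)

def ecb_replay():
    # Under ECB every block decrypts on its own, so the splice is a valid record
    return ecb_decrypt(splice(ecb_encrypt(INTRUDER, KEY), ecb_encrypt(VICTIM, KEY)), KEY)

def cbc_replay():
    # Under CBC the pasted blocks are chained to the wrong neighbours and decrypt to junk
    return cbc_decrypt(splice(cbc_encrypt(INTRUDER, KEY), cbc_encrypt(VICTIM, KEY), skip=1), KEY)

def cbc_error_propagation(j=2):
    # Flip one bit in ciphertext block Cj: only plaintext blocks j and j+1 change
    ct = bytearray(cbc_encrypt(VICTIM, KEY))
    ct[j * BLOCK] ^= 0x01
    good, bad = blocks(VICTIM), blocks(cbc_decrypt(bytes(ct), KEY))
    return [i + 1 for i in range(len(good)) if good[i] != bad[i]]

def cbc_hides_prefix():
    # Same plaintext twice with fresh IVs: the first ciphertext blocks differ
    a, b = cbc_encrypt(VICTIM, KEY), cbc_encrypt(VICTIM, KEY)
    return blocks(a)[1] != blocks(b)[1]

if __name__ == "__main__":
    print(ecb_replay())             # the fabricated 'Intruder ... yyy ... 8K$' record
    print(cbc_replay())             # mostly unreadable bytes
    print(cbc_error_propagation())  # [2, 3]
```

Note what CBC does and does not give here: the splice no longer yields a meaningful record, but nothing in the decryption flags it as tampered, which is why the later Cryptographic Sealing slide pairs encryption with an integrity check.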
Cipher Feedback (CFB)
• Block nature of DES is inconvenient
  Partial final block must be padded (size of ciphertext > size of plaintext)
  Encryption cannot begin until an entire 64-bit block is input (secure networks: every character must be encrypted)
• CFB: Block → Stream
• Encryption error only affects the next 8 characters

Double Encryption
DES is “weak”. Can we use two 56-bit DES keys back to back?
• { { Message }K1 }K2
• 56-bit key → 2^56 possibilities
• Two 56-bit keys → 2^112 possibilities?
• No! 2^57 possibilities (Merkle, 1981)

Triple DES
Uses two 56-bit DES keys; same hardware/software
Encryption
1. C1 = DESEncrypt(P, K1)
2. C2 = DESDecrypt(C1, K2)
3. C3 = DESEncrypt(C2, K1)
Decryption
1. D2 = DESDecrypt(C3, K1)
2. D1 = DESEncrypt(D2, K2)
3. P = DESDecrypt(D1, K1)

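An added example for the Double Encryption and Triple DES slides, not from the lecture. DES itself is replaced by a constructed 8-bit toy cipher with 8-bit keys so that both key spaces can be enumerated in a moment; the meet-in-the-middle search then costs about 2·2^8 cipher calls instead of the 2^16 of a naive two-key search, which is the same gap the slide states for DES (2^57 rather than 2^112). The second half implements the slide's two-key EDE construction and checks that K1 = K2 collapses it to single encryption. Keys and plaintexts are constructed.

```python
import random

# Constructed 8-bit toy block cipher with an 8-bit key. It stands in for DES only so
# that both key spaces can be enumerated in a moment; it has no other merit.
_rng = random.Random(2024)
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def enc(block, key):
    return SBOX[(block + key) & 0xFF] ^ key

def dec(block, key):
    return (INV_SBOX[block ^ key] - key) & 0xFF

def double_enc(block, k1, k2):
    # { { block }K1 }K2
    return enc(enc(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (k1, k2) for double_enc from known plaintext/ciphertext pairs.

    Encrypt P under every k1 and decrypt C under every k2; a correct pair meets at
    the same middle value. That is 2 * 2^8 cipher calls plus a 2^8-entry table,
    not the 2^16 calls an exhaustive search over both keys would need."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(256):
        forward.setdefault(enc(p0, k1), []).append(k1)
    candidates = [(k1, k2) for k2 in range(256) for k1 in forward.get(dec(c0, k2), [])]
    # one pair leaves about 2^16 / 2^8 = 2^8 false matches; further pairs weed them out
    for p, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates if double_enc(p, k1, k2) == c]
    return candidates

def triple_enc(block, k1, k2):
    # EDE with two keys, as on the slide: E_K1(D_K2(E_K1(P))).
    # With k1 == k2 the middle step undoes the first, leaving single encryption,
    # which is why the same hardware can still talk to single-key peers.
    return enc(dec(enc(block, k1), k2), k1)

def triple_dec(block, k1, k2):
    return dec(enc(dec(block, k1), k2), k1)

def recover_keys_demo(k1=0x3C, k2=0xA7):
    # constructed known plaintexts (a few plaintext/ciphertext pairs are enough)
    pairs = [(p, double_enc(p, k1, k2)) for p in (0x41, 0x42, 0x43, 0x44)]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print(recover_keys_demo())                        # contains (0x3c, 0xa7)
    print(triple_enc(0x41, 5, 5) == enc(0x41, 5))     # True
```

The memory side of the trade is visible in `forward`: the attack needs a table of 2^k entries, so for real DES the 2^57 figure comes with a 2^56-entry table, which is what makes the EDE triple construction (effective strength well beyond double encryption, at three times the cost) the practical answer.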
5. Cryptographic Protocols

Sujeet Shenoi, Center for Information Security, University of Tulsa

5. Cryptographic Protocols
Cryptographic Protocol
• Orderly sequence of steps to achieve certain security properties
• Established in advance
• Mutually subscribed
• Unambiguous
• Complete

Kinds of Protocols
Arbitrated Protocols
• Trusted third party participates in each transaction
• Expensive, slow, vulnerable
Adjudicated Protocols
• Third party judges fairness after the fact
• Address the disadvantages of arbitrated protocols
• Detect failure only after the fact
Self-Enforcing Protocols
• Guarantee fairness; cheating is immediately obvious
• May not exist for every situation

Applications of Protocols
• Key Distribution
• Certificates
• Digital Signatures
• Clipper Key Exchange
• Mental Poker
• Voting by Computer
• Oblivious Transfer
• Contract Signing
• Certified Mail

Key Distribution Protocols
1. Symmetric Key Exchange (without Server)
2. Symmetric Key Exchange (with Server)
3. Asymmetric Key Exchange (without Server)
4. Asymmetric Key Exchange (with Server)

Sym. Key Exchange (No Server)
Requirements
• A & B share KM (Master Key)
Protocol
1. A: Generates session key KS
2. A → B: { KS }KM

Sym. Key Exchange (Server)
Needham-Schroeder Protocol
1. A → S: A, B, IA (IA: unique session ID)
2. S → A: { IA, B, KAB, { KAB, A }KB }KA (KAB: new session key)
3. A → B: { KAB, A }KB

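An added simulation of the three Needham-Schroeder steps on the slide, written for this page rather than taken from it. The `{ ... }K` notation is realised with a constructed authenticated cipher (SHA-256 keystream plus an HMAC tag, standard library only), so a message opens only under the right key and any change to it is rejected. The master keys KA and KB, the principal names and the session identifier IA are constructed; the checks A makes on message 2 (that it answers her own IA and names B) are the part worth noticing, since KAB is only trusted once they pass.

```python
import hashlib
import hmac
import json
import secrets

# Constructed symmetric cipher for the {...}K notation: SHA-256 keystream plus an
# HMAC tag, so a message can only be opened, and not altered, by a holder of K.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, fields):
    nonce = secrets.token_bytes(12)
    pt = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KeyServer:
    """S: holds the master key it shares with each principal (KA, KB, ...)."""
    def __init__(self, master_keys):
        self.master_keys = master_keys

    def step2(self, a, b, ia):
        # S -> A: { IA, B, KAB, { KAB, A }KB }KA, with a fresh KAB
        kab = secrets.token_bytes(16).hex()
        ticket = encrypt(self.master_keys[b], {"kab": kab, "a": a})
        return encrypt(self.master_keys[a], {"ia": ia, "b": b, "kab": kab, "ticket": ticket.hex()})

def run(server, ka, kb, a="A", b="B"):
    ia = secrets.token_hex(8)                     # step 1: A -> S: A, B, IA
    reply = decrypt(ka, server.step2(a, b, ia))   # step 2, opened with KA
    # A checks the reply answers this request (IA) for this peer (B) before trusting KAB
    if reply["ia"] != ia or reply["b"] != b:
        raise ValueError("reply does not match the request")
    ticket = bytes.fromhex(reply["ticket"])       # step 3: A -> B: { KAB, A }KB
    seen_by_b = decrypt(kb, ticket)               # B opens the ticket with KB
    return reply["kab"], seen_by_b

def demo():
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed master keys
    server = KeyServer({"A": ka, "B": kb})
    kab_at_a, seen_by_b = run(server, ka, kb)
    return kab_at_a == seen_by_b["kab"] and seen_by_b["a"] == "A"

def outsider_cannot_open():
    # Someone without KA (B, or an eavesdropper) cannot read KAB out of message 2
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    server = KeyServer({"A": ka, "B": kb})
    msg2 = server.step2("A", "B", "req-1")
    try:
        decrypt(kb, msg2)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), outsider_cannot_open())   # True True
```

Both sides end up with the same KAB and B learns from the ticket who it is shared with, which is all the three steps on the slide promise; the ticket carries no freshness information for B, so anything B needs to know about replay has to come from additional steps.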
Asym. Key Exchange (No Server)
Important Point
• Asymmetric key encryption is very expensive
• Never encrypt the message; transmit an encrypted symmetric key
Protocol
1. A → B: { { KAB }KApriv }KBpub
2a. B → A: { n }KAB (n: random number)
2b. A → B: { n + 1 }KAB

Asym. Key Exchange (Server)
Protocol
1. A → S: A, B
2. S → A: { KBpub, B }KSpriv
3. A → B: { A, IA }KBpub (IA: message reference)
4. B → S: B, A
5. S → B: { KApub, A }KSpriv
6. B → A: { IA, IB }KApub (IB: message reference)
7. A → B: { KAB, IB }KBpub (KAB: message)

Certificates
Binding an individual’s identity and public key
• A: President and CEO
• B, C: Vice Presidents
• C supervises D and E
• B’s Certificate: { IDB, PosB, KBpub, H(.) }KApriv
• C’s Certificate: { IDC, PosC, KCpub, H(.) }KApriv
• D’s Certificate: { IDD, PosD, KDpub, H(.) }KCpriv, plus C’s Certificate
• Always need a top-level authority

Digital Signature Protocols
Goals [M, sig(M, P)]
• Non-forgeable
• Authentic
• Non-alterable; non-reusable
• Non-repudiation
Protocols
• Symmetric Key Protocol (Arbiter (A) needed)
• Cryptographic Sealing (Arbiter (A) needed)
• Asymmetric Key Protocol (Self-Enforcing)

Symmetric Key (Digital Signature)
Symmetric Key Protocol (Non-forgeability, Authenticity, Non-repudiation)
• S → A: { M }KS
• A → R: { M, S, { M }KS }KR
• R: Unlocks with KR; saves M and { M }KS

Cryptographic Sealing (Dig. Sig.)
Cryptographic Sealing Function
• f(M) → unique value
• S and R register fS and fR with Arbiter A
Protocol (No Secrecy)
1. S → A: M, fS(M)
2. A: Recomputes fS(M) and compares it with the fS(M) received from S
3. A → R: M, S, fS(M), fR(M, S)

Asymmetric Key (Digital Signature)
Protocol 1 (Non-forgeability, Authenticity, Non-repudiation)
• S → R: { M }KSpriv
• R: { { M }KSpriv }KSpub → M (saves { M }KSpriv)
Protocol 2 (Double Encryption: Privacy)
• S → R: { { M }KSpriv }KRpub
• R: { { { { M }KSpriv }KRpub }KSpub }KRpriv → M

Clipper Key Exchange Algorithm
Seven Step Protocol
• Three steps for key exchange
• Four steps for mutual authentication
• S & R share a secret key KP, a symmetric algorithm and an asymmetric algorithm

Clipper Key Exchange (contd.)
Step 1
• S → R: { KSpub }KP
Step 2
• R: Uses KP to obtain KSpub
• R: Chooses random session key Kk
• R → S: { { Kk }KP }KSpub
Step 3
• S: Uses KSpriv and KP to obtain Kk

Clipper Authentication (contd.)
Step 4
• S → R: { M }Kk (M: random string)
Step 5
• R: Uses Kk to obtain M
• R → S: { M, N }Kk (N: random string)
Step 6
• S: Checks M
Step 7
• R: Checks N

Mental Poker Protocol
Symmetric Key Implementation
• A → B: { m1 }KA … { m10 }KA
• B: Locks 5 messages: { { mj }KA }KB …
• B → A: { mi }KA … & { { mj }KA }KB …
• A: Unlocks all 10 messages with KA; keeps 5 messages: { { mi }KA }KA … = mi …
• A → B: { { { mj }KA }KB }KA … = { mj }KB …
• B: Unlocks all 5 messages with KB; keeps 5 messages: { { mj }KB }KB … = mj …

Mental Poker Protocol (contd.)
Asymmetric Key Implementation
• A → B: { m1 }KApub … { m10 }KApub
• B: Locks 5 messages: { { mj }KApub }KBpub …
• B → A: { mi }KApub … & { { mj }KApub }KBpub …
• A: Unlocks all 10 messages with KApriv; keeps 5 messages: { { mi }KApub }KApriv … = mi …
• A → B: { { { mj }KApub }KBpub }KApriv … = { mj }KBpub …
• B: Unlocks all 5 messages with KBpriv; keeps 5 messages: { { mj }KBpub }KBpriv … = mj …

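An added, runnable version of the symmetric-key mental poker deal from the two slides above; it is not the lecture's code. The step "A unlocks { { mj }KA }KB with KA and gets { mj }KB" only works if the two locks commute, so the lock here is modular exponentiation (m^e mod P with d = e^-1 mod P-1, the Shamir-Rivest-Adleman construction), which is an assumption of this example rather than something the slide specifies. The modulus, the ten card values and both keys are constructed.

```python
import math
import secrets

P = 2**127 - 1   # constructed public modulus (a Mersenne prime); cards are integers < P

def keygen():
    # Lock exponent e coprime to P-1 and its inverse d, so (m^e)^d = m (mod P).
    # Locking is exponentiation, so locks commute: ((m^ea)^eb)^da = m^eb.
    while True:
        e = secrets.randbelow(P - 2) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def lock(m, key):
    return pow(m, key[0], P)

def unlock(c, key):
    return pow(c, key[1], P)

def deal(cards):
    """Symmetric-key mental poker from the slide: A and B each end with 5 of 10 cards."""
    ka, kb = keygen(), keygen()
    rng = secrets.SystemRandom()
    # A -> B: { m1 }KA ... { m10 }KA; B cannot read them
    deck = [lock(m, ka) for m in cards]
    rng.shuffle(deck)                       # B shuffles, so A's sending order means nothing
    b_pick, a_pick = deck[:5], deck[5:]
    # B -> A: { mi }KA (A's five, untouched) and { { mj }KA }KB (B's five, locked again)
    to_a = a_pick + [lock(c, kb) for c in b_pick]
    # A unlocks all ten with KA: her five are plain, B's five are now { mj }KB
    hand_a = [unlock(c, ka) for c in to_a[:5]]
    for_b = [unlock(c, ka) for c in to_a[5:]]
    # A -> B: { mj }KB; B unlocks with KB and reads its hand
    hand_b = [unlock(c, kb) for c in for_b]
    return hand_a, hand_b

def locks_commute(m=7):
    ka, kb = keygen(), keygen()
    return unlock(lock(lock(m, ka), kb), ka) == lock(m, kb)

if __name__ == "__main__":
    a, b = deal(list(range(2, 12)))   # constructed deck: ten cards numbered 2..11
    print(sorted(a), sorted(b), locks_commute())
```

This particular lock is known to leak one bit per card (whether the card value is a quadratic residue modulo P, which exponentiation preserves), so it demonstrates the protocol's structure rather than a deployable game; the slide's abstract { m }K hides everything about m.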
Voting by Computer Protocol
2*n Link Chain (n: number of voters)
• Results at each link can be made public without destroying anonymity
• During the last n links, anyone can go back to check, but only one can go forward
• Assume three voters (J, K, L)
• Two pairs of public keys per voter
  (KJpriv, KJpub); (KKpriv, KKpub); (KLpriv, KLpub)
  (RJpriv, RJpub); (RKpriv, RKpub); (RLpriv, RLpub)
• Ripub embeds a random string; allows voter i to check vote

Voting by Computer (contd.)
Step 0
• Each voter encrypts vote and sends it to J
• J has: RJpub ∘ RKpub ∘ RLpub ∘ KJpub ∘ KKpub ∘ KLpub (vi)
Steps 1-3
• J (K, L) verifies vote is in pool with RJpriv (RKpriv, RLpriv)
• Applies RJpriv (RKpriv, RLpriv) to each vote
• Sends votes to K (L, J)
• J has: KJpub ∘ KKpub ∘ KLpub (vi)

Voting by Computer (contd.)
Steps 4-6
• J (K, L) applies KJpriv (KKpriv, KLpriv) to each vote
• Signs all votes
• Sends votes to K (L)
• L has all votes: vi
• L counts votes
• L posts results

Oblivious Transfer Protocol
Eight Step Protocol (Flipping a coin at a distance)
1. A: Picks two asymmetric key pairs: (KIpriv, KIpub), (KJpriv, KJpub)
2. B: Picks symmetric key KB
3. A → B: KIpub, KJpub
4. B: Picks one key at random: KHpub
   B → A: { KB }KHpub
5. A: Picks I or J at random (say J)
   Computes KA = { { KB }KHpub }KJpriv (KA = KB if H = J)
6. A → B: { A loses }KA, J
7. B: M = { { A loses }KA }KB
   B → A: M, H (B loses if H ≠ J)
8. A → B: KIpriv, KJpriv (for verification)

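An added trace of the eight-step coin flip, written for this page and not part of the lecture. The two asymmetric pairs are constructed toy RSA keys (small well-known primes, no padding), the `{ M }K` symmetric step is XOR with SHA-256(K), and KB is a constructed random 56-bit value kept below both moduli so that RSA recovers it exactly when H = J. Running all four (H, J) combinations shows B winning exactly when the two random choices coincide, and step 8 lets B recompute A's KA.

```python
import hashlib
import secrets

E = 65537

def rsa_keypair(p, q):
    # Constructed toy RSA pair (public, private) from two small primes; no padding,
    # tiny modulus: enough to trace the protocol, not to protect anything
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa_apply(x, key):
    exp, n = key
    return pow(x, exp, n)

def sym(key_int, msg):
    # Constructed symmetric cipher for { M }K: XOR with SHA-256(K); applying it
    # twice with the same key restores M
    pad = hashlib.sha256(key_int.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

# 1. A picks two asymmetric key pairs, I and J (two well-known small primes each)
KEYS = [rsa_keypair(1000000007, 998244353), rsa_keypair(1000000009, 1000000021)]
PUB, PRIV = [k[0] for k in KEYS], [k[1] for k in KEYS]

def coin_flip(h=None, j=None):
    """One run of the eight-step protocol; h and j may be fixed to trace a case."""
    # 2. B picks a symmetric key KB (kept below both moduli so RSA recovers it exactly)
    kb = secrets.randbits(56)
    # 3. A -> B: KIpub, KJpub   (PUB)
    # 4. B picks one public key H at random and sends { KB }KHpub
    h = secrets.randbelow(2) if h is None else h
    msg4 = rsa_apply(kb, PUB[h])
    # 5. A picks I or J at random and computes KA = { { KB }KHpub }KJpriv; KA == KB iff H == J
    j = secrets.randbelow(2) if j is None else j
    ka = rsa_apply(msg4, PRIV[j])
    # 6. A -> B: { A loses }KA, J
    msg6 = sym(ka, b"A loses")
    # 7. B computes M = { { A loses }KA }KB, readable only if KA == KB, and returns M, H
    m = sym(kb, msg6)
    b_wins = (m == b"A loses")
    # 8. A -> B: KIpriv, KJpriv, so B can redo step 5 and confirm A did not cheat
    verified = rsa_apply(msg4, PRIV[j]) == ka
    return {"H": h, "J": j, "winner": "B" if b_wins else "A", "verified": verified}

if __name__ == "__main__":
    for h in (0, 1):
        for j in (0, 1):
            print(coin_flip(h, j))   # B wins exactly when H == J
```

Step 7 is where the obliviousness sits: when H ≠ J, A's KA is a meaningless decryption of B's message, the "A loses" string comes out as noise for B, and neither side could have steered the outcome without the other's random choice.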
Contract Signing Protocol
1. A: Selects 2n symmetric keys C1 .. C2n and arranges them in pairs (Ci, Cn+i), i = 1 .. n
2. A → B: { S }Ci, i = 1 .. 2n (S = standard message; each { S }Ci is an S-puzzle)
3. A: Agrees to the contract if B can produce a pair (Ci, Cn+i) for any i (an S-puzzle solution)
4. B: Repeats Steps 1-3 with keys Di and S-puzzles { S }Di
5. A → B: Exchange (Ci, Cn+i) … by Oblivious Transfer Protocol
   B → A: Exchange (Di, Dn+i) … by Oblivious Transfer Protocol
6. For each bit j:
   A → B: jth bit of Ci, i = 1 .. 2n
   B → A: jth bit of Di, i = 1 .. 2n

Certified Mail Protocol
1. A: Selects n + 1 symmetric keys g0 .. gn and computes gn+i = g0 ⊕ gi, i = 1 .. n
2. A → B: G = { M }g0 (g0 = gn+i ⊕ gi for all i)
3. A → B: Gi = { SA }gi, i = 1 .. 2n (SA = standard message)
4. B: Selects 2n symmetric keys h1 .. h2n
   B → A: Hi = { SB }hi, i = 1 .. 2n (SB = standard message)
5. B: Agrees to acknowledge receipt of the plaintext of G if A can produce any one of the pairs (hi, hn+i) and all gj (j = 1 .. 2n)
6. A → B: Exchange (gi, gn+i) … by Oblivious Transfer Protocol
   B → A: Exchange (hi, hn+i) … by Oblivious Transfer Protocol
7. For each bit j:
   A → B: jth bit of gi, i = 1 .. 2n
   B → A: jth bit of hi, i = 1 .. 2n