1 / 47

Overview of Cryptography

Overview of Cryptography. Introduction Symmetric-key cryptography Block ciphers Symmetric-key algorithms Cipher block modes Stream cipher Public-key cryptography Digital signature Public key distribution Public-key algorithms Cryptographic hash function Attack complexity Application

dalit
Download Presentation

Overview of Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Overview of Cryptography

  2. Introduction Symmetric-key cryptography Block ciphers Symmetric-key algorithms Cipher block modes Stream cipher Public-key cryptography Digital signature Public key distribution Public-key algorithms Cryptographic hash function Attack complexity Application Digital signature Message authentication code Key establishment server-based Public-key based Key agreement (Diffie-Hellman) Contents

  3. Confidentiality Data integrity Authentication Entity authentication (identification) Message authentication (data origin authentication) Verification of message timeliness and sequences Non-repudiation Availability Access control Information security objectives

  4. Unkeyed primitives Arbitrary length hash functions One-way permutations Random sequences Symmetric-key primitives Symmetric-key ciphers Block ciphers Stream ciphers Arbitrary length hash functions (MACs) Signatures Pseudorandom sequences Identification primitives Public-key primitives Public-key ciphers Signatures Identification primitives Security primitives (tools)

  5. The crypto attributes are evaluated w.r.t. various criteria. Level of security Functionality Methods of operation Performance Ease of implementation Criteria

  6. Cryptology: the art and science of making and breaking “secrete codes” Cryptography: making “secrete codes” Cryptanalysis: breaking “secrete codes” Crypto

  7. Other terms: single-key, one-key, private-key, conventional encryption Why do symmetric cryto need a key, not just a certain transformation? One of the major issues is to find an efficient method to agree upon and exchange keys securely. Key distribution problem Symmetric-key encryption

  8. adversary Secure channel key source e e c decryption De(c)=m encryption Ee(m)=c unsecure channel m m Plaintext source destination

  9. Substitution ciphers Transposition ciphers Composition ciphers Product ciphers block ciphers

  10. Data Encryption Standard (DES) Adapted in 1973 by NIST 64-bits blocks, 56 bits key Triple DES ANSI X9.17 in 1986 168 bits key Advanced Encryption Standard (AES) Adapted in 2001 by NIST 128 bits block length, key length 128 bits(192, 256) International Data Encryption Algorithm (IDEA) Published in 1991 Block size 64bits, key size 128 bits Blowfish In 1993 Key size: variable to 448, block size: 64bits RC5 In 1994 Key size: variable to 2048, block size: 64bits Symmetric-key encryption algorithms

  11. Block cipher modes of operation ECB: Electronic code book CBC: Cipher block chaining CFB: Cipher feedback OFB: Output feedback CTR: Counter mode Cipher Block modes

  12. plaintext is XORed with keystream generated from secret key and initialization vector (IV) Vernam cipher (one-time pad) RC4, Seal LFSR Stream cipher

  13. First publicly proposed by Diffie and Hellman in 1976. Each entity maintains two keys: public key(K+) which is known to everyone and private key(K-) which is known to the owner. DK-(EK+(M))=M, DK+(EK-(M))=M Public-key cryptography

  14. Public-key encryption adversary unsecure channel key source KB+(Bob’s public key) K-(Bob’s private key) decryption DKB-(c)=m encryption EKB+(m)=c c unsecure channel m m Plaintext source destination Bob Alice

  15. Suppose N entities, how can any pair of them establish a secret key? To use symmetric-key crypto, requires secret and authentic channel to set up shared secret (symmetric) key Need O(N2) keys Key management is challenging Public-key crypto advantage Each entity only needs to know N-1 authentic public keys Easier to establish authentic public keys than symmetric keys Advantage of Public-key crypto

  16. Message encryption : hardly used Digital signature Symmetric-Key distribution Public-key application

  17. Digital signature Digital Signature key source K+ K- s DK+(s)=m EK-(m)=S m m Message source M’ accept If m∈M’ Verifier B Signer A

  18. m=m’? m m EK-(M) S DK+(S)=m’ S (signature) verifier Signer

  19. Public-key Distribution A1 A2 K1- K2- C=EK6+(m) public file A1: K1+ A2: K2+ A3: K3+ A4: K4+ A5: K5+ A6: K6+ A6 A3 K6- K3- m=DK6-(c) A4 A5 K4- K5-

  20. Impersonation by adversary • An adversary alters the public file by replacing the public key K6+ by Ka+ A1 K1- A1: K1+ A2: K2+ A3: K3+ A4: K4+ A5: K5+ A6: Ka+ c=E ka+(m) Ka+ c adversary A6 c’ private key Ka- K6- Dka-(c)=m EK6+(m)=c’ m=DK6-(c)

  21. The entities must use a TTP to certify the public key of each entity. (verify the authenticity of the public key) TTP distributes a pair of a public key and its owner, with the TTP’s signature which is formed by TTP’s private key. TTP’s public key is known to every entity, and they trust the TTP’s public key is genuine. When entities receive a public key, they decrypt the attached signature by TTP’s public key, proving the pair is genuine. In this way all entities can obtain the public keys of the other entities. TTP is often called the Certificate Authority (CA). Authentication by Trusted Third Party(TTP)

  22. RSA Since it was first published in 1978, it has become the most widely accepted algorithm. Digital Signature Standard(DSS) NIST standard Used only for digital signature, not for encryption or key exchange Elliptic-Curve cryptography (ECC) IEEE P1367 Appeared to be secure for smaller key size than RSA Public-key crypto algorithms

  23. Duration of 1024-bit RSA encryption ~1 ms on 1 GHz Pentium Duration of 1024-bit RSA decryption ~10 ms on 1 GHz Pentium Duration to encrypt 1 Mbyte file? Encrypt 1024 bits / RSA operation = 128 bytes 1 Mbyte = 220 bytes Time: 220 / 27 * 1ms = 213 ms = 8 seconds! Compare with the time by the symmetric key? Encrypting Large File with RSA?

  24. Symmetric crypto Need shared secret key 80 bit key for high security (year 2010) ~1,000,000 ops/s on 1GHz processor 10x speedup in HW Public-key crypto Need authentic public key 2048 bit key (RSA) for high security (year 2010) ~100 signatures/s~1000 verify/s (RSA) on 1GHz processor Limited speedup in HW Symmetric-key vs. public-key

  25. A computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length, called hash-values. Properties of a secure hash function One-way Given y = H(x), cannot find x’ s.t. H(x’) = y Weak collision resistance Given x, cannot find x’≠ x s.t. H(x) = H(x’) Strong collision resistance Cannot find x, x’ s.t. x’ ≠ x and H(x) = H(x’) Cryptographic Hash function

  26. Assume secure hash function with n-bit output One-wayness: given output y, how many operations does it take to find any x,such that H(x) = y? Assumption: best attack is random search For each trial x, probability that output is y is 2-n P[find x after m trials]=1-(1-2-n)m Rule of thumb: find x after 2n-1 trials on average Attack complexity: One-way

  27. Weak collision resistance: given input x, how many operations does it take to find another x’≠ x, s.t. H(x) = H(x’)? Assumption: best attack is random search For each trial x’, probability that output is equal is 2-n P[find x after m trials]=1-(1-2-n)m Rule of thumb: find x’ after 2n-1 trials on average Attack complexity: Weak collision

  28. Strong collision resistance: how many operations does it take to find x and x’, s.t. x’≠ x and H(x)= H(x’)? Assumption: best attack is random search Algorithm picks random x’, checks whether H(x’) matches any other output value previously seen P[find col after m trials]= 1-(1-1/2n)(1-2/2n)(1-3/2n)…(1-(m+1)/2n) Rule of thumb: find collision after 2n/2 trials on average (1.17*2n/2 to be a bit more precise) Attack complexity: strong collision

  29. Suppose N people in a room How large must N be before the probability someone has same birthday as me is 1/2 ? Solve: 1/2 = 1  (364/365)N for N We find N = 253 Pre-Birthday Problem

  30. How many people need to be in a room to have a probability > 50% that at least two people have the same birthday? Answer: approximately 1.17*3651/2 ~ 22.4 Birthday Paradox

  31. SHA-1 Developed by NIST and published in 1993 Input: max. length of less than 264bits Input is processed in 512 bits blocks. Output: 160 bits hash code MD5 RFC 1321 Input: arbitrary length, output: 128 bits RIPEMD-160 Developed by European RACE Integrity Primitives Evaluation (RIPE) project Input: arbitrary length, output: 160 bits One-way hash function algorithms

  32. SHA-1 does not provide collision resistance any more: requires only 269 operations to find a hash collision(2005) How long would it take to find collision? 269 / (220 * 220 ) = 229 seconds 1 year has approximately 225 seconds 229 / 225 ~ 16 years How secure is SHA-1?

  33. Earlier this week, three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force. SHA-1 produces a 160-bit hash. That is, every message hashes down to a 160-bit number. Given that there are an infinite number of messages that hash to each possible value, there are an infinite number of possible collisions. But because the number of possible hashes is so large, the odds of finding one by chance is negligibly small (one in 280, to be exact). If you hashed 280 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value. "Breaking" the hash function means being able to find collisions faster than that. And that's what the Chinese did. They can find collisions in SHA-1 in 269 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point. (Feb. 15, 2005. Bruce Schneier)

  34. One of the main applications of the hash function is to generate a small block of message tag which is called MAC. MAC provides the authenticity and integrity of messages (no confidentiality) A sender computes MAC( K, M ), or MACK( M ) where K is the shared secret key between two entities. and send <M, MAC( K, M )>. Message Authentication Code (MAC)

  35. MAC by symmetric-key encryption without hash function • Using a symmetric-key, a sender generates a small block of data, known as a message authentication code (MAC) and appends it to the message. C=EKAB(M) Take the last L bits. M M M = MAC MAC MAC EKAB(M) Take the last L bits. L: the length of MAC Bob Alice

  36. MAC by symm-key encryption • A sender applies a symm-key encryption to a small block of data which is generated by a hash function. H H(M) M M M = MAC MAC H EKAB(H(M)) DKAB(MAC) H(M) MAC Bob Alice

  37. MAC by public-key (Digital Signature) • Hash function provides the fast way of generating digital signature using the public-key cryptography. H H(M) M M M = MAC MAC H EKA-(H(M)) DKA+(MAC) H(M) MAC Bob Alice

  38. Hash functions such as SHA-1 does not rely on a secret key. HMAC is the most widely accepted algorithm for MAC which incorporates a secret key into existing hash function algorithm. In HMAC, a hash function is treated as a “black box,” which means any available hash function can be used. RFC 2104 MAC with shared secret key

  39. Example: HMAC-MD5 • H: MD5 hash function • MAC(K, M ) = H(K  opad || H(K  ipad || M)) ipad = 3636..36, opad = 5C5C..5C (512bits)

  40. Key establishment Process by which a shared secret key becomes available to two or more parties Key management A set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with new keys Key establishment

  41. Server-less key establishment Server-based key establishment Public-key based key establishment Key agreement algorithm Diffie-Hellman Key establishment

  42. Key establishment with TTP • A Trusted Third Party (TTP) generates a key k (session key) and sends it encrypted by each of the fixed keys. A1 A2 K1 K2 TTP Ek1(k15) A6 Key source A3 Ek15(m) K6 K3 Ek5(k) A5 A4 K5 K4

  43. A sender encrypts the shared secret key by the other entity’s public key. Key establishment by public key EKAB(m) m EKAB(m) EKB+(KAB) EKB+(KAB) Bob Alice

  44. The Diffie-Hellman key exchange algorithm enables two entities to exchange a secret key securely. The algorithm depends on the difficulty of computing discrete logarithms. Key agreement: Diffie-Hellman key exchange

  45. Public values: large prime p, generator g ga mod p = x Discrete logarithm problem: given x, g, and p, find a Table g=2, p=11 Discrete Logarithm Problem nth element 1st element Cyclic Group G Generator α … α1 α2 α3 αx= β

  46. Public values: large prime p, generator g (primitive root of p) Alice has secret value a, Bob has secret b A  B: ga (mod p) B  A: gb (mod p) Bob computes (ga)b = gab (mod p) Alice computes (gb)a = gab (mod p) Symmetric key= gab (mod p) Diffie-Hellman Key exchange

  47. Passive attacks Active attacks Attacks of protocols Known-key attack Replay Impersonation Dictionary Forward search Interleaving attack Classes of attacks

More Related