
Cryptography and System Security






Presentation Transcript


  1. Cryptography and System Security Michael Pramateftakis Room Z940 Tel: (089-289)23622 E-Mail: pramateftakis@ei.tum.de

  2. Organisational matters • Lecture: Thu., 12:30-14:00, N1170 • Exercise: Thu., 14:00-14:45, N1170 • Script and slides in English • Lecture, discussion and exam in German. Note: From 3.5.2004 new lecture (WA) “Applied IT-Security”, Mon. 14:00-15:30, lecture hall 0999, lecture in English, in cooperation with the Fraunhofer Gesellschaft (Dr. Stephan Spitz)

  3. Lecture Overview • Motivation • Security Services and Mechanisms • Cryptographic Mechanisms • Discrete Algebra • Cryptographic Algorithms • Cryptographic Protocols • Security and the Internet • Smartcards and Security Applications

  4. 1. Motivation Why cryptography?

  5. Exemplary Scenario [diagram: a company network exchanges business offers and contacts with other companies, money and payments with a bank, and browsing and orders with Internet users, all over the Internet; an attacker is shown on the Internet as well]

  6. Further catchwords • Hackers, Crackers, Script kiddies etc. • Denial of Service • Address spoofing • Connection hijacking • Firewall, NAT, Intrusion detection • Spam • E-mail faking etc., etc., …

  7. 2. Security Services and Mechanisms Cryptography’s most basic terms and definitions

  8. Basic terms • Security Services • Security Mechanisms • Cryptographic algorithms

  9. Security Services • Security services describe what a user requires from a security system: • Confidentiality (or Nondisclosure of Information) • Authentication • Verifiability and Nonrepudiation • Anonymity • Access Control Security services remedy threats.

  10. Security Mechanisms and Algorithms • Security Mechanisms: The technical and procedural means used to implement security services. (e.g. encryption provides confidentiality.) • Algorithms: Concrete implementations of security mechanisms. (e.g. DES implements encryption)

  11. Relations • Services, mechanisms and algorithms are related to one another. • The relation is formally defined in the OSI security architecture. • Security systems are designed and parameterized based on these relations. Services, Mechanisms and Algorithms are very basic and important terms! Distinguish between them correctly!

  12. 3. Cryptographic Mechanisms Mechanism Details

  13. Symmetric Encryption [diagram: the sender computes $c = f(k, m)$ in a secure environment, the receiver computes $m = f^{-1}(k, c)$ in a secure environment; the same key $k$ is used on both sides] Encryption: $c = f(k, m)$ Decryption: $m = f^{-1}(k, c)$ m: Plaintext message c: Cipher k: Key f: Encryption Function $f^{-1}$: Decryption Function (Inverse of f) • Symmetric = Same key for encryption and decryption. • Key is secret, secure environment needed at sender and receiver.

  14. Symmetric Encryption Different kinds of symmetric encryption schemes: • Characterwise with a key: <Output char.> = f(k, <Input char.>) • Blockwise with a key: <Output block> = f(k, <Input block>) • Symbolwise/bitwise with a sequence of keys k: $k_1, k_2, k_3, \ldots$ • Blockwise with block chaining.

  15. Perfect Security Prerequisites for perfect security: • Unlimited key length. • Truly random key sequence. • One-time pad. • |K| >= |C| >= |M| Every message can be mapped to every cipher with a different key! Thus, for a given cipher, every possible message is equiprobable, since a proper key can always be constructed! An attacker cannot make any assumptions about the message.

  16. Perfect Security [diagram: every message $m_i \in M$ is mapped to every cipher $c_j \in C$ by some key $k \in K$, with $|M| = |C| = |K|$] Keys equiprobable. Messages equiprobable.

  17. Asymmetric Encryption [diagram: the sender computes $c = f_e(m)$ with the public encryption key $e$; the receiver computes $m = f_d(c)$ with the decryption key $d$ in a secure environment] Public Encryption: $c = f_e(m)$ Decryption: $m = f_d(c)$ m: Plaintext message c: Cipher e: Encryption Key d: Decryption Key f: Asymmetric Function • Asymmetric = Different keys for encryption and decryption. • Only the decryption key is secret, a secure environment is needed only at the receiver side.

  18. Asymmetric Encryption • Sender encrypts with receiver’s public key. • Receiver decrypts with his own private key. Thus, everybody can send encrypted messages to the receiver without needing to exchange a secret.

  19. Digital Signature • Creator of message signs with own private key. • Everybody can verify the signature with the creator’s public key. • The correspondence of the creator’s person to the respective public key must be reliably known. • Signed messages are not encrypted.

  20. 4. Discrete Algebra Basics of modulo-arithmetics

  21. Discrete Algebra Chapter Overview: • Definition of modulo-n arithmetics • Groups, Rings and Fields, Galois field • Multiplicative-inverse elements in mod n • Powers in mod n, related theorems • Chinese remainder theorem • Discrete logarithms

  22. Groups An algebra on a finite or infinite set of elements satisfying the following axioms is called a Group: • The sum of 2 arbitrary elements $a+b$ is defined and is an element of this set. • The sum is associative: $(a+b)+c = a+(b+c)$ • A null-element 0 exists, such that for any element a holds $a+0 = a$ • Every element a has an additive-inverse element $a^{-1}$ such that $a + a^{-1} = 0$ Addition and subtraction are defined for groups.

  23. Rings If all preceding axioms hold, plus: • The sum is commutative: a+b=b+a • The product of 2 arbitrary elements a·b is defined and is an element of this set. • The product is associative: (a·b)·c=a·(b·c) • The distributive law holds: a·(b+c)=a·b+a·c we have a Ring. Multiplication is defined for a ring along addition and subtraction.

  24. Fields If all preceding axioms hold, plus: • The product is commutative: $a\cdot b = b\cdot a$ • There is a one-element 1, such that $a\cdot 1 = a$ holds for every element a • Every element $a \neq 0$ has a multiplicative inverse element $a^{-1}$, such that $a\cdot a^{-1} = 1$ we have a Field. Division is defined for a field along with multiplication, addition and subtraction.

  25. Arithmetics mod n • For arithmetics modulo n, axioms 1 to 10 are valid. • For arithmetics modulo p, where p is a prime number, axioms 1 to 11 are valid. We’ll show that every element $a \in [0, n-1]$ can be replaced by any element of the same remainder class $R_a$. When the axioms are proven, the calculus rules of algebra apply.

  26. Multiplicative-inverse elements • In modulo-n arithmetics, an element $a \neq 0$ with $\mathrm{hcd}(n,a) = 1$ has a multiplicative inverse element $a^{-1}$. • One way to find it would be a search of $1\cdot a, 2\cdot a, 3\cdot a, \ldots$, which is not practical for large moduli. • Another way is through the fact that $\mathrm{hcd}(n,a) = 1 = s\cdot n + b\cdot a$ (s and b from the extended Euclidean algorithm). Taking the above mod n yields $1 = b\cdot a \bmod n$ and thus $a^{-1} = b$.

  27. Euler’s φ-function The φ-function for a natural number n is defined as the quantity of numbers less than n that are relatively prime to n: $\varphi(n) = |\{\, z \in [1, n-1] : \mathrm{hcd}(n, z) = 1 \,\}|$ Since for a prime number p all numbers $z < p$ are relatively prime to it: $\varphi(p) = p - 1$

  28. Euler’s φ-function In the case where $n = p\cdot q$, $p \neq q$ prime: $\varphi(p\cdot q) = (p-1)\cdot(q-1)$ because: $\varphi(p\cdot q) = [p\cdot q - 1] - (p-1) - (q-1) = (p-1)\cdot(q-1)$ where $p\cdot q - 1$ counts all possible numbers, $p - 1$ the multiples of q and $q - 1$ the multiples of p.

  29. Euler’s theorem $a^{\varphi(n)} \equiv 1 \pmod n$ for all a with $\mathrm{hcd}(n,a) = 1$. For a prime n = p this is formula (4.4.2), since $\varphi(p) = p-1$. The relation is also called the “Small theorem of Fermat”: $a^{p-1} \equiv 1 \pmod p$, for $a \in [1, p-1]$

  30. RSA Generalization (RSA: Rivest, Shamir, Adleman, inventors of the RSA algorithm) Take Euler’s theorem, exponentiate with $i \in \mathbb{N}$ and multiply with a: • $a^{\varphi(n)} \equiv 1 \pmod n$ • $(a^{\varphi(n)})^i \equiv 1^i$, i.e. $a^{i\cdot\varphi(n)} \equiv 1 \pmod n$ • $a^{i\cdot\varphi(n)+1} \equiv a \pmod n$, valid for $a \in [0, n-1]$ with $n = p$ or $n = p\cdot q$, $p \neq q$

  31. 5. Cryptographic Algorithms Symmetric and asymmetric encryption algorithms

  32. Chapter Overview • DES • DES-based MAC • DES-based cryptohash-function • AES • IDEA • Block operation modes • RSA • El Gamal methods • Certificates

  33. DES DES history: • Developed by IBM • Published in 1974 • ‘National Bureau of Standards’, today NIST, recognizes DES as a standard in 1977 • ‘American National Standards Institute’ recognizes DES as standard (ANSI X3.92) in 1981

  34. DES DES attributes: • Symmetric algorithm • Block cipher: Message blocks of 64 bits. Encryption to cipher blocks of 64 bits. • Key of 64 bits. Significant key length is 56 bits, with 8 parity bits. $|K| = 2^{56}$ [diagram: Encryption: 64-bit block $m_i$ → DES with key k (64(56) bits) → 64-bit block $c_i$; Decryption: 64-bit block $c_i$ → DES$^{-1}$ with key k → 64-bit block $m_i$]

  35. AES Encryption round [diagram: data block $d_{i-1}$ (128 bits/16 bytes) passes through transformations based on byte operations (substitution, permutation, intermix) and leaves as data block $d_i$ (128 bits/16 bytes); the round key is derived from the AES key of 128/192/256 bits; the number of rounds is 10/12/14 depending on key size] • No transformation box in initial round • No intermix for last round

  36. AES Encryption round Transformations: • Substitution • Each byte is replaced by its multiplicative inverse value. • Bytes are used to represent polynomials of degree less than 8, due to modular reduction with an irreducible polynomial of degree 8. • Bytes are interpreted as elements of a finite field. Addition and multiplication are defined, but are not the same as the ones used for numbers. • Permutation • Interchange of byte positions. • Intermix • Matrix multiplication of bytes in the internal ‘State’.
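As an added worked example (not part of the lecture slides), here is the byte arithmetic behind the substitution step above: bytes as polynomials over GF(2), multiplication reduced by an irreducible polynomial of degree 8, and the multiplicative inverse the S-box is built from. The reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) is the one AES specifies; the slides do not name it, so it is stated here as an assumption.

```python
# Added example (not from the lecture slides): arithmetic on bytes as elements
# of the finite field GF(2^8), the setting of the AES substitution step.
# Assumption: the irreducible degree-8 polynomial is the one AES specifies,
# x^8 + x^4 + x^3 + x + 1 (0x11B); the slides do not name it.
AES_POLY = 0x11B


def gf_add(a: int, b: int) -> int:
    """Field addition: coefficient-wise addition mod 2, i.e. XOR (no carries)."""
    return a ^ b


def gf_mul(a: int, b: int, poly: int = AES_POLY) -> int:
    """Polynomial multiplication of a and b, reduced modulo poly."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # add the current multiple of a
        a <<= 1                  # multiply a by x
        if a & 0x100:
            a ^= poly            # reduce as soon as the degree reaches 8
        b >>= 1
    return result


def gf_pow(a: int, e: int, poly: int = AES_POLY) -> int:
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return result


def gf_inverse(a: int, poly: int = AES_POLY) -> int:
    """Multiplicative inverse via a^254: the 255 nonzero elements form a group,
    so a^255 = 1 (the field analogue of Euler's theorem on slide 29).
    AES maps the non-invertible byte 0x00 to itself."""
    return 0 if a == 0 else gf_pow(a, 254, poly)


def all_nonzero_invertible(poly: int = AES_POLY) -> bool:
    """Axiom 11 of slide 24 checked by brute force: with an irreducible poly
    every nonzero byte has an inverse; with a reducible one (e.g. 0x11A,
    which x divides) the check fails and we only have a ring."""
    return all(gf_mul(a, gf_inverse(a, poly), poly) == 1 for a in range(1, 256))
```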

  37. AES Encryption round Key derivation: With key length 128 bits, each round requires 128 bits. The key is split into 4 words of 4 bytes each. $w_i = w_{i-1} \oplus w_{i-4}$ When $i \bmod 4 = 0$, the key transformation (KT) is applied. KT involves byte shifts, substitutions and the addition of a ‘round constant’, powers of 2 in $GF(2^8)$. [diagram: $w_0, w_1, w_2, w_3$ = AES key = key for round 0; $w_4, w_5, w_6, w_7$ = key for round 1; KT sits on the path from $w_3$ to $w_4$]

  38. Block operation modes Electronic Codebook (ECB) $c_i = BA(m_i)$, $m_i = BA^{-1}(c_i)$ [diagram: Sender: Encryption, $m_1, m_2, \ldots$ each pass through BA with key k to give $c_1, c_2, \ldots$ over time; Receiver: Decryption, each $c_i$ passes through $BA^{-1}$ with key k to give $m_i$]

  39. Block operation modes Properties of ECB • Every block is independent of other blocks. • Same plaintext is encrypted to same ciphertext. • Error propagation: If an error occurs in a cipher block, only the respective plaintext block is affected. • Synchronization: If the receiver cannot synchronize block boundaries, decryption is impossible.

  40. Block operation modes Cipher Block Chaining (CBC) $c_i = BA(m_i \oplus c_{i-1})$, $m_i = BA^{-1}(c_i) \oplus c_{i-1}$, $c_0 = IV$ [diagram: Sender: Encryption, each plaintext block is XORed with the previous cipher block (IV for the first) before BA with key k; Receiver: Decryption, $BA^{-1}$ with key k is applied to each cipher block and the result XORed with the previous cipher block (IV for the first)]

  41. Block operation modes Properties of CBC • The initialization vector IV must be specified. It need not be secret. • A cipher block depends on IV and all plaintext blocks before it. Identical plaintexts are encrypted to different ciphertexts. • The sequence of the blocks is significant. If the sequence changes, the cipher changes. • Identical plaintext sequences are encrypted to identical cipher sequences, so different IVs should be used. • Error propagation: If an error occurs in a cipher block, this and the next plaintext block cannot be decrypted. • Synchronization: If synchronization is regained at this cipher block, the next plaintext block and all following ones can be decrypted.

  42. Block operation modes Cipher Feedback (CFB) $c_i = BA(c_{i-1}) \oplus m_i$, $m_i = BA(c_{i-1}) \oplus c_i$, $c_0 = IV$ [diagram: Sender: Encryption and Receiver: Decryption both run BA with key k on the previous cipher block $c_{i-1}$ and XOR the output with $m_i$ resp. $c_i$] Similar properties to CBC. Messages shorter than block size possible.

  43. Block operation modes Output Feedback (OFB) $z_i = BA(z_{i-1})$, $c_i = z_i \oplus m_i$, $m_i = z_i \oplus c_i$, $z_0 = IV$ [diagram: Sender: Encryption and Receiver: Decryption both run BA with key k on the previous state $z_{i-1}$ and XOR the output $z_i$ with $m_i$ resp. $c_i$] Messages shorter than block size possible.

  44. Block operation modes OFB properties • State sequence zi does not depend on the plaintext. • Corresponds to encryption with pseudonoise, with a random number generator with nonlinear feedback. • Error propagation: none. • Synchronization: If block boundary synchronization is lost, the system must be resynchronized.
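The four modes of slides 38 to 44 as an added Python example (not code from the lecture), with a check of the error propagation claims above. The block algorithm BA is a constructed 64-bit toy bijection standing in for DES or AES so the example runs without a crypto library; it has no security value.

```python
# Added example (not from the lecture slides): the four block operation modes
# of slides 38-44 on 64-bit blocks, with a check of their error propagation.
# BA is a constructed toy bijection standing in for DES/AES; it is NOT secure.
BLOCK = 8
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15              # odd, so invertible modulo 2^64
MULT_INV = pow(MULT, -1, 1 << 64)      # Python 3.8+


def ba(k: int, block: bytes) -> bytes:
    """Toy block algorithm: XOR the key in, multiply by an odd constant mod 2^64."""
    x = int.from_bytes(block, "big") ^ k
    return ((x * MULT) & MASK).to_bytes(BLOCK, "big")


def ba_inv(k: int, block: bytes) -> bytes:
    x = (int.from_bytes(block, "big") * MULT_INV) & MASK
    return (x ^ k).to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def process(mode: str, k: int, iv: bytes, data: bytes, encrypting: bool) -> bytes:
    """One loop serves sender and receiver. ECB/CBC need whole blocks (padding);
    CFB/OFB also handle a short final block, as the slides state."""
    prev, out = iv, []
    for x in blocks(data):
        if mode == "ECB":
            y = ba(k, x) if encrypting else ba_inv(k, x)
        elif mode == "CBC":
            y = ba(k, xor(x, prev)) if encrypting else xor(ba_inv(k, x), prev)
            prev = y if encrypting else x          # chain on the cipher block
        elif mode == "CFB":
            y = xor(ba(k, prev), x)                # BA only ever runs forward
            prev = y if encrypting else x
        else:  # OFB: state z_i = BA(z_{i-1}) never depends on the data
            prev = ba(k, prev)
            y = xor(prev, x)
        out.append(y)
    return b"".join(out)


def encrypt(mode, k, iv, m): return process(mode, k, iv, m, True)
def decrypt(mode, k, iv, c): return process(mode, k, iv, c, False)


def damaged_blocks(mode, k, iv, m, i):
    """Flip one bit in cipher block i; return indices of plaintext blocks that change."""
    c = bytearray(encrypt(mode, k, iv, m))
    c[i * BLOCK] ^= 0x80
    m2 = decrypt(mode, k, iv, bytes(c))
    return [j for j, (x, y) in enumerate(zip(blocks(m), blocks(m2))) if x != y]
```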

  45. RSA Creating an RSA key pair: We will work in arithmetics modulo n, with: $n = p\cdot q$, $p \neq q$ prime, $\varphi(n) = (p-1)\cdot(q-1)$ We select one of the keys randomly, e.g. e, with the following restrictions: $1 < e < \varphi(n)$ and $\mathrm{hcd}(e, \varphi(n)) = 1$ The other key is the multiplicative inverse of e modulo $\varphi(n)$: $e\cdot d \equiv 1 \pmod{\varphi(n)}$

  46. RSA • A’s public key is thus: $e_A, n$ • A’s secret key is: $d_A$ The prime factors of n cannot be found out. (Difficult task of factorization) Euler’s theorem, $a^{i\cdot\varphi(n)+1} \bmod n = a$, yields with $e\cdot d \equiv 1 \pmod{\varphi(n)}$: $m^{e\cdot d} \bmod n = m$ for $0 \le m < n$, as $i\cdot\varphi(n)+1 \equiv 1 \pmod{\varphi(n)}$ as well. So you encrypt a message by raising it to one key (here e) and decrypt by raising to the other (here d), modulo n.

  47. RSA Thus, the following formulas apply: Encryption: $c = m^e \bmod n$ Decryption: $c^d \bmod n = (m^e)^d \bmod n = m$ Signature: $s = m^d \bmod n$ Verification: $s^e \bmod n = (m^d)^e \bmod n = m$ The operations are computationally intensive. (e.g. 1000 times slower than IDEA)

  48. RSA Applications of RSA: • Digital signature on message hash-values. • Transmission of symmetric session keys in hybrid cryptography systems. Due to high complexity, RSA is not useful for bulk data encryption.

  49. Chinese Remainder Theorem The Chinese remainder theorem calculates a number x mod n=p·q, when the remainders of x modulo p and modulo q are known. Known: (x mod p) and (x mod q) Result: (x mod n) with n=p·q

  50. Chinese Remainder Theorem The hcd of two natural numbers p and q with no common factors can be written as: $\mathrm{hcd}(p,q) = 1 = s\cdot p + t\cdot q$ where s and t can be calculated with the extended Euclidean algorithm. With $a = x \bmod p$ and $b = x \bmod q$ known, we can deduce $x = (b\cdot s\cdot p + a\cdot t\cdot q) \bmod n$, $n = p\cdot q$ See proof in script, p.38.
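An added Python example (not code from the lecture or its script) covering the RSA steps of slides 45 to 50 and the modular inverse of slide 26: key generation, the public and private operations, and the private operation recombined via the Chinese remainder theorem. It takes the primes and exponent as parameters; real keys use far larger primes than the small constructed values any quick check would use.

```python
# Added example (not from the lecture slides): the RSA steps of slides 26 and
# 45-50. The modular inverse comes from the extended Euclidean algorithm
# (slide 26); the private operation is also done via the CRT (slide 50).
from math import gcd


def ext_euclid(a: int, b: int):
    """Return (g, s, t) with s*a + t*b = g = hcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a: int, n: int) -> int:
    """Slide 26: from hcd(n, a) = 1 = s*n + b*a follows a^-1 = b (mod n)."""
    g, _, b = ext_euclid(n, a)
    if g != 1:
        raise ValueError("no inverse, hcd(n, a) != 1")
    return b % n


def phi_by_count(n: int) -> int:
    """Slide 27 definition, evaluated literally (only feasible for small n)."""
    return sum(1 for z in range(1, n) if gcd(n, z) == 1)


def rsa_keypair(p: int, q: int, e: int):
    """Slide 45: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and hcd(e, phi(n)) = 1")
    return (e, p * q), (mod_inverse(e, phi), p, q)


def rsa_public(pub, x: int) -> int:      # encryption c = m^e, verification s^e
    e, n = pub
    return pow(x, e, n)


def rsa_private(priv, x: int) -> int:    # decryption c^d, signature m^d
    d, p, q = priv
    return pow(x, d, p * q)


def crt_combine(a: int, b: int, p: int, q: int) -> int:
    """Slide 50: x mod p*q from a = x mod p and b = x mod q, using 1 = s*p + t*q."""
    _, s, t = ext_euclid(p, q)
    return (b * s * p + a * t * q) % (p * q)


def rsa_private_crt(priv, x: int) -> int:
    """Same as rsa_private via two small exponentiations; exponents reduced by Fermat (slide 29)."""
    d, p, q = priv
    return crt_combine(pow(x, d % (p - 1), p), pow(x, d % (q - 1), q), p, q)
```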
