Datasäkerhet/Data security EDA625 – Lecture 2
2016 Ben Smeets, LTH Electrical and Information Technology - Datasäkerhet EDA625

Repetition – Lecture 1
- History of IT security
- Managing security: risk and threat analysis (Risk- och sårbarhetsanalys)
- Computer security: confidentiality, integrity, availability
- ITSEC, Common Criteria, Orange Book
- Legal aspects
- Books and further reading; glossary (ordlista)

Agenda – Lecture 2
- Cryptography
- A few words on cryptanalysis

2.1 Cryptography and key establishment
Covers and expands chapters 14 and 15.

Cryptography (chapter 14; chapter 11 in the 2nd edition)
- Introduction to the basic concepts
- Understand the type of problems cryptography can address
- Indicate the computer security features that are required to support cryptography
- Cryptographic basic functions
- Key agreement protocols
- Public-key infrastructure
- Cryptanalysis

The old paradigm: insecure communication links. A and B communicate over a link with an (active) wiretapper; the goals are data confidentiality, data integrity and data origin authentication.

New paradigms – e-commerce: the insiders A and B have no reason to trust each other. A trusted third party (TTP) provides non-repudiation services that generate evidence for resolving a dispute.

New paradigms – law enforcement: a law enforcement agency (LEA) holding an interception warrant obliges access to the communication between A and B; the operator must provide a key escrow service (through the TTP).

Cryptographic keys
Cryptographic mechanisms: cryptographic algorithms use keys to protect data.
- Encryption algorithms
- Integrity check functions (cryptographic hash functions)
- Digital signature schemes
- Key establishment protocols
Key management is the topic of addressing: Where are keys generated? How are keys generated? Where are keys stored? How do they get there? Where are keys used? How are they revoked and replaced?

Cryptographic primitives (there are more, but in this course these are the important ones)
- Unkeyed: arbitrary-length hash functions, one-way permutations
- Symmetric-key: ciphers (block ciphers, stream ciphers), arbitrary-length MACs, identification schemes
- Public-key: ciphers, signatures
Common approaches to construct primitives use ideas from combinatorics, algebra, number theory, probability theory and theoretical computer science.

Some mathematics – modular arithmetic
Definition: a ≡ b mod m iff a − b = k·m for some integer k (in words: the difference of a and b is a multiple of m).
Calculation rules:
- addition ‘+’: (a mod m) ‘+’ (b mod m) = (a + b mod m)
- multiplication ‘·’: (a mod m) ‘·’ (b mod m) = (a · b mod m)
Usually we just write + instead of ‘+’ and · instead of ‘·’ (or even drop the · symbol, i.e., a · b = ab).
Examples:
- + operation: (7 mod 21) + (18 mod 21) = 25 mod 21 = 4 mod 21
- · operation: (7 mod 21) · (18 mod 21) = 126 mod 21 = 0 mod 21 (this may look strange, but it is the answer since 21 divides 126)

More mathematics: inverse mod p
Let p = 17 and choose a = 3. The inverse of a mod 17 is denoted a^-1 (mod 17).
Let p be a prime and a an arbitrary (nonzero) integer.
The multiplicative order of a modulo p is defined to be the smallest integer n ≥ 1 such that a^n = 1 mod p.
The value of a^-1 (mod 17) is 6; indeed 3·6 (mod 17) = 18 (mod 17) = 1 (mod 17).
Question: is there always an inverse mod p?
Fermat's little theorem: for all a (not zero modulo p) we have a^(p−1) = 1 mod p.

Computing inverses mod m
- If m is a prime we can use Fermat's little theorem.
- In general we can use Euclid's algorithm for computing the gcd to obtain the inverse mod m.
- Remember: there is not always an inverse mod m, so you need to check whether it exists.

Famous problems with crypto relevance
- Discrete log problem (DLP): given a prime p, the base a and y = a^x mod p, find the discrete logarithm x of y.
- Factorization: given an integer n, find its prime factors.
- N-th root (mod m) problem: given numbers a and m, find x such that a = x^N mod m.

Encryption
An encryption algorithm (cipher) protects confidentiality.
- Symmetric algorithms: the same secret key for encryption and decryption (fast).
- Asymmetric algorithms: public encryption key, secret decryption key (slow).

Symmetric encryption: block ciphers vs stream ciphers
- Examples of block ciphers: DES, AES, Blowfish, KASUMI. Triple-DES (EDE): C = e_K1(d_K2(e_K1(P))).
- Examples of stream ciphers: RC4, SNOW, Sober, E0, A5/1, A5/2.

Block cipher – structure (most of them, e.g. AES, DES, IDEA): the key goes through a key scheduler that produces the round keys; the data in passes through a sequence of round functions, each using its round key, to give the data out.
Three block cipher modes
- Electronic code book mode (ECB): each block is encrypted separately.
- Cipher block chaining mode (CBC): C_i = e_K(P_i ⊕ C_{i−1}), C_0 = IV, where ⊕ = XOR.
- Output feedback mode (OFB): C_i = P_i ⊕ O_i, O_i = e_K(O_{i−1}), O_0 = IV.
[Figures: a chess board image; its DES encryption in ECB mode (separate blocks); its DES encryption in CBC mode (block chaining).]

Block ciphers need padding: PKCS#7
- If the data fills a complete block, add a new block with all bytes set to the block length of the cipher, e.g. 16 bytes set to 0x10 for AES.
- Else fill the block with bytes set to the value equal to the number of padding bytes added. For example, if we have to add three padding bytes, the last block to encrypt looks like [X, X, X, …, X, 0x03, 0x03, 0x03] (data bytes X followed by the padding bytes).

Stream ciphers: the key drives a keystream generator that outputs the keystream z_t; the plaintext m_t is combined with it to give the ciphertext c_t = m_t ⊕ z_t.

RSA encryption (asymmetric)
- Pick primes p, q and an integer d such that gcd(d, p−1) = 1 and gcd(d, q−1) = 1 (usually 1 < d < (p−1)(q−1)).
- Public key: n, e, where n = p×q and e×d = 1 mod (p−1)(q−1).
- Encryption: c = m^e mod n. Decryption: m = c^d mod n.
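As an added worked example (not from the lecture slides): the modular-inverse computations and the RSA key generation, encryption and decryption defined above, in Python. The primes p = 61, q = 53 and the private exponent d = 2753 are chosen here for illustration and are not from the course.

```python
"""Modular inverses and textbook RSA as defined on the slides.
Added example, not from the lecture. Tiny primes so every value can be
checked by hand; real keys are 2048 bits or more and messages are padded."""
from math import gcd


def inverse_mod(a, m):
    """a^-1 mod m by the extended Euclidean algorithm. Raises when
    gcd(a, m) != 1: as the slide says, the inverse does not always exist."""
    old_r, r, old_s, s = a % m, m, 1, 0   # invariant: old_s * a == old_r (mod m)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd is {old_r})")
    return old_s % m


def inverse_mod_prime(a, p):
    """For prime p Fermat gives a^(p-1) = 1, so a^(p-2) is the inverse of a."""
    if a % p == 0:
        raise ValueError("0 has no inverse")
    return pow(a, p - 2, p)


def rsa_keygen(p, q, d):
    """Slide recipe: primes p, q and private d with gcd(d, p-1) = gcd(d, q-1) = 1;
    the public e satisfies e*d = 1 mod (p-1)(q-1). Returns ((n, e), (n, d))."""
    if gcd(d, p - 1) != 1 or gcd(d, q - 1) != 1:
        raise ValueError("d must be coprime to p-1 and q-1")
    e = inverse_mod(d, (p - 1) * (q - 1))   # exists because of the check above
    return (p * q, e), (p * q, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)          # c = m^e mod n


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)          # m = c^d mod n


def rsa_decrypt_crt(p, q, d, c):
    """Same result, computed mod p and mod q and recombined with the Chinese
    Remainder Theorem (Garner's form); real implementations decrypt this way
    because the exponents d mod (p-1) and d mod (q-1) are half the size."""
    mp = pow(c, d % (p - 1), p)
    mq = pow(c, d % (q - 1), q)
    h = (mp - mq) * inverse_mod(q, p) % p
    return mq + h * q


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 2753)   # n = 3233, e = 17
    c = rsa_encrypt(pub, 65)
    print(pub, c, rsa_decrypt(priv, c), rsa_decrypt_crt(61, 53, 2753, c))
```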
Why does RSA work?
Encryption-decryption (assume m ≠ 0 mod p or q):
(m^e)^d mod n = m^(ed) mod n = m^(1 + k(p−1)(q−1)) mod n (for some k) = (m^1 mod n)·((m^((p−1)(q−1)))^k mod n) = (m mod n)·(1^k mod n) = m,
where we use that m^((p−1)(q−1)) mod p = 1^(q−1) mod p = 1 mod p, and likewise m^((p−1)(q−1)) mod q = 1^(p−1) mod q = 1 mod q, which gives, with additional work (see the next slide), that m^((p−1)(q−1)) mod n = 1 mod n.
Simultaneous solutions mod p and mod q: the generalization of this is called the Chinese Remainder Theorem.

The additional work
Let n = p × q, where p, q are two different primes. If a is in [0, n) = {0, 1, …, n−1}, then (*) a = 1 mod p and (**) a = 1 mod q if and only if a = 1.
"One side of the proof": suppose p < q, and from (**) let a = 1 + k×q. From (*), p then divides a − 1 = k×q, so p must divide k. Thus a = 1 + k'pq = 1 + k'n for some k'. But then a does not lie in the interval [0, n) for k' ≠ 0, so k' must be 0 and thus a = 1.

Strength of mechanisms
- Empirically secure: secure based on the fact that none has broken it for some time.
- Provably secure: we prove that breaking a scheme is at least as hard as breaking some well-known problem like factoring or discrete log.
- Unconditionally secure: the schemes are secure even if the adversary has unlimited computing power.

Integrity check functions – hash functions
Properties of the function (call it here h):
- ease of computation: easy to compute h(x)
- compression: arbitrary bit lengths to fixed length
- one-way: given y it is in general infeasible to find x such that h(x) = y
- weak collision resistance: given x, h(x) it is infeasible to find x' such that h(x) = h(x')
- strong collision resistance: it is infeasible to find x, x' such that h(x) = h(x')

Manipulation detection codes (MDCs)
- One-way hash function: compression, …, weak collision resistance.
- Collision-resistant hash function: compression, …, strong collision resistance.
Birthday paradox: with 2^n possible values h(x), the expected number of trials before a collision with a given y = h(x) is 2^(n−1), while the expected number of trials before a collision with some previously observed y = h(x) is √(½·2^n), which is approximately 2^(n/2).

Hash functions
The function h(x) = g^x mod p is a one-way function for suitable values of p, g (discrete exponentiation). To invert the function, you must solve the DLP. Problem: it's slow...

How to construct a fast hash function
- No secret information (no keys). The result: hash value, message digest, checksum.
- Compression function h with fixed input/output length.
- Input x of arbitrary length is broken up into blocks x = x_1 x_2 … x_m, where padding is applied to the last block; h_0 is a fixed value (IV).
- Recursive applications of h by h_i = h(x_i || h_{i−1}) for i = 1..m. Finally, h_m is the hash result.
This is the Merkle-Damgård construction (figure: x_1, x_2, …, x_m fed block by block into h, starting from the IV, with the length in the last block).

MACs
Message authentication codes prove the integrity of a message (and its source). They are computed from two inputs, message and key (therefore MACs are also called keyed hash functions).
Security property: for any key k unknown to the adversary, given a set of values (x_i, h_k(x_i)), it is (almost) impossible to compute h_k(x) for a new message x.
Be careful when making your own MAC
Having the hash construction h_i = h(x_i || h_{i−1}) in the MAC algorithm MAC(k, x) = h(k || x), with key k, results in an insecure construction. To see this, let x = x_1 x_2 … x_m and x' = x_1 x_2 … x_m y. Now if we know MAC(k, x) we can compute MAC(k, x') without knowing the key, since MAC(k, x') = h(y || MAC(k, x)).

HMAC
Take any (good) hash function h: HMAC(x) = h(k || p_1 || h(k || p_2 || x)), with p_1 and p_2 fixed padding values.
Problem with MACs: transmitter and receiver share the same key k. Hence there is no possibility to resolve internal disputes!

Secure Hash Algorithm family (SHA)
- SHA-1 (other hash functions: MD4, MD5, RIPE-MD): 512-bit blocks, 160-bit hash, "comes" with DSA. Padding: a single one bit followed by zeros up to 448 bits, then a 64-bit length field.
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512.
- SHA-1 is still in use but weaknesses have been found. SHA-2 is not so often used. SHA-1 is replaced by SHA-3 (based on Keccak).
- Keccak has good hardware performance, with speed/area trade-offs, outperforming SHA-2 by an order of magnitude. Keccak has overall good software performance: on AMD Bulldozer, 128-bit and 256-bit security hashing tops at 4.8 and 5.9 cycles/byte, respectively; on Intel Sandy Bridge, the same functions reach 5.4 and 6.9 cycles/byte.
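The Merkle-Damgård iteration, the h(k || x) extension weakness and the HMAC remedy from the slides above, as an added Python example that is not part of the lecture. The compression function and the 8-byte block size are toy choices made here; hmac and hashlib from the standard library provide the real HMAC.

```python
"""Merkle-Damgaard iteration, the h(k || x) MAC weakness and HMAC as the fix.
Added example, not from the lecture. The compression function is a toy built
on SHA-256 so it runs offline; the iteration h_i = h(x_i || h_{i-1}) follows
the slide exactly (no length field), which is what makes the plain keyed hash
extendable. HMAC from the standard library is the remedy."""
import hashlib
import hmac

BLOCK = 8         # toy block size in bytes (choice made here)
H0 = bytes(32)    # fixed initial chaining value, the slide's h_0


def compress(block, chain):
    """Fixed-length compression function h(x_i || h_{i-1}); toy, not a real one."""
    return hashlib.sha256(block + chain).digest()


def pad(x):
    """Zero-pad the last block to a multiple of BLOCK (toy padding)."""
    return x + bytes(-len(x) % BLOCK)


def md_hash(x, chain=H0):
    """Merkle-Damgaard: h_i = h(x_i || h_{i-1}) over the blocks of pad(x);
    h_m is the result. Passing a previous digest as `chain` continues it."""
    x = pad(x)
    for i in range(0, len(x), BLOCK):
        chain = compress(x[i:i + BLOCK], chain)
    return chain


def naive_mac(key, msg):
    """The slide's insecure MAC(k, x) = h(k || x)."""
    return md_hash(key + msg)


def extend_without_key(tag, suffix):
    """MAC(k, x || y) = h(y || MAC(k, x)), computed from the tag alone (no key),
    whenever len(k || x) is a multiple of BLOCK as on the slide. Shown only to
    make the weakness concrete; this is why HMAC exists."""
    return md_hash(suffix, chain=tag)


def hmac_tag(key, msg):
    """The fix: HMAC(x) = h(k || p1 || h(k || p2 || x)) via the standard
    library (its opad/ipad constants play the roles of p1 and p2)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def tag_ok(expected, received):
    """Constant-time comparison so that tag checking itself does not leak."""
    return hmac.compare_digest(expected, received)
```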
Modern ciphering modes
Combine ciphering with integrity protection; also referred to as AEAD (Authenticated Encryption with Associated Data) mode.
- Input: plaintext, key, and optionally a header in plaintext that will not be encrypted but will be covered by the authenticity protection.
- Output: ciphertext and authentication tag (message authentication code).
- Example: AES-GCM (Galois Counter Mode). Modern processors have HW support for this (x86: the PCLMULQDQ instruction). Much faster. Applied in the new TLS version.

Padding can be dangerous
For block ciphers we need padding to extend the data so that it will be a multiple of the block length (the last block is filled with data and so-called padding bytes). This can be dangerous, as was shown by Vaudenay in the so-called padding oracle attack on block ciphers in CBC mode (as used in TLS): the "attacker" sends ciphertexts to the official decryptor (e.g. the bank's TLS server), which acts as an "oracle" by answering "padding error" or "OK".

Padding oracle attack (a problem with implementations)
Recall cipher block chaining mode (CBC): C_i = e_K(P_i ⊕ C_{i−1}), C_0 = IV, ⊕ = XOR. So decryption is P_i = d_K(C_i) ⊕ C_{i−1}. Now suppose we have IV, C_1, C_2 and C_2 contains encrypted padding bytes: guess the byte that is masked by only a padding byte and send it to the oracle.

Use of hash functions
There are many: hashing passwords; in digital signatures; in hash chains such as the block chain in Bitcoin.

Digital signatures
Digital signature scheme = signature algorithm + verification algorithm; private signature key + public verification key.
Property: a third party can resolve disputes about the validity of a signature without the signer's private key. Supports non-repudiation.
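The PKCS#7 rules and the CBC equations above, together with the defensive pattern that removes the padding oracle (verify an authentication tag before decrypting, as AEAD modes do), as an added Python example that is not from the lecture. The toy Feistel block cipher, the keys and the sample messages are constructed here for illustration.

```python
"""PKCS#7 padding and CBC mode as on the slides, plus the defensive pattern
against padding-oracle leaks: authenticate before decrypting or unpadding.
Added example, not from the lecture. The block cipher is a toy 4-round
Feistel network built on SHA-256 so this runs offline; use AES in practice."""
import hashlib
import hmac
import os

BS = 16  # block size in bytes (as for AES)


def pkcs7_pad(data):
    """Slide rule: n = BS - (len mod BS) bytes, each with value n; a full last
    block gets a whole extra block of 0x10 so unpadding stays unambiguous."""
    n = BS - (len(data) % BS)
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    """Strict check of length, value range and EVERY padding byte (checking
    only the last byte is a common implementation error)."""
    if len(data) == 0 or len(data) % BS:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):  # toy Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt(key, block):  # e_K on one 16-byte block
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt(key, block):  # d_K: the rounds in reverse order
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    """C_i = e_K(P_i XOR C_{i-1}), C_0 = IV, after padding the plaintext."""
    prev, out = iv, b""
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BS):
        prev = toy_encrypt(key, _xor(padded[i:i + BS], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    """P_i = d_K(C_i) XOR C_{i-1}: flipping a byte of C_{i-1} flips the same
    byte of P_i, which is what a padding oracle lets an attacker exploit."""
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BS):
        blk = ciphertext[i:i + BS]
        out += _xor(toy_decrypt(key, blk), prev)
        prev = blk
    return out


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    iv = os.urandom(BS)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def unseal(enc_key, mac_key, blob):
    """Check the tag (constant time) BEFORE decrypting; tampered ciphertext
    never reaches the unpadding code, so there is no padding oracle to query."""
    iv, ct, tag = blob[:BS], blob[BS:-32], blob[-32:]
    expect = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if len(ct) == 0 or len(ct) % BS or not hmac.compare_digest(tag, expect):
        return None  # one generic failure, whatever went wrong
    return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
```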
Digital signatures (cont'd)
Public-key cryptography: it is computationally infeasible to compute the private signature key from the public verification key.
Two examples of digital signatures:
- DSS (relies on the discrete log problem), so it can be made to work whenever we can show that we have a discrete log mechanism.
- RSA signatures (rely on RSA encryption).

El Gamal signatures (basis for DSA/DSS; see the course book for the DSA/DSS scheme itself)
- p prime number, g of order p−1 modulo p. a is the private signature key, y_a = g^a mod p the public verification key.
- To sign m, A picks a random k with gcd(k, p−1) = 1, computes r = g^k mod p and solves a · r + k · s = m mod (p−1) in the unknown s. The signature on m is now (r, s).
- Verification: check whether (y_a)^r · r^s = g^m mod p.

RSA signatures
- Pick primes p, q and an integer e such that gcd(e, p−1) = 1, gcd(e, q−1) = 1. Public key: n, d, where n = pq and e·d = 1 mod lcm(p−1, q−1). (Note that on this slide e is the private exponent and d the public one, the reverse of the RSA encryption slide.)
- Hash the message to m and then the signature is s = m^e mod n.
- Verification: hash the received message to m and check whether s^d = m mod n.
- Property: we can select the public d to be small (e.g. d = 3 or d = 2^16 + 1). This allows fast verification.

RSA signature in practice
1. Hash the document Doc to hash(Doc).
2. Pad hash(Doc).
3. Encrypt the padded hash with RSA (it is regarded as a number in 0, …, n−1), giving the signature.
4. Combine Doc and the signature into the signed message.
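The El Gamal signature scheme above with the same small parameters as the course's Diffie-Hellman example (p = 19, g = 2), as an added Python example that is not from the lecture. The private key a = 11, the per-signature value k = 5 and the hashing of the message to m are choices made here.

```python
"""El Gamal signatures exactly as on the slide, with p = 19, g = 2.
Added example, not from the lecture. Numbers are tiny for hand checking;
real parameters are thousands of bits and m is the hash of the message."""
import hashlib
from math import gcd


def mult_order(g, p):
    """Smallest n >= 1 with g^n = 1 mod p (the slide's definition of order)."""
    n, acc = 1, g % p
    while acc != 1:
        acc = acc * g % p
        n += 1
    return n


def keygen(p, g, a):
    """Public verification key y_a = g^a mod p; g must have order p-1."""
    if mult_order(g, p) != p - 1:
        raise ValueError("g must have order p-1")
    return pow(g, a, p)


def hash_to_m(message, p):
    """Hash the message to a number m in [0, p-1), the range s is solved in."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (p - 1)


def sign(p, g, a, m, k):
    """k must be random, coprime to p-1 and never reused (reuse exposes a).
    Returns (r, s) with r = g^k and a*r + k*s = m (mod p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("gcd(k, p-1) must be 1")
    r = pow(g, k, p)
    # solve a*r + k*s = m (mod p-1) for s:  s = (m - a*r) * k^-1 mod (p-1)
    s = (m - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def verify(p, g, ya, m, sig):
    """Slide check: (y_a)^r * r^s = g^m mod p, with a sanity check on r."""
    r, s = sig
    if not 1 <= r < p:
        return False
    return pow(ya, r, p) * pow(r, s, p) % p == pow(g, m, p)


if __name__ == "__main__":
    p, g, a = 19, 2, 11
    ya = keygen(p, g, a)                 # 15, as in the DH example
    m = hash_to_m(b"pay 10$", p)
    sig = sign(p, g, a, m, 5)
    print(ya, m, sig, verify(p, g, ya, m, sig))
```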
RSA signature and birthday attack (figure): the document Doc ("10$") is hashed, padded and signed as above. An attacker prepares a second document Doc' ("1000$") and makes changes in both Doc and Doc' until hash(Doc) = hash(Doc'); the signature obtained on Doc is then also a valid signature on Doc'.

Key establishment protocols (chapter 15)
- Key agreement protocol: two parties establish a common key on their own.
- Key transport protocol: two parties establish a common key communicating with a trusted server.
Two examples:
• Diffie-Hellman protocol
• Needham-Schroeder protocol

Diffie-Hellman protocol (key agreement)
- p prime, g an element of order p−1.
- A picks a random a and sends y_a = g^a mod p to B.
- B picks a random b and sends y_b = g^b mod p to A.
- The common key is k = g^(ab) mod p, which both A and B can calculate by k = (y_b)^a = (y_a)^b.

Diffie-Hellman protocol – example
- p = 19, g = 2 (the order is 18, i.e. 2, 2^2 = 4, …, 2^9 = 18, …, 2^18 = 1 mod 19).
- A picks a random a, say a = 11, and sends y_a = 2^11 mod 19 = 15 to B.
- B picks a random b, say b = 7, and sends y_b = 2^7 mod 19 = 14 to A.
- The common key is k = g^(ab) mod p, which both A and B can calculate: A computes (y_b)^a mod 19 = 14^11 (mod 19) = 13 = key for A; B computes (y_a)^b mod 19 = 15^7 (mod 19) = 13 = key for B.

Needham-Schroeder protocol (Kerberos) – key transport
A and B have session keys (K_as and K_bs respectively) with the server S, the TTP.
1. A -> S: A, B, N_a
2. S -> A: e_Kas(N_a, B, K_ab, e_Kbs(K_ab, A))
3. A -> B: e_Kbs(K_ab, A)
4. B -> A: e_Kab(N_b)
5. A -> B: e_Kab(N_b − 1)
Now A and B agree on K_ab. N_x denotes a nonce value (a number appearing once).

Replacement of RSA (also in signatures): ECC
Elliptic curve cryptography uses the fact that we can define an operation on certain algebraic structures called elliptic curves that gives a problem similar to the discrete logarithm problem, for which we do not know an efficient algorithm.
For our purpose an elliptic curve is a plane curve consisting of the points satisfying the equation y^2 = x^3 + ax + b, along with a distinguished point at infinity, denoted O.
Operation = addition of points: draw the line through the two points, take its third intersection with the curve and reflect it, e.g. the addition of J and K as defined by the diagram.

ECC: operation = point addition (J ≠ K)
Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K). Let L = J + K, where L = (x_L, y_L), and let J ≠ K; then
x_L = s^2 − x_J − x_K
y_L = −y_J + s(x_J − x_L)
where s = (y_J − y_K)/(x_J − x_K) is the slope of the line through J and K.
If K = −J, i.e. K = (x_J, −y_J), then J + K = O, where O is the point at infinity. If K = J then J + K = 2J and the point doubling equations are used. Note: J + K = K + J.

ECC: operation = point doubling (J = K)
Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same elliptic curve. Consider a point J = (x_J, y_J). Let L = 2J, where L = (x_L, y_L), and let y_J ≠ 0; then
x_L = s^2 − 2x_J
y_L = −y_J + s(x_J − x_L)
where s = (3x_J^2 + a)/(2y_J) is the slope of the tangent at J and a is the parameter from the curve. If y_J = 0 then 2J = O, where O is the point at infinity.
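The point addition and point doubling formulas above, implemented over a prime field together with scalar multiplication (the operation ECC schemes are built on), as an added Python example that is not from the lecture. The curve y^2 = x^3 + 2x + 2 mod 17 and the base point (5, 1) are a small textbook example chosen here; None represents the point at infinity O.

```python
"""Point addition and doubling over a prime field with the slide's formulas,
plus scalar multiplication. Added example, not from the lecture. The curve
y^2 = x^3 + 2x + 2 mod 17 with base point (5, 1) is a textbook toy whose
group has 19 points; it is far too small for real use. None stands for O."""
P, A, B = 17, 2, 2   # field prime and curve parameters a, b (chosen here)


def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def neg(pt):
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P)


def add(j, k):
    """J + K per the slide: O is the identity; K = -J (which includes
    2J with y_J = 0) gives O; J = K uses the tangent slope, otherwise the
    chord slope s = (y_J - y_K)/(x_J - x_K). Division is a modular inverse."""
    if j is None:
        return k
    if k is None:
        return j
    xj, yj = j
    xk, yk = k
    if xj == xk and (yj + yk) % P == 0:
        return None
    if j == k:
        s = (3 * xj * xj + A) * pow(2 * yj, -1, P) % P
    else:
        s = (yj - yk) * pow((xj - xk) % P, -1, P) % P
    xl = (s * s - xj - xk) % P         # for J = K this is s^2 - 2x_J
    yl = (-yj + s * (xj - xl)) % P
    return xl, yl


def mul(n, pt):
    """n*P by double-and-add; the discrete-log-like problem is to recover n."""
    result = None
    while n > 0:
        if n & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        n >>= 1
    return result


if __name__ == "__main__":
    G = (5, 1)
    print([mul(n, G) for n in range(1, 20)])   # ends with None: 19*G = O
```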
The curve is usually defined over
- a prime field (i.e. calculating mod p), or
- binary fields F_2^m.

ECC vs RSA – storage
For the same estimated complexity of breaking the systems, ECC requires much smaller numbers. Storage (in bits):

| | ECDSA and ECES over GF(q) | RSA, 1024-bit n and e = 2^16 + 1 |
|---|---|---|
| system parameters | (4 × 160) + 1 = 641 | 0 |
| public key | 160 + 1 = 161 | 1024 + 17 = 1041 |
| private key | 160 (801 with system parameters) | 2048 (or 2560 with CRT information) |

ECC vs RSA – speed
Not so easy to compare, and the binary field case is special. For prime fields (1 curve addition = 10 modular operations):

| | ECDSA or ECES over GF(q), q 160 bits | RSA with 1024-bit n, e = 2^16 + 1, and CRT | Discrete logarithm systems with 1024-bit prime |
|---|---|---|---|
| encryption | 120 | 17 | 480 |
| decryption | 60 | 384 | 240 |
| signing | 60 | 384 | 240 |
| verification | 120 | 17 | 480 |

Certificates
How does B know that the verification key y_a that is used to verify A's signature is indeed user A's public verification key? To solve this question, public-key encryption and signature schemes rely on certificates. A certificate links an identity to a public key.

Certificate – typical format
- Description: version, encoding info
- Public key
- Usage info
- Signature
The signature "proves" that the public key is approved by the certificate issuer.

Certificate – how does it work?
- A certification authority (CA) is trusted.
- The CA links identity and public key by signing a document containing (e.g.) user name, key, CA, expiry date, etc.
- To verify a certificate, you need the CA's public verification key.
- The CA verification key may need to be verified by another CA, including another certificate, etc.

Certificate – example: an X.509 v3 certificate

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 28 (0x1c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Globus, CN=Globus Certification Authority
            Validity
                Not Before: Apr 22 19:21:50 1998 GMT
                Not After : Apr 22 19:21:50 1999 GMT
            Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                        <snip>
                        b4:e1:54:e7:87:57:b7:d0:61
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
            <snip>
            8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:

The validity period is checked against the verifier's clock, so NTP is highly recommended.

Public Key Infrastructure (PKI)
A certificate may include attributes such as access rights, usage conditions, etc. The corresponding private key will then provide a capability equipped with the access rights specified in the certificate.
Certificates in a PKI (X.509 structure for certificates)
A self-signed CA certificate verifies the users' certificates (Cert A, Cert B, Cert 1, Cert 2, …). Revocation of certificates is the really tricky aspect.

Certificates (cont'd)
Positive aspects:
- Scalable: many users
- Can be used in off-line situations
Negative aspects:
- Certificate revocation is difficult
- Certificate revocation status checking is problematic:
  • on-line checking: Online Certificate Status Protocol (OCSP)
  • distribution of Certificate Revocation Lists (CRLs)

2.2 Cryptanalysis
Extends chapter 14.

Cryptanalysis: any technique can be used!
- By demonstration: show that you can break the system (i.e. find the key, decrypt a message, forge a signature, find a collision, etc.) in a significant number of cases.
- By theoretical analysis: not necessarily breaking a complete system in practice; distinguisher attacks; key strength is (significantly) less than designed.

Unicity distance (Shannon '48)
A block cipher with key K of b bits encrypts cleartext blocks M[i] into cipher blocks C[i]. Plot the key uncertainty (log of the number of keys that are still possible) against the number i of observed cipher blocks: it decreases until no uncertainty is left, i.e. the key is uniquely determined, after D blocks. The unicity distance is D × blocksize. This means that ciphers leak information about the key when being used to encrypt, e.g., English text.

Consequence
Since most data sources have redundancy, we have a situation where after some time of use of a cipher the key is uniquely determined, always.
In practice we often do not know how to use the observed data (in an algorithm) to recover the key. Thus we often have to rely on computational facts and assumptions (e.g. the discrete logarithm) to show that we cannot cryptanalyze the cipher.

Techniques for cryptanalysis
- Statistical
- Algebra
- Physical phenomena (e.g. results of information leakage)
- Brute force (or close to it)

Brute force
- Using general purpose computers
- Using special hardware:
  • FPGAs, e.g. DES in less than a day (COPACOBANA, 2006)
  • GPUs, e.g. Nvidia GPU
  • Custom HW: very expensive, likely something for national security agencies that can spend much money