Datasäkerhet/Data security EDA625 – Lect2 CRYPTOGRAPHY

Datasäkerhet/Data security EDA625 – Lect2
2016 Ben Smeets

Repetition – Lect1
• History of IT security
• Managing Security
• Risk and Threat analysis (Risk och Sårbarhetsanalys)
• Computer Security: Confidentiality, Integrity, Availability
• ITSEC, Common Criteria, Orange Book
• Legal aspects
• Books and further reading
• Ordlista (glossary)
LTH Electrical and Information Technology - Datasäkerhet EDA625
Agenda – Lect2
• Cryptography
• A few words on Cryptanalysis

2.1 CRYPTOGRAPHY AND KEY ESTABLISHMENT
Covers and expands chapters 14 and 15
Cryptography (Chap 14*)
• Introduction to the basic concepts
• Understand the type of problems cryptography can address
• Indicate the computer security features that are required to support cryptography
• Cryptographic basic functions
• Key agreement protocols
• Public-Key Infrastructure
• Cryptanalysis

The old paradigm: insecure communication links
[Figure: A and B communicate over an insecure link with an (active) wiretapper; the goals are data confidentiality, data integrity and data origin authentication]
* Chap 11 in 2nd edition
New paradigms - Ecommerce
[Figure: A and B with a Trusted Third Party TTP between them]
The insiders have no reason to trust each other
Trusted Third Party TTP
Non-repudiation services generate evidence for resolving a dispute

New paradigms - Law enforcement
[Figure: A and B with a TTP and a Law Enforcement Agency LEA]
Law Enforcement Agency LEA
An interception warrant obliges access to communication
The operator must provide a key escrow service
Cryptographic mechanisms
Cryptographic algorithms use keys to protect data
• Encryption algorithms
• Integrity check functions (cryptographic hash functions)
• Digital signature schemes
• Key establishment protocols

Cryptographic keys
Key management is the topic of addressing
• Where are keys generated?
• How are keys generated?
• Where are keys stored?
• How do they get there?
• Where are keys used?
• How are they revoked and replaced?
Cryptographic primitives
[Figure: taxonomy of crypto primitives (there are more but in this course these are the important ones)]
• Unkeyed: arbitrary length hash functions, one-way permutations
• Symmetric-key: ciphers (block cipher, stream cipher), arbitrary length MACs, identification schemes
• Public-key: ciphers, signatures, identification schemes

Common approaches to construct primitives
Use ideas from: Combinatorics, Algebra, Number Theory, Probability Theory, Theoretical Computer Science
Some mathematics - Modular arithmetic
Definition: a ≡ b mod m iff a-b = k·m for some integer k
(in words: the difference of a and b is a multiple of m)
Calculation rules:
addition ‘+’: (a mod m) ‘+’ (b mod m) = (a+b mod m)
multiplication ‘·’: (a mod m) ‘·’ (b mod m) = (a·b mod m)
Usually we just write + instead of ‘+’ and · instead of ‘·’ (or even drop the · symbol, i.e., a · b = ab)

Examples
+ operation: (7 mod 21) + (18 mod 21) = 25 mod 21 = 4 mod 21
* operation: (7 mod 21) * (18 mod 21) = 126 mod 21 = 0 mod 21 !!!!!
this may look strange but this is the answer since 21 divides 126
More mathematics
Let p be a prime and a an arbitrary (nonzero) integer.
The multiplicative order modulo p is defined to be the smallest integer n such that a^n = 1 mod p.
Question: Is there always an inverse mod p?
Fermat’s Little Theorem: For all a (not zero modulo p) we have a^(p-1) = 1 mod p.

Examples: inverse mod p
Let p=17 and choose a=3
The inverse of a mod 17 is denoted as a^-1 (mod 17)
The value of a^-1 (mod 17) = 6
Indeed 3*6 (mod 17) = 18 (mod 17) = 1 (mod 17)
Computing inverses mod m
• If m is a prime then we can use Fermat’s little theorem
• In general we can use Euclid’s algorithm for computing the gcd to obtain the inverse mod m
• Remember: there is not always an inverse mod m. So you need to check if it exists.

Famous problems with crypto relevance
Discrete log problem (DLP): Given prime p, the base a, and y=a^x mod p, find the discrete logarithm x of y.
Factorization: Given an integer n, find its prime factors.
N-th root (mod m) problem: Given numbers a and m, find x such that a=x^N mod m

Encryption
Encryption algorithm, cipher - protects confidentiality
• Symmetric algorithms: same secret key for encryption/decryption. (fast)
• Asymmetric algorithms: Public encryption key, secret decryption key. (slow)
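The two ways of computing an inverse mod m described above, as an added example (not code from the lecture): Fermat's theorem when m is prime, extended Euclid otherwise, and the existence check that the slide warns about. The small trial-division primality test is an assumption used only to pick the method.

```python
# Added example (not from the lecture slides): inverse mod m via Fermat
# (prime modulus) or via the extended Euclidean algorithm (general m),
# returning None when gcd(a, m) != 1 and no inverse exists.


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with g = gcd(a, b) = u*a + v*b."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def inverse_euclid(a, m):
    """Inverse of a mod m, or None if it does not exist.

    An inverse exists iff gcd(a, m) = 1; then u*a + v*m = 1 gives u*a = 1 mod m.
    """
    g, u, _ = egcd(a % m, m)
    if g != 1:
        return None
    return u % m


def inverse_fermat(a, p):
    """Inverse of a mod prime p: a^(p-1) = 1 mod p, so a^(p-2) is the inverse."""
    if a % p == 0:
        raise ValueError("0 has no inverse")
    return pow(a, p - 2, p)


def is_prime(n):
    """Trial division; enough for the lecture-sized moduli used here (assumption)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def inverse_mod(a, m):
    """As on the slide: Fermat when m is prime, Euclid otherwise (with existence check)."""
    if is_prime(m):
        return inverse_fermat(a, m)
    return inverse_euclid(a, m)


if __name__ == "__main__":
    print(inverse_mod(3, 17))   # 6, since 3*6 = 18 = 1 mod 17
    print(inverse_mod(7, 21))   # None: gcd(7, 21) = 3, so 7 has no inverse (7*18 = 0 mod 21)
    print(inverse_mod(5, 21))   # 17, since 5*17 = 85 = 4*21 + 1
```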
Symmetric encryption
Block ciphers vs Stream ciphers
Examples of block ciphers: DES, AES, Blowfish, Kasumi.
Triple-DES (EDE): C = e_K1(d_K2(e_K1(P)))
Examples of stream ciphers: RC4, SNOW, Sober, E0, A5/1, A5/2.
Block cipher – structure (most of them)
[Figure: Data in → round functions → Data out; key → key scheduler → round keys. Examples: AES, DES, IDEA]

Three Block cipher modes
Electronic code book mode (ECB): each block is encrypted on its own, C_i = e_K(P_i)
Cipher block chaining mode (CBC): C_i = e_K(P_i ⊕ C_{i-1}), C_0 = IV, ⊕ = XOR
Output feedback mode (OFB): C_i = P_i ⊕ O_i, O_i = e_K(O_{i-1}), O_0 = IV

Chess board
[Figure: the original chess board image]
DES encryption ECB mode – separate blocks
[Figure: the chess board encrypted with DES in ECB mode; the block pattern of the image remains visible]
DES encryption CBC mode – block chaining
[Figure: the chess board encrypted with DES in CBC mode; no pattern remains visible]

Block ciphers need padding
PKCS#7
If data fills a complete block then add a new block with bytes set to the block length of the cipher, e.g. 16 bytes set to 0x10 for AES.
Else fill the block with bytes set to the value equal to the number of padding bytes added. For example if we have to add three padding bytes then the last block looks like
[ X, X, X, …., X, 0x03, 0x03, 0x03 ]
(X = data bytes, 0x03 = padding bytes; these are the bytes of the last block to encrypt)
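PKCS#7 padding as described above, as an added example (not code from the lecture), covering both the partial-block and the full-block case, together with the strict unpad check a decryptor must perform. Whether the outcome of that check is observable to a remote sender is exactly what the padding oracle attack discussed later in this lecture exploits.

```python
# Added example (not from the lecture slides): PKCS#7 pad/unpad for a
# block cipher with a 16-byte block (AES); the unpad rejects every malformed pad.


def pkcs7_pad(data, block_size=16):
    """Pad to a multiple of block_size; the n padding bytes all have the value n.

    If data already fills the last block, a whole extra block with value
    block_size is added (16 bytes of 0x10 for AES), so unpadding stays unambiguous.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be in 1..255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=16):
    """Remove PKCS#7 padding; raise ValueError on any malformed padding."""
    if len(data) == 0 or len(data) % block_size != 0:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block_size:
        raise ValueError("bad padding length byte")
    if data[-n:] != bytes([n]) * n:
        raise ValueError("padding bytes are not all equal to the length")
    return data[:-n]


def last_block(data, block_size=16):
    """The final block that actually goes into the cipher after padding."""
    return pkcs7_pad(data, block_size)[-block_size:]


if __name__ == "__main__":
    # 13 data bytes -> 3 padding bytes: [X, ..., X, 0x03, 0x03, 0x03]
    print(last_block(b"X" * 13).hex())
    # exactly one full block -> an entire extra block of 0x10
    print(last_block(b"X" * 16).hex())
    # a valid pad round-trips; a corrupted one raises ValueError
    print(pkcs7_unpad(pkcs7_pad(b"hello")))
```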
Stream ciphers
[Figure: key → keystream generator → keystream z_t; plaintext m_t is combined with z_t to give ciphertext c_t = m_t ⊕ z_t]

RSA encryption (asymmetric)
Pick primes p, q and integer d such that gcd(d,p-1)=1, gcd(d,q-1)=1. (usually 1<d<(p-1)(q-1))
Public key: n, e, where n=p×q and e×d=1 mod (p-1)(q-1).
Encryption: c=m^e mod n.
Decryption: m=c^d mod n
Why does RSA work?
Encryption-Decryption: (assume m ≠ 0 mod p or q)
(m^e)^d mod n = m^(ed) mod n
= m^(1+k(p-1)(q-1)) mod n (for some k)
= (m^1 mod n)·((m^((p-1)(q-1)))^k mod n)
= (m mod n)·(1^k mod n)
= m
where we use that m^((p-1)(q-1)) mod p = 1^(q-1) mod p = 1 mod p, and likewise
m^((p-1)(q-1)) mod q = 1^(p-1) mod q = 1 mod q,
which gives, with additional work (see next slide), that
m^((p-1)(q-1)) mod n = 1 mod n

Simultaneous solutions mod p and mod q
Let n = p × q, where p, q are two different primes
If a in [0, n) = {0,1,…,n-1} then
(*) a = 1 mod p and
(**) a = 1 mod q if and only if a = 1
“one side of the proof”
Suppose p < q, and from (**) let a = 1 + k×q. From (*) then p divides a-1 = k×q so p must divide k. Thus a = 1 + k’pq = 1 + k’n for some k’. But then a does not lie in the interval [0, n) for k’ ≠ 0, so k’ must be 0 and thus a = 1
Generalization of this is called the Chinese Remainder Theorem

Strength of mechanisms
Empirically secure: Secure based on the fact that no one has broken it for some time.
Provably secure: We prove that breaking a scheme is at least as hard as breaking some well known problem like factoring or discrete log.
Unconditionally secure: The schemes are secure even if the adversary has unlimited computing power

Integrity check functions – hash functions
Properties of function (call it here h)
• ease of computation: easy to compute h(x)
• compression: arbitrary bitlengths to fixed length
• one-way: given y it is in general infeasible to find x such that h(x)=y
• weak collision resistance: given x, h(x) it is infeasible to find x’ ≠ x such that h(x)=h(x’)
• strong collision resistance: it is infeasible to find x, x’ (x ≠ x’) such that h(x)=h(x’)
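The RSA computation and the fact m^((p-1)(q-1)) = 1 mod n used in the two proofs above, as an added example (not code from the lecture). The primes 61 and 53 and the private exponent d = 2753 are an assumption chosen so the numbers can be checked by hand; real RSA uses primes of a thousand bits or more.

```python
# Added example (not from the lecture slides): RSA key setup, encryption and
# decryption on toy primes, plus a check of the identity the correctness
# argument relies on. Slide convention: d is chosen first, e = d^-1 mod (p-1)(q-1).
from math import gcd


def rsa_keygen(p, q, d):
    """Return ((n, e), d) with n = p*q and e*d = 1 mod (p-1)(q-1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(d, p - 1) != 1 or gcd(d, q - 1) != 1:
        raise ValueError("d must be invertible modulo (p-1)(q-1)")
    e = pow(d, -1, phi)            # modular inverse (Euclid), Python 3.8+
    assert (e * d) % phi == 1
    return (p * q, e), d


def rsa_encrypt(pub, m):
    """c = m^e mod n for a message m regarded as a number in [0, n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    """m = c^d mod n."""
    return pow(c, d, n)


def euler_identity_holds(p, q, m):
    """m^((p-1)(q-1)) is 1 mod p, 1 mod q and therefore 1 mod n (m not 0 mod p or q)."""
    n = p * q
    if m % p == 0 or m % q == 0:
        raise ValueError("the argument assumes m is nonzero mod p and mod q")
    t = pow(m, (p - 1) * (q - 1), n)
    return t % p == 1 and t % q == 1 and t == 1


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 2753)           # n = 3233, e = 17
    c = rsa_encrypt(pub, 65)
    print(pub, c, rsa_decrypt(pub[0], d, c))    # (3233, 17) 2790 65
    print(euler_identity_holds(61, 53, 65))     # True
```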
Manipulation detection codes MDCs
One-way hash function: compression, …, weak collision resistance
Expected # trials before a collision to a given y=h(x) is 2^(n-1) (n = bit length of h(x))
Collision-resistant hash functions: compression, …, strong collision resistance
Expected # trials before a collision to a previously observed y=h(x) is approx 2^(n/2) out of the 2^n possible values (Birthday Paradox)
[Figure: two different inputs x and x’ mapping to the same value h(x)]
Hash functions
The function h(x)=g^x mod p is a one-way function for suitable values of p, g (discrete exponentiation). To invert the function, you must solve the DLP.
Problem - it’s slow...

How to construct a fast hash function
No secret information (no keys)
The result: hash value, message digest, checksum
Ex. Compression function h with fixed input/output length
Input x of arbitrary length is broken up into blocks x = x1 x2 ... xm where padding is applied to the last block
h0 fixed value. Recursive applications of h by h_i = h(x_i || h_{i-1}) for i=1..m
Finally, h_m is the hash result.

Merkle-Damgård construction
[Figure: starting from IV, the blocks x1, x2, …, xm and a final length block are fed through h one after the other]

MACs
Message authentication codes prove the integrity of a message (source).
Computed from two inputs, message and a key (therefore MACs are also called keyed hash functions).
Security property: For any key k unknown to the adversary, given a set of values (x_i, h_k(x_i)), it is (almost) impossible to compute h_k(x) for a new message x.
Be careful to make your own MAC:
Having a hash construction h_i = h(x_i || h_{i-1}) in the MAC algorithm MAC(k,x) = h(k||x), with key k, results in an insecure construction
To see this let: x = x1 x2 ... xm and x’ = x1 x2 ... xm y
Now if we know MAC(k,x) then we can compute MAC(k, x’) without knowing the key since MAC(k, x’) = h(y || MAC(k,x))

HMAC
Take any (good) hash function h
HMAC(x) = h(k||p1 || h(k||p2||x))
Problem with MACs: Transmitter and receiver share the same key k. Hence, no possibility to resolve internal disputes!
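The iterated hash h_i = h(x_i || h_{i-1}) from the construction slide and the MAC(k,x) = h(k||x) weakness from the slide above, as an added example (not code from the lecture): the extension MAC(k, x||y) = h(y || MAC(k,x)) is checked numerically, and HMAC from the standard library is shown not to have this property. The compression function (SHA-256 of block||chaining value, truncated to 16 bytes) and the 16-byte key, message and extra block are assumptions; as on the slide, no length block is appended.

```python
# Added example (not from the lecture slides): a toy Merkle-Damgård hash,
# the extendable prefix MAC built from it, and HMAC for comparison.
import hashlib
import hmac

BLOCK = 16
H0 = b"\x00" * 16          # h_0: the fixed starting value (IV)


def compress(x_i, h_prev):
    """Assumed compression function h with fixed-size input and output."""
    return hashlib.sha256(x_i + h_prev).digest()[:16]


def md_hash(x, state=H0):
    """h_i = h(x_i || h_{i-1}) over 16-byte blocks, starting from state.

    The last block is zero-padded; like the slide, no length block is added.
    """
    h = state
    for i in range(0, len(x), BLOCK):
        block = x[i:i + BLOCK].ljust(BLOCK, b"\x00")
        h = compress(block, h)
    return h


def prefix_mac(k, x):
    """The insecure construction MAC(k, x) = h(k || x)."""
    return md_hash(k + x)


def extend_prefix_mac(mac_of_x, y):
    """h(y || MAC(k,x)): continue the iteration from a known MAC, no key needed."""
    return md_hash(y, state=mac_of_x)


def hmac_sha256(k, x):
    """HMAC(k, x) = h(k||p1 || h(k||p2||x)), with p1, p2 the standard pad constants."""
    return hmac.new(k, x, hashlib.sha256).digest()


def demo():
    # Constructed values; k||x is whole blocks so no padding is involved.
    k = b"secret-key-16byt"
    x = b"block-one-of-msg"
    y = b"appended-block-y"
    assert len(k) == len(x) == len(y) == BLOCK
    genuine = prefix_mac(k, x + y)
    forged = extend_prefix_mac(prefix_mac(k, x), y)    # computed without k
    # The same continuation applied to an HMAC tag is unrelated to the real tag.
    continued = md_hash(y, state=hmac_sha256(k, x)[:16])
    return forged == genuine, continued == hmac_sha256(k, x + y)[:16]


if __name__ == "__main__":
    print(demo())    # (True, False): prefix MAC is extendable, HMAC is not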
Secure Hash Algorithm family (SHA)
SHA-1 (Other hash functions MD4, MD5, RIPE-MD)
512 bit blocks, 160 bit hash, “comes” with DSA.
Padding: a single one bit + zeros to 448 bits, then a 64 bit length field.
SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
SHA-1 is still in use but weaknesses have been found.
SHA-2 not so often used.
SHA-1 replaced by SHA-3 (based on KECCAK)
Keccak has good hardware performance, with speed/area trade-offs, outperforming SHA-2 by an order of magnitude
Keccak has overall good software performance. On AMD™ Bulldozer™, 128-bit and 256-bit security hashing tops at 4.8 and 5.9 cycles/byte, respectively. On Intel™ Sandy Bridge™, the same functions reach 5.4 and 6.9 cycles/byte.

Problem with implementations
For block ciphers we need padding to extend the data so it will be a multiple of the block length (the last block is filled with data and so-called padding bytes)
This can be dangerous as was shown by Vaudenay in the so-called padding oracle attack on block ciphers in CBC mode (as used in TLS)
[Figure: the “attacker” sends ciphertext to the “oracle”, the official decryptor (e.g. the bank's TLS server), which answers “padding error” or “OK”]

Padding oracle attack
Recall: Cipher block chaining mode (CBC): C_i = e_K(P_i ⊕ C_{i-1}), C_0 = IV, ⊕ = XOR
So decryption is P_i = d_K(C_i) ⊕ C_{i-1}
Now if we have the following IV, C1, C2 and C2 contains encrypted padding bytes
[Figure: the byte masked by only a padding byte is guessed and the modified ciphertext is sent to the oracle]

Modern ciphering modes
Combine ciphering with integrity protection
Also referred to as AEAD (Authenticated Encryption with Associated Data) mode
• Input: plaintext, key, and optionally a header in plaintext that will not be encrypted, but will be covered by authenticity protection.
• Output: ciphertext and authentication tag (Message Authentication Code).
Example AES-GCM (Galois Counter Mode)
• Much faster
• Applied in new TLS version
• Modern processors have HW support for this
• X86: PCLMULQDQ instruction
Use of hash functions
There are many …
• Hash passwords
• In digital signatures
• In hash chains such as the Block chain in Bitcoin

Digital signatures
Digital signature scheme = signature algorithm + verification algorithm, private signature key + public verification key
Property: A third party can resolve disputes about the validity of a signature without the signer’s private key. Support non-repudiation.

cont’d
Public-key cryptography
It is computationally infeasible to compute the private signature key from the public verification key.

Two examples of digital signatures
• DSS (relies on the discrete log problem), so it can be made to work whenever we can show that we have a discrete log mechanism
• RSA Signatures (relies on RSA encryption)
RSA signatures
Pick primes p, q and integer e such that gcd(e,p-1)=1, gcd(e,q-1)=1.
Public key: n, d, where n=pq and e·d ≡ 1 mod lcm(p-1,q-1).
Hash message to m and then signature s=m^e mod n.
Verification: Hash received message to m and check if s^d = m mod n
Property: We can select public d to be small (e.g. d=3 or d=2^16+1). This allows fast verification.

El Gamal signatures (basis for DSA/DSS)
See course book for DSA/DSS scheme itself
p prime number, g of order p-1 modulo p
a is the private signature key, ya=g^a mod p the public verification key.
To sign m, A picks random k, gcd(k,p-1)=1, computes r=g^k mod p and solves
a · r + k · s = m mod (p-1)
in the unknown s. Signature on m is now (r,s)
Verification: Check if (ya)^r · r^s = g^m mod p
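The El Gamal signing equation and verification check from the slide above, as an added example (not code from the lecture). The group p = 23 with generator g = 5, the private key a = 6 and the per-signature value k = 3 are assumptions small enough to check by hand; in a real scheme p is large, m is the hash of the message, and k must be fresh and secret for every signature.

```python
# Added example (not from the lecture slides): El Gamal signatures on a toy
# group. Solving a*r + k*s = m (mod p-1) for s needs the inverse of k mod p-1,
# which is why gcd(k, p-1) = 1 is required.
from math import gcd

P, G = 23, 5            # assumption: g = 5 has order p-1 = 22 modulo 23


def keygen(a):
    """Private key a, public verification key ya = g^a mod p."""
    return a, pow(G, a, P)


def sign(a, m, k):
    """Return (r, s): r = g^k mod p and s solving a*r + k*s = m (mod p-1)."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible modulo p-1")
    r = pow(G, k, P)
    k_inv = pow(k, -1, P - 1)                 # Python 3.8+ modular inverse
    s = ((m - a * r) * k_inv) % (P - 1)
    return r, s


def verify(ya, m, sig):
    """Check (ya)^r * r^s = g^m mod p."""
    r, s = sig
    if not (0 < r < P):
        return False
    return (pow(ya, r, P) * pow(r, s, P)) % P == pow(G, m, P)


if __name__ == "__main__":
    a, ya = keygen(6)                  # ya = 5^6 mod 23 = 8
    sig = sign(a, 10, k=3)             # (r, s) = (10, 20)
    print(sig, verify(ya, 10, sig))    # (10, 20) True
    print(verify(ya, 11, sig))         # False: the signature does not fit another m
```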
RSA signature in practice
[Figure: 1. Hash the Doc; 2. Pad: hash(Doc) + padding, regarded as a number 0,…,n-1; 3. Encrypt with RSA; 4. Combine: signed message = signature || Doc]

RSA signature and birthday attack
[Figure: Doc (10$) and Doc’ (1000$) are both varied (changes here, and changes here) until hash(Doc) = hash(Doc’); the RSA signature obtained on Doc is then also a valid signature on Doc’]
Key establishment protocols (chapter 15)
Key agreement protocol: Two parties establish a common key on their own.
Key transport protocol: Two parties establish a common key communicating with a trusted server.
Two examples:
• Diffie-Hellman protocol
• Needham-Schroeder protocol

Diffie-Hellman protocol
Key agreement protocol
p prime, g an element of order p-1.
A picks random a and sends ya=g^a mod p to B
B picks random b and sends yb=g^b mod p to A
The common key is k=g^(ab) mod p, which both A and B can calculate by k = (yb)^a = (ya)^b
Diffie-Hellman protocol - Example
p=19, g=2 (order is 18, i.e. 2, 2^2=4, …, 2^9=18, …, 2^18=1 mod 19)
A picks random a: say a=11 and sends ya=2^11 mod 19 = 15 to B
B picks random b: say b=7 and sends yb=2^7 mod 19 = 14 to A
The common key is k=g^(ab) mod p, which both A and B can calculate
A: computes (yb)^a mod 19 = 14^11 (mod 19) = 13 = key for A
B: computes (ya)^b mod 19 = 15^7 (mod 19) = 13 = key for B

Needham-Schroeder protocol (Kerberos)
Key transport protocol
A, B have session keys (Kas and Kbs respectively) with server S (= TTP)
1. A->S: A, B, Na
2. S->A: eKas(Na, B, Kab, eKbs(Kab, A))
3. A->B: eKbs(Kab, A)
4. B->A: eKab(Nb)
5. A->B: eKab(Nb-1)
Now A and B agree on Kab
Nx a nonce value = number appearing once
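The Diffie-Hellman run from the example slide (p = 19, g = 2, a = 11, b = 7), as an added example (not code from the lecture), with a check that g really has order p-1 and a brute-force discrete log that shows what the wiretapper would have to solve, which is only feasible because p is tiny.

```python
# Added example (not from the lecture slides): Diffie-Hellman with the
# slide's numbers; every exponentiation is pow(base, exp, p).


def order(g, p):
    """Smallest n >= 1 with g^n = 1 mod p (brute force; fine for tiny p)."""
    n, v = 1, g % p
    while v != 1:
        v = (v * g) % p
        n += 1
    return n


def dh_exchange(p, g, a, b):
    """Return (ya, yb, key_A, key_B) for A's private a and B's private b."""
    ya = pow(g, a, p)          # A -> B
    yb = pow(g, b, p)          # B -> A
    key_a = pow(yb, a, p)      # A computes (yb)^a = g^(ab)
    key_b = pow(ya, b, p)      # B computes (ya)^b = g^(ab)
    return ya, yb, key_a, key_b


def discrete_log(p, g, y):
    """Find x with g^x = y mod p by trying every exponent: the DLP the
    wiretapper faces, practical only for toy p."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    raise ValueError("no logarithm")


if __name__ == "__main__":
    print(order(2, 19))                  # 18, so g = 2 generates all of Z_19^*
    print(dh_exchange(19, 2, 11, 7))     # (15, 14, 13, 13)
    print(discrete_log(19, 2, 15))       # 11: a recovered from ya, only because p = 19
```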
Replacement of RSA: ECC
Elliptic Curve Cryptography uses the fact that we can define an operation on certain algebraic structures called elliptic curves that gives a problem similar to the discrete logarithm problem for which we do not know an efficient algorithm
For our purpose an elliptic curve is a plane curve which consists of the points satisfying the equation
y^2 = x^3 + ax + b,
along with a distinguished point at infinity, denoted O.
Operation = addition of points on the curve, e.g. addition of J and K, as defined by the diagram
[Figure: the line through J and K meets the curve in a third point; reflect it in the x-axis to obtain J + K]

ECC: operation = point addition (J ≠ K)
Consider two distinct points J and K such that J = (xJ, yJ) and K = (xK, yK)
Let L = J + K, where L = (xL, yL), and let J ≠ K, then
xL = s^2 - xJ – xK
yL = - yJ + s (xJ – xL)
where s = (yJ – yK)/(xJ – xK), s is the slope of the line through J and K.
If K = -J, i.e. K = (xJ, -yJ), then J + K = O, where O is the point at infinity.
If K = J then J + K = 2J and the point doubling equations are used.
Note: J + K = K + J

ECC: operation = point doubling (J = K)
Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same elliptic curve.
Consider a point J such that J = (xJ, yJ)
Let L = 2J, where L = (xL, yL), and let yJ ≠ 0, then
xL = s^2 - 2xJ
yL = - yJ + s (xJ – xL)
where s = (3xJ^2 + a)/(2yJ), s is the tangent at J and a is the parameter from the curve.
If yJ = 0 then 2J = O, where O is the point at infinity.

Curve is usually defined over
• Prime field (i.e. calculating mod p)
• Binary fields F_2^m
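The point addition and doubling formulas above carried out over a prime field, as an added example (not code from the lecture). The curve y^2 = x^3 + 2x + 2 mod 17 and the base point (5, 1) are assumptions chosen so the results can be checked by hand; division in the formulas becomes multiplication by an inverse mod p, and scalar multiplication (double-and-add) is the operation whose inverse is the elliptic-curve discrete log problem.

```python
# Added example (not from the lecture slides): elliptic-curve point
# arithmetic over F_p with the slide's formulas.

P, A, B = 17, 2, 2          # assumption: curve y^2 = x^3 + A x + B over F_17
O = None                    # the point at infinity


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def neg(pt):
    """-J = (xJ, -yJ)."""
    return O if pt is O else (pt[0], (-pt[1]) % P)


def add(j, k):
    """J + K; for J = K the tangent slope is used (point doubling)."""
    if j is O:
        return k
    if k is O:
        return j
    xj, yj = j
    xk, yk = k
    if xj == xk and (yj + yk) % P == 0:   # K = -J, and also 2J when yJ = 0
        return O
    if j == k:
        s = (3 * xj * xj + A) * pow(2 * yj, -1, P) % P    # s = (3xJ^2 + a)/(2yJ)
    else:
        s = (yj - yk) * pow(xj - xk, -1, P) % P           # s = (yJ - yK)/(xJ - xK)
    xl = (s * s - xj - xk) % P                            # = s^2 - 2xJ when J = K
    yl = (-yj + s * (xj - xl)) % P
    return (xl, yl)


def mul(n, pt):
    """n * pt by double-and-add; the one-way operation ECC is built on."""
    result, addend = O, pt
    while n > 0:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result


if __name__ == "__main__":
    G = (5, 1)
    print(on_curve(G), add(G, G), mul(3, G))    # True (6, 3) (10, 6)
    print(mul(19, G))                           # None: G has order 19 on this curve
    # Diffie-Hellman on the curve: both sides reach the same point
    print(mul(4, mul(7, G)) == mul(7, mul(4, G)))   # True
```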
ECC vs RSA - storage
For the same estimated complexity of breaking the systems ECC requires much smaller numbers.

Storage (bits) | ECDSA and ECES over GF(q) | RSA 1024-bit n and e=2^16+1
system parameters | (4 x 160)+1 = 641 | 0
public key | 160+1 = 161 | 1024 + 17 = 1041
private key | 160 (801 with system parameters) | 2048 (or 2560 with CRT information)
ECC vs RSA - speed
Not so easy to compare, and the binary field case is special.
For prime fields:

Speed (1 curve add = 10 mod ops) | ECDSA or ECES over GF(q), q 160 bit | RSA with 1024-bit n, e=2^16+1, and CRT | Discrete logarithm systems with 1024-bit prime
encryption | 120 | 17 | 480
decryption | 60 | 384 | 240
signing | 60 | 384 | 240
verification | 120 | 17 | 480

Certificates
How does B know that the verification key ya that is used to verify A’s signature is indeed user A’s public verification key?
To solve this question public-key encryption and signature schemes rely on certificates.
Certificate = links an identity to a public key

Certificate – typical format
[Figure: Description (version, encoding info), Public key, Usage info, Signature. The signature “proves” that the public key is approved by the cert issuer]
How does it work?
Certification authority (CA) is trusted
CA links identity-public key by signing a document containing (e.g.) user name, key, CA, expiry date, etc.
To verify a certificate, you need the CA public verification key.
The CA verification key may need to be verified by another CA, including another certificate, etc.
NTP is highly recommended (the validity period is checked against the local clock)

Certificate – Example X509 v3 certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 1998 GMT
            Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    <snip>
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:
Public Key Infrastructure (PKI)
X.509 structure for certificates
May include attributes such as access rights, usage conditions, etc. in the certificate
The corresponding private key will then provide a capability equipped with the access rights specified in the certificate.
Revocation of certificates: the really tricky aspect

Certificates in PKI
[Figure: a self-signed CA cert verifies Cert 1, Cert 2, …; Cert A and Cert B are verified through the chain]

Certificates (cont’d)
Positive aspects
• Scalable: many users
• Can be used in off-line situations
Negative aspects
• Certificate revocation is difficult
• Certificate revocation status checking is problematic
  • On-line checking: Online Certificate Status Protocol (OCSP)
  • Distribution of Certificate Revocation Lists (CRLs)

2.2 CRYPTANALYSIS
Extends chapter 14
Cryptanalysis
Any technique can be used!
By demonstration: Show that you can break the system (i.e. find the key, decrypt a message, forge a signature, find a collision, etc) in a significant number of cases
By theoretical analysis: Not necessarily breaking a complete system in practice
• Distinguisher attacks
• Key strength is (significantly) less than designed.

Unicity Distance (Shannon ‘48)
[Figure: cleartext M[i] → block cipher with key K (b bits) → ciphertext C[i]. The key uncertainty (log # keys that are possible) decreases with the number of observed crypto blocks i until, after D blocks, no uncertainty is left (= the key is uniquely determined)]
Unicity distance = D*blocksize
This means that ciphers leak information about the key when being used to encrypt, e.g. English text
Consequence
Since most data sources have redundancy we have a situation where after some time of use of a cipher the key is uniquely determined, always.
In practice we often do not know how to use (in an algorithm) the observed data to recover the key. Thus we often have to rely on computational facts and assumptions (e.g. discrete logarithm) to show that we cannot cryptanalyze the cipher

Techniques for cryptanalysis
• Statistical
• Algebra
• Physical phenomena (e.g. results of information leakage)
• Brute force (or close to it)

Brute force
• Using general purpose computers
• Using special hardware
  • FPGAs: e.g. DES in less than a day (COPACOBANA, 2006)
  • GPUs: e.g. Nvidia GPU
  • Custom HW: very expensive; likely something for national security agencies that can spend much money