Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Foundations of Network and Computer Security John Black CSCI 6268/TLEN 5550, Spring 2015 OpenSSL • Was SSLeay • Open Source • Has everything we’ve talked about and a lot more • Most everything can be done on the command line • Ungainly, awkward, inconsistent – Mostly because of history – Have fun, it’s the only game in town • http://www.openssl.org/ Brief Tutorial • This is a grad class; you can figure it out from the man page, but… – Syntax is % openssl <cmd> <parms> – cmd can be ‘enc’, ‘rsautl’, ‘x509’, and more – We’ll start with the ‘enc’ command (symmetric encryption) – Let’s look at the enc command in more detail OpenSSL enc command • • openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [a] [-K key] [-iv IV] [-p] [-P] -ciphername can be – des-ecb (yuk!), des-cbc (hmm), des (same as des-cbc), des-ede3-cbc, des3 (same), aes-128-cbc, bf, cast, idea, rc5 – Can omit the ‘enc’ command if specifying these… kind of hokey • If you don’t specify filenames, reads from and writes to stdin/stdout – Looks like garbage, of course • If you don’t specify a password on the command line, it prompts you for one – Why are command-line passwords bad? – You can use environment variables but this is bad too – You can point to a file on disk… less bad • What does the password do? – Password is converted to produce IV and blockcipher key enc (cont) % openssl aes-128-cbc –P enter aes-128-cbc encryption password: salt=39A9CF66C733597E key=FB7D6E2490318E5CFC113751C10402A4 iv =6ED946AD35158A2BD3E7B5BAFC9A83EA • salt is a random number generated for each encryption in order to make the key and iv different even with the same password – Begins to get confusing… didn’t we just change the IV before? – Use this mode only when deriving a new key for each encryption • Eg, when encrypting a file on disk for our own use – If key is fixed, we specify it and the iv explicitly % openssl aes-128-cbc –K FB7D6E2490318E5CFC113751C10402A4 –iv 6ED946AD35158A2BD3E7B5BAFC9A83EA Understanding Passwords vs. a Specified IV and Key • So there are two modes you can use with enc – 1) Specify the key and IV yourself • This means YOU are in charge of ensuring the IV doesn’t repeat – Use a good random number source or – Use a counter (which you have to maintain… headache!) – 2) Use a passphrase • OpenSSL uses randomness for you by generating a salt along with the IV and AES key • Passphrases are less secure (more guessable) in general • Either way, we get non-deterministic encryption Passphrase-Based enc Passphrase salt hash function iv, key (128 bits each) AES-128-CBC salt plaintext ciphertext Things to think about: • How to decrypt? Is the IV needed in the ciphertext? • Is the passphrase safe even though the salt and iv are known? So How to Encrypt • Let’s encrypt the file ‘test’ % cat test hi there % openssl aes-128-cbc -in test enter aes-128-cbc encryption password: Verifying - enter aes-128-cbc encryption password: Salted__mTR&Qi¦¹K¯¿Óàg&5&kE • What’s up with the garbage? – Of course the AES outputs aren’t ASCII! – Use –base64 option base64 • This is an encoding scheme (not cryptographic) – Translates each set of 6 bits into a subset of ASCII which is printable – Makes ‘garbage’ binary into printable ASCII • Kind of like uuencode – – – – Of course this mapping is invertible For encryption we want to do this after we encrypt For decryption, we undo this before we decrypt This is the –a flag for ‘enc’ but –base64 works as well and is preferable Example: base64 • Let’s encrypt file ‘test’ again, but output readable ciphertext % openssl aes-128-cbc -in test -base64 enter aes-128-cbc encryption password: Verifying - enter aes-128-cbc encryption password: U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY= • We’ll always use this option when dealing with portability issues – Like sending ciphertext over email Decrypting • The command to decrypt is once again ‘enc’ – This makes no sense; get used to it – Use the –d flag to tell enc to decrypt – Let’s decrypt the string U2FsdGVkX1/tdjfZnPrD+mSjBBO7InU8Mo4ttzTk8eY= which I’ve placed into a file called ‘test.enc’ % openssl enc -d -in test.enc U2FsdGVkX18FZENOZFZdYvLoqPdpRTgZw2CZIQs6bMQ= Hunh? • It just gave back the ciphertext?! – We didn’t specify an encryption algorithm – Default is the identity map (get used to it) – Let’s try again % openssl aes-128-cbc -d -in test.enc enter aes-128-cbc decryption password: bad magic number • Ok, now what’s wrong? Error messages not useful • We forgot to undo the –base64 – The error msg didn’t tell us that (get used to it) – One more try: % openssl aes-128-cbc -d -in test.enc -base64 enter aes-128-cbc decryption password: hi there – It was all worth it, right? – Now it’s your turn Project #0 • I’ll give you a ciphertext, you find the password – Password is a three-letter lowercase alpha string – Main purpose is to get you to figure out where openssl lives on your computer(s) – Don’t do it by hand – Full description on our web page • Due Feb 18th, in class Symmetric vs. Asymmetric • Thus far we have been in the symmetric key model – We have assumed that Alice and Bob share some random secret string – In practice, this is a big limitation • Bootstrap problem • Forces Alice and Bob to meet in person or use some mechanism outside our protocol • Not practical when you want to buy books at Amazon • We need the Asymmetric Key model! Asymmetric Cryptography • In this model, we no longer require an initial shared key – First envisioned by Diffie in the late 70’s – Some thought it was impossible – MI6 purportedly already knew a method – Diffie-Hellman key exchange was first public system • Later turned into El Gamal public-key system – RSA system announced shortly thereafter But first, a little math… • A group is a nonempty set G along with an operation # : G x G → G such that for all a, b, c ∈G – (a # b) # c = a # (b # c) – ∃ e ∈ G such that e # a = a # e = a – ∃ a-1 ∈ G such that a # a-1 = e (associativity) (identity) (inverses) • If ∀a,b ∈ G, a # b = b # a we say the group is “commutative” or “abelian” – All groups in this course will be abelian Notation • We’ll get tired of writing the # sign and just use juxtaposition instead – In other words, a # b will be written ab – If some other symbol is conventional, we’ll use it instead (examples to follow) • We’ll use power-notation in the usual way – ab means aaaaa repeated b times – a-b means a-1a-1a-1a-1 repeated b times – Here a ∈ G, b ∈ Z • Instead of e we’ll use a more conventional identity name like 0 or 1 • Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably Examples of Groups • • • • • • • Z (the integers) under + ? Q, R, C, under + ? N under + ? Q under x ? Z under x ? 2 x 2 matrices with real entries under x ? Invertible 2 x 2 matrices with real entries under x ? • Note all these groups are infinite – Meaning there are an infinite number of elements in them • Can we have finite groups? Finite Groups • Simplest example is G = {0} under + – Called the “trivial group” • Almost as simple is G = {0, 1} under addition mod 2 • Let’s generalize – – – – – – Zm is the group of integers modulo m Zm = {0, 1, …, m-1} Operation is addition modulo m Identity is 0 Inverse of any a ∈ Zm is m-a Also abelian The Group Zm • An example – – – – – Let m = 6 Z6 = {0,1,2,3,4,5} 2+5 = 1 3+5+1 = 3 + 0 = 3 Inverse of 2 is 4 • 2+4 = 0 • We can always pair an element with its inverse a : a -1 : 0 0 1 5 2 4 3 3 4 2 • Inverses are always unique • An element can be its own inverse – Above, 0 and 0, 3 and 3 5 1 Another Finite Group • Let G = {0,1}n and operation is ⊕ – A group? – What is the identity? – What is the inverse of a ∈ G? • We can put some familiar concepts into group-theoretic notation: – Caesar cipher was just P + K = C in Z26 – One-time pad was just P ⊕ K = C in the group just mentioned above Multiplicative Groups • Is {0, 1, …, m-1} a group under multiplication mod m? – No, 0 has no inverse • Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m? – Hmm, try some examples… • • • • m = 2, so G = {1} X m = 3, so G = {1,2} X m = 4, so G = {1,2,3} oops! m = 5, so G = {1,2,3,4} X Multiplicative Groups (cont) • What was the problem? – 2,3,5 all prime – 4 is composite (meaning “not prime”) • Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime Proof: →: suppose m is composite, then m = ab where a,b ∈ G and a, b 1. Then ab = m = 0 and G is not closed ←: follows from a more general theorem we state in a moment The Group Zm* • a,b ∈ N are relatively prime iff gcd(a,b) = 1 – Often we’ll write (a,b) instead of gcd(a,b) • Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1} and operation is multiplication mod m yields a group – We name this group Zm* – We won’t prove this (though not too hard) – If m is prime, we recover our first theorem Examples of Zm* • Let m = 15 – What elements are in Z15*? • {1,2,4,7,8,11,13,14} – What is 2-1 in Z15*? • First you should check that 2 ∈ Z15* • It is since (2,15) = 1 – Trial and error: • 1, 2, 4, 7, 8 X – There is a more efficient way to do this called “Euclid’s Extended Algorithm” • Trust me Euler’s Phi Function • Definition: The number of elements of a group G is called the order of G and is written |G| – For infinite groups we say |G| = 1 – All groups we deal with in cryptography are finite • Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function” – Note that |Zm*| = (m) – This follows immediately from the definition of () Evaluating the Phi Function • What is (p) if p is prime? – p-1 • What is (pq) if p and q are distinct primes? – If p, q distinct primes, (pq) = (p)(q) – Not true if p=q – We won’t prove this, though it’s not hard Examples • What is (3)? – |Z3*| = |{1,2}| = 2 • What is (5)? • What is (15)? – (15) = (3)(5) = 2 x 4 = 8 – Recall, Z15* = {1,2,4,7,8,11,13,14} LaGrange’s Theorem • Last bit of math we’ll need for RSA • Theorem: if G is any finite group of order n, then ∀ a ∈ G, an = 1 – Examples: • 6 ∈ Z22, 6+6+…+6, 22 times = 0 mod 22 • 2 ∈ Z15*, 28 = 256 = 1 mod 15 • Consider {0,1}5 under ⊕ – 01011 2 {0,1}5, 0101132 = 0000016 =00000 – It always works (proof requires some work) Basic RSA Cryptosystem • Basic Setup: – Alice and Bob do not share a key to start with – Alice will be the sender, Bob the receiver • Reverse what follows for Bob to reply – Bob first does key generation • He goes off in a corner and computes two keys • One key is pk, the “public key” • Other key is sk, the “secret key” or “private key” – After this, Alice can encrypt with pk and Bob decrypts with sk