Transcript A (→ B)

Chapter 2: Foundations
The problem of providing secret communication over
insecure media is the most traditional and basic problem of
cryptography.
◎Foundations
Terminologies: Sender vs. Receiver
Messages vs. Encryption
Plaintext
Encryption vs. Decryption
Algorithms vs. Ciphers
Symmetric alg. vs. Public-Key alg.
Cryptanalysis
Security of Cryptosystems
Classical Cryptography vs. PKC
[Figure: Plaintext → Encryption → Ciphertext → Decryption → Original Plaintext]
A cryptographic algorithm, also called a cipher, is the mathematical
function used for encryption and decryption. To encrypt a plaintext
message, apply an encryption algorithm to the plaintext. To decrypt
a ciphertext, apply a decryption algorithm to the ciphertext.
E(P) = C
D(C) = P ,
D(E(P)) = P; describe these terms: P, C, E, D?
If the security of an algorithm is based on keeping the nature of the algorithm
secret, it is called a RESTRICTED algorithm.
There are two general forms of key-based algorithms: symmetric and public-key. Symmetric algorithms are algorithms where the encryption key can be
calculated from the decryption key and vice versa. In many such systems,
the encryption key and the decryption key are the same.
Symmetric:              vs.    Public-key:
E_k(P) = C                     E_k1(P) = C
D_k(C) = P                     D_k2(C) = P
D_k(E_k(P)) = P                D_k2(E_k1(P)) = P
PS. Symmetric algorithms are also called secret-key algorithms, single-key
algorithms, or one-key algorithms.
Symmetric algorithms can also be divided into two categories:
(a) stream algorithms or stream ciphers
(b) block algorithms or block ciphers
[Figure: symmetric cryptosystem. One KEY feeds both sides: Plaintext → Encryption → Ciphertext → Decryption → Original Plaintext]
[Figure: public-key cryptosystem. Encryption KEY (public key) → Encryption, Decryption KEY (private key) → Decryption: Plaintext → Encryption → Ciphertext → Decryption → Original Plaintext]
In this class, ALGORITHM will refer specifically to the
MATHEMATICAL TRANSFORMATIONS for encryption and
decryption. CRYPTOSYSTEMS will refer to the algorithm, plus the way
in which it is implemented.
There are three kinds of cryptographic functions: hash functions, secret
key functions, and public key functions. We will describe what each
kind is, and what it is useful for. Public key cryptography involves the
use of two keys. Secret key cryptography involves the use of one key.
Hash functions involve the use of zero keys! Try to imagine what that
could possibly mean, and what use it could possibly have --- an
algorithm everyone knows with no secret key, and yet it has uses in
security.
CRYPTANALYSIS:
There are six kinds of attack; ranked by difficulty they are as follows:
(1) Ciphertext-only attack.
Given: C1 = Ek(P1), ..., Ci = Ek(Pi)
Deduce: either P1, P2, ..., Pi; k; or an algorithm to infer Pi+1 from Ci+1 = Ek(Pi+1)
(2) Known-plaintext attack.
Given: P1, C1 = Ek(P1), ..., Pi, Ci = Ek(Pi)
Deduce: either k, or an algorithm to infer Pi+1 from Ci+1 = Ek(Pi+1)
(3) Chosen-plaintext attack.
Given: as above, where the cryptanalyst chooses P1, P2, ..., Pi
Deduce: as above
(4) Adaptive-chosen-plaintext attack.
The plaintext/ciphertext pairs are chosen dynamically: the result obtained from the first choice determines which plaintext/ciphertext pair is chosen next.
(5) Chosen-ciphertext attack.
Given several "ciphertext → plaintext" pairs, find the key k.
(6) Chosen-key attack.
This is not an attack in which you are given the key. It is strange and
obscure, not very practical.
Security of Cryptosystems
All algorithms but one are theoretically breakable, given enough time and
computing resources.
If the time and money required to break an algorithm is more than the
value of the encrypted data, then it is probably safe. An algorithm that is
not breakable in practice is SECURE.
Unconditionally secure vs. computationally secure: only a one-time pad
is unbreakable given infinite resources (the key is longer than the plaintext).
(As for the former, the management cost of a key that is used only once is high.)
The amount of computing time and power required to recover the
encryption key is called the WORK FACTOR, and is expressed as an order
of magnitude.
A cryptosystem is also called a CODE or a CIPHER.
Reference: Substitution Ciphers & Transposition Ciphers
This cryptosystem is called a stream cipher, which is a classical
cryptosystem:
P XOR K = C
C XOR K = P
(P XOR K) XOR K = P
DES and simple XOR both belong to this category.
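The three XOR identities above, run as code. This is an added example and not part of the lecture notes; `xor_cipher`, `one_time_pad` and `key_reuse_leak` are names chosen here. It also enforces the one-time-pad condition stated on the security slide (key at least as long as the plaintext) and shows why "one-time" matters: with a reused key the key cancels out and C1 XOR C2 = P1 XOR P2.

```python
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """P XOR K = C and C XOR K = P: the same function encrypts and decrypts.
    The key is repeated cyclically if it is shorter than the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad(data: bytes, key: bytes) -> bytes:
    """Same XOR, but with the one-time-pad condition from the slides enforced:
    the key must be at least as long as the plaintext (and, outside this toy,
    truly random and never reused)."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return xor_cipher(data, key[:len(data)])


def roundtrip_ok(plaintext: bytes, key: bytes) -> bool:
    """Check the identity (P XOR K) XOR K = P for the given inputs."""
    return xor_cipher(xor_cipher(plaintext, key), key) == plaintext


def key_reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bool:
    """With one key used for two equal-length messages, C1 XOR C2 = P1 XOR P2:
    the key cancels and the relation between the plaintexts is exposed.
    Returns True when that identity holds, i.e. always for a reused key."""
    c1, c2 = xor_cipher(p1, key), xor_cipher(p2, key)
    return xor_cipher(c1, c2) == xor_cipher(p1, p2)


if __name__ == "__main__":
    # constructed sample inputs
    ciphertext = xor_cipher(b"attack at dawn", b"secret")
    print(ciphertext.hex(), roundtrip_ok(b"attack at dawn", b"secret"))
    print(key_reuse_leak(b"hello", b"world", b"k3y"))
```

Note that `xor_cipher` with a short, repeating key is the "simple XOR" of the slide and is not a one-time pad; `one_time_pad` is the only variant for which the unconditional-security claim applies.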
1. Foundations, including terminology and concepts of
cryptography.
2. Cryptographic Protocols, including protocol building blocks
(secure cryptographic module), basic protocols (key exchange,
authentication, secret sharing, etc.), intermediate protocols
(subliminal channel, group signature, key escrow, etc.), advanced
protocols (zero-knowledge proofs, blind signature, oblivious
transfer, etc.), esoteric protocols (secure elections,
anonymous broadcast, digital cash, etc.).
3. Cryptographic Techniques, including key length, key
management, and using algorithms.
4. Cryptographic Algorithms, including mathematical
backgrounds, DES and other block ciphers, one-way hash
functions, public key cryptosystems.
5. Example Implementations, including some well-known
commercial products and standards.
A protocol is a series of steps, involving two or more
parties, designed to accomplish a task.
[Figure: arbitrated protocol. Trent sits between Alice and Bob.
Arbitrator: a trusted third party.
Adjudicator: is necessary in case of dispute.]
[Figure: adjudicated protocol. Alice and Bob exchange messages directly and keep Evidence; Trent is consulted only after the fact.]
Key Exchange (KE)
A session key: used for only one particular communication session.
{A common cryptographic technique is to encrypt each individual
conversation between two people with a separate key}
Q: How can such a session key k be delivered securely to both the sender and the receiver?
Ans: several proposals...
(一) KE with symmetric cryptography (assuming the KDC already shares a secret key with each of A and B)
(1) A (→ KDC): requests that a session key k be generated
(2) KDC (→ A): ESKA(k) and ESKB(IDA, k)
(3) A: DSKA(ESKA(k)) = k
(→ B): ESKB(IDA, k)
(4) B: DSKB(ESKB(IDA, k)) = (IDA, k)
(5) A & B now both have k to use.
If the KDC is compromised by an outsider, Mallet, the consequences are disastrous! (Because this protocol is built on symmetric cryptography, a KDC/TTP takes the place of a CA.)
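Steps (1) to (5) of the KDC protocol above, simulated end to end. This is an added example, not code from the lecture notes: the symmetric E/D is a toy SHA-256 keystream XOR with an HMAC tag (the slide does not fix a cipher), the names `KDC`, `run_protocol` and the JSON "ticket" layout are assumptions, and long-term keys are generated at random. It also checks the two points a practitioner cares about: B rejects a forwarded ticket that was altered in transit, and anyone holding the KDC's key table (the compromised-KDC case on the slide) reads k.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` bytes with SHA-256 in counter mode."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E_key(plaintext) = nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """D_key(blob); raises ValueError if the tag fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds the long-term secret key SK_X shared with every principal X."""

    def __init__(self, long_term_keys: dict):
        self.keys = dict(long_term_keys)

    def issue(self, requester: str, peer: str):
        """Step (2): E_SK_requester(k) and E_SK_peer(ID_requester, k) for a fresh k."""
        k = os.urandom(32)
        ticket = json.dumps({"id": requester, "k": k.hex()}).encode()
        return sym_encrypt(self.keys[requester], k), sym_encrypt(self.keys[peer], ticket)


def run_protocol(kdc: KDC, sk_a: bytes, sk_b: bytes):
    """Steps (1)-(5); returns (k as seen by A, k as seen by B, peer ID as seen by B)."""
    for_a, for_b = kdc.issue("A", "B")              # (1) request, (2) reply
    k_at_a = sym_decrypt(sk_a, for_a)               # (3) A recovers k, forwards for_b
    ticket = json.loads(sym_decrypt(sk_b, for_b))   # (4) B recovers (ID_A, k)
    return k_at_a, bytes.fromhex(ticket["k"]), ticket["id"]  # (5) both hold k


def honest_run_agrees() -> bool:
    sk_a, sk_b = os.urandom(32), os.urandom(32)
    k_a, k_b, peer = run_protocol(KDC({"A": sk_a, "B": sk_b}), sk_a, sk_b)
    return k_a == k_b and peer == "A"


def forwarded_ticket_tamper_detected() -> bool:
    """B rejects a ticket altered between A and B: the HMAC tag no longer verifies."""
    sk_a, sk_b = os.urandom(32), os.urandom(32)
    _, for_b = KDC({"A": sk_a, "B": sk_b}).issue("A", "B")
    damaged = for_b[:NONCE_LEN] + bytes([for_b[NONCE_LEN] ^ 1]) + for_b[NONCE_LEN + 1:]
    try:
        sym_decrypt(sk_b, damaged)
    except ValueError:
        return True
    return False


def compromised_kdc_exposes_k() -> bool:
    """The slide's warning: whoever holds the KDC's key table reads every session key."""
    sk_a, sk_b = os.urandom(32), os.urandom(32)
    kdc = KDC({"A": sk_a, "B": sk_b})
    for_a, for_b = kdc.issue("A", "B")
    stolen_k = sym_decrypt(kdc.keys["A"], for_a)    # using the KDC's copy of SK_A
    return stolen_k == bytes.fromhex(json.loads(sym_decrypt(sk_b, for_b))["k"])


if __name__ == "__main__":
    print(honest_run_agrees(), forwarded_ticket_tamper_detected(), compromised_kdc_exposes_k())
```

The ticket carries IDA alongside k exactly as in step (2), so B learns who the key is shared with; the tag on the ticket is what turns "B decrypts" in step (4) into a check that the ticket really came from the KDC unmodified.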
A digital signature under conventional (symmetric) encryption can only be achieved with the help of a trusted third party. {see the figure below}
[Figure: 1. Alice: C = Eka(M); 2. C is sent to Bob, who forwards it to Trent; Trent: M = Dka(C), C' = Ekb(M); 3. C' is sent to Bob; Bob: M = Dkb(C')]
Alice and Bob have no agreed session key; each of them separately agrees a session key with the TTP, ka and kb respectively. When Bob receives the ciphertext he forwards it directly to the TTP; the TTP decrypts it with the session key agreed with Alice, re-encrypts the plaintext with the session key agreed with Bob, and sends the result to Bob.
(二) KE with public-key cryptography
(1) B (→ A): PKB {B sending his own public key directly to A is indeed a strange move!}
(2) A: generates k (randomly)
(→ B): PKB(k)
(3) B: SKB(PKB(k)) = k
(4) A & B now both have k to use.
Employing public keys without a CA's support? (see next page for more details)
This protocol is said to use PKC, but it is far too simplistic: (1) no CA assists; (2) the man-in-the-middle attack is not considered; (3) A's identity is not authenticated at all! (understandable if we have no notion of a CA yet)
(三) KE with public-key cryptography using a public-key database
(1) A (→ CA-like database): PKB
(2) A: generates k (randomly)
(→ B): PKB(k)
(3) B: SKB(PKB(k)) = k
(4) A & B now both have k to use.
If a troublemaker, M, sits between A and B posing as the database, the attack is called a
Man-in-the-Middle Attack (refer to the next page now).
Point: this class of protocol must let the two communicating parties A and B verify each other, i.e. mutual
authentication; if the CA's help is needed, A/B and the CA must also authenticate each other.
Note that both protocols above lack mutual authentication and are therefore insecure.
(1) A → B: PKA, intercepted; Mallet → B: PKM {Mallet substitutes PKM for PKA}
(2) B → A: PKB, intercepted; Mallet → A: PKM {Mallet substitutes PKM for PKB}
(3) A → B: EPKM(M) {Alice encrypts M with Bob's public key, she thought}
Mallet: DSKM(EPKM(M)) = M, then Mallet → B: EPKB(M)
(4) Similarly, when Bob sends message M' to Alice, Mallet plays the same trick.
Rivest & Shamir proposed the "Interlock protocol" against this attack (Man-in-the-Middle Attack):
{a secure protocol in which A asks B for an important message mB}
(1) A (→ B): PKA
(2) B (→ A): PKB
(3) A (→ B): half(PKB(mA)) = α {e.g. only the odd bits, or the hash value of mA}
(4) B (→ A): half(PKA(mB)) = γ
(5) A (→ B): the other half of PKB(mA) = β
(6) B: SKB(α, β) = mA
(→ A): the other half of PKA(mB) = δ {note that this protocol is meant to protect mB}
(7) A: SKA(γ, δ) = mB
Why this design?
mA should be information that lets Bob authenticate Alice's identity.
Because half a ciphertext cannot be decrypted, once you have sent out one half there is no way to take it back!
Think about it: if M intercepts A's and B's messages and replaces them with his own, the two messages are unrelated; in short, M can only fool both parties.
(四) KE with digital signatures
Introducing digital signatures prevents the man-in-the-middle attack during KE: the KDC signs A's and B's public keys with its own private key, so A and B can use the KDC's public key to verify that the public key they received belongs to the intended peer. The KDC's role here is similar to today's CA.
(五) Key and Message Transmission
In the protocol below, Alice sends Bob the message, M, without
any previous key-exchange (KE) protocol:
(1) A: generates a random session key k and encrypts the message M: Ek(M) = α
(2) A (→ KDC): PKB
(3) A: EPKB(k) = β
(4) A (→ B): α, β
{for stronger security, this can also be signed: ESKA(α, β)}
(5) B: DPKA(ESKA(α, β)) = (α, β); DSKB(EPKB(k)) = k; Dk(Ek(M)) = M
This is how public-key cryptography is most often used in a communications system.
It can be combined with digital signatures, timestamps, and any other security protocols.
(六) Key and Message Broadcast (an extension of the previous protocol)
Alice can send the encrypted message to Bob, Carol, and Dave:
(1) A: Ek(M)
(2) A (→ KDC): PKB, PKC, PKD
(3) A (→ Bob, Carol, and Dave): EPKB(k), EPKC(k), EPKD(k) and Ek(M)
(4) Only Bob, Carol, and Dave can decrypt the key k, each using his or her private key.
(5) Only Bob, Carol, and Dave can decrypt Alice's message using k.
At this point we appreciate the need for every link in the chain to hold (mutual authentication).
Some things you should know:
Privacy: the ability to keep anyone but the intended recipient
from reading the message.
Authentication: reassurance to the recipient of the identity of
the sender.
Integrity: reassurance to the recipient that the message has
not been altered since it was transmitted by the
sender.
Non-repudiation: the ability of the recipient to prove to a
third party that the sender really did send
the message.
(also called third party authentication.)
Two hard problems:
(1) Factoring problem: n = p * q (knowing n, hard to get prime
p or prime q)
(2) Discrete Logarithm Problem (DLP): y = g^x mod p
(knowing y, a large prime p, and g, it is hard to get x)
1. Every plaintext M must satisfy gcd(M, n) = 1, where n = p*q and p, q are two large primes.
2. How are the two numbers e and d obtained?
Choose a number e coprime to φ(n); from the condition e*d mod φ(n) = 1, solve for d (refer to the previous page).
3. If e and n are made public while d and φ(n) are kept secret, security is preserved.
4. If someone wants to factor n = p*q, and n has 200 digits, and the computer executes 10^6 instructions per second (i.e. 1 MIPS), then breaking it
takes 10^6 years. (This factoring is an NP-complete problem.)
5. The current state of integrating public-key and symmetric-key systems:
[Figure: hybrid system. Sender side: generate a random session key; DES-encrypt the plaintext under the session key → ciphertext; RSA-encrypt the session key under the receiver's public key (taken from the PKDB) → encrypted session key; the sender's private key is also used for an RSA encryption. Receiver side: RSA-decrypt the encrypted session key with the receiver's private key → session key; DES-decrypt the ciphertext → plaintext; the sender's public key is used for the matching RSA decryption.]
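A toy RSA built exactly as points 1 and 2 above describe (choose e coprime to φ(n), solve e*d mod φ(n) = 1, require gcd(M, n) = 1), with two of the earlier protocols run on top of it: the Rivest-Shamir interlock protocol, steps (3) to (7), and the key-and-message transmission protocol (五) including its optional signature, which is also the hybrid RSA-plus-symmetric layout of the figure. This is an added example and not code from the lecture notes. Assumptions: the primes are Mersenne primes chosen only so the example runs instantly and are far too small for real use; "half" of a ciphertext is taken as the first and second half of its bytes (the slide's example is the odd bits); the symmetric cipher is a SHA-256 keystream XOR standing in for DES; and the session key and message values are constructed.

```python
import hashlib
from math import gcd

N_BYTES = 20          # enough bytes for any value below the toy moduli (< 2^160)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Slide point 2: pick e with gcd(e, phi(n)) = 1, then solve e*d mod phi(n) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)          # (public key PK, private key SK)


def rsa_apply(key, m: int) -> int:
    """PK(m) or SK(c): one modular exponentiation."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value out of range for this modulus")
    return pow(m, exp, n)


def rsa_encrypt(pk, m: int) -> int:
    """Slide point 1: a plaintext M must satisfy gcd(M, n) = 1."""
    if gcd(m, pk[1]) != 1:
        raise ValueError("plaintext must be coprime to n")
    return rsa_apply(pk, m)


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def to_bytes(i: int, length: int = N_BYTES) -> bytes:
    return i.to_bytes(length, "big")


def sym(k: int, data: bytes) -> bytes:
    """E_k and D_k: XOR with a SHA-256 keystream (toy stand-in for DES; k < 2^64)."""
    stream = b"".join(hashlib.sha256(to_bytes(k, 8) + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- Interlock protocol, steps (3)-(7); (1)-(2) are the public-key exchange ----
def halves(c: int):
    """'half(PK(m))': first and second half of the ciphertext bytes (assumed split)."""
    cb = to_bytes(c)
    return cb[:N_BYTES // 2], cb[N_BYTES // 2:]


def interlock(pk_a, sk_a, pk_b, sk_b, m_a: int, m_b: int):
    """Returns (what B recovers as mA, what A recovers as mB)."""
    alpha, beta = halves(rsa_encrypt(pk_b, m_a))     # (3) A->B: alpha   (5) A->B: beta
    gamma, delta = halves(rsa_encrypt(pk_a, m_b))    # (4) B->A: gamma   (6) B->A: delta
    got_by_b = rsa_apply(sk_b, to_int(alpha + beta))   # (6) B: SKB(alpha, beta) = mA
    got_by_a = rsa_apply(sk_a, to_int(gamma + delta))  # (7) A: SKA(gamma, delta) = mB
    return got_by_b, got_by_a


def half_alone_is_useless(pk_b, sk_b, m_a: int) -> bool:
    """Even the legitimate private key cannot turn alpha alone back into mA."""
    alpha, _ = halves(rsa_encrypt(pk_b, m_a))
    return rsa_apply(sk_b, to_int(alpha)) != m_a


# ---- Key and message transmission (五), steps (1)-(5), with the optional signature ----
def send_key_and_message(pk_b, sk_a, message: bytes, k: int):
    """(1) alpha = Ek(M); (3) beta = EPKB(k); then ESKA(hash(alpha, beta))."""
    alpha, beta = sym(k, message), rsa_encrypt(pk_b, k)
    digest = to_int(hashlib.sha256(alpha + to_bytes(beta)).digest()[:8])
    return alpha, beta, rsa_apply(sk_a, digest)


def receive_key_and_message(pk_a, sk_b, alpha: bytes, beta: int, sig: int) -> bytes:
    """(5) B: verify with PKA, recover k with SKB, then M with k."""
    digest = to_int(hashlib.sha256(alpha + to_bytes(beta)).digest()[:8])
    if rsa_apply(pk_a, sig) != digest:
        raise ValueError("signature does not verify: alpha or beta was altered")
    return sym(rsa_apply(sk_b, beta), alpha)


def demo() -> bytes:
    pk_a, sk_a = rsa_keygen(2**89 - 1, 2**61 - 1)    # toy primes, assumed for speed only
    pk_b, sk_b = rsa_keygen(2**107 - 1, 2**31 - 1)
    assert interlock(pk_a, sk_a, pk_b, sk_b, 0xA11CE, 0xB0B) == (0xA11CE, 0xB0B)
    k = 2**40 + 15                                    # constructed session key
    alpha, beta, sig = send_key_and_message(pk_b, sk_a, b"meet at noon", k)
    return receive_key_and_message(pk_a, sk_b, alpha, beta, sig)


if __name__ == "__main__":
    print(demo())
```

The signature covers both α and β, so swapping in a different encrypted session key or a different ciphertext makes B's check in step (5) fail before any decryption happens, which is the property the "for stronger security, this can also be signed" remark on the slide is buying.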