Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.

Download Report

Transcript Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger. 

Lecture 24
Cryptography
CPE 401 / 601
Computer Network Systems
slides are modified from Jim Kurose and Keith Ross and Dave Hollinger
Cryptography
 Encryption

Scramble data so that only someone with a secret
can make sense of the data.
 Decryption
 Descrambling encrypted data.
Cryptography
2
The language of cryptography
Alice’s
K encryption
A
key
plaintext
encryption
algorithm
Bob’s
K decryption
B key
ciphertext
decryption plaintext
algorithm
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key
secret (private)
Cryptography
3
Symmetric key cryptography
substitution cipher: substituting one thing for another

monoalphabetic cipher: substitute one letter for another
plaintext:
abcdefghijklmnopqrstuvwxyz
ciphertext:
mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
 brute force?
 other?
Cryptography
4
Symmetric key cryptography
KA-B
KA-B
plaintext
message, m
encryption ciphertext
algorithm
K (m)
A-B
decryption plaintext
algorithm
m = K ( KA-B(m) )
A-B
symmetric key crypto: Bob and Alice share know same
(symmetric) key: K
A-B
 e.g., key is knowing substitution pattern in mono
alphabetic substitution cipher
 Q: how do Bob and Alice agree on key value?
Cryptography
5
DES: Data Encryption Standard
 US encryption standard [NIST 1993]
 56-bit symmetric key, 64-bit plaintext input
 How secure is DES?
DES Challenge: 56-bit-key-encrypted phrase
“Strong cryptography makes the world a safer
place” decrypted (brute force) in 4 months
 no known “backdoor” decryption approach

 making DES more secure:
use three keys sequentially (3-DES) on each datum
 use cipher-block chaining

Cryptography
6
DES
DES operation
initial permutation
16 identical “rounds” of
function application,
each using different
48 bits of key
final permutation
Cryptography
7
AES: Advanced Encryption Standard
 symmetric-key NIST standard
replacing DES
 Nov 2001

 processes data in 128 bit blocks
 128, 192, or 256 bit keys
 brute force decryption (try each key)
taking 1 sec on DES, takes 149 trillion
years for AES
Cryptography
8
Block Cipher
64-bit input
loop for
n rounds
8bits
T1
8 bits
8bits
8bits
T
T
2
3
8bits
T
4
8bits
T
5
8bits
8bits
8bits
T
T
T
6
7
8
8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits
64-bit scrambler
64-bit output
 one pass through: input bit affects eight output bits
 multiple passes: each input bit afects all output bits
 block ciphers: DES, 3DES, AES
Cryptography
9
Public key cryptography
symmetric key crypto
 requires sender, receiver know shared secret key
 Q: how to agree on key in first place
 particularly if never “met”?
public key cryptography
 radically different approach
 Diffie-Hellman76, RSA78
not share secret key
 public encryption key known to all
 private decryption key known only to receiver
 sender, receiver do
Cryptography
10
Public key cryptography
+ Bob’s public
B key
K
K
plaintext
message, m
encryption ciphertext
algorithm
+
K (m)
B
- Bob’s private
B key
decryption plaintext
algorithm message
+
m = K B(K (m))
B
Cryptography
11
Public key encryption algorithms
Requirements:
need K ( ) and K ( ) such that
1
+
B
.
-
+
B
B
B
.
K (K (m)) = m
2
+
given public key KB , it should be
impossible to compute
private key KB
RSA: Rivest, Shamir, Adleman algorithm
Cryptography
12
RSA: Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors
with z. (e, z are “relatively prime”)
4. Choose d such that ed-1 is exactly divisible by z.
(in other words: ed mod z = 1 )
5. Public key is (n,e). Private key is (n,d).
+
KB
-
KB
Cryptography
13
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute
e
e
c = m mod n (i.e., remainder when m is divided by n)
2. To decrypt received bit pattern, c, compute
d
m = c dmod n (i.e., remainder when c is divided by n)
Magic
m = (m e mod n) d mod n
happens!
c
Cryptography
14
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z.
encrypt:
decrypt:
letter
m
me
l
12
1524832
c
17
d
c
481968572106750915091411825223071697
c = me mod n
17
m = cd mod n letter
12
l
Cryptography
15
RSA: Why is that
m = (m e mod n) d mod n
Useful number theory result: If p,q prime and
n = pq, then:
y
y mod (p-1)(q-1)
x mod n = x
mod n
e
(m mod n) d mod n = medmod n
= m
ed mod (p-1)(q-1)
mod n
(using number theory result above)
1
= m mod n
(since we chose ed to be divisible by
(p-1)(q-1) with remainder 1 )
= m
Cryptography
16
RSA: another important property
The following property will be very useful later:
-
+
B
B
K (K (m))
+ = m = K (K (m))
B B
use public key
first, followed
by private key
use private key
first, followed
by public key
Result is the same!
Cryptography
17
Using Keys
 Private keys are used for decrypting
 Public keys are used for encrypting
plaintext
encryption
ciphertext
public key
ciphertext
decryption
plaintext
private key
Cryptography
18
Transmitting over an insecure
channel
Alice wants to send Bob a private message.
Apublic is Alice’s public key.
Aprivate is Alice’s private key.
Bpublic is Bob’s public key.
Bprivate is Bob’s private key.
Cryptography
19
Hello Bob,
Wanna get together?
Alice
encrypt using Bpublic
Bob
decrypt using Bprivate
Cryptography
20
OK Alice,
Your place or mine?
Alice
decrypt using Aprivate
Bob
encrypt using Apublic
Cryptography
21
Bob’s Dilemma
 Nobody can read the message from Alice,
but anyone could produce it.
 How does Bob know that the message was
really sent from Alice?
 Bob may be comforted to know that only
Alice can read his reply.
Cryptography
22
Alice can sign her message!
 Alice can create a digital signature and
prove she sent the message

or someone with knowledge of her private key
 The signature can be a message digest
encrypted with Aprivate.
Cryptography
23
Message Digest
 Also known as “hash function” or “one-way
transformation”.
 Transforms a message of any length and
computes a fixed length string.
 We want it to be hard to guess what the
message was given only the digest.

Guessing is always possible.
Cryptography
24
Digital Signature
 Public key cryptography is also used to
provide digital signatures
signing
plaintext
signed message
private key
signed message
verification
plaintext
public key
Cryptography
25
Alice’s Signature
 Alice feeds her original message through a
hash function and encrypts the message
digest with Aprivate.
 Bob can decrypt the message digest using
Apublic.
 Bob can compute the message digest himself.
 If the 2 message digests are identical, Bob
knows Alice sent the message.
Cryptography
26
Revised Scheme
Alice
Sign with Aprivate
encrypt using Bpublic
Bob
check signature using Apublic
decrypt using Bprivate
Cryptography
27
Why the digest?
 Alice could just encrypt her name, and then
Bob could decrypt it with Apublic.

Why wouldn’t this be sufficient?
 Suppose Alice denies she sent the message?
 Bob can prove that only someone with Alice’s
key could have produced the message.
Cryptography
28
Solution?
 Always start your messages with:

Dear Mehmet,
 Create a digest from the encrypted
message and sign that digest.
 There are many other schemes as well.
Cryptography
29
Speed
 Secret key encryption/decryption algorithms
are much faster than public key algorithms.
 Many times a combination is used:
 use public key cryptography to share a secret key.
 use the secret key to encrypt the bulk of the
communication.
Cryptography
30
Authentication
Goal: Bob wants Alice to “prove” her identity to
him
Protocol 1.0: Alice says “I am Alice”
“I am Alice”
Failure scenario??
Cryptography
32
Authentication
Goal: Bob wants Alice to “prove” her identity to
him
Protocol 1.0: Alice says “I am Alice”
“I am Alice”
in a network,
Bob cannot “see”
Alice, so Trudy simply
declares
herself to be Alice
Cryptography
33
Authentication: another try
Protocol 2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Alice’s
“I am Alice”
IP address
Failure scenario??
Cryptography
34
Authentication: another try
Protocol 2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Alice’s
IP address
Trudy can create
a packet
“spoofing”
“I am Alice” Alice’s address
Cryptography
35
Authentication: another try
Protocol 3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Alice’s Alice’s
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Failure scenario??
Cryptography
36
Authentication: another try
Protocol 3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Alice’s Alice’s
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
playback attack:
Trudy records Alice’s
packet and later
plays it back to Bob
Alice’s Alice’s
“I’m Alice”
IP addr password
Cryptography
37
Authentication: yet another try
Protocol 3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
Alice’s encrypted
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Failure scenario??
Cryptography
38
Authentication: yet another try
Protocol 3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
Alice’s encrypted
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Record and
playback
still works!
Alice’s encrypted
“I’m Alice”
IP addr password
Cryptography
39
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once–in-a-lifetime
4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key
“I am Alice”
R
KA-B(R)
Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
be Alice!
Cryptography
40
Authentication: ap5.0
ap4.0 requires shared symmetric key
 can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”
R
Bob computes
+ -
-
K A (R)
“send me your public key”
+
KA
KA(KA (R)) = R
and knows only Alice
could have the private
key, that encrypted R
such that
+ K (K (R)) = R
A A
Cryptography
41
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
I am Alice
R
I am Alice
R
K (R)
T
K (R)
A
Send me your public key
+
K
T
Send me your public key
+
K
A
- +
m = K (K (m))
A A
+
K (m)
A
Trudy gets
- +
m = K (K (m))
sends T
m toTAlice
+
K (m)
T
encrypted with
Alice’s public key
Cryptography
42
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
 Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)
 problem is that Trudy receives all messages as well!
Cryptography
43