Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona.

Similar presentations


Presentation on theme: "Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona."— Presentation transcript:

1 Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona

2 Copyright © 2005 David M. Wheeler, All Rights Reserved Introduction David M. Wheeler, CISSP 15 Years Experience in Computer & Network Security, 20 Years in the Industry Published papers on Key Management, Wireless Security, Java Security, Hardware Cryptographic Modules, and Platform Trust Built security systems and cryptographic algorithms at every system level, including applications, web services, network stacks, Operating System services, device drivers, and microcode firmware in CPUs. Have worked for Honeywell Bull, Motorola Government Systems Group, Touch Technology (Smartcard Services), and run my own consulting business Currently working for Intel, as the Manager and Design Lead for Intel’s Wireless Trusted Platform Module, a hardware cryptographic module embedded in an ARM-compliant Cellphone processor

3 Copyright © 2005 David M. Wheeler, All Rights Reserved Agenda l Terminology l Types of Algorithms l Symmetric Encryption Algorithms l Message Digest Algorithms l Public Key (Asymmetric) Algorithms l Digital Signature Algorithms l Resources

4 Copyright © 2005 David M. Wheeler, All Rights Reserved For Each Algorithm… l What Class of Algorithms does this algorithm belong to? –Example: This is a Message Digest Algorithm, or This is a Symmetric Encryption Algorithm l Characteristics of the Algorithm –Inputs, Outputs, Operations l What is this Algorithm used for? –Example: This algorithm is used to guarantee Confidentiality l What are the attacks and gotcha’s –What are some things a lot of people get wrong when using this algorithm l Some code in Java (and Maybe C++) l Resources and Links

5 Copyright © 2005 David M. Wheeler, All Rights Reserved Disclaimer BRIEF l This is a BRIEF introduction WISER l This is intended to make you WISER in your evaluation of security protections NOT l This is NOT intended to make you able to go roll-your-own security l Security expertise takes a lot of study, and a long time to get right l There is a lot of bad security out there

6 Algorithms

7 Copyright © 2005 David M. Wheeler, All Rights Reserved C.I.A. Algorithm Usages l Confidentiality –Concealment of information or resources Perhaps even concealment of the existence of information E.g. Suppose you knew of the existence of a voluntary HIV test in a particular persons medical records but you did not know the exact results or even the data of the test? –Access Control supports Confidentiality by restricting the availability of information to a particular group of entities l Integrity –Trustworthiness of data or resources –Data Integrity refers to the accuracy of the data (Integrity) –Origin Integrity refers to the verity of the data (Authentication) l Availability –Ability to use information or resources –Non-Repudiation supports availability since any action that may destabilize a system or information set will be traceable to the entity that caused the problem, making that entity accountable for their actions

8 Copyright © 2005 David M. Wheeler, All Rights Reserved Classes of Algorithms l Message Digest Algorithms l Symmetric Encryption Algorithms l Message Authentication Codes l Asymmetric Encryption Algorithms l Digital Signature Algorithms

9 Copyright © 2005 David M. Wheeler, All Rights Reserved Java Cryptography l Crypto Examples will be shown in Java l What is the JCA The Java Cryptography Architecture is a framework for accessing and developing cryptographic functionality for the Java platform. The JCA includes classes for digital signatures, message digests, certificates. l What is the JCE The Java Cryptography Extension is an extension to the JCA that provides security functionality restricted by export controls, including encryption, key exchange, and message authentication codes.

10 Copyright © 2005 David M. Wheeler, All Rights Reserved JCE Functions l Random Numbers uses a hash algorithm to generate random bytes l Hash Functions (digests) getInstance(), update(), digest(), reset() l Message Authentication Codes (MAC) getInstance(), init(), update(), doFinal() l Symmetric Ciphers getInstance(), init(), update(), doFinal() l Asymmetric Algorithms

11 Copyright © 2005 David M. Wheeler, All Rights Reserved Java Cryptographic Service Providers JCA allows the cryptography provider to be selected by the application 1. Edit the security properties file to add your provider to the beginning of the provider list so that it is executed first by default security.provider.1=cryptix.jce.provider.CryptixCrypto security.provider.2=com.rsa.jsafe.provider.JsafeJCE security.provider.3=sun.security.provider.Sun 2. Install the service provider to use at runtime Security.insertProviderAt( Security.getProvider(“cryptix.jce.provider.CryptoCryptix”), 1 ); 3. Specify the service provider to use when accessing the JCA/JCE Cipher c1 = Cipher.getInstance ( “DES/CBC/NoPadding”, “cryptix.jce.provider.CryptoCryptix” ); The crypto provider must be on the classpath or installed in the jre/lib/ext directory

12 Copyright © 2005 David M. Wheeler, All Rights Reserved Identifying Providers l The JCE can identify the providers Providers[] P = Security.getProviders(); P[i].getName(); P[i].getInfo(); P[i].getVersion();

13 Copyright © 2005 David M. Wheeler, All Rights Reserved Using BSAFE Crypto-J l Crypto-J provides both JCE compliant and custom interfaces l INSTALL –use CD to copy jar file and install using command jar xvf cryptoj32.jar l CONFIGURE PROVIDER –add Crypto-J provider to java.security file as security.provider.1= com.rsa.jsafe.provider.JsafeJCE l SETUP CLASSES –add the following jar files to the CLASSPATH crypto/jsafe.jar jceProvider/jsafeJCE.jar Also must install the Sun JCE

14 Message Digest Algorithms Also known as HASH Functions

15 Copyright © 2005 David M. Wheeler, All Rights Reserved What is a Message Digest Algorithm? Hash Functions l Also referred to as Hash Functions l Remember Hash Tables from Data Structures Class? Hash Maps? l A Hash Function maps any message of any length, to an element in a different set (the set of n-bit numbers) l Two different messages could map to the same value lossy compression l Basically, this can be considered lossy compression The space of all possible messages The space of all N-bit numbers

16 Copyright © 2005 David M. Wheeler, All Rights Reserved Technical Definition of MDAs l Message digest algorithms take a message of arbitrary size and create a digest of fixed size. l The algorithm takes the message and splits it into blocks of equal length (the block size of the algorithm) l The last block is padded, with a total message length attached (Merkle-Damgard Construction) l Each block is sent through the function in order. l After all blocks are processed, the fixed digest value is retrieved Message Block 0 Block 1 Block 2 … H(x) Digest Value < bits 160 bits Block n The numeric values shown in this figure represent the values for the SHA-1 algorithm

17 Copyright © 2005 David M. Wheeler, All Rights Reserved Characteristics of MDAs A Message Digest or Hash Algorithm must be: »One-Way (pre-image resistance) given an arbitrary digest z, it is infeasible to find y such that h(y) = z »Weakly Collision-Free (2nd preimage resistance) infeasible to find x such that x != y and h(x) = h(y) »Strongly Collision-Free (collision resistance) infeasible to find x and x’ such that h(x) = h(x’) Hash Functions are basically composed of series of cryptographic primitives with bit loss. Several Hash Functions are available: »SHA-1 ( ) »RIPEMD 160 ( ) »MD5 (no longer holds as strongly collision free) Message Hash Digest Handbook of Applied Cryptography, Menezes, Oorschot, and Vanstone, © 1997 CRC Press Dr. Dobbs Journal, January 1997

18 Copyright © 2005 David M. Wheeler, All Rights Reserved Uses for Hash Functions l Since hash functions... –characterize their input can be used for proving data integrity (digital signatures) –hide their actual input can be used to prove knowledge of input without revealing the input ( Sesame one-time passwords ) –appears highly random can be used to generate strong pseudo random data for keys, nonces, etc ( SecureRandom, key generation in SSL ) –cannot be reversed can be used for tokens or security tickets ( IPv6 cookies )

19 Copyright © 2005 David M. Wheeler, All Rights Reserved SHA-1 Secure Hash Algorithm 1 l Class of Algorithm: Message Digest (Hash) Function –the most widely used message digest (hash) algorithm –Being replaced by SHA-2 (longer digest length) l Characteristics: –Input: any binary data up to length 2 64 bits –Output: a 160-bit (20 byte) output characterizing the input data l Usage: Integrity –Create an integrity checksum for data –Characterize a message for digital signature l Attacks and Gotcha's –SHA-1 has been found to produce collisions in 2^32 work –Still used for majority of operations, but industry is switching to new algorithms –SHA-2 and AES-MAC

20 Copyright © 2005 David M. Wheeler, All Rights Reserved Secure Hash Algorithm 1 SHA-1, FIPS l SHA Input: –n-blocks 512 bits (16 words) –Maximum 2 64 bits 2 59 words l SHA Output: 160-bit (5 words) l SHA Processing: 1.Message is separated into blocks 2.Last block is padded out to 512 bits, minus 64-bits reserved for the bit length of the message 3.Blocks are processed through algorithm in sequence 4.Each block requires 80 rounds through the SHA operation shown to the right. 5.Digest is result A B C D E Comparative analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512 By Grembowski et al, SHA-1 Mixing Function

21 Copyright © 2005 David M. Wheeler, All Rights Reserved SHA Operation Details ABC H0 H1 H2 H3 H4 W0 DE W15 … W16 W79 … Message Block S 1 (W t-3 *W t-8 *W t-16 ) WtWt x5A (0<=t<=10) 0x6ED9EBA1 (20<=t<=39) 0x8F1BBCDC (40<=t<=59) 0xCA62C1D6 (60<=t<=79) H0: 0x H1: 0xEFCDAB89 H2: 0x98BADCFE H3: H4: 0xC3D2E1F0 Initial H Vector

22 Copyright © 2005 David M. Wheeler, All Rights Reserved Message Digest 5 MD-5, l MD-5 Input: –n-blocks 512 bits (16 words) –Maximum 2 64 bits 2 59 words l MD-5 Output: 128-bit (4 words) l MD-5 Processing: 1.Message is separated into blocks 2.Last block is padded out to 512 bits, minus 64-bits reserved for the bit length of the message 3.Blocks are processed through algorithm in sequence 4.Digest is result A B C D Applied Cryptography, 2nd Edition, by Bruce Schneier AB CD AB CD Round 1 16 steps, one for each block Round 2 16 steps, one for each block Round 3 16 steps, one for each block Round 4 16 steps, one for each block Message Block

23 Copyright © 2005 David M. Wheeler, All Rights Reserved Java Message Digest Algorithm import java.security.*; class MDTest { static String message = “This is a test”; static void main(String args[]) { int alg = 0; if (args.length >= 1) { alg = Integer.parseInt(args[0]); } try { MessageDigest md; // Select a hash function based upon input param switch(alg) { case 0: md = MessageDigest.getInstance(“RIPEMD160”, “CryptixCrypto”); break; case 1: md = MessageDigest.getInstance(“SHA1”, “CryptixCrypto”); break; } // Send the data to be digested to the hash function md.update(message); md.update(message2); // can call this multiple times byte[] digest = md.digest(); // could add last bit of data here as well // can now print out bytes or use digest } catch(... }

24 Symmetric Encryption Algorithms

25 Copyright © 2005 David M. Wheeler, All Rights Reserved Encryption Technology l Encryption is a mechanism which encodes information using a secondary secret. »A usable encryption mechanism has the following properties: The information encoded by the encryption mechanism may be recovered using a decryption mechanism and a (possibly different) secondary secret. The information encoded by the encryption mechanism may not be easily recovered without the appropriate secondary secret. The information produced by the encryption mechanism does not identify the secondary secret used to encrypt (or decrypt) the information. There exists a large enough number of secondary secrets so that the secret used to encrypt (or decrypt) the information cannot be easily guessed. »A strong encryption mechanism has the following properties: The information produced by the encryption mechanism is of no value in recovering the original information without possession of the secondary secret. Knowledge of the original information and the encoded information (produced by the encryption mechanism) does not reveal the secondary secret used to create the encoded information. l The rules which define how an encryption mechanism transforms the original information is called a Cryptographic Algorithm

26 Copyright © 2005 David M. Wheeler, All Rights Reserved Encryption Algorithms l Classified by the way in which they use the secondary secret (or key) for encryption and decryption: »Symmetric: Uses the same key for encryption and decryption »Asymmetric: Uses one key for encryption and a different (but related) key for decryption l Strength of an algorithm is based upon the difficulty to perform certain functions »Ciphertext-Only Attack: Recover the plaintext from the ciphertext without any knowledge of the key »Known-Plaintext Attack: Recover the key given one or more pairs of plaintext and ciphertext »Chosen-Plaintext Attack: Recover the key by observing the ciphertext produced under encryption by the attacker’s choice of plaintext. »Chosen-Ciphertext: Recover the key by observing the plaintext produced under decryption by the attacker’s choice of ciphertext. Computer Security Basics, Russell and Gangemi, © 1991 O’Reilly & Associates

27 Copyright © 2005 David M. Wheeler, All Rights Reserved Usage of Symmetric Encryption Algorithms l Make private (encrypt) = Confidentiality –Physical example (Seal message in an envelope) BitaHans “Only I can read this message” Internet Okiznxc qwhoi Okiznxc qwhoi Message

28 Copyright © 2005 David M. Wheeler, All Rights Reserved Two Types of Symmetric Algorithms Block Cipher Stream Cipher EX OR KiKi Keystream Generator PT EX OR KiKi Keystream Generator PTCT KiKi PT Block CT Block Block Cipher Algorithm Block Cipher Algorithm KiKi

29 Copyright © 2005 David M. Wheeler, All Rights Reserved AES Advanced Encryption Standard l Class of Algorithm: Symmetric Block Cipher Algorithm –the newest symmetric encryption algorithm –replaced DES & 3DES (triple DES) as basic encryption l Characteristics: –Input: any binary data of 128 bits (16 bytes) –Input: a secret key (secondary secret) of 128, 192, or 256 bits –Output: 128-bits (16 bytes) of binary data, transformed input l Usage: Confidentiality –Create a protected representation of the input data (encrypted) l Attacks and Gotcha's –Security is only as good as the key – the key must be random –Raw AES (also called Electronic Code Book – ECB) not usually a good implementation

30 Copyright © 2005 David M. Wheeler, All Rights Reserved DES Data Encryption Standard l Class of Algorithm: Symmetric Block Cipher Algorithm –Created in mid 1970’s and adopted in 1976 –First public encryption standard, and 3DES still considered strong l Characteristics: –Input: any binary data of 64 bits (8 bytes) –Input: a secret key (secondary secret) of 56 bits (+parity) –Output: 64-bits (8 bytes) of binary data, transformed input l Usage: Confidentiality –Create a protected representation of the input data (encrypted) l Attacks and Gotcha's –Security is only as good as the key – the key must be random –There known weak and semi-weak keys (all zeros, all ones, and other patterns) –Raw DES/3DES (in ECB mode) not usually considered good

31 Copyright © 2005 David M. Wheeler, All Rights Reserved Block Ciphers Technical Details l Most block ciphers implement a Fiestel network, which is a series [>=3 and usually even] of rounds where each round is composed of a product cipher. At the end of each round the working ciphertext is swapped from right to left. In addition, by convention, all work is done on the right side of the inputs. l The product cipher [f] is a combination of two or more transformations that are [usually] reversible (e.g. XOR, bitwise expansion, substitution, etc.). Certain elements of the block cipher are inserted to equalize the use of bits because the transformation favors some bits over others –IP, Initial Permutation, reorders plaintext bytes in order to guarantee better mixing [i.e. encryption] of the plaintext –The K i ’s are components of the key after key scheduling. Key scheduling is performed to maximize the use of key bits Output Ciphertext IP -1 L 15 R 15 L 16 R 16 Input Plaintext IP L0L0 R0R0 L1L1 R1R1 f K1K1 f K2K2 f K Round DES Computation

32 Copyright © 2005 David M. Wheeler, All Rights Reserved Triple DES DES Encrypt DES Decrypt DES Encrypt k1k1 k2k2 k3k3 PTCT DES Decrypt DES Encrypt DES Decrypt k1k1 k2k2 k3k3 CTPT TDES Encryption TDES Decryption If key size = 128 bits, then k 1 = k 3 If key size = 192 bits, then k1.NE. k3

33 Copyright © 2005 David M. Wheeler, All Rights Reserved RC4 Rivest Cipher #4 l Class of Algorithm: Symmetric Stream Cipher Algorithm –Created by Ron Rivest (the ‘R’ in RSA) in 1987 –Trade Secret Released into the Public Domain (=free) l Characteristics: –Input: any binary data, of any length (byte by byte) –Input: a secret key (secondary secret) up to 256 bytes –Output: transformed input (byte by byte) l Usage: Confidentiality –Create a protected representation of the input data (encrypted) l Attacks and Gotcha's –Security is only as good as the key – the key must be random –Caution in use – stream ciphers can create some problems if the key is re-used (remember the WEP problems?) –Also can be used to generate random numbers

34 Copyright © 2005 David M. Wheeler, All Rights Reserved Other Symmetric Algorithms l Rijndael (pronounced “rain doll”) (Same as AES) l RC5, RC6 l MARS l Blowfish, l Twofish l IDEA (International Data Encryption Algorithm)

35 Copyright © 2005 David M. Wheeler, All Rights Reserved Modes of Operation l ECB: Electronic Code Book (Insecure) »Just encrypt each block according to the algorithm »Duplicate blocks encrypt to same thing »“the blue box is next to the blue boat » ^ ^ ^ ^ 4444 l CBC: Cipher Block Chaining (Most Common) »the current plaintext is XOR’ed with the previous block’s cipher text before being encrypted l PCBC: Propagating Cipher Block Chaining »like CBC but uses both cipher text and plaintext blocks l CFB: Cipher Feedback »the cipher produces a stream of encrypted bytes that are XOR’ed with the plaintext, like a key. The resulting ciphertext is used as input back into the cipher for the next block of bits to use to create key bits. This operates like a stream cipher. l OFB: Output Feedback (Can be weak) »like CFB, but uses cipher output, not cipher to feedback into cipher

36 Copyright © 2005 David M. Wheeler, All Rights Reserved Electronic Code Book

37 Copyright © 2005 David M. Wheeler, All Rights Reserved ECB Properties l For a given key, a PT block always encrypts to the same CT l No error extension – errors impact only the block containing the error l Encryption of the same message with the same key results in the same cipher text (bad)

38 Copyright © 2005 David M. Wheeler, All Rights Reserved Cipher Block Chaining

39 Copyright © 2005 David M. Wheeler, All Rights Reserved CBC Properties l IV must be random, but need not be secret l Error extension – error in received block n will impact blocks n and n+1 l Multiple encryptions of the same data with the same key yield different Cipher Text results

40 Copyright © 2005 David M. Wheeler, All Rights Reserved Counter Mode

41 Copyright © 2005 David M. Wheeler, All Rights Reserved CTR Mode Properties l For a given key, all count values for all counters must be unique (no roll-over) l Uses the encryption (forward) cipher for both encryption and decryption l No error extension –A single bit error in the CT results in a single bit error in the decrypted data in the same position (good for media)

42 Copyright © 2005 David M. Wheeler, All Rights Reserved Initialization Vectors l Why do we need an IV? –When using a mode other than ECB, how do you encrypt the first block (there is no previous cipher text block)? –How do I ensure two messages that start out the same don’t start out as encrypted the same? l An Initialization Vector is a like a second key, except it is not as important to keep absolutely secret as the key –Employed as the starting point for those modes that require a cipher text at time t 0.

43 Copyright © 2005 David M. Wheeler, All Rights Reserved Padding for Block Ciphers l Why padding? »Block ciphers must operate on a set number of bytes (8 or 16) »Most messages don’t break up into an even number of blocks l Issues with padding »Does padding start at the beginning of a message or at the end? »How do you know how many bytes of padding there are, or if there are no padding bytes? »What do the padding characters look like? Is there a sure-fire way to tell if the correct bytes are being taken off? l Typical use is the PKCS#5 Pad algorithm »Pad always at the end of the message »Always add padding, even if you add a full block of pad bytes »The value of pad bytes are equal to the number of pad bytes Examples

44 Copyright © 2005 David M. Wheeler, All Rights Reserved Java Symmetric Encryption w/ AES Algorithm try { // try to see if the AES algorithm is available Cipher c1 = Cipher.getInstance("AES/CBC/PKCS5Padding"); // If we do not fault, then the AES algorithm is available! // generate an AES key, since AES is available // there are no weak keys, so we can use a generic construction skey = new byte[16]; // 128 bits for AES secrand.nextBytes(skey); confidentialityKey = new SecretKeySpec(skey, "AES"); } catch (java.security.NoSuchAlgorithmException e) { // else handle exception …. } // make an IV for CBC mode CommonUtils.MakeRandomSecret( ivbytes ); IvParameterSpec iv1 = new IvParameterSpec(ivbytes); // initialize the cipher in ENCRYPT mode with key and IV c1.init(Cipher.ENCRYPT_MODE, confidentialityKey, (AlgorithmParameterSpec)iv1 ); // encrypt the data ciphertext = c1.doFinal( data );

45 HMAC Hashed Message Authentication Codes

46 Copyright © 2005 David M. Wheeler, All Rights Reserved Problems with Message Digests l Assume you received the following message: Dave, The attached file includes a super-special update for Windows made just for you. Please run the attached file immediately on your computer. - Bill Gates SHA-1 Digest l You calculate the SHA-1 Digest over the message and the file contents (including Bill Gate’s signature) and the Digest checks out. l QUESTION? Is this an authentic message? Who is this an authentic message from? YES! Unknown! SOLUTION? If there was someway to tie something that only Bill and I know (a secret) into the hash operation, no one could spoof us to each other

47 Copyright © 2005 David M. Wheeler, All Rights Reserved Hashed Message Authentication Code l Function –HMAC(Algorithm, Key, Data) = Digest Algorithm: Message Digest Algorithm that provides basis for HMAC compression function Key: A variable-length input that is used as the shared secret in computing the HMAC Data: input to be integrity protected Digest: same size as the digest produced by the underlying MDA l Operation –HMAC K = H[ (K+  opad) || H [ (K+  ipad) || M ] ] Key Expansion (Inner) (K+  ipad) Key Expansion (Outer) (K+  opad) Hash Outer w/ Inner Hash w/ Message (Inner Hash) H [ (K+  ipad) || M ]

48 Copyright © 2005 David M. Wheeler, All Rights Reserved H(x) HMAC Operation Cryptography and Network Security: Principles and Practice, 2nd Edition By William Stallings, Prentice Hall, Copyright 1999 Message Key Key+Pad ipad (0x36)  H(x) opad (0x5A)  Block 0 Block 1 Block 2 … H(x) Block n H(x) Digest Value (Intermediate) Digest Value (final)

49 Copyright © 2005 David M. Wheeler, All Rights Reserved SHA Operation on Input ABC H0 H1 H2 H3 H4 W0 DE W15 … W16 W79 … Message Block S 1 (W t-3 *W t-8 *W t-16 ) WtWt x5A (0<=t<=10) 0x6ED9EBA1 (20<=t<=39) 0x8F1BBCDC (40<=t<=59) 0xCA62C1D6 (60<=t<=79) H0: 0x H1: 0xEFCDAB89 H2: 0x98BADCFE H3: H4: 0xC3D2E1F0 Initial H Vector Effectively, the HMAC Key becomes a customized Initialization Vector for the Hash Function

50 Copyright © 2005 David M. Wheeler, All Rights Reserved Message Authentication using a Symmetric Block Cipher l Key Dependent one way hash function using a block algorithm in CBC or CFB Plaintext N-1 Input Block N-1 CIPH k Output Block N-1 Ciphertext N-1 Plaintext N Input Block N CIPH k Output Block N Ciphertext N Input Block N+1 CIPH k Output Block N+1 MAC Discard

51 Copyright © 2005 David M. Wheeler, All Rights Reserved Java HMAC Using the SHA-1 Algorithm // Generate an HMAC-SHA1-KEY secrand.nextBytes(hmackey); integrityKey = new SecretKeySpec(hmackey, "HmacSHA1"); // Now MAC the data to protect it's integrity // Make a proper keyed-MAC object Machmac = Mac.getInstance(“HmacSHA1”); // Initialize the MAC with the key hmac.init( integrityKey ); // Add data to the MAC hmac.update( data ); // add more data to MAC and get the digest digest = hmac.doFinal( more_data );

52 Copyright © 2005 David M. Wheeler, All Rights Reserved Properties of MDAs & HMAC PropertyMDAHMAC Confidentiality Data Integrity Authentication (Origin Integrity) Non- Repudiation partial -

53 Public Key Algorithms

54 Copyright © 2005 David M. Wheeler, All Rights Reserved Problem… There was a huge problem in the world of secret communication - Keys! If I want to send you information secretly, we need to share a key. The key, of course, must be known only to you and I. However, if I could send you a key secretly, then I could send you the original information secretly also…. A new encryption technology was born

55 Copyright © 2005 David M. Wheeler, All Rights Reserved Who Invented PK Technology? l Technology first publicly described by Whitfield Diffie and Martin Hellman in, “New Directions in Cryptography”, IEEE Transactions on Information Theory (Nov 1976) l First complete cryptosystem (RSA) described by Ronald Rivest, Adi Shamir and Len Adleman in, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, in April 1977; later published in CACM Vol 21 #2, Feb 1978 l Elliptic curve cryptosystems were first publicly proposed by Neal Koblitz and V. S. Miller in 1985; “Use of Elliptic Curves in Cryptography”, Advances in Cryptology - CRYPTO ‘85 Proceedings, Springer-Verlag, l First known inventors of PKT are now know to be British Intelligence officers of the GCHQ: James Ellis, Clifford Cocks and Malcolm Williamson ( ). The Code Book, Simon Sing, © 1999, Doubleday

56 Copyright © 2005 David M. Wheeler, All Rights Reserved What is Public Key Technology? l Broad term applied to a class of cryptographic algorithms whose decryption key is different from their encryption key, thereby allowing one key to be made “public” and the other key held “private.” l Also know as Asymmetric algorithms, since encryption is done with a different key than decryption (no symmetry).

57 Copyright © 2005 David M. Wheeler, All Rights Reserved Why Is Public Key Technology so Great? l PK Technology solves many problems with secure key distribution. l PK Technology provides the raw capability to perform proof of source and proof of receipt completely through digital means using a technique called digital signatures. l PK Technology has been widely proven in theory and practice. l PK Technology patents are expiring. Diffie-Hellman key exchange and El Gamal are now free of patent restrictions. RSA patent expires on 20 Sept 2000.

58 Copyright © 2005 David M. Wheeler, All Rights Reserved How Does Public Key Technology Work? l Public Key Technology is based upon difficult mathematical problems. The mathematical problems are hard to solve, but easy to verify. One such hard problem is factoring a large number; numerous repeated division operations are required to solve this problem, however only a small number of multiplications are required to verify a correct answer. Different PK algorithms use different mathematical problems: »RSA: Factorization of large numbers »EC: Projection of a point on an elliptic curve »El Gamal: Discrete Logarithm problem in a finite field l It is theorized that the security of a particular PK algorithm is defined by the key length, and that the particular key length required for a secure PK algorithm is directly proportional to the difficulty of the mathematical problem upon which the PK algorithm is based. l PK algorithms define an encryption operation, a decryption operation, and (sometimes) a digital signature operation.

59 Copyright © 2005 David M. Wheeler, All Rights Reserved Public Key Encryption & Decryption A User of PK has two keys A Public Key A Private Key The keys are opposites (inverses); Each key reverses the effects of the other. Message Encrypt Ciphertext

60 Copyright © 2005 David M. Wheeler, All Rights Reserved How Does Public Key Technology Work: Encrypting with a Public Key The Encryption Operation 1Obtain the public key of the person with whom you want to communicate securely; 2Encrypt the message with the receiving party’s public key; 3Transmit the message; 4Receiving party decrypts using their private key. Message Ciphertext Alice Bob Key delivery mechanism Encrypt Message delivery mechanism Ciphertext Encrypt Message

61 Copyright © 2005 David M. Wheeler, All Rights Reserved How Does Public Key Technology Work Encrypting with a Private Key The Encryption Operation 1Encrypt the message with the your own private key; 2Transmit the message; 3Send your public key to the person with whom you want to communicate securely; 4Receiving party decrypts using your public key. Message Ciphertext Alice Bob Key delivery mechanism Encrypt Message delivery mechanism Ciphertext Encrypt Message

62 Copyright © 2005 David M. Wheeler, All Rights Reserved RSA Rivest-Shamir-Adleman l Class of Algorithm: Asymmetric Cipher Algorithm –Publicly published in 1978 –Most widely used asymmetric algorithm (used in SSL/TLS) l Characteristics: –Key Generation: based on primes & inverses in a Field –Input: any binary data less than size of modulus –Input: public (or private key) plus the modulus –Output: integer < modulus l Usage: Confidentiality, Non-Repudiation –Create a protected representation of the input data (encrypted) –Create a digital signature (proof of source) of data –Create a digital envelope (private delivery) containing data l Attacks and Gotcha's –Security is only as good as the key – modulus components must be strong primes –Raw RSA encryption can be broken – formatting of data must be used (PKCS standards) –Complex issues around implementation – side-channel attacks

63 Copyright © 2005 David M. Wheeler, All Rights Reserved RSA Algorithm Conditions: 1.n = p*q, where p, q are prime and p  q 2.1

64 Copyright © 2005 David M. Wheeler, All Rights Reserved RSA Key Generation n = p*q, where p, q are prime and p  q l Primes must be selected randomly, otherwise an attacker can guess what prime you have used to generate your keys l Generalized method: 1.Select a random number, z, of the appropriate number of bits 2.If z is even, z = z+ 1 3.Test if z is prime, if so stop. 4.If not prime, compute z = z + 2, goto step 2. This can take a LONG time!

65 Digital Signatures

66 Copyright © 2005 David M. Wheeler, All Rights Reserved Remember Hash Functions? The Message Digest Algorithm A Message Digest or Hash Algorithm must be: »One-Way (pre-image resistance) given an arbitrary digest z, it is infeasible to find y such that h(y) = z »Weakly Collision-Free (2nd preimage resistance) infeasible to find x such that x != y and h(x) = h(y) »Strongly Collision-Free (collision resistance) infeasible to find x and x’ such that h(x) = h(x’) Hash Functions are basically composed of series of cryptographic primitives with bit loss. Several Hash Functions are available: »SHA-1 ( ) »RIPEMD 160 ( ) »MD5 (no longer holds as strongly collision free) Message Hash Digest Handbook of Applied Cryptography, Menezes, Oorschot, and Vanstone, © 1997 CRC Press Dr. Dobbs Journal, January 1997

67 Copyright © 2005 David M. Wheeler, All Rights Reserved John Hancock circa the 21st Century: The Digital Signature Operation 1Hash the message to be signed to produce a digest; 2Encrypt the digest only using the signing party’s private key; 3Transmit both the original message and the encrypted digest; 4Receiving party obtains the sender’s public key; 5Receiving party decrypts the digest with the sender’s public key 6Receiving party hashes the message to obtain an original digest 7Compare the decrypted digest with the original digest a match validates the signature on the message. Message Ciphertext Alice Bob Alice Key delivery mechanism Encrypt Message delivery mechanism Ciphertext Encrypt Hash Digest Message Hash Digest

68 Copyright © 2005 David M. Wheeler, All Rights Reserved 1Create a digital signature over the plaintext message using your private key; 2Generate a random symmetric key and encrypt the message with it; 3Encrypt the symmetric key with the recipients public key The Pony Express in a Jetson’s World: Digital Envelopes Digital Signature Protected Key Asymmetric Encrypt Hash Digest Alice Secret Message Symmetric Encrypt Asymmetric Encrypt Enciphered Message 4Send all three enciphered items to the recipient along with your public key; 5Only the intended recipient can unlock and validate your message. Random Symmetric Key

69 Copyright © 2005 David M. Wheeler, All Rights Reserved Breaking a Digital Signature l Total Break –Private Key is recovered l Selective Forgery –Adversary can create a valid signature on a predetermined message l Existential Forgery –Adversary can create a valid signature with no control over the message

70 Copyright © 2005 David M. Wheeler, All Rights Reserved PKCS#1.5 Signature Format l  (M) = ff … ff 00 || HashAlgID || Hash(M) l Ad hoc design l Resistant to multiplicative forgery –moduli near 2 k are more at risk, but still out of range l Widely deployed –SSL certificates –S/MIME l Included in IEEE P1363a; PKCS #1 v2.1 continues to support it

71 Copyright © 2005 David M. Wheeler, All Rights Reserved Probable Signature Scheme (PSS) Bellare-Rogaway (Eurocrypt ’96) l  (M) = 00 || H || G(H)  [salt || 00 … 00] where H = Hash(salt, M), salt is random, and G is a mask generation function –Mask Generation: T = T || Hash (mgfSeed || C). Note: The format above is as specified in PKCS #1 v2.1. Note: PSS is patent pending (but generously licensed) l Is included in IEEE P1363a; ANSI X9.31 to be revised to include it l Provably Secure –same paradigm as Optimal Asymmetric Encryption Padding (OAEP) l PSS has a tighter security proof, is less dependent on security of hash function

72 Copyright © 2005 David M. Wheeler, All Rights Reserved Digital Signature Standard (DSS) l US Govt approved signature scheme FIPS 186 l uses the SHA hash algorithm l designed by NIST & NSA in early 90's l DSS is the standard, DSA is the algorithm l a variant on ElGamal and Schnorr schemes l creates a 320 bit signature, but comparable to RSA bit security l security depends on difficulty of computing discrete logarithms Considered potentially weak given issues Surrounding SHA-1 Algorithm

73 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA Key Generation (2) l Have shared global public key values (p,q,g): –a large prime p = 2 L where L= 512 to 1024 bits and is a multiple of 64 –choose q, a 160 bit prime factor of p-1 –choose g = h (p-1)/q where h 1 l Users choose private & compute public key: –choose x

74 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA Signature Generation to sign a message M the sender: –generates a random signature key k, k

75 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA Signature Verification having received M & signature (r,s) l to verify a signature, recipient computes: w = s -1 (mod q) u1= (SHA(M).w)(mod q) u2= (r.w)(mod q) v = (g u1.y u2 (mod p)) (mod q) if v=r then signature is verified

76 Copyright © 2005 David M. Wheeler, All Rights Reserved Questions/Resources l SHA-1: FIPS l MD-5: RFC 1321 l HMAC: RFC 2104 l AES: FIPS 197 l RSA: PKCS #1, ver 2.1 l DSS: FIPS l ECC/RSA/DH: IEEE 1364 l DISA PKI Site: l IETF PKIX: l PKCS Standards: l Applied Cryptography, Bruce Schneier l Cryptography and Network Security, William Stallings l Cryptography Theory and Practice, Douglas Stinson

77 Backup

78 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA Algorithm : key generation 1.select a prime q of 160 bits 2.Choose 0  t  8, select t

79 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA signature generation public key (p,q, ,y), private key (a) 1.Select a random integer k, 0 < k < q 2.Compute r=(  k mod p) mod q 3.compute k -1 mod q 4.Compute s=k -1  (h(m) + ar) mod q 5.signature = (r, s)

80 Copyright © 2005 David M. Wheeler, All Rights Reserved DSA signature verification public key (p,q, ,y), –Verify 0

81 Copyright © 2005 David M. Wheeler, All Rights Reserved Whose key is THIS? The need for Certificates l A Typical Public Key (PKCS#1, Appendix A) a d c de 7a b bb 7f b0 c0 01 c e1 9a 8d 8c 51 d0 53 b3 e3 78 2a 1d e5 dc 5a f4 eb e a1 df e6 7c dc 9a f5 5d bb ab l Public Keys are just numbers

82 Copyright © 2005 David M. Wheeler, All Rights Reserved Certificates Identity Principles l A principle (or subject) is an entity (person, machine, SW program, etc.) that owns a public/private key pair. l A certificate binds a particular key pair to a principle using “unique” information The Distinguished Name A Unique ID An address etc. l See RFC 2459 for a good example Version: 3 Serial Number: subject: David M. Wheeler, Intel, HPG, Chandler, AZ, US subjectID: Public: Modulus: 02400a66791dc de7ab77419bb7fb0….

83 Copyright © 2005 David M. Wheeler, All Rights Reserved But Can I Trust It? PKI and Certificate Authorities l A Certificate is really only an identity claim l Trust is bound into the certificate using a digital signature from someone you would likely trust (your grandmother, your bank, your company, your government) l This trusted entity is called a Certificate Authority or CA Version: 3 Serial Number: subject: David M. Wheeler, Intel, HPG, Chandler, AZ, US subject ID: Public: Modulus: 02400a66791dc de7ab77419bb7fb0…. Issuer: Intel Corp Issuer ID: 111xyz3456 INTEL DIGITAL SIGNATURE

84 Copyright © 2005 David M. Wheeler, All Rights Reserved An Example PKI Root (i.e. Verisign) CA - Intel CA - MS CA - Other CA - HPG CA - IAL certificates Self-Signed Certificate Signed by Verifying a certificate involves checking the digital signature on the certificate, and the signer of the certificate, all the way up the chain to a trusted entity in the hierarchy (possibly the root).

85 Copyright © 2005 David M. Wheeler, All Rights Reserved What Are The Issues With Public Key? l Does PK technology really solve all the problems of secure communication? »No. There are issues involved with transmitting the correct pieces, encrypted with the correct key, combined in the correct order. These are secure protocols which are used to guarantee the trust associated with public keys and reduce the risk of misuse. »How do I get other people’s public key? How do other people get my public keys? »The easy answer is by using an X.500 directory service. However, there are many hidden issues involved here: Who runs the directory? Can you trust them? How do all your applications get access to the directory? What protocols should I use? Should I ever store public keys locally? How many should I store? How often should I refresh them? l What prevents someone from creating keys and pretending to be me? »Because the Public keys are enclosed in a certificate (basically a signed envelope) they are guaranteed to be as trusted as the CA chain that signed the certificate. Who can be a CA? Do I have to pay a CA or a root for signing my keys? Can I be this entity for myself? How do I get this entity to sign my keys in the first place? »How can I trust the public keys that I have? »This is accomplished by verifying the signature on the certificate that contains the public key. How do I verify that the signer is authentic? Using the PKI hierarchy up to a trusted root. »What if I lose my private key? What if someone steals my private key? »Key revocation, Key recovery and Key escrow techniques may be used to protect against these occurrences, however some of these approaches are not popular, and may not scale well, either.

86 Copyright © 2005 David M. Wheeler, All Rights Reserved Information Security: Security Services l Confidentiality »Threat: Disclosure l Integrity »Threat: Modification l Identification & Authentication (I&A) »Threat: Masquerade (Impersonation), Fabrication, Spoofing l Non-Repudiation »Threat: Retraction, Replay, Spoofing l Reliability »Threat: Denial of Service, Interruption l Access Control »Threat: Eavesdropping, Permission violation, Penetration, Residue Recovery Computer Security Basics, Russell and Gangemi, © 1991 O’Reilly & Associates

87 Copyright © 2005 David M. Wheeler, All Rights Reserved Threats, Vulnerabilities, Safeguards and Counter-Measures l Security Policy: A written or implied statement about a system reflecting the expected support of CIA principles l Vulnerability: Characteristics of a system that make it susceptible to a particular threat l Threat: Any potential action or condition that risks a violation of the security policy by leveraging a vulnerability l Attack: An active instance of a threat attempting to leverage a vulnerability to overcome CIA principles (e.g. the security policy) l Safeguard: A passive security measure that prevents a threat from being successful l Counter-Measure: An active security measure that detects, and possibly reverses or diminishes the negative effects of an attack l Example: A tank is vulnerable to being blow up; A threat on the battlefield is a shoulder-launched missile; A safeguard is increased armor around sensitive areas of the tank (engine, fuel storage, munitions storage); A counter-measure is a flare system to divert heat-seeking missiles away from the tank engine


Download ppt "Copyright © 2005 David M. Wheeler, All Rights Reserved Desert Code Camp: Introduction to Cryptography David M. Wheeler May 6 th 2006 Phoenix, Arizona."

Similar presentations


Ads by Google