Introduction to Symmetric-key and Public-key Cryptography
Overview Cryptography: secure communication over insecure communication channels Three goals Confidentiality Only authorized people can see the message Integrity If the message is tampered by an attacker, we can know Authenticity We can check whether a message is from a given person
Brief History of Crypto 2,000 years ago Caesar Cypher: shifting each letter forward by a fixed amount Encode and decode by hand During World War I/II Mechanical era: a mechanical device for encrypting messages After World War II Modern cryptography: rely on mathematics and electronic computers
Plaintext and ciphertext Plaintext is the message before encryption Ciphertext is the encrypted message
Modern Cryptography Symmetric-key cryptography The same secret key is used by both endpoints of a communication Public-key cryptography (or asymmetric cryptography) Two endpoints use different keys
Roadmap Symmetric-key cryptography Public-key cryptography Confidentiality Block cipher Stream cipher Integrity & authenticity HMAC Public-key cryptography Public-key encryption Digital signature
Symmetric-key cryptography :Block Cipher Encrypt/Decrypt messages in fixed size blocks using the same secret key k-bit secret key n-bit plaintext/ciphertext n bits n bits E, D Plaintext Block Ciphertext Block Key k Bits
Examples of Block Cipher DES - Data Encryption Standard (1977) Works on 64 bit block with 56 bit keys Developed by IBM (Lucifer) improved by NSA Brute force attack feasible in 1997 AES – Advanced Encryption Standard (1997) Block size 128 bits Key can be 128, 192, or 256 bits
Modes of Operation Block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks with 56-bit key Need to en/decrypt arbitrary amounts of data NIST SP 800-38A defines 5 modes of operation Divide a long message into blocks and encypt each one using a block cipher
Stream cipher For a message with a length k Generate a key with length k This is often a pseudo-random bit stream generated from a master secret key Encryption and decryption are simple Examples RC4 (insecure) ChaCha20-Poly1305
Hash functions Properties Variable input size Fixed output size (e.g., 512 bits) Efficient to compute Pseudo-random (mixes up input well)
Cryptographic hash functions Cryptogtaphic hash functions add conditions Preimage resistance Given h, intractable to find y such that H(y)=h Second preimage resistance Given x, intractable to find y≠x such that H(y)=H(x) Collision resistance Intractable to find x, y such that y≠x and H(y)=H(x)
We have a cryptographic hash function crisis Popular hash function MD5 Thoroughly broken Government standard function SHA-1, SHA-2 Theoretical weaknesses “New” cryptographic hash function SHA-3 Too new to fully evaluate Maybe good enough
Message Integrity: Hashed Message Authentication Codes (HMACs) Goal: provide message integrity and authenticity ex: Protecting public binaries on disk. k k Message m tag Alice Bob Generate tag: tag S(k, m) Verify tag: V(k, m, tag) = `yes’ ?
HMAC Most widely used MAC on the Internet. H: hash function. example: SHA-256; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( kopad , H( kipad , m ) ) opad, ipad: fixed strings
Public key encryption Def: a public-key encryption system is a triple of algs. (G, E, D) G(): randomized alg. outputs a key pair (pk, sk) E(pk, m): randomized alg. that takes m∈M and outputs c ∈C D(sk, c): det. alg. that takes c∈C and outputs m∈M or ⊥ Consistency: ∀(pk, sk) output by G : ∀m∈M: D(sk, E(pk, m) ) = m
Building Block: Trapdoor Functions (TDF) Def: a trapdoor function over X is a triple of efficient algs. (G, F, F-1) G(): randomized alg. outputs a key pair (pk, sk) F(pk,⋅): deterministic alg. that defines a function X ⟼ Y F-1(sk,⋅): defines a function Y ⟼ X that inverts F(pk,⋅) Security: (G, F, F-1) is secure if F(pk, ⋅) is a “one-way” function: given F(pk, x) and pk it is difficult to find x for all x in X: F-1(sk, F(pk, x) ) = x
Example TDF: RSA set N pq (3072 bits 925 digits) alg. G(): generate two equal length primes p, q set N pq (3072 bits 925 digits) set e 216+1 = 65537 set d e-1 (mod (N)) pk = (N, e) ; sk = (N, d) RSA(pk, x) : x (xe mod N) Inverting this function is believed to be as hard as factoring N RSA-1(sk, y) : y (yd mod N)
Public Key Encryption with a TDF G(): generate pk and sk E(pk, m): choose random x domain(F) and set k H(x) c0 F(pk, x) , c1 E(k, m) (E: symm. cipher) send c = (c0, c1) D(sk, c=(c0,c1) ): x F-1(sk, c0) , k H(x) , m D(k, c1) c0 c1
Digital signature Bind message to author An author uses its private key to create a signature Signature is different for different message Anyone can verify the signature with the author’s public key It is hard for attackers to forge a signature for a message without knowing the private key
Digital Signatures: applications Software distribution Windows Update File Microsoft’s signature on file
Certificates How we can know a public key belongs to the author? Use certificate A trusted third party issues a digital certificate saying that a public key belongs to the author Widely used in Internet