# Security – Keys, Digital Signatures and Certificates I


Security – Keys, Digital Signatures and Certificates I
CS3517 Distributed Systems and Security Lecture 19

Modern Cryptography Relates to
- Communication: encrypt / decrypt with key
  - Symmetric: use a secret key for both encryption and decryption
  - Asymmetric: use different keys for encryption and decryption, usually a public key and a private key
- Authentication, Data Integrity: encrypt for creating a unique “fingerprint” or “message digest” for a digital object (e.g. a message or files)
  - digital signatures, certificates

A public key fingerprint is a short sequence of bytes used to authenticate or look up a longer public key. A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. Message digests are important. Cryptographic hash functions have many information security applications, notably in digital signatures (a mathematical scheme for demonstrating the authenticity of a digital message or document).

Modern Cryptography

- Classic ciphers encrypted written text messages
- Modern ciphers operate on the bit sequences representing digital objects to be transmitted (“plain text”) to produce an encoded result (“cipher text”)
  - Block ciphers: encoding the plain text (sequence of bits) takes place in a block-wise fashion
  - Stream ciphers: bit-wise encoding of a stream of plain text with a key
- Goal for a high-quality cipher
  - Fast and resource-efficient in encoding
  - Breaking the cipher would require an effort many magnitudes larger, making cryptanalysis impractical

A block cipher is an algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.

Symmetric-Key Encryption (Secret Key Encryption)
[Diagram labels: Plaintext, Encryption / Decryption Algorithm, Ciphertext, Secret Key Shared Via Trusted Channel]

Same key is used by sender and receiver, has to be shared via some trusted channel.

A trusted channel is any means of communication over which you have sufficient control to be ‘assured’ of its ability to uphold your security requirements.

Secret Key Encryption Concepts
- Plaintext: Original message or data, input to encryption algorithm
- Encryption algorithm: Performs substitutions and transformations on the plaintext
- Secret key: The exact substitutions and transformations performed depend on the key, is also an input to the encryption algorithm
- Ciphertext: Encrypted message produced as output, depends on the plaintext and the key
- Decryption algorithm: Encryption algorithm run in reverse, takes ciphertext and key as input, produces plaintext as output

Substitutions – Caesar, transformations – columnar transformations

Secret Key Cryptography
- Relies on a symmetric key for encryption and decryption
- Encryption algorithm should be hard to break
  - Attackers should be unable to decrypt ciphertext or discover the key (even if they have a set of corresponding cipher / plain texts)
  - The larger the key size, the harder to attack
- Sender and receiver must obtain copies of the secret key in a secure fashion
- As long as the key is kept secret, the cryptographic procedure does not have to be secret

Symmetric key – for both encryption and decryption. What we call a symmetric model of a cryptography system.

The larger the key size, the harder to attack – True? Not always. What about other techniques to attack the cipher? Remember frequency analysis from last lecture, and repeating poly-alphabetic ciphers (Vigenère)?

Sender and receiver must obtain copies of the secret key in a secure fashion – This is itself a significant security challenge!

Block Ciphers

- Message is broken into blocks (usually 16 or 32-bit words), each block is encrypted separately
- Operate with a fixed transformation procedure on large blocks of plaintext data
- Block Ciphers
  - Feistel Cipher: Is the first block cipher, which inspired subsequent cipher methods such as DES, etc.
  - Substitution-Permutation (SP) network

Remember, a block cipher is an algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Feistel Cipher - a symmetric structure used in the construction of block ciphers. A large proportion of block ciphers use the scheme, including the Data Encryption Standard (DES).

Symmetric-key Encryption
Encryption methods

- DES (Data Encryption Standard)
  - Was highly influential in modern cryptography
  - Developed by IBM
  - Is now considered insecure due to its key size (56 bits)
- 3DES
  - Is a form of DES that is regarded as secure, uses three keys and three executions of the DES algorithm
- AES (Advanced Encryption Standard)
  - Has superseded DES
- Cast-128
  - Uses fixed, carefully designed S-boxes for subkey generation
- RC5
  - Fast, variable number of rounds, variable key length
- IDEA
  - Uses a 128-bit key, does not use S-boxes, but a combination of three operations: XOR, binary addition of 16-bit integers, binary multiplication of 16-bit integers; IDEA is used in PGP (Pretty Good Privacy)
- Blowfish
  - High execution speed, small footprint, variable keys up to 448 bits, uses S-boxes and XOR, S-boxes are not fixed but dynamically created from key
  - Very strong crypto-algorithm, no practical weaknesses found so far

DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small. The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

DES Data Encryption Standard
[Diagram labels: Plaintext, 16 repetitions, Ciphertext]

DES is the archetypal block cipher — an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is always quoted as such.

There are 16 identical stages of processing, termed rounds. There is also an initial (IP) and final permutation (FP), which are inverses (IP "undoes" the action of FP, and vice versa). IP and FP have no cryptographic significance, but were included in order to facilitate loading blocks in and out of mid-1970s 8-bit based hardware.

Before the main rounds, the block is divided into two 32-bit halves and processed alternately; this criss-crossing is known as the Feistel scheme. The Feistel structure ensures that decryption and encryption are very similar processes — the only difference is that the subkeys are applied in the reverse order when decrypting. The rest of the algorithm is identical. This greatly simplifies implementation, particularly in hardware, as there is no need for separate encryption and decryption algorithms.

The F-function (box) scrambles half a block together with some of the key. The output from the F-function is then combined with the other half of the block, and the halves are swapped before the next round. After the final round, the halves are swapped; this is a feature of the Feistel structure which makes encryption and decryption similar processes.

The basic structure is a three-step process: permute the input data, run it through a sequence of 16 passes using a ladder-like data flow structure, and then reverse the initial permutation. The permutation is an interesting step: it doesn't really add anything to the encryption as such. What it does is add a step to the computation: since there's no known attack short of brute force, it serves to increase the time it takes to perform a brute-force attack. To crack a message, you need to do the encryption and/or decryption process, and that means doing the permutations - which take time. All that the permutations at the start and finish of the process do is add computation time, so that cracking the encryption by brute force requires more work.

The interesting thing is what comes after the permutation. You split the input block into two 32-bit sub-blocks, which each contain half of the permuted block. Then you pass the subblocks through an encryption ladder called a Feistel structure, where at each step, one of the two blocks is put through something called a Feistel block. The output from the Feistel structure is then exclusive-or'ed with the result of the previous step.

DES Data Encryption Standard
[Diagram labels: Plaintext, 64-bit Block, 56-bit Key, Initial Permutation, Create Subkey; K1, Round 1, Left-Shift, Permutation; K2, Round 2, Left-Shift, Permutation; K16, Round 16, Left-Shift, Permutation; 32-bit Swap, Initial Permutation, Ciphertext]

The ⊕ symbol denotes the exclusive-OR (XOR) operation.
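
The Feistel property described in the DES notes (decryption is the same routine with the subkeys in reverse order) can be checked with a small model. This is an added example, not code from the lecture: the round function and key schedule are toy stand-ins built from SHA-256 (assumptions), not DES's F-function or subkey generation, and the initial and final permutations are left out.

```python
import hashlib

ROUNDS = 16              # same round count as DES
HALF_MASK = 0xFFFFFFFF   # each half of the 64-bit block is 32 bits


def round_function(half: int, subkey: int) -> int:
    """Toy F-function (assumption, not DES's F): a truncated hash.

    It is deliberately non-invertible; the Feistel structure never needs
    to run F backwards, which is the point of the construction.
    """
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key: int) -> list:
    """Toy schedule (assumption): one 32-bit subkey per round from a 64-bit key."""
    raw = key.to_bytes(8, "big")
    return [
        int.from_bytes(hashlib.sha256(raw + bytes([i])).digest()[:4], "big")
        for i in range(ROUNDS)
    ]


def feistel(block: int, subkeys: list) -> int:
    """Run the Feistel ladder over a 64-bit block with the given subkeys."""
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        # F scrambles one half with the subkey, the result is XORed into
        # the other half, then the halves are swapped for the next round.
        left, right = right, left ^ round_function(right, k)
    # Final swap: this is what lets the same routine decrypt.
    return (right << 32) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    # Identical algorithm; only the subkey order is reversed.
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = 0x133457799BBCDFF1          # constructed sample key
    plaintext = 0x0123456789ABCDEF    # constructed sample block
    ciphertext = encrypt(plaintext, key)
    print(f"ciphertext = {ciphertext:016x}")
    print(f"decrypted  = {decrypt(ciphertext, key):016x}")
```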

Shannon’s Principles for Cryptography
Shannon’s principles of “confusion” and “diffusion”

- Problems: non-uniformity of individual letters in plain text (e.g. Letter “E” occurs most often in English text) should not be reflected in ciphertext or hard to derive
- Confusion: Make the relationship between plaintext and ciphertext (their statistical features in terms of non-uniformity) too complex to be exploited by an attacker
- Diffusion: Output bits in ciphertext should depend on input bits in plaintext in a very complicated way – a change of one input bit should change at least half of all output bits in an unpredictable / pseudorandom manner (and not just one bit of it)

Claude Shannon's original definitions say: Confusion refers to making the relationship between the ciphertext and the symmetric key as complex and involved as possible; Diffusion refers to making the relationship between the plaintext and the ciphertext as complex and involved as possible. To make it complex, a series of well-defined steps that can be followed as a procedure must be used as an algorithm which can manipulate the data, e.g. Feistel structure.

Substitution-Permutation Network
- SP-Networks (SPN) describe a series of substitution and permutation operations to be applied on plain text
- The plaintext is separated into blocks (16-bit words)
- The encoding operates over a sequence of rounds (“layers”), reapplying substitution and permutation operations over and over again to the output of a previous round

SP-Network (Example)

[Diagram labels: 16 bit of the Plaintext; Key; K0, generate sub-key for round 0, XOR; S1 S2 S3 S4; P; K1, generate sub-key for round 1, XOR; S1 S2 S3 S4; P; etc.; Kn, generate sub-key for round n; 16 bit of the Ciphertext]

S = Substitution Box, P = Permutations. Output is XORed with the (sub)key. Then repeat for more rounds.

Substitution and Permutation
- Substitution in an SP-Network is performed with a so-called “substitution box” or S-box:
  - Are used to obscure or “confuse” the relationship between key and ciphertext
  - Takes as input m bits, produces a corresponding output of n bits
  - Implemented as an m x n lookup table
  - Substitution table is carefully designed to reduce vulnerability (Shannon: a change of one input bit should change at least half of all output bits)
- Permutation is performed with a so-called “permutation box” or P-box:
  - Takes the output of all substitution boxes as its input
  - Re-orders (permutes) bits to produce output

Substitution and Permutation
- Substitution and Permutation are called the “mixing transformations” by Shannon
  - S-box: provides “confusion” of input bits
  - P-box: provides “diffusion” across S-box inputs

Remember - Confusion refers to making the relationship between the ciphertext and the symmetric key as complex and involved as possible; Diffusion refers to making the relationship between the plaintext and the ciphertext as complex and involved as possible.

[Diagram labels: Plaintext block; P1, P2, P3, P4; S1 to S12; Ciphertext block]
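
The role of the P-box can be measured on a toy 16-bit SP-network shaped like the one in the slides (XOR with a subkey, four 4-bit S-boxes, one P-box, repeated per round). This is an added example, not code from the lecture: the S-box table, the transpose P-box and the rotate-by-3 key schedule are illustrative choices (assumptions). Without the P-box a one-bit change stays inside its own S-box however many rounds are run; with it the change spreads across the block.

```python
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]    # illustrative 4-bit S-box
INV_SBOX = [SBOX.index(v) for v in range(16)]
# P-box: bit i moves to position PBOX[i]. This 4x4 transpose feeds each
# S-box output bit into a different S-box of the next round; it is its own inverse.
PBOX = [(i % 4) * 4 + i // 4 for i in range(16)]


def substitute(word, box):
    """Apply the 4-bit lookup table to each of the four nibbles."""
    return sum(box[(word >> s) & 0xF] << s for s in (0, 4, 8, 12))


def permute(word):
    return sum(((word >> i) & 1) << PBOX[i] for i in range(16))


def subkeys(key, rounds):
    """Toy schedule (assumption): K_r is the 16-bit key rotated left by 3*r bits."""
    def rotl(x, n):
        n %= 16
        return ((x << n) | (x >> (16 - n))) & 0xFFFF
    return [rotl(key, 3 * r) for r in range(rounds + 1)]


def encrypt(block, key, rounds=4, use_pbox=True):
    ks = subkeys(key, rounds)
    state = block ^ ks[0]
    for r in range(1, rounds + 1):
        state = substitute(state, SBOX)     # confusion
        if use_pbox:
            state = permute(state)          # diffusion
        state ^= ks[r]
    return state


def decrypt(block, key, rounds=4, use_pbox=True):
    ks = subkeys(key, rounds)
    state = block
    for r in range(rounds, 0, -1):
        state ^= ks[r]
        if use_pbox:
            state = permute(state)          # transpose is self-inverse
        state = substitute(state, INV_SBOX)
    return state ^ ks[0]


def avalanche(block, key, bit, **kw):
    """Number of ciphertext bits that change when one plaintext bit is flipped."""
    diff = encrypt(block, key, **kw) ^ encrypt(block ^ (1 << bit), key, **kw)
    return bin(diff).count("1")


def mean_avalanche(key, **kw):
    """Average avalanche over 256 sample blocks and all 16 bit positions."""
    counts = [avalanche(b, key, bit, **kw)
              for b in range(0, 0x10000, 257) for bit in range(16)]
    return sum(counts) / len(counts)


if __name__ == "__main__":
    KEY = 0x3A94  # constructed sample key
    print("mean bits changed, with P-box:   ", mean_avalanche(KEY))
    print("mean bits changed, without P-box:", mean_avalanche(KEY, use_pbox=False))
```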

- Based on the Rijndael algorithm
- Uses an SP-network
- Fixed block size of 128 bits
- Supports key sizes of 128, 192 and 256 bits
- Is fast in encryption / decryption both in software and hardware implementations
- Is the default encryption standard for the US government
- Probably cannot be cracked with current technology

Rijndael algorithm – background. Brute force attacks against 256 bit AES are in the multiple billions of years.

Discussion of Secret-Key Cryptography
- Advantages
  - High rates of data throughput, with hardware solutions up to hundreds of megabytes per second
  - Key length is relatively short
  - Symmetric-key ciphers can also be combined to produce stronger ciphers
- Disadvantage
  - The key must remain secret at both ends
  - Cryptographic practice leads to frequent key change
  - In large networks, many key pairs have to be managed

The key must remain secret at both ends – how? Difficult question with no single answer. Discussed shortly.

Keys are updated. This needs to be synchronised across all users – or Availability suffers.

Robustness

Average time required for exhaustive key search:

| Key Size (in bits) | Number of Alternative Keys | Time required at $10^{6}$ Decryptions/s |
|---|---|---|
| 32 | $2^{32} = 4.3 \times 10^{9}$ | 2.15 milliseconds |
| 56 | $2^{56} = 7.2 \times 10^{16}$ | 10 hours |
| 128 | $2^{128} = 3.4 \times 10^{38}$ | $5.4 \times 10^{18}$ years |
| 168 | $2^{168} = 3.7 \times 10^{50}$ | $5.8 \times 10^{30}$ years |

Key Distribution

- With any symmetric algorithm, the key must be agreed upon by sender and receiver in a secure way
- Before 1976, key exchange was by far the biggest problem in secure communications
- Possible Strategies:
  - A key could be selected by A and physically delivered to B
  - A third party could select the key and physically deliver it to A and B
  - If A and B have previously used a key, one party could transmit the new key by encrypting it with the old key
  - If both A and B have an encrypted connection with a third party C, C could deliver a key on the encrypted links to A and B

Diffie-Hellman Key Exchange
- Developed in 1976, is a key exchange method where two parties exchange information that allows them to derive the same key, but never actually exchange the key
- Method:
  - Two parties, Alice and Bob, agree on a large prime number p and a small integer g; these two numbers are public
  - Alice picks a secret large random integer a, and calculates a number A:
    - A becomes a public key, Alice transmits A to Bob
  - Bob picks a secret large random integer b, and calculates a number B:
    - B becomes a public key, Bob transmits B to Alice
  - Alice computes the secret key:
  - Bob computes the secret key:
- Rules
  - p must be a prime number, p > 2
  - g must be a small integer, g < p
  - a and b are large random integers, a < p-1, b < p-1

The method was followed shortly afterwards by RSA, an implementation of public key cryptography using asymmetric algorithms. Discuss RSA later.

Large primes are highly sought after. Very hard to compute. Largest is currently digits. ‘Large’ is defined in relation to the prime.

Diffie-Hellman Key Exchange
Example

| | Alice | Bob |
|---|---|---|
| Public p, g | p = 13, g = 6 | p = 13, g = 6 |
| Random secret | a = 3 | b = 10 |
| Calculate public value | $A = 6^{3} \bmod 13 = 8$ | $B = 6^{10} \bmod 13 = 4$ |
| Calculate secret key | $K = 4^{3} \bmod 13 = 12$ | $K = 8^{10} \bmod 13 = 12$ |

Prime p and integer g are public. Both pick random secret numbers a or b, and calculate A or B (public keys) respectively. They exchange these keys and use them to calculate a secret key.
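
The exchange above, run with the slide's numbers and with the slide's rules enforced as parameter checks. This is an added example, not code from the lecture: the `Party` class, the range check on the peer's public value and the `exponent_by_search` helper are assumptions introduced here. The last function shows why p has to be large: with p = 13 an observer of A can find a by trying every exponent.

```python
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_parameters(p, g):
    """Rules from the slide: p is a prime > 2, g is an integer with g < p."""
    if p <= 2 or not is_prime(p):
        raise ValueError("p must be a prime greater than 2")
    if not 1 < g < p:
        raise ValueError("g must satisfy 1 < g < p")


class Party:
    def __init__(self, p, g, secret=None):
        check_parameters(p, g)
        if secret is None:
            secret = secrets.randbelow(p - 2) + 1   # random value in 1 .. p-2
        if not 1 <= secret < p - 1:
            raise ValueError("secret must be below p-1")
        self.p, self.g, self._secret = p, g, secret

    def public_value(self):
        # A = g^a mod p: the only value that is ever transmitted
        return pow(self.g, self._secret, self.p)

    def shared_key(self, peer_public):
        # Added hardening check (not on the slide): reject values that would
        # force a trivial key (0, 1 or p-1) before using the peer's input.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self._secret, self.p)


def exponent_by_search(p, g, public_value):
    """Try every exponent; feasible only because p is tiny."""
    for x in range(1, p - 1):
        if pow(g, x, p) == public_value:
            return x
    return None


if __name__ == "__main__":
    alice = Party(13, 6, secret=3)
    bob = Party(13, 6, secret=10)
    A, B = alice.public_value(), bob.public_value()
    print("A =", A, " B =", B)
    print("Alice's key:", alice.shared_key(B), " Bob's key:", bob.shared_key(A))
    print("a recovered from A by search:", exponent_by_search(13, 6, A))
```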

Key Distribution

- Session key
  - Data encryption with a one-time session key, is destroyed at the conclusion of a session
- Permanent key
  - Used between entities for the purpose of distributing session keys

Public Key Cryptography
- Using one secret (private) key poses a security risk
- A solution to this problem is “Public Key Cryptography”
- Two keys: public and private (secret) key
- The keys are matched so that
  - A message encrypted with the public key can be decrypted using the private key
  - A message encrypted with the private key can be decrypted using the public key

Using one secret key poses a security risk – Attackers can eavesdrop on decrypted comms (confidentiality) – and launch man in the middle style attacks (integrity).

Public and private keys mean? – Asymmetric key encryption.

Public-Key Encryption (Asymmetric Key Encryption)
[Diagram labels: Plaintext, KeyE, Encryption / Decryption Algorithm, Ciphertext, KeyD, Encryption / Decryption Algorithm, Plaintext]

Two different keys: public key, private key.

Like the basic diagram we saw at the beginning of Lecture 18. The plain text and the encryption key are inputs to the encryption algorithm. The cipher text is the output. The cipher text and the decryption key are inputs to the decryption algorithm. The plain text is the output. And vice versa.

Applications for Public Key Cryptography
- Encryption / Decryption
  - The sender encrypts the message with the recipient's public key
- Digital Signature
  - The sender “signs” a message with its private key. For this, a cryptographic algorithm is applied to the whole message or to a small block of data that is a function of the message (a “fingerprint” of the message, called a message “digest”)
- Key Exchange
  - Exchange key information using the private key of one or both parties

What keys are used where? Digests were mentioned earlier in the lecture.

Public-Key Cryptography
- Privacy:
  - Encryption with public key, decryption with private key
  - Anyone can send a message, using the public key of the receiver
  - No one else can read the message, because only the private key can decrypt the message
  - Only the owner of the private key can decrypt the message

Public-Key Cryptography
- Authenticity
  - Encryption with the private key, decryption with the public key
  - Receivers of a message can verify who sent the message with the sender’s public key
  - Only the owner of the private key can have generated such an encrypted message

Public-Key Cryptography- Requirements
- Easy to generate a public key / private key pair
- Easy for a sender to generate ciphertext using the public key
- Easy for the receiver to decrypt ciphertext using the private key
- Computationally infeasible to determine the private key, knowing the public key
- Computationally infeasible to recover the message without the private key, knowing the public key and ciphertext
- Either of the two keys can be used for encryption, with the other used for decryption

RSA Public-Key Cryptosystem
- RSA (Rivest, Shamir, Adleman, 1977): best known, regarded as the most practical public-key scheme
- Used for encrypting messages, key exchange and creating digital signatures
- Is a block cipher
- Plaintext and Ciphertext are represented as integers in the range of [0 .. n-1] for some n

Blocks – fixed length groups of bits.

The algorithm capitalises on the fact that there is no efficient way to factor (numbers you can multiply together to get another number) very large ( digit) numbers.

RSA

- Encryption:
  - A ciphertext block C is the result of encryption of a plaintext block M, using the publicly known numbers e and n
- Decryption:
  - A plaintext block M is the result of decryption of a ciphertext block C, using the secret number d

RSA Key Generation To do:
- Public Key: both sender and receiver must know the values of n and e
  - Calculate number n (maximum possible value of a plaintext / ciphertext block)
  - Calculate number e (a value needed for encryption)
- Private Key
  - Calculate number d (a value needed for decryption)
  - Only the receiver knows the value of d

n and e effectively give you the public key. See Wikipedia for a good explanation of how the calculations are performed. We’ll go through it too.

RSA Key Generation

- Calculate n
  - Select two large prime numbers p and q, these are secret
  - Calculate: n = p x q
- Calculate the public e
  - e is “relatively prime” to the Euler Totient φ(n)
  - e < φ(n)
- What is “relatively prime”? Euler Totient φ(n)?

In number theory, two integers a and b are said to be co-prime, relatively prime or mutually prime if the only positive integer that evenly divides both of them is 1. This is equivalent to their greatest common divisor being 1. Euler's totient (phi function), φ(n) counts the number of positive integers less than or equal to n that are relatively prime to n. Next slide has more on this.

RSA

- Relatively prime numbers:
  - Two integers n and m are relatively prime, if their greatest common divisor is 1: gcd(n,m) = 1
  - n and m do not share any common positive prime factors (divisors) except 1
- Euler Totient φ(n)
  - Is the number of positive integers that are ≤ n and that are relatively prime to n
  - E.g.: n = 10, {1,3,7,9} is the set of positive integers relative prime to 10, therefore: φ(n) = 4
  - If n is the product of two prime numbers, p and q, then φ(n) = (p-1)(q-1)
  - E.g.: p = 3, q = 5, n = p x q = 3 x 5 = 15, therefore: φ(n) = (p-1)(q-1) = 2 x 4 = 8
  - n = 15, {1,2,4,6,7,8,11,13}

Euler Totient – so you find all the prime numbers less than or equal to n, and count them up.

RSA Key Generation

- Calculate n
  - Calculate: n = p x q, p and q are two large prime numbers
- Calculate the public e
  - We know: If n = p x q, p and q are prime numbers, then φ(n) = (p-1)(q-1)
  - Choose e: e is relatively prime to (p-1)(q-1) and 1 < e < (p-1)(q-1)
- Calculate the private key d
  - $d = e^{-1} \bmod (p-1)(q-1)$
- Result
  - Public key $K_{PUB} = \{e, n\}$
  - Private key $K_{PRIV} = \{d, n\}$
- Encryption: encrypt a plaintext M to generate a ciphertext C via $C = M^{e} \bmod n$
- Decryption: decrypt a ciphertext C to generate a plaintext M via $M = C^{d} \bmod n$

RSA Example

- Select two prime numbers, p = 11, q = 3
- Calculate n = pq = 11 x 3 = 33
- Calculate (p-1)(q-1) = 10 x 2 = 20
- Select e such that e is relatively prime to (p-1)(q-1) = 20 and e < 20
  - We select e = 3
- Calculate d such that de = 1 mod 20 and d < 20
  - That means: 3d = 1 mod 20
  - Result: d = 7, because (7 x 3)/20 has the remainder 1 (that’s the same as: 77x5 = 21 = 2 x , or 21 ≡ 1 mod 20)
- Keys
  - Public Key = {3, 20}
  - Private Key = {7, 20}
- Encrypt
  - Plaintext M = 5
  - Calculate ciphertext: $C = 5^{3} \bmod 33 = 125 \bmod 33 = 26$
- Decrypt
  - Ciphertext = 26
  - Calculate plaintext $M = 26^{7} \bmod 33 = 5$

RSA Cryptanalysis

- Brute force
  - Attack: try all possible private keys
  - Defence: the larger the number of bits for encoding e and d, the more secure this form of encoding will be
  - Problem: large keys slow down calculations
- Factoring n:
  - Vulnerability comes from the number n: If the number n is calculated from two large prime numbers p and q, finding these two secret prime factors by factoring n would allow us to calculate all elements of the RSA
  - Factoring n is a hard problem
  - We can factor a 512-bit number with 100s of CPU years (available to NSA, not random hacker)
  - We cannot factor 1024-bit numbers with present technology and math
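
The key generation steps and the worked example (p = 11, q = 3, e = 3, M = 5), together with the factoring point made above, as runnable code. This is an added example, not code from the lecture: it is textbook RSA with no padding, the function names are assumptions, p and q are assumed to be prime, and keys are returned as (e, n) and (d, n) following the KPUB = {e,n} / KPRIV = {d,n} definition. The last function shows that once n is factored, d follows directly from the public key, which is why n must be too large to factor.

```python
from math import gcd, isqrt


def generate_keys(p, q, e):
    """Build an RSA key pair from two primes and a chosen public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler totient of n for prime p, q
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and be relatively prime to phi")
    d = pow(e, -1, phi)                  # d = e^-1 mod (p-1)(q-1), Python 3.8+
    return (e, n), (d, n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must be in [0 .. n-1]")
    return pow(m, e, n)                  # C = M^e mod n


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)                  # M = C^d mod n


def sign(digest, private_key):
    """Authenticity direction: transform a message digest with the private key."""
    d, n = private_key
    return pow(digest, d, n)


def verify(digest, signature, public_key):
    """Anyone holding the public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == digest


def private_key_from_factoring(public_key):
    """Recompute d from (e, n) by factoring n; trial division works only for toy n."""
    e, n = public_key
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    public, private = generate_keys(11, 3, 3)
    c = encrypt(5, public)
    print("public", public, "private", private)
    print("C =", c, " M =", decrypt(c, private))
    s = sign(5, private)
    print("signature on digest 5:", s, " valid:", verify(5, s, public))
    print("d recovered from n = 33:", private_key_from_factoring(public))
```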