Lecture 1: Cryptography for Network Security

About This Presentation

Title:

Lecture 1: Cryptography for Network Security

Description:

Birthday attacks imply need longer hash values. You might think a 64-bit hash ... designed for compatibility with increased security provided by the AES cipher ... – PowerPoint PPT presentation

Number of Views:206

Avg rating:3.0/5.0

Slides: 57

Provided by: TheL76

Learn more at: https://web.cse.ohio-state.edu

Category:

more less

Transcript and Presenter's Notes

Title: Lecture 1: Cryptography for Network Security

1
Lecture 1 Cryptography for Network Security

Anish Arora
CSE5473
Introduction to Network Security

2
Symmetric encryption
3
Symmetric encryption requirements

two requirements for secure use of symmetric
encryption
a strong encryption algorithm
a secret key known only to sender / receiver
y S x in notation of book Y EK(X)
x S y X DK(Y)
assume encryption algorithm is known
implies a secure channel to distribute key

4
Block versus stream ciphers

block ciphers divide messages into blocks, each
is then en/decrypted
like a substitution on very big characters
64-bits or more
would need table of 264 entries for a 64-bit
block
instead create from smaller building blocks
using idea of a product cipher
substitution (S-box) provides confusion
permutation (P-box) provides diffusion
stream ciphers process messages a bit or byte at
a time
typically have a (pseudo) random stream key

5
Block versus stream ciphers contd

key should satisfy
statistical uniformity of distribution of
numbers in sequence
unpredictability of successive members of
sequence
randomness of key destroys statistical properties
in message
but must not reuse stream key
e.g. RC4 used in SSL and WEP
many current ciphers are block ciphers
many symmetric block ciphers use Feistel Cipher
Structure

6
Pseudo random functions (PRFs)

A pseudo random function is an
efficiently computable function
that emulates a random oracle
and there is no efficient algorithm for
distinguishing a PRF function, chosen randomly
from its PRF family, from a random oracle
Random oracle is a function that responds to
every query with a random response from its
range
note that response is deterministic
note that it is impossible to implement a random
oracle
Main property of PRF
all its outputs appear to be random
assuming function is chosen in random

7
Pseudo random generators (PRGs)

PRFs should not be confused with PRGs
Main property of PRG
a single output of a PRG appears to be random
Cryptographically secure (CS) PRGs are used for
generating a pool of randomness
for selecting keys, seeds, nonces, one-time pads
sources of physical randomness may suffice
geiger counters, thermal noise measurement
observing random activity on keyboard or screen
CSPRGs can be constructed using crypto
primitives, or number theoretically
PRFs can be generated from PRGs

8
Fesitel schema for symmetric encryption

Overall processing at each iteration use two
32-bit halves L and R
Li Ri-1
Ri Li-1 ? F(Ri-1, Ki)

9
Data Encryption Standard (DES)

A widely used symmetric encryption scheme
Algorithm is referred to as Data Encryption
Algorithm (DEA)
DES is a block cipher
Plaintext is processed in 64-bit blocks
Key is usually 56-bits in length
n rounds, in each
every block first undergoes key-based
substitution
then all blocks are collated and undergo
key-based permutation
Easy in hardware, slow in software
selection of block size, key size, rounds, round
function, subkey generation scheme trades off
security vs speed

10
The function F in DES

takes 32-bit R half 48-bit subkey and
expands R to 48-bits using perm E
adds to subkey
passes through 8 S-boxes to get 32-bit result
finally permutes this using 32-bit perm P

11
DEA
Decryption runs backward
12
DES History

IBM developed Lucifer cipher
by team led by Feistel
used 64-bit data blocks with 128-bit key
Then redeveloped as a commercial cipher with
input from NSA others
In 1973, NBS issued request for proposals for a
national cipher standard
IBM submitted their revised Lucifer which was
eventually accepted as the DES
DES standard is public
But there has been considerable controversy over
design
in choice of 56-bit key (vs original Lucifer
128-bit)
and because design criteria were classified

13
Breaking DES
14
Concerns about DEA

Key length of only 56-bits is insufficient
Even with larger keys, breaking is feasible if
you have
known plaintext or have repeated encryptions
generally these are statistical attacks
access to timing or power consumption information
use knowledge of implementation to derive subkey
bits
exploit fact that calculations take varying times
based on input value
particularly problematic on smartcards

15
Weaknesses in DES

DES has Weak and Semi-Weak Keys The round key
construction is such that
Any key comprising All 0s, All 1s, Alternating 0s
and 1a, or Alternating 1s and 0s is its own
inverse (these are the 4 weak keys)
The set of keys composed of two halves each of
the above sorts is such that each key has an
inverse in this set (these are 12 semi-weak keys)
Complement key property means that brute force
search for DES is of complexity 255, not 256

16
DES Electronic Code Book

In encryption via ECB, repeated 64-bit blocks are
identically encrypted
ECB attackers who know the data structure (e.g.
fields such as salary) can reorder blocks while
preserving structure

17
Cipher Block Chaining

To overcome ECB weakness, add (i.e. XOR) a random
number to each 64-bit block being encrypted, and
additionally communicate the random number in the
clear
This is inefficient
Approximation only communicate the initial
random number, and derive the successive random
numbers from the previously encrypted message
Initial random number is called the
initialization vector
Default IVs, such as All Zeroes, can be used, but
is insecure for repeated transmissions of the
same message sequence

18
Cipher Block Chaining
19
A CBC threat

If message structure is known, intruder can
systematically ensure that a modified message is
delivered, by changing the previous ciphertext
but then the previous plaintext is deciphered in
a way not controlled by intruder
An alternative to CBC is the Counter Mode (CTR)
precompute encryptions of a counter value and
XOR with successive messages (this method enjoys
parallelism)
to avoid reusing the same sequence of precomputed
encryptions, prefix a nonce (which is made
public) to the counter value sequence
note message blocks are not encrypted, just
XOR-ed, unlike CBC mode

20
Multiple DES, 3DES

Two successive encryptions with different keys
are better than one 56 bit key
E2.E1 to encrypt and D2.D1 to decrypt
Combinatorially, two keys yields more
permutations than those possible with one key
However, meet-in-the-middle cryptanalysis reduces
complexity of attack to 256, so net improvement
is not large
3DES uses two keys E1.D2.E1 to encrypt and
D1.E2.D1 to decrypt
or three keys E3.D2.E1 to encrypt and
D3.E2.D1 to decrypt

21
Other symmetric block ciphers

Blowfish
Easy to implement
High execution speed
Run in less than 5K of memory
Uses a 32 to 448 bit key
RC5
Suitable for hardware and software
Fast, simple, but proprietary
Adaptable to processors of different word lengths
Variable number of rounds
Variable-length key
Low memory requirement
High security
Data-dependent rotations

22
AES

AES, Elliptic Curve, IDEA, Public Key
cryptography concern numbers finite fields
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug 99
Rijndael was selected as the AES in Oct 2000
issued as a standard in Nov 2001
Symmetric block cipher, 128-bit data,
128/192/256-bit keys
provide full specification design details
both C Java implementations
NIST have released all submissions unclassified
analyses
iterative (vs feistel) cipher, operates on entire
block per round

23
Asymmetric encryption Public key cryptography
24
Security of public key schemes

brute force attacks infeasible since keys used
are too large (gt 512bits)
security relies on a large computation difference
in difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
the hard problem is generally known, its just
made too hard to do in practice
requires the use of very large numbers
hence is slow compared to private key schemes

25
Background

Asymmetric cryptography invented by Diffie and
Helman 76
3 categories of uses
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)

26
Authentication using public keys
27
RSA

by Rivest, Shamir Adleman of MIT in 1977
best known widely used public-key scheme
based on exponentiation in a finite (Galois)
field over integers modulo a prime
exponentiation takes O((log n)3) operations
(easy)
uses large integers (e.g. 1024 bits)
security due to cost of factoring large numbers
factorization takes O(e log n log log n)
operations (hard)

28
RSA

To encrypt a message M the sender
obtain public key of recipient KUe,N
computes CMe mod N, where 0MltN
To decrypt the ciphertext C the receiver
uses its private key KRd,p,q
computes MCd mod N
Message M is smaller than modulus N (so block if
needed)

29
RSA key generation

1 determine two primes at random - p, q
primes p,q must not be easily derived from mod
Np.q
means must be sufficiently large
typically guess and use probabilistic test
2 select either e or d and compute the other
exponents e, d are inverses in mod (p-1).(q-1)
the goal is that selection of d should be random
and unpredictable
e is computed using extended Euclidean algorithm
its okay for e to be predictable (e.g. small),
so encr. fast
but e should not be too small, e.g. 3

30
RSA Example

Select primes p17 q11
Compute n pq 1711187
Compute ø(n)(p1)(q-1)1610160
Select e gcd(e,160)1 choose e7
Determine d de1 mod 160 and d lt 160
i.e. d23 since 237161 101601
Publish public key KU7,187
Keep secret private key KR23,17,11

31
RSA Example (contd.)

sample RSA encryption/decryption is
given message M 88 (note 88lt187)
encryption
C 887 mod 187 11
decryption
M 1123 mod 187 88

32
RSA Key Setup

Each user generates a public/private key pair by
selecting two large primes at random - p, q
computing their system modulus Np.q
note ø(N)(p-1)(q-1)
selecting at random the encryption key e
where 1lteltø(N), gcd(e,ø(N))1
solve following equation to find decryption key d
e.d1 mod ø(N) and 0dN
publish their public encryption key KUe,N
keep secret private decryption key KRd,p,q

33
Fermats Little Theorem

Theorem If n is prime,
an-1 1 mod n
Proof a mod n, 2a mod n, (n-1)a mod n
since n is prime , a is not divisible by n
1, 2, n
gt
a x 2a x x (n-1)a (n-1)! mod n
an-1 1 mod n

34
Why RSA Works

because of Euler's Theorem
aø(n)mod N 1 where gcd(a,N)1
in RSA have
Np.q
ø(N)(p-1)(q-1)
carefully chosen e d to be inverses mod ø(N)
hence e.d1k.ø(N) for some k
hence Cd (Me)d M1k.ø(N) M1.(Mø(N))q
M1.(1)q M1 M mod N

35
Security of RSA

Factoring numbers is hard
Breaking (p-1)(q-1) or d is not easier than
factoring n
i.e. there is an easy way to factor n once
(p-1)(q-1) is broken
likewise if d is broken

36
Small M

M0 and M1 are obviously not secure on
encryption, even if e is very large
Likewise, for other small M, Me would be smaller
than N and Me mod N can be precomputed and
checked by the passive eavesdropper
Even if Alice adds a large salt s to M, the
attacker can compute the encryption of s as well
as its successors (s1 ...) to guess M

37
Avoiding Message Guessing

Add random padding to make M large and
unpredictable
Public Key Cryptographic Standard replace M with
M
M0 padding 10 gt64 random bits
00000000 M
OAEP Scheme Optimal asymmetric encryption
padding
sender XORs message with output of the
cryptographic hash function with random input
recipient obtains random and XORs out
cryptographic hash
David Evans

38
Exponentiation

can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to
compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
e.g. 75 74.71 3.7 10 mod 11
e.g. 3129 3128.31 5.3 4 mod 11

39
RSA (contd.)

Due to Rivest, Shamir Adleman of MIT in 1977
Best known widely used public-key scheme
Based on exponentiation in a finite (Galois)
field over integers modulo a prime
exponentiation takes O((log n)3) operations
(easy)
Uses large integers (e.g. 1024 bits)
Security due to cost of factoring large numbers
factorization takes O(e log n log log n)
operations (hard)
barring dramatic breakthrough 1024 bit RSA
secure
Timing attacks possible
exploit time taken in exponentiation to infer
operands
countermeasures
use constant exponentiation time, add random
delays

40
Hash functions

a hash function produces a fingerprint of some
file/message/data
h H(M)
condenses a variable-length message M
to a fixed-sized fingerprint
usually assume that the hash function is public,
not keyed
cf. MAC which is keyed
hash used to detect changes to message, e.g. by
creating a digital signature or fingerprint of a
message
cryptographically secure hashes also used to
generate PRFs, e.g. to derive keys

41
Requirements for hash functions

can be applied to any sized message M
produces fixed-length output h
is easy to compute hH(M) for any message M
given h is infeasible to find x s.t. H(x)h
one-way property
given x is infeasible to find y s.t. H(y)H(x)
weak collision resistance
is infeasible to find any x,y s.t. H(y)H(x)
strong collision resistance

42
Simple hash functions

there are several proposals for simple functions,
based on XOR of message blocks
e.g. longitudinal redundancy check
xor of columns of n-bit block arranged in rows
e.g. above circular left shift of hash after
each row
effect of rotated XOR (RXOR) is to randomize the
input
but these lack weak collision resistance
simply add a block to obtain desired hash
need a stronger cryptographic function, which
tolerates strong collision resistance as well

43
More on weak collision resistance

How big should our hash function be?
If attacker can perform 263 hashes, hash function
should have 64 bits is output so that probability
that the attacker can find another message with
the same hash is less than 0.5
Assuming hash function distribution is uniform
Prob (one guess gives same hash) 2-64
Prob (the guess does not give same hash) 1- 2-64
Prob (2L hash guesses dont give the same hash)
(1- 2-64)263

44
Birthday attacks imply need longer hash values

You might think a 64-bit hash is secure, but by
Birthday Paradox is not
Given k people, what is the probability that
there are two people with the same birthday
If birthdays uniformly distributed over 365
days,
probability of no duplicates 365x364x x
(365-k1) / 365k
365!/((365-k)! x 365k)

45
Birthday attacks imply need longer hash values

birthday attack on strong-collision resistance
works thus
opponent generates 2m/2 variations of a valid
message all with essentially the same meaning
opponent also generates 2m/2 variations of a
desired fraudulent message
two sets of messages are compared to find pair
with same hash (probability gt 0.5 by birthday
paradox)
have user sign the valid message, then substitute
the forgery which will have a valid signature
conclusion is that need to use longer hash values
also, you might wish to change every message you
sign !

46
Hash algorithms

similarities in evolution of hash functions
block ciphers
increasing power of brute-force attacks led to
evolution in algorithms
from DES to AES in block ciphers
from MD4 MD5 to SHA-1 in hash algorithms
likewise tend to use common iterative structure
as do block ciphers
iteration of collision-resistant round
compression function preserves collision
resistance
good round functions should have an avalanche
effect
small changes in input should have large changes
in output

47
Block ciphers as hash functions

can use block ciphers as hash functions
using H00 and zero-pad of final block
compute Hi EMi Hi-1
and use final block as the hash value
similar to cipher block chaining but without a
key
but resulting hash should not be too small
(64-bit)
like block ciphers have brute-force attacks, and
a number of analytic attacks on iterated hash
functions

48
MD5

designed by Ronald Rivest (the R in RSA)
latest in a series of MD2, MD4
produces a 128-bit hash value
until recently was the most widely used hash
algorithm
in recent times had both brute-force
cryptanalytic concerns
specified as Internet standard RFC1321

49
MD5 overview

pad message so its length is 448 mod 512
append a 64-bit length value to message
initialise 4-word (128-bit) MD buffer (A,B,C,D)
process message in 16-word (512-bit) blocks
using 4 rounds of 16-bit operations on message
block buffer
add output to buffer input to form new buffer
value
output hash value is the final buffer value

50
MD5 overview
51
MD4

precursor to MD5
also produces a 128-bit hash of message
has 3 rounds of 16 steps vs 4 in MD5
design goals
collision resistant (hard to find collisions)
direct security (no dependence on "hard"
problems)
fast, simple, compact
favours little-endian systems (e.g., PCs)

52
Strength of MD5

MD5 hash is dependent on all message bits
Rivest claimed security is as strong as can be
with 128 bit code
known attacks are
Berson 92 attacked any 1 round using differential
cryptanalysis (but cant extend)
Boer Bosselaers 93 found a pseudo collision
(again unable to extend)
Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
conclusion was that MD5 should be vulnerable soon
In 2004, an attack was found

53
Secure Hash Algorithm (SHA)

SHA was designed by NIST NSA in 1993, revised
1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet
RFC3174
nb. the algorithm is SHA, the standard is SHS
produces 160-bit hash values
now the generally preferred hash algorithm
SHA-1 is now regarded as broken (with a
theoretical attack of 251)
This year SHA-3 is being finalized
based on design of MD4 with key differences

54
SHA overview

pad message so its length is 448 mod 512
append a 64-bit length value to message
initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
process message in 16-word (512-bit) chunks
expand 16 words into 80 words by mixing
shifting
use 4 rounds of 20 bit operations on message
block buffer
add output to input to form new buffer value
output hash value is the final buffer value

55
SHA-1 verses MD5

brute force attack is harder (160 vs 128 bits for
MD5)
was regarded as less vulnerable to attacks
(compared to MD4/5), but this is no longer true
a little slower than MD5 (80 vs 64 steps)
both designed as simple and compact
optimised for big endian CPU's (vs MD5 which is
optimised for little endian CPUs)

56
Revised secure hash standard