Title: Electronic Payment Systems:
1Electronic Payment Systems
- Chapter 1 Introduction to Cryptography
2Introduction to Cryptography
- Classical Cryptography
- Public-key Cryptography
3Classical Cryptography
- Sender, receiver share common key
- Keys may be the same, or trivial to derive from
one another - Sometimes called symmetric cryptography
- Two basic types
- Transposition ciphers
- Substitution ciphers
- Combinations are called product ciphers
4Public Key Cryptography
- Two keys
- Private key known only to individual
- Public key available to anyone
- Public key, private key inverses
- Idea
- Confidentiality encipher using public key,
decipher using private key - Integrity/authentication encipher using private
key, decipher using public one
5Comparison
6Cryptosystem
- Quintuple (E, D, M, K, C)
- M set of plaintexts
- K set of keys
- C set of ciphertexts
- E set of encryption functions e M ? K ? C
- D set of decryption functions d C ? K ? M
7Example
- Example Cæsar cipher
- M sequences of letters
- K i i is an integer and 0 i 25
- E Ek k ? K and for all letters m,
- Ek(m) (m k) mod 26
- D Dk k ? K and for all letters c,
- Dk(c) (26 c k) mod 26
- C M
8Attacks
- Opponent whose goal is to break cryptosystem is
the adversary - Assume adversary knows algorithm used, but not
key - Three types of attacks
- ciphertext only adversary has only ciphertext
goal is to find plaintext, possibly key - known plaintext adversary has ciphertext,
corresponding plaintext goal is to find key - chosen plaintext adversary may supply plaintexts
and obtain corresponding ciphertext goal is to
find key
9Basis for Attacks
- Mathematical attacks
- Based on analysis of underlying mathematics
- Statistical attacks
- Make assumptions about the distribution of
letters, pairs of letters (digrams), triplets of
letters (trigrams), etc. - Called models of the language
- Examine ciphertext, correlate properties with the
assumptions.
10Transposition Cipher
- Rearrange letters in plaintext to produce
ciphertext - Example (Rail-Fence Cipher)
- Plaintext is HELLO WORLD
- Rearrange as
- HLOOL
- ELWRD
- Ciphertext is HLOOL ELWRD
11Attacking the Cipher
- Anagramming
- If 1-gram frequencies match English frequencies,
but other n-gram frequencies do not, probably
transposition - Rearrange letters to form n-grams with highest
frequencies
12Example
- Ciphertext HLOOLELWRD
- Frequencies of 2-grams beginning with H
- HE 0.0305
- HO 0.0043
- HL, HW, HR, HD lt 0.0010
- Frequencies of 2-grams ending in H
- WH 0.0026
- EH, LH, OH, RH, DH 0.0002
- Implies E follows H
13Example
- Arrange so the H and E are adjacent
- HE
- LL
- OW
- OR
- LD
- Read off across, then down, to get original
plaintext
14Substitution Ciphers
- Change characters in plaintext to produce
ciphertext - Example (Cæsar cipher)
- Plaintext is HELLO WORLD
- Change each letter to the third letter following
it (X goes to A, Y to B, Z to C) - Key is 3, usually written as letter D
- Ciphertext is KHOOR ZRUOG
15Attacking the Cipher
- Exhaustive search
- If the key space is small enough, try all
possible keys until you find the right one - Cæsar cipher has 26 possible keys
- Statistical analysis
- Compare to 1-gram model of English
16Statistical Attack
- Compute frequency of each letter in ciphertext
- G 0.1 H 0.1 K 0.1 O 0.3
- R 0.2 U 0.1 Z 0.1
- Apply 1-gram model of English
- Frequency of characters (1-grams) in English is
on next slide
17Character Frequencies
a 0.080 h 0.060 n 0.070 t 0.090
b 0.015 i 0.065 o 0.080 u 0.030
c 0.030 j 0.005 p 0.020 v 0.010
d 0.040 k 0.005 q 0.002 w 0.015
e 0.130 l 0.035 r 0.065 x 0.005
f 0.020 m 0.030 s 0.060 y 0.020
g 0.015 z 0.002
18Public Key Cryptography Requirements
- It must be computationally easy to encipher or
decipher a message given the appropriate key - It must be computationally infeasible to derive
the private key from the public key - It must be computationally infeasible to
determine the private key from a chosen plaintext
attack
19RSA
- Exponentiation cipher
- Relies on the difficulty of determining the
number of numbers relatively prime to a large
integer n
20Background
- Totient function ?(n)
- Number of positive integers less than n and
relatively prime to n - Relatively prime means with no factors in common
with n - Example ?(10) 4
- 1, 3, 7, 9 are relatively prime to 10
- Example ?(21) 12
- 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are
relatively prime to 21
21Algorithm
- Choose two large prime numbers p, q
- Let n pq then ?(n) (p1)(q1)
- Choose e lt n such that e is relatively prime to
?(n). - Compute d such that ed mod ?(n) 1
- Public key (e, n) private key d
- Encipher c me mod n
- Decipher m cd mod n
22Example Confidentiality
- Take p 7, q 11, so n 77 and ?(n) 60
- Alice chooses e 17, making d 53
- Bob wants to send Alice secret message HELLO (07
04 11 11 14) - 0717 mod 77 28
- 0417 mod 77 16
- 1117 mod 77 44
- 1117 mod 77 44
- 1417 mod 77 42
- Bob sends 28 16 44 44 42
23Example
- Alice receives 28 16 44 44 42
- Alice uses private key, d 53, to decrypt
message - 2853 mod 77 07
- 1653 mod 77 04
- 4453 mod 77 11
- 4453 mod 77 11
- 4253 mod 77 14
- Alice translates message to letters to read HELLO
- No one else could read it, as only Alice knows
her private key and that is needed for decryption
24Example Integrity/Authentication
- Take p 7, q 11, so n 77 and ?(n) 60
- Alice chooses e 17, making d 53
- Alice wants to send Bob message HELLO (07 04 11
11 14) so Bob knows it is what Alice sent (no
changes in transit, and authenticated) - 0753 mod 77 35
- 0453 mod 77 09
- 1153 mod 77 44
- 1153 mod 77 44
- 1453 mod 77 49
- Alice sends 35 09 44 44 49
25Example
- Bob receives 35 09 44 44 49
- Bob uses Alices public key, e 17, n 77, to
decrypt message - 3517 mod 77 07
- 0917 mod 77 04
- 4417 mod 77 11
- 4417 mod 77 11
- 4917 mod 77 14
- Bob translates message to letters to read HELLO
- Alice sent it as only she knows her private key,
so no one else could have enciphered it - If (enciphered) messages blocks (letters)
altered in transit, would not decrypt properly
26Example Both
- Alice wants to send Bob message HELLO both
enciphered and authenticated (integrity-checked) - Alices keys public (17, 77) private 53
- Bobs keys public (37, 77) private 13
- Alice enciphers HELLO (07 04 11 11 14)
- (0753 mod 77)37 mod 77 07
- (0453 mod 77)37 mod 77 37
- (1153 mod 77)37 mod 77 44
- (1153 mod 77)37 mod 77 44
- (1453 mod 77)37 mod 77 14
- Alice sends 07 37 44 44 14
27Security Services
- Confidentiality
- Only the owner of the private key knows it, so
text enciphered with public key cannot be read by
anyone except the owner of the private key - Authentication
- Only the owner of the private key knows it, so
text enciphered with private key must have been
generated by the owner
28More Security Services
- Integrity
- Enciphered letters cannot be changed undetectably
without knowing private key - Non-Repudiation
- Message enciphered with private key came from
someone who knew it
29Warnings
- Encipher message in blocks considerably larger
than the examples here - If 1 character per block, RSA can be broken using
statistical attacks (just like classical
cryptosystems) - Attacker cannot alter letters, but can rearrange
them and alter message meaning - Example reverse enciphered message of text ON to
get NO
30Cryptographic Checksums
- Mathematical function to generate a set of k bits
from a set of n bits (where k n). - k is smaller then n except in unusual
circumstances - Example ASCII parity bit
- ASCII has 7 bits 8th bit is parity
- Even parity even number of 1 bits
- Odd parity odd number of 1 bits
31Hashing
32Example Use
- Bob receives 10111101 as bits.
- Sender is using even parity 6 1 bits, so
character was received correctly - Note could be garbled, but 2 bits would need to
have been changed to preserve parity - Sender is using odd parity even number of 1
bits, so character was not received correctly
33Definition
- Cryptographic checksum h A?B
- For any x ? A, h(x) is easy to compute
- For any y ? B, it is computationally infeasible
to find x ? A such that h(x) y - It is computationally infeasible to find two
inputs x, x? ? A such that x ? x? and h(x)
h(x?) - Alternate form (stronger) Given any x ? A, it is
computationally infeasible to find a different x?
? A such that h(x) h(x?).
34Collisions
- If x ? x? and h(x) h(x?), x and x? are a
collision - Pigeonhole principle if there are n containers
for n1 objects, then at least one container will
have 2 objects in it. - Application if there are 32 files and 8 possible
cryptographic checksum values, at least one value
corresponds to at least 4 files
35Keys
- Keyed cryptographic checksum requires
cryptographic key - DES in chaining mode encipher message, use last
n bits. Requires a key to encipher, so it is a
keyed cryptographic checksum. - Keyless cryptographic checksum requires no
cryptographic key - MD5 and SHA-1 are best known others include MD4,
HAVAL, and Snefru
36Notation
- X ? Y Z W kX,Y
- X sends Y the message produced by concatenating Z
and W enciphered by key kX,Y, which is shared by
users X and Y - A ? T Z kA W kA,T
- A sends T a message consisting of the
concatenation of Z enciphered using kA, As key,
and W enciphered using kA,T, the key shared by A
and T - r1, r2 nonces (nonrepeating random numbers)
37Session, Interchange Keys
- Alice wants to send a message m to Bob
- Assume public key encryption
- Alice generates a random cryptographic key ks and
uses it to encipher m - To be used for this message only
- Called a session key
- She enciphers ks with Bobs public key kB
- kB enciphers all session keys Alice uses to
communicate with Bob - Called an interchange key
- Alice sends m ks ks kB
38Secret-key systems structure
39Benefits
- Limits amount of traffic enciphered with single
key - Standard practice, to decrease the amount of
traffic an attacker can obtain - Prevents some attacks
- Example Alice will send Bob message that is
either BUY or SELL. Eve computes possible
ciphertexts BUY kB and SELL kB. Eve
intercepts enciphered message, compares, and gets
plaintext at once
40Electronic Payment Systems
- Chapter 2 Public Key Infrastructure
41Public Key Infrastructure
- Key exchange
- Session vs. interchange keys
- Classical, public key methods
- Cryptographic key infrastructure
- Certificates
- Digital signatures
42Key Exchange Algorithms
- Goal Alice, Bob get shared key
- Key cannot be sent in clear
- Attacker can listen in
- Key can be sent enciphered, or derived from
exchanged data plus data not known to an
eavesdropper - Alice, Bob may trust third party
- All cryptosystems, protocols publicly known
- Only secret data is the keys, ancillary
information known only to Alice and Bob needed to
derive keys - Anything transmitted is assumed known to attacker
43Classical Key Exchange
- Bootstrap problem how do Alice, Bob begin?
- Alice cant send it to Bob in the clear!
- Assume trusted third party, Cathy
- Alice and Cathy share secret key kA
- Bob and Cathy share secret key kB
- Use this to exchange shared key ks
44Simple Protocol
request for session key to Bob kA
Alice
Cathy
ks kA ks kB
Alice
Cathy
ks kB
Alice
Bob
45Problems
- How does Bob know he is talking to Alice?
- Replay attack Eve records message from Alice to
Bob, later replays it Bob may think hes talking
to Alice, but he isnt - Session key reuse Eve replays message from Alice
to Bob, so Bob re-uses session key - Protocols must provide authentication and defense
against replay
46Needham-Schroeder
Alice Bob r1
Alice
Cathy
Alice Bob r1 ks Alice ks kB
kA
Alice
Cathy
Alice ks kB
Alice
Bob
r2 ks
Alice
Bob
r2 1 ks
Alice
Bob
47Public Key Key Exchange
- Here interchange keys known
- eA, eB Alice and Bobs public keys known to all
- dA, dB Alice and Bobs private keys known only to
owner - Simple protocol
- ks is desired session key
ks eB
Alice
Bob
48Problem and Solution
- Vulnerable to forgery or replay
- Because eB known to anyone, Bob has no assurance
that Alice sent message - Simple fix uses Alices private key
- ks is desired session key
ks dA eB
Alice
Bob
49Notes
- Can include message enciphered with ks
- Assumes Bob has Alices public key, and vice
versa - If not, each must get it from public server
- If keys not bound to identity of owner, attacker
Eve can launch a man-in-the-middle attack (next
slide Cathy is public server providing public
keys) - Solution to this (binding identity to keys)
discussed later as public key infrastructure (PKI)
50Man-in-the-Middle Attack
send Bobs public key
Eve intercepts request
Alice
Cathy
send Bobs public key
Cathy
Eve
eB
Cathy
Eve
eE
Eve
Alice
ks eE
Eve intercepts message
Bob
Alice
ks eB
Bob
Eve
51Cryptographic Key Infrastructure
- Goal bind identity to key
- Public key bind identity to public key
- Crucial as people will use key to communicate
with principal whose identity is bound to key - Erroneous binding means no secrecy between
principals - Assume principal identified by an acceptable name
52Certificates
- Create token (message) containing
- Identity of principal (here, Alice)
- Corresponding public key
- Timestamp (when issued)
- Other information (perhaps identity of signer)
- signed by trusted authority (here, Cathy)
- CA eA Alice T dC
53Use
- Bob gets Alices certificate
- If he knows Cathys public key, he can decipher
the certificate - When was certificate issued?
- Is the principal Alice?
- Now Bob has Alices public key
- Problem Bob needs Cathys public key to validate
certificate - Problem pushed up a level
- signature chains
54Certificate Signature Chains
- Create certificate
- Generate hash of certificate
- Encipher hash with issuers private key
- Validate
- Obtain issuers public key
- Decipher enciphered hash
- Recompute hash from certificate and compare
- Problem getting issuers public key
55PKI basic entities and operations
56X.509 Chains
- Some certificate components in X.509v3
- Version
- Serial number
- Signature algorithm identifier hash algorithm
- Issuers name uniquely identifies issuer
- Interval of validity
- Subjects name uniquely identifies subject
- Subjects public key
- Signature enciphered hash
57X.509 Certificate Validation
- Obtain issuers public key
- The one for the particular signature algorithm
- Decipher signature
- Gives hash of certificate
- Recompute hash from certificate and compare
- If they differ, theres a problem
- Check interval of validity
- This confirms that certificate is current
58Issuers
- Certification Authority (CA) entity that issues
certificates
59Multiple Issuers
- Multiple issuers pose validation problem
- Alices CA is Cathy Bobs CA is Don how can
Alice validate Bobs certificate? - Have Cathy and Don cross-certify
- Each issues certificate for the other
60Cross certificates
61Validation and Cross-Certifying
- Certificates
- CathyltltAlicegtgt
- DanltltBobgt
- CathyltltDangtgt
- DanltltCathygtgt
- Alice validates Bobs certificate
- Alice obtains CathyltltDangtgt
- Alice uses (known) public key of Cathy to
validate CathyltltDangtgt - Alice uses CathyltltDangtgt to validate DanltltBobgtgt
62Certification Path Validation process
63Digital Signature
- Construct that authenticated origin, contents of
message in a manner provable to a disinterested
third party (judge) - Sender cannot deny having sent message (service
is nonrepudiation) - Limited to technical proofs
- Inability to deny ones cryptographic key was
used to sign - One could claim the cryptographic key was stolen
or compromised - Legal proofs, etc., probably required not dealt
with here
64Common Error
- Classical Alice, Bob share key k
- Alice sends m m k to Bob
- This is a digital signature
- WRONG
- This is not a digital signature
- Why? Third party cannot determine whether Alice
or Bob generated message
65Classical Digital Signatures
- Require trusted third party
- Alice, Bob each share keys with trusted party
Cathy - To resolve dispute, judge gets m kAlice, m
kBob, and has Cathy decipher them if messages
matched, contract was signed
m kAlice
Alice
Bob
m kAlice
Cathy
Bob
m kBob
Cathy
Bob
66Public Key Digital Signatures
- Alices keys are dAlice, eAlice
- Alice sends Bob
- m m dAlice
- In case of dispute, judge computes
- m dAlice eAlice
- and if it is m, Alice signed message
- Shes the only one who knows dAlice!
67(No Transcript)
68Digital signature with message encryption and
decryption
69(No Transcript)
70RSA Digital Signatures
- Use private key to encipher message
- Protocol for use is critical
- Key points
- Never sign random documents, and when signing,
always sign hash and never document - Mathematical properties can be turned against
signer - Sign message first, then encipher
- Changing public keys causes forgery
71Key Points
- Key management critical to effective use of
cryptosystems - Different levels of keys (session vs.
interchange) - Keys need infrastructure to identify holders,
allow revoking - Key escrowing complicates infrastructure
- Digital signatures provide integrity of origin
and content - Much easier with public key cryptosystems than
with classical cryptosystems