Electronic Payment Systems:

1
Electronic Payment Systems

• Chapter 1 Introduction to Cryptography

2
Introduction to Cryptography

• Classical Cryptography
• Public-key Cryptography

3
Classical Cryptography

• Sender, receiver share common key
• Keys may be the same, or trivial to derive from
  one another
• Sometimes called symmetric cryptography
• Two basic types
• Transposition ciphers
• Substitution ciphers
• Combinations are called product ciphers

4
Public Key Cryptography

• Two keys
• Private key known only to individual
• Public key available to anyone
• Public key, private key inverses
• Idea
• Confidentiality encipher using public key,
  decipher using private key
• Integrity/authentication encipher using private
  key, decipher using public one

5
Comparison
6
Cryptosystem

• Quintuple (E, D, M, K, C)
• M set of plaintexts
• K set of keys
• C set of ciphertexts
• E set of encryption functions e M ? K ? C
• D set of decryption functions d C ? K ? M

7
Example

• Example Cæsar cipher
• M sequences of letters
• K i i is an integer and 0 i 25
• E Ek k ? K and for all letters m,
• Ek(m) (m k) mod 26
• D Dk k ? K and for all letters c,
• Dk(c) (26 c k) mod 26
• C M

8
Attacks

• Opponent whose goal is to break cryptosystem is
  the adversary
• Assume adversary knows algorithm used, but not
  key
• Three types of attacks
• ciphertext only adversary has only ciphertext
  goal is to find plaintext, possibly key
• known plaintext adversary has ciphertext,
  corresponding plaintext goal is to find key
• chosen plaintext adversary may supply plaintexts
  and obtain corresponding ciphertext goal is to
  find key

9
Basis for Attacks

• Mathematical attacks
• Based on analysis of underlying mathematics
• Statistical attacks
• Make assumptions about the distribution of
  letters, pairs of letters (digrams), triplets of
  letters (trigrams), etc.
• Called models of the language
• Examine ciphertext, correlate properties with the
  assumptions.

10
Transposition Cipher

• Rearrange letters in plaintext to produce
  ciphertext
• Example (Rail-Fence Cipher)
• Plaintext is HELLO WORLD
• Rearrange as
• HLOOL
• ELWRD
• Ciphertext is HLOOL ELWRD

11
Attacking the Cipher

• Anagramming
• If 1-gram frequencies match English frequencies,
  but other n-gram frequencies do not, probably
  transposition
• Rearrange letters to form n-grams with highest
  frequencies

12
Example

• Ciphertext HLOOLELWRD
• Frequencies of 2-grams beginning with H
• HE 0.0305
• HO 0.0043
• HL, HW, HR, HD lt 0.0010
• Frequencies of 2-grams ending in H
• WH 0.0026
• EH, LH, OH, RH, DH 0.0002
• Implies E follows H

13
Example

• Arrange so the H and E are adjacent
• HE
• LL
• OW
• OR
• LD
• Read off across, then down, to get original
  plaintext

14
Substitution Ciphers

• Change characters in plaintext to produce
  ciphertext
• Example (Cæsar cipher)
• Plaintext is HELLO WORLD
• Change each letter to the third letter following
  it (X goes to A, Y to B, Z to C)
• Key is 3, usually written as letter D
• Ciphertext is KHOOR ZRUOG

15
Attacking the Cipher

• Exhaustive search
• If the key space is small enough, try all
  possible keys until you find the right one
• Cæsar cipher has 26 possible keys
• Statistical analysis
• Compare to 1-gram model of English

16
Statistical Attack

• Compute frequency of each letter in ciphertext
• G 0.1 H 0.1 K 0.1 O 0.3
• R 0.2 U 0.1 Z 0.1
• Apply 1-gram model of English
• Frequency of characters (1-grams) in English is
  on next slide

17
Character Frequencies
a 0.080 h 0.060 n 0.070 t 0.090
b 0.015 i 0.065 o 0.080 u 0.030
c 0.030 j 0.005 p 0.020 v 0.010
d 0.040 k 0.005 q 0.002 w 0.015
e 0.130 l 0.035 r 0.065 x 0.005
f 0.020 m 0.030 s 0.060 y 0.020
g 0.015 z 0.002
18
Public Key Cryptography Requirements

1. It must be computationally easy to encipher or
   decipher a message given the appropriate key
2. It must be computationally infeasible to derive
   the private key from the public key
3. It must be computationally infeasible to
   determine the private key from a chosen plaintext
   attack

19
RSA

• Exponentiation cipher
• Relies on the difficulty of determining the
  number of numbers relatively prime to a large
  integer n

20
Background

• Totient function ?(n)
• Number of positive integers less than n and
  relatively prime to n
• Relatively prime means with no factors in common
  with n
• Example ?(10) 4
• 1, 3, 7, 9 are relatively prime to 10
• Example ?(21) 12
• 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are
  relatively prime to 21

21
Algorithm

• Choose two large prime numbers p, q
• Let n pq then ?(n) (p1)(q1)
• Choose e lt n such that e is relatively prime to
  ?(n).
• Compute d such that ed mod ?(n) 1
• Public key (e, n) private key d
• Encipher c me mod n
• Decipher m cd mod n

22
Example Confidentiality

• Take p 7, q 11, so n 77 and ?(n) 60
• Alice chooses e 17, making d 53
• Bob wants to send Alice secret message HELLO (07
  04 11 11 14)
• 0717 mod 77 28
• 0417 mod 77 16
• 1117 mod 77 44
• 1117 mod 77 44
• 1417 mod 77 42
• Bob sends 28 16 44 44 42

23
Example

• Alice receives 28 16 44 44 42
• Alice uses private key, d 53, to decrypt
  message
• 2853 mod 77 07
• 1653 mod 77 04
• 4453 mod 77 11
• 4453 mod 77 11
• 4253 mod 77 14
• Alice translates message to letters to read HELLO
• No one else could read it, as only Alice knows
  her private key and that is needed for decryption

24
Example Integrity/Authentication

• Take p 7, q 11, so n 77 and ?(n) 60
• Alice chooses e 17, making d 53
• Alice wants to send Bob message HELLO (07 04 11
  11 14) so Bob knows it is what Alice sent (no
  changes in transit, and authenticated)
• 0753 mod 77 35
• 0453 mod 77 09
• 1153 mod 77 44
• 1153 mod 77 44
• 1453 mod 77 49
• Alice sends 35 09 44 44 49

25
Example

• Bob receives 35 09 44 44 49
• Bob uses Alices public key, e 17, n 77, to
  decrypt message
• 3517 mod 77 07
• 0917 mod 77 04
• 4417 mod 77 11
• 4417 mod 77 11
• 4917 mod 77 14
• Bob translates message to letters to read HELLO
• Alice sent it as only she knows her private key,
  so no one else could have enciphered it
• If (enciphered) messages blocks (letters)
  altered in transit, would not decrypt properly

26
Example Both

• Alice wants to send Bob message HELLO both
  enciphered and authenticated (integrity-checked)
• Alices keys public (17, 77) private 53
• Bobs keys public (37, 77) private 13
• Alice enciphers HELLO (07 04 11 11 14)
• (0753 mod 77)37 mod 77 07
• (0453 mod 77)37 mod 77 37
• (1153 mod 77)37 mod 77 44
• (1153 mod 77)37 mod 77 44
• (1453 mod 77)37 mod 77 14
• Alice sends 07 37 44 44 14

27
Security Services

• Confidentiality
• Only the owner of the private key knows it, so
  text enciphered with public key cannot be read by
  anyone except the owner of the private key
• Authentication
• Only the owner of the private key knows it, so
  text enciphered with private key must have been
  generated by the owner

28
More Security Services

• Integrity
• Enciphered letters cannot be changed undetectably
  without knowing private key
• Non-Repudiation
• Message enciphered with private key came from
  someone who knew it

29
Warnings

• Encipher message in blocks considerably larger
  than the examples here
• If 1 character per block, RSA can be broken using
  statistical attacks (just like classical
  cryptosystems)
• Attacker cannot alter letters, but can rearrange
  them and alter message meaning
• Example reverse enciphered message of text ON to
  get NO

30
Cryptographic Checksums

• Mathematical function to generate a set of k bits
  from a set of n bits (where k n).
• k is smaller then n except in unusual
  circumstances
• Example ASCII parity bit
• ASCII has 7 bits 8th bit is parity
• Even parity even number of 1 bits
• Odd parity odd number of 1 bits

31
Hashing
32
Example Use

• Bob receives 10111101 as bits.
• Sender is using even parity 6 1 bits, so
  character was received correctly
• Note could be garbled, but 2 bits would need to
  have been changed to preserve parity
• Sender is using odd parity even number of 1
  bits, so character was not received correctly

33
Definition

• Cryptographic checksum h A?B
• For any x ? A, h(x) is easy to compute
• For any y ? B, it is computationally infeasible
  to find x ? A such that h(x) y
• It is computationally infeasible to find two
  inputs x, x? ? A such that x ? x? and h(x)
  h(x?)
• Alternate form (stronger) Given any x ? A, it is
  computationally infeasible to find a different x?
  ? A such that h(x) h(x?).

34
Collisions

• If x ? x? and h(x) h(x?), x and x? are a
  collision
• Pigeonhole principle if there are n containers
  for n1 objects, then at least one container will
  have 2 objects in it.
• Application if there are 32 files and 8 possible
  cryptographic checksum values, at least one value
  corresponds to at least 4 files

35
Keys

• Keyed cryptographic checksum requires
  cryptographic key
• DES in chaining mode encipher message, use last
  n bits. Requires a key to encipher, so it is a
  keyed cryptographic checksum.
• Keyless cryptographic checksum requires no
  cryptographic key
• MD5 and SHA-1 are best known others include MD4,
  HAVAL, and Snefru

36
Notation

• X ? Y Z W kX,Y
• X sends Y the message produced by concatenating Z
  and W enciphered by key kX,Y, which is shared by
  users X and Y
• A ? T Z kA W kA,T
• A sends T a message consisting of the
  concatenation of Z enciphered using kA, As key,
  and W enciphered using kA,T, the key shared by A
  and T
• r1, r2 nonces (nonrepeating random numbers)

37
Session, Interchange Keys

• Alice wants to send a message m to Bob
• Assume public key encryption
• Alice generates a random cryptographic key ks and
  uses it to encipher m
• To be used for this message only
• Called a session key
• She enciphers ks with Bobs public key kB
• kB enciphers all session keys Alice uses to
  communicate with Bob
• Called an interchange key
• Alice sends m ks ks kB

38
Secret-key systems structure
39
Benefits

• Limits amount of traffic enciphered with single
  key
• Standard practice, to decrease the amount of
  traffic an attacker can obtain
• Prevents some attacks
• Example Alice will send Bob message that is
  either BUY or SELL. Eve computes possible
  ciphertexts BUY kB and SELL kB. Eve
  intercepts enciphered message, compares, and gets
  plaintext at once

40
Electronic Payment Systems

• Chapter 2 Public Key Infrastructure

41
Public Key Infrastructure

• Key exchange
• Session vs. interchange keys
• Classical, public key methods
• Cryptographic key infrastructure
• Certificates
• Digital signatures

42
Key Exchange Algorithms

• Goal Alice, Bob get shared key
• Key cannot be sent in clear
• Attacker can listen in
• Key can be sent enciphered, or derived from
  exchanged data plus data not known to an
  eavesdropper
• Alice, Bob may trust third party
• All cryptosystems, protocols publicly known
• Only secret data is the keys, ancillary
  information known only to Alice and Bob needed to
  derive keys
• Anything transmitted is assumed known to attacker

43
Classical Key Exchange

• Bootstrap problem how do Alice, Bob begin?
• Alice cant send it to Bob in the clear!
• Assume trusted third party, Cathy
• Alice and Cathy share secret key kA
• Bob and Cathy share secret key kB
• Use this to exchange shared key ks

44
Simple Protocol
request for session key to Bob kA
Alice
Cathy
ks kA ks kB
Alice
Cathy
ks kB
Alice
Bob
45
Problems

• How does Bob know he is talking to Alice?
• Replay attack Eve records message from Alice to
  Bob, later replays it Bob may think hes talking
  to Alice, but he isnt
• Session key reuse Eve replays message from Alice
  to Bob, so Bob re-uses session key
• Protocols must provide authentication and defense
  against replay

46
Needham-Schroeder
Alice Bob r1
Alice
Cathy
Alice Bob r1 ks Alice ks kB
kA
Alice
Cathy
Alice ks kB
Alice
Bob
r2 ks
Alice
Bob
r2 1 ks
Alice
Bob
47
Public Key Key Exchange

• Here interchange keys known
• eA, eB Alice and Bobs public keys known to all
• dA, dB Alice and Bobs private keys known only to
  owner
• Simple protocol
• ks is desired session key

ks eB
Alice
Bob
48
Problem and Solution

• Vulnerable to forgery or replay
• Because eB known to anyone, Bob has no assurance
  that Alice sent message
• Simple fix uses Alices private key
• ks is desired session key

ks dA eB
Alice
Bob
49
Notes

• Can include message enciphered with ks
• Assumes Bob has Alices public key, and vice
  versa
• If not, each must get it from public server
• If keys not bound to identity of owner, attacker
  Eve can launch a man-in-the-middle attack (next
  slide Cathy is public server providing public
  keys)
• Solution to this (binding identity to keys)
  discussed later as public key infrastructure (PKI)

50
Man-in-the-Middle Attack
send Bobs public key
Eve intercepts request
Alice
Cathy
send Bobs public key
Cathy
Eve
eB
Cathy
Eve
eE
Eve
Alice
ks eE
Eve intercepts message
Bob
Alice
ks eB
Bob
Eve
51
Cryptographic Key Infrastructure

• Goal bind identity to key
• Public key bind identity to public key
• Crucial as people will use key to communicate
  with principal whose identity is bound to key
• Erroneous binding means no secrecy between
  principals
• Assume principal identified by an acceptable name

52
Certificates

• Create token (message) containing
• Identity of principal (here, Alice)
• Corresponding public key
• Timestamp (when issued)
• Other information (perhaps identity of signer)
• signed by trusted authority (here, Cathy)
• CA eA Alice T dC

53
Use

• Bob gets Alices certificate
• If he knows Cathys public key, he can decipher
  the certificate
• When was certificate issued?
• Is the principal Alice?
• Now Bob has Alices public key
• Problem Bob needs Cathys public key to validate
  certificate
• Problem pushed up a level
• signature chains

54
Certificate Signature Chains

• Create certificate
• Generate hash of certificate
• Encipher hash with issuers private key
• Validate
• Obtain issuers public key
• Decipher enciphered hash
• Recompute hash from certificate and compare
• Problem getting issuers public key

55
PKI basic entities and operations
56
X.509 Chains

• Some certificate components in X.509v3
• Version
• Serial number
• Signature algorithm identifier hash algorithm
• Issuers name uniquely identifies issuer
• Interval of validity
• Subjects name uniquely identifies subject
• Subjects public key
• Signature enciphered hash

57
X.509 Certificate Validation

• Obtain issuers public key
• The one for the particular signature algorithm
• Decipher signature
• Gives hash of certificate
• Recompute hash from certificate and compare
• If they differ, theres a problem
• Check interval of validity
• This confirms that certificate is current

58
Issuers

• Certification Authority (CA) entity that issues
  certificates

59
Multiple Issuers

• Multiple issuers pose validation problem
• Alices CA is Cathy Bobs CA is Don how can
  Alice validate Bobs certificate?
• Have Cathy and Don cross-certify
• Each issues certificate for the other

60
Cross certificates
61
Validation and Cross-Certifying

• Certificates
• CathyltltAlicegtgt
• DanltltBobgt
• CathyltltDangtgt
• DanltltCathygtgt
• Alice validates Bobs certificate
• Alice obtains CathyltltDangtgt
• Alice uses (known) public key of Cathy to
  validate CathyltltDangtgt
• Alice uses CathyltltDangtgt to validate DanltltBobgtgt

62
Certification Path Validation process
63
Digital Signature

• Construct that authenticated origin, contents of
  message in a manner provable to a disinterested
  third party (judge)
• Sender cannot deny having sent message (service
  is nonrepudiation)
• Limited to technical proofs
• Inability to deny ones cryptographic key was
  used to sign
• One could claim the cryptographic key was stolen
  or compromised
• Legal proofs, etc., probably required not dealt
  with here

64
Common Error

• Classical Alice, Bob share key k
• Alice sends m m k to Bob
• This is a digital signature
• WRONG
• This is not a digital signature
• Why? Third party cannot determine whether Alice
  or Bob generated message

65
Classical Digital Signatures

• Require trusted third party
• Alice, Bob each share keys with trusted party
  Cathy
• To resolve dispute, judge gets m kAlice, m
  kBob, and has Cathy decipher them if messages
  matched, contract was signed

m kAlice
Alice
Bob
m kAlice
Cathy
Bob
m kBob
Cathy
Bob
66
Public Key Digital Signatures

• Alices keys are dAlice, eAlice
• Alice sends Bob
• m m dAlice
• In case of dispute, judge computes
• m dAlice eAlice
• and if it is m, Alice signed message
• Shes the only one who knows dAlice!

67
(No Transcript)
68
Digital signature with message encryption and
decryption
69
(No Transcript)
70
RSA Digital Signatures

• Use private key to encipher message
• Protocol for use is critical
• Key points
• Never sign random documents, and when signing,
  always sign hash and never document
• Mathematical properties can be turned against
  signer
• Sign message first, then encipher
• Changing public keys causes forgery

71
Key Points

• Key management critical to effective use of
  cryptosystems
• Different levels of keys (session vs.
  interchange)
• Keys need infrastructure to identify holders,
  allow revoking
• Key escrowing complicates infrastructure
• Digital signatures provide integrity of origin
  and content
• Much easier with public key cryptosystems than
  with classical cryptosystems