An overview of basic cryptographic concepts, including encryption schemes, secret key vs. public key, hash functions, MAC, signature schemes, and one-time pad. It also discusses Feistel networks, AES (Rijndael), and one-way functions. The document emphasizes that cryptography is a powerful tool but is not a solution to all security problems and must be implemented and used properly. It also briefly introduces SSL/TLS as a standard for internet security.
Typology: Lecture notes
CS 155 Spring 2006
Either you spend a lot of time becoming an expert, or you subject your design to outside review.
Father Guido Sarducci
SSL/TLS in outline:
  Establish a shared secret key using public-key cryptography; signed certificates for authentication.
  Transmit data using the negotiated key and encryption function.
Encryption schemes overview:
  One-time pad: a “theoretical idea,” but it leads to the stream cipher.
  Block ciphers (Feistel networks): iterate a “scrambling function”. Examples: DES, Lucifer, FEAL, Khufu, Khafre, LOKI, GOST, CAST, Blowfish, … AES (Rijndael) is also a block cipher, but of a different design.
  Public key: modular exponentiation is a “one-way” function. Examples: RSA, ElGamal, elliptic curve systems, ...
One-time pad:
  encrypt(key, text) = key ⊕ text (bit-by-bit)
  decrypt(key, text) = key ⊕ text (bit-by-bit)
Easy to compute encrypt and decrypt from key and text. As hard to break as possible: this is an information-theoretically secure cipher. Given the ciphertext, all possible plaintexts are equally likely, assuming that the key is chosen randomly.
The key is as long as the plaintext. How does the sender get the key to the receiver securely?
Idea for a stream cipher: use a pseudo-random generator for the key...
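An added example (not from the slides) that exercises the three points above in Python: encrypt and decrypt are the same XOR, every plaintext is equally likely given a ciphertext byte (each of the 256 key bytes maps the ciphertext to a different plaintext), and reusing a pad cancels the key so that the XOR of the two plaintexts leaks. The sample messages are constructed for the example.

```python
import os

def otp_encrypt(key: bytes, text: bytes) -> bytes:
    """encrypt(key, text) = key XOR text, bit by bit.
    The key must be exactly as long as the text and must be used only once."""
    if len(key) != len(text):
        raise ValueError("one-time pad key must be as long as the text")
    return bytes(k ^ t for k, t in zip(key, text))

# Decryption is the same operation: (key XOR text) XOR key = text.
otp_decrypt = otp_encrypt

def plaintext_candidates(ciphertext_byte: int) -> dict:
    """For one ciphertext byte, count how many of the 256 possible key bytes
    decrypt it to each plaintext byte. Every plaintext byte is reached by
    exactly one key, so all plaintexts are equally likely under a random key."""
    counts = {}
    for key_byte in range(256):
        p = ciphertext_byte ^ key_byte
        counts[p] = counts.get(p, 0) + 1
    return counts

def key_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two messages under the same pad: XORing the two ciphertexts cancels
    the key and yields m1 XOR m2. This is why the pad is one-time."""
    c1 = otp_encrypt(key, m1)
    c2 = otp_encrypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))

def roundtrip_ok(message: bytes) -> bool:
    """Fresh random pad, encrypt, decrypt, compare."""
    key = os.urandom(len(message))
    return otp_decrypt(key, otp_encrypt(key, message)) == message

if __name__ == "__main__":
    print(roundtrip_ok(b"attack at dawn"))           # constructed sample plaintext
    print(len(plaintext_candidates(0x41)))            # 256 candidates, one key each
    print(key_reuse_leak(b"\x55" * 3, b"abc", b"xyz").hex())
```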
Block cipher modes: encryption of block n+1 may depend on block n (as in CBC mode).
Feistel network: iterating a function f on parts of a message, producing an invertible transformation.
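An added example (not from the slides) of the Feistel point in Python: the round function f here is a truncated hash, so it is not invertible on its own, yet the network is invertible because each round only XORs f's output into the other half and swaps. Decryption runs the same rounds with the round keys in reverse order. The key schedule and block size are constructed for the example, not taken from any real cipher.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(half: bytes, round_key: bytes) -> bytes:
    # f is deliberately non-invertible: a hash of (round_key || half), truncated to
    # half a block. Constructed for this example; a real cipher uses S-boxes etc.
    return hashlib.sha256(round_key + half).digest()[: len(half)]

def round_keys(key: bytes, rounds: int) -> list:
    # Toy key schedule for the example: round key i = SHA-256(key || i)[:8]
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def feistel_encrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Each round maps (L, R) -> (R, L xor f(R, k_i)). Only XOR and a swap touch
    the data, so the step can be undone without inverting f."""
    if not block or len(block) % 2:
        raise ValueError("block must have an even, non-zero length")
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in round_keys(key, rounds):
        L, R = R, _xor(L, round_function(R, k))
    return L + R

def feistel_decrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Same structure with round keys reversed: (L, R) -> (R xor f(L, k_i), L)."""
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in reversed(round_keys(key, rounds)):
        L, R = _xor(R, round_function(L, k)), L
    return L + R

if __name__ == "__main__":
    pt = b"0123456789abcdef"      # constructed 16-byte block
    ct = feistel_encrypt(pt, b"example key")
    print(ct.hex(), feistel_decrypt(ct, b"example key") == pt)
```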
RC4 stream cipher: a one-time pad based on a pseudo-random generator.
  Weakness is the predictability of the first bits; best to discard them.
  The second byte of RC4 is 0 with twice the expected probability.
  Bad to use many related keys (see WEP 802.11b).
RC4 key scheduling and keystream generation (the slide gave this as pseudocode; written out here as Python, with the key cycled as key[i mod keylength] when it is shorter than 256 bytes):

    def rc4_keystream(key):
        # Key scheduling: S becomes a permutation of 256 bytes, depending on key
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) % 256   # all arithmetic mod 256
            S[i], S[j] = S[j], S[i]
        # Keystream generation: one output byte per iteration
        i = j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            yield S[(S[i] + S[j]) % 256]
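An added example (not from the slides) that re-implements the RC4 algorithm above in Python and measures the second-byte bias the slide mentions: over many random keys, the fraction of keystreams whose second byte is 0 comes out near 2/256 rather than 1/256. The key length, trial count and seed are arbitrary choices for the experiment.

```python
import random

def rc4_ksa(key: bytes) -> list:
    """Key scheduling: a key-dependent permutation of 256 bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_stream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for key (RC4 as on the slide)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def zero_rate_at(index: int, trials: int, key_len: int = 16, seed: int = 1) -> float:
    """Fraction of random keys whose keystream byte at `index` is 0.
    A uniform generator gives about 1/256; RC4's second byte (index 1) gives
    about 2/256, which is why implementations discard the initial bytes."""
    rng = random.Random(seed)          # fixed seed: reproducible experiment
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        if rc4_stream(key, index + 1)[index] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    print(rc4_stream(b"Key", 10).hex())            # known-answer check
    print(zero_rate_at(1, 20000) * 256)            # about 2, not 1
```

The first line of the demo is a known-answer check against the published keystream for the key "Key"; the second prints the measured rate scaled so that an unbiased byte would give 1.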
One-way function: computing f(x) from x, compute the answer directly; recovering x from f(x) may need exhaustive search.
RSA key pair:
  Generate secret primes p, q.
  Generate secret numbers a, b with x^(ab) ≡ x (mod pq).
  Encrypt(〈n, a〉, x) = x^a mod n
  Decrypt(〈n, b〉, y) = y^b mod n
This works. Cannot compute b from n, a; apparently, one needs to factor n = pq. This is not proven, but believed.
φ(n) = (p-1)(q-1). Proof: (p-1)(q-1) = pq - p - q + 1, i.e. n minus the p + q - 1 numbers in 1..n that share a factor with n.
Proof that x^(ab) ≡ x (mod n): if gcd(x, n) = 1, then by general group theory; otherwise use the “Chinese remainder theorem”.
Key generation:
  Efficient randomized algorithms for generating primes p, q. They may fail, but with low probability.
  Given primes p, q it is easy to compute n = p*q and φ(n).
  Choose a randomly with gcd(a, φ(n)) = 1.
  Compute b = a^(-1) mod φ(n) by the Euclidean algorithm.
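An added example (not from the slides) carrying the key-generation steps through in Python: a randomized Miller-Rabin primality test (the algorithm that "may fail, but with low probability"), n and φ(n) from p and q, a random a coprime to φ(n), and b = a^(-1) mod φ(n) by the extended Euclidean algorithm, followed by the x^(ab) ≡ x round trip. Key sizes here are small for speed; the `seed` parameter exists only to make the example reproducible.

```python
import math
import random

def is_probable_prime(n: int, rounds: int = 20, rng=random) -> bool:
    """Miller-Rabin: may wrongly accept a composite, with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):   # trial division by small primes
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a is a witness: n is composite
    return True

def random_prime(bits: int, rng) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def extended_gcd(a: int, b: int):
    """Iterative extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(a: int, m: int) -> int:
    g, x, _ = extended_gcd(a, m)
    if g != 1:
        raise ValueError("a has no inverse modulo m")
    return x % m

def generate_keypair(bits: int = 512, seed=None):
    """Return ((n, a), (n, b)): public key <n, a> and private key <n, b>.
    seed=None uses the OS random source; a seed makes the run reproducible."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    n = p * q
    phi = (p - 1) * (q - 1)           # phi(n) = (p-1)(q-1): easy once p, q are known
    while True:
        a = rng.randrange(3, phi)
        if math.gcd(a, phi) == 1:     # a must be invertible mod phi(n)
            break
    b = mod_inverse(a, phi)           # b = a^-1 mod phi(n) by the Euclidean algorithm
    return (n, a), (n, b)

def encrypt(public_key, x: int) -> int:
    n, a = public_key
    return pow(x, a, n)               # x^a mod n

def decrypt(private_key, y: int) -> int:
    n, b = private_key
    return pow(y, b, n)               # y^b mod n

if __name__ == "__main__":
    pub, priv = generate_keypair(256)
    print(decrypt(priv, encrypt(pub, 2006)) == 2006)
```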
Public-key crypto is significantly slower than symmetric key crypto
HMAC: Internet standard RFC. Uses a hash of key and message:
  HMAC_K(M) = Hash[ (K⁺ ⊕ opad) || Hash[ (K⁺ ⊕ ipad) || M ] ]
Low overhead. opad, ipad are constants; K⁺ is the key padded out to the hash block size. Any of MD5, SHA-1, RIPEMD-160, … can be used.
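An added example (not from the slides) that builds HMAC in Python directly from the formula above and checks it against the standard library's `hmac` module. The ipad/opad byte values 0x36 and 0x5c and the rule of hashing keys longer than a block come from RFC 2104, not from the slide; the verification helper uses a constant-time comparison so that a wrong tag cannot be distinguished by timing.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = Hash[(K+ xor opad) || Hash[(K+ xor ipad) || M]]."""
    block = hashlib.new(hash_name).block_size        # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:                             # RFC 2104: long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block, b"\x00")               # K+: key padded out to block size
    ipad = bytes([0x36]) * block                     # constants from RFC 2104
    opad = bytes([0x5c]) * block
    inner = hashlib.new(hash_name, _xor(k_plus, ipad) + message).digest()
    return hashlib.new(hash_name, _xor(k_plus, opad) + inner).digest()

def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the formula against hmac.new for the same inputs."""
    return hmac_from_formula(key, message, hash_name) == hmac.new(key, message, hash_name).digest()

def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_formula(key, message, hash_name), tag)

if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"      # RFC 2202 test case 2
    tag = hmac_from_formula(key, msg)
    print(tag.hex())
    print(verify(key, msg, tag), verify(key, msg + b"!", tag))  # True False
```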
Hash function status before 2004:
  MD4 considered broken: Den Boer, Bosselaers, and Dobbertin, 1996, ‘meaningful’ collisions.
  MD5 potentially weak: Dobbertin, 1996, collisions in the MD5 compression function.
  Iterated hash functions for which compression-function fixed points can be found (i.e., all hashes in the SHA family): Drew Dean et al. (1999) found a 2nd-preimage weakness (hidden in Dean’s thesis, never published).
  MD5 and up (128-bit keys or greater): security of practical applications not seriously questioned.
  Strong belief in the effectiveness of tweaks.
Slides: A.K. Lenstra, B. de Weger
  August 2004: X. Wang et al.: actual random collisions in MD4 (‘no time’), MD5 in time ≈ 2^39, etc., for any IV.
  A. Joux: cascading of an iterated L-bit hash and a perfect M-bit hash does not result in an (L+M)-bit hash, as commonly believed.
  A. Joux: actual random collision for SHA-0 in time ≈ 2^51.
  E. Biham: cryptanalysis of SHA-1 variants.
  October 2004, Kelsey/Schneier (based on Joux): 2nd-preimage weakness in any iterated hash (improving Dean).
  Feb 14, 2005, X. Wang et al. (based on Wang/Joux/Biham): actual random collision for SHA-0 in time ≈ 2^39; random collision possibility for SHA-1 in time ≈ 2^69 (or 2^66) (advantage: 2^69 < 2^80).
Provided they know Bob’s public key. If an imposter substitutes another key, the imposter can read Bob’s mail.
Certificates:
  Trusted root authority (VeriSign, IBM, United Nations). Everyone must know the verification key of the root authority. Check your browser; there are hundreds!!
  The root authority can sign certificates. Certificates identify others, including other authorities. This leads to certificate chains.
p1: header of the public-key part; may assume that p1 consists of a whole number of blocks.
Slides: A.K. Lenstra, B. de Weger
Trick: can choose m cleverly to get a collision.
Steps 1 & 3 are due to the iterative nature of hashes; step 2 is a new trick for RSA moduli construction.
Construct colliding p1 || m || p2 and p1 || m’ || p2 as follows:
  1. Prepend: pick a properly formatted p1 with names etc. (whole number of blocks); compute p1’s intermediate hash value h; ask X. Wang to find a random collision m1, m2 with h as IV; p1 || m1 and p1 || m2 now collide as well.
  2. Promote: find m3 s.t. m1 || m3 = m and m2 || m3 = m’ are RSA moduli; random m1, m2 are extended to meaningful m1 || m3 and m2 || m3.
  3. Append: p1 || m1 || m3 = p1 || m and p1 || m2 || m3 = p1 || m’ still collide, and so do p1 || m || p2 and p1 || m’ || p2 for any p2.
SSL/TLS handshake (figure flattened to text; bracketed messages are optional):
  Client → Server: ClientHello (version, crypto choice, nonce)
  Server → Client: ServerHello (version, choice, nonce), [Certificate] (signed certificate containing the server’s public key Ks), [ServerKeyExchange], [CertificateRequest], ServerHelloDone
  Client → Server: [Certificate], key exchange encrypted under the server’s key Ks, [CertificateVerify], switch to negotiated cipher, Finished (hash of the sequence of messages)
  Server → Client: switch to negotiated cipher, Finished (hash of the sequence of messages)
ATM fraud examples:
  Full account numbers on ATM receipts: create counterfeit cards. Attackers observe customers and record the PIN; get the account number from a discarded receipt.
  One system: a telephone card was treated as the previous bank card, apparently a programming bug. Attackers observe the customer, then use a telephone card.
  Attackers produce fake ATMs that record PINs.
  Postal interception accounts for 30% of UK fraud; nonetheless, banks have poor postal control procedures.
  Many other problems: a test sequence causes the ATM to output 10 banknotes.
PIN handling:
  Use of weak code; easy to break.
  A programmer can find their own encrypted PIN, then look for other accounts with the same encrypted PIN.
  Possible to change the account number on the strip, leave the encrypted PIN, and withdraw money from the other account.
  Not knowledgeable enough to tell the difference.
Where things go wrong: system design, application programming, administration.
802.11b wireless: POP/IMAP passwords are easily sniffed off the air. Laptops in the parking lot can access the internal network.
WEP provides 40-bit or 128-bit encryption using RC4 …
[Figure: WEP encryption. The 802.11b card feeds (IV || key) to RC4 and XORs the keystream with (data || CRC-32); the frame carries the ciphertext and the IV (IV is a 24-bit initialization vector).]
CRC-32 is linear, so an attacker can easily modify packets in transit, e.g. inject “rm -rf *”. Should use a MAC for integrity.
Fluhrer-Mantin-Shamir: RC4 is insecure in prepending-IV mode. Given 10^6 packets one can get the key. Implemented by Stubblefield, AirSnort, WEPCrack, … Correct construction: packet-key = SHA-1( IV || key ); use a longer, random IV.
Summary:
  Public-key encryption, decryption, key generation
  Symmetric encryption: block ciphers, CBC mode; stream ciphers
  Hash functions: cryptographic hash; keyed hash for Message Authentication Code (MAC)
  Digital signatures
Many non-intuitive properties; prefer public review. Need to implement and use carefully.