lecture8.pdf, Lecture notes of Cryptography and System Security

Basic Concepts in Cryptography. Five-Minute University ... encrypt(3, stanford) = vwdqirug ... Idea for stream cipher: use pseudo-random generators for key.

Typology: Lecture notes

2022/2023

Uploaded on 05/11/2023

agrata
agrata 🇺🇸

4

(7)

258 documents

1 / 10

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1
Cryptography Overview
John Mitchell
Cryptography
uIs
A tremendous tool
The basis for many security mechanisms
uIs not
The solution to all security problems
Reliable unless implemented properly
Reliable unless used improperly
uEncryption scheme:
functions to encrypt, decrypt data
key generation algorithm
uSecret vs. public key
Public key: publishing key does not reveal key-1
Secret key: more efficient; can have key = key-1
uHash function
Map input to short hash; ideally, no collisions
uSignature scheme
Functions to sign data, verify signature
Basic Concepts in Cryptography Five-Minute University
uEverything you could remember, five years
after taking CS255 … ?
Father Guido Sarducci
Cryptosystem
uA cryptosystem consists of five parts
A set P of plaintexts
A set C of ciphertexts
A set K of keys
A pair of functions
encrypt: K ×P C
decrypt: K ×C P
such that for every key kK and plaintext pP
decrypt(k, encrypt(k, p)) = p
OK defn to start with, but doesnt include key generation or prob encryption.
Primitive example: shift cipher
uShift letters using mod 26 arithmetic
Set P of plaintexts {a, b, c, … , x, y, z}
Set C of ciphertexts {a, b, c, … , x, y, z}
Set K of keys {1, 2, 3, … , 25}
Encryption and decryption functions
encrypt(key, letter) = letter + key (mod 26)
decrypt(key, letter) = letter -key (mod 26)
uExample
encrypt(3, stanford) = vwdqirug
ROT-13 is used in newsgroup postings, etc.
pf3
pf4
pf5
pf8
pf9
pfa

Partial preview of the text

Download lecture8.pdf and more Lecture notes Cryptography and System Security in PDF only on Docsity!

Cryptography Overview

John Mitchell

Cryptography

uIs

  • A tremendous tool
  • The basis for many security mechanisms

uIs not

  • The solution to all security problems
  • Reliable unless implemented properly
  • Reliable unless used improperly

uEncryption scheme:

  • functions to encrypt, decrypt data
  • key generation algorithm

uSecret vs. public key

  • Public key: publishing key does not reveal key -
  • Secret key: more efficient; can have key = key -

uHash function

  • Map input to short hash; ideally, no collisions

uSignature scheme

  • Functions to sign data, verify signature

Basic Concepts in Cryptography Five-Minute University

uEverything you could remember, five years

after taking CS255 …?

Father Guido Sarducci

Cryptosystem

uA cryptosystem consists of five parts

  • A set P of plaintexts
  • A set C of ciphertexts
  • A set K of keys
  • A pair of functions encrypt: K × P → C decrypt: K × C → P such that for every key k∈K and plaintext p∈P decrypt(k, encrypt(k, p)) = p

OK def’n to start with, but doesn’t include key generation or prob encryption.

Primitive example: shift cipher

uShift letters using mod 26 arithmetic

  • Set P of plaintexts {a, b, c, … , x, y, z}
  • Set C of ciphertexts {a, b, c, … , x, y, z}
  • Set K of keys {1, 2, 3, … , 25}
  • Encryption and decryption functions encrypt(key, letter) = letter + key (mod 26) decrypt(key, letter) = letter - key (mod 26)

uExample

encrypt(3, stanford) = vwdqirug

ROT-13 is used in newsgroup postings, etc.

Evaluation of shift cipher

uAdvantages

  • Easy to encrypt, decrypt
  • Ciphertext does look garbled

uDisadvantages

  • Not very good for long sequences of English words
    • Few keys -- only 26 possibilities
    • Regular pattern
      • encrypt(key,x) is same for all occurrences of letter x
      • can use letter-frequency tables, etc

Letter frequency in English

uFive frequency groups [Beker and Piper]

E has probability 0. TAOINSHR have probability 0.06 - 0. DL have probability ~ 0. CUMWFGYPB have probability 0.015 - 0. VKJXQZ have probability < 0.

Possible to break letter-to-letter substitution ciphers.

  • 1400: Arabs did careful analysis of words in Koran
  • 1500: realized that letter-frequency could break substitution ciphers

One-time pad

uSecret-key encryption scheme (symmetric)

  • Encrypt plaintext by xor with sequence of bits
  • Decrypt ciphertext by xor with same bit sequence

uScheme for pad of length n

  • Set P of plaintexts: all n-bit sequences
  • Set C of ciphertexts: all n-bit sequences
  • Set K of keys: all n-bit sequences
  • Encryption and decryption functions encrypt(key, text) = key ⊕ text (bit-by-bit) decrypt(key, text) = key ⊕ text (bit-by-bit)

Evaluation of one-time pad

uAdvantages

  • Easy to compute encrypt, decrypt from key, text
  • As hard to break as possible
    • This is an information-theoretically secure cipher
    • Given ciphertext, all possible plaintexts are equally likely, assuming that key is chosen randomly

uDisadvantage

  • Key is as long as the plaintext
    • How does sender get key to receiver securely?

Idea for stream cipher: use pseudo-random generators for key...

What is a “secure” cryptosystem?

uIdea

  • If enemy intercepts ciphertext, cannot recover plaintext

uIssues in making this precise

  • What else might your enemy know?
    • The kind of encryption function you are using
    • Some plaintext-ciphertext pairs from last year
    • Some information about how you choose keys
  • What do we mean by “cannot recover plaintext”?
    • Ciphertext contains no information about plaintext
    • No efficient computation could make a reasonable guess

In practice ...

uInformation-theoretic security is possible

  • Shift cipher, one-time pad are info-secure for short message

uBut not practical

  • Long keys needed for good security
  • No public-key system

uTherefore

  • Cryptosystems in use are either
    • Just found to be hard to crack, or
    • Based on computational notion of security

Cipher Block Chaining (CBC)

Plain Text Plain Text

Ciphe r Tex t Cip her T

Block Cipher

IV

Block Cipher

Block Cipher

Block Cipher

Advantages: Identical blocks encrypted differently Last ciphertext block depends on entire input

Comparison (for AES, by Bart Preneel)

Similar plaintext blocks produce similar ciphertext (see outline of head)

No apparent pattern

RC4 stream cipher – “Ron’s Code”

uDesign goals (Ron Rivest, 1987):

  • speed
  • support of 8-bit architecture
  • simplicity (to circumvent export regulations)

uWidely used

• SSL/TLS

  • Windows, Lotus Notes, Oracle, etc.
  • Cellular Digital Packet Data
  • OpenBSD pseudo-random number generator

RSA Trade Secret

uHistory

  • 1994 – leaked to cypherpunks mailing list
  • 1995 – first weakness (USENET post)
  • 1996 – appeared in Applied Crypto as “alleged RC4”
  • 1997 – first published analysis

Weakness is predictability of first bits; best to discard them

Encryption/Decryption

key

plain text plain text

cipher text cipher t

state

Security

uGoal: indistinguishable from random sequence

  • given part of the output stream, it is impossible to distinguish it from a random string

uProblems

  • Second byte [MS01]
    • Second byte of RC4 is 0 with twice expected probability
  • Related key attack [FMS01]
    • Bad to use many related keys (see WEP 802.11b)

u Recommendation

  • Discard the first 256 bytes of RC4 output [RSA, MS]

Complete Algorithm

for i := 0 to 255 S[i] := i j := 0 for i := 0 to 255 j := j + S[i] + key[i] swap (S[i], S[j])

i, j := 0 repeat i := i + 1 j := j + S[i] swap (S[i], S[j]) output (S[ S[i] + S[j] ])

uKey scheduling

uRandom generator

21123134249121853 …

0 1 2 3 4 5 6 … Permutation of 256 bytes, depending on key

(^21123134249121853) … i j

(all arithmetic mod 256)

Review: Complexity Classes

Answer in polynomial space may need exhaustive search

If yes, can guess and check in polynomial time

Answer in polynomial time, with high probability

Answer in polynomial time compute answer directly

P

BPP

NP

PSpace

easy

hard

One-way functions

uA function f is one-way if it is

  • Easy to compute f(x), given x
  • Hard to compute x, given f(x), for most x

uExamples (we believe they are one way)

  • f(x) = divide bits x = y@z and multiply f(x)=y*z
  • f(x) = 3x^ mod p, where p is prime
  • f(x) = x^3 mod pq, where p,q are primes with |p|=|q|

One-way trapdoor

uA function f is one-way trapdoor if

  • Easy to compute f(x), given x
  • Hard to compute x, given f(x), for most x
  • Extra “trapdoor” information makes it easy to compute x from f(x)

uExample (we believe)

  • f(x) = x^3 mod pq, where p,q are primes with |p|=|q|
  • Compute cube root using (p-1)*(q-1)

uTrapdoor function to encrypt and decrypt

  • encrypt(key, message)
  • decrypt(key -1, encrypt(key, message)) = message

uResists attack

  • Cannot compute m from encrypt(key, m) and key, unless you have key-

Public-key Cryptosystem

key pair

Example: RSA

uArithmetic modulo pq

  • Generate secret primes p, q
  • Generate secret numbers a, b with xab^ ≡ x mod pq

uPublic encryption key 〈n, a〉

  • Encrypt(〈n, a〉, x) = xa^ mod n

uPrivate decryption key 〈n, b〉

  • Decrypt(〈n, b〉, y) = yb^ mod n

uMain properties

  • This works
  • Cannot compute b from n,a
    • Apparently , need to factor n = pq

n

Basic CBC-MAC

Plain Text Plain Text

Block Cipher

IV=

Block Cipher

Block Cipher

Block Cipher

CBC block cipher, discarding all but last output block Additional post-processing (e.g, encrypt with second key) can improve output

Digital Signatures

uPublic-key encryption

  • Alice publishes encryption key
  • Anyone can send encrypted message
  • Only Alice can decrypt messages with this key

uDigital signature scheme

  • Alice publishes key for verifying signatures
  • Anyone can check a message signed by Alice
  • Only Alice can send signed messages

Properties of signatures

uFunctions to sign and verify

  • Sign(Key-1, message)
  • Verify(Key, x, m) =

uResists forgery

  • Cannot compute Sign(Key-1, m) from m and Key
  • Resists existential forgery: given Key, cannot produce Sign(Key-1, m) for any random or otherwise arbitrary m

true if x = Sign(Key-1, m) false otherwise

RSA Signature Scheme

uPublish decryption instead of encryption key

  • Alice publishes decryption key
  • Anyone can decrypt a message encrypted by Alice
  • Only Alice can send encrypt messages

uIn more detail,

  • Alice generates primes p, q and key pair 〈a, b〉
  • Sign(x) = xa^ mod n
  • Verify(y) = yb^ mod n
  • Since ab ≡ 1 mod φ(n), have xab^ ≡ x mod n

Public-Key Infrastructure (PKI)

uAnyone can send Bob a secret message

  • Provided they know Bob’s public key

uHow do we know a key belongs to Bob?

  • If imposter substitutes another key, read Bob’s mail

uOne solution: PKI

  • Trusted root authority (VeriSign, IBM, United Nations)
    • Everyone must know the verification key of root authority
  • Root authority can sign certificates
  • Certificates identify others, including other authorities
  • Leads to certificate chains

uEncryption scheme:

encrypt(key, plaintext) decrypt(key ,ciphertext)

uSecret vs. public key

  • Public key: publishing key does not reveal key
  • Secret key: more efficient; can have key = key

uHash function

  • Map long text to short hash; ideally, no collisions
  • Keyed hash (MAC) for message authentication

uSignature scheme

  • Private key -1and public key provide authentication

     - 

Crypto Summary

Limitations of cryptography

uMost security problems are not crypto problems

  • This is good
    • Cryptography works!
  • This is bad
    • People make other mistakes; crypto doesn’t solve them

uExamples

  • Deployment and management problems [Anderson]
  • Ineffective use of cryptography
    • Example 802.11b WEP protocol

Why cryptosystems fail [Anderson]

uSecurity failures not publicized

  • Government: top secret
  • Military: top secret
  • Private companies
    • Embarrassment
    • Stock price
    • Liability

uPaper reports problems in banking industry

  • Anderson hired as consultant representing unhappy customers, 1992 class action suit

Anderson study of bank ATMs

uUS Federal Reserve regulations

  • Customer not liable unless bank proves fraud

uUK regulations significantly weaker

  • Banker denial and negligence
  • Teenage girl in Ashton under Lyme
    • Convicted of stealing from her father, forced to plead guilty, later determined to be bank error
  • Sheffield police sergeant
    • Charged with theft and suspended from job; bank error

u1992 class action suit

Sources of ATM Fraud

uInternal Fraud

  • PINs issued through branches, not post
    • Bank employees know customer’s PIN numbers
  • One maintenance engineer modified an ATM
    • Recorded bank account numbers and PINs
  • One bank issues “master” cards to employees
    • Can debit cash from customer accounts
  • Bank with good security removed control to cut cost
    • No prior study of cost/benefit; no actual cost reduction
    • Increase in internal fraud at significant cost
    • Employees did not report losses to management out of fear

Sources of ATM Fraud

uExternal Fraud

  • Full account numbers on ATM receipts
    • Create counterfeit cards
      • Attackers observe customers, record PIN
      • Get account number from discarded receipt
    • One sys: Telephone card treated as previous bank card
      • Apparently programming bug
      • Attackers observe customer, use telephone card
  • Attackers produce fake ATMs that record PIN
  • Postal interception accounts for 30% if UK fraud
    • Nonetheless, banks have poor postal control procedures
  • Many other problems
    • Test sequence causes ATM to output 10 banknotes

Sources of ATM Fraud

uPIN number attacks on lost, stolen cards

  • Bank suggestion of how to write down PIN
    • Use weak code; easy to break
  • Programmer error - all customers issued same PIN
  • Banks store encrypted PIN on file
    • Programmer can find own encrypted PIN, look for other accounts with same encrypted PIN
  • One large bank stores encrypted PIN on mag strip
    • Possible to change account number on strip, leave encrypted PIN, withdraw money from other account

Summary

uMain functions from cryptography

  • Public-key encryption, decryption, key generation
  • Symmetric encryption
    • Block ciphers, CBC Mode
    • Stream cipher
  • Hash functions
    • Cryptographic hash
    • Keyed hash for Message Authentication Code (MAC)
  • Digital signatures

uBe careful

  • Many non-intuitive properties; prefer public review
  • Need to implement, use carefully