1 / 32

Foundations of Network and Computer Security

Foundations of Network and Computer Security. J ohn Black Lecture #9 Sep 16 th 2009. CSCI 6268/TLEN 5550, Fall 2009. Announcements. Quiz #2 will be next Friday, Sep 25 th Will cover material up to next Weds 9/23. Birthday Paradox. Need another method

ardara
Download Presentation

Foundations of Network and Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Foundations of Network and Computer Security John Black Lecture #9 Sep 16th 2009 CSCI 6268/TLEN 5550, Fall 2009

  2. Announcements • Quiz #2 will be next Friday, Sep 25th • Will cover material up to next Weds 9/23

  3. Birthday Paradox • Need another method • Birthday paradox: if we have 23 people in a room, the probability is > 50% that two will share the same birthday • This happens because 23 is near the square root of 365 • Sqrt(365) ≈ 19.1 • More on this in a moment

  4. Birthday Paradox (cont) • Let’s do the math • Let n equal number of people in the class • Start with n = 1 and count upward • Let NBM be the event that there are No-Birthday-Matches • For n=1, Pr[NBM] = 1 • For n=2, Pr[NBM] = 1 x 364/365 ≈ .997 • For n=3, Pr[NBM] = 1 x 364/365 x 363/365 ≈ .991 • … • For n=22, Pr[NBM] = 1 x … x 344/365 ≈ .524 • For n=23, Pr[NBM] = 1 x … x 343/365 ≈ .493 • Since the probability of a match is 1 – Pr[NBM] we see that n=23 is the smallest number where the probability exceeds 50%

  5. Occupancy Problems • What does this have to do with hashing? • Suppose each hash output is uniform and random on {0,1}n • Then it’s as if we’re throwing a ball into one of 2n bins at random and asking when a bin contains at least 2 balls • This is a well-studied area in probability theory called “occupancy problems” • It’s well-known that the probability of a collision occurs around the square-root of the number of bins • If we have 2n bins, the square-root is 2n/2

  6. Birthday Bounds • This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2n/2 • This is known as the “birthday bound” • It’s impossible to do better, but quite easy to do worse • It is therefore hoped that it takes (264) work to find collisions in MD5 and (280) work to find collisions in SHA-1

  7. The Birthday Bound 1.0 Probability 0.5 0.0 2n/2 2n Number of Hash Inputs

  8. More Recently • At CRYPTO 2004 (August) • Collisions found in HAVAL, RIPEMD, MD4, MD5, and SHA-0 (240 operations) • Wang, Feng, Lai, Yu • Only Lai is well-known • HAVAL was known to be bad • Dobbertin found collisions in MD4 years ago • MD5 news is big! • CU team lowered time-to-collision to 3 mins (July 2005) • SHA-0 isn’t used anymore (but see next slide)

  9. Collisions in SHA-0 M1, M1’ not in SHA-0 Wt= { t-th word of Mi 0 £t £ 15 ( Wt-3Å Wt-8Å Wt-14Å Wt-16 ) << 1 16 £t £ 79 A ¬ H0i-1; B ¬ H1i-1; C ¬ H2i-1; D ¬ H3i-1; E ¬ H4i-1 65 for t = 1 to 80 do T¬ A << 5 + gt (B, C, D) + E + Kt + Wt E ¬ D; D ¬ C; C ¬ B >> 2; B ¬ A; A ¬ T end H0..4i-1 Collision! H0i¬ A + H0i-1; H1i¬ A + H1i-1; H2i¬ C+ H2i-1; H3i¬ D + H3i-1; H4i¬ E + H4i-1

  10. What Does this Mean? • Who knows • Methods are not yet understood • Will undoubtedly be extended to more attacks • Maybe nothing much more will happen • But maybe everything will come tumbling down?! • But we have OTHER ways to build hash functions

  11. A Provably-Secure Blockcipher-Based Compression Function Mi n bits hi hi-1 E n bits n bits

  12. The Big (Partial) Picture Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) First-Level Protocols Symmetric Encryption Asymmetric Encryption Digital Signatures MAC Schemes (Can do proofs) Block Ciphers Stream Ciphers Hash Functions Hard Problems Primitives (No one knows how to prove security; make assumptions)

  13. Review • What MACs have we seen thus-far? • CBCMAC, XCBC, UMAC, HMAC • HMAC led to a discussion on crypto hash functions • MD5, SHA-1 are examples • These functions are unkeyed • Our hope is that they are collision-resistant • We’ll pick up with a construction of a hash function from a blockcipher

  14. A Provably-Secure Blockcipher-Based Compression Function Mi n bits hi hi-1 E n bits n bits

  15. The Big (Partial) Picture Second-Level Protocols SSH, SSL/TLS, IPSec Electronic Cash, Electronic Voting (Can do proofs) First-Level Protocols Symmetric Encryption Asymmetric Encryption Digital Signatures MAC Schemes (Can do proofs) Block Ciphers Stream Ciphers Hash Functions Hard Problems Primitives (No one knows how to prove security; make assumptions)

  16. Symmetric vs. Asymmetric • Thus far we have been in the symmetric key model • We have assumed that Alice and Bob share some random secret string • In practice, this is a big limitation • Bootstrap problem • Forces Alice and Bob to meet in person or use some mechanism outside our protocol • Not practical when you want to buy books at Amazon • We need the Asymmetric Key model!

  17. Asymmetric Cryptography • In this model, we no longer require an initial shared key • First envisioned by Diffie in the late 70’s • Some thought it was impossible • MI6 purportedly already knew a method • Diffie-Hellman key exchange was first public system • Later turned into El Gamal public-key system • RSA system announced shortly thereafter

  18. But first, a little math… • A group is a nonempty set G along with an operation # : G x G → G such that for all a, b, c ∈ G • (a # b) # c = a # (b # c) (associativity) • ∃ e ∈ G such that e # a = a # e = a (identity) • ∃ a-1 ∈ G such that a # a-1 = e (inverses) • If ∀a,b ∈ G, a # b = b # a we say the group is “commutative” or “abelian” • All groups in this course will be abelian

  19. Notation • We’ll get tired of writing the # sign and just use juxtaposition instead • In other words, a # b will be written ab • If some other symbol is conventional, we’ll use it instead (examples to follow) • We’ll use power-notation in the usual way • ab means aaaaa repeated b times • a-b means a-1a-1a-1a-1 repeated b times • Here a ∈ G, b ∈ Z • Instead of e we’ll use a more conventional identity name like 0 or 1 • Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably

  20. Examples of Groups • Z (the integers) under + ? • Q, R, C, under + ? • N under + ? • Q under x ? • Z under x ? • 2 x 2 matrices with real entries under x ? • Invertible 2 x 2 matrices with real entries under x ? • Note all these groups are infinite • Meaning there are an infinite number of elements in them • Can we have finite groups?

  21. Finite Groups • Simplest example is G = {0} under + • Called the “trivial group” • Almost as simple is G = {0, 1} under addition mod 2 • Let’s generalize • Zm is the group of integers modulo m • Zm = {0, 1, …, m-1} • Operation is addition modulo m • Identity is 0 • Inverse of any a ∈ Zm is m-a • Also abelian

  22. The Group Zm • An example • Let m = 6 • Z6 = {0,1,2,3,4,5} • 2+5 = 1 • 3+5+1 = 3 + 0 = 3 • Inverse of 2 is 4 • 2+4 = 0 • We can always pair an element with its inverse a : 0 1 2 3 4 5 a -1 : 0 5 4 3 2 1 • Inverses are always unique • An element can be its own inverse • Above, 0 and 0, 3 and 3

  23. Another Finite Group • Let G = {0,1}n and operation is ⊕ • A group? • What is the identity? • What is the inverse of a ∈ G? • We can put some familiar concepts into group-theoretic notation: • Caesar cipher was just P + K = C in Z26 • One-time pad was just P ⊕ K = C in the group just mentioned above

  24. Multiplicative Groups • Is {0, 1, …, m-1} a group under multiplication mod m? • No, 0 has no inverse • Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m? • Hmm, try some examples… • m = 2, so G = {1} X • m = 3, so G = {1,2} X • m = 4, so G = {1,2,3} oops! • m = 5, so G = {1,2,3,4} X

  25. Multiplicative Groups (cont) • What was the problem? • 2,3,5 all prime • 4 is composite (meaning “not prime”) • Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime Proof: →: suppose m is composite, then m = ab where a,b ∈ G and a, b  1. Then ab = m = 0 and G is not closed ←: follows from a more general theorem we state in a moment

  26. The Group Zm* • a,b ∈N are relatively prime iff gcd(a,b) = 1 • Often we’ll write (a,b) instead of gcd(a,b) • Theorem: G = {a : 1 ≤ a ≤ m-1, (a,m) = 1} and operation is multiplication mod m yields a group • We name this group Zm* • We won’t prove this (though not too hard) • If m is prime, we recover our first theorem

  27. Examples of Zm* • Let m = 15 • What elements are in Z15*? • {1,2,4,7,8,11,13,14} • What is 2-1 in Z15*? • First you should check that 2 ∈ Z15* • It is since (2,15) = 1 • Trial and error: • 1, 2, 4, 7, 8 X • There is a more efficient way to do this called “Euclid’s Extended Algorithm” • Trust me

  28. Euler’s Phi Function • Definition: The number of elements of a group G is called the order of G and is written |G| • For infinite groups we say |G| = 1 • All groups we deal with in cryptography are finite • Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function” • Note that |Zm*| = (m) • This follows immediately from the definition of ()

  29. Evaluating the Phi Function • What is (p) if p is prime? • p-1 • What is (pq) if p and q are distinct primes? • If p, q distinct primes, (pq) = (p)(q) • Not true if p=q • We won’t prove this, though it’s not hard

  30. Examples • What is (3)? • |Z3*| = |{1,2}| = 2 • What is (5)? • What is (15)? • (15) = (3)(5) = 2 x 4 = 8 • Recall, Z15* = {1,2,4,7,8,11,13,14}

  31. LaGrange’s Theorem • Last bit of math we’ll need for RSA • Theorem: if G is any finite group of order n, then ∀ a ∈ G, an = 1 • Examples: • 6 ∈ Z22, 6+6+…+6, 22 times = 0 mod 22 • 2 ∈ Z15*, 28 = 256 = 1 mod 15 • Consider {0,1}5 under ⊕ • 01011 2 {0,1}5, 0101132 = 0000016 =00000 • It always works (proof requires some work)

  32. Basic RSA Cryptosystem • Basic Setup: • Alice and Bob do not share a key to start with • Alice will be the sender, Bob the receiver • Reverse what follows for Bob to reply • Bob first does key generation • He goes off in a corner and computes two keys • One key is pk, the “public key” • Other key is sk, the “secret key” or “private key” • After this, Alice can encrypt with pk and Bob decrypts with sk

More Related