Brief overview of cryptography l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 48

Brief Overview of Cryptography PowerPoint PPT Presentation


  • 48 Views
  • Uploaded on
  • Presentation posted in: General

Brief Overview of Cryptography. Outline. cryptographic primitives symmetric key ciphers block ciphers stream ciphers asymmetric key ciphers cryptographic hash functions protocol primitives block cipher operation modes “enveloping” message authentication codes digital signatures

Download Presentation

Brief Overview of Cryptography

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Brief overview of cryptography l.jpg

Brief Overview of Cryptography


Outline l.jpg

Outline

  • cryptographic primitives

    • symmetric key ciphers

      • block ciphers

      • stream ciphers

    • asymmetric key ciphers

    • cryptographic hash functions

  • protocol primitives

    • block cipher operation modes

    • “enveloping”

    • message authentication codes

    • digital signatures

  • key management protocols

    • session key establishment with symmetric and asymmetric key techniques

    • Diffie-Hellman key exchange and the man-in-the-middle attack

    • public key certification


Operational model of encryption l.jpg

Operational model of encryption

Ek(x)

ciphertext

  • Kerckhoff’s assumption:

    • attacker knows E and D

    • attacker doesn’t know the (decryption) key

  • attacker’s goal:

    • to systematically recover plaintext from ciphertext

    • to deduce the (decryption) key

  • attack models:

    • ciphertext-only

    • known-plaintext

    • (adaptive) chosen-plaintext

    • (adaptive) chosen-ciphertext

E

D

x

plaintext

Dk’(Ek(x)) = x

attacker

k

encryption key

k’

decryption key

Cryptographic primitives


Symmetric key encryption l.jpg

pseudo-random

bit stream generator

stream ciphers

seed

plaintext

ciphertext

...

...

+

block ciphers

plaintext

ciphertext

block

cipher

padding

key

Symmetric key encryption

  • it is easy to compute k from k’ (and vice versa)

  • often k = k’

  • two main types: stream ciphers and block ciphers

Cryptographic primitives


One time pad theoretical vs practical security l.jpg

One-time pad – theoretical vs. practical security

  • one-time pad

    • a stream cipher where the key stream is a true random bit stream

    • unconditionally secure (Shannon, 1949)

    • however, the key must be as long as the plaintext to be encrypted

  • practical ciphers

    • use much shorter keys

    • are not unconditionally secure, but computationally infeasible to break

    • however, proving that a cipher is computationally secure is not easy

      • not enough to consider brute force attacks (key size) only

      • a cipher may be broken due to weaknesses in its (algebraic) structure

    • no proofs of security exist for many ciphers used in practice

    • if a proof exists, it usually relies on assumptions that are widely believed to be true (such as P ¹ NP)

Cryptographic primitives


Des data encryption standard l.jpg

input size: 64, output size: 64, key size: 56

16 rounds

Feistel structure

F need not be invertible

decryption is the same as encryption with reversed key schedule (hardware implementation!)

DES – Data Encryption Standard

X

(64)

Initial Permutation

(32)

(32)

F

(48)

+

K1

F

+

(48)

K2

Key Scheduler

(56)

K

F

+

(48)

K3

Cryptographic primitives

F

(48)

+

K16

Initial Permutation-1

Y

(64)


Des round function f l.jpg

DES round function F

  • Si – substitution box (S-box) (look-up table)

  • P – permutation box (P-box)

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

S1

S2

S3

S4

S5

S6

S7

S8

P

Cryptographic primitives


Des key scheduler l.jpg

Left shift(s)

Left shift(s)

Left shift(s)

Left shift(s)

Permuted Choice 2

Permuted Choice 2

DES key scheduler

K

  • each key bit is used in around 14 out of 16 rounds

(56)

Permuted Choice 1

(28)

(28)

(28)

(28)

(48)

K1

(48)

K2

Cryptographic primitives


Aes advanced encryption standard l.jpg

AES – Advanced Encryption Standard

  • NIST selected Rijndael (designed by Joan Daemen and Vincent Rijmen) as a successor of DES (3DES) in November 2001

  • Rijndael parameters

    • key size128192256

    • input/output size128128128

    • number of rounds 10 12 14

    • round key size128128128

  • not Feistel structure

  • decryption algorithm is different from encryption algorithm (optimized for encryption)

  • single 8 bit to 8 bit S-box

  • key injection (bitwise XOR)

Cryptographic primitives


General structure of rijndael encryption decryption l.jpg

General structure of Rijndael encryption/decryption

plaintext

plaintext

w[0..3]

add round key

add round key

inverse subs bytes

round 10

substitute bytes

inverse shift rows

shift rows

round 1

mix columns

inverse mix columns

w[4..7]

add round key

add round key

round 9

inverse subs bytes

inverse shift rows

expanded key

substitute bytes

shift rows

round 9

mix columns

inverse mix columns

w[36..39]

add round key

add round key

Cryptographic primitives

round 1

inverse subs bytes

substitute bytes

inverse shift rows

round 10

shift rows

w[40..43]

add round key

add round key

ciphertext

ciphertext


Rijndael shift row and mix column l.jpg

2 3 1 1

1 2 3 1

1 1 2 3

3 1 1 2

x

=

multiplications and additions

are performed over GF(28)

Rijndael – Shift row and mix column

shift row

s00

s01

s02

s03

s00

s01

s02

s03

s10

s11

s12

s13

LROT1

s11

s12

s13

s10

s20

s21

s22

s23

LROT2

s22

s23

s20

s21

s30

s31

s32

s33

LROT3

s33

s30

s31

s32

mix column

Cryptographic primitives

s00

s01

s02

s03

s’00

s’01

s’02

s’03

s10

s11

s12

s13

s’10

s’11

s’12

s’13

s20

s21

s22

s23

s’20

s’21

s’22

s’23

s30

s31

s32

s33

s’30

s’31

s’32

s’33


Rijndael key expansion l.jpg

Rijndael – Key expansion

k0

k4

k8

k12

  • function g

  • rotate word

  • substitute bytes

  • XOR with round constant

k1

k5

k9

k13

k2

k6

k10

k14

k3

k7

k11

k15

w0

w1

w2

w3

g

+

+

+

+

w4

w5

w6

w7

g

Cryptographic primitives

+

+

+

+

w8

w9

w10

w11


Rc4 stream cipher l.jpg

RC4 stream cipher

  • initialization (input: a seed K of keylen bytes)

    for i = 0 to 255 do

    S[i] = i;

    T[i] = K[i mod keylen];

  • initial permutation

    j = 0;

    for i = 0 to 255 do

    j = (j + S[i] + T[i]) mod 256;

    swap(S[i], S[j]);

  • stream generation (output: a stream of pseudo-random bytes)

    i, j = 0;

    while true

    i = (i + 1) mod 256;

    j = (j + S[i]) mod 256;

    swap(S[i], S[j]);

    t = (S[i] + S[j]) mod 256;

    output S[t];

Cryptographic primitives


Asymmetric key encryption l.jpg

Asymmetric key encryption

Ek(x)

ciphertext

  • breakthrough of Diffie and Hellman, 1976

  • it is hard (computationally infeasible) to compute k’ from k

  • k can be made public (public-key cryptography)

E

D

x

plaintext

Dk’(Ek(x)) = x

attacker

k

encryption key

k’

decryption key

Cryptographic primitives


Rsa rivest shamir adleman 1978 l.jpg

RSA (Rivest, Shamir, Adleman, 1978)

  • basis

    • computing xe mod n is easy but x1/e mod n is hard (n is composite)

    • intractability of integer factoring

  • key generation

    • select p, q large primes (about 500 bits each)

    • n = pq, f(n) = (p-1)(q-1)

    • select e such that 1 < e < f(n) and gcd(e, f(n)) = 1

    • compute d such that ed mod f(n) = 1 (this is easy if p and q are known)

    • public key is (e, n)

    • private key is d

  • encryption

    c = me mod n where m < n is the message

  • decryption

    cd mod n = m

Cryptographic primitives


Proof of rsa decryption l.jpg

Proof of RSA decryption

  • Fermat’s theorem

    Let r be a prime. If gcd(a, r) = 1, then ar-1 mod r = 1.

  • Euler’s generalization

    For every a and n where gcd(a, n) = 1, af(n) mod n = 1.

  • RSA decryption

    cd mod n

    = (me mod n)d mod n

    = med mod n

    = mkf(n)+1 mod n

    = m*(mf(n))k mod n

    = m*(mf(n) mod n)k mod n if gcd(m, n) = 1

    = m mod n = m

Cryptographic primitives


Proof of rsa decryption cont d l.jpg

Proof of RSA decryption cont’d

  • RSA decryption if gcd(m, n) > 1

    • either p|m or q|m

    • assume without loss of generality that p|m

    • note that in this case, q|m cannot hold since otherwise m ³ pq = n

    • this means that gcd(m, q) = 1

      cd mod p = med mod p = 0

      cd mod q = med mod q = mk(p-1)(q-1)+1 mod q = m*(m (q-1)) k(p-1) mod q =

      m*(m (q-1) mod q) k(p-1) mod q = m mod q

       p,q|(cd – m)

       cd – m= spq = sn

       cd = sn + m

       cd mod n = m mod n = m


Cryptographic hash functions l.jpg

Cryptographic hash functions

  • requirements

    • one-way: given a hash value y, it is computationally infeasible to find a message x such that h(x) = y

    • weak collision resistance: given a message x, it is computationally infeasible to find another message x’ such that h(x) = h(x’)

    • (strong) collision resistance: it is computationally infeasible to find two messages x and x’ such that h(x) = h(x’)

message of arbitrary length

hash function

fix length

message digest / hash value / fingerprint

Cryptographic primitives


How long should a hash value be l.jpg

How long should a hash value be?

  • birthday paradox

    • P(n, k) = Pr{ there exists at least one duplicate among k items where

      each item can take on one of n equally likely values}

    • P(n, k) > 1 – exp( -k*(k-1)/2n )

    • Q: What value of k is needed such that P(n, k) > 0.5 ?

    • A: k should approximately be n0.5

    • e.g., P(365, 23) > 0.5

  • birthday paradox applied to hash function h

    • n is the number of possible hash values

    • one can find a collision among n0.5 messages with probability greater than 0.5

    • if output size of h is 64 bits, then n0.5 is 232 too small

    • output size should be at least 128 but 160 is even better

Cryptographic primitives


General structure of hash functions l.jpg

General structure of hash functions

  • if the compression function f is collision resistant, then so is the iterated hash function (Merkle and Damgard, 1989)

  • if necessary, the final block is padded to b bits

  • the final block also includes the total length of the input (this makes the job of an attacker more difficult)

XL

X2

X3

X1

(b)

(b)

(b)

(b)

(n)

f

f

f

f

(n)

(n)

(n)

h(X)

(n)

CV0

CVL-1

CV2

CV3

CV1

Cryptographic primitives


Sha1 secure hash algorithm l.jpg

SHA1 – Secure Hash Algorithm

  • output size (n): 160 bits

  • input block size (b): 512 bits

  • padding is always used

  • CV0

    A = 67 45 23 01

    B = EF CD AB 89

    C = 98 BA DC FE

    D = 10 32 54 76

    E = C3 D2 E1 F0

64 bits

last input block

10000000 … 00000

length

512 bits

Cryptographic primitives


Sha1 compression function f l.jpg

SHA1 compression function f

CVi - 1

Xi

(5 x 32 = 160)

(512)

f[0..19], K[0..19], W[0..19]

20 steps

D

E

B

C

A

f[20..39], K[20..39], W[20..39]

20 steps

D

E

B

C

A

f[40..59], K[40..59], W[40..59]

20 steps

D

E

B

C

A

f[60..79], K[60..79], W[60..79]

20 steps

Cryptographic primitives

mod 232 additions

+

+

+

+

+

CVi


Sha1 compression function f cont d l.jpg

SHA1 compression function f cont’d

A

B

C

D

E

mod 232 additions

f[t]

+

LROT5

+

W[t]

+

LROT30

K[t]

+

A

B

C

D

E

Cryptographic primitives


Sha1 compression function f cont d24 l.jpg

SHA1 compression function f cont’d

  • f[t](B, C, D)

    t = 0..19f[t](B, C, D) = (B Ù C) Ú (ØB Ù D)

    t = 20..39f[t](B, C, D) = B Å C Å D

    t = 40..59 f[t](B, C, D) = (B Ù C) Ú (B Ù D) Ú (C Ù D)

    t = 60..79f[t](B, C, D) = B Å C Å D

  • W[t]

    W[0..15] = Xi

    t = 16..79 W[t] = LROT1(W[t-16] Å W[t-14] Å W[t-8] Å W[t-3])

  • K[t]

    t = 0..19 K[t] = 5A 82 79 99[230 x 21/2]

    t = 20..39 K[t] = 6E D9 EB A1[230 x 31/2]

    t = 40..59 K[t] = 8F 1B BC DC[230 x 51/2]

    t = 60..79 K[t] = CA 62 C1 D6[230 x 101/2]

Cryptographic primitives


Block cipher operation modes ecb l.jpg

C1

P1

CN

PN

C2

P2

E

D

K

K

E

D

E

D

K

K

K

K

C1

P1

CN

PN

C2

P2

Block cipher operation modes – ECB

  • Electronic Codebook (ECB)

    • encrypt

    • decrypt

Protocol primitives


Block cipher operation modes cbc l.jpg

PN

P1

P2

P3

+

+

+

+

E

E

E

E

K

K

K

K

CN-1

C1

C3

C2

CN

C2

C1

C3

D

D

D

D

K

K

K

K

+

+

+

+

PN

P1

P2

P3

Block cipher operation modes – CBC

  • Cipher Block Chaining (CBC)

    • encrypt

    • decrypt

IV

CN-1

Protocol primitives

IV

CN-1


Block cipher operation modes cfb l.jpg

Block cipher operation modes – CFB

  • Cipher Feedback (CFB)

    • encrypt– decrypt

initialized with IV

initialized with IV

(s)

(s)

shift register (n)

shift register (n)

(n)

(n)

E

E

K

K

(n)

(n)

select s bits

select s bits

(s)

(s)

(s)

(s)

(s)

(s)

Protocol primitives

Pi

Ci

Ci

Pi

+

+


Block cipher operation modes ofb l.jpg

Block cipher operation modes – OFB

  • Output Feedback (OFB)

    • encrypt– decrypt

initialized with IV

initialized with IV

(s)

(s)

shift register (n)

shift register (n)

(n)

(n)

E

E

K

K

(n)

(n)

select s bits

select s bits

(s)

(s)

Protocol primitives

(s)

(s)

(s)

(s)

Pi

Ci

Ci

Pi

+

+


Block cipher operation modes ctr l.jpg

Block cipher operation modes – CTR

  • Counter (CTR)

    • encrypt– decrypt

    • advantages

      • efficiency (parallelizable)

      • random access (the i-th block can be decrypted independently of the others)

      • preprocessing (the values to be XORed with the plaintext can be pre-computed)

      • security (at least as secure as the other modes)

      • simplicity (does not need the decryption algorithm)

counter + i

counter + i

(n)

(n)

E

E

K

K

(n)

(n)

(n)

(n)

(n)

(n)

Ci

Pi

Pi

Ci

+

+

Protocol primitives


Enveloping l.jpg

Enveloping

  • public-key encryption is slow (~1000 times slower than symmetric key encryption)

  • it is mainly used to encrypt symmetric bulk encryption keys

plaintext message

generate random

symmetric key

symmetric-key

cipher

(in CBC mode)

bulk encryption key

asymmetric-key

cipher

public key

of the receiver

Protocol primitives

digital envelop


Message authentication codes mac l.jpg

Message Authentication Codes (MAC)

  • used to protect the integrity of messages

  • also called cryptographic checksums

  • computation of a MAC involves a secret (shared key)

  • can be based on an encryption function E

    Y1 = EK(X1)

    Yi = EK(Xi + Yi-1)

    MACK(X) = Ylast

  • or a hash function h

    MACK(X) = h(X|K)

  • or both

    MACK(X) = EK(h(X))

Protocol primitives


Slide32 l.jpg

HMAC

  • definition

    HMACK(X) = h( (K+ + opad) | h( (K+ + ipad) | X ) )

    where

    • h is a hash function with input block size b and output size n

    • K+ is K padded with 0s on the left to obtain a length of b bits

    • ipad is 00110110 repeated b/8 times

    • opad is 01011100 repeated b/8 times

    • + is XOR and | is concatenation

  • design objectives

    • to use available hash functions

    • easy replacement of the embedded hash function

    • preserve performance of the original hash function

    • handle keys in a simple way

    • allow mathematical analysis

Protocol primitives


Digital signatures l.jpg

Digital signatures

  • similar to MACs but

    • unforgeable by the receiver

    • verifiable by a third party

  • used for message authentication and non-repudiation (of message origin)

  • based on public-key cryptography

    • signature generation is based on the private key of the sender

    • signature verification is based on the public key of the sender

  • example: RSA based digital signature

    • public key: (e, n); private key: (d, n)

    • signature generation (input: m; output: s)

      s(m) = md mod n

    • signature verification (input: s, m; output: yes/no)

      se mod n = m?

Protocol primitives


Hash and sign paradigm l.jpg

“Hash and sign” paradigm

  • motivation: public/private key operations are slow

  • approach: hash the message first and apply public/private key operations to the hash only

private key

of sender

generation

signature

message

hash

enc

h

signature

message

hash

dec

h

Protocol primitives

verification

compare

public key

of sender

yes/no


Elgamal signature scheme l.jpg

ElGamal signature scheme

  • key generation

    • generate a large random prime p and select a generator g of Zp*

    • select a random integer 0 < a < p-1

    • compute A = ga mod p

    • public key: ( p, g, A ) private key: a

  • signature generation for message m

    • select a random secret integer 0 < k < p – 1 such that gcd(k, p – 1) = 1

    • compute k-1 mod (p – 1)

    • compute r = gk mod p

    • compute s = k-1( h(m) – ar ) mod (p – 1)

    • signature on m is (s, r)

Protocol primitives


Elgamal signature scheme cont d l.jpg

ElGamal signature scheme cont’d

  • signature verification

    • obtain the public key (p, g, A) of the signer

    • verify that 0 < r < p; if not then reject the signature

    • compute v1 = Arrs mod p

    • compute v2 = gh(m) mod p

    • accept the signature iff v1 = v2

  • proof that signature verification works

    s º k-1( h(m) – ar ) (mod p – 1)

    ks º h(m) – ar (mod p – 1)

    h(m) º ks + ar (mod p – 1)

    gh(m)º gar+ksº (ga)r(gk)sº Arrs (mod p)

    thus, v1 = v2 is required

Protocol primitives


How to establish a shared symmetric key l.jpg

How to establish a shared symmetric key?

  • manually

    • pairwise symmetric keys are established manually

    • inflexible and doesn’t scale

  • with symmetric-key cryptography

    • long-term symmetric keys are established manually between each user and a Key Distribution Center (KDC)

    • cryptographic protocols that use these long-term keys are used to setup short-term (session) keys

    • the KDC must be fully trusted

  • with asymmetric-key cryptography

    • the symmetric key is encrypted with the public key of the intended receiver

    • how to obtain an authentic copy of the public key of the receiver?

Key management


The wide mouth frog protocol l.jpg

generate Kab

A, { B, Kab, Ta }Kas

A, { B, Kab, Ts’ }Kas

B, { A, Kab, Ts }Kbs

{ A, Kab, Ts(n) }Kbs

{ A, Kab, Ts’’ }Kbs

{ B, Kab, Ts’ }Kas

{ A, Kab, Ts }Kbs

M

(impersonating A and B)

S

B

The Wide-Mouth-Frog protocol

  • a vulnerability

A

S

B

Key management

...


The needham schroeder protocol 1978 l.jpg

A, B, Na

generate Kab

{ Na, B, Kab, {Kab, A}Kbs }Kas

{ Kab, A }Kbs

{ Nb }Kab

{ Nb -1}Kab

The Needham-Schroeder protocol (1978)

  • Denning and Sacco attack (1981)

    • message 3 doesn’t contain anything fresh for B

    • an attacker can cryptanalyze an old session key Kab and replay message 3 to B

    • the attacker can finish the protocol

    • B will think he shares a key Kab with A, but A is not involved at all

S

A

B

Key management


Public key needham schroeder 1978 l.jpg

{ A, Na }Kb

{ Na, Nb }Ka

{ Nb }Kb

{ A, Na }Km

{ A, Na }Kb

{ Na, Nb }Ka

{ Na, Nb }Ka

{ Nb }Km

{ Nb }Kb

Public-key Needham-Schroeder (1978)

  • since Na and Nb are known only to A and B, one may suggest that they can generate a key as f(Na, Nb)

  • Lowe’s attack (1995)

A

B

M

A

B

Key management


Diffie hellman key exchange 1976 l.jpg

A

B

Diffie-Hellman key exchange (1976)

Initially known:

p large prime

g generator of Zp*

Alice

Bob

generate random

number 0 < a < p-1

and calculate

A = ga mod p

generate random

number 0 < b < p-1

and calculate

B = gb mod p

calculate

K= Ab mod p = gab mod p

calculate

K= Ba mod p = gab mod p

Key management


Man in the middle attack l.jpg

A, Ka

{ message }Ka

A

B

M

A, Ka

A, Km

{ message }Km

{ message }Ka

Man-in-the-middle attack

  • consider the following protocol

  • the MiM attack

A

B

Key management


Public key certificates l.jpg

Public-key certificates

  • a certificate is data structure that contains

    • the public key

    • name of the owner of the public key

    • name of the issuer

    • date of issuing

    • expiration date

    • possibly other data

    • signature of the issuer

  • issuers are usually trusted third parties called Certification Authorities (CA)

    • need not be on-line

  • certificates are distributed through on-line databases called Certificate Directories

    • need not be trusted

Key management


Single ca l.jpg

Single CA

  • every public key is certified by a single CA

  • each user knows the public key of the CA

  • each user can verify every certificate

  • note: the CA must be trusted for issuing correct certificates

  • problem: doesn’t scale

CA

CA structures


Certificate chains l.jpg

Certificate chains

  • first certificate can be verified with a known public key

  • each further certificate can be verified with the public key from the previous certificate

  • last certificate contains the target key (Bob’s public key)

  • note: every issuer in the chain must be trusted (CA0, CA1, CA2)

CA2

KCA2

CA1

KCA1

Bob

KBob

KCA0

KCA2-1

KCA0-1

KCA1-1

CA structures


Ca structures l.jpg

CA structures

  • each user knows the public key of the root CA0

CA0

CA2

CA1

CA3

CA31

CA32

CA11

CA12

CA23

Alice

Bob

CA structures


Ca structures cont d l.jpg

CA structures cont’d

  • each user knows the public key of its local CA

CA0

CA2

CA1

CA3

CA31

CA32

CA11

CA12

CA23

Alice

Bob

CA structures


Ca structures cont d48 l.jpg

CA structures cont’d

  • each user knows the public key of her root CA

CA1

CA3

CA31

CA32

CA11

CA12

CA2

Alice

Bob

CA structures


  • Login