introduction to security and crypto n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Introduction to Security and Crypto PowerPoint Presentation
Download Presentation
Introduction to Security and Crypto

Loading in 2 Seconds...

play fullscreen
1 / 43

Introduction to Security and Crypto - PowerPoint PPT Presentation


  • 164 Views
  • Uploaded on

Introduction to Security and Crypto. Agenda. Basics of security Basics of cryptography Symmetric Crypto DES example, block chaining Key exchange, Asymetric Crypto RSA example Public Key Infrastructure Trust Provisionning Attacks and how to cope with it Attacks on Algorithms

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Introduction to Security and Crypto' - maille


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide2

Agenda

  • Basics of security
  • Basics of cryptography
    • Symmetric Crypto
    • DES example, block chaining
    • Key exchange, Asymetric Crypto
    • RSA example
  • Public Key Infrastructure
  • Trust Provisionning
  • Attacks and how to cope with it
    • Attacks on Algorithms
    • Attacks on Implementations
    • Attacks on Protocols
  • Two Examples
    • A7 FS-application Trust provisioning + Offline Authentication
    • TLS and support of A70CM
embedded nfc
Embedded NFC

Basics of Security

security goals

Tue, at 10 at my place. Alice

Mon, at 10 at my place. Alice

At 10 at my place

Alice

At 10 at my place

Anneliese

Alice

Security Goals

Confidentiality: Eavesdropping possible?

Authenticity: Sender correct?

Integrity: Message modified?

Non-Repudiation: Message signed?

But also: Availability (i.e.: preventing denial of service), Privacy (personal data towards merchant or third parties)

security goals and algorithms
Security Goals and Algorithms

Authenticity:

Asymmetric Crypto / Signature / Hash

Confidentiality:

Symmetric Crypto

Integrity:

Hash / Signature / MAC

Non-repudiation:

Hash / Signature

there is no such thing as perfect security
There is no such thing as „perfect security“

There is no such thing as “perfect security” – A secure system makes an attack more expensive than the value of the advantage gained by the attacker.

attacks principles
Attacks & Principles
  • Kerckhoffs’ principle: The attacker always knows the algorithm; the only information unknown to him/her is the key.
  • Brute force attack
    • Exhaustive search over all keys
    • Single plaintext-ciphertext-pair may be enough to determine the correct key
    • Cannot be avoided
    • Goal: Make it practically infeasible, i.e. key space is so large that the search takes more than a lifetime
  • Side Channel Attacks:
    • Even if a cryptographic algorithm offers high level of security, its implementation may still leak information about secrets or keys: timing behavior, current consumption, electromagnetic radiation etc establish so called side channels for secret information.
  • There is no such thing as “perfect security” – A secure system makes an attack more expensive than the value of the advantage gained by the attacker.
embedded nfc1
Embedded NFC

Basics of Cryptography

Symmetric Crypto

symmetric encryption
Symmetric Encryption

Key

Key

Plaintext

Plaintext

Ciphertext

Encryption

DES

Triple-DES

AES

Decryption

DES-1

Triple-DES-1

AES-1

 Confidentiality: Eavesdropping not easily possible

slide11

Introduction - What is Android ?

Platform Architecture

Platform Components

Platform Initialization

How to get Android sources

A bit of history…

The Caesar cipher

slide12

Introduction - What is Android ?

Platform Architecture

Platform Components

Platform Initialization

How to get Android sources

Block Ciphers

DES

Block Chaining

symmetric block ciphers des and aes

Algorithm

Block m4

Block m3

Block c2

Block c1

Symmetric block ciphers: DES and AES
  • Plaintextisdividedintoblocks m1, m2, ... ofthe same length
  • Every block isencryptedunderthe same key.
  • Typical block lengths: DES – 64 bit, AES – 128 bit
  • Typicalkeylengths: DES – 56 bit; AES – 128, 192, 256 bit
des data encryption standard

L0

R0

Input 64 bit

K1

Key 56 bit

F

Permutation IP

L1

R1

round i

Round key i

round 16

Round key 16

Permutation IP –1

L15

R15

K16

Output 64 bit

F

L16

R16

R16

DES - Data Encryption Standard
  • Most important example for Feistel ciphers (ie: same operations to encrypt and decrypt)
  • Published in 1977 as a standard for the American governmental institutions
  • Significant weakness: 56 bit key is too short 1999 Deep Crack: 100.000 PCs computed key within 22 hours and 15 minutes
modes of operation

Block m4

Block m3

Block c2

Block c1

Algorithm

Modes of Operation
  • Modes of Operation
    • How to ensure that the ordering of blocks is not changed by an attacker?
    • Dependencies between encrypted blocks: Cipher Block Chaining (CBC)
problems of block encryption
Problems of block encryption

ECB-Example:

Electronic Code Book Mode:

Identical blocks are identically encrypted.

m1

m2

m3

(3)DES

Enciphering

(3)DES

Enciphering

(3)DES

Enciphering

c1

c2

c3

cbc mode

m1

m2

m3

IV

(3)DES

Enciphering

(3)DES

Enciphering

(3)DES

Enciphering

c1

c2

c3

CBC Mode

CBC-Example:

Cipher Block Chaining Mode:

Identical blocks are differently encrypted.

triple des
Triple-DES
  • Triple-DES = triple encryption using DES with two or three external keys: DES(k1, DES-1(k2, DES(k1,m)))
  • Question: Why is the decryption DES-1 in the middle?

Compatibility: When implementing Triple-DES and choosing k1 = k2, then one gets the single DES. Therefore, only one algorithm needs to be implemented to get Triple-DES and single DES.

  • Question: Why is not Double-DES used instead of Triple-DES?

Meet-in-the-middle attack!

  • Security comparison
    • Two keys – NIST estimation: effectively 80 bits
    • Three keys – NIST estimation: effectively 112 bits
aes scheme

plaintext

Round key 0

Round 1 (round key 1)

Round 2 (round key 2)

Round n (round key n)

ciphertext

ByteSub

ShiftRow

MixColumn

AddRoundKey

AES – Scheme
  • AES is standardized for key lengths of 128 bit, 192 bit, 256 bit, and block size of 128 bit.
  • The number of rounds depends on key length used: 10 up to 14
  • Round Function:
security goals and algorithms hash function
Security Goals andAlgorithms; HASH Function

Authentication:

Asymmetric Crypto / Signature / Hash

Confidentiality:

Symmetric Crypto

Integrity:

Hash / Signature / MAC

Non-repudiation:

Hash / Signature

hashfunctions
Hashfunctions
  • Analogy: digital fingerprints
  • Compression: Data ofarbitrarylengthismappedto n bits. (Typicalvalues: 128/160 bits)
  • Cryptographicproperties
  • Preimageof a hashishardto find.
  • Twodataelementswiththe same hashvaluearehardto find (Collisions).

Data

Hash

hashfunctions1

m

m'

m

m

m'

Hashfunctions
  • Compression: Data ofarbitrarylengthismappedto n bits.
  • Preimageof a hashishardto find.One-wayness: Givenh(m) findingmisinfeasible.
  • Twodataelementswiththe same hashvaluearehardto find (Collisions).Collisionresistance:Itisinfeasibleto find mandm‘whicharemappedtothe same value. (birthday paradox; outputshouldbeat least 160 bits)

h(m)

secure hash algorithm sha
Secure Hash Algorithm (SHA)
  • First version: SHA-0 (160 bit output) in early 90s
  • SHA-1 only a minor change to SHA-0
  • Chinese Research Group attacked SHA-1:
    • On collision resistance only expected effort: 280, real effort 263 (Birthday paradox)
    • Applicability highly depends on application
  • SHA-224,256,512 etc … xxx giving the length of output
  • SHA-3 in reviewandselectionprocess
message authentication codes mac hash

At 10 at my place

Alice

At 10 at my place

Anneliese

Authentication

The active attacker: Who is the origin of a message?

Message Authentication Codes: MAC, HASH

K

m, MAC

Message Authentication Code (“symmetric signature”)

A authenticates her message by computing a tagMAC and sends it together with the message to B.B can verify this tag by re-computing it and checkwhether the two results match.

m,

K

computesMAC= HK(m)

verifiesMAC = HK(m) ?

The function H can be either a hash function (SHA, MD5), or a symetric block cipher based on DES or AES (CMAC,…).

 Integrity: Message can’t be easily modified

slide26

Introduction - What is Android ?

Platform Architecture

Platform Components

Platform Initialization

How to get Android sources

Key Exchange

Asymmetric Crypto

what about the keys
What about the Keys?
  • Alice and Bob need to share the same key. How to share it securely?
  • Pre distribution? (ie: keys exchanges in a “secure environment”)
    • Trust provisionning (see later)
  • Secured Key Exchange
    • Diffie Hellman and asymetric cryptography
diffie hellmann key exchange
Diffie Hellmann Key Exchange

Private “keys”

Public “keys”

asymmetric crypto the idea
Asymmetric Crypto: The Idea

Bob‘s Public Key

Bob‘s Private Key

Plaintext

Plaintext

Ciphertext

Encryption

RSA

ECC

Decryption

RSA

ECC

asymmetric crypto signatures
AsymmetricCrypto: Signatures

Bob‘s Private Key

Bob‘s Public Key

Plaintext, Hash

Plaintextverified

Plaintext, Hash, Signature

Signature Generation

(Decryption)

RSA

ECC

SignatureVerification

(Encryption andComparewith Hash)

RSA

ECC

principles of asymmetric encryption
Everyone can put a letter into Bob‘s mailbox.Everyone can encrypt message for Bob.Everyonecan verify Bob’s signature

Encryption

Decryption

Hello Bob,

....

...

Hello Bob,

....

...

Bob

Principles of Asymmetric Encryption

Only Bob can open his mailbox with his private key.Only Bob can decrypt with his private key. Only Bob can create his own signature

slide33

Introduction - What is Android ?

Platform Architecture

Platform Components

Platform Initialization

How to get Android sources

Asymmetric Crypto: RSA

slide34

dB

A: nA,eA

B: nB,eB

C : nC,eC

dC

dA

RSA
  • Based on the so called factorization problem:
    • Given two prime numbers, it is easy to multiply them. Given the product, it is difficult to find the prime numbers.
  • RSA Keys – Every participant has
    • a modulus n = p*q (public), the product of two large prime numbers
    • a public exponent e(for performance reasons, one often chooses small prime numbers with few 1’s)
    • a private exponent d.
rsa operation
RSA - Operation

Encryption

Decryption

The sender computes

c = me mod n,

where

m is the message, (n, e)is the public key of the receiver, and cis the cipher text.

The receiver computes

cd mod n,

where c is the cipher text and d is the private key of the receiver.

It holds:cd mod n = med mod n = m.

  • For signing it is the other way round:
    • Signing is the same operation as decrypting
    • Verifying a signature is the same operation as encrypting
rsa some math
RSA – SomeMath

c = memod n and m = cdmod n - Why?

  • Primes p, q ; n = p*q
  • Thus, φ(n) = (p-1)*(q-1) = |{ x | x and n arecoprime }|.
  • Euler‘s Theorem: cφ(n) mod n = 1 mod n
  • Let e, d such that
    • e andφ(n) arecoprime, thus inverse of e modφ(n) exists
    • e*d = 1 modφ(n)
  • Let‘sprove RSA:
    • cdmod n = (me)dmod n = medmod n // substitution = m1+k*φ(n)mod n = m1 * mk*φ(n)mod n // definitionmodulo = m1 * (mφ(n)) k mod n = m * 1kmod n // Euler‘s Theorem= m
slide37
RSA
  • Size of the RSA keys
    • The bit length of the modulus is called the size of an RSA key. The public exponent is usually a lot shorter; the private exponent is of the same length as the modulus.
    • Today, everything larger than 1024 2048 bit is considered to be secure.
  • Implementation
    • Chinese Remainder Theorem (CRT) is a mathematical fact that allows to make decryption and signing significantly more efficient. Has to be carefully implemented in order to be secure.
    • Implementation without CRT is often called “straight forward” – significantly less performance, but usually less security issues as well
embedded nfc2
Embedded NFC

Public Key Infrastructure

threat authenticity of public keys

A : E A

B : E B

E X

C : E CU : E U

V : E V

Threat: Authenticity of Public Keys
  • AttackMr. X replaces B’s public key EB by his own public key EX.
  • Consequences:
    • Encryption: Only X can read messages that are meant for B.
    • Signature: B’s signatures are not verifiable – B’s signatures are invalid! X can sign messages that are verified as Bob’s signatures.
certificates

DCA

Certificates

DA

A, EA

Cert(A)

  • Name and public key are signed by a trustworthy institution (certification authority, CA).
  • Message (name, public key) and the CA’s signature on it are called “certificate”: Cert(A) = {A, EA}, DCA{A, EA}
  • Format of Certificates have to be specified – X.509 for example
  • Tree-likestructurepossible – pathoftrust
random numbers
Random numbers
  • Facts:
    • In cryptography, often “unpredictable” numbers are needed (for keys for example).
    • Example: Generate a 128 bit AES key – required is, that even if an attacker “knows” 127 bits of this key, he should not be able to guess the missing bit with a better probability than ½.
    • There is NO mathematical way to determine whether the outcome of an “random number generator” is unpredictable!!!!
    • The best thing offered by mathematicians are statistical tests: but they can only test whether a sequence of random numbers has a specific structure or property (and hence is NOT unpredictable). A statistical test never gives a POSITIVE result. Passing a test, only means a sequence does not have one specific (of many) negative properties.