

Cryptography for software engineers: A quick overview



Jas Chhabra

August 22, 2014


Transcript

1. What is AES?
   • AES is a block cipher.
   • Block ciphers work on fixed-size blocks of data; AES, like most block ciphers in current use, works on 128-bit blocks.
   • Visualizing an ideal block cipher: a randomly chosen lookup table of size 2^128 that maps each 128-bit input to a 128-bit output. [Figure: 128-bit input, random mapping, 128-bit output]
2. What does AES do? (a single round)
   • XOR the round key with the data.
   • Apply a fixed lookup table (the S-box) to each byte.
   • Shift each row of bytes by a fixed offset.
   • Mix the bytes with a linear transformation.
   • Repeat for 10 to 14 rounds depending on the size of the key (10 for 128-bit keys, 12 for 192-bit, 14 for 256-bit).
3. Quick note: Kerckhoffs's principle
   • The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm.
   • Why? Algorithms are hard to change, and it is difficult to get cryptographic algorithms right; it is better to publish them for analysis.
4. Alice decides to use AES encryption
   • Alice computes c = E(K, m) and sends c; Bob computes m = D(K, c). Eve is listening in.
   • The message "Buy INTC 50 90 shares" is split into blocks and each block is encrypted on its own: ci = E(K, mi). This is ECB (Electronic Code Book) mode.
5. But Eve is clever. She changes the message in the following way
   • Alice sends "Buy INTC 50 90 shares", encrypted block by block: ci = E(Ke, mi) (ECB mode).
   • Eve swaps the two ciphertext blocks that hold "50" and "90".
   • Bob decrypts each block, mi = D(Ke, ci), and receives "Buy INTC 90 50 shares". Nothing in ECB detects the swap.
6. AES Electronic Code Book (ECB) mode issues
   • Blocks can be swapped (or duplicated, or dropped) without detection.
   • Patterns can be detected: identical plaintext blocks encrypt to identical ciphertext blocks. [Figure: an original image next to the same image encrypted with AES in ECB mode; the outlines are still visible in the ciphertext]
7. Quick note: padding
   • Block ciphers work on messages that are a multiple of the block size.
   • If the message is not a multiple of the block size, padding is required. A message that already is a multiple gets a whole extra block of padding, otherwise the receiver could not tell padding from data.
   • Two common padding schemes:
     • Append a 0x80 byte (decimal 128) and then as many 0x00 bytes as needed to make the message a multiple of the block size (ISO/IEC 7816-4 style).
     • Determine the number of bytes n > 0 required to make the message a multiple of the block size, then add n bytes, each with value n (PKCS#7).
   • Examples with 16-byte blocks (DD = message byte):
     DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00
     DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04
     DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08
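Both padding schemes from the slide, with the checks a receiver has to perform when removing them, as an added example (this is not code from the deck; the 16-byte block size is AES's, and the sample bytes are constructed):

```python
# Added example, not from the deck: PKCS#7 and ISO/IEC 7816-4 style padding for a 16-byte
# block cipher, with strict unpadding.  All sample inputs are constructed.

BLOCK = 16


def pad_pkcs7(msg: bytes) -> bytes:
    """Append n bytes of value n (1 <= n <= BLOCK).  A message that is already a multiple of
    BLOCK gets a full block of 0x10 bytes; without that, unpadding would be ambiguous."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad_pkcs7(padded: bytes) -> bytes:
    """Strip PKCS#7 padding; every byte of the padding is checked, not just the last one."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("input is not a whole number of blocks")
    n = padded[-1]
    if n < 1 or n > BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def pad_iso7816(msg: bytes) -> bytes:
    """Append 0x80 and then 0x00 bytes up to the next block boundary (the '128 then zeros' scheme)."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)


def unpad_iso7816(padded: bytes) -> bytes:
    """Strip trailing zeros and then the single 0x80 marker; anything else is rejected.
    The marker is the last non-zero byte, so data that itself ends in 0x80 0x00 is safe."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("input is not a whole number of blocks")
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80") or len(padded) - len(stripped) >= BLOCK:
        raise ValueError("bad padding")
    return stripped[:-1]


def is_valid_padding(unpad, data: bytes) -> bool:
    """True if unpad() accepts data.  A receiver must never tell the sender *why* a message
    was rejected: a distinguishable padding error is the oracle behind padding-oracle attacks."""
    try:
        unpad(data)
        return True
    except ValueError:
        return False
```

The three byte strings on the slide fall out of `pad_iso7816(b"\xdd" * 12)`, `pad_pkcs7(b"\xdd" * 12)` and `pad_pkcs7(b"\xdd" * 8)`; the full-block case is `pad_pkcs7(b"\xdd" * 16)`, which grows the message to 32 bytes.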
8. Alice looks up other block cipher modes
   • She likes two: CBC and CTR. Let us look at both.
9. Quick note: IV
   • Initialization vector: used in block cipher modes as an input along with the key.
   • Fixed IV: an IV that doesn't change.
   • Counter IV: IV = 0 for the first message, IV = 1 for the second, etc.
   • Random IV: a large random number as IV for each message.
   • Nonce-generated IV: the IV is derived from a nonce ("number used once" per key), such as a message number, or a random number plus a message number.
10. Quick XOR refresher
   • 1 ⊕ 0 = 0 ⊕ 1 = 1
   • 0 ⊕ 0 = 1 ⊕ 1 = 0
   • A ⊕ 0 = A
   • A ⊕ A = 0
   • A ⊕ A ⊕ A = A
11. CBC: Cipher Block Chaining (encryption)
   • Each plaintext block is XORed with the previous ciphertext block (the IV for the first block) and the result is encrypted under the key:
     Ci = Ek(Pi ⊕ Ci-1), C0 = IV
12. CBC: Cipher Block Chaining (decryption)
   • Each ciphertext block is decrypted under the key and XORed with the previous ciphertext block (the IV for the first block):
     Pi = Dk(Ci) ⊕ Ci-1, C0 = IV
13. CBC: which IV to use?
   • Fixed IV: what if two messages start with the same plaintext block? Their first ciphertext blocks are identical, which leaks that fact to Eve.
   • Counter IV: if the first blocks of two messages differ in a simple way, the XOR with the counter may cancel the difference out, again producing identical ciphertext blocks.
   • Random IV: good, but requires a random number to be sent along with the message.
   • Nonce IV: good; use a smaller random number plus a counter as the nonce.
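The block swap of slide 5, the pattern leak of slide 6 and the fixed-IV leak of slide 13, run as an added example (not code from the deck). Python's standard library has no AES, so a small Feistel network built on HMAC-SHA256 stands in for the block cipher E/D; the key and the four-block order are constructed sample values.

```python
# Added example, not from the deck: ECB vs CBC behaviour from slides 4-6 and 11-13.
# A 4-round Feistel network on HMAC-SHA256 stands in for AES: it is a keyed, invertible
# 16-byte block cipher, which is all the mode-level behaviour here depends on.  Demo only.
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF of (round index, right half), 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    # The same network with the rounds in reverse order undoes encryption.
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):            # ci = E(K, mi): every block on its own
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(msg))


def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, b) for b in _blocks(ct))


def cbc_encrypt(key, iv, msg):        # Ci = E(K, Pi xor Ci-1), C0 = IV
    prev, out = iv, []
    for block in _blocks(msg):
        prev = toy_encrypt_block(key, _xor(block, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):         # Pi = D(K, Ci) xor Ci-1, C0 = IV
    prev, out = iv, []
    for block in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


# Constructed sample: Alice's order as four space-padded 16-byte blocks, so that
# "50" and "90" each sit in a block of their own, as on the slides.
KEY = b"sixteen byte key"            # constructed demo key
BLOCKS = [s.ljust(BLOCK, b" ") for s in (b"Buy INTC", b"50", b"90", b"shares")]
MESSAGE = b"".join(BLOCKS)


def eve_swaps_ecb_blocks(key=KEY):
    """Slide 5: swapping two ciphertext blocks swaps the plaintext blocks; nothing detects it."""
    c = _blocks(ecb_encrypt(key, MESSAGE))
    return ecb_decrypt(key, c[0] + c[2] + c[1] + c[3])


def ecb_leaks_repeats(key=KEY):
    """Slide 6: equal plaintext blocks give equal ciphertext blocks under ECB,
    but not under CBC with a random IV.  Returns (ecb_equal, cbc_equal)."""
    twice = BLOCKS[1] + BLOCKS[1]
    ecb = _blocks(ecb_encrypt(key, twice))
    cbc = _blocks(cbc_encrypt(key, os.urandom(BLOCK), twice))
    return ecb[0] == ecb[1], cbc[0] == cbc[1]


def fixed_iv_leaks_first_block(key=KEY):
    """Slide 13: with a fixed IV, two messages that start alike share their first ciphertext block."""
    iv = bytes(BLOCK)
    a = cbc_encrypt(key, iv, BLOCKS[0] + BLOCKS[1])
    b = cbc_encrypt(key, iv, BLOCKS[0] + BLOCKS[2])
    return a[:BLOCK] == b[:BLOCK]
```

`eve_swaps_ecb_blocks()` decrypts cleanly to "Buy INTC 90 50 shares": Bob has no way to tell that Eve touched the ciphertext, which is the point the next slides build on.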
14. CTR: Counter mode (encryption)
   • The block cipher encrypts a counter block Nonce || i (for example F45a34… || 000000, F45a34… || 000001, …) under the key to produce a keystream block, which is XORed with the plaintext block:
     Ki = E(K, Nonce || i) for i = 1, …, k
     Ci = Pi ⊕ Ki
15. CTR: Counter mode (decryption)
   • Decryption regenerates the same keystream, again with the block cipher's encryption function, and XORs it with the ciphertext:
     Ki = E(K, Nonce || i) for i = 1, …, k
     Pi = Ci ⊕ Ki
16. AES CTR
   • Counter = Nonce || i
   • If ever the counter is repeated under the same key:
     Cx ⊕ Cy = E(K, counter) ⊕ Px ⊕ E(K, counter) ⊕ Py
     i.e. Cx ⊕ Cy = Px ⊕ Py, so the XOR of the two plaintexts is exposed, and knowing either plaintext reveals the other.
   • Never, ever repeat a counter with the same key.
17. CTR advantages
   • Random access is possible.
   • Both encryption and decryption can be parallelized.
   • Needs only the encryption implementation of the block cipher.
18. Alice decides to use AES CTR encryption
   • Alice sends c = E(Ke, Nonce || i) ⊕ Pi; Bob recovers Pi = E(Ke, Nonce || i) ⊕ Ci. Eve is listening in.
   • The message "Buy INTC 50 90 shares" is split into blocks and each block is sent as ci = E(Ke, Nonce || i) ⊕ Pi. (The slide's diagram still carries the "ECB mode" label from the earlier example; the mode in use here is CTR.)
19. Eve is clever
   • Alice sends using CTR.
   • Eve changes the first block by XORing it with (Buy ⊕ Sell).
   • So the first block becomes:
     c = E(Ke, Nonce || 1) ⊕ Buy ⊕ (Buy ⊕ Sell)
     i.e. c = E(Ke, Nonce || 1) ⊕ Sell
   • So Bob gets: "Sell INTC 50 90 shares". CTR hides the content, but it does nothing to stop Eve from changing it: the ciphertext is malleable, and Eve needs no key to do this.
20. Alice figures she needs something to protect this message
   • Her goal this time is to ensure that Eve can't change the message.
   • She doesn't care about confidentiality (to keep things simple).
   • She looks up hash functions.
21. What is a hash function?
   • Ideal hash function: arbitrary-length input, fixed-length output.
   • Behaves like a random mapping, but always gives the same output for the same input.
22. Defining security of hash functions
   • Pre-image resistance: given a hash h, it should be difficult to find any message m such that h = hash(m).
   • Second pre-image resistance: given an input m1, it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
   • Collision resistance: it should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2).
23. Standard hash functions
   • MD5: don't use.
   • SHA-1: avoid. Not recommended for use; only use it if the system gives you no other choice.
   • SHA-2: use this.
   • SHA-3: not finalized at the time of this talk (it was standardized as FIPS 202 in 2015).
   • One of the properties (bug?) of MD5, SHA-1 and SHA-2 is that if m = m1 || m2, with m1 padded out to a block boundary, then
     H(m) = h(h(m1), m2)
     where h is the compression function. In other words, the hash of a longer message can be computed from the hash of a prefix without knowing the prefix. This is called the length extension issue. (The truncated variants SHA-224, SHA-384 and SHA-512/256 are exceptions, because their output does not expose the full internal state.)
24. Alice is now confident
   • She decides to use a SHA-2 hash.
   • Assume: Alice and Bob share a secret key K, just as for encryption.
25. Alice decides to use SHA-2
   • Alice sends "Buy INTC 50" together with the tag SHA2(K || Data), where K is the secret. Eve is listening in.
26. As usual, Eve is clever
   • Eve treats the tag SHA2(K || Data) as the hash state and continues hashing from it, computing SHA2(SHA2(K || Data), 90), with the padding that the first hash applied internally sitting between Data and 90. She needs only the length of K, not K itself.
   • She also changes the message to "Buy INTC 50 … 90" and attaches the continued hash as the new tag, which verifies under Alice and Bob's scheme.
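Eve's move on slides 23 to 26, carried out for real against SHA-256, and the HMAC of slide 27 resisting it, as an added example that is not code from the deck. `hashlib` does not let you seed the internal state, so a compact SHA-256 is written out below (its constants derived the way FIPS 180-4 defines them) and cross-checked against `hashlib`; the key, the order and the " 90" extension are constructed values, and Eve is assumed to know the key's length.

```python
# Added example, not from the deck: SHA-256 length extension (slides 23-26) and why HMAC
# (slide 27) is immune.  Key, data and extension are constructed demo values.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _primes(count):
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found):
            found.append(n)
        n += 1
    return found


def _frac_root_bits(p, k):
    """First 32 fractional bits of p**(1/k), in exact integer arithmetic (FIPS 180-4 constants)."""
    n = p << (32 * k)                  # (p * 2^(32k))^(1/k) == p^(1/k) * 2^32
    x = int(round(n ** (1.0 / k)))
    while x ** k > n:
        x -= 1
    while (x + 1) ** k <= n:
        x += 1
    return x & MASK


K = [_frac_root_bits(p, 3) for p in _primes(64)]    # round constants: cube roots of primes
H0 = [_frac_root_bits(p, 2) for p in _primes(8)]    # initial state: square roots of primes


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """The compression function h: (chaining value, 64-byte block) -> chaining value."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        t1 = (h + big_s1 + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        t2 = (big_s0 + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def md_padding(total_len):
    """Merkle-Damgard padding for total_len message bytes: 0x80, zeros, 64-bit bit count."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(msg, state=None, already_hashed=0):
    """SHA-256(msg); or, given a chaining value that already covers already_hashed bytes
    (a whole number of blocks), continue from it: H(m1 || m2) = h(h(m1), m2), slide 23."""
    st = list(state) if state else list(H0)
    data = msg + md_padding(already_hashed + len(msg))
    for i in range(0, len(data), 64):
        st = _compress(st, data[i:i + 64])
    return b"".join(struct.pack(">L", v) for v in st)


def length_extend(tag, prefix_len, extension):
    """Slide 26.  tag = SHA256(K || data) and prefix_len = len(K || data) are all Eve has.
    Returns (glue, forged) with forged == SHA256(K || data || glue || extension)."""
    glue = md_padding(prefix_len)                 # the padding the first hash applied internally
    state = struct.unpack(">8L", tag)             # the tag *is* the full internal state
    return glue, sha256(extension, state, prefix_len + len(glue))


KEY = b"0123456789abcdef"       # constructed secret; Eve never sees it, only its length
DATA = b"Buy INTC 50"


def eve_forges():
    """Returns (forged message, forged tag, accepted by the SHA2(K || m) check)."""
    tag = hashlib.sha256(KEY + DATA).digest()     # what Alice transmitted on slide 25
    glue, forged_tag = length_extend(tag, len(KEY) + len(DATA), b" 90")
    forged_msg = DATA + glue + b" 90"
    accepted = hmac.compare_digest(hashlib.sha256(KEY + forged_msg).digest(), forged_tag)
    return forged_msg, forged_tag, accepted


def eve_tries_against_hmac():
    """Slide 27: the same trick on an HMAC tag.  The result is a valid SHA-256 of
    (K xor opad) || inner || glue || ' 90', which is not HMAC(K, anything); the check fails."""
    tag = hmac.new(KEY, DATA, hashlib.sha256).digest()
    glue, forged_tag = length_extend(tag, 64 + 32, b" 90")    # outer input: one block + inner digest
    expected = hmac.new(KEY, DATA + glue + b" 90", hashlib.sha256).digest()
    return hmac.compare_digest(expected, forged_tag)
```

The forged message carries the glue padding (a 0x80 byte, zeros and a length field) between "Buy INTC 50" and " 90"; whether Bob's parser tolerates those bytes is a separate question, but the tag check, which is the only protection Alice put in place, passes. If Eve does not know the key length she simply tries each plausible length in turn.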
27. How to fix this?
   • Use HMAC:
     HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
   • opad is the outer padding (0x5c5c5c…5c5c, a one-block-long hexadecimal constant).
   • ipad is the inner padding (0x363636…3636, a one-block-long hexadecimal constant).
   • K is first padded with zeros to the hash block length (or hashed first if it is longer than a block). Because the secret key enters the outer hash as well, a tag cannot be extended the way a bare hash can.
   • Other MACs are available, but this is the most commonly recommended one.
28. Horton principle
   • "Authenticate what is being meant, not what is being said."
   • Suppose you had two messages to send, M1 and M2.
   • You just send M1 || M2 || HMAC(M1 || M2).
   • What happens? The receiver cannot tell where M1 ends and M2 begins: a different split of the same bytes carries the same MAC.
29. Lesson: always structure your message to be unambiguous and then MAC the whole thing
   • For example, send:
     { message1_length = aa; message1 = "M1"; message2_length = bb; message2 = "M2"; } HMAC({…})
   • "Authenticate what is being meant, not what is being said."
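The ambiguity of slides 28 and 29 made concrete, as an added example (not code from the deck): two different (M1, M2) pairs that concatenate to the same bytes, hence the same HMAC, and the length-prefixed encoding that tells them apart. The key and messages are constructed, and the 4-byte big-endian length prefix is an assumption; the slide shows lengths without fixing a format.

```python
# Added example, not from the deck: MAC over M1 || M2 versus MAC over a length-prefixed
# structure (slides 28-29).  Key, messages and the 4-byte length prefix are assumptions.
import hashlib
import hmac
import struct

KEY = b"constructed shared MAC key"


def naive_tag(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Slide 28: HMAC over the bare concatenation M1 || M2."""
    return hmac.new(key, m1 + m2, hashlib.sha256).digest()


def encode_fields(*fields: bytes) -> bytes:
    """Slide 29: every field is sent as <4-byte length><bytes>, so the split is unambiguous."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def decode_fields(data: bytes) -> list:
    """Inverse of encode_fields; rejects truncated input."""
    fields, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos:pos + n])
        pos += n
    return fields


def structured_tag(key: bytes, *fields: bytes) -> bytes:
    """MAC over the encoded structure: what is meant, not merely what is said."""
    return hmac.new(key, encode_fields(*fields), hashlib.sha256).digest()


def valid_encoding(data: bytes) -> bool:
    try:
        decode_fields(data)
        return True
    except ValueError:
        return False


# Constructed sample: (amount, recipient).  "10" + "0 to Bob" and "100" + " to Bob" are the
# same bytes on the wire, but one pays 10 and the other pays 100.
PAIR_A = (b"10", b"0 to Bob")
PAIR_B = (b"100", b" to Bob")


def ambiguity_demo():
    """Returns (naive tags equal, structured tags equal) for the two pairs."""
    naive_same = hmac.compare_digest(naive_tag(KEY, *PAIR_A), naive_tag(KEY, *PAIR_B))
    structured_same = hmac.compare_digest(structured_tag(KEY, *PAIR_A),
                                          structured_tag(KEY, *PAIR_B))
    return naive_same, structured_same
```

`ambiguity_demo()` returns `(True, False)`: under the naive scheme a valid tag for "pay 10 to 0 to Bob" is equally a valid tag for "pay 100 to Bob", while the structured encoding MACs the field boundaries along with the bytes.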
30. Alternative MAC 1: CBC-MAC
   • CBC-MAC: use CBC with IV = 0 and return the last block as the MAC.
     H0 = IV; the IV should be fixed, generally 0.
     Hi = E(K, Pi ⊕ Hi-1)
     MAC = Hk
   • Why IV = 0? If the IV travelled with the message, an attacker could change the IV and the first block together without changing the MAC.
   • CBC-MAC is good and secure for messages of one fixed length, but suffers from certain types of collision attacks when message lengths vary: the tag T of a one-block message m is also a valid tag for the two-block message m || (m ⊕ T).
   • So, use CMAC.
31. Alternative MAC 2: CMAC
   • Same as CBC-MAC, except for the way the last block is handled.
   • Generate two subkeys k1 and k2 from the MAC key k.
   • Calculate the MAC using CBC-MAC, except for the last block.
   • Change the last block mn′ to the following before applying CBC-MAC:
     • if mn′ is a complete block: mn = k1 ⊕ mn′
     • else: mn = k2 ⊕ (mn′ || 10…0₂), i.e. pad with a single 1 bit followed by zeros to fill the block.
32. Alice wants the following
   • Eve shouldn't learn anything about the messages except for their timing and size.
   • Bob should only get proper messages and should be able to figure out the correct order.
   • Duplicates are detected.
   • Message modifications are detected.
   • By now you have probably guessed that this can be achieved by a combination of encryption and authentication.
33. Authentication and encryption
   Three possibilities:
   1. MAC, then encrypt everything including the MAC (MAC-then-encrypt)
   2. Encrypt, then MAC the encrypted message (encrypt-then-MAC)
   3. Encrypt, and MAC the plaintext message (encrypt-and-MAC)
   • Which one to use?
34. Encrypt and MAC the plaintext message
   • Not recommended, as any weakness in the MAC will leak information about the message: a MAC is not required to hide its input, and a deterministic MAC of the plaintext also reveals when the same plaintext is sent twice.
35. MAC and then encrypt the whole message including the MAC
   • Eve only gets to see ciphertext and the encrypted MAC.
   • Much harder to attack the MAC.
   • This is fine to use.
   • Potential timing attacks with padding (the TLS Lucky 13 attack): the receiver has to strip the padding before it can check the MAC, and the time that takes can leak information about the plaintext.
36. Encrypt and then MAC the encrypted message
   • Invalid messages can be dropped fast, without decryption.
   • Is not fully in line with Horton's principle: there may be ambiguity, since the MAC covers the ciphertext rather than the meaning of the message.
   • This is good to use.
   • We will use this, and add authenticated headers to remove the ambiguity.
37. Secure channel: generate keys
   • KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
   • KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
   • KEYSENDAUTH ← HMAC-SHA2(K, "Auth Alice to Bob")
   • KEYRECAUTH ← HMAC-SHA2(K, "Auth Bob to Alice")
   • Swap the send and receive keys if the message is from Bob to Alice, so that each direction has its own encryption and authentication keys.
38. Message counters
   • Two message counters:
     • Cab = Alice-to-Bob message counter
     • Cba = Bob-to-Alice message counter
   • Both Alice and Bob store the state of both counters.
   • Initialize both to 0.
39. Alice sending a message to Bob
   • We will only go through this direction; Bob to Alice is identical.
40. Choosing the CTR counter
   • It is recommended that the number of blocks encrypted with one AES 128-bit key stays below 2^64 - 1.
   • This is because after about 2^64 blocks the output becomes distinguishable from random (the birthday bound for a 128-bit block).
   • To ensure this, we use a counter for messages sent from Alice to Bob that never repeats, and keep the number of blocks encrypted below 2^64.
   • Counter = (Cab || i) for the i-th block of this particular message.
   • Ensure that Cab < 2^32 - 1.
   • Ensure that length(m) < (2^32 - 1) * block_size.
41. Alice sending a message
   • Ensure that Cab < 2^32 - 1.
   • Increment Cab.
   • Ensure that length(m) < (2^32 - 1) * block_size.
   • Use Counter = (Cab || i) for the i-th block for AES-CTR.
   • Message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2 (computed over the header and the encrypted message)
42. Bob: receiving a message
   • Ensure that Cab > the last received Cab.
   • Check the HMAC of the message; drop it if it does not match.
   • Store Cab (only now, after the HMAC check, so that a forged header can never advance the counter). Check the Version.
   • Decrypt using AES-CTR with Counter = (Cab || i) for the i-th block.
   • Check the Type and process accordingly.
   • Message layout: Header [Version | Cab | Length | Type] | Encrypted message | HMAC-SHA2
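The secure channel of slides 37 to 42, both directions, as an added example (not code from the deck). Things the deck leaves open and this code assumes: HMAC-SHA256 is the HMAC-SHA2; the CTR keystream block for counter (Cab || i) is HMAC-SHA256 of Cab || i truncated to 16 bytes, standing in for AES since the standard library has none; the header is big-endian Version(1) | Cab(4) | Type(1) | Length(4); the HMAC covers header || ciphertext (encrypt-then-MAC with an authenticated header) and is 32 bytes; the master key K and the messages are constructed values.

```python
# Added example, not from the deck: the secure channel of slides 37-42.  HMAC-SHA256 stands in
# for HMAC-SHA2 and for the AES-CTR keystream PRF; the header layout, tag length and the master
# key K are assumptions made for this demo.
import hashlib
import hmac
import struct

BLOCK, TAG_LEN, VERSION = 16, 32, 1
MAX_COUNTER = 2 ** 32 - 1
HEADER = struct.Struct(">BIBI")      # version, Cab, type, length of the encrypted message


def derive(master: bytes, label: bytes) -> bytes:
    """Slide 37: per-direction, per-purpose keys from the shared key K."""
    return hmac.new(master, label, hashlib.sha256).digest()


def ctr_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """CTR with counter block (Cab || i); encryption and decryption are the same."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), BLOCK), start=1):
        ks = hmac.new(key, struct.pack(">IQ", counter, i), hashlib.sha256).digest()[:BLOCK]
        out += bytes(d ^ k for d, k in zip(data[start:start + BLOCK], ks))
    return bytes(out)


class Endpoint:
    def __init__(self, master: bytes, me: bytes, peer: bytes):
        self.send_enc = derive(master, b"Enc %s to %s" % (me, peer))
        self.recv_enc = derive(master, b"Enc %s to %s" % (peer, me))
        self.send_auth = derive(master, b"Auth %s to %s" % (me, peer))
        self.recv_auth = derive(master, b"Auth %s to %s" % (peer, me))
        self.send_ctr = 0       # my counter (Cab when I am Alice); slide 38
        self.recv_ctr = 0       # highest counter accepted from the peer

    def send(self, msg_type: int, plaintext: bytes) -> bytes:
        """Slide 41: counter bookkeeping, CTR encryption, HMAC over header || ciphertext."""
        if self.send_ctr >= MAX_COUNTER:
            raise RuntimeError("counter exhausted; rekey before sending more")
        if len(plaintext) >= MAX_COUNTER * BLOCK:
            raise ValueError("message too long for one counter value")
        self.send_ctr += 1
        ct = ctr_xor(self.send_enc, self.send_ctr, plaintext)
        header = HEADER.pack(VERSION, self.send_ctr, msg_type, len(ct))
        tag = hmac.new(self.send_auth, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def receive(self, packet: bytes):
        """Slide 42: counter check, MAC check, then (and only then) store the counter and decrypt."""
        if len(packet) < HEADER.size + TAG_LEN:
            raise ValueError("short packet")
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        version, ctr, msg_type, length = HEADER.unpack(header)
        if ctr <= self.recv_ctr:
            raise ValueError("replayed or out-of-order message")
        expected = hmac.new(self.recv_auth, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad MAC")
        self.recv_ctr = ctr                   # a forged header can never advance this
        if version != VERSION or length != len(body):
            raise ValueError("bad header")
        return msg_type, ctr_xor(self.recv_enc, ctr, body)


MASTER = b"constructed 32-byte master key.."   # constructed demo value for K


def _attempt(endpoint: Endpoint, packet: bytes):
    try:
        return endpoint.receive(packet)
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """A good message, a replay of it, a tampered copy, and a reply in the other direction."""
    alice = Endpoint(MASTER, b"Alice", b"Bob")
    bob = Endpoint(MASTER, b"Bob", b"Alice")
    first = alice.send(1, b"Buy INTC 50 90 shares")
    results = {"ok": bob.receive(first), "replay": _attempt(bob, first)}
    second = alice.send(1, b"Buy INTC 50 90 shares")
    h = HEADER.size                        # flip one bit of the first ciphertext byte
    results["tampered"] = _attempt(bob, second[:h] + bytes([second[h] ^ 0x01]) + second[h + 1:])
    results["reply"] = alice.receive(bob.send(2, b"order received"))
    return results
```

The replay is rejected on the counter before any cryptography runs, and the bit flip that turned "Buy" into "Sell" on slide 19 is now rejected on the MAC before decryption; in both cases the receiver's counter state is left untouched.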
43. Mod p operations
   • 9 mod 7 = 2: the remainder left after division, since 9 = 7*1 + 2.
   • 16 mod 7 = 2, since 16 = 7*2 + 2.
44. Other values
   Pre-known/exchanged values:
   • p, g, q (may be exchanged as part of the protocol)
   • Always check:
     • p = N*q + 1 (q divides p - 1)
     • (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1 (for your own g, and for every public value g^x received from the peer)
     • make sure q is a large enough prime (≥ 256 bits)
     • make sure p is a large enough prime (≥ 2048 bits)
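The checks on this slide run against a toy group, as an added example (not code from the deck). p = 23, q = 11 (so p = 2q + 1) and g = 2 are constructed values chosen so that the arithmetic can be followed by hand (2 has order 11 mod 23); the size check the slide asks for is enforced for real parameters and bypassed with `toy=True` here.

```python
# Added example, not from the deck: DH parameter and public-value validation (slide 44).
# p = 23, q = 11, g = 2 are toy constructed values; real parameters are 2048/256-bit.
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, enough to validate parameters received from a peer."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_params(p: int, q: int, g: int, toy: bool = False) -> None:
    """p = N*q + 1, p and q prime, g != 1 and g^q = 1 mod p (g generates the order-q subgroup)."""
    if not toy and (p.bit_length() < 2048 or q.bit_length() < 256):
        raise ValueError("p or q is too small")
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be prime")
    if (p - 1) % q != 0:
        raise ValueError("q does not divide p - 1")
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        raise ValueError("g is not a generator of the order-q subgroup")


def check_public(y: int, p: int, q: int) -> None:
    """A received g^x must be in range, not 1, and satisfy (g^x)^q = 1 mod p;
    otherwise a peer can push you into a small subgroup and learn bits of your x."""
    if not 1 < y < p - 1 or pow(y, q, p) != 1:
        raise ValueError("invalid public value")


def accepts(check, *args) -> bool:
    try:
        check(*args)
        return True
    except ValueError:
        return False


def shared_secret(p: int, q: int, x: int, peer_public: int) -> int:
    check_public(peer_public, p, q)
    return pow(peer_public, x, p)


def demo() -> bool:
    """A full exchange in the toy group: both sides derive the same g^xy."""
    p, q, g = 23, 11, 2
    check_params(p, q, g, toy=True)
    x, y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1   # private exponents in [1, q-1]
    gx, gy = pow(g, x, p), pow(g, y, p)                                   # the exchanged values
    return shared_secret(p, q, x, gy) == shared_secret(p, q, y, gx)
```

In the toy group g = 5 fails `check_params` (it has order 22, not 11), and a received value of 5 fails `check_public` for the same reason, while 4 = 2^2 passes both; with the size check enabled the whole toy group is rejected outright.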
45. Man in the middle
   • Alice sends g^x; Eve intercepts it and forwards g^v to Bob. Bob replies with g^y; Eve intercepts it and forwards g^w to Alice.
   • Alice computes K = (g^w)^x and Bob computes K = (g^v)^y; these are two different keys.
   • Eve computes K1 = (g^x)^w, which matches Alice's key, and K1 = (g^y)^v, which matches Bob's, so she can decrypt and re-encrypt everything that passes between them.
46. So, how to exchange?
   • Assume there is some way to authenticate messages.
   • We will see how to do that with public/private key cryptography: the authenticated DH protocol.
   • First we will look at RSA public/private key cryptography.
47. RSA: key generation (1/2)
   • Generate two distinct large prime numbers p and q.
   • Calculate n = p * q.
   • Compute t = (p - 1)(q - 1), or t = lcm(p - 1, q - 1).
   • Choosing t like this implies, for any x coprime to n:
     x^t = 1 mod n
     x^(t+1) = x mod n
   • Proof by authority! (Euler's theorem.)
48. RSA: key generation (2/2)
   • Choosing t like this implies x^(kt+1) = x mod n for any integer k. Proof by authority!
   • Choose e and d with e*d = 1 mod t, i.e. e*d = k*t + 1 for some integer k.
   • A common e value is 2^16 + 1 = 65,537.
   • Public key: (n, e)
   • Private key: (n, d)
49. Example RSA key generation
   • p = 61 and q = 53
   • n = 61 * 53 = 3233
   • t = (p - 1)(q - 1) = (61 - 1)(53 - 1) = 3120
   • Let e = 17. Then solving for e*d = 1 mod t gives d = 2753:
     2753 * 17 = 15 * 3120 + 1
     46801 = 46800 + 1
50. RSA encryption / decryption
   • c = m^e mod n
   • m = c^d mod n
   • X = (m^e)^d mod n
   • We know e*d = k*t + 1
   • X = m^(kt+1) mod n, or X = (m^t)^k * m mod n
   • We also know, for any x coprime to n: x^t = 1 mod n
   • So X = 1^k * m mod n = m
   • Hence we can decrypt!
51. RSA encryption / decryption example
   • Let m = 65. Then using the previous e = 17, d = 2753, n = 3233:
   • c = 65^17 (mod 3233) = 2790
   • m = 2790^2753 (mod 3233) = 65
52. RSA: why not to sign/encrypt data directly
   • If you sign m1 and m2 with textbook RSA:
     s1 = m1^d (mod n)
     s2 = m2^d (mod n)
   • The attacker can compute a valid signature on m3 = m1 * m2 (mod n) without the private key:
     m3^d (mod n) = m1^d * m2^d (mod n) = s1 * s2 (mod n)
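The RSA arithmetic of slides 47 to 53 with the deck's own toy numbers (p = 61, q = 53, e = 17), as an added example (not code from the deck): key generation, the 65 → 2790 → 65 round trip, the product forgery on this slide, and the blinding trick behind the next slide's advice not to share a key between signing and decryption. Textbook RSA on toy numbers is for illustration only.

```python
# Added example, not from the deck: textbook RSA on the deck's numbers (slides 47-53),
# including the multiplicative forgery and the blinding attack.  Toy-size, demo only.
import math


def keygen(p: int, q: int, e: int = 17):
    """Slides 47-49: n = p*q, t = (p-1)(q-1), d = e^-1 mod t.  Returns ((n, e), (n, d))."""
    n, t = p * q, (p - 1) * (q - 1)
    if math.gcd(e, t) != 1:
        raise ValueError("e must be coprime to t")
    d = pow(e, -1, t)                      # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(pub, m):                       # c = m^e mod n
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):                      # m = c^d mod n
    n, d = priv
    return pow(c, d, n)


def sign_textbook(priv, m):                # s = m^d mod n: the same private-key operation as decrypt
    return decrypt(priv, m)


def verify_textbook(pub, m, s):
    n, e = pub
    return pow(s, e, n) == m % n


def forge_product_signature(pub, m1, s1, m2, s2):
    """Slide 52: signatures on m1 and m2 give a valid signature on m1*m2 mod n for free."""
    n, _ = pub
    return (m1 * m2) % n, (s1 * s2) % n


def decrypt_via_signing_oracle(pub, c, r, sign):
    """Slide 53: if the victim signs (= decrypts) arbitrary values with the same key, ask for a
    signature on c * r^e; the answer is r*m mod n, and dividing by r yields m (RSA blinding)."""
    n, e = pub
    blinded = (c * pow(r, e, n)) % n
    return (sign(blinded) * pow(r, -1, n)) % n


def demo():
    pub, priv = keygen(61, 53)
    c = encrypt(pub, 65)                   # 2790 on slide 51
    s1, s2 = sign_textbook(priv, 7), sign_textbook(priv, 9)
    m3, s3 = forge_product_signature(pub, 7, s1, 9, s2)
    recovered = decrypt_via_signing_oracle(pub, c, 5, lambda x: sign_textbook(priv, x))
    return pub, priv, c, decrypt(priv, c), (m3, verify_textbook(pub, m3, s3)), recovered
```

`demo()` returns `((3233, 17), (3233, 2753), 2790, 65, (63, True), 65)`: the forged signature on 63 = 7 * 9 verifies, and the blinded request recovers the plaintext 65 from a signing oracle that never saw the ciphertext 2790 itself. RSA-PSS and RSA-OAEP, recommended on the next slide, add randomized padding precisely so that neither trick goes through.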
53. What is recommended?
   • Use one of the standards for signing and encryption:
     • Signing: RSA-PSS (RSA Probabilistic Signature Scheme)
     • Encryption: RSA-OAEP (RSA Optimal Asymmetric Encryption Padding)
   • Don't use the same key for encryption and signing:
     • an attacker who can get you to decrypt data of their choosing may obtain a signature from you, or the other way around, because decryption and signing are the same private-key operation in RSA;
     • encryption keys and signing keys generally have different lifetimes.
54. Elliptic curve discrete logarithm problem
   • With a curve of the form y^2 = x^3 + a*x + b mod p, where p is a large prime, and the point addition operation +:
     P + P + … + P = d*P = T
   • Given d*P and P, it should be hard to compute d.
   • d is kept secret, like a private key.
   • Intuitively: P + P + P + … for a very large d (> 160 bits).
   Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
55. Example of ECC usage: ECDH (simplified)
   Given a prime p, a suitable elliptic curve E and a point P = (xP, yP):
   • Alice chooses kPrA = a ∈ {2, 3, …, #E - 1} and computes kPubA = A = a*P = (xA, yA).
   • Bob chooses kPrB = b ∈ {2, 3, …, #E - 1} and computes kPubB = B = b*P = (xB, yB).
   • Alice sends A to Bob; Bob sends B to Alice.
   • Alice computes a*B = Tab; Bob computes b*A = Tab.
   • One of the coordinates of the point Tab (usually the x-coordinate) can be used as the session key (often after applying a hash function).
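The exchange above on a small curve, as an added example (not code from the deck): point addition and double-and-add scalar multiplication for y^2 = x^3 + 2x + 2 mod 17 with generator P = (5, 1), a textbook toy curve whose group has 19 points. The curve and point are constructed for the demo; real use needs a standard curve such as P-256, and the public-point validation shown here matters just as much there.

```python
# Added example, not from the deck: ECDH (slides 54-55) over the toy curve
# y^2 = x^3 + 2x + 2 mod 17, P = (5, 1), #E = 19.  Toy-size, demo only.
import secrets

P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19      # #E for this curve; private keys are drawn from {2, ..., #E - 1}
INF = None      # the point at infinity, the group identity


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Point addition with the chord-and-tangent formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                         # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, pt):
    """Double-and-add: k*P = P + P + ... + P (slide 54)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(a: int, b: int):
    """Both sides of slide 55.  Returns (Alice's Tab, Bob's Tab)."""
    pub_a, pub_b = mul(a, G), mul(b, G)                  # what Alice and Bob exchange
    for pub in (pub_a, pub_b):                            # validate a received point before using it
        if pub is INF or not on_curve(pub):
            raise ValueError("invalid public point")
    return mul(a, pub_b), mul(b, pub_a)


def demo() -> bool:
    a = secrets.randbelow(ORDER - 2) + 2                  # a, b in {2, ..., #E - 1}
    b = secrets.randbelow(ORDER - 2) + 2
    t_alice, t_bob = ecdh(a, b)
    return t_alice == t_bob and on_curve(t_alice)
```

Doubling the generator gives 2P = (6, 3), and 19P is the point at infinity, which is the order check a practitioner would run on any curve parameters before trusting them.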
56. Elliptic curve summary
   • Elliptic Curve Cryptography (ECC) is based on the (elliptic curve) discrete logarithm problem.
   • ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160-256 bits vs. 1024-3072 bits).
   • ECC can be used for key exchange, signatures and encryption.
   • ECC generally has a performance advantage over RSA.
57. Why the DH protocol?
   • A lot of the time the security certificate only supports signing.
   • Perfect forward secrecy: even if you find my private keys later, you cannot decrypt my past communication.
58. Reminder: DH
   Pre-known/exchanged values:
   • p, g, q (may be exchanged as part of the protocol)
   • Always check:
     • p = N*q + 1 (q divides p - 1)
     • (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1 (for your own g, and for every public value g^x received from the peer)
     • make sure q is a large enough prime (≥ 256 bits)
     • make sure p is a large enough prime (≥ 2048 bits)
59. Identity misbinding attack on DH
   • Intended run:
     Alice → Bob: A, g^x
     Bob → Alice: B, g^y, SigB(g^x, g^y)
     Alice → Bob: SigA(g^x, g^y)
   • The attack: Eve intercepts Alice's first message and sends Bob "E, g^x" under her own identity. Bob replies "B, g^y, SigB(g^x, g^y)", which Eve forwards to Alice unchanged. Alice answers SigA(g^x, g^y); Eve replaces it with her own SigE(g^x, g^y).
   • Eve doesn't know K = g^xy, but Bob thinks that anything coming from Alice is coming from Eve.
60. Limitations
   • Both parties need to know each other's identity before they can authenticate.
   • Leaves a signed proof of communication (each side signs the peer's identity).
   • SIGMA solves these issues.
61. SIGMA, basic version
   • Alice → Bob: g^x
   • Bob → Alice: B, g^y, SigB(g^x, g^y), MAC_Km(B)
   • Alice → Bob: A, SigA(g^x, g^y), MAC_Km(A)
   • Km is derived from g^xy.
   • Does not require knowing the peer's identity for your own authentication.
   • Adds deniability: the signatures cover only the DH values, and the identities are bound in by a MAC that either party could have computed.
   For comparison, authenticated DH with the peer's identity inside the signature (which also stops the misbinding attack):
   • Alice → Bob: A, g^x
   • Bob → Alice: B, g^y, SigB(g^x, g^y, A)
   • Alice → Bob: A, SigA(g^x, g^y, B)
62. SIGMA-I: active protection of the initiator's ID
   • Alice → Bob: g^x
   • Bob → Alice: g^y, {B, SigB(g^x, g^y), MAC_Km(B)}_Ke
   • Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
   • Km and Ke are derived from g^xy.
   • The initiator's ID is protected and not revealed except to an authenticated party.
63. SIGMA-R: active protection of the responder's ID
   • Alice → Bob: g^x
   • Bob → Alice: g^y
   • Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
   • Bob → Alice: {B, SigB(g^x, g^y), MAC_Km'(B)}_Ke'
   • Km, Ke and their second-round counterparts Km', Ke' are derived from g^xy.
   • The responder's ID is not revealed until the initiator's is revealed.
64. Next part
   • EPID-based SIGMA key exchange
   • PKI: public key infrastructure
   • Why random numbers are important
   • Clocks and monotonic counters
   • Storing secrets
   • Analysis of common protocols: TLS, SIGMA key exchange, IKE and IPsec