Alice & Bob: Public key cryptography 101

Alice & Bob
CodeConnexx
8-9 november 2013, Maastricht
Public key cryptography 101
1

View Slide

An introduction
2

View Slide

3
Without this there would be
no internet as we know today
(really)

View Slide

example “encryption” algorithms
4
http://www.ﬂickr.com/photos/dpwk/1714014449/in/[email protected]/

View Slide

ciphertext:
3, 15, 4, 5
“algorithm”:
A = 1, B = 2, C = 3, ...., Z = 26
=
C O D E
5

View Slide

6
ciphertext:
        
=
W I N G D I N G S

View Slide

“algorithm”:
c = (m + k) mod 26
7
Message: C O D E
Ciphertext (key=1): D P E F
Ciphertext (key=2): E Q F G
Ciphertext (key=-1): B M C D
Ciphertext (key=0): C O D E
http://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Caesar3.svg

View Slide

➡ Key is too easy to guess.
➡ Key has to be send to Bob.
➡ Deterministic.
➡ Prone to frequency analysis.
8

View Slide

➡ ‘E’ is used 12.7% of the times in english texts.
➡ The ‘Z’ only 0.074%.
➡ ‘E’ is used 17.4% of the times in german
texts, the ‘Q’ only 0.022%
9

View Slide

gl 7291 i owioa okddilnk ylgm hiu uflm mk cwgukl bs i
dgegmiws okywm jkw i owgdf mvfs ngnl'm okddgm. mvfuf dfl
cwkdcmes fuoicfn jwkd i dixgdyd-ufoywgms umkoainf mk mvf
eku ilqfefu ylnfwqwkyln. mknis, umgee hilmfn bs mvf
qkrfwldflm, mvfs uywrgrf iu ukengfwu kj jkwmylf. gj sky virf i
cwkbefd, gj lk klf feuf oil vfec iln gj sky oil jgln mvfd., disbf sky
oil vgwf, mvf i- mfid.
10
Intercepted message:

View Slide

11
Let’s analyze:

View Slide

12

View Slide

13

View Slide

In 1972 a crack commando unit was sent to prison by a
military court for a crime they didn't commit. These men
promptly escaped from a maximum-security stockade to the
Los Angeles underground. Today, still wanted by the
government, they survive as soldiers of fortune. If you have a
problem, if no one else can help and if you can ﬁnd them,
maybe you can hire, The A- Team.
14
http://gutenberg.spiegel.de/buch/3664/4
Decrypted message:

View Slide

Determinism and the ability to apply
frequency analysis are “bad things”
15

View Slide

➡ Previous examples were symmetrical encryptions.
➡ Same key is used for both encryption and decryption.
➡ Good symmetrical encryptions: AES, Blowﬁsh, (3)DES.
➡ They are fast and secure.
16

View Slide

Q: How does Alice send over the message +
key securely to Bob? Everybody’s listening!
17

View Slide

Another encryption system:
Asymmetrical encryption or public key encryption.
18

View Slide

public key - available for everybody.
19
KEYPAIR
private key - For your eyes only!

View Slide

It is NOT possible to decrypt the message
with same key that is used to encrypt.
20

View Slide

21
Use public key to encrypt: private key to decrypt
OR
private key to encrypt: public key to decrypt.

View Slide

22
Encryption
Signing

View Slide

23
Awesome! So why not using asymmetrical
encryption for everything??

View Slide

24
It’s too slow!

View Slide

Symmetrical
✓ quick.
✓ not resource intensive.
✓ encryption only
✓ useful for small and large
messages.
✗ need to send over the key
to the other side.
Asymmetrical
✓ no need to send over the
(whole) key.
✓ can be used for encryption and
signing.
✗ very resource intensive.
✗ only useful for small messages.
25

View Slide

26
Q: How does Alice send over the message + key
securely to Bob? Everybody’s listening!
A: Use symmetrical encryption for the (large)
message and encrypt the key used with an
asymmetrical encryption method.

View Slide

➡ Alice generates a random string:
➡ “monkeypooh”
➡ Alice encrypts this string with Bobs
PUBLIC key => “sdfafkjasdgaag”
27

View Slide

28
“sdfafkjasdgaag”
???
(slow) public key encryption

View Slide

➡ Bob received “sdfafkjasdgaag”
➡ Bob decrypts the message with his
PRIVATE key => “monkeypooh”
29

View Slide

30
???
(fast) symmetrical encryption using key “monkeypooh”
1001001010111
omglolbbq! haha hacker noobs!

View Slide

31
Hybrid Encryption

View Slide

Hybrid
✓ quick
✓ not resource intensive
✓ useful for small and large messages
✓ safely exchange key data
32

View Slide

33
Signing

View Slide

34
➡ Maybe even more important than
encryption?
➡ Signing is authenticating that a message is
actually send by the sender and is not
compromised in any way.

View Slide

➡ Bob creates a message:
“i don’t like mondays”.
➡ Bob creates a md5() from this message:
“b54c7cf4312cd6e2c37fd3f1ec681116”
➡ Bob encrypts this MD5 with his PRIVATE
key => “43tt34tqegadsgadsgA”
35

View Slide

36
“i don’t like mondays”
“43tt34tqegadsgadsgA”

View Slide

➡ Alice decrypts the hash with Bob’s
PUBLIC key:
“b54c7cf4312cd6e2c37fd3f1ec681116”
➡ Alice creates a md5() from the message =>
“b54c7cf4312cd6e2c37fd3f1ec681116”
➡ Alice checks if both hashes match.
37

View Slide

➡ Can’t change message, because encrypted
hash would not match.
➡ Can’t change hash, because only Bob’s
private key can encrypt.
38

View Slide

39
Great,.. but not really convinced...

View Slide

40
How many of you are actually using this
encryption and signing in practice??

View Slide

41
100%

View Slide

42

View Slide

43

View Slide

➡ When we go to a HTTPS website, we are
establishing a symmetrical encryption.
➡ We use asymmetrical encryption to
exchange the (random) key used.
➡ The public key we need to use is found in
the SSL-certiﬁcate.
44

View Slide

45
How do we know that the site is actually
run by the ones we think they are?

View Slide

46
PRIVATE
COMMUNICATION
ENDPOINT
AUTHENTICATION

View Slide

➡ It is signed (by somebody else) that states:
this certiﬁcate / URL truly belongs to them.
➡ Signed by their PRIVATE key, so we can use
their PUBLIC key to check the signature.
47

View Slide

➡ (Root) Certiﬁcate Authorities
➡ They are automatically built into your
browser / OS and you will automatically
trust them.
48

View Slide

49
http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
185

View Slide

➡ We are forced to trust companies that
make a living on selling as many certiﬁcates
as possible..
➡ It’s a ﬂawed system, but the best we have :(
50

View Slide

51
➡ But, we can ﬁx pretty much everything else!

View Slide

52
➡ Email: privately communicate between you
and somebody else.
➡ Making sure your email isn’t tampered with
and actually comes from you.
➡ Enigmail / gpgsuite
➡ Pretty easy to setup and use

View Slide

53
➡ Every time you commit something to version
control / github, you sign it with your key!
➡ Download new software (yum, apt, packagist)

View Slide

54
lots of ppl with keys lots of implementations
not many ppl with keys no implementations
no implementations not many ppl with keys

View Slide

55
Here’s another problem:
➡ Everybody can create a key
➡ And everybody can pretend to be anyone else

View Slide

56
➡ We use a system called: web-of-trust

View Slide

57

View Slide

➡ How do we create the web-of-trust?
58

View Slide

➡ Every time you meet a person in real life.
➡ key signing parties on meetups,
conferences, places where enough people
come together.
➡ No need for a computer / laptop. Only
your key (ﬁngerprint) and something that
identiﬁes you being you (driving license, ID
etc)
59

View Slide

60
http://chemnitzer.linux-tage.de/2009/service/pgp_en.html

View Slide

61

View Slide

➡ Add GPG/PGP extension to your email
client (enigmail / gpgsuite etc).
➡ Create a keypair.
➡ Use!
➡ Worry about the web-of-trust later!
62

View Slide

➡ PKE enables us to (automatically) enrich
your content with security and/or privacy.
➡ It’s still hard to implement, but it’s getting
better and easier.
➡ (e-)mail was hard too!
➡ We *need* it.
63

View Slide

http://farm1.static.ﬂickr.com/73/163450213_18478d3aa6_d.jpg 64

View Slide

65
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl
http://joind.in/9608

View Slide

Alice & Bob: Public key cryptography 101

Alice & Bob: Public key cryptography 101

Joshua Thijssen

More Decks by Joshua Thijssen

Featured

Transcript