
Alice & Bob: Public key cryptography 101

Joshua Thijssen
September 18, 2013

Transcript

  1. Alice & Bob
    Web & PHP Conference
    16-18 Sep - San Jose - USA
    Public key cryptography 101

  2. Joshua Thijssen
    Freelance consultant, developer and
    trainer @ NoxLogic
    Founder of the Dutch Web Alliance
    Development in PHP, Python, C, Java.
    Lead developer of Saffire.
    Blog: http://adayinthelifeof.nl
    Email: [email protected]
    Twitter: @jaytaph

  4. An introduction into public key cryptography

  5. Without this there would be
    no internet as we know it today
    (really)

  6. But there are cracks.
    (and they are bigger on the inside)

  8. An introduction into public key cryptography

  9. Meet Alice,
    and Bob.
    Hi Bob!
    Hello Alice!

  10. Early encryption algorithms
    http://www.flickr.com/photos/dpwk/1714014449/in/pool-1621478@N23/

  11. ‣ SUBSTITUTION SCHEME
    “algorithm”:
    A = 1, B = 2, C = 3, ..., Z = 26
    ciphertext:
    12, 1, 13, 5
    =
    L A M E

  12. ciphertext:
            
    =
    W I N G D I N G S
    ‣ SUBSTITUTION SCHEME

  13. ‣ CAESARIAN SHIFT
    “algorithm”:
    c = (m + k) mod 26
    Message: C O D E
    Ciphertext (key=1): D P E F
    Ciphertext (key=2): E Q F G
    Ciphertext (key=-1): B M C D
    Ciphertext (key=0): C O D E
    Ciphertext (key=26): C O D E
    Ciphertext (key=52): C O D E
    http://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Caesar3.svg

  14. ➡ Key is too easy to guess.
    ➡ Key has to be sent to Bob.
    ➡ Deterministic.
    ➡ Prone to frequency analysis.

  15. ➡ The usage of every letter in English (or
    any other language) can be represented by
    a percentage.
    ➡ ‘E’ is used 12.7% of the time in English
    texts, ‘Z’ only 0.074%.
    ➡ ‘E’ is used 17.4% of the time in German
    texts, ‘Q’ only 0.022%.
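
Added example (not part of the original slides): the Caesarian shift from slide 13, plus a key-recovery routine that tries all 26 shifts and scores each candidate against English letter frequencies. The frequency table is the commonly cited one (only the E and Z figures appear on the slides), and the sample plaintext is taken from the decrypted message shown later in the deck.

```python
from collections import Counter
import string

# Commonly cited English letter frequencies in percent, A..Z. The slides
# quote E (12.7) and Z (0.074); the other values are an assumption here.
ENGLISH = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
           0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
           6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]

def caesar(text, key):
    """c = (m + k) mod 26 on letters; everything else passes through."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + key) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text):
    """Distance between the text's letter distribution and English."""
    letters = [ch for ch in text if ch in string.ascii_uppercase]
    total = len(letters)
    if total == 0:
        return float("inf")
    counts = Counter(letters)
    return sum((counts[chr(65 + i)] - total * f / 100) ** 2 / (total * f / 100)
               for i, f in enumerate(ENGLISH))

def recover_key(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most English."""
    return min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))

# Sample plaintext (first sentences of the decrypted message in the deck).
PLAINTEXT = ("In 1972 a crack commando unit was sent to prison by a military "
             "court for a crime they didn't commit. These men promptly escaped "
             "from a maximum-security stockade to the Los Angeles underground.")

if __name__ == "__main__":
    secret = caesar(PLAINTEXT, 11)
    key = recover_key(secret)
    print("recovered key:", key)
    print(caesar(secret, -key)[:40])
```

Because the cipher is deterministic and the key space is 26, no knowledge of the key is needed: the letter statistics of the ciphertext alone identify it.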

  16. Intercepted message:
    gl 7291 i owioa okddilnk ylgm hiu uflm mk cwgukl bs i
    dgegmiws okywm jkw i owgdf mvfs ngnl'm okddgm. mvfuf dfl
    cwkdcmes fuoicfn jwkd i dixgdyd-ufoywgms umkoainf mk mvf
    eku ilqfefu ylnfwqwkyln. mknis, umgee hilmfn bs mvf
    qkrfwldflm, mvfs uywrgrf iu ukengfwu kj jkwmylf. gj sky virf i
    cwkbefd, gj lk klf feuf oil vfec iln gj sky oil jgln mvfd., disbf sky
    oil vgwf, mvf i- mfid.

  17. Let’s analyze:

  20. Decrypted message:
    In 1972 a crack commando unit was sent to prison by a
    military court for a crime they didn't commit. These men
    promptly escaped from a maximum-security stockade to the
    Los Angeles underground. Today, still wanted by the
    government, they survive as soldiers of fortune. If you have a
    problem, if no one else can help and if you can find them,
    maybe you can hire, The A- Team.
    http://gutenberg.spiegel.de/buch/3664/4

  21. Determinism and the ability to apply
    frequency analysis are “bad things”

  22. ➡ Previous examples were symmetrical encryptions.
    ➡ Same key is used for both encryption and decryption.
    ➡ Good symmetrical encryptions: AES, Blowfish, (3)DES.
    ➡ They are fast and secure.

  23. Q: How does Alice send over the key securely
    to Bob? Everybody’s listening!

  24. Another encryption system:
    Asymmetrical encryption or public key encryption.

  25. Two keys instead of one:
    public key - available for everybody.
    Can be published on your blog.
    private key - For your eyes only!

  26. http://upload.wikimedia.org/wikipedia/commons/f/f9/Public_key_encryption.svg

  27. It is NOT possible to decrypt the message
    with the same key that is used to encrypt.

  28. Encrypt with public key:
    - only private key (thus Alice) can decrypt.
    - message is only for Alice = encryption
    Encrypt with private key:
    - only public key can decrypt.
    - message is guaranteed to come from Alice = signing

  29. Symmetrical
    ✓ quick.
    ✓ not resource intensive.
    ✓ useful for small and large
    messages.
    ✗ need to send over the key
    to the other side.
    Asymmetrical
    ✓ no need to send over the
    (whole) key.
    ✓ can be used for encryption
    and validation (signing).
    ✗ very resource intensive.
    ✗ only useful for small messages.

  30. Q: How does Alice send over the key securely
    to Bob? Everybody’s listening!
    A: Use symmetrical encryption for the (large)
    message and encrypt the key used with an
    asymmetrical encryption method.

  31. Hybrid
    ✓ quick
    ✓ not resource intensive
    ✓ useful for small and large messages
    ✓ safely exchange key data

  32. But how does it work?

  33. RSA
    Ron Rivest, Adi Shamir, Leonard
    Adleman
    1978
    Pierre de Fermat, Leonhard Euler
    17th - 18th century

  34. Public key encryption works on the premise that it
    is practically impossible to factor a large number
    back into 2 separate prime numbers.
    A prime number is only divisible by 1 and
    itself: 2, 3, 5, 7, 11, 13, 17, 19 etc...

  35. “large” number: p * q = 221
    (13 and 17)
    but we cannot calculate its
    prime factors without brute force.
    There is no “formula” (like e=mc²)

  36. ➡ There is no proof that it’s impossible to factor
    quickly. But nowadays we have to assume it’s
    possible by some, but not (yet) many.
    ➡ Brute-force decrypting is always lurking around
    (quicker/more machines, better algorithms).
    ➡ Better (pubkey) algorithms already exist!

  37. This is mathness!
    No, this is RSAAAA!

  38. ➡ p = (large) prime number
    ➡ q = (large) prime number (but not too close to p)
    ➡ n = p . q (the bit length of n is the bit length of the RSA key)
    ➡ φ = (p-1) . (q-1) (the φ thingie is called phi)
    ➡ e = a number for which gcd(e, φ) = 1
    ➡ d = a number for which (d . e) mod φ = 1

  39. Step 1: select primes P and Q
    ‣ P = 11
    ‣ Q = 3
    P = ? | Q = ? | N = ? | Phi = ? | e = ? | d = ?

  40. Step 2: calculate N and Phi
    ➡ N = P . Q = 11 . 3 = 33
    ➡ φ = (11-1) . (3-1) = 10 . 2 = 20
    33 decimal equals 100001 in binary == 6 bit key
    P = 11 | Q = 3 | N = ? | Phi = ? | e = ? | d = ?

  41. Step 3: find e
    ‣ e = 3
    ‣ gcd(e, φ) = 1 ==> gcd(3, 20) = 1
    Fermat number: 2^(2^n) + 1
    Fermat prime: Fermat nr that is also prime: 3, 5, 17, 257, 65537
    Study shows that 98.5% of the time 65537 is used
    P = 11 | Q = 3 | N = 33 | Phi = 20 | e = ? | d = ?

  42. Step 4: find d
    ‣ brute force: (e.d mod φ = 1)
    ‣ Extended Euclidean Algorithm gives 7
    3 . 1 = 3 mod 20 = 3
    3 . 2 = 6 mod 20 = 6
    3 . 3 = 9 mod 20 = 9
    3 . 4 = 12 mod 20 = 12
    3 . 5 = 15 mod 20 = 15
    3 . 6 = 18 mod 20 = 18
    3 . 7 = 21 mod 20 = 1
    3 . 8 = 24 mod 20 = 4
    3 . 9 = 27 mod 20 = 7
    3 . 10 = 30 mod 20 = 10
    P = 11 | Q = 3 | N = 33 | Phi = 20 | e = 3 | d = ?

  43. That’s it:
    ➡ public key = (n, e) = (33, 3)
    ➡ private key = (n, d) = (33, 7)

  44. The actual math is much more complex since
    we use very large numbers, but it all comes
    down to these (relatively simple) calculations.

  45. jthijssen@debian-jth:~$ openssl rsa -text -noout -in server.key
    Private-Key: (256 bit)
    modulus:
    00:c2:d0:c4:1f:6f:78:16:82:d1:0c:dd:5a:af:de:f2:ff:31:c6:
    9b:3b:9f:e8:24:2a:5c:06:56:ea:d7:7c:c6:19
    publicExponent: 65537 (0x10001)
    privateExponent:
    22:8f:fd:2b:82:90:30:96:36:d6:6c:73:09:5e:a9:87:73:6e:
    2d:d4:d5:78:fc:3b:20:ea:0d:02:e5:2b:cb:3d
    prime1:
    00:f0:49:fd:91:18:01:53:92:8f:87:d7:2b:c8:19:7d:17
    prime2:
    00:cf:8d:a1:3b:93:af:61:77:8f:c9:8f:1d:aa:8d:b4:4f
    exponent1:
    00:e1:d8:c9:89:bc:84:52:a6:a8:5d:47:32:91:6a:d3:95
    exponent2:
    5a:88:b1:fa:d5:d9:db:8f:16:a6:5a:0a:1b:ba:42:1b
    coefficient:
    00:99:fa:de:80:d4:ee:f3:69:59:e5:8a:72:ad:e5:30:3d
    (n = modulus, e = publicExponent, d = privateExponent)

  46. Encrypting a message:
    c = m^e mod n
    Decrypting a message:
    m = c^d mod n

  47. Encrypting a message: private key = (n,d) = (33, 7):
    m = 13, 20, 15, 5
    13^7 mod 33 = 7
    20^7 mod 33 = 26
    15^7 mod 33 = 27
    5^7 mod 33 = 14
    c = 7, 26, 27, 14
    Decrypting a message: public key = (n,e) = (33, 3):
    c = 7, 26, 27, 14
    7^3 mod 33 = 13
    26^3 mod 33 = 20
    27^3 mod 33 = 15
    14^3 mod 33 = 5
    m = 13, 20, 15, 5

  48. ➡ A message is an “integer”
    ➡ A message must be between 2 and n-1.
    ➡ Deterministic, so we must use a padding
    scheme to make it non-deterministic.

  49. ➡ Public Key Cryptography Standard #1
    ➡ Pads data with (random) bytes up to n bits
    in length (v1.5 or OAEP/v2.x).
    ➡ It has its flaws and weaknesses too. Always
    use the latest available version (v2.2)

  50. Data = 4E636AF98E40F3ADCFCCB698F4E80B9F
    The encoded message block, EMB, after encoding but before encryption, with random
    padding bytes shown in green:
    0002257F48FD1F1793B7E5E02306F2D3228F5C95ADF5F31566729F132AA12009
    E3FC9B2B475CD6944EF191E3F59545E671E474B555799FE3756099F044964038
    B16B2148E9A2F9C6F44BB5C52E3C6C8061CF694145FAFDB24402AD1819EACEDF
    4A36C6E4D2CD8FC1D62E5A1268F496004E636AF98E40F3ADCFCCB698F4E80B9F
    After RSA encryption, the output is:
    3D2AB25B1EB667A40F504CC4D778EC399A899C8790EDECEF062CD739492C9CE5
    8B92B9ECF32AF4AAC7A61EAEC346449891F49A722378E008EFF0B0A8DBC6E621
    EDC90CEC64CF34C640F5B36C48EE9322808AF8F4A0212B28715C76F3CB99AC7E
    609787ADCE055839829E0142C44B676D218111FFE69F9D41424E177CBA3A435B
    http://www.di-mgt.com.au/rsa_alg.html#pkcs1schemes

  51. Practical applications of PKE

  52. http://torontoemerg.files.wordpress.com/2010/09/spam.gif
    http://change-your-ip.com/wp-content/uploads/image/nigerian_419_scam.jpg

  54. Questions:
    ➡ Did Bill really send this email?
    ➡ Do we know for sure that nobody has read
    this email (before it came to us?)
    ➡ Do we know for sure that the contents of
    the message haven’t been tampered with?
    ➡ We use signing!

  55. Signing a message
    ➡ Signing a message means adding a signature
    that authenticates the validity of a message.
    ➡ Like md5 or sha1, so when the message
    changes, so will the signature.
    ➡ This works on the premise that Alice and
    only Alice has the private key that can
    create the signature.

  56. http://en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg
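
Added example (not part of the original slides): hash-then-sign as described on slide 55, using textbook RSA over a SHA-256 digest. The key is built from two fixed Mersenne primes and uses no padding scheme, both assumptions made to keep the example short; the message text is constructed.

```python
import hashlib

# Toy key from two known Mersenne primes (an assumption for brevity; real
# keys use random primes and a modulus of 2048 bits or more).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Alice: raise the digest to the private exponent."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Bob: undo the signature with the public exponent, compare digests."""
    return pow(signature, E, N) == digest_int(message)

if __name__ == "__main__":
    msg = b"Hi Bob! Transfer 10 euro to Carol. -- Alice"   # constructed sample
    sig = sign(msg)
    print("signature:", hex(sig))
    print("original verifies:", verify(msg, sig))
    print("tampered verifies:", verify(msg.replace(b"10", b"1000"), sig))
```

Bob needs only (N, E) to run `verify`; any change to the message changes the digest, so the old signature no longer matches.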

  57. ➡ Signing is important!
    ➡ apt-get / yum install use it to verify/prove authenticity
    ➡ Does your git clone do that? Does “composer
    install” do that? Does PEAR do that?
    ➡ Think about the consequences!

  58. HTTPS
    ➡ HTTP encapsulated by TLS (previously SSL).
    ➡ More or less: an encryption layer on top of http.

  59. ➡ Actual encryption methodology is decided
    by the browser and the server (highest
    possible encryption used).
    ➡ Symmetric encryption (AES-256, others)
    ➡ But both sides need the same key, so we
    have the same problem as before: how do we
    send over the key?

  60. ➡ Key is exchanged in a public/private encrypted
    communication.
    ➡ Which public key?
    ➡ It is stored inside the server’s SSL certificate

  61. jthijssen@debian-jth:~$ openssl x509 -text -noout -in github.pem
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    04:7f:be:2e:4b:de:00:84:d2:ca:f8:e3:ec:fe:70:58
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1
    Validity
    Not Before: Jun 10 00:00:00 2013 GMT
    Not After : Sep 2 12:00:00 2015 GMT
    Subject: businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/
    1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107, C=US, ST=California,
    L=San Francisco, O=GitHub, Inc., CN=github.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:ed:d3:89:c3:5d:70:72:09:f3:33:4f:1a:72:74:
    d9:b6:5a:95:50:bb:68:61:9f:f7:fb:1f:19:e1:da:
    04:31:af:15:7c:1a:7f:f9:73:af:1d:e5:43:2b:56:
    09:00:45:69:4a:e8:c4:5b:df:c2:77:52:51:19:5b:
    d1:2b:d9:39:65:36:a0:32:19:1c:41:73:fb:32:b2:
    3d:9f:98:ec:82:5b:0b:37:64:39:2c:b7:10:83:72:
    cd:f0:ea:24:4b:fa:d9:94:2e:c3:85:15:39:a9:3a:
    f6:88:da:f4:27:89:a6:95:4f:84:a2:37:4e:7c:25:
    78:3a:c9:83:6d:02:17:95:78:7d:47:a8:55:83:ee:
    13:c8:19:1a:b3:3c:f1:5f:fe:3b:02:e1:85:fb:11:
    66:ab:09:5d:9f:4c:43:f0:c7:24:5e:29:72:28:ce:
    d4:75:68:4f:24:72:29:ae:39:28:fc:df:8d:4f:4d:
    83:73:74:0c:6f:11:9b:a7:dd:62:de:ff:e2:eb:17:
    e6:ff:0c:bf:c0:2d:31:3b:d6:59:a2:f2:dd:87:4a:
    48:7b:6d:33:11:14:4d:34:9f:32:38:f6:c8:19:9d:
    f1:b6:3d:c5:46:ef:51:0b:8a:c6:33:ed:48:61:c4:
    1d:17:1b:bd:7c:b6:67:e9:39:cf:a5:52:80:0a:f4:
    ea:cd
    Exponent: 65537 (0x10001)

  62. ➡ Browser sends over its encryption methods.
    ➡ Server decides which one to use.
    ➡ Server sends certificate(s).
    ➡ Client sends “session key” encrypted by the
    public key found in the server certificate.
    ➡ Server and client use the “session key” for
    symmetrical encryption.

  63. ➡ Thus: Public/private encryption is only used in
    establishing a secondary (better!?) encryption.
    ➡ SSL/TLS is a separate talk (it’s way more complex
    than this)
    ➡ http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

  64. SSH
    ➡ Public key authentication
    ➡ Because you suck at creating and/or
    remembering passwords

  65. ➡ Easy for tools / scripts to connect
    ➡ Easy for you (no remembering passwords)
    ➡ More fine-grained security model.

  66. Some words of wisdom:
    (free of charge)

  67. ➡ Don’t “invent” your own encryption. It will
    NOT be secure, and it WILL fail.
    ➡ Encryption is as strong as the weakest link,
    which 9 out of 10 times will be you.
    ➡ Encryptions evolve. Do not use today what
    you used 10 years ago.
    ➡ Every encryption will become obsolete!
    ➡ Always follow the best practices.

  68. http://farm1.static.flickr.com/73/163450213_18478d3aa6_d.jpg

  69. Find me on twitter: @jaytaph
    Find me for development and training: www.noxlogic.nl
    Find me on email: [email protected]
    Find me for blogs: www.adayinthelifeof.nl
    http://joind.in/8889