Slide 1

Cryptography for architects and engineers
Jasmeet (Jas) Chhabra
(Also titled "Cryptography for Software Engineers")

Slide 2

Introducing Alice, Bob and Eve
Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?

Slide 3

Alice has heard of Encryption
Alice computes c = E(K, m) and sends c to Bob; Eve sees c. Bob recovers m = D(K, c).

Slide 4

Alice searches the Internet and finds that AES seems to be the standard

Slide 5

What is AES?
• AES is a block cipher
• Block ciphers: work on fixed-size blocks of data
• Currently common block ciphers use 128-bit blocks
Visualizing an ideal block cipher: a randomly mapped lookup table of size 2^128, taking each 128-bit input to a 128-bit output (random mapping).
  Input         Output
  1011….00      0000…00000
  0000….11      0000…00001
  1001….00      1111….1110
  1100….11      1111….1111

Slide 6

What does AES do?
Single round of AES:
• Round key XOR data
• Fixed lookup table mapping
• Shift each byte by a fixed offset
• Mix with a linear transformation function
Repeat for 10 to 14 rounds depending on the size of the key.

Slide 7

Quick Note: Kerckhoffs's principle
• The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
Why?
• Algorithms are hard to change
• It is difficult to get cryptographic algorithms right, and it is better to publish them for analysis.

Slide 8

Alice decides to use AES encryption
Alice computes c = E(K, m) and sends c; Bob computes m = D(K, c).
Message: "Buy INTC 50 90 shares", split into blocks; each block is encrypted independently, ci = E(K, mi) (ECB mode).

Slide 9

But Eve is clever. She changes the message in the following way
Alice sends "Buy INTC 50 90 shares", each block ci = E(Ke, mi) (ECB mode).
Eve swaps the ciphertext blocks holding "50" and "90".
Bob receives "Buy INTC 90 50 shares", decrypting each block mi = D(Ke, ci).

Slide 10

AES Electronic Code Book (ECB) mode issues
• Blocks can be swapped
• Patterns can be detected
(Figure: an original image next to the same image encrypted with AES in ECB mode.)

Slide 11

Quick Note: Padding
• Block ciphers work on messages that are a multiple of the block size
• If the message is not a multiple of the block size, padding is required
• Two common padding schemes:
  • Append a byte with value 128 (0x80) and then as many 0 bytes as needed to make the message a multiple of the block size
  • Determine the number of bytes n > 0 required to make it a multiple of the block size. Add n bytes, each with value n
Examples (DD = data byte, 16-byte blocks):
  DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00
  DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04
  DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08
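An added example, not from the slides: both padding schemes in Python, together with the unpadding checks a receiver needs before trusting the result (the n-bytes-of-value-n scheme is the one known as PKCS#7).

```python
# Added example, not from the slides: both padding schemes, with the
# unpadding checks a receiver must perform before trusting the result.
BLOCK = 16  # AES block size in bytes

def pad_bitstring(msg: bytes, block: int = BLOCK) -> bytes:
    """Scheme 1: append 0x80 (128, binary 10000000), then 0x00 up to the
    block size. A message that already fills a block gets a whole padding
    block, otherwise the receiver could not tell data from padding."""
    n = block - (len(msg) % block)
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad_bitstring(padded: bytes, block: int = BLOCK) -> bytes:
    if len(padded) == 0 or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    idx = padded.rfind(b"\x80")
    # The marker must lie in the last block and only zeros may follow it.
    if idx < len(padded) - block or any(padded[idx + 1:]):
        raise ValueError("invalid padding")
    return padded[:idx]

def pad_pkcs7(msg: bytes, block: int = BLOCK) -> bytes:
    """Scheme 2: n bytes each of value n, with 1 <= n <= block."""
    n = block - (len(msg) % block)
    return msg + bytes([n]) * n

def unpad_pkcs7(padded: bytes, block: int = BLOCK) -> bytes:
    if len(padded) == 0 or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    # n must be in range and each of the last n bytes must equal n.
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

if __name__ == "__main__":
    # Constructed inputs matching the three rows on the slide (DD = data).
    print(pad_bitstring(b"\xdd" * 12).hex())  # ...dd80000000
    print(pad_pkcs7(b"\xdd" * 12).hex())      # ...dd04040404
    print(pad_pkcs7(b"\xdd" * 8).hex())       # ...dd0808080808080808
    print(unpad_pkcs7(pad_pkcs7(b"\xdd" * 16)) == b"\xdd" * 16)  # True
```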

Slide 12

Alice looked up other block cipher modes
She likes two:
• CBC
• CTR
Let us look at both

Slide 13

Quick Note: IV
• Initialization vector: used in block cipher modes as an input along with the key
• Fixed IV: IV that doesn't change
• Counter IV: IV = 0 for the first message, IV = 1 for the second, etc.
• Random IV: a large random number as the IV for each message
• Nonce-generated IV: "number used once" per key
  • Message numbers
  • Random number + message number

Slide 14

Quick XOR refresher
• 1 ⊕ 0 = 0 ⊕ 1 = 1
• 0 ⊕ 0 = 1 ⊕ 1 = 0
• A ⊕ 0 = A
• A ⊕ A = 0
• A ⊕ A ⊕ A = A

Slide 15

CBC: Cipher Block Chaining (Encryption)
Ci = Ek(Pi ⊕ Ci−1), C0 = IV
(Diagram: each plaintext block is XORed with the previous ciphertext block, the IV for the first block, and then encrypted under the key; the output is the ciphertext block and feeds the next block.)

Slide 16

CBC: Cipher Block Chaining (Decryption)
Pi = Dk(Ci) ⊕ Ci−1, C0 = IV
(Diagram: each ciphertext block is decrypted under the key and the result XORed with the previous ciphertext block, the IV for the first block, to give the plaintext block.)

Slide 17

CBC: Which IV to use?
• Fixed IV: what if two messages start with the same plaintext block? (They produce the same first ciphertext block.)
• Counter IV: if the first blocks of two messages differ in a simple way, the XOR with a counter may cancel the difference out.
• Random IV: good, but requires a random number to be sent along
• Nonce IV: good. Use a smaller random number + counter.

Slide 18

CTR: Counter mode (Encryption)
Ki = E(K, Nonce || i) for i = 1, …, k
Ci = Pi ⊕ Ki
(Diagram: the block cipher encrypts Nonce || Counter under the key, e.g. F45a34…… || 000000 for the first block and F45a34…… || 000001 for the second; each output is XORed with the plaintext block to give the ciphertext block.)

Slide 19

CTR: Counter mode (Decryption)
Ki = E(K, Nonce || i) for i = 1, …, k
Pi = Ci ⊕ Ki
(Diagram: the same keystream blocks are produced with the block cipher in the encryption direction and XORed with the ciphertext blocks to give the plaintext.)

Slide 20

AES CTR
• Counter = Nonce || i
• If ever the counter is repeated:
  • Cx ⊕ Cy = E(K, counter) ⊕ Px ⊕ E(K, counter) ⊕ Py
  • i.e. Cx ⊕ Cy = Px ⊕ Py
• Never ever repeat a counter with the same key

Slide 21

CTR Advantages
• Random access is possible.
• Both encryption and decryption can be parallelized.
• Needs only the encryption implementation of the block cipher

Slide 22

Alice decides to use AES CTR encryption
Alice computes ci = E(Ke, Nonce || i) ⊕ Pi and sends it; Bob computes mi = E(Ke, Nonce || i) ⊕ Ci.
Message: "Buy INTC 50 90 shares", split into blocks; each block ci = E(Ke, Nonce || i) ⊕ Pi (CTR mode).

Slide 23

Eve is clever
• Alice sends using CTR.
• Eve changes the first block by XORing it with (Buy ⊕ Sell)
• So the first block becomes:
  • c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
  • i.e. c = E(Ke, Nonce||1) ⊕ Sell
• So Bob gets: Sell INTC 50 90 shares
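An added example, not from the slides, that runs the CTR construction of slides 18 to 23 in Python. E(K, Nonce || i) is stood in for by HMAC-SHA256 truncated to one block, which keeps the same structure without an AES implementation; the key, nonce and second message are constructed. It shows the two failure modes the slides describe: the Buy-to-Sell change that CTR cannot detect, and the P1 ⊕ P2 leak when a counter repeats, which is why the following slides add authentication.

```python
# Added example, not from the slides. E(K, Nonce || i) is replaced by
# HMAC-SHA256 truncated to one block: CTR only ever runs the block cipher
# forward, so any keyed PRF gives the same structure (this is a stand-in,
# not AES; the key, nonce and second message below are constructed).
import hmac, hashlib

BLOCK = 16

def keystream_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """K_i = E(K, Nonce || i): 12-byte nonce plus a 4-byte counter."""
    return hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """C_i = P_i xor K_i for i = 1..k; decryption is the same call."""
    out = b""
    for off in range(0, len(data), BLOCK):
        out += xor(data[off:off + BLOCK], keystream_block(key, nonce, off // BLOCK + 1))
    return out

KEY = b"\x01" * 16
NONCE = bytes.fromhex("f45a34") + b"\x00" * 9   # like the slide's F45a34...
MSG = b"Buy INTC 50 90 shares"

def flip_first_word(ciphertext: bytes) -> bytes:
    """Slide 23: XOR the first bytes with (Buy xor Sell). CTR itself cannot
    notice; "Sell" is one byte longer than "Buy", so the space is consumed."""
    return xor(ciphertext[:4], xor(b"Buy ", b"Sell")) + ciphertext[4:]

def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Slide 20: two messages under one key and nonce give C1 xor C2 = P1 xor P2."""
    return xor(ctr(key, nonce, p1), ctr(key, nonce, p2))

if __name__ == "__main__":
    c = ctr(KEY, NONCE, MSG)
    print(ctr(KEY, NONCE, c))                     # b'Buy INTC 50 90 shares'
    print(ctr(KEY, NONCE, flip_first_word(c)))    # b'SellINTC 50 90 shares'
    other = b"Buy AMD  50 90 shares"
    print(nonce_reuse_leak(KEY, NONCE, MSG, other) == xor(MSG, other))  # True
```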

Slide 24

Break/Recap

Slide 25

Alice figures she needs something to protect this message
• Her goal this time is to ensure that Eve can't change the message.
• She doesn't care about confidentiality (to keep things simple)
• She looks up hash functions

Slide 26

What is a hash function?
Ideal hash function: arbitrary-length input → fixed-length output
• Random mapping
• Same output for the same input

Slide 27

Defining security of hash functions
• Pre-image resistance:
  • Given a hash h it should be difficult to find any message m such that h = hash(m).
• Second pre-image resistance:
  • Given an input m1 it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
• Collision resistance:
  • It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2).

Slide 28

Standard hash functions
• MD5: don't use
• SHA1: avoid. Not recommended for usage. Only use if the system gives you no other choice.
• SHA2: use this.
• SHA3 (not finalized at the time of this talk)
• One of the properties (bug?) of the hash functions above is that
  • If m = m1, m2 (the concatenation m1 || m2)
  • H(m) = h(h(m1), m2)
  • This is called the length extension issue

Slide 29

Alice is now confident
• She decides to use the SHA-2 hash
• Assume:
  • Alice and Bob share a secret key K, just like for encryption

Slide 30

Alice decides to use SHA-2
Alice sends Bob "Buy INTC 50" together with SHA2(K || Data); K is the secret. Eve sees both.

Slide 31

As usual Eve is clever
• Eve computes
  • SHA2(SHA2(K || Data), 90), i.e. she continues the hash from its published state without knowing K (the padding bytes that sit between Data and 90 are glossed over here)
• She also changes the message to: Buy INTC 50 90, with tag SHA2(SHA2(K || Data), 90)

Slide 32

How to fix this?
• Use HMAC
• HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
• opad is the outer padding (0x5c5c5c…5c5c, a one-block-long hexadecimal constant),
• ipad is the inner padding (0x363636…3636, a one-block-long hexadecimal constant).
Other MACs are available, but this is the most commonly recommended

Slide 33

Horton Principle
• "Authenticate what is being meant, not what is being said"
• Suppose you had two messages to send.
  • M1 and M2
• You just send M1 || M2 || HMAC(M1 || M2)
• What happens?

Slide 34

M1 = "Rachael Ray finds inspiration is cooking"
M2 = " her family and her dog"
(Concatenated, M1 || M2 reads "Rachael Ray finds inspiration is cooking her family and her dog": the boundary between the two messages is lost.)

Slide 35

Lesson: Always structure your message to be unambiguous and then MAC the whole thing
• For example, send:
  • { message1_length = aa; message1 = "M1"; message2_length = bb; message2 = "M2"; } HMAC({….})
"Authenticate what is being meant, not what is being said"
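An added example, not from the slides, covering slide 32 and slides 33 to 35: HMAC-SHA256 written out from the formula above and checked against Python's hmac module, then the two ways of splitting the Rachael Ray sentence, showing that a MAC over M1 || M2 cannot tell them apart while the length-prefixed encoding can. The key is constructed.

```python
# Added example, not from the slides: HMAC built from the slide's formula
# and checked against Python's hmac module, plus the length-prefixed
# encoding slide 35 asks for (the key below is constructed).
import hashlib, hmac

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)); SHA-256's
    block is 64 bytes, so opad/ipad are 64 copies of 0x5c / 0x36."""
    block = 64
    if len(key) > block:                 # a key longer than one block is hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")      # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def naive_mac(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Slide 33: a MAC over M1 || M2 says nothing about where M1 ends."""
    return hmac_sha256(key, m1 + m2)

def encode_fields(*fields: bytes) -> bytes:
    """Slide 35: every field carries its own 4-byte length, so different
    field lists can never produce the same byte string."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def mac_fields(key: bytes, *fields: bytes) -> bytes:
    return hmac_sha256(key, encode_fields(*fields))

KEY = b"shared secret K"
# The two ways of splitting the sentence from slide 34 into M1 and M2.
SPLIT_A = (b"Rachael Ray finds inspiration is cooking", b" her family and her dog")
SPLIT_B = (b"Rachael Ray finds inspiration is cooking her family", b" and her dog")

if __name__ == "__main__":
    assert hmac_sha256(KEY, b"x") == hmac.new(KEY, b"x", hashlib.sha256).digest()
    print(naive_mac(KEY, *SPLIT_A) == naive_mac(KEY, *SPLIT_B))    # True: same tag
    print(mac_fields(KEY, *SPLIT_A) == mac_fields(KEY, *SPLIT_B))  # False
```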

Slide 36

Alternative MAC 1: CBC-MAC
• CBC-MAC: use CBC with IV = 0 and return the last block as the MAC
  • H0 = IV. The IV should be fixed, generally 0.
  • Hi = E(K, Pi ⊕ Hi−1)
  • MAC = Hk
• Why IV = 0?
• CBC-MAC is good and secure, but suffers from certain types of collision attacks.
• So, use CMAC.

Slide 37

Alternative MAC 2: CMAC
• Same as CBC-MAC, except for the way the last block is handled
• Generate two keys k1 and k2 from the MAC key k
• Calculate the MAC using CBC-MAC, except for the last block.
• Change the last block (mn′) to the following before applying CBC-MAC:
  • If mn′ is a complete block:
    • mn = k1 ⊕ mn′
  • else mn = k2 ⊕ (mn′ ∥ 10…0₂), i.e. a single 1 bit followed by zeros up to the block size.

Slide 38

Secure Channel

Slide 39

Alice wants the following
• Eve shouldn't learn anything about the messages except for their timing and size
• Bob should only get proper messages and be able to figure out the correct order.
• Duplicates are detected
• Message modifications are detected
• By now you have probably guessed that this can be achieved by a combination of encryption and authentication

Slide 40

Authentication and Encryption
Three possibilities:
1. MAC, then encrypt everything including the MAC
2. Encrypt, then MAC the encrypted message
3. Encrypt and MAC the plaintext message
• Which one to use?

Slide 41

Encrypt and MAC the plaintext message
• Not recommended, as any weakness in the MAC will leak information about the message.

Slide 42

MAC and then encrypt the whole message including the MAC
• Eve only gets to see the ciphertext and the encrypted MAC
• Much harder to attack the MAC
• This is fine to use.
• Potential timing attacks with padding (the TLS Lucky 13 attack)

Slide 43

Encrypt and then MAC the encrypted message
• Can drop an invalid message fast, without decryption
• Is not fully in line with Horton's principle
  • There may be ambiguity
• This is good to use
• We will use this and add authenticated headers to remove the ambiguity

Slide 44

Secure Channel: Generate Keys
• KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
• KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
• KEYSENDAUTH ← HMAC-SHA2(K, "Auth Alice to Bob")
• KEYRECAUTH ← HMAC-SHA2(K, "Auth Bob to Alice")
• Swap the encryption and decryption keys if the message is from Bob to Alice

Slide 45

Message counters
• Two message counters
  • Cab = Alice-to-Bob message counter
  • Cba = Bob-to-Alice message counter
• Both Alice and Bob store the state of both counters
• Initialize both to 0.

Slide 46

Alice sending a message to Bob
• We will only go through this direction
• Bob to Alice is identical

Slide 47

Choosing the CTR counter
• It is recommended that the number of blocks encrypted with an AES 128-bit key be < 2^64 − 1
• This is because after 2^64 blocks you will be able to distinguish the output from random
• To ensure that, we use a counter for messages sent from Alice to Bob that never repeats, and keep the number of blocks encrypted < 2^64
• Counter = (Cab || i) for the ith block in this particular message.
• Ensure that Cab < 2^32 − 1
• Ensure that length(m) < (2^32 − 1) * block_size

Slide 48

Alice sending a message
• Ensure that Cab < 2^32 − 1
• Increment Cab
• Ensure that length(m) < (2^32 − 1) * block_size
• Use Counter = (Cab || i) for the ith block for AES-CTR
Message layout: Header [Version | Cab | Length | Type] || Encrypted message || HMAC-SHA2 (computed over the header and the encrypted message)

Slide 49

Bob: Receiving a message
• Ensure that Cab > the last received Cab
• Check the HMAC of the message
  • Drop if it does not match
• Store Cab. Check Version.
• Decrypt using AES CTR
  • Counter = (Cab || i) for the ith block
• Check Type and process accordingly.
Message layout: Header [Version | Cab | Length | Type] || Encrypted message || HMAC-SHA2
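An added example, not from the slides, that puts slides 44 to 49 together as a small Python secure channel: per-direction keys derived with HMAC-SHA2, the Version | Cab | Length | Type header, CTR encryption with Counter = Cab || i, encrypt-then-MAC over header and ciphertext, and the receiver's checks. AES is stood in for by HMAC-SHA256 truncated to one block, the shared key K is constructed, and the receiver verifies the MAC (in constant time) before it trusts any header field.

```python
# Added example, not from the slides: the send/receive procedure of
# slides 44 to 49. AES-CTR's E(K, Cab || i) is replaced by HMAC-SHA256
# truncated to one block (a keyed PRF stand-in, not AES); the frame layout
# and checks are the slides', except that the MAC is verified before any
# header field is trusted. The shared key K below is constructed.
import hmac, hashlib, struct

VERSION, BLOCK, TAG_LEN = 1, 16, 32
HDR = struct.Struct(">BIIB")          # Version | Cab | Length | Type

def derive_keys(k: bytes) -> dict:
    """Slide 44: one key per direction and purpose, HMAC-SHA2(K, label)."""
    return {label: hmac.new(k, label.encode(), hashlib.sha256).digest()
            for label in ("Enc Alice to Bob", "Enc Bob to Alice",
                          "Auth Alice to Bob", "Auth Bob to Alice")}

def ctr(key: bytes, cab: int, data: bytes) -> bytes:
    """Counter = Cab || i for the i-th block; XOR data with the keystream."""
    out = b""
    for off in range(0, len(data), BLOCK):
        ks = hmac.new(key, struct.pack(">II", cab, off // BLOCK + 1), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return out

class Endpoint:
    def __init__(self, k: bytes, is_alice: bool):
        keys = derive_keys(k)
        tx, rx = ("Alice to Bob", "Bob to Alice") if is_alice else ("Bob to Alice", "Alice to Bob")
        self.enc_send, self.enc_recv = keys["Enc " + tx], keys["Enc " + rx]
        self.auth_send, self.auth_recv = keys["Auth " + tx], keys["Auth " + rx]
        self.c_send = self.c_recv = 0           # slide 45: both counters start at 0

    def send(self, msg_type: int, m: bytes) -> bytes:
        """Slide 48: check limits, bump Cab, encrypt, MAC header + ciphertext."""
        if self.c_send >= 2**32 - 1 or len(m) >= (2**32 - 1) * BLOCK:
            raise ValueError("counter or message limit reached; rekey first")
        self.c_send += 1
        body = HDR.pack(VERSION, self.c_send, len(m), msg_type) + ctr(self.enc_send, self.c_send, m)
        return body + hmac.new(self.auth_send, body, hashlib.sha256).digest()

    def receive(self, frame: bytes):
        """Slide 49: returns (type, plaintext), or None when the frame is dropped."""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.auth_recv, body, hashlib.sha256).digest()):
            return None                          # MAC mismatch: drop
        version, cab, length, msg_type = HDR.unpack(body[:HDR.size])
        if version != VERSION or cab <= self.c_recv or len(body) != HDR.size + length:
            return None                          # wrong version, replay/reorder or bad length
        self.c_recv = cab                        # store Cab only after every check passed
        return msg_type, ctr(self.enc_recv, cab, body[HDR.size:])

if __name__ == "__main__":
    alice, bob = Endpoint(b"K", True), Endpoint(b"K", False)
    frame = alice.send(1, b"Buy INTC 50 90 shares")
    print(bob.receive(frame))    # (1, b'Buy INTC 50 90 shares')
    print(bob.receive(frame))    # None: a replayed Cab is rejected
    print(bob.receive(frame[:HDR.size] + bytes([frame[HDR.size] ^ 1]) + frame[HDR.size + 1:]))  # None
```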

Slide 50

Exchanging keys

Slide 51

How to exchange the key K?

Slide 52

General idea of key exchange

Slide 53

Mod p operations
• 9 mod 7 = 2
  • Remainder left after division
  • 9 = 7*1 + 2
• 16 mod 7 = 2
  • 16 = 7*2 + 2

Slide 54

Basic Diffie-Hellman key exchange
Alice → Bob: g^x
Bob → Alice: g^y
Alice computes K = (g^y)^x; Bob computes K = (g^x)^y

Slide 55

Other values
Pre-known/exchanged values:
• p, g, q (may be exchanged as part of the protocol)
• Always check:
  • p = Nq + 1
  • (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is a large enough prime (≥ 2048 bits)
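An added example, not from the slides: Diffie-Hellman in Python over a constructed toy group (p = 23, q = 11, g = 4) with the checks listed above applied to the parameters and to each received public value before the shared key is computed; the toy sizes are for illustration only.

```python
# Added example, not from the slides: Diffie-Hellman over a constructed toy
# group (p = 23, q = 11, g = 4, far too small for real use) with the checks
# from the slide applied to the parameters and to every received public
# value before the shared key is computed.
import secrets

def is_prime(n: int) -> bool:
    """Trial division; enough for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def check_params(p: int, q: int, g: int) -> None:
    """Slide: p = N*q + 1 with p and q prime, g != 1 and g^q = 1 mod p."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    if (p - 1) % q != 0:
        raise ValueError("p is not of the form N*q + 1")
    if g in (0, 1, p - 1) or pow(g, q, p) != 1:
        raise ValueError("g does not generate the order-q subgroup")

def check_public_value(y: int, p: int, q: int) -> None:
    """Slide: g^x != 1 and (g^x)^q = 1 mod p, i.e. y lies in the subgroup."""
    if not 1 < y < p - 1 or pow(y, q, p) != 1:
        raise ValueError("peer public value is not in the subgroup")

def keygen(p: int, q: int, g: int) -> tuple:
    x = secrets.randbelow(q - 1) + 1      # private exponent in [1, q - 1]
    return x, pow(g, x, p)

def shared_key(peer_public: int, own_private: int, p: int, q: int) -> int:
    """K = (g^y)^x mod p, computed only after the peer's value passes the checks."""
    check_public_value(peer_public, p, q)
    return pow(peer_public, own_private, p)

P, Q, G = 23, 11, 4   # constructed: 23 = 2*11 + 1 and 4 has order 11 mod 23

def demo() -> bool:
    check_params(P, Q, G)
    x, gx = keygen(P, Q, G)
    y, gy = keygen(P, Q, G)
    return shared_key(gy, x, P, Q) == shared_key(gx, y, P, Q)

if __name__ == "__main__":
    print(demo())   # True
```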

Slide 56

Man in the middle
Alice → Eve: g^x (Alice believes she is talking to Bob)
Eve → Bob: g^v
Bob → Eve: g^y
Eve → Alice: g^w
Alice computes K = (g^w)^x; Bob computes K = (g^v)^y
Eve computes (g^x)^w, the K Alice holds, and (g^y)^v, the K Bob holds

Slide 57

So, how to exchange?
• Assume there is some way to authenticate messages.
  • We will see how to do that in public/private key cryptography
• Authenticated DH protocol
• First we will look at RSA public/private key cryptography

Slide 58

Asymmetric (Public/Private Key) Cryptography

Slide 59

Asymmetric (Public/Private) Cryptography
Alice and Bob exchange public keys when they meet at a party

Slide 60

Asymmetric (Public/Private) Cryptography: Signing
Alice signs with Alice's private key ("Buy 20 shares of INTC"); Bob verifies with Alice's public key and performs the transaction

Slide 61

Asymmetric (Public/Private) Cryptography: Encryption
Alice encrypts with Bob's public key (secret message); Bob decrypts with Bob's private key and reads the secret message

Slide 62

RSA: key generation (1/2)
• Generate two distinct large prime numbers p and q
• Calculate n = p * q
• Compute t = (p−1)(q−1) OR t = lcm(p−1, q−1)
• Choosing t like this implies (for x coprime to n)
  • x^t = 1 mod n
  • x^(t+1) = x mod n
• Proof by authority!

Slide 63

RSA: key generation (2/2)
• Choosing t like this implies x^(kt+1) = x mod n
• Proof by authority!
• Choose ed = 1 mod t, i.e. ed = kt + 1 for some integer k
• A common e value is 2^16 + 1 = 65,537
• Public key: n, e
• Private key: n, d

Slide 64

Example RSA key generation
• p = 61 and q = 53
• n = 61 * 53 = 3233
• t = (p−1)(q−1) = (61−1)(53−1) = 3120
• Let e = 17. Then solving ed = 1 mod t gives
  • d = 2753
  • 2753 * 17 = 15 * 3120 + 1
  • 46801 = 46800 + 1

Slide 65

RSA encryption / decryption
• c = m^e mod n
• m = c^d mod n
• X = (m^e)^d mod n
• We know ed = kt + 1
• X = m^(kt+1) mod n
• Or X = (m^t)^k * m mod n
• We also know, for any x (coprime to n): x^t = 1 mod n
• So X = 1^k * m mod n = m
• Hence we can decrypt!

Slide 66

RSA encryption / decryption example
• Let m = 65. Then, using the previous e = 17, d = 2753, n = 3233:
  • c = 65^17 mod 3233 = 2790
  • m = 2790^2753 mod 3233 = 65

Slide 67

RSA: why not to sign/encrypt data directly
• If you sign m1 and m2
  • m1^d (mod n)
  • m2^d (mod n)
• An attacker can compute m3^d (mod n) = m1^d * m2^d (mod n), a valid signature on m3 = m1 * m2 (mod n) that was never signed
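An added example, not from the slides, reproducing the slide's key generation and the 65 → 2790 → 65 round trip in Python, followed by the multiplicative property of slide 67 on two constructed messages (5 and 7).

```python
# Added example, not from the slides: the slide's numbers (p = 61, q = 53,
# e = 17) worked in Python, plus the mult property of slide 67
# that makes unpadded RSA signatures combinable without the private key.
from math import gcd

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Returns (n, e, d) with e*d = 1 mod t and t = (p-1)(q-1)."""
    n, t = p * q, (p - 1) * (q - 1)
    if gcd(e, t) != 1:
        raise ValueError("e must be coprime to t")
    return n, e, pow(e, -1, t)        # modular inverse (Python 3.8+)

def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)               # c = m^e mod n

def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)               # m = c^d mod n

def sign_raw(m: int, n: int, d: int) -> int:
    return pow(m, d, n)               # textbook signing: no hash, no padding

def combine_signatures(s1: int, s2: int, n: int) -> int:
    """Slide 67: m1^d * m2^d = (m1 * m2)^d mod n, a valid raw signature on
    m1 * m2 that nobody ever signed; this is why RSA-PSS pads first."""
    return (s1 * s2) % n

if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)
    print(n, d)                                          # 3233 2753
    print(encrypt(65, n, e), decrypt(2790, n, d))        # 2790 65
    s1, s2 = sign_raw(5, n, d), sign_raw(7, n, d)
    print(combine_signatures(s1, s2, n) == sign_raw(35, n, d))   # True
```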

Slide 68

What is recommended?
• Use one of the standards for signing and encryption
  • Signing: RSA-PSS (RSA Probabilistic Signature Scheme)
  • Encryption: RSA-OAEP (RSA Optimal Asymmetric Encryption Padding)
• Don't use the same key for encryption and signing
  • An attacker may be able to exploit decryption (public key operation) to get signatures (private key operation) from you, or the other way around
  • Encryption keys and signing keys generally have different lifetimes

Slide 69

Elliptic curve cryptography

Slide 70

Elliptic curve example: y^2 = x^3 + ax + b

Slide 71

Point addition on the curve: A + B
(Diagram: points A and B on the curve and their sum A + B.)

Slide 72

Point inverse
(Diagram: a point P and its inverse −P.)

Slide 73

What about P + P?
(Diagram: 2P = P + P.)

Slide 74

Elliptic curve discrete logarithm problem
• With a curve of the form y^2 = x^3 + ax + b mod p, where p is a large prime, and the operation point addition +
• P + P + … + P = dP = T
• Given dP and P, it should be hard to compute d.
• d is kept secret, like a private key
• Intuitively: P + P + P … for very large d (> 160 bits)
Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

Slide 75

Example of ECC usage: ECDH (simplified)
Given a prime p, a suitable elliptic curve E and a point P = (xP, yP):
Alice: choose kPrA = a ∈ {2, 3, …, #E − 1}; compute kPubA = A = aP = (xA, yA)
Bob: choose kPrB = b ∈ {2, 3, …, #E − 1}; compute kPubB = B = bP = (xB, yB)
Alice → Bob: A
Bob → Alice: B
Alice computes aB = TAB; Bob computes bA = TAB
• One of the coordinates of the point TAB (usually the x-coordinate) can be used as the session key (often after applying a hash function)
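An added example, not from the slides: point addition, doubling and scalar multiplication on the toy curve y^2 = x^3 + 2x + 2 mod 17 with P = (5, 1) of order 19 (the small example in Paar and Pelzl's textbook, which slide 74 cites), followed by the simplified ECDH above with constructed private scalars.

```python
# Added example, not from the slides: point addition, doubling and scalar
# multiplication on a toy curve, then the simplified ECDH of slide 75.
# Curve y^2 = x^3 + 2x + 2 mod 17 with P = (5, 1) of order 19 is the small
# example from Paar and Pelzl's book (cited on slide 74); illustration only.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19      # #E: number of points, including the point at infinity
INF = None      # the point at infinity, the neutral element

def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Slides 71 to 73: chord through distinct points, tangent for P + P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # P + (-P) = infinity
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(d: int, pt):
    """dP = P + P + ... + P (slide 74) by double-and-add."""
    result, addend = INF, pt
    while d > 0:
        if d & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        d >>= 1
    return result

def ecdh_keypair(priv: int):
    """kPr = a in {2, ..., #E - 1}; kPub = aP."""
    if not 2 <= priv <= ORDER - 1:
        raise ValueError("private scalar out of range")
    return priv, mul(priv, G)

def ecdh_shared(priv: int, peer_pub) -> int:
    """T_AB = aB = bA; its x-coordinate is the session key material."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public point is not on the curve")
    return mul(priv, peer_pub)[0]

if __name__ == "__main__":
    a, A_pub = ecdh_keypair(3)      # constructed private scalars
    b, B_pub = ecdh_keypair(10)
    print(ecdh_shared(a, B_pub) == ecdh_shared(b, A_pub))   # True
```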

Slide 76

Elliptic curve summary
• Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem.
• ECC provides the same level of security as RSA or discrete logarithm systems with much shorter key sizes (160 to 256 bits vs 1024 to 3072 bits)
• ECC can be used for key exchange, signatures and encryption
• ECC generally has a performance advantage over RSA

Slide 77

Diffie-Hellman

Slide 78

Why the DH protocol?
• A lot of the time the security certificate only supports signing
• Perfect forward secrecy
  • Even if you find my private keys later, you cannot decrypt my communication

Slide 79

Reminder: Basic Diffie-Hellman key exchange
Alice → Bob: g^x
Bob → Alice: g^y
Alice computes K = (g^y)^x; Bob computes K = (g^x)^y

Slide 80

Reminder: DH
Pre-known/exchanged values:
• p, g, q (may be exchanged as part of the protocol)
• Always check:
  • p = Nq + 1
  • (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is a large enough prime (≥ 2048 bits)

Slide 81

Attempt 1: Authenticated DH
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y)
Alice → Bob: SigA(g^x, g^y)
Any issues?

Slide 82

Identity misbinding attack on DH
Alice → Eve: A, g^x
Eve → Bob: E, g^x (Eve forwards Alice's value under her own identity)
Bob → Eve: B, g^y, SigB(g^x, g^y)
Eve → Alice: B, g^y, SigB(g^x, g^y)
Alice → Eve: SigA(g^x, g^y)
Eve → Bob: SigE(g^x, g^y)
Eve doesn't know K = g^xy, but Bob thinks that anything coming from Alice is coming from Eve

Slide 83

Authenticated DH
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y, A)
Alice → Bob: SigA(g^x, g^y, B)

Slide 84

Limitations
• Both parties need to know each other's identity before they can authenticate
• Leaves a signed proof of communication (signing the peer's identity)
• Sigma solves these issues

Slide 85

Sigma basic version
Alice → Bob: g^x
Bob → Alice: B, g^y, SigB(g^x, g^y), MacKm(B)
Alice → Bob: A, SigA(g^x, g^y), MacKm(A)
• Km is derived from g^xy
• Does not require knowing the peer's id for one's own authentication
• Adds deniability
For comparison, Authenticated DH:
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y, A)
Alice → Bob: A, SigA(g^x, g^y, B)

Slide 86

Sigma-I: Active protection of the initiator's ID
Alice → Bob: g^x
Bob → Alice: g^y, {B, SigB(g^x, g^y), MACKm(B)}Ke
Alice → Bob: {A, SigA(g^x, g^y), MACKm(A)}Ke
• Km and Ke are derived from g^xy
• The initiator's id is protected and not revealed except to an authenticated party

Slide 87

Sigma-R: Active protection of the responder's ID
Alice → Bob: g^x
Bob → Alice: g^y
Alice → Bob: {A, SigA(g^x, g^y), MACKm(A)}Ke
Bob → Alice: {B, SigB(g^x, g^y), MACKm′(B)}Ke′
• Km and Ke are derived from g^xy
• The responder's ID is not revealed until the initiator's is revealed

Slide 88

Next Part
• EPID-based Sigma key exchange
• PKI: Public key infrastructure
• Why random numbers are important
• Clocks and monotonic counters
• Storing secrets
• Analysis of common protocols
  • TLS
  • Sigma key exchange
  • IKE and IPsec