CSCD27 Cryptography Protocols

Transcript

1. Cryptographic Hash Functions Thierry Sans

2. Cryptographic hashing H(mn) = m’n’ is a hash function if

   • H is one-way function • n (bit length) is unbounded • n’ is short (and usually fixed) ➡ H is a lossy compression function Two families of hash functions • Non-keyed a.k.a message digest 
 e.g. password protection, digital signatures • Keyed a.k.a MAC - Message Authentication Code 
 e.g. message integrity H(mn) = m’n’ Hk(mn) = m’n’ H m1 m2 m3 x1 x2

3. Computational complexity • Given H and m, computing x is

   easy (polynomial or linear) • Given H and x, computing m is hard (exponential) ➡ H is not invertible H m x

4. Preimage resistance and collision resistance PR - Preimage Resistance ➡

   given H and x, hard to find m 
 e.g. password storage 2PR - Second Preimage Resistance ➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x
 e.g. virus resistance (Tripwire tool) CR - Collision Resistance ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x
 e.g. digital signatures CR 㱺 2PR 㱺 PR H m x

5. Hash functions in practice

6. Non-keyed vs Keyed hash functions Most hash functions require an

   IV (Initialization Vector) • Non keyed
 the IV (Initialization Vector) is fixed • Keyed
 the key is supplied as the IV ➡ The commonly used standards are non keyed H(mn) = m’n’ Hk(mn) = m’n’ n bits n’ bits H m x IV n’ bits

7. Common hash functions Name MD5 SHA-1 SHA-2 SHA-3 Variant SHA-224

   SHA-256 SHA-384 SHA-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Year 1992 1993 2001 2012 Designer Rivest NSA NSA Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche Input 
 n bits 512 512 512 512 1024 1024 1152 1088 832 576 Output 
 n’ bits 128 160 224 256 384 512 224 256 384 512 Speed
 cycle/byte 6.8 11.4 15.8 17.7 12.5 Considered
 Broken yes yes no no n bits n’ bits H m x IV n’ bits

8. How to hash long messages ? Merkle–Damgård construction Property :

   if H is CR then Merkel-Damgard is CR x H IV m1 m2 m3 m4 m4 p H H H H m split m in blocks of n bits and add padding p n n’ n’ n bits n’

9. Security of hash functions

10. Brute-forcing a hash function CR - Collision Resistance ➡ given

    H, hard to find m and m’ such that H(m) = H(m’) = x Given a hash function H of n bits input output • Reaching all possibilities • On average, an attacker should try half of them H m x 2n cases 2n-1 cases

11. Birthday Paradox “There are 50% chance that 2 people have

    the same birthday in a room of 23 people” N-bits security ➡ Given a hash function H of n bits output, 
 a collision can be found in around 2n/2 evaluations
 e.g SHA-256 is 128 bits security

12. Broken hash functions beyond the birthday paradox Year Collision MD5

    2013 224 evaluations (239 with prefix) SHA-1 2015 257 evaluations

13. Playing with cryptography
 beyond confidentiality

14. Security goals Let us consider 3 new security goals (beyond

    confidentiality) • Integrity : protecting the content of a message • Authentication : protecting the origin of a message • Non-repudiation : protecting the identity of the originator

15. Security mechanisms Hash MAC Digital Signature Integrity Authentication Non- repudiation

    Keys None Symmetric Asymmetric

16. Hashing (Integrity) m || H(m) Integrity

17. MAC - Message Authentication Code Alice an Bob share a

    key k ➡ Option 1 : using a keyed hash function on the message MACk (m) = Hk (m) ➡ Option 2 : using a non-keyed hash function on the message (HMAC) MACk (m) = H(k || m) m || MACk(m) k MAC key k Integrity Authentication

18. Length extension attack MACk (m || m’) = H(MACk (m)

    || m’) Vulnerable : MD5, SHA-1 and SHA-2 (but not SHA-3) ➡ Assignment 3 - Part 3

19. Good MAC with non-keyed hash Alice an Bob share a

    key k ➡ Option 1 : envelope method MACk (m) = H(k || m || k) ➡ Option 2 : padding method 
 pad(k,m) returns a message with a length factor of the hash input a = H(pad(k,m) || m) MACk (m) = H(pad(k,a) || a) m || MACk(m) k MAC key k Integrity Authentication

20. MAC with symmetric encryption k MAC key m || MACk(m)

    k Integrity Authentication Alice an Bob share a key k ➡ Encrypt the hash using symmetric encryption (DES, AES …) MACk(m) = Ek(H(m))

21. MAC and Confidentiality Alice an Bob share two keys Ke

    and Km Option 1 EKe(m) || HKm(m) e.g SSH Option 2 EKe(m || HKm(m)) e.g SSL Option 3 EKe(m) || HKm(EKe(m)) e.g IPsec Ke encryption key Km MAC key ke km Integrity Authentication Confidentiality

22. Digital Signatures Ksa Alice’s Secret Key Ksb Kpa, Kpb public

    keys m || SIGKsa(m) Integrity Authentication Non-repudiation Alice an Bob have a pair of asymmetric keys ➡ Use public cryptography to sign and verify SIGKsa(m) = EKsa(H(m)) VERKpa(m, s) = (DKpa(s) == H(m)) VERKpa(m, SIGKsa(m))
23. None

24. Digital Signatures and Confidentiality Ksa Alice’s Secret Key Ksb Kpa,

    Kpb public keys Integrity Authentication Non-repudiation Confidentiality Alice an Bob have a pair of asymmetric keys ➡ Use public cryptography to encrypt, sign and verify EKpb(m) || SIGKsa(m) ๏ Too slow to encrypt long message

25. Digital Signatures and Confidentiality Ksa Alice’s Secret Key Ksb Kpa,

    Kpb public keys Integrity Authentication Non-repudiation Confidentiality 1. Alice generates an asymmetric session key k 2. Use both symmetric and asymmetric cryptography to encrypt, sign and verify the message and the key EKpb(k) || Ek(m || EKsa(H(m))

26. Hey, this how GPG works ! source “GNU_Privacy_Guard” on Wikipedia

27. ✓ HTTPS = HTTP + TLS ➡ TLS - Transport

    Layer Security (a.k.a SSL) provides • confidentiality : end-to-end secure channel • integrity : authentication handshake
 Hey, this how HTTPS works ! example.com HTTPS request HTTPS response Who are you? I am example.com

28. Are we done with cryptography yet ? NO ! Problem

    1 The mechanics of mutual authentication and keys exchange is prone to attacks (e.g. replay attack, man-in-the-middle attack) ➡ Cryptography Protocols Problem 2 Alice has never seen Bob, how can she trust his identity ➡ Trust Models

29. Cryptography Protocols

30. Definition Protocol Expected behaviors when engaging in communication Computer(-to-computer) protocol

    • Communication protocols (Ethernet, TCP, IP, Email, Web…) • Security protocols • Authentication protocol • Key-exchange protocol

31. Protocol Goal Assumptions • 3 principals Alice, Bob, Mallory have

    published public keys • They can talk to each using the same protocol Goal When two parties engage in the communication, they want to 1. make sure that they talk to the right person (authentication) 2. exchange a symmetric session key

32. The attacker model The attacker has the same privileges as

    the other principals 1. send and receive messages 2. encrypt and decrypt with known keys In addition, the attacker has full control over the network 3. intercept messages

33. Authentication, key exchange and message exchange EKpb(“Hi, I am Alice!”,

    Kab) “Hi, Alice!” EKab(mb) EKab(ma)

34. Replay attack EKpm(A, Kab) EKpb(A, Kab) “Hi, Alice!” ๏ Bob

    believes he is talking to Alice !

35. Challenge-Response using a password and pkey EKpb(A, Kab) “Hi, Alice!”

    “What is your password?” EKpb(pwd)

36. Eavesdrop and replay attack EKpb(A, Kab) “Hi, Alice!” “What is

    …?” EKpb(pwd) ๏ Bob believes he is talking to Alice !

37. Challenge-Response using a nonce EKpb(A, Kab) “Hi, Alice!” EKpa(n) EKpb(n)

38. The attacker pretends to be Bob EKpb(A, Kab) “Hi, Alice!”

    EKpa(n) EKpb(n) ๏ No Mutual Authentication

39. The (almost) Needham-Shroeder protocol (1978) EKpb(A, Kab, nb) EKpa(na, nb)

    “Hi, Alice!” EKpb(na)

40. Man-in-the-middle attack (Lowe’s 1995) EKpm(A, Kab, nb) “Hi, Alice!” EKpa(na,

    nb) EKpb(A, Kab, nb) EKpb(na) EKbm(na)

41. Trust Models

42. Two trust models How to establish the authenticity of the

    binding between someone and its public key ? Centralized trust model ➡ PKI - Public Key Infrastructure Decentralized trust model ➡ Web of Trust

43. Do you trust the GPG key ? Alice should verify

    Bob’s public key fingerprint • either by communicating with Bob over another channel • or by trusting someone that already trusts Bob ➡ the web of trust Alice Bob I am Bob! Pkm

44. The web of trust Alice Dan Erin Carol Bob trust

    i.e has_signed Pk transitive trust

45. Do you trust the network ? example.com I am example.com!

    The browser should verify the certificate ➡ PKI - Public Key Infrastructure

46. Generating and using (self-signed) certificates Who are you? I am

    example.com I don’t know

47. Self-signed certificates
 are not trusted by
 your browser

48. Signed Certificate Certificate Authority (CA) Who are you? I am

    example.com I trust so

49. The Chain of Trust Root CA Intermediate CA Intermediate CA

    I trust 
 so ⇒ ⇒ ⇒

50. Your browser trusts many root CAs by default

51. Real attacks