ThierrySans
September 29, 2016

# CSCD27 Cryptography Protocols

## Transcript

2. ### Cryptographic hashing

$H(m_n) = m'_{n'}$ is a hash function if

- H is a one-way function
- n (bit length) is unbounded
- n' is short (and usually fixed)

➡ H is a lossy compression function

Two families of hash functions

- Non-keyed, a.k.a. message digest: $H(m_n) = m'_{n'}$, e.g. password protection, digital signatures
- Keyed, a.k.a. MAC - Message Authentication Code: $H_k(m_n) = m'_{n'}$, e.g. message integrity

(Diagram: H with inputs m1, m2, m3 and outputs x1, x2.)
3. ### Computational complexity

- Given H and m, computing x is easy (polynomial or linear)
- Given H and x, computing m is hard (exponential)

➡ H is not invertible

(Diagram: m → H → x)
4. ### Preimage resistance and collision resistance

- PR - Preimage Resistance ➡ given H and x, hard to find m, e.g. password storage
- 2PR - Second Preimage Resistance ➡ given H, m and x, hard to find m' such that H(m) = H(m') = x, e.g. virus resistance (Tripwire tool)
- CR - Collision Resistance ➡ given H, hard to find m and m' such that H(m) = H(m') = x, e.g. digital signatures

CR ⇒ 2PR ⇒ PR

6. ### Non-keyed vs Keyed hash functions

Most hash functions require an IV (Initialization Vector)

- Non-keyed: the IV is fixed, $H(m_n) = m'_{n'}$
- Keyed: the key is supplied as the IV, $H_k(m_n) = m'_{n'}$

➡ The commonly used standards are non-keyed

(Diagram: H takes a message m of n bits and an IV of n' bits, and outputs x of n' bits.)
7. ### Common hash functions

| Name | Variant | Year | Designer | Input n (bits) | Output n' (bits) | Speed (cycles/byte) | Considered broken |
|---|---|---|---|---|---|---|---|
| MD5 | | 1992 | Rivest | 512 | 128 | 6.8 | yes |
| SHA-1 | | 1993 | NSA | 512 | 160 | 11.4 | yes |
| SHA-2 | SHA-224 | 2001 | NSA | 512 | 224 | 15.8 | no |
| | SHA-256 | | | 512 | 256 | | |
| | SHA-384 | | | 1024 | 384 | 17.7 | |
| | SHA-512 | | | 1024 | 512 | | |
| SHA-3 | SHA3-224 | 2012 | Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche | 1152 | 224 | 12.5 | no |
| | SHA3-256 | | | 1088 | 256 | | |
| | SHA3-384 | | | 832 | 384 | | |
| | SHA3-512 | | | 576 | 512 | | |
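8. ### How to hash long messages?

Merkle–Damgård construction

Split m into blocks of n bits and add padding p.

Property: if H is CR then Merkle–Damgård is CR

(Diagram: the blocks m1, m2, m3, m4 and the padding p are fed through a chain of H calls that starts from the IV and ends with x; blocks are n bits, chained values are n' bits.)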

10. ### Brute-forcing a hash function

CR - Collision Resistance ➡ given H, hard to find m and m' such that H(m) = H(m') = x

Given a hash function H of n bits output

- Reaching all possibilities: $2^n$ cases
- On average, an attacker should try half of them: $2^{n-1}$ cases

(Diagram: m → H → x)
11. ### Birthday Paradox

“There is a 50% chance that 2 people have the same birthday in a room of 23 people”

N-bits security ➡ Given a hash function H of n bits output, a collision can be found in around $2^{n/2}$ evaluations

e.g. SHA-256 is 128 bits security
12. ### Broken hash functions beyond the birthday paradox

| | Year | Collision |
|---|---|---|
| MD5 | 2013 | $2^{24}$ evaluations ($2^{39}$ with prefix) |
| SHA-1 | 2015 | $2^{57}$ evaluations |
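The birthday bound from slide 11, measured rather than stated. This is an added example, not part of the original deck: it truncates SHA-256 to a small number of bits (so the search finishes quickly) and counts evaluations until the first collision; the function names and the `msg-`/`trial-` inputs are constructed for the demonstration.

```python
import hashlib
import itertools
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data), as an integer (a small n'-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int, salt: bytes = b""):
    """Hash distinct inputs until two of them share a digest.

    Returns (m, m2, evaluations) with m != m2 and equal truncated hashes."""
    seen = {}                                   # digest -> first input that produced it
    for i in itertools.count():
        m = salt + b"msg-%d" % i                # constructed, all distinct
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m

def mean_evaluations(bits: int, trials: int = 20) -> float:
    """Average collision cost over several independent input sequences."""
    costs = [find_collision(bits, b"trial-%d-" % t)[2] for t in range(trials)]
    return sum(costs) / trials

def birthday_estimate(bits: int) -> float:
    """Expected evaluations to a first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    for bits in (16, 20, 24):
        print(f"n'={bits:2d}  measured={mean_evaluations(bits):8.0f}  "
              f"birthday={birthday_estimate(bits):8.0f}  "
              f"brute force 2^(n'-1)={2 ** (bits - 1)}")
```

The measured cost tracks $2^{n'/2}$, far below the $2^{n'-1}$ of slide 10, which is why a hash needs an output twice as long as the security level it is meant to give.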

14. ### Security goals

Let us consider 3 new security goals (beyond confidentiality)

- Integrity: protecting the content of a message
- Authentication: protecting the origin of a message
- Non-repudiation: protecting the identity of the originator
15. ### Security mechanisms

| | Hash | MAC | Digital Signature |
|---|---|---|---|
| Keys | None | Symmetric | Asymmetric |

Goals compared for each mechanism: Integrity, Authentication, Non-repudiation

17. ### MAC - Message Authentication Code

Alice and Bob share a key k

➡ Option 1: using a keyed hash function on the message

$MAC_k(m) = H_k(m)$

➡ Option 2: using a non-keyed hash function on the message (HMAC)

$MAC_k(m) = H(k \| m)$

(Diagram: the message sent is $m \| MAC_k(m)$; k is the MAC key. Goals covered: Integrity, Authentication.)
18. ### Length extension attack

$MAC_k(m \| m') = H(MAC_k(m) \| m')$

Vulnerable: MD5, SHA-1 and SHA-2 (but not SHA-3)

➡ Assignment 3 - Part 3
19. ### Good MAC with non-keyed hash

Alice and Bob share a key k

➡ Option 1: envelope method

$MAC_k(m) = H(k \| m \| k)$

➡ Option 2: padding method

pad(k,m) returns a message whose length is a multiple of the hash input size

$a = H(pad(k,m) \| m)$

$MAC_k(m) = H(pad(k,a) \| a)$

(Diagram: the message sent is $m \| MAC_k(m)$; k is the MAC key. Goals covered: Integrity, Authentication.)
20. ### MAC with symmetric encryption

Alice and Bob share a key k

➡ Encrypt the hash using symmetric encryption (DES, AES …)

$MAC_k(m) = E_k(H(m))$

(Diagram: the message sent is $m \| MAC_k(m)$; k is the MAC key. Goals covered: Integrity, Authentication.)
21. ### MAC and Confidentiality

Alice and Bob share two keys $K_e$ (encryption key) and $K_m$ (MAC key)

- Option 1: $E_{K_e}(m) \| H_{K_m}(m)$, e.g. SSH
- Option 2: $E_{K_e}(m \| H_{K_m}(m))$, e.g. SSL
- Option 3: $E_{K_e}(m) \| H_{K_m}(E_{K_e}(m))$, e.g. IPsec

Goals covered: Integrity, Authentication, Confidentiality
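The padding method of slide 19 and Option 3 of slide 21, put together as an added example (not code from the original deck). `hmac_sha256` is the standardised HMAC, which follows the same two-pass "padded key, then hash again" shape as the slide; `toy_stream` is a constructed stand-in for AES so the block runs with the standard library only, and `seal`/`open_sealed` are hypothetical names.

```python
import hashlib
import hmac
import os

BLOCK = 64  # SHA-256 input block size in bytes (n = 512 bits)

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC: H((k XOR opad) || H((k XOR ipad) || m)), key padded to one block."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()

def toy_stream(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); illustration only, not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(ke + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(d ^ p for d, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(ke: bytes, km: bytes, msg: bytes) -> bytes:
    """Option 3: E_Ke(m) || H_Km(E_Ke(m)), with separate keys Ke and Km."""
    nonce = os.urandom(16)
    ct = nonce + toy_stream(ke, nonce, msg)
    return ct + hmac_sha256(km, ct)

def open_sealed(ke: bytes, km: bytes, blob: bytes) -> bytes:
    """Check the MAC over the ciphertext first; decrypt only if it matches."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac_sha256(km, ct), tag):  # constant-time compare
        raise ValueError("MAC check failed: message rejected before decryption")
    return toy_stream(ke, ct[:16], ct[16:])

if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)       # constructed keys
    blob = seal(ke, km, b"transfer 10 to Bob")
    print(open_sealed(ke, km, blob))
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        open_sealed(ke, km, tampered)
    except ValueError as err:
        print(err)
```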
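22. ### Digital Signatures

Alice and Bob have a pair of asymmetric keys

➡ Use public cryptography to sign and verify

$SIG_{K_{sa}}(m) = E_{K_{sa}}(H(m))$

$VER_{K_{pa}}(m, s) = (D_{K_{pa}}(s) == H(m))$

(Diagram: $K_{sa}$ is Alice's secret key, with $K_{sb}$ on the other side; $K_{pa}$, $K_{pb}$ are the public keys. The message sent is $m \| SIG_{K_{sa}}(m)$, checked with $VER_{K_{pa}}(m, SIG_{K_{sa}}(m))$. Goals covered: Integrity, Authentication, Non-repudiation.)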
24. ### Digital Signatures and Confidentiality

Alice and Bob have a pair of asymmetric keys

➡ Use public cryptography to encrypt, sign and verify

$E_{K_{pb}}(m) \| SIG_{K_{sa}}(m)$

๏ Too slow to encrypt long messages

(Diagram: $K_{sa}$ is Alice's secret key, with $K_{sb}$ on the other side; $K_{pa}$, $K_{pb}$ are the public keys. Goals covered: Integrity, Authentication, Non-repudiation, Confidentiality.)
25. ### Digital Signatures and Confidentiality

   1. Alice generates an asymmetric session key k
   2. Use both symmetric and asymmetric cryptography to encrypt, sign and verify the message and the key

$E_{K_{pb}}(k) \| E_k(m \| E_{K_{sa}}(H(m)))$

(Diagram: $K_{sa}$ is Alice's secret key, with $K_{sb}$ on the other side; $K_{pa}$, $K_{pb}$ are the public keys. Goals covered: Integrity, Authentication, Non-repudiation, Confidentiality.)

27. ### ✓ HTTPS = HTTP + TLS

➡ TLS - Transport Layer Security (a.k.a. SSL) provides

- confidentiality: end-to-end secure channel
- integrity: authentication handshake

Hey, this is how HTTPS works!

(Diagram: HTTPS request to and HTTPS response from example.com; “Who are you?” “I am example.com”)
28. ### Are we done with cryptography yet? NO!

Problem 1: The mechanics of mutual authentication and key exchange are prone to attacks (e.g. replay attack, man-in-the-middle attack)

➡ Cryptography Protocols

Problem 2: Alice has never seen Bob, how can she trust his identity?

➡ Trust Models

30. ### Definition

Protocol: expected behaviors when engaging in communication

Computer(-to-computer) protocol

- Communication protocols (Ethernet, TCP, IP, Email, Web…)
- Security protocols
- Authentication protocol
- Key-exchange protocol
31. ### Protocol Goal

Assumptions

- 3 principals Alice, Bob, Mallory have published public keys
- They can talk to each other using the same protocol

Goal: when two parties engage in the communication, they want to

   1. make sure that they talk to the right person (authentication)
   2. exchange a symmetric session key
32. ### The attacker model

The attacker has the same privileges as the other principals

   1. send and receive messages
   2. encrypt and decrypt with known keys

In addition, the attacker has full control over the network

   3. intercept messages
33. ### Authentication, key exchange and message exchange

Messages shown in the diagram:

- $E_{K_{pb}}(\text{“Hi, I am Alice!”}, K_{ab})$
- “Hi, Alice!”
- $E_{K_{ab}}(m_b)$
- $E_{K_{ab}}(m_a)$
34. ### Replay attack

Messages shown in the diagram:

- $E_{K_{pm}}(A, K_{ab})$
- $E_{K_{pb}}(A, K_{ab})$
- “Hi, Alice!”

๏ Bob believes he is talking to Alice!

36. ### Eavesdrop and replay attack

Messages shown in the diagram:

- $E_{K_{pb}}(A, K_{ab})$
- “Hi, Alice!”
- “What is …?”
- $E_{K_{pb}}(pwd)$

๏ Bob believes he is talking to Alice!

38. ### The attacker pretends to be Bob

Messages shown in the diagram:

- $E_{K_{pb}}(A, K_{ab})$
- “Hi, Alice!”
- $E_{K_{pa}}(n)$
- $E_{K_{pb}}(n)$

๏ No Mutual Authentication
39. ### The (almost) Needham-Schroeder protocol (1978)

Messages shown in the diagram:

- $E_{K_{pb}}(A, K_{ab}, n_b)$
- $E_{K_{pa}}(n_a, n_b)$
- “Hi, Alice!”
- $E_{K_{pb}}(n_a)$
40. ### Man-in-the-middle attack (Lowe’s 1995)

Messages shown in the diagram:

- $E_{K_{pm}}(A, K_{ab}, n_b)$
- “Hi, Alice!”
- $E_{K_{pa}}(n_a, n_b)$
- $E_{K_{pb}}(A, K_{ab}, n_b)$
- $E_{K_{pb}}(n_a)$
- $E_{K_{bm}}(n_a)$
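Slides 39 and 40 as an added example, not from the original deck: a symbolic model (tuples in place of real encryption) of the three-message public-key exchange in its textbook form, without the session key Kab that the slides also carry. It goes beyond the slides by also running Lowe's published fix, in which the responder puts its own name in message 2; all function and field names are assumptions of the sketch.

```python
def enc(owner, *fields):
    """Public-key encryption to `owner`: only `owner` can open the result."""
    return ("enc", owner, fields)

def dec(me, ct):
    _tag, owner, fields = ct
    if owner != me:
        raise PermissionError(f"{me} cannot decrypt a message for {owner}")
    return fields

def run_session(with_identity_check: bool):
    """Alice opens a session with Mallory, who relays it to Bob.

    Returns the name Bob ends up believing he talks to, or None if Alice aborts."""
    na, nb = "na-constructed", "nb-constructed"     # constructed nonces

    # 1. Alice -> Mallory: {na, A}_Kpm (Alice knowingly talks to Mallory).
    msg1 = enc("M", na, "A")
    # Mallory opens it and re-encrypts the same fields under Bob's key.
    relayed1 = enc("B", *dec("M", msg1))

    # 2. Bob -> "Alice": {na, nb}_Kpa, plus his own name in the fixed variant.
    got_na, claimed_peer = dec("B", relayed1)
    fields = (got_na, nb, "B") if with_identity_check else (got_na, nb)
    msg2 = enc("A", *fields)        # Mallory cannot open this, only forward it

    # Alice checks her nonce and, in the fixed variant, the responder's name.
    opened = dec("A", msg2)
    if opened[0] != na:
        return None
    if with_identity_check and opened[2] != "M":
        return None                 # she expected Mallory but Bob answered: abort

    # 3. Alice -> Mallory: {nb}_Kpm; Mallory re-encrypts nb for Bob.
    msg3 = enc("M", opened[1])
    relayed3 = enc("B", *dec("M", msg3))

    # Bob sees his nonce come back and accepts the peer named in message 1.
    return claimed_peer if dec("B", relayed3)[0] == nb else None

if __name__ == "__main__":
    print("original protocol, Bob believes he talks to:", run_session(False))
    print("with responder name in message 2:           ", run_session(True))
```

Without the name in message 2, nothing Alice decrypts tells her which session the reply belongs to, so Bob ends up authenticating Mallory as Alice; with it, Alice stops before releasing nb.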

42. ### Two trust models

How to establish the authenticity of the binding between someone and their public key?

- Centralized trust model ➡ PKI - Public Key Infrastructure
- Decentralized trust model ➡ Web of Trust
43. ### Do you trust the GPG key?

Alice should verify Bob’s public key fingerprint

- either by communicating with Bob over another channel
- or by trusting someone that already trusts Bob ➡ the web of trust

(Diagram: Alice, Bob; “I am Bob!” Pkm)
44. ### The web of trust

(Diagram: Alice, Dan, Erin, Carol and Bob; “trust”, i.e. has_signed Pk; transitive trust.)
45. ### Do you trust the network?

The browser should verify the certificate ➡ PKI - Public Key Infrastructure

(Diagram: example.com; “I am example.com!”)
46. ### Generating and using (self-signed) certificates

(Diagram: “Who are you?” “I am example.com” “I don’t know”)

48. ### Signed Certificate

Certificate Authority (CA)

(Diagram: “Who are you?” “I am example.com”; I trust so)
49. ### The Chain of Trust

Root CA, Intermediate CA, Intermediate CA

I trust   so ⇒ ⇒ ⇒