CSCD27 Cryptography Protocols

ThierrySans
September 29, 2016

Transcript

  1. Cryptographic hashing

    H(m_n) = m’_n’ is a hash function if
    • H is a one-way function
    • n (bit length) is unbounded
    • n’ is short (and usually fixed)
    ➡ H is a lossy compression function

    Two families of hash functions
    • Non-keyed, a.k.a. message digest: H(m_n) = m’_n’
      e.g. password protection, digital signatures
    • Keyed, a.k.a. MAC - Message Authentication Code: H_k(m_n) = m’_n’
      e.g. message integrity

    [Diagram: H with inputs m1, m2, m3 and outputs x1, x2]
  2. Computational complexity

    • Given H and m, computing x is easy (polynomial or linear)
    • Given H and x, computing m is hard (exponential)
    ➡ H is not invertible

    [Diagram: H maps m to x]
  3. Preimage resistance and collision resistance

    PR - Preimage Resistance
    ➡ given H and x, hard to find m
      e.g. password storage

    2PR - Second Preimage Resistance
    ➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x
      e.g. virus resistance (Tripwire tool)

    CR - Collision Resistance
    ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x
      e.g. digital signatures

    CR ⇒ 2PR ⇒ PR

    [Diagram: H maps m to x]
  4. Non-keyed vs Keyed hash functions

    Most hash functions require an IV (Initialization Vector)
    • Non-keyed: H(m_n) = m’_n’
      the IV (Initialization Vector) is fixed
    • Keyed: H_k(m_n) = m’_n’
      the key is supplied as the IV
    ➡ The commonly used standards are non-keyed

    [Diagram: H takes m (n bits) and an IV (n’ bits) and outputs x (n’ bits)]
  5. Common hash functions

    Name    Year   Considered broken   Speed (cycles/byte)   Designer
    MD5     1992   yes                 6.8                   Rivest
    SHA-1   1993   yes                 11.4                  NSA
    SHA-2   2001   no                  15.8, 17.7            NSA
    SHA-3   2012   no                  12.5                  Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche

    Name    Variant     Input (n bits)   Output (n’ bits)
    MD5     -           512              128
    SHA-1   -           512              160
    SHA-2   SHA-224     512              224
    SHA-2   SHA-256     512              256
    SHA-2   SHA-384     1024             384
    SHA-2   SHA-512     1024             512
    SHA-3   SHA3-224    1152             224
    SHA-3   SHA3-256    1088             256
    SHA-3   SHA3-384    832              384
    SHA-3   SHA3-512    576              512

    [Diagram: H takes m (n bits) and an IV (n’ bits) and outputs x (n’ bits)]
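  6. How to hash long messages ?

    Merkle–Damgård construction
    Property : if H is CR then Merkle–Damgård is CR
    split m in blocks of n bits and add padding p

    [Diagram: m is split into blocks m1, m2, m3, m4 of n bits, with padding p added to m4; H is applied to each block in turn, chained from the IV through n’-bit intermediate values to the output x]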
  7. Brute-forcing a hash function

    CR - Collision Resistance
    ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x

    Given a hash function H of n bits
    • Reaching all possibilities: 2^n cases
    • On average, an attacker should try half of them: 2^(n-1) cases

    [Diagram: H with input m and output x]
  8. Birthday Paradox

    “There is a 50% chance that 2 people have the same birthday in a room of 23 people”

    N-bits security
    ➡ Given a hash function H of n bits output,
      a collision can be found in around 2^(n/2) evaluations
      e.g. SHA-256 has 128 bits of security
  9. Broken hash functions beyond the birthday paradox

             Year   Collision
    MD5      2013   2^24 evaluations (2^39 with prefix)
    SHA-1    2015   2^57 evaluations
  10. Security goals

    Let us consider 3 new security goals (beyond confidentiality)
    • Integrity : protecting the content of a message
    • Authentication : protecting the origin of a message
    • Non-repudiation : protecting the identity of the originator
  11. MAC - Message Authentication Code

    Alice and Bob share a key k
    ➡ Option 1 : using a keyed hash function on the message
      MAC_k(m) = H_k(m)
    ➡ Option 2 : using a non-keyed hash function on the message (HMAC)
      MAC_k(m) = H(k || m)

    [Diagram: m || MAC_k(m) is sent between the two parties, who both hold the MAC key k; labels: Integrity, Authentication]
  12. Length extension attack

    MAC_k(m || m’) = H(MAC_k(m) || m’)
    Vulnerable : MD5, SHA-1 and SHA-2 (but not SHA-3)
    ➡ Assignment 3 - Part 3
  13. Good MAC with non-keyed hash

    Alice and Bob share a key k
    ➡ Option 1 : envelope method
      MAC_k(m) = H(k || m || k)
    ➡ Option 2 : padding method
      pad(k,m) returns a message whose length is a multiple of the hash input length
      a = H(pad(k,m) || m)
      MAC_k(m) = H(pad(k,a) || a)

    [Diagram: m || MAC_k(m) is sent between the two parties, who both hold the MAC key k; labels: Integrity, Authentication]
  14. MAC with symmetric encryption

    Alice and Bob share a key k
    ➡ Encrypt the hash using symmetric encryption (DES, AES …)
      MAC_k(m) = E_k(H(m))

    [Diagram: m || MAC_k(m) is sent between the two parties, who both hold the MAC key k; labels: Integrity, Authentication]
  15. MAC and Confidentiality

    Alice and Bob share two keys Ke and Km
    • Ke : encryption key
    • Km : MAC key

    Option 1 : E_Ke(m) || H_Km(m), e.g. SSH
    Option 2 : E_Ke(m || H_Km(m)), e.g. SSL
    Option 3 : E_Ke(m) || H_Km(E_Ke(m)), e.g. IPsec

    [Diagram: both parties hold ke and km; labels: Integrity, Authentication, Confidentiality]
  16. Digital Signatures

    Alice and Bob have a pair of asymmetric keys
    ➡ Use public-key cryptography to sign and verify
      SIG_Ksa(m) = E_Ksa(H(m))
      VER_Kpa(m, s) = (D_Kpa(s) == H(m))

    [Diagram: Ksa is Alice’s secret key, with Ksb alongside it; Kpa, Kpb are the public keys; m || SIG_Ksa(m) is sent and checked with VER_Kpa(m, SIG_Ksa(m)); labels: Integrity, Authentication, Non-repudiation]
  17. Digital Signatures and Confidentiality

    Alice and Bob have a pair of asymmetric keys
    ➡ Use public-key cryptography to encrypt, sign and verify
      E_Kpb(m) || SIG_Ksa(m)
    ๏ Too slow to encrypt long messages

    [Diagram: Ksa is Alice’s secret key, with Ksb alongside it; Kpa, Kpb are the public keys; labels: Integrity, Authentication, Non-repudiation, Confidentiality]
  18. Digital Signatures and Confidentiality

    1. Alice generates an asymmetric session key k
    2. Use both symmetric and asymmetric cryptography to encrypt, sign and verify the message and the key
       E_Kpb(k) || E_k(m || E_Ksa(H(m)))

    [Diagram: Ksa is Alice’s secret key, with Ksb alongside it; Kpa, Kpb are the public keys; labels: Integrity, Authentication, Non-repudiation, Confidentiality]
  19. ✓ HTTPS = HTTP + TLS

    ➡ TLS - Transport Layer Security (a.k.a. SSL) provides
    • confidentiality : end-to-end secure channel
    • integrity : authentication handshake

    Hey, this is how HTTPS works !

    [Diagram: HTTPS request and HTTPS response exchanged with example.com; “Who are you?” “I am example.com”]
  20. Are we done with cryptography yet ?

    NO !

    Problem 1 : The mechanics of mutual authentication and key exchange are prone to attacks (e.g. replay attack, man-in-the-middle attack)
    ➡ Cryptography Protocols

    Problem 2 : Alice has never seen Bob, how can she trust his identity ?
    ➡ Trust Models
  21. Definition

    Protocol
    Expected behaviors when engaging in communication

    Computer(-to-computer) protocol
    • Communication protocols (Ethernet, TCP, IP, Email, Web…)
    • Security protocols
    • Authentication protocol
    • Key-exchange protocol
  22. Protocol Goal

    Assumptions
    • 3 principals Alice, Bob, Mallory have published public keys
    • They can talk to each other using the same protocol

    Goal
    When two parties engage in the communication, they want to
    1. make sure that they talk to the right person (authentication)
    2. exchange a symmetric session key
  23. The attacker model

    The attacker has the same privileges as the other principals
    1. send and receive messages
    2. encrypt and decrypt with known keys

    In addition, the attacker has full control over the network
    3. intercept messages
  24. Eavesdrop and replay attack

    [Message sequence: E_Kpb(A, Kab); “Hi, Alice!”; “What is …?”; E_Kpb(pwd)]
    ๏ Bob believes he is talking to Alice !
  25. The attacker pretends to be Bob

    [Message sequence: E_Kpb(A, Kab); “Hi, Alice!”; E_Kpa(n); E_Kpb(n)]
    ๏ No Mutual Authentication
  26. Two trust models

    How to establish the authenticity of the binding between someone and their public key ?
    Centralized trust model ➡ PKI - Public Key Infrastructure
    Decentralized trust model ➡ Web of Trust
  27. Do you trust the GPG key ?

    Alice should verify Bob’s public key fingerprint
    • either by communicating with Bob over another channel
    • or by trusting someone that already trusts Bob
    ➡ the web of trust

    [Diagram: Alice, Bob; “I am Bob!”; Pkm]
  28. The web of trust

    [Diagram: trust graph over Alice, Dan, Erin, Carol and Bob; an edge means trust, i.e. has_signed Pk; transitive trust]
  29. Do you trust the network ?

    The browser should verify the certificate
    ➡ PKI - Public Key Infrastructure

    [Diagram: example.com: “I am example.com!”]
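
Slide 8's birthday bound, worked through as an added example (not part of the original slides): it computes the 23-person probability and then finds a collision on SHA-256 truncated to a short n’, which is why digest and tag length set the security level. The function names and the constructed messages are assumptions of this example.

```python
import hashlib
from math import prod


def birthday_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share one of `days` birthdays."""
    return 1.0 - prod((days - i) / days for i in range(people))


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 cut down to its first `bits` bits, i.e. a deliberately short n'."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct messages until two digests match.

    Returns (m, m', evaluations). Every digest seen so far is stored,
    so memory also grows roughly as 2^(n'/2).
    """
    seen = {}
    evaluations = 0
    while True:
        message = b"constructed-message-%d" % evaluations  # constructed input
        evaluations += 1
        x = truncated_hash(message, bits)
        if x in seen:
            return seen[x], message, evaluations
        seen[x] = message


if __name__ == "__main__":
    print("P(shared birthday, 23 people) = %.4f" % birthday_probability(23))
    for bits in (16, 24, 32):
        m1, m2, evaluations = find_collision(bits)
        print("n'=%d bits: collision after %d evaluations (2^(n'/2) = %d)"
              % (bits, evaluations, 2 ** (bits // 2)))
```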
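
The two-pass shape of slide 13's padding method, as an added example that is not from the slides: it writes out HMAC-SHA256 (RFC 2104), the standardized nested construction, next to slide 11's plain H(k || m). The pads here are the RFC's fixed ipad/opad rather than the slide's pad(k, ·), and the function names are assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 consumes its input in 512-bit (64-byte) blocks


def nested_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 (RFC 2104) spelled out as two hash passes."""
    if len(key) > BLOCK_SIZE:             # long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to one full block
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    a = hashlib.sha256(inner_pad + message).digest()  # a = H(pad || m)
    return hashlib.sha256(outer_pad + a).digest()     # MAC = H(pad' || a)


def naive_mac(key: bytes, message: bytes) -> bytes:
    """Slide 11, option 2: H(k || m), the form slide 12 lists as extendable."""
    return hashlib.sha256(key + message).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(nested_mac(key, message), tag)


if __name__ == "__main__":
    key = b"constructed shared key k"           # constructed sample values
    message = b"amount=100&to=bob"
    tag = nested_mac(key, message)
    reference = hmac.new(key, message, hashlib.sha256).digest()
    print("matches stdlib hmac:", tag == reference)
    print("accepts original   :", verify(key, message, tag))
    print("rejects tampering  :", not verify(key, b"amount=900&to=bob", tag))
    print("differs from H(k||m):", tag != naive_mac(key, message))
```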
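
Slide 15's Option 3, E_Ke(m) || H_Km(E_Ke(m)), as an added example that is not from the slides: the receiver checks the tag over the ciphertext before decrypting anything. `keystream_xor` is a constructed stand-in for E_Ke so the block runs on the standard library alone (a real deployment would use AES or another vetted cipher); the function names and the 16-byte nonce layout are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream_xor(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for E_Ke / D_Ke: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(ke + nonce + counter).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(ke: bytes, km: bytes, message: bytes) -> bytes:
    """Encrypt with Ke, then MAC the ciphertext (nonce included) with Km."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = nonce + keystream_xor(ke, nonce, message)
    tag = hmac.new(km, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(ke: bytes, km: bytes, packet: bytes) -> bytes:
    """Verify the tag first; decrypt only if it matches."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(km, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed")
    return keystream_xor(ke, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)   # two independent keys, as on the slide
    packet = seal(ke, km, b"constructed message from Alice to Bob")
    print(unseal(ke, km, packet))
    tampered = bytearray(packet)
    tampered[NONCE_LEN] ^= 0x01               # flip one ciphertext bit
    try:
        unseal(ke, km, bytes(tampered))
    except ValueError as err:
        print("rejected:", err)
```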