Cryptography and SSL in Smalltalk - StS 2003
•Télécharger en tant que PPT, PDF•
1 j'aime•429 vues
Smalltalk Solutions 2003
![Cryptography ,[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Cryptography and SSL in Smalltalk - StS 2003
Similaire à Cryptography and SSL in Smalltalk - StS 2003 (20)
Cryptography and SSL in Smalltalk - StS 2003
- 1. Cryptography and SSL in Smalltalk Martin Kobetic Cincom Smalltalk Development January 2003
Notes de l'éditeur
- hot air, bag of tricks, no proofs but growing lists of weaknesses
- peer review vs security through obscurity
- value of the protected entity cost of protection cost of breaking the protection understand the properties thoroughly e.g. latest side-channel (timing) attacks on SSL server implementations
- confidentiality - prevent eavesdropping (passive attack) integrity - prevent undetected modification (active attack) authentication - proof of origin (active attack) non-repudiation - undeniable proof of origin SSL provides authentication but doesn’t provide non-repudiation SMIME does both (theoretically) point-to-point vs end-to-end
- Hardware implementations
- Key stream reuse disastrous, xoring 2 ciphertexts yields 2 xored plaintexts, easy to break (P1 xor K) xor (P2 xor K) = P1 xor (K xor K) xor P2 = P1 xor P2
- - RC4
- DEA (ANSI), DEA-1 (ISO) Lucifer descendant (IBM), NSA evaluated reviewed every 5 years 1983 – recertified, 1987 – recertified “last time” after public outcry 1993 – recertified, still no alternatives 1999 – reaffirmed 3DES, AES not finished yet
- ADV: parallelization DIS: plaintext patterns, manipulation, synchronization, noise
- IV should be unique, but doesn’t have to be secret (pseudo random, timestamp value, counter, …) ADV: decryption parallelizable, random access DIS: synchronization, noise
- N-bit OFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
- Nonce: usually message number combined with additional data to guarantee uniqueness N-bit CTR: smaller than block processing No need to pad. Doesn’t need decryption operation.
- N-bit CFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
- double encryption – meet in the middle attach 2^n+1 instead of 2^2n tripple encryption – 2key or 3key cascading – beware of algorithm interactions
- Rijndael – Joan Daemen, Vincent Rijmen (Netherlands) Serpent – Ross Anderson (Cambridge, UK) Twofish – Bruce Schneier (Counterpane Inc) MARS – Don Coppersmith (IBM) RC6 – Ron Rivest (RSA Labs)
- much slower: expensive operations, sparse key space (much longer keys) eliptic curve crypto – same ciphers, different number field (faster)
- no good for a small set of plaintexts (dictionary attack) encryption key is public => attacker can get as much chosen plaintext as she wants
- Rivest, Shamir, Adelman use small e to optimize encryption/verification don’t use the same key to encrypt and sign; decrypting c is the same operation as signing c ! don’t reuse n (more material for cryptanalysis) not good with small messages; if modular reduction doesn’t occur (good chance with small e), the plaintext can be recoverd by simple (non-modular) e-th root computation; in fact any kind of structure in the message seems to facilitate attacks; messages should be protected against that using suitable “encoding” (PKCS#1 v2.1 – OAEP)
- MD-strengthening: with inclusion of the length no encoded input is a prefix of another encoded input “ length extension attack”: if M2 = M1’ || X => h(M2) = h ( h (M1) || X)) M1’ means, the original M1 message padded as prescribed by the hash function possible fixes: h(h(M), M) – expensive, or h(h(M)) - weaker; MACs usually address the weakness as well
- can get digest value in progress can clone a digest in progress blockSize, digestSize
- CBC-MAC: encrypt the message in CBC mode and throw away all but last block of ciphertext. don’t forget MD-strengthening and paddding SSL 3.0 MAC (1996) hash(MAC_write_secret + pad_2 + (hash(MAC_write_secret + pad_1 + seq_num + type + length + content))
- - all usual hash API applies
- - expand the digest to match the bit-size of n (seed a random generator with the digest and use as many bytes as possible)
- man-in-the-middle attack small subgroup attack - small order g ss is in that subgroup, if the group is small enough, it can be searched for solution: safe primes p = 2q + 1; q prime optimization - using smaller, but sufficiently large subgroups: p = Nq + 1; q prime (> 160b); N suitably large integer find g of order q (mod p), thus g > 1 and g^q=1 (mod p) then any r^e = r^(e mod q) (mod p), for any r from the subgroup. consequently 1 < x < q always check that received value belongs to the subgroup, i.e. 1 < r < p and r^q = 1