1. Cryptography and SSL in Smalltalk Martin Kobetic Cincom Smalltalk Development January 2003
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
Notes de l'éditeur
hot air, bag of tricks, no proofs but growing lists of weaknesses
peer review vs security through obscurity
value of the protected entity cost of protection cost of breaking the protection understand the properties thoroughly e.g. latest side-channel (timing) attacks on SSL server implementations
confidentiality - prevent eavesdropping (passive attack) integrity - prevent undetected modification (active attack) authentication - proof of origin (active attack) non-repudiation - undeniable proof of origin SSL provides authentication but doesn’t provide non-repudiation SMIME does both (theoretically) point-to-point vs end-to-end
DEA (ANSI), DEA-1 (ISO) Lucifer descendant (IBM), NSA evaluated reviewed every 5 years 1983 – recertified, 1987 – recertified “last time” after public outcry 1993 – recertified, still no alternatives 1999 – reaffirmed 3DES, AES not finished yet
IV should be unique, but doesn’t have to be secret (pseudo random, timestamp value, counter, …) ADV: decryption parallelizable, random access DIS: synchronization, noise
N-bit OFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
Nonce: usually message number combined with additional data to guarantee uniqueness N-bit CTR: smaller than block processing No need to pad. Doesn’t need decryption operation.
N-bit CFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
double encryption – meet in the middle attach 2^n+1 instead of 2^2n tripple encryption – 2key or 3key cascading – beware of algorithm interactions
Rijndael – Joan Daemen, Vincent Rijmen (Netherlands) Serpent – Ross Anderson (Cambridge, UK) Twofish – Bruce Schneier (Counterpane Inc) MARS – Don Coppersmith (IBM) RC6 – Ron Rivest (RSA Labs)
much slower: expensive operations, sparse key space (much longer keys) eliptic curve crypto – same ciphers, different number field (faster)
no good for a small set of plaintexts (dictionary attack) encryption key is public => attacker can get as much chosen plaintext as she wants
Rivest, Shamir, Adelman use small e to optimize encryption/verification don’t use the same key to encrypt and sign; decrypting c is the same operation as signing c ! don’t reuse n (more material for cryptanalysis) not good with small messages; if modular reduction doesn’t occur (good chance with small e), the plaintext can be recoverd by simple (non-modular) e-th root computation; in fact any kind of structure in the message seems to facilitate attacks; messages should be protected against that using suitable “encoding” (PKCS#1 v2.1 – OAEP)
MD-strengthening: with inclusion of the length no encoded input is a prefix of another encoded input “ length extension attack”: if M2 = M1’ || X => h(M2) = h ( h (M1) || X)) M1’ means, the original M1 message padded as prescribed by the hash function possible fixes: h(h(M), M) – expensive, or h(h(M)) - weaker; MACs usually address the weakness as well
can get digest value in progress can clone a digest in progress blockSize, digestSize
CBC-MAC: encrypt the message in CBC mode and throw away all but last block of ciphertext. don’t forget MD-strengthening and paddding SSL 3.0 MAC (1996) hash(MAC_write_secret + pad_2 + (hash(MAC_write_secret + pad_1 + seq_num + type + length + content))
- all usual hash API applies
- expand the digest to match the bit-size of n (seed a random generator with the digest and use as many bytes as possible)
man-in-the-middle attack small subgroup attack - small order g ss is in that subgroup, if the group is small enough, it can be searched for solution: safe primes p = 2q + 1; q prime optimization - using smaller, but sufficiently large subgroups: p = Nq + 1; q prime (> 160b); N suitably large integer find g of order q (mod p), thus g > 1 and g^q=1 (mod p) then any r^e = r^(e mod q) (mod p), for any r from the subgroup. consequently 1 < x < q always check that received value belongs to the subgroup, i.e. 1 < r < p and r^q = 1