1. Security Procedures Y.C. Stamatiou Department of Mathematics, University of Ioannina and Research and Academic Computer Technology Institute Master Program in Web Science, Veroia, March 2010
2. Cryptography! It is all about the following simple, but highly important, scenario:
6. An algorithm! The “program” below computes the difference between two positive integers m and n (only if m > n, otherwise it “returns” 0) given in the form 0^m 1 0^n on the tape of the Turing machine (isn’t it, a bit, reminiscent of good, old Assembly?):

          q0           q1           q2           q3           q4           q5           q6
  0   (q1, #, Δ)   (q1, 0, Δ)   (q3, 1, Α)   (q3, 0, Α)   (q4, 0, Α)   (q5, #, Δ)   - (stops)
  1   (q5, #, Δ)   (q2, 1, Δ)   (q2, 1, Δ)   (q3, 1, Α)   (q4, #, Α)   (q5, #, Δ)   - (stops)
  #   - (hangs)                 (q4, #, Α)   (q0, #, Δ)   (q6, 0, Δ)   (q6, #, Δ)   - (stops)
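As an added illustration (not from the slides), a small simulator that runs the table above on a tape holding 0^m 1 0^n; it assumes Δ means move right and Α move left, that the head starts on the leftmost cell, that q6 halts, and that the empty (q1, #) cell is undefined, so reaching it hangs the machine.

```python
from typing import Dict, Tuple

# (state, symbol read) -> (next state, symbol written, head move: +1 right, -1 left)
# Transcribed from the slide's table; Δ/Α -> +1/-1 is an assumption.
TABLE: Dict[Tuple[str, str], Tuple[str, str, int]] = {
    ("q0", "0"): ("q1", "#", +1), ("q0", "1"): ("q5", "#", +1),
    ("q1", "0"): ("q1", "0", +1), ("q1", "1"): ("q2", "1", +1),
    ("q2", "0"): ("q3", "1", -1), ("q2", "1"): ("q2", "1", +1), ("q2", "#"): ("q4", "#", -1),
    ("q3", "0"): ("q3", "0", -1), ("q3", "1"): ("q3", "1", -1), ("q3", "#"): ("q0", "#", +1),
    ("q4", "0"): ("q4", "0", -1), ("q4", "1"): ("q4", "#", -1), ("q4", "#"): ("q6", "0", +1),
    ("q5", "0"): ("q5", "#", +1), ("q5", "1"): ("q5", "#", +1), ("q5", "#"): ("q6", "#", +1),
}
HALT = "q6"


def run(m: int, n: int, max_steps: int = 100_000) -> Tuple[str, str]:
    """Run the machine on tape 0^m 1 0^n with the head on the leftmost cell.
    Returns (final state, non-blank tape contents); state "hang" means no rule applied."""
    tape = dict(enumerate("0" * m + "1" + "0" * n))   # unseen cells read as blank "#"
    head, state = 0, "q0"
    for _ in range(max_steps):
        contents = "".join(tape[i] for i in sorted(tape)).replace("#", "")
        if state == HALT:
            return state, contents
        key = (state, tape.get(head, "#"))
        if key not in TABLE:              # undefined cell of the table: the machine hangs
            return "hang", contents
        state, tape[head], move = TABLE[key]
        head += move
    raise RuntimeError("step limit exceeded")


def monus(m: int, n: int) -> int:
    """m - n if m > n, otherwise 0: the number of 0s left on the tape when the machine stops."""
    state, output = run(m, n)
    if state != HALT:
        raise RuntimeError("machine did not halt cleanly")
    return output.count("0")


if __name__ == "__main__":
    for m, n in ((2, 1), (3, 1), (1, 2)):
        print(m, n, "->", monus(m, n))
```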
8. Observe how functions bounded from above by a polynomial have a “reasonable” rate of increase!
9. Two important time complexity classes of problems. P: problems for which there exists a polynomial time deterministic Turing machine (algorithm) that solves them. NP: problems for which no polynomial time deterministic Turing machine that solves them has been discovered yet, but for which a polynomial time non-deterministic Turing machine exists!
10. Integers! “God made the integers; all else is the work of man” (Leopold Kronecker, 1823–1891)
50. Details of the impersonation attack
Step 1: Eve, acting as both herself and Alice, attempts to authenticate to Bob as both herself and Alice.
Step 2: Bob, as he should, replies with two nonce challenges. Eve gets her own nonce but, at the same time, intercepts the nonce directed to Alice.
Step 3: Eve answers both challenges. Eve, naturally, can only send a wrong reply on behalf of Alice. She can, however, swap her response with Alice’s before contacting Bob.
Step 4: Bob receives both responses and contacts Trent for translation.
Step 5: Trent responds. One response consists, as expected, of garbage. The other response, for Alice, is of course correct. Bob correctly gets back the challenge he issued for Alice and then authenticates Eve as Alice!
52. The Needham-Schroeder Key Exchange Protocol
Step 1: Alice tells Trent what she is requesting.
Step 2: Trent gives Alice the session key and a package to deliver to Bob.
Step 3: Bob can get the session key and the identity of who he is talking with (verified because it came from Trent).
Step 4: Bob sends Alice a challenge.
Step 5: Alice answers the challenge.
55. We will look into how theory and practice meet using two working systems: e-Lotteries! e-Voting!
58. An overview of the system (diagram). Components shown: agencies; coupon file and audit information; Lottery Organization Computer; Verifier; Gen1 and Gen2, connected in a high availability configuration; data-to-optical-signal converter and optical fibre to the TV station; telephone lines.
63. Design Considerations: Randomness Sources
Approach | Disadvantages | Advantages
Common pseudorandom number generators (e.g. as given by Java) | The algorithm is susceptible to clever attacks | Uniformly distributed numbers
Cryptographically secure PRNG | In principle the output could be guessed, given the initial state (guessing is intractable, however); based on deterministic algorithms | Handles the disadvantage above
Truly random number generators | Physical processes often obey specific distribution laws; they depend on environmental parameters (e.g. temperature); hard to reproduce their output | Non-deterministic method, truly random output
69. A high-level description of the protocol (flowchart between GEN1 and the VERIFIER; the two first exchange keys for encryption and a private/public key pair for signatures):
GEN1: Idle -> Drawing initiation signal -> Random bits from the TRNG and the hash value of the coupon file -> Bit-commitment and signature (sent to the VERIFIER) -> Seed 1 XOR Seed 2 -> NR function -> Generate the numbers from the PRNG -> Encrypt and sign seeds and numbers.
VERIFIER: Verify and decrypt seeds and numbers -> Verify that GEN1 committed on the true seeds -> From the retrieved seeds regenerate the numbers -> Check the numbers -> SUCCESS! (otherwise: System Failed).
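The commit-and-verify core of the GEN1/VERIFIER flow above, as an added example rather than the lottery system's own code. It assumes Seed 1 is the TRNG output and Seed 2 the hash of the coupon file, uses a SHA-256 hash commitment and a SHA-256 counter-mode PRNG (the slides name neither), and leaves out the encryption and signature layer.

```python
import hashlib
import hmac
import os
from typing import List, Tuple


def prng_numbers(seed: bytes, count: int, upper: int) -> List[int]:
    """Deterministic PRNG (assumed here): SHA-256 in counter mode over the seed,
    drawing `count` distinct numbers in [1, upper] by rejecting duplicates."""
    if count > upper:
        raise ValueError("cannot draw more distinct numbers than the range holds")
    drawn: List[int] = []
    counter = 0
    while len(drawn) < count:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        candidate = int.from_bytes(block[:4], "big") % upper + 1
        if candidate not in drawn:
            drawn.append(candidate)
    return drawn


def gen1_commit(seed1: bytes, seed2: bytes) -> Tuple[bytes, bytes]:
    """GEN1 commits to both seeds before any number exists; the nonce hides the seeds."""
    nonce = os.urandom(16)
    return nonce, hashlib.sha256(nonce + seed1 + seed2).digest()


def gen1_draw(seed1: bytes, seed2: bytes, count: int, upper: int) -> List[int]:
    combined = bytes(a ^ b for a, b in zip(seed1, seed2))   # Seed 1 XOR Seed 2
    return prng_numbers(combined, count, upper)


def verifier_check(commitment: bytes, nonce: bytes, seed1: bytes, seed2: bytes,
                   numbers: List[int], count: int, upper: int) -> bool:
    """VERIFIER: the revealed seeds must open the commitment AND regenerate the numbers."""
    opened = hashlib.sha256(nonce + seed1 + seed2).digest()
    if not hmac.compare_digest(commitment, opened):
        return False                     # GEN1 did not commit on the true seeds
    return gen1_draw(seed1, seed2, count, upper) == numbers


def demo(tamper: str = "") -> bool:
    """Run one draw; tamper="seeds" or "numbers" simulates a later substitution."""
    coupon_file = b"constructed coupon file contents"     # stands in for the real file
    seed1 = os.urandom(32)                                 # "random bits from the TRNG"
    seed2 = hashlib.sha256(coupon_file).digest()           # "hash value of the coupon file"
    nonce, commitment = gen1_commit(seed1, seed2)          # reaches the VERIFIER first
    numbers = gen1_draw(seed1, seed2, 6, 49)
    if tamper == "seeds":
        seed1 = os.urandom(32)                             # seeds swapped after committing
    if tamper == "numbers":
        numbers = [(x % 49) + 1 for x in numbers]          # numbers altered after the draw
    return verifier_check(commitment, nonce, seed1, seed2, numbers, 6, 49)
```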
70. Time Table. 6 min before the draw time: the Verifier sends the draw initiation signal to GEN1. 3 min later: if the Verifier hasn’t received the numbers, he sends the initiation signal to GEN2. GEN2 produces the numbers in 3 minutes, on time, with the same processes as GEN1.
106. Step 1: Context Identification. Risk Analysis and Management (3/11). Abstract class diagram, activity diagram, use case diagram.
107. Step 1 (continued): Risk Analysis and Management (4/11). Example of a time sequence diagram (decryption and calculation of the result).
108. Step 2: Risk Identification. Risk Analysis and Management (5/11). Part of the high-level risk table.
Columns on the slide: Who/what causes it? How? What is the incident? What does it harm? What makes it possible?
Keyholders | Disclosure of secret keys | Corrupted keyholders (software)
Voter | Disclosure of credentials (id, password, certificate) to another person | Malicious voter
EA | Vote alteration | Corrupted EA
EA | Vote disclosure | Corrupted EA
EA | Tallying error | Software error
EA | Result alteration | Corrupted EA
Coercer | Voter coercion | Lack of monitoring during remote vote casting
Hacker | Vote alteration | Insufficient security
Hacker | Final result alteration | Insufficient security
109. Step 2 (continued): Risk Analysis and Management (6/11). Part of the HazOp table. Asset: Keys K_i (step 1).
Guideword | Threats | Likelihood | Consequence | Countermeasures
Manipulation | Alteration of key generator operation by an authorized person | Small | Keys are not secret or are not random | Testing of the key generator before elections; restricted access to software
Disclosure | Disclosure of some K_i by their holders | Medium | Corruption in elections is possible | Key sharing (k out of k): in order for the overall key to be disclosed, all keyholders need to disclose their keys
Programming errors | Errors in generator software | Medium | The keys are not randomly generated (fake randomness); the keys do not satisfy the requirements (e.g. length) | Application of good programming practices; extensive testing and debugging; use of secure random number generators
110. Step 2 (continued): Risk Analysis and Management (7/11). Fault tree diagram (ITEM Toolkit).
112. Step 3 (continued): Risk Analysis and Management (9/11). Qualitative assessment of consequence using FMEA.
ID | Function/Entity | Failure mode | Effects (local) | Effects (system wide) | Causes | Consequences
1 | GenerateElGamalParameters(size) | Size parameter is not available in the system config file | The public parameters may not be created | System initialization is not possible | Config file is not properly updated by the system administrator; access to config file/database is not possible | Voting process may not begin
2 | Publish(elGamalParameters) | Bulletin board is not updated with the public parameters | Keyholders may not produce keys | System initialization is not possible | Connection to database is not possible | Voting process may not begin
114. Step 5: Risk Treatment (taken into account in the design/implementation phases)
Risk ID | Description | Risk level | Treatment options and measures
Risks with regard to partial keys disclosure or non-availability:
2 | Disclosure of some of the K_i by their keyholders | Extreme | The disclosure of partial keys would be catastrophic, as it would allow the decryption of individual votes and of the final result by unauthorized parties (or even the EA). Threshold cryptography techniques are used as a countermeasure: they require at least t out of n keyholders to cooperate in order to conduct the elections. Moreover, the conflicting interests of the keyholders discourage potential alliances among them. For ultimate security we suggest t = n, which means that all keyholders need to cooperate.
5 | Some of the K_i are not available | Extreme |
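Added example (not the e-voting system's code) of the threshold countermeasure named in the HazOp and risk-treatment tables above: t-of-n Shamir secret sharing over a prime field, where t = n gives the k-out-of-k scheme. The field prime, the key and the share counts are constructed here.

```python
import secrets
from typing import List, Tuple

# Mersenne prime 2^127 - 1: the field is an assumption, chosen large enough
# to hold a 126-bit key; real deployments size it to the key they protect.
PRIME = (1 << 127) - 1


def split_secret(secret: int, t: int, n: int) -> List[Tuple[int, int]]:
    """Hide `secret` as f(0) of a random polynomial of degree t-1; share i is (i, f(i))."""
    if not 1 <= t <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= t <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from whichever shares were supplied."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def threshold_demo(t: int = 3, n: int = 5) -> Tuple[bool, bool]:
    """Return (t keyholders recover the key, t-1 keyholders recover the key)."""
    key = secrets.randbelow(PRIME)               # constructed election key
    shares = split_secret(key, t, n)
    enough = recover_secret(shares[-t:]) == key   # any t of the n shares suffice
    too_few = recover_secret(shares[:t - 1]) == key   # t-1 shares yield an unrelated value
    return enough, too_few
```

With t = n every keyholder must reveal a share, which is the "all keyholders need to cooperate" setting the slide recommends.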
124. Convincing the public
5. Trust by extensive logging and auditing of system activities (logging and auditing activities are scheduled on a daily basis, results available for public scrutiny).
6. Trust by contingency planning (failures in systems that offer e-services are not acceptable; contingency plan publicly available).
7. Trust by regulation and laws (the system operator introduces suitable legislation for the protection of the public in case of mishaps).
8. Trust by reputation and past experience (the involvement of engineers and experts should be accompanied by credentials that prove their expertise).
136. Performance aspects / System simulation
Network architecture: Directed Acyclic Graph (DAG)
Traffic: open Jackson network of M/M/1 queues (Poisson distributed arrival rate, exponentially distributed service rate, one server, unlimited queue size)
Voters’ arrival behavior: Weibull distributed with a peak around noon
Simulation tool: uses the CSIM 19 (C and C++) simulation library
137. Performance aspects / System simulation. Shifted Weibull distribution with parameters α = 2.5, b = 5 and t0 = 8.
Time interval | λ s_i
[8:00,10:00) | 5.67
[10:00,12:00) | 10.32
[12:00,14:00) | 6.70
[14:00,16:00) | 2
[16:00,18:00) | 0.26
[18:00,20:00) | 0.026
Time interval | s_i (incoming vote rate)
[8:00,10:00) | 0.11
[10:00,12:00) | 0.20
[12:00,14:00) | 0.13
[14:00,16:00) | 0.039
[16:00,18:00) | 0.005
[18:00,20:00) | 0.0005
148. The Complex Multiplication Method (flowchart). Input: an integer D. Choose a prime p = x^2 + D y^2 and find the integers (x, y). Possible orders: m = p + 1 ± 2x. Is one of them suitable? If NO, choose another prime; if YES, calculate the Hilbert polynomial H_D(x), calculate its roots, from every root generate a pair of ECs, and find the EC which has order m.
163. Threshold phenomena in other problems: 3-SAT. Many combinatorial problems exhibit a threshold behavior: instances generated with their critical parameter (the clause/variable ratio in 3-SAT) around the value (4.2 in 3-SAT) that marks the transition from almost certain solubility (satisfiability in 3-SAT) to almost certain insolubility seem to be among the hardest to solve, even with the best algorithms available. PROBLEM: proof of existence and calculation of the critical value.
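To make the threshold phenomenon concrete, here is an added experiment (not from the slides): a random 3-SAT generator at a chosen clause/variable ratio and a small DPLL solver, so the satisfiable fraction can be measured on either side of the transition. Variable counts, trial counts and seeds are chosen here for illustration.

```python
import random
from typing import List, Optional, Tuple

Clause = Tuple[int, ...]      # literal +v stands for x_v, -v for its negation


def random_3sat(n_vars: int, n_clauses: int, rng: random.Random) -> List[Clause]:
    """Each clause picks 3 distinct variables and negates each with probability 1/2."""
    clauses = []
    for _ in range(n_clauses):
        variables = rng.sample(range(1, n_vars + 1), 3)
        clauses.append(tuple(v if rng.random() < 0.5 else -v for v in variables))
    return clauses


def assign(clauses: List[Clause], lit: int) -> Optional[List[Clause]]:
    """Set `lit` true: drop satisfied clauses, shrink the rest; None if a clause empties."""
    out = []
    for clause in clauses:
        if lit in clause:
            continue
        rest = tuple(l for l in clause if l != -lit)
        if not rest:
            return None
        out.append(rest)
    return out


def satisfiable(clauses: List[Clause]) -> bool:
    """DPLL: unit propagation, then branch on the first literal of the first clause."""
    if not clauses:
        return True
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    if unit is not None:
        reduced = assign(clauses, unit)
        return reduced is not None and satisfiable(reduced)
    lit = clauses[0][0]
    for choice in (lit, -lit):
        reduced = assign(clauses, choice)
        if reduced is not None and satisfiable(reduced):
            return True
    return False


def fraction_satisfiable(n_vars: int, ratio: float, trials: int, seed: int = 1) -> float:
    """Share of random instances with round(ratio * n_vars) clauses that are satisfiable."""
    rng = random.Random(seed)
    n_clauses = round(ratio * n_vars)
    sat = sum(satisfiable(random_3sat(n_vars, n_clauses, rng)) for _ in range(trials))
    return sat / trials
```

Sweeping `ratio` from about 3 to 6 with a few dozen variables shows the fraction dropping from near 1 to near 0 around the 4.2 mark, with the solver's branching count peaking there.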
Editor's notes
A central concern of number theory is the study of prime numbers. Indeed, whole books have been written on the subject. An integer p>1 is a prime number if and only if its only divisors are 1 and itself. Prime numbers play a critical role in number theory and in the techniques discussed in this chapter. Stallings Table 8.1 (excerpt above) shows the primes less than 2000. Note the way the primes are distributed. In particular note the number of primes in each range of 100 numbers.
The idea of "factoring" a number is important: finding numbers which divide into it. Taking this as far as it can go, by factorising all the factors, we can eventually write the number as a product of (powers of) primes, its prime factorisation. Note also that factoring a number is relatively hard compared to multiplying the factors together to generate the number.
Two numbers are “relatively prime” if they share no common factors other than 1. Another common problem is to determine the "greatest common divisor" GCD(a,b), which is the largest number that divides into both a and b.
Two theorems that play important roles in public-key cryptography are Fermat’s theorem and Euler’s theorem. Fermat’s theorem (also known as Fermat’s Little Theorem), as listed above, states an important property of prime numbers. See Stallings section 8.2 for its proof.
Now introduce Euler’s totient function ø(n), defined as the number of positive integers less than n and relatively prime to n. Note that the term “residue” refers to numbers less than some modulus, and the “reduced set of residues” to those residues which are relatively prime to the modulus n. Note by convention that ø(1) = 1.
To compute ø(n) we need to count the residues to be excluded. In general this requires a formula based on the prime factorization of n, but there are a couple of special cases, as shown.
Euler's Theorem is a generalization of Fermat's Theorem for any number n. See Stallings section 8.2 for its proof.
For many cryptographic functions it is necessary to select one or more very large prime numbers at random. Thus we are faced with the task of determining whether a given large number is prime. Traditionally one sieves for primes using trial division by all possible prime factors of a number, but this only works for small numbers. Alternatively one can use repeated statistical primality tests based on properties of primes and then, for certainty, a slower deterministic primality test such as the AKS test.
The algorithm shown, due to Miller and Rabin, is typically used to test a large number for primality. See Stallings section 8.3 for its proof, which is based on Fermat’s theorem.
If Miller-Rabin returns “composite” the number is definitely not prime; otherwise it is either a prime or a pseudo-prime. The chance that a single round passes a composite (a pseudo-prime) is < 1/4. So if the test is applied repeatedly with different values of a, the probability that the number is a pseudo-prime can be made as small as desired, e.g. after 10 tests the chance of error is < 0.00001. If certainty is really needed, one would then expend the effort to run a deterministic primality proof such as AKS.
A result from number theory, known as the prime number theorem, states that primes near n are spaced on average one every ln n integers. Since even numbers can be ignored, on average one need only test 0.5 ln(n) numbers of size n to locate a prime, e.g. for numbers around 2^200 one would check 0.5 ln(2^200) ≈ 69 numbers on average. This is only an average; one can see successive odd primes, or long runs of composites.
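The test described in these notes, as an added example rather than the notes' own listing: Miller–Rabin with k random bases (a composite survives all k with probability below 4^-k), plus a walk through odd candidates above 2^200 to illustrate the 0.5 ln n estimate from the prime number theorem. The small-prime pre-filter and the base range are choices made here.

```python
import secrets
from typing import Tuple


def miller_rabin(n: int, rounds: int = 10) -> bool:
    """False: n is certainly composite. True: n is prime or a pseudo-prime to all
    `rounds` random bases, which a composite survives with probability < 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):           # cheap trial division (added pre-filter)
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                          # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)     # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                         # this base says "probably prime"
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:                   # reached -1: no nontrivial sqrt of 1 seen
                break
        else:
            return False                     # a is a witness: n is composite
    return True


def next_probable_prime(start: int, rounds: int = 10) -> Tuple[int, int]:
    """Walk odd candidates upward from `start`; return (probable prime, candidates tested).
    Near 2^200 the count averages about 0.5 * ln(2^200), roughly 69."""
    candidate = start | 1
    tested = 0
    while True:
        tested += 1
        if miller_rabin(candidate, rounds):
            return candidate, tested
        candidate += 2


if __name__ == "__main__":
    p, tested = next_probable_prime(1 << 200)
    print(f"found a 201-bit probable prime after testing {tested} odd candidates")
```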
One of the most useful results of number theory is the Chinese remainder theorem (CRT), so called because it is believed to have been discovered by the Chinese mathematician Sun-Tse in around 100 AD. It is very useful in speeding up some operations in the RSA public-key scheme, since it allows you to perform calculations modulo the factors of your modulus and then combine the answers to get the actual result. Since the computational cost grows with operand size, this is faster than working with the full-size modulus.
One of the useful features of the Chinese remainder theorem is that it provides a way to manipulate (potentially very large) numbers mod M in terms of tuples of smaller numbers. This can be useful when M is 150 digits or more. Note, however, that it is necessary to know beforehand the factorization of M. See worked examples in Stallings section 8.4.
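RSA decryption via the CRT, as these notes describe, written here as an added example (not Stallings' worked example): the toy key uses the Mersenne primes 2^31-1 and 2^61-1 (constructed, far smaller than real keys), and the CRT result is checked against direct decryption.

```python
from typing import Sequence, Tuple


def crt_combine(residues: Sequence[int], moduli: Sequence[int]) -> int:
    """Return x in [0, M) with x ≡ r_i (mod m_i) for pairwise coprime m_i, M = product of m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m                              # product of the other moduli
        x = (x + r * Mi * pow(Mi, -1, m)) % M    # pow(.., -1, m) is the modular inverse
    return x


def rsa_decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """Decrypt with exponents reduced mod p-1 and q-1 (Fermat), then recombine:
    two half-size exponentiations instead of one full-size one."""
    mp = pow(c % p, d % (p - 1), p)
    mq = pow(c % q, d % (q - 1), q)
    return crt_combine([mp, mq], [p, q])


def rsa_demo(message: int = 123456789) -> Tuple[int, int]:
    """Return (direct decryption, CRT decryption) of `message` under a constructed toy key."""
    p, q, e = (1 << 31) - 1, (1 << 61) - 1, 65537   # constructed key; both Mersenne primes
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    c = pow(message, e, n)
    return pow(c, d, n), rsa_decrypt_crt(c, d, p, q)
```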
Consider the powers of an integer modulo n. By Euler's theorem, for every a relatively prime to n there is at least one power equal to 1 (namely ø(n)), but there may be a smaller one. If the smallest such exponent is m = ø(n), then a is called a primitive root. If n is prime, then the powers of a primitive root “generate” all residues mod n. Such generators are very useful and are used in a number of public-key algorithms, but they are relatively hard to find.
Discrete logarithms are fundamental to a number of public-key algorithms, including Diffie-Hellman key exchange and the digital signature algorithm (DSA). Discrete logs (or indices) share the properties of normal logarithms and are quite useful. The logarithm of a number is defined to be the power to which some positive base (except 1) must be raised in order to equal that number. If working in modular arithmetic with a primitive root as the base, then an integral discrete logarithm exists for any residue. However, whilst exponentiation is relatively easy, finding discrete logs is not; in fact it is as hard as factoring a number. This is an example of a problem that is "easy" one way (raising a number to a power) but "hard" the other (finding what power a number must be raised to in order to give the desired answer). Problems with this type of asymmetry are very rare, but are of critical usefulness in modern cryptography.
Can you give an example in which solving the discrete log is simple? All finite groups are isomorphic to (Z_n, +), so why isn’t it always easy?
Note that the only square roots of unity modulo a prime n are 1 and n - 1. This algorithm gives a hint of why you should have a large prime factor in (p - 1) and/or (q - 1).