This document discusses using symmetric encryption for applications beyond simple transmission of encrypted messages. It covers generating cryptographically secure random keys, using block cipher modes like CBC and CTR to encrypt files, and securely storing encryption keys and initialization vectors. A program cannot generate true randomness on its own, so physical sources of randomness must be amplified with cryptographic pseudorandom number generators. Block cipher modes like ECB leak information (equal plaintext blocks give equal ciphertext blocks), while CBC and CTR avoid this if properly implemented with random or changing nonces/IVs. Storing keys securely, such as encrypting them with a password-derived key, is also important for practical encrypted storage systems.
3. Recap: Symmetric Encryption
[Figure: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]
Correctness property: for all possible messages m, D(E(m)) = m
Security property: given c = E(m), it is “hard” to learn anything interesting about m.
“hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions
evans@virginia.edu
Engineering Crypto Applications
2
5. Today: Using Symmetric Encryption
[Figure: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext]
1. How to generate a good (unpredictable) key: randomness
2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server
8. Which is random?
[Figure: two columns of 13-bit rows. Left: C1 from the Puzzle Challenge. Right: C1 with sequences of 5 or more repeated symbols modified (message Crypto.Random).]
9. Which is random?
Source of images: http://boallen.com/random-numbers.html
10. Which is random?
[Figure: two bitmap images: random.org (atmospheric noise) and PHP rand() (on Windows)]
Which should you use to generate cryptographic keys?
Source of images: http://boallen.com/random-numbers.html
11. Defining Non-Randomness
If you can find any predictable patterns in the sequence, it is definitely not random.
“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”
Supreme Court Justice Potter Stewart (on pornography)
12. Defining Randomness
Andrey Kolmogorov
(1903-1987)
For a sequence s, its Kolmogorov complexity K(s) = the length of the shortest description of s.
A sequence s is random if K(s) = |s| + C.
(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)
“He was to probability theory what Euclid was to geometry.” (Peter Lax)
17. If your mind isn’t blown yet…
What is the smallest natural number that cannot be described in eleven words?
18. If your mind isn’t blown yet…
What is the smallest natural number that cannot be described in eleven words?
Answer: “The smallest natural number that cannot be described in eleven words.”
(The slide numbers the words of this description 1 through 11: it is itself an eleven-word description.)
19. Randomness is Essential
• Kolmogorov provides a definition of randomness but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible)
• Impossible for a program to generate true randomness: a program cannot generate a longer sequence than itself
• There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses
20. Amplifying Physical Randomness
[Figure: Pseudo-Random Number Generator. k = f(physical randomness); the output blocks are AES_k(0), AES_k(1), AES_k(2), AES_k(3), …]
Every once in a while, compute a new k using new physical randomness.
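The construction in the figure above, as an added Go example that is not from the slides: a generator that amplifies a physical seed by producing AES_k(0), AES_k(1), … and a reseed method for the "every once in a while" step. crypto/rand stands in for the physical source, and the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// aesPRNG is the slide's construction: output block i is AES_k(i). Example-only type.
type aesPRNG struct {
	block   cipher.Block
	counter uint64 // blocks produced under the current key
}

// reseed installs k = f(physical randomness); seed is a 16/24/32-byte value from a physical source.
func (p *aesPRNG) reseed(seed []byte) error {
	b, err := aes.NewCipher(seed)
	if err != nil {
		return err
	}
	p.block, p.counter = b, 0
	return nil
}

// read returns n pseudorandom bytes by encrypting successive 16-byte counter blocks.
func (p *aesPRNG) read(n int) []byte {
	out := make([]byte, 0, n+aes.BlockSize)
	var ctr, ct [aes.BlockSize]byte
	for len(out) < n {
		binary.BigEndian.PutUint64(ctr[8:], p.counter)
		p.block.Encrypt(ct[:], ctr[:])
		out = append(out, ct[:]...)
		p.counter++
	}
	return out[:n]
}

func main() {
	seed := make([]byte, 16)
	if _, err := rand.Read(seed); err != nil { // physical randomness stand-in
		panic(err)
	}
	p := &aesPRNG{}
	if err := p.reseed(seed); err != nil {
		panic(err)
	}
	fmt.Printf("%x\n", p.read(32))
}
```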
21. NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
22. Dual-EC PRNG
[Figure: Dual-EC PRNG. s_0 = physical randomness. P and Q are points on an elliptic curve. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), then the 16 least significant bits of r_i’s x-coordinate.]
23. Elliptic Curves
y^2 = x^3 − 7 (mod p)
Discrete values: x and y are integers!
Addition: P + Q = intersection of curve with line through P and Q
Multiplication: repeated addition, kP = P + P + … + P
Elliptic curves are primarily used in asymmetric crypto, but also in Dual EC PRNG
24. Elliptic Curves
[Figure: the curve y^2 = x^3 − 7 (mod p) with points P, Q and P+Q marked]
Discrete values: x and y are integers!
Addition: P + Q = negate the intersection of the curve with the line through P and Q
Multiplication: repeated addition, kP = P + P + … + P
25. Elliptic Curves
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
y^2 = x^3 − 7 (mod p)
P + Q = point on curve where line PQ intersects
kP = P + P + … + P (multiplication is just repeated addition)
26. Curve Used by Dual-EC PRNG
NIST P-256: y^2 = x^3 + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
27. Why would anyone use Elliptic Curves as the basis for a PRNG?
• Easier to plant a back-door in it than in designs based on symmetric ciphers
• Can be used to provide provable security properties based on number theory
– But not done for Dual EC PRNG
28. Dual-EC PRNG
Proposed as NIST standard (2005)
[Figure: Dual-EC PRNG. s_0 = randomness. P and Q are (random?) points on P-256. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), then the 16 least significant bits of r_i’s x-coordinate.]
29. [Figure: OpenSSL-FIPS implementation of Dual-EC (using NIST P and Q values). Image credit: Matthew Green]
30. “Rump session” talk at CRYPTO 2007:
You can choose Q such that Q = dP; then it is easy to find e such that P = eQ, and then it is easy to learn the state of the PRNG from just one output!
31. Shumow and Ferguson’s conclusion:
36. Randomness Summary
• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical randomness
• If your pseudorandom numbers are predictable, all is (almost always) lost
38. Scenario
• Documents about a plan to overthrow the government stored on an (easily-stolen) device
• Password/biometric-protected (assume that works, for now)
Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage
39. Electronic Codebook Mode
[Figure: declaration.txt is divided into 128-bit blocks (block 1, block 2, block 3, block 4, …, block n-1, block n); each block is encrypted separately with AES under key k to give the corresponding ciphertext block]
Encrypt each block with k
40. Electronic Codebook Mode
[Figure: the same diagram: declaration.txt divided into 128-bit blocks (block 1 … block n), each encrypted separately with AES under key k]
If two blocks have the same plaintext, with ECB they have the same ciphertext!
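Added Go example, not from the slides, showing the leak just described and the check a practitioner uses to spot it: a constructed file made of one 16-byte line repeated four times is encrypted under ECB and under CTR, and repeated ciphertext blocks are counted. The function names are the example's own; the CTR nonce is drawn fresh from crypto/rand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// ecbEncrypt encrypts each 16-byte block independently, as in the figure;
// pt must be a whole number of blocks (no padding is added here).
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// ctrEncrypt XORs pt with AES_k(nonce+i); a fresh random nonce per file keeps
// equal plaintext blocks from producing equal ciphertext blocks.
func ctrEncrypt(b cipher.Block, nonce, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(b, nonce).XORKeyStream(ct, pt)
	return ct
}

// repeatedBlocks counts 16-byte ciphertext blocks already seen earlier in ct;
// anything above zero means the mode is leaking plaintext structure.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			n++
		}
		seen[k] = true
	}
	return n
}

func main() {
	key, nonce := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(key) // fresh key and nonce from the OS CSPRNG
	rand.Read(nonce)
	b, _ := aes.NewCipher(key) // a 16-byte key cannot fail
	pt := []byte(strings.Repeat("We the People of", 4)) // constructed file
	fmt.Println(repeatedBlocks(ecbEncrypt(b, pt)), repeatedBlocks(ctrEncrypt(b, nonce, pt)))
}
```

Run as written it prints 3 repeated blocks for ECB and 0 for CTR, which is the whole of the slide's point in one line of output.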
42. Time-Space Tradeoffs
No-memory brute force attack:
[Figure: known crib → AES → known ciphertext]
Try all keys until you find one that fits.
Memory: 0
Time: 2^127 encryptions (1T nuclear mega-bombs)
44. Combination: Rainbow Tables
Won’t quite work like this for AES, but with some more tricks.
[Figure: Precompute chains known crib → AES → ciphertext 1 → AES → … → AES → ciphertext 2^64; only store these chain endpoints]
Time: 2^64
Memory: 2^68 bytes (~$137 Trillion)
56. Scaling Work
[Figure: a human-remembered long password (44 bits of entropy) keys AES; the AES step is repeated 1000 times over k, and the stored value is the 1000x-encrypted k]
57. Scaling Work
[Figure: the same diagram: k encrypted 1000 times under the password (44 bits of entropy); the stored value is the 1000x-encrypted k]
Time for one AES: 10 ms
Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power)
Time for 1000x AES: 10 s
Time for 2^44 1000x AES: 5M years
58. Scaling to a Web Service
64. Encrypted Passwords Scheme
UserID | Password
benf | AES_K(flyakite)
samadams | AES_K(beer)
tj | AES_K(Monti07cello04)
… | …
Store passwords encrypted using master key K.
Authentication check: AES_K(guess) == users[userID].password
FAIL: someone who gets the password file and K learns all passwords
67. “If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
68. 86% of users are dumb
Single ASCII character: 0.5%
Two characters: 2%
Three characters: 14%
Four alphabetic letters: 14%
Five same-case letters: 21%
Six lowercase letters: 18%
Words in dictionaries or names: 15%
Other (possibly good passwords): 14%
(Morris/Thompson 79)
69. Dictionary Attacks
Seed list:
• All 1-4 letter words
• List of common (dog) names
• Words from dictionary (4M words, 20+ languages)
• Phone numbers, dates, etc.
• Anything written in any popular password advice document!
Rules for generating passwords (http://www.openwall.com/john/):
• Combining words from seed list
• Inserting numbers, symbols
• Replacing “l” with “1”, “ate” with “8”, etc.
70. Aside: My 3-Word Password Advice
Unimportant Passwords: use “silly” (protect service, not user)
Important Passwords: write them down (but somewhat obfuscated and in a secure place)
If you can memorize it, it is not secure! (unless you have a well-trained memory)
71. Making Dictionary Attacks Harder
UserID | Password | Password
benf | AES_flyakite(0) | AES_flyakite^1000(0)
samadams | AES_beer(0) | AES_beer^1000(0)
tj | AES_Monti07cello04(0) | AES_Monti07cello04^1000(0)
… | … | …
1. Use a more expensive cryptographic hash function
72. Making Dictionary Attacks Harder
UserID | Salt (16 bits) | Password
benf | 52455 | AES_flyakite^1000(52455)
samadams | 50757 | AES_beer^1000(50757)
tj | 47101 | AES_Monti07cello04^1000(47101)
… | … | …
AES x 1000 makes a dictionary attack 1000 times harder
16-bit salt makes a dictionary attack 2^16 times harder (but doesn’t make a targeted attack against one user harder)
2. Add “salt” – randomly selected (but non-secret) value for each user
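Both steps above (the 1000x AES iteration of slide 71 and the per-user 16-bit salt of slide 72) in one added Go example that is not from the slides: enroll stores (salt, AES_pw^1000(salt)) and check recomputes that value for a guess. The slides key AES with the password itself, so the example zero-pads (or cuts) the password to a 16-byte key; that padding rule, and the function names, are the example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const iterations = 1000 // the slide's 1000x; real deployments use far more

// stretch computes AES_pw^1000(salt) as on the slide: the 16-bit salt goes in a
// zero block that is encrypted 1000 times under the password. The password is
// zero-padded (or cut) to the 16 bytes an AES-128 key needs; that is an assumption.
func stretch(pw string, salt uint16) [16]byte {
	var key, blk [16]byte
	copy(key[:], pw)
	b, _ := aes.NewCipher(key[:]) // a 16-byte key cannot fail
	binary.BigEndian.PutUint16(blk[14:], salt)
	for i := 0; i < iterations; i++ {
		b.Encrypt(blk[:], blk[:]) // in-place encryption: dst and src overlap exactly
	}
	return blk
}

// enroll draws a fresh random 16-bit salt and returns it with the stretched
// value; the pair is what gets stored, the password itself never is.
func enroll(pw string) (uint16, [16]byte, error) {
	var s [2]byte
	if _, err := rand.Read(s[:]); err != nil {
		return 0, [16]byte{}, err
	}
	salt := binary.BigEndian.Uint16(s[:])
	return salt, stretch(pw, salt), nil
}

// check recomputes the stored value for a guess and compares in constant time.
func check(salt uint16, tag [16]byte, guess string) bool {
	got := stretch(guess, salt)
	return subtle.ConstantTimeCompare(got[:], tag[:]) == 1
}

func main() {
	salt, tag, err := enroll("flyakite") // benf's password from the slide
	if err != nil {
		panic(err)
	}
	fmt.Println(salt, check(salt, tag, "flyakite"), check(salt, tag, "beer"))
}
```

The iteration count and the 16-bit salt are the slide's numbers; a current deployment would use a purpose-built password hash (PBKDF2, bcrypt, scrypt or Argon2) with a much higher cost and a longer salt.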
73. Two Big Problems Remaining:
1. Users are still morons
74. Two Big Problems Remaining:
1. Users are still morons (Solving this is outside the scope of this class.)
Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.
GAO Audit of IRS (2005)
75. Two Big Problems Remaining:
2. Transmitting password
[Figure: TJ ↔ Insecure Channel ↔ petitions.gov]
How does TJ know he’s really talking to petitions.gov?
How can he establish a secure channel to transmit the password?
76. Plan for Next Week
Solving these problems using asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)
(open to requests!)
MightBeEvil.com/crypto