Intro to Cryptography

Intro to Cryptography
Michael Soltys
California State University at Channel Islands
August 20, 2015 v1.1
Crypto - Michael Soltys August 10, 2015 v1.1 Introduction - 1/45

WEP, WPA/WPA2 SSL/SSH
PGP/GPG
RSA Encryption 128 bytes:
BE 89 0E A1 AD FA 7D 58 6A A1 6A E4
3B ED 75 E4 3E F2 19 F7 F3 0F FA D9
EF 62 10 52 7B FC DD 94 96 A8 35 6B
1B 50 60 2E 2E 79 AC 7C 2E A3 81 DE
8D 37 F9 EE 6E 4F 82 C7 E4 12 04 55
AF 57 69 94 8C EF 2E 50 7A 6D 53 0F
5B 5F 62 58 5E CF F2 DF F4 4D CE 71
B6 82 D7 86 E5 4F 77 E4 91 AA E4 BD
5A 65 AA 9E 20 4F 38 5E B4 8B E0 36
45 80 A8 D5 24 5C 46 9D F1 80 C0 6B
62 A5 1F 26 5E AE 17 47
DRM
FairPlay
MD5
5c3079df8a48623f5aa10f0181a7ab03

We know how to do crypto scientiﬁcally
→ and it is a huge help
But, in practice most security problems due to buggy code
→ writing software that is not buggy is the problem of
CS/SE
Challenge 1: build secure systems with insecure components
→ similar to building reliable systems with unreliable
components
Challenge 2: the art of making the right trade-oﬀs to satisfy
contradictory objectives (e.g., security & speed)

Cryptography is the art of computing & communicating in the
presence of an adversary
cryptography = κρυπτo (hidden or secret) + γραφη (writing)
Three broad applications:
encryption
authentication
integrity checking
Not all security is an application of crypto, e.g., Firewalls.

Fundamental TENET of cryptography
Lots of smart people have been trying to ﬁgure out how
to break X,
but so far they have not been able to come up with anything yet.
Therefore X is “secure” . . .

Fundamental ASSUMPTION of cryptography
Everybody knows how it works, i.e., the algorithm is public
knowledge.
The secret is the “key”.
In principle it can always be broken; but in practice it is too much
work for the “bad guy.”

Great free tools to practice the ideas presented in these slides:
GnuPG (http://www.gnupg.org)
OpenSSL (http://www.openssl.org)

plaintext
encryption
−→ ciphertext
decryption
−→ plaintext
Caesar cipher: key a secret number between 1 and 25.
Monoalphabetic cipher: key a secret pairing — 26! ≈ 1026
Crypto - Michael Soltys August 10, 2015 v1.1 Basic ciphers - 8/45

Three basic attacks:
ciphertext only
known plaintext
chosen plaintext

Three types of cryptographic functions:
hash functions (0 keys)
secret functions (1 key)
public key functions (2 keys)

Secret (Symmetric) key crypto
plaintext
encryption
decryption
key
ciphertext
plaintext ciphertext

Public (Asymmetric) key crypto
private key
encryption
plaintext ciphertext
ciphertext plaintext
decryption
public key

Digital signature scheme
public key
plaintext
signing
signed message
plaintextsigned message
verification
private key

Symmetric Ciphers
Substitutions
Permutations
XOR
Crypto - Michael Soltys August 10, 2015 v1.1 Symmetric ciphers - 14/45

Rounds of substitutions & permutations

XOR, exclusive OR
x y x ⊕ y
0 0 0
0 1 1
1 0 1
1 1 0
If a, b ∈ {0, 1}n then a ⊕ b is a string in {0, 1}n where the i-th bit
is ai ⊕ bi
Bit-wise XOR
Can also Bit-wise XOR a stream

DES (1977)
“Data Encryption Standard”
IBM’s cipher + NSA =⇒ DES
DES
56 bits
key
64 bits
input
64 bits
output
Technically, key is also 64 bits, but each octet is
x1 x2 x3 x4 x5 x6 x7 y where y = 7
i=1 xi .
Crypto - Michael Soltys August 10, 2015 v1.1 DES - 17/45

inverse of original permutation
64−bit input
permutation
Round 1
Round 2
Round 16
Generate 16 keys, each
of 48−bits from the
initial 56−bits
56−bit key
swap left & right sides

4
32−bit L
32−bit R
32−bit R
Mangler
Function
32−bit L nn
n+1 n+1
+
Kn
1
2
3
Reversible “Feistel cipher.”

Example: Apache HTTP server access
.htaccess & .htpasswd
Can create a (variant of) DES login/password pair:
htpasswd -cbd ./.htpasswd crypto 7u3pr4aa
and the result is is the ﬁle .htpasswd containing:
crypto:9.ZzClMRzHfmc

On:
http://www.cas.mcmaster.ca/~soltys/cs3c03-w13/ReadingList
.htpasswd consists of:
netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21
created with command:
htpasswd -cbm ./.htpasswd netsec2013 tigerblood
which produces an MD5 hash
-d is crypt() a variant of DES
-m is MD5
-s is SHA1

crypt() function
man 3 crypt for details
password truncated to 8 letters
each encoded with 7 (ASCII)
bits
giving 56 bits of input
salt used to “perturb”
displayed in Base64
64 bits
DES
DES
DES
DES
64 bits of 0s 56 bit passwd
1
2
25
3

h = crypt("passwd","h")
perl -e ’print crypt("7u3pr4aa"," 9. ZzClMRzHfmc ")’
outputs eYZUcvy1BSUak

Challenge
Who can break break crypt() htpasswd corresponding to:
.DubBN4dRdP7w

AES
NIST: National Institute of Standards
“Rijndael”
FIPS 2001
AES-128, AES-192, AES-256
Crypto - Michael Soltys August 10, 2015 v1.1 AES - 26/45

Block ciphers
Encrypting messages longer than 64 bits (KPS, chp 4)
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. k-bit Cipher Feedback Mode (CFB)
4. k-bit Output Feedback Mode (OFB)
5. Counter Mode (CTR)
Crypto - Michael Soltys August 10, 2015 v1.1 Block ciphers - 27/45

ECB
K
message...
m m m m mm1 2 3 4 5 6
e e e e e e1 2 3 4 5 6

Plaintext ECB

CBC
K
m m m m
IV
c c c c1 2 3 4
1 2 3 4
enc enc enc enc
xor xor xor xor
K K K

Plaintext ECB CBC

Stream ciphers: RC4
Message m and one-time pad p both in {0, 1}n.
A stream cipher generates successive bits pi to encode a stream of
bits mi as ci = mi ⊕ pi .
Crypto - Michael Soltys August 10, 2015 v1.1 Stream ciphers - 32/45

(Keep in mind that 28 = 256)
let S[i] be an array of octets (i.e., bytes)
Initialize S:
for i=0 . . . 255
S[i]=i
end for
j=0
for i=0 . . . 255
j=(j+S[i]+key[i mod keylength]) mod 256
swap S[i] and S[j]
end for

Generate pseudo-random bit stream (byte at a time)
i=0
j=0
while "next byte needed"
i=(i+1) mod 256
j=(j+S[i]) mod 256
swap S[i] and S[j]
k=S[(S[i]+S[j]) mod 256]
output k
end while

802.11 Wireless Networks Security
WEP (Wired Equivalent Privacy) uses RC4 — deprecated!
WPA (Wi-Fi Protected Access)
WPA uses RC4-type called TKIP (larger keys than WEP)
WPA2 uses AES
WPA/WPA2 part of 802.11i as of 2004.

WEP
"ciphertext"
Init
Vector
"one−time pad" = "keystream"
00101101011101011000101110...
"plaintext" 110111001011000111100100...
+
1111000111000100011...
=
RC4Key
(IV)
concatenation
|

openssl ciphers -v
Name; Protocol; Kx=key exchange; Au=authentication; Enc=encryption; Mac=message digest
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Public Key Crypto
Diﬃe-Hellman
ElGamal
RSA
Crypto - Michael Soltys August 10, 2015 v1.1 PKC - 38/45

Diﬃe-Hellman Key Exchange
Oldest public key cryptosystem still in use.
Allows two individuals to agree on a shared key, even though
they can only exchange messages in public.
A weakness is that there is no authentication; the other might
be a “bad guy.”
Described in RFC 2631

0
2
4
6
8
10
12
14
16
0 2 4 6 8 10 12 14 16
"primitive.txt"
Plot of log3(x) over Z17.

Alice Bob
1 Public: p, g such that Zp = g
2 Choose secret a Choose secret b
3 Computer A := ga Compute B := gb
4 Send A to Bob −→ ←− Send B to Alice
5 Compute Ba Compute Ab
Alice & Bob have shared value
6 Ab = (ga)b = gab = gba = (gb)a = Ba

1. Alice and Bob agree to use a prime p = 23 and base g = 5.
2. Alice chooses secret a = 8; sends Bob A = ga (mod p)
2.1 A = 58
(mod 23)
2.2 A = 16
3. Bob chooses secret b = 15; sends Alice B = gb (mod p)
3.1 B = 515
(mod 23)
3.2 B = 19
4. Alice computes s = Ba (mod p)
4.1 s = 198
(mod 23)
4.2 s = 9
5. Bob computes s = Ab (mod p)
5.1 s = 1615
(mod 23)
5.2 s = 9

Computing large powers in (Zn, ∗) can be done eﬃciently with
repeated squaring—for example, if (m)b = cr . . . c1c0, then
compute
a0 = a, a1 = a2
0, a2 = a2
1, . . . , ar = a2
r−1 (mod n),
and so am = ac0
0 ac1
1 · · · acr
r (mod n).

DH only resists passive adversaries.
A passive attack is one in which the intruder eavesdrops but does
not modify the message stream in any way.
An active attack is one in which the intruder may:
transmit messages
replay old messages
modify messages in transit
delete selected messages from the wire
A typical active attack is one in which an intruder impersonates
one end of the conversation, or acts as a man-in-the-middle. This
attack motivates the need for authentication.

How to do a “man-in-the-middle” on DH?
Alice Eve Bob
gSA = 8389 gSX = 5876 gSB = 9267
8389 −→ 5876 −→
5876 ←− 9267 ←−
Shared key
KAX = 5876SA = 8389SX
and shared key
KBX = 9267SX = 5876SB

Intro to Cryptography

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (15)

Similaire à Intro to Cryptography

Similaire à Intro to Cryptography (20)

Dernier

Dernier (20)

Intro to Cryptography