Ciphertext only: attacker knows a limited number of ciphertexts and wants to recover the plaintexts and the key
KP (known plaintext): attacker knows a limited number of ciphertexts and their plaintexts and wants to recover the key
CP (chosen plaintext): attacker knows the encryption function (not the key) and can get plaintexts of his own choosing encrypted; wants to be able to decrypt and to recover the key
CC (chosen ciphertext): attacker knows the decryption function (not the key) and can get ciphertexts of his own choosing (including intercepted ones) decrypted; wants to recover the key
Caesar cipher: the alphabet can be shifted by as many positions as one likes; the shift is the key
Pure shift cipher: crack by brute force - there are just <length of alphabet> keys
Substitution/mixed-alphabet cipher: number of keys is <length of alphabet>! - for 26 that is > 4*10^26, so brute force is out, but frequency analysis / dictionary attacks still work because each plaintext letter always maps to the same ciphertext letter
The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is based on bicliques and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively. Those work factors are far beyond anything computable, so AES remains secure in practice; the result matters as cryptanalysis, not as a threat.
Pb: public key
Sb: secret (private) key
The problem is that we need to find a function that is easy to apply but extremely hard to reverse (a one-way function with a trapdoor that only the key owner knows).
One might ask: if Bob publishes e and n and Alice encrypts a message x as y = x^e mod n,
WHY THE HELL can't an ADVERSARY who learns x^e mod n just compute the e-th root mod n and break the code?
Toy example: p = 3, q = 11, so n = 33 and (p-1)(q-1) = 20. e must be coprime to 20, so e can be e.g. 7, 11, 13, 17, 19 (not 5, since gcd(5, 20) = 5)
n = 33, e = 7 is the public key; d = 3, because e*d = 1 (mod 20) -> 7*3 = 21 = 1 (mod 20)
Important: the distinction between brute-force cracking (trying keys / factoring n) and analytic cracking (a shortcut that avoids the search)
PKCS: Public Key Cryptography Standards
Very common password-storage issue
What would a password cracker do if they got access to your hashed database of user accounts/passwords?
Lookup tables -> Rainbow Tables (precomputed hash -> password mappings; they only work when the same password always hashes to the same value, i.e. without a salt)
A collision attack exists that can find MD5 collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor
MD5 digests have been widely used in the software world to provide some assurance that a transferred file has arrived intact. For example, file servers often provide a pre-computed MD5 (known as md5sum) checksum for the files, so that a user can compare the checksum of the downloaded file to it. Unix-based operating systems include MD5 sum utilities in their distribution packages, whereas Windows users use third-party applications. Android ROMs also utilize this type of checksum. Note that this only guards against accidental corruption: because collisions are cheap, a matching MD5 is no proof that nobody who can produce colliding files has tampered with the download.
If you generate random salts, make sure the generator is cryptographically secure; the default PRNG of your platform (System.Random or similar) usually is not.
Cryptography for developers
Cryptography for Developers Kai Koenig @AgentK
Agenda
What is Cryptography?
Definitions
Symmetric and Asymmetric cryptography
Hashing
Some examples
References
You might know me from...
Being active in the CF/web dev community in AU and NZ
Having a very strong opinion on SOAP-based web services
Having been at many webDUs in the last few years
What you might not know...
I’m also a fully trained mathematician
THERE IS A NEED FOR DEVELOPER EDUCATION ON CRYPTOGRAPHY
What is Cryptography? (and what is it good for)
Essentially
Encryption of plaintext to ciphertext
Decryption of ciphertext to plaintext
“Secrets”
Confidentiality (“Don’t worry, no one can hear us here”)
Integrity and authenticity (“I really work for the FBI, trust me!”)
Anonymity(“Surely no one can trace this movie download via Torrent”)
Definition of a crypto system (I)
Crypto system S = <M, C, K, E, D>
M - set of plaintexts (messages)
C - set of ciphertexts (encrypted messages)
K - set of keys
E - set of encryption transforms E_k: M -> C
D - set of decryption transforms D_k: C -> M
Definition of a crypto system (II)
Every m∊M can be decrypted again after being encrypted (∀k∊K, m∊M: D_k(E_k(m)) = m)
Different m∊M can not be encrypted to the same c∊C, i.e. each E_k is injective (∀k∊K, m₁,m₂∊M: E_k(m₁) = E_k(m₂) ⇒ m₁ = m₂)
Desired properties of a crypto system
Both E, D must be efficient and easy to use.
Both E, D should be assumed known (Kerckhoffs' principle: only the key k is secret).
It should be infeasible to deduce (without knowing k):
m from c
D_k from c (even if m is known)
E_k from m (even if c is known)
c, unless E_k and m are known
Practical application
If your crypto system doesn’t fulfil the desired properties, it’s most likely not secure.
Common attack vectors: Ciphertext-only, Known plaintext, Chosen plaintext, Chosen ciphertext
Implementation of Caesar cipher
Very easy to implement via the modulo operation: for an integer m and a positive integer n, m mod n is the smallest non-negative integer r so that m = nq + r for some integer q.
The Caesar cipher is essentially a transformation from position n to position (n + s) mod 26, where the shift s is the key.
Problems
Easy to crack with frequency analysis (letter frequencies) and dictionary attacks
Rotation cipher is too simple, make the algorithm more complex? Mix the alphabet? Or even more complex: Good?
Problems
Symmetric cryptography (any scheme that uses a codebook or private key) suffers from a few drawbacks:
Adversary learns what the code is → decoding becomes trivial
If the coding scheme is used often enough over time and the adversary has enough time and computing power, they could break the code
Polyalphabetical ciphers - try it yourself
Plaintext: renaissance
Ciphertext: seadjsfdocr
Decode the following ciphertext: hobgxenwiee
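The shift cipher, its 26-key brute force (the point of the speaker note on shift ciphers), and the polyalphabetic exercise on the last slide, as an added Python example that is not part of the original slides: the shift is the (n + s) mod 26 transformation from the Caesar slide, and the known-plaintext attack (one of the attack vectors listed earlier) recovers the repeating key from the renaissance/seadjsfdocr pair before decoding the exercise ciphertext. Function names and the crib word are my own; the key and the decoded text are computed by the code, not taken from the slides.

```python
import string

ALPHABET = string.ascii_lowercase  # positions 0..25 of the 26-letter alphabet


def shift_char(ch: str, s: int) -> str:
    """Map a lowercase letter at position n to position (n + s) mod 26.
    Non-letters pass through unchanged; Python's % keeps negative s in range."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + s) % 26]


def caesar(text: str, s: int) -> str:
    """Caesar/shift cipher: encrypt with shift s, decrypt with shift -s."""
    return "".join(shift_char(c, s) for c in text.lower())


def caesar_brute_force(ciphertext: str, crib: str):
    """Only 26 keys exist, so try them all and keep the one whose output
    contains a word we expect to see (the crib). Returns (shift, plaintext)."""
    for s in range(26):
        candidate = caesar(ciphertext, -s)
        if crib in candidate:
            return s, candidate
    return None


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic cipher: position i of the text is shifted by the letter
    key[i mod len(key)]. Assumes letters-only input, as on the slide."""
    shifts = [ALPHABET.index(k) for k in key.lower()]
    out = []
    for i, ch in enumerate(text.lower()):
        s = shifts[i % len(shifts)]
        out.append(shift_char(ch, -s if decrypt else s))
    return "".join(out)


def recover_vigenere_key(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext attack: the per-position shift (c - p) mod 26 is the key
    letter used there; the shortest period that explains every position is
    the key length."""
    shifts = [(ALPHABET.index(c) - ALPHABET.index(p)) % 26
              for p, c in zip(plaintext.lower(), ciphertext.lower())]
    for period in range(1, len(shifts) + 1):
        if all(shifts[i] == shifts[i % period] for i in range(len(shifts))):
            return "".join(ALPHABET[s] for s in shifts[:period])
    raise ValueError("plaintext and ciphertext do not fit a repeating key")


def solve_slide_exercise() -> tuple:
    """Recover the slide's key from the given pair, then decode the challenge."""
    key = recover_vigenere_key("renaissance", "seadjsfdocr")
    return key, vigenere("hobgxenwiee", key, decrypt=True)


if __name__ == "__main__":
    print(caesar_brute_force(caesar("attack", 3), "attack"))
    print(solve_slide_exercise())
```

A single known plaintext/ciphertext pair that is longer than the key is enough to recover the whole key, which is why the slide's "make the algorithm more complex" does not help as long as the mapping is a fixed, repeating substitution.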
What’s considered good and secure?
Block ciphers: a block of data (e.g. 128 bits) is encrypted at a time, using the same key on each block. Block ciphers have various modes of operation: ECB, CBC, CFB, OFB etc. (ECB maps equal plaintext blocks to equal ciphertext blocks and so leaks structure; avoid it.)
Stream ciphers: operate on one bit or byte at a time, XORing the data with a keystream derived from the key (and, in feedback designs, from earlier output).
What’s considered good and secure?
DES (Data Encryption Standard) - considered insecure, mainly due to its 56-bit key size
TripleDES (key bundle of three 56-bit keys) - practically secure-ish with known theoretical attack vectors, and slow!!!!
AES (128-, 192-, 256-bit keys) - considered mostly secure; there are some related-key attack vectors (against AES-192/256, not practical)
(All block ciphers)
What’s considered good and secure?
Blowfish (variable key length) - there are some attack vectors against reduced-round variants, but currently no known cryptanalytic weakness of the full cipher (its 64-bit block size does limit how much data one key should encrypt). Blowfish is also patent- and royalty-free.
Others: Serpent, Twofish, RC6, MARS etc.
Public-key (asymmetric) Cryptography
Protocol:
Both Alice and Bob have a public and a private key (key pair)
Each participant’s public key is made public
Alice encrypts a message to Bob with Bob’s public key.
Bob decrypts the message with his private key: m = Sb(Pb(m))
The hard part of public-key cryptography
Bob’s dilemma: Sb and Pb have to be easily computable for him.
Also: Sb has to be extremely hard to compute for everyone else but him (even if Pb is open and well known).
Creating proper public-key cryptography needs a lot of know-how in discrete mathematics.
A simple (insecure) public-key example
Messages: integers between 1 and 999
Bob’s public key is Pb(M) = rev(1000 - M), where rev reverses the decimal digits
Bob’s private key is Sb(C) = 1000 - rev(C)
Alice: M = 167, therefore C = rev(1000 - 167) = rev(833) = 338
Bob: receives C = 338, therefore M = 1000 - rev(338) = 1000 - 833 = 167
The example was flawed because if you know Pb, you can easily figure out Sb.
The challenge is to design a function Pb so that even if you know Pb and C = Pb(M) it is exceptionally difficult to figure out what M is.
A better (and more famous) PK crypto system
RSA: Rivest-Shamir-Adleman
Built on the idea of “mod n” calculations in the ring Z_n (Z_n is a field only when n is prime; for RSA’s composite n = p·q it is a ring)
Let’s do that!
We don’t have enough time to introduce:
Z_n and arithmetic in Z_n
Inverses, Greatest Common Divisors
Euclid’s Division Theorem
Fermat’s Little Theorem and Euler’s generalisation of it (this is the core of RSA)
How does RSA work though?
Bob chooses an RSA key:
(1) Choose 2 large prime numbers p and q
(2) n = p·q
(3) Choose e ≠ 1 so that e is relatively prime to (p − 1)·(q − 1)
(4) Compute d = e^−1 mod (p − 1)·(q − 1)
(5) Publish e and n
(6) Keep d secret and keep the factorisation n = p·q secret
Alice sends to Bob:
(1) Alice reads the public directory for Bob’s keys e and n
(2) Compute y = x^e mod n
(3) Send y to Bob
Bob does the following:
(4) Receive y from Alice
(5) Compute z = y^d mod n, using secret key d
(6) Read z
The trick is: there is no known efficient algorithm to calculate the e-th root mod n (and break the code) without the prime factorisation of n = p·q.
Someone who doesn’t know the factorisation can not break the code analytically.
Modular exponentiation with a composite modulus is (believed to be) a trapdoor one-way function: easy to compute, hard to invert unless you know the trapdoor, i.e. the factorisation.
Note: BRUTE FORCE (factoring n, or trying every possible d) is still possible, just infeasible for large n!
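The RSA procedure from the previous slide and the toy numbers in the speaker notes (p = 3, q = 11, e = 7, d = 3), as an added Python example that is not part of the original slides: it runs Bob's key generation, Alice's encryption and Bob's decryption, rejects e = 5 because gcd(5, 20) ≠ 1, and then plays the adversary who only has (n, e) and y and brute-forces the factorisation of n to rebuild d. Function names, the trial-division factoring routine and the sample message x = 4 are my own choices.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Textbook RSA key generation as on the slide: n = p*q, e coprime to
    (p-1)(q-1), d = e^-1 mod (p-1)(q-1). Returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if e <= 1 or gcd(e, phi) != 1:          # e.g. e = 5 is rejected for p=3, q=11
        raise ValueError(f"e={e} has no inverse mod {phi}")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(x: int, e: int, n: int) -> int:
    """Alice: y = x^e mod n (three-argument pow is modular exponentiation)."""
    return pow(x, e, n)


def rsa_decrypt(y: int, d: int, n: int) -> int:
    """Bob: z = y^d mod n using the secret d."""
    return pow(y, d, n)


def factor_by_trial_division(n: int) -> tuple:
    """Brute force: try every candidate divisor up to sqrt(n). Feasible for the
    toy n = 33, hopeless for a 2048-bit n; that gap is RSA's whole security."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no non-trivial factor")


def break_toy_rsa(n: int, e: int, y: int) -> int:
    """Adversary who knows only the public key (n, e) and the ciphertext y:
    once n is factored, d follows exactly as in key generation."""
    p, q = factor_by_trial_division(n)
    _, _, d = rsa_keygen(p, q, e)
    return rsa_decrypt(y, d, n)


def toy_round_trip(p: int = 3, q: int = 11, e: int = 7, x: int = 4) -> dict:
    """The speaker-note numbers end to end; x is a constructed sample message."""
    n, e, d = rsa_keygen(p, q, e)
    y = rsa_encrypt(x, e, n)
    return {"n": n, "e": e, "d": d, "y": y,
            "z": rsa_decrypt(y, d, n), "cracked": break_toy_rsa(n, e, y)}


if __name__ == "__main__":
    print(toy_round_trip())  # d = 3 because 7*3 = 21 = 1 (mod 20)
```

The message x has to be smaller than n, and this is textbook RSA: the same x always gives the same y and an attacker can multiply ciphertexts together meaningfully. Real deployments wrap the message in a randomised padding scheme (the PKCS standards mentioned on the next slide) before exponentiating.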
What’s considered good and secure?
RSA (min suggested key length today is 2048-bit, rather 3072-bit) - still the most common public key crypto system and with long keys very secure
Others: Diffie-Hellman, DSA, various PKCS
Worth mentioning: Elliptic Curve Cryptography - field of current research
Hashing
Speaking of one-way functions... how do you store passwords?
A hash function is a one-way function: it can’t be reversed, i.e. you cannot compute the input from the output.
You always want to store hashed (never plaintext) passwords in your DB.
Problems with MD5 hashing
Even though hashing is one-way, there are MD5 hash lookup libraries/websites: Google the hash
http://www.lib.muohio.edu/multifacet/record/az-4602da187c6e221d00d02826db1bfd6a
MD5 is not collision resistant and considered insecure now, use SHA-2 instead!
Salting
The same hash input creates the same hash output: test12 → 60474c9c10d7142b7508ce7a50acf414
But if you salt every password (a random per-user value stored next to the hash), precomputed lookup tables no longer apply and the hash value is much harder to reverse-engineer: <userID>test12<RandomSalt> → ...
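The password-storage issue from the speaker notes (lookup tables against unsalted hashes, salts that must come from a cryptographically secure generator) and the hashing/salting slides above, as an added Python example that is not part of the original slides: a constructed wordlist is hashed once into a lookup table, which cracks the unsalted MD5 store immediately and finds nothing in the salted SHA-256 store. The salt comes from the `secrets` module rather than `random`. The sample user database and wordlist are constructed for the example, and the final PBKDF2 function goes beyond the slides: it adds the work factor a plain salted SHA-2 hash lacks.

```python
import hashlib
import secrets

# Constructed wordlist: an attacker hashes every entry once and then simply
# looks stored hashes up (a lookup/rainbow table in miniature).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "test12", "letmein"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


LOOKUP_TABLE = {md5_hex(pw): pw for pw in COMMON_PASSWORDS}


def crack_with_table(stored_hash: str):
    """'Reverse' a hash by lookup, not by inverting the function."""
    return LOOKUP_TABLE.get(stored_hash)


def unsalted_store(users: dict) -> dict:
    """The very common password-storage issue: bare MD5 of the password.
    Equal passwords give equal hashes, and every hash is table-lookable."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def make_salt(nbytes: int = 16) -> str:
    """Salts must come from a CSPRNG: secrets, not random (nor System.Random)."""
    return secrets.token_hex(nbytes)


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 as the slide suggests (salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def salted_store(users: dict) -> dict:
    """Per-user random salt stored beside the hash: tables built without that
    salt are useless, and equal passwords no longer look equal."""
    store = {}
    for user, pw in users.items():
        salt = make_salt()
        store[user] = {"salt": salt, "hash": hash_password(pw, salt)}
    return store


def verify_password(store: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare so timing does
    not leak how many leading bytes of the hash matched."""
    rec = store[user]
    return secrets.compare_digest(hash_password(password, rec["salt"]), rec["hash"])


def slow_hash_password(password: str, salt: str, iterations: int = 200_000) -> str:
    """Beyond the slides: a password KDF (PBKDF2-HMAC-SHA256) adds a work
    factor, so even a salted hash cannot be guessed at raw SHA-2 speed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt.encode(), iterations).hex()


# Constructed sample user database: two users chose the same weak password.
USERS = {"alice": "test12", "bob": "test12", "carol": "correct-horse-battery"}

if __name__ == "__main__":
    weak = unsalted_store(USERS)
    print({u: crack_with_table(h) for u, h in weak.items()})
    strong = salted_store(USERS)
    print({u: crack_with_table(r["hash"]) for u, r in strong.items()})
```

A salt defeats precomputation, not guessing: an attacker who has the salt can still hash the wordlist per user, which is why the last function slows each guess down and why a real system stores a PBKDF2/bcrypt/scrypt-style output rather than one SHA-2 call.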