Cryptography and SSL in Smalltalk - StS 2003


Published on

Smalltalk Solutions 2003

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • hot air, bag of tricks, no proofs but growing lists of weaknesses
  • peer review vs security through obscurity
  • value of the protected entity cost of protection cost of breaking the protection understand the properties thoroughly e.g. latest side-channel (timing) attacks on SSL server implementations
  • confidentiality - prevent eavesdropping (passive attack) integrity - prevent undetected modification (active attack) authentication - proof of origin (active attack) non-repudiation - undeniable proof of origin SSL provides authentication but doesn’t provide non-repudiation SMIME does both (theoretically) point-to-point vs end-to-end
  • Hardware implementations
  • Key stream reuse disastrous, xoring 2 ciphertexts yields 2 xored plaintexts, easy to break (P1 xor K) xor (P2 xor K) = P1 xor (K xor K) xor P2 = P1 xor P2
  • - RC4
  • DEA (ANSI), DEA-1 (ISO) Lucifer descendant (IBM), NSA evaluated reviewed every 5 years 1983 – recertified, 1987 – recertified “last time” after public outcry 1993 – recertified, still no alternatives 1999 – reaffirmed 3DES, AES not finished yet
  • ADV: parallelization DIS: plaintext patterns, manipulation, synchronization, noise
  • IV should be unique, but doesn’t have to be secret (pseudo random, timestamp value, counter, …) ADV: decryption parallelizable, random access DIS: synchronization, noise
  • N-bit OFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
  • Nonce: usually message number combined with additional data to guarantee uniqueness N-bit CTR: smaller than block processing No need to pad. Doesn’t need decryption operation.
  • N-bit CFB: smaller than block processing No need to pad. Doesn’t need decryption operation.
  • double encryption – meet in the middle attach 2^n+1 instead of 2^2n tripple encryption – 2key or 3key cascading – beware of algorithm interactions
  • Rijndael – Joan Daemen, Vincent Rijmen (Netherlands) Serpent – Ross Anderson (Cambridge, UK) Twofish – Bruce Schneier (Counterpane Inc) MARS – Don Coppersmith (IBM) RC6 – Ron Rivest (RSA Labs)
  • much slower: expensive operations, sparse key space (much longer keys) eliptic curve crypto – same ciphers, different number field (faster)
  • no good for a small set of plaintexts (dictionary attack) encryption key is public => attacker can get as much chosen plaintext as she wants
  • Rivest, Shamir, Adelman use small e to optimize encryption/verification don’t use the same key to encrypt and sign; decrypting c is the same operation as signing c ! don’t reuse n (more material for cryptanalysis) not good with small messages; if modular reduction doesn’t occur (good chance with small e), the plaintext can be recoverd by simple (non-modular) e-th root computation; in fact any kind of structure in the message seems to facilitate attacks; messages should be protected against that using suitable “encoding” (PKCS#1 v2.1 – OAEP)
  • MD-strengthening: with inclusion of the length no encoded input is a prefix of another encoded input “ length extension attack”: if M2 = M1’ || X => h(M2) = h ( h (M1) || X)) M1’ means, the original M1 message padded as prescribed by the hash function possible fixes: h(h(M), M) – expensive, or h(h(M)) - weaker; MACs usually address the weakness as well
  • can get digest value in progress can clone a digest in progress blockSize, digestSize
  • CBC-MAC: encrypt the message in CBC mode and throw away all but last block of ciphertext. don’t forget MD-strengthening and paddding SSL 3.0 MAC (1996) hash(MAC_write_secret + pad_2 + (hash(MAC_write_secret + pad_1 + seq_num + type + length + content))
  • - all usual hash API applies
  • - expand the digest to match the bit-size of n (seed a random generator with the digest and use as many bytes as possible)
  • man-in-the-middle attack small subgroup attack - small order g ss is in that subgroup, if the group is small enough, it can be searched for solution: safe primes p = 2q + 1; q prime optimization - using smaller, but sufficiently large subgroups: p = Nq + 1; q prime (> 160b); N suitably large integer find g of order q (mod p), thus g > 1 and g^q=1 (mod p) then any r^e = r^(e mod q) (mod p), for any r from the subgroup. consequently 1 < x < q always check that received value belongs to the subgroup, i.e. 1 < r < p and r^q = 1
  • ×