Cryptography for Smalltalkers 2 - ESUG 2006


Published on

ESUG 2006

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • much slower than secret key encryption: expensive operations (x^y mod z), long keys (1-8K bits) => used for key encryption/exchange, signing elliptic curve crypto (ECC) same ciphers, different number field allows much shorter keys for comparable security => faster heavily patented ( some royalty free licenses for specific purposes (NIST/IETF)
  • Usage: sender uses the *public* key of the recipient to encrypt the message receiver uses her *private* key to decrypt the message encryption does not provide integrity protection!
  • Rivest, Shamir, Adelman can be used for both encryption and digital signatures use small e to optimize encryption/verification Pitfalls: don’t use the same key to encrypt and sign; decrypting c is the same operation as signing c ! not good with small messages; if modular reduction doesn’t occur (good chance with small e), the plaintext can be recovered by simple (non-modular) e-th root computation; => PKCS#1 applies padding in fact any kind of structure in the message seems to facilitate attacks; messages should be protected against that using suitable “encoding”; including padding => use PKCS#1 v2.1 – OAEP padding
  • public key structure: n, e ciphertext size is 512 bits! (depends on the key size) private key structure: n, d p, q: CRT => 3-4 times speed up of decryption.
  • you have to transfer both the encrypted key and the encrypted message
  • allows to establish a shared, secret value over an unprotected communication channel used to establish a secret session key for further communication (DH handshake) doesn’t provide authentication of the parties => doesn’t protect against the man-in-the-middle attack small subgroup attack –small order g the shared secret is in that subgroup, if the group is small enough, it can be searched for the secret => solution: safe primes p = 2q + 1; q prime
  • m – bit size of q => bit size of x (at least twice the size of symmetric key) l – bit size of p => bit size of y - Ephemeral-ephemeral DH - perfect forward secrecy (PFS)
  • Ephemeral-static DH Unlike RSA with DH Bob needs ya to decrypt!
  • a.k.a “message digest” one-way : hard to find the input for given output collision resistant : hard to find two distinct inputs with the same output used a lot in MACs and digital signatures used for file “fingerprints”: md5sum, sha1sum
  • MD-strengthening: with inclusion of the length no encoded input is a prefix of another encoded input MD-stregthening helps a lot but doesn’t completely prevent “length extension” if M2 = M1’ || X => h(M2) = h ( h (M1) || X)) M1’ means, the original M1 message padded as prescribed by the hash function possible fixes: h(h(M), M) – expensive, or h(h(M)) - weaker; MACs usually address the weakness as well
  • derived from MD4 (fixing known MD4 weaknesses) broken in 2004 by Wang, Yin; furher improved by others currently collision in a few hours on common desktop PC
  • higher level API, processes entire input at once both stream and byte array based parameter support
  • also derived from MD4 SHA-0 broken (Wang, Yin, Yu 2004): collisions in 2**69 instead of 2**80 SHA-1 broken (Wang, Yin, Yu 2005): collisions in 2**69 instead of 2**80
  • lower-level API, processes input in arbitrary chunks can get digest value in progress, I.e can continue with updates after a #digest call can clone a digest in progress (#copy) can be queried for #blockSize and #digestSize and current #messageLength can reuse algorithm instances after #reset
  • - bound to the key and to the data being signed (it won’t validate with any other data)
  • digest encoding is to expand the digest to match the bit-size of n destroy any structure that the encoded bytes might have seed a random generator with the digest and use as many bytes as possible
  • based on “discrete logarithm” problem used for signatures only signing: Generate a random per message value k where 0 < k < q (this is known as a nonce ) Calculate r = ( g k mod p ) mod q Calculate s = ( k -1 (SHA-1( m ) + x * r )) mod q Recalculate the signature in the unlikely case that r =0 or s =0 The signature is ( r , s ) verification: Reject the signature if either 0< r <q or 0< s <q is not satisfied. Calculate w = ( s ) -1 mod q Calculate u 1 = (SHA-1( m )* w ) mod q Calculate u 2 = ( r * w ) mod q Calculate v = (( g u 1 * y u 2 ) mod p ) mod q The signature is valid if v = r Note: FIPS-186-2, change notice 1 specifies that L should only assume the value 1024 forthcoming FIPS 186-3 (described, e.g., in SP 800-57) uses SHA-224, SHA-256, SHA-384, and SHA-512 as a hash function, q of size 224, 256, 384, and 512 bits, with L equal to 2048, 3072, 7680, and 15360, respectively.
  • Cryptography for Smalltalkers 2 - ESUG 2006

    1. 1. Cryptography or Smalltalkers 2 Public Key Cryptography Martin Kobetic Cincom Smalltalk Development ESUG 2006
    2. 2. Contents <ul><li>Public Key Algorithms </li></ul><ul><li>Encryption (RSA) </li></ul><ul><li>Key Establishment (RSA, DH) </li></ul><ul><li>Signing </li></ul><ul><ul><li>Hashes (SHA, MD5) </li></ul></ul><ul><ul><li>MACs (HMAC, CBC-MAC) </li></ul></ul><ul><ul><li>Digital Signatures (RSA, DSA) </li></ul></ul>
    3. 3. Public Key Algorithms <ul><li>public and private key </li></ul><ul><ul><li>hard to compute private from the public </li></ul></ul><ul><ul><li>sparse key space => much longer keys </li></ul></ul><ul><li>based on “hard” problems </li></ul><ul><ul><li>factoring, discrete logarithm </li></ul></ul><ul><li>much slower </li></ul><ul><li>RSA, DSA, DH, ElGamal </li></ul><ul><li>elliptic curves: ECDSA, ECDH, … </li></ul>
    4. 4. Encryption <ul><li>provides: </li></ul><ul><ul><li>confidentiality </li></ul></ul><ul><li>symmetric (secret) key ciphers </li></ul><ul><ul><li>same (secret) key => encrypt and decrypt </li></ul></ul><ul><ul><li>DES, AES, RC4 </li></ul></ul><ul><li>asymmetric (public) key ciphers </li></ul><ul><ul><li>public key => encrypt </li></ul></ul><ul><ul><li>private key => decrypt </li></ul></ul><ul><ul><li>RSA,ElGammal </li></ul></ul>
    5. 5. RSA (1977) <ul><li>RSA Security, PKCS #1 </li></ul><ul><ul><li>modulus n = product of 2 large primes p, q </li></ul></ul><ul><ul><li>public: e = relatively prime to (p-1)(q-1) </li></ul></ul><ul><ul><li>private: d = e -1 mod ((p-1)(q-1)) </li></ul></ul><ul><ul><li>C = P e mod n [ P < n ] </li></ul></ul><ul><ul><li>P = C d mod n </li></ul></ul><ul><li>small e => faster encryption </li></ul>
    6. 6. RSA <ul><li>keys := RSAKeyGenerator keySize: 512. </li></ul><ul><li>alice := RSA new publicKey: keys publicKey. </li></ul><ul><li>ctxt := alice encrypt: 'Hello World' asByteArray. </li></ul><ul><li>ctxt asHexString </li></ul><ul><li>bob := RSA new privateKey: keys privateKey. </li></ul><ul><li>(bob decrypt: ctxt) asString </li></ul>
    7. 7. RSA <ul><li>keys := RSAKeyGenerator keySize: 512. </li></ul><ul><li>alice := RSA new publicKey: keys publicKey. </li></ul><ul><li>msg := 'Hello World' asByteArrayEncoding: #utf8. </li></ul><ul><li>msg := alice encrypt: msg. </li></ul><ul><li>bob := RSA new privateKey: keys privateKey. </li></ul><ul><li>msg := bob decrypt: msg. </li></ul><ul><li>msg asStringEncoding: #utf8 </li></ul>
    8. 8. Key Establishment <ul><li>public key too slow for bulk encryption </li></ul><ul><ul><li>public key => secure symmetric key </li></ul></ul><ul><ul><li>symmetric key => bulk encryption </li></ul></ul><ul><li>key exchange (RSA) </li></ul><ul><ul><li>generate one-time symmetric key </li></ul></ul><ul><ul><li>public key => encrypt the symmetric key </li></ul></ul><ul><li>key agreement (DH) </li></ul><ul><ul><li>parties cooperate to generate a shared secret </li></ul></ul>
    9. 9. RSA – Key Exchange <ul><li>key := DSSRandom default byteStream next: 40. </li></ul><ul><li>msg := 'Hello World!' asByteArray. </li></ul><ul><li>msg := (ARC4 key: key) encrypt: msg. </li></ul><ul><li>alice := RSA new publicKey: keys publicKey. </li></ul><ul><li>key := alice encrypt: key. </li></ul><ul><li>bob := RSA new privateKey: keys privateKey. </li></ul><ul><li>key := bob decrypt: key </li></ul><ul><li>((ARC4 key: key) decrypt: msg) asString. </li></ul>
    10. 10. Diffie-Hellman (1976) <ul><li>shared secret over unprotected channel </li></ul><ul><li> txt </li></ul><ul><ul><li>modulus p: large prime (>=512b) order q: large prime (>=160b) generator g: order q mod p private x: random 1 < x < q - 1 public y: g^x mod p public y’: other party’s y = g^x’ (mod p) shared secret: y’^x = y^x’ (mod p) </li></ul></ul>
    11. 11. Diffie-Hellman (interactive) <ul><li>gen := DHParameterGenerator m: 160 l: 512. </li></ul><ul><li>alice := DH p: gen p q: gen q g: gen g. </li></ul><ul><li>ya := alice publicValue. </li></ul><ul><li>bob := DH p: alice p q: alice q g: alice g. </li></ul><ul><li>yb := bob publicValue. </li></ul><ul><li>ss := bob sharedSecretUsing: ya </li></ul><ul><li>ss = (alice sharedSecretUsing: yb) </li></ul>
    12. 12. Diffie-Hellman (offline) <ul><li>bob := DH newFrom: gen. </li></ul><ul><li>yb := bob publicValue. </li></ul><ul><li>alice := DH newFrom: gen. </li></ul><ul><li>ya := alice publicValue. </li></ul><ul><li>ss := (alice sharedSecretUsing: yb) asByteArray. </li></ul><ul><li>msg := 'Hello World!' asByteArray. </li></ul><ul><li>msg := (ARC4 key: ss) encrypt: msg. </li></ul><ul><li>ss := (bob sharedSecretUsing: ya) asByteArray. </li></ul><ul><li>((ARC4 key: ss) decrypt: msg) asString. </li></ul>
    13. 13. Signing <ul><li>Provides: </li></ul><ul><ul><li>integrity (tamper evidence) </li></ul></ul><ul><ul><li>authentication </li></ul></ul><ul><ul><li>non-repudiation </li></ul></ul><ul><li>Hashes (SHA, MD5) </li></ul><ul><li>Digital Signatures (RSA, DSA) </li></ul>
    14. 14. Hash Functions <ul><li>provides: </li></ul><ul><ul><li>data “fingerprinting” </li></ul></ul><ul><li>unlimited input size => fixed output size </li></ul><ul><li>must be: </li></ul><ul><ul><li>one-way : h(m) => m </li></ul></ul><ul><ul><li>collision resistant : m1,m2 => h(m1) = h(m2) </li></ul></ul><ul><li>MD2, MD4, MD5, SHA, RIPE-MD </li></ul>
    15. 15. Hash Functions <ul><li>compression function: </li></ul><ul><li>M = M 1 , M 2 , … </li></ul><ul><li>h i = f(M i , h i-1 ) </li></ul><ul><li>MD-strengthening: </li></ul><ul><ul><li>include message length (in the padding) </li></ul></ul><ul><ul><li>doesn’t completely prevent “length extension” </li></ul></ul>
    16. 16. MD5 (1992) <ul><li> txt (Ron Rivest) </li></ul><ul><ul><li>digest: 128-bits (16B) </li></ul></ul><ul><ul><li>block: 512-bits (64B) </li></ul></ul><ul><ul><li>padding: M | 10...0 | length (64bits) </li></ul></ul><ul><li>broken in 2004, avoid MD5! </li></ul>
    17. 17. MD5 <ul><li>(MD5 hash: 'Hello' asByteArray) asHexString </li></ul><ul><li>(MD5 hash: #[1 2 3 4 5] from: 2 to: 4) asHexString </li></ul><ul><li>input := #[1 2 3 4 5 6 7 8 9] readStream. </li></ul><ul><li>(MD5 hashNext: 3 from: input) asHexString </li></ul><ul><li>(MD5 hashFrom: input) asHexString </li></ul>
    18. 18. SHA (1993) <ul><li>SHS - NIST FIPS PUB 180 </li></ul><ul><ul><li>digest: 160 bits (20B) </li></ul></ul><ul><ul><li>block: 512 bits (64B) </li></ul></ul><ul><ul><li>padding: M | 10...0 | length (64bits) </li></ul></ul><ul><li>FIPS 180-1: SHA-1 (1995) </li></ul><ul><li>FIPS 180-2: SHA-256, 384, 512 (2002) </li></ul><ul><li>SHA-1 broken in 2005! </li></ul>
    19. 19. SHA <ul><li>input := 'Hello World!' asByteArray readStream. </li></ul><ul><li>sha := SHA new. </li></ul><ul><li>sha updateWithNext: 5 from: input. </li></ul><ul><li>sha digest asHexString. </li></ul><ul><li>sha updateFrom: input. </li></ul><ul><li>sha digest asHexString. </li></ul><ul><li>input reset. </li></ul><ul><li>(SHA256 hashFrom: input) asHexString. </li></ul>
    20. 20. Digital Signatures <ul><li>authentic, non-reusable, unalterable </li></ul><ul><li>signing </li></ul><ul><ul><li>uses the private key </li></ul></ul><ul><ul><li>message, key => signature </li></ul></ul><ul><li>verification </li></ul><ul><ul><li>uses the public key </li></ul></ul><ul><ul><li>message, key, signature => true/false </li></ul></ul>
    21. 21. RSA <ul><li>signing: hash the plaintext encode digest encrypt digest with private key </li></ul><ul><li>verifying: </li></ul><ul><li>decrypt digest with public key decode digest hash the plaintext compare the digests </li></ul>
    22. 22. RSA <ul><li>alice := RSA new privateKey: keys privateKey. </li></ul><ul><li>msg := 'Hello World' asByteArray. </li></ul><ul><li>sig := alice sign: msg. </li></ul><ul><li>sig asHexString </li></ul><ul><li>bob := RSA new publicKey: keys publicKey. </li></ul><ul><li>bob verify: sig of: msg </li></ul>
    23. 23. DSA (1994) <ul><li>NIST FIPS PUB 186 </li></ul><ul><ul><li>p prime (modulus): (512 + k*64 <= 1024) </li></ul></ul><ul><ul><li>q prime factor of p – 1 (160 bits) </li></ul></ul><ul><ul><li>g > 1; g^q mod p = 1 (g has order q mod p) </li></ul></ul><ul><ul><li>x < q (private key) </li></ul></ul><ul><ul><li>y = g^x mod p (public key) </li></ul></ul><ul><li>FIPS 186-1 (1998): RSA(X9.31) </li></ul><ul><li>FIPS 186-2 (2001): ECDSA(X9.62) </li></ul><ul><li>FIPS 186-3 (?2006): bigger keys up to 15K bits </li></ul>
    24. 24. DSA <ul><li>keys := DSAKeyGenerator keySize: 512. </li></ul><ul><li>alice := DSA new privateKey: keys privateKey. </li></ul><ul><li>sig := alice sign: 'Hello World' asByteArray </li></ul><ul><li>bob := DSA new publicKey: keys publicKey. </li></ul><ul><li>bob verify: sig of: 'Hello World' asByteArray </li></ul>
    25. 25. Books <ul><li>[1] Anderson: Security Engineering </li></ul><ul><li>[2] Ferguson, Schneier: Practical Cryptography </li></ul><ul><li>[3] Kahn: The Codebreakers </li></ul><ul><li>[4] Menezes, van Oorschot, Vanstone: Handbook of Applied Cryptography </li></ul><ul><li>[5] Schneier: Applied Cryptography </li></ul>