Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Second session in Applied Cryptography course held at AMC Theater in Tyson's Corner (http://www.mightbeevil.com/crypto).

Generating keys for symmetric ciphers (randomness)
Cipher modes
Using symmetric ciphers for authentication
Password management


Engineering Cryptographic Applications: Using (and Misusing) Symmetric Ciphers

Slide 1: Stephen Kleene

Slide 2: Engineering Cryptographic Applications, Day 2: Using (and Misusing) Symmetric Ciphers
David Evans, University of Virginia, www.cs.virginia.edu/evans
Microstrategy Course, 11 October 2013

Slide 3: Recap: Symmetric Encryption
[Figure: Plaintext -> AES (Key) -> Ciphertext -> Insecure Channel -> AES (Key) -> Plaintext]
Correctness property: for all possible messages m, D(E(m)) = m.
Security property: given c = E(m), it is "hard" to learn anything interesting about m.
"hard" = if correctly implemented and used, even the NSA can't do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions.
(Footer on every slide: evans@virginia.edu, Engineering Crypto Applications, slide number.)

Slides 4-5: Today: Using Symmetric Encryption
[Same figure as slide 3]
1. How to generate a good (unpredictable) key: randomness
2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server

Slide 6: Generating Randomness
Slides 7-8: Which is random?
Two sequences shown side by side, 13 bits per row. The left column is C1 from the Puzzle Challenge (message Crypto.Random); the right column is C1 with sequences of 5 or more repeated symbols modified.

  C1 (Crypto.Random)   C1 with long runs modified
  0101100001111        0101101001101
  0110000111011        0110000111011
  1010000000011        1010100010011
  1011000000011        1011000100011
  1011011001011        1011011001011
  1110011011110        0110011011010
  0100000111000        0100100111001
  0001110111000        0001110111001
  0000111010100        0000111010100
  1000101000001        1000101010001

Slides 9-10: Which is random?
[Two bitmap images from http://boallen.com/random-numbers.html: random.org (atmospheric noise) and PHP rand() (on Windows)]
Which should you use to generate cryptographic keys?

Slide 11: Defining Non-Randomness (or pornography)
If you can find any predictable patterns in the sequence, it is definitely not random.
"I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that." Supreme Court Justice Potter Stewart
Slide 12: Defining Randomness
Andrey Kolmogorov (1903-1987). "He was to probability theory what Euclid was to geometry." (Peter Lax)
For a sequence s, its Kolmogorov Complexity K(s) = the length of the shortest description of s.
A sequence s is random if K(s) = |s| + C.
(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)

Slides 13-15: Kolmogorov Complexities
s = 000000000000000…
  description = "N repeated 0s"
  K(s) = log |s| + C1 < |s| + C
t = 010011000111000011110000011111…
  description = the program
    t = "";
    for (int i = 1; i < N; i++) {
        for (int j = 0; j < i; j++) t += '0';
        for (int j = 0; j < i; j++) t += '1';
    }
  K(t) = log |t| + C2 < |t| + C   (the program has fixed size; only N grows with |t|)

Slide 16: Kolmogorov Complexities
r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101…
  description = the program
    from Crypto.Random import random
    def random_sequence(n):
        return [random.choice([0, 1]) for _ in range(n)]
  together with the state of the random module (and any entropy added during generation).
Hmmm… maybe the answer from the earlier slide was wrong! (r is the left-hand column of slide 7, the sequence that came from Crypto.Random.)

Slides 17-18: If your mind isn't blown yet…
What is the smallest natural number that cannot be described in eleven words?
Count the words: The(1) smallest(2) natural(3) number(4) that(5) cannot(6) be(7) described(8) in(9) eleven(10) words(11). That sentence is an eleven-word description of it.

Slide 19: Randomness is Essential
• Kolmogorov provides a definition of randomness but not a "useful" one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible)
• Impossible for a program to generate true randomness: a program can generate a sequence longer than itself, so the program is a description shorter than its output
• There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses
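The practical side of slides 13-19, as an added example (this is not code from the slides): K(s) cannot be computed, but any one concrete description of s is an upper bound on it, and a general-purpose compressor is such a description. The example builds the slide's three sequences (s, t and an r drawn from the OS CSPRNG via `secrets` rather than Crypto.Random), compresses each with zlib, and applies slide 8's "runs of 5 or more" filter. A sequence that compresses well is provably non-random; a sequence that does not compress proves nothing, which is the summary slide's "no way to test if a value is really random".

```python
import secrets
import zlib


def zeros(n: int) -> str:
    """The slide's s: N repeated 0s."""
    return "0" * n


def staircase(n: int) -> str:
    """The slide's t: 0 1 00 11 000 111 ..., cut to n symbols.
    This function is itself a short description of t, so K(t) is small."""
    out = []
    i = 1
    while len(out) < n:
        out.extend("0" * i)
        out.extend("1" * i)
        i += 1
    return "".join(out[:n])


def random_bits(n: int) -> str:
    """The slide's r, drawn from the OS CSPRNG (secrets) instead of Crypto.Random."""
    return "".join(str(secrets.randbelow(2)) for _ in range(n))


def description_length(s: str) -> int:
    """Bytes in one concrete description of s: a zlib stream that a fixed decompressor
    turns back into s. Any such description is an UPPER bound on K(s); nothing can
    certify a lower bound, which is why randomness cannot be tested, only refuted."""
    return len(zlib.compress(s.encode("ascii"), 9))


def has_run(s: str, k: int) -> bool:
    """True if s contains k or more identical consecutive symbols (slide 8's filter)."""
    return ("0" * k) in s or ("1" * k) in s


def compare(n: int = 4096) -> dict:
    """Description-length bounds for the three sequences plus the run test."""
    samples = {"zeros": zeros(n), "staircase": staircase(n), "random": random_bits(n)}
    bounds = {name: description_length(seq) for name, seq in samples.items()}
    # A genuinely random 4096-bit string contains about n/32 runs of length 5, so
    # a sequence with NO such run (slide 8's right-hand column) is the suspicious one.
    bounds["random_has_run_of_5"] = has_run(samples["random"], 5)
    bounds["raw_bits"] = n
    return bounds
```

Expect the zeros to shrink to a few dozen bytes, the staircase to a few hundred, and the random bits to stay near (or above) n/8 bytes: zlib cannot find a description much shorter than the data itself, and neither can anything else with better than negligible probability.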
Slide 20: Amplifying Physical Randomness
Pseudo-Random Number Generator:
  k = f(physical randomness)
  output_i = AES_k(i) for counter i = 0, 1, 2, 3, …
Every once in a while, compute a new k using new physical randomness.

Slide 21: NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
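Slide 20's construction as an added, runnable example (not code from the slides or from SP 800-90): a key k derived from physical randomness, outputs PRF_k(0), PRF_k(1), …, and a periodic reseed. The slide's PRF is AES; HMAC-SHA256 is substituted here so the example needs only the standard library, and `os.urandom` stands in for the physical source. The `state_compromise_demo` function shows the summary slide's last bullet: an attacker who learns k reproduces every output until the next reseed with randomness the attacker cannot see.

```python
import hashlib
import hmac
import os


class CounterPrng:
    """k = f(physical randomness); output_i = PRF_k(i); k replaced from fresh physical
    randomness every reseed_interval blocks. HMAC-SHA256 stands in for AES (substitution)."""

    def __init__(self, physical_randomness: bytes, reseed_interval: int = 1024,
                 entropy_source=os.urandom):
        self.entropy_source = entropy_source      # the "physical randomness" hook
        self.reseed_interval = reseed_interval
        self.key = b""
        self.counter = 0
        self._reseed(physical_randomness)

    def _reseed(self, fresh: bytes) -> None:
        # f(physical randomness): hash the fresh sample together with the old key, so a
        # single weak sample cannot replace the state with a value an attacker knows.
        self.key = hashlib.sha256(self.key + fresh).digest()
        self.counter = 0

    def next_block(self) -> bytes:
        """One output block PRF_k(counter); the counter guarantees inputs never repeat."""
        if self.counter >= self.reseed_interval:
            self._reseed(self.entropy_source(32))
        block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        self.counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self.next_block()
        return out[:n]


def state_compromise_demo() -> dict:
    """If the state k is predictable, every output is (slide 36). The attacker, who
    has a copy of the (constructed) seed, matches the victim block for block until the
    victim reseeds from os.urandom, which the attacker cannot observe."""
    seed = bytes(range(32))                       # constructed seed, NOT physical randomness
    victim = CounterPrng(seed, reseed_interval=4)
    attacker = CounterPrng(seed, reseed_interval=4,
                           entropy_source=lambda n: bytes(n))   # no access to real entropy
    before = [victim.next_block() == attacker.next_block() for _ in range(4)]
    after = victim.next_block() == attacker.next_block()        # 5th block: after reseed
    return {"predicted_before_reseed": all(before), "predicted_after_reseed": after}
```

Two generators seeded identically produce identical streams, which is exactly what makes a leaked or low-entropy seed fatal; the reseed interval bounds how long a compromise lasts, not whether it happens.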
Slide 22: Dual-EC PRNG
P and Q are points on an elliptic curve; φ(point) = the point's x-coordinate.
  s_0 <- physical randomness
  Update internal state: s_{i+1} = φ(s_i P)
  Generate output bits: r_i = φ(s_i Q); the output is r_i's x-coordinate with 16 bits removed (the standard emits the 240 least significant bits)

Slides 23-25: Elliptic Curves
y^2 = x^3 – 7 (mod p). Discrete values: x and y are integers!
Addition: P + Q = the negation (reflection across the x-axis) of the third point where the line through P and Q meets the curve; for P + P use the tangent line at P.
Multiplication is just repeated addition: kP = P + P + … + P.
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
Elliptic curves are primarily used in asymmetric crypto, but also in the Dual-EC PRNG.

Slide 26: Curve Used by Dual-EC PRNG: NIST P-256
y^2 = x^3 + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.

Slide 27: Why would anyone use Elliptic Curves as the basis for a PRNG?
• Easier to plant a back-door in it than in designs based on symmetric ciphers
• Can be used to provide provable security properties based on number theory, but that was not done for Dual-EC PRNG

Slide 28: Dual-EC PRNG, proposed as a NIST standard (2005)
s_0 <- randomness; P and Q are (random?) points on P-256. Update and output exactly as on slide 22.

Slide 29: OpenSSL-FIPS implementation (using the NIST P and Q values). Image credit: Matthew Green.

Slide 30: "Rump session" talk at CRYPTO 2007 (Shumow and Ferguson):
You can choose Q such that Q = dP; then it is easy to find e such that P = eQ (e = d^{-1} mod the order of P), and then it is easy to learn the state of the PRNG from just one output!
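Slide 30's attack carried out end to end, as an added example (not code from the slides or from the Shumow-Ferguson talk). The curve is a constructed toy, y^2 = x^3 + x + 6 over F_11, chosen because its group has prime order 13 and no point with x = 0, so every x-coordinate is a usable non-zero scalar and the toy generator never hits the point at infinity. The generator follows the slide's indexing (s_{i+1} = x(s_i P), r_i = x(s_i Q)) but outputs the whole x-coordinate; the real generator drops 16 bits, which only means the attacker tries up to 2^16 candidate points instead of two. Everything else is the same algebra: the party that chose Q = dP knows e = d^{-1} mod 13, lifts one output r to a point R, and x(eR) = x(s P) is the next internal state.

```python
# Toy curve y^2 = x^3 + x + 6 over F_11 (constructed for this example): 13 points,
# prime order, no point with x = 0, so x-coordinates are always non-zero scalars mod 13.
P_MOD, A, B = 11, 1, 6
INF = None                                   # the point at infinity


def inv(a: int, m: int) -> int:
    return pow(a, -1, m)                     # modular inverse, Python 3.8+


def add(p1, p2):
    """Group law: negate the third intersection of the line through p1 and p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                           # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P_MOD)   # tangent line
    else:
        lam = (y2 - y1) * inv(x2 - x1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, p):
    """kP by double-and-add (the slide's repeated addition)."""
    result, addend = INF, p
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(p) -> int:
    n, q = 1, p
    while q is not INF:
        q, n = add(q, p), n + 1
    return n


def points_with_x(x: int):
    """The (at most two) curve points with this x-coordinate: R and -R."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]


class DualEC:
    """Slide 22: s_{i+1} = x(s_i P), r_i = x(s_i Q). Toy: r_i is output untruncated."""

    def __init__(self, seed: int, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next(self) -> int:
        r = mul(self.s, self.Q)[0]
        self.s = mul(self.s, self.P)[0]
        return r


def backdoored_params(P, d: int):
    """Whoever picks Q = dP also knows e = d^-1 mod ord(P), so P = eQ."""
    Q = mul(d, P)
    e = inv(d, order(P))
    return Q, e


def attacker_predict(r: int, P, Q, e: int, count: int):
    """From one output r = x(sQ): lift r to R (R or -R give the same x below), then
    x(eR) = x(e*s*Q) = x(s*e*d*P) = x(sP) is the NEXT state; all later outputs follow."""
    R = points_with_x(r)[0]
    s_next = mul(e, R)[0]
    clone = DualEC(s_next, P, Q)
    return [clone.next() for _ in range(count)]


def demo(seed: int = 3, d: int = 5, steps: int = 6):
    P = (2, 7)                               # a generator of the 13-point group
    Q, e = backdoored_params(P, d)
    victim = DualEC(seed, P, Q)
    outputs = [victim.next() for _ in range(steps)]
    predicted = attacker_predict(outputs[0], P, Q, e, steps - 1)
    return outputs[1:], predicted            # the attacker's list should equal the victim's
```

Nothing in the generator's code reveals the problem: the only difference between a backdoored and an honest instance is whether anyone knows d for the published Q, which is why the provenance of the NIST P and Q values mattered so much.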
Slide 32: Snowden Leak (5 September 2013): 2013 Intelligence Budget Request ($250M) [image]

Slides 33-35: September 2013 [news images]

Slide 36: Randomness Summary
• All cryptosystems depend on randomness
• No way to test if a value is really random
• Physical randomness is limited: need algorithms to amplify physical randomness
• If your pseudorandom numbers are predictable, all is (almost always) lost
Slide 37: Building an Encrypted File System

Slide 38: Scenario
• Documents about a plan to overthrow the government stored on an (easily-stolen) device
• Password/biometric-protected (assume that works, for now)
Data should not be readable to someone who steals the device and can physically extract its non-volatile (flash) storage.

Slides 39-40: Electronic Codebook Mode (ECB)
Divide declaration.txt into 128-bit blocks (block 1, block 2, …, block n) and encrypt each block with k: ciphertext block i = AES_k(block i).
If two blocks have the same plaintext, with ECB they have the same ciphertext!

Slide 41: Block Size
128 bits = 16 bytes: "Benjamin Frankli" (16 characters)
[Figure: files Almanack, Mail, pennsylvannians.txt, declaration.txt]
Slide 42: Time-Space Tradeoffs
No-memory brute force attack: known crib -> AES -> known ciphertext; try all keys until you find one that fits.
  Memory: 0. Time: 2^127 encryptions (1T nuclear mega-bombs).

Slide 43: Time-Space Tradeoffs
No-time (not) brute force attack: pre-compute a table of AES_key(crib) for every key (000…000 -> 7ebc5137da5ff2…, 000…001 -> 4d7b9328a582c…, …), sorted by ciphertext. Breaking an intercepted ciphertext message takes one table lookup!
  Time: 1. Memory: 2^132 bytes (~$2 decillion (10^33)).

Slide 44: Combination: Rainbow Tables
Precompute chains: known crib -> AES -> ciphertext 1 -> AES -> … -> AES -> ciphertext 2^64, for many chains, and only store the chain endpoints.
  Time: 2^64. Memory: 2^68 bytes (~$137 trillion).
Won't quite work like this for AES, but with some more tricks.

Slide 45: [image; footer: 16 October 2013, University of Virginia cs4414, slide 44]

Slide 46: NSA Meltdown? "Experts estimate the new center in Utah can store data by the exabyte or zettabyte." (Actual amount is highly classified.)
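The tradeoff of slides 42-44 on a toy key space, as an added example (not the slides' code). The "more tricks" are the reduction function, which maps a ciphertext back to a key so that chains can continue, and making that function depend on the chain position, which is what a rainbow table adds to plain Hellman chains so that merged chains can be detected. Assumptions: a 16-bit key space instead of 128, and a keyed hash truncated to 8 bytes (`encrypt`) standing in for AES; the slide's crib "Benjamin Frankli" is the known plaintext. The victim key is chosen from inside the table so the demo is deterministic; for a key chosen at random the lookup succeeds only with the table's coverage probability.

```python
import hashlib

KEY_BITS = 16                                  # toy key space: 2^16 keys (AES: 2^128)
KEYSPACE = 1 << KEY_BITS
CRIB = b"Benjamin Frankli"                     # the 16-byte known plaintext from slide 41


def encrypt(key: int, block: bytes) -> bytes:
    """Stand-in for AES_key(crib): keyed hash truncated to 8 bytes (assumption: not AES)."""
    return hashlib.sha256(key.to_bytes(2, "big") + block).digest()[:8]


def reduce_fn(ct: bytes, column: int) -> int:
    """Map a ciphertext back into the key space. Mixing in the column makes it a
    different function per step: that is what turns Hellman chains into a rainbow table."""
    return (int.from_bytes(ct, "big") + column) % KEYSPACE


def step(key: int, column: int) -> int:
    return reduce_fn(encrypt(key, CRIB), column)


def build_table(m: int, t: int) -> dict:
    """m chains of length t; only endpoint -> start keys is stored: memory ~m, not m*t."""
    table = {}
    for start in range(m):
        k = start
        for column in range(t):
            k = step(k, column)
        table.setdefault(k, []).append(start)  # chains that merge share an endpoint
    return table


def brute_force(target: bytes) -> int:
    """Slide 42: memory 0, time = the whole key space."""
    for k in range(KEYSPACE):
        if encrypt(k, CRIB) == target:
            return k
    raise ValueError("no key produces this ciphertext")


def lookup(table: dict, t: int, target: bytes):
    """Slide 44: about t^2/2 steps instead of 2^KEY_BITS, against ~m stored entries."""
    for column in range(t - 1, -1, -1):
        # Hypothesis: target was produced at this column. Finish the chain from here.
        k = reduce_fn(target, column)
        for c in range(column + 1, t):
            k = step(k, c)
        for start in table.get(k, ()):
            cand = start                       # re-walk the chain up to the hypothesised column
            for c in range(column):
                cand = step(cand, c)
            if encrypt(cand, CRIB) == target:  # rejects false alarms caused by merged chains
                return cand
    return None


def demo(m: int = 2048, t: int = 16) -> dict:
    table = build_table(m, t)
    victim = 5                                 # key at column 7 of chain 5: known to be covered
    for c in range(7):
        victim = step(victim, c)
    target = encrypt(victim, CRIB)
    found = lookup(table, t, target)
    return {"found": found,
            "correct": found is not None and encrypt(found, CRIB) == target,
            "brute_force": brute_force(target),
            "endpoints_stored": len(table),
            "precompute_steps": m * t}
```

The precomputation costs m*t cipher calls once; each later lookup costs about t^2/2, and the table holds only m entries. Pick m*t near the key space and the attack against a known crib is the one on slide 44, with a 2^128 key space being what keeps it at "$137 trillion" rather than at a laptop.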
Slides 47-48: Cipher Block Chaining Mode (CBC)
Ciphertext block 1 = AES_k(Initialization Vector XOR block 1); ciphertext block i = AES_k(ciphertext block i-1 XOR block i).
+ Avoids leaking repeated plaintexts
− Cannot encrypt in parallel

Slides 49-50: Counter Mode (CTR)
Keystream block i = AES_k(Nonce || Counter), with the counter 00000000, 00000001, … increased for each block; ciphertext block i = keystream block i XOR block i.
+ Avoids leaking repeated plaintexts
+ Can encrypt and decrypt in parallel
? Systematic input
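The three modes of slides 39-50 side by side, as an added example (not code from the slides). Assumption: the 128-bit block cipher is a constructed 4-round Feistel network built on SHA-256, standing in for AES only because it is a keyed permutation that the standard library can provide; it is not secure and must not be used for anything. With that in place the mode code is the real thing: `repeated_block_leak` shows slide 40's ECB problem disappearing under CBC and CTR, and `ctr_nonce_reuse` answers slide 50's "systematic input" question: reusing a (key, nonce) pair reuses the keystream, so the XOR of two ciphertexts is the XOR of the two plaintexts.

```python
import hashlib
import os

BLOCK = 16


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed toy 128-bit block cipher (4-round Feistel) standing in for AES.
    Assumption: NOT AES and not secure; it is only a keyed permutation so that the
    modes below behave as they would with a real block cipher."""
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R


def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R


def pad(data: bytes) -> bytes:                  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Slide 39: every block independently, so equal blocks give equal ciphertext."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(pt)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Slide 47: each block is XORed with the previous ciphertext block; sequential."""
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = [], iv
    for c in blocks(body):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Slide 49: keystream = E_k(nonce || counter); the same XOR encrypts and decrypts.
    Parallel and padding-free, but a (key, nonce) pair must never be reused."""
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(xor(b, keystream))
    return b"".join(out)


def repeated_block_leak(key: bytes) -> dict:
    """Two identical plaintext blocks: which mode shows it in the ciphertext?"""
    pt = b"Benjamin Frankli" * 2
    ecb = blocks(ecb_encrypt(key, pt))
    cbc = blocks(cbc_encrypt(key, os.urandom(BLOCK), pt)[BLOCK:])
    ctr = blocks(ctr_crypt(key, os.urandom(8), pt))
    return {"ecb": ecb[0] == ecb[1], "cbc": cbc[0] == cbc[1], "ctr": ctr[0] == ctr[1]}


def ctr_nonce_reuse(key: bytes) -> bool:
    """Slide 50's open question: the inputs are systematic, so reusing a nonce under the
    same key reuses the keystream and c1 XOR c2 == p1 XOR p2 leaks to anyone watching."""
    nonce = bytes(8)
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)
```

For the file system of slide 38 this is the design constraint behind slide 51: CTR is attractive (random access, parallel decryption, no padding), but it turns every per-file nonce into something that must be stored, never repeated under the same key, and never rolled back by restoring an old copy of the file.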
Slide 51: How should our young subversive store the master key k and the (per-file) nonces?

Slide 52: Storing the Key (?)
Human-remembered 4-digit PIN (e.g. 0704) -> AES -> stored encrypted k.

Slide 53: Maybe this could work with a tamper-proof device?

Slide 54: R2B2: $200 robot that can try all 10000 four-digit PINs in < 20 hours

Slide 55: Higher Entropy Passwords
Human-remembered long password (44 bits of entropy) -> AES -> stored encrypted k.

Slides 56-57: Scaling Work
Human-remembered long password (44 bits of entropy) -> AES repeated 1000 times -> stored 1000x-encrypted k.
Time for one AES: 10 ms. Time for 2^44 AESs: 5000 years (or 2 days with 1Mx computing power).
Time for 1000x AES: 10 s. Time for 2^44 1000x AESs: 5M years.
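Slides 52-57 as an added example (not the slides' code): the master key k stored encrypted under a key derived from the PIN or password, R2B2's exhaustive search done in software, and the cost arithmetic of slide 57. Assumptions: PBKDF2-HMAC-SHA256 from the standard library replaces "AES repeated 1000 times" as the way to scale work, the derived key is applied to k by XOR, and an 8-byte check tag is stored beside the wrapped key so that a right guess can be told from a wrong one (a real file system would notice by decrypting a file; the tag is this example's stand-in for that).

```python
import hashlib
import hmac
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_wrapping_key(secret: str, salt: bytes, iterations: int) -> bytes:
    """Slide 56's 'repeat 1000 times', via PBKDF2-HMAC-SHA256 (substitution for iterated AES)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def protect_master_key(k: bytes, secret: str, iterations: int) -> dict:
    """Slides 52/55: store k encrypted under the PIN/password-derived key. The check tag
    is an assumption of this example (not on the slide): it is how a guess is verified."""
    salt = os.urandom(16)
    wrapped = xor(k, derive_wrapping_key(secret, salt, iterations))
    check = hmac.new(k, b"check", hashlib.sha256).digest()[:8]
    return {"salt": salt, "wrapped": wrapped, "check": check, "iterations": iterations}


def try_unlock(blob: dict, guess: str):
    """Returns k for the right secret, None otherwise; costs `iterations` PRF calls per guess."""
    k = xor(blob["wrapped"], derive_wrapping_key(guess, blob["salt"], blob["iterations"]))
    tag = hmac.new(k, b"check", hashlib.sha256).digest()[:8]
    return k if hmac.compare_digest(tag, blob["check"]) else None


def brute_force_pin(blob: dict):
    """R2B2 in software (slide 54): all 10000 four-digit PINs, each at the full iteration cost."""
    for n in range(10000):
        guess = f"{n:04d}"
        if try_unlock(blob, guess) is not None:
            return guess
    return None


def attack_cost_years(entropy_bits: float, iterations: int, seconds_per_prf: float) -> float:
    """Slide 57's arithmetic: every one of 2^entropy secrets, `iterations` PRF calls each."""
    seconds = (2 ** entropy_bits) * iterations * seconds_per_prf
    return seconds / (365.25 * 24 * 3600)
```

With four decimal digits the iteration count only sets how long the robot needs: at 1000 iterations of a 10 ms primitive the whole PIN space still costs 10000 x 10 s, about 28 hours. Iteration multiplies the attacker's work by a constant; only entropy multiplies it by a power of two, which is the point of slide 55 before slide 56.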
Slide 58: Scaling to a Web Service

Slide 59: http://epetitions.direct.gov.uk/ [screenshot]

Slide 60: http://petitions.whitehouse.gov [screenshot]
Slides 61-62: Early Password Schemes
  UserID     Password
  benf       flyakite
  samadams   beer
  tj         Monti07cello04
  …          …
Login: tj, Password: wahoo -> Failed login. Guess again.
Authentication check: guess == users[userID].password
FAIL: someone who gets the password file learns all passwords.

Slides 63-64: Encrypted Passwords Scheme
Master key K; store passwords encrypted using K:
  UserID     Password
  benf       AES_K(flyakite)
  samadams   AES_K(beer)
  tj         AES_K(Monti07cello04)
  …          …
Authentication check: AES_K(guess) == users[userID].password
FAIL: someone who gets the password file and K learns all passwords.

Slide 65: Hashed Passwords Scheme
Store passwords by using them as the key to encrypt 0:
  UserID     Password
  benf       AES_flyakite(0)
  samadams   AES_beer(0)
  tj         AES_Monti07cello04(0)
  …          …
Authentication check: AES_guess(0) == users[userID].password

Slide 66: Hashed Passwords Scheme
Master key K; store passwords by using them to encrypt K:
  UserID     Password
  benf       AES_flyakite(K)
  samadams   AES_beer(K)
  tj         AES_Monti07cello04(K)
  …          …
Authentication check: AES_guess(K) == users[userID].password
FAIL
Slide 67: "If they had consulted with anyone that knows anything about password security, this would not have happened," said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.

Slide 68: 86% of users are dumb (Morris/Thompson 79)
  Single ASCII character            0.5%
  Two characters                    2%
  Three characters                  14%
  Four alphabetic letters           14%
  Five same-case letters            21%
  Six lowercase letters             18%
  Words in dictionaries or names    15%
  Other (possibly good passwords)   14%

Slide 69: Dictionary Attacks (http://www.openwall.com/john/)
Seed list: all 1-4 letter words; list of common (dog) names; words from dictionaries (4M words, 20+ languages); phone numbers, dates, etc.
Rules for generating passwords: combining words from the seed list; inserting numbers, symbols; replacing "l" with "1", "ate" with "8", etc.; anything written in any popular password advice document!

Slide 70: Aside: My 3-Word Password Advice
Unimportant passwords: use "silly" (protect the service, not the user).
Important passwords: write them down (but somewhat obfuscated and in a secure place). If you can memorize it, it is not secure! (unless you have a well-trained memory)

Slide 71: Making Dictionary Attacks Harder
1. Use a more expensive cryptographic hash function:
  UserID     Password               ->  Password
  benf       AES_flyakite(0)        ->  AES_flyakite^1000(0)
  samadams   AES_beer(0)            ->  AES_beer^1000(0)
  tj         AES_Monti07cello04(0)  ->  AES_Monti07cello04^1000(0)
  …          …                          …

Slide 72: Making Dictionary Attacks Harder
2. Add "salt": a randomly selected (but non-secret) value for each user.
  UserID     Salt (16 bits)   Password
  benf       52455            AES_flyakite^1000(52455)
  samadams   50757            AES_beer^1000(50757)
  tj         47101            AES_Monti07cello04^1000(47101)
  …          …                …
AES x 1000 makes a dictionary attack 1000 times harder.
A 16-bit salt makes a dictionary attack 2^16 times harder (but doesn't make a targeted attack against one user harder).
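Slides 65-72 run against the slide's own three users, as an added example (not the slides' code and not John the Ripper's rule set). Assumptions: SHA-256 plays the role of the slide's one-way function AES_pw(0); PBKDF2-HMAC-SHA256 with a per-user 16-byte salt plays the iterated, salted scheme of slide 72 (a 16-byte salt rather than the slide's 16 bits, which is far too small today); the wordlist and mangling rules are constructed in the spirit of slide 69. The two attack functions make the asymmetry concrete: against unsalted hashes the dictionary is hashed once and reused for every user, while against salted, iterated hashes every user costs a fresh pass at the full iteration count.

```python
import hashlib
import hmac
import os

# Constructed wordlist in the spirit of slide 69 (not a real seed list).
WORDLIST = ["beer", "fly", "kite", "flyakite", "wahoo", "password", "monticello",
            "jefferson", "franklin", "adams", "rover", "fido", "virginia"]


def mangle(word: str):
    """Slide 69's rules: case changes, common suffixes, l->1, o->0, ate->8."""
    seen = set()
    bases = [word, word.capitalize(), word.upper(),
             word.replace("l", "1").replace("o", "0").replace("ate", "8")]
    for base in bases:
        for suffix in ("", "1", "123", "!", "2013"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates():
    for word in WORDLIST:
        yield from mangle(word)


def store_unsalted(pw: str) -> bytes:
    """Slide 65: a one-way function of the password alone (SHA-256 here for AES_pw(0))."""
    return hashlib.sha256(pw.encode()).digest()


def store_salted(pw: str, iterations: int, salt: bytes = None) -> tuple:
    """Slide 72: per-user random salt plus an expensive, iterated function."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def check_salted(pw: str, record: tuple, iterations: int) -> bool:
    salt, digest = record
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations), digest)


def attack_unsalted(db: dict) -> dict:
    """One precomputed table serves every user (and every site using the same scheme)."""
    table = {store_unsalted(c): c for c in candidates()}
    return {user: table.get(digest) for user, digest in db.items()}


def attack_salted(db: dict, iterations: int) -> tuple:
    """No shared table: each user costs a full dictionary pass at `iterations` PRF calls a guess."""
    cracked, prf_calls = {}, 0
    for user, record in db.items():
        cracked[user] = None
        for c in candidates():
            prf_calls += iterations
            if check_salted(c, record, iterations):
                cracked[user] = c
                break
    return cracked, prf_calls


def demo(iterations: int = 100) -> dict:
    users = {"benf": "flyakite", "samadams": "beer", "tj": "Monti07cello04"}   # slide 61
    unsalted_db = {u: store_unsalted(p) for u, p in users.items()}
    salted_db = {u: store_salted(p, iterations) for u, p in users.items()}
    cracked_salted, salted_work = attack_salted(salted_db, iterations)
    return {"unsalted": attack_unsalted(unsalted_db),
            "salted": cracked_salted,
            "unsalted_work": len(list(candidates())),   # hashed once, for all users
            "salted_work": salted_work}
```

Both attacks recover benf's and samadams' passwords and neither recovers tj's, which is the slide's real lesson: salt and iteration raise the price of guessing, but a password that is in the dictionary is still found, just more slowly and one user at a time. Note the reversible scheme of slides 63-64 needs no attack code at all; with K the whole table decrypts.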
Slides 73-74: Two Big Problems Remaining
1. Users are still morons. (Solving this is outside the scope of this class.)
"Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. 'We were able to convince 35 managers and employees to provide us their username and change their password,' the report said." GAO Audit of IRS (2005)

Slide 75: Two Big Problems Remaining
2. Transmitting the password to petitions.gov over an insecure channel. How does TJ know he's really talking to petitions.gov? How can he establish a secure channel to transmit the password?

Slide 76: Plan for Next Week
Solving these problems using asymmetric cryptography:
- Public key cryptosystems
- Digital signatures
- Public key protocols (TLS)
Open to requests! MightBeEvil.com/crypto

Slide 77: [closing slide]