Generating keys for symmetric ciphers (randomness)

Cipher modes

Using symmetric ciphers for authentication

Password management


- 1. Stephen Kleene
- 2. Engineering Cryptographic Applications Day 2: Using (and Misusing) Symmetric Ciphers David Evans University of Virginia www.cs.virginia.edu/evans Microstrategy Course 11 October 2013
- 3. Recap: Symmetric Encryption. Diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext. Correctness property: for all possible messages m, D(E(m)) = m. Security property: given c = E(m), it is “hard” to learn anything interesting about m. “hard” = if correctly implemented and used, even the NSA can’t do it unless they have made dozens of theoretical breakthroughs or have energy comparable to trillions of massive nuclear explosions. evans@virginia.edu Engineering Crypto Applications 2
- 4–5. Today: Using Symmetric Encryption (same diagram: Plaintext → AES (Key) → Ciphertext → Insecure Channel → AES (Key) → Plaintext). 1. How to generate a good (unpredictable) key: randomness. 2. How to use symmetric encryption to do more interesting things than just send one block: building an encrypted file server.
- 6. Generating Randomness
- 7–8. Which is random? Two columns of 13-bit rows. Column A: 0101100001111, 0110000111011, 1010000000011, 1011000000011, 1011011001011, 1110011011110, 0100000111000, 0001110111000, 0000111010100, 1000101000001. Column B: 0101101001101, 0110000111011, 1010100010011, 1011000100011, 1011011001011, 0110011011010, 0100100111001, 0001110111001, 0000111010100, 1000101010001. Answer: Column A is C1 from the Puzzle Challenge (message generated with Crypto.Random); Column B is C1 with every run of 5 or more repeated symbols modified. The long runs that make A look “less random” are exactly what a genuinely random source produces.
- 9–10. Which is random? Two bitmap images: random.org (atmospheric noise) versus PHP rand() (on Windows), whose output shows visible stripes. Which should you use to generate cryptographic keys? Source of images: http://boallen.com/random-numbers.html
- 11. Defining Non-Randomness. If you can find any predictable patterns in the sequence, it is definitely not random. Compare Supreme Court Justice Potter Stewart (on pornography): “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it, and the motion picture involved in this case is not that.”
- 12. Defining Randomness. Andrey Kolmogorov (1903–1987): “He was to probability theory what Euclid was to geometry.” (Peter Lax). For a sequence s, its Kolmogorov complexity K(s) = the length of the shortest description of s. A sequence s is random if K(s) ≈ |s| + C, i.e. no description is shorter than writing s out literally. (This is a somewhat informal version; a real definition would need to be more careful about stating this asymptotically.)
- 13–15. Kolmogorov Complexities. s = 000000000000000…; description = “N repeated 0s”, so K(s) = log |s| + C₁ < |s| + C: s is not random. t = 010011000111000011110000011111…; description = a short program that emits i zeros followed by i ones for i = 1, 2, …, N:

```
t = "";
for (i = 1; i < N; i++) {
    for (j = 0; j < i; j++) t += '0';
    for (j = 0; j < i; j++) t += '1';
}
```

K(t) = log |t| + C₂ < |t| + C: t is not random either.
- 16. Kolmogorov Complexities. r = 010110000111101100001110111010000000011101100000001110110110010111110011011110010000011100000011101110000000111010100100010100000101000010011101110111111110011000101… Description = the program below plus the state of the random module (and any entropy added during generation):

```python
from Crypto.Random import random

def random_sequence(n):
    return [random.choice([0, 1]) for _ in range(n)]
```

Hmmm… maybe the answer from the earlier slide was wrong!
- 17–18. If your mind isn’t blown yet… What is the smallest natural number that cannot be described in eleven words? Count the words: “The(1) smallest(2) natural(3) number(4) that(5) cannot(6) be(7) described(8) in(9) eleven(10) words(11).” The question itself describes that number in eleven words.
- 19. Randomness is Essential. Kolmogorov provides a definition of randomness but not a “useful” one: computing K(s) for an arbitrary s is undecidable (not just hard, theoretically impossible). It is impossible for a program to generate true randomness: the program is itself a description of everything it outputs, so any output sequence longer than the program has K(s) < |s| and is therefore not random. There are physical sources of randomness (or near randomness): quantum events, radioactive decay, thermal noise, lava lamps, key presses.
- 20. Amplifying Physical Randomness. Pseudo-random number generator: k = f(physical randomness); output block i = AES_k(i) for i = 0, 1, 2, 3, …. Every once in a while, compute a new k using new physical randomness.
- 21. NIST SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators (2006)
- 22. Dual-EC PRNG. s₀ = physical randomness. P and Q are points on an elliptic curve; φ(point) = the x-coordinate of the point. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q); the output is r_i with its 16 most significant bits discarded (the remaining 240 of the 256 bits).
- 23–25. Elliptic Curves. y² = x³ − 7 (mod p). Discrete values: x and y are integers! Addition: P + Q = the negation (reflection across the x-axis) of the third point where the line through P and Q intersects the curve. Multiplication: repeated addition, kP = P + P + … + P. Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP. Elliptic curves are primarily used in asymmetric crypto, but also in the Dual EC PRNG.
- 26. Curve Used by Dual-EC PRNG: NIST P-256, y² = x³ + ax + b (mod p), with p = 2²⁵⁶ − 2²²⁴ + 2¹⁹² + 2⁹⁶ − 1, a = p − 3 = 115792089210356248762697446949407573530086143415290314195533631308867097853948, b = 41058363725152142129326129780047268409114441015993725554835256314039467401291. Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
- 27. Why would anyone use elliptic curves as the basis for a PRNG? It is easier to plant a back-door in it than in designs based on symmetric ciphers. It can be used to provide provable security properties based on number theory, but that was not done for the Dual EC PRNG.
- 28. Dual-EC PRNG, proposed as a NIST standard (2005). s₀ = randomness; P and Q are (random?) points on P-256. Update internal state: s_{i+1} = φ(s_i P). Generate output bits: r_i = φ(s_i Q), output with its 16 most significant bits discarded.
- 29. OpenSSL-FIPS implementation (using the NIST P and Q values). Image credit: Matthew Green.
- 30. “Rump session” talk at CRYPTO 2007: you can choose Q such that Q = dP; then it is easy to find e such that P = eQ (e = d⁻¹ modulo the order of P), and then it is easy to learn the state of the PRNG from just one output (after guessing the 16 discarded bits)!
- 31. Shumow and Ferguson’s conclusion: (image of their slide)
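The trapdoor on slides 28–31, carried through on a toy curve. This is an added example, not code from the lecture: the curve y² = x³ − 3x + 5 over p = 10007, the seed 4242 and the choice to drop 2 of the 14 x-coordinate bits are all constructed so that every step can be brute-forced and checked; real Dual EC works on P-256 and drops 16 of 256 bits, so the attacker has 2¹⁶ candidates to try instead of 3. The “designer” keeps e = d⁻¹ mod ord(P) with Q = dP; anyone holding e lifts one truncated output back to the point s₀Q, multiplies by e to get s₀P, and reads off the next internal state.

```python
from math import gcd

# Toy curve y^2 = x^3 + a*x + b over GF(p). The shape copies P-256 (a = p - 3) but p is
# tiny so every step can be brute-forced; the parameters are constructed for this demo.
p = 10007          # prime with p % 4 == 3, so square roots are a single pow()
a = p - 3
b = 5

def ec_add(P1, P2):
    """Point addition on the curve; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                         # P + (-P), including doubling a point with y = 0
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P1):
    """k*P1 by double-and-add (repeated addition, as on the slides)."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return acc

def point_order(P1):
    """Smallest n > 0 with n*P1 = infinity, by brute force (fine at this size)."""
    n, acc = 1, P1
    while acc is not None:
        acc = ec_add(acc, P1)
        n += 1
    return n

def lift_x(x):
    """Some point (x, y) on the curve with this x-coordinate, or None if there is none."""
    rhs = (x * x * x + a * x + b) % p
    if rhs == 0:
        return (x, 0)
    if pow(rhs, (p - 1) // 2, p) != 1:      # Euler's criterion: rhs must be a square
        return None
    return (x, pow(rhs, (p + 1) // 4, p))

def xcoord(pt):
    return 0 if pt is None else pt[0]

TRUNC_BITS = 12    # output only the low 12 bits of x (p < 2^14, so 2 bits are dropped;
                   # real Dual EC drops 16 of 256 bits, leaving 2^16 guesses instead of 3)

def truncate(x):
    return x & ((1 << TRUNC_BITS) - 1)

def dual_ec(seed, P, Q, nout):
    """Toy Dual EC: r_i = truncate(x(s_i Q)) is output, s_{i+1} = x(s_i P) is the next state.
    Returns the outputs and the internal states s_0 .. s_{nout-1} (the latter only for checking)."""
    s, outs, states = seed, [], []
    for _ in range(nout):
        states.append(s)
        outs.append(truncate(xcoord(ec_mul(s, Q))))
        s = xcoord(ec_mul(s, P))
    return outs, states

def backdoored_setup(d_start=97):
    """The designer picks P, then Q = d*P, and keeps e = d^-1 mod ord(P) so that P = e*Q."""
    for x in range(1, p):
        P = lift_x(x)
        if P is not None and point_order(P) > 100:    # skip the rare points of tiny order
            break
    n = point_order(P)
    d = next(k for k in range(d_start, n) if gcd(k, n) == 1)
    return P, ec_mul(d, P), pow(d, -1, n)

def backdoor_recover(outs, e, P, Q):
    """Given the outputs and the trapdoor e, return candidate values of s_1 (the state after
    the first output). Each candidate is checked against the remaining outputs."""
    cands = []
    for hi in range(0, p, 1 << TRUNC_BITS):          # guess the dropped top bits of x(s_0 Q)
        x = hi | outs[0]
        if x >= p:
            continue
        R = lift_x(x)                                # R = +/-(s_0 Q); the sign does not matter
        if R is None:
            continue
        s1 = xcoord(ec_mul(e, R))                    # e*(s_0 Q) = s_0*(e Q) = s_0 P, whose x is s_1
        if dual_ec(s1, P, Q, len(outs) - 1)[0] == outs[1:]:
            cands.append(s1)
    return cands

if __name__ == "__main__":
    P, Q, e = backdoored_setup()
    outs, states = dual_ec(4242, P, Q, 4)           # 4242: constructed seed
    print("outputs:", outs)
    print("true s_1:", states[1], "recovered:", backdoor_recover(outs, e, P, Q))
```

Without e the attacker faces the elliptic curve discrete logarithm problem from slide 25; with e, the whole cost is a handful of scalar multiplications per guessed top bits. Nothing in the generator's output distinguishes a curve whose Q was chosen this way from one whose Q was chosen at random, which is why the provenance of the published P-256 Q mattered.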
- 32. Snowden Leak (5 September 2013): 2013 Intelligence Budget Request ($250M) (image of the budget document).
- 33–35. September 2013 (image slides).
- 36. Randomness Summary. All cryptosystems depend on randomness. There is no way to test whether a value is really random. Physical randomness is limited: we need algorithms to amplify physical randomness. If your pseudorandom numbers are predictable, all is (almost always) lost.
- 37. Building an Encrypted File System
- 38. Scenario. Documents about a plan to overthrow the government are stored on an (easily stolen) device. The device is password/biometric-protected (assume that works, for now). The data should not be readable by someone who steals the device and can physically extract its non-volatile (flash) storage.
- 39–40. Electronic Codebook Mode (ECB). Divide declaration.txt into 128-bit blocks: block 1, block 2, …, block n. Encrypt each block independently with k: ciphertext block i = AES_k(block i). If two blocks have the same plaintext, with ECB they have the same ciphertext!
- 41. Block Size: 128 bits = 16 bytes. “Benjamin Frankli” (16 characters) fills exactly one block. Files shown: Almanack, Mail, pennsylvannians.txt, declaration.txt.
- 42. Time-Space Tradeoffs. No-memory brute-force attack: with a known crib and its known ciphertext, try all keys until you find one for which AES_key(crib) fits. Memory: 0. Time: 2¹²⁷ encryptions (1T nuclear mega-bombs).
- 43. No-time (not) brute-force attack: pre-compute a table of AES_key(crib) for every key (000…000 → 7ebc5137da5ff2…, 000…001 → 4d7b9328a582c…, …) and sort it by ciphertext. Break an intercepted ciphertext message with one table lookup! Time: 1. Memory: 2¹³² bytes, ~$2 decillion (10³³).
- 44. Combination: Rainbow Tables. (Won’t quite work like this for AES, but with some more tricks.) Precompute chains: known crib → AES → ciphertext 1 → AES → … → AES → ciphertext 2⁶⁴, and only store the chain endpoints. Time: 2⁶⁴. Memory: 2⁶⁸ bytes (~$137 trillion).
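The chain construction of slide 44, scaled down so it runs in seconds. This is an added example rather than anything from the lecture: the keyspace is 2²⁰ instead of 2¹²⁸, the “cipher” is SHA-256 of the key and the crib truncated to 32 bits (a stand-in for AES_key(crib), constructed here), and the start keys, table size and chain length are arbitrary demo values. The one trick the slide alludes to is the column-dependent reduction function, which is what makes the table a rainbow table rather than a plain Hellman table: chains that collide in different columns do not merge, so far fewer chains are wasted.

```python
import hashlib

KEY_BITS = 20                 # toy keyspace of 2^20 keys (the slides' AES keyspace is 2^128)
N = 1 << KEY_BITS
CRIB = b"Benjamin Frankli"    # the known 16-byte plaintext block from the slides

def encrypt(key):
    """Stand-in for AES_key(crib): SHA-256 of key||crib truncated to 32 bits (constructed, not AES)."""
    digest = hashlib.sha256(key.to_bytes(3, "big") + CRIB).digest()
    return int.from_bytes(digest[:4], "big")

def reduce_ct(ct, col):
    """Reduction function mapping a ciphertext back into the keyspace. It depends on the
    column so that chains which collide in different columns do not merge (the 'rainbow' trick)."""
    return (ct + col) % N

def chain_key(start, col):
    """Key sitting in column col of the chain that begins at start."""
    k = start
    for c in range(col):
        k = reduce_ct(encrypt(k), c)
    return k

def build_table(m, t, seed=0x1234):
    """Precompute m chains of t encryptions each; store only endpoint -> [start keys].
    Total work m*t encryptions, storage m entries (the 2^64 x 2^64 picture on the slide)."""
    table = {}
    for j in range(m):
        start = (seed + j * 7919) % N          # spread-out, deterministic start keys (constructed)
        table.setdefault(chain_key(start, t), []).append(start)
    return table

def lookup(table, t, target_ct):
    """Invert target_ct = encrypt(k) with at most ~t^2/2 encryptions plus chain regeneration."""
    for col in range(t - 1, -1, -1):           # hypothesis: the key sits in column col
        y = reduce_ct(target_ct, col)
        for c in range(col + 1, t):
            y = reduce_ct(encrypt(y), c)        # walk to where that chain would end
        for start in table.get(y, ()):
            k = chain_key(start, col)          # regenerate the chain up to that column
            if encrypt(k) == target_ct:
                return k                       # a false alarm fails this check and we keep going
    return None

def success_rate(table, t, trials=200):
    """Fraction of trial keys recovered: roughly m*t/N minus losses to chain collisions."""
    hits = sum(lookup(table, t, encrypt(k)) is not None for k in range(trials))
    return hits / trials

if __name__ == "__main__":
    M, T = 2000, 50
    table = build_table(M, T)
    print("coverage m*t/N =", M * T / N, "measured:", success_rate(table, T))
```

Any key that lies on a stored chain is recovered deterministically; keys off every chain are not, so the table's success rate is the fraction of the keyspace the chains cover. The slide's cost figures follow the same arithmetic: 2⁶⁴ chains of length 2⁶⁴ cover the space once, cost 2¹²⁸ encryptions to build, 2⁶⁸ bytes to store, and about 2⁶⁴ encryptions per lookup.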
- 45. (Image slide: University of Virginia cs4414, 16 October 2013.)
- 46. NSA Meltdown? “Experts estimate the new center in Utah can store data by the exabyte or zettabyte.” (The actual amount is highly classified.)
- 47–48. Cipher Block Chaining Mode (CBC). Each plaintext block is XORed with the previous ciphertext block before encryption: C₁ = AES_k(IV ⊕ block 1), C_i = AES_k(block i ⊕ C_{i−1}), where the Initialization Vector (IV) stands in for C₀. Avoids leaking repeated plaintexts. Cannot encrypt in parallel, because each block’s input depends on the previous ciphertext block (decryption, which only needs C_{i−1}, can be parallel).
- 49–50. Counter Mode (CTR). The input to AES is Nonce ‖ counter (00000000, 00000001, …), increasing the counter for each block: keystream block i = AES_k(Nonce ‖ counter_i), ciphertext block i = block i ⊕ keystream block i. Avoids leaking repeated plaintexts. Can encrypt and decrypt in parallel. ⁇ Systematic input: the cipher is fed a predictable nonce and counter rather than the data, so security rests entirely on never reusing a (key, nonce) pair; two messages encrypted under the same key and nonce XOR to the XOR of their plaintexts.
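The three modes of slides 39–50, plus the counter-mode PRNG of slide 20 (which is the same construction with the counter as the only input), as one added example that is not code from the lecture. Python’s standard library has no AES, so the AES box is replaced by a constructed toy 128-bit block cipher (an 8-round Feistel network with a SHA-256 round function): it is invertible, which is all the modes need, but it is not a secure cipher and is only there so the block runs offline. The demo key, the two file prefixes and the reseed interval are likewise constructed for the demo.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block, rounds=8):
    """Toy 128-bit block cipher standing in for AES: balanced Feistel network, round function
    SHA-256(key || round || right half). Invertible, but NOT a secure cipher."""
    assert len(block) == BLOCK
    L, R = block[:8], block[8:]
    for r in range(rounds):
        F = hashlib.sha256(key + bytes([r]) + R).digest()[:8]
        L, R = R, xor(L, F)
    return R + L                # final swap: decryption is the same network with reversed rounds

def toy_block_decrypt(key, block, rounds=8):
    assert len(block) == BLOCK
    L, R = block[:8], block[8:]
    for r in reversed(range(rounds)):
        F = hashlib.sha256(key + bytes([r]) + R).digest()[:8]
        L, R = R, xor(L, F)
    return R + L

def blocks(data):
    assert len(data) % BLOCK == 0, "ECB/CBC need whole blocks (pad first)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    """Slide 39: blocks encrypted independently, so equal plaintext blocks give equal ciphertext."""
    return b"".join(toy_block_encrypt(key, blk) for blk in blocks(data))

def cbc_encrypt(key, iv, data):
    """Slide 47: C_i = E_k(P_i xor C_{i-1}), C_0 = IV. Inherently sequential."""
    out, prev = [], iv
    for blk in blocks(data):
        prev = toy_block_encrypt(key, xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_keystream(key, nonce, nblocks, start=0):
    """Slide 49: keystream block i = E_k(nonce || counter_i), 8-byte nonce + 8-byte counter.
    Blocks are independent (parallelisable); with a zero nonce this is exactly the slide-20 PRNG."""
    return b"".join(toy_block_encrypt(key, nonce + (start + i).to_bytes(8, "big"))
                    for i in range(nblocks))

def ctr_crypt(key, nonce, data):
    """Encrypt and decrypt are the same XOR; no padding needed."""
    return xor(data, ctr_keystream(key, nonce, (len(data) + BLOCK - 1) // BLOCK))

class CtrPrng:
    """Slide 20: k = f(physical randomness), output E_k(0), E_k(1), ...; k is replaced after
    reseed_after blocks (the slide's 'every once in a while')."""
    def __init__(self, reseed_after=1024):
        self.reseed_after = reseed_after
        self.reseed()

    def reseed(self):
        self.key = os.urandom(16)       # assumption: os.urandom is the physical-entropy source
        self.counter = 0

    def random_bytes(self, n):
        nblocks = (n + BLOCK - 1) // BLOCK
        if self.counter + nblocks > self.reseed_after:
            self.reseed()
        out = ctr_keystream(self.key, bytes(8), nblocks, start=self.counter)
        self.counter += nblocks
        return out[:n]

# Constructed demo data: two files sharing their first 16-byte block, as on slide 41.
KEY = bytes(range(16))
FILE_A = b"Benjamin Frankli" + b"n, Almanack 1733"
FILE_B = b"Benjamin Frankli" + b"n: Mail to Penn."

def ecb_vs_cbc_first_block():
    """ECB reveals that the files start the same way; CBC with distinct IVs does not."""
    ecb_same = ecb_encrypt(KEY, FILE_A)[:BLOCK] == ecb_encrypt(KEY, FILE_B)[:BLOCK]
    cbc_same = (cbc_encrypt(KEY, bytes(16), FILE_A)[:BLOCK]
                == cbc_encrypt(KEY, bytes([1] * 16), FILE_B)[:BLOCK])
    return ecb_same, cbc_same

def ctr_nonce_reuse_leaks():
    """The 'systematic input' hazard of slide 50: one nonce reused under one key, and the
    keystreams cancel, so C_A xor C_B == P_A xor P_B without knowing the key."""
    nonce = bytes(8)
    return xor(ctr_crypt(KEY, nonce, FILE_A), ctr_crypt(KEY, nonce, FILE_B)) == xor(FILE_A, FILE_B)
```

The CBC comparison only comes out in CBC’s favour because the two files get different IVs; with the same key and IV their first ciphertext blocks would be identical, which is why the IV, like the CTR nonce, must be fresh for every file (and is the thing slide 51 asks where to store).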
- 51. How should our young subversive store the master key k and the (per-file) nonces?
- 52. Storing the Key (?): k is stored encrypted under a human-remembered 4-digit PIN (e.g. 0704): stored = AES_PIN(k).
- 53. Maybe this could work with a tamper-proof device?
- 54. R2B2: a $200 robot that can try all 10000 four-digit PINs in under 20 hours.
- 55. Higher Entropy Passwords: k is stored encrypted under a human-remembered long password (44 bits of entropy).
- 56–57. Scaling Work: repeat the encryption 1000 times, storing k encrypted 1000× under the human-remembered long password (44 bits of entropy). Time for one AES: 10 ms; time for 2⁴⁴ AESs: 5000 years (or 2 days with 1M× computing power). Time for 1000× AES: 10 s; time for 2⁴⁴ of the 1000× AES: 5M years.
- 58. Scaling to a Web Service
- 59. http://epetitions.direct.gov.uk/
- 60. http://petitions.whitehouse.gov
- 61–62. Early Password Schemes. Password file (UserID → Password): benf → flyakite; samadams → beer; tj → Monti07cello04; …. Login: tj, Password: wahoo → “Failed login. Guess again.” Authentication check: guess == users[userID].password. FAIL: someone who gets the password file learns all passwords.
- 63–64. Encrypted Passwords Scheme. Master key K; store passwords encrypted using K (UserID → Password): benf → AES_K(flyakite); samadams → AES_K(beer); tj → AES_K(Monti07cello04); …. Authentication check: AES_K(guess) == users[userID].password. FAIL: someone who gets the password file and K learns all passwords.
- 65. Hashed Passwords Scheme. Store passwords by using them as the key to encrypt 0 (UserID → Password): benf → AES_flyakite(0); samadams → AES_beer(0); tj → AES_Monti07cello04(0); …. Authentication check: AES_guess(0) == users[userID].password.
- 66. Hashed Passwords Scheme (variant). Master key K; store passwords by using them to encrypt K: benf → AES_flyakite(K); samadams → AES_beer(K); tj → AES_Monti07cello04(K); …. Authentication check: AES_guess(K) == users[userID].password. FAIL.
- 67. “If they had consulted with anyone that knows anything about password security, this would not have happened,” said Paul Kocher, president of Cryptography Research, a San Francisco computer security firm.
- 68. 86% of users are dumb (Morris/Thompson 79): single ASCII character 0.5%; two characters 2%; three characters 14%; four alphabetic letters 14%; five same-case letters 21%; six lowercase letters 18%; words in dictionaries or names 15%; other (possibly good passwords) 14%.
- 69. Dictionary Attacks. Seed list: all 1–4 letter words; list of common (dog) names; words from dictionaries (4M words, 20+ languages); phone numbers, dates, etc. Rules for generating passwords: combining words from the seed list; inserting numbers, symbols; replacing “l” with “1”, “ate” with “8”, etc.; anything written in any popular password advice document! http://www.openwall.com/john/
- 70. Aside: My 3-Word Password Advice. Unimportant passwords: use “silly” (protect the service, not the user). Important passwords: write them down (but somewhat obfuscated and in a secure place). If you can memorize it, it is not secure! (Unless you have a well-trained memory.)
- 71. Making Dictionary Attacks Harder, 1: use a more expensive cryptographic hash function. Instead of AES_flyakite(0), store AES_flyakite¹⁰⁰⁰(0) (AES applied 1000 times): benf → AES_flyakite¹⁰⁰⁰(0); samadams → AES_beer¹⁰⁰⁰(0); tj → AES_Monti07cello04¹⁰⁰⁰(0); …. AES × 1000 makes a dictionary attack 1000 times harder.
- 72. Making Dictionary Attacks Harder, 2: add “salt”, a randomly selected (but non-secret) value for each user, and hash it together with the password (UserID, Salt (16 bits), Password): benf, 52455, AES_flyakite¹⁰⁰⁰(52455); samadams, 50757, AES_beer¹⁰⁰⁰(50757); tj, 47101, AES_Monti07cello04¹⁰⁰⁰(47101); …. A 16-bit salt makes a dictionary attack against the whole file 2¹⁶ times harder, because a precomputed table would be needed for every salt value (but it doesn’t make a targeted attack against one user harder).
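Slides 65–72 end-to-end, as an added example that is not code from the lecture: a password file with per-user salts and an iterated hash, the verification check, and the two dictionary attacks side by side so the effect of each defence is visible in the number of hash computations. The slides iterate AES with the password as key; here the standard library’s PBKDF2-HMAC-SHA256 plays that role (a swapped-in construction, not the slides’ own). The users, passwords, 16-bit salt values and the five-word dictionary are constructed from the slides so the run is deterministic; real salts should be 16 random bytes and the iteration count far higher than 1000.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000     # the slides' "repeat 1000 times"; current guidance for PBKDF2 is several
                      # hundred thousand, or a memory-hard KDF such as scrypt or Argon2

def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 in place of the slides' 'AES the password 1000 times' construction."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def new_record(password, salt=None):
    """Store (salt, hash). The salt is random and non-secret; 16 bytes, not the slides' 16 bits."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(record, guess):
    """Constant-time compare so timing does not reveal how many leading bytes matched."""
    return hmac.compare_digest(record["hash"], hash_password(guess, record["salt"]))

# Constructed password file mirroring the slides' users; the salts are the slides' 16-bit
# values, fixed so the demo is deterministic (use new_record(pw) for a random salt).
USERS = {
    "benf": new_record("flyakite", (52455).to_bytes(2, "big")),
    "samadams": new_record("beer", (50757).to_bytes(2, "big")),
    "tj": new_record("Monti07cello04", (47101).to_bytes(2, "big")),
}
WORDLIST = ["beer", "flyakite", "wahoo", "password", "hokie"]     # constructed dictionary

def salted_dictionary_attack(users, wordlist):
    """With per-user salts the attacker pays one full KDF per (user, word) pair.
    Returns the cracked passwords and the number of KDF computations spent."""
    found, kdf_calls = {}, 0
    for uid, rec in users.items():
        for word in wordlist:
            kdf_calls += 1
            if verify(rec, word):
                found[uid] = word
                break
    return found, kdf_calls

def unsalted_dictionary_attack(stored, wordlist):
    """Without salt, hash the wordlist once and look every user up; the same table also
    works against every other unsalted password file ever captured."""
    table = {hash_password(w, b""): w for w in wordlist}       # len(wordlist) KDF calls, once
    return {uid: table[h] for uid, h in stored.items() if h in table}

# What the same three users would look like in an unsalted file (constructed for comparison).
UNSALTED = {uid: hash_password(pw, b"") for uid, pw in
            [("benf", "flyakite"), ("samadams", "beer"), ("tj", "Monti07cello04")]}
```

Against the salted file the attacker's cost is (users × words) KDF calls, and every extra iteration in ITERATIONS multiplies it; against the unsalted file it is (words) KDF calls regardless of how many users or files are attacked, which is the 2¹⁶ factor of slide 72 taken to its modern 2¹²⁸ size. Note that neither defence helps tj's weak neighbours: “beer” falls in one guess either way, which is the slide-73 problem the KDF cannot solve.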
- 73–74. Two Big Problems Remaining. 1. Users are still morons. (Solving this is outside the scope of this class.) GAO Audit of IRS (2005): Auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. “We were able to convince 35 managers and employees to provide us their username and change their password,” the report said.
- 75. Two Big Problems Remaining. 2. Transmitting the password to petitions.gov over an insecure channel. How does TJ know he’s really talking to petitions.gov? How can he establish a secure channel over which to transmit the password?
- 76. Plan for Next Week. Solving these problems using asymmetric cryptography: public key cryptosystems; digital signatures; public key protocols (TLS). Open to requests! MightBeEvil.com/crypto, evans@virginia.edu
