9. Getting better at crypto
A cipher is “strong” until the smartest minds in the world can get “close” to breaking it.
1945: Claude S., “A Mathematical Theory of Cryptography”, aka the “starting point of modern crypto”.
All practical ciphers are “breakable”.
Contains foundations of mathematical cryptanalysis.
We can obtain mathematical proofs of certain levels of cryptographic security.
29. What if someone in the middle changes my message in transit?
30. Enter the cryptographic hash function
One-way function.
Arbitrary length input; fixed length output.
hash(M1) = digest1
hash(M2) = digest2
Hard to convert digest1 back to M1.
Hard to find an My that has the same digest as Mx. (collision)
“Work horse of modern crypto”
FAST!
31. Foundational work done in the 1970s by Ralph Merkle (more on him later), et al.
You’ll see Ronald Rivest’s name pop up again as well.
32. Keyed-Hash Message Authentication Code (HMAC)
Provides integrity and authenticity.
HMAC(M, K) = hash(M + K) (it’s actually a bit more complicated, but that’s the gist)
If the recipient of M + HMAC(M, K) has K, then the recipient can verify that M was not modified in transit.
33. MAC then Encrypt. One type of attempt at providing integrity.
Alice and Bob both hold K.
Alice: C = senc(K, M + hmac(K, M))
Bob: M’ + x = sdec(K, C)
Bob: x == hmac(K, M’)? If true, then M’ is legit.
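Added example (Python, not from the slides): the integrity check Bob performs on slide 33, with a standard HMAC-SHA256 in place of the hash(M + K) gist from slide 32. senc/sdec are left out, so only the M + hmac(K, M) step is shown; the key and messages are constructed for the example, and a bare hash is shown beside it to make clear why the key matters.

```python
import hashlib
import hmac

TAG_LEN = 32   # SHA-256 digest length in bytes; fixed regardless of len(M)

def hash_digest(message: bytes) -> bytes:
    """hash(M): arbitrary-length input, fixed-length output (slide 30)."""
    return hashlib.sha256(message).digest()

def tag(key: bytes, message: bytes) -> bytes:
    """hmac(K, M) with SHA-256: the real nested construction, not hash(M + K)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def protect(key: bytes, message: bytes) -> bytes:
    """Alice's side: M + hmac(K, M), the payload that senc(K, ...) would wrap."""
    return message + tag(key, message)

def verify(key: bytes, payload: bytes):
    """Bob's side: split M' + x, recompute hmac(K, M'), accept only on a match.
    Returns M' when legit, None otherwise."""
    if len(payload) < TAG_LEN:
        return None
    m, x = payload[:-TAG_LEN], payload[-TAG_LEN:]
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading bytes of a guessed tag were right.
    if not hmac.compare_digest(x, tag(key, m)):
        return None
    return m

def demo():
    key = b"shared-secret-K (constructed for this example)"
    msg = b"transfer 100 to account 42"
    payload = protect(key, msg)
    accepted = verify(key, payload)              # untouched: M' comes back
    flipped = bytearray(payload)
    flipped[9] ^= 0x01                           # one bit of M changed in transit
    rejected = verify(key, bytes(flipped))       # None: x != hmac(K, M')
    # A bare hash gives no such guarantee: whoever rewrites M just recomputes it.
    forged = b"transfer 999 to account 42"
    forged_payload = forged + hash_digest(forged)
    hash_only_passes = forged_payload[-TAG_LEN:] == hash_digest(forged)
    return accepted, rejected, hash_only_passes
```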
34. How can two remote parties securely share a key?
37. Discrete logarithms with very large numbers are computationally infeasible
Public parameters shared by Alice and Bob: p, g (example: 23, 5)
Alice picks a private a (example: 4); Bob picks a private b (example: 3)
Alice sends x = (g^a) mod p (example: 4)
Bob sends y = (g^b) mod p (example: 10)
Alice: K = (y^a) mod p = (g^(ab)) mod p (example: 18)
Bob: K = (x^b) mod p = (g^(ab)) mod p (example: 18)
c = senc(K, M)
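Added example (Python, not from the slides): the slide 37 exchange carried through with its own numbers (p = 23, g = 5, a = 4, b = 3), then the same arithmetic with a larger prime and constructed secrets. The brute-force discrete log is included to show why the toy modulus is for illustration only; the 127-bit prime is likewise an assumption for the demo, not a group anyone should deploy.

```python
def dh_public(g: int, secret: int, p: int) -> int:
    """x = (g^a) mod p on Alice's side, y = (g^b) mod p on Bob's; sent in the clear."""
    return pow(g, secret, p)

def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """K = (y^a) mod p for Alice, (x^b) mod p for Bob; both equal (g^(ab)) mod p."""
    return pow(peer_public, secret, p)

def slide_example():
    """The slide's numbers: p = 23, g = 5, a = 4, b = 3."""
    p, g, a, b = 23, 5, 4, 3
    x, y = dh_public(g, a, p), dh_public(g, b, p)        # 4, 10
    return x, y, dh_shared(y, a, p), dh_shared(x, b, p)  # (4, 10, 18, 18)

def brute_force_dlog(g: int, target: int, p: int, limit: int = 1_000_000):
    """Recover a from x = (g^a) mod p by trying exponents in order. Instant for
    a toy p like 23; hopeless for a 2048-bit p, which is the slide's point."""
    acc = 1
    for a in range(limit):
        if acc == target:
            return a
        acc = (acc * g) % p
    return None

def eavesdropper_on_toy_params():
    """Spy sees only p, g, x, y. With p = 23 the exponent a falls out at once,
    and with it K, so the tiny slide parameters are for illustration only."""
    p, g = 23, 5
    x, y, k_alice, _ = slide_example()
    a = brute_force_dlog(g, x, p)
    return a, dh_shared(y, a, p) == k_alice               # (4, True)

def larger_modulus():
    """Same arithmetic with p = 2^127 - 1 (a Mersenne prime; still far below the
    2048-bit groups used in practice) and two fixed, constructed secrets."""
    p, g = 2**127 - 1, 3
    a = 0x6D5F3C2A1B098F7E4D2C1A0B
    b = 0x2F3E4D5C6B7A89012345678
    x, y = dh_public(g, a, p), dh_public(g, b, p)
    agree = dh_shared(y, a, p) == dh_shared(x, b, p)
    # 200,000 guesses do not come close; a search of a 2^127-sized space is
    # the "computationally infeasible" of the slide title.
    return agree, brute_force_dlog(g, x, p, limit=200_000) is None   # (True, True)
```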
38. How does Alice know if she’s communicating with Bob, or an imposter?
39. Enter … public key crypto
1976: Ron R., Adi S., Leonard A.
“Discrete logarithms are hard. You know what else is hard? FACTORING LARGE NUMBERS INTO PRIMES! R-S-A!”
41. Public key crypto for confidentiality
Alice holds (KprA, KpbA) and KpbB; Bob holds (KprB, KpbB) and KpbA. Public keys come from a Trusted Source.
Alice: C = penc(KpbB, M)
Bob: M = pdec(KprB, C)
Only Bob can decrypt, because only he has his private key!
47. Public key + symmetric key encryption
Alice holds (KprA, KpbA) and KpbB; Bob holds (KprB, KpbB) and KpbA. Public keys come from a Trusted Source.
Alice: K = genkey()
CK = penc(KpbB, K) (not so slow, since payloads are small)
DS = penc(KprA, hash(K)) (message integrity)
C = senc(K, M + hmac(K, M)) (message integrity; fast for large M)
48-50. We can also use public key crypto to authenticate a Diffie-Hellman key exchange, right?
YES! (not shown)
52. It’s Worldwide. It’s a Web
1989: Tim B-L: “This Internet thing is great! Could it support a system of … documents interconnected w/ hyperlinks? It would be public to everyone. It would be worldwide. It would resemble a spider web!”
53. A couple of guys who didn’t ever do anything
Tim B-L Vint C.
61. Birth of the Secure Sockets Layer Protocol
1995: Taher E. He’s back!
62. Birth of the Secure Sockets Layer Protocol
1995: Taher E., Chief Scientist: “The Web is being used more and more every day by individuals. Corporations and governments have the resources and know-how to protect their data on the Internet. Individuals’ data are being sent in PLAINTEXT! We can use all that crypto from the previous slides for ...”
66. Goals of SSL/TLS (some of them anyway)
● Honor the end-to-end principle
● Confidentiality
● Integrity
● Server authentication
Later goals:
● Client authentication
● Forward secrecy
67. SSL / TLS versions
Protocol | Published | Notes
SSL 1.0 | never | Immediately deemed too insecure.
SSL 2.0 | 1995 | IETF prohibition in 2011.
SSL 3.0 | 1996 | IETF prohibition in June 2015.
TLS 1.0 | 1999 | “SSL 3.1”. Standardized by the IETF. Supports downgrade to SSL 3.0. Deprecated by PCI in June 2018.
TLS 1.1 | 2006 | Added protections against CBC vulnerabilities.
TLS 1.2 | 2008 | Prohibits downgrade to SSL. Mandates use of improved hash functions. Supports enhanced encryption modes.
TLS 1.3 | 2018 | Mandates forward secrecy. Prohibits non-AEAD cipher suites.
68. An Overview of the TLS Protocol
Client and Server: TCP Handshake -> Server Authentication -> Optional Client Authentication -> Cipher Suite Agreement -> Secure Tunnel Established.
Instead of just one symmetric key, the hosts will continually generate new keys.
74. X.509 Certificates
Recipient Certificate:
  Name: Bob
  Public Key: 2k3f98j2f92fjjf2903 …
  Signature: vmew90v33 …
  Signed By: Cert Auth X
Certificate of Certificate Authority, aka “trusted third party”:
  Name: Cert Auth X
  Public Key: 9d3md9s …
  Signature: 1kd09nf …
  Signed By: self
Trusted CAs are pre-configured in browsers and are kept up-to-date over time.
75. Server Authentication
Client -> Server: Hello, I’d like to talk.
Server -> Client: Here’s my signed certificate (+ integrity info).
Client: Verify integrity + signature. Verify signed by trusted party. Verify name. Standard default is: Name == domain name.
Client and Server: Cipher Suite Agreement.
76. Mutual Authentication
Client -> Server: Hello, I’d like to talk.
Server -> Client: Here’s my signed certificate (w/ integrity). Give me yours.
Client: Verify integrity + signature. Verify signature is by trusted party. Verify name.
Client -> Server: Here’s my signed certificate (w/ integrity).
Server: Verify integrity + signature. Verify signature is by trusted party. Verify name.
Client and Server: Cipher Suite Agreement.
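Added example (Python, not from the slides): the client-side checks of slides 74 and 75 over a small certificate model. Signatures use textbook RSA over small constructed primes purely so the block runs stand-alone; the CA name, host names and key sizes are assumptions for the demo, and a real client would additionally check validity dates, revocation and the padded signature scheme (PKCS#1 v1.5 or PSS) the certificate actually uses.

```python
import hashlib

# Textbook RSA over small constructed primes, only so the block runs stand-alone;
# real certificates use 2048-bit keys and padded signatures (PKCS#1 v1.5 / PSS).
def make_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])

def verify_sig(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])

def tbs(name, pub, issuer):
    """The fields the issuer vouches for (X.509's tbsCertificate)."""
    return f"{name}|{pub[0]}|{pub[1]}|{issuer}".encode()

def make_cert(name, pub, issuer, issuer_priv):
    return {"name": name, "pub": pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(name, pub, issuer))}

def verify_chain(leaf, intermediates, trusted_roots, expected_name):
    """Client checks from slide 75: name matches, every signature verifies,
    and the chain ends at a pre-configured trusted CA."""
    if leaf["name"] != expected_name:
        return False
    cert = leaf
    for _ in range(8):                                   # bound the walk
        data = tbs(cert["name"], cert["pub"], cert["issuer"])
        if cert["issuer"] in trusted_roots:              # reached a root
            return verify_sig(trusted_roots[cert["issuer"]], data, cert["sig"])
        issuer = intermediates.get(cert["issuer"])
        if issuer is None or not verify_sig(issuer["pub"], data, cert["sig"]):
            return False
        cert = issuer                                    # walk one level up
    return False

def demo():
    ca_pub, ca_priv = make_keypair(1299709, 15485863)    # "Cert Auth X"
    bob_pub, _ = make_keypair(104729, 999983)            # Bob's key pair
    _, rogue_priv = make_keypair(7919, 9973)             # CA nobody trusts
    roots = {"Cert Auth X": ca_pub}                      # browser trust store
    bob = make_cert("bob.example", bob_pub, "Cert Auth X", ca_priv)
    forged = dict(bob, name="bank.example")              # name edited in transit
    rogue = make_cert("bank.example", bob_pub, "Rogue CA", rogue_priv)
    return (verify_chain(bob, {}, roots, "bob.example"),
            verify_chain(forged, {}, roots, "bank.example"),
            verify_chain(rogue, {}, roots, "bank.example"))
```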
77. Cipher Suites
Per Wikipedia:
TLS_RSA_WITH_NULL_MD5: Key exchange with RSA. RSA provides authentication.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: Key agreement with Diffie-Hellman. Authentication with DSS/DSA.
TLS_DH_anon_WITH_RC4_128_MD5: Key agreement with Diffie-Hellman. Anonymous: no authentication.
78. Cipher Suites
Per Wikipedia:
TLS_RSA_WITH_NULL_MD5: No encryption: no confidentiality.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: Confidentiality encryption with Triple-DES using the CBC mode. EDE means “encrypt-decrypt-encrypt”.
TLS_DH_anon_WITH_RC4_128_MD5: Confidentiality encryption with RC4 with 128-bit keys.
79. Cipher Suites
Per Wikipedia:
TLS_RSA_WITH_NULL_MD5: MD5 as the hash function used in HMAC integrity protection.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: SHA-1 as the hash function used in HMAC integrity protection.
TLS_DH_anon_WITH_RC4_128_MD5: MD5 as the hash function used in HMAC integrity protection.
80. Cipher Suites
Per Wikipedia:
TLS_RSA_WITH_NULL_MD5: Don’t use NULL encryption.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: 3DES in TLS rendered “weak” by CVE-2016-2183 aka “Sweet32”.
TLS_DH_anon_WITH_RC4_128_MD5: RC4 prohibited by IETF in Feb 2015. Also, you probably want server authentication and not anonymity.
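Added example (Python, not from the slides): a parser for the cipher suite naming scheme slides 77-80 walk through, with a findings table built from those slides. It also handles ephemeral (DHE/ECDHE) and TLS 1.3 names, which the slides do not list; the WEAK table and the "no forward secrecy" finding are this example's own summary of the slides, not Wikipedia's text.

```python
# Findings summarise slides 77-80 and 87-90; this table is constructed here.
WEAK = {
    "NULL": "NULL cipher: no encryption, no confidentiality",
    "3DES_EDE_CBC": "3DES in TLS rendered weak by CVE-2016-2183 (Sweet32)",
    "RC4_128": "RC4 prohibited by the IETF in Feb 2015",
    "MD5": "MD5 as the HMAC hash function",
    "anon": "anonymous key agreement: no server authentication",
}
EPHEMERAL = {"DHE", "ECDHE"}   # key exchanges that give forward secrecy

def parse_suite(name: str) -> dict:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into its parts.
    <auth> is omitted when one algorithm does both jobs (TLS_RSA_...).
    The trailing hash is the HMAC hash for CBC/stream suites and the PRF
    hash for AEAD suites such as ..._GCM_SHA256."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[4:]
    if "_WITH_" not in body:                     # TLS 1.3 names carry only
        cipher, _, hsh = body.rpartition("_")    # cipher + hash; key exchange
        return {"kx": "ephemeral", "auth": "certificate", "cipher": cipher,
                "hash": hsh, "forward_secret": True}    # is always ephemeral
    left, right = body.split("_WITH_", 1)
    parts = left.split("_")
    kx, auth = parts[0], (parts[1] if len(parts) > 1 else parts[0])
    cipher, _, hsh = right.rpartition("_")
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": hsh,
            "forward_secret": kx in EPHEMERAL}

def weaknesses(name: str) -> list:
    """Findings a defender would raise for one suite name."""
    s = parse_suite(name)
    found = [WEAK[c] for c in (s["auth"], s["cipher"], s["hash"]) if c in WEAK]
    if not s["forward_secret"]:
        found.append(f"{s['kx']} key exchange: no forward secrecy, a stolen "
                     "server private key decrypts recorded traffic")
    return found

SLIDE_SUITES = ["TLS_RSA_WITH_NULL_MD5", "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
                "TLS_DH_anon_WITH_RC4_128_MD5"]

def audit(names=SLIDE_SUITES) -> dict:
    """Suite name -> list of findings, for every name given."""
    return {n: weaknesses(n) for n in names}
```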
87. A Problem with RSA Key Exchange
Server holds (KprS, KpbS); Client holds KpbS.
Client and Server: TCP handshake. Authentication. Cipher suite agreement.
Client -> Server: Let’s use this symmetric key for fast encryption: C = penc(KpbS, genkey())
Traffic encrypted using symmetric key(s) derived from C.
Mr Spy captures traffic. Later, steals KprS.
Later, with KprS, Spy can decrypt the symmetric key(s), and read ALL the data.
88. We can also use public key crypto to authenticate a Diffie-Hellman key exchange, right?
YES! (not shown)
90. A Problem with RSA Key Exchange
Server holds (KprS, KpbS); Client holds KpbS.
Client and Server: TCP handshake. Authentication.
Client and Server: “Ephemeral” Diffie-Hellman Key Agreement, and remainder of cipher suite agreement.
Traffic encrypted using symmetric key(s) derived from c.
Client and Server: Discard DH values and symmetric keys.
Mr Spy captures traffic. Later, steals KprS.
W/o the private DH values, Spy cannot recover the encryption keys.
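Added example (Python, not from the slides): the record-now, steal-the-key-later scenario of slides 87 and 90, modelled with a static Diffie-Hellman server key (as in the TLS_DH_* suites on slide 77) rather than RSA so the block stays self-contained. The Server class, the 127-bit prime and the generator are assumptions for the demo; in real TLS the long-term key signs the ephemeral values for authentication and never enters the traffic key.

```python
import secrets

P = 2**127 - 1   # Mersenne prime; stand-in for a real 2048-bit DH group
G = 3

class Server:
    """long_term plays the role of KprS, the key Mr Spy steals later. In the
    static variant it is also the DH exponent; in the ephemeral variant each
    handshake draws a fresh exponent that is discarded afterwards (slide 90).
    Real TLS uses the long-term key only to sign y, i.e. for authentication."""
    def __init__(self, ephemeral: bool):
        self.ephemeral = ephemeral
        self.long_term = secrets.randbelow(P - 2) + 1

    def handshake(self, client_x: int):
        b = secrets.randbelow(P - 2) + 1 if self.ephemeral else self.long_term
        y = pow(G, b, P)
        k = pow(client_x, b, P)
        return y, k      # b goes out of scope here: nothing to steal later

def run_session(server: Server):
    """One handshake. Returns the transcript Spy can capture and the traffic key."""
    a = secrets.randbelow(P - 2) + 1              # client exponent, always fresh
    x = pow(G, a, P)
    y, k_server = server.handshake(x)
    k_client = pow(y, a, P)
    assert k_client == k_server                   # both sides hold g^(ab) mod p
    return {"x": x, "y": y}, k_client

def spy_later(transcript: dict, stolen_long_term: int) -> int:
    """Slide 87's attack, after the fact: redo the server's computation with
    the stolen key. Yields the traffic key only if that key was the handshake
    exponent, i.e. only for the static variant."""
    return pow(transcript["x"], stolen_long_term, P)

def demo():
    static, ephemeral = Server(ephemeral=False), Server(ephemeral=True)
    t_static, k_static = run_session(static)
    t_eph, k_eph = run_session(ephemeral)
    readable_static = spy_later(t_static, static.long_term) == k_static   # True
    readable_eph = spy_later(t_eph, ephemeral.long_term) == k_eph         # False
    return readable_static, readable_eph
```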