Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

ENEI 2014 - Cryptography

2,140 views

Published on

A brief introduction to cryptography and its mechanisms (eg. Ciphers, Smart Cards, etc..) , where it is found and why it is useful. Presented at ENEI 2014 in Aveiro.

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

ENEI 2014 - Cryptography

  1. 1. Cryptography João Paulo Barraca <jpbarraca@ua.pt> ENEI 2014 - Aveiro
  2. 2. Privacy Restrict information to a limited number of entities Privacy State of being free from being observed Flickr, valpearl/5103209989
  3. 3. Security • The state of being free from danger or threat Security The state of being free from danger or threat Flickr, juanktru/3503494338
  4. 4. Cryptography Write something in a covert way Greek: Kryptós (Hidden), graphein (Write) ! Similar to Steganography Cryptography Flickr, delgrossodotcom/3211643440
  5. 5. Cryptography key = ‘qwerty’ text = ‘Meet with Alex at 13:05’ Base64( AES-128-ECB(key, text) ) U2FsdGVkX1/ Q7MhqgxAWF5YU57uZRzDfCDuJa6k0u QW9CZvB22svyiE/WdxKXid3
  6. 6. Cryptography key = ‘qwerty’ text = ‘Meet with Alex at 13:05’ Base64( AES-128-ECB(key, text) ) U2FsdGVkX1/ Q7MhqgxAWF5YU57uZRzDfCDuJa6k0u QW9CZvB22svyiE/WdxKXid3 Output seems to be random
  7. 7. Steganography ! text = ‘Meet with Alex at 13:05’ method = encode Least Significant Bit (00000001)
  8. 8. Steganography ! text = ‘Meet with Alex at 13:05’ method = encode Least Significant Bit (00000001) Covert Channel
  9. 9. Steganography ! text = ‘Meet with Alex at 13:05’ method = encode Least Significant Bit (00000001) Output seems to be unmodified
  10. 10. Cryptography Uses Increase Security 2 - Assure origin of information (Authentication) 1 - Condition access to information (Privacy)
  11. 11. Ancient Times • Simple ciphers • Transposition: change symbol order • Substitution: replace symbols • Transmit encoded messages • Military, Political partners, Private conversations Flickr, stuckincustoms/189321498
  12. 12. Scytale Flickr, templar-revenged/12468322164 ! Transposition Cipher ! Used by Greeks and Spartans
  13. 13. Caesar Cipher ! ! E -> B N -> K E -> B I -> F Substitution Cipher
  14. 14. Stallings, W. Cryptography and Internet Security: Principles and Practices. Upper Saddle River: Prentice, 1999.
  15. 15. XIX, XX centuries More complex ciphers Using electro- mechanical devices Integration with communication lines (telegraph) Flickr, elsie/3916831047
  16. 16. Enigma Transposition Cipher Flickr, timg_vancouver/200625463
  17. 17. Flickr, brewbooks/3317243295
  18. 18. Lorenz Vernan Cipher (substitution)
  19. 19. Modern Times: > 1970 • Even more complex ciphers ! • Based on mathematical models • Applied by computers • Impossible to solve by hand! ! • Mostly use substitution algorithms
  20. 20. Symmetric Crypto • Single key to cipher and decipher • Key sets state of cipher algorithm Text Cipher Algorithm Cryptogram Key Cipher Algorithm Text Key ???
  21. 21. Stream Ciphers • Key sets cipher state • Cipher produces random sequence • Sequence is XORed with data
  22. 22. Stream Ciphers Text Cipher Algorithm Key Cipher Algorithm Key ??? ++ Cryptogram Text Key Stream Key Stream
  23. 23. Stream Ciphers • 1 byte encoded (XOR) at a time • Very fast! • Good for communications! • Size of input equals size of output • Typical Key Sizes: >128 bits
  24. 24. Stream Ciphers • A5 - Mobile Phone Communications • RC4 - Wifi WEP, Internet HTTPS
  25. 25. • O Original Text
  26. 26. Cryptogram seems to be random
  27. 27. Block Ciphers • Input processed in blocks • Block size related to key size ! • Output is multiple of block size • Typical sizes: 64bits, 128bits, 192bits, 256bits
  28. 28. Block Ciphers • Cipher algorithm does substitutions and permutations • Key defines how • Typical algorithms: AES, Blowfish, 3DES…
  29. 29. Block Ciphers CipherKey Decipher Key ??? Cryptogram Cryptogram
  30. 30. Cryptogram doesn’t seems to be random
  31. 31. Block Ciphers • Blocks with same content will result in same output • … because blocks are ciphered individually • …. no feedback mechanism
  32. 32. Cipher Modes • Aditional Cipher Modes destroy patterns • eg, Cipher-block chaining (CBC) CipherKey Block 1 Cryptogram CipherKey Cryptogram Block 2 + +IV
  33. 33. Asymmetric Crypto • Uses a pair of keys: • Public Key: every one may have it • Private Key: never should be disclosed • One key can do the oposite of the other
  34. 34. Confidentiality CipherPublic Key Decipher ??? Cryptogram Cryptogram Private Key
  35. 35. Authentication CipherPrivate Key Decipher ??? Cryptogram Cryptogram Public Key
  36. 36. Who uses cryptography? Should I (You) use? Flickr, icedsoul/3194511482
  37. 37. Spies Flickr, dunechaser/2630433944
  38. 38. Military Flickr, lord_dane/4809995767
  39. 39. … and every one else
  40. 40. Cryptography It’s a building block of our society Flickr, nickobec/359440072
  41. 41. Enforces Security • Cipher: Restricts access to Information • Only holder of KEY can decipher cryptogram ! • Authentication: Restricts access to Actions • KEY asserts identity of its holder Flickr, adulau/7712545428
  42. 42. In other words… • You really know with whom you are sharing information • Entities are Authenticated • Mechanisms really restrict who accesses information • Data is private Flickr, adulau/7712545428
  43. 43. Wifi • Restrict Access to authorised users • eg, Your friends • Make traffic confidential • Wireless signals travel a long distance Flickr, _miki/3425273296
  44. 44. Wifi • Shared key (Password) provided by user is converted into key • All traffic is ciphered • Only key holders are authorised to associate • Prevents eavesdropping and usage
  45. 45. Wifi • WEP: RC4 (Stream Cipher, weak) • Uses 24bits IV (‘random’) + 104bit Key • WPA/WPA2: AES/CCMP (Block Ciphers) • 128bit, per packet key • 802.1x: Extensible Authentication Protocol (EAP)
  46. 46. Mobile Phones Identify user Identify sim card (client) Identify terminal Make all traffic confidencial Flickr, 26311710@N02/3235380837
  47. 47. Mobile Phones • SIM card is protected by PIN • Contains algorithms for authentication • Contains Keys shared with Service Provider • Terminal contains identifier (IMEI) • Traffic is ciphered
  48. 48. Secure Sockets Layer (SSL) • Protect traffic over communication networks • Authenticate endpoints • Make traffic confidential
  49. 49. Secure Sockets Layer (SSL) • Extensively used in the Internet • HTTPS, IMAPS, POP3S, XMPP, etc.. • Based on Certificates and Asymmetric Cryptography • Established tunnel before actual data
  50. 50. Secure Sockets Layer (SSL) • Server has Certificated issued by Trusted CA • Client has temporary keys or trusted certificate • Single (Server) or Mutual authentication • All traffic is confidential
  51. 51. Identification • Identify citizen / user • Stronger method than visual ones • Enable authentication over the Internet • eg, web pages, emails, digital documents
  52. 52. Identification • Smart Card protected by PIN codes • Certificate issued by State • Private Key that can be used for signing • Card is secure against tampering • Private Key never leaves Smart Card
  53. 53. Identification I'm Maria Prove It! Random_number Sure! Sign(Random_number), CertVerify Certificate Verify Signature Request Card to Sign Hello Maria!
  54. 54. Information Confidentiality • Most systems provide Software ciphered storage • FileVault, BitLocker, TrueCrypt • Devices also support ciphered storage • Self Encrypting Drives Seagate
  55. 55. Attacking Cryptographic Systems
  56. 56. Direct Attacks • Analyse cryptographic algorithms • Find weaknesses in its components • Require serious mathematical skills ! • Frequent contests to elect the best algorithm • ex: 3DES, AES, SHA
  57. 57. Direct Attacks • Brute force • Try every possible combination • Example: RSA 2048 • Time required: ~6.4 quadrillion years • Universe age: 13.2 billion years http://www.digicert.com/TimeTravel/math.htm ECRYPT II
  58. 58. Direct Attacks • Brute force • Try every possible combination • Example: RSA 2048 • Time required: ~6.4 quadrillion years • Universe age: 13.2 billion years http://www.digicert.com/TimeTravel/math.htm Considering evolution in computer capacity RSA 2048 secure until 2030 ! Source, ECRYPT II
  59. 59. Direct Attacks • Brute force • Try every possible combination • Example: RSA 2048 • Time required: ~6.4 quadrillion years • Universe age: 13.2 billion years http://www.digicert.com/TimeTravel/math.htm If aiming at a user created password, results should be ready soon
  60. 60. Indirect Attacks • Obtain information indirectly • Algorithm is not broken • Implementation is broken • Implementation leaks information • User is the frequent target
  61. 61. Human Behaviour
  62. 62. Human Behaviour
  63. 63. Power Leakage Consumption when Key bit is 0 Consumption when Key bit is 1 Wikimedia Foundation
  64. 64. Sound Leakage Daniel et al
  65. 65. Implementation Errors • Heartbleed bug in openssl 1.0.1-1.0.1f • Allows extracting 64Kbytes from server memory • Affects all systems using SSL
  66. 66. Implementation Errors ... if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; … Apple “GOTO” bug, 2014
  67. 67. Thanks

×