
Intro to Cryptography

A talk given at the August meeting of ISSA in Ventura at Cal Lutheran, about applications of cryptography to Internet security.

  1. Intro to Cryptography. Michael Soltys, California State University at Channel Islands, August 20, 2015, v1.1.
     Footer on the slides: Crypto - Michael Soltys, August 10, 2015, v1.1, Introduction - 1/45.
  2. Examples of cryptography in use: WEP, WPA/WPA2; SSL/SSH; PGP/GPG; RSA encryption (a 128-byte ciphertext): BE 89 0E A1 AD FA 7D 58 6A A1 6A E4 3B ED 75 E4 3E F2 19 F7 F3 0F FA D9 EF 62 10 52 7B FC DD 94 96 A8 35 6B 1B 50 60 2E 2E 79 AC 7C 2E A3 81 DE 8D 37 F9 EE 6E 4F 82 C7 E4 12 04 55 AF 57 69 94 8C EF 2E 50 7A 6D 53 0F 5B 5F 62 58 5E CF F2 DF F4 4D CE 71 B6 82 D7 86 E5 4F 77 E4 91 AA E4 BD 5A 65 AA 9E 20 4F 38 5E B4 8B E0 36 45 80 A8 D5 24 5C 46 9D F1 80 C0 6B 62 A5 1F 26 5E AE 17 47; DRM (FairPlay); MD5 (a digest): 5c3079df8a48623f5aa10f0181a7ab03.
  3. We know how to do crypto scientifically, and it is a huge help. But in practice most security problems are due to buggy code, and writing software that is not buggy is the problem of CS/SE.
     Challenge 1: build secure systems with insecure components (similar to building reliable systems with unreliable components).
     Challenge 2: the art of making the right trade-offs to satisfy contradictory objectives (e.g., security and speed).
  4. Cryptography is the art of computing and communicating in the presence of an adversary. cryptography = κρυπτo (hidden or secret) + γραφη (writing). Three broad applications: encryption, authentication, integrity checking. Not all security is an application of crypto, e.g., firewalls.
  5. Fundamental TENET of cryptography: lots of smart people have been trying to figure out how to break X, but so far they have not been able to come up with anything. Therefore X is “secure” . . .
  6. Fundamental ASSUMPTION of cryptography: everybody knows how it works, i.e., the algorithm is public knowledge. The secret is the “key”. In principle it can always be broken; in practice it is too much work for the “bad guy.”
  7. Great free tools to practice the ideas presented in these slides: GnuPG (http://www.gnupg.org) and OpenSSL (http://www.openssl.org).
  8. [Basic ciphers] plaintext --encryption--> ciphertext --decryption--> plaintext. Caesar cipher: the key is a secret number between 1 and 25. Monoalphabetic cipher: the key is a secret pairing (a permutation of the alphabet); there are 26! ≈ 10^26 of them.
  9. Three basic attacks: ciphertext only; known plaintext; chosen plaintext.
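The two ciphers of slide 8 and the key-space point behind slide 9, as an added Python example (this is not code from the talk): a Caesar cipher, a monoalphabetic cipher, and the exhaustive ciphertext-only search that a 25-key space permits. The sample plaintext, the monoalphabetic key `QWERTYUIOPASDFGHJKLZXCVBNM` and all function names are constructed for this example.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions; non-letters pass through unchanged."""
    if not 1 <= key <= 25:
        raise ValueError("Caesar key must be a secret number between 1 and 25")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    # Shifting back by `key` is the same as shifting forward by 26 - key.
    return caesar_encrypt(ciphertext, 26 - key)


def caesar_brute_force(ciphertext: str) -> dict:
    """Ciphertext-only attack on Caesar: with only 25 keys, try them all.

    Returns {key: candidate plaintext}; a reader picks the one that is English.
    """
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def mono_key(secret_order: str) -> dict:
    """Monoalphabetic key: a secret pairing, i.e. a permutation of the 26 letters."""
    if sorted(secret_order) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return dict(zip(ALPHABET, secret_order))


def mono_encrypt(plaintext: str, key: dict) -> str:
    return "".join(key.get(ch, ch) for ch in plaintext.upper())


def mono_decrypt(ciphertext: str, key: dict) -> str:
    inverse = {v: k for k, v in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext.upper())


def key_space(cipher: str) -> int:
    """Number of keys: 25 for Caesar, 26! (about 4 * 10^26) for a monoalphabetic cipher."""
    return {"caesar": 25, "mono": math.factorial(26)}[cipher]


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                       # constructed sample plaintext
    ct = caesar_encrypt(msg, 3)
    print("Caesar:", ct)
    for k, candidate in caesar_brute_force(ct).items():
        print(f"  key {k:2d}: {candidate}")
    k = mono_key("QWERTYUIOPASDFGHJKLZXCVBNM")   # constructed sample key
    print("Mono:", mono_encrypt(msg, k), "->", mono_decrypt(mono_encrypt(msg, k), k))
    print("Key spaces:", key_space("caesar"), key_space("mono"))
```

The brute-force loop is the whole point of slide 8's "1 to 25": a key space that small is no obstacle even by hand. The monoalphabetic key space is vastly larger, but, as slide 9's attack categories suggest, size alone does not make a cipher secure; frequency statistics of the plaintext survive a fixed letter pairing.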
  10. Three types of cryptographic functions: hash functions (0 keys); secret key functions (1 key); public key functions (2 keys).
  11. Secret (symmetric) key crypto: plaintext → encryption (with the key) → ciphertext; ciphertext → decryption (with the same key) → plaintext.
  12. Public (asymmetric) key crypto: plaintext → encryption (with the public key) → ciphertext; ciphertext → decryption (with the private key) → plaintext.
  13. Digital signature scheme: plaintext → signing (with the private key) → signed message; signed message → verification (with the public key) → plaintext.
  14. [Symmetric ciphers] Symmetric ciphers are built from substitutions, permutations and XOR.
  15. Rounds of substitutions and permutations.
  16. XOR, exclusive OR: 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0. If $a, b \in \{0,1\}^n$ then $a \oplus b$ is the string in $\{0,1\}^n$ whose $i$-th bit is $a_i \oplus b_i$ (bit-wise XOR). One can also bit-wise XOR a stream.
  17. [DES] DES (1977), “Data Encryption Standard”: IBM’s cipher + NSA ⟹ DES. DES has a 56-bit key, 64-bit input and 64-bit output. Technically the key is also 64 bits, but each octet is $x_1 x_2 x_3 x_4 x_5 x_6 x_7 y$ where $y = \bigoplus_{i=1}^{7} x_i$ (a parity bit).
  18. Structure of DES: 64-bit input → initial permutation → Round 1 → Round 2 → ... → Round 16 → swap left and right halves → inverse of the initial permutation → 64-bit output. From the 56-bit key, generate 16 round keys of 48 bits each, one per round.
  19. One round: the block is split into 32-bit halves $L_n$ and $R_n$, and $L_{n+1} = R_n$, $R_{n+1} = L_n \oplus \mathrm{Mangler}(R_n, K_n)$. This is a reversible “Feistel cipher”, whatever the mangler function is.
  20. Example: Apache HTTP server access control with .htaccess and .htpasswd. One can create a (variant of) DES login/password pair:
         htpasswd -cbd ./.htpasswd crypto 7u3pr4aa
      and the result is the file .htpasswd containing:
         crypto:9.ZzClMRzHfmc
  21. On http://www.cas.mcmaster.ca/~soltys/cs3c03-w13/ReadingList the .htpasswd consists of:
         netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21
      created with the command
         htpasswd -cbm ./.htpasswd netsec2013 tigerblood
      which produces an MD5 hash. Options: -d is crypt(), a variant of DES; -m is MD5; -s is SHA1.
  22. The crypt() function (man 3 crypt for details): the password is truncated to 8 letters, each encoded with 7 (ASCII) bits, giving 56 bits of input that serve as the DES key; a 64-bit block of 0s is passed through DES 25 times (the output of each pass is the input of the next); a salt is used to “perturb” DES; the 64-bit result is displayed in Base64.
  23. (Diagram only; no text on this slide.)
  24. Checking a password against a stored hash h: h = crypt("passwd", "h"). For example,
         perl -e 'print crypt("7u3pr4aa"," 9. ZzClMRzHfmc ")'
      outputs eYZUcvy1BSUak.
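An added Python example (not code from the talk) for the checking side of slides 20-24: parse a `.htpasswd` line, recognise which `htpasswd` option produced the stored value, and compare a candidate password in constant time. `-s` ({SHA}) entries are verified with the standard library alone; `-d` entries go through Python's `crypt` module only where it still exists (it was removed in Python 3.13); `$apr1$` and bcrypt entries are recognised but not verified here. The function names and the `sha_entry` helper are this example's own; the sample entries are the ones printed on the slides plus constructed {SHA} entries.

```python
import base64
import hashlib
import hmac


def parse_htpasswd_line(line: str) -> tuple:
    """Split 'user:stored' into its two fields; reject lines without both."""
    user, _, stored = line.strip().partition(":")
    if not user or not stored:
        raise ValueError("malformed .htpasswd line")
    return user, stored


def scheme_of(stored: str) -> str:
    """Map the stored value's format back to the htpasswd option that creates it."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"      # htpasswd -m (Apache's salted, iterated MD5)
    if stored.startswith("{SHA}"):
        return "sha1"          # htpasswd -s (unsalted base64(SHA1))
    if stored.startswith("$2y$") or stored.startswith("$2a$"):
        return "bcrypt"        # htpasswd -B
    if len(stored) == 13:
        return "crypt-des"     # htpasswd -d: 2 salt chars + 11 chars of DES output
    return "unknown"


def sha_entry(user: str, password: str) -> str:
    """Build a {SHA} entry the way htpasswd -s does (helper for this example)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def verify_sha(stored: str, password: str) -> bool:
    expected = base64.b64decode(stored[len("{SHA}"):])
    # compare_digest avoids leaking, through timing, how many leading bytes matched
    return hmac.compare_digest(expected, hashlib.sha1(password.encode()).digest())


def verify_crypt_des(stored: str, password: str):
    try:
        import crypt           # deprecated in 3.11, removed in 3.13
    except ImportError:
        return None            # cannot check DES crypt() entries on this interpreter
    # Slide 24's identity h = crypt(passwd, h): the salt is the first two characters of h.
    return hmac.compare_digest(crypt.crypt(password, stored[:2]), stored)


def verify_line(line: str, password: str):
    """True/False when this example can check the entry, None when it cannot."""
    user, stored = parse_htpasswd_line(line)
    scheme = scheme_of(stored)
    if scheme == "sha1":
        return verify_sha(stored, password)
    if scheme == "crypt-des":
        return verify_crypt_des(stored, password)
    return None                # apr1-md5 / bcrypt need a dedicated implementation


if __name__ == "__main__":
    for line in ("crypto:9.ZzClMRzHfmc",                           # slide 20
                 "netsec2013:$apr1$fr2JPfTa$HEzejdyg5DE2MFGVCIzd21",  # slide 21
                 sha_entry("demo", "7u3pr4aa")):                     # constructed
        user, stored = parse_htpasswd_line(line)
        print(user, scheme_of(stored), verify_line(line, "7u3pr4aa"))
```

Of the three formats on the slides, {SHA} is unsalted and DES crypt() keeps only 8 characters of the password, so neither is a good choice for storing passwords today; the `-B` (bcrypt) option exists for that reason.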
  25. Challenge: who can break the crypt() htpasswd entry corresponding to .DubBN4dRdP7w?
  26. [AES] AES: NIST (National Institute of Standards) selected “Rijndael”, FIPS 2001. AES-128, AES-192, AES-256.
  27. [Block ciphers] Block cipher modes, for encrypting messages longer than 64 bits (KPS, ch. 4): 1. Electronic Code Book (ECB); 2. Cipher Block Chaining (CBC); 3. k-bit Cipher Feedback Mode (CFB); 4. k-bit Output Feedback Mode (OFB); 5. Counter Mode (CTR).
  28. ECB: the message is split into blocks m1, m2, ..., m6 and each block is encrypted independently under the key K, giving e1, e2, ..., e6.
  29. Figure: an image as plaintext and the same image encrypted with ECB.
  30. CBC: with key K and an initialization vector IV, each plaintext block is XORed with the previous ciphertext block before encryption: c1 = enc_K(m1 ⊕ IV), c2 = enc_K(m2 ⊕ c1), c3 = enc_K(m3 ⊕ c2), c4 = enc_K(m4 ⊕ c3).
  31. Figure: the same image as plaintext, encrypted with ECB, and encrypted with CBC.
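To make slides 19 and 27-31 concrete, here is an added Python example (not code from the talk): a small Feistel cipher with the round structure of slide 19, then ECB and CBC built on top of it, plus a count of repeated ciphertext blocks that shows what ECB leaks and CBC hides. The key schedule, the hash-based mangler function and the padding are constructed for this example and are not DES's; `BLOCK`, `ROUNDS` and all function names are this example's own.

```python
import hashlib
import os

BLOCK = 8        # 64-bit block, like DES
ROUNDS = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list:
    # Hypothetical key schedule (not DES's): one 64-bit subkey per round, derived by hashing.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def mangler(right: bytes, k: bytes) -> bytes:
    # Toy round function F(R, K); it need not be invertible for the cipher to be.
    return hashlib.sha256(k + right).digest()[:4]


def feistel_encrypt_block(block: bytes, keys: list) -> bytes:
    L, R = block[:4], block[4:]
    for k in keys:                    # L_{n+1} = R_n ; R_{n+1} = L_n xor F(R_n, K_n)
        L, R = R, xor_bytes(L, mangler(R, k))
    return R + L                      # final swap of the halves, as in DES


def feistel_decrypt_block(block: bytes, keys: list) -> bytes:
    # The same network with the round keys in reverse order undoes encryption:
    # that is the reversibility of slide 19.
    return feistel_encrypt_block(block, list(reversed(keys)))


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK     # PKCS#7-style padding, always at least one byte
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    keys = round_keys(key)            # every block encrypted independently (slide 28)
    return b"".join(feistel_encrypt_block(m, keys) for m in blocks(pad(msg)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    keys = round_keys(key)
    return unpad(b"".join(feistel_decrypt_block(c, keys) for c in blocks(ct)))


def cbc_encrypt(key: bytes, msg: bytes, iv: bytes = None) -> bytes:
    keys = round_keys(key)
    prev = iv if iv is not None else os.urandom(BLOCK)   # fresh, unpredictable IV per message
    out = [prev]                      # the IV travels in the clear as the first block
    for m in blocks(pad(msg)):
        prev = feistel_encrypt_block(xor_bytes(m, prev), keys)   # c_i = E_K(m_i xor c_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    keys = round_keys(key)
    cs = blocks(ct)
    out = [xor_bytes(feistel_decrypt_block(c, keys), prev)   # m_i = D_K(c_i) xor c_{i-1}
           for prev, c in zip(cs, cs[1:])]
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes, skip: int = 0) -> int:
    """How many ciphertext blocks equal an earlier one: the structure ECB leaks (slide 29)."""
    bs = blocks(ct[skip:])
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, msg = b"constructed-key", b"SAMEBLOK" * 4     # constructed sample input
    e, c = ecb_encrypt(key, msg), cbc_encrypt(key, msg)
    print("ECB repeats:", repeated_blocks(e), " CBC repeats:", repeated_blocks(c, skip=BLOCK))
    print(ecb_decrypt(key, e) == msg, cbc_decrypt(key, c) == msg)
```

Four identical plaintext blocks give four identical ECB blocks (three repeats), which is exactly the outline of the image that survives on slide 29; under CBC the chaining makes every ciphertext block depend on all earlier ones, so the repeats vanish. The IV must be fresh per message; a fixed IV is used in the test only so the result is reproducible.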
  32. [Stream ciphers] Stream ciphers: RC4. Message $m$ and one-time pad $p$ are both in $\{0,1\}^n$. A stream cipher generates successive bits $p_i$ to encode a stream of bits $m_i$ as $c_i = m_i \oplus p_i$.
  33. RC4 key scheduling (keep in mind that 2^8 = 256). Let S[i] be an array of 256 octets (i.e., bytes). Initialize S:
         for i = 0 ... 255
             S[i] = i
         end for
         j = 0
         for i = 0 ... 255
             j = (j + S[i] + key[i mod keylength]) mod 256
             swap S[i] and S[j]
         end for
  34. Generate the pseudo-random bit stream (a byte at a time):
         i = 0
         j = 0
         while "next byte needed"
             i = (i + 1) mod 256
             j = (j + S[i]) mod 256
             swap S[i] and S[j]
             k = S[(S[i] + S[j]) mod 256]
             output k
         end while
  35. 802.11 wireless network security: WEP (Wired Equivalent Privacy) uses RC4 and is deprecated! WPA (Wi-Fi Protected Access) uses an RC4-type cipher called TKIP (larger keys than WEP); WPA2 uses AES. WPA/WPA2 are part of 802.11i as of 2004.
  36. WEP: the “one-time pad” (keystream) is produced by RC4 keyed with the concatenation of the key and the initialization vector (IV), and the ciphertext is plaintext ⊕ keystream. On the slide: keystream 00101101011101011000101110..., plaintext 110111001011000111100100..., ciphertext 1111000111000100011...
  37. Output of openssl ciphers -v (columns: name; protocol; Kx = key exchange; Au = authentication; Enc = encryption; Mac = message digest):
         DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
         DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
         AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
         EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
         EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
         DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
         DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
         DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
         DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
         AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
         DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
         DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
         SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
         RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
         RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
         RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
         RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
         EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
         EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
         DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
         DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
         EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
         EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
         EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
         EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
         EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
         EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
         EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
  38. [PKC] Public key crypto: Diffie-Hellman, ElGamal, RSA.
  39. Diffie-Hellman key exchange: the oldest public key cryptosystem still in use. It allows two individuals to agree on a shared key, even though they can only exchange messages in public. A weakness is that there is no authentication; the other party might be a “bad guy.” Described in RFC 2631.
  40. Figure: plot of $\log_3(x)$ over $\mathbb{Z}_{17}$ (data file "primitive.txt"), both axes running from 0 to 16.
  41. Diffie-Hellman between Alice and Bob:
      1. Public: $p$ and $g$ such that $\mathbb{Z}_p = \langle g \rangle$.
      2. Alice chooses a secret $a$; Bob chooses a secret $b$.
      3. Alice computes $A := g^a$; Bob computes $B := g^b$.
      4. Alice sends $A$ to Bob; Bob sends $B$ to Alice.
      5. Alice computes $B^a$; Bob computes $A^b$.
      6. Alice and Bob now have a shared value: $A^b = (g^a)^b = g^{ab} = g^{ba} = (g^b)^a = B^a$.
  42. Worked example:
      1. Alice and Bob agree to use the prime p = 23 and base g = 5.
      2. Alice chooses secret a = 8 and sends Bob A = g^a (mod p): A = 5^8 (mod 23) = 16.
      3. Bob chooses secret b = 15 and sends Alice B = g^b (mod p): B = 5^15 (mod 23) = 19.
      4. Alice computes s = B^a (mod p) = 19^8 (mod 23) = 9.
      5. Bob computes s = A^b (mod p) = 16^15 (mod 23) = 9.
  43. Computing large powers in $(\mathbb{Z}_n, *)$ can be done efficiently with repeated squaring. For example, if the binary representation of $m$ is $(m)_b = c_r \ldots c_1 c_0$, compute $a_0 = a$, $a_1 = a_0^2$, $a_2 = a_1^2$, $\ldots$, $a_r = a_{r-1}^2 \pmod n$, and so $a^m = a_0^{c_0} a_1^{c_1} \cdots a_r^{c_r} \pmod n$.
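The exchange of slides 41 and 42, as an added Python example (not code from the talk), computed with the repeated-squaring method of slide 43 rather than the built-in pow(). The toy parameters p = 23, g = 5, a = 8, b = 15 are the slide's; the range check on the peer's value in `dh_shared` is an added sanity check of this example, not something the slides discuss, and all function names are this example's own.

```python
def modexp(a: int, m: int, n: int) -> int:
    """a^m mod n by repeated squaring, following slide 43.

    Write m in binary as c_r ... c_1 c_0.  Keep a_i = a^(2^i) mod n, squaring once per bit,
    and multiply a_i into the result exactly when c_i = 1, so that
    a^m = a_0^{c_0} * a_1^{c_1} * ... * a_r^{c_r} (mod n).
    """
    if m < 0 or n <= 0:
        raise ValueError("need m >= 0 and n > 0")
    bits = [int(c) for c in reversed(bin(m)[2:])]   # c_0, c_1, ..., c_r (least significant first)
    result = 1 % n
    a_i = a % n                                      # a_0 = a
    for c_i in bits:
        if c_i:
            result = (result * a_i) % n              # include the factor a_i^{c_i}
        a_i = (a_i * a_i) % n                        # a_{i+1} = a_i^2 (mod n)
    return result


# Slide 42's toy group; a real deployment uses a prime of 2048 bits or more.
P, G = 23, 5


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """Step 3 of slide 41: A := g^a (or B := g^b), the value that is sent in the clear."""
    return modexp(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int = P) -> int:
    """Step 5 of slide 41: B^a (or A^b).  The range check is this example's addition: it
    rejects 0, 1 and p-1, whose powers are trivial and would make the shared value guessable."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer value is outside the usable range of the group")
    return modexp(peer_public, secret, p)


def dh_demo() -> tuple:
    """Replays slide 42 and returns (A, B, Alice's s, Bob's s)."""
    a, b = 8, 15                   # the two secrets
    A, B = dh_public(a), dh_public(b)
    return A, B, dh_shared(B, a), dh_shared(A, b)


if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_demo()
    print(f"A = {A}, B = {B}, Alice: {s_alice}, Bob: {s_bob}")   # A = 16, B = 19, Alice: 9, Bob: 9
```

Nothing in the exchange ties A to Alice or B to Bob, which is the gap slide 39 calls the missing authentication and which slides 44 and 45 exploit: the values must be authenticated (for example, signed) before the shared secret is trusted.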
  44. DH only resists passive adversaries. A passive attack is one in which the intruder eavesdrops but does not modify the message stream in any way. An active attack is one in which the intruder may: transmit messages; replay old messages; modify messages in transit; delete selected messages from the wire. A typical active attack is one in which an intruder impersonates one end of the conversation, or acts as a man-in-the-middle. This attack motivates the need for authentication.
  45. How to do a “man-in-the-middle” on DH? Alice holds $g^{S_A} = 8389$, Eve holds $g^{S_X} = 5876$, Bob holds $g^{S_B} = 9267$. Alice sends 8389, which reaches Eve; Eve sends 5876 on to Bob. Bob sends 9267, which reaches Eve; Eve sends 5876 on to Alice. Alice and Eve share the key $K_{AX} = 5876^{S_A} = 8389^{S_X}$, and Bob and Eve share the key $K_{BX} = 9267^{S_X} = 5876^{S_B}$.
