29-01-2015 by Bart Van Bos - AllBits
Security in Theory
Cryptography and Entity Authentication
Presentation Overview
● Introduction
● Cryptographic Algorithms
● Entity Authentication
● Network Security
● Conclusion
Security Terminology
● Definitions
– Confidentiality - limit access to information
– Authentication - confirming the truth of an attribute
– Authorization - access control
– Non-repudiation - unable to deny an action
● Don't use the word authentication without
defining it
● Data vs. entities
– Confidentiality: data → encryption; entities → anonymity
– Authentication: data → data authentication; entities → identification
Cryptology Basic Principles
● Alice – Bob – Eve
[Diagram: Alice feeds clear text into a CRYPTO box, which outputs %^C&@&^(; Bob's CRYPTO box turns it back into clear text. Eve sits on the channel between them and can Listen or Modify.]
Presentation Overview
● Introduction
● Cryptographic Algorithms
– Symmetric algorithms
– Public-key Cryptology
● Entity Authentication
● Network Security
● Conclusion
Symmetric Encryption
● Confidentiality through encryption
– Stream ciphers
● RC4 – 1987 by Ron Rivest (MIT)
● E0 (Bluetooth) or A5/1 (GSM)
– Block ciphers
● DES and triple-DES
● AES
● Stream cipher
– Plain text digits are combined with a pseudo random cipher digit
stream (key stream)
● Block cipher
– Fixed-length groups of bits, called blocks, with an unvarying
transformation
Stream cipher
[Diagram: key K and IV load the init state; a next-state function updates the state and an output function produces the key stream, which is combined (+) with the plain text to give cipher text that looks random. The receiver runs the identical generator (same K, IV) and combines again to recover the plain text.]
Stream cipher key stream
● For a fixed key K and initial value IV, the stream
cipher output is a deterministic function of the
state
● A repetition of the state (for a given K, IV) leads
to a repetition of the key stream and plain text
recovery
● Exhaustive key search (2014)
– 2^40 instructions is easy, 2^60 is somewhat hard, 2^80 is hard, 2^128 is completely infeasible
– < 70 bits is insecure. 80 bits OK for 1 year. 100 bits for 20 years
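The two slides above describe the stream cipher as a deterministic generator seeded by (K, IV) and warn that a repeated state repeats the key stream. The following is an added example, not code from the presentation: a toy SHA-256-counter key stream (an assumption, not a real cipher) used to show why decryption works, what an eavesdropper obtains when the same (K, IV) is used twice, and a defensive wrapper that refuses IV reuse.

```python
import hashlib
from itertools import count


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy key stream generator, constructed for this example (not a real cipher).
    State = (K, IV, counter); the output function is SHA-256(K || IV || counter)
    and the next-state function increments the counter. For a fixed K and IV the
    output is a deterministic function of the state, exactly as the slide says."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher text = plain text XOR key stream (the '+' in the slide's diagram)."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # The receiver runs the same generator; XORing again removes the key stream.
    return xor_bytes(ciphertext, keystream(key, iv, len(ciphertext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets from two cipher texts made under the same (K, IV):
    c1 XOR c2 == p1 XOR p2, because the repeated key stream cancels out. This is
    the 'repetition of the key stream' the slide warns about."""
    return xor_bytes(c1, c2)


class NonceTrackingEncryptor:
    """Defensive wrapper: never encrypts twice under the same (K, IV). A real
    implementation derives the IV from a counter or a large random nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_ivs = set()

    def encrypt(self, iv: bytes, plaintext: bytes) -> bytes:
        if iv in self.used_ivs:
            raise ValueError("IV reuse under this key: the key stream would repeat")
        self.used_ivs.add(iv)
        return encrypt(self.key, iv, plaintext)


if __name__ == "__main__":
    key, iv = b"\x01" * 16, b"\x02" * 8          # constructed sample key and IV
    p1, p2 = b"meet at noon", b"cash at dawn"    # constructed sample messages
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)   # same (K, IV) twice: the mistake
    print("c1 XOR c2 == p1 XOR p2:", keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))
```

The wrapper is the practical takeaway: the generator itself cannot tell that a state is being repeated, so uniqueness of (K, IV) has to be enforced by the caller.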
Block cipher
[Diagram: plain block 1, plain block 2 and plain block 3 each pass through the block cipher under the same key, giving cipher block 1, cipher block 2 and cipher block 3.]
– Larger data units: 64 ... 128 bits
– Memoryless
– Repeat simple operation (round) many times
AES Rijndael
● Advanced Encryption Standard
– Open Competition launched by US government in
1997 to replace DES
● Joan Daemen and Vincent Rijmen
● Graduated at ESAT (KUL)
– 128 bit block cipher with key of 128/192/256 bits
– As strong as triple DES
● More efficient
● Royalty free
Symmetric Data Hashing
● Data authentication through Hashing
– A hash function is a one way function
– Hash functions without a key
● MDC (Manipulation Detection Code)
– MD5: collisions 2^30 steps
– SHA-1: collisions 2^69 steps
– SHA-3 (Keccak – BE 2013): collisions 2^256 steps
– Hash functions with a secret key
● MAC (Message Authentication Code)
Data authentication with MDC
● Protect a short hash value rather than the long text
● Pre-image resistance
– Given y, hard to find x such that hash(x) = y
– Hard to find x' ≠ x such that hash(x') = hash(x)
[Illustration: the long input text "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a pre-image) or to find two colliding inputs (a collision)." is reduced by HASH to the fixed-length value 7E6FD7198A198FB3C]
● (MD5)
● (SHA-1)/256/512
● RIPEMD-160
● SHA-3 (BE design)
MAC Algorithms
● Alice – Bob – Eve
[Diagram: Alice computes a MAC over the clear text and sends clear text plus MAC; Bob runs VERIFY on what he receives. Eve on the channel can Modify the clear text, but not produce a valid MAC for it.]
Data authentication with MAC
● Protection of authenticity of long messages => protection of secrecy of a short key
● Add the MAC to the plain text
● Birthday attacks: security level smaller than expected
[Illustration: the long input text "This is an input to a MAC algorithm. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard for someone who does not know the secret key to compute the hash function on a new input." is reduced by the keyed HASH to the fixed-length value 7E6FD7198A198FB3C]
● CBC-MAC (3DES)
● HMAC (AES)
● GMAC
Cipher Block Chaining MAC
● MAC algorithms
– Banking: CBC-MAC based on triple DES
– Internet: HMAC and CBC-MAC based on AES
– Initial Vector should be random and secret
[Diagram: CBC-MAC with AES under key K. The IV is combined (+) with plain block 1 and encrypted with AES; each resulting cipher block is combined with the next plain block (2 ... n) and encrypted again under the same K; the final cipher block n is the MAC.]
Presentation Overview
● Introduction
● Cryptographic Algorithms
– Symmetric algorithms
– Public-key cryptology
● Entity Authentication
● Network Security
● Conclusion
Why Public-key Cryptology?
● Limitation of symmetric cryptology
– Reduce security of information to security of keys
– But how to establish these secret keys?
● Cumbersome and expensive
● Risky: all keys in one place
– Do we really need to establish secret keys?
Public Key Encryption
[Diagram: Alice's CRYPTO box encrypts clear text with Bob's Public key into %^C&@&^(; Bob's CRYPTO box decrypts it with his Private key back to clear text. Eve can only Listen.]
● Public key cryptology: encryption
Public Key Digital signatures
● Public key cryptology: digital signature
[Diagram: Alice's CRYPTO box signs the clear text with her Private key, producing %^C&@&^(; Bob's CRYPTO box verifies it with Alice's Public key and recovers the clear text. Eve may try to Modify the message in transit.]
Key transport using RSA
● RSA protocol (1978 - Rivest, Shamir and Adleman)
– The security of RSA is based on the fact that it is easy to
generate two large primes, but that it is hard to factor their
product
● encryption: c = m^e mod n
● decryption: m = c^d mod n
– How does Bob know that k is coming from Alice?
● In reality as Alice you'll use a password or credit card number to identify
yourself to Amazon
– What happens if private server key SKB is leaked or requested by the NSA or
hackers? All historical data can be read → no forward secrecy!
[Diagram: Alice generates k, encrypts it with PKB and signs with SKA, sending SigSKA{EPKB(k || tA)}; Bob verifies using PKA and decrypts using SKB to obtain k.]
Key transport using STS
● Station to Station (STS) protocol
– Diffie-Hellman: first published in 1976
– Before: Alice & Bob never met and share no secrets
– After: Alice & Bob share short term key k
● Eve cannot compute k (discrete logarithm problem)
● Provides perfect forward secrecy
[Diagram: Alice generates x, computes α^x and sends it to Bob. Bob generates y, computes α^y and replies with α^y and SigB(α^y, α^x). Alice computes k = (α^y)^x, checks SigB (√) and sends SigA(α^x, α^y). Bob computes k = (α^x)^y and checks SigA (√).]
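The two key-establishment slides above (RSA key transport and STS) differ in exactly one property the presentation stresses: forward secrecy. The following is an added example, not code from the presentation: a toy textbook RSA over fixed Mersenne primes and a toy Diffie-Hellman group (both assumptions chosen so the arithmetic runs in plain Python; real deployments use 2048-bit RSA with OAEP/PSS padding and standard DH groups) drive both protocols so that the transcript of each can be compared with a later leak of SKB.

```python
import hashlib
import os

# Toy parameters, constructed for this example only.
ALICE_PRIMES = (2**61 - 1, 2**89 - 1)     # n_A is about 2^150
BOB_PRIMES = (2**107 - 1, 2**127 - 1)     # n_B is about 2^234
DH_P, DH_G = 2**89 - 1, 3                 # toy group for alpha^x, alpha^y


def rsa_keygen(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (public key PK, private key SK)


def h_int(data: bytes, n: int) -> int:
    """Hash, then reduce mod n so the digest can be signed as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(h_int(msg, n), d, n)


def rsa_verify(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == h_int(msg, n)


def rsa_encrypt(pk, m: int) -> int:       # c = m^e mod n
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(sk, c: int) -> int:       # m = c^d mod n
    n, d = sk
    return pow(c, d, n)


def _ser(*values: int) -> bytes:
    """Fixed-width serialisation of integers below 2^256 for signing."""
    return b"".join(v.to_bytes(32, "big") for v in values)


def rsa_key_transport(pk_a, sk_a, pk_b, sk_b, t_a: int):
    """Slide 'Key transport using RSA': Alice sends SigSKA{EPKB(k || tA)}.
    Returns Bob's recovered k and the cipher text c that Eve can record."""
    k = os.urandom(12)                                       # Alice: generate k (96 bits)
    m = int.from_bytes(k + t_a.to_bytes(4, "big"), "big")    # k || tA, below n_B
    c = rsa_encrypt(pk_b, m)                                 # encrypt with PKB
    sig = rsa_sign(sk_a, _ser(c))                            # sign with SKA
    if not rsa_verify(pk_a, _ser(c), sig):                   # Bob: verify using PKA
        raise ValueError("signature check failed")
    recovered = rsa_decrypt(sk_b, c).to_bytes(16, "big")     # Bob: decrypt using SKB
    k_b, t_b = recovered[:12], int.from_bytes(recovered[12:], "big")
    if t_b != t_a:
        raise ValueError("timestamp mismatch")
    return k_b, c


def read_recorded_session(sk_b, c: int) -> bytes:
    """No forward secrecy: whoever later obtains SKB decrypts the recorded c."""
    return rsa_decrypt(sk_b, c).to_bytes(16, "big")[:12]


def sts_exchange(pk_a, sk_a, pk_b, sk_b):
    """Slide 'Key transport using STS': signed Diffie-Hellman, k = alpha^(xy)."""
    x = int.from_bytes(os.urandom(10), "big")                # Alice: generate x
    gx = pow(DH_G, x, DH_P)                                  # compute alpha^x, send to Bob
    y = int.from_bytes(os.urandom(10), "big")                # Bob: generate y
    gy = pow(DH_G, y, DH_P)                                  # compute alpha^y
    sig_b = rsa_sign(sk_b, _ser(gy, gx))                     # Bob -> Alice: alpha^y, SigB(alpha^y, alpha^x)
    if not rsa_verify(pk_b, _ser(gy, gx), sig_b):            # Alice checks SigB
        raise ValueError("Bob's signature failed")
    k_a = pow(gy, x, DH_P)                                   # Alice: k = (alpha^y)^x
    sig_a = rsa_sign(sk_a, _ser(gx, gy))                     # Alice -> Bob: SigA(alpha^x, alpha^y)
    if not rsa_verify(pk_a, _ser(gx, gy), sig_a):            # Bob checks SigA
        raise ValueError("Alice's signature failed")
    k_b = pow(gx, y, DH_P)                                   # Bob: k = (alpha^x)^y
    return k_a, k_b


if __name__ == "__main__":
    pk_a, sk_a = rsa_keygen(*ALICE_PRIMES)
    pk_b, sk_b = rsa_keygen(*BOB_PRIMES)
    k, c = rsa_key_transport(pk_a, sk_a, pk_b, sk_b, t_a=1422489600)
    print("RSA transport: leaked SKB recovers k:", read_recorded_session(sk_b, c) == k)
    k_a, k_b = sts_exchange(pk_a, sk_a, pk_b, sk_b)
    print("STS: both sides agree on k:", k_a == k_b)
```

In the STS run the long-term keys only ever sign; x and y are discarded after the exchange, so a recorded transcript plus a later copy of SKB yields nothing, which is the forward-secrecy difference the slides point out.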
Public key cryptology
● Advantages
– Protection of information => authenticity of public keys
– Confidentiality without secret keys: open environment
– Data authentication without shared secret keys: digital
signature
● Disadvantages
– Calculation in HW/SW is 2 to 3 orders of magnitude slower than symmetric algorithms
– Longer keys: 1024 bits instead of 56 ... 128
Cryptographic SW Libraries
● C, C++, C#
– Botan (C++)
– Cryptlib (C)
– Crypto++ (C++)
– CyaSSL (C) embedded
– GnuTLS (C)
– Libgcrypt (C++)
– MatrixSSL (C++) embedded
– Miracl (binaries)
– OpenSSL (C++)
– PolarSSL (C)
● Java
– SunJCA/JCE
– BouncyCastle (BC, C#)
– CryptixCrypto
– EspreSSL
– FlexiProvider
– GNU Crypto
– IAIK
– Java SSL
– RSA JSafe
Reference: http://ece.gmu.edu/crypto_resources/web_resources/libraries.htm
Presentation Overview
● Introduction
● Cryptographic Algorithms
● Entity Authentication
– Passwords
– Symmetric Keys
– Public Keys
● Network Security
● Conclusion
Entity Authentication
● Entity Authentication - one is corroborated
of the identity of another party and of the
fact that this party is alive (active) during
the protocol
[Illustration: Alice: "Hello Bob, I am Alice" – Bob: "Why should I believe her?"]
Entity Authentication Elements
● What someone knows
– Password, PIN code
● What someone has
– Magnetic stripe card, smart card
● What someone is (biometrics)
– Fingerprint, retina, hand shape...
● How someone does something
– Manual signature, typing pattern
● Where someone is
– Dial back, location based services (GSM, Galileo)
Password identification
● Bob stores hash(P) rather than P
● Eve can guess the password P
● Eve can eavesdrop on the channel and learn Alice's password
[Diagram: Alice sends "Hello Bob, I am Alice. My password P is Xur%9pLr"; Bob applies the one-way hash f(P) and compares it with the stored f(Xur%9pLr): OK!]
Password identification
● Every user gets a random, publicly known salt S.
● Bob stores hash(P,S)||S rather than P
● It's harder to attack the passwords of all users simultaneously
[Diagram: Alice sends "Hello Bob, I am Alice. My password P is Xur%9pLr"; Bob looks up Alice's salt S, applies the one-way hash f(P || S) and compares it with the stored f(Xur%9pLr || 987&*) || 987&*: OK!]
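The two password slides above contrast storing hash(P) with storing hash(P,S)||S. The following is an added example, not code from the presentation, implementing both storage formats so the difference can be checked directly; the hash function f is instantiated with PBKDF2-HMAC-SHA256 and the iteration count is an assumption for the example (the slides name no particular hash).

```python
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = 32       # SHA-256 output length in bytes
ITERATIONS = 50_000   # PBKDF2 work factor, chosen for this example


def unsalted_record(password: str) -> bytes:
    """First slide: Bob stores hash(P). Equal passwords give equal records,
    so one precomputed table attacks every user at once."""
    return hashlib.sha256(password.encode()).digest()


def salted_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Second slide: Bob stores hash(P,S) || S with a random, public salt S per user.
    f is PBKDF2-HMAC-SHA256 here (deliberately slow); the slide's f is any one-way function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return digest + salt


def verify(record: bytes, candidate: str) -> bool:
    """Bob recomputes f(P' || S) from the stored salt and compares in constant time."""
    digest, salt = record[:DIGEST_LEN], record[DIGEST_LEN:]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, attempt)


def distinct_digests(records) -> int:
    """How many different hash values a set of stored records contains.
    With unsalted storage, users sharing a password collapse onto one value;
    with salts every record is distinct, so Eve must attack each user separately."""
    return len({r[:DIGEST_LEN] for r in records})


if __name__ == "__main__":
    pw = "Xur%9pLr"                                   # the slide's sample password
    print("unsalted, two users:", distinct_digests([unsalted_record(pw), unsalted_record(pw)]))
    print("salted, two users:  ", distinct_digests([salted_record(pw), salted_record(pw)]))
    print("verify:", verify(salted_record(pw), pw), verify(salted_record(pw), "wrong"))
```

The salt does nothing against guessing a single user's weak password or against eavesdropping, exactly as the slides note; it only removes the "all users at once" economy.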
Human memory is limited
● Store key K on magnetic stripe, USB keys or
hard disk
● Stops guessing attacks
● But does not solve the other problems related
to password
● And you identify the card, not the user
● Possibility of replay: liveliness is missing
Static Data Authentication
● Replace K by a signature of a third party CA
(Certificate Authority) on Alice's name
SigSKCA(Alice)
● Advantages
– Can be verified using public string PKCA
– Can only be generated by CA
● Disadvantages
– Possibility of replay because liveliness is missing
– Can still be copied/intercepted
– Signature = 40...128 bytes
[Example certificate: DN: cn=Alice, o=KBC, c=BE; Serial #: 8391037; Start: 3/02/13 1:00; End: 3/02/14 00:59; CRL: cn=BCC, o=EMV, c=BE; CA DN: o=EMV, c=BE]
Identification symmetric token
● Challenge response protocol
– Eavesdropping no longer effective
– Bob still needs to have the secret key K
– Detects whether Alice is alive!
[Diagram: Bob sends a random number r; Alice, holding K, returns MACK(r); Bob, also holding K, recomputes it: OK!]
Identification symmetric token
● With implicit challenge from the clock
– Eavesdropping no longer effective (no challenge)
– Bob still needs to have the secret key K
– Resynchronization mechanism needed
[Diagram: Alice, holding K, sends MACK(time); Bob, also holding K, recomputes it for the current time: OK!]
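The two symmetric-token slides above describe challenge-response with a random r and the variant with an implicit challenge from the clock. The following is an added example, not code from the presentation: MACK is instantiated with HMAC-SHA256 (an assumption; the slides name no MAC), the verifier accepts each random challenge only once, and the clock variant implements the resynchronization window the slide calls for.

```python
import hashlib
import hmac
import os


def mac(key: bytes, msg: bytes) -> bytes:
    """MACK(.) from the slides, instantiated here with HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Token:
    """Alice's side: holds the shared secret K and answers challenges."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, r: bytes) -> bytes:
        return mac(self.key, r)                                   # MACK(r)

    def respond_time(self, now: int, step: int = 30) -> bytes:
        # Implicit challenge from the clock: the current time slot replaces r.
        return mac(self.key, (now // step).to_bytes(8, "big"))    # MACK(time)


class Verifier:
    """Bob's side: also holds K, which is the drawback both slides list."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()     # challenges issued but not yet answered

    def challenge(self) -> bytes:
        r = os.urandom(16)           # fresh random number r: a correct answer proves Alice is alive
        self.outstanding.add(r)
        return r

    def check(self, r: bytes, response: bytes) -> bool:
        if r not in self.outstanding:    # never issued, or already consumed: a replay
            return False
        self.outstanding.discard(r)      # each challenge is accepted once
        return hmac.compare_digest(mac(self.key, r), response)

    def check_time(self, response: bytes, now: int, step: int = 30, drift: int = 1) -> bool:
        # Resynchronization: accept the current slot and its +-drift neighbours,
        # so a token clock that has wandered a little still verifies.
        for delta in range(-drift, drift + 1):
            slot = now // step + delta
            if slot < 0:
                continue
            if hmac.compare_digest(mac(self.key, slot.to_bytes(8, "big")), response):
                return True
        return False


if __name__ == "__main__":
    key = b"\x42" * 32                       # constructed shared secret K
    alice, bob = Token(key), Verifier(key)
    r = bob.challenge()
    resp = alice.respond(r)
    print("first answer accepted:", bob.check(r, resp))
    print("replayed answer accepted:", bob.check(r, resp))
```

With the clock variant a captured MACK(time) stays valid for the whole acceptance window, so a verifier in practice also remembers the responses it has already accepted within that window.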
http://allthingsd.com/20110404/rsa-explains-how-it-was-hacked
http://www.computerworld.com/article/2511297/security0/diginotar-dies-from-certificate-hack-caper.html
Identification public key token
● Use private key to sign the challenge r
● Eavesdropping no longer effective
● Bob no longer needs a secret – only PKA
● Most expensive (€ and time)
[Diagram: Bob sends a random number r; Alice signs it with SKA and returns SigSKA(r); Bob verifies with PKA: OK!]
Overview Identification Protocols
Protocol              Guess   Eavesdrop (liveliness)   Impersonation by Bob   Secret info for Bob   Security
Password              -       -                        -                      -                     1
Magnetic stripe (SK)  +       -                        -                      -                     2
Magnetic stripe (PK)  +       -                        -                      +                     3
Dynamic PW            +       +                        -                      -                     4
Smart Card (SK)       +       +                        -                      -                     4
Smart Card (PK)       +       +                        +                      +                     5
Entity authentication in practice
● Phishing – mutual authentication
● 2 stage authentication: user → device, device → world
● Forward credentials – biometry
● Interrupt after initial authentication – authenticated key establishment (session key to encrypt data)
● Mafia fraud – distance bounding
● Protocol errors – check that local device authentication is linked to the entity authentication protocol
https://www.youtube.com/watch?v=JPAX32lgkrw
http://www.cl.cam.ac.uk/research/security/banking/nopin
Presentation Overview
● Introduction
● Cryptographic Algorithms
● Entity Authentication
● Network Security
– Transport Layer Security (SSL/TLS)
● Conclusion
Transport Layer Security
● Connection-oriented data confidentiality
and integrity, with optional client and
server authentication
[Diagram: the browser speaks HTTP over SSL (https:// instead of http://) to the secure web server; SSL sits between HTTP and TCP on both ends. OSI layers: 1 - Physical, 2 - Data Link, 3 - Network, 4 - Transport, 5 - Session, 6 - Presentation, 7 - Application.]
SSL Secure Sockets Layer (Netscape), TLS Transport Layer Security (IETF):
SSL 1.0 N/A
SSL 2.0 1995
SSL 3.0 1996
TLS 1.0 1999
TLS 1.1 2006
TLS 1.2 2008
TLS 1.3 TBD
TLS Protocol Details
● A new record layer is inserted
● Handshake
– Negotiation of
Crypto Algorithms
– Client/Server
Authentication
– Cryptographic Key
Establishment
● Encryption (1st)
● MAC (2nd)
– Key confirmation
[Diagram: the Application (http, telnet...) runs over the Record Layer Protocol, which runs over the Transport Layer (TCP); the Handshake protocol, Cipher Spec protocol and Application protocol are all carried in SSL Records. Client Hello and Server Hello are exchanged first, followed by Change Cipher Spec and then Application Data.]
TLS Handshake Overview
✔ start handshake, protocol version, algorithms
✔ authentication server + exchange (pre)master secret
✔ client authentication
✔ end handshake, integrity verification (*)
[Diagram, message flow between CLIENT and SERVER:
Server → Client: Hello Request
Client → Server: Client Hello
Server → Client: Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
Client → Server: Certificate, Client Key Exchange, Certificate Verify, [change cipher spec], Finished (MAC*)
Server → Client: [change cipher spec], Finished (MAC*)]
Data encapsulation options
● Integrity
● Confidentiality
● Integrity (key size – algorithm): 144 – HMAC-MD5; 160 – HMAC-SHA1; 256 – HMAC-SHA256
● Confidentiality (key size – algorithm options): 40 – RC4_40, RC2_CBC_40, DES_CBC_40; 56 – DES_CBC; 128 – RC4, IDEA_CBC, AES_CBC; 168 – 3DES_EDE_CBC; 256 – AES_CBC
TLS 1.2
TLS 1.0 – http://tools.ietf.org/html/rfc2246 TLS 1.2 – http://tools.ietf.org/html/rfc5246
TLS Key Management Options
➢ DH Diffie-Hellman
➢ DHE Ephemeral DH
➢ x/y generated each time
➢ perfect FW secrecy
➢ DSS Digital Signature Standard (DSA)
➢ RSA Rivest-Shamir-Adleman
➢ EC Elliptic Curve (shorter keys)
➢ TLS 1.0 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA1
➢ TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA1
Key exchange options by authentication level:
– anonymous (TLS 1.0): DH_anon → man-in-the-middle
– server authentication only (TLS 1.0): RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
– server and client authentication (TLS 1.0): RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
– TLS 1.2 adds: ECDHE_ECDSA
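The key-management and data-encapsulation slides above classify cipher suites by key exchange (ephemeral or not, anonymous or authenticated), key size and MAC. The following is an added example, not code from the presentation: a parser for cipher suite names such as TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA1 that derives those properties from the name and turns the slides' tables into a defender's checklist (the 80-bit floor comes from the exhaustive-key-search slide; the MAC/cipher weakness rules and the EXPORT handling are this example's own assumptions).

```python
import re

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<body>.+)$")
WEAK_CIPHERS = {"NULL", "RC2", "RC4", "DES"}     # DES here is single DES, not 3DES
MIN_KEY_BITS = 80    # slide 8: < 70 bits insecure, 80 bits OK for 1 year


def key_exchange(kx: str):
    """Split the key-exchange part into (exchange, authentication, forward secrecy, anonymous)."""
    if kx.endswith("_EXPORT"):               # export-grade suites carry a suffix; strip it
        kx = kx[:-len("_EXPORT")]
    if kx == "RSA":                          # RSA key transport: the server key both authenticates and encrypts
        return "RSA transport", "RSA", False, False
    exch, auth = kx.split("_", 1)            # e.g. DHE_DSS, DH_anon, ECDHE_ECDSA
    ephemeral = exch.endswith("E")           # DHE / ECDHE: x, y generated each time -> perfect FW secrecy
    anonymous = auth == "anon"
    return exch, (None if anonymous else auth), ephemeral, anonymous


def key_bits(cipher: str) -> int:
    """Key size from the cipher token, following the slide's table."""
    toks = cipher.split("_")
    for t in toks:
        if t.isdigit():                      # RC4_40, RC2_CBC_40, DES_CBC_40, AES_128_CBC, AES_256_CBC
            return int(t)
    if toks[0] == "3DES":
        return 168
    if toks[0] == "DES":
        return 56
    if toks[0] in ("RC4", "IDEA"):           # unqualified RC4 and IDEA_CBC are 128-bit
        return 128
    return 0


def classify(suite: str) -> dict:
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not a TLS cipher suite name: {suite}")
    cipher, mac_alg = m.group("body").rsplit("_", 1)   # last token: HMAC hash (PRF hash for AEAD suites)
    exch, auth, pfs, anon = key_exchange(m.group("kx"))
    return {"suite": suite, "key_exchange": exch, "authentication": auth,
            "forward_secrecy": pfs, "anonymous": anon,
            "cipher": cipher, "key_bits": key_bits(cipher), "mac": mac_alg}


def findings(suite: str) -> list:
    """Checklist derived from the slides: anonymity, forward secrecy, key size, weak primitives."""
    c = classify(suite)
    out = []
    if c["anonymous"]:
        out.append("anonymous key exchange: no authentication, man-in-the-middle possible")
    if not c["forward_secrecy"]:
        out.append("no forward secrecy: a leaked server private key decrypts recorded sessions")
    if c["cipher"].split("_")[0] in WEAK_CIPHERS:
        out.append(f"weak cipher {c['cipher']}")
    if c["key_bits"] < MIN_KEY_BITS:
        out.append(f"{c['key_bits']}-bit key is below the {MIN_KEY_BITS}-bit floor")
    if c["mac"] == "MD5":
        out.append("HMAC-MD5 integrity")
    return out


if __name__ == "__main__":
    for s in ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA1",   # the slide's TLS 1.0 example
              "TLS_RSA_WITH_AES_128_CBC_SHA1",        # the slide's TLS 1.2 example
              "TLS_DH_anon_WITH_RC4_128_MD5"):
        print(s, "->", findings(s) or ["ok"])
```

The point of running it over the two suites named on the slide is that the TLS 1.2 example, TLS_RSA_WITH_AES_128_CBC_SHA1, is the one without forward secrecy: RSA key transport has exactly the weakness the RSA slide described, while the older DHE suite does not.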
Current SSL & TLS usage
● Top 1 Million websites October 2014
– Removal of SSLv3 support from browsers is blocked
– 96.9% still support SSLv3
– Only 34.2% support TLSv1.2
https://zmap.io/sslv3/#affected
[Pie chart: highest supported TLS version. Legend: HTTP Only, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2; slice values as extracted: 41.21%, 0.12%, 24.02%, 0.40%, 34.24% (the TLS 1.2 slice is 34.24%).]
No TLS support! citibank.com, marketwatch.com, clkmon.com, inclk.com, informer.com, billdesk.com
Presentation Overview
● Introduction
● Cryptographic Algorithms
● Entity Authentication
● Network Security
● Conclusion
Conclusions
● Properties of protocols are subtle
● Many standardized protocols exist
– ISO/IEC, IETF
● Difficulty: which properties are needed for
a specific application
● Rule #1 of protocol design – DON'T
– Not even by simplifying existing protocols
References
● A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
– http://www.cacr.math.uwaterloo.ca/hac
● N. Smart, Cryptography, An Introduction: 3rd Ed, 2008. Solid and up to date but on the mathematical side.
– http://www.cs.bris.ac.uk/~nigel/Crypto_Book
● Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano: The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.
– IEEE Symposium on Security and Privacy 2012: 553-567
Q&A
● Thanks for your attention
Email: bartvanbos@allbits.eu
LinkedIn: http://lnkd.in/Kre-kR
