Microstrategy Course, 18 October 2013
David Evans, University of Virginia, www.cs.virginia.edu/evans
Day 3: Public Key Protocols
Engineering Cryptographic Applications
Engineering Crypto Applications 2
Recap: Symmetric Encryption
evans@virginia.edu
[Figure: Alice runs AES on the plaintext with the shared key; the ciphertext crosses an insecure channel; Bob runs AES with the same key and recovers the plaintext]
Assuming we generate strong keys, use an appropriate cipher mode, and correctly implement a secure symmetric encryption primitive, we can securely encrypt long messages so even an adversary with $Quadrillions cannot learn anything interesting.
Assumes a secret already shared between Alice and Bob.
Amplifies that secret to send more data later.
Plan for Today
1. Key Agreement Protocols
2. Solving the remote authentication problem
Asymmetric Encryption, Public-Key Protocols
[Figure: TJ and petitions.gov, joined by an insecure channel that today's protocols turn into a secure channel]
Key Agreement
Asymmetric Key Agreement: Merkle’s Puzzles (1974)
Ralph Merkle (born 1952)
Merkle’s Puzzles: Key Agreement
Alice:
1. Generate N random keys: k_0, …, k_{N-1}
2. For each i, send E_{k_i}(“key #” + i), in random order:
   E_{k_37}(“key #” + 37), E_{k_82}(“key #” + 82), E_{k_22}(“key #” + 22), …
Bob:
3. Randomly select one of the received messages.
4. Try all possible keys until finding the k_x that decrypts the message to “key #x”.
5. Send x (in the clear) to Alice.
Shared secret: k_x
Security
Eve sees every puzzle and the index x, but not which puzzle Bob picked, so she must keep solving puzzles until one decrypts to “key #x”: about half of them on average.
Suppose each key is 56 bits:
Alice has to generate N keys and do N encryptions.
Bob has to do at most 2^56 work to brute force one puzzle (2^55 expected).
Eve has to do ½N × 2^55 expected work.
So, if 2^96 is infeasible, N = 2^42 could work.
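The puzzle protocol and the work estimate above, as an added example that is not part of the original slides: a Python implementation with a toy cipher (a SHA-256-derived pad, assumed here in place of a 56-bit block cipher) and key sizes small enough to brute force in seconds. It runs the protocol end to end and counts the trial decryptions Bob and Eve each perform, so the N-versus-N² gap from the security slide can be observed directly. The parameters (N, key_bits, the “key #” tag) and function names are this example's own choices.

```python
import hashlib
from random import Random

PREFIX = b"key #"


def keystream(key: int, length: int) -> bytes:
    """Toy symmetric cipher: a one-time pad derived from SHA-256 of the key.
    Only the key size matters for the puzzle arithmetic, so a real block
    cipher (the slides assume a 56-bit key) is not needed here."""
    return hashlib.sha256(b"merkle-puzzle|" + key.to_bytes(8, "big")).digest()[:length]


def encrypt(key: int, msg: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))


decrypt = encrypt  # XOR pad: the same operation in both directions


def alice_make_puzzles(n: int, key_bits: int, rng: Random):
    """Steps 1-2: N random keys, each wrapped as E_{k_i}("key #" || i),
    sent in random order. Alice keeps the key table for step 5."""
    keys = [rng.getrandbits(key_bits) for _ in range(n)]
    puzzles = [encrypt(k, PREFIX + i.to_bytes(4, "big")) for i, k in enumerate(keys)]
    rng.shuffle(puzzles)
    return keys, puzzles


def solve_puzzle(puzzle: bytes, key_bits: int):
    """Step 4: brute force the key space; the "key #" tag tells us when we
    have the right key. Returns (index, key, trial decryptions performed)."""
    for trials, k in enumerate(range(1 << key_bits), start=1):
        pt = decrypt(k, puzzle)
        if pt.startswith(PREFIX):
            return int.from_bytes(pt[len(PREFIX):], "big"), k, trials
    raise ValueError("not a puzzle from this scheme")


def bob_pick_and_solve(puzzles, key_bits: int, rng: Random):
    """Steps 3-5: pick one puzzle at random, solve it, and announce its
    index x in the clear. The recovered k_x is the shared secret."""
    x, kx, work = solve_puzzle(rng.choice(puzzles), key_bits)
    return x, kx, work


def eve_attack(puzzles, x: int, key_bits: int):
    """Eve sees every puzzle and the public index x, but not which puzzle
    Bob chose: she must keep solving puzzles until one decrypts to x.
    Expected cost is about (N/2) * 2**(key_bits-1) trial decryptions,
    versus Bob's 2**(key_bits-1): the gap is only quadratic in N."""
    work = 0
    for puzzle in puzzles:
        i, k, trials = solve_puzzle(puzzle, key_bits)
        work += trials
        if i == x:
            return k, work
    raise ValueError("index never appeared")


def run_protocol(n: int = 64, key_bits: int = 12, seed: int = 1):
    rng = Random(seed)  # seeded only so a run is reproducible; not for real keys
    keys, puzzles = alice_make_puzzles(n, key_bits, rng)
    x, k_bob, bob_work = bob_pick_and_solve(puzzles, key_bits, rng)
    k_alice = keys[x]  # Alice looks k_x up in her table; no brute force needed
    k_eve, eve_work = eve_attack(puzzles, x, key_bits)
    return {"agree": k_alice == k_bob, "eve_recovers": k_eve == k_alice,
            "bob_work": bob_work, "eve_work": eve_work}


if __name__ == "__main__":
    print(run_protocol())
```

Raising key_bits by one doubles both Bob's and Eve's work; only raising N widens the gap, and only quadratically, which is exactly what the next slide says is the best any puzzle-style scheme can do.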
Can we do better?
CRYPTO 2009: actually, it is impossible to do better! (Barak and Mahmoody-Ghidary, “Merkle Puzzles Are Optimal”)
Any scheme like this, even with perfect primitives, can be broken by an adversary who can do O(N^2) encryptions (where Alice and Bob do N encryptions).
To do better, we need some magic math!
Time for a Revolution!
“We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.”
Whit Diffie and Martin Hellman, “New Directions in Cryptography,” November 1976.
Padlocked Boxes
Alice wants to ship a message M to Bob through Shady Sammy’s Slimy Shipping Service, which reads anything it can open. Neither of them has the other’s padlock key.
1. Alice locks M in a box with her padlock and ships it: E_A(M). Only Alice’s padlock key opens it.
2. Bob cannot open it, so he adds his own padlock and ships the box back: E_B(E_A(M)).
3. Alice removes her padlock with her key and ships it again: D_A(E_B(E_A(M))) = E_B(M).
4. Bob removes his padlock with his key and reads M.
Sammy only ever sees a box locked with at least one padlock.
“Padlocks” Key Agreement
• We relied on: D_A(E_B(E_A(M))) = E_B(M)
• Is this true for AES?
No way! AES (and any strong symmetric primitive) must involve non-linear transformations, and those do not commute: there is no way to strip Alice’s layer out from under Bob’s.
• What operations is it true for?
Multiplication (and therefore exponentiation, which is repeated multiplication).
Diffie-Hellman(-Merkle) Key Agreement
Whit Diffie, Martin Hellman
Diffie-Hellman Key Agreement
1. Choose and publish: q (large prime number), α (primitive root of q)
Alice:
2. Generate random X_A
3. Send Y_A = α^X_A mod q
Bob:
4. Generate random X_B
5. Send Y_B = α^X_B mod q
Alice computes K = (Y_B)^X_A mod q; Bob computes K = (Y_A)^X_B mod q
Key Agreement Requirements
Correctness: Both participants get the same key
Security: An eavesdropper cannot find K from all intercepted values
Key Agreement Correctness
Correctness: Both participants get the same key
Y_A = α^X_A mod q, Y_B = α^X_B mod q
Alice: K = (Y_B)^X_A mod q = (α^X_B mod q)^X_A mod q = α^(X_B · X_A) mod q
Bob:   K = (Y_A)^X_B mod q = (α^X_A mod q)^X_B mod q = α^(X_A · X_B) mod q
Multiplication commutes (just like the padlocks)!
Security
An eavesdropper cannot find K from all intercepted values: q, α, Y_A, Y_B
Primitive Roots
α is a primitive root of q if for every n with 1 ≤ n < q there is some m, 1 ≤ m < q, such that α^m ≡ n (mod q): the powers of α run through every non-zero residue.
All prime numbers have primitive roots.
Discrete logarithm problem: given α, n, and q, find the unique m, 0 ≤ m < q – 1, such that α^m ≡ n (mod q).
For good choices of q, this is believed to be hard.
Security of Diffie-Hellman
Discrete logarithm problem: given α, n, and q, find the m such that α^m ≡ n (mod q). For good choices of q, this is believed to be hard.
Eavesdropper cannot find K from the intercepted values q, α, Y_A, Y_B. If they could recover X_A, they could solve the discrete log problem, which is hard: given Y_A = α^X_A mod q, find X_A.
(Strictly, what the eavesdropper needs is α^(X_A·X_B) from α^X_A and α^X_B, the computational Diffie-Hellman problem. It is no harder than discrete log; no general proof is known that it is as hard.)
What about Mallory?
[Figure: Alice encrypts and Bob decrypts over an insecure channel (e.g., the Internet); Mallory, an active attacker, sits on the channel and can modify, inject and drop messages, not just read them]
Secure from Active Eavesdropper?
Public: q, α
Alice: private X_A, sends Y_A = α^X_A mod q, computes K = (Y_B)^X_A mod q
Bob: private X_B, sends Y_B = α^X_B mod q, computes K = (Y_A)^X_B mod q
Public: q, α
Mallory (active attacker) picks her own X_M and computes Y_M = α^X_M mod q.
Alice sends Y_A; Mallory intercepts it and forwards Y_M to Bob.
Bob sends Y_B; Mallory intercepts it and forwards Y_M to Alice.
Alice computes K_AM = (Y_M)^X_A mod q, believing she shares it with Bob.
Bob computes K_BM = (Y_M)^X_B mod q, believing he shares it with Alice.
Mallory computes both: K_AM = (Y_A)^X_M mod q and K_BM = (Y_B)^X_M mod q. She can decrypt everything Alice sends, read or alter it, and re-encrypt it for Bob (and vice versa). Unauthenticated Diffie-Hellman gives no protection against an active attacker.
Does D-H Solve This?
evans@virginia.edu
petitions.govInsecure Channel
How does TJ know he’s really talking to petitions.gov?How can he establish a secure channel to transmit password?
Engineering Crypto Applications 36
Asymmetric Cryptography
Asymmetry Required
Messages: everyone should be able to send Alice a message that only Alice can read
Signatures: Bob should be able to verify Alice signed a message, but not impersonate Alice
Asymmetric Cryptosystem
[Figure: Alice applies E to the plaintext; the ciphertext crosses an insecure channel; Bob applies D and recovers the plaintext]
Correctness: D(E(m)) = m
Security: given E(m) and E, cannot learn anything interesting about m or D
Asymmetric Cryptosystem (with Kerckhoffs’ Principle)
The algorithms E and D are public; only a key is secret. Each user has a key pair: a public key KU (anyone may know it) and a private key KR (only its owner knows it). To send to Bob, Alice encrypts with Bob’s public key KU_B; Bob decrypts with his private key KR_B.
Correctness: D_KR_B(E_KU_B(m)) = m
Security: given E_KU_B(m), E, D, and KU_B, cannot learn anything interesting about m or KR_B.
Providing Asymmetry
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x
No function (publicly) known with these properties until 1977…
Ron Rivest, Adi Shamir, Len Adleman (RSA, 1977)
RSA Cryptosystem
E_e(M) = M^e mod n
D_d(C) = C^d mod n
n = pq, where p and q are prime
e (and hence d) is relatively prime to (p – 1)(q – 1)
ed ≡ 1 mod (p – 1)(q – 1)
Correctness of RSA
E_e(M) = M^e mod n, D_d(C) = C^d mod n
D_d(E_e(M)) = (M^e mod n)^d mod n = M^(ed) mod n = M
The last step depends on choosing e and d with ed ≡ 1 mod (p – 1)(q – 1): it uses Fermat’s little theorem and Euler’s totient theorem.
Bonus: Works in Both Orders
E_e(D_d(M)) = (M^d mod n)^e mod n = M^(de) mod n = M
Providing Asymmetry
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x
Does RSA satisfy these?
Easy (Enough) to Compute
Easy to compute: given x, easy to compute f(x)
E_e(M) = M^e mod n
a^(m+n) = a^m × a^n
a^(2b) = a^b × a^b
Compute M^e in about log_2 e multiplications (square-and-multiply), reducing mod n after every step.
Be careful not to have a timing side channel though!
Hard to Invert
Given E_e(M), e and n, it is hard to compute M. If the attacker can factor n = pq, it is easy to find d: d = e^(-1) mod (p – 1)(q – 1).
Recovering d is equivalent to factoring n. Whether recovering M from a ciphertext (the RSA problem) is as hard as factoring is not known, and textbook RSA used without padding has attacks that avoid factoring entirely.
No one seems to know a fast way to factor, except with a quantum computer (and no one seems to yet know how to build a large one).
For reasonable security, n should be 2048 bits (comparable to a 112-bit symmetric key) – believed sufficient until 2030.
Easy to Invert with Trapdoor
E_e(M) = M^e mod n; with the trapdoor d: D_d(C) = C^d mod n
Using RSA: Confidentiality
[Figure: Alice encrypts with E under KU_B; the ciphertext crosses an insecure channel; Bob decrypts with D under KR_B]
Bob selects two large primes p, q, computes ed ≡ 1 mod (p – 1)(q – 1), publishes n = pq and e, and keeps d secret.
Bob’s Public Key: KU_B = (n, e) (modulus, public exponent)
Bob’s Private Key: KR_B = d (private exponent)
Alice sends confidential messages to Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
Using RSA: Signatures
[Figure: Bob signs a message with D under KR_B; the signed message crosses an insecure channel; Alice verifies it with E under KU_B and obtains the verified message]
Bob’s Public Key: KU_B = (n, e); Bob’s Private Key: KR_B = d
Alice verifies the message is from Bob using his public key.
Over 1000x slower than AES! Only use when asymmetry is needed.
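RSA as the preceding slides define it (key generation, square-and-multiply exponentiation, encryption and decryption in either order, and a signature over a digest, which the Message Digests slide later motivates) as one added Python example; it is not code from the slides. The primality test, key generation and hash-then-sign helpers are this example's own, it is textbook RSA with no OAEP or PSS padding, and its exponentiation loop is deliberately the simple data-dependent form the “timing side channel” warning is about: a teaching aid, not a library.

```python
import hashlib
import math
import secrets


def modexp(base: int, exp: int, mod: int) -> int:
    """Right-to-left square-and-multiply: one squaring per bit of exp plus
    one multiply per set bit, about log2(exp) operations in all.
    WARNING: the data-dependent branch leaks the bits of exp through timing;
    never use it like this with a private exponent d."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases, after cheap trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 1024, e: int = 65537):
    """Returns (public (n, e), private d). The slides call for a 2048-bit n;
    the default is smaller only so the example runs quickly."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # e*d = 1 mod (p-1)(q-1); modular inverse, Python 3.8+
    return (p * q, e), d


def encrypt(pub, m: int) -> int:  # E_e(M) = M^e mod n
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return modexp(m, e, n)


def decrypt(pub, d: int, c: int) -> int:  # D_d(C) = C^d mod n
    return modexp(c, d, pub[0])


def sign(pub, d: int, message: bytes) -> int:
    """Hash-then-sign: D_d applied to the SHA-256 digest, so a message of any
    length can be signed. Textbook form: no PKCS#1 or PSS encoding."""
    return modexp(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, pub[0])


def verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    return modexp(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


if __name__ == "__main__":
    pub, d = keygen()
    print(decrypt(pub, d, encrypt(pub, 42)), verify(pub, b"hello", sign(pub, d, b"hello")))
```

For anything beyond a demonstration, private-key operations belong in a constant-time, blinded implementation (Python's built-in three-argument pow is at least faster; a vetted library adds the padding and side-channel protections this block omits).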
Elliptic Curve Asymmetric Cryptosystems
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP (k is the private key: whoever computed Q = kP knows it, and nobody else can recover it).
[Figure: the curve y^2 = x^3 – 7 (mod p)]
RSA vs. ECC vs. Lattice Ciphers
Discovery: RSA 1977 (previously discovered in 1969 by GCHQ and perhaps earlier by NSA); ECC 1985 (adoption limited until ~2005); Lattice 1996
“Hard” problem: RSA factoring; ECC discrete log on an elliptic curve; Lattice lattice problems (e.g., closest vector)
Key size for ~112-bit security: RSA 2048 bits (768 bits broken); ECC 224 bits (112 bits broken); Lattice 1,000,000 bits
Backdoor risk: RSA none; ECC curves selected by NSA; Lattice little
Quantum computing risk: RSA known fast factoring algorithm (Shor’s); ECC similar (a variation of Shor’s algorithm solves discrete log); Lattice no efficient quantum algorithm known
Implementation challenges: RSA avoiding weak keys, timing side channels; ECC fast operations on elliptic curves, leaks on invalid inputs; Lattice only simple arithmetic (but 10Ks of them)
Applications of Asymmetric Cryptosystems
Using Asymmetry: Signatures
[Figure: Bob signs with KR_B; the signed message crosses an insecure channel; Alice verifies with KU_B]
Bob generates KU_B and KR_B and publishes KU_B.
Alice verifies the message is from Bob using his public key.
Over 1000x slower than AES! (with both RSA and ECC)
What if we need to sign long (bigger than n ~ 2048 bits) messages?
Message Digests
[Figure: Bob computes the digest H(message) and signs the digest with KR_B; Alice recomputes H(message), verifies the signature on it with KU_B, and accepts the verified message]
H is a cryptographic hash function:
one-way: given H(x), cannot find a preimage x
strong collision-resistant: hard to find a pair x and y where H(x) = H(y)
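An added Python example (not from the original slides) of why a signed digest needs both properties listed above, and why collision resistance is the more expensive one: a birthday search finds a collision in a truncated SHA-256 after roughly 2^(n/2) hashes, while a second-preimage search on the same truncated hash needs about 2^n, and a collision is enough to move a signature from one message to another. The truncation, the “msg-” prefix, the budget parameter and the function names are this example's own constructions; full 256-bit SHA-256 is not affected.

```python
import hashlib
import os


def trunc_hash(data: bytes, nbits: int) -> int:
    """Toy hash: the leading nbits of SHA-256. Real SHA-256 keeps all 256 bits;
    the truncation exists only so the searches below finish in seconds."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)


def find_collision(nbits: int, rng=os.urandom):
    """Birthday attack on collision resistance: hash random inputs and keep a
    table until some output repeats. Expected cost ~ 2**(nbits/2) hashes.
    Returns (x, y, hashes_computed) with x != y and H(x) == H(y)."""
    seen = {}
    hashes = 0
    while True:
        x = b"msg-" + rng(8)
        h = trunc_hash(x, nbits)
        hashes += 1
        if h in seen and seen[h] != x:
            return seen[h], x, hashes
        seen[h] = x


def find_second_preimage(target: bytes, nbits: int, budget: int, rng=os.urandom):
    """Attack on the one-way / second-preimage property: find y != target with
    H(y) == H(target). No table helps here; expected cost ~ 2**nbits hashes,
    so within a birthday-sized budget this almost always returns None."""
    t = trunc_hash(target, nbits)
    for _ in range(budget):
        y = b"msg-" + rng(8)
        if y != target and trunc_hash(y, nbits) == t:
            return y
    return None


def signature_transfers(x: bytes, y: bytes, nbits: int) -> bool:
    """Why the collision matters for signatures: the signer signs H(m), so a
    signature Bob issued on x verifies unchanged on a colliding y."""
    return x != y and trunc_hash(x, nbits) == trunc_hash(y, nbits)


if __name__ == "__main__":
    x, y, cost = find_collision(32)
    print("collision after", cost, "hashes; signature transfers:", signature_transfers(x, y, 32))
    print("second preimage within the same budget:", find_second_preimage(x, 32, budget=cost))
```

The gap is why a hash paired with a 112-bit-security signature key needs a 224-bit output (SHA-224 or larger), not 112 bits: the attacker who wants a collision only pays for the square root.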
Authentication
[Figure: TJ and petitions.gov over an insecure channel]
How does TJ know he’s really talking to petitions.gov?
How can he establish a secure channel to transmit a password?
Simple Login Protocol
TJ sends c = E_KU_petitions(“tj” + password) to petitions.gov, which recovers the login with D_KR_petitions(c).
Eve can’t decrypt without KR_petitions. (Anyone who records c can replay it, though, and the whole scheme rests on TJ having the right KU_petitions.)
Getting Public Keys
• Public keys are only useful if you know you have the right one!
• Secure on-line directory?
[Figure: TJ asks keys.gov “What is petitions.gov’s public key?” and receives KU_petitions]
Moving the Directory Off-Line
Petitions registers (petitions.gov, KU_Petitions) with TrustMe.com, which issues the certificate C_P = KR_TrustMe[“petitions.gov”, KU_Petitions].
Petitions sends C_P to TJ, who verifies it using KU_TrustMe.
Anyone use this?
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: certificate KR_CA[Server Identity, KU_S]
Client: verify the certificate using KU_CA; check the identity matches the URL
Client: generate random K; send E_KU_S(K)
Server: decrypt K using KR_S
Secure channel using K
How did the client get KU_CA?
Certificates
Petitions sends (petitions.gov, KU_Petitions) to VarySign.com, which issues C_P = KR_VarySign[“petitions.gov”, KU_Petitions]; TJ verifies C_P using KU_VarySign.
How does VarySign decide if it should give a certificate to the requester?
[Screenshots of certificate prices: $1500 for 1 year; $399]
Limiting Damage
C_P = KR_VarySign[“petitions.gov”, cert ID, Expiration, KU_Petitions]
TJ verifies C_P using KU_VarySign, and now also has a certificate identifier and an expiration date to check.
Certificate Revocation
C_P = KR_VarySign[“petitions.gov”, cert ID, Expiration, KU_Petitions]
The client verifies C_P using KU_VarySign, then consults VarySign’s Certificate Revocation List (CRL): a signed list of <cert ID, date> entries for certificates withdrawn before their expiration.
CRL Checking
[Screenshots: the revocation-checking settings in Mozilla Firefox and Google Chrome]
On-line checking is expensive and may fail.
An attacker-in-the-middle can make it fail, so a client that treats a failed check as success gets no protection from revocation.
SSL (Secure Sockets Layer): Simplified TLS Handshake Protocol
Client → Server: Hello
Server → Client: certificate KR_CA[Server Identity, KU_S]
Client: verify the certificate using KU_CA; check the identity matches the URL
Client: generate random K; send KU_S[K] = E_KU_S(K)
Server: decrypt K using KR_S
Secure channel using K
Actual TLS has some extra steps:
- Negotiate versions
- Agree on which ciphers to use (many options, but beware!)
- Can authenticate the client also
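The certificate format from the Limiting Damage and Certificate Revocation slides, the client-side checks (CA signature, identity matches the host, expiration, CRL) and the simplified handshake above, as one added Python example that is not code from the slides or from any TLS implementation. The CA and server keys are fixed toy RSA keys built from the Mersenne primes 2^61 – 1, 2^89 – 1, 2^107 – 1 and 2^127 – 1 (far too small for real use), digests are truncated to 128 bits to fit under those moduli, and the JSON certificate body, function names and the petitions.gov test data are this example's own. One caveat on the slide's design: RSA key transport has no forward secrecy (a later compromise of KR_S exposes every recorded session's K), which is why TLS 1.3 removed it in favour of ephemeral Diffie-Hellman signed with the certificate's key.

```python
import hashlib
import json
import os


# Toy RSA with fixed Mersenne-prime keys, so the example is self-contained.
def toy_keypair(p: int, q: int, e: int = 65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), d


def digest128(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")  # < every n below


def rsa_sign(priv_d: int, pub, data: bytes) -> int:
    return pow(digest128(data), priv_d, pub[0])  # KR[...] on the slides


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == digest128(data)  # checked with KU


def rsa_encrypt_int(pub, m: int) -> int:
    return pow(m, pub[1], pub[0])


def rsa_decrypt_int(pub, priv_d: int, c: int) -> int:
    return pow(c, priv_d, pub[0])


# Certificate authority ("VarySign")
def issue_certificate(ca_pub, ca_d, subject: str, subject_pub, cert_id: int, expires: float):
    """C_P = KR_CA["petitions.gov", cert ID, expiration, KU_petitions]."""
    body = {"subject": subject, "id": cert_id, "expires": expires, "pub": list(subject_pub)}
    tbs = json.dumps(body, sort_keys=True).encode()  # canonical "to be signed" bytes
    return {"body": body, "sig": rsa_sign(ca_d, ca_pub, tbs)}


def verify_certificate(cert, ca_pub, expected_host: str, crl, now: float):
    """Client checks: CA signature, identity matches the URL's host, not
    expired, not revoked. Returns the server's public key KU_S."""
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    if not rsa_verify(ca_pub, tbs, cert["sig"]):
        raise ValueError("bad CA signature")
    b = cert["body"]
    if b["subject"] != expected_host:
        raise ValueError(f"certificate is for {b['subject']}, not {expected_host}")
    if now >= b["expires"]:
        raise ValueError("certificate expired")
    if b["id"] in crl:
        raise ValueError("certificate revoked")
    return tuple(b["pub"])


# Simplified handshake from the slides: RSA key transport of a random K
def client_hello_and_key(cert, ca_pub, host: str, crl, now: float, rng=os.urandom):
    server_pub = verify_certificate(cert, ca_pub, host, crl, now)
    k = int.from_bytes(rng(16), "big")        # random 128-bit session key K
    return k, rsa_encrypt_int(server_pub, k)  # E_KU_S(K) is sent to the server


def server_recover_key(server_pub, server_d: int, enc_k: int) -> int:
    return rsa_decrypt_int(server_pub, server_d, enc_k)  # decrypt with KR_S


def demo(now: float = 1_700_000_000.0):
    """Runs the honest handshake and four attacks the checks must reject."""
    ca_pub, ca_d = toy_keypair(2**61 - 1, 2**89 - 1)
    srv_pub, srv_d = toy_keypair(2**107 - 1, 2**127 - 1)  # distinct primes from the CA
    cert = issue_certificate(ca_pub, ca_d, "petitions.gov", srv_pub, 7, now + 365 * 86400)
    results = {}
    k, enc_k = client_hello_and_key(cert, ca_pub, "petitions.gov", set(), now)
    results["session_key_agreed"] = server_recover_key(srv_pub, srv_d, enc_k) == k
    cases = [("wrong_host", "petitions.gov.evil.example", set(), now),
             ("revoked", "petitions.gov", {7}, now),
             ("expired", "petitions.gov", set(), now + 366 * 86400)]
    for name, host, crl, when in cases:
        try:
            client_hello_and_key(cert, ca_pub, host, crl, when)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    forged = {"body": dict(cert["body"], subject="evil.example"), "sig": cert["sig"]}
    try:  # editing the body without KR_CA breaks the signature
        verify_certificate(forged, ca_pub, "evil.example", set(), now)
        results["forgery_rejected"] = False
    except ValueError:
        results["forgery_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters less than doing all of them: a valid signature on a certificate for the wrong host, or on one that is expired or revoked, is exactly what the Limiting Damage slide is guarding against, and the CRL lookup here is a local set because, as the CRL Checking slide notes, an on-line lookup that fails open protects nothing.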
Summary
• Many useful applications require asymmetry
– Confidentiality without a shared key, signatures
– Others we will cover next week
• Asymmetric cryptosystems can be built using hard problems in number theory with trapdoors: RSA (factoring), ECC (discrete log)
• Asymmetric ciphers are very expensive: need to combine with hashes and symmetric crypto
SSL Test
MightBeEvil.com/crypto
Plan for Final Meeting: Applications of Asymmetric Crypto; Secure Computation; Future of Cryptosystems (open to requests!)