CS 758: Cryptography / Network Security
Transcript of CS 758: Cryptography / Network Security
CS 758 D.R. Stinson
CS 758: Cryptography / Network Security
• offered in the Fall Semester, 2003, by Doug Stinson
• my office: DC 3122
• my email address: [email protected]
• my web page:
http://cacr.math.uwaterloo.ca/~dstinson/index.html
provides a link to the course web page
• lectures: Mondays and Wednesdays from 2:30 PM - 4:00 PM inE2 1303
Sept. 8, 2003 1
CS 758 D.R. Stinson
Objectives/Prerequisites
• basic cryptography concerns secure communication betweentwo parties, while in this course we are interested incryptographic protocols in multiuser/network context
• there is no overlap with
– C&O 685 (Mathematics of Public-Key Cryptography), orwith
– ECE 720 (Cryptographic Computations), or with
– ECE 710 (Sequence Design and Cryptography)
• prerequisites: a previous course in cryptography (e.g. C&O487, Applied Cryptography) is helpful but not required
• background: basic complexity theory, elementary numbertheory, algebra (finite groups, finite fields, linear algebra),probability (random variables), combinatorics
Sept. 8, 2003 2
CS 758 D.R. Stinson
Course Requirements
• students’ grades will be based on assignments (4 or 5, about70%) and a project (about 30%)
• the project will be a written project, possibly with a partner
• the project will involve
– preparing a report on a recent research paper on a topicrelated to the course material, or
– implementing and analyzing one or more protocols on atopic related to the course material
Sept. 8, 2003 3
CS 758 D.R. Stinson
Course Outline
• Review of cryptographic primitives and their applications toinformation security, and notions of cryptographic security.Discussion of public-key encryption, secret-key encryption,message authentication, signature schemes, and hash functions.
• Techniques for entity authentication. Passwords,challenge-response, identification schemes (e.g., Fiat-Shamir,Guillou-Quisquater), general techniques for zero-knowledgeproofs for NP-complete languages.
• Protocols for key establishment, transport, agreement andmaintenance. Online key distibution using a trusted server(Kerberos). Public-key techniques, including Diffie-Hellmankey agreement, man-in-the-middle attacks, STS and forwardsecrecy. Unconditionally secure key distribution, including theBlom scheme and combinatorial key distribution patterns.
Sept. 8, 2003 4
CS 758 D.R. Stinson
Course Outline (cont.)
• Cryptography in a multi-user setting. Secret sharing schemes(including Shamir threshold schemes and schemes for generalaccess structures). Conference key distribution and broadcastencryption. Copyright protection techniques and tracingschemes.
• Public-key infrastructure. Models for managing public keysand certificates (X.509 certificates, certification authorities,trust models, certificate verification and revocation, etc.).Applications, including PGP, SSL and IPsec.
Sept. 8, 2003 5
CS 758 D.R. Stinson
Goals of Cryptography
confidentiality
Confidentiality (or secrecy) means that data cannot beunderstood by an unauthorized party.
data integrity
Data integrity means that data cannot be modified by anunauthorized party.
data origin authentication
Data origin authentication is achieved when it can be verifiedthat data was transmitted by a particular source.
entity authentication
Entity authentication (or identification) refers to theverification of the identity of a person, computer or otherdevice.
Sept. 8, 2003 6
CS 758 D.R. Stinson
Goals of Cryptography (cont.)
non-repudiation
Non-repudiation occurs when it is impossible for someone todeny having transmitted a message that, in fact, they didtransmit.
access control
Access control refers to the restriction of electronic or physicalaccess to authorized parties.
anonymity
Anonymity refers to the anonymous transmission of data, sothat the origin cannot be determined.
Sept. 8, 2003 7
CS 758 D.R. Stinson
Cryptographic Tools
encryption schemes
Encryption schemes are used to achieve confidentiality.
signature schemes
Signature schemes are used to “sign” data. A signature helpsto ensure data integrity and data origin authentication, and itcan also provide non-repudiation.
message authentication codes
A message authentication code provides data integrity.
cryptographic hash functions
A hash function is used to provide random, unpredictableredundancy in data.
Sept. 8, 2003 8
CS 758 D.R. Stinson
Cryptographic Tools (cont.)
key agreement protocols
A key agreement protocol is used to establish a common secretkey known to two or more specified parties. Usually this key isto be subsequently used for another cryptographic purposesuch as symmetric-key encryption or message authentication.
identification schemes
An identification scheme provides entity authentication.
pseudorandom number generators
Pseudorandom number generators expand a small, trulyrandom, seed into a long string of bits that cannot bedistinguished from random bits. Pseudorandom numbergenerators are used in many cryptographic contexts, forexample, in the generation of keys.
Sept. 8, 2003 9
CS 758 D.R. Stinson
Tools and their Usage of Keys
A short summary of cryptographic tools and their usage of keys isprovided in the following table. An “X” indicates that the givenalgorithm and key combination is feasible.
keys
scheme public/private? secret? no key?
encryption scheme X X
signature scheme X
MAC X
hash function X
key agreement scheme X X
identification scheme X X
Sept. 8, 2003 10
CS 758 D.R. Stinson
Secure Socket Layer
client server
I’m Alice−−−−−−−−−−−−−−−−→
I’m Bob, Inc.←−−−−−−−−−−−−−−−−
PK , sigCA(PK )←−−−−−−−−−−−−−−−−verify PK
generate MSy = ePK (MS )−−−−−−−−−−−−−−−−→
MS = dPK (y)
K1, K2 = h(MS ) K1, K2 = h(MS )
Sept. 8, 2003 11
CS 758 D.R. Stinson
Cryptosystem
A cryptosystem is a five-tuple (P, C, K, E, D), where the followingconditions are satisfied:
1. P is a finite set of possible plaintexts
2. C is a finite set of possible ciphertexts
3. K, the keyspace, is a finite set of possible keys
4. For each K ∈ K, there is an encryption rule eK ∈ E and acorresponding decryption rule dK ∈ D. Each eK : P→ C anddK : C→ P are functions such that dK(eK(x)) = x for everyplaintext element x ∈ P.
Sept. 8, 2003 12
CS 758 D.R. Stinson
Public-key vs Secret-key Cryptosystems
• in a secret-key cryptosystem, K is known to both Alice andBob:
Alice Bob
K K
y = eK(x)y−−−−−−−−−−−−−−−−→ x = dK(y)
• in a public-key cryptosystem, K is known only to Bob and eK
is public:
Alice Bob
ek K
y = eK(x)y−−−−−−−−−−−−−−−−→ x = dK(y)
Sept. 8, 2003 13
CS 758 D.R. Stinson
A Substitution-Permutation Network
K1
K2
K3
K4
K5
u1
1v
w 1
u2
v 2
w 2
u3
v 3
w
u4
v 4
S1
2
S2
2
S3
2 S3
4S1
3
S1
4S
4
2 S4
3 S4
4
S2
1 S2
3 S2
4
S1
1 S1
4S1
3
S3
3
3
y
x
Sept. 8, 2003 14
CS 758 D.R. Stinson
The Advanced Encryption Standard (AES)
AES has a block length of 128 bits, and it supports key lengths of128, 192 and 256 bits. The number of rounds, Nr, depends on thekey length: Nr = 10 if the key length is 128 bits; Nr = 12 if the keylength is 192 bits; and Nr = 14 if the key length is 256 bits.
1. Given a plaintext x, initialize State to be x and performAddRoundKey, which x-ors the RoundKey with State.
2. For each of the first Nr− 1 rounds, perform a substitutionoperation called SubBytes on State using an S-box; perform apermutation ShiftRows on State; perform an operationMixColumns on State; and perform AddRoundKey.
3. Perform SubBytes; perform ShiftRows; and performAddRoundKey.
4. Define the ciphertext y to be State.
Sept. 8, 2003 15
CS 758 D.R. Stinson
AES States
All operations in AES are byte-oriented operations, and allvariables used are considered to be formed from an appropriatenumber of bytes. The plaintext x consists of 16 bytes, denotedx0, . . . , x15. State is represented as a four by four array of bytes,initialized as follows:
s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3
←−
x0 x4 x8 x12
x1 x5 x9 x13
x2 x6 x10 x14
x3 x7 x11 x15
Sept. 8, 2003 16
CS 758 D.R. Stinson
The Finite Field F256
The operation SubBytes performs a substitution on each byte ofState independently, which involves operations in the finite field
F28 = Z2[x]/(x8 + x4 + x3 + x + 1).
Let BinaryToField convert a byte to a field element; and letFieldToBinary perform the inverse conversion. This conversionis done in the obvious way: the field element
7∑
i=0
aixi
corresponds to the byte
a7a6a5a4a3a2a1a0,
where ai ∈ Z2 for 0 ≤ i ≤ 7.
Sept. 8, 2003 17
CS 758 D.R. Stinson
SubBytes
Algorithm: SubBytes(a7a6a5a4a3a2a1a0)
external FieldInv,BinaryToField,FieldToBinary
z ← BinaryToField(a7a6a5a4a3a2a1a0)
if z �= 0
then z ← FieldInv(z)
(a7a6a5a4a3a2a1a0)← FieldToBinary(z)
(c7c6c5c4c3c2c1c0)← (01100011)
for i← 0 to 7
do bi ← (ai + ai+4 + ai+5 + ai+6 + ai+7 + ci) mod 2
return b7b6b5b4b3b2b1b0
Sept. 8, 2003 18
CS 758 D.R. Stinson
ShiftRows
The operation ShiftRows acts on State as shown in the followingdiagram:
s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3
←
s0,0 s0,1 s0,2 s0,3
s1,1 s1,2 s1,3 s1,0
s2,2 s2,3 s2,0 s2,1
s3,3 s3,0 s3,1 s3,2
Sept. 8, 2003 19
CS 758 D.R. Stinson
MixColumns
Algorithm: MixColumn(c)
external FieldMult,BinaryToField,FieldToBinary
for i← 0 to 3
do ti ← BinaryToField(si,c)
u0 ← FieldMult(x, t0)⊕ FieldMult(x + 1, t1)⊕ t2 ⊕ t3
u1 ← FieldMult(x, t1)⊕ FieldMult(x + 1, t2)⊕ t3 ⊕ t0
u2 ← FieldMult(x, t2)⊕ FieldMult(x + 1, t3)⊕ t0 ⊕ t1
u3 ← FieldMult(x, t3)⊕ FieldMult(x + 1, t0)⊕ t1 ⊕ t2
for i← 0 to 3
do si,c ← FieldToBinary(ui)
Sept. 8, 2003 20
CS 758 D.R. Stinson
Modes of Operation
• ECB (electronic code book) mode corresponds to the naive useof a block cipher: given a sequence x1x2 · · · of plaintext blocks(each consisting of 128 bits, in the case of the AES), each xi isencrypted with the same key K, producing a string ofciphertext blocks, y1y2 · · · .• In CBC (cipher block chaining) mode, each ciphertext block yi
is x-ored with the next plaintext block, xi+1, before beingencrypted with the key K. More formally, we start with aninitialization vector, denoted by IV, and define y0 = IV. Thenwe construct y1, y2, . . . , using the rule
yi = eK(yi−1 ⊕ xi),
i ≥ 1.
Sept. 8, 2003 21
CS 758 D.R. Stinson
CBC Mode
0IV = y +
Ke
+
Ke
0IV = y + +
x2
y
1x
2
K Kd d
1
1y
decrypt
encrypt
2
21y y
x x
Sept. 8, 2003 22
CS 758 D.R. Stinson
The RSA Public-key Cryptosystem
Let n = pq, where p and q are large primes. Let P = C = Zn, anddefine
K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}.For K = (n, p, q, a, b), define
eK(x) = xb mod n
anddK(y) = ya mod n
(x, y ∈ Zn). The values n and b comprise the public key, and thevalues p, q and a form the private key.
Sept. 8, 2003 23
CS 758 D.R. Stinson
A Toy Example
• suppose Bob chooses primes p = 101 and q = 113
• then n = 11413 and φ(n) = 100× 112 = 11200
• suppose Bob chooses public encryption exponent b = 3533
• then his private decryption exponent isa = b−1 mod 11200 = 6597
• suppose Alice wants to encrypt the plaintext x = 9726
• she will compute
y = 97263533 mod 11413 = 5761
and send y to Bob
• when Bob receives the ciphertext y = 5761, he computes
x = 57616597 mod 11413 = 9726.
Sept. 8, 2003 24
CS 758 D.R. Stinson
The Rabin Cryptosystem
Let n = pq, where p and q are primes. Let P = C = Zn∗, and define
K = {(n, p, q)}.For K = (n, p, q), define
eK(x) = x2 mod n
anddK(y) =
√y mod n.
The value n is the public key, while p and q are the private key.
Note: there are four square roots of y modulo n.
Sept. 8, 2003 25
CS 758 D.R. Stinson
A Toy Example
• suppose Bob chooses primes p = 7 and q = 11
• then the encryption function is
eK(x) = x2 mod 77
and the decryption function is
dK(y) =√
y mod 77
• suppose Alice encrypts the plaintext x = 32 to send to Bob
• the ciphertext is y = 322 mod 77 = 23
• the four square roots of 23 modulo 77 are ±10,±32 mod 77
• the four possible plaintexts are x = 10, 32, 45 and 67
Sept. 8, 2003 26