EE515/IS523 Think Like an

AdversaryLecture 3

Cryptography in a Nutshell

Yongdae Kim

Recap http://syssec.kaist.ac.kr/courses/ee515 E-mail policy

Include [ee515] or [is523] in the subject of your e-mail

Student Survey http://bit.ly/SiK9M3

News posting KLMS http://edu3.kaist.ac.kr/course/view.php?id=14461

Match making, criticism KLMS

Text only posting, email!

In a Nutshell Security by Obscurity is not secure! Conservative modeling for adversary State-sponsored, Hacktivists, Hacker+Criminals,

Researchers ;-) Care for the weakest link. Plan for unknown attacks. Check for environmental changes All stages are important Attacker modeling, design, implementation,

deployment, operation Check News! Cyber Warfare?

Security & RiskWe only have finite resources for security…

If we only have $20K, which should we buy?

Product A

Prevents Attacks: U,W,Y,Z

Cost $10K

Product B

Prevents Attacks: V,X

Cost $20K

RiskThe risk due to a set of attacks is the

expected (or average) cost per unit of time.One measure of risk is Annualized Loss

Expectancy, or ALE:

Σattack A

( pA × LA )

Annualized attack incidence

Cost per attack

ALE of attack A

Risk ReductionA defense mechanism may reduce the risk of

a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR):

The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.

Σattack A

(pA × LA – p’A×L’A)

Basic Cryptography

Yongdae Kim

The main players

Alice Bob

EveYves?

Attacks

Source Destination

Normal Flow

Source Destination

Interruption: Availability

Source Destination

Interception: Confidentiality

Source Destination

Modification: Integrity

Source Destination

Fabrication: Authenticity

Taxonomy of AttacksPassive attacks

EavesdroppingTraffic analysis

Active attacksMasqueradeReplayModification of message contentDenial of service

Big pictureTrusted third party

(e.g. arbiter, distributorof secret information)

SecretInformation

Message

SecretInformation

Message

Alice Bob

InformationChannel

Eve

Terminology for Encryption

A denotes a finite set called the alphabet M denotes a set called the message space

M consists of strings of symbols from an alphabetAn element of M is called a plaintext

C denotes a set called the ciphertext spaceC consists of strings of symbols from an alphabetAn element of C is called a ciphertext

K denotes a set called the key space An element of K is called a key

Ee is an encryption function where e K

Dd called a decryption function where d K

Encryption

Why do we use key?Or why not use just a shared encryption function?

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

c insecure channel

Alice Bob

Adversary

m m

SKE with Secure channel

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

c Insecure channel

Alice Bob

Adversary

Key source

e

m m

d Secure channel

PKE with insecure channel

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

cInsecure channel

Alice Bob

PassiveAdversary

Key source

d

m m

e Insecure channel

Public key should be authentic!

ee

ee

EEee(m)(m)

ee’’

EEee’’(m)(m)EEee(m)(m)

Need to authenticate public keys

Digital SignaturesPrimitive in authentication and non-

repudiation

Signature Process of transforming the message and some

secret information into a tag

NomenclatureM is set of messagesS is set of signaturesSA: M ! S for A, kept private

VA is verification transformation from M to S for A, publicly known

Key Establishment, Management

Key establishmentProcess to whereby a shared secret key becomes

available to two or more partiesSubdivided into key agreement and key transport.

Key managementThe set of processes and mechanisms which

support key establishment The maintenance of ongoing keying relationships

between parties

Symmetric vs. Public keyPros Cons

SKE High data throughput Relatively short key size

The key must remain secret at both ends

O(n2) keys to be managed Relatively short lifetime of

the key

PKE

O(n) keys Only the private key

must be kept secret longer key life time digital signature

Low data throughput Much larger key sizes

Symmetric key EncryptionSymmetric key encryption

if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e

Usually e = d

Block cipherbreaks up the plaintext messages to be

transmitted into blocks of a fixed length, and encrypts one block at a time

Stream cipherencrypt individual characters of plaintext

message one at a time, using encryption transformation which varies with time

Hash function and MAC A hash function is a function h

compression ease of computation Properties

one-way: for a given y, find x’ such that h(x’) = y collision resistance: find x and x’ such that h(x) = h(x’)

Examples: SHA-1, MD-5

MAC (message authentication codes) both authentication and integrity MAC is a family of functions hk

ease of computation (if k is known !!) compression, x is of arbitrary length, hk(x) has fixed length computation resistance

Example: HMAC

How Random is the Hash function?

Applications of Hash Function

File integrity

Digital signatureSign = SSK(h(m))

Password verificationstored hash = h(password)

File identifier

Hash table

Generating random numbers

Hash function and MAC A hash function is a function h

compression ease of computation Properties

one-way: for a given y, find x’ such that h(x’) = y collision resistance: find x and x’ such that h(x) = h(x’)

Examples: SHA-1, MD-5

MAC (message authentication codes) both authentication and integrity MAC is a family of functions hk

ease of computation (if k is known !!) compression, x is of arbitrary length, hk(x) has fixed length computation resistance

Example: HMAC

MAC construction from Hash Prefix

M=h(k||x) appending y and deducing h(k||x||y) form h(k||x) without

knowing k Suffix

M=h(x||k) possible a birthday attack, an adversary that can choose x

can construct x’ for which h(x)=h(x’) in O(2n/2)

STATE OF THE ART: HMAC (RFC 2104) HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding The outer hash operates on an input of two blocks Provably secure

How to use MAC?A & B share a secret key kA sends the message x and the MAC

M←Hk(x)B receives x and M from AB computes Hk(x) with received MB checks if M=Hk(x)

PKE with insecure channel

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

cInsecure channel

Alice Bob

PassiveAdversary

Key source

d

m m

e Insecure channel

Digital Signature

IntegrityAuthenticationNon-repudiationI did not

have intimate relations with that woman,…, Ms. Lewinsky

Digital Signature with Appendix

Schemes with appendixRequires the message as input to verification

algorithmRely on cryptographic hash functions rather than

customized redundancy functionsDSA, ElGamal, Schnorr etc.

Digital Signature with Appendix

M

m mh

Mh

h s*

SSA,k

Mh x Su 2{True, False}

VA

s* = SA,k(mh)

u = VA(mh, s*)

Authentication

How to prove your identity?Prove that you know a secret information

When key K is shared between A and ServerA S: HMACK(M) where M can provide freshnessWhy freshness?

Digital signature?A S: SigSK(M) where M can provide freshness

Comparison?

Encryption and Authentication

EK(M)

Redundancy-then-Encrypt: EK(M, R(M))

Hash-then-Encrypt: EK(M, h(M))

Hash and Encrypt: EK(M), h(M)

MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M)

MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

Challenge-response authentication

Alice is identified by a secret she possessesBob needs to know that Alice does indeed possess

this secretAlice provides response to a time-variant

challengeResponse depends on both secret and challenge

UsingSymmetric encryptionOne way functions

Challenge Response using SKE

Alice and Bob share a key KTaxonomy

Unidirectional authentication using timestamps

Unidirectional authentication using random numbers

Mutual authentication using random numbers

Unilateral authentication using timestampsAlice Bob: EK(tA, B)Bob decrypts and verified that timestamp is OKParameter B prevents replay of same message in

B A direction

Challenge Response using SKE

Unilateral authentication using random numbersBob Alice: rb

Alice Bob: EK(rb, B)

Bob checks to see if rb is the one it sent out Also checks “B” - prevents reflection attack

rb must be non-repeating

Mutual authentication using random numbersBob Alice: rb

Alice Bob: EK(ra, rb, B)

Bob Alice: EK(ra, rb)

Alice checks that ra, rb are the ones used earlier

Challenge-response using OWF

Instead of encryption, used keyed MAC hK

Check: compute MAC from known quantities, and check with message

SKID3Bob Alice: rb

Alice Bob: ra, hK(ra, rb, B)

Bob Alice: hK(ra, rb, A)

Key Establishment, Management

Key establishmentProcess to whereby a shared secret key becomes

available to two or more partiesSubdivided into key agreement and key transport.

Key managementThe set of processes and mechanisms which

support key establishment The maintenance of ongoing keying relationships

between parties