Security in Computing Chapter 2, Elementary Cryptography Summary created by Kirk Scott 1.
1. Notation
• S = Sender
• R = Recipient or Receiver
• T = Transmission Medium
• O = Outsider, possibly an Interceptor or Intruder

2. Possible Attacks on Messages in Transit
• A. Block the message
  – R does not receive it
  – This violates availability
• B. Intercept the message
  – If it is readable, this violates confidentiality
  – Even if unreadable, knowing that a message was sent may be of value
• C. Modify the message
  – Intercept, modify, and retransmit
  – This violates integrity
• D. Fabricate a message
  – Send a message to R that appears to come from S
  – This violates integrity

3. Terminology
• Encryption = encoding = enciphering = converting plaintext to ciphertext = scrambling the contents of a message so it can only be read by the intended recipient
• Decryption = decoding = deciphering = converting ciphertext to plaintext
• A rational scheme for encryption and decryption is known as a cryptosystem

4. More Notation
• A plaintext sequence of characters can be represented in this way:
  – P = <p1, p2, …, pn>
• Ciphertext can be represented in this way:
  – C = <c1, c2, …, cn>
• Encoding and decoding can be represented as functions E() and D()

5. Relationships in a Cryptosystem
• Encryption: C = E(P)
• Decryption: P = D(C)
• A successful cryptosystem has this property:
  – P = D(E(P))
6. Encryption Algorithms
• An encryption algorithm is a set of rules for converting plaintext to ciphertext
• Algorithms commonly come in families
• A slight variation in the use of the rules yields a different encryption

7. Keys
• In certain cryptosystems the variation between different applications of an algorithm is embodied in keys
• A key, K, identifies or characterizes a particular variation on an algorithm
• This is the notation for encrypting with a key, where E() represents the algorithm overall:
  – C = E(K, P)
• If encryption is done with a key, decryption will also be done with a key:
  – P = D(K, C)

8. Symmetric and Asymmetric Keys
• Symmetric: The keys for encryption and decryption are the same:
  – P = D(K, E(K, P))
• Asymmetric: The keys for encryption and decryption are different:
  – P = D(KD, E(KE, P))
• Both kinds of systems will eventually be discussed in depth

9. Keys or No Keys
• Keyless cryptosystems are possible
• A system with a key makes multiple encryptions of plaintext possible
• It makes the code breaker's task more difficult:
  – Figure out the algorithm
  – Also figure out the key
• Even if the algorithm is known, it's still necessary to figure out the key
10. Cryptology/Cryptography
• Cryptology = research and study of codes
• Cryptography = use and application of codes
• Cryptographer = (authorized) user of codes
• Cryptanalyst = breaker of codes

11. Functions of Cryptanalysis
• Break a single message
• Deduce a key for an algorithm
• Deduce an algorithm
• Signals intelligence: Infer meaning from message traffic without decryption
• Find weaknesses in the use of a cryptosystem
• Find weaknesses in a cryptosystem in the absence of intercepted messages

12. Sources for Cryptanalysis
• Intercepted plaintext
• Intercepted ciphertext or suspected ciphertext
• Properties of human languages
• Mathematical and statistical tools
• Known algorithms
• Intuition, ingenuity, perseverance, luck
• All approaches, licit and illicit, are open to the attacker

13. Breakable Encryption
• A code may be theoretically breakable through brute force
• Even given all possible decryptions, it would still be necessary to pick the right one
• The real problem is not having the computing resources to afford a brute force solution
• On the other hand, computing resources are getting cheaper and cheaper
• The real opportunity comes from applying strategies better than brute force
14. Numeric Representations of the Alphabet
• A = 0, B = 1, …, Z = 25
• Starting with zero makes it possible to work in modular fashion
• Simple codes can be based on + and –
• If the result goes below 0 or above 25, modular arithmetic rolls over or wraps around

15. Two Simple Example Techniques of Encryption
• Substitution: Exchange one letter for another
  – This embodies the idea of confusion
  – One thing stands for another
• Transposition: Rearrange the letters in a message
  – This embodies the idea of diffusion
  – Parts of the original message are spread throughout the encrypted message
• These two techniques alone are too weak for commercial use
• They are of historical interest
• They are also useful for learning the concepts without getting bogged down in heavy math

16. Simple Substitution
• This may be called a mono-alphabetic cipher
• Example: Caesar's Cipher:
  – A → d, B → e, …, Z → c
  – ci = E(pi) = (pi + 3) mod 26
• Example:
  – TREATY IMPOSSIBLE → wuhdwb lpsrvvleoh

18. Aspects of Caesar's Cipher
• Easy to use
• No need for written instructions
• In a world where most were illiterate anyway, it was reasonably secure
• On the other hand, it is also quite weak
19. Cryptanalysis of Caesar's Cipher
• Spaces between words are preserved
• Plaintext letters always map to the same ciphertext letters
• As a consequence, regularly occurring sequences of letters in plaintext will recur as ciphertext sequences (prefixes, suffixes, etc.)
• In the small example given, the appearance of the double letters SS/vv illustrates the idea

20. A Cryptanalysis Example
• wklv phvvdjh lv qrw wrr kdug wr euhdn
• This is based on a 27 letter alphabet with the space included
• Furthermore, the space hasn't been encrypted (or "it codes to itself")
• This opens up lots of cryptanalytic possibilities
• The number of short words in English is small
• For example, am, is, to, be, he, we, and, are, you, she, …
• Approach: Substitute whole short words, then do the same letter substitutions elsewhere to see what you get
• wrr is a strong clue because it contains a double letter, and wr only reinforces this
• Small words fitting the wrr pattern include see, too, add, odd, off, …
• You also need one where the first two letters make a smaller word
• Add and ad would work
• Too and to are probably more common
• This is an educated guessing game
• Trying too and to gives:
  – wklv phvvdjh lv qrw wrr kdug wr euhdn
  – T--- ------- -- -OT TOO ---- TO -----
• Now consider lv, which is a short word in its own right and also ends wklv
• Is and this are reasonable guesses
• At some point either the message or the transformation will become obvious…
21. Permutations of the Alphabet
• The alphabet can be rearranged in less obvious ways than shifting 3 to the right
• In general a permutation is any reordering of the elements of a set
• Given a set, {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
• A permutation can be represented:
  – Π1 = {1, 3, 5, 7, 10, 8, 6, 4, 2}
• For an individual element:
  – Π1(3) = 5

22. Keys, Permutations, and Substitution Ciphers
• Any permutation of the alphabet can be used as a substitution cipher
• A key can be the basis for coming up with a substitution
• Let the key be "word"
• Here is a way of using it to determine a code:
  – ABCDEFGHIJKLMNOPQRSTUVWXYZ
  – wordabcefghijklmnpqstuvxyz
• The key is short, so lots of substitutions are near their originals
• At the end, letters "substitute" for themselves
• The letters at the end of the alphabet are uncommon
• Still, this is weak
• The book suggests an alternative of counting by 3:
  – ABCDEFGHIJKLMNOPQRSTUVWXYZ
  – adgjmpsvybehknqtwzcfilorux
• You could probably come up with a mathematical expression for this
• It works because of the relationship between 3 and 26 (relatively prime?)
23. The Complexity of Substitution
• All simple substitutions are equivalent to table lookup
• For practical purposes, the time to look up each letter is constant
• For a message of length n, both encryption and decryption are O(n)
• The simplicity of table lookup makes use easy for authorized users
• Low order of complexity is a sign of a weak algorithm
• If a key is involved, the encryption may be strong
• The point is that the security of the encryption now depends largely on the key and not the algorithm

24. Cryptanalysis of Substitution Ciphers
• Superficially, substitution ciphers appear to be based on a hard problem
• There are 26! permutations of the English alphabet
• Trying all by brute force would be daunting
• If encryption was done by mono-alphabetic substitution, letter frequency analysis breaks the code
• The cryptanalyst is not restricted to solving the underlying hard problem
• Consider the program LetterCount.java, given with the first assignment
• Empirically determine letter frequencies in English text and see what frequencies occur in ciphertext
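Added example (my code, not the page's or the textbook's): the substitution ciphers of sections 16 and 22 as constant-time table lookup, and the frequency analysis of section 24 applied to the Caesar example of section 20. It assumes an approximate English letter-frequency table, which is supplied inline; the function names are mine.

```python
"""Mono-alphabetic substitution as table lookup, with a frequency-based break of a Caesar shift."""
from math import gcd
from string import ascii_uppercase as ALPHA

# Approximate relative frequencies (percent) of letters in English text, A..Z.
# Constructed reference table for scoring; any standard table will do.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_alphabet(shift):
    """Cipher alphabet for a Caesar shift: position i maps to (i + shift) mod 26."""
    return "".join(ALPHA[(i + shift) % 26] for i in range(26)).lower()


def keyword_alphabet(keyword):
    """Section 22: the key's letters first (repeats dropped), then the unused letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHA:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen).lower()


def step_alphabet(step):
    """Section 22's 'counting by 3': letter i maps to (i * step) mod 26.
    This is a permutation only when gcd(step, 26) == 1, which is why 3 works."""
    if gcd(step, 26) != 1:
        raise ValueError("step must be relatively prime to 26")
    return "".join(ALPHA[(i * step) % 26] for i in range(26)).lower()


def substitute(text, cipher_alphabet):
    """Encrypt: each plaintext letter is one constant-time table lookup; other
    characters (spaces, punctuation) pass through unchanged, as in the page's examples."""
    return text.upper().translate(str.maketrans(ALPHA, cipher_alphabet))


def unsubstitute(text, cipher_alphabet):
    """Decrypt with the inverse table (uppercase output, like the page's plaintexts)."""
    return text.lower().translate(str.maketrans(cipher_alphabet, ALPHA))


def chi_squared(text):
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    letters = [ch for ch in text.upper() if ch in ALPHA]
    n = len(letters) or 1
    score = 0.0
    for i, ch in enumerate(ALPHA):
        expected = ENGLISH_FREQ[i] * n / 100
        score += (letters.count(ch) - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Section 24: try all 26 shifts and keep the decryption that looks most like English.
    Returns (shift, plaintext)."""
    best = None
    for shift in range(26):
        candidate = unsubstitute(ciphertext, caesar_alphabet(shift))
        score = chi_squared(candidate)
        if best is None or score < best[0]:
            best = (score, shift, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    print(substitute("TREATY IMPOSSIBLE", caesar_alphabet(3)))   # wuhdwb lpsrvvleoh
    print(keyword_alphabet("word"), step_alphabet(3))
    print(break_caesar("wklv phvvdjh lv qrw wrr kdug wr euhdn"))
```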
25. The Cryptographer's Dilemma
• Encryption is not random
• In order to encrypt and decrypt, there has to be a pattern which authorized users know
• It's the pattern which gives clues to the cryptanalyst
• The contest between cryptographers and cryptanalysts is never-ending
• Consider these additional points:
• 1. If a message is short enough, it will not include sufficient traces of the pattern for analysis
  – Suppose you simply intercept a message consisting of 6 characters
  – What could it be?
  – You need context to even hazard a guess
• 2. In the cryptographic arms race, you can essentially assume that anything encrypted is breakable
  – The question is, will it be breakable before the data loses its value?
  – This is the principle of adequate protection applied to thinking about how strongly to encrypt something
26. Vernam Ciphers
• A diagram of the Vernam process is shown on the following overhead
• Note that the diagram shows XOR as the transformation
• The book chooses to illustrate the idea behind Vernam with an example based on addition and modular arithmetic rather than XOR
• Letters of plaintext are represented by numbers
• Then a sequence of 2 digit random numbers is considered
• The random numbers are added to the plaintext, mod 26
• The idea is that this is a system where the algorithm is extremely simple
• Security depends on the secrecy and randomness of the key
• The problem with this illustration is that it's not clear how you decrypt
• It does not appear to me that this is true:
  – p = (((p + n) mod 26) + n) mod 26
• XOR actually makes a better example
• Let the letters and random numbers be represented in binary
• If p is the plaintext and q is the random number key:
  – E(p) = c = p XOR q
  – D(c) = c XOR q = (p XOR q) XOR q = p
• In other words, applying XOR q twice returns you to p
• Here is a little truth table showing that on a bit-wise basis, (p XOR q) XOR q = p:

  p   q   p XOR q   (p XOR q) XOR q
  1   1      0             1
  1   0      1             1
  0   1      1             0
  0   0      0             0
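Added example, not from the page or the book: both Vernam forms from this section. The additive version decrypts by subtracting the same key numbers mod 26 (the step the book's illustration leaves implicit), and the XOR version is its own inverse, as the truth table shows. The two-digit key numbers in the demo are constructed sample values.

```python
"""Vernam cipher two ways: the book's additive mod-26 illustration, and the XOR form."""
import secrets
from string import ascii_uppercase as ALPHA


def additive_encrypt(plaintext, key_numbers):
    """Add the key numbers to the letters (A=0..Z=25), mod 26. The key must be at least as
    long as the text; non-letters are dropped, as in the book's number-only illustration."""
    letters = [ALPHA.index(ch) for ch in plaintext.upper() if ch in ALPHA]
    if len(key_numbers) < len(letters):
        raise ValueError("key must be at least as long as the message")
    return "".join(ALPHA[(p + n) % 26] for p, n in zip(letters, key_numbers))


def additive_decrypt(ciphertext, key_numbers):
    """Undo the addition by subtracting the same numbers mod 26: (p + n - n) mod 26 == p.
    Adding n a second time, as the page's doubted formula does, does not recover p."""
    return "".join(ALPHA[(ALPHA.index(c) - n) % 26] for c, n in zip(ciphertext, key_numbers))


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Bit-wise XOR of message bytes with key bytes. Decryption is the same call,
    because (p XOR q) XOR q == p for every bit, as the page's truth table shows."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(p ^ q for p, q in zip(data, key))


def fresh_key(length):
    """One-time-pad key: cryptographically random bytes, used once and then discarded."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed sample key of two-digit numbers, as in the book's illustration.
    key = [76, 48, 16, 82, 44, 3, 58, 11, 60, 5, 48, 88]
    c = additive_encrypt("VERNAMCIPHER", key)
    print(c, additive_decrypt(c, key))           # TAHRSPITXMAB VERNAMCIPHER
    k = fresh_key(5)
    print(xor_encrypt(xor_encrypt(b"HELLO", k), k))
```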
27. Vigenere Tables
• A Vigenere table is shown on the overhead following the next one
• Across the top the columns are labeled with small letters
• This can be interpreted as key lookup
• Down the side the rows are labeled with big letters
• This can be interpreted as plaintext lookup
• At the right-most edge there is a column labeled π
• This tells you that each row in the table is one of 26 permutations of the alphabet
• Encryption using a Vigenere table involves substitution
• This is poly-alphabetic substitution (not mono-alphabetic)

28. Vigenere Example
• Key: iamiexistthatiscert
• Message: MACHINESCANNOTTHINK
• Encryption of first letter, for example: look up the intersection of row M, column i, getting u
• The complete encryption is: uaopm kmkvt unhbl jmed
• Substitution has occurred, but substitution was done on each letter from a potentially different permutation of the alphabet, depending on what the corresponding key value was
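Added example (mine, not the textbook's) of the table lookup described in section 28, checked against the page's key and message. It also shows why section 29 asks which string is the message and which is the key: swapping them produces the same ciphertext.

```python
"""Vigenere encryption as lookup in the page's table: row = plaintext letter, column = key letter."""
from string import ascii_uppercase as ALPHA


def table_row(plaintext_letter):
    """Row of the Vigenere table labeled by a plaintext letter: one of the 26 rotations
    (permutations) of the alphabet, starting at that letter."""
    shift = ALPHA.index(plaintext_letter.upper())
    return ALPHA[shift:] + ALPHA[:shift]


def vigenere_encrypt(message, key):
    """Letter i of the message selects the row; letter i of the key selects the column.
    The key repeats if it is shorter than the message, which section 30 tells you not to do."""
    out = []
    for i, p in enumerate(message.upper()):
        column = ALPHA.index(key[i % len(key)].upper())
        out.append(table_row(p)[column])
    return "".join(out).lower()


def vigenere_decrypt(ciphertext, key):
    """Inverse lookup: in the key letter's column, find the row whose entry is the ciphertext
    letter; that row's label is the plaintext letter (arithmetically, (c - k) mod 26)."""
    out = []
    for i, c in enumerate(ciphertext.upper()):
        column = ALPHA.index(key[i % len(key)].upper())
        out.append(next(p for p in ALPHA if table_row(p)[column] == c))
    return "".join(out)


def groups_of_five(text):
    """Present ciphertext in five-letter groups, as the page does."""
    return " ".join(text[i:i + 5] for i in range(0, len(text), 5))


if __name__ == "__main__":
    key, message = "iamiexistthatiscert", "MACHINESCANNOTTHINK"
    c = vigenere_encrypt(message, key)
    print(groups_of_five(c))          # uaopm kmkvt unhbl jmed
    print(vigenere_decrypt(c, key))   # MACHINESCANNOTTHINK
    # Addition mod 26 commutes, so message and key are interchangeable (section 29's question).
    print(vigenere_decrypt(c, message))   # IAMIEXISTTHATISCERT
```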
29. Cryptanalysis of the Example
• The original message is English and has corresponding letter frequencies
• In this example the key is also English and will have corresponding letter frequencies
• A, E, O, and T make up 40% of English text
• The probability that both the plaintext and the key come from this set:
  – .4 × .4 = .16
• A, E, O, T, N, and I make up 50% of English text
• The probability that both the plaintext and the key come from this set:
  – .5 × .5 = .25
• A Vigenere table is shown on the following overhead with the intersections of the rows and columns for these letters circled
• Consider any one ciphertext letter
• If it appears in the intersection of one of the highlighted rows and columns, there is a high probability that the ciphertext letter was produced by that plaintext/key pair
• This observation alone won't crack the code, but it tilts the odds in the cryptanalyst's favor
• Randomly guessing plaintext/key pairs would have this kind of probability:
  – 1/26 × 1/26 = 1/676 = .001479
• Letter pair by letter pair it isn't necessarily clear which would be the plaintext and which would be the key
• Even in a final decryption, which would be the message, "iam…" or "machines…"?

30. Strengthening Such a Code
• Never repeat or recycle the key
• Do not use text, books, poems, etc. as the key
• Use values without a pattern
• Example: Use middle digits of telephone numbers starting at an agreed upon place in the book
• Use random numbers generated by a computer

31. One Time Pads
• This term refers to printed sequences of random numbers distributed as keys to senders and receivers
• As they are used, they are destroyed
• Without other clues, the ciphertext itself is virtually unbreakable
• Attacks will come on the key distribution and storage system
32. Transpositions = Permutations of Messages (Not Permutations of the Alphabet)
• Substitution is a confusion based technique
• Transposition is a diffusion based technique
• The contents of the original message are dispersed throughout the encrypted message

33. Columnar Transposition (Row-Column Transposition)
• Arrange the plaintext in rows of fixed length
• Read it back in columns
• If you don't completely fill the matrix, pad the last row with X's
• An example is shown on the following overhead:
  – THISI
  – SAMES
  – SAGET
  – OSHOW
  – HOWAC
  – OLUMN
  – ARTRA
  – NSPOS
  – ITION
  – WORKS
• Becomes:
  – tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasns

34. Encipherment/Decipherment Complexity
• Note, this is about authorized users, not cryptanalysis
• There is a constant time for each character
• There is also a space cost
• You have to hold the whole message before encrypting or decrypting
• This implies a delay before encrypting and decrypting
• Not practical for long, time-sensitive messages

35. Cryptanalysis of a Transposition Cipher
• If you believe you have a complete message
• If you suspect it's a row-column transposition
• You can try all different possible row/column sizes and see which one gives a decryption
• Note that if you do a letter frequency analysis and it agrees with English text, this is a sign that you're dealing with a technique like transposition, not substitution
• If the message is large
• Or if computing resources are limited
• You can do a piecemeal attack using digram/trigram analysis
• Digram and trigram are just fancy words for sequences of two and three letters
• In any language, including English, some sequences are common and some are rare
• Let the following be given:
  – ABS
  – URD
  – LYX
  – aulbrysdx
• To check whether there were two columns:
  – c0, c2 = AL (OK)
  – c0, c2, c4 = ALR (OK, already)
  – c2, c4, c6 = LRS (Maybe not)
• To check whether there were three columns:
  – c0, c3 = AB (OK)
  – c0, c3, c6 = ABS (OK)
  – Etc. They'll all be OK…
• A large proportion of common to rare "grams" is a sign you're on the right track
36. Combinations of Encryption Approaches
• Substitution and transposition can be mixed, for example
• A product cipher can be represented in this way:
  – E2(E1(P, K1), K2)
• A product, or composition, of ciphers may be more secure
• If algorithms are composed without understanding, the result may be weaker

37. Shannon's Characteristics of Good Ciphers
• 1. Effort to use should be proportional to strength
• 2. Algorithm and keys should be free of extraneous complexities
• 3. Implementation and use should be as simple as possible
• 4. Errors in ciphering should not propagate and corrupt what follows
• 5. The size of the encryption should be no greater than the original
• Shannon's characteristics were developed for hand-based systems
• They still have general validity
• However, computers have effectively obviated some of them

38. Properties of Trustworthy Encryption Systems
• This topic refers to commercially viable systems, not hand-based systems
• Based on sound, established mathematics and solid principles
• Analyzed by competent experts and verified by them
• Stood the test of time
39. Stream Ciphers
• Mono-alphabetic substitution illustrated the concept
• Transformation of plaintext is accomplished one symbol at a time with the key algorithm
• One slip can mess up what follows, but finding the problem in a stream is doable
• Low to no diffusion
• Susceptible to insertion and modification

40. Block Ciphers
• Row-column transposition illustrated the concept
• Encryption/decryption performed on a set of symbols, producing another set
• High diffusion—throughout block
• Immunity to insertion
• Delay/slowness in encryption and decryption
• One error may make a whole block garbage

41. Source Information for Cryptanalysis
• The cryptanalyst may have this information:
  – Ciphertext (only)
  – Full plaintext (plus matching ciphertext)
  – Partial or possible plaintext (plus ciphertext)
  – The algorithm

42. Given Ciphertext
• This is what the foregoing examples were about
• The analysis is based on:
  – Probabilities
  – Distributions
  – Characteristics discernible in the ciphertext
  – Publicly available knowledge

43. Ultimate Task, Given Plaintext and Ciphertext
• For some C = E(P)
  – Find E()
• Or, for some C = E(P, K)
  – Find K

44. Given Full Plaintext and Ciphertext
• Under these conditions there is no message to decrypt
• The goal is to find the algorithm or key
• Given the algorithm, a key may be breakable by brute force, testing all possibilities
• With no additional knowledge, deducing the algorithm may depend on informed trial and error

45. Given Partial or Probable Plaintext and Ciphertext
• This is like a ciphertext-only attack, only with a head start
• You rely on educated guesses, probabilities, distributions, etc.
• Hopefully you arrive at a full message decryption
• Then you can think about trying to determine the algorithm or key that produced it

46. Given Ciphertext of any Selected Plaintext
• If an organization has been infiltrated, it may be possible to insert messages and intercept the encryptions
• This is the most powerful attack possible on algorithms
• It allows the analyst to test hypotheses about them
• This approach depends on a pre-existing attack that allows insertion, as opposed to an attack that obtained algorithms and keys outright

47. Cryptographic Weaknesses
• Human beings are faulty, or at least they have predictable characteristics which can be exploited
• Likewise for software…
• Likewise for hardware…
48. Current Commercial Algorithms
• These systems are supposed to measure up to a level of trustworthiness appropriate to modern commercial transactions
• DES = Data Encryption Standard
• RSA = Rivest-Shamir-Adleman
• AES = Advanced Encryption Standard
• It may be argued that AES does not yet meet criterion 3, the test of time, since it's the newest

49. Symmetric and Asymmetric Encryption Systems
• AES and DES are symmetric
• Secure communication is supported by a single, shared, private key for each pair of users
• RSA is asymmetric
• Each user has two keys, one public and one private
• The public key is shared with any other user who wants to send a secure message to that user
• The differences in keys determine how each kind of system is applied

50. DES Background
• NBS Specifications:
  – Highly secure
  – Clearly specified/easy to understand
  – Publishable/open algorithm/validatable
  – Available to all users
  – Adaptable to diverse applications
  – Economical hardware implementation
  – Efficient to use
  – Exportable
• Didn't quite meet all of their requirements
• System developed by IBM (initially proprietary and not)
• Verified/modified(?) by the NSA
• Adopted as a standard in 1976

51. DES Algorithm
• 64 bit blocks
• Suited to 64 bit architecture
• 64 bit key with 56 effective bits
• 16 cycles of substitution and transposition
• I.e., both confusion and diffusion in blocks
• Implemented using standard arithmetic/logic/shift operations

52. Security of DES
• Growth in computing power now makes testing 2^56 possible keys feasible
• This still takes money and time
• Some features were never revealed or inferred through independent research
• Never was fully trusted for fear of an NSA trapdoor

53. Increasing the Security of DES
• DES wasn't developed with the ability to increase its security with longer keys
• Double DES = E(k2, E(k1, m))
• It has been shown that for doubling the encryption/decryption effort in this way, you only double the cryptanalysis cost
• In other words, the effective key length only grows to 57
• Triple DES = E(k3, D(k2, E(k1, m)))
• Note: This is the presentation in the 3rd edition
• The textual explanation seems to imply that the 3rd edition was correct and the 4th edition contains a false modification
• At the expense of tripling the encryption/decryption cost, the cost of cryptanalysis is increased by a factor of 2^56
• In other words, the effective key length is doubled to 112
• This is significant, but multiple encryption is not as convenient as a system that simply has a longer key
• The book presents a third option that results in an effective key length of 80
• The details aren't important
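Added example, not from the page or the book, of why double encryption only adds one bit of effective key length: a meet-in-the-middle search on a constructed 8-bit toy cipher standing in for DES. The toy cipher, its S-box and the key values are my assumptions; only the cost argument (2 × 2^k cipher calls plus a 2^k table, instead of 2^2k) carries over to 56-bit DES.

```python
"""Why double encryption adds only one key bit: meet-in-the-middle on a toy block cipher.

The toy cipher below stands in for DES (section 53); its 8-bit key and block keep the
whole demonstration instant, but the counting argument is the same for 56-bit keys.
"""
# Constructed 8-bit S-box: an affine bijection on 0..255 (171 is odd, so it inverts).
SBOX = [(171 * x + 0x5C) % 256 for x in range(256)]
INV_SBOX = {v: i for i, v in enumerate(SBOX)}
KEY_BITS = 8


def rotl8(x, r):
    return ((x << r) | (x >> (8 - r))) & 0xFF


def rotr8(x, r):
    return ((x >> r) | (x << (8 - r))) & 0xFF


def toy_encrypt(key, block):
    """Two rounds of key mixing, S-box and rotation: a stand-in for E(k, m), not DES."""
    x = block
    for r in (1, 2):
        x = rotl8(SBOX[x ^ key], 3 * r) ^ rotl8(key, r)
    return x


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt, round by round in reverse order."""
    x = block
    for r in (2, 1):
        x = INV_SBOX[rotr8(x ^ rotl8(key, r), 3 * r)] ^ key
    return x


def double_encrypt(k1, k2, block):
    """Double DES analogue: E(k2, E(k1, m))."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs of the double cipher.

    Brute force over both keys would cost 2^(2*KEY_BITS) trial encryptions; meeting in
    the middle costs 2 * 2^KEY_BITS cipher calls plus a 2^KEY_BITS-entry table, which is
    why the effective key length of double DES is 57 bits rather than 112.
    Returns (candidate key pairs, number of cipher calls used in the two halves)."""
    (m0, c0), rest = pairs[0], pairs[1:]
    calls = 0
    # Forward half: E(k1, m0) for every k1, remembering which k1 gave each middle value.
    forward = {}
    for k1 in range(2 ** KEY_BITS):
        forward.setdefault(toy_encrypt(k1, m0), []).append(k1)
        calls += 1
    # Backward half: D(k2, c0) for every k2; a hit in the table is a candidate (k1, k2).
    candidates = []
    for k2 in range(2 ** KEY_BITS):
        middle = toy_decrypt(k2, c0)
        calls += 1
        for k1 in forward.get(middle, []):
            # One pair leaves false matches; the remaining known pairs weed them out.
            if all(double_encrypt(k1, k2, m) == c for m, c in rest):
                candidates.append((k1, k2))
    return candidates, calls


def brute_force_cost():
    """Trial encryptions an exhaustive search over (k1, k2) would need for one pair."""
    return 2 ** (2 * KEY_BITS)


if __name__ == "__main__":
    k1, k2 = 0x3A, 0xC7
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x00, 0x55, 0xA9, 0xF0)]
    print(meet_in_the_middle(pairs), brute_force_cost())
```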
54. AES Background
• The NIST solicited replacements for DES with these characteristics:
  – Unclassified/publicly disclosed
  – Royalty-free worldwide
  – Symmetric block cipher for 128 bits
  – Usable with 128, 192, and 256 bit keys
• After evaluation, the Rijndael algorithm was chosen
• It was created by two Dutchmen and openly published
• Not the least of its advantages was reduced fear of a government trapdoor

55. AES Algorithm
• 10, 12, or 14 cycles for keys of 128, 192, and 256 bits, respectively
• Cycles include substitution and transposition
• Operations include byte substitution, row shift, column mixing, XOR, and adding subkeys
• Message bits are diffused throughout the block
• Adding subkeys means that key bits are also diffused throughout the block

56. Security of AES
• Extensively studied and tested
• Less real world experience
• Little chance of trapdoors
• No flaws found yet
• Number of cycles and length of keys can be increased
• On the other hand, the day will come when cryptanalysis forces it to be replaced

57. Keys in Symmetric Systems
• Support authentication of sender
• Support secure communication
• One secret key shared by every pair of users
• n(n – 1) / 2 keys to fully interconnect n users
• Key proliferation and distribution are challenges
• Keeping multiple distributed keys secret is an additional aspect of proliferation
58. Public Key Encryption
• The challenges of symmetric encryption motivate asymmetric encryption
• A system can be devised with a public key and a private key (see ch. 12)
• In notation:
  – P = D(kpriv, E(kpub, P))
  – P = D(kpub, E(kpriv, P))
• For secure communication, encryption is done with the public key
• Decryption is done with the private key
• For authentication, encryption is done with the private key
• Decryption is done with the public key

59. Advantages of Public Key Systems
• Each user has only one public and one private key
• That means 2n keys to fully interconnect n users
• Proliferation problems are reduced
• Each user only has to keep one key secret
• Distribution of public keys is simply not a problem

60. Comparison of Symmetric and Asymmetric Encryption
• Symmetric is fast, on the order of 10,000 times faster than asymmetric
• Therefore, symmetric is the workhorse
• Symmetric keys have to be distributed "out of band"
• Asymmetric is the ideal tool for distributing symmetric keys
• Asymmetric is convenient for mass messages to multiple receivers and for authentication

61. RSA Encryption
• This brief preview is just to establish that asymmetric systems are possible and do exist
• Let e, d, and n be numeric values
• e = encryption key, d = decryption key
• C = P^e mod n
• P = (P^e)^d mod n
• In simplistic terms:
  – P = C^(1/e) = (P^e)^(1/e)
• Because the arithmetic is done mod n, finding the decryption key, d, is not as simple as just finding 1/e
• Ultimately this is based on finding the prime factors of a (large) number
• This will be covered in chapter 12
62. The Uses of Encryption
• 1. Secrecy or confidentiality of message/data
• 2. Integrity of message/data
• 3. Key exchange
• 4. Authentication/digital signatures/security certificates

63. Message Integrity—Cryptographic Hashing
• Hash function = checksum = message digest
• I.e., h(P) = hash value
• h() has to have this characteristic: change one bit in P and h(P) is changed
• The idea is this:
  – Whoever holds the hash algorithm/key has the unique ability to produce h(P)
  – If someone substitutes a fake message, Pfake, h(P) won't match, and they won't have the ability to create the matching h(Pfake)
• In order to be secure, the hashing algorithm or key has to be kept secret
• Only an authorized user, whether sender or receiver, can create or verify a hash
• A hashing scheme will be more secure if the algorithm is effectively non-invertible
• This eliminates inversion as an angle of attack

64. How Hashing is Used
• The sender hashes a message/data
• The hash is posted with the message
• The receiver hashes the message and compares with the received hash
• If the computed hash doesn't agree with the posted one, the message has been altered or damaged (or, possibly, the posted hash has been altered or damaged)

65. Integrity Verification
• For comparison, checksums are a simple form of integrity verification
• They would not be secure
• XOR'ing repeated message blocks would be another simple integrity checking scheme
• Posting an encryption with corresponding plaintext would effectively be a hash, but it's not desirable to hand P and C both to attackers

66. Commercial Hash Functions
• MD4, MD5 (MD = Message Digest)
  – Created by RSA (Rivest, Shamir, Adleman)
  – Convert any message to a 128 bit digest
• SHA/SHS (Secure Hash Algorithm/Standard)
  – Converts any message to a 160 bit digest

67. Attacking Hashes
• If messages of any length generate fixed length hashes shorter than the messages:
• Then >1 message can generate the same hash
• This means a different message could be posted with the hash of the original message and no problem would be detected
• This may or may not be useful to an attacker
• A complete attack would allow the attacker to generate correct hashes for arbitrary messages

68. Key Exchange
• The basic problem is setting up secure exchange between two parties who don't know each other face-to-face
• The goal is to exchange a private symmetric key between them
• This problem has two components:
  – Making sure the key is secure
  – Authenticating the sender of the key
• Let the symmetric key be represented as K
• Let R and S both have public and private asymmetric keys, kPUB-R, kPRIV-R, kPUB-S, kPRIV-S
• Let S be the party who will be sending K to R
• S should send this:
  – E(kPUB-R, E(kPRIV-S, K))
• The outer transformation provides security
• The inner transformation authenticates S
69. Diffie-Hellman Key Exchange
• The bottom line: Don't worry about the details of this
• The book mentions it without giving a full explanation
• It is essentially based on the same idea as RSA encryption, powers and modular arithmetic
• That will be covered in ch. 12
• If, ultimately, you understand key exchange using public key encryption, you've learned enough

70. Characteristics of Digital Signatures
• The book uses a paper (monetary) check as a reality check on signatures
• A signature/signed document should:
  – Be authenticable/not be forgeable/not be repudiatable
  – Not be alterable
  – Not be reusable

71. Notation for Digital Signatures
• P = Person who signs
• R = Receiver of signed item
• M = Message, signed item
• S(P, M) is the signature of P on M
• [M, S(P, M)] is the unique, unreproducible pair created when P signs M
• It is important to note that the signature is unique to the message—it's bound to the message

72. Characteristics of Signed Documents Using Notation
• This is the pair: [M, S(P, M)]
• Authentic/not forgeable/not repudiatable: R can verify that P was the only possible source of the pair
• Not alterable: After sending or posting, neither P, nor R, nor an outside interceptor can change the pair without detection
• Not reusable: If the pair is presented a second time, R can immediately detect this

73. Alternate Notation and Terminology for Public Key Encryption
• Whether a key is public or private is indicated by the transformation, E() or D()
• Let U = the User
• Let M = the Message
• Privacy transformation: Use of the public key by another user to send to U will be shown with E():
  – E(M, Ku)
• Authentication transformation: Use of the private key by U to send to others will be shown with D():
  – D(M, Ku)

74. Using Public Keys for Digital Signatures
• This is a straightforward use of public keys for authentication
• As presented, it also relies on the idea that the encryption of a message is itself a kind of hash of the message
• This is the message/signature pair that S would produce:
  – [M, D(M, Ks)]

75. Characteristics—Authentic
• [M, D(M, Ks)]
• Authentic/not forgeable/not repudiatable:
  – Only S can produce this
  – R can verify by applying E(D(M, Ks), Ks) to acquire M
• Note that R should save a copy for non-repudiation purposes

76. Characteristics—Not Alterable
• [M, D(M, Ks)]
• If M (or D(M, Ks)) is altered, E(D(M, Ks), Ks) will not give back M
• Again, note that this assumes that the system hasn't been broken
• A successful attack on the system would allow a fake M and the correct, corresponding D(M, Ks)

77. Characteristics—Not Reusable
• [M, D(M, Ks)]
• This characteristic is not based on the protocol directly
• Just like with monetary checks, every transaction, M, should be numbered internally
• Each numbered transaction should be honored only once
• An attacker could alter the transaction number in M, but could not produce the matching D(M, Ks) for resubmission
• Like for non-repudiation, R should save a copy of all honored transactions
78. Trust in Digital Environments
• An authentication transformation makes it possible to distribute a symmetric key, for example
• The antecedent question is how you verify the identity of/put trust in a party who wants to exchange keys
• Trust is transferred or transmitted when a known, trusted party vouches for another party
• Vouching sets up chains or hierarchies of trust
• Hierarchies of trust may be parallel to hierarchies of management in organizations
• Through a chain of contacts in the organization, one party can trust another who is n steps removed
• Authentication is applied at each step
• The result is a sequence of authentications

79. Digital Certificates
• Note: This idea will be presented in a somewhat simplified form, with a note on reality at the end
• The idea will initially be explained in terms of key distribution only
• The reality is that keys should be distributed along with the identities of the key holders
• In practice, certificates are made more secure by hashing their contents, binding the key and the identity together
• Let individual X be a publicly known figure at the top of a hierarchy
• Let X post a public key on a secure, trusted system available to other members of the hierarchy
• Let X retain the matching private key
• Let Y be one step removed in the hierarchy, but personally known and trusted by X
• X transmits trust to Y by performing and posting this transformation: D(KX-PRIV, KY-PUB)
• KX-PRIV is the key used in the transformation
• KY-PUB is the message
• Anyone with access to X's public key can apply E(KX-PUB, D(KX-PRIV, KY-PUB)) and obtain Y's public key
• D(KX-PRIV, KY-PUB) is Y's certificate
• The process can be repeated from Y to Z, assuming Y knows and trusts Z
• Y vouches for Z by performing this transformation: D(KY-PRIV, KZ-PUB)
• This is not Z's full certificate
• A complete certificate reaches all the way to a commonly trusted individual
• A certificate consists of a full chain of individual "vouchers" that reaches the top of the hierarchy
• In this case, Z's certificate would be:
  – D(KX-PRIV, KY-PUB) + D(KY-PRIV, KZ-PUB)
• With access to KX-PUB, it's possible to evaluate the second half of the certificate, obtaining KZ-PUB

80. Identities and Hashing in Certificates
• A public key is not so useful if you don't know who it belongs to, so an identity has to be distributed with a key
• The message body, M, of a certificate should contain both
• For Z, for example, the last part of the certificate should contain:
  – M = Z's id + KZ-PUB
• The transformation is D(KY-PRIV, Z's id + KZ-PUB)
• There is a cryptographic weakness here
• An attacker may be able to separate the two parts of the message at the plus sign, substituting a fake id or a fake key
• A more secure certificate would bind the id and its key together
• Hashing can be used to bind things together
• At the lowest level, the message or contents of Z's certificate become:
  – [Z's id + KZ-PUB, hash(Z's id + KZ-PUB)]
• Checking against the hash will protect against changes in the id or the key
• Then applying Y's vouching transformation, the lowest level of Z's certificate is:
  – D{KY-PRIV, [Z's id + KZ-PUB, hash(Z's id + KZ-PUB)]}
• Remember that Z's complete certificate also includes Y's certificate
• Under this scheme, Y's certificate is:
  – D{KX-PRIV, [Y's id + KY-PUB, hash(Y's id + KY-PUB)]}
• Thus, Z's complete certificate is the sequence, or chain:
  – D{KX-PRIV, [Y's id + KY-PUB, hash(Y's id + KY-PUB)]} + D{KY-PRIV, [Z's id + KZ-PUB, hash(Z's id + KZ-PUB)]}
• In summary, for every user:
  – The individual parts of the certificate bind id and public key together
  – Each individual part is authenticated by the next individual part
  – The different parts, or sub-certificates, are independent and do not have to be bound by hashing
• The chain ultimately has to reach an agreed upon source of trust
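Added example (my code, not the textbook's or the page's): the certificate chain of sections 79 and 80 built on the textbook RSA of section 61 and the signature pair of sections 74 to 76. D() under the issuer's private key is applied to a body that binds id and key with a hash, and the chain is verified link by link starting from the trusted root X. The small primes, the byte-at-a-time signing and the JSON body layout are my assumptions for a toy; real certificates use far larger keys, padding and standardized formats.

```python
"""Textbook RSA signatures and a hash-bound certificate chain X -> Y -> Z (sections 61, 74-80).

Toy-sized keys (constructed primes) so that every step is visible; real systems use
2048-bit keys and padded signatures, and this code is for illustration only.
"""
import hashlib
import json


def rsa_keypair(p, q, e=17):
    """n = p*q; d is the modular inverse of e mod (p-1)(q-1), not 1/e (section 61)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # Python 3.8+: modular inverse
    return (e, n), (d, n)


def transform(block, key):
    """E() or D() of the page: block^exponent mod n. Which key is used decides whether
    this is the privacy or the authentication transformation (section 73)."""
    exponent, n = key
    return pow(block, exponent, n)


def sign(message: bytes, private_key):
    """D(M, Ks): the signer's private transformation applied to each byte of M.
    Byte-at-a-time is the toy compromise for a tiny modulus (every byte is < n)."""
    return [transform(b, private_key) for b in message]


def verify(message: bytes, signature, public_key):
    """E(D(M, Ks), Ks) must give back M byte for byte (sections 75 and 76)."""
    return [transform(s, public_key) for s in signature] == list(message)


def bound_body(identity: str, public_key) -> bytes:
    """[id + K_PUB, hash(id + K_PUB)]: the hash binds the two parts together (section 80)."""
    payload = json.dumps({"id": identity, "key": list(public_key)}).encode()
    return payload + b"|" + hashlib.sha256(payload).hexdigest().encode()


def issue_certificate(subject_id, subject_public_key, issuer_private_key):
    """One link of the chain: the issuer's authentication transformation over the bound body."""
    body = bound_body(subject_id, subject_public_key)
    return {"body": body, "signature": sign(body, issuer_private_key)}


def verify_link(link, issuer_public_key):
    """Check the issuer's signature, then re-hash the payload and compare with the posted hash.
    Returns the (id, public key) the link vouches for, or None if anything was altered."""
    if not verify(link["body"], link["signature"], issuer_public_key):
        return None
    payload, posted_hash = link["body"].rsplit(b"|", 1)
    if hashlib.sha256(payload).hexdigest().encode() != posted_hash:
        return None
    info = json.loads(payload)
    return info["id"], tuple(info["key"])


def verify_chain(chain, root_public_key):
    """Walk the chain from the trusted root: each link is checked with the key that the
    previous link vouched for. Returns the final (id, public key) or None."""
    current_key = root_public_key
    result = None
    for link in chain:
        result = verify_link(link, current_key)
        if result is None:
            return None
        current_key = result[1]
    return result


def demo():
    """Build Z's complete certificate: X vouches for Y, then Y vouches for Z."""
    # Constructed toy primes for X (the root), Y and Z.
    x_pub, x_priv = rsa_keypair(61, 53)
    y_pub, y_priv = rsa_keypair(67, 71)
    z_pub, _z_priv = rsa_keypair(73, 79)
    chain = [issue_certificate("Y", y_pub, x_priv), issue_certificate("Z", z_pub, y_priv)]
    return chain, x_pub, z_pub


if __name__ == "__main__":
    chain, x_pub, z_pub = demo()
    print(verify_chain(chain, x_pub))   # ('Z', (17, 5767))
```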
81. Trust Outside of a Hierarchy
• An organization can build a trust hierarchy different from the management hierarchy
• For example, there may be one security officer responsible for issuing one-level certificates to all employees
• The Internet overall does not have just one root
• There are multiple (typically national) trusted, top-level certificate issuing bodies
• Trust still propagates through chains of certificates
• Digital security relies on mutual trust of a common authority

82. What Do Trust and Certificates Accomplish?
• This is just a reminder, but it's useful in case you've lost sight of the forest for the trees
• Aside from the abstraction, trust, what is concretely being transmitted by certificates?
• The message contains an id and a public key
• A public key is being distributed
• Knowing who the key belongs to—priceless
• This is what is being securely accomplished