Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer...
Transcript of Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer...
![Page 1: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/1.jpg)
Today’s Lecture:hCrypto Crash‐Course
EECS 588: Computer and Network SecurityJanuary 8, 2015January 8, 2015
![Page 2: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/2.jpg)
The Itinerant Professor
J. Alex Halderman (CSE Prof.)In China D.C. Cali. London today, back Tues.
![Page 3: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/3.jpg)
David Adrian (GSI)
![Page 4: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/4.jpg)
Goals for this CourseGoa s o t s Cou se
G i h d i Gain hands‐on experienceBuilding secure systemsE l ti t itEvaluating system security
Prepare for researchComputer security subfieldSecurity‐related issues in other areas
Generally, improve research and communication skills
Learn to be a 1337 hax0r, but an ethical one!
![Page 5: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/5.jpg)
Building BlocksThe security mindset, thinking like an attacker, reasoning about risk, research ethicsSymmetric ciphers, hash functions, message authentication codes, pseudorandom generatorsKey exchange, public‐key cryptography, key management, the TLS protocol
Software SecurityExploitable bugs: buffer overflows and other common vulnerabilities – attacks and defensesMalware: viruses, spyware, rootkits – operation and detectionAutomated security testing and tools for writing secure codeVirtualization, sandboxing, and OS‐level defenses
Web SecurityThe browser security modelWeb site attacks and defenses: cross‐site scripting, SQL injection, cross‐site reference forgeryInternet crime: spam, phishing, botnets – technical and nontechnical responses
Network SecurityNetwork protocols security: TCP and DNS – attacks and defensesPolicing packets: Firewalls, VPNs, intrusion detection
N Denial of service attacks and defensesData privacy, anonymity, censorship, surveillance
Advanced Topics
Not a crypto courseHardware security – attacks and defenses
Trusted computing and digital rights managementElectronic voting – vulnerabilities, cryptographic voting protocols
course
![Page 6: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/6.jpg)
Getting a SeatGett g a Seat
Long waitlist, but odds are good.
![Page 7: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/7.jpg)
CommunicationCo u cat o
Course Web Sitehttps://www.eecs.umich.edu/courses/eecs588/p 5announcements, schedule, readings
Email [email protected] @[email protected], questions, concernsgg , q ,
![Page 8: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/8.jpg)
Today’s Classoday s C ass
E ti l C t hEssential Cryptography
The Cryptographer’s View Hash Functions Message‐Authentication Codes Generating Random Numbers Block Ciphers
![Page 9: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/9.jpg)
Basic Cryptography Problemsas c C yptog ap y ob e s
MMessage
Alice BobEve
Alice BobPassive Eavesdropper
MalloryMallory
Man‐in‐the‐Middle
![Page 10: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/10.jpg)
Ingredients for a Secure Channelg ed e ts o a Secu e C a e
ConfidentialityAttacker can’t see the message
Eve
Attacker can’t see the messageSymmetric Ciphers
IntegrityMalloryAttacker can’t modify the message
Message Authentication Codes (MACs)
Mallory
![Page 11: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/11.jpg)
Ingredients for a Secure Channelg ed e ts o a Secu e C a e
AuthenticationAttacker can’t impersonate the recipientAttacker can’t impersonate the recipient
Public‐Key Cryptography
Mallory
![Page 12: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/12.jpg)
The Cryptographer’s VieweC yptog ap e s e
Random O l26 1413 6226 1444 62Oracle26 1413 6226 1444 62
26 → 1413 → 6244 → 62
![Page 13: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/13.jpg)
Practical Random Oracles?act ca a do O ac es
6Suppose domain is size 2256…
d dPseudorandom Functions (PRFs)(A function randomly chosen from a f l f llfamily of PRFs is computationally indistinguishable from a Random Oracle)
M A th ti ti C d (MAC )
Pseudorandom Permutationsi i h
≈ Message Authentication Codes (MACs)
≈ Symmetric Ciphers
![Page 14: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/14.jpg)
Hash Functionsas u ct o s
Ideal: Random mapping from any input to a set of output
Caution! Real hashes don’t match our ideal
message Hash Function digestg g
![Page 15: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/15.jpg)
Ideal Hash Functiondea as u ct o
f1. Easy to compute H(m) for all m
f bl f2. Infeasible to compute m from H(m)
f bl d f h h3. Infeasible to modify m without changing H(m)
4. Infeasible to find two messages with the h hsame hash
![Page 16: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/16.jpg)
Hash Function Requirementsas u ct o equ e e ts
Fi i i First pre‐image resistance Given h(x), cannot find x
Second pre‐image resistance Given m cannot find m s t h(m ) h(m ) Given m1, cannot find m2 s.t. h(m1) = h(m2)
Collision resistance Collision resistance Given nothing, find anym1 != m2 s.t. h(m1) = h(m2) Birthday AttackBirthday Attack
![Page 17: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/17.jpg)
MD5 Hash Function5 as u ct o
Designed in 1992 byRon Rivest 128‐bit output 128‐bit internal state 512‐bit block size
Like most hash functions,uses block‐chaining construction
![Page 18: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/18.jpg)
MD5 is Unsafe – Never use it!5 s U sa e e e use t
fl First flaws in 1996;by 2007, researchers demonstrated a demonstrated a collision
Chaining allows gchosen prefix attack
Dec. 2008:others used this to fake SSL certificates l f(cluster of 200 PS3s)
![Page 19: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/19.jpg)
MD5 Collision5 Co s o
d131dd02c5e6eec4693d9a0698aff95c 2fcab58712467eab4004583eb8fb7f89 55ad340609f4b30283e488832571415a 085125e8f7cdc99fd91dbdf280373c5b d8823e3156348f5bae6dacd436c919c6 dd53e2b487da03fd02396306d248cda0 e99f33420f577ee8ce54b67080a80d1e c69821bcb6a8839396f9652b6ff72a70
d131dd02c5e6eec4693d9a0698aff95c 2fcab50712467eab4004583eb8fb7f89 55ad340609f4b30283e4888325f1415a 085125e8f7cdc99fd91dbd7280373c5b d8823e3156348f5bae6dacd436c919c6 dd53e23487da03fd02396306d248cda0 e99f33420f577ee8ce54b67080280d1e c69821bcb6a8839396f965ab6ff72a70
Both of these blocks hash to 79054025255fb1a26e4bc422aef54eb4
![Page 20: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/20.jpg)
SHA Hash FunctionsS as u ct o s
SHA‐1 – standardized by NIST in 1995 160‐bit output and internal state
bit bl k i 512‐bit block size
SHA‐2 – extension published in 20016 ( ) bit t t d i t l t t 256 (or 512)‐bit output and internal state
512 (or 1024)‐bit block size SHA‐3 – chosen by NIST in 2012 SHA‐3 – chosen by NIST in 2012 256 (512)‐bit output Different “sponge” constr ction Different “sponge” construction
![Page 21: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/21.jpg)
Block chaining vs.S t tiSponge‐construction
![Page 22: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/22.jpg)
Tricky! Length Extension Attacksy g
Given hash of secret x, trivial to findhash of x || p || m for padding p and arbitrary marbitrary m
MD5 and SHA family all vulnerable!
![Page 23: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/23.jpg)
Is SHA‐1 Safe?s S Sa e
f Significant cryptanalysis since 2005 Improved attacks show complexity of finding
lla collision < 251(ideally security would be 280 – why?) Attacks only get better …
Use SHA‐256
![Page 24: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/24.jpg)
Message Authentication Codesessage ut e t cat o Codes
Prevents tampering with messages.Like a family of pseudorandom functions,
h k l hwith a key to select among them
P P P
MAC
P0
K
P1 PN‐1…
MACK
tag
![Page 25: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/25.jpg)
Construction: HMACCo st uct o C
fGiven a hash function H:HMAC(K,m) = H( (K pad1) || H(K pad2 || m))for constants pad1 and pad2
Provides nice provable security properties
![Page 26: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/26.jpg)
What Should You Use?at S ou d ouUse
Use HMAC‐SHA256 Use a constant key to get a length‐extension resistant hash function
![Page 27: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/27.jpg)
Generating Random NumbersGe e at g a do u be s
What’s wrong with srand() and rand()?
![Page 28: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/28.jpg)
Generating Random NumbersGe e at g a do u be s
What’s wrong with srand() and rand()? Why not use a secure hash? “Cryptographic Pseudorandom Number Generator” (CPRNG)
Tricky details… Seeding with true randomness (“entropy”)F d Forward secrecy
Most OSes do the hard work for you*O Li /d / d d /d / d On Linux, use /dev/random and /dev/urandom
![Page 29: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/29.jpg)
One‐Time PadsO e e ads
blProvably secure encryption…
h f f l… that often fails in practice.
![Page 30: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/30.jpg)
One‐Time PadsO e e ads
K1 K2 K3 K4P1 P2 P3 P4
P4 K4P3 K3P2 K2P1 K1
P K P KPi Ki Pi Ki
0 0 00 1 11 0 11 0 11 1 0
![Page 31: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/31.jpg)
Block Ciphersoc C p e s
Ideal block cipher:Like a family of pseudorandom permutations
h k l hwith a key to select among them
E
P
K D
P
KEK DK
C C
![Page 32: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/32.jpg)
DES—Data Encryption StandardS ata c ypt o Sta da d
US Government standard (1976)US Government standard (1976) Designed by IBMTweaked by NSATweaked by NSA
56‐bit key56 bit key 64‐bit blocks 16 rounds16 rounds
Key schedule function Key schedule function generates 16 round keys:
![Page 33: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/33.jpg)
DES EncryptionS c ypt o
l k Feistel network common block cipher
t ticonstruction Each round uses the same Feistel function FFeistel function F(by itself a weak block cipher)
makes encryption and decryption symmetric—just
d f d kreverse order of round keys
![Page 34: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/34.jpg)
DES Feistel FunctionS e ste u ct o
In each round: Expansion Permutation E32 → 48 bits32 → 48 bits
S‐boxes (“substitution”)replace 6‐bit valuesp
Fixed Permutation Prearrange the 32 bits
![Page 35: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/35.jpg)
DES is Unsafe – Don’t Use It!S s U sa e o t Use t
Design has known weaknesses 56‐bit key way too short
k EFF’s “Deep Crack” machine can brute force
hin 56 hours using FPGAs($250k in 1998,
f h dfar cheaper today)
![Page 36: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/36.jpg)
3DES3 S
E (P) = E (D (E (P))) EK1, K2,K3(P) = EK3
(DK2(EK1
(P)))
EE CP D Key options: Option 1 independent keys (56*3 168 bit key)
EE CP DK1 K2 K3
Option 1: independent keys (56*3 = 168 bit key) Option 2: K1 = K3 (56*2 = 112 bit key)O ti K K K (B k d tibl DES) Option 3: K1 = K2 = K3 (Backward‐compatible DES)
Wh t h d t DES? What happened to 2DES?
![Page 37: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/37.jpg)
2DES: Meet‐in‐the‐middle attack
S ( ) ( ( )) “2DES”: EK1, K2(P) = EK2
(EK1(P))
EE CPK2K1
Given P and C = EK (EK (P)), find both keysK2( K1
( )), y For all K, generate EK(P) and DK(C) Find a match where DK2
(C) == EK1(P)
DE CP !!!
2 1
DE CP !!!K2K1
![Page 38: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/38.jpg)
AES—Advanced Encryption Standardyp
Standardized by NIST in 2001 following open design competition( k Rij d l)(a.k.a. Rijndael)
128 192 or 256 bit key 128‐, 192‐, or 256‐bit key 128‐bit blocks 10 12 or 14 rounds 10, 12, or 14 rounds
Not a Feistel network construction Not a Feistel‐network construction
![Page 39: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/39.jpg)
One round of One round of AES‐128
![Page 40: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/40.jpg)
How Safe is AES?o Sa e s S
f Known attacks against 128‐bit AES if reduced to 7 rounds (instead of 10)
b d l d 128‐bit AES very widely used, though NSA requires 192‐ or 256‐bit keys for
d dSECRET and TOP SECRET data
h h ld What should you use? Conservative answer: Use 256‐bit AES
![Page 41: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/41.jpg)
Block Ciphers (review)oc C p e s ( e e )
DecryptionEncryption
plaintextplaintext ciphertext
decrypt(.)Kencrypt(.)K
ciphertextciphertext plaintext
![Page 42: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/42.jpg)
ECB – Electronic Codebook Mode
Ci := E(K, Pi) for i = 1, …, n
P2 P3 P4 …P1
EK EK EKEK
C2 C3 C4 …C1
![Page 43: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/43.jpg)
ECB – Electronic Codebook Mode
Ci := E(K, Pi) for i = 1, …, n
P2 P3 P4 …P1
EK EK EKEK
C2 C3 C4 …C1
![Page 44: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/44.jpg)
Why not ECB?y ot C
The cipher text of an identical block is always The cipher text of an identical block is always identical… consider a bitmap image…
(plaintext) (ECB mode) (CBC mode)
![Page 45: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/45.jpg)
CBC: Cipher‐Block Chaining Modep g
C E(K P C ) f i Ci := E(K, Pi Ci‐1) for i = 1, …, n
P P P
P1 P2 P3 …
?
EK EK EK
C1 C2 C3 …
![Page 46: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/46.jpg)
CBC: Cipher‐Block Chaining Modep g
C E(K P C ) f i Ci := E(K, Pi Ci‐1) for i = 1, …, n
P P P
P1 P2 P3 …
EK EK EK
Random“Initialization
V ”
C1 C2 C3 …
Vector”
IV
![Page 47: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/47.jpg)
CBC: Cipher‐Block Chaining Modep g
C E(K P C ) f i Ci := E(K, Pi Ci‐1) for i = 1, …, n
P P P
P1 P2 P3 …
EK EK EK
Random“Initialization
V ”
C1 C2 C3 …
Vector”
IV
DO NOT REUSE INITIALIZATION VECTORS!!
![Page 48: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/48.jpg)
CTR: Counter ModeC Cou te ode
fKi := E(K, Nonce || i ) for i = 1, …, nCi := Pi Ki
• Stream cipher constructionStream cipher construction• Plaintext never passes through E• Don’t need to pad the message• Don t need to pad the message• Allows parallelization and seekingN K N• Never reuse same K+Nonce
![Page 49: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/49.jpg)
Symmetric Key EncryptionSy et c ey c ypt o
DecryptionEncryption
plaintextplaintext ciphertext
decrypt(.)Kencrypt(.)K
ciphertextciphertext plaintext
![Page 50: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/50.jpg)
Public Key Cryptographyub c ey C yptog ap y
Symmetric key cryptographic is great… but has the fundamental problem that every
d h ksend‐receiver pair must share a secret key…
How do we allow the sender and receiver to use different keys for encryption and decryption?yp
Also known as “Asymmetric Encryption”
![Page 51: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/51.jpg)
Diffie‐Hellman Key Exchangee e a ey c a ge
f How do we share our symmetric key in front of an eavesdropping adversary?
“Key Exchange” developed by Whitfield Diffieand Martin Hellman in 1976and Martin Hellman in 1976
Based on Discrete Log Problemwhich we b li i diffi l (“ h i ”)believe is difficult (“the assumption”)
![Page 52: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/52.jpg)
Diffie‐Hellman Key Exchangee e a ey c a ge
Alice generates and shares gwith Bob1. Alice generates and shares gwith Bob2. Alice and Bob each generate a secret
number, which we denote a and b3. Alice generates gaand sends it to Bobg g4. Bob generates gband sends it to Alice5 Alice calculates (gb)a and Bob calculates (ga)b5. Alice calculates (g ) and Bob calculates (g )6. Alice and Bob have (gb)a = gab = gba = (ga)b
![Page 53: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/53.jpg)
Some Diffie‐Hellman DetailsSo e e e a eta s
1 D H works in any finite cyclic group Assume 1. D‐H works in any finite cyclic group. Assume G is predetermined and we are selecting a generator g Ggenerator
2. We almost always just use (multiplicative f i d l )
p*
g G
group of integers modulo p)
3. We share a primitive root (g) and an odd
p
p gprime (p) and perform all operations mod p.
![Page 54: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/54.jpg)
![Page 55: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/55.jpg)
Attacking Diffie‐Hellman (MITM)ttac g e e a ( )
Mallory
Chooses random x < p
Chooses gx
Choosesrandom y < p
random v < p gv
gyChooses
random w < pgw
k := (gw)x k’ := (gv)yk := (gw)x
k’ := (gv)y
![Page 56: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/56.jpg)
Summary of GoalsSu a y o Goa s
Confidentiality
Integrity
AuthenticationAuthentication
![Page 57: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/57.jpg)
RSA Public Key EncryptionS ub c ey c ypt o
![Page 58: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/58.jpg)
RSA EncryptionS c ypt o
l d ip, q large random primesn := pq modulust := (p‐1)(q‐1) ensures xt = 1 (mod n)e := [small prime value] public exponentd := e‐1 mod t private exponent
Public key: (n, e)Private key: (p, q, t, d)Private key: (p, q, t, d)
![Page 59: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/59.jpg)
RSA EncryptionS c ypt o
1. Public Key: (n, e)2. Private Key: (p, q, t, d)
3. Encryption: c := me mod n4. Decryption: m := cd mod n
5. (me)d = med = mkt+1 = (mt)km = 1km = m (mod n)
![Page 60: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/60.jpg)
Encryption with RSAc ypt o t S
1. Public Key Encryption is much slower than symmetric key encryption
2. Publish public key to the world, keep private key secrety
3. Negotiate a symmetric key over public key encryption and utilize the symmetric key for encryption and utilize the symmetric key for encrypting any actual data going forward
![Page 61: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/61.jpg)
Other Public Key AlgorithmsOt e ub c ey go t s
Other p blic ke algorithms do e ist Other public key algorithms do exist
ElGamal (digital signature scheme based on ElGamal (digital signature scheme based on DL)
DSA (Digital Signature Algorithm) DSA (Digital Signature Algorithm) Elliptic Curve DSA (ECDSA)
ECDSA is quickly gaining popularity
![Page 62: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/62.jpg)
Establishing Truststab s g ust
How do Alice and Bob share public keys?
W b f T ( PGP) Web of Trust (e.g. PGP)
Trust on First Use (TOFU) (e.g. SSH)g
Public Key Infrastructure (PKI) (e.g. SSL)
![Page 63: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/63.jpg)
What is PKI?at s
f Organizations we trust (often known as “Certificate Authorities”) generate
f bl kcertificates to tie a public key to an organization
We trust that we’re talking to the correct f f h bl korganization if we can verify their public key
with a trusted authority
![Page 64: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/64.jpg)
SSL/TLS CertificatesSS / S Ce t cates
Subject: C=US/O=Google Inc/CN=www.google.comIssuer: C=US/O=Google Inc/CN=Google Internet AuthoritySerial Number: 01:b1:04:17:be:22:48:b4:8e:1e:8b:a0:73:c9:ac:83Expiration Period: Jul 12 2010 ‐ Jul 19 2012Expiration Period: Jul 12 2010 Jul 19 2012Public Key Algorithm: rsaEncryptionPublic Key: 43:1d:53:2e:09:ef:dc:50:54:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a4ff b 8 6 8 d b 8 6:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:39:23:46
Signature Algorithm: sha1WithRSAEncryption
Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:f0:fa:14:58:ad:a0:81:b0:3d7c:be:b1:82:19:b9:7c3:8:04:e9:1e5d:b5:80:af:d4:a0:81:b0:b0:68:5b:a4:a47 9 9 7 3 4 9 5 5 4 5 4 4:ff:b5:8a:3a:a2:29:e2:6c:7c3:8:04:e9:1e5d:b5:7c3:8:04:e9:1e:5d:b5
![Page 65: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/65.jpg)
Signatures on CertificatesS g atu es o Ce t cates
l b h bl k h d Utilize both public key cryptography and cryptographic hash functions
Oftentimes see a signature algorithm such as sha1WithRSAEncryptionsha1WithRSAEncryption
Encrypt i (SHA‐1(certificate)) EncryptPrivateKey(SHA 1(certificate))
![Page 66: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/66.jpg)
Certificate ChainsCe t cate C a s
Mozilla Firefox BrowserT t thi
Subject: C=US/…/OU=Equifax Secure Certificate AuthorityIssuer: C=US/…/OU=Equifax Secure Certificate Authority
bli
Trust everything signed by this
“root” certificate
S bj C S C G l h
Public Key: Signature: 39:10:83:2e:09:ef:ac:50:04:0a:fb:9a:38:c9:d1I authorize and trust
this certificate; here i i t Subject: C=US/…/CN=Google Internet Authority
Issuer:C=US/…/OU=Equifax Secure Certificate AuthorityPublic Key:Signature: be:b1:82:19:b9:7c:5d:28:04:e9:1e:5d:39:cd
is my signature
I authorize and trust
Subject: C=US/…/O=Google Inc/CN=*.google.comIssuer: C=US/…/CN=Google Internet Authority
g 9 9 7 5 4 9 5 39I authorize and trust this certificate; here
is my signature
/ / g yPublic Key:Signature: bf:dd:e8:46:b5:a8:5d:28:04:38:4f:ea:5d:49:ca
![Page 67: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/67.jpg)
Certificate Authority ClusterfuckCe t cate ut o ty C uste uc
![Page 68: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/68.jpg)
Some Practical AdviceSo e act ca d ce
HMAC: HMAC‐SHA256
Block Cipher: AES‐256p 5
Randomness: OS Cryptographic Pseudo Random Number Generator (CPRNG)Random Number Generator (CPRNG)
Public Key Encryption: RSA or ECDSA
Implementation: OpenSSL
![Page 69: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/69.jpg)
Related Research Problemse ated esea c ob e s
Cryptanalysis: Ongoing work to break crypto functions… rapid progress on hash collisions
Cryptographic function design: We badly need better hash functions… NIST competition now to replace SHA
Attacks: Only beginning to understand y g gimplications of MD5 breaks – likely enables many major attacksy j
![Page 70: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/70.jpg)
Don’t Roll Your Own!!o t o ou O
![Page 71: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/71.jpg)
SECRIT: Security Reading GroupS C Secu ty ead gG oup
We read a recent security paper and discuss it over lunch each week
Tuesdays from 12:30 to 1:30 PM
( d ) ( f l h) (one read paper) == (one free lunch)
https://wiki.eecs.umich.edu/secrit/p // / /
![Page 72: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/72.jpg)
Tuesday: Alex’s Introductionuesday e s t oduct o
![Page 73: Today’s Lecture: Crypto Crash Course...Today’s Lecture: Crypto Crash‐Course EECS 588: Computer and Network Security January 8, 2015 The Itinerant Professor J. Alex Halderman](https://reader034.fdocuments.us/reader034/viewer/2022042414/5f2f21d36e01ae0211124fcb/html5/thumbnails/73.jpg)