All About Cryptography Software Infrastructure for Electronic Commerce Professor Fred B. Schneider

Dept. of Computer Science
Cornell University
Goals


Learn what problems can (and cannot) be
addressed using cryptography.
Become convinced that:
– Designing a decent cryptosystem is extremely difficult.
– Using cryptography requires building a substantial (but
easily overlooked) infrastructure.
Encryption and Decryption
[Figure: plaintext “This is…” → Encrypt (with encryption key) → ciphertext “aSxxyw” → Decrypt (with decryption key) → plaintext “This is…”]
Encryption and Decryption:
Terminology
plaintext: input to encryption algorithm.
ciphertext: output of encryption algorithm.
shared key (symmetric key) cryptography:
– encryption key and decryption keys the same.
– Encrypt & Decrypt functions often the same.
public key (asymmetric key) cryptography:
– Encryption key and decryption keys different.
– Encrypt & Decrypt functions are different.
Uses for Cryptography
Secrecy: Obscure the contents of messages or stored
data from eavesdroppers.
Integrity: Detect any alteration performed after message
or stored data is generated.
Authentication: Verify the identity of the source of a
message or stored data. (Authentication of messages is
useful in making authorization decisions.)
Non-repudiation: Establish for a third party the source
and contents of a message or stored data.
What Encryption Does
Confusion: Unable to predict how changing the plaintext
alters the ciphertext.
Diffusion: Local change to plaintext alters much of the
ciphertext.
ax
xy  yx
Mechanisms: substitution and transposition.
Final Result:
computational secrecy: Depends on resource limits.
Bigger keys better.
perfect secrecy: Will never be broken.
Secret Key Encryption Algorithms
DES (Data Encryption Standard)
64 bits in/out, 56 bits key.
Computationally (in)secure. $1M tries all DES keys in 7 hrs
using 1993 hardware cracking machine.
Triple-DES
AES (Advanced Encryption Standard) “Rijndael”
Variable block length & variable key length (128, 192, 256)
IDEA (International Data Encryption Algorithm)
64 bits in/out, 128 bit key.
Computationally secure: at 1 billion key-tries/sec/processor,
system of a billion processors requires 10^13 years to try
every possible key (1000x longer than age of the universe).
Secret Key Encryption:
Implementing Secrecy
Notation:
– E(m,K)        Encrypt m using key K
– D(x,K)        Decrypt x using key K
– A→B: msg      A sends msg to B
Protocol:
1. A→B: E(m, K_AB)              A encrypts m using a key shared with B
2. B: D( E(m, K_AB), K_AB)      B decrypts message it received.
Secret Key Encryption:
Implementing Authentication
AB: I’m A
B: Generate random rB
BA: rB
AB: E(rB, KAB)
B: D(E(rB, KAB),KAB) = rB?
A: Generate random rA
AB: rA
A starts protocol
B generates challenge
A responds to B’s challenge
B checks A’s response. Only A would know KAB
A generates challenge
BA: E(rA, KAB)
B responds to A’s challenge
A: D(E(rA, KAB), KAB) = rA?
A checks B’s response. Only B would know KAB
9
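The mutual challenge-response exchange above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the keyed function in place of E(r, K_AB), since Python's standard library has no block cipher, so each side recomputes the response instead of decrypting it; the names Party, respond and mutual_auth are hypothetical.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, responder: bytes, challenge: bytes) -> bytes:
    # Keyed response to a challenge (HMAC stands in for E(r, K_AB)). The
    # responder's name is mixed in so that a response produced by one side
    # cannot be replayed as if it came from the other.
    return hmac.new(key, responder + b"|" + challenge, hashlib.sha256).digest()

class Party:
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key
        self.pending = None                       # outstanding challenge, if any

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)    # fresh random r
        return self.pending

    def answer(self, challenge: bytes) -> bytes:
        return respond(self.key, self.name, challenge)

    def check(self, peer: bytes, response: bytes) -> bool:
        r, self.pending = self.pending, None      # a challenge is single-use
        if r is None:
            return False
        return hmac.compare_digest(respond(self.key, peer, r), response)

def mutual_auth(a: Party, b: Party) -> bool:
    r_b = b.challenge()                           # B -> A: r_B
    if not b.check(a.name, a.answer(r_b)):        # A -> B: response; B checks it
        return False
    r_a = a.challenge()                           # A -> B: r_A
    return a.check(b.name, b.answer(r_a))         # B -> A: response; A checks it

if __name__ == "__main__":
    k_ab = secrets.token_bytes(32)                # constructed shared key K_AB
    print(mutual_auth(Party(b"A", k_ab), Party(b"B", k_ab)))
    print(mutual_auth(Party(b"A", secrets.token_bytes(32)), Party(b"B", k_ab)))
```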
Secret Key Encryption:
Key Management Problem
Problem: N principals: N^2 keys (2^N keys for groups)
Solution: Key Distribution Center (KDC)
Every principal shares a key with KDC. (N keys needed for this)
KDC is trusted host:
• Generates keys only as needed.
• Communicates those keys to parties.
Kerberos is an example. Mostly used for authentication /
authorization in distributed systems (and not for secrecy).
Public Key Cryptography
Must you already share a secret to share another?
Step                                        key needed
A: Secret in chest; Secure with Lock_A      A
A→B: Chest with Lock_A                      A
B→A: Chest with Lock_A and Lock_B           A, B
A: Remove Lock_A                            B
A→B: Chest with Lock_B                      B
B: Remove Lock_B. Remove secret             __
Key is a secret in chest. Lock is 1-way trap-door function.
Public Key Cryptography:
Encryption and Decryption
Notation:
K_A: public key for A (upper case K)
k_A: private key for A (lower case k)
For key pair K,k:
E(m,K): encrypt m with public key K
D(x, k): decrypt x with private key k
Properties:
D( E(m,K), k) = m
E( D(m,k), K) = m   (Optional)
E and D are expensive on long messages.
Public Key Cryptography:
Encryption Algorithms


RSA (Rivest-Shamir-Adleman): Based on factoring large numbers and computing
logarithms in finite fields. Patent rights expire in 2000.
Elliptic Curve Cryptography: The “new, new thing”; not everyone believes this
is secure.
Public Key Cryptography:
Digital signatures
{msg}_FBS denotes message msg signed by k_FBS
msg: Buy 100 QCOM for $132. -FBS
D( h( msg ), k_FBS)
h( msg ) =? E( D( h( msg ), k_FBS), K_FBS)   … to check signature validity
Public Key Cryptography:
Properties of Cryptographic Hash
hash function: Encryption without keys!
Variable length input → Fixed length output (100-1000 bits).
Infeasible to
– determine input from output.
– find an input that has a particular (desired) output.
– find 2 inputs that have the same output.
Changing one bit (or more) in input leads to completely different output.
Examples of hash functions: MD5, SHA
Public Key Cryptography:
Certificates
Problem: How do principals learn others’ public
keys?
Solution: Employ a certification authority (CA):
– Trusted server that generates certificates
{ Fred, K_Fred }_Verasign
when presented with evidence of principal’s identity.
– All hosts pre-configured with K_Verasign.
– CA need not be on-line.
– Certificates can be stored anyplace and forwarded
anywhere as needed.
Public Key Cryptography:
Revocation of Certificates
Problem: Compromise of a private key.
Solutions:
– Associate expiration dates with certificates.
Risk: Period from compromise to expiration.
– Periodically issue certificate revocation list (CRL).
Risk: Denial of service to delay CRL arrival.
– Support re-validation of certificates use.
Public Key Cryptography:
Multiple Certification Authorities
Problem: Having a single CA is unrealistic!
Nothing is trusted by everyone!
Performance must scale.
Solution: Multiple CAs. To find K_A, find:
– If have K_CA then find a certificate {A, K_A}_CA
– Else find K_CA1 for first link in chain:
{CA2, K_CA2}_CA1 {CA3, K_CA3}_CA2 … {CA7, K_CA7}_CA6 {A, K_A}_CA7
Each certificate may be managed by a different CA.
What’s in a name? That’s the real problem…
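The signature check from the digital-signatures slide and the certificate-chain walk from this slide, combined in one added example that is not part of the original slides. It assumes toy textbook RSA over fixed Mersenne primes and a made-up certificate encoding; keypair, body, cert and resolve are hypothetical names, and the CA1 → CA2 → FBS chain is constructed.

```python
import hashlib

# Toy RSA built on well-known Mersenne primes. Constructed for illustration:
# textbook RSA without padding, on primes like these, is not secure.
E = 65537

def keypair(a: int, b: int):
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public K, private k)

def h(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, k) -> int:                 # D(h(msg), k)
    n, d = k
    return pow(h(msg, n), d, n)

def verify(msg: bytes, sig: int, K) -> bool:    # h(msg) =? E(sig, K)
    n, e = K
    return 0 <= sig < n and pow(sig, e, n) == h(msg, n)

def body(name: str, K) -> bytes:                # the signed part of a certificate
    return f"{name}|{K[0]}|{K[1]}".encode()

def cert(name: str, K, issuer_k) -> dict:       # {name, K}_issuer
    return {"name": name, "K": K, "sig": sign(body(name, K), issuer_k)}

def resolve(chain, trusted_K, subject: str):
    """Walk {CA2, K_CA2}_CA1 ... {A, K_A}_CAn from a key already trusted.
    Return the subject's public key, or None if any link fails to verify."""
    K = trusted_K
    for c in chain:
        if not verify(body(c["name"], c["K"]), c["sig"], K):
            return None
        K = c["K"]
    return K if chain and chain[-1]["name"] == subject else None

# Constructed sample: CA1 (pre-configured) -> CA2 -> FBS
K_CA1, k_CA1 = keypair(521, 607)
K_CA2, k_CA2 = keypair(107, 127)
K_FBS, k_FBS = keypair(61, 89)
CHAIN = [cert("CA2", K_CA2, k_CA1), cert("FBS", K_FBS, k_CA2)]
MSG = b"Buy 100 QCOM for $132. -FBS"
SIG = sign(MSG, k_FBS)
```

A verifier holding only K_CA1 calls resolve(CHAIN, K_CA1, "FBS") and then verify(MSG, SIG, ...) with the returned key; changing any name or key inside a certificate breaks the link that signed it.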
Public Key Cryptography:
Web of Trust
Problem: Having a single CA is unrealistic!
Nothing is trusted by everyone!
Performance must scale.
Solution: Have principals endorse certificates.
– If receive enough endorsements from principals
that you trust, then you decide binding is correct.
– Revocation is difficult to manage.
– Introduced in PGP mail system.
Public Key Cryptography:
Public Key Infrastructure

Creation of certificates.
Dissemination of certificates.
Revocation of certificates.
Key escrow.
– Allow recovery of data encrypted by an old key.
Data archives with old keys.
Misuse of Cryptography
Software-implemented content protection is a flawed
idea.
Example: DVD encryption:
DVD encrypted using CSS (content scrambling system) 40 bit key. Weak key!
Every DVD player comes with several “unlock” keys.
Every DVD stores 400 copies of content decryption key; each copy is encrypted
with a different “unlock” key.
Content decryption key must appear in the clear.
With secure hardware, scheme would work…
11/1/99: DVDs effectively no longer have their content protected. But
copyright law still applies.
Misplaced Trust

Trust a certificate? Better trust the issuing CA!
– Anyone can assign a name.
– Anyone can assume a name.

Is your signing key secure?
– Virus and malicious code attacks
– (Guessable) password protected?