Slides 0x02

CS457 – Introduction to Information Systems Security
Cryptography 1b
Elias Athanasopoulos
elathan@ics.forth.gr
Cryptography Elements
• Symmetric Encryption
  - Block Ciphers
  - Stream Ciphers
• Asymmetric Encryption
• Cryptographic Hash Functions
• Applications
CS-457
Elias Athanasopoulos
2
The need for randomness
• Key distribution
• Replay attacks (nonces)
• Session key generation
• Generation of keys for the RSA public-key encryption algorithm
• Stream ciphers
Randomness
• Uniform distribution
  - The distribution of bits in the sequence should be uniform; that is, the frequency of occurrence of ones and zeros should be approximately equal.
• Independence
  - No one subsequence in the sequence can be inferred from the others.
• Security requirement
  - Unpredictability
Random Generator Types
• True Random Number Generators (TRNGs)
• Pseudo-random Number Generators (PRNGs)
• Pseudo-random Functions (PRFs)
TRNGs
PRNGs
r = f(seed);
Requirements
• Uniformity
  - Occurrence of a zero or one is equally likely. The expected number of zeros (or ones) is n/2, where n = the sequence length.
• Scalability
  - Any test applicable to a sequence can also be applied to subsequences extracted at random. If a sequence is random, then any such extracted subsequence should also be random.
• Consistency
  - The behavior of a generator must be consistent across starting values (seeds).
Tests
• Frequency test
  - Determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence.
• Runs test
  - Determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence.
• Maurer’s universal statistical test
  - Detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random.
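The frequency and runs tests above, written out as an added example (not part of the original slides). It uses the p-value formulas of NIST SP 800-22; the 0.01 significance level and the three sample sequences are constructed for illustration.

```python
import math

def frequency_test(bits):
    """Frequency (monobit) test: p-value for the balance of ones and zeros."""
    n = len(bits)
    s = abs(sum(1 if b else -1 for b in bits))  # +1 per one, -1 per zero
    return math.erfc(s / math.sqrt(2 * n))

def runs_test(bits):
    """Runs test: p-value for the number of runs (maximal blocks of equal bits)."""
    n = len(bits)
    pi = sum(bits) / n  # proportion of ones
    # SP 800-22 prerequisite: an unbalanced sequence fails without counting runs.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(runs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def assess(bits, alpha=0.01):
    """Return (frequency p-value, runs p-value, passed both at level alpha)."""
    f, r = frequency_test(bits), runs_test(bits)
    return f, r, f >= alpha and r >= alpha

# Constructed sample sequences, 1000 bits each.
SAMPLES = {
    "all ones": [1] * 1000,             # fails the frequency test
    "alternating": [0, 1] * 500,        # balanced, but far too many runs
    "0011 blocks": [0, 0, 1, 1] * 250,  # passes both, yet trivially predictable
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        f, r, ok = assess(bits)
        print(f"{name:12s} frequency p={f:.3g} runs p={r:.3g} pass={ok}")
```

The "0011 blocks" sequence passes both tests although every bit is predictable, which is why unpredictability is a separate requirement from statistical randomness.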
Unpredictability
• Forward unpredictability
  - If the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence.
• Backward unpredictability
  - It should also not be feasible to determine the seed from knowledge of any generated values. No correlation between a seed and any value generated from that seed should be evident; each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2.
Seed
Cryptographic PRNGs
• Purpose-built algorithms
  - Designed specifically and solely for the purpose of generating pseudorandom bit streams.
  - Stream ciphers
• Algorithms based on existing cryptographic algorithms
  - Cryptographic algorithms have the effect of randomizing input. Indeed, this is a requirement of such algorithms. Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
    - Symmetric block ciphers
    - Asymmetric ciphers
      - RSA, compute primes
    - Hash functions and message authentication codes
Example
X_{n+1} = (a·X_n + c) mod m
Selection of a, c, and m is very critical:
• a=7, c=0, m=32
  - {7, 17, 23, 1, 7, etc.}
• a=5
  - {5, 25, 29, 17, 21, 9, 13, 1, 5, etc.}
• In theory m should be very large (2^31)
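The two sequences on this slide reproduced in code, as an added example that is not part of the original slides. The seed X_0 = 1 is an assumption (the slide does not state it), and the example goes beyond the slide by checking the Hull-Dobell conditions for a full period of m; the parameter set a=5, c=1, m=32 is constructed for that check.

```python
from math import gcd

def lcg(a, c, m, seed):
    """Yield X_1, X_2, ... for X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def outputs_until_repeat(a, c, m, seed):
    """Collect outputs until a value repeats; its length bounds the usable output."""
    seen, out = set(), []
    for x in lcg(a, c, m, seed):
        if x in seen:
            return out
        seen.add(x)
        out.append(x)

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small moduli)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def has_full_period(a, c, m):
    """Hull-Dobell theorem: the period is m for every seed iff all three hold."""
    return (gcd(c, m) == 1
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))

if __name__ == "__main__":
    SEED = 1  # assumed X_0
    for a, c, m in [(7, 0, 32), (5, 0, 32), (5, 1, 32)]:
        seq = outputs_until_repeat(a, c, m, SEED)
        print(f"a={a} c={c} m={m}: period {len(seq)}, "
              f"full={has_full_period(a, c, m)}, first outputs {seq[:8]}")
```

A full period only removes the short cycles; each output is still the generator's entire state, so the next value follows from the current one and the forward-unpredictability requirement is not met.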
Stream ciphers
RC4
/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap (S[i], S[j]);
/* Stream Generation */
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap (S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];
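A runnable version of the three phases above, as an added example that is not part of the original slides. It goes one step past the pseudocode by XORing each keystream byte k with the data, which is how the keystream is used for both encryption and decryption; the key and plaintext pairs are widely published RC4 test vectors.

```python
def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes k, following the slide's three phases."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Initialization: S is the identity permutation, T repeats the key.
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    # Initial permutation of S, driven by the key material in T.
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Stream generation: one keystream byte per iteration.
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR is its own inverse, so one function does both."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

# Published test vectors: (key, plaintext, ciphertext as hex).
VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
]

if __name__ == "__main__":
    for key, plaintext, expected in VECTORS:
        ciphertext = rc4_xor(key, plaintext)
        print(key, ciphertext.hex(), ciphertext.hex() == expected,
              rc4_xor(key, ciphertext) == plaintext)
```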
More maths
• Any integer a > 1 can be factored in a unique way as:
Public-Key Cryptography
Properties
• 2 keys
  - Public Key (no secrecy)
  - Private Key (if stolen everything is lost)
• Easy algorithm, but hard to reverse
  - Y = f(X), easy
  - X = f^-1(Y), computationally hard
  - Computationally hard means solvable in nonpolynomial time
RSA
Plaintext = M, cipher = C
C = M^e mod n
M = C^d mod n = (M^e mod n)^d = M^(ed) mod n
Public Key = {e, n}
Private Key = {d, n}
Euler’s totient function
• Written φ(n), and defined as the number of positive integers less than n and relatively prime to n. By convention, φ(1) = 1.
Just believe me that this holds!
(i.e., φ(pq) = φ(p) φ(q))
RSA Steps
• p, q, two prime numbers
  - Private
• n = pq
  - n can be public, but recall that it is hard to infer p and q by just knowing n
• e is relatively prime to φ(n)
  - Public
  - Recall φ(n) = (p-1)(q-1)
• d from e and φ(n)
  - Private
RSA example
1. Select p = 17 and q = 11.
2. Then, n = pq = 17×11 = 187.
3. φ(n) = (p-1)(q-1) = 16×10 = 160.
4. Select e relatively prime to φ(n) = 160 and less than φ(n); e = 7.
5. Determine d
   - de ≡ 1 (mod 160) and d < 160,
   - The correct value is d = 23, because 23 × 7 = 161 = (1 × 160) + 1.
Computational Aspects
• RSA builds on exponents
• Intensive operation
• Side channels
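The RSA example's numbers carried through in code, together with the square-and-multiply exponentiation that the "Computational Aspects" bullets refer to. This is an added example, not part of the original slides; the message M = 88 is a constructed sample, and the toy primes are the slide's own.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def private_exponent(e, phi):
    """Solve d*e = 1 (mod phi) with 0 < d < phi (step 5 of the slide)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return x % phi

def modexp(base, exp, mod):
    """Square-and-multiply: one squaring per exponent bit, one multiply per 1 bit."""
    result, base = 1, base % mod
    while exp:
        # This branch depends on a bit of the exponent. With exp = d, its timing
        # and power profile leak key bits: the side channel the slide names.
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def keypair(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) from the slide's steps 1-5."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (private_exponent(e, phi), n)

PUBLIC, PRIVATE = keypair(17, 11, 7)  # the slide's p, q and e
M = 88                                # constructed sample message, must be < n

if __name__ == "__main__":
    C = modexp(M, *PUBLIC)
    print("public", PUBLIC, "private", PRIVATE)
    print("C =", C, " decrypted M =", modexp(C, *PRIVATE))
```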
How it works?
Integrity and Message Authentication
• Integrity
  - Message digest (e.g., download a file)
• Message Authentication Code (MAC)
  - Used between two parties that share a secret key to authenticate information exchanged between those parties
  - Input is a secret key and a data block and the product is their hash value, referred to as the MAC
  - An attacker who alters the message will be unable to alter the MAC value without knowledge of the secret key
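The difference between a plain message digest and a MAC, as an added example that is not part of the original slides. HMAC-SHA256 is used here as one concrete MAC construction (the slide does not name one); the key and messages are constructed samples.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"         # known only to the two parties
ORIGINAL = b"transfer 10 EUR to alice"      # constructed sample message
ALTERED = b"transfer 9000 EUR to mallory"   # the message after modification in transit

def digest(message):
    """Unkeyed message digest: anyone holding the message can recompute it."""
    return hashlib.sha256(message).digest()

def mac(key, message):
    """Keyed hash of the data block: only key holders can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def digest_ok(message, attached):
    return hmac.compare_digest(digest(message), attached)

def mac_ok(key, message, tag):
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(mac(key, message), tag)

def outcomes():
    """What the receiver concludes in each case."""
    tag = mac(KEY, ORIGINAL)
    return {
        "genuine message, genuine MAC": mac_ok(KEY, ORIGINAL, tag),
        "altered message, original MAC": mac_ok(KEY, ALTERED, tag),
        "altered message, MAC under a guessed key":
            mac_ok(KEY, ALTERED, mac(b"guess", ALTERED)),
        # A digest sent alongside the message can simply be recomputed,
        # so it detects accidental corruption but authenticates nothing.
        "altered message, recomputed digest": digest_ok(ALTERED, digest(ALTERED)),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: accepted={accepted}")
```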
Digital Signatures
• The hash value of a message is encrypted with a user’s private key. Anyone who knows the user’s public key can verify the integrity of the message that is associated with the digital signature.
Simple Hash Functions
Essentially based on compression
Requirements
Applications for Hash Functions
• Passwords
  - Never stored in plain
  - Server stores only the hash value
  - Salt (same plain goes to different hash)
• Cracking
  - GPUs
  - Dictionary attacks
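Salted password storage as described in the bullets above, as an added example that is not part of the original slides. It uses PBKDF2-HMAC-SHA256 instead of a single hash invocation so that each guess in a GPU or dictionary attack costs many hash computations; the iteration count, salt length and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows
SALT_BYTES = 16       # assumed salt length

def make_record(password, salt=None):
    """Build what the server stores: salt, work factor and hash, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": derived}

def check_password(record, attempt):
    """Re-derive with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])

if __name__ == "__main__":
    # Two users pick the same (constructed) password.
    alice = make_record("correct horse battery")
    bob = make_record("correct horse battery")
    # Different salts give different hashes, so one precomputed dictionary
    # cannot be reused across accounts and equal passwords are not visible.
    print("same stored hash:", alice["hash"] == bob["hash"])
    print("right password:", check_password(alice, "correct horse battery"))
    print("wrong password:", check_password(alice, "correct horse batter"))
```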