CS457 – Introduction to Information Systems Security
Cryptography 1b
Elias Athanasopoulos
elathan@ics.forth.gr

Cryptography Elements
- Symmetric Encryption
  - Block Ciphers
  - Stream Ciphers
- Asymmetric Encryption
- Cryptographic Hash Functions
- Applications

The need for randomness
- Key distribution
- Replay attacks (nonces)
- Session key generation
- Generation of keys for the RSA public-key encryption algorithm
- Stream ciphers

Randomness
- Uniform distribution
  - The distribution of bits in the sequence should be uniform; that is, the frequency of occurrence of ones and zeros should be approximately equal.
- Independence
  - No one subsequence in the sequence can be inferred from the others.
- Security requirement
  - Unpredictability

Random Generator Types
- True Random Number Generators (TRNGs)
- Pseudo-random Number Generators (PRNGs)
- Pseudo-random Functions (PRFs)

TRNGs

PRNGs

    r = f(seed);

Requirements
- Uniformity
  - Occurrence of a zero or one is equally likely. The expected number of zeros (or ones) is n/2, where n = the sequence length.
- Scalability
  - Any test applicable to a sequence can also be applied to subsequences extracted at random. If a sequence is random, then any such extracted subsequence should also be random.
- Consistency
  - The behavior of a generator must be consistent across starting values (seeds).

Tests
- Frequency test
  - Determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence.
- Runs test
  - Determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence.
- Maurer's universal statistical test
  - Detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random.

Unpredictability
- Forward unpredictability
  - If the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence.
- Backward unpredictability
  - It should also not be feasible to determine the seed from knowledge of any generated values. No correlation between a seed and any value generated from that seed should be evident; each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2.

Seed

Cryptographic PRNGs
- Purpose-built algorithms
  - Designed specifically and solely for the purpose of generating pseudorandom bit streams.
- Algorithms based on existing cryptographic algorithms
  - Cryptographic algorithms have the effect of randomizing input. Indeed, this is a requirement of such algorithms. Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
    - Symmetric block ciphers
      - Stream ciphers
    - Asymmetric ciphers
      - RSA, compute primes
    - Hash functions and message authentication codes

Example

    X_{n+1} = (a X_n + c) mod m

- Selection of a, c, and m is very critical:
  - a=7, c=0, m=32
    - {7, 17, 23, 1, 7, etc.}
  - a=5
    - {5, 25, 29, 17, 21, 9, 13, 1, 5, etc.}
- In theory m should be very large (2^31)

Stream ciphers

RC4

    /* Initialization */
    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];

    /* Initial Permutation of S */
    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        Swap (S[i], S[j]);

    /* Stream Generation */
    i, j = 0;
    while (true)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        Swap (S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];    /* k is the next keystream byte */

More maths
Any integer a > 1 can be factored in a unique way as:

Public-Key Cryptography

Properties
- 2 keys
  - Public Key (no secrecy)
  - Private Key (if stolen everything is lost)
- Easy algorithm, but hard to reverse
  - Y = f(X), easy
  - X = f^-1(Y), computationally hard
  - Computationally hard means solvable in nonpolynomial time

RSA
- Plaintext = M, cipher = C
- C = M^e mod n
- M = C^d mod n = (M^e mod n)^d = M^(ed) mod n
- Public Key = {e, n}
- Private Key = {d, n}

Euler's totient function
Written φ(n), and defined as the number of positive integers less than n and relatively prime to n. By convention, φ(1) = 1.

Just believe me that this holds! (i.e., φ(pq) = φ(p) φ(q))

RSA Steps
- p, q, two prime numbers
  - Private
- n = pq
  - n can be public, but recall that it is hard to infer p and q by just knowing n
- e is relatively prime to φ(n)
  - Public
  - Recall φ(n) = (p-1)(q-1)
- d from e and φ(n)
  - Private

RSA example
1. Select p = 17 and q = 11
2. Then, n = pq = 17×11 = 187.
3. φ(n) = (p-1)(q-1) = 16×10 = 160.
4. Select e relatively prime to φ(n) = 160 and less than φ(n); e = 7.
5. Determine d
   - de = 1 (mod 160) and d < 160
   - The correct value is d = 23, because 23 × 7 = 161 = (1 × 160) + 1

Computational Aspects
- RSA builds on exponents
- Intensive operation
- Side channels

How it works?

Integrity and Message Authentication
- Integrity
  - (e.g., download a file)
- Message digest
- Message Authentication Code (MAC)
  - Used between two parties that share a secret key to authenticate information exchanged between those parties
  - Input is a secret key and a data block and the product is their hash value, referred to as the MAC
  - An attacker who alters the message will be unable to alter the MAC value without knowledge of the secret key

Digital Signatures
The hash value of a message is encrypted with a user's private key. Anyone who knows the user's public key can verify the integrity of the message that is associated with the digital signature.

Simple Hash Functions

Essentially based on compression

Requirements

Applications for Hash Functions
- Passwords
  - Never stored in plain
  - Server stores only the hash value
  - Salt (same plain goes to different hash)
- Cracking
  - GPUs
  - Dictionary attacks
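Added example (not part of the original slides): the generator from the "Example" slide, run through the frequency and runs tests from the "Tests" slide and checked against the "Unpredictability" requirement. The seed X0 = 1 is an assumption chosen because it reproduces the slide's sequences; the function names are illustrative.

```python
import math

def lcg(a, c, m, x0, count):
    """Return `count` outputs of X_{n+1} = (a*X_n + c) mod m after seed x0."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out

def period(a, c, m, x0):
    """Length of the cycle the generator falls into when started at x0."""
    first_seen, x, step = {}, x0, 0
    while x not in first_seen:
        first_seen[x] = step
        x = (a * x + c) % m
        step += 1
    return step - first_seen[x]

def to_bits(values, width):
    """Concatenate the `width`-bit big-endian encoding of each value."""
    return [(v >> i) & 1 for v in values for i in reversed(range(width))]

def frequency_test(bits):
    """Monobit p-value (NIST SP 800-22 form); p < 0.01 is read as non-random."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def count_runs(bits):
    """Number of maximal runs of identical bits (the runs-test statistic)."""
    return 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)

def predict_next(observed, a, c, m):
    """Forward unpredictability fails: one output fixes every later one."""
    return (a * observed + c) % m

if __name__ == "__main__":
    for a in (7, 5):                    # the slide's two multipliers, c=0, m=32
        seq = lcg(a, 0, 32, 1, 64)      # X0 = 1 is an assumption, see lead-in
        whole, low = to_bits(seq, 5), [v & 1 for v in seq]
        print(a, seq[:9], "period", period(a, 0, 32, 1))
        print("  monobit p, all bits:", frequency_test(whole))
        print("  monobit p, low bit :", frequency_test(low), "runs:", count_runs(low))
        print("  next after", seq[-1], "->", predict_next(seq[-1], a, 0, 32))
```

Both parameter choices have perfectly balanced ones and zeros over the full 5-bit stream, so the frequency test alone passes them, yet the low bit is constant and the period is only 4 or 8. Passing one statistical test says nothing about unpredictability.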
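Added example (not part of the original slides): the "RSA example" slide carried through in code, with d derived by the extended Euclidean algorithm, φ(pq) = φ(p)φ(q) checked by brute force, and a square-and-multiply exponentiation that counts its operations to show where the "Side channels" bullet comes from. The message M = 88 and all function names are assumptions made for illustration; the key sizes are toy values.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def phi_bruteforce(n):
    """Euler's totient by definition: count 1 <= k < n with gcd(k, n) == 1."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)

def make_keys(p, q, e):
    """Return ((e, n), (d, n)) following the slide's steps."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (x % phi, n)

def modexp(base, exp, n):
    """Left-to-right square-and-multiply: (result, squarings, multiplies)."""
    result, squarings, multiplies = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % n
        squarings += 1
        if bit == "1":          # extra multiply happens only for 1 bits
            result = result * base % n
            multiplies += 1
    return result, squarings, multiplies

if __name__ == "__main__":
    public, private = make_keys(17, 11, 7)
    m = 88                      # constructed sample message, must be < n
    c, *_ = modexp(m, *public)
    back, sq, mul = modexp(c, *private)
    print(public, private, "phi(187) =", phi_bruteforce(187))
    print("C =", c, "M =", back, "| decrypt:", sq, "squarings,", mul, "multiplies")
```

The number of multiplies equals the number of 1 bits in the exponent, so the running time of this naive loop depends on the private key d. Production libraries use constant-time exponentiation and blinding for that reason.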
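Added example (not part of the original slides): the password bullets from "Applications for Hash Functions", showing an unsalted hash next to a salted, iterated one. The user names, passwords, the PBKDF2 choice and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000   # assumed PBKDF2 work factor; raises the cost of every guess

def unsalted_hash(password):
    """The weak scheme: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode()).digest()

def hash_password(password, iterations=ITERATIONS):
    """Return the record the server stores: (salt, iterations, digest)."""
    salt = os.urandom(16)                       # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def shared_hashes(stored):
    """Group user names whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    users = {"alice": "letmein", "bob": "tr0ub4dor", "carol": "letmein"}
    weak = {u: unsalted_hash(p) for u, p in users.items()}
    records = {u: hash_password(p) for u, p in users.items()}
    strong = {u: r[2] for u, r in records.items()}
    print("unsalted, same hash:", shared_hashes(weak))    # alice and carol collide
    print("salted, same hash  :", shared_hashes(strong))  # no collisions
    print("login ok :", verify_password("letmein", records["alice"]))
    print("login bad:", verify_password("letmeim", records["alice"]))
```

Without a salt, one precomputed dictionary applies to every account and equal passwords are visible in the database; with a per-account salt and a high iteration count, each guess has to be recomputed per user at full cost.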