Chapter 2: Foundations

The problem of providing secret communication over insecure media is the most traditional and basic problem of cryptography.

◎Foundations
Terminology: sender vs. receiver; messages vs. encryption; plaintext; encryption vs. decryption; algorithms vs. ciphers; symmetric algorithms vs. public-key algorithms; cryptanalysis; security of cryptosystems; classical cryptography vs. PKC.

[Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Original Plaintext]

A cryptographic algorithm, also called a cipher, is the mathematical function used for encryption and decryption. To encrypt a plaintext message, apply an encryption algorithm to the plaintext. To decrypt a ciphertext, apply a decryption algorithm to the ciphertext.

◎Foundations
E(P) = C, D(C) = P, and so D(E(P)) = P. Describe these terms: P, C, E, D?

If the security of an algorithm is based on keeping the nature of the algorithm secret, it is called a RESTRICTED algorithm.

There are two general forms of key-based algorithms: symmetric and public-key. Symmetric algorithms are algorithms where the encryption key can be calculated from the decryption key and vice versa. In many such systems, the encryption key and the decryption key are the same.

    E_k(P) = C               vs.    E_k1(P) = C
    D_k(C) = P                      D_k2(C) = P
    D_k(E_k(P)) = P                 D_k2(E_k1(P)) = P

◎Foundations
PS. Symmetric algorithms are also called secret-key, single-key or one-key algorithms. Symmetric algorithms can also be divided into two categories: (a) stream algorithms or stream ciphers; (b) block algorithms or block ciphers.

[Figure: symmetric: one KEY shared by Encryption and Decryption; Plaintext -> Encryption -> Ciphertext -> Decryption -> Original Plaintext. Public-key: Encryption uses the public key, Decryption uses the private key.]

◎Foundations
In this class, ALGORITHM will refer specifically to the MATHEMATICAL TRANSFORMATIONS for encryption and decryption. CRYPTOSYSTEM will refer to the algorithm, plus the way in which it is implemented.
There are three kinds of cryptographic functions: hash functions, secret key functions, and public key functions. We will describe what each kind is, and what it is useful for. Public key cryptography involves the use of two keys. Secret key cryptography involves the use of one key. Hash functions involve the use of zero keys! Try to imagine what that could possibly mean, and what use it could possibly have: an algorithm everyone knows with no secret key, and yet it has uses in security.

◎Foundations
CRYPTANALYSIS: there are six kinds of attack, listed here in order of difficulty:
(1) Ciphertext-only attack.
    Given: C_1 = E_k(P_1), ..., C_i = E_k(P_i)
    Deduce: either P_1, P_2, ..., P_i; k; or an algorithm to infer P_{i+1} from C_{i+1} = E_k(P_{i+1})
(2) Known-plaintext attack.
    Given: P_1, C_1 = E_k(P_1), ..., P_i, C_i = E_k(P_i)
    Deduce: either k, or an algorithm to infer P_{i+1} from C_{i+1} = E_k(P_{i+1})
(3) Chosen-plaintext attack.
    Given: as above, where the cryptanalyst chooses P_1, P_2, ..., P_i
    Deduce: as above

◎Foundations
(4) Adaptive-chosen-plaintext attack. The plaintexts are chosen dynamically: the result obtained from the first choice determines the plaintext/ciphertext pair chosen next.
(5) Chosen-ciphertext attack. Given several "ciphertext -> plaintext" pairs, find the key k.
(6) Chosen-key attack. This is not an attack when you are given the key. It is strange and obscure, not very practical.

◎Foundations
Security of Cryptosystems
All algorithms but one are theoretically breakable, given enough time and computing resources. If the time and money required to break an algorithm is more than the value of the encrypted data, then it is probably safe. An algorithm that is not breakable in practice is SECURE.
Unconditionally secure vs. computationally secure: only a one-time pad is unbreakable given infinite resources (its key is longer than the plaintext). (As for the former, the management cost of such a use-the-key-only-once method is high.)
The amount of computing time and power required to recover the encryption key is called the WORK FACTOR, and is expressed as an order of magnitude.

◎Foundations
A cryptosystem is also called a CODE or a CIPHER.
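As an added illustration (not part of the lecture slides), the Python below runs attack models (1) and (2) and the one-time-pad condition above against the simple XOR stream cipher P XOR K = C introduced on the next slide; the key, the messages and the function names are constructed for this example.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def simple_xor(data: bytes, key: bytes) -> bytes:
    """Simple XOR stream cipher: C = P XOR K.  When K is shorter than P the key is
    repeated, which is the weak (non-one-time-pad) case.  Because
    (P XOR K) XOR K = P, the same function also decrypts."""
    stream = (key * (len(data) // len(key) + 1))[:len(data)]
    return xor_bytes(data, stream)

def known_plaintext_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Attack model (2), known-plaintext: one (P_1, C_1) pair yields
    K = P_1 XOR C_1 directly, after which any later C_{i+1} is readable."""
    return xor_bytes(plaintext[:key_len], ciphertext[:key_len])

def ciphertext_only_key_reuse(c1: bytes, c2: bytes) -> bytes:
    """Attack model (1), ciphertext-only, when one key encrypts two messages:
    C_1 XOR C_2 = P_1 XOR P_2.  The key cancels, so the analyst learns the
    relation between the plaintexts without ever recovering k."""
    return xor_bytes(c1, c2)

def one_time_pad(plaintext: bytes) -> tuple:
    """Unconditionally secure use: a fresh random key at least as long as the
    plaintext, used exactly once.  Returns (ciphertext, key)."""
    key = secrets.token_bytes(len(plaintext))
    return simple_xor(plaintext, key), key

def main():
    k = b"SECRET"                                   # constructed short key, reused below
    p1, p2 = b"ATTACK AT DAWN", b"HOLD THE LINE!"   # constructed messages of equal length
    c1, c2 = simple_xor(p1, k), simple_xor(p2, k)
    recovered = known_plaintext_key(p1, c1, len(k))
    print("recovered key:", recovered, "-> second message:", simple_xor(c2, recovered))
    print("P1 XOR P2 leaks from C1 XOR C2:", ciphertext_only_key_reuse(c1, c2) == xor_bytes(p1, p2))
    otp_ct, otp_key = one_time_pad(p1)
    print("one-time pad round trip:", simple_xor(otp_ct, otp_key) == p1)

if __name__ == "__main__":
    main()
```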
Reference: Substitution Ciphers & Transposition Ciphers. This is a classical cryptosystem; DES and Simple XOR both belong to this category. Simple XOR is called a stream cipher:
    P XOR K = C
    C XOR K = P
    (P XOR K) XOR K = P

Course outline:
1. Foundations, including terminology and concepts of cryptography.
2. Cryptographic Protocols, including protocol building blocks (secure cryptographic module), basic protocols (key exchange, authentication, secret sharing, etc.), intermediate protocols (subliminal channel, group signature, key escrow, etc.), advanced protocols (zero-knowledge proofs, blind signature, oblivious transfer, etc.), esoteric protocols (secure elections, anonymous broadcast, digital cash, etc.).
3. Cryptographic Techniques, including key length, key management, and the use of algorithms.
4. Cryptographic Algorithms, including mathematical backgrounds, DES and other block ciphers, one-way hash functions, public key cryptosystems.
5. Example Implementations, including some well-known commercial products and standards.

A protocol is a series of steps, involving two or more parties, designed to accomplish a task.
[Figure: arbitrated protocol. Trent, the arbitrator (a trusted third party), sits between Alice and Bob. An adjudicator is necessary in case of dispute.]
[Figure: adjudicated protocol. Alice and Bob exchange messages directly; the evidence goes to Trent only after the fact.]

Key Exchange (KE)
A session key is used for only one particular communication session. {A common cryptographic technique is to encrypt each individual conversation between two people with a separate key.}
Q: How is such a session key k delivered securely to both the sender and the receiver?
Ans: Several proposals ...

(I) KE with symmetric cryptography (assuming the KDC has already given secret keys to A and B)
    (1) A -> KDC: request that a session key k be produced
    (2) KDC -> A: E_SKA(k) and E_SKB(ID_A, k)
    (3) A: D_SKA(E_SKA(k)) = k;  A -> B: E_SKB(ID_A, k)
    (4) B: D_SKB(E_SKB(ID_A, k)) = (ID_A, k)
    (5) A and B can use k from now on.
    If the KDC is compromised by an outsider, Mallet, the result is disastrous! (Because this protocol is based on symmetric cryptography, a KDC/TTP takes the place of a CA here.)

A digital signature built on conventional (symmetric) encryption can only work with the help of a trusted third party. {See the figure below.}
[Figure: 1. Alice -> Bob: C = E_ka(M);  2. Bob -> TTP: C;  TTP: M = D_ka(C), C' = E_kb(M);  3. TTP -> Bob: C';  Bob: M = D_kb(C')]
Alice and Bob have not agreed on a session key; instead each of them has agreed a session key with the TTP, ka and kb respectively. Alice sends C = E_ka(M). On receiving the ciphertext, Bob forwards it directly to the TTP, which decrypts it with the session key agreed with Alice (M = D_ka(C)), encrypts it again with the session key agreed with Bob (C' = E_kb(M)) and sends it to Bob, who recovers M = D_kb(C').

(II) KE with public-key cryptography
    (1) B -> A: PK_B   {B sending its own public key directly to A really is a strange move!}
    (2) A: produce k (randomly);  A -> B: PK_B(k)
    (3) B: SK_B(PK_B(k)) = k
    (4) A and B can use k from now on.
    Employing public keys without a CA's support? (See the next page for more details.)
    Although this protocol uses PKC, it is far too simplified, because (1) there is no CA's help, (2) the man-in-the-middle attack is not considered, and (3) A's identity is not even authenticated! (This is understandable if we have no concept of a CA yet.)

(III) KE with public-key cryptography using a public-key database
    (1) A -> (CA-like database): obtain PK_B
    (2) A: produce k (randomly);  A -> B: PK_B(k)
    (3) B: SK_B(PK_B(k)) = k
    (4) A and B can use k from now on.
    If an intruder, M, sits between A and B posing as the database, the attack is called a Man-in-the-Middle Attack (refer to the next page now).
    Point: protocols of this class need the two communicating parties A and B to be able to verify each other, i.e. mutual authentication; if the CA's help is needed, then A/B and the CA must also authenticate each other. Note that both protocols above lack mutual authentication and are therefore insecure.

Man-in-the-middle attack (Mallet sits between Alice and Bob):
    (1) A -> B: PK_A        Mallet -> B: PK_M   {Mallet replaces PK_A with PK_M}
    (2) B -> A: PK_B        Mallet -> A: PK_M   {Mallet replaces PK_B with PK_M}
    (3) A -> B: E_PKM(M)    {Alice encrypts M with Bob's public key, she thought}
        Mallet: D_SKM(E_PKM(M)) = M;  Mallet -> B: E_PKB(M)
    (4) Similarly, when Bob sends message M' to Alice, Mallet plays the same trick.

Rivest & Shamir proposed the Interlock Protocol against this (man-in-the-middle) attack: {a secure protocol for A to obtain an important message m_B from B}
    (1) A -> B: PK_A
    (2) B -> A: PK_B
    (3) A -> B: half of PK_B(m_A) = α   {e.g. only the odd-numbered bits, or a hash of m_A}
    (4) B -> A: half of PK_A(m_B) = γ
    (5) A -> B: the other half of PK_B(m_A) = β
    (6) B: SK_B(α, β) = m_A;  B -> A: the other half of PK_A(m_B) = δ   {note that this protocol aims to protect m_B}
    (7) A: SK_A(γ, δ) = m_B
    Why this design? m_A should be information from which Bob can authenticate Alice's identity. Because half a ciphertext cannot be decrypted, once you have sent out that half there is no turning back! Think about it: if M intercepts the messages of A and B and substitutes his own, the two messages have no relation to each other; in short, M can only fool both sides.

(IV) KE with digital signatures
Introducing digital signatures prevents the man-in-the-middle attack during KE: because the KDC signs A's and B's public keys with its own private key, A and B can use the KDC's public key to verify that the public key each received belongs to the intended correspondent. The KDC's function here resembles that of today's CA.
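An added example, not from the slides: a Python simulation of protocol (I), KE with symmetric cryptography, in which E_SK/D_SK are stood in for by an HMAC-SHA256 keystream plus tag (a constructed toy, not DES). It shows the KDC's two messages, Bob's check that the ticket names Alice, and the rejection of a ticket altered in transit.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into a keystream: HMAC-SHA256 in counter mode."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_SK on the slides: encrypt-then-MAC, so an altered message is rejected."""
    nonce = secrets.token_bytes(16)
    ct = bytes(d ^ s for d, s in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key: bytes, blob: bytes) -> bytes:
    """Stand-in for D_SK: check the tag in constant time before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: bad tag (tampered, or not encrypted under this key)")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    # trusted third party that already shares a secret key SK_X with each principal X
    def __init__(self): self.sk = {}
    def register(self, name: str) -> bytes:
        self.sk[name] = secrets.token_bytes(32)
        return self.sk[name]
    def issue(self, requester: str, peer: str) -> tuple:
        """Step (2): E_SKA(k) for the requester and the ticket E_SKB(ID_A, k) for the peer."""
        k = secrets.token_bytes(32)
        return E(self.sk[requester], k), E(self.sk[peer], requester.encode() + b"|" + k)

def run_exchange(kdc: KDC, sk_a: bytes, sk_b: bytes, tamper: bool = False) -> bool:
    """Steps (1)-(5): True when both end with the same k, False when Bob rejects the ticket."""
    for_a, ticket = kdc.issue("Alice", "Bob")       # (1)-(2): Alice asks, KDC answers
    k_a = D(sk_a, for_a)                            # (3): Alice recovers k and forwards the ticket
    if tamper:                                      # simulated modification in transit
        ticket = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
    try:
        id_a, k_b = D(sk_b, ticket).split(b"|", 1)  # (4): Bob opens E_SKB(ID_A, k)
    except ValueError:
        return False
    if id_a != b"Alice":                            # Bob checks whom the key is bound to
        raise ValueError("ticket not issued for Alice")
    return k_a == k_b                               # (5): A and B now share k

def demo() -> tuple:
    """Returns (honest run, tampered run), expected (True, False)."""
    kdc = KDC()
    sk_a, sk_b = kdc.register("Alice"), kdc.register("Bob")
    return run_exchange(kdc, sk_a, sk_b), run_exchange(kdc, sk_a, sk_b, tamper=True)
```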
(V) Key and Message Transmission
In the protocol below, Alice sends Bob the message M without any previous key-exchange (KE) protocol:
    (1) A: produce a random session key k and encrypt the message M: E_k(M) = α
    (2) A -> KDC: obtain PK_B
    (3) A: E_PKB(k) = β
    (4) A -> B: α, β
    (5) B {to strengthen security, A may also sign: E_SKA(α, β)}: D_PKA(E_SKA(α, β)) = (α, β); D_SKB(E_PKB(k)) = k; D_k(E_k(M)) = M
This is how public-key cryptography is most often used in a communications system. It can be combined with digital signatures, timestamps, and any other security protocols.

(VI) Key and Message Broadcast (an extension of the previous protocol)
Alice can send the encrypted message to Bob, Carol, and Dave:
    (1) A: E_k(M)
    (2) A -> KDC: obtain PK_B, PK_C, PK_D
    (3) A -> Bob, Carol, and Dave: E_PKB(k), E_PKC(k), E_PKD(k) and E_k(M)
    (4) Only Bob, Carol, and Dave can decrypt the key k, each using his or her private key.
    (5) Only Bob, Carol, and Dave can decrypt Alice's message using k.
By now we appreciate how necessary it is for every link in the chain to hold (mutual authentication).

Some things you should know:
Privacy: the ability to keep anyone but the intended recipient from reading the message.
Authentication: reassurance to the recipient of the identity of the sender.
Integrity: reassurance to the recipient that the message has not been altered since it was transmitted by the sender.
Non-repudiation: the ability of the recipient to prove to a third party that the sender really did send the message (also called third-party authentication).

Two hard problems:
(1) Factoring problem: n = p * q (knowing n, it is hard to get the prime p or the prime q).
(2) Discrete Logarithm Problem (DLP): y = g^x mod p (knowing y, the large prime p and g, it is hard to get x).

Notes on RSA:
1. Any plaintext M must satisfy gcd(M, n) = 1, where n = p*q and p, q are two large primes.
2. How are the two numbers e and d found? Take a number e coprime to φ(n); from the condition e*d mod φ(n) = 1, solve for d (refer to the previous page).
3. If e and n are public while d and φ(n) are kept secret, security is preserved.
4. If someone wants to factor n = p*q and n is a 200-digit number, a computer executing 10^6 instructions per second (i.e. 1 MIPS) needs 10^6 years to break it. (This factoring is an NP-complete problem.)
5.
Current state of integrating public-key and symmetric-key systems:
[Figure: Sender side: generate a random session key; DES-encrypt the plaintext with the session key to obtain the ciphertext; RSA-encrypt the session key with the receiver's public key (obtained from the PKDB) to obtain the encrypted session key; the sender's private key and public key are also shown. Receiver side: RSA-decrypt the encrypted session key with the receiver's private key to recover the session key, then DES-decrypt the ciphertext with it to recover the plaintext.]
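An added example that is not from the slides: textbook RSA set-up for items 1-3 above (e and d from φ(n)) combined with protocol (VI), key and message broadcast, in the sender/receiver arrangement of the figure. The Mersenne-prime key pairs and the SHA-256 keystream standing in for DES are constructed for illustration only.

```python
import hashlib, math, secrets

def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Items 1-3 of the slide: n = p*q, e coprime to phi(n), d solving e*d = 1 (mod phi(n)).
    Returns ((n, e), (n, d)); only (n, e) is published."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))        # pow(e, -1, phi) is the modular inverse

def rsa_encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    if not 0 < m < n or math.gcd(m, n) != 1:   # the slide's condition gcd(M, n) = 1
        raise ValueError("message must lie in (0, n) and be coprime to n")
    return pow(m, e, n)

def rsa_decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def sym(k: bytes, data: bytes) -> bytes:
    """Stand-in for the DES box in the figure: XOR with a SHA-256 counter keystream (a toy, not DES)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def broadcast(msg: bytes, pubkeys: dict) -> tuple:
    """Protocol (VI): one random session key k, E_k(M) sent once, E_PKX(k) for each recipient X."""
    while True:
        k = secrets.token_bytes(15)                # 120-bit k, below every toy modulus used here
        k_int = int.from_bytes(k, "big")
        if k_int and all(math.gcd(k_int, pk[0]) == 1 for pk in pubkeys.values()):
            break
    return sym(k, msg), {name: rsa_encrypt(pk, k_int) for name, pk in pubkeys.items()}

def receive(priv: tuple, wrapped_k: int, ct: bytes) -> bytes:
    """Steps (4)-(5): unwrap k with the private key (RSA decrypt), then decrypt M with k."""
    return sym(rsa_decrypt(priv, wrapped_k).to_bytes(15, "big"), ct)

# Constructed toy key material: distinct Mersenne primes per recipient give ~140-150-bit moduli,
# far below real RSA sizes but enough to carry a 120-bit session key.
TOY_PRIMES = {"Bob": (2**61 - 1, 2**89 - 1), "Carol": (2**107 - 1, 2**31 - 1), "Dave": (2**127 - 1, 2**19 - 1)}

def demo(msg: bytes = b"meeting moved to 09:00") -> bool:
    """Alice broadcasts msg to Bob, Carol and Dave; True if every recipient recovers it."""
    keys = {name: rsa_keygen(p, q) for name, (p, q) in TOY_PRIMES.items()}
    ct, wrapped = broadcast(msg, {name: pub for name, (pub, _) in keys.items()})
    return all(receive(priv, wrapped[name], ct) == msg for name, (_, priv) in keys.items())
```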