SlideShare a Scribd company logo

cryptography summary hash function slides

S
sarala9

The document discusses cryptographic hash functions and their essential properties, including one-wayness, collision resistance, and weak collision resistance, along with the implications of the birthday paradox and brute-force attacks. It also covers applications of hash functions, such as password hashing and software integrity verification, and compares hashing with encryption. Finally, the document details the history and security of common hash functions like MD5 and SHA-1, and touches upon the structure and importance of HMAC in securing messaging.

Engineering
1 of 76
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
*Slides borrowed from Vitaly Shmatikov Cryptographic Hash Functions
slide 2 Hash Functions: Main Idea bit strings of any length n-bit strings . . . . . x’ x’’ x y’ y hash function H ◆ Hash function H is a lossy compression function • Collision: H(x)=H(x’) for some inputs x≠x’ ◆ H(x) should look “random” • Every bit (almost) equally likely to be 0 or 1 ◆ A cryptographic hash function must have certain properties “message digest” message
slide 3 One-Way ◆ Intuition: hash should be hard to invert • “Preimage resistance” • Given a random y, it should be hard to find any x such that h(x)=y – y is an n-bit string randomly chosen from the output space of the hash function, i.e., y=h(x’) for some x’ ◆ How hard? • Brute-force: try every possible x, see if h(x)=y • SHA-1 (a common hash function) has 160-bit output – Suppose we have hardware that can do 230 trials a pop – Assuming 234 trials per second, can do 289 trials per year – Will take 271 years to invert SHA-1 on a random image
Birthday Paradox ◆ T people ◆ Suppose each birthday is a random number taken from K days (K=365) – how many possibilities? • KT - samples with replacement ◆ How many possibilities that are all different? • (K)T = K(K-1)…(K-T+1) - samples without replacement ◆ Probability of no repetition? • (K)T/KT ≈ 1 - T(T-1)/2K ◆ Probability of repetition? • O(T2)
slide 5 Collision Resistance ◆ Should be hard to find x≠x’ such that h(x)=h(x’) ◆ Birthday paradox • Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x≠x’ s.t. h(x)=h(x’) • Assuming h is random, what is the probability that we find a repetition after looking at T values? • Total number of pairs? – n = number of bits in the output of hash function • Conclusion: ◆ Brute-force collision search is O(2n/2), not O(2n) • For SHA-1, this means O(280) vs. O(2160) O(T2) O(2n) T ≈ O(2n/2)
slide 6 One-Way vs. Collision Resistance ◆ One-wayness does not imply collision resistance • Suppose g() is one-way • Define h(x) as g(x’) where x’ is x except the last bit – h is one-way (cannot invert h without inverting g) – Collisions for h are easy to find: for any x, h(x0)=h(x1) ◆ Collision resistance does not imply one-wayness • Suppose g() is collision-resistant • Define h(x) to be 0x if x is (n-1)-bit long, else 1g(x) – Collisions for h are hard to find: if y starts with 0, then there are no collisions; if y starts with 1, then must find collisions in g – h is not one way: half of all y’s (those whose first bit is 0) are easy to invert (how?), thus random y is invertible with prob. 1/2
slide 7 Weak Collision Resistance ◆ Given a randomly chosen x, hard to find x’ such that h(x)=h(x’) • Attacker must find collision for a specific x… by contrast, to break collision resistance, enough to find any collision • Brute-force attack requires O(2n) time ◆ Weak collision resistance does not imply collision resistance (why?)
slide 8 Hashing vs. Encryption ◆ Hashing is one-way. There is no “uh-hashing”! • A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption” ◆ Hash(x) looks “random”, but can be compared for equality with Hash(x’) • Hash the same input twice → same hash value • Encrypt the same input twice → different ciphertexts ◆ Cryptographic hashes are also known as “cryptographic checksums” or “message digests”
slide 9 Application: Password Hashing ◆ Instead of user password, store hash(password) ◆ When user enters a password, compute its hash and compare with the entry in the password file • System does not store actual passwords! • Cannot go from hash to password! ◆ Why is hashing better than encryption here? ◆ Does hashing protect weak, easily guessable passwords?
slide 10 Application: Software Integrity goodFile Software manufacturer wants to ensure that the executable file is received by users without modification… Sends out the file to users and publishes its hash in the NY Times The goal is integrity, not secrecy Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile) BigFirm™ User VIRUS badFile The Times hash(goodFile)
slide 11 Which Property Is Needed? ◆ Passwords stored as hash(password) • One-wayness: hard to recover entire password • Passwords are not random and thus guessable ◆ Integrity of software distribution • Weak collision resistance? • But software images are not random… maybe need full collision resistance ◆ Auctions: to bid B, send H(B), later reveal B • One-wayness… but does not protect B from guessing • Collision resistance: bidder should not be able to find two bids B and B’ such that H(B)=H(B’)
slide 12 Common Hash Functions ◆ MD5 • Completely broken by now ◆ RIPEMD-160 • 160-bit variant of MD-5 ◆ SHA-1 (Secure Hash Algorithm) • Recently broken & deprecated ◆ SHA-256, SHA-3 • Still secure and recommended
Overview of MD5 ◆ Designed in 1991 by Ron Rivest ◆ Iterative design using compression function M1 M2 M3 M4 IHV0 Com- press Com- press Com- press Com- press IHV4 slide 13
slide 14 History of MD5 Collisions ◆ 2004: first collision attack • The only difference between colliding messages is 128 random-looking bytes ◆ 2007: chosen-prefix collisions • For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes ◆ 2008: rogue SSL certificates • Talk about this in more detail when discussing PKI ◆ 2012: MD5 collisions used in cyberwarfare • Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature
slide 15 Basic Structure of SHA-1 Against padding attacks Split message into 512-bit blocks Compression function • Applied to each 512-bit block and current 160-bit buffer • This is the heart of SHA-1 160-bit buffer (5 registers) initialized with magic values
slide 16 SHA-1 Compression Function Current message block Current buffer (five 32-bit registers A,B,C,D,E) Buffer contains final hash value Similar to a block cipher, with message itself used as the key for each round Four rounds, 20 steps in each Let’s look at each step in more detail… Fifth round adds the original buffer to the result of 4 rounds
slide 17 A E B C D A E B C D + + ft 5 bitwise left-rotate Wt Kt One Step of SHA-1 (80 steps total) Special constant added (same value in each 20-step round, 4 different constants altogether) Logic function for steps • (B∧C)∨(¬B∧D) 0..19 • B⊕C⊕D 20..39 • (B∧C)∨(B∧D)∨(C∧D) 40..59 • B⊕C⊕D 60..79 Current message block mixed in • For steps 0..15, W0..15=message block • For steps 16..79, Wt=Wt-16⊕Wt-14⊕Wt-8⊕Wt-3 + + Multi-level shifting of message blocks 30 bitwise left-rotate
slide 18 How Strong Is SHA-1? ◆ Every bit of output depends on every bit of input • Very important property for collision-resistance ◆ Brute-force inversion requires 2160 ops, birthday attack on collision resistance requires 280 ops ◆ Weaknesses discovered in 2005 • Collisions can be found in 263 ops ◆ Researchers at Google/CWI demonstrated first collision attack in 2017
slide 19 NIST Competition ◆ A public competition to develop a new cryptographic hash algorithm • Organized by NIST (read: NSA) ◆ 64 entries into the competition (Oct 2008) ◆ 5 finalists in 3rd round (Dec 2010) ◆ Winner: Keccak (Oct 2012) • standardized as SHA-3
slide 20 Integrity and Authentication Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message Alice Bob KEY KEY message MAC (message authentication code) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message
slide 21 HMAC ◆ Construct MAC from a cryptographic hash function • Invented by Bellare, Canetti, and Krawczyk (1996) • Used in SSL/TLS, mandatory for IPsec ◆ Why not encryption? • Hashing is faster than encryption • Library code for hash functions widely available • Can easily replace one hash function with another • There used to be US export restrictions on encryption
slide 22 Structure of HMAC Embedded hash function “Black box”: can use this HMAC construction with any hash function (why is this important?) Block size of embedded hash function Secret key padded to block size magic value (flips half of key bits) another magic value (flips different key bits) hash(key,hash(key,message))
Overview of Symmetric Encryption
slide 24 Basic Problem ? ----- ----- ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem
slide 25 Kerckhoffs's Principle ◆ An encryption scheme should be secure even if enemy knows everything about it except the key • Attacker knows all algorithms • Attacker does not know random numbers ◆ Do not rely on secrecy of the algorithms (“security by obscurity”) Full name: Jean-Guillaume-Hubert-Victor- François-Alexandre-Auguste Kerckhoffs von Nieuwenhof Easy lesson: use a good random number generator!
slide 26 Randomness Matters!
slide 27 One-Time Pad (Vernam Cipher) = 10111101… ----- ----- ----- = 00110010… 10001111… ⊕ 00110010… = ⊕ 10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext ⊕ key Decrypt by bitwise XOR of ciphertext and key: ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949)
slide 28 Advantages of One-Time Pad ◆ Easy to compute • Encryption and decryption are the same operation • Bitwise XOR is very cheap to compute ◆ As secure as theoretically possible • Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources • …if and only if the key sequence is truly random – True randomness is expensive to obtain in large quantities • …if and only if each key is as long as the plaintext – But how do the sender and the receiver communicate the key to each other? Where do they store the key?
slide 29 Problems with One-Time Pad ◆ Key must be as long as the plaintext • Impractical in most realistic scenarios • Still used for diplomatic and intelligence traffic ◆ Does not guarantee integrity • One-time pad only guarantees confidentiality • Attacker cannot recover plaintext, but can easily change it to something else ◆ Insecure if keys are reused • Attacker can obtain XOR of plaintexts
slide 30 No Integrity = 10111101… ----- ----- ----- = 00110010… 10001111… ⊕ 00110010… = ⊕ 10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext ⊕ key Decrypt by bitwise XOR of ciphertext and key: ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext 0 0
slide 31 Dangers of Reuse = 00000000… ----- ----- ----- = 00110010… 00110010… ⊕ 00110010… = ⊕ 00000000… P1 C1 = 11111111… ----- ----- ----- = 00110010… 11001101… ⊕ P2 C2 Learn relationship between plaintexts C1⊕C2 = (P1⊕K)⊕(P2⊕K) = (P1⊕P2)⊕(K⊕K) = P1⊕P2
slide 32 Reducing Key Size ◆ What to do when it is infeasible to pre-share huge random keys? ◆ Use special cryptographic primitives: block ciphers, stream ciphers • Single key can be re-used (with some restrictions) • Not as theoretically secure as one-time pad
slide 33 Block Ciphers ◆ Operates on a single chunk (“block”) of plaintext • For example, 64 bits for DES, 128 bits for AES • Same key is reused for each block (can use short keys) ◆ Result should look like a random permutation ◆ Not impossible to break, just very expensive • If there is no more efficient algorithm (unproven assumption!), can only break the cipher by brute-force, try-every-possible-key search • Time and cost of breaking the cipher exceed the value and/or useful lifetime of protected information
slide 34 Permutation 1 2 3 4 1 2 3 4 CODE becomes DCEO ◆ For N-bit input, N! possible permutations ◆ Idea: split plaintext into blocks, for each block use secret key to pick a permutation, rinse and repeat • Without the key, permutation should “look random”
slide 35 A Bit of Block Cipher History ◆ Playfair and variants (from 1854 until WWII) ◆ Feistel structure • “Ladder” structure: split input in half, put one half through the round and XOR with the other half • After 3 random rounds, ciphertext indistinguishable from a random permutation ◆ DES: Data Encryption Standard • Invented by IBM, issued as federal standard in 1977 • 64-bit blocks, 56-bit key + 8 bits for parity • Very widely used (usually as 3DES) until recently – 3DES: DES + inverse DES + DES (with 2 or 3 different keys) Textbook Textbook
slide 36 DES Operation (Simplified) Block of plaintext S S S S S S S S S S S S Key Add some secret key bits to provide confusion Each S-box transforms its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext) repeat for several rounds Block of ciphertext Procedure must be reversible (for decryption)
slide 37 Remember SHA-1? Current message block Constant value Buffer contains final hash value Very similar to a block cipher, with message itself used as the key for each round
slide 38 Advanced Encryption Standard (AES) ◆ US federal standard as of 2001 ◆ Based on the Rijndael algorithm ◆ 128-bit blocks, keys can be 128, 192 or 256 bits ◆ Unlike DES, does not use Feistel structure • The entire block is processed during each round ◆ Design uses some clever math • See section 8.5 of the textbook for a concise summary
slide 39 Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key ⊕ S shuffle the array (16x16 substitution table) Shift rows shift array rows (1st unchanged, 2nd left by 1, 3rd left by 2, 4th left by 3) add key for this round ⊕ Expand key repeat 10 times Mix columns mix 4 bytes in each column (each new byte depends on all bytes in old column)
slide 40 Encrypting a Large Message ◆ So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size ◆ Electronic Code Book (ECB) mode • Split plaintext into blocks, encrypt each one separately using the block cipher ◆ Cipher Block Chaining (CBC) mode • Split plaintext into blocks, XOR each block with the result of encrypting previous blocks ◆ Also various counter modes, feedback modes, etc.
slide 41 ECB Mode ◆ Identical blocks of plaintext produce identical blocks of ciphertext ◆ No integrity checks: can mix and match blocks plaintext ciphertext block cipher block cipher block cipher block cipher block cipher key key key key key
slide 42 Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode
slide 43 Adobe Passwords Stolen (2013) ◆ 153 million account passwords • 56 million of them unique ◆ Encrypted using 3DES in ECB mode rather than hashed Password hints
Sent with ciphertext (preferably encrypted) slide 44 CBC Mode: Encryption ◆ Identical blocks of plaintext encrypted differently ◆ Last cipherblock depends on entire plaintext • Still does not guarantee integrity plaintext ciphertext block cipher block cipher block cipher block cipher ⊕ Initialization vector (random) ⊕ ⊕ ⊕ key key key key
slide 45 CBC Mode: Decryption plaintext ciphertext decrypt decrypt decrypt decrypt ⊕ Initialization vector ⊕ ⊕ ⊕ key key key key
slide 46 ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel]
slide 47 Choosing the Initialization Vector ◆ Key used only once • No IV needed (can use IV=0) ◆ Key used multiple times • Best: fresh, random IV for every message • Can also use unique IV (eg, counter), but then the first step in CBC mode must be IV’ ← E(k, IV) – Example: Windows BitLocker – May not need to transmit IV with the ciphertext ◆ Multi-use key, unique messages • Synthetic IV: IV ← F(k’, message) – F is a cryptographically secure keyed pseudorandom function
slide 48 CBC and Electronic Voting Initialization vector (supposed to be random) plaintext ciphertext DES DES DES DES ⊕ ⊕ ⊕ ⊕ Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT) [Kohno, Stubblefield, Rubin, Wallach] key key key key
slide 49 CTR (Counter Mode) ◆ Still does not guarantee integrity ◆ Fragile if counter repeats plaintext ciphertext Enc(IV) Enc(IV+1) Enc(IV+2) Enc(IV+3) ⊕ Random IV ⊕ ⊕ ⊕ IV key key key key
slide 50 When Is a Cipher “Secure”? ◆ Hard to recover plaintext from ciphertext? • What if attacker learns only some bits of the plaintext? Some function of the bits? Some partial information about the plaintext? ◆ Fixed mapping from plaintexts to ciphertexts? • What if attacker sees two identical ciphertexts and infers that the corresponding plaintexts are identical? • What if attacker guesses the plaintext – can he verify his guess? • Implication: encryption must be randomized or stateful
slide 51 How Can a Cipher Be Attacked? ◆ Attackers knows ciphertext and encryption algthm • What else does the attacker know? Depends on the application in which the cipher is used! ◆ Known-plaintext attack (stronger) • Knows some plaintext-ciphertext pairs ◆ Chosen-plaintext attack (even stronger) • Can obtain ciphertext for any plaintext of his choice ◆ Chosen-ciphertext attack (very strong) • Can decrypt any ciphertext except the target • Sometimes very realistic
slide 52 Known-Plaintext Attack Extracting password from an encrypted PKZIP file … ◆ “… I opened the ZIP file and found a `logo.tif’ file, so I went to their main Web site and looked at all the files named `logo.tif.’ I downloaded them and zipped them all up and found one that matched the same checksum as the one in the protected ZIP file” ◆ With known plaintext, PkCrack took 5 minutes to extract the key • Biham-Kocher attack on PKZIP stream cipher [From “The Art of Intrusion”]
slide 53 Chosen-Plaintext Attack Crook #1 changes his PIN to a number of his choice cipher(key,PIN) PIN is encrypted and transmitted to bank Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN … repeat for any PIN value
slide 54 Very Informal Intuition ◆ Security against chosen-plaintext attack • Ciphertext leaks no information about the plaintext • Even if the attacker correctly guesses the plaintext, he cannot verify his guess • Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts ◆ Security against chosen-ciphertext attack • Integrity protection – it is not possible to change the plaintext by modifying the ciphertext Minimum security requirement for a modern encryption scheme
slide 55 The Chosen-Plaintext Game ◆ Attacker does not know the key ◆ He chooses as many plaintexts as he wants, and receives the corresponding ciphertexts ◆ When ready, he picks two plaintexts M0 and M1 • He is even allowed to pick plaintexts for which he previously learned ciphertexts! ◆ He receives either a ciphertext of M0, or a ciphertext of M1 ◆ He wins if he guesses correctly which one it is
slide 56 Meaning of “Leaks No Information” ◆ Idea: given a ciphertext, attacker should not be able to learn even a single bit of useful information about the plaintext ◆ Let Enc(M0,M1,b) be a “magic box” that returns encrypted Mb • Given two plaintexts, the box always returns the ciphertext of the left plaintext or right plaintext • Attacker can use this box to obtain the ciphertext of any plaintext M by submitting M0=M1=M, or he can try to learn even more by submitting M0≠M1 ◆ Attacker’s goal is to learn just this one bit b 0 or 1
slide 57 Chosen-Plaintext Security ◆ Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) A interacts with Enc(-,-,1) and outputs his guess of bit b and outputs his guess of bit b • Identical except for the value of the secret bit • b is attacker’s guess of the secret bit ◆ Attacker’s advantage is defined as | Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) | ◆ Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A
slide 58 Simple Example ◆ Any deterministic, stateless symmetric encryption scheme is insecure • Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts • This includes ECB mode of common block ciphers! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C1 ← Enc(X,X,b); C2 ← Enc(X,Y,b); If C1=C2 then b=0 else b=1 ◆ The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1
slide 59 Encrypt + MAC Goal: confidentiality + integrity + authentication Alice Bob K1, K2 K1, K2 msg MAC=HMAC(K2,msg) encrypt(msg), MAC(msg) = ? Encrypt(K1,msg) Decrypt Verify MAC encrypt(msg2), MAC(msg2) Can tell if messages are the same! MAC is deterministic: messages are equal ⇒ their MACs are equal Solution: Encrypt, then MAC (or MAC, then encrypt) Breaks chosen- plaintext security
slide 60 CS 361S Overview of Public-Key Cryptography
slide 61 Public-Key Cryptography ? Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key private key Goals: 1. Alice wants to send a message that only Bob can read 2. Bob wants to send a message that only Bob could have written public key public key Alice Bob
slide 62 Applications of Public-Key Crypto ◆ Encryption for confidentiality • Anyone can encrypt a message – With symmetric crypto, must know the secret key to encrypt • Only someone who knows the private key can decrypt • Secret keys are only stored in one place ◆ Digital signatures for authentication • Only someone who knows the private key can sign ◆ Session key establishment • Exchange messages to create a secret session key • Then switch to symmetric cryptography (why?)
slide 63 Public-Key Encryption ◆ Key generation: computationally easy to generate a pair (public key PK, private key SK) ◆ Encryption: given plaintext M and public key PK, easy to compute ciphertext C=EPK(M) ◆ Decryption: given ciphertext C=EPK(M) and private key SK, easy to compute plaintext M • Infeasible to learn anything about M from C without SK • Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M
slide 64 Some Number Theory Facts ◆ Euler totient function ϕ(n) where n≥1 is the number of integers in the [1,n] interval that are relatively prime to n • Two numbers are relatively prime if their greatest common divisor (gcd) is 1 ◆ Euler’s theorem: if a∈Zn*, then aϕ(n) ≡ 1 mod n ◆ Special case: Fermat’s Little Theorem if p is prime and gcd(a,p)=1, then ap-1 ≡ 1 mod p
slide 65 RSA Cryptosystem ◆ Key generation: • Generate large primes p, q – At least 2048 bits each… need primality testing! • Compute n=pq – Note that ϕ(n)=(p-1)(q-1) • Choose small e, relatively prime to ϕ(n) – Typically, e=3 (may be vulnerable) or e=216+1=65537 (why?) • Compute unique d such that ed ≡ 1 mod ϕ(n) • Public key = (e,n); private key = d ◆ Encryption of m: c = me mod n ◆ Decryption of c: cd mod n = (me)d mod n = m [Rivest, Shamir, Adleman 1977]
slide 66 Why RSA Decryption Works ◆ e⋅d ≡ 1 mod ϕ(n) ◆ Thus e⋅d = 1+k⋅ϕ(n) = 1+k(p-1)(q-1) for some k ◆ If gcd(m,p)=1, then by Fermat’s Little Theorem, mp-1 ≡ 1 mod p ◆ Raise both sides to the power k(q-1) and multiply by m, obtaining m1+k(p-1)(q-1) ≡ m mod p ◆ Thus med ≡ m mod p ◆ By the same argument, med ≡ m mod q ◆ Since p and q are distinct primes and p⋅q=n, med ≡ m mod n
slide 67 Why Is RSA Secure? ◆ RSA problem: given c, n=pq, and e such that gcd(e,(p-1)(q-1))=1, find m such that me=c mod n • In other words, recover m from ciphertext c and public key (n,e) by taking eth root of c modulo n • There is no known efficient algorithm for doing this ◆ Factoring problem: given positive integer n, find primes p1, …, pk such that n=p1 e1p2 e2…pk ek ◆ If factoring is easy, then RSA problem is easy, but may be possible to break RSA without factoring n
“Textbook” RSA Is Bad Encryption ◆ Deterministic • Attacker can guess plaintext, compute ciphertext, and compare for equality • If messages are from a small set (for example, yes/no), can build a table of corresponding ciphertexts ◆ Can tamper with encrypted messages • Take an encrypted auction bid c and submit c(101/100)e mod n instead ◆ Does not provide semantic security (security against chosen-plaintext attacks) slide 68
slide 69 Integrity in RSA Encryption ◆ “Textbook” RSA does not provide integrity • Given encryptions of m1 and m2, attacker can create encryption of m1⋅m2 – (m1 e) ⋅ (m2 e) mod n ≡ (m1⋅m2)e mod n • Attacker can convert m into mk without decrypting – (me)k mod n ≡ (mk)e mod n ◆ In practice, OAEP is used: instead of encrypting M, encrypt M⊕G(r) ; r⊕H(M⊕G(r)) • r is random and fresh, G and H are hash functions • Resulting encryption is plaintext-aware: infeasible to compute a valid encryption without knowing plaintext – … if hash functions are “good” and RSA problem is hard
slide 70 Digital Signatures: Basic Idea ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Bob sends a “digitally signed” message 1. To compute a signature, must know the private key 2. To verify a signature, only the public key is needed public key public key Alice Bob
slide 71 RSA Signatures ◆ Public key is (n,e), private key is d ◆ To sign message m: s = hash(m)d mod n • Signing and decryption are the same mathematical operation in RSA ◆ To verify signature s on message m: se mod n = (hash(m)d)e mod n = hash(m) • Verification and encryption are the same mathematical operation in RSA ◆ Message must be hashed and padded (why?)
slide 72 Diffie-Hellman Protocol ◆ Alice and Bob never met and share no secrets ◆ Public info: p and g • p is a large prime number, g is a generator of Zp* – Zp*={1, 2 … p-1}; ∀a∈Zp* ∃i such that a=gi mod p Alice Bob Pick secret, random X Pick secret, random Y gy mod p gx mod p Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p
slide 73 Why Is Diffie-Hellman Secure? ◆ Discrete Logarithm (DL) problem: given gx mod p, it’s hard to extract x • There is no known efficient algorithm for doing this • This is not enough for Diffie-Hellman to be secure! ◆ Computational Diffie-Hellman (CDH) problem: given gx and gy, it’s hard to compute gxy mod p • … unless you know x or y, in which case it’s easy ◆ Decisional Diffie-Hellman (DDH) problem: given gx and gy, it’s hard to tell the difference between gxy mod p and gr mod p where r is random
slide 74 Properties of Diffie-Hellman ◆ Assuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers • Eavesdropper can’t tell the difference between the established key and a random value • Can use the new key for symmetric cryptography ◆ Basic Diffie-Hellman protocol does not provide authentication • IPsec combines Diffie-Hellman with signatures, anti-DoS cookies, etc.
slide 75 Advantages of Public-Key Crypto ◆ Confidentiality without shared secrets • Very useful in open environments • Can use this for key establishment, avoiding the “chicken-or-egg” problem – With symmetric crypto, two parties must share a secret before they can exchange secret messages ◆ Authentication without shared secrets ◆ Encryption keys are public, but must be sure that Alice’s public key is really her public key • This is a hard problem… Often solved using public-key certificates
slide 76 Disadvantages of Public-Key Crypto ◆ Calculations are 2-3 orders of magnitude slower • Modular exponentiation is an expensive computation • Typical usage: use public-key cryptography to establish a shared secret, then switch to symmetric crypto – SSL, IPsec, most other systems based on public crypto ◆ Keys are longer • 2048 bits (RSA) rather than 128 bits (AES) ◆ Relies on unproven number-theoretic assumptions • Factoring, RSA problem, discrete logarithm problem, decisional Diffie-Hellman problem…
Ad

Recommended

Cryptographic Hashing Functions
Cryptographic Hashing Functions
Yusuf Uzun
 
Cryptography-101
Cryptography-101
Vishal Punjabi
 
Cryptography - 101
Cryptography - 101
n|u - The Open Security Community
 
Concepts of BlockChain explained very well
Concepts of BlockChain explained very well
panickerp23092
 
lec20111111111111111111111111111111111111.pptx
lec20111111111111111111111111111111111111.pptx
ssuser8cd160
 
Cryptography Key Management.pptx
Cryptography Key Management.pptx
SurendraBasnet6
 
Cs166 mynote
Cs166 mynote
Kaya Ota
 
Hash Techniques in Cryptography
Hash Techniques in Cryptography
Basudev Saha
 
Hash functions
Hash functions
sameezahur
 
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
beluleung1
 
Ch_07 (1).pptx
Ch_07 (1).pptx
siddhusid10
 
Computer network (3)
Computer network (3)
NYversity
 
Hashfunction
Hashfunction
Tony Nguyen
 
Hashfunction
Hashfunction
Young Alista
 
Hashfunction
Hashfunction
James Wong
 
Hash function
Hash function
Harry Potter
 
Hashfunction
Hashfunction
David Hoen
 
Hashfunction
Hashfunction
Fraboni Ec
 
Hashfunction
Hashfunction
Luis Goldster
 
Message Digest message digest ppttsx.pptx
Message Digest message digest ppttsx.pptx
LaxmipujaBiradar
 
Chapter 3
Chapter 3
manojjoshi1234
 
Cryptography and Network Security Principles and Practice.docx
Cryptography and Network Security Principles and Practice.docx
richardnorman90310
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
Bitcoin MOOC Lecture 1.pptx
Bitcoin MOOC Lecture 1.pptx
Oluseyi Akindeinde
 
SHA New Revised Version - SHA-512 Syllabus Module 3
SHA New Revised Version - SHA-512 Syllabus Module 3
AnantNimkar1
 
Common Crypto Pitfalls
Common Crypto Pitfalls
Amirali Sanatinia
 
symet.crypto.hill.cipher.2023.ppt
symet.crypto.hill.cipher.2023.ppt
halosidiq1
 
Hash Function & Analysis
Hash Function & Analysis
Pawandeep Kaur
 
Modern multi-proposer consensus implementations
Modern multi-proposer consensus implementations
François Garillot
 
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
resming1
 

More Related Content

Similar to cryptography summary hash function slides (20)

Hash functions
Hash functions
sameezahur
 
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
beluleung1
 
Ch_07 (1).pptx
Ch_07 (1).pptx
siddhusid10
 
Computer network (3)
Computer network (3)
NYversity
 
Hashfunction
Hashfunction
Tony Nguyen
 
Hashfunction
Hashfunction
Young Alista
 
Hashfunction
Hashfunction
James Wong
 
Hash function
Hash function
Harry Potter
 
Hashfunction
Hashfunction
David Hoen
 
Hashfunction
Hashfunction
Fraboni Ec
 
Hashfunction
Hashfunction
Luis Goldster
 
Message Digest message digest ppttsx.pptx
Message Digest message digest ppttsx.pptx
LaxmipujaBiradar
 
Chapter 3
Chapter 3
manojjoshi1234
 
Cryptography and Network Security Principles and Practice.docx
Cryptography and Network Security Principles and Practice.docx
richardnorman90310
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
Bitcoin MOOC Lecture 1.pptx
Bitcoin MOOC Lecture 1.pptx
Oluseyi Akindeinde
 
SHA New Revised Version - SHA-512 Syllabus Module 3
SHA New Revised Version - SHA-512 Syllabus Module 3
AnantNimkar1
 
Common Crypto Pitfalls
Common Crypto Pitfalls
Amirali Sanatinia
 
symet.crypto.hill.cipher.2023.ppt
symet.crypto.hill.cipher.2023.ppt
halosidiq1
 
Hash Function & Analysis
Hash Function & Analysis
Pawandeep Kaur
 
Hash functions
Hash functions
sameezahur
 
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
Topic 2 Blockchain Fundamentals - Cryptography BW.pdf
beluleung1
 
Ch_07 (1).pptx
Ch_07 (1).pptx
siddhusid10
 
Computer network (3)
Computer network (3)
NYversity
 
Hashfunction
Hashfunction
Tony Nguyen
 
Hashfunction
Hashfunction
Young Alista
 
Hashfunction
Hashfunction
James Wong
 
Hash function
Hash function
Harry Potter
 
Hashfunction
Hashfunction
David Hoen
 
Hashfunction
Hashfunction
Fraboni Ec
 
Hashfunction
Hashfunction
Luis Goldster
 
Message Digest message digest ppttsx.pptx
Message Digest message digest ppttsx.pptx
LaxmipujaBiradar
 
Chapter 3
Chapter 3
manojjoshi1234
 
Cryptography and Network Security Principles and Practice.docx
Cryptography and Network Security Principles and Practice.docx
richardnorman90310
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
Bitcoin MOOC Lecture 1.pptx
Bitcoin MOOC Lecture 1.pptx
Oluseyi Akindeinde
 
SHA New Revised Version - SHA-512 Syllabus Module 3
SHA New Revised Version - SHA-512 Syllabus Module 3
AnantNimkar1
 
Common Crypto Pitfalls
Common Crypto Pitfalls
Amirali Sanatinia
 
symet.crypto.hill.cipher.2023.ppt
symet.crypto.hill.cipher.2023.ppt
halosidiq1
 
Hash Function & Analysis
Hash Function & Analysis
Pawandeep Kaur
 

Recently uploaded (20)

Modern multi-proposer consensus implementations
Modern multi-proposer consensus implementations
François Garillot
 
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
resming1
 
Rapid Prototyping for XR: Lecture 6 - AI for Prototyping and Research Directi...
Rapid Prototyping for XR: Lecture 6 - AI for Prototyping and Research Directi...
Mark Billinghurst
 
Rapid Prototyping for XR: Lecture 4 - High Level Prototyping.
Rapid Prototyping for XR: Lecture 4 - High Level Prototyping.
Mark Billinghurst
 
Complete guidance book of Asp.Net Web API
Complete guidance book of Asp.Net Web API
Shabista Imam
 
Tesla-Stock-Analysis-and-Forecast.pptx (1).pptx
Tesla-Stock-Analysis-and-Forecast.pptx (1).pptx
moonsony54
 
20CE404-Soil Mechanics - Slide Share PPT
20CE404-Soil Mechanics - Slide Share PPT
saravananr808639
 
Unit III_One Dimensional Consolidation theory
Unit III_One Dimensional Consolidation theory
saravananr808639
 
MATERIAL SCIENCE LECTURE NOTES FOR DIPLOMA STUDENTS
MATERIAL SCIENCE LECTURE NOTES FOR DIPLOMA STUDENTS
SAMEER VISHWAKARMA
 
دراسة حاله لقرية تقع في جنوب غرب السودان
دراسة حاله لقرية تقع في جنوب غرب السودان
محمد قصص فتوتة
 
Rapid Prototyping for XR: Lecture 1 Introduction to Prototyping
Rapid Prototyping for XR: Lecture 1 Introduction to Prototyping
Mark Billinghurst
 
Fatality due to Falls at Working at Height
Fatality due to Falls at Working at Height
ssuserb8994f
 
Complete University of Calculus :: 2nd edition
Complete University of Calculus :: 2nd edition
Shabista Imam
 
DESIGN OF REINFORCED CONCRETE ELEMENTS S
DESIGN OF REINFORCED CONCRETE ELEMENTS S
prabhusp8
 
How to Un-Obsolete Your Legacy Keypad Design
How to Un-Obsolete Your Legacy Keypad Design
Epec Engineered Technologies
 
Introduction to sensing and Week-1.pptx
Introduction to sensing and Week-1.pptx
KNaveenKumarECE
 
Call For Papers - 17th International Conference on Wireless & Mobile Networks...
Call For Papers - 17th International Conference on Wireless & Mobile Networks...
hosseinihamid192023
 
System design handwritten notes guidance
System design handwritten notes guidance
Shabista Imam
 
Introduction to Python Programming Language
Introduction to Python Programming Language
merlinjohnsy
 
Machine Learning - Classification Algorithms
Machine Learning - Classification Algorithms
resming1
 
Modern multi-proposer consensus implementations
Modern multi-proposer consensus implementations
François Garillot
 
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
Deep Learning for Image Processing on 16 June 2025 MITS.pptx
resming1
 
Rapid Prototyping for XR: Lecture 6 - AI for Prototyping and Research Directi...
Rapid Prototyping for XR: Lecture 6 - AI for Prototyping and Research Directi...
Mark Billinghurst
 
Rapid Prototyping for XR: Lecture 4 - High Level Prototyping.
Rapid Prototyping for XR: Lecture 4 - High Level Prototyping.
Mark Billinghurst
 
Complete guidance book of Asp.Net Web API
Complete guidance book of Asp.Net Web API
Shabista Imam
 
Tesla-Stock-Analysis-and-Forecast.pptx (1).pptx
Tesla-Stock-Analysis-and-Forecast.pptx (1).pptx
moonsony54
 
20CE404-Soil Mechanics - Slide Share PPT
20CE404-Soil Mechanics - Slide Share PPT
saravananr808639
 
Unit III_One Dimensional Consolidation theory
Unit III_One Dimensional Consolidation theory
saravananr808639
 
MATERIAL SCIENCE LECTURE NOTES FOR DIPLOMA STUDENTS
MATERIAL SCIENCE LECTURE NOTES FOR DIPLOMA STUDENTS
SAMEER VISHWAKARMA
 
دراسة حاله لقرية تقع في جنوب غرب السودان
دراسة حاله لقرية تقع في جنوب غرب السودان
محمد قصص فتوتة
 
Rapid Prototyping for XR: Lecture 1 Introduction to Prototyping
Rapid Prototyping for XR: Lecture 1 Introduction to Prototyping
Mark Billinghurst
 
Fatality due to Falls at Working at Height
Fatality due to Falls at Working at Height
ssuserb8994f
 
Complete University of Calculus :: 2nd edition
Complete University of Calculus :: 2nd edition
Shabista Imam
 
DESIGN OF REINFORCED CONCRETE ELEMENTS S
DESIGN OF REINFORCED CONCRETE ELEMENTS S
prabhusp8
 
How to Un-Obsolete Your Legacy Keypad Design
How to Un-Obsolete Your Legacy Keypad Design
Epec Engineered Technologies
 
Introduction to sensing and Week-1.pptx
Introduction to sensing and Week-1.pptx
KNaveenKumarECE
 
Call For Papers - 17th International Conference on Wireless & Mobile Networks...
Call For Papers - 17th International Conference on Wireless & Mobile Networks...
hosseinihamid192023
 
System design handwritten notes guidance
System design handwritten notes guidance
Shabista Imam
 
Introduction to Python Programming Language
Introduction to Python Programming Language
merlinjohnsy
 
Machine Learning - Classification Algorithms
Machine Learning - Classification Algorithms
resming1
 
Ad

cryptography summary hash function slides

  • 1. *Slides borrowed from Vitaly Shmatikov Cryptographic Hash Functions
  • 2. slide 2 Hash Functions: Main Idea bit strings of any length n-bit strings . . . . . x’ x’’ x y’ y hash function H ◆ Hash function H is a lossy compression function • Collision: H(x)=H(x’) for some inputs x≠x’ ◆ H(x) should look “random” • Every bit (almost) equally likely to be 0 or 1 ◆ A cryptographic hash function must have certain properties “message digest” message
  • 3. slide 3 One-Way ◆ Intuition: hash should be hard to invert • “Preimage resistance” • Given a random y, it should be hard to find any x such that h(x)=y – y is an n-bit string randomly chosen from the output space of the hash function, i.e., y=h(x’) for some x’ ◆ How hard? • Brute-force: try every possible x, see if h(x)=y • SHA-1 (a common hash function) has 160-bit output – Suppose we have hardware that can do 230 trials a pop – Assuming 234 trials per second, can do 289 trials per year – Will take 271 years to invert SHA-1 on a random image
  • 4. Birthday Paradox ◆ T people ◆ Suppose each birthday is a random number taken from K days (K=365) – how many possibilities? • KT - samples with replacement ◆ How many possibilities that are all different? • (K)T = K(K-1)…(K-T+1) - samples without replacement ◆ Probability of no repetition? • (K)T/KT ≈ 1 - T(T-1)/2K ◆ Probability of repetition? • O(T2)
  • 5. slide 5 Collision Resistance ◆ Should be hard to find x≠x’ such that h(x)=h(x’) ◆ Birthday paradox • Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x≠x’ s.t. h(x)=h(x’) • Assuming h is random, what is the probability that we find a repetition after looking at T values? • Total number of pairs? – n = number of bits in the output of hash function • Conclusion: ◆ Brute-force collision search is O(2n/2), not O(2n) • For SHA-1, this means O(280) vs. O(2160) O(T2) O(2n) T ≈ O(2n/2)
  • 6. slide 6 One-Way vs. Collision Resistance ◆ One-wayness does not imply collision resistance • Suppose g() is one-way • Define h(x) as g(x’) where x’ is x except the last bit – h is one-way (cannot invert h without inverting g) – Collisions for h are easy to find: for any x, h(x0)=h(x1) ◆ Collision resistance does not imply one-wayness • Suppose g() is collision-resistant • Define h(x) to be 0x if x is (n-1)-bit long, else 1g(x) – Collisions for h are hard to find: if y starts with 0, then there are no collisions; if y starts with 1, then must find collisions in g – h is not one way: half of all y’s (those whose first bit is 0) are easy to invert (how?), thus random y is invertible with prob. 1/2
  • 7. slide 7 Weak Collision Resistance ◆ Given a randomly chosen x, hard to find x’ such that h(x)=h(x’) • Attacker must find collision for a specific x… by contrast, to break collision resistance, enough to find any collision • Brute-force attack requires O(2n) time ◆ Weak collision resistance does not imply collision resistance (why?)
  • 8. slide 8 Hashing vs. Encryption ◆ Hashing is one-way. There is no “uh-hashing”! • A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption” ◆ Hash(x) looks “random”, but can be compared for equality with Hash(x’) • Hash the same input twice → same hash value • Encrypt the same input twice → different ciphertexts ◆ Cryptographic hashes are also known as “cryptographic checksums” or “message digests”
  • 9. slide 9 Application: Password Hashing ◆ Instead of user password, store hash(password) ◆ When user enters a password, compute its hash and compare with the entry in the password file • System does not store actual passwords! • Cannot go from hash to password! ◆ Why is hashing better than encryption here? ◆ Does hashing protect weak, easily guessable passwords?
  • 10. slide 10 Application: Software Integrity goodFile Software manufacturer wants to ensure that the executable file is received by users without modification… Sends out the file to users and publishes its hash in the NY Times The goal is integrity, not secrecy Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile) BigFirm™ User VIRUS badFile The Times hash(goodFile)
  • 11. slide 11 Which Property Is Needed? ◆ Passwords stored as hash(password) • One-wayness: hard to recover entire password • Passwords are not random and thus guessable ◆ Integrity of software distribution • Weak collision resistance? • But software images are not random… maybe need full collision resistance ◆ Auctions: to bid B, send H(B), later reveal B • One-wayness… but does not protect B from guessing • Collision resistance: bidder should not be able to find two bids B and B’ such that H(B)=H(B’)
  • 12. slide 12 Common Hash Functions ◆ MD5 • Completely broken by now ◆ RIPEMD-160 • 160-bit variant of MD-5 ◆ SHA-1 (Secure Hash Algorithm) • Recently broken & deprecated ◆ SHA-256, SHA-3 • Still secure and recommended
  • 13. Overview of MD5 ◆ Designed in 1991 by Ron Rivest ◆ Iterative design using compression function M1 M2 M3 M4 IHV0 Com- press Com- press Com- press Com- press IHV4 slide 13
  • 14. slide 14 History of MD5 Collisions ◆ 2004: first collision attack • The only difference between colliding messages is 128 random-looking bytes ◆ 2007: chosen-prefix collisions • For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes ◆ 2008: rogue SSL certificates • Talk about this in more detail when discussing PKI ◆ 2012: MD5 collisions used in cyberwarfare • Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature
  • 15. slide 15 Basic Structure of SHA-1 Against padding attacks Split message into 512-bit blocks Compression function • Applied to each 512-bit block and current 160-bit buffer • This is the heart of SHA-1 160-bit buffer (5 registers) initialized with magic values
  • 16. slide 16 SHA-1 Compression Function Current message block Current buffer (five 32-bit registers A,B,C,D,E) Buffer contains final hash value Similar to a block cipher, with message itself used as the key for each round Four rounds, 20 steps in each Let’s look at each step in more detail… Fifth round adds the original buffer to the result of 4 rounds
  • 17. slide 17 A E B C D A E B C D + + ft 5 bitwise left-rotate Wt Kt One Step of SHA-1 (80 steps total) Special constant added (same value in each 20-step round, 4 different constants altogether) Logic function for steps • (B∧C)∨(¬B∧D) 0..19 • B⊕C⊕D 20..39 • (B∧C)∨(B∧D)∨(C∧D) 40..59 • B⊕C⊕D 60..79 Current message block mixed in • For steps 0..15, W0..15=message block • For steps 16..79, Wt=Wt-16⊕Wt-14⊕Wt-8⊕Wt-3 + + Multi-level shifting of message blocks 30 bitwise left-rotate
  • 18. slide 18 How Strong Is SHA-1? ◆ Every bit of output depends on every bit of input • Very important property for collision-resistance ◆ Brute-force inversion requires 2160 ops, birthday attack on collision resistance requires 280 ops ◆ Weaknesses discovered in 2005 • Collisions can be found in 263 ops ◆ Researchers at Google/CWI demonstrated first collision attack in 2017
  • 19. slide 19 NIST Competition ◆ A public competition to develop a new cryptographic hash algorithm • Organized by NIST (read: NSA) ◆ 64 entries into the competition (Oct 2008) ◆ 5 finalists in 3rd round (Dec 2010) ◆ Winner: Keccak (Oct 2012) • standardized as SHA-3
  • 20. slide 20 Integrity and Authentication Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message Alice Bob KEY KEY message MAC (message authentication code) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message
  • 21. slide 21 HMAC ◆ Construct MAC from a cryptographic hash function • Invented by Bellare, Canetti, and Krawczyk (1996) • Used in SSL/TLS, mandatory for IPsec ◆ Why not encryption? • Hashing is faster than encryption • Library code for hash functions widely available • Can easily replace one hash function with another • There used to be US export restrictions on encryption
  • 22. slide 22 Structure of HMAC Embedded hash function “Black box”: can use this HMAC construction with any hash function (why is this important?) Block size of embedded hash function Secret key padded to block size magic value (flips half of key bits) another magic value (flips different key bits) hash(key,hash(key,message))
  • 23. Overview of Symmetric Encryption
  • 24. slide 24 Basic Problem ? ----- ----- ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem
  • 25. slide 25 Kerckhoffs's Principle ◆ An encryption scheme should be secure even if enemy knows everything about it except the key • Attacker knows all algorithms • Attacker does not know random numbers ◆ Do not rely on secrecy of the algorithms (“security by obscurity”) Full name: Jean-Guillaume-Hubert-Victor- François-Alexandre-Auguste Kerckhoffs von Nieuwenhof Easy lesson: use a good random number generator!
  • 27. slide 27 One-Time Pad (Vernam Cipher) = 10111101… ----- ----- ----- = 00110010… 10001111… ⊕ 00110010… = ⊕ 10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext ⊕ key Decrypt by bitwise XOR of ciphertext and key: ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949)
  • 28. slide 28 Advantages of One-Time Pad ◆ Easy to compute • Encryption and decryption are the same operation • Bitwise XOR is very cheap to compute ◆ As secure as theoretically possible • Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources • …if and only if the key sequence is truly random – True randomness is expensive to obtain in large quantities • …if and only if each key is as long as the plaintext – But how do the sender and the receiver communicate the key to each other? Where do they store the key?
  • 29. slide 29 Problems with One-Time Pad ◆ Key must be as long as the plaintext • Impractical in most realistic scenarios • Still used for diplomatic and intelligence traffic ◆ Does not guarantee integrity • One-time pad only guarantees confidentiality • Attacker cannot recover plaintext, but can easily change it to something else ◆ Insecure if keys are reused • Attacker can obtain XOR of plaintexts
  • 30. slide 30 No Integrity = 10111101… ----- ----- ----- = 00110010… 10001111… ⊕ 00110010… = ⊕ 10111101… Key is a random bit sequence as long as the plaintext Encrypt by bitwise XOR of plaintext and key: ciphertext = plaintext ⊕ key Decrypt by bitwise XOR of ciphertext and key: ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext 0 0
  • 31. slide 31 Dangers of Reuse = 00000000… ----- ----- ----- = 00110010… 00110010… ⊕ 00110010… = ⊕ 00000000… P1 C1 = 11111111… ----- ----- ----- = 00110010… 11001101… ⊕ P2 C2 Learn relationship between plaintexts C1⊕C2 = (P1⊕K)⊕(P2⊕K) = (P1⊕P2)⊕(K⊕K) = P1⊕P2
  • 32. slide 32 Reducing Key Size ◆ What to do when it is infeasible to pre-share huge random keys? ◆ Use special cryptographic primitives: block ciphers, stream ciphers • Single key can be re-used (with some restrictions) • Not as theoretically secure as one-time pad
  • 33. slide 33 Block Ciphers ◆ Operates on a single chunk (“block”) of plaintext • For example, 64 bits for DES, 128 bits for AES • Same key is reused for each block (can use short keys) ◆ Result should look like a random permutation ◆ Not impossible to break, just very expensive • If there is no more efficient algorithm (unproven assumption!), can only break the cipher by brute-force, try-every-possible-key search • Time and cost of breaking the cipher exceed the value and/or useful lifetime of protected information
  • 34. slide 34 Permutation 1 2 3 4 1 2 3 4 CODE becomes DCEO ◆ For N-bit input, N! possible permutations ◆ Idea: split plaintext into blocks, for each block use secret key to pick a permutation, rinse and repeat • Without the key, permutation should “look random”
  • 35. slide 35 A Bit of Block Cipher History ◆ Playfair and variants (from 1854 until WWII) ◆ Feistel structure • “Ladder” structure: split input in half, put one half through the round and XOR with the other half • After 3 random rounds, ciphertext indistinguishable from a random permutation ◆ DES: Data Encryption Standard • Invented by IBM, issued as federal standard in 1977 • 64-bit blocks, 56-bit key + 8 bits for parity • Very widely used (usually as 3DES) until recently – 3DES: DES + inverse DES + DES (with 2 or 3 different keys) Textbook Textbook
  • 36. slide 36 DES Operation (Simplified) Block of plaintext S S S S S S S S S S S S Key Add some secret key bits to provide confusion Each S-box transforms its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext) repeat for several rounds Block of ciphertext Procedure must be reversible (for decryption)
  • 37. slide 37 Remember SHA-1? Current message block Constant value Buffer contains final hash value Very similar to a block cipher, with message itself used as the key for each round
  • 38. slide 38 Advanced Encryption Standard (AES) ◆ US federal standard as of 2001 ◆ Based on the Rijndael algorithm ◆ 128-bit blocks, keys can be 128, 192 or 256 bits ◆ Unlike DES, does not use Feistel structure • The entire block is processed during each round ◆ Design uses some clever math • See section 8.5 of the textbook for a concise summary
  • 39. slide 39 Basic Structure of Rijndael 128-bit plaintext (arranged as 4x4 array of 8-bit bytes) 128-bit key ⊕ S shuffle the array (16x16 substitution table) Shift rows shift array rows (1st unchanged, 2nd left by 1, 3rd left by 2, 4th left by 3) add key for this round ⊕ Expand key repeat 10 times Mix columns mix 4 bytes in each column (each new byte depends on all bytes in old column)
  • 40. slide 40 Encrypting a Large Message ◆ So, we’ve got a good block cipher, but our plaintext is larger than 128-bit block size ◆ Electronic Code Book (ECB) mode • Split plaintext into blocks, encrypt each one separately using the block cipher ◆ Cipher Block Chaining (CBC) mode • Split plaintext into blocks, XOR each block with the result of encrypting previous blocks ◆ Also various counter modes, feedback modes, etc.
  • 41. slide 41 ECB Mode ◆ Identical blocks of plaintext produce identical blocks of ciphertext ◆ No integrity checks: can mix and match blocks plaintext ciphertext block cipher block cipher block cipher block cipher block cipher key key key key key
  • 42. slide 42 Information Leakage in ECB Mode [Wikipedia] Encrypt in ECB mode
  • 43. slide 43 Adobe Passwords Stolen (2013) ◆ 153 million account passwords • 56 million of them unique ◆ Encrypted using 3DES in ECB mode rather than hashed Password hints
  • 44. Sent with ciphertext (preferably encrypted) slide 44 CBC Mode: Encryption ◆ Identical blocks of plaintext encrypted differently ◆ Last cipherblock depends on entire plaintext • Still does not guarantee integrity plaintext ciphertext block cipher block cipher block cipher block cipher ⊕ Initialization vector (random) ⊕ ⊕ ⊕ key key key key
  • 45. slide 45 CBC Mode: Decryption plaintext ciphertext decrypt decrypt decrypt decrypt ⊕ Initialization vector ⊕ ⊕ ⊕ key key key key
  • 46. slide 46 ECB vs. CBC AES in ECB mode AES in CBC mode Similar plaintext blocks produce similar ciphertext blocks (not good!) [Picture due to Bart Preneel]
  • 47. slide 47 Choosing the Initialization Vector ◆ Key used only once • No IV needed (can use IV=0) ◆ Key used multiple times • Best: fresh, random IV for every message • Can also use unique IV (eg, counter), but then the first step in CBC mode must be IV’ ← E(k, IV) – Example: Windows BitLocker – May not need to transmit IV with the ciphertext ◆ Multi-use key, unique messages • Synthetic IV: IV ← F(k’, message) – F is a cryptographically secure keyed pseudorandom function
  • 48. slide 48 CBC and Electronic Voting Initialization vector (supposed to be random) plaintext ciphertext DES DES DES DES ⊕ ⊕ ⊕ ⊕ Found in the source code for Diebold voting machines: DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data, totalSize, DESKEY, NULL, DES_ENCRYPT) [Kohno, Stubblefield, Rubin, Wallach] key key key key
  • 49. slide 49 CTR (Counter Mode) ◆ Still does not guarantee integrity ◆ Fragile if counter repeats plaintext ciphertext Enc(IV) Enc(IV+1) Enc(IV+2) Enc(IV+3) ⊕ Random IV ⊕ ⊕ ⊕ IV key key key key
  • 50. slide 50 When Is a Cipher “Secure”? ◆ Hard to recover plaintext from ciphertext? • What if attacker learns only some bits of the plaintext? Some function of the bits? Some partial information about the plaintext? ◆ Fixed mapping from plaintexts to ciphertexts? • What if attacker sees two identical ciphertexts and infers that the corresponding plaintexts are identical? • What if attacker guesses the plaintext – can he verify his guess? • Implication: encryption must be randomized or stateful
  • 51. slide 51 How Can a Cipher Be Attacked? ◆ Attackers knows ciphertext and encryption algthm • What else does the attacker know? Depends on the application in which the cipher is used! ◆ Known-plaintext attack (stronger) • Knows some plaintext-ciphertext pairs ◆ Chosen-plaintext attack (even stronger) • Can obtain ciphertext for any plaintext of his choice ◆ Chosen-ciphertext attack (very strong) • Can decrypt any ciphertext except the target • Sometimes very realistic
  • 52. slide 52 Known-Plaintext Attack Extracting password from an encrypted PKZIP file … ◆ “… I opened the ZIP file and found a `logo.tif’ file, so I went to their main Web site and looked at all the files named `logo.tif.’ I downloaded them and zipped them all up and found one that matched the same checksum as the one in the protected ZIP file” ◆ With known plaintext, PkCrack took 5 minutes to extract the key • Biham-Kocher attack on PKZIP stream cipher [From “The Art of Intrusion”]
  • 53. slide 53 Chosen-Plaintext Attack Crook #1 changes his PIN to a number of his choice cipher(key,PIN) PIN is encrypted and transmitted to bank Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN … repeat for any PIN value
  • 54. slide 54 Very Informal Intuition ◆ Security against chosen-plaintext attack • Ciphertext leaks no information about the plaintext • Even if the attacker correctly guesses the plaintext, he cannot verify his guess • Every ciphertext is unique, encrypting same message twice produces completely different ciphertexts ◆ Security against chosen-ciphertext attack • Integrity protection – it is not possible to change the plaintext by modifying the ciphertext Minimum security requirement for a modern encryption scheme
  • 55. slide 55 The Chosen-Plaintext Game ◆ Attacker does not know the key ◆ He chooses as many plaintexts as he wants, and receives the corresponding ciphertexts ◆ When ready, he picks two plaintexts M0 and M1 • He is even allowed to pick plaintexts for which he previously learned ciphertexts! ◆ He receives either a ciphertext of M0, or a ciphertext of M1 ◆ He wins if he guesses correctly which one it is
  • 56. slide 56 Meaning of “Leaks No Information” ◆ Idea: given a ciphertext, attacker should not be able to learn even a single bit of useful information about the plaintext ◆ Let Enc(M0,M1,b) be a “magic box” that returns encrypted Mb • Given two plaintexts, the box always returns the ciphertext of the left plaintext or right plaintext • Attacker can use this box to obtain the ciphertext of any plaintext M by submitting M0=M1=M, or he can try to learn even more by submitting M0≠M1 ◆ Attacker’s goal is to learn just this one bit b 0 or 1
  • 57. slide 57 Chosen-Plaintext Security ◆ Consider two experiments (A is the attacker) Experiment 0 Experiment 1 A interacts with Enc(-,-,0) A interacts with Enc(-,-,1) and outputs his guess of bit b and outputs his guess of bit b • Identical except for the value of the secret bit • b is attacker’s guess of the secret bit ◆ Attacker’s advantage is defined as | Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) | ◆ Encryption scheme is chosen-plaintext secure if this advantage is negligible for any efficient A
  • 58. slide 58 Simple Example ◆ Any deterministic, stateless symmetric encryption scheme is insecure • Attacker can easily distinguish encryptions of different plaintexts from encryptions of identical plaintexts • This includes ECB mode of common block ciphers! Attacker A interacts with Enc(-,-,b) Let X,Y be any two different plaintexts C1 ← Enc(X,X,b); C2 ← Enc(X,Y,b); If C1=C2 then b=0 else b=1 ◆ The advantage of this attacker A is 1 Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1
  • 59. slide 59 Encrypt + MAC Goal: confidentiality + integrity + authentication Alice Bob K1, K2 K1, K2 msg MAC=HMAC(K2,msg) encrypt(msg), MAC(msg) = ? Encrypt(K1,msg) Decrypt Verify MAC encrypt(msg2), MAC(msg2) Can tell if messages are the same! MAC is deterministic: messages are equal ⇒ their MACs are equal Solution: Encrypt, then MAC (or MAC, then encrypt) Breaks chosen- plaintext security
  • 60. slide 60 CS 361S Overview of Public-Key Cryptography
  • 61. slide 61 Public-Key Cryptography ? Given: Everybody knows Bob’s public key - How is this achieved in practice? Only Bob knows the corresponding private key private key Goals: 1. Alice wants to send a message that only Bob can read 2. Bob wants to send a message that only Bob could have written public key public key Alice Bob
  • 62. slide 62 Applications of Public-Key Crypto ◆ Encryption for confidentiality • Anyone can encrypt a message – With symmetric crypto, must know the secret key to encrypt • Only someone who knows the private key can decrypt • Secret keys are only stored in one place ◆ Digital signatures for authentication • Only someone who knows the private key can sign ◆ Session key establishment • Exchange messages to create a secret session key • Then switch to symmetric cryptography (why?)
  • 63. slide 63 Public-Key Encryption ◆ Key generation: computationally easy to generate a pair (public key PK, private key SK) ◆ Encryption: given plaintext M and public key PK, easy to compute ciphertext C=EPK(M) ◆ Decryption: given ciphertext C=EPK(M) and private key SK, easy to compute plaintext M • Infeasible to learn anything about M from C without SK • Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M
  • 64. slide 64 Some Number Theory Facts ◆ Euler totient function ϕ(n) where n≥1 is the number of integers in the [1,n] interval that are relatively prime to n • Two numbers are relatively prime if their greatest common divisor (gcd) is 1 ◆ Euler’s theorem: if a∈Zn*, then aϕ(n) ≡ 1 mod n ◆ Special case: Fermat’s Little Theorem if p is prime and gcd(a,p)=1, then ap-1 ≡ 1 mod p
  • 65. slide 65 RSA Cryptosystem ◆ Key generation: • Generate large primes p, q – At least 2048 bits each… need primality testing! • Compute n=pq – Note that ϕ(n)=(p-1)(q-1) • Choose small e, relatively prime to ϕ(n) – Typically, e=3 (may be vulnerable) or e=216+1=65537 (why?) • Compute unique d such that ed ≡ 1 mod ϕ(n) • Public key = (e,n); private key = d ◆ Encryption of m: c = me mod n ◆ Decryption of c: cd mod n = (me)d mod n = m [Rivest, Shamir, Adleman 1977]
  • 66. slide 66 Why RSA Decryption Works ◆ e⋅d ≡ 1 mod ϕ(n) ◆ Thus e⋅d = 1+k⋅ϕ(n) = 1+k(p-1)(q-1) for some k ◆ If gcd(m,p)=1, then by Fermat’s Little Theorem, mp-1 ≡ 1 mod p ◆ Raise both sides to the power k(q-1) and multiply by m, obtaining m1+k(p-1)(q-1) ≡ m mod p ◆ Thus med ≡ m mod p ◆ By the same argument, med ≡ m mod q ◆ Since p and q are distinct primes and p⋅q=n, med ≡ m mod n
  • 67. slide 67 Why Is RSA Secure? ◆ RSA problem: given c, n=pq, and e such that gcd(e,(p-1)(q-1))=1, find m such that me=c mod n • In other words, recover m from ciphertext c and public key (n,e) by taking eth root of c modulo n • There is no known efficient algorithm for doing this ◆ Factoring problem: given positive integer n, find primes p1, …, pk such that n=p1 e1p2 e2…pk ek ◆ If factoring is easy, then RSA problem is easy, but may be possible to break RSA without factoring n
  • 68. “Textbook” RSA Is Bad Encryption ◆ Deterministic • Attacker can guess plaintext, compute ciphertext, and compare for equality • If messages are from a small set (for example, yes/no), can build a table of corresponding ciphertexts ◆ Can tamper with encrypted messages • Take an encrypted auction bid c and submit c(101/100)e mod n instead ◆ Does not provide semantic security (security against chosen-plaintext attacks) slide 68
  • 69. slide 69 Integrity in RSA Encryption ◆ “Textbook” RSA does not provide integrity • Given encryptions of m1 and m2, attacker can create encryption of m1⋅m2 – (m1 e) ⋅ (m2 e) mod n ≡ (m1⋅m2)e mod n • Attacker can convert m into mk without decrypting – (me)k mod n ≡ (mk)e mod n ◆ In practice, OAEP is used: instead of encrypting M, encrypt M⊕G(r) ; r⊕H(M⊕G(r)) • r is random and fresh, G and H are hash functions • Resulting encryption is plaintext-aware: infeasible to compute a valid encryption without knowing plaintext – … if hash functions are “good” and RSA problem is hard
  • 70. slide 70 Digital Signatures: Basic Idea ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Bob sends a “digitally signed” message 1. To compute a signature, must know the private key 2. To verify a signature, only the public key is needed public key public key Alice Bob
  • 71. slide 71 RSA Signatures ◆ Public key is (n,e), private key is d ◆ To sign message m: s = hash(m)d mod n • Signing and decryption are the same mathematical operation in RSA ◆ To verify signature s on message m: se mod n = (hash(m)d)e mod n = hash(m) • Verification and encryption are the same mathematical operation in RSA ◆ Message must be hashed and padded (why?)
  • 72. slide 72 Diffie-Hellman Protocol ◆ Alice and Bob never met and share no secrets ◆ Public info: p and g • p is a large prime number, g is a generator of Zp* – Zp*={1, 2 … p-1}; ∀a∈Zp* ∃i such that a=gi mod p Alice Bob Pick secret, random X Pick secret, random Y gy mod p gx mod p Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p
  • 73. slide 73 Why Is Diffie-Hellman Secure? ◆ Discrete Logarithm (DL) problem: given gx mod p, it’s hard to extract x • There is no known efficient algorithm for doing this • This is not enough for Diffie-Hellman to be secure! ◆ Computational Diffie-Hellman (CDH) problem: given gx and gy, it’s hard to compute gxy mod p • … unless you know x or y, in which case it’s easy ◆ Decisional Diffie-Hellman (DDH) problem: given gx and gy, it’s hard to tell the difference between gxy mod p and gr mod p where r is random
  • 74. slide 74 Properties of Diffie-Hellman ◆ Assuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers • Eavesdropper can’t tell the difference between the established key and a random value • Can use the new key for symmetric cryptography ◆ Basic Diffie-Hellman protocol does not provide authentication • IPsec combines Diffie-Hellman with signatures, anti-DoS cookies, etc.
  • 75. slide 75 Advantages of Public-Key Crypto ◆ Confidentiality without shared secrets • Very useful in open environments • Can use this for key establishment, avoiding the “chicken-or-egg” problem – With symmetric crypto, two parties must share a secret before they can exchange secret messages ◆ Authentication without shared secrets ◆ Encryption keys are public, but must be sure that Alice’s public key is really her public key • This is a hard problem… Often solved using public-key certificates
  • 76. slide 76 Disadvantages of Public-Key Crypto ◆ Calculations are 2-3 orders of magnitude slower • Modular exponentiation is an expensive computation • Typical usage: use public-key cryptography to establish a shared secret, then switch to symmetric crypto – SSL, IPsec, most other systems based on public crypto ◆ Keys are longer • 2048 bits (RSA) rather than 128 bits (AES) ◆ Relies on unproven number-theoretic assumptions • Factoring, RSA problem, discrete logarithm problem, decisional Diffie-Hellman problem…