15441 Computer Networks

1
15-441 Computer Networks

• Cryptography Basics
• RSA
• SSL
• SSH
• Kerberos

2
Basic Definitions

• Private Key or Symmetric Key1 Key2
• Public Key or Asymmetric Key1 ? Key2Key1 or
  Key2 is public depending on the protocol

3
What does it mean to be secure?

• Unconditionally Secure Encrypted message cannot
  be decoded without the key
• Shannon showed in 1943 that key must be as long
  as the message to be unconditionally secure
  this is based on information theory
• A one time pad xor a random key with a message
  (Used in 2nd world war)
• Security based on computational cost it is
  computationally infeasible to decode a message
  without the key.
• No (probabilistic) polynomial time algorithm can
  decode the message.

4
One Way Functions
5
Primitives One-Way Functions

• (Informally) A function
• Y f(x)
• is one-way if it is easy to compute y from x but
  hard to compute x from y
• Building block of most cryptographic protocols
• encryption function f is invertible
• one-way hash function f typically isnt
  invertible
• The security of most protocols rely on their
  existence.
• Unfortunately, not known to exist. This is true
  even if we assume P ? NP.

6
One-way functions possible definition

• f(x) is polynomial time
• f-1(x) is NP-hard
• What is wrong with this definition?

7
One-way functionsbetter definition

• For most y no single PPT (probabilistic
  polynomial time) algorithm can compute x
• Roughly at most a fraction 1/xk instances x
  are easy for any fixed k as x -gt ?
• This definition can be used to make the
  probability of hitting an easy instance
  arbitrarily small.

8
Some examples (conjectures)

• Factoring x (u,v)y f(u,v) uv
• If u and v are prime it is hard to generate them
  from y.
• Discrete Log y gx mod p
• where p is prime and g is a generator (i.e.,
  g1, g2, g3, generates all values lt p).
• DES with fixed message y DESx(m)
• This would assume a family of DES functions of
  increasing key size (for asymptotics)

9
One-way functions in private-key protocols

• y ciphertext m plaintext k key
• Is
• y Ek(m) (i.e. f Ek)
• a one-way function with respect to y and m?
• What do one-way functions have to do with
  private-key protocols?

10
One-way functions in private-key protocols

• y ciphertext m plaintext k key
• How about
• y Ek(m) E(k,m) Em(k) (i.e. f
  Em)
• should this be a one-way function?

In a known-plaintext attack we know a (y,m)
pair. The m along with E defines f Em(k)
needs to be easy Em-1(y) should be
hard Otherwise we could extract the key k.
11
One-way functions in public-key protocols

• y ciphertext m plaintext k public
  key
• Consider y Ek(m) (i.e., f Ek)
• We know k and thus f
• Ek(m) needs to be easy
• Ek-1(y) should be hard
• Otherwise we could decrypt y.
• But what about the intended recipient, who should
  be able to decrypt y?

12
One-Way Trapdoor Functions

• A one-way function with a trapdoor
• The trapdoor is a key that makes it easy to
  invert the function y f(x)
• Example RSA (conjecture)
• y xe mod n
• Where n pq (p, q are prime)
• p or q or d (where ed 1 mod (p-1)(q-1)) can be
  used as trapdoors
• In public-key algorithms
• f(x) public key (e.g., e and n in RSA)
• Trapdoor private key (e.g., d in RSA)

13
One-way Hash Functions

• Y h(x) where
• y is a fixed length independent of the size of x.
  In general this means h is not invertible since
  it is many to one.
• Calculating y from x is easy
• Calculating any x such that y h(x) give y is
  hard
• Used in digital signatures and other protocols.

14
Protocols

• Digital Signatures
• Key Exchange
• Private-Key Encryption
• Public-Key Encryption

15
Protocols Digital Signatures

• Goals
• Convince recipient that message was actually sent
  by a trusted source
• Do not allow repudiation, i.e., thats not my
  signature.
• Do not allow tampering with the message without
  invalidating the signature
• Item 2 turns out to be really hard to do

16
Using Public Keys
K1 Alices private key Bob decrypts it with
Alices public key
More Efficiently
Dk1(h(m)) m
Alice
Bob
h(m) is a one-way hash of m
17
Protocols Key Exchange
Private Key method
Trent
Eka(k)
Ekb(k)
Generates k
Alice
Bob
Public Key method
Ek1(k)
Alice
Bob
Generates k
k1 Bobs public key
18
Diffie-Hellman Key Exchange

• A group (G,) and a primitive element (generator)
  g is made public.
• Alice picks a, and sends ga to Bob
• Bob picks b and sends gb to Alice
• The shared key is gab
• Note this is easy for Alice or Bob to compute,
  but assuming discrete logs are hard is hard for
  anyone else to compute.
• Can someone see a problem with this protocol?

19
Person-in-the-middle attack
Mallory gets to listen to everything.
20
Private Key Algorithms
What granularity of the message does Ek encrypt?
21
Private Key Algorithms

• Block Ciphers blocks of bits at a time
• DES (Data Encryption Standard)Banks, linux
  passwords (almost), SSL, kerberos,
• Blowfish (SSL as option)
• IDEA (used in PGP, SSL as option)
• Rijndael (AES) the new standard
• Stream Ciphers one bit (or a few bits) at a time
• RC4 (SSL as option)
• PKZip
• Sober, Leviathan, Panama,

22
Private Key Block Ciphers

• Encrypt one block at a time (e.g. 64 bits)
• ci f(k,mi) mi f(k,ci)
• Keys and blocks are often about the same size.
• Equal message blocks will encrypt to equal
  codeblocks
• Why is this a problem?
• Various ways to avoid this
• E.g. ci f(k,ci-1 ? mi) Cipher block
  chaining (CBC)
• Why could this still be a problem?

Solution attach random block to the front of the
message
23
Iterated Block Ciphers
m
key

• Consists of n rounds
• R the round function
• si state after round i
• ki the ith round key

k1
R
s1
k2
R
s2
. . .
. . .
kn
R
c
24
Iterated Block Ciphers Decryption

• Run the rounds in reverse.
• Requires that R has an inverse.

m
key
k1
R-1
s1
k2
R-1
s2
. . .
. . .
kn
R-1
c
25
Feistel Networks

• If function is not invertible rounds can still be
  made invertible. Requires 2 rounds to mix all
  bits.

high bits
low bits
R
R-1
ki
ki
F
F
XOR
XOR
Forwards
Backwards
Used by DES (the Data Encryption Standard)
26
Product Ciphers

• Each round has two components
• Substitution on smaller blocksDecorrelate input
  and output confusion
• Permutation across the smaller blocksMix the
  bits diffusion
• Substitution-Permutation Product Cipher
• Avalanche Effect 1 bit of input should affect
  all output bits, ideally evenly, and for all
  settings of other in bits

27
Rijndael

• Selected by AES (Advanced Encryption Standard,
  part of NIST) as the new private-key encryption
  standard.
• Based on an open competition.
• Competition started Sept. 1997.
• Narrowed to 5 Sept. 1999
• MARS by IBM, RC6 by RSA, Twofish by Counterplane,
  Serpent, and Rijndael
• Rijndael selected Oct. 2000.
• Official Oct. 2001? (AES page on Rijndael)
• Designed by Rijmen and Daemen (Dutch)

28
Public Key Cryptosystems

• Introduced by Diffie and Hellman in 1976.

Plaintext M
Public Key systems K1 public key K2 private
key
EK1(M) C
Encryption
K1
Cyphertext C
Digital signatures K1 private key K2 public
key
Decryption
DK2(C) M
K2
Original Plaintext
Typically used as part of a more complicated
protocol.
29
One-way trapdoor functions

• Both Public-Key and Digital signatures make use
  of one-way trapdoor functions.
• Public Key
• Encode c f(m)
• Decode m f-1(c) using trapdoor
• Digital Signatures
• Sign c f-1(m) using trapdoor
• Verify m f(c)

30
RSA

• Invented by Rivest, Shamir and Adleman in 1978
• Based on difficulty of factoring.
• Used to hide the size of a group Zn since
• .
• Factoring has not been reduced to RSA
• an algorithm that generates m from c does not
  give an efficient algorithm for factoring
• On the other hand, factoring has been reduced to
  finding the private-key.
• there is an efficient algorithm for factoring
  given one that can find the private key.

31
RSA Public-key Cryptosystem

• What we need
• p and q, primes of approximately the same size
• n pq ?(n) (p-1)(q-1)
• e ? Z ?(n)
• d inv. of e in Z ?(n) i.e., d e-1 mod ?(n)

Public Key (e,n) Private Key d

• Encode
• m ? Zn
• E(m) me mod n

Decode D(c) cd mod n
32
RSA continued

• Why it works
• D(c) cd mod n
• med mod n
• m1 k(p-1)(q-1) mod n
• m1 k ?(n) mod n
• m(m ?(n))k mod n
• m (because ?(n) 0 mod ?(n))
• Why is this argument not quite sound?

What if m ? Zn then m?(n) ? 1 mod n Answer
1 Not hard to show that it still works.
Answer 2 jackpot youve factored n
33
RSA computations

• To generate the keys, we need to
• Find two primes p and q. Generate candidates and
  use primality testing to filter them.
• Find e-1 mod (p-1)(q-1). Use Euclids
  algorithm. Takes time log2(n)
• To encode and decode
• Take me or cd. Use the power method.Takes time
  log(e) log2(n) and log(d) log2(n) .
• In practice e is selected to be small so that
  encoding is fast.

34
Security of RSA

• Warning
• Do not use this or any other algorithm naively!
• Possible security holes
• Need to use safe primes p and q. In particular
  p-1 and q-1 should have large prime factors.
• p and q should not have the same number of
  digits. Can use a middle attack starting at
  sqrt(n).
• e cannot be too small
• Dont use same n for different es.
• You should always pad messages

35
RSA Performance

• Performance (600Mhz PIII) (from ssh toolkit)
  

36
RSA in the Real World

• Part of many standards PKCS, ITU X.509, ANSI
  X9.31, IEEE P1363
• Used by SSL, PEM, PGP, Entrust,
• The standards specify many details on the
  implementation, e.g.
• e should be selected to be small, but not too
  small
• multi prime versions make use of n pqrthis
  makes it cheaper to decode especially in parallel
  (uses Chinese remainder theorem).

37
Factoring in the Real World

• Quadratic Sieve (QS)
• Used in 1994 to factor a 129 digit (428-bit)
  number. 1600 Machines, 8 months.
• Number field Sieve (NFS)
• Used in 1999 to factor 155 digit (512-bit)
  number. 35 CPU years. At least 4x faster than
  QS
• Used in 2003-2005 to factor 200 digits (663 bits)
  75 CPU years (20K prize)

38
Applications

• SSL
• SSH
• Kerberos

39
Example of SSL (3.0)

• SSL (Secure Socket Layer) is the standard for the
  web (https).
• Protocol (somewhat simplified) Bob -gt amazon.com
• B-gtA client hello protocol version,
  acceptable ciphers
• A-gtB server hello cipher, session ID,
  amazon.comverisign
• B-gtA key exchange, masterkeyamazons
  public key
• A-gtB server finish (amazon,prev-messages
  ,masterkey)key1
• B-gtA client finish (bob,prev-messages,ma
  sterkey)key2
• A-gtB server message (message1,message1)ke
  y1
• B-gtA client message (message2,message2)ke
  y2
• hissuer Certificate
• Issuer, lth,hs public key,
  time stampgtissuers private key
• ltgtprivate key Digital signature
  public key Public-key encryption
• .. Secure Hash ()key
  Private-key encryption
• key1 and key2 are derived from masterkey and
  session ID

hand-shake
data
40
SSH v2

• Server has a permanent host public-private key
  pair (RSA or DSA) . Client warns if public host
  key changes.
• Diffie-Hellman used to exchange session key.
• Server selects g and p and sends to client.
• Client and server create DH public keys ga and
  gb. Client sends public DH key ga .
• Server sends public DH key gb and signs hash of
  DH shared secret gab and other 12 other values
  with its private host key.
• Symmetric encryption using 3DES, Blowfish, AES,
  or Arcfour begins.
• User can authenticate by sending password or
  using public-private key pair.
• If using keys, server sends challenge signed
  with users public key for user to decode with
  private key.

41
Kerberos

• A key-serving system based on Private-Keys (DES).
• Assumptions
• Built on top of TCP/IP networks
• Many clients (typically users, but perhaps
  software)
• Many servers (e.g. file servers, compute
  servers, print servers, )
• User machines and servers are potentially
  insecure without compromising the whole system
• A kerberos server must be secure.

42
Kerberos (kinit)
Kerberos Authentication Server
Ticket Granting Server (TGS)
1
2
3
4
Service Server
Client
5

• Request ticket-granting-ticket (TGT)
• ltTGTgt
• Request server-ticket (ST)
• ltSTgt
• Request service

43
Kerberos V Message Formats

• C client S server K key or session key
• T timestamp V time range
• TGS Ticket Granting Service A Net Address
• Ticket Granting Ticket TC,TGS
  TGS,C,A,V,KC,TGSKTGS
• Server Ticket TC,S S,
  C,A,V,KC,SKS
• Authenticator AC,S C,TKC,S
• Client to Kerberos C,TGS
• Kerberos to Client KC,TGSKC, TC,TGS
• Client to TGS TC,TGS , S, AC,TGS
• TGS to Client KC,SKC,TGS, TC,S
• Client to Server TC,S, AC,S

Possibly repeat
44
Kerberos Notes

• All machines have to have synchronized clocks
• Must not be able to reuse authenticators
• Servers should store all previous and valid
  tickets
• Help prevent replays
• Client keys are typically a one-way hash of the
  password. Clients do not keep these keys.
• Kerberos 5 uses CBC mode for encryption -
  Kerberos 4 was insecure because it used a
  nonstandard mode.