Final - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

Final

Description:

two people Alice and Bob who wish to exchange some key over an insecure communications channel. ... This is the approached used in Australian EFT standards AS8205 ... – PowerPoint PPT presentation

Number of Views:89

Avg rating:3.0/5.0

Slides: 44

Provided by: and6165

Category:

Tags: eft | final

more less

Transcript and Presenter's Notes

Title: Final

1
Final

Everything we have covered
Thursday 1130-220
Physics S106
Do review the cryptographic algorithms
DES
AES
RSA

2
Diffie-Hellman

Security relies on the difficulty of computing
logarithms in these fields
discrete logarithms takes O(e log n log log n)
operations
The algorithm
two people Alice and Bob who wish to exchange
some key over an insecure communications channel.
They select a large prime p (200 digit), such as
(p-1)/2 should also be prime
They also select g, a primitive root mod p
g is a primitive if for each n from 0 to p-1,
there exists some a where ga n mod p.

3
Diffie-Hellman

The algorithm
The values of g and p dont need to be secret
Alice then chooses a secret number xA
Bob also chooses a secret number xB
Alice and Bob compute yA and yB respectively,
which are then exchanged
yA gxA mod p yB gxB mod p
Both Alice and Bob can calculate the key as
KAB gxA.xB mod p
yAxB mod p (which B can compute)
yBxA mod p (which A can compute)
The key may then be used in a private-key cipher
to secure communications between A and B

4
Merkle-Hellman

Example
Consider the superincreasing sequence
2, 5, 9, 21, 45, 103, 215, 450, 946
Define the function f as
f(x) (1289x) mod 2003
The public key is then
575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570

5
Merkle-Hellman

Example
To encrypt x 101100111 we do
575 1586 1030 721 1183 1570 6665
To recover the plaintext we use
1289-1 317
So 3196665 1643 mod 2003
Knowing the superincreasing sequence we recover x
101100111

6
Digital Signatures

The private-key signs (create) signatures, and
the public-key verifies signatures
Only the owner can create the digital signature,
hence it can be used to verify who created a
message
Generally don't sign the whole message (doubling
the size of information exchanged), but just a
digest or hash of the message,

7
Digital Signatures

A hash function takes the message, and produces a
fixed size (typically 64 to 512 bits) value
dependent on the message
It must be hard to create another message with
the same hash value (otherwise some forgeries are
possible)
Developing good hash functions is another
non-trivial problem

8
Message Authentication

Message authentication is concerned with
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
Electronic equivalent of a signature on a message
An authenticator, signature, or message
authentication code (MAC) is sent along with the
message

9
Message Authentication

The MAC is generated via some algorithm which
depends on known only to the sender and receiver
The message may be both the message and some
(public or private) key of any length
The MAC may be of any length, but more often is
some fixed size, requiring the use of some hash
function to condense the message to the required
size if this is not achieved by the
authentication scheme
Need to consider replay problems with message and
MAC
require a message sequence number, timestamp or
negotiated random values

10
Authentication using Private-key Ciphers

If a message is being encrypted using a session
key known only to the sender and receiver, then
the message may also be authenticated
Since only sender or receiver could have created
it
Any interference will corrupt the message
(provided it includes sufficient redundancy to
detect change)
This does not provide non-repudiation since it is
impossible to prove who created the message

11
Authentication using Private-key Ciphers

Message authentication may also be done using the
standard modes of use of a block cipher
Sometimes do not want to send encrypted messages
Can use either CBC or CFB modes and send final
block, since this will depend on all previous
bits of the message
No hash function is required, since this method
accepts arbitrary length input and produces a
fixed output
Usually use a fixed known IV
This is the approached used in Australian EFT
standards AS8205
Major disadvantage is small size of resulting MAC
since 64-bits is probably too small

12
Hashing Functions

Hashing functions are used to condense an
arbitrary length message to a fixed size, usually
for subsequent signature by a digital signature
algorithm
Good cryptographic hash function h should have
the following properties
h should destroy all homomorphic structures in
the underlying public key cryptosystem (be unable
to compute hash value of 2 messages combined
given their individual hash values)

13
Hashing Functions

Properties
h should be computed on the entire message
h should be a one-way function so that messages
are not disclosed by their signatures
It should be computationally infeasible given a
message and its hash value to compute another
message with the same hash value
Should resist birthday attacks (finding any 2
messages with the same hash value, perhaps by
iterating through minor permutations of 2
messages)

14
SHA (Secure Hash Algorithm)

SHA was designed by NIST NSA and is the US
federal standard for use with Secure Hash
Algorithm) the DSA signature scheme
the algorithm is SHA, the standard is SHS
It produces 160-bit hash values

15
SHA (Secure Hash Algorithm)

SHA overview
Pad message, liker in MD5, so its length is a
multiple of 512 bits
Initialize a 5-word (160-bit) buffer
A 67452301, B efcdab89, C 98badcfe, D
10325476, Ec3d2e1f0
Process the message in 16-word (512-bit) chunks,
using 4 rounds of 20 bit operations each on the
chunk buffer
Output hash value is the final buffer value

16
DSA (Digital Signature Algorithm)

DSA is a variant on the ElGamal and Schnorr
algorithms
Description of DSA
p of length 2L is a prime number, where L 512 to
1024 bits and is a multiple of 64
q is a 160 bit prime factor of p-1
g h(p-1)/q where h is any number less than p-1
with h(p-1)/q(mod p) gt 1
x is a number less than q (private key)
y gx(mod p)

17
DSA (Digital Signature Algorithm)

Description of DSA
To sign a message M
generate random k, kltq
compute
r (gk(mod p))(mod q)
s k-1.SHA(M) x.r (mod q)
the signature is (r,s)
To verify a signature
w s-1(mod q)
u1 (SHA(M).w)(mod q)
u2 r.w(mod q)
v (gu1.yu2(mod p))(mod q)
if vr then the signature is verified

18
DSA (Digital Signature Algorithm)

Comments on DSA
was originally a suggestion to use a common
modulus, this would make a tempting target,
discouraged
it is possible to do both ElGamal and RSA
encryption using DSA routines, this was probably
not intended -)
DSA is patented with royalty free use, but this
patent has been contested, situation unclear
Gus Simmons has found a subliminal channel in
DSA, could be used to leak the private key from a
library - make sure you trust your library
implementer

19
Elliptic Curve Cryptography

Elliptic Curve over K is the set of points (x,y),
with x, y ? K, which satisfy
y2 x3 ax b, together with the point at
infinity O, if characteristic of K gt 3 and x3
ax b has no multiple roots
If the characteristic of K is 2, than the
elliptic curve is
y2 cy x3 ax b (1)
y2 xy x3 ax2 b (2), where we dont care
about multiple roots

20
Elliptic Curve Cryptography

The analogy of multiplying two elements in Fq is
adding two points in E
So the analogy of raising an element to power k
is multiplying a point by k
Raising to power k can be accomplished in O(log k
log3q) bit operations
Multiplying a point by k can be accomplished in
O(log k log3q)

21
Elliptic Curve Cryptography

The discrete log problem in elliptic curve is the
problem of given P and B find an x such as P
xB
There is a way to reduce the log problem over
elliptic curve to the log problem over Fqk
The reduction only works for some special curves
that are called supersingular
Why do you care about this?

22
Diffie Hellman over ECC

Alice and Bob chose a finite field Fq and an
elliptic curve E
The key will be taken from a random point P over
the elliptic curve (e.g. the x coordinate)
Alice and Bob choose a point B that does not need
to be secret
B must have a very large order!

23
Diffie Hellman over ECC

Alice chooses a random a and compute aB ? E
Bob chooses a random b and compute bB ? E
Alice and Bob exchange the computed values
Alice, from bB and a can compute P abB
Bob, from aB and b can compute P abB

24
Elliptic Curve Digital Signature

Chose a finite field Fp, an elliptic curve E, and
a point B ? E
Select a random value d and calculate Q dB.
Make Q public
To sign a message choose a random k and compute
kP (x, y), and r x mod n (r?0)
Compute k-1 mod n, and s k-1 (H(m) dr) mod n
(s?0)
The signature will be the pair (r, s)

25
Elliptic Curve Digital Signature

To verify a signature
Compute c s-1 mod n and H(m)
Compute u1 H(m)c mod n
Compute u2 rc mod n
Compute u1B u2Q (x, y), and v x mod n
The signature is verified if v r

26
Choice of Curve and Point

Random selection
Select a random x, y, a
Verify that the curve with those elements has the
cubic x3 ax b with no multiple roots
(characteristic gt 3)
Set B (x, y)
There are methods that you can use to find the
number of elements of the curve N
In order top be confident on the security of your
curve you want N having large prime factors

27
Choice of Curve and Point

If N is a product of small primes we can solve
the log problem using Pohlig-Silver-Hellman
method.
You can also start from a particular curve and
reduce module p
The curve should have a point of infinite order
In fact, for DH and El Gamal, B needs only to
have a large order
If N is a prime than any B ? 0 will be a generator

28
Pseudo-Random Generators

Many cryptographic algorithms require random
numbers
Either you use a source of randomness (very
difficulty) or you use a pseudo-random number
generators
Pseudo-random numbers have been a source of
weaknesses for a long time
An analysis
J. Kelsey, B. Schneier, D. Wagner, and C. Hall,
Cryptanalytic Attacks on Pseudorandom Number
Generators, Fast Software Encryption, Fifth
International Workshop Proceedings (March 1998),
Springer-Verlag, 1998, pp. 168-188.

29
PKI

Risks
Who do we trust, and for what?
Who is using my key?
How secure is the verifying computer?
Which John Robinson is he?
Is the CA an authority?
Is the user part of the security design?

30
PKI

Risks
Was it one CA or a CA plus a Registration
Authority?
How did the CA identify the certificate holder?
How secure are the certificate practices?
Why are we using the CA process, anyway?

31
PGP

How PGP works

32
PGP Web of Trust

In pgp any user can act as a certifying authority
However the certificate is only valid if the
receiving party recognize the validator as a
trusted introducer
Stored on each user's public keyring are
indicators of
whether or not the user considers a particular
key to be valid
the level of trust the user places on the key
that the key's owner can serve as certifier of
others' keys

33
PGP Web of Trust

Levels of trust
Implicit (I believe in myself)
Others
Complete
Marginal
Notrust
Validity
Valid
Marginally valid
Invalid

34
Certificate Revocation

Revocation is important
User stop playing the role that is specified in
the certificate
Belief that certificate was compromised
Pgp certificates can be revoked by
Owner
Someone that the owner designates as a revoker

35
TLS Handshake protocol

Client
Server
ClientHello --------gt
ServerHello
Certificate
ServerKeyExchange
CertificateRequest
lt--------
ServerHelloDone
Certificate
ClientKeyExchange
CertificateVerify
ChangeCipherSpec
Finished --------gt
ChangeCipherSpec
lt--------
Finished
Application Data lt-------gt
Application Data

36
TLS Record Protocol

The Record Protocol takes messages to be
transmitted, fragments the data into manageable
blocks, optionally compresses the data, applies a
MAC, encrypts, and transmits the result.
Uses read and write parameters defined as client
or server write

37
SET

Acquirer gateway is an Internet interface to the
established credit card authorization system and
cardholder/merchant banks

38
SET Advantages

SET will enable e-commerce, eliminate world
hunger, and close the ozone hole
SET prevents fraud in card not present
transactions
SET eliminates the need for a middleman (the
banks love this)
SET leverages the existing infrastructure

39
SET (problems)

SET is the most complex (published) crypto
protocol ever designed
gt 3000 lines of ASN.1 specification
28-stage (!) transaction process
The SET reference implementation will be
available by mid 1996
SET 1.0 " " " mid 1997
SET 2.0 " " " mid 1998
Interoperability across different implementations
is a problem
SET is awfully slow (6 RSA operations per
transaction)
Great for crypto hardware accelerator
manufacturers
For comparison, VISA interchange gateway
currently has to handle 2000 pure DES-based
transactions/second

40
SET (problems)

Although SET was specifically designed for
exportability, you could not export the reference
implementation for long time
SET requires
Custom wallet software on the cardholders PC
Custom merchant software
Special transaction processing software (and
hardware) at the acquirer gateway.

41
MS PPTP

LAN Manager Hash
Turn the password into a 14-character string,
either by truncating longer passwords or padding
shorter passwords with nulls.
Convert all lowercase characters to uppercase.
Numbers and non-alphanumerics remain unaffected.
Split the 14-byte string into two seven-byte
halves.
Using each seven-byte string as a DES key,
encrypt a fixed constant with each key, yielding
two 8-byte encrypted strings.
Concatenate the two strings together to create a
single 16-byte hash value.