EE515/IS523
Think Like an
Adversary
Lecture 3
Cryptography in a Nutshell
Yongdae Kim
Recap
http://syssec.kaist.ac.kr/courses/ee515
E-mail policy
 Include [ee515] or [is523] in the subject of your e-mail
Student Survey
 http://bit.ly/SiK9M3
News posting
 KLMS http://edu3.kaist.ac.kr/course/view.php?id=14461
Match making, criticism
 KLMS
Text only posting, email!
In a Nutshell
Security by Obscurity is not secure!
Conservative modeling for adversary
State-sponsored, Hacktivists, Hacker+Criminals, Researchers ;-)
Care for the weakest link.
Plan for unknown attacks.
Check for environmental changes
All stages are important
Attacker modeling, design, implementation, deployment,
operation
Check News!
Cyber Warfare?
Security & Risk
We only have finite resources for security…
Product A
Product B
Prevents
Attacks:
U,W,Y,Z
Prevents
Attacks:
V,X
Cost $10K
Cost $20K
If we only have $20K, which should we buy?
Risk
The risk due to a set of attacks is the
expected (or average) cost per unit of time.
One measure of risk is Annualized Loss
Expectancy, or ALE:
ALE of attack A
Σ
( pA × L A )
attack A
Annualized attack
incidence
Cost per attack
Risk Reduction
A defense mechanism may reduce the risk
of a set of attacks by reducing LA or pA. This
is the gross risk reduction (GRR):
Σ
(pA ×LA – p’A×L’A)
attack A
The mechanism also has a cost. The net
risk reduction (NRR) is GRR – cost.
Basic Cryptography
Yongdae Kim
The main players
Eve
Yves?
Alice
Bob
Attacks
Normal Flow
Source
Interruption: Availability
Source
Destination
Modification: Integrity
Source
Destination
Destination
Interception: Confidentiality
Source
Destination
Fabrication: Authenticity
Source
Destination
Taxonomy of Attacks
Passive attacks
Eavesdropping
Traffic analysis
Active attacks
Masquerade
Replay
Modification of message content
Denial of service
Big picture
Trusted third party
(e.g. arbiter, distributor
of secret information)
Bob
Alice
Message
Information
Channel
Secret
Information
Message
Secret
Information
Eve
Terminology for Encryption
A denotes a finite set called the alphabet
M denotes a set called the message space
M consists of strings of symbols from an alphabet
An element of M is called a plaintext
C denotes a set called the ciphertext space
C consists of strings of symbols from an alphabet
An element of C is called a ciphertext
 K denotes a set called the key space
 An element of K is called a key
Ee is an encryption function where e  K
Dd called a decryption function where d  K
Encryption
Adversary
Encryption
Ee(m) = c
c
insecure channel
m
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
Why do we use key?
Or why not use just a shared encryption function?
SKE with Secure channel
Adversary
Key source
d
Secure channel
e
Encryption
Ee(m) = c
m
c
Insecure channel
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
PKE with insecure channel
Passive
Adversary
e
Insecure channel
Key source
d
Encryption
Ee(m) = c
m
c
Insecure channel
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
Public key should be authentic!
e
e’
Ee(m)
Ee’(m)
e
Ee(m)
Need to authenticate public keys
Digital Signatures
Primitive in authentication and nonrepudiation
Signature
Process of transforming the message and some
secret information into a tag
Nomenclature
M is set of messages
S is set of signatures
SA: M ! S for A, kept private
VA is verification transformation from M to S for
A, publicly known
Key Establishment, Management
Key establishment
Process to whereby a shared secret key becomes
available to two or more parties
Subdivided into key agreement and key
transport.
Key management
The set of processes and mechanisms which
support key establishment
The maintenance of ongoing keying relationships
between parties
Symmetric vs. Public key
Pros
Cons
 High data throughput
SKE
 Relatively short key size
The key must remain secret
at both ends
O(n2) keys to be managed
Relatively short lifetime of
the key
O(n) keys
Only the private key
must be kept secret
PKE
longer key life time
digital signature
Low data throughput
Much larger key sizes
Symmetric key Encryption
Symmetric key encryption
if for each (e,d) it is easy computationally easy to
compute e knowing d and d knowing e
Usually e = d
Block cipher
breaks up the plaintext messages to be
transmitted into blocks of a fixed length, and
encrypts one block at a time
Stream cipher
encrypt individual characters of plaintext
message one at a time, using encryption
transformation which varies with time
Hash function and MAC
A hash function is a function h
 compression
 ease of computation
 Properties
one-way: for a given y, find x’ such that h(x’) = y
collision resistance: find x and x’ such that h(x) = h(x’)
 Examples: SHA-1, MD-5
MAC (message authentication codes)
 both authentication and integrity
 MAC is a family of functions hk
ease of computation (if k is known !!)
compression, x is of arbitrary length, hk(x) has fixed length
computation resistance
 Example: HMAC
How Random is the Hash function?
Applications of Hash Function
File integrity
File identifier
Hash table
Digital signature
Sign = SSK(h(m))
Password verification
stored hash = h(password)
Generating random
numbers
Hash function and MAC
A hash function is a function h
 compression
 ease of computation
 Properties
one-way: for a given y, find x’ such that h(x’) = y
collision resistance: find x and x’ such that h(x) = h(x’)
 Examples: SHA-1, MD-5
MAC (message authentication codes)
 both authentication and integrity
 MAC is a family of functions hk
ease of computation (if k is known !!)
compression, x is of arbitrary length, hk(x) has fixed length
computation resistance
 Example: HMAC
MAC construction from Hash
Prefix
 M=h(k||x)
 appending y and deducing h(k||x||y) form h(k||x) without
knowing k
Suffix
 M=h(x||k)
 possible a birthday attack, an adversary that can choose x
can construct x’ for which h(x)=h(x’) in O(2n/2)
STATE OF THE ART: HMAC (RFC 2104)
 HMAC(x)=h(k||p1||h(k|| p2||x)), p1 and p2 are padding
 The outer hash operates on an input of two blocks
 Provably secure
How to use MAC?
A & B share a secret key k
A sends the message x and the MAC
M←Hk(x)
B receives x and M from A
B computes Hk(x) with received M
B checks if M=Hk(x)
PKE with insecure channel
Passive
Adversary
e
Insecure channel
Key source
d
Encryption
Ee(m) = c
m
c
Insecure channel
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
Digital Signature
I did not
have
intimate
relations
with that
woman,…,
Ms.
Lewinsky
Integrity
Authentication
Non-repudiation
Digital Signature with Appendix
Schemes with appendix
Requires the message as input to verification
algorithm
Rely on cryptographic hash functions rather than
customized redundancy functions
DSA, ElGamal, Schnorr etc.
Digital Signature with Appendix
M
Mh
h
m
Mh x S
VA
mh
S
SA,k
s*
s* = SA,k(mh)
u 2 {True, False}
u = VA(mh, s*)
Authentication
How to prove your identity?
Prove that you know a secret information
When key K is shared between A and Server
A  S: HMACK(M) where M can provide freshness
Why freshness?
Digital signature?
A  S: SigSK(M) where M can provide freshness
Comparison?
Encryption and Authentication
EK(M)
Redundancy-then-Encrypt: EK(M, R(M))
Hash-then-Encrypt: EK(M, h(M))
Hash and Encrypt: EK(M), h(M)
MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M)
MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))
Challenge-response authentication
Alice is identified by a secret she possesses
Bob needs to know that Alice does indeed possess
this secret
Alice provides response to a time-variant
challenge
Response depends on both secret and challenge
Using
Symmetric encryption
One way functions
Challenge Response using SKE
Alice and Bob share a key K
Taxonomy
Unidirectional authentication using
timestamps
Unidirectional authentication using random
numbers
Mutual authentication using random numbers
Unilateral authentication using timestamps
Alice  Bob: EK(tA, B)
Bob decrypts and verified that timestamp is OK
Parameter B prevents replay of same message in
B  A direction
Challenge Response using SKE
Unilateral authentication using random
numbers
Bob  Alice: rb
Alice  Bob: EK(rb, B)
Bob checks to see if rb is the one it sent out
Also checks “B” - prevents reflection attack
rb must be non-repeating
Mutual authentication using random
numbers
Bob  Alice: rb
Alice  Bob: EK(ra, rb, B)
Bob  Alice: EK(ra, rb)
Alice checks that ra, rb are the ones used earlier
Challenge-response using OWF
Instead of encryption, used keyed MAC hK
Check: compute MAC from known
quantities, and check with message
SKID3
Bob  Alice: rb
Alice  Bob: ra, hK(ra, rb, B)
Bob  Alice: hK(ra, rb, A)
Key Establishment, Management
Key establishment
Process to whereby a shared secret key becomes
available to two or more parties
Subdivided into key agreement and key
transport.
Key management
The set of processes and mechanisms which
support key establishment
The maintenance of ongoing keying relationships
between parties