Applied Cryptography
Protocol Building Blocks
Sape J. Mullender
Huygens Systems Research Laboratory
Universiteit Twente
Enschede
Protocols
An algorithm describes a series of steps carried out by a
process to accomplish a task.
A protocol can be viewed as a description of the
communication steps that are carried out by two or more
communicating processes to carry out a task, or, if you like, a
distributed algorithm.
Cryptographic Protocols
In cryptographic protocols we are concerned with ‘unintended
anonymous participants’ (eavesdroppers or active intruders)
which makes it necessary to design the protocols in such a
way that
• Participants learn only what the protocol intends them to
learn;
• Protocol messages provide useful information only to
genuine participants;
• Protocol messages are designed so that only genuine
participants can generate them.
Arbitrated Protocol
Example: buying a house (Dutch protocol).
Buyer and seller agree on a trusted third party, the arbitrator.
In this example, the arbitrator is a notary public.
Buyer gives money to the arbitrator, who keeps it in escrow.
The arbitrator verifies the seller’s title to the house and lets the
seller sign the transfer of title to the buyer. The arbitrator
then gives the escrowed money to the seller.
Arbitrated and Adjudicated Protocols
[Figure: two panels, ‘Arbitrated Protocol’ and ‘Adjudicated Protocol’; labels: Alice, Bob, Trent, Evidence]
Passive and Active Attacks
[Figure: two diagrams. Passive attack: Sender A (Alice) encrypts Plaintext M, E(M) = C; Receiver B (Bob) decrypts, D(C) = M; Eve sits on the Ciphertext path. Active attack: the same flow, with Mallory on the Ciphertext path performing Modification, Insertion, Deletion, Replay.]
Cheaters
A malicious participant in a protocol is called a cheater.
There are many protocols that defend against cheating.
Banking protocols are an obvious example.
Passive cheaters run a protocol according to its rules, but
try to obtain information they are not supposed to get.
Active cheaters abuse protocols in order to mislead other
participants.
Symmetric Cryptography
[Figure: symmetric cryptography. Alice: Encryption of M gives C; Bob: Decryption of C gives M.]
Key Issues
• Keys must be distributed in secret
• If keys are compromised, all traffic encrypted with that key
may be exposed
• Each pair of principals requires a separate key — n
principals need n(n − 1)/2 keys
Key management is really, really important!
One-way functions
One-way functions have many uses in cryptographic
algorithms.
Given $x$ and a one-way function $f$, $y = f(x)$ is relatively easy
to compute, but given $y$ and $f$, finding an $x$ with $y = f(x)$ is
computationally infeasible.
Computationally Infeasible
Cryptographic algorithms rely on the property that it is ‘easy’
to encrypt or decrypt messages with the appropriate keys, or
calculate digests, but ‘very hard’ to find keys.
The RSA public-key cryptosystem, for example, relies on the
fact that, given two large prime numbers $p$ and $q$, it is easy
to compute $n = p \cdot q$, but, given only $n$, it is very difficult
indeed to factor $n$ into its constituents $p$ and $q$.
There are no mathematical proofs for the ‘difficulty’ of
breaking any cryptographic algorithm; in fact, algorithms are
broken with frightening regularity.
One-way Hash
Many names: one-way hash function, message digest,
fingerprint, cryptographic checksum, message integrity check
(MIC), manipulation-detection code.
A message digest takes a variable-length string (which could
be as large as a whole book) and computes a fixed-length (e.g.,
128-bit) value by a one-way function with the property that,
given the message digest — and, if you like, the string that
produced it — it is computationally infeasible to produce a
different string with the same digest.
Hash functions are usually not secret. They are intended to
prevent tampering.
Message Authentication Code
A message authentication code (MAC) or data authentication
code (DAC) is a message digest of a message and a secret key.
If you know the secret key, you can verify the MAC.
Public-Key Cryptography
[Figure: public-key cryptography. Alice: Encryption of M with Bob’s public key gives C; Bob: Decryption of C with his private key gives M.]
Key Management
Note that Eve learns nothing useful from this exchange: she
learns Bob’s public key, but that key is useless for decrypting
Alice’s message.
Bob’s public key is exactly what it says: public. Everybody
could put their public key in a database and Alice could get
Bob’s key from there.
The number of keys goes up linearly with the number of
principals, not quadratically as in the case of symmetric
cryptosystems.
Symmetric Algorithms in Practice
There are many official and unofficial standards for symmetric encryption:
DES, Triple-DES, IDEA, RC5, Blowfish, . . .
Symmetric encryption is quite fast: with hardware support, DES runs at
200 MBps; in software, DES will do 2 MBps on a Pentium II at 400 MHz.
IDEA is twice as fast as DES; Blowfish in software is five times as fast;
RC5 three to four times. Triple-DES is three times slower (naturally).
DES has a small key: 56 bits. All other useful cryptographic systems have
bigger keys. IDEA has a 128-bit key. Standards with keys smaller than 56
bits are only popular with governments — for obvious reasons.
Asymmetric Algorithms in Practice
The notion of asymmetric cryptography was invented by Diffie
and Hellman in the mid-seventies. The first practical algorithm
was invented a few years later by Rivest, Shamir and Adleman.
There is now a small set of known algorithms, but RSA remains
the best known.
With hardware support, speeds of 100 megabytes per second
have been achieved; in software, speeds are only a few
kilobytes per second (1024-bit key).
Keys are much larger for asymmetric encryption.
Hybrid Cryptosystems
Since asymmetric cryptography has more functionality and
symmetric encryption is much faster, it is interesting to
combine the two:
Asymmetric cryptography can be used to authenticate the
parties and to agree on a key for a symmetric cryptosystem.
That key is then used for the duration of a single session.
This has a number of advantages . . .
Advantages of Hybrid Cryptosystems
• The amount of encryption with long-term keys is minimized,
thus reducing the probability of compromise of those keys.
• The session key is used for encrypting the bulk of the data,
but it is used only once. If this key is compromised, the
damage is limited.
• One has to be careful what gets encrypted with a public-key
system: the attacker knows the (public) encryption key, so
whenever the number of different possible messages is small, an
attacker can encrypt each one and see which one yields the
ciphertext that was sent.
Digital Signatures
We want to create a digital analogue of the handwritten signature that has
the same important properties. It is
1. Authentic: the recipient believes the signer deliberately signed
the document.
2. Unforgeable: the signature proves that the signer, and nobody
else, signed the document.
3. Single purpose: the signature is attached to the document and
cannot be moved to a different one.
4. Unalterable: after it has been signed, the document can no
longer be changed.
5. Unrepudiable: after the fact, the signer can not successfully
deny having signed the document.
Digital Signatures with an Arbitrator
Trent, the arbitrator, is trusted by everyone. What he says is
true.
Alice shares $K_{AT}$ with Trent; only Alice and Trent know $K_{AT}$.
Bob shares $K_{BT}$ with Trent; only Bob and Trent know $K_{BT}$.
1. $\{B \text{ needs } M\}_{K_{AT}}$
2. $\{A \text{ says } M\}_{K_{BT}}$
Properties: (1) Authentic; (2) Unforgeable; (3) Single purpose;
(4) Unalterable; (5) Unrepudiable;
More Properties of ‘Symmetric Signatures’
Bob cannot show Alice’s signed message to Carol. He has to
ask Trent to show it to her:
1. $\{C \text{ needs } \{A \text{ says } M\}_{K_{BT}}\}_{K_{BT}}$
2. $\{A \text{ says } M\}_{K_{TC}}$
Or, if you like accuracy and complexity:
1. $\{C \text{ needs } \{A \text{ says } M\}\}_{K_{BT}}$
2. $\{\{B \text{ says } A \text{ says } M\} \wedge \{A \text{ once said } B \text{ needs } M\}$
Trent is a Liability
Trent has to be absolutely trustworthy. If he makes mistakes,
no matter how rarely, nobody is going to trust him. And if
his database of shared keys should ever be compromised, the
world around him would collapse.
Trent is in the path of every signed communication. This
makes Trent a bottleneck.
‘Replicating Trent’ may solve that problem, but it makes the
problem of making him truly worthy of his trust so much more
complicated.
It really would be nice if there were something better.
Signatures with Public-Key Cryptography
Some public-key algorithms are almost symmetric — they can
be used in two directions: anything encrypted with one key
can be decrypted with the other.
We use this as follows (remember our notation: $K$ is the public
key, $K^{-1}$ is the private key):
1. A says $\{M\}_{K_A^{-1}}$
2. $\{\{M\}_{K_A^{-1}}\}_{K_A} \stackrel{?}{=} M$
Properties: (1) Authentic; (2) Unforgeable; (3) Single purpose;
(4) Unalterable; (5) Unrepudiable;
Timestamps
Signed messages without timestamps are vulnerable to replay
attacks.
Suppose Alice’s message was a digital cheque. Bob could then
try to cash it multiple times.
If Alice’s message contained a timestamp — remember Logical
Clocks? Sequence numbers are timestamps too — the bank
could (and would) recognize a replay attack by keeping track of
timestamps.
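The bank-side bookkeeping this slide describes, as an added example that is not part of the lecture: a constructed Python `Bank` that remembers, per payer, the timestamps (or sequence numbers) of cheques already cashed and refuses replays. The `Cheque` fields, the bounded `window` and the verdict strings are assumptions made here, and the signature check $V_A$ is taken as already done.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cheque:
    """Constructed cheque: the fields are this example's own choice."""
    payer: str
    payee: str
    amount: int
    stamp: int  # Alice's timestamp: a logical clock or a sequence number


class Bank:
    """Replay detection for signed cheques (constructed example).

    Only stamps within `window` of the newest stamp of a payer are kept, so
    memory stays bounded.  Anything older is refused as stale even if it was
    never seen: at that point the bank can no longer tell a replay from a very
    late first presentation, so refusing is the safe answer.
    """

    def __init__(self, window: int = 100):
        self.window = window
        self.newest = {}   # payer -> highest stamp cashed so far
        self.recent = {}   # payer -> set of stamps still inside the window

    def cash(self, c: Cheque) -> str:
        newest = self.newest.get(c.payer)
        seen = self.recent.setdefault(c.payer, set())
        if c.stamp in seen:
            return "refused: replay"
        if newest is not None and c.stamp <= newest - self.window:
            return "refused: stale"
        seen.add(c.stamp)
        if newest is None or c.stamp > newest:
            self.newest[c.payer] = c.stamp
            # forget stamps that have fallen out of the window
            self.recent[c.payer] = {s for s in seen if s > c.stamp - self.window}
        return f"cashed: {c.amount} from {c.payer} to {c.payee}"


if __name__ == "__main__":
    bank = Bank(window=10)
    cheque = Cheque("alice", "bob", 50, 1)
    print(bank.cash(cheque))  # cashed: 50 from alice to bob
    print(bank.cash(cheque))  # refused: replay
```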
Signatures and Digests
Public-key encryption is slow. Signing a large message by
encrypting it with PK encryption is a time-consuming affair.
A practical alternative is to compute a one-way hash of the
message and to encrypt that with a secret key instead:
1. A says $M, \{H(M)\}_{K_A^{-1}}$
2. $\{\{H(M)\}_{K_A^{-1}}\}_{K_A} \stackrel{?}{=} H(M)$
This works, because one-way hashes are designed such that
the probability that an attacker can find a message $M'$ such
that $H(M') = H(M)$ is vanishingly small.
Multiple Signatures
With hashes, a document M can easily carry multiple
signatures. Each signature is a fixed-length encryption of the
message digest, using a different secret key each time:
$M, \{H(M)\}_{K_A^{-1}}, \{H(M)\}_{K_B^{-1}}, \{H(M)\}_{K_C^{-1}}$
Notation:
$S_A(M)$ or $\{M\}_{S_A}$ is message $M$ signed by Alice.
$V_A(S_A(M)) \stackrel{?}{=} M$ is the verification.
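Hash-then-sign and multiple signatures from the two slides above, as an added example that is not from the lecture: textbook RSA in Python with constructed toy keys (Mersenne primes, no padding, far too small for real use) and a 128-bit truncated SHA-256 standing in for $H$; the function names and the signer keys are assumptions made here.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA: returns (public K = (n, e), private K^-1 = (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # e must be coprime to (p-1)(q-1)
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """H(M): a 128-bit digest (the slide's example length), SHA-256 truncated."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_key) -> int:
    """S_A(M) = {H(M)}_{K_A^-1}: the digest 'encrypted' with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """V_A: undo the signature with the public key and compare with H(M)."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def sign_many(message: bytes, private_keys) -> list:
    """M, {H(M)}_{K_A^-1}, {H(M)}_{K_B^-1}, ...: one fixed-size signature per signer."""
    return [sign(message, k) for k in private_keys]


def verify_all(message: bytes, signatures, public_keys) -> bool:
    return len(signatures) == len(public_keys) and all(
        verify(message, s, k) for s, k in zip(signatures, public_keys))


# Constructed toy keys from Mersenne primes; every n must exceed the 128-bit digest.
ALICE = make_keypair(2**61 - 1, 2**89 - 1)
BOB = make_keypair(2**107 - 1, 2**127 - 1)
CAROL = make_keypair(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    m = b"Pay Bob 100 euro. -- Alice"
    sigs = sign_many(m, [ALICE[1], BOB[1], CAROL[1]])
    print(verify_all(m, sigs, [ALICE[0], BOB[0], CAROL[0]]))  # True
    print(verify(m + b"0", sigs[0], ALICE[0]))  # False: M was altered
```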
Repudiation of Digital Signatures
Alice signs M and then she ‘conveniently loses her key’. When
confronted with M and her signature, she denies ever having
signed it and points out that she has lost her key.
Repudiation is denying something you did.
Time stamps help to some extent.
In digital payment schemes, nonrepudiation is important.
Locking secret keys in tamperproof environments (such as
smart cards hope one day to be) helps a lot.
Signed and Sealed Messages
Here’s the cryptographic equivalent of signing a letter and
putting it into a sealed envelope.
1. $E_B(S_A(M))$
2. $V_A(D_B(E_B(S_A(M)))) \stackrel{?}{=} M$
You could try it the other way round
1. $S_A(E_B(M))$
2. $D_B(V_A(S_A(E_B(M)))) \stackrel{?}{=} M$
But:
1. $S_A(E_B(M))$
2. $S_M(E_B(M))$ $[= S_M(V_A(S_A(E_B(M))))]$
Never sign anything you can’t read!
Not a Good Receipt
1. $E_B(S_A(M))$
2. $V_A(D_B(E_B(S_A(M)))) \stackrel{?}{=} M$
3. $E_A(S_B(M))$
Here’s why
($V = E$ and $S = D$)
1. $E_B(D_A(M))$ (message for Bob)
2. $E_B(D_A(M))$ (literal replay)
3. $E_M(D_B(E_B(D_A(M)))) = E_M(D_A(M))$ (gibberish)
4. $E_M(D_B(E_M(D_A(M))))$ (receipt)
5. $D_M(E_B(D_M(E_M(D_B(E_M(D_A(M))))))) = M$ (!)
Never, ever, encrypt something you didn’t generate yourself!
A Better Receipt
1. $E_B(S_A(M), N_A)$
2. $V_A(D_B(E_B(S_A(M)))) \stackrel{?}{=} M$
3. $S_B(N_A, N_B)$
NA is a random number used as a nonce.
Bob adds NB so that he doesn’t encrypt something he didn’t
generate himself.
Lessons
• Don’t sign something you can’t read
• Don’t sign or encrypt something you didn’t generate
• Don’t use exactly the same algorithm/key for signing and
decrypting
• Use timestamps or nonces to prevent replay attacks
• Don’t respond to gibberish (and make sure messages you
send don’t look like gibberish)
Certificates
How does Bob know Alice’s public key?
Alice could tell Bob, but Mallory could change the message.
We need Trent as a universally trusted agent. Trent, in his role
of certification authority or key distribution center, constructs
messages of the form $S_T(T_T, \text{Alice’s public key is } K_A)$, where
$T_T$ is Trent’s timestamp and $S_T$ is, of course, Trent’s signature.
Trent’s messages are certificates: signed and dated
statements.
Trent can send them when somebody needs them, or he can
put them in a database, for others to retrieve.
Random Numbers
Keys and nonces are almost always generated with the help of
a random-number generator. If you don’t use a good random
number generator, it is likely your enemies can guess your
keys. It’s happened.
Good random numbers
• The number of zeroes and ones is approximately equal
• Half the runs should be of length one, a quarter of length
two, etc.
• A random sequence must not be compressible
• It must be computationally infeasible to predict the next bit,
even knowing the algorithm and all the previous bits (but
not the internal state of the generator)
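The first three criteria turned into a check, as an added example not from the lecture: Python functions that measure the bit balance, the run-length distribution and the zlib compression ratio of a bit string and compare them with the slide's expectations. The tolerances and the constructed sample generators are assumptions made here.

```python
import random
import zlib
from collections import Counter


def run_lengths(bits: str) -> Counter:
    """Histogram of the maximal runs of identical bits, keyed by run length."""
    runs = Counter()
    length = 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            length += 1
        else:
            runs[length] += 1
            length = 1
    runs[length] += 1
    return runs


def assess(bits: str, tol: float = 0.02) -> dict:
    """Frequency, run-length and compressibility checks from the slide.

    Fraction of ones near 1/2; about 1/2 of the runs of length 1, 1/4 of
    length 2, 1/8 of length 3; the bits packed into bytes should not shrink
    noticeably under zlib.  Tolerances are this example's own choice;
    len(bits) must be a multiple of 8.
    """
    n = len(bits)
    ones = bits.count("1") / n
    runs = run_lengths(bits)
    total = sum(runs.values())
    run_frac = {k: runs[k] / total for k in (1, 2, 3)}
    raw = int(bits, 2).to_bytes(n // 8, "big")
    ratio = len(zlib.compress(raw, 9)) / len(raw)
    passes = (abs(ones - 0.5) < tol
              and all(abs(run_frac[k] - 0.5 ** k) < tol for k in (1, 2, 3))
              and ratio > 0.95)
    return {"ones": ones, "run_frac": run_frac, "zlib_ratio": ratio, "passes": passes}


def mt_bits(n: int, seed: int = 2024) -> str:
    # Mersenne Twister passes these statistical checks, yet its next bit is
    # predictable from earlier output: it fails the slide's fourth criterion,
    # which no statistical test can detect.
    return format(random.Random(seed).getrandbits(n), f"0{n}b")


def biased_bits(n: int, p_one: float = 0.6, seed: int = 7) -> str:
    rng = random.Random(seed)
    return "".join("1" if rng.random() < p_one else "0" for _ in range(n))


if __name__ == "__main__":
    for name, bits in [("mt", mt_bits(1 << 16)), ("alternating", "01" * (1 << 15)),
                       ("biased", biased_bits(1 << 16))]:
        print(name, assess(bits)["passes"])  # True, False, False
```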
Using Random Number Devices
Devices exist that measure quantum noise in a resistor and
convert that to sequences of ones and zeroes. This is about
as random as you can get.
Some programs use humans as a source of quantum noise:
the user is requested to rattle the keyboard; keystrokes and
their timings are used to provide a sequence of seeds for a
pseudo-random-number generator.