Crypto 2

iLab

Modern cryptography for communications security
part 2

Benjamin Hof
[email protected]

Lehrstuhl für Netzarchitekturen und Netzdienste
Fakultät für Informatik
Technische Universität München

Cryptography – 18ss

1 / 37
Outline

Hash functions

Asymmetric setting

Using cryptography

2 / 37
Cryptographic hash functions

  secret-key                        public-key
  - encryption                      ...
  - message authentication codes

  hash functions

4 / 37
Hash functions

H(·): variable length input → fixed length output

provide:
1. pre-image resistance
   given H(x) with a randomly chosen x, infeasible to find x' s. t. H(x') = H(x)
   ("H is one-way")
2. second pre-image resistance
   given x, infeasible to find x' ≠ x s. t. H(x') = H(x)
3. collision resistance
   infeasible to find x ≠ x' s. t. H(x) = H(x')

5 / 37
Example: constructing MACs from hash functions

HMAC is a popular MAC:

- opad is 0x36, ipad is 0x5C
- tag := H((k ⊕ opad) || H((k ⊕ ipad) || m))
- use SHA2-256

The nested construction is needed with Merkle-Damgård functions, since they allow computing the extension H(k||m||tail) from H(k||m) alone, so a plain H(k||m) tag could be extended by anyone.

6 / 37
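An added example, not from the lecture: the HMAC construction of the slide above written out with SHA2-256, using the pad constants as RFC 2104 defines them (ipad = 0x36, opad = 0x5C), plus a constant-time verify step. The key and message are constructed sample values; the result is compared against Python's standard `hmac` module.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA2-256 processes 64-byte blocks; HMAC pads the key to one block


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """tag := H((k ⊕ opad) || H((k ⊕ ipad) || m)) with H = SHA2-256 (RFC 2104)."""
    # A key longer than one block is hashed first; any key is then zero-padded to the block size.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)  # inner pad constant per RFC 2104
    k_opad = bytes(b ^ 0x5C for b in key)  # outer pad constant per RFC 2104
    inner = hashlib.sha256(k_ipad + msg).digest()
    return hashlib.sha256(k_opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    A plain == on bytes can exit at the first mismatching byte, which leaks
    how many leading tag bytes were right (the timing point raised later in the deck).
    """
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


# Constructed sample inputs (not from the lecture).
SAMPLE_KEY = b"lecture-demo-key"
SAMPLE_MSG = b"transfer 100 EUR to account 42"


def matches_stdlib() -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    expected = hmac.new(SAMPLE_KEY, SAMPLE_MSG, hashlib.sha256).digest()
    return hmac_sha256(SAMPLE_KEY, SAMPLE_MSG) == expected
```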
The idea

We no longer have one shared key, but each participant has a key pair:
- a private key we give to nobody else
- a public key to be published, e. g. on a keyserver

8 / 37
Asymmetric cryptography

- based on mathematical problems believed to be hard
- proofs often only in the weaker random oracle model
- only authenticated channels needed for key exchange, not confidential ones
- fewer keys required
- orders of magnitude slower

Problems believed to be hard
- RSA assumption based on integer factorization
- discrete logarithm and Diffie-Hellman (DH) assumption
- elliptic curves
- El Gamal encryption
- Digital Signature Standard/Algorithm

9 / 37
Asymmetric cryptography

  symmetric                         asymmetric
  - encryption                      - encryption
  - message authentication codes    - signatures
                                    - key exchange

  hash functions

10 / 37
Uses

- encryption
  - encrypt with public key of key owner
  - decrypt with private key
- signatures
  - sign with private key
  - verify with public key of key owner
  - authentication with non-repudiation
- key exchange
  - protect past sessions against key compromise

Encryption and signing have nothing to do with each other.

11 / 37
Public-key encryption scheme

1. (pk, sk) ← Gen(1^n), security parameter 1^n
2. c ← Enc_pk(m)
3. m := Dec_sk(c)

We may need to map the plaintext onto the message space.

12 / 37
RSA primitive

Textbook RSA
0.0 (N, p, q) ← GenModulus(1^n)
0.1 φ(N) := (p − 1)(q − 1)
0.2 find e: gcd(e, φ(N)) = 1
0.3 d := [e^(−1) mod φ(N)]
1. public key pk = ⟨N, e⟩
2. private key sk = ⟨N, d⟩

operations:
1. public key operation on a value y ∈ Z*_N
   z := [y^e mod N]
   we denote z := RSA_pk(y)
2. private key operation on a value z ∈ Z*_N
   y := [z^d mod N]
   we denote y := RSA_sk(z)

13 / 37
RSA assumption

steps
1. choose uniform x ∈ Z*_N
2. A is given N, e, and [x^e mod N]

assumption
Infeasible to recover x.

14 / 37
Chosen-plaintext attack

challenger                                  adversary A
(pk, sk) ← Gen(1^n)
                    ── pk ──►
                    ◄── m ──
c ← Enc_pk(m)
                    ── c ──►
                    ...   (A may repeat encryption queries)
                    ◄── m0, m1 ──
b ← {0, 1}
                    ── Enc_pk(m_b) ──►
                                            output bit b'

15 / 37
Security of RSA

- textbook RSA is deterministic → cannot be secure against CPA
  ⇒ textbook RSA is not secure
- can be used to build secure encryption functions with an appropriate encoding scheme

We want a construction with proof:
- use the RSA function
- breaking the construction implies the ability to factor large numbers
  - "breaks the RSA assumption"
  - factoring believed to be difficult (assumption!)
- secure at least against CPA

armoring ("padding") schemes needed
- attacks exist, but still used often: PKCS #1 v1.5
- better security: PKCS #1 v2.1/v2.2 (OAEP)

16 / 37
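An added example (not the lecture's code) tying the RSA primitive, the CPA game and the slide above together: textbook RSA over constructed toy primes, and the CPA adversary that always wins because Enc_pk is deterministic. The function names and the primes P, Q are assumptions made here.

```python
from math import gcd

# Constructed toy primes: far too small for real use, where GenModulus picks primes of ~1500 bits.
P, Q = 1000003, 1000033


def gen_keys(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation: pk = <N, e>, sk = <N, d> with d = [e^-1 mod φ(N)]."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to φ(N)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def rsa_pk(pk, y: int) -> int:
    """Public key operation: z := [y^e mod N]."""
    n, e = pk
    return pow(y, e, n)


def rsa_sk(sk, z: int) -> int:
    """Private key operation: y := [z^d mod N]."""
    n, d = sk
    return pow(z, d, n)


def cpa_distinguisher(pk, m0: int, m1: int, challenge: int) -> int:
    """A's guess b' in the CPA game. Enc_pk is deterministic and pk is public,
    so A re-encrypts m0 itself and compares; it never needs an encryption oracle."""
    return 0 if rsa_pk(pk, m0) == challenge else 1


def run_cpa_game(pk, m0: int, m1: int, b: int) -> bool:
    """One round of the game: the challenger encrypts m_b, A answers b'; True iff b' = b."""
    challenge = rsa_pk(pk, (m0, m1)[b])
    return cpa_distinguisher(pk, m0, m1, challenge) == b


PK, SK = gen_keys(P, Q)  # toy key pair used by the checks below
```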
Chosen-ciphertext attack

challenger                                  adversary A
(pk, sk) ← Gen(1^n)
                    ── pk ──►
                    ◄── c ──
m := Dec_sk(c)
                    ── m ──►
                    ...   (A may repeat decryption queries)
                    ◄── m0, m1 ──
b ← {0, 1}
                    ── Enc_pk(m_b) ──►
                    ◄── c ──
m := Dec_sk(c)
                    ── m ──►
                    ...   (decryption queries continue after the challenge)
                                            output bit b'

Adversary may not request decryption of Enc_pk(m_b) itself.

17 / 37
Optimal asymmetric encryption padding

r ← {0, 1}^k0
m̂0 := (m || 0^k1) ⊕ G(r)
m̂1 := r ⊕ H(m̂0)
m̂ := m̂0 || m̂1
c := RSA_pk(m̂)

recall: c := [m̂^e mod N]

18 / 37
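An added example, not from the lecture: the OAEP encoding of the slide above in Python, with G and H instantiated as domain-separated MGF1-style expansions of SHA2-256 and k0 = 256 bits, k1 = 128 bits (all choices made here; the slide leaves G, H as random-oracle hash functions). The decoder returns None whenever the 0^k1 redundancy does not check out, which is what denies the chosen-ciphertext adversary of the previous slides any useful answer for a modified m̂; the encoded m̂ is what RSA_pk would then be applied to.

```python
import hashlib
import os
from typing import Optional

K0 = 32  # bytes of randomness r (k0 = 256 bits), chosen here
K1 = 16  # bytes of zero redundancy after m (k1 = 128 bits), chosen here


def _mgf(seed: bytes, length: int) -> bytes:
    """MGF1-style expansion of SHA2-256 so that G and H can output any length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(r: bytes, length: int) -> bytes:  # G and H are domain-separated instances of _mgf
    return _mgf(b"G" + r, length)


def H(m0: bytes) -> bytes:
    return _mgf(b"H" + m0, K0)


def oaep_encode(m: bytes) -> bytes:
    """m̂ := m̂0 || m̂1 with m̂0 = (m || 0^k1) ⊕ G(r), m̂1 = r ⊕ H(m̂0), r ← {0,1}^k0."""
    r = os.urandom(K0)
    padded = m + b"\x00" * K1
    m0 = _xor(padded, G(r, len(padded)))
    m1 = _xor(r, H(m0))
    return m0 + m1


def oaep_decode(em: bytes) -> Optional[bytes]:
    """Invert the encoding; None when the 0^k1 redundancy is missing (invalid ciphertext)."""
    if len(em) < K0 + K1:
        return None
    m0, m1 = em[:-K0], em[-K0:]
    r = _xor(m1, H(m0))
    padded = _xor(m0, G(r, len(m0)))
    m, redundancy = padded[:-K1], padded[-K1:]
    # A production decoder makes this comparison constant-time so the reject path leaks nothing.
    return m if redundancy == b"\x00" * K1 else None


def flip_bit(em: bytes, index: int) -> bytes:
    """Modify one bit of an encoding, as a chosen-ciphertext query might; used to show rejection."""
    b = bytearray(em)
    b[index] ^= 0x01
    return bytes(b)
```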
Discussion

A proof exists with

assumptions:
- G, H hash functions with random oracle property
- RSA assumption: RSA is one-way

result:
⇒ RSA-OAEP secure against CCA
- relaxation: negligible probability

19 / 37
Signature scheme

1. (pk, sk) ← Gen(1^n)
2. σ ← Sign_sk(m)
3. b := Vrfy_pk(m, σ)
   b = 1 means valid, b = 0 invalid

20 / 37
Signatures

- (often) slower than MACs
- non-repudiation
- verify OS packages

RSA signatures
- RSA alone is not a secure signature function
- PKCS #1 v1.5
- use RSASSA-PSS ("probabilistic signature scheme")

21 / 37
Adaptive chosen-message attack

challenger                                  adversary A
(pk, sk) ← Gen(1^n)
                    ── pk ──►
                    ◄── m ──
σ ← Sign_sk(m)
                    ── ⟨m, σ⟩ ──►
                    ...   (A may repeat signing queries)
                                            output ⟨m', σ'⟩

- let Q be the set of all queries m
- A succeeds iff Vrfy_pk(m', σ') = 1 and m' ∉ Q

22 / 37
Goal

- signature function using RSA
- breaking the signature function implies breaking the RSA assumption
- proof

23 / 37
RSASSA-PSS (encoding diagram, rendered as text)

m ─SHA2─► hash
pad1 || hash || salt ─SHA2─► hash'
data block := pad2 || salt
masked data block := data block ⊕ MGF(hash')
em := masked data block || hash' || 0xBC
σ := RSA_sk(em)

24 / 37
Overview: signatures using RSA

  sign:   input sk, m        →  output σ
  verify: input pk, m', σ̂    →  output valid/invalid

Sign_sk(m):                         Vrfy_pk(m', σ̂):
  em ← PSS(m)      // encoding        êm := RSA_pk(σ̂)
  σ := RSA_sk(em)                     salt := recover-PSS-salt(êm)
                                      em' := PSS(m', salt)
                                      em' =? êm

25 / 37
Discussion

A proof exists with

assumptions:
- random oracle model
- RSA assumption: RSA is one-way

result:
⇒ RSA-PSS existentially unforgeable under adaptive chosen-message attack
- relaxation: negligible probability

26 / 37
Hybrid approach

Public-key cryptography
- valuable properties
- slow

Hybrid encryption
- protect shared key with public-key cryptography
- protect bulk traffic with secret-key cryptography

Example

k ← {0, 1}^n
w ← Enc_pk(k)            (public-key encryption of the session key)
c0 ← Enc_k(msg0)
c1 ← Enc_k(msg1)
transmit: ⟨w, c0, c1⟩

27 / 37
Combining secret-key and public-key methods in protocols

e. g.:

handshake
- Diffie-Hellman key exchange
- signatures for entity authentication
- key derivation
- ...

transport
- secret-key authenticated encryption
- replay protection

28 / 37
Perfect forward security

Assume
- long-term (identity) keys
- session keys (for protecting one connection)

Idea
- attacker captures secret-key encrypted traffic
- later: an endpoint is compromised → keys are compromised

We want: security of past connections should not be broken.

Perfect forward security

protection of past sessions against:
- compromise of session key
- compromise of long-term key

29 / 37
Decisional Diffie-Hellman assumption

Alice                               Bob
              ── DH_a ──►
              ◄── DH_b ──
compute s                           compute s
[store transcript]

challenger C                        adversary A
b ← {0, 1}
if b = 0: ŝ := s,
else:     ŝ ← random
              ── ŝ, transcript ──►
                                    output bit b'

30 / 37
Elliptic curve Diffie-Hellman key exchange: X25519

- p = 2^255 − 19
- E ⊆ F_p × F_p
- E: y^2 = x^3 + 486662x^2 + x

Alice                               Bob
a ← {0, 1}^255                      b ← {0, 1}^255
A := aG                             B := bG
              ── A ──►
              ◄── B ──
s := aB                             s := bA
k := KDF(s_x)                       k := KDF(s_x)

(Other DH cryptosystems will need additional verification steps.)

31 / 37
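An added example (not the lecture's code) of the exchange above: the X25519 x-only Montgomery ladder from RFC 7748 on the curve y^2 = x^3 + 486662x^2 + x over p = 2^255 − 19, with the RFC's scalar clamping standing in for the slide's a ← {0,1}^255 and SHA2-256 standing in for the KDF (an assumption made here). The all-zero check on s is the one extra verification RFC 7748 recommends, since a peer could otherwise send a low-order point and force a predictable key.

```python
import hashlib
from typing import Optional

P = 2**255 - 19
A24 = 121665   # (486662 - 2) / 4, the curve constant the ladder needs
BASE_U = 9     # x-coordinate of the generator G


def clamp(k: bytes) -> int:
    """Decode a 32-byte scalar as RFC 7748 does: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: int) -> int:
    """Scalar multiplication on x-coordinates only (RFC 7748 section 5), all arithmetic mod p."""
    k = clamp(scalar)
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # a real implementation does this swap in constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def public_key(secret: bytes) -> int:
    """A := aG, i.e. the x-coordinate of the scalar multiple of the generator."""
    return x25519(secret, BASE_U)


def derive_key(secret: bytes, peer_public: int) -> Optional[bytes]:
    """s := aB, then k := KDF(s_x). None if s is all-zero (peer sent a low-order point)."""
    s = x25519(secret, peer_public)
    if s == 0:
        return None
    return hashlib.sha256(s.to_bytes(32, "little")).digest()  # SHA2-256 stands in for the KDF
```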
Perfect forward security

- generate new DH key for each connection
- wipe old shared keys

Compromise of long-term keys in combination with eavesdropping does not break security of past connections anymore!

32 / 37
Key size equivalents

  secret-key   hash output   RSA      DLOG     EC
  128          256           3072     3072     256    near term
  256          512           15360    15360    512    long term

N. Smart (editor): Algorithms, key size and parameters report, Nov. 2014, ENISA

openssl on my Skylake (E3-1270 v5, 4GHz peak), ops/s (unscientific):

  algo          signatures/s   verifications/s
  ECDSA p256    33 134         14 952
  RSA 2048      1 838          65 028
  RSA 4096      278            18 483

34 / 37
Considerations

- different keys for different purposes
- algorithms from competitions: eSTREAM, PHC, AES, SHA, CAESAR
  - e. g. Salsa20, AES
- keys based on passwords: Argon2, scrypt, bcrypt, PBKDF2

In networking, timing is not “just a side channel”. Demand constant-time implementations.

35 / 37
What has to go right

  algorithms                  } cryptographic security
  protocol design             }
  implementation              software security, side channels
  library API design
  deployment & correct usage

inspired by Matthew D. Green, Pascal Junod

36 / 37
Words of caution

limits
- crypto will not solve your problem
- only a small part of a secure system
- don’t implement yourself

difficult to solve problems
- trust / key distribution
- revocation
- ease of use

many requirements remaining
- replay
- timing attack
- endpoint security

37 / 37
