Cryptography
Cyber Security
Michele Nogueira, Ph.D.
Computer Security Science Center (CCSC)

Cryptography
Is:
– A tremendous tool for protecting information
– The basis for many security mechanisms
Is not:
– The solution to all security problems
– Reliable unless implemented and used properly
– Something you should try to invent yourself

Goal 1: Secure communication (data in motion)
– no eavesdropping
– no tampering
Goal 2: Protect files (data at rest)
Alice writes File 1 and File 2 to the file system and later reads them back:
– No eavesdropping
– No tampering

Cryptography concepts
• Two main types
– Symmetric encryption (shared key)
– Asymmetric encryption (public key)

Cryptography Building Blocks

Symmetric cipher
Alice: m, n → E → c, where E(k, m, n) = c
Bob: c, n → D → m, where D(k, c, n) = m
Both Alice and Bob hold the same key k; the nonce n travels alongside the ciphertext.
E, D: cipher
k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
n: nonce (non-repeating)
Encryption algorithm is publicly known
⇒ never use a proprietary cipher
Symmetric Cipher
Use Cases
Single use key (one time key):
• Key is only used to encrypt one message
• encrypted email: new key generated for every email
• No need for nonce (set to 0)
Multi use key (many time key):
• Key is used to encrypt multiple messages or multiple files
• TLS: same key used to encrypt many frames
• Use either a unique nonce or a random nonce

Symmetric Cipher
One Time Pad (single use key)
Key (k):        0 1 0 1 1 1 0 0 1 0
⊕
Plaintext (m):  1 1 0 0 0 1 1 0 0 0
=
Ciphertext (c): 1 0 0 1 1 0 1 0 1 0
Encryption: c = E(k, m) = m ⊕ k
Decryption: D(k, c) = c ⊕ k = (m ⊕ k) ⊕ k = m

Symmetric Cipher
One Time Pad (single use key)
Shannon (1949):
● OTP is “secure” against one-time eavesdropping
● without key, ciphertext reveals no “information” about plaintext
Problem: OTP key is as long as the message
Symmetric Cipher
Stream Cipher (single use key)
Problem: OTP key is as long as the message
Solution: Pseudo random key -- stream ciphers
key → PRG → keystream; keystream ⊕ message → ciphertext
c ← PRG(k) ⊕ m

Symmetric Cipher
Dangers in using stream cipher
One time key !! “Two time pad” is insecure:
c1 ← m1 ⊕ PRG(k)
c2 ← m2 ⊕ PRG(k)
Eavesdropper does: c1 ⊕ c2 → m1 ⊕ m2
Enough redundant information in English that: m1 ⊕ m2 → m1, m2
What if want to use same key to encrypt two files?

Symmetric Cipher
Block cipher
PT Block (n bits) → E, D → CT Block (n bits), under key k (k bits)
Canonical examples:
1. 3DES (old): n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits
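The one-time-pad arithmetic and the two-time-pad failure from the slides above, as an added example (not code from the slides or from the author): it reproduces the OTP bit example, then builds a toy stream cipher c ← PRG(k) ⊕ m and shows that encrypting two messages under the same keystream hands an eavesdropper m1 ⊕ m2, while a per-message nonce removes the problem. The PRG (SHA-256 over key‖nonce‖counter) and all keys and messages are assumptions constructed for this example; it is not a vetted stream cipher.

```python
"""Added example: OTP, toy stream cipher, and the two-time pad leak."""
import hashlib

# Bits copied from the OTP slide's worked example.
SLIDE_KEY = "0101110010"
SLIDE_MSG = "1100011000"


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be as long as the message")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(k: str, m: str) -> str:
    return xor_bits(m, k)          # c = m XOR k


def otp_decrypt(k: str, c: str) -> str:
    return xor_bits(c, k)          # (m XOR k) XOR k = m


def prg(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRG (assumption of this example): expand key and nonce into
    `length` keystream bytes by hashing key||nonce||counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, msg: bytes, nonce: bytes = b"") -> bytes:
    """c <- PRG(k) XOR m.  The default empty nonce is the single-use-key
    setting from the slide ("no need for nonce, set to 0")."""
    ks = prg(key, nonce, len(msg))
    return bytes(a ^ b for a, b in zip(msg, ks))


stream_decrypt = stream_encrypt   # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when one keystream was used twice:
    c1 XOR c2 = m1 XOR m2, because PRG(k) cancels out."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def recover_other_plaintext(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (or guessed from the redundancy of English),
    the other follows directly from m1 XOR m2."""
    leak = two_time_pad_leak(c1, c2)
    return bytes(a ^ b for a, b in zip(leak, known_m1))


if __name__ == "__main__":
    c = otp_encrypt(SLIDE_KEY, SLIDE_MSG)
    print("OTP ciphertext:", c, "-> decrypts to", otp_decrypt(SLIDE_KEY, c))

    k = b"16-byte demo key"                                  # constructed key
    m1, m2 = b"meet me at noon!", b"call me at nine!"        # constructed messages
    c1, c2 = stream_encrypt(k, m1), stream_encrypt(k, m2)   # same keystream twice
    print("two-time pad leaks m1 XOR m2:",
          two_time_pad_leak(c1, c2) == bytes(a ^ b for a, b in zip(m1, m2)))
    # Distinct nonces give independent keystreams, so nothing cancels.
    d1, d2 = stream_encrypt(k, m1, b"\x00"), stream_encrypt(k, m2, b"\x01")
    print("with distinct nonces the XOR is m1 XOR m2:",
          two_time_pad_leak(d1, d2) == bytes(a ^ b for a, b in zip(m1, m2)))
```

The defender's takeaway is the last two lines: the fix for a many-time key is not a different XOR but a nonce that changes the keystream for every message, which is what the "Use Cases" slide prescribes.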
Symmetric Cipher
Block cipher
key k → key expansion → k1, k2, k3, …, kn
m → R(k1, ⋅) → R(k2, ⋅) → R(k3, ⋅) → … → R(kn, ⋅) → c
R(k, m): round function
For AES128: 10 rounds, AES256: n = 14 rounds

Symmetric Cipher
AES in HW (Intel, AMD, ARM)
New x86 hardware instructions used to implement AES:
• aesenc, aesenclast: one round of AES
  aesenc xmm1, xmm2 (result written to xmm1)
• aesdec, aesdeclast: one round of AES
• aeskeygenassist: do AES key expansion
⟹ more than 10x speedup over a software AES
⟹ better security: all AES instructions are constant time

Symmetric Cipher
Block cipher - Incorrect Use
Electronic Code Book (ECB):
PT: m1 m2
CT: c1 c2
Problem:
– If m1 = m2, then c1 = c2
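The round structure and the ECB problem from the slides above, as an added example (not code from the slides or from the author): a toy block cipher built the way the "Block cipher" slide draws it (key expansion into round keys k1..kn, then n applications of a round function R(ki, ⋅)), run in ECB mode to show that equal plaintext blocks produce equal ciphertext blocks, and in counter mode with a nonce to show they no longer do. The Feistel round function, the SHA-256-based key expansion, and the key and message values are assumptions of this example; AES is what you would use in practice.

```python
"""Added example: toy Feistel block cipher, ECB leak vs. counter mode."""
import hashlib

BLOCK = 16          # n = 128-bit blocks, like AES
ROUNDS = 10         # like AES-128 (slide: 10 rounds)


def key_expansion(key: bytes, rounds: int = ROUNDS) -> list:
    """Derive round keys k1..kn from the master key (toy: hash key||index)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(1, rounds + 1)]


def round_function(ki: bytes, half: bytes) -> bytes:
    """R(ki, .) on one 64-bit half: a keyed PRF used inside a Feistel step."""
    return hashlib.sha256(ki + half).digest()[:8]


def feistel_encrypt_block(round_keys: list, block: bytes) -> bytes:
    """m -> R(k1,.) -> R(k2,.) -> ... -> R(kn,.) -> c on one 16-byte block."""
    if len(block) != BLOCK:
        raise ValueError("block cipher takes exactly one n-bit block")
    L, R = block[:8], block[8:]
    for ki in round_keys:
        f = round_function(ki, R)
        L, R = R, bytes(a ^ b for a, b in zip(L, f))
    return R + L      # final swap so decryption reuses the same structure


def feistel_decrypt_block(round_keys: list, block: bytes) -> bytes:
    """Same rounds with the round keys applied in reverse order."""
    return feistel_encrypt_block(list(reversed(round_keys)), block)


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: every block encrypted independently, so m1 == m2 gives c1 == c2."""
    if len(msg) % BLOCK:
        raise ValueError("ECB needs whole blocks; pad first")
    rk = key_expansion(key)
    return b"".join(feistel_encrypt_block(rk, msg[i:i + BLOCK])
                    for i in range(0, len(msg), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Counter mode: E(k, nonce||counter) is a fresh keystream block for each
    position, so equal plaintext blocks give different ciphertext blocks.
    The 8-byte nonce must never repeat under one key.  Decryption is the
    same call (XOR with the same keystream)."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    rk = key_expansion(key)
    out = bytearray()
    for ctr, i in enumerate(range(0, len(msg), BLOCK)):
        ks = feistel_encrypt_block(rk, nonce + ctr.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(msg[i:i + BLOCK], ks))
    return bytes(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier block; a nonzero
    count on a long ciphertext is the classic sign of ECB in the wild."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"demo-key-for-ecb"                 # constructed 16-byte key
    msg = b"SAME BLOCK HERE!" * 4             # four identical plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CTR repeated blocks:", repeated_blocks(ctr_encrypt(key, b"\x00" * 8, msg)))
```

`repeated_blocks` is the check a reviewer can run on any ciphertext without knowing the key: under ECB the count grows with every repeated plaintext block, under a nonce-based mode it stays at zero.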
Symmetric Cipher
Attention!
● Eavesdropping security is insufficient for most applications
● Need also to defend against active (tampering) attacks
● Next: methods to ensure message integrity

Symmetric Cipher
Message Integrity
• Goal: provide message integrity. No confidentiality.
– Ex: Protecting public binaries on disk
Alice (k) sends message m together with tag to Bob (k)
Generate tag: tag ← S(k, m)
Verify tag: V(k, m, tag) = ‘yes’ ?

Hash MAC
Most widely used MAC on the Internet
H: hash function
example: SHA-256; output is 256 bits
Building a MAC out of a hash function:
– Standardized method: HMAC
S(k, msg) = H(k⊕opad ǁ H(k⊕ipad ǁ msg))
www.ccsc-research.org
[email protected]
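HMAC written out exactly as the formula on the slide, as an added example (not code from the slides or from the author): S(k, msg) = H(k⊕opad ǁ H(k⊕ipad ǁ msg)) with H = SHA-256, checked against Python's `hmac` module, together with the verifier V(k, m, tag) from the "Message Integrity" slide. The key-length handling (hash long keys, zero-pad short ones) is the RFC 2104 rule the slide omits; the key and message values are constructed for this example.

```python
"""Added example: HMAC-SHA256 from the slide's formula, plus tag verification."""
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 compresses 64-byte blocks; ipad/opad are this long


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """S(k, msg) = H(k XOR opad || H(k XOR ipad || msg)), H = SHA-256."""
    if len(key) > BLOCK_SIZE:                 # RFC 2104: long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # short keys are zero-padded to a block
    k_ipad = bytes(b ^ 0x36 for b in key)     # k XOR ipad
    k_opad = bytes(b ^ 0x5C for b in key)     # k XOR opad
    inner = hashlib.sha256(k_ipad + msg).digest()
    return hashlib.sha256(k_opad + inner).digest()


def generate_tag(key: bytes, msg: bytes) -> bytes:
    """tag <- S(k, m)"""
    return hmac_sha256(key, msg)


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(k, m, tag) = 'yes' iff tag == S(k, m).  The comparison is constant
    time so the verifier does not leak how many tag bytes already match."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written S(k, msg) against the standard library."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    k = b"constructed-mac-key"                  # constructed key
    m = b"contents of a public binary on disk"  # constructed message
    tag = generate_tag(k, m)
    print("matches hmac module :", matches_stdlib(k, m))
    print("verify original     :", verify_tag(k, m, tag))
    print("verify tampered     :", verify_tag(k, m + b"\x00", tag))
```

Note that `verify_tag` returns only yes/no: a MAC gives integrity, not confidentiality, which is why the slide's file-on-disk example can leave the file itself in the clear.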
Building Blocks
Cryptography
• Two main types
– Symmetric encryption (shared key)
– Asymmetric encryption (public key)

Building Blocks
Public-key encryption
Tool for managing or generating symmetric keys
Alice1: m1 → E → E(PK, m1) = c1
Alice2: m2 → E → E(PK, m2) = c2
Bob: c → D → D(SK, c) = m
• E – Encryption alg.   PK – Public encryption key
• D – Decryption alg.   SK – Private decryption key
Algorithms E, D are publicly known

Building Blocks
Trapdoor permutations
1. Algorithm KeyGen: outputs pk and sk
2. Algorithm F(pk, ⋅): a one-way function
– Computing y = F(pk, x) is easy
– One-way: given random y, finding x s.t. y = F(pk, x) is difficult
3. Algorithm F⁻¹(sk, ⋅): invert F(pk, ⋅) using trapdoor sk
F⁻¹(sk, y) = x
Building Blocks
RSA (Rivest-Shamir-Adleman)
1. KeyGen: generate two equal length primes p, q
   set N ← p⋅q (3072 bits ≈ 925 digits)
   set e ← 2¹⁶+1 = 65537; d ← e⁻¹ (mod ϕ(N))
   pk = (N, e); sk = (N, d)
2. RSA(pk, x): x → (xᵉ mod N)
   Inverting this function is believed to be as hard as factoring N
3. RSA⁻¹(sk, y): y → (yᵈ mod N)

Digital Signatures
Goal: bind document to author identity
• Problem: attacker can copy Alice’s sig from one doc to another
Main idea: make signature depend on document
Example: signatures from a trapdoor permutation (e.g. RSA)
sign(sk, m) := F⁻¹(sk, H(m))
verify(pk, m, sig) := accept if F(pk, sig) = H(m)

Digital Signatures
• Only someone who knows sk can sign a message m
• Anyone who has pk can verify a (msg, signature) pair
Digital Certificates
How does Alice (browser) obtain Bob’s public key pkBob?
Parties: Browser (Alice, holds pkCA), Server (Bob), CA (holds skCA)
1. Bob generates (sk, pk) and sends the CA a proof “I am Bob”
2. CA checks the proof and issues Cert with skCA: “Bob’s key is pk”
3. Bob sends Cert to Alice; Alice verifies it with pkCA and learns that Bob’s key is pk
Bob uses Cert for an extended period (e.g. one year)

Digital Certificates
Sample Certificate
[figure: sample certificate]

Digital Certificates
Real World!
RSA signature scheme:
• Fast to verify, but signatures are long
• Often used in certificates
ECDSA, Schnorr, BLS signature schemes:
• Faster to generate signature and more compact than RSA
• Used everywhere, other than web certificates
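The trapdoor permutation, RSA, hash-then-sign signatures and the certificate flow from the slides above, as one added example (not code from the slides or from the author): KeyGen with e = 65537, F(pk, x) = xᵉ mod N, F⁻¹(sk, y) = yᵈ mod N, sign(sk, m) = F⁻¹(sk, H(m)) with verify(pk, m, sig) checking F(pk, sig) = H(m), and a CA that signs "Bob's key is pk" so that Alice can verify it with pkCA. Key sizes (256-bit primes, 512-bit N) are chosen so pure-Python key generation is fast; the slide's 3072-bit N is what to use in practice. The Miller-Rabin test, the certificate encoding, and the party names are assumptions of this example.

```python
"""Added example: RSA trapdoor permutation, signatures, and certificates."""
import hashlib
import secrets

E = 65537   # e = 2^16 + 1, as on the RSA slide


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (assumption: toy sizes, not a vetted library)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits with p-1 coprime to e."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and (p - 1) % E != 0:
            return p


def keygen(bits: int = 512) -> tuple:
    """1. KeyGen: equal-length primes p, q; N = p*q; d = e^-1 mod phi(N)."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return (N, E), (N, d)          # pk, sk


def F(pk: tuple, x: int) -> int:
    """2. RSA(pk, x) = x^e mod N: the easy direction."""
    N, e = pk
    return pow(x, e, N)


def F_inv(sk: tuple, y: int) -> int:
    """3. RSA^-1(sk, y) = y^d mod N: needs the trapdoor d."""
    N, d = sk
    return pow(y, d, N)


def H(m: bytes) -> int:
    """Hash the document so the signature depends on it (256-bit value < N)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def sign(sk: tuple, m: bytes) -> int:
    return F_inv(sk, H(m))               # sign(sk, m) := F^-1(sk, H(m))


def verify(pk: tuple, m: bytes, sig: int) -> bool:
    return F(pk, sig) == H(m)            # accept iff F(pk, sig) = H(m)


def issue_cert(ca_sk: tuple, subject: str, subject_pk: tuple) -> dict:
    """CA: after checking the proof of identity, sign "subject's key is pk".
    Encoding is an assumption of this example, not X.509."""
    body = f"{subject}|{subject_pk[0]}|{subject_pk[1]}".encode()
    return {"subject": subject, "pk": subject_pk, "sig": sign(ca_sk, body)}


def verify_cert(ca_pk: tuple, cert: dict) -> bool:
    """Alice: check the CA's signature with pkCA before trusting cert['pk']."""
    body = f"{cert['subject']}|{cert['pk'][0]}|{cert['pk'][1]}".encode()
    return verify(ca_pk, body, cert["sig"])


if __name__ == "__main__":
    ca_pk, ca_sk = keygen()
    bob_pk, bob_sk = keygen()
    cert = issue_cert(ca_sk, "Bob", bob_pk)
    print("cert verifies with pkCA:", verify_cert(ca_pk, cert))
    sig = sign(bob_sk, b"document 1")
    print("sig valid for document 1:", verify(bob_pk, b"document 1", sig),
          "| same sig on document 2:", verify(bob_pk, b"document 2", sig))
```

The last line is the slide's "copy the signature to another document" problem resolved: because the signature is F⁻¹ of H(m), moving it to a different m makes `verify` fail. The same check in `verify_cert` is what lets Alice reject a certificate whose subject or key was altered after the CA signed it.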
Key Exchange
Goal: Browser and Server want a shared secret, unknown to attacker
Browser (key) ⟷ Server (key), with an attacker on the path: ??
Example: Diffie-Hellman key exchange
• Only secure against eavesdropping
• TLS 1.3: enhances Diffie-Hellman key exchange
⟹ security against an active attacker

TLS: Transport Layer Security
Standard for Internet Security
Goal: “... provide privacy and reliability between two communicating applications”
Two main parts
1. Handshake Protocol: Establish shared secret key using public-key cryptography
2. Record Layer: Transmit data using negotiated key
Our starting point: Using a key for encryption and integrity

TLS: Transport Layer Security
Simplified session - Diffie-Hellman key exchange
Client → Server: ClientHello: nonceC, KeyShare
Server → Client: ServerHello: nonceS, KeyShare, Enc[certS, …]
Server → Client: CertVerify: Enc[SigS(data)], Finished
Client → Server: Finished
Both sides: session-keys ← HKDF(DHkey, nonceC, nonceS)
Client ⟷ Server: Encrypted ApplicationData (both directions)
Server side: secret key, certS
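The key-schedule part of the simplified TLS 1.3 session above, as an added example (not code from the slides or from the author): client and server exchange nonces and Diffie-Hellman key shares, both derive session-keys ← HKDF(DHkey, nonceC, nonceS), and the Finished message is a MAC over the handshake transcript, which is the piece that turns eavesdropping-only security into detection of an active attacker who alters the exchange. The DH group (p = 2¹²⁷ − 1, g = 3), the HKDF labels and the message encodings are assumptions chosen for illustration, not a standardized TLS group or the real TLS wire format; the certificate and CertVerify steps are omitted.

```python
"""Added example: DH key exchange + HKDF session keys + transcript-bound Finished."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # toy prime modulus (assumption for this example)
G = 3                   # toy generator (assumption for this example)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Party:
    """One endpoint of the handshake: a fresh nonce and a DH key share."""

    def __init__(self):
        self.nonce = secrets.token_bytes(32)
        self.secret = secrets.randbelow(P - 2) + 1     # DH private exponent x
        self.key_share = pow(G, self.secret, P)        # KeyShare = g^x mod p

    def derive(self, peer_share: int, nonce_c: bytes, nonce_s: bytes) -> dict:
        """session-keys <- HKDF(DHkey, nonceC, nonceS)"""
        dh_key = pow(peer_share, self.secret, P).to_bytes(16, "big")
        prk = hkdf_extract(nonce_c + nonce_s, dh_key)
        return {
            "client_key": hkdf_expand(prk, b"c ap traffic", 16),
            "server_key": hkdf_expand(prk, b"s ap traffic", 16),
            "finished_key": hkdf_expand(prk, b"finished", 32),
        }


def transcript_of(client: Party, server: Party) -> bytes:
    """ClientHello || ServerHello as both sides saw them (toy encoding)."""
    client_hello = client.nonce + client.key_share.to_bytes(16, "big")
    server_hello = server.nonce + server.key_share.to_bytes(16, "big")
    return client_hello + server_hello


def finished_mac(finished_key: bytes, transcript: bytes) -> bytes:
    """Finished = HMAC(finished_key, H(transcript)): a peer that saw a
    modified ClientHello/ServerHello computes a different value."""
    return hmac.new(finished_key, hashlib.sha256(transcript).digest(),
                    hashlib.sha256).digest()


def handshake(client: Party, server: Party) -> tuple:
    """Run the slide's message flow; return (client_keys, server_keys, ok)."""
    transcript = transcript_of(client, server)
    ck = client.derive(server.key_share, client.nonce, server.nonce)
    sk = server.derive(client.key_share, client.nonce, server.nonce)
    server_finished = finished_mac(sk["finished_key"], transcript)
    ok = hmac.compare_digest(server_finished,
                             finished_mac(ck["finished_key"], transcript))
    return ck, sk, ok


if __name__ == "__main__":
    c, s = Party(), Party()
    ck, sk, ok = handshake(c, s)
    print("both sides derived the same session keys:", ck == sk)
    print("server Finished verified by client     :", ok)
    eve = Party()     # sees the key shares and nonces, but holds neither secret
    print("eavesdropper gets the same keys        :",
          eve.derive(s.key_share, c.nonce, s.nonce) == ck)
```

`handshake` returns the keys of both sides so a test can confirm they agree; in a real record layer only `client_key` and `server_key` would be handed to the AEAD that protects the Encrypted ApplicationData.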
Summary
● Overview on cryptography
● Cryptography as a tool
● Types: symmetric and asymmetric encryption
● Use cases