garantía y seguridad en sistemas y redes. tema 2 ...2. cryptographic tools g678: garantía y...
TRANSCRIPT
Tema 2. Cryptographic Tools
Garantía y Seguridad en Sistemas y Redes
Esteban Stafford
Departamento de Ingeniería Informá2ca y Electrónica
Este tema se publica bajo Licencia:
Crea2ve Commons BY-‐NC-‐SA 4.0
Grupo deIngeniería deComputadores
2. Cryptographic ToolsG678: Garantía y Seguridad en Sistemas y RedesEsteban StaffordSantander, September 28, 2015
Contents
Basics of Cryptography
Confidentiality with Symmetric Encryption
Message Authentication and Hash Functions
Public-Key Cryptography
Digital Signatures and Key Management
Practical Application: SSL/TLS
Grupo deIngeniería deComputadores
1
What can cryptography do?ConfidentialityIntegrityAvailabilityAuthenticityAccountability
PlaintextInput E
key
D
key
PlaintextOutput
X
K KY=E(K,X) X=D(K,Y)
Grupo deIngeniería deComputadores
2
Caesar CypherNamed after Julius Caesar, although used long before.Representative of the substitution cypher algorithms.The encryption process shifts each letter a number ofplaces. (key)Easily attackable by brute force.
Grupo deIngeniería deComputadores
3
What can cryptography do?ConfidentialityIntegrityAvailabilityAuthenticityAccountability
PlaintextInput E
key
D
key
PlaintextOutput
X
K KY=E(K,X) X=D(K,Y)
Grupo deIngeniería deComputadores
2
Caesar CypherNamed after Julius Caesar, although used long before.Representative of the substitution cypher algorithms.The encryption process shifts each letter a number ofplaces. (key)Easily attackable by brute force.
Grupo deIngeniería deComputadores
3
Substitution CypherThe key is a substitution table.The encryption changes each letter by the correspondingin the table.Infeasible to break by brute force.Breakable by cryptanalysis.
Grupo deIngeniería deComputadores
4
Substitution Cypher
ab c de f gh i j k l mnopq r s t u vwx y z
Pro
babi
lity
Working examples of old cyphers http://www.
simonsingh.net/The_Black_Chamber/chamberguide.html
Grupo deIngeniería deComputadores
5
Substitution CypherThe key is a substitution table.The encryption changes each letter by the correspondingin the table.Infeasible to break by brute force.Breakable by cryptanalysis.
Grupo deIngeniería deComputadores
4
Substitution Cypher
Pro
babi
lity
ab c de f gh i j k l mno pq r s t u vwx y z
Working examples of old cyphers
http://simonsingh.net/The_Black_Chamber/chamberguide.html
Grupo deIngeniería deComputadores
5
Vernam cipher
Commonly known as One-time-pad.Proven to be unbreakable (Go Shannon!)Key must be as long as plain text and shared by peers.Key must me truly random and can be used only once.
Grupo deIngeniería deComputadores
6
Randomness
Cryptography relies heavily on random numbers.Quality of random numbers
Uniform distributionIndependence
Pseudo-random numbersMathematical modular expression derives number from thelast.Good distribution and price, but bad independence.
True-random numbersMonitor random or chaotic physical process.Good distribution and independence, but expensive.
Grupo deIngeniería deComputadores
7
Vernam cipher
Commonly known as One-time-pad.Proven to be unbreakable (Go Shannon!)Key must be as long as plain text and shared by peers.Key must me truly random and can be used only once.
Grupo deIngeniería deComputadores
6
Randomness
Cryptography relies heavily on random numbers.Quality of random numbers
Uniform distributionIndependence
Pseudo-random numbersMathematical modular expression derives number from thelast.Good distribution and price, but bad independence.
True-random numbersMonitor random or chaotic physical process.Good distribution and independence, but expensive.
Grupo deIngeniería deComputadores
7
Symmetric Encryption
PlaintextInput E
key
D
key
PlaintextOutput
X Y=E(K,X) X=D(K,Y)K K
How robust is this?
Strong encryption algorithm.Cryptanalysis: Mathematically derive X and/or K from Y.Or simplify brute-force.Keys subject to brute-force attacksSender and receiver must obtain keys in secure fashion.
Grupo deIngeniería deComputadores
8
Data Encryption Standard (DES)
64 bit blocks, 56 bit keys.Adopted NIST 1977Cryptanalysis not yet successful.1997: call for replacementproposals.July 1998: $250,000 machinecracks DES in 56h.Advanced Encryption Standard(AES) 128 bit blocks,128,192,256 bit keys. Adopted2001 100 200
10−17
103
1023
1043
1063
DES
3DES112AES128
3DES168
AES196
AES256
Key length(bits)
Year
sto
brea
k(2
700
chec
ks/µ
s)
Grupo deIngeniería deComputadores
9
Symmetric Encryption
PlaintextInput E
key
D
key
PlaintextOutput
X Y=E(K,X) X=D(K,Y)K K
How robust is this?
Strong encryption algorithm.Cryptanalysis: Mathematically derive X and/or K from Y.Or simplify brute-force.Keys subject to brute-force attacksSender and receiver must obtain keys in secure fashion.
Grupo deIngeniería deComputadores
8
Data Encryption Standard (DES)
64 bit blocks, 56 bit keys.Adopted NIST 1977Cryptanalysis not yet successful.1997: call for replacementproposals.July 1998: $250,000 machinecracks DES in 56h.Advanced Encryption Standard(AES) 128 bit blocks,128,192,256 bit keys. Adopted2001 100 200
10−17
103
1023
1043
1063
DES
3DES112AES128
3DES168
AES196
AES256
Key length(bits)
Year
sto
brea
k(2
700
chec
ks/µ
s)Grupo deIngeniería deComputadores
9
Message Authentication with SymmetricEncryption
No confidentiality.Protection against falsification, alteration, delay or replay.Message must contain metadata: error-detection code,sequence number, timestamp.
Mes
sage
Mes
sage
Mes
sage
MK
M K
=
Transmit
MAC
Message Authentication Code (MAC)Last 16-32 bits of DES encrypted message.
Grupo deIngeniería deComputadores
10
One-way Hash Functions
x H H(x)
Easy
Infeasible
x: “unlimited” size, H(x): fixed length.Preimage resistant: guess x from H(x).2nd preimage resistant: find y6=x such that H(x)=H(y).Collision resistant: find any x and y such that H(x)=H(y).Hash function crisis: RIPMED-160, SHA-256 andSHA-512.
Grupo deIngeniería deComputadores
11
Message Authentication with SymmetricEncryption
No confidentiality.Protection against falsification, alteration, delay or replay.Message must contain metadata: error-detection code,sequence number, timestamp.
Mes
sage
Mes
sage
Mes
sage
MK
M K
=
Transmit
MAC
Message Authentication Code (MAC)Last 16-32 bits of DES encrypted message.
Grupo deIngeniería deComputadores
10
One-way Hash Functions
x H H(x)
Easy
Infeasible
x: “unlimited” size, H(x): fixed length.Preimage resistant: guess x from H(x).2nd preimage resistant: find y6=x such that H(x)=H(y).Collision resistant: find any x and y such that H(x)=H(y).Hash function crisis: RIPMED-160, SHA-256 andSHA-512.
Grupo deIngeniería deComputadores
11
Message Authentication with One-wayHash Functions
One-way Hash Functions are faster than SymmetricEncryptionUsing shared secret value (K).
Mes
sage
K
KM
essa
ge
Mes
sage
K
KH=
HTransmit
Secure Hash Algorithm(SHA): SHA-1 160 bit long, usedbut weaker than expected. Currently 256, 384, 512 bit long.Use in password storage and intrusion detection.Grupo deIngeniería deComputadores
12
Public-Key EncryptionProposed by Diffie and Hellman in 1976.Keys are created in pairs. One reverses the other.Bob sends confidential message to Alice.
PlaintextInput E
PUa
D
PRa
PlaintextOutput
X Y=E(PUa,X) X=D(PRa,Y)
Bob sends authentic message to Alice.
PlaintextInput E
PRb
D
PUb
PlaintextOutput
X Y=E(PUb,X) X=D(PRb,Y)
Grupo deIngeniería deComputadores
13
Message Authentication with One-wayHash Functions
One-way Hash Functions are faster than SymmetricEncryptionUsing shared secret value (K).
Mes
sage
K
K
Mes
sage
Mes
sage
K
KH=
HTransmit
Secure Hash Algorithm(SHA): SHA-1 160 bit long, usedbut weaker than expected. Currently 256, 384, 512 bit long.Use in password storage and intrusion detection.Grupo deIngeniería deComputadores
12
Public-Key EncryptionProposed by Diffie and Hellman in 1976.Keys are created in pairs. One reverses the other.Bob sends confidential message to Alice.
PlaintextInput E
PUa
D
PRa
PlaintextOutput
X Y=E(PUa,X) X=D(PRa,Y)
Bob sends authentic message to Alice.
PlaintextInput E
PRb
D
PUb
PlaintextOutput
X Y=E(PUb,X) X=D(PRb,Y)
Grupo deIngeniería deComputadores
13
Public-Key Cryptography
Myths:Public-key encryption is more secure than Symmetric-keyencryption.Public-key encryption makes symmetric obsolete.Public-key distribution is easier than Symmetric-keydistributions.
Implementations:Rivest, Shamir and Adleman (RSA) Proposed in 1978.Digital Signature Algorithm (DSA) Proposed in 1991.Stronger than RSA. Faster signing, but slower verifying.Elliptic Curve Cryptography (ECC) Stronger than RSA.Allows shorter keys.
Grupo deIngeniería deComputadores
14
Digital Signature
Messages can be signed by encrypting MAC with privatekey.
Mes
sage
Mes
sage
Mes
sage
H E
PRb
H
D
PUb =
Transmit
Grupo deIngeniería deComputadores
15
Public-Key Cryptography
Myths:Public-key encryption is more secure than Symmetric-keyencryption.Public-key encryption makes symmetric obsolete.Public-key distribution is easier than Symmetric-keydistributions.
Implementations:Rivest, Shamir and Adleman (RSA) Proposed in 1978.Digital Signature Algorithm (DSA) Proposed in 1991.Stronger than RSA. Faster signing, but slower verifying.Elliptic Curve Cryptography (ECC) Stronger than RSA.Allows shorter keys.
Grupo deIngeniería deComputadores
14
Digital Signature
Messages can be signed by encrypting MAC with privatekey.
Mes
sage
Mes
sage
Mes
sage
H E
PRb
H
D
PUb =
Transmit
Grupo deIngeniería deComputadores
15
Distribution of public keysCertificate Authority(CA) signs public keys (Certificate)
Bob’s ID
Bob’s Pub.Key
CA info
E
H
D
PRCA PUCA
H
=
Certificate
Who certifies the CA? Chicken-and-egg problem.Root CAs distribute their public keys self-signed.Applications and OS ship with common root certificates.
Grupo deIngeniería deComputadores
16
Certificate Chain of Trust
Document
Bob’s Cert CA Info
Bob’s ID
CA
CA Cert
Root Info
CA’s ID
Root CA
Root Cert
CRL
Users can recursively validate signatures to the root CA.Certificate Revocation Lists(CRL) enumerate invalid certs.
Grupo deIngeniería deComputadores
17
Distribution of public keysCertificate Authority(CA) signs public keys (Certificate)
Bob’s ID
Bob’s Pub.Key
CA info
E
H
D
PRCA PUCA
H
=
Certificate
Who certifies the CA? Chicken-and-egg problem.Root CAs distribute their public keys self-signed.Applications and OS ship with common root certificates.
Grupo deIngeniería deComputadores
16
Certificate Chain of Trust
Document
Bob’s Cert CA Info
Bob’s ID
CA
CA Cert
Root Info
CA’s ID
Root CA
Root Cert
CRL
Users can recursively validate signatures to the root CA.Certificate Revocation Lists(CRL) enumerate invalid certs.
Grupo deIngeniería deComputadores
17
SSL/TLS HandshakeSupported algorithmsRandom number
Selected algorithmRandom numberServer certificate
Verify certificateExtract server public key
Encrypt pre-master key withserver public key
Decrypt pre-master key withserver private key
Compute symmetric master key Compute symmetric master key
Send checksum of handshakemessages with master key Verify checksum
Send checksum of handshakemessages with master keyVerify checksum
Grupo deIngeniería deComputadores
18