Post on 01-Mar-2021
transcript
Grenzen der Kryptographie (Limits of Cryptography)
Dieter Gollmann, Microsoft Research, Cambridge

Summary
- Crypto does not solve security problems
- Crypto transforms security problems
- Typically, the new problems relate to key management and the protection of keys
- In these areas, reasonable solutions exist for closed systems but hardly for open and public systems

Agenda
- A brief history of cryptography
- A long look at public key cryptography
- Security protocols and their verification
- Open and closed environments
- Conclusions

The origins of cryptography
[Figure: Alice and Bob, two secure end systems, communicate over an insecure channel. The enemy is an outsider listening to the traffic.]

Symmetric key encryption
[Figure: A encrypts plaintext into ciphertext; B decrypts the ciphertext back into plaintext, using the same key.]

Symmetric Key Cryptography
- Encryption protects documents on the way from A to B
- A and B need to share a key
- A procedure is required for A and B to obtain their shared key
- For n parties to communicate directly, about n² keys are needed (one per pair: n(n-1)/2)
- Security services: confidentiality, integrity, authentication (data origin authentication; key exchange ≈ peer entity authentication)

Symmetric Key Cryptography
- Algorithms: DES, AES (Rijndael), …
- No provable security
- Algorithms are designed to resist known attacks, e.g. differential and linear cryptanalysis
- Recommended key length: 80-90 bits (the 2001 recommendation; current guidance starts at 128 bits)
- DES: 56-bit keys are vulnerable to brute-force search
- DES was designed to resist differential cryptanalysis

Key exchange: “authentication”
- Needham-Schroeder protocol: a key transport protocol using a symmetric cipher for encryption; A and B obtain a session key Kab from a server S (Trusted Third Party)
- A [B] shares a secret key Kas [Kbs] with S
- Nonces (random challenges) nA and nB in the messages prevent replay attacks

Needham-Schroeder protocol
1. A → S: A, B, nA
2. S → A: eKas(nA, B, Kab, eKbs(Kab, A))
3. A → B: eKbs(Kab, A)
4. B → A: eKab(nB)
5. A → B: eKab(nB − 1)
(basis for Kerberos)

History: Non-secret Encryption
- "Fact": to exchange secret messages, shared secrets are required
- Counterexample (Bell Labs, 1944):
  - the receiver adds noise on a telephone line
  - the sender sends the message
  - the attacker only hears noise
  - the receiver gets the message by cancelling its own noise
- J.H. Ellis (CESG) described a scheme for non-secret (public key) encryption in 1970

Encryption with public keys
[Figure: A encrypts plaintext into ciphertext with B's public key; B decrypts the ciphertext back into plaintext with B's private key.]

Public Key Cryptography
- Encryption protects documents on the way from A to B
- B has a public encryption key and a private decryption key
- A procedure is required for A to get an authentic copy of B's public key (this need not be easier than getting a shared secret key)
- For n parties to communicate, n key pairs are needed

Digital signatures
[Figure: A signs a document with the private signature key, producing document + signature; B verifies it with A's public verification key and accepts or rejects.]

Digital Signatures
- Protect the authenticity of documents 'signed by A'; more precisely, a cryptographic mechanism for associating documents with verification keys
- A has a public verification key and a private signature key
- A procedure is required for B to get an authentic copy of A's public key
- Provide authentication; on their own they do not provide non-repudiation at the level of persons
- Electronic signatures: a security service for associating documents with persons

Key exchange without secrets
1. Alice puts the key in a box and attaches her lock
2. Bob adds his lock and returns the box
3. Alice removes her lock and returns the box
4. Bob removes his lock and opens the box
e.g. the Diffie-Hellman protocol

Public Key Cryptography
- Algorithms: RSA, ElGamal (encryption); RSA, DSA, … (digital signatures); Diffie-Hellman (key agreement); elliptic curve algorithms
- Provable security: reduction proofs to open problems: factoring, discrete logarithm (DLP)
- Note: breaking RSA ≠ factoring, breaking DSA ≠ DLP, breaking DH ≠ DLP (the reductions are known in one direction only)
- Provable security for protocols: reduction proofs to breaking the crypto algorithms (Bellare-Rogaway)
- Services: confidentiality, integrity, authentication, non-repudiation (at the level of keys)

Key Sizes – RSA
Arjen Lenstra: Unbelievable Security, Asiacrypt 2001

RSA modulus size (bits) needed to match each symmetric system, by year:

Year    DES    2K 3DES   3K 3DES   AES 128   AES 192   AES 256
2001    620    1723      2426      3224      7918      15387
2010    747    1955      2709      3560      8493      16246
2020    906    2233      3046      3956      9160      17235
2030    1084   2534      3408      4379      9860      18260

Key Sizes – '2010'
Arjen Lenstra: Unbelievable Security, Asiacrypt 2001

Sizes (bits) in 2010 matching each symmetric system, as given on the slide:

System   DES    2K 3DES   3K 3DES   AES 128   AES 192   AES 256
RSA      750    2000      2700      3600      8500      16000
LUC      860    2100      2900      3800      8900      17000
XTR      490    1200      1600      2000      4600      8600
ECC      510    860       1000      1200      1700      2300

Digital Signature Misconceptions
- "Verification is decryption with the public key" (as stated in X.509): untrue even for RSA signatures (treating verification as bare decryption is what admits existential forgeries), and it does not hold for DSA at all; the output of 'decrypt' is of type 'message', the output of 'verify' is of type Boolean, …
- "A signature binds the signer A to the document": verification links the document to a verification key, not to a person
- "Digital signatures are legally binding": even if recognized by law, digital signatures do not guarantee that there is a court with jurisdiction

Digital Signatures revisited
- Authentication: signatures are mathematical evidence linking a document to a public key
- The link between a public key and a person has to be established by procedural means
- This link can be recorded in a certificate (but certificates are not necessary for verifying digital signatures; verification keys are)
- The holder of a private signature key has to protect the key from compromise and to be sure that the key is only used as intended

Electronic signatures
[Figure: the chain behind an electronic signature. Document ↔ public verification key: mathematics (the digital signature). Public verification key ↔ private signature key: mathematics. Public verification key ↔ name: procedures (the certificate). Private signature key ↔ person: key container / signing device (secure O/S, physical security, procedures).]

Verifying security protocols
- Security services are typically provided by cryptographic protocols
- The design of security protocols is supposedly difficult and error prone
- There exists a substantial body of work on protocol analysis
- Can one trust the results of protocol analysis?
- We will use the Needham-Schroeder public key protocol as a case study

NS public key protocol (1978)
- Only B can decrypt the first message and form a reply containing the challenge nA
- Only A can decrypt the second message and form a reply containing the challenge nB

1. A → B: ePB(nA, A)
2. B → A: ePA(nB, nA)
3. A → B: ePB(nB)

Fact sheet
- Defined in the 1970s: principals are honest
- Authentication: verifying the identity of the communicating principals to one another
- Communications with servers can be done without establishing a 'connection'
- Establish a shared session key from nA, nB
- Formal analysis in the BAN logic (1990), e.g.: A believes B believes nB is a secret shared by A and B

A second formal analysis (1995)
- Conducted by Gavin Lowe using CSP
- CSP processes communicate on channels
- Goals and assumptions:
  - the attacker can be a regular protocol participant
  - the initiator commits to a run with B when receiving a reply ePA(nB, nA) containing the challenge nA
  - the responder commits to a run with A only if the message ePB(nA, A) came from A
- Why should the origin of challenges be verified?

Lowe's 'man-in-the-middle' attack: connection-oriented (1995)

(E(A) denotes E acting in A's name)

A → E:     ePE(nA, A)
E(A) → B:  ePB(nA, A)
B → E(A):  ePA(nB, nA)
E → A:     ePA(nB, nA)
A → E:     ePE(nB)
E(A) → B:  ePB(nB)

Attack: responder B can be tricked by a masquerading initiator.
Proof: initiator A authenticates responder E.

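The protocol runs discussed so far, executed in a small symbolic model: the symmetric-key Needham-Schroeder key transport, the honest public-key run, Lowe's attack on it, and (going one step beyond the slides) Lowe's 1995 repair, in which B names itself in message 2 so that A notices it is talking to E. This is an added example and not code from the original talk; encryption is modelled Dolev-Yao style (a term opens only with the matching key, names such as Kas, priv_A are constructed), which is the level of abstraction at which the CSP analysis above operates.

```python
"""Symbolic (Dolev-Yao style) model of the Needham-Schroeder protocols.

Added example, not from the original slides. An Enc term opens only with
the matching key; attacker E holds its own key pair and may relay,
re-encrypt and replay terms it has seen. All names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    key: str     # name of the key that opens this term
    body: tuple  # the encrypted fields


def enc(key, *body):
    return Enc(key, body)


def pk_enc(agent, *body):
    """Public-key encryption for `agent`: only priv_<agent> can open it."""
    return Enc(f"priv_{agent}", body)


def dec(key, term):
    if not isinstance(term, Enc) or term.key != key:
        raise ValueError(f"{key} cannot open this term")
    return term.body


def ns_symmetric(na=11, nb=22):
    """Symmetric-key NS: server S transports session key Kab to A and B."""
    Kas, Kbs, Kab = "Kas", "Kbs", "Kab"
    a, b, na_s = ("A", "B", na)                        # 1. A -> S: A, B, nA
    m2 = enc(Kas, na_s, b, Kab, enc(Kbs, Kab, a))      # 2. S -> A
    na_a, b_a, kab_a, ticket = dec(Kas, m2)
    if (na_a, b_a) != (na, "B"):                       # A's replay / peer check
        raise ValueError("stale or misdirected reply from S")
    kab_b, peer = dec(Kbs, ticket)                     # 3. A -> B: ticket
    (nb_a,) = dec(kab_a, enc(kab_b, nb))               # 4. B -> A: eKab(nB)
    (nb_back,) = dec(kab_b, enc(kab_a, nb_a - 1))      # 5. A -> B: eKab(nB-1)
    return kab_a == kab_b and peer == "A" and nb_back == nb - 1


def nspk_run(peer, na=1, nb=2, fixed=False):
    """NS public-key protocol; A starts a run with `peer` ("B" or "E").

    peer == "B": the honest run. peer == "E": Lowe's attack, where E opens
    A's first message, replays nA to B in A's name, forwards B's reply
    unchanged and learns nB from A's third message. fixed=True adds the
    responder's name to message 2 (Lowe's repair).
    """
    m1 = pk_enc(peer, na, "A")                          # A -> peer
    na_x, a = dec(f"priv_{peer}", m1)                   # holder of priv_peer reads it
    m1_to_b = m1 if peer == "B" else pk_enc("B", na_x, a)   # E re-encrypts for B
    na_b, claimed = dec("priv_B", m1_to_b)
    m2 = pk_enc(claimed, nb, na_b, *(["B"] if fixed else []))  # B -> "A"
    fields = dec("priv_A", m2)                          # only A can read it
    nb_a, na_back = fields[0], fields[1]
    if na_back != na:
        raise ValueError("A: challenge mismatch")
    if fixed and fields[2] != peer:
        return {"aborted_by_A": True}                   # A expected peer, saw B
    m3 = pk_enc(peer, nb_a)                             # A answers the party it talks to
    (nb_x,) = dec(f"priv_{peer}", m3)
    m3_to_b = m3 if peer == "B" else pk_enc("B", nb_x)  # E completes B's run
    (nb_back,) = dec("priv_B", m3_to_b)
    return {
        "aborted_by_A": False,
        "B_accepts_run_with_A": nb_back == nb and claimed == "A",
        "A_accepts_run_with": peer,
        "E_knows_both_nonces": peer == "E" and (na_x, nb_x) == (na, nb),
    }
```

Running `nspk_run("E")` reproduces the slide exactly: every check in the protocol passes, A has authenticated E, and B has accepted a run "with A" that A never started; the two verdicts are both true under Lowe's correspondence definition, which is the point of the next slides.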
Why is there proof and attack?
- Assumptions about the environment differ: E is a protocol participant, but E is not 'honest'
- Authentication goals differ: correspondence properties as used by Lowe became popular in the early 1990s, but were only intended to capture the authentication of protocol runs
- Correspondence ≈ authentication of connections:
  ✓ A sees a run with E and is connected to E
  ✗ B sees a run with A but is connected to E

A triangle attack (connectionless)
A → E:     ePE(nA, A)
E(A) → B:  ePB(nA, A)
B → A:     ePA(nB, nA)   (B replies directly to A, the claimed initiator)
A → E:     ePE(nB)
E(A) → B:  ePB(nB)

B has been tricked. Why? A was involved in the protocol run.
The initiator cannot be misled. Why? E is not responding.

Comments
- The proof is no longer 'correct' because we have an 'attack' where the responder does not run the protocol
- The attack is no longer an 'attack' because the initiator is involved in the protocol run
- Still, the attack violates properties claimed for the protocol: A is cheated because nA and nB are not secrets shared with E

Closed systems & open systems
There is an important difference between closed systems, where parties look for protection from the outside (the old world cryptography came from), and open systems, where parties look for protection from insiders (the new world of e-commerce).

Key exchange with a stranger
1. Alice puts the key in a box and attaches her lock
2. Someone adds a lock and returns the box
3. Alice removes her lock and returns the box
4. Someone removes the lock and opens the box

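The box-and-locks exchange and its failure with a stranger, in code. This is an added example, not part of the original slides: Diffie-Hellman over a toy group (a constructed 127-bit prime with generator 5, which offers no real security; use an RFC 7919 group or X25519 in practice), first between Alice and Bob, then with Mallory holding the box in the middle, and finally the kind of confirmation step the later conclusions mention: each side fingerprints the values it saw and the two fingerprints are compared over an alternative channel.

```python
"""Diffie-Hellman 'key exchange without secrets', and what a stranger can do.

Added example, not from the original slides. The group parameters are
constructed for illustration and are not a secure choice.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime (constructed)
G = 5            # toy generator (constructed)


def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared(secret, peer_public):
    return pow(peer_public, secret, P)


def honest_exchange() -> bool:
    a, A = keypair()   # Alice's lock
    b, B = keypair()   # Bob's lock
    return shared(a, B) == shared(b, A)


def mitm_exchange() -> dict:
    """Mallory sits between Alice and Bob; nobody authenticates anything."""
    a, A = keypair()
    b, B = keypair()
    m1, M1 = keypair()          # Mallory's value sent to Bob as if from Alice
    m2, M2 = keypair()          # Mallory's value sent to Alice as if from Bob
    k_alice = shared(a, M2)     # Alice believes M2 is Bob's
    k_bob = shared(b, M1)       # Bob believes M1 is Alice's
    return {
        "alice_bob_keys_match": k_alice == k_bob,
        "mallory_knows_alice_key": shared(m2, A) == k_alice,
        "mallory_knows_bob_key": shared(m1, B) == k_bob,
    }


def fingerprint(initiator_value, responder_value) -> str:
    data = f"{initiator_value},{responder_value}".encode()
    return hashlib.sha256(data).hexdigest()[:16]


def confirmation_over_alternative_channel(mitm: bool) -> bool:
    """Each side fingerprints the public values it sent and received; comparing
    the fingerprints over an independent channel (phone, paper, ...) exposes
    Mallory, because the two parties saw different values."""
    a, A = keypair()
    b, B = keypair()
    if mitm:
        _, M1 = keypair()
        _, M2 = keypair()
        alice_view = fingerprint(A, M2)   # Alice sent A, received M2
        bob_view = fingerprint(M1, B)     # Bob received M1, sent B
    else:
        alice_view = fingerprint(A, B)
        bob_view = fingerprint(A, B)
    return alice_view == bob_view
```

The exchange itself cannot tell Alice whose lock is on the box; only something outside the exchange (a signature under a key she already trusts, or a fingerprint compared over another channel) can.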
Conclusions
- Cryptography has its origins in communications security
- Not all security problems can be expressed as communications security problems
- Communications security tends to assume that end systems are secure and users are honest
- In today's world, we have to secure applications where end systems are not secure and users are not necessarily honest

Conclusions
- Crypto algorithms are not provably secure
  - Lars Knudsen: "If it's provably secure, it probably isn't"
- Crypto algorithms are practically very secure
  - unless you insist on inventing your own algorithms
- Crypto gives no more security than the keys used
  - key management is a frequent source of problems
  - Robert Morris Sr.: "The Enigma never was broken"
- Crypto gives no more security than the end system it is running on
  - designing secure end systems is the really difficult security challenge

Conclusions
- Crypto relies on tamper-resistant devices and on alternative channels (trust)
- Tamper-resistant devices + symmetric key crypto: CHAPS (see Davies & Price: Security for Computer Networks, 1984/89)
- Alternative channels for bootstrapping and for confirmation messages: GSM, book, newspaper
- Crypto depends on good security management
- End users are their own security managers
  - "How to get full control over your PC"

Brave New World
[Figure: government, bank, merchant, customer]
Can all these parties manage their own security?

Security & Security Services
"SSL gives no security guarantees that are relevant for e-commerce."
Dr Richard Walton, Director of CESG

"Digital certificates provide no actual security for electronic commerce; it's a complete sham."
Bruce Schneier: Secrets & Lies

"There exist security services that do not provide any security at all."
Roger Schell, Novell, ex-USAF