Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
CRYPTOGRAPHY
Giorgio Giacinto
Spring Semester 2019-2020
http://pralab.diee.unica.it 2
Cryptography and Security
• Used to hide the content of a message
• Goals
– Confidentiality
– Authenticity
– Integrity
• The text is modified by an encryption function
– An interceptor should not be able to understand all or part of the message content
Encryption/Decryption Process
(figure: Plaintext → Encryption, with an optional key → Ciphertext → Decryption, with an optional key → Original Plaintext)
Keys and Locks
Keys
(figure: a 10 by 10 grid of letters)
Steganography
(figure: one image minus the cover image equals the hidden image; source: https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1)
Definitions
• Cryptography algorithm
C = E(K, M)
A function E with two inputs
– a message M
– a key K (the encryption key)
that outputs
– the encrypted message C
The algorithm is based on a shared secret between the sender and the receiver.
Symmetric and Asymmetric Cryptography
• Symmetric cryptography
– The algorithm relies on one key: the key is the shared secret between the sender and the receiver
• Asymmetric cryptography
– The algorithm relies on two keys
• one key is secret, not shared with anyone: the private key
• the other key is public: anyone can have it
Cryptosystems
(figure: (a) Symmetric cryptosystem: Plaintext → Encryption → Ciphertext → Decryption → Original Plaintext, with one key used for both; (b) Asymmetric cryptosystem, e.g., Rivest-Shamir-Adleman: the same flow, with an encryption key and a separate decryption key)
Cryptographic primitives
• Substitution
– Each character of the plain text is substituted by another character according to some rule
– This technique aims at the confusion of the message content in the ciphertext
• Transposition
– The message is subdivided into parts, and their position is modified according to some rule
– This technique aims at the diffusion of the message content in the ciphertext
Stream and Block ciphers
Stream ciphers: each byte is encrypted separately
• Speed of transformation
• Low error propagation
• Low diffusion
• Susceptibility to malicious insertions and modifications
(figure: the plaintext is fed to the encryption function one symbol at a time, with an optional key, and the ciphertext comes out symbol by symbol)
Block ciphers: a group of symbols is encrypted as a single block
• Slowness of encryption
• Padding
• Error propagation
• High diffusion
• Immunity to insertion of symbols
(figure: the plaintext is split into fixed-size groups of symbols, and each group is encrypted as one block)
Substitution Ciphers

The Imitation Game (2014)
Caesar Cipher
• Each character in the plaintext is substituted by the character 3 positions ahead (wrapping around at the end of the alphabet)
c_i = E(p_i) = (p_i + 3) mod 26
for example
computer security
becomes
frpsxwhu vhfxulwb
Other substitutions
• A word is selected as a key to set the substitution of the first letters of the alphabet (e.g., chiefly); the remaining letters follow in alphabetical order
ABCDEFGHIJKLMNOPQRSTUVWXYZ
CHIEFLYABDGJKMNOPQRSTUVWXZ
• Substitution by using as a key a permutation of the alphabet: one letter in 3, mod 26
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADGJMPSVYBEHKNQTWZCFILORUX
Other substitutions
• OTP (One Time Pad)
– a pad of sheets of paper with one-time keys
– the encryption of a message of N characters in length will need as many keys as to cover all the N characters
– the sender will encrypt the message according to some substitution rule involving each character of the message and the corresponding character of the key
• for example, the Vigenère table
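The substitutions of the last three slides (Caesar shift, keyword alphabet, one-letter-in-3 permutation, and a Vigenère-table rule driven by a one-time key) as an added Python example; this is not code from the lecture. The function names, ALPHABET and the sample texts are assumptions of the example.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def caesar_alphabet(shift=3):
    """Cipher alphabet for c_i = (p_i + shift) mod 26; shift=3 is the Caesar cipher."""
    return ALPHABET[shift:] + ALPHABET[:shift]

def keyword_alphabet(keyword):
    """Keyword letters first (duplicates dropped), then the unused letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)

def step_alphabet(step=3):
    """Permutation 'one letter in `step`, mod 26'; a bijection only if gcd(step, 26) == 1."""
    return "".join(ALPHABET[(i * step) % 26] for i in range(26))

def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution; non-letters pass through, case is preserved."""
    assert sorted(cipher_alphabet) == list(ALPHABET), "cipher alphabet must be a permutation"
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    table = str.maketrans(src + src.lower(), dst + dst.lower())
    return text.translate(table)

def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: letter i is Caesar-shifted by key letter i (the Vigenere table).
    With a random key at least as long as the text, used once, this is the one-time pad."""
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        k = ALPHABET.index(key[i % len(key)].upper())
        i += 1
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + (-k if decrypt else k)) % 26 + base))
    return "".join(out)

def one_time_key(text):
    """One key letter per plaintext letter, drawn from a CSPRNG (the 'pad of sheets')."""
    n = sum(ch.isalpha() for ch in text)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))

if __name__ == "__main__":
    msg = "computer security"
    print(substitute(msg, caesar_alphabet(3)))              # frpsxwhu vhfxulwb
    print(substitute(msg, keyword_alphabet("chiefly")))
    pad = one_time_key(msg)
    ct = vigenere(msg, pad)
    print(ct, "->", vigenere(ct, pad, decrypt=True))
```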
Transpositions

Column-based Transpositions
• We can convert this text
THIS IS A SAMPLE MESSAGE
into a five-column sequence of characters
T H I S I
S A S A M
P L E M E
S S A G E
The resulting encrypted message (read column by column) is
TSPS HALS ISEA SAMG IMEE
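The column-based transposition above, with its inverse and a check that the letter frequencies of plaintext and ciphertext coincide (transposition diffuses, it does not confuse), as an added Python example that is not part of the lecture material; the function names are assumptions.

```python
from collections import Counter

def columnar_encrypt(text, columns):
    """Write the letters row by row into `columns` columns, read them out column by column.
    Column groups are separated by spaces, as on the slide."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    groups = ["".join(row[c] for row in rows if c < len(row)) for c in range(columns)]
    return " ".join(groups)

def columnar_decrypt(ciphertext, columns):
    """Invert it: the c-th space-separated group is column c; the last row may be short."""
    groups = ciphertext.split(" ")
    assert len(groups) == columns, "expected one group per column"
    n_rows = max(len(g) for g in groups)
    return "".join(groups[c][r] for r in range(n_rows) for c in range(columns) if r < len(groups[c]))

def letter_frequencies(text):
    """Transposition only moves letters, so the frequency profile is unchanged."""
    return Counter(ch for ch in text.upper() if ch.isalpha())

if __name__ == "__main__":
    ct = columnar_encrypt("THIS IS A SAMPLE MESSAGE", 5)
    print(ct)                         # TSPS HALS ISEA SAMG IMEE
    print(columnar_decrypt(ct, 5))    # THISISASAMPLEMESSAGE
```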
A useful tool for encoding and encryption
https://cryptii.com
“Secure” encryption algorithms
Shannon and the definition of “good” ciphers
Communication Theory of Secrecy Systems (1949)
1. The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
2. The set of keys and the enciphering algorithm should be free from complexity
3. The implementation of the process should be as simple as possible
4. Errors in ciphering should not propagate and cause corruption of further information in the message
5. The size of the enciphered text should be no larger than the text of the original message
Cryptanalysis
• Goal: break an encryption
– break (decrypt) a single message
– recognize patterns in encrypted messages
– infer some meaning without even breaking the encryption, such as from the frequency of messages
– easily deduce the key to break one message and perhaps subsequent ones
– find weaknesses in the implementation or environment of use of encryption by the sender
– find general weaknesses in an encryption algorithm
An algorithm is called breakable when, given enough time and data, an analyst can determine the algorithm
Inputs to cryptanalysis
• Ciphertext Only
– Look for patterns, similarities, and discontinuities among many messages that are encrypted alike
• Plaintext and Ciphertext pair
– Full or Partial Plaintext
• known-plaintext or probable-plaintext
– Ciphertext of Any Plaintext
• chosen-plaintext
Breaking Enigma
The Imitation Game (2014)
https://www.youtube.com/watch?v=_C25CwNlVjA
Trustworthy cryptosystems
• Based on sound mathematical foundations
• Analyzed by competent experts and found to be sound
• Stood the “test of time”
Symmetric Encryption
(Figure 2.1 Simplified Model of Symmetric Encryption: plaintext input X → encryption algorithm, e.g., DES → transmitted ciphertext Y = E[K, X] → decryption algorithm, the reverse of the encryption algorithm → plaintext output X = D[K, Y]; the secret key K is shared by sender and recipient)
Standard and Commercial algorithms
• Block ciphers
– DES (Data Encryption Standard)
– 3DES (Triple DES)
– AES (Advanced Encryption Standard)
– Blowfish (1993, Bruce Schneier)
• Stream ciphers
– RC4 (1987, Ron Rivest)
DES
• In 1972 the U.S. National Bureau of Standards (NBS, nowadays NIST) called for proposals for producing a public encryption algorithm.
• In the second call, in 1974, the most promising proposal was IBM’s Lucifer. IBM developed for NBS the Data Encryption Standard (DES) based on Lucifer.
• DES was officially adopted as a U.S. federal standard in November 1977. DES was later accepted as an international standard by ISO.
The complete DES
(figure: 64-bit input → Initial Permutation → L0, R0 → 16 cycles; in cycle i the data go through Substitution and Permutation under a subkey obtained by permuting and shifting the key, with L1 = R0, L2 = R1, ..., L15 = R14, L16 = R15 → Inverse Initial Permutation → output)
64-bit blocks, 64-bit key
The algorithm at work: http://page.math.tu-berlin.de/~kant/teaching/hess/krypto-ws2006/des.htm
A cycle in DES
(figure: the 32-bit Right Data Half goes through the Expansion Permutation to 48 bits and is combined with the 48-bit Permuted Key, which comes from the 56-bit Shifted Key through Substitution/Permuted Choice; the result goes through Substitution and Permutation back to 32 bits. New Left Data Half = Old Right Half; New Right Data Half = Old Left Half combined with that 32-bit result)
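A toy Feistel network with the DES cycle structure, added here as a Python example (it is neither DES nor code from the lecture): the per-round key shift amounts are DES's real schedule; the subkey folding, the round function, the key 0x133457799BBCDF and the block value are constructed for the example. It shows why decryption is the same routine with the subkeys reversed, whatever the round function f is.

```python
import secrets

MASK32 = 0xFFFFFFFF
MASK28 = 0xFFFFFFF
MASK48 = 0xFFFFFFFFFFFF
# DES's per-cycle left-rotation amounts for the two 28-bit key halves ("Key Shifted").
DES_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def rotl(x, r, bits):
    return ((x << r) | (x >> (bits - r))) & ((1 << bits) - 1)

def toy_subkeys(key56):
    """Sixteen 48-bit subkeys from a 56-bit key. The shifts follow DES; the 'permuted
    choice' is a made-up folding of the two halves (real DES uses table PC-2)."""
    c, d = key56 >> 28, key56 & MASK28
    subkeys = []
    for s in DES_SHIFTS:
        c, d = rotl(c, s, 28), rotl(d, s, 28)
        subkeys.append(((c << 20) ^ d) & MASK48)
    return subkeys

def toy_f(right, subkey):
    """Toy round function with the DES shape: expand 32->48, add key, substitute, permute."""
    expanded = ((right << 16) | right) & MASK48            # expansion permutation (toy)
    mixed = expanded ^ subkey                              # combine with the permuted key
    sub = ((mixed * 0x9E3779B97F4A7C15) >> 24) & MASK32    # stand-in for the S-boxes
    return rotl(sub, 7, 32)                                # permutation P (toy)

def feistel_cycle(left, right, subkey, f=toy_f):
    """One cycle: new left = old right; new right = old left XOR f(old right, subkey)."""
    return right, left ^ f(right, subkey)

def feistel_encrypt(block64, subkeys, f=toy_f):
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = feistel_cycle(left, right, k, f)
    return (right << 32) | left     # DES swaps the halves back after the 16th cycle

def feistel_decrypt(block64, subkeys, f=toy_f):
    """Same routine with the subkeys in reverse order: f itself is never inverted."""
    return feistel_encrypt(block64, subkeys[::-1], f)

if __name__ == "__main__":
    ks = toy_subkeys(secrets.randbits(56))
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, ks)
    print(hex(ct), hex(feistel_decrypt(ct, ks)))
```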
DES variants
Security of DES
• Diffie and Hellman in 1977 argued that a 56-bit key is too short given the increasing power of computers
• In 1998 researchers built a “DES cracker” machine for approximately $200,000 U.S. that could find a DES key in four days (later improved to a few hours)
• In 1995 the NIST began the search for a new, strong, and more flexible algorithm. The result was the Advanced Encryption Standard - AES
AES
• In 1997 NIST called for cryptographers to develop a new encryption system
– unclassified
– publicly disclosed
– royalty free for use worldwide
– symmetric block cipher of at least 128 bit
– keys 128, 192, and 256 bits long
• In Aug 1998, 15 algorithms chosen from the submissions
• In Aug 1999, 5 finalists
• In 2001 the winning algorithm became the official U.S. standard
AES
Name of the algorithm: Rijndael, derived from the creators’ names Rijmen and Daemen
Substitutions, transpositions, shifts, XOR, additions
Example source code: http://www.hoozi.com/posts/advanced-encryption-standard-aes-implementation-in-cc-with-comments-part-1-encryption/
(figure: one round on the state, with S-boxes S and round key k)
1. Byte Sub
2. Shift Row
3. Mix Columns
4. Add Round Key
Repeat n times
DES vs. AES
RC2, RC4, RC5, and RC6
• Authored by Ronald Rivest
– one of the inventors of the RSA algorithm and founder of RSA Laboratories
• RC2 (publicly released in 1996)
– Block cipher designed as a simple and fast algorithm
• RC4 (popular before 2000)
– Stream cipher, widely used in wireless networks (WEP and WPA)
• RC5 (1994)
– Block cipher
• RC6
– A modification of RC5 to compete in the AES competition
openssl crypto library
• openssl (http://www.openssl.org) is an open source project that provides a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols
• The crypto library implements a wide range of cryptographic algorithms used in various Internet standards
openssl symmetric ciphers
• encryption of a message using triple-DES
openssl des3 -salt -in file.txt -out file.des3
• decryption of a message using triple-DES
openssl des3 -d -salt -in file.des3 -out file.txt
(Recent OpenSSL releases warn that the default password-to-key derivation of these commands is deprecated; adding -pbkdf2 to both commands selects the stronger derivation, and triple-DES itself is now a legacy cipher.)
Message Digests
One-Way Hash Function
• Convert input to a digest
– It is infeasible to start with a digest value and infer the input
• They do not have obvious collisions
– it is infeasible to find a pair of inputs that produce the same digest
(figure: message M → hash function → message digest, which is then encrypted for authenticity)
Bank Transfers, mid 19th century
• One-way coding of the amount of money to be transferred between two parties produces a test key for integrity
– Sum of the numbers in the tables according to the positions of the digits in the amount to be transferred
• Example
– Coding € 243.561,00
53 (no millions) + 70 (200.000) + 91 (40.000) + 87 (3.000) = 301
Message Digests
• One-way hash functions are cryptographic functions with multiple uses
– They are used in conjunction with asymmetric algorithms for both encryption and digital signatures
– They are used in integrity checking
– They are used in authentication
– They are used in communications protocols
• They are based on one-way random functions
Properties of Current Hash Standards
Collisions in MD5: https://www.mscs.dal.ca/~selinger/md5collision/
Asymmetric ciphers: The RSA algorithm
Symmetric key distribution
• How can the shared secret symmetric key be exchanged by two parties?
• In 1976 Diffie and Hellman proposed a novel cryptographic mechanism
– each user is given two keys
• one key is private, i.e., the owner must keep it secret
• the other key is public, i.e., anyone must have it
– the pair of private and public keys is generated by a specific key generation algorithm
Recipients of the 2015 ACM A.M. Turing Award
Public Key to Exchange Secret Keys
(figure: two phones exchanging three messages)
1. Bill, give me your public key
2. Here is my key, Amy
3. Here is a symmetric key we can use
Cryptography based on discrete logarithms
• A primitive root modulo p is a number whose powers generate all the nonzero numbers mod p
• For example, if we work modulo 7 we find that
– 5^1 = 5 (mod 7)
– 5^2 = 25 ≡ 4 (mod 7)
– 5^3 ≡ 4 × 5 ≡ 6 (mod 7)
– 5^4 ≡ 6 × 5 ≡ 2 (mod 7)
– 5^5 ≡ 2 × 5 ≡ 3 (mod 7)
– 5^6 ≡ 3 × 5 ≡ 1 (mod 7)
• 5 is called a primitive root modulo 7
– Given any nonzero y, we can always solve the equation y = 5^x (mod 7); x is then called the discrete logarithm of y modulo 7.
• For large random prime numbers p
– the discrete logarithm cannot be computed in practice
– the mapping f: x → g^x mod p is a one-way function
– f(x + y) = f(x) f(y)
– f(nx) = f(x)^n
Diffie-Hellman protocol
• Original version of the algorithm
– Alice and Bob agree on using two numbers p and g
• p is a prime number
• g is a primitive root mod p
– Alice chooses a secret integer x and sends to Bob A = g^x mod p
– Bob chooses a secret integer y and sends to Alice B = g^y mod p
– Alice will compute B^x mod p, Bob will compute A^y mod p; that will be the shared secret, as B^x mod p = A^y mod p = g^xy mod p
Diffie-Hellman Example
Have
• Prime number q = 353
• Primitive root a = 3
A and B each compute their public keys after selecting their secret keys, XA = 97 and XB = 233, respectively
• A computes YA = 3^97 mod 353 = 40
• B computes YB = 3^233 mod 353 = 248
Then exchange and compute the secret key
• For A: K = (YB)^XA mod 353 = 248^97 mod 353 = 160
• For B: K = (YA)^XB mod 353 = 40^233 mod 353 = 160
An attacker must solve
• 3^z mod 353 = 40, which is hard
• The desired answer is 97; the attacker then computes the key as B does
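The primitive-root table for p = 7, the Diffie-Hellman exchange with q = 353, a = 3, XA = 97, XB = 233, and the homomorphic property f(x + y) = f(x) f(y), as an added Python example (not the lecture's code). The discrete logarithm is found by exhaustive search, which only finishes because 353 is tiny; that is the whole point of choosing a large p. Function names are assumptions.

```python
def is_primitive_root(g, p):
    """g is a primitive root mod p if g^1 .. g^(p-1) hit every nonzero residue."""
    return len({pow(g, i, p) for i in range(1, p)}) == p - 1

def primitive_roots(p):
    return [g for g in range(2, p) if is_primitive_root(g, p)]

def powers_table(g, p):
    """[g^1, g^2, ..., g^(p-1)] mod p: the table on the slide for g = 5, p = 7."""
    return [pow(g, i, p) for i in range(1, p)]

def discrete_log(g, y, p):
    """Smallest x >= 1 with g^x = y (mod p), by exhaustive search. This is the attacker's
    problem on the slide; it is feasible here only because p is small."""
    acc = 1
    for x in range(1, p):
        acc = acc * g % p
        if acc == y:
            return x
    return None

def dh_public(p, g, secret):
    return pow(g, secret, p)

def dh_shared(p, peer_public, secret):
    return pow(peer_public, secret, p)

def dh_exchange(p, g, x_a, x_b):
    """Run both sides; returns (Y_A, Y_B, K) after checking that both parties agree on K."""
    y_a, y_b = dh_public(p, g, x_a), dh_public(p, g, x_b)
    k_a, k_b = dh_shared(p, y_b, x_a), dh_shared(p, y_a, x_b)
    assert k_a == k_b == pow(g, x_a * x_b, p)     # B^x = A^y = g^(xy) mod p
    return y_a, y_b, k_a

if __name__ == "__main__":
    print(powers_table(5, 7))                  # [5, 4, 6, 2, 3, 1]
    print(primitive_roots(7))                  # [3, 5]
    print(dh_exchange(353, 3, 97, 233))        # (40, 248, 160)
    print(discrete_log(3, 40, 353))            # 97: what the eavesdropper would need
```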
Asymmetric Cryptography
• Symmetric cryptography
– two users share one secret key
• Asymmetric cryptography
– each user has two keys: one public and one private
• Messages encrypted using the user’s public key can only be decrypted using the user’s private key, and vice versa
Asymmetric cryptography
kpub: Public key
kpriv: Private key
E(k, M): Encryption
D(k, M): Decryption
P: Plaintext
P = D(kpriv, E(kpub, P))
some algorithms also allow
P = E(kpub, D(kpriv, P))
Encryption with public key
(Figure 2.6 Public-Key Cryptography. (a) Encryption with public key: Bob takes Alice's public key from his public-key ring (which also holds Joy's, Mike's and Ted's keys), computes Y = E[PUa, X] with the encryption algorithm, e.g., RSA, and Alice recovers X = D[PRa, Y] with her private key. (b) Encryption with private key: Bob computes Y = E[PRb, X] with his private key, and Alice, taking Bob's public key from her public-key ring, recovers X = D[PUb, Y].)
Encryption with private key
(the same Figure 2.6 Public-Key Cryptography, panel (b): Bob encrypts with his private key, Y = E[PRb, X], and Alice decrypts with Bob's public key, X = D[PUb, Y])
Asymmetric Encryption with RSA
• Since its introduction in 1978, no serious flaws have yet been found
• The encryption algorithm is based on the underlying problem of factoring numbers that are the product of two large primes
– the fastest known algorithm is exponential in time
• Two keys, d and e, are used for decryption and encryption, and they are interchangeable
• The plaintext block P is encrypted as P^e mod n = C
• The decrypting key d is chosen so that C^d mod n = P
P = C^d mod n = (P^e)^d mod n = (P^d)^e mod n
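Textbook RSA with deliberately tiny primes, as an added Python example (not code from the lecture): encryption as P^e mod n, decryption as C^d mod n, the interchangeability of d and e, and a trial-division factoring of n that recovers d, which is exactly what becomes infeasible when the primes are large. The primes 61 and 53, e = 17 and the function names are assumptions of the example.

```python
import math

def toy_keypair(p, q, e=17):
    """Textbook RSA from two given primes. Toy sizes only: real keys use primes of ~1024 bits."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)                      # modular inverse (Python >= 3.8)
    return (e, n), (d, n)                    # public key, private key

def rsa_apply(block, key):
    """C = P^e mod n with the public key, P = C^d mod n with the private key: one operation."""
    exponent, n = key
    assert 0 <= block < n, "a plaintext block must be an integer in [0, n)"
    return pow(block, exponent, n)

def factor_toy_modulus(n):
    """Trial division. Finishes only because n is tiny; for a 2048-bit n no known method does."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None

def recover_private_key(public_key):
    """Whoever factors n can compute phi(n) and hence d: RSA's security rests on factoring."""
    e, n = public_key
    p, q = factor_toy_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1)), n

if __name__ == "__main__":
    pub, priv = toy_keypair(61, 53)          # n = 3233
    c = rsa_apply(65, pub)
    print(c, rsa_apply(c, priv))              # 2790 65
    s = rsa_apply(65, priv)                   # apply d first ...
    print(rsa_apply(s, pub))                  # ... then e: 65 again, the keys are interchangeable
    print(recover_private_key(pub) == priv)   # True for a toy modulus
```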
Secret Key vs. Public Key Encryption
Asymmetric Encryption Algorithms
• RSA (Rivest, Shamir, Adleman)
– Developed in 1977
– Most widely accepted and implemented approach to public-key encryption
– Block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n
• Diffie-Hellman key exchange algorithm
– Enables two users to securely share a secret key for symmetric encryption
– Limited to the exchange of the keys
• Digital Signature Standard (DSS)
– Provides only a digital signature function with SHA-1
– Cannot be used for encryption or key exchange
• Elliptic curve cryptography (ECC)
– Security like RSA, but with much smaller keys
RSA in openssl
• Creation of an RSA private key
openssl genrsa -out key.pem
• Creation of the corresponding public key
openssl rsa -in key.pem -pubout -out pubkey.pem
RSA in openssl
• openssl rsautl with the following parameters
-in filename
-out filename
-inkey file: file containing the key (default: the private key)
-pubin: the input key is a public key
-encrypt: RSA encryption of the input file with the public key
-decrypt: RSA decryption of the input file with the private key

Example
• Public key encryption
openssl rsautl -encrypt -inkey pubkey.pem -pubin -in <infile> -out <file_enc>
• Private key decryption
openssl rsautl -decrypt -inkey key.pem -in <file_enc> -out <file_dec>
(rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl accepts the same -encrypt, -decrypt, -inkey and -pubin options.)
Certificates
Certificates
• In real life identity and authenticity are certified by trusted authorities through a hierarchy of mutual trust
– Government servants issue and verify
• ID cards
• Passports
• …
• Other sources of authenticity
– Stamps
– Headed letters
– …
Digital Certificates: Trustable Identities and Public Keys
• A certificate is
– a public key
– an identity
bound together and signed by a certificate authority
• A Certificate Authority (CA) is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys
• A Public Key Infrastructure is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Delegation of trust
Certificate Signing and Hierarchy
(figure, in two columns)
To create Diana’s certificate:
– Diana creates and delivers to Edward: Name: Diana, Position: Division Manager, Public key: 17EF83CA ...
– Edward adds: hash value 128C4
– Edward signs with his private key: which is Diana’s certificate.
To create Delwyn’s certificate:
– Delwyn creates and delivers to Diana: Name: Delwyn, Position: Dept Manager, Public key: 3AB3882C ...
– Diana adds: hash value 48CFA
– Diana signs with her private key
– And appends her certificate (Name: Diana, Position: Division Manager, Public key: 17EF83CA ..., hash value 128C4): which is Delwyn’s certificate.
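The Edward → Diana → Delwyn hierarchy of the figure, as an added Python example that is not code from the lecture: each certificate body is hashed (standing in for the slide's hash values 128C4 and 48CFA), the issuer signs the hash with a textbook RSA private key, and a verifier walks Delwyn's certificate up through Diana's appended certificate to Edward's trusted key. The toy RSA (Mersenne primes, hash reduced mod n, no padding), the dictionary layout and all names of functions are assumptions; a real PKI uses X.509 and padded signatures.

```python
import hashlib

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two given primes; toy sizes and no padding, illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def body_digest(body):
    """Hash of the certificate fields; the slide's 'hash value' stands for this."""
    canonical = "|".join(f"{k}={v}" for k, v in sorted(body.items()))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")

def sign(body, private_key):
    d, n = private_key
    return pow(body_digest(body) % n, d, n)       # toy: hash reduced mod n, then RSA with d

def verify(body, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == body_digest(body) % n

def issue_certificate(name, position, public_key, issuer_name, issuer_private_key):
    """The issuer adds the hash and signs it with the issuer's private key (Edward for Diana)."""
    body = {"name": name, "position": position, "public_key": public_key, "issuer": issuer_name}
    return {"body": body, "signature": sign(body, issuer_private_key)}

def verify_chain(chain, trusted_keys):
    """chain[0] is the certificate being checked; each following certificate belongs to the
    previous one's issuer (Delwyn's certificate with Diana's appended). The last issuer must
    be a key that is trusted directly (Edward)."""
    for i, cert in enumerate(chain):
        issuer = cert["body"]["issuer"]
        if i + 1 < len(chain):
            if chain[i + 1]["body"]["name"] != issuer:
                return False
            issuer_key = chain[i + 1]["body"]["public_key"]
        else:
            issuer_key = trusted_keys.get(issuer)
            if issuer_key is None:
                return False
        if not verify(cert["body"], cert["signature"], issuer_key):
            return False
    return True

def example_chain():
    """Edward (trusted root) -> Diana -> Delwyn, with constructed Mersenne-prime toy keys."""
    edward_pub, edward_priv = toy_keypair(2**31 - 1, 2**61 - 1)
    diana_pub, diana_priv = toy_keypair(2**89 - 1, 2**107 - 1)
    delwyn_pub, _ = toy_keypair(2**127 - 1, 2**521 - 1)
    diana_cert = issue_certificate("Diana", "Division Manager", diana_pub, "Edward", edward_priv)
    delwyn_cert = issue_certificate("Delwyn", "Dept Manager", delwyn_pub, "Diana", diana_priv)
    return [delwyn_cert, diana_cert], {"Edward": edward_pub}

if __name__ == "__main__":
    chain, roots = example_chain()
    print(verify_chain(chain, roots))   # True
```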
Certificate Hierarchy
Structure of a digital certificate
• User's identity and public key
• Signed by a certificate authority (CA)
– Actalis, Comodo, DigiCert, Symantec/VeriSign, …
• Self-signed certificates
– http://www.akadia.com/services/ssh_test_certificate.html
– no authority certifies the authenticity, and you need to trust the entity that signed the certificate
Certificates in openssl
• Creation of a certificate signing request
openssl req -new -key server.key -out server.csr
– server.key is the private key associated with the server
• Self-signed X.509 certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Random numbers
Random Numbers
• They are needed to generate:
– Keys for public-key algorithms
– Stream key for symmetric stream cipher
– Symmetric key for use as a temporary session key or in creating a digital envelope
– Handshaking to prevent replay attacks
– Session key
Randomness
Random Number Requirements
• Criteria
– Uniform distribution
• Frequency of occurrence of each of the numbers should be approximately the same
– Independence
• No one value in the sequence can be inferred from the others
• Unpredictability
– Each number is statistically independent of other numbers in the sequence
– Opponent should not be able to predict future elements of the sequence on the basis of earlier elements
Random versus Pseudorandom
Algorithmic techniques for random number generation
• Algorithms are deterministic and therefore produce sequences of numbers that are not statistically random
Pseudorandom numbers are
• Sequences that satisfy statistical randomness tests
• Likely to be predictable
True random number generator (TRNG)
• Nondeterministic source to produce randomness
• Mostly by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• Increasingly provided on modern processors
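A linear congruential generator beside a frequency (chi-square) test, as an added Python example that is not from the lecture: its output can pass the uniform-distribution criterion, yet the independence and unpredictability criteria fail, since one observed output determines the next. The class, the function names, the seed and the bucket counts are assumptions; the multiplier, increment and modulus are the classic ANSI C rand() constants.

```python
import secrets

class ToyLCG:
    """Linear congruential generator x_{n+1} = (a * x_n + c) mod m. Fully deterministic:
    the entire sequence follows from the seed, so it is pseudorandom, not random."""
    def __init__(self, seed, a=1103515245, c=12345, m=2**31):
        self.state, self.a, self.c, self.m = seed % m, a, c, m

    def next(self):
        self.state = (self.a * self.state + self.c) % self.m
        return self.state

def predict_next(observed, a=1103515245, c=12345, m=2**31):
    """Independence fails: one observed output fixes the next (the output is the whole state)."""
    return (a * observed + c) % m

def chi_square_uniformity(values, bins, m):
    """Frequency test: chi-square statistic of the bucket counts of values in [0, m)
    against the expected count len(values)/bins. A small statistic looks uniform."""
    counts = [0] * bins
    for v in values:
        counts[v * bins // m] += 1
    expected = len(values) / bins
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_uniform(values, bins, m, critical):
    """True when the statistic stays below the chosen critical value (15 d.o.f., 1%: about 30.6)."""
    return chi_square_uniformity(values, bins, m) < critical

if __name__ == "__main__":
    gen = ToyLCG(seed=2020)
    sample = [gen.next() for _ in range(4096)]
    print("LCG chi-square over 16 bins:", round(chi_square_uniformity(sample, 16, 2**31), 2))
    print("passes the frequency test:", looks_uniform(sample, 16, 2**31, 30.6))
    observed = gen.next()
    print("next value predicted from one observation:", predict_next(observed) == gen.next())
    # Keys and session secrets need a CSPRNG, not a generator that merely looks uniform:
    print("CSPRNG 128-bit key:", hex(secrets.randbits(128)))
```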
Digital Signatures
Digital Signature Properties
• Unforgeable (mandatory)
– No one other than the signer can produce the signature without the signer’s private key
• Authentic (mandatory)
– The receiver can determine that the signature really came from the signer
• Not alterable (desirable)
– No signer, receiver, or any interceptor can modify the signature without the tampering being evident
• Not reusable (desirable)
– Any attempt to reuse a previous signature will be detected by the receiver
Digital Signature
• The general way of computing digital signatures is with public key encryption
– The signer computes a signature value by using a private key
– Others can use the public key to verify that the signature came from the corresponding private key
(figure: a mark only the sender can make, i.e., authentic and unforgeable, fixed to the document)
Digital signatures with public key encryption
(figure: Signature and Verification)
Digital signatures in openssl
• Creation of the signature for a file using the private key
openssl rsautl -sign -in file -inkey key.pem -out sig
• Verification of the authenticity of the signature
openssl rsautl -verify -in sig -inkey pubkey.pem -pubin
(rsautl signs the raw input, so the file must be shorter than the key; in practice one signs a digest, e.g. openssl dgst -sha256 -sign key.pem -out sig file, verified with openssl dgst -sha256 -verify pubkey.pem -signature sig file.)
Digital signature and secret message
Digital Envelopes
Symmetric and Asymmetric Encryption
• Symmetric algorithms provide an efficient and effective way of protecting the confidentiality and integrity of data at rest or in transit
• Asymmetric encryption is used for
– exchanging symmetric encryption keys
– signing data to show authenticity and proof of origin
Internet and Cryptography
Link encryption
• The plaintext message is encrypted just before being sent through the physical layer
– the plaintext is available in all upper layers
Link encryption: packet format
Encryption implemented at the hardware level
End-to-end encryption
• The message content is encrypted at the application or presentation layer
Packet format: end-to-end encryption
Encryption implemented at the application level; key exchange protocol
Example: the Signal protocol
• The Signal protocol was developed by Open Whisper Systems (https://signal.org) in 2013 to provide end-to-end encryption for instant messaging.
• It has been implemented into applications such as WhatsApp, Facebook Messenger, Google Allo.
• The protocol combines
– the Double Ratchet Algorithm
– Prekeys
– a triple Diffie–Hellman (3-DH) handshake,
– and uses Curve25519, AES-256 and HMAC-SHA256 as primitives
https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
Link vs. End-to-End
WiFi Security - WEP
• WEP - Wired Equivalent Privacy was designed at the same time as the original 802.11 WiFi standards
• Weaknesses in WEP were first identified in 2001, four years after release
– More weaknesses were discovered, until any WEP-encrypted communication could be cracked in minutes
How WEP Works
• Client and access point (AP) have a pre-shared key
– AP sends a random number to the client, which the client then encrypts using the key and returns to the AP
– The AP decrypts the number using the key and checks that it’s the same number to authenticate the client
– Once the client is authenticated, the AP and client communicate using messages encrypted with the key
WEP Main Weaknesses
• Weak encryption key
– WEP allows the key to be either 64- or 128-bit, but 24 of those bits are reserved for initialization vectors (IV)
– Keys were either alphanumeric or hex phrases that users typed in, therefore vulnerable to dictionary attacks
• Static key
• Weak encryption process
– A 40-bit key can be brute forced easily
• Weak encryption algorithm
– WEP used RC4 in a strange way, that allowed attackers to decrypt large portions of any WEP communication
WPA (WiFi Protected Access)
• WPA was designed in 2003 to replace WEP
• WPA2 followed in 2004, the current standard
• Non-static encryption key
– WPA uses a hierarchy of keys
• New keys are generated for each session, and the encryption key is automatically changed on each packet
• Strong encryption
– WPA supports AES
• Integrity protection
– WPA includes a 64-bit cryptographic integrity check
• Session initiation
– WPA sessions begin with authentication and a four-way handshake
• separate keys for encryption and integrity on both ends
VPN - Virtual Private Network
• An encrypted tunnel for communication between two sites of the same organization over public networks
• VPN usually implemented by firewalls
– link encryption
(figure: Office A hosts A1 to A4 behind Firewall A, Office B hosts B1 to B4 behind Firewall B; the traffic between the two firewalls, and to other sites, is encrypted)
VPN - Virtual Private Network
• VPNs are also used for the secure connection of a teleworker to the remote office
(figure: Office hosts A1 to A4 behind Firewall A; the traffic between the firewall and the teleworker, and to other sites, is encrypted)
Secure Shell (SSH)
• Originally developed for UNIX
• Provides an authenticated, encrypted path to the OS command line over the network
• Replacement for insecure utilities such as telnet, rlogin, and rsh
• The protocol involves negotiation between local and remote sites for
– encryption algorithm (e.g., DES or AES)
– authentication
SSL and TLS
• Secure Sockets Layer (SSL) was designed by Netscape in the 1990s to protect communication between the web browser and server
• In a 1999 upgrade to SSL, it was renamed Transport Layer Security (TLS)
• While the protocol is still commonly called SSL, TLS is the modern, and much more secure, protocol
• SSL is implemented at OSI layer 4 (transport) and provides
– Server authentication
– Client authentication (optional)
– Encrypted communication
The TLS protocol
• A server replies to a client that wants to initiate a secure connection with its certificate
• The client sends part of a symmetric key encrypted with the public key of the server
• Client and server compute the remaining part of the session key
– Diffie-Hellman protocol
• The session key is used to encrypt the communication through a symmetric encryption algorithm
Email encryption
• TLS for the confidentiality of the password between client and server
• PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) for encrypting the message content
– both based on public keys for authentication and the exchange of the symmetric session key
– PGP relies on each user’s exchanging keys with all potential recipients (a circle of trust)
– S/MIME uses hierarchically validated certificates
Anonymous browsing: the TOR project
• The receiver should not be able to identify the computer that initiated the request
– The request is handled by intermediate nodes that hide the identity of the initiator
– The intermediate nodes should not be aware of the path of the packets
Onion Routing: The TOR network
• The Tor network is an overlay network
• Each onion router (OR) runs as a normal user-level process without any special privileges.
• Each onion router maintains a TLS connection to every other onion router.
• Each user runs local software called an onion proxy (OP)
– to fetch directories, establish circuits across the network, and handle connections from user applications.
• These onion proxies accept TCP streams and multiplex them across the circuits.
• The onion router on the other side of the circuit connects to the requested destinations and relays data.
Key exchange and encryption in Onion routing
E_PK(·): Encryption with public key
H(·): Cryptographic hash function
Anonymous HTTP browsing: TOR network

The TOR network