4. Using Encryption Wisely
The University of Tulsa
Sujeet Shenoi
Center for Information Security
Department of Computer Science, University of Tulsa, Tulsa, OK 74104
[email protected]
Encryption provides a “false sense of security”
• Must be used correctly
• Practices
• Protocols
Encryption Speed
Delay Time
• Stream vs. Block ciphers
• DES: 64-bit blocks
• RSA: 100-200-bit blocks (limited security with short blocks)
Speed
• Symmetric algorithms are much faster (1,000 to 5,000 times)
• Hardware solutions are much faster
• RSA: 220K bits/s (hardware) vs 0.5K bits/s/MIPS (software)
• DES: 1,200,000K bits/s (hardware) vs 400K bits/s/MIPS (software)
Block Replay
Transaction Format
  Field:       Depositor Name   SrcAct   DestAct   Amount
  Size:        24 bytes         8        8         8
  DES blocks:  3                1        1         1
Original Transactions
  Intruder    xxx   I#    zz$
  John Doe    yyy   JD#   8K$
Fabricated Transaction
  Intruder    yyy   I#    8K$
Block Chaining
• Prevents “Block Replay”
• x ⊕ x = 0 (1011 ⊕ 1011 = 0000)
• Encryption
  – C1: { P1 }K
  – C2: { P2 ⊕ C1 }K
  – Cj: { Pj ⊕ Cj-1 }K
• Decryption
  – P1: { C1 }K
  – P2: { C2 }K ⊕ C1
  – Pj: { Cj }K ⊕ Cj-1
Initial Chaining Value
• Block Chaining conceals identical blocks
• Only if each block is preceded by something unique
• Suppose messages always begin with: “US Army HQ”
• Encryption
  – C1: { IV }K (IV: Random Initial Vector)
  – C2: { P1 ⊕ C1 }K
  – Cj: { Pj-1 ⊕ Cj-1 }K
• Decryption
  – P0: { C1 }K
  – Pj: { Cj+1 }K ⊕ Cj
One Way Encryption
Use special functions
• f(x) = x^3; x = (f(x))^(1/3) (difficult to compute)
• f(x) = x^2; x = (f(x))^(1/2) (no unique inverse, e.g., for f(x) = 4)
• System stores f(pwd)
• User enters string
• System computes f(string) and compares with f(pwd)
• Internet Worm (Nov. 2, 1988)
Cryptographic Sealing
Integrity (as opposed to Secrecy)
• Store <file> and SHA(<file>)
• A cryptographic checksum could be the last block of a chained DES encryption
Authentication and Time Stamps
Authentication
• Biometrics
Time Stamps
• Prevent replays
• Chronology
• Sender’s and receiver’s time stamps must match
Cipher Block Chain (CBC)
• Prevents block replay
• Self-healing (Error in block Cj affects Bj and Bj+1)
• Encryption
  – C1: { B1 }K (Usually B1 = Initial Vector)
  – C2: { B2 ⊕ C1 }K
  – Cj: { Bj ⊕ Cj-1 }K
• Decryption
  – Bj: { Cj }K ⊕ Cj-1
Cipher Feedback (CFB)
• Block nature of DES is inconvenient
  – Partial final block must be padded (size of ciphertext > size of plaintext)
  – Encryption cannot begin until entire 64-bit block is input (secure networks: every character must be encrypted)
• CFB: Block → Stream (the block cipher is used as a stream cipher)
  – Encryption error only affects the next 8 characters
Double Encryption
DES is “weak”
Can we use two 56-bit DES keys back to back?
• { { Message }K1 }K2
• 56-bit key → 2^56 possibilities
• Two 56-bit keys → 2^112 possibilities?
• No!
• 2^57 possibilities (Merkle, 1981: meet-in-the-middle attack)
Triple DES
Uses two 56-bit DES keys; Same hardware/software
Encryption
1. C1 = DESEncrypt(P, K1)
2. C2 = DESDecrypt(C1, K2)
3. C3 = DESEncrypt(C2, K1)
Decryption
1. D2 = DESDecrypt(C3, K1)
2. D1 = DESEncrypt(D2, K2)
3. P = DESDecrypt(D1, K1)
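A worked version of the block replay, block chaining and Triple DES slides above, added here as an example rather than code from the slides: a constructed Feistel toy cipher built on hashlib (not DES) plays the 64-bit block cipher, and the key, IV and transaction values are sample data. It shows the slide's six-block transaction being spliced together from two ECB ciphertexts, the same splice failing under CBC, and EDE collapsing to a single encryption when K1 = K2.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, block):   # constructed 8-byte Feistel toy cipher standing in for DES (not secure)
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return l + r
def dec_block(key, block):   # same round functions, applied in reverse order
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(key + bytes([rnd]) + l).digest()[:4]), l
    return l + r

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(key, pt):    # every block stands alone, so blocks can be cut and pasted
    return b"".join(enc_block(key, b) for b in blocks(pt))
def ecb_decrypt(key, ct):
    return b"".join(dec_block(key, b) for b in blocks(ct))

def cbc_encrypt(key, iv, pt):    # Cj = { Pj xor Cj-1 }K, with C0 = IV
    out = [iv]
    for b in blocks(pt):
        out.append(enc_block(key, xor(b, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):    # Pj = { Cj }K xor Cj-1: a damaged Cj spoils only Pj and Pj+1
    cs = [iv] + blocks(ct)
    return b"".join(xor(dec_block(key, cs[j]), cs[j - 1]) for j in range(1, len(cs)))

def tdes_ede(k1, k2, block):     # Triple DES EDE with two keys; k1 == k2 collapses to one encryption
    return enc_block(k1, dec_block(k2, enc_block(k1, block)))

def transaction(name, src, dest, amount):   # 24-byte name (3 blocks) + three 8-byte fields
    return b"".join(f.ljust(w).encode() for f, w in ((name, 24), (src, 8), (dest, 8), (amount, 8)))

def splice(ct_intruder, ct_victim):   # replay: intruder's name/DestAct blocks, victim's SrcAct/Amount
    ci, cv = blocks(ct_intruder), blocks(ct_victim)
    return b"".join(ci[:3] + [cv[3], ci[4], cv[5]])

KEY, IV = b"bank-key", bytes(8)   # constructed sample values
INTRUDER = transaction("Intruder", "xxx", "I#", "zz$")
VICTIM = transaction("John Doe", "yyy", "JD#", "8K$")
FORGED_ECB = ecb_decrypt(KEY, splice(ecb_encrypt(KEY, INTRUDER), ecb_encrypt(KEY, VICTIM)))
FORGED_CBC = cbc_decrypt(KEY, IV, splice(cbc_encrypt(KEY, IV, INTRUDER), cbc_encrypt(KEY, IV, VICTIM)))
```

Under ECB the spliced ciphertext decrypts to the fabricated transaction from the slide; under CBC the spliced SrcAct, DestAct and Amount blocks come out as noise because each depends on the preceding ciphertext block.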
5. Cryptographic Protocols
Cryptographic Protocol
• Orderly sequence of steps to achieve certain security properties
• Established in advance
• Mutually subscribed
• Unambiguous
• Complete
Kinds of Protocols
Arbitrated Protocols
• Trusted third party participates in each transaction
• Expensive, slow, vulnerable
Adjudicated Protocols
• Third party judges fairness after the fact
• Address disadvantages of arbitrated protocols
• Detect failure only after the fact
Self-Enforcing Protocols
• Guarantee fairness; cheating is immediately obvious
• May not exist for every situation
Applications of Protocols
• Key Distribution
• Certificates
• Digital Signatures
• Clipper Key Exchange
• Mental Poker
• Voting by Computer
• Oblivious Transfer
• Contract Signing
• Certified Mail
Key Distribution Protocols
1. Symmetric Key Exchange (without Server)
2. Symmetric Key Exchange (with Server)
3. Asymmetric Key Exchange (without Server)
4. Asymmetric Key Exchange (with Server)
Sym. Key Exchange (No Server)
Requirements
• A & B share KM (Master Key)
Protocol
1. A: Generates session key: KS
2. A → B: { KS }KM
Sym. Key Exchange (Server)
Needham-Schroeder Protocol
1. A → S: A, B, IA (IA: Unique session ID)
2. S → A: { IA, B, KAB, { KAB, A }KB }KA (new KAB)
3. A → B: { KAB, A }KB
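The three Needham-Schroeder messages above run end to end, as an added example that is not code from the slides: the { ... }K operation is a constructed toy authenticated encryption built from hashlib and hmac, and the long-term keys and principal names are sample values. A's check that the reply carries its own IA and the intended peer B is the step that ties message 2 to this run of the protocol.

```python
import hashlib, hmac, json, os

def keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def tag_ok(key, nonce, ct, tag):
    return hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest())

def seal(key, obj):
    """Constructed toy authenticated encryption standing in for { ... }K: SHA-256 keystream + HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not tag_ok(key, nonce, ct, tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class Server:
    def __init__(self, long_term_keys):
        self.keys = long_term_keys                 # KA, KB, ... each shared with S in advance

    def message_2(self, a, b, ia):
        """1. A -> S: A, B, IA    2. S -> A: { IA, B, KAB, { KAB, A }KB }KA with a fresh KAB"""
        kab = os.urandom(16).hex()
        ticket = seal(self.keys[b], {"kab": kab, "from": a}).hex()
        return seal(self.keys[a], {"ia": ia, "b": b, "kab": kab, "ticket": ticket})

def run(server, ka, kb):
    """A's and B's side of the exchange; returns True when both end up holding the same KAB."""
    ia = os.urandom(8).hex()                       # unique session ID
    reply = unseal(ka, server.message_2("A", "B", ia))
    if reply["ia"] != ia or reply["b"] != "B":     # A: reply must be for this session and this peer
        raise ValueError("stale or misdirected reply from S")
    ticket = bytes.fromhex(reply["ticket"])        # 3. A -> B: { KAB, A }KB, forwarded unread
    seen_by_b = unseal(kb, ticket)                 # B learns KAB and that it is shared with A
    return seen_by_b["from"] == "A" and seen_by_b["kab"] == reply["kab"]

KEYS = {"A": b"key-of-A-with-S!", "B": b"key-of-B-with-S!"}   # constructed long-term keys
```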
Asym. Key Exchange (No Server)
Important Point
• Asymmetric key encryption is very expensive
• Never encrypt the message; transmit an encrypted sym. key
Protocol
1. A → B: { { KAB }KApriv }KBpub
2a. B → A: { n }KAB (n: Random number)
2b. A → B: { n + 1 }KAB
Asym. Key Exchange (Server)
Protocol
1. A → S: A, B
2. S → A: { KBpub, B }KSpriv
3. A → B: { A, IA }KBpub (IA: message reference)
4. B → S: B, A
5. S → B: { KApub, A }KSpriv
6. B → A: { IA, IB }KApub (IB: message reference)
7. A → B: { KAB, IB }KBpub (KAB: message)
Certificates
Binding an Individual’s Identity and Public Key
• A: President and CEO
• B, C: Vice Presidents
• C supervises D and E
• B’s Certificate: { IDB, PosB, KBpub, H(.) }KApriv
• C’s Certificate: { IDC, PosC, KCpub, H(.) }KApriv
• D’s Certificate: { IDD, PosD, KDpub, H(.) }KCpriv, together with C’s Certificate
• Always need a top-level authority
Digital Signature Protocols
Goals
• Non Forgeable [M, sig(M, P)]
• Authentic
• Non Alterable; Non Reusable
• Non Repudiation
• Symmetric Key Protocol (Arbiter (A) needed)
• Cryptographic Sealing (Arbiter (A) needed)
• Asymmetric Key Protocol (Self-Enforcing)
Symmetric Key (Digital Signature)
Symmetric Key Protocol
(Non Forgeability, Authenticity, Non Repudiation)
• S → A: { M }KS
• A → R: { M, S, { M }KS }KR
• R: Unlocks with KR; saves M and { M }KS
Cryptographic Sealing (Dig. Sig.)
Cryptographic Sealing Function
• f(M) → unique value
• S and R register fS and fR with Arbiter A
Protocol (No Secrecy)
1. S → A: M, fS(M)
2. A: Recomputes fS(M); compares with fS(M) received from S
3. A → R: M, S, fS(M), fR(M, S)
Asymmetric Key (Digital Signature)
Protocol 1 (Non Forgeability, Authenticity, Non Repud.)
• S → R: { M }KSpriv
• R: { { M }KSpriv }KSpub → M (saves { M }KSpriv)
Protocol 2 (Double Encryption: Privacy)
• S → R: { { M }KSpriv }KRpub
• R: { { { { M }KSpriv }KRpub }KRpriv }KSpub → M
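The certificate chain from the Certificates slide and Protocol 1 above, as an added example rather than code from the slides: textbook RSA over constructed toy primes plays KApriv/KApub and the other key pairs, H(.) is SHA-256 truncated so the digest fits the toy modulus, and D's position is a sample value. It shows D's certificate being checked through C's certificate up to A as the top-level authority, and a receiver verifying D's signature on M while keeping { M }KDpriv as evidence.

```python
import hashlib

# Textbook RSA over constructed toy primes (far too small for real use); one key pair per principal
PRIMES = {"A": (10007, 10009), "B": (10037, 10039), "C": (10061, 10067), "D": (10069, 10079)}

def keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def h(data):                                      # H(.) from the slide, truncated to fit the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")

def sign(priv, data):                             # { H(data) }Kpriv
    d, n = priv
    return pow(h(data), d, n)

def verify(pub, data, sig):                       # apply Kpub and compare against a fresh H(data)
    e, n = pub
    return pow(sig, e, n) == h(data)

def make_cert(issuer_priv, subject_id, position, subject_pub):
    """{ ID, Pos, Kpub, H(.) }K(issuer)priv: the issuer signs the binding of identity to public key."""
    body = f"{subject_id}|{position}|{subject_pub[0]}|{subject_pub[1]}|sha256/24".encode()
    return {"id": subject_id, "pos": position, "pub": subject_pub, "body": body, "sig": sign(issuer_priv, body)}

def verify_chain(chain, root_pub):
    """chain is leaf first (D's certificate, then C's); each is checked with its issuer's key
    and the last with the top-level authority's key, which must be trusted out of band."""
    issuers = [c["pub"] for c in chain[1:]] + [root_pub]
    return all(verify(pub, c["body"], c["sig"]) for c, pub in zip(chain, issuers))

KEYS = {name: keypair(*pq) for name, pq in PRIMES.items()}          # KEYS[x] = (Kxpub, Kxpriv)
cert_C = make_cert(KEYS["A"][1], "C", "Vice President", KEYS["C"][0])
cert_D = make_cert(KEYS["C"][1], "D", "Staff", KEYS["D"][0])         # D's position is constructed

def protocol_1(message):
    """Protocol 1 with D as sender: the receiver verifies D's key via the chain, then the signature."""
    sig = sign(KEYS["D"][1], message)
    trusted = verify_chain([cert_D, cert_C], KEYS["A"][0]) and verify(cert_D["pub"], message, sig)
    return trusted, sig                           # the receiver keeps sig as { M }KDpriv
```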
Clipper Key Exchange Algorithm
Seven Step Protocol
• Three steps for key exchange
• Four steps for mutual authentication
• S & R share secret key KP, symmetric algorithm and asymmetric algorithm
Clipper Key Exchange (contd.)
Step 1
S → R: { KSpub }KP
Step 2
R: Uses KP to obtain KSpub
R: Chooses random session key Kk
R → S: { { Kk }KP }KSpub
Step 3
S: Uses KSpriv and KP to obtain Kk
Clipper Authentication (contd.)
Step 4
S → R: { M }Kk (M: Random string)
Step 5
R: Uses Kk to obtain M
R → S: { M, N }Kk (N: Random string)
Step 6
S: Checks M
Step 7
R: Checks N
Mental Poker Protocol
Symmetric Key Implementation
• A → B: { m1 }KA … { m10 }KA
• B: Locks 5 messages: { { mj }KA }KB …
• B → A: { mi }KA … & { { mj }KA }KB …
• A: Unlocks all 10 messages with KA; keeps 5 messages: { { mi }KA }KA … = mi …
• A → B: { { { mj }KA }KB }KA … = { mj }KB …
• B: Unlocks all 5 messages with KB; keeps 5 messages: { { mj }KB }KB … = mj …
Mental Poker Protocol (contd.)
Asymmetric Key Implementation
• A → B: { m1 }KApub … { m10 }KApub
• B: Locks 5 messages: { { mj }KApub }KBpub …
• B → A: { mi }KApub … & { { mj }KApub }KBpub …
• A: Unlocks all 10 messages with KApriv; keeps 5 msgs: { { mi }KApub }KApriv … = mi …
• A → B: { { { mj }KApub }KBpub }KApriv … = { mj }KBpub …
• B: Unlocks all 5 messages with KBpriv; keeps 5 msgs: { { mj }KBpub }KBpriv … = mj …
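A worked deal for the two mental poker implementations above, added as an example that is not code from the slides. The step where A strips its own lock from under B's lock ({ { { mj }KA }KB }KA = { mj }KB) only works if the two locks commute, which DES-style ciphers do not, so the example uses a constructed SRA-style commutative cipher (RSA exponentiation with a shared toy modulus, both exponents kept secret by each player); the card encoding and exponents are sample values.

```python
import random

# SRA-style commutative encryption: both players share modulus N, each holds a private (e, d) pair.
# Constructed toy primes, far too small for real use.
P, Q = 10007, 10009
N, PHI = P * Q, (P - 1) * (Q - 1)

def keypair(e):                       # e must be coprime to PHI; d = e^-1 mod PHI
    return e, pow(e, -1, PHI)

def lock(card, e):                    # { card }K
    return pow(card, e, N)

def unlock(card, d):                  # inverse of lock with the same player's key
    return pow(card, d, N)

def deal(cards, key_a, key_b, rng):
    """The slide's protocol with both sides' messages made explicit; returns (A's hand, B's hand)."""
    ea, da = key_a
    eb, db = key_b
    to_b = [lock(c, ea) for c in cards]                 # A -> B: { m1 }KA ... { m10 }KA
    rng.shuffle(to_b)                                   # B cannot read them, so it picks blind
    b_pick, a_pick = to_b[:5], to_b[5:]
    to_a = a_pick + [lock(c, eb) for c in b_pick]       # B -> A: { mi }KA ... & { { mj }KA }KB ...
    opened = [unlock(c, da) for c in to_a]              # A unlocks all 10 with KA
    a_hand, to_b_again = opened[:5], opened[5:]         # A keeps mi; B's five are now { mj }KB
    b_hand = [unlock(c, db) for c in to_b_again]        # B unlocks with KB and keeps mj
    return sorted(a_hand), sorted(b_hand)

def commutes(card, key_a, key_b):
    """Removing KA from under KB leaves exactly { card }KB: the property the protocol relies on."""
    return unlock(lock(lock(card, key_a[0]), key_b[0]), key_a[1]) == lock(card, key_b[0])

CARDS = list(range(2, 12))            # ten "cards" encoded as small integers (constructed)
HANDS = deal(CARDS, keypair(7), keypair(13), random.Random(1))
```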
Voting by Computer Protocol
2n-link chain (n: number of voters)
• Results at each link can be made public without destroying anonymity
• During the last n links, anyone can go back to check, but only one can go forward
• Assume three voters (J, K, L)
• Two pairs of public keys per voter
  – (KJpriv, KJpub); (KKpriv, KKpub); (KLpriv, KLpub)
  – (RJpriv, RJpub); (RKpriv, RKpub); (RLpriv, RLpub)
  – Ripub embeds a random string; allows voter i to check vote
Voting by Computer (contd.)
Step 0
• Each voter encrypts vote and sends it to J
  – J has: RJpub ∘ RKpub ∘ RLpub ∘ KJpub ∘ KKpub ∘ KLpub (vi)
Steps 1-3
• J (K, L) verifies vote is in pool with RJpriv (RKpriv, RLpriv)
• Applies RJpriv (RKpriv, RLpriv) to each vote
• Sends votes to K (L, J)
  – J has: KJpub ∘ KKpub ∘ KLpub (vi)
Voting by Computer (contd.)
Steps 4-6
• J (K, L) applies KJpriv (KKpriv, KLpriv) to each vote
• Signs all votes
• Sends votes to K (L)
  – L has all votes: vi
  – L counts votes
  – L posts results
Oblivious Transfer Protocol
Eight Step Protocol (Flipping a coin at a distance)
1. A: Picks two asymmetric key pairs: (KIpriv, KIpub), (KJpriv, KJpub)
2. B: Picks symmetric key: KB
3. A → B: KIpub, KJpub
4. B: Picks one key at random: KHpub
   B → A: { KB }KHpub
5. A: Picks I or J at random (say: J)
   Computes: KA = { { KB }KHpub }KJpriv (KA = KB if H = J)
6. A → B: { A loses }KA, J
7. B: M = { { A loses }KA }KB
   B → A: M, H (B loses if H ≠ J)
8. A → B: KIpriv, KJpriv (for verification)
Contract Signing Protocol
1. A: Selects 2n symmetric keys: C1 .. C2n
   Arranges them in pairs: (Ci, Cn+i), i = 1 .. n
2. A → B: { S }Ci, i = 1 .. 2n (S = Std Msg; each { S }Ci is an S-puzzle)
3. A: Agrees to contract if B can produce a pair (Ci, Cn+i) for any i (S-puzzle solution)
4. B: Repeats Steps 1-3 with keys Di and its own S-puzzles { S }Di
5. A → B: Exchange (Ci, Cn+i) … by Oblivious Transfer Protocol
   B → A: Exchange (Di, Dn+i) … by Oblivious Transfer Protocol
6. For each bit j:
   A → B: jth bit of Ci, i = 1 .. 2n
   B → A: jth bit of Di, i = 1 .. 2n
Certified Mail Protocol
1. A: Selects n + 1 symmetric keys: g0 .. gn
   Computes: gn+i = g0 ⊕ gi, i = 1 .. n
2. A → B: G = { M }g0 (g0 = gn+i ⊕ gi for all i)
3. A → B: Gi = { SA }gi, i = 1 .. 2n (SA = Std Msg)
4. B: Selects 2n symmetric keys: h1 .. h2n
   B → A: Hi = { SB }hi, i = 1 .. 2n (SB = Std Msg)
5. B: Agrees to acknowledge receipt of the plaintext of G if A can produce any one of the pairs (hi, hn+i) and all gj (j = 1 .. 2n)
6. A → B: Exchange (gi, gn+i) … by Oblivious Transfer Protocol
   B → A: Exchange (hi, hn+i) … by Oblivious Transfer Protocol
7. For each bit j:
   A → B: jth bit of gi, i = 1 .. 2n
   B → A: jth bit of hi, i = 1 .. 2n