Scribd
Upload
74 views48 pages

Module 2 P

The document covers key concepts in applied cryptography, including symmetric and asymmetric encryption, hash functions, and cryptanalysis. It outlines the goals of cryptography such as confidentiality, integrity, authenticity, and non-repudiation, while also discussing various encryption methods and their historical context. Additionally, it highlights the importance of key management and the role of certificate authorities in establishing trust in public key infrastructure.

Uploaded by

akun test
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
74 views48 pages

Module 2 P

The document covers key concepts in applied cryptography, including symmetric and asymmetric encryption, hash functions, and cryptanalysis. It outlines the goals of cryptography such as confidentiality, integrity, authenticity, and non-repudiation, while also discussing various encryption methods and their historical context. Additionally, it highlights the importance of key management and the role of certificate authorities in establishing trust in public key infrastructure.

Uploaded by

akun test
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 48

Applied Cryptography

This Week’s Objectives


• Symmetric Encryption
• Asymmetric Encryption
• Hash Functions
• TLS Example
• Cryptanalysis and Attacks

3
Terminology
Cryptography – More practical (engineering) development and study of encryption
systems
Cryptology – More academic (mathematical) study of encryption and their
properties
Cryptanalysis – Analysing and breaking cryptographic systems.

4
Goals of Cryptography
Confidentiality: Only authorised people get to see the data.
Integrity: There is certain assurance that data has not been manipulated or
corrupted.
Authenticity: There is certain assurance we know who sent/created the data.
Non-Repudiation: Certain assurance that the author/sender cannot deny an
action.
(Note: Availability is NOT a goal of crypto)

5
Symmetric Key Encryption

K K

BOB
ALICE
D(C, K) → M
E(M, K) → C
Ciphertext C Ciphertext C Plaintext M
Plaintext M

EVE (the Eavesdropper)


6
Terminology
Plaintext = original unencrypted message
Ciphertext = encrypted message
Adversary: is the person/s you are trying to keep a secret
from
Encryption: the process of disguising sensitive information
Cipher: is the algorithm or process used to encrypt/decrypt
Key: is the secret cipher setting chosen known only to
sender and receiver.
Historic Symmetric Ciphers
CAESAR Cipher (shift cipher)

MEET AT THE HUB

NFFU BU UIF IVC

E(M, n) → shift each character by n (1≤ n ≤ 25)

D(C, n) → shift each character by… 26-n

ROT13
How to attack?
Try n=1,2,…25
Used in news groups
Simple brute force
8
Historic Symmetric Ciphers
Vigenère cipher ABCDEFGHIJKLMNOPQRSTUVWXYZ

MEET AT THE HUB

MHIE DX TKI HXF


K=ADEL (0,3,4,11)

E(M, K) → shift 1st char by K1, 2nd by K2, etc.(1≤ Ki ≤ 25)

D(C, K) → shift 1st char by 26-K1 etc

How to attack?
Frequency Analysis
9
Historic Symmetric Ciphers
SUBSTITUTION cipher

MEET AT THE HUB

DTTM AM MIT IWZ


K= AZERTYUIOPQSDFGHJKLMWXCVBN

ABCDEFGHIJKLMNOPQRSTUVWXYZ

E(M, K) → {A→A, B→Z, C→E, etc}


D(C, K) → {A→A, Z→B, E→C, etc}
How to attack?
Frequency Analysis
10
Frequency Analysis
ETAOIN SHRDLU CMFWYP VBGKQJ XZ

https://www.dcode.fr/frequency-analysis 11
Historic Symmetric Ciphers
POLYGRAPHIC SUBSTITUTION cipher

ME ET AT TH HU B

ME ➔ KY ET➔RD etc

C Y B E R
S C A G H
I M L K N
O P Q D T
U V W X Z
12
Transposition Cipher
Create anagram of the message by doing column transposition.
The key dictates the number of columns and the ordering.

“We are discovered flee


EVLNE ACDTK ESEAQ
at once”
ROFOJ DEECU WIREE

Key = ZEBRAS = 632415


(alphabetical order) 13
Kerckhoffs's principle
The system must be practically, if not mathematically, indecipherable.
It must not be required to be secret, and it must be able to fall into the hands of the enemy without
inconvenience.
Its key must be communicable and retainable without the help of written notes, and changeable or
modifiable at the will of the correspondents.
It must be applicable to telegraphic correspondence.
Apparatus and documents must be portable, and its usage and function must not require the
concourse of several people.
Finally, it is necessary, given the circumstances that command its application, that the system be easy
to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

1. Encryption scheme should be open (don’t rely on security by obscurity)


2. Only the secret key should be kept secret
3. It should be easy to change keys (in case of a compromise)

Shannon’s Maxim: Don’t rely on security through obscurity.


15
15
XOR 01001010
 11011001
10010011

Properties MK=C
• A  {0} = A
• A  {1} = ~A
• A  A = {0} C K=M
• AB = B A
• A  (B  C) = (A  B)  C

E(M,K) = XOR(M,K)
D(C,K) = XOR(C,K)
16
One-Time Pad
C=1011101010100000111010…1111010101100110001110110101010010
K=1010001001111010001100…0110001101001010111010010010010101

• Mathematically proven PERFECT secrecy! BUT


• Must key must be completely random
• Key must be as long as the plaintext (very long!)
• Can only be used ONCE
• If there is a way to safely exchange the key… just as well safely
exchange the message

NOT PRACTICAL
17
N-Time Pad?
C=1011101010100000111010…1111010101100110001110110101010010
K=1010001001111010001100…0110001101001010111010010010010101

• Can we exchange K once, and use it multiple times?


• NO!
• If the attacker has multiple ciphertexts (C1, C2, C3..) encrypted
with the same key…

C1  C2 = (M1  K)  (M2  K)
= (M1  M2)
You can deduce locations of spaces, then work out M1 and M2 and K 17
Block vs Stream Ciphers
• Block cipher (most common type)
o Encrypts data in blocks of predetermined size
o Different modes of operation
▪ Electronic Code Book (ECB)
▪ Cipher Block Chaining (CBC)
▪ Counter Mode (CTR) – NIST recommended mode
• Stream cipher
o Encrypts data one bit at a time
o Faster and less resources than block ciphers
o Not as strong as block ciphers
Block Ciphers
Fixed length KEY
M {0,1}n → E(M,K) {0,1}n

KEY KEY

M E C D M

• Encryption is seemingly random permutation of bits


• Must be reversible
20
If len(M) > len(K)
Use K repeatedly (NOT the same as n-time pad)
Different MODES
M
M1 M2 M3 M4 M5 M6 PAD

K K K K K K

C1 C2 C3 C4 C5 C6

ECB (Electronic Code Book) Mode


• Simple
• Can encrypt in parallel (fast)
• But can deduce plaintext (if C1 and C2 are same)

21
ECB vs CBC

ECB

CBC

CBC = Cipher-Block Chaining


22
CBC – Chaining Mode

• Uses random initialisation vector (IV) to start off first block


• Repeated plaintext does not lead to repeated ciphertext
• Must be encrypted/decrypted in SERIAL

23
CTR – Counter Mode

• Use NONCE + sequential counter


• Can be computed in parallel
**There are other modes such as GCM that incorporate message authentication

24
Common Ciphers
• Block Ciphers
o DES – Data Encryption Standard (no longer secure – prone to BEAST attack)
Key size: 56 bits
o 3DES (Triple DES: DES used 3 times: encrypt with K1, decrypt with K2, then
encrypt again with K1) key size: 168, 112 or 56 bits.
o AES (Advanced Encryption Standard also known as Rijndael) Key size: 64,
128, 192, 256, 512, 1024 bits)
▪ current standard
• Stream Ciphers
o RC4 – Used in wireless networks
o A5 – Used in mobile networks
25
Diffie-Hellman Key Exchange (DH)

Way to agree on secret key without prior


agreement
p is a large prime
Uses Modular Arithmetic 1 < g < p-1

a b
A=ga mod p B=gb mod p
A B BOB
ALICE
K= Ba mod p = gba mod p K= Ab mod p = gab mod p

A,B,p,g 25
DH Colour Analogy

https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
a => ga mod p = A EASY
A => a HARD
Example p,g
Colour Analogy

https://www.youtube.com/watch?v=U1kybvKaUeQ
28
Symmetric Key Limitations
How to securely exchange the secret key?
What if there are N people? You need to manage
(N! / 2) number of keys!! Exponentially increases.
B
A

E
D
29
Asymmetric Key Encryption

• KEY for encryption is DIFFERENT from KEY for decryption

KENC KDEC

M E C D M

31
Asymmetric Encryption Public Key Cryptography
(RSA)
KApriv KBpriv

KApub BOB
ALICE KBpub

E(M, KBpub) → C D(C, KBpriv) → M

Alice only needs to know Only Bob (with knowledge of private key KBpriv ) can
Bob’s public key KBpub decrypt ciphertext encrypted with KBpub

32
RSA
• Based on factorisation of VERY large primes (~1000 bits)
• Suppose there are large primes p and q
• n = p*q is easy to compute
• Factorising n into p and q is computationally hard
• Kpub (or Kenc) = f(n) => only knowledge of n required
• Kpriv (or Kdec) = g(p,q) => requires knowledge of p and q

33
RSA used as Digital Signature

KApriv KBpriv

KApub BOB
ALICE KBpub

E(M, KApriv) → S D(S, KApub) → M

Only Alice can create S Anyone can verify by decryption S using Alice’s
public key KApub

34
Cryptographic Hash
• Digital ”fingerprint” of a piece of data
• One-way function
• Practically collision free
• Variable input, fixed-length output
• MD5, SHA1, SHA256, etc

160 bits Message Digest

de9f2c7fd25e1b3afad3e85
M SHA-1
a0bd17d9b100db4b3

• Provides INTEGRITY assurance of M


• Even if a single bit changes in M, the resulting Message Digest would
be completely different

36
MD5 Collision
broken in 2004

All these have the same MD5


signature!

https://natmchugh.blogspot.com/2014/11/three-way-md5-collision.html

Flame malware (2012) that carried the correct


Practical Microsoft code-signing certificate by finding a
implication collision of a legitimate software, signed by an old
certificate that still used MD5
37
Document Signing

Alice owes Alice owes


Bob $10 Bob $10

SHA1 Fingerprint SHA1 Fingerprint


de9f2c7fd25e
de9f2c7fd25e 1b3afad3e85
1b3afad3e85 a0bd17d9b10
a0bd17d9b10 0db4b3
0db4b3

Encrypt Fingerprint Decrypt


With Alice’s Private Key With Alice’s Public Key

38
Document Signing

Alice owes Alice owes


Bob $10 Bob $100

SHA1 Fingerprint SHA1 Fingerprint


2fd4e1c67a2
de9f2c7fd25e d28fced849e
1b3afad3e85 e1bb76e7391
a0bd17d9b10 b93eb12
0db4b3

Encrypt Fingerprint Decrypt


With Alice’s Private Key With Alice’s Public Key

39
How can you trust the public key advertised by
Alice? Is it really Alice?

MITM

Certificate Authority (CA)


Trusted Authority
40
CA Grant & Revokes Certificates
Comodo
Symantec
GoDaddy Whole thing encrypted by CA’s Private Key
etc

CA certifies that Alice’s Public Key


is 0xABCDE12345…

Signed by CA’s Private Key

Public Key Certificate 40


Putting it all together…
TLS1.2 HTTPS connection initiation

Hello let’s do TLS

OK Here is my Certificate,
containing my public key

Certificate verified with CA!

Let’s use this session key (encrypted


using server public key)

Decrypt Data Encrypted Data


Encrypted Data Decrypt Data
42
Cipher Suite (TLS)

Key Exchange + Authentication + Block Cipher (Session) + Message Digest

ECDHE RSA AES in GCM mode SHA384


43
Key Length
• Key length directly affects strength of cipher
o Shorter key lengths are easier to break
• Brute force attack could check ALL keys so make it practically
impossible by choosing a big key size
• Symmetric Keys
o AES 256bits
• Asymmetric keys
o RSA 2048bits
• Hashing
o SHA-256 or SHA-512
Storage of Passwords
• Storing and sending plaintext password is WRONG
• Encrypting is also bad, because
• if key is stolen, then all the passwords are exposed
• Same passwords compute to same ciphertext
• Ciphertext length ~ Password length
• Solution is to use hashing
• Same length output
• No key management required
• Same passwords still compute to same ciphertext
• ⇒ SALTING
46
Password Hashing
User ID Hashed Password

Alice H(password)

Use MD5, SHA1, SHA256, etc for password hashing

Same password still computes to same hash

Precomputation attack became feasible

47
Rainbow Table
• Precomputed table of hashes paired with plaintext password
• Used for “reversing” hashes to original plaintext (remember, you cannot
unhash a hash, but you can keep a table of plaintext-hash pairs and do a
reverse lookup.)

http://project-rainbowcrack.com

US$2400 on a 6TB Disk (Free Delivery) 48


Salting
User ID Salt = 12 random bits Hashed Password

Alice 001101011 H(Salt || password)

• Salting is not strictly kept secret


• Randomly generated for each user
• Same password ≠ Same hash

Salting does NOT reduce computational


difficulty of cracking one password
But it does make PRE-COMPUTATION (or
Rainbow Table) attacks very hard (x212)

Does NOT prevent replay attacks


(pass the hash)
49
Modern Linux
/etc/shadow

6 indicates hashing protocol => SHA512


8 chars up to next $ is the random salt
Remainder is the hash => H(salt || password)

50
Slow Password Hashing
Salting does NOT reduce computational
difficulty of cracking one password
• BCrypt (Blowfish), Argon2 SCrypt, PBKDF2
• Use “stretching” to hash many times over
• H(H(H(H(……..secret))))))))…..)))))
• Make it difficult to parallelise using GPU
• No efficient way to create rainbow tables
• Example: ~100 guesses/sec with bcrypt (vs 1,000,000,000
guesses/sec with SHA1 on a desktop GPU)

51
Password Attack Tools
• Offline Password Cracking
• John the Ripper
• Hashcat
• Rules for “mangling” passwords
• Uses GPU
• Online Password Cracking
• THC Hydra
• Brutus
• Other
• Cewl – dictionary-builder
• etc

53
Lecture 0x02 - Summary
• We have covered
o Symmetric Encryption
o Asymmetric Encryption
o Hash Functions
o TLS Example
o Cryptanalysis and Attacks
• Cryptography is difficult to get right, both in design and implementation…
DON’T try to write your own cryptography algorithms – use a library that is
tried and true.
• Key length is important, choose a cipher of sufficient length to ensure it
cannot be broken

54

You might also like