Modul 1. Basics in Cryptography

Transkript

1 Modul 1 Basics in Cryptography Folie 1

2 Objectives of Cryptography Privacy: Assure confidentiality of information Integrity: Assure retention of information, i.e. no unauthorized modification Authentication: Identify for certain who is communicating with you Accountability: Assure identification who did what and when No-repudiation: The ability to provide proof of the origin or delivery of data Folie 2

3 One Time Pad Random Numbers + linking by XOR pros: provable safety cons: Key exchange, there are no random numbers Application case: TAN-method in the context of Home banking Folie 3

4 Symmetric Cryptography Alice smart card K Bob and Alice are using the same key K -----> smart card K Bob symmetric cryptography encrypted encrypted Internet Folie 4

5 Symmetric block encryption - symmetric cryptography K K plaintext cyphertext plaintext Let K be a Key and enc and dec a encryption function such that dec = enc -1 then plaintext = dec( K, enc (K, plaintext )) key space (set of all keys) has 2? 64! elements (this implies a key length up to log 2 (2?!) 10 bit) there are approximately infinite methods to construct a symmetric block encryption algorithm Folie 5

6 The symmetric block encryption algorithm DES 8 Byte Key 8 byte block plaintext 8 Byte block cipher text Currently DES is the most important symmetric block encryption algorithm. To be honest: only 56 bit of the DES 8 Byte key is used. A saver variant of DES is Triple-DES (112 bit key). In the future the DES algorithm will be substituted by the recent AES (Advanced Encryption Standard) algorithm. DES is a very fast algorithm and it can easily be hardware-implemented in a smart card (crypto processor unit) Other block encryption algorithms: IDEA (used by PGP, 128 key length), Blowfish, Twofish, RC2, RC5, RC6. Folie 6

7 DES and Triple-DES DES key k = ( k k 56 1,..., 56) {0,1 } DES encryption E 1 k 64 :{0,1} {0,1} 64 DES decryption D 1 k 64 :{0,1} {0,1} 64 formula Triple DES encryption Triple DES decryption k = ( kl, kr) E = E D D 1 1 ( k1,..., k56 ) ( k56,..., k 3 k : 1 1 = E k o D kr o l 3 k : 1 1 = D k o E kr o l E D 1 ) 1 kl 1 kl Folie 7

8 AES (Advanced Encryption Standard) in October 2000, the NIST (National Institute of Standards and Technology) announced the approval of a new secret key cipher standard chosen among 15 candidates block and key length of 128, 192 or 256 Very high encryption speed (200 MBit/sec using a 1GB-PC) Very efficiently to implement (even on a 8-Bit smart card (math. calculation is based on the Galois field ( 8 bit numbers). Universally applicable: One way hash, MAC, pseudo random number generator AES can also be used by smart cards Folie 8

9 Operating Mode Electronic Code Book (ECB) blocka (8 Byte) blockb (8 Byte) blockc (8 Byte) s-key s-key s-key blocka' (8 Byte) blockb' (8 Byte) blockc' (8 Byte) very simple It is not very safe: If block A equals block B then also the cipher blocks A' and B' are equal. Folie 9

10 Operating Mode Cipher Block Chain (CBC) and Hashing block (8 Byte) block (8 Byte) block (8 Byte) Data init-vektor (8 Byte) s-key s-key s-key Hash block (8 Byte) block (8 Byte) block (8 Byte) trunc XOR CCS (4 B.) CCS Criptographic Checksum Folie 10

11 cipher block chaining (used by the BasicCard) P = B,..., B l, B ) ( l 8) ( 1 1 l P n m blocking + padding with 00 bytes P ' = ( P1,..., P n 1, Pn ) l + m = 8n C 0 C i = E k ( Ci 1 xor i P ) ( i = 1... n) init.- vektor C truncate by bytes n 1 m ( 1 1 n C,..., C' n, C ) C = B',..., B' l, B' ) concatenate ( 1 1 l Folie 11

12 Fachbereich Angewandte Informatik Public Key Cryptography

13 Public-Key-Kryptographie certificate A assigned to Alice Alice smart card A A seal Alice has two keys a secret key (e.g. on a smart card) a public key (not secret, can be stored in a public directory or on her homepage To encrypt and decrypt information, you need both keys Folie 13

14 Certificate Tuple (owner, public key, SignatureCA(owner, public key)) Additional data: Angabe des eingesetzten Signaturverfahrens, Beginn und Ende der Gültigkeit, Seriennummer, Attribute, Namen der ausstellenden Certification Authority, Einschränkungen der Nutzung des Signaturschlüssels Time Stamp =SignatureCA (hash value, time) Standard: X509v3 Folie 14

15 Public Key Cryptography - The Concept of Confidentiality smart card A public keys (to be used by everyone) A B smart card B Alice Bob B B Internet Folie 15

16 Public Key Cryptography - The Concept of Digital Signatures smart card A public keys (to be used by everyone) A B smart card B Alice Bob A A Internet Folie 16

17 Public Key Algorithms RSA based on prime numbers typical key length: 1024 bit Elliptic functions based on elliptic functions and finite fields typical key length: 160 bit Pro and cons of public key cryptography: + allows sophisticated key management + very high safety - slow algorithms Folie 17

18 RSA Method public key = (e,n) private key = (d,n), where d e-1 mod φ(n) with φ(n) = (p-1) * (q-1) encryption: plain text M (<n) cipher text C = Me mod n decryption: cipher text C plain text M = Cd mod n no patent (since autumn 2000) Convention: pk: public key, encryption key sk: signature key, secret key, private key, decryption key Folie 18

19 Fachbereich Angewandte Informatik Hybrid Encryption

20 The Concept of Hybrid Encryption Scenario: A (Alice) wants to encrypt a document for B (Bob) public key of B B (arbitrary) symmetric key SK SK encrypted Folie 20

21 The Concept of Hybrid Decryption Scenario: B (Bob) wants to read the document sent by A (Alice) smart card B SK SK symmetric key encrypted Folie 21

22 The Problem of Key Management The problem of key management: How to exchange the common symmetric key for hybrid encryption? Two Solutions: Solution 1: By sending an encrypted symmetric key Solution 2: Using the Diffie-Hellman key exchange algorithm --> next slide Folie 22

23 Diffie-Hellman Key Exchange Algorithm smart card A public keys (to be used by everyone) A B smart card B Alice Bob Diffie-Hellman key exchange algorithm Diffie-Hellman key exchange algorithm this derived key is often called "a shared secret" SK These keys are equal! SK Folie 23

24 Standard Process for Hybrid Encryption (RSA / elliptic) step 1: generate a private and a public key step 2: get the public key of the communicatio n partner step 3: Calculate the shared secret using Diffie- Hellmann step 4: Derive a symmetric session key from the shared secret step 5: use symmetric encryption for secure communication PKI Diffie-Hellmann hash DES / AES RSA / elliptic sk1 PKI pk1 pk2 sk2 Dif.-Hell. man-inthe-middle Dif.-Hell. shared secret == shared secret Folie 24

25 hash function (one way function) plain text of arbitrary length is mapped to a hash value of fixed length It is difficult to find any (x, y) with H(x) = H(y) (strong collision resistant) Given x it is difficult to find a y such that H(x) = H(y) (weak collision resistant) MD5: 128 Bit hash value (used by PGP) SHA-1: 160 Bit hash value RIPE-MD: 160 Bit hash value (is supposed to be very save) Message Authentication Code (MAC) ist eine schlüsselabhängige Einweg- Hashfunktion ( Integrität + Authentizität der Nachricht), Realisierung durch DES oder AES im CBC-Mode Folie 25

26 digital signature Method: Hash the document D, encrypt the hash value H using the secret key S the signed document = (D, encs(h)) Standards for digital signetures: DSA (Digital Signature Algorithm, diskreter Algorithmus, 1024-Bit Schlüssellänge, NIST-Standard (National Institute of Standards and Technology)), DSS (Digital Signature Standard, Nachfolger DSA, digitalen Beglaubigungsstandard der US-Regierung), RSA (einfacher und beliebter) Folie 26

27 Erzeugung von sicheren Zufallszahlen Zufallszahlen werden zur Realisierung sicherer Protokolle benötigt Die Erzeugung von echten Zufallszahlen ist schwierig und mit algorithmischen Verfahren unmöglich: John von Neumann: Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. jeder Zufallszahlen -Generator in einem Computer ist zwangsläufig periodisch und damit nicht zufällig Definition: Ein Pseudozufallsbitgenerator ist ein deterministischer Algorithmus, der als Eingabe eine echt zufällige Bitfolge (seed) erhält und daraus eine (längere) Bitfolge erzeugt, die den Eindruck der Zufälligkeit erweckt. Die Güte eines Pseudozufallsbitgenerator kann mathematisch gefasst werden kryptographisch sicherer Pseudozufallsbitgenerator Folie 27