CS 758: Cryptography / Network Security




CS 758: Cryptography / Network Security

- offered in the Fall Semester, 2003, by Doug Stinson
- my office: DC 3122
- my email address: dstinson@uwaterloo.ca
- my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html provides a link to the course web page
- lectures: Mondays and Wednesdays from 2:30 PM - 4:00 PM in E2 1303

Sept. 8, 2003

Objectives/Prerequisites

- basic cryptography concerns secure communication between two parties, while in this course we are interested in cryptographic protocols in a multiuser/network context
- there is no overlap with C&O 685 (Mathematics of Public-Key Cryptography), or with ECE 720 (Cryptographic Computations), or with ECE 710 (Sequence Design and Cryptography)
- prerequisites: a previous course in cryptography (e.g. C&O 487, Applied Cryptography) is helpful but not required
- background: basic complexity theory, elementary number theory, algebra (finite groups, finite fields, linear algebra), probability (random variables), combinatorics

Course Requirements

- students' grades will be based on assignments (4 or 5, about 70%) and a project (about 30%)
- the project will be a written project, possibly with a partner
- the project will involve preparing a report on a recent research paper on a topic related to the course material, or implementing and analyzing one or more protocols on a topic related to the course material

Course Outline

- Review of cryptographic primitives and their applications to information security, and notions of cryptographic security. Discussion of public-key encryption, secret-key encryption, message authentication, signature schemes, and hash functions.
- Techniques for entity authentication. Passwords, challenge-response, identification schemes (e.g., Fiat-Shamir, Guillou-Quisquater), general techniques for zero-knowledge proofs for NP-complete languages.
- Protocols for key establishment, transport, agreement and maintenance. Online key distribution using a trusted server (Kerberos). Public-key techniques, including Diffie-Hellman key agreement, man-in-the-middle attacks, STS and forward secrecy. Unconditionally secure key distribution, including the Blom scheme and combinatorial key distribution patterns.

Course Outline (cont.)

- Cryptography in a multi-user setting. Secret sharing schemes (including Shamir threshold schemes and schemes for general access structures). Conference key distribution and broadcast encryption. Copyright protection techniques and tracing schemes.
- Public-key infrastructure. Models for managing public keys and certificates (X.509 certificates, certification authorities, trust models, certificate verification and revocation, etc.). Applications, including PGP, SSL and IPsec.

Goals of Cryptography

- confidentiality: Confidentiality (or secrecy) means that data cannot be understood by an unauthorized party.
- data integrity: Data integrity means that data cannot be modified by an unauthorized party.
- data origin authentication: Data origin authentication is achieved when it can be verified that data was transmitted by a particular source.
- entity authentication: Entity authentication (or identification) refers to the verification of the identity of a person, computer or other device.

Goals of Cryptography (cont.)

- non-repudiation: Non-repudiation occurs when it is impossible for someone to deny having transmitted a message that, in fact, they did transmit.
- access control: Access control refers to the restriction of electronic or physical access to authorized parties.
- anonymity: Anonymity refers to the anonymous transmission of data, so that the origin cannot be determined.

Cryptographic Tools

- encryption schemes: Encryption schemes are used to achieve confidentiality.
- signature schemes: Signature schemes are used to sign data. A signature helps to ensure data integrity and data origin authentication, and it can also provide non-repudiation.
- message authentication codes: A message authentication code provides data integrity.
- cryptographic hash functions: A hash function is used to provide random, unpredictable redundancy in data.

Cryptographic Tools (cont.)

- key agreement protocols: A key agreement protocol is used to establish a common secret key known to two or more specified parties. Usually this key is to be subsequently used for another cryptographic purpose such as symmetric-key encryption or message authentication.
- identification schemes: An identification scheme provides entity authentication.
- pseudorandom number generators: Pseudorandom number generators expand a small, truly random, seed into a long string of bits that cannot be distinguished from random bits. Pseudorandom number generators are used in many cryptographic contexts, for example, in the generation of keys.

Tools and their Usage of Keys

A short summary of cryptographic tools and their usage of keys is provided in the following table. An X indicates that the given algorithm and key combination is feasible.

keys scheme public/private? secret? no key? encryption scheme X X signature scheme MAC hash function key agreement scheme X X identification scheme X X X X X

Secure Socket Layer

- client -> server: "I'm Alice"
- server -> client: "I'm Bob, Inc.", $PK$, $\mathrm{sig}_{CA}(PK)$
- client: verify $PK$; generate $MS$; $y = e_{PK}(MS)$; $K_1, K_2 = h(MS)$
- server: $MS = d_{PK}(y)$; $K_1, K_2 = h(MS)$

Cryptosystem

A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following conditions are satisfied:

1. $\mathcal{P}$ is a finite set of possible plaintexts
2. $\mathcal{C}$ is a finite set of possible ciphertexts
3. $\mathcal{K}$, the keyspace, is a finite set of possible keys
4. For each $K \in \mathcal{K}$, there is an encryption rule $e_K \in \mathcal{E}$ and a corresponding decryption rule $d_K \in \mathcal{D}$. Each $e_K : \mathcal{P} \to \mathcal{C}$ and $d_K : \mathcal{C} \to \mathcal{P}$ are functions such that $d_K(e_K(x)) = x$ for every plaintext element $x \in \mathcal{P}$.

Public-key vs Secret-key Cryptosystems

- in a secret-key cryptosystem, $K$ is known to both Alice and Bob:

      Alice (knows $K$): $y = e_K(x)$   --- $y$ --->   Bob (knows $K$): $x = d_K(y)$

- in a public-key cryptosystem, $K$ is known only to Bob and $e_K$ is public:

      Alice (knows $e_K$): $y = e_K(x)$   --- $y$ --->   Bob (knows $K$): $x = d_K(y)$

A Substitution-Permutation Network

[Figure: a substitution-permutation network taking plaintext x to ciphertext y through round keys K1 to K5, S-boxes, and intermediate values u, v and w.]

The Advanced Encryption Standard (AES)

AES has a block length of 128 bits, and it supports key lengths of 128, 192 and 256 bits. The number of rounds, Nr, depends on the key length: Nr = 10 if the key length is 128 bits; Nr = 12 if the key length is 192 bits; and Nr = 14 if the key length is 256 bits.

1. Given a plaintext x, initialize State to be x and perform AddRoundKey, which x-ors the RoundKey with State.
2. For each of the first Nr - 1 rounds, perform a substitution operation called SubBytes on State using an S-box; perform a permutation ShiftRows on State; perform an operation MixColumns on State; and perform AddRoundKey.
3. Perform SubBytes; perform ShiftRows; and perform AddRoundKey.
4. Define the ciphertext y to be State.

AES States

All operations in AES are byte-oriented operations, and all variables used are considered to be formed from an appropriate number of bytes. The plaintext x consists of 16 bytes, denoted $x_0, \ldots, x_{15}$. State is represented as a four by four array of bytes, initialized as follows:

$$
\begin{array}{|c|c|c|c|}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\
s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\
s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3}
\end{array}
\;\longleftarrow\;
\begin{array}{|c|c|c|c|}
x_0 & x_4 & x_8 & x_{12} \\
x_1 & x_5 & x_9 & x_{13} \\
x_2 & x_6 & x_{10} & x_{14} \\
x_3 & x_7 & x_{11} & x_{15}
\end{array}
$$

The Finite Field $\mathbb{F}_{256}$

The operation SubBytes performs a substitution on each byte of State independently, which involves operations in the finite field

$$\mathbb{F}_{2^8} = \mathbb{Z}_2[x]/(x^8 + x^4 + x^3 + x + 1).$$

Let BinaryToField convert a byte to a field element; and let FieldToBinary perform the inverse conversion. This conversion is done in the obvious way: the field element

$$\sum_{i=0}^{7} a_i x^i$$

corresponds to the byte $a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0$, where $a_i \in \mathbb{Z}_2$ for $0 \le i \le 7$.

SubBytes

    Algorithm: SubBytes(a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0)
        external FieldInv, BinaryToField, FieldToBinary
        z ← BinaryToField(a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0)
        if z ≠ 0 then z ← FieldInv(z)
        (a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0) ← FieldToBinary(z)
        (c_7 c_6 c_5 c_4 c_3 c_2 c_1 c_0) ← (01100011)
        for i ← 0 to 7 do
            b_i ← (a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i) mod 2
        return (b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0)

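ShiftRows

The operation ShiftRows acts on State as shown in the following diagram:

$$
\begin{array}{|c|c|c|c|}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\
s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\
s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3}
\end{array}
\;\longrightarrow\;
\begin{array}{|c|c|c|c|}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\
s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\
s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2}
\end{array}
$$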

MixColumns

    Algorithm: MixColumn(c)
        external FieldMult, BinaryToField, FieldToBinary
        for i ← 0 to 3 do
            t_i ← BinaryToField(s_{i,c})
        u_0 ← FieldMult(x, t_0) ⊕ FieldMult(x + 1, t_1) ⊕ t_2 ⊕ t_3
        u_1 ← FieldMult(x, t_1) ⊕ FieldMult(x + 1, t_2) ⊕ t_3 ⊕ t_0
        u_2 ← FieldMult(x, t_2) ⊕ FieldMult(x + 1, t_3) ⊕ t_0 ⊕ t_1
        u_3 ← FieldMult(x, t_3) ⊕ FieldMult(x + 1, t_0) ⊕ t_1 ⊕ t_2
        for i ← 0 to 3 do
            s_{i,c} ← FieldToBinary(u_i)
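The SubBytes and MixColumn algorithms above, written out as an added Python example (not code from the original slides). It assumes bytes are held as integers whose bit i is the coefficient $a_i$, computes FieldInv as $z^{254}$, and reduces the subscripts in the SubBytes loop modulo 8; the function names are chosen here.

```python
# Added example: SubBytes and MixColumn over F_{2^8} = Z_2[x]/(x^8+x^4+x^3+x+1).
# A byte is an int 0..255; bit i of the int is the coefficient a_i of x^i.

MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1


def field_mult(a: int, b: int) -> int:
    """FieldMult: shift-and-add multiplication, reducing modulo MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract the modulus
            a ^= MODULUS
        b >>= 1
    return result


def field_inv(z: int) -> int:
    """FieldInv for z != 0, computed as z^254 (z^255 = 1 in the field)."""
    result, base, exp = 1, z, 254
    while exp:
        if exp & 1:
            result = field_mult(result, base)
        base = field_mult(base, base)
        exp >>= 1
    return result


def sub_bytes(byte: int) -> int:
    """SubBytes: invert (0 stays 0), then b_i = a_i+a_{i+4}+...+a_{i+7}+c_i."""
    a = field_inv(byte) if byte else 0
    c = 0b01100011
    out = 0
    for i in range(8):
        bit = c >> i
        for k in (0, 4, 5, 6, 7):          # subscripts taken modulo 8
            bit ^= a >> ((i + k) % 8)
        out |= (bit & 1) << i
    return out


def mix_column(col):
    """MixColumn on one column t_0..t_3; x is the byte 0x02, x+1 is 0x03."""
    return [
        field_mult(2, col[i]) ^ field_mult(3, col[(i + 1) % 4])
        ^ col[(i + 2) % 4] ^ col[(i + 3) % 4]
        for i in range(4)
    ]


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(hex(sub_bytes(0x53)))
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```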

Modes of Operation

ECB (electronic code book) mode corresponds to the naive use of a block cipher: given a sequence $x_1 x_2 \cdots$ of plaintext blocks (each consisting of 128 bits, in the case of the AES), each $x_i$ is encrypted with the same key $K$, producing a string of ciphertext blocks, $y_1 y_2 \cdots$.

In CBC (cipher block chaining) mode, each ciphertext block $y_i$ is x-ored with the next plaintext block, $x_{i+1}$, before being encrypted with the key $K$. More formally, we start with an initialization vector, denoted by IV, and define $y_0 = \mathrm{IV}$. Then we construct $y_1, y_2, \ldots$, using the rule

$$y_i = e_K(y_{i-1} \oplus x_i), \quad i \ge 1.$$

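CBC Mode

[Figure: CBC mode. Encrypt: starting from IV = y_0, each plaintext block x_i is x-ored with y_{i-1} and passed through e_K to give y_i. Decrypt: each y_i is passed through d_K and x-ored with y_{i-1} to give x_i.]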
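An added example (not part of the original slides) comparing ECB with the CBC rule $y_i = e_K(y_{i-1} \oplus x_i)$ on a message with a repeated block. The block cipher is a stand-in chosen here, a toy 4-round Feistel permutation built from SHA-256 so the code runs with the standard library; it is not AES, and the key, IV and plaintext are constructed values.

```python
import hashlib

BLOCK = 16  # bytes per block (128 bits, the AES block length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (assumption: NOT AES, not secure).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def e_K(key: bytes, x: bytes) -> bytes:
    """Encrypt one block with the toy Feistel permutation."""
    left, right = x[:8], x[8:]
    for r in range(4):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right


def d_K(key: bytes, y: bytes) -> bytes:
    """Invert e_K by running the rounds backwards."""
    left, right = y[:8], y[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def ecb_encrypt(key, xs):
    return [e_K(key, x) for x in xs]          # every block on its own


def cbc_encrypt(key, iv, xs):
    ys, prev = [], iv                          # y_0 = IV
    for x in xs:
        prev = e_K(key, _xor(prev, x))         # y_i = e_K(y_{i-1} xor x_i)
        ys.append(prev)
    return ys


def cbc_decrypt(key, iv, ys):
    xs, prev = [], iv
    for y in ys:
        xs.append(_xor(d_K(key, y), prev))     # x_i = d_K(y_i) xor y_{i-1}
        prev = y
    return xs


# Constructed sample: the first two plaintext blocks are identical.
KEY = b"constructed key!"
IV = bytes(range(BLOCK))   # fixed here only so the demo is repeatable
XS = [b"A" * BLOCK, b"A" * BLOCK, b"B" * BLOCK]

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, XS), cbc_encrypt(KEY, IV, XS)
    print("ECB: y1 == y2 ?", ecb[0] == ecb[1])   # repetition shows through
    print("CBC: y1 == y2 ?", cbc[0] == cbc[1])   # chaining hides it
    print("CBC round trip:", cbc_decrypt(KEY, IV, cbc) == XS)
```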

The RSA Public-key Cryptosystem

Let $n = pq$, where $p$ and $q$ are large primes. Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_n$, and define

$$\mathcal{K} = \{(n, p, q, a, b) : ab \equiv 1 \pmod{\phi(n)}\}.$$

For $K = (n, p, q, a, b)$, define

$$e_K(x) = x^b \bmod n$$

and

$$d_K(y) = y^a \bmod n$$

($x, y \in \mathbb{Z}_n$). The values $n$ and $b$ comprise the public key, and the values $p$, $q$ and $a$ form the private key.

A Toy Example

- suppose Bob chooses primes $p = 101$ and $q = 113$
- then $n = 11413$ and $\phi(n) = 100 \times 112 = 11200$
- suppose Bob chooses public encryption exponent $b = 3533$
- then his private decryption exponent is $a = b^{-1} \bmod 11200 = 6597$
- suppose Alice wants to encrypt the plaintext $x = 9726$
- she will compute $y = 9726^{3533} \bmod 11413 = 5761$ and send $y$ to Bob
- when Bob receives the ciphertext $y = 5761$, he computes $x = 5761^{6597} \bmod 11413 = 9726$.

The Rabin Cryptosystem

Let $n = pq$, where $p$ and $q$ are primes. Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_n$, and define $\mathcal{K} = \{(n, p, q)\}$. For $K = (n, p, q)$, define

$$e_K(x) = x^2 \bmod n$$

and

$$d_K(y) = \sqrt{y} \bmod n.$$

The value $n$ is the public key, while $p$ and $q$ are the private key.

Note: there are four square roots of $y$ modulo $n$.

A Toy Example

- suppose Bob chooses primes $p = 7$ and $q = 11$
- then the encryption function is $e_K(x) = x^2 \bmod 77$ and the decryption function is $d_K(y) = \sqrt{y} \bmod 77$
- suppose Alice encrypts the plaintext $x = 32$ to send to Bob
- the ciphertext is $y = 32^2 \bmod 77 = 23$
- the four square roots of 23 modulo 77 are $\pm 10, \pm 32 \bmod 77$
- the four possible plaintexts are $x = 10, 32, 45$ and $67$
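An added example (not from the original slides) of how Bob can compute the four square roots in the Rabin toy example from his private key. It assumes $p \equiv q \equiv 3 \pmod 4$, which holds for 7 and 11, so that a square root modulo each prime is $y^{(p+1)/4}$; the roots are then combined with the Chinese remainder theorem. Function names are chosen here.

```python
from itertools import product


def crt(rp: int, p: int, rq: int, q: int) -> int:
    """Combine x = rp (mod p) and x = rq (mod q) into x modulo pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def rabin_encrypt(x: int, n: int) -> int:
    """e_K(x) = x^2 mod n; only the public value n is needed."""
    return x * x % n


def rabin_decrypt(y: int, p: int, q: int) -> list:
    """Return the square roots of y modulo n = pq, sorted ascending.

    Assumption: p and q are primes congruent to 3 modulo 4, so a square
    root of y modulo p is y^((p+1)/4) mod p (and likewise for q).
    """
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this shortcut needs p = q = 3 (mod 4)")
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    # If y is not a square modulo p or q, the candidates fail this check.
    if rp * rp % p != y % p or rq * rq % q != y % q:
        raise ValueError("y is not a square modulo n")
    # Each choice of sign modulo p and modulo q gives one root modulo n.
    return sorted({crt(sp, p, sq, q)
                   for sp, sq in product((rp, p - rp), (rq, q - rq))})


if __name__ == "__main__":
    p, q = 7, 11                      # Bob's primes from the toy example
    y = rabin_encrypt(32, p * q)      # Alice encrypts x = 32
    print("ciphertext:", y)
    print("candidate plaintexts:", rabin_decrypt(y, p, q))
```

Decryption alone cannot tell which of the four candidates Alice sent; the receiver needs some agreed structure in the plaintext to pick the right one.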