Tài liệu Introduction to Encryption II pdf

“quickly” for certain inputs • exponential or super-polynomial problems • factoring large integers into primes RSA • solving the discrete logarithm problem El Gamal • computing elliptic

Encryption and Exploits - SANS ©2001 1

Introduction to Encryption II

Security Essentials The SANS Institute

This is the second of two of the most important classes we have the privilege to teach as part of the SANS Security Essentials course In the first course, we went on a quick tour of some of the important issues and concepts in the field of cryptography We saw that encryption is real, it is crucial, it is a foundation of so much that happens in the world around us today and, most of it in a manner that is completely transparent to us

I guess you know that one of SANS’ mottos is, “Never teach anything in a class which the student can’t use at work the next day.” One of our goals in this course is to help you be aware of how cryptography operates under the covers in some of the major cryptosystems which are used on a 24x7 basis in our world Along the way, we’ll share some hard-earned pragmatic lessons we’ve learned, and hope that our experience will be of help to you

Enjoy!

Encryption II - SANS ©2001 2

Why Do I Care About Crypto?

U.S Dept of Commerce

no longer supports DES

Distributed Denial of Service attack daemon found to be protected by “blowfish”

a DES-like block cipher

National Institute of Standards and Technology (NIST) is leading the development of AES the replacement for DES

Mobile Code

Communications in the presence of adversaries…

ConfidentialityÌIntegrityÌAuthenticationÌNon-repudiation

Insecure Global Networks

When you use a secure mobile telephone, all communications between you and the party on the other end are rapidly encrypted and decrypted on the fly, so that any eavesdropper will not be able to listen

in on your conversation Every once in awhile, we hear how the confidential communication of a public figure was intercepted and his or her privacy compromised Yet another example of not using cryptographically enabled products

One of the more important emerging applications of cryptographically-enabled communications is at e-commerce-enabled web sites on the Internet and the World Wide Web When supported with an enterprise-wide Public Key Infrastructure (PKI), a whole suite of new and innovative products and services is instantly enabled Today, this is leading to new business opportunities, new capabilities being delivered to consumers, new functionality provided by organizations to their shareholders, fundamental changes in the way entire industries function, new legislation, tapping into global opportunities, etc

We begin this course by examining the conceptual underpinnings behind major cryptosystems that

are in use today In particular, we’ll look at Triple-DES which is a good alternative for the now obsolete DES algorithm, which is officially no longer considered to be secure Next, we’ll stop by

for a quick status update on the development activity that is currently underway throughout the

global cryptographic community in connection with the new Advanced Encryption Standard

(AES).

Our next stop will be the RSA algorithm, which is a widely implemented public key cryptographic

algorithm, and which came off-patent in September 2000 We’ll perform an exercise in which we’ll walk through a highly simplified version of the mathematical mechanism upon which the RSA algorithm is based

We’ll wrap up this course by considering the characteristics of emerging Elliptic Curve

Cryptosystems (ECC), which are rapidly growing in popularity due to the proliferation of such

devices as PDAs, mobile telephones, information appliances, ATMs, and smart cards

All right Enough of the big picture Let’s dive right into it…

Encryption II - SANS ©2001 4

• What if…

– we can find a mathematical “problem”

that exhibits characteristics of one-way functions (with trapdoors)?

– or, as mathematicians would prefer to say,

a problem that is “impossible” to solve in polynomial time?

– we could use it to build a new cryptosystem!

Confidentiality Integrity of Data Authentication Non-repudiation

You’ll recognize the four important characteristics of cryptosystems that are at the top of this slide:

Confidentiality, Integrity of Data, Authentication, and Non-repudiation We covered this

material in Encryption I So we know that these are important characteristics that any good

cryptosystem must have But, how do we go about actually constructing such a cryptosystem? Where do we begin?

Mathematics comes to our rescue In general, there are many fields in mathematics that contain concepts that could prove to be useful as we seek to build a cryptosystem Specifically, we find that the following branches of mathematics are particularly rich in ideas we could use: Probability Theory, Information Theory, Complexity Theory, Number Theory, Abstract Algebra, and Finite Fields

In Encryption I, we were introduced to one-way mathematical functions We saw how such

functions which have “trapdoors” have interesting properties that could prove to be useful in

cryptography We are using the term “trapdoor” to refer to a way to decrypt a message using a different key So with public key cryptography, one would encrypt the message with a public key The “trapdoor” would be the corresponding private key that would be used to decrypt or retrieve the message If the one-way function deals with a “hard” mathematical problem – one that is impossible

to solve in polynomial time – then it could be used to make things very difficult for any adversary

who might be eavesdropping on our communications over an insecure public network like the global

Encryption II - SANS ©2001 5

Concepts in Cryptography 2

Tractable Problems

“Easy” problems Can be solved in polynomial

time (i.e “quickly”) for certain inputs

• exponential or super-polynomial problems

• factoring large integers into primes (RSA)

• solving the discrete logarithm problem (El Gamal)

• computing elliptic curves in a finite field (ECC)

Computational Complexity deals

with time and space requirements for

the execution of algorithms.

Problems can be classified as

tractable or intractable.

This is exactly the class of problems

we are looking for!

Following this train of thought, let’s see what hard or intractable problems are already well-known

in mathematics These problems just might provide us with the building blocks upon which we could build our cryptosystem

Computational complexity is a branch of mathematics which studies time and space requirements

for the execution of algorithms It classifies problems as either tractable (easy to solve) or

intractable (hard to solve) This is really neat, because its exactly what we’re looking for.

It turns out that there are many well-known intractable problems – the class of problems we’re

interested in These exponential or super-polynomial problems are “hard” problems which cannot

be solved in polynomial time (i.e., quickly) Actually, it is more accurate to say that these problems

are believed to be intractable by the worldwide mathematical community that is active in researching

issues in the field of computation complexity

Three well-known examples of intractable problems include: factoring large integers into their two prime factors (the basis for RSA); solving the discrete logarithm problem over finite fields (the basis for ElGamal); and computing elliptic curves over finite fields (the basis for Elliptic Curve

Cryptosystems)

Now, let’s examine each of these three important classes of intractable problems in greater detail, as each one of them forms the basis of important cryptosystems that are widely used all over the world

Encryption II - SANS ©2001 6

Concepts in Cryptography 3

Example: RSA

• based on difficulty of factoring a large integer into its prime factors

• ~1000 times slower than DES

• considered “secure”

• de facto standard

• patent expires in 2000

An Example of an Intractable Problem

Difficulty of factoring a large integer into its two

prime factors

• A “hard” problem

• Years of intense public scrutiny

suggest intractability

• No mathematical proof so far

Every middle school student knows how to factor integers So, given an integer 15, they can

immediately respond that the integer factors are 1x15 and 3x5 Easy enough! So why is this a hard problem? Why is it on our list of intractable problems?

It turns out that the key here – no pun intended – is the word “large.” Factoring a large integer into

its prime factors is decidedly non-trivial In fact, there is no easy solution to the problem This is

the general consensus of the global community that actively researches such mathematical topics It

is important to note, however, that there is no unequivocal mathematical “proof” that this problem cannot be solved easily It’s the years of public scrutiny of the problem that leads us to conclude that

it is a hard problem which cannot be solved in polynomial time

For our purposes, this is good enough to build a cryptosystem upon Actually that’s already been

done! The most widely used example is the RSA algorithm, which takes advantage of the

intractability of the integer factorization problem to build the public key (asymmetric)

cryptosystem which is widely used throughout the world

How about some of the other intractable problems we found from our brief survey of the field of mathematics? Can they also be used to construct cryptosystems?

Encryption II - SANS ©2001 7

Concepts in Cryptography 4

Examples

• El Gamal encryption and signature schemes

• Diffie-Hellman key agreement scheme

• Schnorr signature scheme

• NIST’s Digital Signature Algorithm (DSA)

Another Intractable Problem

Difficulty of solving the discrete logarithm problem

for finite fields

• A “hard” problem

• Years of intense public scrutiny

suggest intractability

• No mathematical proof so far

• The discrete logarithm problem

is as difficult as the problem of

factoring a large integer into its

prime factors

Another intractable problem that appears to have useful properties that we can use to build a

cryptosystem upon is the difficulty of solving what is known as the discrete logarithm problem for

finite fields The mathematics behind this type of problem are complex and we will not attempt an

explanation of the working mechanism in this brief course

It turns out that there is no easy solution to this problem either Again, this is the general consensus

of the global community that actively researches such mathematical topics It is important to note, however, that there is no unequivocal mathematical “proof” that this problem cannot be solved easily It’s the years of public scrutiny of the problem that leads us to conclude that it is a hard problem which cannot be solved in polynomial time

But, how does it compare with the previous intractable problem we looked at – the factorization of large integers into their two prime factors? There is evidence that the discrete logarithm problem is just as difficult

So, we should be able to use this problem in building a cryptosystem? Right? Absolutely!

Again that’s already been done! The following cryptosystems are all built upon the intractability of

the discrete logarithm problem over finite fields: the ElGamal encryption and signature schemes, the Diffie-Hellman key agreement scheme, the Schnorr signature scheme, and the Digital

Signature Algorithm (DSA) by the U.S Department of Commerce’s National Institute of Standards

and Technology (NIST)

• Elliptic curve Diffie-Hellman key agreement scheme

• Elliptic curve Schnorr signature scheme

• Elliptic Curve Digital Signature Algorithm (ECDSA)

Yet Another Intractable Problem

Difficulty of solving the discrete logarithm problem

as applied to elliptic curves

• A “hard” problem

• Years of intense public scrutiny

suggest intractability

• No mathematical proof so far

• In general, elliptic curve

cryptosystems (ECC) offer

higher speed, lower power

consumption, and tighter code

Now, let’s take a quick look at yet another class of intractable problems This one involves the

difficulty of solving the discrete logarithm problem (we just discussed it in the previous slide) as

applied to elliptic curves.

So, how does this class of intractable problem compare with the previous intractable problem we’ve looked at – the factorization of large integers into their two prime factors, and solving the discrete logarithm problem over finite fields? Very well, thank you! And…it has a number of very attractive features to boot Features that include high security levels even at low key lengths, high speed processing, and low power and storage requirements

These characteristics are very useful in crypto-enabling the many new devices that are rapidly appearing in the marketplace, e.g mobile telephones, information appliances, smart cards, and even the venerable ATMs Of course it has been broken a few times so they are still working on this one

Encryption II - SANS ©2001 9

Voila! We Can Now Build

Hash SignatureDigital

Original Document -

Ciphertext

or plaintext

Original Document -

Ciphertext

or plaintext

Digital Signature

Hash

Hash

“Alice” first creates a Hash of the Original

Document Next, she encrypts the Hash

with her Private Key to generate a Digital

Signature Finally, she transmits the

Original Document and the Digital

Signature to “Bob.”

“Bob” first creates a Hash of the Original

Document Next, he decrypts the Digital

Signature with Alice’s Public Key to

regenerate the Hash that Alice originally

created Finally, he compares the two

Hashes A match indicates the Original

Document was not tampered with.

Bob compares

the two hashes

Hash Algorithm

Same Hash Algorithm

Alice encrypts with her

Private Key

Bob decrypts with Alice’s Public Key

Authentication!

Non-repudiation! Integrity of Data!

Confidentiality!

Communications in the presence of adversaries…

ConfidentialityÌIntegrityÌAuthenticationÌNon-repudiation

We started out by noting that communicating in the presence of adversaries meant constructing a cryptosystem that was capable of providing support for important requirements such as

Confidentiality, Integrity of Data, Authentication, and Non-repudiation We briefly examined some

of the well-known intractable mathematical problems which could be used as building blocks upon which to construct our cryptosystem

But how do we make the connection between complex and abstract mathematical concepts, to crypto-enabled products we use routinely every day of our lives?

While each type of cryptosystem addresses the specific details in its own unique way, the

fundamental concepts behind the working crypto-mechanism that actually delivers the functionality that makes it possible to support Confidentiality, Integrity of Data, Authentication, and Non-

repudiation are fundamentally quite similar

This “big picture” slide puts it all together from the perspective of a message being sent by Alice over an insecure public network (like the global Internet) to Bob Please study this slide carefully for

a few moments, and trace the working mechanism that is at the foundation of many cryptosystems See for yourself exactly how the users of the cryptosystem are able to tap into the Confidentiality, Integrity of Data, Authentication, and Non-repudiation services that are supported by the

cryptosystem

Elliptic Curve Cryptography

(Miller, 1986 & Koblitz, 1987)

ECA: Elliptic Curve Algorithm

AES: Advanced Encryption Standard

(sponsored by NIST, finalist selected.)

Origins of Cryptography

(traced as far back as 4000 years!

Key-Exchange Method

(Diffie and Hellman, 1976)

DES: Data Encryption Standard

(U.S FIPS-46, 1977)

Public-Key Cryptography

(Merkle, 1978)

…built upon the work of giants!

We noted earlier in our discussion that a number of mathematicians and researchers had made important contributions, over the years, to the advanced mathematical ideas that serve as the

foundation of many widely used cryptosystems in use today We also noted that each of the three classes of intractable problems we discussed had been successfully employed as building blocks for constructing cryptosystems

There is a long, rich history behind modern cryptosystems This slide lists a few (by no means, all!)

of the leading cryptographers whose work and ideas have been successfully incorporated into everyday products that we use on a routine basis Modern day cryptosystems are truly built upon the work of giants!

The mathematics behind cryptosystems is invariably abstract and can be highly complex The process of developing new cryptographic algorithms works best when the attention of the entire global cryptographic community can be focused on the development activity It is generally

acknowledged that openness to intense scrutiny by the global cryptographic community in the development process of new cryptographic algorithms is the most effective way to achieving

algorithms that can be trusted to serve as the foundation of our growing ecommerce infrastructure The U.S Department of Commerce’s NIST has done just that as it selected the finalist for the Advanced Encryption Standard (AES)

Encryption II - SANS ©2001 11

• Released March 17, 1975

• Rather fast encryption algorithm

• Widely used; a de facto standard

• Symmetric-key, 64-bit block cipher

• 56-bit key size Æ Small 2 56 key space

• Today, DES is not considered secure

DES: Data Encryption Standard

DES is the most commonly used encryption algorithm in the world On March 17, 1975, the United

States government proposed the adoption of the Data Encryption Standard (DES) cryptosystem as

a national standard for use with “unclassified computer data.” It was based upon IBM’s Lucifer cryptosystem DES is specified in FIPS-42 The Data Encryption Algorithm (DEA) is essentially the same cipher based on the ANSI X.3.92 standard

Due to the internal bit-oriented operations in the design of DES, software implementations of DES are slow, while hardware implementations are faster Four different modes of operation for DES were standardized for use in the USA by the National Institute of Standards and Technology (NIST): Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Output Feedback (OFB) mode, and Cipher Feedback (CFB) mode

From the very beginning, concerns were raised about the vulnerability of DES due to the rather small

key length of 56 bits, resulting in a keyspace containing only 256possible different keys

The effectiveness of attacks based on brute force searches depends upon the size of the keyspaceinvolved Because DES is limited to an effective key size of only 56-bits (= 64-bit block - 8 parity bits), it is vulnerable to brute force attacks DES was first [publicly] cracked in in theRSA

Challenge, which was a five month effort, and subsequent attempts are taking less and less time At the present time, there is a general consensus that DES is not secure

Encryption II - SANS ©2001 12

DES

• In 1992 it was proven that DES is not a

group This means that multiple DES

encryptions are not equivalent to a

single encryption THIS IS A GOOD

THING.

• If something is a group than

– E(E(K,M)K2) = E(K3,M)

• Since DES is not a group, multiple

encryptions will increase the security.

As we know, DES is no longer supported because of the key length With current technology and computers, this key length is considered non-secure For additional information, see the book Cracking DES It gives you all of the code you would need to build your own DES cracking engine Just think, you would be the envy of the entire neighborhood!

Since DES is weak, someone proposed whether you could perform multiple encipherments to increase the key length In order to do this, you would have to prove whether DES is a group or not

It was proven that DES is not a group; this means that multiple DES encryptions are not equivalent to

a single encryption This is a very good thing If DES was a group, then triple DES would provide the same key length as single DES Since DES is not a group, multiple encryptions will increase the security

If something is a group, then

E(E(K,M)K2) = E(K3,M), which means multiple encipherments are equivalent to a single

encipherment

Encryption II - SANS ©2001 13

DES Weaknesses

• DES is considered non-secure for very

sensitive encryption It is crackable in a short

period of time.

• See the “Cracking DES” book by O’Reilly.

• Multiple encryptions and key size will increase

the security.

• Double DES is vulnerable to the

meet-in-the-middle attack and only has an effective key

length of 57 bits.

• Triple DES is preferred.

Now that we know that multiple enchipherments of DES will help the key length, why “triple” DES? What happened to double DES, and why isn’t it used? Funny thing you should ask It turns out that

double DES is vulnerable to the meet-in-the-middle attack, which gives an effective key length of

57 bits, which is only one more bit more than DES So because of this weakness, triple DES is used

We will look at the meet-in-the-middle attack on the next slide

Encryption II - SANS ©2001 14

Meet-in-the-middle Attack

E

E(M,K1) = C’ , 2 56possibilitiesD(C,K2) = C’ , 2 56possibilities

2 56 + 2 56 = 2 57

so double DES only gives effective key length of 57 bits which is 1

more than DES

M

K2 K1

C C’

With the meet-in-the-middle attack, you start with both the message and the ciphertext In this case

M and C

For each choice of K1 compute

C’=E(K1,M) – this is a table of 2 56

For each choice of K2 compute

C”=D(K2, C) – this is a table of 2 56

Therefore the amount of keys tried is

256+ 256= 257, which gives an effective key length of 57 bits

Now when you play Geek Trivial Pursuit and someone asks, “Why isn’t double DES used?”, you will know the answer!