1Types of CryptosystemsECE 646 - Lecture 3 Implementation of Security Services 2Project, Next Steps•Due Today: Initial choice, literature list•Wednesday: List of topics and people withe-mail address on webpage•Sept 19: Final choice, final groups•Sept 26: Draft project specifications•Discussions of groups with instructor•Oct 3: Final specifications due3Review of Reading Assignments•Ross Anderson, Why Cryptosystems Fail•Matt Curtin, Snake Oil Warning Signs: Encryption Software to Avoid•2006 CSI/FBI Computer Crime and Security Survey 4Review of Lecture 1•Identification•Security Services•Handwritten and Digital Signatures•Network Security Threats8Review of Lecture 2•Overview of the field of cryptology•Basic vocabulary•Kerkhoff's principle•Software vs. hardware 13Block vs. stream ciphers Types of Cryptosystems (1)14Cryptosystem (Cipher)message Xciphertext Ycryptographickey Km bitsn bitsj bits 15Block vs. stream ciphersStream ciphermemoryBlock cipherKKX1, X2, …, Xnx1, x2, …, xnY1, Y2, …, Yny1, y2, …, ynYi=fK(Xi) yi = fK(xi, xi-1, …, x2, x1)Every block of ciphertext is a function of only one corresponding block of plaintextEvery block of ciphertext is a function of the current and all proceeding blocks of plaintext16Typical stream cipherSender ReceiverPseudorandomKeyGeneratorxiplaintextyiciphertextkikeystreamkeyinitialization vector (seed)PseudorandomKeyGeneratorxiplaintextyiciphertextkikeystreamkey initializationvector (seed) 17Secret-key vs. public-key ciphers Types of Cryptosystems (2)18Secret-key (Symmetric) Cryptosystemskey of Alice and Bob - KABkey of Alice and Bob - KABAliceBobNetworkEncryptionDecryption 19Key Distribution ProblemN - UsersN · (N-1)2KeysUsersKeys1005,0001000 500,00020Digital Signature ProblemBoth corresponding sides have the same informationand are able to generate a signatureThere is a possibility of the receiver falsifying the message sender denying that he/she sent the message 21Public Key (Asymmetric) CryptosystemsPublic key of Bob - KBPrivate key of Bob - kBAliceBobNetworkEncryptionDecryption22Classification of cryptosystemsTerminologysecret-keysymmetricsymmetric-keyclassicalconventionalpublic keyasymmetric 23One-way functionXf(X) Yf-1(Y)EXAMPLE:f: Y=f(X) = AX mod Pwhere P and A are constants, P is a large prime, A is an integer smaller than PNumber of bits of P Average number of multiplicationsnecessary to computef f -110001500 103024Trap-door one-way functionXf(X) Yf-1(Y)Whitfield Diffie and Martin Hellman“New directions in cryptography,” 1976PUBLIC KEYPRIVATE KEY 25Key DistributionAliceBobmessageciphertextmessageciphertextBob’s public keyBob’s private keyBob’s public keymessageciphertextBob’s public keyIntruder26Digital SignatureAliceBobsignaturemessagesignaturemessageAlice’s public keyAlice’s private keyAlice’s public keysignaturemessageAlice’s public keyIntrudersignaturemessageAlice’s public keyJudge 27Implementation of Security Services28MessageHash functionPublic keycipherAliceSignatureAlice’s private keyBobHash functionAlice’s public keyNon-repudiationHash value 1Hash value 2Hash valuePublic key cipheryesnoMessageSignature 29Hash functionarbitrary lengthmessagehashfunctionhash valueh(m)hmfixed length30Hash functions•Basic Requirements1) Public description, no key.2) h(m) can be applied to any size m.3) h(m) produces fixed length output.4) h(m) is easy to compute (hw and sw). 31Hash functionsWhy not use error correcting codes?32Hash functionsSecurity requirementsIt is computationally infeasibleGivenTo Findh(m)mm and h(m)m’ ≠ m, such thath(m’) = h(m)m’ ≠ m, such thath(m’) = h(m)PropertyOne-wayWeak collisionresistantStrong collisonresistant 33One Way•Bob sends Ek(m) || h(m) to Alice•If h(m) is not a one-way function what can Oscar do?34Weak collision resistant•Oscar could replace x with x'.Alice Oscar Bobz=h(x)y=sigKpr(z)(x,y)(x',y)z=h(x')=h(x)y=verKpub(z,y)= true 35Strong collision resistant•Oscar coulda) Choose legitimate x1 and bad x2.b) Alter x1 and x2 at “non-visible” locations until h(x'1) = h(x'2).c) Let Bob sign x'1 (x'1 , sigKpr(h(x'1)).d) Replace x'1 x'2 and (x'2 , sigKpr(h(x'2))36Hash functionsWhy is there no collision free hash function? 37Bithday Paradox•1st person, P[b'day] = 1•any person, P[b'day] on a specific date] = •2nd person, P[b'day ≠ 1st person] =•3rd person, P[b'day ≠ 1st and 2nd ] =•P[all 3 have different b'day] =•for 46 ppl: •P[no two ppl. have b'day same] = 0.052i.e. P[two have same b'day] = 94.8% !136511365=36436512365 11365 12365 11365 12365 145365=0.05238i =1k 1 1inP[no collisions amongst k elements in a group of size n] =Recall:ex=1xx22!x33!if x 1 ex1xif ni then for x=inx 1i =1k 1 1in=i=1k1ein=e1ne2ne3nek 1n=e123k 1nRecall:123k 1=k k 12P[no collision]ek k 12nP[at least one collision]1ek k1 2n1ek k1 2nln 1k k12nk k12n ln 1=2n ln 11 39k k12n ln 11if k 1, then k2k k 12n ln 11k2n ln 11Example:k =0.52n ln 110.5=1.18n•A collision is found after √n trials with a probability of 50%.•Hash output space 2160 (i.e. 160 bits) then finding collision takes √2160 = 280 steps.40MessageHash functionPublic keycipherAliceSignatureAlice’s private keyBobHash functionAlice’s public keyNon-repudiationHash value 1Hash value 2Hash valuePublic key cipheryes/noMessageSignature 41MessageHash functionPublic keycipherAliceSignatureAlice’s private keyBobHash functionAlice’s public keyNon-repudiationHash value 1Hash value 2Hash valuePublic key cipheryes/noMessageSignatureSignaturegenerationfunctionSignatureverificationfunction42MessageSecret keyalgorithmAliceMACSecret key of Alice and BobBobSecret keyalgorithmAuthenticationMAC’MACyesnoMessageMACSecret key of Alice and BobKABKAB 43MAC - Message Autentication Codes (keyed hash functions)arbitrary lengthmessageMACfunctionMACmfixed lengthsecret keyK44MAC functionsBasic requirements1. Public description, SECRET key parameter2. Compressionarbitrary length input → fixed length output3. Ease of
View Full Document
Unlocking...