Professional Documents
Culture Documents
Appendix A: Introduction To Cryptographic Algorithms and Protocols
Appendix A: Introduction To Cryptographic Algorithms and Protocols
in Wireless Networks
http://secowinet.epfl.ch/
symmetric and
asymmetric key
encryption;
hash functions;
MAC functions;
digital signatures;
key establishment
protocols;
advanced
authentication
techniques;
© 2007 Levente Buttyán and Jean-Pierre Hubaux
Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
attacks can be
– passive
• attempts to learn or make use of information from the system but does not affect
system resources
• examples: eavesdropping message contents, traffic analysis
• difficult to detect, should be prevented
– active
• attempts to alter system resources or affect their operation
• examples: masquerade (spoofing), replay, modification (substitution, insertion,
destruction), denial of service
• difficult to prevent, should be detected
access control
– aims to prevent unauthorized access to resources
confidentiality
– aims to protect data from unauthorized disclosure
– usually based on encryption
integrity
– aims to detect modification and replay
– provides assurance that data received are exactly as sent by the sender
non-repudiation
– provides protection against denial by one entity involved in a communication
of having participated in all or part of the communication
– two basic types: non-repudiation of origin and non-repudiation of delivery
Security and Cooperation in Wireless Networks
A.1 Introduction 4/80
Appendix A: Intro to cryptographic algorithms and protocols
Some security mechanisms
encryption
– symmetric key, asymmetric (public) key
digital signature
authentication protocols
– passwords, cryptographic challenge-response protocols, biometrics
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
EK(m)
ciphertext
m EE DD DK’ (EK(m)) = m
plaintext
K eavesdropping K’
encryption key adversary decryption key
Kerckhoff’s principle:
– we must assume that the adversary knows all details of E and D
– security of the system should be based on the protection of the
decryption key
known-plaintext attack
– the adversary can obtain corresponding plaintext-ciphertext pairs
produced with the same encryption key
related-key attack
– the adversary can obtain ciphertexts, or plaintext-ciphertext pairs that
are produced with different encryption keys that are related in a
known way to a specific encryption key
symmetric-key encryption
– it is easy to compute K’ from K (and vice versa)
– usually K’ = K
– two main types:
• stream ciphers – operate on individual characters of the plaintext
• block ciphers – process the plaintext in larger blocks of characters
asymmetric-key encryption
– it is hard (computationally infeasible) to compute K’ from K
– K can be made public ( public-key cryptography)
an n bit block cipher is a function E: {0, 1}n x {0, 1}k {0, 1}n, such that
for each K {0, 1}k, E(x, K) = EK(x) is an invertible mapping from {0, 1}n
to {0, 1}n
k bit key
n bit input
EE n bit output
…
…
avalanche effect
– changing one bit in the input block should change approximately half
of the bits in the output block
– similarly, changing one key bit should result in the change of
approximately half of the bits in the output block
statistical independence
– input and output should appear to be statistically independent
simple operations:
– elementary arithmetic operations
– logical operations (e.g., XOR)
– modular multiplication
– transpositions
– substitutions
– ...
Initial Permutation
Initial Permutation input size: 64
(32) (32)
output size: 64
+ FF (48)
K1 key size: 56
16 rounds
+ FF (48)
Feistel structure
Key Scheduler
K2
(56)
K
+ FF (48)
K3
…
+ FF (48)
K16
Initial Permutation-1-1
Initial Permutation
Y (64)
key
++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ injection
S1
S1 S2
S2 S3
S3 S4
S4 S5
S5 S6
S6 S7
S7 S8
S8
PP
K
(56)
(48)
K1 Permuted
PermutedChoice
Choice22
(48)
K2 Permuted
PermutedChoice
Choice22
…
example:
– naïve exhaustive key search against DES: 255
– attack using the complementation property of DES: 254
Y = DESK(X) implies Y* = DESK*(X*), where X* denotes the bitwise
complement of X
– differential cryptanalysis of DES: 247
– linear cryptanalysis of DES: 243
CTR – Counter
– simplified OFB with certain advantages
K EE K EE … K EE
C1 C2 CN
decrypt
C1 C2 CN
K DD K DD … K DD
P1 P2 PN
IV + + + CN-1 +
K EE K EE K EE … K EE
C1 C2 C3 CN
decrypt
C1 C2 C3 CN
K DD K DD K DD K DD
IV + + + CN-1 +
P1 P2 P3 PN
error propagation:
– one bit error in a ciphertext block Cj has an effect on the j-th and (j+1)-st
plaintext block
• Pj’ is complete garbage and Pj+1’ has bit errors where Cj had
• an attacker may cause predictable bit changes in the (j+1)-st plaintext block
error recovery:
– recovers from bit errors (self-synchronizing)
– cannot, however, recover from frame errors (“lost” bits)
one can add some extra bytes to the short end block until it
reaches the correct size – this is called padding
05
encrypt decrypt
(s)
shift register (n) shift register (n)
(n) (n)
K EE K EE
(n) (n)
select
selectssbits
bits select
selectssbits
bits
(s) (s)
(s) (s) (s) (s)
Pi + Ci Ci + Pi
error propagation:
– one bit error in a ciphertext block Cj has an effect on the decryption of that
and the next n/s ciphertext blocks (the error remains in the shift register for
n/s steps)
• Pj’ has bit errors where Cj had, all the other erroneous plaintext blocks are garbage
• an attacker may cause predictable bit changes in the j-th plaintext block
error recovery:
– self synchronizing, but requires n/s blocks to recover
encrypt decrypt
(s) (s)
shift register (n) shift register (n)
(n) (n)
K EE K EE
(n) (n)
select select
selectssbits
selectssbits
bits bits
(s) (s)
(s) (s) (s) (s)
Pi + Ci Ci + Pi
error propagation:
– one bit error in a ciphertext block Cj has an effect on the decryption of only
that ciphertext block
• Pj’ has bit errors where Cj had
• an attacker may cause predictable bit changes in the j-th plaintext block
error recovery:
– recovers from bit errors
– never recovers if bits are lost or the IV is modified
encrypt decrypt
counter + i counter + i
(n) (n)
K EE K EE
(n) (n)
note1: in CFB, OFB, and CTR mode only the encryption algorithm is used
(decryption is not needed), that is why some ciphers (e.g., AES) is
optimized for encryption
note2: the OFB and CTR modes essentially make a synchronous stream
cipher out of a block cipher, whereas the CFB mode converts a block
cipher into a self-synchronizing stream-cipher
pi
ffk
k
i+1
zi
i ggk hh
i k
ci
no error propagation
– a ciphertext character that is modified during transmission affects only the
decryption of that character
an attacker can make changes to selected ciphertext characters and know
exactly what effect these changes have on the plaintext (if h = XOR)
Security and Cooperation in Wireless Networks A.2 Encryption
Appendix A: Intro to cryptographic algorithms and protocols Stream ciphers
33/80
Self-synchronizing stream ciphers
pi
register
zi
ggk hh
…
k
ci
self-synchronizing
– since the size t of the register is fixed, a lost ciphertext character affects only
the decryption of the next t ciphertext characters
one-time pad
– a Vernam cipher where the key stream digits are generated
independently and uniformly at random
– the one-time pad is unconditionally secure [Shannon, 1949]
• I(P; C) = H(P) - H(P|C) = 0
– a necessary condition for a symmetric key cipher to be
unconditionally secure is that H(K) H(P) [Shannon, 1949]
• practically, the key must have as many bits as the compressed plaintext
• impractical because of key management problems
EK(m)
ciphertext
m EE DD DK’ (EK(m)) = m
plaintext
K attacker K’
(public) encryption key (private) decryption key
asymmetric-key encryption
– it is hard (computationally infeasible) to compute K’ from K
Diffie-Hellman problem
– given a prime p, a generator g of Zp*, and elements gx mod p and gy
mod p, find gxy mod p
• true complexity is unknown
• it is believed that it does not belong to P
Security and Cooperation in Wireless Networks A.2 Encryption
Appendix A: Intro to cryptographic algorithms and protocols A.2.2 Asymmetric-key encryption
37/80
The RSA encryption scheme
key generation
– select p, q large primes (about 500 bits each)
– n = pq, (n) = (p-1)(q-1)
– select e such that 1 < e < (n) and gcd(e, (n)) = 1
– compute d such that ed mod (n) = 1 (this is easy if (n) is known)
– the public key is (e, n)
– the private key is d
encryption
– represent the message as an integer m in [0, n-1]
– compute c = me mod n
decryption
– compute m = cd mod n
encryption
– represent the message as an integer m in [0, p-1]
– select a random integer r, 1 r p-2, and compute R = gr mod p
– compute C = mAr mod p
– the ciphertext is the pair (R, C)
decryption
– compute m = CRp-1-a mod p
proof of decryption
CRp-1-a mArRp-1-a mgargr(p-1-a) mgp-1)r m (mod p)
plaintext message
generate
generaterandom
random
symmetric
symmetrickey
key
symmetric-key
symmetric-key
cipher
cipher bulk encryption key
(e.g.,
(e.g., inCBC
in CBCmode)
mode)
asymmetric-key
asymmetric-key public key
cipher
cipher of the receiver
digital envelop
Security and Cooperation in Wireless Networks A.2 Encryption
Appendix A: Intro to cryptographic algorithms and protocols A.2.2 Asymmetric-key encryption
43/80
Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
hash
hash
function
function
fix length
hash value / message digest / fingerprint
x1 x2 x3 xL
(b) (b) (b) (b)
…
(n) ff (n) ff (n) ff (n) ff (n)
CV0 h(x) = CVL
CV1 CV2 CV3 CVL-1
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
MAC
MAC secret key
function
function
fix length
MAC
secret key
generation
message MAC
MAC
MAC
message MAC
MAC
verification
MAC
compare
compare
secret key
yes/no
key non-recovery
– it is computationally infeasible to recover the secret key k, given one
or more text-MAC pairs (xi, MACk(xi)) for that k
computation resistance
– given zero or more text-MAC pairs (xi, MACk(xi)), it is computationally
infeasible to find a text-MAC pair (x, MACk(x)) for any new input x xi
x1 x2 x3 xN
0 + + + cN-1 +
k EE k EE k EE … k EE
cN
c1 c2 c3
k’ EE-1-1
optional
k EE
CBC MAC is secure for messages of a fixed
number of blocks
(adaptive chosen-text existential) forgery is MAC
k+ ipad xL|padding1
x1
hash fn
ff ff … ff
CV0
CV1inner
M
k+ opad M|padding2
HMACk(X) = H( k’’|H( k’|X ))
hash fn
ff ff
CV0 HMACk(x)
CV1outer
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
known-message attack
– the adversary has signatures for a set of messages known to her but
not chosen by her
chosen-message attack
– the adversary obtains signatures for messages chosen by her before
attempting to break the signature scheme
hh dec
compare
compare public key
of sender
yes/no
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
key confirmation
– one party is assured that a second (possibly unidentified) party actually
possesses the session key
– possession of a key can be demonstrated by
• producing a one-way hash value of the key or
• encryption of known data with the key
key freshness
– one party is assured that the key is new (never used before)
efficiency
– number of message exchanges (passes) required
– total number of bits transmitted (i.e., bandwidth used)
– complexity of computations by each party
– possibility of precomputations to reduce on-line computational complexity
system setup
– distribution of initial keying material
generate k
A, EKas( B, k, Ta )
EKbs( A, k, Ts )
summary: a simple key transport protocol that uses a trusted third party
Alice generates the session key and sends it to Bob via the trusted third party
B, EKbs( A, k, Ts )
EKas( B, k, Ts(1))
A, EKas( B, k, Ts(1))
EKbs( A, k, Ts(2))
...
EKbs( A, k, Ts(n))
summary: after observing one run of the protocol, Trudy can continuously use the Server
as an oracle until she wants to bring about re-authentication between Alice and Bob
Alice Bob
generate k
A, EKb(k), Ta, SKa(B,EKb(k),Ta)
summary: Alice generates a session key, encrypts it with Bob’s public key, then sings it,
and sends it to Bob
characteristics: unilateral entity authentication (of Alice), mutual implicit key authentication,
no key confirmation, key freshness with timestamp, clock synchronization,
off-line third party for issuing public key certificates may be required, initial
exchange of public keys between the parties may be required, Alice is trusted
to generate keys, non-repudiation guarantee for Bob
Alice Bob
select random x
compute gx mod p
gx mod p
select random y
compute gy mod p
gy mod p
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
unpredictable
input samples entropy
entropy
…
(from physical pool
pool
processes)
re-keying
internal
internal one-way fn
pseudo-random bits
state
state indistinguishable from
state update real random bits
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
hash chains can be used for repeated authentications at the cost of a single digital
signature
– Alice computes a hash chain and commits to it by signing v n and distributing it to
potential verifiers
– later on, Alice can authenticate herself repeatedly (at most n times) by revealing the
elements of the hash chain in reverse order
– when vn-i is revealed, verifiers can check if h (i)(vn-i) = vn (or h(vn-i) = vn-i+1 if they
remember the last revealed element)
– each hash chain element can be used only once for authenticating Alice
– verifiers are assured that only Alice could have released the next hash chain element
hash chains can be stored efficiently with a storage complexity that is logarithmic
in the length of the hash chain
when revealing a value vi, Alice must also reveal all the values assigned to the
sibling vertices on the path from vi’ to the root (e.g., v3 is revealed together with v4’,
u12, u5678)
verifiers hash the revealed values appropriately and check if the result is u0
assumptions:
– loose time synchronization between the participants
– each party knows an upper bound on the maximum synchronization error
– initial secret between the parties to bootstrap the whole mechanism
protocol operation:
– setup: Alice sends Kn to each verifier in an authentic manner
– time is divided into epochs
– each message sent in epoch i is authenticated with key K n-i
– Kn-i is disclosed in epoch i+d, where d is a system parameter
– Kn-i is verified by checking h(Kn-i) = Kn-i+1
example:
Kn-1 Kn-2 Kn-3 Kn-4
Kn P1 P2 P3 P4 P5 P6 P7 time
but be cautious:
“If you think cryptography is going to solve your problem, you don't understand
cryptography and you don't understand your problem.”
-- Roger Needham
other important aspects are
– physical protection
– procedural rules
– education