Introduction to Security and Crypto Agenda Basics of
Introduction to Security and Crypto
Agenda ØBasics of security ØBasics of cryptography Ø Symmetric Crypto Ø DES example, block chaining Ø Key exchange, Asymetric Crypto Ø RSA example ØPublic Key Infrastructure ØTrust Provisionning Ø Attacks and how to cope with it Ø Attacks on Algorithms Ø Attacks on Implementations Ø Attacks on Protocols Ø Two Examples Ø A 7 FS-application Trust provisioning + Offline Authentication ØTLS and support of A 70 CM 2
Basics of. NFC Security Embedded 3
Security Goals At 10 at my place Alice Confidentiality: Eavesdropping possible? Mon, at 10 at my place. Alice At 10 at my place Anneliese Authenticity: Sender correct? Tue, at 10 at my place. Alice Integrity: Message modified? Non-Repudiation: Message signed? But also: Availability (i. e. : preventing denial of service), Privacy (personal data towards merchant or third parties) 4
Security Goals and Algorithms Authenticity: Asymmetric Crypto / Signature / Hash Confidentiality: Symmetric Crypto Integrity: Hash / Signature / MAC Non-repudiation: Hash / Signature Symmetric Crypto DES, Triple-DES, AES Asymmetric Crypto RSA, ECC Hash SHA Signature Hash + Asymmetric Crypto MAC Hash / Symmetric Crypto 5
There is no such thing as „perfect security“ There is no such thing as “perfect security” – A secure system makes an attack more expensive than the value of the advantage gained by the attacker. 6
Attacks & Principles Kerckhoffs’ principle: The attacker always knows the algorithm; the only information unknown to him/her is the key. Brute force attack – Exhaustive search over all keys – Single plaintext-ciphertext-pair may be enough to determine the correct key – Cannot be avoided – Goal: Make it practically infeasible, i. e. key space is so large that the search takes more than a lifetime Side Channel Attacks: – Even if a cryptographic algorithm offers high level of security, its implementation may still leak information about secrets or keys: timing behavior, current consumption, electromagnetic radiation etc establish so called side channels for secret information. There is no such thing as “perfect security” – A secure system makes an attack more expensive than the value of the advantage gained by the attacker.
There is no such thing as „perfect security“
Embedded NFC Basics of Cryptography Symmetric Crypto 9
Symmetric Encryption Key Plaintext Ciphertext Encryption Decryption DES Triple-DES AES DES-1 Triple-DES-1 AES-1 Confidentiality: Eavesdropping not easily possible 10
1. Introduction - What is Android ? 2. Platform Architecture 3. Platform A bit. Components of history… The Caesar cipher 4. Platform Initialization 5. How to get Android sources
1. Introduction - What is Android ? 2. Platform Architecture 3. Block Ciphers Platform DES Components Block Chaining 4. Platform Initialization 5. How to get Android sources
Symmetric Encryption : DES
Symmetric block ciphers: DES and AES Block m 4 Block m 3 Algorithm Block c 2 Block c 1 Plaintext is divided into blocks m 1, m 2, . . . of the same length Every block is encrypted under the same key. Typical block lengths: DES – 64 bit, AES – 128 bit Typical key lengths: DES – 56 bit; AES – 128, 192, 256 bit 14
DES - Data Encryption Standard Most important example for Feistel ciphers (ie: same operations to encrypt and decrypt) Published in 1977 as a standard for the American governmental institutions Significant weakness: 56 bit key is too short 1999 Deep Crack: 100. 000 PCs computed key within 22 hours and 15 minutes Input 64 bit Key 56 bit L 0 round 16 K 1 F Permutation IP round i R 0 Round key i Round key 16 L 1 R 1 L 15 R 15 Permutation IP – 1 Output 64 bit K 16 F L 16 RR 1616 15
Modes of Operation – How to ensure that the ordering of blocks is not changed by an attacker? – Dependencies between encrypted blocks: Cipher Block Chaining (CBC) Block m 4 Block m 3 Algorithm Block c 2 Block c 1
Problems of block encryption ECB-Example: Electronic Code Book Mode: Identical blocks are identically encrypted. m 1 m 2 m 3 (3)DES Enciphering c 1 c 2 c 3 17
CBC Mode CBC-Example: Cipher Block Chaining Mode: Identical blocks are differently encrypted. m 1 m 2 m 3 (3)DES Enciphering c 1 c 2 c 3 IV 18
Triple-DES = triple encryption using DES with two or three external keys: DES(k 1, DES-1(k 2, DES(k 1, m))) 1. Question: Why is the decryption DES-1 in the middle? Compatibility: When implementing Triple-DES and choosing k 1 = k 2, then one gets the single DES. Therefore, only one algorithm needs to be implemented to get Triple-DES and single DES. 2. Question: Why is not Double-DES used instead of Triple-DES? Meet-in-the-middle attack! Security comparison – Two keys – NIST estimation: effectively 80 bits – Three keys – NIST estimation: effectively 112 bits 19
AES – Scheme plaintext AES is standardized for key lengths of 128 bit, 192 bit, 256 bit, and block size of 128 bit. Round key 0 Round 1 (round key 1) The number of rounds depends on key length used: 10 up to 14 Round 2 (round key 2) Round n (round key n) ciphertext Round Function: Byte. Sub Shift. Row Mix. Column Add. Round. Key 20
Security Goals and Algorithms; HASH Function Authentication: Asymmetric Crypto / Signature / Hash Confidentiality: Symmetric Crypto Integrity: Hash / Signature / MAC Non-repudiation: Hash / Signature Symmetric Crypto DES, Triple-DES, AES Asymmetric Crypto RSA, ECC Hash SHA Signature Hash + Asymmetric Crypto MAC Hash / Symmetric Crypto
Hashfunctions Analogy: digital fingerprints Compression: Data of arbitrary length is mapped to n bits. (Typical values: 128/160 bits) Data Cryptographic properties Preimage of a hash is hard to find. Two data elements with the same hash value are hard to find (Collisions). Hash
Hashfunctions m Compression: Data of arbitrary length is mapped to n bits. m' Preimage of a hash is hard to find. One-wayness: Given h(m) finding m is infeasible. m h(m) Two data elements with the same hash value are hard to find (Collisions). Collision resistance: It is infeasible to find m and m‘ which are mapped to the same value. (birthday paradox; output should be at least 160 bits) m m'
Secure Hash Algorithm (SHA) First version: SHA-0 (160 bit output) in early 90 s SHA-1 only a minor change to SHA-0 Chinese Research Group attacked SHA-1: – On collision resistance only expected effort: 280, real effort 263 (Birthday paradox) – Applicability highly depends on application SHA-224, 256, 512 etc … xxx giving the length of output SHA-3 in review and selection process
Message Authentication Codes: MAC, HASH At 10 at my place Alice At 10 at my place Anneliese Authentication The active attacker: Who is the origin of a message? K K Message Authentication Code (“symmetric signature”) m, MAC m, computes MAC = HK(m) verifies MAC = HK(m) ? A authenticates her message by computing a tag MAC and sends it together with the message to B. B can verify this tag by re-computing it and check whether the two results match. The function H can be either a hash function (SHA, MD 5), or a symetric block cipher based on DES or AES (CMAC, …). Integrity: Message can’t be easily modified 25
1. Introduction - What is Android ? 2. Platform Architecture 3. Key Exchange Platform Components Asymmetric Crypto 4. Platform Initialization 5. How to get Android sources
What about the Keys? Alice and Bob need to share the same key. How to share it securely? Pre distribution? (ie: keys exchanges in a “secure environment”) – Trust provisionning (see later) Secured Key Exchange – Diffie Hellman and asymetric cryptography 27
Diffie Hellmann Key Exchange Private “keys” Public “keys” 28
Asymmetric Crypto: The Idea Bob‘s Public Key Bob‘s Private Key Plaintext Ciphertext Encryption Decryption RSA ECC 29
Asymmetric Crypto: Signatures Bob‘s Private Key Bob‘s Public Key Plaintext, Hash Plaintext verified Plaintext, Hash, Signature Generation (Decryption) RSA ECC Signature Verification (Encryption and Compare with Hash) RSA ECC 30
Principles of Asymmetric Encryption Hello Bob, . . . . Bob Everyone can put a letter into Bob‘s mailbox. Everyone can encrypt message for Bob. Everyone can verify Bob’s signature Decryption Hello Bob, . . . . Only Bob can open his mailbox with his private key. Only Bob can decrypt with his private key. Only Bob can create his own signature 31
Comparison Symmetric - Asymmetric Symmetric Algorithms Asymmetric Algorithms Number Many Few Security Can be very good Performance In general: good Bad Key exchange necessary? Yes No Digital Signatures No Yes Typical Application Encryption Digital Signatures Key Exchange
1. Introduction - What is Android ? 2. Platform Architecture 3. Platform Components Asymmetric Crypto: 4. Platform Initialization 5. How to get Android sources RSA
RSA Based on the so called factorization problem: – Given two prime numbers, it is easy to multiply them. Given the product, it is difficult to find the prime numbers. d. B RSA Keys – Every participant has – a modulus n = p*q (public), the product of two large prime numbers – a public exponent e (for performance reasons, one often chooses small prime numbers with few 1’s) A: n. A, e. A B: n. B, e. B C : n. C, e. C d. A d. C – a private exponent d. 34
RSA - Operation Encryption Decryption The sender computes The receiver computes c = me mod n, cd mod n, where m is the message, (n, e) is the cipher text and d is the public key of the receiver, and c private key of the receiver. It holds: cd mod n = med mod n = m. is the cipher text. For signing it is the other way round: • Signing is the same operation as decrypting • Verifying a signature is the same operation as encrypting 35
RSA – Some Math c = me mod n and m = cd mod n - Why? Primes p, q ; n = p*q Thus, φ(n) = (p-1)*(q-1) = |{ x | x and n are coprime }|. Euler‘s Theorem: cφ(n) mod n = 1 mod n Let e, d such that – e and φ(n) are coprime, thus inverse of e mod φ(n) exists – e*d = 1 mod φ(n) Let‘s prove RSA: – cd mod n = (me)d mod n = med mod n = m 1+k*φ(n) mod n = m 1 * mk*φ(n) mod n = m 1 * (mφ(n)) k mod n = m * 1 k mod n =m // substitution // definition modulo // Euler‘s Theorem
RSA Size of the RSA keys – The bit length of the modulus is called the size of an RSA key. The public exponent is usually a lot shorter; the private exponent is of the same length as the modulus. – Today, everything larger than 1024 2048 bit is considered to be secure. Implementation – Chinese Remainder Theorem (CRT) is a mathematical fact that allows to make decryption and signing significantly more efficient. Has to be carefully implemented in order to be secure. – Implementation without CRT is often called “straight forward” – significantly less performance, but usually less security issues as well
Public Key Infrastructure Embedded NFC 38
Threat: Authenticity of Public Keys A : EA B: EB EX C: EC U : EU V: EV Attack Mr. X replaces B’s public key EB by his own public key EX. Consequences: – Encryption: Only X can read messages that are meant for B. – Signature: B’s signatures are not verifiable – B’s signatures are invalid! X can sign messages that are verified as Bob’s signatures. 39
Certificates DA A, EA DCA Cert(A) Name and public key are signed by a trustworthy institution (certification authority, CA). Message (name, public key) and the CA’s signature on it are called “certificate”: Cert(A) = {A, EA}, DCA{A, EA} Format of Certificates have to be specified – X. 509 for example Tree-like structure possible – path of trust 40
Random numbers Facts: – In cryptography, often “unpredictable” numbers are needed (for keys for example). – Example: Generate a 128 bit AES key – required is, that even if an attacker “knows” 127 bits of this key, he should not be able to guess the missing bit with a better probability than ½. – There is NO mathematical way to determine whether the outcome of an “random number generator” is unpredictable!!!! – The best thing offered by mathematicians are statistical tests: but they can only test whether a sequence of random numbers has a specific structure or property (and hence is NOT unpredictable). A statistical test never gives a POSITIVE result. Passing a test, only means a sequence does not have one specific (of many) negative properties.
Unpredictable random numbers
Block Diagram of Random Number Generator
- Slides: 43