Lecture 15: Cryptography
Allows secure comms between parties when an attacker can intercept/modify their messages.
Goals:
- confidentiality: message between parties can’t be read
- in apps, ideal is end-to-end encryption (only sender and recipient have key)
- integrity: message between parties can’t be changed without them finding out
- in apps, digital signatures (not valid if message or sender changes)
- authentication: attacker can’t impersonate a party
- non-repudiation: a party can’t deny that they sent a message
- use asymmetric digital signatures
Terms:
- plaintext: readable text to be transmitted
- ciphertext: unreadable text actually sent
- encryption: converting plaintext into ciphertext
- decryption: recovering plaintext from ciphertext
Kerckhoffs’ Principle: when encrypting, separate algorithm from key. Assume attacker knows algorithm, keep key secret
Caesar cipher: shift letters in alphabet by a fixed amount
- attacks: bruteforce, frequency analysis (some letters more common in natural languages)
Cryptographic hashes:
- hash function maps message (arbitrary length) to hash (fixed length), should be computationally hard to reverse
- often used to identify message, because it’s hard to find message with same hash
- properties:
- pre-image resistance: given hash, hard to find message that hashes to it
- second pre-image resistance: given message, it’s hard to find another message with the same hash
- collision resistance: hard to find any two messages that have the same hash
- well-known types: old and insecure (MD5, SHA-1), SHA-2, SHA-3
Random numbers:
- CPUs are deterministic so can’t generate truly random numbers
- Pseudo-random number generator (PRNG) computes number from seed, which is updated for every generated number
Blockchain:
- Bitcoin: decentralised digital currency using blockchain
- each block of transactions contains hash of previous block, so can’t change past transactions without changing later ones
- real chain is what more than 50% of users agree on
Perfect encryption:
- never reuse the key
- key is perfectly random
- no information is leaked from ciphertext
Symmetric cryptography
Uses single key to encrypt and decrypt.
Properties:
- provides confidentiality
- signature schemes provide integrity and authentication
One-time pad:
- assume we have message and key both with n bits
- encrypt: ciphertext = msg ⨁ key
- decrypt: msg = ciphertext ⨁ key
- holds because ciphertext ⨁ key = msg ⨁ key ⨁ key = msg ⨁ 0
- provides perfect encryption because doesn’t leak any information (0 bit could be 0⨁0 or 1⨁1 with equal probability)
- breaks if key is reused
Stream ciphers:
- use PRNG to generate key for one-time pad
- initial seed becomes real key
Block ciphers:
- divide data in blocks
- perform computation using key to map plain block into cipher block
Cipher block chaining:
- make each block depend on the previous one
- for first block, use initialization vector instead (doesn’t have to be secret, shouldn’t be reused)
Padding:
- if message sizes not multiple of block size, must be padded
- don’t add zeros, because impossible to recover original if it ends with zeros
- instead, pad with bytes containing padding length
Signatures:
- message authentication code is signature for message
- combine key with message and apply hash function
- key needed to generate and to validate code
- provides integrity and authentication, but not non-repudiation (any verifier can sign)
Asymmetric cryptography
Uses two keys: anyone encrypts with public key, only owner decrypts with private key
RSA:
- sender generates public and private key together
- public key available to anyone, private key kept secret
- mathematically not viable to derive d from e
- to generate key, generate large number m, public key e, private key d such that: $(n^{e})^{d} = n \enspace (\text{mod $m$})$ for any n
- relies on difficulty of writing m as product of prime number factors
- special random padding
- only works for data that fits inside key size
- signatures:
- to sign, compute hash of message and encrypt hash with private key
- to verify, compute hash of message and decrypt with signer’s public key, then compare with encrypted hash received from signer
Key management
Symmetric: key distribution center:
- one trusted party which shares symmetric keys with all others
- Kerberos is a system for key communication, but need constant access to center and is single point of failure
- possible to establish key without sending any revealing info (e.g. Diffie-Hellman Key Exchange)
Asymmetric:
- Certification Authority (CA)
- issues certificates, keeps revocation list of certificates that may be compromised
- X5.09 certificates containing e.g. identity of holder, public key of holder, expiration date, signature from CA
- verifies identities of users
- typically company that must be trusted
- Self-signed certificate:
- signed with own private key
- can be made by anyone so not trusted by default
SSL and HTTPS
SSL (Secure Sockets Layer) ensures crypto protection for network connection on top of TCP (aka TLS)
Goals:
- end-to-end encryption, Diffie-Hellman to create shared key
- authenticates using X5.09 certificate (prevents MITM attack)
- typically doesn’t authenticate client
Password storage
Hash password when storing.
Bruteforce solutions:
- Use salted hash:
- when storing password, generate random string and concatenate with password before hashing
- store salt with hash.
- Use slow hash: e.g. apply hash 1000 times