Encryption and Integrity

Example - IPSec (ESP) Packet
[Figure: packet layout IP | ESP | TCP / UDP | Payload | HMAC, with brackets marking the encrypted span and the authenticated span]

Example - continued
- HMAC computed over ciphertext (advantages…)
- HMAC doesn't cover IP header (unlike AH). Can't cover mutable fields.
- ESP header and IP header can't be encrypted
- Encrypting TCP/UDP/ICMP… headers has advantages and disadvantages.
- HMAC is not encrypted

Example 2 - CBC MAC
[Figure: CBC-MAC chain with labels IV, $P_1$ … $P_n$, three $E_k$ boxes, $C_1$ … $C_n$, and MAC]

CTR Mode Encryption
- Stream cipher mode (like OFB)
- IV is a pair <nonce, counter>
- The nonce should be random
- Counter is incremented for each block encrypted
- Encryption of block number j, $P_j$, by: $E_k(\text{nonce}, \text{counter}+j) \oplus P_j$
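
The two ideas above combined, CTR encryption followed by an HMAC computed over the ciphertext as in the ESP slide, as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for the block cipher $E_k$ so the code runs with the standard library only, and the names `ctr_xor`, `seal_packet` and `open_packet` are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 32  # keystream block size of the stand-in PRF (SHA-256 output)

def _keystream_block(key, nonce, counter):
    # Stand-in for E_k(nonce, counter); a real system would use a block cipher.
    msg = nonce + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def ctr_xor(key, nonce, data, counter=0):
    """CTR mode: block j is XORed with E_k(nonce, counter + j).
    The same call encrypts and decrypts."""
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        ks = _keystream_block(key, nonce, counter + j // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[j:j + BLOCK], ks))
    return bytes(out)

def seal_packet(enc_key, mac_key, plaintext):
    """Encrypt, then compute the HMAC over nonce + ciphertext."""
    nonce = os.urandom(16)  # random nonce, as the slide requires
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # the tag itself is not encrypted

def open_packet(enc_key, mac_key, packet):
    """Check the HMAC first; decrypt only if it verifies."""
    if len(packet) < 16 + 32:
        raise ValueError("packet too short")
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ct)
```

Because the tag covers the ciphertext, a modified packet is rejected before any decryption work is done; without the tag, flipping a ciphertext bit in CTR mode flips the same plaintext bit undetected.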

CCM Mode
- Encryption and authentication together with block cipher
- Authentication by CBC MAC
- Encryption of message and of MAC by CTR mode
- Used in WiMAX communication

Public-Key Cryptography

Quadratic Residues
- Definition: An element x is a quadratic residue modulo n if there exists y such that $y^2 \equiv x \pmod n$
- If x is a quadratic residue and y is one of its roots, then so is $-y \bmod n$
- Claim: if p is a prime there are exactly (p-1)/2 quadratic residues in $Z_p$
- Claim: if p is a prime, and g is a generator of the multiplicative group, the quadratic residues are even powers of g.

Quadratic Residues
- Claim: an element x in $Z_p$ is a quadratic residue if and only if $x^{(p-1)/2} \equiv 1 \pmod p$

Generic Discrete Log
- Let G be a group and g an element of G. g is called the base.
- Let $y = g^x$. x is called the discrete log of y
- Example: y = gx mod p in $Z_p$
- Example: $y = g^x \bmod p$ in the multiplicative group of $Z_p$

Giant Step-Baby Step
- Goal: recover the discrete log in $O(|G|^{1/2})$ steps
- Input: y, g
- Output: x such that $g^x = y$
- Let $k \approx |G|^{1/2}$
- Compute and store $g^{ik}$ for i=0,…,k-1
- For every j=0,…,k-1 test if $y g^{-j}$ is one of the stored elements
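
The procedure above written out for the multiplicative group of $Z_p$, as an added example that is not part of the original slides. Assumptions: the function name `bsgs` and the optional `order` argument are hypothetical, and k is rounded up to $\lceil |G|^{1/2} \rceil$ so that every exponent 0..|G|-1 can be written as ik + j.

```python
import math

def bsgs(y, g, p, order=None):
    """Return x with g^x = y (mod p), or None if y is not a power of g.

    Follows the slide: store g^(ik) for i < k, then test y * g^(-j)
    for j < k. A hit means y * g^(-j) = g^(ik), so x = i*k + j.
    """
    n = order if order is not None else p - 1    # |G|
    k = math.isqrt(n - 1) + 1                    # ceil(sqrt(n))

    # Giant steps: table of g^(ik) -> i, about sqrt(|G|) entries.
    table = {}
    step = pow(g, k, p)
    cur = 1
    for i in range(k):
        table.setdefault(cur, i)   # keep the smallest i for each value
        cur = cur * step % p

    # Baby steps: multiply y by g^(-1) each round and look it up.
    g_inv = pow(g, -1, p)          # modular inverse, Python 3.8+
    cur = y % p
    for j in range(k):
        i = table.get(cur)
        if i is not None:
            return (i * k + j) % n
        cur = cur * g_inv % p
    return None
```

Time and memory are both about $|G|^{1/2}$ group operations and table entries, which is why the group must be large enough that its square root is still out of reach.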

Standard Discrete Log
- $y = g^x \bmod p$ in the multiplicative group of $Z_p$
- Computation takes $O(\log^3 p)$ steps
- Standard discrete log is believed to be a one-way function
- Can it be used as a hash function?

Key Exchange
- Idea was first presented by Diffie and Hellman
- Goal: two parties who do not share a secret perform a protocol and derive the same key
- Eve, who is listening in, cannot obtain the new shared key if she has limited computational resources.

Classic Scheme
- Each party generates a key pair: a private key and a public key.
- The public keys are exchanged.
- Both parties derive the same shared key from two public keys and a single private key.

Properties of Key Exchange
- Necessary security condition: the public key is a one-way function of the private key.
- Necessary “algebraic” condition: an appropriate combination of public and private keys to form a shared key is required
- Key exchange by itself is effective only against a passive adversary.
- Man-in-the-middle attack is lethal

Security Requirements
- Is the one-way relationship between public key and private key sufficient?
- A one-way function may leak some bits of its arguments. Example: $g^x \bmod p$
- Shared key may be compromised. Example: $g^{x+y} \bmod p$

Security Requirements (cont.)
- The full requirement is: given all the communication recorded throughout the protocol, computing any bit of the shared key is hard
- Note that the “any bit” requirement is especially important
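
A concrete case of the leak described above, as an added example that is not part of the original slides: when g generates the whole multiplicative group, the quadratic-residue test from the earlier slide reveals the low bit of x from $g^x \bmod p$, and tells a passive listener whether the shared key $g^{xy}$ is a quadratic residue. The function names and the toy parameters p = 101, g = 2 are assumptions chosen so the check can be exhaustive.

```python
def is_qr(a, p):
    """Euler's criterion: a is a quadratic residue mod prime p
    iff a^((p-1)/2) = 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1

def exponent_parity(public, p):
    """Low bit of x recovered from g^x mod p alone.
    Valid when g is a generator: residues are exactly the even powers."""
    return 0 if is_qr(public, p) else 1

def shared_key_is_qr(pub_a, pub_b, p):
    """g^(xy) is a residue iff xy is even, i.e. iff x or y is even.
    Uses only the two values seen on the wire."""
    return is_qr(pub_a, p) or is_qr(pub_b, p)

def eavesdrop_demo(p=101, g=2):
    """Run every exchange in a toy group (constructed parameters) and
    count how often the listener's three predictions are all correct."""
    total = correct = 0
    for x in range(1, p - 1):
        for y in range(1, p - 1):
            pub_a, pub_b = pow(g, x, p), pow(g, y, p)
            key = pow(pub_b, x, p)          # what Alice and Bob derive
            ok = (exponent_parity(pub_a, p) == x % 2
                  and exponent_parity(pub_b, p) == y % 2
                  and shared_key_is_qr(pub_a, pub_b, p) == is_qr(key, p))
            total += 1
            correct += ok
    return correct, total
```

The predictions are right in every run, so the raw value $g^{xy}$ fails the "any bit" requirement in this setting; choosing g to generate a prime-order subgroup removes this particular leak.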

Diffie-Hellman Algorithm
- Public parameters: a prime p, and an element g (possibly a generator of the multiplicative group of $Z_p$)
- Alice chooses x at random from the multiplicative group and sends $g^x \bmod p$
- Bob chooses y at random from the multiplicative group and sends $g^y \bmod p$
- Alice and Bob compute the shared key $g^{xy} \bmod p$

Computing DH
- Computation time $O(\log^3 p)$
- 1-10 key exchanges a second in real-world SW
- Up to 10 times that in HW. Beyond that: a heavy penalty in gate count
- Useful as key exchange, but not as block encryption

Other DH Systems
- The DH idea can be used with any group structure
- Limitation: groups in which the discrete log can be easily computed are not useful. Example: additive group of $Z_p$
- Currently useful DH systems: the multiplicative group of $Z_p$ and elliptic curve systems

Quantum Key Exchange

Some Properties of Photons
- Photons may be polarized, e.g. in the rectilinear basis or in the diagonal basis
- Assume a single photon is transmitted with a certain polarization
- The act of measuring its polarization may change it
- A filter with the same polarization will receive the photon

Properties (cont.)
- A filter with the orthogonal polarization will receive nothing
- A filter in a different basis will receive the photon with 0.5 probability

Qubits
- Each photon represents one bit. The value of the bit is determined by polarization
- In each basis, one filter direction represents 1 and the other represents 0
- If both sides choose the same basis, a qubit (bit passed by photon) is passed correctly
- If both sides choose different bases, there is a 50% chance that it is passed correctly and 50% that it is passed incorrectly

Eavesdropping
- If Eve correctly chooses the basis in which a qubit is sent, she obtains the bit
- If she chooses incorrectly, she obtains the correct bit with 0.5 probability
- Eve must retransmit the qubit to Bob
- By obtaining the qubit, she may have changed it.
- If the qubit is changed, Bob gets the wrong bit

Brassard-Bennett Key Exchange
- Alice chooses random n-bit key k
- Alice chooses n random bases
- Alice sends k as n qubits. The i-th qubit is transmitted using the i-th basis
- Bob chooses n random bases and measures the qubits
- Bob tells Alice what bases he chose
- Alice tells Bob which of these bases are correct
- Shared key: the bits for which Bob chose correctly
- Bob's message to Alice has to be authenticated. It does not have to be encrypted.
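
A classical simulation of the exchange above, with and without Eve measuring and retransmitting each qubit, as an added example that is not part of the original slides. Assumptions: the names `measure` and `run_exchange` are hypothetical, bases are encoded as 0 (rectilinear) and 1 (diagonal), and the random generator is seeded only so the run is reproducible.

```python
import random

def measure(bit, photon_basis, filter_basis, rng):
    """Same basis: the bit is read correctly.
    Different basis: the result is right or wrong with probability 0.5."""
    return bit if photon_basis == filter_basis else rng.randrange(2)

def run_exchange(n, eve=False, seed=0):
    """Simulate n qubits. Returns (kept, errors): the number of positions
    where Bob chose Alice's basis, and how many of those bits differ."""
    rng = random.Random(seed)
    key = [rng.randrange(2) for _ in range(n)]        # Alice's random bits
    a_bases = [rng.randrange(2) for _ in range(n)]    # Alice's bases
    b_bases = [rng.randrange(2) for _ in range(n)]    # Bob's bases

    kept = errors = 0
    for bit, a, b in zip(key, a_bases, b_bases):
        photon_bit, photon_basis = bit, a
        if eve:
            # Eve measures in a random basis and must retransmit what she
            # saw, polarized in her own basis.
            e = rng.randrange(2)
            photon_bit = measure(photon_bit, photon_basis, e, rng)
            photon_basis = e
        received = measure(photon_bit, photon_basis, b, rng)

        # Bob announces b, Alice says whether it matches a; only the
        # matching positions become shared key bits.
        if a == b:
            kept += 1
            errors += received != bit
    return kept, errors
```

Without Eve the kept bits always agree; with Eve measuring every qubit, about a quarter of the kept bits differ between Alice and Bob, which is the disturbance the Eavesdropping slide describes.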