Software Infrastructure for Electronic Commerce All About Cryptography Professor Fred B. Schneider Dept. of Computer Science Cornell University

1 Goals l Learn what problems can (and cannot) be addressed using cryptography. l Become convinced that: –Designing a decent cryptosystem is extremely difficult. –Using cryptography requires building a substantial (but easily overlooked) infrastructure.

2 Encryption and Decryption This is…aSxxyw Encrypt aSxxywThis is… Decrypt Encryption key Decryption key plaintext ciphertext

3 Encryption and Decryption: Terminology plaintext: input to encryption algorithm. ciphertext: output of encryption algorithm. shared key (symmetric key) cryptography: –encryption key and decryption keys the same. –Encrypt & Decrypt functions often the same. public key (asymmetric key) cryptography: –Encryption key and decryption keys different. –Encrypt & Decrypt functions are different.

4 Uses for Cryptography Secrecy: Obscure the contents of messages or stored data from eavesdroppers. Integrity: Detect any alteration performed after message or stored data is generated. Authentication: Verify the identity of the source of a message or stored data. (Authentication of messages is useful in making authorization decisions.) Non-repudiation: Establish for a third party the source and contents of a message or stored data.

5 What Encryption Does Confusion: Unable to predict how changing the plaintext alters the ciphertext. Diffusion: Local change to plaintext alters much of the ciphertext. a  x xy  yx Mechanisms: substitution and transposition. Final Result: computational secrecy: Depends on resource limits. Bigger keys better. perfect secrecy: Will never be broken.

6 Secret Key Encryption Algorithms DES (Data Encryption Standard) y64 bits in/out, 56 bits key. yComputationally (in)secure. $1M tries all DES keys in 7 hrs using 1993 hardware cracking machine. Triple-DES AES (Advanced Encryption Standard) “Rijndael” yVariable block length & variable key length (128, 192, 256) IDEA (International Data Encryption Algorithm) y64 bits in/out, 128 bit key. yComputationally secure: at 1 billion key-tries/sec/processor, system of a billion processors requires years to try every possible key (1000x longer than age of the universe).

7 Secret Key Encryption: Implementing Secrecy Notation: –E(m,K)Encrypt m using key K –D(x,K)Decrypt x using key K –A  B: msgA sends msg to B Protocol: 1. A  B: E(m, K AB ) A encrypts m using a key shared with B 2. B: D( E(m, K AB ), K AB ) B decrypts message it received.

8 Secret Key Encryption: Implementing Authentication A  B: I’m A B: Generate random r B B  A: r B A  B: E(r B, K AB ) B: D(E(r B, K AB ),K AB )=r B ? A: Generate random r A A  B: r A B  A: E(r A, K AB ) A: D(E(r A, K AB ), K AB ) = r A ?

9 Secret Key Encryption: Implementing Authentication A  B: I’m A A starts protocol B: Generate random r B B generates challenge B  A: r B A  B: E(r B, K AB ) A responds to B’s challenge B: D(E(r B, K AB ),K AB ) = r B ? B checks A’s response. Only A would know K AB A: Generate random r A A generates challenge A  B: r A B  A: E(r A, K AB ) B responds to A’s challenge A: D(E(r A, K AB ), K AB ) = r A ? A checks B’s response. Only B would know K AB

10 Secret Key Encryption: Key Management Problem Problem: N principals: N 2 keys (2 N keys for groups) Solution: Key Distribution Center (KDC) yEvery principal shares a key with KDC. (N keys needed for this) yKDC is trusted host: Generates keys only as needed. Communicates those keys to parties. Kerberos is an example. Mostly used for authentication / authorization in distributed systems (and not for secrecy).

11 Public Key Cryptography Must you already share a secret to share another? key needed A: Secret in chest; Secure with Lock A A A  B: Chest with Lock A A B  A: Chest with Lock A and Lock B A, B A: Remove Lock A B A  B: Chest with Lock B B B: Remove Lock B. Remove secret __ Key is a secret in chest. Lock is 1-way trap-door function.

12 Public Key Cryptography: Encryption and Decryption Notation: K A : public key for A (upper case K) k A : private key for A (lower case k) For key pair K,k: E(m,K): encrypt m with public key K D(x, k): decrypt x with private key k Properties: D( E(m,K), k) = m E( D(m,k), K) = m (Optional) E and D are expensive on long messages.

13 Public Key Cryptography: Encryption Algorithms l RSA (Rivest-Shamir-Adelman): Based on factoring large numbers and computing logarithms in finite fields. Patent rights expire in l Elliptic Curve Cryptography: The “new, new thing”; not everyone believes this is secure.

14 Public Key Cryptography: Digital signatures h( msg ) = E(, K FBS ) … to check signature validity Buy 100 QCOM for $132. -FBS D( h( msg ), k FBS ) msg D( h( msg ), k FBS ) {msg} FBS denotes message msg signed by k FBS ?

15 Public Key Cryptography: Properties of Cryptographic Hash hash function: Encryption without keys! Variable length input  Fixed length output ( bits). Infeasible to ydetermine input from output. yfind an input that has a particular (desired) output. yfind 2 inputs that have the same output. Changing one bit (or more) in input leads to completely different output. Examples of hash functions: MD5, SHA

16 Public Key Cryptography: Certificates Problem: How do principals learn others’ public keys? Solution: Employ a certification authority (CA): –Trusted server that generates certificates { Fred, K Fred } Verasign when presented with evidence of principal’s identity. –All hosts pre-configured with K Verasign. –CA need not be on-line. –Certificates can be stored anyplace and forwarded anywhere as needed.

17 Public Key Cryptography: Revocation of Certificates Problem: Compromise of a private key. Solutions: –Associate expiration dates with certificates. Risk: Period from compromise to expiration. –Periodically issue certificate revocation list (CRL). Risk: Denial of service to delay CRL arrival. –Support re-validation of certificates use.

18 Problem: Having a single CA is unrealistic! yNothing is trusted by everyone! yPerformance must scale. Solution: Multiple CA’s. To find K A, find: l If have K CA then find a certificate {A, K A } CA l Else find K CA1 for first link in chain: {CA2, K CA2 } CA1 {CA3, K CA3 } CA2 … {CA7, K CA7 } CA6 {A, K A } CA7 Each certificate may be managed by a different CA. What’s in a name? That’s the real problem… Public Key Cryptography: Multiple Certification Authorities

19 Public Key Cryptography: Web of Trust Problem: Having a single CA is unrealistic! yNothing is trusted by everyone! yPerformance must scale. Solution: Have principals endorse certificates. l If receive enough endorsements from principals that you trust, then you decide binding is correct. l Revocation is difficult to manage. l Introduced in PGP mail system.

20 Public Key Cryptography: Public Key Infrastructure l Creation of certificates. l Dissemination of certificates. l Revocation of certificates. l Key escrow. –Allow recovery of data encrypted by an old key. l Data archives with old keys.

21 Misuse of Cryptography Software-implemented content protection is a flawed idea. Example: DVD encryption: yDVD encrypted using CCS (content scrambling system) 40 bit key. Weak key! yEvery DVD player comes with several “unlock” keys. yEvery DVD stores 400 copies of content decryption key; each copy is encrypted with a different “unlock” key. yContent decryption key must appear in the clear. yWith secure hardware, scheme would work… 11/1/99: DVD’s effectively no longer have their content protected. But copyright law still applies.

22 Misplaced Trust l Trust a certificate? Better trust the issuing CA! –Anyone can assign a name. –Anyone can assume a name. l Is your signing key secure? –Virus and malicious code attacks –(Guessable) password protected?