Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy
Cryptography
Is
- A tremendous tool
- The basis for many security mechanisms
Is not
- The solution to all security problems
- Reliable unless implemented properly
- Reliable unless used properly
- Something you should try to invent yourself unless
  - you spend a lot of time becoming an expert
  - you subject your design to outside review
Basic Cryptographic Concepts
- Encryption scheme: functions to encrypt, decrypt data; key generation algorithm
- Symmetric key vs. asymmetric (public) key
  - Symmetric key: more efficient, generally $key = key^{-1}$
  - Public key: publishing $key$ does not reveal $key^{-1}$
- Signature scheme: functions to sign data, verify signature
- Hash function, MAC
  - Map input to short hash; ideally, no collisions
  - MAC (keyed hash) used for message integrity
All of these primitives are used in SSL/TLS
Our Approach
- Analyze systems and protocols that use cryptographic primitives such as SSL, assuming that the primitives are themselves secure
- How is security of cryptographic primitives defined?
  - Today’s lecture
- How are primitives constructed that satisfy these definitions?
  - : Applied Cryptography
  - : Introduction to Theoretical Cryptography
- Will put up additional slides for optional reading
We will cover
- Symbolic model
  - Modeling “perfect” cryptography – always secure
  - Abstraction enables mechanized analysis
- Complexity-theoretic model
  - Security definitions given by “games”
  - Security properties guaranteed with high probability (almost always) against probabilistic polynomial time adversaries
Symmetric encryption
- Can compute message $m$ and key $k$ from set $S$ of messages implies can compute encryption $\{m\}_k$ from the same set $S$

  $$\frac{S \vdash m \qquad S \vdash k}{S \vdash \{m\}_k} \quad (1)$$

- Can compute encrypted message (cipher-text) $\{m\}_k$ and key $k$ implies can recover message $m$

  $$\frac{S \vdash \{m\}_k \qquad S \vdash k}{S \vdash m} \quad (2)$$

- Formally, messages are terms of a term algebra
Asymmetric encryption
- Can compute message $m$ and public key $K$ implies can compute encryption $\{m\}_K$

  $$\frac{S \vdash m \qquad S \vdash K}{S \vdash \{m\}_K} \quad (3)$$

- Can compute encrypted message (cipher-text) $\{m\}_K$ and inverse key $K^{-1}$ implies can recover message $m$

  $$\frac{S \vdash \{m\}_K \qquad S \vdash K^{-1}}{S \vdash m} \quad (4)$$

- Each principal has a public-private encryption key pair
Digital signature
- Can compute message $m$ and signing key $s^{-1}$ implies can compute signature $sig(s^{-1}, m)$

  $$\frac{S \vdash m \qquad S \vdash s^{-1}}{S \vdash sig(s^{-1}, m)} \quad (5)$$

- Given signature $sig(s^{-1}, m)$ and inverse key $s$, can verify signature
  - Usually modeled using pattern matching
Hash function
- Can compute message $m$ implies can compute hash $h(m)$

  $$\frac{S \vdash m}{S \vdash h(m)} \quad (6)$$

- Given message $m$ and key $k$, can compute keyed hash $h(k,m)$

  $$\frac{S \vdash m \qquad S \vdash k}{S \vdash h(k,m)} \quad (7)$$

- (7) is a special case of (6) in the symbolic model
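Rules (1)-(7) can be applied mechanically to decide whether a knowledge set S derives a term. The Python code below is an added example, not part of the original slides; the tuple encoding of terms, the function names (`inv`, `synth`, `analyze`, `derivable`) and the sample knowledge sets are assumptions made for illustration.

```python
# Added example: symbolic derivability check S |- t for rules (1)-(7).
# Term encoding is an assumption of this example: atoms are strings, compound
# terms are tuples ("enc", m, k), ("aenc", m, K), ("sig", s_inv, m),
# ("hash", m), ("mac", k, m); ("inv", K) is the inverse (private) key of K.
BUILDABLE = {"enc", "aenc", "sig", "hash", "mac"}

def inv(key):
    """Inverse of an asymmetric key: inv(inv(K)) == K."""
    return key[1] if isinstance(key, tuple) and key[0] == "inv" else ("inv", key)

def synth(known, term):
    """Rules (1), (3), (5), (6), (7): build a term from derivable parts."""
    if term in known:
        return True
    if isinstance(term, tuple) and term[0] in BUILDABLE:
        return all(synth(known, part) for part in term[1:])
    return False  # unknown atoms and inverse keys cannot be constructed

def analyze(S):
    """Rules (2), (4): decrypt ciphertexts whose decryption key is derivable."""
    known, changed = set(S), True
    while changed:  # repeat until no new plaintext is learned
        changed = False
        for term in list(known):
            if isinstance(term, tuple) and term[0] in ("enc", "aenc"):
                _, msg, key = term
                dec_key = key if term[0] == "enc" else inv(key)
                if msg not in known and synth(known, dec_key):
                    known.add(msg)
                    changed = True
    return known

def derivable(S, term):
    """True if S |- term under rules (1)-(7)."""
    return synth(analyze(S), term)

# Constructed sample knowledge sets (not from the slides).
S_WITH_KEY = {("enc", "secret", "k1"), ("aenc", "k1", "Kb"), ("inv", "Kb"), "Ka"}
S_NO_KEY = S_WITH_KEY - {("inv", "Kb")}

if __name__ == "__main__":
    print(derivable(S_WITH_KEY, "secret"))
    print(derivable(S_NO_KEY, "secret"))
    print(derivable(S_WITH_KEY, ("mac", "k1", "secret")))
    print(derivable(S_WITH_KEY, ("sig", ("inv", "Ka"), "secret")))
```

Hashes, MACs and signatures are only ever constructed here, never taken apart, which is what makes the modeled cryptography "perfect".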
We will cover
- Symbolic model
  - Modeling “perfect” cryptography – always secure
  - Abstraction enables mechanized analysis
- Complexity-theoretic model
  - Security definitions given by “games”
  - Security properties guaranteed with high probability (almost always) against probabilistic polynomial time adversaries
Digital signatures
[Diagram: signature scheme game between C and A, with labels $Sig(S^{-1}, m_i)$, $m_i$ and $Sig(S^{-1}, m)$]
- Attacker wins if $m \neq m_i$
- Messages are bit-strings
- Attacker is a PPT Turing Machine
- UF-CMA security: PPT attackers A negligible function f n0 security parameters n ≥ n0
  Prob [m ≠ mi | A plays by the rules] <= f(n)
- Intuition: Signatures should be unforgeable with high probability
Keyed Hash (MAC)
[Diagram: game between C and A, with labels $h(k, m_i)$, $m_i$ and $h(k, m)$]
- Attacker wins if $m \neq m_i$
- Messages are bit-strings
- Attacker is a PPT Turing Machine
- CMA security: PPT attackers A negligible function f n0 security parameters n ≥ n0
  Prob [m ≠ mi | A plays by the rules] <= f(n)
- Intuition: MACs should be unforgeable with high probability
Asymmetric encryption
[Diagram: game between C and A, with labels $m$, $\{m\}_K$, $m$, $\{m_b\}_K$, $m_0, m_1$ and $d$]
- Attacker wins if d = b
- Messages are bit-strings
- Attacker is a PPT Turing Machine
- IND-CCA2 security: PPT attackers A negligible function f n0 security parameters n ≥ n0
  Prob [d = b | A plays by the rules] <= ½ + f(n)
- Intuition: Encryption reveals no information about message
Hash functions
- Preimage resistant
- Second preimage resistant
- Collision resistant
  - Given hash function h: X Y
  - Find: x, x’ X s.t x ≠ x’ and h(x) = h(x’)
  - Should be difficult!
  - PPT attackers A negligible function f n0 security parameters n ≥ n0
    Prob [A finds x, x’ X s.t x ≠ x’ and h(x) = h(x’)] <= f(n)
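Putting it together: SSL/TLS
[Diagram: messages between C and S, in the order shown]
1. $N_1$, $Version_1$
2. $N_2$, $Version_2$, $sig(CA^{-1}, S, K_s)$
3. $Sig(CA^{-1}, C, K_c)$, $Sig(K_c, handshake_1)$, $\{secret\}_{K_s}$, $h(secret, handshake_1, \text{“client”})$
4. $h(secret, handshake_2, \text{“server”})$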
Questions?