4. Using Encryption Wisely
Sujeet Shenoi
Center for Information Security, Department of Computer Science
The University of Tulsa, Tulsa, OK
4. Using Encryption Wisely
- Encryption by itself can give a "false sense of security"
- It must be used correctly, in both practices (this section) and protocols (the next section)
Encryption Speed
- (figure: delay time, increasing from stream ciphers through stream-block hybrids to block ciphers)
- DES: 64-bit blocks
- RSA: blocks as large as the modulus (limited security with short blocks)
- Speed
  - Symmetric algorithms are much faster than asymmetric ones (roughly 1,000 to 5,000 times)
  - Hardware implementations are much faster than software ones:
      Algorithm   Hardware            Software
      RSA         220 Kbit/s          0.5 Kbit/s per MIPS
      DES         1,200,000 Kbit/s    400 Kbit/s per MIPS
Block Replay
- Transaction format (48 bytes, six DES blocks, each block encrypted independently):
      Field        Depositor Name   SrcAct   DestAct   Amount
      Size         24 bytes         8        8         8
      DES blocks   3                1        1         1
- Original transactions:
      Intruder    xxx   I#    zz$
      John Doe    yyy   JD#   8K$
- Fabricated transaction: the intruder, who cannot read the ciphertext, simply splices the SrcAct and Amount ciphertext blocks of John Doe's transaction into his own; they decrypt correctly because every block is encrypted independently:
      Intruder    yyy   I#    8K$
Block Chaining
- Prevents "block replay"
- Uses exclusive-or: x ⊕ x = 0 (1011 ⊕ 1011 = 0000)
- Encryption
  - C_1 = {P_1}K
  - C_2 = {P_2 ⊕ C_1}K
  - C_j = {P_j ⊕ C_{j-1}}K
- Decryption (D_K: decryption under K)
  - P_1 = D_K(C_1)
  - P_2 = D_K(C_2) ⊕ C_1
  - P_j = D_K(C_j) ⊕ C_{j-1}
Initial Chaining Value
- Block chaining conceals identical blocks only if each block is preceded by something unique
- Suppose messages always begin with "US Army HQ": with plain chaining the first ciphertext block is the same every time
- Fix: start the chain with a random initial vector (IV) that is itself encrypted and sent as the first block
- Encryption
  - C_1 = {IV}K (IV: random initial vector)
  - C_2 = {P_1 ⊕ C_1}K
  - C_j = {P_{j-1} ⊕ C_{j-1}}K
- Decryption
  - P_0 = D_K(C_1) (= IV, discarded)
  - P_j = D_K(C_{j+1}) ⊕ C_j
One-Way Encryption
- Use special functions that are easy to compute but hard to invert
  - f(x) = x^3: x = f(x)^(1/3) is difficult to compute when the arithmetic is done modulo a large composite
  - f(x) = x^2: no unique inverse (e.g., f(x) = 4 for both x = 2 and x = -2)
- Password checking
  - System stores f(pwd), never pwd
  - User enters a string; system computes f(string) and compares it with the stored f(pwd)
- Internet Worm (Nov. 2, 1988): guessed passwords by running a dictionary of candidates through f and comparing the results with the stored f(pwd) values
Cryptographic Sealing
- Goal: integrity (as opposed to secrecy)
- Store M together with SHA(M); recompute and compare when M is used
- A cryptographic checksum could also be the last block of a chained DES encryption of M (a keyed checksum, since it needs K)
- Caveat: an unkeyed hash stored next to M only detects accidental change; anyone who can rewrite M can rewrite SHA(M) too, so a seal against an adversary must be keyed (as the DES variant is) or signed
Authentication and Time Stamps
- Authentication: e.g., biometrics
- Time stamps
  - Prevent replays
  - Establish chronology
  - Sender's and receiver's time stamps must agree (clocks synchronized, stamps accepted only within a window)
Cipher Block Chaining (CBC)
- Prevents block replay
- Self-healing: an error in ciphertext block C_j garbles B_j and B_{j+1} only; later blocks decrypt correctly
- Encryption
  - C_1 = {B_1}K (usually B_1 = initial vector)
  - C_2 = {B_2 ⊕ C_1}K
  - C_j = {B_j ⊕ C_{j-1}}K
- Decryption
  - B_j = D_K(C_j) ⊕ C_{j-1}
Cipher Feedback (CFB)
- The block nature of DES is inconvenient
  - A partial final block must be padded (size of ciphertext > size of plaintext)
  - Encryption cannot begin until an entire 64-bit block is input (on secure networks every character must be encrypted as it is typed)
- CFB uses the block cipher to build a stream cipher (one character at a time)
  - A transmission error in one character garbles that character and the next 8 (one 64-bit shift register's worth), after which decryption recovers
Double Encryption
- DES is "weak": a 56-bit key
- Can we use two 56-bit DES keys back to back? {{Message}K_1}K_2
  - One 56-bit key: 2^56 possibilities
  - Two 56-bit keys: 2^112 possibilities? No!
  - With one known plaintext/ciphertext pair, a meet-in-the-middle attack costs about 2^57 DES operations (plus 2^56 storage): encrypt the plaintext under every K_1, decrypt the ciphertext under every K_2, and look for a match (Merkle and Hellman, 1981)
Triple DES
- Uses two 56-bit DES keys; same hardware/software as DES
- Encryption (encrypt-decrypt-encrypt)
  1. C_1 = DES Encrypt(P, K_1)
  2. C_2 = DES Decrypt(C_1, K_2)
  3. C_3 = DES Encrypt(C_2, K_1)
- Decryption
  1. D_2 = DES Decrypt(C_3, K_1)
  2. D_1 = DES Encrypt(D_2, K_2)
  3. P = DES Decrypt(D_1, K_1)
- With K_1 = K_2 the middle step undoes the first, so the same EDE hardware also performs single DES
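The following program is an added example written for this page (it is not code from the course or from the slides) that exercises the Block Replay, Block Chaining / CBC, Cryptographic Sealing, Double Encryption and Triple DES slides above in one place. DES is not in Python's standard library, so the block cipher is a toy 8-round Feistel network built on SHA-256; this is an assumption of the example: the cipher is not secure, but it has the 64-bit block structure the modes need and accepts 16-bit keys, which keeps the meet-in-the-middle attack cheap enough to run. The transactions, keys and the 8-byte known plaintext are constructed from the slide's example.

```python
import hashlib
import os
import struct

BLOCK = 8  # 64-bit blocks, as in DES


# Toy Feistel cipher standing in for DES (assumption of this example; NOT secure).
def _f(half: int, subkey: bytes) -> int:
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    L, R = struct.unpack(">II", block)
    for r in rounds:
        L, R = R, L ^ _f(R, key + bytes([r]))
    return struct.pack(">II", R, L)  # final swap: decryption = same network, rounds reversed


def enc(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(8))


def dec(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(8)))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: every block encrypted independently, so blocks can be cut and pasted.
def ecb_encrypt(key, data):
    return b"".join(enc(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(dec(key, b) for b in _blocks(data))


# CBC: C_j = E_K(P_j XOR C_{j-1}) with C_0 = IV;  P_j = D_K(C_j) XOR C_{j-1}.
def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for p in _blocks(data):
        prev = enc(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(dec(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_mac(key, data):
    """Seal from the Cryptographic Sealing slide: last block of a CBC encryption (zero IV)."""
    return cbc_encrypt(key, bytes(BLOCK), data)[-BLOCK:]


# Transaction layout from the Block Replay slide: name 24 B, SrcAct 8 B, DestAct 8 B, Amount 8 B.
def transaction(name, src, dst, amount):
    return b"".join(f.ljust(n).encode() for f, n in ((name, 24), (src, 8), (dst, 8), (amount, 8)))


INTRUDER = transaction("Intruder", "xxx", "I#", "zz$")  # constructed from the slide
VICTIM = transaction("John Doe", "yyy", "JD#", "8K$")
FORGED = transaction("Intruder", "yyy", "I#", "8K$")


def splice(ct_intruder, ct_victim):
    """Block replay: keep the intruder's name (blocks 0-2) and DestAct (block 4);
    take SrcAct (block 3) and Amount (block 5) from the victim's ciphertext."""
    a, v = _blocks(ct_intruder), _blocks(ct_victim)
    return b"".join([a[0], a[1], a[2], v[3], a[4], v[5]])


def replay_under_ecb(key):
    return ecb_decrypt(key, splice(ecb_encrypt(key, INTRUDER), ecb_encrypt(key, VICTIM)))


def replay_under_cbc(key):
    iv_i, iv_v = os.urandom(BLOCK), os.urandom(BLOCK)
    forged = splice(cbc_encrypt(key, iv_i, INTRUDER), cbc_encrypt(key, iv_v, VICTIM))
    return cbc_decrypt(key, iv_i, forged)


# Double encryption and the meet-in-the-middle attack: with 16-bit toy keys,
# 2^16 encryptions + 2^16 decryptions instead of 2^32 trials.
KEY_BYTES = 2


def double_encrypt(k1, k2, block):
    return enc(k2, enc(k1, block))


def meet_in_the_middle(plain, cipher):
    """Recover (k1, k2) from one known plaintext/ciphertext pair."""
    space = range(1 << (8 * KEY_BYTES))
    table = {enc(k.to_bytes(KEY_BYTES, "big"), plain): k for k in space}  # E_k1(P) -> k1
    for k2 in space:
        k2b = k2.to_bytes(KEY_BYTES, "big")
        mid = dec(k2b, cipher)                                            # D_k2(C)
        if mid in table:
            return table[mid].to_bytes(KEY_BYTES, "big"), k2b
    return None


# Triple DES style EDE with two keys; K1 == K2 collapses to single encryption.
def ede_encrypt(k1, k2, block):
    return enc(k1, dec(k2, enc(k1, block)))


def ede_decrypt(k1, k2, block):
    return dec(k1, enc(k2, dec(k1, block)))
```

Under ECB `replay_under_ecb` returns exactly the fabricated "Intruder yyy I# 8K$" record; under CBC the intruder's own first three blocks still decrypt, but every block at or after a splice boundary is garbage because its chaining value no longer matches. CBC is still not an integrity mechanism: a run of consecutive blocks pasted from another message garbles only the first block of the run, which is why the seal (`cbc_mac`, or a signed hash) is needed as well. `meet_in_the_middle` finds both keys after about 2^17 toy encryptions, and `ede_encrypt(k, k, P)` equals `enc(k, P)`, which is the compatibility property behind the EDE ordering.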
5. Cryptographic Protocols
Sujeet Shenoi
Center for Information Security, Department of Computer Science
The University of Tulsa, Tulsa, OK
5. Cryptographic Protocols
- Cryptographic protocol: an orderly sequence of steps, carried out by two or more parties, to achieve certain security properties
- A protocol must be
  - established in advance
  - mutually subscribed to by all parties
  - unambiguous
  - complete (a prescribed action for every situation that can arise)
Kinds of Protocols
- Arbitrated protocols
  - A trusted third party participates in each transaction
  - Expensive, slow, and the arbiter is a single point of vulnerability
- Adjudicated protocols
  - A third party judges fairness after the fact
  - Address the disadvantages of arbitrated protocols
  - Detect failure only after the fact
- Self-enforcing protocols
  - Guarantee fairness; cheating is immediately obvious to the other party
  - May not exist for every situation
Applications of Protocols
- Key distribution
- Certificates
- Digital signatures
- Clipper key exchange
- Mental poker
- Voting by computer
- Oblivious transfer
- Contract signing
- Certified mail
Key Distribution Protocols
1. Symmetric key exchange (without server)
2. Symmetric key exchange (with server)
3. Asymmetric key exchange (without server)
4. Asymmetric key exchange (with server)
Symmetric Key Exchange (No Server)
- Requirement: A and B already share a master key K_M
- Protocol
  1. A: generates a session key K_S
  2. A -> B: {K_S}K_M
Symmetric Key Exchange (Server): Needham-Schroeder Protocol
1. A -> S: A, B, I_A (I_A: a fresh nonce serving as unique session ID)
2. S -> A: {I_A, B, K_AB, {K_AB, A}K_B}K_A (K_AB: new session key; I_A and B let A check the reply is fresh and for the right partner)
3. A -> B: {K_AB, A}K_B
- The published protocol continues with a challenge from B, {I_B}K_AB, answered by A with {I_B - 1}K_AB, so that B knows A holds K_AB
- Caveat: nothing in {K_AB, A}K_B is fresh for B, so an attacker who later recovers an old K_AB can replay step 3 and answer B's challenge as A (Denning and Sacco, 1981)
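As an added example, not taken from the slides, the following Python program runs the Needham-Schroeder exchange above with S, A and B as objects, includes the two challenge-response steps the published protocol adds after step 3, and then shows the replay that the missing freshness in {K_AB, A}K_B permits. Every {X}K is modelled by a toy construction (random IV, SHA-256-derived keystream, HMAC tag so that tampering is detected); that construction, the 16-byte keys, 8-byte nonces and the length-prefixed field packing are all assumptions of the example, not part of the protocol as presented.

```python
import hashlib
import hmac
import os


# Toy symmetric encryption for {X}K (assumption of this example; not a real cipher).
def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plain):
    iv = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, iv, len(plain))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]
    return iv + tag + ct


def unseal(key, blob):
    iv, tag, ct = blob[:8], blob[8:24], blob[24:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("message was not produced under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))


# Length-prefixed fields so names, nonces and keys travel in one message.
def pack(*fields):
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def _minus_one(nonce):
    return ((int.from_bytes(nonce, "big") - 1) % (1 << 64)).to_bytes(8, "big")


class Server:
    """S: shares a long-term key with every principal and mints session keys."""
    def __init__(self):
        self.keys = {}

    def step2(self, msg1):
        a, b, i_a = unpack(msg1)                     # 1. A -> S: A, B, I_A
        k_ab = os.urandom(16)
        ticket = seal(self.keys[b], pack(k_ab, a))   # {K_AB, A}K_B: only B can open it
        return seal(self.keys[a], pack(i_a, b, k_ab, ticket))  # 2. S -> A


class Principal:
    def __init__(self, name, server):
        self.name, self.server, self.key = name.encode(), server, os.urandom(16)
        server.keys[self.name] = self.key
        self.pending, self.sessions = {}, {}

    # --- initiator side (A) ---
    def initiate(self, peer):
        i_a = os.urandom(8)
        reply = self.server.step2(pack(self.name, peer.name, i_a))
        i_a2, b, k_ab, ticket = unpack(unseal(self.key, reply))
        if i_a2 != i_a or b != peer.name:        # I_A and B prove the reply is fresh and for this peer
            raise ValueError("stale or misdirected server reply")
        challenge = peer.step3(ticket)           # 3. A -> B: {K_AB, A}K_B   4. B -> A: {I_B}K_AB
        i_b = unseal(k_ab, challenge)
        peer.step5(self.name, seal(k_ab, _minus_one(i_b)))   # 5. A -> B: {I_B - 1}K_AB
        return k_ab, ticket

    # --- responder side (B) ---
    def step3(self, ticket):
        k_ab, a = unpack(unseal(self.key, ticket))   # nothing here tells B the ticket is fresh
        i_b = os.urandom(8)
        self.pending[a] = (k_ab, i_b)
        return seal(k_ab, i_b)

    def step5(self, a, reply):
        k_ab, i_b = self.pending.pop(a)
        if unseal(k_ab, reply) != _minus_one(i_b):
            raise ValueError("peer does not hold K_AB")
        self.sessions[a] = k_ab
        return True


def run_protocol():
    """Honest run: returns whether A and B ended up with the same K_AB, plus the artefacts."""
    s = Server()
    alice, bob = Principal("A", s), Principal("B", s)
    k_ab, ticket = alice.initiate(bob)
    return k_ab == bob.sessions[b"A"], k_ab, ticket, bob


def replay_old_ticket(bob, ticket, old_k_ab):
    """Denning-Sacco replay: an attacker holding an old ticket and its (compromised) K_AB
    replays step 3 and passes B's challenge without S or A being involved."""
    challenge = bob.step3(ticket)
    i_b = unseal(old_k_ab, challenge)
    return bob.step5(b"A", seal(old_k_ab, _minus_one(i_b)))
```

`run_protocol` succeeds, and `replay_old_ticket` succeeds with the very same ticket and key, which is the point of the caveat: B accepts the old K_AB as a fresh session with A. An attacker without the old K_AB cannot answer the challenge (`unseal` rejects the tag), so the challenge steps protect against a bare ticket replay but not against a compromised old session key; a timestamp or a nonce from B inside the ticket is the standard repair.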
Asymmetric Key Exchange (No Server)
- Important point: asymmetric encryption is very expensive; never encrypt the message itself, transmit an encrypted symmetric key instead
- Protocol
  1. A -> B: {{K_AB}K_A priv}K_B pub (signed by A, readable only by B)
  2a. B -> A: {n}K_AB (n: random number)
  2b. A -> B: {n + 1}K_AB
Asymmetric Key Exchange (Server)
1. A -> S: A, B
2. S -> A: {K_B pub, B}K_S priv
3. A -> B: {A, I_A}K_B pub (I_A: message reference)
4. B -> S: B, A
5. S -> B: {K_A pub, A}K_S priv
6. B -> A: {I_A, I_B}K_A pub (I_B: message reference)
7. A -> B: {K_AB, I_B}K_B pub (K_AB: the session key is the message)
Certificates
- A certificate binds an individual's identity to a public key, signed by an authority
- Example hierarchy: A is President and CEO; B and C are Vice Presidents; C supervises D and E
  - B's certificate: {ID_B, Pos_B, K_B pub, H(.)}K_A priv
  - C's certificate: {ID_C, Pos_C, K_C pub, H(.)}K_A priv
  - D's certificate: {ID_D, Pos_D, K_D pub, H(.)}K_C priv, presented together with C's certificate so that the chain can be verified up to A
- Always need a top-level authority, whose public key must be trusted out of band
Digital Signature Protocols
- Goals for a signed message [M, sig(M, P)]
  - Non-forgeable
  - Authentic
  - Non-alterable; non-reusable
  - Non-repudiation
- Three approaches
  - Symmetric key protocol (arbiter A needed)
  - Cryptographic sealing (arbiter A needed)
  - Asymmetric key protocol (self-enforcing)
Symmetric Key (Digital Signature)
- Symmetric key protocol (non-forgeability, authenticity, non-repudiation); the arbiter A shares K_S with S and K_R with R
  1. S -> A: {M}K_S
  2. A -> R: {M, S, {M}K_S}K_R
  3. R: unlocks with K_R; saves M and {M}K_S as evidence (A can later confirm that {M}K_S was made with S's key)
Cryptographic Sealing (Digital Signature)
- Cryptographic sealing function f(M): a value unique to M
- S and R register their sealing functions f_S and f_R with the arbiter A
- Protocol (no secrecy)
  1. S -> A: M, f_S(M)
  2. A: recomputes f_S(M) and compares it with the f_S(M) received from S
  3. A -> R: M, S, f_S(M), f_R(M, S)
Asymmetric Key (Digital Signature)
- Protocol 1 (non-forgeability, authenticity, non-repudiation)
  - S -> R: {M}K_S priv
  - R: {{M}K_S priv}K_S pub = M (saves {M}K_S priv as evidence)
- Protocol 2 (double encryption: adds privacy)
  - S -> R: {{M}K_S priv}K_R pub
  - R: removes the outer layer with K_R priv first, then verifies with K_S pub: {{{{M}K_S priv}K_R pub}K_R priv}K_S pub = M
Clipper Key Exchange Algorithm
- Seven-step protocol: three steps for key exchange, four steps for mutual authentication
- S and R share a secret key K_P, a symmetric algorithm and an asymmetric algorithm
Clipper Key Exchange (contd.)
- Step 1: S -> R: {K_S pub}K_P
- Step 2: R uses K_P to obtain K_S pub; R chooses a random session key K_k; R -> S: {{K_k}K_P}K_S pub
- Step 3: S uses K_S priv and then K_P to obtain K_k
Clipper Authentication (contd.)
- Step 4: S -> R: {M}K_k (M: random string)
- Step 5: R uses K_k to obtain M; R -> S: {M, N}K_k (N: random string)
- Step 6: S uses K_k to obtain M and N; checks that M came back unchanged (R holds K_k) and returns N to R under K_k
- Step 7: R checks N (S holds K_k)
Mental Poker Protocol
- Symmetric key implementation (requires a cipher for which locking commutes: {{m}K_A}K_B = {{m}K_B}K_A; below, {{m}K}K denotes unlocking with the same key)
  1. A -> B: {m_1}K_A ... {m_10}K_A
  2. B: locks 5 of the messages a second time: {{m_j}K_A}K_B ...
  3. B -> A: the other 5, {m_i}K_A ..., together with {{m_j}K_A}K_B ...
  4. A: unlocks all 10 messages with K_A; keeps the 5 that come out in clear: {{m_i}K_A}K_A = m_i ...
  5. A -> B: {{{m_j}K_A}K_B}K_A = {m_j}K_B ...
  6. B: unlocks all 5 messages with K_B; keeps {{m_j}K_B}K_B = m_j ...
Mental Poker Protocol (contd.)
- Asymmetric key implementation (the same commutativity is required: textbook RSA under two different moduli does not commute, so the scheme of Shamir, Rivest and Adleman uses exponentiation modulo a prime shared by both players)
  1. A -> B: {m_1}K_A pub ... {m_10}K_A pub
  2. B: locks 5 messages: {{m_j}K_A pub}K_B pub ...
  3. B -> A: {m_i}K_A pub ... and {{m_j}K_A pub}K_B pub ...
  4. A: unlocks all 10 messages with K_A priv; keeps 5: {{m_i}K_A pub}K_A priv = m_i ...
  5. A -> B: {{{m_j}K_A pub}K_B pub}K_A priv = {m_j}K_B pub ...
  6. B: unlocks all 5 messages with K_B priv; keeps 5: {{m_j}K_B pub}K_B priv = m_j ...
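As an added example (not code from the slides), the following Python program deals the ten-card hand of the two slides above with a commutative cipher in the style of Shamir, Rivest and Adleman: each player's key is an exponent e coprime with P - 1 together with its inverse d, locking is m^e mod P, and both players use the same prime P. The choice of the Mersenne prime 2^61 - 1, the ten-card deck of small integers, and the `keygen`/`lock`/`unlock` names are assumptions of the example. It also shows the known leak in this construction: locking preserves whether a card is a quadratic residue, so a player learns one bit about every card he handles but cannot read.

```python
import secrets
from math import gcd

P = (1 << 61) - 1  # Mersenne prime shared by both players (assumption: any large prime works)


def keygen():
    """Commutative cipher key: an odd exponent e coprime with P-1 and its inverse d (needs Python 3.8+)."""
    while True:
        e = secrets.randbelow(P - 1)
        if e > 1 and gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def lock(m, e):      # {m}K
    return pow(m, e, P)


def unlock(c, d):    # inverse of lock: (m^e)^d = m^(ed) = m  since ed = 1 mod (P-1)
    return pow(c, d, P)


def commutes(m):
    """{{m}K1}K2 unlocked with K1 gives {m}K2: the property step 5 of the protocol relies on."""
    e1, d1 = keygen()
    e2, _ = keygen()
    return unlock(lock(lock(m, e1), e2), d1) == lock(m, e2)


def deal(deck):
    """Run the slide's exchange for a 10-card deck; returns (A's hand, B's hand)."""
    e_a, d_a = keygen()
    e_b, d_b = keygen()
    # 1. A -> B: {m_1}K_A ... {m_10}K_A, in random order so B cannot tell the cards apart
    locked_by_a = [lock(m, e_a) for m in deck]
    secrets.SystemRandom().shuffle(locked_by_a)
    # 2. B picks 5 for A (sent back as they are) and 5 for himself, which he locks with K_B
    for_a = locked_by_a[:5]
    for_b = [lock(c, e_b) for c in locked_by_a[5:]]          # {{m_j}K_A}K_B
    # 3./4. B -> A; A unlocks all 10 with K_A: singly locked cards come out in clear
    hand_a = [unlock(c, d_a) for c in for_a]                 # m_i
    to_b = [unlock(c, d_a) for c in for_b]                   # {m_j}K_B, because lock commutes
    # 5./6. A -> B; B unlocks with K_B
    hand_b = [unlock(c, d_b) for c in to_b]                  # m_j
    return hand_a, hand_b


def legendre(x):
    """Euler's criterion: 1 if x is a quadratic residue mod P, P-1 otherwise."""
    return pow(x, (P - 1) // 2, P)


def residuosity_leak(m):
    """Because e is odd, {m}K has the same quadratic residuosity as m, so a locked card
    still reveals this bit to whoever handles it (Lipton's attack on the SRA scheme)."""
    e, _ = keygen()
    return legendre(lock(m, e)) == legendre(m)
```

`deal` returns two disjoint five-card hands that together make up the deck, and neither player ever saw the other's cards in clear. `residuosity_leak` is true for every card: in the deal above B can sort A's five cards into residues and non-residues before returning them, which is enough to bias the choice, so a real implementation must encode cards so that all of them are residues (or use a different commutative scheme).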
Voting by Computer Protocol
- A 2n-link chain (n: number of voters)
- Results at each link can be made public without destroying anonymity
- During the last n links anyone can go back to check, but only one voter can go forward
- Assume three voters (J, K, L), each with two public key pairs
  - (K_J priv, K_J pub); (K_K priv, K_K pub); (K_L priv, K_L pub)
  - (R_J priv, R_J pub); (R_K priv, R_K pub); (R_L priv, R_L pub)
  - Encryption under R_i pub embeds a random string, which allows voter i to recognise and check his own vote
Voting by Computer (contd.)
- Step 0: each voter encrypts his vote under all six public keys and sends it to J
  - J has, for every i: R_J pub ∘ R_K pub ∘ R_L pub ∘ K_J pub ∘ K_K pub ∘ K_L pub (v_i)
- Steps 1-3: J (then K, then L) verifies that his own vote is in the pool using R_J priv (R_K priv, R_L priv), applies R_J priv (R_K priv, R_L priv) to each vote, and sends the votes on to K (L, J)
  - After step 3, J has: K_J pub ∘ K_K pub ∘ K_L pub (v_i)
Voting by Computer (contd.)
- Steps 4-6: J (then K, then L) applies K_J priv (K_K priv, K_L priv) to each vote, signs all the votes, and sends them on to K (L)
  - L ends up with all votes in clear: v_i
  - L counts the votes
  - L posts the results
Oblivious Transfer Protocol
- Eight-step protocol (flipping a coin at a distance)
  1. A: picks two asymmetric key pairs (K_I priv, K_I pub) and (K_J priv, K_J pub)
  2. B: picks a symmetric key K_B
  3. A -> B: K_I pub, K_J pub
  4. B: picks one of the two public keys at random, K_H pub; B -> A: {K_B}K_H pub
  5. A: picks I or J at random (say J); computes K_A = {{K_B}K_H pub}K_J priv (K_A = K_B only if H = J)
  6. A -> B: {A loses}K_A, J
  7. B: M = {{A loses}K_A}K_B (readable only if K_A = K_B); B -> A: M, H (B loses if H ≠ J)
  8. A -> B: K_I priv, K_J priv (only A holds them; they let B verify that A computed step 5 honestly)
Contract Signing Protocol
1. A: selects 2n symmetric keys C_1 .. C_2n and arranges them in pairs (C_i, C_{n+i}), i = 1 .. n
2. A -> B: S-puzzle_i = {S}C_i, i = 1 .. 2n (S: a standard message; solving an S-puzzle means finding its key)
3. A: agrees to be bound by the contract if B can produce a pair (C_i, C_{n+i}) for any i (a solved pair of S-puzzles)
4. B: repeats steps 1-3 with his own keys D_i and his own S-puzzles
5. A -> B: one pair (C_i, C_{n+i}) by the oblivious transfer protocol; B -> A: one pair (D_i, D_{n+i}) by the oblivious transfer protocol
6. For each bit j: A -> B: the j-th bit of every C_i, i = 1 .. 2n; B -> A: the j-th bit of every D_i, i = 1 .. 2n
Certified Mail Protocol
1. A: selects n + 1 symmetric keys g_0 .. g_n and computes g_{n+i} = g_0 ⊕ g_i, i = 1 .. n
2. A -> B: G = {M}g_0 (since g_0 = g_{n+i} ⊕ g_i for every i, any one pair (g_i, g_{n+i}) reveals g_0)
3. A -> B: G_i = {SA}g_i, i = 1 .. 2n (SA: a standard message)
4. B: selects 2n symmetric keys h_1 .. h_2n; B -> A: H_i = {SB}h_i, i = 1 .. 2n (SB: a standard message)
5. B: agrees to acknowledge receipt of the plaintext of G if A can produce any one pair (h_i, h_{n+i}) and all g_j, j = 1 .. 2n
6. A -> B: one pair (g_i, g_{n+i}) by the oblivious transfer protocol; B -> A: one pair (h_i, h_{n+i}) by the oblivious transfer protocol
7. For each bit j: A -> B: the j-th bit of every g_i, i = 1 .. 2n; B -> A: the j-th bit of every h_i, i = 1 .. 2n