Basics Flashcards

Question

Public Key Algorithms

Answer 1

* RSA * product of prime numbers, factoring of the result * usable for secrecy and digital signatures * patented (only in USA) by RSA, expired in 20-09-2000 * computational optimizations: * all public keys have E = 3, 17 or 65537 (0x10001, fermat number) * the power operation is very easy since these numbers have only two bits to 1 * high speed of encryption and signature verification * optimized algorithms for this special calse * Possible attack: provide signature made with key whose exponent has \> 2 bits to one, since the algorithms are not efficient with those keys it willl generate a high computational load. * DSA (Digital Signature Algorithm) * taking the power, logarithm of the result * digital signature only (uses one-way lossy compression) * for encryption it uses the El-Gamal algorithm

Answer 2

* 512 bits can be attacked in some weeks * 1024 bits can be attacked in some months * 2048 bits offer an appropriate security level for several years * Note that MS system don't accept any RSA keys \< 1024 since 2012; Mozilla does not accept keys \< 2048 & md5 since 2013

Answer 3

**Twinkle** Electro-optical sieving device that executed factoring algorithms 2/3 order of magnitude faster than conventional fast PC. Estimated cost after design of $5k. (1999) **Twirl** Electronic device for factoring large integers, that implements the sieving step very efficiently. Possible to factor 1024-bit integers, and hence break 1024-bit RSA keys in 1 year at the cost of 1M dollars or less if more integers are factored at the same time.

Answer 4

* Private keys are never disclosed * public key distributed as widely as possible * Problem: verifying that the public key indeed corresponds to the entity we want to talk to. * Solution 1: exchange key Out Of Band * Solution 2: distribution of the public key by means of a specific data strucute named public-key certificate (= digital certificate) * Format of certificate? * Can we trust certificate issuer?

Answer 5

* confidentiality without shared secrets is often used to send the secret key chosen for a symmetric algorithm *

Answer 6

* First public key algorithm invented * Frequently used to agree on secret key. * Resistant to the sniffing attack * If the attacker can manipulte the data then it is possible to make a man in the middle attack: to protect from MITM we need pre-authentication (certificates for DH keys, authenticated DH = MQV) How * A and B agree to use two public integers p (prime, large) and g (generators) such that: 1 \< g \< p ( typically g=2,3,5 ) * DH key length = bits of p * A arbitrarily chooses an integer x \> 0 and computes: X = g^x mod p * B arbitrarily chooses and integer y \> 0 and computes: Y = g^y mod p * A and b exchange (publish) X and y * A computes K_A = Y^x * B computes K_B = X^y * K_A = K_B = g^xy mod p

Answer 7

* DH has comparable complexity to discrete logarithm computation == exponential in the number of bites of p (linear with p) * Algorithms to compute the discrete logarithm can often be used for factorization * Shor's algorithm is polinomial O((logN)³) but requires a quantum computer.

Answer 8

* Instead of using arithmetic, the operations are executed on the surface of a 2D (elliptic) curve * The problem of discrete logarithm becomes harder on these curves, hence it is possible to reduce the length of the keys to have comparable security. * Digital signatures = ECDSA * Key agreement = ECDH * Authenticated key agreement = ECMQV (patented) * Key distribution = ECIES (EC Integrated Encryption Scheme)

Answer 9

* Elliptic curve = y² = x³ + ax + b (mod p) * compute R = (x, y) = P + Q given P and Q (two points) * x = λ²–xP–xQ * y = λ(xP – x) – yP * We can compute addition of two point and moltiplication of a point by a scalar

Answer 10

* A and b selecte the same elliptic curve and a point G of it * A chooses a random value x and computes: * X = x G * B chooses a random value y and computes: * Y = y G * A and B exchange (publish) X and Y * A computes K = x Y * B computes K' = y X * but K = K' = x y G * Note: this uses only scalar multiplication of a point.

Answer 11

* ECDSA: * Message digest computed with a normal hash function (e.g. SHA-256) * Signature = pair of scalars derived from the digest + some operations on the curve * ECIES: * Generates a symmetric encryption key (e.g. AES-128 one) with operations on the curve * gives the receive the information (based on his public key)

Answer 12

* PS3 has embedded linux loaded verifying the binaries ECDSA signature before execution * Generation of ECDSA signature requires a random nonce, otherwise from the signature the private key can be computed, but Sony used a fixed random =\> someone computed the private key and distributed it world-wide so that anybody could run their binaries.

Answer 13

* A person that intercepts an encrypted communication cannot read it, but can modify it in an unpredictable way * Digest: fixed length summary of the message to be protected (of any length) * it must be: * Fast to compute * impossible or very difficult to invert * difficult to create "collisions" * digest often used to avoid performing operations on the whole message, especially when the message is very large * digest can be calculated in many ways, but usually via a (cryptographic) hash function (specifically designed to be secure.

Answer 14

They usually split the message M in N blocks (M1, .... Mn) and iteratively apply a base function (f) V_k = f(V_k-1, M_k) with V₀ = IV and h = V_N

Answer 15

In 2005 a chinese team published a paper describing how they were able to break SHA-1. Results: * Much less collision hash operaton than in the brute force attack (orders of magnituted) *

Answer 16

* Quick fix for SHA-1 attack, simply making the digest longer. * SHA-2 = {SHA-(224|256|354|512}

Answer 17

* To avoid aliasing it's important to make the digest long enough * md1 = h(m1) * md2 = h(m2) * If m2 != m1 we'd like to have md1 != md2 most of the times. * If the algorithm is well designed the probability of aliasing is proportial to 1/2^Nbit *

Answer 18

If there are at least 23 persons in the same room, then the probability that 2 of them were born in the same day is \> 0.5; with 30 persons the probability is \> 0.7: * Subtract from 1 the probability that the second person is born in the same day of any preceding one: * P(2 born in the same day) = 1 - 364/365 * P(3 ...) = 1 - 364/365 \* 363/365 Attack: * a N-bit digest algo is insecure when more than 2^(N/2) digests are generated because the probability of collision is circa 0.5 * If the system is used over a long period of time, the probability of collision increases * A balanced cryptosystem is "balanced" when the encryption and digest algorithms have the same resistance: * SHA-256 and SHA-512 have been designed to be used with AES-128 and AES-256, respectively

Answer 19

* Competition started in 2008 with 64 candidates, the winner was declared in 2012: Keccak ("catch-ack") * SHA-3 family has many hash functions

Answer 20

Key derivation function * A cryptographic key must be random, but users typicall insert guessable passwords * K = KDF (P, S, I) * P = password * S = salt * I = no. of iterations of the base function (to slow down the computation and make like complex for attackers) * KDF hash functions: PBKDF2 (SHA-1, |S| \> 64, |I| \> 1000); HKDF uses HMAC

Answer 21

* Key derivation function * DK = PBKDF2( PRF, PWD, Salt, C, dkLen) * PRF = pseudorandom function of two parameters with output length hLen * PWD = password from which a derived key is generated * Salt = cryptographic salt * C = number of iterations desired * dkLen = desired length of the derived key * DK = generated derived key = T₁ || T₂ || ... || T_dkLen/hLen * WPA2 uses it: DK = PBDKF2(HMAC-SHA1, PWD, SSID, 4096, 256) PBKDF2 can be attacked because C may be large, but this requires only a lot of computation, not a lot of memory, ASIC can attack it. Competitions have been lunched to find an alternatie, Argon2 was the winner.

Answer 22

MAC = Message authentication code: the message is authentic. MIC = Message integrity code: guarantees message integrity through a code added to the message. MID = Message identifier: used to avoid replay attackd.

Answer 23

A way to intrinsically secure the digest, since it cannot be exchanged out of band. The digest is calculated on the message and on the secret key. Operations: * Sender: d = digest(K, M) * Transmission: M || d * Receiver: d' = digest(K, M) * Verification: is d == d'? Only entities that know the key can compare the transmitted digest with the digest calculated on the received data. Advantages: * Only one operation needs to be performed (digest computation) * few additional data Cons: * Does not provide non-repudiation. Possible mistakes in computing keyed-digest: * if kd = H(K || M) an attacker could add a message block to the end * kd' = H(K || M || M') = f(kd, M') * if kd = H(M || K) an attacker could add a message to the beginning of the message * kd = H(M' || M || K), choosing M' s.t. IV = f(IV, M') * to protect against these attacks: * insert the length of the message in the digest * define kd = H(K || M || K) * use a standard key digest.

Answer 24

This is the most widely solution used when is needed to create a keyed-digest, MAC (or MIC, it is the same), starting from a hash function H. HMAC is typically used to protect integrity. If confidentiality must also be protected, there is CBC-MAC. **Details** H must have a block size of B, with an output long L bytes, with B \> L. Definitions: * ipad = 0x36 repeated B times * opad = 0x5C repeated B times * deprecated keys: | K | \< | L | * if | K | \> B then K' = H(K) else K' = K * if | K' | \< B then K' is 0-padded-up to B bytes * HMAC = H( K' xor opad || H( K' xor ipad || data ) ) Basically HMAC is a double hash of the data composed in someway with the key. This is much stronger than just pre or post appending the key to the data.

Answer 25

When we want integrity and confidentiality, instead of using two different functions (one for encryption and one for hashing), we can compute a MAC based on a symmetric encryption algorithm: CBC-MAC. Works by using the last block of CBC as MAC, IV = null. The message is split in N blocks. Loop: * V₀ = 0 * from k= 1...N: V_k = enc(K, M_k xor V_k-1) * CBC-MAC = V_N Usable only for fixed length messges (for variable length message use CMAC).

Answer 26

Various ways to combine secrecy (symmetric encryption with K₁) and integrity (keyed-digest with K₂). * A&E * enc(K₁, p) || mac( K₂, p ) * To verify the integrity the message must be decrypted, this could lead to DoS attacks. * MAC is sent in plain-text, may leak information about the message * Note: insecure unless performed in a single step. * AtE * enc( K₁ , p || mac( K₂ , p ) ) * must always decrypt before checking integrity * slightly better than A&E * used by SSL and TLS * Note: secure only with CBC or stream encryption * EtA * enc( K₁ , p ) || mac( K₂ , enc( K₁ , p ) ) * can avoid decryption of message if mac is wrong. * Used by IPsec * Note: beware of implementation errors: must always include IV and and specify algo in the MAC, otherwise some attacks are possble.

Answer 27

Combine privacy and authentication (and integrity), has many benefits: * Just one key and one algorithm * high speed * less error likelihood in combining 2 functions * Useful for many applications (e-mail messages, network packets, ...) * Normal encrytion modes are vulnerabe to **chosen ciphertext attacks** when on-line: Attacker modified ciphetext and observes whether the receiver signaled an error (e.g. padding oracle or decryption oracle attack). In the picture: AEAD (Authenticated Encryption with Associated Data), one way of making AE possible. Note that AEAD is spliting the message in: part that needs integrity and part that needs privacy . The nonce is added to avoid replay attacks. The encrypted payload also includes a **tag** that provides integrity for the header and the nonce.

Answer 28

(Infinite Garble Extension) ## Footnote Basically, it is like the CBC with one addition: in CBC a modification in one block of the ciphertext affect only the block itself and the next one (and then propagation stops). IGE makes it so that an error will occur on every block after the tampered one. In this way verifying the validity of the message requires only to decrypt the last block to check if it contains the expected value (some **fixed content**: all zeros, content length, etc.) In this context the last block is what in AEAD is called **tag**. Not a very good algo, but interesting.

Answer 29

GCM (Galois/Counter Mode) is one of the 6 standard modes for authenticated encryption, it's defined for algorithms with 128-bit block. (C, T) = algo\_GCM\_enc(K, IV, P, A) with: * IV size from 1 to 2⁶⁴ bits * P (original plaintext) size from 0 to 2³⁹ - 256 bits * A (associated authenticated data) size from 0 to 2⁶⁴ bits * C (Ciphertext) has the same size of P * T (Authentication tag) with size from 0 to 128 bits * Since we are not using an hash algorithm, the security is worth 128 bits (not half of the size, as we would get using an hash function). P = algo\_GCM\_dec(K, IV, C, A, T): * If authentication is not OK P = FAILURE VALUE

Answer 30

It is Counter-mode with CBC-MAC: first an authentication tag of (plaintext + associated data) is computed by CBC-MAC, then the plaintext and the tag are (separately) encrypted in CTR mode. Double pass algorithm defined for encryption algorithms with 128-bit block.

Answer 31

* TLS-1.3 uses GCM and CCM * 802.11i uses CCM * ZigBee uses CCM\* (=CCM + auth-only + enc-only) * ANSI C12.22 (house power meter) uses EAX' * broken since the standard has 3-5 less encryption steps respect to the implementation used in the formal proof of its security

Answer 32

* GCM: the most popular, on-line single-pass AEAD, parallelizable, used by TLS, present in openssl. * encryption: generate ciphertext + authentication tag; * decryption: * compute authentication tag, then if it matches the input one * ciphertext is decrypted * Fast on Intel arch (4 cycle/byte) * OCB 2.0: the fastest one, on-line single pass AEAD, GPL patented (thus scarcely used), free for military use. * EAX: on-line double-pass AEAD, slow but small (only uses encryption block), good for constrained systems. * CCM: off-line double pass, slowest.

Answer 33

Authentication by means of digest, using asymmetric crypto. Keyed digest doesn't provide non-repudiation. * (**signer** S) H = enc( S\_Kpri, hash( M ) ) * (**transmission**) M || H * (**verifiier** V) X = dec( S\_Kpub, H ) * (**verification**) if ( X == hash( M ) ) then OK else ALARM! Problem: guerantee of association between identity and public key. Attack: tampering the digital signature will result in an error, but it cannot be determined if it is because of a tramission error in the signature or in the message.

Answer 34

* using a **shared secret** * only useful for the receiver * cannot be used as a proof without disclosing the secret key * not useful for non-repudiation * usable agains two peers that trust each other but anyone else * using **asym. encryption** (digital signature) * applied to digest only (since it is slow) * can be used as a formal proof * can be used for non-repudiation, provided that is possible to demonstrate the owner of the public key (public key certificate)

Answer 35

Digital is better: gives authentication + integrity. Note that each document signed by an user has a different signature made with the same key. Handwritten only authentication.

Answer 36

A data structure used to securely bind a public key to some attributes. Binds a key to an identity, but supports also other kinds of associations (ip addresses). The binding is secured by a certificate authority that digitally signs the **public key certificate**, so that: * we have a proof of authentication: it is a valid certificate because it has been created by a certification authority. * a proof of integrity: the has not been modifyied. * has a **limited validity**, like a identity document, and can also be revoked by the user or the issuer. It is responsability of the receiver to check that the certificate is still valid. Verification: * To verify a signature, we request the public key certificate that is signed by the entitiy that provides, then we need to verify the public key of the Certificate Authority, and in-turn of the Certificate Authority that hosts its public key certificate, continue like this until we react the Root CA, this cannot be verified, it is self-signed. There are multiple TLCA. Tipically in a computer system there are lot of trusted CA: for security (so that no one entity can control who is trusted) and since obtaining a certificate by a CA has a price. (CA pay to be in the list of trusted CA of Windows for example). Problem: attackers could fake the whole CA tree, if the device is left unattended and the attacker manages to have administrative privileges, it is possible to add another (fake) Root CA, making the whole hierarchical system useless for that device. The list of Root CA can be managed either by the operating system or by the application being used.

Answer 37

* **Version**: since there are more versions of the same format as seen previously; * **Serial number**: each certificate is uniquely identified; * **Signature algorithm**: algorithm used to perform the signature; * **Issuer**: name of the entity that created the certificate, the **certification authority**. The syntax used to specify this information is called DN (distinguished name), composed by three fields: * **C** stands for country (e.g. Italy); * **O** stands for organization (e.g. Politecnico di Torino); * **OU** stands for organizational unit, which means that this is the department who created this certificate (e.g. certification authority). * **Validity**: period of validity. * **Subject**: the entity that is controlling the private key corresponding to the public key being certified. Also, here it is used the DM to identify that entity, with other fields not mentioned earlier: * CN stands for common name (e.g. Antonio Lioy); * Email, that is the e-mail of the entity. It is important to include this fields because public key certificates are used to protect internet applications, for example to send an e-mail to “Antonio Lioy”, the mail server needs to be able to understand what is the certified mail for the entity (so, the e-mail field is required). The same reasoning applies to other applications for which protection is wanted. * **subjectPublicKeyInfo**: is the field containing the public key; it specifies the algorithm, the length of the key and all the bits that constitute it; * **CA digital signature**: it is the digital signature of the certification authority computed over the certificate.

Answer 38

Technical and administrative infrastructure that manages **creation**, **distribution** and **revocation** of public key certificates.

Answer 39

* CRL (Certificate Revocation List): * list of revoked certificates * signed by the CA or by a delegated party * certificate validity since it was issues * allows the receiver to verify the validity since the certificate was issues * example: document received 3 months ago is valid even if the certificate is not valid from today, because 3 months ago the certificate was valid. * Only way to check certificate history (of validity) * To verify one certificate we must download the full list * OCSP (On-line certificate status protocol): * is a client-server protocol in which is possible to request to a specific service if the certificate is valid or not at the current time. The response is signed by the server, so that is not possible for someone to provide a fake response. * Good for real-time checks.

Answer 40

Depends on CPU, not on ram. Performance is not a problem on clients (if not embedded systems). Perfmance is an issue on servers when making secure a network of ndoes (e.g. routers), in these cases special hardware is used, either for crypto functions or for the whole packet processing step (including crypto stuff). * RC4 is the best of all cause it's a stream algo. * 3DES is 3x slower than DES. * AES is faster than DES and guarantees better security. * Singnature verification is faster than creation.

Answer 41

* In 2018: * AES-256, K \< 256bit is weak. * SHA-384 for hashing * key agreement: ECDH and ECMQV * digital signature: ECDSA, with EC on curve P-384

Answer 42

User browser uses weak crypto generally, and strong crypto when it talks with a bank. ## Footnote It is also named **gated cryptography** because the strong part is inside a gate opened only when the server submits the correct certificate.

Basics Flashcards

(66 cards)